ci: use existing release-plz GitHub App for Homebrew tap pushes#43

Merged: boorad merged 2 commits into main from ci/homebrew-tap-app-token on May 4, 2026
Conversation

@boorad boorad (Contributor) commented May 4, 2026

Follow-up to #42. Switches the update-homebrew job from a personal fine-grained PAT (HOMEBREW_TAP_TOKEN) to the existing enforceauth-zift-release-plz GitHub App.

Why

  • No personal PAT. PAT was tied to my account, max 1-year expiry, audit trail showed me as the pusher. The app is org-owned and survives people leaving.
  • Short-lived tokens. App tokens expire ~1h instead of ~1y.
  • No new secrets. Reuses RELEASE_PLZ_APP_ID / RELEASE_PLZ_APP_PRIVATE_KEY already in the repo for release-plz.yml.
  • Same actions/create-github-app-token SHA pin as release-plz.yml so dependabot updates them together.

Scope

The minted token is scoped via repositories: homebrew-tap, so even though the app is installed on both zift and homebrew-tap, the token only has access to the tap.

Trade-off: the private key's blast radius widens from "can push to zift" to "can push to zift and the tap." For a derivative tap repo this is the same trust posture; not worth a second app.

Required one-time setup

  • App enforceauth-zift-release-plz installed on EnforceAuth/homebrew-tap (Settings → Installations → Configure → add repo)
  • Once merged: delete the HOMEBREW_TAP_TOKEN repo secret if it was created — no longer used

Test plan

  • CI passes on this PR
  • On next release (or a manual test release): update-homebrew job mints a token, checks out the tap, writes Formula/zift.rb, and pushes — committer shows as enforceauth-zift-release-plz[bot]

Summary by CodeRabbit

  • Chores
    • Updated release workflow to use a minted GitHub App token for authentication.
    • Switched checkout and push operations to use the app token and set commit author to an app-specific bot identity.
    • Adjusted automated commit/push steps to source token and bot identity dynamically.

Reuse the existing release-plz GitHub App (RELEASE_PLZ_APP_ID /
RELEASE_PLZ_APP_PRIVATE_KEY) to authenticate the homebrew-tap push
instead of a personal fine-grained PAT (HOMEBREW_TAP_TOKEN).

The token is minted at runtime via actions/create-github-app-token
and scoped to repositories: homebrew-tap, so even though the app is
installed on both zift and homebrew-tap, the minted token can only
reach the tap. Same SHA pin as release-plz.yml.

Author/committer is now <app-slug>[bot] for honest provenance.

Requires the app to be installed on EnforceAuth/homebrew-tap (one-time
UI step). HOMEBREW_TAP_TOKEN secret can be deleted once this lands.
coderabbitai (Bot) commented May 4, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 42d53a1 and c4c4032.

Files selected for processing (1):
  • .github/workflows/release-binaries.yml (skipped from review as similar to previous changes)
Walkthrough

The workflow replaces a static Homebrew tap PAT with a minted GitHub App token via actions/create-github-app-token and updates checkout and the commit/push step to use the app token and ${APP_SLUG}[bot] identity.

Changes

Homebrew Tap Release Workflow (.github/workflows/release-binaries.yml):

  • Token Minting: adds a step using actions/create-github-app-token with RELEASE_PLZ_APP_ID and RELEASE_PLZ_APP_PRIVATE_KEY to mint a temporary GitHub App token.
  • Repository Checkout: updates actions/checkout for EnforceAuth/homebrew-tap to use the minted token output instead of secrets.HOMEBREW_TAP_TOKEN.
  • Commit & Push Wiring: the "Commit and push formula" step now sets APP_SLUG and GH_TOKEN from the minted token and configures git user.name/user.email to use ${APP_SLUG}[bot] when committing and pushing Formula/zift.rb.

Estimated code review effort: 2 (Simple), ~10 minutes

Poem

🐰 I minted a token, quick and neat,
Keys swapped out for something sweet.
The app-bot hops and makes the push,
No secrets left in any hush.
Formula lands — a carrot hush 🥕

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically describes the main change: switching from a personal PAT to an existing GitHub App for Homebrew tap authentication in CI.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

amazon-q-developer (Bot) left a comment

The migration from a personal PAT to GitHub App authentication is implemented correctly. The token minting, scoping, and usage all follow GitHub Actions best practices. The workflow will now use short-lived, repository-scoped tokens instead of a long-lived personal access token, improving security posture.


coderabbitai (Bot) left a comment

Actionable comments posted: 2


Inline comments:
In @.github/workflows/release-binaries.yml:
- Around line 143-148: Update the git author email to use the documented GitHub
App bot format including the numeric bot user ID: call the GitHub API (or use
the output from the app token action that returns the bot user id) to obtain the
numeric ID (e.g. steps.app-token.outputs.app-user-id) and set git config
user.email to "<BOT_ID>+${APP_SLUG}[bot]@users.noreply.github.com" instead of
"${APP_SLUG}[bot]@users.noreply.github.com"; keep the existing git config
user.name "${APP_SLUG}[bot]" and ensure the new BOT_ID output is fetched before
the git config commands run.
- Around line 87-94: The GitHub App token step ("Mint Homebrew tap token", id:
app-token) currently mints a token with all installation permissions; narrow it
to least privilege by adding the input permission-contents: write to the
actions/create-github-app-token@... step so the minted token only has repository
contents write access required for the checkout/add/commit/push operations on
the homebrew-tap repository.
📥 Commits

Reviewing files that changed from the base of the PR and between 43d49a9 and 42d53a1.

Files selected for processing (1):
  • .github/workflows/release-binaries.yml
Address CodeRabbit review feedback on PR #43:
- Add permission-contents: write to actions/create-github-app-token to
  follow least-privilege; the workflow only needs contents access on
  homebrew-tap to commit and push the formula update.
- Use the documented GitHub App bot email format
  <bot-id>+<slug>[bot]@users.noreply.github.com so commits are properly
  attributed to the App's bot user. The numeric ID is fetched at runtime
  via gh api /users/<slug>[bot].
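The shape of the update-homebrew job after the review feedback, as an added illustration rather than the project's own release-binaries.yml: the secret names, App name, tap repository, token scoping and the bot e-mail format come from this PR, while the version tags of the actions (the real file pins a commit SHA), the checkout path, the formula-rendering step and the use of the tag name as the version are assumptions.

```yaml
# Illustrative update-homebrew job (assumed reconstruction, not the project's file).
update-homebrew:
  runs-on: ubuntu-latest
  steps:
    - name: Mint Homebrew tap token
      id: app-token
      # Placeholder ref: the real workflow pins the same commit SHA as release-plz.yml.
      uses: actions/create-github-app-token@v2
      with:
        app-id: ${{ secrets.RELEASE_PLZ_APP_ID }}
        private-key: ${{ secrets.RELEASE_PLZ_APP_PRIVATE_KEY }}
        owner: EnforceAuth
        # The token reaches only the tap, although the app is installed on zift too.
        repositories: homebrew-tap
        # Least privilege: checkout/commit/push need contents write and nothing else.
        permission-contents: write

    - name: Check out the tap with the minted token
      uses: actions/checkout@v4
      with:
        repository: EnforceAuth/homebrew-tap
        token: ${{ steps.app-token.outputs.token }}
        path: homebrew-tap

    # (A step that renders Formula/zift.rb for the new release goes here; omitted.)

    - name: Commit and push formula
      working-directory: homebrew-tap
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
        APP_SLUG: ${{ steps.app-token.outputs.app-slug }}
        VERSION: ${{ github.ref_name }}   # assumption: the release tag is the version
      run: |
        set -euo pipefail
        # The numeric bot user id makes commits attribute to the App's bot user.
        BOT_ID=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)
        git config user.name "${APP_SLUG}[bot]"
        git config user.email "${BOT_ID}+${APP_SLUG}[bot]@users.noreply.github.com"
        git add Formula/zift.rb
        # An unchanged formula should not fail the release job.
        git diff --cached --quiet && { echo "formula unchanged"; exit 0; }
        git commit -m "zift ${VERSION}"
        git push   # uses the credentials actions/checkout stored for the app token
```

The pushed commit's committer should show as enforceauth-zift-release-plz[bot], which is the check the PR's test plan calls for.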
@boorad boorad merged commit a859312 into main May 4, 2026
2 checks passed
@boorad boorad deleted the ci/homebrew-tap-app-token branch May 4, 2026 17:38
@boorad boorad self-assigned this May 4, 2026