feat: Homebrew tap auto-update on release + brew install instructions

[StephaneDelcroix]

Changes

• build.yml: Adds two steps to create-release job:

  • Compute Mac SHA256 — hashes PolyPilot.zip for the cask
  • Update Homebrew tap — dispatches release-published event to PureWeen/homebrew-tap with version + SHA256 (skipped for prereleases)

• README.md: Adds Install with Homebrew section (brew tap PureWeen/tap && brew install --cask polypilot) and fixes the Copilot CLI install command

Homebrew Tap

The tap at PureWeen/homebrew-tap is already set up with:

• brew install --cask polypilot — Mac Catalyst GUI app (auto-installs copilot-cli as a dependency)
• brew install polypilot-console — Cross-platform CLI
• Auto-update workflow triggered by this PR's dispatch step

Setup Required

Add a HOMEBREW_TAP_TOKEN secret to this repo — a fine-grained PAT scoped to PureWeen/homebrew-tap with Contents: Read and write permission.

[PureWeen]

PR #313 Re-Review Report — Post-Fix (5-Model Consensus)

CI Status: ⚠️ Not yet run on latest push (2 fix commits added)

---

Previous Findings Status

#	Original Finding	Status
1	🔴 CRITICAL: No continue-on-error: true → tap failure kills release job	✅ FIXED — continue-on-error: true added (5/5 models confirmed)
2	🟡 MODERATE: Empty HOMEBREW_TAP_TOKEN causes gh auth 401	✅ FIXED — secrets.HOMEBREW_TAP_TOKEN != '' guard in if condition (see note below)
3	🟡 MODERATE: gh api -f bracket notation produces flat JSON keys	✅ FIXED — Replaced with --input - <<EOF heredoc with well-formed JSON (5/5 models confirmed)
4	🟢 MINOR: Compute Mac SHA256 step runs on prereleases	⚠️ STILL PRESENT — No prerelease guard on the SHA256 step; harmless (output is never consumed on prereleases)

---

Fix Note: env context correction

The initial fix used env.HOMEBREW_TAP_TOKEN != '' in the if condition with the token set only in the step-level env: block. 4/5 review models flagged that step-level env vars may not be available in the same step's if evaluation. A follow-up commit corrected this to use secrets.HOMEBREW_TAP_TOKEN != '' directly in the if expression — the canonical GitHub Actions pattern for optional-secret guards — avoiding any ambiguity.

---

Final State of build.yml

- name: Update Homebrew tap
  if: "!contains(github.ref, '-') && secrets.HOMEBREW_TAP_TOKEN != ''"
  continue-on-error: true
  env:
    GH_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
  run: |
    VERSION="${GITHUB_REF#refs/tags/v}"
    MAC_SHA256="${{ steps.mac_sha.outputs.sha256 }}"
    gh api repos/PureWeen/homebrew-tap/dispatches \
      --method POST --input - <<EOF
    {"event_type":"release-published","client_payload":{"version":"$VERSION","mac_sha256":"$MAC_SHA256"}}
    EOF

---

Test Coverage

No test coverage exists for CI workflow logic (standard for GitHub Actions workflows). The changes are self-contained to the release pipeline.

---

Recommended Action: ✅ Approve

All critical and moderate findings from the initial review are resolved. The only remaining item (SHA256 step runs on prereleases) is harmless. The PR is ready to merge.