ci(release): auto-bump homebrew-tap after release #63

Merged: vxcozy merged 2 commits into main from ci/auto-bump-homebrew-tap on Apr 19, 2026

@vxcozy vxcozy commented Apr 19, 2026

Summary

Two-commit PR:

  1. ci(release): auto-bump homebrew-tap after release — adds a homebrew-tap job that, after the build matrix and release step succeed, checks out vxcozy/homebrew-tap, downloads the release assets, computes sha256s, rewrites Formula/clitunes.rb, and pushes the bump commit on main.
  2. ci(release): workflow_dispatch entry for tap-bump validation — adds a manual trigger (with target_tag + dry_run inputs, dry_run default true) so the tap-bump logic can be validated against an existing tag without cutting a new release. build and release jobs skip on workflow_dispatch; only the tap-bump job runs.

Closes clitunes-7ch / CLI-95.

Why

v1.2.0 shipped but brew upgrade clitunes was a no-op for ~15 minutes because the tap was still pointing at v1.1.0. A human had to clone the tap, fetch 4 tarballs, recompute 4 sha256s, rewrite URLs + checksums, and push. This PR automates that procedure.

Option (c) from the plan: a small bash + python step on a first-party actions/checkout. No third-party actions, easy to audit.

The second commit exists because the -rc skip (commit 1) means RC dry runs can't validate the tap-bump job itself — it would skip itself. workflow_dispatch closes that gap: run the job manually against an already-released tag to prove the regex + download + rewrite path works end-to-end, with dry_run=true by default so nothing is ever pushed to the tap accidentally.

Behaviour

  • On tag push (non-rc): needs: [build, release] — runs only after the tag's release is live on GitHub. -rcN tags are skipped so the stable tap never tracks a release candidate.
  • On workflow_dispatch: build and release are skipped. homebrew-tap runs against inputs.target_tag. dry_run=true (default) stops before the git push; dry_run=false actually commits.
  • 5x linear-backoff retry on each tarball download (release asset CDN sometimes lags the release job completion by a few seconds).
  • Per-target regex rewrite with an n != 1 guard — formula shape change would fail the job loudly rather than silently pushing an untouched commit.
  • always() on the if: expression so the explicit success check on needs.{build,release} runs instead of GitHub short-circuiting to "skip on needs-skipped".
  • Commits as github-actions[bot].

Secret provisioning (required before the next tag push)

Create a fine-grained PAT at https://github.com/settings/personal-access-tokens/new:

  • Resource owner: vxcozy
  • Repository access: Only select repositories → vxcozy/homebrew-tap
  • Permissions → Repository permissions → Contents: Read and write (Metadata auto-added as Read-only)

Add to vxcozy/clitunes → Settings → Secrets and variables → Actions → New repository secret: HOMEBREW_TAP_TOKEN.

Without the secret, the checkout step fails at the first tag push — safe failure mode, no partial state.

Test plan

  • cargo fmt --check
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo test --workspace --all-features
  • YAML syntax-check via ruby YAML.load_file
  • Regex dry-run against the current vxcozy/homebrew-tap formula — all 4 URL/sha pairs matched exactly once
  • After merge + secret provisioning: trigger workflow_dispatch with target_tag=v1.2.0, dry_run=true. "Show diff" step should log a no-op diff (tap already points at v1.2.0 after tonight's manual bump). If the diff is clean, the whole tap-bump pipeline is validated and we can trust the next real release.

Adds a new `homebrew-tap` job to release.yml that, after both the build
matrix and the GitHub release step succeed, checks out vxcozy/homebrew-tap,
downloads the 4 freshly-cut release assets, computes sha256 for each,
rewrites Formula/clitunes.rb with the new URLs + checksums, and pushes the
bump commit on main. Eliminates the manual ~15 minute window between a tag
push and `brew upgrade clitunes` actually picking up the new version.

Shape:
- needs: [build, release] — fires only when the release is already live
- if: !contains(github.ref_name, '-rc') — the stable tap skips -rcN tags
- curl download has a 5x linear-backoff retry loop to tolerate a small lag
  between the release job finishing and the asset CDN propagating
- python3 in-place rewrite with a per-target regex; guard fails the job
  loudly if any arch doesn't match exactly once (no silent no-op push)
- author is github-actions[bot] so tap history shows automated commits

Required before the next release: create a fine-grained PAT with
Contents: Read & Write on vxcozy/homebrew-tap and register it as the
HOMEBREW_TAP_TOKEN secret on vxcozy/clitunes. Without the secret the
checkout step fails loudly on the first run — failure mode is safe.

Closes clitunes-7ch / CLI-95
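
The per-target rewrite with the exactly-one-match guard described in the PR description and commit message above, as an added example (not the code from release.yml). The target names, asset file naming, base URL and formula layout are assumptions, and the sample formula is constructed.

```python
import hashlib
import re

# Hypothetical targets and asset naming; the real formula is not shown on the page.
TARGETS = ["aarch64-apple-darwin", "x86_64-apple-darwin",
           "aarch64-unknown-linux-gnu", "x86_64-unknown-linux-gnu"]
BASE = "https://example.invalid/releases/download"  # placeholder base URL


class FormulaShapeError(RuntimeError):
    """Raised when a url/sha256 pair is not matched exactly once."""


def bump_formula(text, tag, tarballs):
    """Return `text` with each target's url + sha256 pointed at `tag`.

    `tarballs` maps target -> bytes of the downloaded release asset, so the
    checksum written to the formula is computed from what was downloaded.
    """
    for target in TARGETS:
        digest = hashlib.sha256(tarballs[target]).hexdigest()
        pattern = re.compile(
            r'(url\s+")[^"]*/clitunes-' + re.escape(target) + r'\.tar\.gz'
            r'("\s*\n\s*sha256\s+")[0-9a-f]{64}(")')
        new_url = f"{BASE}/{tag}/clitunes-{target}.tar.gz"
        # A function replacement keeps new_url literal (no group expansion).
        text, n = pattern.subn(
            lambda m: m.group(1) + new_url + m.group(2) + digest + m.group(3),
            text)
        # Zero matches means the formula shape changed; two or more means the
        # pattern is ambiguous. Either way, stop before anything is committed.
        if n != 1:
            raise FormulaShapeError(f"{target}: expected 1 match, got {n}")
    return text


def sample_formula(tag="v1.1.0"):
    """Constructed formula text, for demonstration only."""
    blocks = [f'    url "{BASE}/{tag}/clitunes-{t}.tar.gz"\n'
              f'    sha256 "{"0" * 64}"\n' for t in TARGETS]
    return "class Clitunes < Formula\n" + "\n".join(blocks) + "end\n"
```

Running `bump_formula` a second time with the same tag and assets returns the text unchanged, which corresponds to the no-op diff the test plan expects from a dry run against an already-bumped tap.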

Lets us validate the homebrew-tap job against an existing release
(e.g. v1.2.0) without cutting a new tag. `dry_run` defaults to true
so a manual run is never load-bearing by accident; setting it false
actually pushes to the tap.

build + release now skip on workflow_dispatch (they'd re-publish
artifacts that already exist); only the tap-bump job runs.
@vxcozy vxcozy merged commit 89ad3b9 into main Apr 19, 2026
12 checks passed
@vxcozy vxcozy deleted the ci/auto-bump-homebrew-tap branch April 19, 2026 04:20
vxcozy added a commit that referenced this pull request Apr 19, 2026
Patch release: sakura + heartbeat AGC fixes, firework removal,
release.yml auto-bumps the Homebrew tap.

First tag after release.yml changed in PR #63 — must be cut as
v1.2.1-rc1 first to exercise the full tag-push pipeline (build ×4,
release, and the new homebrew-tap job) before cutting v1.2.1.

Closes CLI-97 (viz AGC), CLI-95 (tap automation) on the release side.
@vxcozy vxcozy mentioned this pull request Apr 19, 2026
6 tasks