ci(release): authenticate Homebrew tap push with HOMEBREW_TAP_TOKEN

[piyushsarin-sib]

Summary

• Fix the Bump Homebrew formula step failing with 403: Permission to getbrevo/homebrew-tap.git denied to github-actions[bot] on the 1.1.1 release run: changesets/action writes ~/.netrc containing the repo-scoped GITHUB_TOKEN, so the bare git push to the tap authenticated as github-actions[bot] (which has no access to the tap) instead of using HOMEBREW_TAP_TOKEN. The step now removes the stale netrc and runs gh auth setup-git before pushing, so git resolves credentials through gh from GH_TOKEN (the tap PAT) — still keeping the token out of argv, the remote URL, and on-disk config.
• Document the changeset policy in AGENTS.md and CLAUDE.md: keep one pending changeset file per branch/PR — append new change details to it (raising the bump level if needed) instead of creating additional files.

Notes for reviewers

• release.yaml security invariants are untouched: action SHA pins, persist-credentials: false, OIDC/no-NPM_TOKEN publish auth, and HOMEBREW_TAP_TOKEN scoping are all unchanged. The fix only affects how the existing PAT reaches git push.
• Removing ~/.netrc is safe — the bump step is the job's last step, and every other step authenticates via env tokens, not netrc.
• Worth verifying alongside this PR: HOMEBREW_TAP_TOKEN hasn't hit its expiry and still has contents + pull-requests write on the tap (an expired token would surface as a 401 on the next run).
• The missed 1.1.1 formula bump will be replayed with a manual PR on the tap; this fix covers releases going forward.
• No changeset: CI + contributor-docs only, no user-visible CLI behavior. agent-context/SKILL.md / agent-context/AGENTS.md untouched (no CLI surface change).

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud