
fix(ci): use GitHub App token for homebrew-tap push #39

Merged: pjcdawkins merged 2 commits into main from fix/tap-github-token on Apr 9, 2026


@miguelsanchez-upsun
Collaborator

Summary

  • Generates a scoped GitHub App token for upsun/homebrew-tap using actions/create-github-app-token@v2
  • Replaces GITHUB_TOKEN with TAP_GITHUB_TOKEN in all GoReleaser brew/scoop repository configs
  • Token generation is gated behind the same if: condition as the release step, so it's only minted during actual releases

Test Plan

  • Trigger a manual release via workflow_dispatch with a tag and verify the token step runs and taps are updated
  • Trigger a snapshot build and verify the token step is skipped

miguelsanchez-upsun and others added 2 commits April 1, 2026 16:35
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 1, 2026 14:43
Contributor

Copilot AI left a comment


Pull request overview

This PR improves security by replacing the broad GITHUB_TOKEN with a scoped GitHub App token specifically for the homebrew-tap repository. The changes involve generating a GitHub App token during release workflows and updating GoReleaser configurations to use this dedicated token for Homebrew and Scoop tap updates.

Changes:

  • Adds a new workflow step to generate a GitHub App token scoped to the homebrew-tap repository using actions/create-github-app-token@v2
  • Replaces all 4 instances of GITHUB_TOKEN with TAP_GITHUB_TOKEN in GoReleaser's brew and scoop repository configurations
  • Token generation is gated behind the same conditional as the release step to ensure it only runs during actual releases

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .goreleaser.yaml | Updates all homebrew-tap token references from GITHUB_TOKEN to TAP_GITHUB_TOKEN (4 instances across brews and scoops) |
| .github/workflows/release.yml | Adds GitHub App token generation step and passes the scoped token to GoReleaser as TAP_GITHUB_TOKEN environment variable |
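
A sketch of the two changes summarized above, added here as an example and not taken from this PR's diff. The secret names, job layout, `if:` condition, `permission-contents` setting and formula name are assumptions; only `upsun/homebrew-tap`, `actions/create-github-app-token@v2`, `GITHUB_TOKEN` and `TAP_GITHUB_TOKEN` come from the page.

```yaml
# File 1 (constructed excerpt): .github/workflows/release.yml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Mint a short-lived installation token limited to the tap repository.
      # The if: must match the release step so snapshot builds never mint one.
      - name: Generate tap token
        id: tap-token
        if: startsWith(github.ref, 'refs/tags/')      # assumed condition
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.APP_ID }}               # assumed secret name
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # assumed secret name
          owner: upsun
          repositories: homebrew-tap                  # token is valid for this repo only
          permission-contents: write                  # assumed: narrow to what a tap push needs

      - name: Release
        if: startsWith(github.ref, 'refs/tags/')      # same assumed condition
        uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumed: still used for this repo's release
          TAP_GITHUB_TOKEN: ${{ steps.tap-token.outputs.token }}
---
# File 2 (constructed excerpt): .goreleaser.yaml
brews:
  - name: example-cli                                 # hypothetical formula name
    repository:
      owner: upsun
      name: homebrew-tap
      # before this change: token: "{{ .Env.GITHUB_TOKEN }}"
      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
scoops:
  - repository:
      owner: upsun
      name: homebrew-tap
      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
```

If the token step's `if:` drifts from the release step's, GoReleaser either runs with an empty `TAP_GITHUB_TOKEN` or a token is minted on builds that never publish, which is what the two items in the test plan check.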


Contributor

@pjcdawkins pjcdawkins left a comment


I'm ok with the APP_ generic secret name

@pjcdawkins pjcdawkins merged commit 68918a4 into main Apr 9, 2026
8 checks passed
@pjcdawkins pjcdawkins deleted the fix/tap-github-token branch April 9, 2026 06:10
3 participants