ci: auto-update Homebrew tap on release

After creating a GitHub release, the new update-homebrew job:
- Extracts SHA256 checksums from build artifacts
- Generates an updated numa.rb formula with correct version and hashes
- Pushes it to razvandimescu/homebrew-tap via the GitHub API

Requires HOMEBREW_TAP_TOKEN secret (PAT with repo scope on homebrew-tap).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/release.yml

@@ -108,3 +108,93 @@ jobs:
             *.tar.gz
             *.zip
             *.sha256
+
+  update-homebrew:
+    needs: release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Download SHA256 files
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+
+      - name: Extract checksums
+        id: sha
+        run: |
+          echo "macos_arm=$(awk '{print $1}' numa-macos-aarch64.tar.gz.sha256)" >> "$GITHUB_OUTPUT"
+          echo "macos_x86=$(awk '{print $1}' numa-macos-x86_64.tar.gz.sha256)" >> "$GITHUB_OUTPUT"
+          echo "linux_arm=$(awk '{print $1}' numa-linux-aarch64.tar.gz.sha256)" >> "$GITHUB_OUTPUT"
+          echo "linux_x86=$(awk '{print $1}' numa-linux-x86_64.tar.gz.sha256)" >> "$GITHUB_OUTPUT"
+
+      - name: Update Homebrew formula
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          script: |
+            const version = '${{ steps.version.outputs.version }}';
+            const base = `https://github.com/razvandimescu/numa/releases/download/v${version}`;
+            const formula = `class Numa < Formula
+              desc "Portable DNS resolver with ad blocking, .numa local service proxy, and developer overrides"
+              homepage "https://github.com/razvandimescu/numa"
+              license "MIT"
+              version "${version}"
+
+              on_macos do
+                if Hardware::CPU.arm?
+                  url "${base}/numa-macos-aarch64.tar.gz"
+                  sha256 "${{ steps.sha.outputs.macos_arm }}"
+                else
+                  url "${base}/numa-macos-x86_64.tar.gz"
+                  sha256 "${{ steps.sha.outputs.macos_x86 }}"
+                end
+              end
+
+              on_linux do
+                if Hardware::CPU.arm?
+                  url "${base}/numa-linux-aarch64.tar.gz"
+                  sha256 "${{ steps.sha.outputs.linux_arm }}"
+                else
+                  url "${base}/numa-linux-x86_64.tar.gz"
+                  sha256 "${{ steps.sha.outputs.linux_x86 }}"
+                end
+              end
+
+              def install
+                bin.install "numa"
+              end
+
+              def caveats
+                <<~EOS
+                  Numa requires root to bind port 53:
+                    sudo numa                    # start the DNS server
+                    sudo numa install            # set as system DNS
+                    sudo numa service start      # run as persistent service
+
+                  Dashboard: http://localhost:5380
+                EOS
+              end
+
+              test do
+                assert_match "numa", shell_output("#{bin}/numa --version")
+              end
+            end
+            `.replace(/^            /gm, '');
+
+            const { data: existing } = await github.rest.repos.getContent({
+              owner: 'razvandimescu',
+              repo: 'homebrew-tap',
+              path: 'numa.rb',
+            });
+
+            await github.rest.repos.createOrUpdateFileContents({
+              owner: 'razvandimescu',
+              repo: 'homebrew-tap',
+              path: 'numa.rb',
+              message: `numa ${version}`,
+              content: Buffer.from(formula).toString('base64'),
+              sha: existing.sha,
+            });