
ci: restore macOS Keychain backend via CGO-enabled darwin builds [INT-448]#100

Merged
rianjs merged 1 commit into main from fix/INT-448-darwin-cgo-keychain on May 19, 2026

Conversation

@rianjs
Collaborator

@rianjs rianjs commented May 19, 2026

Summary

  • Splits .goreleaser.yml into nrq-darwin (CGO_ENABLED=1, xcrun clang arch overrides, both amd64+arm64) and nrq-unix-win (CGO_ENABLED=0, linux+windows). Pins nfpms.ids: [nrq-unix-win] so deb/rpm never pull a darwin binary (uses v2 ids filter, not deprecated builds).
  • Moves the goreleaser release job to macos-15 (pinned, not macos-latest) so cgo+darwin builds work without cross-compilation from Linux.
  • Restructures the goreleaser job to verify-before-publish: goreleaser check → goreleaser release --snapshot --clean → pre-publish gate → goreleaser release --clean --release-notes.
  • Pre-publish gate: locates darwin binaries via dist/artifacts.json (no filename globs); asserts file/lipo -archs for both arches; asserts Security.framework linked on amd64 (cross-arch necessary signal); runs a functional arm64 check with isolated HOME/XDG and seeded config — asserts backend==keychain, backend_source==auto, credential_ref==newrelic-cli/default.
  • Fixes all 8 GNU sed -i invocations in the Homebrew tap step → perl -pi -e (BSD sed -i on macOS requires a backup-suffix argument; perl works identically on both).
  • Adds set -euo pipefail and non-empty SHA assertions before writing tap files, preventing silent empty-checksum cask commits.

Closes #99

Test plan

  • goreleaser check exits 0 on the changed config (verified locally)
  • CGO_ENABLED=1 GOOS=darwin GOARCH=arm64/amd64 builds succeed locally; file shows correct Mach-O arches; otool -L amd64 lists Security.framework
  • Functional gate passes locally: arm64 binary with isolated HOME/XDG reports backend=keychain source=auto ref=newrelic-cli/default
  • CI goreleaser job (macos-15) runs green on the PR branch
  • chocolatey/winget/snap/linux-packages jobs still target their original runners (only goreleaser moved)

…-448]

Split .goreleaser.yml into two builds: nrq-darwin (CGO_ENABLED=1,
macos-15 runner, xcrun clang overrides per arch) and nrq-unix-win
(CGO_ENABLED=0, linux+windows). nfpms pins ids:[nrq-unix-win] so deb/rpm
never pull a darwin binary.

Move the goreleaser release job to macos-15 and restructure it to
verify-before-publish: goreleaser check → snapshot build → pre-publish
gate (Security.framework + functional arm64 keychain/auto assertion) →
publish. Fix all GNU sed -i invocations in the Homebrew tap step to
perl -pi -e (BSD sed on macOS requires a backup-suffix; perl works on
both). Add non-empty SHA assertions before writing tap files.

Closes #99
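An added example, not code from this PR or from nrq: a Go version of the gate's static checks, built on the standard library's debug/macho package so it runs on any OS (the gate itself shells out to file, lipo -archs and otool -L on the macos-15 runner). It goes one step beyond the page's amd64-only check and requires Security.framework on every slice. The sample universal binaries are constructed inline (a mach_header_64 plus LC_LOAD_DYLIB commands, no code), and the Verify/GoodSample/BadSample names and the two dylib install names are this example's assumptions.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// Install names as `otool -L` lists them (assumed for this example): every darwin Go
// binary imports libSystem; only a cgo build that uses the Keychain imports Security.
const (
	libSystem     = "/usr/lib/libSystem.B.dylib"
	securityDylib = "/System/Library/Frameworks/Security.framework/Versions/A/Security"
)

// archNames maps Mach-O cputype values to the names `lipo -archs` prints.
var archNames = map[macho.Cpu]string{macho.CpuAmd64: "x86_64", macho.CpuArm64: "arm64"}

// machoSlices returns each thin image keyed by arch name (one entry for a thin binary).
func machoSlices(data []byte) (map[string]*macho.File, error) {
	r, out := bytes.NewReader(data), map[string]*macho.File{}
	if ff, err := macho.NewFatFile(r); err == nil {
		for _, a := range ff.Arches {
			out[archNames[a.Cpu]] = a.File
		}
		return out, nil
	} else if err != macho.ErrNotFat {
		return nil, err
	}
	f, err := macho.NewFile(r) // not fat, so it must parse as a thin image
	if err != nil {
		return nil, err
	}
	out[archNames[f.Cpu]] = f
	return out, nil
}

// Verify is the gate: data must carry exactly wantArches, and every slice must link
// Security.framework. A CGO_ENABLED=0 darwin build passes the first check and fails the second.
func Verify(data []byte, wantArches []string) error {
	imgs, err := machoSlices(data)
	if err != nil {
		return fmt.Errorf("not a Mach-O image: %w", err)
	}
	got, want := make([]string, 0, len(imgs)), append([]string(nil), wantArches...)
	for a := range imgs {
		got = append(got, a)
	}
	sort.Strings(got)
	sort.Strings(want)
	if strings.Join(got, " ") != strings.Join(want, " ") {
		return fmt.Errorf("arches %v, want %v", got, want)
	}
	for _, a := range got {
		libs, _ := imgs[a].ImportedLibraries() // cannot fail in the stdlib implementation
		if !strings.Contains("\n"+strings.Join(libs, "\n")+"\n", "\n"+securityDylib+"\n") { // whole-entry match
			return fmt.Errorf("%s slice does not link Security.framework (CGO_ENABLED=0 build?)", a)
		}
	}
	return nil
}

// thinImage builds a minimal little-endian 64-bit MH_EXECUTE image whose only load
// commands are one LC_LOAD_DYLIB per name. Constructed test data, not a real binary.
func thinImage(cpu macho.Cpu, dylibs ...string) []byte {
	var cmds bytes.Buffer
	for _, name := range dylibs {
		n := 24 + len(name) + 1 // dylib_command header + NUL-terminated name
		size := (n + 7) &^ 7    // cmdsize must be 8-byte aligned
		binary.Write(&cmds, binary.LittleEndian, []uint32{uint32(macho.LoadCmdDylib), uint32(size), 24, 0, 0, 0})
		cmds.WriteString(name)
		cmds.Write(make([]byte, size-n+1)) // NUL terminator plus alignment padding
	}
	var b bytes.Buffer // mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
	binary.Write(&b, binary.LittleEndian, []uint32{macho.Magic64, uint32(cpu), 0, uint32(macho.TypeExec), uint32(len(dylibs)), uint32(cmds.Len()), 0, 0})
	b.Write(cmds.Bytes())
	return b.Bytes()
}

// fatImage wraps thin images in a big-endian universal header, slices laid out back to back.
func fatImage(thins ...[]byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, []uint32{macho.MagicFat, uint32(len(thins))})
	off := 8 + 20*len(thins) // fat_header plus one fat_arch entry per slice
	for _, t := range thins {
		cpu, sub := binary.LittleEndian.Uint32(t[4:8]), binary.LittleEndian.Uint32(t[8:12])
		binary.Write(&b, binary.BigEndian, []uint32{cpu, sub, uint32(off), uint32(len(t)), 0})
		off += len(t)
	}
	for _, t := range thins {
		b.Write(t)
	}
	return b.Bytes()
}

// GoodSample has both slices from cgo builds; in BadSample the arm64 slice came from a
// CGO_ENABLED=0 build and imports only libSystem, the shape the linked issue describes.
func GoodSample() []byte { return fatImage(thinImage(macho.CpuAmd64, libSystem, securityDylib), thinImage(macho.CpuArm64, libSystem, securityDylib)) }
func BadSample() []byte  { return fatImage(thinImage(macho.CpuAmd64, libSystem, securityDylib), thinImage(macho.CpuArm64, libSystem)) }

func main() { fmt.Println(Verify(GoodSample(), []string{"arm64", "x86_64"}), Verify(BadSample(), []string{"arm64", "x86_64"})) }
```

To run it against a real artifact, read the dist/.../nrq binary located through artifacts.json and pass the bytes to Verify. This static check is a necessary signal only: linking Security.framework proves the cgo backend was compiled in, not that backend selection resolves to keychain at runtime, which is why the gate also executes the arm64 binary with an isolated HOME/XDG and asserts on backend, backend_source and credential_ref.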
@rianjs
Collaborator Author

rianjs commented May 19, 2026

No findings.

The PR matches the INT-446 template and nrq-specific needs: nrq-darwin/nrq-unix-win split is correct, BuildDate ldflag is preserved, nfpms.ids targets only nrq-unix-win, archives remain unfiltered with disjoint GOOS sets, and CC values are quoted. goreleaser check passes locally.

The in-job Homebrew update is correctly after the real goreleaser release --clean, so it reads real dist/checksums.txt, not the snapshot. All eight sed -i sites were converted to perl -pi -e; replacements are safe for these placeholder/hash/version values, and the remaining sed -i is only in the Ubuntu snap job. The gate uses artifacts.json, the config show --output json path reaches OpenNoMigrate -> keyring.Open, and a CGO-off darwin binary cannot satisfy the positive keychain/auto/ref assertion. There are no before.hooks in nrq’s GoReleaser config, so the claimed macOS test-suite risk does not apply.

Verification note: write-heavy snapshot/build checks could not be run in this read-only sandbox; the static review plus goreleaser check found no issues.

@rianjs rianjs merged commit 59f38be into main May 19, 2026
2 checks passed
@rianjs rianjs deleted the fix/INT-448-darwin-cgo-keychain branch May 19, 2026 20:10

Development

Successfully merging this pull request may close these issues.

nrq macOS binaries fail closed: CGO_ENABLED=0 strips the Keychain backend [INT-448]