Add release action for Homebrew tap

.github/workflows/release.yaml

@@ -57,6 +57,13 @@ jobs:
           cd bin
           sha256sum * > checksums.txt
 
+      - name: Upload binaries as workflow artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: release-binaries
+          path: bin/
+          retention-days: 1
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v3
         with:
@@ -112,3 +119,110 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+  homebrew-release:
+    name: Homebrew Release
+    runs-on: ubuntu-latest
+    needs: release
+    if: ${{ !contains(github.ref, 'alpha') && !contains(github.ref, 'beta') && !contains(github.ref, 'rc') }}
+    env:
+      TAP_REPO: opendefensecloud/homebrew-tap
+      FORMULA_PATH: Formula/ocm-kit.rb
+    steps:
+      - name: Resolve version
+        id: version
+        run: |
+          tag="${GITHUB_REF#refs/tags/}"
+          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+          echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Download release binaries
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: release-binaries
+          path: bin/
+
+      - name: Compute SHA256s
+        id: sha
+        run: |
+          cd bin
+          {
+            echo "darwin_amd64=$(sha256sum ocm-kit-darwin-amd64 | cut -d' ' -f1)"
+            echo "darwin_arm64=$(sha256sum ocm-kit-darwin-arm64 | cut -d' ' -f1)"
+            echo "linux_amd64=$(sha256sum ocm-kit-linux-amd64 | cut -d' ' -f1)"
+            echo "linux_arm64=$(sha256sum ocm-kit-linux-arm64 | cut -d' ' -f1)"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Checkout tap repo
+        uses: actions/checkout@v6
+        with:
+          repository: ${{ env.TAP_REPO }}
+          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+          path: tap
+
+      - name: Render formula
+        env:
+          TAG: ${{ steps.version.outputs.tag }}
+          VERSION: ${{ steps.version.outputs.version }}
+          SHA_DARWIN_AMD64: ${{ steps.sha.outputs.darwin_amd64 }}
+          SHA_DARWIN_ARM64: ${{ steps.sha.outputs.darwin_arm64 }}
+          SHA_LINUX_AMD64: ${{ steps.sha.outputs.linux_amd64 }}
+          SHA_LINUX_ARM64: ${{ steps.sha.outputs.linux_arm64 }}
+          REPO: ${{ github.repository }}
+        run: |
+          mkdir -p "tap/$(dirname "$FORMULA_PATH")"
+          base="https://github.com/${REPO}/releases/download/${TAG}"
+          cat > "tap/${FORMULA_PATH}" <<EOF
+          # This file is generated by .github/workflows/release.yaml. Do not edit by hand.
+          class OcmKit < Formula
+            desc "Render Helm values templates from OCM components"
+            homepage "https://github.com/${REPO}"
+            version "${VERSION}"
+            license "Apache-2.0"
+
+            on_macos do
+              if Hardware::CPU.arm?
+                url "${base}/ocm-kit-darwin-arm64"
+                sha256 "${SHA_DARWIN_ARM64}"
+              else
+                url "${base}/ocm-kit-darwin-amd64"
+                sha256 "${SHA_DARWIN_AMD64}"
+              end
+            end
+
+            on_linux do
+              if Hardware::CPU.arm?
+                url "${base}/ocm-kit-linux-arm64"
+                sha256 "${SHA_LINUX_ARM64}"
+              else
+                url "${base}/ocm-kit-linux-amd64"
+                sha256 "${SHA_LINUX_AMD64}"
+              end
+            end
+
+            def install
+              os = OS.mac? ? "darwin" : "linux"
+              arch = Hardware::CPU.arm? ? "arm64" : "amd64"
+              bin.install "ocm-kit-#{os}-#{arch}" => "ocm-kit"
+            end
+
+            test do
+              assert_match "ocm-kit", shell_output("#{bin}/ocm-kit --help")
+            end
+          end
+          EOF
+
+      - name: Commit and push to tap
+        working-directory: tap
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          if git diff --quiet -- "$FORMULA_PATH"; then
+            echo "Formula unchanged; nothing to commit."
+            exit 0
+          fi
+          git add "$FORMULA_PATH"
+          git commit -m "ocm-kit ${VERSION}"
+          git push