Ship Homebrew bottles so installs pour instead of building (fixes juxt/allium#42)

[yavorpanayotov]

The durable fix for juxt/allium#42. The tap formula ships no bottle, so brew install/upgrade allium runs the install from source in Homebrew's build sandbox; on macOS Tahoe that sandbox's deny_read_home realpaths a TCC-protected ~/Documents and aborts (rb_check_realpath_internal … EPERM) when the terminal lacks access. Pouring a bottle goes through #pour_bottle, never #build, so the realpath is never reached.

Change

• scripts/build-bottle.sh — builds a bottle from a prebuilt release binary via brew bottle, reads tag/sha back from the JSON manifest, emits the pourable (single-dash) bottle file. Validated locally against the real v3.4.0 arm64 binary: the produced bottle pours on macOS 26.5 (Tahoe).
• bottles job (matrix): arm64 on macos-14, x86_64 on macos-13. Built on the oldest runners because the binary is :any_skip_relocation and Homebrew's OS-version fallback then pours one per-arch bottle on all newer macOS — verified empirically (an arm64_sonoma bottle pours on Tahoe), so no per-OS matrix is needed.
• publish-release attaches the bottles (bottle do root_url points at the release download URL).
• update-homebrew assembles + injects the bottle do block into the formula (Ruby edit validated locally for valid syntax + idempotency).
• Linux has no TCC/sandbox crash, so it ships no bottle (unchanged).

Validation status — please note

• Locally proven: the brew bottle recipe (real v3.4.0 binary → pours on Tahoe) and the formula edit.
• Not yet exercised end-to-end: the tagged-release orchestration only runs on a v* tag. Recommend validating on the next release (or a throwaway pre-release tag) before relying on it. PR CI here runs the normal cargo test/lint suite, which is unaffected.

To fix the already-released v3.4.0 (which has no bottle), cut a 3.4.1 with this merged — that release will ship bottles. A companion repro harness is in juxt/homebrew-allium#4.

🤖 Generated with Claude Code