ci(release): harden release publishing workflow

[jgoux]

Summary

• Serialize the release workflow per ref so duplicate release runs cannot publish the same computed version concurrently.
• Make Homebrew and Scoop updaters use direct git clones with the GitHub App token available to both gh and git, and skip no-op downstream commits when the generated file is already current.
• Harden the local npm smoke registry publish path by publishing platform packages deterministically and accepting a local conflict only when Verdaccio has already stored the package tarball.
• Update the release process docs to match the current downstream updater behavior and GitHub App variable names.

Context

The release failures on June 10 exposed two repo-side release issues: the Homebrew updater depended on gh repo clone, which failed during GitHub GraphQL authentication, and duplicate release runs could race the same prerelease version through downstream publish/smoke-test jobs. The npm smoke-test change hardens the local Verdaccio path that surfaced during the duplicate release window.

The Alpine setup-cli failure from the same day was a Docker Hub image pull timeout during GitHub Actions container initialization, before any repository step ran.

[github-actions]

Supabase CLI preview

npx --yes https://pkg.pr.new/supabase@5536

Preview package for commit c03bf84.