Enable WinGet installation method for Windows, replace Scoop references

[Copilot]

Description

WinGet package Microsoft.APM is now live via winget-pkgs#351674. This PR updates all install docs and enables the CI auto-update job.

• Docs & README: Replace Scoop (scoop bucket add / scoop install) with winget install Microsoft.APM across README.md, installation guide, and quick-start guide
• CI workflow: Convert disabled update-scoop job to update-winget — uses Microsoft's official wingetcreate tool (MIT) on a windows-latest runner to generate updated manifests and open PRs directly to microsoft/winget-pkgs
• CHANGELOG: Add entry under Unreleased

winget install Microsoft.APM

Setup required before first use:

• WINGET_TOKEN repository secret — classic PAT with public_repo scope (documented in workflow comments)

Type of change

• Bug fix
• New feature
• Documentation
• Maintenance / refactor

Testing

• Tested locally
• All existing tests pass
• Added tests for new functionality (if applicable)

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[danielmeppiel]

@copilot we have no such repo winget-apm. It's microsoft/winget-pkgs. If we want to auto-update the version there, we need to open a PR on it automatically and update the manifest there, example PR for another pkg is: microsoft/winget-pkgs#352862 . Assess how to do this properly and refactor accordingly.

[Copilot]

@copilot we have no such repo winget-apm. It's microsoft/winget-pkgs. If we want to auto-update the version there, we need to open a PR on it automatically and update the manifest ther...

Refactored in 6738a43. Replaced the repository-dispatch to the nonexistent microsoft/winget-apm with the community-standard vedantmgoyal9/winget-releaser@v2 action, which uses Komac to generate updated manifests and opens PRs directly to microsoft/winget-pkgs.

Setup required before first use:

1. WINGET_TOKEN secret -- classic PAT with public_repo scope
2. Fork of microsoft/winget-pkgs under the repo owner account (or set fork-user to a bot account that has the fork)

[danielmeppiel]

Review — Supply Chain & Operational Concerns

The docs changes (Scoop → WinGet) are great. But the CI workflow has significant trust and operational gaps that need addressing before merge.

---

🔴 Critical: Supply chain trust of vedantmgoyal9/winget-releaser@v2

This is a single individual's community action (284 stars, AGPL-3.0) being used in a Microsoft org repo to push PRs to another Microsoft repo (microsoft/winget-pkgs). Three compounding risks:

1. Mutable @v2 tag — points to a commit that can be force-pushed at any time. The action code could change without notice.
2. Transitive supply chain — the action itself pulls cargo-bins/cargo-binstall@main (pinned to main!) to download the komac Rust binary at runtime. That's two layers of mutable, unaudited dependencies installing and running arbitrary binaries with your PAT.
3. Token exposure — WINGET_TOKEN (classic PAT with public_repo scope) is passed as GITHUB_TOKEN env var to komac. A compromised action or Komac binary has full public_repo access.
4. Zero Microsoft org adoption — no other microsoft/* repo uses this action in their workflows.

Recommendation: Use Microsoft's own wingetcreate tool (microsoft/winget-create, MIT, 618 stars). It's the official Windows Package Manager Manifest Creator. Example:

steps:
  - name: Update WinGet manifest
    run: |
      iwr https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
      .\wingetcreate.exe update Microsoft.APM `
        --version ${{ github.ref_name }} `
        --urls "https://github.com/${{ github.repository }}/releases/download/${{ github.ref_name }}/apm-windows-x86_64.zip" `
        --submit --token ${{ secrets.WINGET_TOKEN }}
    shell: pwsh
runs-on: windows-latest  # wingetcreate requires Windows

If wingetcreate is not viable (e.g., you need Linux runners), at minimum pin winget-releaser to a full SHA rather than @v2:

uses: vedantmgoyal9/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e  # v2

---

🔴 Critical: Fork ownership problem

The action defaults fork-user to ${{ github.repository_owner }}, which is microsoft. But microsoft/winget-pkgs already exists — you cannot fork a repo into the same org that owns it. This means:

1. As-is, the workflow will fail at runtime (Komac cannot create a fork under microsoft)
2. You need a separate bot/service account that owns a fork of winget-pkgs
3. The fork-user input must be explicitly set to that account

This is not called out in the workflow and would be a silent runtime failure on first release.

---

🟡 Medium: Token scope & naming

• WINGET_TOKEN needs public_repo scope on a classic PAT. Fine-grained tokens won't work for cross-repo fork PRs. This should be documented in a comment in the workflow.
• The old GH_PKG_PAT secret is removed — confirm it's no longer needed by any other workflow before cleanup.

---

🟢 Docs changes look good

The Scoop → WinGet swap across README, installation guide, quick-start, and CHANGELOG is clean and correct.

---

Summary

Finding	Severity	Action
Untrusted community action with mutable tags + transitive deps	Critical	Use wingetcreate or pin to SHA
Fork-user defaults to microsoft — will fail at runtime	Critical	Configure bot account fork + set fork-user
Token scope/docs	Medium	Add workflow comment documenting requirements
Docs changes	✅	Good to go

[Copilot]

Review — Supply Chain & Operational Concerns

The docs changes (Scoop → WinGet) are great. But the CI workflow has significant trust and operational gaps that need addressing before merge....

Addressed all findings in 526d9cf. Replaced vedantmgoyal9/winget-releaser@v2 with Microsoft's official wingetcreate tool (microsoft/winget-create, MIT):

• Supply chain: No third-party actions. Downloads wingetcreate.exe directly from aka.ms/wingetcreate/latest (Microsoft's official redirect).
• Fork ownership: Not an issue — wingetcreate update --submit handles fork creation and PR submission internally. No fork-user configuration needed.
• Token docs: Added workflow comments documenting WINGET_TOKEN requirements (classic PAT, public_repo scope).
• Runner: Changed to windows-latest (wingetcreate requires Windows).
• GH_PKG_PAT: Still used by the update-homebrew job — no cleanup needed.