Address remaining PR review comments

- Pin cache-apt-pkgs-action to commit SHA for supply-chain safety
- Fix Homebrew post_install to use with_env block instead of env hash
  in system() call (idiomatic Homebrew pattern)
- Add clarifying comments to service file, preremove.sh, and nfpm.yaml
  explaining user/group creation, directory ownership, and upgrade handling

https://claude.ai/code/session_01Vx1EsNrNySgsc8Y67dGzCn

.github/workflows/homebrew.yml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Install build dependencies (Linux)
         if: runner.os == 'Linux'
-        uses: awalsh128/cache-apt-pkgs-action@v1.6.0
+        uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.6.0
         with:
           packages: build-essential python3-dev python3-setuptools libssl-dev libldap2-dev libsasl2-dev zlib1g-dev libatomic1
           version: 1.0
@@ -108,7 +108,9 @@ ${RESOURCES}
 
   def post_install
     (var/"archivebox").mkpath
-    system({ "DATA_DIR" => var/"archivebox" }, bin/"archivebox", "install", "--binproviders", "pip,npm")
+    with_env(DATA_DIR: var/"archivebox") do
+      system bin/"archivebox", "install", "--binproviders", "pip,npm"
+    end
   end
 
   service do
@@ -275,7 +277,9 @@ ${RESOURCES}
 
   def post_install
     (var/"archivebox").mkpath
-    system({ "DATA_DIR" => var/"archivebox" }, bin/"archivebox", "install", "--binproviders", "pip,npm")
+    with_env(DATA_DIR: var/"archivebox") do
+      system bin/"archivebox", "install", "--binproviders", "pip,npm"
+    end
   end
 
   service do