ci: pass PAT to action-gh-release so release events propagate (#44)
GitHub Actions deliberately does not propagate workflow events triggered by the default GITHUB_TOKEN — a safety feature against infinite loops. softprops/action-gh-release falls back to GITHUB_TOKEN when no `token` is supplied, so the resulting `release: published` event was silently swallowed and never reached homebrew-bump.yml.

Discovered shipping v0.10.1: tag pushed cleanly, crates.io published cleanly, GitHub release page created cleanly, but the brew tap never auto-bumped. Had to trigger homebrew-bump.yml manually via workflow_dispatch.

Fix: pass HOMEBREW_TAP_GITHUB_TOKEN explicitly. This is already a PAT (used by homebrew-bump.yml to push cross-repo to razvandimescu/homebrew-tap), so reusing it keeps the secret surface flat. PAT-authored release events are the documented escape hatch from the GITHUB_TOKEN no-propagation rule.

Applies to v0.10.2+. v0.10.1 was bumped manually.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit was merged in pull request #44.
8
.github/workflows/release.yml
vendored
@@ -103,6 +103,14 @@ jobs:
|
||||
- name: Create Release
|
||||
uses: softprops/action-gh-release@v2
|
||||
with:
|
||||
# Use a PAT (not the default GITHUB_TOKEN) so the resulting
|
||||
# `release: published` event propagates to downstream workflows
|
||||
# like homebrew-bump.yml. Events triggered by GITHUB_TOKEN are
|
||||
# deliberately not propagated by GitHub Actions to prevent
|
||||
# infinite loops; PAT-authored events are the documented escape
|
||||
# hatch. Reusing HOMEBREW_TAP_GITHUB_TOKEN (already a PAT used
|
||||
# by homebrew-bump.yml itself) keeps the secret surface flat.
|
||||
token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
|
||||
generate_release_notes: true
|
||||
files: |
|
||||
*.tar.gz
|
||||
|
||||
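Review bot: at `uses: softprops/action-gh-release@v2`, the action is referenced by a mutable tag, and with the new `token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}` line it now receives the same PAT that, per the comment, homebrew-bump.yml itself uses. Whatever code `v2` points to at run time gets that credential, so I would pin the action to a full commit SHA in this step. Reusing the PAT keeps the number of secrets flat, but it widens where the credential is exposed: the release job now holds a token whose purpose lies in the tap workflow. Consider a separate PAT limited to creating releases in this repository, and note the trade-off in the comment block either way.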