ci: call homebrew-bump as reusable workflow instead of PAT event propagation (#53)

Reverts PR #44's approach of swapping GITHUB_TOKEN for a PAT on
action-gh-release. That approach worked in principle but failed in
practice during the v0.10.2 cut: HOMEBREW_TAP_GITHUB_TOKEN is a
fine-grained PAT scoped only to razvandimescu/homebrew-tap, so when
action-gh-release tried to create a release on razvandimescu/numa it
got 403 Resource not accessible. v0.10.2 had to be recovered manually
via `gh release create` from a user PAT.

Root cause of the original bug (from #44): GitHub Actions deliberately
does not propagate workflow events triggered by GITHUB_TOKEN, so a
release created by GITHUB_TOKEN silently failed to fire homebrew-bump's
`release: published` trigger.

Fix: sidestep the event-propagation rule entirely by invoking
homebrew-bump.yml directly as a reusable workflow via `workflow_call`.

- release.yml: drop the `token:` override on action-gh-release (reverts
  to GITHUB_TOKEN default, which v0.10.0 and v0.10.1 used successfully)
  and add a new `bump-homebrew` job that `needs: release` and `uses:`
  homebrew-bump.yml with `secrets: inherit`.
- homebrew-bump.yml: add `workflow_call` trigger with a `version` input,
  remove the `release: published` trigger (no longer needed), keep
  `workflow_dispatch` for manual recovery, and collapse the version
  determination step to a single `inputs.version` read.

Each token now does exactly what its scope permits:
- GITHUB_TOKEN creates the release on numa (contents: write, default)
- HOMEBREW_TAP_GITHUB_TOKEN pushes to homebrew-tap (unchanged)

The tap update becomes a child job in the release run, so failures are
visible in one place instead of "why didn't the release event fire?"
mysteries.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/homebrew-bump.yml

@@ -1,8 +1,12 @@
 name: Bump Homebrew Tap
 
 on:
-  release:
+  workflow_call:
-    types: [published]
+    inputs:
+      version:
+        description: 'Version to bump (e.g. 0.10.0 or v0.10.0)'
+        type: string
+        required: true
   workflow_dispatch:
     inputs:
       version:
@@ -20,13 +24,10 @@ jobs:
 
       - name: Determine version
         id: ver
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if [ "${{ github.event_name }}" = "release" ]; then
+          V="${INPUT_VERSION#v}"
-            V="${{ github.event.release.tag_name }}"
-          else
-            V="${{ github.event.inputs.version }}"
-          fi
-          V="${V#v}"
           echo "version=$V" >> "$GITHUB_OUTPUT"
 
       - name: Fetch sha256 checksums from release assets

.github/workflows/release.yml

@@ -103,16 +103,15 @@ jobs:
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
-          # Use a PAT (not the default GITHUB_TOKEN) so the resulting
-          # `release: published` event propagates to downstream workflows
-          # like homebrew-bump.yml. Events triggered by GITHUB_TOKEN are
-          # deliberately not propagated by GitHub Actions to prevent
-          # infinite loops; PAT-authored events are the documented escape
-          # hatch. Reusing HOMEBREW_TAP_GITHUB_TOKEN (already a PAT used
-          # by homebrew-bump.yml itself) keeps the secret surface flat.
-          token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           generate_release_notes: true
           files: |
             *.tar.gz
             *.zip
             *.sha256
+
+  bump-homebrew:
+    needs: release
+    uses: ./.github/workflows/homebrew-bump.yml
+    with:
+      version: ${{ github.ref_name }}
+    secrets: inherit