.github/workflows/homebrew-bump.yml

@@ -1,8 +1,12 @@
 name: Bump Homebrew Tap
 
 on:
-  release:
+  workflow_call:
-    types: [published]
+    inputs:
+      version:
+        description: 'Version to bump (e.g. 0.10.0 or v0.10.0)'
+        type: string
+        required: true
   workflow_dispatch:
     inputs:
       version:
@@ -20,13 +24,10 @@ jobs:
 
       - name: Determine version
         id: ver
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if [ "${{ github.event_name }}" = "release" ]; then
+          V="${INPUT_VERSION#v}"
-            V="${{ github.event.release.tag_name }}"
-          else
-            V="${{ github.event.inputs.version }}"
-          fi
-          V="${V#v}"
           echo "version=$V" >> "$GITHUB_OUTPUT"
 
       - name: Fetch sha256 checksums from release assets

.github/workflows/release.yml

@@ -103,16 +103,15 @@ jobs:
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
-          # Use a PAT (not the default GITHUB_TOKEN) so the resulting
-          # `release: published` event propagates to downstream workflows
-          # like homebrew-bump.yml. Events triggered by GITHUB_TOKEN are
-          # deliberately not propagated by GitHub Actions to prevent
-          # infinite loops; PAT-authored events are the documented escape
-          # hatch. Reusing HOMEBREW_TAP_GITHUB_TOKEN (already a PAT used
-          # by homebrew-bump.yml itself) keeps the secret surface flat.
-          token: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           generate_release_notes: true
           files: |
             *.tar.gz
             *.zip
             *.sha256
+
+  bump-homebrew:
+    needs: release
+    uses: ./.github/workflows/homebrew-bump.yml
+    with:
+      version: ${{ github.ref_name }}
+    secrets: inherit