superset-sh · saddlepaddle · May 22, 2026 · May 22, 2026 · coderabbitai · May 22, 2026
diff --git a/.github/workflows/bump-homebrew.yml b/.github/workflows/bump-homebrew.yml
@@ -1,12 +1,26 @@
 name: Bump Homebrew Formula
 
-# Triggers when a CLI release (tag matching cli-v*) is published, computes
-# SHA256 for each platform tarball, and pushes an updated formula to the
-# superset-sh/homebrew-tap repository.
+# Renders the superset.rb formula for a published CLI release and pushes it to
+# the superset-sh/homebrew-tap repository. Invoked as a reusable job from
+# release-cli.yml (needs: release) so the bump runs in the same workflow run as
+# the release. It is NOT driven by `release: published` because a release
+# auto-created by the workflow's GITHUB_TOKEN does not emit an event that can
+# trigger another workflow. workflow_dispatch is the manual escape hatch to
+# re-bump a specific tag.
 
 on:
-  release:
-    types: [published]
+  workflow_call:
+    inputs:
+      tag:
+        description: "CLI release tag (cli-v<semver>)"
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "CLI release tag (cli-v<semver>)"
+        required: true
+        type: string
 
 # Serialize runs so two concurrent releases can't race and drop a bump.
 concurrency:
@@ -15,13 +29,12 @@ concurrency:
 
 jobs:
   bump:
-    if: startsWith(github.event.release.tag_name, 'cli-v')
     runs-on: ubuntu-latest
     steps:
       - name: Extract version from tag
         id: version
         env:
-          TAG: ${{ github.event.release.tag_name }}
+          TAG: ${{ inputs.tag }}
         run: |
           set -euo pipefail
           # Validate tag format: cli-v<semver>. Rejects tags with shell metacharacters.

diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
@@ -1,9 +1,10 @@
 name: Release CLI
 
-# Fires on cli-v* tag push. Builds the full 3-target matrix and publishes
-# a draft GitHub Release plus a rolling cli-latest pointer. workflow_dispatch
-# is the manual escape hatch for testing the full pipeline without cutting
-# a tag (the release job is gated to tag pushes only).
+# Fires on cli-v* tag push. Builds the full 3-target matrix, publishes a
+# prerelease GitHub Release plus a rolling cli-latest pointer, then bumps the
+# Homebrew formula. workflow_dispatch is the manual escape hatch for testing
+# the full pipeline without cutting a tag (the release job is gated to tag
+# pushes only).
 
 on:
   push:
@@ -79,3 +80,16 @@ jobs:
             --notes "Rolling pointer to the latest published CLI release. See [${VERSION_TAG}](https://github.com/${{ github.repository }}/releases/tag/${VERSION_TAG}) for changelog." \
             --target "${{ github.sha }}" \
             --prerelease
+
+  bump-homebrew:
+    # Chained here instead of triggering on `release: published`: the release
+    # above is created with GITHUB_TOKEN, and GitHub does not fire workflow
+    # triggers for events generated by GITHUB_TOKEN, so an event-driven bump
+    # never runs. needs: release guarantees the tarballs are published first.
+    name: Bump Homebrew Formula
+    needs: release
+    if: startsWith(github.ref, 'refs/tags/cli-v')
+    uses: ./.github/workflows/bump-homebrew.yml
+    with:
+      tag: ${{ github.ref_name }}
+    secrets: inherit