diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 874dbe2..5b36a0d 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -1,8 +1,12 @@
 name: pypi-wheels
 on:
- release:
- types: [published]
+ workflow_call:
+ inputs:
+ tag:
+ description: "Release tag to package (e.g., v1.2.3)"
+ required: true
+ type: string
 workflow_dispatch:
 inputs:
 tag:
@@ -24,18 +28,14 @@ jobs:
 id: version
 shell: bash
 env:
- INPUT_TAG: ${{ github.event.inputs.tag || '' }}
- RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
- GH_TOKEN: ${{ github.token }}
+ INPUT_TAG: ${{ inputs.tag || github.event.inputs.tag || '' }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
- TAG="${RELEASE_TAG_NAME}"
- elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
- TAG="${INPUT_TAG}"
- else
- TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+ if [[ -z "${INPUT_TAG}" ]]; then
+ echo "No tag provided — cannot determine version" >&2
+ exit 1
 fi
+ TAG="${INPUT_TAG}"
 if [[ ! "${TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
 echo "Invalid tag format: ${TAG}" >&2
 exit 1
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 0fc00e7..199dcb3 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -5,11 +5,15 @@ name: Publish Docker image
 # Triggers
 ###############################################################################
 on:
- # 1️⃣ Traditional: run automatically when a GitHub Release is published
- release:
- types: [published]
+ # Called automatically by the release workflow after a successful build
+ workflow_call:
+ inputs:
+ tag:
+ description: "Tag to push (e.g. v1.2.3)"
+ required: true
+ type: string
- # 2️⃣ Manual: “Run workflow” button or `gh workflow run`
+ # Manual: "Run workflow" button or `gh workflow run`
 workflow_dispatch:
 inputs:
 tag:
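Review bot: In the second pypi.yml hunk, `INPUT_TAG: ${{ inputs.tag || github.event.inputs.tag || '' }}` keeps a fallback that looks redundant, because the `inputs` context is populated for both `workflow_call` and `workflow_dispatch`, and release-docker.yml in this same commit reads only `${{ inputs.tag }}`. I would write `INPUT_TAG: ${{ inputs.tag }}` so both workflows resolve the tag the same way. The new empty-tag guard also makes a manual dispatch without a tag fail, so the `workflow_dispatch` input, whose definition continues outside the first hunk, should be marked `required: true` if it is not already. Keeping the value in `env` and checking it against the `^v[0-9A-Za-z._+-]+$` pattern before use is worth a short comment such as `# tag reaches the script only through env and is format-checked below`.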
@@ -19,7 +23,7 @@ on:
 ###############################################################################
 permissions:
- contents: read # needed for checkout + GH API
+ contents: read # needed for checkout
 ###############################################################################
 jobs:
@@ -31,23 +35,21 @@ jobs:
 steps:
 # -----------------------------------------------------------------------
- # Decide which tag we’re going to publish
+ # Decide which tag we're going to publish
 # -----------------------------------------------------------------------
 - name: Determine tag
 id: tag
 shell: bash
 env:
- # populated only for workflow_dispatch
- MANUAL_TAG: ${{ github.event.inputs.tag }}
- RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+ # workflow_call passes tag here; workflow_dispatch may or may not
+ CALL_TAG: ${{ inputs.tag }}
+ GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
- RAW_TAG="${RELEASE_TAG_NAME}"
- elif [[ -n "${MANUAL_TAG}" ]]; then
- RAW_TAG="${MANUAL_TAG}"
+ if [[ -n "${CALL_TAG}" ]]; then
+ RAW_TAG="${CALL_TAG}"
 else
- # manual w/o tag → ask GitHub API for latest release tag
+ # workflow_dispatch without a tag → query latest release
 RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
 fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 37e5aaf..8ea626f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -352,6 +352,8 @@ jobs:
 name: Public GitHub Release
 needs: [linux-x64, linux-arm64, windows, macos-x64, macos-arm64]
 runs-on: ubuntu-latest
+ outputs:
+ tag: ${{ steps.version.outputs.tag }}
 permissions:
 contents: write
 id-token: write
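Review bot: The shortened comment on `contents: read` in the release-docker.yml permissions hunk no longer matches what the workflow does. The `Determine tag` step in the next hunk adds `GH_TOKEN` and keeps the `gh release view` fallback, which reads the Releases API with that same token. I would keep the reason visible next to the grant, for example `contents: read # needed for checkout + gh release view fallback`, so a later permissions trim does not break the fallback unnoticed.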
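Review bot: The `else` branch of the release-docker.yml `Determine tag` step still publishes whatever `gh release view` reports as the latest release when `CALL_TAG` is empty, while pypi.yml in this commit now exits with an error in the same situation. If `needs.release.outputs.tag` ever resolves to an empty string in the caller, this branch would, as far as I can tell, be taken silently and an image pushed for a release other than the one just built. I would fail closed here as pypi.yml does, replacing the fallback with `echo "No tag provided" >&2; exit 1`. The step continues past the end of the hunk, so I cannot see whether `RAW_TAG` is format-checked afterwards; if it is not, the `^v[0-9A-Za-z._+-]+$` test from pypi.yml belongs here too.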
@@ -405,3 +407,23 @@ jobs:
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: 'target/release/*'
+
+ # ──────────────── Publish Docker image ────────────────
+ publish-docker:
+ needs: [release]
+ uses: ./.github/workflows/release-docker.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ permissions:
+ contents: read
+ packages: write
+
+ # ──────────────── Publish PyPI wheels ────────────────
+ publish-pypi:
+ needs: [release]
+ uses: ./.github/workflows/pypi.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ permissions:
+ contents: read
+ id-token: write
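Review bot: Neither `publish-docker` nor `publish-pypi` passes any secrets, and a workflow started through `workflow_call` receives only `GITHUB_TOKEN` unless the caller maps secrets to it. Under the old `release` trigger both files could read repository secrets directly, so if either one references `secrets.*` outside these hunks it will now see empty values. Pass the ones that are needed with an explicit `secrets:` mapping on the job rather than `secrets: inherit`, which would expose every repository secret to the called workflow. For `publish-pypi`, `id-token: write` suggests OIDC-based publishing; the token is now minted in a run whose top-level workflow is release.yml, so the publisher registered on PyPI should be checked against that before the next release. If that is the purpose of the permission, a comment such as `# id-token: write is for the OIDC upload in pypi.yml` above it would record why it is granted.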