diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 874dbe2..4ce81cd 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -3,6 +3,12 @@ name: pypi-wheels
 on:
 release:
 types: [published]
+ workflow_call:
+ inputs:
+ tag:
+ description: "Release tag to package (e.g., v1.2.3)"
+ required: true
+ type: string
 workflow_dispatch:
 inputs:
 tag:
@@ -24,15 +30,16 @@ jobs:
 id: version
 shell: bash
 env:
- INPUT_TAG: ${{ github.event.inputs.tag || '' }}
+ INPUT_TAG: ${{ inputs.tag || '' }}
 RELEASE_TAG_NAME: ${{ github.event.release.tag_name || '' }}
 GH_TOKEN: ${{ github.token }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
- TAG="${RELEASE_TAG_NAME}"
- elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_TAG}" ]]; then
+ if [[ -n "${INPUT_TAG}" ]]; then
+ # workflow_call or workflow_dispatch with explicit tag
 TAG="${INPUT_TAG}"
+ elif [[ "${GITHUB_EVENT_NAME}" == "release" && -n "${RELEASE_TAG_NAME}" ]]; then
+ TAG="${RELEASE_TAG_NAME}"
 else
 TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
 fi
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index 0fc00e7..9ac1e81 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -5,11 +5,15 @@ name: Publish Docker image
 # Triggers
 ###############################################################################
 on:
- # 1️⃣ Traditional: run automatically when a GitHub Release is published
- release:
- types: [published]
+ # Called automatically by the release workflow after a successful build
+ workflow_call:
+ inputs:
+ tag:
+ description: "Tag to push (e.g. v1.2.3)"
+ required: true
+ type: string
- # 2️⃣ Manual: “Run workflow” button or `gh workflow run`
+ # Manual: "Run workflow" button or `gh workflow run`
 workflow_dispatch:
 inputs:
 tag:
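Review bot: The `release: published` trigger stays in pypi.yml (hunk `@@ -3,6 +3,12 @@`) next to the new `workflow_call`, while release-docker.yml drops the same trigger in this commit. If a release is ever published by something other than the workflow's `GITHUB_TOKEN` (a PAT, an app token, or the web UI), the release event would start pypi-wheels a second time alongside the call from release.yml, and two runs would try to upload the same version. Either remove the `release` trigger here too, or add a `concurrency` group keyed on the tag so that only one publish runs per release. How release.yml creates the release is not visible in this diff, so this needs confirming against that step.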
@@ -19,7 +23,7 @@ on:
 ###############################################################################
 permissions:
- contents: read # needed for checkout + GH API
+ contents: read # needed for checkout
 ###############################################################################
 jobs:
@@ -31,24 +35,22 @@ jobs:
 steps:
 # -----------------------------------------------------------------------
- # Decide which tag we’re going to publish
+ # Decide which tag we're going to publish
 # -----------------------------------------------------------------------
 - name: Determine tag
 id: tag
 shell: bash
 env:
- # populated only for workflow_dispatch
- MANUAL_TAG: ${{ github.event.inputs.tag }}
- RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+ # workflow_call passes tag here; workflow_dispatch may or may not
+ CALL_TAG: ${{ inputs.tag }}
 run: |
 set -euo pipefail
- if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
- RAW_TAG="${RELEASE_TAG_NAME}"
- elif [[ -n "${MANUAL_TAG}" ]]; then
- RAW_TAG="${MANUAL_TAG}"
+ if [[ -n "${CALL_TAG}" ]]; then
+ RAW_TAG="${CALL_TAG}"
 else
- # manual w/o tag → ask GitHub API for latest release tag
- RAW_TAG=$(gh release view --repo "${{ github.repository }}" --json tagName --jq .tagName)
+ # workflow_dispatch without a tag → query latest release (no auth
+ # needed for public repos)
+ RAW_TAG=$(curl -sf "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r .tag_name)
 fi
 if [[ ! "${RAW_TAG}" =~ ^v[0-9A-Za-z._+-]+$ ]]; then
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 37e5aaf..8851fa4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -352,6 +352,8 @@ jobs:
 name: Public GitHub Release
 needs: [linux-x64, linux-arm64, windows, macos-x64, macos-arm64]
 runs-on: ubuntu-latest
+ outputs:
+ tag: ${{ steps.version.outputs.tag }}
 permissions:
 contents: write
 id-token: write
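Review bot: In release-docker.yml's `Determine tag` step (hunk `@@ -31,24 +35,22 @@`), the new fallback calls the REST API without credentials, so it is subject to the per-IP unauthenticated rate limit on shared runners and returns 404 if the repository is ever made private; `curl -sf` then fails the step without printing a reason. The workflow already holds `contents: read`, so the token can be sent: add `GH_TOKEN: ${{ github.token }}` under `env:` and pass `-H "Authorization: Bearer ${GH_TOKEN}"`, with `-sSf` so that errors are shown. I would also read the repository from `${GITHUB_REPOSITORY}` rather than expanding `${{ github.repository }}` inside the script, which keeps expression interpolation out of the shell text. The step continues past the end of the hunk.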
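Review bot: The new job output in release.yml (hunk `@@ -352,6 +352,8 @@`) reads `steps.version.outputs.tag`, but no step with id `version` is visible in this hunk, and nothing shown downstream catches an output that resolves to an empty string. Both called workflows treat an empty tag as "use the latest release" (the `else` branches in pypi.yml and release-docker.yml), so a missing output would likely publish whichever release is newest instead of failing. Consider a guard in the step that sets the output, for example `[[ -n "${TAG}" ]] || { echo "empty release tag" >&2; exit 1; }`, assuming that step holds the tag in a shell variable. The job body starts and ends outside the hunk.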
@@ -405,3 +407,24 @@ jobs:
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
 subject-path: 'target/release/*'
+
+ # ──────────────── Publish Docker image ────────────────
+ publish-docker:
+ needs: [release]
+ uses: ./.github/workflows/release-docker.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ permissions:
+ contents: read
+ packages: write
+
+ # ──────────────── Publish PyPI wheels ────────────────
+ publish-pypi:
+ needs: [release]
+ uses: ./.github/workflows/pypi.yml
+ with:
+ tag: ${{ needs.release.outputs.tag }}
+ secrets: inherit
+ permissions:
+ contents: read
+ id-token: write
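Review bot: `secrets: inherit` on `publish-pypi` exposes every secret available to release.yml to the called workflow, which is broader than a publish job needs. The pypi.yml lines visible in this diff use only `github.token`, and the job is already granted `id-token: write`, which suggests (not confirmed here) OIDC-based publishing. If pypi.yml reads no repository secret, drop the line; otherwise pass the required ones by name under `secrets:` and declare them under `on.workflow_call.secrets` in pypi.yml. `publish-docker` passes none, so the two jobs would then follow the same least-privilege pattern.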