fix(ci-cd): use PAT to push tag so publish-images.yml is triggered (#1742)

* fix(ci-cd): use PAT to push tag so publish-images.yml is triggered

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs(ci-cd): explain why GITHUB_PAT is needed for tag-triggered workflows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Update workflows.md

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: tyler-dane

.github/workflows/bump-and-tag.yml

@@ -19,6 +19,8 @@ jobs:
           fetch-depth: 0
 
       - name: Bump patch version and push tag
+        env:
+          COMPASS_PAT: ${{ secrets.COMPASS_CI_TOKEN }}
         run: |
           LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1)
           [ -z "$LATEST" ] && LATEST="v0.0.0"
@@ -30,4 +32,4 @@ jobs:
           NEW_TAG="v${MAJOR}.${MINOR}.$((PATCH + 1))"
           echo "Bumping ${LATEST} → ${NEW_TAG}"
           git tag "$NEW_TAG"
-          git push origin "$NEW_TAG"
+          git push "https://x-access-token:${COMPASS_CI_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$NEW_TAG"

docs/CI-CD/workflows.md

@@ -69,6 +69,7 @@ All secrets go in **GitHub → Settings → Secrets and variables → Actions**:
 
 | Secret | Value |
 |---|---|
+| `COMPASS_CI_TOKEN` | Fine-grained PAT needed for the bump and tag workflow |
 | `DOCKERHUB_USERNAME` | Docker Hub username for the `switchbacktech` org |
 | `DOCKERHUB_TOKEN` | Docker Hub personal access token (Read & Write) |
 | `STAGING_SSH_HOST` | VPS IP address or hostname |