Fix publish workflow to checkout the bumped version

The publish job was checking out the commit that triggered the workflow,
not the new commit with the bumped version. Now we capture the new tag
from the bump step and pass it as the ref to the reusable publish workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: mikolalysenko

.github/workflows/publish.yml

@@ -32,6 +32,8 @@ permissions:
 jobs:
   bump-version:
     runs-on: ubuntu-latest
+    outputs:
+      new-tag: ${{ steps.bump.outputs.new-tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -47,7 +49,10 @@ jobs:
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Bump version
-        run: npm version ${{ inputs.version-bump }} -m "v%s"
+        id: bump
+        run: |
+          npm version ${{ inputs.version-bump }} -m "v%s"
+          echo "new-tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT"
 
       - name: Push changes
         run: git push && git push --tags
@@ -60,5 +65,6 @@ jobs:
       dist-tag: ${{ inputs.dist-tag }}
       package-name: '@socketsecurity/socket-patch'
       publish-script: 'publish:ci'
+      ref: ${{ needs.bump-version.outputs.new-tag }}
       setup-script: 'pnpm run build'
       use-trusted-publishing: true