diff --git a/.github/workflows/aur-publish.yml b/.github/workflows/aur-publish.yml
index c2358ab..8191870 100644
--- a/.github/workflows/aur-publish.yml
+++ b/.github/workflows/aur-publish.yml
@@ -90,14 +90,15 @@ jobs:
             echo "missing required secret: AUR_SSH_PRIVATE_KEY" >&2
             exit 1
           fi
-          mkdir -p ~/.ssh
-          echo "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > ~/.ssh/aur
-          chmod 600 ~/.ssh/aur
-          ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
+          mkdir -p "$HOME/.ssh"
+          printf '%s\n' "${{ secrets.AUR_SSH_PRIVATE_KEY }}" > "$HOME/.ssh/aur"
+          chmod 600 "$HOME/.ssh/aur"
+          ssh-keyscan -H aur.archlinux.org >> "$HOME/.ssh/known_hosts"
+          chmod 644 "$HOME/.ssh/known_hosts"
 
       - name: Publish openbitdo and openbitdo-bin
         env:
-          GIT_SSH_COMMAND: ssh -i ~/.ssh/aur -o IdentitiesOnly=yes
+          GIT_SSH_COMMAND: ssh -i $HOME/.ssh/aur -o IdentitiesOnly=yes -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=accept-new
         run: |
           set -euo pipefail
           publish_pkg() {
diff --git a/packaging/homebrew/sync_tap.sh b/packaging/homebrew/sync_tap.sh
index 9aaa725..6780faa 100755
--- a/packaging/homebrew/sync_tap.sh
+++ b/packaging/homebrew/sync_tap.sh
@@ -16,7 +16,8 @@ HOMEBREW_TAP_TOKEN="$(printf '%s' "${HOMEBREW_TAP_TOKEN}" | tr -d '\r\n')"
 
 ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
 TAP_REPO="${HOMEBREW_TAP_REPO:-bybrooklyn/homebrew-openbitdo}"
-TAP_USER="${HOMEBREW_TAP_USERNAME:-${GITHUB_ACTOR:-x-access-token}}"
+TAP_OWNER="${TAP_REPO%%/*}"
+TAP_USER="${HOMEBREW_TAP_USERNAME:-$TAP_OWNER}"
 FORMULA_SOURCE="${FORMULA_SOURCE:-$ROOT/packaging/homebrew/Formula/openbitdo.rb}"
 TMP="$(mktemp -d)"
 
@@ -25,7 +26,24 @@ if [[ ! -f "$FORMULA_SOURCE" ]]; then
   exit 1
 fi
 
-git clone "https://${TAP_USER}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git" "$TMP/tap"
+clone_url() {
+  local user="$1"
+  echo "attempting tap clone using token auth as '${user}'"
+  git clone "https://${user}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git" "$TMP/tap"
+}
+
+if ! clone_url "$TAP_USER"; then
+  # Some token types (for example GitHub App tokens) require x-access-token.
+  if [[ "$TAP_USER" != "x-access-token" ]]; then
+    rm -rf "$TMP/tap"
+    clone_url "x-access-token"
+    TAP_USER="x-access-token"
+  else
+    echo "failed to clone tap repo with HOMEBREW_TAP_TOKEN" >&2
+    exit 1
+  fi
+fi
+
 mkdir -p "$TMP/tap/Formula"
 cp "$FORMULA_SOURCE" "$TMP/tap/Formula/openbitdo.rb"
 
@@ -37,4 +55,5 @@ git commit -m "Update openbitdo formula" || {
   echo "no formula changes to push"
   exit 0
 }
+git remote set-url origin "https://${TAP_USER}:${HOMEBREW_TAP_TOKEN}@github.com/${TAP_REPO}.git"
 git push