The problem is, I think, due to the fact that applying bfg changes the commit ID (sha1) of every commit that contained the sensitive files, as well as every commit that derives from those commits in the repository.
The code in Pkg.tag() tries to use the sha1 IDs stored under METADATA/EEG/versions/ directories for each older version of the module, to find which ones are ancestors of the current commit [1] - but since the older versions' sha1 IDs have been changed by bfg, the command fails.
If you're specifying the version number yourself and don't need the auto-increment features of Pkg.tag, you can do a force tagging via Pkg.tag("EEG", v"0.0.3", force=true) which skips the part that does the sha1 comparison.
However, it may be better to go back and tag each version from 0.0.1 (or whichever your first version was) with the correct commit ID, as seen with git log --tags now. This will avoid having to use force=true every time, and thus missing out on the sanity checks in Pkg.tag that the force option skips.
(By the way, I'm not sure how the bfg-ing of history will affect any existing users of the module, but my guess is that they would need to either mess with git rebase or just delete the EEG module's directory locally and add it afresh.)
[1] (at https://github.com/JuliaLang/PkgDev.jl/blob/e7e0e5aeda9310317a161d9755d86f919e990485/src/entry.jl#L220 , which in turn calls https://github.com/JuliaLang/julia/blob/84c06b17c6d5373cee213103834e8811533290f0/base/pkg/read.jl#L13 )