From af518c12e403a60c6173317c06e7c11e2236c56f Mon Sep 17 00:00:00 2001
From: YiWang24 <yiwang2457@gmail.com>
Date: Mon, 25 May 2026 23:12:27 -0400
Subject: [PATCH] fix(ci): clear extraheader before pushing with RELEASE_PAT

actions/checkout sets http.extraheader with github.token, which
overrides the RELEASE_PAT in the remote URL. Clear the extraheader
before pushing so the PAT actually takes effect.
---
 .github/workflows/on-main-bump-sha.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/on-main-bump-sha.yml b/.github/workflows/on-main-bump-sha.yml
index b8d1835..37f73e0 100644
--- a/.github/workflows/on-main-bump-sha.yml
+++ b/.github/workflows/on-main-bump-sha.yml
@@ -143,11 +143,13 @@ jobs:
           git commit -m "${commit_msg}" -m "${commit_body}"
 
           # Use RELEASE_PAT for the push — github.token cannot push
-          # .github/workflows/ files (requires "workflows" permission
-          # which doesn't exist in workflow syntax).
-          git remote set-url origin \
-            "https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git"
-          git push origin "${branch}"
+          # .github/workflows/ files. We must clear the extraheader
+          # that actions/checkout sets (which injects github.token on
+          # every request) and push directly with the PAT in the URL.
+          git config --local --unset-all 'http.https://github.com/.extraheader' || true
+          git push \
+            "https://x-access-token:${RELEASE_PAT}@github.com/${GITHUB_REPOSITORY}.git" \
+            "${branch}"
           echo "::notice::Pushed branch ${branch}"
 
       - name: Manage PRs — close old, clean orphans, open new