
ci: fix bump-platform-submodule auth (Basic, not Bearer) #395

Merged
nk-ag merged 1 commit into main from fix/bump-platform-submodule-auth
May 28, 2026
NiveditJain (Member) commented May 28, 2026

Summary

Fixes the first post-merge run of .github/workflows/bump-platform-submodule.yml (introduced in #394), which failed with:

[main 0c18a8a] Bump failproofai/oss to 3bb5421
fatal: could not read Username for 'https://github.com': No such device or address
Push failed on attempt 1 — rebasing onto latest main
fatal: could not read Username for 'https://github.com': No such device or address

Run: https://github.com/FailproofAI/failproofai/actions/runs/26587331160/job/78336760505

Root cause

The CodeRabbit hardening in #394 set persist-credentials: false on the actions/checkout step (correct — keeps the cross-repo PAT out of .git/config) and then authenticated git push/git fetch inline via:

AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}"
git -c http.extraheader="$AUTH_HEADER" push origin main

That works for GitHub's REST API but not for git-over-HTTPS smart-protocol. GitHub's git endpoints expect Basic auth with x-access-token:<pat> as the credential pair — the exact format actions/checkout writes internally when persist-credentials: true. With Bearer, git gets a 401, falls through to interactive credential prompting, and dies on stdin (fatal: could not read Username).

Fix

Swap the header to base64-encoded Basic auth, matching actions/checkout's own extraheader format:

-          AUTH_HEADER="Authorization: bearer ${PLATFORM_BUMP_TOKEN}"
+          AUTH_B64=$(printf '%s' "x-access-token:${PLATFORM_BUMP_TOKEN}" | base64 -w0)
+          AUTH_HEADER="Authorization: basic ${AUTH_B64}"
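
Review bot: AUTH_B64 on the first added line is a secret-equivalent string that the runner's log masking does not know about, because only the PLATFORM_BUMP_TOKEN value itself is registered as a secret. Registering it right after it is computed, with echo "::add-mask::${AUTH_B64}", would keep the header redacted if it ever reaches the log (for example under set -x or git tracing). Separately, base64 -w0 is a GNU coreutils flag, so the same line assumes a runner with GNU base64; piping plain base64 through tr -d '\n' would remove that dependency.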

persist-credentials: false and the SHA pin from #394 stay in place — the token is still never written to .git/config, and both the push and the rebase-and-retry fetch in the loop now authenticate correctly.

Test plan

  • CI green on this PR (the workflow itself doesn't run on PRs, only on push: main / workflow_dispatch).
  • After merge: confirm the next push-triggered Bump platform submodule pointer run on main lands a fresh Bump failproofai/oss to <short-sha> commit on FailproofAI/platform main (verify with git log --oneline main -3 in that repo).
  • If wanting to validate before merge: Actions → Bump platform submodule pointer → Run workflow on this branch (the dispatch is allowed off any branch); should either push a bump or no-op cleanly if already in sync.

Summary by CodeRabbit

  • Bug Fixes

    • Resolved authentication failures in cross-repository git operations during automated updates.
  • Documentation

    • Updated changelog for version 0.0.11-beta.3.


The persist-credentials: false hardening from #394 broke the
first post-merge run with:

  fatal: could not read Username for 'https://github.com'

The inline http.extraheader was using "Authorization: bearer <pat>",
which authenticates GitHub's REST API but not git-over-HTTPS smart
protocol — git push/fetch want Basic auth with `x-access-token:<pat>`
(what actions/checkout itself sets internally when persist-credentials
is true). Swap to the base64-encoded Basic header so both the push and
the fetch in the rebase-and-retry loop authenticate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
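
A preflight check for the failure mode described in this PR, as an added example that is not part of the PR or the workflow: it builds the Basic header in the x-access-token:<token> form and rejects a Bearer header before git attempts the push. The function names and return codes are constructed for illustration, and base64 -d assumes a GNU-style base64.

```shell
#!/usr/bin/env bash
# Added example; function names and return codes are hypothetical.

# Build the header in the format the PR describes:
# Basic auth over "x-access-token:<token>".
# tr -d '\n' strips base64 line wrapping without the GNU-only -w0 flag.
git_basic_header() {
  [ -n "$1" ] || return 1
  printf 'Authorization: basic %s' \
    "$(printf '%s' "x-access-token:$1" | base64 | tr -d '\n')"
}

# Preflight check for a header destined for git's http.extraheader.
# Returns 0 if it is usable for git-over-HTTPS,
#         2 if it is a Bearer header (the failure mode in this PR),
#         3 if it is malformed in any other way.
check_git_auth_header() {
  local header="$1" scheme value decoded
  case "$header" in
    [Aa]uthorization:\ *) ;;
    *) return 3 ;;
  esac
  value="${header#*: }"                      # drop "Authorization: "
  scheme=$(printf '%s' "${value%% *}" | tr '[:upper:]' '[:lower:]')
  value="${value#* }"                        # credential part
  case "$scheme" in
    bearer) return 2 ;;
    basic) ;;
    *) return 3 ;;
  esac
  # The credential must decode to "x-access-token:<non-empty token>".
  decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 3
  case "$decoded" in
    x-access-token:?*) return 0 ;;
    *) return 3 ;;
  esac
}
```

Calling check_git_auth_header "$AUTH_HEADER" before the push loop turns the opaque "could not read Username" failure into an explicit exit code.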
coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 27d18281-1454-4391-a4d3-d559d110a5ba

📥 Commits

Reviewing files that changed from the base of the PR and between 3bb5421 and 8dfdc0d.

📒 Files selected for processing (2)
  • .github/workflows/bump-platform-submodule.yml
  • CHANGELOG.md

📝 Walkthrough

The workflow's git authentication for cross-repo push/fetch operations is changed from Bearer to base64-encoded Basic auth headers. The bump-platform-submodule.yml workflow now constructs an Authorization header using x-access-token:<PLATFORM_BUMP_TOKEN> encoded in base64, exported to git commands. A changelog entry documents this authentication fix.

Changes

Git Authentication Fix for Submodule Bump

Layer / File(s) | Summary
Workflow authentication with Basic auth header (.github/workflows/bump-platform-submodule.yml, CHANGELOG.md) | Workflow bash script generates base64-encoded Basic auth Authorization header using x-access-token:<PLATFORM_BUMP_TOKEN> for authenticated git push/fetch operations in cross-repo submodule bumps; changelog documents the fix for handling persist-credentials: false.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • FailproofAI/failproofai#394: The main PR updates the existing bump-platform-submodule.yml workflow's push/fetch authentication header construction (switching to base64-encoded Basic auth), directly aligning with the retrieved PR's creation/implementation of the same workflow and its cross-repo git auth mechanics.

Poem

🐰 A token wrapped in base64's cloak,
Authentication's no longer a joke!
Basic auth headers, now standing tall,
Race-safe pushes, answering the call—
x-access-token, our hero for all! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely describes the main change: fixing authentication in the bump-platform-submodule workflow by switching from Bearer to Basic auth.
Description check | ✅ Passed | The description comprehensively covers the issue, root cause, fix, and test plan; however, the provided template includes a checklist that is not addressed in the PR description.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

nk-ag merged commit 1a37c48 into main on May 28, 2026
10 checks passed