chore(ci): fix sync push auth shadowed by checkout credentials #60742

Merged: Piccirello merged 1 commit into master from tom/fix-sync-push-auth on May 29, 2026
Conversation

@Piccirello (Member)

Problem

The sync rework in #60583 broke production foss-sync and private-sync — both fail at the push step:

  • foss-sync: Permission to posthog/posthog-foss.git denied to github-actions[bot] (403)
  • private-sync: Repository not found (404 — the default token can't see the private repo)

actions/checkout persists the default GITHUB_TOKEN as an http.https://github.com/.extraheader. That Authorization header shadows the app-token credentials embedded in the push remote URL, so both pushes authenticate as github-actions[bot] instead of the posthog-foss-sync / posthog-private-sync apps. The old PostHog/git-sync Docker action never hit this because it ran a fresh clone with no checkout extraheader.

posthog-foss and posthog-private have stopped receiving updates until this lands. master on those repos is not corrupted — both runs failed at the first push, so nothing was half-written.

Changes

Add persist-credentials: false to the posthog checkout in both foss-sync.yml and private-sync.yml. This removes the shadowing auth header, so the app token embedded in the push remote URL is the one used. posthog is public, so the partial-clone (blob:none) lazy blob fetches still work unauthenticated.

How did you test this code?

I'm an agent — no manual end-to-end run (these workflows only trigger on push to posthog master and can't run from a PR/fork).

  • Validated both workflow files parse (python3 -c "import yaml; yaml.safe_load(...)").
  • The auth mechanism was verified earlier with a manual blob:none partial clone of posthog pushed to a throwaway branch on posthog-foss — it succeeded, precisely because a manual clone has no actions/checkout extraheader. persist-credentials: false reproduces that same condition in CI.

End-to-end confirmation will come from the first post-merge run on master.

Automatic notifications

  • Publish to changelog?
  • Alert Sales and Marketing teams?

🤖 Agent context

Authored by Claude Code at the maintainer's direction. Root-caused from the failing run logs: the 403/404 identities (github-actions[bot]) showed the push used the default token, not the app token in the remote URL — the signature of actions/checkout's persisted http.extraheader shadowing URL credentials.

Alternatives considered and rejected: a per-remote http.<url>.extraheader override (git sends all matching extraheaders, producing two Authorization headers) and unsetting the generic extraheader before each push (equivalent effect, more fragile). persist-credentials: false is the standard, minimal fix; lazy blob fetches stay anonymous because posthog is public.

Note: this commit is unsigned — the maintainer's commit-signing key (Secretive, Touch ID) can't be driven from the agent environment. Re-sign via amend from a local terminal if signed commits are required to merge.
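The checkout-then-push arrangement the PR describes, written out as an added example workflow. This is not the PR's own foss-sync.yml or private-sync.yml; the job layout, the secret names, the use of actions/create-github-app-token to mint the app token, and the guard step are assumptions. Only the persist-credentials / http.extraheader behaviour comes from the PR discussion.

```yaml
# Added illustration, not the real foss-sync.yml / private-sync.yml.
# Job name, secret names, the app-token step and the guard step are assumed.
name: foss-sync-example

on:
  push:
    branches: [master]

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (the broken state): with the default persist-credentials: true,
      # actions/checkout writes
      #   http.https://github.com/.extraheader = AUTHORIZATION: basic <GITHUB_TOKEN>
      # into .git/config. Git then sends that header on every request to
      # github.com, shadowing the credentials embedded in the push remote URL,
      # so the push is authenticated as github-actions[bot].
      #
      # - uses: actions/checkout@v4
      #   with:
      #     fetch-depth: 0
      #     filter: blob:none

      # AFTER: persist-credentials: false leaves no extraheader in the repo
      # config. The clone is anonymous, which is fine because the source repo
      # is public; the lazy blob:none fetches stay unauthenticated as well.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          filter: blob:none
          persist-credentials: false

      # Assumed: a GitHub App installation token scoped to the target repo.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.SYNC_APP_ID }}  # assumed secret name
          private-key: ${{ secrets.SYNC_APP_PRIVATE_KEY }}  # assumed secret name
          owner: posthog
          repositories: posthog-foss

      # Guard: fail fast if any http.*.extraheader is still persisted, since it
      # would silently override the token in the remote URL used below.
      # `git config --get-regexp` exits non-zero when nothing matches.
      - name: Assert no persisted checkout credentials
        run: |
          if git config --get-regexp '^http\..*\.extraheader$'; then
            echo "::error::persisted http.extraheader found; it would shadow the push token"
            exit 1
          fi

      # Push with the app token embedded in the remote URL. Passing the URL on
      # the command line keeps the token out of .git/config.
      - name: Push to target repo
        env:
          TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          git push "https://x-access-token:${TOKEN}@github.com/posthog/posthog-foss.git" HEAD:refs/heads/master
```

The guard step is the part worth keeping even if the checkout inputs change later: it turns the silent identity swap the PR diagnosed from the 403/404 logs into an immediate, named failure before anything is pushed.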

actions/checkout persists the default GITHUB_TOKEN as an http.extraheader, which shadowed the app-token credentials embedded in the push remote URL, so the foss/private sync pushes authenticated as github-actions[bot] (403 on posthog-foss, 404 on posthog-private) instead of the sync apps. Set persist-credentials: false so the app token in the remote URL is used; posthog is public, so the partial-clone lazy blob fetches still work unauthenticated.
@Piccirello Piccirello added the skip-inkeep-docs Use this label to skip an Inkeep docs PR in posthog.com label May 29, 2026
@assign-reviewers-posthog assign-reviewers-posthog Bot requested a review from a team May 29, 2026 21:15
@greptile-apps (Contributor)

greptile-apps Bot commented May 29, 2026

Reviews (1): Last reviewed commit: "chore(ci): fix sync push auth shadowed b..."

@Piccirello Piccirello requested a review from feliperalmeida May 29, 2026 21:17
@Piccirello Piccirello added the stamphog Request AI review from stamphog label May 29, 2026

@stamphog stamphog Bot left a comment

Gates denied this PR: it modifies CI/CD authentication workflows (foss-sync and private-sync), which are on the deny-list. Changes to auth behavior in sync workflows require human review from @PostHog/team-devex.

@stamphog stamphog Bot removed the stamphog Request AI review from stamphog label May 29, 2026
@Piccirello Piccirello merged commit 7c45a1b into master May 29, 2026
189 of 195 checks passed
@Piccirello Piccirello deleted the tom/fix-sync-push-auth branch May 29, 2026 21:25
@deployment-status-posthog

deployment-status-posthog Bot commented May 29, 2026

Deploy status

Environment   Status        Deployed At
dev           ✅ Deployed   2026-05-29 21:46 UTC
prod-us       ✅ Deployed   2026-05-29 22:10 UTC
prod-eu       ✅ Deployed   2026-05-29 22:14 UTC
