fix(ci): use deploy key for release automation git pushes #160

Merged: iamfj merged 1 commit into next from fix/release-automation-postmerge-errors, Apr 22, 2026

Conversation

@iamfj iamfj (Member) commented Apr 22, 2026

What does this PR do?

Fixes post-merge release automation failures caused by a git auth mismatch in protected-branch workflows.

  • Use repo deploy key for workflows that must push commits/tags (release-check, sync-main-release-back-to-next)
  • Force SSH remote for push path in those workflows
  • Configure semantic-release repository URL to SSH so @semantic-release/git push/tag uses deploy key auth

This keeps workflow behavior the same; only the auth transport changes.

Type of change

  • Bug fix
  • New feature
  • Refactor (no behavior change)
  • Documentation
  • Tests
  • Build / CI

Checklist

  • npm run check:ci passes (lint + format)
  • npx tsc --noEmit passes (type check)
  • npm test passes (unit tests)
  • New code has tests (happy path + primary error case)
  • Commit messages follow Conventional Commits

Testing

Validated by configuration-level checks and dry-run release initialization:

npm run check:ci
npm run release:dry-run

Also verified failing production run root cause and fix target:

  • Release failure was @semantic-release/git push rejected by branch rules using HTTPS/token path.
  • New wiring routes pushes through SSH deploy key path.

Notes for reviewers

  • Kept branch lean: no promote-token changes (that path already fixed upstream and now passing).
  • PR should target next.

@iamfj iamfj merged commit 897634a into next Apr 22, 2026
10 checks passed
@iamfj iamfj deleted the fix/release-automation-postmerge-errors branch April 22, 2026 19:04
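The wiring the description sketches, as an added example that is not the repository's own workflow: one release job whose checkout installs the deploy key, verifies that the key is accepted for pushes, and only then runs semantic-release. `OWNER/REPO`, the job layout and the Node setup are assumptions; `RELEASE_DEPLOY_KEY` is the secret name the PR uses.

```yaml
# Added example, not the repository's own workflow. OWNER/REPO and the job
# layout are assumptions; RELEASE_DEPLOY_KEY is the secret name used in the PR.
name: release-check
on:
  push:
    branches: [main, next]

permissions:
  contents: write   # GITHUB_TOKEN still creates the GitHub Release; branch rules reject its pushes

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                              # semantic-release walks the full history
          ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }}  # checkout installs the key and sets origin to git@github.com:OWNER/REPO.git
          # persist-credentials is deliberately left at its default (true). Setting it to
          # false strips the key and core.sshCommand right after the clone, so every later
          # git push/tag fails with "Permission denied (publickey)".

      - name: Fail fast if the deploy key is not accepted for pushes
        # --dry-run talks to receive-pack (a read-only key is rejected) without updating any ref
        run: git push --dry-run origin HEAD:refs/heads/${GITHUB_REF_NAME}

      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci

      - name: Run semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # API calls only; git traffic goes over the deploy key
        run: npx semantic-release
```

Pair this with `"repositoryUrl": "git@github.com:OWNER/REPO.git"` in the semantic-release configuration, as the PR does, so that `@semantic-release/git` pushes commits and tags over the same key instead of the HTTPS token path.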

@chatgpt-codex-connector chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5b42037911


fetch-depth: 0
ref: ${{ steps.target.outputs.branch }}
ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }}
persist-credentials: false
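Review bot: `persist-credentials: false` on this checkout step cancels the `ssh-key` input for every later step: actions/checkout installs the deploy key and points origin at the SSH URL for the clone, then removes that git configuration again when persistence is off, so `npm run release:run` has no key when `@semantic-release/git` pushes and tags. Drop the `persist-credentials: false` line (the default is `true`, and checkout's post-job cleanup removes the key when the job ends), or install the key in a dedicated step immediately before the release runs.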

P1: Keep checkout credentials persisted for semantic-release

This workflow now disables credential persistence even though later steps rely on authenticated Git pushes (npm run release:run with @semantic-release/git), so the deploy key is not available to subsequent git push/tag operations and release publishing will still fail with SSH auth errors. actions/checkout's persist-credentials: false opts out of configuring token/SSH auth for later git commands, which conflicts with the intended deploy-key push path in this job.


ref: next
fetch-depth: 0
ssh-key: ${{ secrets.RELEASE_DEPLOY_KEY }}
persist-credentials: false
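Review bot: Same defect as in the release-check workflow: with `persist-credentials: false`, the deploy key configured by `ssh-key` is gone before `git push origin HEAD:next` runs. Beyond removing that line, note that the Testing section lists only `npm run check:ci` and `npm run release:dry-run`, neither of which exercises push authentication; a `git push --dry-run origin HEAD:refs/heads/next` step after checkout would surface a rejected key in CI before the main -> next sync depends on it.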

P1: Preserve auth credentials for sync workflow pushes

The sync job also disables credential persistence but then performs git push origin HEAD:next; with persist-credentials: false, checkout does not leave the deploy-key auth configured for subsequent git commands, so this push step can fail with Permission denied (publickey) and break automatic main -> next synchronization after releases.

