Use git -c credential.helper for git push — token never embedded in URL, written to .git/config, or derived into an unmasked value#32

Merged
pmalarme merged 4 commits intofeature/add-documentation-and-copilot-instructionsfrom
copilot/sub-pr-18-again
Feb 19, 2026
Conversation

Copilot AI (Contributor) commented Feb 19, 2026

Summary

Embedding a token in a git push URL risks credential exposure in git error messages and verbose output. Using git remote set-url is equally problematic since it persists the token in .git/config. An earlier iteration used git -c http.extraHeader with a base64-encoded token, but base64-derived values are not automatically masked by GitHub Actions — only the raw secret value is. This switches both release workflows to pass credentials via an inline git -c credential.helper shell function that uses ${GH_TOKEN} directly, avoiding all three issues.

monorepo-release.yml and python-release.yml:

  • Replace git push "https://x-access-token:${TOKEN}@..." with:

        git -c "credential.helper=!f() { printf 'username=x-access-token\npassword=%s\n' \"${GH_TOKEN}\"; }; f" \
          push "https://${REMOTE_HOST}/${GH_REPOSITORY}.git" "$TAG"

  • ${GH_TOKEN} is used directly (the raw secret value), so GitHub Actions will mask it if it ever appears in logs.
  • Token is never written to .git/config, never embedded in a URL, and no derived/unmasked value is created.
  • Credentials are passed only via git's internal credential protocol to a subprocess — not written to any log.

Testing

  • Not run (why?)
  • uv run poe check
  • Other: CodeQL scan — 0 alerts; bash syntax validation passed

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context


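As an added offline demonstration (not code from the PR or the workflows it edits) of how the inline helper hands the token to git: `git credential fill` runs the same helper lookup that `git push` performs over HTTPS, so the credential-protocol lines can be inspected without any network. It assumes git is installed and GH_TOKEN is exported (GitHub Actions `env:` does that); the single-quoted helper string is a variation on the PR's form that keeps the literal text `$GH_TOKEN`, not its value, in git's argv, so expansion happens only inside the helper subprocess.

```shell
#!/bin/sh
# Added example, not from the PR. Exercises git's credential protocol offline.
# Assumes: git is installed; GH_TOKEN is exported by the caller.

# Helper string in SINGLE quotes: the outer shell leaves $GH_TOKEN unexpanded,
# so the token is not part of git's command line. git runs the helper with
# `sh -c` (the "!" prefix), and that subprocess expands $GH_TOKEN from its
# inherited environment and writes it only to git's credential pipe.
HELPER='!f() { printf "username=x-access-token\npassword=%s\n" "$GH_TOKEN"; }; f'

# Resolve credentials for one host exactly as a push would, printing the
# protocol lines (protocol=, host=, username=, password=) git receives.
# System/global config is disabled so no other helper interferes.
credential_fill() {
  host="$1"
  printf 'protocol=https\nhost=%s\n\n' "$host" |
    GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null \
    git -c "credential.helper=$HELPER" credential fill
}

# Return 0 when a scratch repo with a token-free remote URL keeps neither the
# token nor the helper in .git/config after a `git -c` invocation, i.e. the
# -c setting is process-local and nothing is persisted to disk.
check_token_not_persisted() {
  tmp=$(mktemp -d)
  if (
    cd "$tmp" &&
    GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null git init -q . &&
    git remote add origin "https://github.com/example/repo.git" &&
    GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null \
      git -c "credential.helper=$HELPER" config --get remote.origin.url >/dev/null &&
    ! grep -qF "$GH_TOKEN" .git/config &&
    ! grep -q 'credential' .git/config
  ); then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}
```

Running `GH_TOKEN=... credential_fill github.com` shows the password line once, on git's credential stream; the same token does not appear in `ps` output for the git process or in the repository config.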

…itten to .git/config

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on documentation and copilot instructions Use http.extraHeader for git push — token never embedded in URL or written to .git/config Feb 19, 2026
Copilot AI requested a review from pmalarme February 19, 2026 14:03
@pmalarme (Owner) commented:

@copilot by doing that you can decode the token and it won't be masked?

…ectly, stays masked by GitHub Actions

Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Copilot AI (Contributor, Author) commented Feb 19, 2026

> @copilot by doing that you can decode the token and it won't be masked?

Correct — that was a real problem. GitHub Actions only masks the literal value of ${{ secrets.GITHUB_TOKEN }}; the base64-encoded value is a derived string that is not automatically masked, so it could appear in logs unredacted and be trivially decoded.

Fixed in commit 27d356b by switching to git -c credential.helper with an inline shell function that uses ${GH_TOKEN} directly:

git -c "credential.helper=!f() { printf 'username=x-access-token\npassword=%s\n' \"${GH_TOKEN}\"; }; f" \
  push "https://${REMOTE_HOST}/${GH_REPOSITORY}.git" "$TAG"

Since ${GH_TOKEN} is the raw secret value, GitHub Actions will mask it if it ever appears in logs. The credential helper runs as a subprocess and writes only to git's credential pipe, not to the log. The token is never written to .git/config and never embedded in a URL.

Copilot AI changed the title Use http.extraHeader for git push — token never embedded in URL or written to .git/config Use git -c credential.helper for git push — token never embedded in URL, written to .git/config, or derived into an unmasked value Feb 19, 2026
@pmalarme pmalarme requested review from Copilot February 19, 2026 14:09
@github-actions github-actions bot left a comment

Security Review — PR #32

Overall posture: ✅ Positive change — no blocking issues found.

This PR correctly addresses the credential exposure risk where embedding a GitHub token directly in a push URL could leak it through git error messages and verbose output. The http.extraHeader approach is the recommended pattern.

What looks good

  • Token is no longer embedded in any URL or stored in .git/config
  • ENCODED_TOKEN is a shell-local variable (not exported), so it is not inherited by child processes
  • unset ENCODED_TOKEN (and unset ENCODED_TOKEN PUSH_CMD in python-release.yml) is called promptly after use
  • base64 encoding is the correct encoding for HTTP Basic Auth — not a security concern
  • The PUSH_CMD array pattern in python-release.yml correctly avoids splitting on spaces in the header value

Findings

| # | Category | Severity | File | Issue |
|---|----------|----------|------|-------|
| 1 | CI/CD Security (§14) | Informational | monorepo-release.yml:78 | -c http.extraHeader=… arg is visible in the process list during git push; ACTIONS_STEP_DEBUG warning comment is now slightly inaccurate |
| 2 | CI/CD Security (§14) | Informational | python-release.yml:55 | Same as above for the PUSH_CMD array; nearby WARNING comment refers to "push URL" which no longer contains the token |

Both findings are informational only — the risk is the same as the old URL-based approach and is negligible in GitHub Actions' isolated VM environment. The inline comments include suggested WARNING comment updates to keep documentation accurate.

No other issues found across all 15 security posture categories.

Copilot AI (Contributor) left a comment

Pull request overview

This PR enhances security in GitHub Actions release workflows by replacing token-embedded URLs with git credential helpers, preventing token exposure in logs and configuration files.

Changes:

  • Modified python-release.yml to use inline credential helper instead of token-embedded URLs
  • Modified monorepo-release.yml to use the same secure credential helper pattern
  • Updated comments to explain the security benefits and correct variable usage

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|------|-------------|
| .github/workflows/python-release.yml | Replaced token-embedded git push URL with inline credential helper using GH_TOKEN directly |
| .github/workflows/monorepo-release.yml | Replaced token-embedded git push URL with inline credential helper using GH_TOKEN directly |

@pmalarme pmalarme marked this pull request as ready for review February 19, 2026 14:13
@pmalarme pmalarme merged commit ef7d199 into feature/add-documentation-and-copilot-instructions Feb 19, 2026
16 checks passed
@pmalarme pmalarme deleted the copilot/sub-pr-18-again branch February 19, 2026 14:13
Copilot AI review requested due to automatic review settings March 23, 2026 22:14