From cc5592a47c726b852b6ff335639137d80585549d Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 3 Oct 2025 16:22:19 +0200
Subject: [PATCH] chore(ci): fix publish nx shells out to git, which uses the authorization configured on the repo that was checkedout. update the repo authorization when switching between auth tokens
---
 scripts/release-canary.ts | 13 +++++++++----
 scripts/release-stable.ts | 13 ++++++++++---
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/scripts/release-canary.ts b/scripts/release-canary.ts
index 201d94765..fe7dd75f6 100644
--- a/scripts/release-canary.ts
+++ b/scripts/release-canary.ts
@@ -24,9 +24,13 @@ import { execSync } from 'child_process'
 // token, because releasePublish wants a token that has the id_token: write permission
 // so that we can use OIDC for trusted publishing
- const gh_token_bak = process.env.GITHUB_TOKEN
- process.env.GITHUB_TOKEN = process.env.RELEASE_GITHUB_TOKEN
-
+ // backup original auth header
+ const originalAuth = execSync('git config --local http.https://github.com/.extraheader')
+ .toString()
+ .trim()
+ // switch the token used
+ const authHeader = `AUTHORIZATION: basic ${Buffer.from(`x-access-token:${process.env.RELEASE_GITHUB_TOKEN}`).toString('base64')}`
+ execSync(`git config --local http.https://github.com/.extraheader "${authHeader}"`)
 await releaseChangelog({
 versionData: projectsVersionData,
 version: workspaceVersion,
@@ -36,7 +40,8 @@ import { execSync } from 'child_process'
 })
 // npm publish with OIDC
- process.env.GITHUB_TOKEN = gh_token_bak
+ // not strictly necessary to restore the header but do it incase we require it later
+ execSync(`git config --local http.https://github.com/.extraheader "${originalAuth}"`)
 const publishResult = await releasePublish({
 registry: 'https://registry.npmjs.org/',
 access: 'public',
diff --git a/scripts/release-stable.ts b/scripts/release-stable.ts
index bf3b60b83..b18542b60 100644
--- a/scripts/release-stable.ts
+++ b/scripts/release-stable.ts
@@ -62,8 +62,13 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
 // token, because releasePublish wants a token that has the id_token: write permission
 // so that we can use OIDC for trusted publishing
- const gh_token_bak = process.env.GITHUB_TOKEN
- process.env.GITHUB_TOKEN = process.env.RELEASE_GITHUB_TOKEN
+ // backup original auth header
+ const originalAuth = execSync('git config --local http.https://github.com/.extraheader')
+ .toString()
+ .trim()
+ // switch the token used
+ const authHeader = `AUTHORIZATION: basic ${Buffer.from(`x-access-token:${process.env.RELEASE_GITHUB_TOKEN}`).toString('base64')}`
+ execSync(`git config --local http.https://github.com/.extraheader "${authHeader}"`)
 const result = await releaseChangelog({
 versionData: projectsVersionData,
@@ -74,7 +79,9 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
 })
 // npm publish with OIDC
- process.env.GITHUB_TOKEN = gh_token_bak
+ // not strictly necessary to restore the header but do it incase we require it later
+ execSync(`git config --local http.https://github.com/.extraheader "${originalAuth}"`)
+
 const publishResult = await releasePublish({
 registry: 'https://registry.npmjs.org/',
 access: 'public',
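Review bot: The added `execSync` that writes `authHeader` in the first release-stable.ts hunk builds a shell string around the base64 of `RELEASE_GITHUB_TOKEN`, so a failing command puts that encoded credential into the thrown error text, and nothing visible here registers the encoded form for log masking (inferred: the runner masks the raw secret, not its base64). Passing the value as an argument vector, `execFileSync('git', ['config', '--local', 'http.https://github.com/.extraheader', authHeader])` with `execFileSync` added to the `child_process` import, removes the shell quoting, and emitting `::add-mask::` for the encoded string before use keeps it out of the job log. The read of `originalAuth` also throws when the key is unset, because `git config` exits non-zero, and an unset `RELEASE_GITHUB_TOKEN` is silently encoded as `x-access-token:undefined`; both deserve an explicit check before the header is swapped. The same lines appear in the first release-canary.ts hunk, and the enclosing block starts and ends outside the hunk.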
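Review bot: The restoring `execSync` in the second release-stable.ts hunk only runs when `releaseChangelog` resolves, so a thrown error leaves the release token's header in the repository's local git config for whatever runs next in that checkout. Wrapping the call as `try { await releaseChangelog(…) } finally { /* restore http.https://github.com/.extraheader */ }` makes the restore unconditional. `originalAuth` is also interpolated into a double-quoted shell string, so it is better passed as an argument vector than through the shell, since its content is whatever the checkout step stored. The second release-canary.ts hunk has the same pattern, and the `releaseChangelog` call begins outside this hunk.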