From 022e8baefc6d55ba49ccbbf2184179f45c0fcc75 Mon Sep 17 00:00:00 2001
From: Tommaso Sciortino <sciortino@gmail.com>
Date: Tue, 12 May 2026 15:15:16 -0700
Subject: [PATCH] fix(ci): configure git remote with token for authentication
 (#26949)

---
 .github/actions/publish-release/action.yml | 6 ++++--
 .github/workflows/release-promote.yml      | 3 ++-
 .github/workflows/release-rollback.yml     | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/actions/publish-release/action.yml b/.github/actions/publish-release/action.yml
index c34f4c8e0a..1a34b1f191 100644
--- a/.github/actions/publish-release/action.yml
+++ b/.github/actions/publish-release/action.yml
@@ -114,13 +114,14 @@ runs:
         BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
         DRY_RUN: '${{ inputs.dry-run }}'
         RELEASE_TAG: '${{ inputs.release-tag }}'
+        GIT_PUSH_TOKEN: '${{ inputs.github-release-token || inputs.github-token }}'
       run: |-
         set -e
         git add package.json package-lock.json packages/*/package.json
         git commit -m "chore(release): ${RELEASE_TAG}"
         if [[ "${DRY_RUN}" == "false" ]]; then
           echo "Pushing release branch to remote..."
-          git push --set-upstream origin "${BRANCH_NAME}" --follow-tags
+          git push "https://x-access-token:${GIT_PUSH_TOKEN}@github.com/${{ github.repository }}.git" "HEAD:${BRANCH_NAME}" --follow-tags
         else
           echo "Dry run enabled. Skipping push."
         fi
@@ -336,7 +337,8 @@ runs:
       shell: 'bash'
       run: |
         echo "Cleaning up release branch ${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}..."
-        git push origin --delete "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}"
+        git push "https://x-access-token:${GIT_PUSH_TOKEN}@github.com/${{ github.repository }}.git" --delete "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}"
 
       env:
+        GIT_PUSH_TOKEN: '${{ inputs.github-release-token || inputs.github-token }}'
         STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
diff --git a/.github/workflows/release-promote.yml b/.github/workflows/release-promote.yml
index 4ac5213a27..2b703bff7a 100644
--- a/.github/workflows/release-promote.yml
+++ b/.github/workflows/release-promote.yml
@@ -403,6 +403,7 @@ jobs:
           BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
           DRY_RUN: '${{ github.event.inputs.dry_run }}'
           NEEDS_CALCULATE_VERSIONS_OUTPUTS_NEXT_NIGHTLY_VERSION: '${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}'
+          GIT_PUSH_TOKEN: '${{ secrets.GEMINI_CLI_ROBOT_GITHUB_PAT }}'
         run: |-
           git add package.json packages/*/package.json
           if [ -f package-lock.json ]; then
@@ -411,7 +412,7 @@ jobs:
           git commit -m "chore(release): bump version to ${NEEDS_CALCULATE_VERSIONS_OUTPUTS_NEXT_NIGHTLY_VERSION}"
           if [[ "${DRY_RUN}" == "false" ]]; then
             echo "Pushing release branch to remote..."
-            git push --set-upstream origin "${BRANCH_NAME}"
+            git push "https://x-access-token:${GIT_PUSH_TOKEN}@github.com/${{ github.repository }}.git" "HEAD:${BRANCH_NAME}" --follow-tags
           else
             echo "Dry run enabled. Skipping push."
           fi
diff --git a/.github/workflows/release-rollback.yml b/.github/workflows/release-rollback.yml
index f23e6908b7..1de277d172 100644
--- a/.github/workflows/release-rollback.yml
+++ b/.github/workflows/release-rollback.yml
@@ -193,7 +193,7 @@ jobs:
         run: |
           echo "ROLLBACK_TAG=$ROLLBACK_TAG_NAME" >> "$GITHUB_OUTPUT"
           git tag "$ROLLBACK_TAG_NAME" "${ORIGIN_HASH}"
-          git push origin --tags
+          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git" --tags
 
       - name: 'Verify Rollback Tag Added'
         if: "${{ github.event.inputs.dry-run == 'false' }}"