diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ab5600..2e091e6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,13 +113,15 @@ jobs:
         run: |
           git config --global user.name "github-actions[bot]"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          # pom.xml's developerConnection still points at the SSH URL for
-          # local-dev convenience. CI doesn't have an SSH key any more — it
-          # auths via the http.extraheader actions/checkout set up — so
-          # override developerConnection to HTTPS so maven-release-plugin
-          # pushes over HTTPS and picks up the PAT credential.
-          mvn -B -ntp -Dstyle.color=always release:prepare -P sign \
-            -DdeveloperConnection=scm:git:https://github.com/${REPO}.git
+          # pom.xml's <developerConnection> uses an SSH URL for local-dev
+          # convenience. maven-release-plugin's `prepare` mojo reads pom
+          # directly and does NOT expose a `developerConnection` CLI
+          # override (only `connectionUrl`, used by `perform`). So make
+          # git transparently rewrite the SSH URL to HTTPS — the
+          # http.extraheader actions/checkout set up then authenticates
+          # the push with the RELEASE_TOKEN PAT. No pom change needed.
+          git config --global url."https://github.com/".insteadOf "git@github.com:"
+          mvn -B -ntp -Dstyle.color=always release:prepare -P sign
           cat release.properties
           RELEASE_TAG=$(grep '^scm.tag=' release.properties | cut -d'=' -f2)
           echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"