From 6acd8f0fadb8998d15e3d0e3fc8e379eed0145b9 Mon Sep 17 00:00:00 2001
From: Jonathan Putney
Date: Wed, 20 May 2026 14:00:56 -0400
Subject: [PATCH] ci(release): rewrite SSH URL to HTTPS for release:prepare push
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous PAT swap unblocked checkout's HTTPS clone but not maven- release-plugin's push. `release:prepare` reads pom's directly and does NOT expose a `developerConnection` CLI override (only `connectionUrl`, which `release:perform` consumes for the post-tag checkout). So `-DdeveloperConnection=...` had no effect — the push still ran against pom's SSH URL and failed with "Permission denied (publickey)" because there's no SSH key on the runner anymore. Fix: git URL rewriting via `url..insteadOf`. When maven-scm- provider-gitexe spawns `git push git@github.com:jcputney/magika-java.git`, git transparently rewrites the URL to `https://github.com/...`, and the http.extraheader set up by actions/checkout authenticates the push with the RELEASE_TOKEN PAT. This leaves pom.xml's developerConnection at its SSH URL — local devs running `mvn release:prepare` continue to work the same way.
---
 .github/workflows/release.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3ab5600..2e091e6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,13 +113,15 @@ jobs:
 run: |
 git config --global user.name "github-actions[bot]"
 git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- # pom.xml's developerConnection still points at the SSH URL for
- # local-dev convenience. CI doesn't have an SSH key any more — it
- # auths via the http.extraheader actions/checkout set up — so
- # override developerConnection to HTTPS so maven-release-plugin
- # pushes over HTTPS and picks up the PAT credential.
- mvn -B -ntp -Dstyle.color=always release:prepare -P sign \
- -DdeveloperConnection=scm:git:https://github.com/${REPO}.git
+ # pom.xml's uses an SSH URL for local-dev
+ # convenience. maven-release-plugin's `prepare` mojo reads pom
+ # directly and does NOT expose a `developerConnection` CLI
+ # override (only `connectionUrl`, used by `perform`). So make
+ # git transparently rewrite the SSH URL to HTTPS — the
+ # http.extraheader actions/checkout set up then authenticates
+ # the push with the RELEASE_TOKEN PAT. No pom change needed.
+ git config --global url."https://github.com/".insteadOf "git@github.com:"
+ mvn -B -ntp -Dstyle.color=always release:prepare -P sign
 cat release.properties
 RELEASE_TAG=$(grep '^scm.tag=' release.properties | cut -d'=' -f2)
 echo "RELEASE_TAG=${RELEASE_TAG}" >> "$GITHUB_ENV"
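Review bot: The added `git config --global url."https://github.com/".insteadOf "git@github.com:"` rewrites every GitHub SSH remote for the runner user, not only this repository's push URL, so any later git call in the job that uses an SSH-form GitHub URL is moved onto the HTTPS path that, per the new comment, is authenticated by the RELEASE_TOKEN extraheader. Scoping the prefix to the one repository keeps the PAT's reach as narrow as the release needs: `git config --global url."https://github.com/${GITHUB_REPOSITORY}".insteadOf "git@github.com:${GITHUB_REPOSITORY}"`. Because the setting is `--global` it also outlives this step, which matters if the job ever runs on a self-hosted or reused runner; unsetting it once `release:prepare` has finished would avoid that. The `run:` block starts above and continues below this hunk, so whether later commands or steps issue further git operations is not visible here.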