Fix git push authentication failure in release workflow

.github/workflows/publish-release-assets.yml

@@ -125,6 +125,22 @@ jobs:
             # Note: This tag represents the state of the release workflow repository,
             # not the source repository. The tag is used as a reference point for the release.
             git tag "${TAG_NAME}"
+
+            # Configure git to use GitHub token for authentication
+            git config --global user.email "github-actions[bot]@users.noreply.github.com"
+            git config --global user.name "github-actions[bot]"
+
+            # Configure git credentials securely using credential helper
+            # This keeps the token out of the command line and git URLs
+            git config --global credential.helper 'cache --timeout=300'
+            git credential approve <<EOF
+protocol=https
+host=github.com
+username=x-access-token
+password=${GH_TOKEN}
+EOF
+
+            # Push the tag using standard remote (credentials from helper)
             git push origin "${TAG_NAME}"
           fi
 

IMPLEMENTATION.md

@@ -40,6 +40,10 @@ The implementation includes multiple security measures:
 - **Problem**: Release assets were uploaded as empty files because the workflow was using `browser_download_url` with API authentication, which doesn't download files correctly
 - **Solution**: Changed to use GitHub API asset endpoint with asset IDs (`repos/owner/repo/releases/assets/{id}`) via `gh api` command with proper `Accept: application/octet-stream` header
 
+### Git Push Authentication Issue
+- **Problem**: When pushing tags, git would fail with "could not read Username for 'https://github.com'" because HTTPS authentication wasn't configured
+- **Solution**: Configured git credential helper to securely provide authentication using the GitHub token, avoiding exposing the token in command-line arguments or URLs
+
 ## Setup Required
 
 Before the workflow can be used, you need to configure one secret: