
Refactor createDependentPR to use http.extraHeader for auth#1412

Open
issuetopr-dev[bot] wants to merge 2 commits intomainfrom
feature/refactor-git-auth-extraheader

Conversation


issuetopr-dev Bot commented Dec 15, 2025

Summary

  • Refactor the createDependentPR workflow to avoid embedding tokens in the remote URL. Keep origin as a normal https URL and pass authentication via an ephemeral HTTP Authorization header.
  • Update SyncBranchTool (both app and shared) to use a per-command Authorization header for git push in container environments and rely on the refactored pushBranch for host environments.
  • Update pushBranch helpers (app and shared) to use git -c http.https://github.com/.extraHeader="Authorization: bearer <token>" push ... so credentials are never persisted in .git/config.

Details

  • Removed git remote set-url origin "https://x-access-token:<token>@github.com/..." usage.
  • When networked git operations are required (fetch/pull/push), inject auth with:
    • git -c http.https://github.com/.extraHeader="Authorization: bearer <token>" <command>
  • Ensured origin stays set to the clean URL: https://github.com/<owner>/<repo>.git.
  • The command string is executed inside the container via Dockerode without logging the full command, keeping tokens out of logs.

Files changed

  • lib/workflows/createDependentPR.ts
  • lib/tools/SyncBranchTool.ts
  • shared/src/lib/tools/SyncBranchTool.ts
  • lib/git.ts
  • shared/src/lib/git.ts

Rationale

  • Safer: tokens are not written to .git/config, not left in remotes, and not echoed in URLs.
  • Least persistent: uses per-command -c options so nothing is persisted.

Notes

  • I kept the changes scoped to the areas performing pushes and fetches for the dependent PR workflow and the branch sync tool, which are the main spots that previously embedded credentials.
  • ESLint passes via pnpm run lint. Prettier and full type checks are not part of the normal CI workflow here, and running them locally flags pre-existing issues unrelated to this change.

Closes #1410

… in remote URLs

- In createDependentPR workflow, stop setting tokenized remote URLs. Keep origin as a clean https URL and inject Authorization header per git command using for fetch, pull, and push.
- Update SyncBranchTool (both app and shared) to push with ephemeral Authorization header instead of mutating the remote URL.
- Update pushBranch helper (both app and shared) to use per-command header and avoid persisting credentials.

This hardens auth handling so tokens are not written to .git/config or logged in remote URLs.
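As an added example (not the project's lib/git.ts or SyncBranchTool.ts), the invocation the PR describes in TypeScript: it builds the `-c http.https://github.com/.extraHeader=...` argv as a single argument, checks that origin is still a clean URL, and masks the token before a command line is logged. The GIT_CONFIG_* environment-variable route, the helper names and the sample token are assumptions of this example, not part of the PR.

```typescript
// Added example, not the project's own code: per-process git auth via http.<url>.extraHeader,
// so the token never lands in .git/config or the remote URL, plus a redactor for log output.

const EXTRA_HEADER_KEY = "http.https://github.com/.extraHeader";
const SAMPLE_TOKEN = "ghs_constructedExampleToken"; // constructed value, not a real token

/** True only for a plain GitHub https remote with no userinfo (no x-access-token:<token>@). */
function isCleanRemote(url: string): boolean {
  return /^https:\/\/github\.com\/[^@\s]+$/.test(url);
}

/** Argv for spawn("git", argv): the whole `-c key=value` is one argument, no shell quoting. */
function gitArgvWithAuth(token: string, gitArgs: string[]): string[] {
  if (!/^[A-Za-z0-9_.\-]+$/.test(token)) throw new Error("unexpected token format");
  return ["-c", `${EXTRA_HEADER_KEY}=Authorization: bearer ${token}`, ...gitArgs];
}

/** Same config via GIT_CONFIG_COUNT/KEY/VALUE (git >= 2.31). Unlike `-c`, this keeps the
 *  token out of the process command line, which `ps` can expose to other users on a host. */
function gitAuthEnv(token: string): Record<string, string> {
  return {
    GIT_CONFIG_COUNT: "1",
    GIT_CONFIG_KEY_0: EXTRA_HEADER_KEY,
    GIT_CONFIG_VALUE_0: `Authorization: bearer ${token}`,
    GIT_TERMINAL_PROMPT: "0", // fail fast instead of hanging on a credential prompt
  };
}

/** Single-quote one word for `sh -c` (e.g. a Dockerode exec); only the quote itself needs escaping. */
function shellQuote(word: string): string {
  return `'${word.replace(/'/g, `'\\''`)}'`;
}

/** Command line for `sh -c` with the token masked, i.e. the only form safe to log. */
function redactedCommand(argv: string[], token: string): string {
  return ["git", ...argv].map(shellQuote).join(" ").split(token).join("***");
}

/** Everything needed to push a branch: validated remote, argv, env, and a loggable line. */
function preparePush(remote: string, branch: string, token: string) {
  if (!isCleanRemote(remote)) throw new Error("origin must stay a clean https URL");
  const argv = gitArgvWithAuth(token, ["push", "origin", `HEAD:${branch}`]);
  return { argv, env: gitAuthEnv(token), logLine: redactedCommand(argv, token) };
}

const demo = preparePush("https://github.com/owner/repo.git", "feature/x", SAMPLE_TOKEN);
console.log(demo.logLine); // token appears only as ***
```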
issuetopr-dev Bot added the "AI generated" (AI-generated Pull Requests) label Dec 15, 2025

coderabbitai Bot commented Dec 15, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Dec 17 2025 to showcase some of the refinements we've made.

Comment @coderabbitai help to get the list of available commands and usage tips.

vercel Bot temporarily deployed to Preview – issue-to-pr-realtime, December 16, 2025 02:11 (Inactive)
vercel Bot temporarily deployed to Preview – issue-to-pr-storybook, December 16, 2025 02:11 (Inactive)