ci: avoid duplicate release tag auth headers

[haasonsaas]

Summary

• disables checkout credential persistence in the release workflow
• leaves the shared setup-go-service GitHub module credential as the single auth path for tag pushes
• fixes the v0.1.49 release failure caused by duplicate Authorization headers

Validation

• actionlint .github/workflows/release.yml
• git diff --check

[cursor]

PR Summary

Low Risk
Low risk workflow-only change that adjusts GitHub Actions authentication behavior during releases. Main risk is misconfigured credentials could prevent tag pushes or releases.

Overview
The release workflow now sets actions/checkout to persist-credentials: false, preventing the runner from keeping the checkout token in the git config.

This avoids multiple auth paths when pushing release tags, relying on the workflow’s other credential setup to handle tag/release publishing cleanly.

^{Reviewed by Cursor Bugbot for commit e2c22b6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit e2c22b6. Configure here.}

[cursor]

Tag fetch runs before git auth is configured

Medium Severity

The git fetch --force --tags origin step on line 26 runs before setup-go-service (line 29) configures git authentication. With the newly added persist-credentials: false, checkout no longer leaves credentials in the git config. The setup-go-service composite action is what configures the extraheader auth (via git config --global), but it runs two steps later. For a private repository, this fetch will fail with an authentication error. Even for a public repo this creates a fragile ordering dependency.

Additional Locations (1)

• .github/workflows/release.yml#L22-L23

 

^{Reviewed by Cursor Bugbot for commit e2c22b6. Configure here.}