From f69419101e5564e4dfb377c8d2e7a2981158f4f0 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Tue, 12 May 2026 15:07:20 -0500
Subject: [PATCH] fix(ci): add gh auth setup-git to release-plz.sh

The release-plz workflow's checkout uses persist-credentials: false (set
in #471), so the token isn't written to .git/config and `git push origin
release --force` would 403. Mirror the workaround already applied to
scripts/postversion.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 scripts/release-plz.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/release-plz.sh b/scripts/release-plz.sh
index ec1ddca..503ac0a 100755
--- a/scripts/release-plz.sh
+++ b/scripts/release-plz.sh
@@ -47,6 +47,11 @@ if [ -n "$latest_release_version" ] && [ "$cur_pkg_version" = "$latest_release_v
 	git config user.name mise-en-dev
 	git config user.email 123107610+mise-en-dev@users.noreply.github.com
 
+	# Configure git to use gh's credential helper. The checkout step uses
+	# persist-credentials: false (per zizmor's artipacked audit), so the
+	# token isn't written to .git/config and raw `git push` would 403.
+	gh auth setup-git
+
 	# Create a PR with the version bump
 	npm version "${version#v}" --no-git-tag-version