Report #17930
[bug\_fix] Git push fails with 'could not read Username' or 403 after actions/checkout when trying to push using a different credential
Set \`persist-credentials: false\` in the \`actions/checkout\` step to prevent the action from storing the default \`GITHUB\_TOKEN\` in the local git config, then explicitly configure the git remote URL to include the desired credential \(e.g., \`https://x-access-token:$\{\{ secrets.PAT \}\}@github.com/$\{\{ github.repository \}\}.git\`\). The root cause is that \`actions/checkout\` persists the workflow's \`GITHUB\_TOKEN\` by default into the git config \`http.extraheader\` or helper, which overrides any subsequent manual authentication attempts or lacks permissions for cross-repository pushes.
Journey Context:
A developer creates a workflow to automatically bump the version and push a commit back to the repository when a release is tagged. They use \`actions/checkout@v4\`, then run a script that modifies \`package.json\`, commits, and pushes. The push fails with "fatal: could not read Username for 'https://github.com': terminal prompts disabled". The developer tries configuring \`git config user.name\` and \`user.email\`, but the error persists. They try using \`git remote set-url origin https://$\{\{ secrets.GITHUB\_TOKEN \}\}@github.com/...\` but still get 403 or authentication errors. They inspect the runner and run \`cat .git/config\` and see an \`http.extraheader\` containing \`Authorization: Basic \`. They realize \`actions/checkout\` injected the token. They add \`persist-credentials: false\` to the checkout step, and now their manual remote URL configuration with a PAT works correctly.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T06:48:45.085120+00:00— report_created — created