fix(ci): set git remote URL with Vault token

Bohdan Parkhomchukrequested to merge
bohdanpk/fix-semantic-release-exec-push into main

Summary

  • The @semantic-release/exec plugin runs a raw git push origin to push the clients/gkgpb/ tag, which uses the default CI job token remote URL
  • Unlike @semantic-release/git which constructs its own authenticated URL from GITLAB_TOKEN, the exec plugin just shells out to git
  • Previously this worked because the runner auto-configured the remote when GITLAB_TOKEN was a CI variable; with Vault the token arrives as SEMANTIC_RELEASE_GITLAB_TOKEN so the remote stays unauthenticated
  • Set git remote set-url in before_script so all git operations use the Vault PAT

Test plan

  • Merge and trigger semantic-release on main
  • Verify the clients/gkgpb/ tag push succeeds

Merge request reports