Use git credential helper for secure authentication

Co-authored-by: volodymyr-memsql <57520563+volodymyr-memsql@users.noreply.github.com>

Author: Copilot

.github/workflows/publish-release-assets.yml

@@ -130,8 +130,16 @@ jobs:
             git config --global user.email "github-actions[bot]@users.noreply.github.com"
             git config --global user.name "github-actions[bot]"
 
-            # Push the tag using authenticated URL
-            git push https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git "${TAG_NAME}"
+            # Configure git credentials securely using credential helper
+            # This keeps the token out of the command line and git URLs
+            git config --global credential.helper 'cache --timeout=300'
+            echo "protocol=https
+host=github.com
+username=x-access-token
+password=${GH_TOKEN}" | git credential approve
+
+            # Push the tag using standard remote (credentials from helper)
+            git push origin "${TAG_NAME}"
           fi
 
           # Create release with options (avoiding eval for security)

IMPLEMENTATION.md

@@ -42,7 +42,7 @@ The implementation includes multiple security measures:
 
 ### Git Push Authentication Issue
 - **Problem**: When pushing tags, git would fail with "could not read Username for 'https://github.com'" because HTTPS authentication wasn't configured
-- **Solution**: Changed to use token-authenticated URL format (`https://x-access-token:${GH_TOKEN}@github.com/${repo}.git`) for pushing tags, which provides authentication inline
+- **Solution**: Configured git credential helper to securely provide authentication using the GitHub token, avoiding exposing the token in command-line arguments or URLs
 
 ## Setup Required