Fix extension release workflow PR branch authentication #17737

Merged: adamint merged 1 commit into microsoft:main from adamint:dev/adamint/extension-release-pr-creation-auth on May 30, 2026

@adamint (Member) commented May 30, 2026

Description

The Extension Release workflow could pass its permission gate and prepare release files, then fail when pushing the extension-release/v... branch because checkout intentionally uses persist-credentials: false and the previous bearer http.extraHeader approach did not provide Git HTTPS credentials for git push.

This configures origin with the GitHub App token using the repository's existing x-access-token remote URL pattern before ls-remote, fetch, and push, and disables interactive Git prompts so authentication failures fail clearly in CI. The draft release PR still uses the GitHub App token, then removes/re-adds the vscode-extension-release label so the downstream extension changelog agentic workflow receives a fresh pull_request labeled event.

Validation:

  • Parsed the workflow YAML and syntax-checked the extracted Create draft pull request shell script with bash -n.
  • Ran git diff --check.
  • Verified the same https://x-access-token:<token>@github.com/<repo>.git credential shape can non-interactively push and delete a temporary branch.
  • Confirmed the live agentic workflow is active and wired to pull_request labeled events gated on the vscode-extension-release label for same-repo PRs.

Fixes # (issue)

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 30, 2026 21:43
@github-actions (Contributor)

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17737

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17737"

Copilot AI (Contributor) left a comment

Pull request overview

Replaces the previous bearer http.extraHeader Git auth with an x-access-token URL embedded in origin's remote URL so git push (and ls-remote/fetch) of the extension-release/v<version> branch authenticates correctly using the GitHub App token, matching the pattern already used elsewhere in the repo.

Changes:

  • Set origin remote URL to https://x-access-token:${GH_TOKEN}@.../${REPOSITORY}.git before remote Git operations.
  • Disable interactive Git prompts via GIT_TERMINAL_PROMPT=0 to fail fast on auth errors.
  • Drop the http.extraHeader=AUTHORIZATION: bearer ... per-command overrides for ls-remote, fetch, and push.
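
An added example, not code from this PR or the repository's workflow: the remote-URL credential pattern described above, run offline against a throwaway repository. The function names, `example-org/example-repo` and `CONSTRUCTED_TOKEN` are constructed placeholders, and the scrub-and-check step is an addition here that the PR does not describe; it is included because `git remote set-url` stores the token in `.git/config`.

```bash
# Added example, not the workflow's own script. Function names, the
# repository name and the token value are constructed placeholders.

# Fail instead of prompting when credentials are missing or rejected.
export GIT_TERMINAL_PROMPT=0

# Point origin at the token-bearing URL (the x-access-token pattern).
# This stores the token in clear text in .git/config.
set_token_remote() {  # <repo_dir> <token> <owner/repo>
  git -C "$1" remote set-url origin \
    "https://x-access-token:${2}@github.com/${3}.git"
}

# Restore the credential-free URL so the token does not outlive the step.
scrub_remote() {  # <repo_dir> <owner/repo>
  git -C "$1" remote set-url origin "https://github.com/${2}.git"
}

# Exit 0 if any remote URL in the repo still carries userinfo.
remote_has_credentials() {  # <repo_dir>
  git -C "$1" config --get-regexp '^remote\..*\.url$' |
    grep -Eq '[[:space:]][a-z+]+://[^/@[:space:]]+@'
}

# Run a command with the token remote set; always scrub; return its status.
with_token_remote() {  # <repo_dir> <token> <owner/repo> <cmd...>
  wt_dir=$1; wt_repo=$3; wt_rc=0
  set_token_remote "$wt_dir" "$2" "$wt_repo" || return 1
  shift 3
  "$@" || wt_rc=$?
  scrub_remote "$wt_dir" "$wt_repo"
  return "$wt_rc"
}

# Offline demo on a throwaway repository; nothing contacts the network.
demo() {
  d_dir=$(mktemp -d)
  git init -q "$d_dir"
  git -C "$d_dir" remote add origin https://github.com/example-org/example-repo.git
  # remote_has_credentials stands in for the ls-remote/fetch/push step.
  if with_token_remote "$d_dir" CONSTRUCTED_TOKEN example-org/example-repo \
       remote_has_credentials "$d_dir"
  then d_during=present; else d_during=absent; fi
  if remote_has_credentials "$d_dir"
  then d_after=present; else d_after=absent; fi
  rm -rf "$d_dir"
  echo "during=$d_during after=$d_after"
}
demo
```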

@adamint adamint merged commit 9fabd6c into microsoft:main May 30, 2026
313 checks passed
@microsoft-github-policy-service microsoft-github-policy-service Bot added this to the 13.5 milestone May 30, 2026