debug: add logging to credential clearing

actions/checkout now stores git credentials in external config files
via includeIf instead of directly in .git/config. Our configureGitAuth
was only unsetting extraheader from local config, missing the included
files. This caused git push to use the stale github-actions[bot] token
instead of the Claude app token.

Now we enumerate all config origins and clear extraheader entries from
any included credential files.

src/github/operations/git-config.ts

@@ -42,13 +42,55 @@ export async function configureGitAuth(
   await $`git config user.email "${botId}+${botName}@${noreplyDomain}"`;
   console.log(`✓ Set git user as ${botName}`);
 
-  // Remove the authorization header that actions/checkout sets
+  // Remove the authorization header that actions/checkout sets.
+  // Newer versions of actions/checkout store credentials in external config files
+  // referenced via includeIf, so --unset-all on local config may not find them.
+  // We clear both: local config entries and any includeIf credential files.
   console.log("Removing existing git authentication headers...");
   try {
     await $`git config --unset-all http.${GITHUB_SERVER_URL}/.extraheader`;
-    console.log("✓ Removed existing authentication headers");
+    console.log("✓ Removed existing authentication headers from local config");
-  } catch (e) {
+  } catch {
-    console.log("No existing authentication headers to remove");
+    console.log("No existing authentication headers in local config to remove");
+  }
+
+  // Clear extraheader from includeIf credential config files set by actions/checkout
+  try {
+    const configOutput = await $`git config --list --show-origin`.text();
+    const extraheaderPattern = `http.${GITHUB_SERVER_URL}/.extraheader=`;
+    console.log(
+      `Scanning git config origins for extraheader pattern: ${extraheaderPattern}`,
+    );
+    let foundExternalEntries = false;
+    for (const line of configOutput.split("\n")) {
+      if (!line.includes(extraheaderPattern)) continue;
+      // Format: "file:<path>\t<key>=<value>"
+      const match = line.match(/^file:(.+?)\t/);
+      if (!match) {
+        console.log(
+          `Found extraheader but could not parse origin: ${line.substring(0, 80)}`,
+        );
+        continue;
+      }
+      const configFile = match[1]!;
+      // Skip the local .git/config — we already handled that above
+      if (configFile.endsWith("/.git/config")) {
+        console.log("Skipping .git/config (already handled)");
+        continue;
+      }
+      foundExternalEntries = true;
+      try {
+        await $`git config --file ${configFile} --unset-all http.${GITHUB_SERVER_URL}/.extraheader`;
+        console.log(`✓ Removed authentication headers from ${configFile}`);
+      } catch {
+        console.log(`Could not unset extraheader from ${configFile}`);
+      }
+    }
+    if (!foundExternalEntries) {
+      console.log("No external credential config files found");
+    }
+  } catch (error) {
+    console.log(`Could not enumerate git config origins: ${error}`);
   }
 
   // Update the remote URL to include the token for authentication