Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

After ~60 minutes the Azure DevOps repository configured with WorkloadIdentity
returns HTTP 302 (“redirect to sign-in”) and the argocd-repo-server marks the
repository as unreachable until the pod is restarted.
Argo CD should refresh the short-lived Azure token automatically, but on
v3.0.3 it does not.

To Reproduce

1. Deploy Argo CD v3.0.3 (Helm chart argo-cd-8.0.9)
2. Add an Azure Devops Git repo using only Workload Identity credentials
   (no PAT or SSH key), exactly as described in the docs:
   https://argo-cd.readthedocs.io/en/stable/user-guide/private-repositories/#azure-container-registryazure-repos-using-azure-workload-identity
3. Wait > 60 minutes (lifetime of token).
4. Trigger a sync or let the controller poll.
5. Observe sync failure in the UI and error log on argocd-repo-server:

   Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = failed to list refs: unexpected client error: unexpected requesting "https://<org>@dev.azure.com/<org>/<proj>/_git/<repo>/info/refs?service=git-upload-pack" status code: 302

Expected behavior

argocd-repo-server should refresh the Azure token before it expires and continue to
clone/fetch without manual intervention.

Version

• Argo CD version: v3.0.3
• Argo CD Helm chart: argo-cd-8.0.9

Logs

   Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = failed to list refs: unexpected client error: unexpected requesting "https://<org>@dev.azure.com/<org>/<proj>/_git/<repo>/info/refs?service=git-upload-pack" status code: 302