diff --git a/gitlab/commodore-compile.jsonnet b/gitlab/commodore-compile.jsonnet
index 0ccc732..e3ab20c 100644
--- a/gitlab/commodore-compile.jsonnet
+++ b/gitlab/commodore-compile.jsonnet
@@ -46,10 +46,23 @@ local gitInsteadOf(cluster) =
     else if https_catalog != null then
       // set an insteadOf which injects credentials if we have a catalog URL
       // that's already HTTPS in Lieutenant.
+      local replacement = 'https://%(catalog_user)s:%(access_token)s@%(https_catalog)s' % {
+        catalog_user: cluster_access_user,
+        access_token: cluster_access_token,
+        https_catalog: https_catalog,
+      };
       [
-        'git config --global url."https://%(catalog_user)s:%(access_token)s@%(https_catalog)s".insteadOf https://%(https_catalog)s' % {
-          catalog_user: cluster_access_user,
-          access_token: cluster_access_token,
+        // for fetch/clone
+        'git config --global url."%(replacement)s".insteadOf https://%(https_catalog)s' % {
+          replacement: replacement,
+          https_catalog: https_catalog,
+        },
+        // We need to configure an additional pushInsteadOf for the ssh://git@
+        // variant of a HTTPS catalog URL since Commodore will optimistically
+        // rewrite all HTTPS Git URLs to have their ssh://git@ equivalent as
+        // the push URL to make local component development easier.
+        'git config --global url."%(replacement)s".pushInsteadOf ssh://git@%(https_catalog)s' % {
+          replacement: replacement,
           https_catalog: https_catalog,
         },
       ]
diff --git a/gitlab/tests/golden/external-catalog.yml b/gitlab/tests/golden/external-catalog.yml
index dfe5f1c..d1bbafb 100644
--- a/gitlab/tests/golden/external-catalog.yml
+++ b/gitlab/tests/golden/external-catalog.yml
@@ -22,6 +22,7 @@
       "script": [
          "git config --global url.\"https://gitlab-ci-token:${CI_JOB_TOKEN}@git.vshn.net:80\".insteadOf ssh://git@${CI_SERVER_SHELL_SSH_HOST}",
          "git config --global url.\"https://${ACCESS_USER_c_cluster_id_1111:-token}:${ACCESS_TOKEN_c_cluster_id_1111}@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git\".insteadOf https://git.vshn.net/cluster-catalogs/c-cluster-id-1111.git",
+         "git config --global url.\"https://${ACCESS_USER_c_cluster_id_1111:-token}:${ACCESS_TOKEN_c_cluster_id_1111}@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git\".pushInsteadOf ssh://git@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git",
          "/usr/local/bin/entrypoint.sh commodore catalog compile --tenant-repo-revision-override $CI_COMMIT_SHA c-cluster-id-1111",
          "(cd catalog/ && git --no-pager diff --staged --output ../diff.txt)"
       ],
@@ -49,6 +50,7 @@
       "script": [
          "git config --global url.\"https://gitlab-ci-token:${CI_JOB_TOKEN}@git.vshn.net:80\".insteadOf ssh://git@${CI_SERVER_SHELL_SSH_HOST}",
          "git config --global url.\"https://${ACCESS_USER_c_cluster_id_1111:-token}:${ACCESS_TOKEN_c_cluster_id_1111}@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git\".insteadOf https://git.vshn.net/cluster-catalogs/c-cluster-id-1111.git",
+         "git config --global url.\"https://${ACCESS_USER_c_cluster_id_1111:-token}:${ACCESS_TOKEN_c_cluster_id_1111}@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git\".pushInsteadOf ssh://git@git.vshn.net/cluster-catalogs/c-cluster-id-1111.git",
          "/usr/local/bin/entrypoint.sh commodore catalog compile --push c-cluster-id-1111"
       ],
       "stage": "deploy",