The way we do it in our CI is "this one weird trick". We (ab)use Git's url.<base>.insteadOf to re-write the clone URL to include the appropriate credentials in our pipeline and make use of xcodebuild's -usePackageSupportBuiltinSCM.
Our CI of choice is GitLab and it provides ephemeral credentials as environment variables to clone over HTTPS for each job. Specifically it provides, CI_JOB_TOKEN, CI_SERVER_PROTOCOL, and CI_SERVER_HOST.
Typically, our URLs in our Xcode and Package.swift files are of the SSH variety (e.g., git@my.git.server.org:group/project.git). So we use Git's url.<base>.insteadOf to re-write the URL to be HTTP(S) and to include the appropriate credentials.
Example
git config --global url.$CI_SERVER_PROTOCOL://gitlab-ci-token:$CI_JOB_TOKEN@$CI_SERVER_HOST/.insteadOf git@$CI_SERVER_HOST:
Assuming that CI_SERVER_HOST=my.git.server.org, CI_SERVER_PROTOCOL=https, and CI_JOB_TOKEN=WF0IjoxNTE2MjM5MDIyfQ.
This translates any URL in either or Xcode or Package.swift that might look like git@my.git.server.org:group/project.git → https://gitlab-ci-token:WF0IjoxNTE2MjM5MDIyfQ@my.git.server.org/group/project.git.
Then using xcodebuild -usePackageSupportBuiltinSCM along with all of our other normal flags things build just fine.
That git config is cut-n-paste from our .gitlab-ci.yml file and we have found this to be a relatively painless and robust way of handling HTTPS Git authentication. YMMV.
Hope it helps.