KEMBAR78
Require repo disambiguation for secret commands by williammartin · Pull Request #10209 · cli/cli · GitHub
Skip to content

Conversation

@williammartin
Copy link
Member

@williammartin williammartin commented Jan 9, 2025

Description

Fixes #4688
Supersedes #9083

Testing

There is a new acceptance test to run through the non-interactive cases:

➜  cli git:(wm/add-remote-check-to-secret) set -o pipefail && GH_ACCEPTANCE_SCRIPT=secret-require-remote-disambiguation.txtar GH_ACCEPTANCE_HOST=github.com GH_ACCEPTANCE_ORG=gh-acceptance-testing go test -tags acceptance -json -coverprofile=coverage.out -coverpkg=./... -run ^TestSecrets$ github.com/cli/cli/v2/acceptance | tparse --all go test
┌──────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│  STATUS │ ELAPSED │                       TEST                       │             PACKAGE               │
│─────────┼─────────┼──────────────────────────────────────────────────┼───────────────────────────────────│
│  PASS   │   11.45 │ TestSecrets/secret-require-remote-disambiguation │ github.com/cli/cli/v2/acceptance  │
│  PASS   │    0.00 │ TestSecrets                                      │ github.com/cli/cli/v2/acceptance  │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│  STATUS │ ELAPSED │             PACKAGE              │ COVER │ PASS │ FAIL │ SKIP  │
│─────────┼─────────┼──────────────────────────────────┼───────┼──────┼──────┼───────│
│  PASS   │ 12.16s  │ github.com/cli/cli/v2/acceptance │ 10.2% │  2   │  0   │  0    │
└────────────────────────────────────────────────────────────────────────────────────┘

The other secret A/C tests that are expected to pass, pass.

There are some scripts in 0c9b6ed that demonstrate the behaviour. Most importantly, interactive prompting:

#!/usr/bin/env sh
_cli=/Users/williammartin/workspace/cli/
_tmp=/tmp
_org=williammartin-test-org
_repo=gh-some-repo
_gh="$_cli/bin/gh"
_pwd=$(pwd)
set -e
# Uncomment this to echo expanded commands:
#   set -x
cleanup () {
    ARG=$?
    cd $_pwd
    rm -rf "$_tmp/$_repo"
    $_gh repo delete --yes $_repo
    $_gh repo delete --yes "$_org/$_repo"
    exit $ARG
}
trap cleanup EXIT
cd $_tmp
_upstream=$($_gh repo create --private --add-readme $_repo)
$_gh repo fork --clone --org $_org $_upstream
cd $_repo

echo "setting secret..."
$_gh secret set ACCEPTANCE_KEY

echo "listing secrets..."
$_gh secret list

echo "deleting secret..."
$_gh secret delete ACCEPTANCE_KEY
echo 'PASS'
➜ ./multiple-git-remotes-interactive-prompting.sh
✓ Created fork williammartin-test-org/gh-some-repo
Cloning into 'gh-some-repo'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.
From https://github.com/williammartin/gh-some-repo
 * [new branch]      main       -> upstream/main
✓ Cloned fork
! Repository williammartin/gh-some-repo set as the default repository. To learn more about the default repository, run: gh repo set-default --help
setting secret...
! Multiple remotes detected. Due to the sensitive nature of secrets, requiring disambiguation.
? Select a base repo williammartin/gh-some-repo
? Paste your secret: ******

✓ Set Actions secret ACCEPTANCE_KEY for williammartin/gh-some-repo
listing secrets...
! Multiple remotes detected. Due to the sensitive nature of secrets, requiring disambiguation.
? Select a base repo williammartin/gh-some-repo
deleting secret...
! Multiple remotes detected. Due to the sensitive nature of secrets, requiring disambiguation.
? Select a base repo williammartin/gh-some-repo
✓ Deleted Actions secret ACCEPTANCE_KEY from williammartin/gh-some-repo
PASS
✓ Deleted repository williammartin/gh-some-repo
✓ Deleted repository williammartin-test-org/gh-some-repo

@williammartin williammartin changed the title Wm/add remote check to secret Require disambiguation for secret commands Jan 9, 2025
@williammartin williammartin force-pushed the wm/add-remote-check-to-secret branch 2 times, most recently from fae1343 to 4282fef Compare January 9, 2025 16:53
Copy link
Contributor

@jtmcg jtmcg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clever implementation, but I'm wondering if hoisting this even higher and into the factory's BaseRepo function might be the right choice. I'm not sure about the cost of that throughout the rest of the app, but the amount of repetition in the tests are giving me pause.

Maybe it isn't expansion of BaseRepo but instead the introduction of an UnambiguousBaseRepo function on the factory that secret delete, list, and set all use in place of BaseRepo. That way all the functionality is hoisted higher, you remove the need for repetitive testing, and you can rely on mocking in the command tests for the base repo instead of writing the tests you have here to validate the behavior.

@williammartin williammartin force-pushed the wm/add-remote-check-to-secret branch from 4282fef to 393b361 Compare January 15, 2025 12:22
@williammartin williammartin changed the title Require disambiguation for secret commands Require repo disambiguation for secret commands Jan 15, 2025
@williammartin williammartin marked this pull request as ready for review January 15, 2025 13:48
@williammartin williammartin requested a review from a team as a code owner January 15, 2025 13:48
@williammartin williammartin force-pushed the wm/add-remote-check-to-secret branch from af872c3 to ac8ad5d Compare January 15, 2025 13:54
@williammartin williammartin force-pushed the wm/add-remote-check-to-secret branch from ac8ad5d to e7ffb1e Compare January 15, 2025 13:55
Copy link
Member

@andyfeller andyfeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm giving this a preliminary LGTM having read the code, I'm going to build this locally and report back results before final approval.

Comment on lines +102 to +109
var baseRepo ghrepo.Interface
if secretEntity == shared.Repository || secretEntity == shared.Environment {
baseRepo, err = opts.BaseRepo()
if err != nil {
return err
}
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this was moved higher up so any ambiguity errors are raised earlier before the other ways this can error.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeh, similar to #10209 (comment) I just wanted the repo disambiguation frontloaded to avoid going through a bunch of steps only to discover this at the end.

Comment on lines +18 to +21
t.Parallel()

t.Run("succeeds when there is only one remote", func(t *testing.T) {
t.Parallel()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would make a great topic of conversation about testing craftsmanship.

Copy link
Member

@andyfeller andyfeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having manually put it through its paces, I think this is good to go.

Testing notes

Building PR locally

$ cd Documents/workspace/cli/cli
$ gh pr checkout 10209          
Already on 'wm/add-remote-check-to-secret'
Your branch is up to date with 'origin/wm/add-remote-check-to-secret'.
Already up to date.

$ make
go build -trimpath -ldflags "-X github.com/cli/cli/v2/internal/build.Date=2025-01-15 -X github.com/cli/cli/v2/internal/build.Version=v2.65.0-138-ge7ffb1e4 " -o bin/gh ./cmd/gh
``

Setting up upstream and fork repos for testing

```shell
$ ~/Documents/workspace/cli/cli/bin/gh repo create gh-acceptance-testing/10209-upstream --add-readme --private --clone 
✓ Created repository gh-acceptance-testing/10209-upstream on GitHub
  https://github.com/gh-acceptance-testing/10209-upstream
Cloning into '10209-upstream'...

$ ~/Documents/workspace/cli/cli/bin/gh repo fork gh-acceptance-testing/10209-upstream --org gh-acceptance-testing --fork-name 10209-fork
✓ Created fork gh-acceptance-testing/10209-fork
? Would you like to clone the fork? Yes
Cloning into '10209-fork'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.
From https://github.com/gh-acceptance-testing/10209-upstream
 * [new branch]      main       -> upstream/main
✓ Cloned fork
! Repository gh-acceptance-testing/10209-upstream set as the default repository. To learn more about the default repository, run: gh repo set-default --help

Confirming ambiguous prompt behavior

$ cd 10209-fork 

$ ~/Documents/workspace/cli/cli/bin/gh secret set SECRET --body "should be fork" 
! Multiple remotes detected. Due to the sensitive nature of secrets, requiring disambiguation.
? Select a repo  [Use arrows to move, type to filter]
> gh-acceptance-testing/10209-upstream
  gh-acceptance-testing/10209-fork

Creating secrets on upstream and fork for testing in workflow run

$ ~/Documents/workspace/cli/cli/bin/gh secret set SECRET --body "should be fork" --repo gh-acceptance-testing/10209-fork
✓ Set Actions secret SECRET for gh-acceptance-testing/10209-fork

$ ~/Documents/workspace/cli/cli/bin/gh secret set SECRET --body "should be upstream" --repo gh-acceptance-testing/10209-upstream
✓ Set Actions secret SECRET for gh-acceptance-testing/10209-upstream

Creating workflow to test secrets

$ cd ..                          
$ cd 10209-upstream 
$ mkdir -p .github/workflows
$ cat << EOF > .github/workflows/verify.yml
# This workflow is intended to assert the value of the GitHub Actions secret was set appropriately
name: Test Workflow Name
on:
  # Allow workflow to be dispatched by gh workflow run
  workflow_dispatch:

jobs:
  # This workflow contains a single job called "assert" that should only pass if the GitHub Actions secret value matches
  assert:
    runs-on: ubuntu-latest
    steps:
      - name: Assert secret value matches
        env:
          SECRET: ${{ secrets.SECRET }}
        run: |
          if [[ "$SECRET" == "should be upstream" ]]; then
            echo "GitHub Actions secret value states it should be the upstream value"
          elif [[ "$SECRET" == "should be fork" ]]; then
            echo "GitHub Actions secret value states it should be the fork value"
          else
            echo "GitHub Actions secret value does not match anything we expect; this is bad"
            exit 1
          fi
EOF

$ git add verify.yml
$ git commit -m "Test workflow"
$ git push
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 16 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (5/5), 762 bytes | 762.00 KiB/s, done.
Total 5 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To https://github.com/gh-acceptance-testing/10209-upstream.git
   006dbc5..4c1d420  main -> main

Testing secret values with workflow in upstream

$ ~/Documents/workspace/cli/cli/bin/gh run view 12791122577 --repo gh-acceptance-testing/10209-upstream --log
assert	Set up job	2025-01-15T15:04:17.5302179Z Current runner version: '2.321.0'
assert	Set up job	2025-01-15T15:04:17.5340288Z ##[group]Operating System
assert	Set up job	2025-01-15T15:04:17.5341721Z Ubuntu
assert	Set up job	2025-01-15T15:04:17.5342556Z 24.04.1
assert	Set up job	2025-01-15T15:04:17.5343331Z LTS
assert	Set up job	2025-01-15T15:04:17.5344352Z ##[endgroup]
assert	Set up job	2025-01-15T15:04:17.5345387Z ##[group]Runner Image
assert	Set up job	2025-01-15T15:04:17.5346389Z Image: ubuntu-24.04
assert	Set up job	2025-01-15T15:04:17.5347395Z Version: 20250105.1.0
assert	Set up job	2025-01-15T15:04:17.5349449Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
assert	Set up job	2025-01-15T15:04:17.5351932Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1
assert	Set up job	2025-01-15T15:04:17.5353680Z ##[endgroup]
assert	Set up job	2025-01-15T15:04:17.5354509Z ##[group]Runner Image Provisioner
assert	Set up job	2025-01-15T15:04:17.5355565Z 2.0.414.1
assert	Set up job	2025-01-15T15:04:17.5356502Z ##[endgroup]
assert	Set up job	2025-01-15T15:04:17.5358706Z ##[group]GITHUB_TOKEN Permissions
assert	Set up job	2025-01-15T15:04:17.5361479Z Contents: read
assert	Set up job	2025-01-15T15:04:17.5362448Z Metadata: read
assert	Set up job	2025-01-15T15:04:17.5363318Z Packages: read
assert	Set up job	2025-01-15T15:04:17.5364702Z ##[endgroup]
assert	Set up job	2025-01-15T15:04:17.5369809Z Secret source: Actions
assert	Set up job	2025-01-15T15:04:17.5370966Z Prepare workflow directory
assert	Set up job	2025-01-15T15:04:17.5856623Z Prepare all required actions
assert	Set up job	2025-01-15T15:04:17.5997410Z Complete job name: assert
assert	Assert secret value matches	2025-01-15T15:04:17.7028911Z ##[group]Run if [[ "$SECRET" == "***" ]]; then
assert	Assert secret value matches	2025-01-15T15:04:17.7029780Z if [[ "$SECRET" == "***" ]]; then
assert	Assert secret value matches	2025-01-15T15:04:17.7030538Z   echo "GitHub Actions secret value states it should be the upstream value"
assert	Assert secret value matches	2025-01-15T15:04:17.7031334Z elif [[ "$SECRET" == "should be fork" ]]; then
assert	Assert secret value matches	2025-01-15T15:04:17.7032092Z   echo "GitHub Actions secret value states it should be the fork value"
assert	Assert secret value matches	2025-01-15T15:04:17.7032792Z else
assert	Assert secret value matches	2025-01-15T15:04:17.7033440Z   echo "GitHub Actions secret value does not match anything we expect; this is bad"
assert	Assert secret value matches	2025-01-15T15:04:17.7034181Z   exit 1
assert	Assert secret value matches	2025-01-15T15:04:17.7034574Z fi
assert	Assert secret value matches	2025-01-15T15:04:17.7258622Z shell: /usr/bin/bash -e {0}
assert	Assert secret value matches	2025-01-15T15:04:17.7259548Z env:
assert	Assert secret value matches	2025-01-15T15:04:17.7260120Z   SECRET: ***
assert	Assert secret value matches	2025-01-15T15:04:17.7260542Z ##[endgroup]
assert	Assert secret value matches	2025-01-15T15:04:17.7506265Z GitHub Actions secret value states it should be the upstream value
assert	Complete job	2025-01-15T15:04:17.7609521Z Cleaning up orphan processes

Syncing local fork to pickup workflow change

$ ~/Documents/workspace/cli/cli/bin/gh repo sync       
✓ Synced the "main" branch from "gh-acceptance-testing/10209-upstream" to local repository

$ git push
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To https://github.com/gh-acceptance-testing/10209-fork.git
   006dbc5..6db6d5e  main -> main

Testing secret values with workflow in fork

$ ~/Documents/workspace/cli/cli/bin/gh workflow run verify.yml --repo gh-acceptance-testing/10209-fork
✓ Created workflow_dispatch event for verify.yml at main

To see runs for this workflow, try: gh run list --workflow=verify.yml

$ ~/Documents/workspace/cli/cli/bin/gh run list --repo gh-acceptance-testing/10209-fork               
STATUS  TITLE               WORKFLOW            BRANCH  EVENT              ID           ELAPSED  AGE                   
*       Test Workflow Name  Test Workflow Name  main    workflow_dispatch  12791264263  10s      less than a minute ago

$ ~/Documents/workspace/cli/cli/bin/gh run view 12791264263 --log --repo gh-acceptance-testing/10209-fork
assert	Set up job	2025-01-15T15:11:08.7937555Z Current runner version: '2.321.0'
assert	Set up job	2025-01-15T15:11:08.7969975Z ##[group]Operating System
assert	Set up job	2025-01-15T15:11:08.7970877Z Ubuntu
assert	Set up job	2025-01-15T15:11:08.7971579Z 24.04.1
assert	Set up job	2025-01-15T15:11:08.7972354Z LTS
assert	Set up job	2025-01-15T15:11:08.7972915Z ##[endgroup]
assert	Set up job	2025-01-15T15:11:08.7973627Z ##[group]Runner Image
assert	Set up job	2025-01-15T15:11:08.7974320Z Image: ubuntu-24.04
assert	Set up job	2025-01-15T15:11:08.7974948Z Version: 20250105.1.0
assert	Set up job	2025-01-15T15:11:08.7976335Z Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20250105.1/images/ubuntu/Ubuntu2404-Readme.md
assert	Set up job	2025-01-15T15:11:08.7978054Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20250105.1
assert	Set up job	2025-01-15T15:11:08.7979165Z ##[endgroup]
assert	Set up job	2025-01-15T15:11:08.7979889Z ##[group]Runner Image Provisioner
assert	Set up job	2025-01-15T15:11:08.7980606Z 2.0.414.1
assert	Set up job	2025-01-15T15:11:08.7981115Z ##[endgroup]
assert	Set up job	2025-01-15T15:11:08.7982801Z ##[group]GITHUB_TOKEN Permissions
assert	Set up job	2025-01-15T15:11:08.7985103Z Contents: read
assert	Set up job	2025-01-15T15:11:08.7985850Z Metadata: read
assert	Set up job	2025-01-15T15:11:08.7986468Z Packages: read
assert	Set up job	2025-01-15T15:11:08.7987448Z ##[endgroup]
assert	Set up job	2025-01-15T15:11:08.7990772Z Secret source: Actions
assert	Set up job	2025-01-15T15:11:08.7991927Z Prepare workflow directory
assert	Set up job	2025-01-15T15:11:08.8320617Z Prepare all required actions
assert	Set up job	2025-01-15T15:11:08.8415448Z Complete job name: assert
assert	Assert secret value matches	2025-01-15T15:11:08.9501281Z ##[group]Run if [[ "$SECRET" == "should be upstream" ]]; then
assert	Assert secret value matches	2025-01-15T15:11:08.9503026Z if [[ "$SECRET" == "should be upstream" ]]; then
assert	Assert secret value matches	2025-01-15T15:11:08.9504563Z   echo "GitHub Actions secret value states it should be the upstream value"
assert	Assert secret value matches	2025-01-15T15:11:08.9506369Z elif [[ "$SECRET" == "***" ]]; then
assert	Assert secret value matches	2025-01-15T15:11:08.9507927Z   echo "GitHub Actions secret value states it should be the fork value"
assert	Assert secret value matches	2025-01-15T15:11:08.9509304Z else
assert	Assert secret value matches	2025-01-15T15:11:08.9510576Z   echo "GitHub Actions secret value does not match anything we expect; this is bad"
assert	Assert secret value matches	2025-01-15T15:11:08.9512315Z   exit 1
assert	Assert secret value matches	2025-01-15T15:11:08.9513214Z fi
assert	Assert secret value matches	2025-01-15T15:11:08.9866996Z shell: /usr/bin/bash -e {0}
assert	Assert secret value matches	2025-01-15T15:11:08.9868123Z env:
assert	Assert secret value matches	2025-01-15T15:11:08.9868850Z   SECRET: ***
assert	Assert secret value matches	2025-01-15T15:11:08.9869374Z ##[endgroup]
assert	Assert secret value matches	2025-01-15T15:11:09.0102099Z GitHub Actions secret value states it should be the fork value
assert	Complete job	2025-01-15T15:11:09.0242915Z Cleaning up orphan processes

@williammartin williammartin merged commit ff92235 into trunk Jan 21, 2025
@williammartin williammartin deleted the wm/add-remote-check-to-secret branch January 21, 2025 14:24
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Feb 4, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cli/cli](https://github.com/cli/cli) | minor | `v2.65.0` -> `v2.66.1` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>cli/cli (cli/cli)</summary>

### [`v2.66.1`](https://github.com/cli/cli/releases/tag/v2.66.1): GitHub CLI 2.66.1

[Compare Source](cli/cli@v2.66.0...v2.66.1)

#### Hotfix: `gh pr view` fails with provided URL

This addresses a regression in `gh pr view` was reported in [#&#8203;10352](cli/cli#10352). This regression was due to a change in `v2.66.0` that no longer allowed `gh pr` subcommands to execute properly outside of a git repo.

#### What's Changed

-   Hotfix: `gh pr view` fails with provided URL by [@&#8203;jtmcg](https://github.com/jtmcg) in cli/cli#10354

**Full Changelog**: cli/cli@v2.66.0...v2.66.1

### [`v2.66.0`](https://github.com/cli/cli/releases/tag/v2.66.0): GitHub CLI 2.66.0

[Compare Source](cli/cli@v2.65.0...v2.66.0)

#### `gh pr view` and `gh pr status` now respect common triangular workflow configurations

Previously, `gh pr view` and `gh pr status` would fail for pull request's (MR) open in triangular workflows. This was due to `gh` being unable to identify the MR's corresponding remote and branch refs on GitHub.

Now, `gh pr view` and `gh pr status` should successfully identify the MR's refs when the following common git configurations are used:

-   [`branch.<branchName>.pushremote`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-branchltnamegtpushRemote) is set
-   [`remote.pushDefault`](https://git-scm.com/docs/git-config#Documentation/git-config.txt-remotepushDefault) is set

Branch specific configuration, the former, supersedes repo specific configuration, the latter.

Additionally, if the [`@{push}` revision syntax](https://git-scm.com/docs/gitrevisions#Documentation/gitrevisions.txt-emltbranchnamegtpushemegemmasterpushemempushem) for git resolves for a branch, `gh pr view` and `gh pr status` should work regardless of additional config settings.

For more information, see

-   cli/cli#9363
-   cli/cli#9364
-   cli/cli#9365
-   cli/cli#9374

#### `gh secret list`, `gh secret set`, and `gh secret delete` now require repository selection when multiple `git` remotes are present

Previously, `gh secret list`, `gh secret set`, and `gh secret delete` would determine which remote to target for interacting with GitHub Actions secrets.  Remotes marked as default using `gh repo set-default` or through other `gh` commands had higher priority when figuring out which repository to interact with.  This could have unexpected outcomes when using `gh secret` commands with forked repositories as the upstream repository would generally be selected.

Now, `gh secret` commands require users to disambiguate which repository should be the target if multiple remotes are present and the `-R, --repo` flag is not provided.

For more information, see cli/cli#4688

#### Extension update notices now notify once every 24 hours per extension and can be disabled

Previously, the GitHub CLI would notify users about newer versions every time an extension was executed.  This did not match GitHub CLI notices, which only notified users once every 24 hours and could be disabled through an environment variable.

Now, extension update notices will behave similar to GitHub CLI notices.  To disable extension update notices, set the `GH_NO_EXTENSION_UPDATE_NOTIFIER` environment variable.

For more information, see cli/cli#9925

#### What's Changed

##### ✨ Features

-   Draft for discussing testing around extension update checking behavior by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#9985
-   Make extension update check non-blocking by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#10239
-   Ensure extension update notices only notify once within 24 hours, provide ability to disable all extension update notices by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#9934
-   feat: make the extension upgrade fancier by [@&#8203;nobe4](https://github.com/nobe4) in cli/cli#10194
-   fix: padded display by [@&#8203;nobe4](https://github.com/nobe4) in cli/cli#10216
-   Update `gh attestation` attestation bundle fetching logic by [@&#8203;malancas](https://github.com/malancas) in cli/cli#10185
-   Require repo disambiguation for secret commands by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#10209
-   show error message for rerun workflow older than a month ago by [@&#8203;iamrajhans](https://github.com/iamrajhans) in cli/cli#10227
-   Update `gh attestation verify` table output by [@&#8203;malancas](https://github.com/malancas) in cli/cli#10104
-   Enable MSI building for Windows arm64 by [@&#8203;dennisameling](https://github.com/dennisameling) in cli/cli#10297
-   feat: Add support for creating autolink references by [@&#8203;hoffm](https://github.com/hoffm) in cli/cli#10180
-   Find MRs using `@{push}` by [@&#8203;Frederick888](https://github.com/Frederick888) in cli/cli#9208
-   feat: Add support for viewing autolink references by [@&#8203;hoffm](https://github.com/hoffm) in cli/cli#10324
-   Update `gh attestation` bundle fetching logic by [@&#8203;malancas](https://github.com/malancas) in cli/cli#10339

##### 🐛 Fixes

-   gh gist delete: prompt for gist id by [@&#8203;danochoa](https://github.com/danochoa) in cli/cli#10154
-   Better handling for waiting for codespaces to become ready by [@&#8203;cmbrose](https://github.com/cmbrose) in cli/cli#10198
-   Fix: `gh gist view` and `gh gist edit` prompts with no TTY by [@&#8203;mateusmarquezini](https://github.com/mateusmarquezini) in cli/cli#10048
-   Remove naked return values from `ReadBranchConfig` and `prSelectorForCurrentBranch` by [@&#8203;jtmcg](https://github.com/jtmcg) in cli/cli#10197
-   Add job to deployment workflow to validate the tag name for a given release by [@&#8203;jtmcg](https://github.com/jtmcg) in cli/cli#10121
-   \[gh run list] Stop progress indicator on failure from `--workflow` flag by [@&#8203;iamazeem](https://github.com/iamazeem) in cli/cli#10323
-   Update deployment.yml by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#10340

##### 📚 Docs & Chores

-   Add affected version heading to bug report issue form by [@&#8203;BagToad](https://github.com/BagToad) in cli/cli#10269
-   chore: fix some comments by [@&#8203;petercover](https://github.com/petercover) in cli/cli#10296
-   Update triage.md to reflect FR experiment outcome by [@&#8203;jtmcg](https://github.com/jtmcg) in cli/cli#10196
-   Clear up --with-token fine grained PAT usage by [@&#8203;williammartin](https://github.com/williammartin) in cli/cli#10186
-   Correct help documentation around template use in `gh issue create` by [@&#8203;andyfeller](https://github.com/andyfeller) in cli/cli#10208
-   chore: fix some function names in comment by [@&#8203;zhuhaicity](https://github.com/zhuhaicity) in cli/cli#10225
-   Tiny typo fix by [@&#8203;robmorgan](https://github.com/robmorgan) in cli/cli#10265
-   add install instructions for Manjaro Linux by [@&#8203;AMS21](https://github.com/AMS21) in cli/cli#10236
-   Update test to be compatible with latest Glamour v0.8.0 by [@&#8203;ottok](https://github.com/ottok) in cli/cli#10151
-   Add more `gh attestation verify` integration tests by [@&#8203;malancas](https://github.com/malancas) in cli/cli#10102

##### :dependabot: Dependencies

-   Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10215
-   Bump github.com/sigstore/protobuf-specs from 0.3.2 to 0.3.3 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10214
-   Bump github.com/gabriel-vasile/mimetype from 1.4.7 to 1.4.8 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10184
-   Bump google.golang.org/protobuf from 1.36.2 to 1.36.3 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10250
-   Bump golangci-linter and address failures to prepare for Go 1.24 strictness by [@&#8203;mikelolasagasti](https://github.com/mikelolasagasti) in cli/cli#10279
-   Bump github.com/google/go-containerregistry from 0.20.2 to 0.20.3 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10257
-   Bump actions/attest-build-provenance from 2.1.0 to 2.2.0 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10300
-   Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10306
-   Upgrade sigstore-go to v0.7.0: fixes [#&#8203;10114](cli/cli#10114) formatting issue by [@&#8203;codysoyland](https://github.com/codysoyland) in cli/cli#10309
-   Bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by [@&#8203;dependabot](https://github.com/dependabot) in cli/cli#10319

#### New Contributors

Big thank you to our many new *and* longtime contributors making this release happen!! ❤️ ✨

-   [@&#8203;zhuhaicity](https://github.com/zhuhaicity) made their first contribution in cli/cli#10225
-   [@&#8203;danochoa](https://github.com/danochoa) made their first contribution in cli/cli#10154
-   [@&#8203;robmorgan](https://github.com/robmorgan) made their first contribution in cli/cli#10265
-   [@&#8203;iamrajhans](https://github.com/iamrajhans) made their first contribution in cli/cli#10227
-   [@&#8203;AMS21](https://github.com/AMS21) made their first contribution in cli/cli#10236
-   [@&#8203;petercover](https://github.com/petercover) made their first contribution in cli/cli#10296
-   [@&#8203;ottok](https://github.com/ottok) made their first contribution in cli/cli#10151
-   [@&#8203;dennisameling](https://github.com/dennisameling) made their first contribution in cli/cli#10297
-   [@&#8203;iamazeem](https://github.com/iamazeem) made their first contribution in cli/cli#10323
-   [@&#8203;Frederick888](https://github.com/Frederick888) made their first contribution in cli/cli#9208

**Full Changelog**: cli/cli@v2.65.0...v2.66.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNDMuMCIsInVwZGF0ZWRJblZlciI6IjM5LjE0Ni40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
@williammartin williammartin restored the wm/add-remote-check-to-secret branch February 13, 2025 11:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Secret created in Upstream Repo instead of Current Repo

5 participants