Merge branch 'trunk' into tommy/skill-install-all-flag

Author: tommaso-moro

.github/dependabot.yml

@@ -4,6 +4,8 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
+  cooldown:
+    default-days: 3
   ignore:
     - dependency-name: "*"
       update-types:
@@ -12,3 +14,5 @@ updates:
   directory: "/"
   schedule:
       interval: "daily"
+  cooldown:
+    default-days: 3

.github/workflows/codeql.yml

@@ -34,29 +34,20 @@ jobs:
           go-version-file: "go.mod"
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@v4.35.5
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@v4.35.5
         with:
           category: "/language:${{ matrix.language }}"
           upload: false
           output: sarif-results
 
-      - name: Filter SARIF for third-party code
-        if: matrix.language == 'go'
-        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1.0.1.1
-        with:
-          patterns: |
-            -third-party/**
-          input: sarif-results/${{ matrix.language }}.sarif
-          output: sarif-results/${{ matrix.language }}.sarif
-
       - name: Upload filtered SARIF
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@v4.35.5
         with:
           sarif_file: sarif-results/${{ matrix.language }}.sarif
           category: "/language:${{ matrix.language }}"

.github/workflows/deployment.yml

@@ -52,7 +52,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:
           # The version is pinned not only for security purposes, but also to avoid breaking
           # our scripts, which rely on the specific file names generated by GoReleaser.
@@ -113,7 +113,7 @@ jobs:
           security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "$keychain_password" "$keychain"
           rm "$RUNNER_TEMP/cert.p12"
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:
           # The version is pinned not only for security purposes, but also to avoid breaking
           # our scripts, which rely on the specific file names generated by GoReleaser.
@@ -175,7 +175,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:
           # The version is pinned not only for security purposes, but also to avoid breaking
           # our scripts, which rely on the specific file names generated by GoReleaser.
@@ -414,14 +414,4 @@ jobs:
           else
             git log --oneline @{upstream}..
             git diff --name-status @{upstream}..
-          fi
-      - name: Bump homebrew-core formula
-        uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769
-        if: inputs.environment == 'production' && !contains(inputs.tag_name, '-')
-        with:
-          formula-name: gh
-          formula-path: Formula/g/gh.rb
-          tag-name: ${{ inputs.tag_name }}
-          push-to: williammartin/homebrew-core
-        env:
-          COMMITTER_TOKEN: ${{ secrets.HOMEBREW_PR_PAT }}
+          fi

.github/workflows/detect-spam.yml

@@ -4,20 +4,19 @@ on:
     types: [opened]
 
 permissions:
-  contents: none
-  issues: write
-  models: read
+  contents: read # check out the repo to run the spam-detection scripts.
+  issues: write # read issue contents (gh issue view), comment, label, and close issues detected as spam.
+  models: read # run inference via `gh models run` for spam classification.
 
 jobs:
   issue-spam:
     runs-on: ubuntu-latest
-    environment: cli-automation
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Run spam detection
         env:
-          GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
           ISSUE_URL: ${{ github.event.issue.html_url }}
         run: |
           ./.github/workflows/scripts/spam-detection/process-issue.sh "$ISSUE_URL"

.github/workflows/govulncheck.yml

@@ -1,7 +1,7 @@
 name: Go Vulnerability Check
 on:
   schedule:
-    - cron: "0 0 * * 1" # Every Monday at midnight UTC
+    - cron: "0 0 * * *" # Every day at midnight UTC
   workflow_dispatch:
 
 jobs:
@@ -26,6 +26,6 @@ jobs:
           go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -format sarif ./... > gh.sarif
 
       - name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@v4.35.5
         with:
           sarif_file: gh.sarif

.github/workflows/homebrew-bump.yml

@@ -29,8 +29,6 @@ linters:
     # - staticcheck
     # - errcheck
   exclusions:
-    paths:
-      - third-party
     rules:
       - path: _test\.go$
         linters:
@@ -62,9 +60,6 @@ linters:
 formatters:
   enable:
     - gofmt
-  exclusions:
-    paths:
-      - third-party
 
 issues:
   max-issues-per-linter: 0

.github/workflows/triage-discussion-label.yml

@@ -11,7 +11,6 @@ From a high level, the [release workflow](https://github.com/cli/cli/blob/537a22
  * Builds and updates the [manual](https://cli.github.com/manual) and repository packages
  * Creates GitHub Attestations for the artifacts
  * Creates a GitHub Release and attaches the artifacts
- * Bumps the `gh` [homebrew-core formula](https://github.com/Homebrew/homebrew-core/blob/2df031cbd8f7bc9b9a380e941ccefcf3c8f3d02b/Formula/g/gh.rb)
 
 # Jobs Deep Dive
 
@@ -569,16 +568,6 @@ release:
             git log --oneline @{upstream}..
             git diff --name-status @{upstream}..
           fi
-      - name: Bump homebrew-core formula
-        uses: mislav/bump-homebrew-formula-action@v3
-        if: inputs.environment == 'production' && !contains(inputs.tag_name, '-')
-        with:
-          formula-name: gh
-          formula-path: Formula/g/gh.rb
-          tag-name: ${{ inputs.tag_name }}
-          push-to: williammartin/homebrew-core
-        env:
-          COMMITTER_TOKEN: ${{ secrets.HOMEBREW_PR_PAT }}
 ```
 </details>
 
@@ -647,11 +636,11 @@ In previous steps, a git commit was made for the manual, and files had moved int
 
 Occasionally, the repository can become unwieldy due to hosting so many large binary artifacts. Instructions can be found in the README for that repository.
 
-#### Homebrew Formula
+#### Homebrew
 
-Using [`mislav/bump-homebrew-formula-action`](https://github.com/mislav/bump-homebrew-formula-action), a PR for the `gh` [`homebrew-core` formula](https://github.com/Homebrew/homebrew-core/blob/master/Formula/g/gh.rb) is created. The fork repository is currently owned by `williammartin` as PRs are [not accepted from organizations.](https://github.com/cli/cli/pull/7953)
+Historically, we used [`mislav/bump-homebrew-formula-action`](https://github.com/mislav/bump-homebrew-formula-action). It created a PR for the `gh` [`homebrew-core` formula](https://github.com/Homebrew/homebrew-core/blob/master/Formula/g/gh.rb). The fork repository was owned by `williammartin` because PRs are [not accepted from organizations.](https://github.com/cli/cli/pull/7953)
 
-`Homebrew/formulae.brew.sh` makes new formula versions available every 15 minutes through scheduled CI workflow. For more information, see https://docs.brew.sh/Formula-Cookbook#an-introduction
+However, since this required a legacy PAT token to open a PR between these repositories, it was deemed too much risk for our security. As such, we now rely on [Homebrew's autobump](https://docs.brew.sh/Autobump).
 
 ## <a id="deepest-dive">Deepest Dive</a>
 

.golangci.yml

@@ -21,13 +21,14 @@ What this does is:
 - Uploads all release artifacts to a new GitHub Release;
 - A new git tag `vX.Y.Z` is created in the remote repository;
 - The changelog is [generated from the list of merged pull requests](https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes);
-- Updates [GitHub CLI marketing site](https://cli.github.com) with the contents of the new release;
-- Updates the [`gh` Homebrew formula](https://github.com/williammartin/homebrew-core/blob/master/Formula/g/gh.rb) in the [`homebrew/homebrew-core` repo](https://github.com/search?q=repo%3AHomebrew%2Fhomebrew-core+%22gh%22+in%3Atitle&type=pullrequests).
+- Updates [GitHub CLI marketing site](https://cli.github.com) with the contents of the new release.
 
-> [!NOTE]
-> `Homebrew/formulae.brew.sh` makes new formula versions available every 15 minutes through scheduled [CI workflow](https://github.com/Homebrew/formulae.brew.sh/actions/workflows/tests.yml).
->
-> For more information, see https://docs.brew.sh/Formula-Cookbook#an-introduction
+## Bumping Homebrew
+
+Homebrew bumps are handled by [autobump](https://docs.brew.sh/Autobump), which runs periodically every 3 hours. In cases where a quicker rollout is required, a pull request can be opened manually with the following steps:
+ 1. Replace the version number in the url to point ot the updated version.
+ 2. Calculate and replace the sha256 value.
+ 3. Open the PR.
 
 To test out the build system while avoiding creating an actual release:
 
@@ -60,6 +61,5 @@ Occasionally, it might be necessary to clean up a bad release and re-release.
 
 1. Delete the release and associated tag
 2. Re-release and monitor the workflow run logs
-3. Open pull request updating [`gh` Homebrew formula](https://github.com/williammartin/homebrew-core/blob/master/Formula/g/gh.rb)
-   with new SHA versions, linking the previous PR
+3. Open pull request updating [`gh` Homebrew formula](https://github.com/Homebrew/homebrew-core/blob/master/Formula/g/gh.rb) with new SHA versions, linking the previous PR
 4. Verify resulting Debian and RPM packages, Homebrew formula