Merge branch 'cli:trunk' into trunk

Author: akabarki76

.github/secret_scanning.yml

@@ -0,0 +1,3 @@
+paths-ignore:
+  - 'third-party/**'
+  - 'third-party-licenses.*.md'

.github/workflows/codeql.yml

@@ -18,6 +18,10 @@ permissions:
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go', 'actions']
 
     steps:
       - name: Check out code
@@ -26,13 +30,20 @@ jobs:
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
-          languages: go
+          languages: ${{ matrix.language }}
           queries: security-and-quality
+          config: |
+            paths-ignore:
+              - 'third-party/**'
+              - 'third-party-licenses.*.md'
 
       - name: Setup Go
+        if: matrix.language == 'go'
         uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/deployment.yml

@@ -309,7 +309,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo
@@ -384,7 +384,7 @@ jobs:
             git diff --name-status @{upstream}..
           fi
       - name: Bump homebrew-core formula
-        uses: mislav/bump-homebrew-formula-action@942e550c6344cfdb9e1ab29b9bb9bf0c43efa19b
+        uses: mislav/bump-homebrew-formula-action@8e2baa47daaa8db10fcdeb04105dfa6850eb0d68
         if: inputs.environment == 'production' && !contains(inputs.tag_name, '-')
         with:
           formula-name: gh

.github/workflows/homebrew-bump.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Bump homebrew-core formula
-        uses: mislav/bump-homebrew-formula-action@942e550c6344cfdb9e1ab29b9bb9bf0c43efa19b
+        uses: mislav/bump-homebrew-formula-action@8e2baa47daaa8db10fcdeb04105dfa6850eb0d68
         if: inputs.environment == 'production' && !contains(inputs.tag_name, '-')
         with:
           formula-name: gh

.github/workflows/pr-help-wanted.yml

@@ -0,0 +1,27 @@
+name: PR Help Wanted Check
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  contents: none
+  issues: read
+  pull-requests: write
+
+jobs:
+  check-help-wanted:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check for issues without help-wanted label
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_AUTHOR_TYPE: ${{ github.event.pull_request.user.type }}
+          PR_AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
+        if: "!github.event.pull_request.draft"
+        run: |
+          # Run the script to check for issues without help-wanted label
+          bash .github/workflows/scripts/check-help-wanted.sh ${{ github.event.pull_request.html_url }}

.github/workflows/scripts/check-help-wanted.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+set -e
+
+PR_URL="$1"
+
+if [ -z "$PR_URL" ]; then
+    echo "Usage: $0 <PR_URL>"
+    echo ""
+    echo "Check if the PR references any non-help-wanted issues and, if so, comment"
+    echo "on it explaining why the team might close/dismiss it."
+    exit 1
+fi
+
+# Skip if PR is from a bot or org member
+if [ "$PR_AUTHOR_TYPE" = "Bot" ] || [ "$PR_AUTHOR_ASSOCIATION" = "MEMBER" ] || [ "$PR_AUTHOR_ASSOCIATION" = "OWNER" ]; then
+    echo "Skipping check for PR #$PR_URL as it is from a bot ($PR_AUTHOR_TYPE) or an org member ($PR_AUTHOR_ASSOCIATION: MEMBER/OWNER)"
+    exit 0
+fi
+
+# Extract PR number from URL for logging
+PR_NUM="$(basename "$PR_URL")"
+
+# Extract cli/cli closing issues references from PR
+CLOSING_ISSUES="$(gh pr view "$PR_URL" --json closingIssuesReferences --jq '.closingIssuesReferences[] | select(.repository.name == "cli" and .repository.owner.login == "cli") | .number')"
+
+if [ -z "$CLOSING_ISSUES" ]; then
+    echo "No closing issues found for PR #$PR_NUM"
+    exit 0
+fi
+
+# Check each closing issue for 'help-wanted' label
+ISSUES_WITHOUT_HELP_WANTED=()
+
+for issue_num in $CLOSING_ISSUES; do
+    echo "Checking issue #$issue_num for 'help wanted' label..."
+
+    # Get issue labels
+    LABELS=$(gh issue view "$issue_num" --json labels --jq '.labels[].name')
+
+    # Skip if the issue has the gh-attestion or gh-codespace label
+    # This is because the codeowners for these commands may not be public
+    # cli org members, and so unless we authenticate with a PAT, we can't
+    # know who is an external contributor or not.
+    # So we skip these issues to avoid falsely writing a comment
+    # on each PR opened by these codeowners.
+    if echo "$LABELS" | grep -q -e "gh-attestation" -e "gh-codespace"; then
+        echo "Issue #$issue_num is skipped due to labels"
+        continue
+    fi
+
+    # Check if 'help wanted' label exists
+    if ! echo "$LABELS" | grep -q "help wanted"; then
+        ISSUES_WITHOUT_HELP_WANTED+=("$issue_num")
+        echo "Issue #$issue_num does not have 'help wanted' label"
+    else
+        echo "Issue #$issue_num has 'help wanted' label"
+    fi
+done
+
+# If we found issues without 'help wanted' label, post a comment
+if [ ${#ISSUES_WITHOUT_HELP_WANTED[@]} -gt 0 ]; then
+    echo "Found ${#ISSUES_WITHOUT_HELP_WANTED[@]} issues without 'help wanted' label"
+
+    # Build issue list for comment
+    ISSUE_LIST=""
+    for issue_num in "${ISSUES_WITHOUT_HELP_WANTED[@]}"; do
+        ISSUE_LIST="$ISSUE_LIST- #$issue_num"$'\n'
+    done
+
+    # Create comment message
+    gh pr comment "$PR_URL" --body-file - <<EOF
+Thank you for your pull request! 🎉
+
+This PR appears to fix the following issues that are not labeled with \`help wanted\`:
+
+$ISSUE_LIST
+As outlined in our [Contributing Guidelines](https://github.com/cli/cli/blob/trunk/.github/CONTRIBUTING.md), we expect that PRs are only created for issues that have been labeled \`help wanted\`.
+
+While we appreciate your initiative, please note that:
+
+- **PRs for non-\`help wanted\` issues may not be reviewed immediately** as they might not align with our current priorities
+- **The issue might already be assigned** to a team member or planned for a specific release
+- **We may need to close this PR**. For example, if it conflicts with ongoing work or architectural decisions
+
+**What happens next:**
+- Our team will review this PR and the associated issues
+- We may add the \`help wanted\` label to the issues, if appropriate, and review this pull request
+- In some cases, we may need to close the PR. For example, if it doesn't fit our current roadmap
+
+Thank you for your understanding and contribution to the project! 🙏
+
+*This comment was automatically generated by cliAutomation.*
+EOF
+
+    echo "Posted comment on PR #$PR_NUM"
+else
+    echo "All closing issues have 'help wanted' label - no action needed"
+fi

api/queries_pr.go

@@ -85,15 +85,25 @@ type PullRequest struct {
 
 	Assignees      Assignees
 	AssignedActors AssignedActors
-	Labels         Labels
-	ProjectCards   ProjectCards
-	ProjectItems   ProjectItems
-	Milestone      *Milestone
-	Comments       Comments
-	ReactionGroups ReactionGroups
-	Reviews        PullRequestReviews
-	LatestReviews  PullRequestReviews
-	ReviewRequests ReviewRequests
+	// AssignedActorsUsed is a GIGANTIC hack to carry around whether we expected AssignedActors to be requested
+	// on this PR. This is required because the Feature Detection of support for AssignedActors occurs inside the
+	// PR Finder, but knowledge of support is required at the command level. However, we can't easily construct
+	// the feature detector at the command level because it needs knowledge of the BaseRepo, which is only available
+	// inside the PR Finder. This is bad and we should feel bad.
+	//
+	// The right solution is to extract argument parsing from the PR Finder into each command, so that we have access
+	// to the BaseRepo and can construct the feature detector there. This is what happens in the issue commands with
+	// `shared.ParseIssueFromArg`.
+	AssignedActorsUsed bool
+	Labels             Labels
+	ProjectCards       ProjectCards
+	ProjectItems       ProjectItems
+	Milestone          *Milestone
+	Comments           Comments
+	ReactionGroups     ReactionGroups
+	Reviews            PullRequestReviews
+	LatestReviews      PullRequestReviews
+	ReviewRequests     ReviewRequests
 
 	ClosingIssuesReferences ClosingIssuesReferences
 }

api/queries_repo.go

@@ -709,19 +709,22 @@ func (m *RepoMetadataResult) MembersToIDs(names []string) ([]string, error) {
 		}
 
 		// Look for ID in assignable actors if not found in assignable users
-		for _, a := range m.AssignableActors {
-			if strings.EqualFold(assigneeLogin, a.Login()) {
-				ids = append(ids, a.ID())
-				found = true
-				break
-			}
-			if strings.EqualFold(assigneeLogin, a.DisplayName()) {
-				ids = append(ids, a.ID())
-				found = true
-				break
+		if !found {
+			for _, a := range m.AssignableActors {
+				if strings.EqualFold(assigneeLogin, a.Login()) {
+					ids = append(ids, a.ID())
+					found = true
+					break
+				}
+				if strings.EqualFold(assigneeLogin, a.DisplayName()) {
+					ids = append(ids, a.ID())
+					found = true
+					break
+				}
 			}
 		}
 
+		// And if we still didn't find an ID, return an error
 		if !found {
 			return nil, fmt.Errorf("'%s' not found", assigneeLogin)
 		}

api/queries_repo_test.go

@@ -461,6 +461,78 @@ t001: team(slug:"robots"){id,slug}
 	}
 }
 
+func TestMembersToIDs(t *testing.T) {
+	t.Parallel()
+
+	t.Run("finds ids in assignable users", func(t *testing.T) {
+		t.Parallel()
+
+		repoMetadataResult := RepoMetadataResult{
+			AssignableUsers: []AssignableUser{
+				NewAssignableUser("MONAID", "monalisa", ""),
+				NewAssignableUser("MONAID2", "monalisa2", ""),
+			},
+			AssignableActors: []AssignableActor{
+				NewAssignableBot("HUBOTID", "hubot"),
+			},
+		}
+		ids, err := repoMetadataResult.MembersToIDs([]string{"monalisa"})
+		require.NoError(t, err)
+		require.Equal(t, []string{"MONAID"}, ids)
+	})
+
+	t.Run("finds ids by assignable actor logins", func(t *testing.T) {
+		t.Parallel()
+
+		repoMetadataResult := RepoMetadataResult{
+			AssignableActors: []AssignableActor{
+				NewAssignableBot("HUBOTID", "hubot"),
+				NewAssignableUser("MONAID", "monalisa", ""),
+			},
+		}
+		ids, err := repoMetadataResult.MembersToIDs([]string{"monalisa"})
+		require.NoError(t, err)
+		require.Equal(t, []string{"MONAID"}, ids)
+	})
+
+	t.Run("finds ids by assignable actor display names", func(t *testing.T) {
+		t.Parallel()
+
+		repoMetadataResult := RepoMetadataResult{
+			AssignableActors: []AssignableActor{
+				NewAssignableUser("MONAID", "monalisa", "mona"),
+			},
+		}
+		ids, err := repoMetadataResult.MembersToIDs([]string{"monalisa (mona)"})
+		require.NoError(t, err)
+		require.Equal(t, []string{"MONAID"}, ids)
+	})
+
+	t.Run("when a name appears in both assignable users and actors, the id is only returned once", func(t *testing.T) {
+		t.Parallel()
+
+		repoMetadataResult := RepoMetadataResult{
+			AssignableUsers: []AssignableUser{
+				NewAssignableUser("MONAID", "monalisa", ""),
+			},
+			AssignableActors: []AssignableActor{
+				NewAssignableUser("MONAID", "monalisa", ""),
+			},
+		}
+		ids, err := repoMetadataResult.MembersToIDs([]string{"monalisa"})
+		require.NoError(t, err)
+		require.Equal(t, []string{"MONAID"}, ids)
+	})
+
+	t.Run("when id is not found, returns an error", func(t *testing.T) {
+		t.Parallel()
+
+		repoMetadataResult := RepoMetadataResult{}
+		_, err := repoMetadataResult.MembersToIDs([]string{"monalisa"})
+		require.Error(t, err)
+	})
+}
+
 func sliceEqual(a, b []string) bool {
 	if len(a) != len(b) {
 		return false

go.mod

@@ -44,7 +44,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/rivo/tview v0.0.0-20221029100920-c4a7e501810d
 	github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc
-	github.com/sigstore/protobuf-specs v0.4.2
+	github.com/sigstore/protobuf-specs v0.4.3
 	github.com/sigstore/sigstore-go v1.0.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
@@ -56,7 +56,7 @@ require (
 	golang.org/x/sync v0.14.0
 	golang.org/x/term v0.32.0
 	golang.org/x/text v0.25.0
-	google.golang.org/grpc v1.72.0
+	google.golang.org/grpc v1.72.2
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/h2non/gock.v1 v1.1.2
 	gopkg.in/yaml.v3 v3.0.1