feat: default ci migrate secrets and variables to repo scope #452

Merged
121watts merged 1 commit into main from watts/dep-3838-depo-ci-migrate-secrets-and-variables-should-default-to-repo
Mar 16, 2026
@121watts 121watts commented Mar 16, 2026

Summary

depot ci migrate was storing all secrets and variables at org scope, which meant every repo in the org could see them. That's almost never what you want when migrating a single repo's workflows — you want those secrets scoped to that repo.

  • Secrets and variables created during depot ci migrate now default to repo-scoped instead of org-scoped
  • Repo is auto-detected from the git remote origin URL, or explicitly set via --repo owner/name
  • Falls back to org scope (with a clear message) when the repo can't be detected
  • Warning messages for missing secrets/variables now include the --repo flag in the suggested command

Builds on the v2 secret/variable API from #446 (DEP-3330).

Closes DEP-3838

Made with Cursor


Note

Medium Risk
Changes the default scope for newly created CI secrets/variables during depot ci migrate, which can affect where credentials are visible and how workflows resolve them. Also introduces git-remote-based repo detection that may fail or mis-detect in some setups, falling back to org scope.

Overview
depot ci migrate now supports repo-scoped secrets/variables via a new --repo owner/repo flag and will auto-detect the repo from git remote origin when not provided.

Secrets and variables created during migration are now written using repo scope when a repo is available (and the CLI prints the chosen scope in both the initial output and migration summary); if detection fails, it falls back to org scope with an explicit warning and updated “missing secret/var” command hints that include --repo when applicable.

Adds parsing/detection helpers for GitHub SSH/HTTPS remote URLs and expands tests to cover repo parsing plus repo-scope and org-scope fallback messaging.

Written by Cursor Bugbot for commit 0552c5d. This will update automatically on new commits. Configure here.
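
The repo detection and scope fallback described above, as an added example (not the depot CLI's own code). `parseOwnerRepo`, `scopeFor`, the `repo:`/`org` return strings and the `acme/app` remotes are hypothetical names and constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseOwnerRepo (hypothetical) returns "owner/name", or "" unless the path is exactly owner/repo.
func parseOwnerRepo(remote string) string {
	remote = strings.TrimSpace(remote)
	var path string // stays "" (rejected below) when neither form matches
	switch {
	case strings.Contains(remote, "://"): // https://host/owner/name(.git)
		u, err := url.Parse(remote)
		if err != nil || u.Host == "" {
			return ""
		}
		path = u.Path
	case strings.Contains(remote, ":"): // scp-like git@host:owner/name(.git)
		path = remote[strings.Index(remote, ":")+1:]
	}
	// Trim slashes before ".git" so "owner/name.git/" loses the suffix too.
	path = strings.TrimSuffix(strings.Trim(path, "/"), ".git")
	parts := strings.Split(path, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "" // extra or missing segments: refuse to guess
	}
	return parts[0] + "/" + parts[1]
}

// scopeFor applies the precedence: --repo value, then detected remote, then org (labels illustrative).
func scopeFor(repoFlag, remote string) string {
	if repoFlag == "" {
		repoFlag = parseOwnerRepo(remote)
	}
	if repoFlag == "" {
		return "org"
	}
	return "repo:" + repoFlag
}

func main() {
	// Constructed sample remotes; "acme/app" is a placeholder repository.
	for _, r := range []string{"git@github.com:acme/app.git/",
		"https://github.com/acme/app", "https://example.test/g/sub/app.git", ""} {
		fmt.Printf("%q -> %s\n", r, scopeFor("", r))
	}
}
```

A remote that does not resolve to exactly one owner and one repository yields `org`, which is the wider visibility, so the fallback is worth surfacing in output rather than applying silently.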

linear bot commented Mar 16, 2026

@121watts 121watts force-pushed the watts/dep-3838-depo-ci-migrate-secrets-and-variables-should-default-to-repo branch from 4441951 to 5c3eadc Compare March 16, 2026 19:40
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Autofix Details

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: HTTPS parser inconsistently accepts extra path segments
    • Added trailing slash trimming and changed validation to len(parts) != 2 for consistent rejection of URLs with extra path segments in both SSH and HTTPS branches.

Or push these changes by commenting:

@cursor push d9c58f5e0a
Preview (d9c58f5e0a)
diff --git a/pkg/cmd/ci/migrate.go b/pkg/cmd/ci/migrate.go
--- a/pkg/cmd/ci/migrate.go
+++ b/pkg/cmd/ci/migrate.go
@@ -645,8 +645,9 @@
 	}
 	path := strings.TrimPrefix(u.Path, "/")
 	path = strings.TrimSuffix(path, ".git")
+	path = strings.TrimRight(path, "/")
 	parts := strings.SplitN(path, "/", 3)
-	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
+	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
 		return ""
 	}
 	return parts[0] + "/" + parts[1]
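
Review bot: the added TrimRight runs after TrimSuffix(path, ".git"), so a remote whose path ends in ".git/" keeps its suffix: TrimSuffix is a no-op while the path still ends in "/", the slash is then removed, and owner/name.git passes the len(parts) != 2 check and is returned as the repo. Because the returned value is used as the repo identity, a near-miss like this is worse than an empty result. Move `path = strings.TrimRight(path, "/")` above the TrimSuffix line, and add a test case for a ".git/" remote.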

Secrets and variables created during `depot ci migrate` now default to
repo-scoped instead of org-scoped. The repo is auto-detected from the
git remote origin URL, or can be explicitly set via `--repo owner/name`.
Falls back to org scope when the repo cannot be detected.

Addressed review feedback: HTTPS URL parser now consistently rejects
multi-segment paths (e.g. group/subgroup/project) matching SSH behavior.

Made-with: Cursor
@121watts 121watts force-pushed the watts/dep-3838-depo-ci-migrate-secrets-and-variables-should-default-to-repo branch from 5c3eadc to 0552c5d Compare March 16, 2026 20:18
@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: SSH branch missing trailing slash trim before split
    • Added strings.TrimRight(path, "/") to SSH branch to match HTTPS branch behavior and ensure consistent handling of trailing slashes.

Or push these changes by commenting:

@cursor push a4d97d4235
Preview (a4d97d4235)
diff --git a/pkg/cmd/ci/migrate.go b/pkg/cmd/ci/migrate.go
--- a/pkg/cmd/ci/migrate.go
+++ b/pkg/cmd/ci/migrate.go
@@ -631,6 +631,7 @@
 		}
 		path := remoteURL[idx+1:]
 		path = strings.TrimSuffix(path, ".git")
+		path = strings.TrimRight(path, "/")
 		parts := strings.SplitN(path, "/", 3)
 		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
 			return ""
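
Review bot: with this added line the SSH branch repeats the HTTPS branch's TrimSuffix, TrimRight, SplitN and len(parts) != 2 sequence line for line, and the two copies have already needed separate fixes in this review. Move the sequence into one helper that takes the extracted path and is called from both branches, with the slash trim placed before the ".git" strip, since here too TrimSuffix runs first and a path ending in ".git/" would come back as owner/name.git. A table test with trailing-slash inputs for both URL forms would keep the branches from diverging again.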

@121watts 121watts merged commit 388acf9 into main Mar 16, 2026
13 checks passed
@121watts 121watts deleted the watts/dep-3838-depo-ci-migrate-secrets-and-variables-should-default-to-repo branch March 16, 2026 22:23