https-github-com-bit
diff --git a/‎.github/dependabot.yml‎
Lines changed: 15 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/go.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/go.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/issueauto.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/issueauto.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/prauto.yml‎
Lines changed: 8 additions & 1 deletion b/‎.github/workflows/prauto.yml‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎.github/workflows/releases.yml‎
Lines changed: 14 additions & 5 deletions b/‎.github/workflows/releases.yml‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 5 additions & 1 deletion b/‎.goreleaser.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎CODEOWNERS‎
Lines changed: 5 additions & 0 deletions b/‎CODEOWNERS‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 11 additions & 4 deletions b/‎README.md‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎api/client.go‎
Lines changed: 119 additions & 13 deletions b/‎api/client.go‎
Lines changed: 119 additions & 13 deletions
@@ -0,0 +1,15 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: "daily"
+  ignore:
+    - dependency-name: "*"
+      update-types:
+        - version-update:semver-minor
+        - version-update:semver-major
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+      interval: "daily"
@@ -2,7 +2,11 @@ name: Code Scanning
 
 on:
   push:
+    branches: [trunk]
   pull_request:
+    branches: [trunk]
+    paths-ignore:
+      - '**/*.md'
   schedule:
     - cron: "0 0 * * 0"
 
 
@@ -17,6 +17,15 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v2
 
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go
+          key: ${{ runner.os }}-build-${{ hashFiles('go.mod') }}
+          restore-keys: |
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+
       - name: Download dependencies
         run: go mod download
 
 
@@ -0,0 +1,19 @@
+name: Issue Automation
+on:
+  issues:
+    types: [opened]
+jobs:
+  issue-auto:
+    runs-on: ubuntu-latest
+    steps:
+      - name: label incoming issue
+        env:
+         GH_REPO: ${{ github.repository }}
+         GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+         ISSUENUM: ${{ github.event.issue.number }}
+         ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+        run: |
+          if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
+          then
+            gh issue edit $ISSUENUM --add-label "needs-triage"
+          fi
@@ -15,6 +15,7 @@ jobs:
           PRNUM: ${{ github.event.pull_request.number }}
           PRHEAD: ${{ github.event.pull_request.head.label }}
           PRAUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_AUTHOR_TYPE: ${{ github.event.pull_request.user.type }}
         if: "!github.event.pull_request.draft"
         run: |
           commentPR () {
@@ -42,8 +43,12 @@ jobs:
             ' -f colID="$(colID "Needs review")" -f prID="$PRID"
           }
 
-          if gh api orgs/cli/public_members/$PRAUTHOR --silent 2>/dev/null
+          if [ "$PR_AUTHOR_TYPE" = "Bot" ] || gh api orgs/cli/public_members/$PRAUTHOR --silent 2>/dev/null
           then
+            if [ "$PR_AUTHOR_TYPE" != "Bot" ]
+            then
+              gh pr edit $PRNUM --add-assignee $PRAUTHOR
+            fi
             if ! errtext="$(addToBoard 2>&1)"
             then
               cat <<<"$errtext" >&2
@@ -55,6 +60,8 @@ jobs:
             exit 0
           fi
 
+          gh pr edit $PRNUM --add-label "external"
+
           if [ "$PRHEAD" = "cli:trunk" ]
           then
             closePR
 
@@ -16,24 +16,34 @@ jobs:
         with:
           go-version: 1.16
       - name: Generate changelog
+        id: changelog
         run: |
-          echo "GORELEASER_CURRENT_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          git fetch --unshallow
-          script/changelog | tee CHANGELOG.md
+          echo "::set-output name=tag-name::${GITHUB_REF#refs/tags/}"
+          gh api repos/$GITHUB_REPOSITORY/releases/generate-notes \
+            -f tag_name="${GITHUB_REF#refs/tags/}" \
+            -f target_commitish=trunk \
+            -q .body > CHANGELOG.md
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+      - name: Install osslsigncode
+        run: sudo apt-get install -y osslsigncode
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
           version: v0.174.1
           args: release --release-notes=CHANGELOG.md
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
+          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
+          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
       - name: Checkout documentation site
         uses: actions/checkout@v2
         with:
           repository: github/cli.github.com
           path: site
           fetch-depth: 0
-          token: ${{secrets.SITE_GITHUB_TOKEN}}
+          ssh-key: ${{secrets.SITE_SSH_KEY}}
       - name: Update site man pages
         env:
           GIT_COMMITTER_NAME: cli automation
@@ -55,7 +65,6 @@ jobs:
             api-write --silent projects/columns/cards/$card/moves -f position=top -F column_id=$DONE_COLUMN
           done
           echo "moved ${#cards[@]} cards to the Done column"
-      
       - name: Install packaging dependencies
         run: sudo apt-get install -y rpm reprepro
       - name: Set up GPG
 
@@ -8,7 +8,8 @@ release:
 before:
   hooks:
     - go mod tidy
-    - make manpages
+    - make manpages GH_VERSION={{.Version}}
+    - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD"  }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN"  }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
   - <<: &build_defaults
@@ -32,6 +33,9 @@ builds:
     id: windows
     goos: [windows]
     goarch: [386, amd64]
+    hooks:
+      post:
+        - ./script/sign-windows-executable.sh '{{ .Path }}'
 
 archives:
   - id: nix
 
@@ -0,0 +1,5 @@
+* @cli/code-reviewers
+
+pkg/cmd/codespace/ @cli/codespaces
+pkg/liveshare/ @cli/codespaces
+internal/codespaces/ @cli/codespaces
@@ -19,7 +19,7 @@ If anything feels off, or if you feel that some functionality is missing, please
 
 ### macOS
 
-`gh` is available via [Homebrew][], [MacPorts][], [Conda][], and as a downloadable binary from the [releases page][].
+`gh` is available via [Homebrew][], [MacPorts][], [Conda][], [Spack][], and as a downloadable binary from the [releases page][].
 
 #### Homebrew
 
@@ -41,21 +41,27 @@ If anything feels off, or if you feel that some functionality is missing, please
 
 Additional Conda installation options available on the [gh-feedstock page](https://github.com/conda-forge/gh-feedstock#installing-gh).
 
+#### Spack
+
+| Install:           | Upgrade:                                 |
+| ------------------ | ---------------------------------------- |
+| `spack install gh` | `spack uninstall gh && spack install gh` |
+
 ### Linux & BSD
 
-`gh` is available via [Homebrew](#homebrew), [Conda](#Conda), and as downloadable binaries from the [releases page][].
+`gh` is available via [Homebrew](#homebrew), [Conda](#conda), [Spack](#spack), and as downloadable binaries from the [releases page][].
 
 For instructions on specific distributions and package managers, see [Linux & BSD installation](./docs/install_linux.md).
 
 ### Windows
 
-`gh` is available via [WinGet][], [scoop][], [Chocolatey][], [Conda](#Conda), and as downloadable MSI.
+`gh` is available via [WinGet][], [scoop][], [Chocolatey][], [Conda](#conda), and as downloadable MSI.
 
 #### WinGet
 
 | Install:            | Upgrade:            |
 | ------------------- | --------------------|
-| `winget install gh` | `winget upgrade gh` |
+| `winget install --id GitHub.cli` | `winget upgrade --id GitHub.cli` |
 
 #### scoop
 
@@ -99,6 +105,7 @@ tool. Check out our [more detailed explanation][gh-vs-hub] to learn more.
 [scoop]: https://scoop.sh
 [Chocolatey]: https://chocolatey.org
 [Conda]: https://docs.conda.io/en/latest/
+[Spack]: https://spack.io
 [releases page]: https://github.com/cli/cli/releases/latest
 [hub]: https://github.com/github/hub
 [contributing]: ./.github/CONTRIBUTING.md
 
@@ -12,8 +12,8 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/internal/ghinstance"
+	graphql "github.com/cli/shurcooL-graphql"
 	"github.com/henvic/httpretty"
-	"github.com/shurcooL/graphql"
 )
 
 // ClientOption represents an argument to NewClient
@@ -98,6 +98,22 @@ func ReplaceTripper(tr http.RoundTripper) ClientOption {
 	}
 }
 
+// ExtractHeader extracts a named header from any response received by this client and, if non-blank, saves
+// it to dest.
+func ExtractHeader(name string, dest *string) ClientOption {
+	return func(tr http.RoundTripper) http.RoundTripper {
+		return &funcTripper{roundTrip: func(req *http.Request) (*http.Response, error) {
+			res, err := tr.RoundTrip(req)
+			if err == nil {
+				if value := res.Header.Get(name); value != "" {
+					*dest = value
+				}
+			}
+			return res, err
+		}}
+	}
+}
+
 type funcTripper struct {
 	roundTrip func(*http.Request) (*http.Response, error)
 }
@@ -124,7 +140,18 @@ type graphQLResponse struct {
 type GraphQLError struct {
 	Type    string
 	Message string
-	// Path []interface // mixed strings and numbers
+	Path    []interface{} // mixed strings and numbers
+}
+
+func (ge GraphQLError) PathString() string {
+	var res strings.Builder
+	for i, v := range ge.Path {
+		if i > 0 {
+			res.WriteRune('.')
+		}
+		fmt.Fprintf(&res, "%v", v)
+	}
+	return res.String()
 }
 
 // GraphQLErrorResponse contains errors returned in a GraphQL response
@@ -135,18 +162,41 @@ type GraphQLErrorResponse struct {
 func (gr GraphQLErrorResponse) Error() string {
 	errorMessages := make([]string, 0, len(gr.Errors))
 	for _, e := range gr.Errors {
-		errorMessages = append(errorMessages, e.Message)
+		msg := e.Message
+		if p := e.PathString(); p != "" {
+			msg = fmt.Sprintf("%s (%s)", msg, p)
+		}
+		errorMessages = append(errorMessages, msg)
+	}
+	return fmt.Sprintf("GraphQL: %s", strings.Join(errorMessages, ", "))
+}
+
+// Match checks if this error is only about a specific type on a specific path. If the path argument ends
+// with a ".", it will match all its subpaths as well.
+func (gr GraphQLErrorResponse) Match(expectType, expectPath string) bool {
+	for _, e := range gr.Errors {
+		if e.Type != expectType || !matchPath(e.PathString(), expectPath) {
+			return false
+		}
+	}
+	return true
+}
+
+func matchPath(p, expect string) bool {
+	if strings.HasSuffix(expect, ".") {
+		return strings.HasPrefix(p, expect) || p == strings.TrimSuffix(expect, ".")
 	}
-	return fmt.Sprintf("GraphQL error: %s", strings.Join(errorMessages, "\n"))
+	return p == expect
 }
 
 // HTTPError is an error returned by a failed API call
 type HTTPError struct {
-	StatusCode  int
-	RequestURL  *url.URL
-	Message     string
-	OAuthScopes string
-	Errors      []HTTPErrorItem
+	StatusCode int
+	RequestURL *url.URL
+	Message    string
+	Errors     []HTTPErrorItem
+
+	scopesSuggestion string
 }
 
 type HTTPErrorItem struct {
@@ -165,7 +215,63 @@ func (err HTTPError) Error() string {
 	return fmt.Sprintf("HTTP %d (%s)", err.StatusCode, err.RequestURL)
 }
 
-// GraphQL performs a GraphQL request and parses the response
+func (err HTTPError) ScopesSuggestion() string {
+	return err.scopesSuggestion
+}
+
+// ScopesSuggestion is an error messaging utility that prints the suggestion to request additional OAuth
+// scopes in case a server response indicates that there are missing scopes.
+func ScopesSuggestion(resp *http.Response) string {
+	if resp.StatusCode < 400 || resp.StatusCode > 499 || resp.StatusCode == 422 {
+		return ""
+	}
+
+	endpointNeedsScopes := resp.Header.Get("X-Accepted-Oauth-Scopes")
+	tokenHasScopes := resp.Header.Get("X-Oauth-Scopes")
+	if tokenHasScopes == "" {
+		return ""
+	}
+
+	gotScopes := map[string]struct{}{}
+	for _, s := range strings.Split(tokenHasScopes, ",") {
+		s = strings.TrimSpace(s)
+		gotScopes[s] = struct{}{}
+		if strings.HasPrefix(s, "admin:") {
+			gotScopes["read:"+strings.TrimPrefix(s, "admin:")] = struct{}{}
+			gotScopes["write:"+strings.TrimPrefix(s, "admin:")] = struct{}{}
+		} else if strings.HasPrefix(s, "write:") {
+			gotScopes["read:"+strings.TrimPrefix(s, "write:")] = struct{}{}
+		}
+	}
+
+	for _, s := range strings.Split(endpointNeedsScopes, ",") {
+		s = strings.TrimSpace(s)
+		if _, gotScope := gotScopes[s]; s == "" || gotScope {
+			continue
+		}
+		return fmt.Sprintf(
+			"This API operation needs the %[1]q scope. To request it, run:  gh auth refresh -h %[2]s -s %[1]s",
+			s,
+			ghinstance.NormalizeHostname(resp.Request.URL.Hostname()),
+		)
+	}
+
+	return ""
+}
+
+// EndpointNeedsScopes adds additional OAuth scopes to an HTTP response as if they were returned from the
+// server endpoint. This improves HTTP 4xx error messaging for endpoints that don't explicitly list the
+// OAuth scopes they need.
+func EndpointNeedsScopes(resp *http.Response, s string) *http.Response {
+	if resp.StatusCode >= 400 && resp.StatusCode < 500 {
+		oldScopes := resp.Header.Get("X-Accepted-Oauth-Scopes")
+		resp.Header.Set("X-Accepted-Oauth-Scopes", fmt.Sprintf("%s, %s", oldScopes, s))
+	}
+	return resp
+}
+
+// GraphQL performs a GraphQL request and parses the response. If there are errors in the response,
+// *GraphQLErrorResponse will be returned, but the data will also be parsed into the receiver.
 func (c Client) GraphQL(hostname string, query string, variables map[string]interface{}, data interface{}) error {
 	reqBody, err := json.Marshal(map[string]interface{}{"query": query, "variables": variables})
 	if err != nil {
@@ -261,9 +367,9 @@ func handleResponse(resp *http.Response, data interface{}) error {
 
 func HandleHTTPError(resp *http.Response) error {
 	httpError := HTTPError{
-		StatusCode:  resp.StatusCode,
-		RequestURL:  resp.Request.URL,
-		OAuthScopes: resp.Header.Get("X-Oauth-Scopes"),
+		StatusCode:       resp.StatusCode,
+		RequestURL:       resp.Request.URL,
+		scopesSuggestion: ScopesSuggestion(resp),
 	}
 
 	if !jsonTypeRE.MatchString(resp.Header.Get("Content-Type")) {