https-github-com-bit
diff --git a/‎.devcontainer/devcontainer.json‎
Lines changed: 5 additions & 0 deletions b/‎.devcontainer/devcontainer.json‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/codeql.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/go.yml‎
Lines changed: 9 additions & 6 deletions b/‎.github/workflows/go.yml‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎.github/workflows/issueauto.yml‎
Lines changed: 9 additions & 4 deletions b/‎.github/workflows/issueauto.yml‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 13 additions & 2 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎.github/workflows/prauto.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/prauto.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/releases.yml‎
Lines changed: 29 additions & 20 deletions b/‎.github/workflows/releases.yml‎
Lines changed: 29 additions & 20 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 0 additions & 1 deletion b/‎.goreleaser.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎api/client.go‎
Lines changed: 18 additions & 1 deletion b/‎api/client.go‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎api/queries_pr.go‎
Lines changed: 14 additions & 12 deletions b/‎api/queries_pr.go‎
Lines changed: 14 additions & 12 deletions
@@ -0,0 +1,5 @@
+{
+    "extensions": [
+        "golang.go"
+    ]
+}
@@ -10,13 +10,18 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions:
+  actions: read  # for github/codeql-action/init to get workflow details
+  contents: read  # for actions/checkout to fetch code
+  security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v1
 
@@ -1,5 +1,9 @@
 name: Tests
 on: [push, pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -15,16 +19,15 @@ jobs:
           go-version: 1.16
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
-      - name: Cache Go modules
+      - name: Restore Go modules cache
         uses: actions/cache@v2
         with:
-          path: ~/go
-          key: ${{ runner.os }}-build-${{ hashFiles('go.mod') }}
+          path: ~/go/pkg/mod
+          key: go-${{ runner.os }}-${{ hashFiles('go.mod') }}
           restore-keys: |
-            ${{ runner.os }}-build-
-            ${{ runner.os }}-
+            go-${{ runner.os }}-
 
       - name: Download dependencies
         run: go mod download
 
@@ -2,16 +2,21 @@ name: Issue Automation
 on:
   issues:
     types: [opened]
+
+permissions:
+  contents: none
+  issues: write
+
 jobs:
   issue-auto:
     runs-on: ubuntu-latest
     steps:
       - name: label incoming issue
         env:
-         GH_REPO: ${{ github.repository }}
-         GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
-         ISSUENUM: ${{ github.event.issue.number }}
-         ISSUEAUTHOR: ${{ github.event.issue.user.login }}
+          GH_REPO: ${{ github.repository }}
+          GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+          ISSUENUM: ${{ github.event.issue.number }}
+          ISSUEAUTHOR: ${{ github.event.issue.user.login }}
         run: |
           if ! gh api orgs/cli/public_members/$ISSUEAUTHOR --silent 2>/dev/null
           then
 
@@ -11,6 +11,9 @@ on:
       - go.mod
       - go.sum
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -22,14 +25,22 @@ jobs:
           go-version: 1.16
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
+      - name: Restore Go modules cache
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: go-${{ runner.os }}-${{ hashFiles('go.mod') }}
+          restore-keys: |
+            go-${{ runner.os }}-
 
       - name: Verify dependencies
         run: |
           go mod verify
           go mod download
 
-          LINT_VERSION=1.39.0
+          LINT_VERSION=1.44.2
           curl -fsSL https://github.com/golangci/golangci-lint/releases/download/v${LINT_VERSION}/golangci-lint-${LINT_VERSION}-linux-amd64.tar.gz | \
             tar xz --strip-components 1 --wildcards \*/golangci-lint
           mkdir -p bin && mv golangci-lint bin/
 
@@ -2,6 +2,12 @@ name: PR Automation
 on:
   pull_request_target:
     types: [ready_for_review, opened, reopened]
+
+permissions:
+  contents: none
+  issues: write
+  pull-requests: write
+
 jobs:
   pr-auto:
     runs-on: ubuntu-latest
 
@@ -5,12 +5,16 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: write  # publishing releases
+  repository-projects: write  # move cards between columns
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Set up Go 1.16
         uses: actions/setup-go@v2
         with:
@@ -27,6 +31,13 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       - name: Install osslsigncode
         run: sudo apt-get install -y osslsigncode
+      - name: Obtain signing cert
+        run: |
+          cert="$(mktemp -t cert.XXX)"
+          base64 -d <<<"$CERT_CONTENTS" > "$cert"
+          echo "CERT_FILE=$cert" >> $GITHUB_ENV
+        env:
+          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
         with:
@@ -35,10 +46,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           GORELEASER_CURRENT_TAG: ${{steps.changelog.outputs.tag-name}}
-          GITHUB_CERT_PASSWORD: ${{secrets.GITHUB_CERT_PASSWORD}}
-          DESKTOP_CERT_TOKEN: ${{secrets.DESKTOP_CERT_TOKEN}}
+          CERT_PASSWORD: ${{secrets.WINDOWS_CERT_PASSWORD}}
       - name: Checkout documentation site
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: github/cli.github.com
           path: site
@@ -122,7 +132,7 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Download gh.exe
         id: download_exe
         shell: bash
@@ -132,34 +142,33 @@ jobs:
           unzip -o *.zip && rm -v *.zip
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-      - name: Install go-msi
-        run: choco install -y "go-msi"
       - name: Prepare PATH
-        shell: bash
-        run: |
-          echo "$WIX\\bin" >> $GITHUB_PATH
-          echo "C:\\Program Files\\go-msi" >> $GITHUB_PATH
+        id: setupmsbuild
+        uses: microsoft/setup-msbuild@v1.0.3
       - name: Build MSI
         id: buildmsi
         shell: bash
         env:
           ZIP_FILE: ${{ steps.download_exe.outputs.zip }}
+          MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
         run: |
-          mkdir -p build
-          msi="$(basename "$ZIP_FILE" ".zip").msi"
-          printf "::set-output name=msi::%s\n" "$msi"
-          go-msi make --msi "$PWD/$msi" --out "$PWD/build" --version "${GITHUB_REF#refs/tags/}"
+          name="$(basename "$ZIP_FILE" ".zip")"
+          version="$(echo -e ${GITHUB_REF#refs/tags/v} | sed s/-.*$//)"
+          "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$PWD" -p:OutputPath="$PWD" -p:OutputName="$name" -p:ProductVersion="$version"
       - name: Obtain signing cert
         id: obtain_cert
+        shell: bash
+        run: |
+          base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx
+          printf "::set-output name=cert-file::%s\n" ".\\cert.pfx"
         env:
-          DESKTOP_CERT_TOKEN: ${{ secrets.DESKTOP_CERT_TOKEN }}
-        run: .\script\setup-windows-certificate.ps1
+          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
       - name: Sign MSI
         env:
           CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
           EXE_FILE: ${{ steps.buildmsi.outputs.msi }}
-          GITHUB_CERT_PASSWORD: ${{ secrets.GITHUB_CERT_PASSWORD }}
-        run: .\script\sign.ps1 -Certificate $env:CERT_FILE -Executable $env:EXE_FILE
+          CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
+        run: .\script\signtool sign /d "GitHub CLI" /f $env:CERT_FILE /p $env:CERT_PASSWORD /fd sha256 /tr http://timestamp.digicert.com /v $env:EXE_FILE
       - name: Upload MSI
         shell: bash
         run: |
@@ -183,7 +192,7 @@ jobs:
         env:
           COMMITTER_TOKEN: ${{ secrets.UPLOAD_GITHUB_TOKEN }}
       - name: Checkout scoop bucket
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: cli/scoop-gh
           path: scoop-gh
 
@@ -9,7 +9,6 @@ before:
   hooks:
     - go mod tidy
     - make manpages GH_VERSION={{.Version}}
-    - ./script/prepare-windows-cert.sh '{{ if index .Env "GITHUB_CERT_PASSWORD"  }}{{ .Env.GITHUB_CERT_PASSWORD}}{{ end }}' '{{ if index .Env "DESKTOP_CERT_TOKEN"  }}{{ .Env.DESKTOP_CERT_TOKEN}}{{ end }}'
 
 builds:
   - <<: &build_defaults
 
@@ -236,7 +236,23 @@ func ScopesSuggestion(resp *http.Response) string {
 	for _, s := range strings.Split(tokenHasScopes, ",") {
 		s = strings.TrimSpace(s)
 		gotScopes[s] = struct{}{}
-		if strings.HasPrefix(s, "admin:") {
+
+		// Certain scopes may be grouped under a single "top-level" scope. The following branch
+		// statements include these grouped/implied scopes when the top-level scope is encountered.
+		// See https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps.
+		if s == "repo" {
+			gotScopes["repo:status"] = struct{}{}
+			gotScopes["repo_deployment"] = struct{}{}
+			gotScopes["public_repo"] = struct{}{}
+			gotScopes["repo:invite"] = struct{}{}
+			gotScopes["security_events"] = struct{}{}
+		} else if s == "user" {
+			gotScopes["read:user"] = struct{}{}
+			gotScopes["user:email"] = struct{}{}
+			gotScopes["user:follow"] = struct{}{}
+		} else if s == "codespace" {
+			gotScopes["codespace:secrets"] = struct{}{}
+		} else if strings.HasPrefix(s, "admin:") {
 			gotScopes["read:"+strings.TrimPrefix(s, "admin:")] = struct{}{}
 			gotScopes["write:"+strings.TrimPrefix(s, "admin:")] = struct{}{}
 		} else if strings.HasPrefix(s, "write:") {
@@ -326,6 +342,7 @@ func (c Client) REST(hostname string, method string, p string, body io.Reader, d
 	if err != nil {
 		return err
 	}
+
 	err = json.Unmarshal(b, &data)
 	if err != nil {
 		return err
 
@@ -80,18 +80,7 @@ type PullRequest struct {
 			Commit struct {
 				StatusCheckRollup struct {
 					Contexts struct {
-						Nodes []struct {
-							TypeName    string    `json:"__typename"`
-							Name        string    `json:"name"`
-							Context     string    `json:"context,omitempty"`
-							State       string    `json:"state,omitempty"`
-							Status      string    `json:"status"`
-							Conclusion  string    `json:"conclusion"`
-							StartedAt   time.Time `json:"startedAt"`
-							CompletedAt time.Time `json:"completedAt"`
-							DetailsURL  string    `json:"detailsUrl"`
-							TargetURL   string    `json:"targetUrl,omitempty"`
-						}
+						Nodes    []CheckContext
 						PageInfo struct {
 							HasNextPage bool
 							EndCursor   string
@@ -113,6 +102,19 @@ type PullRequest struct {
 	ReviewRequests ReviewRequests
 }
 
+type CheckContext struct {
+	TypeName    string    `json:"__typename"`
+	Name        string    `json:"name"`
+	Context     string    `json:"context,omitempty"`
+	State       string    `json:"state,omitempty"`
+	Status      string    `json:"status"`
+	Conclusion  string    `json:"conclusion"`
+	StartedAt   time.Time `json:"startedAt"`
+	CompletedAt time.Time `json:"completedAt"`
+	DetailsURL  string    `json:"detailsUrl"`
+	TargetURL   string    `json:"targetUrl,omitempty"`
+}
+
 type PRRepository struct {
 	ID   string `json:"id"`
 	Name string `json:"name"`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +    "extensions": [
 +        "golang.go"
 +    ]
 +}