Detect which AI coding agent is invoking gh by checking well-known
environment variables and include the agent name in the User-Agent
header sent to GitHub APIs.
Supported agents: Codex, Gemini CLI, Copilot CLI, OpenCode,
Claude Code, and Amp. Generic AI_AGENT env var is also supported
with validation to prevent header injection.
Fixesgithub/cli#1111
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Consolidate duplicated INSUFFICIENT_SCOPES error handling into a single
implementation. The project queries package now calls
api.GenerateScopeErrorForGQL instead of reimplementing the same logic.
Removes duplicated requiredScopesFromServerMessage, scopesRE, and the
associated test (already covered by api/client_test.go).
Fixes#12823
The returned response from `api.EndpointNeedsScopes` causes `bodyclose`
linter to raise a false positive error, assuming it's a new response that
its body needs to be closed.
Signed-off-by: Babak K. Shandiz <babakks@github.com>
This changes the FetchRelease implementation to look up draft releases directly using by its pending tag name, as opposed to resorting to the Releases list API which is backed by Elastic Search and thus suffers replication lag after the creation of a draft release.
Bonus: all release lookup functions now accept a context for cancellation.
* Fix obtained scope mapping to include missing scopes
As is, `gotScopes` does not contain certain scopes because it doesn't check for the "special" scopes that imply other scopes. For example, the `repo` scope implies `repo:invite`.
* Add a comment in ScopesSuggestion explaining branch statements
* Delete whitespace to appease go-fmt
Whenever a SSO challenge gets issued by the server by means of a URL in
the `X-GitHub-SSO` response header, gh now additionally prints that URL
on the standard error stream.
This is achieved by installing a middleware to all HTTP requests and
storing the server challenge to a value accessible by `factory.SSOURL()`.
Such approach was made necessary mainly because of the
`shurcool-graphql` client which doesn't give access to response headers
when a GraphQL error case is encountered.
HTTP 422 messages are for validation errors, but OAUTH permissions
suggestions get printed anyways. Most times, the user probably has the
right permissions. This fix adds the check to avoid printing a confusing
message.
Co-authored-by: Mislav Marohnić <mislav@github.com>
- Supports passing a PR as argument, not just issues
- Makes it non-fatal when project cards were not able to load
- Cleans up legacy method for fetching issues
- `issue close` no longer fetches all issue fields and thus avoids the
problem when loading failed due to token not having access to projects
- `issue close` now accepts either issue or pull number as argument.
If a 4xx server response lists scopes in the X-Accepted-Oauth-Scopes
header that are not present in the X-Oauth-Scopes header, the final
error messaging on stderr will now include a hint for the user that they
might need to request the additional scope:
$ gh codespace list
error getting codespaces: HTTP 403: Must have admin rights to Repository. (https://api.github.com/user/codespaces?per_page=30)
This API operation needs the "codespace" scope. To request it, run: gh auth refresh -h github.com -s codespace
The "path" field of a GraphQL error object contains a mix of strings and
numbers and cannot be deserialized into `[]string`. Fortunately, we
don't need to rely on the "path" field and instead have the final error
message be constructed by aggregating human-readable "message" fields.
GitHub REST resources typically return full URLs to fetch related
resources at. We used to parse those URLs to find just the path portion
and pass that in to the `REST()` function, which only accepted paths. By
doing so, we are essential de-constructing a URL just to re-assemble it
again. While re-assembling it for Enterprise, though, we would
accidentally inject an extra `api/v3/` prefix where one was not needed.
The solution is just to use raw URLs as reported by the REST API with
no modifications. This extends the `REST()` function to accept full URLs
in addition to just paths to resources.
We install an HTTP middleware that adds the "Authorization" header on
every HTTP request. However, our asset download process might redirect
to a 3rd-party host (Amazon S3) and we want to allow those requests but
not require that they are authenticated.
Furthermore, we need the ability to specify the `Accept` request header
without it being overwritten by middleware, so now middleware only adds
headers that are not present in a request.
