Address review feedback: always set both go and toolchain
directives via go mod edit, then let go mod tidy normalize.
This eliminates complex conditional toolchain handling.
Additional fixes:
- Add go mod tidy after edits to reconcile dependencies
- Commit go.sum alongside go.mod
- Filter PR search to open PRs only (--state open)
- Use GITHUB_REPOSITORY for repo instead of hardcoding
- Use git diff to detect no-op bumps post-tidy
- Read go.mod state via go mod edit -json instead of grep
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The jq -r flag with // "" operator already returns empty string
for null/missing values, never the literal string "null".
The checks for == "null" are unnecessary.
Co-authored-by: babakks <36728931+babakks@users.noreply.github.com>
Replace manual parsing and editing with go mod edit:
- Use 'go mod edit -json' to read current go and toolchain directives
- Use 'go mod edit -go' to update go directive
- Use 'go mod edit -toolchain' to update toolchain directive
- Remove manual sed/grep parsing and .bak file handling
- More reliable and maintainable than custom text manipulation
Co-authored-by: williammartin <1611510+williammartin@users.noreply.github.com>
- Clarify comment to say "matches" instead of "matches or exceeds"
- Update PR body to accurately reflect final go.mod state
- Show actual toolchain if present, or note it's not specified
- Provide clear explanation when toolchain is omitted
Co-authored-by: williammartin <1611510+williammartin@users.noreply.github.com>
- Compare major.minor versions instead of exact string match
- Preserve go directive if already at latest major.minor
- Handle cases where go.mod has full patch version (e.g., 1.25.6)
- Update PR body to use actual go directive from modified go.mod
- Add detailed comments explaining version handling logic
Co-authored-by: williammartin <1611510+williammartin@users.noreply.github.com>
- Add early trap setup to avoid exit code issues
- Handle missing toolchain directive gracefully with `|| true`
- Add logic to detect when toolchain is expected to be missing
- Add informative messages about missing toolchain
- Implement smart toolchain handling:
- Skip toolchain when go version matches latest (redundant)
- Add toolchain when go version is older than latest
- Update toolchain when it exists but is outdated
Co-authored-by: williammartin <1611510+williammartin@users.noreply.github.com>
When a PR is opened as draft and later marked ready for review, the
check-requirements job's if filter excluded the ready_for_review action,
so the screening workflow never ran and unmet-requirements was never
applied. Add ready_for_review to the action filter so screening runs
when a draft PR transitions to requesting review.
Companion fix in desktop/gh-cli-and-desktop-shared-workflows updates the
called workflow's own filters to handle ready_for_review consistently.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
https://github.com/actions/attest-build-provenance#usage
> As of version 4, actions/attest-build-provenance is simply a wrapper
> on top of actions/attest.
>
> Existing applications may continue to use the attest-build-provenance
> action, but new implementations should use actions/attest instead.
Opts in to the new PR screening features in the shared triage workflow:
- Instantly closes PRs with zero file changes
- Detects same-author resubmissions of recently closed PRs
- Fast-tracks small, well-described fixes to ready-for-review
- Accelerates closure of large unsolicited PRs (3 days vs 7)
Depends on desktop/gh-cli-and-desktop-shared-workflows#17
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This ensures that an approval from @cli/code-reviewers can satisfy the
CODEOWNERS requirement for any path, not just the catch-all wildcard.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Clarify that a dependency having a CVE does not mean gh has a
vulnerability. We use govulncheck for reachability analysis and
ask reporters to demonstrate impact before we act on dependency CVE
reports.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The bug_report, submit-a-request, and submit-a-design-proposal issue
templates currently auto-apply 'bug' and 'enhancement' labels. This
causes issues to arrive pre-labeled with types that may not be accurate,
making triage harder since the template-applied labels can't be trusted.
Removing auto-labels ensures all type classification happens during
triage, giving the team confidence that labeled issues have been
reviewed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Prevents no-response from accidentally closing issues when manually
dispatching the workflow for pitch surfacing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
golangci-lint v2.6.0 was built with Go 1.25 and cannot lint code targeting
Go 1.26.1. Go 1.26 support was added in golangci-lint v2.9.0.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace prauto.yml and pr-help-wanted.yml with a single
triage-pull-requests.yml that calls shared reusable workflows from
desktop/gh-cli-and-desktop-shared-workflows:
- triage-label-external-pr: labels external PRs with external,needs-triage
- triage-close-from-default-branch: closes PRs opened from trunk
- triage-pr-requirements: enforces body length + help-wanted issue linkage
- triage-close-no-help-wanted: closes PRs labeled no-help-wanted-issue
- triage-ready-for-review: removes needs-triage on ready-for-review label
Also adds a daily schedule to auto-close PRs with unmet requirements
after 7 days.
Deletes:
- prauto.yml
- pr-help-wanted.yml
- scripts/check-help-wanted.sh
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rename .github/workflows/triage.yml to .github/workflows/triage-discussion-label.yml and update the workflow name from "Discussion Triage" to "Process Discuss Label" to better reflect its intent.
The `environment` property cannot be set at the job level when using
`uses:` to call a reusable workflow. Pass it as a workflow input instead.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Enable manual runs of the Bump Go workflow by adding the workflow_dispatch trigger alongside the existing scheduled cron. This allows maintainers to trigger the bump process on-demand while keeping the daily 3 AM UTC schedule intact.
