Ville Skyttä
4ed7002681
Switch from actions/attest-build-provenance to actions/attest
...
https://github.com/actions/attest-build-provenance#usage
> As of version 4, actions/attest-build-provenance is simply a wrapper
> on top of actions/attest.
>
> Existing applications may continue to use the attest-build-provenance
> action, but new implementations should use actions/attest instead.
2026-05-01 10:16:14 +03:00
tidy-dev
8b89c8b2b2
Enable extended PR screening for external PRs
...
Opts in to the new PR screening features in the shared triage workflow:
- Instantly closes PRs with zero file changes
- Detects same-author resubmissions of recently closed PRs
- Fast-tracks small, well-described fixes to ready-for-review
- Accelerates closure of large unsolicited PRs (3 days vs 7)
Depends on desktop/gh-cli-and-desktop-shared-workflows#17
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-29 09:43:23 -04:00
dependabot[bot]
ed31e2f6e8
chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1
...
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) from 7.0.0 to 7.2.1.
- [Commits](ec59f474b9...1a80836c5c
2026-04-27 17:26:50 +00:00
orbisai0security
f52acd51e9
fix: yaml.github-actions.security.run-shell-injection.run-shell-injection security vulnerability
...
Automated security fix generated by Orbis Security AI
2026-04-22 16:05:54 +05:30
Kynan Ware
d88705ea96
Add @cli/code-reviewers to all CODEOWNERS rules
...
This ensures that an approval from @cli/code-reviewers can satisfy the
CODEOWNERS requirement for any path, not just the catch-all wildcard.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-16 09:47:40 -06:00
Kynan Ware
a38e81ea5e
Add cli/skill-reviewers as CODEOWNERS for skills packages
...
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-16 09:10:00 -06:00
Kynan Ware
d3b2cebb60
Merge pull request #12918 from cli/dependabot/github_actions/advanced-security/filter-sarif-1.1
...
chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1
2026-04-14 12:36:19 -06:00
Kynan Ware
73d65ed701
Document dependency CVE policy in SECURITY.md
...
Clarify that a dependency having a CVE does not mean gh has a
vulnerability. We use govulncheck for reachability analysis and
ask reporters to demonstrate impact before we act on dependency CVE
reports.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-08 11:28:30 -06:00
William Martin
afe0adf7ed
Merge pull request #12951 from cli/dependabot/github_actions/azure/login-3.0.0
...
chore(deps): bump azure/login from 2.3.0 to 3.0.0
2026-03-26 14:09:45 +01:00
William Martin
c61b1600c2
Merge pull request #13004 from cli/dependabot/github_actions/mislav/bump-homebrew-formula-action-4.1
...
chore(deps): bump mislav/bump-homebrew-formula-action from 3.6 to 4.1
2026-03-26 14:09:33 +01:00
dependabot[bot]
dd1a3680d3
chore(deps): bump microsoft/setup-msbuild from 2.0.0 to 3.0.0
...
Bumps [microsoft/setup-msbuild](https://github.com/microsoft/setup-msbuild ) from 2.0.0 to 3.0.0.
- [Release notes](https://github.com/microsoft/setup-msbuild/releases )
- [Commits](6fb0222098...30375c66a4
2026-03-23 14:14:35 +00:00
dependabot[bot]
c255e77dde
chore(deps): bump mislav/bump-homebrew-formula-action from 3.6 to 4.1
...
Bumps [mislav/bump-homebrew-formula-action](https://github.com/mislav/bump-homebrew-formula-action ) from 3.6 to 4.1.
- [Release notes](https://github.com/mislav/bump-homebrew-formula-action/releases )
- [Commits](56a283fa15...ccf2332299
2026-03-23 14:14:32 +00:00
tidy-dev
d77b2239e9
Remove auto-labels from issue templates
...
The bug_report, submit-a-request, and submit-a-design-proposal issue
templates currently auto-apply 'bug' and 'enhancement' labels. This
causes issues to arrive pre-labeled with types that may not be accurate,
making triage harder since the template-applied labels can't be trusted.
Removing auto-labels ensures all type classification happens during
triage, giving the team confidence that labeled issues have been
reviewed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-19 19:36:11 -04:00
dependabot[bot]
ead34e1ed2
chore(deps): bump azure/login from 2.3.0 to 3.0.0
...
Bumps [azure/login](https://github.com/azure/login ) from 2.3.0 to 3.0.0.
- [Release notes](https://github.com/azure/login/releases )
- [Commits](a457da9ea1...532459ea53
2026-03-17 14:03:22 +00:00
dependabot[bot]
fb13f29f8a
chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1
...
Bumps [advanced-security/filter-sarif](https://github.com/advanced-security/filter-sarif ) from 1.0.1 to 1.1.
- [Release notes](https://github.com/advanced-security/filter-sarif/releases )
- [Commits](f3b8118a93...2da736ff05
2026-03-12 14:03:44 +00:00
Kynan Ware
bd12a06860
Switch deployment signing to OIDC authentication
2026-03-11 18:42:56 -06:00
tidy-dev
c9afc3c089
fix: add if guard to no-response job to prevent running on workflow_dispatch
...
Prevents no-response from accidentally closing issues when manually
dispatching the workflow for pitch surfacing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-10 11:44:55 -04:00
tidy-dev
089e461087
Add pitch surfacing workflow (monthly + manual dispatch)
2026-03-10 09:30:57 -04:00
Kynan Ware
7fa453e467
Update Go version requirement to 1.26+
2026-03-07 10:10:01 -07:00
Kynan Ware
b18358b754
Bump golangci-lint from v2.6.0 to v2.11.0 for Go 1.26 support
...
golangci-lint v2.6.0 was built with Go 1.25 and cannot lint code targeting
Go 1.26.1. Go 1.26 support was added in golangci-lint v2.9.0.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-06 21:24:41 -07:00
Kynan Ware
e3ac074968
Merge pull request #12760 from cli/dependabot/github_actions/goreleaser/goreleaser-action-7.0.0
...
chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0
2026-03-02 09:27:01 -07:00
Kynan Ware
453d89c2d4
Merge pull request #12795 from cli/dependabot/github_actions/actions/attest-build-provenance-4.1.0
...
chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0
2026-03-02 09:26:34 -07:00
Kynan Ware
c2ccf29aa4
Merge pull request #12796 from cli/dependabot/github_actions/actions/download-artifact-8
...
chore(deps): bump actions/download-artifact from 7 to 8
2026-03-02 09:24:28 -07:00
dependabot[bot]
b1df464f52
chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0
...
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) from 6.4.0 to 7.0.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases )
- [Commits](e435ccd777...ec59f474b9
2026-03-02 16:03:04 +00:00
dependabot[bot]
ab399f09e1
chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0
...
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance ) from 3.2.0 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases )
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md )
- [Commits](96278af6ca...a2bbfa2537
2026-03-02 16:02:34 +00:00
dependabot[bot]
6842f5bdcb
chore(deps): bump actions/download-artifact from 7 to 8
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 7 to 8.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](https://github.com/actions/download-artifact/compare/v7...v8 )
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: '8'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-02 16:02:32 +00:00
dependabot[bot]
cc15e7e16d
chore(deps): bump actions/upload-artifact from 6 to 7
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-02 16:02:25 +00:00
William Martin
7ea88b1c4d
Bundle licenses at release time ( #12625 )
...
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-02-18 17:59:27 +01:00
Kynan Ware
560128bd73
Merge pull request #12708 from cli/kw/remove-feedback-template
...
Remove feedback issue template
2026-02-17 10:36:58 -07:00
Kynan Ware
5f66c0e8b7
Remove feedback issue template
...
Delete the .github/ISSUE_TEMPLATE/feedback.md file
2026-02-17 08:07:02 -07:00
Kynan Ware
e90343db35
Migrate PR triage workflows to shared workflows
...
Replace prauto.yml and pr-help-wanted.yml with a single
triage-pull-requests.yml that calls shared reusable workflows from
desktop/gh-cli-and-desktop-shared-workflows:
- triage-label-external-pr: labels external PRs with external,needs-triage
- triage-close-from-default-branch: closes PRs opened from trunk
- triage-pr-requirements: enforces body length + help-wanted issue linkage
- triage-close-no-help-wanted: closes PRs labeled no-help-wanted-issue
- triage-ready-for-review: removes needs-triage on ready-for-review label
Also adds a daily schedule to auto-close PRs with unmet requirements
after 7 days.
Deletes:
- prauto.yml
- pr-help-wanted.yml
- scripts/check-help-wanted.sh
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-17 07:57:52 -07:00
Kynan Ware
e1983ce457
Rename triage workflow to triage-discussion-label
...
Rename .github/workflows/triage.yml to .github/workflows/triage-discussion-label.yml and update the workflow name from "Discussion Triage" to "Process Discuss Label" to better reflect its intent.
2026-02-17 07:32:35 -07:00
Kynan Ware
e861681139
Pass environment as input to shared triage workflow
...
The `environment` property cannot be set at the job level when using
`uses:` to call a reusable workflow. Pass it as a workflow input instead.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-17 07:27:01 -07:00
copilot-swe-agent[bot]
8e6cdf7059
Add missing environment and label check to triage workflow
...
Co-authored-by: BagToad <47394200+BagToad@users.noreply.github.com>
2026-02-17 14:05:39 +00:00
Kynan Ware
f1ebf6f8d9
Migrate stale workflow to shared workflow
2026-02-13 11:17:33 -07:00
Kynan Ware
a5e97b5b6c
Migrate issue triage workflows to shared workflows
2026-02-12 23:32:45 -07:00
Kynan Ware
35828f44cd
Add manual dispatch to bump-go workflow
...
Enable manual runs of the Bump Go workflow by adding the workflow_dispatch trigger alongside the existing scheduled cron. This allows maintainers to trigger the bump process on-demand while keeping the daily 3 AM UTC schedule intact.
2026-02-06 11:52:24 -07:00
dependabot[bot]
fdc72751a7
chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0
...
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance ) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases )
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md )
- [Commits](00014ed6ed...96278af6ca
2026-01-27 14:01:36 +00:00
dependabot[bot]
09e66252fd
chore(deps): bump goreleaser/goreleaser-action from 6.0.0 to 6.4.0
...
Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action ) from 6.0.0 to 6.4.0.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases )
- [Commits](286f3b13b1...e435ccd777
2026-01-23 18:22:34 +00:00
Kynan Ware
c8335e3f55
Merge pull request #12315 from cli/dependabot/github_actions/actions/upload-artifact-6
...
chore(deps): bump actions/upload-artifact from 5 to 6
2026-01-23 11:18:50 -07:00
Kynan Ware
970a1ebbc1
Merge pull request #12314 from cli/dependabot/github_actions/actions/download-artifact-7
...
chore(deps): bump actions/download-artifact from 6 to 7
2026-01-23 11:18:19 -07:00
Kynan Ware
fe729082ad
Update contributing guidelines for clarity
2026-01-20 15:21:23 -07:00
William Martin
249de236bd
Update go-licenses for 1.25
2026-01-07 15:38:58 +00:00
Kynan Ware
1d76eae5aa
Add shell specification for temporary tag creation
2026-01-06 10:37:12 -07:00
Babak K. Shandiz
f47a230eda
ci: shorten run block
...
Signed-off-by: Babak K. Shandiz <babakks@github.com>
2026-01-06 17:04:02 +00:00
Babak K. Shandiz
d02341d5a3
ci: improve step name
...
Signed-off-by: Babak K. Shandiz <babakks@github.com>
2026-01-06 17:02:54 +00:00
Babak K. Shandiz
fa871ffa67
ci: tag per build job
...
We need to tag the HEAD commit to make sure the right version is baked
into the built binaries.
See for more details:
- https://github.com/cli/cli/issues/12263
Signed-off-by: Babak K. Shandiz <babakks@github.com>
2026-01-06 16:59:08 +00:00
Kynan Ware
c9ba3793ee
Update Azure Code Signing endpoint URL
2026-01-05 13:43:55 -07:00
Kynan Ware
319567c2cf
Update Azure Code Signing client to 1.0.95
...
Also updates the source URL
2026-01-05 11:49:16 -07:00
Babak K. Shandiz
aed52d5ee1
ci: disable create storage record for artifacts
...
Signed-off-by: Babak K. Shandiz <babakks@github.com>
2025-12-19 19:17:44 +00:00
