Merge branch 'main' into dependabot/github_actions/actions/download-artifact-7

Author: Ruh-Al-Tarikh

.devcontainer/devcontainer.json

@@ -1,5 +1,5 @@
 {
-	"image": "mcr.microsoft.com/devcontainers/go:1.24",
+	"image": "mcr.microsoft.com/devcontainers/go:1.25",
 	"features": {
 		"ghcr.io/devcontainers/features/sshd:1": {}
 	},

.github/CONTRIBUTING.md

@@ -2,19 +2,19 @@
 
 Hi! Thanks for your interest in contributing to the GitHub CLI!
 
-We accept pull requests for bug fixes and features where we've discussed the approach in an issue and given the go-ahead for a community member to work on it. We'd also love to hear about ideas for new features as issues.
+We accept pull requests for issues labelled `help wanted`. We encourage issues and discussion posts for all other contributions.
 
 ### Please do:
 
 * Check issues to verify that a [bug][bug issues] or [feature request][feature request issues] issue does not already exist for the same problem or feature
 * Open an issue if things aren't working as expected
-* Open an issue to propose a significant change
+* Open an issue to propose a change
 * Open an issue to propose a design for an issue labelled [`needs-design` and `help wanted`][needs design and help wanted], following the [proposing a design guidelines](#proposing-a-design) instructions below
 * Open an issue to propose a new community supported `gh` package with details about support and redistribution
 * Mention `@cli/code-reviewers` when an issue you want to work on does not have clear Acceptance Criteria
 * Open a pull request for any issue labelled [`help wanted`][hw] and [`good first issue`][gfi]
 
-### Please _do not_:
+### Please _do NOT_:
 
 * Open a pull request for issues without the `help wanted` label or explicit Acceptance Criteria
 * Expand pull request scope to include changes that are not described in the issue's Acceptance Criteria
@@ -24,7 +24,7 @@ We accept pull requests for bug fixes and features where we've discussed the app
 ## Building the project
 
 Prerequisites:
-- Go 1.24+
+- Go 1.25+
 
 Build with:
 * Unix-like systems: `make`

.github/workflows/bump-go.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/codeql.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup Go
         if: matrix.language == 'go'

.github/workflows/deployment.yml

@@ -44,16 +44,24 @@ jobs:
     if: contains(inputs.platforms, 'linux')
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
+      # We temporarily create a tag on HEAD to make the right version embedded
+      # in the built binaries, BUT we don't push it to the remote.
+      - name: Create temporary tag
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+        run: git tag "$TAG_NAME"
       - name: Build release binaries
         env:
           TAG_NAME: ${{ inputs.tag_name }}
@@ -62,7 +70,7 @@ jobs:
         run: |
           go run ./cmd/gen-docs --website --doc-path dist/manual
           tar -czvf dist/manual.tar.gz -C dist -- manual
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v6
         with:
           name: linux
           if-no-files-found: error
@@ -79,7 +87,7 @@ jobs:
     if: contains(inputs.platforms, 'macos')
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
@@ -103,10 +111,18 @@ jobs:
           security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "$keychain_password" "$keychain"
           rm "$RUNNER_TEMP/cert.p12"
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
+      # We temporarily create a tag on HEAD to make the right version embedded
+      # in the built binaries, BUT we don't push it to the remote.
+      - name: Create temporary tag
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+        run: git tag "$TAG_NAME"
       - name: Build release binaries
         env:
           TAG_NAME: ${{ inputs.tag_name }}
@@ -134,7 +150,7 @@ jobs:
         run: |
           shopt -s failglob
           script/pkgmacos "$TAG_NAME"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v6
         with:
           name: macos
           if-no-files-found: error
@@ -151,15 +167,17 @@ jobs:
     if: contains(inputs.platforms, 'windows')
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Set up Go
         uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
-          version: "~1.17.1"
+          # The version is pinned not only for security purposes, but also to avoid breaking
+          # our scripts, which rely on the specific file names generated by GoReleaser.
+          version: v2.13.1
           install-only: true
       - name: Install Azure Code Signing Client
         shell: pwsh
@@ -170,17 +188,24 @@ jobs:
           METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
         run: |
           # Download Azure Code Signing client containing the DLL needed for signtool in script/sign
-          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.43 -OutFile $Env:ACS_ZIP -Verbose
+          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Microsoft.Trusted.Signing.Client/1.0.95 -OutFile $Env:ACS_ZIP -Verbose
           Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
 
           # Generate metadata file for signtool, used in signing box .exe and .msi
           @{
             CertificateProfileName = "GitHubInc"
             CodeSigningAccountName = "GitHubInc"
             CorrelationId = $Env:CORRELATION_ID
-            Endpoint =  "https://wus.codesigning.azure.net/"
+            Endpoint =  "https://wus3.codesigning.azure.net/"
           } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
 
+      # We temporarily create a tag on HEAD to make the right version embedded
+      # in the built binaries, BUT we don't push it to the remote.
+      - name: Create temporary tag
+        shell: bash
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+        run: git tag "$TAG_NAME"
       # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
       # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
       # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
@@ -207,15 +232,15 @@ jobs:
             MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
             case "$MSI_NAME" in
             *_386 )
-              source_dir="$PWD/dist/windows_windows_386"
+              source_dir="$PWD/dist/windows_windows_386_sse2"
               platform="x86"
               ;;
             *_amd64 )
               source_dir="$PWD/dist/windows_windows_amd64_v1"
               platform="x64"
               ;;
             *_arm64 )
-              source_dir="$PWD/dist/windows_windows_arm64"
+              source_dir="$PWD/dist/windows_windows_arm64_v8.0"
               platform="arm64"
               ;;
             * )
@@ -238,7 +263,7 @@ jobs:
           Get-ChildItem -Path .\dist -Filter *.msi | ForEach-Object {
             .\script\sign.ps1 $_.FullName
           }
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v6
         with:
           name: windows
           if-no-files-found: error
@@ -254,11 +279,11 @@ jobs:
     if: inputs.release
     steps:
       - name: Checkout cli/cli
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Merge built artifacts
         uses: actions/download-artifact@v7
       - name: Checkout documentation site
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: github/cli.github.com
           path: site
@@ -309,9 +334,14 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+<<<<<<< HEAD
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+=======
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+>>>>>>> main
         with:
           subject-path: "dist/gh_*"
+          create-storage-record: false # (default: true)
       - name: Run createrepo
         env:
           GPG_SIGN: ${{ inputs.environment == 'production' }}

.github/workflows/detect-spam.yml

@@ -14,7 +14,7 @@ jobs:
     environment: cli-automation
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Run spam detection
         env:
           GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}

.github/workflows/go.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -45,7 +45,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/govulncheck.yml

@@ -2,6 +2,8 @@ name: Go Vulnerability Check
 on:
   schedule:
     - cron: "0 0 * * 1" # Every Monday at midnight UTC
+  workflow_dispatch:
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
@@ -10,7 +12,7 @@ jobs:
       security-events: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6

.github/workflows/lint.yml

@@ -7,19 +7,23 @@ on:
       - "**.go"
       - go.mod
       - go.sum
+      - ".github/licenses.tmpl"
+      - "script/licenses*"
   pull_request:
     paths:
       - "**.go"
       - go.mod
       - go.sum
+      - ".github/licenses.tmpl"
+      - "script/licenses*"
 permissions:
   contents: read
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -42,16 +46,28 @@ jobs:
           exit $STATUS
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
-          version: v2.1.6
+          version: v2.6.0
+
+      # actions/setup-go does not setup the installed toolchain to be preferred over the system install,
+      # which causes go-licenses to raise "Package ... does not have module info" errors.
+      # For more information, https://github.com/google/go-licenses/issues/244#issuecomment-1885098633
+      #
+      # go-licenses has been pinned for automation use.
+      - name: Check licenses
+        run: |
+          export GOROOT=$(go env GOROOT)
+          export PATH=${GOROOT}/bin:$PATH
+          go install github.com/google/go-licenses/v2@3e084b0caf710f7bfead967567539214f598c0a2 # v2.0.1
+          make licenses-check
 
   # Discover vulnerabilities within Go standard libraries used to build GitHub CLI using govulncheck.
   govulncheck:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go
         uses: actions/setup-go@v6
@@ -60,7 +76,9 @@ jobs:
 
       # `govulncheck` exits unsuccessfully if vulnerabilities are found, providing results in stdout.
       # See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck#hdr-Exit_codes for more information on exit codes.
+      #
+      # On go1.25, To make `-mode binary` work we need to make sure the binary is built with `go build -buildvcs=false`
+      # Since our builds do not use `-buildvcs=false`, we run in source mode here instead.
       - name: Check Go vulnerabilities
         run: |
-          make
-          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 -mode=binary bin/gh
+          go run golang.org/x/vuln/cmd/govulncheck@d1f380186385b4f64e00313f31743df8e4b89a77 ./...

.github/workflows/pr-help-wanted.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set PR variables for workflow_dispatch event
         id: pr-vars-dispatch