Replace gh CLI with native GitHub OAuth device flow

Introduce pkg/githubauth with two-app architecture (CI App + User App),
device flow login, token caching, and direct REST client. Remove all
exec.Command("gh") calls. Rewrite tests to use httptest.

Author: daniel-garcia

cmd/apx/commands/init.go

@@ -12,6 +12,7 @@ import (
 	"github.com/infobloxopen/apx/internal/interactive"
 	"github.com/infobloxopen/apx/internal/schema"
 	"github.com/infobloxopen/apx/internal/ui"
+	"github.com/infobloxopen/apx/pkg/githubauth"
 	"github.com/spf13/cobra"
 )
 
@@ -54,7 +55,7 @@ func newInitCanonicalCmd() *cobra.Command {
 	cmd.Flags().String("site-url", "", "Custom domain for the catalog site (e.g. apis.internal.infoblox.dev)")
 	cmd.Flags().Bool("skip-git", false, "Skip git initialization")
 	cmd.Flags().Bool("non-interactive", false, "Disable interactive prompts and require all flags")
-	cmd.Flags().Bool("setup-github", false, "Configure GitHub repo settings (branch/tag protection, org secrets) via gh CLI")
+	cmd.Flags().Bool("setup-github", false, "Configure GitHub repo settings (apps, branch/tag protection, org secrets)")
 	cmd.Flags().String("app-id", "", "GitHub App ID for org secrets (used with --setup-github)")
 	cmd.Flags().String("app-pem-file", "", "Path to GitHub App private key PEM file (used with --setup-github)")
 	return cmd
@@ -71,7 +72,7 @@ func newInitAppCmd() *cobra.Command {
 	cmd.Flags().String("repo", "", "Repository name")
 	cmd.Flags().String("import-root", "", "Custom public Go import prefix (e.g. go.acme.dev/apis)")
 	cmd.Flags().Bool("non-interactive", false, "Disable interactive prompts and require all flags")
-	cmd.Flags().Bool("setup-github", false, "Configure GitHub repo settings (branch protection) via gh CLI")
+	cmd.Flags().Bool("setup-github", false, "Configure GitHub repo settings (branch protection)")
 	return cmd
 }
 
@@ -251,70 +252,117 @@ func initCanonicalAction(cmd *cobra.Command, args []string) error {
 	ui.Success("\u2713 Generated .github/workflows/ci.yml")
 	ui.Success("\u2713 Generated .github/workflows/on-merge.yml")
 
-	// --setup-github: configure GitHub repo settings via gh CLI
+	// --setup-github: configure GitHub repo settings
 	setupGitHub, _ := cmd.Flags().GetBool("setup-github")
 	if setupGitHub {
-		// Preflight: verify gh is installed, authenticated, and has required scopes.
-		if err := gh.CheckGHAuth(); err != nil {
-			return fmt.Errorf("GitHub setup preflight failed: %w", err)
-		}
-		if err := gh.CheckGHScopes(); err != nil {
-			return fmt.Errorf("GitHub setup preflight failed: %w", err)
-		}
-
 		appID, _ := cmd.Flags().GetString("app-id")
 		pemFile, _ := cmd.Flags().GetString("app-pem-file")
 
-		// Try to resolve from cache if flags are not provided.
+		// ── Step 1: User App ────────────────────────────────────────
+		// Create the user-facing GitHub App (apx-{org}-user) if not cached.
+		// This app provides device-flow OAuth for human users.
+		userClientID := gh.GetCachedUserAppClientID(org)
+		if userClientID == "" {
+			if nonInteractive {
+				return fmt.Errorf("user app not configured for org %q; run interactively first", org)
+			}
+			ui.Info("\nCreating user app %q via GitHub App manifest flow...", gh.UserAppName(org))
+			creds, createErr := gh.CreateAppViaManifest(org, gh.UserAppName(org), gh.UserAppPermissions)
+			if createErr != nil {
+				return fmt.Errorf("failed to create user app: %w", createErr)
+			}
+			if err := gh.CacheUserAppClientID(org, creds.ClientID); err != nil {
+				return fmt.Errorf("failed to cache user app client ID: %w", err)
+			}
+			if err := gh.CacheUserAppID(org, fmt.Sprintf("%d", creds.ID)); err != nil {
+				return fmt.Errorf("failed to cache user app ID: %w", err)
+			}
+			if creds.Slug != "" {
+				if err := gh.CacheUserAppSlug(org, creds.Slug); err != nil {
+					ui.Warning("Failed to cache user app slug: %v", err)
+				}
+			}
+			userClientID = creds.ClientID
+			ui.Success("User app created! Client ID: %s", userClientID)
+		} else {
+			ui.Info("User app already configured (client_id cached).")
+		}
+
+		// ── Step 2: Device flow login ───────────────────────────────
+		// Authenticate the user via OAuth device flow to get a token.
+		token, tokenErr := githubauth.EnsureToken(org)
+		if tokenErr != nil {
+			return fmt.Errorf("GitHub authentication failed: %w", tokenErr)
+		}
+		client := githubauth.NewClient(token)
+
+		// ── Step 3: Ensure user app is installed ────────────────────
+		userAppIDStr := gh.GetCachedUserAppID(org)
+		userAppSlug := gh.GetCachedUserAppSlug(org)
+		if userAppIDStr != "" && userAppSlug != "" {
+			userAppIDInt, _ := strconv.Atoi(userAppIDStr)
+			if userAppIDInt > 0 {
+				if err := gh.EnsureAppInstalled(client, org, userAppIDInt, userAppSlug); err != nil {
+					ui.Warning("Could not verify user app installation: %v", err)
+				}
+			}
+		}
+
+		// ── Step 4: CI App ──────────────────────────────────────────
+		// Create the CI GitHub App (apx-{repo}-{org}) if not cached.
 		if appID == "" {
 			appID = gh.GetCachedAppID(org)
 		}
 		pemCached := false
-		if cachePath, err := gh.PEMCachePath(org); err == nil {
+		if cachePath, pemErr := gh.PEMCachePath(org); pemErr == nil {
 			if _, statErr := os.Stat(cachePath); statErr == nil {
 				pemCached = true
 			}
 		}
 
 		needsApp := appID == "" || (!pemCached && pemFile == "")
 		if needsApp && !nonInteractive {
-			ui.Info("\nNo GitHub App configured for org %q.", org)
-			ui.Info("Creating one via the GitHub App manifest flow...\n")
-
-			newAppID, appSlug, pemContents, err := gh.CreateAppViaManifest(org, repo)
-			if err != nil {
-				return fmt.Errorf("failed to create GitHub App: %w", err)
+			ui.Info("\nCreating CI app %q via GitHub App manifest flow...", gh.CIAppName(repo, org))
+			creds, createErr := gh.CreateAppViaManifest(org, gh.CIAppName(repo, org), gh.CIAppPermissions)
+			if createErr != nil {
+				return fmt.Errorf("failed to create CI app: %w", createErr)
 			}
-
-			if err := gh.CachePEMFromContents(org, pemContents); err != nil {
+			if err := gh.CachePEMFromContents(org, creds.PEM); err != nil {
 				return fmt.Errorf("failed to cache PEM: %w", err)
 			}
-			if err := gh.CacheAppID(org, newAppID); err != nil {
-				return fmt.Errorf("failed to cache app ID: %w", err)
+			if err := gh.CacheAppID(org, fmt.Sprintf("%d", creds.ID)); err != nil {
+				return fmt.Errorf("failed to cache CI app ID: %w", err)
 			}
-			if appSlug != "" {
-				if err := gh.CacheAppSlug(org, appSlug); err != nil {
-					ui.Warning("Failed to cache app slug: %v", err)
+			if creds.Slug != "" {
+				if err := gh.CacheAppSlug(org, creds.Slug); err != nil {
+					ui.Warning("Failed to cache CI app slug: %v", err)
 				}
 			}
+			appID = fmt.Sprintf("%d", creds.ID)
+			ui.Success("CI app created! App ID: %s", appID)
 
-			appID = newAppID
-			ui.Success("GitHub App created! App ID: %s", appID)
+			// Ensure CI app is installed on the org.
+			if creds.Slug != "" {
+				if err := gh.EnsureAppInstalled(client, org, creds.ID, creds.Slug); err != nil {
+					ui.Warning("Could not verify CI app installation: %v", err)
+				}
+			}
 		} else if needsApp {
 			return fmt.Errorf("--app-id and --app-pem-file are required with --setup-github in non-interactive mode")
 		} else {
-			// App already exists – ensure it is installed on the org
-			appSlug := gh.GetCachedAppSlug(org)
-			if appSlug != "" {
+			// CI app already exists – ensure it is installed on the org.
+			ciSlug := gh.GetCachedAppSlug(org)
+			if ciSlug != "" {
 				appIDInt, _ := strconv.Atoi(appID)
 				if appIDInt > 0 {
-					if err := gh.EnsureAppInstalled(org, appIDInt, appSlug); err != nil {
-						ui.Warning("Could not verify app installation: %v", err)
+					if err := gh.EnsureAppInstalled(client, org, appIDInt, ciSlug); err != nil {
+						ui.Warning("Could not verify CI app installation: %v", err)
 					}
 				}
 			}
 		}
 
+		// ── Step 5: Set up canonical repo ───────────────────────────
 		// Resolve siteURL from config if not provided via flag.
 		if siteURL == "" {
 			if cfg, cfgErr := config.LoadRaw("apx.yaml"); cfgErr == nil && cfg.SiteURL != "" {
@@ -323,9 +371,9 @@ func initCanonicalAction(cmd *cobra.Command, args []string) error {
 		}
 
 		ui.Info("\nConfiguring GitHub repository...")
-		res, err := gh.SetupCanonicalRepo(org, repo, appID, pemFile, siteURL)
-		if err != nil {
-			return fmt.Errorf("GitHub setup failed: %w", err)
+		res, setupErr := gh.SetupCanonicalRepo(client, org, repo, appID, pemFile, siteURL)
+		if setupErr != nil {
+			return fmt.Errorf("GitHub setup failed: %w", setupErr)
 		}
 		res.Print()
 	}
@@ -342,7 +390,7 @@ func initCanonicalAction(cmd *cobra.Command, args []string) error {
 		ui.Info("   - Restrict direct pushes to main")
 		ui.Info("5. Push: git remote add origin <url> && git push -u origin main")
 		ui.Info("")
-		ui.Info("Or re-run with --setup-github to configure automatically via gh CLI.")
+		ui.Info("Or re-run with --setup-github to configure automatically.")
 	}
 
 	ui.Success("\n\u2713 Canonical API repository initialized successfully!")
@@ -460,16 +508,19 @@ func initAppAction(cmd *cobra.Command, args []string) error {
 	ui.Success("\u2713 Generated buf.work.yaml")
 	ui.Success("\u2713 Generated .github/workflows/apx-release.yml")
 
-	// --setup-github: configure GitHub repo settings via gh CLI
+	// --setup-github: configure GitHub repo settings
 	setupGitHub, _ := cmd.Flags().GetBool("setup-github")
 	if setupGitHub {
-		if err := gh.CheckGHAuth(); err != nil {
-			return fmt.Errorf("GitHub setup preflight failed: %w", err)
+		token, tokenErr := githubauth.EnsureToken(org)
+		if tokenErr != nil {
+			return fmt.Errorf("GitHub authentication failed: %w", tokenErr)
 		}
+		client := githubauth.NewClient(token)
+
 		ui.Info("\nConfiguring GitHub repository...")
-		res, err := gh.SetupAppRepo(org, repo)
-		if err != nil {
-			return fmt.Errorf("GitHub setup failed: %w", err)
+		res, setupErr := gh.SetupAppRepo(client, org, repo)
+		if setupErr != nil {
+			return fmt.Errorf("GitHub setup failed: %w", setupErr)
 		}
 		res.Print()
 	}

cmd/apx/commands/release.go

@@ -16,6 +16,7 @@ import (
 	"github.com/infobloxopen/apx/internal/publisher"
 	"github.com/infobloxopen/apx/internal/ui"
 	"github.com/infobloxopen/apx/internal/validator"
+	"github.com/infobloxopen/apx/pkg/githubauth"
 	"github.com/spf13/cobra"
 )
 
@@ -500,28 +501,37 @@ func releaseSubmitAction(cmd *cobra.Command, _ []string) error {
 		return nil
 	}
 
-	// ── Preflight: gh CLI check ──────────────────────────────────────
-	if err := publisher.CheckGHCLI(); err != nil {
+	// ── Auth: ensure GitHub token ────────────────────────────────────
+	org, orgErr := githubauth.DetectOrg()
+	if orgErr != nil {
 		return publisher.NewReleaseError(
 			publisher.ErrCodePRCreationFailed,
-			"GitHub CLI (gh) is required for release submission",
-		).WithHint("Install gh from https://cli.github.com and run: gh auth login")
+			"Cannot detect GitHub org from git remote",
+		).WithHint("Ensure you are in a git repository with a GitHub remote")
 	}
+	token, tokenErr := githubauth.EnsureToken(org)
+	if tokenErr != nil {
+		return publisher.NewReleaseError(
+			publisher.ErrCodePRCreationFailed,
+			fmt.Sprintf("GitHub authentication failed: %v", tokenErr),
+		).WithHint("Run 'apx init canonical --setup-github' to set up GitHub authentication")
+	}
+	ghClient := githubauth.NewClient(token)
 
 	// ── Submit via PR ────────────────────────────────────────────────
 	ui.Info("Submitting release %s @ %s", manifest.APIID, manifest.RequestedVersion)
 
 	// Build CI provenance extra for PR body
 	prBodyExtra := buildCIProvenance()
 
-	resp, err := publisher.SubmitReleaseWithPR(manifest, manifest.SourcePath, prBodyExtra)
+	resp, err := publisher.SubmitReleaseWithPR(ghClient, manifest, manifest.SourcePath, prBodyExtra)
 	if err != nil {
 		manifest.Fail(string(publisher.ErrCodePRCreationFailed), err.Error(), "submit")
 		_ = publisher.WriteManifest(manifest, ".apx-release.yaml")
 		return &publisher.ReleaseError{
 			Code:    publisher.ErrCodePRCreationFailed,
 			Message: fmt.Sprintf("release submission failed: %v", err),
-			Hint:    "Check gh auth status and try 'apx release submit' again",
+			Hint:    "Check authentication and try 'apx release submit' again",
 		}
 	}
 

go.mod

@@ -40,9 +40,10 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/mod v0.33.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
 )

go.sum

@@ -85,6 +85,8 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
@@ -100,8 +102,12 @@ golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
 golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=

internal/catalog/discover.go

@@ -3,8 +3,9 @@ package catalog
 import (
 	"encoding/json"
 	"fmt"
-	"os/exec"
 	"strings"
+
+	"github.com/infobloxopen/apx/pkg/githubauth"
 )
 
 // ghPackage represents a minimal GitHub Package from the Packages API.
@@ -16,27 +17,38 @@ type ghPackage struct {
 // in the given org. It returns a RegistrySource for each package whose name
 // ends with "-catalog".
 //
-// Requires `gh` to be installed and authenticated with read:packages scope.
-// Returns nil (no sources) if gh is not available or no catalogs are found.
+// Uses the githubauth package for authentication. Returns nil (no sources)
+// if authentication is unavailable or no catalogs are found.
 func DiscoverRegistries(org string) []CatalogSource {
 	return discoverRegistries(org, ghRunDiscover)
 }
 
-// ghRunDiscover is the default implementation that calls `gh api`.
+// ghRunDiscover is the default implementation that calls the GitHub API
+// via githubauth.
 var ghRunDiscover = ghRunDiscoverReal
 
 func ghRunDiscoverReal(org string) ([]byte, error) {
-	return exec.Command("gh", "api",
-		fmt.Sprintf("/orgs/%s/packages?package_type=container", org),
-		"--paginate",
-	).Output()
+	token, err := githubauth.EnsureToken(org)
+	if err != nil {
+		return nil, fmt.Errorf("GitHub auth failed: %w", err)
+	}
+
+	client := githubauth.NewClient(token)
+	items, err := client.GetPaginated(fmt.Sprintf("/orgs/%s/packages?package_type=container", org))
+	if err != nil {
+		return nil, err
+	}
+
+	// Re-serialize the items as a JSON array for backward compatibility
+	// with the existing parser below.
+	return json.Marshal(items)
 }
 
 // discoverRegistries is the testable core — accepts a runner function.
 func discoverRegistries(org string, runner func(string) ([]byte, error)) []CatalogSource {
 	output, err := runner(org)
 	if err != nil {
-		return nil // gh not available or API error — silent fallback
+		return nil // auth not available or API error — silent fallback
 	}
 
 	var packages []ghPackage