From f1c3534c41ab7f5b5b4d264a035e2a8d6333e348 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Thu, 8 Jun 2023 17:27:14 +0200
Subject: [PATCH 001/253] Add macOS pkg installer to deployment

---
 .github/workflows/deployment.yml |  14 ++++
 .goreleaser.yml                  |   2 +-
 build/macOS/distribution.xml     |  19 ++++++
 script/pkgmacos                  | 107 +++++++++++++++++++++++++++++++
 4 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 build/macOS/distribution.xml
 create mode 100755 script/pkgmacos

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 3974737aae7..e866eea1163 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -110,6 +110,19 @@ jobs:
         run: |
           shopt -s failglob
           script/sign dist/gh_*_macOS_*.zip
+      - name: Build universal macOS pkg installer
+        if: inputs.environment != 'production'
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+        run: script/pkgmacos "$TAG_NAME"
+      - name: Build & notarize universal macOS pkg installer
+        if: inputs.environment == 'production'
+        env:
+          TAG_NAME: ${{ inputs.tag_name }}
+          APPLE_DEVELOPER_INSTALLER_ID: ${{ vars.APPLE_DEVELOPER_INSTALLER_ID }}
+        run: |
+          shopt -s failglob
+          script/pkgmacos "$TAG_NAME"
       - uses: actions/upload-artifact@v3
         with:
           name: macos
@@ -118,6 +131,7 @@ jobs:
           path: |
             dist/*.tar.gz
             dist/*.zip
+            dist/*.pkg
   
   windows:
     runs-on: windows-latest
diff --git a/.goreleaser.yml b/.goreleaser.yml
index f441156e3fb..7e742429213 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -10,7 +10,7 @@ before:
     - >-
       {{ if eq .Runtime.Goos "windows" }}echo{{ end }} make manpages GH_VERSION={{.Version}}
     - >-
-      {{ if ne .Runtime.Goos "linux" }}echo{{ end }} make completions
+      {{ if ne .Runtime.Goos "windows" }}echo{{ end }} make completions
 
 builds:
   - id: macos #build:macos
diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
new file mode 100644
index 00000000000..35f14d930f0
--- /dev/null
+++ b/build/macOS/distribution.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<installer-gui-script minSpecVersion="1">
+    <title>Github Cli</title>
+    <license file="LICENSE" mime-type="text/plain"/>
+    <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/>
+    <domains enable_localSystem="true"/>
+    
+    <choices-outline>
+        <line choice="gh-cli"/>
+    </choices-outline>
+    <choice id="gh-cli" title="Github Cli (universal)">
+        <pkg-ref id="com.github.cli.pkg"/>
+    </choice>
+
+    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">#com.github.cli.pkg</pkg-ref>
+    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">
+        <bundle-version/>
+    </pkg-ref>
+</installer-gui-script>
diff --git a/script/pkgmacos b/script/pkgmacos
new file mode 100755
index 00000000000..4646f8d5157
--- /dev/null
+++ b/script/pkgmacos
@@ -0,0 +1,107 @@
+#!/bin/zsh
+set -e
+
+print_help() {
+    cat <<EOF
+To build a universal pkg for macOS:
+  script/pkgmacos <tag-name>
+
+To build and sign set APPLE_DEVELOPER_INSTALLER_ID environment variable before.
+For example, if you have a signing identity with the identifier 
+"Developer ID Installer: Your Name (ABC123DEF)" set it in the variable.
+EOF
+}
+
+if [ $# -eq 0 ]; then
+  print_help >&2
+  exit 1
+fi
+
+tag_name=""
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+  -h | --help )
+    print_help
+    exit 0
+    ;;
+  -* )
+    printf "unrecognized flag: %s\n" "$1" >&2
+    exit 1
+    ;;
+  * )
+    tag_name="$1"
+    shift 1
+    ;;
+  esac
+done
+
+# gh-binary paths
+bin_path="/bin/gh"
+arm64_bin="dist/macos_darwin_arm64$bin_path"
+amd64_bin="dist/macos_darwin_amd64_v1$bin_path"
+# payload paths
+payload_root="pkg_payload"
+payload_local_bin="${payload_root}/usr/local/bin"
+payload_zsh_site_functions="${payload_root}/usr/local/share/zsh/site-functions"
+payload_man1="${pkg_payload}/usr/local/share/man/man1"
+
+merge_binaries() {
+    lipo -create -output "${payload_local_bin}/gh" "$arm64_bin" "$amd64_bin"
+}
+
+build_pkg() {
+    # setup payload
+    mkdir -p "${payload_local_bin}"
+    mkdir -p "${payload_man1}"
+    mkdir -p "${payload_zsh_site_functions}"
+
+    # copy man pages
+    for file in "./share/man/man1/gh*.1"; do
+        cp "$file" "${payload_man1}"
+    done
+    # Include only Zsh completions,
+    # the recommended/only option on macOS since Catalina for default shell.
+    cp "./share/zsh/site-functions/_gh" "${payload_zsh_site_functions}"
+
+    # merge binaries
+    merge_binaries
+
+    # build pkg
+    pkgbuild \
+    --root "$payload_root" \
+    --identifier "com.github.cli" \
+    --version "$tag_name" \
+    --install-location "/" \
+    "dist/com.github.cli.pkg"
+
+    # setup resources
+    mkdir "build/macOS/resources"
+    cp "LICENSE" "build/macOS/resources"
+
+    # build distribution
+    if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
+        # build and sign production package with license
+        productbuild \
+        --distribution "./build/macOS/distribution.xml" \
+        --resources "./build/macOS/resources" \
+        --package-path "./dist" \
+        --timestamp \
+        --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
+        "./dist/gh_${tag_name}_macOS_universal.pkg"
+    else
+        echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
+
+        # build production package with license without signing
+        productbuild \
+        --distribution "./build/macOS/distribution.xml" \
+        --resources "./build/macOS/resources" \
+        --package-path "./dist" \
+        "./dist/gh_${tag_name}_macOS_universal.pkg"
+    fi
+
+    # remove temp installer so it does not get uploaded
+    rm "dist/com.github.cli.pkg"
+}
+
+build_pkg

From 775476d30b8b4aa77678841c9877c00b47f2b62b Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Mon, 4 Sep 2023 13:43:39 +0200
Subject: [PATCH 002/253] Fix typo in macOS pkg installer build script

---
 .gitignore      | 2 ++
 script/pkgmacos | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index b1e8e1fa887..b2b66aaf728 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,8 @@
 /.goreleaser.generated.yml
 /script/build
 /script/build.exe
+/pkg_payload
+/build/macOS/resources
 
 # VS Code
 .vscode
diff --git a/script/pkgmacos b/script/pkgmacos
index 4646f8d5157..ba72fef9ece 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -44,7 +44,7 @@ amd64_bin="dist/macos_darwin_amd64_v1$bin_path"
 payload_root="pkg_payload"
 payload_local_bin="${payload_root}/usr/local/bin"
 payload_zsh_site_functions="${payload_root}/usr/local/share/zsh/site-functions"
-payload_man1="${pkg_payload}/usr/local/share/man/man1"
+payload_man1="${payload_root}/usr/local/share/man/man1"
 
 merge_binaries() {
     lipo -create -output "${payload_local_bin}/gh" "$arm64_bin" "$amd64_bin"
@@ -57,7 +57,7 @@ build_pkg() {
     mkdir -p "${payload_zsh_site_functions}"
 
     # copy man pages
-    for file in "./share/man/man1/gh*.1"; do
+    for file in ./share/man/man1/gh*.1; do
         cp "$file" "${payload_man1}"
     done
     # Include only Zsh completions,
@@ -78,6 +78,7 @@ build_pkg() {
     # setup resources
     mkdir "build/macOS/resources"
     cp "LICENSE" "build/macOS/resources"
+    touch .gi
 
     # build distribution
     if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then

From b3c6d39c664d7c9aa2cf6b4f75a3342aebfdb127 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 19:19:57 +0100
Subject: [PATCH 003/253] Upgrade `shurcooL/githubv4`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index e779ae75fc4..db8ab013f03 100644
--- a/go.mod
+++ b/go.mod
@@ -34,7 +34,7 @@ require (
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20201229145248-615b0916ca38
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/rivo/tview v0.0.0-20221029100920-c4a7e501810d
-	github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278
+	github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc
 	github.com/sigstore/protobuf-specs v0.3.1
 	github.com/sigstore/sigstore-go v0.2.1-0.20240222221148-8bd2a8139edc
 	github.com/spf13/cobra v1.8.0
diff --git a/go.sum b/go.sum
index 5cff3f2cf2d..e8e52fa9cd9 100644
--- a/go.sum
+++ b/go.sum
@@ -394,6 +394,8 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278 h1:kdEGVAV4sO46DPtb8k793jiecUEhaX9ixoIBt41HEGU=
 github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8=
+github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc h1:vH0NQbIDk+mJLvBliNGfcQgUmhlniWBDXC79oRxfZA0=
+github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8=
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
 github.com/sigstore/protobuf-specs v0.3.1 h1:9aJQrPq7iRDSLBNg//zsP7tAzxdHnD1sA+1FyCCrkrQ=

From 7de10f0bdf55c679a86a645f31608c6f7e6480c3 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 19:20:20 +0100
Subject: [PATCH 004/253] Add `UpdatePullRequestBranch` method

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 api/queries_pr.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index 36f3c2eef03..f2166ae249f 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -607,6 +607,18 @@ func UpdatePullRequestReviews(client *Client, repo ghrepo.Interface, params gith
 	return err
 }
 
+func UpdatePullRequestBranch(client *Client, repo ghrepo.Interface, params githubv4.UpdatePullRequestBranchInput) error {
+	var mutation struct {
+		UpdatePullRequestBranch struct {
+			PullRequest struct {
+				ID string
+			}
+		} `graphql:"updatePullRequestBranch(input: $input)"`
+	}
+	variables := map[string]interface{}{"input": params}
+	return client.Mutate(repo.RepoHost(), "PullRequestUpdateBranch", &mutation, variables)
+}
+
 func isBlank(v interface{}) bool {
 	switch vv := v.(type) {
 	case string:

From a828e05baa35f03b139e1a254000ededb31e3b9d Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 19:20:44 +0100
Subject: [PATCH 005/253] Add `pr update` command

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go | 120 ++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 pkg/cmd/pr/update/update.go

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
new file mode 100644
index 00000000000..5ce98c88feb
--- /dev/null
+++ b/pkg/cmd/pr/update/update.go
@@ -0,0 +1,120 @@
+package update
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/internal/ghrepo"
+	shared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/shurcooL/githubv4"
+	"github.com/spf13/cobra"
+)
+
+type UpdateOptions struct {
+	HttpClient func() (*http.Client, error)
+	IO         *iostreams.IOStreams
+	GitClient  *git.Client
+
+	Finder shared.PRFinder
+
+	SelectorArg string
+	Rebase      bool
+}
+
+func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Command {
+	opts := &UpdateOptions{
+		IO:         f.IOStreams,
+		HttpClient: f.HttpClient,
+		GitClient:  f.GitClient,
+	}
+
+	cmd := &cobra.Command{
+		Use:   "update [<number> | <url> | <branch>]",
+		Short: "Update a pull request branch",
+		Long: heredoc.Docf(`
+			Update a pull request branch with latest changes of the base branch.
+
+			Without an argument, the pull request that belongs to the current branch is selected.
+
+			The default behavior is to update with a merge commit (i.e., merging the base branch
+			into the the PR's branch). To reconcile the changes with rebasing on top of the base
+			branch, the %[1]s--rebase%[1]s option should be provided.
+		`, "`"),
+		Example: heredoc.Doc(`
+			$ gh pr update 23
+			$ gh pr update 23 --rebase
+		`),
+		Args: cobra.MaximumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			opts.Finder = shared.NewFinder(f)
+
+			if len(args) > 0 {
+				opts.SelectorArg = args[0]
+			}
+
+			if runF != nil {
+				return runF(opts)
+			}
+
+			return updateRun(opts)
+		},
+	}
+
+	cmd.Flags().BoolVar(&opts.Rebase, "rebase", false, "Update PR branch by rebasing on top of latest base branch")
+
+	_ = cmdutil.RegisterBranchCompletionFlags(f.GitClient, cmd, "base")
+
+	return cmd
+}
+
+func updateRun(opts *UpdateOptions) error {
+	findOptions := shared.FindOptions{
+		Selector: opts.SelectorArg,
+		Fields:   []string{"id", "headRefOid"},
+	}
+
+	pr, repo, err := opts.Finder.Find(findOptions)
+	if err != nil {
+		return err
+	}
+
+	httpClient, err := opts.HttpClient()
+	if err != nil {
+		return err
+	}
+	apiClient := api.NewClientFromHTTP(httpClient)
+
+	opts.IO.StartProgressIndicator()
+	err = updatePullRequestBranch(apiClient, repo, pr.ID, pr.HeadRefOid, opts.Rebase)
+	opts.IO.StopProgressIndicator()
+
+	if err != nil {
+		return err
+	}
+
+	cs := opts.IO.ColorScheme()
+	fmt.Fprintf(opts.IO.ErrOut, "%s PR branch updated\n", cs.SuccessIcon())
+	return nil
+}
+
+// updatePullRequestBranch calls the GraphQL API endpoint to update the given PR
+// branch with latest changes of its base.
+func updatePullRequestBranch(apiClient *api.Client, repo ghrepo.Interface, pullRequestID string, expectedHeadOid string, rebase bool) error {
+	updateMethod := githubv4.PullRequestBranchUpdateMethodMerge
+	if rebase {
+		updateMethod = githubv4.PullRequestBranchUpdateMethodRebase
+	}
+
+	params := githubv4.UpdatePullRequestBranchInput{
+		PullRequestID:   pullRequestID,
+		ExpectedHeadOid: (*githubv4.GitObjectID)(&expectedHeadOid),
+		UpdateMethod:    &updateMethod,
+	}
+
+	return api.UpdatePullRequestBranch(apiClient, repo, params)
+}

From a81cf0b89e7729c3a08211b2c75995fca32da508 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 19:20:59 +0100
Subject: [PATCH 006/253] Add tests for `pr update` command

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update_test.go | 229 +++++++++++++++++++++++++++++++
 1 file changed, 229 insertions(+)
 create mode 100644 pkg/cmd/pr/update/update_test.go

diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
new file mode 100644
index 00000000000..be6e192b6ea
--- /dev/null
+++ b/pkg/cmd/pr/update/update_test.go
@@ -0,0 +1,229 @@
+package update
+
+import (
+	"bytes"
+	"net/http"
+	"testing"
+
+	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/internal/ghrepo"
+	shared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/cli/cli/v2/pkg/httpmock"
+	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/google/shlex"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewCmdUpdate(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		output   UpdateOptions
+		wantsErr string
+	}{
+		{
+			name:   "no argument",
+			input:  "",
+			output: UpdateOptions{},
+		},
+		{
+			name:  "with argument",
+			input: "23",
+			output: UpdateOptions{
+				SelectorArg: "23",
+			},
+		},
+		{
+			name:  "no argument, --rebase",
+			input: "--rebase",
+			output: UpdateOptions{
+				Rebase: true,
+			},
+		},
+		{
+			name:  "with argument, --rebase",
+			input: "23 --rebase",
+			output: UpdateOptions{
+				SelectorArg: "23",
+				Rebase:      true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ios, _, _, _ := iostreams.Test()
+			ios.SetStdoutTTY(true)
+			ios.SetStdinTTY(true)
+			ios.SetStderrTTY(true)
+
+			f := &cmdutil.Factory{
+				IOStreams: ios,
+			}
+
+			argv, err := shlex.Split(tt.input)
+			assert.NoError(t, err)
+
+			var gotOpts *UpdateOptions
+			cmd := NewCmdUpdate(f, func(opts *UpdateOptions) error {
+				gotOpts = opts
+				return nil
+			})
+
+			cmd.SetArgs(argv)
+			cmd.SetIn(&bytes.Buffer{})
+			cmd.SetOut(&bytes.Buffer{})
+			cmd.SetErr(&bytes.Buffer{})
+
+			_, err = cmd.ExecuteC()
+			if tt.wantsErr != "" {
+				assert.EqualError(t, err, tt.wantsErr)
+				return
+			}
+
+			assert.NoError(t, err)
+			assert.Equal(t, tt.output.SelectorArg, gotOpts.SelectorArg)
+			assert.Equal(t, tt.output.Rebase, gotOpts.Rebase)
+		})
+	}
+}
+
+func Test_updateRun(t *testing.T) {
+	defaultInput := func() UpdateOptions {
+		return UpdateOptions{
+			Finder: shared.NewMockFinder("123", &api.PullRequest{
+				ID:         "123",
+				HeadRefOid: "head-ref-oid",
+			}, ghrepo.New("OWNER", "REPO")),
+		}
+	}
+
+	tests := []struct {
+		name      string
+		input     *UpdateOptions
+		httpStubs func(*testing.T, *httpmock.Registry)
+		stdout    string
+		stderr    string
+		wantsErr  string
+	}{
+		{
+			name: "success, merge",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
+					httpmock.GraphQLMutation(`{
+						"data": {
+							"updatePullRequestBranch": {
+								"pullRequest": {}
+							}
+						}
+					}`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "123", inputs["pullRequestId"])
+						assert.Equal(t, "head-ref-oid", inputs["expectedHeadOid"])
+						assert.Equal(t, "MERGE", inputs["updateMethod"])
+					}))
+			},
+			stdout: "",
+			stderr: "✓ PR branch updated\n",
+		},
+		{
+			name: "success, rebase",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+				Rebase:      true,
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
+					httpmock.GraphQLMutation(`{
+						"data": {
+							"updatePullRequestBranch": {
+								"pullRequest": {}
+							}
+						}
+					}`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "123", inputs["pullRequestId"])
+						assert.Equal(t, "head-ref-oid", inputs["expectedHeadOid"])
+						assert.Equal(t, "REBASE", inputs["updateMethod"])
+					}))
+			},
+			stdout: "",
+			stderr: "✓ PR branch updated\n",
+		},
+		{
+			name: "failure, pr not found",
+			input: &UpdateOptions{
+				Finder:      shared.NewMockFinder("", nil, nil),
+				SelectorArg: "123",
+			},
+			wantsErr: "no pull requests found",
+		},
+		{
+			name: "failure, API error",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
+					httpmock.GraphQLMutation(`{
+						"data": {},
+						"errors": [
+							{
+								"message": "some error"
+							}
+						]
+					}`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "123", inputs["pullRequestId"])
+						assert.Equal(t, "head-ref-oid", inputs["expectedHeadOid"])
+						assert.Equal(t, "MERGE", inputs["updateMethod"])
+					}))
+			},
+			wantsErr: "GraphQL: some error",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ios, _, stdout, stderr := iostreams.Test()
+			ios.SetStdoutTTY(true)
+			ios.SetStdinTTY(true)
+			ios.SetStderrTTY(true)
+
+			reg := &httpmock.Registry{}
+			defer reg.Verify(t)
+			if tt.httpStubs != nil {
+				tt.httpStubs(t, reg)
+			}
+
+			tt.input.GitClient = &git.Client{
+				GhPath:  "some/path/gh",
+				GitPath: "some/path/git",
+			}
+
+			if tt.input.Finder == nil {
+				tt.input.Finder = defaultInput().Finder
+			}
+
+			httpClient := func() (*http.Client, error) { return &http.Client{Transport: reg}, nil }
+
+			tt.input.IO = ios
+			tt.input.HttpClient = httpClient
+
+			err := updateRun(tt.input)
+
+			if tt.wantsErr != "" {
+				assert.EqualError(t, err, tt.wantsErr)
+				return
+			} else {
+				assert.NoError(t, err)
+			}
+
+			assert.Equal(t, tt.stdout, stdout.String())
+			assert.Equal(t, tt.stderr, stderr.String())
+		})
+	}
+}

From 9230b0c60e469028b7ce58961da08861e040be34 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 19:21:20 +0100
Subject: [PATCH 007/253] Register `update` command

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/pr.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/cmd/pr/pr.go b/pkg/cmd/pr/pr.go
index 401177755cd..aaf15b651a3 100644
--- a/pkg/cmd/pr/pr.go
+++ b/pkg/cmd/pr/pr.go
@@ -16,6 +16,7 @@ import (
 	cmdReopen "github.com/cli/cli/v2/pkg/cmd/pr/reopen"
 	cmdReview "github.com/cli/cli/v2/pkg/cmd/pr/review"
 	cmdStatus "github.com/cli/cli/v2/pkg/cmd/pr/status"
+	cmdUpdate "github.com/cli/cli/v2/pkg/cmd/pr/update"
 	cmdView "github.com/cli/cli/v2/pkg/cmd/pr/view"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/spf13/cobra"
@@ -57,6 +58,7 @@ func NewCmdPR(f *cmdutil.Factory) *cobra.Command {
 		cmdChecks.NewCmdChecks(f, nil),
 		cmdReview.NewCmdReview(f, nil),
 		cmdMerge.NewCmdMerge(f, nil),
+		cmdUpdate.NewCmdUpdate(f, nil),
 		cmdReady.NewCmdReady(f, nil),
 		cmdComment.NewCmdComment(f, nil),
 		cmdClose.NewCmdClose(f, nil),

From 6856d0fcef9ef36f4c4dd7eb318cc71f377c83f9 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 10 Apr 2024 20:40:24 +0100
Subject: [PATCH 008/253] Run `go mod tidy`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 go.sum | 2 --
 1 file changed, 2 deletions(-)

diff --git a/go.sum b/go.sum
index e8e52fa9cd9..8f94faa1853 100644
--- a/go.sum
+++ b/go.sum
@@ -392,8 +392,6 @@ github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
-github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278 h1:kdEGVAV4sO46DPtb8k793jiecUEhaX9ixoIBt41HEGU=
-github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8=
 github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc h1:vH0NQbIDk+mJLvBliNGfcQgUmhlniWBDXC79oRxfZA0=
 github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8=
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=

From f85d0ebaedd0991294959ba99367ad6838a3ec93 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 14 Apr 2024 12:25:01 +0100
Subject: [PATCH 009/253] Require non-empty selector when `--repo` override is
 used

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index 5ce98c88feb..ae78ce2fca5 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -48,11 +48,16 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 		Example: heredoc.Doc(`
 			$ gh pr update 23
 			$ gh pr update 23 --rebase
+			$ gh pr update 23 --repo owner/repo
 		`),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.Finder = shared.NewFinder(f)
 
+			if repoOverride, _ := cmd.Flags().GetString("repo"); repoOverride != "" && len(args) == 0 {
+				return cmdutil.FlagErrorf("argument required when using the --repo flag")
+			}
+
 			if len(args) > 0 {
 				opts.SelectorArg = args[0]
 			}

From 07f954229fedebca1ed95bc7b93eb3d43ea261cd Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 14 Apr 2024 12:25:35 +0100
Subject: [PATCH 010/253] Add test to verify `--repo` requires non-empty
 selector

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update_test.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index be6e192b6ea..3302f8db232 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -50,6 +50,11 @@ func TestNewCmdUpdate(t *testing.T) {
 				Rebase:      true,
 			},
 		},
+		{
+			name:     "no argument, --repo",
+			input:    "--repo owner/repo",
+			wantsErr: "argument required when using the --repo flag",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -62,15 +67,17 @@ func TestNewCmdUpdate(t *testing.T) {
 				IOStreams: ios,
 			}
 
-			argv, err := shlex.Split(tt.input)
-			assert.NoError(t, err)
-
 			var gotOpts *UpdateOptions
 			cmd := NewCmdUpdate(f, func(opts *UpdateOptions) error {
 				gotOpts = opts
 				return nil
 			})
 
+			cmd.PersistentFlags().StringP("repo", "R", "", "")
+
+			argv, err := shlex.Split(tt.input)
+			assert.NoError(t, err)
+
 			cmd.SetArgs(argv)
 			cmd.SetIn(&bytes.Buffer{})
 			cmd.SetOut(&bytes.Buffer{})

From 365ae0d8f9f1bff96bcb3c1073d8aff64ed5b163 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 14 Apr 2024 12:26:40 +0100
Subject: [PATCH 011/253] Run `go mod tidy`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 335b58b914f..db8ab013f03 100644
--- a/go.mod
+++ b/go.mod
@@ -24,6 +24,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.3.0
 	github.com/henvic/httpretty v0.1.3
+	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/joho/godotenv v1.5.1
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 	github.com/mattn/go-colorable v0.1.13
@@ -96,7 +97,6 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/itchyny/gojq v0.12.15 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect

From 4090f0488f44a5aa318300199a69e9e63a127000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kaan=20Uzdo=C4=9Fan?= <kaanuzdogan@hotmail.com>
Date: Mon, 22 Apr 2024 17:52:27 +0200
Subject: [PATCH 012/253] Add --latest=false to `gh release create` docs

---
 pkg/cmd/release/create/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index f575a339a09..4f1835f31df 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -185,7 +185,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().StringVarP(&opts.DiscussionCategory, "discussion-category", "", "", "Start a discussion in the specified category")
 	cmd.Flags().BoolVarP(&opts.GenerateNotes, "generate-notes", "", false, "Automatically generate title and notes for the release")
 	cmd.Flags().StringVar(&opts.NotesStartTag, "notes-start-tag", "", "Tag to use as the starting point for generating release notes")
-	cmdutil.NilBoolFlag(cmd, &opts.IsLatest, "latest", "", "Mark this release as \"Latest\" (default [automatic based on date and version])")
+	cmdutil.NilBoolFlag(cmd, &opts.IsLatest, "latest", "", "Mark this release as \"Latest\" (default [automatic based on date and version]). --latest=false to skip default automatic")
 	cmd.Flags().BoolVarP(&opts.VerifyTag, "verify-tag", "", false, "Abort in case the git tag doesn't already exist in the remote repository")
 	cmd.Flags().BoolVarP(&opts.NotesFromTag, "notes-from-tag", "", false, "Automatically generate notes from annotated tag")
 

From 18d8079d6f83105bb54e46eb4d32e575dcafd3bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kaan=20Uzdo=C4=9Fan?= <kaanuzdogan@hotmail.com>
Date: Mon, 22 Apr 2024 17:59:03 +0200
Subject: [PATCH 013/253] Update create.go

---
 pkg/cmd/release/create/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 4f1835f31df..0b594de810b 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -185,7 +185,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().StringVarP(&opts.DiscussionCategory, "discussion-category", "", "", "Start a discussion in the specified category")
 	cmd.Flags().BoolVarP(&opts.GenerateNotes, "generate-notes", "", false, "Automatically generate title and notes for the release")
 	cmd.Flags().StringVar(&opts.NotesStartTag, "notes-start-tag", "", "Tag to use as the starting point for generating release notes")
-	cmdutil.NilBoolFlag(cmd, &opts.IsLatest, "latest", "", "Mark this release as \"Latest\" (default [automatic based on date and version]). --latest=false to skip default automatic")
+	cmdutil.NilBoolFlag(cmd, &opts.IsLatest, "latest", "", "Mark this release as \"Latest\" (default [automatic based on date and version]). --latest=false to explicitly NOT set as latest")
 	cmd.Flags().BoolVarP(&opts.VerifyTag, "verify-tag", "", false, "Abort in case the git tag doesn't already exist in the remote repository")
 	cmd.Flags().BoolVarP(&opts.NotesFromTag, "notes-from-tag", "", false, "Automatically generate notes from annotated tag")
 

From 5a5b04d1320fcb48a51f1969253e2fa815c6d368 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 1 May 2024 11:14:00 +0200
Subject: [PATCH 014/253] Document relationship between host and active account

---
 pkg/cmd/auth/status/status.go | 10 ++++++----
 pkg/cmd/auth/switch/switch.go |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index c28c3f48e88..21b867eb5e0 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -141,11 +141,13 @@ func NewCmdStatus(f *cmdutil.Factory, runF func(*StatusOptions) error) *cobra.Co
 		Use:   "status",
 		Args:  cobra.ExactArgs(0),
 		Short: "View all accounts and authentication status",
-		Long: heredoc.Doc(`Verifies and displays information about your authentication state.
+		Long: heredoc.Docf(`
+			Displays information about your authentication state on each known GitHub host.
 
-			This command will test your authentication state for each GitHub host that gh knows about and
-			report on any issues.
-		`),
+			For each host, the authentication state of each known account is tested and any issues are included in
+			the output. Each host section will indicate the active account, which will be used when targeting that host.
+			To change the active account for a host, see %[1]sgh auth switch%[1]s.
+		`, "`"),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if runF != nil {
 				return runF(opts)
diff --git a/pkg/cmd/auth/switch/switch.go b/pkg/cmd/auth/switch/switch.go
index d2aa73a9de7..a01017609ea 100644
--- a/pkg/cmd/auth/switch/switch.go
+++ b/pkg/cmd/auth/switch/switch.go
@@ -48,7 +48,7 @@ func NewCmdSwitch(f *cmdutil.Factory, runF func(*SwitchOptions) error) *cobra.Co
 			# Select what host and account to switch to via a prompt
 			$ gh auth switch
 
-			# Switch to a specific host and specific account
+			# Switch the active account on a specific host to a specific user
 			$ gh auth switch --hostname enterprise.internal --user monalisa
 		`),
 		RunE: func(c *cobra.Command, args []string) error {

From cb357785ddb7bebc6e9d72bd5975b2b5ef8407f1 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 1 May 2024 11:54:35 +0200
Subject: [PATCH 015/253] Do not mutate headers when initialising tableprinter

---
 internal/tableprinter/table_printer.go      |  7 ++++---
 internal/tableprinter/table_printer_test.go | 22 +++++++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 internal/tableprinter/table_printer_test.go

diff --git a/internal/tableprinter/table_printer.go b/internal/tableprinter/table_printer.go
index ee1cc07a578..e1454170f71 100644
--- a/internal/tableprinter/table_printer.go
+++ b/internal/tableprinter/table_printer.go
@@ -63,9 +63,10 @@ func NewWithWriter(w io.Writer, isTTY bool, maxWidth int, cs *iostreams.ColorSch
 	}
 
 	if isTTY && len(headers.columns) > 0 {
-		// Make sure all headers are uppercase.
+		// Make sure all headers are uppercase, taking a copy of the headers to avoid modifying the original slice.
+		upperCasedHeaders := make([]string, len(headers.columns))
 		for i := range headers.columns {
-			headers.columns[i] = strings.ToUpper(headers.columns[i])
+			upperCasedHeaders[i] = strings.ToUpper(headers.columns[i])
 		}
 
 		// Make sure all header columns are padded - even the last one. Previously, the last header column
@@ -77,7 +78,7 @@ func NewWithWriter(w io.Writer, isTTY bool, maxWidth int, cs *iostreams.ColorSch
 		}
 
 		tp.AddHeader(
-			headers.columns,
+			upperCasedHeaders,
 			WithPadding(paddingFunc),
 			WithColor(cs.LightGrayUnderline),
 		)
diff --git a/internal/tableprinter/table_printer_test.go b/internal/tableprinter/table_printer_test.go
new file mode 100644
index 00000000000..840c464568b
--- /dev/null
+++ b/internal/tableprinter/table_printer_test.go
@@ -0,0 +1,22 @@
+package tableprinter_test
+
+import (
+	"testing"
+
+	"github.com/cli/cli/v2/internal/tableprinter"
+	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHeadersAreNotMutated(t *testing.T) {
+	// Given a TTY environment so that headers are included in the table
+	ios, _, _, _ := iostreams.Test()
+	ios.SetStdoutTTY(true)
+
+	// When creating a new table printer
+	headers := []string{"one", "two", "three"}
+	_ = tableprinter.New(ios, tableprinter.WithHeader(headers...))
+
+	// The provided headers should not be mutated
+	require.Equal(t, []string{"one", "two", "three"}, headers)
+}

From 4ca098b0c9a7d9d09d9782a22b0bf3487024638f Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 1 May 2024 14:17:08 +0200
Subject: [PATCH 016/253] Adjust short and long to be the same

---
 pkg/cmd/auth/status/status.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index 21b867eb5e0..b6ae21cb68d 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -140,9 +140,9 @@ func NewCmdStatus(f *cmdutil.Factory, runF func(*StatusOptions) error) *cobra.Co
 	cmd := &cobra.Command{
 		Use:   "status",
 		Args:  cobra.ExactArgs(0),
-		Short: "View all accounts and authentication status",
+		Short: "Display active account and authentication state on each known GitHub host",
 		Long: heredoc.Docf(`
-			Displays information about your authentication state on each known GitHub host.
+			Display active account and authentication state on each known GitHub host.
 
 			For each host, the authentication state of each known account is tested and any issues are included in
 			the output. Each host section will indicate the active account, which will be used when targeting that host.

From fea08d194cd5b37879ccdd2b6d0cbdf3162a38a9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 May 2024 15:04:39 +0000
Subject: [PATCH 017/253] build(deps): bump golang.org/x/net from 0.22.0 to
 0.23.0

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index fd6b5ec2226..3e6e52ce627 100644
--- a/go.mod
+++ b/go.mod
@@ -158,7 +158,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/sys v0.19.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
diff --git a/go.sum b/go.sum
index a819d3d9760..6cb70bf60df 100644
--- a/go.sum
+++ b/go.sum
@@ -491,8 +491,8 @@ golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
-golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From 7b2bd95c9ade9918f49f4b02839a9fc4ccaa22a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kaan=20Uzdo=C4=9Fan?= <kaanuzdogan@hotmail.com>
Date: Thu, 2 May 2024 11:08:37 +0200
Subject: [PATCH 018/253] Add --latest=false example to `release create`
 command

---
 pkg/cmd/release/create/create.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 0b594de810b..78eca9422ce 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -115,6 +115,9 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 
 			Use release notes from a file
 			$ gh release create v1.2.3 -F changelog.md
+   
+   			Don't mark the release as latest
+			$ gh release create v1.2.3 --latest=false 
 
 			Upload all tarballs in a directory as release assets
 			$ gh release create v1.2.3 ./dist/*.tgz

From 6f350827d27d7dea21c8f4c8dab5f816d72cf253 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@users.noreply.github.com>
Date: Thu, 2 May 2024 08:07:44 -0600
Subject: [PATCH 019/253] Run `attestation` command set integration tests
 separately (#9035)

* rename and add integration build tag

Signed-off-by: Meredith Lancaster <malancas@github.com>

* run tests that include integration build tag in workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 .github/workflows/go.yml                                      | 4 ++--
 .../{sigstore_test.go => sigstore_integration_test.go}        | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
 rename pkg/cmd/attestation/verification/{sigstore_test.go => sigstore_integration_test.go} (99%)

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 6b0ab10af93..0757b1a12ed 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -24,8 +24,8 @@ jobs:
       - name: Download dependencies
         run: go mod download
 
-      - name: Run tests
-        run: go test -race ./...
+      - name: Run unit and integration tests
+        run: go test -race -tags=integration ./...
 
       - name: Build
         run: go build -v ./cmd/gh
diff --git a/pkg/cmd/attestation/verification/sigstore_test.go b/pkg/cmd/attestation/verification/sigstore_integration_test.go
similarity index 99%
rename from pkg/cmd/attestation/verification/sigstore_test.go
rename to pkg/cmd/attestation/verification/sigstore_integration_test.go
index 92eeb1571d8..aa6dd3e740f 100644
--- a/pkg/cmd/attestation/verification/sigstore_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go
@@ -1,3 +1,5 @@
+//go:build integration
+
 package verification
 
 import (

From 61a698a55ae327ce71fda9f1f49a5cfc0ce5d3f9 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Mon, 6 May 2024 11:27:07 +0200
Subject: [PATCH 020/253] Add support for jobs with long filenames

Co-authored-by: John Basila <john@orca.security>
Co-authored-by: Shay Nehmad <shay.nehmad@orca.security>
---
 pkg/cmd/run/view/fixtures/run_log.zip | Bin 2656 -> 6822 bytes
 pkg/cmd/run/view/view.go              |  78 ++++++++++++++++++++++++--
 pkg/cmd/run/view/view_test.go         |  38 +++++++++++--
 3 files changed, 107 insertions(+), 9 deletions(-)

diff --git a/pkg/cmd/run/view/fixtures/run_log.zip b/pkg/cmd/run/view/fixtures/run_log.zip
index e298df38649fae359e8f6576705b58490b6276e3..2422c3b2496a37b98c164713aee746f65ce150d1 100644
GIT binary patch
literal 6822
zcmdT|2~bm46#XGAL8_z`L_ph*vPgwM&{}ldB3emVOa)WwG6_o%C?*XFiq<VI6rn0A
z6{xgW8e3Yc1GOqrAqpsqPDKz=6c>sjB9;{G2rl%!;7?xUCn;5C<T5`b|4;5c_r81I
zJ0~1Js<9OYEj{Fi5Y?OKFN-i7lSV~Lq9wv;p+G7S2*aa7<0QOSbI)Tz@KDT*@r`#R
zydLCuN5&^uU=-tr6bw@V;;4YpFq#%H9DoxJEHEa|UnE?L2Zk;a;2(;@7}5l(8Y{#}
zg7r-0ypJm?&-yL!Y_5_qx6=K?F^-=ZZFSmZ`fvakf+kNV4`jO%Jm>KOSU&TDLOfng
zamg0TgTXVD*_+?@S%q-Eb@)<#7{4RHpW9){P2#LKN*zgcq1!V(JugzC@oX`b`q2rd
zqa&@vsFmN0d2#o;h9)L=PVh`}X=%CZG{UM`es{B+n^th!spZFr+xvVTq)^Q%rlzi&
zzRoIZ+F8?dAuX+JXYj4{{M>1GXXfmZogDQY<Nd>qZ{|9mfA>oLDHo>edoIP73dR-X
z{XBJl!Nj`bHB-kQ^JY#vaP`7CX8v2b$9{7Rs4r=#zEoCGeYK`!_R@oM>?&^fZ&|{(
zm>%Gp;&m~kkdvpJwQPBCF8$+9LHW<4f?89G8^zy#RM{f1-S}mC@uPR1P5->7$f<tP
z(_b?hDjxj)$&Glvu=48T?F)MtYgSjbO3yQkI}~Ptjn_Iit%)njecU#8yzTBoP74wb
z73LR7g^jz%HawiwwYROxW@{7AX0gOF_R;)BlS-HW^XH6rTZVUEPTnnQyJK|_c7Yk~
zvj^c3^T4{pweRf;&>q-@u+>`AX9l_=Gy;zih4oGf7Gx6n40K<QzDYrym;<MF8YfI%
zSZG`%E{zi4;`sOkbyq{b7+7}_zvIvOy0P8;+?$M4xNkpH@-2W<=vafhn!05^xS=+4
z5HegOiq#-D-z4J0i)3yzL*Z~FN$th~II~CHFnN)pFcox=!zwlO8L_=iNgVebNQNp0
zdXw~1xZA-H<iYd66K4=yJ(22U;QZ*t(Vy|5h)2^mKC&N~WVFq}fyHt5EjPkP%nT|?
zqNjiO$GJK`w{aEhx-)DyhO2vE0GsW`UNDSi>YA4I=?>EzkMea~>UmW@e_Wokelb7{
zQET$C)mKa}*a)js)dbn7i|O^Miirl-S4;yq2ELe9dtfooEz2$)nnQtuIot7ot#&a%
zRWaHI1sDD&%o^!T9A6PFjlw0dp^~WHG0o$yh=3PKPiofZ#b$TW<<daIkp$^q<D<D5
zkHoOIbpc__4&nt#MR5YvNvJ2u_KayUR3?4%_1GgJpN(C-?}GUo#j@CYCGo>j6FPl{
zlx`5?1r3byK>69Rzlh%myp?*~GSQN2$G+lgN6G6tQ))%S><W~LqUe!xgMVAu%v?D8
zUdNZ^_d3TN3-=eNxJb>q+%H}V+s=OWcXDG)ZR62B2XBQfo$UNqcGl!w^jS2AA-7{b
zNMDjjZ?c*H&lkQfg)8i@j4yn<*?3CLmivvT*IF;B9Xk3Byf3Ns8u8BQ%&peRCR1u!
z=PKOF6gR7^tGX0rmEAm=@{9ac;zJpK?#I1zvJNxL8$Dagoc8`*Ued-=z;CyW!OQkN
zQjOq_DU*M^51IqkPqV~mWfQ<tSF$Zdt9=+e@*?+Z5c2K8u3|m&EEaSVKe3+bow&)E
zm1*s{<POAUMzcsd;r$*!0}=IN1#hrzFA%@|0PCD(qL^qrSRj$&9oZS1U)Sp|MN#kE
zjRqtVUL+%-Srjx;93);ixDsXZdRGM{r9{podH3B4R6RgWO3~6lVsZ-Y*Fn?_@Q~JB
zrT)y)>q>B&t45_vOg*`KbMzRzdsl?A?I&T2ji`D?ZNrlv#0@1`-rF;K6wTMVZtPe$
zxo){^mf}+8`$gUC3AViAMZ+62R;?8(C-!8!Z{2<?FnRHoZH$$5Y4^_`5B>GnwKlt(
z^%mEy>z{nSCpBOB`0%<N->td+)mJGI*8^5gKk!7V%uereE|ht!RZgAI72#4_?G_U9
zG)-|cF~vv7opv<tPN<Kn!;GJ@P5KgC4nj)cu0sPICP5i)24EoHJZB*~wIJ%n0eFEt
zk?`WhgUpuTiIHk*10BQp_)jyUk0%BoDZCh57r);5vcV}vR#e>r9aa)rI}5%Jpn6nG
zV4ZTk7bqdv(QO6_cEaSc%z*`JNaT`q0mn}pJF3v2Iwwpni=to}WiWu%{$E<1NCUz}
zl_2~K<s@P4thH3^zl%#vZJ<+B1wwgAm|Rw>ajI(=^oUIqJej5>;<U3S8DsrXm>T$y
zcB29i?j3~5WouBk{U_c8e%Svo5UR|eo+L~z>jr^djk-i*LfNG|xhfN+W(Jg(fdPSm
zP^F}u++0)g<P5|lIhcv$VBt_U4L?H-Mp!$`#!Qo(7Ns^MR)`S9nxXZBnv5{HEJjy|
zmunQ57pfni{vu2+>(mvLTqqb=Hy8`$|4@+-CYJ?(Uv>I4rB*Tfp-+gqLiZ@KgrA|f
zAgrC$1;P#@cByJ8y;4K7+rY%pLlBA$!sN21A%iM$eWcnz-@!Vdj1Vdd!sN22;1@-8
z-wmQp=(o;5X96X$uoRFA6V}e+4a3xwR@HENiLs{PpjUJU(>~tzAzuFnQ6}KStrF5;
h-GRnfYT)bQ0eVO=$Ik>DAsA)_{*+)yvVl7c`xkJFQjY)t

delta 941
zcmZ2x`apywz?+$6a-WdY<Pa7yHIwl2l+p@r21b^zj0_AcA`A=+AbAkY!JxRUBS_#;
zNw&!32`u^?Af+HY`2f4BAWVrQk`j^0pM|ASlraHqnlB<X*_2&L&4xIeYT2z(jDXw3
z(X>BoqLt<HcazyT%vit<ap3rmBF)`#z`}HL0;eO31IV2pc{C=U<&>M8$Y+S(p8;@B
z?BLVqFh%kwE7+ft4Wz^;JMgQZNX0O-Z~;S!f#FJ0O$3+$CD<8c7!p$yvhtJkLqj+j
zm>Ggu(?A#!%-@lN8DYS)uOAaQfd+uE6obs<2h6g{P`!+pddo8sOH#{Hi?}9t2x-ZI
z>`l(k&w*OW%fQarlAi#=;7}425@%$X{6a{P$(>;`x3C%_c!4skpm>&?{6<KYX$w#h
zn(X8WLM)S)ipVi50!<L$5Sx5QgqH;rk&_{YvWhA)mq4ZLMUmnjB3%WPehZe?fkYTY
z_?f68lR5L`KoQ}|HJqxDxB|*dE|64`z0AzOPz(<}pjT$(<R{DpVwhLJ4h{f2SdwM(
zD@ip(q(DqJkWyrBV_}$V&##IsC0sAZj0kQ}kih^ug9MZ*!0^`bGYbPE_E;gYhY@p(
vOvr|z#vQ~kU@S8%X*2=47U~(p$uF5jbZ{BS$_8=*4-oDI+CLGfje!9G31rkf

diff --git a/pkg/cmd/run/view/view.go b/pkg/cmd/run/view/view.go
index 2ffe7f72cf2..e88054ef8e0 100644
--- a/pkg/cmd/run/view/view.go
+++ b/pkg/cmd/run/view/view.go
@@ -15,6 +15,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+	"unicode/utf16"
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
@@ -519,6 +520,8 @@ func promptForJob(prompter shared.Prompter, cs *iostreams.ColorScheme, jobs []sh
 	return nil, nil
 }
 
+const JOB_NAME_MAX_LENGTH = 90
+
 func logFilenameRegexp(job shared.Job, step shared.Step) *regexp.Regexp {
 	// As described in https://github.com/cli/cli/issues/5011#issuecomment-1570713070, there are a number of steps
 	// the server can take when producing the downloaded zip file that can result in a mismatch between the job name
@@ -527,15 +530,82 @@ func logFilenameRegexp(job shared.Job, step shared.Step) *regexp.Regexp {
 	//  * Truncating names that are too long for zip files
 	//  * Adding collision deduplicating numbers for jobs with the same name
 	//
-	// We are hesitant to duplicate all the server logic due to the fragility but while we explore our options, it
-	// is sensible to fix the issue that is unavoidable for users, that when a job uses a composite action, the server
-	// constructs a job name by constructing a job name of `<JOB_NAME`> / <ACTION_NAME>`. This means that logs will
-	// never be found for jobs that use composite actions.
+	// We are hesitant to duplicate all the server logic due to the fragility but it may be unavoidable. Currently, we:
+	// * Strip `/` which occur when composite action job names are constructed of the form `<JOB_NAME`> / <ACTION_NAME>`
+	// * Truncate long job names
+	//
 	sanitizedJobName := strings.ReplaceAll(job.Name, "/", "")
+	sanitizedJobName = truncateAsUTF16(sanitizedJobName, JOB_NAME_MAX_LENGTH)
 	re := fmt.Sprintf(`^%s\/%d_.*\.txt`, regexp.QuoteMeta(sanitizedJobName), step.Number)
 	return regexp.MustCompile(re)
 }
 
+/*
+If you're reading this comment by necessity, I'm sorry and if you're reading it for fun, you're welcome, you weirdo.
+
+What is the length of this string "a😅😅"? If you said 9 you'd be right. If you said 3 or 5 you might also be right!
+
+Here's a summary:
+
+	"a" takes 1 byte (`\x61`)
+	"😅" takes 4 `bytes` (`\xF0\x9F\x98\x85`)
+	"a😅😅" therefore takes 9 `bytes`
+	In Go `len("a😅😅")` is 9 because the `len` builtin counts `bytes`
+	In Go `len([]rune("a😅😅"))` is 3 because each `rune` is 4 `bytes` so each character fits within a `rune`
+	In C# `"a😅😅".Length` is 5 because `.Length` counts `Char` objects, `Chars` hold 2 bytes, and "😅" takes 2 Chars.
+
+But wait, what does C# have to do with anything? Well the server is running C#. Which server? The one that serves log
+files to us in `.zip` format of course! When the server is constructing the zip file to avoid running afoul of a 260
+byte zip file path length limitation, it applies transformations to various strings in order to limit their length.
+In C#, the server truncates strings with this function:
+
+	public static string TruncateAfter(string str, int max)
+	{
+		string result = str.Length > max ? str.Substring(0, max) : str;
+		result = result.Trim();
+		return result;
+	}
+
+This seems like it would be easy enough to replicate in Go but as we already discovered, the length of a string isn't
+as obvious as it might seem. Since C# uses UTF-16 encoding for strings, and Go uses UTF-8 encoding and represents
+characters by runes (which are an alias of int32) we cannot simply slice the string without any further consideration.
+Instead, we need to encode the string as UTF-16 bytes, slice it and then decode it back to UTF-8.
+
+Interestingly, in C# length and substring both act on the Char type so it's possible to slice into the middle of
+a visual, "representable" character. For example we know `"a😅😅".Length` = 5 (1+2+2) and therefore Substring(0,4)
+results in the final character being cleaved in two, resulting in "a😅�". Since our int32 runes are being encoded as
+2 uint16 elements, we also mimic this behaviour by slicing into the UTF-16 encoded string.
+
+Here's a program you can put into a dotnet playground to see how C# works:
+
+	using System;
+	public class Program {
+	  public static void Main() {
+	    string s = "a😅😅";
+	    Console.WriteLine("{0} {1}", s.Length, s);
+	    string t = TruncateAfter(s, 4);
+	    Console.WriteLine("{0} {1}", t.Length, t);
+	  }
+	  public static string TruncateAfter(string str, int max) {
+	    string result = str.Length > max ? str.Substring(0, max) : str;
+	    return result.Trim();
+	  }
+	}
+
+This will output:
+5 a😅😅
+4 a😅�
+*/
+func truncateAsUTF16(str string, max int) string {
+	// Encode the string to UTF-16 to count code units
+	utf16Encoded := utf16.Encode([]rune(str))
+	if len(utf16Encoded) > max {
+		// Decode back to UTF-8 up to the max length
+		str = string(utf16.Decode(utf16Encoded[:max]))
+	}
+	return strings.TrimSpace(str)
+}
+
 // This function takes a zip file of logs and a list of jobs.
 // Structure of zip file
 //
diff --git a/pkg/cmd/run/view/view_test.go b/pkg/cmd/run/view/view_test.go
index 1ac8e49e401..38ae1be44ad 100644
--- a/pkg/cmd/run/view/view_test.go
+++ b/pkg/cmd/run/view/view_test.go
@@ -1376,6 +1376,8 @@ func TestViewRun(t *testing.T) {
 }
 
 // Structure of fixture zip file
+// To see the structure of fixture zip file, run:
+// `❯ unzip -lv pkg/cmd/run/view/fixtures/run_log.zip`
 //
 //	run log/
 //	├── cool job/
@@ -1487,23 +1489,49 @@ func Test_attachRunLog(t *testing.T) {
 			// not the double space in the dir name, as the slash has been removed
 			wantFilename: "cool job  with slash/1_fob the barz.txt",
 		},
+		{
+			name: "Job name with really long name (over the ZIP limit)",
+			job: shared.Job{
+				Name: "thisisnineteenchars_thisisnineteenchars_thisisnineteenchars_thisisnineteenchars_thisisnineteenchars_",
+				Steps: []shared.Step{{
+					Name:   "Long Name Job",
+					Number: 1,
+				}},
+			},
+			wantMatch:    true,
+			wantFilename: "thisisnineteenchars_thisisnineteenchars_thisisnineteenchars_thisisnineteenchars_thisisnine/1_Long Name Job.txt",
+		},
+		{
+			name: "Job name that would be truncated by the C# server to split a grapheme",
+			job: shared.Job{
+				Name: "Emoji Test 😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅",
+				Steps: []shared.Step{{
+					Name:   "Emoji Job",
+					Number: 1,
+				}},
+			},
+			wantMatch:    true,
+			wantFilename: "Emoji Test 😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅😅�/1_Emoji Job.txt",
+		},
 	}
 
-	rlz, err := zip.OpenReader("./fixtures/run_log.zip")
+	run_log_zip_reader, err := zip.OpenReader("./fixtures/run_log.zip")
 	require.NoError(t, err)
-	defer rlz.Close()
+	defer run_log_zip_reader.Close()
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 
-			attachRunLog(&rlz.Reader, []shared.Job{tt.job})
+			attachRunLog(&run_log_zip_reader.Reader, []shared.Job{tt.job})
+
+			t.Logf("Job details: ")
 
 			for _, step := range tt.job.Steps {
 				log := step.Log
 				logPresent := log != nil
-				require.Equal(t, tt.wantMatch, logPresent)
+				require.Equal(t, tt.wantMatch, logPresent, "log not present")
 				if logPresent {
-					require.Equal(t, tt.wantFilename, log.Name)
+					require.Equal(t, tt.wantFilename, log.Name, "Filename mismatch")
 				}
 			}
 		})

From 1f07de7557d062d3cb306d07a39654bc82625784 Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Mon, 6 May 2024 12:04:52 -0400
Subject: [PATCH 021/253] Fix doc bug for gh run watch

---
 pkg/cmd/run/watch/watch.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/run/watch/watch.go b/pkg/cmd/run/watch/watch.go
index 92120dc38b6..c2067bf1933 100644
--- a/pkg/cmd/run/watch/watch.go
+++ b/pkg/cmd/run/watch/watch.go
@@ -56,7 +56,7 @@ func NewCmdWatch(f *cmdutil.Factory, runF func(*WatchOptions) error) *cobra.Comm
 			gh run watch
 
 			# Run some other command when the run is finished
-			gh run watch && notify-send "run is done!"
+			gh run watch && notify-send 'run is done!'
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// support `-R, --repo` override

From 1e88ec55fcc83fb23c9982155c1ad8d591b012f4 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:54:21 +0100
Subject: [PATCH 022/253] Add `FormatSlice` function

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/text/text.go      | 63 ++++++++++++++++++++++++++
 internal/text/text_test.go | 92 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)

diff --git a/internal/text/text.go b/internal/text/text.go
index 9ecfad93b50..c14071c320a 100644
--- a/internal/text/text.go
+++ b/internal/text/text.go
@@ -2,8 +2,10 @@ package text
 
 import (
 	"fmt"
+	"math"
 	"net/url"
 	"regexp"
+	"slices"
 	"strings"
 	"time"
 
@@ -81,3 +83,64 @@ func RemoveDiacritics(value string) string {
 func PadRight(maxWidth int, s string) string {
 	return text.PadRight(maxWidth, s)
 }
+
+// FormatSlice concatenates elements of the given string slice into a
+// well-formatted, possibly multiline, string with specific line length limit.
+// Elements can be optionally surrounded by custom strings (e.g., quotes or
+// brackets). If the lineLength argument is non-positive, no line length limit
+// will be applied.
+func FormatSlice(values []string, lineLength uint, indent uint, prependWith string, appendWith string, sort bool) string {
+	if lineLength <= 0 {
+		lineLength = math.MaxInt
+	}
+
+	sortedValues := values
+	if sort {
+		sortedValues = slices.Clone(values)
+		slices.Sort(sortedValues)
+	}
+
+	pre := strings.Repeat(" ", int(indent))
+	if len(sortedValues) == 0 {
+		return pre
+	} else if len(sortedValues) == 1 {
+		return pre + sortedValues[0]
+	}
+
+	builder := strings.Builder{}
+	currentLineLength := 0
+	sep := ","
+	ws := " "
+
+	for i := 0; i < len(sortedValues); i++ {
+		v := prependWith + sortedValues[i] + appendWith
+		isLast := i == -1+len(sortedValues)
+
+		if currentLineLength == 0 {
+			builder.WriteString(pre)
+			builder.WriteString(v)
+			currentLineLength += len(v)
+			if !isLast {
+				builder.WriteString(sep)
+				currentLineLength += len(sep)
+			}
+		} else {
+			if !isLast && currentLineLength+len(ws)+len(v)+len(sep) > int(lineLength) ||
+				isLast && currentLineLength+len(ws)+len(v) > int(lineLength) {
+				currentLineLength = 0
+				builder.WriteString("\n")
+				i--
+				continue
+			}
+
+			builder.WriteString(ws)
+			builder.WriteString(v)
+			currentLineLength += len(ws) + len(v)
+			if !isLast {
+				builder.WriteString(sep)
+				currentLineLength += len(sep)
+			}
+		}
+	}
+	return builder.String()
+}
diff --git a/internal/text/text_test.go b/internal/text/text_test.go
index 98f16da5d99..6d76d48722d 100644
--- a/internal/text/text_test.go
+++ b/internal/text/text_test.go
@@ -54,3 +54,95 @@ func TestFuzzyAgoAbbr(t *testing.T) {
 		assert.Equal(t, expected, fuzzy)
 	}
 }
+
+func TestFormatSliceDoc(t *testing.T) {
+	tests := []struct {
+		name        string
+		values      []string
+		indent      uint
+		lineLength  uint
+		prependWith string
+		appendWith  string
+		sort        bool
+		wants       string
+	}{
+		{
+			name:       "empty",
+			lineLength: 10,
+			values:     []string{},
+			wants:      "",
+		},
+		{
+			name:       "empty with indent",
+			lineLength: 10,
+			indent:     2,
+			values:     []string{},
+			wants:      "  ",
+		},
+		{
+			name:       "single",
+			lineLength: 10,
+			values:     []string{"foo"},
+			wants:      "foo",
+		},
+		{
+			name:       "single with indent",
+			lineLength: 10,
+			indent:     2,
+			values:     []string{"foo"},
+			wants:      "  foo",
+		},
+		{
+			name:       "long single with indent",
+			lineLength: 10,
+			indent:     2,
+			values:     []string{"some-long-value"},
+			wants:      "  some-long-value",
+		},
+		{
+			name:       "exact line length",
+			lineLength: 4,
+			values:     []string{"a", "b"},
+			wants:      "a, b",
+		},
+		{
+			name:       "values longer than line length",
+			lineLength: 4,
+			values:     []string{"long-value", "long-value"},
+			wants:      "long-value,\nlong-value",
+		},
+		{
+			name:       "zero line length (no wrapping expected)",
+			lineLength: 0,
+			values:     []string{"foo", "bar"},
+			wants:      "foo, bar",
+		},
+		{
+			name:       "simple",
+			lineLength: 10,
+			values:     []string{"foo", "bar", "baz", "foo", "bar", "baz"},
+			wants:      "foo, bar,\nbaz, foo,\nbar, baz",
+		},
+		{
+			name:        "simple, surrounded",
+			lineLength:  13,
+			prependWith: "<",
+			appendWith:  ">",
+			values:      []string{"foo", "bar", "baz", "foo", "bar", "baz"},
+			wants:       "<foo>, <bar>,\n<baz>, <foo>,\n<bar>, <baz>",
+		},
+		{
+			name:       "sort",
+			lineLength: 99,
+			sort:       true,
+			values:     []string{"c", "b", "a"},
+			wants:      "a, b, c",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.wants, FormatSlice(tt.values, tt.lineLength, tt.indent, tt.prependWith, tt.appendWith, tt.sort))
+		})
+	}
+}

From 506378cc21e648f70a8a5f7ab7dd331dc57e8b2f Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:54:59 +0100
Subject: [PATCH 023/253] Add `help:json-fields` annotation

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmdutil/json_flags.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/cmdutil/json_flags.go b/pkg/cmdutil/json_flags.go
index bc3c242fe65..440e0e0b889 100644
--- a/pkg/cmdutil/json_flags.go
+++ b/pkg/cmdutil/json_flags.go
@@ -83,6 +83,15 @@ func AddJSONFlags(cmd *cobra.Command, exportTarget *Exporter, fields []string) {
 		}
 		return e
 	})
+
+	if len(fields) == 0 {
+		return
+	}
+
+	if cmd.Annotations == nil {
+		cmd.Annotations = map[string]string{}
+	}
+	cmd.Annotations["help:json-fields"] = strings.Join(fields, ",")
 }
 
 func checkJSONFlags(cmd *cobra.Command) (*jsonExporter, error) {

From a3ff7791dbcdd8ae464f1d5cd63a50f544fb4a7a Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:55:19 +0100
Subject: [PATCH 024/253] Add tests to verify proper `help:json-fields`
 annotations

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmdutil/json_flags_test.go | 49 ++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/pkg/cmdutil/json_flags_test.go b/pkg/cmdutil/json_flags_test.go
index 16dd879000d..63c63aa00d6 100644
--- a/pkg/cmdutil/json_flags_test.go
+++ b/pkg/cmdutil/json_flags_test.go
@@ -119,6 +119,55 @@ func TestAddJSONFlags(t *testing.T) {
 	}
 }
 
+// TestAddJSONFlagsSetsAnnotations asserts that `AddJSONFlags` function adds the
+// appropriate annotation to the command, which could later be used by doc
+// generator functions.
+func TestAddJSONFlagsSetsAnnotations(t *testing.T) {
+	tests := []struct {
+		name                string
+		cmd                 *cobra.Command
+		jsonFields          []string
+		expectedAnnotations map[string]string
+	}{
+		{
+			name:                "empty set of fields",
+			cmd:                 &cobra.Command{},
+			jsonFields:          []string{},
+			expectedAnnotations: nil,
+		},
+		{
+			name:                "empty set of fields, with existing annotations",
+			cmd:                 &cobra.Command{Annotations: map[string]string{"foo": "bar"}},
+			jsonFields:          []string{},
+			expectedAnnotations: map[string]string{"foo": "bar"},
+		},
+		{
+			name:       "no other annotations",
+			cmd:        &cobra.Command{},
+			jsonFields: []string{"few", "json", "fields"},
+			expectedAnnotations: map[string]string{
+				"help:json-fields": "few,json,fields",
+			},
+		},
+		{
+			name:       "with existing annotations (ensure no overwrite)",
+			cmd:        &cobra.Command{Annotations: map[string]string{"foo": "bar"}},
+			jsonFields: []string{"few", "json", "fields"},
+			expectedAnnotations: map[string]string{
+				"foo":              "bar",
+				"help:json-fields": "few,json,fields",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			AddJSONFlags(tt.cmd, nil, tt.jsonFields)
+			assert.Equal(t, tt.expectedAnnotations, tt.cmd.Annotations)
+		})
+	}
+}
+
 func TestAddFormatFlags(t *testing.T) {
 	tests := []struct {
 		name        string

From 9f9d0415da31582a979b195f7f8920a582788d51 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:55:46 +0100
Subject: [PATCH 025/253] Output `JSON FIELDS`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/root/help.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index 1586445e126..7180a3152e0 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -166,6 +166,10 @@ func rootHelpFunc(f *cmdutil.Factory, command *cobra.Command, args []string) {
 	if inheritedFlagUsages != "" {
 		helpEntries = append(helpEntries, helpEntry{"INHERITED FLAGS", dedent(inheritedFlagUsages)})
 	}
+	if _, ok := command.Annotations["help:json-fields"]; ok {
+		fields := strings.Split(command.Annotations["help:json-fields"], ",")
+		helpEntries = append(helpEntries, helpEntry{"JSON FIELDS", text.FormatSlice(fields, 80, 0, "", "", true)})
+	}
 	if _, ok := command.Annotations["help:arguments"]; ok {
 		helpEntries = append(helpEntries, helpEntry{"ARGUMENTS", command.Annotations["help:arguments"]})
 	}

From 2b304a5e84a09b527f72078eb5a13411513a3037 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:56:37 +0100
Subject: [PATCH 026/253] Output `JSON Fields` section

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/docs/man.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/internal/docs/man.go b/internal/docs/man.go
index 1643fdd9846..41d3371db5d 100644
--- a/internal/docs/man.go
+++ b/internal/docs/man.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/root"
 	"github.com/cpuguy83/go-md2man/v2/md2man"
 	"github.com/spf13/cobra"
@@ -178,6 +179,17 @@ func manPrintOptions(buf *bytes.Buffer, command *cobra.Command) {
 	}
 }
 
+func manPrintJSONFields(buf *bytes.Buffer, command *cobra.Command) {
+	raw, ok := command.Annotations["help:json-fields"]
+	if !ok {
+		return
+	}
+
+	buf.WriteString("# JSON FIELDS\n")
+	buf.WriteString(text.FormatSlice(strings.Split(raw, ","), 0, 0, "`", "`", true))
+	buf.WriteString("\n")
+}
+
 func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 	cmd.InitDefaultHelpCmd()
 	cmd.InitDefaultHelpFlag()
@@ -195,6 +207,7 @@ func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 		}
 	}
 	manPrintOptions(buf, cmd)
+	manPrintJSONFields(buf, cmd)
 	if len(cmd.Example) > 0 {
 		buf.WriteString("# EXAMPLE\n")
 		buf.WriteString(fmt.Sprintf("```\n%s\n```\n", cmd.Example))

From b445adae20c66dd6dddf90c4fa768a0a14f4597b Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:57:12 +0100
Subject: [PATCH 027/253] Add `jsonCmd` test command variable

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/docs/docs_test.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/docs/docs_test.go b/internal/docs/docs_test.go
index ad1b3263194..06e924224e1 100644
--- a/internal/docs/docs_test.go
+++ b/internal/docs/docs_test.go
@@ -26,6 +26,8 @@ func init() {
 	printCmd.Flags().IntP("intthree", "i", 345, "help message for flag intthree")
 	printCmd.Flags().BoolP("boolthree", "b", true, "help message for flag boolthree")
 
+	jsonCmd.Flags().StringSlice("json", nil, "help message for flag json")
+
 	echoCmd.AddCommand(timesCmd, echoSubCmd, deprecatedCmd)
 	rootCmd.AddCommand(printCmd, echoCmd, dummyCmd)
 }
@@ -73,6 +75,14 @@ var printCmd = &cobra.Command{
 	Long:  `an absolutely utterly useless command for testing.`,
 }
 
+var jsonCmd = &cobra.Command{
+	Use:   "blah --json <fields>",
+	Short: "View details in JSON",
+	Annotations: map[string]string{
+		"help:json-fields": "foo,bar,baz",
+	},
+}
+
 var dummyCmd = &cobra.Command{
 	Use:   "dummy [action]",
 	Short: "Performs a dummy action",

From 5b99a4a2ece135a97e73f2dc7648932cc862b53f Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 17:57:50 +0100
Subject: [PATCH 028/253] Add test to verify JSON fields section is rendered

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/docs/man_test.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/internal/docs/man_test.go b/internal/docs/man_test.go
index fb595d17ddd..287f356ed7e 100644
--- a/internal/docs/man_test.go
+++ b/internal/docs/man_test.go
@@ -98,6 +98,22 @@ func TestGenManSeeAlso(t *testing.T) {
 	}
 }
 
+func TestGenManJSONFields(t *testing.T) {
+	buf := new(bytes.Buffer)
+	header := &GenManHeader{}
+	if err := renderMan(jsonCmd, header, buf); err != nil {
+		t.Fatal(err)
+	}
+
+	output := buf.String()
+
+	checkStringContains(t, output, translate(jsonCmd.Name()))
+	checkStringContains(t, output, "JSON FIELDS")
+	checkStringContains(t, output, "foo")
+	checkStringContains(t, output, "bar")
+	checkStringContains(t, output, "baz")
+}
+
 func TestManPrintFlagsHidesShortDeprecated(t *testing.T) {
 	c := &cobra.Command{}
 	c.Flags().StringP("foo", "f", "default", "Foo flag")

From ad71f8cf9f62ddd095728d64dccfabacfc3bf4b4 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 18:00:54 +0100
Subject: [PATCH 029/253] Output `JSON Fields` section in Markdown

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/docs/markdown.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/internal/docs/markdown.go b/internal/docs/markdown.go
index 8a193d0b6bb..19899110d8a 100644
--- a/internal/docs/markdown.go
+++ b/internal/docs/markdown.go
@@ -8,12 +8,24 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/root"
 	"github.com/spf13/cobra"
 	"github.com/spf13/cobra/doc"
 	"github.com/spf13/pflag"
 )
 
+func printJSONFields(w io.Writer, cmd *cobra.Command) {
+	raw, ok := cmd.Annotations["help:json-fields"]
+	if !ok {
+		return
+	}
+
+	fmt.Fprint(w, "### JSON Fields\n\n")
+	fmt.Fprint(w, text.FormatSlice(strings.Split(raw, ","), 0, 0, "`", "`", true))
+	fmt.Fprint(w, "\n\n")
+}
+
 func printOptions(w io.Writer, cmd *cobra.Command) error {
 	flags := cmd.NonInheritedFlags()
 	flags.SetOutput(w)
@@ -135,6 +147,7 @@ func genMarkdownCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string)
 	if err := printOptions(w, cmd); err != nil {
 		return err
 	}
+	printJSONFields(w, cmd)
 	fmt.Fprint(w, "{% endraw %}\n")
 
 	if len(cmd.Example) > 0 {

From 05a87b966452e858087809e67805d4194097ce2e Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 18:01:12 +0100
Subject: [PATCH 030/253] Add test to verify JSON fields section is rendered in
 Markdown

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/docs/markdown_test.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/internal/docs/markdown_test.go b/internal/docs/markdown_test.go
index 0bf65ddf3cc..0710cad716d 100644
--- a/internal/docs/markdown_test.go
+++ b/internal/docs/markdown_test.go
@@ -70,6 +70,21 @@ func TestGenMdNoHiddenParents(t *testing.T) {
 	checkStringOmits(t, output, "Options inherited from parent commands")
 }
 
+func TestGenMdJSONFields(t *testing.T) {
+	buf := new(bytes.Buffer)
+	if err := genMarkdownCustom(jsonCmd, buf, nil); err != nil {
+		t.Fatal(err)
+	}
+	output := buf.String()
+
+	checkStringContains(t, output, jsonCmd.Long)
+	checkStringContains(t, output, jsonCmd.Example)
+	checkStringContains(t, output, "JSON Fields")
+	checkStringContains(t, output, "`foo`")
+	checkStringContains(t, output, "`bar`")
+	checkStringContains(t, output, "`baz`")
+}
+
 func TestGenMdTree(t *testing.T) {
 	c := &cobra.Command{Use: "do [OPTIONS] arg1 arg2"}
 	tmpdir, err := os.MkdirTemp("", "test-gen-md-tree")

From 4ac966f030c7c33f87f0899b5c8809a912c2d45a Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 18:35:54 +0100
Subject: [PATCH 031/253] Fix test function name

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 internal/text/text_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/text/text_test.go b/internal/text/text_test.go
index 6d76d48722d..46566bbf895 100644
--- a/internal/text/text_test.go
+++ b/internal/text/text_test.go
@@ -55,7 +55,7 @@ func TestFuzzyAgoAbbr(t *testing.T) {
 	}
 }
 
-func TestFormatSliceDoc(t *testing.T) {
+func TestFormatSlice(t *testing.T) {
 	tests := []struct {
 		name        string
 		values      []string

From acef17d6cb6653b31d75edb0e55b35fb9745939f Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 23:57:20 +0100
Subject: [PATCH 032/253] Add `ComparePullRequestBaseBranchWith` function

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 api/queries_pr.go | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index f2166ae249f..a78d1f4e045 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -708,3 +708,44 @@ func BranchDeleteRemote(client *Client, repo ghrepo.Interface, branch string) er
 	path := fmt.Sprintf("repos/%s/%s/git/refs/heads/%s", repo.RepoOwner(), repo.RepoName(), url.PathEscape(branch))
 	return client.REST(repo.RepoHost(), "DELETE", path, nil, nil)
 }
+
+type RefComparison struct {
+	AheadBy  int
+	BehindBy int
+	Status   string
+}
+
+func ComparePullRequestBaseBranchWith(client *Client, repo ghrepo.Interface, prNumber int, headRef string) (*RefComparison, error) {
+	query := `query ComparePullRequestBaseBranchWith($owner: String!, $repo: String!, $pr_number: Int!, $head_ref: String!) {
+		repository(owner: $owner, name: $repo) {
+			pullRequest(number: $pr_number) {
+				baseRef {
+					compare (headRef: $head_ref) {
+						aheadBy, behindBy, status
+					}
+				}
+			}
+		}
+	}`
+
+	var result struct {
+		Repository struct {
+			PullRequest struct {
+				BaseRef struct {
+					Compare RefComparison
+				}
+			}
+		}
+	}
+	variables := map[string]interface{}{
+		"owner":     repo.RepoOwner(),
+		"repo":      repo.RepoName(),
+		"pr_number": prNumber,
+		"head_ref":  headRef,
+	}
+
+	if err := client.GraphQL(repo.RepoHost(), query, variables, &result); err != nil {
+		return nil, err
+	}
+	return &result.Repository.PullRequest.BaseRef.Compare, nil
+}

From 81df8638cbeac2c663d6b5dfb05b30ac8e243055 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 6 May 2024 23:57:53 +0100
Subject: [PATCH 033/253] Check if PR branch is already up-to-date

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index ae78ce2fca5..2d84a7ac1d5 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -80,7 +80,7 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 func updateRun(opts *UpdateOptions) error {
 	findOptions := shared.FindOptions{
 		Selector: opts.SelectorArg,
-		Fields:   []string{"id", "headRefOid"},
+		Fields:   []string{"id", "number", "headRefName", "headRefOid", "headRepositoryOwner"},
 	}
 
 	pr, repo, err := opts.Finder.Find(findOptions)
@@ -94,15 +94,34 @@ func updateRun(opts *UpdateOptions) error {
 	}
 	apiClient := api.NewClientFromHTTP(httpClient)
 
+	headRef := pr.HeadRefName
+	if pr.HeadRepositoryOwner.Login != repo.RepoOwner() {
+		// Only prepend the `owner:` to comparison head ref if the PR head
+		// branch is on another repo (e.g., a fork).
+		headRef = pr.HeadRepositoryOwner.Login + ":" + headRef
+	}
+
 	opts.IO.StartProgressIndicator()
-	err = updatePullRequestBranch(apiClient, repo, pr.ID, pr.HeadRefOid, opts.Rebase)
+	comparison, err := api.ComparePullRequestBaseBranchWith(apiClient, repo, pr.Number, headRef)
 	opts.IO.StopProgressIndicator()
-
 	if err != nil {
 		return err
 	}
 
 	cs := opts.IO.ColorScheme()
+	if comparison.BehindBy == 0 {
+		// The PR branch is not behind the base branch, so it'a already up-to-date.
+		fmt.Fprintf(opts.IO.ErrOut, "%s PR branch already up-to-date\n", cs.SuccessIcon())
+		return nil
+	}
+
+	opts.IO.StartProgressIndicator()
+	err = updatePullRequestBranch(apiClient, repo, pr.ID, pr.HeadRefOid, opts.Rebase)
+	opts.IO.StopProgressIndicator()
+	if err != nil {
+		return err
+	}
+
 	fmt.Fprintf(opts.IO.ErrOut, "%s PR branch updated\n", cs.SuccessIcon())
 	return nil
 }

From cec2ced42f81a3bb15f0c60c208763edf81a106a Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 7 May 2024 00:19:30 +0100
Subject: [PATCH 034/253] Improve query variable names

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 api/queries_pr.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index a78d1f4e045..ff8dc3cc8eb 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -716,11 +716,11 @@ type RefComparison struct {
 }
 
 func ComparePullRequestBaseBranchWith(client *Client, repo ghrepo.Interface, prNumber int, headRef string) (*RefComparison, error) {
-	query := `query ComparePullRequestBaseBranchWith($owner: String!, $repo: String!, $pr_number: Int!, $head_ref: String!) {
+	query := `query ComparePullRequestBaseBranchWith($owner: String!, $repo: String!, $pr_number: Int!, $headRef: String!) {
 		repository(owner: $owner, name: $repo) {
-			pullRequest(number: $pr_number) {
+			pullRequest(number: $pullRequestNumber) {
 				baseRef {
-					compare (headRef: $head_ref) {
+					compare (headRef: $headRef) {
 						aheadBy, behindBy, status
 					}
 				}
@@ -738,10 +738,10 @@ func ComparePullRequestBaseBranchWith(client *Client, repo ghrepo.Interface, prN
 		}
 	}
 	variables := map[string]interface{}{
-		"owner":     repo.RepoOwner(),
-		"repo":      repo.RepoName(),
-		"pr_number": prNumber,
-		"head_ref":  headRef,
+		"owner":             repo.RepoOwner(),
+		"repo":              repo.RepoName(),
+		"pullRequestNumber": prNumber,
+		"headRef":           headRef,
 	}
 
 	if err := client.GraphQL(repo.RepoHost(), query, variables, &result); err != nil {

From 119e58c0914098a2ee0da5955ec7392003ff6f8b Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 7 May 2024 00:19:54 +0100
Subject: [PATCH 035/253] Update tests to account for ref comparison step

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update_test.go | 164 +++++++++++++++++++++++++++++--
 1 file changed, 158 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index 3302f8db232..e55391aeb56 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -100,8 +100,11 @@ func Test_updateRun(t *testing.T) {
 	defaultInput := func() UpdateOptions {
 		return UpdateOptions{
 			Finder: shared.NewMockFinder("123", &api.PullRequest{
-				ID:         "123",
-				HeadRefOid: "head-ref-oid",
+				ID:                  "123",
+				Number:              123,
+				HeadRefOid:          "head-ref-oid",
+				HeadRefName:         "head-ref-name",
+				HeadRepositoryOwner: api.Owner{Login: "head-repository-owner"},
 			}, ghrepo.New("OWNER", "REPO")),
 		}
 	}
@@ -114,12 +117,107 @@ func Test_updateRun(t *testing.T) {
 		stderr    string
 		wantsErr  string
 	}{
+		{
+			name: "failure, pr not found",
+			input: &UpdateOptions{
+				Finder:      shared.NewMockFinder("", nil, nil),
+				SelectorArg: "123",
+			},
+			wantsErr: "no pull requests found",
+		},
+		{
+			name: "success, already up-to-date",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 999,
+											"behindBy": 0,
+											"Status": "AHEAD"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
+			},
+			stdout: "",
+			stderr: "✓ PR branch already up-to-date\n",
+		},
+		{
+			name: "success, already up-to-date, PR branch on the same repo as base",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+				Finder: shared.NewMockFinder("123", &api.PullRequest{
+					ID:                  "123",
+					Number:              123,
+					HeadRefOid:          "head-ref-oid",
+					HeadRefName:         "head-ref-name",
+					HeadRepositoryOwner: api.Owner{Login: "OWNER"},
+				}, ghrepo.New("OWNER", "REPO")),
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 999,
+											"behindBy": 0,
+											"Status": "AHEAD"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-ref-name", inputs["headRef"])
+					}))
+			},
+			stdout: "",
+			stderr: "✓ PR branch already up-to-date\n",
+		},
 		{
 			name: "success, merge",
 			input: &UpdateOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 0,
+											"behindBy": 999,
+											"Status": "BEHIND"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
 				reg.Register(
 					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
 					httpmock.GraphQLMutation(`{
@@ -144,6 +242,26 @@ func Test_updateRun(t *testing.T) {
 				Rebase:      true,
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 0,
+											"behindBy": 999,
+											"Status": "BEHIND"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
 				reg.Register(
 					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
 					httpmock.GraphQLMutation(`{
@@ -162,19 +280,53 @@ func Test_updateRun(t *testing.T) {
 			stderr: "✓ PR branch updated\n",
 		},
 		{
-			name: "failure, pr not found",
+			name: "failure, API error on ref comparison request",
 			input: &UpdateOptions{
-				Finder:      shared.NewMockFinder("", nil, nil),
 				SelectorArg: "123",
 			},
-			wantsErr: "no pull requests found",
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {},
+						"errors": [
+							{
+								"message": "some error"
+							}
+						]
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
+			},
+			wantsErr: "GraphQL: some error",
 		},
 		{
-			name: "failure, API error",
+			name: "failure, API error on update request",
 			input: &UpdateOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 0,
+											"behindBy": 999,
+											"Status": "BEHIND"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
 				reg.Register(
 					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
 					httpmock.GraphQLMutation(`{

From 5007c18f5f4c6902249f373cdd2a7ffccfbc0a63 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 7 May 2024 17:35:00 +0200
Subject: [PATCH 036/253] Fix unused params across project

---
 internal/codespaces/api/api_test.go    |  6 +--
 pkg/cmd/auth/setupgit/setupgit_test.go |  2 +-
 pkg/cmd/auth/token/token_test.go       |  2 +-
 pkg/cmd/issue/lock/lock.go             | 12 +++---
 pkg/cmd/pr/edit/edit_test.go           | 58 +++++++++++++-------------
 pkg/cmd/pr/review/review.go            | 10 ++---
 pkg/cmd/pr/review/review_test.go       | 13 +++---
 pkg/cmd/pr/status/http.go              |  4 +-
 8 files changed, 51 insertions(+), 56 deletions(-)

diff --git a/internal/codespaces/api/api_test.go b/internal/codespaces/api/api_test.go
index 65852cc7914..72265719793 100644
--- a/internal/codespaces/api/api_test.go
+++ b/internal/codespaces/api/api_test.go
@@ -565,7 +565,7 @@ func TestRetries(t *testing.T) {
 		t.Fatalf("expected codespace name to be %q but got %q", csName, cs.Name)
 	}
 	callCount = 0
-	handler = func(w http.ResponseWriter, r *http.Request) {
+	handler = func(w http.ResponseWriter, _ *http.Request) {
 		callCount++
 		err := json.NewEncoder(w).Encode(Codespace{
 			Name: csName,
@@ -755,7 +755,7 @@ func TestAPI_EditCodespace(t *testing.T) {
 	}
 }
 
-func createFakeEditPendingOpServer(t *testing.T) *httptest.Server {
+func createFakeEditPendingOpServer() *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method == http.MethodPatch {
 			w.WriteHeader(http.StatusUnprocessableEntity)
@@ -776,7 +776,7 @@ func createFakeEditPendingOpServer(t *testing.T) *httptest.Server {
 }
 
 func TestAPI_EditCodespacePendingOperation(t *testing.T) {
-	svr := createFakeEditPendingOpServer(t)
+	svr := createFakeEditPendingOpServer()
 	defer svr.Close()
 
 	a := &API{
diff --git a/pkg/cmd/auth/setupgit/setupgit_test.go b/pkg/cmd/auth/setupgit/setupgit_test.go
index 01da33543ea..c1982f5531d 100644
--- a/pkg/cmd/auth/setupgit/setupgit_test.go
+++ b/pkg/cmd/auth/setupgit/setupgit_test.go
@@ -203,6 +203,6 @@ func Test_setupGitRun(t *testing.T) {
 
 func login(t *testing.T, c config.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
 	t.Helper()
-	_, err := c.Authentication().Login(hostname, username, token, "https", secureStorage)
+	_, err := c.Authentication().Login(hostname, username, token, gitProtocol, secureStorage)
 	require.NoError(t, err)
 }
diff --git a/pkg/cmd/auth/token/token_test.go b/pkg/cmd/auth/token/token_test.go
index 6e9e246af59..995653fd148 100644
--- a/pkg/cmd/auth/token/token_test.go
+++ b/pkg/cmd/auth/token/token_test.go
@@ -274,6 +274,6 @@ func TestTokenRunSecureStorage(t *testing.T) {
 
 func login(t *testing.T, c config.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
 	t.Helper()
-	_, err := c.Authentication().Login(hostname, username, token, "https", secureStorage)
+	_, err := c.Authentication().Login(hostname, username, token, gitProtocol, secureStorage)
 	require.NoError(t, err)
 }
diff --git a/pkg/cmd/issue/lock/lock.go b/pkg/cmd/issue/lock/lock.go
index 2cfe3880d2f..d330407989f 100644
--- a/pkg/cmd/issue/lock/lock.go
+++ b/pkg/cmd/issue/lock/lock.go
@@ -103,7 +103,7 @@ type LockOptions struct {
 	Interactive bool
 }
 
-func (opts *LockOptions) setCommonOptions(f *cmdutil.Factory, cmd *cobra.Command, args []string) {
+func (opts *LockOptions) setCommonOptions(f *cmdutil.Factory, args []string) {
 	opts.IO = f.IOStreams
 	opts.HttpClient = f.HttpClient
 	opts.Config = f.Config
@@ -129,7 +129,7 @@ func NewCmdLock(f *cmdutil.Factory, parentName string, runF func(string, *LockOp
 		Short: short,
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.setCommonOptions(f, cmd, args)
+			opts.setCommonOptions(f, args)
 
 			reasonProvided := cmd.Flags().Changed("reason")
 			if reasonProvided {
@@ -172,7 +172,7 @@ func NewCmdUnlock(f *cmdutil.Factory, parentName string, runF func(string, *Lock
 		Short: short,
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.setCommonOptions(f, cmd, args)
+			opts.setCommonOptions(f, args)
 
 			if runF != nil {
 				return runF(Unlock, opts)
@@ -261,7 +261,7 @@ func lockRun(state string, opts *LockOptions) error {
 
 	case Unlock:
 		if issuePr.Locked {
-			err = unlockLockable(httpClient, baseRepo, issuePr, opts)
+			err = unlockLockable(httpClient, baseRepo, issuePr)
 		} else {
 			successMsg = fmt.Sprintf("%s %s#%d already unlocked.  Nothing changed.\n",
 				parent.FullName, ghrepo.FullName(baseRepo), issuePr.Number)
@@ -303,7 +303,7 @@ func lockLockable(httpClient *http.Client, repo ghrepo.Interface, lockable *api.
 }
 
 // unlockLockable will unlock an issue or pull request
-func unlockLockable(httpClient *http.Client, repo ghrepo.Interface, lockable *api.Issue, opts *LockOptions) error {
+func unlockLockable(httpClient *http.Client, repo ghrepo.Interface, lockable *api.Issue) error {
 
 	var mutation struct {
 		UnlockLockable struct {
@@ -344,7 +344,7 @@ func relockLockable(httpClient *http.Client, repo ghrepo.Interface, lockable *ap
 		return relocked, nil
 	}
 
-	err = unlockLockable(httpClient, repo, lockable, opts)
+	err = unlockLockable(httpClient, repo, lockable)
 	if err != nil {
 		return relocked, err
 	}
diff --git a/pkg/cmd/pr/edit/edit_test.go b/pkg/cmd/pr/edit/edit_test.go
index 1f422f9a87a..0986797eacb 100644
--- a/pkg/cmd/pr/edit/edit_test.go
+++ b/pkg/cmd/pr/edit/edit_test.go
@@ -305,7 +305,7 @@ func Test_editRun(t *testing.T) {
 	tests := []struct {
 		name      string
 		input     *EditOptions
-		httpStubs func(*testing.T, *httpmock.Registry)
+		httpStubs func(*httpmock.Registry)
 		stdout    string
 		stderr    string
 	}{
@@ -359,12 +359,12 @@ func Test_editRun(t *testing.T) {
 				},
 				Fetcher: testFetcher{},
 			},
-			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
-				mockRepoMetadata(t, reg, false)
-				mockPullRequestUpdate(t, reg)
-				mockPullRequestReviewersUpdate(t, reg)
-				mockPullRequestUpdateLabels(t, reg)
-				mockProjectV2ItemUpdate(t, reg)
+			httpStubs: func(reg *httpmock.Registry) {
+				mockRepoMetadata(reg, false)
+				mockPullRequestUpdate(reg)
+				mockPullRequestReviewersUpdate(reg)
+				mockPullRequestUpdateLabels(reg)
+				mockProjectV2ItemUpdate(reg)
 			},
 			stdout: "https://github.com/OWNER/REPO/pull/123\n",
 		},
@@ -413,11 +413,11 @@ func Test_editRun(t *testing.T) {
 				},
 				Fetcher: testFetcher{},
 			},
-			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
-				mockRepoMetadata(t, reg, true)
-				mockPullRequestUpdate(t, reg)
-				mockPullRequestUpdateLabels(t, reg)
-				mockProjectV2ItemUpdate(t, reg)
+			httpStubs: func(reg *httpmock.Registry) {
+				mockRepoMetadata(reg, true)
+				mockPullRequestUpdate(reg)
+				mockPullRequestUpdateLabels(reg)
+				mockProjectV2ItemUpdate(reg)
 			},
 			stdout: "https://github.com/OWNER/REPO/pull/123\n",
 		},
@@ -433,12 +433,12 @@ func Test_editRun(t *testing.T) {
 				Fetcher:         testFetcher{},
 				EditorRetriever: testEditorRetriever{},
 			},
-			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
-				mockRepoMetadata(t, reg, false)
-				mockPullRequestUpdate(t, reg)
-				mockPullRequestReviewersUpdate(t, reg)
-				mockPullRequestUpdateLabels(t, reg)
-				mockProjectV2ItemUpdate(t, reg)
+			httpStubs: func(reg *httpmock.Registry) {
+				mockRepoMetadata(reg, false)
+				mockPullRequestUpdate(reg)
+				mockPullRequestReviewersUpdate(reg)
+				mockPullRequestUpdateLabels(reg)
+				mockProjectV2ItemUpdate(reg)
 			},
 			stdout: "https://github.com/OWNER/REPO/pull/123\n",
 		},
@@ -454,11 +454,11 @@ func Test_editRun(t *testing.T) {
 				Fetcher:         testFetcher{},
 				EditorRetriever: testEditorRetriever{},
 			},
-			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
-				mockRepoMetadata(t, reg, true)
-				mockPullRequestUpdate(t, reg)
-				mockPullRequestUpdateLabels(t, reg)
-				mockProjectV2ItemUpdate(t, reg)
+			httpStubs: func(reg *httpmock.Registry) {
+				mockRepoMetadata(reg, true)
+				mockPullRequestUpdate(reg)
+				mockPullRequestUpdateLabels(reg)
+				mockProjectV2ItemUpdate(reg)
 			},
 			stdout: "https://github.com/OWNER/REPO/pull/123\n",
 		},
@@ -472,7 +472,7 @@ func Test_editRun(t *testing.T) {
 
 			reg := &httpmock.Registry{}
 			defer reg.Verify(t)
-			tt.httpStubs(t, reg)
+			tt.httpStubs(reg)
 
 			httpClient := func() (*http.Client, error) { return &http.Client{Transport: reg}, nil }
 
@@ -487,7 +487,7 @@ func Test_editRun(t *testing.T) {
 	}
 }
 
-func mockRepoMetadata(_ *testing.T, reg *httpmock.Registry, skipReviewers bool) {
+func mockRepoMetadata(reg *httpmock.Registry, skipReviewers bool) {
 	reg.Register(
 		httpmock.GraphQL(`query RepositoryAssignableUsers\b`),
 		httpmock.StringResponse(`
@@ -595,19 +595,19 @@ func mockRepoMetadata(_ *testing.T, reg *httpmock.Registry, skipReviewers bool)
 	}
 }
 
-func mockPullRequestUpdate(t *testing.T, reg *httpmock.Registry) {
+func mockPullRequestUpdate(reg *httpmock.Registry) {
 	reg.Register(
 		httpmock.GraphQL(`mutation PullRequestUpdate\b`),
 		httpmock.StringResponse(`{}`))
 }
 
-func mockPullRequestReviewersUpdate(t *testing.T, reg *httpmock.Registry) {
+func mockPullRequestReviewersUpdate(reg *httpmock.Registry) {
 	reg.Register(
 		httpmock.GraphQL(`mutation PullRequestUpdateRequestReviews\b`),
 		httpmock.StringResponse(`{}`))
 }
 
-func mockPullRequestUpdateLabels(t *testing.T, reg *httpmock.Registry) {
+func mockPullRequestUpdateLabels(reg *httpmock.Registry) {
 	reg.Register(
 		httpmock.GraphQL(`mutation LabelAdd\b`),
 		httpmock.GraphQLMutation(`
@@ -622,7 +622,7 @@ func mockPullRequestUpdateLabels(t *testing.T, reg *httpmock.Registry) {
 	)
 }
 
-func mockProjectV2ItemUpdate(t *testing.T, reg *httpmock.Registry) {
+func mockProjectV2ItemUpdate(reg *httpmock.Registry) {
 	reg.Register(
 		httpmock.GraphQL(`mutation UpdateProjectV2Items\b`),
 		httpmock.GraphQLMutation(`
diff --git a/pkg/cmd/pr/review/review.go b/pkg/cmd/pr/review/review.go
index 3420d999aa2..b1cc500c244 100644
--- a/pkg/cmd/pr/review/review.go
+++ b/pkg/cmd/pr/review/review.go
@@ -157,15 +157,11 @@ func reviewRun(opts *ReviewOptions) error {
 
 	var reviewData *api.PullRequestReviewInput
 	if opts.InteractiveMode {
-		editorCommand, err := cmdutil.DetermineEditor(opts.Config)
+		reviewData, err = reviewSurvey(opts)
 		if err != nil {
 			return err
 		}
-		reviewData, err = reviewSurvey(opts, editorCommand)
-		if err != nil {
-			return err
-		}
-		if reviewData == nil && err == nil {
+		if reviewData == nil {
 			fmt.Fprint(opts.IO.ErrOut, "Discarding.\n")
 			return nil
 		}
@@ -205,7 +201,7 @@ func reviewRun(opts *ReviewOptions) error {
 	return nil
 }
 
-func reviewSurvey(opts *ReviewOptions, editorCommand string) (*api.PullRequestReviewInput, error) {
+func reviewSurvey(opts *ReviewOptions) (*api.PullRequestReviewInput, error) {
 	options := []string{"Comment", "Approve", "Request Changes"}
 	reviewType, err := opts.Prompter.Select(
 		"What kind of review do you want to give?",
diff --git a/pkg/cmd/pr/review/review_test.go b/pkg/cmd/pr/review/review_test.go
index 0d599167c0a..b27eb4f8a64 100644
--- a/pkg/cmd/pr/review/review_test.go
+++ b/pkg/cmd/pr/review/review_test.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
@@ -166,7 +165,7 @@ func Test_NewCmdReview(t *testing.T) {
 	}
 }
 
-func runCommand(rt http.RoundTripper, prompter prompter.Prompter, remotes context.Remotes, isTTY bool, cli string) (*test.CmdOut, error) {
+func runCommand(rt http.RoundTripper, prompter prompter.Prompter, isTTY bool, cli string) (*test.CmdOut, error) {
 	ios, _, stdout, stderr := iostreams.Test()
 	ios.SetStdoutTTY(isTTY)
 	ios.SetStdinTTY(isTTY)
@@ -249,7 +248,7 @@ func TestPRReview(t *testing.T) {
 					}),
 			)
 
-			output, err := runCommand(http, nil, nil, false, tt.args)
+			output, err := runCommand(http, nil, false, tt.args)
 			assert.NoError(t, err)
 			assert.Equal(t, "", output.String())
 			assert.Equal(t, "", output.Stderr())
@@ -278,13 +277,13 @@ func TestPRReview_interactive(t *testing.T) {
 		ConfirmFunc:        func(_ string, _ bool) (bool, error) { return true, nil },
 	}
 
-	output, err := runCommand(http, pm, nil, true, "")
+	output, err := runCommand(http, pm, true, "")
 	assert.NoError(t, err)
 	assert.Equal(t, heredoc.Doc(`
 		Got:
 
 		  cool story                                                                  
-		
+
 	`), output.String())
 	assert.Equal(t, "✓ Approved pull request OWNER/REPO#123\n", output.Stderr())
 }
@@ -300,7 +299,7 @@ func TestPRReview_interactive_no_body(t *testing.T) {
 		MarkdownEditorFunc: func(_, _ string, _ bool) (string, error) { return "", nil },
 	}
 
-	_, err := runCommand(http, pm, nil, true, "")
+	_, err := runCommand(http, pm, true, "")
 	assert.EqualError(t, err, "this type of review cannot be blank")
 }
 
@@ -325,7 +324,7 @@ func TestPRReview_interactive_blank_approve(t *testing.T) {
 		ConfirmFunc:        func(_ string, _ bool) (bool, error) { return true, nil },
 	}
 
-	output, err := runCommand(http, pm, nil, true, "")
+	output, err := runCommand(http, pm, true, "")
 	assert.NoError(t, err)
 	assert.Equal(t, "", output.String())
 	assert.Equal(t, "✓ Approved pull request OWNER/REPO#123\n", output.Stderr())
diff --git a/pkg/cmd/pr/status/http.go b/pkg/cmd/pr/status/http.go
index 755ccf30b59..bd7eb6a7814 100644
--- a/pkg/cmd/pr/status/http.go
+++ b/pkg/cmd/pr/status/http.go
@@ -59,7 +59,7 @@ func pullRequestStatus(httpClient *http.Client, repo ghrepo.Interface, options r
 		fragments = fmt.Sprintf("fragment pr on PullRequest{%s}fragment prWithReviews on PullRequest{...pr}", gr)
 	} else {
 		var err error
-		fragments, err = pullRequestFragment(repo.RepoHost(), options.ConflictStatus, options.CheckRunAndStatusContextCountsSupported)
+		fragments, err = pullRequestFragment(options.ConflictStatus, options.CheckRunAndStatusContextCountsSupported)
 		if err != nil {
 			return nil, err
 		}
@@ -188,7 +188,7 @@ func pullRequestStatus(httpClient *http.Client, repo ghrepo.Interface, options r
 	return &payload, nil
 }
 
-func pullRequestFragment(hostname string, conflictStatus bool, statusCheckRollupWithCountByState bool) (string, error) {
+func pullRequestFragment(conflictStatus bool, statusCheckRollupWithCountByState bool) (string, error) {
 	fields := []string{
 		"number", "title", "state", "url", "isDraft", "isCrossRepository",
 		"headRefName", "headRepositoryOwner", "mergeStateStatus",

From c9e8fd6c64f9030366990b5ce14ae2675226defd Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@users.noreply.github.com>
Date: Wed, 8 May 2024 07:44:52 -0600
Subject: [PATCH 037/253] Fix `attestation verify` source repository check bug
 (#9053)

* add build source repo URI extension when repo is provided, add integration tests for this change

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add initial docs on specifying cert identity

Signed-off-by: Meredith Lancaster <malancas@github.com>

* wording

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add reusable workflow example

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more test cases

Signed-off-by: Meredith Lancaster <malancas@github.com>

* tweak to verify docs

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
---
 pkg/cmd/attestation/verify/policy.go          | 21 +++--
 pkg/cmd/attestation/verify/verify.go          | 10 +++
 .../verify/verify_integration_test.go         | 82 +++++++++++++++++++
 3 files changed, 108 insertions(+), 5 deletions(-)
 create mode 100644 pkg/cmd/attestation/verify/verify_integration_test.go

diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index f96ca4e8a00..34a56294b90 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -28,17 +28,28 @@ func buildSANMatcher(san, sanRegex string) (verify.SubjectAlternativeNameMatcher
 	return sanMatcher, nil
 }
 
+func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
+	extensions := certificate.Extensions{
+		Issuer:                   opts.OIDCIssuer,
+		SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
+		RunnerEnvironment:        runnerEnv,
+	}
+
+	// if opts.Repo is set, set the SourceRepositoryURI field before returning the extensions
+	if opts.Repo != "" {
+		extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
+	}
+	return extensions
+}
+
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
 	sanMatcher, err := buildSANMatcher(opts.SAN, opts.SANRegex)
 	if err != nil {
 		return nil, err
 	}
 
-	extensions := certificate.Extensions{
-		Issuer:                   opts.OIDCIssuer,
-		SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
-		RunnerEnvironment:        runnerEnv,
-	}
+	extensions := buildCertExtensions(opts, runnerEnv)
+
 	certId, err := verify.NewCertificateIdentity(sanMatcher, extensions)
 	if err != nil {
 		return nil, err
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 08322771dee..182a857228d 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -54,6 +54,16 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			To see the full results that are generated upon successful verification, i.e.
 			for use with a policy engine, provide the %[1]s--json-result%[1]s flag.
 
+			The attestation's certificate's Subject Alternative Name (SAN) identifies the entity
+			responsible for creating the attestation, which most of the time will be a GitHub
+			Actions workflow file located inside your repository. By default, this command uses
+			either the %[1]s--repo%[1]s or the %[1]s--owner%[1]s flag value to validate the SAN.
+
+			However, if you generate attestations with a reusable workflow then the SAN will
+			identify the reusable workflow – which may or may not be located inside your %[1]s--repo%[1]s
+			or %[1]s--owner%[1]s. In these situations, you can use the %[1]s--cert-identity%[1]s or
+			%[1]s--cert-identity-regex%[1]s flags to specify the reusable workflow's URI.
+
 			For more policy verification options, see the other available flags.
 			`, "`"),
 		Example: heredoc.Doc(`
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
new file mode 100644
index 00000000000..7cc1c81102c
--- /dev/null
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -0,0 +1,82 @@
+//go:build integration
+
+package verify
+
+import (
+	"testing"
+
+	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
+	"github.com/cli/cli/v2/pkg/cmd/factory"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerifyIntegration(t *testing.T) {
+	logger := io.NewTestHandler()
+
+	sigstoreConfig := verification.SigstoreConfig{
+		Logger: logger,
+	}
+
+	cmdFactory := factory.New("test")
+
+	hc, err := cmdFactory.HttpClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	publicGoodOpts := Options{
+		APIClient:        api.NewLiveClient(hc, logger),
+		ArtifactPath:     artifactPath,
+		BundlePath:       bundlePath,
+		DigestAlgorithm:  "sha512",
+		Logger:           logger,
+		OCIClient:        oci.NewLiveClient(),
+		OIDCIssuer:       GitHubOIDCIssuer,
+		Owner:            "sigstore",
+		SANRegex:         "^https://github.com/sigstore/",
+		SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+	}
+
+	t.Run("with valid owner", func(t *testing.T) {
+		err := runVerify(&publicGoodOpts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with valid repo", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.Repo = "sigstore/sigstore-js"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with valid owner and invalid repo", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.Repo = "sigstore/fakerepo"
+
+		err := runVerify(&opts)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+	})
+
+	t.Run("with invalid owner", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.Owner = "fakeowner"
+
+		err := runVerify(&opts)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+	})
+
+	t.Run("with invalid owner and invalid repo", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.Repo = "fakeowner/fakerepo"
+
+		err := runVerify(&opts)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+	})
+}

From 70acabc132dfed206b4ea78c3ba05584c760f6ea Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Thu, 9 May 2024 08:27:58 -0400
Subject: [PATCH 038/253] Creating doc to capture Codespace usage guidance

---
 docs/codespaces.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 docs/codespaces.md

diff --git a/docs/codespaces.md b/docs/codespaces.md
new file mode 100644
index 00000000000..842b37e4c02
--- /dev/null
+++ b/docs/codespaces.md
@@ -0,0 +1,36 @@
+# Guide to working with Codespaces using the CLI
+
+For more information on Codespaces, see [Codespaces section in GitHub Docs](https://docs.github.com/en/codespaces).
+
+## Access to other repositories
+
+The codespace creation process will prompt you to review and authorize additional permissions defined in
+`devcontainer.json` at creation time:
+
+```json
+{
+  "customizations": {
+    "codespaces": {
+      "repositories": {
+        "my_org/my_repo": {
+          "permissions": {
+            "issues": "write"
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+However, any changes to `codespaces` customizations will not be re-evaluated for an existing
+codespace.  This requires you to create a new codespace in order to authorize the new
+permissions using `gh codespace create`.
+
+For more information, see ["Repository access"](https://docs.github.com/en/codespaces/managing-your-codespaces/managing-repository-access-for-your-codespaces).
+
+If additional access is needed for an existing codespace or access to a repository outside of
+your user or organization account, the use of a fine-grained personal access token as an
+environment variable or Codespaces secret might be considered.
+
+For more information, see ["Authenticating to repositories"](https://docs.github.com/en/codespaces/troubleshooting/troubleshooting-authentication-to-a-repository).

From 78091c4afffe926a3037a3720a868bd7324d6d38 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Thu, 9 May 2024 20:42:46 +0100
Subject: [PATCH 039/253] Fix query parameter name

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 api/queries_pr.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index ff8dc3cc8eb..7ecaad50b82 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -716,7 +716,7 @@ type RefComparison struct {
 }
 
 func ComparePullRequestBaseBranchWith(client *Client, repo ghrepo.Interface, prNumber int, headRef string) (*RefComparison, error) {
-	query := `query ComparePullRequestBaseBranchWith($owner: String!, $repo: String!, $pr_number: Int!, $headRef: String!) {
+	query := `query ComparePullRequestBaseBranchWith($owner: String!, $repo: String!, $pullRequestNumber: Int!, $headRef: String!) {
 		repository(owner: $owner, name: $repo) {
 			pullRequest(number: $pullRequestNumber) {
 				baseRef {

From 6d9dd577746b9ad0b56ea3f4c72badba7db95375 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?= <viktor@szepe.net>
Date: Thu, 9 May 2024 20:15:27 +0000
Subject: [PATCH 040/253] Fix typos

---
 internal/featuredetection/feature_detection.go       | 2 +-
 pkg/cmd/attestation/verification/attestation_test.go | 2 +-
 pkg/cmd/cache/cache.go                               | 4 ++--
 pkg/cmd/cache/delete/delete.go                       | 4 ++--
 pkg/cmd/cache/list/list.go                           | 2 +-
 pkg/cmd/org/org.go                                   | 2 +-
 pkg/cmd/secret/set/set.go                            | 2 +-
 7 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/internal/featuredetection/feature_detection.go b/internal/featuredetection/feature_detection.go
index d289d025f5d..396d1eb5b2f 100644
--- a/internal/featuredetection/feature_detection.go
+++ b/internal/featuredetection/feature_detection.go
@@ -25,7 +25,7 @@ var allIssueFeatures = IssueFeatures{
 type PullRequestFeatures struct {
 	MergeQueue bool
 	// CheckRunAndStatusContextCounts indicates whether the API supports
-	// the checkRunCount, checkRunCountsByState, statusContextCount and stausContextCountsByState
+	// the checkRunCount, checkRunCountsByState, statusContextCount and statusContextCountsByState
 	// fields on the StatusCheckRollupContextConnection
 	CheckRunAndStatusContextCounts bool
 	CheckRunEvent                  bool
diff --git a/pkg/cmd/attestation/verification/attestation_test.go b/pkg/cmd/attestation/verification/attestation_test.go
index 1b3ed2cefd8..87a91cea99a 100644
--- a/pkg/cmd/attestation/verification/attestation_test.go
+++ b/pkg/cmd/attestation/verification/attestation_test.go
@@ -97,6 +97,6 @@ func TestFilterAttestations(t *testing.T) {
 
 	require.Len(t, filtered, 1)
 
-	filtered = FilterAttestations("NonExistantPredicate", attestations)
+	filtered = FilterAttestations("NonExistentPredicate", attestations)
 	require.Len(t, filtered, 0)
 }
diff --git a/pkg/cmd/cache/cache.go b/pkg/cmd/cache/cache.go
index db62c5e8185..897a3d9fd35 100644
--- a/pkg/cmd/cache/cache.go
+++ b/pkg/cmd/cache/cache.go
@@ -11,8 +11,8 @@ import (
 func NewCmdCache(f *cmdutil.Factory) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "cache <command>",
-		Short: "Manage Github Actions caches",
-		Long:  "Work with Github Actions caches.",
+		Short: "Manage GitHub Actions caches",
+		Long:  "Work with GitHub Actions caches.",
 		Example: heredoc.Doc(`
 			$ gh cache list
 			$ gh cache delete --all
diff --git a/pkg/cmd/cache/delete/delete.go b/pkg/cmd/cache/delete/delete.go
index 9a0783eb669..4794d1fbe67 100644
--- a/pkg/cmd/cache/delete/delete.go
+++ b/pkg/cmd/cache/delete/delete.go
@@ -34,9 +34,9 @@ func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Co
 
 	cmd := &cobra.Command{
 		Use:   "delete [<cache-id>| <cache-key> | --all]",
-		Short: "Delete Github Actions caches",
+		Short: "Delete GitHub Actions caches",
 		Long: `
-		Delete Github Actions caches.
+		Delete GitHub Actions caches.
 
 		Deletion requires authorization with the "repo" scope.
 `,
diff --git a/pkg/cmd/cache/list/list.go b/pkg/cmd/cache/list/list.go
index fcf9874f51a..f5aa8fd5aac 100644
--- a/pkg/cmd/cache/list/list.go
+++ b/pkg/cmd/cache/list/list.go
@@ -39,7 +39,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 
 	cmd := &cobra.Command{
 		Use:   "list",
-		Short: "List Github Actions caches",
+		Short: "List GitHub Actions caches",
 		Example: heredoc.Doc(`
 		# List caches for current repository
 		$ gh cache list
diff --git a/pkg/cmd/org/org.go b/pkg/cmd/org/org.go
index 9c44cf48a79..bc95e90827b 100644
--- a/pkg/cmd/org/org.go
+++ b/pkg/cmd/org/org.go
@@ -11,7 +11,7 @@ func NewCmdOrg(f *cmdutil.Factory) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "org <command>",
 		Short: "Manage organizations",
-		Long:  "Work with Github organizations.",
+		Long:  "Work with GitHub organizations.",
 		Example: heredoc.Doc(`
 			$ gh org list
 		`),
diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index dcfd4df1493..1e66e38a99c 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -158,7 +158,7 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 	cmdutil.StringEnumFlag(cmd, &opts.Visibility, "visibility", "v", shared.Private, []string{shared.All, shared.Private, shared.Selected}, "Set visibility for an organization secret")
 	cmd.Flags().StringSliceVarP(&opts.RepositoryNames, "repos", "r", []string{}, "List of `repositories` that can access an organization or user secret")
 	cmd.Flags().StringVarP(&opts.Body, "body", "b", "", "The value for the secret (reads from standard input if not specified)")
-	cmd.Flags().BoolVar(&opts.DoNotStore, "no-store", false, "Print the encrypted, base64-encoded value instead of storing it on Github")
+	cmd.Flags().BoolVar(&opts.DoNotStore, "no-store", false, "Print the encrypted, base64-encoded value instead of storing it on GitHub")
 	cmd.Flags().StringVarP(&opts.EnvFile, "env-file", "f", "", "Load secret names and values from a dotenv-formatted `file`")
 	cmdutil.StringEnumFlag(cmd, &opts.Application, "app", "a", "", []string{shared.Actions, shared.Codespaces, shared.Dependabot}, "Set the application for a secret")
 

From 1d382306755effa57f9ff4a6a814f6def4a6bba4 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 10 May 2024 10:39:36 +0200
Subject: [PATCH 041/253] Move config interfaces into gh package (#9060)

---
 cmd/gen-docs/main.go                          |   3 +-
 internal/codespaces/api/api_test.go           |  42 ++---
 internal/config/auth_config_test.go           |   2 +-
 internal/config/config.go                     |  51 +-----
 internal/config/migrate_test.go               |  11 +-
 internal/config/stub.go                       |  16 +-
 internal/gh/gh.go                             | 158 ++++++++++++++++++
 .../config_mock.go => gh/mock/config.go}      |  39 ++---
 .../mock/migration.go}                        |  13 +-
 pkg/cmd/alias/delete/delete.go                |   4 +-
 pkg/cmd/alias/delete/delete_test.go           |   3 +-
 pkg/cmd/alias/imports/import.go               |   4 +-
 pkg/cmd/alias/imports/import_test.go          |   3 +-
 pkg/cmd/alias/list/list.go                    |   4 +-
 pkg/cmd/alias/list/list_test.go               |   3 +-
 pkg/cmd/alias/set/set.go                      |   4 +-
 pkg/cmd/alias/set/set_test.go                 |   3 +-
 pkg/cmd/api/api.go                            |   6 +-
 pkg/cmd/api/api_test.go                       |  28 ++--
 pkg/cmd/auth/login/login.go                   |   4 +-
 pkg/cmd/auth/login/login_test.go              |  13 +-
 pkg/cmd/auth/logout/logout.go                 |   4 +-
 pkg/cmd/auth/logout/logout_test.go            |  11 +-
 pkg/cmd/auth/refresh/refresh.go               |   4 +-
 pkg/cmd/auth/refresh/refresh_test.go          |   3 +-
 pkg/cmd/auth/setupgit/setupgit.go             |   4 +-
 pkg/cmd/auth/setupgit/setupgit_test.go        |  19 ++-
 pkg/cmd/auth/shared/writeable.go              |   4 +-
 pkg/cmd/auth/status/status.go                 |   3 +-
 pkg/cmd/auth/status/status_test.go            |  31 ++--
 pkg/cmd/auth/switch/switch.go                 |   4 +-
 pkg/cmd/auth/switch/switch_test.go            |   3 +-
 pkg/cmd/auth/token/token.go                   |   4 +-
 pkg/cmd/auth/token/token_test.go              |  27 +--
 pkg/cmd/config/get/get.go                     |   4 +-
 pkg/cmd/config/get/get_test.go                |   7 +-
 pkg/cmd/config/list/list.go                   |   3 +-
 pkg/cmd/config/list/list_test.go              |   9 +-
 pkg/cmd/config/set/set.go                     |   3 +-
 pkg/cmd/config/set/set_test.go                |   3 +-
 pkg/cmd/extension/browse/browse.go            |   4 +-
 pkg/cmd/extension/browse/browse_test.go       |   3 +-
 pkg/cmd/extension/command_test.go             |   3 +-
 pkg/cmd/extension/manager.go                  |   5 +-
 pkg/cmd/factory/default.go                    |   7 +-
 pkg/cmd/factory/default_test.go               |  38 +++--
 pkg/cmd/factory/remote_resolver.go            |   4 +-
 pkg/cmd/factory/remote_resolver_test.go       |  78 ++++-----
 pkg/cmd/gist/clone/clone.go                   |   4 +-
 pkg/cmd/gist/clone/clone_test.go              |   3 +-
 pkg/cmd/gist/create/create.go                 |   4 +-
 pkg/cmd/gist/create/create_test.go            |   3 +-
 pkg/cmd/gist/delete/delete.go                 |   4 +-
 pkg/cmd/gist/delete/delete_test.go            |   3 +-
 pkg/cmd/gist/edit/edit.go                     |   4 +-
 pkg/cmd/gist/edit/edit_test.go                |   3 +-
 pkg/cmd/gist/list/list.go                     |   4 +-
 pkg/cmd/gist/list/list_test.go                |   3 +-
 pkg/cmd/gist/rename/rename.go                 |   4 +-
 pkg/cmd/gist/rename/rename_test.go            |   3 +-
 pkg/cmd/gist/view/view.go                     |   4 +-
 pkg/cmd/gist/view/view_test.go                |   3 +-
 pkg/cmd/gpg-key/add/add.go                    |   4 +-
 pkg/cmd/gpg-key/add/add_test.go               |   3 +-
 pkg/cmd/gpg-key/delete/delete.go              |   4 +-
 pkg/cmd/gpg-key/delete/delete_test.go         |   3 +-
 pkg/cmd/gpg-key/list/list.go                  |   4 +-
 pkg/cmd/gpg-key/list/list_test.go             |   3 +-
 pkg/cmd/issue/create/create.go                |   4 +-
 pkg/cmd/issue/create/create_test.go           |   3 +-
 pkg/cmd/issue/delete/delete.go                |   4 +-
 pkg/cmd/issue/delete/delete_test.go           |   3 +-
 pkg/cmd/issue/list/list.go                    |   4 +-
 pkg/cmd/issue/list/list_test.go               |   3 +-
 pkg/cmd/issue/lock/lock.go                    |   4 +-
 pkg/cmd/issue/pin/pin.go                      |   4 +-
 pkg/cmd/issue/pin/pin_test.go                 |   3 +-
 pkg/cmd/issue/reopen/reopen.go                |   4 +-
 pkg/cmd/issue/reopen/reopen_test.go           |   3 +-
 pkg/cmd/issue/status/status.go                |   4 +-
 pkg/cmd/issue/status/status_test.go           |   3 +-
 pkg/cmd/issue/transfer/transfer.go            |   4 +-
 pkg/cmd/issue/transfer/transfer_test.go       |   3 +-
 pkg/cmd/issue/unpin/unpin.go                  |   4 +-
 pkg/cmd/issue/unpin/unpin_test.go             |   3 +-
 pkg/cmd/issue/view/view_test.go               |   3 +-
 pkg/cmd/org/list/list.go                      |   4 +-
 pkg/cmd/org/list/list_test.go                 |   5 +-
 pkg/cmd/pr/checkout/checkout.go               |   4 +-
 pkg/cmd/pr/checkout/checkout_test.go          |   9 +-
 pkg/cmd/pr/create/create.go                   |   4 +-
 pkg/cmd/pr/create/create_test.go              |   3 +-
 pkg/cmd/pr/edit/edit.go                       |   4 +-
 pkg/cmd/pr/merge/merge.go                     |   4 +-
 pkg/cmd/pr/review/review.go                   |   4 +-
 pkg/cmd/pr/review/review_test.go              |   3 +-
 pkg/cmd/pr/shared/commentable.go              |   6 +-
 pkg/cmd/pr/status/status.go                   |   4 +-
 pkg/cmd/pr/status/status_test.go              |   3 +-
 pkg/cmd/project/link/link.go                  |  11 +-
 pkg/cmd/project/link/link_test.go             |  10 +-
 pkg/cmd/project/unlink/unlink.go              |  11 +-
 pkg/cmd/project/unlink/unlink_test.go         |  10 +-
 pkg/cmd/release/create/create.go              |   4 +-
 pkg/cmd/release/create/create_test.go         |   3 +-
 pkg/cmd/repo/archive/archive.go               |   4 +-
 pkg/cmd/repo/clone/clone.go                   |   4 +-
 pkg/cmd/repo/clone/clone_test.go              |   3 +-
 pkg/cmd/repo/create/create.go                 |   4 +-
 pkg/cmd/repo/create/create_test.go            |   3 +-
 pkg/cmd/repo/fork/fork.go                     |   4 +-
 pkg/cmd/repo/fork/fork_test.go                |   7 +-
 pkg/cmd/repo/garden/garden.go                 |   4 +-
 pkg/cmd/repo/list/list.go                     |   4 +-
 pkg/cmd/repo/list/list_test.go                |  11 +-
 pkg/cmd/repo/rename/rename.go                 |   4 +-
 pkg/cmd/repo/rename/rename_test.go            |   3 +-
 pkg/cmd/repo/unarchive/unarchive.go           |   4 +-
 pkg/cmd/repo/view/view.go                     |   4 +-
 pkg/cmd/repo/view/view_test.go                |   3 +-
 pkg/cmd/ruleset/check/check.go                |   4 +-
 pkg/cmd/run/view/view_test.go                 |   3 +-
 pkg/cmd/search/shared/shared_test.go          |   3 +-
 pkg/cmd/secret/delete/delete.go               |   4 +-
 pkg/cmd/secret/delete/delete_test.go          |   9 +-
 pkg/cmd/secret/list/list.go                   |   6 +-
 pkg/cmd/secret/list/list_test.go              |   5 +-
 pkg/cmd/secret/set/set.go                     |   4 +-
 pkg/cmd/secret/set/set_test.go                |  11 +-
 pkg/cmd/ssh-key/add/add.go                    |   4 +-
 pkg/cmd/ssh-key/add/add_test.go               |   3 +-
 pkg/cmd/ssh-key/delete/delete.go              |   4 +-
 pkg/cmd/ssh-key/delete/delete_test.go         |   3 +-
 pkg/cmd/ssh-key/list/list.go                  |   4 +-
 pkg/cmd/ssh-key/list/list_test.go             |   3 +-
 pkg/cmd/status/status_test.go                 |   3 +-
 pkg/cmd/variable/delete/delete.go             |   4 +-
 pkg/cmd/variable/delete/delete_test.go        |   3 +-
 pkg/cmd/variable/list/list.go                 |   6 +-
 pkg/cmd/variable/list/list_test.go            |   3 +-
 pkg/cmd/variable/set/set.go                   |   4 +-
 pkg/cmd/variable/set/set_test.go              |   7 +-
 pkg/cmdutil/auth_check.go                     |   4 +-
 pkg/cmdutil/auth_check_test.go                |   5 +-
 pkg/cmdutil/factory.go                        |   4 +-
 pkg/cmdutil/legacy.go                         |   4 +-
 146 files changed, 665 insertions(+), 463 deletions(-)
 create mode 100644 internal/gh/gh.go
 rename internal/{config/config_mock.go => gh/mock/config.go} (94%)
 rename internal/{config/migration_mock.go => gh/mock/migration.go} (91%)

diff --git a/cmd/gen-docs/main.go b/cmd/gen-docs/main.go
index aa5c013ff65..0c9590fac5f 100644
--- a/cmd/gen-docs/main.go
+++ b/cmd/gen-docs/main.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/docs"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/root"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -48,7 +49,7 @@ func run(args []string) error {
 	rootCmd, _ := root.NewCmdRoot(&cmdutil.Factory{
 		IOStreams: ios,
 		Browser:   &browser{},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewFromString(""), nil
 		},
 		ExtensionManager: &em{},
diff --git a/internal/codespaces/api/api_test.go b/internal/codespaces/api/api_test.go
index 72265719793..9d06dcdaf94 100644
--- a/internal/codespaces/api/api_test.go
+++ b/internal/codespaces/api/api_test.go
@@ -12,6 +12,8 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 )
 
@@ -137,13 +139,13 @@ func createHttpClient() (*http.Client, error) {
 func TestNew_APIURL_dotcomConfig(t *testing.T) {
 	t.Setenv("GITHUB_API_URL", "")
 	t.Setenv("GITHUB_SERVER_URL", "https://github.com")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			return &config.AuthConfig{}
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -160,15 +162,15 @@ func TestNew_APIURL_dotcomConfig(t *testing.T) {
 func TestNew_APIURL_customConfig(t *testing.T) {
 	t.Setenv("GITHUB_API_URL", "")
 	t.Setenv("GITHUB_SERVER_URL", "https://github.mycompany.com")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			authCfg := &config.AuthConfig{}
 			authCfg.SetDefaultHost("github.mycompany.com", "GH_HOST")
 			return authCfg
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -185,13 +187,13 @@ func TestNew_APIURL_customConfig(t *testing.T) {
 func TestNew_APIURL_env(t *testing.T) {
 	t.Setenv("GITHUB_API_URL", "https://api.mycompany.com")
 	t.Setenv("GITHUB_SERVER_URL", "https://mycompany.com")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			return &config.AuthConfig{}
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -208,7 +210,7 @@ func TestNew_APIURL_env(t *testing.T) {
 func TestNew_APIURL_dotcomFallback(t *testing.T) {
 	t.Setenv("GITHUB_API_URL", "")
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return nil, errors.New("Failed to load")
 		},
 	}
@@ -222,13 +224,13 @@ func TestNew_APIURL_dotcomFallback(t *testing.T) {
 func TestNew_ServerURL_dotcomConfig(t *testing.T) {
 	t.Setenv("GITHUB_SERVER_URL", "")
 	t.Setenv("GITHUB_API_URL", "https://api.github.com")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			return &config.AuthConfig{}
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -245,15 +247,15 @@ func TestNew_ServerURL_dotcomConfig(t *testing.T) {
 func TestNew_ServerURL_customConfig(t *testing.T) {
 	t.Setenv("GITHUB_SERVER_URL", "")
 	t.Setenv("GITHUB_API_URL", "https://github.mycompany.com/api/v3")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			authCfg := &config.AuthConfig{}
 			authCfg.SetDefaultHost("github.mycompany.com", "GH_HOST")
 			return authCfg
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -270,13 +272,13 @@ func TestNew_ServerURL_customConfig(t *testing.T) {
 func TestNew_ServerURL_env(t *testing.T) {
 	t.Setenv("GITHUB_SERVER_URL", "https://mycompany.com")
 	t.Setenv("GITHUB_API_URL", "https://api.mycompany.com")
-	cfg := &config.ConfigMock{
-		AuthenticationFunc: func() *config.AuthConfig {
+	cfg := &ghmock.ConfigMock{
+		AuthenticationFunc: func() gh.AuthConfig {
 			return &config.AuthConfig{}
 		},
 	}
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return cfg, nil
 		},
 	}
@@ -293,7 +295,7 @@ func TestNew_ServerURL_env(t *testing.T) {
 func TestNew_ServerURL_dotcomFallback(t *testing.T) {
 	t.Setenv("GITHUB_SERVER_URL", "")
 	f := &cmdutil.Factory{
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return nil, errors.New("Failed to load")
 		},
 	}
diff --git a/internal/config/auth_config_test.go b/internal/config/auth_config_test.go
index 52373f3754a..ed000ff1837 100644
--- a/internal/config/auth_config_test.go
+++ b/internal/config/auth_config_test.go
@@ -13,7 +13,7 @@ import (
 // Note that NewIsolatedTestConfig sets up a Mock keyring as well
 func newTestAuthConfig(t *testing.T) *AuthConfig {
 	cfg, _ := NewIsolatedTestConfig(t)
-	return cfg.Authentication()
+	return &AuthConfig{cfg: cfg.cfg}
 }
 
 func TestTokenFromKeyring(t *testing.T) {
diff --git a/internal/config/config.go b/internal/config/config.go
index f3ed8cf6f9b..ad451ee97b3 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"slices"
 
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/keyring"
 	ghAuth "github.com/cli/go-gh/v2/pkg/auth"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
@@ -27,49 +28,7 @@ const (
 	versionKey        = "version"
 )
 
-// This interface describes interacting with some persistent configuration for gh.
-//
-//go:generate moq -rm -out config_mock.go . Config
-type Config interface {
-	GetOrDefault(string, string) (string, error)
-	Set(string, string, string)
-	Write() error
-	Migrate(Migration) error
-
-	CacheDir() string
-
-	Aliases() *AliasConfig
-	Authentication() *AuthConfig
-	Browser(string) string
-	Editor(string) string
-	GitProtocol(string) string
-	HTTPUnixSocket(string) string
-	Pager(string) string
-	Prompt(string) string
-	Version() string
-}
-
-// Migration is the interface that config migrations must implement.
-//
-// Migrations will receive a copy of the config, and should modify that copy
-// as necessary. After migration has completed, the modified config contents
-// will be used.
-//
-// The calling code is expected to verify that the current version of the config
-// matches the PreVersion of the migration before calling Do, and will set the
-// config version to the PostVersion after the migration has completed successfully.
-//
-//go:generate moq -rm -out migration_mock.go . Migration
-type Migration interface {
-	// PreVersion is the required config version for this to be applied
-	PreVersion() string
-	// PostVersion is the config version that must be applied after migration
-	PostVersion() string
-	// Do is expected to apply any necessary changes to the config in place
-	Do(*ghConfig.Config) error
-}
-
-func NewConfig() (Config, error) {
+func NewConfig() (gh.Config, error) {
 	c, err := ghConfig.Read(fallbackConfig())
 	if err != nil {
 		return nil, err
@@ -123,11 +82,11 @@ func (c *cfg) Write() error {
 	return ghConfig.Write(c.cfg)
 }
 
-func (c *cfg) Aliases() *AliasConfig {
+func (c *cfg) Aliases() gh.AliasConfig {
 	return &AliasConfig{cfg: c.cfg}
 }
 
-func (c *cfg) Authentication() *AuthConfig {
+func (c *cfg) Authentication() gh.AuthConfig {
 	return &AuthConfig{cfg: c.cfg}
 }
 
@@ -166,7 +125,7 @@ func (c *cfg) Version() string {
 	return val
 }
 
-func (c *cfg) Migrate(m Migration) error {
+func (c *cfg) Migrate(m gh.Migration) error {
 	version := c.Version()
 
 	// If migration has already occurred then do not attempt to migrate again.
diff --git a/internal/config/migrate_test.go b/internal/config/migrate_test.go
index 19384855862..783f605a26a 100644
--- a/internal/config/migrate_test.go
+++ b/internal/config/migrate_test.go
@@ -8,6 +8,7 @@ import (
 	"path/filepath"
 	"testing"
 
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 	"github.com/stretchr/testify/require"
 )
@@ -60,7 +61,7 @@ func TestMigrationAppliedBumpsVersion(t *testing.T) {
 	c.Set([]string{versionKey}, "expected-pre-version")
 	topLevelKey := []string{"toplevelkey"}
 
-	migration := &MigrationMock{
+	migration := &ghmock.MigrationMock{
 		DoFunc: func(config *ghConfig.Config) error {
 			config.Set(topLevelKey, "toplevelvalue")
 			return nil
@@ -96,7 +97,7 @@ func TestMigrationIsNoopWhenAlreadyApplied(t *testing.T) {
 	c := ghConfig.ReadFromString(testFullConfig())
 	c.Set([]string{versionKey}, "expected-post-version")
 
-	migration := &MigrationMock{
+	migration := &ghmock.MigrationMock{
 		DoFunc: func(config *ghConfig.Config) error {
 			return errors.New("is not called")
 		},
@@ -126,7 +127,7 @@ func TestMigrationErrorsWhenPreVersionMismatch(t *testing.T) {
 	c.Set([]string{versionKey}, "not-expected-pre-version")
 	topLevelKey := []string{"toplevelkey"}
 
-	migration := &MigrationMock{
+	migration := &ghmock.MigrationMock{
 		DoFunc: func(config *ghConfig.Config) error {
 			config.Set(topLevelKey, "toplevelvalue")
 			return nil
@@ -228,8 +229,8 @@ func makeFileUnwriteable(t *testing.T, file string) {
 	require.NoError(t, os.Chmod(file, 0000))
 }
 
-func mockMigration(doFunc func(config *ghConfig.Config) error) *MigrationMock {
-	return &MigrationMock{
+func mockMigration(doFunc func(config *ghConfig.Config) error) *ghmock.MigrationMock {
+	return &ghmock.MigrationMock{
 		DoFunc: doFunc,
 		PreVersionFunc: func() string {
 			return ""
diff --git a/internal/config/stub.go b/internal/config/stub.go
index 547ad951bb7..d0500cfe4b7 100644
--- a/internal/config/stub.go
+++ b/internal/config/stub.go
@@ -6,18 +6,20 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/cli/cli/v2/internal/gh"
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/cli/cli/v2/internal/keyring"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
 
-func NewBlankConfig() *ConfigMock {
+func NewBlankConfig() *ghmock.ConfigMock {
 	return NewFromString(defaultConfigStr)
 }
 
-func NewFromString(cfgStr string) *ConfigMock {
+func NewFromString(cfgStr string) *ghmock.ConfigMock {
 	c := ghConfig.ReadFromString(cfgStr)
 	cfg := cfg{c}
-	mock := &ConfigMock{}
+	mock := &ghmock.ConfigMock{}
 	mock.GetOrDefaultFunc = func(host, key string) (string, error) {
 		return cfg.GetOrDefault(host, key)
 	}
@@ -27,13 +29,13 @@ func NewFromString(cfgStr string) *ConfigMock {
 	mock.WriteFunc = func() error {
 		return cfg.Write()
 	}
-	mock.MigrateFunc = func(m Migration) error {
+	mock.MigrateFunc = func(m gh.Migration) error {
 		return cfg.Migrate(m)
 	}
-	mock.AliasesFunc = func() *AliasConfig {
+	mock.AliasesFunc = func() gh.AliasConfig {
 		return &AliasConfig{cfg: c}
 	}
-	mock.AuthenticationFunc = func() *AuthConfig {
+	mock.AuthenticationFunc = func() gh.AuthConfig {
 		return &AuthConfig{
 			cfg: c,
 			defaultHostOverride: func() (string, string) {
@@ -88,7 +90,7 @@ func NewFromString(cfgStr string) *ConfigMock {
 // in the real implementation, sets the GH_CONFIG_DIR env var so that
 // any call to Write goes to a different location on disk, and then returns
 // the blank config and a function that reads any data written to disk.
-func NewIsolatedTestConfig(t *testing.T) (Config, func(io.Writer, io.Writer)) {
+func NewIsolatedTestConfig(t *testing.T) (*cfg, func(io.Writer, io.Writer)) {
 	keyring.MockInit()
 
 	c := ghConfig.ReadFromString("")
diff --git a/internal/gh/gh.go b/internal/gh/gh.go
new file mode 100644
index 00000000000..6e3094ea129
--- /dev/null
+++ b/internal/gh/gh.go
@@ -0,0 +1,158 @@
+// Package gh provides types that represent the domain of the CLI application.
+//
+// For example, the CLI expects to be able to get and set user configuration in order to perform its functionality,
+// so the Config interface is defined here, though the concrete implementation lives elsewhere. Though the current
+// implementation of config writes to certain files on disk, that is an implementation detail compared to the contract
+// laid out in the interface here.
+//
+// Currently this package is in an early state but we could imagine other domain concepts living here for interacting
+// with git or GitHub.
+package gh
+
+import (
+	ghConfig "github.com/cli/go-gh/v2/pkg/config"
+)
+
+// A Config implements persistent storage and modification of application configuration.
+//
+//go:generate moq -rm -pkg ghmock -out mock/config.go . Config
+type Config interface {
+	// GetOrDefault provides primitive access for fetching configuration values, optionally scoped by host.
+	GetOrDefault(hostname string, key string) (string, error)
+	// Set provides primitive access for setting configuration values, optionally scoped by host.
+	Set(hostname string, key string, value string)
+
+	// Browser returns the configured browser, optionally scoped by host.
+	Browser(hostname string) string
+	// Editor returns the configured editor, optionally scoped by host.
+	Editor(hostname string) string
+	// GitProtocol returns the configured git protocol, optionally scoped by host.
+	GitProtocol(hostname string) string
+	// HTTPUnixSocket returns the configured HTTP unix socket, optionally scoped by host.
+	HTTPUnixSocket(hostname string) string
+	// Pager returns the configured Pager, optionally scoped by host.
+	Pager(hostname string) string
+	// Prompt returns the configured prompt, optionally scoped by host.
+	Prompt(hostname string) string
+
+	// Aliases provides persistent storage and modification of command aliases.
+	Aliases() AliasConfig
+
+	// Authentication provides persistent storage and modification of authentication configuration.
+	Authentication() AuthConfig
+
+	// CacheDir returns the directory where the cacheable artifacts can be persisted.
+	CacheDir() string
+
+	// Migrate applies a migration to the configuration.
+	Migrate(Migration) error
+
+	// Version returns the current schema version of the configuration.
+	Version() string
+
+	// Write persists modifications to the configuration.
+	Write() error
+}
+
+// Migration is the interface that config migrations must implement.
+//
+// Migrations will receive a copy of the config, and should modify that copy
+// as necessary. After migration has completed, the modified config contents
+// will be used.
+//
+// The calling code is expected to verify that the current version of the config
+// matches the PreVersion of the migration before calling Do, and will set the
+// config version to the PostVersion after the migration has completed successfully.
+//
+//go:generate moq -rm  -pkg ghmock -out mock/migration.go . Migration
+type Migration interface {
+	// PreVersion is the required config version for this to be applied
+	PreVersion() string
+	// PostVersion is the config version that must be applied after migration
+	PostVersion() string
+	// Do is expected to apply any necessary changes to the config in place
+	Do(*ghConfig.Config) error
+}
+
+// AuthConfig is used for interacting with some persistent configuration for gh,
+// with knowledge on how to access encrypted storage when neccesarry.
+// Behavior is scoped to authentication specific tasks.
+type AuthConfig interface {
+	// ActiveToken will retrieve the active auth token for the given hostname, searching environment variables,
+	// general configuration, and finally encrypted storage.
+	ActiveToken(hostname string) (token string, source string)
+
+	// HasEnvToken returns true when a token has been specified in an environment variable, else returns false.
+	HasEnvToken() bool
+
+	// TokenFromKeyring will retrieve the auth token for the given hostname, only searching in encrypted storage.
+	TokenFromKeyring(hostname string) (token string, err error)
+
+	// TokenFromKeyringForUser will retrieve the auth token for the given hostname and username, only searching
+	// in encrypted storage.
+	//
+	// An empty username will return an error because the potential to return the currently active token under
+	// surprising cases is just too high to risk compared to the utility of having the function being smart.
+	TokenFromKeyringForUser(hostname, username string) (token string, err error)
+
+	// ActiveUser will retrieve the username for the active user at the given hostname.
+	//
+	// This will not be accurate if the oauth token is set from an environment variable.
+	ActiveUser(hostname string) (username string, err error)
+
+	// Hosts retrieves a list of known hosts.
+	Hosts() []string
+
+	// DefaultHost retrieves the default host.
+	DefaultHost() (host string, source string)
+
+	// Login will set user, git protocol, and auth token for the given hostname.
+	//
+	// If the encrypt option is specified it will first try to store the auth token
+	// in encrypted storage and will fall back to the general insecure configuration.
+	Login(hostname, username, token, gitProtocol string, secureStorage bool) (insecureStorageUsed bool, err error)
+
+	// SwitchUser switches the active user for a given hostname.
+	SwitchUser(hostname, user string) error
+
+	// Logout will remove user, git protocol, and auth token for the given hostname.
+	// It will remove the auth token from the encrypted storage if it exists there.
+	Logout(hostname, username string) error
+
+	// UsersForHost retrieves a list of users configured for a specific host.
+	UsersForHost(hostname string) []string
+
+	// TokenForUser retrieves the authentication token and its source for a specified user and hostname.
+	TokenForUser(hostname, user string) (token string, source string, err error)
+
+	// The following methods are only for testing and that is a design smell we should consider fixing.
+
+	// SetActiveToken will override any token resolution and return the given token and source for all calls to
+	// ActiveToken.
+	// Use for testing purposes only.
+	SetActiveToken(token, source string)
+
+	// SetHosts will override any hosts resolution and return the given hosts for all calls to Hosts.
+	// Use for testing purposes only.
+	SetHosts(hosts []string)
+
+	// SetDefaultHost will override any host resolution and return the given host and source for all calls to
+	// DefaultHost.
+	// Use for testing purposes only.
+	SetDefaultHost(host, source string)
+}
+
+// AliasConfig defines an interface for managing command aliases.
+type AliasConfig interface {
+	// Get retrieves the expansion for a specified alias.
+	Get(alias string) (expansion string, err error)
+
+	// Add adds a new alias with the specified expansion.
+	Add(alias, expansion string)
+
+	// Delete removes an alias.
+	Delete(alias string) error
+
+	// All returns a map of all aliases to their corresponding expansions.
+	All() map[string]string
+}
diff --git a/internal/config/config_mock.go b/internal/gh/mock/config.go
similarity index 94%
rename from internal/config/config_mock.go
rename to internal/gh/mock/config.go
index fc25ad850e5..736c8c26265 100644
--- a/internal/config/config_mock.go
+++ b/internal/gh/mock/config.go
@@ -1,26 +1,27 @@
 // Code generated by moq; DO NOT EDIT.
 // github.com/matryer/moq
 
-package config
+package ghmock
 
 import (
+	"github.com/cli/cli/v2/internal/gh"
 	"sync"
 )
 
-// Ensure, that ConfigMock does implement Config.
+// Ensure, that ConfigMock does implement gh.Config.
 // If this is not the case, regenerate this file with moq.
-var _ Config = &ConfigMock{}
+var _ gh.Config = &ConfigMock{}
 
-// ConfigMock is a mock implementation of Config.
+// ConfigMock is a mock implementation of gh.Config.
 //
 //	func TestSomethingThatUsesConfig(t *testing.T) {
 //
-//		// make and configure a mocked Config
+//		// make and configure a mocked gh.Config
 //		mockedConfig := &ConfigMock{
-//			AliasesFunc: func() *AliasConfig {
+//			AliasesFunc: func() gh.AliasConfig {
 //				panic("mock out the Aliases method")
 //			},
-//			AuthenticationFunc: func() *AuthConfig {
+//			AuthenticationFunc: func() gh.AuthConfig {
 //				panic("mock out the Authentication method")
 //			},
 //			BrowserFunc: func(s string) string {
@@ -41,7 +42,7 @@ var _ Config = &ConfigMock{}
 //			HTTPUnixSocketFunc: func(s string) string {
 //				panic("mock out the HTTPUnixSocket method")
 //			},
-//			MigrateFunc: func(migration Migration) error {
+//			MigrateFunc: func(migration gh.Migration) error {
 //				panic("mock out the Migrate method")
 //			},
 //			PagerFunc: func(s string) string {
@@ -61,16 +62,16 @@ var _ Config = &ConfigMock{}
 //			},
 //		}
 //
-//		// use mockedConfig in code that requires Config
+//		// use mockedConfig in code that requires gh.Config
 //		// and then make assertions.
 //
 //	}
 type ConfigMock struct {
 	// AliasesFunc mocks the Aliases method.
-	AliasesFunc func() *AliasConfig
+	AliasesFunc func() gh.AliasConfig
 
 	// AuthenticationFunc mocks the Authentication method.
-	AuthenticationFunc func() *AuthConfig
+	AuthenticationFunc func() gh.AuthConfig
 
 	// BrowserFunc mocks the Browser method.
 	BrowserFunc func(s string) string
@@ -91,7 +92,7 @@ type ConfigMock struct {
 	HTTPUnixSocketFunc func(s string) string
 
 	// MigrateFunc mocks the Migrate method.
-	MigrateFunc func(migration Migration) error
+	MigrateFunc func(migration gh.Migration) error
 
 	// PagerFunc mocks the Pager method.
 	PagerFunc func(s string) string
@@ -149,7 +150,7 @@ type ConfigMock struct {
 		// Migrate holds details about calls to the Migrate method.
 		Migrate []struct {
 			// Migration is the migration argument value.
-			Migration Migration
+			Migration gh.Migration
 		}
 		// Pager holds details about calls to the Pager method.
 		Pager []struct {
@@ -194,7 +195,7 @@ type ConfigMock struct {
 }
 
 // Aliases calls AliasesFunc.
-func (mock *ConfigMock) Aliases() *AliasConfig {
+func (mock *ConfigMock) Aliases() gh.AliasConfig {
 	if mock.AliasesFunc == nil {
 		panic("ConfigMock.AliasesFunc: method is nil but Config.Aliases was just called")
 	}
@@ -221,7 +222,7 @@ func (mock *ConfigMock) AliasesCalls() []struct {
 }
 
 // Authentication calls AuthenticationFunc.
-func (mock *ConfigMock) Authentication() *AuthConfig {
+func (mock *ConfigMock) Authentication() gh.AuthConfig {
 	if mock.AuthenticationFunc == nil {
 		panic("ConfigMock.AuthenticationFunc: method is nil but Config.Authentication was just called")
 	}
@@ -439,12 +440,12 @@ func (mock *ConfigMock) HTTPUnixSocketCalls() []struct {
 }
 
 // Migrate calls MigrateFunc.
-func (mock *ConfigMock) Migrate(migration Migration) error {
+func (mock *ConfigMock) Migrate(migration gh.Migration) error {
 	if mock.MigrateFunc == nil {
 		panic("ConfigMock.MigrateFunc: method is nil but Config.Migrate was just called")
 	}
 	callInfo := struct {
-		Migration Migration
+		Migration gh.Migration
 	}{
 		Migration: migration,
 	}
@@ -459,10 +460,10 @@ func (mock *ConfigMock) Migrate(migration Migration) error {
 //
 //	len(mockedConfig.MigrateCalls())
 func (mock *ConfigMock) MigrateCalls() []struct {
-	Migration Migration
+	Migration gh.Migration
 } {
 	var calls []struct {
-		Migration Migration
+		Migration gh.Migration
 	}
 	mock.lockMigrate.RLock()
 	calls = mock.calls.Migrate
diff --git a/internal/config/migration_mock.go b/internal/gh/mock/migration.go
similarity index 91%
rename from internal/config/migration_mock.go
rename to internal/gh/mock/migration.go
index bf8133fb47e..e534ef5c4bb 100644
--- a/internal/config/migration_mock.go
+++ b/internal/gh/mock/migration.go
@@ -1,22 +1,23 @@
 // Code generated by moq; DO NOT EDIT.
 // github.com/matryer/moq
 
-package config
+package ghmock
 
 import (
+	"github.com/cli/cli/v2/internal/gh"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 	"sync"
 )
 
-// Ensure, that MigrationMock does implement Migration.
+// Ensure, that MigrationMock does implement gh.Migration.
 // If this is not the case, regenerate this file with moq.
-var _ Migration = &MigrationMock{}
+var _ gh.Migration = &MigrationMock{}
 
-// MigrationMock is a mock implementation of Migration.
+// MigrationMock is a mock implementation of gh.Migration.
 //
 //	func TestSomethingThatUsesMigration(t *testing.T) {
 //
-//		// make and configure a mocked Migration
+//		// make and configure a mocked gh.Migration
 //		mockedMigration := &MigrationMock{
 //			DoFunc: func(config *ghConfig.Config) error {
 //				panic("mock out the Do method")
@@ -29,7 +30,7 @@ var _ Migration = &MigrationMock{}
 //			},
 //		}
 //
-//		// use mockedMigration in code that requires Migration
+//		// use mockedMigration in code that requires gh.Migration
 //		// and then make assertions.
 //
 //	}
diff --git a/pkg/cmd/alias/delete/delete.go b/pkg/cmd/alias/delete/delete.go
index 16e94304499..da69504a8e1 100644
--- a/pkg/cmd/alias/delete/delete.go
+++ b/pkg/cmd/alias/delete/delete.go
@@ -4,14 +4,14 @@ import (
 	"fmt"
 	"sort"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
 )
 
 type DeleteOptions struct {
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 	IO     *iostreams.IOStreams
 
 	Name string
diff --git a/pkg/cmd/alias/delete/delete_test.go b/pkg/cmd/alias/delete/delete_test.go
index 9990abdfce8..845119a8007 100644
--- a/pkg/cmd/alias/delete/delete_test.go
+++ b/pkg/cmd/alias/delete/delete_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -161,7 +162,7 @@ func TestDeleteRun(t *testing.T) {
 			tt.opts.IO = ios
 
 			cfg := config.NewFromString(tt.config)
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/alias/imports/import.go b/pkg/cmd/alias/imports/import.go
index c70a150f35e..78959ece3fc 100644
--- a/pkg/cmd/alias/imports/import.go
+++ b/pkg/cmd/alias/imports/import.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/alias/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -15,7 +15,7 @@ import (
 )
 
 type ImportOptions struct {
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 	IO     *iostreams.IOStreams
 
 	Filename          string
diff --git a/pkg/cmd/alias/imports/import_test.go b/pkg/cmd/alias/imports/import_test.go
index 024f52f02dd..c2ae16e7a16 100644
--- a/pkg/cmd/alias/imports/import_test.go
+++ b/pkg/cmd/alias/imports/import_test.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/alias/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -309,7 +310,7 @@ func TestImportRun(t *testing.T) {
 
 			readConfigs := config.StubWriteConfig(t)
 			cfg := config.NewFromString(tt.initConfig)
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/alias/list/list.go b/pkg/cmd/alias/list/list.go
index 2f17ed19534..c648b2e6d37 100644
--- a/pkg/cmd/alias/list/list.go
+++ b/pkg/cmd/alias/list/list.go
@@ -2,7 +2,7 @@ package list
 
 import (
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -10,7 +10,7 @@ import (
 )
 
 type ListOptions struct {
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 	IO     *iostreams.IOStreams
 }
 
diff --git a/pkg/cmd/alias/list/list_test.go b/pkg/cmd/alias/list/list_test.go
index 2f8af41cd7a..0af36a38d08 100644
--- a/pkg/cmd/alias/list/list_test.go
+++ b/pkg/cmd/alias/list/list_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/stretchr/testify/assert"
@@ -66,7 +67,7 @@ func TestAliasList(t *testing.T) {
 
 			factory := &cmdutil.Factory{
 				IOStreams: ios,
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return cfg, nil
 				},
 			}
diff --git a/pkg/cmd/alias/set/set.go b/pkg/cmd/alias/set/set.go
index e2661b7f7f8..c09f7c0ccb9 100644
--- a/pkg/cmd/alias/set/set.go
+++ b/pkg/cmd/alias/set/set.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/alias/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -14,7 +14,7 @@ import (
 )
 
 type SetOptions struct {
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 	IO     *iostreams.IOStreams
 
 	Name              string
diff --git a/pkg/cmd/alias/set/set_test.go b/pkg/cmd/alias/set/set_test.go
index 4acb8b8b065..40198d878f6 100644
--- a/pkg/cmd/alias/set/set_test.go
+++ b/pkg/cmd/alias/set/set_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/alias/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -284,7 +285,7 @@ func TestSetRun(t *testing.T) {
 			cfg.WriteFunc = func() error {
 				return nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/api/api.go b/pkg/cmd/api/api.go
index 8184065cac5..b44cef2d409 100644
--- a/pkg/cmd/api/api.go
+++ b/pkg/cmd/api/api.go
@@ -17,7 +17,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/factory"
@@ -37,7 +37,7 @@ type ApiOptions struct {
 	AppVersion string
 	BaseRepo   func() (ghrepo.Interface, error)
 	Branch     func() (string, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
 
@@ -149,7 +149,7 @@ func NewCmdApi(f *cmdutil.Factory, runF func(*ApiOptions) error) *cobra.Command
 			$ gh api repos/{owner}/{repo}/issues --template \
 			  '{{range .}}{{.title}} ({{.labels | pluck "name" | join ", " | color "yellow"}}){{"\n"}}{{end}}'
 
-			# update allowed values of the "environment" custom property in a deeply nested array 
+			# update allowed values of the "environment" custom property in a deeply nested array
 			gh api --PATCH /orgs/{org}/properties/schema \
 			   -F 'properties[][property_name]=environment' \
 			   -F 'properties[][default_value]=production' \
diff --git a/pkg/cmd/api/api_test.go b/pkg/cmd/api/api_test.go
index 55138b3c7ea..a565312cd55 100644
--- a/pkg/cmd/api/api_test.go
+++ b/pkg/cmd/api/api_test.go
@@ -16,6 +16,8 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -662,7 +664,7 @@ func Test_apiRun(t *testing.T) {
 			ios.SetStdoutTTY(tt.isatty)
 
 			tt.options.IO = ios
-			tt.options.Config = func() (config.Config, error) { return config.NewBlankConfig(), nil }
+			tt.options.Config = func() (gh.Config, error) { return config.NewBlankConfig(), nil }
 			tt.options.HttpClient = func() (*http.Client, error) {
 				var tr roundTripper = func(req *http.Request) (*http.Response, error) {
 					resp := tt.httpResponse
@@ -737,7 +739,7 @@ func Test_apiRun_paginationREST(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -809,7 +811,7 @@ func Test_apiRun_arrayPaginationREST(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -881,7 +883,7 @@ func Test_apiRun_arrayPaginationREST_with_headers(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -950,7 +952,7 @@ func Test_apiRun_paginationGraphQL(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -1049,7 +1051,7 @@ func Test_apiRun_paginationGraphQL_slurp(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -1161,7 +1163,7 @@ func Test_apiRun_paginated_template(t *testing.T) {
 			}
 			return &http.Client{Transport: tr}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 
@@ -1208,7 +1210,7 @@ func Test_apiRun_DELETE(t *testing.T) {
 	var gotRequest *http.Request
 	err := apiRun(&ApiOptions{
 		IO: ios,
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		HttpClient: func() (*http.Client, error) {
@@ -1293,7 +1295,7 @@ func Test_apiRun_inputFile(t *testing.T) {
 					}
 					return &http.Client{Transport: tr}, nil
 				},
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 			}
@@ -1324,9 +1326,9 @@ func Test_apiRun_cache(t *testing.T) {
 	ios, _, stdout, stderr := iostreams.Test()
 	options := ApiOptions{
 		IO: ios,
-		Config: func() (config.Config, error) {
-			return &config.ConfigMock{
-				AuthenticationFunc: func() *config.AuthConfig {
+		Config: func() (gh.Config, error) {
+			return &ghmock.ConfigMock{
+				AuthenticationFunc: func() gh.AuthConfig {
 					return &config.AuthConfig{}
 				},
 				// Cached responses are stored in a tempdir that gets automatically cleaned up
@@ -1738,7 +1740,7 @@ func Test_apiRun_acceptHeader(t *testing.T) {
 			ios, _, _, _ := iostreams.Test()
 			tt.options.IO = ios
 
-			tt.options.Config = func() (config.Config, error) {
+			tt.options.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 
diff --git a/pkg/cmd/auth/login/login.go b/pkg/cmd/auth/login/login.go
index 64e84c0e288..9104dd175ea 100644
--- a/pkg/cmd/auth/login/login.go
+++ b/pkg/cmd/auth/login/login.go
@@ -9,7 +9,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -20,7 +20,7 @@ import (
 
 type LoginOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
 	Prompter   shared.Prompt
diff --git a/pkg/cmd/auth/login/login_test.go b/pkg/cmd/auth/login/login_test.go
index 73aec604f75..d53dd3f0b34 100644
--- a/pkg/cmd/auth/login/login_test.go
+++ b/pkg/cmd/auth/login/login_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -281,7 +282,7 @@ func Test_loginRun_nontty(t *testing.T) {
 		opts            *LoginOptions
 		env             map[string]string
 		httpStubs       func(*httpmock.Registry)
-		cfgStubs        func(*testing.T, config.Config)
+		cfgStubs        func(*testing.T, gh.Config)
 		wantHosts       string
 		wantErr         string
 		wantStderr      string
@@ -417,7 +418,7 @@ func Test_loginRun_nontty(t *testing.T) {
 				Hostname: "github.com",
 				Token:    "newUserToken",
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				_, err := c.Authentication().Login("github.com", "monalisa", "abc123", "https", false)
 				require.NoError(t, err)
 			},
@@ -451,7 +452,7 @@ func Test_loginRun_nontty(t *testing.T) {
 			if tt.cfgStubs != nil {
 				tt.cfgStubs(t, cfg)
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -500,7 +501,7 @@ func Test_loginRun_Survey(t *testing.T) {
 		httpStubs       func(*httpmock.Registry)
 		prompterStubs   func(*prompter.PrompterMock)
 		runStubs        func(*run.CommandStubber)
-		cfgStubs        func(*testing.T, config.Config)
+		cfgStubs        func(*testing.T, gh.Config)
 		wantHosts       string
 		wantErrOut      *regexp.Regexp
 		wantSecureToken string
@@ -700,7 +701,7 @@ func Test_loginRun_Survey(t *testing.T) {
 					return -1, prompter.NoSuchPromptErr(prompt)
 				}
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				_, err := c.Authentication().Login("github.com", "monalisa", "abc123", "https", false)
 				require.NoError(t, err)
 			},
@@ -744,7 +745,7 @@ func Test_loginRun_Survey(t *testing.T) {
 			if tt.cfgStubs != nil {
 				tt.cfgStubs(t, cfg)
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/auth/logout/logout.go b/pkg/cmd/auth/logout/logout.go
index 9d7642ee9b2..ef978ebac13 100644
--- a/pkg/cmd/auth/logout/logout.go
+++ b/pkg/cmd/auth/logout/logout.go
@@ -6,7 +6,7 @@ import (
 	"slices"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -15,7 +15,7 @@ import (
 
 type LogoutOptions struct {
 	IO       *iostreams.IOStreams
-	Config   func() (config.Config, error)
+	Config   func() (gh.Config, error)
 	Prompter shared.Prompt
 	Hostname string
 	Username string
diff --git a/pkg/cmd/auth/logout/logout_test.go b/pkg/cmd/auth/logout/logout_test.go
index ca37770c36c..02386c55b12 100644
--- a/pkg/cmd/auth/logout/logout_test.go
+++ b/pkg/cmd/auth/logout/logout_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -124,7 +125,7 @@ type hostUsers struct {
 	users []user
 }
 
-type tokenAssertion func(t *testing.T, cfg config.Config)
+type tokenAssertion func(t *testing.T, cfg gh.Config)
 
 func Test_logoutRun_tty(t *testing.T) {
 	tests := []struct {
@@ -322,7 +323,7 @@ func Test_logoutRun_tty(t *testing.T) {
 				}
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -516,7 +517,7 @@ func Test_logoutRun_nontty(t *testing.T) {
 					)
 				}
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -552,7 +553,7 @@ func Test_logoutRun_nontty(t *testing.T) {
 }
 
 func hasNoToken(hostname string) tokenAssertion {
-	return func(t *testing.T, cfg config.Config) {
+	return func(t *testing.T, cfg gh.Config) {
 		t.Helper()
 
 		token, _ := cfg.Authentication().ActiveToken(hostname)
@@ -561,7 +562,7 @@ func hasNoToken(hostname string) tokenAssertion {
 }
 
 func hasActiveToken(hostname string, expectedToken string) tokenAssertion {
-	return func(t *testing.T, cfg config.Config) {
+	return func(t *testing.T, cfg gh.Config) {
 		t.Helper()
 
 		token, _ := cfg.Authentication().ActiveToken(hostname)
diff --git a/pkg/cmd/auth/refresh/refresh.go b/pkg/cmd/auth/refresh/refresh.go
index b77c45bac4f..4e675c5325c 100644
--- a/pkg/cmd/auth/refresh/refresh.go
+++ b/pkg/cmd/auth/refresh/refresh.go
@@ -8,7 +8,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/authflow"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -21,7 +21,7 @@ type username string
 
 type RefreshOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient *http.Client
 	GitClient  *git.Client
 	Prompter   shared.Prompt
diff --git a/pkg/cmd/auth/refresh/refresh_test.go b/pkg/cmd/auth/refresh/refresh_test.go
index 51fa66bd6d5..dfc52d949f1 100644
--- a/pkg/cmd/auth/refresh/refresh_test.go
+++ b/pkg/cmd/auth/refresh/refresh_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -441,7 +442,7 @@ func Test_refreshRun(t *testing.T) {
 				_, err := cfg.Authentication().Login(hostname, "test-user", "abc123", "https", false)
 				require.NoError(t, err)
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/auth/setupgit/setupgit.go b/pkg/cmd/auth/setupgit/setupgit.go
index cd7314dfd08..6bf85a7f4ce 100644
--- a/pkg/cmd/auth/setupgit/setupgit.go
+++ b/pkg/cmd/auth/setupgit/setupgit.go
@@ -5,7 +5,7 @@ import (
 	"strings"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -18,7 +18,7 @@ type gitConfigurator interface {
 
 type SetupGitOptions struct {
 	IO           *iostreams.IOStreams
-	Config       func() (config.Config, error)
+	Config       func() (gh.Config, error)
 	Hostname     string
 	Force        bool
 	gitConfigure gitConfigurator
diff --git a/pkg/cmd/auth/setupgit/setupgit_test.go b/pkg/cmd/auth/setupgit/setupgit_test.go
index c1982f5531d..9e6550e548f 100644
--- a/pkg/cmd/auth/setupgit/setupgit_test.go
+++ b/pkg/cmd/auth/setupgit/setupgit_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -81,7 +82,7 @@ func Test_setupGitRun(t *testing.T) {
 		name               string
 		opts               *SetupGitOptions
 		setupErr           error
-		cfgStubs           func(*testing.T, config.Config)
+		cfgStubs           func(*testing.T, gh.Config)
 		expectedHostsSetup []string
 		expectedErr        error
 		expectedErrOut     string
@@ -89,7 +90,7 @@ func Test_setupGitRun(t *testing.T) {
 		{
 			name: "opts.Config returns an error",
 			opts: &SetupGitOptions{
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return nil, fmt.Errorf("oops")
 				},
 			},
@@ -100,7 +101,7 @@ func Test_setupGitRun(t *testing.T) {
 			opts: &SetupGitOptions{
 				Hostname: "ghe.io",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 			},
 			expectedErr: errors.New("You are not logged into the GitHub host \"ghe.io\". Run gh auth login -h ghe.io to authenticate or provide `--force`"),
@@ -118,7 +119,7 @@ func Test_setupGitRun(t *testing.T) {
 			opts: &SetupGitOptions{
 				Hostname: "ghe.io",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "ghe.io", "test-user", "gho_ABCDEFG", "https", false)
 			},
 			expectedHostsSetup: []string{"ghe.io"},
@@ -129,7 +130,7 @@ func Test_setupGitRun(t *testing.T) {
 				Hostname: "ghe.io",
 			},
 			setupErr: fmt.Errorf("broken"),
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "ghe.io", "test-user", "gho_ABCDEFG", "https", false)
 			},
 			expectedErr:    errors.New("failed to set up git credential helper: broken"),
@@ -144,7 +145,7 @@ func Test_setupGitRun(t *testing.T) {
 		{
 			name: "when there are known hosts, and no hostname is provided, set them all up",
 			opts: &SetupGitOptions{},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "ghe.io", "test-user", "gho_ABCDEFG", "https", false)
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 			},
@@ -154,7 +155,7 @@ func Test_setupGitRun(t *testing.T) {
 			name:     "when no hostname is provided but setting one up errors, that error is bubbled",
 			opts:     &SetupGitOptions{},
 			setupErr: fmt.Errorf("broken"),
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "ghe.io", "test-user", "gho_ABCDEFG", "https", false)
 			},
 			expectedErr:    errors.New("failed to set up git credential helper: broken"),
@@ -177,7 +178,7 @@ func Test_setupGitRun(t *testing.T) {
 			}
 
 			if tt.opts.Config == nil {
-				tt.opts.Config = func() (config.Config, error) {
+				tt.opts.Config = func() (gh.Config, error) {
 					return cfg, nil
 				}
 			}
@@ -201,7 +202,7 @@ func Test_setupGitRun(t *testing.T) {
 	}
 }
 
-func login(t *testing.T, c config.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
+func login(t *testing.T, c gh.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
 	t.Helper()
 	_, err := c.Authentication().Login(hostname, username, token, gitProtocol, secureStorage)
 	require.NoError(t, err)
diff --git a/pkg/cmd/auth/shared/writeable.go b/pkg/cmd/auth/shared/writeable.go
index e5ae9146942..381c7e02a66 100644
--- a/pkg/cmd/auth/shared/writeable.go
+++ b/pkg/cmd/auth/shared/writeable.go
@@ -3,10 +3,10 @@ package shared
 import (
 	"strings"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 )
 
-func AuthTokenWriteable(authCfg *config.AuthConfig, hostname string) (string, bool) {
+func AuthTokenWriteable(authCfg gh.AuthConfig, hostname string) (string, bool) {
 	token, src := authCfg.ActiveToken(hostname)
 	return src, (token == "" || !strings.HasSuffix(src, "_TOKEN"))
 }
diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index b6ae21cb68d..deb5ca6a13d 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -12,6 +12,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -124,7 +125,7 @@ func (e Entries) Strings(cs *iostreams.ColorScheme) []string {
 type StatusOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 
 	Hostname  string
 	ShowToken bool
diff --git a/pkg/cmd/auth/status/status_test.go b/pkg/cmd/auth/status/status_test.go
index a96b36c5bf2..ce4897978da 100644
--- a/pkg/cmd/auth/status/status_test.go
+++ b/pkg/cmd/auth/status/status_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -80,7 +81,7 @@ func Test_statusRun(t *testing.T) {
 		opts       StatusOptions
 		env        map[string]string
 		httpStubs  func(*httpmock.Registry)
-		cfgStubs   func(*testing.T, config.Config)
+		cfgStubs   func(*testing.T, gh.Config)
 		wantErr    error
 		wantOut    string
 		wantErrOut string
@@ -90,7 +91,7 @@ func Test_statusRun(t *testing.T) {
 			opts: StatusOptions{
 				Hostname: "github.com",
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "abc123", "https")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -110,7 +111,7 @@ func Test_statusRun(t *testing.T) {
 			opts: StatusOptions{
 				Hostname: "ghe.io",
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "https")
 			},
@@ -130,7 +131,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "missing scope",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "https")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -151,7 +152,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "bad token",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "https")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -170,7 +171,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "all good",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "ssh")
 			},
@@ -204,7 +205,7 @@ func Test_statusRun(t *testing.T) {
 			name:     "token from env",
 			opts:     StatusOptions{},
 			env:      map[string]string{"GH_TOKEN": "gho_abc123"},
-			cfgStubs: func(t *testing.T, c config.Config) {},
+			cfgStubs: func(t *testing.T, c gh.Config) {},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(
 					httpmock.REST("GET", ""),
@@ -225,7 +226,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "server-to-server token",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "ghs_abc123", "https")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -245,7 +246,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "PAT V2 token",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "github_pat_abc123", "https")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -267,7 +268,7 @@ func Test_statusRun(t *testing.T) {
 			opts: StatusOptions{
 				ShowToken: true,
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_xyz456", "https")
 			},
@@ -298,7 +299,7 @@ func Test_statusRun(t *testing.T) {
 			opts: StatusOptions{
 				Hostname: "github.example.com",
 			},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "abc123", "https")
 			},
 			httpStubs:  func(reg *httpmock.Registry) {},
@@ -308,7 +309,7 @@ func Test_statusRun(t *testing.T) {
 		{
 			name: "multiple accounts on a host",
 			opts: StatusOptions{},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
 				login(t, c, "github.com", "monalisa-2", "gho_abc123", "https")
 			},
@@ -335,7 +336,7 @@ func Test_statusRun(t *testing.T) {
 			name: "multiple hosts with multiple accounts with environment tokens and with errors",
 			opts: StatusOptions{},
 			env:  map[string]string{"GH_ENTERPRISE_TOKEN": "gho_abc123"},
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				login(t, c, "github.com", "monalisa", "gho_def456", "https")
 				login(t, c, "github.com", "monalisa-2", "gho_ghi789", "https")
 				login(t, c, "ghe.io", "monalisa-ghe", "gho_xyz123", "ssh")
@@ -398,7 +399,7 @@ func Test_statusRun(t *testing.T) {
 			if tt.cfgStubs != nil {
 				tt.cfgStubs(t, cfg)
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -430,7 +431,7 @@ func Test_statusRun(t *testing.T) {
 	}
 }
 
-func login(t *testing.T, c config.Config, hostname, username, protocol, token string) {
+func login(t *testing.T, c gh.Config, hostname, username, protocol, token string) {
 	t.Helper()
 	_, err := c.Authentication().Login(hostname, username, protocol, token, false)
 	require.NoError(t, err)
diff --git a/pkg/cmd/auth/switch/switch.go b/pkg/cmd/auth/switch/switch.go
index a01017609ea..8822c407bc3 100644
--- a/pkg/cmd/auth/switch/switch.go
+++ b/pkg/cmd/auth/switch/switch.go
@@ -6,7 +6,7 @@ import (
 	"slices"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -15,7 +15,7 @@ import (
 
 type SwitchOptions struct {
 	IO       *iostreams.IOStreams
-	Config   func() (config.Config, error)
+	Config   func() (gh.Config, error)
 	Prompter shared.Prompt
 	Hostname string
 	Username string
diff --git a/pkg/cmd/auth/switch/switch_test.go b/pkg/cmd/auth/switch/switch_test.go
index efb69a56bdc..6ca77f44ca6 100644
--- a/pkg/cmd/auth/switch/switch_test.go
+++ b/pkg/cmd/auth/switch/switch_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/keyring"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -403,7 +404,7 @@ func TestSwitchRun(t *testing.T) {
 				}
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/auth/token/token.go b/pkg/cmd/auth/token/token.go
index 10a3019654b..9f4dcc1acad 100644
--- a/pkg/cmd/auth/token/token.go
+++ b/pkg/cmd/auth/token/token.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -12,7 +12,7 @@ import (
 
 type TokenOptions struct {
 	IO     *iostreams.IOStreams
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 
 	Hostname      string
 	Username      string
diff --git a/pkg/cmd/auth/token/token_test.go b/pkg/cmd/auth/token/token_test.go
index 995653fd148..1d731f2ed17 100644
--- a/pkg/cmd/auth/token/token_test.go
+++ b/pkg/cmd/auth/token/token_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -56,7 +57,7 @@ func TestNewCmdToken(t *testing.T) {
 			ios, _, _, _ := iostreams.Test()
 			f := &cmdutil.Factory{
 				IOStreams: ios,
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					cfg := config.NewBlankConfig()
 					return cfg, nil
 				},
@@ -96,7 +97,7 @@ func TestTokenRun(t *testing.T) {
 		name       string
 		opts       TokenOptions
 		env        map[string]string
-		cfgStubs   func(*testing.T, config.Config)
+		cfgStubs   func(*testing.T, gh.Config)
 		wantStdout string
 		wantErr    bool
 		wantErrMsg string
@@ -104,7 +105,7 @@ func TestTokenRun(t *testing.T) {
 		{
 			name: "token",
 			opts: TokenOptions{},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 			},
 			wantStdout: "gho_ABCDEFG\n",
@@ -114,7 +115,7 @@ func TestTokenRun(t *testing.T) {
 			opts: TokenOptions{
 				Hostname: "github.mycompany.com",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 				login(t, cfg, "github.mycompany.com", "test-user", "gho_1234567", "https", false)
 			},
@@ -138,7 +139,7 @@ func TestTokenRun(t *testing.T) {
 		{
 			name: "uses default host when one is not provided",
 			opts: TokenOptions{},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 				login(t, cfg, "github.mycompany.com", "test-user", "gho_1234567", "https", false)
 			},
@@ -151,7 +152,7 @@ func TestTokenRun(t *testing.T) {
 				Hostname: "github.com",
 				Username: "test-user",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", false)
 				login(t, cfg, "github.com", "test-user-2", "gho_1234567", "https", false)
 			},
@@ -173,7 +174,7 @@ func TestTokenRun(t *testing.T) {
 				tt.cfgStubs(t, cfg)
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -193,7 +194,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 	tests := []struct {
 		name       string
 		opts       TokenOptions
-		cfgStubs   func(*testing.T, config.Config)
+		cfgStubs   func(*testing.T, gh.Config)
 		wantStdout string
 		wantErr    bool
 		wantErrMsg string
@@ -201,7 +202,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 		{
 			name: "token",
 			opts: TokenOptions{},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", true)
 			},
 			wantStdout: "gho_ABCDEFG\n",
@@ -211,7 +212,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 			opts: TokenOptions{
 				Hostname: "mycompany.com",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "mycompany.com", "test-user", "gho_1234567", "https", true)
 			},
 			wantStdout: "gho_1234567\n",
@@ -237,7 +238,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 				Hostname: "github.com",
 				Username: "test-user",
 			},
-			cfgStubs: func(t *testing.T, cfg config.Config) {
+			cfgStubs: func(t *testing.T, cfg gh.Config) {
 				login(t, cfg, "github.com", "test-user", "gho_ABCDEFG", "https", true)
 				login(t, cfg, "github.com", "test-user-2", "gho_1234567", "https", true)
 			},
@@ -256,7 +257,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 				tt.cfgStubs(t, cfg)
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
@@ -272,7 +273,7 @@ func TestTokenRunSecureStorage(t *testing.T) {
 	}
 }
 
-func login(t *testing.T, c config.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
+func login(t *testing.T, c gh.Config, hostname, username, token, gitProtocol string, secureStorage bool) {
 	t.Helper()
 	_, err := c.Authentication().Login(hostname, username, token, gitProtocol, secureStorage)
 	require.NoError(t, err)
diff --git a/pkg/cmd/config/get/get.go b/pkg/cmd/config/get/get.go
index b65cf6bd360..e714c6a646b 100644
--- a/pkg/cmd/config/get/get.go
+++ b/pkg/cmd/config/get/get.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -13,7 +13,7 @@ import (
 
 type GetOptions struct {
 	IO     *iostreams.IOStreams
-	Config config.Config
+	Config gh.Config
 
 	Hostname string
 	Key      string
diff --git a/pkg/cmd/config/get/get_test.go b/pkg/cmd/config/get/get_test.go
index baebb584af7..40eca49e591 100644
--- a/pkg/cmd/config/get/get_test.go
+++ b/pkg/cmd/config/get/get_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -41,7 +42,7 @@ func TestNewCmdConfigGet(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			f := &cmdutil.Factory{
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 			}
@@ -86,7 +87,7 @@ func Test_getRun(t *testing.T) {
 			name: "get key",
 			input: &GetOptions{
 				Key: "editor",
-				Config: func() config.Config {
+				Config: func() gh.Config {
 					cfg := config.NewBlankConfig()
 					cfg.Set("", "editor", "ed")
 					return cfg
@@ -99,7 +100,7 @@ func Test_getRun(t *testing.T) {
 			input: &GetOptions{
 				Hostname: "github.com",
 				Key:      "editor",
-				Config: func() config.Config {
+				Config: func() gh.Config {
 					cfg := config.NewBlankConfig()
 					cfg.Set("", "editor", "ed")
 					cfg.Set("github.com", "editor", "vim")
diff --git a/pkg/cmd/config/list/list.go b/pkg/cmd/config/list/list.go
index 2faed3f1590..da270713477 100644
--- a/pkg/cmd/config/list/list.go
+++ b/pkg/cmd/config/list/list.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -11,7 +12,7 @@ import (
 
 type ListOptions struct {
 	IO     *iostreams.IOStreams
-	Config func() (config.Config, error)
+	Config func() (gh.Config, error)
 
 	Hostname string
 }
diff --git a/pkg/cmd/config/list/list_test.go b/pkg/cmd/config/list/list_test.go
index 94597941487..32088b32487 100644
--- a/pkg/cmd/config/list/list_test.go
+++ b/pkg/cmd/config/list/list_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -35,7 +36,7 @@ func TestNewCmdConfigList(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			f := &cmdutil.Factory{
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 			}
@@ -71,13 +72,13 @@ func Test_listRun(t *testing.T) {
 	tests := []struct {
 		name    string
 		input   *ListOptions
-		config  config.Config
+		config  gh.Config
 		stdout  string
 		wantErr bool
 	}{
 		{
 			name: "list",
-			config: func() config.Config {
+			config: func() gh.Config {
 				cfg := config.NewBlankConfig()
 				cfg.Set("HOST", "git_protocol", "ssh")
 				cfg.Set("HOST", "editor", "/usr/bin/vim")
@@ -101,7 +102,7 @@ browser=brave
 	for _, tt := range tests {
 		ios, _, stdout, _ := iostreams.Test()
 		tt.input.IO = ios
-		tt.input.Config = func() (config.Config, error) {
+		tt.input.Config = func() (gh.Config, error) {
 			return tt.config, nil
 		}
 
diff --git a/pkg/cmd/config/set/set.go b/pkg/cmd/config/set/set.go
index e99bfb17cc2..dedbd004471 100644
--- a/pkg/cmd/config/set/set.go
+++ b/pkg/cmd/config/set/set.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -14,7 +15,7 @@ import (
 
 type SetOptions struct {
 	IO     *iostreams.IOStreams
-	Config config.Config
+	Config gh.Config
 
 	Key      string
 	Value    string
diff --git a/pkg/cmd/config/set/set_test.go b/pkg/cmd/config/set/set_test.go
index 2e26fd0447a..532d78f6213 100644
--- a/pkg/cmd/config/set/set_test.go
+++ b/pkg/cmd/config/set/set_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
@@ -49,7 +50,7 @@ func TestNewCmdConfigSet(t *testing.T) {
 			_ = config.StubWriteConfig(t)
 
 			f := &cmdutil.Factory{
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 			}
diff --git a/pkg/cmd/extension/browse/browse.go b/pkg/cmd/extension/browse/browse.go
index 47b3ea8b20d..21d254956f7 100644
--- a/pkg/cmd/extension/browse/browse.go
+++ b/pkg/cmd/extension/browse/browse.go
@@ -13,7 +13,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/charmbracelet/glamour"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/extensions"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -33,7 +33,7 @@ type ExtBrowseOpts struct {
 	Em           extensions.ExtensionManager
 	Client       *http.Client
 	Logger       *log.Logger
-	Cfg          config.Config
+	Cfg          gh.Config
 	Rg           *readmeGetter
 	Debug        bool
 	SingleColumn bool
diff --git a/pkg/cmd/extension/browse/browse_test.go b/pkg/cmd/extension/browse/browse_test.go
index 3c4ae87cab6..956ea0fc477 100644
--- a/pkg/cmd/extension/browse/browse_test.go
+++ b/pkg/cmd/extension/browse/browse_test.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/repo/view"
 	"github.com/cli/cli/v2/pkg/extensions"
@@ -76,7 +77,7 @@ func Test_getExtensionRepos(t *testing.T) {
 	}
 	cfg := config.NewBlankConfig()
 
-	cfg.AuthenticationFunc = func() *config.AuthConfig {
+	cfg.AuthenticationFunc = func() gh.AuthConfig {
 		authCfg := &config.AuthConfig{}
 		authCfg.SetDefaultHost("github.com", "")
 		return authCfg
diff --git a/pkg/cmd/extension/command_test.go b/pkg/cmd/extension/command_test.go
index 094fa330af9..a7e9d517104 100644
--- a/pkg/cmd/extension/command_test.go
+++ b/pkg/cmd/extension/command_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -888,7 +889,7 @@ func TestNewCmdExtension(t *testing.T) {
 			}
 
 			f := cmdutil.Factory{
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 				IOStreams:        ios,
diff --git a/pkg/cmd/extension/manager.go b/pkg/cmd/extension/manager.go
index a8d0db844b4..37d80573a94 100644
--- a/pkg/cmd/extension/manager.go
+++ b/pkg/cmd/extension/manager.go
@@ -17,6 +17,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/extensions"
 	"github.com/cli/cli/v2/pkg/findsh"
@@ -36,7 +37,7 @@ type Manager struct {
 	platform   func() (string, string)
 	client     *http.Client
 	gitClient  gitClient
-	config     config.Config
+	config     gh.Config
 	io         *iostreams.IOStreams
 	dryRunMode bool
 }
@@ -59,7 +60,7 @@ func NewManager(ios *iostreams.IOStreams, gc *git.Client) *Manager {
 	}
 }
 
-func (m *Manager) SetConfig(cfg config.Config) {
+func (m *Manager) SetConfig(cfg gh.Config) {
 	m.config = cfg
 }
 
diff --git a/pkg/cmd/factory/default.go b/pkg/cmd/factory/default.go
index dc5b37138e3..cb38c10feca 100644
--- a/pkg/cmd/factory/default.go
+++ b/pkg/cmd/factory/default.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/extension"
@@ -134,10 +135,10 @@ func newPrompter(f *cmdutil.Factory) prompter.Prompter {
 	return prompter.New(editor, io.In, io.Out, io.ErrOut)
 }
 
-func configFunc() func() (config.Config, error) {
-	var cachedConfig config.Config
+func configFunc() func() (gh.Config, error) {
+	var cachedConfig gh.Config
 	var configError error
-	return func() (config.Config, error) {
+	return func() (gh.Config, error) {
 		if cachedConfig != nil || configError != nil {
 			return cachedConfig, configError
 		}
diff --git a/pkg/cmd/factory/default_test.go b/pkg/cmd/factory/default_test.go
index efd2f77939f..94955bb30ec 100644
--- a/pkg/cmd/factory/default_test.go
+++ b/pkg/cmd/factory/default_test.go
@@ -9,6 +9,8 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -69,9 +71,9 @@ func Test_BaseRepo(t *testing.T) {
 				readRemotes: func() (git.RemoteSet, error) {
 					return tt.remotes, nil
 				},
-				getConfig: func() (config.Config, error) {
-					cfg := &config.ConfigMock{}
-					cfg.AuthenticationFunc = func() *config.AuthConfig {
+				getConfig: func() (gh.Config, error) {
+					cfg := &ghmock.ConfigMock{}
+					cfg.AuthenticationFunc = func() gh.AuthConfig {
 						authCfg := &config.AuthConfig{}
 						hosts := []string{"nonsense.com"}
 						if tt.override != "" {
@@ -207,9 +209,9 @@ func Test_SmartBaseRepo(t *testing.T) {
 				readRemotes: func() (git.RemoteSet, error) {
 					return tt.remotes, nil
 				},
-				getConfig: func() (config.Config, error) {
-					cfg := &config.ConfigMock{}
-					cfg.AuthenticationFunc = func() *config.AuthConfig {
+				getConfig: func() (gh.Config, error) {
+					cfg := &ghmock.ConfigMock{}
+					cfg.AuthenticationFunc = func() gh.AuthConfig {
 						authCfg := &config.AuthConfig{}
 						hosts := []string{"nonsense.com"}
 						if tt.override != "" {
@@ -256,7 +258,7 @@ func Test_OverrideBaseRepo(t *testing.T) {
 	tests := []struct {
 		name        string
 		remotes     git.RemoteSet
-		config      config.Config
+		config      gh.Config
 		envOverride string
 		argOverride string
 		wantsErr    bool
@@ -300,7 +302,7 @@ func Test_OverrideBaseRepo(t *testing.T) {
 				readRemotes: func() (git.RemoteSet, error) {
 					return tt.remotes, nil
 				},
-				getConfig: func() (config.Config, error) {
+				getConfig: func() (gh.Config, error) {
 					return tt.config, nil
 				},
 			}
@@ -323,7 +325,7 @@ func Test_ioStreams_pager(t *testing.T) {
 	tests := []struct {
 		name      string
 		env       map[string]string
-		config    config.Config
+		config    gh.Config
 		wantPager string
 	}{
 		{
@@ -374,7 +376,7 @@ func Test_ioStreams_pager(t *testing.T) {
 				}
 			}
 			f := New("1")
-			f.Config = func() (config.Config, error) {
+			f.Config = func() (gh.Config, error) {
 				if tt.config == nil {
 					return config.NewBlankConfig(), nil
 				} else {
@@ -390,7 +392,7 @@ func Test_ioStreams_pager(t *testing.T) {
 func Test_ioStreams_prompt(t *testing.T) {
 	tests := []struct {
 		name           string
-		config         config.Config
+		config         gh.Config
 		promptDisabled bool
 		env            map[string]string
 	}{
@@ -417,7 +419,7 @@ func Test_ioStreams_prompt(t *testing.T) {
 				}
 			}
 			f := New("1")
-			f.Config = func() (config.Config, error) {
+			f.Config = func() (gh.Config, error) {
 				if tt.config == nil {
 					return config.NewBlankConfig(), nil
 				} else {
@@ -458,7 +460,7 @@ func TestSSOURL(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			f := New("1")
-			f.Config = func() (config.Config, error) {
+			f.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			ios, _, _, stderr := iostreams.Test()
@@ -487,7 +489,7 @@ func TestSSOURL(t *testing.T) {
 func TestNewGitClient(t *testing.T) {
 	tests := []struct {
 		name          string
-		config        config.Config
+		config        gh.Config
 		executable    string
 		wantAuthHosts []string
 		wantGhPath    string
@@ -503,7 +505,7 @@ func TestNewGitClient(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			f := New("1")
-			f.Config = func() (config.Config, error) {
+			f.Config = func() (gh.Config, error) {
 				if tt.config == nil {
 					return config.NewBlankConfig(), nil
 				} else {
@@ -522,16 +524,16 @@ func TestNewGitClient(t *testing.T) {
 	}
 }
 
-func defaultConfig() *config.ConfigMock {
+func defaultConfig() *ghmock.ConfigMock {
 	cfg := config.NewFromString("")
 	cfg.Set("nonsense.com", "oauth_token", "BLAH")
 	return cfg
 }
 
-func pagerConfig() config.Config {
+func pagerConfig() gh.Config {
 	return config.NewFromString("pager: CONFIG_PAGER")
 }
 
-func disablePromptConfig() config.Config {
+func disablePromptConfig() gh.Config {
 	return config.NewFromString("prompt: disabled")
 }
diff --git a/pkg/cmd/factory/remote_resolver.go b/pkg/cmd/factory/remote_resolver.go
index 6ef7c5e02d6..7e27834e2de 100644
--- a/pkg/cmd/factory/remote_resolver.go
+++ b/pkg/cmd/factory/remote_resolver.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/pkg/set"
 	"github.com/cli/go-gh/v2/pkg/ssh"
@@ -19,7 +19,7 @@ const (
 
 type remoteResolver struct {
 	readRemotes   func() (git.RemoteSet, error)
-	getConfig     func() (config.Config, error)
+	getConfig     func() (gh.Config, error)
 	urlTranslator context.Translator
 }
 
diff --git a/pkg/cmd/factory/remote_resolver_test.go b/pkg/cmd/factory/remote_resolver_test.go
index 0b4447ca093..8d537826eff 100644
--- a/pkg/cmd/factory/remote_resolver_test.go
+++ b/pkg/cmd/factory/remote_resolver_test.go
@@ -6,6 +6,8 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
+	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -19,7 +21,7 @@ func Test_remoteResolver(t *testing.T) {
 	tests := []struct {
 		name     string
 		remotes  func() (git.RemoteSet, error)
-		config   config.Config
+		config   gh.Config
 		output   []string
 		wantsErr bool
 	}{
@@ -30,9 +32,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://github.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{})
 					authCfg.SetDefaultHost("github.com", "default")
@@ -47,9 +49,9 @@ func Test_remoteResolver(t *testing.T) {
 			remotes: func() (git.RemoteSet, error) {
 				return git.RemoteSet{}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("example.com", "hosts")
@@ -66,9 +68,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://test.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetActiveToken("", "")
@@ -86,9 +88,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://github.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("example.com", "hosts")
@@ -105,9 +107,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://example.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("example.com", "default")
@@ -127,9 +129,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("fork", "https://example.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("example.com", "default")
@@ -146,9 +148,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://test.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com", "github.com"})
 					authCfg.SetActiveToken("", "")
@@ -167,9 +169,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://example.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com", "github.com"})
 					authCfg.SetDefaultHost("github.com", "default")
@@ -190,9 +192,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("test", "https://test.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com", "github.com"})
 					authCfg.SetDefaultHost("github.com", "default")
@@ -209,9 +211,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://example.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("test.com", "GH_HOST")
@@ -229,9 +231,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://test.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com"})
 					authCfg.SetDefaultHost("test.com", "GH_HOST")
@@ -250,9 +252,9 @@ func Test_remoteResolver(t *testing.T) {
 					git.NewRemote("origin", "https://test.com/owner/repo.git"),
 				}, nil
 			},
-			config: func() config.Config {
-				cfg := &config.ConfigMock{}
-				cfg.AuthenticationFunc = func() *config.AuthConfig {
+			config: func() gh.Config {
+				cfg := &ghmock.ConfigMock{}
+				cfg.AuthenticationFunc = func() gh.AuthConfig {
 					authCfg := &config.AuthConfig{}
 					authCfg.SetHosts([]string{"example.com", "test.com"})
 					authCfg.SetDefaultHost("test.com", "GH_HOST")
@@ -268,7 +270,7 @@ func Test_remoteResolver(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			rr := &remoteResolver{
 				readRemotes:   tt.remotes,
-				getConfig:     func() (config.Config, error) { return tt.config, nil },
+				getConfig:     func() (gh.Config, error) { return tt.config, nil },
 				urlTranslator: identityTranslator{},
 			}
 			resolver := rr.Resolver()
diff --git a/pkg/cmd/gist/clone/clone.go b/pkg/cmd/gist/clone/clone.go
index f33ee13c678..0f50bce31b3 100644
--- a/pkg/cmd/gist/clone/clone.go
+++ b/pkg/cmd/gist/clone/clone.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -18,7 +18,7 @@ import (
 type CloneOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 
 	GitArgs   []string
diff --git a/pkg/cmd/gist/clone/clone_test.go b/pkg/cmd/gist/clone/clone_test.go
index 58ce55b52be..46ab53a0fd5 100644
--- a/pkg/cmd/gist/clone/clone_test.go
+++ b/pkg/cmd/gist/clone/clone_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -22,7 +23,7 @@ func runCloneCommand(httpClient *http.Client, cli string) (*test.CmdOut, error)
 		HttpClient: func() (*http.Client, error) {
 			return httpClient, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		GitClient: &git.Client{
diff --git a/pkg/cmd/gist/create/create.go b/pkg/cmd/gist/create/create.go
index ad293419f41..4403df9be79 100644
--- a/pkg/cmd/gist/create/create.go
+++ b/pkg/cmd/gist/create/create.go
@@ -16,7 +16,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
@@ -34,7 +34,7 @@ type CreateOptions struct {
 	FilenameOverride string
 	WebMode          bool
 
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	Browser    browser.Browser
 }
diff --git a/pkg/cmd/gist/create/create_test.go b/pkg/cmd/gist/create/create_test.go
index 2302b96ddce..40c89c0d8d1 100644
--- a/pkg/cmd/gist/create/create_test.go
+++ b/pkg/cmd/gist/create/create_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -331,7 +332,7 @@ func Test_createRun(t *testing.T) {
 		}
 		tt.opts.HttpClient = mockClient
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gist/delete/delete.go b/pkg/cmd/gist/delete/delete.go
index 22d27b65d08..0b5224c8a74 100644
--- a/pkg/cmd/gist/delete/delete.go
+++ b/pkg/cmd/gist/delete/delete.go
@@ -7,7 +7,7 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -16,7 +16,7 @@ import (
 
 type DeleteOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	Selector string
diff --git a/pkg/cmd/gist/delete/delete_test.go b/pkg/cmd/gist/delete/delete_test.go
index a6cde9ae0ff..00d9ab9618b 100644
--- a/pkg/cmd/gist/delete/delete_test.go
+++ b/pkg/cmd/gist/delete/delete_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -99,7 +100,7 @@ func Test_deleteRun(t *testing.T) {
 		tt.opts.HttpClient = func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 		ios, _, _, _ := iostreams.Test()
diff --git a/pkg/cmd/gist/edit/edit.go b/pkg/cmd/gist/edit/edit.go
index f2f04bd925e..d777e9581a0 100644
--- a/pkg/cmd/gist/edit/edit.go
+++ b/pkg/cmd/gist/edit/edit.go
@@ -13,7 +13,7 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -27,7 +27,7 @@ var editNextOptions = []string{"Edit another file", "Submit", "Cancel"}
 type EditOptions struct {
 	IO         *iostreams.IOStreams
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	Prompter   prompter.Prompter
 
 	Edit func(string, string, string, *iostreams.IOStreams) (string, error)
diff --git a/pkg/cmd/gist/edit/edit_test.go b/pkg/cmd/gist/edit/edit_test.go
index b57fa41cc25..11a32bc92fb 100644
--- a/pkg/cmd/gist/edit/edit_test.go
+++ b/pkg/cmd/gist/edit/edit_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -554,7 +555,7 @@ func Test_editRun(t *testing.T) {
 		tt.opts.IO = ios
 		tt.opts.Selector = "1234"
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gist/list/list.go b/pkg/cmd/gist/list/list.go
index ee9fb25396d..5d0e4715021 100644
--- a/pkg/cmd/gist/list/list.go
+++ b/pkg/cmd/gist/list/list.go
@@ -6,7 +6,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
@@ -17,7 +17,7 @@ import (
 
 type ListOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	Limit      int
diff --git a/pkg/cmd/gist/list/list_test.go b/pkg/cmd/gist/list/list_test.go
index 682ebe8dc97..a15bae6aa21 100644
--- a/pkg/cmd/gist/list/list_test.go
+++ b/pkg/cmd/gist/list/list_test.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -367,7 +368,7 @@ func Test_listRun(t *testing.T) {
 			return &http.Client{Transport: reg}, nil
 		}
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gist/rename/rename.go b/pkg/cmd/gist/rename/rename.go
index c23aca5794f..630e67019a3 100644
--- a/pkg/cmd/gist/rename/rename.go
+++ b/pkg/cmd/gist/rename/rename.go
@@ -10,7 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -19,7 +19,7 @@ import (
 
 type RenameOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	Selector    string
diff --git a/pkg/cmd/gist/rename/rename_test.go b/pkg/cmd/gist/rename/rename_test.go
index 5413d87c93d..e835cc8a72b 100644
--- a/pkg/cmd/gist/rename/rename_test.go
+++ b/pkg/cmd/gist/rename/rename_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -166,7 +167,7 @@ func TestRenameRun(t *testing.T) {
 		tt.opts.NewFileName = "new.txt"
 		tt.opts.IO = ios
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gist/view/view.go b/pkg/cmd/gist/view/view.go
index e4f5c84e1a4..2a19f595859 100644
--- a/pkg/cmd/gist/view/view.go
+++ b/pkg/cmd/gist/view/view.go
@@ -6,7 +6,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/text"
@@ -23,7 +23,7 @@ type browser interface {
 
 type ViewOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	Browser    browser
 	Prompter   prompter.Prompter
diff --git a/pkg/cmd/gist/view/view_test.go b/pkg/cmd/gist/view/view_test.go
index c571422c5e9..52e616f7cbb 100644
--- a/pkg/cmd/gist/view/view_test.go
+++ b/pkg/cmd/gist/view/view_test.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/gist/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -370,7 +371,7 @@ func Test_viewRun(t *testing.T) {
 			return &http.Client{Transport: reg}, nil
 		}
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gpg-key/add/add.go b/pkg/cmd/gpg-key/add/add.go
index 54482d0299e..35ee1273622 100644
--- a/pkg/cmd/gpg-key/add/add.go
+++ b/pkg/cmd/gpg-key/add/add.go
@@ -8,7 +8,7 @@ import (
 	"os"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -16,7 +16,7 @@ import (
 
 type AddOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HTTPClient func() (*http.Client, error)
 
 	KeyFile string
diff --git a/pkg/cmd/gpg-key/add/add_test.go b/pkg/cmd/gpg-key/add/add_test.go
index 3cce519cf81..c6d7c18fbe5 100644
--- a/pkg/cmd/gpg-key/add/add_test.go
+++ b/pkg/cmd/gpg-key/add/add_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/stretchr/testify/assert"
@@ -125,7 +126,7 @@ func Test_runAdd(t *testing.T) {
 		if tt.httpStubs != nil {
 			tt.httpStubs(reg)
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/gpg-key/delete/delete.go b/pkg/cmd/gpg-key/delete/delete.go
index f86957bdb4f..d0fb5c0d69c 100644
--- a/pkg/cmd/gpg-key/delete/delete.go
+++ b/pkg/cmd/gpg-key/delete/delete.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 	"strconv"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -14,7 +14,7 @@ import (
 
 type DeleteOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	KeyID     string
diff --git a/pkg/cmd/gpg-key/delete/delete_test.go b/pkg/cmd/gpg-key/delete/delete_test.go
index c9c29aa3c5d..115e72db239 100644
--- a/pkg/cmd/gpg-key/delete/delete_test.go
+++ b/pkg/cmd/gpg-key/delete/delete_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -201,7 +202,7 @@ func Test_deleteRun(t *testing.T) {
 		tt.opts.HttpClient = func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 		ios, _, stdout, _ := iostreams.Test()
diff --git a/pkg/cmd/gpg-key/list/list.go b/pkg/cmd/gpg-key/list/list.go
index 4c594c584a7..9acf1d7b6df 100644
--- a/pkg/cmd/gpg-key/list/list.go
+++ b/pkg/cmd/gpg-key/list/list.go
@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -15,7 +15,7 @@ import (
 
 type ListOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HTTPClient func() (*http.Client, error)
 }
 
diff --git a/pkg/cmd/gpg-key/list/list_test.go b/pkg/cmd/gpg-key/list/list_test.go
index de702498c34..daf8c991d2c 100644
--- a/pkg/cmd/gpg-key/list/list_test.go
+++ b/pkg/cmd/gpg-key/list/list_test.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/stretchr/testify/assert"
@@ -130,7 +131,7 @@ func Test_listRun(t *testing.T) {
 			ios.SetStderrTTY(tt.isTTY)
 			opts := tt.opts
 			opts.IO = ios
-			opts.Config = func() (config.Config, error) { return config.NewBlankConfig(), nil }
+			opts.Config = func() (gh.Config, error) { return config.NewBlankConfig(), nil }
 			err := listRun(&opts)
 			if tt.wantErr {
 				assert.Error(t, err)
diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 9aa0fffa839..c359df2a029 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -8,7 +8,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	prShared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -19,7 +19,7 @@ import (
 
 type CreateOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Browser    browser.Browser
diff --git a/pkg/cmd/issue/create/create_test.go b/pkg/cmd/issue/create/create_test.go
index dcc4c7618e6..c70507327f0 100644
--- a/pkg/cmd/issue/create/create_test.go
+++ b/pkg/cmd/issue/create/create_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
@@ -364,7 +365,7 @@ func runCommandWithRootDirOverridden(rt http.RoundTripper, isTTY bool, cli strin
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/delete/delete.go b/pkg/cmd/issue/delete/delete.go
index 71c39da7466..a70c6abb2a2 100644
--- a/pkg/cmd/issue/delete/delete.go
+++ b/pkg/cmd/issue/delete/delete.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -16,7 +16,7 @@ import (
 
 type DeleteOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Prompter   iprompter
diff --git a/pkg/cmd/issue/delete/delete_test.go b/pkg/cmd/issue/delete/delete_test.go
index 2873262686d..bd83c826f01 100644
--- a/pkg/cmd/issue/delete/delete_test.go
+++ b/pkg/cmd/issue/delete/delete_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -31,7 +32,7 @@ func runCommand(rt http.RoundTripper, pm *prompter.MockPrompter, isTTY bool, cli
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/list/list.go b/pkg/cmd/issue/list/list.go
index 20e77e14177..47da51ae415 100644
--- a/pkg/cmd/issue/list/list.go
+++ b/pkg/cmd/issue/list/list.go
@@ -10,8 +10,8 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
 	fd "github.com/cli/cli/v2/internal/featuredetection"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	issueShared "github.com/cli/cli/v2/pkg/cmd/issue/shared"
@@ -24,7 +24,7 @@ import (
 
 type ListOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Browser    browser.Browser
diff --git a/pkg/cmd/issue/list/list_test.go b/pkg/cmd/issue/list/list_test.go
index 5bed620c139..e45fc76e47b 100644
--- a/pkg/cmd/issue/list/list_test.go
+++ b/pkg/cmd/issue/list/list_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/run"
 	prShared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -34,7 +35,7 @@ func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, err
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/lock/lock.go b/pkg/cmd/issue/lock/lock.go
index d330407989f..4e0dac05815 100644
--- a/pkg/cmd/issue/lock/lock.go
+++ b/pkg/cmd/issue/lock/lock.go
@@ -17,7 +17,7 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	issueShared "github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -92,7 +92,7 @@ func fields() []string {
 
 type LockOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Prompter   iprompter
diff --git a/pkg/cmd/issue/pin/pin.go b/pkg/cmd/issue/pin/pin.go
index 17032eff743..dfb11a8811c 100644
--- a/pkg/cmd/issue/pin/pin.go
+++ b/pkg/cmd/issue/pin/pin.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -17,7 +17,7 @@ import (
 
 type PinOptions struct {
 	HttpClient  func() (*http.Client, error)
-	Config      func() (config.Config, error)
+	Config      func() (gh.Config, error)
 	IO          *iostreams.IOStreams
 	BaseRepo    func() (ghrepo.Interface, error)
 	SelectorArg string
diff --git a/pkg/cmd/issue/pin/pin_test.go b/pkg/cmd/issue/pin/pin_test.go
index b5c49622f3f..d4979a30dcb 100644
--- a/pkg/cmd/issue/pin/pin_test.go
+++ b/pkg/cmd/issue/pin/pin_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -139,7 +140,7 @@ func TestPinRun(t *testing.T) {
 		ios.SetStdoutTTY(tt.tty)
 		tt.opts.IO = ios
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/issue/reopen/reopen.go b/pkg/cmd/issue/reopen/reopen.go
index 1a011a5f55b..92f18a7d979 100644
--- a/pkg/cmd/issue/reopen/reopen.go
+++ b/pkg/cmd/issue/reopen/reopen.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	prShared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -17,7 +17,7 @@ import (
 
 type ReopenOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 
diff --git a/pkg/cmd/issue/reopen/reopen_test.go b/pkg/cmd/issue/reopen/reopen_test.go
index ceb3265f8a9..4b8b33ee1a6 100644
--- a/pkg/cmd/issue/reopen/reopen_test.go
+++ b/pkg/cmd/issue/reopen/reopen_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -28,7 +29,7 @@ func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, err
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/status/status.go b/pkg/cmd/issue/status/status.go
index c9db94c9847..a57cd7d9edf 100644
--- a/pkg/cmd/issue/status/status.go
+++ b/pkg/cmd/issue/status/status.go
@@ -6,7 +6,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	issueShared "github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	prShared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -17,7 +17,7 @@ import (
 
 type StatusOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 
diff --git a/pkg/cmd/issue/status/status_test.go b/pkg/cmd/issue/status/status_test.go
index 297b45c063f..6fddf3b0c4e 100644
--- a/pkg/cmd/issue/status/status_test.go
+++ b/pkg/cmd/issue/status/status_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -27,7 +28,7 @@ func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, err
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/transfer/transfer.go b/pkg/cmd/issue/transfer/transfer.go
index 8844e861f23..140d02b9194 100644
--- a/pkg/cmd/issue/transfer/transfer.go
+++ b/pkg/cmd/issue/transfer/transfer.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -16,7 +16,7 @@ import (
 
 type TransferOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 
diff --git a/pkg/cmd/issue/transfer/transfer_test.go b/pkg/cmd/issue/transfer/transfer_test.go
index 1f2f665e032..eed9c5d85c4 100644
--- a/pkg/cmd/issue/transfer/transfer_test.go
+++ b/pkg/cmd/issue/transfer/transfer_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -24,7 +25,7 @@ func runCommand(rt http.RoundTripper, cli string) (*test.CmdOut, error) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/issue/unpin/unpin.go b/pkg/cmd/issue/unpin/unpin.go
index 428f8cde93a..3ac28d47cf5 100644
--- a/pkg/cmd/issue/unpin/unpin.go
+++ b/pkg/cmd/issue/unpin/unpin.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/issue/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -17,7 +17,7 @@ import (
 
 type UnpinOptions struct {
 	HttpClient  func() (*http.Client, error)
-	Config      func() (config.Config, error)
+	Config      func() (gh.Config, error)
 	IO          *iostreams.IOStreams
 	BaseRepo    func() (ghrepo.Interface, error)
 	SelectorArg string
diff --git a/pkg/cmd/issue/unpin/unpin_test.go b/pkg/cmd/issue/unpin/unpin_test.go
index ad7bf7aef3d..70a018d946f 100644
--- a/pkg/cmd/issue/unpin/unpin_test.go
+++ b/pkg/cmd/issue/unpin/unpin_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -139,7 +140,7 @@ func TestUnpinRun(t *testing.T) {
 		ios.SetStdoutTTY(tt.tty)
 		tt.opts.IO = ios
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/issue/view/view_test.go b/pkg/cmd/issue/view/view_test.go
index f42895920ef..2f91ba13e64 100644
--- a/pkg/cmd/issue/view/view_test.go
+++ b/pkg/cmd/issue/view/view_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -31,7 +32,7 @@ func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, err
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/org/list/list.go b/pkg/cmd/org/list/list.go
index 888d76c74eb..0c2b96f782f 100644
--- a/pkg/cmd/org/list/list.go
+++ b/pkg/cmd/org/list/list.go
@@ -5,7 +5,7 @@ import (
 	"net/http"
 
 	"github.com/MakeNowJust/heredoc"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -14,7 +14,7 @@ import (
 
 type ListOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	Limit int
diff --git a/pkg/cmd/org/list/list_test.go b/pkg/cmd/org/list/list_test.go
index 8efc0a49e02..3f81419e8cf 100644
--- a/pkg/cmd/org/list/list_test.go
+++ b/pkg/cmd/org/list/list_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -95,7 +96,7 @@ func TestListRun(t *testing.T) {
 				r.Register(
 					httpmock.GraphQL(`query OrganizationList\b`),
 					httpmock.StringResponse(`
-						{ "data": { "user": {	
+						{ "data": { "user": {
 							"organizations": { "nodes": [], "totalCount": 0 }
 						} } }`,
 					),
@@ -224,7 +225,7 @@ cli
 			ios.SetStderrTTY(tt.isTTY)
 
 			tt.opts.IO = ios
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 
diff --git a/pkg/cmd/pr/checkout/checkout.go b/pkg/cmd/pr/checkout/checkout.go
index 269c8aaab4e..f47f579f2c7 100644
--- a/pkg/cmd/pr/checkout/checkout.go
+++ b/pkg/cmd/pr/checkout/checkout.go
@@ -9,7 +9,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	cliContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -20,7 +20,7 @@ import (
 type CheckoutOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	Remotes    func() (cliContext.Remotes, error)
 	Branch     func() (string, error)
diff --git a/pkg/cmd/pr/checkout/checkout_test.go b/pkg/cmd/pr/checkout/checkout_test.go
index cc9aed0f027..1eda5dda2d1 100644
--- a/pkg/cmd/pr/checkout/checkout_test.go
+++ b/pkg/cmd/pr/checkout/checkout_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -82,7 +83,7 @@ func Test_checkoutRun(t *testing.T) {
 					finder := shared.NewMockFinder("123", pr, baseRepo)
 					return finder
 				}(),
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 				Branch: func() (string, error) {
@@ -111,7 +112,7 @@ func Test_checkoutRun(t *testing.T) {
 					finder := shared.NewMockFinder("123", pr, baseRepo)
 					return finder
 				}(),
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 				Branch: func() (string, error) {
@@ -138,7 +139,7 @@ func Test_checkoutRun(t *testing.T) {
 					finder := shared.NewMockFinder("123", pr, baseRepo)
 					return finder
 				}(),
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 				Branch: func() (string, error) {
@@ -222,7 +223,7 @@ func runCommand(rt http.RoundTripper, remotes context.Remotes, branch string, cl
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Remotes: func() (context.Remotes, error) {
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index 38bc81a7211..54b6358ac59 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -18,7 +18,7 @@ import (
 	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -32,7 +32,7 @@ type CreateOptions struct {
 	// This struct stores user input and factory functions
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	Remotes    func() (ghContext.Remotes, error)
 	Branch     func() (string, error)
diff --git a/pkg/cmd/pr/create/create_test.go b/pkg/cmd/pr/create/create_test.go
index b7d0e46ae8e..3b64688c34d 100644
--- a/pkg/cmd/pr/create/create_test.go
+++ b/pkg/cmd/pr/create/create_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
@@ -1411,7 +1412,7 @@ func Test_createRun(t *testing.T) {
 			opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			opts.Config = func() (config.Config, error) {
+			opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			opts.Remotes = func() (context.Remotes, error) {
diff --git a/pkg/cmd/pr/edit/edit.go b/pkg/cmd/pr/edit/edit.go
index d0dbcfbc233..3f80aa80aa4 100644
--- a/pkg/cmd/pr/edit/edit.go
+++ b/pkg/cmd/pr/edit/edit.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	shared "github.com/cli/cli/v2/pkg/cmd/pr/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -309,7 +309,7 @@ type EditorRetriever interface {
 }
 
 type editorRetriever struct {
-	config func() (config.Config, error)
+	config func() (gh.Config, error)
 }
 
 func (e editorRetriever) Retrieve() (string, error) {
diff --git a/pkg/cmd/pr/merge/merge.go b/pkg/cmd/pr/merge/merge.go
index a2f16e4da6e..1e7deabcbf1 100644
--- a/pkg/cmd/pr/merge/merge.go
+++ b/pkg/cmd/pr/merge/merge.go
@@ -10,7 +10,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -680,7 +680,7 @@ func confirmSubmission(client *http.Client, opts *MergeOptions, action shared.Ac
 
 type userEditor struct {
 	io     *iostreams.IOStreams
-	config func() (config.Config, error)
+	config func() (gh.Config, error)
 }
 
 func (e *userEditor) Edit(filename, startingText string) (string, error) {
diff --git a/pkg/cmd/pr/review/review.go b/pkg/cmd/pr/review/review.go
index b1cc500c244..4fa973a8748 100644
--- a/pkg/cmd/pr/review/review.go
+++ b/pkg/cmd/pr/review/review.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -19,7 +19,7 @@ import (
 
 type ReviewOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	Prompter   prompter.Prompter
 
diff --git a/pkg/cmd/pr/review/review_test.go b/pkg/cmd/pr/review/review_test.go
index b27eb4f8a64..f9e00c3b8ee 100644
--- a/pkg/cmd/pr/review/review_test.go
+++ b/pkg/cmd/pr/review/review_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -176,7 +177,7 @@ func runCommand(rt http.RoundTripper, prompter prompter.Prompter, isTTY bool, cl
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Prompter: prompter,
diff --git a/pkg/cmd/pr/shared/commentable.go b/pkg/cmd/pr/shared/commentable.go
index 808960b2428..7a38286d2ee 100644
--- a/pkg/cmd/pr/shared/commentable.go
+++ b/pkg/cmd/pr/shared/commentable.go
@@ -8,7 +8,7 @@ import (
 	"net/http"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -206,7 +206,7 @@ func CommentableConfirmSubmitSurvey(p Prompt) func() (bool, error) {
 	}
 }
 
-func CommentableInteractiveEditSurvey(cf func() (config.Config, error), io *iostreams.IOStreams) func(string) (string, error) {
+func CommentableInteractiveEditSurvey(cf func() (gh.Config, error), io *iostreams.IOStreams) func(string) (string, error) {
 	return func(initialValue string) (string, error) {
 		editorCommand, err := cmdutil.DetermineEditor(cf)
 		if err != nil {
@@ -219,7 +219,7 @@ func CommentableInteractiveEditSurvey(cf func() (config.Config, error), io *iost
 	}
 }
 
-func CommentableEditSurvey(cf func() (config.Config, error), io *iostreams.IOStreams) func(string) (string, error) {
+func CommentableEditSurvey(cf func() (gh.Config, error), io *iostreams.IOStreams) func(string) (string, error) {
 	return func(initialValue string) (string, error) {
 		editorCommand, err := cmdutil.DetermineEditor(cf)
 		if err != nil {
diff --git a/pkg/cmd/pr/status/status.go b/pkg/cmd/pr/status/status.go
index bb7bb735d4a..2cd28f2edc6 100644
--- a/pkg/cmd/pr/status/status.go
+++ b/pkg/cmd/pr/status/status.go
@@ -13,8 +13,8 @@ import (
 	"github.com/cli/cli/v2/api"
 	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
 	fd "github.com/cli/cli/v2/internal/featuredetection"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/pr/shared"
@@ -26,7 +26,7 @@ import (
 type StatusOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Remotes    func() (ghContext.Remotes, error)
diff --git a/pkg/cmd/pr/status/status_test.go b/pkg/cmd/pr/status/status_test.go
index 3df04850344..e8e4875592d 100644
--- a/pkg/cmd/pr/status/status_test.go
+++ b/pkg/cmd/pr/status/status_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	fd "github.com/cli/cli/v2/internal/featuredetection"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -37,7 +38,7 @@ func runCommandWithDetector(rt http.RoundTripper, branch string, isTTY bool, cli
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/project/link/link.go b/pkg/cmd/project/link/link.go
index 56c7b5ebac6..1e334af8c7e 100644
--- a/pkg/cmd/project/link/link.go
+++ b/pkg/cmd/project/link/link.go
@@ -2,18 +2,19 @@ package link
 
 import (
 	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/client"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/queries"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
-	"net/http"
-	"strconv"
-	"strings"
 )
 
 type linkOpts struct {
@@ -30,7 +31,7 @@ type linkOpts struct {
 
 type linkConfig struct {
 	httpClient func() (*http.Client, error)
-	config     func() (config.Config, error)
+	config     func() (gh.Config, error)
 	client     *queries.Client
 	opts       linkOpts
 	io         *iostreams.IOStreams
diff --git a/pkg/cmd/project/link/link_test.go b/pkg/cmd/project/link/link_test.go
index cd9aa074ef7..23fcfb106bc 100644
--- a/pkg/cmd/project/link/link_test.go
+++ b/pkg/cmd/project/link/link_test.go
@@ -1,7 +1,11 @@
 package link
 
 import (
+	"net/http"
+	"testing"
+
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/queries"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -9,8 +13,6 @@ import (
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/h2non/gock.v1"
-	"net/http"
-	"testing"
 )
 
 func TestNewCmdLink(t *testing.T) {
@@ -277,7 +279,7 @@ func TestRunLink_Repo(t *testing.T) {
 		httpClient: func() (*http.Client, error) {
 			return http.DefaultClient, nil
 		},
-		config: func() (config.Config, error) {
+		config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		io: ios,
@@ -389,7 +391,7 @@ func TestRunLink_Team(t *testing.T) {
 		httpClient: func() (*http.Client, error) {
 			return http.DefaultClient, nil
 		},
-		config: func() (config.Config, error) {
+		config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		io: ios,
diff --git a/pkg/cmd/project/unlink/unlink.go b/pkg/cmd/project/unlink/unlink.go
index 87a5e585bf8..7a75db6d154 100644
--- a/pkg/cmd/project/unlink/unlink.go
+++ b/pkg/cmd/project/unlink/unlink.go
@@ -2,18 +2,19 @@ package unlink
 
 import (
 	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/client"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/queries"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
-	"net/http"
-	"strconv"
-	"strings"
 )
 
 type unlinkOpts struct {
@@ -30,7 +31,7 @@ type unlinkOpts struct {
 
 type unlinkConfig struct {
 	httpClient func() (*http.Client, error)
-	config     func() (config.Config, error)
+	config     func() (gh.Config, error)
 	client     *queries.Client
 	opts       unlinkOpts
 	io         *iostreams.IOStreams
diff --git a/pkg/cmd/project/unlink/unlink_test.go b/pkg/cmd/project/unlink/unlink_test.go
index 7735fbe0c36..0846d786aa1 100644
--- a/pkg/cmd/project/unlink/unlink_test.go
+++ b/pkg/cmd/project/unlink/unlink_test.go
@@ -1,7 +1,11 @@
 package unlink
 
 import (
+	"net/http"
+	"testing"
+
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/project/shared/queries"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -9,8 +13,6 @@ import (
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/h2non/gock.v1"
-	"net/http"
-	"testing"
 )
 
 func TestNewCmdUnlink(t *testing.T) {
@@ -277,7 +279,7 @@ func TestRunUnlink_Repo(t *testing.T) {
 		httpClient: func() (*http.Client, error) {
 			return http.DefaultClient, nil
 		},
-		config: func() (config.Config, error) {
+		config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		io: ios,
@@ -389,7 +391,7 @@ func TestRunUnlink_Team(t *testing.T) {
 		httpClient: func() (*http.Client, error) {
 			return http.DefaultClient, nil
 		},
-		config: func() (config.Config, error) {
+		config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		io: ios,
diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index f575a339a09..d702226dd2d 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/release/shared"
@@ -29,7 +29,7 @@ type iprompter interface {
 
 type CreateOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
 	BaseRepo   func() (ghrepo.Interface, error)
diff --git a/pkg/cmd/release/create/create_test.go b/pkg/cmd/release/create/create_test.go
index 6dccf9f200a..ed7d99c1e94 100644
--- a/pkg/cmd/release/create/create_test.go
+++ b/pkg/cmd/release/create/create_test.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
@@ -1694,7 +1695,7 @@ func Test_createRun_interactive(t *testing.T) {
 				return ghrepo.FromFullName("OWNER/REPO")
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 
diff --git a/pkg/cmd/repo/archive/archive.go b/pkg/cmd/repo/archive/archive.go
index dbf2d209e56..86e1a6df728 100644
--- a/pkg/cmd/repo/archive/archive.go
+++ b/pkg/cmd/repo/archive/archive.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -18,7 +18,7 @@ import (
 
 type ArchiveOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Confirmed  bool
 	IO         *iostreams.IOStreams
diff --git a/pkg/cmd/repo/clone/clone.go b/pkg/cmd/repo/clone/clone.go
index bb586410ae7..28001e6fe18 100644
--- a/pkg/cmd/repo/clone/clone.go
+++ b/pkg/cmd/repo/clone/clone.go
@@ -10,7 +10,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -21,7 +21,7 @@ import (
 type CloneOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 
 	GitArgs      []string
diff --git a/pkg/cmd/repo/clone/clone_test.go b/pkg/cmd/repo/clone/clone_test.go
index ebdc6351a79..471ed05ddc2 100644
--- a/pkg/cmd/repo/clone/clone_test.go
+++ b/pkg/cmd/repo/clone/clone_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -102,7 +103,7 @@ func runCloneCommand(httpClient *http.Client, cli string) (*test.CmdOut, error)
 		HttpClient: func() (*http.Client, error) {
 			return httpClient, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		GitClient: &git.Client{
diff --git a/pkg/cmd/repo/create/create.go b/pkg/cmd/repo/create/create.go
index a55d60746f2..af30f402970 100644
--- a/pkg/cmd/repo/create/create.go
+++ b/pkg/cmd/repo/create/create.go
@@ -17,7 +17,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/repo/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -38,7 +38,7 @@ type iprompter interface {
 type CreateOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	Prompter   iprompter
 	BackOff    backoff.BackOff
diff --git a/pkg/cmd/repo/create/create_test.go b/pkg/cmd/repo/create/create_test.go
index 4c84138e03e..e6576ebd067 100644
--- a/pkg/cmd/repo/create/create_test.go
+++ b/pkg/cmd/repo/create/create_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -831,7 +832,7 @@ func Test_createRun(t *testing.T) {
 		tt.opts.HttpClient = func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/repo/fork/fork.go b/pkg/cmd/repo/fork/fork.go
index fe59ab31f70..a5e9066b272 100644
--- a/pkg/cmd/repo/fork/fork.go
+++ b/pkg/cmd/repo/fork/fork.go
@@ -14,7 +14,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/repo/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -32,7 +32,7 @@ type iprompter interface {
 type ForkOptions struct {
 	HttpClient func() (*http.Client, error)
 	GitClient  *git.Client
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
 	Remotes    func() (ghContext.Remotes, error)
diff --git a/pkg/cmd/repo/fork/fork_test.go b/pkg/cmd/repo/fork/fork_test.go
index 7f37c0ae9c7..b1b62e11ad8 100644
--- a/pkg/cmd/repo/fork/fork_test.go
+++ b/pkg/cmd/repo/fork/fork_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
@@ -211,7 +212,7 @@ func TestRepoFork(t *testing.T) {
 		httpStubs   func(*httpmock.Registry)
 		execStubs   func(*run.CommandStubber)
 		promptStubs func(*prompter.MockPrompter)
-		cfgStubs    func(*testing.T, config.Config)
+		cfgStubs    func(*testing.T, gh.Config)
 		remotes     []*context.Remote
 		wantOut     string
 		wantErrOut  string
@@ -254,7 +255,7 @@ func TestRepoFork(t *testing.T) {
 					Repo: ghrepo.New("OWNER", "REPO"),
 				},
 			},
-			cfgStubs: func(_ *testing.T, c config.Config) {
+			cfgStubs: func(_ *testing.T, c gh.Config) {
 				c.Set("", "git_protocol", "")
 			},
 			httpStubs: forkPost,
@@ -735,7 +736,7 @@ func TestRepoFork(t *testing.T) {
 			if tt.cfgStubs != nil {
 				tt.cfgStubs(t, cfg)
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return cfg, nil
 			}
 
diff --git a/pkg/cmd/repo/garden/garden.go b/pkg/cmd/repo/garden/garden.go
index 1ae88deae88..d9342f9cb06 100644
--- a/pkg/cmd/repo/garden/garden.go
+++ b/pkg/cmd/repo/garden/garden.go
@@ -13,7 +13,7 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -90,7 +90,7 @@ type GardenOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
 	BaseRepo   func() (ghrepo.Interface, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 
 	RepoArg string
 }
diff --git a/pkg/cmd/repo/list/list.go b/pkg/cmd/repo/list/list.go
index e4814272345..2cee2c480f2 100644
--- a/pkg/cmd/repo/list/list.go
+++ b/pkg/cmd/repo/list/list.go
@@ -10,8 +10,8 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
 	fd "github.com/cli/cli/v2/internal/featuredetection"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -20,7 +20,7 @@ import (
 
 type ListOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	IO         *iostreams.IOStreams
 	Exporter   cmdutil.Exporter
 	Detector   fd.Detector
diff --git a/pkg/cmd/repo/list/list_test.go b/pkg/cmd/repo/list/list_test.go
index 1a209e04d93..bd51cadfc03 100644
--- a/pkg/cmd/repo/list/list_test.go
+++ b/pkg/cmd/repo/list/list_test.go
@@ -15,6 +15,7 @@ import (
 
 	"github.com/cli/cli/v2/internal/config"
 	fd "github.com/cli/cli/v2/internal/featuredetection"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -282,7 +283,7 @@ func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, err
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: rt}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 	}
@@ -325,7 +326,7 @@ func TestRepoList_nontty(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: httpReg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Now: func() time.Time {
@@ -366,7 +367,7 @@ func TestRepoList_tty(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: httpReg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Now: func() time.Time {
@@ -436,7 +437,7 @@ func TestRepoList_noVisibilityField(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Now: func() time.Time {
@@ -474,7 +475,7 @@ func TestRepoList_invalidOwner(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		Now: func() time.Time {
diff --git a/pkg/cmd/repo/rename/rename.go b/pkg/cmd/repo/rename/rename.go
index df56af951db..7a011b4e3ff 100644
--- a/pkg/cmd/repo/rename/rename.go
+++ b/pkg/cmd/repo/rename/rename.go
@@ -9,7 +9,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -26,7 +26,7 @@ type RenameOptions struct {
 	GitClient       *git.Client
 	IO              *iostreams.IOStreams
 	Prompter        iprompter
-	Config          func() (config.Config, error)
+	Config          func() (gh.Config, error)
 	BaseRepo        func() (ghrepo.Interface, error)
 	Remotes         func() (ghContext.Remotes, error)
 	DoConfirm       bool
diff --git a/pkg/cmd/repo/rename/rename_test.go b/pkg/cmd/repo/rename/rename_test.go
index 68499b2fa1f..da40e51b0b0 100644
--- a/pkg/cmd/repo/rename/rename_test.go
+++ b/pkg/cmd/repo/rename/rename_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
@@ -230,7 +231,7 @@ func TestRenameRun(t *testing.T) {
 			return repo, nil
 		}
 
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/repo/unarchive/unarchive.go b/pkg/cmd/repo/unarchive/unarchive.go
index 08108f21125..74d84a7798e 100644
--- a/pkg/cmd/repo/unarchive/unarchive.go
+++ b/pkg/cmd/repo/unarchive/unarchive.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -17,7 +17,7 @@ import (
 
 type UnarchiveOptions struct {
 	HttpClient func() (*http.Client, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Confirmed  bool
 	IO         *iostreams.IOStreams
diff --git a/pkg/cmd/repo/view/view.go b/pkg/cmd/repo/view/view.go
index 3351d9cd91c..136384152a8 100644
--- a/pkg/cmd/repo/view/view.go
+++ b/pkg/cmd/repo/view/view.go
@@ -11,7 +11,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -26,7 +26,7 @@ type ViewOptions struct {
 	BaseRepo   func() (ghrepo.Interface, error)
 	Browser    browser.Browser
 	Exporter   cmdutil.Exporter
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 
 	RepoArg string
 	Web     bool
diff --git a/pkg/cmd/repo/view/view_test.go b/pkg/cmd/repo/view/view_test.go
index 16b5257838a..a8361e9ef69 100644
--- a/pkg/cmd/repo/view/view_test.go
+++ b/pkg/cmd/repo/view/view_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/run"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -530,7 +531,7 @@ func Test_ViewRun_WithoutUsername(t *testing.T) {
 			return &http.Client{Transport: reg}, nil
 		},
 		IO: io,
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 	}
diff --git a/pkg/cmd/ruleset/check/check.go b/pkg/cmd/ruleset/check/check.go
index 7d82990c442..b56476d840c 100644
--- a/pkg/cmd/ruleset/check/check.go
+++ b/pkg/cmd/ruleset/check/check.go
@@ -10,7 +10,7 @@ import (
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/text"
 	"github.com/cli/cli/v2/pkg/cmd/ruleset/shared"
@@ -22,7 +22,7 @@ import (
 type CheckOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Git        *git.Client
 	Browser    browser.Browser
diff --git a/pkg/cmd/run/view/view_test.go b/pkg/cmd/run/view/view_test.go
index 38ae1be44ad..6e433186453 100644
--- a/pkg/cmd/run/view/view_test.go
+++ b/pkg/cmd/run/view/view_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/run/shared"
@@ -140,7 +141,7 @@ func TestNewCmdView(t *testing.T) {
 
 			f := &cmdutil.Factory{
 				IOStreams: ios,
-				Config: func() (config.Config, error) {
+				Config: func() (gh.Config, error) {
 					return config.NewBlankConfig(), nil
 				},
 			}
diff --git a/pkg/cmd/search/shared/shared_test.go b/pkg/cmd/search/shared/shared_test.go
index 9d977cc83b8..689459d399d 100644
--- a/pkg/cmd/search/shared/shared_test.go
+++ b/pkg/cmd/search/shared/shared_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/factory"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/search"
@@ -15,7 +16,7 @@ import (
 
 func TestSearcher(t *testing.T) {
 	f := factory.New("1")
-	f.Config = func() (config.Config, error) {
+	f.Config = func() (gh.Config, error) {
 		return config.NewBlankConfig(), nil
 	}
 	_, err := Searcher(f)
diff --git a/pkg/cmd/secret/delete/delete.go b/pkg/cmd/secret/delete/delete.go
index a86784ff243..9a299ce4fa1 100644
--- a/pkg/cmd/secret/delete/delete.go
+++ b/pkg/cmd/secret/delete/delete.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -17,7 +17,7 @@ import (
 type DeleteOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 
 	SecretName  string
diff --git a/pkg/cmd/secret/delete/delete_test.go b/pkg/cmd/secret/delete/delete_test.go
index 8474e90c0b2..9d2c078c7c3 100644
--- a/pkg/cmd/secret/delete/delete_test.go
+++ b/pkg/cmd/secret/delete/delete_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -162,7 +163,7 @@ func Test_removeRun_repo(t *testing.T) {
 		tt.opts.HttpClient = func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 		tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
@@ -190,7 +191,7 @@ func Test_removeRun_env(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
@@ -247,7 +248,7 @@ func Test_removeRun_org(t *testing.T) {
 
 			ios, _, _, _ := iostreams.Test()
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
@@ -281,7 +282,7 @@ func Test_removeRun_user(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		SecretName:  "cool_secret",
diff --git a/pkg/cmd/secret/list/list.go b/pkg/cmd/secret/list/list.go
index 0d2e6f3f1e4..9e1fd305d04 100644
--- a/pkg/cmd/secret/list/list.go
+++ b/pkg/cmd/secret/list/list.go
@@ -9,7 +9,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
@@ -21,7 +21,7 @@ import (
 type ListOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Now        func() time.Time
 	Exporter   cmdutil.Exporter
@@ -138,7 +138,7 @@ func listRun(opts *ListOptions) error {
 	case shared.Environment:
 		secrets, err = getEnvSecrets(client, baseRepo, envName)
 	case shared.Organization, shared.User:
-		var cfg config.Config
+		var cfg gh.Config
 		var host string
 
 		cfg, err = opts.Config()
diff --git a/pkg/cmd/secret/list/list_test.go b/pkg/cmd/secret/list/list_test.go
index f52e153f0c4..2e7b1906531 100644
--- a/pkg/cmd/secret/list/list_test.go
+++ b/pkg/cmd/secret/list/list_test.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -418,7 +419,7 @@ func Test_listRun(t *testing.T) {
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.Now = func() time.Time {
@@ -611,7 +612,7 @@ func Test_listRun_populatesNumSelectedReposIfRequired(t *testing.T) {
 			opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			opts.Config = func() (config.Config, error) {
+			opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			opts.Now = func() time.Time {
diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index 1e66e38a99c..755bdda1f8b 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -25,7 +25,7 @@ import (
 type SetOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Prompter   iprompter
 
diff --git a/pkg/cmd/secret/set/set_test.go b/pkg/cmd/secret/set/set_test.go
index 3b46e63f163..5c8d6f693d4 100644
--- a/pkg/cmd/secret/set/set_test.go
+++ b/pkg/cmd/secret/set/set_test.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
@@ -265,7 +266,7 @@ func Test_setRun_repo(t *testing.T) {
 				HttpClient: func() (*http.Client, error) {
 					return &http.Client{Transport: reg}, nil
 				},
-				Config: func() (config.Config, error) { return config.NewBlankConfig(), nil },
+				Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
 				BaseRepo: func() (ghrepo.Interface, error) {
 					return ghrepo.FromFullName("owner/repo")
 				},
@@ -306,7 +307,7 @@ func Test_setRun_env(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) { return config.NewBlankConfig(), nil },
+		Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
 		BaseRepo: func() (ghrepo.Interface, error) {
 			return ghrepo.FromFullName("owner/repo")
 		},
@@ -407,7 +408,7 @@ func Test_setRun_org(t *testing.T) {
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.IO = ios
@@ -489,7 +490,7 @@ func Test_setRun_user(t *testing.T) {
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.IO = ios
@@ -527,7 +528,7 @@ func Test_setRun_shouldNotStore(t *testing.T) {
 		HttpClient: func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		},
-		Config: func() (config.Config, error) {
+		Config: func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		},
 		BaseRepo: func() (ghrepo.Interface, error) {
diff --git a/pkg/cmd/ssh-key/add/add.go b/pkg/cmd/ssh-key/add/add.go
index 553c3598585..c620d438bfa 100644
--- a/pkg/cmd/ssh-key/add/add.go
+++ b/pkg/cmd/ssh-key/add/add.go
@@ -6,7 +6,7 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/ssh-key/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -15,7 +15,7 @@ import (
 
 type AddOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HTTPClient func() (*http.Client, error)
 
 	KeyFile string
diff --git a/pkg/cmd/ssh-key/add/add_test.go b/pkg/cmd/ssh-key/add/add_test.go
index 43222a6c44e..6d30b6d0d83 100644
--- a/pkg/cmd/ssh-key/add/add_test.go
+++ b/pkg/cmd/ssh-key/add/add_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/stretchr/testify/assert"
@@ -131,7 +132,7 @@ func Test_runAdd(t *testing.T) {
 		if tt.httpStubs != nil {
 			tt.httpStubs(reg)
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 
diff --git a/pkg/cmd/ssh-key/delete/delete.go b/pkg/cmd/ssh-key/delete/delete.go
index b6ed9f01429..670b47b3e07 100644
--- a/pkg/cmd/ssh-key/delete/delete.go
+++ b/pkg/cmd/ssh-key/delete/delete.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -13,7 +13,7 @@ import (
 
 type DeleteOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 
 	KeyID     string
diff --git a/pkg/cmd/ssh-key/delete/delete_test.go b/pkg/cmd/ssh-key/delete/delete_test.go
index 85e79de3a56..be2917c824f 100644
--- a/pkg/cmd/ssh-key/delete/delete_test.go
+++ b/pkg/cmd/ssh-key/delete/delete_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -187,7 +188,7 @@ func Test_deleteRun(t *testing.T) {
 		tt.opts.HttpClient = func() (*http.Client, error) {
 			return &http.Client{Transport: reg}, nil
 		}
-		tt.opts.Config = func() (config.Config, error) {
+		tt.opts.Config = func() (gh.Config, error) {
 			return config.NewBlankConfig(), nil
 		}
 		ios, _, stdout, _ := iostreams.Test()
diff --git a/pkg/cmd/ssh-key/list/list.go b/pkg/cmd/ssh-key/list/list.go
index f00075944bf..eebc82f908f 100644
--- a/pkg/cmd/ssh-key/list/list.go
+++ b/pkg/cmd/ssh-key/list/list.go
@@ -9,7 +9,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/pkg/cmd/ssh-key/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -19,7 +19,7 @@ import (
 
 type ListOptions struct {
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HTTPClient func() (*http.Client, error)
 }
 
diff --git a/pkg/cmd/ssh-key/list/list_test.go b/pkg/cmd/ssh-key/list/list_test.go
index ab28c34c37f..77ee26600af 100644
--- a/pkg/cmd/ssh-key/list/list_test.go
+++ b/pkg/cmd/ssh-key/list/list_test.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
 )
@@ -233,7 +234,7 @@ func TestListRun(t *testing.T) {
 
 			opts := tt.opts
 			opts.IO = ios
-			opts.Config = func() (config.Config, error) { return config.NewBlankConfig(), nil }
+			opts.Config = func() (gh.Config, error) { return config.NewBlankConfig(), nil }
 
 			err := listRun(&opts)
 			if (err != nil) != tt.wantErr {
diff --git a/pkg/cmd/status/status_test.go b/pkg/cmd/status/status_test.go
index d9fdd54bcf5..9be333de73d 100644
--- a/pkg/cmd/status/status_test.go
+++ b/pkg/cmd/status/status_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -59,7 +60,7 @@ func TestNewCmdStatus(t *testing.T) {
 
 		f := &cmdutil.Factory{
 			IOStreams: ios,
-			Config: func() (config.Config, error) {
+			Config: func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			},
 		}
diff --git a/pkg/cmd/variable/delete/delete.go b/pkg/cmd/variable/delete/delete.go
index 1c6ab72ee14..3617f318802 100644
--- a/pkg/cmd/variable/delete/delete.go
+++ b/pkg/cmd/variable/delete/delete.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -17,7 +17,7 @@ import (
 type DeleteOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 
 	VariableName string
diff --git a/pkg/cmd/variable/delete/delete_test.go b/pkg/cmd/variable/delete/delete_test.go
index a71e032c36b..e659f96a6c9 100644
--- a/pkg/cmd/variable/delete/delete_test.go
+++ b/pkg/cmd/variable/delete/delete_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
@@ -130,7 +131,7 @@ func TestRemoveRun(t *testing.T) {
 				return &http.Client{Transport: reg}, nil
 			}
 
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 
diff --git a/pkg/cmd/variable/list/list.go b/pkg/cmd/variable/list/list.go
index 6d82d51a2b4..1c29cfe2fcb 100644
--- a/pkg/cmd/variable/list/list.go
+++ b/pkg/cmd/variable/list/list.go
@@ -8,7 +8,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/tableprinter"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
@@ -20,7 +20,7 @@ import (
 type ListOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Now        func() time.Time
 
@@ -112,7 +112,7 @@ func listRun(opts *ListOptions) error {
 	case shared.Environment:
 		variables, err = getEnvVariables(client, baseRepo, envName)
 	case shared.Organization:
-		var cfg config.Config
+		var cfg gh.Config
 		var host string
 		cfg, err = opts.Config()
 		if err != nil {
diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index ed0eadf3805..0629bb2c76f 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -238,7 +239,7 @@ func Test_listRun(t *testing.T) {
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.Now = func() time.Time {
diff --git a/pkg/cmd/variable/set/set.go b/pkg/cmd/variable/set/set.go
index 95685e81b99..890c1e3fa1a 100644
--- a/pkg/cmd/variable/set/set.go
+++ b/pkg/cmd/variable/set/set.go
@@ -10,7 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -27,7 +27,7 @@ type iprompter interface {
 type SetOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Prompter   iprompter
 
diff --git a/pkg/cmd/variable/set/set_test.go b/pkg/cmd/variable/set/set_test.go
index 1395d0fce56..4e77d5900f9 100644
--- a/pkg/cmd/variable/set/set_test.go
+++ b/pkg/cmd/variable/set/set_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
@@ -210,7 +211,7 @@ func Test_setRun_repo(t *testing.T) {
 				HttpClient: func() (*http.Client, error) {
 					return &http.Client{Transport: reg}, nil
 				},
-				Config: func() (config.Config, error) { return config.NewBlankConfig(), nil },
+				Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
 				BaseRepo: func() (ghrepo.Interface, error) {
 					return ghrepo.FromFullName("owner/repo")
 				},
@@ -283,7 +284,7 @@ func Test_setRun_env(t *testing.T) {
 				HttpClient: func() (*http.Client, error) {
 					return &http.Client{Transport: reg}, nil
 				},
-				Config: func() (config.Config, error) { return config.NewBlankConfig(), nil },
+				Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
 				BaseRepo: func() (ghrepo.Interface, error) {
 					return ghrepo.FromFullName("owner/repo")
 				},
@@ -394,7 +395,7 @@ func Test_setRun_org(t *testing.T) {
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-			tt.opts.Config = func() (config.Config, error) {
+			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
 			tt.opts.IO = ios
diff --git a/pkg/cmdutil/auth_check.go b/pkg/cmdutil/auth_check.go
index fb269704f0b..d8a43176ac5 100644
--- a/pkg/cmdutil/auth_check.go
+++ b/pkg/cmdutil/auth_check.go
@@ -3,7 +3,7 @@ package cmdutil
 import (
 	"reflect"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -26,7 +26,7 @@ func DisableAuthCheckFlag(flag *pflag.Flag) {
 	flag.Annotations[skipAuthCheckAnnotation] = []string{"true"}
 }
 
-func CheckAuth(cfg config.Config) bool {
+func CheckAuth(cfg gh.Config) bool {
 	if cfg.Authentication().HasEnvToken() {
 		return true
 	}
diff --git a/pkg/cmdutil/auth_check_test.go b/pkg/cmdutil/auth_check_test.go
index 02d1fd775da..05eb0254a13 100644
--- a/pkg/cmdutil/auth_check_test.go
+++ b/pkg/cmdutil/auth_check_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/require"
 )
@@ -12,7 +13,7 @@ func Test_CheckAuth(t *testing.T) {
 	tests := []struct {
 		name     string
 		env      map[string]string
-		cfgStubs func(*testing.T, config.Config)
+		cfgStubs func(*testing.T, gh.Config)
 		expected bool
 	}{
 		{
@@ -26,7 +27,7 @@ func Test_CheckAuth(t *testing.T) {
 		},
 		{
 			name: "known host",
-			cfgStubs: func(t *testing.T, c config.Config) {
+			cfgStubs: func(t *testing.T, c gh.Config) {
 				_, err := c.Authentication().Login("github.com", "test-user", "test-token", "https", false)
 				require.NoError(t, err)
 			},
diff --git a/pkg/cmdutil/factory.go b/pkg/cmdutil/factory.go
index b48dceed35e..07ffbee64ad 100644
--- a/pkg/cmdutil/factory.go
+++ b/pkg/cmdutil/factory.go
@@ -9,7 +9,7 @@ import (
 	"github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/browser"
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/pkg/extensions"
@@ -28,7 +28,7 @@ type Factory struct {
 
 	BaseRepo   func() (ghrepo.Interface, error)
 	Branch     func() (string, error)
-	Config     func() (config.Config, error)
+	Config     func() (gh.Config, error)
 	HttpClient func() (*http.Client, error)
 	Remotes    func() (context.Remotes, error)
 }
diff --git a/pkg/cmdutil/legacy.go b/pkg/cmdutil/legacy.go
index 1f247d4e672..0cc9674e10a 100644
--- a/pkg/cmdutil/legacy.go
+++ b/pkg/cmdutil/legacy.go
@@ -4,12 +4,12 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
 )
 
 // TODO: consider passing via Factory
 // TODO: support per-hostname settings
-func DetermineEditor(cf func() (config.Config, error)) (string, error) {
+func DetermineEditor(cf func() (gh.Config, error)) (string, error) {
 	editorCommand := os.Getenv("GH_EDITOR")
 	if editorCommand == "" {
 		cfg, err := cf()

From 8a82e3a85631809ce17d4a45fb5cb845680b4518 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 13:23:08 +0200
Subject: [PATCH 042/253] Provide more type safety around config values

---
 internal/config/config.go      |  68 ++++++-----
 internal/config/config_test.go |  62 +++++-----
 internal/config/stub.go        |  26 ++---
 internal/gh/gh.go              |   5 +-
 internal/gh/mock/config.go     | 203 +++++++++++++++++----------------
 pkg/cmd/config/get/get.go      |  15 ++-
 pkg/cmd/config/get/get_test.go |  25 ++--
 pkg/cmd/config/list/list.go    |   9 +-
 pkg/cmd/config/set/set_test.go |   6 +-
 pkg/option/option.go           | 115 +++++++++++++++++++
 10 files changed, 331 insertions(+), 203 deletions(-)
 create mode 100644 pkg/option/option.go

diff --git a/internal/config/config.go b/internal/config/config.go
index ad451ee97b3..cf4d761c1ad 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/keyring"
+	o "github.com/cli/cli/v2/pkg/option"
 	ghAuth "github.com/cli/go-gh/v2/pkg/auth"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
@@ -41,28 +42,32 @@ type cfg struct {
 	cfg *ghConfig.Config
 }
 
-func (c *cfg) Get(hostname, key string) (string, error) {
+func (c *cfg) Get(hostname, key string) o.Option[string] {
 	if hostname != "" {
 		val, err := c.cfg.Get([]string{hostsKey, hostname, key})
 		if err == nil {
-			return val, err
+			return o.Some(val)
 		}
 	}
 
-	return c.cfg.Get([]string{key})
+	val, err := c.cfg.Get([]string{key})
+	if err == nil {
+		return o.Some(val)
+	}
+
+	return o.None[string]()
 }
 
-func (c *cfg) GetOrDefault(hostname, key string) (string, error) {
-	val, err := c.Get(hostname, key)
-	if err == nil {
-		return val, err
+func (c *cfg) GetOrDefault(hostname, key string) o.Option[string] {
+	if val := c.Get(hostname, key); val.IsSome() {
+		return val
 	}
 
-	if val, ok := defaultFor(key); ok {
-		return val, nil
+	if defaultVal := defaultFor(key); defaultVal.IsSome() {
+		return defaultVal
 	}
 
-	return val, err
+	return o.None[string]()
 }
 
 func (c *cfg) Set(hostname, key, value string) {
@@ -91,42 +96,43 @@ func (c *cfg) Authentication() gh.AuthConfig {
 }
 
 func (c *cfg) Browser(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, browserKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, browserKey).Unwrap()
 }
 
 func (c *cfg) Editor(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, editorKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, editorKey).Unwrap()
 }
 
 func (c *cfg) GitProtocol(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, gitProtocolKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, gitProtocolKey).Unwrap()
 }
 
 func (c *cfg) HTTPUnixSocket(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, httpUnixSocketKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, httpUnixSocketKey).Unwrap()
 }
 
 func (c *cfg) Pager(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, pagerKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, pagerKey).Unwrap()
 }
 
 func (c *cfg) Prompt(hostname string) string {
-	val, _ := c.GetOrDefault(hostname, promptKey)
-	return val
+	// Intentionally panic as this is a programmer error
+	return c.GetOrDefault(hostname, promptKey).Unwrap()
 }
 
-func (c *cfg) Version() string {
-	val, _ := c.GetOrDefault("", versionKey)
-	return val
+func (c *cfg) Version() o.Option[string] {
+	return c.Get("", versionKey)
 }
 
 func (c *cfg) Migrate(m gh.Migration) error {
-	version := c.Version()
+	// If there is no version entry we must never have applied a migration, and the following conditional logic
+	// handles the version as an empty string correctly.
+	version := c.Version().UnwrapOrZero()
 
 	// If migration has already occurred then do not attempt to migrate again.
 	if m.PostVersion() == version {
@@ -156,16 +162,16 @@ func (c *cfg) CacheDir() string {
 	return ghConfig.CacheDir()
 }
 
-func defaultFor(key string) (string, bool) {
+func defaultFor(key string) o.Option[string] {
 	for _, co := range ConfigOptions() {
 		if co.Key == key {
-			return co.DefaultValue, true
+			return o.Some(co.DefaultValue)
 		}
 	}
-	return "", false
+	return o.None[string]()
 }
 
-// AuthConfig is used for interacting with some persistent configuration for gh,
+// AuthConfig is used for interacting with o.Some persistent configuration for gh,
 // with knowledge on how to access encrypted storage when neccesarry.
 // Behavior is scoped to authentication specific tasks.
 type AuthConfig struct {
@@ -332,7 +338,7 @@ func (c *AuthConfig) SwitchUser(hostname, user string) error {
 	if err != nil {
 		// Given that activateUser can only fail before the config is written, or when writing the config
 		// we know for sure that the config has not been written. However, we still should restore it back
-		// to its previous clean state just in case something else tries to make use of the config, or tries
+		// to its previous clean state just in case o.Something else tries to make use of the config, or tries
 		// to write it again.
 		if previousSource == "keyring" {
 			if setErr := keyring.Set(keyringServiceName(hostname), "", previouslyActiveToken); setErr != nil {
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index f6832f4a4cc..3d13fb7d7d7 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -37,12 +37,10 @@ func TestGetNonExistentKey(t *testing.T) {
 	cfg := newTestConfig()
 
 	// When we get a key that has no value
-	val, err := cfg.Get("", "non-existent-key")
+	optionalVal := cfg.Get("", "non-existent-key")
 
-	// Then it returns an error and the value is empty
-	var keyNotFoundError *ghConfig.KeyNotFoundError
-	require.ErrorAs(t, err, &keyNotFoundError)
-	require.Empty(t, val)
+	// Then it returns a None variant
+	require.True(t, optionalVal.IsNone(), "expected there to be no value")
 }
 
 func TestGetNonExistentHostSpecificKey(t *testing.T) {
@@ -50,12 +48,10 @@ func TestGetNonExistentHostSpecificKey(t *testing.T) {
 	cfg := newTestConfig()
 
 	// When we get a key for a host that has no value
-	val, err := cfg.Get("non-existent-host", "non-existent-key")
+	optionalVal := cfg.Get("non-existent-host", "non-existent-key")
 
-	// Then it returns an error and the value is empty
-	var keyNotFoundError *ghConfig.KeyNotFoundError
-	require.ErrorAs(t, err, &keyNotFoundError)
-	require.Empty(t, val)
+	// Then it returns a None variant
+	require.True(t, optionalVal.IsNone(), "expected there to be no value")
 }
 
 func TestGetExistingTopLevelKey(t *testing.T) {
@@ -64,11 +60,11 @@ func TestGetExistingTopLevelKey(t *testing.T) {
 	cfg.Set("", "top-level-key", "top-level-value")
 
 	// When we get that key
-	val, err := cfg.Get("non-existent-host", "top-level-key")
+	optionalVal := cfg.Get("non-existent-host", "top-level-key")
 
-	// Then it returns successfully with the correct value
-	require.NoError(t, err)
-	require.Equal(t, "top-level-value", val)
+	// Then it returns a Some variant containing the correct value
+	require.True(t, optionalVal.IsSome(), "expected there to be a value")
+	require.Equal(t, "top-level-value", optionalVal.Unwrap())
 }
 
 func TestGetExistingHostSpecificKey(t *testing.T) {
@@ -77,11 +73,11 @@ func TestGetExistingHostSpecificKey(t *testing.T) {
 	cfg.Set("github.com", "host-specific-key", "host-specific-value")
 
 	// When we get that key
-	val, err := cfg.Get("github.com", "host-specific-key")
+	optionalVal := cfg.Get("github.com", "host-specific-key")
 
-	// Then it returns successfully with the correct value
-	require.NoError(t, err)
-	require.Equal(t, "host-specific-value", val)
+	// Then it returns a Some variant containing the correct value
+	require.True(t, optionalVal.IsSome(), "expected there to be a value")
+	require.Equal(t, "host-specific-value", optionalVal.Unwrap())
 }
 
 func TestGetHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
@@ -90,11 +86,11 @@ func TestGetHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
 	cfg.Set("", "key", "value")
 
 	// When we get that key on a specific host
-	val, err := cfg.Get("github.com", "key")
+	optionalVal := cfg.Get("github.com", "key")
 
-	// Then it returns successfully, falling back to the top level config
-	require.NoError(t, err)
-	require.Equal(t, "value", val)
+	// Then it returns a Some variant containing the correct value by falling back to the top level config
+	require.True(t, optionalVal.IsSome(), "expected there to be a value")
+	require.Equal(t, "value", optionalVal.Unwrap())
 }
 
 func TestGetOrDefaultApplicationDefaults(t *testing.T) {
@@ -116,11 +112,11 @@ func TestGetOrDefaultApplicationDefaults(t *testing.T) {
 			cfg := newTestConfig()
 
 			// When we get a key that has no value, but has a default
-			val, err := cfg.GetOrDefault("", tt.key)
+			optionalVal := cfg.GetOrDefault("", tt.key)
 
-			// Then it returns the default value
-			require.NoError(t, err)
-			require.Equal(t, tt.expectedDefault, val)
+			// Then there is an entry with the default value, and source set as default
+			require.True(t, optionalVal.IsSome(), "expected there to be a value")
+			require.Equal(t, tt.expectedDefault, optionalVal.Unwrap())
 		})
 	}
 }
@@ -131,12 +127,12 @@ func TestGetOrDefaultExistingKey(t *testing.T) {
 	cfg.Set("", gitProtocolKey, "ssh")
 
 	// When we get that key
-	val, err := cfg.GetOrDefault("", gitProtocolKey)
+	optionalVal := cfg.GetOrDefault("", gitProtocolKey)
 
 	// Then it returns successfully with the correct value, and doesn't fall back
 	// to the default
-	require.NoError(t, err)
-	require.Equal(t, "ssh", val)
+	require.True(t, optionalVal.IsSome(), "expected there to be a value")
+	require.Equal(t, "ssh", optionalVal.Unwrap())
 }
 
 func TestGetOrDefaultNotFoundAndNoDefault(t *testing.T) {
@@ -144,12 +140,10 @@ func TestGetOrDefaultNotFoundAndNoDefault(t *testing.T) {
 	cfg := newTestConfig()
 
 	// When we get a non-existent-key that has no default
-	val, err := cfg.GetOrDefault("", "non-existent-key")
+	optionalEntry := cfg.GetOrDefault("", "non-existent-key")
 
-	// Then it returns an error and the value is empty
-	var keyNotFoundError *ghConfig.KeyNotFoundError
-	require.ErrorAs(t, err, &keyNotFoundError)
-	require.Empty(t, val)
+	// Then it returns with no entry
+	require.False(t, optionalEntry.IsSome(), "expected the config to not contain a value")
 }
 
 func TestFallbackConfig(t *testing.T) {
diff --git a/internal/config/stub.go b/internal/config/stub.go
index d0500cfe4b7..ec088ed070f 100644
--- a/internal/config/stub.go
+++ b/internal/config/stub.go
@@ -9,6 +9,7 @@ import (
 	"github.com/cli/cli/v2/internal/gh"
 	ghmock "github.com/cli/cli/v2/internal/gh/mock"
 	"github.com/cli/cli/v2/internal/keyring"
+	o "github.com/cli/cli/v2/pkg/option"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
 
@@ -20,7 +21,7 @@ func NewFromString(cfgStr string) *ghmock.ConfigMock {
 	c := ghConfig.ReadFromString(cfgStr)
 	cfg := cfg{c}
 	mock := &ghmock.ConfigMock{}
-	mock.GetOrDefaultFunc = func(host, key string) (string, error) {
+	mock.GetOrDefaultFunc = func(host, key string) o.Option[string] {
 		return cfg.GetOrDefault(host, key)
 	}
 	mock.SetFunc = func(host, key, value string) {
@@ -52,32 +53,25 @@ func NewFromString(cfgStr string) *ghmock.ConfigMock {
 		}
 	}
 	mock.BrowserFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, browserKey)
-		return val
+		return cfg.Browser(hostname)
 	}
 	mock.EditorFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, editorKey)
-		return val
+		return cfg.Editor(hostname)
 	}
 	mock.GitProtocolFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, gitProtocolKey)
-		return val
+		return cfg.GitProtocol(hostname)
 	}
 	mock.HTTPUnixSocketFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, httpUnixSocketKey)
-		return val
+		return cfg.HTTPUnixSocket(hostname)
 	}
 	mock.PagerFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, pagerKey)
-		return val
+		return cfg.Pager(hostname)
 	}
 	mock.PromptFunc = func(hostname string) string {
-		val, _ := cfg.GetOrDefault(hostname, promptKey)
-		return val
+		return cfg.Prompt(hostname)
 	}
-	mock.VersionFunc = func() string {
-		val, _ := cfg.GetOrDefault("", versionKey)
-		return val
+	mock.VersionFunc = func() o.Option[string] {
+		return cfg.Version()
 	}
 	mock.CacheDirFunc = func() string {
 		return cfg.CacheDir()
diff --git a/internal/gh/gh.go b/internal/gh/gh.go
index 6e3094ea129..5abde3af734 100644
--- a/internal/gh/gh.go
+++ b/internal/gh/gh.go
@@ -10,6 +10,7 @@
 package gh
 
 import (
+	o "github.com/cli/cli/v2/pkg/option"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
 
@@ -18,7 +19,7 @@ import (
 //go:generate moq -rm -pkg ghmock -out mock/config.go . Config
 type Config interface {
 	// GetOrDefault provides primitive access for fetching configuration values, optionally scoped by host.
-	GetOrDefault(hostname string, key string) (string, error)
+	GetOrDefault(hostname string, key string) o.Option[string]
 	// Set provides primitive access for setting configuration values, optionally scoped by host.
 	Set(hostname string, key string, value string)
 
@@ -48,7 +49,7 @@ type Config interface {
 	Migrate(Migration) error
 
 	// Version returns the current schema version of the configuration.
-	Version() string
+	Version() o.Option[string]
 
 	// Write persists modifications to the configuration.
 	Write() error
diff --git a/internal/gh/mock/config.go b/internal/gh/mock/config.go
index 736c8c26265..18d9e0cbc54 100644
--- a/internal/gh/mock/config.go
+++ b/internal/gh/mock/config.go
@@ -5,6 +5,7 @@ package ghmock
 
 import (
 	"github.com/cli/cli/v2/internal/gh"
+	o "github.com/cli/cli/v2/pkg/option"
 	"sync"
 )
 
@@ -24,37 +25,37 @@ var _ gh.Config = &ConfigMock{}
 //			AuthenticationFunc: func() gh.AuthConfig {
 //				panic("mock out the Authentication method")
 //			},
-//			BrowserFunc: func(s string) string {
+//			BrowserFunc: func(hostname string) string {
 //				panic("mock out the Browser method")
 //			},
 //			CacheDirFunc: func() string {
 //				panic("mock out the CacheDir method")
 //			},
-//			EditorFunc: func(s string) string {
+//			EditorFunc: func(hostname string) string {
 //				panic("mock out the Editor method")
 //			},
-//			GetOrDefaultFunc: func(s1 string, s2 string) (string, error) {
+//			GetOrDefaultFunc: func(hostname string, key string) o.Option[string] {
 //				panic("mock out the GetOrDefault method")
 //			},
-//			GitProtocolFunc: func(s string) string {
+//			GitProtocolFunc: func(hostname string) string {
 //				panic("mock out the GitProtocol method")
 //			},
-//			HTTPUnixSocketFunc: func(s string) string {
+//			HTTPUnixSocketFunc: func(hostname string) string {
 //				panic("mock out the HTTPUnixSocket method")
 //			},
 //			MigrateFunc: func(migration gh.Migration) error {
 //				panic("mock out the Migrate method")
 //			},
-//			PagerFunc: func(s string) string {
+//			PagerFunc: func(hostname string) string {
 //				panic("mock out the Pager method")
 //			},
-//			PromptFunc: func(s string) string {
+//			PromptFunc: func(hostname string) string {
 //				panic("mock out the Prompt method")
 //			},
-//			SetFunc: func(s1 string, s2 string, s3 string)  {
+//			SetFunc: func(hostname string, key string, value string)  {
 //				panic("mock out the Set method")
 //			},
-//			VersionFunc: func() string {
+//			VersionFunc: func() o.Option[string] {
 //				panic("mock out the Version method")
 //			},
 //			WriteFunc: func() error {
@@ -74,37 +75,37 @@ type ConfigMock struct {
 	AuthenticationFunc func() gh.AuthConfig
 
 	// BrowserFunc mocks the Browser method.
-	BrowserFunc func(s string) string
+	BrowserFunc func(hostname string) string
 
 	// CacheDirFunc mocks the CacheDir method.
 	CacheDirFunc func() string
 
 	// EditorFunc mocks the Editor method.
-	EditorFunc func(s string) string
+	EditorFunc func(hostname string) string
 
 	// GetOrDefaultFunc mocks the GetOrDefault method.
-	GetOrDefaultFunc func(s1 string, s2 string) (string, error)
+	GetOrDefaultFunc func(hostname string, key string) o.Option[string]
 
 	// GitProtocolFunc mocks the GitProtocol method.
-	GitProtocolFunc func(s string) string
+	GitProtocolFunc func(hostname string) string
 
 	// HTTPUnixSocketFunc mocks the HTTPUnixSocket method.
-	HTTPUnixSocketFunc func(s string) string
+	HTTPUnixSocketFunc func(hostname string) string
 
 	// MigrateFunc mocks the Migrate method.
 	MigrateFunc func(migration gh.Migration) error
 
 	// PagerFunc mocks the Pager method.
-	PagerFunc func(s string) string
+	PagerFunc func(hostname string) string
 
 	// PromptFunc mocks the Prompt method.
-	PromptFunc func(s string) string
+	PromptFunc func(hostname string) string
 
 	// SetFunc mocks the Set method.
-	SetFunc func(s1 string, s2 string, s3 string)
+	SetFunc func(hostname string, key string, value string)
 
 	// VersionFunc mocks the Version method.
-	VersionFunc func() string
+	VersionFunc func() o.Option[string]
 
 	// WriteFunc mocks the Write method.
 	WriteFunc func() error
@@ -119,33 +120,33 @@ type ConfigMock struct {
 		}
 		// Browser holds details about calls to the Browser method.
 		Browser []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// CacheDir holds details about calls to the CacheDir method.
 		CacheDir []struct {
 		}
 		// Editor holds details about calls to the Editor method.
 		Editor []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// GetOrDefault holds details about calls to the GetOrDefault method.
 		GetOrDefault []struct {
-			// S1 is the s1 argument value.
-			S1 string
-			// S2 is the s2 argument value.
-			S2 string
+			// Hostname is the hostname argument value.
+			Hostname string
+			// Key is the key argument value.
+			Key string
 		}
 		// GitProtocol holds details about calls to the GitProtocol method.
 		GitProtocol []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// HTTPUnixSocket holds details about calls to the HTTPUnixSocket method.
 		HTTPUnixSocket []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// Migrate holds details about calls to the Migrate method.
 		Migrate []struct {
@@ -154,22 +155,22 @@ type ConfigMock struct {
 		}
 		// Pager holds details about calls to the Pager method.
 		Pager []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// Prompt holds details about calls to the Prompt method.
 		Prompt []struct {
-			// S is the s argument value.
-			S string
+			// Hostname is the hostname argument value.
+			Hostname string
 		}
 		// Set holds details about calls to the Set method.
 		Set []struct {
-			// S1 is the s1 argument value.
-			S1 string
-			// S2 is the s2 argument value.
-			S2 string
-			// S3 is the s3 argument value.
-			S3 string
+			// Hostname is the hostname argument value.
+			Hostname string
+			// Key is the key argument value.
+			Key string
+			// Value is the value argument value.
+			Value string
 		}
 		// Version holds details about calls to the Version method.
 		Version []struct {
@@ -249,19 +250,19 @@ func (mock *ConfigMock) AuthenticationCalls() []struct {
 }
 
 // Browser calls BrowserFunc.
-func (mock *ConfigMock) Browser(s string) string {
+func (mock *ConfigMock) Browser(hostname string) string {
 	if mock.BrowserFunc == nil {
 		panic("ConfigMock.BrowserFunc: method is nil but Config.Browser was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockBrowser.Lock()
 	mock.calls.Browser = append(mock.calls.Browser, callInfo)
 	mock.lockBrowser.Unlock()
-	return mock.BrowserFunc(s)
+	return mock.BrowserFunc(hostname)
 }
 
 // BrowserCalls gets all the calls that were made to Browser.
@@ -269,10 +270,10 @@ func (mock *ConfigMock) Browser(s string) string {
 //
 //	len(mockedConfig.BrowserCalls())
 func (mock *ConfigMock) BrowserCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockBrowser.RLock()
 	calls = mock.calls.Browser
@@ -308,19 +309,19 @@ func (mock *ConfigMock) CacheDirCalls() []struct {
 }
 
 // Editor calls EditorFunc.
-func (mock *ConfigMock) Editor(s string) string {
+func (mock *ConfigMock) Editor(hostname string) string {
 	if mock.EditorFunc == nil {
 		panic("ConfigMock.EditorFunc: method is nil but Config.Editor was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockEditor.Lock()
 	mock.calls.Editor = append(mock.calls.Editor, callInfo)
 	mock.lockEditor.Unlock()
-	return mock.EditorFunc(s)
+	return mock.EditorFunc(hostname)
 }
 
 // EditorCalls gets all the calls that were made to Editor.
@@ -328,10 +329,10 @@ func (mock *ConfigMock) Editor(s string) string {
 //
 //	len(mockedConfig.EditorCalls())
 func (mock *ConfigMock) EditorCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockEditor.RLock()
 	calls = mock.calls.Editor
@@ -340,21 +341,21 @@ func (mock *ConfigMock) EditorCalls() []struct {
 }
 
 // GetOrDefault calls GetOrDefaultFunc.
-func (mock *ConfigMock) GetOrDefault(s1 string, s2 string) (string, error) {
+func (mock *ConfigMock) GetOrDefault(hostname string, key string) o.Option[string] {
 	if mock.GetOrDefaultFunc == nil {
 		panic("ConfigMock.GetOrDefaultFunc: method is nil but Config.GetOrDefault was just called")
 	}
 	callInfo := struct {
-		S1 string
-		S2 string
+		Hostname string
+		Key      string
 	}{
-		S1: s1,
-		S2: s2,
+		Hostname: hostname,
+		Key:      key,
 	}
 	mock.lockGetOrDefault.Lock()
 	mock.calls.GetOrDefault = append(mock.calls.GetOrDefault, callInfo)
 	mock.lockGetOrDefault.Unlock()
-	return mock.GetOrDefaultFunc(s1, s2)
+	return mock.GetOrDefaultFunc(hostname, key)
 }
 
 // GetOrDefaultCalls gets all the calls that were made to GetOrDefault.
@@ -362,12 +363,12 @@ func (mock *ConfigMock) GetOrDefault(s1 string, s2 string) (string, error) {
 //
 //	len(mockedConfig.GetOrDefaultCalls())
 func (mock *ConfigMock) GetOrDefaultCalls() []struct {
-	S1 string
-	S2 string
+	Hostname string
+	Key      string
 } {
 	var calls []struct {
-		S1 string
-		S2 string
+		Hostname string
+		Key      string
 	}
 	mock.lockGetOrDefault.RLock()
 	calls = mock.calls.GetOrDefault
@@ -376,19 +377,19 @@ func (mock *ConfigMock) GetOrDefaultCalls() []struct {
 }
 
 // GitProtocol calls GitProtocolFunc.
-func (mock *ConfigMock) GitProtocol(s string) string {
+func (mock *ConfigMock) GitProtocol(hostname string) string {
 	if mock.GitProtocolFunc == nil {
 		panic("ConfigMock.GitProtocolFunc: method is nil but Config.GitProtocol was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockGitProtocol.Lock()
 	mock.calls.GitProtocol = append(mock.calls.GitProtocol, callInfo)
 	mock.lockGitProtocol.Unlock()
-	return mock.GitProtocolFunc(s)
+	return mock.GitProtocolFunc(hostname)
 }
 
 // GitProtocolCalls gets all the calls that were made to GitProtocol.
@@ -396,10 +397,10 @@ func (mock *ConfigMock) GitProtocol(s string) string {
 //
 //	len(mockedConfig.GitProtocolCalls())
 func (mock *ConfigMock) GitProtocolCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockGitProtocol.RLock()
 	calls = mock.calls.GitProtocol
@@ -408,19 +409,19 @@ func (mock *ConfigMock) GitProtocolCalls() []struct {
 }
 
 // HTTPUnixSocket calls HTTPUnixSocketFunc.
-func (mock *ConfigMock) HTTPUnixSocket(s string) string {
+func (mock *ConfigMock) HTTPUnixSocket(hostname string) string {
 	if mock.HTTPUnixSocketFunc == nil {
 		panic("ConfigMock.HTTPUnixSocketFunc: method is nil but Config.HTTPUnixSocket was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockHTTPUnixSocket.Lock()
 	mock.calls.HTTPUnixSocket = append(mock.calls.HTTPUnixSocket, callInfo)
 	mock.lockHTTPUnixSocket.Unlock()
-	return mock.HTTPUnixSocketFunc(s)
+	return mock.HTTPUnixSocketFunc(hostname)
 }
 
 // HTTPUnixSocketCalls gets all the calls that were made to HTTPUnixSocket.
@@ -428,10 +429,10 @@ func (mock *ConfigMock) HTTPUnixSocket(s string) string {
 //
 //	len(mockedConfig.HTTPUnixSocketCalls())
 func (mock *ConfigMock) HTTPUnixSocketCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockHTTPUnixSocket.RLock()
 	calls = mock.calls.HTTPUnixSocket
@@ -472,19 +473,19 @@ func (mock *ConfigMock) MigrateCalls() []struct {
 }
 
 // Pager calls PagerFunc.
-func (mock *ConfigMock) Pager(s string) string {
+func (mock *ConfigMock) Pager(hostname string) string {
 	if mock.PagerFunc == nil {
 		panic("ConfigMock.PagerFunc: method is nil but Config.Pager was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockPager.Lock()
 	mock.calls.Pager = append(mock.calls.Pager, callInfo)
 	mock.lockPager.Unlock()
-	return mock.PagerFunc(s)
+	return mock.PagerFunc(hostname)
 }
 
 // PagerCalls gets all the calls that were made to Pager.
@@ -492,10 +493,10 @@ func (mock *ConfigMock) Pager(s string) string {
 //
 //	len(mockedConfig.PagerCalls())
 func (mock *ConfigMock) PagerCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockPager.RLock()
 	calls = mock.calls.Pager
@@ -504,19 +505,19 @@ func (mock *ConfigMock) PagerCalls() []struct {
 }
 
 // Prompt calls PromptFunc.
-func (mock *ConfigMock) Prompt(s string) string {
+func (mock *ConfigMock) Prompt(hostname string) string {
 	if mock.PromptFunc == nil {
 		panic("ConfigMock.PromptFunc: method is nil but Config.Prompt was just called")
 	}
 	callInfo := struct {
-		S string
+		Hostname string
 	}{
-		S: s,
+		Hostname: hostname,
 	}
 	mock.lockPrompt.Lock()
 	mock.calls.Prompt = append(mock.calls.Prompt, callInfo)
 	mock.lockPrompt.Unlock()
-	return mock.PromptFunc(s)
+	return mock.PromptFunc(hostname)
 }
 
 // PromptCalls gets all the calls that were made to Prompt.
@@ -524,10 +525,10 @@ func (mock *ConfigMock) Prompt(s string) string {
 //
 //	len(mockedConfig.PromptCalls())
 func (mock *ConfigMock) PromptCalls() []struct {
-	S string
+	Hostname string
 } {
 	var calls []struct {
-		S string
+		Hostname string
 	}
 	mock.lockPrompt.RLock()
 	calls = mock.calls.Prompt
@@ -536,23 +537,23 @@ func (mock *ConfigMock) PromptCalls() []struct {
 }
 
 // Set calls SetFunc.
-func (mock *ConfigMock) Set(s1 string, s2 string, s3 string) {
+func (mock *ConfigMock) Set(hostname string, key string, value string) {
 	if mock.SetFunc == nil {
 		panic("ConfigMock.SetFunc: method is nil but Config.Set was just called")
 	}
 	callInfo := struct {
-		S1 string
-		S2 string
-		S3 string
+		Hostname string
+		Key      string
+		Value    string
 	}{
-		S1: s1,
-		S2: s2,
-		S3: s3,
+		Hostname: hostname,
+		Key:      key,
+		Value:    value,
 	}
 	mock.lockSet.Lock()
 	mock.calls.Set = append(mock.calls.Set, callInfo)
 	mock.lockSet.Unlock()
-	mock.SetFunc(s1, s2, s3)
+	mock.SetFunc(hostname, key, value)
 }
 
 // SetCalls gets all the calls that were made to Set.
@@ -560,14 +561,14 @@ func (mock *ConfigMock) Set(s1 string, s2 string, s3 string) {
 //
 //	len(mockedConfig.SetCalls())
 func (mock *ConfigMock) SetCalls() []struct {
-	S1 string
-	S2 string
-	S3 string
+	Hostname string
+	Key      string
+	Value    string
 } {
 	var calls []struct {
-		S1 string
-		S2 string
-		S3 string
+		Hostname string
+		Key      string
+		Value    string
 	}
 	mock.lockSet.RLock()
 	calls = mock.calls.Set
@@ -576,7 +577,7 @@ func (mock *ConfigMock) SetCalls() []struct {
 }
 
 // Version calls VersionFunc.
-func (mock *ConfigMock) Version() string {
+func (mock *ConfigMock) Version() o.Option[string] {
 	if mock.VersionFunc == nil {
 		panic("ConfigMock.VersionFunc: method is nil but Config.Version was just called")
 	}
diff --git a/pkg/cmd/config/get/get.go b/pkg/cmd/config/get/get.go
index e714c6a646b..82d75111bbf 100644
--- a/pkg/cmd/config/get/get.go
+++ b/pkg/cmd/config/get/get.go
@@ -64,13 +64,22 @@ func getRun(opts *GetOptions) error {
 		return nil
 	}
 
-	val, err := opts.Config.GetOrDefault(opts.Hostname, opts.Key)
-	if err != nil {
-		return err
+	optionalValue := opts.Config.GetOrDefault(opts.Hostname, opts.Key)
+	if optionalValue.IsNone() {
+		return nonExistentKeyError{key: opts.Key}
 	}
 
+	val := optionalValue.Unwrap()
 	if val != "" {
 		fmt.Fprintf(opts.IO.Out, "%s\n", val)
 	}
 	return nil
 }
+
+type nonExistentKeyError struct {
+	key string
+}
+
+func (e nonExistentKeyError) Error() string {
+	return fmt.Sprintf("could not find key \"%s\"", e.key)
+}
diff --git a/pkg/cmd/config/get/get_test.go b/pkg/cmd/config/get/get_test.go
index 40eca49e591..6320ffa16b9 100644
--- a/pkg/cmd/config/get/get_test.go
+++ b/pkg/cmd/config/get/get_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewCmdConfigGet(t *testing.T) {
@@ -77,11 +78,10 @@ func TestNewCmdConfigGet(t *testing.T) {
 
 func Test_getRun(t *testing.T) {
 	tests := []struct {
-		name    string
-		input   *GetOptions
-		stdout  string
-		stderr  string
-		wantErr bool
+		name   string
+		input  *GetOptions
+		stdout string
+		err    error
 	}{
 		{
 			name: "get key",
@@ -109,17 +109,24 @@ func Test_getRun(t *testing.T) {
 			},
 			stdout: "vim\n",
 		},
+		{
+			name: "non-existent key",
+			input: &GetOptions{
+				Key:    "non-existent",
+				Config: config.NewBlankConfig(),
+			},
+			err: nonExistentKeyError{key: "non-existent"},
+		},
 	}
 
 	for _, tt := range tests {
-		ios, _, stdout, stderr := iostreams.Test()
+		ios, _, stdout, _ := iostreams.Test()
 		tt.input.IO = ios
 
 		t.Run(tt.name, func(t *testing.T) {
 			err := getRun(tt.input)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.stdout, stdout.String())
-			assert.Equal(t, tt.stderr, stderr.String())
+			require.Equal(t, err, tt.err)
+			require.Equal(t, tt.stdout, stdout.String())
 		})
 	}
 }
diff --git a/pkg/cmd/config/list/list.go b/pkg/cmd/config/list/list.go
index da270713477..7e4efc06c6b 100644
--- a/pkg/cmd/config/list/list.go
+++ b/pkg/cmd/config/list/list.go
@@ -58,11 +58,12 @@ func listRun(opts *ListOptions) error {
 	configOptions := config.ConfigOptions()
 
 	for _, key := range configOptions {
-		val, err := cfg.GetOrDefault(host, key.Key)
-		if err != nil {
-			return err
+		optionalValue := cfg.GetOrDefault(host, key.Key)
+		if optionalValue.IsNone() {
+			return fmt.Errorf("invalid key: %s", key.Key)
 		}
-		fmt.Fprintf(opts.IO.Out, "%s=%s\n", key.Key, val)
+
+		fmt.Fprintf(opts.IO.Out, "%s=%s\n", key.Key, optionalValue.Unwrap())
 	}
 
 	return nil
diff --git a/pkg/cmd/config/set/set_test.go b/pkg/cmd/config/set/set_test.go
index 532d78f6213..98c5fb1f210 100644
--- a/pkg/cmd/config/set/set_test.go
+++ b/pkg/cmd/config/set/set_test.go
@@ -150,9 +150,9 @@ func Test_setRun(t *testing.T) {
 			assert.Equal(t, tt.stdout, stdout.String())
 			assert.Equal(t, tt.stderr, stderr.String())
 
-			val, err := tt.input.Config.GetOrDefault(tt.input.Hostname, tt.input.Key)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.expectedValue, val)
+			optionalValue := tt.input.Config.GetOrDefault(tt.input.Hostname, tt.input.Key)
+			assert.True(t, optionalValue.IsSome(), "expected value to be set")
+			assert.Equal(t, tt.expectedValue, optionalValue.Unwrap())
 		})
 	}
 }
diff --git a/pkg/option/option.go b/pkg/option/option.go
new file mode 100644
index 00000000000..6120994baff
--- /dev/null
+++ b/pkg/option/option.go
@@ -0,0 +1,115 @@
+package o
+
+import "fmt"
+
+// Option represents an optional value. The [Some] variant contains a value and
+// the [None] variant represents the absence of a value.
+type Option[T any] struct {
+	value   T
+	present bool
+}
+
+// Some instantiates an [Option] with a value.
+func Some[T any](value T) Option[T] {
+	return Option[T]{value, true}
+}
+
+// None instantiates an [Option] with no value.
+func None[T any]() Option[T] {
+	return Option[T]{}
+}
+
+// String implements the [fmt.Stringer] interface.
+func (o Option[T]) String() string {
+	if o.present {
+		return fmt.Sprintf("Some(%v)", o.value)
+	}
+
+	return "None"
+}
+
+var _ fmt.Stringer = Option[struct{}]{}
+
+// Unwrap returns the underlying value of a [Some] variant, or panics if called
+// on a [None] variant.
+func (o Option[T]) Unwrap() T {
+	if o.present {
+		return o.value
+	}
+
+	panic("called `Option.Unwrap()` on a `None` value")
+}
+
+// UnwrapOr returns the underlying value of a [Some] variant, or the provided
+// value on a [None] variant.
+func (o Option[T]) UnwrapOr(value T) T {
+	if o.present {
+		return o.value
+	}
+
+	return value
+}
+
+// UnwrapOrElse returns the underlying value of a [Some] variant, or the result
+// of calling the provided function on a [None] variant.
+func (o Option[T]) UnwrapOrElse(f func() T) T {
+	if o.present {
+		return o.value
+	}
+
+	return f()
+}
+
+// UnwrapOrZero returns the underlying value of a [Some] variant, or the zero
+// value on a [None] variant.
+func (o Option[T]) UnwrapOrZero() T {
+	if o.present {
+		return o.value
+	}
+
+	var value T
+	return value
+}
+
+// IsSome returns true if the [Option] is a [Some] variant.
+func (o Option[T]) IsSome() bool {
+	return o.present
+}
+
+// IsSome returns true if the [Option] is a [Some] variant and the value inside of it equals the provided value.
+// func (o Option[T]) Is(t T) bool {
+// 	return o.present && o.value == t
+// }
+
+func (o Option[T]) IsSomeAnd(f func(T) bool) bool {
+	return o.present && f(o.value)
+}
+
+// IsNone returns true if the [Option] is a [None] variant.
+func (o Option[T]) IsNone() bool {
+	return !o.present
+}
+
+// Value returns the underlying value and true for a [Some] variant, or the
+// zero value and false for a [None] variant.
+func (o Option[T]) Value() (T, bool) {
+	return o.value, o.present
+}
+
+// Expect returns the underlying value for a [Some] variant, or panics with the
+// provided message for a [None] variant.
+func (o Option[T]) Expect(message string) T {
+	if o.present {
+		return o.value
+	}
+
+	panic(message)
+}
+
+func Map[T any, U any](f func(T) U, o Option[T]) Option[U] {
+	if o.present {
+		return Some(f(o.value))
+	}
+
+	return None[U]()
+}

From 8a4f32b4e20a01278d863204154dbae177ebb015 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 13:47:34 +0200
Subject: [PATCH 043/253] Make config list less fallible

---
 internal/config/config.go        |  25 ++++-
 internal/config/config_test.go   | 101 +++++++----------
 pkg/cmd/config/list/list.go      |   9 +-
 pkg/cmd/config/list/list_test.go |   6 +-
 pkg/option/option.go             |  38 ++++---
 pkg/option/option_test.go        | 181 +++++++++++++++++++++++++++++++
 6 files changed, 267 insertions(+), 93 deletions(-)
 create mode 100644 pkg/option/option_test.go

diff --git a/internal/config/config.go b/internal/config/config.go
index cf4d761c1ad..0b5adc3dd86 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -42,7 +42,7 @@ type cfg struct {
 	cfg *ghConfig.Config
 }
 
-func (c *cfg) Get(hostname, key string) o.Option[string] {
+func (c *cfg) get(hostname, key string) o.Option[string] {
 	if hostname != "" {
 		val, err := c.cfg.Get([]string{hostsKey, hostname, key})
 		if err == nil {
@@ -59,7 +59,7 @@ func (c *cfg) Get(hostname, key string) o.Option[string] {
 }
 
 func (c *cfg) GetOrDefault(hostname, key string) o.Option[string] {
-	if val := c.Get(hostname, key); val.IsSome() {
+	if val := c.get(hostname, key); val.IsSome() {
 		return val
 	}
 
@@ -126,7 +126,7 @@ func (c *cfg) Prompt(hostname string) string {
 }
 
 func (c *cfg) Version() o.Option[string] {
-	return c.Get("", versionKey)
+	return c.get("", versionKey)
 }
 
 func (c *cfg) Migrate(m gh.Migration) error {
@@ -513,6 +513,7 @@ type ConfigOption struct {
 	Description   string
 	DefaultValue  string
 	AllowedValues []string
+	CurrentValue  func(c gh.Config, hostname string) string
 }
 
 func ConfigOptions() []ConfigOption {
@@ -522,32 +523,50 @@ func ConfigOptions() []ConfigOption {
 			Description:   "the protocol to use for git clone and push operations",
 			DefaultValue:  "https",
 			AllowedValues: []string{"https", "ssh"},
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.GitProtocol(hostname)
+			},
 		},
 		{
 			Key:          editorKey,
 			Description:  "the text editor program to use for authoring text",
 			DefaultValue: "",
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.Editor(hostname)
+			},
 		},
 		{
 			Key:           promptKey,
 			Description:   "toggle interactive prompting in the terminal",
 			DefaultValue:  "enabled",
 			AllowedValues: []string{"enabled", "disabled"},
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.Prompt(hostname)
+			},
 		},
 		{
 			Key:          pagerKey,
 			Description:  "the terminal pager program to send standard output to",
 			DefaultValue: "",
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.Pager(hostname)
+			},
 		},
 		{
 			Key:          httpUnixSocketKey,
 			Description:  "the path to a Unix socket through which to make an HTTP connection",
 			DefaultValue: "",
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.HTTPUnixSocket(hostname)
+			},
 		},
 		{
 			Key:          browserKey,
 			Description:  "the web browser to use for opening URLs",
 			DefaultValue: "",
+			CurrentValue: func(c gh.Config, hostname string) string {
+				return c.Browser(hostname)
+			},
 		},
 	}
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 3d13fb7d7d7..fdad219655a 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -32,120 +32,95 @@ func TestNewConfigProvidesFallback(t *testing.T) {
 	requireKeyWithValue(t, spiedCfg, []string{browserKey}, "")
 }
 
-func TestGetNonExistentKey(t *testing.T) {
+func TestGetOrDefaultApplicationDefaults(t *testing.T) {
+	tests := []struct {
+		key             string
+		expectedDefault string
+	}{
+		{gitProtocolKey, "https"},
+		{editorKey, ""},
+		{promptKey, "enabled"},
+		{pagerKey, ""},
+		{httpUnixSocketKey, ""},
+		{browserKey, ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.key, func(t *testing.T) {
+			// Given we have no top level configuration
+			cfg := newTestConfig()
+
+			// When we get a key that has no value, but has a default
+			optionalVal := cfg.GetOrDefault("", tt.key)
+
+			// Then there is an entry with the default value, and source set as default
+			require.True(t, optionalVal.IsSome(), "expected there to be a value")
+			require.Equal(t, tt.expectedDefault, optionalVal.Unwrap())
+		})
+	}
+}
+
+func TestGetOrDefaultNonExistentKey(t *testing.T) {
 	// Given we have no top level configuration
 	cfg := newTestConfig()
 
 	// When we get a key that has no value
-	optionalVal := cfg.Get("", "non-existent-key")
+	optionalVal := cfg.GetOrDefault("", "non-existent-key")
 
 	// Then it returns a None variant
 	require.True(t, optionalVal.IsNone(), "expected there to be no value")
 }
 
-func TestGetNonExistentHostSpecificKey(t *testing.T) {
+func TestGetOrDefaultNonExistentHostSpecificKey(t *testing.T) {
 	// Given have no top level configuration
 	cfg := newTestConfig()
 
 	// When we get a key for a host that has no value
-	optionalVal := cfg.Get("non-existent-host", "non-existent-key")
+	optionalVal := cfg.GetOrDefault("non-existent-host", "non-existent-key")
 
 	// Then it returns a None variant
 	require.True(t, optionalVal.IsNone(), "expected there to be no value")
 }
 
-func TestGetExistingTopLevelKey(t *testing.T) {
+func TestGetOrDefaultExistingTopLevelKey(t *testing.T) {
 	// Given have a top level config entry
 	cfg := newTestConfig()
 	cfg.Set("", "top-level-key", "top-level-value")
 
 	// When we get that key
-	optionalVal := cfg.Get("non-existent-host", "top-level-key")
+	optionalVal := cfg.GetOrDefault("non-existent-host", "top-level-key")
 
 	// Then it returns a Some variant containing the correct value
 	require.True(t, optionalVal.IsSome(), "expected there to be a value")
 	require.Equal(t, "top-level-value", optionalVal.Unwrap())
 }
 
-func TestGetExistingHostSpecificKey(t *testing.T) {
+func TestGetOrDefaultExistingHostSpecificKey(t *testing.T) {
 	// Given have a host specific config entry
 	cfg := newTestConfig()
 	cfg.Set("github.com", "host-specific-key", "host-specific-value")
 
 	// When we get that key
-	optionalVal := cfg.Get("github.com", "host-specific-key")
+	optionalVal := cfg.GetOrDefault("github.com", "host-specific-key")
 
 	// Then it returns a Some variant containing the correct value
 	require.True(t, optionalVal.IsSome(), "expected there to be a value")
 	require.Equal(t, "host-specific-value", optionalVal.Unwrap())
 }
 
-func TestGetHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
+func TestGetOrDefaultHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
 	// Given have a top level config entry
 	cfg := newTestConfig()
 	cfg.Set("", "key", "value")
 
 	// When we get that key on a specific host
-	optionalVal := cfg.Get("github.com", "key")
+	optionalVal := cfg.GetOrDefault("github.com", "key")
 
 	// Then it returns a Some variant containing the correct value by falling back to the top level config
 	require.True(t, optionalVal.IsSome(), "expected there to be a value")
 	require.Equal(t, "value", optionalVal.Unwrap())
 }
 
-func TestGetOrDefaultApplicationDefaults(t *testing.T) {
-	tests := []struct {
-		key             string
-		expectedDefault string
-	}{
-		{gitProtocolKey, "https"},
-		{editorKey, ""},
-		{promptKey, "enabled"},
-		{pagerKey, ""},
-		{httpUnixSocketKey, ""},
-		{browserKey, ""},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.key, func(t *testing.T) {
-			// Given we have no top level configuration
-			cfg := newTestConfig()
-
-			// When we get a key that has no value, but has a default
-			optionalVal := cfg.GetOrDefault("", tt.key)
-
-			// Then there is an entry with the default value, and source set as default
-			require.True(t, optionalVal.IsSome(), "expected there to be a value")
-			require.Equal(t, tt.expectedDefault, optionalVal.Unwrap())
-		})
-	}
-}
-
-func TestGetOrDefaultExistingKey(t *testing.T) {
-	// Given have a top level config entry
-	cfg := newTestConfig()
-	cfg.Set("", gitProtocolKey, "ssh")
-
-	// When we get that key
-	optionalVal := cfg.GetOrDefault("", gitProtocolKey)
-
-	// Then it returns successfully with the correct value, and doesn't fall back
-	// to the default
-	require.True(t, optionalVal.IsSome(), "expected there to be a value")
-	require.Equal(t, "ssh", optionalVal.Unwrap())
-}
-
-func TestGetOrDefaultNotFoundAndNoDefault(t *testing.T) {
-	// Given have no configuration
-	cfg := newTestConfig()
-
-	// When we get a non-existent-key that has no default
-	optionalEntry := cfg.GetOrDefault("", "non-existent-key")
-
-	// Then it returns with no entry
-	require.False(t, optionalEntry.IsSome(), "expected the config to not contain a value")
-}
-
 func TestFallbackConfig(t *testing.T) {
 	cfg := fallbackConfig()
 	requireKeyWithValue(t, cfg, []string{gitProtocolKey}, "https")
diff --git a/pkg/cmd/config/list/list.go b/pkg/cmd/config/list/list.go
index 7e4efc06c6b..d7e9751e00f 100644
--- a/pkg/cmd/config/list/list.go
+++ b/pkg/cmd/config/list/list.go
@@ -57,13 +57,8 @@ func listRun(opts *ListOptions) error {
 
 	configOptions := config.ConfigOptions()
 
-	for _, key := range configOptions {
-		optionalValue := cfg.GetOrDefault(host, key.Key)
-		if optionalValue.IsNone() {
-			return fmt.Errorf("invalid key: %s", key.Key)
-		}
-
-		fmt.Fprintf(opts.IO.Out, "%s=%s\n", key.Key, optionalValue.Unwrap())
+	for _, option := range configOptions {
+		fmt.Fprintf(opts.IO.Out, "%s=%s\n", option.Key, option.CurrentValue(cfg, host))
 	}
 
 	return nil
diff --git a/pkg/cmd/config/list/list_test.go b/pkg/cmd/config/list/list_test.go
index 32088b32487..b6a9d0fcaf1 100644
--- a/pkg/cmd/config/list/list_test.go
+++ b/pkg/cmd/config/list/list_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewCmdConfigList(t *testing.T) {
@@ -108,9 +109,8 @@ browser=brave
 
 		t.Run(tt.name, func(t *testing.T) {
 			err := listRun(tt.input)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.stdout, stdout.String())
-			//assert.Equal(t, tt.stderr, stderr.String())
+			require.NoError(t, err)
+			require.Equal(t, tt.stdout, stdout.String())
 		})
 	}
 }
diff --git a/pkg/option/option.go b/pkg/option/option.go
index 6120994baff..30fdc141264 100644
--- a/pkg/option/option.go
+++ b/pkg/option/option.go
@@ -1,3 +1,24 @@
+// MIT License
+
+// Copyright (c) 2022 Tom Godkin
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
 package o
 
 import "fmt"
@@ -76,15 +97,6 @@ func (o Option[T]) IsSome() bool {
 	return o.present
 }
 
-// IsSome returns true if the [Option] is a [Some] variant and the value inside of it equals the provided value.
-// func (o Option[T]) Is(t T) bool {
-// 	return o.present && o.value == t
-// }
-
-func (o Option[T]) IsSomeAnd(f func(T) bool) bool {
-	return o.present && f(o.value)
-}
-
 // IsNone returns true if the [Option] is a [None] variant.
 func (o Option[T]) IsNone() bool {
 	return !o.present
@@ -105,11 +117,3 @@ func (o Option[T]) Expect(message string) T {
 
 	panic(message)
 }
-
-func Map[T any, U any](f func(T) U, o Option[T]) Option[U] {
-	if o.present {
-		return Some(f(o.value))
-	}
-
-	return None[U]()
-}
diff --git a/pkg/option/option_test.go b/pkg/option/option_test.go
new file mode 100644
index 00000000000..5e5068124af
--- /dev/null
+++ b/pkg/option/option_test.go
@@ -0,0 +1,181 @@
+// MIT License
+
+// Copyright (c) 2022 Tom Godkin
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+package o_test
+
+import (
+	"fmt"
+	"testing"
+
+	o "github.com/cli/cli/v2/pkg/option"
+	"github.com/stretchr/testify/require"
+)
+
+func ExampleOption_Unwrap() {
+	fmt.Println(o.Some(4).Unwrap())
+	// Output: 4
+}
+
+func ExampleOption_UnwrapOr() {
+	fmt.Println(o.Some(4).UnwrapOr(3))
+	fmt.Println(o.None[int]().UnwrapOr(3))
+	// Output:
+	// 4
+	// 3
+}
+
+func ExampleOption_UnwrapOrElse() {
+	fmt.Println(o.Some(4).UnwrapOrElse(func() int {
+		return 3
+	}))
+
+	fmt.Println(o.None[int]().UnwrapOrElse(func() int {
+		return 3
+	}))
+
+	// Output:
+	// 4
+	// 3
+}
+
+func ExampleOption_UnwrapOrZero() {
+	fmt.Println(o.Some(4).UnwrapOrZero())
+	fmt.Println(o.None[int]().UnwrapOrZero())
+
+	// Output
+	// 4
+	// 0
+}
+
+func ExampleOption_IsSome() {
+	fmt.Println(o.Some(4).IsSome())
+	fmt.Println(o.None[int]().IsSome())
+
+	// Output:
+	// true
+	// false
+}
+
+func ExampleOption_IsNone() {
+	fmt.Println(o.Some(4).IsNone())
+	fmt.Println(o.None[int]().IsNone())
+
+	// Output:
+	// false
+	// true
+}
+
+func ExampleOption_Value() {
+	value, ok := o.Some(4).Value()
+	fmt.Println(value)
+	fmt.Println(ok)
+
+	// Output:
+	// 4
+	// true
+}
+
+func ExampleOption_Expect() {
+	fmt.Println(o.Some(4).Expect("oops"))
+
+	// Output: 4
+}
+
+func TestSomeStringer(t *testing.T) {
+	require.Equal(t, fmt.Sprintf("%s", o.Some("foo")), "Some(foo)") //nolint:gosimple
+	require.Equal(t, fmt.Sprintf("%s", o.Some(42)), "Some(42)")     //nolint:gosimple
+}
+
+func TestNoneStringer(t *testing.T) {
+	require.Equal(t, fmt.Sprintf("%s", o.None[string]()), "None") //nolint:gosimple
+}
+
+func TestSomeUnwrap(t *testing.T) {
+	require.Equal(t, o.Some(42).Unwrap(), 42)
+}
+
+func TestNoneUnwrap(t *testing.T) {
+	defer func() {
+		require.Equal(t, fmt.Sprint(recover()), "called `Option.Unwrap()` on a `None` value")
+	}()
+
+	o.None[string]().Unwrap()
+	t.Error("did not panic")
+}
+
+func TestSomeUnwrapOr(t *testing.T) {
+	require.Equal(t, o.Some(42).UnwrapOr(3), 42)
+}
+
+func TestNoneUnwrapOr(t *testing.T) {
+	require.Equal(t, o.None[int]().UnwrapOr(3), 3)
+}
+
+func TestSomeUnwrapOrElse(t *testing.T) {
+	require.Equal(t, o.Some(42).UnwrapOrElse(func() int { return 41 }), 42)
+}
+
+func TestNoneUnwrapOrElse(t *testing.T) {
+	require.Equal(t, o.None[int]().UnwrapOrElse(func() int { return 41 }), 41)
+}
+
+func TestSomeUnwrapOrZero(t *testing.T) {
+	require.Equal(t, o.Some(42).UnwrapOrZero(), 42)
+}
+
+func TestNoneUnwrapOrZero(t *testing.T) {
+	require.Equal(t, o.None[int]().UnwrapOrZero(), 0)
+}
+
+func TestIsSome(t *testing.T) {
+	require.True(t, o.Some(42).IsSome())
+	require.False(t, o.None[int]().IsSome())
+}
+
+func TestIsNone(t *testing.T) {
+	require.False(t, o.Some(42).IsNone())
+	require.True(t, o.None[int]().IsNone())
+}
+
+func TestSomeValue(t *testing.T) {
+	value, ok := o.Some(42).Value()
+	require.Equal(t, value, 42)
+	require.True(t, ok)
+}
+
+func TestNoneValue(t *testing.T) {
+	value, ok := o.None[int]().Value()
+	require.Equal(t, value, 0)
+	require.False(t, ok)
+}
+
+func TestSomeExpect(t *testing.T) {
+	require.Equal(t, o.Some(42).Expect("oops"), 42)
+}
+
+func TestNoneExpect(t *testing.T) {
+	defer func() {
+		require.Equal(t, fmt.Sprint(recover()), "oops")
+	}()
+
+	o.None[int]().Expect("oops")
+	t.Error("did not panic")
+}

From d0e436b36958456249c275ee1745ebc6352407c1 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 13:49:37 +0200
Subject: [PATCH 044/253] Avoid reconstructing config Options on each use

---
 internal/config/config.go   | 94 ++++++++++++++++++-------------------
 pkg/cmd/config/config.go    |  2 +-
 pkg/cmd/config/list/list.go |  2 +-
 pkg/cmd/config/set/set.go   |  4 +-
 4 files changed, 50 insertions(+), 52 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 0b5adc3dd86..3a6cdf4d72b 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -163,7 +163,7 @@ func (c *cfg) CacheDir() string {
 }
 
 func defaultFor(key string) o.Option[string] {
-	for _, co := range ConfigOptions() {
+	for _, co := range Options {
 		if co.Key == key {
 			return o.Some(co.DefaultValue)
 		}
@@ -516,59 +516,57 @@ type ConfigOption struct {
 	CurrentValue  func(c gh.Config, hostname string) string
 }
 
-func ConfigOptions() []ConfigOption {
-	return []ConfigOption{
-		{
-			Key:           gitProtocolKey,
-			Description:   "the protocol to use for git clone and push operations",
-			DefaultValue:  "https",
-			AllowedValues: []string{"https", "ssh"},
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.GitProtocol(hostname)
-			},
+var Options = []ConfigOption{
+	{
+		Key:           gitProtocolKey,
+		Description:   "the protocol to use for git clone and push operations",
+		DefaultValue:  "https",
+		AllowedValues: []string{"https", "ssh"},
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.GitProtocol(hostname)
 		},
-		{
-			Key:          editorKey,
-			Description:  "the text editor program to use for authoring text",
-			DefaultValue: "",
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.Editor(hostname)
-			},
+	},
+	{
+		Key:          editorKey,
+		Description:  "the text editor program to use for authoring text",
+		DefaultValue: "",
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.Editor(hostname)
 		},
-		{
-			Key:           promptKey,
-			Description:   "toggle interactive prompting in the terminal",
-			DefaultValue:  "enabled",
-			AllowedValues: []string{"enabled", "disabled"},
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.Prompt(hostname)
-			},
+	},
+	{
+		Key:           promptKey,
+		Description:   "toggle interactive prompting in the terminal",
+		DefaultValue:  "enabled",
+		AllowedValues: []string{"enabled", "disabled"},
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.Prompt(hostname)
 		},
-		{
-			Key:          pagerKey,
-			Description:  "the terminal pager program to send standard output to",
-			DefaultValue: "",
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.Pager(hostname)
-			},
+	},
+	{
+		Key:          pagerKey,
+		Description:  "the terminal pager program to send standard output to",
+		DefaultValue: "",
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.Pager(hostname)
 		},
-		{
-			Key:          httpUnixSocketKey,
-			Description:  "the path to a Unix socket through which to make an HTTP connection",
-			DefaultValue: "",
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.HTTPUnixSocket(hostname)
-			},
+	},
+	{
+		Key:          httpUnixSocketKey,
+		Description:  "the path to a Unix socket through which to make an HTTP connection",
+		DefaultValue: "",
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.HTTPUnixSocket(hostname)
 		},
-		{
-			Key:          browserKey,
-			Description:  "the web browser to use for opening URLs",
-			DefaultValue: "",
-			CurrentValue: func(c gh.Config, hostname string) string {
-				return c.Browser(hostname)
-			},
+	},
+	{
+		Key:          browserKey,
+		Description:  "the web browser to use for opening URLs",
+		DefaultValue: "",
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.Browser(hostname)
 		},
-	}
+	},
 }
 
 func HomeDirPath(subdir string) (string, error) {
diff --git a/pkg/cmd/config/config.go b/pkg/cmd/config/config.go
index 20a66027966..2661c336968 100644
--- a/pkg/cmd/config/config.go
+++ b/pkg/cmd/config/config.go
@@ -17,7 +17,7 @@ func NewCmdConfig(f *cmdutil.Factory) *cobra.Command {
 	longDoc := strings.Builder{}
 	longDoc.WriteString("Display or change configuration settings for gh.\n\n")
 	longDoc.WriteString("Current respected settings:\n")
-	for _, co := range config.ConfigOptions() {
+	for _, co := range config.Options {
 		longDoc.WriteString(fmt.Sprintf("- `%s`: %s", co.Key, co.Description))
 		if len(co.AllowedValues) > 0 {
 			longDoc.WriteString(fmt.Sprintf(" {%s}", strings.Join(co.AllowedValues, "|")))
diff --git a/pkg/cmd/config/list/list.go b/pkg/cmd/config/list/list.go
index d7e9751e00f..6cac775faad 100644
--- a/pkg/cmd/config/list/list.go
+++ b/pkg/cmd/config/list/list.go
@@ -55,7 +55,7 @@ func listRun(opts *ListOptions) error {
 		host, _ = cfg.Authentication().DefaultHost()
 	}
 
-	configOptions := config.ConfigOptions()
+	configOptions := config.Options
 
 	for _, option := range configOptions {
 		fmt.Fprintf(opts.IO.Out, "%s=%s\n", option.Key, option.CurrentValue(cfg, host))
diff --git a/pkg/cmd/config/set/set.go b/pkg/cmd/config/set/set.go
index dedbd004471..a1fb2bbe90d 100644
--- a/pkg/cmd/config/set/set.go
+++ b/pkg/cmd/config/set/set.go
@@ -88,7 +88,7 @@ func setRun(opts *SetOptions) error {
 }
 
 func ValidateKey(key string) error {
-	for _, configKey := range config.ConfigOptions() {
+	for _, configKey := range config.Options {
 		if key == configKey.Key {
 			return nil
 		}
@@ -108,7 +108,7 @@ func (e InvalidValueError) Error() string {
 func ValidateValue(key, value string) error {
 	var validValues []string
 
-	for _, v := range config.ConfigOptions() {
+	for _, v := range config.Options {
 		if v.Key == key {
 			validValues = v.AllowedValues
 			break

From 07e0ff712762354e53be95cf120e21e6836642dd Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 14:41:26 +0200
Subject: [PATCH 045/253] Fix repo fork to use remote protocol if none
 configured

---
 internal/config/config.go       | 38 ++++++++++++++++------------
 internal/config/config_test.go  | 45 +++++++++++++++++++--------------
 internal/config/stub.go         | 14 +++++-----
 internal/gh/gh.go               | 26 ++++++++++++++-----
 internal/gh/mock/config.go      | 42 +++++++++++++++---------------
 pkg/cmd/auth/refresh/refresh.go |  2 +-
 pkg/cmd/auth/status/status.go   |  2 +-
 pkg/cmd/config/get/get.go       |  6 ++---
 pkg/cmd/config/set/set_test.go  |  7 ++---
 pkg/cmd/extension/manager.go    |  2 +-
 pkg/cmd/factory/default.go      |  6 ++---
 pkg/cmd/gist/clone/clone.go     |  2 +-
 pkg/cmd/pr/checkout/checkout.go |  2 +-
 pkg/cmd/pr/create/create.go     |  2 +-
 pkg/cmd/repo/clone/clone.go     |  4 +--
 pkg/cmd/repo/create/create.go   |  6 ++---
 pkg/cmd/repo/fork/fork.go       |  6 +++--
 pkg/cmd/repo/fork/fork_test.go  |  6 ++---
 pkg/cmd/repo/rename/rename.go   |  2 +-
 pkg/cmdutil/legacy.go           |  2 +-
 pkg/option/option.go            |  8 ++++++
 pkg/option/option_test.go       | 18 +++++++++++++
 22 files changed, 151 insertions(+), 97 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 3a6cdf4d72b..a671f152191 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -58,16 +58,22 @@ func (c *cfg) get(hostname, key string) o.Option[string] {
 	return o.None[string]()
 }
 
-func (c *cfg) GetOrDefault(hostname, key string) o.Option[string] {
+func (c *cfg) GetOrDefault(hostname, key string) o.Option[gh.ConfigEntry] {
 	if val := c.get(hostname, key); val.IsSome() {
-		return val
+		return o.Map(val, toConfigEntry(gh.ConfigUserProvided))
 	}
 
 	if defaultVal := defaultFor(key); defaultVal.IsSome() {
-		return defaultVal
+		return o.Map(defaultVal, toConfigEntry(gh.ConfigDefaultProvided))
 	}
 
-	return o.None[string]()
+	return o.None[gh.ConfigEntry]()
+}
+
+func toConfigEntry(source gh.ConfigSource) func(val string) gh.ConfigEntry {
+	return func(val string) gh.ConfigEntry {
+		return gh.ConfigEntry{Value: val, Source: source}
+	}
 }
 
 func (c *cfg) Set(hostname, key, value string) {
@@ -95,32 +101,32 @@ func (c *cfg) Authentication() gh.AuthConfig {
 	return &AuthConfig{cfg: c.cfg}
 }
 
-func (c *cfg) Browser(hostname string) string {
+func (c *cfg) Browser(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, browserKey).Unwrap()
 }
 
-func (c *cfg) Editor(hostname string) string {
+func (c *cfg) Editor(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, editorKey).Unwrap()
 }
 
-func (c *cfg) GitProtocol(hostname string) string {
+func (c *cfg) GitProtocol(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, gitProtocolKey).Unwrap()
 }
 
-func (c *cfg) HTTPUnixSocket(hostname string) string {
+func (c *cfg) HTTPUnixSocket(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, httpUnixSocketKey).Unwrap()
 }
 
-func (c *cfg) Pager(hostname string) string {
+func (c *cfg) Pager(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, pagerKey).Unwrap()
 }
 
-func (c *cfg) Prompt(hostname string) string {
+func (c *cfg) Prompt(hostname string) gh.ConfigEntry {
 	// Intentionally panic as this is a programmer error
 	return c.GetOrDefault(hostname, promptKey).Unwrap()
 }
@@ -523,7 +529,7 @@ var Options = []ConfigOption{
 		DefaultValue:  "https",
 		AllowedValues: []string{"https", "ssh"},
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.GitProtocol(hostname)
+			return c.GitProtocol(hostname).Value
 		},
 	},
 	{
@@ -531,7 +537,7 @@ var Options = []ConfigOption{
 		Description:  "the text editor program to use for authoring text",
 		DefaultValue: "",
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.Editor(hostname)
+			return c.Editor(hostname).Value
 		},
 	},
 	{
@@ -540,7 +546,7 @@ var Options = []ConfigOption{
 		DefaultValue:  "enabled",
 		AllowedValues: []string{"enabled", "disabled"},
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.Prompt(hostname)
+			return c.Prompt(hostname).Value
 		},
 	},
 	{
@@ -548,7 +554,7 @@ var Options = []ConfigOption{
 		Description:  "the terminal pager program to send standard output to",
 		DefaultValue: "",
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.Pager(hostname)
+			return c.Pager(hostname).Value
 		},
 	},
 	{
@@ -556,7 +562,7 @@ var Options = []ConfigOption{
 		Description:  "the path to a Unix socket through which to make an HTTP connection",
 		DefaultValue: "",
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.HTTPUnixSocket(hostname)
+			return c.HTTPUnixSocket(hostname).Value
 		},
 	},
 	{
@@ -564,7 +570,7 @@ var Options = []ConfigOption{
 		Description:  "the web browser to use for opening URLs",
 		DefaultValue: "",
 		CurrentValue: func(c gh.Config, hostname string) string {
-			return c.Browser(hostname)
+			return c.Browser(hostname).Value
 		},
 	},
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index fdad219655a..fef87ddc644 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1,10 +1,12 @@
 package config
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/cli/cli/v2/internal/gh"
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
 
@@ -51,11 +53,12 @@ func TestGetOrDefaultApplicationDefaults(t *testing.T) {
 			cfg := newTestConfig()
 
 			// When we get a key that has no value, but has a default
-			optionalVal := cfg.GetOrDefault("", tt.key)
+			optionalEntry := cfg.GetOrDefault("", tt.key)
 
 			// Then there is an entry with the default value, and source set as default
-			require.True(t, optionalVal.IsSome(), "expected there to be a value")
-			require.Equal(t, tt.expectedDefault, optionalVal.Unwrap())
+			entry := optionalEntry.Expect(fmt.Sprintf("expected there to be a value for %s", tt.key))
+			require.Equal(t, tt.expectedDefault, entry.Value)
+			require.Equal(t, gh.ConfigDefaultProvided, entry.Source)
 		})
 	}
 }
@@ -65,10 +68,10 @@ func TestGetOrDefaultNonExistentKey(t *testing.T) {
 	cfg := newTestConfig()
 
 	// When we get a key that has no value
-	optionalVal := cfg.GetOrDefault("", "non-existent-key")
+	optionalEntry := cfg.GetOrDefault("", "non-existent-key")
 
 	// Then it returns a None variant
-	require.True(t, optionalVal.IsNone(), "expected there to be no value")
+	require.True(t, optionalEntry.IsNone(), "expected there to be no value")
 }
 
 func TestGetOrDefaultNonExistentHostSpecificKey(t *testing.T) {
@@ -76,10 +79,10 @@ func TestGetOrDefaultNonExistentHostSpecificKey(t *testing.T) {
 	cfg := newTestConfig()
 
 	// When we get a key for a host that has no value
-	optionalVal := cfg.GetOrDefault("non-existent-host", "non-existent-key")
+	optionalEntry := cfg.GetOrDefault("non-existent-host", "non-existent-key")
 
 	// Then it returns a None variant
-	require.True(t, optionalVal.IsNone(), "expected there to be no value")
+	require.True(t, optionalEntry.IsNone(), "expected there to be no value")
 }
 
 func TestGetOrDefaultExistingTopLevelKey(t *testing.T) {
@@ -88,11 +91,12 @@ func TestGetOrDefaultExistingTopLevelKey(t *testing.T) {
 	cfg.Set("", "top-level-key", "top-level-value")
 
 	// When we get that key
-	optionalVal := cfg.GetOrDefault("non-existent-host", "top-level-key")
+	optionalEntry := cfg.GetOrDefault("non-existent-host", "top-level-key")
 
-	// Then it returns a Some variant containing the correct value
-	require.True(t, optionalVal.IsSome(), "expected there to be a value")
-	require.Equal(t, "top-level-value", optionalVal.Unwrap())
+	// Then it returns a Some variant containing the correct value and a source of user
+	entry := optionalEntry.Expect("expected there to be a value")
+	require.Equal(t, "top-level-value", entry.Value)
+	require.Equal(t, gh.ConfigUserProvided, entry.Source)
 }
 
 func TestGetOrDefaultExistingHostSpecificKey(t *testing.T) {
@@ -101,11 +105,12 @@ func TestGetOrDefaultExistingHostSpecificKey(t *testing.T) {
 	cfg.Set("github.com", "host-specific-key", "host-specific-value")
 
 	// When we get that key
-	optionalVal := cfg.GetOrDefault("github.com", "host-specific-key")
+	optionalEntry := cfg.GetOrDefault("github.com", "host-specific-key")
 
-	// Then it returns a Some variant containing the correct value
-	require.True(t, optionalVal.IsSome(), "expected there to be a value")
-	require.Equal(t, "host-specific-value", optionalVal.Unwrap())
+	// Then it returns a Some variant containing the correct value and a source of user
+	entry := optionalEntry.Expect("expected there to be a value")
+	require.Equal(t, "host-specific-value", entry.Value)
+	require.Equal(t, gh.ConfigUserProvided, entry.Source)
 }
 
 func TestGetOrDefaultHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
@@ -114,11 +119,13 @@ func TestGetOrDefaultHostnameSpecificKeyFallsBackToTopLevel(t *testing.T) {
 	cfg.Set("", "key", "value")
 
 	// When we get that key on a specific host
-	optionalVal := cfg.GetOrDefault("github.com", "key")
+	optionalEntry := cfg.GetOrDefault("github.com", "key")
 
-	// Then it returns a Some variant containing the correct value by falling back to the top level config
-	require.True(t, optionalVal.IsSome(), "expected there to be a value")
-	require.Equal(t, "value", optionalVal.Unwrap())
+	// Then it returns a Some variant containing the correct value by falling back
+	// to the top level config, with a source of user
+	entry := optionalEntry.Expect("expected there to be a value")
+	require.Equal(t, "value", entry.Value)
+	require.Equal(t, gh.ConfigUserProvided, entry.Source)
 }
 
 func TestFallbackConfig(t *testing.T) {
diff --git a/internal/config/stub.go b/internal/config/stub.go
index ec088ed070f..c8986872146 100644
--- a/internal/config/stub.go
+++ b/internal/config/stub.go
@@ -21,7 +21,7 @@ func NewFromString(cfgStr string) *ghmock.ConfigMock {
 	c := ghConfig.ReadFromString(cfgStr)
 	cfg := cfg{c}
 	mock := &ghmock.ConfigMock{}
-	mock.GetOrDefaultFunc = func(host, key string) o.Option[string] {
+	mock.GetOrDefaultFunc = func(host, key string) o.Option[gh.ConfigEntry] {
 		return cfg.GetOrDefault(host, key)
 	}
 	mock.SetFunc = func(host, key, value string) {
@@ -52,22 +52,22 @@ func NewFromString(cfgStr string) *ghmock.ConfigMock {
 			},
 		}
 	}
-	mock.BrowserFunc = func(hostname string) string {
+	mock.BrowserFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.Browser(hostname)
 	}
-	mock.EditorFunc = func(hostname string) string {
+	mock.EditorFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.Editor(hostname)
 	}
-	mock.GitProtocolFunc = func(hostname string) string {
+	mock.GitProtocolFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.GitProtocol(hostname)
 	}
-	mock.HTTPUnixSocketFunc = func(hostname string) string {
+	mock.HTTPUnixSocketFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.HTTPUnixSocket(hostname)
 	}
-	mock.PagerFunc = func(hostname string) string {
+	mock.PagerFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.Pager(hostname)
 	}
-	mock.PromptFunc = func(hostname string) string {
+	mock.PromptFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.Prompt(hostname)
 	}
 	mock.VersionFunc = func() o.Option[string] {
diff --git a/internal/gh/gh.go b/internal/gh/gh.go
index 5abde3af734..a6db43d6698 100644
--- a/internal/gh/gh.go
+++ b/internal/gh/gh.go
@@ -14,27 +14,39 @@ import (
 	ghConfig "github.com/cli/go-gh/v2/pkg/config"
 )
 
+type ConfigSource string
+
+const (
+	ConfigDefaultProvided ConfigSource = "default"
+	ConfigUserProvided    ConfigSource = "user"
+)
+
+type ConfigEntry struct {
+	Value  string
+	Source ConfigSource
+}
+
 // A Config implements persistent storage and modification of application configuration.
 //
 //go:generate moq -rm -pkg ghmock -out mock/config.go . Config
 type Config interface {
 	// GetOrDefault provides primitive access for fetching configuration values, optionally scoped by host.
-	GetOrDefault(hostname string, key string) o.Option[string]
+	GetOrDefault(hostname string, key string) o.Option[ConfigEntry]
 	// Set provides primitive access for setting configuration values, optionally scoped by host.
 	Set(hostname string, key string, value string)
 
 	// Browser returns the configured browser, optionally scoped by host.
-	Browser(hostname string) string
+	Browser(hostname string) ConfigEntry
 	// Editor returns the configured editor, optionally scoped by host.
-	Editor(hostname string) string
+	Editor(hostname string) ConfigEntry
 	// GitProtocol returns the configured git protocol, optionally scoped by host.
-	GitProtocol(hostname string) string
+	GitProtocol(hostname string) ConfigEntry
 	// HTTPUnixSocket returns the configured HTTP unix socket, optionally scoped by host.
-	HTTPUnixSocket(hostname string) string
+	HTTPUnixSocket(hostname string) ConfigEntry
 	// Pager returns the configured Pager, optionally scoped by host.
-	Pager(hostname string) string
+	Pager(hostname string) ConfigEntry
 	// Prompt returns the configured prompt, optionally scoped by host.
-	Prompt(hostname string) string
+	Prompt(hostname string) ConfigEntry
 
 	// Aliases provides persistent storage and modification of command aliases.
 	Aliases() AliasConfig
diff --git a/internal/gh/mock/config.go b/internal/gh/mock/config.go
index 18d9e0cbc54..502047240b5 100644
--- a/internal/gh/mock/config.go
+++ b/internal/gh/mock/config.go
@@ -25,31 +25,31 @@ var _ gh.Config = &ConfigMock{}
 //			AuthenticationFunc: func() gh.AuthConfig {
 //				panic("mock out the Authentication method")
 //			},
-//			BrowserFunc: func(hostname string) string {
+//			BrowserFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Browser method")
 //			},
 //			CacheDirFunc: func() string {
 //				panic("mock out the CacheDir method")
 //			},
-//			EditorFunc: func(hostname string) string {
+//			EditorFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Editor method")
 //			},
-//			GetOrDefaultFunc: func(hostname string, key string) o.Option[string] {
+//			GetOrDefaultFunc: func(hostname string, key string) o.Option[gh.ConfigEntry] {
 //				panic("mock out the GetOrDefault method")
 //			},
-//			GitProtocolFunc: func(hostname string) string {
+//			GitProtocolFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the GitProtocol method")
 //			},
-//			HTTPUnixSocketFunc: func(hostname string) string {
+//			HTTPUnixSocketFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the HTTPUnixSocket method")
 //			},
 //			MigrateFunc: func(migration gh.Migration) error {
 //				panic("mock out the Migrate method")
 //			},
-//			PagerFunc: func(hostname string) string {
+//			PagerFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Pager method")
 //			},
-//			PromptFunc: func(hostname string) string {
+//			PromptFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Prompt method")
 //			},
 //			SetFunc: func(hostname string, key string, value string)  {
@@ -75,31 +75,31 @@ type ConfigMock struct {
 	AuthenticationFunc func() gh.AuthConfig
 
 	// BrowserFunc mocks the Browser method.
-	BrowserFunc func(hostname string) string
+	BrowserFunc func(hostname string) gh.ConfigEntry
 
 	// CacheDirFunc mocks the CacheDir method.
 	CacheDirFunc func() string
 
 	// EditorFunc mocks the Editor method.
-	EditorFunc func(hostname string) string
+	EditorFunc func(hostname string) gh.ConfigEntry
 
 	// GetOrDefaultFunc mocks the GetOrDefault method.
-	GetOrDefaultFunc func(hostname string, key string) o.Option[string]
+	GetOrDefaultFunc func(hostname string, key string) o.Option[gh.ConfigEntry]
 
 	// GitProtocolFunc mocks the GitProtocol method.
-	GitProtocolFunc func(hostname string) string
+	GitProtocolFunc func(hostname string) gh.ConfigEntry
 
 	// HTTPUnixSocketFunc mocks the HTTPUnixSocket method.
-	HTTPUnixSocketFunc func(hostname string) string
+	HTTPUnixSocketFunc func(hostname string) gh.ConfigEntry
 
 	// MigrateFunc mocks the Migrate method.
 	MigrateFunc func(migration gh.Migration) error
 
 	// PagerFunc mocks the Pager method.
-	PagerFunc func(hostname string) string
+	PagerFunc func(hostname string) gh.ConfigEntry
 
 	// PromptFunc mocks the Prompt method.
-	PromptFunc func(hostname string) string
+	PromptFunc func(hostname string) gh.ConfigEntry
 
 	// SetFunc mocks the Set method.
 	SetFunc func(hostname string, key string, value string)
@@ -250,7 +250,7 @@ func (mock *ConfigMock) AuthenticationCalls() []struct {
 }
 
 // Browser calls BrowserFunc.
-func (mock *ConfigMock) Browser(hostname string) string {
+func (mock *ConfigMock) Browser(hostname string) gh.ConfigEntry {
 	if mock.BrowserFunc == nil {
 		panic("ConfigMock.BrowserFunc: method is nil but Config.Browser was just called")
 	}
@@ -309,7 +309,7 @@ func (mock *ConfigMock) CacheDirCalls() []struct {
 }
 
 // Editor calls EditorFunc.
-func (mock *ConfigMock) Editor(hostname string) string {
+func (mock *ConfigMock) Editor(hostname string) gh.ConfigEntry {
 	if mock.EditorFunc == nil {
 		panic("ConfigMock.EditorFunc: method is nil but Config.Editor was just called")
 	}
@@ -341,7 +341,7 @@ func (mock *ConfigMock) EditorCalls() []struct {
 }
 
 // GetOrDefault calls GetOrDefaultFunc.
-func (mock *ConfigMock) GetOrDefault(hostname string, key string) o.Option[string] {
+func (mock *ConfigMock) GetOrDefault(hostname string, key string) o.Option[gh.ConfigEntry] {
 	if mock.GetOrDefaultFunc == nil {
 		panic("ConfigMock.GetOrDefaultFunc: method is nil but Config.GetOrDefault was just called")
 	}
@@ -377,7 +377,7 @@ func (mock *ConfigMock) GetOrDefaultCalls() []struct {
 }
 
 // GitProtocol calls GitProtocolFunc.
-func (mock *ConfigMock) GitProtocol(hostname string) string {
+func (mock *ConfigMock) GitProtocol(hostname string) gh.ConfigEntry {
 	if mock.GitProtocolFunc == nil {
 		panic("ConfigMock.GitProtocolFunc: method is nil but Config.GitProtocol was just called")
 	}
@@ -409,7 +409,7 @@ func (mock *ConfigMock) GitProtocolCalls() []struct {
 }
 
 // HTTPUnixSocket calls HTTPUnixSocketFunc.
-func (mock *ConfigMock) HTTPUnixSocket(hostname string) string {
+func (mock *ConfigMock) HTTPUnixSocket(hostname string) gh.ConfigEntry {
 	if mock.HTTPUnixSocketFunc == nil {
 		panic("ConfigMock.HTTPUnixSocketFunc: method is nil but Config.HTTPUnixSocket was just called")
 	}
@@ -473,7 +473,7 @@ func (mock *ConfigMock) MigrateCalls() []struct {
 }
 
 // Pager calls PagerFunc.
-func (mock *ConfigMock) Pager(hostname string) string {
+func (mock *ConfigMock) Pager(hostname string) gh.ConfigEntry {
 	if mock.PagerFunc == nil {
 		panic("ConfigMock.PagerFunc: method is nil but Config.Pager was just called")
 	}
@@ -505,7 +505,7 @@ func (mock *ConfigMock) PagerCalls() []struct {
 }
 
 // Prompt calls PromptFunc.
-func (mock *ConfigMock) Prompt(hostname string) string {
+func (mock *ConfigMock) Prompt(hostname string) gh.ConfigEntry {
 	if mock.PromptFunc == nil {
 		panic("ConfigMock.PromptFunc: method is nil but Config.Prompt was just called")
 	}
diff --git a/pkg/cmd/auth/refresh/refresh.go b/pkg/cmd/auth/refresh/refresh.go
index 4e675c5325c..262b8fb31ef 100644
--- a/pkg/cmd/auth/refresh/refresh.go
+++ b/pkg/cmd/auth/refresh/refresh.go
@@ -177,7 +177,7 @@ func refreshRun(opts *RefreshOptions) error {
 		Prompter:   opts.Prompter,
 		GitClient:  opts.GitClient,
 	}
-	gitProtocol := cfg.GitProtocol(hostname)
+	gitProtocol := cfg.GitProtocol(hostname).Value
 	if opts.Interactive && gitProtocol == "https" {
 		if err := credentialFlow.Prompt(hostname); err != nil {
 			return err
diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index deb5ca6a13d..153c03c0483 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -201,7 +201,7 @@ func statusRun(opts *StatusOptions) error {
 		}
 
 		var activeUser string
-		gitProtocol := cfg.GitProtocol(hostname)
+		gitProtocol := cfg.GitProtocol(hostname).Value
 		activeUserToken, activeUserTokenSource := authCfg.ActiveToken(hostname)
 		if authTokenWriteable(activeUserTokenSource) {
 			activeUser, _ = authCfg.ActiveUser(hostname)
diff --git a/pkg/cmd/config/get/get.go b/pkg/cmd/config/get/get.go
index 82d75111bbf..bec22a979ff 100644
--- a/pkg/cmd/config/get/get.go
+++ b/pkg/cmd/config/get/get.go
@@ -64,12 +64,12 @@ func getRun(opts *GetOptions) error {
 		return nil
 	}
 
-	optionalValue := opts.Config.GetOrDefault(opts.Hostname, opts.Key)
-	if optionalValue.IsNone() {
+	optionalEntry := opts.Config.GetOrDefault(opts.Hostname, opts.Key)
+	if optionalEntry.IsNone() {
 		return nonExistentKeyError{key: opts.Key}
 	}
 
-	val := optionalValue.Unwrap()
+	val := optionalEntry.Unwrap().Value
 	if val != "" {
 		fmt.Fprintf(opts.IO.Out, "%s\n", val)
 	}
diff --git a/pkg/cmd/config/set/set_test.go b/pkg/cmd/config/set/set_test.go
index 98c5fb1f210..adfb7ba7492 100644
--- a/pkg/cmd/config/set/set_test.go
+++ b/pkg/cmd/config/set/set_test.go
@@ -150,9 +150,10 @@ func Test_setRun(t *testing.T) {
 			assert.Equal(t, tt.stdout, stdout.String())
 			assert.Equal(t, tt.stderr, stderr.String())
 
-			optionalValue := tt.input.Config.GetOrDefault(tt.input.Hostname, tt.input.Key)
-			assert.True(t, optionalValue.IsSome(), "expected value to be set")
-			assert.Equal(t, tt.expectedValue, optionalValue.Unwrap())
+			optionalEntry := tt.input.Config.GetOrDefault(tt.input.Hostname, tt.input.Key)
+			entry := optionalEntry.Expect("expected a value to be set")
+			assert.Equal(t, tt.expectedValue, entry.Value)
+			assert.Equal(t, gh.ConfigUserProvided, entry.Source)
 		})
 	}
 }
diff --git a/pkg/cmd/extension/manager.go b/pkg/cmd/extension/manager.go
index 37d80573a94..0ab429c2e8e 100644
--- a/pkg/cmd/extension/manager.go
+++ b/pkg/cmd/extension/manager.go
@@ -347,7 +347,7 @@ func writeManifest(dir, name string, data []byte) (writeErr error) {
 }
 
 func (m *Manager) installGit(repo ghrepo.Interface, target string) error {
-	protocol := m.config.GitProtocol(repo.RepoHost())
+	protocol := m.config.GitProtocol(repo.RepoHost()).Value
 	cloneURL := ghrepo.FormatRemoteURL(repo, protocol)
 
 	var commitSHA string
diff --git a/pkg/cmd/factory/default.go b/pkg/cmd/factory/default.go
index cb38c10feca..7abf3ca5f5f 100644
--- a/pkg/cmd/factory/default.go
+++ b/pkg/cmd/factory/default.go
@@ -185,7 +185,7 @@ func ioStreams(f *cmdutil.Factory) *iostreams.IOStreams {
 
 	if _, ghPromptDisabled := os.LookupEnv("GH_PROMPT_DISABLED"); ghPromptDisabled {
 		io.SetNeverPrompt(true)
-	} else if prompt := cfg.Prompt(""); prompt == "disabled" {
+	} else if prompt := cfg.Prompt(""); prompt.Value == "disabled" {
 		io.SetNeverPrompt(true)
 	}
 
@@ -195,8 +195,8 @@ func ioStreams(f *cmdutil.Factory) *iostreams.IOStreams {
 	// 3. PAGER
 	if ghPager, ghPagerExists := os.LookupEnv("GH_PAGER"); ghPagerExists {
 		io.SetPager(ghPager)
-	} else if pager := cfg.Pager(""); pager != "" {
-		io.SetPager(pager)
+	} else if pager := cfg.Pager(""); pager.Value != "" {
+		io.SetPager(pager.Value)
 	}
 
 	return io
diff --git a/pkg/cmd/gist/clone/clone.go b/pkg/cmd/gist/clone/clone.go
index 0f50bce31b3..6fa6f226aaa 100644
--- a/pkg/cmd/gist/clone/clone.go
+++ b/pkg/cmd/gist/clone/clone.go
@@ -80,7 +80,7 @@ func cloneRun(opts *CloneOptions) error {
 			return err
 		}
 		hostname, _ := cfg.Authentication().DefaultHost()
-		protocol := cfg.GitProtocol(hostname)
+		protocol := cfg.GitProtocol(hostname).Value
 		gistURL = formatRemoteURL(hostname, gistURL, protocol)
 	}
 
diff --git a/pkg/cmd/pr/checkout/checkout.go b/pkg/cmd/pr/checkout/checkout.go
index f47f579f2c7..f566cbe1d66 100644
--- a/pkg/cmd/pr/checkout/checkout.go
+++ b/pkg/cmd/pr/checkout/checkout.go
@@ -84,7 +84,7 @@ func checkoutRun(opts *CheckoutOptions) error {
 	if err != nil {
 		return err
 	}
-	protocol := cfg.GitProtocol(baseRepo.RepoHost())
+	protocol := cfg.GitProtocol(baseRepo.RepoHost()).Value
 
 	remotes, err := opts.Remotes()
 	if err != nil {
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index 54b6358ac59..7c3faecc3fe 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -870,7 +870,7 @@ func handlePush(opts CreateOptions, ctx CreateContext) error {
 			return err
 		}
 
-		cloneProtocol := cfg.GitProtocol(headRepo.RepoHost())
+		cloneProtocol := cfg.GitProtocol(headRepo.RepoHost()).Value
 		headRepoURL := ghrepo.FormatRemoteURL(headRepo, cloneProtocol)
 		gitClient := ctx.GitClient
 		origin, _ := remotes.FindByName("origin")
diff --git a/pkg/cmd/repo/clone/clone.go b/pkg/cmd/repo/clone/clone.go
index 28001e6fe18..1466cd96a0d 100644
--- a/pkg/cmd/repo/clone/clone.go
+++ b/pkg/cmd/repo/clone/clone.go
@@ -153,7 +153,7 @@ func cloneRun(opts *CloneOptions) error {
 			return err
 		}
 
-		protocol = cfg.GitProtocol(repo.RepoHost())
+		protocol = cfg.GitProtocol(repo.RepoHost()).Value
 	}
 
 	wantsWiki := strings.HasSuffix(repo.RepoName(), ".wiki")
@@ -187,7 +187,7 @@ func cloneRun(opts *CloneOptions) error {
 
 	// If the repo is a fork, add the parent as an upstream remote and set the parent as the default repo.
 	if canonicalRepo.Parent != nil {
-		protocol := cfg.GitProtocol(canonicalRepo.Parent.RepoHost())
+		protocol := cfg.GitProtocol(canonicalRepo.Parent.RepoHost()).Value
 		upstreamURL := ghrepo.FormatRemoteURL(canonicalRepo.Parent, protocol)
 
 		upstreamName := opts.UpstreamName
diff --git a/pkg/cmd/repo/create/create.go b/pkg/cmd/repo/create/create.go
index af30f402970..48a331bddbb 100644
--- a/pkg/cmd/repo/create/create.go
+++ b/pkg/cmd/repo/create/create.go
@@ -396,7 +396,7 @@ func createFromScratch(opts *CreateOptions) error {
 	}
 
 	if opts.Clone {
-		protocol := cfg.GitProtocol(repo.RepoHost())
+		protocol := cfg.GitProtocol(repo.RepoHost()).Value
 		remoteURL := ghrepo.FormatRemoteURL(repo, protocol)
 
 		if !opts.AddReadme && opts.LicenseTemplate == "" && opts.GitIgnoreTemplate == "" && opts.Template == "" {
@@ -494,7 +494,7 @@ func createFromTemplate(opts *CreateOptions) error {
 	}
 
 	if opts.Clone {
-		protocol := cfg.GitProtocol(repo.RepoHost())
+		protocol := cfg.GitProtocol(repo.RepoHost()).Value
 		remoteURL := ghrepo.FormatRemoteURL(repo, protocol)
 
 		if err := cloneWithRetry(opts, remoteURL, templateRepoMainBranch); err != nil {
@@ -617,7 +617,7 @@ func createFromLocal(opts *CreateOptions) error {
 		fmt.Fprintln(stdout, repo.URL)
 	}
 
-	protocol := cfg.GitProtocol(repo.RepoHost())
+	protocol := cfg.GitProtocol(repo.RepoHost()).Value
 	remoteURL := ghrepo.FormatRemoteURL(repo, protocol)
 
 	if opts.Interactive {
diff --git a/pkg/cmd/repo/fork/fork.go b/pkg/cmd/repo/fork/fork.go
index a5e9066b272..a49f5d567d0 100644
--- a/pkg/cmd/repo/fork/fork.go
+++ b/pkg/cmd/repo/fork/fork.go
@@ -243,7 +243,9 @@ func forkRun(opts *ForkOptions) error {
 	if err != nil {
 		return err
 	}
-	protocol := cfg.GitProtocol(repoToFork.RepoHost())
+	protocolConfig := cfg.GitProtocol(repoToFork.RepoHost())
+	protocolIsConfiguredByUser := protocolConfig.Source == gh.ConfigUserProvided
+	protocol := protocolConfig.Value
 
 	gitClient := opts.GitClient
 	ctx := context.Background()
@@ -254,7 +256,7 @@ func forkRun(opts *ForkOptions) error {
 			return err
 		}
 
-		if protocol == "" { // user has no set preference
+		if !protocolIsConfiguredByUser {
 			if remote, err := remotes.FindByRepo(repoToFork.RepoOwner(), repoToFork.RepoName()); err == nil {
 				scheme := ""
 				if remote.FetchURL != nil {
diff --git a/pkg/cmd/repo/fork/fork_test.go b/pkg/cmd/repo/fork/fork_test.go
index b1b62e11ad8..0f94496f0c4 100644
--- a/pkg/cmd/repo/fork/fork_test.go
+++ b/pkg/cmd/repo/fork/fork_test.go
@@ -234,6 +234,9 @@ func TestRepoFork(t *testing.T) {
 					Repo: ghrepo.New("OWNER", "REPO"),
 				},
 			},
+			cfgStubs: func(_ *testing.T, c gh.Config) {
+				c.Set("", "git_protocol", "https")
+			},
 			httpStubs: forkPost,
 			execStubs: func(cs *run.CommandStubber) {
 				cs.Register(`git remote add fork https://github\.com/someone/REPO\.git`, 0, "")
@@ -255,9 +258,6 @@ func TestRepoFork(t *testing.T) {
 					Repo: ghrepo.New("OWNER", "REPO"),
 				},
 			},
-			cfgStubs: func(_ *testing.T, c gh.Config) {
-				c.Set("", "git_protocol", "")
-			},
 			httpStubs: forkPost,
 			execStubs: func(cs *run.CommandStubber) {
 				cs.Register(`git remote add fork git@github\.com:someone/REPO\.git`, 0, "")
diff --git a/pkg/cmd/repo/rename/rename.go b/pkg/cmd/repo/rename/rename.go
index 7a011b4e3ff..3676f93fee3 100644
--- a/pkg/cmd/repo/rename/rename.go
+++ b/pkg/cmd/repo/rename/rename.go
@@ -153,7 +153,7 @@ func updateRemote(repo ghrepo.Interface, renamed ghrepo.Interface, opts *RenameO
 		return nil, err
 	}
 
-	protocol := cfg.GitProtocol(repo.RepoHost())
+	protocol := cfg.GitProtocol(repo.RepoHost()).Value
 
 	remotes, err := opts.Remotes()
 	if err != nil {
diff --git a/pkg/cmdutil/legacy.go b/pkg/cmdutil/legacy.go
index 0cc9674e10a..04e72aedb53 100644
--- a/pkg/cmdutil/legacy.go
+++ b/pkg/cmdutil/legacy.go
@@ -16,7 +16,7 @@ func DetermineEditor(cf func() (gh.Config, error)) (string, error) {
 		if err != nil {
 			return "", fmt.Errorf("could not read config: %w", err)
 		}
-		editorCommand = cfg.Editor("")
+		editorCommand = cfg.Editor("").Value
 	}
 
 	return editorCommand, nil
diff --git a/pkg/option/option.go b/pkg/option/option.go
index 30fdc141264..081ccb6325b 100644
--- a/pkg/option/option.go
+++ b/pkg/option/option.go
@@ -117,3 +117,11 @@ func (o Option[T]) Expect(message string) T {
 
 	panic(message)
 }
+
+func Map[T, U any](o Option[T], f func(T) U) Option[U] {
+	if o.present {
+		return Some(f(o.value))
+	}
+
+	return None[U]()
+}
diff --git a/pkg/option/option_test.go b/pkg/option/option_test.go
index 5e5068124af..0f28dd5d436 100644
--- a/pkg/option/option_test.go
+++ b/pkg/option/option_test.go
@@ -99,6 +99,19 @@ func ExampleOption_Expect() {
 	// Output: 4
 }
 
+func ExampleMap() {
+	fmt.Println(o.Map(o.Some(2), double))
+	fmt.Println(o.Map(o.None[int](), double))
+
+	// Output:
+	// Some(4)
+	// None
+}
+
+func double(i int) int {
+	return i * 2
+}
+
 func TestSomeStringer(t *testing.T) {
 	require.Equal(t, fmt.Sprintf("%s", o.Some("foo")), "Some(foo)") //nolint:gosimple
 	require.Equal(t, fmt.Sprintf("%s", o.Some(42)), "Some(42)")     //nolint:gosimple
@@ -179,3 +192,8 @@ func TestNoneExpect(t *testing.T) {
 	o.None[int]().Expect("oops")
 	t.Error("did not panic")
 }
+
+func TestMap(t *testing.T) {
+	require.Equal(t, o.Map(o.Some(2), double), o.Some(4))
+	require.True(t, o.Map(o.None[int](), double).IsNone())
+}

From bc5329e9dbefd252a749c22b9fc8b8170942b81d Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 18:09:58 +0200
Subject: [PATCH 046/253] Fix mistaken find and replace for Option type

---
 internal/config/config.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index a671f152191..082adb6f021 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -177,7 +177,7 @@ func defaultFor(key string) o.Option[string] {
 	return o.None[string]()
 }
 
-// AuthConfig is used for interacting with o.Some persistent configuration for gh,
+// AuthConfig is used for interacting with some persistent configuration for gh,
 // with knowledge on how to access encrypted storage when neccesarry.
 // Behavior is scoped to authentication specific tasks.
 type AuthConfig struct {
@@ -344,7 +344,7 @@ func (c *AuthConfig) SwitchUser(hostname, user string) error {
 	if err != nil {
 		// Given that activateUser can only fail before the config is written, or when writing the config
 		// we know for sure that the config has not been written. However, we still should restore it back
-		// to its previous clean state just in case o.Something else tries to make use of the config, or tries
+		// to its previous clean state just in case something else tries to make use of the config, or tries
 		// to write it again.
 		if previousSource == "keyring" {
 			if setErr := keyring.Set(keyringServiceName(hostname), "", previouslyActiveToken); setErr != nil {

From 88631d13d4027acb76f0f7b18e5a7dea0e2454ea Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Wed, 8 May 2024 18:14:36 +0200
Subject: [PATCH 047/253] Remove unnecessary config list variable

---
 pkg/cmd/config/list/list.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/pkg/cmd/config/list/list.go b/pkg/cmd/config/list/list.go
index 6cac775faad..1cfb92c87f5 100644
--- a/pkg/cmd/config/list/list.go
+++ b/pkg/cmd/config/list/list.go
@@ -55,9 +55,7 @@ func listRun(opts *ListOptions) error {
 		host, _ = cfg.Authentication().DefaultHost()
 	}
 
-	configOptions := config.Options
-
-	for _, option := range configOptions {
+	for _, option := range config.Options {
 		fmt.Fprintf(opts.IO.Out, "%s=%s\n", option.Key, option.CurrentValue(cfg, host))
 	}
 

From 85e81a50daeedd86dc6dfd35329603bda92e9ed3 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 10 May 2024 10:55:34 +0200
Subject: [PATCH 048/253] Comment further on config changes

---
 internal/config/config.go | 18 ++++++++++++------
 pkg/option/option.go      |  1 +
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 082adb6f021..fbdcdef9539 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -60,16 +60,22 @@ func (c *cfg) get(hostname, key string) o.Option[string] {
 
 func (c *cfg) GetOrDefault(hostname, key string) o.Option[gh.ConfigEntry] {
 	if val := c.get(hostname, key); val.IsSome() {
+		// Map the Option[string] to Option[gh.ConfigEntry] with a source of ConfigUserProvided
 		return o.Map(val, toConfigEntry(gh.ConfigUserProvided))
 	}
 
 	if defaultVal := defaultFor(key); defaultVal.IsSome() {
+		// Map the Option[string] to Option[gh.ConfigEntry] with a source of ConfigDefaultProvided
 		return o.Map(defaultVal, toConfigEntry(gh.ConfigDefaultProvided))
 	}
 
 	return o.None[gh.ConfigEntry]()
 }
 
+// toConfigEntry is a helper function to convert a string value to a ConfigEntry with a given source.
+//
+// It's a bit of FP style but it allows us to map an Option[string] to Option[gh.ConfigEntry] without
+// unwrapping the it and rewrapping it.
 func toConfigEntry(source gh.ConfigSource) func(val string) gh.ConfigEntry {
 	return func(val string) gh.ConfigEntry {
 		return gh.ConfigEntry{Value: val, Source: source}
@@ -102,32 +108,32 @@ func (c *cfg) Authentication() gh.AuthConfig {
 }
 
 func (c *cfg) Browser(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, browserKey).Unwrap()
 }
 
 func (c *cfg) Editor(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, editorKey).Unwrap()
 }
 
 func (c *cfg) GitProtocol(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, gitProtocolKey).Unwrap()
 }
 
 func (c *cfg) HTTPUnixSocket(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, httpUnixSocketKey).Unwrap()
 }
 
 func (c *cfg) Pager(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, pagerKey).Unwrap()
 }
 
 func (c *cfg) Prompt(hostname string) gh.ConfigEntry {
-	// Intentionally panic as this is a programmer error
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
 	return c.GetOrDefault(hostname, promptKey).Unwrap()
 }
 
diff --git a/pkg/option/option.go b/pkg/option/option.go
index 081ccb6325b..84aa8a6a238 100644
--- a/pkg/option/option.go
+++ b/pkg/option/option.go
@@ -118,6 +118,7 @@ func (o Option[T]) Expect(message string) T {
 	panic(message)
 }
 
+// Map applies a function to the contained value of (if [Some]), or returns [None].
 func Map[T, U any](o Option[T], f func(T) U) Option[U] {
 	if o.present {
 		return Some(f(o.value))

From a9fa1407b6f97156fab8455f9fd3f23079388f83 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 10 May 2024 11:05:59 +0200
Subject: [PATCH 049/253] Add further docs to Option type

---
 pkg/option/option.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/option/option.go b/pkg/option/option.go
index 84aa8a6a238..8d3b70f3f7c 100644
--- a/pkg/option/option.go
+++ b/pkg/option/option.go
@@ -19,6 +19,12 @@
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
+
+// o provides an Option type to represent values that may or may not be present.
+//
+// This code was copies from https://github.com/BooleanCat/go-functional@ae5a155c0e997d1c5de53ea8b49109aca9c53d9f
+// and we've added the Map function and associated tests. It was pulled into the project because I believe if we're
+// using Option, it should be a core domain type rather than a dependency.
 package o
 
 import "fmt"
@@ -119,6 +125,9 @@ func (o Option[T]) Expect(message string) T {
 }
 
 // Map applies a function to the contained value of (if [Some]), or returns [None].
+//
+// Use this function very sparingly as it can lead to very unidiomatic and surprising Go code. However,
+// there are times when used judiciiously, it is significantly more ergonomic than unwrapping the Option.
 func Map[T, U any](o Option[T], f func(T) U) Option[U] {
 	if o.present {
 		return Some(f(o.value))

From b918967bf5d81a5da6e998712565991221243eb4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 May 2024 14:53:11 +0000
Subject: [PATCH 050/253] build(deps): bump github.com/sigstore/protobuf-specs
 from 0.3.1 to 0.3.2

Bumps [github.com/sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/sigstore/protobuf-specs/releases)
- [Changelog](https://github.com/sigstore/protobuf-specs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/protobuf-specs/compare/v0.3.1...v0.3.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/protobuf-specs
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 3e6e52ce627..b39baffd0bf 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/rivo/tview v0.0.0-20221029100920-c4a7e501810d
 	github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278
-	github.com/sigstore/protobuf-specs v0.3.1
+	github.com/sigstore/protobuf-specs v0.3.2
 	github.com/sigstore/sigstore-go v0.3.0
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
@@ -48,7 +48,7 @@ require (
 	golang.org/x/term v0.19.0
 	golang.org/x/text v0.14.0
 	google.golang.org/grpc v1.62.2
-	google.golang.org/protobuf v1.33.0
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/h2non/gock.v1 v1.1.2
 	gopkg.in/yaml.v3 v3.0.1
 )
diff --git a/go.sum b/go.sum
index 6cb70bf60df..1af962cac3f 100644
--- a/go.sum
+++ b/go.sum
@@ -384,8 +384,8 @@ github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278 h1:kdEGVAV4sO46D
 github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278/go.mod h1:zqMwyHmnN/eDOZOdiTohqIUKUrTFX62PNlu7IJdu0q8=
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
 github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
-github.com/sigstore/protobuf-specs v0.3.1 h1:9aJQrPq7iRDSLBNg//zsP7tAzxdHnD1sA+1FyCCrkrQ=
-github.com/sigstore/protobuf-specs v0.3.1/go.mod h1:HfkcPi5QXteuew4+c5ONz8vYQ8aOH//ZTQ3gg0X8ZUA=
+github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWwQvORuRQo=
+github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
 github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=
@@ -543,8 +543,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.62.2 h1:iEIj1U5qjyBjzkM5nk3Fq+S1IbjbXSyqeULZ1Nfo4AA=
 google.golang.org/grpc v1.62.2/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

From 178fc2e51ead22bd0ef2904b4b5e3018d657914d Mon Sep 17 00:00:00 2001
From: nobe4 <nobe4@users.noreply.github.com>
Date: Tue, 14 May 2024 07:57:38 +0200
Subject: [PATCH 051/253] feat: add json output for PR checks

---
 pkg/cmd/pr/checks/checks.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pkg/cmd/pr/checks/checks.go b/pkg/cmd/pr/checks/checks.go
index 335226a9c74..26931b99280 100644
--- a/pkg/cmd/pr/checks/checks.go
+++ b/pkg/cmd/pr/checks/checks.go
@@ -20,10 +20,23 @@ import (
 
 const defaultInterval time.Duration = 10 * time.Second
 
+var prChecksFields = []string{
+	"name",
+	"state",
+	"startedAt",
+	"completedAt",
+	"link",
+	"bucket",
+	"event",
+	"workflow",
+	"description",
+}
+
 type ChecksOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
 	Browser    browser.Browser
+	Exporter   cmdutil.Exporter
 
 	Finder   shared.PRFinder
 	Detector fd.Detector
@@ -97,6 +110,8 @@ func NewCmdChecks(f *cmdutil.Factory, runF func(*ChecksOptions) error) *cobra.Co
 	cmd.Flags().IntVarP(&interval, "interval", "i", 10, "Refresh interval in seconds when using `--watch` flag")
 	cmd.Flags().BoolVar(&opts.Required, "required", false, "Only show checks that are required")
 
+	cmdutil.AddJSONFlags(cmd, &opts.Exporter, prChecksFields)
+
 	return cmd
 }
 
@@ -161,6 +176,10 @@ func checksRun(opts *ChecksOptions) error {
 		return err
 	}
 
+	if opts.Exporter != nil {
+		return opts.Exporter.Write(opts.IO, checks)
+	}
+
 	if opts.Watch {
 		opts.IO.StartAlternateScreenBuffer()
 	} else {

From 8a1995c98d728dccb2e3dc5bae034c583ea646ed Mon Sep 17 00:00:00 2001
From: nobe4 <nobe4@users.noreply.github.com>
Date: Tue, 14 May 2024 08:05:47 +0200
Subject: [PATCH 052/253] fix: rename fields list

---
 pkg/cmd/pr/checks/checks.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/checks/checks.go b/pkg/cmd/pr/checks/checks.go
index 26931b99280..bbf2f453bec 100644
--- a/pkg/cmd/pr/checks/checks.go
+++ b/pkg/cmd/pr/checks/checks.go
@@ -20,7 +20,7 @@ import (
 
 const defaultInterval time.Duration = 10 * time.Second
 
-var prChecksFields = []string{
+var prCheckFields = []string{
 	"name",
 	"state",
 	"startedAt",
@@ -110,7 +110,7 @@ func NewCmdChecks(f *cmdutil.Factory, runF func(*ChecksOptions) error) *cobra.Co
 	cmd.Flags().IntVarP(&interval, "interval", "i", 10, "Refresh interval in seconds when using `--watch` flag")
 	cmd.Flags().BoolVar(&opts.Required, "required", false, "Only show checks that are required")
 
-	cmdutil.AddJSONFlags(cmd, &opts.Exporter, prChecksFields)
+	cmdutil.AddJSONFlags(cmd, &opts.Exporter, prCheckFields)
 
 	return cmd
 }

From ac5510362b68198786a4494a2e914ea4d25867d3 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Tue, 14 May 2024 09:49:07 -0400
Subject: [PATCH 053/253] Implement ExportData to filter json fields

In order to filter json fields, the `ExportData` interface needed to be implemented with logic that iterated on the selected fields.
---
 pkg/cmd/pr/checks/aggregate.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/pr/checks/aggregate.go b/pkg/cmd/pr/checks/aggregate.go
index 40e34e79a9d..91cec43355e 100644
--- a/pkg/cmd/pr/checks/aggregate.go
+++ b/pkg/cmd/pr/checks/aggregate.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/pkg/cmdutil"
 )
 
 type check struct {
@@ -28,6 +29,10 @@ type checkCounts struct {
 	Canceled int
 }
 
+func (ch *check) ExportData(fields []string) map[string]interface{} {
+	return cmdutil.StructExportData(ch, fields)
+}
+
 func aggregateChecks(checkContexts []api.CheckContext, requiredChecks bool) (checks []check, counts checkCounts) {
 	for _, c := range eliminateDuplicates(checkContexts) {
 		if requiredChecks && !c.IsRequired {

From c80ba706a384bb887494ef081f7bed7132e1da3b Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Tue, 14 May 2024 22:18:32 +0200
Subject: [PATCH 054/253] WIP add remote check to secret and variable commands

---
 pkg/cmd/secret/delete/delete.go   | 12 ++++++++++++
 pkg/cmd/secret/list/list.go       | 12 ++++++++++++
 pkg/cmd/secret/set/set.go         | 13 +++++++++++++
 pkg/cmd/variable/delete/delete.go | 11 +++++++++++
 pkg/cmd/variable/list/list.go     | 12 ++++++++++++
 pkg/cmd/variable/set/set.go       | 13 +++++++++++++
 pkg/cmdutil/errors.go             | 16 ++++++++++++++++
 7 files changed, 89 insertions(+)

diff --git a/pkg/cmd/secret/delete/delete.go b/pkg/cmd/secret/delete/delete.go
index 9a299ce4fa1..f996d6f17b8 100644
--- a/pkg/cmd/secret/delete/delete.go
+++ b/pkg/cmd/secret/delete/delete.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
@@ -19,12 +20,15 @@ type DeleteOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 
 	SecretName  string
 	OrgName     string
 	EnvName     string
 	UserSecrets bool
 	Application string
+
+	HasRepoOverride bool
 }
 
 func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Command {
@@ -32,6 +36,7 @@ func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Co
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 	}
 
 	cmd := &cobra.Command{
@@ -53,6 +58,8 @@ func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Co
 				return err
 			}
 
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
+
 			opts.SecretName = args[0]
 
 			if runF != nil {
@@ -103,6 +110,11 @@ func removeRun(opts *DeleteOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
 	}
 
 	var path string
diff --git a/pkg/cmd/secret/list/list.go b/pkg/cmd/secret/list/list.go
index 9e1fd305d04..b87c31998cb 100644
--- a/pkg/cmd/secret/list/list.go
+++ b/pkg/cmd/secret/list/list.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/tableprinter"
@@ -23,6 +24,7 @@ type ListOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 	Now        func() time.Time
 	Exporter   cmdutil.Exporter
 
@@ -30,6 +32,8 @@ type ListOptions struct {
 	EnvName     string
 	UserSecrets bool
 	Application string
+
+	HasRepoOverride bool
 }
 
 var secretFields = []string{
@@ -47,6 +51,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 		Now:        time.Now,
 	}
 
@@ -70,6 +75,8 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 				return err
 			}
 
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
+
 			if runF != nil {
 				return runF(opts)
 			}
@@ -101,6 +108,11 @@ func listRun(opts *ListOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
 	}
 
 	secretEntity, err := shared.GetSecretEntity(orgName, envName, opts.UserSecrets)
diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index 755bdda1f8b..dade133af2a 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/secret/shared"
@@ -27,6 +28,7 @@ type SetOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 	Prompter   iprompter
 
 	RandomOverride func() io.Reader
@@ -41,6 +43,8 @@ type SetOptions struct {
 	RepositoryNames []string
 	EnvFile         string
 	Application     string
+
+	HasRepoOverride bool
 }
 
 type iprompter interface {
@@ -52,6 +56,7 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 		Prompter:   f.Prompter,
 	}
 
@@ -144,6 +149,8 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 				}
 			}
 
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
+
 			if runF != nil {
 				return runF(opts)
 			}
@@ -187,6 +194,12 @@ func setRun(opts *SetOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
+
 		host = baseRepo.RepoHost()
 	} else {
 		cfg, err := opts.Config()
diff --git a/pkg/cmd/variable/delete/delete.go b/pkg/cmd/variable/delete/delete.go
index 3617f318802..6bea12d56df 100644
--- a/pkg/cmd/variable/delete/delete.go
+++ b/pkg/cmd/variable/delete/delete.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
@@ -19,10 +20,13 @@ type DeleteOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 
 	VariableName string
 	OrgName      string
 	EnvName      string
+
+	HasRepoOverride bool
 }
 
 func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Command {
@@ -30,6 +34,7 @@ func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Co
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 	}
 
 	cmd := &cobra.Command{
@@ -51,6 +56,7 @@ func NewCmdDelete(f *cmdutil.Factory, runF func(*DeleteOptions) error) *cobra.Co
 			}
 
 			opts.VariableName = args[0]
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
 
 			if runF != nil {
 				return runF(opts)
@@ -89,6 +95,11 @@ func removeRun(opts *DeleteOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
 	}
 
 	var path string
diff --git a/pkg/cmd/variable/list/list.go b/pkg/cmd/variable/list/list.go
index 1c29cfe2fcb..9389dbdf5b5 100644
--- a/pkg/cmd/variable/list/list.go
+++ b/pkg/cmd/variable/list/list.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/tableprinter"
@@ -22,12 +23,15 @@ type ListOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 	Now        func() time.Time
 
 	Exporter cmdutil.Exporter
 
 	OrgName string
 	EnvName string
+
+	HasRepoOverride bool
 }
 
 var variableFields = []string{
@@ -44,6 +48,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 		Now:        time.Now,
 	}
 
@@ -66,6 +71,8 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 				return err
 			}
 
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
+
 			if runF != nil {
 				return runF(opts)
 			}
@@ -96,6 +103,11 @@ func listRun(opts *ListOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
 	}
 
 	variableEntity, err := shared.GetVariableEntity(orgName, envName)
diff --git a/pkg/cmd/variable/set/set.go b/pkg/cmd/variable/set/set.go
index 890c1e3fa1a..55f74666f9b 100644
--- a/pkg/cmd/variable/set/set.go
+++ b/pkg/cmd/variable/set/set.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
+	ghContext "github.com/cli/cli/v2/context"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
@@ -29,6 +30,7 @@ type SetOptions struct {
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
+	Remotes    func() (ghContext.Remotes, error)
 	Prompter   iprompter
 
 	VariableName    string
@@ -38,6 +40,8 @@ type SetOptions struct {
 	Visibility      string
 	RepositoryNames []string
 	EnvFile         string
+
+	HasRepoOverride bool
 }
 
 func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command {
@@ -45,6 +49,7 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 		IO:         f.IOStreams,
 		Config:     f.Config,
 		HttpClient: f.HttpClient,
+		Remotes:    f.Remotes,
 		Prompter:   f.Prompter,
 	}
 
@@ -121,6 +126,8 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 				}
 			}
 
+			opts.HasRepoOverride = cmd.Flags().Changed("repo")
+
 			if runF != nil {
 				return runF(opts)
 			}
@@ -161,6 +168,12 @@ func setRun(opts *SetOptions) error {
 		if err != nil {
 			return err
 		}
+
+		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
+		if err != nil {
+			return err
+		}
+
 		host = baseRepo.RepoHost()
 	} else {
 		cfg, err := opts.Config()
diff --git a/pkg/cmdutil/errors.go b/pkg/cmdutil/errors.go
index 26a059d251b..4d8defbec58 100644
--- a/pkg/cmdutil/errors.go
+++ b/pkg/cmdutil/errors.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/AlecAivazis/survey/v2/terminal"
+	ghContext "github.com/cli/cli/v2/context"
 )
 
 // FlagErrorf returns a new FlagError that wraps an error produced by
@@ -57,6 +58,21 @@ func MutuallyExclusive(message string, conditions ...bool) error {
 	return nil
 }
 
+func ValidateHasOnlyOneRemote(hasRepoOverride bool, remotes func() (ghContext.Remotes, error)) error {
+	if !hasRepoOverride {
+		remotes, err := remotes()
+		if err != nil {
+			return err
+		}
+
+		if remotes.Len() > 1 {
+			return fmt.Errorf("multiple remotes detected %v. please specify which repo to use by providing the -R or --repo argument", remotes)
+		}
+	}
+
+	return nil
+}
+
 type NoResultsError struct {
 	message string
 }

From a6c0d3b0b37692f00beb85fbc9bdf8483d5e9f22 Mon Sep 17 00:00:00 2001
From: leevic31 <leevic31@gmail.com>
Date: Wed, 15 May 2024 15:29:12 -0400
Subject: [PATCH 055/253] removed tty message

---
 pkg/cmd/extension/command.go      | 12 +-----------
 pkg/cmd/extension/command_test.go | 16 ++++++++--------
 2 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/pkg/cmd/extension/command.go b/pkg/cmd/extension/command.go
index ae0cc77031e..aa005ddbc02 100644
--- a/pkg/cmd/extension/command.go
+++ b/pkg/cmd/extension/command.go
@@ -63,17 +63,7 @@ func NewCmdExtension(f *cmdutil.Factory) *cobra.Command {
 			}
 			return cmdutil.SilentError
 		}
-		if io.IsStdoutTTY() {
-			successStr := "Successfully"
-			if flagDryRun {
-				successStr = "Would have"
-			}
-			extensionStr := "extension"
-			if name == "" {
-				extensionStr = "extensions"
-			}
-			fmt.Fprintf(io.Out, "%s %s upgraded %s\n", cs.SuccessIcon(), successStr, extensionStr)
-		}
+
 		return nil
 	}
 
diff --git a/pkg/cmd/extension/command_test.go b/pkg/cmd/extension/command_test.go
index a7e9d517104..e16ab69b159 100644
--- a/pkg/cmd/extension/command_test.go
+++ b/pkg/cmd/extension/command_test.go
@@ -332,7 +332,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extension\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade an extension dry run",
@@ -352,7 +352,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Would have upgraded extension\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade an extension notty",
@@ -385,7 +385,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extension\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade extension error",
@@ -420,7 +420,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extension\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade an extension full name",
@@ -436,7 +436,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extension\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade all",
@@ -452,7 +452,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extensions\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade all dry run",
@@ -472,7 +472,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Would have upgraded extensions\n",
+			wantStdout: "",
 		},
 		{
 			name: "upgrade all none installed",
@@ -853,7 +853,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "✓ Successfully upgraded extension\n",
+			wantStdout: "",
 		},
 	}
 

From a3d65e0dcee92c68f55a518b1557b456400829b6 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 12:28:58 +0200
Subject: [PATCH 056/253] Extract units for configuring and updating git
 credential helpers

---
 pkg/cmd/auth/refresh/refresh.go               |  13 +-
 pkg/cmd/auth/setupgit/setupgit.go             |  12 +-
 pkg/cmd/auth/shared/git_credential.go         | 125 ++++--------------
 pkg/cmd/auth/shared/git_credential_test.go    |  27 ++--
 .../shared/gitcredentials/gitcredentials.go   | 117 ++++++++++++++++
 pkg/cmd/auth/shared/login_flow.go             |  13 +-
 6 files changed, 189 insertions(+), 118 deletions(-)
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/gitcredentials.go

diff --git a/pkg/cmd/auth/refresh/refresh.go b/pkg/cmd/auth/refresh/refresh.go
index 262b8fb31ef..fed0aae033e 100644
--- a/pkg/cmd/auth/refresh/refresh.go
+++ b/pkg/cmd/auth/refresh/refresh.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cli/cli/v2/internal/authflow"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/set"
@@ -173,9 +174,15 @@ func refreshRun(opts *RefreshOptions) error {
 	}
 
 	credentialFlow := &shared.GitCredentialFlow{
-		Executable: opts.MainExecutable,
-		Prompter:   opts.Prompter,
-		GitClient:  opts.GitClient,
+		Prompter:  opts.Prompter,
+		GitClient: opts.GitClient,
+		HelperConfigurer: &gitcredentials.HelperConfigurer{
+			SelfExecutablePath: opts.MainExecutable,
+			GitClient:          opts.GitClient,
+		},
+		Updater: &gitcredentials.Updater{
+			GitClient: opts.GitClient,
+		},
 	}
 	gitProtocol := cfg.GitProtocol(hostname).Value
 	if opts.Interactive && gitProtocol == "https" {
diff --git a/pkg/cmd/auth/setupgit/setupgit.go b/pkg/cmd/auth/setupgit/setupgit.go
index 6bf85a7f4ce..e134ed10b97 100644
--- a/pkg/cmd/auth/setupgit/setupgit.go
+++ b/pkg/cmd/auth/setupgit/setupgit.go
@@ -7,6 +7,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
@@ -53,8 +54,14 @@ func NewCmdSetupGit(f *cmdutil.Factory, runF func(*SetupGitOptions) error) *cobr
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.gitConfigure = &shared.GitCredentialFlow{
-				Executable: f.Executable(),
-				GitClient:  f.GitClient,
+				GitClient: f.GitClient,
+				HelperConfigurer: &gitcredentials.HelperConfigurer{
+					SelfExecutablePath: f.Executable(),
+					GitClient:          f.GitClient,
+				},
+				Updater: &gitcredentials.Updater{
+					GitClient: f.GitClient,
+				},
 			}
 			if opts.Hostname == "" && opts.Force {
 				return cmdutil.FlagErrorf("`--force` must be used in conjunction with `--hostname`")
@@ -111,6 +118,7 @@ func setupGitRun(opts *SetupGitOptions) error {
 	}
 
 	for _, hostname := range hostnames {
+		// TODO: Use gitcredentials.HelperConfigurer here
 		if err := opts.gitConfigure.Setup(hostname, "", ""); err != nil {
 			return fmt.Errorf("failed to set up git credential helper: %s", err)
 		}
diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index 8624cf00bef..6d522acb6d0 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -1,23 +1,24 @@
 package shared
 
 import (
-	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"path/filepath"
 	"strings"
 
-	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/ghinstance"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/google/shlex"
 )
 
 type GitCredentialFlow struct {
-	Executable string
-	Prompter   Prompt
-	GitClient  *git.Client
+	Prompter  Prompt
+	GitClient *git.Client
+
+	HelperConfigurer *gitcredentials.HelperConfigurer
+	Updater          *gitcredentials.Updater
 
 	shouldSetup bool
 	helper      string
@@ -61,101 +62,14 @@ func (flow *GitCredentialFlow) Setup(hostname, username, authToken string) error
 }
 
 func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password string) error {
-	gitClient := flow.GitClient
-	ctx := context.Background()
-
+	// If there is no credential helper configured then we will set ourselves up as
+	// the credential helper for this host.
 	if flow.helper == "" {
-		credHelperKeys := []string{
-			gitCredentialHelperKey(hostname),
-		}
-
-		gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
-		if strings.HasPrefix(gistHost, "gist.") {
-			credHelperKeys = append(credHelperKeys, gitCredentialHelperKey(gistHost))
-		}
-
-		var configErr error
-
-		for _, credHelperKey := range credHelperKeys {
-			if configErr != nil {
-				break
-			}
-			// first use a blank value to indicate to git we want to sever the chain of credential helpers
-			preConfigureCmd, err := gitClient.Command(ctx, "config", "--global", "--replace-all", credHelperKey, "")
-			if err != nil {
-				configErr = err
-				break
-			}
-			if _, err = preConfigureCmd.Output(); err != nil {
-				configErr = err
-				break
-			}
-
-			// second configure the actual helper for this host
-			configureCmd, err := gitClient.Command(ctx,
-				"config", "--global", "--add",
-				credHelperKey,
-				fmt.Sprintf("!%s auth git-credential", shellQuote(flow.Executable)),
-			)
-			if err != nil {
-				configErr = err
-			} else {
-				_, configErr = configureCmd.Output()
-			}
-		}
-
-		return configErr
+		return flow.HelperConfigurer.Configure(hostname)
 	}
 
-	// clear previous cached credentials
-	rejectCmd, err := gitClient.Command(ctx, "credential", "reject")
-	if err != nil {
-		return err
-	}
-
-	rejectCmd.Stdin = bytes.NewBufferString(heredoc.Docf(`
-		protocol=https
-		host=%s
-	`, hostname))
-
-	_, err = rejectCmd.Output()
-	if err != nil {
-		return err
-	}
-
-	approveCmd, err := gitClient.Command(ctx, "credential", "approve")
-	if err != nil {
-		return err
-	}
-
-	approveCmd.Stdin = bytes.NewBufferString(heredoc.Docf(`
-		protocol=https
-		host=%s
-		username=%s
-		password=%s
-	`, hostname, username, password))
-
-	_, err = approveCmd.Output()
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func gitCredentialHelperKey(hostname string) string {
-	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
-	return fmt.Sprintf("credential.%s.helper", host)
-}
-
-func gitCredentialHelper(gitClient *git.Client, hostname string) (helper string, err error) {
-	ctx := context.Background()
-	helper, err = gitClient.Config(ctx, gitCredentialHelperKey(hostname))
-	if helper != "" {
-		return
-	}
-	helper, err = gitClient.Config(ctx, "credential.helper")
-	return
+	// Otherwise, we'll tell git to inform the existing credential helper of the new credentials.
+	return flow.Updater.Update(hostname, username, password)
 }
 
 func isOurCredentialHelper(cmd string) bool {
@@ -179,9 +93,18 @@ func isGitMissing(err error) bool {
 	return errors.As(err, &errNotInstalled)
 }
 
-func shellQuote(s string) string {
-	if strings.ContainsAny(s, " $\\") {
-		return "'" + s + "'"
+func gitCredentialHelperKey(hostname string) string {
+	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
+	return fmt.Sprintf("credential.%s.helper", host)
+}
+
+func gitCredentialHelper(gitClient *git.Client, hostname string) (helper string, err error) {
+	ctx := context.TODO()
+
+	helper, err = gitClient.Config(ctx, gitCredentialHelperKey(hostname))
+	if helper != "" {
+		return
 	}
-	return s
+	helper, err = gitClient.Config(ctx, "credential.helper")
+	return
 }
diff --git a/pkg/cmd/auth/shared/git_credential_test.go b/pkg/cmd/auth/shared/git_credential_test.go
index 9d3e90cc431..017c649ddc8 100644
--- a/pkg/cmd/auth/shared/git_credential_test.go
+++ b/pkg/cmd/auth/shared/git_credential_test.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/run"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 )
 
 func TestGitCredentialSetup_configureExisting(t *testing.T) {
@@ -14,9 +15,11 @@ func TestGitCredentialSetup_configureExisting(t *testing.T) {
 	cs.Register(`git credential approve`, 0, "")
 
 	f := GitCredentialFlow{
-		Executable: "gh",
-		helper:     "osxkeychain",
-		GitClient:  &git.Client{GitPath: "some/path/git"},
+		helper:    "osxkeychain",
+		GitClient: &git.Client{GitPath: "some/path/git"},
+		Updater: &gitcredentials.Updater{
+			GitClient: &git.Client{GitPath: "some/path/git"},
+		},
 	}
 
 	if err := f.gitCredentialSetup("example.com", "monalisa", "PASSWD"); err != nil {
@@ -61,9 +64,12 @@ func TestGitCredentialsSetup_setOurs_GH(t *testing.T) {
 	})
 
 	f := GitCredentialFlow{
-		Executable: "/path/to/gh",
-		helper:     "",
-		GitClient:  &git.Client{GitPath: "some/path/git"},
+		helper:    "",
+		GitClient: &git.Client{GitPath: "some/path/git"},
+		HelperConfigurer: &gitcredentials.HelperConfigurer{
+			SelfExecutablePath: "/path/to/gh",
+			GitClient:          &git.Client{GitPath: "some/path/git"},
+		},
 	}
 
 	if err := f.gitCredentialSetup("github.com", "monalisa", "PASSWD"); err != nil {
@@ -93,9 +99,12 @@ func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
 	})
 
 	f := GitCredentialFlow{
-		Executable: "/path/to/gh",
-		helper:     "",
-		GitClient:  &git.Client{GitPath: "some/path/git"},
+		helper:    "",
+		GitClient: &git.Client{GitPath: "some/path/git"},
+		HelperConfigurer: &gitcredentials.HelperConfigurer{
+			SelfExecutablePath: "/path/to/gh",
+			GitClient:          &git.Client{GitPath: "some/path/git"},
+		},
 	}
 
 	if err := f.gitCredentialSetup("example.com", "monalisa", "PASSWD"); err != nil {
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
new file mode 100644
index 00000000000..d4f3616e3cb
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -0,0 +1,117 @@
+package gitcredentials
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/internal/ghinstance"
+)
+
+type HelperConfigurer struct {
+	SelfExecutablePath string
+	GitClient          *git.Client
+}
+
+func (hc *HelperConfigurer) Configure(hostname string) error {
+	ctx := context.TODO()
+
+	credHelperKeys := []string{
+		gitCredentialHelperKey(hostname),
+	}
+
+	gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
+	if strings.HasPrefix(gistHost, "gist.") {
+		credHelperKeys = append(credHelperKeys, gitCredentialHelperKey(gistHost))
+	}
+
+	var configErr error
+
+	for _, credHelperKey := range credHelperKeys {
+		if configErr != nil {
+			break
+		}
+		// first use a blank value to indicate to git we want to sever the chain of credential helpers
+		preConfigureCmd, err := hc.GitClient.Command(ctx, "config", "--global", "--replace-all", credHelperKey, "")
+		if err != nil {
+			configErr = err
+			break
+		}
+		if _, err = preConfigureCmd.Output(); err != nil {
+			configErr = err
+			break
+		}
+
+		// second configure the actual helper for this host
+		configureCmd, err := hc.GitClient.Command(ctx,
+			"config", "--global", "--add",
+			credHelperKey,
+			fmt.Sprintf("!%s auth git-credential", shellQuote(hc.SelfExecutablePath)),
+		)
+		if err != nil {
+			configErr = err
+		} else {
+			_, configErr = configureCmd.Output()
+		}
+	}
+
+	return configErr
+}
+
+func gitCredentialHelperKey(hostname string) string {
+	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
+	return fmt.Sprintf("credential.%s.helper", host)
+}
+
+func shellQuote(s string) string {
+	if strings.ContainsAny(s, " $\\") {
+		return "'" + s + "'"
+	}
+	return s
+}
+
+type Updater struct {
+	GitClient *git.Client
+}
+
+func (u *Updater) Update(hostname, username, password string) error {
+	ctx := context.TODO()
+
+	// clear previous cached credentials
+	rejectCmd, err := u.GitClient.Command(ctx, "credential", "reject")
+	if err != nil {
+		return err
+	}
+
+	rejectCmd.Stdin = bytes.NewBufferString(heredoc.Docf(`
+		protocol=https
+		host=%s
+	`, hostname))
+
+	_, err = rejectCmd.Output()
+	if err != nil {
+		return err
+	}
+
+	approveCmd, err := u.GitClient.Command(ctx, "credential", "approve")
+	if err != nil {
+		return err
+	}
+
+	approveCmd.Stdin = bytes.NewBufferString(heredoc.Docf(`
+		protocol=https
+		host=%s
+		username=%s
+		password=%s
+	`, hostname, username, password))
+
+	_, err = approveCmd.Output()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/pkg/cmd/auth/shared/login_flow.go b/pkg/cmd/auth/shared/login_flow.go
index 5a1df34c6e0..dc6ff3cad82 100644
--- a/pkg/cmd/auth/shared/login_flow.go
+++ b/pkg/cmd/auth/shared/login_flow.go
@@ -15,6 +15,7 @@ import (
 	"github.com/cli/cli/v2/internal/authflow"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/ghinstance"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmd/ssh-key/add"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/ssh"
@@ -72,9 +73,15 @@ func Login(opts *LoginOptions) error {
 	var additionalScopes []string
 
 	credentialFlow := &GitCredentialFlow{
-		Executable: opts.Executable,
-		Prompter:   opts.Prompter,
-		GitClient:  opts.GitClient,
+		Prompter:  opts.Prompter,
+		GitClient: opts.GitClient,
+		HelperConfigurer: &gitcredentials.HelperConfigurer{
+			SelfExecutablePath: opts.Executable,
+			GitClient:          opts.GitClient,
+		},
+		Updater: &gitcredentials.Updater{
+			GitClient: opts.GitClient,
+		},
 	}
 	if opts.Interactive && gitProtocol == "https" {
 		if err := credentialFlow.Prompt(hostname); err != nil {

From af589aa2f3f495fa65d91d581dade0923636a5f8 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 12:39:11 +0200
Subject: [PATCH 057/253] Move fetching configured helper into gitcredentials

---
 pkg/cmd/auth/refresh/refresh.go               |  2 +-
 pkg/cmd/auth/setupgit/setupgit.go             |  2 +-
 pkg/cmd/auth/shared/git_credential.go         | 27 +++----------------
 pkg/cmd/auth/shared/git_credential_test.go    |  4 +--
 .../shared/gitcredentials/gitcredentials.go   | 23 ++++++++++++----
 pkg/cmd/auth/shared/login_flow.go             |  2 +-
 6 files changed, 27 insertions(+), 33 deletions(-)

diff --git a/pkg/cmd/auth/refresh/refresh.go b/pkg/cmd/auth/refresh/refresh.go
index fed0aae033e..2c059a670a6 100644
--- a/pkg/cmd/auth/refresh/refresh.go
+++ b/pkg/cmd/auth/refresh/refresh.go
@@ -176,7 +176,7 @@ func refreshRun(opts *RefreshOptions) error {
 	credentialFlow := &shared.GitCredentialFlow{
 		Prompter:  opts.Prompter,
 		GitClient: opts.GitClient,
-		HelperConfigurer: &gitcredentials.HelperConfigurer{
+		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: opts.MainExecutable,
 			GitClient:          opts.GitClient,
 		},
diff --git a/pkg/cmd/auth/setupgit/setupgit.go b/pkg/cmd/auth/setupgit/setupgit.go
index e134ed10b97..bcfd7207cde 100644
--- a/pkg/cmd/auth/setupgit/setupgit.go
+++ b/pkg/cmd/auth/setupgit/setupgit.go
@@ -55,7 +55,7 @@ func NewCmdSetupGit(f *cmdutil.Factory, runF func(*SetupGitOptions) error) *cobr
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.gitConfigure = &shared.GitCredentialFlow{
 				GitClient: f.GitClient,
-				HelperConfigurer: &gitcredentials.HelperConfigurer{
+				HelperConfig: &gitcredentials.HelperConfig{
 					SelfExecutablePath: f.Executable(),
 					GitClient:          f.GitClient,
 				},
diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index 6d522acb6d0..0c1bc065623 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -1,14 +1,11 @@
 package shared
 
 import (
-	"context"
 	"errors"
-	"fmt"
 	"path/filepath"
 	"strings"
 
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/google/shlex"
 )
@@ -17,8 +14,8 @@ type GitCredentialFlow struct {
 	Prompter  Prompt
 	GitClient *git.Client
 
-	HelperConfigurer *gitcredentials.HelperConfigurer
-	Updater          *gitcredentials.Updater
+	HelperConfig *gitcredentials.HelperConfig
+	Updater      *gitcredentials.Updater
 
 	shouldSetup bool
 	helper      string
@@ -27,7 +24,7 @@ type GitCredentialFlow struct {
 
 func (flow *GitCredentialFlow) Prompt(hostname string) error {
 	var gitErr error
-	flow.helper, gitErr = gitCredentialHelper(flow.GitClient, hostname)
+	flow.helper, gitErr = flow.HelperConfig.ConfiguredHelper(hostname)
 	if isOurCredentialHelper(flow.helper) {
 		flow.scopes = append(flow.scopes, "workflow")
 		return nil
@@ -65,7 +62,7 @@ func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password s
 	// If there is no credential helper configured then we will set ourselves up as
 	// the credential helper for this host.
 	if flow.helper == "" {
-		return flow.HelperConfigurer.Configure(hostname)
+		return flow.HelperConfig.Configure(hostname)
 	}
 
 	// Otherwise, we'll tell git to inform the existing credential helper of the new credentials.
@@ -92,19 +89,3 @@ func isGitMissing(err error) bool {
 	var errNotInstalled *git.NotInstalled
 	return errors.As(err, &errNotInstalled)
 }
-
-func gitCredentialHelperKey(hostname string) string {
-	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
-	return fmt.Sprintf("credential.%s.helper", host)
-}
-
-func gitCredentialHelper(gitClient *git.Client, hostname string) (helper string, err error) {
-	ctx := context.TODO()
-
-	helper, err = gitClient.Config(ctx, gitCredentialHelperKey(hostname))
-	if helper != "" {
-		return
-	}
-	helper, err = gitClient.Config(ctx, "credential.helper")
-	return
-}
diff --git a/pkg/cmd/auth/shared/git_credential_test.go b/pkg/cmd/auth/shared/git_credential_test.go
index 017c649ddc8..b2f3df7f8de 100644
--- a/pkg/cmd/auth/shared/git_credential_test.go
+++ b/pkg/cmd/auth/shared/git_credential_test.go
@@ -66,7 +66,7 @@ func TestGitCredentialsSetup_setOurs_GH(t *testing.T) {
 	f := GitCredentialFlow{
 		helper:    "",
 		GitClient: &git.Client{GitPath: "some/path/git"},
-		HelperConfigurer: &gitcredentials.HelperConfigurer{
+		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: "/path/to/gh",
 			GitClient:          &git.Client{GitPath: "some/path/git"},
 		},
@@ -101,7 +101,7 @@ func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
 	f := GitCredentialFlow{
 		helper:    "",
 		GitClient: &git.Client{GitPath: "some/path/git"},
-		HelperConfigurer: &gitcredentials.HelperConfigurer{
+		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: "/path/to/gh",
 			GitClient:          &git.Client{GitPath: "some/path/git"},
 		},
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
index d4f3616e3cb..1f8bafb0791 100644
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -11,21 +11,21 @@ import (
 	"github.com/cli/cli/v2/internal/ghinstance"
 )
 
-type HelperConfigurer struct {
+type HelperConfig struct {
 	SelfExecutablePath string
 	GitClient          *git.Client
 }
 
-func (hc *HelperConfigurer) Configure(hostname string) error {
+func (hc *HelperConfig) Configure(hostname string) error {
 	ctx := context.TODO()
 
 	credHelperKeys := []string{
-		gitCredentialHelperKey(hostname),
+		keyFor(hostname),
 	}
 
 	gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
 	if strings.HasPrefix(gistHost, "gist.") {
-		credHelperKeys = append(credHelperKeys, gitCredentialHelperKey(gistHost))
+		credHelperKeys = append(credHelperKeys, keyFor(gistHost))
 	}
 
 	var configErr error
@@ -61,7 +61,20 @@ func (hc *HelperConfigurer) Configure(hostname string) error {
 	return configErr
 }
 
-func gitCredentialHelperKey(hostname string) string {
+func (hc *HelperConfig) ConfiguredHelper(hostname string) (string, error) {
+	ctx := context.TODO()
+
+	helper, err := hc.GitClient.Config(ctx, keyFor(hostname))
+	if helper != "" {
+		// TODO: This is a direct refactoring removing named and naked returns
+		// but we should probably look closer at the error handling here
+		return helper, err
+	}
+
+	return hc.GitClient.Config(ctx, "credential.helper")
+}
+
+func keyFor(hostname string) string {
 	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
 	return fmt.Sprintf("credential.%s.helper", host)
 }
diff --git a/pkg/cmd/auth/shared/login_flow.go b/pkg/cmd/auth/shared/login_flow.go
index dc6ff3cad82..d357df5ff1c 100644
--- a/pkg/cmd/auth/shared/login_flow.go
+++ b/pkg/cmd/auth/shared/login_flow.go
@@ -75,7 +75,7 @@ func Login(opts *LoginOptions) error {
 	credentialFlow := &GitCredentialFlow{
 		Prompter:  opts.Prompter,
 		GitClient: opts.GitClient,
-		HelperConfigurer: &gitcredentials.HelperConfigurer{
+		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: opts.Executable,
 			GitClient:          opts.GitClient,
 		},

From bd4ba5c39a06cdcd1163436bd347b9995c0c906f Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:09:42 +0200
Subject: [PATCH 058/253] Make gitcredential helper smarter

---
 pkg/cmd/auth/refresh/refresh.go               |  3 +-
 pkg/cmd/auth/setupgit/setupgit.go             |  1 -
 pkg/cmd/auth/shared/git_credential.go         | 43 +++--------
 pkg/cmd/auth/shared/git_credential_test.go    | 50 +-----------
 .../shared/gitcredentials/gitcredentials.go   | 42 ++++++++--
 .../gitcredentials/gitcredentials_test.go     | 76 +++++++++++++++++++
 pkg/cmd/auth/shared/login_flow.go             |  3 +-
 7 files changed, 128 insertions(+), 90 deletions(-)
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go

diff --git a/pkg/cmd/auth/refresh/refresh.go b/pkg/cmd/auth/refresh/refresh.go
index 2c059a670a6..4b8a7e4c01a 100644
--- a/pkg/cmd/auth/refresh/refresh.go
+++ b/pkg/cmd/auth/refresh/refresh.go
@@ -174,8 +174,7 @@ func refreshRun(opts *RefreshOptions) error {
 	}
 
 	credentialFlow := &shared.GitCredentialFlow{
-		Prompter:  opts.Prompter,
-		GitClient: opts.GitClient,
+		Prompter: opts.Prompter,
 		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: opts.MainExecutable,
 			GitClient:          opts.GitClient,
diff --git a/pkg/cmd/auth/setupgit/setupgit.go b/pkg/cmd/auth/setupgit/setupgit.go
index bcfd7207cde..4ac8d5f7832 100644
--- a/pkg/cmd/auth/setupgit/setupgit.go
+++ b/pkg/cmd/auth/setupgit/setupgit.go
@@ -54,7 +54,6 @@ func NewCmdSetupGit(f *cmdutil.Factory, runF func(*SetupGitOptions) error) *cobr
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.gitConfigure = &shared.GitCredentialFlow{
-				GitClient: f.GitClient,
 				HelperConfig: &gitcredentials.HelperConfig{
 					SelfExecutablePath: f.Executable(),
 					GitClient:          f.GitClient,
diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index 0c1bc065623..5a9c20b440e 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -2,30 +2,26 @@ package shared
 
 import (
 	"errors"
-	"path/filepath"
-	"strings"
 
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
-	"github.com/google/shlex"
 )
 
 type GitCredentialFlow struct {
-	Prompter  Prompt
-	GitClient *git.Client
+	Prompter Prompt
 
 	HelperConfig *gitcredentials.HelperConfig
 	Updater      *gitcredentials.Updater
 
 	shouldSetup bool
-	helper      string
+	helper      gitcredentials.Helper
 	scopes      []string
 }
 
 func (flow *GitCredentialFlow) Prompt(hostname string) error {
-	var gitErr error
-	flow.helper, gitErr = flow.HelperConfig.ConfiguredHelper(hostname)
-	if isOurCredentialHelper(flow.helper) {
+	var configuredHelperErr error
+	flow.helper, configuredHelperErr = flow.HelperConfig.ConfiguredHelper(hostname)
+	if flow.helper.IsOurs() {
 		flow.scopes = append(flow.scopes, "workflow")
 		return nil
 	}
@@ -37,9 +33,11 @@ func (flow *GitCredentialFlow) Prompt(hostname string) error {
 	flow.shouldSetup = result
 
 	if flow.shouldSetup {
-		if isGitMissing(gitErr) {
-			return gitErr
+		var errNotInstalled *git.NotInstalled
+		if errors.As(err, &errNotInstalled) {
+			return configuredHelperErr
 		}
+
 		flow.scopes = append(flow.scopes, "workflow")
 	}
 
@@ -61,31 +59,10 @@ func (flow *GitCredentialFlow) Setup(hostname, username, authToken string) error
 func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password string) error {
 	// If there is no credential helper configured then we will set ourselves up as
 	// the credential helper for this host.
-	if flow.helper == "" {
+	if !flow.helper.IsConfigured() {
 		return flow.HelperConfig.Configure(hostname)
 	}
 
 	// Otherwise, we'll tell git to inform the existing credential helper of the new credentials.
 	return flow.Updater.Update(hostname, username, password)
 }
-
-func isOurCredentialHelper(cmd string) bool {
-	if !strings.HasPrefix(cmd, "!") {
-		return false
-	}
-
-	args, err := shlex.Split(cmd[1:])
-	if err != nil || len(args) == 0 {
-		return false
-	}
-
-	return strings.TrimSuffix(filepath.Base(args[0]), ".exe") == "gh"
-}
-
-func isGitMissing(err error) bool {
-	if err == nil {
-		return false
-	}
-	var errNotInstalled *git.NotInstalled
-	return errors.As(err, &errNotInstalled)
-}
diff --git a/pkg/cmd/auth/shared/git_credential_test.go b/pkg/cmd/auth/shared/git_credential_test.go
index b2f3df7f8de..211e8da999f 100644
--- a/pkg/cmd/auth/shared/git_credential_test.go
+++ b/pkg/cmd/auth/shared/git_credential_test.go
@@ -15,8 +15,7 @@ func TestGitCredentialSetup_configureExisting(t *testing.T) {
 	cs.Register(`git credential approve`, 0, "")
 
 	f := GitCredentialFlow{
-		helper:    "osxkeychain",
-		GitClient: &git.Client{GitPath: "some/path/git"},
+		helper: gitcredentials.Helper{Cmd: "osxkeychain"},
 		Updater: &gitcredentials.Updater{
 			GitClient: &git.Client{GitPath: "some/path/git"},
 		},
@@ -64,8 +63,7 @@ func TestGitCredentialsSetup_setOurs_GH(t *testing.T) {
 	})
 
 	f := GitCredentialFlow{
-		helper:    "",
-		GitClient: &git.Client{GitPath: "some/path/git"},
+		helper: gitcredentials.Helper{},
 		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: "/path/to/gh",
 			GitClient:          &git.Client{GitPath: "some/path/git"},
@@ -99,8 +97,7 @@ func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
 	})
 
 	f := GitCredentialFlow{
-		helper:    "",
-		GitClient: &git.Client{GitPath: "some/path/git"},
+		helper: gitcredentials.Helper{},
 		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: "/path/to/gh",
 			GitClient:          &git.Client{GitPath: "some/path/git"},
@@ -111,44 +108,3 @@ func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
 		t.Errorf("GitCredentialSetup() error = %v", err)
 	}
 }
-
-func Test_isOurCredentialHelper(t *testing.T) {
-	tests := []struct {
-		name string
-		arg  string
-		want bool
-	}{
-		{
-			name: "blank",
-			arg:  "",
-			want: false,
-		},
-		{
-			name: "invalid",
-			arg:  "!",
-			want: false,
-		},
-		{
-			name: "osxkeychain",
-			arg:  "osxkeychain",
-			want: false,
-		},
-		{
-			name: "looks like gh but isn't",
-			arg:  "gh auth",
-			want: false,
-		},
-		{
-			name: "ours",
-			arg:  "!/path/to/gh auth",
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := isOurCredentialHelper(tt.arg); got != tt.want {
-				t.Errorf("isOurCredentialHelper() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
index 1f8bafb0791..50ce7502dd4 100644
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -4,11 +4,13 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/ghinstance"
+	"github.com/google/shlex"
 )
 
 type HelperConfig struct {
@@ -61,17 +63,47 @@ func (hc *HelperConfig) Configure(hostname string) error {
 	return configErr
 }
 
-func (hc *HelperConfig) ConfiguredHelper(hostname string) (string, error) {
+type Helper struct {
+	Cmd string
+}
+
+func (h Helper) IsConfigured() bool {
+	return h.Cmd != ""
+}
+
+func (h Helper) IsOurs() bool {
+	if !strings.HasPrefix(h.Cmd, "!") {
+		return false
+	}
+
+	args, err := shlex.Split(h.Cmd[1:])
+	if err != nil || len(args) == 0 {
+		return false
+	}
+
+	return strings.TrimSuffix(filepath.Base(args[0]), ".exe") == "gh"
+}
+
+func (hc *HelperConfig) ConfiguredHelper(hostname string) (Helper, error) {
 	ctx := context.TODO()
 
-	helper, err := hc.GitClient.Config(ctx, keyFor(hostname))
-	if helper != "" {
+	hostHelperCmd, err := hc.GitClient.Config(ctx, keyFor(hostname))
+	if hostHelperCmd != "" {
 		// TODO: This is a direct refactoring removing named and naked returns
 		// but we should probably look closer at the error handling here
-		return helper, err
+		return Helper{
+			Cmd: hostHelperCmd,
+		}, err
+	}
+
+	globalHelperCmd, err := hc.GitClient.Config(ctx, "credential.helper")
+	if globalHelperCmd != "" {
+		return Helper{
+			Cmd: globalHelperCmd,
+		}, err
 	}
 
-	return hc.GitClient.Config(ctx, "credential.helper")
+	return Helper{}, nil
 }
 
 func keyFor(hostname string) string {
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go
new file mode 100644
index 00000000000..2a9b6e6f958
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go
@@ -0,0 +1,76 @@
+package gitcredentials_test
+
+import (
+	"testing"
+
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
+)
+
+func TestHelperIsOurs(t *testing.T) {
+	tests := []struct {
+		name string
+		cmd  string
+		want bool
+	}{
+		{
+			name: "blank",
+			cmd:  "",
+			want: false,
+		},
+		{
+			name: "invalid",
+			cmd:  "!",
+			want: false,
+		},
+		{
+			name: "osxkeychain",
+			cmd:  "osxkeychain",
+			want: false,
+		},
+		{
+			name: "looks like gh but isn't",
+			cmd:  "gh auth",
+			want: false,
+		},
+		{
+			name: "ours",
+			cmd:  "!/path/to/gh auth",
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := gitcredentials.Helper{Cmd: tt.cmd}
+			if got := h.IsOurs(); got != tt.want {
+				t.Errorf("IsOurs() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestHelperIsConfigured(t *testing.T) {
+	tests := []struct {
+		name string
+		cmd  string
+		want bool
+	}{
+		{
+			name: "blank is not configured",
+			cmd:  "",
+			want: false,
+		},
+		{
+			name: "anything else is configured",
+			cmd:  "unimportant",
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := gitcredentials.Helper{Cmd: tt.cmd}
+			if got := h.IsConfigured(); got != tt.want {
+				t.Errorf("IsConfigured() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/pkg/cmd/auth/shared/login_flow.go b/pkg/cmd/auth/shared/login_flow.go
index d357df5ff1c..b0feddd2f04 100644
--- a/pkg/cmd/auth/shared/login_flow.go
+++ b/pkg/cmd/auth/shared/login_flow.go
@@ -73,8 +73,7 @@ func Login(opts *LoginOptions) error {
 	var additionalScopes []string
 
 	credentialFlow := &GitCredentialFlow{
-		Prompter:  opts.Prompter,
-		GitClient: opts.GitClient,
+		Prompter: opts.Prompter,
 		HelperConfig: &gitcredentials.HelperConfig{
 			SelfExecutablePath: opts.Executable,
 			GitClient:          opts.GitClient,

From 177cf7d35ba8d93ecc404d618c56bc4888045b9c Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:11:00 +0200
Subject: [PATCH 059/253] Rename gitcredentials Configure to ConfigureOurs

---
 pkg/cmd/auth/shared/git_credential.go                | 2 +-
 pkg/cmd/auth/shared/gitcredentials/gitcredentials.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index 5a9c20b440e..7ddd9aeaee6 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -60,7 +60,7 @@ func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password s
 	// If there is no credential helper configured then we will set ourselves up as
 	// the credential helper for this host.
 	if !flow.helper.IsConfigured() {
-		return flow.HelperConfig.Configure(hostname)
+		return flow.HelperConfig.ConfigureOurs(hostname)
 	}
 
 	// Otherwise, we'll tell git to inform the existing credential helper of the new credentials.
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
index 50ce7502dd4..2c1e7ddcfc2 100644
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -18,7 +18,7 @@ type HelperConfig struct {
 	GitClient          *git.Client
 }
 
-func (hc *HelperConfig) Configure(hostname string) error {
+func (hc *HelperConfig) ConfigureOurs(hostname string) error {
 	ctx := context.TODO()
 
 	credHelperKeys := []string{

From c16836bcf712ad05b537b0cd089f2f98ad12f243 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:33:02 +0200
Subject: [PATCH 060/253] Use tighter interface in setup-git

---
 pkg/cmd/auth/setupgit/setupgit.go      | 31 ++++++++++----------------
 pkg/cmd/auth/setupgit/setupgit_test.go | 15 +++++--------
 2 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/pkg/cmd/auth/setupgit/setupgit.go b/pkg/cmd/auth/setupgit/setupgit.go
index 4ac8d5f7832..c1200b47576 100644
--- a/pkg/cmd/auth/setupgit/setupgit.go
+++ b/pkg/cmd/auth/setupgit/setupgit.go
@@ -6,23 +6,22 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/gh"
-	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/spf13/cobra"
 )
 
-type gitConfigurator interface {
-	Setup(hostname, username, authToken string) error
+type gitCredentialsConfigurer interface {
+	ConfigureOurs(hostname string) error
 }
 
 type SetupGitOptions struct {
-	IO           *iostreams.IOStreams
-	Config       func() (gh.Config, error)
-	Hostname     string
-	Force        bool
-	gitConfigure gitConfigurator
+	IO                      *iostreams.IOStreams
+	Config                  func() (gh.Config, error)
+	Hostname                string
+	Force                   bool
+	CredentialsHelperConfig gitCredentialsConfigurer
 }
 
 func NewCmdSetupGit(f *cmdutil.Factory, runF func(*SetupGitOptions) error) *cobra.Command {
@@ -53,14 +52,9 @@ func NewCmdSetupGit(f *cmdutil.Factory, runF func(*SetupGitOptions) error) *cobr
 			$ gh auth setup-git --hostname enterprise.internal
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			opts.gitConfigure = &shared.GitCredentialFlow{
-				HelperConfig: &gitcredentials.HelperConfig{
-					SelfExecutablePath: f.Executable(),
-					GitClient:          f.GitClient,
-				},
-				Updater: &gitcredentials.Updater{
-					GitClient: f.GitClient,
-				},
+			opts.CredentialsHelperConfig = &gitcredentials.HelperConfig{
+				SelfExecutablePath: f.Executable(),
+				GitClient:          f.GitClient,
 			}
 			if opts.Hostname == "" && opts.Force {
 				return cmdutil.FlagErrorf("`--force` must be used in conjunction with `--hostname`")
@@ -98,7 +92,7 @@ func setupGitRun(opts *SetupGitOptions) error {
 			)
 		}
 
-		if err := opts.gitConfigure.Setup(opts.Hostname, "", ""); err != nil {
+		if err := opts.CredentialsHelperConfig.ConfigureOurs(opts.Hostname); err != nil {
 			return fmt.Errorf("failed to set up git credential helper: %s", err)
 		}
 
@@ -117,8 +111,7 @@ func setupGitRun(opts *SetupGitOptions) error {
 	}
 
 	for _, hostname := range hostnames {
-		// TODO: Use gitcredentials.HelperConfigurer here
-		if err := opts.gitConfigure.Setup(hostname, "", ""); err != nil {
+		if err := opts.CredentialsHelperConfig.ConfigureOurs(hostname); err != nil {
 			return fmt.Errorf("failed to set up git credential helper: %s", err)
 		}
 	}
diff --git a/pkg/cmd/auth/setupgit/setupgit_test.go b/pkg/cmd/auth/setupgit/setupgit_test.go
index 9e6550e548f..8d9dc2d2153 100644
--- a/pkg/cmd/auth/setupgit/setupgit_test.go
+++ b/pkg/cmd/auth/setupgit/setupgit_test.go
@@ -15,19 +15,16 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-type mockGitConfigurer struct {
+type gitCredentialsConfigurerSpy struct {
 	hosts    []string
 	setupErr error
 }
 
-func (gf *mockGitConfigurer) SetupFor(hostname string) []string {
-	return gf.hosts
-}
-
-func (gf *mockGitConfigurer) Setup(hostname, username, authToken string) error {
+func (gf *gitCredentialsConfigurerSpy) ConfigureOurs(hostname string) error {
 	gf.hosts = append(gf.hosts, hostname)
 	return gf.setupErr
 }
+
 func TestNewCmdSetupGit(t *testing.T) {
 	tests := []struct {
 		name     string
@@ -183,8 +180,8 @@ func Test_setupGitRun(t *testing.T) {
 				}
 			}
 
-			gcSpy := &mockGitConfigurer{setupErr: tt.setupErr}
-			tt.opts.gitConfigure = gcSpy
+			credentialsConfigurerSpy := &gitCredentialsConfigurerSpy{setupErr: tt.setupErr}
+			tt.opts.CredentialsHelperConfig = credentialsConfigurerSpy
 
 			err := setupGitRun(tt.opts)
 			if tt.expectedErr != nil {
@@ -194,7 +191,7 @@ func Test_setupGitRun(t *testing.T) {
 			}
 
 			if tt.expectedHostsSetup != nil {
-				require.Equal(t, tt.expectedHostsSetup, gcSpy.hosts)
+				require.Equal(t, tt.expectedHostsSetup, credentialsConfigurerSpy.hosts)
 			}
 
 			require.Equal(t, tt.expectedErrOut, stderr.String())

From 818d4ba5b843ce448158e9c755cb2c43ecbcf8cc Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:11:58 +0200
Subject: [PATCH 061/253] Remove unnecessary credential setup private method

---
 pkg/cmd/auth/shared/git_credential.go      |  6 +-----
 pkg/cmd/auth/shared/git_credential_test.go | 16 ++++++++--------
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index 7ddd9aeaee6..d21c60dfc93 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -53,10 +53,6 @@ func (flow *GitCredentialFlow) ShouldSetup() bool {
 }
 
 func (flow *GitCredentialFlow) Setup(hostname, username, authToken string) error {
-	return flow.gitCredentialSetup(hostname, username, authToken)
-}
-
-func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password string) error {
 	// If there is no credential helper configured then we will set ourselves up as
 	// the credential helper for this host.
 	if !flow.helper.IsConfigured() {
@@ -64,5 +60,5 @@ func (flow *GitCredentialFlow) gitCredentialSetup(hostname, username, password s
 	}
 
 	// Otherwise, we'll tell git to inform the existing credential helper of the new credentials.
-	return flow.Updater.Update(hostname, username, password)
+	return flow.Updater.Update(hostname, username, authToken)
 }
diff --git a/pkg/cmd/auth/shared/git_credential_test.go b/pkg/cmd/auth/shared/git_credential_test.go
index 211e8da999f..19ab9b752a6 100644
--- a/pkg/cmd/auth/shared/git_credential_test.go
+++ b/pkg/cmd/auth/shared/git_credential_test.go
@@ -8,7 +8,7 @@ import (
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 )
 
-func TestGitCredentialSetup_configureExisting(t *testing.T) {
+func TestSetup_configureExisting(t *testing.T) {
 	cs, restoreRun := run.Stub()
 	defer restoreRun(t)
 	cs.Register(`git credential reject`, 0, "")
@@ -21,8 +21,8 @@ func TestGitCredentialSetup_configureExisting(t *testing.T) {
 		},
 	}
 
-	if err := f.gitCredentialSetup("example.com", "monalisa", "PASSWD"); err != nil {
-		t.Errorf("GitCredentialSetup() error = %v", err)
+	if err := f.Setup("example.com", "monalisa", "PASSWD"); err != nil {
+		t.Errorf("Setup() error = %v", err)
 	}
 }
 
@@ -70,13 +70,13 @@ func TestGitCredentialsSetup_setOurs_GH(t *testing.T) {
 		},
 	}
 
-	if err := f.gitCredentialSetup("github.com", "monalisa", "PASSWD"); err != nil {
-		t.Errorf("GitCredentialSetup() error = %v", err)
+	if err := f.Setup("github.com", "monalisa", "PASSWD"); err != nil {
+		t.Errorf("Setup() error = %v", err)
 	}
 
 }
 
-func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
+func TestSetup_setOurs_nonGH(t *testing.T) {
 	cs, restoreRun := run.Stub()
 	defer restoreRun(t)
 	cs.Register(`git config --global --replace-all credential\.`, 0, "", func(args []string) {
@@ -104,7 +104,7 @@ func TestGitCredentialSetup_setOurs_nonGH(t *testing.T) {
 		},
 	}
 
-	if err := f.gitCredentialSetup("example.com", "monalisa", "PASSWD"); err != nil {
-		t.Errorf("GitCredentialSetup() error = %v", err)
+	if err := f.Setup("example.com", "monalisa", "PASSWD"); err != nil {
+		t.Errorf("Setup() error = %v", err)
 	}
 }

From 187c5016f0c5e508093b56d0f4da78b7a1404118 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:28:03 +0200
Subject: [PATCH 062/253] Comment the git credential flow

---
 pkg/cmd/auth/shared/git_credential.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index d21c60dfc93..cba252d72a2 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -19,13 +19,20 @@ type GitCredentialFlow struct {
 }
 
 func (flow *GitCredentialFlow) Prompt(hostname string) error {
+	// First we'll fetch the credential helper that would be used for this host
 	var configuredHelperErr error
 	flow.helper, configuredHelperErr = flow.HelperConfig.ConfiguredHelper(hostname)
+	// If the helper is gh itself, then we don't need to ask the user if they want to update their git credentials
+	// because it will happen automatically by virtue of the fact that gh will return the active token.
+	//
+	// Since gh is the helper, this token may be used for git operations, so we'll additionally request the workflow
+	// scope to ensure that git push operations that include workflow changes succeed.
 	if flow.helper.IsOurs() {
 		flow.scopes = append(flow.scopes, "workflow")
 		return nil
 	}
 
+	// Prompt the user for whether they want to configure git with the newly obtained token
 	result, err := flow.Prompter.Confirm("Authenticate Git with your GitHub credentials?", true)
 	if err != nil {
 		return err
@@ -33,11 +40,24 @@ func (flow *GitCredentialFlow) Prompt(hostname string) error {
 	flow.shouldSetup = result
 
 	if flow.shouldSetup {
+		// If the user does want to configure git, we'll check the error returned from fetching the configured helper
+		// above. If the error indicates that git isn't installed, we'll return an error now to ensure that the auth
+		// flow is aborted before the user goes any further.
+		//
+		// Note that this is _slightly_ naive because there may be other reasons that fetching the configured helper
+		// fails that might cause later failures but this code has existed for a long time and I don't want to change
+		// it as part of a refactoring.
+		//
+		// Refs:
+		//  * https://git-scm.com/docs/git-config#_description
+		//  * https://github.com/cli/cli/pull/4109
 		var errNotInstalled *git.NotInstalled
 		if errors.As(err, &errNotInstalled) {
 			return configuredHelperErr
 		}
 
+		// On the other hand, if the user has requested setup we'll additionally request the workflow
+		// scope to ensure that git push operations that include workflow changes succeed.
 		flow.scopes = append(flow.scopes, "workflow")
 	}
 

From d75548a63016b9001215a6e223cd82a1273e26d5 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 13:48:53 +0200
Subject: [PATCH 063/253] Comment the new gitcredentials package

---
 pkg/cmd/auth/shared/gitcredentials/gitcredentials.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
index 2c1e7ddcfc2..c4626ff5cbe 100644
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -13,11 +13,14 @@ import (
 	"github.com/google/shlex"
 )
 
+// A HelperConfig is used to configure and inspect the state of git credential helpers.
 type HelperConfig struct {
 	SelfExecutablePath string
 	GitClient          *git.Client
 }
 
+// ConfigureOurs sets up the git credential helper chain to use the GitHub CLI credential helper for git repositories
+// including gists.
 func (hc *HelperConfig) ConfigureOurs(hostname string) error {
 	ctx := context.TODO()
 
@@ -63,14 +66,17 @@ func (hc *HelperConfig) ConfigureOurs(hostname string) error {
 	return configErr
 }
 
+// A Helper represents a git credential helper configuration.
 type Helper struct {
 	Cmd string
 }
 
+// IsConfigured returns true if the helper has a non-empty command, i.e. the git config had an entry
 func (h Helper) IsConfigured() bool {
 	return h.Cmd != ""
 }
 
+// IsOurs returns true if the helper command is the GitHub CLI credential helper
 func (h Helper) IsOurs() bool {
 	if !strings.HasPrefix(h.Cmd, "!") {
 		return false
@@ -84,6 +90,7 @@ func (h Helper) IsOurs() bool {
 	return strings.TrimSuffix(filepath.Base(args[0]), ".exe") == "gh"
 }
 
+// ConfiguredHelper returns the configured git credential helper for a given hostname.
 func (hc *HelperConfig) ConfiguredHelper(hostname string) (Helper, error) {
 	ctx := context.TODO()
 
@@ -118,10 +125,13 @@ func shellQuote(s string) string {
 	return s
 }
 
+// An Updater is used to update the git credentials for a given hostname.
 type Updater struct {
 	GitClient *git.Client
 }
 
+// Update updates the git credentials for a given hostname, first by rejecting any existing credentials and then
+// approving the new credentials.
 func (u *Updater) Update(hostname, username, password string) error {
 	ctx := context.TODO()
 

From e07a26d81cc879f27690a0a431d16833564cd1bf Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 14:33:33 +0200
Subject: [PATCH 064/253] Move gitcredentials HelperConfig and add tests

---
 .../shared/gitcredentials/gitcredentials.go   | 117 ------------
 .../gitcredentials/gitcredentials_test.go     |  76 --------
 .../shared/gitcredentials/helper_config.go    | 124 ++++++++++++
 .../gitcredentials/helper_config_test.go      | 176 ++++++++++++++++++
 4 files changed, 300 insertions(+), 193 deletions(-)
 delete mode 100644 pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/helper_config.go
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/helper_config_test.go

diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
index c4626ff5cbe..9ffa443e7cf 100644
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
+++ b/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
@@ -3,128 +3,11 @@ package gitcredentials
 import (
 	"bytes"
 	"context"
-	"fmt"
-	"path/filepath"
-	"strings"
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/git"
-	"github.com/cli/cli/v2/internal/ghinstance"
-	"github.com/google/shlex"
 )
 
-// A HelperConfig is used to configure and inspect the state of git credential helpers.
-type HelperConfig struct {
-	SelfExecutablePath string
-	GitClient          *git.Client
-}
-
-// ConfigureOurs sets up the git credential helper chain to use the GitHub CLI credential helper for git repositories
-// including gists.
-func (hc *HelperConfig) ConfigureOurs(hostname string) error {
-	ctx := context.TODO()
-
-	credHelperKeys := []string{
-		keyFor(hostname),
-	}
-
-	gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
-	if strings.HasPrefix(gistHost, "gist.") {
-		credHelperKeys = append(credHelperKeys, keyFor(gistHost))
-	}
-
-	var configErr error
-
-	for _, credHelperKey := range credHelperKeys {
-		if configErr != nil {
-			break
-		}
-		// first use a blank value to indicate to git we want to sever the chain of credential helpers
-		preConfigureCmd, err := hc.GitClient.Command(ctx, "config", "--global", "--replace-all", credHelperKey, "")
-		if err != nil {
-			configErr = err
-			break
-		}
-		if _, err = preConfigureCmd.Output(); err != nil {
-			configErr = err
-			break
-		}
-
-		// second configure the actual helper for this host
-		configureCmd, err := hc.GitClient.Command(ctx,
-			"config", "--global", "--add",
-			credHelperKey,
-			fmt.Sprintf("!%s auth git-credential", shellQuote(hc.SelfExecutablePath)),
-		)
-		if err != nil {
-			configErr = err
-		} else {
-			_, configErr = configureCmd.Output()
-		}
-	}
-
-	return configErr
-}
-
-// A Helper represents a git credential helper configuration.
-type Helper struct {
-	Cmd string
-}
-
-// IsConfigured returns true if the helper has a non-empty command, i.e. the git config had an entry
-func (h Helper) IsConfigured() bool {
-	return h.Cmd != ""
-}
-
-// IsOurs returns true if the helper command is the GitHub CLI credential helper
-func (h Helper) IsOurs() bool {
-	if !strings.HasPrefix(h.Cmd, "!") {
-		return false
-	}
-
-	args, err := shlex.Split(h.Cmd[1:])
-	if err != nil || len(args) == 0 {
-		return false
-	}
-
-	return strings.TrimSuffix(filepath.Base(args[0]), ".exe") == "gh"
-}
-
-// ConfiguredHelper returns the configured git credential helper for a given hostname.
-func (hc *HelperConfig) ConfiguredHelper(hostname string) (Helper, error) {
-	ctx := context.TODO()
-
-	hostHelperCmd, err := hc.GitClient.Config(ctx, keyFor(hostname))
-	if hostHelperCmd != "" {
-		// TODO: This is a direct refactoring removing named and naked returns
-		// but we should probably look closer at the error handling here
-		return Helper{
-			Cmd: hostHelperCmd,
-		}, err
-	}
-
-	globalHelperCmd, err := hc.GitClient.Config(ctx, "credential.helper")
-	if globalHelperCmd != "" {
-		return Helper{
-			Cmd: globalHelperCmd,
-		}, err
-	}
-
-	return Helper{}, nil
-}
-
-func keyFor(hostname string) string {
-	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
-	return fmt.Sprintf("credential.%s.helper", host)
-}
-
-func shellQuote(s string) string {
-	if strings.ContainsAny(s, " $\\") {
-		return "'" + s + "'"
-	}
-	return s
-}
-
 // An Updater is used to update the git credentials for a given hostname.
 type Updater struct {
 	GitClient *git.Client
diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go b/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go
deleted file mode 100644
index 2a9b6e6f958..00000000000
--- a/pkg/cmd/auth/shared/gitcredentials/gitcredentials_test.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package gitcredentials_test
-
-import (
-	"testing"
-
-	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
-)
-
-func TestHelperIsOurs(t *testing.T) {
-	tests := []struct {
-		name string
-		cmd  string
-		want bool
-	}{
-		{
-			name: "blank",
-			cmd:  "",
-			want: false,
-		},
-		{
-			name: "invalid",
-			cmd:  "!",
-			want: false,
-		},
-		{
-			name: "osxkeychain",
-			cmd:  "osxkeychain",
-			want: false,
-		},
-		{
-			name: "looks like gh but isn't",
-			cmd:  "gh auth",
-			want: false,
-		},
-		{
-			name: "ours",
-			cmd:  "!/path/to/gh auth",
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h := gitcredentials.Helper{Cmd: tt.cmd}
-			if got := h.IsOurs(); got != tt.want {
-				t.Errorf("IsOurs() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestHelperIsConfigured(t *testing.T) {
-	tests := []struct {
-		name string
-		cmd  string
-		want bool
-	}{
-		{
-			name: "blank is not configured",
-			cmd:  "",
-			want: false,
-		},
-		{
-			name: "anything else is configured",
-			cmd:  "unimportant",
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			h := gitcredentials.Helper{Cmd: tt.cmd}
-			if got := h.IsConfigured(); got != tt.want {
-				t.Errorf("IsConfigured() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
diff --git a/pkg/cmd/auth/shared/gitcredentials/helper_config.go b/pkg/cmd/auth/shared/gitcredentials/helper_config.go
new file mode 100644
index 00000000000..9e9b4eaadb1
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/helper_config.go
@@ -0,0 +1,124 @@
+package gitcredentials
+
+import (
+	"context"
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/internal/ghinstance"
+	"github.com/google/shlex"
+)
+
+// A HelperConfig is used to configure and inspect the state of git credential helpers.
+type HelperConfig struct {
+	SelfExecutablePath string
+	GitClient          *git.Client
+}
+
+// ConfigureOurs sets up the git credential helper chain to use the GitHub CLI credential helper for git repositories
+// including gists.
+func (hc *HelperConfig) ConfigureOurs(hostname string) error {
+	ctx := context.TODO()
+
+	credHelperKeys := []string{
+		keyFor(hostname),
+	}
+
+	gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
+	if strings.HasPrefix(gistHost, "gist.") {
+		credHelperKeys = append(credHelperKeys, keyFor(gistHost))
+	}
+
+	var configErr error
+
+	for _, credHelperKey := range credHelperKeys {
+		if configErr != nil {
+			break
+		}
+		// first use a blank value to indicate to git we want to sever the chain of credential helpers
+		preConfigureCmd, err := hc.GitClient.Command(ctx, "config", "--global", "--replace-all", credHelperKey, "")
+		if err != nil {
+			configErr = err
+			break
+		}
+		if _, err = preConfigureCmd.Output(); err != nil {
+			configErr = err
+			break
+		}
+
+		// second configure the actual helper for this host
+		configureCmd, err := hc.GitClient.Command(ctx,
+			"config", "--global", "--add",
+			credHelperKey,
+			fmt.Sprintf("!%s auth git-credential", shellQuote(hc.SelfExecutablePath)),
+		)
+		if err != nil {
+			configErr = err
+		} else {
+			_, configErr = configureCmd.Output()
+		}
+	}
+
+	return configErr
+}
+
+// A Helper represents a git credential helper configuration.
+type Helper struct {
+	Cmd string
+}
+
+// IsConfigured returns true if the helper has a non-empty command, i.e. the git config had an entry
+func (h Helper) IsConfigured() bool {
+	return h.Cmd != ""
+}
+
+// IsOurs returns true if the helper command is the GitHub CLI credential helper
+func (h Helper) IsOurs() bool {
+	if !strings.HasPrefix(h.Cmd, "!") {
+		return false
+	}
+
+	args, err := shlex.Split(h.Cmd[1:])
+	if err != nil || len(args) == 0 {
+		return false
+	}
+
+	return strings.TrimSuffix(filepath.Base(args[0]), ".exe") == "gh"
+}
+
+// ConfiguredHelper returns the configured git credential helper for a given hostname.
+func (hc *HelperConfig) ConfiguredHelper(hostname string) (Helper, error) {
+	ctx := context.TODO()
+
+	hostHelperCmd, err := hc.GitClient.Config(ctx, keyFor(hostname))
+	if hostHelperCmd != "" {
+		// TODO: This is a direct refactoring removing named and naked returns
+		// but we should probably look closer at the error handling here
+		return Helper{
+			Cmd: hostHelperCmd,
+		}, err
+	}
+
+	globalHelperCmd, err := hc.GitClient.Config(ctx, "credential.helper")
+	if globalHelperCmd != "" {
+		return Helper{
+			Cmd: globalHelperCmd,
+		}, err
+	}
+
+	return Helper{}, nil
+}
+
+func keyFor(hostname string) string {
+	host := strings.TrimSuffix(ghinstance.HostPrefix(hostname), "/")
+	return fmt.Sprintf("credential.%s.helper", host)
+}
+
+func shellQuote(s string) string {
+	if strings.ContainsAny(s, " $\\") {
+		return "'" + s + "'"
+	}
+	return s
+}
diff --git a/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
new file mode 100644
index 00000000000..acf5612ca4a
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
@@ -0,0 +1,176 @@
+package gitcredentials_test
+
+import (
+	"context"
+	"path/filepath"
+	"testing"
+
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
+	"github.com/stretchr/testify/require"
+)
+
+func withIsolatedGitConfig(t *testing.T) {
+	t.Helper()
+
+	// https://git-scm.com/docs/git-config#ENVIRONMENT
+	// Set the global git config to a temporary file
+	tmpDir := t.TempDir()
+	configFile := filepath.Join(tmpDir, ".gitconfig")
+	t.Setenv("GIT_CONFIG_GLOBAL", configFile)
+
+	// And disable git reading the system config
+	t.Setenv("GIT_CONFIG_NOSYSTEM", "true")
+}
+
+func configureTestCredentialHelper(t *testing.T, key string) {
+	t.Helper()
+
+	gc := &git.Client{}
+	cmd, err := gc.Command(context.Background(), "config", "--global", "--add", key, "test-helper")
+	require.NoError(t, err)
+	require.NoError(t, cmd.Run())
+}
+
+func TestConfigureOursNoPreexistingHelpersConfigured(t *testing.T) {
+	// Given there are no credential helpers configured
+	withIsolatedGitConfig(t)
+
+	// When we configure ourselves as the git credential helper
+	hc := gitcredentials.HelperConfig{
+		SelfExecutablePath: "/path/to/gh",
+		GitClient:          &git.Client{},
+	}
+	require.NoError(t, hc.ConfigureOurs("github.com"))
+
+	// Then the git config should be updated to use our credential helper for both repos and gists
+	repoHelper, err := hc.ConfiguredHelper("github.com")
+	require.NoError(t, err)
+	require.True(t, repoHelper.IsConfigured(), "expected our helper to be configured")
+	require.True(t, repoHelper.IsOurs(), "expected the helper to be ours but was %q", repoHelper.Cmd)
+
+	gistHelper, err := hc.ConfiguredHelper("gist.github.com")
+	require.NoError(t, err)
+	require.True(t, gistHelper.IsConfigured(), "expected our helper to be configured")
+	require.True(t, gistHelper.IsOurs(), "expected the helper to be ours but was %q", gistHelper.Cmd)
+}
+
+func TestConfigureOursWithPreexistingHelpersConfigured(t *testing.T) {
+	// Given there are other credential helpers configured
+	withIsolatedGitConfig(t)
+	configureTestCredentialHelper(t, "credential.helper")
+	configureTestCredentialHelper(t, "credential.https://github.com.helper")
+
+	// When we configure ourselves as the git credential helper
+	hc := gitcredentials.HelperConfig{
+		SelfExecutablePath: "/path/to/gh",
+		GitClient:          &git.Client{},
+	}
+	require.NoError(t, hc.ConfigureOurs("github.com"))
+
+	// Then the git config should be updated to use our credential repoHelper for both repos and gists
+	repoHelper, err := hc.ConfiguredHelper("github.com")
+	require.NoError(t, err)
+	require.True(t, repoHelper.IsConfigured(), "expected our helper to be configured")
+	require.True(t, repoHelper.IsOurs(), "expected the helper to be ours but was %q", repoHelper.Cmd)
+
+	gistHelper, err := hc.ConfiguredHelper("gist.github.com")
+	require.NoError(t, err)
+	require.True(t, gistHelper.IsConfigured(), "expected our helper to be configured")
+	require.True(t, gistHelper.IsOurs(), "expected the helper to be ours but was %q", gistHelper.Cmd)
+}
+
+func TestConfiguredHelperNoPreexistingHelpersConfigured(t *testing.T) {
+	// Given there are no credential helpers configured
+	withIsolatedGitConfig(t)
+
+	// When we check the configured helper for a hostname
+	hc := gitcredentials.HelperConfig{
+		SelfExecutablePath: "/path/to/gh",
+		GitClient:          &git.Client{},
+	}
+	helper, err := hc.ConfiguredHelper("github.com")
+
+	// Then the helper should not be configured and not ours
+	require.NoError(t, err)
+	require.False(t, helper.IsConfigured(), "expected no helper to be configured")
+	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+}
+
+func TestConfiguredHelperWithPreexistingGlobalHelperConfigured(t *testing.T) {
+	// Given there is a global credential helper configured
+	withIsolatedGitConfig(t)
+	configureTestCredentialHelper(t, "credential.helper")
+
+	// When we check the configured helper for a hostname
+	hc := gitcredentials.HelperConfig{
+		SelfExecutablePath: "/path/to/gh",
+		GitClient:          &git.Client{},
+	}
+	helper, err := hc.ConfiguredHelper("github.com")
+
+	// Then the helper should be configured, but not ours
+	require.NoError(t, err)
+	require.True(t, helper.IsConfigured(), "expected no helper to be configured")
+	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+}
+
+func TestConfiguredHelperWithPreexistingHostHelperConfigured(t *testing.T) {
+	// Given there is a credential helper configured for a hostname
+	withIsolatedGitConfig(t)
+	configureTestCredentialHelper(t, "credential.https://github.com.helper")
+
+	// When we check the configured helper for a hostname
+	hc := gitcredentials.HelperConfig{
+		SelfExecutablePath: "/path/to/gh",
+		GitClient:          &git.Client{},
+	}
+	helper, err := hc.ConfiguredHelper("github.com")
+
+	// Then the helper should be configured, but not ours
+	require.NoError(t, err)
+	require.True(t, helper.IsConfigured(), "expected no helper to be configured")
+	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+}
+
+func TestHelperIsOurs(t *testing.T) {
+	tests := []struct {
+		name string
+		cmd  string
+		want bool
+	}{
+		{
+			name: "blank",
+			cmd:  "",
+			want: false,
+		},
+		{
+			name: "invalid",
+			cmd:  "!",
+			want: false,
+		},
+		{
+			name: "osxkeychain",
+			cmd:  "osxkeychain",
+			want: false,
+		},
+		{
+			name: "looks like gh but isn't",
+			cmd:  "gh auth",
+			want: false,
+		},
+		{
+			name: "ours",
+			cmd:  "!/path/to/gh auth",
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := gitcredentials.Helper{Cmd: tt.cmd}
+			if got := h.IsOurs(); got != tt.want {
+				t.Errorf("IsOurs() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

From 37abb3ec96a48c0082d5000d580e398095a9efeb Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 14:38:51 +0200
Subject: [PATCH 065/253] Fix mistaken git installation error check

---
 pkg/cmd/auth/shared/git_credential.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index cba252d72a2..c98992a76bd 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -52,7 +52,7 @@ func (flow *GitCredentialFlow) Prompt(hostname string) error {
 		//  * https://git-scm.com/docs/git-config#_description
 		//  * https://github.com/cli/cli/pull/4109
 		var errNotInstalled *git.NotInstalled
-		if errors.As(err, &errNotInstalled) {
+		if errors.As(configuredHelperErr, &errNotInstalled) {
 			return configuredHelperErr
 		}
 

From 64d50e6fbc4438c2e07b65e5509fc55d7db1f75a Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 15:37:18 +0200
Subject: [PATCH 066/253] Add tests for gitcredentials Updater

---
 .../{gitcredentials.go => updater.go}         |  0
 .../shared/gitcredentials/updater_test.go     | 85 +++++++++++++++++++
 2 files changed, 85 insertions(+)
 rename pkg/cmd/auth/shared/gitcredentials/{gitcredentials.go => updater.go} (100%)
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/updater_test.go

diff --git a/pkg/cmd/auth/shared/gitcredentials/gitcredentials.go b/pkg/cmd/auth/shared/gitcredentials/updater.go
similarity index 100%
rename from pkg/cmd/auth/shared/gitcredentials/gitcredentials.go
rename to pkg/cmd/auth/shared/gitcredentials/updater.go
diff --git a/pkg/cmd/auth/shared/gitcredentials/updater_test.go b/pkg/cmd/auth/shared/gitcredentials/updater_test.go
new file mode 100644
index 00000000000..10a9c5c6c55
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/updater_test.go
@@ -0,0 +1,85 @@
+package gitcredentials_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
+	"github.com/stretchr/testify/require"
+)
+
+func configureStoreCredentialHelper(t *testing.T) {
+	t.Helper()
+	tmpCredentialsFile := filepath.Join(t.TempDir(), "credentials")
+
+	gc := &git.Client{}
+	// Use `--file` to store credentials in a temporary file that gets cleaned up when the test has finished running
+	cmd, err := gc.Command(context.Background(), "config", "--global", "--add", "credential.helper", fmt.Sprintf("store --file %s", tmpCredentialsFile))
+	require.NoError(t, err)
+	require.NoError(t, cmd.Run())
+}
+
+func fillCredentials(t *testing.T) string {
+	gc := &git.Client{}
+	fillCmd, err := gc.Command(context.Background(), "credential", "fill")
+	require.NoError(t, err)
+
+	fillCmd.Stdin = bytes.NewBufferString(heredoc.Docf(`
+		protocol=https
+		host=%s
+	`, "github.com"))
+
+	b, err := fillCmd.Output()
+	require.NoError(t, err)
+
+	return string(b)
+}
+
+func TestUpdateAddsNewCredentials(t *testing.T) {
+	// Given we have an isolated git config and we're using the built in store credential helper
+	// https://git-scm.com/docs/git-credential-store
+	withIsolatedGitConfig(t)
+	configureStoreCredentialHelper(t)
+
+	// When we add new credentials
+	u := &gitcredentials.Updater{
+		GitClient: &git.Client{},
+	}
+	require.NoError(t, u.Update("github.com", "monalisa", "password"))
+
+	// Then our credential description is successfully filled
+	require.Equal(t, heredoc.Doc(`
+protocol=https
+host=github.com
+username=monalisa
+password=password
+`), fillCredentials(t))
+}
+
+func TestUpdateReplacesOldCredentials(t *testing.T) {
+	// Given we have an isolated git config and we're using the built in store credential helper
+	// https://git-scm.com/docs/git-credential-store
+	// and we have existing credentials
+	withIsolatedGitConfig(t)
+	configureStoreCredentialHelper(t)
+
+	// When we replace old credentials
+	u := &gitcredentials.Updater{
+		GitClient: &git.Client{},
+	}
+	require.NoError(t, u.Update("github.com", "monalisa", "old-password"))
+	require.NoError(t, u.Update("github.com", "monalisa", "new-password"))
+
+	// Then our credential description is successfully filled
+	require.Equal(t, heredoc.Doc(`
+protocol=https
+host=github.com
+username=monalisa
+password=new-password
+`), fillCredentials(t))
+}

From 3803fd04b9150e40bb5a573d28f562e712cf0ca4 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 16 May 2024 17:01:41 +0200
Subject: [PATCH 067/253] Add Helper test for Windows

---
 .../gitcredentials/helper_config_test.go       | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
index acf5612ca4a..b7ddbb8830e 100644
--- a/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
+++ b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
@@ -3,6 +3,7 @@ package gitcredentials_test
 import (
 	"context"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/cli/cli/v2/git"
@@ -135,9 +136,10 @@ func TestConfiguredHelperWithPreexistingHostHelperConfigured(t *testing.T) {
 
 func TestHelperIsOurs(t *testing.T) {
 	tests := []struct {
-		name string
-		cmd  string
-		want bool
+		name        string
+		cmd         string
+		want        bool
+		windowsOnly bool
 	}{
 		{
 			name: "blank",
@@ -164,9 +166,19 @@ func TestHelperIsOurs(t *testing.T) {
 			cmd:  "!/path/to/gh auth",
 			want: true,
 		},
+		{
+			name:        "ours - Windows edition",
+			cmd:         `!'C:\Program Files\GitHub CLI\gh.exe' auth git-credential`,
+			want:        true,
+			windowsOnly: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.windowsOnly && runtime.GOOS != "windows" {
+				t.Skip("skipping test on non-Windows platform")
+			}
+
 			h := gitcredentials.Helper{Cmd: tt.cmd}
 			if got := h.IsOurs(); got != tt.want {
 				t.Errorf("IsOurs() = %v, want %v", got, tt.want)

From 1dfcaab1022883b497161929d4db770d64cc5c96 Mon Sep 17 00:00:00 2001
From: leevic31 <leevic31@gmail.com>
Date: Thu, 16 May 2024 15:31:56 -0400
Subject: [PATCH 068/253] Added TTY message to summarize checking extension
 upgrades

---
 pkg/cmd/extension/command.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/cmd/extension/command.go b/pkg/cmd/extension/command.go
index aa005ddbc02..82e81c15f51 100644
--- a/pkg/cmd/extension/command.go
+++ b/pkg/cmd/extension/command.go
@@ -64,6 +64,10 @@ func NewCmdExtension(f *cmdutil.Factory) *cobra.Command {
 			return cmdutil.SilentError
 		}
 
+		if io.IsStdoutTTY() {
+			fmt.Fprintf(io.Out, "%s Successfully checked extension upgrades\n", cs.SuccessIcon())
+		}
+
 		return nil
 	}
 

From e3d5c063ef38ff4ecbe3de3152003b54d7a7f05d Mon Sep 17 00:00:00 2001
From: leevic31 <leevic31@gmail.com>
Date: Thu, 16 May 2024 15:38:49 -0400
Subject: [PATCH 069/253] Added summary TTY message to tests

---
 pkg/cmd/extension/command_test.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkg/cmd/extension/command_test.go b/pkg/cmd/extension/command_test.go
index e16ab69b159..fc9c414a31b 100644
--- a/pkg/cmd/extension/command_test.go
+++ b/pkg/cmd/extension/command_test.go
@@ -332,7 +332,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade an extension dry run",
@@ -352,7 +352,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade an extension notty",
@@ -385,7 +385,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade extension error",
@@ -420,7 +420,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade an extension full name",
@@ -436,7 +436,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade all",
@@ -452,7 +452,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade all dry run",
@@ -472,7 +472,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 		{
 			name: "upgrade all none installed",
@@ -853,7 +853,7 @@ func TestNewCmdExtension(t *testing.T) {
 				}
 			},
 			isTTY:      true,
-			wantStdout: "",
+			wantStdout: "✓ Successfully checked extension upgrades\n",
 		},
 	}
 

From 222d6c8e658ea46952af2560cedbce30716951b1 Mon Sep 17 00:00:00 2001
From: leevic31 <leevic31@gmail.com>
Date: Thu, 16 May 2024 15:41:47 -0400
Subject: [PATCH 070/253] Removed unused param flagDryRun from upgradeFunc

---
 pkg/cmd/extension/command.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/extension/command.go b/pkg/cmd/extension/command.go
index 82e81c15f51..b3c7b0c9f01 100644
--- a/pkg/cmd/extension/command.go
+++ b/pkg/cmd/extension/command.go
@@ -50,7 +50,7 @@ func NewCmdExtension(f *cmdutil.Factory) *cobra.Command {
 		Aliases: []string{"extensions", "ext"},
 	}
 
-	upgradeFunc := func(name string, flagForce, flagDryRun bool) error {
+	upgradeFunc := func(name string, flagForce bool) error {
 		cs := io.ColorScheme()
 		err := m.Upgrade(name, flagForce)
 		if err != nil {
@@ -330,7 +330,7 @@ func NewCmdExtension(f *cmdutil.Factory) *cobra.Command {
 					if ext, err := checkValidExtension(cmd.Root(), m, repo.RepoName(), repo.RepoOwner()); err != nil {
 						// If an existing extension was found and --force was specified, attempt to upgrade.
 						if forceFlag && ext != nil {
-							return upgradeFunc(ext.Name(), forceFlag, false)
+							return upgradeFunc(ext.Name(), forceFlag)
 						}
 
 						if errors.Is(err, alreadyInstalledError) {
@@ -399,7 +399,7 @@ func NewCmdExtension(f *cmdutil.Factory) *cobra.Command {
 					if flagDryRun {
 						m.EnableDryRunMode()
 					}
-					return upgradeFunc(name, flagForce, flagDryRun)
+					return upgradeFunc(name, flagForce)
 				},
 			}
 			cmd.Flags().BoolVar(&flagAll, "all", false, "Upgrade all extensions")

From 3ea937d903caec84c1181b995dac3b2ad7d6ed34 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 17 May 2024 13:26:23 +0200
Subject: [PATCH 071/253] Inject GitCredentialFlow to LoginFlow as test seam

---
 pkg/cmd/auth/login/login.go            | 33 ++++++++++++++++----------
 pkg/cmd/auth/shared/login_flow.go      | 23 ++++--------------
 pkg/cmd/auth/shared/login_flow_test.go |  6 +++++
 3 files changed, 32 insertions(+), 30 deletions(-)

diff --git a/pkg/cmd/auth/login/login.go b/pkg/cmd/auth/login/login.go
index 9104dd175ea..9e27f28ac72 100644
--- a/pkg/cmd/auth/login/login.go
+++ b/pkg/cmd/auth/login/login.go
@@ -12,6 +12,7 @@ import (
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghinstance"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	ghAuth "github.com/cli/go-gh/v2/pkg/auth"
@@ -195,18 +196,26 @@ func loginRun(opts *LoginOptions) error {
 	}
 
 	return shared.Login(&shared.LoginOptions{
-		IO:               opts.IO,
-		Config:           authCfg,
-		HTTPClient:       httpClient,
-		Hostname:         hostname,
-		Interactive:      opts.Interactive,
-		Web:              opts.Web,
-		Scopes:           opts.Scopes,
-		Executable:       opts.MainExecutable,
-		GitProtocol:      opts.GitProtocol,
-		Prompter:         opts.Prompter,
-		GitClient:        opts.GitClient,
-		Browser:          opts.Browser,
+		IO:          opts.IO,
+		Config:      authCfg,
+		HTTPClient:  httpClient,
+		Hostname:    hostname,
+		Interactive: opts.Interactive,
+		Web:         opts.Web,
+		Scopes:      opts.Scopes,
+		GitProtocol: opts.GitProtocol,
+		Prompter:    opts.Prompter,
+		Browser:     opts.Browser,
+		CredentialFlow: &shared.GitCredentialFlow{
+			Prompter: opts.Prompter,
+			HelperConfig: &gitcredentials.HelperConfig{
+				SelfExecutablePath: opts.MainExecutable,
+				GitClient:          opts.GitClient,
+			},
+			Updater: &gitcredentials.Updater{
+				GitClient: opts.GitClient,
+			},
+		},
 		SecureStorage:    !opts.InsecureStorage,
 		SkipSSHKeyPrompt: opts.SkipSSHKeyPrompt,
 	})
diff --git a/pkg/cmd/auth/shared/login_flow.go b/pkg/cmd/auth/shared/login_flow.go
index b0feddd2f04..93455e8ee77 100644
--- a/pkg/cmd/auth/shared/login_flow.go
+++ b/pkg/cmd/auth/shared/login_flow.go
@@ -11,11 +11,9 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
-	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/authflow"
 	"github.com/cli/cli/v2/internal/browser"
 	"github.com/cli/cli/v2/internal/ghinstance"
-	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/cmd/ssh-key/add"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/ssh"
@@ -32,15 +30,14 @@ type LoginOptions struct {
 	IO               *iostreams.IOStreams
 	Config           iconfig
 	HTTPClient       *http.Client
-	GitClient        *git.Client
 	Hostname         string
 	Interactive      bool
 	Web              bool
 	Scopes           []string
-	Executable       string
 	GitProtocol      string
 	Prompter         Prompt
 	Browser          browser.Browser
+	CredentialFlow   *GitCredentialFlow
 	SecureStorage    bool
 	SkipSSHKeyPrompt bool
 
@@ -72,21 +69,11 @@ func Login(opts *LoginOptions) error {
 
 	var additionalScopes []string
 
-	credentialFlow := &GitCredentialFlow{
-		Prompter: opts.Prompter,
-		HelperConfig: &gitcredentials.HelperConfig{
-			SelfExecutablePath: opts.Executable,
-			GitClient:          opts.GitClient,
-		},
-		Updater: &gitcredentials.Updater{
-			GitClient: opts.GitClient,
-		},
-	}
 	if opts.Interactive && gitProtocol == "https" {
-		if err := credentialFlow.Prompt(hostname); err != nil {
+		if err := opts.CredentialFlow.Prompt(hostname); err != nil {
 			return err
 		}
-		additionalScopes = append(additionalScopes, credentialFlow.Scopes()...)
+		additionalScopes = append(additionalScopes, opts.CredentialFlow.Scopes()...)
 	}
 
 	var keyToUpload string
@@ -214,8 +201,8 @@ func Login(opts *LoginOptions) error {
 		fmt.Fprintf(opts.IO.ErrOut, "%s Authentication credentials saved in plain text\n", cs.Yellow("!"))
 	}
 
-	if credentialFlow.ShouldSetup() {
-		err := credentialFlow.Setup(hostname, username, authToken)
+	if opts.CredentialFlow.ShouldSetup() {
+		err := opts.CredentialFlow.Setup(hostname, username, authToken)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/cmd/auth/shared/login_flow_test.go b/pkg/cmd/auth/shared/login_flow_test.go
index b9396a1a16e..fc58ea5eaf9 100644
--- a/pkg/cmd/auth/shared/login_flow_test.go
+++ b/pkg/cmd/auth/shared/login_flow_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/cli/cli/v2/internal/run"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/ssh"
@@ -255,6 +256,11 @@ func TestLogin(t *testing.T) {
 			tt.opts.IO = ios
 			tt.opts.Config = &cfg
 			tt.opts.HTTPClient = &http.Client{Transport: reg}
+			// TODO: test the usage of the credential flow, which is currently untested.
+			tt.opts.CredentialFlow = &GitCredentialFlow{
+				HelperConfig: &gitcredentials.HelperConfig{},
+				Updater:      &gitcredentials.Updater{},
+			}
 
 			if tt.runStubs != nil {
 				rs, runRestore := run.Stub()

From ba1afa2c5d03d252b6717bc6a8e2b64f68de4b60 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 17 May 2024 14:16:14 +0200
Subject: [PATCH 072/253] Add HelperConfig contract test and FakeHelperConfig

---
 pkg/cmd/auth/shared/contract/helper_config.go |  59 +++++++++
 pkg/cmd/auth/shared/git_credential.go         |   5 +
 .../gitcredentials/fake_helper_config.go      |  49 ++++++++
 .../gitcredentials/fake_helper_config_test.go |  32 +++++
 .../gitcredentials/helper_config_test.go      | 113 ++++--------------
 5 files changed, 170 insertions(+), 88 deletions(-)
 create mode 100644 pkg/cmd/auth/shared/contract/helper_config.go
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/fake_helper_config.go
 create mode 100644 pkg/cmd/auth/shared/gitcredentials/fake_helper_config_test.go

diff --git a/pkg/cmd/auth/shared/contract/helper_config.go b/pkg/cmd/auth/shared/contract/helper_config.go
new file mode 100644
index 00000000000..287eb7c90aa
--- /dev/null
+++ b/pkg/cmd/auth/shared/contract/helper_config.go
@@ -0,0 +1,59 @@
+package contract
+
+import (
+	"testing"
+
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/stretchr/testify/require"
+)
+
+type HelperConfig struct {
+	NewHelperConfig func(t *testing.T) shared.HelperConfig
+	ConfigureHelper func(t *testing.T, hostname string)
+}
+
+func (contract HelperConfig) Test(t *testing.T) {
+	t.Run("when there are no credential helpers, configures gh for repo and gist host", func(t *testing.T) {
+		hc := contract.NewHelperConfig(t)
+		require.NoError(t, hc.ConfigureOurs("github.com"))
+
+		repoHelper, err := hc.ConfiguredHelper("github.com")
+		require.NoError(t, err)
+		require.True(t, repoHelper.IsConfigured(), "expected our helper to be configured")
+		require.True(t, repoHelper.IsOurs(), "expected the helper to be ours but was %q", repoHelper.Cmd)
+
+		gistHelper, err := hc.ConfiguredHelper("gist.github.com")
+		require.NoError(t, err)
+		require.True(t, gistHelper.IsConfigured(), "expected our helper to be configured")
+		require.True(t, gistHelper.IsOurs(), "expected the helper to be ours but was %q", gistHelper.Cmd)
+	})
+
+	t.Run("when there is a global credential helper, it should be configured but not ours", func(t *testing.T) {
+		hc := contract.NewHelperConfig(t)
+		contract.ConfigureHelper(t, "credential.helper")
+
+		helper, err := hc.ConfiguredHelper("github.com")
+		require.NoError(t, err)
+		require.True(t, helper.IsConfigured(), "expected helper to be configured")
+		require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+	})
+
+	t.Run("when there is a host credential helper, it should be configured but not ours", func(t *testing.T) {
+		hc := contract.NewHelperConfig(t)
+		contract.ConfigureHelper(t, "credential.https://github.com.helper")
+
+		helper, err := hc.ConfiguredHelper("github.com")
+		require.NoError(t, err)
+		require.True(t, helper.IsConfigured(), "expected helper to be configured")
+		require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+	})
+
+	t.Run("returns non configured helper when no helpers are configured", func(t *testing.T) {
+		hc := contract.NewHelperConfig(t)
+
+		helper, err := hc.ConfiguredHelper("github.com")
+		require.NoError(t, err)
+		require.False(t, helper.IsConfigured(), "expected no helper to be configured")
+		require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+	})
+}
diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index c98992a76bd..ad552730e49 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -7,6 +7,11 @@ import (
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 )
 
+type HelperConfig interface {
+	ConfigureOurs(hostname string) error
+	ConfiguredHelper(hostname string) (gitcredentials.Helper, error)
+}
+
 type GitCredentialFlow struct {
 	Prompter Prompt
 
diff --git a/pkg/cmd/auth/shared/gitcredentials/fake_helper_config.go b/pkg/cmd/auth/shared/gitcredentials/fake_helper_config.go
new file mode 100644
index 00000000000..f6ae2f2c067
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/fake_helper_config.go
@@ -0,0 +1,49 @@
+package gitcredentials
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/cli/cli/v2/internal/ghinstance"
+)
+
+type FakeHelperConfig struct {
+	SelfExecutablePath string
+	Helpers            map[string]Helper
+}
+
+// ConfigureOurs sets up the git credential helper chain to use the GitHub CLI credential helper for git repositories
+// including gists.
+func (hc *FakeHelperConfig) ConfigureOurs(hostname string) error {
+	credHelperKeys := []string{
+		keyFor(hostname),
+	}
+
+	gistHost := strings.TrimSuffix(ghinstance.GistHost(hostname), "/")
+	if strings.HasPrefix(gistHost, "gist.") {
+		credHelperKeys = append(credHelperKeys, keyFor(gistHost))
+	}
+
+	for _, credHelperKey := range credHelperKeys {
+		hc.Helpers[credHelperKey] = Helper{
+			Cmd: fmt.Sprintf("!%s auth git-credential", shellQuote(hc.SelfExecutablePath)),
+		}
+	}
+
+	return nil
+}
+
+// ConfiguredHelper returns the configured git credential helper for a given hostname.
+func (hc *FakeHelperConfig) ConfiguredHelper(hostname string) (Helper, error) {
+	helper, ok := hc.Helpers[keyFor(hostname)]
+	if ok {
+		return helper, nil
+	}
+
+	helper, ok = hc.Helpers["credential.helper"]
+	if ok {
+		return helper, nil
+	}
+
+	return Helper{}, nil
+}
diff --git a/pkg/cmd/auth/shared/gitcredentials/fake_helper_config_test.go b/pkg/cmd/auth/shared/gitcredentials/fake_helper_config_test.go
new file mode 100644
index 00000000000..441972affb9
--- /dev/null
+++ b/pkg/cmd/auth/shared/gitcredentials/fake_helper_config_test.go
@@ -0,0 +1,32 @@
+package gitcredentials_test
+
+import (
+	"testing"
+
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/contract"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
+)
+
+func TestFakeHelperConfigContract(t *testing.T) {
+	// Note that this being mutated by `NewHelperConfig` makes these tests not parallelizable
+	var fhc *gitcredentials.FakeHelperConfig
+
+	contract.HelperConfig{
+		NewHelperConfig: func(t *testing.T) shared.HelperConfig {
+			// Mutate the closed over fhc so that ConfigureHelper is able to configure helpers
+			// for tests. An alternative would be to provide the Helper as an argument back to ConfigureHelper
+			// but then we'd have to type assert it back to *FakeHelperConfig, which is probably more trouble than
+			// it's worth to parallelize these tests, sinced it's not even possible to parallelize the real Helperconfig
+			// ones due to them using t.Setenv
+			fhc = &gitcredentials.FakeHelperConfig{
+				SelfExecutablePath: "/path/to/gh",
+				Helpers:            map[string]gitcredentials.Helper{},
+			}
+			return fhc
+		},
+		ConfigureHelper: func(t *testing.T, hostname string) {
+			fhc.Helpers[hostname] = gitcredentials.Helper{Cmd: "test-helper"}
+		},
+	}.Test(t)
+}
diff --git a/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
index b7ddbb8830e..80ffac85a36 100644
--- a/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
+++ b/pkg/cmd/auth/shared/gitcredentials/helper_config_test.go
@@ -7,6 +7,8 @@ import (
 	"testing"
 
 	"github.com/cli/cli/v2/git"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared"
+	"github.com/cli/cli/v2/pkg/cmd/auth/shared/contract"
 	"github.com/cli/cli/v2/pkg/cmd/auth/shared/gitcredentials"
 	"github.com/stretchr/testify/require"
 )
@@ -33,105 +35,40 @@ func configureTestCredentialHelper(t *testing.T, key string) {
 	require.NoError(t, cmd.Run())
 }
 
-func TestConfigureOursNoPreexistingHelpersConfigured(t *testing.T) {
-	// Given there are no credential helpers configured
-	withIsolatedGitConfig(t)
-
-	// When we configure ourselves as the git credential helper
-	hc := gitcredentials.HelperConfig{
-		SelfExecutablePath: "/path/to/gh",
-		GitClient:          &git.Client{},
-	}
-	require.NoError(t, hc.ConfigureOurs("github.com"))
+func TestHelperConfigContract(t *testing.T) {
+	contract.HelperConfig{
+		NewHelperConfig: func(t *testing.T) shared.HelperConfig {
+			withIsolatedGitConfig(t)
 
-	// Then the git config should be updated to use our credential helper for both repos and gists
-	repoHelper, err := hc.ConfiguredHelper("github.com")
-	require.NoError(t, err)
-	require.True(t, repoHelper.IsConfigured(), "expected our helper to be configured")
-	require.True(t, repoHelper.IsOurs(), "expected the helper to be ours but was %q", repoHelper.Cmd)
-
-	gistHelper, err := hc.ConfiguredHelper("gist.github.com")
-	require.NoError(t, err)
-	require.True(t, gistHelper.IsConfigured(), "expected our helper to be configured")
-	require.True(t, gistHelper.IsOurs(), "expected the helper to be ours but was %q", gistHelper.Cmd)
+			return &gitcredentials.HelperConfig{
+				SelfExecutablePath: "/path/to/gh",
+				GitClient:          &git.Client{},
+			}
+		},
+		ConfigureHelper: func(t *testing.T, hostname string) {
+			configureTestCredentialHelper(t, hostname)
+		},
+	}.Test(t)
 }
 
-func TestConfigureOursWithPreexistingHelpersConfigured(t *testing.T) {
-	// Given there are other credential helpers configured
+// This is a whitebox test unlike the contract because although we don't use the exact configured command, it's
+// important that it is exactly right since git uses it.
+func TestSetsCorrectCommandInGitConfig(t *testing.T) {
 	withIsolatedGitConfig(t)
-	configureTestCredentialHelper(t, "credential.helper")
-	configureTestCredentialHelper(t, "credential.https://github.com.helper")
 
-	// When we configure ourselves as the git credential helper
-	hc := gitcredentials.HelperConfig{
+	gc := &git.Client{}
+	hc := &gitcredentials.HelperConfig{
 		SelfExecutablePath: "/path/to/gh",
-		GitClient:          &git.Client{},
+		GitClient:          gc,
 	}
 	require.NoError(t, hc.ConfigureOurs("github.com"))
 
-	// Then the git config should be updated to use our credential repoHelper for both repos and gists
-	repoHelper, err := hc.ConfiguredHelper("github.com")
+	// Check that the correct command was set in the git config
+	cmd, err := gc.Command(context.Background(), "config", "--get", "credential.https://github.com.helper")
 	require.NoError(t, err)
-	require.True(t, repoHelper.IsConfigured(), "expected our helper to be configured")
-	require.True(t, repoHelper.IsOurs(), "expected the helper to be ours but was %q", repoHelper.Cmd)
-
-	gistHelper, err := hc.ConfiguredHelper("gist.github.com")
-	require.NoError(t, err)
-	require.True(t, gistHelper.IsConfigured(), "expected our helper to be configured")
-	require.True(t, gistHelper.IsOurs(), "expected the helper to be ours but was %q", gistHelper.Cmd)
-}
-
-func TestConfiguredHelperNoPreexistingHelpersConfigured(t *testing.T) {
-	// Given there are no credential helpers configured
-	withIsolatedGitConfig(t)
-
-	// When we check the configured helper for a hostname
-	hc := gitcredentials.HelperConfig{
-		SelfExecutablePath: "/path/to/gh",
-		GitClient:          &git.Client{},
-	}
-	helper, err := hc.ConfiguredHelper("github.com")
-
-	// Then the helper should not be configured and not ours
-	require.NoError(t, err)
-	require.False(t, helper.IsConfigured(), "expected no helper to be configured")
-	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
-}
-
-func TestConfiguredHelperWithPreexistingGlobalHelperConfigured(t *testing.T) {
-	// Given there is a global credential helper configured
-	withIsolatedGitConfig(t)
-	configureTestCredentialHelper(t, "credential.helper")
-
-	// When we check the configured helper for a hostname
-	hc := gitcredentials.HelperConfig{
-		SelfExecutablePath: "/path/to/gh",
-		GitClient:          &git.Client{},
-	}
-	helper, err := hc.ConfiguredHelper("github.com")
-
-	// Then the helper should be configured, but not ours
-	require.NoError(t, err)
-	require.True(t, helper.IsConfigured(), "expected no helper to be configured")
-	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
-}
-
-func TestConfiguredHelperWithPreexistingHostHelperConfigured(t *testing.T) {
-	// Given there is a credential helper configured for a hostname
-	withIsolatedGitConfig(t)
-	configureTestCredentialHelper(t, "credential.https://github.com.helper")
-
-	// When we check the configured helper for a hostname
-	hc := gitcredentials.HelperConfig{
-		SelfExecutablePath: "/path/to/gh",
-		GitClient:          &git.Client{},
-	}
-	helper, err := hc.ConfiguredHelper("github.com")
-
-	// Then the helper should be configured, but not ours
+	output, err := cmd.Output()
 	require.NoError(t, err)
-	require.True(t, helper.IsConfigured(), "expected no helper to be configured")
-	require.False(t, helper.IsOurs(), "expected the helper not to be ours but was %q", helper.Cmd)
+	require.Equal(t, "!/path/to/gh auth git-credential\n", string(output))
 }
 
 func TestHelperIsOurs(t *testing.T) {

From 540bda1a6b0bb4ecaaba75a56663a878a443ae34 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 17 May 2024 14:31:21 +0200
Subject: [PATCH 073/253] Test git credentials are configured in LoginFlow

---
 pkg/cmd/auth/shared/git_credential.go  |  2 +-
 pkg/cmd/auth/shared/login_flow_test.go | 56 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/auth/shared/git_credential.go b/pkg/cmd/auth/shared/git_credential.go
index ad552730e49..e3136de43b0 100644
--- a/pkg/cmd/auth/shared/git_credential.go
+++ b/pkg/cmd/auth/shared/git_credential.go
@@ -15,7 +15,7 @@ type HelperConfig interface {
 type GitCredentialFlow struct {
 	Prompter Prompt
 
-	HelperConfig *gitcredentials.HelperConfig
+	HelperConfig HelperConfig
 	Updater      *gitcredentials.Updater
 
 	shouldSetup bool
diff --git a/pkg/cmd/auth/shared/login_flow_test.go b/pkg/cmd/auth/shared/login_flow_test.go
index fc58ea5eaf9..2f8f7c33884 100644
--- a/pkg/cmd/auth/shared/login_flow_test.go
+++ b/pkg/cmd/auth/shared/login_flow_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/cli/cli/v2/pkg/ssh"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 type tinyConfig map[string]string
@@ -288,6 +289,61 @@ func TestLogin(t *testing.T) {
 	}
 }
 
+func TestAuthenticatingGitCredentials(t *testing.T) {
+	// Given we have no host or global credential helpers configured
+	// And given they have chosen https as their git protocol
+	// When they choose to authenticate git with their GitHub credentials
+	// Then gh is configured as their credential helper for that host
+	ios, _, _, _ := iostreams.Test()
+
+	reg := &httpmock.Registry{}
+	defer reg.Verify(t)
+	reg.Register(
+		httpmock.REST("GET", "api/v3/"),
+		httpmock.ScopesResponder("repo,read:org"))
+	reg.Register(
+		httpmock.GraphQL(`query UserCurrent\b`),
+		httpmock.StringResponse(`{"data":{"viewer":{ "login": "monalisa" }}}`))
+
+	opts := &LoginOptions{
+		IO:          ios,
+		Config:      tinyConfig{},
+		HTTPClient:  &http.Client{Transport: reg},
+		Hostname:    "example.com",
+		Interactive: true,
+		GitProtocol: "https",
+		Prompter: &prompter.PrompterMock{
+			SelectFunc: func(prompt, _ string, opts []string) (int, error) {
+				if prompt == "How would you like to authenticate GitHub CLI?" {
+					return prompter.IndexFor(opts, "Paste an authentication token")
+				}
+				return -1, prompter.NoSuchPromptErr(prompt)
+			},
+			AuthTokenFunc: func() (string, error) {
+				return "ATOKEN", nil
+			},
+		},
+		CredentialFlow: &GitCredentialFlow{
+			Prompter: &prompter.PrompterMock{
+				ConfirmFunc: func(prompt string, _ bool) (bool, error) {
+					return true, nil
+				},
+			},
+			HelperConfig: &gitcredentials.FakeHelperConfig{
+				SelfExecutablePath: "/path/to/gh",
+				Helpers:            map[string]gitcredentials.Helper{},
+			},
+			// Updater not required for this test as we will be setting gh as the helper
+		},
+	}
+
+	require.NoError(t, Login(opts))
+
+	helper, err := opts.CredentialFlow.HelperConfig.ConfiguredHelper("example.com")
+	require.NoError(t, err)
+	require.True(t, helper.IsOurs(), "expected gh to be the configured helper")
+}
+
 func Test_scopesSentence(t *testing.T) {
 	type args struct {
 		scopes []string

From 3fe555b0bb7c83cb6f06e83de929c6c3ef1300f2 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 17 May 2024 14:33:19 +0200
Subject: [PATCH 074/253] Comment the purpose of the helper config contract

---
 pkg/cmd/auth/shared/contract/helper_config.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/auth/shared/contract/helper_config.go b/pkg/cmd/auth/shared/contract/helper_config.go
index 287eb7c90aa..d507e10910c 100644
--- a/pkg/cmd/auth/shared/contract/helper_config.go
+++ b/pkg/cmd/auth/shared/contract/helper_config.go
@@ -7,6 +7,11 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// This HelperConfig contract exist to ensure that any HelperConfig implementation conforms to this behaviour.
+// This is useful because we can swap in fake implementations for testing, rather than requiring our tests to be
+// isolated from git.
+//
+// See for example, TestAuthenticatingGitCredentials for LoginFlow.
 type HelperConfig struct {
 	NewHelperConfig func(t *testing.T) shared.HelperConfig
 	ConfigureHelper func(t *testing.T, hostname string)

From a37253746e249fe57babe130f23e64698be85ce3 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Fri, 17 May 2024 14:51:02 +0200
Subject: [PATCH 075/253] Remove TODO and add comment on LoginFlow tests

---
 pkg/cmd/auth/shared/login_flow_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/auth/shared/login_flow_test.go b/pkg/cmd/auth/shared/login_flow_test.go
index 2f8f7c33884..8c8ba5d7275 100644
--- a/pkg/cmd/auth/shared/login_flow_test.go
+++ b/pkg/cmd/auth/shared/login_flow_test.go
@@ -257,10 +257,10 @@ func TestLogin(t *testing.T) {
 			tt.opts.IO = ios
 			tt.opts.Config = &cfg
 			tt.opts.HTTPClient = &http.Client{Transport: reg}
-			// TODO: test the usage of the credential flow, which is currently untested.
 			tt.opts.CredentialFlow = &GitCredentialFlow{
-				HelperConfig: &gitcredentials.HelperConfig{},
-				Updater:      &gitcredentials.Updater{},
+				// Intentionally not instantiating anything in here because the tests do not hit this code path.
+				// Right now it's better to panic if we write a test that hits the code than say, start calling
+				// out to git unintentionally.
 			}
 
 			if tt.runStubs != nil {

From dd7ea5adff6a7cbb51c0f5d2a07d4be4f94cba16 Mon Sep 17 00:00:00 2001
From: gabemontero <gmontero@redhat.com>
Date: Sat, 16 Mar 2024 11:30:33 -0400
Subject: [PATCH 076/253] list the various alias permutations for the command
 and subcommands

this occurs from either utlizing the help function for a specific command/subcommand
combination or when 'gh reference' lists the command tree
---
 pkg/cmd/root/help.go           | 34 +++++++++++++++++++++++++++++++++-
 pkg/cmd/root/help_reference.go |  4 ++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index 7180a3152e0..e2cf4f9e061 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -132,7 +132,7 @@ func rootHelpFunc(f *cmdutil.Factory, command *cobra.Command, args []string) {
 	helpEntries = append(helpEntries, helpEntry{"USAGE", command.UseLine()})
 
 	if len(command.Aliases) > 0 {
-		helpEntries = append(helpEntries, helpEntry{"ALIASES", strings.Join(command.Aliases, "\n")})
+		helpEntries = append(helpEntries, helpEntry{"ALIASES", buildAliases(command, command.Aliases) + "\n"})
 	}
 
 	for _, g := range GroupedCommands(command) {
@@ -302,3 +302,35 @@ func dedent(s string) string {
 	}
 	return strings.TrimSuffix(buf.String(), "\n")
 }
+
+func buildAliases(cmd *cobra.Command, aliasList []string) string {
+	if len(aliasList) == 0 {
+		return "No Aliases"
+	}
+	if !cmd.HasParent() {
+		return strings.Join(aliasList, " ")
+	}
+
+	if cmd.Parent().HasParent() {
+		// prepend cmd.Name so unaliased is first
+		aliasList = append([]string{cmd.Name()}, aliasList...)
+	}
+	list := append(cmd.Parent().Aliases, cmd.Parent().Name())
+	sort.Strings(list)
+	sep := ","
+	newAliasList := []string{}
+	if !cmd.Parent().HasParent() {
+		// trim last comma
+		idx := len(aliasList) - 1
+		last := aliasList[idx]
+		last = strings.TrimSuffix(last, ",")
+		aliasList[idx] = last
+		sep = ""
+	}
+	for _, c := range list {
+		for _, a := range aliasList {
+			newAliasList = append(newAliasList, fmt.Sprintf("%s %s%s", c, a, sep))
+		}
+	}
+	return buildAliases(cmd.Parent(), newAliasList)
+}
diff --git a/pkg/cmd/root/help_reference.go b/pkg/cmd/root/help_reference.go
index 76e9db24ef7..6bc29066b38 100644
--- a/pkg/cmd/root/help_reference.go
+++ b/pkg/cmd/root/help_reference.go
@@ -62,6 +62,10 @@ func cmdRef(w io.Writer, cmd *cobra.Command, depth int) {
 		fmt.Fprintf(w, "```\n%s````\n\n", dedent(flagUsages))
 	}
 
+	// Aliases
+	fmt.Fprintf(w, "%s\n\n", "Aliases")
+	fmt.Fprintf(w, "\n%s\n\n", dedent(buildAliases(cmd, cmd.Aliases)))
+
 	// Subcommands
 	for _, c := range cmd.Commands() {
 		if c.Hidden {

From 7dd35e7470c0c9c29731cf767f2bd135aac28f72 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Fri, 10 May 2024 14:31:56 -0400
Subject: [PATCH 077/253] Conditionalize references, remove redundant alias

This commit adds conditional logic in `gh reference` to only show aliases if
there are aliases to see.  Additionally, this removes the unaliased command
name from being shown under aliases.
---
 pkg/cmd/root/help.go           | 4 ----
 pkg/cmd/root/help_reference.go | 6 ++++--
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index e2cf4f9e061..fbfd5991aff 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -311,10 +311,6 @@ func buildAliases(cmd *cobra.Command, aliasList []string) string {
 		return strings.Join(aliasList, " ")
 	}
 
-	if cmd.Parent().HasParent() {
-		// prepend cmd.Name so unaliased is first
-		aliasList = append([]string{cmd.Name()}, aliasList...)
-	}
 	list := append(cmd.Parent().Aliases, cmd.Parent().Name())
 	sort.Strings(list)
 	sep := ","
diff --git a/pkg/cmd/root/help_reference.go b/pkg/cmd/root/help_reference.go
index 6bc29066b38..99c669e7a92 100644
--- a/pkg/cmd/root/help_reference.go
+++ b/pkg/cmd/root/help_reference.go
@@ -63,8 +63,10 @@ func cmdRef(w io.Writer, cmd *cobra.Command, depth int) {
 	}
 
 	// Aliases
-	fmt.Fprintf(w, "%s\n\n", "Aliases")
-	fmt.Fprintf(w, "\n%s\n\n", dedent(buildAliases(cmd, cmd.Aliases)))
+	if len(cmd.Aliases) > 0 {
+		fmt.Fprintf(w, "%s\n\n", "Aliases")
+		fmt.Fprintf(w, "\n%s\n\n", dedent(buildAliases(cmd, cmd.Aliases)))
+	}
 
 	// Subcommands
 	for _, c := range cmd.Commands() {

From c2657532756892b6f4f634bec35d35a50328f6ac Mon Sep 17 00:00:00 2001
From: gabemontero <gmontero@redhat.com>
Date: Fri, 10 May 2024 16:44:20 -0400
Subject: [PATCH 078/253] remove no-op if clause that returns 'No Aliases'

---
 pkg/cmd/root/help.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index fbfd5991aff..2d8c2afd46b 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -304,9 +304,6 @@ func dedent(s string) string {
 }
 
 func buildAliases(cmd *cobra.Command, aliasList []string) string {
-	if len(aliasList) == 0 {
-		return "No Aliases"
-	}
 	if !cmd.HasParent() {
 		return strings.Join(aliasList, " ")
 	}

From 77f964aa1202b02eb96581c80aff648bcd31ba0a Mon Sep 17 00:00:00 2001
From: gabemontero <gmontero@redhat.com>
Date: Fri, 17 May 2024 08:25:54 -0400
Subject: [PATCH 079/253] williammartin simplifications

---
 pkg/cmd/root/help.go           | 38 +++++++++++++++-------------------
 pkg/cmd/root/help_reference.go |  2 +-
 2 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index 2d8c2afd46b..4ace9ec0d2c 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -132,7 +132,7 @@ func rootHelpFunc(f *cmdutil.Factory, command *cobra.Command, args []string) {
 	helpEntries = append(helpEntries, helpEntry{"USAGE", command.UseLine()})
 
 	if len(command.Aliases) > 0 {
-		helpEntries = append(helpEntries, helpEntry{"ALIASES", buildAliases(command, command.Aliases) + "\n"})
+		helpEntries = append(helpEntries, helpEntry{"ALIASES", strings.Join(buildAliasList(command, command.Aliases), ", ") + "\n"})
 	}
 
 	for _, g := range GroupedCommands(command) {
@@ -303,27 +303,23 @@ func dedent(s string) string {
 	return strings.TrimSuffix(buf.String(), "\n")
 }
 
-func buildAliases(cmd *cobra.Command, aliasList []string) string {
+func buildAliasList(cmd *cobra.Command, aliases []string) []string {
 	if !cmd.HasParent() {
-		return strings.Join(aliasList, " ")
-	}
-
-	list := append(cmd.Parent().Aliases, cmd.Parent().Name())
-	sort.Strings(list)
-	sep := ","
-	newAliasList := []string{}
-	if !cmd.Parent().HasParent() {
-		// trim last comma
-		idx := len(aliasList) - 1
-		last := aliasList[idx]
-		last = strings.TrimSuffix(last, ",")
-		aliasList[idx] = last
-		sep = ""
-	}
-	for _, c := range list {
-		for _, a := range aliasList {
-			newAliasList = append(newAliasList, fmt.Sprintf("%s %s%s", c, a, sep))
+		return aliases
+	}
+
+	parentAliases := append(cmd.Parent().Aliases, cmd.Parent().Name())
+	sort.Strings(parentAliases)
+
+	var aliasesWithParentAliases []string
+	// e.g aliases = [ls]
+	for _, alias := range aliases {
+		// e.g parentAliases = [codespaces, cs]
+		for _, parentAlias := range parentAliases {
+			// e.g. aliasesWithParentAliases = [codespaces list, codespaces ls, cs list, cs ls]
+			aliasesWithParentAliases = append(aliasesWithParentAliases, fmt.Sprintf("%s %s", parentAlias, alias))
 		}
 	}
-	return buildAliases(cmd.Parent(), newAliasList)
+
+	return buildAliasList(cmd.Parent(), aliasesWithParentAliases)
 }
diff --git a/pkg/cmd/root/help_reference.go b/pkg/cmd/root/help_reference.go
index 99c669e7a92..56aa86c3341 100644
--- a/pkg/cmd/root/help_reference.go
+++ b/pkg/cmd/root/help_reference.go
@@ -65,7 +65,7 @@ func cmdRef(w io.Writer, cmd *cobra.Command, depth int) {
 	// Aliases
 	if len(cmd.Aliases) > 0 {
 		fmt.Fprintf(w, "%s\n\n", "Aliases")
-		fmt.Fprintf(w, "\n%s\n\n", dedent(buildAliases(cmd, cmd.Aliases)))
+		fmt.Fprintf(w, "\n%s\n\n", dedent(strings.Join(buildAliasList(cmd, cmd.Aliases), ", ")))
 	}
 
 	// Subcommands

From 39e4cbd9739b9575245d7500eb2d71dce7321cd1 Mon Sep 17 00:00:00 2001
From: gabemontero <gmontero@redhat.com>
Date: Fri, 17 May 2024 09:25:06 -0400
Subject: [PATCH 080/253] update generated content for man pages and website

---
 internal/docs/docs_test.go     |  9 +++++++++
 internal/docs/man.go           |  9 +++++++++
 internal/docs/man_test.go      | 15 +++++++++++++++
 internal/docs/markdown.go      | 10 ++++++++++
 internal/docs/markdown_test.go | 14 ++++++++++++++
 pkg/cmd/root/help.go           |  6 +++---
 pkg/cmd/root/help_reference.go |  2 +-
 7 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/internal/docs/docs_test.go b/internal/docs/docs_test.go
index 06e924224e1..71c0186a942 100644
--- a/internal/docs/docs_test.go
+++ b/internal/docs/docs_test.go
@@ -28,6 +28,8 @@ func init() {
 
 	jsonCmd.Flags().StringSlice("json", nil, "help message for flag json")
 
+	aliasCmd.Flags().StringSlice("yang", nil, "help message for flag yang")
+
 	echoCmd.AddCommand(timesCmd, echoSubCmd, deprecatedCmd)
 	rootCmd.AddCommand(printCmd, echoCmd, dummyCmd)
 }
@@ -75,6 +77,13 @@ var printCmd = &cobra.Command{
 	Long:  `an absolutely utterly useless command for testing.`,
 }
 
+var aliasCmd = &cobra.Command{
+	Use:     "ying [yang]",
+	Short:   "The ying and yang of it all",
+	Long:    "an absolutely utterly useless command for testing aliases!.",
+	Aliases: []string{"yoo", "foo"},
+}
+
 var jsonCmd = &cobra.Command{
 	Use:   "blah --json <fields>",
 	Short: "View details in JSON",
diff --git a/internal/docs/man.go b/internal/docs/man.go
index 41d3371db5d..5ac353a4631 100644
--- a/internal/docs/man.go
+++ b/internal/docs/man.go
@@ -179,6 +179,14 @@ func manPrintOptions(buf *bytes.Buffer, command *cobra.Command) {
 	}
 }
 
+func manPrintAliases(buf *bytes.Buffer, command *cobra.Command) {
+	if len(command.Aliases) > 0 {
+		buf.WriteString("# ALIASES\n")
+		buf.WriteString(strings.Join(root.BuildAliasList(command, command.Aliases), ", "))
+		buf.WriteString("\n")
+	}
+}
+
 func manPrintJSONFields(buf *bytes.Buffer, command *cobra.Command) {
 	raw, ok := command.Annotations["help:json-fields"]
 	if !ok {
@@ -207,6 +215,7 @@ func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 		}
 	}
 	manPrintOptions(buf, cmd)
+	manPrintAliases(buf, cmd)
 	manPrintJSONFields(buf, cmd)
 	if len(cmd.Example) > 0 {
 		buf.WriteString("# EXAMPLE\n")
diff --git a/internal/docs/man_test.go b/internal/docs/man_test.go
index 287f356ed7e..2a0f6a7f73b 100644
--- a/internal/docs/man_test.go
+++ b/internal/docs/man_test.go
@@ -98,6 +98,21 @@ func TestGenManSeeAlso(t *testing.T) {
 	}
 }
 
+func TestGenManAliases(t *testing.T) {
+	buf := new(bytes.Buffer)
+	header := &GenManHeader{}
+	if err := renderMan(aliasCmd, header, buf); err != nil {
+		t.Fatal(err)
+	}
+
+	output := buf.String()
+
+	checkStringContains(t, output, translate(aliasCmd.Name()))
+	checkStringContains(t, output, "ALIASES")
+	checkStringContains(t, output, "foo")
+	checkStringContains(t, output, "yoo")
+}
+
 func TestGenManJSONFields(t *testing.T) {
 	buf := new(bytes.Buffer)
 	header := &GenManHeader{}
diff --git a/internal/docs/markdown.go b/internal/docs/markdown.go
index 19899110d8a..825db931cb7 100644
--- a/internal/docs/markdown.go
+++ b/internal/docs/markdown.go
@@ -26,6 +26,15 @@ func printJSONFields(w io.Writer, cmd *cobra.Command) {
 	fmt.Fprint(w, "\n\n")
 }
 
+func printAliases(w io.Writer, cmd *cobra.Command) {
+	if len(cmd.Aliases) > 0 {
+		fmt.Fprintf(w, "### ALIASES\n\n")
+		fmt.Fprint(w, text.FormatSlice(strings.Split(strings.Join(root.BuildAliasList(cmd, cmd.Aliases), ", "), ","), 0, 0, "", "", true))
+		fmt.Fprint(w, "\n\n")
+	}
+
+}
+
 func printOptions(w io.Writer, cmd *cobra.Command) error {
 	flags := cmd.NonInheritedFlags()
 	flags.SetOutput(w)
@@ -147,6 +156,7 @@ func genMarkdownCustom(cmd *cobra.Command, w io.Writer, linkHandler func(string)
 	if err := printOptions(w, cmd); err != nil {
 		return err
 	}
+	printAliases(w, cmd)
 	printJSONFields(w, cmd)
 	fmt.Fprint(w, "{% endraw %}\n")
 
diff --git a/internal/docs/markdown_test.go b/internal/docs/markdown_test.go
index 0710cad716d..59cb2b34d99 100644
--- a/internal/docs/markdown_test.go
+++ b/internal/docs/markdown_test.go
@@ -70,6 +70,20 @@ func TestGenMdNoHiddenParents(t *testing.T) {
 	checkStringOmits(t, output, "Options inherited from parent commands")
 }
 
+func TestGenMdAliases(t *testing.T) {
+	buf := new(bytes.Buffer)
+	if err := genMarkdownCustom(aliasCmd, buf, nil); err != nil {
+		t.Fatal(err)
+	}
+	output := buf.String()
+
+	checkStringContains(t, output, aliasCmd.Long)
+	checkStringContains(t, output, jsonCmd.Example)
+	checkStringContains(t, output, "ALIASES")
+	checkStringContains(t, output, "yoo")
+	checkStringContains(t, output, "foo")
+}
+
 func TestGenMdJSONFields(t *testing.T) {
 	buf := new(bytes.Buffer)
 	if err := genMarkdownCustom(jsonCmd, buf, nil); err != nil {
diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index 4ace9ec0d2c..ee5db5e6843 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -132,7 +132,7 @@ func rootHelpFunc(f *cmdutil.Factory, command *cobra.Command, args []string) {
 	helpEntries = append(helpEntries, helpEntry{"USAGE", command.UseLine()})
 
 	if len(command.Aliases) > 0 {
-		helpEntries = append(helpEntries, helpEntry{"ALIASES", strings.Join(buildAliasList(command, command.Aliases), ", ") + "\n"})
+		helpEntries = append(helpEntries, helpEntry{"ALIASES", strings.Join(BuildAliasList(command, command.Aliases), ", ") + "\n"})
 	}
 
 	for _, g := range GroupedCommands(command) {
@@ -303,7 +303,7 @@ func dedent(s string) string {
 	return strings.TrimSuffix(buf.String(), "\n")
 }
 
-func buildAliasList(cmd *cobra.Command, aliases []string) []string {
+func BuildAliasList(cmd *cobra.Command, aliases []string) []string {
 	if !cmd.HasParent() {
 		return aliases
 	}
@@ -321,5 +321,5 @@ func buildAliasList(cmd *cobra.Command, aliases []string) []string {
 		}
 	}
 
-	return buildAliasList(cmd.Parent(), aliasesWithParentAliases)
+	return BuildAliasList(cmd.Parent(), aliasesWithParentAliases)
 }
diff --git a/pkg/cmd/root/help_reference.go b/pkg/cmd/root/help_reference.go
index 56aa86c3341..fb2e74aa00a 100644
--- a/pkg/cmd/root/help_reference.go
+++ b/pkg/cmd/root/help_reference.go
@@ -65,7 +65,7 @@ func cmdRef(w io.Writer, cmd *cobra.Command, depth int) {
 	// Aliases
 	if len(cmd.Aliases) > 0 {
 		fmt.Fprintf(w, "%s\n\n", "Aliases")
-		fmt.Fprintf(w, "\n%s\n\n", dedent(strings.Join(buildAliasList(cmd, cmd.Aliases), ", ")))
+		fmt.Fprintf(w, "\n%s\n\n", dedent(strings.Join(BuildAliasList(cmd, cmd.Aliases), ", ")))
 	}
 
 	// Subcommands

From b1a6ce3e759e3a4060e980242f76da3b975d0c20 Mon Sep 17 00:00:00 2001
From: Paul <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 18:23:01 +0200
Subject: [PATCH 081/253] Update pkg title

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 build/macOS/distribution.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
index 35f14d930f0..beca0689ce7 100644
--- a/build/macOS/distribution.xml
+++ b/build/macOS/distribution.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <installer-gui-script minSpecVersion="1">
-    <title>Github Cli</title>
+    <title>GitHub CLI</title>
     <license file="LICENSE" mime-type="text/plain"/>
     <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/>
     <domains enable_localSystem="true"/>

From aeb0ac74ec6475c4a3a71dfd98e6d6bb1161604e Mon Sep 17 00:00:00 2001
From: Paul <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 18:26:03 +0200
Subject: [PATCH 082/253] Update choice title

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 build/macOS/distribution.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
index beca0689ce7..96d59376869 100644
--- a/build/macOS/distribution.xml
+++ b/build/macOS/distribution.xml
@@ -8,7 +8,7 @@
     <choices-outline>
         <line choice="gh-cli"/>
     </choices-outline>
-    <choice id="gh-cli" title="Github Cli (universal)">
+    <choice id="gh-cli" title="GitHub CLI (universal)">
         <pkg-ref id="com.github.cli.pkg"/>
     </choice>
 

From eb23e0723e00e68a735bb35ad4469a8456c82ba0 Mon Sep 17 00:00:00 2001
From: Paul <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 19:39:25 +0200
Subject: [PATCH 083/253] Indentation fix

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 script/pkgmacos | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index ba72fef9ece..74035680852 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -69,11 +69,11 @@ build_pkg() {
 
     # build pkg
     pkgbuild \
-    --root "$payload_root" \
-    --identifier "com.github.cli" \
-    --version "$tag_name" \
-    --install-location "/" \
-    "dist/com.github.cli.pkg"
+        --root "$payload_root" \
+        --identifier "com.github.cli" \
+        --version "$tag_name" \
+        --install-location "/" \
+        "dist/com.github.cli.pkg"
 
     # setup resources
     mkdir "build/macOS/resources"

From f9d6b1d99b70a17467f3a7894fbc2fd4ca3d60aa Mon Sep 17 00:00:00 2001
From: Paul <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 19:43:31 +0200
Subject: [PATCH 084/253] Fix indentation

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 script/pkgmacos | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 74035680852..2dc0f84984a 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -84,12 +84,12 @@ build_pkg() {
     if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
         # build and sign production package with license
         productbuild \
-        --distribution "./build/macOS/distribution.xml" \
-        --resources "./build/macOS/resources" \
-        --package-path "./dist" \
-        --timestamp \
-        --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
-        "./dist/gh_${tag_name}_macOS_universal.pkg"
+            --distribution "./build/macOS/distribution.xml" \
+            --resources "./build/macOS/resources" \
+            --package-path "./dist" \
+            --timestamp \
+            --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
+            "./dist/gh_${tag_name}_macOS_universal.pkg"
     else
         echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
 

From 80830d769e77a0dc02594f9561ec6c31fffaf8cf Mon Sep 17 00:00:00 2001
From: Paul <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 19:46:51 +0200
Subject: [PATCH 085/253] Fix indentation

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 script/pkgmacos | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 2dc0f84984a..5c5730184ce 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -95,10 +95,10 @@ build_pkg() {
 
         # build production package with license without signing
         productbuild \
-        --distribution "./build/macOS/distribution.xml" \
-        --resources "./build/macOS/resources" \
-        --package-path "./dist" \
-        "./dist/gh_${tag_name}_macOS_universal.pkg"
+            --distribution "./build/macOS/distribution.xml" \
+            --resources "./build/macOS/resources" \
+            --package-path "./dist" \
+            "./dist/gh_${tag_name}_macOS_universal.pkg"
     fi
 
     # remove temp installer so it does not get uploaded

From 140edf7327beb9af5a51ee6975fed08648dca9e1 Mon Sep 17 00:00:00 2001
From: nobe4 <nobe4@users.noreply.github.com>
Date: Tue, 21 May 2024 19:54:56 +0200
Subject: [PATCH 086/253] feat: add support for stateReason in `gh pr view`
 (#9080)

---
 api/query_builder.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/query_builder.go b/api/query_builder.go
index 3ccc1ff2e6d..0f131232c9a 100644
--- a/api/query_builder.go
+++ b/api/query_builder.go
@@ -268,6 +268,7 @@ var IssueFields = []string{
 	"title",
 	"updatedAt",
 	"url",
+	"stateReason",
 }
 
 var PullRequestFields = append(IssueFields,
@@ -298,6 +299,12 @@ var PullRequestFields = append(IssueFields,
 	"statusCheckRollup",
 )
 
+// Some fields are only valid in the context of issues.
+var issueOnlyFields = []string{
+	"isPinned",
+	"stateReason",
+}
+
 // IssueGraphQL constructs a GraphQL query fragment for a set of issue fields.
 func IssueGraphQL(fields []string) string {
 	var q []string
@@ -363,10 +370,9 @@ func IssueGraphQL(fields []string) string {
 // PullRequestGraphQL constructs a GraphQL query fragment for a set of pull request fields.
 // It will try to sanitize the fields to just those available on pull request.
 func PullRequestGraphQL(fields []string) string {
-	invalidFields := []string{"isPinned", "stateReason"}
 	s := set.NewStringSet()
 	s.AddValues(fields)
-	s.RemoveValues(invalidFields)
+	s.RemoveValues(issueOnlyFields)
 	return IssueGraphQL(s.ToSlice())
 }
 

From d2d599daf5af60fa1f38e4875c5bd8fdfaf74235 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 20:00:59 +0200
Subject: [PATCH 087/253] Undo goreleaser change

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 .goreleaser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index cafb5eb05de..e469af09136 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -10,7 +10,7 @@ before:
     - >-
       {{ if eq .Runtime.Goos "windows" }}echo{{ end }} make manpages GH_VERSION={{.Version}}
     - >-
-      {{ if ne .Runtime.Goos "windows" }}echo{{ end }} make completions
+      {{ if ne .Runtime.Goos "linux" }}echo{{ end }} make completions
 
 builds:
   - id: macos #build:macos

From 6e58a2a216934348de34d36e7ff9f28d1a64ab77 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Tue, 21 May 2024 22:57:01 +0200
Subject: [PATCH 088/253] Fix indentation

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 script/pkgmacos | 104 ++++++++++++++++++++++++------------------------
 1 file changed, 52 insertions(+), 52 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 5c5730184ce..1933f7a3e2f 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -51,58 +51,58 @@ merge_binaries() {
 }
 
 build_pkg() {
-    # setup payload
-    mkdir -p "${payload_local_bin}"
-    mkdir -p "${payload_man1}"
-    mkdir -p "${payload_zsh_site_functions}"
-
-    # copy man pages
-    for file in ./share/man/man1/gh*.1; do
-        cp "$file" "${payload_man1}"
-    done
-    # Include only Zsh completions,
-    # the recommended/only option on macOS since Catalina for default shell.
-    cp "./share/zsh/site-functions/_gh" "${payload_zsh_site_functions}"
-
-    # merge binaries
-    merge_binaries
-
-    # build pkg
-    pkgbuild \
-        --root "$payload_root" \
-        --identifier "com.github.cli" \
-        --version "$tag_name" \
-        --install-location "/" \
-        "dist/com.github.cli.pkg"
-
-    # setup resources
-    mkdir "build/macOS/resources"
-    cp "LICENSE" "build/macOS/resources"
-    touch .gi
-
-    # build distribution
-    if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
-        # build and sign production package with license
-        productbuild \
-            --distribution "./build/macOS/distribution.xml" \
-            --resources "./build/macOS/resources" \
-            --package-path "./dist" \
-            --timestamp \
-            --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
-            "./dist/gh_${tag_name}_macOS_universal.pkg"
-    else
-        echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
-
-        # build production package with license without signing
-        productbuild \
-            --distribution "./build/macOS/distribution.xml" \
-            --resources "./build/macOS/resources" \
-            --package-path "./dist" \
-            "./dist/gh_${tag_name}_macOS_universal.pkg"
-    fi
-
-    # remove temp installer so it does not get uploaded
-    rm "dist/com.github.cli.pkg"
+  # setup payload
+  mkdir -p "${payload_local_bin}"
+  mkdir -p "${payload_man1}"
+  mkdir -p "${payload_zsh_site_functions}"
+
+  # copy man pages
+  for file in ./share/man/man1/gh*.1; do
+    cp "$file" "${payload_man1}"
+  done
+  # Include only Zsh completions,
+  # the recommended/only option on macOS since Catalina for default shell.
+  cp "./share/zsh/site-functions/_gh" "${payload_zsh_site_functions}"
+
+  # merge binaries
+  merge_binaries
+
+  # build pkg
+  pkgbuild \
+    --root "$payload_root" \
+    --identifier "com.github.cli" \
+    --version "$tag_name" \
+    --install-location "/" \
+    "dist/com.github.cli.pkg"
+
+  # setup resources
+  mkdir "build/macOS/resources"
+  cp "LICENSE" "build/macOS/resources"
+  touch .gi
+
+  # build distribution
+  if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
+    # build and sign production package with license
+    productbuild \
+      --distribution "./build/macOS/distribution.xml" \
+      --resources "./build/macOS/resources" \
+      --package-path "./dist" \
+      --timestamp \
+      --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
+      "./dist/gh_${tag_name}_macOS_universal.pkg"
+  else
+    echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
+
+    # build production package with license without signing
+    productbuild \
+      --distribution "./build/macOS/distribution.xml" \
+      --resources "./build/macOS/resources" \
+      --package-path "./dist" \
+      "./dist/gh_${tag_name}_macOS_universal.pkg"
+  fi
+
+  # remove temp installer so it does not get uploaded
+  rm "dist/com.github.cli.pkg"
 }
 
 build_pkg

From 18f41db31aff753491a7cf3260ad4d9d0d79f4af Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Wed, 22 May 2024 00:27:29 +0200
Subject: [PATCH 089/253] Removed redundant specifications

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 build/macOS/distribution.xml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
index 96d59376869..54818f52ae7 100644
--- a/build/macOS/distribution.xml
+++ b/build/macOS/distribution.xml
@@ -4,7 +4,7 @@
     <license file="LICENSE" mime-type="text/plain"/>
     <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/>
     <domains enable_localSystem="true"/>
-    
+
     <choices-outline>
         <line choice="gh-cli"/>
     </choices-outline>
@@ -12,8 +12,5 @@
         <pkg-ref id="com.github.cli.pkg"/>
     </choice>
 
-    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">#com.github.cli.pkg</pkg-ref>
-    <pkg-ref id="com.github.cli.pkg" auth="Root" packageIdentifier="com.github.cli">
-        <bundle-version/>
-    </pkg-ref>
+    <pkg-ref id="com.github.cli.pkg" auth="root">#com.github.cli.pkg</pkg-ref>
 </installer-gui-script>

From 3830c3356c30141c3bfa330691ce86d51de85d7b Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Wed, 22 May 2024 01:43:16 +0200
Subject: [PATCH 090/253] Cleanup pkgmacos build script

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 script/pkgmacos | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 1933f7a3e2f..cc3d09e1548 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -36,6 +36,26 @@ while [ $# -gt 0 ]; do
   esac
 done
 
+# check os requirements: is running macOS 13+ and pkgbuild + productbuild are available
+os_version=$(sw_vers -productVersion)
+major_version=${os_version%%.*}
+
+if (( major_version < 13 )); then
+  echo "This script requires macOS 13 or later. You are running macOS ${os_version}." >&2
+  exit 1
+fi
+
+if ! command -v pkgbuild &> /dev/null; then
+  echo "pkgbuild could not be found. Please install Xcode Command Line Tools." >&2
+  exit 1
+fi
+
+if ! command -v productbuild &> /dev/null; then
+  echo "productbuild could not be found. Please install Xcode Command Line Tools." >&2
+  exit 1
+fi
+# end of os requirements check
+
 # gh-binary paths
 bin_path="/bin/gh"
 arm64_bin="dist/macos_darwin_arm64$bin_path"
@@ -78,7 +98,6 @@ build_pkg() {
   # setup resources
   mkdir "build/macOS/resources"
   cp "LICENSE" "build/macOS/resources"
-  touch .gi
 
   # build distribution
   if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
@@ -100,9 +119,13 @@ build_pkg() {
       --package-path "./dist" \
       "./dist/gh_${tag_name}_macOS_universal.pkg"
   fi
+}
 
+cleanup() {
   # remove temp installer so it does not get uploaded
-  rm "dist/com.github.cli.pkg"
+  rm -f "dist/com.github.cli.pkg"
 }
 
+trap cleanup EXIT
+
 build_pkg

From 9454d5e71c83a4c0901f7b428aa74793c66b2435 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Wed, 22 May 2024 01:47:48 +0200
Subject: [PATCH 091/253] Change minimum build script macOS version

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 script/pkgmacos | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index cc3d09e1548..7547c34beaa 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -36,12 +36,12 @@ while [ $# -gt 0 ]; do
   esac
 done
 
-# check os requirements: is running macOS 13+ and pkgbuild + productbuild are available
+# check os requirements: is running macOS 12+ and pkgbuild + productbuild are available
 os_version=$(sw_vers -productVersion)
 major_version=${os_version%%.*}
 
-if (( major_version < 13 )); then
-  echo "This script requires macOS 13 or later. You are running macOS ${os_version}." >&2
+if (( major_version < 12 )); then
+  echo "This script requires macOS 12 or later. You are running macOS ${os_version}." >&2
   exit 1
 fi
 

From 105bafd2ec2d4f73f9b48bd7d0a00a8ddaad16b6 Mon Sep 17 00:00:00 2001
From: cawfeecake <48775802+cawfeecake@users.noreply.github.com>
Date: Wed, 22 May 2024 05:39:13 -0700
Subject: [PATCH 092/253] fix: rename the `Attempts` field to `Attempt`; expose
 in `gh run view` and `gh run ls` (#8905)

Co-authored-by: William Martin <williammartin@github.com>
---
 pkg/cmd/run/shared/shared.go      | 3 ++-
 pkg/cmd/run/shared/shared_test.go | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/run/shared/shared.go b/pkg/cmd/run/shared/shared.go
index 6c76714fd28..a5bccee8572 100644
--- a/pkg/cmd/run/shared/shared.go
+++ b/pkg/cmd/run/shared/shared.go
@@ -72,6 +72,7 @@ var RunFields = []string{
 	"createdAt",
 	"updatedAt",
 	"startedAt",
+	"attempt",
 	"status",
 	"conclusion",
 	"event",
@@ -97,7 +98,7 @@ type Run struct {
 	workflowName   string // cache column
 	WorkflowID     int64  `json:"workflow_id"`
 	Number         int64  `json:"run_number"`
-	Attempts       uint64 `json:"run_attempt"`
+	Attempt        uint64 `json:"run_attempt"`
 	HeadBranch     string `json:"head_branch"`
 	JobsURL        string `json:"jobs_url"`
 	HeadCommit     Commit `json:"head_commit"`
diff --git a/pkg/cmd/run/shared/shared_test.go b/pkg/cmd/run/shared/shared_test.go
index 815a6556cbb..15663cd0a67 100644
--- a/pkg/cmd/run/shared/shared_test.go
+++ b/pkg/cmd/run/shared/shared_test.go
@@ -189,6 +189,15 @@ func TestRunExportData(t *testing.T) {
 			},
 			output: `{"jobs":[{"completedAt":"2022-07-20T11:21:16Z","conclusion":"success","databaseId":123456,"name":"macos","startedAt":"2022-07-20T11:20:13Z","status":"completed","steps":[{"conclusion":"success","name":"Checkout","number":1,"status":"completed"}],"url":"https://example.com/OWNER/REPO/actions/runs/123456"},{"completedAt":"2022-07-20T11:23:16Z","conclusion":"error","databaseId":234567,"name":"windows","startedAt":"2022-07-20T11:20:55Z","status":"completed","steps":[{"conclusion":"error","name":"Checkout","number":2,"status":"completed"}],"url":"https://example.com/OWNER/REPO/actions/runs/234567"}]}`,
 		},
+		{
+			name:   "exports workflow run with attempt count",
+			fields: []string{"attempt"},
+			run: Run{
+				Attempt: 1,
+				Jobs:    []Job{},
+			},
+			output: `{"attempt":1}`,
+		},
 	}
 
 	for _, tt := range tests {

From e5e5c4fc43a771270e1e88a0cecb62441fcaa466 Mon Sep 17 00:00:00 2001
From: Katsuhiko Anda <katsuhiko.anda@goinc.jp>
Date: Thu, 23 May 2024 03:13:16 +0000
Subject: [PATCH 093/253] Update regex in changedFilesNames to handle quoted
 paths

---
 pkg/cmd/pr/diff/diff.go      | 4 ++--
 pkg/cmd/pr/diff/diff_test.go | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/diff/diff.go b/pkg/cmd/pr/diff/diff.go
index c837a530ad1..b2b7957d50f 100644
--- a/pkg/cmd/pr/diff/diff.go
+++ b/pkg/cmd/pr/diff/diff.go
@@ -274,11 +274,11 @@ func changedFilesNames(w io.Writer, r io.Reader) error {
 		return err
 	}
 
-	pattern := regexp.MustCompile(`(?:^|\n)diff\s--git.*\sb/(.*)`)
+	pattern := regexp.MustCompile(`(?:^|\n)diff\s--git.*\s(["]?)b/(.*)`)
 	matches := pattern.FindAllStringSubmatch(string(diff), -1)
 
 	for _, val := range matches {
-		name := strings.TrimSpace(val[1])
+		name := strings.TrimSpace(val[1] + val[2])
 		if _, err := w.Write([]byte(name + "\n")); err != nil {
 			return err
 		}
diff --git a/pkg/cmd/pr/diff/diff_test.go b/pkg/cmd/pr/diff/diff_test.go
index cff9f04c8bc..be8c48428b3 100644
--- a/pkg/cmd/pr/diff/diff_test.go
+++ b/pkg/cmd/pr/diff/diff_test.go
@@ -358,6 +358,10 @@ func Test_changedFileNames(t *testing.T) {
 			input:  fmt.Sprintf("diff --git a/baz.go b/baz.go\n--- a/baz.go\n+++ b/baz.go\n+foo\n-b%sr", strings.Repeat("a", 2*lineBufferSize)),
 			output: "baz.go\n",
 		},
+		{
+			input:  "diff --git \"a/\343\202\212\343\203\274\343\201\251\343\201\277\343\203\274.md\" \"b/\343\202\212\343\203\274\343\201\251\343\201\277\343\203\274.md\"",
+			output: "\"\343\202\212\343\203\274\343\201\251\343\201\277\343\203\274.md\"\n",
+		},
 	}
 	for _, tt := range inputs {
 		buf := bytes.Buffer{}

From a66a646ca5e8486c57f7e2e7f13a7a70c938a395 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 23 May 2024 11:59:56 +0200
Subject: [PATCH 094/253] Add comment to pr diff regex

---
 pkg/cmd/pr/diff/diff.go | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/diff/diff.go b/pkg/cmd/pr/diff/diff.go
index b2b7957d50f..acf17462c5e 100644
--- a/pkg/cmd/pr/diff/diff.go
+++ b/pkg/cmd/pr/diff/diff.go
@@ -51,11 +51,11 @@ func NewCmdDiff(f *cmdutil.Factory, runF func(*DiffOptions) error) *cobra.Comman
 		Use:   "diff [<number> | <url> | <branch>]",
 		Short: "View changes in a pull request",
 		Long: heredoc.Docf(`
-			View changes in a pull request. 
+			View changes in a pull request.
 
 			Without an argument, the pull request that belongs to the current branch
 			is selected.
-			
+
 			With %[1]s--web%[1]s flag, open the pull request diff in a web browser instead.
 		`, "`"),
 		Args: cobra.MaximumNArgs(1),
@@ -274,6 +274,24 @@ func changedFilesNames(w io.Writer, r io.Reader) error {
 		return err
 	}
 
+	// This is kind of a gnarly regex. We're looking lines of the format:
+	// diff --git a/9114-triage b/9114-triage
+	// diff --git "a/hello-\360\237\230\200-world" "b/hello-\360\237\230\200-world"
+	//
+	// From these lines we would look to extract:
+	// 9114-triage
+	// "hello-\360\237\230\200-world"
+	//
+	// Note that the b/ is removed but in the second case the preceeding quote remains.
+	// This is important for how git handles filenames that would be quoted with core.quotePath.
+	// https://git-scm.com/docs/git-config#Documentation/git-config.txt-corequotePath
+	//
+	// Thus we capture the quote if it exists, and everything that follows the b/
+	// We then concatenate those two capture groups together which for the examples above would be:
+	// `` + 9114-triage
+	// `"`` + hello-\360\237\230\200-world"
+	//
+	// Where I'm using the `` to indicate a string to avoid confusion with the " character.
 	pattern := regexp.MustCompile(`(?:^|\n)diff\s--git.*\s(["]?)b/(.*)`)
 	matches := pattern.FindAllStringSubmatch(string(diff), -1)
 

From 08a5589abe296482fc439df1c08a1ba36c1ec809 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arne=20J=C3=B8rgensen?= <arne@arnested.dk>
Date: Thu, 23 May 2024 17:11:53 +0200
Subject: [PATCH 095/253] Add a `gh variable get FOO` command (#9106)

Closes #9103.

---------

Co-authored-by: William Martin <williammartin@github.com>
---
 pkg/cmd/variable/get/get.go      | 132 ++++++++++++++++++++
 pkg/cmd/variable/get/get_test.go | 202 +++++++++++++++++++++++++++++++
 pkg/cmd/variable/variable.go     |   2 +
 3 files changed, 336 insertions(+)
 create mode 100644 pkg/cmd/variable/get/get.go
 create mode 100644 pkg/cmd/variable/get/get_test.go

diff --git a/pkg/cmd/variable/get/get.go b/pkg/cmd/variable/get/get.go
new file mode 100644
index 00000000000..a946411340c
--- /dev/null
+++ b/pkg/cmd/variable/get/get.go
@@ -0,0 +1,132 @@
+package get
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/internal/gh"
+	"github.com/cli/cli/v2/internal/ghrepo"
+	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/spf13/cobra"
+)
+
+type GetOptions struct {
+	HttpClient func() (*http.Client, error)
+	IO         *iostreams.IOStreams
+	Config     func() (gh.Config, error)
+	BaseRepo   func() (ghrepo.Interface, error)
+
+	VariableName string
+	OrgName      string
+	EnvName      string
+}
+
+type getVariableResponse struct {
+	Value string `json:"value"`
+	// Other available but unused fields
+	// Name             string            `json:"name"`
+	// UpdatedAt        time.Time         `json:"updated_at"`
+	// Visibility       shared.Visibility `json:"visibility"`
+	// SelectedReposURL string            `json:"selected_repositories_url"`
+	// NumSelectedRepos int               `json:"num_selected_repos"`
+}
+
+func NewCmdGet(f *cmdutil.Factory, runF func(*GetOptions) error) *cobra.Command {
+	opts := &GetOptions{
+		IO:         f.IOStreams,
+		Config:     f.Config,
+		HttpClient: f.HttpClient,
+	}
+
+	cmd := &cobra.Command{
+		Use:   "get <variable-name>",
+		Short: "Get variables",
+		Long: heredoc.Doc(`
+			Get a variable on one of the following levels:
+			- repository (default): available to GitHub Actions runs or Dependabot in a repository
+			- environment: available to GitHub Actions runs for a deployment environment in a repository
+			- organization: available to GitHub Actions runs or Dependabot within an organization
+		`),
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// support `-R, --repo` override
+			opts.BaseRepo = f.BaseRepo
+
+			if err := cmdutil.MutuallyExclusive("specify only one of `--org` or `--env`", opts.OrgName != "", opts.EnvName != ""); err != nil {
+				return err
+			}
+
+			opts.VariableName = args[0]
+
+			if runF != nil {
+				return runF(opts)
+			}
+
+			return getRun(opts)
+		},
+	}
+	cmd.Flags().StringVarP(&opts.OrgName, "org", "o", "", "Get a variable for an organization")
+	cmd.Flags().StringVarP(&opts.EnvName, "env", "e", "", "Get a variable for an environment")
+
+	return cmd
+}
+
+func getRun(opts *GetOptions) error {
+	c, err := opts.HttpClient()
+	if err != nil {
+		return fmt.Errorf("could not create http client: %w", err)
+	}
+	client := api.NewClientFromHTTP(c)
+
+	orgName := opts.OrgName
+	envName := opts.EnvName
+
+	variableEntity, err := shared.GetVariableEntity(orgName, envName)
+	if err != nil {
+		return err
+	}
+
+	var baseRepo ghrepo.Interface
+	if variableEntity == shared.Repository || variableEntity == shared.Environment {
+		baseRepo, err = opts.BaseRepo()
+		if err != nil {
+			return err
+		}
+	}
+
+	var path string
+	switch variableEntity {
+	case shared.Organization:
+		path = fmt.Sprintf("orgs/%s/actions/variables/%s", orgName, opts.VariableName)
+	case shared.Environment:
+		path = fmt.Sprintf("repos/%s/environments/%s/variables/%s", ghrepo.FullName(baseRepo), envName, opts.VariableName)
+	case shared.Repository:
+		path = fmt.Sprintf("repos/%s/actions/variables/%s", ghrepo.FullName(baseRepo), opts.VariableName)
+	}
+
+	cfg, err := opts.Config()
+	if err != nil {
+		return err
+	}
+
+	host, _ := cfg.Authentication().DefaultHost()
+
+	var response getVariableResponse
+	if err = client.REST(host, "GET", path, nil, &response); err != nil {
+		var httpErr api.HTTPError
+		if errors.As(err, &httpErr) && httpErr.StatusCode == http.StatusNotFound {
+			return fmt.Errorf("variable %s was not found", opts.VariableName)
+		}
+
+		return fmt.Errorf("failed to get variable %s: %w", opts.VariableName, err)
+	}
+
+	fmt.Fprintf(opts.IO.Out, "%s\n", response.Value)
+
+	return nil
+}
diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
new file mode 100644
index 00000000000..60e2d8fa6ed
--- /dev/null
+++ b/pkg/cmd/variable/get/get_test.go
@@ -0,0 +1,202 @@
+package get
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/cli/cli/v2/internal/config"
+	"github.com/cli/cli/v2/internal/gh"
+	"github.com/cli/cli/v2/internal/ghrepo"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/cli/cli/v2/pkg/httpmock"
+	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/google/shlex"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewCmdGet(t *testing.T) {
+	tests := []struct {
+		name    string
+		cli     string
+		wants   GetOptions
+		wantErr error
+	}{
+		{
+			name: "repo",
+			cli:  "FOO",
+			wants: GetOptions{
+				OrgName:      "",
+				VariableName: "FOO",
+			},
+		},
+		{
+			name: "org",
+			cli:  "-o TestOrg BAR",
+			wants: GetOptions{
+				OrgName:      "TestOrg",
+				VariableName: "BAR",
+			},
+		},
+		{
+			name: "env",
+			cli:  "-e Development BAZ",
+			wants: GetOptions{
+				EnvName:      "Development",
+				VariableName: "BAZ",
+			},
+		},
+		{
+			name:    "org and env",
+			cli:     "-o TestOrg -e Development QUX",
+			wantErr: cmdutil.FlagErrorf("%s", "specify only one of `--org` or `--env`"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ios, _, _, _ := iostreams.Test()
+			f := &cmdutil.Factory{
+				IOStreams: ios,
+			}
+
+			argv, err := shlex.Split(tt.cli)
+			assert.NoError(t, err)
+
+			var gotOpts *GetOptions
+			cmd := NewCmdGet(f, func(opts *GetOptions) error {
+				gotOpts = opts
+				return nil
+			})
+			cmd.SetArgs(argv)
+			cmd.SetIn(&bytes.Buffer{})
+			cmd.SetOut(&bytes.Buffer{})
+			cmd.SetErr(&bytes.Buffer{})
+
+			_, err = cmd.ExecuteC()
+			if tt.wantErr != nil {
+				require.Equal(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+
+			require.Equal(t, tt.wants.OrgName, gotOpts.OrgName)
+			require.Equal(t, tt.wants.EnvName, gotOpts.EnvName)
+			require.Equal(t, tt.wants.VariableName, gotOpts.VariableName)
+		})
+	}
+}
+
+func Test_getRun(t *testing.T) {
+	tests := []struct {
+		name      string
+		opts      *GetOptions
+		httpStubs func(*httpmock.Registry)
+		wantOut   string
+		wantErr   error
+	}{
+		{
+			name: "getting repo variable",
+			opts: &GetOptions{
+				VariableName: "VARIABLE_ONE",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
+					httpmock.JSONResponse(getVariableResponse{
+						Value: "repo_var",
+					}))
+			},
+			wantOut: "repo_var\n",
+		},
+		{
+			name: "getting org variable",
+			opts: &GetOptions{
+				OrgName:      "TestOrg",
+				VariableName: "VARIABLE_ONE",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "orgs/TestOrg/actions/variables/VARIABLE_ONE"),
+					httpmock.JSONResponse(getVariableResponse{
+						Value: "org_var",
+					}))
+			},
+			wantOut: "org_var\n",
+		},
+		{
+			name: "getting env variable",
+			opts: &GetOptions{
+				EnvName:      "Development",
+				VariableName: "VARIABLE_ONE",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "repos/owner/repo/environments/Development/variables/VARIABLE_ONE"),
+					httpmock.JSONResponse(getVariableResponse{
+						Value: "env_var",
+					}))
+			},
+			wantOut: "env_var\n",
+		},
+		{
+			name: "when the variable is not found, an error is returned",
+			opts: &GetOptions{
+				VariableName: "VARIABLE_ONE",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
+					httpmock.StatusStringResponse(404, "not found"),
+				)
+			},
+			wantErr: fmt.Errorf("variable VARIABLE_ONE was not found"),
+		},
+		{
+			name: "when getting any variable from API fails, the error is bubbled with context",
+			opts: &GetOptions{
+				VariableName: "VARIABLE_ONE",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
+					httpmock.StatusStringResponse(400, "not found"),
+				)
+			},
+			wantErr: fmt.Errorf("failed to get variable VARIABLE_ONE: HTTP 400 (https://api.github.com/repos/owner/repo/actions/variables/VARIABLE_ONE)"),
+		},
+	}
+
+	for _, tt := range tests {
+		var runTest = func(tty bool) func(t *testing.T) {
+			return func(t *testing.T) {
+				reg := &httpmock.Registry{}
+				tt.httpStubs(reg)
+				defer reg.Verify(t)
+
+				ios, _, stdout, _ := iostreams.Test()
+				ios.SetStdoutTTY(tty)
+
+				tt.opts.IO = ios
+				tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+					return ghrepo.FromFullName("owner/repo")
+				}
+				tt.opts.HttpClient = func() (*http.Client, error) {
+					return &http.Client{Transport: reg}, nil
+				}
+				tt.opts.Config = func() (gh.Config, error) {
+					return config.NewBlankConfig(), nil
+				}
+
+				err := getRun(tt.opts)
+				if err != nil {
+					require.EqualError(t, tt.wantErr, err.Error())
+					return
+				}
+
+				require.NoError(t, err)
+				require.Equal(t, tt.wantOut, stdout.String())
+			}
+		}
+
+		t.Run(tt.name+" tty", runTest(true))
+		t.Run(tt.name+" no-tty", runTest(false))
+	}
+}
diff --git a/pkg/cmd/variable/variable.go b/pkg/cmd/variable/variable.go
index f064a81e359..15ff387444f 100644
--- a/pkg/cmd/variable/variable.go
+++ b/pkg/cmd/variable/variable.go
@@ -3,6 +3,7 @@ package variable
 import (
 	"github.com/MakeNowJust/heredoc"
 	cmdDelete "github.com/cli/cli/v2/pkg/cmd/variable/delete"
+	cmdGet "github.com/cli/cli/v2/pkg/cmd/variable/get"
 	cmdList "github.com/cli/cli/v2/pkg/cmd/variable/list"
 	cmdSet "github.com/cli/cli/v2/pkg/cmd/variable/set"
 	"github.com/cli/cli/v2/pkg/cmdutil"
@@ -21,6 +22,7 @@ func NewCmdVariable(f *cmdutil.Factory) *cobra.Command {
 
 	cmdutil.EnableRepoOverride(cmd, f)
 
+	cmd.AddCommand(cmdGet.NewCmdGet(f, nil))
 	cmd.AddCommand(cmdSet.NewCmdSet(f, nil))
 	cmd.AddCommand(cmdList.NewCmdList(f, nil))
 	cmd.AddCommand(cmdDelete.NewCmdDelete(f, nil))

From 85f424bb08a163622fdedbcfc603da09e6f22009 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Fri, 24 May 2024 15:19:54 +0200
Subject: [PATCH 096/253] Fix directory already exists

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 script/pkgmacos | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 7547c34beaa..7ffdea3246a 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -96,7 +96,7 @@ build_pkg() {
     "dist/com.github.cli.pkg"
 
   # setup resources
-  mkdir "build/macOS/resources"
+  mkdir -p "build/macOS/resources"
   cp "LICENSE" "build/macOS/resources"
 
   # build distribution

From 74392ff654f6fe9da5eb03d69bc52d21d6084505 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Fri, 24 May 2024 15:25:02 +0200
Subject: [PATCH 097/253] Added make macospkg target

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index 7dac0d29051..e68b6893942 100644
--- a/Makefile
+++ b/Makefile
@@ -93,3 +93,11 @@ uninstall:
 	rm -f ${DESTDIR}${datadir}/bash-completion/completions/gh
 	rm -f ${DESTDIR}${datadir}/fish/vendor_completions.d/gh.fish
 	rm -f ${DESTDIR}${datadir}/zsh/site-functions/_gh
+
+.PHONY: macospkg
+macospkg: manpages completions
+ifndef VERSION
+	$(error VERSION is not set. Use `make macospkg VERSION=vX.Y.Z`)
+endif
+	./script/release --local "$(VERSION)" --platform macos
+	./script/pkgmacos $(VERSION)

From 1990952a62f30fda1ff3255f7e7c033651235119 Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Fri, 24 May 2024 16:08:22 +0200
Subject: [PATCH 098/253] Fix distribution.xml + min macos version requirements

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 build/macOS/distribution.xml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
index 54818f52ae7..773321da362 100644
--- a/build/macOS/distribution.xml
+++ b/build/macOS/distribution.xml
@@ -1,9 +1,21 @@
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<installer-gui-script minSpecVersion="1">
+<installer-gui-script minSpecVersion="2">
     <title>GitHub CLI</title>
     <license file="LICENSE" mime-type="text/plain"/>
-    <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="false" allow-external-scripts="false"/>
+    <options hostArchitectures="arm64,x86_64" customize="never" require-scripts="true" allow-external-scripts="false"/>
     <domains enable_localSystem="true"/>
+    <installation-check script="installCheck();"/>
+    <script>
+    function installCheck() {
+      if (!(system.compareVersions(system.version.ProductVersion, '12') &gt;= 0)) {
+        my.result.title = 'Unable to install';
+        my.result.message = 'GitHub CLI requires macOS 12 or later.';
+        my.result.type = 'Fatal';
+        return false;
+      }
+      return true;
+    }
+    </script>
 
     <choices-outline>
         <line choice="gh-cli"/>

From 27262ff5aef4eb9a84f814f22a7d03d9e874a09c Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Fri, 24 May 2024 16:15:04 +0200
Subject: [PATCH 099/253] Added native min os version blocking

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 build/macOS/distribution.xml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/build/macOS/distribution.xml b/build/macOS/distribution.xml
index 773321da362..dc93628f831 100644
--- a/build/macOS/distribution.xml
+++ b/build/macOS/distribution.xml
@@ -7,15 +7,20 @@
     <installation-check script="installCheck();"/>
     <script>
     function installCheck() {
-      if (!(system.compareVersions(system.version.ProductVersion, '12') &gt;= 0)) {
-        my.result.title = 'Unable to install';
-        my.result.message = 'GitHub CLI requires macOS 12 or later.';
-        my.result.type = 'Fatal';
-        return false;
-      }
-      return true;
+        // this check is redundant, but it produces a user friendly error message
+        // compared to a disabled install button caused by allowed-os-versions
+        if (!(system.compareVersions(system.version.ProductVersion, '12') &gt;= 0)) {
+            my.result.title = 'Unable to install';
+            my.result.message = 'GitHub CLI requires macOS 12 or later.';
+            my.result.type = 'Fatal';
+            return false;
+        }
+        return true;
     }
     </script>
+    <allowed-os-versions>
+        <os-version min="12.0" />
+    </allowed-os-versions>
 
     <choices-outline>
         <line choice="gh-cli"/>

From b2fead7dffdbf9ca0a337dc94db02f0ced497021 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 24 May 2024 14:47:29 +0000
Subject: [PATCH 100/253] build(deps): bump github.com/gabriel-vasile/mimetype
 from 1.4.3 to 1.4.4

Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype) from 1.4.3 to 1.4.4.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases)
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.3...v1.4.4)

---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 12 ++++++------
 go.sum | 24 ++++++++++++------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index b39baffd0bf..ad96b9e24d9 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.4
 	github.com/creack/pty v1.1.21
 	github.com/distribution/reference v0.5.0
-	github.com/gabriel-vasile/mimetype v1.4.3
+	github.com/gabriel-vasile/mimetype v1.4.4
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.19.1
@@ -43,10 +43,10 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/zalando/go-keyring v0.2.4
-	golang.org/x/crypto v0.22.0
+	golang.org/x/crypto v0.23.0
 	golang.org/x/sync v0.6.0
-	golang.org/x/term v0.19.0
-	golang.org/x/text v0.14.0
+	golang.org/x/term v0.20.0
+	golang.org/x/text v0.15.0
 	google.golang.org/grpc v1.62.2
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/h2non/gock.v1 v1.1.2
@@ -158,8 +158,8 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
diff --git a/go.sum b/go.sum
index 1af962cac3f..d6b01f87f8d 100644
--- a/go.sum
+++ b/go.sum
@@ -149,8 +149,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
-github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
+github.com/gabriel-vasile/mimetype v1.4.4 h1:QjV6pZ7/XZ7ryI2KuyeEDE8wnh7fHP9YnQy+R0LnH8I=
+github.com/gabriel-vasile/mimetype v1.4.4/go.mod h1:JwLei5XPtWdGiMFB5Pjle1oEeoSeEuJfJE+TtfvdB/s=
 github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
 github.com/gdamore/tcell/v2 v2.5.4 h1:TGU4tSjD3sCL788vFNeJnTdzpNKIw1H5dgLnJRQVv/k=
@@ -481,8 +481,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -491,8 +491,8 @@ golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
-golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -510,19 +510,19 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

From f66367d3425c570386dc7a91ddba707b58529b0f Mon Sep 17 00:00:00 2001
From: paulober <44974737+paulober@users.noreply.github.com>
Date: Fri, 24 May 2024 19:20:39 +0200
Subject: [PATCH 101/253] Integrate argument array to remove duplicate code

Signed-off-by: paulober <44974737+paulober@users.noreply.github.com>
---
 script/pkgmacos | 42 ++++++++++++++++++++----------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 7ffdea3246a..38103277eaa 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -58,8 +58,8 @@ fi
 
 # gh-binary paths
 bin_path="/bin/gh"
-arm64_bin="dist/macos_darwin_arm64$bin_path"
-amd64_bin="dist/macos_darwin_amd64_v1$bin_path"
+arm64_bin="./dist/macos_darwin_arm64$bin_path"
+amd64_bin="./dist/macos_darwin_amd64_v1$bin_path"
 # payload paths
 payload_root="pkg_payload"
 payload_local_bin="${payload_root}/usr/local/bin"
@@ -93,37 +93,35 @@ build_pkg() {
     --identifier "com.github.cli" \
     --version "$tag_name" \
     --install-location "/" \
-    "dist/com.github.cli.pkg"
+    "./dist/com.github.cli.pkg"
 
   # setup resources
-  mkdir -p "build/macOS/resources"
-  cp "LICENSE" "build/macOS/resources"
+  mkdir -p "./build/macOS/resources"
+  cp "LICENSE" "./build/macOS/resources"
 
-  # build distribution
+  PRODUCTBUILD_ARGS=()
+
+  # include signing if developer id is set
   if [ -n "$APPLE_DEVELOPER_INSTALLER_ID" ]; then
-    # build and sign production package with license
-    productbuild \
-      --distribution "./build/macOS/distribution.xml" \
-      --resources "./build/macOS/resources" \
-      --package-path "./dist" \
-      --timestamp \
-      --sign "${APPLE_DEVELOPER_INSTALLER_ID?}" \
-      "./dist/gh_${tag_name}_macOS_universal.pkg"
+    PRODUCTBUILD_ARGS+=("--timestamp")
+    PRODUCTBUILD_ARGS+=("--sign")
+    PRODUCTBUILD_ARGS+=("${APPLE_DEVELOPER_INSTALLER_ID}")
   else
     echo "skipping macOS pkg code-signing; APPLE_DEVELOPER_INSTALLER_ID not set" >&2
-
-    # build production package with license without signing
-    productbuild \
-      --distribution "./build/macOS/distribution.xml" \
-      --resources "./build/macOS/resources" \
-      --package-path "./dist" \
-      "./dist/gh_${tag_name}_macOS_universal.pkg"
   fi
+
+  # build distribution
+  productbuild \
+    --distribution "./build/macOS/distribution.xml" \
+    --resources "./build/macOS/resources" \
+    --package-path "./dist" \
+    "${PRODUCTBUILD_ARGS[@]}" \
+    "./dist/gh_${tag_name}_macOS_universal.pkg"
 }
 
 cleanup() {
   # remove temp installer so it does not get uploaded
-  rm -f "dist/com.github.cli.pkg"
+  rm -f "./dist/com.github.cli.pkg"
 }
 
 trap cleanup EXIT

From 279d53af987edf231767142be967f8003da7397e Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Fri, 24 May 2024 15:09:40 -0400
Subject: [PATCH 102/253] Remove `v` prefix when `pkgmacos` is called

Existing Mac OS release artifacts use the tag name / version in the file name but drop the `v` prefix.  This does the same for the Mac OS installer.
---
 script/pkgmacos | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/script/pkgmacos b/script/pkgmacos
index 38103277eaa..a5c9134f107 100755
--- a/script/pkgmacos
+++ b/script/pkgmacos
@@ -30,7 +30,7 @@ while [ $# -gt 0 ]; do
     exit 1
     ;;
   * )
-    tag_name="$1"
+    tag_name="${1#v}"
     shift 1
     ;;
   esac

From bdc40a00d40fb6f5ff23a48d8812b40638a18a13 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Fri, 24 May 2024 15:26:37 -0400
Subject: [PATCH 103/253] Update readme about MacOS pkg

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6e0c7de6aea..f637eabcfe2 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ If you are a hubber and are interested in shipping new commands for the CLI, che
 
 ### macOS
 
-`gh` is available via [Homebrew][], [MacPorts][], [Conda][], [Spack][], [Webi][], and as a downloadable binary from the [releases page][].
+`gh` is available via [Homebrew][], [MacPorts][], [Conda][], [Spack][], [Webi][], and as a downloadable binary including Mac OS installer `.pkg` from the [releases page][].
 
 #### Homebrew
 

From d8219426ba7e4a3358607a1dd6fcd862c3ebeb4a Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 15:11:23 +0100
Subject: [PATCH 104/253] Move `Variable` type and
 `PopulateSelectedRepositoryInformation` func to shared

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/list/list.go      | 60 ++++++------------------------
 pkg/cmd/variable/list/list_test.go | 10 ++---
 pkg/cmd/variable/shared/shared.go  | 52 ++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 54 deletions(-)

diff --git a/pkg/cmd/variable/list/list.go b/pkg/cmd/variable/list/list.go
index 1c29cfe2fcb..2d26a03b6a2 100644
--- a/pkg/cmd/variable/list/list.go
+++ b/pkg/cmd/variable/list/list.go
@@ -30,15 +30,6 @@ type ListOptions struct {
 	EnvName string
 }
 
-var variableFields = []string{
-	"name",
-	"value",
-	"visibility",
-	"updatedAt",
-	"numSelectedRepos",
-	"selectedReposURL",
-}
-
 func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Command {
 	opts := &ListOptions{
 		IO:         f.IOStreams,
@@ -76,7 +67,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 
 	cmd.Flags().StringVarP(&opts.OrgName, "org", "o", "", "List variables for an organization")
 	cmd.Flags().StringVarP(&opts.EnvName, "env", "e", "", "List variables for an environment")
-	cmdutil.AddJSONFlags(cmd, &opts.Exporter, variableFields)
+	cmdutil.AddJSONFlags(cmd, &opts.Exporter, shared.VariableJSONFields)
 
 	return cmd
 }
@@ -103,7 +94,7 @@ func listRun(opts *ListOptions) error {
 		return err
 	}
 
-	var variables []Variable
+	var variables []shared.Variable
 	showSelectedRepoInfo := opts.IO.IsStdoutTTY()
 
 	switch variableEntity {
@@ -170,20 +161,7 @@ func listRun(opts *ListOptions) error {
 	return nil
 }
 
-type Variable struct {
-	Name             string            `json:"name"`
-	Value            string            `json:"value"`
-	UpdatedAt        time.Time         `json:"updated_at"`
-	Visibility       shared.Visibility `json:"visibility"`
-	SelectedReposURL string            `json:"selected_repositories_url"`
-	NumSelectedRepos int               `json:"num_selected_repos"`
-}
-
-func (v *Variable) ExportData(fields []string) map[string]interface{} {
-	return cmdutil.StructExportData(v, fields)
-}
-
-func fmtVisibility(s Variable) string {
+func fmtVisibility(s shared.Variable) string {
 	switch s.Visibility {
 	case shared.All:
 		return "Visible to all repositories"
@@ -199,22 +177,23 @@ func fmtVisibility(s Variable) string {
 	return ""
 }
 
-func getRepoVariables(client *http.Client, repo ghrepo.Interface) ([]Variable, error) {
+func getRepoVariables(client *http.Client, repo ghrepo.Interface) ([]shared.Variable, error) {
 	return getVariables(client, repo.RepoHost(), fmt.Sprintf("repos/%s/actions/variables", ghrepo.FullName(repo)))
 }
 
-func getEnvVariables(client *http.Client, repo ghrepo.Interface, envName string) ([]Variable, error) {
+func getEnvVariables(client *http.Client, repo ghrepo.Interface, envName string) ([]shared.Variable, error) {
 	path := fmt.Sprintf("repos/%s/environments/%s/variables", ghrepo.FullName(repo), envName)
 	return getVariables(client, repo.RepoHost(), path)
 }
 
-func getOrgVariables(client *http.Client, host, orgName string, showSelectedRepoInfo bool) ([]Variable, error) {
+func getOrgVariables(client *http.Client, host, orgName string, showSelectedRepoInfo bool) ([]shared.Variable, error) {
 	variables, err := getVariables(client, host, fmt.Sprintf("orgs/%s/actions/variables", orgName))
 	if err != nil {
 		return nil, err
 	}
+	apiClient := api.NewClientFromHTTP(client)
 	if showSelectedRepoInfo {
-		err = populateSelectedRepositoryInformation(client, host, variables)
+		err = shared.PopulateMultipleSelectedRepositoryInformation(apiClient, host, variables)
 		if err != nil {
 			return nil, err
 		}
@@ -222,13 +201,13 @@ func getOrgVariables(client *http.Client, host, orgName string, showSelectedRepo
 	return variables, nil
 }
 
-func getVariables(client *http.Client, host, path string) ([]Variable, error) {
-	var results []Variable
+func getVariables(client *http.Client, host, path string) ([]shared.Variable, error) {
+	var results []shared.Variable
 	apiClient := api.NewClientFromHTTP(client)
 	path = fmt.Sprintf("%s?per_page=100", path)
 	for path != "" {
 		response := struct {
-			Variables []Variable
+			Variables []shared.Variable
 		}{}
 		var err error
 		path, err = apiClient.RESTWithNext(host, "GET", path, nil, &response)
@@ -239,20 +218,3 @@ func getVariables(client *http.Client, host, path string) ([]Variable, error) {
 	}
 	return results, nil
 }
-
-func populateSelectedRepositoryInformation(client *http.Client, host string, variables []Variable) error {
-	apiClient := api.NewClientFromHTTP(client)
-	for i, variable := range variables {
-		if variable.SelectedReposURL == "" {
-			continue
-		}
-		response := struct {
-			TotalCount int `json:"total_count"`
-		}{}
-		if err := apiClient.REST(host, "GET", variable.SelectedReposURL, nil, &response); err != nil {
-			return fmt.Errorf("failed determining selected repositories for %s: %w", variable.Name, err)
-		}
-		variables[i].NumSelectedRepos = response.TotalCount
-	}
-	return nil
-}
diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index 0629bb2c76f..d9443b2ac3f 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -175,9 +175,9 @@ func Test_listRun(t *testing.T) {
 			t1, _ := time.Parse("2006-01-02", "2020-12-04")
 			t2, _ := time.Parse("2006-01-02", "1975-11-30")
 			payload := struct {
-				Variables []Variable
+				Variables []shared.Variable
 			}{
-				Variables: []Variable{
+				Variables: []shared.Variable{
 					{
 						Name:      "VARIABLE_ONE",
 						Value:     "one",
@@ -196,7 +196,7 @@ func Test_listRun(t *testing.T) {
 				},
 			}
 			if tt.opts.OrgName != "" {
-				payload.Variables = []Variable{
+				payload.Variables = []shared.Variable{
 					{
 						Name:       "VARIABLE_ONE",
 						Value:      "org_one",
@@ -279,7 +279,7 @@ func Test_getVariables_pagination(t *testing.T) {
 func TestExportVariables(t *testing.T) {
 	ios, _, stdout, _ := iostreams.Test()
 	tf, _ := time.Parse(time.RFC3339, "2024-01-01T00:00:00Z")
-	vs := []Variable{{
+	vs := []shared.Variable{{
 		Name:             "v1",
 		Value:            "test1",
 		UpdatedAt:        tf,
@@ -288,7 +288,7 @@ func TestExportVariables(t *testing.T) {
 		NumSelectedRepos: 1,
 	}}
 	exporter := cmdutil.NewJSONExporter()
-	exporter.SetFields(variableFields)
+	exporter.SetFields(shared.VariableJSONFields)
 	require.NoError(t, exporter.Write(ios, vs))
 	require.JSONEq(t,
 		`[{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}]`,
diff --git a/pkg/cmd/variable/shared/shared.go b/pkg/cmd/variable/shared/shared.go
index e9975dd5cc5..d9489f219c1 100644
--- a/pkg/cmd/variable/shared/shared.go
+++ b/pkg/cmd/variable/shared/shared.go
@@ -2,6 +2,11 @@ package shared
 
 import (
 	"errors"
+	"fmt"
+	"time"
+
+	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/pkg/cmdutil"
 )
 
 type Visibility string
@@ -20,6 +25,28 @@ const (
 	Environment  = "environment"
 )
 
+type Variable struct {
+	Name             string     `json:"name"`
+	Value            string     `json:"value"`
+	UpdatedAt        time.Time  `json:"updated_at"`
+	Visibility       Visibility `json:"visibility"`
+	SelectedReposURL string     `json:"selected_repositories_url"`
+	NumSelectedRepos int        `json:"num_selected_repos"`
+}
+
+var VariableJSONFields = []string{
+	"name",
+	"value",
+	"visibility",
+	"updatedAt",
+	"numSelectedRepos",
+	"selectedReposURL",
+}
+
+func (v *Variable) ExportData(fields []string) map[string]interface{} {
+	return cmdutil.StructExportData(v, fields)
+}
+
 func GetVariableEntity(orgName, envName string) (VariableEntity, error) {
 	orgSet := orgName != ""
 	envSet := envName != ""
@@ -36,3 +63,28 @@ func GetVariableEntity(orgName, envName string) (VariableEntity, error) {
 	}
 	return Repository, nil
 }
+
+func PopulateMultipleSelectedRepositoryInformation(apiClient *api.Client, host string, variables []Variable) error {
+	for i, variable := range variables {
+		if err := PopulateSelectedRepositoryInformation(apiClient, host, &variable); err != nil {
+			return err
+		}
+		variables[i] = variable
+	}
+	return nil
+}
+
+func PopulateSelectedRepositoryInformation(apiClient *api.Client, host string, variable *Variable) error {
+	if variable.SelectedReposURL == "" {
+		return nil
+	}
+
+	response := struct {
+		TotalCount int `json:"total_count"`
+	}{}
+	if err := apiClient.REST(host, "GET", variable.SelectedReposURL, nil, &response); err != nil {
+		return fmt.Errorf("failed determining selected repositories for %s: %w", variable.Name, err)
+	}
+	variable.NumSelectedRepos = response.TotalCount
+	return nil
+}

From 2a5a4ce1623f0363e3ef211ad7e2761fb48efb92 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 15:12:51 +0100
Subject: [PATCH 105/253] Add tests for JSON output

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/list/list_test.go | 58 +++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index d9443b2ac3f..bd7924f74a2 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -81,10 +81,11 @@ func TestNewCmdList(t *testing.T) {
 
 func Test_listRun(t *testing.T) {
 	tests := []struct {
-		name    string
-		tty     bool
-		opts    *ListOptions
-		wantOut []string
+		name       string
+		tty        bool
+		opts       *ListOptions
+		jsonFields []string
+		wantOut    []string
 	}{
 		{
 			name: "repo tty",
@@ -107,6 +108,17 @@ func Test_listRun(t *testing.T) {
 				"VARIABLE_THREE\tthree\t1975-11-30T00:00:00Z",
 			},
 		},
+		{
+			name:       "repo not tty, json",
+			tty:        false,
+			opts:       &ListOptions{},
+			jsonFields: []string{"name", "value"},
+			wantOut: []string{`[
+				{"name":"VARIABLE_ONE","value":"one"},
+				{"name":"VARIABLE_TWO","value":"two"},
+				{"name":"VARIABLE_THREE","value":"three"}
+			]`},
+		},
 		{
 			name: "org tty",
 			tty:  true,
@@ -132,6 +144,19 @@ func Test_listRun(t *testing.T) {
 				"VARIABLE_THREE\torg_three\t1975-11-30T00:00:00Z\tSELECTED",
 			},
 		},
+		{
+			name: "org not tty, json",
+			tty:  false,
+			opts: &ListOptions{
+				OrgName: "UmbrellaCorporation",
+			},
+			jsonFields: []string{"name", "value"},
+			wantOut: []string{`[
+				{"name":"VARIABLE_ONE","value":"org_one"},
+				{"name":"VARIABLE_TWO","value":"org_two"},
+				{"name":"VARIABLE_THREE","value":"org_three"}
+			]`},
+		},
 		{
 			name: "env tty",
 			tty:  true,
@@ -157,6 +182,19 @@ func Test_listRun(t *testing.T) {
 				"VARIABLE_THREE\tthree\t1975-11-30T00:00:00Z",
 			},
 		},
+		{
+			name: "env not tty, json",
+			tty:  false,
+			opts: &ListOptions{
+				EnvName: "Development",
+			},
+			jsonFields: []string{"name", "value"},
+			wantOut: []string{`[
+				{"name":"VARIABLE_ONE","value":"one"},
+				{"name":"VARIABLE_TWO","value":"two"},
+				{"name":"VARIABLE_THREE","value":"three"}
+			]`},
+		},
 	}
 
 	for _, tt := range tests {
@@ -247,11 +285,21 @@ func Test_listRun(t *testing.T) {
 				return t
 			}
 
+			if tt.jsonFields != nil {
+				jsonExporter := cmdutil.NewJSONExporter()
+				jsonExporter.SetFields(tt.jsonFields)
+				tt.opts.Exporter = jsonExporter
+			}
+
 			err := listRun(tt.opts)
 			assert.NoError(t, err)
 
 			expected := fmt.Sprintf("%s\n", strings.Join(tt.wantOut, "\n"))
-			assert.Equal(t, expected, stdout.String())
+			if tt.jsonFields != nil {
+				assert.JSONEq(t, expected, stdout.String())
+			} else {
+				assert.Equal(t, expected, stdout.String())
+			}
 		})
 	}
 }

From 9d8b7833041086c93aa0d85227311c90c4f65aae Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 15:18:05 +0100
Subject: [PATCH 106/253] Use `Variable` type defined in `shared` package

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get.go      | 18 +++++-------------
 pkg/cmd/variable/get/get_test.go |  7 ++++---
 2 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/pkg/cmd/variable/get/get.go b/pkg/cmd/variable/get/get.go
index a946411340c..5bfd3ad3bb7 100644
--- a/pkg/cmd/variable/get/get.go
+++ b/pkg/cmd/variable/get/get.go
@@ -21,21 +21,13 @@ type GetOptions struct {
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 
+	Exporter cmdutil.Exporter
+
 	VariableName string
 	OrgName      string
 	EnvName      string
 }
 
-type getVariableResponse struct {
-	Value string `json:"value"`
-	// Other available but unused fields
-	// Name             string            `json:"name"`
-	// UpdatedAt        time.Time         `json:"updated_at"`
-	// Visibility       shared.Visibility `json:"visibility"`
-	// SelectedReposURL string            `json:"selected_repositories_url"`
-	// NumSelectedRepos int               `json:"num_selected_repos"`
-}
-
 func NewCmdGet(f *cmdutil.Factory, runF func(*GetOptions) error) *cobra.Command {
 	opts := &GetOptions{
 		IO:         f.IOStreams,
@@ -116,8 +108,8 @@ func getRun(opts *GetOptions) error {
 
 	host, _ := cfg.Authentication().DefaultHost()
 
-	var response getVariableResponse
-	if err = client.REST(host, "GET", path, nil, &response); err != nil {
+	var variable shared.Variable
+	if err = client.REST(host, "GET", path, nil, &variable); err != nil {
 		var httpErr api.HTTPError
 		if errors.As(err, &httpErr) && httpErr.StatusCode == http.StatusNotFound {
 			return fmt.Errorf("variable %s was not found", opts.VariableName)
@@ -126,7 +118,7 @@ func getRun(opts *GetOptions) error {
 		return fmt.Errorf("failed to get variable %s: %w", opts.VariableName, err)
 	}
 
-	fmt.Fprintf(opts.IO.Out, "%s\n", response.Value)
+	fmt.Fprintf(opts.IO.Out, "%s\n", variable.Value)
 
 	return nil
 }
diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index 60e2d8fa6ed..d7b08c4a049 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
+	"github.com/cli/cli/v2/pkg/cmd/variable/shared"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
@@ -104,7 +105,7 @@ func Test_getRun(t *testing.T) {
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
-					httpmock.JSONResponse(getVariableResponse{
+					httpmock.JSONResponse(shared.Variable{
 						Value: "repo_var",
 					}))
 			},
@@ -118,7 +119,7 @@ func Test_getRun(t *testing.T) {
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "orgs/TestOrg/actions/variables/VARIABLE_ONE"),
-					httpmock.JSONResponse(getVariableResponse{
+					httpmock.JSONResponse(shared.Variable{
 						Value: "org_var",
 					}))
 			},
@@ -132,7 +133,7 @@ func Test_getRun(t *testing.T) {
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/environments/Development/variables/VARIABLE_ONE"),
-					httpmock.JSONResponse(getVariableResponse{
+					httpmock.JSONResponse(shared.Variable{
 						Value: "env_var",
 					}))
 			},

From 96549077cc0394e78aba4e355cbdd03d720c35f6 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 15:18:42 +0100
Subject: [PATCH 107/253] Add `--json` option support

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkg/cmd/variable/get/get.go b/pkg/cmd/variable/get/get.go
index 5bfd3ad3bb7..33d6abb7bf1 100644
--- a/pkg/cmd/variable/get/get.go
+++ b/pkg/cmd/variable/get/get.go
@@ -64,6 +64,7 @@ func NewCmdGet(f *cmdutil.Factory, runF func(*GetOptions) error) *cobra.Command
 	}
 	cmd.Flags().StringVarP(&opts.OrgName, "org", "o", "", "Get a variable for an organization")
 	cmd.Flags().StringVarP(&opts.EnvName, "env", "e", "", "Get a variable for an environment")
+	cmdutil.AddJSONFlags(cmd, &opts.Exporter, shared.VariableJSONFields)
 
 	return cmd
 }
@@ -118,6 +119,14 @@ func getRun(opts *GetOptions) error {
 		return fmt.Errorf("failed to get variable %s: %w", opts.VariableName, err)
 	}
 
+	if err := shared.PopulateSelectedRepositoryInformation(client, host, &variable); err != nil {
+		return err
+	}
+
+	if opts.Exporter != nil {
+		return opts.Exporter.Write(opts.IO, &variable)
+	}
+
 	fmt.Fprintf(opts.IO.Out, "%s\n", variable.Value)
 
 	return nil

From ab85baaab42d03b064fec18caa741543bc9de3c9 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 15:24:19 +0100
Subject: [PATCH 108/253] Add test to verify JSON exporter gets set

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index d7b08c4a049..77ad34ab810 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -54,6 +54,18 @@ func TestNewCmdGet(t *testing.T) {
 			cli:     "-o TestOrg -e Development QUX",
 			wantErr: cmdutil.FlagErrorf("%s", "specify only one of `--org` or `--env`"),
 		},
+		{
+			name: "json",
+			cli:  "--json name,value FOO",
+			wants: GetOptions{
+				VariableName: "FOO",
+				Exporter: func() cmdutil.Exporter {
+					exporter := cmdutil.NewJSONExporter()
+					exporter.SetFields([]string{"name", "value"})
+					return exporter
+				}(),
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -86,6 +98,7 @@ func TestNewCmdGet(t *testing.T) {
 			require.Equal(t, tt.wants.OrgName, gotOpts.OrgName)
 			require.Equal(t, tt.wants.EnvName, gotOpts.EnvName)
 			require.Equal(t, tt.wants.VariableName, gotOpts.VariableName)
+			require.Equal(t, tt.wants.Exporter, gotOpts.Exporter)
 		})
 	}
 }

From 840ddc5df5d9e597f5bca716829e31e0d9143657 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 22:25:46 +0100
Subject: [PATCH 109/253] Only populate selected repo information for JSON
 output

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/variable/get/get.go b/pkg/cmd/variable/get/get.go
index 33d6abb7bf1..32b4c5e6271 100644
--- a/pkg/cmd/variable/get/get.go
+++ b/pkg/cmd/variable/get/get.go
@@ -119,15 +119,13 @@ func getRun(opts *GetOptions) error {
 		return fmt.Errorf("failed to get variable %s: %w", opts.VariableName, err)
 	}
 
-	if err := shared.PopulateSelectedRepositoryInformation(client, host, &variable); err != nil {
-		return err
-	}
-
 	if opts.Exporter != nil {
+		if err := shared.PopulateSelectedRepositoryInformation(client, host, &variable); err != nil {
+			return err
+		}
 		return opts.Exporter.Write(opts.IO, &variable)
 	}
 
 	fmt.Fprintf(opts.IO.Out, "%s\n", variable.Value)
-
 	return nil
 }

From 7add5a47bd9c240d991e55f6d7d9d98654d9fb8d Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 23:54:31 +0100
Subject: [PATCH 110/253] Add test for JSON output

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get_test.go | 56 ++++++++++++++++++++++++++++----
 1 file changed, 50 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index 77ad34ab810..049c7575bef 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
@@ -104,12 +105,15 @@ func TestNewCmdGet(t *testing.T) {
 }
 
 func Test_getRun(t *testing.T) {
+	tf, _ := time.Parse(time.RFC3339, "2024-01-01T00:00:00Z")
+
 	tests := []struct {
-		name      string
-		opts      *GetOptions
-		httpStubs func(*httpmock.Registry)
-		wantOut   string
-		wantErr   error
+		name       string
+		opts       *GetOptions
+		httpStubs  func(*httpmock.Registry)
+		jsonFields []string
+		wantOut    string
+		wantErr    error
 	}{
 		{
 			name: "getting repo variable",
@@ -152,6 +156,36 @@ func Test_getRun(t *testing.T) {
 			},
 			wantOut: "env_var\n",
 		},
+		{
+			name: "json",
+			opts: &GetOptions{
+				VariableName: "VARIABLE_ONE",
+			},
+			jsonFields: []string{"name", "value", "visibility", "updatedAt", "numSelectedRepos", "selectedReposURL"},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
+					httpmock.JSONResponse(shared.Variable{
+						Name:             "VARIABLE_ONE",
+						Value:            "repo_var",
+						UpdatedAt:        tf,
+						Visibility:       shared.Organization,
+						SelectedReposURL: "path/to/fetch/selected/repos",
+						NumSelectedRepos: 0, // This should be populated in a second API call.
+					}))
+				reg.Register(httpmock.REST("GET", "path/to/fetch/selected/repos"),
+					httpmock.JSONResponse(map[string]interface{}{
+						"total_count": 99,
+					}))
+			},
+			wantOut: `{
+				"name": "VARIABLE_ONE",
+				"value": "repo_var",
+				"updatedAt": "2024-01-01T00:00:00Z",
+				"visibility": "organization",
+				"selectedReposURL": "path/to/fetch/selected/repos",
+				"numSelectedRepos": 99
+			}`,
+		},
 		{
 			name: "when the variable is not found, an error is returned",
 			opts: &GetOptions{
@@ -199,6 +233,12 @@ func Test_getRun(t *testing.T) {
 					return config.NewBlankConfig(), nil
 				}
 
+				if tt.jsonFields != nil {
+					exporter := cmdutil.NewJSONExporter()
+					exporter.SetFields(tt.jsonFields)
+					tt.opts.Exporter = exporter
+				}
+
 				err := getRun(tt.opts)
 				if err != nil {
 					require.EqualError(t, tt.wantErr, err.Error())
@@ -206,7 +246,11 @@ func Test_getRun(t *testing.T) {
 				}
 
 				require.NoError(t, err)
-				require.Equal(t, tt.wantOut, stdout.String())
+				if tt.jsonFields != nil {
+					require.JSONEq(t, tt.wantOut, stdout.String())
+				} else {
+					require.Equal(t, tt.wantOut, stdout.String())
+				}
 			}
 		}
 

From 43e3e9410e44757489ea08ffe1b51904042b9098 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 25 May 2024 23:55:01 +0100
Subject: [PATCH 111/253] Add test for exporting as JSON

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get_test.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index 049c7575bef..cb710613eba 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -258,3 +258,22 @@ func Test_getRun(t *testing.T) {
 		t.Run(tt.name+" no-tty", runTest(false))
 	}
 }
+
+func TestExportVariables(t *testing.T) {
+	ios, _, stdout, _ := iostreams.Test()
+	tf, _ := time.Parse(time.RFC3339, "2024-01-01T00:00:00Z")
+	vs := &shared.Variable{
+		Name:             "v1",
+		Value:            "test1",
+		UpdatedAt:        tf,
+		Visibility:       shared.All,
+		SelectedReposURL: "https://someurl.com",
+		NumSelectedRepos: 1,
+	}
+	exporter := cmdutil.NewJSONExporter()
+	exporter.SetFields(shared.VariableJSONFields)
+	require.NoError(t, exporter.Write(ios, vs))
+	require.JSONEq(t,
+		`{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}`,
+		stdout.String())
+}

From 94dff4de04b06bad72a51fde8fbe736df7069a4b Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 26 May 2024 00:05:04 +0100
Subject: [PATCH 112/253] Add `createdAt` field to `Variable` type

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/shared/shared.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/cmd/variable/shared/shared.go b/pkg/cmd/variable/shared/shared.go
index d9489f219c1..c681242bc3f 100644
--- a/pkg/cmd/variable/shared/shared.go
+++ b/pkg/cmd/variable/shared/shared.go
@@ -29,6 +29,7 @@ type Variable struct {
 	Name             string     `json:"name"`
 	Value            string     `json:"value"`
 	UpdatedAt        time.Time  `json:"updated_at"`
+	CreatedAt        time.Time  `json:"created_at"`
 	Visibility       Visibility `json:"visibility"`
 	SelectedReposURL string     `json:"selected_repositories_url"`
 	NumSelectedRepos int        `json:"num_selected_repos"`
@@ -39,6 +40,7 @@ var VariableJSONFields = []string{
 	"value",
 	"visibility",
 	"updatedAt",
+	"createdAt",
 	"numSelectedRepos",
 	"selectedReposURL",
 }

From 4aa6f8f2f3a8d24ece1cea0971dddecbfb7285f3 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 26 May 2024 00:05:23 +0100
Subject: [PATCH 113/253] Add `createdAt` field to tests

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/variable/get/get_test.go   | 7 +++++--
 pkg/cmd/variable/list/list_test.go | 3 ++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index cb710613eba..4a03beb6a4e 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -161,13 +161,14 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
-			jsonFields: []string{"name", "value", "visibility", "updatedAt", "numSelectedRepos", "selectedReposURL"},
+			jsonFields: []string{"name", "value", "visibility", "updatedAt", "createdAt", "numSelectedRepos", "selectedReposURL"},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
 					httpmock.JSONResponse(shared.Variable{
 						Name:             "VARIABLE_ONE",
 						Value:            "repo_var",
 						UpdatedAt:        tf,
+						CreatedAt:        tf,
 						Visibility:       shared.Organization,
 						SelectedReposURL: "path/to/fetch/selected/repos",
 						NumSelectedRepos: 0, // This should be populated in a second API call.
@@ -181,6 +182,7 @@ func Test_getRun(t *testing.T) {
 				"name": "VARIABLE_ONE",
 				"value": "repo_var",
 				"updatedAt": "2024-01-01T00:00:00Z",
+				"createdAt": "2024-01-01T00:00:00Z",
 				"visibility": "organization",
 				"selectedReposURL": "path/to/fetch/selected/repos",
 				"numSelectedRepos": 99
@@ -266,6 +268,7 @@ func TestExportVariables(t *testing.T) {
 		Name:             "v1",
 		Value:            "test1",
 		UpdatedAt:        tf,
+		CreatedAt:        tf,
 		Visibility:       shared.All,
 		SelectedReposURL: "https://someurl.com",
 		NumSelectedRepos: 1,
@@ -274,6 +277,6 @@ func TestExportVariables(t *testing.T) {
 	exporter.SetFields(shared.VariableJSONFields)
 	require.NoError(t, exporter.Write(ios, vs))
 	require.JSONEq(t,
-		`{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}`,
+		`{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","createdAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}`,
 		stdout.String())
 }
diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index bd7924f74a2..ed4d59c59da 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -331,6 +331,7 @@ func TestExportVariables(t *testing.T) {
 		Name:             "v1",
 		Value:            "test1",
 		UpdatedAt:        tf,
+		CreatedAt:        tf,
 		Visibility:       shared.All,
 		SelectedReposURL: "https://someurl.com",
 		NumSelectedRepos: 1,
@@ -339,6 +340,6 @@ func TestExportVariables(t *testing.T) {
 	exporter.SetFields(shared.VariableJSONFields)
 	require.NoError(t, exporter.Write(ios, vs))
 	require.JSONEq(t,
-		`[{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}]`,
+		`[{"name":"v1","numSelectedRepos":1,"selectedReposURL":"https://someurl.com","updatedAt":"2024-01-01T00:00:00Z","createdAt":"2024-01-01T00:00:00Z","value":"test1","visibility":"all"}]`,
 		stdout.String())
 }

From 8d0518645f309d5ceec8eab9663299e4b75f33b4 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@users.noreply.github.com>
Date: Tue, 28 May 2024 07:13:34 -0600
Subject: [PATCH 114/253] Add integration tests for `gh attestation verify`
 shared workflow use case (#9107)

* add initial shared workflow use case tests and test data

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add more shared workflow tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

* pr feedback, replace shared with reusable

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use demo repository with reusable workflow tests

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 .../test/data/reusable-workflow-artifact      | Bin 0 -> 2962 bytes
 ...eusable-workflow-attestation.sigstore.json |  62 ++++++++++++++++
 .../verify/verify_integration_test.go         |  68 ++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 pkg/cmd/attestation/test/data/reusable-workflow-artifact
 create mode 100644 pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json

diff --git a/pkg/cmd/attestation/test/data/reusable-workflow-artifact b/pkg/cmd/attestation/test/data/reusable-workflow-artifact
new file mode 100644
index 0000000000000000000000000000000000000000..391e327c952a04c6a40cf9a068bcc66555c29728
GIT binary patch
literal 2962
zcma)8c{J2}A0BENgM?;~sZh2oGqz-jkbR6{ZZ`=HiA*(PWHOdYmO++KNS5p(m26o;
z7}>@cTcjB(3YnRZ?cS2!>E3g@?{(hy+<xElobUPm^L(Dq?>wLLc^r^iwn6{^fB>NF
zPTdJrrf5ny@0HHOJ|52ENIsWNs}nE!26z!X2%cW*XT0#f2rL#yz>%<6I5Eg5zCxr;
zLm0SrnUbndYJziCtr$w!lUGtwELG$8_!s$&yN?&rVD@W1bT!~sEbN@4r(z@30P_ju
zn+q2zn&g6SQ`Q#VqTKbUdZ_UGCa)qW<Ii?zOU&;rI>TkIcEXBUv}%8?Q#_o?UV2{9
zZ`bVx^E`dIK-n)=?1uYOqCoaRtiz8EI(Qx6Q;J_0Z36%rcK`s0A01%-?g0C}19c7f
z_j3m4Pg2JbynPWUi({tdrpHXPo$$U)UD1uh8?i?X-0_Y!sD|omM-Jj^bzi=MSoe!)
z#9vSIiK{U`C-2p%{P{K63RAfo_Q7E5HvVQ7bBX0Y9P&1>dk@+e>{)btrydeL2AYTg
zs}+?s1Pw|zNyL_!$rt(P!0e4ti-~Sz6qO#pKbksWT@x9k#1;>zb&m*mGd1$-NmE)J
z6e~!Z5O9$iGpJ5!9O(hSznO`TBV^ZI+Lhs&8eAY10$}NTxDopZD!A5|<1Qbn$M_$r
zu!TFd->C3qLvtmU5t-ACvLM|!#mhbgk)OtvN!wggiNxW)OA*Yob$fJMa8Dq%N%y40
zcff@3EprqmF~YE;8+fXsSp+Ws?RW!ud^bG2D5ZiSXD`y%Rr7AeVQ;~+n6^B`;}iBT
zkFf?y@v1_HYX-b)O8lCVX+5S7R|L=1i*xdz{KYsEHFn}yuTmBvGeavV@`lXeYjIL?
zuAH0h95U`f2tSO^Hs&V3Xiq?TQh_M3e)9ZVp?J+FZGa7F+{5x~&^{+qa@0znQvCa%
z=JzPNrInI!t^kn<p6o)pCV5RR+sYQ{S{j6@PJLc2^GT4ykK`+UlPGy5MayEa)fX}@
z;5}Ml&PamU_|g?8ed45mxb?|mbGZi=)1SKzROB_JUv@kX9US*lS6Bsi%|~W-V%#72
zNQ!VJW;3-u;Ph?bKwr&^AN`Dz@cY@)Zr_I98i+$4!CyCSn}<qR9-1JyL*pLs4;@f~
z@!3q0y{=zJ)&fg4k`&GRr9J$1jjrEG{`EnO&vd?;*m@nas%ba%?Nf?@05>|yMQFdI
zxTA@lUK)Rh<4EsN)M&d|p+RbjOI&6cnuJ)kdX30UaJ79u{#>{s-AMk*hs1?_GMawR
zHfD!%7A86lxGT-ifh1)RS1?jJaQREM@pyJCJ3cR#JMhN;SxBSgWf(N(WRe*t*6^#*
zT*B5ANhT7asU|t+tO_x6vWD2mIw<u=(QLLnydaiM)Y7~wI~WtCe7C{n(1{SJj$RBm
z?~bUG^vSu7TdV*9OIaV*6Z`70Xn)N8^wwhW{EzBucHKyvTUwQP#DR{3`NN<{qc_dE
zg;zEv)|T~Gsm-fx%kJ&*{n@C{Y>$-65{)t-82IU078jknEE=904O$YSMKA6fZ{EqF
ztsK~^FqzcF_mW_LLP@<7s<)^RoJF|*S$_Ddv;s_jA0cRH<f``~bxgmQTP<$cTRc-m
zLW5xTpUx(829Kw39$^F@t+XW;IYsVo2ux&e1KprRkCs20II=G}-#f`W-Dp^-E<b<1
z|1l}Of27#Fx!~5x`_O~2h>s<|?84B?GIA)9X>$%v@iS>7vwH4ROsaMsEAGy2N^+00
zjF^gay(N6*`KzfU6&1X><xWGe)O#yw4)-NhWQa;bjG~8zmX=8}^xV9d0z8fRF7Cx#
zdpWzWCL1YHDN%jh8)J|hwX>r241|Pqwi;i!vwiyz?c5l2@1fEpzN-;|VNN(=pmBkY
zdv}Lca(>`eQ9%Om;7i1@z^D16>E(se3;Sn=*onRy8K@k_32VU*Bn#I9qtHifn);Gm
z*F5-zW1p0Lp1o7e#z0&rDqBSj-c9|kae7HC^7J?El>cukU&4%+n2{G)hJp+bcTzPv
zMdPGUJ4dMw?ahkSiZ_n)>ja6{ZV0l=S)<*1AJ+$@f_hhD=tU~vN<-hsQ_sSmo1(}=
z&i5lcg3MipJtQ0*PW4VwiPbCJ5y#s*<)G8;Q*}mRh~NorT%hKF=ZlHOmt*O|?`SH~
zqoJp6#)DMJRu{_!VK)=pyuUo>{Bp!B8{Im$p&yAYxg^`oB!|9s{kq7E2CuKLoL{fB
zq0(lUheF#DyL66<R(jPq6-!mlK+cI>P0h^$?tBWCCdpRUhu(G>7l;HRO%SA<4zr;U
zf!lX~3;#V)VGmZ^n4~)`B-rNGe!)8XIeBB2I(x6De#E}Ax9TZ`%}Ib81WTP^S1pgB
z*DgypnmboGQ|3M6a@;WE=bN6eTwVh+9->3L8p@@v2B2~eNe?KKZe2OsuC*TfJ7TSb
zF}A$xZj+K$)DB8^g`74smfznt$J_JSOy}3VX(}*kYE$6VfU6r>c_TLtuLx*z8o&9j
z0KZ87a}%wLgdkmc8|XXKetr`<SzB1x2{Eiu^nvY2b(OweMioY5So_UIG##mKtJaOE
z#8}&QtHG}$K&6iT8vWXuBijA%1bY~Wffcop?aJ!5^lrOKjPd~$)O$f2yIPELiOvX}
z#z4M6^_IPx<OlpyrPKB!*1LG>Bze&Jd6gtzBKCq;fY${$DUgI@sC6r&2Gx~&5J)<*
z7is?jWkaXWY%V2JGtwi<2LQD2p#JlvFcwGA81n=MjSy}EpuBBjXvtozs+u+9Gi~WX
zg%K35ZLv4m<{|iLH34N;JI(oqxVMk<`If&M+KT0k533hy9#AkVR1lVH&TJ*p%`Ltj
zb{c<W`!R9nN-5X8ml*sI{KA-g2^~|%RS~jq>1Thb2B})O9t-ta##%D8lol9nT`hWp
zX`~>H{DkJ~x(G#$2Rcy~#ZEJpD5rgTAdk-azP|n8<8(&sm|;nzM|R=CB;ewdo6-|u
z>J_=-Chw9PwNHb3s(KtXC?UZatP@2`Vpe_h8QF?}neylzZ<tO}T!#oN)&i&X)G_#q
zXz*ZCMxbz3fi5(<0-ryRACw@=Q1k{2%~Au+v_y-@r7it8!bDmod0yk=hiv)($&L4a
z|M&{SzF+^I<NllPf90q@*#LmTu(lt3Kb@*JlW!i4zsc=De~JB9@;?S;GxKIU|IPgA
r=b8Uu?#&f8yZEmP)nRS|Kdt>wPdgxiyrc>M0C}gKHxzZ?@2~#=zy=9m

literal 0
HcmV?d00001

diff --git a/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json b/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json
new file mode 100644
index 00000000000..4150fad0170
--- /dev/null
+++ b/pkg/cmd/attestation/test/data/reusable-workflow-attestation.sigstore.json
@@ -0,0 +1,62 @@
+{
+  "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+  "verificationMaterial": {
+    "tlogEntries": [
+      {
+        "logIndex": "96764485",
+        "logId": {
+          "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+        },
+        "kindVersion": {
+          "kind": "dsse",
+          "version": "0.0.1"
+        },
+        "integratedTime": "1716578064",
+        "inclusionPromise": {
+          "signedEntryTimestamp": "MEUCIBnCAgBND2tf60dg5uvlw0EBbBRhFtMuP3YTRpIQj2hCAiEAmWSymilD/iY97X11tLGE/Jrs4/QZRttQl5D3IHYN8LA="
+        },
+        "inclusionProof": {
+          "logIndex": "92601054",
+          "rootHash": "WV7orTEdDpnb8KICQSRSexYSaLmAdRbXTg8+XqxWWKM=",
+          "treeSize": "92601055",
+          "hashes": [
+            "CB1xVx3PJNW+3zlLJ2FfIeZja6SZuS+CBsQCEl1mZig=",
+            "leemdxn7IXyI3q5qnApFVDe1ZvxriyA99ml3CUxZdMo=",
+            "BNjYNzNQTGe2feyWagoeovSY94wFKEvCwsDDSuzoFc8=",
+            "gYAfWQoQuzl03VxmY8Y3zYfncEwyL/PymMwBXa+7LZs=",
+            "CdX/d9Kws+qekjkNvppM9hV7QIjKwmJczmJluOKB1Eo=",
+            "PdM9YH9JZZGlnM6sSgQ4j241nCzAf4tHUdnVKxY2X30=",
+            "w1bdD4n0CWmWRMvbt7/8QhI/0ssitiB4Qmeqwbv7Qr0=",
+            "S0w2zc7ITyKJF8zP4N6Smews+cUnI/VSUDI3GWnvzKU=",
+            "cGxCXxLX5YX3M/3uGLofaY5t2NN03RonodHiEtVlZ3U=",
+            "o6CV1vxHmEXX1iLR5/z1R7XDl8m/IVrKD8CrdxzMfWw=",
+            "3fqMF47gbRivMozMOuE+dTj9UudYsqX4JcAhydLaReg=",
+            "Tg/ftnzNsPhNUlXIBEhRDG1F7eTihz/Ur47mvsRbz7g=",
+            "nPoKmHvc25emt5VYLI6G6uXL9un4iz3AWRbp0O/EjoE=",
+            "cX3Agx+hP66t1ZLbX/yHbfjU46/3m/VAmWyG/fhxAVc=",
+            "sjohk/3DQIfXTgf/5XpwtdF7yNbrf8YykOMHr1CyBYQ=",
+            "98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="
+          ],
+          "checkpoint": {
+            "envelope": "rekor.sigstore.dev - 2605736670972794746\n92601055\nWV7orTEdDpnb8KICQSRSexYSaLmAdRbXTg8+XqxWWKM=\n\n— rekor.sigstore.dev wNI9ajBEAiBCgSIjeltjI7SNI4GdxgiZj+WQML61UMuVCiYMENL7UgIgZtS/hrR/3eEzhJAxFMuP1hymkxaOMT4UAYgiMLuje1I=\n"
+          }
+        },
+        "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiZHNzZSIsInNwZWMiOnsiZW52ZWxvcGVIYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiOWVhZGU5MWI0YjE4ZWIyNzg0M2E1MGQzMWY5MjQ1MzZlMjRmYzFkNDg2MDU0OGRhN2JiMDkzNGM3ZTJiM2Q1NiJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjNjMzZjNGE5OGZjNTU4MTg3YWM2MTc1ZWZkN2E3NmUwZjc2NDIwOWZkY2VjMGRhMzFhNDc5Y2E0MjY3MmM0ZmEifSwic2lnbmF0dXJlcyI6W3sic2lnbmF0dXJlIjoiTUVZQ0lRRHJTN3VRMTlOa1dGUERGMjc2ejFhY25zeStad3BSY1NYZTkyYVNjbUJVaUFJaEFNdXBVM1djSmRJVnVkWHBXTm9zU1FILzZLRncwMVc2MWh1WHZEbC9xYklFIiwidmVyaWZpZXIiOiJMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VoUlJFTkRRbk5oWjBGM1NVSkJaMGxWVUdreGNHNVNjRFYyTDB3eFdtbFhSVEZ0T1dnMWJVSkdhVU00ZDBObldVbExiMXBKZW1vd1JVRjNUWGNLVG5wRlZrMUNUVWRCTVZWRlEyaE5UV015Ykc1ak0xSjJZMjFWZFZwSFZqSk5ValIzU0VGWlJGWlJVVVJGZUZaNllWZGtlbVJIT1hsYVV6RndZbTVTYkFwamJURnNXa2RzYUdSSFZYZElhR05PVFdwUmQwNVVTVEJOVkd0NFRrUkpNRmRvWTA1TmFsRjNUbFJKTUUxVWEzbE9SRWt3VjJwQlFVMUdhM2RGZDFsSUNrdHZXa2w2YWpCRFFWRlpTVXR2V2tsNmFqQkVRVkZqUkZGblFVVXZWMFptTTBOTWFtUktVV3N2Y1c5RGJHNHZTMlpUTVVscmVVdGhRbEJTU0hZM2FrNEtTR05TT0ZOV1RIcElNMU55U2poUGFETnVOMGRVV0ZkeGJrNTBUMkZuWlhkcWFqQm9iVmgxTUZkSFZEQXlSRVZ6YW1GUFEwSmxWWGRuWjFob1RVRTBSd3BCTVZWa1JIZEZRaTkzVVVWQmQwbElaMFJCVkVKblRsWklVMVZGUkVSQlMwSm5aM0pDWjBWR1FsRmpSRUY2UVdSQ1owNVdTRkUwUlVablVWVlVNell5Q2pVNU4waDVXR1YwTXpoSmRtMXZRVTVZZFZnd2FtOUZkMGgzV1VSV1VqQnFRa0puZDBadlFWVXpPVkJ3ZWpGWmEwVmFZalZ4VG1wd1MwWlhhWGhwTkZrS1drUTRkMmRaT0VkQk1WVmtSVkZGUWk5M1UwSm9SRU5DWjFsYUwyRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3eVpIQmtSMmd4V1drNWFBcGpibEp3V20xR2FtUkRNV2hrU0ZKc1l6TlNhR1JIYkhaaWJrMTBaREk1ZVdFeVduTmlNMlI2VEhrMWJtRllVbTlrVjBsMlpESTVlV0V5V25OaU0yUjZDa3d5UmpCa1IxWjZaRU0xTldKWGVFRk5SR3hwVGtSck1WbDZUbTFOVkVwcVRucG5ORTFYU1hwWk1rMTRUbnBKZDA5WFJYcE5hbU16VDFSSmQwNXFWbW9LVFZkRmVGcEVRVFZDWjI5eVFtZEZSVUZaVHk5TlFVVkNRa04wYjJSSVVuZGplbTkyVEROU2RtRXlWblZNYlVacVpFZHNkbUp1VFhWYU1td3dZVWhXYVFwa1dFNXNZMjFPZG1KdVVteGlibEYxV1RJNWRFMUNPRWREYVhOSFFWRlJRbWMzT0hkQlVVbEZSVmhrZG1OdGRHMWlSemt6V0RKU2NHTXpRbWhrUjA1dkNrMUVXVWREYVhOSFFWRlJRbWMzT0hkQlVVMUZTMFJyTVZsdFJtMU5hbU42VDBSc2JFOUVUbXhPYlVVeFdYcFJORnBxVVhsYVZFVTFUVWRSTUU5SFVUTUtXVmRLYWxwWFJYaFBWMVYzVEdkWlMwdDNXVUpDUVVkRWRucEJRa0pCVVdkUmJsWndZa2RSWjB4NVFrSmtTRkpzWXpOUloweDVRbGRhV0Vwd1dtNXJad3BMUms1dldWaEtiRnBEYTNkSloxbExTM2RaUWtKQlIwUjJla0ZDUWxGUlZXSlhSbk5aVnpWcVdWaE5kbGxZVWpCYVdFNHdURmRTYkdKWE9IZElVVmxMQ2t0M1dVSkNRVWRFZG5wQlFrSm5VVkJqYlZadFkzazViMXBYUm10amVUbDBXVmRzZFUxRWMwZERhWE5IUVZGUlFtYzNPSGRCVVdkRlRGRjNjbUZJVWpBS1kwaE5Oa3g1T1RCaU1uUnNZbWsxYUZrelVuQmlNalY2VEcxa2NHUkhhREZaYmxaNldsaEthbUl5TlRCYVZ6VXdURzFPZG1KVVEwSnJRVmxMUzNkWlFncENRVWRFZG5wQlFrTlJVMEpuVVhndllVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKa2NHUkhhREZaYVRsb1kyNVNjRnB0Um1wa1F6Rm9DbVJJVW14ak0xSm9aRWRzZG1KdVRYUmtNamw1WVRKYWMySXpaSHBNZVRWdVlWaFNiMlJYU1haa01qbDVZVEphYzJJelpIcE1Na1l3WkVkV2VtUkROVFVLWWxkNFFVMUViR2xPUkdzeFdYcE9iVTFVU21wT2VtYzBUVmRKZWxreVRYaE9la2wzVDFkRmVrMXFZek5QVkVsM1RtcFdhazFYUlhoYVJFRTBRbWR2Y2dwQ1owVkZRVmxQTDAxQlJVdENRMjlOUzBSQk5WbHFVVFZPVjAxNldtcEZlVmw2WXpSUFJFWnBUVEpPYWsxVVkzbE5SR3hvVFhwSk0wNTZhM2xOUkZreENsbDZSbWhOVjFGM1NGRlpTMHQzV1VKQ1FVZEVkbnBCUWtOM1VWQkVRVEZ1WVZoU2IyUlhTWFJoUnpsNlpFZFdhMDFFWTBkRGFYTkhRVkZSUW1jM09IY0tRVkYzUlV0UmQyNWhTRkl3WTBoTk5reDVPVzVoV0ZKdlpGZEpkVmt5T1hSTU1qRm9Za2RHZFZreVJucE1Na1l3WkVkV2VtUkRNV3RhVnpGMlRVUm5Sd3BEYVhOSFFWRlJRbWMzT0hkQlVUQkZTMmQzYjA5VVZtbFpWMWw1VG5wTk5FOVhWVFJOTWxVeVdWUldhazVFYUcxT1JFcHNUVlJyZDFwRVVUUmFSR1JvQ2xsdFRteFpWRVUxV2xSQlprSm5iM0pDWjBWRlFWbFBMMDFCUlU5Q1FrVk5SRE5LYkZwdVRYWmhSMVpvV2toTmRtSlhSbkJpYWtGYVFtZHZja0puUlVVS1FWbFBMMDFCUlZCQ1FYTk5RMVJuZDA1RVFUTk5SR042VGxSQmNrSm5iM0pDWjBWRlFWbFBMMDFCUlZGQ1FqQk5SekpvTUdSSVFucFBhVGgyV2pKc01BcGhTRlpwVEcxT2RtSlRPWFJaVjNob1ltMU9hR042UVZsQ1oyOXlRbWRGUlVGWlR5OU5RVVZTUWtGdlRVTkVSVEpOYWxFMFRWUlZlazFIVVVkRGFYTkhDa0ZSVVVKbk56aDNRVkpKUlZabmVGVmhTRkl3WTBoTk5reDVPVzVoV0ZKdlpGZEpkVmt5T1hSTU1qRm9Za2RHZFZreVJucE1Na1l3WkVkV2VtUkRNV3NLV2xjeGRreDVOVzVoV0ZKdlpGZEpkbVF5T1hsaE1scHpZak5rZWt3elRtOVpXRXBzV2tNMU5XSlhlRUZqYlZadFkzazViMXBYUm10amVUbDBXVmRzZFFwTlJHZEhRMmx6UjBGUlVVSm5OemgzUVZKTlJVdG5kMjlQVkZacFdWZFplVTU2VFRSUFYxVTBUVEpWTWxsVVZtcE9SR2h0VGtSS2JFMVVhM2RhUkZFMENscEVaR2haYlU1c1dWUkZOVnBVUVdoQ1oyOXlRbWRGUlVGWlR5OU5RVVZWUWtKTlRVVllaSFpqYlhSdFlrYzVNMWd5VW5Cak0wSm9aRWRPYjAxR2IwY0tRMmx6UjBGUlVVSm5OemgzUVZKVlJWUkJlRXRoU0ZJd1kwaE5Oa3g1T1c1aFdGSnZaRmRKZFZreU9YUk1NakZvWWtkR2RWa3lSbnBNTWtZd1pFZFdlZ3BrUXpGcldsY3hka3d5Um1wa1IyeDJZbTVOZG1OdVZuVmplVGcxVFdwSk5FOUVWVFJQVkZWNlRESkdNR1JIVm5SalNGSjZUSHBGZDBabldVdExkMWxDQ2tKQlIwUjJla0ZDUm1kUlNVUkJXbmRrVjBwellWZE5kMmRaYjBkRGFYTkhRVkZSUWpGdWEwTkNRVWxGWmtGU05rRklaMEZrWjBSa1VGUkNjWGh6WTFJS1RXMU5Xa2hvZVZwYWVtTkRiMnR3WlhWT05EaHlaaXRJYVc1TFFVeDViblZxWjBGQlFWa3JjMEp3Wlc5QlFVRkZRWGRDU0UxRlZVTkpRMk5XWlZNM1VncE9OWE5zTjNSbVJFZHFSMG96Y0hWd2RITmtZbnBIYW00MVJrUjJZbGRKYkZRdk5XdEJhVVZCYmxRd01EUnFTMkV5ZFVwT01HczRjRU5JUjJjNWRYb3hDbE4wTldGemN6QnJkVXRCWVZob2NIVmtabXQzUTJkWlNVdHZXa2w2YWpCRlFYZE5SR0ZCUVhkYVVVbDRRVXhzVnpSNlVXRTBWRGRUU205VFVTOTZSM2NLYlhaNmVtaHBXSGhSY21sSlJrbHpZMmRGYm1sMVoyNDJhVEJ4TDNFd1ZWRnZVMlIwZFZKM1pWaHdXbG94VVVsM1dIbDJVelZ2TkZVd1EwRldWU3RCUkFveVIwMWpWbGR4UXpFNFRYQk1jazFRTmpkUVUxZEdjVmhEZFU0MFRtNDFaMVpRVGxnd00zZHlVMHgyVFZkeldWQUtMUzB0TFMxRlRrUWdRMFZTVkVsR1NVTkJWRVV0TFMwdExRbz0ifV19fQ=="
+      }
+    ],
+    "timestampVerificationData": {
+    },
+    "certificate": {
+      "rawBytes": "MIIHQDCCBsagAwIBAgIUPi1pnRp5v/L1ZiWE1m9h5mBFiC8wCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwNTI0MTkxNDI0WhcNMjQwNTI0MTkyNDI0WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/WFf3CLjdJQk/qoCln/KfS1IkyKaBPRHv7jNHcR8SVLzH3SrJ8Oh3n7GTXWqnNtOagewjj0hmXu0WGT02DEsjaOCBeUwggXhMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUT362597HyXet38IvmoANXuX0joEwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wgY8GA1UdEQEB/wSBhDCBgYZ/aHR0cHM6Ly9naXRodWIuY29tL2dpdGh1Yi9hcnRpZmFjdC1hdHRlc3RhdGlvbnMtd29ya2Zsb3dzLy5naXRodWIvd29ya2Zsb3dzL2F0dGVzdC55bWxAMDliNDk1YzNmMTJjNzg4MWIzY2MxNzIwOWEzMjc3OTIwNjVjMWExZDA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKDk1YmFmMjczODllODNlNmE1YzQ4ZjQyZTE5MGQ0OGQ3YWJjZWExOWUwLgYKKwYBBAGDvzABBAQgQnVpbGQgLyBBdHRlc3QgLyBWZXJpZnkgKFNoYXJlZCkwIgYKKwYBBAGDvzABBQQUbWFsYW5jYXMvYXR0ZXN0LWRlbW8wHQYKKwYBBAGDvzABBgQPcmVmcy9oZWFkcy9tYWluMDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBkAYKKwYBBAGDvzABCQSBgQx/aHR0cHM6Ly9naXRodWIuY29tL2dpdGh1Yi9hcnRpZmFjdC1hdHRlc3RhdGlvbnMtd29ya2Zsb3dzLy5naXRodWIvd29ya2Zsb3dzL2F0dGVzdC55bWxAMDliNDk1YzNmMTJjNzg4MWIzY2MxNzIwOWEzMjc3OTIwNjVjMWExZDA4BgorBgEEAYO/MAEKBCoMKDA5YjQ5NWMzZjEyYzc4ODFiM2NjMTcyMDlhMzI3NzkyMDY1YzFhMWQwHQYKKwYBBAGDvzABCwQPDA1naXRodWItaG9zdGVkMDcGCisGAQQBg78wAQwEKQwnaHR0cHM6Ly9naXRodWIuY29tL21hbGFuY2FzL2F0dGVzdC1kZW1vMDgGCisGAQQBg78wAQ0EKgwoOTViYWYyNzM4OWU4M2U2YTVjNDhmNDJlMTkwZDQ4ZDdhYmNlYTE5ZTAfBgorBgEEAYO/MAEOBBEMD3JlZnMvaGVhZHMvbWFpbjAZBgorBgEEAYO/MAEPBAsMCTgwNDA3MDczNTArBgorBgEEAYO/MAEQBB0MG2h0dHBzOi8vZ2l0aHViLmNvbS9tYWxhbmNhczAYBgorBgEEAYO/MAERBAoMCDE2MjQ4MTUzMGQGCisGAQQBg78wARIEVgxUaHR0cHM6Ly9naXRodWIuY29tL21hbGFuY2FzL2F0dGVzdC1kZW1vLy5naXRodWIvd29ya2Zsb3dzL3NoYXJlZC55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoOTViYWYyNzM4OWU4M2U2YTVjNDhmNDJlMTkwZDQ4ZDdhYmNlYTE5ZTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMFoGCisGAQQBg78wARUETAxKaHR0cHM6Ly9naXRodWIuY29tL21hbGFuY2FzL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy85MjI4ODU4OTUzL2F0dGVtcHRzLzEwFgYKKwYBBAGDvzABFgQIDAZwdWJsaWMwgYoGCisGAQQB1nkCBAIEfAR6AHgAdgDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAY+sBpeoAAAEAwBHMEUCICcVeS7RN5sl7tfDGjGJ3puptsdbzGjn5FDvbWIlT/5kAiEAnT004jKa2uJN0k8pCHGg9uz1St5ass0kuKAaXhpudfkwCgYIKoZIzj0EAwMDaAAwZQIxALlW4zQa4T7SJoSQ/zGwmvzzhiXxQriIFIscgEniugn6i0q/q0UQoSdtuRweXpZZ1QIwXyvS5o4U0CAVU+AD2GMcVWqC18MpLrMP67PSWFqXCuN4Nn5gVPNX03wrSLvMWsYP"
+    }
+  },
+  "dsseEnvelope": {
+    "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMC1weTMtbm9uZS1hbnkud2hsIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjQ5YTNhYTYwNzVlMGY0OWY4Mjg0M2U3NGI1YmFhNjE0YWQyYTU4OGU2Njc1NjEyYmYxMDhhMGEwMDhjNWFjMjUifX1dLCJwcmVkaWNhdGVUeXBlIjoiaHR0cHM6Ly9zbHNhLmRldi9wcm92ZW5hbmNlL3YxIiwicHJlZGljYXRlIjp7ImJ1aWxkRGVmaW5pdGlvbiI6eyJidWlsZFR5cGUiOiJodHRwczovL3Nsc2EtZnJhbWV3b3JrLmdpdGh1Yi5pby9naXRodWItYWN0aW9ucy1idWlsZHR5cGVzL3dvcmtmbG93L3YxIiwiZXh0ZXJuYWxQYXJhbWV0ZXJzIjp7IndvcmtmbG93Ijp7InJlZiI6InJlZnMvaGVhZHMvbWFpbiIsInJlcG9zaXRvcnkiOiJodHRwczovL2dpdGh1Yi5jb20vbWFsYW5jYXMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3Mvc2hhcmVkLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiODA0MDcwNzM1IiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjE2MjQ4MTUzIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9tYWxhbmNhcy9hdHRlc3QtZGVtb0ByZWZzL2hlYWRzL21haW4iLCJkaWdlc3QiOnsiZ2l0Q29tbWl0IjoiOTViYWYyNzM4OWU4M2U2YTVjNDhmNDJlMTkwZDQ4ZDdhYmNlYTE5ZSJ9fV19LCJydW5EZXRhaWxzIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9ydW5uZXIvZ2l0aHViLWhvc3RlZCJ9LCJtZXRhZGF0YSI6eyJpbnZvY2F0aW9uSWQiOiJodHRwczovL2dpdGh1Yi5jb20vbWFsYW5jYXMvYXR0ZXN0LWRlbW8vYWN0aW9ucy9ydW5zLzkyMjg4NTg5NTMvYXR0ZW1wdHMvMSJ9fX19",
+    "payloadType": "application/vnd.in-toto+json",
+    "signatures": [
+      {
+        "sig": "MEYCIQDrS7uQ19NkWFPDF276z1acnsy+ZwpRcSXe92aScmBUiAIhAMupU3WcJdIVudXpWNosSQH/6KFw01W61huXvDl/qbIE"
+      }
+    ]
+  }
+}
\ No newline at end of file
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 7cc1c81102c..66e8d8dc60f 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -8,6 +8,7 @@ import (
 	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/test"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
 	"github.com/cli/cli/v2/pkg/cmd/factory"
 	"github.com/stretchr/testify/require"
@@ -80,3 +81,70 @@ func TestVerifyIntegration(t *testing.T) {
 		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
 	})
 }
+
+func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
+	artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
+	bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
+
+	logger := io.NewTestHandler()
+
+	sigstoreConfig := verification.SigstoreConfig{
+		Logger: logger,
+	}
+
+	cmdFactory := factory.New("test")
+
+	hc, err := cmdFactory.HttpClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	baseOpts := Options{
+		APIClient:        api.NewLiveClient(hc, logger),
+		ArtifactPath:     artifactPath,
+		BundlePath:       bundlePath,
+		DigestAlgorithm:  "sha256",
+		Logger:           logger,
+		OCIClient:        oci.NewLiveClient(),
+		OIDCIssuer:       GitHubOIDCIssuer,
+		SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+	}
+
+	t.Run("with owner and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with owner and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SAN = "https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml@09b495c3f12c7881b3cc17209a327792065c1a1d"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
+	t.Run("with repo and valid reusable workflow SAN regex", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SANRegex = "^https://github.com/github/artifact-attestations-workflows/"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+}

From e55093347c69ef9a86afbd7245724f91bed5d3f1 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@users.noreply.github.com>
Date: Tue, 28 May 2024 10:10:50 -0600
Subject: [PATCH 115/253] Add build provenance for gh CLI releases (#9087)

Signed-off-by: Meredith Lancaster <malancas@github.com>
---
 .github/workflows/deployment.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 9655d19bf69..21811ea3c54 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -6,7 +6,9 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  attestations: write
   contents: write
+  id-token: write
 
 on:
   workflow_dispatch:
@@ -275,6 +277,11 @@ jobs:
           rm -rf dist
           mkdir dist
           mv -v {linux,macos,windows}/gh_* dist/
+      - name: Attest release artifacts
+        if: inputs.environment == 'production'
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-path: "dist/gh_*"
       - name: Install packaging dependencies
         run: sudo apt-get install -y rpm reprepro
       - name: Set up GPG

From f3f93c6f744721af1caf826b155d3b4b3d1d4f01 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 28 May 2024 19:07:23 +0200
Subject: [PATCH 116/253] Build completions during release on macos

---
 .goreleaser.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index e469af09136..a7b293d6e56 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -7,11 +7,10 @@ release:
 
 before:
   hooks:
-    - >-
+    - >- # The linux and windows archives package the manpages below
       {{ if eq .Runtime.Goos "windows" }}echo{{ end }} make manpages GH_VERSION={{.Version}}
-    - >-
-      {{ if ne .Runtime.Goos "linux" }}echo{{ end }} make completions
-
+    - >- # On linux the completions are used in nfpms below, but on macos they are used outside in the deployment build.
+      {{ if eq .Runtime.Goos "windows" }}echo{{ end }} make completions
 builds:
   - id: macos #build:macos
     goos: [darwin]

From 2bb99001cd866f3305db29b0176636481d425991 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Wed, 29 May 2024 10:31:39 -0400
Subject: [PATCH 117/253] Clarify Mac OS Installer packages are unsigned

Relates #9139

This commit clarifies Mac OS Installer packages are unsigned due to additional work to obtain an Apple Developer ID Installer-signing identity.
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index f637eabcfe2..4532a353d8a 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,9 @@ If you are a hubber and are interested in shipping new commands for the CLI, che
 
 `gh` is available via [Homebrew][], [MacPorts][], [Conda][], [Spack][], [Webi][], and as a downloadable binary including Mac OS installer `.pkg` from the [releases page][].
 
+> [!NOTE]
+> As of May 29th, Mac OS installer `.pkg` are unsigned with efforts prioritized in [`cli/cli#9139`](https://github.com/cli/cli/issues/9139) to support signing them.
+
 #### Homebrew
 
 | Install:          | Upgrade:          |

From fe880a3015258b3fabffd197749ecf6cb058a496 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Wed, 29 May 2024 16:18:18 -0400
Subject: [PATCH 118/253] Ensure signed RPMs have attestations

Thanks to @malancas for highlighting issue ordering of RPM signing and attestations!  Now, all artifacts should have attestations appropriately generated
---
 .github/workflows/deployment.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 21811ea3c54..00948b50f37 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -277,11 +277,6 @@ jobs:
           rm -rf dist
           mkdir dist
           mv -v {linux,macos,windows}/gh_* dist/
-      - name: Attest release artifacts
-        if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
-        with:
-          subject-path: "dist/gh_*"
       - name: Install packaging dependencies
         run: sudo apt-get install -y rpm reprepro
       - name: Set up GPG
@@ -302,6 +297,11 @@ jobs:
         run: |
           cp script/rpmmacros ~/.rpmmacros
           rpmsign --addsign dist/*.rpm
+      - name: Attest release artifacts
+        if: inputs.environment == 'production'
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        with:
+          subject-path: "dist/gh_*"
       - name: Run createrepo
         env:
           GPG_SIGN: ${{ inputs.environment == 'production' }}

From cd5562f5ac6e14bf905b1ffc3fe8bcc8a6fe9b2a Mon Sep 17 00:00:00 2001
From: Meredith Lancaster <malancas@users.noreply.github.com>
Date: Thu, 30 May 2024 07:40:55 -0600
Subject: [PATCH 119/253] Add `signer-repo` and `signer-workflow` flags to `gh
 attestation verify` (#9137)

* add signer-repo and signer-workflow flags

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add check for SignerRepo option

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add helper function and comment for clarity

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update flag comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* reference correct field

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move function to more relevant file

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Zach Steindler <steiza@github.com>

* Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Zach Steindler <steiza@github.com>

* make all reusable workflow flags mutually exclusive

Signed-off-by: Meredith Lancaster <malancas@github.com>

* accept signer workflow without host

Signed-off-by: Meredith Lancaster <malancas@github.com>

* support client optionally providing host with signer workflow flag

Signed-off-by: Meredith Lancaster <malancas@github.com>

* comment

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add tests for parsing signer workflow

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
---
 pkg/cmd/attestation/verify/options.go         | 34 +++++---
 pkg/cmd/attestation/verify/policy.go          | 83 ++++++++++++++++--
 pkg/cmd/attestation/verify/policy_test.go     | 64 ++++++++++++++
 pkg/cmd/attestation/verify/verify.go          |  5 +-
 .../verify/verify_integration_test.go         | 87 +++++++++++++++++++
 5 files changed, 252 insertions(+), 21 deletions(-)

diff --git a/pkg/cmd/attestation/verify/options.go b/pkg/cmd/attestation/verify/options.go
index bfa03f16e72..08bb75072a4 100644
--- a/pkg/cmd/attestation/verify/options.go
+++ b/pkg/cmd/attestation/verify/options.go
@@ -5,6 +5,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
@@ -16,6 +17,7 @@ import (
 type Options struct {
 	ArtifactPath         string
 	BundlePath           string
+	Config               func() (gh.Config, error)
 	CustomTrustedRoot    string
 	DenySelfHostedRunner bool
 	DigestAlgorithm      string
@@ -27,6 +29,8 @@ type Options struct {
 	Repo                 string
 	SAN                  string
 	SANRegex             string
+	SignerRepo           string
+	SignerWorkflow       string
 	APIClient            api.Client
 	Logger               *io.Handler
 	OCIClient            oci.Client
@@ -51,12 +55,12 @@ func (opts *Options) SetPolicyFlags() {
 		// to Owner
 		opts.Owner = splitRepo[0]
 
-		if opts.SAN == "" && opts.SANRegex == "" {
+		if !isSignerIdentityProvided(opts) {
 			opts.SANRegex = expandToGitHubURL(opts.Repo)
 		}
 		return
 	}
-	if opts.SAN == "" && opts.SANRegex == "" {
+	if !isSignerIdentityProvided(opts) {
 		opts.SANRegex = expandToGitHubURL(opts.Owner)
 	}
 }
@@ -64,13 +68,14 @@ func (opts *Options) SetPolicyFlags() {
 // AreFlagsValid checks that the provided flag combination is valid
 // and returns an error otherwise
 func (opts *Options) AreFlagsValid() error {
-	// check that Repo is in the expected format if provided
-	if opts.Repo != "" {
-		// we expect the repo argument to be in the format <OWNER>/<REPO>
-		splitRepo := strings.Split(opts.Repo, "/")
-		if len(splitRepo) != 2 {
-			return fmt.Errorf("invalid value provided for repo: %s", opts.Repo)
-		}
+	// If provided, check that the Repo option is in the expected format <OWNER>/<REPO>
+	if opts.Repo != "" && !isProvidedRepoValid(opts.Repo) {
+		return fmt.Errorf("invalid value provided for repo: %s", opts.Repo)
+	}
+
+	// If provided, check that the SignerRepo option is in the expected format <OWNER>/<REPO>
+	if opts.SignerRepo != "" && !isProvidedRepoValid(opts.SignerRepo) {
+		return fmt.Errorf("invalid value provided for signer-repo: %s", opts.SignerRepo)
 	}
 
 	// Check that limit is between 1 and 1000
@@ -81,6 +86,13 @@ func (opts *Options) AreFlagsValid() error {
 	return nil
 }
 
-func expandToGitHubURL(ownerOrRepo string) string {
-	return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo)
+// check if any of the signer identity flags have been provided
+func isSignerIdentityProvided(opts *Options) bool {
+	return opts.SAN != "" || opts.SANRegex != "" || opts.SignerRepo != "" || opts.SignerWorkflow != ""
+}
+
+func isProvidedRepoValid(repo string) bool {
+	// we expect a provided repository argument be in the format <OWNER>/<REPO>
+	splitRepo := strings.Split(repo, "/")
+	return len(splitRepo) == 2
 }
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 34a56294b90..e411e3104c8 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -2,6 +2,8 @@ package verify
 
 import (
 	"fmt"
+	"os"
+	"regexp"
 
 	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
 	"github.com/sigstore/sigstore-go/pkg/verify"
@@ -14,18 +16,30 @@ const (
 	GitHubOIDCIssuer = "https://token.actions.githubusercontent.com"
 	// represents the GitHub hosted runner in the certificate RunnerEnvironment extension
 	GitHubRunner = "github-hosted"
+	githubHost   = "github.com"
+	hostRegex    = `^[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+.*$`
 )
 
-func buildSANMatcher(san, sanRegex string) (verify.SubjectAlternativeNameMatcher, error) {
-	if san == "" && sanRegex == "" {
-		return verify.SubjectAlternativeNameMatcher{}, nil
-	}
+func expandToGitHubURL(ownerOrRepo string) string {
+	return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo)
+}
 
-	sanMatcher, err := verify.NewSANMatcher(san, "", sanRegex)
-	if err != nil {
-		return verify.SubjectAlternativeNameMatcher{}, err
+func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) {
+	if opts.SignerRepo != "" {
+		signedRepoRegex := expandToGitHubURL(opts.SignerRepo)
+		return verify.NewSANMatcher("", "", signedRepoRegex)
+	} else if opts.SignerWorkflow != "" {
+		validatedWorkflowRegex, err := validateSignerWorkflow(opts)
+		if err != nil {
+			return verify.SubjectAlternativeNameMatcher{}, err
+		}
+
+		return verify.NewSANMatcher("", "", validatedWorkflowRegex)
+	} else if opts.SAN != "" || opts.SANRegex != "" {
+		return verify.NewSANMatcher(opts.SAN, "", opts.SANRegex)
 	}
-	return sanMatcher, nil
+
+	return verify.SubjectAlternativeNameMatcher{}, nil
 }
 
 func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
@@ -43,7 +57,7 @@ func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions
 }
 
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
-	sanMatcher, err := buildSANMatcher(opts.SAN, opts.SANRegex)
+	sanMatcher, err := buildSANMatcher(opts)
 	if err != nil {
 		return nil, err
 	}
@@ -93,3 +107,54 @@ func buildVerifyPolicy(opts *Options, a artifact.DigestedArtifact) (verify.Polic
 	policy := verify.NewPolicy(artifactDigestPolicyOption, certIdOption)
 	return policy, nil
 }
+
+func addSchemeToRegex(s string) string {
+	return fmt.Sprintf("^https://%s", s)
+}
+
+func validateSignerWorkflow(opts *Options) (string, error) {
+	// we expect a provided workflow argument be in the format [HOST/]/<OWNER>/<REPO>/path/to/workflow.yml
+	// if the provided workflow does not contain a host, set the host
+	match, err := regexp.MatchString(hostRegex, opts.SignerWorkflow)
+	if err != nil {
+		return "", err
+	}
+
+	if match {
+		return addSchemeToRegex(opts.SignerWorkflow), nil
+	}
+
+	// if the provided workflow does not contain a host, check for a host
+	// and prepend it to the workflow
+	host, err := chooseHost(opts)
+	if err != nil {
+		return "", err
+	}
+
+	return addSchemeToRegex(fmt.Sprintf("%s/%s", host, opts.SignerWorkflow)), nil
+}
+
+// if a host was not provided as part of a flag argument choose a host based
+// on gh cli configuration
+func chooseHost(opts *Options) (string, error) {
+	// check if GH_HOST is set and use that host if it is
+	host := os.Getenv("GH_HOST")
+	if host != "" {
+		return host, nil
+	}
+
+	// check if the CLI is authenticated with any hosts
+	cfg, err := opts.Config()
+	if err != nil {
+		return "", err
+	}
+
+	// if authenticated, return the authenticated host
+	authCfg := cfg.Authentication()
+	if host, _ := authCfg.DefaultHost(); host != "" {
+		return host, nil
+	}
+
+	// if not authenticated, return the default host github.com
+	return githubHost, nil
+}
diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go
index f1514431483..40435d19ea6 100644
--- a/pkg/cmd/attestation/verify/policy_test.go
+++ b/pkg/cmd/attestation/verify/policy_test.go
@@ -1,10 +1,12 @@
 package verify
 
 import (
+	"os"
 	"testing"
 
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
+	"github.com/cli/cli/v2/pkg/cmd/factory"
 
 	"github.com/stretchr/testify/require"
 )
@@ -29,3 +31,65 @@ func TestBuildPolicy(t *testing.T) {
 	_, err = buildVerifyPolicy(opts, *artifact)
 	require.NoError(t, err)
 }
+
+func ValidateSignerWorkflow(t *testing.T) {
+	type testcase struct {
+		name                   string
+		providedSignerWorkflow string
+		expectedWorkflowRegex  string
+		ghHost                 string
+		authHost               string
+	}
+
+	testcases := []testcase{
+		{
+			name:                   "workflow with no host specified",
+			providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectedWorkflowRegex:  "^https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+		},
+		{
+			name:                   "workflow with host specified",
+			providedSignerWorkflow: "github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectedWorkflowRegex:  "^https://github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+		},
+		{
+			name:                   "workflow with GH_HOST set",
+			providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectedWorkflowRegex:  "^https://myhost.github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			ghHost:                 "myhost.github.com",
+		},
+		{
+			name:                   "workflow with authenticated host",
+			providedSignerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectedWorkflowRegex:  "^https://authedhost.github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			authHost:               "authedhost.github.com",
+		},
+	}
+
+	for _, tc := range testcases {
+		cmdFactory := factory.New("test")
+
+		opts := &Options{
+			Config:         cmdFactory.Config,
+			SignerWorkflow: tc.providedSignerWorkflow,
+		}
+
+		if tc.ghHost != "" {
+			err := os.Setenv("GH_HOST", tc.ghHost)
+			require.NoError(t, err)
+		}
+
+		if tc.authHost != "" {
+			cfg, err := opts.Config()
+			require.NoError(t, err)
+
+			// if authenticated, return the authenticated host
+			authCfg := cfg.Authentication()
+			authCfg.SetDefaultHost(tc.authHost, "")
+		}
+
+		workflowRegex, err := validateSignerWorkflow(opts)
+		require.NoError(t, err)
+		require.Equal(t, tc.expectedWorkflowRegex, workflowRegex)
+	}
+}
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 182a857228d..99e7403e1a6 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -123,6 +123,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			}
 
 			opts.SigstoreVerifier = verification.NewLiveSigstoreVerifier(config)
+			opts.Config = f.Config
 
 			if err := runVerify(opts); err != nil {
 				return fmt.Errorf("\nError: %v", err)
@@ -148,7 +149,9 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 	verifyCmd.Flags().BoolVarP(&opts.DenySelfHostedRunner, "deny-self-hosted-runners", "", false, "Fail verification for attestations generated on self-hosted runners")
 	verifyCmd.Flags().StringVarP(&opts.SAN, "cert-identity", "", "", "Enforce that the certificate's subject alternative name matches the provided value exactly")
 	verifyCmd.Flags().StringVarP(&opts.SANRegex, "cert-identity-regex", "i", "", "Enforce that the certificate's subject alternative name matches the provided regex")
-	verifyCmd.MarkFlagsMutuallyExclusive("cert-identity", "cert-identity-regex")
+	verifyCmd.Flags().StringVarP(&opts.SignerRepo, "signer-repo", "", "", "Repository of reusable workflow that signed attestation in the format <owner>/<repo>")
+	verifyCmd.Flags().StringVarP(&opts.SignerWorkflow, "signer-workflow", "", "", "Workflow that signed attestation in the format [host/]<owner>/<repo>/<path>/<to>/<workflow>")
+	verifyCmd.MarkFlagsMutuallyExclusive("cert-identity", "cert-identity-regex", "signer-repo", "signer-workflow")
 	verifyCmd.Flags().StringVarP(&opts.OIDCIssuer, "cert-oidc-issuer", "", GitHubOIDCIssuer, "Issuer of the OIDC token")
 
 	return verifyCmd
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 66e8d8dc60f..d3de162a64b 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -128,6 +128,15 @@ func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
 		require.NoError(t, err)
 	})
 
+	t.Run("with owner and valid reusable signer repo", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.SignerRepo = "github/artifact-attestations-workflows"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+
 	t.Run("with repo and valid reusable workflow SAN", func(t *testing.T) {
 		opts := baseOpts
 		opts.Owner = "malancas"
@@ -147,4 +156,82 @@ func TestVerifyIntegrationReusableWorkflow(t *testing.T) {
 		err := runVerify(&opts)
 		require.NoError(t, err)
 	})
+
+	t.Run("with repo and valid reusable signer repo", func(t *testing.T) {
+		opts := baseOpts
+		opts.Owner = "malancas"
+		opts.Repo = "malancas/attest-demo"
+		opts.SignerRepo = "github/artifact-attestations-workflows"
+
+		err := runVerify(&opts)
+		require.NoError(t, err)
+	})
+}
+
+func TestVerifyIntegrationReusableWorkflowSignerWorkflow(t *testing.T) {
+	artifactPath := test.NormalizeRelativePath("../test/data/reusable-workflow-artifact")
+	bundlePath := test.NormalizeRelativePath("../test/data/reusable-workflow-attestation.sigstore.json")
+
+	logger := io.NewTestHandler()
+
+	sigstoreConfig := verification.SigstoreConfig{
+		Logger: logger,
+	}
+
+	cmdFactory := factory.New("test")
+
+	hc, err := cmdFactory.HttpClient()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	baseOpts := Options{
+		APIClient:        api.NewLiveClient(hc, logger),
+		ArtifactPath:     artifactPath,
+		BundlePath:       bundlePath,
+		Config:           cmdFactory.Config,
+		DigestAlgorithm:  "sha256",
+		Logger:           logger,
+		OCIClient:        oci.NewLiveClient(),
+		OIDCIssuer:       GitHubOIDCIssuer,
+		Owner:            "malancas",
+		Repo:             "malancas/attest-demo",
+		SigstoreVerifier: verification.NewLiveSigstoreVerifier(sigstoreConfig),
+	}
+
+	type testcase struct {
+		name           string
+		signerWorkflow string
+		expectErr      bool
+	}
+
+	testcases := []testcase{
+		{
+			name:           "with invalid signer workflow",
+			signerWorkflow: "foo/bar/.github/workflows/attest.yml",
+			expectErr:      true,
+		},
+		{
+			name:           "valid signer workflow with host",
+			signerWorkflow: "github.com/github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectErr:      false,
+		},
+		{
+			name:           "valid signer workflow without host (defaults to github.com)",
+			signerWorkflow: "github/artifact-attestations-workflows/.github/workflows/attest.yml",
+			expectErr:      false,
+		},
+	}
+
+	for _, tc := range testcases {
+		opts := baseOpts
+		opts.SignerWorkflow = tc.signerWorkflow
+
+		err := runVerify(&opts)
+		if tc.expectErr {
+			require.Error(t, err, "expected error for '%s'", tc.name)
+		} else {
+			require.NoError(t, err, "unexpected error for '%s'", tc.name)
+		}
+	}
 }

From fc8b86b4c8bbcbe0711d2703f24926e3f08afa60 Mon Sep 17 00:00:00 2001
From: Houssem Ben Ali <hbenali.tn@gmail.com>
Date: Thu, 30 May 2024 17:31:09 +0200
Subject: [PATCH 120/253] Specify rpm repository to avoid conflicts with
 community repositories

---
 docs/install_linux.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install_linux.md b/docs/install_linux.md
index 454e880e09a..3b82a55930d 100644
--- a/docs/install_linux.md
+++ b/docs/install_linux.md
@@ -40,7 +40,7 @@ Install from our package repository for immediate access to latest releases:
 ```bash
 sudo dnf install 'dnf-command(config-manager)'
 sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
-sudo dnf install gh
+sudo dnf install gh --repo gh-cli
 ```
 
 Alternatively, install from the [community repository](https://packages.fedoraproject.org/pkgs/gh/gh/):

From 5364a0c5297886a17b5d04dcab464e4ae1d7c46d Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Sun, 2 Jun 2024 12:27:32 +0200
Subject: [PATCH 121/253] add tests

---
 pkg/cmd/secret/delete/delete_test.go   | 118 +++++++++++++++++
 pkg/cmd/secret/list/list_test.go       | 169 +++++++++++++++++++++++++
 pkg/cmd/secret/set/set_test.go         | 139 ++++++++++++++++++++
 pkg/cmd/variable/delete/delete_test.go | 119 +++++++++++++++++
 pkg/cmd/variable/list/list_test.go     | 166 ++++++++++++++++++++++++
 pkg/cmd/variable/set/set_test.go       | 135 ++++++++++++++++++++
 pkg/cmdutil/errors.go                  |   2 +-
 7 files changed, 847 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/secret/delete/delete_test.go b/pkg/cmd/secret/delete/delete_test.go
index 9d2c078c7c3..80859616787 100644
--- a/pkg/cmd/secret/delete/delete_test.go
+++ b/pkg/cmd/secret/delete/delete_test.go
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"testing"
 
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -294,3 +296,119 @@ func Test_removeRun_user(t *testing.T) {
 
 	reg.Verify(t)
 }
+
+func Test_removeRun_remote_validation(t *testing.T) {
+	tests := []struct {
+		name     string
+		opts     *DeleteOptions
+		wantPath string
+		wantErr  bool
+		errMsg   string
+	}{
+		{
+			name: "single repo detected",
+			opts: &DeleteOptions{
+				Application: "actions",
+				SecretName:  "cool_secret",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				}},
+			wantPath: "repos/owner/repo/actions/secrets/cool_secret",
+		},
+		{
+			name: "multi repo detected",
+			opts: &DeleteOptions{
+				Application: "actions",
+				SecretName:  "cool_secret",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				}},
+			wantErr: true,
+			errMsg:  "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			opts: &DeleteOptions{
+				Application:     "actions",
+				SecretName:      "cool_secret",
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				}},
+			wantPath: "repos/owner/repo/actions/secrets/cool_secret",
+		},
+	}
+
+	for _, tt := range tests {
+		reg := &httpmock.Registry{}
+
+		if tt.wantPath != "" {
+			reg.Register(
+				httpmock.REST("DELETE", tt.wantPath),
+				httpmock.StatusStringResponse(204, "No Content"))
+		}
+
+		ios, _, _, _ := iostreams.Test()
+
+		tt.opts.IO = ios
+		tt.opts.HttpClient = func() (*http.Client, error) {
+			return &http.Client{Transport: reg}, nil
+		}
+		tt.opts.Config = func() (gh.Config, error) {
+			return config.NewBlankConfig(), nil
+		}
+		tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+			return ghrepo.FromFullName("owner/repo")
+		}
+
+		err := removeRun(tt.opts)
+		if tt.wantErr {
+			assert.EqualError(t, err, tt.errMsg)
+		} else {
+			assert.NoError(t, err)
+		}
+
+		reg.Verify(t)
+	}
+}
diff --git a/pkg/cmd/secret/list/list_test.go b/pkg/cmd/secret/list/list_test.go
index 2e7b1906531..a66b913ea99 100644
--- a/pkg/cmd/secret/list/list_test.go
+++ b/pkg/cmd/secret/list/list_test.go
@@ -9,6 +9,8 @@ import (
 	"testing"
 	"time"
 
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -442,6 +444,173 @@ func Test_listRun(t *testing.T) {
 	}
 }
 
+func Test_listRunRemoteValidation(t *testing.T) {
+	tests := []struct {
+		name    string
+		tty     bool
+		json    bool
+		opts    *ListOptions
+		wantOut []string
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name: "single repo detected",
+			tty:  false,
+			opts: &ListOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				},
+			},
+			wantOut: []string{
+				"SECRET_ONE\t1988-10-11T00:00:00Z",
+				"SECRET_TWO\t2020-12-04T00:00:00Z",
+				"SECRET_THREE\t1975-11-30T00:00:00Z",
+			},
+		},
+		{
+			name: "multi repo detected",
+			tty:  false,
+			opts: &ListOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantOut: []string{},
+			wantErr: true,
+			errMsg:  "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			tty:  false,
+			opts: &ListOptions{
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantOut: []string{
+				"SECRET_ONE\t1988-10-11T00:00:00Z",
+				"SECRET_TWO\t2020-12-04T00:00:00Z",
+				"SECRET_THREE\t1975-11-30T00:00:00Z",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+			reg.Verify(t)
+
+			path := "repos/owner/repo/actions/secrets"
+
+			t0, _ := time.Parse("2006-01-02", "1988-10-11")
+			t1, _ := time.Parse("2006-01-02", "2020-12-04")
+			t2, _ := time.Parse("2006-01-02", "1975-11-30")
+			payload := struct {
+				Secrets []Secret
+			}{
+				Secrets: []Secret{
+					{
+						Name:      "SECRET_ONE",
+						UpdatedAt: t0,
+					},
+					{
+						Name:      "SECRET_TWO",
+						UpdatedAt: t1,
+					},
+					{
+						Name:      "SECRET_THREE",
+						UpdatedAt: t2,
+					},
+				},
+			}
+
+			reg.Register(httpmock.REST("GET", path), httpmock.JSONResponse(payload))
+
+			ios, _, stdout, _ := iostreams.Test()
+
+			ios.SetStdoutTTY(tt.tty)
+
+			tt.opts.IO = ios
+			tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+				return ghrepo.FromFullName("owner/repo")
+			}
+			tt.opts.HttpClient = func() (*http.Client, error) {
+				return &http.Client{Transport: reg}, nil
+			}
+			tt.opts.Config = func() (gh.Config, error) {
+				return config.NewBlankConfig(), nil
+			}
+			tt.opts.Now = func() time.Time {
+				t, _ := time.Parse(time.RFC822, "15 Mar 23 00:00 UTC")
+				return t
+			}
+
+			if tt.json {
+				exporter := cmdutil.NewJSONExporter()
+				exporter.SetFields(secretFields)
+				tt.opts.Exporter = exporter
+			}
+
+			err := listRun(tt.opts)
+			if tt.wantErr {
+				assert.EqualError(t, err, tt.errMsg)
+
+				return
+			}
+
+			assert.NoError(t, err)
+
+			if len(tt.wantOut) > 1 {
+				expected := fmt.Sprintf("%s\n", strings.Join(tt.wantOut, "\n"))
+				assert.Equal(t, expected, stdout.String())
+			}
+		})
+	}
+}
+
 // Test_listRun_populatesNumSelectedReposIfRequired asserts that NumSelectedRepos
 // field is populated **only** when it's going to be presented in the output. Since
 // populating this field costs further API requests (one per secret), it's important
diff --git a/pkg/cmd/secret/set/set_test.go b/pkg/cmd/secret/set/set_test.go
index 5c8d6f693d4..68c7624dd25 100644
--- a/pkg/cmd/secret/set/set_test.go
+++ b/pkg/cmd/secret/set/set_test.go
@@ -10,6 +10,8 @@ import (
 	"testing"
 
 	"github.com/MakeNowJust/heredoc"
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -700,6 +702,143 @@ func Test_getSecretsFromOptions(t *testing.T) {
 	}
 }
 
+func Test_setRun_remote_validation(t *testing.T) {
+	tests := []struct {
+		name    string
+		opts    *SetOptions
+		wantApp string
+		wantErr bool
+		errMsg  string
+	}{
+		{
+			name: "single repo detected",
+			opts: &SetOptions{
+				Application: "actions",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				},
+			},
+			wantApp: "actions",
+		},
+		{
+			name: "multi repo detected",
+			opts: &SetOptions{
+				Application: "actions",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantErr: true,
+			errMsg:  "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			opts: &SetOptions{
+				Application:     "actions",
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantApp: "actions",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+
+			if tt.wantApp != "" {
+				reg.Register(httpmock.REST("GET", fmt.Sprintf("repos/owner/repo/%s/secrets/public-key", tt.wantApp)),
+					httpmock.JSONResponse(PubKey{ID: "123", Key: "CDjXqf7AJBXWhMczcy+Fs7JlACEptgceysutztHaFQI="}))
+
+				reg.Register(httpmock.REST("PUT", fmt.Sprintf("repos/owner/repo/%s/secrets/cool_secret", tt.wantApp)),
+					httpmock.StatusStringResponse(201, `{}`))
+			}
+
+			ios, _, _, _ := iostreams.Test()
+
+			opts := &SetOptions{
+				HttpClient: func() (*http.Client, error) {
+					return &http.Client{Transport: reg}, nil
+				},
+				Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
+				BaseRepo: func() (ghrepo.Interface, error) {
+					return ghrepo.FromFullName("owner/repo")
+				},
+				IO:              ios,
+				SecretName:      "cool_secret",
+				Body:            "a secret",
+				RandomOverride:  fakeRandom,
+				Application:     tt.opts.Application,
+				HasRepoOverride: tt.opts.HasRepoOverride,
+				Remotes:         tt.opts.Remotes,
+			}
+
+			err := setRun(opts)
+			if tt.wantErr {
+				assert.EqualError(t, err, tt.errMsg)
+			} else {
+				assert.NoError(t, err)
+			}
+
+			reg.Verify(t)
+
+			if tt.wantApp != "" && !tt.wantErr {
+				data, err := io.ReadAll(reg.Requests[1].Body)
+				assert.NoError(t, err)
+
+				var payload SecretPayload
+				err = json.Unmarshal(data, &payload)
+				assert.NoError(t, err)
+				assert.Equal(t, payload.KeyID, "123")
+				assert.Equal(t, payload.EncryptedValue, "UKYUCbHd0DJemxa3AOcZ6XcsBwALG9d4bpB8ZT0gSV39vl3BHiGSgj8zJapDxgB2BwqNqRhpjC4=")
+			}
+		})
+	}
+}
+
 func fakeRandom() io.Reader {
 	return bytes.NewReader(bytes.Repeat([]byte{5}, 32))
 }
diff --git a/pkg/cmd/variable/delete/delete_test.go b/pkg/cmd/variable/delete/delete_test.go
index e659f96a6c9..0fa53af4e9e 100644
--- a/pkg/cmd/variable/delete/delete_test.go
+++ b/pkg/cmd/variable/delete/delete_test.go
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"testing"
 
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -144,3 +146,120 @@ func TestRemoveRun(t *testing.T) {
 		})
 	}
 }
+
+func TestNewCmdDeleteRemoteValidation(t *testing.T) {
+	tests := []struct {
+		name     string
+		opts     *DeleteOptions
+		wantPath string
+		wantsErr bool
+		errMsg   string
+	}{
+		{
+			name: "single repo detected",
+			opts: &DeleteOptions{
+				VariableName: "cool",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				}},
+			wantPath: "repos/owner/repo/actions/variables/cool",
+		},
+		{
+			name: "multi repo detected",
+			opts: &DeleteOptions{
+				VariableName: "cool",
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				}},
+			wantsErr: true,
+			errMsg:   "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			opts: &DeleteOptions{
+				VariableName:    "cool",
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				}},
+			wantPath: "repos/owner/repo/actions/variables/cool",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+			defer reg.Verify(t)
+
+			if tt.wantPath != "" {
+				reg.Register(httpmock.REST("DELETE", tt.wantPath),
+					httpmock.StatusStringResponse(204, "No Content"))
+			}
+
+			ios, _, _, _ := iostreams.Test()
+			tt.opts.IO = ios
+
+			tt.opts.HttpClient = func() (*http.Client, error) {
+				return &http.Client{Transport: reg}, nil
+			}
+
+			tt.opts.Config = func() (gh.Config, error) {
+				return config.NewBlankConfig(), nil
+			}
+
+			tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+				return ghrepo.FromFullName("owner/repo")
+			}
+
+			err := removeRun(tt.opts)
+			if tt.wantsErr {
+				assert.EqualError(t, err, tt.errMsg)
+
+				return
+			}
+
+			assert.NoError(t, err)
+		})
+	}
+}
diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index 0629bb2c76f..16af80d5580 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -9,6 +9,8 @@ import (
 	"testing"
 	"time"
 
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -256,6 +258,170 @@ func Test_listRun(t *testing.T) {
 	}
 }
 
+func Test_listRunRemoteValidation(t *testing.T) {
+	tests := []struct {
+		name     string
+		tty      bool
+		opts     *ListOptions
+		wantPath string
+		wantOut  []string
+		wantErr  bool
+		errMsg   string
+	}{
+		{
+			name: "single repo detected",
+			tty:  false,
+			opts: &ListOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				},
+			},
+			wantPath: "repos/owner/repo/actions/variables",
+			wantOut: []string{
+				"VARIABLE_ONE\tone\t1988-10-11T00:00:00Z",
+				"VARIABLE_TWO\ttwo\t2020-12-04T00:00:00Z",
+				"VARIABLE_THREE\tthree\t1975-11-30T00:00:00Z",
+			},
+		},
+		{
+			name: "multi repo detected",
+			tty:  false,
+			opts: &ListOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantOut: []string{},
+			wantErr: true,
+			errMsg:  "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			tty:  false,
+			opts: &ListOptions{
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantPath: "repos/owner/repo/actions/variables",
+			wantOut: []string{
+				"VARIABLE_ONE\tone\t1988-10-11T00:00:00Z",
+				"VARIABLE_TWO\ttwo\t2020-12-04T00:00:00Z",
+				"VARIABLE_THREE\tthree\t1975-11-30T00:00:00Z",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+			defer reg.Verify(t)
+
+			t0, _ := time.Parse("2006-01-02", "1988-10-11")
+			t1, _ := time.Parse("2006-01-02", "2020-12-04")
+			t2, _ := time.Parse("2006-01-02", "1975-11-30")
+			payload := struct {
+				Variables []Variable
+			}{
+				Variables: []Variable{
+					{
+						Name:      "VARIABLE_ONE",
+						Value:     "one",
+						UpdatedAt: t0,
+					},
+					{
+						Name:      "VARIABLE_TWO",
+						Value:     "two",
+						UpdatedAt: t1,
+					},
+					{
+						Name:      "VARIABLE_THREE",
+						Value:     "three",
+						UpdatedAt: t2,
+					},
+				},
+			}
+
+			if tt.wantPath != "" {
+				reg.Register(httpmock.REST("GET", tt.wantPath), httpmock.JSONResponse(payload))
+			}
+
+			ios, _, stdout, _ := iostreams.Test()
+
+			ios.SetStdoutTTY(tt.tty)
+
+			tt.opts.IO = ios
+			tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+				return ghrepo.FromFullName("owner/repo")
+			}
+			tt.opts.HttpClient = func() (*http.Client, error) {
+				return &http.Client{Transport: reg}, nil
+			}
+			tt.opts.Config = func() (gh.Config, error) {
+				return config.NewBlankConfig(), nil
+			}
+			tt.opts.Now = func() time.Time {
+				t, _ := time.Parse(time.RFC822, "15 Mar 23 00:00 UTC")
+				return t
+			}
+
+			err := listRun(tt.opts)
+			if tt.wantErr {
+				assert.Error(t, err)
+				assert.Equal(t, tt.errMsg, err.Error())
+				return
+			}
+
+			assert.NoError(t, err)
+
+			expected := fmt.Sprintf("%s\n", strings.Join(tt.wantOut, "\n"))
+			assert.Equal(t, expected, stdout.String())
+		})
+	}
+}
+
 func Test_getVariables_pagination(t *testing.T) {
 	reg := &httpmock.Registry{}
 	defer reg.Verify(t)
diff --git a/pkg/cmd/variable/set/set_test.go b/pkg/cmd/variable/set/set_test.go
index 4e77d5900f9..1428a03c93c 100644
--- a/pkg/cmd/variable/set/set_test.go
+++ b/pkg/cmd/variable/set/set_test.go
@@ -9,6 +9,8 @@ import (
 	"testing"
 
 	"github.com/MakeNowJust/heredoc"
+	ghContext "github.com/cli/cli/v2/context"
+	"github.com/cli/cli/v2/git"
 	"github.com/cli/cli/v2/internal/config"
 	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
@@ -559,3 +561,136 @@ func Test_getVariablesFromOptions(t *testing.T) {
 		})
 	}
 }
+
+func Test_setRun_remote_validation(t *testing.T) {
+	tests := []struct {
+		name      string
+		opts      *SetOptions
+		httpStubs func(*httpmock.Registry)
+		wantOut   string
+		wantErr   bool
+		errMsg    string
+	}{
+		{
+			name: "single repo detected",
+			opts: &SetOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+					}, nil
+				},
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("POST", "repos/owner/repo/actions/variables"),
+					httpmock.StatusStringResponse(201, `{}`))
+			},
+		},
+		{
+			name: "multi repo detected",
+			opts: &SetOptions{
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			wantErr: true,
+			errMsg:  "multiple remotes detected [origin upstream]. please specify which repo to use by providing the -R or --repo argument",
+		},
+		{
+			name: "multi repo detected - single repo given",
+			opts: &SetOptions{
+				HasRepoOverride: true,
+				Remotes: func() (ghContext.Remotes, error) {
+					remote := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "origin",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+					remote2 := &ghContext.Remote{
+						Remote: &git.Remote{
+							Name: "upstream",
+						},
+						Repo: ghrepo.New("owner", "repo"),
+					}
+
+					return ghContext.Remotes{
+						remote,
+						remote2,
+					}, nil
+				},
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.REST("POST", "repos/owner/repo/actions/variables"),
+					httpmock.StatusStringResponse(201, `{}`))
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+			defer reg.Verify(t)
+
+			if tt.httpStubs != nil {
+				tt.httpStubs(reg)
+			}
+
+			ios, _, _, _ := iostreams.Test()
+
+			opts := &SetOptions{
+				HttpClient: func() (*http.Client, error) {
+					return &http.Client{Transport: reg}, nil
+				},
+				Config: func() (gh.Config, error) { return config.NewBlankConfig(), nil },
+				BaseRepo: func() (ghrepo.Interface, error) {
+					return ghrepo.FromFullName("owner/repo")
+				},
+				IO:              ios,
+				VariableName:    "cool_variable",
+				Body:            "a variable",
+				HasRepoOverride: tt.opts.HasRepoOverride,
+				Remotes:         tt.opts.Remotes,
+			}
+
+			err := setRun(opts)
+			if tt.wantErr {
+				assert.EqualError(t, err, tt.errMsg)
+
+				return
+			}
+
+			assert.NoError(t, err)
+
+			data, err := io.ReadAll(reg.Requests[len(reg.Requests)-1].Body)
+			assert.NoError(t, err)
+
+			var payload setPayload
+			err = json.Unmarshal(data, &payload)
+			assert.NoError(t, err)
+			assert.Equal(t, payload.Value, "a variable")
+		})
+	}
+}
diff --git a/pkg/cmdutil/errors.go b/pkg/cmdutil/errors.go
index 4d8defbec58..81f2becc223 100644
--- a/pkg/cmdutil/errors.go
+++ b/pkg/cmdutil/errors.go
@@ -59,7 +59,7 @@ func MutuallyExclusive(message string, conditions ...bool) error {
 }
 
 func ValidateHasOnlyOneRemote(hasRepoOverride bool, remotes func() (ghContext.Remotes, error)) error {
-	if !hasRepoOverride {
+	if !hasRepoOverride && remotes != nil {
 		remotes, err := remotes()
 		if err != nil {
 			return err

From a10e5328982f72a2098deb7c32021beca7ab2ff5 Mon Sep 17 00:00:00 2001
From: Josh Ward <55707591+joshuajtward@users.noreply.github.com>
Date: Mon, 3 Jun 2024 09:53:34 +0100
Subject: [PATCH 122/253] feat: add `-a` flag to `gh run list`

---
 pkg/cmd/run/list/list.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/run/list/list.go b/pkg/cmd/run/list/list.go
index 1d9dad6b60a..39487983ea6 100644
--- a/pkg/cmd/run/list/list.go
+++ b/pkg/cmd/run/list/list.go
@@ -5,6 +5,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/MakeNowJust/heredoc"
+
 	"github.com/cli/cli/v2/api"
 	"github.com/cli/cli/v2/internal/ghrepo"
 	"github.com/cli/cli/v2/internal/tableprinter"
@@ -35,6 +37,7 @@ type ListOptions struct {
 	Event            string
 	Created          string
 	Commit           string
+	All              bool
 
 	now time.Time
 }
@@ -52,8 +55,14 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 	}
 
 	cmd := &cobra.Command{
-		Use:     "list",
-		Short:   "List recent workflow runs",
+		Use:   "list",
+		Short: "List recent workflow runs",
+		Long: heredoc.Docf(`
+		    List recent workflow runs.
+
+			Note that providing the %[1]sworkflow_name%[1]s to the %[1]s-w%[1]s flag will not fetch disabled workflows. 
+			Also pass the %[1]s-a%[1]s flag to fetch disabled workflow runs using the %[1]sworkflow_name%[1]s and the %[1]s-w%[1]s flag.
+		`, "`"),
 		Aliases: []string{"ls"},
 		Args:    cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -79,6 +88,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 	cmd.Flags().StringVarP(&opts.Event, "event", "e", "", "Filter runs by which `event` triggered the run")
 	cmd.Flags().StringVarP(&opts.Created, "created", "", "", "Filter runs by the `date` it was created")
 	cmd.Flags().StringVarP(&opts.Commit, "commit", "c", "", "Filter runs by the `SHA` of the commit")
+	cmd.Flags().BoolVarP(&opts.All, "all", "a", false, "Include disabled workflows")
 	cmdutil.StringEnumFlag(cmd, &opts.Status, "status", "s", "", shared.AllStatuses, "Filter runs by status")
 	cmdutil.AddJSONFlags(cmd, &opts.Exporter, shared.RunFields)
 
@@ -111,6 +121,9 @@ func listRun(opts *ListOptions) error {
 	opts.IO.StartProgressIndicator()
 	if opts.WorkflowSelector != "" {
 		states := []workflowShared.WorkflowState{workflowShared.Active}
+		if opts.All {
+			states = append(states, workflowShared.DisabledManually, workflowShared.DisabledInactivity)
+		}
 		if workflow, err := workflowShared.ResolveWorkflow(
 			opts.Prompter, opts.IO, client, baseRepo, false, opts.WorkflowSelector,
 			states); err == nil {

From 3a1f3854a43b7475c3d5aad8b7f087623d19c795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B3bert=20Papp?= <papp.robert.s@gmail.com>
Date: Tue, 4 Jun 2024 10:51:38 +0100
Subject: [PATCH 123/253] Add GH_DEBUG to issue template

---
 .github/ISSUE_TEMPLATE/bug_report.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 16e5348f13a..ba92b7650dd 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -24,3 +24,4 @@ A clear and concise description of what you expected to happen and what actually
 ### Logs
 
 Paste the activity from your command line. Redact if needed.
+Tip: Set `GH_DEBUG=true` (verbose logs) or `GH_DEBUG=api` (verbose logs with HTTP traffic details)

From 215456e8ae3c10b0cfc897ce94fa9d15237c167a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 4 Jun 2024 14:47:16 +0000
Subject: [PATCH 124/253] build(deps): bump actions/attest-build-provenance
 from 1.1.2 to 1.2.0

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.1.2 to 1.2.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/173725a1209d09b31f9d30a3890cf2757ebbff0d...49df96e17e918a15956db358890b08e61c704919)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 00948b50f37..6bd86dda667 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -299,7 +299,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo

From e8a13cfed3153301335b5afa18df25708db404fb Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Tue, 4 Jun 2024 15:52:54 -0400
Subject: [PATCH 125/253] replaced deprecated --json-result flag with
 --format=json in the gh at docstring.

---
 pkg/cmd/attestation/verify/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 99e7403e1a6..526194d93a5 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -52,7 +52,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			provide a path to the %[1]s--bundle%[1]s flag.
 
 			To see the full results that are generated upon successful verification, i.e.
-			for use with a policy engine, provide the %[1]s--json-result%[1]s flag.
+			for use with a policy engine, provide the %[1]s--format=json%[1]s flag.
 
 			The attestation's certificate's Subject Alternative Name (SAN) identifies the entity
 			responsible for creating the attestation, which most of the time will be a GitHub

From d66624810485a35c816492e29bd0fb5adcfca3e1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 5 Jun 2024 14:34:35 +0000
Subject: [PATCH 126/253] build(deps): bump goreleaser/goreleaser-action from 5
 to 6

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 5 to 6.
- [Release notes](https://github.com/goreleaser/goreleaser-action/releases)
- [Commits](https://github.com/goreleaser/goreleaser-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: goreleaser/goreleaser-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 00948b50f37..6e895fe17e9 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -40,7 +40,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           version: "~1.17.1"
           install-only: true
@@ -92,7 +92,7 @@ jobs:
           security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "$keychain_password" "$keychain"
           rm "$RUNNER_TEMP/cert.p12"
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           version: "~1.17.1"
           install-only: true
@@ -145,7 +145,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@v5
+        uses: goreleaser/goreleaser-action@v6
         with:
           version: "~1.17.1"
           install-only: true

From e91860d3e9ad3660d55b06361cda41c3af27cb9c Mon Sep 17 00:00:00 2001
From: AlanD20 <aland20@pm.me>
Date: Fri, 7 Jun 2024 09:07:05 +0200
Subject: [PATCH 127/253] Bump go-keyring to fix keepassxc prompt confirmation

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index ad96b9e24d9..706bd3a7bf7 100644
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/zalando/go-keyring v0.2.4
+	github.com/zalando/go-keyring v0.2.5
 	golang.org/x/crypto v0.23.0
 	golang.org/x/sync v0.6.0
 	golang.org/x/term v0.20.0
diff --git a/go.sum b/go.sum
index d6b01f87f8d..169ad8130b5 100644
--- a/go.sum
+++ b/go.sum
@@ -453,8 +453,8 @@ github.com/yuin/goldmark v1.5.4 h1:2uY/xC0roWy8IBEGLgB1ywIoEJFGmRrX21YQcvGZzjU=
 github.com/yuin/goldmark v1.5.4/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark-emoji v1.0.2 h1:c/RgTShNgHTtc6xdz2KKI74jJr6rWi7FPgnP9GAsO5s=
 github.com/yuin/goldmark-emoji v1.0.2/go.mod h1:RhP/RWpexdp+KHs7ghKnifRoIs/Bq4nDS7tRbCkOwKY=
-github.com/zalando/go-keyring v0.2.4 h1:wi2xxTqdiwMKbM6TWwi+uJCG/Tum2UV0jqaQhCa9/68=
-github.com/zalando/go-keyring v0.2.4/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
+github.com/zalando/go-keyring v0.2.5 h1:Bc2HHpjALryKD62ppdEzaFG6VxL6Bc+5v0LYpN8Lba8=
+github.com/zalando/go-keyring v0.2.5/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=

From 1a470b3df87c028614bc3139df0d5bd490a2aa8a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 10 Jun 2024 14:55:11 +0000
Subject: [PATCH 128/253] build(deps): bump github.com/gorilla/websocket from
 1.5.1 to 1.5.2

Bumps [github.com/gorilla/websocket](https://github.com/gorilla/websocket) from 1.5.1 to 1.5.2.
- [Release notes](https://github.com/gorilla/websocket/releases)
- [Commits](https://github.com/gorilla/websocket/compare/v1.5.1...v1.5.2)

---
updated-dependencies:
- dependency-name: github.com/gorilla/websocket
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 706bd3a7bf7..b75a6bdaf88 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.19.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/gorilla/websocket v1.5.1
+	github.com/gorilla/websocket v1.5.2
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.3.0
 	github.com/henvic/httpretty v0.1.3
diff --git a/go.sum b/go.sum
index 169ad8130b5..f9d61ed6023 100644
--- a/go.sum
+++ b/go.sum
@@ -218,8 +218,8 @@ github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/
 github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/gorilla/websocket v1.5.2 h1:qoW6V1GT3aZxybsbC6oLnailWnB+qTMVwMreOso9XUw=
+github.com/gorilla/websocket v1.5.2/go.mod h1:0n9H61RBAcf5/38py2MCYbxzPIY9rOkpvvMT24Rqs30=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=

From 945b6682c89a39b38a059bf00448d6ebb7bb5d92 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 11 Jun 2024 14:22:24 +0000
Subject: [PATCH 129/253] build(deps): bump google.golang.org/protobuf from
 1.34.1 to 1.34.2

Bumps google.golang.org/protobuf from 1.34.1 to 1.34.2.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 706bd3a7bf7..33f3efe8839 100644
--- a/go.mod
+++ b/go.mod
@@ -48,7 +48,7 @@ require (
 	golang.org/x/term v0.20.0
 	golang.org/x/text v0.15.0
 	google.golang.org/grpc v1.62.2
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/protobuf v1.34.2
 	gopkg.in/h2non/gock.v1 v1.1.2
 	gopkg.in/yaml.v3 v3.0.1
 )
diff --git a/go.sum b/go.sum
index 169ad8130b5..8e2d2dfe7ed 100644
--- a/go.sum
+++ b/go.sum
@@ -543,8 +543,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
 google.golang.org/grpc v1.62.2 h1:iEIj1U5qjyBjzkM5nk3Fq+S1IbjbXSyqeULZ1Nfo4AA=
 google.golang.org/grpc v1.62.2/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

From c2f2753051b69df551fc4c65bfc264d16d855a86 Mon Sep 17 00:00:00 2001
From: Josh Ward <55707591+joshuajtward@users.noreply.github.com>
Date: Thu, 13 Jun 2024 09:23:33 +0100
Subject: [PATCH 130/253] add comment to call out potentially brittle use of
 workflowShared

---
 pkg/cmd/run/list/list.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/cmd/run/list/list.go b/pkg/cmd/run/list/list.go
index 39487983ea6..9f4c7113261 100644
--- a/pkg/cmd/run/list/list.go
+++ b/pkg/cmd/run/list/list.go
@@ -120,8 +120,11 @@ func listRun(opts *ListOptions) error {
 
 	opts.IO.StartProgressIndicator()
 	if opts.WorkflowSelector != "" {
+		// initially the workflow state is limited to 'active'
 		states := []workflowShared.WorkflowState{workflowShared.Active}
 		if opts.All {
+			// the all flag tells us to add the remaining workflow states
+			// note: this will be incomplete if more workflow states are added to `workflowShared`
 			states = append(states, workflowShared.DisabledManually, workflowShared.DisabledInactivity)
 		}
 		if workflow, err := workflowShared.ResolveWorkflow(

From f647131e1d19da4d470cfeb5e936589e12e42960 Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Thu, 13 Jun 2024 14:33:06 +0200
Subject: [PATCH 131/253] Gracefully degrade when fetching annotations fails
 due to 403 (#9113)

Co-authored-by: William Martin <williammartin@github.com>
---
 pkg/cmd/run/shared/shared.go    | 19 ++++++++++++++++-
 pkg/cmd/run/shared/test.go      | 10 +++++++++
 pkg/cmd/run/view/view.go        | 15 +++++++++++--
 pkg/cmd/run/view/view_test.go   | 32 +++++++++++++++++++++++++++
 pkg/cmd/run/watch/watch.go      | 23 ++++++++++++--------
 pkg/cmd/run/watch/watch_test.go | 38 +++++++++++++++++++++++++++++++++
 6 files changed, 125 insertions(+), 12 deletions(-)

diff --git a/pkg/cmd/run/shared/shared.go b/pkg/cmd/run/shared/shared.go
index a5bccee8572..e5f09dec968 100644
--- a/pkg/cmd/run/shared/shared.go
+++ b/pkg/cmd/run/shared/shared.go
@@ -261,6 +261,14 @@ type CheckRun struct {
 	ID int64
 }
 
+var ErrMissingAnnotationsPermissions = errors.New("missing annotations permissions error")
+
+// GetAnnotations fetches annotations from the REST API.
+//
+// If the job has no annotations, an empy slice is returned.
+// If the API returns a 403, a custom ErrMissingAnnotationsPermissions error is returned.
+//
+// When fine-grained PATs support checks:read permission, we can remove the need for this at the call sites.
 func GetAnnotations(client *api.Client, repo ghrepo.Interface, job Job) ([]Annotation, error) {
 	var result []*Annotation
 
@@ -269,9 +277,18 @@ func GetAnnotations(client *api.Client, repo ghrepo.Interface, job Job) ([]Annot
 	err := client.REST(repo.RepoHost(), "GET", path, nil, &result)
 	if err != nil {
 		var httpError api.HTTPError
-		if errors.As(err, &httpError) && httpError.StatusCode == 404 {
+		if !errors.As(err, &httpError) {
+			return nil, err
+		}
+
+		if httpError.StatusCode == http.StatusNotFound {
 			return []Annotation{}, nil
 		}
+
+		if httpError.StatusCode == http.StatusForbidden {
+			return nil, ErrMissingAnnotationsPermissions
+		}
+
 		return nil, err
 	}
 
diff --git a/pkg/cmd/run/shared/test.go b/pkg/cmd/run/shared/test.go
index e44debaa406..b854019bd5c 100644
--- a/pkg/cmd/run/shared/test.go
+++ b/pkg/cmd/run/shared/test.go
@@ -109,6 +109,16 @@ var FailedJob Job = Job{
 	},
 }
 
+var SuccessfulJobAnnotations []Annotation = []Annotation{
+	{
+		JobName:   "cool job",
+		Message:   "the job is happy",
+		Path:      "blaze.py",
+		Level:     "notice",
+		StartLine: 420,
+	},
+}
+
 var FailedJobAnnotations []Annotation = []Annotation{
 	{
 		JobName:   "sad job",
diff --git a/pkg/cmd/run/view/view.go b/pkg/cmd/run/view/view.go
index e88054ef8e0..73ef7bb1ed7 100644
--- a/pkg/cmd/run/view/view.go
+++ b/pkg/cmd/run/view/view.go
@@ -338,10 +338,17 @@ func runView(opts *ViewOptions) error {
 	}
 
 	var annotations []shared.Annotation
+	var missingAnnotationsPermissions bool
+
 	for _, job := range jobs {
 		as, err := shared.GetAnnotations(client, repo, job)
 		if err != nil {
-			return fmt.Errorf("failed to get annotations: %w", err)
+			if err != shared.ErrMissingAnnotationsPermissions {
+				return fmt.Errorf("failed to get annotations: %w", err)
+			}
+
+			missingAnnotationsPermissions = true
+			break
 		}
 		annotations = append(annotations, as...)
 	}
@@ -373,7 +380,11 @@ func runView(opts *ViewOptions) error {
 		fmt.Fprintln(out, shared.RenderJobs(cs, jobs, true))
 	}
 
-	if len(annotations) > 0 {
+	if missingAnnotationsPermissions {
+		fmt.Fprintln(out)
+		fmt.Fprintln(out, cs.Bold("ANNOTATIONS"))
+		fmt.Fprintln(out, "requesting annotations returned 403 Forbidden as the token does not have sufficient permissions. Note that it is not currently possible to create a fine-grained PAT with the `checks:read` permission.")
+	} else if len(annotations) > 0 {
 		fmt.Fprintln(out)
 		fmt.Fprintln(out, cs.Bold("ANNOTATIONS"))
 		fmt.Fprintln(out, shared.RenderAnnotations(cs, annotations))
diff --git a/pkg/cmd/run/view/view_test.go b/pkg/cmd/run/view/view_test.go
index 6e433186453..44ca69fa689 100644
--- a/pkg/cmd/run/view/view_test.go
+++ b/pkg/cmd/run/view/view_test.go
@@ -1320,6 +1320,38 @@ func TestViewRun(t *testing.T) {
 			errMsg:  "failed to get annotations: HTTP 500 (https://api.github.com/repos/OWNER/REPO/check-runs/20/annotations)",
 			wantErr: true,
 		},
+		{
+			name: "annotation endpoint forbidden (fine grained tokens)",
+			tty:  true,
+			opts: &ViewOptions{
+				RunID: "1234",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/runs/1234"),
+					httpmock.JSONResponse(shared.FailedRun))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows/123"),
+					httpmock.JSONResponse(shared.TestWorkflow))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/runs/1234/artifacts"),
+					httpmock.StringResponse(`{}`))
+				reg.Register(
+					httpmock.GraphQL(`query PullRequestForRun`),
+					httpmock.StringResponse(``))
+				reg.Register(
+					httpmock.REST("GET", "runs/1234/jobs"),
+					httpmock.JSONResponse(shared.JobsPayload{
+						Jobs: []shared.Job{
+							shared.FailedJob,
+						},
+					}))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/check-runs/20/annotations"),
+					httpmock.StatusStringResponse(403, "Forbidden"))
+			},
+			wantOut: "\nX trunk CI · 1234\nTriggered via push about 59 minutes ago\n\nJOBS\nX sad job in 4m34s (ID 20)\n  ✓ barf the quux\n  X quux the barf\n\nANNOTATIONS\nrequesting annotations returned 403 Forbidden as the token does not have sufficient permissions. Note that it is not currently possible to create a fine-grained PAT with the `checks:read` permission.\n\nTo see what failed, try: gh run view 1234 --log-failed\nView this run on GitHub: https://github.com/runs/1234\n",
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/pkg/cmd/run/watch/watch.go b/pkg/cmd/run/watch/watch.go
index c2067bf1933..9f4f37c2fe5 100644
--- a/pkg/cmd/run/watch/watch.go
+++ b/pkg/cmd/run/watch/watch.go
@@ -219,19 +219,24 @@ func renderRun(out io.Writer, opts WatchOptions, client *api.Client, repo ghrepo
 	}
 
 	var annotations []shared.Annotation
+	var missingAnnotationsPermissions bool
 
-	var annotationErr error
-	var as []shared.Annotation
 	for _, job := range jobs {
 		if as, ok := annotationCache[job.ID]; ok {
 			annotations = as
 			continue
 		}
 
-		as, annotationErr = shared.GetAnnotations(client, repo, job)
-		if annotationErr != nil {
+		as, err := shared.GetAnnotations(client, repo, job)
+		if err != nil {
+			if err != shared.ErrMissingAnnotationsPermissions {
+				return nil, fmt.Errorf("failed to get annotations: %w", err)
+			}
+
+			missingAnnotationsPermissions = true
 			break
 		}
+
 		annotations = append(annotations, as...)
 
 		if job.Status != shared.InProgress {
@@ -239,10 +244,6 @@ func renderRun(out io.Writer, opts WatchOptions, client *api.Client, repo ghrepo
 		}
 	}
 
-	if annotationErr != nil {
-		return nil, fmt.Errorf("failed to get annotations: %w", annotationErr)
-	}
-
 	fmt.Fprintln(out, shared.RenderRunHeader(cs, *run, text.FuzzyAgo(opts.Now(), run.StartedTime()), prNumber, 0))
 	fmt.Fprintln(out)
 
@@ -254,7 +255,11 @@ func renderRun(out io.Writer, opts WatchOptions, client *api.Client, repo ghrepo
 
 	fmt.Fprintln(out, shared.RenderJobs(cs, jobs, true))
 
-	if len(annotations) > 0 {
+	if missingAnnotationsPermissions {
+		fmt.Fprintln(out)
+		fmt.Fprintln(out, cs.Bold("ANNOTATIONS"))
+		fmt.Fprintf(out, "requesting annotations returned 403 Forbidden as the token does not have sufficient permissions. Note that it is not currently possible to create a fine-grained PAT with the `checks:read` permission.")
+	} else if len(annotations) > 0 {
 		fmt.Fprintln(out)
 		fmt.Fprintln(out, cs.Bold("ANNOTATIONS"))
 		fmt.Fprintln(out, shared.RenderAnnotations(cs, annotations))
diff --git a/pkg/cmd/run/watch/watch_test.go b/pkg/cmd/run/watch/watch_test.go
index a73fd294998..442ef42520d 100644
--- a/pkg/cmd/run/watch/watch_test.go
+++ b/pkg/cmd/run/watch/watch_test.go
@@ -326,6 +326,44 @@ func TestWatchRun(t *testing.T) {
 			wantErr: true,
 			errMsg:  "failed to get run: HTTP 404: run 1234 not found (https://api.github.com/repos/OWNER/REPO/actions/runs/1234?exclude_pull_requests=true)",
 		},
+		{
+			name: "annotation endpoint forbidden (fine grained tokens)",
+			tty:  true,
+			opts: &WatchOptions{
+				RunID: "2",
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				inProgressRun := shared.TestRunWithCommit(2, shared.InProgress, "", "commit2")
+				completedRun := shared.TestRun(2, shared.Completed, shared.Success)
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/runs/2"),
+					httpmock.JSONResponse(inProgressRun))
+				reg.Register(
+					httpmock.REST("GET", "runs/2/jobs"),
+					httpmock.JSONResponse(shared.JobsPayload{
+						Jobs: []shared.Job{
+							shared.SuccessfulJob,
+							shared.FailedJob,
+						},
+					}))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/check-runs/10/annotations"),
+					httpmock.JSONResponse(shared.SuccessfulJobAnnotations))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/check-runs/20/annotations"),
+					httpmock.StatusStringResponse(403, "Forbidden"))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/runs/2"),
+					httpmock.JSONResponse(completedRun))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows/123"),
+					httpmock.JSONResponse(shared.TestWorkflow))
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows/123"),
+					httpmock.JSONResponse(shared.TestWorkflow))
+			},
+			wantOut: "\x1b[?1049h\x1b[?1049l✓ trunk CI · 2\nTriggered via push about 59 minutes ago\n\nJOBS\n✓ cool job in 4m34s (ID 10)\n  ✓ fob the barz\n  ✓ barz the fob\nX sad job in 4m34s (ID 20)\n  ✓ barf the quux\n  X quux the barf\n\nANNOTATIONS\nrequesting annotations returned 403 Forbidden as the token does not have sufficient permissions. Note that it is not currently possible to create a fine-grained PAT with the `checks:read` permission.\n✓ Run CI (2) completed with 'success'\n",
+		},
 	}
 
 	for _, tt := range tests {

From 6190e269a0ad51b3243102e09f9d4d29584f3e25 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Thu, 13 Jun 2024 11:30:38 -0400
Subject: [PATCH 132/253] Add `gh run list` tests for workflow selector

This commit adds tests to ensure disabled workflows are outputted as expected when called by name and the appropriate flags.
---
 pkg/cmd/run/list/list.go      |   6 +-
 pkg/cmd/run/list/list_test.go | 151 ++++++++++++++++++++++++++++++++++
 pkg/cmd/run/shared/test.go    |  12 ++-
 3 files changed, 161 insertions(+), 8 deletions(-)

diff --git a/pkg/cmd/run/list/list.go b/pkg/cmd/run/list/list.go
index 9f4c7113261..21e6c7fafff 100644
--- a/pkg/cmd/run/list/list.go
+++ b/pkg/cmd/run/list/list.go
@@ -60,7 +60,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 		Long: heredoc.Docf(`
 		    List recent workflow runs.
 
-			Note that providing the %[1]sworkflow_name%[1]s to the %[1]s-w%[1]s flag will not fetch disabled workflows. 
+			Note that providing the %[1]sworkflow_name%[1]s to the %[1]s-w%[1]s flag will not fetch disabled workflows.
 			Also pass the %[1]s-a%[1]s flag to fetch disabled workflow runs using the %[1]sworkflow_name%[1]s and the %[1]s-w%[1]s flag.
 		`, "`"),
 		Aliases: []string{"ls"},
@@ -127,9 +127,7 @@ func listRun(opts *ListOptions) error {
 			// note: this will be incomplete if more workflow states are added to `workflowShared`
 			states = append(states, workflowShared.DisabledManually, workflowShared.DisabledInactivity)
 		}
-		if workflow, err := workflowShared.ResolveWorkflow(
-			opts.Prompter, opts.IO, client, baseRepo, false, opts.WorkflowSelector,
-			states); err == nil {
+		if workflow, err := workflowShared.ResolveWorkflow(opts.Prompter, opts.IO, client, baseRepo, false, opts.WorkflowSelector, states); err == nil {
 			filters.WorkflowID = workflow.ID
 			filters.WorkflowName = workflow.Name
 		} else {
diff --git a/pkg/cmd/run/list/list_test.go b/pkg/cmd/run/list/list_test.go
index 762cc8cb77e..7717c2ff98f 100644
--- a/pkg/cmd/run/list/list_test.go
+++ b/pkg/cmd/run/list/list_test.go
@@ -2,6 +2,7 @@ package list
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -181,6 +182,156 @@ func TestListRun(t *testing.T) {
 				X       cool commit  CI        trunk   push   10    4m34s    about 4 minutes ago
 			`),
 		},
+		{
+			name: "inactive disabled workflow selected",
+			opts: &ListOptions{
+				Limit:            defaultLimit,
+				now:              shared.TestRunStartTime.Add(time.Minute*4 + time.Second*34),
+				WorkflowSelector: "d. inact",
+				All:              false,
+			},
+			isTTY: true,
+			stubs: func(reg *httpmock.Registry) {
+				// Uses abbreviated names and commit messages because of output column limit
+				workflow := workflowShared.Workflow{
+					Name:  "d. inact",
+					ID:    1206,
+					Path:  ".github/workflows/disabledInactivity.yml",
+					State: workflowShared.DisabledInactivity,
+				}
+
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows"),
+					httpmock.JSONResponse(workflowShared.WorkflowsPayload{
+						Workflows: []workflowShared.Workflow{
+							workflow,
+						},
+					}))
+			},
+			wantErr:    true,
+			wantErrMsg: "could not find any workflows named d. inact",
+		},
+		{
+			name: "inactive disabled workflow selected and all states applied",
+			opts: &ListOptions{
+				Limit:            defaultLimit,
+				now:              shared.TestRunStartTime.Add(time.Minute*4 + time.Second*34),
+				WorkflowSelector: "d. inact",
+				All:              true,
+			},
+			isTTY: true,
+			stubs: func(reg *httpmock.Registry) {
+				// Uses abbreviated names and commit messages because of output column limit
+				workflow := workflowShared.Workflow{
+					Name:  "d. inact",
+					ID:    1206,
+					Path:  ".github/workflows/disabledInactivity.yml",
+					State: workflowShared.DisabledInactivity,
+				}
+
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows"),
+					httpmock.JSONResponse(workflowShared.WorkflowsPayload{
+						Workflows: []workflowShared.Workflow{
+							workflow,
+						},
+					}))
+				reg.Register(
+					httpmock.REST("GET", fmt.Sprintf("repos/OWNER/REPO/actions/workflows/%d/runs", workflow.ID)),
+					httpmock.JSONResponse(shared.RunsPayload{
+						WorkflowRuns: []shared.Run{
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 101, shared.Completed, shared.TimedOut, "dicto"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 102, shared.InProgress, shared.TimedOut, "diito"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 103, shared.Completed, shared.Success, "dics"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 104, shared.Completed, shared.Cancelled, "dicc"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 105, shared.Completed, shared.Failure, "dicf"),
+						},
+					}))
+			},
+			wantOut: heredoc.Doc(`
+				STATUS  TITLE  WORKFLOW  BRANCH  EVENT  ID   ELAPSED  AGE
+				X       dicto  d. inact  trunk   push   101  4m34s    about 4 minutes ago
+				*       diito  d. inact  trunk   push   102  4m34s    about 4 minutes ago
+				✓       dics   d. inact  trunk   push   103  4m34s    about 4 minutes ago
+				X       dicc   d. inact  trunk   push   104  4m34s    about 4 minutes ago
+				X       dicf   d. inact  trunk   push   105  4m34s    about 4 minutes ago
+			`),
+		},
+		{
+			name: "manually disabled workflow selected",
+			opts: &ListOptions{
+				Limit:            defaultLimit,
+				now:              shared.TestRunStartTime.Add(time.Minute*4 + time.Second*34),
+				WorkflowSelector: "d. man",
+				All:              false,
+			},
+			isTTY: true,
+			stubs: func(reg *httpmock.Registry) {
+				// Uses abbreviated names and commit messages because of output column limit
+				workflow := workflowShared.Workflow{
+					Name:  "d. man",
+					ID:    456,
+					Path:  ".github/workflows/disabled.yml",
+					State: workflowShared.DisabledManually,
+				}
+
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows"),
+					httpmock.JSONResponse(workflowShared.WorkflowsPayload{
+						Workflows: []workflowShared.Workflow{
+							workflow,
+						},
+					}))
+			},
+			wantErr:    true,
+			wantErrMsg: "could not find any workflows named d. man",
+		},
+		{
+			name: "manually disabled workflow selected and all states applied",
+			opts: &ListOptions{
+				Limit:            defaultLimit,
+				now:              shared.TestRunStartTime.Add(time.Minute*4 + time.Second*34),
+				WorkflowSelector: "d. man",
+				All:              true,
+			},
+			isTTY: true,
+			stubs: func(reg *httpmock.Registry) {
+				// Uses abbreviated names and commit messages because of output column limit
+				workflow := workflowShared.Workflow{
+					Name:  "d. man",
+					ID:    456,
+					Path:  ".github/workflows/disabled.yml",
+					State: workflowShared.DisabledManually,
+				}
+
+				reg.Register(
+					httpmock.REST("GET", "repos/OWNER/REPO/actions/workflows"),
+					httpmock.JSONResponse(workflowShared.WorkflowsPayload{
+						Workflows: []workflowShared.Workflow{
+							workflow,
+						},
+					}))
+				reg.Register(
+					httpmock.REST("GET", fmt.Sprintf("repos/OWNER/REPO/actions/workflows/%d/runs", workflow.ID)),
+					httpmock.JSONResponse(shared.RunsPayload{
+						WorkflowRuns: []shared.Run{
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 201, shared.Completed, shared.TimedOut, "dmcto"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 202, shared.InProgress, shared.TimedOut, "dmito"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 203, shared.Completed, shared.Success, "dmcs"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 204, shared.Completed, shared.Cancelled, "dmcc"),
+							shared.TestRunWithWorkflowAndCommit(workflow.ID, 205, shared.Completed, shared.Failure, "dmcf"),
+						},
+					}))
+			},
+			wantOut: heredoc.Doc(`
+				STATUS  TITLE  WORKFLOW  BRANCH  EVENT  ID   ELAPSED  AGE
+				X       dmcto  d. man    trunk   push   201  4m34s    about 4 minutes ago
+				*       dmito  d. man    trunk   push   202  4m34s    about 4 minutes ago
+				✓       dmcs   d. man    trunk   push   203  4m34s    about 4 minutes ago
+				X       dmcc   d. man    trunk   push   204  4m34s    about 4 minutes ago
+				X       dmcf   d. man    trunk   push   205  4m34s    about 4 minutes ago
+			`),
+		},
 		{
 			name: "default arguments nontty",
 			opts: &ListOptions{
diff --git a/pkg/cmd/run/shared/test.go b/pkg/cmd/run/shared/test.go
index e44debaa406..41d8cb4d526 100644
--- a/pkg/cmd/run/shared/test.go
+++ b/pkg/cmd/run/shared/test.go
@@ -15,21 +15,25 @@ func TestRun(id int64, s Status, c Conclusion) Run {
 }
 
 func TestRunWithCommit(id int64, s Status, c Conclusion, commit string) Run {
+	return TestRunWithWorkflowAndCommit(123, id, s, c, commit)
+}
+
+func TestRunWithWorkflowAndCommit(workflowId, runId int64, s Status, c Conclusion, commit string) Run {
 	return Run{
-		WorkflowID: 123,
-		ID:         id,
+		WorkflowID: workflowId,
+		ID:         runId,
 		CreatedAt:  TestRunStartTime,
 		UpdatedAt:  TestRunStartTime.Add(time.Minute*4 + time.Second*34),
 		Status:     s,
 		Conclusion: c,
 		Event:      "push",
 		HeadBranch: "trunk",
-		JobsURL:    fmt.Sprintf("https://api.github.com/runs/%d/jobs", id),
+		JobsURL:    fmt.Sprintf("https://api.github.com/runs/%d/jobs", runId),
 		HeadCommit: Commit{
 			Message: commit,
 		},
 		HeadSha: "1234567890",
-		URL:     fmt.Sprintf("https://github.com/runs/%d", id),
+		URL:     fmt.Sprintf("https://github.com/runs/%d", runId),
 		HeadRepository: Repo{
 			Owner: struct{ Login string }{Login: "OWNER"},
 			Name:  "REPO",

From 307d07ebfd1523f89838ea200ff51a5a489e2093 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B3bert=20Papp?= <papp.robert.s@gmail.com>
Date: Thu, 13 Jun 2024 19:47:30 +0100
Subject: [PATCH 133/253] Update .github/ISSUE_TEMPLATE/bug_report.md

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 .github/ISSUE_TEMPLATE/bug_report.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index ba92b7650dd..9fd45a56ac1 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -24,4 +24,6 @@ A clear and concise description of what you expected to happen and what actually
 ### Logs
 
 Paste the activity from your command line. Redact if needed.
-Tip: Set `GH_DEBUG=true` (verbose logs) or `GH_DEBUG=api` (verbose logs with HTTP traffic details)
+
+> [!NOTE]
+> Set `GH_DEBUG=true` for verbose logs or `GH_DEBUG=api` for verbose logs with HTTP traffic details.

From 59fae5b4a863b728f43d002f158c9afc17076bf6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 14 Jun 2024 14:33:37 +0000
Subject: [PATCH 134/253] build(deps): bump github.com/gorilla/websocket from
 1.5.2 to 1.5.3

Bumps [github.com/gorilla/websocket](https://github.com/gorilla/websocket) from 1.5.2 to 1.5.3.
- [Release notes](https://github.com/gorilla/websocket/releases)
- [Commits](https://github.com/gorilla/websocket/compare/v1.5.2...v1.5.3)

---
updated-dependencies:
- dependency-name: github.com/gorilla/websocket
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 7e3a87b91c6..2d912a5f6d1 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.19.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/gorilla/websocket v1.5.2
+	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.3.0
 	github.com/henvic/httpretty v0.1.3
diff --git a/go.sum b/go.sum
index 7e58a387e9f..16ab25bd0f3 100644
--- a/go.sum
+++ b/go.sum
@@ -218,8 +218,8 @@ github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/
 github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/gorilla/websocket v1.5.2 h1:qoW6V1GT3aZxybsbC6oLnailWnB+qTMVwMreOso9XUw=
-github.com/gorilla/websocket v1.5.2/go.mod h1:0n9H61RBAcf5/38py2MCYbxzPIY9rOkpvvMT24Rqs30=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=

From c572383bda78534ec4fa41939e0a0db8531887fe Mon Sep 17 00:00:00 2001
From: Forrin <Forrin@users.noreply.github.com>
Date: Fri, 14 Jun 2024 12:55:58 -0500
Subject: [PATCH 135/253] Attestation Verification - Buffer Fix (#9198)

* swap scanner to readline for attestations
* replace readLine with readBytes
---
 pkg/cmd/attestation/verification/attestation.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/pkg/cmd/attestation/verification/attestation.go b/pkg/cmd/attestation/verification/attestation.go
index 0b6499ecedf..52a8ff02547 100644
--- a/pkg/cmd/attestation/verification/attestation.go
+++ b/pkg/cmd/attestation/verification/attestation.go
@@ -73,21 +73,21 @@ func loadBundlesFromJSONLinesFile(path string) ([]*api.Attestation, error) {
 
 	attestations := []*api.Attestation{}
 
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		b := scanner.Bytes()
+	reader := bufio.NewReader(file)
+
+	var line []byte
+	line, err = reader.ReadBytes('\n')
+	for err == nil {
 		var bundle bundle.ProtobufBundle
 		bundle.Bundle = new(protobundle.Bundle)
-		err = bundle.UnmarshalJSON(b)
+		err = bundle.UnmarshalJSON(line)
 		if err != nil {
 			return nil, fmt.Errorf("failed to unmarshal bundle from JSON: %v", err)
 		}
 		a := api.Attestation{Bundle: &bundle}
 		attestations = append(attestations, &a)
-	}
 
-	if err := scanner.Err(); err != nil {
-		return nil, err
+		line, err = reader.ReadBytes('\n')
 	}
 
 	return attestations, nil

From 6e77b2d685e783ca0f008b80603a3e59ccf3834e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Jun 2024 14:16:51 +0000
Subject: [PATCH 136/253] build(deps): bump github.com/spf13/cobra from 1.8.0
 to 1.8.1

Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.8.0 to 1.8.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.8.0...v1.8.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 7e3a87b91c6..c9b3425fab4 100644
--- a/go.mod
+++ b/go.mod
@@ -39,7 +39,7 @@ require (
 	github.com/shurcooL/githubv4 v0.0.0-20230704064427-599ae7bbf278
 	github.com/sigstore/protobuf-specs v0.3.2
 	github.com/sigstore/sigstore-go v0.3.0
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/zalando/go-keyring v0.2.5
diff --git a/go.sum b/go.sum
index 7e58a387e9f..32820a67bff 100644
--- a/go.sum
+++ b/go.sum
@@ -109,7 +109,6 @@ github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AX
 github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
 github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
@@ -411,8 +410,8 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=

From 651d7135dc30c3db00d5afca3850819485549232 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 18 Jun 2024 14:40:06 +0000
Subject: [PATCH 137/253] build(deps): bump actions/attest-build-provenance
 from 1.2.0 to 1.3.2

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.2.0 to 1.3.2.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/49df96e17e918a15956db358890b08e61c704919...bdd51370e0416ac948727f861e03c2f05d32d78e)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index b37cfb23613..d085655746c 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -299,7 +299,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919 # v1.2.0
+        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo

From 152607e0e8373c7570705b2f3a3636c99707bd76 Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Sun, 23 Jun 2024 21:53:09 -0400
Subject: [PATCH 138/253] Removed beta note from `gh at verify`, clarified
 reusable workflows use case.

---
 pkg/cmd/attestation/verify/verify.go | 43 +++++++++++++++++++---------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 526194d93a5..8a640bf1c99 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -25,18 +25,22 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 		Args:  cmdutil.ExactArgs(1, "must specify file path or container image URI, as well as one of --owner or --repo"),
 		Short: "Verify an artifact's integrity using attestations",
 		Long: heredoc.Docf(`
-			### NOTE: This feature is currently in beta, and subject to change.
-
 			Verify the integrity and provenance of an artifact using its associated
 			cryptographically signed attestations.
 
-			The command requires either:
+			In order to verify an attestation, you must validate the identity of the Actions
+			workflow that produced the attestation (a.k.a. the signer workflow). Given this
+			identity, the verification process checks the signatures in the attestations,
+			and confirms that the attestation refers to provided artifact.
+
+			To specify the artifact, the command requires:
 			* a file path to an artifact, or
 			* a container image URI (e.g. %[1]soci://<image-uri>%[1]s)
 			  * (note that if you provide an OCI URL, you must already be authenticated with
 			its container registry)
 
-			In addition, the command requires either:
+			To fetch the attestation, and validate the identity of the signer, the command
+			requires either:
 			* the %[1]s--repo%[1]s flag (e.g. --repo github/example).
 			* the %[1]s--owner%[1]s flag (e.g. --owner github), or
 
@@ -54,27 +58,38 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			To see the full results that are generated upon successful verification, i.e.
 			for use with a policy engine, provide the %[1]s--format=json%[1]s flag.
 
-			The attestation's certificate's Subject Alternative Name (SAN) identifies the entity
-			responsible for creating the attestation, which most of the time will be a GitHub
-			Actions workflow file located inside your repository. By default, this command uses
+			The signer workflow's identity is validated against the attestation's
+			certificate's Subject Alternative Name (SAN). Often, the signer workflow is the
+			same workflow that originated the run and generated the attestation, and will
+			be located inside your repository. For this reason, by default this command uses
 			either the %[1]s--repo%[1]s or the %[1]s--owner%[1]s flag value to validate the SAN.
 
-			However, if you generate attestations with a reusable workflow then the SAN will
-			identify the reusable workflow – which may or may not be located inside your %[1]s--repo%[1]s
-			or %[1]s--owner%[1]s. In these situations, you can use the %[1]s--cert-identity%[1]s or
-			%[1]s--cert-identity-regex%[1]s flags to specify the reusable workflow's URI.
+			However, sometimes the originating workflow is not be the same workflow that
+			performed the signing. If your attestation was generated via a reusable
+			workflow, then that reusable workflow is the signer whose identity needs to be
+			validated. In this situation, the signer workflow may or may not be located
+			inside your %[1]s--repo%[1]s or %[1]s--owner%[1]s.
+
+			When using reusable workflows, use the %[1]s--signer-repo%[1]s, %[1]s--signer-workflow%[1]s,
+			or %[1]s--cert-identity%[1]s flags to validate the signer workflow's identity.
 
 			For more policy verification options, see the other available flags.
 			`, "`"),
 		Example: heredoc.Doc(`
-			# Verify a local artifact linked with a repository
+			# Verify an artifact linked with a repository
 			$ gh attestation verify example.bin --repo github/example
 
-			# Verify a local artifact linked with an organization
+			# Verify an artifact linked with an organization
 			$ gh attestation verify example.bin --owner github
 
-			# Verify an OCI image using locally stored attestations
+			# Verify an artifact and output the full verification result
+			$ gh attestation verify example.bin --owner github --format json
+
+			# Verify an OCI image using attestations stored on disk
 			$ gh attestation verify oci://<image-uri> --owner github --bundle sha256:foo.jsonl
+
+			# Verify an artifact signed with a reusable workflow
+			$ gh attestation verify example.bin --owner github --signer-repo actions/example
 		`),
 		// PreRunE is used to validate flags before the command is run
 		// If an error is returned, its message will be printed to the terminal

From 40abc9a7856a5732eee366b587258bb9a5523254 Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Sun, 23 Jun 2024 21:54:01 -0400
Subject: [PATCH 139/253] Removed beta note from `gh at download`.

---
 pkg/cmd/attestation/download/download.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pkg/cmd/attestation/download/download.go b/pkg/cmd/attestation/download/download.go
index 3af3b62005c..b73513341cb 100644
--- a/pkg/cmd/attestation/download/download.go
+++ b/pkg/cmd/attestation/download/download.go
@@ -23,8 +23,6 @@ func NewDownloadCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Comman
 		Args:  cmdutil.ExactArgs(1, "must specify file path or container image URI, as well as one of --owner or --repo"),
 		Short: "Download an artifact's attestations for offline use",
 		Long: heredoc.Docf(`
-			### NOTE: This feature is currently in beta, and subject to change.
-
 			Download attestations associated with an artifact for offline use.
 
 			The command requires either:

From 8318e7a1dea01008cc13d8c3ee21c2f7ed4b3de2 Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Mon, 24 Jun 2024 09:32:32 -0400
Subject: [PATCH 140/253] Actually, let's keep `download` in beta for now.

---
 pkg/cmd/attestation/download/download.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/cmd/attestation/download/download.go b/pkg/cmd/attestation/download/download.go
index b73513341cb..b6459b1fd71 100644
--- a/pkg/cmd/attestation/download/download.go
+++ b/pkg/cmd/attestation/download/download.go
@@ -23,6 +23,8 @@ func NewDownloadCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Comman
 		Args:  cmdutil.ExactArgs(1, "must specify file path or container image URI, as well as one of --owner or --repo"),
 		Short: "Download an artifact's attestations for offline use",
 		Long: heredoc.Docf(`
+   	  		### NOTE: This feature is currently in beta, and subject to change.
+
 			Download attestations associated with an artifact for offline use.
 
 			The command requires either:

From 846b6ec20b13b9419daa1d5e3c8fdbc7e820fd81 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Mon, 24 Jun 2024 15:41:22 +0200
Subject: [PATCH 141/253] Fix whitespacing

---
 pkg/cmd/attestation/download/download.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/download/download.go b/pkg/cmd/attestation/download/download.go
index b6459b1fd71..3af3b62005c 100644
--- a/pkg/cmd/attestation/download/download.go
+++ b/pkg/cmd/attestation/download/download.go
@@ -23,7 +23,7 @@ func NewDownloadCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Comman
 		Args:  cmdutil.ExactArgs(1, "must specify file path or container image URI, as well as one of --owner or --repo"),
 		Short: "Download an artifact's attestations for offline use",
 		Long: heredoc.Docf(`
-   	  		### NOTE: This feature is currently in beta, and subject to change.
+			### NOTE: This feature is currently in beta, and subject to change.
 
 			Download attestations associated with an artifact for offline use.
 

From d7c56bfb13f99b1df9d3a6f867cae60091171c44 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Mon, 24 Jun 2024 15:46:00 +0200
Subject: [PATCH 142/253] Remove beta note from attestation top level command

---
 pkg/cmd/attestation/attestation.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pkg/cmd/attestation/attestation.go b/pkg/cmd/attestation/attestation.go
index 423de1807e2..121ae3db01f 100644
--- a/pkg/cmd/attestation/attestation.go
+++ b/pkg/cmd/attestation/attestation.go
@@ -17,8 +17,6 @@ func NewCmdAttestation(f *cmdutil.Factory) *cobra.Command {
 		Short:   "Work with artifact attestations",
 		Aliases: []string{"at"},
 		Long: heredoc.Doc(`
-			### NOTE: This feature is currently in beta, and subject to change.
-
 			Download and verify artifact attestations.
 			`),
 	}

From 31b424a1d2344204e2dcdee30d48cf4b9caa5bd1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 13:52:48 +0000
Subject: [PATCH 143/253] build(deps): bump
 github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.1 to 0.19.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.19.1...v0.19.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 2d912a5f6d1..abe127cfe9e 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.4
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.19.1
+	github.com/google/go-containerregistry v0.19.2
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/go-multierror v1.1.1
diff --git a/go.sum b/go.sum
index 16ab25bd0f3..ad62d0a87ec 100644
--- a/go.sum
+++ b/go.sum
@@ -198,8 +198,8 @@ github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJ
 github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY=
-github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
+github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=

From 06607d3e95b6862d7e79eb4da77ac3aa23961767 Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Mon, 24 Jun 2024 10:05:58 -0400
Subject: [PATCH 144/253] s/originated/caller/ workflow

---
 pkg/cmd/attestation/verify/verify.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 8a640bf1c99..4db18e0b16d 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -60,11 +60,11 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 
 			The signer workflow's identity is validated against the attestation's
 			certificate's Subject Alternative Name (SAN). Often, the signer workflow is the
-			same workflow that originated the run and generated the attestation, and will
-			be located inside your repository. For this reason, by default this command uses
+			same workflow that started the run and generated the attestation, and will be
+			located inside your repository. For this reason, by default this command uses
 			either the %[1]s--repo%[1]s or the %[1]s--owner%[1]s flag value to validate the SAN.
 
-			However, sometimes the originating workflow is not be the same workflow that
+			However, sometimes the caller workflow is not be the same workflow that
 			performed the signing. If your attestation was generated via a reusable
 			workflow, then that reusable workflow is the signer whose identity needs to be
 			validated. In this situation, the signer workflow may or may not be located

From c25dacc33e6a443be1fa74943818a9acae14a96f Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Mon, 24 Jun 2024 13:32:51 -0400
Subject: [PATCH 145/253] Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 pkg/cmd/attestation/verify/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 4db18e0b16d..9ddf2f97f79 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -64,7 +64,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			located inside your repository. For this reason, by default this command uses
 			either the %[1]s--repo%[1]s or the %[1]s--owner%[1]s flag value to validate the SAN.
 
-			However, sometimes the caller workflow is not be the same workflow that
+			However, sometimes the caller workflow is not the same workflow that
 			performed the signing. If your attestation was generated via a reusable
 			workflow, then that reusable workflow is the signer whose identity needs to be
 			validated. In this situation, the signer workflow may or may not be located

From c9f9fac7dc36b5cab36cd0788b1da42423b0972d Mon Sep 17 00:00:00 2001
From: Phill MV <phillmv@github.com>
Date: Mon, 24 Jun 2024 13:33:10 -0400
Subject: [PATCH 146/253] Update pkg/cmd/attestation/verify/verify.go

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 pkg/cmd/attestation/verify/verify.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 9ddf2f97f79..60196583a32 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -58,8 +58,8 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			To see the full results that are generated upon successful verification, i.e.
 			for use with a policy engine, provide the %[1]s--format=json%[1]s flag.
 
-			The signer workflow's identity is validated against the attestation's
-			certificate's Subject Alternative Name (SAN). Often, the signer workflow is the
+			The signer workflow's identity is validated against the Subject Alternative Name (SAN)
+			within the attestation certificate. Often, the signer workflow is the
 			same workflow that started the run and generated the attestation, and will be
 			located inside your repository. For this reason, by default this command uses
 			either the %[1]s--repo%[1]s or the %[1]s--owner%[1]s flag value to validate the SAN.

From ee7bca679b6ba959e8448c2376f2ac0a06bc2e54 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 22:16:58 +0000
Subject: [PATCH 147/253] build(deps): bump
 github.com/hashicorp/go-retryablehttp

Bumps [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp) from 0.7.5 to 0.7.7.
- [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.5...v0.7.7)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-retryablehttp
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod |  4 ++--
 go.sum | 14 ++++++--------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 7bf5e5c38ce..4f4ed3a004e 100644
--- a/go.mod
+++ b/go.mod
@@ -74,7 +74,7 @@ require (
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.9+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/fatih/color v1.14.1 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
@@ -98,7 +98,7 @@ require (
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/itchyny/gojq v0.12.15 // indirect
diff --git a/go.sum b/go.sum
index bbfc11fa381..f02aba3f340 100644
--- a/go.sum
+++ b/go.sum
@@ -140,8 +140,8 @@ github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bc
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
-github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
+github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
+github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
@@ -226,13 +226,12 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs=
@@ -421,7 +420,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

From 85387fdc67f6a88c3870fe80ee35c5ca39f007db Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Tue, 25 Jun 2024 10:35:31 -0400
Subject: [PATCH 148/253] Update .github/ISSUE_TEMPLATE/bug_report.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Róbert Papp <papp.robert.s@gmail.com>
---
 .github/ISSUE_TEMPLATE/bug_report.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 9fd45a56ac1..00f2a0ba533 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -25,5 +25,4 @@ A clear and concise description of what you expected to happen and what actually
 
 Paste the activity from your command line. Redact if needed.
 
-> [!NOTE]
-> Set `GH_DEBUG=true` for verbose logs or `GH_DEBUG=api` for verbose logs with HTTP traffic details.
+<!-- Note: Set `GH_DEBUG=true` for verbose logs or `GH_DEBUG=api` for verbose logs with HTTP traffic details. -->

From d4e33858efe4b8b96dafc13fa2e806ec857886c0 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 25 Jun 2024 17:02:00 +0200
Subject: [PATCH 149/253] Fetch variable selected repo relationship when
 required

---
 pkg/cmd/variable/list/list.go      |  17 ++++-
 pkg/cmd/variable/list/list_test.go | 117 +++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/variable/list/list.go b/pkg/cmd/variable/list/list.go
index 2d26a03b6a2..764c0af4d13 100644
--- a/pkg/cmd/variable/list/list.go
+++ b/pkg/cmd/variable/list/list.go
@@ -3,6 +3,7 @@ package list
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"
 
@@ -30,6 +31,8 @@ type ListOptions struct {
 	EnvName string
 }
 
+const fieldNumSelectedRepos = "numSelectedRepos"
+
 func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Command {
 	opts := &ListOptions{
 		IO:         f.IOStreams,
@@ -94,9 +97,21 @@ func listRun(opts *ListOptions) error {
 		return err
 	}
 
-	var variables []shared.Variable
+	// Since populating the `NumSelectedRepos` field costs further API requests
+	// (one per secret), it's important to avoid extra calls when the output will
+	// not present the field's value. So, we should only populate this field in
+	// these cases:
+	//  1. The command is run in the TTY mode without the `--json <fields>` option.
+	//  2. The command is run with `--json <fields>` option, and `numSelectedRepos`
+	//     is among the selected fields. In this case, TTY mode is irrelevant.
 	showSelectedRepoInfo := opts.IO.IsStdoutTTY()
+	if opts.Exporter != nil {
+		// Note that if there's an exporter set, then we don't mind the TTY mode
+		// because we just have to populate the requested fields.
+		showSelectedRepoInfo = slices.Contains(opts.Exporter.Fields(), fieldNumSelectedRepos)
+	}
 
+	var variables []shared.Variable
 	switch variableEntity {
 	case shared.Repository:
 		variables, err = getRepoVariables(client, baseRepo)
diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index ed4d59c59da..4933d3957e4 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -304,6 +304,123 @@ func Test_listRun(t *testing.T) {
 	}
 }
 
+// Test_listRun_populatesNumSelectedReposIfRequired asserts that NumSelectedRepos
+// field is populated **only** when it's going to be presented in the output. Since
+// populating this field costs further API requests (one per variable), it's important
+// to avoid extra calls when the output will not present the field's value. Note
+// that NumSelectedRepos is only meant for organization variables.
+//
+// We should only populate the NumSelectedRepos field in these cases:
+//  1. The command is run in the TTY mode without the `--json <fields>` option.
+//  2. The command is run with `--json <fields>` option, and `numSelectedRepos`
+//     is among the selected fields. In this case, TTY mode is irrelevant.
+func Test_listRun_populatesNumSelectedReposIfRequired(t *testing.T) {
+	tests := []struct {
+		name          string
+		tty           bool
+		jsonFields    []string
+		wantPopulated bool
+	}{
+		{
+			name:          "org tty",
+			tty:           true,
+			wantPopulated: true,
+		},
+		{
+			name:          "org tty, json with numSelectedRepos",
+			tty:           true,
+			jsonFields:    []string{"numSelectedRepos"},
+			wantPopulated: true,
+		},
+		{
+			name:          "org tty, json without numSelectedRepos",
+			tty:           true,
+			jsonFields:    []string{"name"},
+			wantPopulated: false,
+		},
+		{
+			name:          "org not tty",
+			tty:           false,
+			wantPopulated: false,
+		},
+		{
+			name:          "org not tty, json with numSelectedRepos",
+			tty:           false,
+			jsonFields:    []string{"numSelectedRepos"},
+			wantPopulated: true,
+		},
+		{
+			name:          "org not tty, json without numSelectedRepos",
+			tty:           false,
+			jsonFields:    []string{"name"},
+			wantPopulated: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			reg := &httpmock.Registry{}
+			reg.Verify(t)
+
+			reg.Register(
+				httpmock.REST("GET", "orgs/umbrellaOrganization/actions/variables"),
+				httpmock.JSONResponse(struct{ Variables []shared.Variable }{
+					[]shared.Variable{
+						{
+							Name:             "VARIABLE",
+							Visibility:       shared.Selected,
+							SelectedReposURL: "https://api.github.com/orgs/umbrellaOrganization/actions/variables/VARIABLE/repositories",
+						},
+					},
+				}))
+			reg.Register(
+				httpmock.REST("GET", "orgs/umbrellaOrganization/actions/variables/VARIABLE/repositories"),
+				httpmock.JSONResponse(struct {
+					TotalCount int `json:"total_count"`
+				}{999}))
+
+			opts := &ListOptions{
+				OrgName: "umbrellaOrganization",
+			}
+
+			if tt.jsonFields != nil {
+				exporter := cmdutil.NewJSONExporter()
+				exporter.SetFields(tt.jsonFields)
+				opts.Exporter = exporter
+			}
+
+			ios, _, _, _ := iostreams.Test()
+			ios.SetStdoutTTY(tt.tty)
+			opts.IO = ios
+
+			opts.BaseRepo = func() (ghrepo.Interface, error) {
+				return ghrepo.FromFullName("owner/repo")
+			}
+			opts.HttpClient = func() (*http.Client, error) {
+				return &http.Client{Transport: reg}, nil
+			}
+			opts.Config = func() (gh.Config, error) {
+				return config.NewBlankConfig(), nil
+			}
+			opts.Now = func() time.Time {
+				t, _ := time.Parse(time.RFC822, "4 Apr 24 00:00 UTC")
+				return t
+			}
+
+			require.NoError(t, listRun(opts))
+
+			if tt.wantPopulated {
+				// There should be 2 requests; one to get the variables list and
+				// another to populate the numSelectedRepos field.
+				assert.Len(t, reg.Requests, 2)
+			} else {
+				// Only one requests to get the variables list.
+				assert.Len(t, reg.Requests, 1)
+			}
+		})
+	}
+}
+
 func Test_getVariables_pagination(t *testing.T) {
 	reg := &httpmock.Registry{}
 	defer reg.Verify(t)

From f972050dc92c435c75b6ae7559592bfe28fa3dbd Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Mon, 1 Jul 2024 11:50:39 -0400
Subject: [PATCH 150/253] gh attestation trusted-root subcommand (#9206)

Adds `trusted-root` subcommand to `gh attestation`.

For use in upcoming docs on how to do offline verification with artifact
attestations.

---------

Signed-off-by: Zach Steindler <steiza@github.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
---
 pkg/cmd/attestation/attestation.go            |   4 +-
 .../attestation/test/data/trusted_root.json   |  91 +-----------
 .../attestation/trustedroot/trustedroot.go    | 131 ++++++++++++++++++
 .../trustedroot_test.go}                      |  68 +++++----
 .../tufrootverify/tufrootverify.go            |  87 ------------
 pkg/cmd/attestation/verification/sigstore.go  | 113 ++++++++++++---
 .../verification/sigstore_integration_test.go |   4 +-
 pkg/cmd/attestation/verify/options.go         |   2 +-
 pkg/cmd/attestation/verify/verify.go          |  10 +-
 pkg/cmd/attestation/verify/verify_test.go     |   2 +-
 10 files changed, 276 insertions(+), 236 deletions(-)
 create mode 100644 pkg/cmd/attestation/trustedroot/trustedroot.go
 rename pkg/cmd/attestation/{tufrootverify/tufrootverify_test.go => trustedroot/trustedroot_test.go} (62%)
 delete mode 100644 pkg/cmd/attestation/tufrootverify/tufrootverify.go

diff --git a/pkg/cmd/attestation/attestation.go b/pkg/cmd/attestation/attestation.go
index 121ae3db01f..ea1e0c08c12 100644
--- a/pkg/cmd/attestation/attestation.go
+++ b/pkg/cmd/attestation/attestation.go
@@ -4,7 +4,7 @@ import (
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/download"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/inspect"
-	"github.com/cli/cli/v2/pkg/cmd/attestation/tufrootverify"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/trustedroot"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/verify"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 
@@ -24,7 +24,7 @@ func NewCmdAttestation(f *cmdutil.Factory) *cobra.Command {
 	root.AddCommand(download.NewDownloadCmd(f, nil))
 	root.AddCommand(inspect.NewInspectCmd(f, nil))
 	root.AddCommand(verify.NewVerifyCmd(f, nil))
-	root.AddCommand(tufrootverify.NewTUFRootVerifyCmd(f, nil))
+	root.AddCommand(trustedroot.NewTrustedRootCmd(f, nil))
 
 	return root
 }
diff --git a/pkg/cmd/attestation/test/data/trusted_root.json b/pkg/cmd/attestation/test/data/trusted_root.json
index b8706cb3e37..eddf07bbb4b 100644
--- a/pkg/cmd/attestation/test/data/trusted_root.json
+++ b/pkg/cmd/attestation/test/data/trusted_root.json
@@ -1,90 +1 @@
-{
-  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
-  "tlogs": [
-    {
-      "baseUrl": "https://rekor.sigstore.dev",
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "2021-01-12T11:53:27.000Z"
-        }
-      },
-      "logId": {
-        "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
-      }
-    }
-  ],
-  "certificateAuthorities": [
-    {
-      "subject": {
-        "organization": "sigstore.dev",
-        "commonName": "sigstore"
-      },
-      "uri": "https://fulcio.sigstore.dev",
-      "certChain": {
-        "certificates": [
-          {
-            "rawBytes": "MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIxMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSyA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0JcastaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJxVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uupHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ=="
-          }
-        ]
-      },
-      "validFor": {
-        "start": "2021-03-07T03:20:29.000Z",
-        "end": "2022-12-31T23:59:59.999Z"
-      }
-    },
-    {
-      "subject": {
-        "organization": "sigstore.dev",
-        "commonName": "sigstore"
-      },
-      "uri": "https://fulcio.sigstore.dev",
-      "certChain": {
-        "certificates": [
-          {
-            "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="
-          },
-          {
-            "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
-          }
-        ]
-      },
-      "validFor": {
-        "start": "2022-04-13T20:06:15.000Z"
-      }
-    }
-  ],
-  "ctlogs": [
-    {
-      "baseUrl": "https://ctfe.sigstore.dev/test",
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "2021-03-14T00:00:00.000Z",
-          "end": "2022-10-31T23:59:59.999Z"
-        }
-      },
-      "logId": {
-        "keyId": "CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I="
-      }
-    },
-    {
-      "baseUrl": "https://ctfe.sigstore.dev/2022",
-      "hashAlgorithm": "SHA2_256",
-      "publicKey": {
-        "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==",
-        "keyDetails": "PKIX_ECDSA_P256_SHA_256",
-        "validFor": {
-          "start": "2022-10-20T00:00:00.000Z"
-        }
-      },
-      "logId": {
-        "keyId": "3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4="
-      }
-    }
-  ]
-}
+{"mediaType":"application/vnd.dev.sigstore.trustedroot+json;version=0.1","tlogs":[{"baseUrl":"https://rekor.sigstore.dev","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2021-01-12T11:53:27.000Z"}},"logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}}],"certificateAuthorities":[{"subject":{"organization":"sigstore.dev","commonName":"sigstore"},"uri":"https://fulcio.sigstore.dev","certChain":{"certificates":[{"rawBytes":"MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIxMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSyA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0JcastaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJxVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uupHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ=="}]},"validFor":{"start":"2021-03-07T03:20:29.000Z","end":"2022-12-31T23:59:59.999Z"}},{"subject":{"organization":"sigstore.dev","commonName":"sigstore"},"uri":"https://fulcio.sigstore.dev","certChain":{"certificates":[{"rawBytes":"MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="},{"rawBytes":"MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"}]},"validFor":{"start":"2022-04-13T20:06:15.000Z"}}],"ctlogs":[{"baseUrl":"https://ctfe.sigstore.dev/test","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2021-03-14T00:00:00.000Z","end":"2022-10-31T23:59:59.999Z"}},"logId":{"keyId":"CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I="}},{"baseUrl":"https://ctfe.sigstore.dev/2022","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2022-10-20T00:00:00.000Z"}},"logId":{"keyId":"3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4="}}]}
diff --git a/pkg/cmd/attestation/trustedroot/trustedroot.go b/pkg/cmd/attestation/trustedroot/trustedroot.go
new file mode 100644
index 00000000000..09ab9a6c90e
--- /dev/null
+++ b/pkg/cmd/attestation/trustedroot/trustedroot.go
@@ -0,0 +1,131 @@
+package trustedroot
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/cli/cli/v2/pkg/cmd/attestation/auth"
+	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+
+	"github.com/MakeNowJust/heredoc"
+	"github.com/sigstore/sigstore-go/pkg/tuf"
+	"github.com/spf13/cobra"
+)
+
+type Options struct {
+	TufUrl      string
+	TufRootPath string
+	VerifyOnly  bool
+}
+
+type tufClientInstantiator func(o *tuf.Options) (*tuf.Client, error)
+
+func NewTrustedRootCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command {
+	opts := &Options{}
+	trustedRootCmd := cobra.Command{
+		Use:   "trusted-root [--tuf-url <url> --tuf-root <file-path>] [--verify-only]",
+		Args:  cobra.ExactArgs(0),
+		Short: "Output trusted_root.jsonl contents, likely for offline verification",
+		Long: heredoc.Docf(`
+			### NOTE: This feature is currently in beta, and subject to change.
+
+            Output contents for a trusted_root.jsonl file, likely for offline verification.
+
+            When using %[1]sgh attestation verify%[1]s, if your machine is on the internet,
+            this will happen automatically. But to do offline verification, you need to
+            supply a trusted root file with %[1]s--custom-trusted-root%[1]s; this command
+            will help you fetch a %[1]strusted_root.jsonl%[1]s file for that purpose.
+
+            You can call this command without any flags to get a trusted root file covering
+            the Sigstore Public Good Instance as well as GitHub's Sigstore instance.
+
+            Otherwise you can use %[1]s--tuf-url%[1]s to specify the URL of a custom TUF
+            repository mirror, and %[1]s--tuf-root%[1]s should be the path to the
+            %[1]sroot.json%[1]s file that you securely obtained out-of-band.
+
+            If you just want to verify the integrity of your local TUF repository, and don't
+            want the contents of a trusted_root.jsonl file, use %[1]s--verify-only%[1]s.
+		`, "`"),
+		Example: heredoc.Doc(`
+			# Get a trusted_root.jsonl for both Sigstore Public Good and GitHub's instance
+			gh attestation trusted-root
+		`),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := auth.IsHostSupported(); err != nil {
+				return err
+			}
+
+			if runF != nil {
+				return runF(opts)
+			}
+
+			if err := getTrustedRoot(tuf.New, opts); err != nil {
+				return fmt.Errorf("Failed to verify the TUF repository: %w", err)
+			}
+
+			return nil
+		},
+	}
+
+	trustedRootCmd.Flags().StringVarP(&opts.TufUrl, "tuf-url", "", "", "URL to the TUF repository mirror")
+	trustedRootCmd.Flags().StringVarP(&opts.TufRootPath, "tuf-root", "", "", "Path to the TUF root.json file on disk")
+	trustedRootCmd.MarkFlagsRequiredTogether("tuf-url", "tuf-root")
+	trustedRootCmd.Flags().BoolVarP(&opts.VerifyOnly, "verify-only", "", false, "Don't output trusted_root.jsonl contents")
+
+	return &trustedRootCmd
+}
+
+func getTrustedRoot(makeTUF tufClientInstantiator, opts *Options) error {
+	var tufOptions []*tuf.Options
+
+	tufOpt := verification.DefaultOptionsWithCacheSetting()
+	// Disable local caching, so we get up-to-date response from TUF repository
+	tufOpt.CacheValidity = 0
+
+	if opts.TufUrl != "" && opts.TufRootPath != "" {
+		tufRoot, err := os.ReadFile(opts.TufRootPath)
+		if err != nil {
+			return fmt.Errorf("failed to read root file %s: %v", opts.TufRootPath, err)
+		}
+
+		tufOpt.Root = tufRoot
+		tufOpt.RepositoryBaseURL = opts.TufUrl
+		tufOptions = append(tufOptions, tufOpt)
+	} else {
+		// Get from both Sigstore public good and GitHub private instance
+		tufOptions = append(tufOptions, tufOpt)
+
+		tufOpt = verification.GitHubTUFOptions()
+		tufOpt.CacheValidity = 0
+		tufOptions = append(tufOptions, tufOpt)
+	}
+
+	for _, tufOpt = range tufOptions {
+		tufClient, err := makeTUF(tufOpt)
+		if err != nil {
+			return fmt.Errorf("failed to create TUF client: %v", err)
+		}
+
+		t, err := tufClient.GetTarget("trusted_root.json")
+		if err != nil {
+			return err
+		}
+
+		output := new(bytes.Buffer)
+		err = json.Compact(output, t)
+		if err != nil {
+			return err
+		}
+
+		if !opts.VerifyOnly {
+			fmt.Println(output)
+		} else {
+			fmt.Printf("Local TUF repository for %s updated and verified\n", tufOpt.RepositoryBaseURL)
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/cmd/attestation/tufrootverify/tufrootverify_test.go b/pkg/cmd/attestation/trustedroot/trustedroot_test.go
similarity index 62%
rename from pkg/cmd/attestation/tufrootverify/tufrootverify_test.go
rename to pkg/cmd/attestation/trustedroot/trustedroot_test.go
index fb4d90cdbf9..d67075f207f 100644
--- a/pkg/cmd/attestation/tufrootverify/tufrootverify_test.go
+++ b/pkg/cmd/attestation/trustedroot/trustedroot_test.go
@@ -1,4 +1,4 @@
-package tufrootverify
+package trustedroot
 
 import (
 	"bytes"
@@ -6,16 +6,16 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/cli/cli/v2/pkg/cmd/attestation/test"
-	"github.com/cli/cli/v2/pkg/cmdutil"
-	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/sigstore/sigstore-go/pkg/tuf"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/cli/cli/v2/pkg/cmd/attestation/test"
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/cli/cli/v2/pkg/iostreams"
 )
 
-func TestNewTUFRootVerifyCmd(t *testing.T) {
+func TestNewTrustedRootCmd(t *testing.T) {
 	testIO, _, _, _ := iostreams.Test()
 	f := &cmdutil.Factory{
 		IOStreams: testIO,
@@ -27,29 +27,37 @@ func TestNewTUFRootVerifyCmd(t *testing.T) {
 		wantsErr bool
 	}{
 		{
-			name:     "Missing mirror flag",
-			cli:      "--root ../verification/embed/tuf-repo.github.com/root.json",
-			wantsErr: true,
+			name:     "Happy path",
+			cli:      "",
+			wantsErr: false,
 		},
 		{
-			name:     "Missing root flag",
-			cli:      "--mirror https://tuf-repo.github.com",
-			wantsErr: true,
+			name:     "Happy path",
+			cli:      "--verify-only",
+			wantsErr: false,
 		},
 		{
-			name:     "Has all required flags",
-			cli:      "--mirror https://tuf-repo.github.com --root ../verification/embed/tuf-repo.github.com/root.json",
+			name:     "Custom TUF happy path",
+			cli:      "--tuf-url https://tuf-repo.github.com --tuf-root ../verification/embed/tuf-repo.github.com/root.json",
 			wantsErr: false,
 		},
+		{
+			name:     "Missing tuf-root flag",
+			cli:      "--tuf-url https://tuf-repo.github.com",
+			wantsErr: true,
+		},
 	}
 
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			cmd := NewTUFRootVerifyCmd(f, func() error {
+			cmd := NewTrustedRootCmd(f, func(_ *Options) error {
 				return nil
 			})
 
-			argv := strings.Split(tc.cli, " ")
+			argv := []string{}
+			if tc.cli != "" {
+				argv = strings.Split(tc.cli, " ")
+			}
 			cmd.SetArgs(argv)
 			cmd.SetIn(&bytes.Buffer{})
 			cmd.SetOut(&bytes.Buffer{})
@@ -64,33 +72,35 @@ func TestNewTUFRootVerifyCmd(t *testing.T) {
 	}
 }
 
-var newTUFMockClient tufClientInstantiator = func(o *tuf.Options) (*tuf.Client, error) {
-	return &tuf.Client{}, nil
-}
-
 var newTUFErrClient tufClientInstantiator = func(o *tuf.Options) (*tuf.Client, error) {
 	return nil, fmt.Errorf("failed to create TUF client")
 }
 
-func TestTUFRootVerify(t *testing.T) {
+func TestGetTrustedRoot(t *testing.T) {
 	mirror := "https://tuf-repo.github.com"
 	root := test.NormalizeRelativePath("../verification/embed/tuf-repo.github.com/root.json")
 
+	opts := &Options{
+		TufUrl:      mirror,
+		TufRootPath: root,
+	}
+
 	t.Run("successfully verifies TUF root", func(t *testing.T) {
-		err := tufRootVerify(newTUFMockClient, mirror, root)
+		err := getTrustedRoot(tuf.New, opts)
 		require.NoError(t, err)
 	})
 
-	t.Run("fails because the root cannot be found", func(t *testing.T) {
-		notFoundRoot := test.NormalizeRelativePath("./does/not/exist/root.json")
-		err := tufRootVerify(newTUFMockClient, mirror, notFoundRoot)
+	t.Run("failed to create TUF root", func(t *testing.T) {
+		err := getTrustedRoot(newTUFErrClient, opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "failed to read root file")
+		require.ErrorContains(t, err, "failed to create TUF client")
 	})
 
-	t.Run("failed to create TUF root", func(t *testing.T) {
-		err := tufRootVerify(newTUFErrClient, mirror, root)
+	t.Run("fails because the root cannot be found", func(t *testing.T) {
+		opts.TufRootPath = test.NormalizeRelativePath("./does/not/exist/root.json")
+		err := getTrustedRoot(tuf.New, opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "failed to create TUF client")
+		require.ErrorContains(t, err, "failed to read root file")
 	})
+
 }
diff --git a/pkg/cmd/attestation/tufrootverify/tufrootverify.go b/pkg/cmd/attestation/tufrootverify/tufrootverify.go
deleted file mode 100644
index b7fac9efeaa..00000000000
--- a/pkg/cmd/attestation/tufrootverify/tufrootverify.go
+++ /dev/null
@@ -1,87 +0,0 @@
-package tufrootverify
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/cli/cli/v2/pkg/cmd/attestation/auth"
-	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
-	"github.com/cli/cli/v2/pkg/cmdutil"
-
-	"github.com/MakeNowJust/heredoc"
-	"github.com/sigstore/sigstore-go/pkg/tuf"
-	"github.com/spf13/cobra"
-)
-
-type tufClientInstantiator func(o *tuf.Options) (*tuf.Client, error)
-
-func NewTUFRootVerifyCmd(f *cmdutil.Factory, runF func() error) *cobra.Command {
-	var mirror string
-	var root string
-	var cmd = cobra.Command{
-		Use:    "tuf-root-verify --mirror <mirror-url> --root <root.json>",
-		Args:   cobra.ExactArgs(0),
-		Short:  "Verify the TUF repository from a provided TUF root",
-		Hidden: true,
-		Long: heredoc.Docf(`
-			### NOTE: This feature is currently in beta, and subject to change.
-
-			Verify a TUF repository with a local TUF root.
-
-			The command requires you provide the %[1]s--mirror%[1]s flag, which should be the URL
-			of the TUF repository mirror.
-
-			The command also requires you provide the %[1]s--root%[1]s flag, which should be the
-			path to the TUF root file.
-
-			GitHub relies on TUF to securely deliver the trust root for our signing authority.
-			For more information on TUF, see the official documentation: <https://theupdateframework.github.io/>.
-		`, "`"),
-		Example: heredoc.Doc(`
-			# Verify the TUF repository from a provided TUF root
-			gh attestation tuf-root-verify --mirror https://tuf-repo.github.com --root /path/to/1.root.json
-		`),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if err := auth.IsHostSupported(); err != nil {
-				return err
-			}
-
-			if runF != nil {
-				return runF()
-			}
-
-			if err := tufRootVerify(tuf.New, mirror, root); err != nil {
-				return fmt.Errorf("Failed to verify the TUF repository: %w", err)
-			}
-
-			io := f.IOStreams
-			fmt.Sprintln(io.Out, io.ColorScheme().Green("Successfully verified the TUF repository"))
-			return nil
-		},
-	}
-
-	cmd.Flags().StringVarP(&mirror, "mirror", "m", "", "URL to the TUF repository mirror")
-	cmd.MarkFlagRequired("mirror") //nolint:errcheck
-	cmd.Flags().StringVarP(&root, "root", "r", "", "Path to the TUF root file on disk")
-	cmd.MarkFlagRequired("root") //nolint:errcheck
-
-	return &cmd
-}
-
-func tufRootVerify(makeTUF tufClientInstantiator, mirror, root string) error {
-	rb, err := os.ReadFile(root)
-	if err != nil {
-		return fmt.Errorf("failed to read root file %s: %v", root, err)
-	}
-	opts := verification.GitHubTUFOptions()
-	opts.Root = rb
-	opts.RepositoryBaseURL = mirror
-	// The purpose is the verify the TUF root and repository, make
-	// sure there is no caching enabled
-	opts.CacheValidity = 0
-	if _, err = makeTUF(opts); err != nil {
-		return fmt.Errorf("failed to create TUF client: %v", err)
-	}
-
-	return nil
-}
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index a55f4510d05..b3a4aca5099 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -1,7 +1,11 @@
 package verification
 
 import (
+	"bufio"
+	"bytes"
+	"crypto/x509"
 	"fmt"
+	"os"
 
 	"github.com/cli/cli/v2/pkg/cmd/attestation/api"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
@@ -29,9 +33,9 @@ type SigstoreResults struct {
 }
 
 type SigstoreConfig struct {
-	CustomTrustedRoot string
-	Logger            *io.Handler
-	NoPublicGood      bool
+	TrustedRoot  string
+	Logger       *io.Handler
+	NoPublicGood bool
 }
 
 type SigstoreVerifier interface {
@@ -65,13 +69,68 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify
 	}
 	issuer := leafCert.Issuer.Organization[0]
 
-	// if user provided a custom trusted root file path, use the custom verifier
-	if v.config.CustomTrustedRoot != "" {
-		customVerifier, err := newCustomVerifier(v.config.CustomTrustedRoot)
+	if v.config.TrustedRoot != "" {
+		customTrustRoots, err := os.ReadFile(v.config.TrustedRoot)
 		if err != nil {
-			return nil, "", fmt.Errorf("failed to create custom verifier: %v", err)
+			return nil, "", fmt.Errorf("unable to read file %s: %v", v.config.TrustedRoot, err)
 		}
-		return customVerifier, issuer, nil
+
+		reader := bufio.NewReader(bytes.NewReader(customTrustRoots))
+		var line []byte
+		var readError error
+		line, readError = reader.ReadBytes('\n')
+		for readError == nil {
+			// Load each trusted root
+			trustedRoot, err := root.NewTrustedRootFromJSON(line)
+			if err != nil {
+				return nil, "", fmt.Errorf("failed to create custom verifier: %v", err)
+			}
+
+			// Compare bundle leafCert issuer with trusted root cert authority
+			certAuthorities := trustedRoot.FulcioCertificateAuthorities()
+			for _, certAuthority := range certAuthorities {
+				lowestCert, err := getLowestCertInChain(&certAuthority)
+				if err != nil {
+					return nil, "", err
+				}
+
+				if len(lowestCert.Issuer.Organization) == 0 {
+					continue
+				}
+
+				if lowestCert.Issuer.Organization[0] == issuer {
+					// Determine what policy to use with this trusted root.
+					//
+					// Note that we are *only* inferring the policy with the
+					// issuer. We *must* use the trusted root provided.
+					if issuer == PublicGoodIssuerOrg {
+						if v.config.NoPublicGood {
+							return nil, "", fmt.Errorf("Detected public good instance but requested verification without public good instance")
+						}
+						verifier, err := newPublicGoodVerifierWithTrustedRoot(trustedRoot)
+						if err != nil {
+							return nil, "", err
+						}
+						return verifier, issuer, nil
+					} else if issuer == GitHubIssuerOrg {
+						verifier, err := newGitHubVerifierWithTrustedRoot(trustedRoot)
+						if err != nil {
+							return nil, "", err
+						}
+						return verifier, issuer, nil
+					} else {
+						// Make best guess at reasonable policy
+						customVerifier, err := newCustomVerifier(trustedRoot)
+						if err != nil {
+							return nil, "", fmt.Errorf("failed to create custom verifier: %v", err)
+						}
+						return customVerifier, issuer, nil
+					}
+				}
+			}
+			line, readError = reader.ReadBytes('\n')
+		}
+		return nil, "", fmt.Errorf("unable to use provided trusted roots")
 	}
 
 	if leafCert.Issuer.Organization[0] == PublicGoodIssuerOrg && !v.config.NoPublicGood {
@@ -93,6 +152,18 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify
 	return nil, "", fmt.Errorf("leaf certificate issuer is not recognized")
 }
 
+func getLowestCertInChain(ca *root.CertificateAuthority) (*x509.Certificate, error) {
+	if ca.Leaf != nil {
+		return ca.Leaf, nil
+	} else if len(ca.Intermediates) > 0 {
+		return ca.Intermediates[0], nil
+	} else if ca.Root != nil {
+		return ca.Root, nil
+	}
+
+	return nil, fmt.Errorf("certificate authority had no certificates")
+}
+
 func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy verify.PolicyBuilder) *SigstoreResults {
 	// initialize the processing results before attempting to verify
 	// with multiple verifiers
@@ -143,21 +214,17 @@ func (v *LiveSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
 	}
 }
 
-func newCustomVerifier(trustedRootFilePath string) (*verify.SignedEntityVerifier, error) {
-	trustedRoot, err := root.NewTrustedRootFromPath(trustedRootFilePath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create trusted root from file %s: %v", trustedRootFilePath, err)
-	}
-
+func newCustomVerifier(trustedRoot *root.TrustedRoot) (*verify.SignedEntityVerifier, error) {
+	// All we know about this trust root is its configuration so make some
+	// educated guesses as to what the policy should be.
 	verifierConfig := []verify.VerifierOption{}
-	verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))
+	// This requires some independent corroboration of the signing certificate
+	// (e.g. from Sigstore Fulcio) time, one of:
+	// - a signed timestamp from a timestamp authority in the trusted root
+	// - a transparency log entry (e.g. from Sigstore Rekor)
 	verifierConfig = append(verifierConfig, verify.WithObserverTimestamps(1))
 
 	// Infer verification options from contents of trusted root
-	if len(trustedRoot.TimestampingAuthorities()) > 0 {
-		verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1))
-	}
-
 	if len(trustedRoot.RekorLogs()) > 0 {
 		verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1))
 	}
@@ -180,6 +247,10 @@ func newGitHubVerifier() (*verify.SignedEntityVerifier, error) {
 	if err != nil {
 		return nil, err
 	}
+	return newGitHubVerifierWithTrustedRoot(trustedRoot)
+}
+
+func newGitHubVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verify.SignedEntityVerifier, error) {
 	gv, err := verify.NewSignedEntityVerifier(trustedRoot, verify.WithSignedTimestamps(1))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create GitHub verifier: %v", err)
@@ -199,6 +270,10 @@ func newPublicGoodVerifier() (*verify.SignedEntityVerifier, error) {
 		return nil, fmt.Errorf("failed to get trusted root: %v", err)
 	}
 
+	return newPublicGoodVerifierWithTrustedRoot(trustedRoot)
+}
+
+func newPublicGoodVerifierWithTrustedRoot(trustedRoot *root.TrustedRoot) (*verify.SignedEntityVerifier, error) {
 	sv, err := verify.NewSignedEntityVerifier(trustedRoot, verify.WithSignedCertificateTimestamps(1), verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create Public Good verifier: %v", err)
diff --git a/pkg/cmd/attestation/verification/sigstore_integration_test.go b/pkg/cmd/attestation/verification/sigstore_integration_test.go
index aa6dd3e740f..2fab9dfac29 100644
--- a/pkg/cmd/attestation/verification/sigstore_integration_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go
@@ -92,8 +92,8 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 		attestations := getAttestationsFor(t, "../test/data/sigstore-js-2.1.0_with_2_bundles.jsonl")
 
 		verifier := NewLiveSigstoreVerifier(SigstoreConfig{
-			Logger:            io.NewTestHandler(),
-			CustomTrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"),
+			Logger:      io.NewTestHandler(),
+			TrustedRoot: test.NormalizeRelativePath("../test/data/trusted_root.json"),
 		})
 
 		res := verifier.Verify(attestations, publicGoodPolicy(t))
diff --git a/pkg/cmd/attestation/verify/options.go b/pkg/cmd/attestation/verify/options.go
index 08bb75072a4..da2c7bb4e88 100644
--- a/pkg/cmd/attestation/verify/options.go
+++ b/pkg/cmd/attestation/verify/options.go
@@ -18,7 +18,7 @@ type Options struct {
 	ArtifactPath         string
 	BundlePath           string
 	Config               func() (gh.Config, error)
-	CustomTrustedRoot    string
+	TrustedRoot          string
 	DenySelfHostedRunner bool
 	DigestAlgorithm      string
 	Limit                int
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 60196583a32..16b9477e8ad 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -132,9 +132,9 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 			}
 
 			config := verification.SigstoreConfig{
-				CustomTrustedRoot: opts.CustomTrustedRoot,
-				Logger:            opts.Logger,
-				NoPublicGood:      opts.NoPublicGood,
+				TrustedRoot:  opts.TrustedRoot,
+				Logger:       opts.Logger,
+				NoPublicGood: opts.NoPublicGood,
 			}
 
 			opts.SigstoreVerifier = verification.NewLiveSigstoreVerifier(config)
@@ -156,8 +156,8 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 	verifyCmd.MarkFlagsMutuallyExclusive("owner", "repo")
 	verifyCmd.MarkFlagsOneRequired("owner", "repo")
 	verifyCmd.Flags().StringVarP(&opts.PredicateType, "predicate-type", "", "", "Filter attestations by provided predicate type")
-	verifyCmd.Flags().BoolVarP(&opts.NoPublicGood, "no-public-good", "", false, "Only verify attestations signed with GitHub's Sigstore instance")
-	verifyCmd.Flags().StringVarP(&opts.CustomTrustedRoot, "custom-trusted-root", "", "", "Path to a custom trustedroot.json file to use for verification")
+	verifyCmd.Flags().BoolVarP(&opts.NoPublicGood, "no-public-good", "", false, "Do not verify attestations signed with Sigstore public good instance")
+	verifyCmd.Flags().StringVarP(&opts.TrustedRoot, "custom-trusted-root", "", "", "Path to a trusted_root.jsonl file; likely for offline verification")
 	verifyCmd.Flags().IntVarP(&opts.Limit, "limit", "L", api.DefaultLimit, "Maximum number of attestations to fetch")
 	cmdutil.AddFormatFlags(verifyCmd, &opts.exporter)
 	// policy enforcement flags
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index ef778f45492..f0cc2170947 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -220,7 +220,7 @@ func TestNewVerifyCmd(t *testing.T) {
 
 			assert.Equal(t, tc.wants.ArtifactPath, opts.ArtifactPath)
 			assert.Equal(t, tc.wants.BundlePath, opts.BundlePath)
-			assert.Equal(t, tc.wants.CustomTrustedRoot, opts.CustomTrustedRoot)
+			assert.Equal(t, tc.wants.TrustedRoot, opts.TrustedRoot)
 			assert.Equal(t, tc.wants.DenySelfHostedRunner, opts.DenySelfHostedRunner)
 			assert.Equal(t, tc.wants.DigestAlgorithm, opts.DigestAlgorithm)
 			assert.Equal(t, tc.wants.Limit, opts.Limit)

From 9b40e0ca15e842052b3e7fe840baa06c9e6a894c Mon Sep 17 00:00:00 2001
From: Corey Christous <cchristous@gmail.com>
Date: Sun, 7 Jul 2024 13:57:05 -0400
Subject: [PATCH 151/253] Update create.go

---
 pkg/cmd/release/create/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index a8e894d2a60..1cfc5ba06a4 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -116,7 +116,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			Use release notes from a file
 			$ gh release create v1.2.3 -F changelog.md
    
-   			Don't mark the release as latest
+			Don't mark the release as latest
 			$ gh release create v1.2.3 --latest=false 
 
 			Upload all tarballs in a directory as release assets

From 8f77b4a23ffc6d1f90add52013e617d7229a9b8a Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Sun, 19 Mar 2023 15:28:38 +0900
Subject: [PATCH 152/253] Add `issue create --editor`

---
 pkg/cmd/issue/create/create.go             |  55 ++++++++---
 pkg/cmd/issue/create/create_test.go        | 101 +++++++++++++++++++++
 pkg/cmd/pr/shared/survey.go                |  20 ++++
 pkg/cmd/pr/shared/templates.go             |  18 +++-
 pkg/cmd/pr/shared/templates_test.go        |   6 +-
 pkg/githubtemplate/github_template.go      |  15 +++
 pkg/githubtemplate/github_template_test.go |  61 +++++++++++++
 7 files changed, 260 insertions(+), 16 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index c359df2a029..a83e746171e 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -18,16 +18,18 @@ import (
 )
 
 type CreateOptions struct {
-	HttpClient func() (*http.Client, error)
-	Config     func() (gh.Config, error)
-	IO         *iostreams.IOStreams
-	BaseRepo   func() (ghrepo.Interface, error)
-	Browser    browser.Browser
-	Prompter   prShared.Prompt
+	HttpClient       func() (*http.Client, error)
+	Config           func() (gh.Config, error)
+	IO               *iostreams.IOStreams
+	BaseRepo         func() (ghrepo.Interface, error)
+	Browser          browser.Browser
+	Prompter         prShared.Prompt
+	TitledEditSurvey func(string, string) (string, string, error)
 
 	RootDirOverride string
 
 	HasRepoOverride bool
+	EditorMode      bool
 	WebMode         bool
 	RecoverFile     string
 
@@ -44,11 +46,12 @@ type CreateOptions struct {
 
 func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Command {
 	opts := &CreateOptions{
-		IO:         f.IOStreams,
-		HttpClient: f.HttpClient,
-		Config:     f.Config,
-		Browser:    f.Browser,
-		Prompter:   f.Prompter,
+		IO:               f.IOStreams,
+		HttpClient:       f.HttpClient,
+		Config:           f.Config,
+		Browser:          f.Browser,
+		Prompter:         f.Prompter,
+		TitledEditSurvey: prShared.TitledEditSurvey(f.Config, f.IOStreams),
 	}
 
 	var bodyFile string
@@ -96,12 +99,20 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return errors.New("`--template` is not supported when using `--body` or `--body-file`")
 			}
 
-			opts.Interactive = !(titleProvided && bodyProvided)
+			opts.Interactive = !opts.EditorMode && !(titleProvided && bodyProvided)
 
 			if opts.Interactive && !opts.IO.CanPrompt() {
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` when not running interactively")
 			}
 
+			if err := cmdutil.MutuallyExclusive(
+				"specify only one of `--editor` or `--web`",
+				opts.EditorMode,
+				opts.WebMode,
+			); err != nil {
+				return err
+			}
+
 			if runF != nil {
 				return runF(opts)
 			}
@@ -112,6 +123,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().StringVarP(&opts.Title, "title", "t", "", "Supply a title. Will prompt for one otherwise.")
 	cmd.Flags().StringVarP(&opts.Body, "body", "b", "", "Supply a body. Will prompt for one otherwise.")
 	cmd.Flags().StringVarP(&bodyFile, "body-file", "F", "", "Read body text from `file` (use \"-\" to read from standard input)")
+	cmd.Flags().BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the rest text is the body.")
 	cmd.Flags().BoolVarP(&opts.WebMode, "web", "w", false, "Open the browser to create an issue")
 	cmd.Flags().StringSliceVarP(&opts.Assignees, "assignee", "a", nil, "Assign people by their `login`. Use \"@me\" to self-assign.")
 	cmd.Flags().StringSliceVarP(&opts.Labels, "label", "l", nil, "Add labels by `name`")
@@ -285,6 +297,25 @@ func createRun(opts *CreateOptions) (err error) {
 			return
 		}
 	} else {
+		if opts.EditorMode {
+			if opts.Template != "" {
+				var template prShared.Template
+				template, err = tpl.Select(opts.Template)
+				if err != nil {
+					return
+				}
+				if tb.Title == "" {
+					tb.Title = template.Title()
+				}
+				templateNameForSubmit = template.NameForSubmit()
+				tb.Body = string(template.Body())
+			}
+
+			tb.Title, tb.Body, err = opts.TitledEditSurvey(tb.Title, tb.Body)
+			if err != nil {
+				return
+			}
+		}
 		if tb.Title == "" {
 			err = fmt.Errorf("title can't be blank")
 			return
diff --git a/pkg/cmd/issue/create/create_test.go b/pkg/cmd/issue/create/create_test.go
index c70507327f0..476faa9ecbc 100644
--- a/pkg/cmd/issue/create/create_test.go
+++ b/pkg/cmd/issue/create/create_test.go
@@ -125,6 +125,41 @@ func TestNewCmdCreate(t *testing.T) {
 			cli:      `-t mytitle --template "bug report" --body-file "body_file.md"`,
 			wantsErr: true,
 		},
+		{
+			name:     "editor",
+			tty:      false,
+			cli:      "--editor",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:       "",
+				Body:        "",
+				RecoverFile: "",
+				WebMode:     false,
+				EditorMode:  true,
+				Interactive: false,
+			},
+		},
+		{
+			name:     "editor and template",
+			tty:      false,
+			cli:      `--editor --template "bug report"`,
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:       "",
+				Body:        "",
+				RecoverFile: "",
+				WebMode:     false,
+				EditorMode:  true,
+				Template:    "bug report",
+				Interactive: false,
+			},
+		},
+		{
+			name:     "editor and web",
+			tty:      false,
+			cli:      "--editor --web",
+			wantsErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -310,6 +345,72 @@ func Test_createRun(t *testing.T) {
 			},
 			wantsErr: "cannot open in browser: maximum URL length exceeded",
 		},
+		{
+			name: "editor",
+			httpStubs: func(r *httpmock.Registry) {
+				r.Register(
+					httpmock.GraphQL(`query RepositoryInfo\b`),
+					httpmock.StringResponse(`
+			{ "data": { "repository": {
+				"id": "REPOID",
+				"hasIssuesEnabled": true
+			} } }`))
+				r.Register(
+					httpmock.GraphQL(`mutation IssueCreate\b`),
+					httpmock.GraphQLMutation(`
+		{ "data": { "createIssue": { "issue": {
+			"URL": "https://github.com/OWNER/REPO/issues/12"
+		} } } }
+	`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "title", inputs["title"])
+						assert.Equal(t, "body", inputs["body"])
+					}))
+			},
+			opts: CreateOptions{
+				EditorMode:       true,
+				TitledEditSurvey: func(string, string) (string, string, error) { return "title", "body", nil },
+			},
+			wantsStdout: "https://github.com/OWNER/REPO/issues/12\n",
+			wantsStderr: "\nCreating issue in OWNER/REPO\n\n",
+		},
+		{
+			name: "editor and template",
+			httpStubs: func(r *httpmock.Registry) {
+				r.Register(
+					httpmock.GraphQL(`query RepositoryInfo\b`),
+					httpmock.StringResponse(`
+			{ "data": { "repository": {
+				"id": "REPOID",
+				"hasIssuesEnabled": true
+			} } }`))
+				r.Register(
+					httpmock.GraphQL(`query IssueTemplates\b`),
+					httpmock.StringResponse(`
+			{ "data": { "repository": { "issueTemplates": [
+				{ "name": "Bug report",
+				  "title": "bug: ",
+				  "body": "Does not work :((" }
+			] } } }`),
+				)
+				r.Register(
+					httpmock.GraphQL(`mutation IssueCreate\b`),
+					httpmock.GraphQLMutation(`
+		{ "data": { "createIssue": { "issue": {
+			"URL": "https://github.com/OWNER/REPO/issues/12"
+		} } } }
+	`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "bug: ", inputs["title"])
+						assert.Equal(t, "Does not work :((", inputs["body"])
+					}))
+			},
+			opts: CreateOptions{
+				EditorMode:       true,
+				Template:         "Bug report",
+				TitledEditSurvey: func(title string, body string) (string, string, error) { return title, body, nil },
+			},
+			wantsStdout: "https://github.com/OWNER/REPO/issues/12\n",
+			wantsStderr: "\nCreating issue in OWNER/REPO\n\n",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/cmd/pr/shared/survey.go b/pkg/cmd/pr/shared/survey.go
index 393b877578f..8396a4f16d4 100644
--- a/pkg/cmd/pr/shared/survey.go
+++ b/pkg/cmd/pr/shared/survey.go
@@ -5,8 +5,11 @@ import (
 	"strings"
 
 	"github.com/cli/cli/v2/api"
+	"github.com/cli/cli/v2/internal/gh"
 	"github.com/cli/cli/v2/internal/ghrepo"
+	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/cli/cli/v2/pkg/surveyext"
 )
 
 type Action int
@@ -317,3 +320,20 @@ func MetadataSurvey(p Prompt, io *iostreams.IOStreams, baseRepo ghrepo.Interface
 
 	return nil
 }
+
+func TitledEditSurvey(cf func() (gh.Config, error), io *iostreams.IOStreams) func(string, string) (string, string, error) {
+	return func(initialTitle, initialBody string) (string, string, error) {
+		editorCommand, err := cmdutil.DetermineEditor(cf)
+		if err != nil {
+			return "", "", err
+		}
+		initialValue := initialTitle + "\n" + initialBody
+		titleAndBody, err := surveyext.Edit(editorCommand, "*.md", initialValue, io.In, io.Out, io.ErrOut)
+		if err != nil {
+			return "", "", err
+		}
+		titleAndBody = strings.ReplaceAll(titleAndBody, "\r\n", "\n")
+		title, body, _ := strings.Cut(titleAndBody, "\n")
+		return title, body, nil
+	}
+}
diff --git a/pkg/cmd/pr/shared/templates.go b/pkg/cmd/pr/shared/templates.go
index f46a9f1d44f..a3ffa13beac 100644
--- a/pkg/cmd/pr/shared/templates.go
+++ b/pkg/cmd/pr/shared/templates.go
@@ -16,8 +16,9 @@ import (
 )
 
 type issueTemplate struct {
-	Gname string `graphql:"name"`
-	Gbody string `graphql:"body"`
+	Gname  string `graphql:"name"`
+	Gbody  string `graphql:"body"`
+	Gtitle string `graphql:"title"`
 }
 
 type pullRequestTemplate struct {
@@ -37,6 +38,10 @@ func (t *issueTemplate) Body() []byte {
 	return []byte(t.Gbody)
 }
 
+func (t *issueTemplate) Title() string {
+	return t.Gtitle
+}
+
 func (t *pullRequestTemplate) Name() string {
 	return t.Gname
 }
@@ -49,6 +54,10 @@ func (t *pullRequestTemplate) Body() []byte {
 	return []byte(t.Gbody)
 }
 
+func (t *pullRequestTemplate) Title() string {
+	return ""
+}
+
 func listIssueTemplates(httpClient *http.Client, repo ghrepo.Interface) ([]Template, error) {
 	var query struct {
 		Repository struct {
@@ -109,6 +118,7 @@ type Template interface {
 	Name() string
 	NameForSubmit() string
 	Body() []byte
+	Title() string
 }
 
 type iprompter interface {
@@ -294,3 +304,7 @@ func (t *filesystemTemplate) NameForSubmit() string {
 func (t *filesystemTemplate) Body() []byte {
 	return githubtemplate.ExtractContents(t.path)
 }
+
+func (t *filesystemTemplate) Title() string {
+	return githubtemplate.ExtractTitle(t.path)
+}
diff --git a/pkg/cmd/pr/shared/templates_test.go b/pkg/cmd/pr/shared/templates_test.go
index 319d9daa5e8..cb3dbb704e8 100644
--- a/pkg/cmd/pr/shared/templates_test.go
+++ b/pkg/cmd/pr/shared/templates_test.go
@@ -27,8 +27,8 @@ func TestTemplateManager_hasAPI(t *testing.T) {
 		httpmock.GraphQL(`query IssueTemplates\b`),
 		httpmock.StringResponse(`{"data":{"repository":{
 			"issueTemplates": [
-				{"name": "Bug report", "body": "I found a problem"},
-				{"name": "Feature request", "body": "I need a feature"}
+				{"name": "Bug report", "body": "I found a problem", "title": "bug: "},
+				{"name": "Feature request", "body": "I need a feature", "title": "request: "}
 			]
 		}}}`))
 
@@ -62,6 +62,7 @@ func TestTemplateManager_hasAPI(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "Feature request", tpl.NameForSubmit())
 	assert.Equal(t, "I need a feature", string(tpl.Body()))
+	assert.Equal(t, "request: ", tpl.Title())
 }
 
 func TestTemplateManager_hasAPI_PullRequest(t *testing.T) {
@@ -112,6 +113,7 @@ func TestTemplateManager_hasAPI_PullRequest(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "", tpl.NameForSubmit())
 	assert.Equal(t, "I fixed a problem", string(tpl.Body()))
+	assert.Equal(t, "", tpl.Title())
 }
 
 func TestTemplateManagerSelect(t *testing.T) {
diff --git a/pkg/githubtemplate/github_template.go b/pkg/githubtemplate/github_template.go
index c52c3e4b4ee..4eb8b64e9f8 100644
--- a/pkg/githubtemplate/github_template.go
+++ b/pkg/githubtemplate/github_template.go
@@ -98,6 +98,21 @@ func ExtractName(filePath string) string {
 	return path.Base(filePath)
 }
 
+// ExtractTitle returns the title of the template from YAML front-matter
+func ExtractTitle(filePath string) string {
+	contents, err := os.ReadFile(filePath)
+	frontmatterBoundaries := detectFrontmatter(contents)
+	if err == nil && frontmatterBoundaries[0] == 0 {
+		templateData := struct {
+			Title string
+		}{}
+		if err := yaml.Unmarshal(contents[0:frontmatterBoundaries[1]], &templateData); err == nil && templateData.Title != "" {
+			return templateData.Title
+		}
+	}
+	return ""
+}
+
 // ExtractContents returns the template contents without the YAML front-matter
 func ExtractContents(filePath string) []byte {
 	contents, err := os.ReadFile(filePath)
diff --git a/pkg/githubtemplate/github_template_test.go b/pkg/githubtemplate/github_template_test.go
index eb31484a579..20709f7e64b 100644
--- a/pkg/githubtemplate/github_template_test.go
+++ b/pkg/githubtemplate/github_template_test.go
@@ -319,6 +319,67 @@ about: This is how you report bugs
 	}
 }
 
+func TestExtractTitle(t *testing.T) {
+	tmpfile, err := os.CreateTemp(t.TempDir(), "gh-cli")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer tmpfile.Close()
+
+	type args struct {
+		filePath string
+	}
+	tests := []struct {
+		name    string
+		prepare string
+		args    args
+		want    string
+	}{
+		{
+			name: "Complete front-matter",
+			prepare: `---
+name: Bug Report
+title: 'bug: '
+about: This is how you report bugs
+---
+
+**Template contents**
+`,
+			args: args{
+				filePath: tmpfile.Name(),
+			},
+			want: "bug: ",
+		},
+		{
+			name: "Incomplete front-matter",
+			prepare: `---
+about: This is how you report bugs
+---
+`,
+			args: args{
+				filePath: tmpfile.Name(),
+			},
+			want: "",
+		},
+		{
+			name:    "No front-matter",
+			prepare: `name: This is not yaml!`,
+			args: args{
+				filePath: tmpfile.Name(),
+			},
+			want: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_ = os.WriteFile(tmpfile.Name(), []byte(tt.prepare), 0600)
+			if got := ExtractTitle(tt.args.filePath); got != tt.want {
+				t.Errorf("ExtractTitle() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestExtractContents(t *testing.T) {
 	tmpfile, err := os.CreateTemp(t.TempDir(), "gh-cli")
 	if err != nil {

From 30b32865333e7236bf5b6d5980697e03b82c5501 Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Wed, 3 Jul 2024 20:27:11 +0900
Subject: [PATCH 153/253] Add prefer_editor_prompt config

---
 internal/config/config.go        | 41 ++++++++++++------
 internal/config/stub.go          |  3 ++
 internal/gh/gh.go                |  2 +
 internal/gh/mock/config.go       | 72 +++++++++++++++++++++++++-------
 pkg/cmd/config/list/list_test.go |  2 +
 5 files changed, 94 insertions(+), 26 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index fbdcdef9539..29b66b73bb8 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -15,18 +15,19 @@ import (
 )
 
 const (
-	aliasesKey        = "aliases"
-	browserKey        = "browser"
-	editorKey         = "editor"
-	gitProtocolKey    = "git_protocol"
-	hostsKey          = "hosts"
-	httpUnixSocketKey = "http_unix_socket"
-	oauthTokenKey     = "oauth_token"
-	pagerKey          = "pager"
-	promptKey         = "prompt"
-	userKey           = "user"
-	usersKey          = "users"
-	versionKey        = "version"
+	aliasesKey            = "aliases"
+	browserKey            = "browser"
+	editorKey             = "editor"
+	gitProtocolKey        = "git_protocol"
+	hostsKey              = "hosts"
+	httpUnixSocketKey     = "http_unix_socket"
+	oauthTokenKey         = "oauth_token"
+	pagerKey              = "pager"
+	promptKey             = "prompt"
+	preferEditorPromptKey = "prefer_editor_prompt"
+	userKey               = "user"
+	usersKey              = "users"
+	versionKey            = "version"
 )
 
 func NewConfig() (gh.Config, error) {
@@ -137,6 +138,11 @@ func (c *cfg) Prompt(hostname string) gh.ConfigEntry {
 	return c.GetOrDefault(hostname, promptKey).Unwrap()
 }
 
+func (c *cfg) PreferEditorPrompt(hostname string) gh.ConfigEntry {
+	// Intentionally panic if there is no user provided value or default value (which would be a programmer error)
+	return c.GetOrDefault(hostname, preferEditorPromptKey).Unwrap()
+}
+
 func (c *cfg) Version() o.Option[string] {
 	return c.get("", versionKey)
 }
@@ -509,6 +515,8 @@ git_protocol: https
 editor:
 # When to interactively prompt. This is a global config that cannot be overridden by hostname. Supported values: enabled, disabled
 prompt: enabled
+# Preference for editor-based interactive prompting. This is a global config that cannot be overridden by hostname. Supported values: enabled, disabled
+prefer_editor_prompt: disabled
 # A pager program to send command output to, e.g. "less". If blank, will refer to environment. Set the value to "cat" to disable the pager.
 pager:
 # Aliases allow you to create nicknames for gh commands
@@ -555,6 +563,15 @@ var Options = []ConfigOption{
 			return c.Prompt(hostname).Value
 		},
 	},
+	{
+		Key:           preferEditorPromptKey,
+		Description:   "toggle preference for editor-based interactive prompting in the terminal",
+		DefaultValue:  "disabled",
+		AllowedValues: []string{"enabled", "disabled"},
+		CurrentValue: func(c gh.Config, hostname string) string {
+			return c.PreferEditorPrompt(hostname).Value
+		},
+	},
 	{
 		Key:          pagerKey,
 		Description:  "the terminal pager program to send standard output to",
diff --git a/internal/config/stub.go b/internal/config/stub.go
index c8986872146..71d44556dc1 100644
--- a/internal/config/stub.go
+++ b/internal/config/stub.go
@@ -70,6 +70,9 @@ func NewFromString(cfgStr string) *ghmock.ConfigMock {
 	mock.PromptFunc = func(hostname string) gh.ConfigEntry {
 		return cfg.Prompt(hostname)
 	}
+	mock.PreferEditorPromptFunc = func(hostname string) gh.ConfigEntry {
+		return cfg.PreferEditorPrompt(hostname)
+	}
 	mock.VersionFunc = func() o.Option[string] {
 		return cfg.Version()
 	}
diff --git a/internal/gh/gh.go b/internal/gh/gh.go
index a6db43d6698..c39734075e6 100644
--- a/internal/gh/gh.go
+++ b/internal/gh/gh.go
@@ -47,6 +47,8 @@ type Config interface {
 	Pager(hostname string) ConfigEntry
 	// Prompt returns the configured prompt, optionally scoped by host.
 	Prompt(hostname string) ConfigEntry
+	// PreferEditorPrompt returns the configured editor-based prompt, optionally scoped by host.
+	PreferEditorPrompt(hostname string) ConfigEntry
 
 	// Aliases provides persistent storage and modification of command aliases.
 	Aliases() AliasConfig
diff --git a/internal/gh/mock/config.go b/internal/gh/mock/config.go
index 502047240b5..569af1facb4 100644
--- a/internal/gh/mock/config.go
+++ b/internal/gh/mock/config.go
@@ -49,6 +49,9 @@ var _ gh.Config = &ConfigMock{}
 //			PagerFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Pager method")
 //			},
+//			PreferEditorPromptFunc: func(hostname string) gh.ConfigEntry {
+//				panic("mock out the PreferEditorPrompt method")
+//			},
 //			PromptFunc: func(hostname string) gh.ConfigEntry {
 //				panic("mock out the Prompt method")
 //			},
@@ -98,6 +101,9 @@ type ConfigMock struct {
 	// PagerFunc mocks the Pager method.
 	PagerFunc func(hostname string) gh.ConfigEntry
 
+	// PreferEditorPromptFunc mocks the PreferEditorPrompt method.
+	PreferEditorPromptFunc func(hostname string) gh.ConfigEntry
+
 	// PromptFunc mocks the Prompt method.
 	PromptFunc func(hostname string) gh.ConfigEntry
 
@@ -158,6 +164,11 @@ type ConfigMock struct {
 			// Hostname is the hostname argument value.
 			Hostname string
 		}
+		// PreferEditorPrompt holds details about calls to the PreferEditorPrompt method.
+		PreferEditorPrompt []struct {
+			// Hostname is the hostname argument value.
+			Hostname string
+		}
 		// Prompt holds details about calls to the Prompt method.
 		Prompt []struct {
 			// Hostname is the hostname argument value.
@@ -179,20 +190,21 @@ type ConfigMock struct {
 		Write []struct {
 		}
 	}
-	lockAliases        sync.RWMutex
-	lockAuthentication sync.RWMutex
-	lockBrowser        sync.RWMutex
-	lockCacheDir       sync.RWMutex
-	lockEditor         sync.RWMutex
-	lockGetOrDefault   sync.RWMutex
-	lockGitProtocol    sync.RWMutex
-	lockHTTPUnixSocket sync.RWMutex
-	lockMigrate        sync.RWMutex
-	lockPager          sync.RWMutex
-	lockPrompt         sync.RWMutex
-	lockSet            sync.RWMutex
-	lockVersion        sync.RWMutex
-	lockWrite          sync.RWMutex
+	lockAliases            sync.RWMutex
+	lockAuthentication     sync.RWMutex
+	lockBrowser            sync.RWMutex
+	lockCacheDir           sync.RWMutex
+	lockEditor             sync.RWMutex
+	lockGetOrDefault       sync.RWMutex
+	lockGitProtocol        sync.RWMutex
+	lockHTTPUnixSocket     sync.RWMutex
+	lockMigrate            sync.RWMutex
+	lockPager              sync.RWMutex
+	lockPreferEditorPrompt sync.RWMutex
+	lockPrompt             sync.RWMutex
+	lockSet                sync.RWMutex
+	lockVersion            sync.RWMutex
+	lockWrite              sync.RWMutex
 }
 
 // Aliases calls AliasesFunc.
@@ -504,6 +516,38 @@ func (mock *ConfigMock) PagerCalls() []struct {
 	return calls
 }
 
+// PreferEditorPrompt calls PreferEditorPromptFunc.
+func (mock *ConfigMock) PreferEditorPrompt(hostname string) gh.ConfigEntry {
+	if mock.PreferEditorPromptFunc == nil {
+		panic("ConfigMock.PreferEditorPromptFunc: method is nil but Config.PreferEditorPrompt was just called")
+	}
+	callInfo := struct {
+		Hostname string
+	}{
+		Hostname: hostname,
+	}
+	mock.lockPreferEditorPrompt.Lock()
+	mock.calls.PreferEditorPrompt = append(mock.calls.PreferEditorPrompt, callInfo)
+	mock.lockPreferEditorPrompt.Unlock()
+	return mock.PreferEditorPromptFunc(hostname)
+}
+
+// PreferEditorPromptCalls gets all the calls that were made to PreferEditorPrompt.
+// Check the length with:
+//
+//	len(mockedConfig.PreferEditorPromptCalls())
+func (mock *ConfigMock) PreferEditorPromptCalls() []struct {
+	Hostname string
+} {
+	var calls []struct {
+		Hostname string
+	}
+	mock.lockPreferEditorPrompt.RLock()
+	calls = mock.calls.PreferEditorPrompt
+	mock.lockPreferEditorPrompt.RUnlock()
+	return calls
+}
+
 // Prompt calls PromptFunc.
 func (mock *ConfigMock) Prompt(hostname string) gh.ConfigEntry {
 	if mock.PromptFunc == nil {
diff --git a/pkg/cmd/config/list/list_test.go b/pkg/cmd/config/list/list_test.go
index b6a9d0fcaf1..65f83d659c3 100644
--- a/pkg/cmd/config/list/list_test.go
+++ b/pkg/cmd/config/list/list_test.go
@@ -84,6 +84,7 @@ func Test_listRun(t *testing.T) {
 				cfg.Set("HOST", "git_protocol", "ssh")
 				cfg.Set("HOST", "editor", "/usr/bin/vim")
 				cfg.Set("HOST", "prompt", "disabled")
+				cfg.Set("HOST", "prefer_editor_prompt", "enabled")
 				cfg.Set("HOST", "pager", "less")
 				cfg.Set("HOST", "http_unix_socket", "")
 				cfg.Set("HOST", "browser", "brave")
@@ -93,6 +94,7 @@ func Test_listRun(t *testing.T) {
 			stdout: `git_protocol=ssh
 editor=/usr/bin/vim
 prompt=disabled
+prefer_editor_prompt=enabled
 pager=less
 http_unix_socket=
 browser=brave

From 50d0cb72799807aa1456b04d5d3b22222e2c1e10 Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Thu, 4 Jul 2024 20:31:24 +0900
Subject: [PATCH 154/253] Use prefer_editor_prompt config by `issue create`

---
 pkg/cmd/issue/create/create.go      |  6 ++++++
 pkg/cmd/issue/create/create_test.go | 24 +++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index a83e746171e..dcf75e04035 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -80,6 +80,12 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			opts.BaseRepo = f.BaseRepo
 			opts.HasRepoOverride = cmd.Flags().Changed("repo")
 
+			config, err := f.Config()
+			if err != nil {
+				return err
+			}
+			opts.EditorMode = opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled"
+
 			titleProvided := cmd.Flags().Changed("title")
 			bodyProvided := cmd.Flags().Changed("body")
 			if bodyFile != "" {
diff --git a/pkg/cmd/issue/create/create_test.go b/pkg/cmd/issue/create/create_test.go
index 476faa9ecbc..74c9d0d9a83 100644
--- a/pkg/cmd/issue/create/create_test.go
+++ b/pkg/cmd/issue/create/create_test.go
@@ -38,6 +38,7 @@ func TestNewCmdCreate(t *testing.T) {
 		tty       bool
 		stdin     string
 		cli       string
+		config    string
 		wantsErr  bool
 		wantsOpts CreateOptions
 	}{
@@ -126,7 +127,7 @@ func TestNewCmdCreate(t *testing.T) {
 			wantsErr: true,
 		},
 		{
-			name:     "editor",
+			name:     "editor by cli",
 			tty:      false,
 			cli:      "--editor",
 			wantsErr: false,
@@ -139,6 +140,21 @@ func TestNewCmdCreate(t *testing.T) {
 				Interactive: false,
 			},
 		},
+		{
+			name:     "editor by config",
+			tty:      false,
+			cli:      "",
+			config:   "prefer_editor_prompt: enabled",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:       "",
+				Body:        "",
+				RecoverFile: "",
+				WebMode:     false,
+				EditorMode:  true,
+				Interactive: false,
+			},
+		},
 		{
 			name:     "editor and template",
 			tty:      false,
@@ -173,6 +189,12 @@ func TestNewCmdCreate(t *testing.T) {
 
 			f := &cmdutil.Factory{
 				IOStreams: ios,
+				Config: func() (gh.Config, error) {
+					if tt.config != "" {
+						return config.NewFromString(tt.config), nil
+					}
+					return config.NewBlankConfig(), nil
+				},
 			}
 
 			var opts *CreateOptions

From 0d37174076f0a3d78921cc20ab08a7c9f1493c89 Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Tue, 9 Jul 2024 08:26:10 +0900
Subject: [PATCH 155/253] Add editor hint message

---
 pkg/cmd/issue/create/create.go   |  2 +-
 pkg/cmd/pr/shared/survey.go      | 36 +++++++++++++++++++++++++-------
 pkg/cmd/pr/shared/survey_test.go | 35 +++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 9 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index dcf75e04035..22090634029 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -51,7 +51,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 		Config:           f.Config,
 		Browser:          f.Browser,
 		Prompter:         f.Prompter,
-		TitledEditSurvey: prShared.TitledEditSurvey(f.Config, f.IOStreams),
+		TitledEditSurvey: prShared.TitledEditSurvey(&prShared.UserEditor{Config: f.Config, IO: f.IOStreams}),
 	}
 
 	var bodyFile string
diff --git a/pkg/cmd/pr/shared/survey.go b/pkg/cmd/pr/shared/survey.go
index 8396a4f16d4..5f4bf7dd9f6 100644
--- a/pkg/cmd/pr/shared/survey.go
+++ b/pkg/cmd/pr/shared/survey.go
@@ -321,19 +321,39 @@ func MetadataSurvey(p Prompt, io *iostreams.IOStreams, baseRepo ghrepo.Interface
 	return nil
 }
 
-func TitledEditSurvey(cf func() (gh.Config, error), io *iostreams.IOStreams) func(string, string) (string, string, error) {
+type Editor interface {
+	Edit(filename, initialValue string) (string, error)
+}
+
+type UserEditor struct {
+	IO     *iostreams.IOStreams
+	Config func() (gh.Config, error)
+}
+
+func (e *UserEditor) Edit(filename, initialValue string) (string, error) {
+	editorCommand, err := cmdutil.DetermineEditor(e.Config)
+	if err != nil {
+		return "", err
+	}
+	return surveyext.Edit(editorCommand, filename, initialValue, e.IO.In, e.IO.Out, e.IO.ErrOut)
+}
+
+const editorHintMarker = "------------------------ >8 ------------------------"
+const editorHint = `
+Please Enter the title on the first line and the body on subsequent lines.
+Lines below dotted lines will be ignored, and an empty title aborts the creation process.`
+
+func TitledEditSurvey(editor Editor) func(string, string) (string, string, error) {
 	return func(initialTitle, initialBody string) (string, string, error) {
-		editorCommand, err := cmdutil.DetermineEditor(cf)
-		if err != nil {
-			return "", "", err
-		}
-		initialValue := initialTitle + "\n" + initialBody
-		titleAndBody, err := surveyext.Edit(editorCommand, "*.md", initialValue, io.In, io.Out, io.ErrOut)
+		initialValue := strings.Join([]string{initialTitle, initialBody, editorHintMarker, editorHint}, "\n")
+		titleAndBody, err := editor.Edit("*.md", initialValue)
 		if err != nil {
 			return "", "", err
 		}
+
 		titleAndBody = strings.ReplaceAll(titleAndBody, "\r\n", "\n")
+		titleAndBody, _, _ = strings.Cut(titleAndBody, editorHintMarker)
 		title, body, _ := strings.Cut(titleAndBody, "\n")
-		return title, body, nil
+		return title, strings.TrimSuffix(body, "\n"), nil
 	}
 }
diff --git a/pkg/cmd/pr/shared/survey_test.go b/pkg/cmd/pr/shared/survey_test.go
index 4653ce08b46..8df49278507 100644
--- a/pkg/cmd/pr/shared/survey_test.go
+++ b/pkg/cmd/pr/shared/survey_test.go
@@ -123,3 +123,38 @@ func TestMetadataSurvey_keepExisting(t *testing.T) {
 	assert.Equal(t, []string{"good first issue"}, state.Labels)
 	assert.Equal(t, []string{"The road to 1.0"}, state.Projects)
 }
+
+func TestTitledEditSurvey_cleanupHint(t *testing.T) {
+	var editorInitialText string
+	editor := &testEditor{
+		edit: func(s string) (string, error) {
+			editorInitialText = s
+			return `editedTitle
+editedBody
+------------------------ >8 ------------------------
+
+Please Enter the title on the first line and the body on subsequent lines.
+Lines below dotted lines will be ignored, and an empty title aborts the creation process.`, nil
+		},
+	}
+
+	title, body, err := TitledEditSurvey(editor)("initialTitle", "initialBody")
+	assert.NoError(t, err)
+
+	assert.Equal(t, `initialTitle
+initialBody
+------------------------ >8 ------------------------
+
+Please Enter the title on the first line and the body on subsequent lines.
+Lines below dotted lines will be ignored, and an empty title aborts the creation process.`, editorInitialText)
+	assert.Equal(t, "editedTitle", title)
+	assert.Equal(t, "editedBody", body)
+}
+
+type testEditor struct {
+	edit func(string) (string, error)
+}
+
+func (e testEditor) Edit(filename, text string) (string, error) {
+	return e.edit(text)
+}

From 0b32e66bba57587d5a2399dd9a9405d9f32c198d Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Tue, 9 Jul 2024 20:42:50 +0900
Subject: [PATCH 156/253] Enable to use --web even though editor is enabled by
 config

---
 pkg/cmd/issue/create/create.go      | 18 +++++++++---------
 pkg/cmd/issue/create/create_test.go | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 22090634029..98b05a5e3e8 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -80,11 +80,19 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			opts.BaseRepo = f.BaseRepo
 			opts.HasRepoOverride = cmd.Flags().Changed("repo")
 
+			if err := cmdutil.MutuallyExclusive(
+				"specify only one of `--editor` or `--web`",
+				opts.EditorMode,
+				opts.WebMode,
+			); err != nil {
+				return err
+			}
+
 			config, err := f.Config()
 			if err != nil {
 				return err
 			}
-			opts.EditorMode = opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled"
+			opts.EditorMode = !opts.WebMode && (opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled")
 
 			titleProvided := cmd.Flags().Changed("title")
 			bodyProvided := cmd.Flags().Changed("body")
@@ -111,14 +119,6 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` when not running interactively")
 			}
 
-			if err := cmdutil.MutuallyExclusive(
-				"specify only one of `--editor` or `--web`",
-				opts.EditorMode,
-				opts.WebMode,
-			); err != nil {
-				return err
-			}
-
 			if runF != nil {
 				return runF(opts)
 			}
diff --git a/pkg/cmd/issue/create/create_test.go b/pkg/cmd/issue/create/create_test.go
index 74c9d0d9a83..bd544990f3d 100644
--- a/pkg/cmd/issue/create/create_test.go
+++ b/pkg/cmd/issue/create/create_test.go
@@ -176,6 +176,21 @@ func TestNewCmdCreate(t *testing.T) {
 			cli:      "--editor --web",
 			wantsErr: true,
 		},
+		{
+			name:     "can use web even though editor is enabled by config",
+			tty:      false,
+			cli:      `--web --title mytitle --body "issue body"`,
+			config:   "prefer_editor_prompt: enabled",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:       "mytitle",
+				Body:        "issue body",
+				RecoverFile: "",
+				WebMode:     true,
+				EditorMode:  false,
+				Interactive: false,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From 4511a8b4c4483dcbd2145907ed16113cf4b93c92 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 10 Jul 2024 14:21:15 +0000
Subject: [PATCH 157/253] build(deps): bump actions/attest-build-provenance
 from 1.3.2 to 1.3.3

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.2 to 1.3.3.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/bdd51370e0416ac948727f861e03c2f05d32d78e...5e9cb68e95676991667494a6a4e59b8a2f13e1d0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index d085655746c..2e87e242924 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -299,7 +299,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@bdd51370e0416ac948727f861e03c2f05d32d78e # v1.3.2
+        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo

From 172a9de2fe8384e533a5ec5affd2ceed0218a5c3 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 11 Jul 2024 16:30:35 +0200
Subject: [PATCH 158/253] Ensure PR does not panic when stateReason is
 requested

---
 api/query_builder.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/api/query_builder.go b/api/query_builder.go
index 0f131232c9a..0aa89513de8 100644
--- a/api/query_builder.go
+++ b/api/query_builder.go
@@ -249,7 +249,7 @@ func RequiredStatusCheckRollupGraphQL(prID, after string, includeEvent bool) str
 	}`), afterClause, prID, eventField)
 }
 
-var IssueFields = []string{
+var sharedIssuePRFields = []string{
 	"assignees",
 	"author",
 	"body",
@@ -268,10 +268,20 @@ var IssueFields = []string{
 	"title",
 	"updatedAt",
 	"url",
+}
+
+// Some fields are only valid in the context of issues.
+// They need to be enumerated separately in order to be filtered
+// from existing code that expects to be able to pass Issue fields
+// to PR queries, e.g. the PullRequestGraphql function.
+var issueOnlyFields = []string{
+	"isPinned",
 	"stateReason",
 }
 
-var PullRequestFields = append(IssueFields,
+var IssueFields = append(sharedIssuePRFields, issueOnlyFields...)
+
+var PullRequestFields = append(sharedIssuePRFields,
 	"additions",
 	"autoMergeRequest",
 	"baseRefName",
@@ -299,12 +309,6 @@ var PullRequestFields = append(IssueFields,
 	"statusCheckRollup",
 )
 
-// Some fields are only valid in the context of issues.
-var issueOnlyFields = []string{
-	"isPinned",
-	"stateReason",
-}
-
 // IssueGraphQL constructs a GraphQL query fragment for a set of issue fields.
 func IssueGraphQL(fields []string) string {
 	var q []string

From 3b2ba9e1fa9600aeb077946370968a849947e97b Mon Sep 17 00:00:00 2001
From: Jesse Houwing <jesse.houwing@gmail.com>
Date: Fri, 12 Jul 2024 13:20:43 +0200
Subject: [PATCH 159/253] docs: Update documentation for `gh repo create` to
 clarify owner

---
 pkg/cmd/repo/create/create.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/cmd/repo/create/create.go b/pkg/cmd/repo/create/create.go
index 48a331bddbb..78618c5aa31 100644
--- a/pkg/cmd/repo/create/create.go
+++ b/pkg/cmd/repo/create/create.go
@@ -88,6 +88,9 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			To create a remote repository non-interactively, supply the repository name and one of %[1]s--public%[1]s, %[1]s--private%[1]s, or %[1]s--internal%[1]s.
 			Pass %[1]s--clone%[1]s to clone the new repository locally.
 
+                        If the %[1]sOWNER/%[1]s portion of the %[1]sOWNER/REPO%[1]s name argument is omitted, it
+			defaults to the name of the authenticating user.
+
 			To create a remote repository from an existing local repository, specify the source directory with %[1]s--source%[1]s.
 			By default, the remote repository name will be the name of the source directory.
 			Pass %[1]s--push%[1]s to push any local commits to the new repository.
@@ -99,6 +102,9 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			# create a new remote repository and clone it locally
 			gh repo create my-project --public --clone
 
+                        # create a new remote repository in a different organization
+			gh repo create my-org/my-project --public
+
 			# create a remote repository from the current directory
 			gh repo create my-project --private --source=. --remote=upstream
 		`),

From 940b54c70896cc7c83c2cf5de4345b2d4cafc405 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Thu, 11 Jul 2024 17:00:49 +0200
Subject: [PATCH 160/253] Add tests for JSON field support on issue and pr view
 commands

---
 pkg/cmd/issue/view/view_test.go      | 26 +++++++++++++++
 pkg/cmd/pr/view/view_test.go         | 49 ++++++++++++++++++++++++++++
 pkg/jsonfieldstest/jsonfieldstest.go | 47 ++++++++++++++++++++++++++
 3 files changed, 122 insertions(+)
 create mode 100644 pkg/jsonfieldstest/jsonfieldstest.go

diff --git a/pkg/cmd/issue/view/view_test.go b/pkg/cmd/issue/view/view_test.go
index 2f91ba13e64..f77db9abc52 100644
--- a/pkg/cmd/issue/view/view_test.go
+++ b/pkg/cmd/issue/view/view_test.go
@@ -16,11 +16,37 @@ import (
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/cli/cli/v2/pkg/jsonfieldstest"
 	"github.com/cli/cli/v2/test"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
 )
 
+func TestJSONFields(t *testing.T) {
+	jsonfieldstest.ExpectCommandToSupportJSONFields(t, NewCmdView, []string{
+		"assignees",
+		"author",
+		"body",
+		"closed",
+		"comments",
+		"createdAt",
+		"closedAt",
+		"id",
+		"labels",
+		"milestone",
+		"number",
+		"projectCards",
+		"projectItems",
+		"reactionGroups",
+		"state",
+		"title",
+		"updatedAt",
+		"url",
+		"isPinned",
+		"stateReason",
+	})
+}
+
 func runCommand(rt http.RoundTripper, isTTY bool, cli string) (*test.CmdOut, error) {
 	ios, _, stdout, stderr := iostreams.Test()
 	ios.SetStdoutTTY(isTTY)
diff --git a/pkg/cmd/pr/view/view_test.go b/pkg/cmd/pr/view/view_test.go
index 6fc955bc31d..0efe667a758 100644
--- a/pkg/cmd/pr/view/view_test.go
+++ b/pkg/cmd/pr/view/view_test.go
@@ -18,12 +18,61 @@ import (
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/cli/cli/v2/pkg/jsonfieldstest"
 	"github.com/cli/cli/v2/test"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+func TestJSONFields(t *testing.T) {
+	jsonfieldstest.ExpectCommandToSupportJSONFields(t, NewCmdView, []string{
+		"additions",
+		"assignees",
+		"author",
+		"autoMergeRequest",
+		"baseRefName",
+		"body",
+		"changedFiles",
+		"closed",
+		"closedAt",
+		"comments",
+		"commits",
+		"createdAt",
+		"deletions",
+		"files",
+		"headRefName",
+		"headRefOid",
+		"headRepository",
+		"headRepositoryOwner",
+		"id",
+		"isCrossRepository",
+		"isDraft",
+		"labels",
+		"latestReviews",
+		"maintainerCanModify",
+		"mergeCommit",
+		"mergeStateStatus",
+		"mergeable",
+		"mergedAt",
+		"mergedBy",
+		"milestone",
+		"number",
+		"potentialMergeCommit",
+		"projectCards",
+		"projectItems",
+		"reactionGroups",
+		"reviewDecision",
+		"reviewRequests",
+		"reviews",
+		"state",
+		"statusCheckRollup",
+		"title",
+		"updatedAt",
+		"url",
+	})
+}
+
 func Test_NewCmdView(t *testing.T) {
 	tests := []struct {
 		name    string
diff --git a/pkg/jsonfieldstest/jsonfieldstest.go b/pkg/jsonfieldstest/jsonfieldstest.go
new file mode 100644
index 00000000000..21140024b44
--- /dev/null
+++ b/pkg/jsonfieldstest/jsonfieldstest.go
@@ -0,0 +1,47 @@
+package jsonfieldstest
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/cli/cli/v2/pkg/cmdutil"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func jsonFieldsFor(cmd *cobra.Command) []string {
+	// This annotation is added by the `cmdutil.AddJSONFlags` function.
+	//
+	// This is an extremely janky way to get access to this information but due to the fact we pass
+	// around concrete cobra.Command structs, there's no viable way to have typed access to the fields.
+	//
+	// It's also kind of fragile because it's several hops away from the code that actually validates the usage
+	// of these flags, so it's possible for things to get out of sync.
+	stringFields, ok := cmd.Annotations["help:json-fields"]
+	if !ok {
+		return nil
+	}
+
+	return strings.Split(stringFields, ",")
+}
+
+// NewCmdFunc represents the typical function signature we use for creating commands e.g. `NewCmdView`.
+//
+// It is generic over `T` as each command construction has their own Options type e.g. `ViewOptions`
+type NewCmdFunc[T any] func(f *cmdutil.Factory, runF func(*T) error) *cobra.Command
+
+// ExpectCommandToSupportJSONFields asserts that the provided command supports exactly the provided fields.
+// Ordering of the expected fields is not important.
+//
+// Make sure you are not pointing to the same slice of fields in the test and the implementation.
+// It can be a little tedious to rewrite the fields inline in the test but it's significantly more useful because:
+//   - It forces the test author to think about and convey exactly the expected fields for a command
+//   - It avoids accidentally adding fields to a command, and the test passing unintentionally
+func ExpectCommandToSupportJSONFields[T any](t *testing.T, fn NewCmdFunc[T], expectedFields []string) {
+	t.Helper()
+
+	actualFields := jsonFieldsFor(fn(&cmdutil.Factory{}, nil))
+	assert.Equal(t, len(actualFields), len(expectedFields), "expected number of fields to match")
+	require.ElementsMatch(t, expectedFields, actualFields)
+}

From 28cc56cd456b51b3858e0556228ba26373777513 Mon Sep 17 00:00:00 2001
From: notomo <notomo.motono@gmail.com>
Date: Sat, 13 Jul 2024 11:01:48 +0900
Subject: [PATCH 161/253] Raise error if editor is used in non-tty mode

---
 pkg/cmd/issue/create/create.go      |  3 +++
 pkg/cmd/issue/create/create_test.go | 16 +++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 98b05a5e3e8..6de78f2e1a7 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -118,6 +118,9 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			if opts.Interactive && !opts.IO.CanPrompt() {
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` when not running interactively")
 			}
+			if opts.EditorMode && !opts.IO.CanPrompt() {
+				return errors.New("--editor or enabled prefer_editor_prompt configuration are not supported in non-tty mode")
+			}
 
 			if runF != nil {
 				return runF(opts)
diff --git a/pkg/cmd/issue/create/create_test.go b/pkg/cmd/issue/create/create_test.go
index bd544990f3d..9ae959c5797 100644
--- a/pkg/cmd/issue/create/create_test.go
+++ b/pkg/cmd/issue/create/create_test.go
@@ -128,7 +128,7 @@ func TestNewCmdCreate(t *testing.T) {
 		},
 		{
 			name:     "editor by cli",
-			tty:      false,
+			tty:      true,
 			cli:      "--editor",
 			wantsErr: false,
 			wantsOpts: CreateOptions{
@@ -142,7 +142,7 @@ func TestNewCmdCreate(t *testing.T) {
 		},
 		{
 			name:     "editor by config",
-			tty:      false,
+			tty:      true,
 			cli:      "",
 			config:   "prefer_editor_prompt: enabled",
 			wantsErr: false,
@@ -157,7 +157,7 @@ func TestNewCmdCreate(t *testing.T) {
 		},
 		{
 			name:     "editor and template",
-			tty:      false,
+			tty:      true,
 			cli:      `--editor --template "bug report"`,
 			wantsErr: false,
 			wantsOpts: CreateOptions{
@@ -172,13 +172,13 @@ func TestNewCmdCreate(t *testing.T) {
 		},
 		{
 			name:     "editor and web",
-			tty:      false,
+			tty:      true,
 			cli:      "--editor --web",
 			wantsErr: true,
 		},
 		{
 			name:     "can use web even though editor is enabled by config",
-			tty:      false,
+			tty:      true,
 			cli:      `--web --title mytitle --body "issue body"`,
 			config:   "prefer_editor_prompt: enabled",
 			wantsErr: false,
@@ -191,6 +191,12 @@ func TestNewCmdCreate(t *testing.T) {
 				Interactive: false,
 			},
 		},
+		{
+			name:     "editor with non-tty",
+			tty:      false,
+			cli:      "--editor",
+			wantsErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From 171e8d33f8c7996ec0d67cdb6cbfa1917ed0e136 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 15:02:22 +0100
Subject: [PATCH 162/253] Print message on stdout instead of stderr

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go      |  4 ++--
 pkg/cmd/pr/update/update_test.go | 16 +++++-----------
 2 files changed, 7 insertions(+), 13 deletions(-)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index 2d84a7ac1d5..323ca7bcc5c 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -111,7 +111,7 @@ func updateRun(opts *UpdateOptions) error {
 	cs := opts.IO.ColorScheme()
 	if comparison.BehindBy == 0 {
 		// The PR branch is not behind the base branch, so it'a already up-to-date.
-		fmt.Fprintf(opts.IO.ErrOut, "%s PR branch already up-to-date\n", cs.SuccessIcon())
+		fmt.Fprintf(opts.IO.Out, "%s PR branch already up-to-date\n", cs.SuccessIcon())
 		return nil
 	}
 
@@ -122,7 +122,7 @@ func updateRun(opts *UpdateOptions) error {
 		return err
 	}
 
-	fmt.Fprintf(opts.IO.ErrOut, "%s PR branch updated\n", cs.SuccessIcon())
+	fmt.Fprintf(opts.IO.Out, "%s PR branch updated\n", cs.SuccessIcon())
 	return nil
 }
 
diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index e55391aeb56..e7bfd51e95a 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -114,7 +114,6 @@ func Test_updateRun(t *testing.T) {
 		input     *UpdateOptions
 		httpStubs func(*testing.T, *httpmock.Registry)
 		stdout    string
-		stderr    string
 		wantsErr  string
 	}{
 		{
@@ -152,8 +151,7 @@ func Test_updateRun(t *testing.T) {
 						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
 					}))
 			},
-			stdout: "",
-			stderr: "✓ PR branch already up-to-date\n",
+			stdout: "✓ PR branch already up-to-date\n",
 		},
 		{
 			name: "success, already up-to-date, PR branch on the same repo as base",
@@ -189,8 +187,7 @@ func Test_updateRun(t *testing.T) {
 						assert.Equal(t, "head-ref-name", inputs["headRef"])
 					}))
 			},
-			stdout: "",
-			stderr: "✓ PR branch already up-to-date\n",
+			stdout: "✓ PR branch already up-to-date\n",
 		},
 		{
 			name: "success, merge",
@@ -232,8 +229,7 @@ func Test_updateRun(t *testing.T) {
 						assert.Equal(t, "MERGE", inputs["updateMethod"])
 					}))
 			},
-			stdout: "",
-			stderr: "✓ PR branch updated\n",
+			stdout: "✓ PR branch updated\n",
 		},
 		{
 			name: "success, rebase",
@@ -276,8 +272,7 @@ func Test_updateRun(t *testing.T) {
 						assert.Equal(t, "REBASE", inputs["updateMethod"])
 					}))
 			},
-			stdout: "",
-			stderr: "✓ PR branch updated\n",
+			stdout: "✓ PR branch updated\n",
 		},
 		{
 			name: "failure, API error on ref comparison request",
@@ -347,7 +342,7 @@ func Test_updateRun(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ios, _, stdout, stderr := iostreams.Test()
+			ios, _, stdout, _ := iostreams.Test()
 			ios.SetStdoutTTY(true)
 			ios.SetStdinTTY(true)
 			ios.SetStderrTTY(true)
@@ -382,7 +377,6 @@ func Test_updateRun(t *testing.T) {
 			}
 
 			assert.Equal(t, tt.stdout, stdout.String())
-			assert.Equal(t, tt.stderr, stderr.String())
 		})
 	}
 }

From 1a6f59820e50b1b3222b5fa8ef0e0695ecf92901 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 15:05:43 +0100
Subject: [PATCH 163/253] Remove unused flag

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index 323ca7bcc5c..4d170ac96d3 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -72,8 +72,6 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 
 	cmd.Flags().BoolVar(&opts.Rebase, "rebase", false, "Update PR branch by rebasing on top of latest base branch")
 
-	_ = cmdutil.RegisterBranchCompletionFlags(f.GitClient, cmd, "base")
-
 	return cmd
 }
 

From feb5aa55b982ea9a0eb79667147f859e22d3e770 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 15:28:27 +0100
Subject: [PATCH 164/253] Add separate type for `PullRequest.Mergeable` field

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 api/queries_pr.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index 7ecaad50b82..0ef089bb540 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -16,6 +16,14 @@ type PullRequestAndTotalCount struct {
 	SearchCapped bool
 }
 
+type PullRequestMergeable string
+
+const (
+	PullRequestMergeableConflicting PullRequestMergeable = "CONFLICTING"
+	PullRequestMergeableMergeable   PullRequestMergeable = "MERGEABLE"
+	PullRequestMergeableUnknown     PullRequestMergeable = "UNKNOWN"
+)
+
 type PullRequest struct {
 	ID                  string
 	Number              int
@@ -27,7 +35,7 @@ type PullRequest struct {
 	HeadRefName         string
 	HeadRefOid          string
 	Body                string
-	Mergeable           string
+	Mergeable           PullRequestMergeable
 	Additions           int
 	Deletions           int
 	ChangedFiles        int

From 28c72eb5b70389e2b038725fad18b5fd854fae9d Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 15:29:11 +0100
Subject: [PATCH 165/253] Replace literals with consts for `Mergeable` field
 values

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/status/status.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/pr/status/status.go b/pkg/cmd/pr/status/status.go
index 2cd28f2edc6..27666461d4c 100644
--- a/pkg/cmd/pr/status/status.go
+++ b/pkg/cmd/pr/status/status.go
@@ -276,14 +276,14 @@ func printPrs(io *iostreams.IOStreams, totalCount int, prs ...api.PullRequest) {
 				fmt.Fprint(w, cs.Green(fmt.Sprintf("✓ %s Approved", s)))
 			}
 
-			if pr.Mergeable == "MERGEABLE" {
+			if pr.Mergeable == api.PullRequestMergeableMergeable {
 				// prefer "No merge conflicts" to "Mergeable" as there is more to mergeability
 				// than the git status. Missing or failing required checks prevent merging
 				// even though a PR is technically mergeable, which is often a source of confusion.
 				fmt.Fprintf(w, " %s", cs.Green("✓ No merge conflicts"))
-			} else if pr.Mergeable == "CONFLICTING" {
+			} else if pr.Mergeable == api.PullRequestMergeableConflicting {
 				fmt.Fprintf(w, " %s", cs.Red("× Merge conflicts"))
-			} else if pr.Mergeable == "UNKNOWN" {
+			} else if pr.Mergeable == api.PullRequestMergeableUnknown {
 				fmt.Fprintf(w, " %s", cs.Yellow("! Merge conflict status unknown"))
 			}
 

From 497a915a46d43b0ca12273be9ab0958bce4a7502 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 15:29:53 +0100
Subject: [PATCH 166/253] Return error if PR is not mergeable

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go      |  9 +++++++--
 pkg/cmd/pr/update/update_test.go | 22 +++++++++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index 4d170ac96d3..dda1fa3e86c 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -78,7 +78,7 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 func updateRun(opts *UpdateOptions) error {
 	findOptions := shared.FindOptions{
 		Selector: opts.SelectorArg,
-		Fields:   []string{"id", "number", "headRefName", "headRefOid", "headRepositoryOwner"},
+		Fields:   []string{"id", "number", "headRefName", "headRefOid", "headRepositoryOwner", "mergeable"},
 	}
 
 	pr, repo, err := opts.Finder.Find(findOptions)
@@ -86,6 +86,12 @@ func updateRun(opts *UpdateOptions) error {
 		return err
 	}
 
+	cs := opts.IO.ColorScheme()
+	if pr.Mergeable == api.PullRequestMergeableConflicting {
+		fmt.Fprintf(opts.IO.ErrOut, "%s Cannot update PR branch due to conflicts\n", cs.FailureIcon())
+		return cmdutil.SilentError
+	}
+
 	httpClient, err := opts.HttpClient()
 	if err != nil {
 		return err
@@ -106,7 +112,6 @@ func updateRun(opts *UpdateOptions) error {
 		return err
 	}
 
-	cs := opts.IO.ColorScheme()
 	if comparison.BehindBy == 0 {
 		// The PR branch is not behind the base branch, so it'a already up-to-date.
 		fmt.Fprintf(opts.IO.Out, "%s PR branch already up-to-date\n", cs.SuccessIcon())
diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index e7bfd51e95a..546ca0ed211 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -105,6 +105,7 @@ func Test_updateRun(t *testing.T) {
 				HeadRefOid:          "head-ref-oid",
 				HeadRefName:         "head-ref-name",
 				HeadRepositoryOwner: api.Owner{Login: "head-repository-owner"},
+				Mergeable:           api.PullRequestMergeableMergeable,
 			}, ghrepo.New("OWNER", "REPO")),
 		}
 	}
@@ -114,6 +115,7 @@ func Test_updateRun(t *testing.T) {
 		input     *UpdateOptions
 		httpStubs func(*testing.T, *httpmock.Registry)
 		stdout    string
+		stderr    string
 		wantsErr  string
 	}{
 		{
@@ -163,6 +165,7 @@ func Test_updateRun(t *testing.T) {
 					HeadRefOid:          "head-ref-oid",
 					HeadRefName:         "head-ref-name",
 					HeadRepositoryOwner: api.Owner{Login: "OWNER"},
+					Mergeable:           api.PullRequestMergeableMergeable,
 				}, ghrepo.New("OWNER", "REPO")),
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -189,6 +192,22 @@ func Test_updateRun(t *testing.T) {
 			},
 			stdout: "✓ PR branch already up-to-date\n",
 		},
+		{
+			name: "failure, not mergeable due to conflicts",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+				Finder: shared.NewMockFinder("123", &api.PullRequest{
+					ID:                  "123",
+					Number:              123,
+					HeadRefOid:          "head-ref-oid",
+					HeadRefName:         "head-ref-name",
+					HeadRepositoryOwner: api.Owner{Login: "OWNER"},
+					Mergeable:           api.PullRequestMergeableConflicting,
+				}, ghrepo.New("OWNER", "REPO")),
+			},
+			stderr:   "X Cannot update PR branch due to conflicts\n",
+			wantsErr: cmdutil.SilentError.Error(),
+		},
 		{
 			name: "success, merge",
 			input: &UpdateOptions{
@@ -342,7 +361,7 @@ func Test_updateRun(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ios, _, stdout, _ := iostreams.Test()
+			ios, _, stdout, stderr := iostreams.Test()
 			ios.SetStdoutTTY(true)
 			ios.SetStdinTTY(true)
 			ios.SetStderrTTY(true)
@@ -377,6 +396,7 @@ func Test_updateRun(t *testing.T) {
 			}
 
 			assert.Equal(t, tt.stdout, stdout.String())
+			assert.Equal(t, tt.stderr, stderr.String())
 		})
 	}
 }

From 5d2378dc1d9a48e56ba40098791cd0e4e322f9c5 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 17:30:48 +0100
Subject: [PATCH 167/253] Handle merge conflict error

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index dda1fa3e86c..6572a13b0ed 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -3,6 +3,7 @@ package update
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/cli/cli/v2/api"
@@ -122,6 +123,11 @@ func updateRun(opts *UpdateOptions) error {
 	err = updatePullRequestBranch(apiClient, repo, pr.ID, pr.HeadRefOid, opts.Rebase)
 	opts.IO.StopProgressIndicator()
 	if err != nil {
+		// TODO: this is a best effort approach and not a resilient way of handling API errors.
+		if strings.Contains(err.Error(), "GraphQL: merge conflict between base and head (updatePullRequestBranch)") {
+			fmt.Fprintf(opts.IO.ErrOut, "%s Cannot update PR branch due to conflicts\n", cs.FailureIcon())
+			return cmdutil.SilentError
+		}
 		return err
 	}
 

From 989152e64ff396ceec1402b7f386f40a035b1e4c Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 16 Jul 2024 17:33:59 +0100
Subject: [PATCH 168/253] Add test case for merge conflict error

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update_test.go | 44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index 546ca0ed211..2b7bb0682a8 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -315,6 +315,50 @@ func Test_updateRun(t *testing.T) {
 			},
 			wantsErr: "GraphQL: some error",
 		},
+		{
+			name: "failure, merge conflict error on update request",
+			input: &UpdateOptions{
+				SelectorArg: "123",
+			},
+			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
+				reg.Register(
+					httpmock.GraphQL(`query ComparePullRequestBaseBranchWith\b`),
+					httpmock.GraphQLQuery(`{
+						"data": {
+							"repository": {
+								"pullRequest": {
+									"baseRef": {
+										"compare": {
+											"aheadBy": 999,
+											"behindBy": 999,
+											"Status": "BEHIND"
+										}
+									}
+								}
+							}
+						}
+					}`, func(_ string, inputs map[string]interface{}) {
+						assert.Equal(t, float64(123), inputs["pullRequestNumber"])
+						assert.Equal(t, "head-repository-owner:head-ref-name", inputs["headRef"])
+					}))
+				reg.Register(
+					httpmock.GraphQL(`mutation PullRequestUpdateBranch\b`),
+					httpmock.GraphQLMutation(`{
+						"data": {},
+						"errors": [
+							{
+								"message": "merge conflict between base and head (updatePullRequestBranch)"
+							}
+						]
+					}`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "123", inputs["pullRequestId"])
+						assert.Equal(t, "head-ref-oid", inputs["expectedHeadOid"])
+						assert.Equal(t, "MERGE", inputs["updateMethod"])
+					}))
+			},
+			stderr:   "X Cannot update PR branch due to conflicts\n",
+			wantsErr: cmdutil.SilentError.Error(),
+		},
 		{
 			name: "failure, API error on update request",
 			input: &UpdateOptions{

From b584895ad8a8f703d1807755019db43e0eca5ec7 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 17 Jul 2024 18:45:57 +0100
Subject: [PATCH 169/253] Rename `gh pr update` to `gh pr update-branch`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/pr.go                 |  4 +--
 pkg/cmd/pr/update/update.go      | 18 ++++++-------
 pkg/cmd/pr/update/update_test.go | 44 ++++++++++++++++----------------
 3 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/pkg/cmd/pr/pr.go b/pkg/cmd/pr/pr.go
index aaf15b651a3..d6a1e46e1c3 100644
--- a/pkg/cmd/pr/pr.go
+++ b/pkg/cmd/pr/pr.go
@@ -16,7 +16,7 @@ import (
 	cmdReopen "github.com/cli/cli/v2/pkg/cmd/pr/reopen"
 	cmdReview "github.com/cli/cli/v2/pkg/cmd/pr/review"
 	cmdStatus "github.com/cli/cli/v2/pkg/cmd/pr/status"
-	cmdUpdate "github.com/cli/cli/v2/pkg/cmd/pr/update"
+	cmdUpdateBranch "github.com/cli/cli/v2/pkg/cmd/pr/update"
 	cmdView "github.com/cli/cli/v2/pkg/cmd/pr/view"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/spf13/cobra"
@@ -58,7 +58,7 @@ func NewCmdPR(f *cmdutil.Factory) *cobra.Command {
 		cmdChecks.NewCmdChecks(f, nil),
 		cmdReview.NewCmdReview(f, nil),
 		cmdMerge.NewCmdMerge(f, nil),
-		cmdUpdate.NewCmdUpdate(f, nil),
+		cmdUpdateBranch.NewCmdUpdateBranch(f, nil),
 		cmdReady.NewCmdReady(f, nil),
 		cmdComment.NewCmdComment(f, nil),
 		cmdClose.NewCmdClose(f, nil),
diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index 6572a13b0ed..a6b30370575 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -16,7 +16,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-type UpdateOptions struct {
+type UpdateBranchOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
 	GitClient  *git.Client
@@ -27,15 +27,15 @@ type UpdateOptions struct {
 	Rebase      bool
 }
 
-func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Command {
-	opts := &UpdateOptions{
+func NewCmdUpdateBranch(f *cmdutil.Factory, runF func(*UpdateBranchOptions) error) *cobra.Command {
+	opts := &UpdateBranchOptions{
 		IO:         f.IOStreams,
 		HttpClient: f.HttpClient,
 		GitClient:  f.GitClient,
 	}
 
 	cmd := &cobra.Command{
-		Use:   "update [<number> | <url> | <branch>]",
+		Use:   "update-branch [<number> | <url> | <branch>]",
 		Short: "Update a pull request branch",
 		Long: heredoc.Docf(`
 			Update a pull request branch with latest changes of the base branch.
@@ -47,9 +47,9 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 			branch, the %[1]s--rebase%[1]s option should be provided.
 		`, "`"),
 		Example: heredoc.Doc(`
-			$ gh pr update 23
-			$ gh pr update 23 --rebase
-			$ gh pr update 23 --repo owner/repo
+			$ gh pr update-branch 23
+			$ gh pr update-branch 23 --rebase
+			$ gh pr update-branch 23 --repo owner/repo
 		`),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -67,7 +67,7 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 				return runF(opts)
 			}
 
-			return updateRun(opts)
+			return updateBranchRun(opts)
 		},
 	}
 
@@ -76,7 +76,7 @@ func NewCmdUpdate(f *cmdutil.Factory, runF func(*UpdateOptions) error) *cobra.Co
 	return cmd
 }
 
-func updateRun(opts *UpdateOptions) error {
+func updateBranchRun(opts *UpdateBranchOptions) error {
 	findOptions := shared.FindOptions{
 		Selector: opts.SelectorArg,
 		Fields:   []string{"id", "number", "headRefName", "headRefOid", "headRepositoryOwner", "mergeable"},
diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index 2b7bb0682a8..dbb749bec08 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -16,36 +16,36 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestNewCmdUpdate(t *testing.T) {
+func TestNewCmdUpdateBranch(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    string
-		output   UpdateOptions
+		output   UpdateBranchOptions
 		wantsErr string
 	}{
 		{
 			name:   "no argument",
 			input:  "",
-			output: UpdateOptions{},
+			output: UpdateBranchOptions{},
 		},
 		{
 			name:  "with argument",
 			input: "23",
-			output: UpdateOptions{
+			output: UpdateBranchOptions{
 				SelectorArg: "23",
 			},
 		},
 		{
 			name:  "no argument, --rebase",
 			input: "--rebase",
-			output: UpdateOptions{
+			output: UpdateBranchOptions{
 				Rebase: true,
 			},
 		},
 		{
 			name:  "with argument, --rebase",
 			input: "23 --rebase",
-			output: UpdateOptions{
+			output: UpdateBranchOptions{
 				SelectorArg: "23",
 				Rebase:      true,
 			},
@@ -67,8 +67,8 @@ func TestNewCmdUpdate(t *testing.T) {
 				IOStreams: ios,
 			}
 
-			var gotOpts *UpdateOptions
-			cmd := NewCmdUpdate(f, func(opts *UpdateOptions) error {
+			var gotOpts *UpdateBranchOptions
+			cmd := NewCmdUpdateBranch(f, func(opts *UpdateBranchOptions) error {
 				gotOpts = opts
 				return nil
 			})
@@ -96,9 +96,9 @@ func TestNewCmdUpdate(t *testing.T) {
 	}
 }
 
-func Test_updateRun(t *testing.T) {
-	defaultInput := func() UpdateOptions {
-		return UpdateOptions{
+func Test_updateBranchRun(t *testing.T) {
+	defaultInput := func() UpdateBranchOptions {
+		return UpdateBranchOptions{
 			Finder: shared.NewMockFinder("123", &api.PullRequest{
 				ID:                  "123",
 				Number:              123,
@@ -112,7 +112,7 @@ func Test_updateRun(t *testing.T) {
 
 	tests := []struct {
 		name      string
-		input     *UpdateOptions
+		input     *UpdateBranchOptions
 		httpStubs func(*testing.T, *httpmock.Registry)
 		stdout    string
 		stderr    string
@@ -120,7 +120,7 @@ func Test_updateRun(t *testing.T) {
 	}{
 		{
 			name: "failure, pr not found",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				Finder:      shared.NewMockFinder("", nil, nil),
 				SelectorArg: "123",
 			},
@@ -128,7 +128,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "success, already up-to-date",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -157,7 +157,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "success, already up-to-date, PR branch on the same repo as base",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 				Finder: shared.NewMockFinder("123", &api.PullRequest{
 					ID:                  "123",
@@ -194,7 +194,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "failure, not mergeable due to conflicts",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 				Finder: shared.NewMockFinder("123", &api.PullRequest{
 					ID:                  "123",
@@ -210,7 +210,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "success, merge",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -252,7 +252,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "success, rebase",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 				Rebase:      true,
 			},
@@ -295,7 +295,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "failure, API error on ref comparison request",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -317,7 +317,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "failure, merge conflict error on update request",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -361,7 +361,7 @@ func Test_updateRun(t *testing.T) {
 		},
 		{
 			name: "failure, API error on update request",
-			input: &UpdateOptions{
+			input: &UpdateBranchOptions{
 				SelectorArg: "123",
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
@@ -430,7 +430,7 @@ func Test_updateRun(t *testing.T) {
 			tt.input.IO = ios
 			tt.input.HttpClient = httpClient
 
-			err := updateRun(tt.input)
+			err := updateBranchRun(tt.input)
 
 			if tt.wantsErr != "" {
 				assert.EqualError(t, err, tt.wantsErr)

From 5b71586f3973b560781b22d8682ee1ff68fe3ddd Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 17 Jul 2024 18:50:59 +0100
Subject: [PATCH 170/253] Rename package name to `update_branch`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/update/update.go      | 2 +-
 pkg/cmd/pr/update/update_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update/update.go
index a6b30370575..023fdae50d8 100644
--- a/pkg/cmd/pr/update/update.go
+++ b/pkg/cmd/pr/update/update.go
@@ -1,4 +1,4 @@
-package update
+package update_branch
 
 import (
 	"fmt"
diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update/update_test.go
index dbb749bec08..fa0902c3cd0 100644
--- a/pkg/cmd/pr/update/update_test.go
+++ b/pkg/cmd/pr/update/update_test.go
@@ -1,4 +1,4 @@
-package update
+package update_branch
 
 import (
 	"bytes"

From 5b918cfdf0fe781a500624131e0bec8220ad4edb Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Wed, 17 Jul 2024 18:52:23 +0100
Subject: [PATCH 171/253] Rename package directory and files

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/pr.go                                                | 2 +-
 pkg/cmd/pr/{update/update.go => update-branch/update_branch.go} | 0
 .../update_test.go => update-branch/update_branch_test.go}      | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename pkg/cmd/pr/{update/update.go => update-branch/update_branch.go} (100%)
 rename pkg/cmd/pr/{update/update_test.go => update-branch/update_branch_test.go} (100%)

diff --git a/pkg/cmd/pr/pr.go b/pkg/cmd/pr/pr.go
index d6a1e46e1c3..406cc08b79e 100644
--- a/pkg/cmd/pr/pr.go
+++ b/pkg/cmd/pr/pr.go
@@ -16,7 +16,7 @@ import (
 	cmdReopen "github.com/cli/cli/v2/pkg/cmd/pr/reopen"
 	cmdReview "github.com/cli/cli/v2/pkg/cmd/pr/review"
 	cmdStatus "github.com/cli/cli/v2/pkg/cmd/pr/status"
-	cmdUpdateBranch "github.com/cli/cli/v2/pkg/cmd/pr/update"
+	cmdUpdateBranch "github.com/cli/cli/v2/pkg/cmd/pr/update-branch"
 	cmdView "github.com/cli/cli/v2/pkg/cmd/pr/view"
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/spf13/cobra"
diff --git a/pkg/cmd/pr/update/update.go b/pkg/cmd/pr/update-branch/update_branch.go
similarity index 100%
rename from pkg/cmd/pr/update/update.go
rename to pkg/cmd/pr/update-branch/update_branch.go
diff --git a/pkg/cmd/pr/update/update_test.go b/pkg/cmd/pr/update-branch/update_branch_test.go
similarity index 100%
rename from pkg/cmd/pr/update/update_test.go
rename to pkg/cmd/pr/update-branch/update_branch_test.go

From e0c03fc60352af2caf5d60dbb3cfad258a53f318 Mon Sep 17 00:00:00 2001
From: Jesse Houwing <jesse.houwing@gmail.com>
Date: Thu, 18 Jul 2024 10:20:44 +0200
Subject: [PATCH 172/253] Remove redundant whitespace

---
 pkg/cmd/repo/create/create.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/repo/create/create.go b/pkg/cmd/repo/create/create.go
index 78618c5aa31..05e8909e1d2 100644
--- a/pkg/cmd/repo/create/create.go
+++ b/pkg/cmd/repo/create/create.go
@@ -102,7 +102,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			# create a new remote repository and clone it locally
 			gh repo create my-project --public --clone
 
-                        # create a new remote repository in a different organization
+			# create a new remote repository in a different organization
 			gh repo create my-org/my-project --public
 
 			# create a remote repository from the current directory

From a81a1f7e906ef3666ef3913efd1232afea634bd4 Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Fri, 19 Jul 2024 09:24:47 -0400
Subject: [PATCH 173/253] Remove attestation test that requires being online
 (#9340)

Signed-off-by: Zach Steindler <steiza@github.com>
---
 pkg/cmd/attestation/trustedroot/trustedroot_test.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pkg/cmd/attestation/trustedroot/trustedroot_test.go b/pkg/cmd/attestation/trustedroot/trustedroot_test.go
index d67075f207f..70b5ae2a145 100644
--- a/pkg/cmd/attestation/trustedroot/trustedroot_test.go
+++ b/pkg/cmd/attestation/trustedroot/trustedroot_test.go
@@ -85,11 +85,6 @@ func TestGetTrustedRoot(t *testing.T) {
 		TufRootPath: root,
 	}
 
-	t.Run("successfully verifies TUF root", func(t *testing.T) {
-		err := getTrustedRoot(tuf.New, opts)
-		require.NoError(t, err)
-	})
-
 	t.Run("failed to create TUF root", func(t *testing.T) {
 		err := getTrustedRoot(newTUFErrClient, opts)
 		require.Error(t, err)

From 17257df06458838c7c7309128ad0ca4e7f9f0457 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 21 Jul 2024 12:45:28 +0100
Subject: [PATCH 174/253] Verify `--body` and `--body-file` are not assignable
 at the same time

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/issue/edit/edit_test.go b/pkg/cmd/issue/edit/edit_test.go
index db0b09d2d0f..b6b7e8f186c 100644
--- a/pkg/cmd/issue/edit/edit_test.go
+++ b/pkg/cmd/issue/edit/edit_test.go
@@ -104,6 +104,11 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:     "both body and body-file flags",
+			input:    "23 --body foo --body-file bar",
+			wantsErr: true,
+		},
 		{
 			name:  "add-assignee flag",
 			input: "23 --add-assignee monalisa,hubot",

From 9dabc3b8dd282275a785a2461370fee907af847c Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 21 Jul 2024 12:53:15 +0100
Subject: [PATCH 175/253] Remove unused expected `output` from test case (with
 `wantsErr: true`)

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit_test.go | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/pkg/cmd/issue/edit/edit_test.go b/pkg/cmd/issue/edit/edit_test.go
index b6b7e8f186c..a7e68cbc03a 100644
--- a/pkg/cmd/issue/edit/edit_test.go
+++ b/pkg/cmd/issue/edit/edit_test.go
@@ -226,17 +226,8 @@ func TestNewCmdEdit(t *testing.T) {
 			wantsErr: false,
 		},
 		{
-			name:  "interactive multiple issues",
-			input: "23 34",
-			output: EditOptions{
-				SelectorArgs: []string{"23", "34"},
-				Editable: prShared.Editable{
-					Labels: prShared.EditableSlice{
-						Add:    []string{"bug"},
-						Edited: true,
-					},
-				},
-			},
+			name:     "interactive multiple issues",
+			input:    "23 34",
 			wantsErr: true,
 		},
 	}

From 683576d6bf509e1602d38a44554a38abd6994b79 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 21 Jul 2024 12:54:23 +0100
Subject: [PATCH 176/253] Add `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/edit/edit.go b/pkg/cmd/issue/edit/edit.go
index 1b775f88bc9..7b971946870 100644
--- a/pkg/cmd/issue/edit/edit.go
+++ b/pkg/cmd/issue/edit/edit.go
@@ -32,6 +32,7 @@ type EditOptions struct {
 	Interactive  bool
 
 	prShared.Editable
+	RemoveMilestone bool
 }
 
 func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Command {
@@ -62,6 +63,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			$ gh issue edit 23 --add-assignee "@me" --remove-assignee monalisa,hubot
 			$ gh issue edit 23 --add-project "Roadmap" --remove-project v1,v2
 			$ gh issue edit 23 --milestone "Version 1"
+			$ gh issue edit 23 --remove-milestone
 			$ gh issue edit 23 --body-file body.txt
 			$ gh issue edit 23 34 --add-label "help wanted"
 		`),
@@ -95,6 +97,14 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 				}
 			}
 
+			if err := cmdutil.MutuallyExclusive(
+				"specify only one of `--milestone` or `--remove-milestone`",
+				flags.Changed("milestone"),
+				opts.RemoveMilestone,
+			); err != nil {
+				return err
+			}
+
 			if flags.Changed("title") {
 				opts.Editable.Title.Edited = true
 			}
@@ -107,8 +117,12 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if flags.Changed("add-project") || flags.Changed("remove-project") {
 				opts.Editable.Projects.Edited = true
 			}
-			if flags.Changed("milestone") {
+			if flags.Changed("milestone") || opts.RemoveMilestone {
 				opts.Editable.Milestone.Edited = true
+
+				// Note that when `--remove-milestone` is provided, the value of
+				// `opts.Editable.Milestone.Value` will automatically be empty,
+				// which results in milestone association removal.
 			}
 
 			if !opts.Editable.Dirty() {
@@ -141,6 +155,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the issue to projects by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the issue from projects by `name`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the issue belongs to by `name`")
+	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone the issue belongs to")
 
 	return cmd
 }

From 168a8832f087ba1a3a021c16b96743c42959f0f4 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 21 Jul 2024 12:55:47 +0100
Subject: [PATCH 177/253] Assert correct parsing of `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit_test.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/cmd/issue/edit/edit_test.go b/pkg/cmd/issue/edit/edit_test.go
index a7e68cbc03a..1457c646403 100644
--- a/pkg/cmd/issue/edit/edit_test.go
+++ b/pkg/cmd/issue/edit/edit_test.go
@@ -211,6 +211,20 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:  "remove-milestone flag",
+			input: "23 --remove-milestone",
+			output: EditOptions{
+				SelectorArgs: []string{"23"},
+				Editable: prShared.Editable{
+					Milestone: prShared.EditableString{
+						Value:  "",
+						Edited: true,
+					},
+				},
+			},
+			wantsErr: false,
+		},
 		{
 			name:  "add label to multiple issues",
 			input: "23 34 --add-label bug",

From 42da8baf7046b801e4c9c78a23effc048a2c81c5 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 21 Jul 2024 12:56:14 +0100
Subject: [PATCH 178/253] Verify `--milestone` and `--remove-milestone` are not
 assignable at the same time

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/issue/edit/edit_test.go b/pkg/cmd/issue/edit/edit_test.go
index 1457c646403..40fe6491cbe 100644
--- a/pkg/cmd/issue/edit/edit_test.go
+++ b/pkg/cmd/issue/edit/edit_test.go
@@ -225,6 +225,11 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:     "both milestone and remove-milestone flags",
+			input:    "23 --milestone foo --remove-milestone",
+			wantsErr: true,
+		},
 		{
 			name:  "add label to multiple issues",
 			input: "23 34 --add-label bug",

From 0a3a12839dd54a282c6035e1c30a49b25ee868c0 Mon Sep 17 00:00:00 2001
From: Simon <33755707+Stausssi@users.noreply.github.com>
Date: Sun, 23 Jun 2024 11:56:10 +0000
Subject: [PATCH 179/253] Exit with 1 on authentication failure

---
 pkg/cmd/auth/status/status.go      | 26 ++++++++++++---
 pkg/cmd/auth/status/status_test.go | 52 ++++++++++++++++++++++++++++--
 2 files changed, 72 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index 153c03c0483..2d08c555a4f 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -217,6 +217,10 @@ func statusRun(opts *StatusOptions) error {
 		})
 		statuses[hostname] = append(statuses[hostname], entry)
 
+		if err == nil && !isValidEntry(entry) {
+			err = cmdutil.SilentError
+		}
+
 		users := authCfg.UsersForHost(hostname)
 		for _, username := range users {
 			if username == activeUser {
@@ -233,6 +237,10 @@ func statusRun(opts *StatusOptions) error {
 				username:    username,
 			})
 			statuses[hostname] = append(statuses[hostname], entry)
+
+			if err == nil && !isValidEntry(entry) {
+				err = cmdutil.SilentError
+			}
 		}
 	}
 
@@ -243,15 +251,20 @@ func statusRun(opts *StatusOptions) error {
 			continue
 		}
 
+		stream := stdout
+		if err != nil {
+			stream = stderr
+		}
+
 		if prevEntry {
-			fmt.Fprint(stdout, "\n")
+			fmt.Fprint(stream, "\n")
 		}
 		prevEntry = true
-		fmt.Fprintf(stdout, "%s\n", cs.Bold(hostname))
-		fmt.Fprintf(stdout, "%s", strings.Join(entries.Strings(cs), "\n"))
+		fmt.Fprintf(stream, "%s\n", cs.Bold(hostname))
+		fmt.Fprintf(stream, "%s", strings.Join(entries.Strings(cs), "\n"))
 	}
 
-	return nil
+	return err
 }
 
 func displayToken(token string, printRaw bool) string {
@@ -356,3 +369,8 @@ func buildEntry(httpClient *http.Client, opts buildEntryOptions) Entry {
 func authTokenWriteable(src string) bool {
 	return !strings.HasSuffix(src, "_TOKEN")
 }
+
+func isValidEntry(entry Entry) bool {
+	_, ok := entry.(validEntry)
+	return ok
+}
diff --git a/pkg/cmd/auth/status/status_test.go b/pkg/cmd/auth/status/status_test.go
index ce4897978da..03c26ca0489 100644
--- a/pkg/cmd/auth/status/status_test.go
+++ b/pkg/cmd/auth/status/status_test.go
@@ -100,7 +100,8 @@ func Test_statusRun(t *testing.T) {
 					return nil, context.DeadlineExceeded
 				})
 			},
-			wantOut: heredoc.Doc(`
+			wantErr: cmdutil.SilentError,
+			wantErrOut: heredoc.Doc(`
 				github.com
 				  X Timeout trying to log in to github.com account monalisa (GH_CONFIG_DIR/hosts.yml)
 				  - Active account: true
@@ -159,7 +160,53 @@ func Test_statusRun(t *testing.T) {
 				// mock for HeaderHasMinimumScopes api requests to a non-github.com host
 				reg.Register(httpmock.REST("GET", "api/v3/"), httpmock.StatusStringResponse(400, "no bueno"))
 			},
+			wantErr: cmdutil.SilentError,
+			wantErrOut: heredoc.Doc(`
+				ghe.io
+				  X Failed to log in to ghe.io account monalisa-ghe (GH_CONFIG_DIR/hosts.yml)
+				  - Active account: true
+				  - The token in GH_CONFIG_DIR/hosts.yml is invalid.
+				  - To re-authenticate, run: gh auth login -h ghe.io
+				  - To forget about this account, run: gh auth logout -h ghe.io -u monalisa-ghe
+			`),
+		},
+		{
+			name: "bad token on other host",
+			opts: StatusOptions{
+				Hostname: "ghe.io",
+			},
+			cfgStubs: func(t *testing.T, c gh.Config) {
+				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
+				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "https")
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				// mocks for HeaderHasMinimumScopes api requests to a non-github.com host
+				reg.Register(httpmock.REST("GET", "api/v3/"), httpmock.WithHeader(httpmock.ScopesResponder("repo,read:org"), "X-Oauth-Scopes", "repo, read:org"))
+			},
 			wantOut: heredoc.Doc(`
+				ghe.io
+				  ✓ Logged in to ghe.io account monalisa-ghe (GH_CONFIG_DIR/hosts.yml)
+				  - Active account: true
+				  - Git operations protocol: https
+				  - Token: gho_******
+				  - Token scopes: 'repo', 'read:org'
+			`),
+		},
+		{
+			name: "bad token on selected host",
+			opts: StatusOptions{
+				Hostname: "ghe.io",
+			},
+			cfgStubs: func(t *testing.T, c gh.Config) {
+				login(t, c, "github.com", "monalisa", "gho_abc123", "https")
+				login(t, c, "ghe.io", "monalisa-ghe", "gho_abc123", "https")
+			},
+			httpStubs: func(reg *httpmock.Registry) {
+				// mocks for HeaderHasMinimumScopes api requests to a non-github.com host
+				reg.Register(httpmock.REST("GET", "api/v3/"), httpmock.StatusStringResponse(400, "no bueno"))
+			},
+			wantErr: cmdutil.SilentError,
+			wantErrOut: heredoc.Doc(`
 				ghe.io
 				  X Failed to log in to ghe.io account monalisa-ghe (GH_CONFIG_DIR/hosts.yml)
 				  - Active account: true
@@ -355,7 +402,8 @@ func Test_statusRun(t *testing.T) {
 					httpmock.GraphQL(`query UserCurrent\b`),
 					httpmock.StringResponse(`{"data":{"viewer":{"login":"monalisa-ghe-2"}}}`))
 			},
-			wantOut: heredoc.Doc(`
+			wantErr: cmdutil.SilentError,
+			wantErrOut: heredoc.Doc(`
 				github.com
 				  ✓ Logged in to github.com account monalisa-2 (GH_CONFIG_DIR/hosts.yml)
 				  - Active account: true

From a6a1a58dd8e0f2ce42fdd0cbcf8f14b8d9dc7e6e Mon Sep 17 00:00:00 2001
From: Chris Buckley <chris@cmbuckley.co.uk>
Date: Mon, 22 Jul 2024 19:36:20 +0100
Subject: [PATCH 180/253] Update documentation for gh api PATCH

---
 pkg/cmd/api/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/api/api.go b/pkg/cmd/api/api.go
index b44cef2d409..c8eac91152f 100644
--- a/pkg/cmd/api/api.go
+++ b/pkg/cmd/api/api.go
@@ -150,7 +150,7 @@ func NewCmdApi(f *cmdutil.Factory, runF func(*ApiOptions) error) *cobra.Command
 			  '{{range .}}{{.title}} ({{.labels | pluck "name" | join ", " | color "yellow"}}){{"\n"}}{{end}}'
 
 			# update allowed values of the "environment" custom property in a deeply nested array
-			gh api --PATCH /orgs/{org}/properties/schema \
+			gh api -X PATCH /orgs/{org}/properties/schema \
 			   -F 'properties[][property_name]=environment' \
 			   -F 'properties[][default_value]=production' \
 			   -F 'properties[][allowed_values][]=staging' \

From e7606363fb45b9592383bba54495f42eb90ffb87 Mon Sep 17 00:00:00 2001
From: Stausssi <33755707+Stausssi@users.noreply.github.com>
Date: Mon, 22 Jul 2024 20:36:22 +0200
Subject: [PATCH 181/253] document exit code behavior

---
 pkg/cmd/auth/status/status.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/auth/status/status.go b/pkg/cmd/auth/status/status.go
index 2d08c555a4f..2139bda1e25 100644
--- a/pkg/cmd/auth/status/status.go
+++ b/pkg/cmd/auth/status/status.go
@@ -145,8 +145,11 @@ func NewCmdStatus(f *cmdutil.Factory, runF func(*StatusOptions) error) *cobra.Co
 		Long: heredoc.Docf(`
 			Display active account and authentication state on each known GitHub host.
 
-			For each host, the authentication state of each known account is tested and any issues are included in
-			the output. Each host section will indicate the active account, which will be used when targeting that host.
+			For each host, the authentication state of each known account is tested and any issues are included in the output.
+			Each host section will indicate the active account, which will be used when targeting that host.
+			If an account on any host (or only the one given via %[1]s--hostname%[1]s) has authentication issues,
+			the command will exit with 1 and output to stderr.
+
 			To change the active account for a host, see %[1]sgh auth switch%[1]s.
 		`, "`"),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -158,7 +161,7 @@ func NewCmdStatus(f *cmdutil.Factory, runF func(*StatusOptions) error) *cobra.Co
 		},
 	}
 
-	cmd.Flags().StringVarP(&opts.Hostname, "hostname", "h", "", "Check a specific hostname's auth status")
+	cmd.Flags().StringVarP(&opts.Hostname, "hostname", "h", "", "Check only a specific hostname's auth status")
 	cmd.Flags().BoolVarP(&opts.ShowToken, "show-token", "t", false, "Display the auth token")
 
 	return cmd

From 32e499e090af181ae78c303269b9d69bf89ea295 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 23 Jul 2024 13:14:27 +0200
Subject: [PATCH 182/253] Add examples for template usage in PR and issue
 creation

---
 pkg/cmd/issue/create/create.go | 3 ++-
 pkg/cmd/pr/create/create.go    | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 6de78f2e1a7..33b5830122b 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -72,6 +72,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			$ gh issue create --assignee monalisa,hubot
 			$ gh issue create --assignee "@me"
 			$ gh issue create --project "Roadmap"
+			$ gh issue create --template "bug_report.md"
 		`),
 		Args:    cmdutil.NoArgsQuoteReminder,
 		Aliases: []string{"new"},
@@ -139,7 +140,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().StringSliceVarP(&opts.Projects, "project", "p", nil, "Add the issue to projects by `name`")
 	cmd.Flags().StringVarP(&opts.Milestone, "milestone", "m", "", "Add the issue to a milestone by `name`")
 	cmd.Flags().StringVar(&opts.RecoverFile, "recover", "", "Recover input from a failed run of create")
-	cmd.Flags().StringVarP(&opts.Template, "template", "T", "", "Template `name` to use as starting body text")
+	cmd.Flags().StringVarP(&opts.Template, "template", "T", "", "Template `file` to use as starting body text")
 
 	return cmd
 }
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index 7c3faecc3fe..23f30206929 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -131,6 +131,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			$ gh pr create --reviewer monalisa,hubot  --reviewer myorg/team-name
 			$ gh pr create --project "Roadmap"
 			$ gh pr create --base develop --head monalisa:feature
+			$ gh pr create --template "pull_request_template.md"
 		`),
 		Args:    cmdutil.NoArgsQuoteReminder,
 		Aliases: []string{"new"},

From 8a0d361bac357180c109c12e77adbe01040b7754 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Sun, 23 Jun 2024 19:31:49 +0200
Subject: [PATCH 183/253] Expose fullDatabaseId for PR json export

---
 api/queries_pr.go            | 1 +
 api/query_builder.go         | 1 +
 pkg/cmd/pr/view/view_test.go | 1 +
 3 files changed, 3 insertions(+)

diff --git a/api/queries_pr.go b/api/queries_pr.go
index 0ef089bb540..370f2db2455 100644
--- a/api/queries_pr.go
+++ b/api/queries_pr.go
@@ -26,6 +26,7 @@ const (
 
 type PullRequest struct {
 	ID                  string
+	FullDatabaseID      string
 	Number              int
 	Title               string
 	State               string
diff --git a/api/query_builder.go b/api/query_builder.go
index 0aa89513de8..30dbeb869e0 100644
--- a/api/query_builder.go
+++ b/api/query_builder.go
@@ -289,6 +289,7 @@ var PullRequestFields = append(sharedIssuePRFields,
 	"commits",
 	"deletions",
 	"files",
+	"fullDatabaseId",
 	"headRefName",
 	"headRefOid",
 	"headRepository",
diff --git a/pkg/cmd/pr/view/view_test.go b/pkg/cmd/pr/view/view_test.go
index 0efe667a758..2b99df9315a 100644
--- a/pkg/cmd/pr/view/view_test.go
+++ b/pkg/cmd/pr/view/view_test.go
@@ -41,6 +41,7 @@ func TestJSONFields(t *testing.T) {
 		"createdAt",
 		"deletions",
 		"files",
+		"fullDatabaseId",
 		"headRefName",
 		"headRefOid",
 		"headRepository",

From 13dea3e35dffcb408d61e47aacc99b8953cfdab0 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 23 Jul 2024 13:33:39 +0200
Subject: [PATCH 184/253] Add test for release view json export fields

---
 pkg/cmd/release/view/view_test.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/cmd/release/view/view_test.go b/pkg/cmd/release/view/view_test.go
index c8b83792380..9e071f1aae9 100644
--- a/pkg/cmd/release/view/view_test.go
+++ b/pkg/cmd/release/view/view_test.go
@@ -14,11 +14,33 @@ import (
 	"github.com/cli/cli/v2/pkg/cmdutil"
 	"github.com/cli/cli/v2/pkg/httpmock"
 	"github.com/cli/cli/v2/pkg/iostreams"
+	"github.com/cli/cli/v2/pkg/jsonfieldstest"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+func TestJSONFields(t *testing.T) {
+	jsonfieldstest.ExpectCommandToSupportJSONFields(t, NewCmdView, []string{
+		"apiUrl",
+		"author",
+		"assets",
+		"body",
+		"createdAt",
+		"id",
+		"isDraft",
+		"isPrerelease",
+		"name",
+		"publishedAt",
+		"tagName",
+		"tarballUrl",
+		"targetCommitish",
+		"uploadUrl",
+		"url",
+		"zipballUrl",
+	})
+}
+
 func Test_NewCmdView(t *testing.T) {
 	tests := []struct {
 		name    string

From 99ff84bdd9b64889dc02af8e6ea0d54b3c6f27ce Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 23 Jul 2024 13:34:11 +0200
Subject: [PATCH 185/253] Alphabetise release json fields

---
 pkg/cmd/release/shared/fetch.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkg/cmd/release/shared/fetch.go b/pkg/cmd/release/shared/fetch.go
index 84a9a369bb2..05a5fed1d41 100644
--- a/pkg/cmd/release/shared/fetch.go
+++ b/pkg/cmd/release/shared/fetch.go
@@ -21,22 +21,22 @@ import (
 )
 
 var ReleaseFields = []string{
-	"url",
 	"apiUrl",
-	"uploadUrl",
-	"tarballUrl",
-	"zipballUrl",
-	"id",
-	"tagName",
-	"name",
+	"author",
+	"assets",
 	"body",
+	"createdAt",
+	"id",
 	"isDraft",
 	"isPrerelease",
-	"createdAt",
+	"name",
 	"publishedAt",
+	"tagName",
+	"tarballUrl",
 	"targetCommitish",
-	"author",
-	"assets",
+	"uploadUrl",
+	"url",
+	"zipballUrl",
 }
 
 type Release struct {

From c13d161271977562afcc1647efa2b5b849fe0cad Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 23 Jul 2024 13:36:44 +0200
Subject: [PATCH 186/253] Export databaseId for releases

---
 pkg/cmd/release/shared/fetch.go   | 1 +
 pkg/cmd/release/view/view_test.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pkg/cmd/release/shared/fetch.go b/pkg/cmd/release/shared/fetch.go
index 05a5fed1d41..c9cf7a6a413 100644
--- a/pkg/cmd/release/shared/fetch.go
+++ b/pkg/cmd/release/shared/fetch.go
@@ -26,6 +26,7 @@ var ReleaseFields = []string{
 	"assets",
 	"body",
 	"createdAt",
+	"databaseId",
 	"id",
 	"isDraft",
 	"isPrerelease",
diff --git a/pkg/cmd/release/view/view_test.go b/pkg/cmd/release/view/view_test.go
index 9e071f1aae9..629c0728dc2 100644
--- a/pkg/cmd/release/view/view_test.go
+++ b/pkg/cmd/release/view/view_test.go
@@ -27,6 +27,7 @@ func TestJSONFields(t *testing.T) {
 		"assets",
 		"body",
 		"createdAt",
+		"databaseId",
 		"id",
 		"isDraft",
 		"isPrerelease",

From c16becc07ecbcf021b9e67971378eb92363c8d1c Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Tue, 23 Jul 2024 16:44:49 +0200
Subject: [PATCH 187/253] Slightly clarify when CLI will exit with 4

---
 pkg/cmd/root/help_topic.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/root/help_topic.go b/pkg/cmd/root/help_topic.go
index f04a573fdca..4786a993b0c 100644
--- a/pkg/cmd/root/help_topic.go
+++ b/pkg/cmd/root/help_topic.go
@@ -266,7 +266,7 @@ var HelpTopics = []helpTopic{
 
 			- If a command is running but gets cancelled, the exit code will be 2
 
-			- If a command encounters an authentication issue, the exit code will be 4
+			- If a command requires authentication, the exit code will be 4
 
 			NOTE: It is possible that a particular command may have more exit codes, so it is a good
 			practice to check documentation for the command if you are relying on exit codes to

From fd51a6930832d7bbc61ad6b8d56ab67b99f3fc39 Mon Sep 17 00:00:00 2001
From: Hiran Wijesinghe <wwijesing1@bnl.gov>
Date: Wed, 24 Jul 2024 06:35:24 -0400
Subject: [PATCH 188/253] Handle `--bare` clone targets (#9271)

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 git/client.go      |  5 +++++
 git/client_test.go | 18 +++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/git/client.go b/git/client.go
index b0194affc43..560eccfddcb 100644
--- a/git/client.go
+++ b/git/client.go
@@ -11,6 +11,7 @@ import (
 	"path"
 	"regexp"
 	"runtime"
+	"slices"
 	"sort"
 	"strings"
 	"sync"
@@ -594,6 +595,10 @@ func (c *Client) Clone(ctx context.Context, cloneURL string, args []string, mods
 		cloneArgs = append(cloneArgs, target)
 	} else {
 		target = path.Base(strings.TrimSuffix(cloneURL, ".git"))
+
+		if slices.Contains(cloneArgs, "--bare") {
+			target += ".git"
+		}
 	}
 	cloneArgs = append([]string{"clone"}, cloneArgs...)
 	cmd, err := c.AuthenticatedCommand(ctx, cloneArgs...)
diff --git a/git/client_test.go b/git/client_test.go
index 4206836590e..1e30323176e 100644
--- a/git/client_test.go
+++ b/git/client_test.go
@@ -1267,6 +1267,7 @@ func TestClientPush(t *testing.T) {
 func TestClientClone(t *testing.T) {
 	tests := []struct {
 		name          string
+		args          []string
 		mods          []CommandModifier
 		cmdExitStatus int
 		cmdStdout     string
@@ -1277,22 +1278,37 @@ func TestClientClone(t *testing.T) {
 	}{
 		{
 			name:        "clone",
+			args:        []string{},
 			wantCmdArgs: `path/to/git -c credential.helper= -c credential.helper=!"gh" auth git-credential clone github.com/cli/cli`,
 			wantTarget:  "cli",
 		},
 		{
 			name:        "accepts command modifiers",
+			args:        []string{},
 			mods:        []CommandModifier{WithRepoDir("/path/to/repo")},
 			wantCmdArgs: `path/to/git -C /path/to/repo -c credential.helper= -c credential.helper=!"gh" auth git-credential clone github.com/cli/cli`,
 			wantTarget:  "cli",
 		},
 		{
 			name:          "git error",
+			args:          []string{},
 			cmdExitStatus: 1,
 			cmdStderr:     "git error message",
 			wantCmdArgs:   `path/to/git -c credential.helper= -c credential.helper=!"gh" auth git-credential clone github.com/cli/cli`,
 			wantErrorMsg:  "failed to run git: git error message",
 		},
+		{
+			name:        "bare clone",
+			args:        []string{"--bare"},
+			wantCmdArgs: `path/to/git -c credential.helper= -c credential.helper=!"gh" auth git-credential clone --bare github.com/cli/cli`,
+			wantTarget:  "cli.git",
+		},
+		{
+			name:        "bare clone with explicit target",
+			args:        []string{"cli-bare", "--bare"},
+			wantCmdArgs: `path/to/git -c credential.helper= -c credential.helper=!"gh" auth git-credential clone --bare github.com/cli/cli cli-bare`,
+			wantTarget:  "cli-bare",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1301,7 +1317,7 @@ func TestClientClone(t *testing.T) {
 				GitPath:        "path/to/git",
 				commandContext: cmdCtx,
 			}
-			target, err := client.Clone(context.Background(), "github.com/cli/cli", []string{}, tt.mods...)
+			target, err := client.Clone(context.Background(), "github.com/cli/cli", tt.args, tt.mods...)
 			assert.Equal(t, tt.wantCmdArgs, strings.Join(cmd.Args[3:], " "))
 			if tt.wantErrorMsg == "" {
 				assert.NoError(t, err)

From 658f125ab365af7e442ddf58542cf47af1684a17 Mon Sep 17 00:00:00 2001
From: Zach Steindler <steiza@github.com>
Date: Thu, 25 Jul 2024 14:59:39 -0400
Subject: [PATCH 189/253] Update sigstore-go in gh CLI to v0.5.1 (#9366)

Signed-off-by: Zach Steindler <steiza@github.com>
---
 .github/workflows/lint.yml                    |   2 +-
 go.mod                                        |  49 +++--
 go.sum                                        | 175 +++++++++---------
 internal/codespaces/rpc/invoker.go            |   3 +-
 pkg/cmd/attestation/verification/sigstore.go  |   4 +-
 pkg/cmd/attestation/verify/policy.go          |  14 +-
 .../verify/verify_integration_test.go         |   6 +-
 7 files changed, 129 insertions(+), 124 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4a97da25be0..0a6c0d9db29 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -32,7 +32,7 @@ jobs:
           go mod verify
           go mod download
 
-          LINT_VERSION=1.54.1
+          LINT_VERSION=1.59.1
           curl -fsSL https://github.com/golangci/golangci-lint/releases/download/v${LINT_VERSION}/golangci-lint-${LINT_VERSION}-linux-amd64.tar.gz | \
             tar xz --strip-components 1 --wildcards \*/golangci-lint
           mkdir -p bin && mv golangci-lint bin/
diff --git a/go.mod b/go.mod
index e723f71a51b..2e653052cb4 100644
--- a/go.mod
+++ b/go.mod
@@ -1,14 +1,14 @@
 module github.com/cli/cli/v2
 
-go 1.22
+go 1.22.0
 
-toolchain go1.22.2
+toolchain go1.22.5
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/briandowns/spinner v1.18.1
-	github.com/cenkalti/backoff/v4 v4.2.1
+	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/charmbracelet/glamour v0.7.0
 	github.com/charmbracelet/lipgloss v0.10.1-0.20240413172830-d0be07ea6b9c
 	github.com/cli/go-gh/v2 v2.9.0
@@ -20,7 +20,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.4
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.19.2
+	github.com/google/go-containerregistry v0.20.0
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/go-multierror v1.1.1
@@ -38,16 +38,16 @@ require (
 	github.com/rivo/tview v0.0.0-20221029100920-c4a7e501810d
 	github.com/shurcooL/githubv4 v0.0.0-20240120211514-18a1ae0e79dc
 	github.com/sigstore/protobuf-specs v0.3.2
-	github.com/sigstore/sigstore-go v0.3.0
+	github.com/sigstore/sigstore-go v0.5.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/zalando/go-keyring v0.2.5
-	golang.org/x/crypto v0.23.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/term v0.20.0
-	golang.org/x/text v0.15.0
-	google.golang.org/grpc v1.62.2
+	golang.org/x/crypto v0.25.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/term v0.22.0
+	golang.org/x/text v0.16.0
+	google.golang.org/grpc v1.64.1
 	google.golang.org/protobuf v1.34.2
 	gopkg.in/h2non/gock.v1 v1.1.2
 	gopkg.in/yaml.v3 v3.0.1
@@ -78,6 +78,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -91,8 +92,7 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.8 // indirect
+	github.com/google/certificate-transparency-go v1.2.1 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/css v1.0.0 // indirect
 	github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 // indirect
@@ -106,7 +106,7 @@ require (
 	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.17.4 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -133,7 +133,7 @@ require (
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 	github.com/sigstore/rekor v1.3.6 // indirect
-	github.com/sigstore/sigstore v1.8.3 // indirect
+	github.com/sigstore/sigstore v1.8.7 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -143,7 +143,7 @@ require (
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.0.0 // indirect
 	github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
@@ -151,18 +151,17 @@ require (
 	github.com/yuin/goldmark v1.5.4 // indirect
 	github.com/yuin/goldmark-emoji v1.0.2 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opentelemetry.io/otel v1.24.0 // indirect
-	go.opentelemetry.io/otel/metric v1.24.0 // indirect
-	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/trace v1.27.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/net v0.25.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
-	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 )
diff --git a/go.sum b/go.sum
index c23ae16a032..460a2f65af9 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,6 @@
 cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM=
-cloud.google.com/go/compute v1.25.0 h1:H1/4SqSUhjPFE7L5ddzHOfY2bCAvjwNRZPNl6Ni5oYU=
-cloud.google.com/go/compute v1.25.0/go.mod h1:GR7F0ZPZH8EhChlMo9FkLd7eUTwEymjqQagxzilIxIE=
+cloud.google.com/go/compute v1.25.1 h1:ZRpHJedLtTpKgr3RV1Fx23NuaAEN1Zfx9hw1u4aJdjU=
+cloud.google.com/go/compute v1.25.1/go.mod h1:oopOIR53ly6viBYxaDhBfJwzUAxf1zE//uf3IB011ls=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc=
@@ -42,34 +42,34 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
 github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
-github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
-github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
+github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8=
+github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk=
+github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8=
 github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
 github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk=
+github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
+github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
@@ -82,8 +82,8 @@ github.com/briandowns/spinner v1.18.1 h1:yhQmQtM1zsqFsouh09Bk/jCjd50pC3EOGsh28gL
 github.com/briandowns/spinner v1.18.1/go.mod h1:mQak9GHqbspjC/5iUx3qMlIho8xBS/ppAL/hX5SmPJU=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
-github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
-github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charmbracelet/glamour v0.7.0 h1:2BtKGZ4iVJCDfMF229EzbeR1QRKLWztO9dMtjmqZSng=
@@ -158,6 +158,8 @@ github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyN
 github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
 github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -183,8 +185,10 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
-github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
-github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
+github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
@@ -193,12 +197,12 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to=
-github.com/google/certificate-transparency-go v1.1.8/go.mod h1:bV/o8r0TBKRf1X//iiiSgWrvII4d7/8OiA+3vG26gI8=
+github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbBXbLqMpq3CifMyOnDUME=
+github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.19.2 h1:TannFKE1QSajsP6hPWb5oJNgKe1IKjHukIKDUmvsV6w=
-github.com/google/go-containerregistry v0.19.2/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg=
+github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
@@ -242,6 +246,9 @@ github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0S
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
 github.com/hashicorp/go-version v1.3.0 h1:McDWVJIU/y+u1BRV06dPaLfLCaT7fUTJLp5r04x7iNw=
 github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE=
@@ -284,8 +291,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e h1:RLTpX495BXToqxpM90Ws4hXEo4Wfh81jr9DX1n/4WOo=
-github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e/go.mod h1:EAuqr9VFWxBi9nD5jc/EA2MT1RFty9288TF6zdtYoCU=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
+github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
@@ -342,8 +349,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
 github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
@@ -386,10 +393,10 @@ github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWw
 github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
 github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
 github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=
-github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs=
-github.com/sigstore/sigstore-go v0.3.0 h1:SxYqfonBrEhw8bNDelMieymxhdv7R9itiNZmtjOwKKU=
-github.com/sigstore/sigstore-go v0.3.0/go.mod h1:oJOH7UP8aTjAGnIVwq9sDif8M4CSCik84yN1vBuESbE=
+github.com/sigstore/sigstore v1.8.7 h1:L7/zKauHTg0d0Hukx7qlR4nifh6T6O6UIt9JBwAmTIg=
+github.com/sigstore/sigstore v1.8.7/go.mod h1:MPiQ/NIV034Fc3Kk2IX9/XmBQdK60wfmpvgK9Z1UjRA=
+github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
+github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
@@ -433,8 +440,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk=
-github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
+github.com/theupdateframework/go-tuf/v2 v2.0.0 h1:rD8d9RotYBprZVgC+9oyTZ5MmawepnTSTqoDuxjWgbs=
+github.com/theupdateframework/go-tuf/v2 v2.0.0/go.mod h1:baB22nBHeHBCeuGZcIlctNq4P61PcOdyARlplg5xmLA=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e h1:BuzhfgfWQbX0dWzYzT1zsORLnHRv3bcRcsaUk0VmXA8=
 github.com/thlib/go-timezone-local v0.0.0-20210907160436-ef149e42d28e/go.mod h1:/Tnicc6m/lsJE0irFMA0LfIwTBo4QP7A8IfyIv4zZKI=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
@@ -456,18 +463,18 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw=
-go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
-go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
-go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
-go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
-go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
-go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
-go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
+go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
+go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
+go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
+go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
+go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI=
+go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A=
+go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
+go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
 go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=
 go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -478,24 +485,24 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o=
+golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
-golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -507,46 +514,42 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk=
 google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s=
 google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 h1:oqta3O3AnlWbmIE3bFnWbu4bRxZjfbWCp0cKSuZh01E=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7/go.mod h1:VQW3tUculP/D4B+xVCo+VgSq8As6wA9ZjHl//pmk+6s=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.62.2 h1:iEIj1U5qjyBjzkM5nk3Fq+S1IbjbXSyqeULZ1Nfo4AA=
-google.golang.org/grpc v1.62.2/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
+google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 h1:P8OJ/WCl/Xo4E4zoe4/bifHpSmmKwARqyqE4nW6J2GQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:RGnPtTG7r4i8sPlNyDeikXF99hMM+hN6QMm4ooG9g2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 h1:Q2RxlXqh1cgzzUgV261vBO2jI5R/3DD1J2pM0nI4NhU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
+google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
+google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=
-gopkg.in/go-jose/go-jose.v2 v2.6.3/go.mod h1:zzZDPkNNw/c9IE7Z9jr11mBZQhKQTMzoEEIoEdZlFBI=
 gopkg.in/h2non/gock.v1 v1.1.2 h1:jBbHXgGBK/AoPVfJh5x4r/WxIrElvbLel8TCZkkZJoY=
 gopkg.in/h2non/gock.v1 v1.1.2/go.mod h1:n7UGz/ckNChHiK05rDoiC4MYSunEC/lyaUm2WWaDva0=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
diff --git a/internal/codespaces/rpc/invoker.go b/internal/codespaces/rpc/invoker.go
index a0830d2fce1..b9d3218027a 100644
--- a/internal/codespaces/rpc/invoker.go
+++ b/internal/codespaces/rpc/invoker.go
@@ -116,9 +116,8 @@ func connect(ctx context.Context, fwd portforwarder.PortForwarder) (Invoker, err
 		// Attempt to connect to the port
 		opts := []grpc.DialOption{
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithBlock(),
 		}
-		conn, err = grpc.DialContext(connectctx, localAddress, opts...)
+		conn, err = grpc.NewClient(localAddress, opts...)
 		ch <- err // nil if we successfully connected
 	}()
 
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index b3a4aca5099..0e6d01d9bec 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -60,8 +60,8 @@ func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to get bundle verification content: %v", err)
 	}
-	leafCert, ok := verifyContent.HasCertificate()
-	if !ok {
+	leafCert := verifyContent.GetCertificate()
+	if leafCert == nil {
 		return nil, "", fmt.Errorf("leaf cert not found")
 	}
 	if len(leafCert.Issuer.Organization) != 1 {
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index e411e3104c8..959bd08a96c 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -27,16 +27,16 @@ func expandToGitHubURL(ownerOrRepo string) string {
 func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) {
 	if opts.SignerRepo != "" {
 		signedRepoRegex := expandToGitHubURL(opts.SignerRepo)
-		return verify.NewSANMatcher("", "", signedRepoRegex)
+		return verify.NewSANMatcher("", signedRepoRegex)
 	} else if opts.SignerWorkflow != "" {
 		validatedWorkflowRegex, err := validateSignerWorkflow(opts)
 		if err != nil {
 			return verify.SubjectAlternativeNameMatcher{}, err
 		}
 
-		return verify.NewSANMatcher("", "", validatedWorkflowRegex)
+		return verify.NewSANMatcher("", validatedWorkflowRegex)
 	} else if opts.SAN != "" || opts.SANRegex != "" {
-		return verify.NewSANMatcher(opts.SAN, "", opts.SANRegex)
+		return verify.NewSANMatcher(opts.SAN, opts.SANRegex)
 	}
 
 	return verify.SubjectAlternativeNameMatcher{}, nil
@@ -44,7 +44,6 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 
 func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
 	extensions := certificate.Extensions{
-		Issuer:                   opts.OIDCIssuer,
 		SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
 		RunnerEnvironment:        runnerEnv,
 	}
@@ -62,9 +61,14 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 		return nil, err
 	}
 
+	issuerMatcher, err := verify.NewIssuerMatcher(opts.OIDCIssuer, "")
+	if err != nil {
+		return nil, err
+	}
+
 	extensions := buildCertExtensions(opts, runnerEnv)
 
-	certId, err := verify.NewCertificateIdentity(sanMatcher, extensions)
+	certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index d3de162a64b..6833043b8ca 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -60,7 +60,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/sigstore/fakerepo\", got \"https://github.com/sigstore/sigstore-js\"")
 	})
 
 	t.Run("with invalid owner", func(t *testing.T) {
@@ -69,7 +69,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryOwnerURI to be \"https://github.com/fakeowner\", got \"https://github.com/sigstore\"")
 	})
 
 	t.Run("with invalid owner and invalid repo", func(t *testing.T) {
@@ -78,7 +78,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching certificate identity found")
+		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/fakeowner/fakerepo\"")
 	})
 }
 

From 1fb6df60087a8519673954cdf825f2c6a3d8cb44 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 26 Jul 2024 14:56:47 +0000
Subject: [PATCH 190/253] build(deps): bump github.com/gabriel-vasile/mimetype
 from 1.4.4 to 1.4.5

Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype) from 1.4.4 to 1.4.5.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases)
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.4...v1.4.5)

---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 2e653052cb4..099ab7a2e5a 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.4
 	github.com/creack/pty v1.1.21
 	github.com/distribution/reference v0.5.0
-	github.com/gabriel-vasile/mimetype v1.4.4
+	github.com/gabriel-vasile/mimetype v1.4.5
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.20.0
@@ -158,7 +158,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
 	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect
diff --git a/go.sum b/go.sum
index 460a2f65af9..3702e12c6d3 100644
--- a/go.sum
+++ b/go.sum
@@ -148,8 +148,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/gabriel-vasile/mimetype v1.4.4 h1:QjV6pZ7/XZ7ryI2KuyeEDE8wnh7fHP9YnQy+R0LnH8I=
-github.com/gabriel-vasile/mimetype v1.4.4/go.mod h1:JwLei5XPtWdGiMFB5Pjle1oEeoSeEuJfJE+TtfvdB/s=
+github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
+github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
 github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
 github.com/gdamore/tcell/v2 v2.5.4 h1:TGU4tSjD3sCL788vFNeJnTdzpNKIw1H5dgLnJRQVv/k=
@@ -495,8 +495,8 @@ golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
 golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From 6e34e81b764c8587d8c5bbf7e9e2a63449e3c22a Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:22:54 +0100
Subject: [PATCH 191/253] Point to `Editable.MilestoneId` method

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/edit/edit.go b/pkg/cmd/issue/edit/edit.go
index 7b971946870..263a48f20bd 100644
--- a/pkg/cmd/issue/edit/edit.go
+++ b/pkg/cmd/issue/edit/edit.go
@@ -122,7 +122,8 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 
 				// Note that when `--remove-milestone` is provided, the value of
 				// `opts.Editable.Milestone.Value` will automatically be empty,
-				// which results in milestone association removal.
+				// which results in milestone association removal. For reference,
+				// see the `Editable.MilestoneId` method.
 			}
 
 			if !opts.Editable.Dirty() {

From 4c8ec84e2654ad6d622107e3a8d675a2d05c1388 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:23:19 +0100
Subject: [PATCH 192/253] Improve `--remove-milestone` option description

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/edit/edit.go b/pkg/cmd/issue/edit/edit.go
index 263a48f20bd..de334148a7a 100644
--- a/pkg/cmd/issue/edit/edit.go
+++ b/pkg/cmd/issue/edit/edit.go
@@ -156,7 +156,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the issue to projects by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the issue from projects by `name`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the issue belongs to by `name`")
-	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone the issue belongs to")
+	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone association from the issue")
 
 	return cmd
 }

From 1520292726db9e5e7c0b6e35918792f34e47304d Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:40:38 +0100
Subject: [PATCH 193/253] Add `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/edit/edit.go | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/pr/edit/edit.go b/pkg/cmd/pr/edit/edit.go
index 3f80aa80aa4..2f288857b3f 100644
--- a/pkg/cmd/pr/edit/edit.go
+++ b/pkg/cmd/pr/edit/edit.go
@@ -30,6 +30,7 @@ type EditOptions struct {
 	Interactive bool
 
 	shared.Editable
+	RemoveMilestone bool
 }
 
 func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Command {
@@ -63,6 +64,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			$ gh pr edit 23 --add-assignee "@me" --remove-assignee monalisa,hubot
 			$ gh pr edit 23 --add-project "Roadmap" --remove-project v1,v2
 			$ gh pr edit 23 --milestone "Version 1"
+			$ gh pr edit 23 --remove-milestone
 		`),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -95,6 +97,14 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 				}
 			}
 
+			if err := cmdutil.MutuallyExclusive(
+				"specify only one of `--milestone` or `--remove-milestone`",
+				flags.Changed("milestone"),
+				opts.RemoveMilestone,
+			); err != nil {
+				return err
+			}
+
 			if flags.Changed("title") {
 				opts.Editable.Title.Edited = true
 			}
@@ -116,8 +126,13 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if flags.Changed("add-project") || flags.Changed("remove-project") {
 				opts.Editable.Projects.Edited = true
 			}
-			if flags.Changed("milestone") {
+			if flags.Changed("milestone") || opts.RemoveMilestone {
 				opts.Editable.Milestone.Edited = true
+
+				// Note that when `--remove-milestone` is provided, the value of
+				// `opts.Editable.Milestone.Value` will automatically be empty,
+				// which results in milestone association removal. For reference,
+				// see the `Editable.MilestoneId` method.
 			}
 
 			if !opts.Editable.Dirty() {
@@ -149,6 +164,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the pull request to projects by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the pull request from projects by `name`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the pull request belongs to by `name`")
+	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone association from the pull request")
 
 	_ = cmdutil.RegisterBranchCompletionFlags(f.GitClient, cmd, "base")
 

From 6dc8cc41d0ed2892d14089781540fb9b4ef788d7 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:41:54 +0100
Subject: [PATCH 194/253] Verify `--body` and `--body-file` are not assignable
 at the same time

---
 pkg/cmd/pr/edit/edit_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/pr/edit/edit_test.go b/pkg/cmd/pr/edit/edit_test.go
index 0986797eacb..6884d3d6e9c 100644
--- a/pkg/cmd/pr/edit/edit_test.go
+++ b/pkg/cmd/pr/edit/edit_test.go
@@ -112,6 +112,11 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:     "both body and body-file flags",
+			input:    "23 --body foo --body-file bar",
+			wantsErr: true,
+		},
 		{
 			name:  "base flag",
 			input: "23 --base base-branch-name",

From 605b4b19e11c5c5deb50d5fc5683312620d4ec24 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:43:38 +0100
Subject: [PATCH 195/253] Assert correct parsing of `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/edit/edit_test.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pkg/cmd/pr/edit/edit_test.go b/pkg/cmd/pr/edit/edit_test.go
index 6884d3d6e9c..35840559fb4 100644
--- a/pkg/cmd/pr/edit/edit_test.go
+++ b/pkg/cmd/pr/edit/edit_test.go
@@ -261,6 +261,20 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:  "remove-milestone flag",
+			input: "23 --remove-milestone",
+			output: EditOptions{
+				SelectorArg: "23",
+				Editable: shared.Editable{
+					Milestone: shared.EditableString{
+						Value:  "",
+						Edited: true,
+					},
+				},
+			},
+			wantsErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From c9fb4ed0996e8b56ac755fe1d0d738f893e46906 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sun, 28 Jul 2024 15:44:05 +0100
Subject: [PATCH 196/253] Verify `--milestone` and `--remove-milestone` are not
 assignable at the same time

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/edit/edit_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/cmd/pr/edit/edit_test.go b/pkg/cmd/pr/edit/edit_test.go
index 35840559fb4..3c4882961ad 100644
--- a/pkg/cmd/pr/edit/edit_test.go
+++ b/pkg/cmd/pr/edit/edit_test.go
@@ -275,6 +275,11 @@ func TestNewCmdEdit(t *testing.T) {
 			},
 			wantsErr: false,
 		},
+		{
+			name:     "both milestone and remove-milestone flags",
+			input:    "23 --milestone foo --remove-milestone",
+			wantsErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From fbae0e223eb007fec12ed2dceafb91bcd6446988 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 29 Jul 2024 19:59:50 +0000
Subject: [PATCH 197/253] build(deps): bump
 github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.0 to 0.20.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.20.0...v0.20.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 099ab7a2e5a..a607e4adf16 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.5
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.20.0
+	github.com/google/go-containerregistry v0.20.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/go-multierror v1.1.1
diff --git a/go.sum b/go.sum
index 3702e12c6d3..ffb608ffb57 100644
--- a/go.sum
+++ b/go.sum
@@ -201,8 +201,8 @@ github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbB
 github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg=
-github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0=
+github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=

From 842562d3dbc6c7a0ed62d1e16a95a9dce8f1904e Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 21:36:48 +0100
Subject: [PATCH 198/253] Use closure-scoped variable to catch
 `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/edit/edit.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/pr/edit/edit.go b/pkg/cmd/pr/edit/edit.go
index 2f288857b3f..21aa80c07d7 100644
--- a/pkg/cmd/pr/edit/edit.go
+++ b/pkg/cmd/pr/edit/edit.go
@@ -30,7 +30,6 @@ type EditOptions struct {
 	Interactive bool
 
 	shared.Editable
-	RemoveMilestone bool
 }
 
 func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Command {
@@ -44,6 +43,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	}
 
 	var bodyFile string
+	var removeMilestone bool
 
 	cmd := &cobra.Command{
 		Use:   "edit [<number> | <url> | <branch>]",
@@ -100,7 +100,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if err := cmdutil.MutuallyExclusive(
 				"specify only one of `--milestone` or `--remove-milestone`",
 				flags.Changed("milestone"),
-				opts.RemoveMilestone,
+				opts.removeMilestone,
 			); err != nil {
 				return err
 			}
@@ -126,7 +126,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if flags.Changed("add-project") || flags.Changed("remove-project") {
 				opts.Editable.Projects.Edited = true
 			}
-			if flags.Changed("milestone") || opts.RemoveMilestone {
+			if flags.Changed("milestone") || opts.removeMilestone {
 				opts.Editable.Milestone.Edited = true
 
 				// Note that when `--remove-milestone` is provided, the value of
@@ -164,7 +164,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the pull request to projects by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the pull request from projects by `name`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the pull request belongs to by `name`")
-	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone association from the pull request")
+	cmd.Flags().BoolVar(&removeMilestone, "remove-milestone", false, "Remove the milestone association from the pull request")
 
 	_ = cmdutil.RegisterBranchCompletionFlags(f.GitClient, cmd, "base")
 

From a73ae65ca81d9c3647725ec7e3391f196dfa49b1 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 21:37:55 +0100
Subject: [PATCH 199/253] Use closure-scoped variable to catch
 `--remove-milestone` option

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/issue/edit/edit.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/issue/edit/edit.go b/pkg/cmd/issue/edit/edit.go
index de334148a7a..11a69383d3c 100644
--- a/pkg/cmd/issue/edit/edit.go
+++ b/pkg/cmd/issue/edit/edit.go
@@ -32,7 +32,6 @@ type EditOptions struct {
 	Interactive  bool
 
 	prShared.Editable
-	RemoveMilestone bool
 }
 
 func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Command {
@@ -47,6 +46,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	}
 
 	var bodyFile string
+	var removeMilestone bool
 
 	cmd := &cobra.Command{
 		Use:   "edit {<numbers> | <urls>}",
@@ -100,7 +100,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if err := cmdutil.MutuallyExclusive(
 				"specify only one of `--milestone` or `--remove-milestone`",
 				flags.Changed("milestone"),
-				opts.RemoveMilestone,
+				removeMilestone,
 			); err != nil {
 				return err
 			}
@@ -117,7 +117,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if flags.Changed("add-project") || flags.Changed("remove-project") {
 				opts.Editable.Projects.Edited = true
 			}
-			if flags.Changed("milestone") || opts.RemoveMilestone {
+			if flags.Changed("milestone") || removeMilestone {
 				opts.Editable.Milestone.Edited = true
 
 				// Note that when `--remove-milestone` is provided, the value of
@@ -156,7 +156,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the issue to projects by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the issue from projects by `name`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the issue belongs to by `name`")
-	cmd.Flags().BoolVar(&opts.RemoveMilestone, "remove-milestone", false, "Remove the milestone association from the issue")
+	cmd.Flags().BoolVar(&removeMilestone, "remove-milestone", false, "Remove the milestone association from the issue")
 
 	return cmd
 }

From 58e61967774d93e02d5a03946a4845f0ce1814be Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 21:41:43 +0100
Subject: [PATCH 200/253] Fix missing variable

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/pr/edit/edit.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/edit/edit.go b/pkg/cmd/pr/edit/edit.go
index 21aa80c07d7..9dc19001189 100644
--- a/pkg/cmd/pr/edit/edit.go
+++ b/pkg/cmd/pr/edit/edit.go
@@ -100,7 +100,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if err := cmdutil.MutuallyExclusive(
 				"specify only one of `--milestone` or `--remove-milestone`",
 				flags.Changed("milestone"),
-				opts.removeMilestone,
+				removeMilestone,
 			); err != nil {
 				return err
 			}
@@ -126,7 +126,7 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 			if flags.Changed("add-project") || flags.Changed("remove-project") {
 				opts.Editable.Projects.Edited = true
 			}
-			if flags.Changed("milestone") || opts.removeMilestone {
+			if flags.Changed("milestone") || removeMilestone {
 				opts.Editable.Milestone.Edited = true
 
 				// Note that when `--remove-milestone` is provided, the value of

From b9963809c2e56332b2facd6699d6054ed77ecc21 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 23:25:34 +0100
Subject: [PATCH 201/253] Use signature-stripped tag annotation content

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create.go | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 1cfc5ba06a4..132e2c801fa 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -516,12 +516,32 @@ func createRun(opts *CreateOptions) error {
 }
 
 func gitTagInfo(client *git.Client, tagName string) (string, error) {
-	cmd, err := client.Command(context.Background(), "tag", "--list", tagName, "--format=%(contents:subject)%0a%0a%(contents:body)")
+	contentCmd, err := client.Command(context.Background(), "tag", "--list", tagName, "--format=%(contents)")
 	if err != nil {
 		return "", err
 	}
-	b, err := cmd.Output()
-	return string(b), err
+	content, err := contentCmd.Output()
+	if err != nil {
+		return "", err
+	}
+
+	signatureCmd, err := client.Command(context.Background(), "tag", "--list", tagName, "--format=%(contents:signature)")
+	if err != nil {
+		return "", err
+	}
+	signature, err := signatureCmd.Output()
+	if err != nil {
+		return "", err
+	}
+
+	if len(signature) == 0 {
+		// The tag annotation content has no trailing signature to strip out,
+		// so we return the entire content.
+		return string(content), nil
+	}
+
+	body, _ := strings.CutSuffix(string(content), "\n"+string(signature))
+	return body, nil
 }
 
 func detectPreviousTag(client *git.Client, headRef string) (string, error) {

From df3b0627fd697b30bffd1f11ad887b8795f4cf7d Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 23:26:03 +0100
Subject: [PATCH 202/253] Add test for `gitTagInfo`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create_test.go | 76 +++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/pkg/cmd/release/create/create_test.go b/pkg/cmd/release/create/create_test.go
index ed7d99c1e94..a66bb58991e 100644
--- a/pkg/cmd/release/create/create_test.go
+++ b/pkg/cmd/release/create/create_test.go
@@ -1751,6 +1751,82 @@ func Test_createRun_interactive(t *testing.T) {
 	}
 }
 
+func Test_gitTagInfo(t *testing.T) {
+	const tagName = "foo"
+	const contentCmd = "git tag --list foo --format=%\\(contents\\)"
+	const signatureCmd = "git tag --list foo --format=%\\(contents:signature\\)"
+
+	tests := []struct {
+		name       string
+		runStubs   func(*run.CommandStubber)
+		wantErr    string
+		wantResult string
+	}{
+		{
+			name: "no signature",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent")
+				cs.Register(signatureCmd, 0, "")
+			},
+			wantResult: "some\nmultiline\ncontent",
+		},
+		{
+			name: "with signature",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
+				cs.Register(signatureCmd, 0, "-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
+			},
+			wantResult: "some\nmultiline\ncontent",
+		},
+		{
+			name: "with signature in content but not as true signature",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
+				cs.Register(signatureCmd, 0, "")
+			},
+			wantResult: "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----",
+		},
+		{
+			name: "error getting content",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 1, "some error")
+			},
+			wantErr: fmt.Sprintf("failed to run git: %s exited with status 1", contentCmd),
+		},
+		{
+			name: "error getting signature",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "whatever")
+				cs.Register(signatureCmd, 1, "some error")
+			},
+			wantErr: fmt.Sprintf("failed to run git: %s exited with status 1", signatureCmd),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gitClient := &git.Client{GitPath: "some/path/git"}
+
+			rs, teardown := run.Stub()
+			defer teardown(t)
+			if tt.runStubs != nil {
+				tt.runStubs(rs)
+			}
+
+			result, err := gitTagInfo(gitClient, tagName)
+
+			if tt.wantErr != "" {
+				require.EqualError(t, err, tt.wantErr)
+				return
+			} else {
+				require.NoError(t, err)
+			}
+
+			assert.Equal(t, tt.wantResult, result)
+		})
+	}
+}
+
 func boolPtr(b bool) *bool {
 	return &b
 }

From 46814b37598c9a0dc13f4345dc6152684af93172 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Mon, 29 Jul 2024 23:26:19 +0100
Subject: [PATCH 203/253] Add example for `--notes-from-tag`

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 132e2c801fa..412c93328fe 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -115,6 +115,9 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 
 			Use release notes from a file
 			$ gh release create v1.2.3 -F changelog.md
+
+			Use annotated tag notes
+			$ gh release create v1.2.3 --notes-from-tag
    
 			Don't mark the release as latest
 			$ gh release create v1.2.3 --latest=false 

From 8ea1b8973a63ccd2fd503ff60bae51d5ee17f372 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Tue, 30 Jul 2024 00:21:19 +0100
Subject: [PATCH 204/253] Update tests with changes to `gitTagInfo` function

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create_test.go | 127 +++++++++++---------------
 1 file changed, 53 insertions(+), 74 deletions(-)

diff --git a/pkg/cmd/release/create/create_test.go b/pkg/cmd/release/create/create_test.go
index a66bb58991e..6dd2b484459 100644
--- a/pkg/cmd/release/create/create_test.go
+++ b/pkg/cmd/release/create/create_test.go
@@ -412,6 +412,14 @@ func Test_NewCmdCreate(t *testing.T) {
 }
 
 func Test_createRun(t *testing.T) {
+	const contentCmd = `git tag --list .* --format=%\(contents\)`
+	const signatureCmd = `git tag --list .* --format=%\(contents:signature\)`
+
+	defaultRunStubs := func(rs *run.CommandStubber) {
+		rs.Register(contentCmd, 0, "")
+		rs.Register(signatureCmd, 0, "")
+	}
+
 	tests := []struct {
 		name       string
 		isTTY      bool
@@ -432,9 +440,7 @@ func Test_createRun(t *testing.T) {
 				BodyProvided: true,
 				Target:       "",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -464,9 +470,7 @@ func Test_createRun(t *testing.T) {
 				Target:             "",
 				DiscussionCategory: "General",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -496,9 +500,7 @@ func Test_createRun(t *testing.T) {
 				BodyProvided: true,
 				Target:       "main",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -527,9 +529,7 @@ func Test_createRun(t *testing.T) {
 				Draft:        true,
 				Target:       "",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -558,9 +558,7 @@ func Test_createRun(t *testing.T) {
 				BodyProvided:  true,
 				GenerateNotes: false,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -589,9 +587,7 @@ func Test_createRun(t *testing.T) {
 				BodyProvided:  true,
 				GenerateNotes: true,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
 					"url": "https://api.github.com/releases/123",
@@ -621,9 +617,7 @@ func Test_createRun(t *testing.T) {
 				GenerateNotes: true,
 				NotesStartTag: "v1.1.0",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases/generate-notes"),
 					httpmock.RESTPayload(200, `{
@@ -664,9 +658,7 @@ func Test_createRun(t *testing.T) {
 				GenerateNotes: true,
 				NotesStartTag: "v1.1.0",
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases/generate-notes"),
 					httpmock.RESTPayload(200, `{
@@ -715,9 +707,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(404, ``))
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
@@ -776,9 +766,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(404, ``))
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
@@ -838,9 +826,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(200, ``))
 			},
@@ -868,9 +854,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(404, ``))
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.StatusStringResponse(201, `{
@@ -905,9 +889,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(404, ``))
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.StatusStringResponse(201, `{
@@ -943,9 +925,7 @@ func Test_createRun(t *testing.T) {
 				},
 				Concurrency: 1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(200, ``))
 			},
@@ -974,9 +954,7 @@ func Test_createRun(t *testing.T) {
 				DiscussionCategory: "general",
 				Concurrency:        1,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("HEAD", "repos/OWNER/REPO/releases/tags/v1.2.3"), httpmock.StatusStringResponse(404, ``))
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases"), httpmock.RESTPayload(201, `{
@@ -1027,7 +1005,8 @@ func Test_createRun(t *testing.T) {
 				NotesFromTag: true,
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "some tag message")
+				rs.Register(contentCmd, 0, "some tag message")
+				rs.Register(signatureCmd, 0, "")
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(
@@ -1064,7 +1043,8 @@ func Test_createRun(t *testing.T) {
 				NotesFromTag: true,
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "some tag message")
+				rs.Register(contentCmd, 0, "some tag message")
+				rs.Register(signatureCmd, 0, "")
 			},
 			httpStubs: func(t *testing.T, reg *httpmock.Registry) {
 				reg.Register(
@@ -1099,10 +1079,8 @@ func Test_createRun(t *testing.T) {
 				Assets:       []*shared.AssetForUpload(nil),
 				NotesFromTag: true,
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "")
-			},
-			wantErr: "cannot generate release notes from tag v1.2.3 as it does not exist locally",
+			runStubs: defaultRunStubs,
+			wantErr:  "cannot generate release notes from tag v1.2.3 as it does not exist locally",
 		},
 	}
 	for _, tt := range tests {
@@ -1149,6 +1127,13 @@ func Test_createRun(t *testing.T) {
 }
 
 func Test_createRun_interactive(t *testing.T) {
+	const contentCmd = `git tag --list .* --format=%\(contents\)`
+	const signatureCmd = `git tag --list .* --format=%\(contents:signature\)`
+
+	defaultRunStubs := func(rs *run.CommandStubber) {
+		rs.Register(contentCmd, 1, "")
+	}
+
 	tests := []struct {
 		name          string
 		httpStubs     func(*httpmock.Registry)
@@ -1185,9 +1170,7 @@ func Test_createRun_interactive(t *testing.T) {
 					return false, nil
 				})
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/OWNER/REPO/tags"), httpmock.StatusStringResponse(200, `[
 					{ "name": "v1.2.3" }, { "name": "v1.2.2" }, { "name": "v1.0.0" }, { "name": "v0.1.2" }
@@ -1234,9 +1217,7 @@ func Test_createRun_interactive(t *testing.T) {
 					return false, nil
 				})
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/OWNER/REPO/tags"), httpmock.StatusStringResponse(200, `[
 					{ "name": "v1.2.2" }, { "name": "v1.0.0" }, { "name": "v0.1.2" }
@@ -1283,9 +1264,7 @@ func Test_createRun_interactive(t *testing.T) {
 					return false, nil
 				})
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/OWNER/REPO/tags"), httpmock.StatusStringResponse(200, `[
 					{ "name": "v1.2.2" }, { "name": "v1.0.0" }, { "name": "v0.1.2" }
@@ -1332,9 +1311,7 @@ func Test_createRun_interactive(t *testing.T) {
 					return false, nil
 				})
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases/generate-notes"),
 					httpmock.StatusStringResponse(200, `{
@@ -1381,7 +1358,7 @@ func Test_createRun_interactive(t *testing.T) {
 				})
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
+				defaultRunStubs(rs)
 				rs.Register(`git describe --tags --abbrev=0 HEAD\^`, 0, "v1.2.2\n")
 				rs.Register(`git .+log .+v1\.2\.2\.\.HEAD$`, 0, "commit subject\n\ncommit body\n")
 			},
@@ -1427,7 +1404,8 @@ func Test_createRun_interactive(t *testing.T) {
 				})
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "hello from annotated tag")
+				rs.Register(contentCmd, 0, "hello from annotated tag")
+				rs.Register(signatureCmd, 0, "")
 				rs.Register(`git describe --tags --abbrev=0 v1\.2\.3\^`, 1, "")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -1456,7 +1434,8 @@ func Test_createRun_interactive(t *testing.T) {
 				TagName: "v1.2.3",
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "tag exists")
+				rs.Register(contentCmd, 0, "tag exists")
+				rs.Register(signatureCmd, 0, "")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.GraphQL("RepositoryFindRef"),
@@ -1489,7 +1468,8 @@ func Test_createRun_interactive(t *testing.T) {
 				})
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "tag exists")
+				rs.Register(contentCmd, 0, "tag exists")
+				rs.Register(signatureCmd, 0, "")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases/generate-notes"),
@@ -1536,9 +1516,7 @@ func Test_createRun_interactive(t *testing.T) {
 					return false, nil
 				})
 			},
-			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
-			},
+			runStubs: defaultRunStubs,
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("POST", "repos/OWNER/REPO/releases/generate-notes"),
 					httpmock.RESTPayload(200, `{
@@ -1591,7 +1569,7 @@ func Test_createRun_interactive(t *testing.T) {
 				})
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 1, "")
+				defaultRunStubs(rs)
 				rs.Register(`git .+log .+v1\.1\.0\.\.HEAD$`, 0, "commit subject\n\ncommit body\n")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
@@ -1639,7 +1617,8 @@ func Test_createRun_interactive(t *testing.T) {
 				})
 			},
 			runStubs: func(rs *run.CommandStubber) {
-				rs.Register(`git tag --list`, 0, "tag exists")
+				rs.Register(contentCmd, 0, "tag exists")
+				rs.Register(signatureCmd, 0, "")
 			},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.GraphQL("RepositoryFindRef"),
@@ -1753,8 +1732,8 @@ func Test_createRun_interactive(t *testing.T) {
 
 func Test_gitTagInfo(t *testing.T) {
 	const tagName = "foo"
-	const contentCmd = "git tag --list foo --format=%\\(contents\\)"
-	const signatureCmd = "git tag --list foo --format=%\\(contents:signature\\)"
+	const contentCmd = `git tag --list foo --format=%\(contents\)`
+	const signatureCmd = `git tag --list foo --format=%\(contents:signature\)`
 
 	tests := []struct {
 		name       string

From dc4e9cb5323ebbad58030a4c3bdb3930e6c54547 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Tue, 30 Jul 2024 12:11:25 -0700
Subject: [PATCH 205/253] handle attest case insensitivity

---
 .../attestation/verification/extensions.go    | 27 +++++++++++++++++++
 pkg/cmd/attestation/verify/policy.go          | 17 ++++--------
 pkg/cmd/attestation/verify/verify.go          |  6 +++++
 3 files changed, 38 insertions(+), 12 deletions(-)
 create mode 100644 pkg/cmd/attestation/verification/extensions.go

diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
new file mode 100644
index 00000000000..ffbefb9d35b
--- /dev/null
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -0,0 +1,27 @@
+package verification
+
+import (
+	"fmt"
+	"strings"
+)
+
+func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error {
+	for _, attestation := range results {
+		if owner != "" {
+			expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
+			sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
+			if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+				return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
+			}
+		}
+
+		if repo != "" {
+			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
+			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
+			if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+				return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 959bd08a96c..938e8048fdc 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -21,7 +21,7 @@ const (
 )
 
 func expandToGitHubURL(ownerOrRepo string) string {
-	return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo)
+	return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)
 }
 
 func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) {
@@ -42,17 +42,10 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 	return verify.SubjectAlternativeNameMatcher{}, nil
 }
 
-func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
-	extensions := certificate.Extensions{
-		SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
-		RunnerEnvironment:        runnerEnv,
+func buildCertExtensions(runnerEnv string) certificate.Extensions {
+	return certificate.Extensions{
+		RunnerEnvironment: runnerEnv,
 	}
-
-	// if opts.Repo is set, set the SourceRepositoryURI field before returning the extensions
-	if opts.Repo != "" {
-		extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
-	}
-	return extensions
 }
 
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
@@ -66,7 +59,7 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 		return nil, err
 	}
 
-	extensions := buildCertExtensions(opts, runnerEnv)
+	extensions := buildCertExtensions(runnerEnv)
 
 	certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 	if err != nil {
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index 16b9477e8ad..e1a5b1c50ce 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -235,6 +235,12 @@ func runVerify(opts *Options) error {
 		return sigstoreRes.Error
 	}
 
+	// Verify extensions
+	if err := verification.VerifyCertExtensions(sigstoreRes.VerifyResults, opts.Owner, opts.Repo); err != nil {
+		opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Verification failed"))
+		return err
+	}
+
 	opts.Logger.Println(opts.Logger.ColorScheme.Green("✓ Verification succeeded!\n"))
 
 	// If an exporter is provided with the --json flag, write the results to the terminal in JSON format

From c1adb1a6cfcb932660dd852bb01284a4d836de85 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Tue, 30 Jul 2024 12:24:27 -0700
Subject: [PATCH 206/253] added

---
 .../verification/extensions_test.go           | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 pkg/cmd/attestation/verification/extensions_test.go

diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
new file mode 100644
index 00000000000..829ebb231c7
--- /dev/null
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@@ -0,0 +1,41 @@
+package verification
+
+import (
+	"testing"
+
+	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
+	"github.com/sigstore/sigstore-go/pkg/verify"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVerifyCertExtensions(t *testing.T) {
+	results := []*AttestationProcessingResult{
+		{
+			VerificationResult: &verify.VerificationResult{
+				Signature: &verify.SignatureVerificationResult{
+					Certificate: &certificate.Summary{
+						Extensions: certificate.Extensions{
+							SourceRepositoryOwnerURI: "https://github.com/owner",
+							SourceRepositoryURI:      "https://github.com/owner/repo",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	err := VerifyCertExtensions(results, "owner", "owner/repo")
+	require.NoError(t, err)
+
+	err = VerifyCertExtensions(results, "", "owner/repo")
+	require.NoError(t, err)
+
+	err = VerifyCertExtensions(results, "owner", "")
+	require.NoError(t, err)
+
+	err = VerifyCertExtensions(results, "wrong", "")
+	require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
+
+	err = VerifyCertExtensions(results, "", "wrong")
+	require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+}

From e21e5ef5c5d4fabc0848b3f52b8351f3d5fa0b74 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Tue, 30 Jul 2024 13:09:28 -0700
Subject: [PATCH 207/253] update test

---
 .../attestation/verification/extensions.go    |  4 +-
 .../verification/extensions_test.go           | 37 ++++++++++++-------
 pkg/cmd/attestation/verify/options_test.go    |  4 +-
 pkg/cmd/attestation/verify/verify_test.go     | 16 ++++----
 4 files changed, 35 insertions(+), 26 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index ffbefb9d35b..cadb2668f0c 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 		if owner != "" {
 			expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
 			sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-			if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+			if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
 				return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 			}
 		}
@@ -18,7 +18,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 		if repo != "" {
 			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
-			if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+			if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
 				return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
 			}
 		}
diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
index 829ebb231c7..c04d2966460 100644
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@@ -24,18 +24,27 @@ func TestVerifyCertExtensions(t *testing.T) {
 		},
 	}
 
-	err := VerifyCertExtensions(results, "owner", "owner/repo")
-	require.NoError(t, err)
-
-	err = VerifyCertExtensions(results, "", "owner/repo")
-	require.NoError(t, err)
-
-	err = VerifyCertExtensions(results, "owner", "")
-	require.NoError(t, err)
-
-	err = VerifyCertExtensions(results, "wrong", "")
-	require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
-
-	err = VerifyCertExtensions(results, "", "wrong")
-	require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
+		err := VerifyCertExtensions(results, "owner", "owner/repo")
+		require.NoError(t, err)
+	})
+	t.Run("VerifyCertExtensions with repo", func(t *testing.T) {
+		err := VerifyCertExtensions(results, "", "owner/repo")
+		require.NoError(t, err)
+	})
+
+	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
+		err := VerifyCertExtensions(results, "owner", "")
+		require.NoError(t, err)
+	})
+
+	t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
+		err := VerifyCertExtensions(results, "wrong", "")
+		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
+	})
+
+	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
+		err := VerifyCertExtensions(results, "", "wrong")
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+	})
 }
diff --git a/pkg/cmd/attestation/verify/options_test.go b/pkg/cmd/attestation/verify/options_test.go
index a7430017efc..aea131b279f 100644
--- a/pkg/cmd/attestation/verify/options_test.go
+++ b/pkg/cmd/attestation/verify/options_test.go
@@ -70,7 +70,7 @@ func TestSetPolicyFlags(t *testing.T) {
 		opts.SetPolicyFlags()
 		require.Equal(t, "sigstore", opts.Owner)
 		require.Equal(t, "sigstore/sigstore-js", opts.Repo)
-		require.Equal(t, "^https://github.com/sigstore/sigstore-js/", opts.SANRegex)
+		require.Equal(t, "(?i)^https://github.com/sigstore/sigstore-js/", opts.SANRegex)
 	})
 
 	t.Run("does not set SANRegex when SANRegex and Repo are provided", func(t *testing.T) {
@@ -99,7 +99,7 @@ func TestSetPolicyFlags(t *testing.T) {
 
 		opts.SetPolicyFlags()
 		require.Equal(t, "sigstore", opts.Owner)
-		require.Equal(t, "^https://github.com/sigstore/", opts.SANRegex)
+		require.Equal(t, "(?i)^https://github.com/sigstore/", opts.SANRegex)
 	})
 
 	t.Run("does not set SANRegex when SANRegex and Owner are provided", func(t *testing.T) {
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index f0cc2170947..182a66012a9 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -76,7 +76,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				Limit:            30,
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: false,
@@ -91,7 +91,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				Limit:            30,
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: false,
@@ -105,7 +105,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
 				Limit:            30,
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: true,
@@ -133,7 +133,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				Limit:            30,
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: false,
@@ -147,7 +147,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
 				Limit:            101,
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: false,
@@ -161,7 +161,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
 				Limit:            0,
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: true,
@@ -176,7 +176,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
 				SAN:              "https://github.com/sigstore/",
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsErr: true,
@@ -191,7 +191,7 @@ func TestNewVerifyCmd(t *testing.T) {
 				Limit:            30,
 				OIDCIssuer:       GitHubOIDCIssuer,
 				Owner:            "sigstore",
-				SANRegex:         "^https://github.com/sigstore/",
+				SANRegex:         "(?i)^https://github.com/sigstore/",
 				SigstoreVerifier: verification.NewMockSigstoreVerifier(t),
 			},
 			wantsExporter: true,

From 580ddf69979777481acd2b4d0cff92eb8795a204 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Tue, 30 Jul 2024 13:14:16 -0700
Subject: [PATCH 208/253] minor fix

---
 pkg/cmd/attestation/verification/extensions.go | 13 +++++++------
 pkg/cmd/attestation/verify/policy.go           | 11 ++++-------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index cadb2668f0c..6d093a5d77b 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -7,15 +7,16 @@ import (
 
 func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error {
 	for _, attestation := range results {
-		if owner != "" {
-			expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
-			sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-			if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
-				return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
-			}
+		// TODO: handle proxima prefix
+		expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
+		sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
+		if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+			return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 		}
 
+		// if repo is set, check the SourceRepositoryURI field
 		if repo != "" {
+			// TODO: handle proxima prefix
 			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
 			if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 938e8048fdc..4d850ddcc7b 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -21,6 +21,7 @@ const (
 )
 
 func expandToGitHubURL(ownerOrRepo string) string {
+	// TODO: handle proxima prefix
 	return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)
 }
 
@@ -42,12 +43,6 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 	return verify.SubjectAlternativeNameMatcher{}, nil
 }
 
-func buildCertExtensions(runnerEnv string) certificate.Extensions {
-	return certificate.Extensions{
-		RunnerEnvironment: runnerEnv,
-	}
-}
-
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
 	sanMatcher, err := buildSANMatcher(opts)
 	if err != nil {
@@ -59,7 +54,9 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 		return nil, err
 	}
 
-	extensions := buildCertExtensions(runnerEnv)
+	extensions := certificate.Extensions{
+		RunnerEnvironment: runnerEnv,
+	}
 
 	certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 	if err != nil {

From 596ee8bd7116c659e3cba95a792d327171732f15 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Tue, 30 Jul 2024 13:22:49 -0700
Subject: [PATCH 209/253] update test

---
 pkg/cmd/attestation/verification/extensions_test.go   | 6 +-----
 pkg/cmd/attestation/verify/verify_integration_test.go | 6 +++---
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
index c04d2966460..7aec4ec4563 100644
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@@ -28,10 +28,6 @@ func TestVerifyCertExtensions(t *testing.T) {
 		err := VerifyCertExtensions(results, "owner", "owner/repo")
 		require.NoError(t, err)
 	})
-	t.Run("VerifyCertExtensions with repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner/repo")
-		require.NoError(t, err)
-	})
 
 	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
 		err := VerifyCertExtensions(results, "owner", "")
@@ -44,7 +40,7 @@ func TestVerifyCertExtensions(t *testing.T) {
 	})
 
 	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "wrong")
+		err := VerifyCertExtensions(results, "owner", "wrong")
 		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
 	})
 }
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go
index 6833043b8ca..9ad7a87a3c3 100644
--- a/pkg/cmd/attestation/verify/verify_integration_test.go
+++ b/pkg/cmd/attestation/verify/verify_integration_test.go
@@ -60,7 +60,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/sigstore/fakerepo\", got \"https://github.com/sigstore/sigstore-js\"")
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/sigstore/fakerepo, got https://github.com/sigstore/sigstore-js")
 	})
 
 	t.Run("with invalid owner", func(t *testing.T) {
@@ -69,7 +69,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryOwnerURI to be \"https://github.com/fakeowner\", got \"https://github.com/sigstore\"")
+		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/fakeowner, got https://github.com/sigstore")
 	})
 
 	t.Run("with invalid owner and invalid repo", func(t *testing.T) {
@@ -78,7 +78,7 @@ func TestVerifyIntegration(t *testing.T) {
 
 		err := runVerify(&opts)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "verifying with issuer \"sigstore.dev\": failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SourceRepositoryURI to be \"https://github.com/fakeowner/fakerepo\"")
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/fakeowner/fakerepo, got https://github.com/sigstore/sigstore-js")
 	})
 }
 

From a7d04fc2ec066265c0571fda56ecce5eac1df060 Mon Sep 17 00:00:00 2001
From: Bryan Honof <bryanhonof@bryans-mbp.space.flox.local>
Date: Wed, 31 Jul 2024 00:13:08 +0200
Subject: [PATCH 210/253] Add Flox as an installation option

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 4532a353d8a..1ddeb1dfe03 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,14 @@ Additional Conda installation options available on the [gh-feedstock page](https
 
 For more information about the Webi installer see [its homepage](https://webinstall.dev/).
 
+#### Flox
+
+| Install:          | Upgrade:                |
+| ----------------- | ----------------------- |
+| `flox install gh` | `flox upgrade toplevel` |
+
+For more information about Flox, see [its homepage](https://flox.dev)
+
 ### Linux & BSD
 
 `gh` is available via:

From 1eaf712dd13c976b5225279a5e7e66564a7f03f1 Mon Sep 17 00:00:00 2001
From: ejahnGithub <ejahngithub@github.com>
Date: Wed, 31 Jul 2024 07:29:43 -0700
Subject: [PATCH 211/253] update test and remove logic to check
 SourceRepositoryOwnerURI is empty string

---
 .../attestation/verification/extensions.go    |  4 ++--
 .../attestation/verification/mock_verifier.go |  4 +++-
 pkg/cmd/attestation/verify/verify_test.go     | 20 ++++++++++++++++++-
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index 6d093a5d77b..1915152dc3d 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 		// TODO: handle proxima prefix
 		expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
 		sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-		if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+		if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
 			return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 		}
 
@@ -19,7 +19,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 			// TODO: handle proxima prefix
 			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
-			if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+			if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
 				return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
 			}
 		}
diff --git a/pkg/cmd/attestation/verification/mock_verifier.go b/pkg/cmd/attestation/verification/mock_verifier.go
index a8579b57810..dcbfb1ba2df 100644
--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
@@ -31,7 +31,9 @@ func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
 			Signature: &verify.SignatureVerificationResult{
 				Certificate: &certificate.Summary{
 					Extensions: certificate.Extensions{
-						BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+						BuildSignerURI:           "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+						SourceRepositoryOwnerURI: "https://github.com/sigstore",
+						SourceRepositoryURI:      "https://github.com/sigstore/sigstore-js",
 					},
 				},
 			},
diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go
index 182a66012a9..8d06617f30f 100644
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@@ -340,14 +340,32 @@ func TestRunVerify(t *testing.T) {
 		require.Nil(t, runVerify(&opts))
 	})
 
+	t.Run("with owner which not matches SourceRepositoryOwnerURI", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.BundlePath = ""
+		opts.Owner = "owner"
+
+		err := runVerify(&opts)
+		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://github.com/sigstore")
+	})
+
 	t.Run("with repo", func(t *testing.T) {
 		opts := publicGoodOpts
 		opts.BundlePath = ""
-		opts.Repo = "github/example"
+		opts.Repo = "sigstore/sigstore-js"
 
 		require.Nil(t, runVerify(&opts))
 	})
 
+	t.Run("with repo which not matches SourceRepositoryURI", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.BundlePath = ""
+		opts.Repo = "wrong/example"
+
+		err := runVerify(&opts)
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong/example, got https://github.com/sigstore/sigstore-js")
+	})
+
 	t.Run("with invalid repo", func(t *testing.T) {
 		opts := publicGoodOpts
 		opts.BundlePath = ""

From ad96ad3580a9503389745f460d45ffe1a1857802 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 31 Jul 2024 14:55:39 +0000
Subject: [PATCH 212/253] build(deps): bump actions/attest-build-provenance
 from 1.3.3 to 1.4.0

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.3.3 to 1.4.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/5e9cb68e95676991667494a6a4e59b8a2f13e1d0...210c1913531870065f03ce1f9440dd87bc0938cd)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 2e87e242924..564eb647cfd 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -299,7 +299,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 # v1.3.3
+        uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo

From 22a5a4c899cec911152cbb27acb539ee7505655d Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Fri, 2 Aug 2024 10:36:32 -0400
Subject: [PATCH 213/253] Update `gh variable get` to use repo host

Closes #9274

This change addresses a bug where repository and repository environment variables are not being retrieved from the appropriate host, causing GHES users to fail without specifying `GH_HOST` to force `gh variable set` to do the right thing.

In addition, the tests for this command have been updated to check both github.com and GHES variations to ensure this works.
---
 pkg/cmd/variable/get/get.go      | 16 +++++++------
 pkg/cmd/variable/get/get_test.go | 39 ++++++++++++++++++++++++++++++--
 pkg/httpmock/stub.go             |  9 ++++++++
 3 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/pkg/cmd/variable/get/get.go b/pkg/cmd/variable/get/get.go
index 32b4c5e6271..e4def5a03b2 100644
--- a/pkg/cmd/variable/get/get.go
+++ b/pkg/cmd/variable/get/get.go
@@ -92,23 +92,25 @@ func getRun(opts *GetOptions) error {
 		}
 	}
 
+	cfg, err := opts.Config()
+	if err != nil {
+		return err
+	}
+
 	var path string
+	var host string
 	switch variableEntity {
 	case shared.Organization:
 		path = fmt.Sprintf("orgs/%s/actions/variables/%s", orgName, opts.VariableName)
+		host, _ = cfg.Authentication().DefaultHost()
 	case shared.Environment:
 		path = fmt.Sprintf("repos/%s/environments/%s/variables/%s", ghrepo.FullName(baseRepo), envName, opts.VariableName)
+		host = baseRepo.RepoHost()
 	case shared.Repository:
 		path = fmt.Sprintf("repos/%s/actions/variables/%s", ghrepo.FullName(baseRepo), opts.VariableName)
+		host = baseRepo.RepoHost()
 	}
 
-	cfg, err := opts.Config()
-	if err != nil {
-		return err
-	}
-
-	host, _ := cfg.Authentication().DefaultHost()
-
 	var variable shared.Variable
 	if err = client.REST(host, "GET", path, nil, &variable); err != nil {
 		var httpErr api.HTTPError
diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index 4a03beb6a4e..e85910152b7 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -110,6 +110,7 @@ func Test_getRun(t *testing.T) {
 	tests := []struct {
 		name       string
 		opts       *GetOptions
+		host       string
 		httpStubs  func(*httpmock.Registry)
 		jsonFields []string
 		wantOut    string
@@ -120,8 +121,23 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
+			host: "github.com",
 			httpStubs: func(reg *httpmock.Registry) {
-				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"), "api.github.com"),
+					httpmock.JSONResponse(shared.Variable{
+						Value: "repo_var",
+					}))
+			},
+			wantOut: "repo_var\n",
+		},
+		{
+			name: "getting GHES repo variable",
+			opts: &GetOptions{
+				VariableName: "VARIABLE_ONE",
+			},
+			host: "ghe.io",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/actions/variables/VARIABLE_ONE"), "ghe.io"),
 					httpmock.JSONResponse(shared.Variable{
 						Value: "repo_var",
 					}))
@@ -148,8 +164,24 @@ func Test_getRun(t *testing.T) {
 				EnvName:      "Development",
 				VariableName: "VARIABLE_ONE",
 			},
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "repos/owner/repo/environments/Development/variables/VARIABLE_ONE"), "api.github.com"),
+					httpmock.JSONResponse(shared.Variable{
+						Value: "env_var",
+					}))
+			},
+			wantOut: "env_var\n",
+		},
+		{
+			name: "getting GHES env variable",
+			opts: &GetOptions{
+				EnvName:      "Development",
+				VariableName: "VARIABLE_ONE",
+			},
+			host: "ghe.io",
 			httpStubs: func(reg *httpmock.Registry) {
-				reg.Register(httpmock.REST("GET", "repos/owner/repo/environments/Development/variables/VARIABLE_ONE"),
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/environments/Development/variables/VARIABLE_ONE"), "ghe.io"),
 					httpmock.JSONResponse(shared.Variable{
 						Value: "env_var",
 					}))
@@ -226,6 +258,9 @@ func Test_getRun(t *testing.T) {
 
 				tt.opts.IO = ios
 				tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+					if tt.host != "" {
+						return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
+					}
 					return ghrepo.FromFullName("owner/repo")
 				}
 				tt.opts.HttpClient = func() (*http.Client, error) {
diff --git a/pkg/httpmock/stub.go b/pkg/httpmock/stub.go
index 147d36fc826..e7534d7f807 100644
--- a/pkg/httpmock/stub.go
+++ b/pkg/httpmock/stub.go
@@ -123,6 +123,15 @@ func StringResponse(body string) Responder {
 	}
 }
 
+func WithHost(matcher Matcher, host string) Matcher {
+	return func(req *http.Request) bool {
+		if !strings.EqualFold(req.Host, host) {
+			return false
+		}
+		return matcher(req)
+	}
+}
+
 func WithHeader(responder Responder, header string, value string) Responder {
 	return func(req *http.Request) (*http.Response, error) {
 		resp, _ := responder(req)

From d7b8ecf33dee8b0582e2514d9821e6225c58ab7c Mon Sep 17 00:00:00 2001
From: Yukai Chou <muzimuzhi@gmail.com>
Date: Fri, 2 Aug 2024 03:55:20 +0800
Subject: [PATCH 214/253] Unify use of tab indent in non-test source files

Found with
    rg '(^ | \t|\t )' -g '*.go' -g '!*_test.go'

Mixed indent exceptions:
- wrapped long list items with extra 2-space indent
- code snippets using space indent
- commented code lines having "\t*// \t+" prefix
---
 api/queries_issue.go                          |  2 +-
 api/query_builder.go                          |  8 +-
 pkg/cmd/attestation/attestation.go            |  2 +-
 .../attestation/trustedroot/trustedroot.go    | 24 +++---
 pkg/cmd/codespace/ssh.go                      |  2 +-
 pkg/cmd/pr/list/list.go                       |  2 +-
 pkg/cmd/pr/merge/merge.go                     |  2 +-
 pkg/cmd/pr/status/http.go                     | 34 ++++----
 pkg/cmd/release/create/create.go              |  2 +-
 pkg/cmd/repo/create/create.go                 |  2 +-
 pkg/cmd/repo/credits/credits.go               | 18 ++---
 pkg/cmd/root/help_topic.go                    | 79 +++++++++----------
 pkg/cmd/run/download/download.go              | 16 ++--
 pkg/cmd/run/list/list.go                      |  2 +-
 pkg/cmd/search/commits/commits.go             |  4 +-
 pkg/cmd/search/issues/issues.go               |  5 +-
 pkg/cmd/search/prs/prs.go                     |  4 +-
 pkg/cmd/search/repos/repos.go                 |  4 +-
 pkg/cmd/variable/variable.go                  |  2 +-
 pkg/cmd/workflow/run/run.go                   |  2 +-
 pkg/cmd/workflow/view/view.go                 |  8 +-
 pkg/surveyext/editor.go                       |  6 +-
 22 files changed, 114 insertions(+), 116 deletions(-)

diff --git a/api/queries_issue.go b/api/queries_issue.go
index 62531e84eb5..094b6b198c7 100644
--- a/api/queries_issue.go
+++ b/api/queries_issue.go
@@ -286,7 +286,7 @@ func IssueStatus(client *Client, repo ghrepo.Interface, options IssueStatusOptio
 				}
 			}
 		}
-    }`
+	}`
 
 	variables := map[string]interface{}{
 		"owner":  repo.RepoOwner(),
diff --git a/api/query_builder.go b/api/query_builder.go
index 30dbeb869e0..75517939688 100644
--- a/api/query_builder.go
+++ b/api/query_builder.go
@@ -152,13 +152,13 @@ func StatusCheckRollupGraphQLWithCountByState() string {
 					contexts {
 						checkRunCount,
 						checkRunCountsByState {
-						  state,
-						  count
+							state,
+							count
 						},
 						statusContextCount,
 						statusContextCountsByState {
-						  state,
-						  count
+							state,
+							count
 						}
 					}
 				}
diff --git a/pkg/cmd/attestation/attestation.go b/pkg/cmd/attestation/attestation.go
index ea1e0c08c12..a6229e6363b 100644
--- a/pkg/cmd/attestation/attestation.go
+++ b/pkg/cmd/attestation/attestation.go
@@ -18,7 +18,7 @@ func NewCmdAttestation(f *cmdutil.Factory) *cobra.Command {
 		Aliases: []string{"at"},
 		Long: heredoc.Doc(`
 			Download and verify artifact attestations.
-			`),
+		`),
 	}
 
 	root.AddCommand(download.NewDownloadCmd(f, nil))
diff --git a/pkg/cmd/attestation/trustedroot/trustedroot.go b/pkg/cmd/attestation/trustedroot/trustedroot.go
index 09ab9a6c90e..e28ceab6289 100644
--- a/pkg/cmd/attestation/trustedroot/trustedroot.go
+++ b/pkg/cmd/attestation/trustedroot/trustedroot.go
@@ -32,22 +32,22 @@ func NewTrustedRootCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Com
 		Long: heredoc.Docf(`
 			### NOTE: This feature is currently in beta, and subject to change.
 
-            Output contents for a trusted_root.jsonl file, likely for offline verification.
+			Output contents for a trusted_root.jsonl file, likely for offline verification.
 
-            When using %[1]sgh attestation verify%[1]s, if your machine is on the internet,
-            this will happen automatically. But to do offline verification, you need to
-            supply a trusted root file with %[1]s--custom-trusted-root%[1]s; this command
-            will help you fetch a %[1]strusted_root.jsonl%[1]s file for that purpose.
+			When using %[1]sgh attestation verify%[1]s, if your machine is on the internet,
+			this will happen automatically. But to do offline verification, you need to
+			supply a trusted root file with %[1]s--custom-trusted-root%[1]s; this command
+			will help you fetch a %[1]strusted_root.jsonl%[1]s file for that purpose.
 
-            You can call this command without any flags to get a trusted root file covering
-            the Sigstore Public Good Instance as well as GitHub's Sigstore instance.
+			You can call this command without any flags to get a trusted root file covering
+			the Sigstore Public Good Instance as well as GitHub's Sigstore instance.
 
-            Otherwise you can use %[1]s--tuf-url%[1]s to specify the URL of a custom TUF
-            repository mirror, and %[1]s--tuf-root%[1]s should be the path to the
-            %[1]sroot.json%[1]s file that you securely obtained out-of-band.
+			Otherwise you can use %[1]s--tuf-url%[1]s to specify the URL of a custom TUF
+			repository mirror, and %[1]s--tuf-root%[1]s should be the path to the
+			%[1]sroot.json%[1]s file that you securely obtained out-of-band.
 
-            If you just want to verify the integrity of your local TUF repository, and don't
-            want the contents of a trusted_root.jsonl file, use %[1]s--verify-only%[1]s.
+			If you just want to verify the integrity of your local TUF repository, and don't
+			want the contents of a trusted_root.jsonl file, use %[1]s--verify-only%[1]s.
 		`, "`"),
 		Example: heredoc.Doc(`
 			# Get a trusted_root.jsonl for both Sigstore Public Good and GitHub's instance
diff --git a/pkg/cmd/codespace/ssh.go b/pkg/cmd/codespace/ssh.go
index 571f7426777..c6c3943e240 100644
--- a/pkg/cmd/codespace/ssh.go
+++ b/pkg/cmd/codespace/ssh.go
@@ -60,7 +60,7 @@ func newSSHCmd(app *App) *cobra.Command {
 			The %[1]sssh%[1]s command will automatically create a public/private ssh key pair in the
 			%[1]s~/.ssh%[1]s directory if you do not have an existing valid key pair. When selecting the
 			key pair to use, the preferred order is:
-			  
+
 			1. Key specified by %[1]s-i%[1]s in %[1]s<ssh-flags>%[1]s
 			2. Automatic key, if it already exists
 			3. First valid key pair in ssh config (according to %[1]sssh -G%[1]s)
diff --git a/pkg/cmd/pr/list/list.go b/pkg/cmd/pr/list/list.go
index 7721ecc1be6..93a9b8b4b68 100644
--- a/pkg/cmd/pr/list/list.go
+++ b/pkg/cmd/pr/list/list.go
@@ -72,7 +72,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 
 			Find a PR that introduced a given commit
 			$ gh pr list --search "<SHA>" --state merged
-    	`),
+		`),
 		Aliases: []string{"ls"},
 		Args:    cmdutil.NoArgsQuoteReminder,
 		RunE: func(cmd *cobra.Command, args []string) error {
diff --git a/pkg/cmd/pr/merge/merge.go b/pkg/cmd/pr/merge/merge.go
index 1e7deabcbf1..e3d1a14eee2 100644
--- a/pkg/cmd/pr/merge/merge.go
+++ b/pkg/cmd/pr/merge/merge.go
@@ -88,7 +88,7 @@ func NewCmdMerge(f *cmdutil.Factory, runF func(*MergeOptions) error) *cobra.Comm
 			If required checks have not yet passed, auto-merge will be enabled.
 			If required checks have passed, the pull request will be added to the merge queue.
 			To bypass a merge queue and merge directly, pass the %[1]s--admin%[1]s flag.
-    	`, "`"),
+		`, "`"),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.Finder = shared.NewFinder(f)
diff --git a/pkg/cmd/pr/status/http.go b/pkg/cmd/pr/status/http.go
index bd7eb6a7814..1eb12ed74d1 100644
--- a/pkg/cmd/pr/status/http.go
+++ b/pkg/cmd/pr/status/http.go
@@ -101,23 +101,23 @@ func pullRequestStatus(httpClient *http.Client, repo ghrepo.Interface, options r
 	}
 
 	query := fragments + queryPrefix + `
-      viewerCreated: search(query: $viewerQuery, type: ISSUE, first: $per_page) {
-       totalCount: issueCount
-        edges {
-          node {
-            ...prWithReviews
-          }
-        }
-      }
-      reviewRequested: search(query: $reviewerQuery, type: ISSUE, first: $per_page) {
-        totalCount: issueCount
-        edges {
-          node {
-            ...pr
-          }
-        }
-      }
-    }
+			viewerCreated: search(query: $viewerQuery, type: ISSUE, first: $per_page) {
+				totalCount: issueCount
+				edges {
+					node {
+					...prWithReviews
+					}
+				}
+			}
+			reviewRequested: search(query: $reviewerQuery, type: ISSUE, first: $per_page) {
+				totalCount: issueCount
+				edges {
+					node {
+					...pr
+					}
+				}
+			}
+		}
 	`
 
 	currentUsername := options.Username
diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 1cfc5ba06a4..95453250eda 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -115,7 +115,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 
 			Use release notes from a file
 			$ gh release create v1.2.3 -F changelog.md
-   
+
 			Don't mark the release as latest
 			$ gh release create v1.2.3 --latest=false 
 
diff --git a/pkg/cmd/repo/create/create.go b/pkg/cmd/repo/create/create.go
index 05e8909e1d2..9074ea117f9 100644
--- a/pkg/cmd/repo/create/create.go
+++ b/pkg/cmd/repo/create/create.go
@@ -88,7 +88,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			To create a remote repository non-interactively, supply the repository name and one of %[1]s--public%[1]s, %[1]s--private%[1]s, or %[1]s--internal%[1]s.
 			Pass %[1]s--clone%[1]s to clone the new repository locally.
 
-                        If the %[1]sOWNER/%[1]s portion of the %[1]sOWNER/REPO%[1]s name argument is omitted, it
+			If the %[1]sOWNER/%[1]s portion of the %[1]sOWNER/REPO%[1]s name argument is omitted, it
 			defaults to the name of the authenticating user.
 
 			To create a remote repository from an existing local repository, specify the source directory with %[1]s--source%[1]s.
diff --git a/pkg/cmd/repo/credits/credits.go b/pkg/cmd/repo/credits/credits.go
index 4b7b9fb289f..7db08a2314e 100644
--- a/pkg/cmd/repo/credits/credits.go
+++ b/pkg/cmd/repo/credits/credits.go
@@ -79,18 +79,18 @@ func NewCmdRepoCredits(f *cmdutil.Factory, runF func(*CreditsOptions) error) *co
 		Use:   "credits [<repository>]",
 		Short: "View credits for a repository",
 		Example: heredoc.Doc(`
-      # view credits for the current repository
-      $ gh repo credits
+			# view credits for the current repository
+			$ gh repo credits
 
-      # view credits for a specific repository
-      $ gh repo credits cool/repo
+			# view credits for a specific repository
+			$ gh repo credits cool/repo
 
-      # print a non-animated thank you
-      $ gh repo credits -s
+			# print a non-animated thank you
+			$ gh repo credits -s
 
-      # pipe to just print the contributors, one per line
-      $ gh repo credits | cat
-    `),
+			# pipe to just print the contributors, one per line
+			$ gh repo credits | cat
+		`),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) > 0 {
diff --git a/pkg/cmd/root/help_topic.go b/pkg/cmd/root/help_topic.go
index 4786a993b0c..3da5bf476e4 100644
--- a/pkg/cmd/root/help_topic.go
+++ b/pkg/cmd/root/help_topic.go
@@ -158,25 +158,25 @@ var HelpTopics = []helpTopic{
 			$ gh pr list --json number,title,author
 			[
 			  {
-				"author": {
-				  "login": "monalisa"
-				},
-				"number": 123,
-				"title": "A helpful contribution"
+			    "author": {
+			      "login": "monalisa"
+			    },
+			    "number": 123,
+			    "title": "A helpful contribution"
 			  },
 			  {
-				"author": {
-				  "login": "codercat"
-				},
-				"number": 124,
-				"title": "Improve the docs"
+			    "author": {
+			      "login": "codercat"
+			    },
+			    "number": 124,
+			    "title": "Improve the docs"
 			  },
 			  {
-				"author": {
-				  "login": "cli-maintainer"
-				},
-				"number": 125,
-				"title": "An exciting new feature"
+			    "author": {
+			      "login": "cli-maintainer"
+			    },
+			    "number": 125,
+			    "title": "An exciting new feature"
 			  }
 			]
 
@@ -193,32 +193,31 @@ var HelpTopics = []helpTopic{
 			  | map(.labels = (.labels | map(.name))) # show only the label names
 			  | .[:3]                                 # select the first 3 results'
 			  [
-				{
-				  "labels": [
-					"enhancement",
-					"needs triage"
-				  ],
-				  "number": 123,
-				  "title": "A helpful contribution"
-				},
-				{
-				  "labels": [
-					"help wanted",
-					"docs",
-					"good first issue"
-				  ],
-				  "number": 125,
-				  "title": "Improve the docs"
-				},
-				{
-				  "labels": [
-					"enhancement",
-				  ],
-				  "number": 7221,
-				  "title": "An exciting new feature"
-				}
+			    {
+			      "labels": [
+			        "enhancement",
+			        "needs triage"
+			      ],
+			      "number": 123,
+			      "title": "A helpful contribution"
+			    },
+			    {
+			      "labels": [
+			        "help wanted",
+			        "docs",
+			        "good first issue"
+			      ],
+			      "number": 125,
+			      "title": "Improve the docs"
+			    },
+			    {
+			      "labels": [
+			        "enhancement",
+			      ],
+			      "number": 7221,
+			      "title": "An exciting new feature"
+			    }
 			  ]
-			  
 			# using the --template flag with the hyperlink helper
 			gh issue list --json title,url --template '{{range .}}{{hyperlink .url .title}}{{"\n"}}{{end}}'
 
diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go
index 993e16e525e..18a10df80b4 100644
--- a/pkg/cmd/run/download/download.go
+++ b/pkg/cmd/run/download/download.go
@@ -51,17 +51,17 @@ func NewCmdDownload(f *cmdutil.Factory, runF func(*DownloadOptions) error) *cobr
 		`),
 		Args: cobra.MaximumNArgs(1),
 		Example: heredoc.Doc(`
-		  # Download all artifacts generated by a workflow run
-		  $ gh run download <run-id>
+			# Download all artifacts generated by a workflow run
+			$ gh run download <run-id>
 
-		  # Download a specific artifact within a run
-		  $ gh run download <run-id> -n <name>
+			# Download a specific artifact within a run
+			$ gh run download <run-id> -n <name>
 
-		  # Download specific artifacts across all runs in a repository
-		  $ gh run download -n <name1> -n <name2>
+			# Download specific artifacts across all runs in a repository
+			$ gh run download -n <name1> -n <name2>
 
-		  # Select artifacts to download interactively
-		  $ gh run download
+			# Select artifacts to download interactively
+			$ gh run download
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if len(args) > 0 {
diff --git a/pkg/cmd/run/list/list.go b/pkg/cmd/run/list/list.go
index 21e6c7fafff..793bfbb856e 100644
--- a/pkg/cmd/run/list/list.go
+++ b/pkg/cmd/run/list/list.go
@@ -58,7 +58,7 @@ func NewCmdList(f *cmdutil.Factory, runF func(*ListOptions) error) *cobra.Comman
 		Use:   "list",
 		Short: "List recent workflow runs",
 		Long: heredoc.Docf(`
-		    List recent workflow runs.
+			List recent workflow runs.
 
 			Note that providing the %[1]sworkflow_name%[1]s to the %[1]s-w%[1]s flag will not fetch disabled workflows.
 			Also pass the %[1]s-a%[1]s flag to fetch disabled workflow runs using the %[1]sworkflow_name%[1]s and the %[1]s-w%[1]s flag.
diff --git a/pkg/cmd/search/commits/commits.go b/pkg/cmd/search/commits/commits.go
index 698e933bbb5..6a9f58b8687 100644
--- a/pkg/cmd/search/commits/commits.go
+++ b/pkg/cmd/search/commits/commits.go
@@ -45,7 +45,7 @@ func NewCmdCommits(f *cmdutil.Factory, runF func(*CommitsOptions) error) *cobra.
 
 			GitHub search syntax is documented at:
 			<https://docs.github.com/search-github/searching-on-github/searching-commits>
-    `),
+		`),
 		Example: heredoc.Doc(`
 			# search commits matching set of keywords "readme" and "typo"
 			$ gh search commits readme typo
@@ -64,7 +64,7 @@ func NewCmdCommits(f *cmdutil.Factory, runF func(*CommitsOptions) error) *cobra.
 
 			# search commits authored before February 1st, 2022
 			$ gh search commits --author-date="<2022-02-01"
-    `),
+		`),
 		RunE: func(c *cobra.Command, args []string) error {
 			if len(args) == 0 && c.Flags().NFlag() == 0 {
 				return cmdutil.FlagErrorf("specify search keywords or flags")
diff --git a/pkg/cmd/search/issues/issues.go b/pkg/cmd/search/issues/issues.go
index ec79097476b..a8be32f71ed 100644
--- a/pkg/cmd/search/issues/issues.go
+++ b/pkg/cmd/search/issues/issues.go
@@ -34,7 +34,7 @@ func NewCmdIssues(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *c
 
 			GitHub search syntax is documented at:
 			<https://docs.github.com/search-github/searching-on-github/searching-issues-and-pull-requests>
-    `),
+		`),
 		Example: heredoc.Doc(`
 			# search issues matching set of keywords "readme" and "typo"
 			$ gh search issues readme typo
@@ -56,8 +56,7 @@ func NewCmdIssues(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *c
 
 			# search issues only from un-archived repositories (default is all repositories)
 			$ gh search issues --owner github --archived=false
-
-    `),
+		`),
 		RunE: func(c *cobra.Command, args []string) error {
 			if len(args) == 0 && c.Flags().NFlag() == 0 {
 				return cmdutil.FlagErrorf("specify search keywords or flags")
diff --git a/pkg/cmd/search/prs/prs.go b/pkg/cmd/search/prs/prs.go
index 5da7b18f723..32565a580e8 100644
--- a/pkg/cmd/search/prs/prs.go
+++ b/pkg/cmd/search/prs/prs.go
@@ -36,7 +36,7 @@ func NewCmdPrs(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *cobr
 
 			GitHub search syntax is documented at:
 			<https://docs.github.com/search-github/searching-on-github/searching-issues-and-pull-requests>
-    `),
+		`),
 		Example: heredoc.Doc(`
 			# search pull requests matching set of keywords "fix" and "bug"
 			$ gh search prs fix bug
@@ -58,7 +58,7 @@ func NewCmdPrs(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *cobr
 
 			# search pull requests only from un-archived repositories (default is all repositories)
 			$ gh search prs --owner github --archived=false
-    `),
+		`),
 		RunE: func(c *cobra.Command, args []string) error {
 			if len(args) == 0 && c.Flags().NFlag() == 0 {
 				return cmdutil.FlagErrorf("specify search keywords or flags")
diff --git a/pkg/cmd/search/repos/repos.go b/pkg/cmd/search/repos/repos.go
index 26bee450eda..88b8db13f64 100644
--- a/pkg/cmd/search/repos/repos.go
+++ b/pkg/cmd/search/repos/repos.go
@@ -46,7 +46,7 @@ func NewCmdRepos(f *cmdutil.Factory, runF func(*ReposOptions) error) *cobra.Comm
 
 			GitHub search syntax is documented at:
 			<https://docs.github.com/search-github/searching-on-github/searching-for-repositories>
-    `),
+		`),
 		Example: heredoc.Doc(`
 			# search repositories matching set of keywords "cli" and "shell"
 			$ gh search repos cli shell
@@ -68,7 +68,7 @@ func NewCmdRepos(f *cmdutil.Factory, runF func(*ReposOptions) error) *cobra.Comm
 
 			# search repositories excluding archived repositories
 			$ gh search repos --archived=false
-    `),
+		`),
 		RunE: func(c *cobra.Command, args []string) error {
 			if len(args) == 0 && c.Flags().NFlag() == 0 {
 				return cmdutil.FlagErrorf("specify search keywords or flags")
diff --git a/pkg/cmd/variable/variable.go b/pkg/cmd/variable/variable.go
index 15ff387444f..920268c41bb 100644
--- a/pkg/cmd/variable/variable.go
+++ b/pkg/cmd/variable/variable.go
@@ -17,7 +17,7 @@ func NewCmdVariable(f *cmdutil.Factory) *cobra.Command {
 		Long: heredoc.Docf(`
 			Variables can be set at the repository, environment or organization level for use in
 			GitHub Actions or Dependabot. Run %[1]sgh help variable set%[1]s to learn how to get started.
-    `, "`"),
+		`, "`"),
 	}
 
 	cmdutil.EnableRepoOverride(cmd, f)
diff --git a/pkg/cmd/workflow/run/run.go b/pkg/cmd/workflow/run/run.go
index 19c650984df..b7ab530985e 100644
--- a/pkg/cmd/workflow/run/run.go
+++ b/pkg/cmd/workflow/run/run.go
@@ -64,7 +64,7 @@ func NewCmdRun(f *cmdutil.Factory, runF func(*RunOptions) error) *cobra.Command
 			- Interactively
 			- Via %[1]s-f/--raw-field%[1]s or %[1]s-F/--field%[1]s flags
 			- As JSON, via standard input
-    `, "`"),
+		`, "`"),
 		Example: heredoc.Doc(`
 			# Have gh prompt you for what workflow you'd like to run and interactively collect inputs
 			$ gh workflow run
diff --git a/pkg/cmd/workflow/view/view.go b/pkg/cmd/workflow/view/view.go
index 28e5617663b..188d79e2222 100644
--- a/pkg/cmd/workflow/view/view.go
+++ b/pkg/cmd/workflow/view/view.go
@@ -56,11 +56,11 @@ func NewCmdView(f *cmdutil.Factory, runF func(*ViewOptions) error) *cobra.Comman
 		Short: "View the summary of a workflow",
 		Args:  cobra.MaximumNArgs(1),
 		Example: heredoc.Doc(`
-		  # Interactively select a workflow to view
-		  $ gh workflow view
+			# Interactively select a workflow to view
+			$ gh workflow view
 
-		  # View a specific workflow
-		  $ gh workflow view 0451
+			# View a specific workflow
+			$ gh workflow view 0451
 		`),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// support `-R, --repo` override
diff --git a/pkg/surveyext/editor.go b/pkg/surveyext/editor.go
index 420ecc4e554..82533f91329 100644
--- a/pkg/surveyext/editor.go
+++ b/pkg/surveyext/editor.go
@@ -46,10 +46,10 @@ var EditorQuestionTemplate = `
 {{- color .Config.Icons.Question.Format }}{{ .Config.Icons.Question.Text }} {{color "reset"}}
 {{- color "default+hb"}}{{ .Message }} {{color "reset"}}
 {{- if .ShowAnswer}}
-  {{- color "cyan"}}{{.Answer}}{{color "reset"}}{{"\n"}}
+	{{- color "cyan"}}{{.Answer}}{{color "reset"}}{{"\n"}}
 {{- else }}
-  {{- if and .Help (not .ShowHelp)}}{{color "cyan"}}[{{ .Config.HelpInput }} for help]{{color "reset"}} {{end}}
-  {{- if and .Default (not .HideDefault)}}{{color "white"}}({{.Default}}) {{color "reset"}}{{end}}
+	{{- if and .Help (not .ShowHelp)}}{{color "cyan"}}[{{ .Config.HelpInput }} for help]{{color "reset"}} {{end}}
+	{{- if and .Default (not .HideDefault)}}{{color "white"}}({{.Default}}) {{color "reset"}}{{end}}
 	{{- color "cyan"}}[(e) to launch {{ .EditorCommand }}{{- if .BlankAllowed }}, enter to skip{{ end }}] {{color "reset"}}
 {{- end}}`
 

From c088951944082eb4c474097edb1861ed07d6c856 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Fri, 2 Aug 2024 15:11:22 -0400
Subject: [PATCH 215/253] Fix host handling in variable and secret delete

This change updates `gh variable delete` and `gh secret delete` to use the host associated with the repository rather than the default host.  Along with these changes is minor refactoring of the tests to ensure appropriate Dotcom vs GHES targeting works as expected.

Minor edit to `gh variable get` testing to simplify some conditional logic in test setup.
---
 pkg/cmd/secret/delete/delete.go        |  17 ++--
 pkg/cmd/secret/delete/delete_test.go   | 127 ++++++++++++++++++-------
 pkg/cmd/variable/delete/delete.go      |  16 ++--
 pkg/cmd/variable/delete/delete_test.go |  60 +++++++++---
 pkg/cmd/variable/get/get_test.go       |  17 ++--
 5 files changed, 166 insertions(+), 71 deletions(-)

diff --git a/pkg/cmd/secret/delete/delete.go b/pkg/cmd/secret/delete/delete.go
index 9a299ce4fa1..564e8633fa8 100644
--- a/pkg/cmd/secret/delete/delete.go
+++ b/pkg/cmd/secret/delete/delete.go
@@ -105,25 +105,28 @@ func removeRun(opts *DeleteOptions) error {
 		}
 	}
 
+	cfg, err := opts.Config()
+	if err != nil {
+		return err
+	}
+
 	var path string
+	var host string
 	switch secretEntity {
 	case shared.Organization:
 		path = fmt.Sprintf("orgs/%s/%s/secrets/%s", orgName, secretApp, opts.SecretName)
+		host, _ = cfg.Authentication().DefaultHost()
 	case shared.Environment:
 		path = fmt.Sprintf("repos/%s/environments/%s/secrets/%s", ghrepo.FullName(baseRepo), envName, opts.SecretName)
+		host = baseRepo.RepoHost()
 	case shared.User:
 		path = fmt.Sprintf("user/codespaces/secrets/%s", opts.SecretName)
+		host, _ = cfg.Authentication().DefaultHost()
 	case shared.Repository:
 		path = fmt.Sprintf("repos/%s/%s/secrets/%s", ghrepo.FullName(baseRepo), secretApp, opts.SecretName)
+		host = baseRepo.RepoHost()
 	}
 
-	cfg, err := opts.Config()
-	if err != nil {
-		return err
-	}
-
-	host, _ := cfg.Authentication().DefaultHost()
-
 	err = client.REST(host, "DELETE", path, nil, nil)
 	if err != nil {
 		return fmt.Errorf("failed to delete secret %s: %w", opts.SecretName, err)
diff --git a/pkg/cmd/secret/delete/delete_test.go b/pkg/cmd/secret/delete/delete_test.go
index 9d2c078c7c3..bd5053f4d59 100644
--- a/pkg/cmd/secret/delete/delete_test.go
+++ b/pkg/cmd/secret/delete/delete_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewCmdDelete(t *testing.T) {
@@ -121,9 +122,10 @@ func TestNewCmdDelete(t *testing.T) {
 
 func Test_removeRun_repo(t *testing.T) {
 	tests := []struct {
-		name     string
-		opts     *DeleteOptions
-		wantPath string
+		name      string
+		opts      *DeleteOptions
+		host      string
+		httpStubs func(*httpmock.Registry)
 	}{
 		{
 			name: "Actions",
@@ -131,7 +133,21 @@ func Test_removeRun_repo(t *testing.T) {
 				Application: "actions",
 				SecretName:  "cool_secret",
 			},
-			wantPath: "repos/owner/repo/actions/secrets/cool_secret",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/actions/secrets/cool_secret"), "api.github.com"), httpmock.StatusStringResponse(204, "No Content"))
+			},
+		},
+		{
+			name: "Actions GHES",
+			opts: &DeleteOptions{
+				Application: "actions",
+				SecretName:  "cool_secret",
+			},
+			host: "example.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "api/v3/repos/owner/repo/actions/secrets/cool_secret"), "example.com"), httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 		{
 			name: "Dependabot",
@@ -139,23 +155,38 @@ func Test_removeRun_repo(t *testing.T) {
 				Application: "dependabot",
 				SecretName:  "cool_dependabot_secret",
 			},
-			wantPath: "repos/owner/repo/dependabot/secrets/cool_dependabot_secret",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/dependabot/secrets/cool_dependabot_secret"), "api.github.com"), httpmock.StatusStringResponse(204, "No Content"))
+			},
+		},
+		{
+			name: "Dependabot GHES",
+			opts: &DeleteOptions{
+				Application: "dependabot",
+				SecretName:  "cool_dependabot_secret",
+			},
+			host: "example.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "api/v3/repos/owner/repo/dependabot/secrets/cool_dependabot_secret"), "example.com"), httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 		{
 			name: "defaults to Actions",
 			opts: &DeleteOptions{
 				SecretName: "cool_secret",
 			},
-			wantPath: "repos/owner/repo/actions/secrets/cool_secret",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/actions/secrets/cool_secret"), "api.github.com"), httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 	}
 
 	for _, tt := range tests {
 		reg := &httpmock.Registry{}
-
-		reg.Register(
-			httpmock.REST("DELETE", tt.wantPath),
-			httpmock.StatusStringResponse(204, "No Content"))
+		tt.httpStubs(reg)
+		defer reg.Verify(t)
 
 		ios, _, _, _ := iostreams.Test()
 
@@ -167,44 +198,70 @@ func Test_removeRun_repo(t *testing.T) {
 			return config.NewBlankConfig(), nil
 		}
 		tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
-			return ghrepo.FromFullName("owner/repo")
+			return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
 		}
 
 		err := removeRun(tt.opts)
 		assert.NoError(t, err)
-
-		reg.Verify(t)
 	}
 }
 
 func Test_removeRun_env(t *testing.T) {
-	reg := &httpmock.Registry{}
-
-	reg.Register(
-		httpmock.REST("DELETE", "repos/owner/repo/environments/development/secrets/cool_secret"),
-		httpmock.StatusStringResponse(204, "No Content"))
-
-	ios, _, _, _ := iostreams.Test()
-
-	opts := &DeleteOptions{
-		IO: ios,
-		HttpClient: func() (*http.Client, error) {
-			return &http.Client{Transport: reg}, nil
-		},
-		Config: func() (gh.Config, error) {
-			return config.NewBlankConfig(), nil
+	tests := []struct {
+		name      string
+		opts      *DeleteOptions
+		host      string
+		httpStubs func(*httpmock.Registry)
+	}{
+		{
+			name: "delete environment secret",
+			opts: &DeleteOptions{
+				SecretName: "cool_secret",
+				EnvName:    "development",
+			},
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/environments/development/secrets/cool_secret"), "api.github.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
-		BaseRepo: func() (ghrepo.Interface, error) {
-			return ghrepo.FromFullName("owner/repo")
+		{
+			name: "delete environment secret GHES",
+			opts: &DeleteOptions{
+				SecretName: "cool_secret",
+				EnvName:    "development",
+			},
+			host: "example.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "api/v3/repos/owner/repo/environments/development/secrets/cool_secret"), "example.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
-		SecretName: "cool_secret",
-		EnvName:    "development",
 	}
 
-	err := removeRun(opts)
-	assert.NoError(t, err)
+	for _, tt := range tests {
+		reg := &httpmock.Registry{}
+		tt.httpStubs(reg)
+		defer reg.Verify(t)
 
-	reg.Verify(t)
+		ios, _, _, _ := iostreams.Test()
+		tt.opts.IO = ios
+		tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
+			if tt.host != "" {
+				return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
+			}
+			return ghrepo.FromFullName("owner/repo")
+		}
+		tt.opts.HttpClient = func() (*http.Client, error) {
+			return &http.Client{Transport: reg}, nil
+		}
+		tt.opts.Config = func() (gh.Config, error) {
+			return config.NewBlankConfig(), nil
+		}
+
+		err := removeRun(tt.opts)
+		require.NoError(t, err)
+	}
 }
 
 func Test_removeRun_org(t *testing.T) {
diff --git a/pkg/cmd/variable/delete/delete.go b/pkg/cmd/variable/delete/delete.go
index 3617f318802..d5132016751 100644
--- a/pkg/cmd/variable/delete/delete.go
+++ b/pkg/cmd/variable/delete/delete.go
@@ -91,23 +91,25 @@ func removeRun(opts *DeleteOptions) error {
 		}
 	}
 
+	cfg, err := opts.Config()
+	if err != nil {
+		return err
+	}
+
 	var path string
+	var host string
 	switch variableEntity {
 	case shared.Organization:
 		path = fmt.Sprintf("orgs/%s/actions/variables/%s", orgName, opts.VariableName)
+		host, _ = cfg.Authentication().DefaultHost()
 	case shared.Environment:
 		path = fmt.Sprintf("repos/%s/environments/%s/variables/%s", ghrepo.FullName(baseRepo), envName, opts.VariableName)
+		host = baseRepo.RepoHost()
 	case shared.Repository:
 		path = fmt.Sprintf("repos/%s/actions/variables/%s", ghrepo.FullName(baseRepo), opts.VariableName)
+		host = baseRepo.RepoHost()
 	}
 
-	cfg, err := opts.Config()
-	if err != nil {
-		return err
-	}
-
-	host, _ := cfg.Authentication().DefaultHost()
-
 	err = client.REST(host, "DELETE", path, nil, nil)
 	if err != nil {
 		return fmt.Errorf("failed to delete variable %s: %w", opts.VariableName, err)
diff --git a/pkg/cmd/variable/delete/delete_test.go b/pkg/cmd/variable/delete/delete_test.go
index e659f96a6c9..d00bef8fb73 100644
--- a/pkg/cmd/variable/delete/delete_test.go
+++ b/pkg/cmd/variable/delete/delete_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/cli/cli/v2/pkg/iostreams"
 	"github.com/google/shlex"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNewCmdDelete(t *testing.T) {
@@ -87,16 +88,32 @@ func TestNewCmdDelete(t *testing.T) {
 
 func TestRemoveRun(t *testing.T) {
 	tests := []struct {
-		name     string
-		opts     *DeleteOptions
-		wantPath string
+		name      string
+		opts      *DeleteOptions
+		host      string
+		httpStubs func(*httpmock.Registry)
 	}{
 		{
 			name: "repo",
 			opts: &DeleteOptions{
 				VariableName: "cool_variable",
 			},
-			wantPath: "repos/owner/repo/actions/variables/cool_variable",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/actions/variables/cool_variable"), "api.github.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
+		},
+		{
+			name: "repo GHES",
+			opts: &DeleteOptions{
+				VariableName: "cool_variable",
+			},
+			host: "example.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "api/v3/repos/owner/repo/actions/variables/cool_variable"), "example.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 		{
 			name: "env",
@@ -104,7 +121,23 @@ func TestRemoveRun(t *testing.T) {
 				VariableName: "cool_variable",
 				EnvName:      "development",
 			},
-			wantPath: "repos/owner/repo/environments/development/variables/cool_variable",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "repos/owner/repo/environments/development/variables/cool_variable"), "api.github.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
+		},
+		{
+			name: "env GHES",
+			opts: &DeleteOptions{
+				VariableName: "cool_variable",
+				EnvName:      "development",
+			},
+			host: "example.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "api/v3/repos/owner/repo/environments/development/variables/cool_variable"), "example.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 		{
 			name: "org",
@@ -112,35 +145,34 @@ func TestRemoveRun(t *testing.T) {
 				VariableName: "cool_variable",
 				OrgName:      "UmbrellaCorporation",
 			},
-			wantPath: "orgs/UmbrellaCorporation/actions/variables/cool_variable",
+			host: "github.com",
+			httpStubs: func(reg *httpmock.Registry) {
+				reg.Register(httpmock.WithHost(httpmock.REST("DELETE", "orgs/UmbrellaCorporation/actions/variables/cool_variable"), "api.github.com"),
+					httpmock.StatusStringResponse(204, "No Content"))
+			},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			reg := &httpmock.Registry{}
+			tt.httpStubs(reg)
 			defer reg.Verify(t)
 
-			reg.Register(httpmock.REST("DELETE", tt.wantPath),
-				httpmock.StatusStringResponse(204, "No Content"))
-
 			ios, _, _, _ := iostreams.Test()
 			tt.opts.IO = ios
-
 			tt.opts.HttpClient = func() (*http.Client, error) {
 				return &http.Client{Transport: reg}, nil
 			}
-
 			tt.opts.Config = func() (gh.Config, error) {
 				return config.NewBlankConfig(), nil
 			}
-
 			tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
-				return ghrepo.FromFullName("owner/repo")
+				return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
 			}
 
 			err := removeRun(tt.opts)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 		})
 	}
 }
diff --git a/pkg/cmd/variable/get/get_test.go b/pkg/cmd/variable/get/get_test.go
index e85910152b7..82b602c9e30 100644
--- a/pkg/cmd/variable/get/get_test.go
+++ b/pkg/cmd/variable/get/get_test.go
@@ -135,9 +135,9 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
-			host: "ghe.io",
+			host: "example.com",
 			httpStubs: func(reg *httpmock.Registry) {
-				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/actions/variables/VARIABLE_ONE"), "ghe.io"),
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/actions/variables/VARIABLE_ONE"), "example.com"),
 					httpmock.JSONResponse(shared.Variable{
 						Value: "repo_var",
 					}))
@@ -150,6 +150,7 @@ func Test_getRun(t *testing.T) {
 				OrgName:      "TestOrg",
 				VariableName: "VARIABLE_ONE",
 			},
+			host: "github.com",
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "orgs/TestOrg/actions/variables/VARIABLE_ONE"),
 					httpmock.JSONResponse(shared.Variable{
@@ -179,9 +180,9 @@ func Test_getRun(t *testing.T) {
 				EnvName:      "Development",
 				VariableName: "VARIABLE_ONE",
 			},
-			host: "ghe.io",
+			host: "example.com",
 			httpStubs: func(reg *httpmock.Registry) {
-				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/environments/Development/variables/VARIABLE_ONE"), "ghe.io"),
+				reg.Register(httpmock.WithHost(httpmock.REST("GET", "api/v3/repos/owner/repo/environments/Development/variables/VARIABLE_ONE"), "example.com"),
 					httpmock.JSONResponse(shared.Variable{
 						Value: "env_var",
 					}))
@@ -193,6 +194,7 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
+			host:       "github.com",
 			jsonFields: []string{"name", "value", "visibility", "updatedAt", "createdAt", "numSelectedRepos", "selectedReposURL"},
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
@@ -225,6 +227,7 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
+			host: "github.com",
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
 					httpmock.StatusStringResponse(404, "not found"),
@@ -237,6 +240,7 @@ func Test_getRun(t *testing.T) {
 			opts: &GetOptions{
 				VariableName: "VARIABLE_ONE",
 			},
+			host: "github.com",
 			httpStubs: func(reg *httpmock.Registry) {
 				reg.Register(httpmock.REST("GET", "repos/owner/repo/actions/variables/VARIABLE_ONE"),
 					httpmock.StatusStringResponse(400, "not found"),
@@ -258,10 +262,7 @@ func Test_getRun(t *testing.T) {
 
 				tt.opts.IO = ios
 				tt.opts.BaseRepo = func() (ghrepo.Interface, error) {
-					if tt.host != "" {
-						return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
-					}
-					return ghrepo.FromFullName("owner/repo")
+					return ghrepo.FromFullNameWithHost("owner/repo", tt.host)
 				}
 				tt.opts.HttpClient = func() (*http.Client, error) {
 					return &http.Client{Transport: reg}, nil

From 8356df0188597c9fbfc692e70e79615c596cb102 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 7 Aug 2024 14:25:20 +0000
Subject: [PATCH 216/253] build(deps): bump
 github.com/google/go-containerregistry

Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.1 to 0.20.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.20.1...v0.20.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod |  5 ++---
 go.sum | 10 ++++------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/go.mod b/go.mod
index a607e4adf16..96935c68e0f 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.5
 	github.com/gdamore/tcell/v2 v2.5.4
 	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.20.1
+	github.com/google/go-containerregistry v0.20.2
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/go-multierror v1.1.1
@@ -70,9 +70,8 @@ require (
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
 	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v24.0.9+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
diff --git a/go.sum b/go.sum
index ffb608ffb57..11eeb541122 100644
--- a/go.sum
+++ b/go.sum
@@ -131,12 +131,10 @@ github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E=
 github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM=
-github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE=
+github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.9+incompatible h1:HPGzNmwfLZWdxHqK9/II92pyi1EpYKsAqcl4G0Of9v0=
-github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
@@ -201,8 +199,8 @@ github.com/google/certificate-transparency-go v1.2.1 h1:4iW/NwzqOqYEEoCBEFP+jPbB
 github.com/google/certificate-transparency-go v1.2.1/go.mod h1:bvn/ytAccv+I6+DGkqpvSsEdiVGramgaSC6RD3tEmeE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.20.1 h1:eTgx9QNYugV4DN5mz4U8hiAGTi1ybXn0TPi4Smd8du0=
-github.com/google/go-containerregistry v0.20.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-containerregistry v0.20.2 h1:B1wPJ1SN/S7pB+ZAimcciVD+r+yV/l/DSArMxlbwseo=
+github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEvalZBqs6AoLeWfUy34nQC8=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=

From e2275d7ef62c13fe63c80dd204e2a64417be2d8c Mon Sep 17 00:00:00 2001
From: benebsiny <stu995106@hotmail.com.tw>
Date: Wed, 7 Aug 2024 23:14:15 +0800
Subject: [PATCH 217/253] Add `pr create --editor`

---
 pkg/cmd/pr/create/create.go      | 178 ++++++++++++++++++++-----------
 pkg/cmd/pr/create/create_test.go |  92 ++++++++++++++++
 2 files changed, 207 insertions(+), 63 deletions(-)

diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index 23f30206929..acdc0ee82b7 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -30,15 +30,16 @@ import (
 
 type CreateOptions struct {
 	// This struct stores user input and factory functions
-	HttpClient func() (*http.Client, error)
-	GitClient  *git.Client
-	Config     func() (gh.Config, error)
-	IO         *iostreams.IOStreams
-	Remotes    func() (ghContext.Remotes, error)
-	Branch     func() (string, error)
-	Browser    browser.Browser
-	Prompter   shared.Prompt
-	Finder     shared.PRFinder
+	HttpClient       func() (*http.Client, error)
+	GitClient        *git.Client
+	Config           func() (gh.Config, error)
+	IO               *iostreams.IOStreams
+	Remotes          func() (ghContext.Remotes, error)
+	Branch           func() (string, error)
+	Browser          browser.Browser
+	Prompter         shared.Prompt
+	Finder           shared.PRFinder
+	TitledEditSurvey func(string, string) (string, string, error)
 
 	TitleProvided bool
 	BodyProvided  bool
@@ -49,6 +50,7 @@ type CreateOptions struct {
 	Autofill    bool
 	FillVerbose bool
 	FillFirst   bool
+	EditorMode  bool
 	WebMode     bool
 	RecoverFile string
 
@@ -88,14 +90,15 @@ type CreateContext struct {
 
 func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Command {
 	opts := &CreateOptions{
-		IO:         f.IOStreams,
-		HttpClient: f.HttpClient,
-		GitClient:  f.GitClient,
-		Config:     f.Config,
-		Remotes:    f.Remotes,
-		Branch:     f.Branch,
-		Browser:    f.Browser,
-		Prompter:   f.Prompter,
+		IO:               f.IOStreams,
+		HttpClient:       f.HttpClient,
+		GitClient:        f.GitClient,
+		Config:           f.Config,
+		Remotes:          f.Remotes,
+		Branch:           f.Branch,
+		Browser:          f.Browser,
+		Prompter:         f.Prompter,
+		TitledEditSurvey: shared.TitledEditSurvey(&shared.UserEditor{Config: f.Config, IO: f.IOStreams}),
 	}
 
 	var bodyFile string
@@ -177,6 +180,20 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return cmdutil.FlagErrorf("`--fill-verbose` is not supported with `--fill`")
 			}
 
+			if err := cmdutil.MutuallyExclusive(
+				"specify only one of `--editor` or `--web`",
+				opts.EditorMode,
+				opts.WebMode,
+			); err != nil {
+				return err
+			}
+
+			config, err := f.Config()
+			if err != nil {
+				return err
+			}
+			opts.EditorMode = !opts.WebMode && (opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled")
+
 			opts.BodyProvided = cmd.Flags().Changed("body")
 			if bodyFile != "" {
 				b, err := cmdutil.ReadFile(bodyFile, opts.IO.In)
@@ -195,6 +212,10 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` (or `--fill` or `fill-first` or `--fillverbose`) when not running interactively")
 			}
 
+			if opts.EditorMode && !opts.IO.CanPrompt() {
+				return errors.New("--editor or enabled prefer_editor_prompt configuration are not supported in non-tty mode")
+			}
+
 			if opts.DryRun && opts.WebMode {
 				return cmdutil.FlagErrorf("`--dry-run` is not supported when using `--web`")
 			}
@@ -213,6 +234,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	fl.StringVarP(&bodyFile, "body-file", "F", "", "Read body text from `file` (use \"-\" to read from standard input)")
 	fl.StringVarP(&opts.BaseBranch, "base", "B", "", "The `branch` into which you want your code merged")
 	fl.StringVarP(&opts.HeadBranch, "head", "H", "", "The `branch` that contains commits for your pull request (default [current branch])")
+	fl.BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the rest text is the body.")
 	fl.BoolVarP(&opts.WebMode, "web", "w", false, "Open the web browser to create a pull request")
 	fl.BoolVarP(&opts.FillVerbose, "fill-verbose", "", false, "Use commits msg+body for description")
 	fl.BoolVarP(&opts.Autofill, "fill", "f", false, "Use commit info for title and body")
@@ -315,7 +337,7 @@ func createRun(opts *CreateOptions) (err error) {
 			ghrepo.FullName(ctx.BaseRepo))
 	}
 
-	if opts.FillVerbose || opts.Autofill || opts.FillFirst || (opts.TitleProvided && opts.BodyProvided) {
+	if !opts.EditorMode && (opts.FillVerbose || opts.Autofill || opts.FillFirst || (opts.TitleProvided && opts.BodyProvided)) {
 		err = handlePush(*opts, *ctx)
 		if err != nil {
 			return
@@ -330,71 +352,101 @@ func createRun(opts *CreateOptions) (err error) {
 		}
 	}
 
-	if !opts.TitleProvided {
-		err = shared.TitleSurvey(opts.Prompter, state)
-		if err != nil {
-			return
-		}
+	action := shared.SubmitAction
+	if opts.IsDraft {
+		action = shared.SubmitDraftAction
 	}
 
-	defer shared.PreserveInput(opts.IO, state, &err)()
+	tpl := shared.NewTemplateManager(client.HTTP(), ctx.BaseRepo, opts.Prompter, opts.RootDirOverride, opts.RepoOverride == "", true)
 
-	if !opts.BodyProvided {
-		templateContent := ""
-		if opts.RecoverFile == "" {
-			tpl := shared.NewTemplateManager(client.HTTP(), ctx.BaseRepo, opts.Prompter, opts.RootDirOverride, opts.RepoOverride == "", true)
+	if opts.EditorMode {
+		if opts.Template != "" {
 			var template shared.Template
-
-			if opts.Template != "" {
-				template, err = tpl.Select(opts.Template)
-				if err != nil {
-					return
-				}
-			} else {
-				template, err = tpl.Choose()
-				if err != nil {
-					return
-				}
+			template, err = tpl.Select(opts.Template)
+			if err != nil {
+				return
 			}
-
-			if template != nil {
-				templateContent = string(template.Body())
+			if state.Title == "" {
+				state.Title = template.Title()
 			}
+			state.Body = string(template.Body())
 		}
 
-		err = shared.BodySurvey(opts.Prompter, state, templateContent)
+		state.Title, state.Body, err = opts.TitledEditSurvey(state.Title, state.Body)
 		if err != nil {
 			return
 		}
-	}
+		if state.Title == "" {
+			err = fmt.Errorf("title can't be blank")
+			return
+		}
+	} else {
 
-	openURL, err = generateCompareURL(*ctx, *state)
-	if err != nil {
-		return
-	}
+		if !opts.TitleProvided {
+			err = shared.TitleSurvey(opts.Prompter, state)
+			if err != nil {
+				return
+			}
+		}
 
-	allowPreview := !state.HasMetadata() && shared.ValidURL(openURL) && !opts.DryRun
-	allowMetadata := ctx.BaseRepo.ViewerCanTriage()
-	action, err := shared.ConfirmPRSubmission(opts.Prompter, allowPreview, allowMetadata, state.Draft)
-	if err != nil {
-		return fmt.Errorf("unable to confirm: %w", err)
-	}
+		defer shared.PreserveInput(opts.IO, state, &err)()
+
+		if !opts.BodyProvided {
+			templateContent := ""
+			if opts.RecoverFile == "" {
+				var template shared.Template
+
+				if opts.Template != "" {
+					template, err = tpl.Select(opts.Template)
+					if err != nil {
+						return
+					}
+				} else {
+					template, err = tpl.Choose()
+					if err != nil {
+						return
+					}
+				}
+
+				if template != nil {
+					templateContent = string(template.Body())
+				}
+			}
 
-	if action == shared.MetadataAction {
-		fetcher := &shared.MetadataFetcher{
-			IO:        opts.IO,
-			APIClient: client,
-			Repo:      ctx.BaseRepo,
-			State:     state,
+			err = shared.BodySurvey(opts.Prompter, state, templateContent)
+			if err != nil {
+				return
+			}
 		}
-		err = shared.MetadataSurvey(opts.Prompter, opts.IO, ctx.BaseRepo, fetcher, state)
+
+		openURL, err = generateCompareURL(*ctx, *state)
 		if err != nil {
 			return
 		}
 
-		action, err = shared.ConfirmPRSubmission(opts.Prompter, !state.HasMetadata() && !opts.DryRun, false, state.Draft)
+		allowPreview := !state.HasMetadata() && shared.ValidURL(openURL) && !opts.DryRun
+		allowMetadata := ctx.BaseRepo.ViewerCanTriage()
+		action, err = shared.ConfirmPRSubmission(opts.Prompter, allowPreview, allowMetadata, state.Draft)
 		if err != nil {
-			return
+			return fmt.Errorf("unable to confirm: %w", err)
+		}
+
+		if action == shared.MetadataAction {
+			fetcher := &shared.MetadataFetcher{
+				IO:        opts.IO,
+				APIClient: client,
+				Repo:      ctx.BaseRepo,
+				State:     state,
+			}
+			err = shared.MetadataSurvey(opts.Prompter, opts.IO, ctx.BaseRepo, fetcher, state)
+			if err != nil {
+				return
+			}
+
+			action, err = shared.ConfirmPRSubmission(opts.Prompter, !state.HasMetadata() && !opts.DryRun, false, state.Draft)
+			if err != nil {
+				return
+			}
 		}
 	}
 
diff --git a/pkg/cmd/pr/create/create_test.go b/pkg/cmd/pr/create/create_test.go
index 3b64688c34d..e0347945c38 100644
--- a/pkg/cmd/pr/create/create_test.go
+++ b/pkg/cmd/pr/create/create_test.go
@@ -40,6 +40,7 @@ func TestNewCmdCreate(t *testing.T) {
 		tty       bool
 		stdin     string
 		cli       string
+		config    string
 		wantsErr  bool
 		wantsOpts CreateOptions
 	}{
@@ -202,6 +203,64 @@ func TestNewCmdCreate(t *testing.T) {
 			cli:      "--web --dry-run",
 			wantsErr: true,
 		},
+		{
+			name:     "editor by cli",
+			tty:      true,
+			cli:      "--editor",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:               "",
+				Body:                "",
+				RecoverFile:         "",
+				WebMode:             false,
+				EditorMode:          true,
+				MaintainerCanModify: true,
+			},
+		},
+		{
+			name:     "editor by config",
+			tty:      true,
+			cli:      "",
+			config:   "prefer_editor_prompt: enabled",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:               "",
+				Body:                "",
+				RecoverFile:         "",
+				WebMode:             false,
+				EditorMode:          true,
+				MaintainerCanModify: true,
+			},
+		},
+		{
+			name:     "editor and web",
+			tty:      true,
+			cli:      "--editor --web",
+			wantsErr: true,
+		},
+		{
+			name:     "can use web even though editor is enabled by config",
+			tty:      true,
+			cli:      `--web --title mytitle --body "issue body"`,
+			config:   "prefer_editor_prompt: enabled",
+			wantsErr: false,
+			wantsOpts: CreateOptions{
+				Title:               "mytitle",
+				Body:                "issue body",
+				TitleProvided:       true,
+				BodyProvided:        true,
+				RecoverFile:         "",
+				WebMode:             true,
+				EditorMode:          false,
+				MaintainerCanModify: true,
+			},
+		},
+		{
+			name:     "editor with non-tty",
+			tty:      false,
+			cli:      "--editor",
+			wantsErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -215,6 +274,12 @@ func TestNewCmdCreate(t *testing.T) {
 
 			f := &cmdutil.Factory{
 				IOStreams: ios,
+				Config: func() (gh.Config, error) {
+					if tt.config != "" {
+						return config.NewFromString(tt.config), nil
+					}
+					return config.NewBlankConfig(), nil
+				},
 			}
 
 			var opts *CreateOptions
@@ -1372,6 +1437,33 @@ func Test_createRun(t *testing.T) {
 			expectedOut:    "https://github.com/OWNER/REPO/pull/12\n",
 			expectedErrOut: "\nCreating pull request for feature into master in OWNER/REPO\n\n",
 		},
+		{
+			name: "editor",
+			httpStubs: func(r *httpmock.Registry, t *testing.T) {
+				r.Register(
+					httpmock.GraphQL(`mutation PullRequestCreate\b`),
+					httpmock.GraphQLMutation(`
+						{
+						"data": { "createPullRequest": { "pullRequest": {
+							"URL": "https://github.com/OWNER/REPO/pull/12"
+							} } }
+						}
+				`, func(inputs map[string]interface{}) {
+						assert.Equal(t, "title", inputs["title"])
+						assert.Equal(t, "body", inputs["body"])
+					}))
+			},
+			setup: func(opts *CreateOptions, t *testing.T) func() {
+				opts.EditorMode = true
+				opts.HeadBranch = "feature"
+				opts.TitledEditSurvey = func(string, string) (string, string, error) { return "title", "body", nil }
+				return func() {}
+			},
+			cmdStubs: func(cs *run.CommandStubber) {
+				cs.Register("git -c log.ShowSignature=false log --pretty=format:%H%x00%s%x00%b%x00 --cherry origin/master...feature", 0, "")
+			},
+			expectedOut: "https://github.com/OWNER/REPO/pull/12\n",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From c5ea30da4789facca19aaeff6efb2acceb88a57b Mon Sep 17 00:00:00 2001
From: Tyler McGoffin <jtmcg@github.com>
Date: Wed, 7 Aug 2024 10:57:02 -0700
Subject: [PATCH 218/253] Add Acceptance Criteria requirement to triage.md for
 accepted issues

To better facilitate community collaboration and to help reduce the amount
of information any collaborator needs to peruse in a given issue,
clear Acceptance Criteria on accepted issues should be included. This will
reduce the amount of back and forth on PRs submitted by ensuring
expectations for a given issue are clear
---
 docs/triage.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/triage.md b/docs/triage.md
index ae9b0c15c89..327756c8b31 100644
--- a/docs/triage.md
+++ b/docs/triage.md
@@ -8,6 +8,8 @@ triage role. The initial expectation is that the person in the role for the week
 
 Review and label [open issues missing either the `enhancement`, `bug`, or `docs` label](https://github.com/cli/cli/issues?q=is%3Aopen+is%3Aissue+-label%3Abug%2Cenhancement%2Cdocs+).
 
+Any issue that is accepted to be done as either an `enhancement`, `bug`, or `docs` requires explicit Acceptance Criteria in a comment on the issue before it is triaged.
+
 To be considered triaged, `enhancement` issues require at least one of the following additional labels:
 
 - `core`: reserved for the core CLI team

From fa06623f9b428f29aeba54c5f45c005e78334b5a Mon Sep 17 00:00:00 2001
From: Tyler McGoffin <jtmcg@github.com>
Date: Wed, 7 Aug 2024 11:46:22 -0700
Subject: [PATCH 219/253] Update docs/triage.md

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 docs/triage.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/triage.md b/docs/triage.md
index 327756c8b31..d78a81aed5c 100644
--- a/docs/triage.md
+++ b/docs/triage.md
@@ -8,7 +8,7 @@ triage role. The initial expectation is that the person in the role for the week
 
 Review and label [open issues missing either the `enhancement`, `bug`, or `docs` label](https://github.com/cli/cli/issues?q=is%3Aopen+is%3Aissue+-label%3Abug%2Cenhancement%2Cdocs+).
 
-Any issue that is accepted to be done as either an `enhancement`, `bug`, or `docs` requires explicit Acceptance Criteria in a comment on the issue before it is triaged.
+Any issue that is accepted to be done as either an `enhancement`, `bug`, or `docs` requires explicit Acceptance Criteria in a comment on the issue before `needs-triage` label is removed.
 
 To be considered triaged, `enhancement` issues require at least one of the following additional labels:
 

From e18c00228314340509ec0c56f15a992a2950ba09 Mon Sep 17 00:00:00 2001
From: benebsiny <stu995106@hotmail.com.tw>
Date: Thu, 8 Aug 2024 18:07:52 +0800
Subject: [PATCH 220/253] Deduplicate the initialization of editor mode

---
 pkg/cmd/issue/create/create.go | 15 ++-------------
 pkg/cmd/pr/create/create.go    |  8 ++------
 pkg/cmd/pr/shared/survey.go    | 24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 33b5830122b..1af25180f82 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -81,19 +81,11 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			opts.BaseRepo = f.BaseRepo
 			opts.HasRepoOverride = cmd.Flags().Changed("repo")
 
-			if err := cmdutil.MutuallyExclusive(
-				"specify only one of `--editor` or `--web`",
-				opts.EditorMode,
-				opts.WebMode,
-			); err != nil {
-				return err
-			}
-
-			config, err := f.Config()
+			var err error
+			opts.EditorMode, err = prShared.InitEditorMode(f, opts.EditorMode, opts.WebMode, opts.IO.CanPrompt())
 			if err != nil {
 				return err
 			}
-			opts.EditorMode = !opts.WebMode && (opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled")
 
 			titleProvided := cmd.Flags().Changed("title")
 			bodyProvided := cmd.Flags().Changed("body")
@@ -119,9 +111,6 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 			if opts.Interactive && !opts.IO.CanPrompt() {
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` when not running interactively")
 			}
-			if opts.EditorMode && !opts.IO.CanPrompt() {
-				return errors.New("--editor or enabled prefer_editor_prompt configuration are not supported in non-tty mode")
-			}
 
 			if runF != nil {
 				return runF(opts)
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index acdc0ee82b7..d854002022a 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -188,11 +188,11 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return err
 			}
 
-			config, err := f.Config()
+			var err error
+			opts.EditorMode, err = shared.InitEditorMode(f, opts.EditorMode, opts.WebMode, opts.IO.CanPrompt())
 			if err != nil {
 				return err
 			}
-			opts.EditorMode = !opts.WebMode && (opts.EditorMode || config.PreferEditorPrompt("").Value == "enabled")
 
 			opts.BodyProvided = cmd.Flags().Changed("body")
 			if bodyFile != "" {
@@ -212,10 +212,6 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 				return cmdutil.FlagErrorf("must provide `--title` and `--body` (or `--fill` or `fill-first` or `--fillverbose`) when not running interactively")
 			}
 
-			if opts.EditorMode && !opts.IO.CanPrompt() {
-				return errors.New("--editor or enabled prefer_editor_prompt configuration are not supported in non-tty mode")
-			}
-
 			if opts.DryRun && opts.WebMode {
 				return cmdutil.FlagErrorf("`--dry-run` is not supported when using `--web`")
 			}
diff --git a/pkg/cmd/pr/shared/survey.go b/pkg/cmd/pr/shared/survey.go
index 5f4bf7dd9f6..5b8bde0ebd0 100644
--- a/pkg/cmd/pr/shared/survey.go
+++ b/pkg/cmd/pr/shared/survey.go
@@ -1,6 +1,7 @@
 package shared
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
@@ -357,3 +358,26 @@ func TitledEditSurvey(editor Editor) func(string, string) (string, string, error
 		return title, strings.TrimSuffix(body, "\n"), nil
 	}
 }
+
+func InitEditorMode(f *cmdutil.Factory, editorMode bool, webMode bool, canPrompt bool) (bool, error) {
+	if err := cmdutil.MutuallyExclusive(
+		"specify only one of `--editor` or `--web`",
+		editorMode,
+		webMode,
+	); err != nil {
+		return false, err
+	}
+
+	config, err := f.Config()
+	if err != nil {
+		return false, err
+	}
+
+	editorMode = !webMode && (editorMode || config.PreferEditorPrompt("").Value == "enabled")
+
+	if editorMode && !canPrompt {
+		return false, errors.New("--editor or enabled prefer_editor_prompt configuration are not supported in non-tty mode")
+	}
+
+	return editorMode, nil
+}

From 330a385f9e060824e63ad886bd3a97140217e6e6 Mon Sep 17 00:00:00 2001
From: Junichi Sato <22004610+sato11@users.noreply.github.com>
Date: Thu, 8 Aug 2024 19:28:03 +0900
Subject: [PATCH 221/253] Document that `gh run download` downloads the latest
 artifact by default

This commit addresses the documentation issue.

The discussion at #7018 has confirmed that it is undocumented that
the current behavior of `gh run download` with `-n` and no `run-id`
downloads the latest artifact.

Although the behavior has not been created intentionally, it is the one
that should be documented and the future releases should warn before
a breaking change.
---
 pkg/cmd/run/download/download.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/run/download/download.go b/pkg/cmd/run/download/download.go
index 18a10df80b4..99ec45bbeec 100644
--- a/pkg/cmd/run/download/download.go
+++ b/pkg/cmd/run/download/download.go
@@ -42,13 +42,17 @@ func NewCmdDownload(f *cmdutil.Factory, runF func(*DownloadOptions) error) *cobr
 	cmd := &cobra.Command{
 		Use:   "download [<run-id>]",
 		Short: "Download artifacts generated by a workflow run",
-		Long: heredoc.Doc(`
+		Long: heredoc.Docf(`
 			Download artifacts generated by a GitHub Actions workflow run.
 
 			The contents of each artifact will be extracted under separate directories based on
 			the artifact name. If only a single artifact is specified, it will be extracted into
 			the current directory.
-		`),
+
+			By default, this command downloads the latest artifact created and uploaded through
+			GitHub Actions. Because workflows can delete or overwrite artifacts, %[1]s<run-id>%[1]s
+			must be used to select an artifact from a specific workflow run.
+		`, "`"),
 		Args: cobra.MaximumNArgs(1),
 		Example: heredoc.Doc(`
 			# Download all artifacts generated by a workflow run

From ab34d868aa8d99fc33eedcbf5ad64122aa814a34 Mon Sep 17 00:00:00 2001
From: Prabhat Kumar Sahu <prabhat1015@gmail.com>
Date: Fri, 9 Aug 2024 02:14:52 +0530
Subject: [PATCH 222/253] Change `gh repo set-default --view` to print to
 `stderr` when no default exists (#9431)

Change logging of `gh repo set-default --view` to `stderr` when no default exists to better conform with expectations and unix standards.

---------

Signed-off-by: Prabhat <iprabhatdev@gmail.com>
---
 pkg/cmd/repo/setdefault/setdefault.go      |  5 ++---
 pkg/cmd/repo/setdefault/setdefault_test.go | 13 ++++++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/repo/setdefault/setdefault.go b/pkg/cmd/repo/setdefault/setdefault.go
index d54d3956a75..eb8fcfb5a57 100644
--- a/pkg/cmd/repo/setdefault/setdefault.go
+++ b/pkg/cmd/repo/setdefault/setdefault.go
@@ -121,12 +121,11 @@ func setDefaultRun(opts *SetDefaultOptions) error {
 	if opts.ViewMode {
 		if currentDefaultRepo != nil {
 			fmt.Fprintln(opts.IO.Out, displayRemoteRepoName(currentDefaultRepo))
-		} else if opts.IO.IsStdoutTTY() {
-			fmt.Fprintln(opts.IO.Out, "no default repository has been set; use `gh repo set-default` to select one")
+		} else {
+			fmt.Fprintln(opts.IO.ErrOut, "no default repository has been set; use `gh repo set-default` to select one")
 		}
 		return nil
 	}
-
 	cs := opts.IO.ColorScheme()
 
 	if opts.UnsetMode {
diff --git a/pkg/cmd/repo/setdefault/setdefault_test.go b/pkg/cmd/repo/setdefault/setdefault_test.go
index a89effa1499..55a0193d593 100644
--- a/pkg/cmd/repo/setdefault/setdefault_test.go
+++ b/pkg/cmd/repo/setdefault/setdefault_test.go
@@ -135,6 +135,7 @@ func TestDefaultRun(t *testing.T) {
 		gitStubs      func(*run.CommandStubber)
 		prompterStubs func(*prompter.PrompterMock)
 		wantStdout    string
+		wantStderr    string
 		wantErr       bool
 		errMsg        string
 	}{
@@ -175,10 +176,11 @@ func TestDefaultRun(t *testing.T) {
 					Repo:   repo1,
 				},
 			},
-			wantStdout: "no default repository has been set; use `gh repo set-default` to select one\n",
+			wantStderr: "no default repository has been set; use `gh repo set-default` to select one\n",
 		},
 		{
 			name: "view mode no current default",
+			tty:  false,
 			opts: SetDefaultOptions{ViewMode: true},
 			remotes: []*context.Remote{
 				{
@@ -186,6 +188,7 @@ func TestDefaultRun(t *testing.T) {
 					Repo:   repo1,
 				},
 			},
+			wantStderr: "no default repository has been set; use `gh repo set-default` to select one\n",
 		},
 		{
 			name: "view mode with base resolved current default",
@@ -466,7 +469,7 @@ func TestDefaultRun(t *testing.T) {
 			return &http.Client{Transport: reg}, nil
 		}
 
-		io, _, stdout, _ := iostreams.Test()
+		io, _, stdout, stderr := iostreams.Test()
 		io.SetStdinTTY(tt.tty)
 		io.SetStdoutTTY(tt.tty)
 		io.SetStderrTTY(tt.tty)
@@ -498,7 +501,11 @@ func TestDefaultRun(t *testing.T) {
 				return
 			}
 			assert.NoError(t, err)
-			assert.Equal(t, tt.wantStdout, stdout.String())
+			if tt.wantStdout != "" {
+				assert.Equal(t, tt.wantStdout, stdout.String())
+			} else {
+				assert.Equal(t, tt.wantStderr, stderr.String())
+			}
 		})
 	}
 }

From 574e1310720e7ca120e01e58923a8c90026ece9c Mon Sep 17 00:00:00 2001
From: Cody Soyland <codysoyland@github.com>
Date: Fri, 9 Aug 2024 16:02:04 -0400
Subject: [PATCH 223/253] Require Sigstore Bundle v0.3 when verifying with `gh
 attestation`

Signed-off-by: Cody Soyland <codysoyland@github.com>
---
 ....12-py3-none-any-bundle-missing-cert.jsonl |   2 +-
 ...bundle-missing-verification-material.jsonl |   2 +-
 ...ance_demo-0.0.12-py3-none-any-bundle.jsonl |   2 +-
 .../data/sigstore-js-2.1.0-bundle-v0.1.json   |  61 ++++++++++
 .../test/data/sigstore-js-2.1.0-bundle.json   | 114 +++++++++---------
 .../sigstore-js-2.1.0_with_2_bundles.jsonl    |   4 +-
 .../sigstoreBundle-invalid-signature.json     |  64 +++++++---
 pkg/cmd/attestation/verification/sigstore.go  |   3 +
 .../verification/sigstore_integration_test.go |  13 ++
 9 files changed, 180 insertions(+), 85 deletions(-)
 create mode 100644 pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle-v0.1.json

diff --git a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-cert.jsonl b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-cert.jsonl
index e07ec7edaa6..092383a0b3a 100644
--- a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-cert.jsonl
+++ b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-cert.jsonl
@@ -1 +1 @@
-{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"publicKey":{},"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIC0jADAgEAMIICyQYJKoZIhvcNAQcCoIICujCCArYCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgGIbhbjwKQeOttAHpYr4ZdztGymTk4PPmJo1M4wwN9s8CFQDfGDV1B9hFrCLmzlcmvopZMaQOpxgPMjAyNDA0MjIxNzMzMjZaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3zCCAdsCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFDQ1ZZrWbr6Lo5+CsIgv6MSK/IcQMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA0MjIxNzMzMjZaMD8GCSqGSIb3DQEJBDEyBDAGSn57m09Ro452Mj6xp7ld68UOS58CRbsUAX0K7Oesj8Kcpo2xKRMwapTRYFWZF84wgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIC4X67ezV4q0OFecnkRUAx6sVRjb/Q6nZYy0cfMfHKgBME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUNDVlmtZuvoujn4KwiC/oxIr8hxAwCgYIKoZIzj0EAwMEaDBmAjEA0DIXC6giK74kBGL9WRcy99QAvkKWM2N20fNLFxTVrPglT0oNrTzTiyVQgIN6w1/gAjEAqxEuJp/bRj/ADIHoCBp2+K+zI2opxLbD4rj3jLaezHnoNOYpLwP3lIwFDhYU1a8a"}]}}}
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"publicKey":{},"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIC0jADAgEAMIICyQYJKoZIhvcNAQcCoIICujCCArYCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgGIbhbjwKQeOttAHpYr4ZdztGymTk4PPmJo1M4wwN9s8CFQDfGDV1B9hFrCLmzlcmvopZMaQOpxgPMjAyNDA0MjIxNzMzMjZaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3zCCAdsCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFDQ1ZZrWbr6Lo5+CsIgv6MSK/IcQMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA0MjIxNzMzMjZaMD8GCSqGSIb3DQEJBDEyBDAGSn57m09Ro452Mj6xp7ld68UOS58CRbsUAX0K7Oesj8Kcpo2xKRMwapTRYFWZF84wgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIC4X67ezV4q0OFecnkRUAx6sVRjb/Q6nZYy0cfMfHKgBME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUNDVlmtZuvoujn4KwiC/oxIr8hxAwCgYIKoZIzj0EAwMEaDBmAjEA0DIXC6giK74kBGL9WRcy99QAvkKWM2N20fNLFxTVrPglT0oNrTzTiyVQgIN6w1/gAjEAqxEuJp/bRj/ADIHoCBp2+K+zI2opxLbD4rj3jLaezHnoNOYpLwP3lIwFDhYU1a8a"}]}}}
diff --git a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-verification-material.jsonl b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-verification-material.jsonl
index 935bc9ce833..95610f10e6e 100644
--- a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-verification-material.jsonl
+++ b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle-missing-verification-material.jsonl
@@ -1 +1 @@
-{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMTItcHkzLW5vbmUtYW55LndobCIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhZTU3OTM2ZGVmNTliYzRjNzVlZGQzYTgzN2Q4OWJjZWZjNmQzYTVlMzFkNTVhNmZhN2E3MTYyNGY5MmMzYzNiIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MSIsInByZWRpY2F0ZSI6eyJidWlsZERlZmluaXRpb24iOnsiYnVpbGRUeXBlIjoiaHR0cHM6Ly9zbHNhLWZyYW1ld29yay5naXRodWIuaW8vZ2l0aHViLWFjdGlvbnMtYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiNzYzMjg3NTMyIiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjQ0MDM2NTYyIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIAgJYzFW0xtAGqTzSn8UWxvT16QLL1qLolcylZsN39U/AiEA/HSUE5sCPEkEHuZgsPS7LkZ9SkMlHGHhpMU3RsV/cYw="}]}}
+{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.3","dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMTItcHkzLW5vbmUtYW55LndobCIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhZTU3OTM2ZGVmNTliYzRjNzVlZGQzYTgzN2Q4OWJjZWZjNmQzYTVlMzFkNTVhNmZhN2E3MTYyNGY5MmMzYzNiIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MSIsInByZWRpY2F0ZSI6eyJidWlsZERlZmluaXRpb24iOnsiYnVpbGRUeXBlIjoiaHR0cHM6Ly9zbHNhLWZyYW1ld29yay5naXRodWIuaW8vZ2l0aHViLWFjdGlvbnMtYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiNzYzMjg3NTMyIiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjQ0MDM2NTYyIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIAgJYzFW0xtAGqTzSn8UWxvT16QLL1qLolcylZsN39U/AiEA/HSUE5sCPEkEHuZgsPS7LkZ9SkMlHGHhpMU3RsV/cYw="}]}}
diff --git a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle.jsonl b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle.jsonl
index 209b2373efe..4dffc8fd614 100644
--- a/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle.jsonl
+++ b/pkg/cmd/attestation/test/data/github_provenance_demo-0.0.12-py3-none-any-bundle.jsonl
@@ -1 +1 @@
-{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.2","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIGZjCCBeygAwIBAgIUZCNUZ8MMbrK0CrXtb6QFhFMAA6wwCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwyMB4XDTI0MDQyMjE3MzMyNloXDTI0MDQyMjE3NDMyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLq8PHWv71CECMctIxOYXeUm893MJEazyiLqAJPmEHx8oJsk+vYt8zvEjfL6OAiUpR60Cfk5moqCrr4WwvM3jPujggUKMIIFBjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFK10jC8CJcrMLDA80Jf4joCWq+H5MB8GA1UdIwQYMBaAFJtL5A5EGdvYbrWHWsiaGyEZn/4jMGcGA1UdEQEB/wRdMFuGWWh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkLXB5dGhvbi55bWxAcmVmcy9oZWFkcy9tYWluMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wHwYKKwYBBAGDvzABAgQRd29ya2Zsb3dfZGlzcGF0Y2gwNgYKKwYBBAGDvzABAwQoYTZjMjNiOTgwNmM1OTM2NjRmNjg2MzdjOGY5ZDQ1ZGZjZjk4YjJkYjAvBgorBgEEAYO/MAEEBCFCdWlsZCBwYWNrYWdlIGFuZCBwdWJsaXNoIHRvIFB5UEkwIQYKKwYBBAGDvzABBQQTYWN0aW9ucy9hdHRlc3QtZGVtbzAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4wOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMGkGCisGAQQBg78wAQkEWwxZaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8vLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbEByZWZzL2hlYWRzL21haW4wOAYKKwYBBAGDvzABCgQqDChhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiMB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDA2BgorBgEEAYO/MAEMBCgMJmh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vMDgGCisGAQQBg78wAQ0EKgwoYTZjMjNiOTgwNmM1OTM2NjRmNjg2MzdjOGY5ZDQ1ZGZjZjk4YjJkYjAfBgorBgEEAYO/MAEOBBEMD3JlZnMvaGVhZHMvbWFpbjAZBgorBgEEAYO/MAEPBAsMCTc2MzI4NzUzMjAqBgorBgEEAYO/MAEQBBwMGmh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zMBgGCisGAQQBg78wAREECgwINDQwMzY1NjIwaQYKKwYBBAGDvzABEgRbDFlodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9hdHRlc3QtZGVtby8uZ2l0aHViL3dvcmtmbG93cy9idWlsZC1weXRob24ueW1sQHJlZnMvaGVhZHMvbWFpbjA4BgorBgEEAYO/MAETBCoMKGE2YzIzYjk4MDZjNTkzNjY0ZjY4NjM3YzhmOWQ0NWRmY2Y5OGIyZGIwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRjaDBZBgorBgEEAYO/MAEVBEsMSWh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEwFwYKKwYBBAGDvzABFgQJDAdwcml2YXRlMAoGCCqGSM49BAMDA2gAMGUCME4MEsuiTVolcvctwKJn7TEfi9mIXxhfBRcV0Nox1UPvdc4EyO/gjYPqfWVbqi74CgIxANLkoV0aAeOaIuA1srkA1uIGmhuA820pXs0kbqW06cNuJie4+3B4PydoYoJjy1BZCQ=="}]},"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIC0jADAgEAMIICyQYJKoZIhvcNAQcCoIICujCCArYCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgGIbhbjwKQeOttAHpYr4ZdztGymTk4PPmJo1M4wwN9s8CFQDfGDV1B9hFrCLmzlcmvopZMaQOpxgPMjAyNDA0MjIxNzMzMjZaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3zCCAdsCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFDQ1ZZrWbr6Lo5+CsIgv6MSK/IcQMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA0MjIxNzMzMjZaMD8GCSqGSIb3DQEJBDEyBDAGSn57m09Ro452Mj6xp7ld68UOS58CRbsUAX0K7Oesj8Kcpo2xKRMwapTRYFWZF84wgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIC4X67ezV4q0OFecnkRUAx6sVRjb/Q6nZYy0cfMfHKgBME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUNDVlmtZuvoujn4KwiC/oxIr8hxAwCgYIKoZIzj0EAwMEaDBmAjEA0DIXC6giK74kBGL9WRcy99QAvkKWM2N20fNLFxTVrPglT0oNrTzTiyVQgIN6w1/gAjEAqxEuJp/bRj/ADIHoCBp2+K+zI2opxLbD4rj3jLaezHnoNOYpLwP3lIwFDhYU1a8a"}]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMTItcHkzLW5vbmUtYW55LndobCIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhZTU3OTM2ZGVmNTliYzRjNzVlZGQzYTgzN2Q4OWJjZWZjNmQzYTVlMzFkNTVhNmZhN2E3MTYyNGY5MmMzYzNiIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MSIsInByZWRpY2F0ZSI6eyJidWlsZERlZmluaXRpb24iOnsiYnVpbGRUeXBlIjoiaHR0cHM6Ly9zbHNhLWZyYW1ld29yay5naXRodWIuaW8vZ2l0aHViLWFjdGlvbnMtYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiNzYzMjg3NTMyIiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjQ0MDM2NTYyIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIAgJYzFW0xtAGqTzSn8UWxvT16QLL1qLolcylZsN39U/AiEA/HSUE5sCPEkEHuZgsPS7LkZ9SkMlHGHhpMU3RsV/cYw="}]}}
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIIGZjCCBeygAwIBAgIUZCNUZ8MMbrK0CrXtb6QFhFMAA6wwCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZGdWxjaW8gSW50ZXJtZWRpYXRlIGwyMB4XDTI0MDQyMjE3MzMyNloXDTI0MDQyMjE3NDMyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLq8PHWv71CECMctIxOYXeUm893MJEazyiLqAJPmEHx8oJsk+vYt8zvEjfL6OAiUpR60Cfk5moqCrr4WwvM3jPujggUKMIIFBjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFK10jC8CJcrMLDA80Jf4joCWq+H5MB8GA1UdIwQYMBaAFJtL5A5EGdvYbrWHWsiaGyEZn/4jMGcGA1UdEQEB/wRdMFuGWWh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vLy5naXRodWIvd29ya2Zsb3dzL2J1aWxkLXB5dGhvbi55bWxAcmVmcy9oZWFkcy9tYWluMDkGCisGAQQBg78wAQEEK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wHwYKKwYBBAGDvzABAgQRd29ya2Zsb3dfZGlzcGF0Y2gwNgYKKwYBBAGDvzABAwQoYTZjMjNiOTgwNmM1OTM2NjRmNjg2MzdjOGY5ZDQ1ZGZjZjk4YjJkYjAvBgorBgEEAYO/MAEEBCFCdWlsZCBwYWNrYWdlIGFuZCBwdWJsaXNoIHRvIFB5UEkwIQYKKwYBBAGDvzABBQQTYWN0aW9ucy9hdHRlc3QtZGVtbzAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4wOwYKKwYBBAGDvzABCAQtDCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMGkGCisGAQQBg78wAQkEWwxZaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8vLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbEByZWZzL2hlYWRzL21haW4wOAYKKwYBBAGDvzABCgQqDChhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiMB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDA2BgorBgEEAYO/MAEMBCgMJmh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vMDgGCisGAQQBg78wAQ0EKgwoYTZjMjNiOTgwNmM1OTM2NjRmNjg2MzdjOGY5ZDQ1ZGZjZjk4YjJkYjAfBgorBgEEAYO/MAEOBBEMD3JlZnMvaGVhZHMvbWFpbjAZBgorBgEEAYO/MAEPBAsMCTc2MzI4NzUzMjAqBgorBgEEAYO/MAEQBBwMGmh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zMBgGCisGAQQBg78wAREECgwINDQwMzY1NjIwaQYKKwYBBAGDvzABEgRbDFlodHRwczovL2dpdGh1Yi5jb20vYWN0aW9ucy9hdHRlc3QtZGVtby8uZ2l0aHViL3dvcmtmbG93cy9idWlsZC1weXRob24ueW1sQHJlZnMvaGVhZHMvbWFpbjA4BgorBgEEAYO/MAETBCoMKGE2YzIzYjk4MDZjNTkzNjY0ZjY4NjM3YzhmOWQ0NWRmY2Y5OGIyZGIwIQYKKwYBBAGDvzABFAQTDBF3b3JrZmxvd19kaXNwYXRjaDBZBgorBgEEAYO/MAEVBEsMSWh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEwFwYKKwYBBAGDvzABFgQJDAdwcml2YXRlMAoGCCqGSM49BAMDA2gAMGUCME4MEsuiTVolcvctwKJn7TEfi9mIXxhfBRcV0Nox1UPvdc4EyO/gjYPqfWVbqi74CgIxANLkoV0aAeOaIuA1srkA1uIGmhuA820pXs0kbqW06cNuJie4+3B4PydoYoJjy1BZCQ=="},"timestampVerificationData":{"rfc3161Timestamps":[{"signedTimestamp":"MIIC0jADAgEAMIICyQYJKoZIhvcNAQcCoIICujCCArYCAQMxDTALBglghkgBZQMEAgIwgbwGCyqGSIb3DQEJEAEEoIGsBIGpMIGmAgEBBgkrBgEEAYO/MAIwMTANBglghkgBZQMEAgEFAAQgGIbhbjwKQeOttAHpYr4ZdztGymTk4PPmJo1M4wwN9s8CFQDfGDV1B9hFrCLmzlcmvopZMaQOpxgPMjAyNDA0MjIxNzMzMjZaMAMCAQGgNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIFRpbWVzdGFtcGluZ6AAMYIB3zCCAdsCAQEwSjAyMRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xGTAXBgNVBAMTEFRTQSBpbnRlcm1lZGlhdGUCFDQ1ZZrWbr6Lo5+CsIgv6MSK/IcQMAsGCWCGSAFlAwQCAqCCAQUwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yNDA0MjIxNzMzMjZaMD8GCSqGSIb3DQEJBDEyBDAGSn57m09Ro452Mj6xp7ld68UOS58CRbsUAX0K7Oesj8Kcpo2xKRMwapTRYFWZF84wgYcGCyqGSIb3DQEJEAIvMXgwdjB0MHIEIC4X67ezV4q0OFecnkRUAx6sVRjb/Q6nZYy0cfMfHKgBME4wNqQ0MDIxFTATBgNVBAoTDEdpdEh1YiwgSW5jLjEZMBcGA1UEAxMQVFNBIGludGVybWVkaWF0ZQIUNDVlmtZuvoujn4KwiC/oxIr8hxAwCgYIKoZIzj0EAwMEaDBmAjEA0DIXC6giK74kBGL9WRcy99QAvkKWM2N20fNLFxTVrPglT0oNrTzTiyVQgIN6w1/gAjEAqxEuJp/bRj/ADIHoCBp2+K+zI2opxLbD4rj3jLaezHnoNOYpLwP3lIwFDhYU1a8a"}]}},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiZ2l0aHViX3Byb3ZlbmFuY2VfZGVtby0wLjAuMTItcHkzLW5vbmUtYW55LndobCIsImRpZ2VzdCI6eyJzaGEyNTYiOiJhZTU3OTM2ZGVmNTliYzRjNzVlZGQzYTgzN2Q4OWJjZWZjNmQzYTVlMzFkNTVhNmZhN2E3MTYyNGY5MmMzYzNiIn19XSwicHJlZGljYXRlVHlwZSI6Imh0dHBzOi8vc2xzYS5kZXYvcHJvdmVuYW5jZS92MSIsInByZWRpY2F0ZSI6eyJidWlsZERlZmluaXRpb24iOnsiYnVpbGRUeXBlIjoiaHR0cHM6Ly9zbHNhLWZyYW1ld29yay5naXRodWIuaW8vZ2l0aHViLWFjdGlvbnMtYnVpbGR0eXBlcy93b3JrZmxvdy92MSIsImV4dGVybmFsUGFyYW1ldGVycyI6eyJ3b3JrZmxvdyI6eyJyZWYiOiJyZWZzL2hlYWRzL21haW4iLCJyZXBvc2l0b3J5IjoiaHR0cHM6Ly9naXRodWIuY29tL2FjdGlvbnMvYXR0ZXN0LWRlbW8iLCJwYXRoIjoiLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGQtcHl0aG9uLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoid29ya2Zsb3dfZGlzcGF0Y2giLCJyZXBvc2l0b3J5X2lkIjoiNzYzMjg3NTMyIiwicmVwb3NpdG9yeV9vd25lcl9pZCI6IjQ0MDM2NTYyIn19LCJyZXNvbHZlZERlcGVuZGVuY2llcyI6W3sidXJpIjoiZ2l0K2h0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiJhNmMyM2I5ODA2YzU5MzY2NGY2ODYzN2M4ZjlkNDVkZmNmOThiMmRiIn19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL2F0dGVzdC1kZW1vL2FjdGlvbnMvcnVucy84Nzg4Mzg5NjAxL2F0dGVtcHRzLzEifX19fQ==","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEUCIAgJYzFW0xtAGqTzSn8UWxvT16QLL1qLolcylZsN39U/AiEA/HSUE5sCPEkEHuZgsPS7LkZ9SkMlHGHhpMU3RsV/cYw="}]}}
diff --git a/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle-v0.1.json b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle-v0.1.json
new file mode 100644
index 00000000000..d91176e098c
--- /dev/null
+++ b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle-v0.1.json
@@ -0,0 +1,61 @@
+{
+    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
+    "verificationMaterial": {
+      "x509CertificateChain": {
+        "certificates": [
+          {
+            "rawBytes": "MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="
+          }
+        ]
+      },
+      "tlogEntries": [
+        {
+          "logIndex": "33351527",
+          "logId": {
+            "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+          },
+          "kindVersion": {
+            "kind": "intoto",
+            "version": "0.0.2"
+          },
+          "integratedTime": "1693323623",
+          "inclusionPromise": {
+            "signedEntryTimestamp": "MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"
+          },
+          "inclusionProof": {
+            "logIndex": "29188096",
+            "rootHash": "fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=",
+            "treeSize": "29188099",
+            "hashes": [
+              "z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=",
+              "/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=",
+              "vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=",
+              "Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=",
+              "bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=",
+              "HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=",
+              "uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=",
+              "eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=",
+              "uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=",
+              "jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=",
+              "rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="
+            ],
+            "checkpoint": {
+              "envelope": "rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"
+            }
+          },
+          "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="
+        }
+      ],
+      "timestampVerificationData": null
+    },
+    "dsseEnvelope": {
+      "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=",
+      "payloadType": "application/vnd.in-toto+json",
+      "signatures": [
+        {
+          "sig": "MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg==",
+          "keyid": ""
+        }
+      ]
+    }
+  }
diff --git a/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle.json b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle.json
index d91176e098c..d318ea31976 100644
--- a/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle.json
+++ b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0-bundle.json
@@ -1,61 +1,55 @@
 {
-    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
-    "verificationMaterial": {
-      "x509CertificateChain": {
-        "certificates": [
-          {
-            "rawBytes": "MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="
-          }
-        ]
-      },
-      "tlogEntries": [
-        {
-          "logIndex": "33351527",
-          "logId": {
-            "keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
-          },
-          "kindVersion": {
-            "kind": "intoto",
-            "version": "0.0.2"
-          },
-          "integratedTime": "1693323623",
-          "inclusionPromise": {
-            "signedEntryTimestamp": "MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"
-          },
-          "inclusionProof": {
-            "logIndex": "29188096",
-            "rootHash": "fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=",
-            "treeSize": "29188099",
-            "hashes": [
-              "z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=",
-              "/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=",
-              "vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=",
-              "Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=",
-              "bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=",
-              "HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=",
-              "uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=",
-              "eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=",
-              "uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=",
-              "jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=",
-              "rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="
-            ],
-            "checkpoint": {
-              "envelope": "rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"
-            }
-          },
-          "canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="
-        }
-      ],
-      "timestampVerificationData": null
-    },
-    "dsseEnvelope": {
-      "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=",
-      "payloadType": "application/vnd.in-toto+json",
-      "signatures": [
-        {
-          "sig": "MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg==",
-          "keyid": ""
-        }
-      ]
-    }
-  }
+	"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
+	"verificationMaterial": {
+		"certificate": {
+			"rawBytes": "MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="
+		},
+		"tlogEntries": [
+			{
+				"logIndex": "33351527",
+				"logId": {
+					"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="
+				},
+				"kindVersion": {
+					"kind": "intoto",
+					"version": "0.0.2"
+				},
+				"integratedTime": "1693323623",
+				"inclusionPromise": {
+					"signedEntryTimestamp": "MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"
+				},
+				"inclusionProof": {
+					"logIndex": "29188096",
+					"rootHash": "fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=",
+					"treeSize": "29188099",
+					"hashes": [
+						"z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=",
+						"/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=",
+						"vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=",
+						"Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=",
+						"bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=",
+						"HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=",
+						"uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=",
+						"eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=",
+						"uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=",
+						"jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=",
+						"rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="
+					],
+					"checkpoint": {
+						"envelope": "rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"
+					}
+				},
+				"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="
+			}
+		]
+	},
+	"dsseEnvelope": {
+		"payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=",
+		"payloadType": "application/vnd.in-toto+json",
+		"signatures": [
+			{
+				"sig": "MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg=="
+			}
+		]
+	}
+}
diff --git a/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl
index a4aca34d031..265b1666df2 100644
--- a/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl
+++ b/pkg/cmd/attestation/test/data/sigstore-js-2.1.0_with_2_bundles.jsonl
@@ -1,2 +1,2 @@
-{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="}]},"tlogEntries":[{"logIndex":"33351527","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1693323623","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"},"inclusionProof":{"logIndex":"29188096","rootHash":"fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=","treeSize":"29188099","hashes":["z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=","/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=","vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=","Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=","bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=","HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=","uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=","eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=","uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=","jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=","rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg==","keyid":""}]}}
-{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="}]},"tlogEntries":[{"logIndex":"33351527","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1693323623","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"},"inclusionProof":{"logIndex":"29188096","rootHash":"fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=","treeSize":"29188099","hashes":["z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=","/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=","vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=","Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=","bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=","HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=","uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=","eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=","uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=","jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=","rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="}],"timestampVerificationData":null},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg==","keyid":""}]}}
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="},"tlogEntries":[{"logIndex":"33351527","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1693323623","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"},"inclusionProof":{"logIndex":"29188096","rootHash":"fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=","treeSize":"29188099","hashes":["z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=","/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=","vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=","Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=","bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=","HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=","uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=","eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=","uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=","jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=","rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="}]},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg=="}]}}
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIIGtDCCBjugAwIBAgIUCJLipSt09KLFc0JYfuDrSan//LswCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwODI5MTU0MDIzWhcNMjMwODI5MTU1MDIzWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPfm6LPXQeJTC89UOqiNWmnZYGmX4T3iLZGi0EV4bfOoM86Hza94XqyuwxAoWpCPecFCEbAe8l2dg/er3O9LEFqOCBVowggVWMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUeqpCXHr3pcUaL3EFKR+KsmuKQqowHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wYwYDVR0RAQH/BFkwV4ZVaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzLy5naXRodWIvd29ya2Zsb3dzL3JlbGVhc2UueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMBIGCisGAQQBg78wAQIEBHB1c2gwNgYKKwYBBAGDvzABAwQoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAVBgorBgEEAYO/MAEEBAdSZWxlYXNlMCIGCisGAQQBg78wAQUEFHNpZ3N0b3JlL3NpZ3N0b3JlLWpzMB0GCisGAQQBg78wAQYED3JlZnMvaGVhZHMvbWFpbjA7BgorBgEEAYO/MAEIBC0MK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20wZQYKKwYBBAGDvzABCQRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wAQoEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwNwYKKwYBBAGDvzABDAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMwOAYKKwYBBAGDvzABDQQqDCgyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0MB8GCisGAQQBg78wAQ4EEQwPcmVmcy9oZWFkcy9tYWluMBkGCisGAQQBg78wAQ8ECwwJNDk1NTc0NTU1MCsGCisGAQQBg78wARAEHQwbaHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlMBgGCisGAQQBg78wAREECgwINzEwOTYzNTMwZQYKKwYBBAGDvzABEgRXDFVodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvLmdpdGh1Yi93b3JrZmxvd3MvcmVsZWFzZS55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMjZkMTY1MTMzODZmZmFhNzkwYjFjMzJmOTI3NTQ0ZjEzMjJlNDE5NDAUBgorBgEEAYO/MAEUBAYMBHB1c2gwWgYKKwYBBAGDvzABFQRMDEpodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUvc2lnc3RvcmUtanMvYWN0aW9ucy9ydW5zLzYwMTQ0ODg2NjYvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABikHz+vwAAAQDAEcwRQIgZEo8c0eCZHEh4uzzJzFz9T+EfSTNTtB2FIH18vXpkOsCIQDE1MTti9RoDnRO3SET1Zkad6FoTx/k6ztQcwIDPmnRxTAKBggqhkjOPQQDAwNnADBkAjBB06fmNXx6ToaClFg2kOxnfLGgrvoR3F5GjDtvDBB8m9SWQNzL211jYmS/g+YbbyUCMC+ad6jIK+efe4XOIlhLcWxeZbBtMjKSrPxmm4jR3BFQQOBR+8r27CioyhxoSqvLuw=="},"tlogEntries":[{"logIndex":"33351527","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1693323623","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDhWvNSLvnq5ZS3qTIgC7K2uQFeA0g8FEEjNo1UQxeubAIhALDrD1uIiUkk3tQNp/4gKT/9j8zEyyxi9Ti+qaD8q2vI"},"inclusionProof":{"logIndex":"29188096","rootHash":"fbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=","treeSize":"29188099","hashes":["z7VKeAC2d2x18Vtxt7n40GS3gtc1xfRwjjxxzpy/Trw=","/Kd8ZuCLZ7MukSwpjaSgxKFl5X2vdHWk6/qpNrkiUJo=","vvkKs7IShUI15nVb9c5olPgBnL9r4uP7+d5KzV0hSjs=","Fg4p0WJZw8Lghrpxkx1SXgzfroTeIIrEgEbfgr9IdXY=","bH8NahqE+hQ58Qxhg0V5fYusFQ1xsaQ/rK6slWVRT5k=","HplNgZ3/afEHq52zcfL2s1AKisOYDdMCWK1jOu1tGyw=","uOPuC2YDmwZe989ZN3Lgh5CKMXh9HETrSNgf0jV0WkM=","eVsvWKnEZ1+Xo3Ba15DfEiIhhmlrEaIeb+VfYmx8KhY=","uLuBRins5nkqq2rqd17R27pQTUF+xetttC6MsmlUzd0=","jRUq4D8O+FI47Wbw96s7yHCu4qzWUxpIVfxQEeprDmc=","rXEsmEJN4PEoTU8US4qVtdIsGB1MCiRlGOepoiC99kM="],"checkpoint":{"envelope":"rekor.sigstore.dev - 2605736670972794746\n29188099\nfbEijQTFeiQCldZqez/u/WcrNPk4nxXI5ihofHYjFUA=\nTimestamp: 1693323623528968756\n\n— rekor.sigstore.dev wNI9ajBEAiAK0YTbxRlhOZeeP+844Y+W7iz+hsFIF8x2NYsmuaxifAIgYUFSurlKwN7j5jCwpqSVrkbouQoYIYlyWU9Om16svmI=\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8ranNvbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVWQwUkVORFFtcDFaMEYzU1VKQlowbFZRMHBNYVhCVGREQTVTMHhHWXpCS1dXWjFSSEpUWVc0dkwweHpkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BOZDA5RVNUVk5WRlV3VFVSSmVsZG9ZMDVOYWsxM1QwUkpOVTFVVlRGTlJFbDZWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWUVptMDJURkJZVVdWS1ZFTTRPVlZQY1dsT1YyMXVXbGxIYlZnMFZETnBURnBIYVRBS1JWWTBZbVpQYjAwNE5raDZZVGswV0hGNWRYZDRRVzlYY0VOUVpXTkdRMFZpUVdVNGJESmtaeTlsY2pOUE9VeEZSbkZQUTBKV2IzZG5aMVpYVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZWbGNYQkRDbGhJY2pOd1kxVmhURE5GUmt0U0swdHpiWFZMVVhGdmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQxbDNXVVJXVWpCU1FWRklMMEpHYTNkV05GcFdZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRETk9jRm96VGpCaU0wcHNURE5PY0FwYU0wNHdZak5LYkV4WGNIcE1lVFZ1WVZoU2IyUlhTWFprTWpsNVlUSmFjMkl6WkhwTU0wcHNZa2RXYUdNeVZYVmxWekZ6VVVoS2JGcHVUWFpoUjFab0NscElUWFppVjBad1ltcEJOVUpuYjNKQ1owVkZRVmxQTDAxQlJVSkNRM1J2WkVoU2QyTjZiM1pNTTFKMllUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQUtZVWhXYVdSWVRteGpiVTUyWW01U2JHSnVVWFZaTWpsMFRVSkpSME5wYzBkQlVWRkNaemM0ZDBGUlNVVkNTRUl4WXpKbmQwNW5XVXRMZDFsQ1FrRkhSQXAyZWtGQ1FYZFJiMDFxV210TlZGa3hUVlJOZWs5RVdtMWFiVVpvVG5wcmQxbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZXQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVVZDUVdSVFdsZDRiRmxZVG14TlEwbEhRMmx6UjBGUlVVSm5OemgzUVZGVlJVWklUbkJhTTA0d1lqTktiRXd6VG5BS1dqTk9NR0l6U214TVYzQjZUVUl3UjBOcGMwZEJVVkZDWnpjNGQwRlJXVVZFTTBwc1dtNU5kbUZIVm1oYVNFMTJZbGRHY0dKcVFUZENaMjl5UW1kRlJRcEJXVTh2VFVGRlNVSkRNRTFMTW1nd1pFaENlazlwT0haa1J6bHlXbGMwZFZsWFRqQmhWemwxWTNrMWJtRllVbTlrVjBveFl6SldlVmt5T1hWa1IxWjFDbVJETldwaU1qQjNXbEZaUzB0M1dVSkNRVWRFZG5wQlFrTlJVbGhFUmxadlpFaFNkMk42YjNaTU1tUndaRWRvTVZscE5XcGlNakIyWXpKc2JtTXpVbllLWTIxVmRtTXliRzVqTTFKMlkyMVZkR0Z1VFhaTWJXUndaRWRvTVZscE9UTmlNMHB5V20xNGRtUXpUWFpqYlZaeldsZEdlbHBUTlRWaVYzaEJZMjFXYlFwamVUbHZXbGRHYTJONU9YUlpWMngxVFVSblIwTnBjMGRCVVZGQ1p6YzRkMEZSYjBWTFozZHZUV3BhYTAxVVdURk5WRTE2VDBSYWJWcHRSbWhPZW10M0NsbHFSbXBOZWtwdFQxUkpNMDVVVVRCYWFrVjZUV3BLYkU1RVJUVk9SRUZrUW1kdmNrSm5SVVZCV1U4dlRVRkZURUpCT0UxRVYyUndaRWRvTVZscE1XOEtZak5PTUZwWFVYZE9kMWxMUzNkWlFrSkJSMFIyZWtGQ1JFRlJjRVJEWkc5a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFpqTW14dVl6TlNkZ3BqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZDA5QldVdExkMWxDUWtGSFJIWjZRVUpFVVZGeFJFTm5lVTV0VVhoT2FsVjRUWHBOTkU1dFdtMVpWMFV6Q2s5VVFtbE5WMDE2VFcxWk5VMXFZekZPUkZKdFRWUk5lVTF0VlRCTlZHc3dUVUk0UjBOcGMwZEJVVkZDWnpjNGQwRlJORVZGVVhkUVkyMVdiV041T1c4S1dsZEdhMk41T1hSWlYyeDFUVUpyUjBOcGMwZEJVVkZDWnpjNGQwRlJPRVZEZDNkS1RrUnJNVTVVWXpCT1ZGVXhUVU56UjBOcGMwZEJVVkZDWnpjNGR3cEJVa0ZGU0ZGM1ltRklVakJqU0UwMlRIazVibUZZVW05a1YwbDFXVEk1ZEV3elRuQmFNMDR3WWpOS2JFMUNaMGREYVhOSFFWRlJRbWMzT0hkQlVrVkZDa05uZDBsT2VrVjNUMVJaZWs1VVRYZGFVVmxMUzNkWlFrSkJSMFIyZWtGQ1JXZFNXRVJHVm05a1NGSjNZM3B2ZGt3eVpIQmtSMmd4V1drMWFtSXlNSFlLWXpKc2JtTXpVblpqYlZWMll6SnNibU16VW5aamJWVjBZVzVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbU50Vm5OYVYwWjZXbE0xTlFwaVYzaEJZMjFXYldONU9XOWFWMFpyWTNrNWRGbFhiSFZOUkdkSFEybHpSMEZSVVVKbk56aDNRVkpOUlV0bmQyOU5hbHByVFZSWk1VMVVUWHBQUkZwdENscHRSbWhPZW10M1dXcEdhazE2U20xUFZFa3pUbFJSTUZwcVJYcE5ha3BzVGtSRk5VNUVRVlZDWjI5eVFtZEZSVUZaVHk5TlFVVlZRa0ZaVFVKSVFqRUtZekpuZDFkbldVdExkMWxDUWtGSFJIWjZRVUpHVVZKTlJFVndiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtTXliRzVqTTFKMlkyMVZkZ3BqTW14dVl6TlNkbU50VlhSaGJrMTJXVmRPTUdGWE9YVmplVGw1WkZjMWVreDZXWGROVkZFd1QwUm5NazVxV1haWldGSXdXbGN4ZDJSSVRYWk5WRUZYQ2tKbmIzSkNaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhV2RaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamhDU0c5QlpVRkNNa0ZPTURrS1RVZHlSM2g0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKcGEwaDZLM1ozUVVGQlVVUkJSV04zVWxGSlp3cGFSVzg0WXpCbFExcElSV2cwZFhwNlNucEdlamxVSzBWbVUxUk9WSFJDTWtaSlNERTRkbGh3YTA5elEwbFJSRVV4VFZSMGFUbFNiMFJ1VWs4elUwVlVDakZhYTJGa05rWnZWSGd2YXpaNmRGRmpkMGxFVUcxdVVuaFVRVXRDWjJkeGFHdHFUMUJSVVVSQmQwNXVRVVJDYTBGcVFrSXdObVp0VGxoNE5sUnZZVU1LYkVabk1tdFBlRzVtVEVkbmNuWnZVak5HTlVkcVJIUjJSRUpDT0cwNVUxZFJUbnBNTWpFeGFsbHRVeTluSzFsaVlubFZRMDFESzJGa05tcEpTeXRsWmdwbE5GaFBTV3hvVEdOWGVHVmFZa0owVFdwTFUzSlFlRzF0TkdwU00wSkdVVkZQUWxJck9ISXlOME5wYjNsb2VHOVRjWFpNZFhjOVBRb3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdCIsInNpZyI6IlRVVlJRMGxEWVhSb2JsUkljMlJtV25GSWNUTnBXRXhxVFdVd1ZGVTViRXhaYmxJeGVtazNNM0JSZFZobU5VdElRV2xDTWpOS2FDdG5VMll4VVVWRGJrRlRSMlZ3TW1VeVRVZHVVRmhwYjFWTVZqUjJRMGxUU2tKdWEwcGFaejA5In1dfSwiaGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjFiZDg4ZTA1NGY2OGE3ZDE3MzkzNjcyYjAzZmExOGZkNjRmMGRjZDVmY2M1NDAzNWMxOWZlNjQwMWNmMmNmNWUifSwicGF5bG9hZEhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI4Y2ViNGFiODEyNzczMTQ3M2E5ZWM4MTE0MGNiNjg0OWNmOGU5NzBjZGEzMmJhZWYwOTlkZjQ4YmEzMjY0NDQyIn19fX0="}]},"dsseEnvelope":{"payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGtnOm5wbS9zaWdzdG9yZUAyLjEuMCIsImRpZ2VzdCI6eyJzaGE1MTIiOiI5MGYyMjNmOTkyZTRjODhkZDA2OGNkMmE1ZmM1N2Y5ZDJiMzA3OTgzNDNkZDZlMzhmMjljMjQwZTA0YmEwOTBlZjgzMWY4NDQ5MDg0N2M0ZTgyYjkyMzJjNzhlOGEyNTg0NjNiMWU1NWMwZjc0NjlmNzMwMjY1MDA4ZmE2NjMzZiJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjEiLCJwcmVkaWNhdGUiOnsiYnVpbGREZWZpbml0aW9uIjp7ImJ1aWxkVHlwZSI6Imh0dHBzOi8vc2xzYS1mcmFtZXdvcmsuZ2l0aHViLmlvL2dpdGh1Yi1hY3Rpb25zLWJ1aWxkdHlwZXMvd29ya2Zsb3cvdjEiLCJleHRlcm5hbFBhcmFtZXRlcnMiOnsid29ya2Zsb3ciOnsicmVmIjoicmVmcy9oZWFkcy9tYWluIiwicmVwb3NpdG9yeSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcyIsInBhdGgiOiIuZ2l0aHViL3dvcmtmbG93cy9yZWxlYXNlLnltbCJ9fSwiaW50ZXJuYWxQYXJhbWV0ZXJzIjp7ImdpdGh1YiI6eyJldmVudF9uYW1lIjoicHVzaCIsInJlcG9zaXRvcnlfaWQiOiI0OTU1NzQ1NTUiLCJyZXBvc2l0b3J5X293bmVyX2lkIjoiNzEwOTYzNTMifX0sInJlc29sdmVkRGVwZW5kZW5jaWVzIjpbeyJ1cmkiOiJnaXQraHR0cHM6Ly9naXRodWIuY29tL3NpZ3N0b3JlL3NpZ3N0b3JlLWpzQHJlZnMvaGVhZHMvbWFpbiIsImRpZ2VzdCI6eyJnaXRDb21taXQiOiIyNmQxNjUxMzM4NmZmYWE3OTBiMWMzMmY5Mjc1NDRmMTMyMmU0MTk0In19XX0sInJ1bkRldGFpbHMiOnsiYnVpbGRlciI6eyJpZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9hY3Rpb25zL3J1bm5lci9naXRodWItaG9zdGVkIn0sIm1ldGFkYXRhIjp7Imludm9jYXRpb25JZCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS9zaWdzdG9yZS1qcy9hY3Rpb25zL3J1bnMvNjAxNDQ4ODY2Ni9hdHRlbXB0cy8xIn19fX0=","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEQCICathnTHsdfZqHq3iXLjMe0TU9lLYnR1zi73pQuXf5KHAiB23Jh+gSf1QECnASGep2e2MGnPXioULV4vCISJBnkJZg=="}]}}
diff --git a/pkg/cmd/attestation/test/data/sigstoreBundle-invalid-signature.json b/pkg/cmd/attestation/test/data/sigstoreBundle-invalid-signature.json
index b1275cebc6c..0cf79254c4f 100644
--- a/pkg/cmd/attestation/test/data/sigstoreBundle-invalid-signature.json
+++ b/pkg/cmd/attestation/test/data/sigstoreBundle-invalid-signature.json
@@ -1,6 +1,9 @@
 {
-	"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
+	"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
 	"verificationMaterial": {
+		"certificate": {
+			"rawBytes": "MIICnzCCAiWgAwIBAgIUVHwehOtGn4KSD1H8RI581MfbyewwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjIxMTA4MjI1ODA2WhcNMjIxMTA4MjMwODA2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGg6Hjxt2UNiJ1kwwq5XQIIwMZnJfVQ3bF01uZKteMdcV/3qhCmWOecoxRqwrbYTshGg9NyXcBbve6zKwZVTLeqOCAUQwggFAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU7WpR60sCpgfu04wcsjvCFxt0fMkwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERYnJpYW5AZGVoYW1lci5jb20wLAYKKwYBBAGDvzABAQQeaHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGEWXcR8AAABAMARjBEAiBRTrGE5Y1EnYniaJB+nsv89VaYx3QZjocEin3r91wfkAIgMss+fssu5SLQkn7WDTKXgow7SxbHYSZj3ykxArVnuzEwCgYIKoZIzj0EAwMDaAAwZQIxAPjSGddLIvyUMGIkZ+u6JhE9p1Njt3dEtwYkMxfnEV2k7MH1BVmxg9PsJjqycfi+eAIwDaKn2CdOxKsxcgYNi4HviEnZqxmeDyo2YFItzpHfIMQmcRSl91UeOSC8+PuGgwMK"
+		},
 		"tlogEntries": [
 			{
 				"logIndex": "6751924",
@@ -13,35 +16,56 @@
 				},
 				"integratedTime": "1667948287",
 				"inclusionPromise": {
-					"signedEntryTimestamp": "MEQCIEzguFRaGzOpMw9JJGUfqSJQ11qlzpcyVCkZfZYPwpLCAiBzdU4LnjtVKYCfyoTImFh3OLFWeOKygtS47Z8fp1GYHg=="
+					"signedEntryTimestamp": "MEQCIFC8EPrNU+kRCqHOJaGuw3NAFkJGYu8mssUaq71sR98pAiA5+SpNdFL5RrjyhulMo3t5xcc03srLlQmKx42LRiqGew=="
+				},
+				"inclusionProof": {
+					"logIndex": "2588493",
+					"rootHash": "N40Xn7VxprmSXoUSY27Bs6T2t0JvHShIY/7ekL0/p6U=",
+					"treeSize": "115826880",
+					"hashes": [
+						"qvPXILBiRJD+OZ8vUgQLlRe5QmJsbQgoKDYXbcQplZk=",
+						"ian1jlZJxuli49MJF79fN6RiMaQO8dj7Wk2o/gVJqTg=",
+						"4L82HI4fzDUm6Jl+jPDaotc3bWW9y9h08g5sJGavPko=",
+						"X3+ZmsxVTa8t+uRGaK4vgzJVAxjZL+5o35ueQA3WaRc=",
+						"Z6I4B7xGG98tCAWz7rdIxW36r8Uz2vPr+wZAiVJqLyU=",
+						"WTb/xFvgwNmpinr1+xKCbNZOGo8L6GN8oZ+snwmYESw=",
+						"lFxAqYOFdddHV349DzPLmsyPzCfzimnNKWk1itLLwy8=",
+						"BbtQkfipdk2Xwc3ijUSX5V0bxHNuPvbjq6csMZGrBh4=",
+						"8/XdI9PzRMcytBFkEv9WbIMNJaHkkFgZV39VNAzf6ho=",
+						"KmwX1cdeUfdQlFjqvqLQxKaOBoZ4/aIo2bUo9WzrGRc=",
+						"nffHMg5IaQx0gI0QG0A2cqRlajxbh7v6kdWKpQBowKY=",
+						"4n+4WqZcfi237GTZjbCgWwhN/oUnzHXSh67xV3R4GTE=",
+						"tfxH1EZ2uVk8MeHZ/7cxcSL1NALf27pfII4YVRfrMFU=",
+						"bdkHN9diWTXM0z5GECHlDIMvSl8koq33Vd8mSdNrhhY=",
+						"abpenKLgpX4ElLQbHYkjZzj0QptcTE9yujFeVSmMOtw=",
+						"qeGjNnuDqq2S63UDs3gJ2cfvolHGXREL/fc30SXYbFk=",
+						"ucRPSmGLhm/SyHL7chQ5vBEFull08HzsqtAC0TQ91tY=",
+						"EiS8ntcvGnB1xcGZg9Cf3fTkV1wBcJNVtSWKIYVZqAU=",
+						"Mx1LEx7szsPd62CGkL6HM+NWkOy9YwZTwukJEVgH7Cw=",
+						"s2Z13KVYurVY6F1AUhr8Uby4RE3RXW1XEC2tWWdzCjI=",
+						"QRfYxLEHh/FwMZqWnxNNW+x3lY7o3LM86BW+z0MpMN4=",
+						"J0dGjQ7V5bETi7p7eWg2ephCQ32QBLMWY5HxFcuGfR4=",
+						"uFGzOQorMYmYZ2yumLpgr1tvXvZaL+tTTCqaXa7Hdds=",
+						"Lksw/hm/y+1p33SaEF8/60gPvFVNkueBpDWJ1tAVcAo=",
+						"Soaoms+sNcJd3K95DWx//GJEbZPyr/e4cUVyLXK9tnk=",
+						"WcosyVcuwpv56nBkSbKEnSPbHesdKOoUykqVThLEqoo=",
+						"gY2fcNwGuA3cp7tQHZoB084DsKFwbF4tW78KgehHwfE="
+					],
+					"checkpoint": {
+						"envelope": "rekor.sigstore.dev - 2605736670972794746\n115826880\nN40Xn7VxprmSXoUSY27Bs6T2t0JvHShIY/7ekL0/p6U=\n\n— rekor.sigstore.dev wNI9ajBEAiBNjSQhOIg1Ch0UbbX+JZj5y//ajY0isa4dJsVajHo2ogIgGDm73+f2+vbJgbSqtqmPdXfb6Rm/vEIF3cli7j1KZ0I=\n"
+					}
 				},
 				"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjIiLCJraW5kIjoiaW50b3RvIiwic3BlYyI6eyJjb250ZW50Ijp7ImVudmVsb3BlIjp7InBheWxvYWRUeXBlIjoidGV4dC9wbGFpbiIsInNpZ25hdHVyZXMiOlt7InB1YmxpY0tleSI6IkxTMHRMUzFDUlVkSlRpQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENrMUpTVU51ZWtORFFXbFhaMEYzU1VKQlowbFZWa2gzWldoUGRFZHVORXRUUkRGSU9GSkpOVGd4VFdaaWVXVjNkME5uV1VsTGIxcEplbW93UlVGM1RYY0tUbnBGVmsxQ1RVZEJNVlZGUTJoTlRXTXliRzVqTTFKMlkyMVZkVnBIVmpKTlVqUjNTRUZaUkZaUlVVUkZlRlo2WVZka2VtUkhPWGxhVXpGd1ltNVNiQXBqYlRGc1drZHNhR1JIVlhkSWFHTk9UV3BKZUUxVVFUUk5ha2t4VDBSQk1sZG9ZMDVOYWtsNFRWUkJORTFxVFhkUFJFRXlWMnBCUVUxR2EzZEZkMWxJQ2t0dldrbDZhakJEUVZGWlNVdHZXa2w2YWpCRVFWRmpSRkZuUVVWSFp6WklhbmgwTWxWT2FVb3hhM2QzY1RWWVVVbEpkMDFhYmtwbVZsRXpZa1l3TVhVS1drdDBaVTFrWTFZdk0zRm9RMjFYVDJWamIzaFNjWGR5WWxsVWMyaEhaemxPZVZoalFtSjJaVFo2UzNkYVZsUk1aWEZQUTBGVlVYZG5aMFpCVFVFMFJ3cEJNVlZrUkhkRlFpOTNVVVZCZDBsSVowUkJWRUpuVGxaSVUxVkZSRVJCUzBKblozSkNaMFZHUWxGalJFRjZRV1JDWjA1V1NGRTBSVVpuVVZVM1YzQlNDall3YzBOd1oyWjFNRFIzWTNOcWRrTkdlSFF3WmsxcmQwaDNXVVJXVWpCcVFrSm5kMFp2UVZVek9WQndlakZaYTBWYVlqVnhUbXB3UzBaWGFYaHBORmtLV2tRNGQwaDNXVVJXVWpCU1FWRklMMEpDVlhkRk5FVlNXVzVLY0ZsWE5VRmFSMVp2V1ZjeGJHTnBOV3BpTWpCM1RFRlpTMHQzV1VKQ1FVZEVkbnBCUWdwQlVWRmxZVWhTTUdOSVRUWk1lVGx1WVZoU2IyUlhTWFZaTWpsMFRESjRkbG95YkhWTU1qbG9aRmhTYjAxSlIwcENaMjl5UW1kRlJVRmtXalZCWjFGRENrSkljMFZsVVVJelFVaFZRVE5VTUhkaGMySklSVlJLYWtkU05HTnRWMk16UVhGS1MxaHlhbVZRU3pNdmFEUndlV2RET0hBM2J6UkJRVUZIUlZkWVkxSUtPRUZCUVVKQlRVRlNha0pGUVdsQ1VsUnlSMFUxV1RGRmJsbHVhV0ZLUWl0dWMzWTRPVlpoV1hnelVWcHFiMk5GYVc0emNqa3hkMlpyUVVsblRYTnpLd3BtYzNOMU5WTk1VV3R1TjFkRVZFdFlaMjkzTjFONFlraFpVMXBxTTNscmVFRnlWbTUxZWtWM1EyZFpTVXR2V2tsNmFqQkZRWGROUkdGQlFYZGFVVWw0Q2tGUWFsTkhaR1JNU1haNVZVMUhTV3RhSzNVMlNtaEZPWEF4VG1wME0yUkZkSGRaYTAxNFptNUZWakpyTjAxSU1VSldiWGhuT1ZCelNtcHhlV05tYVNzS1pVRkpkMFJoUzI0eVEyUlBlRXR6ZUdObldVNXBORWgyYVVWdVduRjRiV1ZFZVc4eVdVWkpkSHB3U0daSlRWRnRZMUpUYkRreFZXVlBVME00SzFCMVJ3cG5kMDFMQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIiwic2lnIjoiVFVWVlEwbERWV2hCVm1WM1puZExiR3MxWmxaNmNGSkVWVkJvUlhjNVR6aEpNbkI0UXpWdVZHNVFabGxFUW5OUFFXbEZRVEJhUm5Gek9UbFJaMUk1YlVGMFJrMVhkRmR5VDJwdFZVTTBOM3BuWVc5dmJFdEpiMHhJTDA5M1pFMDkifV19LCJoYXNoIjp7ImFsZ29yaXRobSI6InNoYTI1NiIsInZhbHVlIjoiZGNiNDkyNTljODY2MDdjMzQ2MzVkYWJiNDQzMWYwNjVlOWE3YTczNDcwNGNiNzNmMGFhMGY2YWFhMzg5NmEwNCJ9LCJwYXlsb2FkSGFzaCI6eyJhbGdvcml0aG0iOiJzaGEyNTYiLCJ2YWx1ZSI6IjY4ZTY1NmIyNTFlNjdlODM1OGJlZjg0ODNhYjBkNTFjNjYxOWYzZTdhMWE5ZjBlNzU4MzhkNDFmZjM2OGY3MjgifX19fQ=="
 			}
 		],
-		"timestampVerificationData": {
-			"rfc3161Timestamps": []
-		},
-		"x509CertificateChain": {
-			"certificates": [
-				{
-					"rawBytes": "MIICnzCCAiWgAwIBAgIUVHwehOtGn4KSD1H8RI581MfbyewwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjIxMTA4MjI1ODA2WhcNMjIxMTA4MjMwODA2WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGg6Hjxt2UNiJ1kwwq5XQIIwMZnJfVQ3bF01uZKteMdcV/3qhCmWOecoxRqwrbYTshGg9NyXcBbve6zKwZVTLeqOCAUQwggFAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU7WpR60sCpgfu04wcsjvCFxt0fMkwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0RAQH/BBUwE4ERYnJpYW5AZGVoYW1lci5jb20wLAYKKwYBBAGDvzABAQQeaHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMIGJBgorBgEEAdZ5AgQCBHsEeQB3AHUA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGEWXcR8AAABAMARjBEAiBRTrGE5Y1EnYniaJB+nsv89VaYx3QZjocEin3r91wfkAIgMss+fssu5SLQkn7WDTKXgow7SxbHYSZj3ykxArVnuzEwCgYIKoZIzj0EAwMDaAAwZQIxAPjSGddLIvyUMGIkZ+u6JhE9p1Njt3dEtwYkMxfnEV2k7MH1BVmxg9PsJjqycfi+eAIwDaKn2CdOxKsxcgYNi4HviEnZqxmeDyo2YFItzpHfIMQmcRSl91UeOSC8+PuGgwMK"
-				},
-				{
-					"rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="
-				},
-				{
-					"rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
-				}
-			]
-		}
+		"timestampVerificationData": {}
 	},
 	"dsseEnvelope": {
 		"payload": "aGVsbG8sIHdvcmxkIQ==",
 		"payloadType": "text/plain",
 		"signatures": [
 			{
-				"sig": "NEUCICUhAVewfwKlk5fVzpRDUPhEw9O8I2pxC5nTnPfYDBsOAiEA0ZFqs99QgR9mAtFMWtWrOjmUC47zgaoolKIoLH/OwdM=",
-				"keyid": ""
+				"sig": "NEUCICUhAVewfwKlk5fVzpRDUPhEw9O8I2pxC5nTnPfYDBsOAiEA0ZFqs99QgR9mAtFMWtWrOjmUC47zgaoolKIoLH/OwdM="
 			}
 		]
 	}
diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index 0e6d01d9bec..b4e0ef8c02e 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -56,6 +56,9 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) *LiveSigstoreVerifier {
 }
 
 func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.SignedEntityVerifier, string, error) {
+	if !b.MinVersion("0.3") {
+		return nil, "", fmt.Errorf("unsupported bundle version: %s", b.MediaType)
+	}
 	verifyContent, err := b.VerificationContent()
 	if err != nil {
 		return nil, "", fmt.Errorf("failed to get bundle verification content: %v", err)
diff --git a/pkg/cmd/attestation/verification/sigstore_integration_test.go b/pkg/cmd/attestation/verification/sigstore_integration_test.go
index 2fab9dfac29..48d1f4b4994 100644
--- a/pkg/cmd/attestation/verification/sigstore_integration_test.go
+++ b/pkg/cmd/attestation/verification/sigstore_integration_test.go
@@ -100,6 +100,19 @@ func TestLiveSigstoreVerifier(t *testing.T) {
 		require.Len(t, res.VerifyResults, 2)
 		require.NoError(t, res.Error)
 	})
+
+	t.Run("with invalid bundle version", func(t *testing.T) {
+		attestations := getAttestationsFor(t, "../test/data/sigstore-js-2.1.0-bundle-v0.1.json")
+		require.Len(t, attestations, 1)
+
+		verifier := NewLiveSigstoreVerifier(SigstoreConfig{
+			Logger: io.NewTestHandler(),
+		})
+
+		res := verifier.Verify(attestations, publicGoodPolicy(t))
+		require.Len(t, res.VerifyResults, 0)
+		require.ErrorContains(t, res.Error, "unsupported bundle version")
+	})
 }
 
 func publicGoodPolicy(t *testing.T) verify.PolicyBuilder {

From b783441540009cb6b58736185521778a4e70aa3c Mon Sep 17 00:00:00 2001
From: Cody Soyland <codysoyland@github.com>
Date: Fri, 9 Aug 2024 16:14:04 -0400
Subject: [PATCH 224/253] Fix tests

Signed-off-by: Cody Soyland <codysoyland@github.com>
---
 pkg/cmd/attestation/api/client_test.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkg/cmd/attestation/api/client_test.go b/pkg/cmd/attestation/api/client_test.go
index 7044a1cc544..693e3266e91 100644
--- a/pkg/cmd/attestation/api/client_test.go
+++ b/pkg/cmd/attestation/api/client_test.go
@@ -62,14 +62,14 @@ func TestGetByDigest(t *testing.T) {
 
 	require.Equal(t, 5, len(attestations))
 	bundle := (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 
 	attestations, err = c.GetByOwnerAndDigest(testOwner, testDigest, DefaultLimit)
 	require.NoError(t, err)
 
 	require.Equal(t, 5, len(attestations))
 	bundle = (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 }
 
 func TestGetByDigestGreaterThanLimit(t *testing.T) {
@@ -82,14 +82,14 @@ func TestGetByDigestGreaterThanLimit(t *testing.T) {
 
 	require.Equal(t, 3, len(attestations))
 	bundle := (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 
 	attestations, err = c.GetByOwnerAndDigest(testOwner, testDigest, limit)
 	require.NoError(t, err)
 
 	require.Equal(t, len(attestations), limit)
 	bundle = (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 }
 
 func TestGetByDigestWithNextPage(t *testing.T) {
@@ -99,14 +99,14 @@ func TestGetByDigestWithNextPage(t *testing.T) {
 
 	require.Equal(t, len(attestations), 10)
 	bundle := (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 
 	attestations, err = c.GetByOwnerAndDigest(testOwner, testDigest, DefaultLimit)
 	require.NoError(t, err)
 
 	require.Equal(t, len(attestations), 10)
 	bundle = (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 }
 
 func TestGetByDigestGreaterThanLimitWithNextPage(t *testing.T) {
@@ -119,14 +119,14 @@ func TestGetByDigestGreaterThanLimitWithNextPage(t *testing.T) {
 
 	require.Equal(t, len(attestations), limit)
 	bundle := (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 
 	attestations, err = c.GetByOwnerAndDigest(testOwner, testDigest, limit)
 	require.NoError(t, err)
 
 	require.Equal(t, len(attestations), limit)
 	bundle = (attestations)[0].Bundle
-	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle+json;version=0.1")
+	require.Equal(t, bundle.GetMediaType(), "application/vnd.dev.sigstore.bundle.v0.3+json")
 }
 
 func TestGetByDigest_NoAttestationsFound(t *testing.T) {

From 35b2cf70cf360fa8ab70d71207c7bcc087422a1a Mon Sep 17 00:00:00 2001
From: Cody Soyland <codysoyland@github.com>
Date: Fri, 9 Aug 2024 16:36:16 -0400
Subject: [PATCH 225/253] Change to requiring bundle v0.2

Signed-off-by: Cody Soyland <codysoyland@github.com>
---
 pkg/cmd/attestation/verification/sigstore.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go
index b4e0ef8c02e..d86a709b55a 100644
--- a/pkg/cmd/attestation/verification/sigstore.go
+++ b/pkg/cmd/attestation/verification/sigstore.go
@@ -56,7 +56,7 @@ func NewLiveSigstoreVerifier(config SigstoreConfig) *LiveSigstoreVerifier {
 }
 
 func (v *LiveSigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.SignedEntityVerifier, string, error) {
-	if !b.MinVersion("0.3") {
+	if !b.MinVersion("0.2") {
 		return nil, "", fmt.Errorf("unsupported bundle version: %s", b.MediaType)
 	}
 	verifyContent, err := b.VerificationContent()

From 18d58b8d84bf1998dd3a0c6a292690069cf9d6b8 Mon Sep 17 00:00:00 2001
From: Tyler McGoffin <jtmcg@github.com>
Date: Fri, 9 Aug 2024 13:55:14 -0700
Subject: [PATCH 226/253] Replace `--project.*` flags' `name` with `title` in
 docs (#9443)

With the upcoming migration from v1 project to v2 projects, we'd like the
language in our documentation to align with v2 project language. In v2,
projects are referred to by `title` and not `name`, though they are
functionally equivalent under the hood for the CLI
---
 pkg/cmd/issue/create/create.go | 2 +-
 pkg/cmd/issue/edit/edit.go     | 4 ++--
 pkg/cmd/pr/create/create.go    | 2 +-
 pkg/cmd/pr/edit/edit.go        | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 33b5830122b..160249e099d 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -137,7 +137,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().BoolVarP(&opts.WebMode, "web", "w", false, "Open the browser to create an issue")
 	cmd.Flags().StringSliceVarP(&opts.Assignees, "assignee", "a", nil, "Assign people by their `login`. Use \"@me\" to self-assign.")
 	cmd.Flags().StringSliceVarP(&opts.Labels, "label", "l", nil, "Add labels by `name`")
-	cmd.Flags().StringSliceVarP(&opts.Projects, "project", "p", nil, "Add the issue to projects by `name`")
+	cmd.Flags().StringSliceVarP(&opts.Projects, "project", "p", nil, "Add the issue to projects by `title`")
 	cmd.Flags().StringVarP(&opts.Milestone, "milestone", "m", "", "Add the issue to a milestone by `name`")
 	cmd.Flags().StringVar(&opts.RecoverFile, "recover", "", "Recover input from a failed run of create")
 	cmd.Flags().StringVarP(&opts.Template, "template", "T", "", "Template `file` to use as starting body text")
diff --git a/pkg/cmd/issue/edit/edit.go b/pkg/cmd/issue/edit/edit.go
index 11a69383d3c..18067319f40 100644
--- a/pkg/cmd/issue/edit/edit.go
+++ b/pkg/cmd/issue/edit/edit.go
@@ -153,8 +153,8 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Assignees.Remove, "remove-assignee", nil, "Remove assigned users by their `login`. Use \"@me\" to unassign yourself.")
 	cmd.Flags().StringSliceVar(&opts.Editable.Labels.Add, "add-label", nil, "Add labels by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Labels.Remove, "remove-label", nil, "Remove labels by `name`")
-	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the issue to projects by `name`")
-	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the issue from projects by `name`")
+	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the issue to projects by `title`")
+	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the issue from projects by `title`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the issue belongs to by `name`")
 	cmd.Flags().BoolVar(&removeMilestone, "remove-milestone", false, "Remove the milestone association from the issue")
 
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index 23f30206929..c6c49ac32fe 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -220,7 +220,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	fl.StringSliceVarP(&opts.Reviewers, "reviewer", "r", nil, "Request reviews from people or teams by their `handle`")
 	fl.StringSliceVarP(&opts.Assignees, "assignee", "a", nil, "Assign people by their `login`. Use \"@me\" to self-assign.")
 	fl.StringSliceVarP(&opts.Labels, "label", "l", nil, "Add labels by `name`")
-	fl.StringSliceVarP(&opts.Projects, "project", "p", nil, "Add the pull request to projects by `name`")
+	fl.StringSliceVarP(&opts.Projects, "project", "p", nil, "Add the pull request to projects by `title`")
 	fl.StringVarP(&opts.Milestone, "milestone", "m", "", "Add the pull request to a milestone by `name`")
 	fl.Bool("no-maintainer-edit", false, "Disable maintainer's ability to modify pull request")
 	fl.StringVar(&opts.RecoverFile, "recover", "", "Recover input from a failed run of create")
diff --git a/pkg/cmd/pr/edit/edit.go b/pkg/cmd/pr/edit/edit.go
index 9dc19001189..3c8d73ad393 100644
--- a/pkg/cmd/pr/edit/edit.go
+++ b/pkg/cmd/pr/edit/edit.go
@@ -161,8 +161,8 @@ func NewCmdEdit(f *cmdutil.Factory, runF func(*EditOptions) error) *cobra.Comman
 	cmd.Flags().StringSliceVar(&opts.Editable.Assignees.Remove, "remove-assignee", nil, "Remove assigned users by their `login`. Use \"@me\" to unassign yourself.")
 	cmd.Flags().StringSliceVar(&opts.Editable.Labels.Add, "add-label", nil, "Add labels by `name`")
 	cmd.Flags().StringSliceVar(&opts.Editable.Labels.Remove, "remove-label", nil, "Remove labels by `name`")
-	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the pull request to projects by `name`")
-	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the pull request from projects by `name`")
+	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Add, "add-project", nil, "Add the pull request to projects by `title`")
+	cmd.Flags().StringSliceVar(&opts.Editable.Projects.Remove, "remove-project", nil, "Remove the pull request from projects by `title`")
 	cmd.Flags().StringVarP(&opts.Editable.Milestone.Value, "milestone", "m", "", "Edit the milestone the pull request belongs to by `name`")
 	cmd.Flags().BoolVar(&removeMilestone, "remove-milestone", false, "Remove the milestone association from the pull request")
 

From ac77d6750dcd148c0b58665987132e28ee56aaf0 Mon Sep 17 00:00:00 2001
From: Yukai Chou <muzimuzhi@gmail.com>
Date: Sat, 10 Aug 2024 10:20:53 +0800
Subject: [PATCH 227/253] Wrap flags with backticks, continued

---
 pkg/cmd/repo/view/view.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/repo/view/view.go b/pkg/cmd/repo/view/view.go
index 136384152a8..d0370203a60 100644
--- a/pkg/cmd/repo/view/view.go
+++ b/pkg/cmd/repo/view/view.go
@@ -45,13 +45,15 @@ func NewCmdView(f *cmdutil.Factory, runF func(*ViewOptions) error) *cobra.Comman
 	cmd := &cobra.Command{
 		Use:   "view [<repository>]",
 		Short: "View a repository",
-		Long: `Display the description and the README of a GitHub repository.
+		Long: heredoc.Docf(`
+			Display the description and the README of a GitHub repository.
 
-With no argument, the repository for the current directory is displayed.
+			With no argument, the repository for the current directory is displayed.
 
-With '--web', open the repository in a web browser instead.
+			With %[1]s--web%[1]s, open the repository in a web browser instead.
 
-With '--branch', view a specific branch of the repository.`,
+			With %[1]s--branch%[1]s, view a specific branch of the repository.
+		`, "`"),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(c *cobra.Command, args []string) error {
 			if len(args) > 0 {

From b36b39df60f1d87c26f33a612d5e5881e125c5ca Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 10 Aug 2024 21:29:22 +0100
Subject: [PATCH 228/253] Explain why not looking for signature begin marker

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/cmd/release/create/create.go b/pkg/cmd/release/create/create.go
index 412c93328fe..581255c81cf 100644
--- a/pkg/cmd/release/create/create.go
+++ b/pkg/cmd/release/create/create.go
@@ -528,6 +528,12 @@ func gitTagInfo(client *git.Client, tagName string) (string, error) {
 		return "", err
 	}
 
+	// If there is a signature, we should strip it from the end of the content.
+	// Note that, we can achieve this by looking for markers like "-----BEGIN PGP
+	// SIGNATURE-----" and cut the remaining text from the content, but this is
+	// not a safe approach, because, although unlikely, the content can contain
+	// a signature-like section which we shouldn't leave it as is. So, we need
+	// to get the tag signature as a whole, if any, and remote it from the content.
 	signatureCmd, err := client.Command(context.Background(), "tag", "--list", tagName, "--format=%(contents:signature)")
 	if err != nil {
 		return "", err

From 668dbcefc68bf1b246b75d86b52e75160fc0cd52 Mon Sep 17 00:00:00 2001
From: "Babak K. Shandiz" <babak.k.shandiz@gmail.com>
Date: Sat, 10 Aug 2024 21:50:31 +0100
Subject: [PATCH 229/253] Add test cases for PGP, SSH and X.509 signatures

Signed-off-by: Babak K. Shandiz <babak.k.shandiz@gmail.com>
---
 pkg/cmd/release/create/create_test.go | 34 +++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/pkg/cmd/release/create/create_test.go b/pkg/cmd/release/create/create_test.go
index 6dd2b484459..85c1c3f3f02 100644
--- a/pkg/cmd/release/create/create_test.go
+++ b/pkg/cmd/release/create/create_test.go
@@ -1750,20 +1750,44 @@ func Test_gitTagInfo(t *testing.T) {
 			wantResult: "some\nmultiline\ncontent",
 		},
 		{
-			name: "with signature",
+			name: "with signature (PGP)",
 			runStubs: func(cs *run.CommandStubber) {
-				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
-				cs.Register(signatureCmd, 0, "-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN PGP SIGNATURE-----\n\nfoo\n-----END PGP SIGNATURE-----")
+				cs.Register(signatureCmd, 0, "-----BEGIN PGP SIGNATURE-----\n\nfoo\n-----END PGP SIGNATURE-----")
+			},
+			wantResult: "some\nmultiline\ncontent",
+		},
+		{
+			name: "with signature (PGP, RFC1991)",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN PGP MESSAGE-----\n\nfoo\n-----END PGP MESSAGE-----")
+				cs.Register(signatureCmd, 0, "-----BEGIN PGP MESSAGE-----\n\nfoo\n-----END PGP MESSAGE-----")
+			},
+			wantResult: "some\nmultiline\ncontent",
+		},
+		{
+			name: "with signature (SSH)",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SSH SIGNATURE-----\nfoo\n-----END SSH SIGNATURE-----")
+				cs.Register(signatureCmd, 0, "-----BEGIN SSH SIGNATURE-----\nfoo\n-----END SSH SIGNATURE-----")
+			},
+			wantResult: "some\nmultiline\ncontent",
+		},
+		{
+			name: "with signature (X.509)",
+			runStubs: func(cs *run.CommandStubber) {
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SIGNED MESSAGE-----\nfoo\n-----END SIGNED MESSAGE-----")
+				cs.Register(signatureCmd, 0, "-----BEGIN SIGNED MESSAGE-----\nfoo\n-----END SIGNED MESSAGE-----")
 			},
 			wantResult: "some\nmultiline\ncontent",
 		},
 		{
 			name: "with signature in content but not as true signature",
 			runStubs: func(cs *run.CommandStubber) {
-				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----")
+				cs.Register(contentCmd, 0, "some\nmultiline\ncontent\n-----BEGIN PGP SIGNATURE-----\n\nfoo\n-----END PGP SIGNATURE-----")
 				cs.Register(signatureCmd, 0, "")
 			},
-			wantResult: "some\nmultiline\ncontent\n-----BEGIN SIGNATURE-----\nfoo\n-----END SIGNATURE-----",
+			wantResult: "some\nmultiline\ncontent\n-----BEGIN PGP SIGNATURE-----\n\nfoo\n-----END PGP SIGNATURE-----",
 		},
 		{
 			name: "error getting content",

From 81e7ecdfc135854c2609f769c4b47251da80b78e Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Mon, 12 Aug 2024 15:05:52 +0200
Subject: [PATCH 230/253] prompt to select a repo in interactive mode

---
 pkg/cmd/secret/set/set.go    | 29 +++++++++++++++++++++++------
 pkg/cmd/variable/set/set.go  | 29 +++++++++++++++++++++++------
 pkg/cmdutil/flags.go         |  8 ++++++++
 pkg/cmdutil/repo_override.go | 33 +++++++++++++++++++++++++++++++++
 4 files changed, 87 insertions(+), 12 deletions(-)

diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index dade133af2a..9f37970080d 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/base64"
 	"fmt"
+	"github.com/cli/cli/v2/internal/prompter"
 	"io"
 	"net/http"
 	"os"
@@ -29,7 +30,7 @@ type SetOptions struct {
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Remotes    func() (ghContext.Remotes, error)
-	Prompter   iprompter
+	Prompter   prompter.Prompter
 
 	RandomOverride func() io.Reader
 
@@ -45,10 +46,7 @@ type SetOptions struct {
 	Application     string
 
 	HasRepoOverride bool
-}
-
-type iprompter interface {
-	Password(string) (string, error)
+	Interactive     bool
 }
 
 func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command {
@@ -82,6 +80,9 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 			# Read secret value from an environment variable
 			$ gh secret set MYSECRET --body "$ENV_VALUE"
 
+			# Set secret for a specific remote repository
+			$ gh secret set MYSECRET --repo origin/repo --body "$ENV_VALUE"
+
 			# Read secret value from a file
 			$ gh secret set MYSECRET < myfile.txt
 
@@ -111,6 +112,8 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 			// support `-R, --repo` override
 			opts.BaseRepo = f.BaseRepo
 
+			flagCount := cmdutil.CountSetFlags(cmd.Flags())
+
 			if err := cmdutil.MutuallyExclusive("specify only one of `--org`, `--env`, or `--user`", opts.OrgName != "", opts.EnvName != "", opts.UserSecrets); err != nil {
 				return err
 			}
@@ -129,6 +132,10 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 				}
 			} else {
 				opts.SecretName = args[0]
+
+				if flagCount == 0 {
+					opts.Interactive = true
+				}
 			}
 
 			if cmd.Flags().Changed("visibility") {
@@ -197,7 +204,17 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			return err
+			if opts.Interactive {
+				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
+
+				if errSelectedRepo != nil {
+					return errSelectedRepo
+				}
+
+				baseRepo = selectedRepo
+			} else {
+				return err
+			}
 		}
 
 		host = baseRepo.RepoHost()
diff --git a/pkg/cmd/variable/set/set.go b/pkg/cmd/variable/set/set.go
index 55f74666f9b..ab5e8e21444 100644
--- a/pkg/cmd/variable/set/set.go
+++ b/pkg/cmd/variable/set/set.go
@@ -3,6 +3,7 @@ package set
 import (
 	"bytes"
 	"fmt"
+	"github.com/cli/cli/v2/internal/prompter"
 	"io"
 	"net/http"
 	"os"
@@ -21,17 +22,13 @@ import (
 	"github.com/spf13/cobra"
 )
 
-type iprompter interface {
-	Input(string, string) (string, error)
-}
-
 type SetOptions struct {
 	HttpClient func() (*http.Client, error)
 	IO         *iostreams.IOStreams
 	Config     func() (gh.Config, error)
 	BaseRepo   func() (ghrepo.Interface, error)
 	Remotes    func() (ghContext.Remotes, error)
-	Prompter   iprompter
+	Prompter   prompter.Prompter
 
 	VariableName    string
 	OrgName         string
@@ -42,6 +39,7 @@ type SetOptions struct {
 	EnvFile         string
 
 	HasRepoOverride bool
+	Interactive     bool
 }
 
 func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command {
@@ -72,6 +70,9 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 			# Read variable value from an environment variable
 			$ gh variable set MYVARIABLE --body "$ENV_VALUE"
 
+			# Set secret for a specific remote repository
+			$ gh variable set MYVARIABLE --repo origin/repo --body "$ENV_VALUE"
+
 			# Read variable value from a file
 			$ gh variable set MYVARIABLE < myfile.txt
 
@@ -92,6 +93,8 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 			// support `-R, --repo` override
 			opts.BaseRepo = f.BaseRepo
 
+			flagCount := cmdutil.CountSetFlags(cmd.Flags())
+
 			if err := cmdutil.MutuallyExclusive("specify only one of `--org` or `--env`", opts.OrgName != "", opts.EnvName != ""); err != nil {
 				return err
 			}
@@ -106,6 +109,10 @@ func NewCmdSet(f *cmdutil.Factory, runF func(*SetOptions) error) *cobra.Command
 				}
 			} else {
 				opts.VariableName = args[0]
+
+				if flagCount == 0 {
+					opts.Interactive = true
+				}
 			}
 
 			if cmd.Flags().Changed("visibility") {
@@ -171,7 +178,17 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			return err
+			if opts.Interactive {
+				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
+
+				if errSelectedRepo != nil {
+					return errSelectedRepo
+				}
+
+				baseRepo = selectedRepo
+			} else {
+				return err
+			}
 		}
 
 		host = baseRepo.RepoHost()
diff --git a/pkg/cmdutil/flags.go b/pkg/cmdutil/flags.go
index c0064099cdd..fadbc5fbed7 100644
--- a/pkg/cmdutil/flags.go
+++ b/pkg/cmdutil/flags.go
@@ -180,3 +180,11 @@ func isIncluded(value string, opts []string) bool {
 	}
 	return false
 }
+
+func CountSetFlags(flags *pflag.FlagSet) int {
+	count := 0
+	flags.Visit(func(f *pflag.Flag) {
+		count++
+	})
+	return count
+}
diff --git a/pkg/cmdutil/repo_override.go b/pkg/cmdutil/repo_override.go
index 791dd919a21..41a4a47998a 100644
--- a/pkg/cmdutil/repo_override.go
+++ b/pkg/cmdutil/repo_override.go
@@ -1,11 +1,13 @@
 package cmdutil
 
 import (
+	ghContext "github.com/cli/cli/v2/context"
 	"os"
 	"sort"
 	"strings"
 
 	"github.com/cli/cli/v2/internal/ghrepo"
+	"github.com/cli/cli/v2/internal/prompter"
 	"github.com/spf13/cobra"
 )
 
@@ -68,3 +70,34 @@ func OverrideBaseRepoFunc(f *Factory, override string) func() (ghrepo.Interface,
 	}
 	return f.BaseRepo
 }
+
+func PromptForRepo(baseRepo ghrepo.Interface, remotes func() (ghContext.Remotes, error), survey prompter.Prompter) (ghrepo.Interface, error) {
+	var defaultRepo string
+	var remoteArray []string
+
+	if remotes, _ := remotes(); remotes != nil {
+		if defaultRemote, _ := remotes.ResolvedRemote(); defaultRemote != nil {
+			// this is a remote explicitly chosen via `repo set-default`
+			defaultRepo = ghrepo.FullName(defaultRemote)
+		} else if len(remotes) > 0 {
+			// as a fallback, just pick the first remote
+			defaultRepo = ghrepo.FullName(remotes[0])
+		}
+
+		for _, remote := range remotes {
+			remoteArray = append(remoteArray, ghrepo.FullName(remote))
+		}
+	}
+
+	baseRepoInput, errInput := survey.Select("Select a base repo", defaultRepo, remoteArray)
+	if errInput != nil {
+		return baseRepo, errInput
+	}
+
+	selectedRepo, errSelectedRepo := ghrepo.FromFullName(remoteArray[baseRepoInput])
+	if errSelectedRepo != nil {
+		return baseRepo, errSelectedRepo
+	}
+
+	return selectedRepo, nil
+}

From df723bdb3933b94d32d92dae47c9faf9544d8cd0 Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Mon, 12 Aug 2024 15:20:00 +0200
Subject: [PATCH 231/253] fix lint

---
 pkg/cmd/variable/list/list_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/variable/list/list_test.go b/pkg/cmd/variable/list/list_test.go
index d4cfcdbac9c..f71220e9693 100644
--- a/pkg/cmd/variable/list/list_test.go
+++ b/pkg/cmd/variable/list/list_test.go
@@ -528,9 +528,9 @@ func Test_listRunRemoteValidation(t *testing.T) {
 			t1, _ := time.Parse("2006-01-02", "2020-12-04")
 			t2, _ := time.Parse("2006-01-02", "1975-11-30")
 			payload := struct {
-				Variables []Variable
+				Variables []shared.Variable
 			}{
-				Variables: []Variable{
+				Variables: []shared.Variable{
 					{
 						Name:      "VARIABLE_ONE",
 						Value:     "one",

From 369a105c45dc0b99dafca5c39290a1ed2f7bdfc9 Mon Sep 17 00:00:00 2001
From: Andy Feller <andyfeller@github.com>
Date: Mon, 12 Aug 2024 10:00:37 -0400
Subject: [PATCH 232/253] Minor grammatical fix

---
 pkg/cmd/issue/create/create.go | 2 +-
 pkg/cmd/pr/create/create.go    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/issue/create/create.go b/pkg/cmd/issue/create/create.go
index 1af25180f82..a5119cb5467 100644
--- a/pkg/cmd/issue/create/create.go
+++ b/pkg/cmd/issue/create/create.go
@@ -122,7 +122,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	cmd.Flags().StringVarP(&opts.Title, "title", "t", "", "Supply a title. Will prompt for one otherwise.")
 	cmd.Flags().StringVarP(&opts.Body, "body", "b", "", "Supply a body. Will prompt for one otherwise.")
 	cmd.Flags().StringVarP(&bodyFile, "body-file", "F", "", "Read body text from `file` (use \"-\" to read from standard input)")
-	cmd.Flags().BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the rest text is the body.")
+	cmd.Flags().BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the remaining text is the body.")
 	cmd.Flags().BoolVarP(&opts.WebMode, "web", "w", false, "Open the browser to create an issue")
 	cmd.Flags().StringSliceVarP(&opts.Assignees, "assignee", "a", nil, "Assign people by their `login`. Use \"@me\" to self-assign.")
 	cmd.Flags().StringSliceVarP(&opts.Labels, "label", "l", nil, "Add labels by `name`")
diff --git a/pkg/cmd/pr/create/create.go b/pkg/cmd/pr/create/create.go
index d854002022a..8c91713a163 100644
--- a/pkg/cmd/pr/create/create.go
+++ b/pkg/cmd/pr/create/create.go
@@ -230,7 +230,7 @@ func NewCmdCreate(f *cmdutil.Factory, runF func(*CreateOptions) error) *cobra.Co
 	fl.StringVarP(&bodyFile, "body-file", "F", "", "Read body text from `file` (use \"-\" to read from standard input)")
 	fl.StringVarP(&opts.BaseBranch, "base", "B", "", "The `branch` into which you want your code merged")
 	fl.StringVarP(&opts.HeadBranch, "head", "H", "", "The `branch` that contains commits for your pull request (default [current branch])")
-	fl.BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the rest text is the body.")
+	fl.BoolVarP(&opts.EditorMode, "editor", "e", false, "Skip prompts and open the text editor to write the title and body in. The first line is the title and the remaining text is the body.")
 	fl.BoolVarP(&opts.WebMode, "web", "w", false, "Open the web browser to create a pull request")
 	fl.BoolVarP(&opts.FillVerbose, "fill-verbose", "", false, "Use commits msg+body for description")
 	fl.BoolVarP(&opts.Autofill, "fill", "f", false, "Use commit info for title and body")

From da43f6e47692035eef91841906ecdb0ad1517e4d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:00:14 +0000
Subject: [PATCH 233/253] build(deps): bump actions/attest-build-provenance
 from 1.4.0 to 1.4.1

Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1.4.0 to 1.4.1.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/210c1913531870065f03ce1f9440dd87bc0938cd...310b0a4a3b0b78ef57ecda988ee04b132db73ef8)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deployment.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index 564eb647cfd..51b47e6d8b5 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -299,7 +299,7 @@ jobs:
           rpmsign --addsign dist/*.rpm
       - name: Attest release artifacts
         if: inputs.environment == 'production'
-        uses: actions/attest-build-provenance@210c1913531870065f03ce1f9440dd87bc0938cd # v1.4.0
+        uses: actions/attest-build-provenance@310b0a4a3b0b78ef57ecda988ee04b132db73ef8 # v1.4.1
         with:
           subject-path: "dist/gh_*"
       - name: Run createrepo

From e5248b8fd44470f08402d72028fc69de881595c3 Mon Sep 17 00:00:00 2001
From: Tyler McGoffin <jtmcg@github.com>
Date: Mon, 12 Aug 2024 14:16:09 -0700
Subject: [PATCH 234/253] Update `gh search prs --project` flag doc to specify
 `owner/number` syntax

There are no code changes required to make this work. I added a test
specifying `<owner>/<number>` and nothing failed. Any syntax issues are
returned by the api with a generic message:

```
Invalid search query "project:\"<string>\" type:pr".
An invalid project was specified.
```

This, combined with the updated docstring, should be sufficient for users
to troubleshoot any issues with the `--project` flag syntax
---
 pkg/cmd/search/prs/prs.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/search/prs/prs.go b/pkg/cmd/search/prs/prs.go
index 32565a580e8..fa00677e613 100644
--- a/pkg/cmd/search/prs/prs.go
+++ b/pkg/cmd/search/prs/prs.go
@@ -168,7 +168,7 @@ func NewCmdPrs(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *cobr
 	cmd.Flags().BoolVar(&noLabel, "no-label", false, "Filter on missing label")
 	cmd.Flags().BoolVar(&noMilestone, "no-milestone", false, "Filter on missing milestone")
 	cmd.Flags().BoolVar(&noProject, "no-project", false, "Filter on missing project")
-	cmd.Flags().StringVar(&opts.Query.Qualifiers.Project, "project", "", "Filter on project board `number`")
+	cmd.Flags().StringVar(&opts.Query.Qualifiers.Project, "project", "", "Filter on project board `owner/number`")
 	cmd.Flags().StringVar(&opts.Query.Qualifiers.Reactions, "reactions", "", "Filter on `number` of reactions")
 	cmd.Flags().StringSliceVarP(&opts.Query.Qualifiers.Repo, "repo", "R", nil, "Filter on repository")
 	cmdutil.StringEnumFlag(cmd, &opts.Query.Qualifiers.State, "state", "", "", []string{"open", "closed"}, "Filter based on state")

From c838da9ee1f0ffa4e764761dc90b46accd6f0da5 Mon Sep 17 00:00:00 2001
From: Tyler McGoffin <jtmcg@github.com>
Date: Mon, 12 Aug 2024 14:36:56 -0700
Subject: [PATCH 235/253] Update `gh search issues --project` flag doc to
 specify `owner/number` syntax

There are no code changes required to make this work. I added a test
specifying `<owner>/<number>` and nothing failed. Any syntax issues are
returned by the api with a generic message:

```
Invalid search query "project:\"<string>\" type:issue".
An invalid project was specified.
```

This, combined with the updated docstring, should be sufficient for users
to troubleshoot any issues with the `--project` flag syntax
---
 pkg/cmd/search/issues/issues.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/search/issues/issues.go b/pkg/cmd/search/issues/issues.go
index a8be32f71ed..793eecc6198 100644
--- a/pkg/cmd/search/issues/issues.go
+++ b/pkg/cmd/search/issues/issues.go
@@ -157,7 +157,7 @@ func NewCmdIssues(f *cmdutil.Factory, runF func(*shared.IssuesOptions) error) *c
 	cmd.Flags().BoolVar(&noLabel, "no-label", false, "Filter on missing label")
 	cmd.Flags().BoolVar(&noMilestone, "no-milestone", false, "Filter on missing milestone")
 	cmd.Flags().BoolVar(&noProject, "no-project", false, "Filter on missing project")
-	cmd.Flags().StringVar(&opts.Query.Qualifiers.Project, "project", "", "Filter on project board `number`")
+	cmd.Flags().StringVar(&opts.Query.Qualifiers.Project, "project", "", "Filter on project board `owner/number`")
 	cmd.Flags().StringVar(&opts.Query.Qualifiers.Reactions, "reactions", "", "Filter on `number` of reactions")
 	cmd.Flags().StringSliceVarP(&opts.Query.Qualifiers.Repo, "repo", "R", nil, "Filter on repository")
 	cmdutil.StringEnumFlag(cmd, &opts.Query.Qualifiers.State, "state", "", "", []string{"open", "closed"}, "Filter based on state")

From 025dcc8e959d04e6017113dc5cf600c8e0839bff Mon Sep 17 00:00:00 2001
From: bagtoad <47394200+BagToad@users.noreply.github.com>
Date: Wed, 14 Aug 2024 10:20:41 -0600
Subject: [PATCH 236/253] Use latest checkout version, generate attestations,
 and specify go version file input.

---
 pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml    | 5 ++++-
 pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml b/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
index dfda64d0e8f..9557f7200c2 100644
--- a/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
+++ b/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
@@ -10,5 +10,8 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: cli/gh-extension-precompile@v1
+        with:
+          generate_attestations: true
+          go_version_file: go.mod
diff --git a/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml b/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
index 5b7c867a102..60669be0836 100644
--- a/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
+++ b/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
@@ -10,7 +10,8 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: cli/gh-extension-precompile@v1
         with:
           build_script_override: "script/build.sh"
+          generate_attestations: true

From 820f4f34694ddfeba8f6719e863419d53dc5c956 Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Wed, 14 Aug 2024 12:02:11 -0600
Subject: [PATCH 237/253] Do not generate build attestations for
 otherBinWorkflow.yml

---
 pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml b/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
index 60669be0836..78ba05171c8 100644
--- a/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
+++ b/pkg/cmd/extension/ext_tmpls/otherBinWorkflow.yml
@@ -14,4 +14,3 @@ jobs:
       - uses: cli/gh-extension-precompile@v1
         with:
           build_script_override: "script/build.sh"
-          generate_attestations: true

From 0835642d3f94d1d87da3fbc005c6c8d42a072679 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:35:19 -0700
Subject: [PATCH 238/253] build(deps): bump github.com/creack/pty from 1.1.21
 to 1.1.23 (#9459)

Bumps [github.com/creack/pty](https://github.com/creack/pty) from 1.1.21 to 1.1.23.
- [Release notes](https://github.com/creack/pty/releases)
- [Commits](https://github.com/creack/pty/compare/v1.1.21...v1.1.23)

---
updated-dependencies:
- dependency-name: github.com/creack/pty
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 96935c68e0f..68d87c03411 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/cli/oauth v1.0.1
 	github.com/cli/safeexec v1.0.1
 	github.com/cpuguy83/go-md2man/v2 v2.0.4
-	github.com/creack/pty v1.1.21
+	github.com/creack/pty v1.1.23
 	github.com/distribution/reference v0.5.0
 	github.com/gabriel-vasile/mimetype v1.4.5
 	github.com/gdamore/tcell/v2 v2.5.4
diff --git a/go.sum b/go.sum
index 11eeb541122..1ed19f12cb7 100644
--- a/go.sum
+++ b/go.sum
@@ -112,8 +112,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
-github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
+github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 h1:vU+EP9ZuFUCYE0NYLwTSob+3LNEJATzNfP/DC7SWGWI=
 github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=

From 5b7070f027aa7537a869dc6456640e159a303f95 Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Wed, 14 Aug 2024 15:16:45 -0600
Subject: [PATCH 239/253] include required permissions to generate attestations

---
 pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml b/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
index 9557f7200c2..080019c2a91 100644
--- a/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
+++ b/pkg/cmd/extension/ext_tmpls/goBinWorkflow.yml
@@ -5,6 +5,8 @@ on:
       - "v*"
 permissions:
   contents: write
+  id-token: write
+  attestations: write
 
 jobs:
   release:

From 4618a267de22bea9f348f04e591a1d32c7b0d18c Mon Sep 17 00:00:00 2001
From: Cody Soyland <codysoyland@github.com>
Date: Thu, 15 Aug 2024 13:06:54 -0400
Subject: [PATCH 240/253] Update attestation TUF root

Signed-off-by: Cody Soyland <codysoyland@github.com>
---
 .../embed/tuf-repo.github.com/root.json       | 326 +++++++++---------
 1 file changed, 165 insertions(+), 161 deletions(-)

diff --git a/pkg/cmd/attestation/verification/embed/tuf-repo.github.com/root.json b/pkg/cmd/attestation/verification/embed/tuf-repo.github.com/root.json
index 2990a2665fd..0d20e8f504d 100644
--- a/pkg/cmd/attestation/verification/embed/tuf-repo.github.com/root.json
+++ b/pkg/cmd/attestation/verification/embed/tuf-repo.github.com/root.json
@@ -1,163 +1,167 @@
 {
-    "signatures": [
-        {
-            "keyid": "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
-            "sig": "304402203c8f5f7443f7052923e82f9ca0b1bb61a33498444076a2f43e1285a47f6e562d022014de99a7e5413440896b6804944e3c49390cfe6e617211b8dc42a8e67675bc13"
-        },
-        {
-            "keyid": "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
-            "sig": "3044022009a20307f974af7e05cc9564eea497f45062e3b21272d1062713b3d22c868298022059d032ad973a28bdbd03959cf96b21398b6b6e2ca618c17ce6c13712246343a2"
-        },
-        {
-            "keyid": "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
-            "sig": "3045022100edd270d36d0c8468b9a1f2ef1c81a270c72ffd50c65bca0ed1ebd424df09f64b022002b27ffafd7bc5bdfc25281b5b9b597cf2d67d4eeb4af2ff45eb3e666b860c21"
-        },
-        {
-            "keyid": "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
-            "sig": "30460221008d7d95434e576d5876b2db30fd645505ca546618bbc7a8e4b39f64e6a36df9ad022100c00a5294e4ddd02d48d28918b87a06bdfdeccd0618ecdcec29bb2597a05fe474"
-        },
-        {
-            "keyid": "5e01c9a0b2641a8965a4a74e7df0bc7b2d8278a2c3ca0cf7a3f2f783d3c69800",
-            "sig": "30450220215fb3d19d94560a3a2a6067a71c92daf867d13700c9500c4c32d8009a48a634022100df9fb6cee786313bf6c363daac4de39b3dd531f211f81d2391c41bd2d0f91a80"
-        },
-        {
-            "keyid": "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
-            "sig": "304502204091ac5e61b6462d262ecc8442781dd09843bed39942a95a4884c8c6a2c212ef022100dcee86392748f48950d04d539ac1a6643ed1f0b4bd6856f8aeb5a135826c846f"
-        },
-        {
-            "keyid": "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
-            "sig": "30460221009188548601a43b501223caeefca4876ae892e18a85c885004b4c8aeeb05a4421022100abdcc72d94597f8297d6297897ff96f285168dbe6b3d57f846dbc7a2948d2935"
-        },
-        {
-            "keyid": "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
-            "sig": "3046022100b440561545d48759dc4140cda9f8af7c9405a101d6136dd0a26edd6562b7064f022100cafa917ed90350494e47d226b64a8ec63ef5ceebb8ba4d2dec2ce018e4ad402a"
-        }
+ "signatures": [
+  {
+   "keyid": "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
+   "sig": ""
+  },
+  {
+   "keyid": "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
+   "sig": ""
+  },
+  {
+   "keyid": "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
+   "sig": ""
+  },
+  {
+   "keyid": "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
+   "sig": "3046022100ca341d3ba2ef7657d69c2825729959681f55aec497b612e81a547e2abb616b49022100cd605b412a3d991f92e0818e07e60383bbd23904723eec221d6e39fdfeae3104"
+  },
+  {
+   "keyid": "5e01c9a0b2641a8965a4a74e7df0bc7b2d8278a2c3ca0cf7a3f2f783d3c69800",
+   "sig": "3046022100d0f70effe60d6a18319e2890088cd01d45c654ee6d2ce1d5c3cdcf2dc7f637570221008f947a2d7334d948f1c4794b0a465f1dfb99a578dd8d1f4563cee0581f457db2"
+  },
+  {
+   "keyid": "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44",
+   "sig": "304502201ae931db1c48020fb37af54d446ac856306f619dfc3f93ddcff70d2880e443dc022100992b70451aa74805adef24e85ec352e598812267f623979bd4ce719b66b62d22"
+  },
+  {
+   "keyid": "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
+   "sig": "3045022023bba8e14c177609f43873aa0087ef983ddd2bad9a0a832c0cf279e1be8798f2022100facfaecc1d7ee793042eaaa6970fb9ca700c3bdbf4ee43ed0f8d0fc3aef96563"
+  },
+  {
+   "keyid": "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
+   "sig": "3046022100d2f6cceb05d135ce6a6ce7fe1dc76c24508154ad71c433028e64ca95ba716ffb022100f0592d60eb67508dd5f9cc593a4cca33bbaf94882c3d74a560fda845a456c6cc"
+  },
+  {
+   "keyid": "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
+   "sig": "30450221009af2f0c534ed92de909a3b727f7101319c18e10623de8f48a0eba980d3d54d830220095842b16c58567c71f9dfa0b54e79daca1b2fecf3cb2ea4ee6d8393bdf93294"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2025-04-11T14:36:57Z",
+  "keys": {
+   "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENki7aZVips5SgRzCd/Om0CGzQKY/\nnv84giqVDmdwb2ys82Z6soFLasvYYEEQcwqaC170n9gr93wHUgPc796uJA==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@ashtom"
+   },
+   "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElD0o2sOZN9n3RKQ7PtMLAoXj+2Ai\nn4PKT/pfnzDlNLrD3VTQwCc4sR4t+OLu4KQ+qk+kXkR9YuBsu3bdJZ1OWw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@nerdneha"
+   },
+   "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEimKcdST+ORD+g0aGEFDOVZDAaIYg\nIgesNKiIe2L7MUsYx5UHhzQ08quvew13eYSCNJnfwooFZu7cdTu8AwqFjQ==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@alexiswales"
+   },
+   "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBagkskNOpOTbetTX5CdnvMy+LiWn\nonRrNrqAHL4WgiebH7Uig7GLhC3bkeA/qgb926/vr9qhOPG9Buj2HatrPw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@gregose"
+   },
+   "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7IEoVNwrprchXGhT5sAhSax7SOd3\n8duuISghCzfmHdKJWSbV2wJRamRiUVRtmA83K/qm5cT20WXMCT5QeM/D3A==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@trevrosen"
+   },
+   "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC2wJ3xscyXxBLybJ9FVjwkyQMe53\nRHUz77AjMO8MzVaT8xw6ZvJqdNZiytYtigWULlINxw6frNsWJKb/f7lC8A==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@kommendorkapten"
+   },
+   "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDdORwcruW3gqAgaLjH/nNdGMB4kQ\nAvA+wD6DyO4P/wR8ee2ce83NZHq1ZADKhve0rlYKaKy3CqyQ5SmlZ36Zhw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@krukow"
+   },
+   "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENynVdQnM9h7xU71G7PiJpQaDemub\nkbjsjYwLlPJTQVuxQO8WeIpJf8MEh5rf01t2dDIuCsZ5gRx+QvDv0UzfsA==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@mph4"
+   },
+   "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENKNcNcX+d73lS1TRFb9Vnp8JvOoh\nzYQ+in43iGenbG8RGo9L/6FJ2hoRbVU6xskvyuErcdPbCdI4GxrQ5i8hkw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "azurekms://production-tuf-root.vault.azure.net/keys/Online-Key/aaf375fd8ed24acb949a5cc173700b05"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
+     "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
+     "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
+     "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
+     "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
+     "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
+     "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
+     "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44"
     ],
-    "signed": {
-        "_type": "root",
-        "consistent_snapshot": true,
-        "expires": "2024-06-23T08:29:18Z",
-        "keys": {
-            "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENki7aZVips5SgRzCd/Om0CGzQKY/\nnv84giqVDmdwb2ys82Z6soFLasvYYEEQcwqaC170n9gr93wHUgPc796uJA==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@ashtom"
-            },
-            "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElD0o2sOZN9n3RKQ7PtMLAoXj+2Ai\nn4PKT/pfnzDlNLrD3VTQwCc4sR4t+OLu4KQ+qk+kXkR9YuBsu3bdJZ1OWw==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@nerdneha"
-            },
-            "5e01c9a0b2641a8965a4a74e7df0bc7b2d8278a2c3ca0cf7a3f2f783d3c69800": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC9RNAsuDCNO6T7qA7Y5F8orw2tIW\nr7rUr4ffxvzTMrbkVtjR/trtE0q0+T0zQ8TWLyI6EYMwb947ej2ItfkOyA==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@jacobdepriest"
-            },
-            "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBagkskNOpOTbetTX5CdnvMy+LiWn\nonRrNrqAHL4WgiebH7Uig7GLhC3bkeA/qgb926/vr9qhOPG9Buj2HatrPw==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@gregose"
-            },
-            "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7IEoVNwrprchXGhT5sAhSax7SOd3\n8duuISghCzfmHdKJWSbV2wJRamRiUVRtmA83K/qm5cT20WXMCT5QeM/D3A==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@trevrosen"
-            },
-            "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC2wJ3xscyXxBLybJ9FVjwkyQMe53\nRHUz77AjMO8MzVaT8xw6ZvJqdNZiytYtigWULlINxw6frNsWJKb/f7lC8A==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@kommendorkapten"
-            },
-            "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDdORwcruW3gqAgaLjH/nNdGMB4kQ\nAvA+wD6DyO4P/wR8ee2ce83NZHq1ZADKhve0rlYKaKy3CqyQ5SmlZ36Zhw==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@krukow"
-            },
-            "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENynVdQnM9h7xU71G7PiJpQaDemub\nkbjsjYwLlPJTQVuxQO8WeIpJf8MEh5rf01t2dDIuCsZ5gRx+QvDv0UzfsA==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-keyowner": "@mph4"
-            },
-            "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f": {
-                "keytype": "ecdsa",
-                "keyval": {
-                    "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENKNcNcX+d73lS1TRFb9Vnp8JvOoh\nzYQ+in43iGenbG8RGo9L/6FJ2hoRbVU6xskvyuErcdPbCdI4GxrQ5i8hkw==\n-----END PUBLIC KEY-----\n"
-                },
-                "scheme": "ecdsa-sha2-nistp256",
-                "x-tuf-on-ci-online-uri": "azurekms://production-tuf-root.vault.azure.net/keys/Online-Key/aaf375fd8ed24acb949a5cc173700b05"
-            }
-        },
-        "roles": {
-            "root": {
-                "keyids": [
-                    "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
-                    "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
-                    "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
-                    "5e01c9a0b2641a8965a4a74e7df0bc7b2d8278a2c3ca0cf7a3f2f783d3c69800",
-                    "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
-                    "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
-                    "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
-                    "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a"
-                ],
-                "threshold": 3
-            },
-            "snapshot": {
-                "keyids": [
-                    "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
-                ],
-                "threshold": 1,
-                "x-tuf-on-ci-expiry-period": 21,
-                "x-tuf-on-ci-signing-period": 7
-            },
-            "targets": {
-                "keyids": [
-                    "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
-                    "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
-                    "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
-                    "5e01c9a0b2641a8965a4a74e7df0bc7b2d8278a2c3ca0cf7a3f2f783d3c69800",
-                    "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
-                    "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
-                    "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
-                    "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a"
-                ],
-                "threshold": 3
-            },
-            "timestamp": {
-                "keyids": [
-                    "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
-                ],
-                "threshold": 1,
-                "x-tuf-on-ci-expiry-period": 7,
-                "x-tuf-on-ci-signing-period": 6
-            }
-        },
-        "spec_version": "1.0.31",
-        "version": 1,
-        "x-tuf-on-ci-expiry-period": 240,
-        "x-tuf-on-ci-signing-period": 60
-    }
-}
+    "threshold": 3
+   },
+   "snapshot": {
+    "keyids": [
+     "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 21,
+    "x-tuf-on-ci-signing-period": 7
+   },
+   "targets": {
+    "keyids": [
+     "a10513a5ab61acd0c6b6fbe0504856ead18f3b17c4fabbe3fa848c79a5a187cf",
+     "4f4d1dd75f2d7f3860e3a068d7bed90dec5f0faafcbe1ace7fb7d95d29e07228",
+     "88737ccdac7b49cc237e9aaead81be2a40278b886a693d8149a19cf543f093d3",
+     "d6a89e23fb22801a0d1186bf1bdd007e228f65a8aa9964d24d06cb5fbb0ce91c",
+     "eb8eff37f93af2faaba519f341decec3cecd3eeafcace32966db9723842c8a62",
+     "8b498a80a1b7af188c10c9abdf6aade81d14faaffcde2abcd6063baa673ebd12",
+     "539dde44014c850fe6eeb8b299eb7dae2e1f4bf83454b949e98aa73542cdc65a",
+     "54809115b40137aac01af4b7ac2408c77ea0d58fa4dad48fc3196497d2a26f44"
+    ],
+    "threshold": 3
+   },
+   "timestamp": {
+    "keyids": [
+     "eb9799b483affac9da87ef4c9ea467928415c961349e607e5e6e485679b07f8f"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 7,
+    "x-tuf-on-ci-signing-period": 6
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 3,
+  "x-tuf-on-ci-expiry-period": 240,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}
\ No newline at end of file

From d707102958deda188ddd44f44854dab25394eadb Mon Sep 17 00:00:00 2001
From: Kynan Ware <47394200+BagToad@users.noreply.github.com>
Date: Thu, 15 Aug 2024 11:24:40 -0600
Subject: [PATCH 241/253] Add a note about external contributors to
 `working-with-us.md`

---
 docs/working-with-us.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/working-with-us.md b/docs/working-with-us.md
index b4163350b0c..38326921eac 100644
--- a/docs/working-with-us.md
+++ b/docs/working-with-us.md
@@ -4,6 +4,9 @@ POV: your team at GitHub is interested in shipping a new command in `gh`.
 
 This document outlines the process the CLI team prefers for helping ensure success both for your new feature and the CLI project as a whole.
 
+> [!NOTE]
+> External contributors, please see [CONTRIBUTING.md](/.github/CONTRIBUTING.md).
+
 ## Step 0: Create an extension
 
 Even if you want to see your code merged into `gh`, you should start with [an extension](https://docs.github.com/en/github-cli/github-cli/creating-github-cli-extensions) written in Go and leveraging [go-gh](https://github.com/cli/go-gh). Though `gh` extensions can be written in any language, we treat Go as a first class experience and ship a library of helpers for extensions written in Go.

From 5798eb7c4b40561afff241a61ae59285e025d811 Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Fri, 16 Aug 2024 09:04:57 +0200
Subject: [PATCH 242/253] use default set remote if available

---
 pkg/cmd/factory/default_test.go           |  2 +-
 pkg/cmd/secret/set/set.go                 |  6 +++++-
 pkg/cmd/variable/set/set.go               |  6 +++++-
 pkg/cmdutil/{repo_override.go => repo.go} | 13 ++++++++++++-
 4 files changed, 23 insertions(+), 4 deletions(-)
 rename pkg/cmdutil/{repo_override.go => repo.go} (89%)

diff --git a/pkg/cmd/factory/default_test.go b/pkg/cmd/factory/default_test.go
index 94955bb30ec..481516ac373 100644
--- a/pkg/cmd/factory/default_test.go
+++ b/pkg/cmd/factory/default_test.go
@@ -253,7 +253,7 @@ func Test_SmartBaseRepo(t *testing.T) {
 	}
 }
 
-// Defined in pkg/cmdutil/repo_override.go but test it along with other BaseRepo functions
+// Defined in pkg/cmdutil/repo.go but test it along with other BaseRepo functions
 func Test_OverrideBaseRepo(t *testing.T) {
 	tests := []struct {
 		name        string
diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index 9f37970080d..f7f0f37e141 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -204,7 +204,11 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			if opts.Interactive {
+			defaultRepo := cmdutil.DefaultRepo(opts.Remotes)
+
+			if defaultRepo != nil {
+				baseRepo = defaultRepo
+			} else if opts.Interactive {
 				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
 
 				if errSelectedRepo != nil {
diff --git a/pkg/cmd/variable/set/set.go b/pkg/cmd/variable/set/set.go
index ab5e8e21444..f4afb378756 100644
--- a/pkg/cmd/variable/set/set.go
+++ b/pkg/cmd/variable/set/set.go
@@ -178,7 +178,11 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			if opts.Interactive {
+			defaultRepo := cmdutil.DefaultRepo(opts.Remotes)
+
+			if defaultRepo != nil {
+				baseRepo = defaultRepo
+			} else if opts.Interactive {
 				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
 
 				if errSelectedRepo != nil {
diff --git a/pkg/cmdutil/repo_override.go b/pkg/cmdutil/repo.go
similarity index 89%
rename from pkg/cmdutil/repo_override.go
rename to pkg/cmdutil/repo.go
index 41a4a47998a..f1f7d455d57 100644
--- a/pkg/cmdutil/repo_override.go
+++ b/pkg/cmdutil/repo.go
@@ -71,14 +71,25 @@ func OverrideBaseRepoFunc(f *Factory, override string) func() (ghrepo.Interface,
 	return f.BaseRepo
 }
 
+func DefaultRepo(remotes func() (ghContext.Remotes, error)) ghrepo.Interface {
+	if remotes, _ := remotes(); remotes != nil {
+		if defaultRemote, _ := remotes.ResolvedRemote(); defaultRemote != nil {
+			return defaultRemote.Repo
+		}
+	}
+
+	return nil
+}
+
 func PromptForRepo(baseRepo ghrepo.Interface, remotes func() (ghContext.Remotes, error), survey prompter.Prompter) (ghrepo.Interface, error) {
 	var defaultRepo string
 	var remoteArray []string
+	var selectedRepo ghrepo.Interface
 
 	if remotes, _ := remotes(); remotes != nil {
 		if defaultRemote, _ := remotes.ResolvedRemote(); defaultRemote != nil {
 			// this is a remote explicitly chosen via `repo set-default`
-			defaultRepo = ghrepo.FullName(defaultRemote)
+			return defaultRemote.Repo, nil
 		} else if len(remotes) > 0 {
 			// as a fallback, just pick the first remote
 			defaultRepo = ghrepo.FullName(remotes[0])

From 01f19354f78aacc16a7434ae3764aeb61ad8a76a Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Fri, 16 Aug 2024 09:11:37 +0200
Subject: [PATCH 243/253] add todos for tests

---
 pkg/cmd/secret/set/set_test.go   | 2 ++
 pkg/cmd/variable/set/set_test.go | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/pkg/cmd/secret/set/set_test.go b/pkg/cmd/secret/set/set_test.go
index 68c7624dd25..b1a38e28bf5 100644
--- a/pkg/cmd/secret/set/set_test.go
+++ b/pkg/cmd/secret/set/set_test.go
@@ -549,6 +549,8 @@ func Test_setRun_shouldNotStore(t *testing.T) {
 	assert.Equal(t, "", stderr.String())
 }
 
+// TOOD: add test for getRemote_prompt
+
 func Test_getBody(t *testing.T) {
 	tests := []struct {
 		name    string
diff --git a/pkg/cmd/variable/set/set_test.go b/pkg/cmd/variable/set/set_test.go
index 1428a03c93c..3c56fcf07cf 100644
--- a/pkg/cmd/variable/set/set_test.go
+++ b/pkg/cmd/variable/set/set_test.go
@@ -419,6 +419,8 @@ func Test_setRun_org(t *testing.T) {
 	}
 }
 
+// TOOD: add test for getRemote_prompt
+
 func Test_getBody_prompt(t *testing.T) {
 	ios, _, _, _ := iostreams.Test()
 	ios.SetStdinTTY(true)

From 1886fb46aba416e01e5b6ab43fc8e744342d8fb1 Mon Sep 17 00:00:00 2001
From: Prabhat Kumar Sahu <iprabhatdev@gmail.com>
Date: Sat, 17 Aug 2024 03:00:11 +0530
Subject: [PATCH 244/253] Fix pr checks exit code (#9452)

* Enhance  with exit code documentation

* Add new error message for PR check

* Refine gh pr checks: Add exit code 8

* Update EXIT CODES section format in man page generation
---
 internal/docs/man.go        | 10 ++++++++++
 internal/docs/man_test.go   | 25 +++++++++++++++++++++++++
 pkg/cmd/pr/checks/checks.go |  3 +++
 pkg/cmd/root/help.go        |  1 +
 4 files changed, 39 insertions(+)

diff --git a/internal/docs/man.go b/internal/docs/man.go
index 5ac353a4631..66878d27877 100644
--- a/internal/docs/man.go
+++ b/internal/docs/man.go
@@ -198,6 +198,15 @@ func manPrintJSONFields(buf *bytes.Buffer, command *cobra.Command) {
 	buf.WriteString("\n")
 }
 
+func manPrintExitCodes(buf *bytes.Buffer) {
+	buf.WriteString("# EXIT CODES\n")
+	buf.WriteString("0: Successful execution\n\n")
+	buf.WriteString("1: Error\n\n")
+	buf.WriteString("2: Command canceled\n\n")
+	buf.WriteString("4: Authentication required\n\n")
+	buf.WriteString("NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.\n\n")
+}
+
 func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 	cmd.InitDefaultHelpCmd()
 	cmd.InitDefaultHelpFlag()
@@ -217,6 +226,7 @@ func genMan(cmd *cobra.Command, header *GenManHeader) []byte {
 	manPrintOptions(buf, cmd)
 	manPrintAliases(buf, cmd)
 	manPrintJSONFields(buf, cmd)
+	manPrintExitCodes(buf)
 	if len(cmd.Example) > 0 {
 		buf.WriteString("# EXAMPLE\n")
 		buf.WriteString(fmt.Sprintf("```\n%s\n```\n", cmd.Example))
diff --git a/internal/docs/man_test.go b/internal/docs/man_test.go
index 2a0f6a7f73b..4db6b74590c 100644
--- a/internal/docs/man_test.go
+++ b/internal/docs/man_test.go
@@ -129,6 +129,31 @@ func TestGenManJSONFields(t *testing.T) {
 	checkStringContains(t, output, "baz")
 }
 
+func TestGenManDocExitCodes(t *testing.T) {
+	header := &GenManHeader{
+		Title:   "Project",
+		Section: "1",
+	}
+	cmd := &cobra.Command{
+		Use:   "test-command",
+		Short: "A test command",
+		Long:  "A test command for checking exit codes section",
+	}
+	buf := new(bytes.Buffer)
+	if err := renderMan(cmd, header, buf); err != nil {
+		t.Fatal(err)
+	}
+	output := buf.String()
+
+	// Check for the presence of the exit codes section
+	checkStringContains(t, output, ".SH EXIT CODES")
+	checkStringContains(t, output, "0: Successful execution")
+	checkStringContains(t, output, "1: Error")
+	checkStringContains(t, output, "2: Command canceled")
+	checkStringContains(t, output, "4: Authentication required")
+	checkStringContains(t, output, "NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.")
+}
+
 func TestManPrintFlagsHidesShortDeprecated(t *testing.T) {
 	c := &cobra.Command{}
 	c.Flags().StringP("foo", "f", "default", "Foo flag")
diff --git a/pkg/cmd/pr/checks/checks.go b/pkg/cmd/pr/checks/checks.go
index bbf2f453bec..40b395897d8 100644
--- a/pkg/cmd/pr/checks/checks.go
+++ b/pkg/cmd/pr/checks/checks.go
@@ -66,6 +66,9 @@ func NewCmdChecks(f *cmdutil.Factory, runF func(*ChecksOptions) error) *cobra.Co
 
 			Without an argument, the pull request that belongs to the current branch
 			is selected.
+
+			Additional exit codes:
+				8: Checks pending
 		`),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
diff --git a/pkg/cmd/root/help.go b/pkg/cmd/root/help.go
index ee5db5e6843..a7daa7b847f 100644
--- a/pkg/cmd/root/help.go
+++ b/pkg/cmd/root/help.go
@@ -182,6 +182,7 @@ func rootHelpFunc(f *cmdutil.Factory, command *cobra.Command, args []string) {
 	helpEntries = append(helpEntries, helpEntry{"LEARN MORE", heredoc.Docf(`
 		Use %[1]sgh <command> <subcommand> --help%[1]s for more information about a command.
 		Read the manual at https://cli.github.com/manual
+		Learn about exit codes using %[1]sgh help exit-codes%[1]s
 	`, "`")})
 
 	out := f.IOStreams.Out

From 800f99d9fa9fcdc32a0c37a3eed46586f64ff987 Mon Sep 17 00:00:00 2001
From: Arun <arun@arun.blog>
Date: Thu, 8 Aug 2024 21:27:35 -0700
Subject: [PATCH 245/253] Describe bucket and state JSON fields in pr checks
 command

While the `state` field corresponds 1:1 with different GitHub Actions
states, the `bucket` field is an abstraction of the CLI that lacked
documentation. This both adds documentation about the existence of the
`bucket` field and enumerates the possible values.
---
 pkg/cmd/pr/checks/checks.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/pr/checks/checks.go b/pkg/cmd/pr/checks/checks.go
index 40b395897d8..797c19c199a 100644
--- a/pkg/cmd/pr/checks/checks.go
+++ b/pkg/cmd/pr/checks/checks.go
@@ -61,15 +61,18 @@ func NewCmdChecks(f *cmdutil.Factory, runF func(*ChecksOptions) error) *cobra.Co
 	cmd := &cobra.Command{
 		Use:   "checks [<number> | <url> | <branch>]",
 		Short: "Show CI status for a single pull request",
-		Long: heredoc.Doc(`
+		Long: heredoc.Docf(`
 			Show CI status for a single pull request.
 
 			Without an argument, the pull request that belongs to the current branch
 			is selected.
 
+			When the %[1]s--json%[1]s flag is used, it includes a %[1]sbucket%[1]s field, which categorizes
+			the %[1]sstate%[1]s field into %[1]spass%[1]s, %[1]sfail%[1]s, %[1]spending%[1]s, %[1]sskipping%[1]s, or %[1]scancel%[1]s.
+
 			Additional exit codes:
 				8: Checks pending
-		`),
+		`, "`"),
 		Args: cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.Finder = shared.NewFinder(f)

From 56e1cdae9e5e5f5f69ecc92cef8b49a7f2a33f0c Mon Sep 17 00:00:00 2001
From: benebsiny <stu995106@hotmail.com.tw>
Date: Sat, 17 Aug 2024 12:04:09 +0800
Subject: [PATCH 246/253] fix behavior for `issue develop -b non-exist-branch`

---
 api/queries_branch_issue_reference.go | 6 +++++-
 pkg/cmd/issue/develop/develop.go      | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/api/queries_branch_issue_reference.go b/api/queries_branch_issue_reference.go
index 16e36831ba4..0b60ff9359c 100644
--- a/api/queries_branch_issue_reference.go
+++ b/api/queries_branch_issue_reference.go
@@ -138,7 +138,11 @@ func FindRepoBranchID(client *Client, repo ghrepo.Interface, ref string) (string
 
 	branchID := query.Repository.Ref.Target.Oid
 	if branchID == "" {
-		branchID = query.Repository.DefaultBranchRef.Target.Oid
+		if ref != "" {
+			return "", "", fmt.Errorf("could not find branch %q in %s", ref, ghrepo.FullName(repo))
+		} else {
+			branchID = query.Repository.DefaultBranchRef.Target.Oid
+		}
 	}
 
 	return query.Repository.Id, branchID, nil
diff --git a/pkg/cmd/issue/develop/develop.go b/pkg/cmd/issue/develop/develop.go
index 32423af3546..16429140906 100644
--- a/pkg/cmd/issue/develop/develop.go
+++ b/pkg/cmd/issue/develop/develop.go
@@ -106,7 +106,7 @@ func NewCmdDevelop(f *cmdutil.Factory, runF func(*DevelopOptions) error) *cobra.
 
 	fl := cmd.Flags()
 	fl.StringVar(&opts.BranchRepo, "branch-repo", "", "Name or URL of the repository where you want to create your new branch")
-	fl.StringVarP(&opts.BaseBranch, "base", "b", "", "Name of the base branch you want to make your new branch from")
+	fl.StringVarP(&opts.BaseBranch, "base", "b", "", "Name of the remote base branch you want to make your new branch from")
 	fl.BoolVarP(&opts.Checkout, "checkout", "c", false, "Checkout the branch after creating it")
 	fl.BoolVarP(&opts.List, "list", "l", false, "List linked branches for the issue")
 	fl.StringVarP(&opts.Name, "name", "n", "", "Name of the branch to create")

From e269d43c5a5b2d4ef3dfce14427835a732426662 Mon Sep 17 00:00:00 2001
From: benebsiny <stu995106@hotmail.com.tw>
Date: Sat, 17 Aug 2024 13:47:02 +0800
Subject: [PATCH 247/253] add testing

---
 pkg/cmd/issue/develop/develop_test.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/pkg/cmd/issue/develop/develop_test.go b/pkg/cmd/issue/develop/develop_test.go
index 7532ffb38bb..c35bcb845fa 100644
--- a/pkg/cmd/issue/develop/develop_test.go
+++ b/pkg/cmd/issue/develop/develop_test.go
@@ -515,6 +515,31 @@ func TestDevelopRun(t *testing.T) {
 			},
 			expectedOut: "github.com/OWNER/REPO/tree/my-branch\n",
 		},
+		{
+			name: "develop with base branch which does not exist",
+			opts: &DevelopOptions{
+				IssueSelector: "123",
+				BaseBranch:    "does-not-exist-branch",
+			},
+			remotes: map[string]string{
+				"origin": "OWNER/REPO",
+			},
+			httpStubs: func(reg *httpmock.Registry, t *testing.T) {
+				reg.Register(
+					httpmock.GraphQL(`query LinkedBranchFeature\b`),
+					httpmock.StringResponse(featureEnabledPayload),
+				)
+				reg.Register(
+					httpmock.GraphQL(`query IssueByNumber\b`),
+					httpmock.StringResponse(`{"data":{"repository":{"hasIssuesEnabled":true,"issue":{"id": "SOMEID","number":123,"title":"my issue"}}}}`),
+				)
+				reg.Register(
+					httpmock.GraphQL(`query FindRepoBranchID\b`),
+					httpmock.StringResponse(`{"data":{"repository":{"id":"REPOID","defaultBranchRef":{"target":{"oid":"DEFAULTOID"}},"ref":null}}}`),
+				)
+			},
+			wantErr: "could not find branch \"does-not-exist-branch\" in OWNER/REPO",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

From 04b4122e61484f4e43d6fe991e89d79ec4c9f707 Mon Sep 17 00:00:00 2001
From: EBIBO <stu995106@hotmail.com.tw>
Date: Sun, 18 Aug 2024 09:25:30 +0800
Subject: [PATCH 248/253] Update api/queries_branch_issue_reference.go

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 api/queries_branch_issue_reference.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api/queries_branch_issue_reference.go b/api/queries_branch_issue_reference.go
index 0b60ff9359c..54a9144b0ee 100644
--- a/api/queries_branch_issue_reference.go
+++ b/api/queries_branch_issue_reference.go
@@ -140,9 +140,8 @@ func FindRepoBranchID(client *Client, repo ghrepo.Interface, ref string) (string
 	if branchID == "" {
 		if ref != "" {
 			return "", "", fmt.Errorf("could not find branch %q in %s", ref, ghrepo.FullName(repo))
-		} else {
-			branchID = query.Repository.DefaultBranchRef.Target.Oid
 		}
+		branchID = query.Repository.DefaultBranchRef.Target.Oid
 	}
 
 	return query.Repository.Id, branchID, nil

From 08aafc5484a16886582ef5380c3d026c8dae1d06 Mon Sep 17 00:00:00 2001
From: EBIBO <stu995106@hotmail.com.tw>
Date: Sun, 18 Aug 2024 09:25:39 +0800
Subject: [PATCH 249/253] Update pkg/cmd/issue/develop/develop.go

Co-authored-by: Andy Feller <andyfeller@github.com>
---
 pkg/cmd/issue/develop/develop.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/issue/develop/develop.go b/pkg/cmd/issue/develop/develop.go
index 16429140906..fa01a3dacbf 100644
--- a/pkg/cmd/issue/develop/develop.go
+++ b/pkg/cmd/issue/develop/develop.go
@@ -106,7 +106,7 @@ func NewCmdDevelop(f *cmdutil.Factory, runF func(*DevelopOptions) error) *cobra.
 
 	fl := cmd.Flags()
 	fl.StringVar(&opts.BranchRepo, "branch-repo", "", "Name or URL of the repository where you want to create your new branch")
-	fl.StringVarP(&opts.BaseBranch, "base", "b", "", "Name of the remote base branch you want to make your new branch from")
+	fl.StringVarP(&opts.BaseBranch, "base", "b", "", "Name of the remote branch you want to make your new branch from")
 	fl.BoolVarP(&opts.Checkout, "checkout", "c", false, "Checkout the branch after creating it")
 	fl.BoolVarP(&opts.List, "list", "l", false, "List linked branches for the issue")
 	fl.StringVarP(&opts.Name, "name", "n", "", "Name of the branch to create")

From d40175fbe5a2ad8652af19bc56b347adb932b3a2 Mon Sep 17 00:00:00 2001
From: William Martin <williammartin@github.com>
Date: Mon, 19 Aug 2024 13:48:45 +0200
Subject: [PATCH 250/253] Add flox to linux installation instructions

---
 docs/install_linux.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/docs/install_linux.md b/docs/install_linux.md
index 3b82a55930d..15619fe967f 100644
--- a/docs/install_linux.md
+++ b/docs/install_linux.md
@@ -204,6 +204,20 @@ Nix/NixOS users can install from [nixpkgs](https://search.nixos.org/packages?que
 nix-env -iA nixos.gh
 ```
 
+### Flox
+
+Flox users can install from the [official community nixpkgs](https://github.com/flox/nixpkgs).
+
+```bash
+# To install
+flox install gh
+
+# To upgrade
+flox upgrade toplevel
+```
+
+For more information about Flox, see [its homepage](https://flox.dev).
+
 ### openSUSE Tumbleweed
 
 openSUSE Tumbleweed users can install from the [official distribution repo](https://software.opensuse.org/package/gh):

From 5212f12ca5efd431aebbec82d7881058a176315a Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Wed, 21 Aug 2024 17:07:18 +0200
Subject: [PATCH 251/253] Revert "use default set remote if available"

This reverts commit 5798eb7c4b40561afff241a61ae59285e025d811.
---
 pkg/cmd/factory/default_test.go           |  2 +-
 pkg/cmd/secret/set/set.go                 |  6 +-----
 pkg/cmd/variable/set/set.go               |  6 +-----
 pkg/cmdutil/{repo.go => repo_override.go} | 13 +------------
 4 files changed, 4 insertions(+), 23 deletions(-)
 rename pkg/cmdutil/{repo.go => repo_override.go} (89%)

diff --git a/pkg/cmd/factory/default_test.go b/pkg/cmd/factory/default_test.go
index 481516ac373..94955bb30ec 100644
--- a/pkg/cmd/factory/default_test.go
+++ b/pkg/cmd/factory/default_test.go
@@ -253,7 +253,7 @@ func Test_SmartBaseRepo(t *testing.T) {
 	}
 }
 
-// Defined in pkg/cmdutil/repo.go but test it along with other BaseRepo functions
+// Defined in pkg/cmdutil/repo_override.go but test it along with other BaseRepo functions
 func Test_OverrideBaseRepo(t *testing.T) {
 	tests := []struct {
 		name        string
diff --git a/pkg/cmd/secret/set/set.go b/pkg/cmd/secret/set/set.go
index f7f0f37e141..9f37970080d 100644
--- a/pkg/cmd/secret/set/set.go
+++ b/pkg/cmd/secret/set/set.go
@@ -204,11 +204,7 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			defaultRepo := cmdutil.DefaultRepo(opts.Remotes)
-
-			if defaultRepo != nil {
-				baseRepo = defaultRepo
-			} else if opts.Interactive {
+			if opts.Interactive {
 				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
 
 				if errSelectedRepo != nil {
diff --git a/pkg/cmd/variable/set/set.go b/pkg/cmd/variable/set/set.go
index f4afb378756..ab5e8e21444 100644
--- a/pkg/cmd/variable/set/set.go
+++ b/pkg/cmd/variable/set/set.go
@@ -178,11 +178,7 @@ func setRun(opts *SetOptions) error {
 
 		err = cmdutil.ValidateHasOnlyOneRemote(opts.HasRepoOverride, opts.Remotes)
 		if err != nil {
-			defaultRepo := cmdutil.DefaultRepo(opts.Remotes)
-
-			if defaultRepo != nil {
-				baseRepo = defaultRepo
-			} else if opts.Interactive {
+			if opts.Interactive {
 				selectedRepo, errSelectedRepo := cmdutil.PromptForRepo(baseRepo, opts.Remotes, opts.Prompter)
 
 				if errSelectedRepo != nil {
diff --git a/pkg/cmdutil/repo.go b/pkg/cmdutil/repo_override.go
similarity index 89%
rename from pkg/cmdutil/repo.go
rename to pkg/cmdutil/repo_override.go
index f1f7d455d57..41a4a47998a 100644
--- a/pkg/cmdutil/repo.go
+++ b/pkg/cmdutil/repo_override.go
@@ -71,25 +71,14 @@ func OverrideBaseRepoFunc(f *Factory, override string) func() (ghrepo.Interface,
 	return f.BaseRepo
 }
 
-func DefaultRepo(remotes func() (ghContext.Remotes, error)) ghrepo.Interface {
-	if remotes, _ := remotes(); remotes != nil {
-		if defaultRemote, _ := remotes.ResolvedRemote(); defaultRemote != nil {
-			return defaultRemote.Repo
-		}
-	}
-
-	return nil
-}
-
 func PromptForRepo(baseRepo ghrepo.Interface, remotes func() (ghContext.Remotes, error), survey prompter.Prompter) (ghrepo.Interface, error) {
 	var defaultRepo string
 	var remoteArray []string
-	var selectedRepo ghrepo.Interface
 
 	if remotes, _ := remotes(); remotes != nil {
 		if defaultRemote, _ := remotes.ResolvedRemote(); defaultRemote != nil {
 			// this is a remote explicitly chosen via `repo set-default`
-			return defaultRemote.Repo, nil
+			defaultRepo = ghrepo.FullName(defaultRemote)
 		} else if len(remotes) > 0 {
 			// as a fallback, just pick the first remote
 			defaultRepo = ghrepo.FullName(remotes[0])

From 0f9ad3b262d6a27ba362cbed928d1a0f168b787a Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Wed, 21 Aug 2024 18:16:06 +0200
Subject: [PATCH 252/253] update docs for set-default

NOTE: gh does not use the default repository for managing repository and environment secrets or variables.
---
 pkg/cmd/repo/setdefault/setdefault.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/repo/setdefault/setdefault.go b/pkg/cmd/repo/setdefault/setdefault.go
index eb8fcfb5a57..69be625d627 100644
--- a/pkg/cmd/repo/setdefault/setdefault.go
+++ b/pkg/cmd/repo/setdefault/setdefault.go
@@ -30,7 +30,8 @@ func explainer() string {
 		 - viewing and creating issues
 		 - viewing and creating releases
 		 - working with GitHub Actions
-		 - adding repository and environment secrets`)
+
+		### NOTE: gh does not use the default repository for managing repository and environment secrets or variables.`)
 }
 
 type iprompter interface {

From 97b10370e1dec2f7be3665646d9a7b088edb180e Mon Sep 17 00:00:00 2001
From: Wing <damianleung@gmail.com>
Date: Wed, 21 Aug 2024 18:31:27 +0200
Subject: [PATCH 253/253] update setdefault test

---
 pkg/cmd/repo/setdefault/setdefault_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/repo/setdefault/setdefault_test.go b/pkg/cmd/repo/setdefault/setdefault_test.go
index 55a0193d593..897e020c739 100644
--- a/pkg/cmd/repo/setdefault/setdefault_test.go
+++ b/pkg/cmd/repo/setdefault/setdefault_test.go
@@ -382,7 +382,7 @@ func TestDefaultRun(t *testing.T) {
 					}
 				}
 			},
-			wantStdout: "This command sets the default remote repository to use when querying the\nGitHub API for the locally cloned repository.\n\ngh uses the default repository for things like:\n\n - viewing and creating pull requests\n - viewing and creating issues\n - viewing and creating releases\n - working with GitHub Actions\n - adding repository and environment secrets\n\n✓ Set OWNER2/REPO2 as the default repository for the current directory\n",
+			wantStdout: "This command sets the default remote repository to use when querying the\nGitHub API for the locally cloned repository.\n\ngh uses the default repository for things like:\n\n - viewing and creating pull requests\n - viewing and creating issues\n - viewing and creating releases\n - working with GitHub Actions\n\n### NOTE: gh does not use the default repository for managing repository and environment secrets or variables.\n\n✓ Set OWNER2/REPO2 as the default repository for the current directory\n",
 		},
 		{
 			name: "interactive mode only one known host",
@@ -456,7 +456,7 @@ func TestDefaultRun(t *testing.T) {
 					}
 				}
 			},
-			wantStdout: "This command sets the default remote repository to use when querying the\nGitHub API for the locally cloned repository.\n\ngh uses the default repository for things like:\n\n - viewing and creating pull requests\n - viewing and creating issues\n - viewing and creating releases\n - working with GitHub Actions\n - adding repository and environment secrets\n\n✓ Set OWNER2/REPO2 as the default repository for the current directory\n",
+			wantStdout: "This command sets the default remote repository to use when querying the\nGitHub API for the locally cloned repository.\n\ngh uses the default repository for things like:\n\n - viewing and creating pull requests\n - viewing and creating issues\n - viewing and creating releases\n - working with GitHub Actions\n\n### NOTE: gh does not use the default repository for managing repository and environment secrets or variables.\n\n✓ Set OWNER2/REPO2 as the default repository for the current directory\n",
 		},
 	}