Add gh CLI setup command step to both automations

meysholdt · ona-agent · meysholdt · commit 5e876b9fbbee · 2026-03-08T18:54:03.000Z
Installs gh if missing, authenticates via git credential helper token.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.ona/fix-codescan-alert.yaml b/.ona/fix-codescan-alert.yaml
@@ -11,6 +11,27 @@ action:
     maxParallel: 1
     maxTotal: 10
   steps:
+    - task:
+        command: |
+          set -e
+          if ! command -v gh &>/dev/null; then
+            echo "Installing GitHub CLI..."
+            (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
+            sudo mkdir -p -m 755 /etc/apt/keyrings
+            out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+            sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+            echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+            sudo apt update && sudo apt install gh -y
+          fi
+          echo "gh version: $(gh --version | head -1)"
+          TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
+          protocol=https
+          host=github.com
+
+          EOF
+          )
+          echo "$TOKEN" | gh auth login --with-token
+          gh auth status
     - agent:
         prompt: |
           Query the GitHub code scanning alerts for this repository using the GitHub CLI:
diff --git a/.ona/fix-dependabot-alert.yaml b/.ona/fix-dependabot-alert.yaml
@@ -11,6 +11,27 @@ action:
     maxParallel: 1
     maxTotal: 10
   steps:
+    - task:
+        command: |
+          set -e
+          if ! command -v gh &>/dev/null; then
+            echo "Installing GitHub CLI..."
+            (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y))
+            sudo mkdir -p -m 755 /etc/apt/keyrings
+            out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+            sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+            echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+            sudo apt update && sudo apt install gh -y
+          fi
+          echo "gh version: $(gh --version | head -1)"
+          TOKEN=$(git credential fill <<EOF | grep password | cut -d= -f2
+          protocol=https
+          host=github.com
+
+          EOF
+          )
+          echo "$TOKEN" | gh auth login --with-token
+          gh auth status
     - agent:
         prompt: |
           Query the GitHub Dependabot alerts for this repository using the GitHub CLI:
