Use OS credential manager to store tokens

Also added device token generation

Author: brijeshb42

packages/code-infra/package.json

@@ -21,10 +21,6 @@
       "types": "./build/utils/changelog.d.mts",
       "default": "./src/utils/changelog.mjs"
     },
-    "./credentials": {
-      "types": "./build/utils/credentials.d.mts",
-      "default": "./src/utils/credentials.mjs"
-    },
     "./eslint": {
       "types": "./build/eslint/index.d.mts",
       "default": "./src/eslint/index.mjs"
@@ -62,6 +58,7 @@
     "@mui/internal-babel-plugin-display-name": "workspace:*",
     "@mui/internal-babel-plugin-minify-errors": "workspace:*",
     "@mui/internal-babel-plugin-resolve-imports": "workspace:*",
+    "@napi-rs/keyring": "^1.2.0",
     "@next/eslint-plugin-next": "^15.5.3",
     "@octokit/auth-action": "^6.0.1",
     "@octokit/rest": "^22.0.0",
@@ -86,6 +83,7 @@
     "globals": "^16.4.0",
     "globby": "^14.1.0",
     "minimatch": "^10.0.3",
+    "openid-client": "^6.8.0",
     "postcss-styled-syntax": "^0.7.1",
     "regexp.escape": "^2.0.1",
     "resolve-pkg-maps": "^1.0.0",

packages/code-infra/src/cli/cmdGithubAuth.mjs

@@ -0,0 +1,127 @@
+/* eslint-disable no-console */
+/**
+ * CLI command for GitHub OAuth authentication
+ *
+ * This file contains the user interaction and CLI-specific logic for GitHub authentication.
+ * It uses the core GitHub OAuth utilities from utils/github.mjs.
+ */
+
+import chalk from 'chalk';
+import * as client from 'openid-client';
+
+/**
+ * Interactive GitHub authentication with user prompts and device flow
+ *
+ * @param {import('../utils/github.mjs')} gh - GitHub utility module
+ * @returns {Promise<void>}
+ */
+async function authenticateWithGitHub(gh) {
+  try {
+    // Try to get existing valid token first
+    const existingToken = await gh.getStoredGitHubToken();
+    if (existingToken) {
+      console.log('✅ Using existing GitHub token');
+      return;
+    }
+  } catch (error) {
+    // No existing token or expired, continue with authentication
+  }
+
+  try {
+    // Try token refresh first
+    const refreshedToken = await gh.refreshGitHubToken();
+    if (refreshedToken) {
+      console.log('✅ GitHub token refreshed successfully');
+      return;
+    }
+  } catch (error) {
+    console.log('Token refresh failed, initiating new authentication...');
+  }
+
+  // Start new device flow authentication
+  console.log('Starting GitHub authentication...');
+
+  /** @type {{verification_uri: string, user_code: string, config: any, interval: number, device_code: string, expires_in: number}} */
+  const deviceFlow = await gh.initiateGitHubDeviceFlow();
+
+  console.log(`\nPlease visit: ${chalk.cyan(deviceFlow.verification_uri)}`);
+  console.log(`Enter code: ${chalk.blueBright(chalk.underline(deviceFlow.user_code))}`);
+  console.log('Waiting for authentication...');
+
+  // Poll for completion with user-friendly output
+  let accessToken = '';
+  let pollCount = 0;
+  const startPoll = async () => {
+    if (pollCount > 12) {
+      throw new Error('Authentication timed out. Please try again.');
+    }
+    pollCount += 1;
+    try {
+      // The built-in polling method is not reliable since it throws for unexpected response.
+      // So we handle the polling loop manually here.
+      const tokens = await client.pollDeviceAuthorizationGrant(deviceFlow.config, deviceFlow);
+      accessToken = tokens.access_token;
+
+      // Store the tokens using core utility
+      await gh.storeGitHubTokens(tokens);
+    } catch (err) {
+      if (err instanceof client.ClientError && err.code === 'OAUTH_INVALID_RESPONSE') {
+        // Still waiting for user authorization, continue polling
+        await startPoll();
+        return;
+      }
+      throw err;
+    }
+  };
+
+  await startPoll();
+
+  if (accessToken) {
+    console.log('✅ GitHub authentication successful');
+    return;
+  }
+
+  throw new Error('Authentication failed');
+}
+
+/**
+ * @typedef {Object} Args
+ * @property {boolean} authorize
+ * @property {boolean} clear
+ */
+
+export default /** @type {import('yargs').CommandModule<{}, Args>} */ ({
+  command: 'github',
+  describe: 'Authenticates the user with GitHub and stores the access token securely.',
+  builder: (yargs) =>
+    yargs
+      .option('authorize', {
+        type: 'boolean',
+        describe: 'Trigger the authentication flow to get a new token.',
+        default: false,
+      })
+      .option('clear', {
+        type: 'boolean',
+        describe: 'Clear stored GitHub authentication tokens.',
+        default: false,
+      }),
+  async handler(args) {
+    const gh = await import('../utils/github.mjs');
+    if (args.clear) {
+      try {
+        await gh.clearGitHubAuth();
+        console.log('✅ GitHub authentication cleared');
+      } catch (/** @type {any} */ error) {
+        console.error('❌ Failed to clear GitHub authentication:', error.message);
+        process.exit(1);
+      }
+    } else if (args.authorize) {
+      try {
+        await authenticateWithGitHub(gh);
+      } catch (/** @type {any} */ error) {
+        console.error('❌ GitHub authentication failed:', error.message);
+        process.exit(1);
+      }
+    }
+  },
+});

packages/code-infra/src/cli/index.mjs

@@ -6,6 +6,7 @@ import cmdArgosPush from './cmdArgosPush.mjs';
 import cmdBuild from './cmdBuild.mjs';
 import cmdCopyFiles from './cmdCopyFiles.mjs';
 import cmdExtractErrorCodes from './cmdExtractErrorCodes.mjs';
+import cmdGithubAuth from './cmdGithubAuth.mjs';
 import cmdJsonLint from './cmdJsonLint.mjs';
 import cmdListWorkspaces from './cmdListWorkspaces.mjs';
 import cmdPublish from './cmdPublish.mjs';
@@ -21,6 +22,7 @@ yargs()
   .command(cmdBuild)
   .command(cmdCopyFiles)
   .command(cmdExtractErrorCodes)
+  .command(cmdGithubAuth)
   .command(cmdJsonLint)
   .command(cmdListWorkspaces)
   .command(cmdPublish)

packages/code-infra/src/utils/changelog.mjs

@@ -1,5 +1,6 @@
 import { Octokit } from '@octokit/rest';
 import { $ } from 'execa';
+import { getGitHubToken } from './github.mjs';
 
 /**
  * @typedef {'team' | 'first_timer' | 'contributor'} AuthorAssociation
@@ -19,35 +20,31 @@ import { $ } from 'execa';
  * @returns {Promise<string>}
  */
 export async function findLatestTaggedVersion(opts) {
-  const { stdout } = await $({
-    cwd: opts.cwd,
-    // First fetch all tags from all remotes to ensure we have the latest tags. Uses -q flag to suppress output.
-    // And then find the latest tag matching "v*".
-  })`git fetch --tags --all -q && git describe --tags --abbrev=0 --match ${'v*'}`; // only include "version-tags"
+  const $$ = $({ cwd: opts.cwd });
+  await $$`git fetch --tags --all`; // Fetch all tags from all remotes to ensure we have the latest tags.
+  const { stdout } = await $$`git describe --tags --abbrev=0 --match ${'v*'}`; // only include "version-tags"
   return stdout.trim();
 }
 
 /**
  * @typedef {Object} FetchCommitsOptions
- * @property {string} token
  * @property {string} repo
  * @property {string} lastRelease
  * @property {string} release
+ * @property {string} [token]
  * @property {string} [org="mui"]
  */
 
 /**
  * Fetches commits between two refs (lastRelease..release) including PR details.
- * Throws if the `token` option is not provided.
+ * Automatically handles GitHub OAuth authentication.
  *
  * @param {FetchCommitsOptions} param0
  * @returns {Promise<FetchedCommitDetails[]>}
  */
 export async function fetchCommitsBetweenRefs({ org = 'mui', ...options }) {
-  if (!options.token) {
-    throw new Error('Missing "token" option. The token needs `public_repo` permissions.');
-  }
-  const opts = { ...options, org };
+  const token = options.token ?? (await getGitHubToken());
+  const opts = { ...options, token, org };
 
   return await fetchCommitsRest(opts);
 }
@@ -57,7 +54,7 @@ export async function fetchCommitsBetweenRefs({ org = 'mui', ...options }) {
  * It is more reliable than the GraphQL API but requires multiple network calls (1 + n).
  * One to list all commits between the two refs and then one for each commit to get the PR details.
  *
- * @param {FetchCommitsOptions & { org: string }} param0
+ * @param {FetchCommitsOptions & { org: string, token: string }} param0
  *
  * @returns {Promise<FetchedCommitDetails[]>}
  */