Use OS credential manager to store tokens

Also added device token generation

Author: brijeshb42

packages/code-infra/package.json

@@ -21,14 +21,14 @@
       "types": "./build/utils/changelog.d.mts",
       "default": "./src/utils/changelog.mjs"
     },
-    "./credentials": {
-      "types": "./build/utils/credentials.d.mts",
-      "default": "./src/utils/credentials.mjs"
-    },
     "./eslint": {
       "types": "./build/eslint/index.d.mts",
       "default": "./src/eslint/index.mjs"
     },
+    "./github": {
+      "types": "./build/utils/github.d.mts",
+      "default": "./src/utils/github.mjs"
+    },
     "./markdownlint": {
       "types": "./build/markdownlint/index.d.mts",
       "default": "./src/markdownlint/index.mjs"
@@ -62,15 +62,18 @@
     "@mui/internal-babel-plugin-display-name": "workspace:*",
     "@mui/internal-babel-plugin-minify-errors": "workspace:*",
     "@mui/internal-babel-plugin-resolve-imports": "workspace:*",
+    "@napi-rs/keyring": "^1.2.0",
     "@next/eslint-plugin-next": "^15.5.3",
     "@octokit/auth-action": "^6.0.1",
+    "@octokit/oauth-methods": "^6.0.0",
     "@octokit/rest": "^22.0.0",
     "@pnpm/find-workspace-dir": "^1000.1.3",
     "babel-plugin-optimize-clsx": "^2.6.2",
     "babel-plugin-transform-inline-environment-variables": "^0.4.4",
     "babel-plugin-transform-react-remove-prop-types": "^0.4.24",
     "babel-plugin-transform-remove-imports": "^1.8.0",
     "chalk": "^5.6.2",
+    "clipboardy": "^4.0.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-import-resolver-typescript": "^4.4.4",
     "eslint-module-utils": "^2.12.1",
@@ -86,6 +89,7 @@
     "globals": "^16.4.0",
     "globby": "^14.1.0",
     "minimatch": "^10.0.3",
+    "open": "^10.2.0",
     "postcss-styled-syntax": "^0.7.1",
     "regexp.escape": "^2.0.1",
     "resolve-pkg-maps": "^1.0.0",

packages/code-infra/src/cli/cmdGithubAuth.mjs

@@ -0,0 +1,39 @@
+/* eslint-disable no-console */
+
+/**
+ * @typedef {Object} Args
+ * @property {boolean} authorize
+ * @property {boolean} clear
+ */
+
+export default /** @type {import('yargs').CommandModule<{}, Args>} */ ({
+  command: 'github',
+  describe: 'Authenticates the user with GitHub and stores the access token securely.',
+  builder: (yargs) =>
+    yargs
+      .option('authorize', {
+        type: 'boolean',
+        describe: 'Trigger the authentication flow to get a new token if not found.',
+        default: false,
+      })
+      .option('clear', {
+        type: 'boolean',
+        describe: 'Clear stored GitHub authentication tokens.',
+        default: false,
+      }),
+  async handler(args) {
+    const gh = await import('../utils/github.mjs');
+    if (args.clear) {
+      try {
+        await gh.clearGitHubAuth();
+        console.log('✅ GitHub authentication cleared');
+      } catch (/** @type {any} */ error) {
+        console.error('❌ Failed to clear GitHub authentication:', error.message);
+        process.exit(1);
+      }
+    } else if (args.authorize) {
+      await gh.endToEndGhAuthGetToken(true);
+      console.log('✅ GitHub authentication successful');
+    }
+  },
+});

packages/code-infra/src/cli/index.mjs

@@ -6,6 +6,7 @@ import cmdArgosPush from './cmdArgosPush.mjs';
 import cmdBuild from './cmdBuild.mjs';
 import cmdCopyFiles from './cmdCopyFiles.mjs';
 import cmdExtractErrorCodes from './cmdExtractErrorCodes.mjs';
+import cmdGithubAuth from './cmdGithubAuth.mjs';
 import cmdJsonLint from './cmdJsonLint.mjs';
 import cmdListWorkspaces from './cmdListWorkspaces.mjs';
 import cmdPublish from './cmdPublish.mjs';
@@ -21,6 +22,7 @@ yargs()
   .command(cmdBuild)
   .command(cmdCopyFiles)
   .command(cmdExtractErrorCodes)
+  .command(cmdGithubAuth)
   .command(cmdJsonLint)
   .command(cmdListWorkspaces)
   .command(cmdPublish)

packages/code-infra/src/utils/changelog.mjs

@@ -16,37 +16,41 @@ import { $ } from 'execa';
 /**
  * @param {Object} opts
  * @param {string} opts.cwd
+ * @param {boolean} [opts.fetchAll=true] Whether to fetch all tags from all remotes before finding the latest tag.
  * @returns {Promise<string>}
  */
 export async function findLatestTaggedVersion(opts) {
-  const { stdout } = await $({
-    cwd: opts.cwd,
-    // First fetch all tags from all remotes to ensure we have the latest tags. Uses -q flag to suppress output.
-    // And then find the latest tag matching "v*".
-  })`git fetch --tags --all -q && git describe --tags --abbrev=0 --match ${'v*'}`; // only include "version-tags"
+  const $$ = $({ cwd: opts.cwd });
+  const fetchAll = opts.fetchAll ?? true;
+  if (fetchAll) {
+    // Fetch all tags from all remotes to ensure we have the latest tags.
+    await $$`git fetch --tags --all`;
+  }
+  const { stdout } = await $$`git describe --tags --abbrev=0 --match ${'v*'}`; // only include "version-tags"
   return stdout.trim();
 }
 
 /**
  * @typedef {Object} FetchCommitsOptions
- * @property {string} token
  * @property {string} repo
  * @property {string} lastRelease
  * @property {string} release
+ * @property {string} token
  * @property {string} [org="mui"]
  */
 
 /**
  * Fetches commits between two refs (lastRelease..release) including PR details.
- * Throws if the `token` option is not provided.
+ * Automatically handles GitHub OAuth authentication.
  *
  * @param {FetchCommitsOptions} param0
  * @returns {Promise<FetchedCommitDetails[]>}
  */
 export async function fetchCommitsBetweenRefs({ org = 'mui', ...options }) {
   if (!options.token) {
-    throw new Error('Missing "token" option. The token needs `public_repo` permissions.');
+    throw new Error('GitHub token is required.');
   }
+
   const opts = { ...options, org };
 
   return await fetchCommitsRest(opts);
@@ -57,7 +61,7 @@ export async function fetchCommitsBetweenRefs({ org = 'mui', ...options }) {
  * It is more reliable than the GraphQL API but requires multiple network calls (1 + n).
  * One to list all commits between the two refs and then one for each commit to get the PR details.
  *
- * @param {FetchCommitsOptions & { org: string }} param0
+ * @param {FetchCommitsOptions & { org: string, token: string }} param0
  *
  * @returns {Promise<FetchedCommitDetails[]>}
  */