
probe: gh auth on bk mac agents (do not merge) #74

Closed

mokagio wants to merge 2 commits into ainfra-2351-add-buildkite-pipeline from ainfra-2351-verify-gh-on-bk

Conversation


@mokagio mokagio commented May 7, 2026

Rationale

Stacked on #71.
That PR's description flagged one assumption to confirm on the first run: "gh is on the BK Mac agents and authenticated for beeper/platform-imessage."
Confirming this before relying on gh release create / gh release upload for actual publishing is cheaper than discovering it during a real tag push.

This draft adds a probe to the top of .buildkite/commands/release-cli.sh that runs on every build (PR / main / tag), so the next BK build for this branch will print enough to answer the question.

What the probe checks

  • command -v gh and gh --version — gh is installed and on PATH on the agent.
  • gh auth status --hostname github.com — there is a configured token (and which scopes / which user).
  • gh release list --repo beeper/platform-imessage --limit 1 — the token has read access against this specific repo.
  • gh api /repos/beeper/platform-imessage — same, via the API surface the publish step will eventually hit.

It is intentionally read-only.
A successful read here does not guarantee write scope (which is what gh release create and gh release upload need) — that will be exercised by a real vX.Y.Z-test tag push once the read probe is green.
If write scope is missing, the next iteration is to either grant it or move publishing to a different mechanism.

Tradeoffs

  • The probe is inlined at the top of release-cli.sh rather than a dedicated pipeline step.
    Saves one Mac agent boot; cost is that the diff touches the production script.
    Easy to revert when this PR is closed (single commit on a throwaway branch).

Gotchas

  • Do not merge. This PR exists to read the BK build log and then be closed.
  • Targets ainfra-2351-add-buildkite-pipeline rather than main, since the BK pipeline files only exist on that branch.

How to test

  1. Wait for BK to pick up the build for this branch.
  2. Read the "Build, sign, notarize CLI" step's log, looking for the :test_tube: sections at the top — they appear before any signing / build work, so they show up even if the rest fails.
  3. Decide based on what's printed:
    • All green → gh is wired up; close this PR and proceed with #71 as-is.
    • gh: command not found → ask the BK agent maintainers to bake gh into the Mac image, or brew install gh in a pre-step.
    • gh auth status errors with no token → wire GH_TOKEN (or equivalent) through a8c-secrets.
    • Read works but the eventual write fails on a real tag → escalate scopes on the token.

Posted by Claude Code (Opus 4.7, 1M context) on behalf of @mokagio with approval.


Verified (2026-05-07)

Probe results from BK build #24 on commit 85dfbbc:

  • gh 2.88.1 is on the agents at /opt/homebrew/bin/gh.
  • Authenticated as @wpmobilebot via GITHUB_TOKEN, scopes: read:org, read:public_key, read:user, repo.
  • Read access against beeper/platform-imessage works (gh release list returned v0.21.1; the repo is public).
  • wpmobilebot is a collaborator on beeper/platform-imessage with write permission — sufficient for gh release create and gh release upload.

#71 is unblocked on the auth side.
Closing this PR unmerged; the probe served its purpose.


Edited by Claude Code (Opus 4.7, 1M context) on behalf of @mokagio with approval.

Throwaway draft PR. Adds a `gh auth status` + read-only API probe to
the top of `release-cli.sh` so every BK build (incl. PR/main, where
the publish path is otherwise skipped) prints whether `gh` is on the
agent and authenticated for `beeper/platform-imessage`.

Goal: confirm the assumption flagged in #71's description ("Assumes
`gh` is on the BK Mac agents and authenticated... To be confirmed on
the first run.") before stacking real publishing logic on top.

Once we read the build log, this PR can be closed without merging.

---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mokagio mokagio self-assigned this May 7, 2026

coderabbitai Bot commented May 7, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

The `repo` scope on the agent's `GITHUB_TOKEN` is necessary but not
sufficient — `gh release create/upload` will still 403 unless the
bot account (`wpmobilebot` per the previous probe run) is a
collaborator with at least `write` on `beeper/platform-imessage`.

Adds a `gh api .../collaborators/<login>/permission` call and derives
the login from `/user` so it survives a future bot rename.

---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
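For reference, this is what the read-only probe listed in the PR body ("What the probe checks") and the collaborator-permission step from the second commit look like as one runnable script. It is an added example, not the diff from this PR or the project's own `release-cli.sh`: the repo slug is the one named on the page, the `--run` guard and the helper names (`section`, `json_string_field`, `write_permission_ok`, `publish_verdict`, `probe_gh`) are assumptions, and the JSON inputs the verdict function accepts are constructed from the documented shape of `GET /user` and `GET /repos/{owner}/{repo}/collaborators/{login}/permission`.

```shell
#!/usr/bin/env bash
# Added example, not the PR's diff: a read-only `gh` probe for the top of a
# Buildkite release script, plus the collaborator-permission verdict.
# REPO comes from the PR text; the --run guard and helper names are assumptions.
set -eu

REPO="${REPO:-beeper/platform-imessage}"
GH_HOST="${GH_HOST:-github.com}"

# Buildkite renders `--- title` as a collapsed log section and `+++ title` as
# an expanded one; the PR description refers to these as the :test_tube: sections.
section() { printf -- '--- :test_tube: %s\n' "$1"; }
section_open() { printf -- '+++ :test_tube: %s\n' "$1"; }

# Pull one top-level string field out of a small JSON document with sed, so the
# verdict logic below can be exercised offline on constructed API responses.
# (Not meant for values nested inside objects such as "user": {"login": ...}.)
json_string_field() {
  local field="$1"
  sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# The `permission` field of GET /repos/{owner}/{repo}/collaborators/{login}/permission
# is one of admin, write, read, none; GitHub already folds maintain into write and
# triage into read there. Only admin and write can create and upload releases.
write_permission_ok() {
  case "$1" in
    admin|write) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide from the raw /user and .../permission responses whether the token's
# account can publish. Returns 0 when it can; prints the reason either way.
publish_verdict() {
  local user_json="$1" perm_json="$2"
  local login perm
  login="$(printf '%s' "$user_json" | json_string_field login)"
  perm="$(printf '%s' "$perm_json" | json_string_field permission)"
  if write_permission_ok "$perm"; then
    printf '%s has %s on %s: sufficient for gh release create / upload\n' \
      "$login" "$perm" "$REPO"
    return 0
  fi
  printf '%s has %s on %s: reads pass but gh release create / upload will 403\n' \
    "${login:-<unknown login>}" "${perm:-none}" "$REPO"
  return 1
}

# The live probe. Every call is read-only; `gh auth status` masks the token
# unless --show-token is passed, so never add that flag in CI.
probe_gh() {
  section "gh on PATH?"
  if ! command -v gh; then
    echo "gh: command not found on this agent"
    return 1
  fi
  gh --version

  section "gh auth status"
  gh auth status --hostname "$GH_HOST" || return 1

  section "read access to $REPO"
  gh release list --repo "$REPO" --limit 1
  gh api "/repos/$REPO" --jq '.full_name + " private=" + (.private|tostring)'

  section_open "collaborator permission for the token's account"
  local user_json login perm_json
  user_json="$(gh api /user)"
  login="$(printf '%s' "$user_json" | json_string_field login)"
  perm_json="$(gh api "/repos/$REPO/collaborators/$login/permission")"
  publish_verdict "$user_json" "$perm_json"
}

# Run the live probe only when asked to, so the file can also be sourced
# (by release-cli.sh, or by a check that feeds publish_verdict canned JSON).
if [ "${1:-}" = "--run" ]; then
  probe_gh
fi
```

Call `probe_gh` (or run the file with `--run`) before any signing or build work so the sections print even when the rest of the step fails. The verdict keys off the API's `permission` field rather than `role_name` because GitHub already normalises `maintain` to `write` and `triage` to `read` there; `repo` scope on the token and `write` on the repo are both required for `gh release create` / `gh release upload`, and a green read probe proves only the first.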

mokagio commented May 7, 2026

Closing — probe completed, results captured in the description's Verified section. Branch left in place in case the log/diff is useful later.

@mokagio mokagio closed this May 7, 2026

indent Bot commented May 7, 2026

It looks like you're not a member of this organization on Indent. To use Indent, visit app.indent.com to get started.
