From 6887606bf0e1fdcd42d0ea00ca174bfe1a86fa91 Mon Sep 17 00:00:00 2001
From: Ben Johnson
Date: Tue, 31 Mar 2026 10:32:06 -0700
Subject: [PATCH 1/4] fix: harden CLI CI toolchain access
---
 .github/workflows/_go-checks.yaml | 78 +++++++++++++++++++++++++++++++
 .github/workflows/nightly.yaml | 13 ++++++
 bin/hermit.hcl | 2 +
 go.mod | 2 +-
 4 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/_go-checks.yaml b/.github/workflows/_go-checks.yaml
index e532afd..75ba3c6 100644
--- a/.github/workflows/_go-checks.yaml
+++ b/.github/workflows/_go-checks.yaml
@@ -21,7 +21,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
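Review bot: The `Configure Git for private Hermit sources` step inlines `${{ steps.generate-token.outputs.token }}` straight into the `run:` command, so the installation token ends up in the shell script text and, via `--global url.…@github.com/.insteadOf https://github.com/`, is stored in clear in the runner's global git config and presented on every github.com fetch for the rest of the job (third-party `go mod` downloads included), while the checkout step just above leaves the same token in `.git/config` because `persist-credentials` is not set to `false`. The token is also minted with `owner` but no `repositories` or `permission-*` inputs; if I recall the action's semantics correctly that scopes it to every repository the app is installed on, which is more than the two clones this job performs. Pass the token through `env:` and read it as a shell variable, restrict the `insteadOf` rewrite to the org hosting the private source, and narrow the token to the repositories and `contents: read` permission actually needed (repo names below are taken from `go.mod` and `bin/hermit.hcl` in this patch — adjust if they differ, and check whether `cashapp/hermit-packages` needs any credential at all). The identical block is repeated in the four later hunks of this file and in the nightly.yaml hunk, so the fix applies to all six copies; a composite action would keep them from drifting. Each enclosing job starts before its hunk, and whether a later step pushes and therefore needs persisted credentials is not visible here — confirm before setting `persist-credentials: false`.
```yaml
      - name: Generate token
        # … unchanged: id, uses …
        with:
          # … unchanged: app-id, private-key, owner …
          # Only these two repos are cloned in this job; without `repositories`
          # the token would cover every repo the app is installed on.
          repositories: cli,hermit-packages
          permission-contents: read
      # … unchanged: checkout step with `token:` …
          persist-credentials: false

      - name: Configure Git for private Hermit sources
        env:
          # Env var name is illustrative; the point is not to expand the token into the script text.
          HERMIT_GIT_TOKEN: ${{ steps.generate-token.outputs.token }}
        # Rewrite only the org that hosts the private package source, not all of github.com.
        run: git config --global url.https://x-access-token:${HERMIT_GIT_TOKEN}@github.com/usetero/.insteadOf https://github.com/usetero/
```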
@@ -37,7 +50,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
@@ -53,7 +79,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
@@ -69,7 +108,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
@@ -99,7 +151,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
@@ -120,7 +185,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 1b3cd34..ad03608 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -24,7 +24,20 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.TERO_BOT_CLIENT_ID }}
+ private-key: ${{ secrets.TERO_BOT_PRIVATE_SIGNING_KEY }}
+ owner: ${{ github.repository_owner }}
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ - name: Configure Git for private Hermit sources
+ run: git config --global url.https://x-access-token:${{ steps.generate-token.outputs.token }}@github.com/.insteadOf https://github.com/
 - name: Setup Hermit
 uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
diff --git a/bin/hermit.hcl b/bin/hermit.hcl
index 081cbe8..297f158 100644
--- a/bin/hermit.hcl
+++ b/bin/hermit.hcl
@@ -1,2 +1,4 @@
+sources = ["https://github.com/usetero/hermit-packages.git", "https://github.com/cashapp/hermit-packages.git"]
+
 github-token-auth {
 }
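Review bot: The two `sources` entries in bin/hermit.hcl are bare git URLs with no revision, so every CI run resolves `usetero/hermit-packages` and `cashapp/hermit-packages` at whatever their default branch holds at that moment, and with the App token now unlocking the private source, anyone who can push to those package repositories controls the toolchain every job runs. If Hermit's source syntax allows a fixed ref for git sources, pin one and bump it deliberately; otherwise at least record the trust boundary above the line, e.g. `# Package manifests are fetched unpinned on every run; branch protection on these repos is part of the CI trust boundary.`. The existing `github-token-auth { }` block (context lines here, not part of the change) presumably makes Hermit use a GitHub token from its environment for downloads, but nothing in this patch shows the generated token being exported to the Setup Hermit step, so confirm whether that step (outside these hunks) receives it and which variable it reads, and say so in a comment next to the block.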
diff --git a/go.mod b/go.mod
index 18e542c..cfdf539 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/usetero/cli
-go 1.25.0
+go 1.26.0
 require (
 charm.land/bubbles/v2 v2.0.0-rc.1.0.20260109112849-ae99f46cec66
From c49e984c696b999c4519642c5a4a5a1e39e31702 Mon Sep 17 00:00:00 2001
From: Ben Johnson
Date: Tue, 31 Mar 2026 10:33:23 -0700
Subject: [PATCH 2/4] fix: refresh the actionlint workflow pin
---
 .github/workflows/workflow-lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/workflow-lint.yaml b/.github/workflows/workflow-lint.yaml
index a9b3ae8..ed0bb25 100644
--- a/.github/workflows/workflow-lint.yaml
+++ b/.github/workflows/workflow-lint.yaml
@@ -20,6 +20,6 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Run actionlint
- uses: reviewdog/action-actionlint@f45e6423f07e6ea6fce879bbdb0d74407c1fbf55 # v1
+ uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1
 with:
 fail_level: any
From 59407124c8c017f952ced4813decacc9db91352f Mon Sep 17 00:00:00 2001
From: Ben Johnson
Date: Tue, 31 Mar 2026 10:37:36 -0700
Subject: [PATCH 3/4] fix: update the CLI Go toolchain patch level
---
 .github/workflows/ci.yaml | 2 +-
 .github/workflows/pr-ci.yaml | 4 ++--
 .github/workflows/security.yaml | 2 +-
 .github/workflows/workflow-lint.yaml | 2 +-
 bin/{.go-1.26.0.pkg => .go-1.26.1.pkg} | 0
 bin/go | 2 +-
 bin/gofmt | 2 +-
 go.mod | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
 rename bin/{.go-1.26.0.pkg => .go-1.26.1.pkg} (100%)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8b9ea16..aafdff0 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,7 +2,7 @@ name: CI
 on:
 push:
- branches: [master]
+ branches: [master, arch-reset]
 workflow_dispatch:
 concurrency:
diff --git a/.github/workflows/pr-ci.yaml b/.github/workflows/pr-ci.yaml
index f8ae6f5..1ddcd0a 100644
--- a/.github/workflows/pr-ci.yaml
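Review bot: The `branches: [master, arch-reset]` line added to the `push:` trigger in ci.yaml is unrelated to the commit subject ("update the CLI Go toolchain patch level") and is not explained anywhere in the message, and the same widening is repeated in the pr-ci.yaml, security.yaml and workflow-lint.yaml hunks of this patch. A reader of the history cannot tell why `arch-reset` now gets CI, or whether the entry is meant to be removed once that branch lands. Either split the trigger change into its own commit with a subject that names it, or annotate the line once, e.g. `branches: [master, arch-reset]  # arch-reset: <reason>; drop once merged`. Since the push-triggered jobs now mint an App installation token (patch 1 of this series), it would also be worth confirming — branch settings are not visible here — that `arch-reset` carries the same push restrictions as `master`.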
+++ b/.github/workflows/pr-ci.yaml
@@ -2,9 +2,9 @@ name: PR CI
 on:
 pull_request:
- branches: [master]
+ branches: [master, arch-reset]
 merge_group:
- branches: [master]
+ branches: [master, arch-reset]
 workflow_dispatch:
 concurrency:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index d1db722..77eeb75 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -2,7 +2,7 @@ name: Security
 on:
 pull_request:
- branches: [master]
+ branches: [master, arch-reset]
 schedule:
 - cron: "30 7 * * 1"
 workflow_dispatch:
diff --git a/.github/workflows/workflow-lint.yaml b/.github/workflows/workflow-lint.yaml
index ed0bb25..ccc75fd 100644
--- a/.github/workflows/workflow-lint.yaml
+++ b/.github/workflows/workflow-lint.yaml
@@ -2,7 +2,7 @@ name: Workflow Lint
 on:
 pull_request:
- branches: [master]
+ branches: [master, arch-reset]
 paths:
 - .github/workflows/**
 - .github/actions/**
diff --git a/bin/.go-1.26.0.pkg b/bin/.go-1.26.1.pkg
similarity index 100%
rename from bin/.go-1.26.0.pkg
rename to bin/.go-1.26.1.pkg
diff --git a/bin/go b/bin/go
index eabd385..99e8783 120000
--- a/bin/go
+++ b/bin/go
@@ -1 +1 @@
-.go-1.26.0.pkg
\ No newline at end of file
+.go-1.26.1.pkg
\ No newline at end of file
diff --git a/bin/gofmt b/bin/gofmt
index eabd385..99e8783 120000
--- a/bin/gofmt
+++ b/bin/gofmt
@@ -1 +1 @@
-.go-1.26.0.pkg
\ No newline at end of file
+.go-1.26.1.pkg
\ No newline at end of file
diff --git a/go.mod b/go.mod
index cfdf539..7266de5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/usetero/cli
-go 1.26.0
+go 1.26.1
 require (
 charm.land/bubbles/v2 v2.0.0-rc.1.0.20260109112849-ae99f46cec66
From 790374c61b65bb6f993b83d6be51b664814c0f9a Mon Sep 17 00:00:00 2001
From: Ben Johnson
Date: Tue, 31 Mar 2026 10:45:37 -0700
Subject: [PATCH 4/4] fix: add ripgrep to the Hermit toolchain
---
 bin/.ripgrep-15.1.0.pkg | 1 +
 bin/rg | 1 +
 2 files changed, 2 insertions(+)
 create mode 120000 bin/.ripgrep-15.1.0.pkg
 create mode 120000 bin/rg
diff --git a/bin/.ripgrep-15.1.0.pkg b/bin/.ripgrep-15.1.0.pkg
new file mode 120000
index 0000000..383f451
--- /dev/null
+++ b/bin/.ripgrep-15.1.0.pkg
@@ -0,0 +1 @@
+hermit
\ No newline at end of file
diff --git a/bin/rg b/bin/rg
new file mode 120000
index 0000000..fa2775b
--- /dev/null
+++ b/bin/rg
@@ -0,0 +1 @@
+.ripgrep-15.1.0.pkg
\ No newline at end of file