From 2a7ba470b8edec83063a6ea51f322937adf7608f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 14 Jan 2026 10:06:36 +0000
Subject: [PATCH 1/3] fixup! Adding winget workflows

According to the winget-create documentation, for CI/CD scenarios it is recommended to use the WINGET_CREATE_GITHUB_TOKEN environment variable to pass the token to wingetcreate.exe rather than the -t command-line flag. The concern is that command-line arguments might be logged in process listings, whereas environment variables are more secure as they are not typically exposed in such listings. This is not so much a concern in our use case, because we diligently mask out the secret value from the logs.

Co-authored-by: Johannes Schindelin
---
 .github/workflows/release-winget.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
index 42fddedddaa1ec..fa51b9174cccba 100644
--- a/.github/workflows/release-winget.yml
+++ b/.github/workflows/release-winget.yml
@@ -73,12 +73,12 @@ jobs:
 "$($asset_arm64_url)|arm64|user"

 # Download the token from Azure Key Vault and mask it in the logs
- az keyvault secret download --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --file token.txt
- Write-Host -NoNewLine "::add-mask::$(Get-Content token.txt)"
+ $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
+ Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"

 # Submit the manifest to the winget-pkgs repository
 $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
- $output = & .\wingetcreate.exe submit -t "$(Get-Content token.txt)" $manifestDirectory
+ $output = & .\wingetcreate.exe submit $manifestDirectory
 Write-Host $output
 $url = ($output | Select-String -Pattern 'https://\S+' | ForEach-Object { $_.Matches.Value })[0]
 Write-Host "::notice::Submitted ${env:TAG_NAME} to winget as $url"
From b7d2bbe261247e0f776c5b14fba960d96292ee4d Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Wed, 14 Jan 2026 12:04:17 +0100
Subject: [PATCH 2/3] fixup! Adding winget workflows

In https://github.com/microsoft/git/actions/runs/20960814462, the workflow printed an unwanted aka.ms URL in the notice. This was because the pattern used to filter the wingetcreate.exe output was too broad and matched any https:// URL. Let's be more specific and only match the actual PR URL pattern: https://github.com/microsoft/winget-pkgs/pull/ This ensures that only the relevant pull request URL is captured and displayed in the notice, ignoring aka.ms URLs and other unrelated URLs.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/release-winget.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
index fa51b9174cccba..0585b6341c9913 100644
--- a/.github/workflows/release-winget.yml
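Review bot: The result of `az keyvault secret show` is assigned straight to `$env:WINGET_CREATE_GITHUB_TOKEN` and never checked, so a failed or empty lookup would still reach the `::add-mask::` line and `wingetcreate.exe submit` with no token. Windows PowerShell does not stop on a non-zero exit code from a native command, so a guard right after the assignment would make this fail early: `if ($LASTEXITCODE -ne 0 -or -not $env:WINGET_CREATE_GITHUB_TOKEN) { throw 'Could not read the winget token from Key Vault' }`. It is also worth confirming that `Write-Host -NoNewLine` leaves the mask command properly terminated, since whatever is written to the log next would presumably land on the same line. The same two lines are moved unchanged by the first hunk of PATCH 3/3, so the point applies there as well.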
+++ b/.github/workflows/release-winget.yml
@@ -80,6 +80,6 @@ jobs:
 $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
 $output = & .\wingetcreate.exe submit $manifestDirectory
 Write-Host $output
- $url = ($output | Select-String -Pattern 'https://\S+' | ForEach-Object { $_.Matches.Value })[0]
+ $url = ($output | Select-String -Pattern 'https://github\.com/microsoft/winget-pkgs/pull/\S+' | ForEach-Object { $_.Matches.Value })[0]
 Write-Host "::notice::Submitted ${env:TAG_NAME} to winget as $url"
 shell: powershell
From 20f24e2c310e0905eba54da0975b31ac9afe6e0f Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Wed, 14 Jan 2026 12:52:29 +0100
Subject: [PATCH 3/3] fixup! Adding winget workflows

Let's use the token also for the `wingetcreate.exe update` call. This commit is best viewed with `--color-moved`.

Pointed-out-by: Matthew John Cheetham
Signed-off-by: Johannes Schindelin
---
 .github/workflows/release-winget.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
index 0585b6341c9913..42a78fcfe884ee 100644
--- a/.github/workflows/release-winget.yml
+++ b/.github/workflows/release-winget.yml
@@ -62,6 +62,10 @@ jobs:
 $env:TAG_NAME -match 'v(.*?)vfs\.(.*)'
 $version = $Matches[1] + $Matches[2]

+ # Download the token from Azure Key Vault and mask it in the logs
+ $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
+ Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"
+
 # Download wingetcreate and create manifests
 Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
 .\wingetcreate.exe update Microsoft.Git `
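Review bot: With the narrower pattern the trailing `[0]` is more likely to be applied to an empty result, for example when `wingetcreate.exe submit` fails and prints no pull request URL, and indexing an empty result is an error in PowerShell rather than a readable failure message. The exit code of the submit call is not checked in the visible lines either, so ending the pipeline with `| Select-Object -First 1` instead of `[0]` and following it with `if ($LASTEXITCODE -ne 0 -or -not $url) { throw 'wingetcreate submit did not report a pull request URL' }` would make the failure explicit. Since a pull request URL ends in a number, `pull/\d+` would be tighter than `pull/\S+` and would not pick up trailing punctuation from the tool's output.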
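Review bot: The token is now placed in the process environment before `wingetcreate.exe` is downloaded from the moving `https://aka.ms/wingetcreate/latest` link, and nothing between the download and the first invocation verifies that binary before it runs with the token available to it. A signature check after `Invoke-WebRequest` would close that gap, for example `if ((Get-AuthenticodeSignature .\wingetcreate.exe).Status -ne 'Valid') { throw 'wingetcreate.exe failed signature verification' }`, ideally also comparing the signer with the expected publisher and pinning a release instead of `latest`. The download line is unchanged context here and the step begins and ends outside this hunk.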
@@ -72,10 +76,6 @@ jobs:
 "$($asset_arm64_url)|arm64|machine" `
 "$($asset_arm64_url)|arm64|user"

- # Download the token from Azure Key Vault and mask it in the logs
- $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
- Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"
-
 # Submit the manifest to the winget-pkgs repository
 $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
 $output = & .\wingetcreate.exe submit $manifestDirectory