Prefer gh auth over GitHub tokens for Breeze

[leeyspaul]

This PR intentionally focuses on the Breeze auth-resolution paths first, keeping the change small enough to review safely while establishing a reusable helper that can be extended to prek or token-scope validation in follow-up work.

Normalize Breeze GitHub auth resolution so local GH_TOKEN / GITHUB_TOKEN no longer accidentally shadows a valid gh auth login credential.

This adds shared helpers for Breeze GitHub auth handling:

• run_gh_command(...) for commands that invoke the GitHub CLI directly. It first runs gh with GH_TOKEN / GITHUB_TOKEN removed so gh auth login can be used, then falls back to the original environment if needed.
• retrieve_github_token(...) for commands that need a token string. It preserves explicit --github-token values, otherwise prefers cleaned gh auth token, then falls back to GH_TOKEN / GITHUB_TOKEN.

The duplicated local gh auth token fallback logic in Breeze commands is replaced with the shared helper. This updates workflow-run, issue maintenance, CI upgrade, release issue/changelog generation, and provider metadata refresh paths.

The main design choice is to treat environment tokens as fallback credentials, not as the preferred local credential. This preserves CI/token-only compatibility while making local Breeze behavior less surprising when a stale or under-scoped GITHUB_TOKEN is present.

Tests added for:

• removing GH_TOKEN / GITHUB_TOKEN from the first gh attempt
• preferring cleaned gh auth token
• falling back to env tokens when gh auth is unavailable
• preserving explicit token arguments
• retrying direct gh commands with the original env only after cleaned-env failure

Related: #55567

---

Was generative AI tooling used to co-author this PR?

• Yes (please specify the tool below)

---

• Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
• For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
• When adding dependency, check compliance with the ASF 3rd Party License Policy.
• For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

[potiuk]

Approving in spirit — the design (cleaned-env-first, env-fallback) is the right call, the helpers are small, and CI flows that rely on GITHUB_TOKEN should be unaffected. Left individual comments on items worth fixing before merge:

• Possible dry-run regression in tigger_workflow (the only behavioral concern; the rest are nits).
• _get_github_token typing/redundancy in release_management_commands.py.
• Document the "explicit token equals env token" rule (or drop it if Click envvar=... isn't actually in play for --github-token).
• A few missing test cases (check=True raise path, FileNotFoundError, empty gh auth token stdout).
• Phrasing nit on the workflow-run GITHUB_TOKEN warning.

---

Drafted-by: Claude Opus 4.7 (1M context); reviewed by @potiuk before posting

[github-actions]

Backport failed to create: v3-2-test. View the failure log Run details

Note: As of Merging PRs targeted for Airflow 3.X
the committer who merges the PR is responsible for backporting the PRs that are bug fixes (generally speaking) to the maintenance branches.

In matter of doubt please ask in #release-management Slack channel.

Status	Branch	Result
❌	v3-2-test

You can attempt to backport this manually by running:

cherry_picker 7fef6c1 v3-2-test

This should apply the commit to the v3-2-test branch and leave the commit in conflict state marking
the files that need manual conflict resolution.

After you have resolved the conflicts, you can continue the backport process by running:

cherry_picker --continue

If you don't have cherry-picker installed, see the installation guide.