Adopt isPermissionError helper for gh CLI auth-error detection

[Copilot]

Four call sites in pkg/cli were reimplementing auth-error substring checks inline instead of using the existing isPermissionError helper in audit.go, causing the checked substring sets to drift independently across files.

Changes

pkg/cli/audit.go

• Splits isPermissionError into an internal isPermissionErrorStr(s string) bool that operates on raw strings (enabling callers that check combined error+output messages) and a thin isPermissionError(err error) bool wrapper
• Widens the canonical substring set to the union of all caller needs, adding "not logged into any GitHub hosts", "To use GitHub CLI in a GitHub Actions workflow", and "gh auth login" (previously only checked inline in logs_github_api.go)
• Adds is403Error(err error) bool for 403 HTTP status checks

Call site consolidation

• logs_download.go (×2): strings.Contains(err.Error(), "exit status 4") → isPermissionError(err)
• logs_github_api.go: five-clause inline auth check → isPermissionErrorStr(combinedMsg) (preserves combined error+output matching)
• secrets.go, mcp_secrets.go: strings.Contains(err.Error(), "403") → is403Error(err)
• secrets.go: fixes inverted 403 guard logic (!is403Error → is403Error) to match the comment's stated intent

Before / After (logs_download.go)

// Before
if strings.Contains(err.Error(), "exit status 4") {
    return errors.New("GitHub CLI authentication required. Run 'gh auth login' first")
}

// After
if isPermissionError(err) {
    return errors.New("GitHub CLI authentication required. Run 'gh auth login' first")
}

Tests

• Extends TestIsPermissionError with the three new substrings
• Adds TestIsPermissionErrorStr covering the string-based helper
• Adds TestIs403Error

[Copilot]

Pull request overview

This PR centralizes GitHub CLI authentication and permission-error detection helpers across several pkg/cli call sites.

Changes:

• Extracts string-based permission detection and adds a shared 403 helper.
• Replaces inline auth/403 substring checks in logs and secrets flows.
• Extends helper unit tests for additional auth and 403 cases.

Show a summary per file

File	Description
pkg/cli/audit.go	Adds shared string/error permission helpers and 403 detection.
pkg/cli/audit_test.go	Adds coverage for new helper behavior.
pkg/cli/logs_github_api.go	Uses the shared auth helper for workflow-run listing failures.
pkg/cli/logs_download.go	Uses the shared auth helper for log/artifact download failures.
pkg/cli/mcp_secrets.go	Uses the shared 403 helper for skipped secret checks.
pkg/cli/secrets.go	Uses the shared 403 helper in secret availability checks.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 6/6 changed files
• Comments generated: 3