got patch: pledge early
i thought it may make sense to pledge early here. "rpath wpath cpath" cannot be dropped as we don't know in advance if the patch will require us to create a new file, and we need to create some temp. files anyway even in nop mode. in theory maybe we could spawn the helpers early and drop "proc exec", but i'm still unsure if it's feasible. ('got patch' requires at least got-read-blob, plus the access to the fileindex. in the future if we add a -c flag to specify a commit at which to apply the diff it'll require more libexecs) diff /home/op/w/got commit - 595228385f8c74590756ff446d5b84aad0ebfda7 path + /home/op/w/got blob - df883fd1dcb28651677ef268c491f878e506e7fe file + got/got.c --- got/got.c +++ got/got.c @@ -7948,6 +7948,12 @@ cmd_patch(int argc, char *argv[]) int patchfd; int *pack_fds = NULL; +#ifndef PROFILE + if (pledge("stdio rpath wpath cpath fattr proc exec sendfd flock " + "unveil", NULL) == -1) + err(1, "pledge"); +#endif + while ((ch = getopt(argc, argv, "np:R")) != -1) { switch (ch) { case 'n': @@ -8015,12 +8021,6 @@ cmd_patch(int argc, char *argv[]) if (error != NULL) goto done; -#ifndef PROFILE - if (pledge("stdio rpath wpath cpath fattr proc exec sendfd flock", - NULL) == -1) - err(1, "pledge"); -#endif - error = got_patch(patchfd, worktree, repo, nop, strip, reverse, &patch_progress, NULL, check_cancelled, NULL);
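Review bot: the new pledge() at the top of cmd_patch (first hunk, ahead of the getopt loop) has no comment explaining why "rpath wpath cpath" and "proc exec" must stay in the promise list. That reasoning currently lives only in the mail: the patch may create new files, temp files are needed even with -n, and the libexec helpers are spawned later. A short comment above the call would stop a later reader from trimming the list and breaking 'got patch'.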
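Review bot: in the second hunk, deleting the pledge() just before got_patch() leaves nothing in the visible lines that narrows the promise set once setup is done, so got_patch() runs with the "unveil" promise from the first hunk still granted unless code between the two hunks (not shown in this diff) locks unveil. Consider keeping the call at this spot as a second, narrower pledge using the old string without "unveil", since a later pledge can only reduce promises, or confirm that the intervening setup ends with unveil(NULL, NULL).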