cli/cli v2.49.0

GitHub CLI 2.49.0

on GitHub

Support for GitHub Artifact Attestations

v2.49.0 release introduces the attestation command set for downloading and verifying attestations about artifacts built in GitHub Actions! This is part of the larger Artifact Attestations initiative. An artifact attestation is a piece of cryptographically signed metadata that is generated as part of your artifact build process. These attestations bind artifacts to the details of the workflow run that produced them, and allow you to guarantee the integrity and provenance of any artifact built in GitHub Actions.

# Verify a local artifact
gh attestation verify artifact.bin -o <your org>

# Verify a local artifact against a local artifact attestation
gh attestation verify artifact.bin -b ./artifact-v0.0.1-bundle.json -o <your org>

# Verify an OCI image
gh attestation verify oci://ghcr.io/foo/bar:latest -o <your org>

# Download artifact attestations
gh attestation download artifact.bin -o <your org>

To get started, check out gh help attestation. You can also use the gh at <command> alias for short.

What's Changed

• Improve gh run rerun docs by @sochotnicky in #8969
• build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in #8981
• Update sigstore-go dependency to v0.3.0 by @malancas in #8977
• gh attestation tuf-root-verify offline test fix by @malancas in #8975
• Update gh attestation verify output by @malancas in #8991
• build(deps): bump google.golang.org/grpc from 1.62.1 to 1.62.2 by @dependabot in #8989
• Remove Hidden flag from gh attestation command by @malancas in #8998
• Add colon for gh secret set by @NeroBlackstone in #9004
• Improve errors when loading bundle locally fails by @williammartin in #8996
• Support offline mode for gh attestation verify by @steiza in #8997
• Add projectsV2 to JSON fields of gh repo commands by @babakks in #9007
• Support long URLs in gh repo clone by @babakks in #9008
• Fix issue with closing pager stream by @babakks in #9020
• proof of concept for flag-level disable auth check by @andyfeller in #9000
• Be more general with attestation host checks by @williammartin in #9019
• Add beta designation on attestation command set by @andyfeller in #9022
• Tweaked gh attestation help strings to generate nicer cli manual site. by @phillmv in #9025
• Update cli/go-gh to v2.9.0 by @andyfeller in #9023
• Document repo clone protocol behaviour by @williammartin in #9030

New Contributors

• @sochotnicky made their first contribution in #8969
• @NeroBlackstone made their first contribution in #9004
• @phillmv made their first contribution in #9025

Full Changelog: v2.48.0...v2.49.0