Release Notes
Patch Changes
-
322529d: Document all environment variables and enable GOOGLE_WORKSPACE_CLI_CONFIG_DIR in release builds
-
2173a92: Send x-goog-user-project header when using ADC with a quota_project_id
-
1f47420: fix: extract CLA label job into dedicated workflow to prevent feedback loop
The Automation workflow's
check_run: [completed]trigger caused a feedback
loop — every workflow completion fired a check_run event, re-triggering
Automation, which produced another check_run event, and so on. Moving the
CLA label job to its owncla.ymlworkflow eliminates the trigger from
Automation entirely. -
132c3b1: fix: warn on credential file permission failures instead of ignoring
Replaced silent
let _ =onset_permissionscalls insave_encrypted
witheprintln!warnings so users are aware if their credential files
end up with insecure permissions. Also log keyring access failures
instead of silently falling through to file storage. -
a2cc523: Add
x86_64-unknown-linux-muslbuild target for Linux musl/static binary support -
c86b964: Fix multi-account selection: MCP server now respects
GOOGLE_WORKSPACE_CLI_ACCOUNTenv var (#221), and--accountflag before service name no longer causes parse errors (#181) -
ff53538: Fix scope selection to use first (broadest) scope instead of all method scopes, preventing gmail.metadata restrictions from blocking query parameters
-
c80eb52: Replace strip_suffix(".readonly").unwrap() with unwrap_or fallback
Two call sites used
.strip_suffix(".readonly").unwrap()which would
panic if a scope URL marked asis_readonlydidn't actually end with
".readonly". While the current data makes this unlikely, using
unwrap_oris a defensive improvement that prevents potential panics
from inconsistent discovery data. -
9a780d7: Log token cache decryption/parse errors instead of silently swallowing
Previously,
load_from_diskused four nestedif let Okblocks that
silently returned an empty map on any failure. When the encryption key
changed or the cache was corrupted, tokens silently stopped loading and
users were forced to re-authenticate with no explanation.Now logs specific warnings to stderr for decryption failures, invalid
UTF-8, and JSON parse errors, with a hint to re-authenticate. -
6daf90d: Fix MCP tool schemas to conditionally include
body,upload, andpage_allproperties only when the underlying Discovery Document method supports them.bodyis included only when a request body is defined,uploadonly whensupportsMediaUploadis true, andpage_allonly when the method has apageTokenparameter. Also drops emptybody: {}objects that LLMs commonly send on GET methods, preventing 400 errors from Google APIs.
Install gws 0.6.3
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/googleworkspace/cli/releases/download/v0.6.3/gws-installer.sh | shInstall prebuilt binaries via powershell script
powershell -ExecutionPolicy Bypass -c "irm https://github.com/googleworkspace/cli/releases/download/v0.6.3/gws-installer.ps1 | iex"Install prebuilt binaries into your npm project
npm install @googleworkspace/cli@0.6.3Download gws 0.6.3
| File | Platform | Checksum |
|---|---|---|
| gws-aarch64-apple-darwin.tar.gz | Apple Silicon macOS | checksum |
| gws-x86_64-apple-darwin.tar.gz | Intel macOS | checksum |
| gws-x86_64-pc-windows-msvc.tar.gz | x64 Windows | checksum |
| gws-aarch64-unknown-linux-gnu.tar.gz | ARM64 Linux | checksum |
| gws-x86_64-unknown-linux-gnu.tar.gz | x64 Linux | checksum |
| gws-aarch64-unknown-linux-musl.tar.gz | ARM64 MUSL Linux | checksum |
| gws-x86_64-unknown-linux-musl.tar.gz | x64 MUSL Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo googleworkspace/cliYou can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>