v2.49.0

Support for GitHub Artifact Attestations

v2.49.0 release introduces the attestation command set for downloading and verifying attestations about artifacts built in GitHub Actions! This is part of the larger Artifact Attestations initiative. An artifact attestation is a piece of cryptographically signed metadata that is generated as part of your artifact build process. These attestations bind artifacts to the details of the workflow run that produced them, and allow you to guarantee the integrity and provenance of any artifact built in GitHub Actions.

# Verify a local artifact
gh attestation verify artifact.bin -o <your org>

# Verify a local artifact against a local artifact attestation
gh attestation verify artifact.bin -b ./artifact-v0.0.1-bundle.json -o <your org>

# Verify an OCI image
gh attestation verify oci://ghcr.io/foo/bar:latest -o <your org>

# Download artifact attestations
gh attestation download artifact.bin -o <your org>

To get started, check out gh help attestation. You can also use the gh at <command> alias for short.

What's Changed

• Improve gh run rerun docs by @sochotnicky in https://github.com/cli/cli/pull/8969
• build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in https://github.com/cli/cli/pull/8981
• Update sigstore-go dependency to v0.3.0 by @malancas in https://github.com/cli/cli/pull/8977
• gh attestation tuf-root-verify offline test fix by @malancas in https://github.com/cli/cli/pull/8975
• Update gh attestation verify output by @malancas in https://github.com/cli/cli/pull/8991
• build(deps): bump google.golang.org/grpc from 1.62.1 to 1.62.2 by @dependabot in https://github.com/cli/cli/pull/8989
• Remove Hidden flag from gh attestation command by @malancas in https://github.com/cli/cli/pull/8998
• Add colon for gh secret set by @NeroBlackstone in https://github.com/cli/cli/pull/9004
• Improve errors when loading bundle locally fails by @williammartin in https://github.com/cli/cli/pull/8996
• Support offline mode for gh attestation verify by @steiza in https://github.com/cli/cli/pull/8997
• Add projectsV2 to JSON fields of gh repo commands by @babakks in https://github.com/cli/cli/pull/9007
• Support long URLs in gh repo clone by @babakks in https://github.com/cli/cli/pull/9008
• Fix issue with closing pager stream by @babakks in https://github.com/cli/cli/pull/9020
• proof of concept for flag-level disable auth check by @andyfeller in https://github.com/cli/cli/pull/9000
• Be more general with attestation host checks by @williammartin in https://github.com/cli/cli/pull/9019
• Add beta designation on attestation command set by @andyfeller in https://github.com/cli/cli/pull/9022
• Tweaked gh attestation help strings to generate nicer cli manual site. by @phillmv in https://github.com/cli/cli/pull/9025
• Update cli/go-gh to v2.9.0 by @andyfeller in https://github.com/cli/cli/pull/9023
• Document repo clone protocol behaviour by @williammartin in https://github.com/cli/cli/pull/9030

New Contributors

• @sochotnicky made their first contribution in https://github.com/cli/cli/pull/8969
• @NeroBlackstone made their first contribution in https://github.com/cli/cli/pull/9004
• @phillmv made their first contribution in https://github.com/cli/cli/pull/9025

Full Changelog: https://github.com/cli/cli/compare/v2.48.0...v2.49.0