Authorization header no longer leaks to TUF mirrors in attestation commands
v2.93.0
Security
A security vulnerability has been identified and fixed that caused the authorization header to be incorrectly included in API requests to TUF repository mirrors made via the gh attestation, gh release verify, and gh release verify-asset commands.
Users are advised to update gh to version v2.93.0 as soon as possible.
For more information see: https://github.com/cli/cli/security/advisories/GHSA-8xvp-7hj6-mcj9
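The class of bug described above, a credential header reaching a host it was not meant for, is commonly prevented by scoping the header to one host at the transport layer. The following Go sketch is an added example, not code from gh or from the advisory; the type hostScopedAuth, the function seenAuth, the token value and the two local test servers are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// hostScopedAuth (hypothetical name) attaches the token only to requests for
// allowedHost and strips any Authorization header bound for another host.
type hostScopedAuth struct {
	token       string
	allowedHost string // host[:port] exactly as it appears in the request URL
	next        http.RoundTripper
}

func (t hostScopedAuth) RoundTrip(req *http.Request) (*http.Response, error) {
	out := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	if out.URL.Host == t.allowedHost {
		out.Header.Set("Authorization", "token "+t.token)
	} else {
		out.Header.Del("Authorization")
	}
	return t.next.RoundTrip(out)
}

// seenAuth sends one GET to each of two local servers through a client scoped
// to the first, and returns the Authorization header each server received.
func seenAuth() (api, mirror string) {
	record := func(dst *string) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			*dst = r.Header.Get("Authorization")
		})
	}
	apiSrv := httptest.NewServer(record(&api)) // stands in for the API host
	defer apiSrv.Close()
	mirrorSrv := httptest.NewServer(record(&mirror)) // stands in for a TUF mirror
	defer mirrorSrv.Close()

	u, _ := url.Parse(apiSrv.URL)
	client := &http.Client{Transport: hostScopedAuth{
		token: "CONSTRUCTED-TOKEN", allowedHost: u.Host, next: http.DefaultTransport,
	}}
	for _, target := range []string{apiSrv.URL, mirrorSrv.URL + "/root.json"} {
		if resp, err := client.Get(target); err == nil {
			resp.Body.Close()
		}
	}
	return api, mirror
}

func main() {
	api, mirror := seenAuth()
	fmt.Printf("api saw %q, mirror saw %q\n", api, mirror)
}
```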
Support agents in gh secret command set
The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".
What's Changed
✨ Features
- Allow agents as application for secrets by @tenjaa in https://github.com/cli/cli/pull/13421
🐛 Fixes
- fix(pr): remove numberFieldOnly optimization that skips API validation by @williammartin in https://github.com/cli/cli/pull/13327
- Print gh auth refresh for 401 returns by @333fred in https://github.com/cli/cli/pull/13068
- Derive digest algorithm from ref length in release verify commands by @bdehamer in https://github.com/cli/cli/pull/13430
📚 Docs & Chores
- Add missing //go:build integration tag to verify_integration_test.go by @pdostal in https://github.com/cli/cli/pull/13303
- Fix flaky accessible prompter Password test timeout by @pdostal in https://github.com/cli/cli/pull/13304
- Enable extended PR screening for external PRs by @tidy-dev in https://github.com/cli/cli/pull/13312
- Grammar fixes by @scop in https://github.com/cli/cli/pull/13326
- Bump gh copilot telemetry sampling to 100% by @williammartin in https://github.com/cli/cli/pull/13362
- Record accessibility feature state in telemetry by @williammartin in https://github.com/cli/cli/pull/13363
- Poll TTY echo mode instead of sleeping in password tests by @pdostal in https://github.com/cli/cli/pull/13305
- Switch from actions/attest-build-provenance to actions/attest by @scop in https://github.com/cli/cli/pull/13325
- Fix skills acceptance tests by @williammartin in https://github.com/cli/cli/pull/13365
- Bump Go toolchain to 1.26.3 by @Copilot in https://github.com/cli/cli/pull/13367
- Trigger triage check-requirements on ready_for_review by @BagToad in https://github.com/cli/cli/pull/13383
- fix(copilot): hint to run copilot directly when exec fails by @babakks in https://github.com/cli/cli/pull/13393
- Update installation commands for GitHub CLI by @sassdawe in https://github.com/cli/cli/pull/13126
- Update CODEOWNERS for skills directory ownership by @williammartin in https://github.com/cli/cli/pull/13416
- fix(telemetry): prevent tzutil console flash on Windows by @adehad in https://github.com/cli/cli/pull/13353
- Fix bump-go.sh to tolerate missing toolchain directive by @Copilot in https://github.com/cli/cli/pull/12581
- docs: drop --repo gh-cli from dnf install lines by @c-tonneslan in https://github.com/cli/cli/pull/13444
- Remove third-party license debris by @williammartin in https://github.com/cli/cli/pull/13470
- Remove dependency on persistent token by @williammartin in https://github.com/cli/cli/pull/13474
- Remove discussion workflow by @williammartin in https://github.com/cli/cli/pull/13476
- Stop bumping homebrew on release by @williammartin in https://github.com/cli/cli/pull/13479
- build: update golang.org/x/crypto by @tommaso-moro in https://github.com/cli/cli/pull/13486
- Add 3 day dependabot cooldown period by @williammartin in https://github.com/cli/cli/pull/13488
- Run govulncheck daily instead of weekly by @williammartin in https://github.com/cli/cli/pull/13487
- SHA pin first-party GitHub Actions by @williammartin in https://github.com/cli/cli/pull/13491
- Link to Accessibility category for community discussions instead of ACR by @mxie in https://github.com/cli/cli/pull/13481
- docs: fix duplicated "of" in release-process-deep-dive by @vip892766gma in https://github.com/cli/cli/pull/13425
- chore(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 by @BagToad in https://github.com/cli/cli/pull/13510
- docs: note immutable releases starting v2.93.0 by @BagToad in https://github.com/cli/cli/pull/13518
- fix CI attestation integration tests after rename by @BagToad in https://github.com/cli/cli/pull/13536
Dependencies
- chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 by @dependabot[bot] in https://github.com/cli/cli/pull/13297
- chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 by @dependabot[bot] in https://github.com/cli/cli/pull/13328
- chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 by @dependabot[bot] in https://github.com/cli/cli/pull/13381
- chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @dependabot[bot] in https://github.com/cli/cli/pull/13396
- chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @dependabot[bot] in https://github.com/cli/cli/pull/13346
- chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in https://github.com/cli/cli/pull/13397
- chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @dependabot[bot] in https://github.com/cli/cli/pull/13420
- chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @dependabot[bot] in https://github.com/cli/cli/pull/13436
- chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @dependabot[bot] in https://github.com/cli/cli/pull/13461
- chore(deps): bump github/codeql-action from 4 to 4.35.5 by @dependabot[bot] in https://github.com/cli/cli/pull/13489
- chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.4.1 to 2.4.2 by @dependabot[bot] in https://github.com/cli/cli/pull/13462
- chore(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by @dependabot[bot] in https://github.com/cli/cli/pull/13457
New Contributors
- @pdostal made their first contribution in https://github.com/cli/cli/pull/13303
- @333fred made their first contribution in https://github.com/cli/cli/pull/13068
- @scop made their first contribution in https://github.com/cli/cli/pull/13326
- @sassdawe made their first contribution in https://github.com/cli/cli/pull/13126
- @adehad made their first contribution in https://github.com/cli/cli/pull/13353
- @c-tonneslan made their first contribution in https://github.com/cli/cli/pull/13444
- @tenjaa made their first contribution in https://github.com/cli/cli/pull/13421
- @mxie made their first contribution in https://github.com/cli/cli/pull/13481
- @vip892766gma made their first contribution in https://github.com/cli/cli/pull/13425
Full Changelog: https://github.com/cli/cli/compare/v2.92.0...v2.93.0
Fetched May 27, 2026
