What's Changed

• docs: improve docs for browse command as of #5352 by @ankddev in #10025
• Open PR against gh-merge-base by @heaths in #9712
• Add integration tests for gh attestation verify when the bundle-from-oci flag is specified by @malancas in #10020
• gh repo rename help text clarifies new repo name should not include owner by @BagToad in #10044
• fix: list branches in square brackets in gh run and gh codespace by @uday-rana in #10043
• Bump actions/attest-build-provenance from 1.4.4 to 2.1.0 by @dependabot in #10056
• Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #10070
• Improve documentation and error messaging for local extension installations without executables by @BagToad in #9933
• docs: better document auth scopes by @ankddev in #10026
• Sigstore verifier logic updates by @malancas in #9999
• gh pr merge --delete-branch exits with error when merge requested via merge queue by @BagToad in #10074
• sundry gh at inspect improvements by @phillmv in #9954
• Support pr view for intra-org forks by @williammartin in #10078
• Print policy information before verifying attestations by @malancas in #9891
• Improve error handling in apt setup script by @jobegrabber in #10055
• Use Windows compatible file name for downloaded attestations when running gh attestation download by @malancas in #10051
• Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 by @dependabot in #10094
• Perform all gh attestation verify policy options configuration in the newEnforcementCriteria() function by @malancas in #10012

New Contributors

• @ankddev made their first contribution in #10025
• @uday-rana made their first contribution in #10043
• @jobegrabber made their first contribution in #10055

Full Changelog: v2.63.2...v2.64.0

What's Changed

• Use consistent slice ordering in run download tests by @williammartin in #10006
• Fix bug when fetching bundles from OCI registry by @malancas in #10019
• Use safepaths for run download by @williammartin in #10009
• Error for mutually exclusive json and watch flags by @andyfeller in #10016

Full Changelog: v2.63.1...v2.63.2

What's Changed

• Fix formatting in git/client_test.go comments for linter by @BagToad in #9969
• Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7 by @dependabot in #9942
• Clarify which commands correspond to which DNF version under Linux install instructions by @BagToad in #9976
• When renaming an existing remote as part of remote creation in gh repo fork, log the change by @timrogers in #9983
• Fix PR checkout panic when base repo is not in remotes by @williammartin in #9992

Security

• A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

  For more information, see GHSA-2m9h-r57g-45pj

Full Changelog: v2.63.0...v2.63.1

What's Changed

• Support bare repo creation by @williammartin in #9905
• Refactor the getAttestations functions by @malancas in #9892
• Added a section on manual verification of the relases. by @kommendorkapten in #9936
• Adding option to return baseRefOid in pr view by @daliusd in #9938
• Update verification results printing by @malancas in #9937
• Fix some multiline command documentation to use heredoc strings by @BagToad in #9948
• Print friendly error when release create fails due to missing workflow OAuth scope by @BagToad in #9791

Full Changelog: v2.62.0...v2.63.0

Security

• A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.

  For more information, see GHSA-jwcm-9g39-pmcw

New Contributors

• @daliusd made their first contribution in #9938

What's Changed

• Update monotonic verification logic and testing by @malancas in #9856
• Check extension for latest version when executed by @andyfeller in #9866
• Shorten extension release checking from 3s to 1s by @andyfeller in #9914
• Mention GitHub CLI team on discussion issues by @andyfeller in #9920

Full Changelog: v2.61.0...v2.62.0

Security

• A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the gh codespace ssh or gh codespace logs commands.

  For more information, see GHSA-p2h2-3vg9-4p87

GitHub CLI notifies users about latest extension upgrades

Similar to the notification of latest gh releases, the v2.62.0 version of GitHub CLI will notify users about latest extension upgrades when the extension is used:

$ gh ado2gh
...

A new release of ado2gh is available: 1.7.0 → 1.8.0
To upgrade, run: gh extension upgrade ado2gh --force
https://github.com/github/gh-ado2gh

Why does this matter?

This removes a common pain point of extension authors as they have had to reverse engineer and implement a similar mechanism within their extensions directly.

With this quality of life improvement, there are 2 big benefits:

1. Extension authors will hopefully see increased adoption of newer releases while having lower bar to maintaining their extensions.
2. GitHub CLI users will have greater awareness of new features, bug fixes, and security fixes to the extensions used.

What do you need to do?

Extension authors should review their extensions and consider removing any custom logic previously implemented to notify users of new releases.

Ensure users understand consequences before making repository visibility changes

In v2.61.0, gh repo edit command has been enhanced to inform users about consequences of changing visibility and ensure users are intentional before making irreversible changes:

1. Interactive gh repo edit visibility change requires confirmation when changing from public, private, or internal
2. Non-interactive gh repo edit --visibility change requires new --accept-visibility-change-consequences flag to confirm
3. New content to inform users of consequences
   • Incorporate GitHub Docs content into help usage and interactive gh repo edit experience
   • Expanded help usage to call out most concerning consequences
   • Display repository star and watcher counts to understand impact before confirming

What's Changed

• Add acceptance test for project command by @jtmcg in #9816
• Add comprehensive testscript for gh ruleset by @andyfeller in #9815
• Add comprehensive testscript for gh ext commandset by @andyfeller in #9810
• Require visibility confirmation in gh repo edit by @andyfeller in #9845
• Clean up skipped online tests for gh attestation verify by @malancas in #9838
• gh attestation verify should only verify provenance attestations by default by @malancas in #9825
• Set dnf5 commands as default by @its-miroma in #9844
• Fix verbiage for deleting workflow runs by @akx in #9876
• Bump github.com/creack/pty from 1.1.23 to 1.1.24 by @dependabot in #9862
• gh attestation verify policy enforcement refactor by @malancas in #9848
• Simplify Sigstore verification result handling in gh attestation verify by @malancas in #9877
• Print empty array for gh cache list when --json is provided by @williammartin in #9883
• Bump actions/attest-build-provenance from 1.4.3 to 1.4.4 by @dependabot in #9884
• Create the automatic key when specified with -i by @cmbrose in #9881
• fix: gh pr create -w ignore template flag by @nilvng in #9863

New Contributors

• @akx made their first contribution in #9876
• @nilvng made their first contribution in #9863

Full Changelog: v2.60.1...v2.61.0

This is a small patch release to fix installing gh via go install which was broken with v2.60.0.

What's Changed

• Update testscript to use hard fork by @williammartin in #9821

Full Changelog: v2.60.0...v2.60.1

What's Changed

• Add ArchivedAt field by @tsukasaI in #9790
• Include startedAt, completedAt in run steps data by @andyfeller in #9774
• Adjust environment help for host and tokens by @williammartin in #9809
• Add handling of empty titles for Issues and PRs by @jtmcg in #9701
• LiveSigstoreVerifier.Verify should error if no attestations are present by @phillmv in #9742
• gh at verify retries fetching attestations if it receives a 5xx by @phillmv in #9797
• Prevent local extension installations with invalid names and conflicts with core commands and other extensions by @BagToad in #9794
• Rewrite a sentence in CONTRIBUTING.md by @muzimuzhi in #9772
• Use new GitHub preview terms in working-with-us.md by @BagToad in #9800
• Use new GitHub previews terminology in attestation commands' help docs by @BagToad in #9799
• Clarify in README that gh is supported on GitHub Enterprise Cloud by @BagToad in #9805
• build(deps): bump github.com/gabriel-vasile/mimetype from 1.4.5 to 1.4.6 by @dependabot in #9752

Acceptance Test Changes

• Add acceptance tests for workflow, run, and cache commands by @BagToad in #9766
• Add basic api acceptance tests by @BagToad in #9770
• Add acceptance tests for release commands by @BagToad in #9771
• Add acceptance tests for org and ssh-key commands by @BagToad in #9812
• Add acceptance tests for gh auth commands by @jtmcg in #9787
• Add acceptance tests for repo commands by @jtmcg in #9783
• Add acceptance tests for search command by @BagToad in #9786
• Add acceptance tests for variable commands by @andyfeller in #978
• Add testscripts for gpg-key and label commands by @williammartin in #9811
• Use forked testscript for token redaction by @williammartin in #9804
• Add acceptance tests for secret commands by @andyfeller in #9782
• Note token redaction in Acceptance test README by @williammartin in #9813

New Contributors

• @tsukasaI made their first contribution in #9790

Full Changelog: v2.59.0...v2.60.0

What's Changed

• Allow community submitted design work by @BagToad in #9683
• Improve SECURITY.md with expectations for privately reported vulnerabilities by @BagToad in #9687
• Emit a log message when extension installation falls back to a darwin-amd64 binary on an Apple Silicon macOS device by @timrogers in #9650
• Print the login URL even when opening a browser by @ulfjack in #7091
• configurable maxwidth for markdown WithWrap() by @smemsh in #9626
• Handle errors when parsing hostname in auth flow by @BagToad in #9729
• Add repo license list/view and repo gitignore list/view by @BagToad in #9721
• Introduce testscript acceptance tests generally, and for the PR command specifically by @williammartin in #9745
• Support GH_ACCEPTANCE_SCRIPT env var to target a single script by @williammartin in #9756
• Ensure Acceptance defer failures are debuggable by @williammartin in #9754
• Add acceptance task to makefile by @williammartin in #9748
• Add Acceptance tests for issue command by @williammartin in #9757
• Update IsEnterprise and IsTenancy for orthogonality using go-gh by @jtmcg in #9755
• Supporting filtering on gist list by @heaths in #9728

New Contributors

• @ulfjack made their first contribution in #7091
• @smemsh made their first contribution in #9626

Full Changelog: v2.58.0...v2.59.0

What's Changed

• Better messaging for attestation verify custom issuer mismatch error by @bdehamer in #9616
• Enhance gh repo create docs, fix random cmd link by @andyfeller in #9630
• Add HasActiveToken method to AuthConfig to refactor auth check for attestation trusted-root command by @BagToad in #9635
• Improve the suggested command for creating an issue when an extension doesn't have a binary for your platform by @timrogers in #9608
• Disable auth check for attestation trusted-root command by @bdehamer in #9610
• build(deps): bump github.com/henvic/httpretty from 0.1.3 to 0.1.4 by @dependabot in #9645
• Fix tenant-awareness for trusted-root command by @bdehamer in #9638
• Replace "GitHub Enterprise Server" option with "other" in gh auth login prompting by @jtmcg in #9642
• build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.4 to 2.0.5 by @dependabot in #9634
• Add dnf5 instructions to docs/install_linux.md by @its-miroma in #9660
• build(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.0.0 to 2.0.1 by @dependabot in #9688

New Contributors

• @its-miroma made their first contribution in #9660

Full Changelog: v2.57.0...v2.58.0