Accessibility

This release contains dark shipped changes that are part of a larger GitHub CLI accessibility preview still under development. More information about these will be announced later this month including various channels to work with GitHub and GitHub CLI maintainers on shaping these experiences.

Ensure table headers are thematically contrasting

#8292 is a long time issue where table headers were difficult to see in terminals with light background. Ahead of the aforementioned preview, v2.70.0 has shipped changes that improve the out-of-the-box experience based on terminal background detection.

The following screenshots demonstrate the Mac Terminal using the Basic profile, which responds to user's appearance preferences:

For more information including demos from various official distributions, see #10649.

What's Changed

✨ Features

• Update go-gh and document available sprig funcs by @BagToad in #10680
• Introducing experimental support for rendering markdown with customizable, accessible colors by @andyfeller @jtmcg in #10680
• Ensure table datetime columns have thematic, customizable muted text by @andyfeller in #10709
• Ensure table headers are thematically contrasting by @andyfeller in #10649
• Introduce configuration setting for displaying issue and pull request labels in rich truecolor by @andyfeller in #10720
• Ensure muted text is thematic and customizable by @andyfeller in #10737
• [gh repo create] Show host name in repo creation prompts by @iamazeem in #10516
• Introduce accessible prompter for screen readers (preview) by @BagToad in #10710

🐛 Fixes

• run list: do not fail on organization/enterprise ruleset imposed workflows by @BagToad in #10660
• Implement safeguard for gh alias delete test, prevent wiping out GitHub CLI configuration by @andyfeller in #10683
• Pin third party actions to commit sha by @BagToad in #10731
• Fallback to job run logs when step logs are missing by @babakks in #10740
• [gh ext] Fix GitKind extension directory path by @iamazeem in #10609
• Fix job log resolution to skip legacy logs in favour of normal/new ones by @babakks in #10769

📚 Docs & Chores

• ./script/sign cleanup by @iamazeem in #10599
• Fix typos in CONTRIBUTING.md by @rylwin in #10657
• Improve gh at verify --help, document json output by @phillmv in #10685
• Acceptance test issue/pr create/edit with project by @williammartin in #10707
• Escape dots in regexp pattern in README.md by @babakks in #10742
• Simplify cosign verification example by not using a regex. by @kommendorkapten in #10759
• Document UNKNOWN STEP in run view by @williammartin in #10770

Dependencies

• Update github.com/sigstore/sigstore-go to 0.7.1 and fix breaking function change by @malancas in #10749

New Contributors

• @rylwin made their first contribution in #10657

Full Changelog: v2.69.0...v2.70.0

What's Changed

Features

• Commands that accept filepath arguments will do glob expansion for * characters, by @iamazeem in #10413

Bug Fixes

• gh issue/pr comment --edit-last no longer creates a comment in non-interactive mode if there weren't one. A new flag --create-if-none provides this behaviour, by @andyfeller in #10625
• gh repo sync provides a more informative error for missing workflow permissions when the token is provided by a GitHub app, by @wata727 in #10574
• gh api no longer tries to encode URLs incorrectly, by @williammartin in #10630

Other

• Add cli-discuss-automation environment to triage.md by @jtmcg in #10552
• chore: remove redundant word in comment by @kevincatty in #10586
• Bump golang.org/x/net from 0.34.0 to 0.36.0 by @dependabot in #10593

New Contributors

• @kevincatty made their first contribution in #10586
• @wata727 made their first contribution in #10574

Full Changelog: v2.68.1...v2.69.0

What's Changed

• Fix secret command panic when base repo is determined via cwd by @williammartin in #10549

Full Changelog: v2.68.0...v2.68.1

What's Changed

✨ Features

• [gh repo view] Improve error message for forked repo by @iamazeem in #10334
• Add signer-digest, source-ref, and source-digest options for gh attestation verify by @malancas in #10308
• [gh pr checkout] Add --no-tags option to git fetch commands in checkout by @latzskim in #10479
• [gh issue/pr comment] Add --create-if-none and prompts to create a comment if no comment already exists by @latzskim in #10427
• [gh cache delete --all] Add --succeed-on-no-caches flag to return exit code 0 by @iamazeem in #10327
• [gh release create] Fail when there are no new commits since the last release by @iamazeem in #10398
• update default upstream when forking repo during PR creation by @daviddl9 in #10458

🐛 Fixes

• Refactor GetLocalAttestations and clean up custom registry transport by @malancas in #10382
• Check GH_REPO too in addition to --repo for disambiguation by @williammartin in #10539
  • (Fixes gh secret subcommands not working outside of a repository)
• Fix unhandled panic in FindWorkflow and add tests by @jtmcg in #10521
• Fix checkout when URL arg is from fork and cwd is upstream by @williammartin in #10512
• [gh api] Escape package name (URL encoding) for packages endpoint by @iamazeem in #10384
• Fix remoteResolver caching issue by @iamazeem in #10456
• Fix gh project item-edit to allow --number 0 as a valid value by @aryanbhosale in #10417
• Add mutex to fix race in attestation test client by @codysoyland in #10439
• Base64 decode GPG passphrase in deployment workflow by @BagToad in #10546

📚 Docs & Chores

• Deep Dive Document Release Process by @williammartin in #10503
• Inconsistent format of examples in help text by @iamazeem in #10508
• Inconsistent format of description of flags (starting with lowercase letter) by @iamazeem in #10507
• Update Go version to 1.23 in CONTRIBUTING.md by @williammartin in #10504
• Fix minor auth login help typo by @williammartin in #10501
• docs: document how to revoke gh OAuth tokens in auth logout's help by @BagToad in #10490
• chore: update codespaces Go version by @BagToad in #10491
• Allow injection of TUFMetadataDir in tests by @williammartin in #10478
• refactor: use a more straightforward return value by @beforetech in #10489
• Use subtests in attestation verification integration tests by @williammartin in #10463
• Fix typo in README by @iamazeem in #10445
• Update usage to lower-kebab-case by @iamazeem in #10447
• Standardize URLs by @iamazeem in #10429
• Remove trailing whitespace by @iamazeem in #10430

Dependencies

• Bump actions/attest-build-provenance from 2.2.0 to 2.2.2 by @dependabot in #10518
• Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in #10499
• Bump github.com/spf13/pflag from 1.0.5 to 1.0.6 by @dependabot in #10338

Security

A bug in gh attestation verify may return an incorrect zero exit status when no matching attestations are found for the specified --predicate-type <value> or the default https://slsa.dev/provenance/v1 if not specified. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure.

Users are advised to update gh to version v2.67.0 as soon as possible.

For more information, see GHSA-fgw4-v983-mgp8

gh pr checkout now supports interactively selecting a pull request

Similar to commands like gh workflow run which prompts for a workflow to run, now gh pr checkout will prompt for a pull request to checkout. The list is currently limited to the most recent 10 pull requests in the repository.

Big thank you to @nilvng for implementing this 🙌

Contributing guidelines updated

We've updated our CONTRIBUTING.md guidelines to give more clarity around old help wanted issues.

TLDR:

• Please directly mention @cli/code-reviewers when an issue you want to work on does not have clear Acceptance Criteria
• Please only open pull requests for issues with both the help wanted label and clear Acceptance Criteria
• Please avoid expanding pull request scope to include changes that are not described in the connected issue's Acceptance Criteria

Note: Acceptance Criteria is posted as an issue comment by a core maintainer.

See #10381 and #10395 for more information.

❓ Have feedback on anything? We'd love to hear from you in a discussion post ❤️

What's Changed

✨ Features

• feat: let user select pr to checkout by @nilvng in #9868
• feat: Add support for deleting autolink references by @hoffm in #10362
• [gh extensions install] Improve help text and error message by @iamazeem in #10333
• Error when gh repo rename is used with a new repo name that contains an owner by @timrogers in #10364
• Attestation bundle fetch improvements by @malancas in #10233
• [gh project item-list] Add iterationId field in ProjectV2ItemFieldIterationValue by @iamazeem in #10329

🐛 Fixes

• [gh api] Fix mutual exclusion messages of --slurp flag by @iamazeem in #10332
• Exit with error if no matching predicate type exists by @kommendorkapten in #10421
• Do not try to parse bodies for HEAD requests by @jsoref in #10388
• [gh project item-edit] Fix number type by @iamazeem in #10374
• [gh workflow run] Improve error handling for --ref flag by @iamazeem in #10328
• [gh config] Escape pipe symbol in Long desc for website manual by @iamazeem in #10371

📚 Docs & Chores

• Fix logic error in contributing docs by @BagToad in #10395
• Docs: Clarify guidelines for help wanted issues and pull requests by @BagToad in #10381
• [gh pr status] Mention gh pr checks in the Long section by @iamazeem in #10389
• [docs/releasing.md] Add basic info for homebrew update flow by @iamazeem in #10344
• [gh issue/pr list] Improve help text by @iamazeem in #10335
• Remove v1 project 'add to board' automation from prauto workflow by @hoffm in #10331
• Note: the following pair of PRs was reverted and never made into a release
  • [gh repo edit] Allow setting commit message defaults by @iamazeem in #10363
  • Revert "[gh repo edit] Allow setting commit message defaults" by @BagToad in #10372

Dependencies

• Bump google.golang.org/protobuf from 1.36.4 to 1.36.5 by @dependabot in #10379

Full Changelog: v2.66.1...v2.67.0

Hotfix: gh pr view fails with provided URL

This addresses a regression in gh pr view was reported in #10352. This regression was due to a change in v2.66.0 that no longer allowed gh pr subcommands to execute properly outside of a git repo.

What's Changed

• Hotfix: gh pr view fails with provided URL by @jtmcg in #10354

Full Changelog: v2.66.0...v2.66.1

gh pr view and gh pr status now respect common triangular workflow configurations

Previously, gh pr view and gh pr status would fail for pull request's (PR) open in triangular workflows. This was due to gh being unable to identify the PR's corresponding remote and branch refs on GitHub.

Now, gh pr view and gh pr status should successfully identify the PR's refs when the following common git configurations are used:

• branch.<branchName>.pushremote is set
• remote.pushDefault is set

Branch specific configuration, the former, supersedes repo specific configuration, the latter.

Additionally, if the @{push} revision syntax for git resolves for a branch, gh pr view and gh pr status should work regardless of additional config settings.

For more information, see

• #9363
• #9364
• #9365
• #9374

gh secret list, gh secret set, and gh secret delete now require repository selection when multiple git remotes are present

Previously, gh secret list, gh secret set, and gh secret delete would determine which remote to target for interacting with GitHub Actions secrets. Remotes marked as default using gh repo set-default or through other gh commands had higher priority when figuring out which repository to interact with. This could have unexpected outcomes when using gh secret commands with forked repositories as the upstream repository would generally be selected.

Now, gh secret commands require users to disambiguate which repository should be the target if multiple remotes are present and the -R, --repo flag is not provided.

For more information, see #4688

Extension update notices now notify once every 24 hours per extension and can be disabled

Previously, the GitHub CLI would notify users about newer versions every time an extension was executed. This did not match GitHub CLI notices, which only notified users once every 24 hours and could be disabled through an environment variable.

Now, extension update notices will behave similar to GitHub CLI notices. To disable extension update notices, set the GH_NO_EXTENSION_UPDATE_NOTIFIER environment variable.

For more information, see #9925

What's Changed

✨ Features

• Draft for discussing testing around extension update checking behavior by @andyfeller in #9985
• Make extension update check non-blocking by @andyfeller in #10239
• Ensure extension update notices only notify once within 24 hours, provide ability to disable all extension update notices by @andyfeller in #9934
• feat: make the extension upgrade fancier by @nobe4 in #10194
• fix: padded display by @nobe4 in #10216
• Update gh attestation attestation bundle fetching logic by @malancas in #10185
• Require repo disambiguation for secret commands by @williammartin in #10209
• show error message for rerun workflow older than a month ago by @iamrajhans in #10227
• Update gh attestation verify table output by @malancas in #10104
• Enable MSI building for Windows arm64 by @dennisameling in #10297
• feat: Add support for creating autolink references by @hoffm in #10180
• Find PRs using @{push} by @Frederick888 in #9208
• feat: Add support for viewing autolink references by @hoffm in #10324
• Update gh attestation bundle fetching logic by @malancas in #10339

🐛 Fixes

• gh gist delete: prompt for gist id by @danochoa in #10154
• Better handling for waiting for codespaces to become ready by @cmbrose in #10198
• Fix: gh gist view and gh gist edit prompts with no TTY by @mateusmarquezini in #10048
• Remove naked return values from ReadBranchConfig and prSelectorForCurrentBranch by @jtmcg in #10197
• Add job to deployment workflow to validate the tag name for a given release by @jtmcg in #10121
• [gh run list] Stop progress indicator on failure from --workflow flag by @iamazeem in #10323
• Update deployment.yml by @andyfeller in #10340

📚 Docs & Chores

• Add affected version heading to bug report issue form by @BagToad in #10269
• chore: fix some comments by @petercover in #10296
• Update triage.md to reflect FR experiment outcome by @jtmcg in #10196
• Clear up --with-token fine grained PAT usage by @williammartin in #10186
• Correct help documentation around template use in gh issue create by @andyfeller in #10208
• chore: fix some function names in comment by @zhuhaicity in #10225
• Tiny typo fix by @robmorgan in #10265
• add install instructions for Manjaro Linux by @AMS21 in #10236
• Update test to be compatible with latest Glamour v0.8.0 by @ottok in #10151
• Add more gh attestation verify integration tests by @malancas in #10102

Dependencies

• Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by @dependabot in #10215
• Bump github.com/sigstore/protobuf-specs from 0.3.2 to 0.3.3 by @dependabot in #10214
• Bump github.com/gabriel-vasile/mimetype from 1.4.7 to 1.4.8 by @dependabot in #10184
• Bump google.golang.org/protobuf from 1.36.2 to 1.36.3 by @dependabot in #10250
• Bump golangci-linter and address failures to prepare for Go 1.24 strictness by @mikelolasagasti in #10279
• Bump github.com/google/go-containerregistry from 0.20.2 to 0.20.3 by @dependabot in #10257
• Bump actions/attest-build-provenance from 2.1.0 to 2.2.0 by @dependabot in #10300
• Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 by @dependabot in #10306
• Upgrade sigstore-go to v0.7.0: fixes #10114 formatting issue by @codysoyland in #10309
• Bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by @dependabot in #10319

New Contributors

Big thank you to our many new and longtime contributors making this release happen!! ❤️ ✨

• @zhuhaicity made their first contribution in #10225
• @danochoa made their first contribution in #10154
• @robmorgan made their first contribution in #10265
• @iamrajhans made their first contribution in #10227
• @AMS21 made their first contribution in #10236
• @petercover made their first contribution in #10296
• @ottok made their first contribution in #10151
• @dennisameling made their first contribution in #10297
• @iamazeem made their first contribution in #10323
• @Frederick888 made their first contribution in #9208

Full Changelog: v2.65.0...v2.66.0

What's Changed

• Document the base repo resolution functions by @williammartin in #10110
• Update releasing.md by @andyfeller in #10116
• Document how to set gh-merge-base by @heaths in #10112
• Upgrade golang.org/x/net to v0.33.0 by @jtmcg in #10135
• add pending status for workflow runs by @dziamidchyk in #10143
• Remove release discussion posts and clean up related block in deployment yml by @shauryatiwari1 in #10145
• docs(repo): make explicit which branch is used when creating a repo by @nobe4 in #10163
• feat: Add support for listing autolink references by @hoffm in #10124
• Add mention of classic token in gh auth login docs by @jtmcg in #10164
• Feat: Allow setting security_and_analysis settings in gh repo edit by @ChandranshuRao14 in #10139
• Upgrade generated workflows by @jsoref in #10181
• Myriad fixes to provide clarity on determining tracking ref in PR create by @williammartin in #10187
• Handle missing upstream configs for gh pr create by @cmbrose in #10177
• fix(repo fork): add non-TTY output when fork is newly created by @aryanbhosale in #10158
• Bump cli/go-gh for indirect security vulnerability by @andyfeller in #10190

New Contributors

• @dziamidchyk made their first contribution in #10143
• @shauryatiwari1 made their first contribution in #10145
• @hoffm made their first contribution in #10124
• @ChandranshuRao14 made their first contribution in #10139

Full Changelog: v2.64.0...v2.65.0

What's Changed

• docs: improve docs for browse command as of #5352 by @ankddev in #10025
• Open PR against gh-merge-base by @heaths in #9712
• Add integration tests for gh attestation verify when the bundle-from-oci flag is specified by @malancas in #10020
• gh repo rename help text clarifies new repo name should not include owner by @BagToad in #10044
• fix: list branches in square brackets in gh run and gh codespace by @uday-rana in #10043
• Bump actions/attest-build-provenance from 1.4.4 to 2.1.0 by @dependabot in #10056
• Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in #10070
• Improve documentation and error messaging for local extension installations without executables by @BagToad in #9933
• docs: better document auth scopes by @ankddev in #10026
• Sigstore verifier logic updates by @malancas in #9999
• gh pr merge --delete-branch exits with error when merge requested via merge queue by @BagToad in #10074
• sundry gh at inspect improvements by @phillmv in #9954
• Support pr view for intra-org forks by @williammartin in #10078
• Print policy information before verifying attestations by @malancas in #9891
• Improve error handling in apt setup script by @jobegrabber in #10055
• Use Windows compatible file name for downloaded attestations when running gh attestation download by @malancas in #10051
• Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 by @dependabot in #10094
• Perform all gh attestation verify policy options configuration in the newEnforcementCriteria() function by @malancas in #10012

New Contributors

• @ankddev made their first contribution in #10025
• @uday-rana made their first contribution in #10043
• @jobegrabber made their first contribution in #10055

Full Changelog: v2.63.2...v2.64.0

What's Changed

• Use consistent slice ordering in run download tests by @williammartin in #10006
• Fix bug when fetching bundles from OCI registry by @malancas in #10019
• Use safepaths for run download by @williammartin in #10009
• Error for mutually exclusive json and watch flags by @andyfeller in #10016

Full Changelog: v2.63.1...v2.63.2