GitHub CLI 2.81.0
Support for GitHub Release Attestations
This release introduces the release verify and release verify-asset commands for verifying GitHub Release attestations. Part of the Immutable Releases initiative, a release attestation provides a signed, timestamped binding between a release, its git tag, and any associated assets. These new commands provide a convenient way to verify the integrity of an immutable release against its attestation.
- Verify the latest release has a valid attestation:
  gh release verify
- Verify a specific release by tag:
  gh release verify v1.2.3
- Verify an asset from the latest release:
  gh release verify-asset my-asset.zip
- Verify a local asset file originated from a specific release:
  gh release verify-asset v1.2.3 my-asset.zip
These commands help ensure that releases and their assets are authentic and haven’t been tampered with, providing an additional layer of security for your software supply chain.
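As an added example (not part of the release notes or the GitHub CLI project's own code), the two commands can be chained into a fail-closed gate that stages a downloaded asset only after both the release and the file verify against a pinned tag. It assumes gh exits non-zero when verification fails; the function names and the staging directory are hypothetical.

```bash
#!/bin/sh
# Added example: fail-closed verification gate built on the two new commands.
# Assumption: gh returns a non-zero exit status when verification fails.

# verify_release_asset TAG FILE
# Returns 0 only when the release attestation and the local file both verify.
# The tag is required so the check is bound to one pinned release rather
# than to whatever release is latest at run time.
verify_release_asset() {
    if [ -z "$1" ] || [ ! -f "$2" ]; then
        echo "usage: verify_release_asset TAG FILE" >&2
        return 2
    fi
    # Step 1: the release itself must have a valid attestation.
    if ! gh release verify "$1" >/dev/null; then
        echo "release $1: attestation verification failed" >&2
        return 1
    fi
    # Step 2: the local file must be an asset of that same release.
    if ! gh release verify-asset "$1" "$2" >/dev/null; then
        echo "$2: not verified as an asset of release $1" >&2
        return 1
    fi
}

# stage_verified_asset TAG FILE DEST_DIR
# Copies FILE into DEST_DIR only after verification succeeds, so an
# unverified file never reaches the directory later steps read from.
stage_verified_asset() {
    verify_release_asset "$1" "$2" || return $?
    cp -- "$2" "$3"/
}

# Usage in a pipeline step (tag and file name are the ones used above):
#   stage_verified_asset v1.2.3 my-asset.zip ./verified || exit 1
```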
gh auth status Supports JSON Output
This release adds support for the --json flag in gh auth status. Run gh auth status --help for more information and usage examples.
What's Changed
✨ Features
- Add alias co for pr checkout by @babakks in #11804
- Add JSON output to gh auth status by @benjlevesque in #11544
- release verify and release verify-asset are now visible by @ejahnGithub in #11801
🐛 Fixes
- Fix no tagname logic for release verify-asset by @ejahnGithub in #11798
📚 Docs & Chores
- refactor: use strings.FieldsFuncSeq to reduce memory allocations by @juejinyuxitu in #11805
New Contributors
- @juejinyuxitu made their first contribution in #11805
Full Changelog: v2.80.0...v2.81.0