fix(deps): update module github.com/cli/cli/v2 to v2.67.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/cli/cli/v2	v2.62.0 -> v2.67.0

GitHub Vulnerability Alerts

CVE-2024-53858

Summary

A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.

Details

This vulnerability stems from several gh commands used to clone a repository with submodules from a non-GitHub host including gh repo clone, gh repo fork, gh pr checkout. These GitHub CLI commands invoke git with instructions to retrieve authentication tokens using the credential.helper configuration variable for any host encountered.

Prior to 2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage:

• GITHUB_ENTERPRISE_TOKEN
• GH_ENTERPRISE_TOKEN
• GITHUB_TOKEN when CODESPACES environment variable is set

The result being git sending authentication tokens when cloning submodules.

In 2.63.0, these GitHub CLI commands will limit the hosts for which gh acts as a credential helper to source authentication tokens. Additionally, GITHUB_TOKEN will only be used for GitHub.com and ghe.com.

Impact

Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources.

Remediation and mitigation

1. Upgrade gh to 2.63.0
2. Revoke authentication tokens used with the GitHub CLI:
   • Personal access tokens
   • GitHub CLI OAuth app
3. Review your personal security log and any relevant audit logs for actions associated with your account or enterprise

CVE-2024-54132

Summary

A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

Details

This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value.

In 2.63.1, gh run download will not download artifacts named .. and . and instead exit with the following error message:

error downloading ..: would result in path traversal

Impact

Successful exploitation heightens the risk of local path traversal attack vectors exactly 1 directory higher than intended.

Remediation and Mitigation

1. Upgrade gh to 2.63.1
2. Implement additional validation to ensure artifact filenames do not contain potentially dangerous patterns, such as .., to prevent path traversal risks.

CVE-2025-25204

Summary

A bug in GitHub's Artifact Attestation CLI tool, gh attestation verify, may return an incorrect zero exit status when no matching attestations are found for the specified --predicate-type <value> or the default https://slsa.dev/provenance/v1 if not specified. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure.

Users are advised to update gh to version v2.67.0 as soon as possible.

Initial report: https://github.com/cli/cli/issues/10418
Fix: https://github.com/cli/cli/pull/10421

Details

The gh attestation verify command fetches, loads, and attempts to verify attestations associated with a given artifact for a specified predicate type. If an attestation is found, but the predicate type does not match the one specified in the gh attestation verify command, the verification fails, but the program exits early.

Due to a re-used uninitialized error variable, when no matching attestations are found, the relevant function returns nil instead of an error, causing the program to exit with a status code of 0, which incorrectly suggests successful verification.

PoC

Run gh attestation verify with local attestations using the --bundle flag and specify a predicate type with --predicate-type that you know will not match any of the attestations the command will attempt to verify. Confirm that the command exits with a zero status code.

Impact

Users who rely exclusively on the exit status code of gh attestation verify may incorrectly verify an attestation when the attestation's predicate type does not match the specified predicate type in the command.

---

Release Notes

cli/cli (github.com/cli/cli/v2)

v2.67.0: GitHub CLI 2.67.0

Compare Source

Security

A bug in gh attestation verify may return an incorrect zero exit status when no matching attestations are found for the specified --predicate-type <value> or the default https://slsa.dev/provenance/v1 if not specified. This issue only arises if an artifact has an attestation with a predicate type different from the one provided in the command. As a result, users relying solely on these exit codes may mistakenly believe the attestation has been verified, despite the absence of an attestation with the specified predicate type and the tool printing a verification failure.

Users are advised to update gh to version v2.67.0 as soon as possible.

For more information, see GHSA-fgw4-v983-mgp8

gh pr checkout now supports interactively selecting a pull request

Similar to commands like gh workflow run which prompts for a workflow to run, now gh pr checkout will prompt for a pull request to checkout. The list is currently limited to the most recent 10 pull requests in the repository.

393797385-499b5dfb-3103-42b8-876a-3a2d4d7173c8.mov

Big thank you to @​nilvng for implementing this 🙌

Contributing guidelines updated

We've updated our CONTRIBUTING.md guidelines to give more clarity around old help wanted issues.

TLDR:

• Please directly mention @cli/code-reviewers when an issue you want to work on does not have clear Acceptance Criteria
• Please only open pull requests for issues with both the help wanted label and clear Acceptance Criteria
• Please avoid expanding pull request scope to include changes that are not described in the connected issue's Acceptance Criteria

Note: Acceptance Criteria is posted as an issue comment by a core maintainer.

See #​10381 and #​10395 for more information.

❓ Have feedback on anything? We'd love to hear from you in a discussion post ❤️

What's Changed

✨ Features

• feat: let user select pr to checkout by @​nilvng in #​9868
• feat: Add support for deleting autolink references by @​hoffm in #​10362
• [gh extensions install] Improve help text and error message by @​iamazeem in #​10333
• Error when gh repo rename is used with a new repo name that contains an owner by @​timrogers in #​10364
• Attestation bundle fetch improvements by @​malancas in #​10233
• [gh project item-list] Add iterationId field in ProjectV2ItemFieldIterationValue by @​iamazeem in #​10329

🐛 Fixes

• [gh api] Fix mutual exclusion messages of --slurp flag by @​iamazeem in #​10332
• Exit with error if no matching predicate type exists by @​kommendorkapten in #​10421
• Do not try to parse bodies for HEAD requests by @​jsoref in #​10388
• [gh project item-edit] Fix number type by @​iamazeem in #​10374
• [gh workflow run] Improve error handling for --ref flag by @​iamazeem in #​10328
• [gh config] Escape pipe symbol in Long desc for website manual by @​iamazeem in #​10371

📚 Docs & Chores

• Fix logic error in contributing docs by @​BagToad in #​10395
• Docs: Clarify guidelines for help wanted issues and pull requests by @​BagToad in #​10381
• [gh pr status] Mention gh pr checks in the Long section by @​iamazeem in #​10389
• [docs/releasing.md] Add basic info for homebrew update flow by @​iamazeem in #​10344
• [gh issue/pr list] Improve help text by @​iamazeem in #​10335
• Remove v1 project 'add to board' automation from prauto workflow by @​hoffm in #​10331
• Note: the following pair of PRs was reverted and never made into a release
  • [gh repo edit] Allow setting commit message defaults by @​iamazeem in #​10363
  • Revert "[gh repo edit] Allow setting commit message defaults" by @​BagToad in #​10372

Dependencies

• Bump google.golang.org/protobuf from 1.36.4 to 1.36.5 by @​dependabot in #​10379

Full Changelog: cli/cli@v2.66.1...v2.67.0

v2.66.1: GitHub CLI 2.66.1

Compare Source

Hotfix: gh pr view fails with provided URL

This addresses a regression in gh pr view was reported in #​10352. This regression was due to a change in v2.66.0 that no longer allowed gh pr subcommands to execute properly outside of a git repo.

What's Changed

• Hotfix: gh pr view fails with provided URL by @​jtmcg in #​10354

Full Changelog: cli/cli@v2.66.0...v2.66.1

v2.66.0: GitHub CLI 2.66.0

Compare Source

gh pr view and gh pr status now respect common triangular workflow configurations

Previously, gh pr view and gh pr status would fail for pull request's (PR) open in triangular workflows. This was due to gh being unable to identify the PR's corresponding remote and branch refs on GitHub.

Now, gh pr view and gh pr status should successfully identify the PR's refs when the following common git configurations are used:

• branch.<branchName>.pushremote is set
• remote.pushDefault is set

Branch specific configuration, the former, supersedes repo specific configuration, the latter.

Additionally, if the @{push} revision syntax for git resolves for a branch, gh pr view and gh pr status should work regardless of additional config settings.

For more information, see

• #​9363
• #​9364
• #​9365
• #​9374

gh secret list, gh secret set, and gh secret delete now require repository selection when multiple git remotes are present

Previously, gh secret list, gh secret set, and gh secret delete would determine which remote to target for interacting with GitHub Actions secrets. Remotes marked as default using gh repo set-default or through other gh commands had higher priority when figuring out which repository to interact with. This could have unexpected outcomes when using gh secret commands with forked repositories as the upstream repository would generally be selected.

Now, gh secret commands require users to disambiguate which repository should be the target if multiple remotes are present and the -R, --repo flag is not provided.

For more information, see #​4688

Extension update notices now notify once every 24 hours per extension and can be disabled

Previously, the GitHub CLI would notify users about newer versions every time an extension was executed. This did not match GitHub CLI notices, which only notified users once every 24 hours and could be disabled through an environment variable.

Now, extension update notices will behave similar to GitHub CLI notices. To disable extension update notices, set the GH_NO_EXTENSION_UPDATE_NOTIFIER environment variable.

For more information, see #​9925

What's Changed

✨ Features

• Draft for discussing testing around extension update checking behavior by @​andyfeller in #​9985
• Make extension update check non-blocking by @​andyfeller in #​10239
• Ensure extension update notices only notify once within 24 hours, provide ability to disable all extension update notices by @​andyfeller in #​9934
• feat: make the extension upgrade fancier by @​nobe4 in #​10194
• fix: padded display by @​nobe4 in #​10216
• Update gh attestation attestation bundle fetching logic by @​malancas in #​10185
• Require repo disambiguation for secret commands by @​williammartin in #​10209
• show error message for rerun workflow older than a month ago by @​iamrajhans in #​10227
• Update gh attestation verify table output by @​malancas in #​10104
• Enable MSI building for Windows arm64 by @​dennisameling in #​10297
• feat: Add support for creating autolink references by @​hoffm in #​10180
• Find PRs using @{push} by @​Frederick888 in #​9208
• feat: Add support for viewing autolink references by @​hoffm in #​10324
• Update gh attestation bundle fetching logic by @​malancas in #​10339

🐛 Fixes

• gh gist delete: prompt for gist id by @​danochoa in #​10154
• Better handling for waiting for codespaces to become ready by @​cmbrose in #​10198
• Fix: gh gist view and gh gist edit prompts with no TTY by @​mateusmarquezini in #​10048
• Remove naked return values from ReadBranchConfig and prSelectorForCurrentBranch by @​jtmcg in #​10197
• Add job to deployment workflow to validate the tag name for a given release by @​jtmcg in #​10121
• [gh run list] Stop progress indicator on failure from --workflow flag by @​iamazeem in #​10323
• Update deployment.yml by @​andyfeller in #​10340

📚 Docs & Chores

• Add affected version heading to bug report issue form by @​BagToad in #​10269
• chore: fix some comments by @​petercover in #​10296
• Update triage.md to reflect FR experiment outcome by @​jtmcg in #​10196
• Clear up --with-token fine grained PAT usage by @​williammartin in #​10186
• Correct help documentation around template use in gh issue create by @​andyfeller in #​10208
• chore: fix some function names in comment by @​zhuhaicity in #​10225
• Tiny typo fix by @​robmorgan in #​10265
• add install instructions for Manjaro Linux by @​AMS21 in #​10236
• Update test to be compatible with latest Glamour v0.8.0 by @​ottok in #​10151
• Add more gh attestation verify integration tests by @​malancas in #​10102

Dependencies

• Bump github.com/mattn/go-colorable from 0.1.13 to 0.1.14 by @​dependabot in #​10215
• Bump github.com/sigstore/protobuf-specs from 0.3.2 to 0.3.3 by @​dependabot in #​10214
• Bump github.com/gabriel-vasile/mimetype from 1.4.7 to 1.4.8 by @​dependabot in #​10184
• Bump google.golang.org/protobuf from 1.36.2 to 1.36.3 by @​dependabot in #​10250
• Bump golangci-linter and address failures to prepare for Go 1.24 strictness by @​mikelolasagasti in #​10279
• Bump github.com/google/go-containerregistry from 0.20.2 to 0.20.3 by @​dependabot in #​10257
• Bump actions/attest-build-provenance from 2.1.0 to 2.2.0 by @​dependabot in #​10300
• Bump google.golang.org/protobuf from 1.36.3 to 1.36.4 by @​dependabot in #​10306
• Upgrade sigstore-go to v0.7.0: fixes #​10114 formatting issue by @​codysoyland in #​10309
• Bump github.com/in-toto/attestation from 1.1.0 to 1.1.1 by @​dependabot in #​10319

New Contributors

Big thank you to our many new and longtime contributors making this release happen!! ❤️ ✨

• @​zhuhaicity made their first contribution in #​10225
• @​danochoa made their first contribution in #​10154
• @​robmorgan made their first contribution in #​10265
• @​iamrajhans made their first contribution in #​10227
• @​AMS21 made their first contribution in #​10236
• @​petercover made their first contribution in #​10296
• @​ottok made their first contribution in #​10151
• @​dennisameling made their first contribution in #​10297
• @​iamazeem made their first contribution in #​10323
• @​Frederick888 made their first contribution in #​9208

Full Changelog: cli/cli@v2.65.0...v2.66.0

v2.65.0: GitHub CLI 2.65.0

Compare Source

What's Changed

• Document the base repo resolution functions by @​williammartin in #​10110
• Update releasing.md by @​andyfeller in #​10116
• Document how to set gh-merge-base by @​heaths in #​10112
• Upgrade golang.org/x/net to v0.33.0 by @​jtmcg in #​10135
• add pending status for workflow runs by @​dziamidchyk in #​10143
• Remove release discussion posts and clean up related block in deployment yml by @​shauryatiwari1 in #​10145
• docs(repo): make explicit which branch is used when creating a repo by @​nobe4 in #​10163
• feat: Add support for listing autolink references by @​hoffm in #​10124
• Add mention of classic token in gh auth login docs by @​jtmcg in #​10164
• Feat: Allow setting security_and_analysis settings in gh repo edit by @​ChandranshuRao14 in #​10139
• Upgrade generated workflows by @​jsoref in #​10181
• Myriad fixes to provide clarity on determining tracking ref in PR create by @​williammartin in #​10187
• Handle missing upstream configs for gh pr create by @​cmbrose in #​10177
• fix(repo fork): add non-TTY output when fork is newly created by @​aryanbhosale in #​10158
• Bump cli/go-gh for indirect security vulnerability by @​andyfeller in #​10190

New Contributors

• @​dziamidchyk made their first contribution in #​10143
• @​shauryatiwari1 made their first contribution in #​10145
• @​hoffm made their first contribution in #​10124
• @​ChandranshuRao14 made their first contribution in #​10139

Full Changelog: cli/cli@v2.64.0...v2.65.0

v2.64.0: GitHub CLI 2.64.0

Compare Source

What's Changed

• docs: improve docs for browse command as of #​5352 by @​ankddev in #​10025
• Open PR against gh-merge-base by @​heaths in #​9712
• Add integration tests for gh attestation verify when the bundle-from-oci flag is specified by @​malancas in #​10020
• gh repo rename help text clarifies new repo name should not include owner by @​BagToad in #​10044
• fix: list branches in square brackets in gh run and gh codespace by @​uday-rana in #​10043
• Bump actions/attest-build-provenance from 1.4.4 to 2.1.0 by @​dependabot in #​10056
• Bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @​dependabot in #​10070
• Improve documentation and error messaging for local extension installations without executables by @​BagToad in #​9933
• docs: better document auth scopes by @​ankddev in #​10026
• Sigstore verifier logic updates by @​malancas in #​9999
• gh pr merge --delete-branch exits with error when merge requested via merge queue by @​BagToad in #​10074
• sundry gh at inspect improvements by @​phillmv in #​9954
• Support pr view for intra-org forks by @​williammartin in #​10078
• Print policy information before verifying attestations by @​malancas in #​9891
• Improve error handling in apt setup script by @​jobegrabber in #​10055
• Use Windows compatible file name for downloaded attestations when running gh attestation download by @​malancas in #​10051
• Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 by @​dependabot in #​10094
• Perform all gh attestation verify policy options configuration in the newEnforcementCriteria() function by @​malancas in #​10012

New Contributors

• @​ankddev made their first contribution in #​10025
• @​uday-rana made their first contribution in #​10043
• @​jobegrabber made their first contribution in #​10055

Full Changelog: cli/cli@v2.63.2...v2.64.0

v2.63.2: GitHub CLI 2.63.2

Compare Source

What's Changed

• Use consistent slice ordering in run download tests by @​williammartin in #​10006
• Fix bug when fetching bundles from OCI registry by @​malancas in #​10019
• Use safepaths for run download by @​williammartin in #​10009
• Error for mutually exclusive json and watch flags by @​andyfeller in #​10016

Full Changelog: cli/cli@v2.63.1...v2.63.2

v2.63.1: GitHub CLI 2.63.1

Compare Source

What's Changed

• Fix formatting in git/client_test.go comments for linter by @​BagToad in #​9969
• Bump github.com/gabriel-vasile/mimetype from 1.4.6 to 1.4.7 by @​dependabot in #​9942
• Clarify which commands correspond to which DNF version under Linux install instructions by @​BagToad in #​9976
• When renaming an existing remote as part of remote creation in gh repo fork, log the change by @​timrogers in #​9983
• Fix PR checkout panic when base repo is not in remotes by @​williammartin in #​9992

Security

• A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download.

  For more information, see GHSA-2m9h-r57g-45pj

Full Changelog: cli/cli@v2.63.0...v2.63.1

v2.63.0: GitHub CLI 2.63.0

Compare Source

What's Changed

• Support bare repo creation by @​williammartin in #​9905
• Refactor the getAttestations functions by @​malancas in #​9892
• Added a section on manual verification of the relases. by @​kommendorkapten in #​9936
• Adding option to return baseRefOid in pr view by @​daliusd in #​9938
• Update verification results printing by @​malancas in #​9937
• Fix some multiline command documentation to use heredoc strings by @​BagToad in #​9948
• Print friendly error when release create fails due to missing workflow OAuth scope by @​BagToad in #​9791

Full Changelog: cli/cli@v2.62.0...v2.63.0

Security

• A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.

  For more information, see GHSA-jwcm-9g39-pmcw

New Contributors

• @​daliusd made their first contribution in #​9938

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 6 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.5 -> 1.23.0
github.com/cli/go-gh/v2	v2.11.0 -> v2.11.2
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14
github.com/muesli/termenv	v0.15.2 -> v0.15.3-0.20240618155329-98d742f6907a
golang.org/x/net	v0.30.0 -> v0.34.0
golang.org/x/sys	v0.26.0 -> v0.29.0
golang.org/x/term	v0.25.0 -> v0.28.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/mattn/go-colorable	v0.1.13 -> v0.1.14