Security

A security vulnerability has been identified, and fixed, that would incorrectly include authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands.

Users are advised to update gh to version v2.93.0 as soon as possible.

For more information see: GHSA-8xvp-7hj6-mcj9

Support agents in gh secret command set

The gh secret command set can now set agent secrets. For more information, see "Configuring secrets and variables for Copilot cloud agent".

What's Changed

✨ Features

• Allow agents as application for secrets by @tenjaa in #13421

🐛 Fixes

• fix(pr): remove numberFieldOnly optimization that skips API validation by @williammartin in #13327
• Print gh auth refresh for 401 returns by @333fred in #13068
• Derive digest algorithm from ref length in release verify commands by @bdehamer in #13430

📚 Docs & Chores

• Add missing //go:build integration tag to verify_integration_test.go by @pdostal in #13303
• Fix flaky accessible prompter Password test timeout by @pdostal in #13304
• Enable extended PR screening for external PRs by @tidy-dev in #13312
• Grammar fixes by @scop in #13326
• Bump gh copilot telemetry sampling to 100% by @williammartin in #13362
• Record accessibility feature state in telemetry by @williammartin in #13363
• Poll TTY echo mode instead of sleeping in password tests by @pdostal in #13305
• Switch from actions/attest-build-provenance to actions/attest by @scop in #13325
• Fix skills acceptance tests by @williammartin in #13365
• Bump Go toolchain to 1.26.3 by @Copilot in #13367
• Trigger triage check-requirements on ready_for_review by @BagToad in #13383
• fix(copilot): hint to run copilot directly when exec fails by @babakks in #13393
• Update installation commands for GitHub CLI by @sassdawe in #13126
• Update CODEOWNERS for skills directory ownership by @williammartin in #13416
• fix(telemetry): prevent tzutil console flash on Windows by @adehad in #13353
• Fix bump-go.sh to tolerate missing toolchain directive by @Copilot in #12581
• docs: drop --repo gh-cli from dnf install lines by @c-tonneslan in #13444
• Remove third-party license debris by @williammartin in #13470
• Remove dependency on persistent token by @williammartin in #13474
• Remove discussion workflow by @williammartin in #13476
• Stop bumping homebrew on release by @williammartin in #13479
• build: update golang.org/x/crypto by @tommaso-moro in #13486
• Add 3 day dependabot cooldown period by @williammartin in #13488
• Run govulncheck daily instead of weekly by @williammartin in #13487
• SHA pin first-party GitHub Actions by @williammartin in #13491
• Link to Accessibility category for community discussions instead of ACR by @mxie in #13481
• docs: fix duplicated "of" in release-process-deep-dive by @vip892766gma in #13425
• chore(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 by @BagToad in #13510
• docs: note immutable releases starting v2.93.0 by @BagToad in #13518
• fix CI attestation integration tests after rename by @BagToad in #13536

Dependencies

• chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.2.1 by @dependabot[bot] in #13297
• chore(deps): bump github.com/klauspost/compress from 1.18.5 to 1.18.6 by @dependabot[bot] in #13328
• chore(deps): bump golang.org/x/sys from 0.43.0 to 0.44.0 by @dependabot[bot] in #13381
• chore(deps): bump golang.org/x/term from 0.42.0 to 0.43.0 by @dependabot[bot] in #13396
• chore(deps): bump google.golang.org/grpc from 1.80.0 to 1.81.0 by @dependabot[bot] in #13346
• chore(deps): bump golang.org/x/text from 0.36.0 to 0.37.0 by @dependabot[bot] in #13397
• chore(deps): bump golang.org/x/crypto from 0.50.0 to 0.51.0 by @dependabot[bot] in #13420
• chore(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 by @dependabot[bot] in #13436
• chore(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 by @dependabot[bot] in #13461
• chore(deps): bump github/codeql-action from 4 to 4.35.5 by @dependabot[bot] in #13489
• chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.4.1 to 2.4.2 by @dependabot[bot] in #13462
• chore(deps): bump github.com/google/go-containerregistry from 0.21.5 to 0.21.6 by @dependabot[bot] in #13457

New Contributors

• @pdostal made their first contribution in #13303
• @333fred made their first contribution in #13068
• @scop made their first contribution in #13326
• @sassdawe made their first contribution in #13126
• @adehad made their first contribution in #13353
• @c-tonneslan made their first contribution in #13444
• @tenjaa made their first contribution in #13421
• @mxie made their first contribution in #13481
• @vip892766gma made their first contribution in #13425

Full Changelog: v2.92.0...v2.93.0