From c1969f052340c461e18781ba8fa77ab5fefe69ec Mon Sep 17 00:00:00 2001 From: ejahnGithub Date: Tue, 23 Sep 2025 16:45:26 -0400 Subject: [PATCH 1/2] remove hidden value for release verify cmd --- pkg/cmd/release/verify-asset/verify_asset.go | 3 +-- pkg/cmd/release/verify/verify.go | 7 +++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go index cad436eaa..6bd975f72 100644 --- a/pkg/cmd/release/verify-asset/verify_asset.go +++ b/pkg/cmd/release/verify-asset/verify_asset.go @@ -55,8 +55,7 @@ func NewCmdVerifyAsset(f *cmdutil.Factory, runF func(*VerifyAssetConfig) error) * The asset's digest matches the subject in the attestation * The attestation is associated with the specified release `), - Hidden: true, - Args: cobra.MaximumNArgs(2), + Args: cobra.MaximumNArgs(2), Example: heredoc.Doc(` # Verify an asset from the latest release $ gh release verify-asset ./dist/my-asset.zip diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go index f0b92677a..99cf54e48 100644 --- a/pkg/cmd/release/verify/verify.go +++ b/pkg/cmd/release/verify/verify.go @@ -41,10 +41,9 @@ func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *co opts := &VerifyOptions{} cmd := &cobra.Command{ - Use: "verify []", - Short: "Verify the attestation for a GitHub Release.", - Hidden: true, - Args: cobra.MaximumNArgs(1), + Use: "verify []", + Short: "Verify the attestation for a GitHub Release.", + Args: cobra.MaximumNArgs(1), Long: heredoc.Doc(` Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. From a2034545cc2611b419e8438340378056deb88b5a Mon Sep 17 00:00:00 2001 
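Review bot: In the verify_asset.go hunk the command becomes visible while still declaring `Args: cobra.MaximumNArgs(2)`, which accepts zero arguments even though the example shown in the help passes an asset path. If the run function, which is outside this hunk, does not already reject a missing path, `Args: cobra.RangeArgs(1, 2),` would make the now-public command fail at argument parsing. For a verification command, an early and unambiguous usage error is preferable to a later failure that could be mistaken for a verification result. NewCmdVerifyAsset starts and ends outside the hunk, so this needs confirming against the rest of the function.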
From: ejahnGithub Date: Wed, 24 Sep 2025 14:04:28 -0400 Subject: [PATCH 2/2] update the description --- pkg/cmd/release/verify-asset/verify_asset.go | 12 +++--------- pkg/cmd/release/verify/verify.go | 10 +++------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go index 6bd975f72..43cdec990 100644 --- a/pkg/cmd/release/verify-asset/verify_asset.go +++ b/pkg/cmd/release/verify-asset/verify_asset.go @@ -40,20 +40,14 @@ func NewCmdVerifyAsset(f *cmdutil.Factory, runF func(*VerifyAssetConfig) error) cmd := &cobra.Command{ Use: "verify-asset [] ", - Short: "Verify that a given asset originated from a specific GitHub Release.", + Short: "Verify that a given asset originated from a release", Long: heredoc.Doc(` Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations. - ## Understanding Verification - An attestation is a claim made by GitHub regarding a release and its assets. - ## What This Command Does - - This command checks that the asset you provide matches an attestation produced by GitHub for a particular release. - It ensures the asset's integrity by validating: - * The asset's digest matches the subject in the attestation - * The attestation is associated with the specified release + This command checks that the asset you provide matches a valid attestation for the specified release (or the latest release, if no tag is given). + It ensures the asset's integrity by validating that the asset's digest matches the subject in the attestation and that the attestation is associated with the release. `), Args: cobra.MaximumNArgs(2), Example: heredoc.Doc(` diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go index 99cf54e48..2654977f7 100644 --- a/pkg/cmd/release/verify/verify.go +++ b/pkg/cmd/release/verify/verify.go 
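Review bot: The rewritten `Long` text in verify_asset.go now says the latest release is used when no tag is given, but it does not warn that this default moves as new releases are published. The `Long` text in the verify.go hunk of this patch has the same gap. An asset taken from an older release would presumably stop matching once a newer release exists, so a script that omits the tag can change outcome without the asset changing. I would add a sentence such as `To verify an asset from a known release, pass that release's tag; the latest release changes as new releases are published.` to both help texts. The enclosing constructor functions continue outside the hunks.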
@@ -42,19 +42,15 @@ func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *co cmd := &cobra.Command{ Use: "verify []", - Short: "Verify the attestation for a GitHub Release.", + Short: "Verify the attestation for a release", Args: cobra.MaximumNArgs(1), Long: heredoc.Doc(` Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. - ## Understanding Verification - An attestation is a claim made by GitHub regarding a release and its assets. - ## What This Command Does - - This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. - It fetches the attestation for the release and prints out metadata about all assets referenced in the attestation, including their digests. + This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. + It fetches the attestation for the release and prints metadata about all assets referenced in the attestation, including their digests. `), Example: heredoc.Doc(` # Verify the latest release