ghir is a CLI that makes past GitHub Releases immutable.
For background on GitHub Immutable Releases, see the following links:
- https://github.blog/changelog/2025-08-26-releases-now-support-immutability-in-public-preview/
- https://github.com/orgs/community/discussions/171210
Immutable Releases protect your software supply chain by preventing any changes to released assets. While enabling Immutable Releases is straightforward, previously created releases remain vulnerable. ghir is a CLI tool that secures your past releases by making them immutable.
- Enable Immutable Releases
- Run ghir
```sh
ghir [--log-level <debug|info|warn|error>] [--enable-ghtkn] <repo full name>
```

e.g.

```sh
ghir aquaproj/aqua
```

ghir requires a GitHub Access Token.
- Required Permissions: `contents:write`
- Scopes (accessible repositories): A repository to be updated

Environment Variables
- GHIR_GITHUB_TOKEN
- GITHUB_TOKEN
Alternatively, you can use the ghtkn integration.

```sh
ghir --enable-ghtkn <repo>
```

Or

```sh
export GHIR_ENABLE_GHTKN=true
```

- Get GitHub Releases via the GitHub API
- Exclude draft releases and immutable releases
- Update releases without any parameters via the GitHub API to make all releases immutable
A single ghir run handles only one repository.
However, by combining it with other tools, you can run ghir against multiple repositories.
```sh
cat repos.txt
username_or_orgname/foo
username_or_orgname/bar
```

```sh
cat repos.txt | xargs -n 1 ghir
```

Example 2: use gh repo list

```sh
gh repo list <username_or_orgname> --source --no-archived --json nameWithOwner --template '{{range .}}{{.nameWithOwner}}{{"\n"}}{{end}}' --limit 100 | xargs -n 1 ghir
```

Release attestations aren't created if releases were created before April 2025. I sent a feature request to GitHub. For more details, please see the discussion.
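For the multi-repository runs above: `xargs -n 1 ghir` passes every line of the list to ghir verbatim and reports only an aggregate exit status, so a line that looks like an option is parsed as one and a failed repository is easy to miss. The following wrapper is an added example, not part of ghir or its README; `GHIR_CMD`, `valid_repo` and `run_ghir_list` are names assumed for this example, and the name pattern is a conservative shape check rather than GitHub's exact naming rules.

```sh
#!/bin/sh
# Added example, not part of ghir. GHIR_CMD, valid_repo and run_ghir_list
# are names assumed here; the name pattern is a conservative shape check.
GHIR_CMD="${GHIR_CMD:-ghir}"

# Accept only "owner/name"; rejects option-like lines such as "--enable-ghtkn",
# embedded whitespace, and extra path segments.
valid_repo() {
  printf '%s\n' "$1" |
    grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]*/[A-Za-z0-9._-]+$'
}

# Run ghir once per line of FILE. Blank lines and "#" comments are ignored.
# Returns non-zero if any entry was invalid or any ghir run failed.
run_ghir_list() {
  list="$1"
  failed=0
  while IFS= read -r repo || [ -n "$repo" ]; do
    case "$repo" in
      '' | '#'*) continue ;;
    esac
    if ! valid_repo "$repo"; then
      echo "SKIP invalid entry: $repo" >&2
      failed=$((failed + 1))
      continue
    fi
    # </dev/null keeps ghir from consuming the rest of the list on stdin.
    if "$GHIR_CMD" "$repo" </dev/null; then
      echo "OK   $repo"
    else
      echo "FAIL $repo" >&2
      failed=$((failed + 1))
    fi
  done <"$list"
  [ "$failed" -eq 0 ]
}

# Usage: run_ghir_list repos.txt
```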