Closed
Labels: bug (Something isn't working), gh-attestation (related to the gh attestation command)
Description
Describe the bug
I suspect that #9892 or #9937 (leaning towards the former) has broken the gh attestation verify command when used with the --bundle-from-oci flag. This is not fixed in v2.63.1.
Steps to reproduce the behavior
This matrix job checks the same behavior with various versions. Full workflow is here: https://github.com/falcorocks/lab/blob/artifact-attestation-example/.github/workflows/github-artifact-attestation.yaml. Example run: here. You can see that the command works for v2.62.0 but not for v2.63.0 or v2.63.1.
```yaml
verify:
  needs: attest
  strategy:
    matrix:
      version: [2.62.0, 2.63.0, 2.63.1]
  runs-on: ubuntu-24.04
  steps:
    - run: wget https://github.com/cli/cli/releases/download/v${{ matrix.version }}/gh_${{ matrix.version }}_linux_amd64.tar.gz
    - run: tar -xvzf gh_${{ matrix.version }}_linux_amd64.tar.gz
    - run: sudo mv gh_*/bin/gh /usr/local/bin/
    - run: gh --version
    - run: gh attestation verify --bundle-from-oci --owner falcorocks oci://${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ env.TAG }}
      env:
        GH_TOKEN: ${{ github.token }}
```

Expected vs actual behavior
v2.62.0 is the correct behaviour: the bundle is discovered and verified.
Logs
Should not be necessary, but happy to add them if necessary.
Assignees: andyfeller