This repository is the Automic Vault fork of GitHub CLI.
Automic Vault is a macOS-first secret and execution control system that keeps sensitive credentials behind explicit human approval in the Automic Vault GUI app instead of exposing them directly to terminal tools.
This fork currently adds the following behavior on top of upstream cli/cli:
- Direct macOS Keychain access from the signed `gh` binary instead of `/usr/bin/security`, so Keychain trust is attached to this app binary: Use signed gh binary for macOS keychain access
- Human approval gating for `gh auth token` through the Automic Vault GUI daemon before any token is read or printed: Gate auth token output behind Automic Vault approval
- A migration subcommand that the Automic Vault app uses when migrating secrets from the factory-release to our isotope.
The remainder of this README is the original upstream GitHub CLI README.
gh is GitHub on the command line. It brings pull requests, issues, and other GitHub concepts to the terminal next to where you are already working with git and your code.
GitHub CLI is supported for users on GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server 2.20+ with support for macOS, Windows, and Linux.
For installation options, see below; for usage instructions, see the manual.
If anything feels off or if you feel that some functionality is missing, please check out the contributing page. There you will find instructions for sharing your feedback, building the tool locally, and submitting pull requests to the project.
If you are a hubber and are interested in shipping new commands for the CLI, check out our doc on internal contributions.
For additional macOS packages and installers, see community-supported docs.
- Debian, Raspberry Pi, Ubuntu
- Amazon Linux, CentOS, Fedora, openSUSE, RHEL, SUSE
- Precompiled binaries on releases page
For additional Linux & Unix packages and installers, see community-supported docs.
For additional Windows packages and installers, see community-supported docs.
See here on how to build GitHub CLI from source.
To add GitHub CLI to your codespace, add the following to your devcontainer file:
```json
"features": {
    "ghcr.io/devcontainers/features/github-cli:1": {}
}
```

GitHub-hosted runners have the GitHub CLI pre-installed, which is updated weekly.
If a specific version is needed, your GitHub Actions workflow will need to install it based on the macOS, Linux & Unix, or Windows instructions above.
For information on all pre-installed tools, see actions/runner-images.
Since version 2.50.0, gh has been producing Build Provenance Attestation, enabling a cryptographically verifiable paper-trail back to the origin GitHub repository, git revision, and build instructions used. The build provenance attestations are signed and rely on Public Good Sigstore for PKI.
There are two common ways to verify a downloaded release, depending on whether `gh` is already installed or not. If `gh` is installed, it's trivial to verify a new release:

- Option 1: Using `gh` if already installed:

  ```shell
  $ gh at verify -R cli/cli gh_2.62.0_macOS_arm64.zip
  Loaded digest sha256:fdb77f31b8a6dd23c3fd858758d692a45f7fc76383e37d475bdcae038df92afc for file://gh_2.62.0_macOS_arm64.zip
  Loaded 1 attestation from GitHub API
  ✓ Verification succeeded!

  sha256:fdb77f31b8a6dd23c3fd858758d692a45f7fc76383e37d475bdcae038df92afc was attested by:
  REPO     PREDICATE_TYPE                  WORKFLOW
  cli/cli  https://slsa.dev/provenance/v1  .github/workflows/deployment.yml@refs/heads/trunk
  ```

- Option 2: Using Sigstore `cosign`:

  To perform this, download the attestation for the downloaded release and use cosign to verify the authenticity of the downloaded release:

  ```shell
  $ cosign verify-blob-attestation --bundle cli-cli-attestation-3120304.sigstore.json \
        --new-bundle-format \
        --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
        --certificate-identity="https://github.com/cli/cli/.github/workflows/deployment.yml@refs/heads/trunk" \
        gh_2.62.0_macOS_arm64.zip
  Verified OK
  ```
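Both commands above bind the attestation to the file through its SHA-256 digest, which is the "Loaded digest" line in the `gh` output. The following Go program is an added example, not code from GitHub CLI or this fork: it decodes the in-toto statement carried in a Sigstore bundle's DSSE payload and checks that the artifact's digest is one of the attested subjects and that the predicate type is SLSA provenance v1. The names `AttestedName` and `SampleBundle` are hypothetical, the sample bundle is constructed and unsigned, and the signature and signer-identity checks that `gh` and `cosign` perform are not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type bundle struct { // only the DSSE payload of the Sigstore bundle is modelled
	DSSE struct{ Payload string `json:"payload"` } `json:"dsseEnvelope"`
}
type statement struct { // in-toto statement carried base64-encoded in that payload
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

// AttestedName returns the subject whose sha256 matches artifact. It does NOT
// verify the signature or signer identity; gh and cosign do that.
func AttestedName(bundleJSON, artifact []byte) (string, error) {
	b, s := bundle{}, statement{}
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(b.DSSE.Payload)
	if err != nil || json.Unmarshal(raw, &s) != nil {
		return "", fmt.Errorf("payload is not a base64 in-toto statement")
	}
	if s.PredicateType != "https://slsa.dev/provenance/v1" {
		return "", fmt.Errorf("unexpected predicate type %q", s.PredicateType)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, sub := range s.Subject {
		if sub.Digest["sha256"] == want {
			return sub.Name, nil
		}
	}
	return "", fmt.Errorf("artifact digest not among attested subjects")
}

// SampleBundle builds a CONSTRUCTED, unsigned bundle for data (demo input only).
func SampleBundle(name, predicate string, data []byte) []byte {
	st := fmt.Sprintf(`{"predicateType":%q,"subject":[{"name":%q,"digest":{"sha256":"%x"}}]}`, predicate, name, sha256.Sum256(data))
	return []byte(fmt.Sprintf(`{"dsseEnvelope":{"payload":%q}}`, base64.StdEncoding.EncodeToString([]byte(st))))
}

func main() { fmt.Println(AttestedName(SampleBundle("demo.zip", "https://slsa.dev/provenance/v1", []byte("demo")), []byte("demo"))) }
```

A digest match alone proves nothing about who produced the statement, so this check complements the signed verification above rather than replacing it.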
For many years, hub was the unofficial GitHub CLI tool. gh is a new project that helps us explore
what an official GitHub CLI tool can look like with a fundamentally different design. While both
tools bring GitHub to the terminal, hub behaves as a proxy to git, and gh is a standalone
tool. Check out our more detailed explanation to learn more.
