Subject: CVS commit: pkgsrc/net/gh
From: Benny Siegert
Date: 2025-03-01 21:07:57
Message id: 20250301200757.79E3DFBE1@cvs.NetBSD.org

Log Message:
gh: update to 2.67.0

2.67.0

Security

A bug in gh attestation verify may return an incorrect zero exit status
when no matching attestations are found for the specified
--predicate-type <value> or the default https://slsa.dev/provenance/v1
if not specified. This issue only arises if an artifact has an
attestation with a predicate type different from the one provided in the
command. As a result, users relying solely on these exit codes may
mistakenly believe the attestation has been verified, despite the
absence of an attestation with the specified predicate type and the tool
printing a verification failure.

Users are advised to update gh to version v2.67.0 as soon as possible.

For more information, see GHSA-fgw4-v983-mgp8

2.66.0

- gh pr view and gh pr status now respect common triangular workflow
  configurations
- gh secret list, gh secret set, and gh secret delete now require
  repository selection when multiple git remotes are present
- Extension update notices now notify once every 24 hours per extension
  and can be disabled

Files:
Revision  Action  File
1.88      modify  pkgsrc/net/gh/Makefile
1.44      modify  pkgsrc/net/gh/distinfo
1.38      modify  pkgsrc/net/gh/go-modules.mk
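
Added example (not part of the commit message and not gh's own code): a CI-side guard in Python for the exit-status issue described under 2.67.0. It rejects gh older than 2.67.0 and accepts a zero exit status only when the captured JSON output contains an attestation with the requested predicate type. The function names, the sample inputs, and the assumed output shape (a list of objects carrying verificationResult.statement.predicateType, as produced with --format json) are assumptions.

```python
import json
import re

FIXED = (2, 67, 0)  # first fixed release, per the 2.67.0 security note
DEFAULT_PREDICATE = "https://slsa.dev/provenance/v1"  # default named in the note

def gh_version(version_output):
    """Parse `gh --version` output such as 'gh version 2.66.1 (...)'."""
    m = re.search(r"gh version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised gh --version output")
    return tuple(int(part) for part in m.groups())

def matching_attestations(verify_json, predicate_type=DEFAULT_PREDICATE):
    """Count entries whose in-toto statement has the requested predicate type.

    Assumed shape: a JSON list of objects carrying
    verificationResult.statement.predicateType.
    """
    try:
        entries = json.loads(verify_json)
    except (TypeError, ValueError):
        return 0  # empty or non-JSON output proves nothing
    if not isinstance(entries, list):
        return 0
    count = 0
    for entry in entries:
        result = entry.get("verificationResult") if isinstance(entry, dict) else None
        statement = result.get("statement") if isinstance(result, dict) else None
        if isinstance(statement, dict) and statement.get("predicateType") == predicate_type:
            count += 1
    return count

def attestation_ok(exit_status, version_output, verify_json,
                   predicate_type=DEFAULT_PREDICATE):
    """Fail closed: fixed gh, zero exit status, and a matching attestation."""
    if gh_version(version_output) < FIXED:
        return False
    if exit_status != 0:
        return False
    return matching_attestations(verify_json, predicate_type) > 0

# Constructed inputs (not real gh output): one SBOM-only result, one SLSA result.
SBOM_ONLY = json.dumps([{"verificationResult": {"statement": {
    "predicateType": "https://spdx.dev/Document/v2.3"}}}])
SLSA = json.dumps([{"verificationResult": {"statement": {
    "predicateType": DEFAULT_PREDICATE}}}])

if __name__ == "__main__":
    print(attestation_ok(0, "gh version 2.67.0 (constructed)", SBOM_ONLY))  # False
    print(attestation_ok(0, "gh version 2.67.0 (constructed)", SLSA))       # True
```

In a pipeline, pass the captured exit status, the output of `gh --version`, and the stdout of the verify call to attestation_ok and fail the job when it returns False.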