gh attestation download
gh attestation download [<file-path> | oci://<image-uri>] [--owner | --repo] [flags]
NOTE: This feature is currently in beta, and subject to change.
Download attestations associated with an artifact for offline use.
The command requires either:
- a file path to an artifact, or
- a container image URI (e.g.
oci://<image-uri>)- (note that if you provide an OCI URL, you must already be authenticated with its container registry)
In addition, the command requires either:
- the
--repoflag (e.g. --repo github/example). - the
--ownerflag (e.g. --owner github), or
The --repo flag value must match the name of the GitHub repository
that the artifact is linked with.
The --owner flag value must match the name of the GitHub organization
that the artifact's linked repository belongs to.
Any associated bundle(s) will be written to a file in the current directory named after the artifact's digest. For example, if the digest is "sha256:1234", the file will be named "sha256:1234.jsonl".
Options
-d,--digest-alg <string> (default "sha256")- The algorithm used to compute a digest of the artifact: {sha256|sha512}
-L,--limit <int> (default 30)- Maximum number of attestations to fetch
-o,--owner <string>- a GitHub organization to scope attestation lookup by
-
--predicate-type <string> - Filter attestations by provided predicate type
-R,--repo <string>- Repository name in the format <owner>/<repo>
Examples
# Download attestations for a local artifact linked with an organization
$ gh attestation download example.bin -o github
# Download attestations for a local artifact linked with a repository
$ gh attestation download example.bin -R github/example
# Download attestations for an OCI image linked with an organization
$ gh attestation download oci://example.com/foo/bar:latest -o github