v2.27.0

• Record the git author identity and authored timestamp (not the committer) in pull_request attestation commits across all providers (#957).
• API key rotation: remove the duplicate key ID on failure and include details when rotation fails (#956).

The new base_ref field is rejected by Kosli servers older than kosli-dev/server#5898 (the attestation model is extra="forbid"). Self-hosted users must upgrade their Kosli server before upgrading this CLI, otherwise pull_request attestations will fail validation. Kosli SaaS (app.kosli.com / app.us.kosli.com) is already updated.

v2.26.0

Notable changes

• attest jira: documented automatic exclusion of Jira-like tokens that are immediately followed by a hyphen and digit (e.g. CVE identifiers)
• delete api-key: confirmation prompt now appears inline (answer typed on the same line); cancellation and deletion messages use consistent capitalisation and punctuation

What's Changed

• feat(list flows): add --name and --ignore-case search flags by @mbevc1 in #947
• docs(attest jira): improve CVE/multi-segment filtering help text by @jbrejner in #950
• chore: remove obsolete Claude instruction by @mbevc1 in #952
• fix(api-keys): inline confirmation prompt and unify message style by @mbevc1 in #948
• feat(environments): add new filtering and pagination flags by @mbevc1 in #951
• chore(deps): bump planetscale/ghcommit-action from 0.2.21 to 0.2.22 in the github-actions-dependencies group by @dependabot[bot] in #954
• chore(deps): bump the go-dependencies group with 5 updates by @dependabot[bot] in #955

Full Changelog: v2.25.0...v2.26.0

v2.25.0

Changelog

• 2a80f54 chore(deps): bump codecov/codecov-action from 6 to 7 (#942)
• 7ef6e64 chore(deps): bump planetscale/ghcommit-action (#939)
• 62809ab chore(deps): bump the go-dependencies group with 2 updates (#941)
• 6541925 chore(deps): bump the go-dependencies group with 8 updates (#932)
• c41ccef chore(deps): bump the go-dependencies group with 8 updates (#945)
• d6d4524 chore(deps): bump the go-dependencies group with 9 updates (#940)
• 4ead423 chore: improve Claude reviews (#946)
• 2c57076 ci(lint): forbid endian-unsafe patterns via golangci-lint (#933)
• d8c9698 feat: add s390x support to install-cli.sh (#936)
• 2cb999e feat: add service-account api-keys commands (#938)
• 1a8feca feat: add short aliases to top-level verb commands (#944)
• 1d4fdd6 fix: use git short sha as version metadata for unreleased builds (#935)

v2.24.2

Changelog

• 4acd31e feat: add linux/s390x build target to release distribution (#930)
• 1030045 fix(deps): bump go to 1.26.4 to address stdlib CVEs (#931)

v2.24.1

Changelog

• bbbb54a feat: display control identifier in assert artifact output for for_control policy failures (#926)

v2.24.0

The CLI now tries Bearer first (SonarQube Cloud and Server 10.0+) and transparently falls back to Basic for older self-hosted Servers, caching the resolved scheme for the run. SonarQube Cloud is always sent Bearer. Authentication failures now return a status-aware message (HTTP 401/403 token/permission, 5xx server-unavailable) instead of a single generic line.

• chore(deps): bump the Go dependencies group with 10 updates (#928)

Full changelog: v2.23.2...v2.24.0

v2.23.2

Changelog

• 0bf74d0 fix: deprecate --visibility flag instead of removing it (#923)

v2.23.1

Changelog

• 168dbc9 fix: keep hardcoded visibility for backwards compatibility (#922)

v2.23.0

• Added a deprecation warning when creating a flow without --template-file or --use-empty-template, indicating the legacy API endpoint will stop working in a future release.

NOTE : requires newest server to support dropping visibility. Please use newer CLI for backwards compatibility!

v2.22.1

Changelog

• 22f1449 chore(deps): bump the go-dependencies group with 10 updates (#914)
• 5d1e130 chore: bump OTel vulnerable dep (#916)
• 8040d80 fix: use url.JoinPath for list/diff command URLs (#915)