brew install gh # install gh cli on mac with brew
brew upgrade gh # upgradeOther OS's can find instructions here
# start interactive setup
$ gh auth login
# authenticate to github.com by reading the token from a file
$ gh auth login --with-token < mytoken.txt
# authenticate from standard input
$ echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
# authenticate from environment variable
$ export GH_TOKEN=${{ secrets.GITHUB_TOKEN }}See the docs for further information.
Adds a status check to the branch protection status check contexts.
See the docs for more information.
Adds a user from an Enterprise into an org. See: Documentation
Adds an IP to an enterprise's or organization's IP allow list.
Use the get-enterprise-id.sh or get-organization-id.sh script to get the owner ID.
See the docs for further information.
Adds a team to a repository with a given permission level
Adds (invites) a user to an organization team
Change a repository visibility to internal, for example
Creates an enterprise organization - you just need to pass in the enterprise ID (obtained via) along with billing email, admin logins, and organization name
Creates an organization webhook, with a secret, with some help from jq.
Create a new repo from a repo template - note that it only creates as public or private, if you want internal you have to do a subsequent call (see change-repository-visibility.sh)
Deletes a release from a repository - need the ID of the release
Deletes a repo - also works if the repository is locked from a failed migration, etc.
May need to run this first in order for the gh cli to be able to have delete repo permissions:
gh auth refresh -h github.com -s delete_repo
Downloads a release artifact from a private/internal repository. Can either download latest version or specific version, and supports file pattern matching to download one or multiple files. See docs for more info.
Using curl, wget, or gh release download to download public release assets.
Enable actions on repository - similar to API example, but using gh cli
Generates release notes between two tags. See the release notes docs on further customizations and the API docs for info on the API.
Gets the status of Actions on a repository (ie, if Actions are disabled)
Gets the usage of Actions on a repository; example output:
actions/checkout@3
github/codeql-action/analyze@2
github/codeql-action/autobuild@2
github/codeql-action/init@2
actions/dependency-review-action@3
Get the slug of the apps installed in an organization.
Gets a branch protection rule for a given branch.
Gets the branch protection status check contexts.
See the docs for more information.
Get code scanning analyses status for every repository in an organization.
Example output:
"joshjohanning-org/ghas-demo","CodeQL","refs/pull/140/merge","2023-04-28T07:08:36Z",".github/workflows/codeql-analysis.yml:analyze"
"joshjohanning-org/zero-to-hero-codeql-test","CodeQL","refs/heads/main","2023-04-23T20:28:16Z",".github/workflows/codeql-analysis.yml:analyze"
"joshjohanning-org/Python_scripts_examples","CodeQL","refs/heads/main","2023-04-24T14:21:16Z",".github/workflows/codeql-analysis.yml:analyze"
joshjohanning-org/.github, no code scanning results
"joshjohanning-org/azdo-terraform-tailspin","defsec","refs/heads/main","2023-04-22T21:35:22Z",".github/workflows/tfsec-analysis.yml:tfsec"
Gets the commits of since a certain date - date should be in ISO 8601 format, ie: since=2022-03-28T16:00:49Z
Gets dependencies used in the repository, including the ecosystem and version number.
Example output:
npm/[email protected]
pypi/[email protected]
maven/io.jsonwebtoken/[email protected]
golang/github.com/mattn/[email protected]
githubactions/actions/checkout@3
In a 1 year block, return the date of the first non-public contribution
The date of the first restricted contribution the user made in this time period. Can only be non-null when the user has enabled private contribution counts.
See also: Another example
Get the enterprise ID used for other GraphQL calls. Use the URL slug of the Enterprise as the input.
Adding -H X-Github-Next-Global-ID:1 per the documentation here to get the new ID format:
- https://github.blog/changelog/2022-11-10-graphql-legacy-global-id-deprecation-message/
- https://docs.github.com/en/graphql/guides/migrating-graphql-global-node-ids
Gets the current IP allow list for an enterprise.
See the docs for further information.
Gets all organizations for a given enterprise. Handles pagination.
Queries every organization in an enterprise and returns whether the user is a member or a member + admin of the organization.
Queries the enterprise for all organizations given the specified role (e.g.: which organizations is the user an admin of)
Gets info about an enterprise using the EnterpriseOwnerInfo GraphQL object.
Gets the usage of a label in a repository. Returns data in table format.
Get the organization ID used for other GraphQL calls. Use the login of the Organization as the input.
Adding -H X-Github-Next-Global-ID:1 per the documentation here to get the new ID format:
- https://github.blog/changelog/2022-11-10-graphql-legacy-global-id-deprecation-message/
- https://docs.github.com/en/graphql/guides/migrating-graphql-global-node-ids
Gets the current IP allow list for an organization.
See the docs for further information.
Get a total count of the primary language of repositories in an organization.
Example output:
21 Shell
11 JavaScript
11 Dockerfile
10 C#
4 Java
Gets a list of members in an organization using the REST API (able to get their ID to tie to Git event audit log)
Gets a list of members (via GraphQL) and their role in an organization
Gets the repository count in an organization
Gets the members of a team
Gets a team
Get outside collaborators added to a repository
Retrieve the download URL for the latest version of a package in GitHub Packages. See: Documentation
Note: No longer works for GitHub.com and deprecated for GHES 3.7+. See Changelog post, GraphQL breaking changes, and GHES 3.7 deprecations
Retrieve the download URL for a specific version of an Maven package in GitHub Packages.
Retrieve the download URL for a specific version of an NPM package in GitHub Packages.
Retrieve the download URL for a specific version of an Maven package in GitHub Packages.
Retrieve the download URL for a specific version of a package in GitHub Packages. See: Documentation
Note: No longer works for GitHub.com and deprecated for GHES 3.7+. See Changelog post, GraphQL breaking changes, and GHES 3.7 deprecations
Gets a list of releases for a repository
Get repositories not using actions, by files committed in the .github/workflows directory
Get repositories using actions, by files committed in the .github/workflows directory
Get repositories that have a CircleCI configuration file .circleci/config.yml
(not perfect, doesn't search for codeql*.yml)
Get repositories that have a CodeQL configuration file .github/workflows/codeql.yml
Get the repository language information (ie: JavaScript, Python, etc) for all repositories in an organization. Can specify how many language results to return (top X).
Example output:
repo,language
ghas-demo,Java
zero-to-hero-codeql-test,C#
Python_scripts_examples,Python
Get the repository license information (ie: MIT, Apache 2.0, etc) for all repositories in an organization.
Gets a list of topics for a repository
Gets details about a repo
Similar to get-repository-users-by-permission.sh except that it loops through all repositories. See the below note about cumulative permissions; if you query for push you will also get users for maintain and admin, but you can pass in a false and retrieve only users who have push.
Example output:
repo,login,permission
ghas-demo,joshgoldfishturtle,admin
ghas-demo,joshjohanning,admin
zero-to-hero-codeql-test,joshjohanning,admin
Python_scripts_examples,joshjohanning,admin
Gets a list of users by permission level for a repository (ie: retrieve the list of users who have admin access to a repository). For write access, use push as the permission. There is a flag to either cumulatively return permissions (ie: push returns those with maintain and admin as well), but the default is explicitly return users with the permission you specify.
Example output:
login,permission
joshgoldfishturtle,admin
joshjohanning,admin
Returns the permission for everyone who can access the repo and how they access it (direct, team, org)
Retrieves the SAML linked identity of a user in a GitHub Enterprise.
May need to run this first in order for the gh cli to be able to retrieve the SAML information for organizations:
gh auth refresh -h github.com -s admin:enterprise
Retrieves the SAML linked identity of a user in a GitHub organization.
May need to run this first in order for the gh cli to be able to retrieve the SAML information for organizations:
gh auth refresh -h github.com -s admin:org
Gets the SBOM for a repository.
Uses the search API for code search.
Retrieves all SSO enabled PATs users have created for an organization.
Retrieves all SSO-enabled SSH keys users have created for an organization.
Retrieves the ID of a user for other GraphQL calls
Gets a list of users directly added to repositories
Example output:
"ghas-demo", "joshjohanning", "ADMIN"
"ghas-demo", "FluffyCarlton", "WRITE"
"Test-Migrate", "joshjohanning", "ADMIN"
Removes a status check from the branch protection status check contexts.
See the docs for more information.
Removes an enterprise user. See notes:
- Get enterprise id:
./get-enterprise-id.sh - Get user id by one of the following:
- List org members and get the id from there:
./get-organization-members.sh - Get user id:
./get-user-id.sh
- List org members and get the id from there:
Revokes an SSO-enabled PAT that a user created in an organization.
Renaming a repo
Code search in an organization.
See the docs and StackOverflow for more information.
Set the branch protection status check contexts.
See the docs for more information.
Sets the IP allow list to enabled/disable for an enterprise or organization. You can't enable the IP allow list unless the IP running the script is in the list.
See the docs for further information.
Retrieves a list of users who have SSO-enabled personal access tokens in an organization.
Updates a branch protection rule for a given branch.
Adds your account to an organization in an enterprise as an owner, member, or leave the organization.