Feature Request: gh attestation download: Remove authentication requirement to increase adoption

[jonahbeckford]

Describe the feature or problem you’d like to solve

The instructions in https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/verify-attestations-offline:

gh attestation download PATH/TO/YOUR/BUILD/ARTIFACT-BINARY -R ORGANIZATION_NAME/REPOSITORY_NAME

require a valid GH_TOKEN or gh auth login. That complicates using it to verify attestations.

It would be great if GitHub attestations were adopted widely, and user friction doesn't help.

Proposed solution

Treat attestations as public for public projects. That benefits the CLI and its users because simplifying adoption improves supply chain security for everybody.

Additional context

This is part of a bigger review at https://github.com/diskuv/dk/blob/V2_4/docs/posts/2025-10-24-overview-ci-attestations.md

[github-actions]

Thank you for your issue! We have categorized it as a feature request, and it has been added to our backlog. In doing so, we are not committing to implementing this feature at this time, but, we will consider it for future releases based on community feedback and our own product roadmap.

Unless you see the help wanted Contributions welcome label, we are not currently looking for external contributions for this feature.

If you come across this issue and would like to see it implemented, please add a thumbs up! This will help us prioritize the feature. Please only comment if you have additional information or viewpoints to contribute.

[babakks]

Thanks for your feedback, @jonahbeckford! 🙏

However, this is closely related to #11803, especially #11803 (comment). Please let me know if that answers your request.

[BagToad]

Going to close this as duplicate for now, but please feel free to comment if we misunderstood!