GitHub Downloader

GitHub Downloader (ghd) is an experimental CLI for installing GitHub release assets only after the selected artifact passes strict integrity and provenance checks.

ghd is built for projects that publish binaries through GitHub Releases and want consumers to verify more than a checksum. It checks the immutable GitHub release record, SLSA provenance, and the GitHub Actions workflow identity before it downloads or installs a release asset.

Start Here

  • Get started with ghd walks through a first verified download and install.
  • Manage packages covers the common package lifecycle: repository indexing, discovery, install, check, update, verify, and uninstall.
  • Security model explains what ghd verifies and what it intentionally does not claim to solve.
  • Publisher guide explains how maintainers can publish GitHub releases that ghd can verify and install.
  • Reference lists command targets, flags, output modes, local paths, and ghd.toml fields.

Current Status

ghd does not have a public release yet. Until the first release exists, installation is manual: download the matching release asset from GitHub Releases once it is published, put the ghd binary on your PATH, and run ghd --help to confirm it is available.

The current documentation reflects the implemented command surface and the live first-party example release meigma/ghd/ghd-example@1.1.1.