ghr: a toolkit for GitHub releases
Why ghr exists, how installs are verified with GitHub's checksum, minisign, and sigstore, and what it looks like to install ghr with ghr itself.
Read more →
ghr is a single static binary that picks the right release asset for your OS and architecture, then verifies it with minisign, sigstore, or a plain checksum — on Mac, Linux, and Windows, and in GitHub Actions.
curl -fsSL https://raw.githubusercontent.com/cataggar/ghr/main/install.sh | shiwr -useb https://raw.githubusercontent.com/cataggar/ghr/main/install.ps1 | iexbrew install cataggar/ghr/ghr # or: winget install ghrpipx install ghr-bin # or: uv tool install ghr-binghr picks the right archive for your OS and CPU architecture automatically — one command works on macOS, Linux, and Windows.
Every install can check GitHub's own SHA-256, a minisign signature, and a sigstore bundle before anything is extracted.
actions/install and actions/download install several tools in one cached step, sharing an HTTP client and auth token.
ghr can install itself from its own releases — the same verification path every other tool gets.
ghr minisign sign reads its secret key and password from the environment, so a release job is a single step.
Mirroring or re-publishing a project's releases is a normal GitHub fork — no separate registry to run.
Why ghr exists, how installs are verified with GitHub's checksum, minisign, and sigstore, and what it looks like to install ghr with ghr itself.
Read more →Teaching ghr to install WASI 0.3 WebAssembly components straight from a GitHub release — a 3 KB app that runs unmodified on Windows, Linux, and macOS.
Read more →A two-component WebAssembly example — a web component and a storage component talking over a component-model interface — installed with a single ghr command.
Read more →