This repository is the maintained fork of the archived upstream
fossteams/teams-cli project. New changes should be proposed against this
repository.
Requirements:
- Go 1.26.1 or newer
- A terminal with cursor-addressing support
- Teams JWT files generated with teams-token
Install dependencies and verify the local build:
go build ./...
go test ./...
To run the TUI locally:
TERM=xterm-256color go run ./
To limit the number of loaded messages per conversation:
TERM=xterm-256color go run ./ msg=20
To inspect the runtime configuration surface:
go run ./ --help
To enable debug logging while running locally:
TERM=xterm-256color go run ./ --debug
To run local diagnostics:
go run ./ doctor
To build release archives locally:
./scripts/build-release-artifacts.sh v0.2.1-test
To generate trusted-release metadata locally after building archives:
go install github.com/anchore/syft/cmd/syft@v1.42.3
./scripts/generate-release-sboms.sh v0.2.1-test
Keyless signing and GitHub attestations are performed in GitHub Actions during
the protected main release flow, because they rely on GitHub OIDC and
repository-scoped attestation APIs.
Keep JWT files out of the repository.
- The app reads tokens from ~/.config/fossteams
- --token-dir can be used when token files live elsewhere
- Runtime logs are written to a user-local log file, not into this repository
- Do not copy token files into this repository
- Do not commit .jwt files or local auth artifacts
- Create a branch from dev.
- Keep changes scoped and explain the user-visible behavior.
- Run go build ./... and go test ./...
- Run go run ./ doctor when changing token loading, refresh behavior, startup configuration, or logging behavior.
- Update README.md and CHANGELOG.md when behavior, controls, or runtime options change.
- Open the pull request against this repository's dev branch.
- Wait for the governed checks to pass:
  - the single CI and Release workflow, which now includes quality, platform, security, and release gating jobs
  - required job checks such as CodeQL, Dependency Review, and Secret Detection
- Expect CODEOWNERS review for workflow, security-policy, and release-path changes.
The maintained fork now treats dev and main as protected branches.
- dev is the integration branch and should receive normal feature pull requests
- main is the release branch and should receive reviewed promotions from dev
- direct pushes are reserved for maintainer recovery cases
- signed commits are required on protected branches
- stale reviews should be refreshed after materially changing a pull request
- Keep version.go at dev while iterating on dev
- When preparing the next release, set version.go to the next semantic version such as v0.2.1
- Update CHANGELOG.md for that version before merging to main
- Pushing the versioned commit to main triggers the combined CI and release workflow
- The Publish Release job is gated by the protected release environment and requires manual approval before publication
- Before publish, the workflow smoke-tests the built archives on the runner
- After approval, the workflow generates a bundled SPDX SBOM archive, signs the checksum file with a cosign keyless bundle, creates GitHub provenance attestations for release archives, creates the tag, and publishes the GitHub release automatically
- After the release branch has landed, move dev back to version = "dev" for the next development cycle if needed
- If the release job is waiting for environment approval, reject it rather than publishing suspect artifacts
- After publication, prefer a new patch release over mutating or replacing an existing signed release
- Revert or fix on dev, promote to main, bump the next patch version, and let the governed release flow publish the replacement
- If you must delete a release, record why in CHANGELOG.md or the release notes so the audit trail stays understandable
- Preserve keyboard-first navigation behavior
- Avoid committing local binaries, tokens, or machine-specific artifacts
- Add or update tests for navigation, ordering, loading, or option parsing when behavior changes
- Add or update tests for logging, redaction, or startup diagnostics when observability behavior changes
- Keep documentation aligned with the actual runtime behavior
- Review SECURITY.md before opening a public issue for any security-sensitive problem
- Never include JWTs, auth headers, cookies, or private Teams message content in issues, pull requests, or screenshots
- Prefer sanitized logs when reporting startup, refresh, or auth failures
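One way to apply the sanitized-logs guidance above before pasting output into an issue, shown as an added example that is not code from this repository. The patterns, the Sanitize function and the sample lines are assumptions made for illustration, not the project's own redaction rules.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
)

// Assumed patterns for this example; they are not the project's redaction rules.
var (
	// JWT-shaped value: base64url header starting "eyJ", then payload and signature.
	jwtRe = regexp.MustCompile(`eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*`)
	// Auth and cookie headers: redact everything after the separator, to end of line.
	// Over-redaction is deliberate; a lost field is cheaper than a leaked session.
	headerRe = regexp.MustCompile(`(?i)\b(authorization|set-cookie|cookie)(\s*[:=]\s*).*`)
)

// Sanitize returns line with header values and JWT-shaped strings replaced.
func Sanitize(line string) string {
	line = headerRe.ReplaceAllString(line, "${1}${2}[REDACTED]")
	return jwtRe.ReplaceAllString(line, "[REDACTED-JWT]")
}

// Constructed sample lines; the token is a made-up, unsigned JWT-shaped string.
var sampleLines = []string{
	"refresh failed token=eyJhbGciOiJub25lIn0.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2ln status=401",
	"request header Authorization: Bearer opaque-constructed-value",
	"response header Set-Cookie: sid=constructed; HttpOnly",
	"loaded 20 messages for conversation 3",
}

func main() {
	// With "-" as the only argument, act as a filter: sanitize stdin line by line.
	if len(os.Args) == 2 && os.Args[1] == "-" {
		sc := bufio.NewScanner(os.Stdin)
		sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // allow long log lines
		for sc.Scan() {
			fmt.Println(Sanitize(sc.Text()))
		}
		return
	}
	// Otherwise print the sanitized form of the constructed samples.
	for _, l := range sampleLines {
		fmt.Println(Sanitize(l))
	}
}
```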
This fork currently keeps the historical Go module path
github.com/fossteams/teams-cli for compatibility with existing scripts and
imports.
- Release binaries from this fork are the supported install path
- Any future module path change should be treated as a breaking release and
documented in CHANGELOG.md