
Commit e386693

ToreMerkely and claude committed
Release: Added extra debug when doing kosli attest pullrequest github if the debug flag is set (#839)
* debug(github): log GitHub HTTP requests/responses under --debug

  Adds a debug http.RoundTripper to the github client so every REST and GraphQL call (request method/URL/headers/body and response status/headers/body) is dumped to stderr with the [debug-github] prefix when --debug is set. Authorization header is redacted to the last 4 chars to make CI logs safe to share. Wires global.Debug through NewGithubRetrieverFunc / NewGithubConfig / NewGithubClientFromToken and updates affected tests. Also adds .github/workflows/debug-build.yml to build the CLI on this branch and upload it as the kosli-debug artifact for ad-hoc debugging.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(github): silence errcheck on debug Fprintf calls

  CI golangci-lint flagged the Fprintf calls in the debug RoundTripper because their error returns weren't checked. Wrap them in a small logf helper that explicitly discards the error — write failures to a debug stderr stream are not actionable.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: fix Debug build trigger to match this branch name

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: debug-build runs on any branch and produces all platforms

  Trigger on every push (and workflow_dispatch). Cross-compile for the five platforms GoReleaser produces (linux/darwin/windows × amd64/arm64 where applicable) and bundle them into a single kosli-debug artifact.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: split debug-build into one artifact per platform

  Use a matrix so each platform builds in its own job and uploads a separate kosli-debug-<os>-<arch> artifact, instead of one large zip.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: write each artifact URL to the run summary

  upload-artifact@v4+ returns an artifact-url output. Append a markdown link for each platform's artifact to $GITHUB_STEP_SUMMARY so the run page shows direct download links instead of having to dig into the Artifacts panel.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: also expose nightly.link URLs in debug-build summary

  Add a second public-download link alongside each GitHub artifact link. nightly.link is an OAuth proxy that lets anyone download a public repo's Actions artifacts without signing in to GitHub.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* debug(github): redact Cookie/Set-Cookie/Proxy-Authorization too

  The debug RoundTripper was only redacting Authorization. Add Cookie, Set-Cookie, and Proxy-Authorization to the redaction list so a corporate proxy password (Proxy-Authorization is commonly Basic <base64(user:pass)> in HTTPS_PROXY setups) doesn't leak into shared debug logs.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci: remove temporary debug-build workflow

  This workflow was added to produce ad-hoc kosli-debug binaries while debugging the GitHub auth issue. The debug logging itself remains in the github transport.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(github): cover redactAuthHeader and redactSensitiveHeader

  These are pure security-relevant helpers in the debug RoundTripper. Add table tests covering the branches: scheme + long/short/4-char token, no-scheme long/short/empty values, the case-insensitive Authorization match, the fully-redacted families (Cookie, Set-Cookie, Proxy-Authorization), pass-through for non-sensitive headers, and explicit assertion that X-OAuth-Scopes is intentionally not redacted (useful for diagnosing GitHub permission failures).

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent e450fac commit e386693

84 files changed

Lines changed: 220 additions & 91 deletions
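
The header redaction the commit message describes, sketched as an added Go example; this is not the Kosli CLI's code. The names `redactHeader` and `debugTransport`, the mask strings, and the choice to hide credentials of four characters or fewer entirely are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header families the commit message lists as fully hidden in debug output.
var fullyRedacted = map[string]bool{"Cookie": true, "Set-Cookie": true, "Proxy-Authorization": true}

// redactHeader returns a log-safe value: Authorization keeps its scheme and last 4 characters.
// Assumption (not from the commit): credentials of 4 characters or fewer are hidden entirely.
func redactHeader(name, value string) string {
	canon := http.CanonicalHeaderKey(name) // makes the match case-insensitive
	if fullyRedacted[canon] {
		return "[REDACTED]"
	}
	if canon != "Authorization" || value == "" {
		return value // non-sensitive headers such as X-OAuth-Scopes pass through
	}
	scheme, token := "", value
	if i := strings.IndexByte(value, ' '); i >= 0 {
		scheme, token = value[:i+1], value[i+1:]
	}
	if len(token) <= 4 {
		return scheme + "[REDACTED]" // "last 4" would reveal the whole credential
	}
	return scheme + "****" + token[len(token)-4:]
}

// debugTransport logs method, URL and redacted request headers, then delegates.
type debugTransport struct {
	next http.RoundTripper
	logf func(format string, args ...interface{})
}

func (d debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	d.logf("[debug-github] > %s %s", req.Method, req.URL)
	for name, values := range req.Header {
		for _, v := range values {
			d.logf("[debug-github] > %s: %s", name, redactHeader(name, v))
		}
	}
	return d.next.RoundTrip(req)
}

func main() { // constructed sample value; no request is sent
	fmt.Println(redactHeader("Authorization", "Bearer ghp_constructedSampleToken1234"))
}
```

Redacting at the logging call rather than mutating `req.Header` keeps the real credential on the outgoing request while only the masked form reaches the log sink.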

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
{"currentversion": "v2.17.2"}
1+
{"currentversion": "v2.17.3"}

docs.kosli.com/content/legacy_ref/v2.15.2/_index.md

Lines changed: 0 additions & 7 deletions
This file was deleted.
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: v2.15.3
33
bookCollapseSection: true
4-
weight: 603
4+
weight: 604
55
---
66

77
# v2.15.3
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: v2.16.0
33
bookCollapseSection: true
4-
weight: 602
4+
weight: 603
55
---
66

77
# v2.16.0
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: v2.17.0
33
bookCollapseSection: true
4-
weight: 601
4+
weight: 602
55
---
66

77
# v2.17.0
Lines changed: 1 addition & 1 deletion
@@ -1,7 +1,7 @@
11
---
22
title: v2.17.1
33
bookCollapseSection: true
4-
weight: 600
4+
weight: 601
55
---
66

77
# v2.17.1
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
title: v2.17.2
3+
bookCollapseSection: true
4+
weight: 600
5+
---
6+
7+
# v2.17.2
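
Review bot: `weight: 600` on line 4 of this new v2.17.2 index only sorts correctly because the other index hunks in this commit each bump an older version by one (v2.17.1 to 601, v2.17.0 to 602, v2.16.0 to 603, v2.15.3 to 604). Every release therefore has to edit every retained legacy index, and one missed bump leaves two sections sharing a weight. Consider deriving the weight from the version number, or add a check in the release job that the weights across the legacy indexes are unique.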
File renamed without changes.

docs.kosli.com/content/legacy_ref/v2.15.2/kosli_allow_artifact.md renamed to docs.kosli.com/content/legacy_ref/v2.17.2/kosli_allow_artifact.md

Lines changed: 7 additions & 1 deletion
@@ -15,12 +15,18 @@ kosli allow artifact [IMAGE-NAME | FILE-PATH | DIR-PATH] [flags]
1515

1616
Add an artifact to an environment's allowlist.
1717

18-
The artifact fingerprint can be provided directly with the `--fingerprint` flag, or
18+
The artifact fingerprint can be provided directly with the `--fingerprint` flag, or
1919
calculated based on `--artifact-type` flag.
2020

2121
Artifact type can be one of: "file" for files, "dir" for directories, "oci" for container
2222
images in registries or "docker" for local docker images.
2323

24+
Note: `--artifact-type=docker` reads the image's repo digest via the local Docker daemon.
25+
The image must have been pushed to or pulled from a registry for a repo digest to exist;
26+
a freshly built image (just `docker build`) will not have one. If the image is already in
27+
a registry, prefer `--artifact-type=oci`, which fetches the digest directly from the
28+
registry without needing a local Docker daemon.
29+
2430

2531

2632
## Flags
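
Review bot: the note added at lines 24-28 says a freshly built image "will not have" a repo digest but does not say what `kosli allow artifact` does in that case. State the resulting behaviour so a user can recognise it, and mention that `--fingerprint` (described at line 18) remains available for an image that was never pushed. Separately, the removed and added versions of line 18 are identical as rendered, so that change looks whitespace-only; confirm it is intended.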

docs.kosli.com/content/legacy_ref/v2.15.2/kosli_archive_attestation-type.md renamed to docs.kosli.com/content/legacy_ref/v2.17.2/kosli_archive_attestation-type.md

File renamed without changes.
