php · asgrim · Aug 27, 2025 · Aug 25, 2025
diff --git a/src/SelfManage/Verify/GithubCliAttestationVerification.php b/src/SelfManage/Verify/GithubCliAttestationVerification.php
@@ -14,11 +14,13 @@
 
 use function implode;
 use function sprintf;
+use function str_starts_with;
 
 /** @internal This is not public API for PIE, so should not be depended upon unless you accept the risk of BC breaks */
 final class GithubCliAttestationVerification implements VerifyPiePhar
 {
     private const GH_CLI_NAME             = 'gh';
+    private const GH_ATTESTATION_COMMAND  = 'attestation';
     private const GH_VERIFICATION_TIMEOUT = 30;
 
     public function __construct(private readonly ExecutableFinder $executableFinder)
@@ -33,9 +35,20 @@ public function verify(ReleaseMetadata $releaseMetadata, BinaryFile $pharFilenam
             throw GithubCliNotAvailable::fromExpectedGhToolName(self::GH_CLI_NAME);
         }
 
+        // Try to use `gh attestation --help` to ensure it is not an old `gh` cli version
+        try {
+            Process::run([$gh, self::GH_ATTESTATION_COMMAND, '--help'], null, self::GH_VERIFICATION_TIMEOUT);
+        } catch (ProcessFailedException $attestationCommandCheck) {
+            if (str_starts_with($attestationCommandCheck->getProcess()->getErrorOutput(), sprintf('unknown command "%s" for "%s"', self::GH_ATTESTATION_COMMAND, self::GH_CLI_NAME))) {
+                throw GithubCliNotAvailable::withMissingAttestationCommand(self::GH_CLI_NAME);
+            }
+
+            throw $attestationCommandCheck;
+        }
+
         $verificationCommand = [
             $gh,
-            'attestation',
+            self::GH_ATTESTATION_COMMAND,
             'verify',
             '--owner=php',
             $pharFilename->filePath,

diff --git a/src/SelfManage/Verify/GithubCliNotAvailable.php b/src/SelfManage/Verify/GithubCliNotAvailable.php
@@ -14,4 +14,9 @@ public static function fromExpectedGhToolName(string $expectedGhToolName): self
     {
         return new self(sprintf('The GitHub "%s" CLI tool was not available.', $expectedGhToolName));
     }
+
+    public static function withMissingAttestationCommand(string $expectedGhToolName): self
+    {
+        return new self(sprintf('The GitHub "%s" CLI tool was available, but the `gh attestation` command failed; perhaps this version is out of date.', $expectedGhToolName));
+    }
 }
diff --git a/test/assets/fake-gh-cli/unhappy.bat b/test/assets/fake-gh-cli/unhappy.bat
@@ -1,2 +1,8 @@
+@echo off
+if "%*" == "" goto main
+echo %* | findstr /C:"--help" >nul
+if %errorlevel% == 0 exit /b 0
+
+:main
 echo "Pretending to be gh cli - unhappy path"
 exit /b 1
diff --git a/test/assets/fake-gh-cli/unhappy.sh b/test/assets/fake-gh-cli/unhappy.sh
@@ -1,4 +1,8 @@
 #!/usr/bin/env bash
 
+if [[ "$*" == *"--help"* ]]; then
+    exit 0
+fi
+
 echo "Pretending to be gh cli - unhappy path"
 exit 1