fix(github): use GITHUB_TOKEN for attestation verification

jdx · jdx · commit 48df59b8b028 · 2025-12-18T22:40:34.000-06:00
Pass the GitHub token to sigstore_verification::verify_github_attestation
to avoid API rate limiting when verifying GitHub attestations.
diff --git a/src/backend/github.rs b/src/backend/github.rs
@@ -9,6 +9,7 @@ use crate::backend::static_helpers::{
 };
 use crate::cli::args::{BackendArg, ToolVersionType};
 use crate::config::{Config, Settings};
+use crate::env;
 use crate::file;
 use crate::http::HTTP;
 use crate::install_context::InstallContext;
@@ -939,7 +940,10 @@ impl UnifiedGitBackend {
         let (owner, repo_name) = (parts[0], parts[1]);
 
         match sigstore_verification::verify_github_attestation(
-            file_path, owner, repo_name, None, // No token - use public API
+            file_path,
+            owner,
+            repo_name,
+            env::GITHUB_TOKEN.as_deref(),
             None, // We don't know the expected workflow
         )
         .await
