Skip to content

fix(github): scope auth headers to API URLs#9271

Merged
jdx merged 1 commit intojdx:mainfrom
risu729:codex/github-api-only-auth
Apr 21, 2026
Merged

fix(github): scope auth headers to API URLs#9271
jdx merged 1 commit intojdx:mainfrom
risu729:codex/github-api-only-auth

Conversation

@risu729
Copy link
Copy Markdown
Contributor

@risu729 risu729 commented Apr 20, 2026
edited
Loading

Summary

  • Stop adding GitHub Authorization and X-GitHub-Api-Version headers to non-API GitHub URLs, including github.com release browser downloads and *.githubusercontent.com content/CDN hosts.
  • Keep GitHub auth/version headers for REST API URLs: api.github.com, GHES-style HOSTNAME/api/v3, and GHE.com data-residency api.SUBDOMAIN.ghe.com.
  • Remove the stale is_gh_host HTTP routing branch so GitHub header generation is reached only for URLs classified as GitHub REST API URLs.
  • Preserve API asset downloads by keeping Accept: application/octet-stream on /releases/assets/ API URLs only.
  • Add regression coverage for browser/download hosts, GitHub API URLs, GHES API paths, GHE.com data-residency API hosts, and GHES/GHE.com browser URLs that must not receive auth headers.

Root Cause

The token/header policy added for GitHub-related hosts was too broad. Public release browser URLs on github.com can reject requests when a GitHub token is attached, which forces mise to fall back to the API asset URL. That fallback still works, but it loses the clearer browser download URL/filename path and increases API usage, which earlier work tried to avoid.

GHE Notes

  • GitHub Enterprise Cloud without data residency uses the normal GitHub.com REST API host.
  • GitHub Enterprise Server uses https://HOSTNAME/api/v3/..., so this keeps auth on non-github.com /api/v3 URLs.
  • GitHub Enterprise Cloud with data residency uses SUBDOMAIN.ghe.com for the web host and api.SUBDOMAIN.ghe.com for REST API. Token lookup tries SUBDOMAIN.ghe.com before api.SUBDOMAIN.ghe.com, matching the platform hostname users authenticate with, while still not sending headers to the web/download host.
  • GHE.com web hosts are explicitly excluded from the GHES /api/v3 path matcher; only api.SUBDOMAIN.ghe.com is treated as a GHE.com REST API host.

Review Follow-up

  • Addressed review feedback to remove the redundant is_gh_host branch from src/http.rs now that github::get_headers and is_github_api_url enforce API-only header behavior.
  • Addressed review feedback to exclude .ghe.com web hosts from the GHES /api/v3 path arm.
  • Added the missing GHES browser download no-auth regression case.
  • Left MISE_GITHUB_ENTERPRISE_TOKEN precedence unchanged for non-github.com API hosts, including api.SUBDOMAIN.ghe.com, because this PR is scoped to header destination safety and the existing token precedence treats non-github.com GitHub Enterprise hosts as enterprise hosts.

References

Tests

  • cargo fmt --all
  • cargo test --all-features github::tests
  • git diff --check
  • curl -sSIL on the reported github.com/cuotos/ecs-exec-pf asset URL returns 200 and redirects to release-assets.githubusercontent.com without auth headers.

Notes: mise run format did not discover tasks in this checkout, so I ran cargo fmt --all directly. Broad cargo clippy --all-features -- -Dwarnings and cargo clippy -p mise --all-features --no-deps -- -Dwarnings currently fail on unrelated pre-existing clippy warnings outside this change.

This PR description was AI-generated.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 20, 2026
edited
Loading

Greptile Summary

This PR fixes a token-leaking regression by scoping GitHub Authorization and X-GitHub-Api-Version headers exclusively to REST API URLs (api.github.com, GHES /api/v3 paths, and api.SUBDOMAIN.ghe.com), removing them from github.com browser downloads and *.githubusercontent.com CDN hosts that can reject authenticated requests. It also updates resolve_token to perform ordered multi-host lookups for GHE.com API hosts. Both concerns raised in the prior review round — excluding .ghe.com web hosts from the GHES path arm and adding a GHES browser-download no-auth regression test — are addressed in the current head.

Confidence Score: 5/5

Safe to merge; no P0/P1 issues found and all prior review concerns are resolved.

All previously flagged concerns (GHE.com .ghe.com web host exclusion in the GHES path arm, missing GHES browser-download no-auth test) are addressed in the current head. The URL classification logic is well-tested with positive and negative cases for github.com, githubusercontent.com, GHES, and GHE.com data-residency hosts. No correctness, security, or data-integrity issues remain.

No files require special attention.

Important Files Changed

Filename Overview
src/github.rs Introduces is_github_api_url to gate auth/version headers to REST API URLs only; adds is_ghe_com_api_host, is_ghes_api_path, token_lookup_hosts, and refactors resolve_token to use ordered host lookups; replaces the old is_githubusercontent_auth_host helper; adds comprehensive regression tests. Both prior review concerns (.ghe.com exclusion in GHES path arm, GHES browser-download no-auth test) are addressed.
src/http.rs Simplifies host_auth_headers by delegating to is_github_api_url from github.rs, removing the old overly-broad is_github predicate that included github.com browser URLs and all githubusercontent.com hosts.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Outbound HTTP request] --> B{is_github_api_url?}
    B -- yes --> C[github::get_headers]
    C --> D{resolve_token host}
    D --> E[Add Authorization + X-GitHub-Api-Version]
    E --> F{path contains /releases/assets/}
    F -- yes --> G[Add Accept: application/octet-stream]
    F -- no --> H[Return headers]
    G --> H

    B -- no --> I{is_gitlab_host?}
    I -- yes --> J[gitlab::get_headers]
    I -- no --> K{is_forgejo_host?}
    K -- yes --> L[forgejo::get_headers]
    K -- no --> M[Empty HeaderMap]

    subgraph is_github_api_url logic
        N[host == api.github.com] --> O[true]
        P[is_ghe_com_api_host: api.*.ghe.com] --> O
        Q[host != github.com AND not .githubusercontent.com AND not .ghe.com AND is_ghes_api_path /api/v3] --> O
    end
Loading

Reviews (3): Last reviewed commit: "fix(github): scope auth headers to API U..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 20, 2026
View reviewed changes
Comment thread src/github.rs
Comment thread src/github.rs
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refines the identification of GitHub API URLs and improves token resolution logic, notably adding support for ghe.com hosts and ensuring authentication headers are only sent to REST API endpoints. Key changes include the introduction of is_github_api_url and a multi-host lookup strategy in resolve_token. Feedback suggests extending the is_ghcom exclusion to ghe.com hosts to prevent unintended enterprise token usage and removing a redundant check in src/http.rs.

Comment thread src/github.rs
Comment thread src/http.rs Outdated
@risu729 risu729 force-pushed the codex/github-api-only-auth branch from 4d782c8 to fdf976f Compare April 20, 2026 23:23
@risu729 risu729 force-pushed the codex/github-api-only-auth branch from fdf976f to b50f55e Compare April 20, 2026 23:31
@risu729 risu729 marked this pull request as ready for review April 20, 2026 23:33
@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector Bot commented Apr 20, 2026

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@jdx jdx merged commit f4d20a8 into jdx:main Apr 21, 2026
34 checks passed
@mise-en-dev mise-en-dev mentioned this pull request Apr 21, 2026
Merged
@risu729 risu729 deleted the codex/github-api-only-auth branch April 21, 2026 00:24
jdx pushed a commit that referenced this pull request Apr 22, 2026
@mise-en-dev
chore: release 2026.4.19 (#9258)
251df44 
### 🚀 Features

- **(backend)** support aqua vars templates by @risu729 in
[#9110](#9110)
- add gsudo (Sudo for Windows) to registry by @matracey in
[#9281](#9281)

### 🐛 Bug Fixes

- **(cli)** retrieve token from github helper for `self-update` command
by @sushichan044 in [#9259](#9259)
- **(github)** scope auth headers to API URLs by @risu729 in
[#9271](#9271)
- **(vfox)** use github token for lua http requests by @jdx in
[#9257](#9257)

### 📚 Documentation

- add aube hero banner by @jdx in
[#9265](#9265)
- add en.dev footer by @jdx in
[#9267](#9267)
- implement landing page design by @jdx in
[#9266](#9266)

### 📦️ Dependency Updates

- lock file maintenance by @renovate[bot] in
[#9268](#9268)

### 📦 Registry

- add llama.cpp
([github:ggml-org/llama.cpp](https://github.com/ggml-org/llama.cpp)) by
@igor-makarov in [#9282](#9282)
- add kiro-cli by @shalk in
[#9274](#9274)
- add flux-operator & flux-operator-mcp by @monotek in
[#8852](#8852)

### Chore

- **(release)** add en.dev sponsor blurb to release notes by @jdx in
[#9272](#9272)
- bump communique to 1.0.1 by @jdx in
[#9264](#9264)

### New Contributors

- @monotek made their first contribution in
[#8852](#8852)
- @igor-makarov made their first contribution in
[#9282](#9282)

## 📦 Aqua Registry Updates

#### New Packages (2)

-
[`controlplaneio-fluxcd/flux-operator/flux-operator-mcp`](https://github.com/controlplaneio-fluxcd/flux-operator/flux-operator-mcp)
- [`endevco/aube`](https://github.com/endevco/aube)

#### Updated Packages (1)

- [`graelo/pumas`](https://github.com/graelo/pumas)
@BrewTestBot BrewTestBot mentioned this pull request Apr 23, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@risu729 @jdx