Limit GitHub tokens to github.com download URLs

2026-05-15 06:15:57 +00:00 · 2026-05-11 17:52:04 +01:00 · 2026-05-11 17:52:04 +01:00 · 2f9f369997
commit 2f9f369997
parent 88aa608651
3 changed files with 47 additions and 6 deletions
--- a/src/download/download-version.ts
+++ b/src/download/download-version.ts
@ -54,8 +54,7 @@ export async function downloadVersion(

  const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
  const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
-  // Don't send the GitHub token to the Astral mirror.
-  const downloadToken = mirrorUrl !== undefined ? undefined : githubToken;
+  const downloadToken = githubTokenForUrl(downloadUrl, githubToken);

  try {
    return await downloadArtifact(
@ -83,7 +82,7 @@ export async function downloadVersion(
      arch,
      version,
      resolvedChecksum,
-      githubToken,
+      githubTokenForUrl(artifact.downloadUrl, githubToken),
    );
  }
 }
@ -100,6 +99,19 @@ export function rewriteToMirror(url: string): string | undefined {
  return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length);
 }

+function githubTokenForUrl(
+  downloadUrl: string,
+  githubToken: string,
+): string | undefined {
+  try {
+    return new URL(downloadUrl).origin === "https://github.com"
+      ? githubToken
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 async function downloadArtifact(
  downloadUrl: string,
  artifactName: string,