fix: check all github token sources in 403 rate limit warning #9121
The 403 warning only checked the GITHUB_TOKEN env var, missing tokens from gh CLI, github_tokens.toml, credential_command, and git credential. Use github::resolve_token() so the warning isn't shown spuriously when a token is set via an alternate source, and link to the docs page listing all supported sources. Also soften the 403 cause language since the rate limit is the most common but not the only reason.
Greptile Summary
This PR improves the GitHub 403 Forbidden error handler in
Confidence Score: 5/5
Safe to merge — change is limited to error message copy and token-check logic in a single error handler path.
All findings from prior review rounds are P2 or lower (the subprocess side-effect concern was already acknowledged and accepted in the previous thread). The new check correctly covers all token sources, the updated message text is accurate, and the docs link is valid. No correctness, security, or data-integrity issues remain.
No files require special attention.
Important Files Changed
Sequence Diagram

```mermaid
sequenceDiagram
    participant HTTP as HTTP Client
    participant Main as main.rs error handler
    participant Resolver as github::resolve_token
    HTTP->>Main: 403 Forbidden from api.github.com
    Main->>Main: warn("403 Forbidden - most commonly rate limit")
    Main->>Resolver: resolve_token("github.com")
    Note over Resolver: Checks in priority order:<br/>1. Env vars (MISE_GITHUB_TOKEN, GITHUB_TOKEN)<br/>2. credential_command<br/>3. github_tokens.toml<br/>4. gh CLI hosts.yml<br/>5. git credential fill
    Resolver-->>Main: Some(token) or None
    alt None - no token found
        Main->>Main: warn("No token found - unauthenticated requests have lower rate limit - see docs")
    else Some - token present
        Main->>Main: silent - token exists but may lack permissions
    end
```
Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/github-toke..."
| "GitHub API returned a 403 Forbidden error. This is most commonly caused by exceeding the rate limit, though other causes (e.g. insufficient token permissions) are possible." | ||
| ); | ||
| if env::GITHUB_TOKEN.is_none() { | ||
| if github::resolve_token("github.com").is_none() { |
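Review bot: The `github::resolve_token("github.com").is_none()` check in the visible lines only handles the no-token case, so when a token does resolve and the API still answers 403, the user gets just the generic message with nothing pointing at the token. Since the new message text names insufficient token permissions as a possible cause, consider an else branch that says a token was found and may lack the required permissions, naming the source it came from and never the token value. The host is also a hard-coded "github.com" literal; if this handler can be reached for other GitHub hosts, pass the host of the failing request instead.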
Potential subprocess side-effects in error handler
resolve_token may invoke subprocesses (credential_command, git credential fill) if those sources are configured. Since this runs inside an error handler triggered by a 403, it adds latency and a small risk of spurious subprocess errors in an already-failed state. Consider limiting the check to cheaper sources (env vars + pre-loaded lazy statics like GH_HOSTS / MISE_GITHUB_TOKENS) by factoring out a lightweight has_any_token_configured() helper, or simply document that the extra cost is acceptable given it only fires on 403 errors.
This is fine to ship as-is — the subprocess paths are only reached when the user has explicitly configured those sources — but worth noting for any future hardening of the error path.
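The trade-off raised in the review comment above, as an added Rust sketch that is not mise's code: a presence check that walks the five sources in the listed priority order, never spawns a helper, and reports which source matched instead of returning the secret. `Source`, `Configured`, `first_configured_source` and `hint_for_403` are hypothetical names, and the configuration snapshot is assumed to be loaded already.

```rust
use std::collections::HashMap;

// Hypothetical types and names; sources follow the priority order listed above.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source { EnvVar, CredentialCommand, TokensFile, GhCli, GitCredential }

impl Source {
    // The two sources the review comment identifies as invoking a subprocess.
    pub fn spawns_subprocess(self) -> bool {
        matches!(self, Source::CredentialCommand | Source::GitCredential)
    }
}

// Assumed snapshot of already-loaded configuration (no I/O happens below).
#[derive(Default)]
pub struct Configured {
    pub env: HashMap<String, String>,
    pub credential_command: Option<String>,
    pub tokens_file_hosts: Vec<String>,
    pub gh_cli_hosts: Vec<String>,
    pub git_credential_enabled: bool,
}

// First configured source for `host`. Returns the source, never the secret,
// and never runs a helper: a subprocess source counts as "configured" only.
pub fn first_configured_source(cfg: &Configured, host: &str) -> Option<Source> {
    let env_set = ["MISE_GITHUB_TOKEN", "GITHUB_TOKEN"]
        .iter()
        .any(|k| cfg.env.get(*k).is_some_and(|v| !v.trim().is_empty()));
    if env_set { return Some(Source::EnvVar); }
    if cfg.credential_command.is_some() { return Some(Source::CredentialCommand); }
    if cfg.tokens_file_hosts.iter().any(|h| h == host) { return Some(Source::TokensFile); }
    if cfg.gh_cli_hosts.iter().any(|h| h == host) { return Some(Source::GhCli); }
    if cfg.git_credential_enabled { return Some(Source::GitCredential); }
    None
}

// Hint text for the 403 path; wording is illustrative.
pub fn hint_for_403(cfg: &Configured, host: &str) -> String {
    match first_configured_source(cfg, host) {
        None => "no token configured; unauthenticated requests have a lower rate limit".into(),
        Some(s) if s.spawns_subprocess() => format!("{s:?} is configured but was not run here"),
        Some(s) => format!("token found via {s:?}; it may lack permissions"),
    }
}

fn main() {
    let mut cfg = Configured::default();
    cfg.gh_cli_hosts.push("github.com".into()); // constructed sample
    println!("{}", hint_for_403(&cfg, "github.com"));
}
```

The cost of skipping the helpers is precision: a configured `credential_command` or `git credential` source is reported as present even though it might return nothing when actually run.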
Code Review
This pull request updates the GitHub rate limit error handling in src/main.rs. It refines the warning message for 403 Forbidden errors to include potential causes beyond rate limits and updates the token detection logic to use github::resolve_token instead of checking only the GITHUB_TOKEN environment variable. Additionally, the help message for missing tokens was expanded with more detailed instructions and a link to the documentation. I have no feedback to provide.
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.14 x -- echo` | 24.1 ± 0.5 | 23.0 | 26.5 | 1.00 |
| `mise x -- echo` | 25.0 ± 0.9 | 23.9 | 34.5 | 1.04 ± 0.04 |

mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.14 env` | 24.0 ± 0.7 | 22.7 | 28.3 | 1.00 |
| `mise env` | 24.7 ± 0.9 | 23.5 | 29.4 | 1.03 ± 0.05 |

mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.14 hook-env` | 24.5 ± 0.6 | 23.4 | 26.3 | 1.00 |
| `mise hook-env` | 25.0 ± 0.5 | 24.0 | 26.7 | 1.02 ± 0.03 |

mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.14 ls` | 21.5 ± 0.5 | 20.6 | 23.5 | 1.00 |
| `mise ls` | 22.9 ± 0.6 | 21.4 | 25.5 | 1.06 ± 0.04 |

xtasks/test/perf
| Command | mise-2026.4.14 | mise | Variance |
|---|---|---|---|
| install (cached) | 156ms | 158ms | -1% |
| ls (cached) | 82ms | 83ms | -1% |
| bin-paths (cached) | 86ms | 87ms | -1% |
| task-ls (cached) | 799ms | 796ms | +0% |
### 🐛 Bug Fixes

- **(env)** use OS path separator for path-list env vars on Windows by @richardthe3rd in [#9058](#9058)
- check all github token sources in 403 rate limit warning by @jdx in [#9121](#9121)

### 📚 Documentation

- add settings section for java by @roele in [#9126](#9126)

### 📦 Registry

- added podlet by @tony-sol in [#9134](#9134)
- add maturin by @Bing-su in [#9113](#9113)

### New Contributors

- @Bing-su made their first contribution in [#9113](#9113)

## 📦 Aqua Registry Updates

#### Updated Packages (2)

- [`fwdcloudsec/granted`](https://github.com/fwdcloudsec/granted)
- [`watchexec/watchexec`](https://github.com/watchexec/watchexec)

Summary
`GITHUB_TOKEN` env var, so users who configured a token via `gh` CLI, `github_tokens.toml`, `credential_command`, or `git credential` would still see the "GITHUB_TOKEN is not set" hint. Switched to `github::resolve_token()` so all supported sources are considered.
Test plan
`cargo check`
`gh auth` to confirm the warning only fires when no token is resolved
Note
Low Risk
Only changes error/warning messaging and the condition used to detect whether a GitHub token is available; no functional changes to GitHub API calls themselves.
Overview
Improves the user-facing warning shown when GitHub API requests fail with `403 Forbidden` by clarifying that rate limiting is the most common (but not only) cause.
The warning now checks for any configured GitHub token via `github::resolve_token("github.com")` instead of only `GITHUB_TOKEN`, and updates the guidance text to point users to the docs for all supported token sources.
Reviewed by Cursor Bugbot for commit 6a654a2. Bugbot is set up for automated code reviews on this repo.