fix(github): use full token resolution chain for attestation verification #9154
…tion

Attestation verification was calling GitHub APIs with only the env-var token (MISE_GITHUB_TOKEN / GITHUB_TOKEN), ignoring credential_command, github_tokens.toml, gh CLI, and git credential fill. Unauthenticated requests hit GitHub's IP-based rate limit even when a valid token was configured via the credential helper.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review
This pull request updates the GitHub backend to resolve authentication tokens dynamically based on the API URL, enabling support for GitHub Enterprise. A review comment suggests simplifying the resolve_token_for_api_url function by removing redundant host canonicalization and avoiding unnecessary string allocations.
Greptile Summary

This PR fixes GitHub attestation verification to use the full token resolution chain (credential command,

Confidence Score: 5/5

Safe to merge — targeted, correct fix with no blocking issues. All three call sites are correctly updated; No files require special attention.

Important Files Changed
Sequence Diagram

```mermaid
sequenceDiagram
    participant Caller as Attestation Caller
    participant RTFAU as resolve_token_for_api_url(api_url)
    participant RT as resolve_token(host)
    participant Env as Env Vars
    participant CC as credential_command
    participant TF as github_tokens.toml
    participant GH as gh CLI
    participant GC as git credential
    Caller->>RTFAU: api_url (e.g. "https://api.github.com")
    RTFAU->>RTFAU: parse hostname → "api.github.com" (fallback if parse fails)
    RTFAU->>RT: resolve_token("api.github.com")
    RT->>RT: canonicalize → lookup_host="github.com"
    RT->>Env: MISE_GITHUB_TOKEN / GITHUB_TOKEN?
    alt env var set
        Env-->>RT: token
    else
        RT->>CC: credential_command?
        alt credential_command configured
            CC-->>RT: token
        else
            RT->>TF: github_tokens.toml entry?
            alt entry found
                TF-->>RT: token
            else
                RT->>GH: gh CLI hosts.yml?
                alt gh token found
                    GH-->>RT: token
                else
                    RT->>GC: git credential fill?
                    GC-->>RT: token or None
                end
            end
        end
    end
    RT-->>RTFAU: Option<(token, source)>
    RTFAU-->>Caller: Option<String> (token only)
```
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.15 x -- echo` | 22.7 ± 0.5 | 21.8 | 25.2 | 1.00 |
| `mise x -- echo` | 22.7 ± 0.8 | 21.8 | 33.0 | 1.00 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.15 env` | 22.2 ± 0.8 | 21.2 | 33.1 | 1.00 ± 0.05 |
| `mise env` | 22.1 ± 0.7 | 20.9 | 31.2 | 1.00 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.15 hook-env` | 22.8 ± 0.9 | 21.8 | 37.9 | 1.01 ± 0.05 |
| `mise hook-env` | 22.5 ± 0.6 | 21.6 | 28.9 | 1.00 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.15 ls` | 19.7 ± 0.4 | 18.9 | 22.1 | 1.00 |
| `mise ls` | 19.8 ± 0.7 | 19.1 | 26.4 | 1.01 ± 0.04 |

xtasks/test/perf
| Command | mise-2026.4.15 | mise | Variance |
|---|---|---|---|
| install (cached) | 147ms | 149ms | -1% |
| ls (cached) | 77ms | 78ms | -1% |
| bin-paths (cached) | 85ms | 83ms | +2% |
| task-ls (cached) | 824ms | 803ms | +2% |
### 🚀 Features

- **(registry)** add .perl-version support for perl by @ergofriend in [#9102](#9102)
- **(task)** add Tera template support for inline table run tasks by @iamkroot in [#9079](#9079)

### 🐛 Bug Fixes

- **(env)** use runtime symlink paths for fuzzy versions by @jdx in [#9143](#9143)
- **(github)** use full token resolution chain for attestation verification by @jdx in [#9154](#9154)
- **(go)** Remove install-time version override for subpath packages by @c22 in [#9135](#9135)
- **(npm)** respect install_before when resolving dist-tag versions by @webkaz in [#9145](#9145)
- **(self-update)** ensure subcommand exists by @salim-b in [#9144](#9144)
- **(task)** show available tasks when run target missing by @jdx in [#9141](#9141)
- **(task)** forward task help args and add raw_args by @jdx in [#9118](#9118)
- **(task)** remove red/yellow from task prefix colors by @lechuckcaptain in [#8782](#8782)
- **(task)** merge TOML task block into same-named file task and surface resolved dir by @jdx in [#9147](#9147)
- **(toolset)** round-trip serialized tool options by @atharvasingh7007 in [#9124](#9124)
- **(vfox)** fallback to absolute bin path if env_keys not set by @80avin in [#9151](#9151)

### 📚 Documentation

- make agent guide wording generic by @jdx in [#9142](#9142)

### 📦️ Dependency Updates

- update ghcr.io/jdx/mise:deb docker digest to e019cb9 by @renovate[bot] in [#9160](#9160)
- update ghcr.io/jdx/mise:copr docker digest to 8d25608 by @renovate[bot] in [#9159](#9159)
- update ghcr.io/jdx/mise:rpm docker digest to 22e52da by @renovate[bot] in [#9161](#9161)
- update ghcr.io/jdx/mise:alpine docker digest to a3da97c by @renovate[bot] in [#9158](#9158)
- update rust docker digest to 4a2ef38 by @renovate[bot] in [#9162](#9162)
- update ubuntu:24.04 docker digest to c4a8d55 by @renovate[bot] in [#9164](#9164)
- update rust crate aws-lc-rs to v1.16.3 by @renovate[bot] in [#9165](#9165)
- update ubuntu docker tag to resolute-20260413 by @renovate[bot] in [#9169](#9169)
- update rust crate clap to v4.6.1 by @renovate[bot] in [#9166](#9166)
- update taiki-e/install-action digest to a2352fc by @renovate[bot] in [#9163](#9163)
- update rust crate ctor to 0.10 by @renovate[bot] in [#9170](#9170)
- update rust crate tokio to v1.52.1 by @renovate[bot] in [#9167](#9167)
- update rust crate rmcp-macros to 0.17 by @renovate[bot] in [#9173](#9173)
- update rust crate signal-hook to 0.4 by @renovate[bot] in [#9177](#9177)
- update rust crate zipsign-api to 0.2 by @renovate[bot] in [#9180](#9180)
- update rust crate toml_edit to 0.25 by @renovate[bot] in [#9179](#9179)
- update rust crate strum to 0.28 by @renovate[bot] in [#9178](#9178)

### 📦 Registry

- add ibmcloud by @dnwe in [#9139](#9139)
- add rush by @jdx in [#9146](#9146)

### New Contributors

- @80avin made their first contribution in [#9151](#9151)
- @atharvasingh7007 made their first contribution in [#9124](#9124)
- @lechuckcaptain made their first contribution in [#8782](#8782)
- @ergofriend made their first contribution in [#9102](#9102)
- @dnwe made their first contribution in [#9139](#9139)

## 📦 Aqua Registry Updates

#### New Packages (3)

- [`controlplaneio-fluxcd/flux-operator`](https://github.com/controlplaneio-fluxcd/flux-operator)
- [`dependency-check/DependencyCheck`](https://github.com/dependency-check/DependencyCheck)
- [`kiro.dev/kiro-cli`](https://github.com/kiro.dev/kiro-cli)

#### Updated Packages (2)

- [`jreleaser/jreleaser/standalone`](https://github.com/jreleaser/jreleaser/standalone)
- [`sigstore/cosign`](https://github.com/sigstore/cosign)

Summary

- `MISE_GITHUB_TOKEN`/`GITHUB_TOKEN`) to the GitHub API, bypassing the full token resolution chain
- `credential_command`, `github_tokens.toml`, the `gh` CLI, and `git credential fill` were silently ignored during attestation calls

Fix

- `github::resolve_token_for_api_url(api_url)` to `src/github.rs` — parses the hostname from the API URL and delegates to the existing `resolve_token` priority chain
- `env::GITHUB_TOKEN.as_deref()` call sites in attestation verification (`detect_provenance_type`, `verify_provenance_at_lock_time`, `try_verify_github_attestations`) with the new helper
- `api_url` in scope; it now derives it from `self.get_api_url(&tv.request.options())`

Test plan

- `credential_command` (not env var) — should verify without 403
- `mise run test`

🤖 Generated with Claude Code

Note
Medium Risk
Touches provenance/attestation verification and how auth tokens are selected, which can affect security verification outcomes and GitHub rate-limiting behavior, but the change is small and reuses existing token-resolution logic.
Overview
GitHub attestation detection and verification now authenticate using the same per-host token resolution chain as normal GitHub API requests, rather than only `GITHUB_TOKEN`/`MISE_GITHUB_TOKEN`.

This adds `github::resolve_token_for_api_url()` and updates all GitHub attestation call sites in `backend/github.rs` (including the install-time path that now derives `api_url` from options) to pass the resolved token for the configured API base URL, improving behavior for enterprise/custom hosts and non-env token sources (credential command, tokens file, gh CLI, git credentials).

Reviewed by Cursor Bugbot for commit fa5005e.
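
The resolution order from the sequence diagram, written out as an added sketch; this is not mise's implementation. Only `resolve_token` and `resolve_token_for_api_url` are names from the PR; the signatures, the `host_of` helper, the sample sources and the token values are assumptions constructed for illustration.

```rust
// Added sketch, not mise's code. Only resolve_token and resolve_token_for_api_url
// are names from the PR; bodies, signatures and sources below are assumptions.
type Source = (&'static str, fn(&str) -> Option<String>);

/// Host part of an API base URL (std only; IPv6 literals are not handled).
fn host_of(api_url: &str) -> Option<String> {
    let rest = api_url.split_once("://")?.1;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let host_port = authority.rsplit('@').next()?; // drop any userinfo
    let host = host_port.split(':').next()?; // drop any port
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Walk the sources in priority order for one host; the first hit wins.
fn resolve_token(host: &str, chain: &[Source]) -> Option<(String, &'static str)> {
    // The diagram canonicalizes "api.github.com" to the lookup host "github.com".
    let lookup = if host == "api.github.com" { "github.com" } else { host };
    chain.iter().find_map(|(name, get)| get(lookup).map(|t| (t, *name)))
}

/// Token for whichever host the API base URL points at (source label dropped).
fn resolve_token_for_api_url(api_url: &str, chain: &[Source]) -> Option<String> {
    // Per the diagram, an unparseable URL falls back to "api.github.com".
    let host = host_of(api_url).unwrap_or_else(|| "api.github.com".to_string());
    resolve_token(&host, chain).map(|(token, _)| token)
}

/// Constructed sources: no env token, github.com served by a credential
/// command, an enterprise host served by the tokens file.
fn sample_chain() -> [Source; 3] {
    [
        ("env", |_: &str| None),
        ("credential_command", |h: &str| (h == "github.com").then(|| "tok-cc".to_string())),
        ("github_tokens.toml", |h: &str| (h == "ghe.example.com").then(|| "tok-ghe".to_string())),
    ]
}

fn main() {
    let chain = sample_chain();
    for url in ["https://api.github.com", "https://ghe.example.com/api/v3", "not a url"] {
        println!("{url} -> {:?}", resolve_token_for_api_url(url, &chain));
    }
    // Env-only lookup (the behaviour the PR replaces): no token, so the call is unauthenticated.
    println!("env only -> {:?}", resolve_token("github.com", &chain[..1]));
}
```

With the constructed sources, the enterprise URL resolves only through its own host entry, so the github.com token is never returned for `ghe.example.com`.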