Conversation
Sending auth to github.com release-download URLs makes GitHub redirect to objects.githubusercontent.com (instead of the public release-assets host), which then 401s once reqwest strips the Authorization header on the cross-origin redirect. The result was vfox plugins (e.g. vfox-kotlin) failing pre-install HEAD checks whenever GITHUB_TOKEN was set. Mirror src/github.rs::is_github_api_url and only attach Authorization to api.github.com and api.*.ghe.com hosts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Resolving golangci-lint via @latest has flaked in CI ("no versions found for go:github.com/golangci/golangci-lint/cmd/golangci-lint"). Subpath resolution with @latest is still exercised by the kratos case on the next line, so pinning here removes a flake without losing coverage. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Greptile Summary
This PR fixes two CI failures: it scopes GitHub auth headers in the vfox Lua HTTP module to REST API URLs only (
One minor observation: the comment says the logic "mirrors
Confidence Score: 5/5
Safe to merge — the fix is well-targeted and tests clearly cover the new behavior. Both changes are narrow and correct: the auth-scoping fix eliminates a real 401 bug and the updated tests prove the new semantics. The golangci-lint pin is a pure CI stability change. No P0/P1 findings. No files require special attention.
Important Files Changed
Sequence Diagram
sequenceDiagram
participant Plugin as vfox Plugin (Lua)
participant HTTP as http.rs add_default_headers
participant GH as github.com/releases/download
participant CDN as objects.githubusercontent.com
participant API as api.github.com
Note over HTTP: Before fix
Plugin->>HTTP: http.get(github.com/releases/download/...)
HTTP->>GH: GET + Authorization: Bearer token
GH-->>CDN: 302 redirect (auth stripped by reqwest)
CDN-->>Plugin: 401 Unauthorized
Note over HTTP: After fix
Plugin->>HTTP: http.get(github.com/releases/download/...)
HTTP->>GH: GET (no Authorization header)
GH-->>CDN: 302 redirect (public asset)
CDN-->>Plugin: 200 OK
Plugin->>HTTP: http.get(api.github.com/repos/.../releases)
HTTP->>API: GET + Authorization: Bearer token + x-github-api-version
API-->>Plugin: 200 OK
Code Review
This pull request modifies the logic for adding default headers to GitHub requests, specifically restricting the Authorization and x-github-api-version headers to api.github.com and api.*.ghe.com to avoid 401 errors on redirects. It also pins the golangci-lint version in an E2E test. Reviewers noted that the new API check is too restrictive for on-premise GitHub Enterprise installations and that removing raw.githubusercontent.com from the allowed list may break private repository downloads.
    let is_api =
        host == "api.github.com" || (host.starts_with("api.") && host.ends_with(".ghe.com"));
The is_api check is quite restrictive for GitHub Enterprise (GHE) instances. While it correctly handles the new *.ghe.com domains, it will fail to attach authentication headers for traditional GHE installations hosted on custom internal domains (e.g., github.mycompany.com/api/v3).
Consider also checking if the URL path starts with /api/v3, which is the standard API prefix for GHE Server, to improve compatibility with on-premise installations.
    let is_api =
        host == "api.github.com"
            || (host.starts_with("api.") && host.ends_with(".ghe.com"))
            || url.path().starts_with("/api/v3");

    let is_api =
        host == "api.github.com" || (host.starts_with("api.") && host.ends_with(".ghe.com"));
This change stops sending the Authorization header to raw.githubusercontent.com. While this avoids the redirect issue described for github.com release assets, it will break the ability for vfox plugins to download files from private repositories via raw.githubusercontent.com.
If raw.githubusercontent.com does not suffer from the same 302-to-401 redirect issue as github.com, it might be worth keeping it in the allowed list to maintain support for private repository content.
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.18 x -- echo | 22.5 ± 0.4 | 21.5 | 23.7 | 1.00 |
| mise x -- echo | 23.3 ± 0.8 | 22.1 | 31.2 | 1.04 ± 0.04 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.18 env | 22.1 ± 0.7 | 20.8 | 31.0 | 1.00 |
| mise env | 22.9 ± 0.8 | 21.6 | 30.7 | 1.04 ± 0.05 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.18 hook-env | 22.8 ± 0.6 | 21.8 | 31.0 | 1.00 |
| mise hook-env | 23.6 ± 0.7 | 22.0 | 27.6 | 1.04 ± 0.04 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.18 ls | 20.1 ± 0.6 | 18.8 | 22.6 | 1.00 |
| mise ls | 20.7 ± 0.6 | 19.7 | 25.7 | 1.03 ± 0.04 |
xtasks/test/perf
| Command | mise-2026.4.18 | mise | Variance |
|---|---|---|---|
| install (cached) | 146ms | -14% | |
| ls (cached) | 76ms | 79ms | -3% |
| bin-paths (cached) | 81ms | 84ms | -3% |
| task-ls (cached) | 833ms | 813ms | +2% |
Summary
Two fixes for the e2e failures observed on release PR #9258 (e2e-0, e2e-3):
GITHUB_TOKEN is set and a vfox plugin (e.g. vfox-kotlin) calls http.head/http.get on a github.com/.../releases/download/... URL, GitHub redirects to objects.githubusercontent.com (not the public release-assets.githubusercontent.com). Once reqwest strips the Authorization header on the cross-origin hop, that URL 401s. The plugin's pre-install check then errors with "Current version information not detected." Mirror src/github.rs::is_github_api_url and only attach auth to api.github.com and api.*.ghe.com hosts.
go:github.com/golangci/golangci-lint/cmd/golangci-lint@latest resolution flaked in CI ("no versions found"). Pin to 1.64.8 — the kratos case on the next line still exercises subpath @latest resolution.
Test plan
cargo test -p vfox lua_mod::http -- --nocapture (17 passed)
mise run test:e2e e2e/backend/test_vfox_kotlin_slow passes locally with GITHUB_TOKEN set (previously failed)
mise run lint
🤖 Generated with Claude Code
Note
Medium Risk
Changes when Authorization/x-github-api-version headers are added, which can affect private GitHub/GHE API access and plugin download flows. Also adjusts e2e tooling to avoid CI flakes by pinning golangci-lint.
Overview
Fixes vfox Lua HTTP default header injection by only attaching GitHub Authorization and x-github-api-version headers for REST API hosts (api.github.com and api.*.ghe.com), avoiding auth on github.com release download and other non-API GitHub content URLs that can break redirects.
Updates unit tests to cover the new scoping (skip release downloads/raw content, include GHE API), and pins the e2e Go install test’s golangci-lint tool from latest to 1.64.8 to reduce CI resolution flakiness.
Reviewed by Cursor Bugbot for commit 8b7f800.
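
The header scoping this PR describes, as an added example that is not the project's code: credentials are attached only when the request host is api.github.com or api.*.ghe.com, and every URL the check cannot parse unambiguously gets no token. The function names, the std-only host extraction and the API version value are assumptions; real code should take the host from the same parsed URL type its HTTP client uses.

```rust
// Added example: function names are hypothetical; std only, no url/reqwest crate.

/// Lowercased host of an absolute https URL, or None (fail closed).
fn https_host(url: &str) -> Option<String> {
    // Never attach a token to a cleartext or non-http(s) request.
    let rest = url.strip_prefix("https://")?;
    // The authority ends at '/', '?' or '#'. WHATWG-style parsers also treat '\'
    // as '/', so split on it too or this check and the client could disagree.
    let authority = rest.split(|c: char| matches!(c, '/' | '\\' | '?' | '#')).next()?;
    // Skip userinfo: the host is whatever follows the last '@'.
    let host_port = authority.rsplit('@').next()?;
    let host = host_port.split(':').next()?.to_ascii_lowercase();
    // Reject anything that is not a plain DNS name instead of guessing.
    let plain = !host.is_empty()
        && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if plain { Some(host) } else { None }
}

/// The host rule quoted on this page: api.github.com and api.*.ghe.com.
fn is_github_api_host(host: &str) -> bool {
    host == "api.github.com" || (host.starts_with("api.") && host.ends_with(".ghe.com"))
}

/// Headers to add for `url`; empty unless it is a GitHub REST API URL.
fn github_auth_headers(url: &str, token: &str) -> Vec<(&'static str, String)> {
    match https_host(url) {
        Some(h) if is_github_api_host(&h) => vec![
            ("authorization", format!("Bearer {}", token)),
            // Assumed version value; the page does not state one.
            ("x-github-api-version", "2022-11-28".to_string()),
        ],
        _ => Vec::new(),
    }
}

fn main() {
    // Constructed URLs; "acme", "o/r" and "evil.example" are placeholders.
    for url in &[
        "https://api.github.com/repos/o/r/releases",
        "https://api.acme.ghe.com/repos/o/r",
        "https://github.com/o/r/releases/download/v1/a.zip",
        "https://raw.githubusercontent.com/o/r/main/f",
        "https://api.github.com.evil.example/x",
        "https://api.github.com@evil.example/x",
        "http://api.github.com/x",
    ] {
        println!("{} {}", !github_auth_headers(url, "TOKEN").is_empty(), url);
    }
}
```

Only the first two URLs print `true`; the look-alike hosts, the userinfo form and the cleartext URL all come back with no headers.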