fix: check all github token sources in 403 rate limit warning #9121

Merged
jdx merged 2 commits into main from fix/github-token-403-warning
Apr 15, 2026

@jdx jdx commented Apr 15, 2026

Summary

  • The 403 Forbidden warning previously only checked the GITHUB_TOKEN env var, so users who configured a token via gh CLI, github_tokens.toml, credential_command, or git credential would still see the "GITHUB_TOKEN is not set" hint. Switched to github::resolve_token() so all supported sources are considered.
  • Linked to https://mise.jdx.dev/dev-tools/github-tokens.html so users can discover alternate token sources.
  • Softened the 403 cause wording — rate-limiting is the most common cause but not the only one.

Test plan

  • cargo check
  • Manually trigger a 403 with and without a token set via gh auth to confirm the warning only fires when no token is resolved

Note

Low Risk
Only changes error/warning messaging and the condition used to detect whether a GitHub token is available; no functional changes to GitHub API calls themselves.

Overview
Improves the user-facing warning shown when GitHub API requests fail with 403 Forbidden by clarifying that rate limiting is the most common (but not only) cause.

The warning now checks for any configured GitHub token via github::resolve_token("github.com") instead of only GITHUB_TOKEN, and updates the guidance text to point users to the docs for all supported token sources.

Reviewed by Cursor Bugbot for commit 6a654a2. Bugbot is set up for automated code reviews on this repo.

The 403 warning only checked the GITHUB_TOKEN env var, missing tokens
from gh CLI, github_tokens.toml, credential_command, and git credential.
Use github::resolve_token() so the warning isn't shown spuriously when a
token is set via an alternate source, and link to the docs page listing
all supported sources. Also soften the 403 cause language since the rate
limit is the most common but not the only reason.

greptile-apps Bot commented Apr 15, 2026

Greptile Summary

This PR improves the GitHub 403 Forbidden error handler in src/main.rs by replacing the single env::GITHUB_TOKEN check with github::resolve_token("github.com"), which covers all supported token sources (env vars, gh CLI, github_tokens.toml, credential_command, and git credential). The warning text is also softened to acknowledge that rate-limiting is the most common cause but not the only one, and a docs link is added.

Confidence Score: 5/5

Safe to merge — change is limited to error message copy and token-check logic in a single error handler path.

All findings from prior review rounds are P2 or lower (the subprocess side-effect concern was already acknowledged and accepted in the previous thread). The new check correctly covers all token sources, the updated message text is accurate, and the docs link is valid. No correctness, security, or data-integrity issues remain.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/main.rs | Replaces env-var-only token check with resolve_token() in the 403 error handler; updates warning text and adds a docs link — logic is correct and well-scoped. |

Sequence Diagram

sequenceDiagram
    participant HTTP as HTTP Client
    participant Main as main.rs error handler
    participant Resolver as github::resolve_token

    HTTP->>Main: 403 Forbidden from api.github.com
    Main->>Main: warn("403 Forbidden - most commonly rate limit")
    Main->>Resolver: resolve_token("github.com")
    Note over Resolver: Checks in priority order:<br/>1. Env vars (MISE_GITHUB_TOKEN, GITHUB_TOKEN)<br/>2. credential_command<br/>3. github_tokens.toml<br/>4. gh CLI hosts.yml<br/>5. git credential fill
    Resolver-->>Main: Some(token) or None
    alt None - no token found
        Main->>Main: warn("No token found - unauthenticated requests have lower rate limit - see docs")
    else Some - token present
        Main->>Main: silent - token exists but may lack permissions
    end

Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/github-toke..."

Comment thread src/main.rs
"GitHub API returned a 403 Forbidden error. This is most commonly caused by exceeding the rate limit, though other causes (e.g. insufficient token permissions) are possible."
);
if env::GITHUB_TOKEN.is_none() {
if github::resolve_token("github.com").is_none() {
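Review bot: the host passed to github::resolve_token in the new condition is the literal "github.com", so the hint is keyed to that one host regardless of which host returned the 403. If this handler can be reached for a 403 from any other GitHub host, a token configured only for github.com would suppress the hint, and a token configured only for the other host would not; consider deriving the host from the failing request, or add a comment stating that this branch only handles github.com responses. Only .is_none() is called on the result, so the token value is never formatted into the warning, and that is worth preserving if the message is extended later.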

P2 Potential subprocess side-effects in error handler

resolve_token may invoke subprocesses (credential_command, git credential fill) if those sources are configured. Since this runs inside an error handler triggered by a 403, it adds latency and a small risk of spurious subprocess errors in an already-failed state. Consider limiting the check to cheaper sources (env vars + pre-loaded lazy statics like GH_HOSTS / MISE_GITHUB_TOKENS) by factoring out a lightweight has_any_token_configured() helper, or simply document that the extra cost is acceptable given it only fires on 403 errors.

This is fine to ship as-is — the subprocess paths are only reached when the user has explicitly configured those sources — but worth noting for any future hardening of the error path.
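
The lightweight presence check suggested in the comment above, sketched as an added example that is not part of this PR or of mise's code base. `TokenConfig`, `Source`, `nonempty` and `forbidden_hint` are hypothetical names, the hint text is constructed, and treating a configured credential_command or git credential as "token present" without running it is an assumption of this sketch.

```rust
use std::collections::HashMap;

/// Token sources in the priority order given in the review's sequence diagram.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Source { EnvVar, CredentialCommand, TokensToml, GhCli, GitCredential }

/// Hypothetical snapshot of already-loaded configuration (not mise's real types).
#[derive(Default)]
struct TokenConfig {
    env: HashMap<String, String>,         // process environment
    credential_command: Option<String>,   // resolving it spawns a subprocess
    tokens_toml: HashMap<String, String>, // host -> token from github_tokens.toml
    gh_hosts: HashMap<String, String>,    // host -> token from gh CLI hosts.yml
    use_git_credential: bool,             // `git credential fill`, a subprocess
}

/// An unset, empty or whitespace-only value counts as "not configured".
fn nonempty(v: Option<&String>) -> bool {
    v.map_or(false, |s| !s.trim().is_empty())
}

/// Presence check for the error path: reads in-memory state only and never runs
/// credential_command or git. Returns which source is set, never the secret.
fn has_any_token_configured(cfg: &TokenConfig, host: &str) -> Option<Source> {
    if nonempty(cfg.env.get("MISE_GITHUB_TOKEN")) || nonempty(cfg.env.get("GITHUB_TOKEN")) {
        return Some(Source::EnvVar);
    }
    if nonempty(cfg.credential_command.as_ref()) { return Some(Source::CredentialCommand); }
    if nonempty(cfg.tokens_toml.get(host)) { return Some(Source::TokensToml); }
    if nonempty(cfg.gh_hosts.get(host)) { return Some(Source::GhCli); }
    if cfg.use_git_credential { return Some(Source::GitCredential); }
    None
}

/// Follow-up hint after the generic 403 warning, only when nothing is configured.
/// The hint wording is constructed for this example.
fn forbidden_hint(status: u16, cfg: &TokenConfig, host: &str) -> Option<&'static str> {
    if status == 403 && has_any_token_configured(cfg, host).is_none() {
        return Some("no GitHub token found, see https://mise.jdx.dev/dev-tools/github-tokens.html");
    }
    None
}

fn main() {
    let mut cfg = TokenConfig::default();
    println!("{:?}", forbidden_hint(403, &cfg, "github.com"));
    cfg.gh_hosts.insert("github.com".into(), "constructed-placeholder".into());
    println!("{:?}", has_any_token_configured(&cfg, "github.com"));
}
```

Because the check returns a `Source` rather than the token, a caller can log which source matched without the secret ever reaching the warning text.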


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the GitHub rate limit error handling in src/main.rs. It refines the warning message for 403 Forbidden errors to include potential causes beyond rate limits and updates the token detection logic to use github::resolve_token instead of checking only the GITHUB_TOKEN environment variable. Additionally, the help message for missing tokens was expanded with more detailed instructions and a link to the documentation. I have no feedback to provide.


github-actions Bot commented Apr 15, 2026

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.4.14 x -- echo | 24.1 ± 0.5 | 23.0 | 26.5 | 1.00 |
| mise x -- echo | 25.0 ± 0.9 | 23.9 | 34.5 | 1.04 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.4.14 env | 24.0 ± 0.7 | 22.7 | 28.3 | 1.00 |
| mise env | 24.7 ± 0.9 | 23.5 | 29.4 | 1.03 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.4.14 hook-env | 24.5 ± 0.6 | 23.4 | 26.3 | 1.00 |
| mise hook-env | 25.0 ± 0.5 | 24.0 | 26.7 | 1.02 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.4.14 ls | 21.5 ± 0.5 | 20.6 | 23.5 | 1.00 |
| mise ls | 22.9 ± 0.6 | 21.4 | 25.5 | 1.06 ± 0.04 |

xtasks/test/perf

| Command | mise-2026.4.14 | mise | Variance |
| --- | --- | --- | --- |
| install (cached) | 156ms | 158ms | -1% |
| ls (cached) | 82ms | 83ms | -1% |
| bin-paths (cached) | 86ms | 87ms | -1% |
| task-ls (cached) | 799ms | 796ms | +0% |

@jdx jdx enabled auto-merge (squash) April 15, 2026 22:50
@jdx jdx merged commit 474b7cb into main Apr 15, 2026
36 checks passed
@jdx jdx deleted the fix/github-token-403-warning branch April 15, 2026 23:00
mise-en-dev added a commit that referenced this pull request Apr 16, 2026
### 🐛 Bug Fixes

- **(env)** use OS path separator for path-list env vars on Windows by
@richardthe3rd in [#9058](#9058)
- check all github token sources in 403 rate limit warning by @jdx in
[#9121](#9121)

### 📚 Documentation

- add settings section for java by @roele in
[#9126](#9126)

### 📦 Registry

- added podlet by @tony-sol in
[#9134](#9134)
- add maturin by @Bing-su in
[#9113](#9113)

### New Contributors

- @Bing-su made their first contribution in
[#9113](#9113)

## 📦 Aqua Registry Updates

#### Updated Packages (2)

- [`fwdcloudsec/granted`](https://github.com/fwdcloudsec/granted)
- [`watchexec/watchexec`](https://github.com/watchexec/watchexec)