mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-04-28 11:50:06 +00:00
tools.func: prevent script crash when entering GitHub token after rate limit (#13638)
* fix(tools): prevent script crash when entering GitHub token after rate limit fetch_and_deploy_gh_release set attempt=0 after accepting a token, then immediately ran ((0++)) which evaluates to 0 (falsy) causing exit code 1 and killing the script under set -e. Fix: set attempt=1 and continue to restart the retry loop cleanly, giving the full max_retries budget with the new token. Also fix fetch_and_deploy_codeberg_release: replace ((attempt++)) with attempt=\ to avoid the same zero-evaluation crash on the first connection timeout (attempt starts at 0 in that loop). Fixes #13635 * feat(tools): add var_github_token support with token validation - Add var_github_token to all VAR_WHITELIST arrays in build.func so the token can be set via default.vars, app.vars, or environment variable - Map var_github_token -> GITHUB_TOKEN in default_var_settings() (env variable takes precedence over the var file value) - Add commented var_github_token example to the default.vars template - Add validate_github_token() to tools.func: * Calls GET /user to verify the token is accepted * Reports expiry date from x-oauth-expiry header (fine-grained PATs) * Warns when classic PAT is missing public_repo scope * Returns distinct exit codes: 0=valid, 1=invalid/expired, 2=no scope, 3=error - Update prompt_for_github_token(): * Non-interactive path now picks up var_github_token automatically * Interactive path also picks up var_github_token without prompting * Validates token immediately after entry; loops until valid or Ctrl+C
This commit is contained in:
CanbiZ (MickLesk)
GitHub
parent
f2d46dd8c8
commit
9a82ec48b2
2 changed files with 95 additions and 7 deletions
|
|
@ -1117,15 +1117,87 @@ is_package_installed() {
|
|||
fi
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# validate_github_token()
|
||||
# Checks a GitHub token via the /user endpoint.
|
||||
# Prints a status message and returns:
|
||||
# 0 - token is valid
|
||||
# 1 - token is invalid / expired (HTTP 401)
|
||||
# 2 - token has no public repo scope (HTTP 200 but missing scope)
|
||||
# 3 - network/API error
|
||||
# Also reports expiry date if the token carries an x-oauth-expiry header.
|
||||
# ------------------------------------------------------------------------------
|
||||
validate_github_token() {
|
||||
local token="${1:-${GITHUB_TOKEN:-}}"
|
||||
[[ -z "$token" ]] && return 3
|
||||
|
||||
local response headers http_code expiry_date scopes
|
||||
headers=$(mktemp)
|
||||
response=$(curl -sSL -w "%{http_code}" \
|
||||
-D "$headers" \
|
||||
-o /dev/null \
|
||||
-H "Authorization: Bearer $token" \
|
||||
-H "Accept: application/vnd.github+json" \
|
||||
-H "X-GitHub-Api-Version: 2022-11-28" \
|
||||
"https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
|
||||
http_code="$response"
|
||||
|
||||
# Read expiry header (fine-grained PATs carry this)
|
||||
expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
|
||||
| sed 's/.*: *//' | tr -d '\r\n' || true)
|
||||
# Read token scopes (classic PATs)
|
||||
scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
|
||||
| sed 's/.*: *//' | tr -d '\r\n' || true)
|
||||
rm -f "$headers"
|
||||
|
||||
case "$http_code" in
|
||||
200)
|
||||
if [[ -n "$expiry_date" ]]; then
|
||||
msg_ok "GitHub token is valid (expires: $expiry_date)."
|
||||
else
|
||||
msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
|
||||
fi
|
||||
# Warn if classic PAT has no public_repo scope
|
||||
if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
|
||||
msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
|
||||
return 2
|
||||
fi
|
||||
return 0
|
||||
;;
|
||||
401)
|
||||
msg_error "GitHub token is invalid or expired (HTTP 401)."
|
||||
return 1
|
||||
;;
|
||||
*)
|
||||
msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Prompt user to enter a GitHub Personal Access Token (PAT) interactively
|
||||
# Returns 0 if a valid token was provided, 1 otherwise
|
||||
# ------------------------------------------------------------------------------
|
||||
prompt_for_github_token() {
|
||||
if [[ ! -t 0 ]]; then
|
||||
# Non-interactive: pick up var_github_token if set (from default.vars / app.vars / env)
|
||||
if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
|
||||
export GITHUB_TOKEN="${var_github_token}"
|
||||
msg_ok "GitHub token loaded from var_github_token."
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Prefer var_github_token when already set and no interactive override needed
|
||||
if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
|
||||
export GITHUB_TOKEN="${var_github_token}"
|
||||
msg_ok "GitHub token loaded from var_github_token."
|
||||
validate_github_token || true
|
||||
return 0
|
||||
fi
|
||||
|
||||
local reply
|
||||
read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
|
||||
reply="${reply:-n}"
|
||||
|
|
@ -1147,10 +1219,16 @@ prompt_for_github_token() {
|
|||
msg_warn "Token must not contain spaces. Please try again."
|
||||
continue
|
||||
fi
|
||||
break
|
||||
# Validate before accepting
|
||||
export GITHUB_TOKEN="$token"
|
||||
if validate_github_token "$token"; then
|
||||
break
|
||||
else
|
||||
msg_warn "Please enter a valid token, or press Ctrl+C to abort."
|
||||
unset GITHUB_TOKEN
|
||||
fi
|
||||
done
|
||||
|
||||
export GITHUB_TOKEN="$token"
|
||||
msg_ok "GitHub token has been set."
|
||||
return 0
|
||||
}
|
||||
|
|
@ -2860,7 +2938,7 @@ function fetch_and_deploy_codeberg_release() {
|
|||
|
||||
while ((attempt < ${#api_timeouts[@]})); do
|
||||
resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
|
||||
((attempt++))
|
||||
attempt=$((attempt + 1))
|
||||
if ((attempt < ${#api_timeouts[@]})); then
|
||||
msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
|
||||
fi
|
||||
|
|
@ -3370,7 +3448,8 @@ function fetch_and_deploy_gh_release() {
|
|||
if prompt_for_github_token; then
|
||||
header=(-H "Authorization: token $GITHUB_TOKEN")
|
||||
retry_delay=2
|
||||
attempt=0
|
||||
attempt=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue