diff --git a/README.md b/README.md index 059deeac..3f7591ff 100644 --- a/README.md +++ b/README.md @@ -465,6 +465,7 @@ Disable coverage for these reasons: - Specify the GitHub token to use for authentication. - Accepts a `string`. - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used. +- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT). ### Outputs @@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}- By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input. -The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version. - ```yaml - name: Setup PHP uses: shivammathur/setup-php@v2 @@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat github-token: ${{ secrets.YOUR_PAT_TOKEN }} ``` +The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version. + +For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT). + ### Private Packagist Authentication If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate. diff --git a/src/scripts/tools/add_tools.ps1 b/src/scripts/tools/add_tools.ps1 index a45362db..fb1a2d41 100644 --- a/src/scripts/tools/add_tools.ps1 +++ b/src/scripts/tools/add_tools.ps1 
@@ -61,6 +61,19 @@ Function Update-AuthJson { Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5) } +function Test-GitHubPublicAccess { + param( + [Parameter(Mandatory=$true)] + [string]$Token + ) + try { + Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null + return $true + } catch { + return $false + } +} + # Function to setup authentication in composer. Function Set-ComposerAuth() { if(Test-Path env:COMPOSER_AUTH_JSON) { @@ -74,9 +87,15 @@ Function Set-ComposerAuth() { if(Test-Path env:PACKAGIST_TOKEN) { $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}' } + $write_token = $true $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN } if ($token) { - $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}' + if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) { + $write_token = $false + } + if($write_token) { + $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}' + } } if($composer_auth.length) { Update-AuthJson $composer_auth diff --git a/src/scripts/tools/add_tools.sh b/src/scripts/tools/add_tools.sh index 484f2233..15014f6e 100644 --- a/src/scripts/tools/add_tools.sh +++ b/src/scripts/tools/add_tools.sh @@ -65,6 +65,11 @@ update_auth_json() { printf '%s' "$merged" > "$composer_home/auth.json" } +# Function to check if public GitHub token authentication is possible. +can_access_public_github() { + curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1 +} + # Function to setup authentication in composer. set_composer_auth() { if [ -n "$COMPOSER_AUTH_JSON" ]; then 
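Review bot: `Test-GitHubPublicAccess` calls `Invoke-RestMethod` without `-TimeoutSec`, and its bare `catch` reports every failure (DNS, proxy, rate limiting, a transient 5xx) as "token not accepted", so on an enterprise runner with restricted egress the step may stall and then drop a usable token for the wrong reason. I would bound the call, e.g. `-TimeoutSec 10` (the value is a suggestion), and return `$false` only for an authentication failure. `can_access_public_github` in add_tools.sh has the same gap: its curl call sets neither `--connect-timeout` nor `--max-time`. The new function also has no header comment, unlike its neighbours; `# Function to check if the token is accepted by public GitHub.` would match the file's style.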
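Review bot: When the probe fails, the `github-oauth` entry is left out without any message, so a user whose PAT is expired or mistyped only finds out later when Composer runs unauthenticated; a warning in the `$write_token = $false` branch would make that visible. The probe also sends whatever is in `COMPOSER_TOKEN`/`GITHUB_TOKEN` to api.github.com whenever `GITHUB_SERVER_URL` differs from `https://github.com`, which includes the case where the variable is unset, so an enterprise-issued token is presumably transmitted to a host that did not issue it; that deserves a comment such as `# Probes api.github.com with the token; on GitHub Enterprise this sends the server-issued token to github.com once per run.` The flag variable can be dropped by writing the condition as `if ($env:GITHUB_SERVER_URL -eq "https://github.com" -or (Test-GitHubPublicAccess $token)) {`. The same points apply to the `set_composer_auth` hunk in add_tools.sh; `Set-ComposerAuth` starts and ends outside this hunk.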
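Review bot: `can_access_public_github` puts the token into curl's argument list (`-H "Authorization: token $1"`), where it is readable through the process table by other processes on the runner and is printed if shell tracing (`set -x`) is enabled. curl can take the header from stdin instead, which keeps the secret out of argv because `printf` is a shell builtin: `printf 'Authorization: token %s\n' "$1" | curl --fail -s -H @- 'https://api.github.com/' >/dev/null 2>&1`. Reading headers with `-H @-` needs curl 7.55 or newer, so check the oldest runner image the action supports before switching.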
@@ -78,8 +83,15 @@ set_composer_auth() {
 if [ -n "$PACKAGIST_TOKEN" ]; then
 composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
 fi
- if [ -n "${COMPOSER_TOKEN:-$GITHUB_TOKEN}" ]; then
- composer_auth+=( '"github-oauth": {"github.com": "'"${COMPOSER_TOKEN:-$GITHUB_TOKEN}"'"}' )
+ token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
+ if [ -n "$token" ]; then
+ write_token=true
+ if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+ can_access_public_github "$token" || write_token=false
+ fi
+ if [ "$write_token" = 'true' ]; then
+ composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+ fi
 fi
 if ((${#composer_auth[@]})); then
 update_auth_json "${composer_auth[@]}"
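Review bot: `token` and `write_token` are assigned without `local`; the start of `set_composer_auth` is outside this hunk, so they may be declared there, but if they are not, both become globals and the secret stays in a generically named variable after the function returns. Adding `local token write_token` before `token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"` keeps both scoped to the function. `write_token` could also be avoided entirely with `if [ "$GITHUB_SERVER_URL" = "https://github.com" ] || can_access_public_github "$token"; then`.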