From 89b2566bb0cc8cd6c3a32a35e34d80af75ce6a25 Mon Sep 17 00:00:00 2001 From: Shivam Mathur Date: Sat, 2 Aug 2025 12:12:58 +0530 Subject: [PATCH] Check github-token on enterprise On GitHub enterprise we may get a Personal Access token or a default token generated by GitHub that maybe not have the permissions required to access public GitHub, so we check and add it only if it can authenticate with the public GitHub API --- README.md | 7 +++++-- src/scripts/tools/add_tools.ps1 | 21 ++++++++++++++++++++- src/scripts/tools/add_tools.sh | 16 ++++++++++++++-- 3 files changed, 39 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 059deeac..3f7591ff 100644 --- a/README.md +++ b/README.md @@ -465,6 +465,7 @@ Disable coverage for these reasons: - Specify the GitHub token to use for authentication. - Accepts a `string`. - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used. +- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT). ### Outputs @@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}- By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input. -The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version. - ```yaml - name: Setup PHP uses: shivammathur/setup-php@v2 
@@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat github-token: ${{ secrets.YOUR_PAT_TOKEN }} ``` +The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version. + +For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT). + ### Private Packagist Authentication If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate. diff --git a/src/scripts/tools/add_tools.ps1 b/src/scripts/tools/add_tools.ps1 index a45362db..fb1a2d41 100644 --- a/src/scripts/tools/add_tools.ps1 +++ b/src/scripts/tools/add_tools.ps1 @@ -61,6 +61,19 @@ Function Update-AuthJson { Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5) } +function Test-GitHubPublicAccess { + param( + [Parameter(Mandatory=$true)] + [string]$Token + ) + try { + Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null + return $true + } catch { + return $false + } +} + # Function to setup authentication in composer. Function Set-ComposerAuth() { if(Test-Path env:COMPOSER_AUTH_JSON) { 
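Review bot: `Test-GitHubPublicAccess` sets no request timeout, and its `catch` maps every failure (DNS, proxy, TLS, rate limiting, 5xx) to "token cannot authenticate". On a runner with restricted or slow egress to api.github.com this can stall setup and then drop a token that is in fact valid. Bound the call with `-TimeoutSec 10` on the `Invoke-RestMethod` line; separating a 401 response from a transport error would make the outcome diagnosable. The probe also sends the enterprise-issued token to the public API host, and the function has no header comment unlike its neighbours, so add one such as `# Function to check if the token authenticates with the public GitHub API (sends the token to api.github.com).`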
@@ -74,9 +87,15 @@ Function Set-ComposerAuth() { if(Test-Path env:PACKAGIST_TOKEN) { $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}' } + $write_token = $true $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN } if ($token) { - $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}' + if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) { + $write_token = $false + } + if($write_token) { + $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}' + } } if($composer_auth.length) { Update-AuthJson $composer_auth diff --git a/src/scripts/tools/add_tools.sh b/src/scripts/tools/add_tools.sh index 484f2233..15014f6e 100644 --- a/src/scripts/tools/add_tools.sh +++ b/src/scripts/tools/add_tools.sh @@ -65,6 +65,11 @@ update_auth_json() { printf '%s' "$merged" > "$composer_home/auth.json" } +# Function to check if public GitHub token authentication is possible. +can_access_public_github() { + curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1 +} + # Function to setup authentication in composer. set_composer_auth() { if [ -n "$COMPOSER_AUTH_JSON" ]; then 
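Review bot: When the probe fails, the `github-oauth` entry is skipped without any message, both in `Set-ComposerAuth` here and in the matching `set_composer_auth` change in add_tools.sh. The user then only sees Composer hit unauthenticated rate limits or fail on private repositories later, with nothing pointing back to the token. Emit a warning through the script's existing logging where `$write_token` becomes `$false`, naming the `github-token` input and never the token value. The flag can also be folded into a single condition, `if ($env:GITHUB_SERVER_URL -eq "https://github.com" -or (Test-GitHubPublicAccess $token)) {`, which is equivalent to the two-step form. `Set-ComposerAuth` starts before and continues past this hunk.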
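Review bot: `can_access_public_github` passes the token on curl's command line, where other processes on the runner can read it from the process list while the request is in flight, and the request has no time limit. curl can take the header from stdin instead: `printf 'Authorization: token %s\n' "$1" | curl --fail -s --max-time 10 -H @- 'https://api.github.com/' >/dev/null 2>&1` (reading headers with `-H @file` needs curl 7.55.0 or later). The function's status is still curl's exit code, so callers are unaffected. The timeout matters on enterprise runners where api.github.com may be unreachable.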
@@ -78,8 +83,15 @@ set_composer_auth() {
 if [ -n "$PACKAGIST_TOKEN" ]; then
 composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
 fi
- if [ -n "${COMPOSER_TOKEN:-$GITHUB_TOKEN}" ]; then
- composer_auth+=( '"github-oauth": {"github.com": "'"${COMPOSER_TOKEN:-$GITHUB_TOKEN}"'"}' )
+ token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
+ if [ -n "$token" ]; then
+ write_token=true
+ if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+ can_access_public_github "$token" || write_token=false
+ fi
+ if [ "$write_token" = 'true' ]; then
+ composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+ fi
 fi
 if ((${#composer_auth[@]})); then
 update_auth_json "${composer_auth[@]}"
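Review bot: `token` and `write_token` are assigned without `local`, so unless an earlier part of `set_composer_auth` (outside this hunk) declares them, the credential stays in a global shell variable and is readable by any code that runs later in the same shell. Add `local token write_token` before the first assignment. Separately, `[ "$GITHUB_SERVER_URL" != "https://github.com" ]` is also true when the variable is unset or empty, so a run outside GitHub Actions takes the enterprise path and probes the public API. Comparing `"${GITHUB_SERVER_URL:-https://github.com}"` instead would keep the previous behaviour there; the same comparison appears in the add_tools.ps1 hunk.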