Check github-token on enterprise

On GitHub enterprise we may get a Personal Access token or a default token generated by GitHub that maybe not have the permissions required to access public GitHub, so we check and add it only if it can authenticate with the public GitHub API

README.md

@@ -465,6 +465,7 @@ Disable coverage for these reasons:
 - Specify the GitHub token to use for authentication.
 - Accepts a `string`.
 - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used.
+- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT).
 
 ### Outputs
 
@@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}-
 
 By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input.
 
-The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
-
 ```yaml
 - name: Setup PHP
   uses: shivammathur/setup-php@v2
@@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat
     github-token: ${{ secrets.YOUR_PAT_TOKEN }}
 ```
 
+The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
+
+For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT).
+
 ### Private Packagist Authentication
 
 If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate.

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "setup-php",
-  "version": "2.35.1",
+  "version": "2.35.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "setup-php",
-      "version": "2.35.1",
+      "version": "2.35.2",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.11.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "setup-php",
-  "version": "2.35.1",
+  "version": "2.35.2",
   "private": false,
   "description": "Setup PHP for use with GitHub Actions",
   "main": "lib/install.js",

src/scripts/tools/add_tools.ps1

@@ -28,8 +28,8 @@ Function Edit-ComposerConfig() {
   Set-ComposerAuth
 }
 
-# Function to merge auth.json fragments.
-Function Get-MergedAuthJson {
+# Function to update auth.json.
+Function Update-AuthJson {
   [CmdletBinding()]
   param(
     [Parameter(Mandatory)][string[]] $ComposerAuth
@@ -58,7 +58,20 @@ Function Get-MergedAuthJson {
       }
     }
   }
-  return $existing | ConvertTo-Json -Depth 5
+  Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5)
+}
+
+function Test-GitHubPublicAccess {
+  param(
+    [Parameter(Mandatory=$true)]
+    [string]$Token
+  )
+  try {
+    Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null
+    return $true
+  } catch {
+    return $false
+  }
 }
 
 # Function to setup authentication in composer.
@@ -74,14 +87,18 @@ Function Set-ComposerAuth() {
   if(Test-Path env:PACKAGIST_TOKEN) {
     $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}'
   }
-  if(-not(Test-Path env:GITHUB_TOKEN) -and (Test-Path env:COMPOSER_TOKEN)) {
-    $env:GITHUB_TOKEN = $env:COMPOSER_TOKEN
-  }
-  if (Test-Path env:GITHUB_TOKEN) {
-    $composer_auth += '"github-oauth": {"github.com": "' + $env:GITHUB_TOKEN + '"}'
+  $write_token = $true
+  $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
+  if ($token) {
+    if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) {
+      $write_token = $false
+    }
+    if($write_token) {
+      $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}'
+    }
   }
   if($composer_auth.length) {
-    Set-Content -Path $composer_home\auth.json -Value (Get-MergedAuthJson $composer_auth)
+    Update-AuthJson $composer_auth
   }
 }
 

src/scripts/tools/add_tools.sh

@@ -47,7 +47,7 @@ configure_composer() {
 }
 
 # Function to merge auth.json fragments.
-get_merged_auth_json() {
+update_auth_json() {
   local auth_file="$composer_home/auth.json"
   local merged
   [[ -f "$auth_file" ]] && merged=$(<"$auth_file") || merged='{}'
@@ -62,7 +62,12 @@ get_merged_auth_json() {
       end
     ')
   done
-  printf '%s' "$merged"
+  printf '%s' "$merged" > "$composer_home/auth.json"
+}
+
+# Function to check if public GitHub token authentication is possible.
+can_access_public_github() {
+  curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1
 }
 
 # Function to setup authentication in composer.
@@ -78,11 +83,18 @@ set_composer_auth() {
   if [ -n "$PACKAGIST_TOKEN" ]; then
     composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
   fi
-  if [ -n "${GITHUB_TOKEN:-$COMPOSER_TOKEN}" ]; then
-    composer_auth+=( '"github-oauth": {"github.com": "'"${GITHUB_TOKEN:-$COMPOSER_TOKEN}"'"}' )
+  token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
+  if [ -n "$token" ]; then
+    write_token=true
+    if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+      can_access_public_github "$token" || write_token=false
+    fi
+    if [ "$write_token" = 'true' ]; then
+      composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+    fi
   fi
   if ((${#composer_auth[@]})); then
-    get_merged_auth_json "${composer_auth[@]}" | tee "$composer_home/auth.json" >/dev/null
+    update_auth_json "${composer_auth[@]}"
   fi
 }