Check github-token on enterprise

On GitHub enterprise we may get a Personal Access token or a default token generated by GitHub that maybe not have the permissions required to access public GitHub, so we check and add it only if it can authenticate with the public GitHub API
Override GITHUB_TOKEN if COMPOSER_TOKEN is set
2025-08-03 04:04:41 +07:00 · 2025-08-02 12:12:58 +05:30 · 2025-07-30 22:30:05 +05:30
3 changed files with 41 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -465,6 +465,7 @@ Disable coverage for these reasons:
 - Specify the GitHub token to use for authentication.
 - Accepts a `string`.
 - By default, `GITHUB_TOKEN` secret provided by GitHub Actions is used.
+- For GitHub Enterprise users, it is recommended to use a Personal Access Token (PAT).

 ### Outputs

@ -797,8 +798,6 @@ restore-keys: ${{ runner.os }}-composer-${{ matrix.prefer }}-

 By default, setup-php uses the `GITHUB_TOKEN` secret that is generated for each workflow run. In case you want to use a Personal Access Token (PAT) instead, you can set the `github-token` input.

-The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
-
 ```yaml
 - name: Setup PHP
  uses: shivammathur/setup-php@v2
@ -807,6 +806,10 @@ The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecat
    github-token: ${{ secrets.YOUR_PAT_TOKEN }}
 ```

+The `COMPOSER_TOKEN` and `GITHUB_TOKEN` environment variables have been deprecated in favor of the `github-token` input and will be removed in the next major version.
+
+For GitHub Enterprise users, the `github-token` input does not default to the `GITHUB_TOKEN` secret. Therefore, it's recommended to set the `github-token` input to a Personal Access Token (PAT).
+
 ### Private Packagist Authentication

 If you use Private Packagist for your private composer dependencies, you can set the `PACKAGIST_TOKEN` environment variable to authenticate.
--- a/src/scripts/tools/add_tools.ps1
+++ b/src/scripts/tools/add_tools.ps1
@ -61,6 +61,19 @@ Function Update-AuthJson {
  Set-Content -Path $composer_home\auth.json -Value ($existing | ConvertTo-Json -Depth 5)
 }

+function Test-GitHubPublicAccess {
+  param(
+    [Parameter(Mandatory=$true)]
+    [string]$Token
+  )
+  try {
+    Invoke-RestMethod -Uri 'https://api.github.com/' -Headers @{ Authorization = "token $Token" } -ErrorAction Stop | Out-Null
+    return $true
+  } catch {
+    return $false
+  }
+}
+
 # Function to setup authentication in composer.
 Function Set-ComposerAuth() {
  if(Test-Path env:COMPOSER_AUTH_JSON) {
@ -74,11 +87,15 @@ Function Set-ComposerAuth() {
  if(Test-Path env:PACKAGIST_TOKEN) {
    $composer_auth += '"http-basic": {"repo.packagist.com": { "username": "token", "password": "' + $env:PACKAGIST_TOKEN + '"}}'
  }
-  if(-not(Test-Path env:GITHUB_TOKEN) -and (Test-Path env:COMPOSER_TOKEN)) {
-    $env:GITHUB_TOKEN = $env:COMPOSER_TOKEN
-  }
-  if (Test-Path env:GITHUB_TOKEN) {
-    $composer_auth += '"github-oauth": {"github.com": "' + $env:GITHUB_TOKEN + '"}'
+  $write_token = $true
+  $token = if ($env:COMPOSER_TOKEN) { $env:COMPOSER_TOKEN } else { $env:GITHUB_TOKEN }
+  if ($token) {
+    if ($env:GITHUB_SERVER_URL -ne "https://github.com" -and -not(Test-GitHubPublicAccess $token)) {
+      $write_token = $false
+    }
+    if($write_token) {
+      $composer_auth += '"github-oauth": {"github.com": "' + $token + '"}'
+    }
  }
  if($composer_auth.length) {
    Update-AuthJson $composer_auth
--- a/src/scripts/tools/add_tools.sh
+++ b/src/scripts/tools/add_tools.sh
@ -65,6 +65,11 @@ update_auth_json() {
  printf '%s' "$merged" > "$composer_home/auth.json"
 }

+# Function to check if public GitHub token authentication is possible.
+can_access_public_github() {
+  curl --fail -s -H "Authorization: token $1" 'https://api.github.com/' >/dev/null 2>&1
+}
+
 # Function to setup authentication in composer.
 set_composer_auth() {
  if [ -n "$COMPOSER_AUTH_JSON" ]; then
@ -78,8 +83,15 @@ set_composer_auth() {
  if [ -n "$PACKAGIST_TOKEN" ]; then
    composer_auth+=( '"http-basic": {"repo.packagist.com": { "username": "token", "password": "'"$PACKAGIST_TOKEN"'"}}' )
  fi
-  if [ -n "${GITHUB_TOKEN:-$COMPOSER_TOKEN}" ]; then
-    composer_auth+=( '"github-oauth": {"github.com": "'"${GITHUB_TOKEN:-$COMPOSER_TOKEN}"'"}' )
+  token="${COMPOSER_TOKEN:-$GITHUB_TOKEN}"
+  if [ -n "$token" ]; then
+    write_token=true
+    if [ "$GITHUB_SERVER_URL" != "https://github.com" ]; then
+      can_access_public_github "$token" || write_token=false
+    fi
+    if [ "$write_token" = 'true' ]; then
+      composer_auth+=( '"github-oauth": {"github.com": "'"$token"'"}' )
+    fi
  fi
  if ((${#composer_auth[@]})); then
    update_auth_json "${composer_auth[@]}"