fix: public github release downloads should not be authenticated

yeikel · yeikel · commit 4dd505533e69 · 2026-02-04T09:20:02.000-05:00
diff --git a/internal/handlers/git_server.go b/internal/handlers/git_server.go
@@ -327,6 +327,12 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 	hostCreds := credentials.get(host)
 	credsForRequest := hostCreds.getCredentialsForRepo(allReposScopeIdentifier)
 
+	// GitHub release download URLs are public
+	// and do not require authentication
+	if len(credsForRequest) != 0 && isGitHubReleaseDownload(r.URL.Path) {
+		return nil
+	}
+
 	// Append any repo-scoped credentials
 	if org, repo, ok := extractor(r.URL.Path); ok {
 		nwo := fmt.Sprintf("%s/%s", org, repo)
@@ -343,6 +349,10 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 	return credsForRequest
 }
 
+func isGitHubReleaseDownload(path string) bool {
+	return strings.Contains(path, "/releases/download/")
+}
+
 // HandleResponse handles retrying failed auth responses with alternate credentials
 // when there are multiple tokens configured for the git server.
 //
diff --git a/internal/handlers/git_server_test.go b/internal/handlers/git_server_test.go
@@ -124,6 +124,21 @@ func TestGitServerHandler(t *testing.T) {
 		"valid github request")
 }
 
+func TestGitServerPublicReleaseDownload(t *testing.T) {
+	installationCred := testGitSourceCred("github.com", "x-access-token", "v1.token")
+	gheCred := testGitSourceCred("ghe.some-corp.com", "x-access-token", "corp")
+
+	credentials := config.Credentials{
+		installationCred,
+		gheCred,
+	}
+	handler := NewGitServerHandler(credentials, nil)
+
+	req := httptest.NewRequest("HEAD", "https://github.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+	req, _ = handler.HandleRequest(req, nil)
+	assertUnauthenticated(t, req, "Public release download URL should not be authenticated")
+}
+
 func TestGitServerHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 	installationToken1 := "v1.token1"
 	privateRepo1Cred := testGitSourceCred("github.com", "x-access-token", installationToken1, withAccessibleRepos([]string{"github/private-repo-1"}))
