
Conversation

@z-Fng
Member

@z-Fng z-Fng commented Oct 31, 2025

Motivation and Context

When retrieving the hash from the GitHub API, the token was not included in the request header.

Changes

  • fix(autoupdate): Ensure GitHub API requests use token.
  • refactor(autoupdate): .

Related Issues/PRs:

How Has This Been Tested?

Checklist:

  • I have read the Contributing Guide.
  • I have ensured that I am targeting the develop branch.
  • I have updated the documentation accordingly.
  • I have updated the tests accordingly.
  • I have added an entry in the CHANGELOG.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed missing API token in GitHub mode request headers, enabling proper authentication for GitHub-based autoupdate requests.

@coderabbitai

coderabbitai bot commented Oct 31, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Added GitHub API token authentication to the autoupdate mechanism. When extracting JSON hashes from GitHub's API, the code now conditionally attaches an Authorization header with the token and sets the appropriate API version header for authenticated requests.

Changes

Cohort / File(s) | Summary
GitHub API Authentication: CHANGELOG.md, lib/autoupdate.ps1 | Added conditional logic in find_hash_in_json to include an Authorization header with the GitHub token and an X-GitHub-Api-Version header when requesting from api.github.com. Updated the changelog with a bug-fix entry documenting the missing API token header addition.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Straightforward conditional header attachment with minimal new logic
  • Changes are focused and directly related to a single feature
  • Changelog update is documentation-only
  • Consider verifying: token availability check logic, header formatting correctness, and GitHub API version compatibility

Poem

🐰 A token now travels with every request,
Through GitHub's API gates, authenticated best,
Headers aligned, credentials in place,
Autoupdate hops forth at a swifter pace! 🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The pull request title 'fix(autoupdate): Ensure GitHub API requests use token' is closely related to the main objective of the changeset, which is to add the missing API token to GitHub API request headers in autoupdate functionality. The title clearly communicates the core fix but is slightly less specific than the commit message or PR description. However, it accurately represents the primary change and would be understood by teammates reviewing the history.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52a035b and 4531320.

📒 Files selected for processing (2)
  • CHANGELOG.md (1 hunks)
  • lib/autoupdate.ps1 (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-31T01:48:00.222Z
Learnt from: z-Fng
Repo: ScoopInstaller/Scoop PR: 6471
File: CHANGELOG.md:9-9
Timestamp: 2025-08-31T01:48:00.222Z
Learning: The Scoop project's CHANGELOG.md follows a convention of tracking PR numbers only, not issue numbers, according to the maintainer z-Fng.

Applied to files:

  • CHANGELOG.md
🔇 Additional comments (1)
CHANGELOG.md (1)

14-14: LGTM! Changelog entry is correct.

The entry properly documents the bug fix with the correct PR reference and follows the project's convention of tracking PR numbers only.

Comment on lines 121 to 125

if (($url -like '*api.github.com/*') -and (Get-GitHubToken)) {
    $wc.Headers.Add('Authorization', "Bearer $(Get-GitHubToken)")
    $wc.Headers.Add('X-GitHub-Api-Version', "2022-11-28")
}

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Good fix, but strengthen the URL pattern matching for security.

The authentication logic correctly addresses the missing API token issue. However, the wildcard pattern *api.github.com/* could match unintended domains like badapi.github.com or api.github.com.evil.com, potentially leaking the token.

Apply this diff to use a more secure pattern:

-        if (($url -like '*api.github.com/*') -and (Get-GitHubToken)) {
+        if (($url -match '^https?://api\.github\.com/') -and (Get-GitHubToken)) {
             $wc.Headers.Add('Authorization', "Bearer $(Get-GitHubToken)")
             $wc.Headers.Add('X-GitHub-Api-Version', "2022-11-28")
         }
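Review bot: the proposed regex still accepts plain http:// through the `https?` alternation, so a manifest pointing at `http://api.github.com/` would send the bearer token in cleartext; anchoring on `^https://api\.github\.com/` closes that. The hunk also calls Get-GitHubToken twice (once in the condition, once inside the header string); capture it once in a variable and reuse it so the two calls cannot disagree.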

Please verify that Get-GitHubToken is available in the codebase:


🏁 Script executed:

#!/bin/bash
# Search for the Get-GitHubToken function definition
rg -n "function Get-GitHubToken" --type ps1

# Also check for any aliases or alternate definitions
rg -n "Get-GitHubToken" --type ps1 -C 2

Length of output: 55


🏁 Script executed:

#!/bin/bash
# Search for Get-GitHubToken in all PowerShell files without type constraint
fd -e ps1 -x rg -l "Get-GitHubToken" {}

# Get context around the function definition
fd -e ps1 -x rg -n "Get-GitHubToken|function Get-GitHubToken" -C 3 {}

Length of output: 1890


Strengthen the URL pattern matching for security—Get-GitHubToken is properly defined.

The authentication logic is sound, and Get-GitHubToken exists at line 580. However, the wildcard pattern *api.github.com/* is overly broad and could match unintended domains like badapi.github.com or api.github.com.evil.com. This is inconsistent with the more restrictive regex patterns used elsewhere in lib/download.ps1 (e.g., line 97: api\.github\.com/repos).

Apply this diff:

-        if (($url -like '*api.github.com/*') -and (Get-GitHubToken)) {
+        if (($url -match '^https?://api\.github\.com/') -and (Get-GitHubToken)) {
             $wc.Headers.Add('Authorization', "Bearer $(Get-GitHubToken)")
             $wc.Headers.Add('X-GitHub-Api-Version', "2022-11-28")
         }
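Review bot: the regex is an improvement over the wildcard, which tests the whole URL string and therefore also fires when `api.github.com/` merely appears in the path of some other host, but a host comparison is more robust than either pattern: `([uri]$url).Host -eq 'api.github.com'` is unaffected by an explicit port or by casing and is exactly what the AI-agent prompt in this same comment recommends; the committable diff should suggest the same check rather than a looser regex.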
🤖 Prompt for AI Agents
In lib/autoupdate.ps1 around lines 121 to 125, the URL wildcard
'*api.github.com/*' is too permissive and can match malicious hosts (e.g.
badapi.github.com); replace the simple wildcard test with a robust host check:
parse the URL into a [uri] and verify $uri.Host -eq 'api.github.com' (or
optionally match a strict regex like '^api\.github\.com$'), then only add the
Authorization and X-GitHub-Api-Version headers when that host check passes and
Get-GitHubToken returns a token.
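To make the difference between the three checks discussed above concrete, here is an added PowerShell example (not Scoop's code) that runs the original wildcard, the suggested regex and a [uri] host comparison over a few constructed URLs; Test-GitHubApiUrl, Add-GitHubAuthHeader and the URLs are assumptions for illustration.

```powershell
# Added example (not part of Scoop): three ways of deciding whether a GitHub
# token may be attached to a request, compared over constructed URLs.

function Test-GitHubApiUrl {
    param([string]$Url)
    $uri = $null
    # Only absolute https:// URLs whose host is exactly api.github.com qualify.
    if (-not [uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    return ($uri.Scheme -eq 'https') -and ($uri.Host -eq 'api.github.com')
}

function Add-GitHubAuthHeader {
    param(
        [System.Net.WebClient]$Client,
        [string]$Url,
        [string]$Token   # hypothetical caller-supplied token, read once
    )
    if ($Token -and (Test-GitHubApiUrl $Url)) {
        # Token evaluated a single time and sent only to the real API host.
        $Client.Headers.Add('Authorization', "Bearer $Token")
        $Client.Headers.Add('X-GitHub-Api-Version', '2022-11-28')
    }
}

# Constructed URLs: the first is legitimate, the rest probe the weak spots.
$urls = @(
    'https://api.github.com/repos/ScoopInstaller/Scoop/releases/latest',
    'https://badapi.github.com/repos/x/y',     # host suffix lookalike
    'http://api.github.com/repos/x/y',         # cleartext scheme
    'https://evil.example/api.github.com/'     # pattern appears in the path
)
foreach ($u in $urls) {
    [pscustomobject]@{
        Url      = $u
        Wildcard = $u -like '*api.github.com/*'
        Regex    = $u -match '^https?://api\.github\.com/'
        HostOnly = Test-GitHubApiUrl $u
    }
}

# Attaching the header with a constructed placeholder token:
$wc = New-Object System.Net.WebClient
Add-GitHubAuthHeader -Client $wc -Url $urls[0] -Token 'PLACEHOLDER_TOKEN'
$wc.Headers['Authorization']
```

Only the first URL is accepted by all three checks; the Wildcard column is True for every row, and the Regex column still accepts the http:// row.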

@z-Fng z-Fng marked this pull request as draft October 31, 2025 23:52
@z-Fng z-Fng changed the title fix(autoupdate): Add missing API token to request header in GitHub mode fix(autoupdate): Ensure GitHub API requests use token Nov 3, 2025