feat(docker): Allow authenticated calls to GitHub API (#947)

Accept build arg `GITHUB_TOKEN` to authenticate calls made to
GitHub API in `common::install_from_gh_release` function.

Author: wI2L

Dockerfile

@@ -65,6 +65,8 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
         echo "TRIVY_VERSION=latest"          >> /.env \
     ; fi
 
+ARG GITHUB_TOKEN=${GITHUB_TOKEN:-""}
+
 # Docker `RUN`s shouldn't be consolidated here
 # hadolint global ignore=DL3059
 RUN /install/opentofu.sh

README.md

@@ -136,6 +136,12 @@ docker build -t pre-commit-terraform \
 
 Set `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.
 
+> **NOTE**
+> The build install scripts are calling the GitHub API to resolve the release URL. If you need to authenticate those calls, you can pass a GitHub token (the `GITHUB_TOKEN` environment variable is expected to be set with an [access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)):
+> ```bash
+> docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN .
+> ```
+
 </details>
 
 

tools/install/_common.sh

@@ -60,11 +60,16 @@ function common::install_from_gh_release {
 
   # Download tool
   local -r RELEASES="https://api.github.com/repos/${GH_ORG}/${TOOL}/releases"
+  local CURL_OPTS=()
+
+  [[ $GITHUB_TOKEN ]] && CURL_OPTS+=('-H' "Authorization: Bearer $GITHUB_TOKEN")
+
+  local -r CURL_CMD=("curl" "${CURL_OPTS[@]}")
 
   if [[ $VERSION == latest ]]; then
-    curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
   else
-    curl -L "$(curl -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
   fi
 
   # Make tool ready to use