fix: allow --use-version artifact downloads without GitHub token

[osterman]

what

• Allow unauthenticated artifact downloads for public repositories via --use-version flag
• Metadata fetching (PR info, workflow runs, artifact listing) and artifact downloads now work without authentication on public repos per GitHub API docs
• Replace upfront GetGitHubTokenOrError() gate with optional GetGitHubToken() in InstallFromPR() and InstallFromSHA()
• Skip Authorization header when token is unavailable in downloadPRArtifact()
• Add smart HTTP error handling with buildDownloadHTTPError() to distinguish auth failures from rate limiting

why

• Users without GitHub token environment variables couldn't install PR artifacts, even for public repositories
• Rate limit errors (429) were reported generically as "HTTP 429" with no actionable context
• Need to properly surface rate limit information (60/hr for unauthenticated, 5,000/hr for authenticated) to guide users

references

• Fixes the issue where atmos --use-version=2129 fails with "authentication failed" when no GITHUB_TOKEN is set
• GitHub API documentation confirms artifact downloads work without authentication for public repositories

Summary by CodeRabbit

• New Features
  • GitHub authentication is now optional; public repositories can be downloaded without a token.
  • Enhanced error messages for artifact downloads that distinguish authentication failures, rate limits, and other HTTP errors.

[mergify]

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5172d489-5a09-4a27-b476-232dbbee87c6

📥 Commits

Reviewing files that changed from the base of the PR and between 07c2b54 and 15a9c2a.

📒 Files selected for processing (1)

• pkg/toolchain/pr_artifact_test.go

---

📝 Walkthrough

Walkthrough

The changes introduce optional GitHub token authentication for artifact downloads in the Go toolchain. Token retrieval is now non-blocking, allowing public repository flows to proceed without authentication. A new error builder improves HTTP failure diagnostics. Documentation is updated to reflect unauthenticated access capability.

Changes

Cohort / File(s)	Summary
Documentation & API Updates docs/prd/auth-context-multi-identity.md, pkg/github/artifacts.go	AWS SDK reference link updated; GetPRHeadSHA signature expanded with optional token parameter; method documentation clarified to reflect unauthenticated access for public repos.
Token Handling & Error Management pkg/toolchain/pr_artifact.go, pkg/toolchain/sha_artifact.go	Token retrieval changed from required (GetGitHubTokenOrError) to optional (GetGitHubToken), allowing execution without auth. New buildDownloadHTTPError helper provides context-aware HTTP error handling for auth failures and rate limits. Authorization header only set when token present.
Test Coverage pkg/toolchain/pr_artifact_test.go	Comprehensive HTTP-related test suite added: validates buildDownloadHTTPError mapping, successful downloads with/without tokens, authorization header behavior, authentication errors, and rate limit handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• aknysh

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.97% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the core change: enabling artifact downloads without GitHub token authentication for public repositories.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch osterman/public-artifact-fetch

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

examples/locals/components/terraform/myapp/main.tf (1)

36-50: Outputs look fine for demo purposes.

The outputs are straightforward passthrough values. For a mock component in the examples directory, this is adequate. If you want consistency with the variable definitions, you could add description attributes to the outputs, but it's optional for fixture code.

💡 Optional: Add descriptions to outputs for consistency

 output "name" {
+  description = "Application name"
   value = var.name
 }

 output "full_name" {
+  description = "Full application name (computed from locals)"
   value = var.full_name
 }

 output "deploy_target" {
+  description = "Deployment target (computed from conditional locals)"
   value = var.deploy_target
 }

 output "tags" {
+  description = "Resource tags (computed from locals)"
   value = var.tags
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@examples/locals/components/terraform/myapp/main.tf` around lines 36 - 50,
Outputs in main.tf are plain passthroughs and the reviewer suggested optionally
adding descriptions for consistency; update the output blocks for name,
full_name, deploy_target, and tags to include a description attribute (e.g.,
description = "Component name", "Full name of the component", "Deployment
target", "Tags map/list") so each output block (output "name", output
"full_name", output "deploy_target", output "tags") includes a descriptive
string matching the intent of the corresponding variable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@examples/locals/components/terraform/myapp/main.tf`:
- Around line 36-50: Outputs in main.tf are plain passthroughs and the reviewer
suggested optionally adding descriptions for consistency; update the output
blocks for name, full_name, deploy_target, and tags to include a description
attribute (e.g., description = "Component name", "Full name of the component",
"Deployment target", "Tags map/list") so each output block (output "name",
output "full_name", output "deploy_target", output "tags") includes a
descriptive string matching the intent of the corresponding variable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e4b7cc25-304e-46f0-b61b-a425b0d3e8c9

📥 Commits

Reviewing files that changed from the base of the PR and between c9f5f50 and 07c2b54.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (23)

• NOTICE
• docs/fixes/2026-03-15-locals-terraform-state-missing-stack-context.md
• docs/prd/auth-context-multi-identity.md
• examples/locals/README.md
• examples/locals/components/terraform/myapp/main.tf
• examples/locals/stacks/deploy/dev.yaml
• examples/locals/stacks/deploy/prod.yaml
• examples/quick-start-advanced/Dockerfile
• go.mod
• internal/exec/stack_processor_utils.go
• internal/exec/stack_processor_utils_test.go
• internal/terraform_backend/terraform_backend_s3.go
• pkg/ai/analyze/analyze_test.go
• pkg/devcontainer/lifecycle_rebuild_test.go
• pkg/github/artifacts.go
• pkg/toolchain/pr_artifact.go
• pkg/toolchain/sha_artifact.go
• tests/cli_locals_test.go
• tests/fixtures/scenarios/locals-conditional/atmos.yaml
• tests/fixtures/scenarios/locals-conditional/components/terraform/mock/main.tf
• tests/fixtures/scenarios/locals-conditional/stacks/deploy/pr-empty.yaml
• tests/fixtures/scenarios/locals-conditional/stacks/deploy/pr-set.yaml
• website/docs/stacks/locals.mdx

💤 Files with no reviewable changes (1)

• internal/terraform_backend/terraform_backend_s3.go

[osterman]

@copilot this looks like a dirty merge update. It's showing thousands of lines changed, even though it was just a simple change.

[Copilot]

@osterman I've opened a new pull request, #2213, to work on those changes. Once the pull request is ready, I'll request review from you.

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.91%. Comparing base (e0dc13b) to head (e19ba36).

Files with missing lines	Patch %	Lines
pkg/toolchain/pr_artifact.go	94.28%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2212      +/-   ##
==========================================
+ Coverage   76.83%   76.91%   +0.07%     
==========================================
  Files        1001     1001              
  Lines       95361    95383      +22     
==========================================
+ Hits        73274    73363      +89     
+ Misses      17820    17746      -74     
- Partials     4267     4274       +7     

Flag	Coverage Δ
unittests	76.91% <94.44%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
pkg/github/artifacts.go	83.70% <ø> (+7.30%)	⬆️
pkg/toolchain/sha_artifact.go	75.59% <100.00%> (+2.72%)	⬆️
pkg/toolchain/pr_artifact.go	65.47% <94.28%> (+9.70%)	⬆️

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mergify]

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏