Add support for Bearer token in action archive downloads #4321
Merged
TingluoHuang merged 1 commit into main from Mar 31, 2026
Contributor
Pull request overview
Adds opt-in Bearer authentication for action archive downloads when fetching directly from codeload hosts, behind a new feature flag.
Changes:
- Introduces `actions_use_bearer_token_for_codeload` feature flag.
- Updates action archive download auth header creation to use `Bearer <token>` for `codeload.*` URLs when flagged.
- Keeps existing Basic auth behavior as the default fallback.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/Runner.Worker/ActionManager.cs | Adds feature-flagged Bearer auth path for codeload archive downloads while retaining Basic auth. |
| src/Runner.Common/Constants.cs | Declares the new feature flag constant used by the worker. |
97a2540 to 62a8f62
TingluoHuang commented Mar 31, 2026
| Trace.Info("Using Basic token for action archive download."); | ||
| var base64EncodingToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"x-access-token:{token}")); | ||
| HostContext.SecretMasker.AddValue(base64EncodingToken); | ||
| return new AuthenticationHeaderValue("Basic", base64EncodingToken); |
Member
Author
The basic header works fine with codeload URL and api.github.com URL.
TingluoHuang commented Mar 31, 2026
| (parsedUrl.Host.StartsWith("codeload.", StringComparison.OrdinalIgnoreCase) || parsedUrl.PathAndQuery.StartsWith("/_codeload/", StringComparison.OrdinalIgnoreCase))) | ||
| { | ||
| Trace.Info("Using Bearer token for action archive download directly to codeload."); | ||
| return new AuthenticationHeaderValue("Bearer", token); |
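Review bot: The host test on the first visible line, `parsedUrl.Host.StartsWith("codeload.", StringComparison.OrdinalIgnoreCase)`, is a prefix match, so it accepts any hostname whose first label is `codeload`, and the `/_codeload/` path test does not look at the host at all. Unless the part of the condition that is not shown here already restricts the URL to the configured GitHub server, the raw token would be attached as `Bearer` to whatever host the archive link names. Consider comparing the host against the expected codeload host derived from the runner's configured server URL rather than a prefix, and add a test showing that a `codeload.*` host outside that server does not take this branch.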
Member
Author
In case we are talking to codeload directly, pass bearer header.
salmanmkc approved these changes Mar 31, 2026
https://github.com/github/actions-runtime/issues/5461