Add fallback for unauthenticated REST API access

Copilot · pelikhan · Copilot · commit dc8141bd448b · 2025-11-15T23:44:48.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/parser/remote_fetch.go b/pkg/parser/remote_fetch.go
@@ -1,6 +1,7 @@
 package parser
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 	"os/exec"
@@ -197,7 +198,9 @@ func resolveRefToSHA(owner, repo, ref string) (string, error) {
 	if err != nil {
 		outputStr := string(output)
 		if strings.Contains(outputStr, "GH_TOKEN") || strings.Contains(outputStr, "authentication") || strings.Contains(outputStr, "not logged into") {
-			return "", fmt.Errorf("failed to resolve ref to SHA: GitHub authentication required. Please run 'gh auth login' or set GH_TOKEN/GITHUB_TOKEN environment variable: %w", err)
+			// Try fallback without authentication
+			remoteLog.Printf("gh CLI authentication failed, trying unauthenticated REST API fallback")
+			return resolveRefToSHAUnauthenticated(owner, repo, ref)
 		}
 		return "", fmt.Errorf("failed to resolve ref %s to SHA for %s/%s: %s: %w", ref, owner, repo, strings.TrimSpace(outputStr), err)
 	}
@@ -236,7 +239,9 @@ func downloadFileFromGitHub(owner, repo, path, ref string) ([]byte, error) {
 		// Check if this is an authentication error
 		stderrStr := stderr.String()
 		if strings.Contains(stderrStr, "GH_TOKEN") || strings.Contains(stderrStr, "authentication") || strings.Contains(stderrStr, "not logged into") {
-			return nil, fmt.Errorf("failed to fetch file content: GitHub authentication required. Please run 'gh auth login' or set GH_TOKEN/GITHUB_TOKEN environment variable: %w", err)
+			// Try fallback without authentication
+			remoteLog.Printf("gh CLI authentication failed, trying unauthenticated REST API fallback")
+			return downloadFileFromGitHubUnauthenticated(owner, repo, path, ref)
 		}
 		return nil, fmt.Errorf("failed to fetch file content from %s/%s/%s@%s: %s: %w", owner, repo, path, ref, strings.TrimSpace(stderrStr), err)
 	}
@@ -256,3 +261,109 @@ func downloadFileFromGitHub(owner, repo, path, ref string) ([]byte, error) {
 
 	return content, nil
 }
+
+// resolveRefToSHAUnauthenticated resolves a git ref to SHA using unauthenticated REST API
+// This is a fallback for when gh CLI authentication is not available
+func resolveRefToSHAUnauthenticated(owner, repo, ref string) (string, error) {
+	remoteLog.Printf("Attempting to resolve ref %s to SHA for %s/%s using unauthenticated API", ref, owner, repo)
+	
+	// Use curl to make unauthenticated request
+	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/commits/%s", owner, repo, ref)
+	cmd := exec.Command("curl", "-s", "-H", "Accept: application/vnd.github.v3+json", url)
+	
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve ref using unauthenticated API: %w", err)
+	}
+	
+	// Parse JSON response
+	var response struct {
+		SHA     string `json:"sha"`
+		Message string `json:"message"`
+	}
+	
+	if err := json.Unmarshal(output, &response); err != nil {
+		return "", fmt.Errorf("failed to parse JSON response: %w", err)
+	}
+	
+	// Check for error message in response
+	if response.Message != "" {
+		if strings.Contains(response.Message, "Not Found") {
+			return "", fmt.Errorf("ref %s not found in %s/%s", ref, owner, repo)
+		}
+		if strings.Contains(response.Message, "rate limit") {
+			return "", fmt.Errorf("GitHub API rate limit exceeded")
+		}
+		return "", fmt.Errorf("GitHub API error: %s", response.Message)
+	}
+	
+	// Validate it's a valid SHA (40 hex characters)
+	if len(response.SHA) != 40 || !isHexString(response.SHA) {
+		return "", fmt.Errorf("invalid SHA format returned: %s", response.SHA)
+	}
+	
+	remoteLog.Printf("Successfully resolved ref %s to SHA %s using unauthenticated API", ref, response.SHA)
+	return response.SHA, nil
+}
+
+// downloadFileFromGitHubUnauthenticated downloads a file using unauthenticated REST API
+// This is a fallback for when gh CLI authentication is not available
+func downloadFileFromGitHubUnauthenticated(owner, repo, path, ref string) ([]byte, error) {
+	remoteLog.Printf("Attempting to download %s/%s/%s@%s using unauthenticated API", owner, repo, path, ref)
+	
+	// Use curl to make unauthenticated request
+	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/contents/%s?ref=%s", owner, repo, path, ref)
+	cmd := exec.Command("curl", "-s", "-H", "Accept: application/vnd.github.v3+json", url)
+	
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch file using unauthenticated API: %w", err)
+	}
+	
+	// Parse JSON response
+	var response struct {
+		Content  string `json:"content"`
+		Encoding string `json:"encoding"`
+		Message  string `json:"message"`
+	}
+	
+	if err := json.Unmarshal(output, &response); err != nil {
+		return nil, fmt.Errorf("failed to parse JSON response: %w", err)
+	}
+	
+	// Check for error message in response
+	if response.Message != "" {
+		if strings.Contains(response.Message, "Not Found") {
+			return nil, fmt.Errorf("file %s not found in %s/%s@%s", path, owner, repo, ref)
+		}
+		if strings.Contains(response.Message, "rate limit") {
+			return nil, fmt.Errorf("GitHub API rate limit exceeded")
+		}
+		return nil, fmt.Errorf("GitHub API error: %s", response.Message)
+	}
+	
+	// Verify encoding
+	if response.Encoding != "base64" {
+		return nil, fmt.Errorf("unexpected encoding: %s (expected base64)", response.Encoding)
+	}
+	
+	// Remove newlines and whitespace from base64 content
+	contentBase64 := strings.ReplaceAll(response.Content, "\n", "")
+	contentBase64 = strings.ReplaceAll(contentBase64, " ", "")
+	contentBase64 = strings.TrimSpace(contentBase64)
+	
+	if contentBase64 == "" {
+		return nil, fmt.Errorf("empty content returned from GitHub API")
+	}
+	
+	// Decode base64 content
+	decodeCmd := exec.Command("base64", "-d")
+	decodeCmd.Stdin = strings.NewReader(contentBase64)
+	content, err := decodeCmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64 content: %w", err)
+	}
+	
+	remoteLog.Printf("Successfully downloaded %s/%s/%s@%s using unauthenticated API (%d bytes)", owner, repo, path, ref, len(content))
+	return content, nil
+}
diff --git a/pkg/parser/remote_fetch_test.go b/pkg/parser/remote_fetch_test.go
@@ -0,0 +1,72 @@
+package parser
+
+import (
+	"encoding/json"
+	"testing"
+)
+
+func TestJSONParsing(t *testing.T) {
+	// Test SHA resolution JSON parsing
+	t.Run("parse SHA from commit response", func(t *testing.T) {
+		response := `{"sha":"1e366aa4518cf83d25defd84e454b9a41e87cf7c","node_id":"C_kwDOKr1234","commit":{"message":"test"}}`
+		
+		var parsed struct {
+			SHA     string `json:"sha"`
+			Message string `json:"message"`
+		}
+		
+		if err := json.Unmarshal([]byte(response), &parsed); err != nil {
+			t.Fatalf("Failed to parse JSON: %v", err)
+		}
+		
+		if parsed.SHA != "1e366aa4518cf83d25defd84e454b9a41e87cf7c" {
+			t.Errorf("Expected SHA 1e366aa4518cf83d25defd84e454b9a41e87cf7c, got %s", parsed.SHA)
+		}
+	})
+	
+	// Test file content JSON parsing
+	t.Run("parse content from file response", func(t *testing.T) {
+		response := `{"content":"IyBUZXN0IGNvbnRlbnQ=\n","encoding":"base64","name":"test.md"}`
+		
+		var parsed struct {
+			Content  string `json:"content"`
+			Encoding string `json:"encoding"`
+			Message  string `json:"message"`
+		}
+		
+		if err := json.Unmarshal([]byte(response), &parsed); err != nil {
+			t.Fatalf("Failed to parse JSON: %v", err)
+		}
+		
+		if parsed.Encoding != "base64" {
+			t.Errorf("Expected encoding base64, got %s", parsed.Encoding)
+		}
+		
+		if parsed.Content == "" {
+			t.Error("Expected non-empty content")
+		}
+	})
+	
+	// Test error response parsing
+	t.Run("parse error response", func(t *testing.T) {
+		response := `{"message":"Not Found","documentation_url":"https://docs.github.com/rest"}`
+		
+		var parsed struct {
+			SHA     string `json:"sha"`
+			Message string `json:"message"`
+		}
+		
+		if err := json.Unmarshal([]byte(response), &parsed); err != nil {
+			t.Fatalf("Failed to parse JSON: %v", err)
+		}
+		
+		if parsed.Message != "Not Found" {
+			t.Errorf("Expected message 'Not Found', got %s", parsed.Message)
+		}
+		
+		if parsed.SHA != "" {
+			t.Errorf("Expected empty SHA for error response, got %s", parsed.SHA)
+		}
+	})
+}
+
diff --git a/pkg/workflow/data/action_pins.json b/pkg/workflow/data/action_pins.json
@@ -1,104 +1,4 @@
 {
   "entries": {
-    "actions/ai-inference@v1": {
-      "repo": "actions/ai-inference",
-      "version": "v1",
-      "sha": "b81b2afb8390ee6839b494a404766bef6493c7d9"
-    },
-    "actions/cache@v4": {
-      "repo": "actions/cache",
-      "version": "v4",
-      "sha": "0057852bfaa89a56745cba8c7296529d2fc39830"
-    },
-    "actions/checkout@v5": {
-      "repo": "actions/checkout",
-      "version": "v5",
-      "sha": "08c6903cd8c0fde910a37f88322edcfb5dd907a8"
-    },
-    "actions/download-artifact@v6": {
-      "repo": "actions/download-artifact",
-      "version": "v6",
-      "sha": "018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"
-    },
-    "actions/github-script@v8": {
-      "repo": "actions/github-script",
-      "version": "v8",
-      "sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
-    },
-    "actions/setup-dotnet@v4": {
-      "repo": "actions/setup-dotnet",
-      "version": "v4",
-      "sha": "67a3573c9a986a3f9c594539f4ab511d57bb3ce9"
-    },
-    "actions/setup-go@v5": {
-      "repo": "actions/setup-go",
-      "version": "v5",
-      "sha": "d35c59abb061a4a6fb18e82ac0862c26744d6ab5"
-    },
-    "actions/setup-java@v4": {
-      "repo": "actions/setup-java",
-      "version": "v4",
-      "sha": "c5195efecf7bdfc987ee8bae7a71cb8b11521c00"
-    },
-    "actions/setup-node@v6": {
-      "repo": "actions/setup-node",
-      "version": "v6",
-      "sha": "2028fbc5c25fe9cf00d9f06a71cc4710d4507903"
-    },
-    "actions/setup-python@v5": {
-      "repo": "actions/setup-python",
-      "version": "v5",
-      "sha": "a26af69be951a213d495a4c3e4e4022e16d87065"
-    },
-    "actions/upload-artifact@v4": {
-      "repo": "actions/upload-artifact",
-      "version": "v4",
-      "sha": "ea165f8d65b6e75b540449e92b4886f43607fa02"
-    },
-    "actions/upload-artifact@v5": {
-      "repo": "actions/upload-artifact",
-      "version": "v5",
-      "sha": "330a01c490aca151604b8cf639adc76d48f6c5d4"
-    },
-    "astral-sh/setup-uv@v5": {
-      "repo": "astral-sh/setup-uv",
-      "version": "v5",
-      "sha": "e58605a9b6da7c637471fab8847a5e5a6b8df081"
-    },
-    "denoland/setup-deno@v2": {
-      "repo": "denoland/setup-deno",
-      "version": "v2",
-      "sha": "e95548e56dfa95d4e1a28d6f422fafe75c4c26fb"
-    },
-    "erlef/setup-beam@v1": {
-      "repo": "erlef/setup-beam",
-      "version": "v1",
-      "sha": "3559ac3b631a9560f28817e8e7fdde1638664336"
-    },
-    "github/codeql-action/upload-sarif@v3": {
-      "repo": "github/codeql-action/upload-sarif",
-      "version": "v3",
-      "sha": "fb2a9d4376843ba94460a73c39ca9a98b33a12ac"
-    },
-    "haskell-actions/setup@v2": {
-      "repo": "haskell-actions/setup",
-      "version": "v2",
-      "sha": "d5d0f498b388e1a0eab1cd150202f664c5738e35"
-    },
-    "oven-sh/setup-bun@v2": {
-      "repo": "oven-sh/setup-bun",
-      "version": "v2",
-      "sha": "735343b667d3e6f658f44d0eca948eb6282f2b76"
-    },
-    "ruby/setup-ruby@v1": {
-      "repo": "ruby/setup-ruby",
-      "version": "v1",
-      "sha": "e5517072e87f198d9533967ae13d97c11b604005"
-    },
-    "super-linter/super-linter@v8.2.1": {
-      "repo": "super-linter/super-linter",
-      "version": "v8.2.1",
-      "sha": "2bdd90ed3262e023ac84bf8fe35dc480721fc1f2"
-    }
   }
 }
