Support GITHUB_TOKEN for HTTP Requests to github.com

[Listener430]

what

After the internal discussion and descoping of this PR there 2 parts left:

1. the support of the github token for the version command. The code checks if the token is set (e.g. via an env var) and if it is, the requests are done using the token. In case no token is provided, the requests to github are made without it.

2. for github links to folders and in case the ATMOS_GITHUB_TOKEN or GITHUB_TOKEN variable is set, the files are downloaded with go-getter (v1) that uses the token. The token is put into the url under the hood, so for the end user/custmer the interaction/syntax remains the same. I.e. the following commands specified in the vendor.yaml pull out the files from github using the token (not subject to anonymous users rate limits)

NB. github.com/analitikasi/Coonector.git - is a private repo

- component: "weather"
source: "github.com/analitikasi/Coonector.git//quick-start-simple/components/terraform/{{ .Component }}?ref={{.Version}}"
version: "main"
targets:
- "components/terraform/{{ .Component }}/{{.Version}}"
tags:
- demo

why

Bypass github ratelimits for non-auth requests (use a token instead)

references

• DEV-2778 (1 part out of 4 initially requested + 1 extra feature for repo cloning using the token)
• Supersedes Support GITHUB_TOKEN for HTTP Requests to github.com #871

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Enhanced GitHub client authentication by supporting optional token-based authentication.
  • Added custom GitHub URL detection and transformation for improved package downloading.
  • Introduced a new configuration option for GitHub token injection in the Atmos CLI.
  • Added a new environment variable ATMOS_GITHUB_TOKEN for Bearer token usage in GitHub API requests.

• Improvements

  • Introduced more flexible GitHub client creation process.
  • Added custom detection mechanisms for package downloads.
  • Improved URL handling for GitHub-based resources.
  • Established a default configuration setting for GitHub token injection.

• Documentation

  • Updated documentation to include the new inject_github_token configuration option in atmos.yaml.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces enhancements to GitHub-related utility functions across multiple files, focusing on improving GitHub token authentication and detection mechanisms. The changes primarily revolve around creating a more flexible GitHub client that can handle authenticated and unauthenticated requests and implementing custom URL detection for GitHub repositories. The modifications aim to provide better support for GitHub token usage in various operations like vendoring, version checking, and remote configuration fetching.

Changes

File	Change Summary
pkg/utils/github_utils.go	Added newGitHubClient function to create authenticated/unauthenticated GitHub clients based on GITHUB_TOKEN. Modified GetLatestGitHubRepoRelease to use this new function.
internal/exec/validate_stacks.go	Updated downloadSchemaFromURL function to accept schema.AtmosConfiguration instead of a string.
internal/exec/vendor_model.go	Modified downloadAndInstall function to call RegisterCustomDetectors() if InjectGithubToken is enabled.
internal/exec/vendor_model_component.go	Added RegisterCustomDetectors() call in installComponent and installMixin functions based on InjectGithubToken flag.
internal/exec/vendor_utils.go	Introduced CustomGitHubDetector, added git::https scheme, and created RegisterCustomDetectors() function.
pkg/config/config.go	Added default configuration setting for inject_github_token in InitCliConfig function.
pkg/schema/schema.go	Introduced InjectGithubToken field in AtmosSettings struct.
website/docs/cli/configuration/configuration.mdx	Added inject_github_token configuration option in atmos.yaml documentation.

Assessment against linked issues

Objective	Addressed	Explanation
Support GITHUB_TOKEN for GitHub requests	✅
Enable fetching private configurations	✅
Avoid GitHub API rate limits	✅

Possibly related PRs

• Clean Terraform workspace before executing terraform init in the atmos.Component template function #775: The changes in this PR involve modifying the componentFunc to include a cleanup step for the Terraform workspace, which may relate to the handling of GitHub client authentication in the main PR by ensuring a clean state before operations.
• add support for disabling custom terraform shell prompt #786: This PR introduces a new configuration option for disabling custom Terraform shell prompts, which may indirectly relate to the changes in handling GitHub client authentication by improving user experience in command execution.
• Added Support for Automatic Templated File Search for Atmos Imports #795: The automatic detection of templated files during imports could relate to the main PR's focus on enhancing the flexibility of client creation, as both involve improving the handling of configurations and commands.

Suggested reviewers

• aknysh
• Gowiem

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0910ba and 9be2650.

📒 Files selected for processing (2)

• internal/exec/validate_stacks.go (3 hunks)
• pkg/schema/schema.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/schema/schema.go
• internal/exec/validate_stacks.go

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary or @auto-summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @auto-title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/utils/github_utils.go (2)

15-19: Consider logging when no token is found.
A small warning could clarify that requests will proceed unauthenticated. Mind potential security trade-offs in logging tokens if not handled carefully.

---

20-27: Potential opportunity for reusability.
If this function is called frequently under the same context, consider caching the client to avoid overhead from creating multiple clients.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52a3442 and 0c63e6d.

📒 Files selected for processing (1)

• pkg/utils/github_utils.go (1 hunks)

🔇 Additional comments (5)

pkg/utils/github_utils.go (5)

5-5: Import looks good.
No issues with using the "os" package here.

---

9-9: Dependency import is appropriate.
No issues with "golang.org/x/oauth2" for handling token-based authentication.

---

12-13: Clear documentation.
Your docstring effectively communicates the purpose of the function.

---

14-14: Function signature is well-defined.
The context parameter promotes flexible usage of cancellation and timeouts.

---

36-36: Nice integration.
Replacing direct client creation with newGitHubClient aligns well with the new pattern, enhancing consistency.

[osterman]

The most common use-case for fetching from GitHub is with vendoring.

Anywhere we use go-getter to fetch something from GitHub, we should check if there's a GITHUB_TOKEN set and if so, use it.

e.g. Use this to conditionally add a header (e.g. Authorization: Bearer ${GITHUB_TOKEN})

https://github.com/hashicorp/go-getter/blob/842d6c379e5e70d23905b8f6b5a25a80290acb66/get_http_test.go#L805

[mergify]

💥 This pull request now has conflicts. Could you fix it @Listener430? 🙏

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

internal/exec/vendor_model.go (2)

239-251: Relocate roundTripperWithHeader to a shared package

To reuse the custom round tripper across the codebase, consider moving roundTripperWithHeader to a common utility package.

---

293-306: Extend GitHub host detection for custom domains

The current host check only matches github.com. To support GitHub Enterprise domains, consider using a more flexible condition.

Update the condition:

-	if githubToken != "" && strings.EqualFold(srcURL.Host, "github.com") {
+	if githubToken != "" && strings.Contains(srcURL.Host, "github.") {

internal/exec/validate_stacks.go (1)

382-390: Use GITHUB_TOKEN for schema downloads

Include the GITHUB_TOKEN when downloading the schema to handle authentication and rate limits.

Adjust the client initialization:

+	githubToken := os.Getenv("GITHUB_TOKEN")
+	var httpClient *http.Client
+	if githubToken != "" && strings.Contains(manifestURL, "github.com") {
+		httpClient = &http.Client{
+			Transport: roundTripperWithHeader{
+				headers: map[string]string{
+					"Authorization": fmt.Sprintf("Bearer %s", githubToken),
+				},
+			},
+		}
+	} else {
+		httpClient = http.DefaultClient
+	}
+
	client := &getter.Client{
+		Getters: []getter.Getter{
+			&getter.HttpGetter{Client: httpClient},
+		},
	}

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c63e6d and 48baf08.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• examples/demo-vendoring/vendor.yaml (1 hunks)
• go.mod (2 hunks)
• internal/exec/validate_stacks.go (2 hunks)
• internal/exec/vendor_model.go (4 hunks)
• internal/exec/vendor_model_component.go (3 hunks)

🧰 Additional context used

📓 Learnings (1)

internal/exec/vendor_model_component.go (1)

Learnt from: aknysh
PR: cloudposse/atmos#768
File: internal/exec/vendor_model_component.go:3-20
Timestamp: 2024-11-18T13:59:10.824Z
Learning: When replacing significant dependencies like `go-getter` that require extensive changes, prefer to address them in separate PRs.

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Summary

🔇 Additional comments (2)

go.mod (2)

53-53: LGTM! OAuth2 package addition.

The addition of golang.org/x/oauth2 aligns perfectly with the PR objective of implementing GitHub token support.

---

28-28: Verify go-getter v2 compatibility.

The upgrade from v1 to v2 is a major version change that might have breaking changes.

Let's verify the impact:

✅ Verification successful

✅ go-getter v2 upgrade verified

The codebase consistently uses go-getter v2 with proper API patterns. No compatibility issues found.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for go-getter usage patterns that might need updates
ast-grep --pattern 'getter.$$$' 

# Also check for any v1 imports that might have been missed
rg --type go "github.com/hashicorp/go-getter\b" -A 2

Length of output: 2289

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

internal/exec/vendor_utils.go (1)

721-730: Consider adding error handling for detector registration.

While the implementation is correct, consider adding error handling for edge cases where detector registration might fail.

 func RegisterCustomDetectors() {
+    // Ensure we don't add duplicate detectors
+    for _, d := range getter.Detectors {
+        if _, ok := d.(*CustomGitHubDetector); ok {
+            return
+        }
+    }
     getter.Detectors = append(
         []getter.Detector{
             &CustomGitHubDetector{},
         },
         getter.Detectors...,
     )
 }

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48baf08 and 5921941.

📒 Files selected for processing (4)

• internal/exec/validate_stacks.go (1 hunks)
• internal/exec/vendor_model.go (1 hunks)
• internal/exec/vendor_model_component.go (2 hunks)
• internal/exec/vendor_utils.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• internal/exec/vendor_model_component.go

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (6)

internal/exec/vendor_utils.go (4)

672-676: LGTM! Valid scheme list updated correctly.

The addition of git::https to the valid schemes list is necessary to support the new GitHub URL transformation feature.

---

681-684: Well-documented custom detector implementation.

The CustomGitHubDetector implementation follows the go-getter's detector interface pattern and includes clear documentation about its purpose.

Also applies to: 686-687

---

688-694: Robust URL handling and validation.

The implementation properly handles:

• Empty source URLs
• URLs without schemes (defaulting to HTTPS)

---

710-713: Secure token handling implementation.

The code securely:

• Retrieves the token from environment variable
• Uses URL's built-in methods for encoding credentials

internal/exec/validate_stacks.go (1)

382-382: LGTM! Detector registration properly placed.

The RegisterCustomDetectors() call is correctly placed before the client initialization.

internal/exec/vendor_model.go (1)

271-274: LGTM! Detector registration properly placed.

The RegisterCustomDetectors() call is correctly placed before the client initialization.

[osterman]

Note, tests are failing due to intermittent issue:

• helm repo update fails intermittently  bitnami/charts#31257

[osterman]

We also support remote schemas. We should make sure GitHub token is passed on those requests.

[osterman]

Let’s create a new core section of atmos.yaml

with a core.inject_github_token that defaults to true. Document this on the CLI configuration page. When false, we do not inject the parameter.

[Listener430]

support remote schemas

@osterman thanks, could you please share an example of "remote schemas" and what should be happening then?

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

website/docs/cli/configuration/configuration.mdx (1)

164-164: LGTM! Consider adding a link to the environment variables section.

The configuration setting is well-placed under the settings section. However, it would be helpful to add a reference to the corresponding environment variable ATMOS_GITHUB_TOKEN documented in the environment variables section.

-      inject_github_token: true # Adds the GITHUB_TOKEN as a Bearer token for GitHub API requests.
+      inject_github_token: true # Adds the GITHUB_TOKEN as a Bearer token for GitHub API requests. Can be overridden by ATMOS_GITHUB_TOKEN environment variable.

internal/exec/vendor_utils.go (2)

716-736: Simplify token selection logic.

The token selection logic could be more concise and clearer. Consider using a helper function to encapsulate the token selection logic.

-tokenATMOS := os.Getenv("ATMOS_GITHUB_TOKEN")
-tokenGitHub := os.Getenv("GITHUB_TOKEN")
-
-var usedToken string
-var tokenSource string
-
-// 1. If ATMOS_GITHUB_TOKEN is set, always use that
-if tokenATMOS != "" {
-    usedToken = tokenATMOS
-    tokenSource = "ATMOS_GITHUB_TOKEN"
-    u.LogDebug(d.AtmosConfig, fmt.Sprintf("ATMOS_GITHUB_TOKEN is set; using it for %s\n", src))
-} else {
-    // 2. Otherwise, only inject GITHUB_TOKEN if cfg.Settings.InjectGithubToken == true
-    if d.AtmosConfig.Settings.InjectGithubToken && tokenGitHub != "" {
-        usedToken = tokenGitHub
-        tokenSource = "GITHUB_TOKEN"
-        u.LogTrace(d.AtmosConfig, fmt.Sprintf("InjectGithubToken=true and GITHUB_TOKEN is set, using it for %s\n", src))
-    } else {
-        u.LogTrace(d.AtmosConfig, fmt.Sprintf("No ATMOS_GITHUB_TOKEN found or GITHUB_TOKEN unavailable. Won't inject for %s\n", src))
-    }
-}
+token, source := selectGitHubToken(d.AtmosConfig)
+if token != "" {
+    u.LogDebug(d.AtmosConfig, fmt.Sprintf("%s is set; using it for %s\n", source, src))
+} else {
+    u.LogTrace(d.AtmosConfig, fmt.Sprintf("No suitable GitHub token found. Won't inject for %s\n", src))
+}

Add this helper function:

func selectGitHubToken(config schema.AtmosConfiguration) (token, source string) {
    if t := os.Getenv("ATMOS_GITHUB_TOKEN"); t != "" {
        return t, "ATMOS_GITHUB_TOKEN"
    }
    if config.Settings.InjectGithubToken {
        if t := os.Getenv("GITHUB_TOKEN"); t != "" {
            return t, "GITHUB_TOKEN"
        }
    }
    return "", ""
}

---

755-764: LGTM! Consider adding more detailed documentation.

The implementation correctly prepends the custom detector. Consider adding more detailed documentation about when this function should be called and its thread-safety characteristics.

-// RegisterCustomDetectors prepends the custom detector so it runs before
-// the built-in ones. Any code that calls go-getter should invoke this.
+// RegisterCustomDetectors prepends the CustomGitHubDetector to the list of go-getter
+// detectors, ensuring it runs before built-in detectors. This function should be called
+// before any go-getter operations that might involve GitHub URLs.
+//
+// Note: This function modifies the global getter.Detectors slice and should be called
+// with appropriate synchronization in concurrent contexts.
 func RegisterCustomDetectors(atmosConfig schema.AtmosConfiguration) {

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 668d239 and 0df374a.

📒 Files selected for processing (2)

• internal/exec/vendor_utils.go (2 hunks)
• website/docs/cli/configuration/configuration.mdx (3 hunks)

🧰 Additional context used

📓 Learnings (1)

website/docs/cli/configuration/configuration.mdx (1)

Learnt from: osterman
PR: cloudposse/atmos#912
File: website/docs/cli/configuration/configuration.mdx:113-114
Timestamp: 2025-01-09T20:02:37.990Z
Learning: The `inject_github_token` setting should be placed under the top-level `settings` section in `atmos.yaml` instead of creating a new `core` section.

⏰ Context from checks skipped due to timeout of 90000ms (4)

• GitHub Check: [localstack] demo-localstack
• GitHub Check: Acceptance Tests (macos-latest, macos)
• GitHub Check: Acceptance Tests (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (5)

website/docs/cli/configuration/configuration.mdx (2)

200-204: LGTM! Documentation is clear and comprehensive.

The documentation for the inject_github_token setting is well-structured and provides clear information about:

• The purpose of the setting
• The behavior with GITHUB_TOKEN
• The override capability with ATMOS_GITHUB_TOKEN

---

675-675: LGTM! Environment variables are well documented.

The environment variables table has been updated with:

• The JSON Schema manifest path
• Version check configuration
• GitHub token configuration

All entries follow the established format and provide clear descriptions.

Also applies to: 679-680

internal/exec/vendor_utils.go (3)

14-14: LGTM! Import added for go-getter package.

The addition of the go-getter package is appropriate for implementing GitHub token support.

---

672-676: LGTM! Added support for git::https scheme.

The addition of "git::https" to valid schemes is necessary for supporting authenticated git cloning operations.

---

694-697: 🛠️ Refactor suggestion

Add URL validation before scheme injection.

The current implementation should validate the URL structure more thoroughly before prepending 'https://'.

 if !strings.Contains(src, "://") {
+    // Validate URL format before processing
+    if strings.Contains(src, "..") || strings.Contains(src, "\\") {
+        return "", false, fmt.Errorf("invalid URL format: %s", src)
+    }
     u.LogDebug(d.AtmosConfig, fmt.Sprintf("No scheme in %q, prepending 'https://'", src))
     src = "https://" + src
 }

Likely invalid or redundant comment.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

internal/exec/vendor_utils.go (1)

715-735: Consider environment variable documentation.

The code handles both ATMOS_GITHUB_TOKEN and GITHUB_TOKEN, but users might not be aware of this hierarchy.

Consider adding a code comment explaining the token precedence:

+    // Token precedence:
+    // 1. ATMOS_GITHUB_TOKEN (if set, always used)
+    // 2. GITHUB_TOKEN (only used if InjectGithubToken=true)
     atmosGitHubToken := os.Getenv("ATMOS_GITHUB_TOKEN")
     gitHubToken := os.Getenv("GITHUB_TOKEN")

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0df374a and a0910ba.

📒 Files selected for processing (1)

• internal/exec/vendor_utils.go (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (2)

• GitHub Check: Build (windows-latest, windows)
• GitHub Check: Summary

🔇 Additional comments (4)

internal/exec/vendor_utils.go (4)

14-14: LGTM! Import of go-getter package.

The addition of the go-getter package import aligns with the implementation of GitHub token support.

---

672-676: LGTM! Valid URI scheme extension.

The addition of git::https to valid schemes is correct and necessary for supporting authenticated git operations.

---

753-762: LGTM! Custom detector registration.

The implementation correctly prepends the custom detector to ensure it runs before built-in detectors.

---

737-746: Verify token injection behavior.

Let's verify that token injection behaves correctly when credentials are already present in the URL.

✅ Verification successful

Token injection implementation verified and secure.

The token injection behavior is correctly implemented with proper credential checks. The codebase contains a single, consistent implementation that safely handles existing credentials and follows GitHub's token authentication pattern.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for existing token handling patterns in the codebase

# Look for URL patterns with embedded credentials
rg -n "://.*:.*@.*github\.com"

# Look for other token injection implementations
ast-grep --pattern 'if $token != "" {
  $$$
  parsedURL.User = $$$
}'

Length of output: 104

---

Script:

#!/bin/bash
# Search for URL parsing and credential handling patterns
ast-grep --pattern 'parsedURL := url.Parse($_)'

# Look for URL user/password checks
ast-grep --pattern 'parsedURL.User.Username()'

# Search for token injection patterns with any variable name
ast-grep --pattern 'parsedURL.User = url.UserPassword($_, $_)'

# Find URL credential handling patterns
rg -n "User = url\.UserPassword\(" -A 2

Length of output: 844

[github-actions]

These changes were released in v1.146.0.