fix: public github release downloads should not be authenticated

yeikel · yeikel · commit f8ef0794c774 · 2026-02-08T18:51:50.000-05:00
diff --git a/internal/handlers/git_server.go b/internal/handlers/git_server.go
@@ -323,6 +323,10 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 		return nil
 	}
 
+	if isPublicGitHubDownload(host, r.URL.Path) {
+		return nil
+	}
+
 	// Get credentials for the host that not unscoped to specific repositories.
 	hostCreds := credentials.get(host)
 	credsForRequest := hostCreds.getCredentialsForRepo(allReposScopeIdentifier)
@@ -343,6 +347,12 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 	return credsForRequest
 }
 
+// GitHub release download URLs are public
+// and do not require authentication
+func isPublicGitHubDownload(host string, path string) bool {
+	return host == "github.com" && strings.Contains(path, "/releases/download/")
+}
+
 // HandleResponse handles retrying failed auth responses with alternate credentials
 // when there are multiple tokens configured for the git server.
 //
diff --git a/internal/handlers/git_server_test.go b/internal/handlers/git_server_test.go
@@ -124,6 +124,31 @@ func TestGitServerHandler(t *testing.T) {
 		"valid github request")
 }
 
+func TestGitServerPublicReleaseDownload(t *testing.T) {
+	installationCred := testGitSourceCred("github.com", "x-access-token", "v1.token")
+	gheCred := testGitSourceCred("ghe.some-corp.com", "x-access-token", "corp")
+	mavenCred := config.Credential{
+		"type": "maven_repository",
+		"host": "myHost.com",
+	}
+
+	credentials := config.Credentials{
+		installationCred,
+		gheCred,
+		mavenCred,
+	}
+	handler := NewGitServerHandler(credentials, nil)
+
+	req := httptest.NewRequest("HEAD", "https://github.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+	req, _ = handler.HandleRequest(req, nil)
+	assertUnauthenticated(t, req, "Public release download URL should not be authenticated")
+
+	req = httptest.NewRequest("HEAD", "https://myHost.com/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+	req, _ = handler.HandleRequest(req, nil)
+	assertUnauthenticated(t, req, "Public release download URL should not be authenticated by the git handler")
+
+}
+
 func TestGitServerHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 	installationToken1 := "v1.token1"
 	privateRepo1Cred := testGitSourceCred("github.com", "x-access-token", installationToken1, withAccessibleRepos([]string{"github/private-repo-1"}))
