Release Assets for private repo: Missing Access Token?

[eteubert]

Hi,

I tried using the "Release Assets" feature with a private repo. From the plugin update screen I can see it's trying to fetch the correct file.

https://github.com/myprivateorg/myprivate/releases/download/v0.1.3/myplugin-v0.1.3.zip

But it 404 fails. When I copy the URL to my browser, I can access and download it. Is it possible that the configured access token is not used here?

[afragen]

Let me take a look. Can you give afragen temporary access to the repo for me to test? I'll see what I can do without access though.

[eteubert]

Sure :) I just sent you an invite.

[afragen]

Thanks. I'll take a closer look.

[afragen]

Hmm. I'm looking locally and after installing and attempting to update, the download link has the access token, but I'm getting what appears to be a 404 error, Download failed. Not found.

Yes the link works when copied into a browser window.

Still looking.

[afragen]

I've followed this request through core and it comes back as a 404. I have no idea why and I'm not sure I can fix this.

[eteubert]

Thanks for following up so quickly and thoroughly. You're right, I can't even reach the URL via command line/curl. It always 404s. I contacted Github, asking if it's a bug on their end. Will follow up here once they reply.

[afragen]

Thanks

[eteubert]

Here's the answer from GitHub

I reviewed your cURL requests and see that you're making a call to github.com, > and not the GitHub API (https://api.github.com).

If you're interested in getting the release for that repository, I recommend > using this endpoint specifying the release's ID:

https://developer.github.com/v3/repos/releases/#get-a-single-release

Here's an example cURL request, where "123456" is a fictitious release ID:

curl -H "Authorization: token XXXXX" -IL "https://api.github.com/repos/> ORG/REPO/releases/123456"

You could fetch the releases for a repository using this endpoint, where each > release includes an id field:

https://developer.github.com/v3/repos/releases/#list-releases-for-a-repository

Here's the accompanying cURL request:

curl -H "Authorization: token XXXXX" -IL "https://api.github.com/repos/> ORG/REPO/releases"

I hope that helps, but let me know if you have any other questions!

---

That didn't really help but I found a solution diving into the API again:

Assuming we already know the tag name (which is the case in Github Updater), we can access the release directly like this:

curl -s -H "Authorization: token XXXXX" "https://api.github.com/repos/ORG/REPO/releases/tags/v0.1.3"

Which returns

{
    "url": "...",
    "assets": [
        {
          "url": "https://api.github.com/repos/ORG/REPO/releases/assets/123456",
          "id": 123456,
          "name": "br-wordpress-podlove-publisher-s3-v0.1.3.zip",
          "label": "",
          "uploader": {
            ...
          },
          "content_type": "application/zip",
          "state": "uploaded",
          "size": 1167766,
          "download_count": 9,
          "created_at": "2016-10-25T12:36:34Z",
          "updated_at": "2016-10-25T12:36:38Z",
          "browser_download_url": "https://github.com/ORG/REPO/releases/download/v0.1.3/br-wordpress-podlove-publisher-s3-v0.1.3.zip"
        }, {
            # more assets
        }
    ]
}

There can be multiple assets. You could apply the already defined naming scheme and filter, or simply take the first asset.

Now, the browser_download_url is the one we already know doesn't work except in the browser (as the name suggests :)).

However, I found this in the API docs:

To download the asset's binary content, set the Accept header of the request to application/octet-stream. The API will either redirect the client to the location, or stream it directly if possible. API clients should handle both a 200 or 302 response.

curl -L -s -H "Accept: application/octet-stream" "https://api.github.com/repos/ORG/REPO/releases/assets/2528260?access_token=XXXXX" > release.zip

This works—heureka! 💡

• -L: It's important to follow the location because the actual file is hosted on S3.
• -H "Accept: application/octet-stream": the header that tells GitHub to download rather than return a JSON response
• Access token: I had to use the parameter version here. When I used -H "Authorization: token XXXXX", I got a Bad Request response from Amazon.

It's probably a fair bit of work to implement but the approach should work. Until then you should add to the readme that asset downloading does not work for private repos for now.

[afragen]

Thanks! Great digging. Why couldn't it just be like public repos? 😝

I'll dig through this and figure out a fix. I'll let you know, but likely to take a couple of days.

[afragen]

I think you're going to like this.

Still cleaning up and working out the kinks.

[afragen]

@eteubert this should do it. 55413c2

Update to develop v6.0.0.6 and let me know how it works.

[eteubert]

Awesome :) Will give it a try in the next few days and report back. Read the commit just now and it looks great. Maybe mention in the docs that the first asset will be used, although I imagine few people will have more than one anyway.

[afragen]

The latest asset is the one used. https://developer.github.com/v3/repos/releases/#get-the-latest-release

I think it only returns a single asset. Also, because of the new HTTP lib in WP 4.6; this is minimum requirement.

[eteubert]

Just activated 6.0.0.6, now the plugins page shows a whitescreen with:

Fatal error: Uncaught Error: Cannot use object of type stdClass as array in /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/GitHub_API.php:147 Stack trace: #0 /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/Base.php(453): Fragen\GitHub_Updater\GitHub_API->get_remote_changes('CHANGES.md') #1 /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/Plugin.php(228): Fragen\GitHub_Updater\Base->get_remote_repo_meta(Object(stdClass)) #2 /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/Base.php(291): Fragen\GitHub_Updater\Plugin->get_remote_plugin_meta() #3 /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/Base.php(250): Fragen\GitHub_Updater\Base->forced_meta_update_plugins() #4 /srv/www/wordpress-default/wp-includes/plugin.php(524): Fragen\GitHub_Updater\Base->init('') #5 /srv/www/wordpress-default/wp-settings.php(411): do_action('init') #6 in /srv/www/wordpress-default/wp-content/plugins/github-updater-develop/src/GitHub_Updater/GitHub_API.php on line 147

[eteubert]

Forcing an array response for the api call fixes it for me:

# src/GitHub_Updater/GitHub_API.php l.134
$response = (array) $this->api( '/repos/:owner/:repo/contents/' . $changes );

[afragen]

I changed the format of the transient for optimization. Depending upon how you updated you could get this error. Install https://github.com/afragen/clear-github-updater-cache it will clear your transients and then deactivate.

[eteubert]

Ah, that makes sense. Thanks :)

[afragen]

If you update to the latest develop 6.0.0.8, it should automatically take care of that problem. Also, is the release asset update working?

[afragen]

@eteubert have you had a chance to re-test with the latest develop branch?

[eteubert]

Gave it a try with 6.0.0.16 and it worked 👍