Github CDN Links for private repos can't be viewed in other tools #61412
Unanswered
alex-statsig
asked this question in
Pull Requests
Replies: 1 comment
Just met a similar issue editing a markdown file from a private repository in VS Code. I wonder if there is a way to authenticate your account in VS Code to make those assets visible.
Select Topic Area
Product Feedback
Body
Github CDN Links for private repos are private – I think this is somewhat by design, but leads to some inconveniences. In particular, it makes it hard to view images on commits through other tools (since you aren't authenticated to view the image there, even though you're authenticated to view the message and get the image's URL). In my case, I want to be able to see screenshots from people's commits (from their PRs) in VSCode with an extension that shows blame on hover, but they fail to load.
In a public repo, when you upload an image for issues / PRs, you get a link like https://github.com/statsig-io/statsig-feedback/assets/[id-stuff] . When you actually navigate to this, it resolves to something like https://github-production-user-asset-6210df.s3.amazonaws.com/[id-stuff].png .
In a private repo, the initial link looks similar but resolves to https://github-production-user-asset-6210df.s3.amazonaws.com/[id-stuff].png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=... (if you make the request with cookies giving access to the repo).
I'm assuming the intent is to protect against some brute force attacks revealing images from private repos, but it feels like then the first link should just contain necessary authentication (random token). I understand this could allow a one time leak to give permanent access, but with one time access an actor could download the image anyway.
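The private-repo URL quoted above has the shape of an S3 SigV4 presigned URL, which carries its own validity window, unlike the permanent random token the post proposes. The following is an added example, not part of the original post and not GitHub's code: it reads that window and redacts the signature before the URL is logged or cached by a tool. Every query value in the sample, including the 300-second lifetime, is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample: same host and shape as the URL in the post; all values made up.
SAMPLE = (
    "https://github-production-user-asset-6210df.s3.amazonaws.com/EXAMPLE-ID.png"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20230101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20230101T120000Z"
    "&X-Amz-Expires=300"  # assumed lifetime, not a documented GitHub value
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=CONSTRUCTED0000"
)

# Parameters that grant access on their own and should never reach logs.
SECRET_PARAMS = {"X-Amz-Signature", "X-Amz-Security-Token"}


def presign_window(url):
    """Return (issued_at, expires_at) in UTC, or None if the URL is not presigned."""
    q = parse_qs(urlsplit(url).query)
    if "X-Amz-Date" not in q or "X-Amz-Expires" not in q:
        return None
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    return issued, issued + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def expired(url, now):
    """True once the signed window has closed; unsigned URLs never expire here."""
    window = presign_window(url)
    return window is not None and now >= window[1]


def redact_for_logs(url):
    """Keep the URL readable for debugging but strip the access-granting values."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    print(presign_window(SAMPLE))
    print(redact_for_logs(SAMPLE))
```

A tool that stores the resolved URL rather than the original `assets/` link will see it stop working once `expired` returns True, so the original link is the one to keep and re-resolve with the user's credentials.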