curl command failing to download release asset from private GitHub repo - github

According to multiple answers provided in other similar questions, I am trying to download a release assed from GitHub using curl, as follows:
curl -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: Bearer XXXXXXXX" -LJO https://github.com/Org/repo/releases/download/0.4.2/repo-linux-amd64
This keep fetching a file with content Not Found.
When opening the link https://github.com/Org/repo/releases/download/0.4.2/repo-linux-amd64 from an authenticated browser window, it does download the file.
I have also tested my token by running
curl -H "Authorization: token XXXXXXXX" https://api.github.com/user
What is more, the token has the right scopes given that
gh release download 0.4.2 --pattern repo-linux-amd64 -R Org/repo
also works (the token value is exported in the GITHUB_TOKEN environment variable).
I have also tried this variation (with token instead of Bearer in the Authorization header) and the end result is the same
curl -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" -H "Authorization: token XXXXXXXX" -LJO https://github.com/Org/repo/releases/download/0.4.2/repo-linux-amd64
What am I missing?

Related

GitHub Actions: Must have admin rights to trigger workflow_dispatch?

Using the github API I am trying to manually start a workflow using:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: MY_TOKEN" \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches
but I keep getting an authentication error:
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
This seems to be a similar issue to this question. But my PAT token has all admin and repo scopes selected. I also have my user account setup as admin for the repository and I have added a workflow dispatch to the workflow yaml file.
workflow_dispatch:
inputs:
tags:
description:
"run from cmdline"
I have been following the docs at https://docs.github.com/en/rest/actions/workflows#create-a-workflow-dispatch-event and have had no problems using the API to retrieve all previous workflow jobs. I have also tried the runs and jobs endpoints but get the same error. So I am now not sure what else I can do. Is there somewhere else I need to set permissions?
Thanks
This is a poor error message to tell you that your request is not formed correctly. If you want to pass a PAT as a header, you need to prefix it with token, as described in the docs:
-H "Authorization: token MY_TOKEN"
Once that's resolved, however, you'll also get an error because you don't pass the required ref payload. Assuming your default branch is main, here's a correct curl command:
> export MY_TOKEN=gha_abcdef
> curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token $MY_TOKEN" \
-d '{"ref": "main"}' \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches

What permissions is my github PAT missing?

I'm triggering a github action using a webhook. Until recently this worked perfectly but I got a request from Github to refresh my PAT to the new format and now I get a permission denied error. Am I missing a permission or has the authorization syntax changed?
This is the webhook I'm calling:
curl -d '{"ref":"v2.0","inputs":{"oga_no":"1369"}}' -H 'Accept: application/vnd.github.v3+json' -H 'Authorization: Basic ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' -H 'Content-Type: application/json;charset=utf-8' -X POST 'https://api.github.com/repos/ogauk/boatregister/actions/workflows/publish.yml/dispatches'
And this is the response:
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
Something must have changed with the new token format. I spotted a post with a slightly different syntax and tried it.
curl -d '{"ref":"v2.0","inputs":{"oga_no":"1369"}}' -H 'Accept: application/vnd.github.v3+json' -H 'Authorization: token ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' -H 'Content-Type: application/json;charset=utf-8' -X POST 'https://api.github.com/repos/ogauk/boatregister/actions/workflows/publish.yml/dispatches'
So changing Basic to token fixed my problem.

Unable to access github API getting bad credentials error

I am trying to add a custom code check for a PR. After doing some research I found out that it can be done using the API mentioned below.
POST /repos/{owner}/{repo}/check-runs
Initially, it was giving me this error:
{
"message": "You must authenticate via a GitHub App.",
"documentation_url": "https://docs.github.com/rest/reference/checks#create-a-check-run"
}
I followed the guideline provided in this link.
I created a GitHub app.
Gave it required permission.
Generated a private key.
Generated a JWT token using the private key.
Installed the Github app in the repo too
I created a curl request:
curl --location --request POST 'https://api.github.com/repos/X/X-app/check-runs' \
--header 'Accept: application/vnd.github.v3+json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.X.X-X-SAFvDnSkaJDjMI2T_BAC2iLlRZ7uNyFSe-X-UgFBFjoFrwsbcYFKfDM8f3FNPYpA6afhr18DLZ6rzu35klA' \
--header 'Content-Type: application/json' \
--data-raw '{
"name": "loremipsum"
}'
But, now I am getting this error
{
"message": "Bad credentials",
"documentation_url": "https://docs.github.com/rest"
}
I am not sure what I am missing here.
I figured this out. The GH documentation is a bit unclear/misleading. Here are the steps to make this work:
with the JWT bearer token, list your installations and note the installation id for your app
$ curl -i \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/app/installations
then get an installation access token for the above id
$ curl -i -X POST \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/app/installations/:installation_id/access_tokens
then with that token create the check run but use "Authorization: token" header
curl -i -H "Authorization: token YOUR_INSTALLATION_ACCESS_TOKEN"

Configuration of reCAPTCHA for Keycloak via CLI

Is there a way to configure reCAPTCHA via the CLI for a Keycloak standalone installation? To be more precise, is it possible to carry out all the steps described here in the Keycloak docs with the help of kcadm.sh?
You can achieve that by using Keycloak Admin REST API.
The first step is to get an admin token, so that one can call the Rest API:
curl -d "client_id=admin-cli" \
-d "username=$ADMIN_NAME" \
-d "password=$ADMIN_PASSWORD" \
-d "grant_type=password" \
https://$KEYCLOAK_IP/auth/realms/master/protocol/openid-connect/token
You will get a json response with the admin token. Extract the access token from that response (lets called $ACCESS_TOKEN).
Now, we need to get the list of all executions linked to the registration flow:
curl -X GET https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/flows/registration/executions \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"
From that json response, extract the id of the "providerId=registration-recaptcha-action". Lets call that id, $ID_RECAPTCHA.
Next make the reCaptcha required at the registration:
CAPTCHA_DATA='{"id":"$ID_RECAPTCHA","requirement":"REQUIRED","providerId":"registration-recaptcha-action"}'
curl -X PUT https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/flows/registration/executions \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"\
-d "$JSON_DATA"
Finally, to configure your own captcha:
CONFIG_DATA='{"config":{"site.key":"<YOUR SITE KEY>","secret":"<YOUR SECRET>","useRecaptchaNet":"<True or False>"},"alias":"<The CAPTCHA ALIAS>"}'
curl -X POST https://$KEYCLOAK_IP/auth/admin/realms/$REALM_NAME/authentication/executions/$ID_RECAPTCHA/config \
-H "Content-Type: application/json" \
-H "Authorization: bearer $ACCESS_TOKEN"\
Next, the best thing is to automatize this process with, for instance, some bash scripts.

How do I download a file from a GitHub draft

I am using AppVeyor to set up the CI for a GitHub repository and upload the build artifacts to a draft named CI builds. The file is e.g. located under
https://github.com/an_organisation/a_project/releases/tag/untagged-1111aaaacccc0000dddd/filename.tar.gz
and can be accessed and downloaded from a browser.
Now I would like to access those uploaded artifact from another AppVeyor project (i.e. an appveyor.yml script). I tried without success to download with AppVeyor DownloadFile command, curl, and wget using the following commands
set DOWNLOAD_FILENAME=filename.tar.gz
set DOWNLOAD_ADDRESS=https://github.com/an_organisation/a_project/releases/download/untagged-1111aaaacccc0000dddd/$DOWNLOAD_FILENAME
wget --header "Authorization: token $GH_AUTH_TOKEN" --output-document=$DOWNLOAD_FILENAME $DOWNLOAD_ADDRESS
wget --auth-no-challenge --header "Accept:application/octet-stream" --output-document=$DOWNLOAD_FILENAME "$DOWNLOAD_ADDRESS?access_token:$GH_AUTH_TOKEN"
curl -fsSL -G --user "$APPVEYOR_ACCOUNT_NAME:$GH_AUTH_TOKEN" -o $DOWNLOAD_FILENAME $DOWNLOAD_ADDRESS
curl -fsSL -G -H "Authorization: token $GH_AUTH_TOKEN" -H "Accept: application/octet-stream" -o $DOWNLOAD_FILENAME $DOWNLOAD_ADDRESS
curl -fsSL -G -H "Authorization: token $GH_AUTH_TOKEN" -H "Accept: application/octet-stream" -o $DOWNLOAD_FILENAME https://api.github.com/repos/an_organisation/a_project/releases/download/untagged-1111aaaacccc0000dddd/
Slowly I get a feeling that a file download from a draft via GitHub API or download link is not possible.
What is the correct command to download such a file?
TLDR Use the Get Release asset API with header Accept: application/octet-stream :
curl -OJ -L -H "Accept: application/octet-stream" \
-H "Authorization: Token $YOUR_TOKEN" \
"https://api.github.com/repos/$REPO/releases/assets/$ASSET_ID"
You need to have the assetID. In order to have it you need the releaseID if you have not already this information use GET /repos/:user/:repo/releases :
curl -s -H "Authorization: Token $YOUR_TOKEN" \
"https://api.github.com/repos/$REPO/releases" | jq '.[] | {(.name): .id}'
Then get the assets IDs use GET /repos/:user/:repo/releases/:release_id :
curl -s -H "Authorization: Token $YOUR_TOKEN" \
"https://api.github.com/repos/$REPO/releases/$RELEASE_ID" | \
jq -r '.assets[] | {(.id |tostring): .name}'
Then once you have assetID (maybe you already had it btw) you can finally use GET /repos/:user/:repo/releases/assets/:asset_id with header Accept: application/octet-stream. From the documentation :
To download the asset's binary content, set the Accept header of the
request to application/octet-stream. The API will either redirect the
client to the location, or stream it directly if possible. API clients
should handle both a 200 or 302 response.
The following download the file locally :
curl -OJ -L -H "Accept: application/octet-stream" \
-H "Authorization: Token $YOUR_TOKEN" \
"https://api.github.com/repos/$REPO/releases/assets/$ASSET_ID"