Do GitHub raw urls expire? - github

Do GitHub raw urls for private repositories expire? I'm referring to the link generated when you click the Raw button while viewing a file on github.com.
The link includes a token but there's no info about where that token comes from.

No one has clearly mentioned this, but the github raw urls expire in 7 days.
You can use longer lasting personal access tokens generated here: https://github.com/settings/tokens but those can only be used via curl:
curl -H 'Authorization: token <personal_token>' <raw_url>
Note that the personal access tokens expire if unused for an entire year.

That token comes from using OAuth with Git
https://<oauth-secret>:x-oauth-basic@raw.githubusercontent.com/<me>/<repo>/master/<file>
The raw.githubusercontent.com/<me>/<repo>/master/<file> part does not expire.
But it is better to type 'y' before clicking 'Raw' on the GitHub page, in order to get the SHA1 as part of the URL: that way, you are sure to always reference the same file version.
https://<oauth-secret>:x-oauth-basic@raw.githubusercontent.com/<me>/<repo>/<sha1>/<file>
The token part does not "expire" (but it can be deleted or revoked)

Please look at this API document, https://developer.github.com/v3/repos/contents/.
The URL should be:
curl -H 'Accept: application/vnd.github.VERSION.raw' -k \
"https://{{githubhost}}/api/v3/repos/{{org}}/{{repo}}/contents/{{path}}?access_token=xxxx"
It worked for me.
The access_token is a personal access token.
And the path can be a file or dir.

Related

Accessing another repository from within GitHub Actions without using PAT

Within a GitHub Actions workflow in repository A we are trying to download release assets from another private repository B. Therefore the runner (running in a workflow in repo A) needs to authenticate against repository B.
There seem to be 2 possible solutions for that:
Create a private access token (PAT)
Create a GitHub application and use that for authenticating
Since we do not want this setup to be dependent on individual users, option 1) seems like the wrong approach. But we somehow got stuck with option 2). What we did so far:
Create a GitHub application (not oauth, since it should be independent of the user)
Grant all permissions for repositories to this app
Install the app in our organisation
Generate an app private key and create a JWT token following the documentation here
Sending a curl request with this generated JWT token, like
curl -i -X POST \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/app/installations/:installation_id/access_tokens
But this request always gives us a 401.
So first question is: are we on the right track here? Second question would be: how can we make this work?
It also puzzles us that we would have to re-create the JWT token with every workflow run (since we cannot use a long enough expiration time), and would rather like to have something that can be put into the secrets store of the workflow.

Revoke / Generate Github personal news RSS feed token

I accidentally leaked it. I searched the Github docs and account settings but did not find anything to recover.
You should be able to regenerate a new PAT (Personal Access Token), and invalidate/remove the previous one, in your Settings / Developer Settings / Personal access tokens / Tokens (classic) section.
Then you should be able to test your RSS feeds, knowing that, as the Feed API page mentions:
Private feeds are only returned when authenticating via Basic Auth (USERNAME:TOKEN) since current feed URIs use the older, non revocable auth tokens.
You can list your feeds with
curl \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer <YOUR-TOKEN>" \
https://api.github.com/feeds
Or use third-party GitHub feed generators like RSSHub (as listed here).

Retrieve artifacts from public repository using PAT

I am trying to download the latest artifact of a repository I don't own.
The API just gives me the following error:
{
"message": "You must have the actions scope to download artifacts.",
"documentation_url": "https://docs.github.com/rest/reference/actions#download-an-artifact"
}
The thing is, I don't see an "actions" box when creating a personal access token. Here are the possible options; my token has access to "repo" and "workflow".
Is this on purpose, or have I missed something (another endpoint)?
As mentioned in the documentation:
Check headers to see what OAuth scopes you have, and what the API action accepts:
$ curl -H "Authorization: Bearer OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/2 200
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user
X-OAuth-Scopes lists the scopes your token has authorized.
X-Accepted-OAuth-Scopes lists the scopes that the action checks for.
So replace codertocat by the user of the repository you do not own, and check
X-Accepted-OAuth-Scopes to discover the expected scopes.
Compare them with X-OAuth-Scopes.
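The header comparison described in this answer, as an added example that is not part of the original post. The header samples are constructed, and the script assumes that one matching scope is enough and does not expand parent scopes.

```shell
#!/bin/sh
# Added example: compare X-OAuth-Scopes with X-Accepted-OAuth-Scopes.
# Assumption: one matching scope is enough; parent scopes (repo covers
# public_repo, and so on) are NOT expanded here.

# Constructed `curl -sI` output; curl emits CRLF line endings.
HDR_OK=$(printf 'HTTP/2 200\r\nx-oauth-scopes: repo, user\r\nx-accepted-oauth-scopes: user\r\n')
HDR_MISSING=$(printf 'HTTP/2 200\r\nX-OAuth-Scopes: repo, workflow\r\nX-Accepted-OAuth-Scopes: user\r\n')

# header_value NAME HEADERS -> value of NAME (case-insensitive), trimmed
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1" '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == tolower(name)) {
            v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }
    }'
}

# split_scopes "a, b" -> one scope per line
split_scopes() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# scope_overlap HAVE ACCEPTED -> scopes present in both lists
scope_overlap() {
    split_scopes "$2" | while IFS= read -r s; do
        if split_scopes "$1" | grep -Fxq -- "$s"; then printf '%s\n' "$s"; fi
    done
}

# check_scopes HEADERS -> verdict on stdout; status 0 = usable, 1 = scope missing
check_scopes() {
    have=$(header_value x-oauth-scopes "$1")
    accepted=$(header_value x-accepted-oauth-scopes "$1")
    if [ -z "$accepted" ]; then echo "ok: endpoint checks no scope"; return 0; fi
    common=$(scope_overlap "$have" "$accepted" | tr '\n' ' ')
    if [ -n "$common" ]; then echo "ok: token has ${common% }"; return 0; fi
    echo "missing: token has [$have], endpoint checks [$accepted]"; return 1
}

check_scopes "$HDR_OK" || true
check_scopes "$HDR_MISSING" || true
```

To use it against a live endpoint, pass it the output of `curl -sI` with your own Authorization header in place of the constructed samples.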

Change configuration for not change token of private repository

I have a private repository, and access to raw.githubusercontent.com by API uses ?token=AEDIQE3IPAPDAXI6QPVEBALBSAPEU at the end of the file name. But this token changes over time (10-15 days), and this is not so good for my purposes. I can't find any way to keep the token from changing. Please, is this kind of configuration possible?
Since that token can change, you might consider creating a Personal Access Token (PAT), and downloading the files using the Authorization header instead of a token in the URL.
curl -H "Authorization: token ${PAT}" \
https://raw.githubusercontent.com/user/repo/main/file.txt
The other approach seen here would be, still with a PAT, to
curl -H "Authorization: token ${PAT}" \
https://github.com/<username>/<reponame>/raw/<branch>/<path-to-your-file>
This will return a “redirect (HTTP 302)” with location header value pointing to the URL with the token.
You can get the current "raw.githubusercontent.com" token that way.
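Several commands on this page carry the credential inside the URL itself (`?token=`, `?access_token=`, or the `<oauth-secret>:x-oauth-basic` user-info prefix), where it ends up in shell history, proxy logs and CI output. The following added example, not part of the original posts, finds and redacts those three forms in a log; the sample log lines and token values are constructed.

```shell
#!/bin/sh
# Added example: locate and redact GitHub credentials embedded in URLs.
# Covers the three URL forms that appear on this page.

# Constructed sample log; the last line uses the Authorization header form
# and carries no credential in its URL.
SAMPLE_LOG='GET https://raw.githubusercontent.com/user/repo/main/file.txt?token=CONSTRUCTEDTOKEN123
git clone https://0123abcd:x-oauth-basic@raw.githubusercontent.com/me/repo/master/file
curl https://api.github.com/user?access_token=XXXXXXXX
curl -H "Authorization: token ***" https://raw.githubusercontent.com/user/repo/main/file.txt'

# redact_url_tokens: stdin -> stdout with URL-borne credentials replaced
redact_url_tokens() {
    sed -E \
        -e 's#(https?://)[^/@[:space:]]+@#\1<redacted>@#g' \
        -e 's#([?&](access_)?token=)[^&[:space:]]+#\1<redacted>#g'
}

# find_url_tokens: stdin -> "LINE:text" for every line with a credential in
# a URL, already redacted so the report itself is safe to share
find_url_tokens() {
    grep -nE '(https?://[^/@[:space:]]+@|[?&](access_)?token=[^&[:space:]])' |
        redact_url_tokens
}

# count_url_tokens: stdin -> number of affected lines
count_url_tokens() {
    find_url_tokens | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | find_url_tokens
```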

Github v3 API - create a REPO

I’m trying to use the Github v3 API - I already implemented the required OAuth flow and it works well.
Now I’m trying some of the Repos API endpoints (http://developer.github.com/v3/repos/).
So far, I’m able to get a List of my repos using: GET /user/repos
However, when I try to create a repo using POST /user/repos, I get a 404.
Any thoughts what I might be doing wrong?
Joubert
Can you please tell us how exactly you did the HTTP request? The 404 sounds like you were using a wrong path, probably. But to give a reliable answer instead of a wild guess, we need to see your request, including how you are sending your token, just mask it with 'xxx' or something.
I'll show you in the meantime an example request, that is working:
curl -XPOST -H 'Authorization: token S3CR3T' https://api.github.com/user/repos -d '{"name":"my-new-repo","description":"my new repo description"}'
You would need to replace the OAuth token of course: S3CR3T
I had the same issue. The reason why you are getting a 404 with your oauth access token is that when you authorize to github you need to also additionally pass the scopes you want. For example, in the header you should see "X-OAuth-Scopes: repo, user", which means this user has read/write access to his profile and repositories. Once you have set the correct scopes you should be able to do POST/PUT requests just fine.
To see whether or not you have the correct permissions, you can do something like the following. Substitute the XXXXXXX with your access token.
curl -I "https://api.github.com/user?access_token=XXXXXXXX"
For creating repositories as a user you can use a personal access token and basic auth, which can be much simpler when you are fluffing around on the command line and have 2FA enabled.
curl -d '{"name":"test"}' -u githubuser:personaccesstoken https://api.github.com/user/repos
Create a personal access token here https://github.com/settings/tokens and make sure it has the 'repo' scope.
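This script lets you read in the token and project name as variables so you can use it in a script
#!/usr/bin/env bash
# Abort on use of an unset variable (options cannot be passed reliably on an env shebang line).
set -u
# Read the token from a file so it is not hard-coded in the script.
TOKEN=$(cat token_file)
PROJECT=myproject
# The request body is JSON; the URL is quoted so the shell leaves "?" and the token untouched.
curl -X POST -H 'Content-Type: application/json' -d '{"name": "'"$PROJECT"'"}' "https://api.github.com/user/repos?access_token=$TOKEN"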