
fix(checkver): Harden github checkver #6641

Merged
chawyehsu merged 7 commits into ScoopInstaller:develop from chawyehsu:push-utlzmsmxpsxu
Apr 24, 2026

Conversation

@chawyehsu (Member) commented Apr 24, 2026

Description

NOTE: With this change, one has to use "github": instead of "url": to specify checkver urls in github url format, explicitly. This could be considered a breaking change and is by intention, to narrow down the use of GitHub token to only when the checkver is explicitly set to github mode.

Motivation and Context

Closes #XXXX

Relates to #XXXX

How Has This Been Tested?

Run checkver.ps1 over local buckets.

Checklist:

  • I have read the Contributing Guide.
  • I have ensured that I am targeting the develop branch.
  • I have updated the documentation accordingly.
  • I have updated the tests accordingly.
  • I have added an entry in the CHANGELOG.

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>
@chawyehsu chawyehsu self-assigned this Apr 24, 2026
coderabbitai Bot commented Apr 24, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Refactors GitHub checkver in bin/checkver.ps1 to accept string or object inputs, validate/normalize GitHub URLs, and only rewrite/use the GitHub API when GitHubToken is present. Adjusts async download tracking to register handlers per-download and initializes $in_progress to 0. Adds Unreleased changelog note.

Changes

Cohort / File(s) | Summary
GitHub checkver & async download logic (bin/checkver.ps1) | Accepts "github" or { "github": ... }; validates allowlisted GitHub URLs and api.github.com/repos/... patterns; normalizes non-API URLs to /releases/latest; only rewrites to and uses the GitHub API, injecting Authorization: token $GitHubToken, when $GitHubToken is present; removes the prior $useGithubAPI inference. Moves async download handler registration to immediately before each DownloadDataAsync, sets $in_progress = 0, and increments it per registered download (removes the queue-length init).
Changelog (CHANGELOG.md) | Adds an Unreleased bullet noting the hardened GitHub checkver logic.

Sequence Diagram(s)

sequenceDiagram
    participant Script as Checkver Script
    participant Validator as URL Validator
    participant Token as GitHubToken Checker
    participant API as GitHub API (api.github.com)
    participant Site as GitHub Site (github.com)

    Script->>Validator: receive `checkver.github` (string or object)
    Validator-->>Script: validate as `github.com` or `api.github.com/repos/...`
    alt non-API URL
        Script->>Script: normalize to `/releases/latest`
    end
    Script->>Token: is `$GitHubToken` present?
    alt token present
        Script->>API: rewrite to `api.github.com/repos/...` and call releases/latest (with Authorization)
        API-->>Script: return release metadata
    else no token
        Script->>Site: fetch `/releases/latest` from github.com (no API rewrite)
        Site-->>Script: return release page data
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • niheaven

Poem

🐰
I hopped through code and trimmed each path,
Normalized releases and kept the math,
Tokens decide if APIs are shown,
I count downloads, one by one,
A carrot for tidy paths and home. 🥕

Pre-merge checks: 5 passed

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title 'fix(checkver): Harden github checkver' directly and specifically describes the main change: hardening the GitHub checkver functionality, which aligns with the refactored validation logic and async download tracking improvements.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/checkver.ps1`:
- Around line 169-176: The validation logs an error when $inputGithubUrl does
not match $githubUrlPattern but continues processing, causing the malformed $url
to be used (later passed to DownloadDataAsync inside the ForEach-Object loop);
after the existing error call for invalid $inputGithubUrl, add an explicit
return to skip the current iteration so the code does not trim/append
'/releases/latest' or queue DownloadDataAsync for an invalid URL.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ab16cd2-3e3e-4de5-b019-fe82633b85be

📥 Commits

Reviewing files that changed from the base of the PR and between cc8d7ca and 2196ba0.

📒 Files selected for processing (1)
  • bin/checkver.ps1

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/checkver.ps1`:
- Around line 159-177: The GitHub API repo URL case isn't normalized: when
$inputGithubUrl is an api.github.com/repos/<owner>/<repo> root URL it gets left
as-is and returns repo metadata the default $regex can't match; update the
normalization logic around $url (after computing $inputGithubUrl and trimming)
to detect api.github.com repo root URLs and append the releases endpoint (e.g.
add '/releases/latest') when the path is just /repos/<owner>/<repo> (i.e. $url
-like 'https://api.github.com/repos/*' but not containing an extra path
segment), so that $url always points to a releases endpoint that the default
$regex can parse.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2062302-dfee-4324-a89b-19b2100ed25f

📥 Commits

Reviewing files that changed from the base of the PR and between c95c96e and afdda72.

📒 Files selected for processing (1)
  • bin/checkver.ps1

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>
Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>

@coderabbitai coderabbitai Bot left a comment
Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@bin/checkver.ps1`:
- Around line 259-261: The code increments $in_progress before calling
$wc.DownloadDataAsync, which can throw synchronously and leave the
downloadDataCompleted event never firing; move the $in_progress++ to after a
successful call to $wc.DownloadDataAsync (i.e., call Register-ObjectEvent $wc
downloadDataCompleted, then call $wc.DownloadDataAsync($url, $state), and only
then increment $in_progress), or alternatively capture the subscription (assign
Register-ObjectEvent to a variable), wrap the DownloadDataAsync call in
try/catch, and on exception unregister the event/subscription and avoid
incrementing (or decrement $in_progress) so the Wait-Event loop cannot deadlock.
- Around line 178-181: Update the replacement that transforms GitHub URLs when
$GitHubToken is set by escaping the dot in the regex so it matches a literal
period (use '(www\.)?github\.com' instead of '(www\.)?github.com'), and add a
short inline comment above the if ($GitHubToken) block explaining the dual-mode
behavior: when a token is present the script switches to the API endpoint and
adds the Authorization header via $wc.Headers.Add, otherwise it intentionally
falls back to unauthenticated HTML scraping to leverage GitHub's more permissive
HTML rate limits as a hardening fallback.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5251b0f9-50a9-4dd7-9996-eaf91cb4aac2

📥 Commits

Reviewing files that changed from the base of the PR and between 61d24d9 and 077b27d.

📒 Files selected for processing (1)
  • bin/checkver.ps1
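
The GitHub-mode resolution described in the walkthrough above, carrying the fixes the review comments asked for (escaped dots in the allowlist regex, a normalized releases endpoint for an api.github.com repo-root URL, and skipping the manifest instead of queueing a download when the URL fails validation), as an added example that is not the project's bin/checkver.ps1 code. The function name Resolve-GitHubCheckverUrl, its parameters, the fallback of a bare "github" string to the manifest homepage, and the handling of explicit sub-paths such as /releases or /tags are assumptions for illustration. It only computes the URL and headers and fetches nothing, so it runs offline.

```powershell
# Added example, not the project's own checkver.ps1. Names and the
# homepage fallback are assumptions; no network access is performed.
function Resolve-GitHubCheckverUrl {
    param(
        [Parameter(Mandatory)] $Checkver,   # the bare string "github" or an object with a .github member
        [string] $Homepage,                 # used only when $Checkver is the bare string "github" (assumption)
        [string] $GitHubToken               # empty means "no token": scrape github.com instead of calling the API
    )

    # 1. Pick the input URL from either accepted shape; anything else is not github mode.
    if ($Checkver -is [string]) {
        if ($Checkver -ne 'github') { return $null }
        $inputUrl = $Homepage
    } elseif ($null -ne $Checkver.github) {
        $inputUrl = [string]$Checkver.github
    } else {
        return $null
    }

    # 2. Allowlist: only github.com/<owner>/<repo>[...] or api.github.com/repos/<owner>/<repo>[...].
    #    Dots are escaped so that e.g. github.com.evil.example or githubXcom do not match.
    $sitePattern = '^https://(www\.)?github\.com/(?<owner>[\w.-]+)/(?<repo>[\w.-]+)(?<rest>/.*)?$'
    $apiPattern  = '^https://api\.github\.com/repos/(?<owner>[\w.-]+)/(?<repo>[\w.-]+)(?<rest>/.*)?$'
    $url = $inputUrl.TrimEnd('/')
    if ($url -match $sitePattern) {
        $isApi = $false
    } elseif ($url -match $apiPattern) {
        $isApi = $true
    } else {
        Write-Error "checkver.github is not an allowed GitHub URL: $inputUrl"
        return $null   # skip this manifest rather than queueing a download for a malformed URL
    }
    $owner = $Matches.owner
    $repo  = $Matches.repo
    $rest  = $Matches.rest

    # 3. Normalize a bare repo URL (github.com or api.github.com repo root) to its
    #    latest-release endpoint; an explicit sub-path is kept as given (assumption).
    if (-not $rest) { $rest = '/releases/latest' }

    # 4. Only when a token is present do we switch to the API and send the token.
    #    Without one we deliberately stay on github.com, whose HTML rate limit is
    #    more permissive than the unauthenticated API limit.
    $headers = @{}
    if ($GitHubToken) {
        $url = "https://api.github.com/repos/$owner/$repo$rest"
        $headers['Authorization'] = "token $GitHubToken"
    } elseif ($isApi) {
        $url = "https://api.github.com/repos/$owner/$repo$rest"   # API URL given explicitly; unauthenticated
    } else {
        $url = "https://github.com/$owner/$repo$rest"
    }

    [pscustomobject]@{ Url = $url; Headers = $headers; Owner = $owner; Repo = $repo }
}

# Constructed demo inputs (the second mirrors the manifest quoted later in this thread).
$siteManifest = '{"github": "https://github.com/FiloSottile/age"}' | ConvertFrom-Json
$apiManifest  = '{"github": "https://api.github.com/repos/FiloSottile/age/releases"}' | ConvertFrom-Json

Resolve-GitHubCheckverUrl -Checkver $siteManifest
Resolve-GitHubCheckverUrl -Checkver $siteManifest -GitHubToken 'ghp_example_token'
Resolve-GitHubCheckverUrl -Checkver $apiManifest
Resolve-GitHubCheckverUrl -Checkver 'github' -Homepage 'https://github.com.evil.example/a/b'
```

The four calls at the bottom show the dual-mode behaviour: the first resolves to the github.com releases page with no headers, the second rewrites the same manifest to api.github.com and attaches the Authorization header, the third keeps an explicit API URL but stays unauthenticated because no token was passed, and the fourth logs an error and returns nothing, which is the early-exit path the first review comment requested. Because the Authorization header is only ever attached on the `$GitHubToken` branch, a manifest that still uses "url": never triggers it, which is exactly the breaking behaviour the PR description announces.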

Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>
Signed-off-by: Chawye Hsu <su+git@chawyehsu.com>
@chawyehsu chawyehsu merged commit 3533442 into ScoopInstaller:develop Apr 24, 2026
3 checks passed
@z-Fng (Member) commented May 2, 2026

I noticed more rate limit errors in the Excavator workflow today.

P.S. The workflows for the main/extras/versions bucket are all using the develop branch (ScoopInstaller/Extras#17065).

Even though the URL indicates the GitHub API is being used, the requests are still missing a token in the header. Is this expected behavior? e.g.,

    "checkver": {
        "url": "https://api.github.com/repos/FiloSottile/age/releases",
        "regex": "/age-v([\\w.-]+)-windows"
    },

@chawyehsu (Member, Author) commented

See the PR note, it's expected breaking. You'll have to use github: instead of url: now.

@z-Fng (Member) commented May 2, 2026

See the PR note, it's expected breaking. You'll have to use github: instead of url: now.

Okay, got it. Sorry, I skimmed through it at first and didn't fully understand the intent of your note.

@chawyehsu (Member, Author) commented

@z-Fng You might be interested in reviewing the other changes in my checkver refinement series since you made relevant PRs before.

@z-Fng (Member) commented May 2, 2026

@z-Fng You might be interested in reviewing the other changes in my checkver refinement series since you made relevant PRs before.

OK, I will.

These changes are great. The code is much more readable and more secure than before.

However, to some extent, breaking changes could cause a lot of trouble for bucket maintainers, especially since some of our community buckets have tens of thousands of manifests. Furthermore, currently, we can only set scoop_repo and scoop_branch, but not scoop_version. This means when a new release is published, users have no warning — the breaking change hits them immediately. I was wondering if we could ask other maintainers for their opinions and implement a workaround in GitHub Actions.
