Prevent falling back to default token for onprem

src/Runner.Sdk/Util/UrlUtil.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Linq;
 using System.Net.Http.Headers;
+using System.Text.RegularExpressions;
 
 namespace GitHub.Runner.Sdk
 {
@@ -21,6 +22,28 @@ public static bool IsHostedServer(UriBuilder gitHubUrl)
                 gitHubUrl.Host.EndsWith(".ghe.com", StringComparison.OrdinalIgnoreCase);
         }
 
+        // For GitHub Enterprise Cloud with data residency, we allow fallback to GitHub.com for Actions resolution
+        public static bool IsGHECDRFallbackToDotcom(UriBuilder gitHubUrl, ActionDownloadInfo downloadInfo)
+        {
+            string pattern = @"^https?:\/\/api\.github\.com\/repos\/[^\/]+\/[^\/]+\/(tar|zip)ball\/[a-zA-Z0-9._\/-]+$";
+#if OS_WINDOWS
+            if (downloadInfo.ZipballUrl != null && !Regex.IsMatch(downloadInfo.ZipballUrl.ToString(), pattern))
+#else
+            if (downloadInfo.TarballUrl != null && !Regex.IsMatch(downloadInfo.TarballUrl.ToString(), pattern))
+#endif
+            {
+                return false;
+            }
+
+            if (gitHubUrl.Host.EndsWith(".ghe.localhost", StringComparison.OrdinalIgnoreCase) ||
+                gitHubUrl.Host.EndsWith(".ghe.com", StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+
+            return false;
+        }
+
         public static Uri GetCredentialEmbeddedUrl(Uri baseUrl, string username, string password)
         {
             ArgUtil.NotNull(baseUrl, nameof(baseUrl));

src/Runner.Worker/ActionManager.cs

@@ -739,13 +739,31 @@ private async Task BuildActionContainerAsync(IExecutionContext executionContext,
             ArgUtil.NotNull(actionDownloadInfos.Actions, nameof(actionDownloadInfos.Actions));
             var defaultAccessToken = executionContext.GetGitHubContext("token");
 
+            // Get GitHub URL for OnPrem fallback logic
+            UriBuilder gitHubUrl = null;
+            var serverUrl = executionContext.GetGitHubContext("server_url");
+            if (!string.IsNullOrEmpty(serverUrl))
+            {
+                gitHubUrl = new UriBuilder(serverUrl);
+            }
+            else
+            {
+                // Fallback to runner settings if GitHub context doesn't have server_url
+                var configurationStore = HostContext.GetService<IConfigurationStore>();
+                var runnerSettings = configurationStore.GetSettings();
+                if (!string.IsNullOrEmpty(runnerSettings.GitHubUrl))
+                {
+                    gitHubUrl = new UriBuilder(runnerSettings.GitHubUrl);
+                }
+            }
+
             foreach (var actionDownloadInfo in actionDownloadInfos.Actions.Values)
             {
                 // Add secret
                 HostContext.SecretMasker.AddValue(actionDownloadInfo.Authentication?.Token);
 
-                // Default auth token
-                if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token))
+                // Use default auth token unless falling back from OnPrem
+                if (string.IsNullOrEmpty(actionDownloadInfo.Authentication?.Token) && !UrlUtil.IsGHECDRFallbackToDotcom(gitHubUrl, actionDownloadInfo))
                 {
                     actionDownloadInfo.Authentication = new WebApi.ActionDownloadAuthentication { Token = defaultAccessToken };
                 }