feat(docker): Allow authenticated calls to GitHub API during docker build

[wI2L]

Accept build arg GITHUB_TOKEN to authenticate calls made to GitHub API in common::install_from_gh_release function.

Closes #946

Put an x into the box if that apply:

• This PR introduces breaking change.
• This PR fixes a bug.
• This PR adds new functionality.
• This PR enhances existing functionality.

Description of your changes

Accept build arg GITHUB_TOKEN to authenticate calls made to GitHub API in common::install_from_gh_release function.

How can we test changes

Generate a GitHub PAT and export it in your env.
Run docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN --build-arg INSTALL_ALL=true . to build the pre-commit, using the PAT during build time to authenticate calls.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Summary by CodeRabbit

• Chores

  • Build process now supports optional GitHub token authentication via build arguments, helping reduce rate limiting issues when resolving package releases during installation.

• Documentation

  • Added build instructions with examples showing how to provide GitHub authentication credentials using docker build arguments for improved API access.

Walkthrough

Added optional build-time GitHub token support: Dockerfile declares ARG GITHUB_TOKEN, install script tools/install/_common.sh uses it to add an Authorization header to curl requests when present, and README.md documents how to pass the token during docker build. (37 words)

Changes

Cohort / File(s)	Summary
Dockerfile (build args) Dockerfile	Added ARG GITHUB_TOKEN=${GITHUB_TOKEN:-""} to accept a GitHub token at build time; no ENV export added.
Install scripts tools/install/_common.sh	Replaced direct curl calls with a unified CURL_CMD/CURL_OPTS that conditionally includes Authorization: Bearer <token> when GITHUB_TOKEN is set; preserves -L and existing parsing behavior.
Documentation README.md	Documented that build install scripts call GitHub to resolve release URLs and added an example docker build --build-arg GITHUB_TOKEN=... to provide a token for authenticated requests.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant DockerBuild as Docker Build
    participant InstallScript as tools/install/_common.sh
    participant GitHubAPI as GitHub API

    User->>DockerBuild: docker build --build-arg GITHUB_TOKEN=ghp_***
    DockerBuild->>InstallScript: ARG GITHUB_TOKEN available at build-time
    InstallScript->>InstallScript: detect if GITHUB_TOKEN set
    alt token present
        InstallScript->>GitHubAPI: curl -H "Authorization: Bearer <token>" -L ...
    else no token
        InstallScript->>GitHubAPI: curl -L ...
    end
    GitHubAPI-->>InstallScript: release JSON / redirect URL
    InstallScript-->>DockerBuild: resolved release URL
    DockerBuild-->>User: image built

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Review items:
  • Ensure ARG GITHUB_TOKEN default/quoting is correct and intentionally not exported as ENV.
  • Verify CURL_OPTS/CURL_CMD preserves -L and existing parsing (redirects and piping).
  • Check that tokens are not printed or logged (no accidental exposure in shell traces).
  • Validate README example for correctness.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description clearly explains that the PR adds support for a GITHUB_TOKEN build argument to authenticate GitHub API calls in the common::install_from_gh_release function, directly relating to the changeset.
Linked Issues check	✅ Passed	The PR successfully implements the objectives from issue #946: it adds GITHUB_TOKEN support to Dockerfile, documents the feature in README, and implements token-based Authorization header in the bash function to authenticate GitHub API calls.
Out of Scope Changes check	✅ Passed	All changes are scoped to the stated objectives: Dockerfile build argument addition, README documentation, and bash function enhancement for authenticated API calls.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Title check	✅ Passed	The title clearly summarizes the main change: enabling authenticated GitHub API calls during Docker builds via GITHUB_TOKEN support.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR adds support for authenticated GitHub API calls during Docker image builds by accepting a GITHUB_TOKEN build argument. This addresses API rate limiting issues when installing tools from GitHub releases.

Key Changes:

• Modified the common::install_from_gh_release function to conditionally include GitHub token authentication in curl requests
• Added GITHUB_TOKEN as a build argument and environment variable in the Dockerfile
• Updated documentation with instructions for using the GitHub token during builds

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
tools/install/_common.sh	Modified curl commands to conditionally include Authorization header when GITHUB_TOKEN is set
Dockerfile	Added GITHUB_TOKEN as a build argument and environment variable
README.md	Added documentation note explaining how to use GITHUB_TOKEN for authenticated API calls

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The GITHUB_TOKEN is not quoted in the Authorization header value. If the token contains spaces or special characters, this could lead to unexpected behavior or header injection. Wrap the variable in quotes: \"Authorization: Bearer ${GITHUB_TOKEN}\"

Suggested change

	[[ "$GITHUB_TOKEN" ]] && CURL_OPTS+=('-H' "Authorization: Bearer $GITHUB_TOKEN")
	[[ "$GITHUB_TOKEN" ]] && CURL_OPTS+=('-H' "Authorization: Bearer \"$GITHUB_TOKEN\"")

[wI2L]

I don't understand the CI logs, nor do I see how that's related to my changes.

[yermulnik]

LGTM
@wI2L Have you tested it works as expected with both set and unset GITHUB_TOKEN env var (and respectively with both --build-arg GITHUB_TOKEN present and absent)? Thanks

[wI2L]

@yermulnik Yes I did, with a set -eux directive in the modified function (that I later removed). I'll provide the build logs of the different scenarios tomorrow, along with the requested syntax/doc changes 👍

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

Dockerfile (1)

68-69: Correct token propagation to build environment.

The ARG and ENV declarations properly propagate the GitHub token into the builder stage environment where the install scripts will access it. The empty default ensures backward compatibility.

Operational note: For enhanced security in CI/CD pipelines, consider using Docker BuildKit secrets (--secret GITHUB_TOKEN) instead of build arguments, which prevents the token from being visible in layer metadata. This approach keeps the token out of image history while still making it available during builds.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7058185 and 76b30ac.

📒 Files selected for processing (3)

• Dockerfile (1 hunks)
• README.md (1 hunks)
• tools/install/_common.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• README.md

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-08-12T19:43:31.295Z

Learnt from: actuarysailor
Repo: antonbabenko/pre-commit-terraform PR: 925
File: Dockerfile.tools:92-108
Timestamp: 2025-08-12T19:43:31.295Z
Learning: In Dockerfile.tools, the version checking script at the end of the builder stage is intentionally designed to download the latest versions of tools when not specified in build args and echo the installed versions for verification/debugging purposes during the build process. This behavior is by design to track what actual tool versions end up in the container.

Applied to files:

• tools/install/_common.sh
• Dockerfile

🔇 Additional comments (2)

tools/install/_common.sh (2)

65-69: Proper token-aware curl construction.

The CURL_OPTS array pattern correctly builds curl options conditionally based on GITHUB_TOKEN presence, and the Authorization header format is correct for GitHub API authentication. The quoting approach aligns with previous feedback.

---

72-72: Correct nested curl invocations with token support.

The nested curl pattern is correct: inner call retrieves the release asset URL (with auth header if token present), outer call downloads the asset. The array expansion "${CURL_CMD[@]}" properly passes all curl options including the Authorization header to both calls.

Also applies to: 74-74

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove debug flag: set -eux should be deleted.

The set -eux flag enables verbose command output (-x) which will clutter build logs during tool installations. The PR description states you previously added this for debugging and then removed it, but it's still present in the code. Remove this line to keep build output clean.

-  set -eux
-
   # Download tool

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

set -eux

🤖 Prompt for AI Agents

In tools/install/_common.sh around line 61, remove the debug flag invocation
"set -eux" (or replace it with a minimal safe set like "set -e" if you want to
keep exit-on-error), so that the script no longer enables verbose command
tracing (-x) which clutters build logs; update the file to delete that line and
run a quick lint/run of the installer to confirm no unintended side effects.

[wI2L]

Will amend to remove that.

[coderabbitai]

@wI2L, thank you for confirming! Looking forward to seeing the updated code. 👍

[wI2L]

@yermulnik

Here are the build logs, for 3 different scenarios. I have added a temporary set -eux before the newly added lines in order to show the executed commands in the install scripts:

• Without auth/build arg:
  build-no-auth.log

• Witout auth/with build arg and empty env var:
  build-no-auth-empty-env-var.log

• With auth/env var set with token:
  build-with-auth.log

[yermulnik]

Here are the build logs, for 3 different scenarios.

Looks great. Thank you. Hopefully @MaxymVlasov will have a chance to review shortly.

[yermulnik]

LGTM. Differing approval to @MaxymVlasov

[MaxymVlasov]

Regarding failed checks, they are not related to your PR.
Checking with @webknjaz how to fix it, as previously it worked fine.
Sadly, but we will not be able to merge it w/o bypassing branch-protection requirements, so we'll try to figure it out quickly

[wI2L]

No worries, I'm not in a hurry 👍

[wI2L]

Thank you @MaxymVlasov for the followup

[antonbabenko]

This PR is included in version 1.104.0 🎉