From 4619ea1ed1d0934ed8ddd601e19a82791a3b7d07 Mon Sep 17 00:00:00 2001
From: William Poussier
Date: Sun, 16 Nov 2025 19:28:51 +0100
Subject: [PATCH] feat(docker): Allow authenticated calls to GitHub API
Accept build arg `GITHUB_TOKEN` to authenticate calls made to GitHub API in `common::install_from_gh_release` function.
Closes #946
---
 Dockerfile | 2 ++
 README.md | 6 ++++++
 tools/install/_common.sh | 9 +++++++--
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ba98ef6b6..c7c53cd13 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,6 +65,8 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
 echo "TRIVY_VERSION=latest" >> /.env \
 ; fi
+ARG GITHUB_TOKEN=${GITHUB_TOKEN:-""}
+
 # Docker `RUN`s shouldn't be consolidated here
 # hadolint global ignore=DL3059
 RUN /install/opentofu.sh
diff --git a/README.md b/README.md
index 4fc4f41d2..2ca672780 100644
--- a/README.md
+++ b/README.md
@@ -136,6 +136,12 @@ docker build -t pre-commit-terraform \
 Set `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.
+> **NOTE**
+> The build install scripts are calling the GitHub API to resolve the release URL. If you need to authenticate those calls, you can pass a GitHub token (the `GITHUB_TOKEN` environment variable is expected to be set with an [access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)):
+> ```bash
+> docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN .
+> ```
+
diff --git a/tools/install/_common.sh b/tools/install/_common.sh
index 70297f297..eaaafa0cd 100755
--- a/tools/install/_common.sh
+++ b/tools/install/_common.sh
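Review bot: The new `ARG GITHUB_TOKEN` passes a credential as a build argument, and a build-arg value consumed by a `RUN` is recorded in that stage's image history (`docker history`) and build cache, so anyone who can pull the stage or its cache can read the token. Declared here, it is also in scope for `RUN /install/opentofu.sh` and every later `RUN` in the stage, not only for the GitHub API call. A BuildKit secret keeps it out of the layers: `RUN --mount=type=secret,id=GITHUB_TOKEN,env=GITHUB_TOKEN /install/opentofu.sh` (the `env=` option needs a recent Dockerfile frontend), built with `docker build --secret id=GITHUB_TOKEN,env=GITHUB_TOKEN .`. Whether this stage ends up in a published image is not visible in the hunk; if the `ARG` stays, the README note that documents `--build-arg GITHUB_TOKEN` should say to use a short-lived, read-only token.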
@@ -60,11 +60,16 @@ function common::install_from_gh_release {
 # Download tool
 local -r RELEASES="https://api.github.com/repos/${GH_ORG}/${TOOL}/releases"
+ local CURL_OPTS=()
+
+ [[ $GITHUB_TOKEN ]] && CURL_OPTS+=('-H' "Authorization: Bearer $GITHUB_TOKEN")
+
+ local -r CURL_CMD=("curl" "${CURL_OPTS[@]}")
 if [[ $VERSION == latest ]]; then
- curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
+ "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
 else
- curl -L "$(curl -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
+ "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
 fi
 # Make tool ready to use
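Review bot: The bearer token is attached to the outer `-L` asset download as well as to the inner `api.github.com` lookup, because both now run through `"${CURL_CMD[@]}"`, and only the API call needs it. The download URL is whatever the grep extracts from the API response and is then followed through redirects, so the credential should stay off that request: in both branches keep the outer call plain, e.g. `curl -L "$("${CURL_CMD[@]}" -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"`. With a rejected token the API returns an error body, grep matches nothing and the outer curl receives an empty URL, so adding `--fail` to the API call would surface the failure. The token also ends up in curl's argv and in any `set -x` trace of the build. The function body continues outside the hunk.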