antonbabenko · MaxymVlasov · Nov 20, 2025 · Nov 16, 2025 · Nov 20, 2025 · MaxymVlasov
@@ -30,19 +30,19 @@
 #
 # Install tools
 #
 ARG OPENTOFU_VERSION=${OPENTOFU_VERSION:-false}
 ARG TERRAFORM_VERSION=${TERRAFORM_VERSION:-false}

 ARG CHECKOV_VERSION=${CHECKOV_VERSION:-false}
 ARG HCLEDIT_VERSION=${HCLEDIT_VERSION:-false}
 ARG INFRACOST_VERSION=${INFRACOST_VERSION:-false}
 ARG TERRAFORM_DOCS_VERSION=${TERRAFORM_DOCS_VERSION:-false}
 ARG TERRAGRUNT_VERSION=${TERRAGRUNT_VERSION:-false}
 ARG TERRASCAN_VERSION=${TERRASCAN_VERSION:-false}
 ARG TFLINT_VERSION=${TFLINT_VERSION:-false}
 ARG TFSEC_VERSION=${TFSEC_VERSION:-false}
 ARG TFUPDATE_VERSION=${TFUPDATE_VERSION:-false}
 ARG TRIVY_VERSION=${TRIVY_VERSION:-false}


 # Tricky thing to install all tools by set only one arg.
@@ -65,6 +65,8 @@
         echo "TRIVY_VERSION=latest"          >> /.env \
     ; fi
 
+ARG GITHUB_TOKEN=${GITHUB_TOKEN:-""}
+
 # Docker `RUN`s shouldn't be consolidated here
 # hadolint global ignore=DL3059
 RUN /install/opentofu.sh
@@ -148,9 +150,9 @@

 COPY tools/entrypoint.sh /entrypoint.sh

 ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}

 ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}
 ENV INFRACOST_SKIP_UPDATE_CHECK=${INFRACOST_SKIP_UPDATE_CHECK:-false}

 ENTRYPOINT [ "/entrypoint.sh" ]
@@ -136,6 +136,12 @@ docker build -t pre-commit-terraform \
 
 Set `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.
 
+> **NOTE**
+> The build install scripts are calling the GitHub API to resolve the release URL. If you need to authenticate those calls, you can pass a GitHub token (the `GITHUB_TOKEN` environment variable is expected to be set with an [access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)):
+> ```bash
+> docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN .
+> ```
+
 </details>
 
 

@@ -60,11 +60,16 @@ function common::install_from_gh_release {
 
   # Download tool
   local -r RELEASES="https://api.github.com/repos/${GH_ORG}/${TOOL}/releases"
+  local CURL_OPTS=()
+
+  [[ $GITHUB_TOKEN ]] && CURL_OPTS+=('-H' "Authorization: Bearer $GITHUB_TOKEN")
+
+  local -r CURL_CMD=("curl" "${CURL_OPTS[@]}")
 
   if [[ $VERSION == latest ]]; then
-    curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
   else
-    curl -L "$(curl -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
   fi
 
   # Make tool ready to use