feat(swift): add GITHUB_TOKEN support for authenticated API requests

Add get_cached_with_headers to HttpCache for passing extra headers
(Authorization) to specific registries. SwiftRegistry reads GITHUB_TOKEN
from environment, increasing rate limit from 60 to 5000 requests/hour.

Author: bug-ops

Cargo.lock

@@ -172,6 +172,36 @@ impl HttpCache {
         self.fetch_and_store(url).await
     }
 
+    /// Fetches a URL with additional request headers, using the cache.
+    ///
+    /// Works the same as `get_cached` but injects extra headers (e.g., Authorization)
+    /// into every request. Useful for APIs that require authentication tokens.
+    pub async fn get_cached_with_headers(
+        &self,
+        url: &str,
+        extra_headers: &[(header::HeaderName, &str)],
+    ) -> Result<Bytes> {
+        if self.entries.len() >= MAX_CACHE_ENTRIES {
+            self.evict_entries();
+        }
+
+        if let Some(cached) = self.entries.get(url).map(|r| r.clone()) {
+            match self
+                .conditional_request_with_headers(url, &cached, extra_headers)
+                .await
+            {
+                Ok(Some(new_body)) => return Ok(new_body),
+                Ok(None) => return Ok(cached.body),
+                Err(e) => {
+                    tracing::warn!("conditional request failed, using cache: {e}");
+                    return Ok(cached.body);
+                }
+            }
+        }
+
+        self.fetch_and_store_with_headers(url, extra_headers).await
+    }
+
     /// Performs conditional HTTP request using cached validation headers.
     ///
     /// Sends `If-None-Match` (ETag) and/or `If-Modified-Since` headers
@@ -304,6 +334,124 @@ impl HttpCache {
         Ok(body)
     }
 
+    async fn conditional_request_with_headers(
+        &self,
+        url: &str,
+        cached: &CachedResponse,
+        extra_headers: &[(header::HeaderName, &str)],
+    ) -> Result<Option<Bytes>> {
+        ensure_https(url)?;
+        let mut request = self.client.get(url);
+
+        for (name, value) in extra_headers {
+            request = request.header(name, *value);
+        }
+        if let Some(etag) = &cached.etag {
+            request = request.header(header::IF_NONE_MATCH, etag);
+        }
+        if let Some(last_modified) = &cached.last_modified {
+            request = request.header(header::IF_MODIFIED_SINCE, last_modified);
+        }
+
+        let response = request.send().await.map_err(|e| DepsError::RegistryError {
+            package: url.to_string(),
+            source: e,
+        })?;
+
+        if response.status() == StatusCode::NOT_MODIFIED {
+            return Ok(None);
+        }
+
+        if !response.status().is_success() {
+            let status = response.status();
+            return Err(DepsError::CacheError(format!("HTTP {status} for {url}")));
+        }
+
+        let etag = response
+            .headers()
+            .get(header::ETAG)
+            .and_then(|v| v.to_str().ok())
+            .map(String::from);
+        let last_modified = response
+            .headers()
+            .get(header::LAST_MODIFIED)
+            .and_then(|v| v.to_str().ok())
+            .map(String::from);
+        let body = response
+            .bytes()
+            .await
+            .map_err(|e| DepsError::RegistryError {
+                package: url.to_string(),
+                source: e,
+            })?;
+
+        self.entries.insert(
+            url.to_string(),
+            CachedResponse {
+                body: body.clone(),
+                etag,
+                last_modified,
+                fetched_at: Instant::now(),
+            },
+        );
+
+        Ok(Some(body))
+    }
+
+    async fn fetch_and_store_with_headers(
+        &self,
+        url: &str,
+        extra_headers: &[(header::HeaderName, &str)],
+    ) -> Result<Bytes> {
+        ensure_https(url)?;
+        tracing::debug!("fetching fresh with headers: {url}");
+
+        let mut request = self.client.get(url);
+        for (name, value) in extra_headers {
+            request = request.header(name, *value);
+        }
+
+        let response = request.send().await.map_err(|e| DepsError::RegistryError {
+            package: url.to_string(),
+            source: e,
+        })?;
+
+        if !response.status().is_success() {
+            let status = response.status();
+            return Err(DepsError::CacheError(format!("HTTP {status} for {url}")));
+        }
+
+        let etag = response
+            .headers()
+            .get(header::ETAG)
+            .and_then(|v| v.to_str().ok())
+            .map(String::from);
+        let last_modified = response
+            .headers()
+            .get(header::LAST_MODIFIED)
+            .and_then(|v| v.to_str().ok())
+            .map(String::from);
+        let body = response
+            .bytes()
+            .await
+            .map_err(|e| DepsError::RegistryError {
+                package: url.to_string(),
+                source: e,
+            })?;
+
+        self.entries.insert(
+            url.to_string(),
+            CachedResponse {
+                body: body.clone(),
+                etag,
+                last_modified,
+                fetched_at: Instant::now(),
+            },
+        );
+
+        Ok(body)
+    }
+
     /// Clears all cached entries.
     ///
     /// This removes all cached responses, forcing the next request for

crates/deps-core/src/cache.rs

@@ -13,6 +13,7 @@ workspace = true
 
 [dependencies]
 deps-core = { workspace = true }
+reqwest = { workspace = true }
 regex = { workspace = true }
 semver = { workspace = true }
 serde = { workspace = true, features = ["derive"] }

crates/deps-swift/Cargo.toml

@@ -42,12 +42,37 @@ impl std::error::Error for InvalidOwnerRepo {}
 #[derive(Clone)]
 pub struct SwiftRegistry {
     cache: Arc<HttpCache>,
+    auth_headers: Vec<(reqwest::header::HeaderName, String)>,
 }
 
 impl SwiftRegistry {
     /// Creates a new Swift registry client with the given HTTP cache.
-    pub const fn new(cache: Arc<HttpCache>) -> Self {
-        Self { cache }
+    ///
+    /// Reads `GITHUB_TOKEN` from environment for authenticated requests
+    /// (5000 req/h vs 60 req/h unauthenticated).
+    pub fn new(cache: Arc<HttpCache>) -> Self {
+        let auth_headers = std::env::var("GITHUB_TOKEN")
+            .ok()
+            .map(|token| {
+                tracing::info!("GITHUB_TOKEN detected, using authenticated GitHub API requests");
+                vec![(
+                    reqwest::header::AUTHORIZATION,
+                    format!("Bearer {token}"),
+                )]
+            })
+            .unwrap_or_default();
+
+        Self {
+            cache,
+            auth_headers,
+        }
+    }
+
+    fn headers(&self) -> Vec<(reqwest::header::HeaderName, &str)> {
+        self.auth_headers
+            .iter()
+            .map(|(k, v): &(reqwest::header::HeaderName, String)| (k.clone(), v.as_str()))
+            .collect()
     }
 
     /// Fetches all semver-tagged versions for a package.
@@ -56,7 +81,10 @@ impl SwiftRegistry {
     pub async fn get_versions(&self, name: &str) -> Result<Vec<SwiftVersion>> {
         validate_owner_repo(name)?;
         let url = format!("{GITHUB_API}/repos/{name}/tags?per_page=100");
-        let data = self.cache.get_cached(&url).await?;
+        let data = self
+            .cache
+            .get_cached_with_headers(&url, &self.headers())
+            .await?;
         parse_tags_response(&data)
     }
 
@@ -90,7 +118,10 @@ impl SwiftRegistry {
             "{GITHUB_API}/search/repositories?q={}+language:swift&per_page={limit}",
             urlencoding::encode(query)
         );
-        let data = self.cache.get_cached(&url).await?;
+        let data = self
+            .cache
+            .get_cached_with_headers(&url, &self.headers())
+            .await?;
         parse_search_response(&data)
     }
 }