Fix private repo downloads using GitHub API

Author: aminland

scripts/postinstall.js

@@ -61,7 +61,7 @@ function getGitHubToken() {
 	return null;
 }
 
-function httpsGet(url, token = null) {
+function httpsGet(url, token = null, isBinaryDownload = false) {
 	return new Promise((resolve, reject) => {
 		const headers = { "User-Agent": "relay-dedup-installer" };
 
@@ -70,19 +70,20 @@ function httpsGet(url, token = null) {
 			headers["Authorization"] = `token ${token}`;
 		}
 
-		// For GitHub release assets, we need to accept the binary
-		if (url.includes("github.com") && url.includes("/releases/download/")) {
+		// For downloading binary assets from API URL
+		if (isBinaryDownload) {
 			headers["Accept"] = "application/octet-stream";
 		}
 
 		https
 			.get(url, { headers }, (res) => {
-				// Follow redirects (pass token only for same-origin redirects)
+				// Follow redirects (don't pass token to external domains like S3)
 				if (res.statusCode === 301 || res.statusCode === 302) {
 					const redirectUrl = res.headers.location;
-					// Don't pass token to external domains (like S3)
-					const sameOrigin = redirectUrl.includes("github.com");
-					return httpsGet(redirectUrl, sameOrigin ? token : null)
+					const sameOrigin =
+						redirectUrl.includes("github.com") ||
+						redirectUrl.includes("api.github.com");
+					return httpsGet(redirectUrl, sameOrigin ? token : null, isBinaryDownload)
 						.then(resolve)
 						.catch(reject);
 				}
@@ -99,21 +100,44 @@ function httpsGet(url, token = null) {
 	});
 }
 
+async function getAssetUrl(version, assetName, token) {
+	// For private repos, we need to use the API to get the asset download URL
+	const apiUrl = `https://api.github.com/repos/${REPO}/releases/tags/v${version}`;
+
+	const response = await httpsGet(apiUrl, token);
+	const release = JSON.parse(response.toString());
+
+	if (!release.assets) {
+		throw new Error(`No assets found in release v${version}`);
+	}
+
+	const asset = release.assets.find((a) => a.name === assetName);
+	if (!asset) {
+		const available = release.assets.map((a) => a.name).join(", ");
+		throw new Error(`Asset ${assetName} not found. Available: ${available}`);
+	}
+
+	// Return the API URL for downloading (works for private repos)
+	return asset.url;
+}
+
 async function downloadBinary() {
 	const target = getTarget();
 	const version = getVersion();
 	const token = getGitHubToken();
 	const assetName = `${BINARY_NAME}-${target}.tar.gz`;
-	const url = `https://github.com/${REPO}/releases/download/v${version}/${assetName}`;
 
 	console.log(`Downloading ${BINARY_NAME} v${version} for ${getPlatformKey()}...`);
-	console.log(`  ${url}`);
 	if (token) {
 		console.log(`  (using GitHub token for authentication)`);
 	}
 
 	try {
-		const tarGz = await httpsGet(url, token);
+		// Get the asset download URL from the API
+		const assetUrl = await getAssetUrl(version, assetName, token);
+		console.log(`  ${assetUrl}`);
+
+		const tarGz = await httpsGet(assetUrl, token, true);
 
 		// Extract tar.gz
 		const tar = zlib.gunzipSync(tarGz);