Add GitHub token support for private repo installs

Author: aminland

scripts/postinstall.js

@@ -40,13 +40,52 @@ function getVersion() {
 	return pkg.version;
 }
 
-function httpsGet(url) {
+function getGitHubToken() {
+	// Check environment variables first
+	if (process.env.GITHUB_TOKEN) return process.env.GITHUB_TOKEN;
+	if (process.env.GH_TOKEN) return process.env.GH_TOKEN;
+
+	// Try gh CLI (GitHub's official CLI)
+	try {
+		const token = execSync("gh auth token", {
+			encoding: "utf8",
+			stdio: ["pipe", "pipe", "pipe"],
+		}).trim();
+		if (token && token.startsWith("gh")) {
+			return token;
+		}
+	} catch {
+		// gh CLI not installed or not logged in
+	}
+
+	return null;
+}
+
+function httpsGet(url, token = null, isBinaryDownload = false) {
 	return new Promise((resolve, reject) => {
+		const headers = { "User-Agent": "relay-dedup-installer" };
+
+		// Add auth header for private repos
+		if (token) {
+			headers["Authorization"] = `token ${token}`;
+		}
+
+		// For downloading binary assets from API URL
+		if (isBinaryDownload) {
+			headers["Accept"] = "application/octet-stream";
+		}
+
 		https
-			.get(url, { headers: { "User-Agent": "relay-dedup-installer" } }, (res) => {
-				// Follow redirects
+			.get(url, { headers }, (res) => {
+				// Follow redirects (don't pass token to external domains like S3)
 				if (res.statusCode === 301 || res.statusCode === 302) {
-					return httpsGet(res.headers.location).then(resolve).catch(reject);
+					const redirectUrl = res.headers.location;
+					const sameOrigin =
+						redirectUrl.includes("github.com") ||
+						redirectUrl.includes("api.github.com");
+					return httpsGet(redirectUrl, sameOrigin ? token : null, isBinaryDownload)
+						.then(resolve)
+						.catch(reject);
 				}
 				if (res.statusCode !== 200) {
 					reject(new Error(`HTTP ${res.statusCode}: ${url}`));
@@ -61,17 +100,44 @@ function httpsGet(url) {
 	});
 }
 
+async function getAssetUrl(version, assetName, token) {
+	// For private repos, we need to use the API to get the asset download URL
+	const apiUrl = `https://api.github.com/repos/${REPO}/releases/tags/v${version}`;
+
+	const response = await httpsGet(apiUrl, token);
+	const release = JSON.parse(response.toString());
+
+	if (!release.assets) {
+		throw new Error(`No assets found in release v${version}`);
+	}
+
+	const asset = release.assets.find((a) => a.name === assetName);
+	if (!asset) {
+		const available = release.assets.map((a) => a.name).join(", ");
+		throw new Error(`Asset ${assetName} not found. Available: ${available}`);
+	}
+
+	// Return the API URL for downloading (works for private repos)
+	return asset.url;
+}
+
 async function downloadBinary() {
 	const target = getTarget();
 	const version = getVersion();
+	const token = getGitHubToken();
 	const assetName = `${BINARY_NAME}-${target}.tar.gz`;
-	const url = `https://github.com/${REPO}/releases/download/v${version}/${assetName}`;
 
 	console.log(`Downloading ${BINARY_NAME} v${version} for ${getPlatformKey()}...`);
-	console.log(`  ${url}`);
+	if (token) {
+		console.log(`  (using GitHub token for authentication)`);
+	}
 
 	try {
-		const tarGz = await httpsGet(url);
+		// Get the asset download URL from the API
+		const assetUrl = await getAssetUrl(version, assetName, token);
+		console.log(`  ${assetUrl}`);
+
+		const tarGz = await httpsGet(assetUrl, token, true);
 
 		// Extract tar.gz
 		const tar = zlib.gunzipSync(tarGz);
@@ -93,6 +159,11 @@ async function downloadBinary() {
 		if (error.message.includes("404")) {
 			console.error(`\nError: No prebuilt binary found for ${getPlatformKey()}`);
 			console.error(`Release v${version} may not exist or may not have binaries yet.`);
+			if (!token) {
+				console.error(`\nThis is a private repo - you need to set GITHUB_TOKEN:`);
+				console.error(`  export GITHUB_TOKEN=ghp_your_token_here`);
+				console.error(`  pnpm install`);
+			}
 			console.error(`\nYou can build from source with: cargo build --release`);
 		} else {
 			console.error(`\nError downloading binary: ${error.message}`);