fix comment

Author: wxiaoguang

routers/api/v1/api.go

@@ -1409,7 +1409,7 @@ func Routes() *web.Router {
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))
 
 		// Artifacts direct download endpoint authenticates via signed url
-		// TODO: need to clarify whether to use repoAssignment or not
+		// it is protected by the "sig" parameter (to help to access private repo), so no need to use other middlewares
 		m.Get("/repos/{username}/{reponame}/actions/artifacts/{artifact_id}/zip/raw", repo.DownloadArtifactRaw)
 
 		// Notifications (requires notifications scope)

routers/api/v1/repo/action.go

@@ -1103,7 +1103,7 @@ func buildSignature(endp, expires string, artifactID int64) []byte {
 }
 
 func buildDownloadRawEndpoint(repo *repo_model.Repository, artifactID int64) string {
-	return fmt.Sprintf("api/v1/repos/%s/%s//actions/artifacts/%d/zip/raw", url.PathEscape(repo.OwnerName), url.PathEscape(repo.Name), artifactID)
+	return fmt.Sprintf("api/v1/repos/%s/%s/actions/artifacts/%d/zip/raw", url.PathEscape(repo.OwnerName), url.PathEscape(repo.Name), artifactID)
 }
 
 func buildSigURL(ctx go_context.Context, endPoint string, artifactID int64) string {
@@ -1176,7 +1176,7 @@ func DownloadArtifact(ctx *context.APIContext) {
 
 // DownloadArtifactRaw Downloads a specific artifact for a workflow run directly.
 func DownloadArtifactRaw(ctx *context.APIContext) {
-	// TODO: if it needs to skip "repoAssignment" middleware, it could query the repo from path params: ctx.PathParam("username"), ctx.PathParam("reponame")
+	// it doesn't use repoAssignment middleware, so it needs to prepare the repo and check permission (sig) by itself
 	repo, err := repo_model.GetRepositoryByOwnerAndName(ctx, ctx.PathParam("username"), ctx.PathParam("reponame"))
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {