Limit GitHub tokens to github.com download URLs

__tests__/download/download-version.test.ts

@@ -223,7 +223,7 @@ describe("download-version", () => {
       );
     });
 
-    it("does not rewrite non-GitHub URLs", async () => {
+    it("does not send the token to non-GitHub URLs from the default manifest", async () => {
       mockGetArtifact.mockResolvedValue({
         archiveFormat: "tar.gz",
         checksum: "abc123",
@@ -241,8 +241,30 @@ describe("download-version", () => {
       expect(mockDownloadTool).toHaveBeenCalledWith(
         "https://example.com/uv.tar.gz",
         undefined,
+        undefined,
+      );
+    });
+
+    it("does not send the token to GitHub lookalike hosts", async () => {
+      mockGetArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "abc123",
+        downloadUrl: "https://github.com.evil.test/uv.tar.gz",
+      });
+
+      await downloadVersion(
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        undefined,
         "token",
       );
+
+      expect(mockDownloadTool).toHaveBeenCalledWith(
+        "https://github.com.evil.test/uv.tar.gz",
+        undefined,
+        undefined,
+      );
     });
 
     it("falls back to GitHub Releases when the mirror fails", async () => {

dist/setup/index.cjs

@@ -96989,7 +96989,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
   const resolvedChecksum = manifestUrl === void 0 ? checksum : resolveChecksum(checksum, artifact.checksum);
   const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
   const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
-  const downloadToken = mirrorUrl !== void 0 ? void 0 : githubToken;
+  const downloadToken = githubTokenForUrl(downloadUrl, githubToken);
   try {
     return await downloadArtifact(
       downloadUrl,
@@ -97014,7 +97014,7 @@ async function downloadVersion(platform2, arch3, version3, checksum, githubToken
       arch3,
       version3,
       resolvedChecksum,
-      githubToken
+      githubTokenForUrl(artifact.downloadUrl, githubToken)
     );
   }
 }
@@ -97024,6 +97024,13 @@ function rewriteToMirror(url2) {
   }
   return ASTRAL_MIRROR_PREFIX + url2.slice(GITHUB_RELEASES_PREFIX.length);
 }
+function githubTokenForUrl(downloadUrl, githubToken) {
+  try {
+    return new URL(downloadUrl).origin === "https://github.com" ? githubToken : void 0;
+  } catch {
+    return void 0;
+  }
+}
 async function downloadArtifact(downloadUrl, artifactName, platform2, arch3, version3, checksum, githubToken) {
   info(`Downloading uv from "${downloadUrl}" ...`);
   const downloadPath = await downloadTool(

src/download/download-version.ts

@@ -54,8 +54,7 @@ export async function downloadVersion(
 
   const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
   const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
-  // Don't send the GitHub token to the Astral mirror.
-  const downloadToken = mirrorUrl !== undefined ? undefined : githubToken;
+  const downloadToken = githubTokenForUrl(downloadUrl, githubToken);
 
   try {
     return await downloadArtifact(
@@ -83,7 +82,7 @@ export async function downloadVersion(
       arch,
       version,
       resolvedChecksum,
-      githubToken,
+      githubTokenForUrl(artifact.downloadUrl, githubToken),
     );
   }
 }
@@ -100,6 +99,19 @@ export function rewriteToMirror(url: string): string | undefined {
   return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length);
 }
 
+function githubTokenForUrl(
+  downloadUrl: string,
+  githubToken: string,
+): string | undefined {
+  try {
+    return new URL(downloadUrl).origin === "https://github.com"
+      ? githubToken
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 async function downloadArtifact(
   downloadUrl: string,
   artifactName: string,