verify-action-build: treat Authorization: token/Bearer headers as data-fetch signal#851
Merged
…fetch
manusa/actions-setup-minikube@v2.17.0 has a thin axios wrapper in
src/github.js that fetches GitHub release metadata as JSON:
return axios({method: 'GET', ...options, url, headers});
The file is a transport-layer helper — no data-parse markers, no
binary-handling markers — so `_file_is_pure_data_fetch` didn't
exempt it and the axios call landed in the unverified-download list.
Authorization headers with `token ` or `Bearer ` prefixes are an
unambiguous "authenticated API call" signal: public release-asset
downloads from S3 / CDN / GitHub Releases don't use bearer auth.
Add that as a data-parse marker so transport-layer API helpers stop
producing false positives. Real binary handlers in the same file
still trip `_JS_BINARY_HANDLE_PATTERNS` and override the exemption.
Surfaced while triaging #848.
Generated-by: Claude Opus 4.7 (1M context)
Summary
`manusa/actions-setup-minikube@v2.17.0` has a thin `axios` wrapper in `src/github.js` that fetches GitHub release metadata. The file is a transport-layer helper (no data-parse markers, no binary-handling markers) so `_file_is_pure_data_fetch` didn't exempt it and the `axios()` call landed in the unverified-download list.

`Authorization` header with `token` or `Bearer` is an unambiguous "authenticated API call" signal — public release-asset downloads from S3 / CDN / GitHub Releases don't use bearer auth. Add it to `_JS_DATA_PARSE_PATTERNS` so transport-layer API helpers stop firing. `_JS_BINARY_HANDLE_PATTERNS` and override the exemption — test asserts this.

Surfaced while triaging #848.
Test plan
- `src/github.js` from `manusa/actions-setup-minikube@v2.17.0`.
- `tc.downloadTool` + `tc.extractTar` → both downloads still flagged.
- `uv run pytest utils/tests/` — 273 passed.
- `prek run --all-files` — clean.
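An added illustration, not verify-action-build's own code, of the exemption logic the commit message and the test plan describe: a file whose only download is a `token `/`Bearer `-authenticated API call is exempted, while a file that also extracts an archive stays flagged. The pattern lists and both JS snippets are constructed stand-ins; the project's real `_JS_DATA_PARSE_PATTERNS`, `_JS_BINARY_HANDLE_PATTERNS` and `src/github.js` are longer than shown here.

```python
import re

# Constructed, simplified stand-ins for the project's pattern lists; the
# real _JS_DATA_PARSE_PATTERNS / _JS_BINARY_HANDLE_PATTERNS are longer.
DOWNLOAD_CALLS = re.compile(r"\b(?:axios|fetch|tc\.downloadTool)\s*\(")

DATA_PARSE_PATTERNS = [
    re.compile(r"\bJSON\.parse\s*\("),
    # The marker this PR adds: a `token `/`Bearer ` Authorization header
    # means an authenticated API call, not a public release-asset download.
    re.compile(r"Authorization['\"]?\s*:\s*[`'\"](?:token|Bearer)\s", re.IGNORECASE),
]

BINARY_HANDLE_PATTERNS = [
    re.compile(r"\btc\.extract(?:Tar|Zip|7z)\s*\("),
    re.compile(r"responseType\s*:\s*['\"](?:stream|arraybuffer)['\"]"),
]


def file_is_pure_data_fetch(source: str) -> bool:
    """Exempt a file only if it shows a data-parse marker and no binary handling."""
    if any(p.search(source) for p in BINARY_HANDLE_PATTERNS):
        return False  # real binary handlers override the exemption
    return any(p.search(source) for p in DATA_PARSE_PATTERNS)


def unverified_downloads(source: str) -> list[str]:
    """Download call sites that would be reported (none when the file is exempt)."""
    if file_is_pure_data_fetch(source):
        return []
    return [ln.strip() for ln in source.splitlines() if DOWNLOAD_CALLS.search(ln)]


# Constructed stand-in for the src/github.js helper the PR describes.
GITHUB_JS = """
const headers = {Authorization: `token ${process.env.GITHUB_TOKEN}`};
return axios({method: 'GET', ...options, url, headers});
"""

# Constructed installer that sends the same header but unpacks a binary.
INSTALL_JS = """
const headers = {Authorization: 'Bearer ' + token};
const archive = await tc.downloadTool(url, undefined, headers.Authorization);
const dir = await tc.extractTar(archive);
"""

if __name__ == "__main__":
    print(unverified_downloads(GITHUB_JS))   # exempt: []
    print(unverified_downloads(INSTALL_JS))  # still flagged: the downloadTool line
```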