feat(docker): Allow authenticated calls to GitHub API

Accept build arg `GITHUB_TOKEN` to authenticate calls made to
GitHub API in `common::install_from_gh_release` function.

Closes #946

Author: wI2L

Dockerfile

@@ -65,6 +65,9 @@ RUN if [ "$INSTALL_ALL" != "false" ]; then \
         echo "TRIVY_VERSION=latest"          >> /.env \
     ; fi
 
+ARG GITHUB_TOKEN=""
+ENV GITHUB_TOKEN=${GITHUB_TOKEN}
+
 # Docker `RUN`s shouldn't be consolidated here
 # hadolint global ignore=DL3059
 RUN /install/opentofu.sh

README.md

@@ -136,6 +136,10 @@ docker build -t pre-commit-terraform \
 
 Set `-e PRE_COMMIT_COLOR=never` to disable the color output in `pre-commit`.
 
+> [!NOTE]
+> The build install scripts are calling the GitHub API to resolve the release URL. If you need to authenticate those calls, you can pass a GitHub token (the `GITHUB_TOKEN` environment variable is expected to be set with an [access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)):
+> `docker build -t pre-commit-terraform --build-arg GITHUB_TOKEN .`
+
 </details>
 
 

tools/install/_common.sh

@@ -58,13 +58,20 @@ function common::install_from_gh_release {
       ;;
   esac
 
+  set -eux
+
   # Download tool
   local -r RELEASES="https://api.github.com/repos/${GH_ORG}/${TOOL}/releases"
+  local CURL_OPTS=()
+
+  [[ $GITHUB_TOKEN ]] && CURL_OPTS+=('-H' "Authorization: Bearer $GITHUB_TOKEN")
+
+  local -r CURL_CMD=("curl" "${CURL_OPTS[@]}")
 
   if [[ $VERSION == latest ]]; then
-    curl -L "$(curl -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "${RELEASES}/latest" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_LATEST")" > "$PKG"
   else
-    curl -L "$(curl -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
+    "${CURL_CMD[@]}" -L "$("${CURL_CMD[@]}" -s "$RELEASES" | grep -o -E -i -m 1 "$GH_RELEASE_REGEX_SPECIFIC_VERSION")" > "$PKG"
   fi
 
   # Make tool ready to use