Merge branch 'main' into mbg/dep-caching/telemetry

src/api-client.ts

@@ -4,6 +4,7 @@ import * as retry from "@octokit/plugin-retry";
 import consoleLogLevel from "console-log-level";
 
 import { getActionVersion, getRequiredInput } from "./actions-util";
+import { Logger } from "./logging";
 import { getRepositoryNwo, RepositoryNwo } from "./repository";
 import {
   ConfigurationError,
@@ -54,7 +55,7 @@ function createApiClientWithDetails(
   );
 }
 
-export function getApiDetails() {
+export function getApiDetails(): GitHubApiDetails {
   return {
     auth: getRequiredInput("token"),
     url: getRequiredEnvParam("GITHUB_SERVER_URL"),
@@ -72,6 +73,36 @@ export function getApiClientWithExternalAuth(
   return createApiClientWithDetails(apiDetails, { allowExternal: true });
 }
 
+/**
+ * Gets a value for the `Authorization` header for a request to `url`; or `undefined` if the
+ * `Authorization` header should not be set for `url`.
+ *
+ * @param logger The logger to use for debugging messages.
+ * @param apiDetails Details of the GitHub API we are using.
+ * @param url The URL for which we want to add an `Authorization` header.
+ *
+ * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
+ */
+export function getAuthorizationHeaderFor(
+  logger: Logger,
+  apiDetails: GitHubApiDetails,
+  url: string,
+): string | undefined {
+  // We only want to provide an authorization header if we are downloading
+  // from the same GitHub instance the Action is running on.
+  // This avoids leaking Enterprise tokens to dotcom.
+  if (
+    url.startsWith(`${apiDetails.url}/`) ||
+    (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
+  ) {
+    logger.debug(`Providing an authorization token.`);
+    return `token ${apiDetails.auth}`;
+  }
+
+  logger.debug(`Not using an authorization token.`);
+  return undefined;
+}
+
 let cachedGitHubVersion: GitHubVersion | undefined = undefined;
 
 export async function getGitHubVersionFromApi(