🏥 CI FailureTest Setup Action: "latest" version lookup fails with 403 on private repo

[github-actions]

Summary

The Test Setup Action workflow (run #22732917329) failed on commit 8c6047f. Only the Test Action (Latest Version) job failed; the three other jobs (Specific Version, With Image Pull, Invalid Version) all passed.

Root Cause

action.yml fetches the latest release tag using an unauthenticated curl request:

VERSION=$(curl -fsSL "https://api.github.com/repos/github/gh-aw-firewall/releases/latest" | jq -r '.tag_name')
```

Since `github/gh-aw-firewall` is a **private repository**, unauthenticated GitHub API calls return **HTTP 403 Forbidden**:

```
Fetching latest release version...
curl: (22) The requested URL returned error: 403
##[error]Process completed with exit code 22.

Jobs that specify a concrete version (e.g., v0.7.0) skip this API call entirely and succeed. Only the latest path is broken.

Affected File

• action.yml lines 63–64 (and the fallback at line 66) — both curl calls lack an Authorization header

Recommended Fix

Add a token input to action.yml and pass it to the curl call:

# action.yml inputs
inputs:
  token:
    description: 'GitHub token for API access (required to resolve latest version on private repos)'
    required: false
    default: $\{\{ github.token }}

Then in the install step:

VERSION=$(curl -fsSL -H "Authorization: Bearer $INPUT_TOKEN" \
  "https://api.github.com/repos/\$\{REPO}/releases/latest" | jq -r '.tag_name')

And in test-action.yml test-action-latest job, pass the token explicitly (or rely on the default):

- name: Setup awf using action
  uses: ./
  with:
    token: $\{\{ github.token }}

References

• Failed run: https://github.com/github/gh-aw-firewall/actions/runs/22732917329
• Failed job: Test Action (Latest Version) (job 65926521778)
• Commit: 8c6047f17811b76723ea1a548485ebe9f9ba4055 (unrelated to this failure — failure is pre-existing)

Generated by CI Doctor

[github-actions]

🔁 Recurrence Detected

This failure has occurred again in a new CI run.

Run: 22968453890
Commit: cd53588bdae4224a53697cb9d87331ed43eebe2c
Time: 2026-03-11T18:34:23Z

Failure Details

The "Test Action (Latest Version)" job failed at the "Setup awf using action" step:

Fetching latest release version...
curl: (22) The requested URL returned error: 403
##[error]Process completed with exit code 22.

The action attempts to fetch the latest release from the GitHub API (unauthenticated) and receives a 403 Forbidden response. This is a recurring issue on this private repository where unauthenticated API requests are rate-limited or blocked.

Root Cause

The action.yml install script fetches the latest release version via curl without a GITHUB_TOKEN auth header. Private repositories require authentication for the GitHub Releases API.

Recommended Fix

Pass GITHUB_TOKEN in the curl request to authenticate the API call when resolving latest:

curl -fsSL -H "Authorization: Bearer $GITHUB_TOKEN" "$RELEASES_URL" ...

Note: The "Test Action (Specific Version)" and "Test Action (With Image Pull)" jobs both succeeded — only the latest version resolution is broken.

Generated by CI Doctor

[Mossaka]

Closing: automated CI issue spam cleanup. See root cause analysis below.