fetch-gh-release-asset: Doesn't seem to work for private org

Ok, I found out what was going on. It turns out the default secrets.GITHUB_TOKEN doesn’t have enough permissions, the owner(me) has to make a personal access token with at least the scope org:hook to be able to list release assets. And then reference it as a GitHub secret and then access it

I was testing this out today and, from what I can tell, the default GITHUB_TOKEN secret is able to list the releases and download assets.

Here’s my workflow:

name: Test default GitHub token scope
on:
  push:
    branches:
      - tmp/test-gh-token-scope

jobs:
  test:
    runs-on: ubuntu-20.04
    steps:
      - name: test
        run: |
          curl \
          --url https://api.github.com/repos/${{ github.repository }}/releases/tags/v1.0.0 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header 'content-type: application/json'

      # This asset ID was hard-coded just as a proof of concept
      - name: test download
        run: |
          curl \
          -J \
          -L \
          --url https://api.github.com/repos/${{ github.repository }}/releases/assets/31496287 \
          --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
          --header "Accept: application/octet-stream" \
          -o ./test.zip

      - name: list
        run: ls -alh ./test.zip

And the workflow run:

I’m wondering if maybe the issue is how you’re passing the token here? https://github.com/dsaltares/fetch-gh-release-asset/blob/7efc464cc8b520a51e69391e37626fa2fe07f776/fetch_github_asset.sh#L30

Maybe instead you need to use the authorization: Bearer style I’m using above. I found that example in the GH Actions docs: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#example-calling-the-rest-api

Reporting some progress: I’m getting a 404 on the first curl request, I suspect that’s because my org is renamed so I’m investigating this.