Description
The downloadLogs() method in the WorkflowJobs and WorkflowRuns API fails when attempting to download GitHub Actions job logs. Instead of returning the log data, it fails with an Azure Blob Storage authentication error.
Environment
- Library version:
knplabs/github-api 3.16.0
- PHP version: 8.x
- HTTP client: Guzzle 7.10.0 (via PSR-18 discovery)
Expected Behavior
Calling downloadLogs() should return the ZIP archive containing the job logs as documented in the library's API.
Actual Behavior
The method throws an exception or returns an XML error response from Azure Blob Storage:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.</Message>
</Error>
Root Cause
The GitHub API endpoint /repos/{owner}/{repo}/actions/jobs/{job_id}/logs returns a 302 redirect to an Azure Blob Storage URL with a pre-signed SAS token in the query parameters.
The issue occurs because:
- HTTPlug's
RedirectPlugin is used by default in the library (added in Client.php)
- The RedirectPlugin preserves ALL headers by default (
preserve_header: true)
- When following the redirect to Azure Blob Storage, the GitHub
Authorization header is sent to Azure
- Azure Blob Storage doesn't understand GitHub's authentication format and rejects the request
- Unlike Guzzle's native
RedirectMiddleware (which strips Authorization and Cookie headers on cross-origin redirects), HTTPlug's RedirectPlugin has no such protection
Reproduction Steps
- Set up GitHub API client with valid authentication token
- Get a valid job ID from a workflow run
- Call
downloadLogs() on that job ID
- Observe the Azure authentication error
References
Description
The
downloadLogs()method in the WorkflowJobs and WorkflowRuns API fails when attempting to download GitHub Actions job logs. Instead of returning the log data, it fails with an Azure Blob Storage authentication error.Environment
knplabs/github-api3.16.0Expected Behavior
Calling
downloadLogs()should return the ZIP archive containing the job logs as documented in the library's API.Actual Behavior
The method throws an exception or returns an XML error response from Azure Blob Storage:
Root Cause
The GitHub API endpoint
/repos/{owner}/{repo}/actions/jobs/{job_id}/logsreturns a 302 redirect to an Azure Blob Storage URL with a pre-signed SAS token in the query parameters.The issue occurs because:
RedirectPluginis used by default in the library (added inClient.php)preserve_header: true)Authorizationheader is sent to AzureRedirectMiddleware(which stripsAuthorizationandCookieheaders on cross-origin redirects), HTTPlug'sRedirectPluginhas no such protectionReproduction Steps
downloadLogs()on that job IDReferences