
Background

I am working on a custom theme for my WordPress site which I would like to manage from a private GitHub repo. (This theme will never be pushed into the WordPress marketplace.) The general idea would be that I use the repo to manage the code and then once I tag a new version, the tag would trigger an update for the WordPress theme.

I have this pattern working using the following as a template:
https://github.com/krafit/wp-gitlab-updater
(Yes, I know the repo is for Gitlab and not GitHub)

Since my repo is private, I will need to generate a user token to allow the theme to be updated. And because the user token is capable of accessing all my private repos, the idea of sharing the user token with another plugin is discomforting from a security standpoint. (Meaning, I’m uncomfortable using a plugin like: https://github.com/afragen/git-updater)

Question

The problem is that GitHub has deprecated the use of access_token as a query string parameter, so all tokens must be sent over as an Authorization header.

How do I add an authorization header to the request WordPress sends to download the artifact?

What I’ve Tried

When I check for new tags I use the code:

  /**
   * Lists the repo's tags through the GitHub REST API.
   * The token travels only in the Authorization header; the deprecated
   * ?access_token= query parameter is dropped so the token never lands
   * in URL or access logs.
   */
  protected function fetch_tags_from_repo( $git_url, $repo, $access_token ) {
    $request_url = "$git_url/repos/$repo/tags";
    $args        = [
      "headers" => [
        "Accept"        => "application/vnd.github.v3+json",
        "Authorization" => "token " . $access_token,
      ],
    ];
    $request = wp_safe_remote_get( $request_url, $args );

    return $request;
  }

This works without any issues. However…

During the pre_set_site_transient_update_themes hook I return an object that looks like:

  $transient->response[ $theme['name'] ]['theme']       = $theme['name'];
  $transient->response[ $theme['name'] ]['new_version'] = $latest_version;
  $transient->response[ $theme['name'] ]['package']     = $theme_package;

The problem is, I have no way of adding an Authorization header to the transient response object. Therefore, when WP later tries to download the artifact, it fails.

Note: The $theme_package string is a URL which looks like:

  $theme_package = "$git_url/repos/$repo/zipball/refs/tags/$latest_version";

Any support appreciated, thank you!
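One way to get the header onto the package download, as an added example that is not part of the original question or either answer: WordPress applies the core `http_request_args` filter to every outbound request, including the one the upgrader makes for the `package` URL, so the token can be attached there and scoped to this repo's zipball URL only. The class name and constructor arguments are assumed; `$git_url`, `$repo` and `$access_token` are the same values the question's updater already holds.

```php
<?php
// Added example (not code from the original question). Assumes $git_url is
// "https://api.github.com", $repo is "owner/name" and $access_token is the
// same token the question's fetch_tags_from_repo() method uses.
class Private_Theme_Updater {
    private $git_url;
    private $repo;
    private $access_token;

    public function __construct( $git_url, $repo, $access_token ) {
        $this->git_url      = rtrim( $git_url, '/' );
        $this->repo         = $repo;
        $this->access_token = $access_token;
        // Runs for every wp_remote_*() call, including the download_url()
        // call the theme upgrader makes for the 'package' URL.
        add_filter( 'http_request_args', [ $this, 'add_auth_header' ], 10, 2 );
    }

    /** The zipball URL placed in $transient->response[...]['package']. */
    public function package_url( $version ) {
        return "{$this->git_url}/repos/{$this->repo}/zipball/refs/tags/$version";
    }

    /**
     * Attach the token only to requests for this repo's zipball. Requests to
     * any other host, repo or endpoint (including other plugins' requests)
     * are returned untouched, so the token is not shared beyond this download.
     */
    public function add_auth_header( $args, $url ) {
        $prefix = "{$this->git_url}/repos/{$this->repo}/zipball/";
        if ( 0 !== strpos( $url, $prefix ) ) {
            return $args;
        }
        // Core normally passes headers as an array; reset anything else.
        if ( empty( $args['headers'] ) || ! is_array( $args['headers'] ) ) {
            $args['headers'] = [];
        }
        $args['headers']['Authorization'] = 'token ' . $this->access_token;
        $args['headers']['Accept']        = 'application/vnd.github.v3+json';
        return $args;
    }
}
```

GitHub answers the zipball URL with a redirect that WordPress's HTTP layer follows on its own, so verify in your environment whether the header is re-sent to the redirect target before relying on this in production.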

2 Answers


  1. Chosen as BEST ANSWER

    Honestly, this problem has been exhausting and enough is enough...

    Answer

    Eject from GitHub and use Gitlab because they still support access_token as a header. They have unlimited free private repos < 5 GB storage.


  2. If you are planning to distribute the private repo with a license, I recommend that you not expose your access credentials in the script.

    Instead you should use the GitHub PHP API together with an SSH key that you set up in your repo settings, or a GitHub App with access permission granted on your repo.

    Here is a solid SDK to start from:

    https://github.com/KnpLabs/php-github-api

    Alternatively, as you suggested in your answer, a third-party service could be used to manage the credentials on your behalf.

    Gitlab is a nice generic and low-cost option, but if you are looking for something dedicated to WordPress development I recommend WP Package Editor (WP2E).

    Among other things the service uses a registered GitHub App to pull the latest version from public / private GitHub repositories:

    https://github.com/marketplace/wp-package-editor

    This is quoted from the documentation regarding how it is implemented with GitHub:

    For a script to be successfully imported to the library of repositories and later be synchronized as an installer dependency there are 4 conditions:

    1. The GitHub App must be connected to a WP2E account
    2. The “read-only” access to the repository must be granted to the WP2E GitHub App
    3. The script must be a valid WP theme or plugin
    4. The repository must have at least one “release” on GitHub

    Note: In order to synchronize with the GitHub account/repo, the GitHub App should be integrated via the SaaS panel (not directly via the GitHub Marketplace).
