fix: replace GitHub API with npm registry for version resolution

fengmk2 · fengmk2 · commit 5d67208c45e2 · 2026-04-16T10:16:38.000+08:00
The GitHub API was hitting 403 Forbidden errors due to rate limiting.
Since download URLs are deterministic (constructable from tag alone),
the GitHub API is unnecessary. Now specific tags resolve instantly
with zero network calls, and the latest version is resolved via the
npm registry dist-tags.
diff --git a/README.md b/README.md
@@ -40,7 +40,6 @@ Deployed to [Cloudflare Workers](https://workers.cloudflare.com/) via [Void](htt
 
 ### Environment variables
 
-| Variable       | Required | Description                                                |
-| -------------- | -------- | ---------------------------------------------------------- |
-| `GITHUB_TOKEN` | No       | GitHub token for higher API rate limits (60/hr -> 5000/hr) |
-| `VOID_TOKEN`   | Yes (CI) | Void deployment token                                      |
+| Variable     | Required | Description           |
+| ------------ | -------- | --------------------- |
+| `VOID_TOKEN` | Yes (CI) | Void deployment token |
diff --git a/routes/index.ts b/routes/index.ts
@@ -11,7 +11,6 @@ const ASSET_NAMES: Record<Arch, string> = {
   arm64: "vp-setup-aarch64-pc-windows-msvc.exe",
 };
 const LATEST_CACHE_TTL = 300; // 5 minutes
-const TAGGED_CACHE_TTL = 86400; // 24 hours
 const DEFAULT_DIST_TAG = "latest";
 
 type Arch = "x64" | "arm64";
@@ -21,11 +20,6 @@ interface CachedRelease {
   assets: Partial<Record<Arch, string>>;
 }
 
-interface GitHubRelease {
-  tag_name: string;
-  assets: Array<{ name: string; browser_download_url: string }>;
-}
-
 export function detectArch(
   queryArch: string | undefined,
   userAgent: string | undefined,
@@ -40,56 +34,11 @@ export function detectArch(
   return "x64";
 }
 
-export function parseRelease(release: GitHubRelease): CachedRelease | null {
-  const assets: Partial<Record<Arch, string>> = {};
-  for (const asset of release.assets) {
-    if (asset.name === ASSET_NAMES.x64) assets.x64 = asset.browser_download_url;
-    if (asset.name === ASSET_NAMES.arm64) assets.arm64 = asset.browser_download_url;
-  }
-  if (!assets.x64 && !assets.arm64) return null;
-  return { tag: release.tag_name, assets };
-}
-
-async function fetchGitHub(path: string, githubToken: string | undefined): Promise<Response> {
-  const headers: Record<string, string> = {
-    Accept: "application/vnd.github.v3+json",
-    "User-Agent": "vp-setup-exe-downloader",
-  };
-  if (githubToken) headers.Authorization = `Bearer ${githubToken}`;
-  return fetch(`https://api.github.com${path}`, { headers });
-}
-
-// "not-found" means the tag definitively doesn't exist (GitHub 404).
-// null means the API failed (rate limit, network error) — fallbacks may still work.
-export async function fetchRelease(
-  tag: string | undefined,
-  githubToken: string | undefined,
-): Promise<GitHubRelease | null | "not-found"> {
-  if (tag) {
-    const res = await fetchGitHub(
-      `/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/tags/${tag}`,
-      githubToken,
-    );
-    if (!res.ok) {
-      console.error(`GitHub API error: ${res.status} ${res.statusText} for tag ${tag}`);
-      return res.status === 404 ? "not-found" : null;
-    }
-    return (await res.json()) as GitHubRelease;
-  }
-
+export async function resolveRelease(tag: string | undefined): Promise<CachedRelease | null> {
+  if (tag) return buildReleaseFromTag(tag);
   const version = await fetchNpmDistTagVersion(DEFAULT_DIST_TAG);
   if (!version) return null;
-  const res = await fetchGitHub(
-    `/repos/${GITHUB_OWNER}/${GITHUB_REPO}/releases/tags/v${version}`,
-    githubToken,
-  );
-  if (!res.ok) {
-    console.error(`GitHub API error: ${res.status} ${res.statusText} for default tag v${version}`);
-    // Treat all failures (incl. 404) as transient so getRelease doesn't cache a negative
-    // under `release:latest` when npm/GitHub are momentarily out of sync.
-    return null;
-  }
-  return (await res.json()) as GitHubRelease;
+  return buildReleaseFromTag(`v${version}`);
 }
 
 export function buildReleaseFromTag(tag: string): CachedRelease {
@@ -128,47 +77,26 @@ function staleCacheKey(tag: string | undefined): string {
   return `${cacheKey(tag)}:stale`;
 }
 
-async function getRelease(
-  tag: string | undefined,
-  githubToken: string | undefined,
-): Promise<CachedRelease | null> {
-  const key = cacheKey(tag);
+async function getRelease(tag: string | undefined): Promise<CachedRelease | null> {
+  // Specific tag: deterministic URL construction, no network or cache needed
+  if (tag) return buildReleaseFromTag(tag);
+
+  // "Latest" path: use KV cache to avoid hitting npm on every request
+  const key = cacheKey(undefined);
   const cached = await kv.get<CachedRelease>(key);
   if (cached) return cached;
 
-  try {
-    const release = await fetchRelease(tag, githubToken);
-    if (release === "not-found") {
-      // Cache the negative result to avoid repeated API calls for the same bad tag
-      await kv.put(key, null, { ttl: LATEST_CACHE_TTL });
-      return null;
-    }
-    if (release) {
-      const parsed = parseRelease(release);
-      if (parsed) {
-        const ttl = tag ? TAGGED_CACHE_TTL : LATEST_CACHE_TTL;
-        const staleTtl = ttl + 3600;
-        await Promise.all([
-          kv.put(key, parsed, { ttl }),
-          kv.put(staleCacheKey(tag), parsed, { ttl: staleTtl }),
-        ]);
-        return parsed;
-      }
-    }
-  } catch (err) {
-    console.error("Failed to fetch release from GitHub:", err);
+  const release = await resolveRelease(undefined);
+  if (release) {
+    await Promise.all([
+      kv.put(key, release, { ttl: LATEST_CACHE_TTL }),
+      kv.put(staleCacheKey(undefined), release, { ttl: LATEST_CACHE_TTL + 3600 }),
+    ]);
+    return release;
   }
 
-  // Fallback 1: stale KV cache
-  const stale = await kv.get<CachedRelease>(staleCacheKey(tag));
-  if (stale) return stale;
-
-  // Fallback 2: construct download URLs from tag or npm registry version
-  if (tag) return buildReleaseFromTag(tag);
-  const version = await fetchNpmDistTagVersion(DEFAULT_DIST_TAG);
-  if (version) return buildReleaseFromTag(`v${version}`);
-
-  return null;
+  // npm unreachable — fall back to stale cache
+  return kv.get<CachedRelease>(staleCacheKey(undefined));
 }
 
 function escapeHtml(s: string): string {
@@ -306,15 +234,14 @@ setupDownloadLink();
 export const GET = defineHandler(async (c) => {
   const queryArch = c.req.query("arch");
   const tag = c.req.query("tag");
-  const githubToken = c.env.GITHUB_TOKEN as string | undefined;
 
   // When ?arch= is specified, redirect directly (backward-compatible for CLI/curl)
   if (queryArch) {
     const arch = detectArch(queryArch, c.req.header("user-agent"));
     if (arch === null) {
       return c.json({ error: "Invalid architecture. Use 'x64' or 'arm64'" }, 400);
     }
-    const release = await getRelease(tag || undefined, githubToken);
+    const release = await getRelease(tag || undefined);
     if (!release) {
       return c.json({ error: tag ? `Release '${tag}' not found` : "No release found" }, 404);
     }
@@ -326,7 +253,7 @@ export const GET = defineHandler(async (c) => {
   }
 
   // Serve the download page with client-side architecture detection
-  const release = await getRelease(tag || undefined, githubToken);
+  const release = await getRelease(tag || undefined);
   if (!release) {
     return c.json({ error: tag ? `Release '${tag}' not found` : "No release found" }, 404);
   }
diff --git a/tests/index.test.ts b/tests/index.test.ts
@@ -1,5 +1,5 @@
 import { afterEach, describe, expect, it, vi } from "vite-plus/test";
-import { buildReleaseFromTag, detectArch, fetchRelease, parseRelease } from "../routes/index";
+import { buildReleaseFromTag, detectArch, resolveRelease } from "../routes/index";
 
 describe("detectArch", () => {
   it("defaults to x64 when no query param or user-agent", () => {
@@ -64,62 +64,6 @@ describe("detectArch", () => {
   });
 });
 
-describe("parseRelease", () => {
-  it("parses both x64 and arm64 assets", () => {
-    const result = parseRelease({
-      tag_name: "v0.1.17-alpha.0",
-      assets: [
-        {
-          name: "vp-setup-x86_64-pc-windows-msvc.exe",
-          browser_download_url:
-            "https://github.com/voidzero-dev/vite-plus/releases/download/v0.1.17-alpha.0/vp-setup-x86_64-pc-windows-msvc.exe",
-        },
-        {
-          name: "vp-setup-aarch64-pc-windows-msvc.exe",
-          browser_download_url:
-            "https://github.com/voidzero-dev/vite-plus/releases/download/v0.1.17-alpha.0/vp-setup-aarch64-pc-windows-msvc.exe",
-        },
-      ],
-    });
-    expect(result).toEqual({
-      tag: "v0.1.17-alpha.0",
-      assets: {
-        x64: "https://github.com/voidzero-dev/vite-plus/releases/download/v0.1.17-alpha.0/vp-setup-x86_64-pc-windows-msvc.exe",
-        arm64:
-          "https://github.com/voidzero-dev/vite-plus/releases/download/v0.1.17-alpha.0/vp-setup-aarch64-pc-windows-msvc.exe",
-      },
-    });
-  });
-
-  it("returns null when no matching assets exist", () => {
-    const result = parseRelease({
-      tag_name: "v1.0.0",
-      assets: [
-        {
-          name: "some-other-file.tar.gz",
-          browser_download_url: "https://example.com/other.tar.gz",
-        },
-      ],
-    });
-    expect(result).toBeNull();
-  });
-
-  it("handles release with only x64 asset", () => {
-    const result = parseRelease({
-      tag_name: "v0.1.0",
-      assets: [
-        {
-          name: "vp-setup-x86_64-pc-windows-msvc.exe",
-          browser_download_url: "https://example.com/x64.exe",
-        },
-      ],
-    });
-    expect(result).not.toBeNull();
-    expect(result!.assets.x64).toBe("https://example.com/x64.exe");
-    expect(result!.assets.arm64).toBeUndefined();
-  });
-});
-
 describe("buildReleaseFromTag", () => {
   it("constructs download URLs from a tag", () => {
     const result = buildReleaseFromTag("v0.1.17-alpha.0");
@@ -134,130 +78,56 @@ describe("buildReleaseFromTag", () => {
   });
 });
 
-describe("fetchRelease", () => {
+describe("resolveRelease", () => {
   afterEach(() => vi.unstubAllGlobals());
 
-  it('returns "not-found" when GitHub returns 404 for a tag', async () => {
-    vi.stubGlobal(
-      "fetch",
-      vi
-        .fn()
-        .mockResolvedValue(new Response("Not Found", { status: 404, statusText: "Not Found" })),
-    );
-    const result = await fetchRelease("not-exists", undefined);
-    expect(result).toBe("not-found");
-  });
-
-  it("returns null when GitHub returns 403 (rate limited) for a tag", async () => {
-    vi.stubGlobal(
-      "fetch",
-      vi
-        .fn()
-        .mockResolvedValue(new Response("Forbidden", { status: 403, statusText: "Forbidden" })),
-    );
-    const result = await fetchRelease("v1.0.0", undefined);
-    expect(result).toBeNull();
-  });
+  it("returns a constructed release for a specific tag without any network call", async () => {
+    const fetchMock = vi.fn();
+    vi.stubGlobal("fetch", fetchMock);
 
-  it("returns null when GitHub returns 500 for a tag", async () => {
-    vi.stubGlobal(
-      "fetch",
-      vi.fn().mockResolvedValue(
-        new Response("Internal Server Error", {
-          status: 500,
-          statusText: "Internal Server Error",
-        }),
-      ),
-    );
-    const result = await fetchRelease("v1.0.0", undefined);
-    expect(result).toBeNull();
-  });
+    const result = await resolveRelease("v1.0.0");
 
-  it("returns the release when GitHub returns 200 for a tag", async () => {
-    const release = {
-      tag_name: "v1.0.0",
-      assets: [
-        {
-          name: "vp-setup-x86_64-pc-windows-msvc.exe",
-          browser_download_url: "https://example.com/x64.exe",
-        },
-      ],
-    };
-    vi.stubGlobal(
-      "fetch",
-      vi.fn().mockResolvedValue(new Response(JSON.stringify(release), { status: 200 })),
-    );
-    const result = await fetchRelease("v1.0.0", undefined);
-    expect(result).toEqual(release);
+    expect(result).toEqual(buildReleaseFromTag("v1.0.0"));
+    expect(fetchMock).not.toHaveBeenCalled();
   });
 
-  it("default path: resolves via npm latest dist-tag then fetches that GitHub tag", async () => {
-    const release = {
-      tag_name: "v0.1.17",
-      assets: [
-        {
-          name: "vp-setup-x86_64-pc-windows-msvc.exe",
-          browser_download_url:
-            "https://github.com/voidzero-dev/vite-plus/releases/download/v0.1.17/vp-setup-x86_64-pc-windows-msvc.exe",
-        },
-      ],
-    };
+  it("resolves latest version via npm and returns a constructed release", async () => {
     const fetchMock = vi
       .fn()
       .mockResolvedValueOnce(
         new Response(JSON.stringify({ "dist-tags": { latest: "0.1.17" } }), { status: 200 }),
-      )
-      .mockResolvedValueOnce(new Response(JSON.stringify(release), { status: 200 }));
+      );
     vi.stubGlobal("fetch", fetchMock);
 
-    const result = await fetchRelease(undefined, undefined);
+    const result = await resolveRelease(undefined);
 
-    expect(result).toEqual(release);
-    expect(fetchMock).toHaveBeenCalledTimes(2);
-    const secondCallUrl = fetchMock.mock.calls[1][0];
-    expect(secondCallUrl).toContain("/releases/tags/v0.1.17");
+    expect(result).toEqual(buildReleaseFromTag("v0.1.17"));
+    expect(fetchMock).toHaveBeenCalledTimes(1);
   });
 
-  it("default path: returns null and skips GitHub when npm registry fails", async () => {
+  it("returns null when npm registry is unreachable", async () => {
     const fetchMock = vi
       .fn()
       .mockResolvedValueOnce(
         new Response("Service Unavailable", { status: 503, statusText: "Service Unavailable" }),
       );
     vi.stubGlobal("fetch", fetchMock);
 
-    const result = await fetchRelease(undefined, undefined);
+    const result = await resolveRelease(undefined);
 
     expect(result).toBeNull();
-    expect(fetchMock).toHaveBeenCalledTimes(1);
   });
 
-  it("default path: returns null and skips GitHub when npm has no latest dist-tag", async () => {
+  it("returns null when npm has no latest dist-tag", async () => {
     const fetchMock = vi
       .fn()
       .mockResolvedValueOnce(
         new Response(JSON.stringify({ "dist-tags": { alpha: "0.1.17-alpha.5" } }), { status: 200 }),
       );
     vi.stubGlobal("fetch", fetchMock);
 
-    const result = await fetchRelease(undefined, undefined);
-
-    expect(result).toBeNull();
-    expect(fetchMock).toHaveBeenCalledTimes(1);
-  });
-
-  it('default path: returns null (not "not-found") when GitHub 404s the resolved tag', async () => {
-    const fetchMock = vi
-      .fn()
-      .mockResolvedValueOnce(
-        new Response(JSON.stringify({ "dist-tags": { latest: "0.1.17" } }), { status: 200 }),
-      )
-      .mockResolvedValueOnce(new Response("Not Found", { status: 404, statusText: "Not Found" }));
-    vi.stubGlobal("fetch", fetchMock);
-
-    const result = await fetchRelease(undefined, undefined);
+    const result = await resolveRelease(undefined);
 
     expect(result).toBeNull();
-    expect(fetchMock).toHaveBeenCalledTimes(2);
   });
 });
