Minor fixes

sebastianrath · sebastianrath · commit 7022005fed12 · 2026-02-16T00:22:42.000-05:00
diff --git a/github/server/cache.go b/github/server/cache.go
@@ -211,47 +211,54 @@ func (s *Server) handleGetCacheEntryDownloadURL(w http.ResponseWriter, r *http.R
 		scope = req.Metadata.Scope
 	}
 
-	s.mu.RLock()
-	defer s.mu.RUnlock()
+	type match struct {
+		id  int64
+		key string
+	}
+
+	var found *match
 
+	s.mu.RLock()
 	// 1. Exact match: scope + key + version
 	exactKey := scope + "/" + req.Key + "/" + req.Version
 	if entry, ok := s.caches[exactKey]; ok && entry.Finalized {
-		downloadURL := s.makeSignedURL("GET", entry.ID)
-		writeJSON(w, http.StatusOK, GetCacheEntryDownloadURLResponse{
-			Ok:                true,
-			SignedDownloadURL: downloadURL,
-			MatchedKey:        entry.Key,
-		})
-		return
+		found = &match{id: entry.ID, key: entry.Key}
 	}
 
 	// 2. Prefix match with restore_keys
-	for _, rk := range req.RestoreKeys {
-		var best *CacheEntry
-		for _, entry := range s.caches {
-			if entry.Scope != scope || entry.Version != req.Version {
-				continue
-			}
-			if !entry.Finalized {
-				continue
-			}
-			if !strings.HasPrefix(entry.Key, rk) {
-				continue
+	if found == nil {
+		for _, rk := range req.RestoreKeys {
+			var best *CacheEntry
+			for _, entry := range s.caches {
+				if entry.Scope != scope || entry.Version != req.Version {
+					continue
+				}
+				if !entry.Finalized {
+					continue
+				}
+				if !strings.HasPrefix(entry.Key, rk) {
+					continue
+				}
+				if best == nil || entry.CreatedAt.After(best.CreatedAt) {
+					best = entry
+				}
 			}
-			if best == nil || entry.CreatedAt.After(best.CreatedAt) {
-				best = entry
+			if best != nil {
+				found = &match{id: best.ID, key: best.Key}
+				break
 			}
 		}
-		if best != nil {
-			downloadURL := s.makeSignedURL("GET", best.ID)
-			writeJSON(w, http.StatusOK, GetCacheEntryDownloadURLResponse{
-				Ok:                true,
-				SignedDownloadURL: downloadURL,
-				MatchedKey:        best.Key,
-			})
-			return
-		}
+	}
+	s.mu.RUnlock()
+
+	if found != nil {
+		downloadURL := s.makeSignedURL("GET", found.id)
+		writeJSON(w, http.StatusOK, GetCacheEntryDownloadURLResponse{
+			Ok:                true,
+			SignedDownloadURL: downloadURL,
+			MatchedKey:        found.key,
+		})
+		return
 	}
 
 	writeTwirpError(w, http.StatusNotFound, "not_found", "cache entry not found")
diff --git a/github/server/legacy.go b/github/server/legacy.go
@@ -70,6 +70,11 @@ func (s *Server) handleLegacyCreate(w http.ResponseWriter, r *http.Request) {
 
 // PUT /v3-upload/{containerId}?itemPath={path}
 func (s *Server) handleLegacyUpload(w http.ResponseWriter, r *http.Request) {
+	if !hasBearer(r) {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
 	cidStr := r.PathValue("containerId")
 	cid, err := strconv.ParseInt(cidStr, 10, 64)
 	if err != nil {
@@ -114,7 +119,11 @@ func (s *Server) handleLegacyUpload(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if start > 0 {
-		f.Seek(start, io.SeekStart)
+		if _, err := f.Seek(start, io.SeekStart); err != nil {
+			f.Close()
+			http.Error(w, "storage error", http.StatusInternalServerError)
+			return
+		}
 	}
 	n, copyErr := io.Copy(f, r.Body)
 	if err := f.Close(); err != nil && copyErr == nil {
@@ -199,6 +208,11 @@ func (s *Server) handleLegacyList(w http.ResponseWriter, r *http.Request) {
 
 // GET /download-v3/{containerId}?itemPath={prefix}
 func (s *Server) handleLegacyListFiles(w http.ResponseWriter, r *http.Request) {
+	if !hasBearer(r) {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
 	cidStr := r.PathValue("containerId")
 	cid, err := strconv.ParseInt(cidStr, 10, 64)
 	if err != nil {
@@ -239,6 +253,11 @@ func (s *Server) handleLegacyListFiles(w http.ResponseWriter, r *http.Request) {
 
 // GET /artifact/{path...}
 func (s *Server) handleLegacyDownload(w http.ResponseWriter, r *http.Request) {
+	if !hasBearer(r) {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
 	fullPath := r.PathValue("path")
 	before, after, ok := strings.Cut(fullPath, "/")
 	if !ok {
diff --git a/github/server/legacy_test.go b/github/server/legacy_test.go
@@ -60,6 +60,7 @@ func TestLegacyFullCycle(t *testing.T) {
 	// 2. Upload file
 	req, _ := http.NewRequest("PUT", uploadURL+"?itemPath=data/file.txt", bytes.NewReader(fileContent))
 	req.Header.Set("Content-Type", "application/octet-stream")
+	req.Header.Set("Authorization", "Bearer test-token")
 	uploadResp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		t.Fatalf("upload: %v", err)
@@ -115,7 +116,9 @@ func TestLegacyFullCycle(t *testing.T) {
 	contentLocation := filesResult.Value[0]["contentLocation"].(string)
 
 	// 6. Download file
-	dlResp, err := http.Get(contentLocation)
+	dlReq, _ := http.NewRequest("GET", contentLocation, nil)
+	dlReq.Header.Set("Authorization", "Bearer test-token")
+	dlResp, err := http.DefaultClient.Do(dlReq)
 	if err != nil {
 		t.Fatalf("download: %v", err)
 	}
@@ -148,6 +151,7 @@ func TestLegacyChunkedUpload(t *testing.T) {
 	// Upload chunk 1
 	req, _ := http.NewRequest("PUT", uploadURL+"?itemPath=file.bin", bytes.NewReader(chunk1))
 	req.Header.Set("Content-Range", fmt.Sprintf("bytes 0-%d/%d", len(chunk1)-1, total))
+	req.Header.Set("Authorization", "Bearer test-token")
 	r, _ := http.DefaultClient.Do(req)
 	r.Body.Close()
 	if r.StatusCode != http.StatusCreated {
@@ -157,6 +161,7 @@ func TestLegacyChunkedUpload(t *testing.T) {
 	// Upload chunk 2
 	req, _ = http.NewRequest("PUT", uploadURL+"?itemPath=file.bin", bytes.NewReader(chunk2))
 	req.Header.Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", len(chunk1), total-1, total))
+	req.Header.Set("Authorization", "Bearer test-token")
 	r, _ = http.DefaultClient.Do(req)
 	r.Body.Close()
 	if r.StatusCode != http.StatusCreated {
@@ -184,7 +189,9 @@ func TestLegacyChunkedUpload(t *testing.T) {
 	resp.Body.Close()
 	contentLocation := filesResult.Value[0]["contentLocation"].(string)
 
-	dlResp, _ := http.Get(contentLocation)
+	dlReq, _ := http.NewRequest("GET", contentLocation, nil)
+	dlReq.Header.Set("Authorization", "Bearer test-token")
+	dlResp, _ := http.DefaultClient.Do(dlReq)
 	defer dlResp.Body.Close()
 	data, _ := io.ReadAll(dlResp.Body)
 	expected := append(chunk1, chunk2...)
@@ -215,6 +222,7 @@ func TestLegacyGzipRoundtrip(t *testing.T) {
 	// Upload with Content-Encoding: gzip
 	req, _ := http.NewRequest("PUT", uploadURL+"?itemPath=data.gz", bytes.NewReader(gzipData))
 	req.Header.Set("Content-Encoding", "gzip")
+	req.Header.Set("Authorization", "Bearer test-token")
 	r, _ := http.DefaultClient.Do(req)
 	r.Body.Close()
 	if r.StatusCode != http.StatusCreated {
@@ -239,7 +247,9 @@ func TestLegacyGzipRoundtrip(t *testing.T) {
 	// Use raw HTTP transport to avoid automatic decompression
 	transport := &http.Transport{DisableCompression: true}
 	client := &http.Client{Transport: transport}
-	dlResp, _ := client.Get(filesResult.Value[0]["contentLocation"].(string))
+	dlReq, _ := http.NewRequest("GET", filesResult.Value[0]["contentLocation"].(string), nil)
+	dlReq.Header.Set("Authorization", "Bearer test-token")
+	dlResp, _ := client.Do(dlReq)
 	defer dlResp.Body.Close()
 
 	if dlResp.Header.Get("Content-Encoding") != "gzip" {
@@ -272,6 +282,7 @@ func TestLegacyMultipleFiles(t *testing.T) {
 
 	for path, content := range files {
 		req, _ := http.NewRequest("PUT", uploadURL+"?itemPath="+path, bytes.NewReader([]byte(content)))
+		req.Header.Set("Authorization", "Bearer test-token")
 		r, _ := http.DefaultClient.Do(req)
 		r.Body.Close()
 	}
@@ -319,14 +330,14 @@ func TestLegacyNotFound(t *testing.T) {
 	}
 
 	// Download non-existent container
-	dlResp, _ := http.Get(ts.URL + "/download-v3/9999")
+	dlResp := legacyRequest(t, ts, "GET", "/download-v3/9999", nil)
 	dlResp.Body.Close()
 	if dlResp.StatusCode != http.StatusNotFound {
 		t.Fatalf("expected 404, got %d", dlResp.StatusCode)
 	}
 
 	// Download non-existent file
-	dlResp, _ = http.Get(ts.URL + "/artifact/9999/nofile.txt")
+	dlResp = legacyRequest(t, ts, "GET", "/artifact/9999/nofile.txt", nil)
 	dlResp.Body.Close()
 	if dlResp.StatusCode != http.StatusNotFound {
 		t.Fatalf("expected 404, got %d", dlResp.StatusCode)
diff --git a/github/server/server.go b/github/server/server.go
@@ -271,6 +271,16 @@ func (s *Server) handleCreateArtifact(w http.ResponseWriter, r *http.Request, ru
 
 	blobPath := s.artifactBlobPath(req.WorkflowRunBackendID, req.Name)
 
+	safeDir, err := utils.SafeJoinPath(s.storageDir, filepath.Base(req.WorkflowRunBackendID))
+	if err != nil {
+		writeTwirpError(w, http.StatusBadRequest, "invalid_argument", "invalid artifact path")
+		return
+	}
+	if err := os.MkdirAll(safeDir, 0o755); err != nil {
+		writeTwirpError(w, http.StatusInternalServerError, "internal", "failed to create storage directory")
+		return
+	}
+
 	s.mu.Lock()
 	if existing, ok := s.artifacts[key]; ok && existing.Finalized {
 		s.mu.Unlock()
@@ -298,16 +308,6 @@ func (s *Server) handleCreateArtifact(w http.ResponseWriter, r *http.Request, ru
 	s.uploadMu[id] = &sync.Mutex{}
 	s.mu.Unlock()
 
-	safeDir, err := utils.SafeJoinPath(s.storageDir, filepath.Base(req.WorkflowRunBackendID))
-	if err != nil {
-		writeTwirpError(w, http.StatusBadRequest, "invalid_argument", "invalid artifact path")
-		return
-	}
-	if err := os.MkdirAll(safeDir, 0o755); err != nil {
-		writeTwirpError(w, http.StatusInternalServerError, "internal", "failed to create storage directory")
-		return
-	}
-
 	uploadURL := s.makeSignedURL("PUT", id)
 
 	writeJSON(w, http.StatusOK, CreateArtifactResponse{
@@ -480,6 +480,16 @@ func (s *Server) handleMigrateArtifact(w http.ResponseWriter, r *http.Request, r
 	key := req.WorkflowRunBackendID + "/" + req.Name
 	blobPath := s.artifactBlobPath(req.WorkflowRunBackendID, req.Name)
 
+	safeDir, err := utils.SafeJoinPath(s.storageDir, filepath.Base(req.WorkflowRunBackendID))
+	if err != nil {
+		writeTwirpError(w, http.StatusBadRequest, "invalid_argument", "invalid artifact path")
+		return
+	}
+	if err := os.MkdirAll(safeDir, 0o755); err != nil {
+		writeTwirpError(w, http.StatusInternalServerError, "internal", "failed to create storage directory")
+		return
+	}
+
 	s.mu.Lock()
 	if existing, ok := s.artifacts[key]; ok && existing.Finalized {
 		s.mu.Unlock()
@@ -501,16 +511,6 @@ func (s *Server) handleMigrateArtifact(w http.ResponseWriter, r *http.Request, r
 	s.uploadMu[id] = &sync.Mutex{}
 	s.mu.Unlock()
 
-	safeDir, err := utils.SafeJoinPath(s.storageDir, filepath.Base(req.WorkflowRunBackendID))
-	if err != nil {
-		writeTwirpError(w, http.StatusBadRequest, "invalid_argument", "invalid artifact path")
-		return
-	}
-	if err := os.MkdirAll(safeDir, 0o755); err != nil {
-		writeTwirpError(w, http.StatusInternalServerError, "internal", "failed to create storage directory")
-		return
-	}
-
 	uploadURL := s.makeSignedURL("PUT", id)
 
 	writeJSON(w, http.StatusOK, MigrateArtifactResponse{
diff --git a/github/server/start.go b/github/server/start.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -85,7 +86,7 @@ func StartServer(cfg Config) (*RunningServer, error) {
 	}
 
 	go func() {
-		if err := httpServer.Serve(listener); err != nil {
+		if err := httpServer.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			fmt.Fprintf(os.Stderr, "server error: %v\n", err)
 		}
 	}()

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@ package server`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"crypto/rand"`
	`5`	`+ "errors"`
`5`	`6`	`"fmt"`
`6`	`7`	`"net"`
`7`	`8`	`"net/http"`
`@@ -85,7 +86,7 @@ func StartServer(cfg Config) (*RunningServer, error) {`
`85`	`86`	`}`
`86`	`87`
`87`	`88`	`go func() {`
`88`		`- if err := httpServer.Serve(listener); err != nil {`
	`89`	`+ if err := httpServer.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {`
`89`	`90`	`fmt.Fprintf(os.Stderr, "server error: %v\n", err)`
`90`	`91`	`}`
`91`	`92`	`}()`