GitHub addon downloads fail without PAT - downloadUrl uses API URL instead of browser_download_url

[MattressPadley]

Bug Description

GitHub-hosted addons fail to install/update when the user does not have a GitHub Personal Access Token configured. The downloaded zip file is invalid because WowUp receives JSON API metadata instead of the actual binary.

Root Cause

In the built v2.22.0 app, github-addon-provider always uses asset.url (the GitHub API URL, e.g. https://api.github.com/repos/.../releases/assets/12345) for the downloadUrl, regardless of whether a PAT is configured.

Without a PAT, getDownloadAuth() returns undefined (no Accept: application/octet-stream header). GitHub's API then returns a JSON metadata response instead of the binary content. This JSON gets saved as a .zip file, which fails to extract with:

Error: end of central directory record signature not found

The same issue affects release.json metadata fetching — WowUp receives API metadata about the asset instead of the actual release.json content, causing:

TypeError: Cannot read properties of undefined (reading 'find')
    at getValidAssetFromMetadata

Affected Code

Three locations in the built main.js (corresponding to github-addon-provider.ts):

1. searchByUrl (initial install from URL):

   // Built code uses:
   downloadUrl: B?.url ?? ""
   // Should be:
   downloadUrl: B?.browser_download_url ?? ""

2. getById (updates/reinstalls):

   // Built code uses:
   downloadUrl: D?.url ?? ""
   // Should be:
   downloadUrl: D?.browser_download_url ?? ""

3. getReleaseMetadata (release.json fetch):

   // Built code uses:
   o = i.url
   // Should be conditional:
   o = r ? i.url : i.browser_download_url

Note

The source code on GitHub already contains a hasPat conditional (hasPat ? asset?.url : asset?.browser_download_url), but the v2.22.0 build does not include this fix. The built JS unconditionally uses asset.url.

Related

• Install from URL works, update/reinstall on older version fails #103 — same symptoms (install from URL works, update/reinstall fails)
• WowUp/WowUp#1541 — equivalent fix for the main WowUp repo

Reproduction

1. Do NOT configure a GitHub PAT in WowUp-CF
2. Install any GitHub-hosted addon by repo URL (e.g. https://github.com/MattressPadley/WoW-PadleyUI)
3. Observe end of central directory record signature not found error in logs
4. Observe [DownloadFile] log line shows https://api.github.com/repos/.../releases/assets/... instead of https://github.com/.../releases/download/.../addon.zip

Workaround

Extract the app.asar, replace the three asset.url references with asset.browser_download_url in the minified JS, and repack.

[MattressPadley]

Update: Confirmed on v2.22.1-beta.3

The searchByUrl path (initial install) is fixed in the beta — it now uses browser_download_url||url. However, the getById path (updates/reinstalls) is still broken in the beta build:

downloadUrl: 'https://api.github.com/repos/MattressPadley/WoW-PadleyUI/releases/assets/369802669'

Built JS in beta.3 shows:

• searchByUrl: B?.browser_download_url||B?.url||"" — fixed
• getById: D?.url??"" — still broken

So the fix from PR WowUp/WowUp#1541 was only partially applied. The update flow still uses asset.url unconditionally, causing the same end of central directory record signature not found error when updating an already-installed GitHub addon.

[mathwro]

I see the same issue, but this repo is not actively being maintained, so it might be worth reposting the issue to the main repo @MattressPadley