From feaa43b4d3b84f6435c1ccecfb91a941075262bb Mon Sep 17 00:00:00 2001
From: tehw0lf <tehwolf@protonmail.com>
Date: Mon, 13 Apr 2026 17:57:43 +0200
Subject: [PATCH 1/3] fix(ci): add pull-requests: write permission for npm
 audit autofix

---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a804500..d6ed6f1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,7 @@ jobs:
             packages: write
             id-token: write
             security-events: write
+            pull-requests: write
         with:
             tool: "npm"
             lint: "run lint"

From a0834c36ec1b710cbbdc0a4e5bce7ba4fad3ac1a Mon Sep 17 00:00:00 2001
From: tehw0lf <tehwolf@protonmail.com>
Date: Sun, 19 Apr 2026 21:52:08 +0200
Subject: [PATCH 2/3] fix: support private GitHub repos by not sending auth
 header to download_url

GitHub's signed download_url for private repos already includes an access
token as a query param. Sending an Authorization header alongside it triggers
a CORS preflight on raw.githubusercontent.com that gets blocked with 403.
Fall back to the API url + base64 decode only when download_url is null.
---
 src/components/YamlLoader.tsx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/components/YamlLoader.tsx b/src/components/YamlLoader.tsx
index 898dc64..437998b 100644
--- a/src/components/YamlLoader.tsx
+++ b/src/components/YamlLoader.tsx
@@ -161,7 +161,7 @@ async function readDropItems(dataTransfer: DataTransfer): Promise<{ name: string
 
 // ─── GitHub API helpers ───────────────────────────────────────────────────────
 
-interface GhFile { name: string; download_url: string; type: string; }
+interface GhFile { name: string; download_url: string | null; url: string; type: string; }
 
 async function fetchWorkflowsFromGitHub(
   repo: string,
@@ -185,7 +185,15 @@ async function fetchWorkflowsFromGitHub(
 
   const contents = await Promise.all(
     yamlFiles.map(async f => {
-      const r = await fetch(f.download_url, token ? { headers } : {});
+      // download_url for private repos includes a signed token, so no Auth header needed.
+      // download_url is null only in rare edge cases; fall back to API url + base64 decode.
+      if (!f.download_url) {
+        const r = await fetch(f.url, { headers });
+        if (!r.ok) throw new Error(`Failed to fetch ${f.name}: ${r.status}`);
+        const data = await r.json();
+        return { name: f.name, content: atob(data.content.replace(/\n/g, '')) };
+      }
+      const r = await fetch(f.download_url);
       return { name: f.name, content: await r.text() };
     })
   );

From cc631281d9cb5ebd6652ba995bb4759f1add05ce Mon Sep 17 00:00:00 2001
From: tehw0lf <tehwolf@protonmail.com>
Date: Sun, 19 Apr 2026 21:54:01 +0200
Subject: [PATCH 3/3] fix: update version to 1.0.4 in package.json and
 package-lock.json

* Bumped version from 1.0.3 to 1.0.4 in both package.json and package-lock.json
* Ensures consistency across project files
---
 package-lock.json | 4 ++--
 package.json      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 22af922..ead80bd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "flowdive",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "flowdive",
-      "version": "1.0.3",
+      "version": "1.0.4",
       "dependencies": {
         "@dagrejs/dagre": "^3.0.0",
         "@tailwindcss/vite": "^4.2.2",
diff --git a/package.json b/package.json
index 713c3dd..dc9e1b8 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "name": "flowdive",
   "description": "Dive into your GitHub Actions workflows — interactive visualization with drill-down navigation and graph view.",
   "private": true,
-  "version": "1.0.3",
+  "version": "1.0.4",
   "type": "module",
   "scripts": {
     "dev": "vite",