From 8126ccb21a9bcb9663d5e62f5bd7b5e5ce92ca8d Mon Sep 17 00:00:00 2001
From: Piotr Osiewicz <24362066+osiewicz@users.noreply.github.com>
Date: Thu, 18 Jun 2026 00:32:17 +0200
Subject: [PATCH] Fix install script (use GITHUB_TOKEN if available)

---
 public/install.sh | 54 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 49 insertions(+), 5 deletions(-)

diff --git a/public/install.sh b/public/install.sh
index 1f561c1..a682b9b 100644
--- a/public/install.sh
+++ b/public/install.sh
@@ -17,12 +17,41 @@ if ! command -v curl >/dev/null 2>&1; then
   exit 1
 fi
 
+# curl >= 7.71 can also retry rate-limit 403s (--retry-all-errors); older builds
+# still retry connection errors, 5xx and 429 via plain --retry.
+RETRY_ALL=0
+if curl --help all 2>/dev/null | grep -q -- '--retry-all-errors'; then
+  RETRY_ALL=1
+fi
+
+# Retry transient GitHub failures with exponential backoff: CDN 504s, request
+# timeouts, and (where supported) rate-limit 403s.
+get() {
+  if [ "$RETRY_ALL" -eq 1 ]; then
+    curl -fsSL --retry 5 --retry-max-time 60 --retry-all-errors "$@"
+  else
+    curl -fsSL --retry 5 --retry-max-time 60 "$@"
+  fi
+}
+
+# A token (exported by CI as GITHUB_TOKEN / GH_TOKEN) lifts the GitHub API limit
+# from 60 req/hr per IP. Shared CI runner IPs routinely exhaust the anonymous
+# quota — the usual cause of an intermittent HTTP 403 on the release lookup.
+TOKEN="${GITHUB_TOKEN:-${GH_TOKEN:-}}"
+
+releases() {
+  if [ -n "$TOKEN" ]; then
+    get -H "Accept: application/vnd.github+json" \
+      -H "Authorization: Bearer ${TOKEN}" "$1"
+  else
+    get -H "Accept: application/vnd.github+json" "$1"
+  fi
+}
+
 # The /releases endpoint lists ALL releases (prereleases included) sorted
 # newest-first. The /releases/latest endpoint excludes prereleases, which
 # is why we don't use it.
-TAG="$(curl -fsSL \
-  -H "Accept: application/vnd.github+json" \
-  "https://api.github.com/repos/${REPO}/releases?per_page=1" \
+TAG="$(releases "https://api.github.com/repos/${REPO}/releases?per_page=1" \
   | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p' \
   | head -n 1)"
 
@@ -33,6 +62,21 @@ if [ -z "${TAG}" ]; then
 fi
 
 UPSTREAM="https://github.com/${REPO}/releases/download/${TAG}/${ASSET}"
-
 echo "wezel-install: resolving ${TAG} -> ${ASSET}" >&2
-curl -fsSL "${UPSTREAM}" | sh
+
+# Run the bundled installer, retrying the whole thing: its binary-tarball
+# download can hit transient GitHub CDN errors (e.g. HTTP 504) with no retry
+# of its own.
+n=1
+while :; do
+  if installer="$(get "${UPSTREAM}")" && printf '%s\n' "${installer}" | sh; then
+    exit 0
+  fi
+  if [ "${n}" -ge 3 ]; then
+    echo "wezel-install: installer failed after ${n} attempts" >&2
+    exit 1
+  fi
+  echo "wezel-install: attempt ${n} failed, retrying in $((n * 3))s..." >&2
+  sleep "$((n * 3))"
+  n=$((n + 1))
+done