Fix code review comments + disable authorization on redirections

Library/Homebrew/download_strategy.rb

@@ -388,7 +388,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
 
       ohai "Downloading #{url}"
 
-      resolved_url, _, url_time, = resolve_url_basename_time_file_size(url, timeout: end_time&.remaining!)
+      resolved_url, _, url_time, _, is_redirection =
+        resolve_url_basename_time_file_size(url, timeout: end_time&.remaining!)
+      meta[:headers].delete_if { |header| header[0].start_with?("Authorization") } if is_redirection
 
       fresh = if cached_location.exist? && url_time
         url_time <= cached_location.mtime
@@ -449,7 +451,7 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
     return @resolved_info_cache[url] if @resolved_info_cache.include?(url)
 
     if (domain = Homebrew::EnvConfig.artifact_domain)
-      url = url.sub(%r{^((ht|f)tps?://ghcr.io/)?}, "#{domain.chomp("/")}/")
+      url = url.sub(%r{^(https?://#{GitHubPackages::URL_DOMAIN}/)?}o, "#{domain.chomp("/")}/")
     end
 
     out, _, status= curl_output("--location", "--silent", "--head", "--request", "GET", url.to_s, timeout: timeout)
@@ -507,8 +509,9 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
            .last
 
     basename = filenames.last || parse_basename(redirect_url)
+    is_redirection = url != redirect_url
 
-    @resolved_info_cache[url] = [redirect_url, basename, time, file_size]
+    @resolved_info_cache[url] = [redirect_url, basename, time, file_size, is_redirection]
   end
 
   def _fetch(url:, resolved_url:, timeout:)
@@ -528,8 +531,6 @@ class CurlDownloadStrategy < AbstractFileDownloadStrategy
   def _curl_args
     args = []
 
-    args += ["-L"] if Homebrew::EnvConfig.artifact_domain
-
     args += ["-b", meta.fetch(:cookies).map { |k, v| "#{k}=#{v}" }.join(";")] if meta.key?(:cookies)
 
     args += ["-e", meta.fetch(:referer)] if meta.key?(:referer)
@@ -566,8 +567,9 @@ class CurlGitHubPackagesDownloadStrategy < CurlDownloadStrategy
   def initialize(url, name, version, **meta)
     meta ||= {}
     meta[:headers] ||= []
-    token = Homebrew::EnvConfig.artifact_domain ? ENV.fetch("HOMEBREW_REGISTRY_ACCESS_TOKEN", "") : "QQ=="
+    token = Homebrew::EnvConfig.docker_registry_token
-    meta[:headers] << ["Authorization: Bearer #{token}"] unless token.empty?
+    token ||= "QQ=="
+    meta[:headers] << ["Authorization: Bearer #{token}"] if token.present?
     super(url, name, version, meta)
   end
 

Library/Homebrew/env_config.rb

@@ -170,9 +170,8 @@ module Homebrew
         description: "Use this GitHub personal access token when accessing the GitHub Packages Registry "\
                      "(where bottles may be stored).",
       },
-      HOMEBREW_REGISTRY_ACCESS_TOKEN:         {
+      HOMEBREW_DOCKER_REGISTRY_TOKEN:         {
-        description: "Use this bearer token for authenticating with a private registry proxying GitHub "\
+        description: "Use this bearer token for authenticating with a Docker registry proxying GitHub Packages.",
-                     "Packages Registry.",
       },
       HOMEBREW_GITHUB_PACKAGES_USER:          {
         description: "Use this username when accessing the GitHub Packages Registry (where bottles may be stored).",

Library/Homebrew/github_packages.rb

@@ -15,7 +15,7 @@ class GitHubPackages
   URL_DOMAIN = "ghcr.io"
   URL_PREFIX = "https://#{URL_DOMAIN}/v2/"
   DOCKER_PREFIX = "docker://#{URL_DOMAIN}/"
-  private_constant :URL_DOMAIN
+  public_constant :URL_DOMAIN
   private_constant :URL_PREFIX
   private_constant :DOCKER_PREFIX