setup-uv fails with API rate limits on GHEC (Enterprise Cloud) #115

@scarowar

Problem

When using terraform-branch-deploy on GitHub Enterprise Cloud with a custom domain (e.g., company.ghe.com), the astral-sh/setup-uv step fails with:

No (valid) GitHub token provided. Falling back to anonymous. Requests might be rate limited.
##[error]API rate limit exceeded for <IP>

Root Cause

The action invokes astral-sh/setup-uv without passing any inputs (~line 440 of action.yml):

- name: Setup UV
  uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41

setup-uv defaults to ${{ github.token }} for its github-token input. On GHEC with custom domains, this token is scoped to the enterprise domain (e.g., company.ghe.com) and is not valid for api.github.com. When setup-uv tries to resolve the latest uv release from github.com/astral-sh/uv/releases, the token is rejected, it falls back to anonymous, and anonymous requests are rate-limited (60/hour shared across the runner IP).

This does not affect GHES (e.g., git.i.company.com) because GHES tokens happen to work differently, or the runner IPs aren't as heavily rate-limited.

Workaround

Users can add a uv.toml file at the repo root:

required-version = ">=0.7.0"

This causes setup-uv to skip the API lookup entirely and install the specified version.

Proposed Fix

Add a uv-version input to the action and pass it through to setup-uv:

# In action.yml inputs section:
inputs:
  uv-version:
    description: "Version of uv to install. Use 'latest' to fetch from GitHub API (requires valid github.com token). Default: '>=0.7.0'"
    required: false
    default: ">=0.7.0"

# In the setup-uv step:
- name: Setup UV
  uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41
  with:
    version: ${{ inputs.uv-version }}

By defaulting to a pinned minimum version (>=0.7.0) instead of latest, the action avoids the API call entirely for the common case. Users on github.com who want the absolute latest can set uv-version: latest.

Additional Consideration

The same issue could potentially affect hashicorp/setup-terraform if it queries github.com for releases. Worth auditing all tool-setup steps for GHEC compatibility.
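
The audit suggested under Additional Consideration, as an added example (not code from this issue or from terraform-branch-deploy): a line-based scan of workflow or composite-action YAML that reports tool-setup steps with no fixed version input. The `terraform_version` entry, the `find_unpinned` name and the sample steps are assumptions, and a `uv.toml` with `required-version` is not taken into account.

```python
import re

# Action -> input that fixes the tool version. `version` is the setup-uv input
# used in the issue; the setup-terraform entry is an assumption for illustration.
VERSION_INPUT = {"astral-sh/setup-uv": "version",
                 "hashicorp/setup-terraform": "terraform_version"}
USES_RE = re.compile(r"^\s*(?:- )?uses:\s*['\"]?([^@'\"\s]+)@")
KEY_RE = re.compile(r"^( *)([\w-]+):\s*(.*)$")

def indent(line):
    return len(line) - len(line.lstrip(" "))

def find_unpinned(text):
    """Return [(line_no, action)] for setup steps whose version input is absent or 'latest'."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1) not in VERSION_INPUT:
            continue
        key_col = line.index("uses:")
        start = i  # walk back to the "- " that opens this step
        while start > 0 and not lines[start].lstrip().startswith("- "):
            start -= 1
        end = i + 1  # walk forward until indentation drops below the step's keys
        while end < len(lines) and (not lines[end].strip() or indent(lines[end]) >= key_col):
            end += 1
        value, in_with = None, False
        for raw in lines[start:end]:
            if raw.lstrip().startswith("- "):
                raw = raw.replace("- ", "  ", 1)  # align the first key with the rest
            k = KEY_RE.match(raw)
            if k and len(k.group(1)) == key_col:
                in_with = k.group(2) == "with"
            elif k and in_with and k.group(2) == VERSION_INPUT[m.group(1)]:
                value = k.group(3).strip().strip("'\"")
        if value in (None, "", "latest"):  # these trigger the release lookup
            findings.append((i + 1, m.group(1)))
    return findings

# Constructed sample: the step from the issue, the proposed fix, and a
# hypothetical setup-terraform step (PLACEHOLDER_SHA is not a real ref).
SAMPLE = """\
- name: Setup UV
  uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41
- uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41
  with:
    version: ${{ inputs.uv-version }}
- uses: hashicorp/setup-terraform@PLACEHOLDER_SHA
  with:
    terraform_version: latest
"""
```

Calling `find_unpinned(SAMPLE)` reports the first and third steps; the step that passes `version` through is accepted.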
