Fixes #2680

Description

gh release download now works without authentication against public repositories, matching gh extension install. A token is still used when one is present.

Key Points

This change has three parts, from simplest to subtlest:

• Why drop the auth gate - the login requirement is unnecessary for public downloads.
• Fixing the by-tag race to be success oriented - an anonymous draft-lookup 403 no longer masks a release the REST lookup found.
• Honoring the gate under repo override - the cobra plumbing fix that makes the dropped gate apply to download.

Why drop the auth gate

Release endpoints for public repositories are readable anonymously over REST, so the login gate is unnecessary. Removing it is the same one-line cmdutil.DisableAuthCheck change that #13176 made for gh extension install.

The same logic here applies as with gh extension install:

What this says is that extension installation is going to happen unauthenticated whether we make it easier or not. We might as well make it easier and keep people installing through our core commands.

In gh release download - people are going to just curl the endpoint directly, and that degrades their experience since we provide a lot of abstractions over the API that make gh much more than a curl/gh api call.

But I'll broaden the conversation - we got feedback that folks are using gh release download more in CI and they want to secure their CI by not providing gh a token unless it's necessary. If you're downloading a public asset, that's not necessary and we force you to use a larger than necessary token scope.

Fixing the by-tag race to be success oriented

The by-tag path creates problems that make this deviate a bit from gh ext install - that's one reason why this diff is a bit bigger. FetchRelease races a published-release REST lookup against a draft-release GraphQL lookup. GraphQL rejects anonymous requests, so the draft lookup returns a 403. The old selector returned the first result unless it was exactly ErrReleaseNotFound, so that 403 could win the race and mask a release the REST lookup found.

The selector now prefers a found release and only errors when both lookups fail. We used to return whichever result arrived first, treating only a not-found error as a reason to wait for the second:

// Before - a non-not-found error from either lookup wins
res := <-results
if errors.Is(res.error, ErrReleaseNotFound) {
    res = <-results
    cancel()
} else {
    cancel()
    <-results // drain the channel
}
return res.release, res.error

Now we take a success from either lookup, and only surface an error when both fail:

// Now - a found release wins; an error needs both lookups to fail
first := <-results
if first.error == nil {
    cancel()
    <-results // drain the channel
    return first.release, nil
}

second := <-results
cancel()
if second.error == nil {
    return second.release, nil
}
if errors.Is(second.error, ErrReleaseNotFound) {
    return nil, second.error
}
return nil, first.error

This also stops a transient draft-lookup failure from masking a real release for authenticated users.

Honoring the gate under repo override

Removing the gate did not take effect on its own. release enables the -R/--repo override, and that installs a PersistentPreRunE on the release command. cobra runs only the nearest such hook walking up from the command you invoked, so the override hook shadows the root auth gate. The override re-runs the nearest ancestor hook to make up for that, but it handed the ancestor to the hook as the command, so the auth gate judged release instead of download and never saw download's DisableAuthCheck.

The fix keeps the invoked command and passes that leaf up, the node cobra would have judged if the repo override didn't muck with it:

// Before - climbs by reassigning cmd, so the gate is judged against the ancestor
for cmd.HasParent() {
    cmd = cmd.Parent()
    if cmd.PersistentPreRunE != nil {
        return cmd.PersistentPreRunE(cmd, args)
    }
}

// Now - keep the invoked leaf and pass it up
for p := overrideCmd.Parent(); p != nil; p = p.Parent() {
    if p.PersistentPreRunE != nil {
        return p.PersistentPreRunE(cmd, args)
    }
}

This mirrors cobra's own execute loop, which walks the parents but always hands them the leaf command. cobra's EnableTraverseRunHooks global would run the whole chain for us and maybe is a better long term fix, but it is process-wide and would change pre-run behavior for every command, so I'm not touching it here.

I guarded this with an integration test, since the bug only surfaces with the pieces wired together. Test_EnableRepoOverride_authCheckIntegration builds a root gate, a repo-override parent, and a leaf, then asserts the gate judged the leaf: opting out with DisableAuthCheck skips the check, otherwise the gate still runs. It lives in cmdutil beside the helper, since the coupling is the helper's, not any one command's.

Notes for reviewers

Three atomic commits:

• fix(release): don't let a failed draft lookup mask a found release changes the selector in FetchRelease and adds a regression case to the existing Test_downloadRun table.
• feat(release): allow download without authentication removes the gate in the download command.
• fix(cmdutil): honor DisableAuthCheck under repo-override parents fixes the repo-override helper so the gate removal actually takes effect, and adds an integration test that pins the coupling between repo override and the root auth gate.

Additional Context

• Allow certain requests to be unauthenticated. #2680 is the standing request to allow unauthenticated public requests, and its motivating example is gh release download on a public repo.
• Disable auth check for gh extension install #13176 removed the same gate for gh extension install and is the precedent this follows.