SPM binary dependency in private GitHub release

theRealRobG · October 1, 2021, 9:31am

I have a project that produces an XCFramework which I zip and upload to the GitHub releases page of the private repository. I've added my personal access token to ~/.netrc and verified it working correctly against api.github.com. Following the GitHub REST reference I am able to find the relevant asset_id and declare a binary dependency as such:

.binaryTarget(
    name: privateName,
    url: "https://api.github.com/repos/\(owner)/\(repo)/releases/assets/\(assetId).zip", // must have .zip extension otherwise get "invalid extension" error - but seems GitHub API doesn't mind the file extension being added
    checksum: checksum
)

This however fails to pull in the binary content. When proxying the network traffic I can see that SPM is making the request without including the Accept: application/octet-stream header, and according to GitHub docs, without adding this header the response will just be a JSON output description of the asset. Based on this, SPM then fails the resolution with a checksum mismatch failure, since the response it got back is actually a JSON document rather than the zipped XCFramework.

Understandably SPM isn't setting any special request headers based on location; but:

Am I missing a more obvious way to depend on a binary hosted in a private GitHub release?
Is there a way to set custom headers on binary requests?
If there isn't a way currently, would it be considered to introduce a new parameter to Target.binaryTarget like customRequestHeaders: [String: String] = [:]?

As a point of reference, this is possible in Carthage via the use of the github origin keyword in the Cartfile, such as:

github "owner/repo" "release_tag"

For the special github case, Carthage first gets a release by tag name, then pulls in files that have .framework.zip (or .xcframework.zip when passing --use-xcframeworks arg) by correctly (for this scenario) setting the Accept: application/octet-stream.

Though from what I understand, this was a somewhat controversial feature introduction, as it gave special preference to GitHub integration over any other code repository. I imagine anything so custom wouldn't be desirable here, but any thoughts towards custom headers for binary targets?

eduardoperez-nbcuni · October 20, 2021, 9:26pm

I have seen these examples of using Github releases for the binary dependency download:

github.com

Appboy/appboy-ios-sdk/blob/master/Package.swift#L22


      
            .library(name: "AppboyKit", type: .static, targets: ["AppboyKit"]),
            .library(name: "AppboyUI", targets: ["AppboyUI"]),
            .library(name: "AppboyPushStory", targets: ["AppboyPushStory"])
          ],
          dependencies: [
            .package(name: "SDWebImage", url: "https://github.com/SDWebImage/SDWebImage.git", from: "5.8.2")
          ],
          targets: [
            .binaryTarget(
              name: "AppboyKitLibrary",
              url: "https://github.com/Appboy/appboy-ios-sdk/releases/download/4.5.0/AppboyKitLibrary.xcframework.zip",
              checksum: "963172c4ef6ed121a90c21aa5d038351184748262039199eaa23631ad3ea80c4"
            ),
            .target(
              name: "AppboyKit",
              dependencies: ["SDWebImage", "AppboyKitLibrary"],
              path: "AppboyKit",
              resources: [
                .process("Appboy.bundle")
              ],
              linkerSettings: [

github.com

Appboy/appboy-ios-sdk/blob/master/Package.swift#L56


      
            path: "AppboyUI",
            resources: [
              .process("ABKNewsFeed/Resources"),
              .process("ABKInAppMessage/Resources"),
              .process("ABKContentCards/Resources")
            ],
            publicHeadersPath: "include/AppboyUI"
          ),
          .binaryTarget(
            name: "AppboyPushStoryFramework",
            url: "https://github.com/Appboy/appboy-ios-sdk/releases/download/4.5.0/AppboyPushStoryFramework.xcframework.zip",
            checksum: "8c55069f0ad24ad6389764e4a6d4d85ac2f18964c1ed0c161f9d56e7a1e09cb4"
          ),
          .target(
            name: "AppboyPushStory",
            dependencies: ["AppboyPushStoryFramework"],
            path: "AppboyPushStory",
            resources: [
              .process("Resources/ABKPageView.nib")
            ]
          )

Although. I am not sure if this would be different for a private Github repository.

theRealRobG · October 21, 2021, 10:29am

Unfortunately when trying that with a private repository it doesn't seem that you are able to authenticate the request using basic auth. I've attempted this with a working .netrc in my home directory using the following curl:

curl -OLn "<<Private GitHub Release Page Asset Download URL>>"

But I always get "Not Found".