For reference, and to clarify @theRealRobG 's doubts, here is the curl call to download release assets (not release source code) via the GitHub REST API:
curl \
--location \
--output release_asset.zip \
-H "Accept: application/octet-stream" \
-H "Authorization: token MY_GITHUB_PAT" \
"https://api.github.com/repos/{owner}/{repo}/releases/assets/{release_id}"
Where MY_GITHUB_PAT is a GitHub PAT with full repo permissions. You can find the full URL by copying the URL of the required release asset in the release's page on GitHub, and via the GitHub CLI:
$ gh release view THE_RELEASE_TAG --json apiUrl
The curl call can leverage a netrc file thus (as @MPLewis points out):
$ cat ~/.netrc
machine api.github.com
login MY_GITHUB_PAT
curl \
--location \
--netrc \
--output release_asset.zip \
-H "Accept: application/octet-stream" \
"https://api.github.com/repos/{owner}/{repo}/releases/assets/{release_id}"
It looks like Xcode 13 fails to add Swift packages that specify a binaryTarget with the URL of a GitHub asset in a private repo (even with a correctly formatted ~/.netrc file with suitable credentials):
targets: [
.binaryTarget(
name: "FrameworkName",
url: "https://api.github.com/repos/{owner}/{repo}/releases/assets/{release_id}",
checksum: "f7c06...."
I got in touch with GitHub support and they've confirmed that the GitHub API doesn't currently support this SPM functionality.
@NeoNacho How could we go about supporting this functionality in a future release of SPM?