Add Token input for custom or unauthenticated API access #24

Draft
Copilot wants to merge 3 commits into main from copilot/add-token-input-for-api-access
Contributor

Copilot AI commented Feb 23, 2026

No way to override or disable the token used for GitHub API calls when resolving latest version. This blocks workflows where github.token is unavailable, restricted, or where anonymous access is preferred to avoid rate-limit attribution.

Changes

  • New Token input in action.yml — optional, defaults to ${{ github.token }} (backward compatible)
  • Linux/macOS steps — conditional AUTH_HEADER bash array; omits Authorization header when token is empty
  • Windows step — conditional $headers['Authorization'] addition; omits key when $env:GITHUB_TOKEN is empty
  • All three env blocks: GITHUB_TOKEN: ${{ github.token }} → GITHUB_TOKEN: ${{ inputs.Token }}
  • README — inputs table, secrets section, and usage examples updated
  • Test — added ActionTestAnonymous job in Action-Test.yml that runs across all three platforms with Token: '' to validate unauthenticated API access

Usage

# Custom PAT
- uses: PSModule/install-powershell@v1
  with:
    Token: ${{ secrets.MY_GITHUB_PAT }}

# Anonymous (unauthenticated)
- uses: PSModule/install-powershell@v1
  with:
    Token: ''

No breaking changes — omitting Token preserves existing behavior.

Original prompt

This section details the original issue you should resolve

<issue_title>Add Token input for custom or unauthenticated API access</issue_title>
<issue_description>## Context

PSModule/Install-PowerShell is used in GitHub Actions workflows to install PowerShell Core on runners. When the action resolves the latest version, it queries the GitHub REST API to fetch release metadata from the PowerShell/PowerShell repository.

Some workflows run in environments where the default [github.token](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication) is unavailable, has restricted permissions, or where a custom Personal Access Token (PAT) is preferred to avoid API rate limiting. In other cases, fully unauthenticated (anonymous) API access is desired.

Currently, there is no way to override or disable the token used by the action for GitHub API calls.

Request

The action should accept an optional token input that controls authentication for all GitHub API calls it makes.

What is expected

  • A new optional input (e.g., Token) that defaults to ${{ github.token }} for backward compatibility.
  • When set to a custom value, the action uses that token for all GitHub API calls.
  • When set to an empty string (''), the action makes unauthenticated API calls (no Authorization header).

Acceptance criteria

  • Existing workflows that do not specify Token continue to work exactly as before (backward compatible).
  • A custom token can be provided and is used for all GitHub REST API calls across all platforms.
  • An empty string disables the Authorization header entirely, allowing fully anonymous API access.
  • The action does not leak the token value in logs.

Technical decisions

Input naming: Use Token as the input name — concise and consistent with other GitHub Actions conventions. Default value is ${{ github.token }} to maintain backward compatibility.

Environment variable: Continue using GITHUB_TOKEN as the env var name internally. The new input simply controls what value flows into it via GITHUB_TOKEN: ${{ inputs.Token }}.

Conditional authentication (Linux/macOS — bash): When GITHUB_TOKEN is empty, omit the -H "Authorization: Bearer ..." header from all curl calls that hit api.github.com. Use a helper variable or conditional flag, e.g.:

AUTH_HEADER=()
if [[ -n "$GITHUB_TOKEN" ]]; then
  AUTH_HEADER=(-H "Authorization: Bearer $GITHUB_TOKEN")
fi
# Then use: curl -s -f "${AUTH_HEADER[@]}" -H "Accept: ..." ...

Conditional authentication (Windows — PowerShell): When GITHUB_TOKEN is empty, do not include the Authorization key in the $headers hashtable. E.g.:

$headers = @{
    'Accept'               = 'application/vnd.github+json'
    'X-GitHub-Api-Version' = '2022-11-28'
}
if ($env:GITHUB_TOKEN) {
    $headers['Authorization'] = "Bearer $($env:GITHUB_TOKEN)"
}

Scope of change: All three platform steps (Linux, macOS, Windows) in action.yml must be updated consistently. Each step's env block changes from GITHUB_TOKEN: ${{ github.token }} to GITHUB_TOKEN: ${{ inputs.Token }}, and each step's script is updated to conditionally include the auth header.

Affected API calls: Every curl (Linux/macOS) and Invoke-RestMethod (Windows) call that hits api.github.com must be updated. The direct download URLs (e.g., github.com/.../releases/download/...) do not require authentication and should remain unchanged.

Breaking changes: None. The default value matches existing behavior (${{ github.token }}).

Documentation: Update the README inputs table and the "Secrets" / "How it works" sections.


Implementation plan

Core changes

  • Add Token input to action.yml with required: false and default: '${{ github.token }}'
  • Update the Linux step's env block: GITHUB_TOKEN: ${{ inputs.Token }}
  • Update the Linux step's bash script to conditionally build the auth header for all API curl calls
  • Update the macOS step's env block: GITHUB_TOKEN: ${{ inputs.Token }}
  • Update the macOS step's bash script to conditionally build the auth header for all API curl calls
  • Update the Windows step's env block: GITHUB_TOKEN: ${{ inputs.Token }}
  • Update the Windows step's PowerShell script to conditionally include the Authorization header

Documentation

  • Add Token row to the README inputs table
  • Update the "Secrets" section to mention optional token usage
  • Add a usage example showing custom token and another showing empty string (anonymous) usage
    </issue_description>

Comm...
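
An added example, not code from this pull request or from the action: the conditional AUTH_HEADER idiom described above, written so the empty-token path survives `set -u` on older bash and so a debug line never contains the token. The endpoint URL, the token value and the function names `build_api_args` and `redacted_args` are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
set -euo pipefail

# Fill the global array CURL_ARGS with the curl arguments for one
# api.github.com request. Empty or unset GITHUB_TOKEN => no Authorization.
build_api_args() {
  local url=$1
  local -a auth=()
  if [[ -n "${GITHUB_TOKEN:-}" ]]; then
    auth=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
  fi
  # ${auth[@]+...} expands to nothing when the array is empty. A bare
  # "${auth[@]}" is an "unbound variable" error under `set -u` on bash
  # older than 4.4 (for example the bash 3.2 shipped with macOS).
  CURL_ARGS=(-s -f ${auth[@]+"${auth[@]}"}
    -H 'Accept: application/vnd.github+json'
    -H 'X-GitHub-Api-Version: 2022-11-28'
    "$url")
}

# Print CURL_ARGS as one line with the bearer value replaced, so a debug
# log shows whether the call is authenticated without exposing the token.
redacted_args() {
  local arg
  local -a out=()
  for arg in "${CURL_ARGS[@]}"; do
    case $arg in
      'Authorization: Bearer '*) out+=('Authorization: Bearer ***') ;;
      *) out+=("$arg") ;;
    esac
  done
  printf '%s\n' "${out[*]}"
}

# Constructed inputs; nothing is sent over the network.
# Assumed endpoint for the latest-release lookup.
API_URL='https://api.github.com/repos/PowerShell/PowerShell/releases/latest'

GITHUB_TOKEN=''
build_api_args "$API_URL"
echo "anonymous:     $(redacted_args)"

GITHUB_TOKEN='constructed-example-token'
build_api_args "$API_URL"
echo "authenticated: $(redacted_args)"
# The real call would be: curl "${CURL_ARGS[@]}"
```
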



Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add token input for custom or unauthenticated API access" to "Add Token input for custom or unauthenticated API access" on Feb 23, 2026
@MariusStorhaug
Member

Copilot Add a test that shows that the unauthenticated version works.

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 23, 2026

> @copilot Add a test that shows that the unauthenticated version works.

Added an ActionTestAnonymous job in Action-Test.yml (74612fe) that runs across all three platforms (ubuntu-latest, windows-latest, macOS-latest) with Token: ''. It installs the latest stable version using fully unauthenticated API calls and verifies the installed version is valid.
