Artifactory: private GitHub repos require codeload.github.com workaround #710

@chkp-roniz

Summary

When using JFrog Artifactory as a remote repository proxy for GitHub, downloading archive (zip) files from private repositories (including GitHub EMU accounts) fails because GitHub uses a redirect-based download flow that Artifactory cannot follow with authentication.

Problem

GitHub serves archive downloads differently for private vs public repos:

  • Public repos: https://github.com/{owner}/{repo}/archive/refs/heads/{ref}.zip serves the zip directly — Artifactory can proxy this without issues.
  • Private repos: The same URL returns a 302 redirect to https://codeload.github.com/{owner}/{repo}/legacy.zip/refs/heads/{ref}?token=<temporary-token>. Artifactory's remote repository cannot follow this cross-host redirect with proper authentication, resulting in a 404.

Workaround

The workaround is to configure the Artifactory remote repository's upstream URL to point to https://codeload.github.com/ instead of https://github.com/. The codeload endpoint serves the zip directly with token authentication (no redirect), which Artifactory can proxy correctly.

However, the URL pattern changes:

  • github.com style: /{owner}/{repo}/archive/refs/heads/{ref}.zip
  • codeload.github.com style: /{owner}/{repo}/zip/refs/heads/{ref}

This means APM's build_artifactory_archive_url() in utils/github_host.py currently only generates github.com-style and gitlab-style archive URLs. It does not generate codeload.github.com-style URLs, so Artifactory remote repos configured with the codeload workaround won't match APM's expected URL patterns.

Impact

This affects any organization using:

  • GitHub EMU (Enterprise Managed Users) accounts with private repositories
  • JFrog Artifactory as a registry proxy for GitHub
  • APM for package management

Suggestion

Consider adding support for the codeload.github.com URL pattern in build_artifactory_archive_url():

# codeload.github.com style: /{owner}/{repo}/zip/refs/heads/{ref}
f"{base}/zip/refs/heads/{ref}",
# codeload.github.com tags fallback
f"{base}/zip/refs/tags/{ref}",

Additionally, APM could detect whether an Artifactory remote repo proxies github.com vs codeload.github.com and adjust the URL pattern accordingly.

Additional Artifactory Configuration Notes

For others hitting this issue, the Artifactory remote repository also requires:

  1. Token authentication enabled with a GitHub PAT that has repo access
  2. Include patterns set to allow the {owner}/{repo}/** path
  3. Upstream URL set to https://codeload.github.com/ for private repos

🤖 Generated with Claude Code
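
One way to build both URL styles through an Artifactory proxy, as an added example (it is not APM's build_artifactory_archive_url() and not code from the issue). The function name candidate_archive_urls, the upstream parameter, the allow-list rules and the artifactory.example.com base URL are assumptions.

```python
import re

# Allow-lists (assumed, deliberately strict): nothing that can reshape the proxied path.
_NAME = re.compile(r"[A-Za-z0-9_.-]+")
_REF = re.compile(r"[A-Za-z0-9_./-]+")

# Path templates from the issue, plus the github.com tags form.
_TEMPLATES = {
    "github": ("archive/refs/heads/{ref}.zip", "archive/refs/tags/{ref}.zip"),
    "codeload": ("zip/refs/heads/{ref}", "zip/refs/tags/{ref}"),
}


def _validate(owner, repo, ref):
    for label, value in (("owner", owner), ("repo", repo)):
        if not _NAME.fullmatch(value) or value in (".", ".."):
            raise ValueError(f"invalid {label}: {value!r}")
    # Refs may contain "/" (feature/x) but never empty or dot segments, which
    # could move the request outside the {owner}/{repo}/** include pattern.
    if not _REF.fullmatch(ref) or any(s in ("", ".", "..") for s in ref.split("/")):
        raise ValueError(f"invalid ref: {ref!r}")


def candidate_archive_urls(proxy_base, owner, repo, ref, upstream="github"):
    """Return archive URLs to try in order (branch first, then tag).

    upstream names what the Artifactory remote repo points at:
    "github" for https://github.com/, "codeload" for https://codeload.github.com/.
    No token is placed in the URL; the PAT stays in the Artifactory repo settings.
    """
    if upstream not in _TEMPLATES:
        raise ValueError(f"unknown upstream style: {upstream!r}")
    _validate(owner, repo, ref)
    base = f"{proxy_base.rstrip('/')}/{owner}/{repo}"
    return [f"{base}/{t.format(ref=ref)}" for t in _TEMPLATES[upstream]]


if __name__ == "__main__":
    # Constructed proxy URL and repository names, for illustration only.
    proxy = "https://artifactory.example.com/artifactory/github-codeload"
    for url in candidate_archive_urls(proxy, "acme", "tools", "main", upstream="codeload"):
        print(url)
```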

Labels: accepted (Direction approved, safe to start work), enhancement (New feature or request)
