From 0da1792871c1e56905c95d47e0d30721f1b36be7 Mon Sep 17 00:00:00 2001
From: casjay
Date: Sun, 21 Jun 2026 19:07:39 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Retry=20GitHub=20API=20calls=20o?= =?UTF-8?q?n=20rate-limit=20403s=20during=20build=20=F0=9F=90=9B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Parallel multi-platform builds (amd64 + arm64) fire ~14 unauthenticated GitHub API calls concurrently — well over the 60 req/hr limit — causing 05-custom.sh to fail with a 403 on dominikh/go-tools (staticcheck). Fix: _gh_latest now retries up to 3 times with a 60-second delay on failure before giving up. A GITHUB_TOKEN build arg is also wired through to the build stage ENV so callers can pass --build-arg GITHUB_TOKEN=$(gh auth token) to raise the limit to 5000 req/hr and avoid the delay. - Dockerfile: add ARG GITHUB_TOKEN="" and ENV GITHUB_TOKEN in build stage - rootfs/root/docker/setup/05-custom.sh: retry loop (3 attempts, 60s backoff) in _gh_latest Dockerfile rootfs/root/docker/setup/05-custom.sh
---
 Dockerfile | 4 ++++
 rootfs/root/docker/setup/05-custom.sh | 27 ++++++++++++++++++---------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 5a398a9..8d42dc2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,6 +52,9 @@ FROM ${PULL_URL}:${DISTRO_VERSION} AS build
 ARG TZ
 ARG USER
 ARG LICENSE
+# Optional: pass --build-arg GITHUB_TOKEN=$(gh auth token) to raise the API rate
+# limit from 60 to 5000 req/hr — avoids 403s in parallel multi-platform builds.
+ARG GITHUB_TOKEN=""
 ARG TIMEZONE
 ARG LANGUAGE
 ARG IMAGE_NAME
@@ -91,6 +94,7 @@ ENV GOTOOLCHAIN="auto"
 ENV GOFLAGS="-buildvcs=false"
 ENV GOTELEMETRY="off"
 ENV GOPROXY="https://proxy.golang.org,direct"
+ENV GITHUB_TOKEN="${GITHUB_TOKEN}"
 USER ${USER}
 WORKDIR /root
diff --git a/rootfs/root/docker/setup/05-custom.sh b/rootfs/root/docker/setup/05-custom.sh
index 809289e..14af04d 100755
--- a/rootfs/root/docker/setup/05-custom.sh
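Review bot: The `ARG GITHUB_TOKEN=""` / `ENV GITHUB_TOKEN="${GITHUB_TOKEN}"` pair (both Dockerfile hunks) copies the credential into the `build` stage's image configuration, where anyone who can inspect that stage, its cached layers or its history can read it; build args are not a secret channel. Whether this stage or layers from it reach the published image is not visible from the hunks, so the exposure may extend to everyone who pulls the image. Prefer a BuildKit secret mount on the step that runs the setup script, e.g. `RUN --mount=type=secret,id=github_token …` with the script reading `/run/secrets/github_token`, and drop the `ENV` line. If the build arg is kept, the comment should recommend a short-lived, minimally scoped token rather than the caller's `gh auth token`.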
+++ b/rootfs/root/docker/setup/05-custom.sh
@@ -41,20 +41,29 @@ GOCACHE_BUILD="/tmp/go-build-cache"
 # - - - - - - - - - - - - - - - - - - - - - - - - -
 # Helpers
-# Return the latest release tag from GitHub; exits 1 if the version cannot be resolved
+# Return the latest release tag from GitHub; retries up to 3 times on transient errors
+# (rate-limit 403s are common in parallel multi-platform builds without a token).
+# Set GITHUB_TOKEN to raise the authenticated rate limit (5000 req/hr vs 60 req/hr).
 _gh_latest() {
 local repo="$1"
 local filter="${2:-.tag_name}"
 local auth_header=""
 [ -n "${GITHUB_TOKEN:-}" ] && auth_header="-H Authorization: token ${GITHUB_TOKEN}"
- # shellcheck disable=SC2206
- local ver
- ver="$(curl -fsSL ${auth_header:+$auth_header} "https://api.github.com/repos/${repo}/releases/latest" | jq -r "${filter}")"
- if [ -z "$ver" ] || [ "$ver" = "null" ]; then
- echo "ERROR: could not resolve latest version for ${repo}" >&2
- exit 1
- fi
- echo "$ver"
+ local ver attempt
+ for attempt in 1 2 3; do
+ # shellcheck disable=SC2206
+ ver="$(curl -fsSL ${auth_header:+$auth_header} "https://api.github.com/repos/${repo}/releases/latest" | jq -r "${filter}")"
+ if [ -n "$ver" ] && [ "$ver" != "null" ]; then
+ echo "$ver"
+ return 0
+ fi
+ if [ "$attempt" -lt 3 ]; then
+ echo " rate-limited on ${repo} (attempt ${attempt}/3) — retrying in 60s..." >&2
+ sleep 60
+ fi
+ done
+ echo "ERROR: could not resolve latest version for ${repo} after 3 attempts" >&2
+ exit 1
 }
 # Download a tar.gz asset, find a named binary anywhere inside, install to GOBIN_DIR
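Review bot: The curl line inside the new loop still expands `${auth_header:+$auth_header}` unquoted, so with the default IFS the string `-H Authorization: token <value>` splits into four words: curl gets `-H Authorization:` (a header with no value) and then treats `token` and the token value as additional URLs. The API request therefore appears to stay unauthenticated, so the retries still run against the 60 req/hr limit, and the secret is handed to curl as a hostname to resolve. Assuming the script runs under bash, build the option as an array: `local -a auth=()`, `[ -n "${GITHUB_TOKEN:-}" ] && auth=(-H "Authorization: token ${GITHUB_TOKEN}")`, then `curl -fsSL "${auth[@]}" …`. Separately, every failure (404, network error, a filter that yields nothing) is logged as "rate-limited" and costs two 60-second sleeps; checking the HTTP status would let non-rate-limit errors fail fast.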