Rate limit for web3signer_tests on CI #3812

@michaelsproul

Description

We're occasionally getting rate-limited calling the GitHub API to download the web3signer_tests. E.g. https://github.com/sigp/lighthouse/actions/runs/3708544134/jobs/6286220721

The code triggering the rate limit is:

```rust
// Get the latest release of the web3 signer repo.
let latest_response: Value = client
    .get("https://api.github.com/repos/ConsenSys/web3signer/releases/latest")
    .send()
    .await
    .unwrap()
    .error_for_status()
    .unwrap()
    .json()
    .await
    .unwrap();
```

Running that API call in a loop in my terminal I can trigger a 403 response by making more than 60 requests/second:

```json
{"message":"API rate limit exceeded for x.x.x.x. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)","documentation_url":"https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"}
```

Steps to resolve

I think the best option would be to plumb the GITHUB_TOKEN into that build script so that it can use it to bypass the rate limit. The build script could read an optional secret from its env when it runs and add this to the request headers (when running locally the header would not be added).

I think if we do something like `echo ${{ secrets.GITHUB_TOKEN }} >> $GITHUB_ENV` that might be OK, as long as GitHub scrubs the token from the logs. Tokens are unique to each CI run and have very limited read permissions on pull requests. See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
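
One way to build the request headers described above, with the token optional and kept out of build logs. This is an added example, not Lighthouse's code: the `Token` type, the function names and the User-Agent value are hypothetical, and it assumes the workflow exposes the token to the step as an environment variable named `GITHUB_TOKEN`.

```rust
use std::fmt;

/// Token wrapper whose Debug output never contains the secret.
pub struct Token(String);

impl fmt::Debug for Token {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Token(<redacted>)")
    }
}

/// Read the optional token through `lookup` (a build script passes
/// `|k| std::env::var(k).ok()`). Unset or empty means "run unauthenticated".
pub fn token_from_env(lookup: impl Fn(&str) -> Option<String>) -> Result<Option<Token>, String> {
    let raw = match lookup("GITHUB_TOKEN") {
        Some(v) if !v.trim().is_empty() => v,
        _ => return Ok(None),
    };
    let raw = raw.trim().to_string();
    // Refuse anything that could split or corrupt the header line.
    if raw.chars().any(|c| c.is_control() || c.is_whitespace()) {
        return Err("GITHUB_TOKEN contains whitespace or control characters".into());
    }
    Ok(Some(Token(raw)))
}

/// Headers for the releases/latest request; Authorization only when a token exists.
pub fn github_headers(token: Option<&Token>) -> Vec<(&'static str, String)> {
    let mut headers = vec![
        ("User-Agent", "web3signer-tests-build".to_string()), // hypothetical value
        ("Accept", "application/vnd.github+json".to_string()),
    ];
    if let Some(t) = token {
        headers.push(("Authorization", format!("Bearer {}", t.0)));
    }
    headers
}

fn main() {
    let token = token_from_env(|k| std::env::var(k).ok()).expect("invalid GITHUB_TOKEN");
    // Safe to log: Debug prints "Token(<redacted>)", never the value.
    println!("token: {:?}", token);
    for (name, _) in github_headers(token.as_ref()) {
        println!("sending header: {}", name);
    }
}
```

The returned pairs would be attached to the existing `client.get(...)` request; local runs without the variable send the same request minus the `Authorization` header.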
