fix: add interactive GitHub PAT prompt on rate limit / auth failure

When a GitHub API call fails with HTTP 401 (invalid token) or HTTP 403
(rate limit exceeded), the user is now prompted interactively to enter a
GitHub Personal Access Token (PAT). The token is validated (no empty
input, no whitespace) before being set and the API call is retried.

This applies to both github_api_call() and fetch_and_deploy_gh_release().

Closes #12615

CHANGELOG.md

@@ -412,6 +412,13 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ## 2026-03-07
 
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Update Rdtclient to dotnet 10.0 [@asylumexp](https://github.com/asylumexp) ([#12638](https://github.com/community-scripts/ProxmoxVE/pull/12638))
+    - fix(immich): fix update script failing to add Debian testing repo when preferences file already exists [@Copilot](https://github.com/Copilot) ([#12631](https://github.com/community-scripts/ProxmoxVE/pull/12631))
+
 ## 2026-03-06
 
 ### 🚀 Updated Scripts

ct/immich.sh

@@ -36,9 +36,13 @@ function update_script() {
     exit
   fi
 
-  if [[ ! -f /etc/apt/preferences.d/preferences ]]; then
+  if ! grep -qE '(^|[[:space:]])testing([[:space:]]|$)' /etc/apt/sources.list.d/debian.sources 2>/dev/null; then
     msg_info "Adding Debian Testing repo"
-    sed -i 's/ trixie-updates/ trixie-updates testing/g' /etc/apt/sources.list.d/debian.sources
+    if grep -q "trixie-updates" /etc/apt/sources.list.d/debian.sources 2>/dev/null; then
+      sed -i 's/ trixie-updates/ trixie-updates testing/g' /etc/apt/sources.list.d/debian.sources
+    else
+      sed -i '/^[[:space:]]*Suites:.*trixie/ s/$/ testing/' /etc/apt/sources.list.d/debian.sources
+    fi
     cat <<EOF >/etc/apt/preferences.d/preferences
 Package: *
 Pin: release a=unstable

frontend/public/json/github-versions.json

@@ -1,5 +1,5 @@
 {
-  "generated": "2026-03-07T00:19:56Z",
+  "generated": "2026-03-07T18:06:42Z",
   "versions": [
     {
       "slug": "2fauth",
@@ -116,9 +116,9 @@
     {
       "slug": "bentopdf",
       "repo": "alam00000/bentopdf",
-      "version": "v2.4.0",
+      "version": "v2.4.1",
       "pinned": false,
-      "date": "2026-03-01T14:25:43Z"
+      "date": "2026-03-07T09:14:39Z"
     },
     {
       "slug": "beszel",
@@ -284,9 +284,9 @@
     {
       "slug": "discopanel",
       "repo": "nickheyer/discopanel",
-      "version": "v2.0.0",
+      "version": "v2.0.1",
       "pinned": false,
-      "date": "2026-03-06T08:19:39Z"
+      "date": "2026-03-07T02:43:33Z"
     },
     {
       "slug": "dispatcharr",
@@ -438,9 +438,9 @@
     {
       "slug": "ghostfolio",
       "repo": "ghostfolio/ghostfolio",
-      "version": "2.247.0",
+      "version": "2.248.0",
       "pinned": false,
-      "date": "2026-03-04T07:48:00Z"
+      "date": "2026-03-07T17:24:24Z"
     },
     {
       "slug": "gitea",
@@ -452,9 +452,9 @@
     {
       "slug": "gitea-mirror",
       "repo": "RayLabsHQ/gitea-mirror",
-      "version": "v3.12.4",
+      "version": "v3.12.5",
       "pinned": false,
-      "date": "2026-03-06T05:02:40Z"
+      "date": "2026-03-07T01:30:40Z"
     },
     {
       "slug": "glance",
@@ -557,9 +557,9 @@
     {
       "slug": "homebox",
       "repo": "sysadminsmedia/homebox",
-      "version": "v0.24.0",
+      "version": "v0.24.1",
       "pinned": false,
-      "date": "2026-03-03T16:09:55Z"
+      "date": "2026-03-07T15:41:21Z"
     },
     {
       "slug": "homepage",
@@ -613,9 +613,9 @@
     {
       "slug": "jackett",
       "repo": "Jackett/Jackett",
-      "version": "v0.24.1292",
+      "version": "v0.24.1307",
       "pinned": false,
-      "date": "2026-03-06T05:57:21Z"
+      "date": "2026-03-07T05:55:30Z"
     },
     {
       "slug": "jellystat",
@@ -872,9 +872,9 @@
     {
       "slug": "metube",
       "repo": "alexta69/metube",
-      "version": "2026.03.06",
+      "version": "2026.03.07",
       "pinned": false,
-      "date": "2026-03-06T13:52:56Z"
+      "date": "2026-03-07T14:14:57Z"
     },
     {
       "slug": "miniflux",
@@ -1145,9 +1145,9 @@
     {
       "slug": "pocketid",
       "repo": "pocket-id/pocket-id",
-      "version": "v2.3.0",
+      "version": "v2.4.0",
       "pinned": false,
-      "date": "2026-02-23T19:50:48Z"
+      "date": "2026-03-07T17:51:41Z"
     },
     {
       "slug": "powerdns",
@@ -1355,9 +1355,9 @@
     {
       "slug": "scanopy",
       "repo": "scanopy/scanopy",
-      "version": "v0.14.14",
+      "version": "v0.14.15",
       "pinned": false,
-      "date": "2026-03-06T06:50:38Z"
+      "date": "2026-03-06T23:06:01Z"
     },
     {
       "slug": "scraparr",
@@ -1467,9 +1467,9 @@
     {
       "slug": "sportarr",
       "repo": "Sportarr/Sportarr",
-      "version": "v4.0.986.1061",
+      "version": "v4.0.988.1063",
       "pinned": false,
-      "date": "2026-03-06T01:04:24Z"
+      "date": "2026-03-07T12:15:33Z"
     },
     {
       "slug": "stirling-pdf",
@@ -1796,9 +1796,9 @@
     {
       "slug": "yubal",
       "repo": "guillevc/yubal",
-      "version": "v0.6.2",
+      "version": "v0.6.3",
       "pinned": false,
-      "date": "2026-02-24T15:15:46Z"
+      "date": "2026-03-07T03:24:05Z"
     },
     {
       "slug": "zerobyte",

misc/tools.func

@@ -1079,6 +1079,44 @@ is_package_installed() {
   dpkg-query -W -f='${Status}' "$package" 2>/dev/null | grep -q "^install ok installed$"
 }
 
+# ------------------------------------------------------------------------------
+# Prompt user to enter a GitHub Personal Access Token (PAT) interactively
+# Returns 0 if a valid token was provided, 1 otherwise
+# ------------------------------------------------------------------------------
+prompt_for_github_token() {
+  if [[ ! -t 0 ]]; then
+    return 1
+  fi
+
+  local reply
+  read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
+  reply="${reply:-n}"
+
+  if [[ ! "${reply,,}" =~ ^(y|yes)$ ]]; then
+    return 1
+  fi
+
+  local token
+  while true; do
+    read -rp "${TAB}Enter your GitHub PAT: " token
+    # Trim leading/trailing whitespace
+    token="$(echo "$token" | xargs)"
+    if [[ -z "$token" ]]; then
+      msg_warn "Token cannot be empty. Please try again."
+      continue
+    fi
+    if [[ "$token" =~ [[:space:]] ]]; then
+      msg_warn "Token must not contain spaces. Please try again."
+      continue
+    fi
+    break
+  done
+
+  export GITHUB_TOKEN="$token"
+  msg_ok "GitHub token has been set."
+  return 0
+}
+
 # ------------------------------------------------------------------------------
 # GitHub API call with authentication and rate limit handling
 # ------------------------------------------------------------------------------
@@ -1091,7 +1129,8 @@ github_api_call() {
   local header_args=()
   [[ -n "${GITHUB_TOKEN:-}" ]] && header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
 
-  for attempt in $(seq 1 $max_retries); do
+  local attempt=1
+  while ((attempt <= max_retries)); do
     local http_code
     http_code=$(curl -sSL -w "%{http_code}" -o "$output_file" \
       -H "Accept: application/vnd.github+json" \
@@ -1108,7 +1147,11 @@ github_api_call() {
       if [[ -n "${GITHUB_TOKEN:-}" ]]; then
         msg_error "Your GITHUB_TOKEN appears to be invalid or expired."
       else
-        msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
+        msg_error "The repository may require authentication."
+      fi
+      if prompt_for_github_token; then
+        header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
+        continue
       fi
       return 1
       ;;
@@ -1118,9 +1161,16 @@ github_api_call() {
         msg_warn "GitHub API rate limit, waiting ${retry_delay}s... (attempt $attempt/$max_retries)"
         sleep "$retry_delay"
         retry_delay=$((retry_delay * 2))
+        ((attempt++))
         continue
       fi
       msg_error "GitHub API rate limit exceeded (HTTP 403)."
+      if prompt_for_github_token; then
+        header_args=(-H "Authorization: Bearer $GITHUB_TOKEN")
+        retry_delay=2
+        attempt=1
+        continue
+      fi
       msg_error "To increase the limit, export a GitHub token before running the script:"
       msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
       return 1
@@ -1132,6 +1182,7 @@ github_api_call() {
     000 | "")
       if [[ $attempt -lt $max_retries ]]; then
         sleep "$retry_delay"
+        ((attempt++))
         continue
       fi
       msg_error "GitHub API connection failed (no response)."
@@ -1141,12 +1192,14 @@ github_api_call() {
     *)
       if [[ $attempt -lt $max_retries ]]; then
         sleep "$retry_delay"
+        ((attempt++))
         continue
       fi
       msg_error "GitHub API call failed (HTTP $http_code)."
       return 1
       ;;
     esac
+    ((attempt++))
   done
 
   msg_error "GitHub API call failed after ${max_retries} attempts: ${url}"
@@ -3123,11 +3176,30 @@ function fetch_and_deploy_gh_release() {
     if [[ "$http_code" == "200" ]]; then
       success=true
       break
+    elif [[ "$http_code" == "401" ]]; then
+      msg_error "GitHub API authentication failed (HTTP 401)."
+      if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+        msg_error "Your GITHUB_TOKEN appears to be invalid or expired."
+      else
+        msg_error "The repository may require authentication."
+      fi
+      if prompt_for_github_token; then
+        header=(-H "Authorization: token $GITHUB_TOKEN")
+        continue
+      fi
+      break
     elif [[ "$http_code" == "403" ]]; then
       if ((attempt < max_retries)); then
         msg_warn "GitHub API rate limit hit, retrying in ${retry_delay}s... (attempt $attempt/$max_retries)"
         sleep "$retry_delay"
         retry_delay=$((retry_delay * 2))
+      else
+        msg_error "GitHub API rate limit exceeded (HTTP 403)."
+        if prompt_for_github_token; then
+          header=(-H "Authorization: token $GITHUB_TOKEN")
+          retry_delay=2
+          attempt=0
+        fi
       fi
     else
       sleep "$retry_delay"
@@ -3136,21 +3208,10 @@ function fetch_and_deploy_gh_release() {
   done
 
   if ! $success; then
-    if [[ "$http_code" == "401" ]]; then
-      msg_error "GitHub API authentication failed (HTTP 401)."
-      if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-        msg_error "Your GITHUB_TOKEN appears to be invalid or expired."
-      else
-        msg_error "The repository may require authentication. Try: export GITHUB_TOKEN=\"ghp_your_token\""
-      fi
-    elif [[ "$http_code" == "403" ]]; then
-      msg_error "GitHub API rate limit exceeded (HTTP 403)."
-      msg_error "To increase the limit, export a GitHub token before running the script:"
-      msg_error "  export GITHUB_TOKEN=\"ghp_your_token_here\""
-    elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
+    if [[ "$http_code" == "000" || -z "$http_code" ]]; then
       msg_error "GitHub API connection failed (no response)."
       msg_error "Check your network/DNS: curl -sSL https://api.github.com/rate_limit"
-    else
+    elif [[ "$http_code" != "401" ]]; then
       msg_error "Failed to fetch release metadata (HTTP $http_code)"
     fi
     return 1