github/client.go

@@ -159,6 +159,11 @@ func (c *Client) doRequest(ctx context.Context, method, url string, accept strin
 
 	const maxErrorBodyBytes = 64 * 1024
 
+	// Reject non-HTTPS URLs early since the URL is immutable across retries.
+	if c.token != "" && !c.allowInsecureHTTP && !strings.HasPrefix(url, "https://") {
+		return nil, fmt.Errorf("refusing to send credentials over non-HTTPS URL %q (use AllowInsecureHTTP option for trusted networks)", url)
+	}
+
 	var lastErr error
 	for attempt := 0; attempt < maxAttempts; attempt++ {
 		if attempt > 0 {
@@ -183,10 +188,6 @@ func (c *Client) doRequest(ctx context.Context, method, url string, accept strin
 			return nil, fmt.Errorf("create request: %w", err)
 		}
 		if c.token != "" {
-			// Refuse to send credentials over plaintext unless explicitly allowed.
-			if !c.allowInsecureHTTP && req.URL.Scheme != "https" {
-				return nil, fmt.Errorf("refusing to send credentials over non-HTTPS URL %q (use AllowInsecureHTTP option for trusted networks)", req.URL.Host)
-			}
 			req.Header.Set("Authorization", "Bearer "+c.token)
 		}
 		req.Header.Set("User-Agent", userAgent)

github/files.go

@@ -42,7 +42,7 @@ func (c *Client) ListContents(ctx context.Context, owner, repo, path string) ([]
 	if err := json.Unmarshal(body, &entries); err != nil {
 		var single entry
 		if err2 := json.Unmarshal(body, &single); err2 != nil {
-			return nil, fmt.Errorf("parse contents JSON: %w", err)
+			return nil, fmt.Errorf("parse contents JSON: %w", err2)
 		}
 		entries = []entry{single}
 	}