Pre-flight request fails for private repository

SO question


I’m trying to call Github REST API from client-side javascript (in browser).

My code does the following (I’m trying to get a zip containing the branch mkdocs_page of my private repository) :

    const endpoint = 'https://api.github.com';
    const resource = '/repos/astariul/private-gh-pages/zipball/mkdocs_page';
    const options = {
      mode: 'cors',
      headers: {
        'Authorization': 'Basic ' + btoa(`${pat}`),  // pat contains my Personal Access Token
      }
    }

    return fetch(`${endpoint}${resource}`, options);

But it does not work :

The preflight request fails with 404.

The console error message :

Access to fetch at ‘https//api.github.com/repos/astariul/private-gh-pages/zipball/mkdocs_page’ from origin ‘null’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: It does not have HTTP ok status.


In the process of debugging this, I tried to reproduce the problem with curl. And when I specify an authenticated request, it works :

curl --user "<my_PAT_token>" -i https://api.github.com/repos/astariul/private-gh-pages/zipball/mkdocs_page -X OPTIONS

HTTP/1.1 204 No Content

But if the request is not authenticated, it does not work :

curl -i https://api.github.com/repos/astariul/private-gh-pages/zipball/mkdocs_page -X OPTIONS

HTTP/1.1 404 Not Found


Note : it works fine when I’m trying to get the master branch (authenticated or not). However it fails after, when being redirected :

Access to fetch at ‘https//codeload.github.com/astariul/private-gh-pages/legacy.zip/refs/heads/main?token=XXX’ (redirected from ‘https//api.github.com/repos/astariul/private-gh-pages/zipball’) from origin ‘null’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.


Is it a bug in the Github API ? Or I’m doing something wrong ?