From a435c7080b94a37cb000028b35c8b7a5cd05a239 Mon Sep 17 00:00:00 2001
From: Alex Blackie <alex@blackie.ca>
Date: Fri, 15 Aug 2025 17:50:05 -0400
Subject: [PATCH] Fix GitHub release assets URL validation (#35287)

GitHub changed where the attachments on releases are stored, which means
repo migrations with releases now fail because the redirect URLs don't
match the base URL validation. We need to update the base URL check to
check for the `release-assets` subdomain as well.
---
 services/migrations/github.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/services/migrations/github.go b/services/migrations/github.go
index d0a0d719869c3..199ed38ddfeff 100644
--- a/services/migrations/github.go
+++ b/services/migrations/github.go
@@ -354,7 +354,8 @@ func (g *GithubDownloaderV3) convertGithubRelease(ctx context.Context, rel *gith
 
 				// Prevent open redirect
 				if !hasBaseURL(redirectURL, g.baseURL) &&
-					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") {
+					!hasBaseURL(redirectURL, "https://objects.githubusercontent.com/") &&
+					!hasBaseURL(redirectURL, "https://release-assets.githubusercontent.com/") {
 					WarnAndNotice("Unexpected AssetURL for assetID[%d] in %s: %s", asset.GetID(), g, redirectURL)
 
 					return io.NopCloser(strings.NewReader(redirectURL)), nil