fix(github): accept canonical versions host repo casing #10240

Merged: jdx merged 1 commit into jdx:main from risu729:fix/github-versions-host-canonical-urls on Jun 6, 2026

@risu729 risu729 commented Jun 5, 2026

Contributor

Summary

  • accept GitHub owner/repo casing canonicalized by GitHub when validating mise-versions release asset URLs
  • keep the strict host, path shape, asset kind, and release-tag checks unchanged
  • add regression coverage for the reported mixed-case Dicklesworthstone/Destructive_command_guard release asset URLs

How This Fixes It

mise asks mise-versions for cached GitHub release metadata using the backend slug the user requested, for example github:Dicklesworthstone/Destructive_command_guard@v0.5.6. Before using that metadata, mise validates every returned asset URL so a bad mirror response cannot make the GitHub backend silently select assets from an unrelated location.

The previous validation compared the owner and repo URL path segments byte-for-byte. GitHub owner and repository names are case-insensitive, and the GitHub API may return the canonical repository casing in browser_download_url and asset API URLs even when the request used different casing. That made valid mirror responses fail validation, emit mise-versions returned invalid GitHub release asset URLs, and fall back to the live GitHub API.

This PR adds github_repo_segment_matches, which uses ASCII case-insensitive comparison only for the GitHub owner and repository path segments in these two validated URL forms:

  • https://github.com/{owner}/{repo}/releases/download/{tag}/{asset}
  • https://api.github.com/repos/{owner}/{repo}/releases/assets/{id}

Everything else stays strict. The scheme and host must still be exactly https://github.com or https://api.github.com, the path must still have the expected shape, and the release tag comparison remains case-sensitive because Git tags are case-sensitive.

This deliberately does not make the client accept arbitrary renamed or transferred repositories with a different owner/repo. Without trusted canonical-repository metadata in the response, the client cannot distinguish a legitimate GitHub redirect from a bad mirror response that points at a different repository. The companion proxy-side PR, jdx/mise-versions#214, handles renamed/transferred repositories by following safe GitHub API redirects and preserving compatibility for current released mise clients.

Testing

  • cargo fmt --check
  • cargo test valid_github_
  • mise run lint-fix

Summary by CodeRabbit

  • Bug Fixes
    • GitHub URLs with mixed-case owner and repository names are now properly recognized and accepted for both browser downloads and GitHub asset API requests, improving URL handling compatibility.
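
The validation rule described in this PR, as an added example that is not code from the PR or from mise: owner and repo segments compare ASCII case-insensitively while scheme, host, path shape and tag stay exact. Function names, signatures and the plain-string matching are assumptions; percent-encoded path segments are not handled.

```rust
// Added sketch, not the code in src/versions_host.rs. Names and signatures are
// assumptions; URLs are matched as plain strings, without a URL-parsing crate.

/// GitHub owner and repo names are case-insensitive: compare ignoring ASCII case.
fn segment_matches(actual: &str, expected: &str) -> bool {
    actual.eq_ignore_ascii_case(expected)
}

/// Split "{owner}/{repo}/{rest}", check owner and repo, return the remainder.
fn strip_repo<'a>(path: &'a str, owner: &str, repo: &str) -> Option<&'a str> {
    let mut parts = path.splitn(3, '/');
    let (o, r, rest) = (parts.next()?, parts.next()?, parts.next()?);
    (segment_matches(o, owner) && segment_matches(r, repo)).then_some(rest)
}

/// https://github.com/{owner}/{repo}/releases/download/{tag}/{asset}
pub fn valid_browser_download_url(url: &str, owner: &str, repo: &str, tag: &str) -> bool {
    // Exact scheme and host: "http://" or "https://github.com.example/" stop here.
    let Some(path) = url.strip_prefix("https://github.com/") else { return false };
    if path.contains(|c: char| c == '?' || c == '#') { return false; }
    let Some(rest) = strip_repo(path, owner, repo) else { return false };
    let Some(rest) = rest.strip_prefix("releases/download/") else { return false };
    // The tag stays byte-for-byte because Git tags are case-sensitive.
    let Some(asset) = rest.strip_prefix(tag).and_then(|r| r.strip_prefix('/')) else { return false };
    !tag.is_empty() && !asset.is_empty() && !asset.contains('/')
}

/// https://api.github.com/repos/{owner}/{repo}/releases/assets/{id}
pub fn valid_asset_api_url(url: &str, owner: &str, repo: &str) -> bool {
    let Some(path) = url.strip_prefix("https://api.github.com/repos/") else { return false };
    let Some(rest) = strip_repo(path, owner, repo) else { return false };
    let Some(id) = rest.strip_prefix("releases/assets/") else { return false };
    !id.is_empty() && id.bytes().all(|b| b.is_ascii_digit())
}

fn main() {
    // The first URL is quoted on this page; "other_repo" is constructed for the demo.
    let (owner, repo, tag) = ("Dicklesworthstone", "Destructive_command_guard", "v0.5.6");
    let canonical = "https://github.com/Dicklesworthstone/destructive_command_guard/releases/download/v0.5.6/dcg-aarch64-apple-darwin.tar.xz";
    let other_repo = "https://github.com/Dicklesworthstone/other_repo/releases/download/v0.5.6/dcg-aarch64-apple-darwin.tar.xz";
    println!("canonical casing: {}", valid_browser_download_url(canonical, owner, repo, tag));
    println!("different repo:   {}", valid_browser_download_url(other_repo, owner, repo, tag));
    println!("asset API: {}", valid_asset_api_url("https://api.github.com/repos/dicklesworthstone/destructive_command_guard/releases/assets/430632958", owner, repo));
}
```
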

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Contributor

Walkthrough

URL validation functions for GitHub release downloads and asset APIs now perform case-insensitive matching on owner/repo path segments via a new helper function. Validation logic is refactored and test coverage is extended to verify mixed-case GitHub URLs are accepted.

Changes

Case-insensitive GitHub URL Validation

| Layer / File(s) | Summary |
|---|---|
| Case-insensitive matcher and validation logic (src/versions_host.rs) | github_repo_segment_matches helper encapsulates case-insensitive string comparison. Both valid_github_browser_download_url and valid_github_asset_api_url are updated to use this matcher for owner/repo path validation instead of strict equality checks. |
| Mixed-case GitHub URL test coverage (src/versions_host.rs) | Unit tests for browser download and asset API URL validators are extended to verify that mixed-case GitHub owner/repo segments are accepted and validated correctly. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 URLs in mixed-case now harmonize,
Case-insensitive checks bring surprise,
A helper so neat, comparison complete,
GitHub repos matched with no defeat!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: making GitHub repository path matching case-insensitive while maintaining strict validation elsewhere. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@greptile-apps

greptile-apps Bot commented Jun 5, 2026

Contributor

Greptile Summary

This PR fixes a false-negative in mise-versions mirror response validation where GitHub's canonical casing for an owner or repository name differed from the casing used in the backend slug, causing valid asset URLs to be rejected and falling back to the live GitHub API. The fix adds a dedicated github_repo_segment_matches helper that uses ASCII case-insensitive comparison only for the owner and repo path segments, leaving the host, path shape, and tag comparisons strictly byte-for-byte.

  • Adds github_repo_segment_matches with eq_ignore_ascii_case, applied to both valid_github_browser_download_url and valid_github_asset_api_url.
  • Adds regression tests for the Dicklesworthstone/Destructive_command_guard case where the GitHub API returns a lowercase repo name in the download URL.

Confidence Score: 5/5

Safe to merge — the change is minimal, targeted, and well-tested with no regressions to existing strict checks.

The only relaxation is ASCII case-insensitive matching on owner and repo path segments, which mirrors GitHub's own case-insensitivity rules. The host, path shape, and tag comparisons remain byte-for-byte strict. The new tests cover the exact reported failure case and don't weaken any existing negative test assertions.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/versions_host.rs | Introduces github_repo_segment_matches using eq_ignore_ascii_case for owner/repo path segments in both valid_github_browser_download_url and valid_github_asset_api_url; adds two regression tests for the mixed-case Dicklesworthstone/Destructive_command_guard case. |

Reviews (1): Last reviewed commit: "fix(github): accept canonical versions h..."

@risu729 risu729 marked this pull request as ready for review June 5, 2026 19:06

@coderabbitai coderabbitai Bot left a comment

Contributor

🧹 Nitpick comments (1)
src/versions_host.rs (1)

441-446: ⚡ Quick win

Cover owner-case mismatch explicitly in tests.

These cases currently vary repo casing, but owner casing is still identical between URL and expected input, so the owner-path case-insensitive branch is not directly locked in.

💡 Suggested test tweak
-            "https://github.com/Dicklesworthstone/destructive_command_guard/releases/download/v0.5.6/dcg-aarch64-apple-darwin.tar.xz",
+            "https://github.com/dicklesworthstone/destructive_command_guard/releases/download/v0.5.6/dcg-aarch64-apple-darwin.tar.xz",
...
-            "https://api.github.com/repos/Dicklesworthstone/destructive_command_guard/releases/assets/430632958",
+            "https://api.github.com/repos/dicklesworthstone/destructive_command_guard/releases/assets/430632958",
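
Review bot: The two + lines replace the existing Dicklesworthstone/destructive_command_guard URLs instead of sitting beside them, so after this tweak every positive case changes owner and repo casing together relative to the Dicklesworthstone/Destructive_command_guard slug named in the PR description. Keep the original assertions and add the lowercase-owner URLs as separate ones; a failure then shows whether the owner comparison or the repo comparison regressed.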

Also applies to: 480-484

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/versions_host.rs` around lines 441 - 446, The tests around
valid_github_browser_download_url should explicitly exercise owner-case
mismatch: modify or add assertions so the owner segment in the URL uses a
different case than the expected owner argument (e.g., URL owner
"dicklesworthstone" vs expected "Dicklesworthstone") to ensure the owner-path
case-insensitive branch is hit; apply the same change to the other occurrence
referenced (around the second test at lines 480-484) and keep repository/name
and tag casing as before while only altering the owner casing.

📥 Commits

Reviewing files that changed from the base of the PR and between ebf4795 and 68b2be0.

📒 Files selected for processing (1)
  • src/versions_host.rs

@jdx jdx merged commit bef380b into jdx:main Jun 6, 2026
33 checks passed
@risu729 risu729 deleted the fix/github-versions-host-canonical-urls branch June 6, 2026 01:01