Do not set DEFAULT_GITHUB_TOKEN if cargo-binstall fallback is disabled

Taiki Endo
2026-04-10 02:37:36 +09:00
parent 8f20d38f44
commit 77557fa399
3 changed files with 6 additions and 2 deletions


@@ -10,6 +10,8 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
## [Unreleased]
- Enhance security when cargo-binstall fallback is disabled.
- Update `rclone@latest` to 1.73.4.
## [2.75.2] - 2026-04-09
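Review bot: The [Unreleased] entry "Enhance security when cargo-binstall fallback is disabled." does not say what actually changes, so someone auditing token exposure cannot tell from the changelog that this concerns `github.token`. Suggest naming the behaviour, for example "Do not pass the default `github.token` to the install script when the cargo-binstall fallback is disabled."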


@@ -124,6 +124,8 @@ When installing with `tool: <tool_name>` or `tool: <tool_name>@<omitted_version>
See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).
The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we pass the `${{ github.token }}` to cargo-binstall. Disabling the cargo-binstall fallback prevent passing token so helps enhance security.
See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.
## Compatibility
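Review bot: In the sentence beginning "Disabling the cargo-binstall fallback", the wording "prevent passing token so helps enhance security" is ungrammatical; suggest "Disabling the cargo-binstall fallback prevents the token from being passed, which helps enhance security." It would also help to state the condition here rather than only through the Supported tools link, since the token is withheld only when the `fallback` input is something other than `cargo-binstall`.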


@@ -47,7 +47,7 @@ runs:
INPUT_TOOL: ${{ inputs.tool }}
INPUT_CHECKSUM: ${{ inputs.checksum }}
INPUT_FALLBACK: ${{ inputs.fallback }}
DEFAULT_GITHUB_TOKEN: ${{ github.token }}
DEFAULT_GITHUB_TOKEN: ${{ inputs.fallback == 'cargo-binstall' && github.token || '' }}
ACTION_USER_AGENT: ${{ github.action_repository }} (${{ github.action_ref }})
if: runner.os != 'Windows'
# Use pwsh and retry on bash startup failure to work around windows-11-arm runner bug:
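Review bot: On the new `DEFAULT_GITHUB_TOKEN` line, `inputs.fallback == 'cargo-binstall'` is evaluated by the expression engine, which ignores case when comparing strings, while the script receives the raw value through `INPUT_FALLBACK`; please confirm the script's own check on `INPUT_FALLBACK` cannot disagree with this condition (for example on `Cargo-Binstall`), otherwise the token decision and the fallback decision could diverge. The variable is also still exported as an empty string rather than left unset, so the script should treat an empty `DEFAULT_GITHUB_TOKEN` the same as a missing one.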
@@ -77,6 +77,6 @@ runs:
INPUT_TOOL: ${{ inputs.tool }}
INPUT_CHECKSUM: ${{ inputs.checksum }}
INPUT_FALLBACK: ${{ inputs.fallback }}
DEFAULT_GITHUB_TOKEN: ${{ github.token }}
DEFAULT_GITHUB_TOKEN: ${{ inputs.fallback == 'cargo-binstall' && github.token || '' }}
ACTION_USER_AGENT: ${{ github.action_repository }} (${{ github.action_ref }})
if: runner.os == 'Windows'
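Review bot: The Windows step repeats the same `inputs.fallback == 'cargo-binstall' && github.token || ''` expression as the non-Windows step, so a later edit to one copy can silently leave the other still passing the token. Suggest a short comment on both `DEFAULT_GITHUB_TOKEN` lines noting that they must stay in sync, or a CI check that asserts both steps carry the same value.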