From 77557fa3993e075c27572045b0d159865c23016b Mon Sep 17 00:00:00 2001
From: Taiki Endo
Date: Fri, 10 Apr 2026 02:37:36 +0900
Subject: [PATCH] Do not set DEFAULT_GITHUB_TOKEN if cargo-binstall fallback is disabled

---
 CHANGELOG.md | 2 ++
 README.md | 2 ++
 action.yml | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 456d0d8b..9b84d168 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+- Enhance security when cargo-binstall fallback is disabled.
+
 - Update `rclone@latest` to 1.73.4.
 
 ## [2.75.2] - 2026-04-09
diff --git a/README.md b/README.md
index a2055bdb..b897ffee 100644
--- a/README.md
+++ b/README.md
@@ -124,6 +124,8 @@ When installing with `tool: ` or `tool: @
 
 See the linked documentation for information on security when installed using [snap](https://snapcraft.io/docs) or [cargo-binstall](https://github.com/cargo-bins/cargo-binstall#faq).
 
+The default fallback (cargo-binstall) is often affected by GitHub's API rate limits, so we pass the `${{ github.token }}` to cargo-binstall. Disabling the cargo-binstall fallback prevent passing token so helps enhance security.
+
 See the [Supported tools section](#supported-tools) for how to ensure that fallback is not used.
 
 ## Compatibility
diff --git a/action.yml b/action.yml
index 1632a5b3..46f84f7a 100644
--- a/action.yml
+++ b/action.yml
@@ -47,7 +47,7 @@ runs:
 INPUT_TOOL: ${{ inputs.tool }}
 INPUT_CHECKSUM: ${{ inputs.checksum }}
 INPUT_FALLBACK: ${{ inputs.fallback }}
- DEFAULT_GITHUB_TOKEN: ${{ github.token }}
+ DEFAULT_GITHUB_TOKEN: ${{ inputs.fallback == 'cargo-binstall' && github.token || '' }}
 ACTION_USER_AGENT: ${{ github.action_repository }} (${{ github.action_ref }})
 if: runner.os != 'Windows'
 # Use pwsh and retry on bash startup failure to work around windows-11-arm runner bug: 
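Review bot: The new gate on `DEFAULT_GITHUB_TOKEN` is an unexplained inline expression on a credential-bearing line; a YAML comment above it would tell the next maintainer why the token is conditional, e.g. `# Expose the workflow token only when the cargo-binstall fallback can use it (it needs it for GitHub API rate limits); any other fallback value gets an empty string so the install script never receives a credential it does not need.` Two things are worth confirming against the script this env block feeds, which is not in the hunk: that it treats an empty `DEFAULT_GITHUB_TOKEN` as "no token" rather than falling back to another token source such as a `GITHUB_TOKEN` already in the environment, and that its own reading of `INPUT_FALLBACK` agrees with this comparison, since GitHub expression `==` is case-insensitive and a value like `Cargo-Binstall` would still receive the token here while a byte-exact shell comparison might not treat the fallback as enabled. The step this env block belongs to starts outside the hunk.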
@@ -77,6 +77,6 @@ runs:
 INPUT_TOOL: ${{ inputs.tool }}
 INPUT_CHECKSUM: ${{ inputs.checksum }}
 INPUT_FALLBACK: ${{ inputs.fallback }}
- DEFAULT_GITHUB_TOKEN: ${{ github.token }}
+ DEFAULT_GITHUB_TOKEN: ${{ inputs.fallback == 'cargo-binstall' && github.token || '' }}
 ACTION_USER_AGENT: ${{ github.action_repository }} (${{ github.action_ref }})
 if: runner.os == 'Windows'
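Review bot: This is the second verbatim copy of the token gate, one per OS-specific step, with nothing tying the two together; if the fallback input ever grows another value that legitimately needs the token, both lines must change in lockstep or one platform silently keeps leaking or losing the credential. A short comment on this line such as `# Keep in sync with the non-Windows step above` makes the coupling visible, which seems the practical option assuming this is a composite action with no action-level env block to hoist the expression into. The enclosing step starts outside the hunk.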