Github rate limit error HACS

Same for my instance. Did you resolve this issue?

Same problem here.

I did a fresh install as I was having an error with my previous installation, and it seemed fine. It didn’t ask for a token, just OAuth.
However, after installing a new repository I got rate limited.

I don’t have that “Github HACS” in the dashboard.
Just this:

And this is my error:

Is there no way to add a token to bypass that problem?

OAuth still rate limits against your account/token. You can make a sensor from a token to see the number of calls; also, the HA info page will show the number of calls. I believe that after 13 hours the number of calls settles down. The rate limit resets to 5000 every hour too.
You need to make sure NOTHING else is making calls on your account. I set up a new github just for HACS.

How can I make that sensor?
It doesn’t appear by default, just the one shown above.


Here is mine:

# Github Rate Limits
  - platform: rest
    resource: https://api.github.com/rate_limit
    name: Github HACS
    value_template: '{{ value_json.resources.core.used }}'
    headers:
      Authorization: token 3abxxxxxxxxxxxxxxxxxxxd6e27
      Accept: application/vnd.github.v3+json
      Content-Type: application/json
      User-Agent: Home Assistant REST sensor

With the new integration that doesn’t make sense, as there is no authorization token given, just a 4+4 alpha code.

It makes perfect sense and works if you get a token on the GitHub account. You asked, I answered. It works.

1 Like

I have a token on github, but not configured in HACS as the new version doesn’t allow to configure it.

It wasn’t working as I didn’t create a token before the OAuth.
I have now done that and now it’s getting requests for that token.

So, basically, create a token before authorizing HACS.

Thank you @DavidFW1960

2 Likes

Thanks for the info on this (I also hit the rate limit on initial setup). Did you manage to find out why it needs to make so many calls? I know I can set up a new GitHub account for this but that’s a workaround for something which feels a bit wrong.

2 Likes

Can someone explain to me why HACS needs auth with GitHub? All of the repos are public, so it can pull the source without auth. Why?

As far as I know/understand you need auth to pull the data through the API.

You don’t need auth to pull data from Github. All of those repos are public. It’s a fundamental design flaw. Are there alternatives to HACS with similar adoption?

It’s not about whether the repos are public or not, the API limits unauthenticated calls to 60 per hour -> https://docs.github.com/en/rest/guides/getting-started-with-the-rest-api#authentication

HACS pulls the github source code to HA. Pulling source code shouldn’t require any authentication to Github. Just like when you visit Github, you don’t need to log in to view any public repo code in Github. If you use the Github API to pull code, then yes and it’s subject to Github API rate limit. However, why use the Github API when you can do the same with git? It doesn’t need any auth and therefore no rate limit. That’s a fundamental design flaw.

Then ask the dev of HACS why he implemented it this way, or even better create a PR that fixes this “fundamental flaw” as from your comments it sounds so obvious and easy to do.

1 Like

^^^ that, what @Burningstone said…

…and:

  • it is best practice to use the API, Github is not very amused with people using web scraping
  • the API is secure, with a web scan no one can assure the files aren’t compromised
  • all technical changes on Github side would be needed to be updated, every time, just by knowing, because Github doesn’t give out changelogs for their page. With the use of the API this can’t happen.
  • the work to set up web scraping is far more complex, and simply not usable.

Where did I get that from? From the developer documentation on GitHub.

I was not suggesting web scraping. Instead, use the public GitHub git API as opposed to the GitHub API. For example, use git clone https://github.com/thomasloven/lovelace-card-mod.git to get the full repo or curl https://raw.githubusercontent.com/thomasloven/lovelace-card-mod/master/hacs.json to get repo metadata. The git API is well established, and HACS can use gitpython for git and PycURL for downloading metadata. Using the git API is not in any way insecure compared to the GitHub API. The repos or files are all https from the github domain. In fact, it’s actually insecure to authorize HACS to use my GitHub account. From their configuration documentation, it’s not clear what OAuth scope HACS is requesting. After going through this flow, HACS could do something sinister without my knowledge, like downloading code in my private repo or pushing commits to my private repos. To put it harshly, this is actually phishing. I would definitely be using their Personal Access Token option to limit the scope to public repos only.

1 Like
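
Editor's added example (not part of the thread and not HACS code): the quota sensor posted earlier and the scope concern in the post above can both be checked from a single `/rate_limit` reply, because GitHub reports the scopes granted to a classic or OAuth token in the `X-OAuth-Scopes` response header. The function names, the `BROAD_SCOPES` set and the sample replies are assumptions constructed for this illustration.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Classic scopes that grant more than read access to public repositories.
BROAD_SCOPES = {"repo", "workflow", "delete_repo", "admin:org", "write:packages"}

def audit(headers, body, warn_fraction=0.8):
    """Summarise core quota use and granted scopes from one /rate_limit reply."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    core = json.loads(body)["resources"]["core"]
    raw = hdrs.get("x-oauth-scopes")  # header is absent for fine-grained tokens
    scopes = None if raw is None else sorted(
        s.strip() for s in raw.split(",") if s.strip())
    return {
        "used": core["used"],
        "remaining": core["remaining"],
        "reset_utc": datetime.fromtimestamp(core["reset"], tz=timezone.utc).isoformat(),
        "near_limit": core["used"] >= warn_fraction * core["limit"],
        "scopes": scopes,  # None means the reply did not report scopes
        "broad_scopes": sorted(BROAD_SCOPES.intersection(scopes or [])),
    }

def fetch(token):
    """Live call; needs network access and a token of your own."""
    req = urllib.request.Request(
        "https://api.github.com/rate_limit",
        headers={"Authorization": f"token {token}",
                 "Accept": "application/vnd.github.v3+json",
                 "User-Agent": "rate-limit-audit"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items()), resp.read().decode()

# Constructed sample replies (not captured from a real account).
SAMPLE_BODY = json.dumps({"resources": {"core": {
    "limit": 5000, "used": 4200, "remaining": 800, "reset": 1700000000}}})
SAMPLE_BROAD = ({"X-OAuth-Scopes": "repo, workflow"}, SAMPLE_BODY)
SAMPLE_NARROW = ({"X-OAuth-Scopes": "public_repo"}, SAMPLE_BODY)

if __name__ == "__main__":
    for headers, body in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(audit(headers, body))
```

With a real token, `audit(*fetch(token))` gives the same summary for the account; a non-empty `broad_scopes` means the token can do more than read public repositories.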

It’s pretty clear when you give HACS permissions as listed. In any case, if you have an issue with this, raise an issue in the appropriate place (the HACS repo) which isn’t here.


Please tell me what permission HACS is requesting from this and how this is different from phishing emails.