Apply review feedback

Author: mbg

lib/analyze-action.js

@@ -74,30 +74,32 @@ export function getApiClientWithExternalAuth(
 }
 
 /**
- * Gets a value for the `Authorization` header to download `url` or `undefined` if the
+ * Gets a value for the `Authorization` header for a request to `url`; or `undefined` if the
  * `Authorization` header should not be set for `url`.
  *
  * @param logger The logger to use for debugging messages.
  * @param apiDetails Details of the GitHub API we are using.
  * @param url The URL for which we want to add an `Authorization` header.
- * @param purpose A description of what we want to download, for debug messages.
+ *
  * @returns The value for the `Authorization` header or `undefined` if it shouldn't be populated.
  */
 export function getAuthorizationHeaderFor(
   logger: Logger,
   apiDetails: GitHubApiDetails,
   url: string,
-  purpose: string = "CodeQL tools",
 ): string | undefined {
+  // We only want to provide an authorization header if we are downloading
+  // from the same GitHub instance the Action is running on.
+  // This avoids leaking Enterprise tokens to dotcom.
   if (
     url.startsWith(`${apiDetails.url}/`) ||
     (apiDetails.apiURL && url.startsWith(`${apiDetails.apiURL}/`))
   ) {
-    logger.debug(`Providing an authorization token to download ${purpose}.`);
+    logger.debug(`Providing an authorization token for '${url}'.`);
     return `token ${apiDetails.auth}`;
   }
 
-  logger.debug(`Downloading ${purpose} without an authorization token.`);
+  logger.debug(`Requesting '${url}' without an authorization token.`);
   return undefined;
 }
 

lib/init-action-post.js

@@ -567,11 +567,9 @@ export const downloadCodeQL = async function (
   const headers: OutgoingHttpHeaders = {
     accept: "application/octet-stream",
   };
-  // We only want to provide an authorization header if we are downloading
-  // from the same GitHub instance the Action is running on.
-  // This avoids leaking Enterprise tokens to dotcom.
-  // We also don't want to send an authorization header if there's already a token provided in the URL.
   let authorization: string | undefined = undefined;
+
+  // We don't want to send an authorization header if there's already a token provided in the URL.
   if (searchParams.has("token")) {
     logger.debug("CodeQL tools URL contains an authorization token.");
   } else {

lib/init-action.js

@@ -193,15 +193,11 @@ async function getProxyBinaryPath(logger: Logger): Promise<string> {
 
   let proxyBin = toolcache.find(proxyFileName, proxyInfo.version);
   if (!proxyBin) {
-    // We only want to provide an authorization header if we are downloading
-    // from the same GitHub instance the Action is running on.
-    // This avoids leaking Enterprise tokens to dotcom.
     const apiDetails = getApiDetails();
     const authorization = getAuthorizationHeaderFor(
       logger,
       apiDetails,
       proxyInfo.url,
-      "`update-job-proxy`",
     );
     const temp = await toolcache.downloadTool(
       proxyInfo.url,