Drop GitHub API calls from AI model discovery and download#21123
Merged
TurboGit merged 1 commit intoMay 25, 2026
Conversation
andriiryzhkov
added
priority: high
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Removes all
api.github.comcalls from the AI model flow. Behind shared NAT (corporate networks, VPNs, cloud VMs, classrooms) the 60 req/hr unauthenticated quota gets exhausted quickly and "darktable can't download models" was going to be the predictable complaint after release._find_latest_compatible_release: rewrote to fetchreleases-index.jsonfromraw.githubusercontent.com/<repo>/HEAD/releases-index.json(CDN, no API limit, branch-agnostic viaHEADso a futuremaster→mainrename doesn't break shipped binaries) instead of paginatingapi.github.com/repos/<repo>/releases._fetch_asset_digest: now reads SHA from the release's ownversions.json(same CDN path the manifest is already fetched from) instead ofapi.github.com/repos/<repo>/releases/tags/<tag>. Acts as the fallback for downloads that bypassdt_ai_models_check_updates.dt_ai_models_check_updates: parses the new nestedversions.jsonshape ({ models: { id: { version, sha256 } } }) and pre-populatesmodel->checksum, so the download flow has the SHA already when the user clicks download and the fallback above rarely fires.releases-index.jsonso a hypothetical futureschema: 2standalone file produces a clear log line instead of silent NULL.GtkMessageDialogwith the message, instead of leaving the "0% downloading: model" dialog stuck with the error crammed into a status label.Net: zero
api.github.comcalls in the AI model discovery + download path.Depends on
Requires darktable-org/darktable-ai#28 to be merged.
Trade-off worth flagging
There is no GitHub-side, non-API source of release-asset SHA256 – the digest is published only via the REST API. By switching to reading SHA from the maintainer-published
versions.json, integrity verification is now gated on the maintainer doing the right thing in the model repo. The C code refuses to download an asset whose SHA it cannot resolve, so the failure mode is secure-by-default (user blocked) rather than silent (download without verification).