Release version 0.51.3

test: Add pagination tests for cursor and page-based Link headers

.dockerignore

@@ -0,0 +1,75 @@
+# Docker ignore file to reduce build context size
+
+# Temp files
+*~
+~*
+.*~
+\#*
+.#*
+*#
+dist
+
+# Build files
+build
+dist
+pkg
+*.egg
+*.egg-info
+
+# Debian Files
+debian/files
+debian/python-github-backup*
+
+# Sphinx build
+doc/_build
+
+# Generated man page
+doc/github_backup.1
+
+# Annoying macOS files
+.DS_Store
+._*
+
+# IDE configuration files
+.vscode
+.atom
+.idea
+*.code-workspace
+
+# RSA
+id_rsa
+id_rsa.pub
+
+# Virtual env
+venv
+.venv
+
+# Git
+.git
+.gitignore
+.gitchangelog.rc
+.github
+
+# Documentation
+*.md
+!README.md
+
+# Environment variables files
+.env
+.env.*
+!.env.example
+*.log
+
+# Cache files
+**/__pycache__/
+*.py[cod]
+
+# Docker files
+docker-compose.yml
+Dockerfile*
+
+# Other files
+release
+*.tar
+*.zip
+*.gzip

.github/ISSUE_TEMPLATE/bug.yaml

@@ -0,0 +1,28 @@
+---
+name: Bug Report
+description: File a bug report.
+body:
+  - type: markdown
+    attributes:
+      value: |
+        # Important notice regarding filed issues
+
+        This project already fills my needs, and as such I have no real reason to continue it's development. This project is otherwise provided as is, and no support is given.
+
+        If pull requests implementing bug fixes or enhancements are pushed, I am happy to review and merge them (time permitting).
+
+        If you wish to have a bug fixed, you have a few options:
+
+        - Fix it yourself and file a pull request.
+        - File a bug and hope someone else fixes it for you.
+        - Pay me to fix it (my rate is $200 an hour, minimum 1 hour, contact me via my [github email address](https://github.com/josegonzalez) if you want to go this route).
+
+        In all cases, feel free to file an issue, they may be of help to others in the future.
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/feature.yaml

@@ -0,0 +1,27 @@
+---
+name: Feature Request
+description: File a feature request.
+body:
+  - type: markdown
+    attributes:
+      value: |
+        # Important notice regarding filed issues
+
+        This project already fills my needs, and as such I have no real reason to continue it's development. This project is otherwise provided as is, and no support is given.
+
+        If pull requests implementing bug fixes or enhancements are pushed, I am happy to review and merge them (time permitting).
+
+        If you wish to have a feature implemented, you have a few options:
+
+        - Implement it yourself and file a pull request.
+        - File an issue and hope someone else implements it for you.
+        - Pay me to implement it (my rate is $200 an hour, minimum 1 hour, contact me via my [github email address](https://github.com/josegonzalez) if you want to go this route).
+
+        In all cases, feel free to file an issue, they may be of help to others in the future.
+  - type: textarea
+    id: what-would-you-like-to-happen
+    attributes:
+      label: What would you like to happen?
+      description: Please describe in detail how the new functionality should work as well as any issues with existing functionality.
+    validations:
+      required: true

.github/workflows/automatic-release.yml

@@ -18,7 +18,7 @@ jobs:
         runs-on: ubuntu-24.04
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
               with:
                 fetch-depth: 0
                 ssh-key: ${{ secrets.DEPLOY_PRIVATE_KEY }}
@@ -27,7 +27,7 @@ jobs:
                 git config --local user.email "action@github.com"
                 git config --local user.name "GitHub Action"
             - name: Setup Python
-              uses: actions/setup-python@v5
+              uses: actions/setup-python@v6
               with:
                 python-version: '3.12'
             - name: Install prerequisites

.github/workflows/docker.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
 

.github/workflows/lint.yml

@@ -15,16 +15,19 @@ jobs:
   lint:
     name: lint
     runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: "3.12"
+          python-version: ${{ matrix.python-version }}
           cache: "pip"
       - run: pip install -r release-requirements.txt && pip install wheel
       - run: flake8 --ignore=E501,E203,W503

.github/workflows/tagged-release.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   tagged-release:
     name: tagged-release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
 
     steps:
       - uses: "marvinpinto/action-automatic-releases@v1.2.1"

.github/workflows/test.yml

@@ -0,0 +1,33 @@
+---
+name: "test"
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    branches:
+      - "*"
+  push:
+    branches:
+      - "main"
+      - "master"
+
+jobs:
+  test:
+    name: test
+    runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+      - run: pip install -r release-requirements.txt
+      - run: pytest tests/ -v

.gitignore

@@ -1,4 +1,4 @@
-*.py[oc]
+*.py[cod]
 
 # Temp files
 *~
@@ -33,6 +33,7 @@ doc/github_backup.1
 # IDE configuration files
 .vscode
 .atom
+.idea
 
 README
 
@@ -42,3 +43,4 @@ id_rsa.pub
 
 # Virtual env
 venv
+.venv

Dockerfile

@@ -1,16 +1,38 @@
-FROM python:3.9.18-slim
+FROM python:3.12-alpine3.22 AS builder
 
-RUN --mount=type=cache,target=/var/cache/apt \
-    apt-get update && apt-get install -y git git-lfs
+RUN pip install --no-cache-dir --upgrade pip \
+    && pip install --no-cache-dir uv
 
-WORKDIR /usr/src/app
+WORKDIR /app
 
-COPY release-requirements.txt .
-RUN --mount=type=cache,target=/root/.cache/pip \
-    pip install -r release-requirements.txt
+RUN --mount=type=cache,target=/root/.cache/uv \
+    --mount=type=bind,source=requirements.txt,target=requirements.txt \
+    --mount=type=bind,source=release-requirements.txt,target=release-requirements.txt \
+    uv venv \
+    && uv pip install -r release-requirements.txt
 
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/pip \
-    pip install .
+
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install .
+
+
+FROM python:3.12-alpine3.22
+ENV PYTHONUNBUFFERED=1
+
+RUN apk add --no-cache \
+    ca-certificates \
+    git \
+    git-lfs \
+    && addgroup -g 1000 appuser \
+    && adduser -D -u 1000 -G appuser appuser
+
+COPY --from=builder --chown=appuser:appuser /app /app
+
+WORKDIR /app
+
+USER appuser
+
+ENV PATH="/app/.venv/bin:$PATH"
 
 ENTRYPOINT ["github-backup"]

ISSUE_TEMPLATE.md

@@ -1,13 +0,0 @@
-# Important notice regarding filed issues
-
-This project already fills my needs, and as such I have no real reason to continue it's development. This project is otherwise provided as is, and no support is given.
-
-If pull requests implementing bug fixes or enhancements are pushed, I am happy to review and merge them (time permitting).
-
-If you wish to have a bug fixed, you have a few options:
-
-- Fix it yourself and file a pull request.
-- File a bug and hope someone else fixes it for you.
-- Pay me to fix it (my rate is $200 an hour, minimum 1 hour, contact me via my [github email address](https://github.com/josegonzalez) if you want to go this route).
-
-In all cases, feel free to file an issue, they may be of help to others in the future.

README.rst

@@ -9,8 +9,8 @@ The package can be used to backup an *entire* `Github <https://github.com/>`_ or
 Requirements
 ============
 
+- Python 3.10 or higher
 - GIT 1.9+
-- Python
 
 Installation
 ============
@@ -50,7 +50,7 @@ CLI Help output::
                   [--keychain-name OSX_KEYCHAIN_ITEM_NAME]
                   [--keychain-account OSX_KEYCHAIN_ITEM_ACCOUNT]
                   [--releases] [--latest-releases NUMBER_OF_LATEST_RELEASES]
-                  [--skip-prerelease] [--assets]
+                  [--skip-prerelease] [--assets] [--attachments]
                   [--exclude [REPOSITORY [REPOSITORY ...]]
                   [--throttle-limit THROTTLE_LIMIT] [--throttle-pause THROTTLE_PAUSE]
                   USER
@@ -133,6 +133,9 @@ CLI Help output::
       --skip-prerelease     skip prerelease and draft versions; only applies if including releases
       --assets              include assets alongside release information; only
                             applies if including releases
+      --attachments         download user-attachments from issues and pull requests
+                            to issues/attachments/{issue_number}/ and
+                            pulls/attachments/{pull_number}/ directories
       --exclude [REPOSITORY [REPOSITORY ...]]
                             names of repositories to exclude from backup.
       --throttle-limit THROTTLE_LIMIT
@@ -213,6 +216,29 @@ When you use the ``--lfs`` option, you will need to make sure you have Git LFS i
 Instructions on how to do this can be found on https://git-lfs.github.com.
 
 
+About Attachments
+-----------------
+
+When you use the ``--attachments`` option with ``--issues`` or ``--pulls``, the tool will download user-uploaded attachments (images, videos, documents, etc.) from issue and pull request descriptions and comments. In some circumstances attachments contain valuable data related to the topic, and without their backup important information or context might be lost inadvertently.
+
+Attachments are saved to ``issues/attachments/{issue_number}/`` and ``pulls/attachments/{pull_number}/`` directories, where ``{issue_number}`` is the GitHub issue number (e.g., issue #123 saves to ``issues/attachments/123/``). Each attachment directory contains:
+
+- The downloaded attachment files (named by their GitHub identifier with appropriate file extensions)
+- If multiple attachments have the same filename, conflicts are resolved with numeric suffixes (e.g., ``report.pdf``, ``report_1.pdf``, ``report_2.pdf``)
+- A ``manifest.json`` file documenting all downloads, including URLs, file metadata, and download status
+
+The tool automatically extracts file extensions from HTTP headers to ensure files can be more easily opened by your operating system.
+
+**Supported URL formats:**
+
+- Modern: ``github.com/user-attachments/{assets,files}/*``
+- Legacy: ``user-images.githubusercontent.com/*`` and ``private-user-images.githubusercontent.com/*``
+- Repo files: ``github.com/{owner}/{repo}/files/*`` (filtered to current repository)
+- Repo assets: ``github.com/{owner}/{repo}/assets/*`` (filtered to current repository)
+
+**Repository filtering** for repo files/assets handles renamed and transferred repositories gracefully. URLs are included if they either match the current repository name directly, or redirect to it (e.g., ``willmcgugan/rich`` redirects to ``Textualize/rich`` after transfer).
+
+
 Run in Docker container
 -----------------------
 
@@ -303,7 +329,7 @@ Quietly and incrementally backup useful Github user data (public and private rep
     export FINE_ACCESS_TOKEN=SOME-GITHUB-TOKEN
     GH_USER=YOUR-GITHUB-USER
 
-    github-backup -f $FINE_ACCESS_TOKEN --prefer-ssh -o ~/github-backup/ -l error -P -i --all-starred --starred --watched --followers --following --issues --issue-comments --issue-events --pulls --pull-comments --pull-commits --labels --milestones --repositories --wikis --releases --assets --pull-details --gists --starred-gists $GH_USER
+    github-backup -f $FINE_ACCESS_TOKEN --prefer-ssh -o ~/github-backup/ -l error -P -i --all-starred --starred --watched --followers --following --issues --issue-comments --issue-events --pulls --pull-comments --pull-commits --labels --milestones --repositories --wikis --releases --assets --attachments --pull-details --gists --starred-gists $GH_USER
     
 Debug an error/block or incomplete backup into a temporary directory. Omit "incremental" to fill a previous incomplete backup. ::
 

github_backup/__init__.py

@@ -1 +1 @@
-__version__ = "0.50.0"
+__version__ = "0.51.3"

github_backup/github_backup.py

@@ -37,22 +37,33 @@ FNULL = open(os.devnull, "w")
 FILE_URI_PREFIX = "file://"
 logger = logging.getLogger(__name__)
 
+# Setup SSL context with fallback chain
 https_ctx = ssl.create_default_context()
-if not https_ctx.get_ca_certs():
-    import warnings
-
-    warnings.warn(
-        "\n\nYOUR DEFAULT CA CERTS ARE EMPTY.\n"
-        + "PLEASE POPULATE ANY OF:"
-        + "".join(
-            ["\n - " + x for x in ssl.get_default_verify_paths() if type(x) is str]
-        )
-        + "\n",
-        stacklevel=2,
-    )
+if https_ctx.get_ca_certs():
+    # Layer 1: Certificates pre-loaded from system (file-based)
+    pass
+else:
+    paths = ssl.get_default_verify_paths()
+    if (paths.cafile and os.path.exists(paths.cafile)) or (
+        paths.capath and os.path.exists(paths.capath)
+    ):
+        # Layer 2: Cert paths exist, will be lazy-loaded on first use (directory-based)
+        pass
+    else:
+        # Layer 3: Try certifi package as optional fallback
+        try:
             import certifi
 
             https_ctx = ssl.create_default_context(cafile=certifi.where())
+        except ImportError:
+            # All layers failed - no certificates available anywhere
+            sys.exit(
+                "\nERROR: No CA certificates found. Cannot connect to GitHub over SSL.\n\n"
+                "Solutions you can explore:\n"
+                "  1. pip install certifi\n"
+                "  2. Alpine: apk add ca-certificates\n"
+                "  3. Debian/Ubuntu: apt-get install ca-certificates\n\n"
+            )
 
 
 def logging_subprocess(
@@ -420,6 +431,12 @@ def parse_args(args=None):
         dest="include_assets",
         help="include assets alongside release information; only applies if including releases",
     )
+    parser.add_argument(
+        "--attachments",
+        action="store_true",
+        dest="include_attachments",
+        help="download user-attachments from issues and pull requests",
+    )
     parser.add_argument(
         "--throttle-limit",
         dest="throttle_limit",
@@ -575,22 +592,26 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
     auth = get_auth(args, encode=not args.as_app)
     query_args = get_query_args(query_args)
     per_page = 100
-    page = 0
+    next_url = None
 
     while True:
-        page = page + 1
+        if single_request:
+            request_per_page = None
+        else:
+            request_per_page = per_page
+
         request = _construct_request(
-            per_page,
-            page,
+            request_per_page,
             query_args,
-            template,
+            next_url or template,
             auth,
             as_app=args.as_app,
             fine=True if args.token_fine is not None else False,
         )  # noqa
-        r, errors = _get_response(request, auth, template)
+        r, errors = _get_response(request, auth, next_url or template)
 
         status_code = int(r.getcode())
+
         # Check if we got correct data
         try:
             response = json.loads(r.read().decode("utf-8"))
@@ -622,15 +643,14 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
             retries += 1
             time.sleep(5)
             request = _construct_request(
-                per_page,
-                page,
+                request_per_page,
                 query_args,
-                template,
+                next_url or template,
                 auth,
                 as_app=args.as_app,
                 fine=True if args.token_fine is not None else False,
             )  # noqa
-            r, errors = _get_response(request, auth, template)
+            r, errors = _get_response(request, auth, next_url or template)
 
             status_code = int(r.getcode())
             try:
@@ -660,7 +680,16 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
             if type(response) is list:
                 for resp in response:
                     yield resp
-                if len(response) < per_page:
+                # Parse Link header for next page URL (cursor-based pagination)
+                link_header = r.headers.get("Link", "")
+                next_url = None
+                if link_header:
+                    # Parse Link header: <https://api.github.com/...?per_page=100&after=cursor>; rel="next"
+                    for link in link_header.split(","):
+                        if 'rel="next"' in link:
+                            next_url = link[link.find("<") + 1:link.find(">")]
+                            break
+                if not next_url:
                     break
             elif type(response) is dict and single_request:
                 yield response
@@ -713,16 +742,29 @@ def _get_response(request, auth, template):
 
 
 def _construct_request(
-    per_page, page, query_args, template, auth, as_app=None, fine=False
+    per_page, query_args, template, auth, as_app=None, fine=False
 ):
-    querystring = urlencode(
-        dict(
-            list({"per_page": per_page, "page": page}.items())
-            + list(query_args.items())
-        )
-    )
+    # If template is already a full URL with query params (from Link header), use it directly
+    if "?" in template and template.startswith("http"):
+        request_url = template
+        # Extract query string for logging
+        querystring = template.split("?", 1)[1]
+    else:
+        # Build URL with query parameters
+        all_query_args = {}
+        if per_page:
+            all_query_args["per_page"] = per_page
+        if query_args:
+            all_query_args.update(query_args)
 
-    request = Request(template + "?" + querystring)
+        request_url = template
+        if all_query_args:
+            querystring = urlencode(all_query_args)
+            request_url = template + "?" + querystring
+        else:
+            querystring = ""
+
+    request = Request(request_url)
     if auth is not None:
         if not as_app:
             if fine:
@@ -735,7 +777,11 @@ def _construct_request(
             request.add_header(
                 "Accept", "application/vnd.github.machine-man-preview+json"
             )
-    logger.info("Requesting {}?{}".format(template, querystring))
+
+    log_url = template if "?" not in template else template.split("?")[0]
+    if querystring:
+        log_url += "?" + querystring
+    logger.info("Requesting {}".format(log_url))
     return request
 
 
@@ -797,6 +843,8 @@ class S3HTTPRedirectHandler(HTTPRedirectHandler):
         request = super(S3HTTPRedirectHandler, self).redirect_request(
             req, fp, code, msg, headers, newurl
         )
+        # Only delete Authorization header if it exists (attachments may not have it)
+        if "Authorization" in request.headers:
             del request.headers["Authorization"]
         return request
 
@@ -807,8 +855,7 @@ def download_file(url, path, auth, as_app=False, fine=False):
         return
 
     request = _construct_request(
-        per_page=100,
-        page=1,
+        per_page=None,
         query_args={},
         template=url,
         auth=auth,
@@ -850,6 +897,585 @@ def download_file(url, path, auth, as_app=False, fine=False):
         )
 
 
+def download_attachment_file(url, path, auth, as_app=False, fine=False):
+    """Download attachment file directly (not via GitHub API).
+
+    Similar to download_file() but for direct file URLs, not API endpoints.
+    Attachment URLs (user-images, user-attachments) are direct downloads,
+    not API endpoints, so we skip _construct_request() which adds API params.
+
+    URL Format Support & Authentication Requirements:
+
+    | URL Format                                   | Auth Required | Notes                    |
+    |----------------------------------------------|---------------|--------------------------|
+    | github.com/user-attachments/assets/*         | Private only  | Modern format (2024+)    |
+    | github.com/user-attachments/files/*          | Private only  | Modern format (2024+)    |
+    | user-images.githubusercontent.com/*          | No (public)   | Legacy CDN, all eras     |
+    | private-user-images.githubusercontent.com/*  | JWT in URL    | Legacy private (5min)    |
+    | github.com/{owner}/{repo}/files/*            | Repo filter   | Old repo files           |
+
+    - Modern user-attachments: Requires GitHub token auth for private repos
+    - Legacy public CDN: No auth needed/accepted (returns 400 with auth header)
+    - Legacy private CDN: Uses JWT token embedded in URL, no GitHub token needed
+    - Repo files: Filtered to current repository only during extraction
+
+    Returns dict with metadata:
+        - success: bool
+        - http_status: int (200, 404, etc.)
+        - content_type: str or None
+        - original_filename: str or None (from Content-Disposition)
+        - size_bytes: int or None
+        - error: str or None
+    """
+    import re
+    from datetime import datetime, timezone
+
+    metadata = {
+        "url": url,
+        "success": False,
+        "http_status": None,
+        "content_type": None,
+        "original_filename": None,
+        "size_bytes": None,
+        "downloaded_at": datetime.now(timezone.utc).isoformat(),
+        "error": None,
+    }
+
+    # Create simple request (no API query params)
+    request = Request(url)
+    request.add_header("Accept", "application/octet-stream")
+
+    # Add authentication header only for modern github.com/user-attachments URLs
+    # Legacy CDN URLs (user-images.githubusercontent.com) are public and don't need/accept auth
+    # Private CDN URLs (private-user-images) use JWT tokens embedded in the URL
+    if auth is not None and "github.com/user-attachments/" in url:
+        if not as_app:
+            if fine:
+                # Fine-grained token: plain token with "token " prefix
+                request.add_header("Authorization", "token " + auth)
+            else:
+                # Classic token: base64-encoded with "Basic " prefix
+                request.add_header("Authorization", "Basic ".encode("ascii") + auth)
+        else:
+            # App authentication
+            auth = auth.encode("ascii")
+            request.add_header("Authorization", "token ".encode("ascii") + auth)
+
+    # Reuse S3HTTPRedirectHandler from download_file()
+    opener = build_opener(S3HTTPRedirectHandler)
+
+    temp_path = path + ".temp"
+
+    try:
+        response = opener.open(request)
+        metadata["http_status"] = response.getcode()
+
+        # Extract Content-Type
+        content_type = response.headers.get("Content-Type", "").split(";")[0].strip()
+        if content_type:
+            metadata["content_type"] = content_type
+
+        # Extract original filename from Content-Disposition header
+        # Format: attachment; filename=example.mov or attachment;filename="example.mov"
+        content_disposition = response.headers.get("Content-Disposition", "")
+        if content_disposition:
+            # Match: filename=something or filename="something" or filename*=UTF-8''something
+            match = re.search(r'filename\*?=["\']?([^"\';\r\n]+)', content_disposition)
+            if match:
+                original_filename = match.group(1).strip()
+                # Handle RFC 5987 encoding: filename*=UTF-8''example.mov
+                if "UTF-8''" in original_filename:
+                    original_filename = original_filename.split("UTF-8''")[1]
+                metadata["original_filename"] = original_filename
+
+        # Fallback: Extract filename from final URL after redirects
+        # This handles user-attachments/assets URLs which redirect to S3 with filename.ext
+        if not metadata["original_filename"]:
+            from urllib.parse import urlparse, unquote
+
+            final_url = response.geturl()
+            parsed = urlparse(final_url)
+            # Get filename from path (last component before query string)
+            path_parts = parsed.path.split("/")
+            if path_parts:
+                # URL might be encoded, decode it
+                filename_from_url = unquote(path_parts[-1])
+                # Only use if it has an extension
+                if "." in filename_from_url:
+                    metadata["original_filename"] = filename_from_url
+
+        # Download file to temporary location
+        chunk_size = 16 * 1024
+        bytes_downloaded = 0
+        with open(temp_path, "wb") as f:
+            while True:
+                chunk = response.read(chunk_size)
+                if not chunk:
+                    break
+                f.write(chunk)
+                bytes_downloaded += len(chunk)
+
+        # Atomic rename to final location
+        os.rename(temp_path, path)
+
+        metadata["size_bytes"] = bytes_downloaded
+        metadata["success"] = True
+
+    except HTTPError as exc:
+        metadata["http_status"] = exc.code
+        metadata["error"] = str(exc.reason)
+        logger.warning(
+            "Skipping download of attachment {0} due to HTTPError: {1}".format(
+                url, exc.reason
+            )
+        )
+    except URLError as e:
+        metadata["error"] = str(e.reason)
+        logger.warning(
+            "Skipping download of attachment {0} due to URLError: {1}".format(
+                url, e.reason
+            )
+        )
+    except socket.error as e:
+        metadata["error"] = str(e.strerror) if hasattr(e, "strerror") else str(e)
+        logger.warning(
+            "Skipping download of attachment {0} due to socket error: {1}".format(
+                url, e.strerror if hasattr(e, "strerror") else str(e)
+            )
+        )
+    except Exception as e:
+        metadata["error"] = str(e)
+        logger.warning(
+            "Skipping download of attachment {0} due to error: {1}".format(url, str(e))
+        )
+        # Clean up temp file if it was partially created
+        if os.path.exists(temp_path):
+            try:
+                os.remove(temp_path)
+            except Exception:
+                pass
+
+    return metadata
+
+
+def extract_attachment_urls(item_data, issue_number=None, repository_full_name=None):
+    """Extract GitHub-hosted attachment URLs from issue/PR body and comments.
+
+    What qualifies as an attachment?
+    There is no "attachment" concept in the GitHub API - it's a user behavior pattern
+    we've identified through analysis of real-world repositories. We define attachments as:
+
+    - User-uploaded files hosted on GitHub's CDN domains
+    - Found outside of code blocks (not examples/documentation)
+    - Matches known GitHub attachment URL patterns
+
+    This intentionally captures bare URLs pasted by users, not just markdown/HTML syntax.
+    Some false positives (example URLs in documentation) may occur - these fail gracefully
+    with HTTP 404 and are logged in the manifest.
+
+    Supported URL formats:
+    - Modern: github.com/user-attachments/{assets,files}/*
+    - Legacy: user-images.githubusercontent.com/* (including private-user-images)
+    - Repo files: github.com/{owner}/{repo}/files/* (filtered to current repo)
+    - Repo assets: github.com/{owner}/{repo}/assets/* (filtered to current repo)
+
+    Repository filtering (repo files/assets only):
+    - Direct match: URL is for current repository → included
+    - Redirect match: URL redirects to current repository → included (handles renames/transfers)
+    - Different repo: URL is for different repository → excluded
+
+    Code block filtering:
+    - Removes fenced code blocks (```) and inline code (`) before extraction
+    - Prevents extracting URLs from code examples and documentation snippets
+
+    Args:
+        item_data: Issue or PR data dict
+        issue_number: Issue/PR number for logging
+        repository_full_name: Full repository name (owner/repo) for filtering repo-scoped URLs
+    """
+    import re
+
+    urls = []
+
+    # Define all GitHub attachment patterns
+    # Stop at markdown punctuation: whitespace, ), `, ", >, <
+    # Trailing sentence punctuation (. ! ? , ; : ' ") is stripped in post-processing
+    patterns = [
+        r'https://github\.com/user-attachments/(?:assets|files)/[^\s\)`"<>]+',  # Modern
+        r'https://(?:private-)?user-images\.githubusercontent\.com/[^\s\)`"<>]+',  # Legacy CDN
+    ]
+
+    # Add repo-scoped patterns (will be filtered by repository later)
+    # These patterns match ANY repo, then we filter to current repo with redirect checking
+    repo_files_pattern = r'https://github\.com/[^/]+/[^/]+/files/\d+/[^\s\)`"<>]+'
+    repo_assets_pattern = r'https://github\.com/[^/]+/[^/]+/assets/\d+/[^\s\)`"<>]+'
+    patterns.append(repo_files_pattern)
+    patterns.append(repo_assets_pattern)
+
+    def clean_url(url):
+        """Remove trailing sentence and markdown punctuation that's not part of the URL."""
+        return url.rstrip(".!?,;:'\")")
+
+    def remove_code_blocks(text):
+        """Remove markdown code blocks (fenced and inline) from text.
+
+        This prevents extracting URLs from code examples like:
+        - Fenced code blocks: ```code```
+        - Inline code: `code`
+        """
+        # Remove fenced code blocks first (```...```)
+        # DOTALL flag makes . match newlines
+        text = re.sub(r"```.*?```", "", text, flags=re.DOTALL)
+
+        # Remove inline code (`...`)
+        # Non-greedy match between backticks
+        text = re.sub(r"`[^`]*`", "", text)
+
+        return text
+
+    def is_repo_scoped_url(url):
+        """Check if URL is a repo-scoped attachment (files or assets)."""
+        return bool(
+            re.match(r"https://github\.com/[^/]+/[^/]+/(?:files|assets)/\d+/", url)
+        )
+
+    def check_redirect_to_current_repo(url, current_repo):
+        """Check if URL redirects to current repository.
+
+        Returns True if:
+        - URL is already for current repo
+        - URL redirects (301/302) to current repo (handles renames/transfers)
+
+        Returns False otherwise (URL is for a different repo).
+        """
+        # Extract owner/repo from URL
+        match = re.match(r"https://github\.com/([^/]+)/([^/]+)/", url)
+        if not match:
+            return False
+
+        url_owner, url_repo = match.groups()
+        url_repo_full = f"{url_owner}/{url_repo}"
+
+        # Direct match - no need to check redirect
+        if url_repo_full.lower() == current_repo.lower():
+            return True
+
+        # Different repo - check if it redirects to current repo
+        # This handles repository transfers and renames
+        try:
+            import urllib.request
+            import urllib.error
+
+            # Make HEAD request with redirect following disabled
+            # We need to manually handle redirects to see the Location header
+            request = urllib.request.Request(url, method="HEAD")
+            request.add_header("User-Agent", "python-github-backup")
+
+            # Create opener that does NOT follow redirects
+            class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
+                def redirect_request(self, req, fp, code, msg, headers, newurl):
+                    return None  # Don't follow redirects
+
+            opener = urllib.request.build_opener(NoRedirectHandler)
+
+            try:
+                _ = opener.open(request, timeout=10)
+                # Got 200 - URL works as-is but for different repo
+                return False
+            except urllib.error.HTTPError as e:
+                # Check if it's a redirect (301, 302, 307, 308)
+                if e.code in (301, 302, 307, 308):
+                    location = e.headers.get("Location", "")
+                    # Check if redirect points to current repo
+                    if location:
+                        redirect_match = re.match(
+                            r"https://github\.com/([^/]+)/([^/]+)/", location
+                        )
+                        if redirect_match:
+                            redirect_owner, redirect_repo = redirect_match.groups()
+                            redirect_repo_full = f"{redirect_owner}/{redirect_repo}"
+                            return redirect_repo_full.lower() == current_repo.lower()
+                return False
+        except Exception:
+            # On any error (timeout, network issue, etc.), be conservative
+            # and exclude the URL to avoid downloading from wrong repos
+            return False
+
+    # Extract from body
+    body = item_data.get("body") or ""
+    # Remove code blocks before searching for URLs
+    body_cleaned = remove_code_blocks(body)
+    for pattern in patterns:
+        found_urls = re.findall(pattern, body_cleaned)
+        urls.extend([clean_url(url) for url in found_urls])
+
+    # Extract from issue comments
+    if "comment_data" in item_data:
+        for comment in item_data["comment_data"]:
+            comment_body = comment.get("body") or ""
+            # Remove code blocks before searching for URLs
+            comment_cleaned = remove_code_blocks(comment_body)
+            for pattern in patterns:
+                found_urls = re.findall(pattern, comment_cleaned)
+                urls.extend([clean_url(url) for url in found_urls])
+
+    # Extract from PR regular comments
+    if "comment_regular_data" in item_data:
+        for comment in item_data["comment_regular_data"]:
+            comment_body = comment.get("body") or ""
+            # Remove code blocks before searching for URLs
+            comment_cleaned = remove_code_blocks(comment_body)
+            for pattern in patterns:
+                found_urls = re.findall(pattern, comment_cleaned)
+                urls.extend([clean_url(url) for url in found_urls])
+
+    regex_urls = list(set(urls))  # dedupe
+
+    # Filter repo-scoped URLs to current repository only
+    # This handles repository transfers/renames via redirect checking
+    if repository_full_name:
+        filtered_urls = []
+        for url in regex_urls:
+            if is_repo_scoped_url(url):
+                # Check if URL belongs to current repo (or redirects to it)
+                if check_redirect_to_current_repo(url, repository_full_name):
+                    filtered_urls.append(url)
+                # else: skip URLs from other repositories
+            else:
+                # Non-repo-scoped URLs (user-attachments, CDN) - always include
+                filtered_urls.append(url)
+        regex_urls = filtered_urls
+
+    return regex_urls
+
+
+def get_attachment_filename(url):
+    """Get filename from attachment URL, handling all GitHub formats.
+
+    Formats:
+    - github.com/user-attachments/assets/{uuid} → uuid (add extension later)
+    - github.com/user-attachments/files/{id}/{filename} → filename
+    - github.com/{owner}/{repo}/files/{id}/{filename} → filename
+    - user-images.githubusercontent.com/{user}/{hash}.{ext} → hash.ext
+    - private-user-images.githubusercontent.com/...?jwt=... → extract from path
+    """
+    from urllib.parse import urlparse
+
+    parsed = urlparse(url)
+    path_parts = parsed.path.split("/")
+
+    # Modern: /user-attachments/files/{id}/{filename}
+    if "user-attachments/files" in parsed.path:
+        return path_parts[-1]
+
+    # Modern: /user-attachments/assets/{uuid}
+    elif "user-attachments/assets" in parsed.path:
+        return path_parts[-1]  # extension added later via detect_and_add_extension
+
+    # Repo files: /{owner}/{repo}/files/{id}/{filename}
+    elif "/files/" in parsed.path and len(path_parts) >= 2:
+        return path_parts[-1]
+
+    # Legacy: user-images.githubusercontent.com/{user}/{hash-with-ext}
+    elif "githubusercontent.com" in parsed.netloc:
+        return path_parts[-1]  # Already has extension usually
+
+    # Fallback: use last path component
+    return path_parts[-1] if path_parts[-1] else "unknown_attachment"
+
+
+def resolve_filename_collision(filepath):
+    """Resolve filename collisions using counter suffix pattern.
+
+    If filepath exists, returns a new filepath with counter suffix.
+    Pattern: report.pdf → report_1.pdf → report_2.pdf
+
+    Also protects against manifest.json collisions by treating it as reserved.
+
+    Args:
+        filepath: Full path to file that might exist
+
+    Returns:
+        filepath that doesn't collide (may be same as input if no collision)
+    """
+    directory = os.path.dirname(filepath)
+    filename = os.path.basename(filepath)
+
+    # Protect manifest.json - it's a reserved filename
+    if filename == "manifest.json":
+        name, ext = os.path.splitext(filename)
+        counter = 1
+        while True:
+            new_filename = f"{name}_{counter}{ext}"
+            new_filepath = os.path.join(directory, new_filename)
+            if not os.path.exists(new_filepath):
+                return new_filepath
+            counter += 1
+
+    if not os.path.exists(filepath):
+        return filepath
+
+    name, ext = os.path.splitext(filename)
+
+    counter = 1
+    while True:
+        new_filename = f"{name}_{counter}{ext}"
+        new_filepath = os.path.join(directory, new_filename)
+        if not os.path.exists(new_filepath):
+            return new_filepath
+        counter += 1
+
+
+def download_attachments(
+    args, item_cwd, item_data, number, repository, item_type="issue"
+):
+    """Download user-attachments from issue/PR body and comments with manifest.
+
+    Args:
+        args: Command line arguments
+        item_cwd: Working directory (issue_cwd or pulls_cwd)
+        item_data: Issue or PR data dict
+        number: Issue or PR number
+        repository: Repository dict
+        item_type: "issue" or "pull" for logging/manifest
+    """
+    import json
+    from datetime import datetime, timezone
+
+    item_type_display = "issue" if item_type == "issue" else "pull request"
+
+    urls = extract_attachment_urls(
+        item_data, issue_number=number, repository_full_name=repository["full_name"]
+    )
+    if not urls:
+        return
+
+    attachments_dir = os.path.join(item_cwd, "attachments", str(number))
+    manifest_path = os.path.join(attachments_dir, "manifest.json")
+
+    # Load existing manifest to prevent duplicate downloads
+    existing_urls = set()
+    existing_metadata = []
+    if os.path.exists(manifest_path):
+        try:
+            with open(manifest_path, "r") as f:
+                existing_manifest = json.load(f)
+                all_metadata = existing_manifest.get("attachments", [])
+                # Only skip URLs that were successfully downloaded OR failed with permanent errors
+                # Retry transient failures (5xx, timeouts, network errors)
+                for item in all_metadata:
+                    if item.get("success"):
+                        existing_urls.add(item["url"])
+                    else:
+                        # Check if this is a permanent failure (don't retry) or transient (retry)
+                        http_status = item.get("http_status")
+                        if http_status in [404, 410, 451]:
+                            # Permanent failures - don't retry
+                            existing_urls.add(item["url"])
+                # Transient failures (5xx, auth errors, timeouts) will be retried
+                existing_metadata = all_metadata
+        except (json.JSONDecodeError, IOError):
+            # If manifest is corrupted, re-download everything
+            logger.warning(
+                "Corrupted manifest for {0} #{1}, will re-download".format(
+                    item_type_display, number
+                )
+            )
+            existing_urls = set()
+            existing_metadata = []
+
+    # Filter to only new URLs
+    new_urls = [url for url in urls if url not in existing_urls]
+
+    if not new_urls and existing_urls:
+        logger.debug(
+            "Skipping attachments for {0} #{1} (all {2} already downloaded)".format(
+                item_type_display, number, len(urls)
+            )
+        )
+        return
+
+    if new_urls:
+        logger.info(
+            "Downloading {0} new attachment(s) for {1} #{2}".format(
+                len(new_urls), item_type_display, number
+            )
+        )
+
+    mkdir_p(item_cwd, attachments_dir)
+
+    # Collect metadata for manifest (start with existing)
+    attachment_metadata_list = existing_metadata[:]
+
+    for url in new_urls:
+        filename = get_attachment_filename(url)
+        filepath = os.path.join(attachments_dir, filename)
+
+        # Download and get metadata
+        metadata = download_attachment_file(
+            url,
+            filepath,
+            get_auth(args, encode=not args.as_app),
+            as_app=args.as_app,
+            fine=args.token_fine is not None,
+        )
+
+        # If download succeeded but we got an extension from Content-Disposition,
+        # we may need to rename the file to add the extension
+        if metadata["success"] and metadata.get("original_filename"):
+            original_ext = os.path.splitext(metadata["original_filename"])[1]
+            current_ext = os.path.splitext(filepath)[1]
+
+            # Add extension if not present
+            if original_ext and current_ext != original_ext:
+                final_filepath = filepath + original_ext
+                # Check for collision again with new extension
+                final_filepath = resolve_filename_collision(final_filepath)
+                logger.debug(
+                    "Adding extension {0} to {1}".format(original_ext, filepath)
+                )
+
+                # Rename to add extension (already atomic from download)
+                try:
+                    os.rename(filepath, final_filepath)
+                    metadata["saved_as"] = os.path.basename(final_filepath)
+                except Exception as e:
+                    logger.warning(
+                        "Could not add extension to {0}: {1}".format(filepath, str(e))
+                    )
+                    metadata["saved_as"] = os.path.basename(filepath)
+            else:
+                metadata["saved_as"] = os.path.basename(filepath)
+        elif metadata["success"]:
+            metadata["saved_as"] = os.path.basename(filepath)
+        else:
+            metadata["saved_as"] = None
+
+        attachment_metadata_list.append(metadata)
+
+    # Write manifest
+    if attachment_metadata_list:
+        manifest = {
+            "issue_number": number,
+            "issue_type": item_type,
+            "repository": f"{args.user}/{args.repository}"
+            if hasattr(args, "repository") and args.repository
+            else args.user,
+            "manifest_updated_at": datetime.now(timezone.utc).isoformat(),
+            "attachments": attachment_metadata_list,
+        }
+
+        manifest_path = os.path.join(attachments_dir, "manifest.json")
+        with open(manifest_path + ".temp", "w") as f:
+            json.dump(manifest, f, indent=2)
+            os.rename(manifest_path + ".temp", manifest_path)  # Atomic write
+        logger.debug(
+            "Wrote manifest for {0} #{1}: {2} attachments".format(
+                item_type_display, number, len(attachment_metadata_list)
+            )
+        )
+
+
 def get_authenticated_user(args):
     template = "https://{0}/user".format(get_github_api_host(args))
     data = retrieve_data(args, template, single_request=True)
@@ -885,9 +1511,13 @@ def retrieve_repositories(args, authenticated_user):
         )
 
     if args.repository:
+        if "/" in args.repository:
+            repo_path = args.repository
+        else:
+            repo_path = "{0}/{1}".format(args.user, args.repository)
         single_request = True
-        template = "https://{0}/repos/{1}/{2}".format(
-            get_github_api_host(args), args.user, args.repository
+        template = "https://{0}/repos/{1}".format(
+            get_github_api_host(args), repo_path
         )
 
     repos = retrieve_data(args, template, single_request=single_request)
@@ -928,6 +1558,8 @@ def retrieve_repositories(args, authenticated_user):
 
 
 def filter_repositories(args, unfiltered_repositories):
+    if args.repository:
+        return unfiltered_repositories
     logger.info("Filtering repositories")
 
     repositories = []
@@ -1134,6 +1766,10 @@ def backup_issues(args, repo_cwd, repository, repos_template):
         if args.include_issue_events or args.include_everything:
             template = events_template.format(number)
             issues[number]["event_data"] = retrieve_data(args, template)
+        if args.include_attachments:
+            download_attachments(
+                args, issue_cwd, issues[number], number, repository, item_type="issue"
+            )
 
         with codecs.open(issue_file + ".temp", "w", encoding="utf-8") as f:
             json_dump(issue, f)
@@ -1205,6 +1841,10 @@ def backup_pulls(args, repo_cwd, repository, repos_template):
         if args.include_pull_commits or args.include_everything:
             template = commits_template.format(number)
             pulls[number]["commit_data"] = retrieve_data(args, template)
+        if args.include_attachments:
+            download_attachments(
+                args, pulls_cwd, pulls[number], number, repository, item_type="pull"
+            )
 
         with codecs.open(pull_file + ".temp", "w", encoding="utf-8") as f:
             json_dump(pull, f)

pytest.ini

@@ -0,0 +1,6 @@
+[pytest]
+testpaths = tests
+python_files = test_*.py
+python_classes = Test*
+python_functions = test_*
+addopts = -v

release-requirements.txt

@@ -1,39 +1,40 @@
 autopep8==2.3.2
-black==25.1.0
-bleach==6.2.0
-certifi==2025.1.31
-charset-normalizer==3.4.1
-click==8.1.8
+black==25.11.0
+bleach==6.3.0
+certifi==2025.11.12
+charset-normalizer==3.4.4
+click==8.3.0
 colorama==0.4.6
-docutils==0.21.2
-flake8==7.1.2
+docutils==0.22.3
+flake8==7.3.0
 gitchangelog==3.0.4
-idna==3.10
-importlib-metadata==8.6.1
+pytest==8.3.3
+idna==3.11
+importlib-metadata==8.7.0
 jaraco.classes==3.4.0
 keyring==25.6.0
-markdown-it-py==3.0.0
+markdown-it-py==4.0.0
 mccabe==0.7.0
 mdurl==0.1.2
-more-itertools==10.6.0
-mypy-extensions==1.0.0
-packaging==24.2
+more-itertools==10.8.0
+mypy-extensions==1.1.0
+packaging==25.0
 pathspec==0.12.1
 pkginfo==1.12.1.2
-platformdirs==4.3.6
-pycodestyle==2.12.1
-pyflakes==3.2.0
-Pygments==2.19.1
+platformdirs==4.5.0
+pycodestyle==2.14.0
+pyflakes==3.4.0
+Pygments==2.19.2
 readme-renderer==44.0
-requests==2.32.3
+requests==2.32.5
 requests-toolbelt==1.0.0
 restructuredtext-lint==1.4.0
 rfc3986==2.0.0
-rich==13.9.4
-setuptools==75.8.0
+rich==14.2.0
+setuptools==80.9.0
 six==1.17.0
 tqdm==4.67.1
-twine==6.1.0
-urllib3==2.3.0
+twine==6.2.0
+urllib3==2.5.0
 webencodings==0.5.1
-zipp==3.21.0
+zipp==3.23.0

requirements.txt

@@ -1 +0,0 @@
-

setup.py

@@ -40,15 +40,16 @@ setup(
         "Development Status :: 5 - Production/Stable",
         "Topic :: System :: Archiving :: Backup",
         "License :: OSI Approved :: MIT License",
-        "Programming Language :: Python :: 3.8",
-        "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
         "Programming Language :: Python :: 3.12",
+        "Programming Language :: Python :: 3.13",
+        "Programming Language :: Python :: 3.14",
     ],
     description="backup a github user or organization",
     long_description=open_file("README.rst").read(),
     long_description_content_type="text/x-rst",
     install_requires=open_file("requirements.txt").readlines(),
+    python_requires=">=3.10",
     zip_safe=True,
 )

tests/__init__.py

@@ -0,0 +1 @@
+"""Tests for python-github-backup."""

tests/test_attachments.py

@@ -0,0 +1,353 @@
+"""Behavioral tests for attachment functionality."""
+
+import json
+import os
+import tempfile
+from pathlib import Path
+from unittest.mock import Mock
+
+import pytest
+
+from github_backup import github_backup
+
+
+@pytest.fixture
+def attachment_test_setup(tmp_path):
+    """Fixture providing setup and helper for attachment download tests."""
+    from unittest.mock import patch
+
+    issue_cwd = tmp_path / "issues"
+    issue_cwd.mkdir()
+
+    # Mock args
+    args = Mock()
+    args.as_app = False
+    args.token_fine = None
+    args.token_classic = None
+    args.username = None
+    args.password = None
+    args.osx_keychain_item_name = None
+    args.osx_keychain_item_account = None
+    args.user = "testuser"
+    args.repository = "testrepo"
+
+    repository = {"full_name": "testuser/testrepo"}
+
+    def call_download(issue_data, issue_number=123):
+        """Call download_attachments with mocked HTTP downloads.
+
+        Returns list of URLs that were actually downloaded.
+        """
+        downloaded_urls = []
+
+        def mock_download(url, path, auth, as_app, fine):
+            downloaded_urls.append(url)
+            return {
+                "success": True,
+                "saved_as": os.path.basename(path),
+                "url": url,
+            }
+
+        with patch(
+            "github_backup.github_backup.download_attachment_file",
+            side_effect=mock_download,
+        ):
+            github_backup.download_attachments(
+                args, str(issue_cwd), issue_data, issue_number, repository
+            )
+
+        return downloaded_urls
+
+    return {
+        "issue_cwd": str(issue_cwd),
+        "args": args,
+        "repository": repository,
+        "call_download": call_download,
+    }
+
+
+class TestURLExtraction:
+    """Test URL extraction with realistic issue content."""
+
+    def test_mixed_urls(self):
+        issue_data = {
+            "body": """
+            ## Bug Report
+
+            When uploading files, I see this error. Here's a screenshot:
+            https://github.com/user-attachments/assets/abc123def456
+
+            The logs show: https://github.com/user-attachments/files/789/error-log.txt
+
+            This is similar to https://github.com/someorg/somerepo/issues/42 but different.
+
+            You can also see the video at https://user-images.githubusercontent.com/12345/video-demo.mov
+
+            Here's how to reproduce:
+            ```bash
+            # Don't extract this example URL:
+            curl https://github.com/user-attachments/assets/example999
+            ```
+
+            More info at https://docs.example.com/guide
+
+            Also see this inline code `https://github.com/user-attachments/files/111/inline.pdf` should not extract.
+
+            Final attachment: https://github.com/user-attachments/files/222/report.pdf.
+            """,
+            "comment_data": [
+                {
+                    "body": "Here's another attachment: https://private-user-images.githubusercontent.com/98765/secret.png?jwt=token123"
+                },
+                {
+                    "body": """
+                    Example code:
+                    ```python
+                    url = "https://github.com/user-attachments/assets/code-example"
+                    ```
+                    But this is real: https://github.com/user-attachments/files/333/actual.zip
+                    """
+                },
+            ],
+        }
+
+        # Extract URLs
+        urls = github_backup.extract_attachment_urls(issue_data)
+
+        expected_urls = [
+            "https://github.com/user-attachments/assets/abc123def456",
+            "https://github.com/user-attachments/files/789/error-log.txt",
+            "https://user-images.githubusercontent.com/12345/video-demo.mov",
+            "https://github.com/user-attachments/files/222/report.pdf",
+            "https://private-user-images.githubusercontent.com/98765/secret.png?jwt=token123",
+            "https://github.com/user-attachments/files/333/actual.zip",
+        ]
+
+        assert set(urls) == set(expected_urls)
+
+    def test_trailing_punctuation_stripped(self):
+        """URLs with trailing punctuation should have punctuation stripped."""
+        issue_data = {
+            "body": """
+            See this file: https://github.com/user-attachments/files/1/doc.pdf.
+            And this one (https://github.com/user-attachments/files/2/image.png).
+            Check it out! https://github.com/user-attachments/files/3/data.csv!
+            """
+        }
+
+        urls = github_backup.extract_attachment_urls(issue_data)
+
+        expected = [
+            "https://github.com/user-attachments/files/1/doc.pdf",
+            "https://github.com/user-attachments/files/2/image.png",
+            "https://github.com/user-attachments/files/3/data.csv",
+        ]
+        assert set(urls) == set(expected)
+
+    def test_deduplication_across_body_and_comments(self):
+        """Same URL in body and comments should only appear once."""
+        duplicate_url = "https://github.com/user-attachments/assets/abc123"
+
+        issue_data = {
+            "body": f"First mention: {duplicate_url}",
+            "comment_data": [
+                {"body": f"Second mention: {duplicate_url}"},
+                {"body": f"Third mention: {duplicate_url}"},
+            ],
+        }
+
+        urls = github_backup.extract_attachment_urls(issue_data)
+
+        assert set(urls) == {duplicate_url}
+
+
+class TestFilenameExtraction:
+    """Test filename extraction from different URL types."""
+
+    def test_modern_assets_url(self):
+        """Modern assets URL returns UUID."""
+        url = "https://github.com/user-attachments/assets/abc123def456"
+        filename = github_backup.get_attachment_filename(url)
+        assert filename == "abc123def456"
+
+    def test_modern_files_url(self):
+        """Modern files URL returns filename."""
+        url = "https://github.com/user-attachments/files/12345/report.pdf"
+        filename = github_backup.get_attachment_filename(url)
+        assert filename == "report.pdf"
+
+    def test_legacy_cdn_url(self):
+        """Legacy CDN URL returns filename with extension."""
+        url = "https://user-images.githubusercontent.com/123456/abc-def.png"
+        filename = github_backup.get_attachment_filename(url)
+        assert filename == "abc-def.png"
+
+    def test_private_cdn_url(self):
+        """Private CDN URL returns filename."""
+        url = "https://private-user-images.githubusercontent.com/98765/secret.png?jwt=token123"
+        filename = github_backup.get_attachment_filename(url)
+        assert filename == "secret.png"
+
+    def test_repo_files_url(self):
+        """Repo-scoped files URL returns filename."""
+        url = "https://github.com/owner/repo/files/789/document.txt"
+        filename = github_backup.get_attachment_filename(url)
+        assert filename == "document.txt"
+
+
+class TestFilenameCollision:
+    """Test filename collision resolution."""
+
+    def test_collision_behavior(self):
+        """Test filename collision resolution with real files."""
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # No collision - file doesn't exist
+            result = github_backup.resolve_filename_collision(
+                os.path.join(tmpdir, "report.pdf")
+            )
+            assert result == os.path.join(tmpdir, "report.pdf")
+
+            # Create the file, now collision exists
+            Path(os.path.join(tmpdir, "report.pdf")).touch()
+            result = github_backup.resolve_filename_collision(
+                os.path.join(tmpdir, "report.pdf")
+            )
+            assert result == os.path.join(tmpdir, "report_1.pdf")
+
+            # Create report_1.pdf too
+            Path(os.path.join(tmpdir, "report_1.pdf")).touch()
+            result = github_backup.resolve_filename_collision(
+                os.path.join(tmpdir, "report.pdf")
+            )
+            assert result == os.path.join(tmpdir, "report_2.pdf")
+
+    def test_manifest_reserved(self):
+        """manifest.json is always treated as reserved."""
+        with tempfile.TemporaryDirectory() as tmpdir:
+            # Even if manifest.json doesn't exist, should get manifest_1.json
+            result = github_backup.resolve_filename_collision(
+                os.path.join(tmpdir, "manifest.json")
+            )
+            assert result == os.path.join(tmpdir, "manifest_1.json")
+
+
+class TestManifestDuplicatePrevention:
+    """Test that manifest prevents duplicate downloads (the bug fix)."""
+
+    def test_manifest_filters_existing_urls(self, attachment_test_setup):
+        """URLs in manifest are not re-downloaded."""
+        setup = attachment_test_setup
+
+        # Create manifest with existing URLs
+        attachments_dir = os.path.join(setup["issue_cwd"], "attachments", "123")
+        os.makedirs(attachments_dir)
+        manifest_path = os.path.join(attachments_dir, "manifest.json")
+
+        manifest = {
+            "attachments": [
+                {
+                    "url": "https://github.com/user-attachments/assets/old1",
+                    "success": True,
+                    "saved_as": "old1.pdf",
+                },
+                {
+                    "url": "https://github.com/user-attachments/assets/old2",
+                    "success": True,
+                    "saved_as": "old2.pdf",
+                },
+            ]
+        }
+        with open(manifest_path, "w") as f:
+            json.dump(manifest, f)
+
+        # Issue data with 2 old URLs and 1 new URL
+        issue_data = {
+            "body": """
+            Old: https://github.com/user-attachments/assets/old1
+            Old: https://github.com/user-attachments/assets/old2
+            New: https://github.com/user-attachments/assets/new1
+            """
+        }
+
+        downloaded_urls = setup["call_download"](issue_data)
+
+        # Should only download the NEW URL (old ones filtered by manifest)
+        assert len(downloaded_urls) == 1
+        assert downloaded_urls[0] == "https://github.com/user-attachments/assets/new1"
+
+    def test_no_manifest_downloads_all(self, attachment_test_setup):
+        """Without manifest, all URLs should be downloaded."""
+        setup = attachment_test_setup
+
+        # Issue data with 2 URLs
+        issue_data = {
+            "body": """
+            https://github.com/user-attachments/assets/url1
+            https://github.com/user-attachments/assets/url2
+            """
+        }
+
+        downloaded_urls = setup["call_download"](issue_data)
+
+        # Should download ALL URLs (no manifest to filter)
+        assert len(downloaded_urls) == 2
+        assert set(downloaded_urls) == {
+            "https://github.com/user-attachments/assets/url1",
+            "https://github.com/user-attachments/assets/url2",
+        }
+
+    def test_manifest_skips_permanent_failures(self, attachment_test_setup):
+        """Manifest skips permanent failures (404, 410) but retries transient (503)."""
+        setup = attachment_test_setup
+
+        # Create manifest with different failure types
+        attachments_dir = os.path.join(setup["issue_cwd"], "attachments", "123")
+        os.makedirs(attachments_dir)
+        manifest_path = os.path.join(attachments_dir, "manifest.json")
+
+        manifest = {
+            "attachments": [
+                {
+                    "url": "https://github.com/user-attachments/assets/success",
+                    "success": True,
+                    "saved_as": "success.pdf",
+                },
+                {
+                    "url": "https://github.com/user-attachments/assets/notfound",
+                    "success": False,
+                    "http_status": 404,
+                },
+                {
+                    "url": "https://github.com/user-attachments/assets/gone",
+                    "success": False,
+                    "http_status": 410,
+                },
+                {
+                    "url": "https://github.com/user-attachments/assets/unavailable",
+                    "success": False,
+                    "http_status": 503,
+                },
+            ]
+        }
+        with open(manifest_path, "w") as f:
+            json.dump(manifest, f)
+
+        # Issue data has all 4 URLs
+        issue_data = {
+            "body": """
+            https://github.com/user-attachments/assets/success
+            https://github.com/user-attachments/assets/notfound
+            https://github.com/user-attachments/assets/gone
+            https://github.com/user-attachments/assets/unavailable
+            """
+        }
+
+        downloaded_urls = setup["call_download"](issue_data)
+
+        # Should only retry 503 (transient failure)
+        # Success, 404, and 410 should be skipped
+        assert len(downloaded_urls) == 1
+        assert (
+            downloaded_urls[0]
+            == "https://github.com/user-attachments/assets/unavailable"
+        )

tests/test_pagination.py

@@ -0,0 +1,153 @@
+"""Tests for Link header pagination handling."""
+
+import json
+from unittest.mock import Mock, patch
+
+import pytest
+
+from github_backup import github_backup
+
+
+class MockHTTPResponse:
+    """Mock HTTP response for paginated API calls."""
+
+    def __init__(self, data, link_header=None):
+        self._content = json.dumps(data).encode("utf-8")
+        self._link_header = link_header
+        self._read = False
+        self.reason = "OK"
+
+    def getcode(self):
+        return 200
+
+    def read(self):
+        if self._read:
+            return b""
+        self._read = True
+        return self._content
+
+    def get_header(self, name, default=None):
+        """Mock method for headers.get()."""
+        return self.headers.get(name, default)
+
+    @property
+    def headers(self):
+        headers = {"x-ratelimit-remaining": "5000"}
+        if self._link_header:
+            headers["Link"] = self._link_header
+        return headers
+
+
+@pytest.fixture
+def mock_args():
+    """Mock args for retrieve_data_gen."""
+    args = Mock()
+    args.as_app = False
+    args.token_fine = None
+    args.token_classic = "fake_token"
+    args.username = None
+    args.password = None
+    args.osx_keychain_item_name = None
+    args.osx_keychain_item_account = None
+    args.throttle_limit = None
+    args.throttle_pause = 0
+    return args
+
+
+def test_cursor_based_pagination(mock_args):
+    """Link header with 'after' cursor parameter works correctly."""
+
+    # Simulate issues endpoint behavior: returns cursor in Link header
+    responses = [
+        # Issues endpoint returns 'after' cursor parameter (not 'page')
+        MockHTTPResponse(
+            data=[{"issue": i} for i in range(1, 101)],  # Page 1 contents
+            link_header='<https://api.github.com/repos/owner/repo/issues?per_page=100&after=ABC123&page=2>; rel="next"',
+        ),
+        MockHTTPResponse(
+            data=[{"issue": i} for i in range(101, 151)],  # Page 2 contents
+            link_header=None,  # No Link header - signals end of pagination
+        ),
+    ]
+    requests_made = []
+
+    def mock_urlopen(request, *args, **kwargs):
+        url = request.get_full_url()
+        requests_made.append(url)
+        return responses[len(requests_made) - 1]
+
+    with patch("github_backup.github_backup.urlopen", side_effect=mock_urlopen):
+        results = list(
+            github_backup.retrieve_data_gen(
+                mock_args, "https://api.github.com/repos/owner/repo/issues"
+            )
+        )
+
+    # Verify all items retrieved and cursor was used in second request
+    assert len(results) == 150
+    assert len(requests_made) == 2
+    assert "after=ABC123" in requests_made[1]
+
+
+def test_page_based_pagination(mock_args):
+    """Link header with 'page' parameter works correctly."""
+
+    # Simulate pulls/repos endpoint behavior: returns page numbers in Link header
+    responses = [
+        # Pulls endpoint uses traditional 'page' parameter (not cursor)
+        MockHTTPResponse(
+            data=[{"pull": i} for i in range(1, 101)],  # Page 1 contents
+            link_header='<https://api.github.com/repos/owner/repo/pulls?per_page=100&page=2>; rel="next"',
+        ),
+        MockHTTPResponse(
+            data=[{"pull": i} for i in range(101, 181)],  # Page 2 contents
+            link_header=None,  # No Link header - signals end of pagination
+        ),
+    ]
+    requests_made = []
+
+    def mock_urlopen(request, *args, **kwargs):
+        url = request.get_full_url()
+        requests_made.append(url)
+        return responses[len(requests_made) - 1]
+
+    with patch("github_backup.github_backup.urlopen", side_effect=mock_urlopen):
+        results = list(
+            github_backup.retrieve_data_gen(
+                mock_args, "https://api.github.com/repos/owner/repo/pulls"
+            )
+        )
+
+    # Verify all items retrieved and page parameter was used (not cursor)
+    assert len(results) == 180
+    assert len(requests_made) == 2
+    assert "page=2" in requests_made[1]
+    assert "after" not in requests_made[1]
+
+
+def test_no_link_header_stops_pagination(mock_args):
+    """Pagination stops when Link header is absent."""
+
+    # Simulate endpoint with results that fit in a single page
+    responses = [
+        MockHTTPResponse(
+            data=[{"label": i} for i in range(1, 51)],  # Page contents
+            link_header=None,  # No Link header - signals end of pagination
+        )
+    ]
+    requests_made = []
+
+    def mock_urlopen(request, *args, **kwargs):
+        requests_made.append(request.get_full_url())
+        return responses[len(requests_made) - 1]
+
+    with patch("github_backup.github_backup.urlopen", side_effect=mock_urlopen):
+        results = list(
+            github_backup.retrieve_data_gen(
+                mock_args, "https://api.github.com/repos/owner/repo/labels"
+            )
+        )
+
+    # Verify pagination stopped after first request
+    assert len(results) == 50
+    assert len(requests_made) == 1