glasp v0.3.0 & v0.4.0 - PKCE Support, Timeouts, and Retries
Last time I wrote about using glasp, a Go-based, npm-free CLI for Google Apps Script (GAS), in GitHub Actions.
Previous post: Lean, Fast, Simple - npm-free GAS Deployment on GitHub Actions with glasp
This time, a quick rundown of what landed in v0.3.0 and v0.4.0.
v0.3.0: PKCE support
glasp login now supports PKCE (RFC 7636) as an opt-in.
glasp login --pkce
# or
GLASP_USE_PKCE=1 glasp login
Each login generates a code_verifier and sends an S256 code_challenge to Google. It's a defense against authorization code interception, and it coexists fine with the existing client_secret flow.
It only applies to the interactive login - --auth / GLASP_AUTH for CI is untouched. Off by default. Worth turning on if you're in a stricter security environment.
v0.4.0: Timeouts and retries
The focus here is basically "can this run unattended in CI/CD without falling over."
Timeouts
Script API requests previously had no timeout - a stuck request could hang the job indefinitely. v0.4.0 adds a 180s default.
glasp push --timeout 60 # set to 60s
glasp push --no-timeout # disable
Also configurable via GLASP_TIMEOUT / GLASP_NO_TIMEOUT env vars or timeoutSeconds in .glasp/config.json.
Priority: --no-timeout > flag/env > config > default. If the config file is broken, it warns instead of silently falling back.
Retries
Transient failures (5xx, 429) now get retried automatically.
glasp push --max-retries 5
glasp push --no-retries
- 3 retries by default (up to 4 attempts total)
- Only applies to idempotent commands:
push,pull,clone,list-deployments - Commands with side effects (
create-script,run-function, etc.) are never retried - Exponential backoff with jitter, respecting
Retry-After
It's implemented as a single http.RoundTripper wrapper, so the Google SDK itself isn't touched - same pattern as the timeout implementation.
retryTransport → oauth2.Transport → http.DefaultTransport
Some refactoring, too
Internal packages got reorganized (#107), and the hand-rolled retry transport was swapped for go-retryablehttp (#112). No behavior change, just easier to maintain going forward.
In GitHub Actions
Bump to v0.4.0 and the timeout/retry defaults just apply. Nothing else to do.
- uses: actions/checkout@v4
- uses: takihito/glasp@v0.4.0
with:
version: 'v0.4.0'
auth: ${{ secrets.CLASPRC_JSON }}
- run: glasp push
If you're hitting rate limits often, bumping --max-retries helps.
Wrapping up
- v0.3.0: PKCE if you want a slightly harder login flow
- v0.4.0: no more hanging, no more failing on transient errors
No flashy new commands here - just reliability improvements that quietly matter.
- GitHub Repository: takihito/glasp
- Release v0.3.0
- Release v0.4.0
- glasp Documentation
Comments
No comments yet. Start the discussion.