glasp v0.3.0 & v0.4.0 - PKCE Support, Timeouts, and Retries
DEV Community

glasp v0.3.0 & v0.4.0 - PKCE Support, Timeouts, and Retries

Last time I wrote about using glasp, a Go-based, npm-free CLI for Google Apps Script (GAS), in GitHub Actions.

Previous post: Lean, Fast, Simple - npm-free GAS Deployment on GitHub Actions with glasp

This time, a quick rundown of what landed in v0.3.0 and v0.4.0.

v0.3.0: PKCE support

glasp login now supports PKCE (RFC 7636) as an opt-in.

glasp login --pkce
# or
GLASP_USE_PKCE=1 glasp login

Each login generates a code_verifier and sends an S256 code_challenge to Google. It's a defense against authorization code interception, and it coexists fine with the existing client_secret flow.

It only applies to the interactive login - --auth / GLASP_AUTH for CI is untouched. Off by default. Worth turning on if you're in a stricter security environment.

v0.4.0: Timeouts and retries

The focus here is basically "can this run unattended in CI/CD without falling over."

Timeouts

Script API requests previously had no timeout - a stuck request could hang the job indefinitely. v0.4.0 adds a 180s default.

glasp push --timeout 60   # set to 60s
glasp push --no-timeout   # disable

Also configurable via GLASP_TIMEOUT / GLASP_NO_TIMEOUT env vars or timeoutSeconds in .glasp/config.json.

Priority: --no-timeout > flag/env > config > default. If the config file is broken, it warns instead of silently falling back.

Retries

Transient failures (5xx, 429) now get retried automatically.

glasp push --max-retries 5
glasp push --no-retries
  • 3 retries by default (up to 4 attempts total)
  • Only applies to idempotent commands: push, pull, clone, list-deployments
  • Commands with side effects (create-script, run-function, etc.) are never retried
  • Exponential backoff with jitter, respecting Retry-After

It's implemented as a single http.RoundTripper wrapper, so the Google SDK itself isn't touched - same pattern as the timeout implementation.

retryTransport → oauth2.Transport → http.DefaultTransport

Some refactoring, too

Internal packages got reorganized (#107), and the hand-rolled retry transport was swapped for go-retryablehttp (#112). No behavior change, just easier to maintain going forward.

In GitHub Actions

Bump to v0.4.0 and the timeout/retry defaults just apply. Nothing else to do.

- uses: actions/checkout@v4
- uses: takihito/glasp@v0.4.0
  with:
    version: 'v0.4.0'
    auth: ${{ secrets.CLASPRC_JSON }}
- run: glasp push

If you're hitting rate limits often, bumping --max-retries helps.

Wrapping up

  • v0.3.0: PKCE if you want a slightly harder login flow
  • v0.4.0: no more hanging, no more failing on transient errors

No flashy new commands here - just reliability improvements that quietly matter.

  • GitHub Repository: takihito/glasp
  • Release v0.3.0
  • Release v0.4.0
  • glasp Documentation

Comments

No comments yet. Start the discussion.