Composer leaks GITHUB_TOKEN values containing hyphens into CI logs because a 2021 regex rejects the new ghs_<id>_<base64url-JWT> token format and embeds the raw token in an exception message.
Key Takeaways
BaseIO.php throws UnexpectedValueException with the token interpolated verbatim when it fails ^[.A-Za-z0-9_]+$ validation; Symfony Console prints this to stderr.
GitHub’s new structured installation tokens use base64url encoding, whose alphabet includes the - character, so they reliably trigger the bug.
Popular Actions like shivammathur/setup-php auto-register GITHUB_TOKEN into auth.json, meaning the leak requires no unusual user configuration.
GitHub Actions’ secret masker does not redact the token because Symfony Console may wrap, frame, or interleave ANSI sequences with the message before it reaches the log.
Blast radius is bounded for short-lived workflow tokens (they expire when the job ends, 6h max on hosted runners), but longer-lived App-minted tokens containing a hyphen face greater exposure.
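Added illustration, not Composer's own code (which is PHP): a Python reconstruction of the failing check described above beside a hardened version that accepts the hyphenated format and redacts the token on failure, plus a simplified exact-substring masker showing why a message wrapped at a console width escapes redaction. The sample token, the 40-column wrap width and the masker are constructed assumptions.

```python
import re
import textwrap

# Constructed sample in the structured ghs_<id>_<base64url-JWT> shape; not a real credential.
SAMPLE_TOKEN = "ghs_12345_eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJnaCJ9.ab-cd_EF-gh"
# The 2021 pattern quoted on the page: '-' is absent, so base64url bodies fail.
LEGACY_TOKEN_RE = re.compile(r"^[.A-Za-z0-9_]+$")
# Hardened pattern: adds '-' so the full base64url alphabet is accepted.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def vulnerable_check(token: str) -> bool:
    """Mirrors the leak: the rejected token is interpolated verbatim into the error."""
    if not LEGACY_TOKEN_RE.match(token):
        raise ValueError(f'github oauth token contains invalid characters: "{token}"')
    return True

def redact(token: str) -> str:
    """Keep only the type prefix and the length; never echo the secret body."""
    prefix = token.split("_", 1)[0] if "_" in token else "token"
    return f"{prefix}_...({len(token)} chars)"

def hardened_check(token: str) -> bool:
    """Accepts the new format; on failure names only the offending characters."""
    if not TOKEN_RE.match(token):
        bad = sorted(set(re.sub(r"[A-Za-z0-9._-]", "", token)))
        raise ValueError(f"github oauth token {redact(token)} contains invalid characters: {bad}")
    return True

def error_message(check, token: str):
    """Return the check's error text, or None when the token is accepted."""
    try:
        check(token)
    except ValueError as e:
        return str(e)
    return None

def mask_secrets(text: str, secrets: list) -> str:
    """Simplified exact-substring masker, as a log sink might apply per output chunk."""
    for s in secrets:
        text = text.replace(s, "***")
    return text

def masker_misses_wrapped_message(token: str, width: int = 40) -> bool:
    """Assumed console wrapping: a token split across a line break evades exact matching
    yet survives in the log, recoverable by joining the lines."""
    msg = error_message(vulnerable_check, token)
    if msg is None:
        return False
    masked = mask_secrets(textwrap.fill(msg, width=width), [token])
    return "***" not in masked and token in masked.replace("\n", "")
```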
Hacker News Comment Review
The bug reporter advises disabling GitHub Actions immediately if the Composer version used in your workflows is unknown, treating it as an active incident.
Commenters view this as symptomatic of GitHub Actions’ shallow integration design, where convenience defaults (auto-injecting credentials) create systemic leak primitives.