Jens Geyer created THRIFT-5989:
----------------------------------
Summary: Work around JWT-format GITHUB_TOKEN breaking composer install in CI
Key: THRIFT-5989
URL: https://issues.apache.org/jira/browse/THRIFT-5989
Project: Thrift
Issue Type: Bug
Components: PHP - Library
Reporter: Jens Geyer
GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that
contains dots. {{shivammathur/setup-php}} passes this token verbatim to
{{composer config --global github-oauth.github.com}}. Composer's token
validator ({{BaseIO.php}} line 143) rejects any token containing characters
outside {{[A-Za-z0-9-_]}}, causing {{composer install}} to fail with:
{quote}
Your github oauth token for github.com contains invalid characters
{quote}
The rollout is gradual: runners provisioned earlier in a workflow run may still
receive the old opaque token format and succeed, while runners provisioned
later receive the JWT format and fail. The {{cross-test}} jobs are affected
first; the {{lib-php}} matrix jobs will follow as the rollout completes.
*Fix:* set {{COMPOSER_AUTH={}}} as an environment variable on both
{{composer install}} steps ({{lib-php}} and {{cross-test}}). This env var is
the highest-priority Composer auth source and overrides whatever {{setup-php}}
wrote into the global config, without requiring a change to the {{setup-php}}
action pin.
The root incompatibility has been reported upstream to shivammathur/setup-php.
The incidental token exposure in the Composer error output has been reported to
GitHub Security (the token appeared unmasked in the public job log despite
GitHub masking it in the {{with:}} block).
See also: https://github.com/apache/thrift/pull/3469
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
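The workaround described in the issue, shown as an added GitHub Actions job fragment. This is illustrative example configuration, not the workflow from the Thrift repository or the pull request linked above: the job name, runner image, action versions, PHP version and the {{lib/php}} working directory are assumptions, and the way the token reaches {{setup-php}} is left as in the existing workflow, with only the {{composer install}} step changed. The one caveat worth seeing in code is the quoting: in YAML an unquoted {} is an empty mapping, so the value has to be written as a string for Composer to receive the two characters.

```yaml
# Added example, not the Thrift project's own workflow. Names and versions below
# are placeholders; only the COMPOSER_AUTH env on the install step is the point.
jobs:
  lib-php:                       # assumed job name; the same env goes on cross-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-php still writes github-oauth.github.com into the global Composer
      # config from GITHUB_TOKEN; its pin and inputs are left unchanged.
      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'      # assumed
          tools: composer

      - name: composer install
        working-directory: lib/php  # assumed location of composer.json
        env:
          # Quoted on purpose: an unquoted {} is an empty YAML mapping, not the
          # string "{}". COMPOSER_AUTH takes precedence over the global config,
          # so the JWT-format token written by setup-php is never validated.
          COMPOSER_AUTH: '{}'
        run: composer install --no-interaction --prefer-dist
```

Because the env block is scoped to the step, the global {{github-oauth}} entry remains on disk for any other tool on the runner; only Composer ignores it. If a job runs {{composer install}} more than once, each invocation needs the variable, so a job-level {{env:}} is the safer place when the whole job is Composer-driven.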