Jens-G opened a new pull request, #3469:
URL: https://github.com/apache/thrift/pull/3469

   ## Summary
   
   GitHub is rolling out a new `GITHUB_TOKEN` format — a JWT (`ghs_<id>_<jwt>`) 
that contains dots. `shivammathur/setup-php` passes this token verbatim to 
`composer config --global github-oauth.github.com`. Composer's token validator 
(`BaseIO.php:143`) rejects any token containing characters outside 
`[A-Za-z0-9\-_]`, causing `composer install` to fail with:
   
   ```
   Your github oauth token for github.com contains invalid characters
   ```
   
   The rollout is gradual: runners provisioned earlier in a workflow run may 
still receive the old opaque token and succeed, while runners provisioned later 
receive the JWT format and fail. Affected: `cross-test` jobs; `lib-php` matrix 
jobs will follow as the rollout completes.
   
   **Fix:** set `COMPOSER_AUTH: '{}'` as an environment variable on both 
`composer install` steps (`lib-php` and `cross-test`). This env var is the 
highest-priority Composer auth source and overrides whatever `setup-php` wrote 
into the global config, without requiring a change to the `setup-php` action 
pin.
   
   The root incompatibility has been reported upstream to 
`shivammathur/setup-php`. The incidental token exposure in the Composer error 
output (the token appeared unmasked in the job log despite GitHub masking it in 
the `with:` block) has been reported to GitHub Security.
   
   ## Test plan
   
   - [ ] CI `lib-php` matrix passes on all PHP versions
   - [ ] CI `cross-test` passes
   
   🤖 Generated with [Claude Code](https://claude.ai/code)
   
   Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
   Generated-by: Claude Sonnet 4.6 <[email protected]>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
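
An added example, not part of the pull request and not code from Composer or `setup-php`: it applies the character class quoted in the description to an old-style and a JWT-style token, and masks token-shaped strings in a job log before the log is shared. The token values, the `ghs_` matching pattern and the third log line are assumptions constructed for illustration.

```python
import re

# Character class the PR description attributes to Composer's validator.
COMPOSER_ALLOWED = re.compile(r"[A-Za-z0-9\-_]+")
# Assumption: any run starting with "ghs_" and made of token/JWT characters is
# a GitHub token. This over-matches on purpose so redaction errs on the safe side.
TOKEN_IN_TEXT = re.compile(r"\bghs_[A-Za-z0-9._\-]+")


def rejected_chars(token):
    """Characters in the token that fall outside Composer's allowed class."""
    return sorted({c for c in token if not COMPOSER_ALLOWED.fullmatch(c)})


def composer_accepts(token):
    """True when every character of a non-empty token is in the allowed class."""
    return bool(token) and not rejected_chars(token)


def redact(log_text):
    """Mask every token-shaped run; return (clean_text, line_numbers_that_leaked)."""
    leaked = [n for n, line in enumerate(log_text.splitlines(), 1)
              if TOKEN_IN_TEXT.search(line)]
    return TOKEN_IN_TEXT.sub("ghs_***", log_text), leaked


# Constructed sample values, not real tokens.
OLD_STYLE = "ghs_" + "a1B2" * 9
NEW_STYLE = "ghs_12345_eyJhbGciOiJub25lIn0.eyJzdWIiOiJjaSJ9.c2lnbmF0dXJl"
# Constructed log: line 2 is the message quoted in the PR; line 3 is a made-up
# line standing in for output that echoes the token.
SAMPLE_LOG = "\n".join([
    "Run composer install",
    "Your github oauth token for github.com contains invalid characters",
    "token value: " + NEW_STYLE,
])

if __name__ == "__main__":
    for name, tok in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(name, composer_accepts(tok), rejected_chars(tok))
    clean, leaked = redact(SAMPLE_LOG)
    print("leaked on lines:", leaked)
    print(clean)
```
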
