[ https://issues.apache.org/jira/browse/THRIFT-5989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer reassigned THRIFT-5989:
----------------------------------

    Assignee: Jens Geyer

> Work around JWT-format GITHUB_TOKEN breaking composer install in CI
> -------------------------------------------------------------------
>
>                 Key: THRIFT-5989
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5989
>             Project: Thrift
>          Issue Type: Bug
>          Components: PHP - Library
>            Reporter: Jens Geyer
>            Assignee: Jens Geyer
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that 
> contains dots. {{shivammathur/setup-php}} passes this token verbatim to 
> {{composer config --global github-oauth.github.com}}. Composer's token 
> validator ({{BaseIO.php}} line 143) rejects any token containing characters 
> outside {{[A-Za-z0-9-_]}}, causing {{composer install}} to fail with:
> {quote}
> Your github oauth token for github.com contains invalid characters
> {quote}
> The rollout is gradual: runners provisioned earlier in a workflow run may 
> still receive the old opaque token format and succeed, while runners 
> provisioned later receive the JWT format and fail. The {{cross-test}} jobs 
> are affected first; the {{lib-php}} matrix jobs will follow as the rollout 
> completes.
> *Fix:* set {{COMPOSER_AUTH={}}} as an environment variable on both 
> {{composer install}} steps ({{lib-php}} and {{cross-test}}). This env var is 
> the highest-priority Composer auth source and overrides whatever 
> {{setup-php}} wrote into the global config, without requiring a change to 
> the {{setup-php}} action pin.
> The root incompatibility has been reported upstream to 
> shivammathur/setup-php. The incidental token exposure in the Composer error 
> output has been reported to GitHub Security (the token appeared unmasked in 
> the public job log despite GitHub masking it in the {{with:}} block).
> See also: https://github.com/apache/thrift/pull/3469

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
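As an added example (not part of the issue or of Composer, setup-php or Thrift), the following CI pre-flight step models the validator rule the issue describes, accepting only {{[A-Za-z0-9-_]}}, so a runner can detect a token Composer will reject and emit the {{COMPOSER_AUTH={}}} override the fix relies on, without ever printing the token. The issue's actual fix sets the variable unconditionally on both steps; the detection here is an assumption-laden extra, and the sample tokens in the test are constructed, not real.

```shell
#!/usr/bin/env sh
# Pre-flight for a GitHub Actions job: if the GITHUB_TOKEN handed to this runner
# contains characters outside Composer's allowed set [A-Za-z0-9-_] (the JWT-format
# token contains dots), append COMPOSER_AUTH={} to $GITHUB_ENV so later
# `composer install` steps ignore the github-oauth entry setup-php wrote to the
# global config. This re-implements the rule as described in the issue; it is
# not Composer's own validator. The token value itself is never echoed.

# Returns 0 when the token contains only characters Composer accepts.
token_is_composer_safe() {
    tok="$1"
    [ -n "$tok" ] || return 1
    # Delete every allowed character; anything left over is invalid.
    rest=$(printf '%s' "$tok" | tr -d 'A-Za-z0-9_-')
    [ -z "$rest" ]
}

# Prints the env line to append to $GITHUB_ENV when an override is needed and
# nothing otherwise. Only the fixed override text is printed, never the token.
composer_auth_override_for() {
    if token_is_composer_safe "$1"; then
        return 0
    fi
    printf 'COMPOSER_AUTH={}\n'
}

# Runner entry point: GITHUB_TOKEN and GITHUB_ENV are the standard Actions
# variables; when unset (e.g. run locally) the script does nothing.
if [ -n "${GITHUB_TOKEN:-}" ]; then
    override=$(composer_auth_override_for "$GITHUB_TOKEN")
    if [ -n "$override" ]; then
        echo "::notice::GITHUB_TOKEN contains characters Composer rejects; forcing COMPOSER_AUTH={}"
        echo "$override" >> "${GITHUB_ENV:-/dev/null}"
    fi
fi
```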