[ 
https://issues.apache.org/jira/browse/THRIFT-5988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer updated THRIFT-5988:
-------------------------------
    Description: 
Three housekeeping items left unaddressed when the PHP minimum version was 
raised to 8.1, plus a CI fix.

h3. BoundaryValuesTest — replace magic float literals with named constants

The test file contained a stale comment:

{quote}
// TODO: replace literals with PHP_FLOAT_MAX/MIN/EPSILON when PHP 7.1 support 
is dropped (available since PHP 7.2)
{quote}

The magic literals {{1.7976931348623158e+308}}, {{2.2250738585072014e-308}}, 
and {{2.2204460492503131e-16}} should be replaced with {{PHP_FLOAT_MAX}}, 
{{PHP_FLOAT_MIN}}, and {{PHP_FLOAT_EPSILON}} respectively, and the TODO comment 
removed.

h3. lib/php/README.md — minimum PHP version still states 7.1

The opening paragraph reads "Thrift requires PHP 7.1". This is rendered on the 
public Apache Thrift website. It should be updated to 8.1 to match the actual 
minimum.

h3. TSSLServerSocket — public getSSLHost() removed without a deprecation period

{{getSSLHost(string $host): string}} was a public method callable by subclasses 
and external code. It was silently replaced by {{private 
ensureSslHostPrefix()}} with no deprecation notice, breaking any existing 
caller. A {{@deprecated}} public shim should be restored that delegates to the 
private method.

h3. build.yml CI fix — new JWT-based GITHUB_TOKEN format breaks Composer

GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that 
contains dots. {{shivammathur/setup-php}} passes this token verbatim to 
{{composer config --global github-oauth.github.com}}. Composer's token 
validator ({{BaseIO.php:143}}) rejects tokens containing non-alphanumeric 
characters, causing {{composer install}} to fail with:

{quote}
Your github oauth token for github.com contains invalid characters
{quote}

The fix sets {{COMPOSER_AUTH={}}} as an environment variable on both {{composer 
install}} steps ({{lib-php}} and {{cross-test}}). This env var takes precedence 
over the global Composer config that {{setup-php}} wrote, suppressing the 
invalid token without changing the action pin.

Note: the leaked token is the ephemeral GITHUB_TOKEN (sub: integration/15368, 
iss: github, 1-hour TTL, already expired). It is not a personal token. The leak 
mechanism — Composer re-printing it in its error message after GitHub masked it 
in the workflow {{with:}} block — should be reported to shivammathur/setup-php 
and GitHub Security.

See also: https://github.com/apache/thrift/pull/3468

  was:
Three housekeeping items left unaddressed when the PHP minimum version was 
raised to 8.1.

h3. BoundaryValuesTest — replace magic float literals with named constants

The test file contained the comment:

{quote}
// TODO: replace literals with PHP_FLOAT_MAX/MIN/EPSILON when PHP 7.1 support 
is dropped (available since PHP 7.2)
{quote}

The magic literals {{1.7976931348623158e+308}}, {{2.2250738585072014e-308}}, 
and {{2.2204460492503131e-16}} should be replaced with {{PHP_FLOAT_MAX}}, 
{{PHP_FLOAT_MIN}}, and {{PHP_FLOAT_EPSILON}} respectively, and the TODO comment 
removed.

h3. lib/php/README.md — minimum PHP version still states 7.1

The opening paragraph of the PHP library README reads "Thrift requires PHP 
7.1". This is rendered on the public Apache Thrift website. It should be 
updated to 8.1 to match the actual minimum.

h3. TSSLServerSocket — public getSSLHost() removed without a deprecation period

{{getSSLHost(string $host): string}} was a public method callable by subclasses 
and external code. It was silently replaced by {{private 
ensureSslHostPrefix()}} with no deprecation notice, breaking any existing 
caller at runtime. A {{@deprecated}} public shim should be restored that 
delegates to the private method and documents that it will be removed in a 
future release.

See also: https://github.com/apache/thrift/pull/3468


> PHP 8.1 upgrade follow-up: float constants, README version, and 
> TSSLServerSocket API compatibility
> --------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-5988
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5988
>             Project: Thrift
>          Issue Type: Improvement
>          Components: PHP - Library
>            Reporter: Jens Geyer
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
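
For triaging the log leak described in the issue, an added example (not code from Thrift, Composer or setup-php): it scans CI log text for strings shaped like the {{ghs_<id>_<jwt>}} token, decodes the unverified JWT claims to read {{sub}}, {{iss}} and expiry, and returns a redacted copy of the log. The token grammar in {{TOKEN_RE}}, the use of an {{exp}} claim, and the sample token and log line are assumptions constructed for illustration.

```python
import base64
import json
import re

# Assumed grammar for the ghs_<id>_<jwt> shape named in the issue: an
# alphanumeric id, then a JWT of three dot-separated base64url segments.
TOKEN_RE = re.compile(
    r"ghs_[A-Za-z0-9]+_([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)"
)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(segment: str) -> dict:
    """Decode a JWT payload segment without verifying it (triage only)."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {}
    return claims if isinstance(claims, dict) else {}

def triage_log(log_text: str, now: float):
    """Return (findings, redacted_log) for token-shaped strings in a CI log."""
    findings = []
    for match in TOKEN_RE.finditer(log_text):
        claims = decode_claims(match.group(2))
        exp = claims.get("exp")  # assumed standard JWT expiry claim
        findings.append({
            "sub": claims.get("sub"),
            "iss": claims.get("iss"),
            "expired": exp < now if isinstance(exp, (int, float)) else None,
        })
    return findings, TOKEN_RE.sub("ghs_[REDACTED]", log_text)

# Constructed sample: a fake token assembled here, embedded in a log line
# modelled on the Composer error quoted in the issue.
_PAYLOAD = json.dumps({"sub": "integration/0", "iss": "github", "exp": 1700000000}).encode()
SAMPLE_TOKEN = "ghs_0000_" + ".".join(
    _b64url(part) for part in (b'{"alg":"none"}', _PAYLOAD, b"not-a-signature")
)
SAMPLE_LOG = (
    "Your github oauth token for github.com contains invalid characters: "
    f'"{SAMPLE_TOKEN}"\n'
)

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG, now=1700003600))
```

An {{expired}} value of {{None}} means the payload could not be decoded or carried no numeric {{exp}}, so the token should be treated as potentially live until checked another way.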
