[ https://issues.apache.org/jira/browse/THRIFT-5989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Geyer updated THRIFT-5989:
-------------------------------
Description:
GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that
contains dots. {{shivammathur/setup-php}} passes this token verbatim to
{{composer config --global github-oauth.github.com}}. Composer's token
validator ({{BaseIO.php}} line 143) rejects any token containing characters
outside {{[A-Za-z0-9-_]}}, causing {{composer install}} to fail with:
{quote}
Your github oauth token for github.com contains invalid characters
{quote}
The rollout is gradual: runners provisioned earlier in a workflow run may still
receive the old opaque token format and succeed, while runners provisioned
later receive the JWT format and fail. The {{cross-test}} jobs are affected
first; the {{lib-php}} matrix jobs will follow as the rollout completes.
*Fix:* set {{COMPOSER_AUTH=}} as an environment variable on both {{composer
install}} steps ({{lib-php}} and {{cross-test}}). This env var is the
highest-priority Composer auth source and overrides whatever {{setup-php}}
wrote into the global config, without requiring a change to the {{setup-php}}
action pin.
The root incompatibility has been reported upstream to shivammathur/setup-php.
See also: [https://github.com/apache/thrift/pull/3469]
was:
GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that
contains dots. {{shivammathur/setup-php}} passes this token verbatim to
{{composer config --global github-oauth.github.com}}. Composer's token
validator ({{BaseIO.php}} line 143) rejects any token containing characters
outside {{[A-Za-z0-9-_]}}, causing {{composer install}} to fail with:
{quote}
Your github oauth token for github.com contains invalid characters
{quote}
The rollout is gradual: runners provisioned earlier in a workflow run may still
receive the old opaque token format and succeed, while runners provisioned
later receive the JWT format and fail. The {{cross-test}} jobs are affected
first; the {{lib-php}} matrix jobs will follow as the rollout completes.
*Fix:* set {{COMPOSER_AUTH=}} as an environment variable on both {{composer
install}} steps ({{lib-php}} and {{cross-test}}). This env var is the
highest-priority Composer auth source and overrides whatever {{setup-php}}
wrote into the global config, without requiring a change to the {{setup-php}}
action pin.
The root incompatibility has been reported upstream to shivammathur/setup-php.
The incidental token exposure in the Composer error output has been reported to
GitHub Security (the token appeared unmasked in the public job log despite
GitHub masking it in the {{with:}} block).
See also: https://github.com/apache/thrift/pull/3469
> Work around JWT-format GITHUB_TOKEN breaking composer install in CI
> -------------------------------------------------------------------
>
> Key: THRIFT-5989
> URL: https://issues.apache.org/jira/browse/THRIFT-5989
> Project: Thrift
> Issue Type: Bug
> Components: PHP - Library
> Reporter: Jens Geyer
> Assignee: Jens Geyer
> Priority: Major
> Fix For: 0.24.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> GitHub is rolling out a new GITHUB_TOKEN format ({{ghs_<id>_<jwt>}}) that
> contains dots. {{shivammathur/setup-php}} passes this token verbatim to
> {{composer config --global github-oauth.github.com}}. Composer's token
> validator ({{BaseIO.php}} line 143) rejects any token containing
> characters outside {{[A-Za-z0-9-_]}}, causing {{composer install}} to
> fail with:
> {quote}
> Your github oauth token for github.com contains invalid characters
> {quote}
> The rollout is gradual: runners provisioned earlier in a workflow run may
> still receive the old opaque token format and succeed, while runners
> provisioned later receive the JWT format and fail. The {{cross-test}} jobs
> are affected first; the {{lib-php}} matrix jobs will follow as the rollout
> completes.
> *Fix:* set {{COMPOSER_AUTH=}} as an environment variable on both {{composer
> install}} steps ({{lib-php}} and {{cross-test}}). This env var is the
> highest-priority Composer auth source and overrides whatever {{setup-php}}
> wrote into the global config, without requiring a change to the {{setup-php}}
> action pin.
> The root incompatibility has been reported upstream to
> shivammathur/setup-php.
> See also: [https://github.com/apache/thrift/pull/3469]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
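The failure mode described in this issue (Composer rejecting a token that contains characters outside {{[A-Za-z0-9-_]}}) can be checked in a CI step before {{composer install}} runs, without ever printing the token. The script below is an added example, not code from the Thrift PR or from setup-php; the token values are constructed, and the env file stands in for the Actions {{GITHUB_ENV}} file. Where the issue's fix sets {{COMPOSER_AUTH=}} unconditionally, this variant only writes the override when the token would actually be rejected.

```shell
#!/bin/sh
# Added example: pre-flight check that emulates Composer's github-oauth
# token validation (characters outside [A-Za-z0-9-_] are rejected) and,
# when the token would fail, writes the COMPOSER_AUTH= override into an
# env file. Token values are never echoed, only their shape.

# Returns 0 if Composer's validator would accept the token, 1 otherwise.
composer_token_ok() {
  case "$1" in
    *[!A-Za-z0-9_-]*) return 1 ;;   # e.g. a '.'-separated JWT suffix
    *) return 0 ;;
  esac
}

# Describe the token's shape for a log line without revealing its value:
# prefix before the first '_', total length, and number of '.' characters.
token_shape() {
  printf 'prefix=%s len=%d dots=%d\n' "${1%%_*}" "${#1}" \
    "$(printf '%s' "$1" | tr -cd '.' | wc -c | tr -d ' ')"
}

# $1: token, $2: env file (GITHUB_ENV in Actions; a constructed path here).
# Appends COMPOSER_AUTH= only when the token would be rejected, so that the
# empty value outranks the global github-oauth entry setup-php wrote.
apply_composer_auth_override() {
  if composer_token_ok "$1"; then
    return 0                       # opaque token: leave setup-php's config alone
  fi
  echo "composer would reject this token ($(token_shape "$1")); setting COMPOSER_AUTH=" >&2
  printf 'COMPOSER_AUTH=\n' >> "$2"
}
```

In a workflow step this would be called as `apply_composer_auth_override "$GITHUB_TOKEN" "$GITHUB_ENV"` ahead of the {{composer install}} step.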