by
semi-extrinsic
38 days ago
Not immediately clear to me, is this limited to ghu_xxx type OAUTH tokens? And it's only relevant for PHP projects that use composer in GHA?
2 comments
jacobrussell
38 days ago
That's my understanding. This seems to only affect PHP projects that use Composer in GitHub Actions. Examples being usage of shivammathur/setup-php and/or php-actions/composer.
securesaml
38 days ago
It's limited to ghs_ (server-to-server tokens) that have the new format enabled:
https://github.blog/changelog/2026-04-24-notice-about-upcomi...
(and actions that use the vulnerable package)
This includes the GITHUB_TOKEN that is built in within an Actions job.