FRESH

Hacker News

Composer leaks contents of tokens configured as GitHub OAuth tokens

65 points by damienwebdev

by damienwebdev

3 subcomments

I was the reporter on this one. If you have Github Actions in your organization, disable them immediately if you're unsure which version of composer your Github Actions run.

by ShowalkKama

0 subcomment

I may be silly but why would you ever want to validate the structure of an opaque authentication key? Couldn't you just hit an harmless endpoint (e.g. /rate_limit) to see if it returns 401 or not?

by Normal_gaussian

2 subcomments

GHA have always been a PITA for any serious DevOps; it's quite clear they were designed to integrate in 7 lines of code and then tell everyone who complains that they're doing it wrong.
This does not surprise me.

by micksmix

0 subcomment

by euph0ria

1 subcomments

by esafak

2 subcomments

The title suggests it is a Github issue but really it is https://github.com/composer/composer no? I would edit the title for clarity.

by h1fra

2 subcomments

the title is incorrect; it's not a github error but php composer's github action. cc @dang before people freak out