HeadlinesBriefing.com

Composer regex flaw exposes GitHub Actions tokens in logs

Hacker News

GitHub Actions jobs have been exposing GITHUB_TOKEN values in build logs because of a mismatch between Composer's token validation and GitHub's newer token format. When a token contains a hyphen, Composer throws an exception whose message includes the raw token, and that message is written to stderr. Because the exception surfaces through Symfony Console's error rendering, it slips past GitHub's secret masker and leaks the credential to anyone who can read the job log.

The flaw stems from Composer's token regex, ^[.A-Za-z0-9_]+$, which rejects any value containing a hyphen. Hyphens are part of the base64url alphabet, and they appear in the newer ghs_<id>_<base64url-JWT> format GitHub uses for Actions and App installation tokens. The regex dates from 2021, before that format existed, so it was never written with URL-safe base64 characters in mind; CI pipelines across thousands of repositories now run through it.

Because GITHUB_TOKEN is scoped to a single repository and expires when the job ends (jobs on GitHub-hosted runners time out after six hours by default), the immediate blast radius is limited. The token is still live at the moment it is printed, though, and anything that captures stderr downstream, such as a log shipper or a monitoring dashboard, records it in plaintext, where it persists long after the job itself has finished.

GitHub's secret masker only replaces exact substrings of registered secrets, so once Symfony Console has wrapped the message across lines or interleaved it with ANSI colour codes the token no longer matches and is printed as-is. Popular Actions such as shivammathur/setup-php are affected because they automatically register the token in Composer's auth.json. Until the regex is updated or a workaround is applied, treat any token that has appeared in a log as compromised: the job-scoped GITHUB_TOKEN expires on its own at the end of the job, but the log copy should be deleted and any longer-lived credential that reached Composer the same way should be revoked immediately.
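The three pieces of the failure described above (a strict regex, an error message that echoes the value, and an exact-substring masker defeated by line wrapping) can be reproduced in miniature. The following is an added Python illustration, not Composer's, Symfony's or GitHub's code: SAMPLE_TOKEN is constructed and meaningless, render_like_console is a simplified stand-in for Symfony Console's wrapping and colouring, and FIXED_TOKEN_RE is an assumed shape for a corrected pattern rather than Composer's actual patch.

```python
"""Reproduce, in miniature, the leak path the article describes.

Added illustration only; not Composer's, Symfony's or GitHub's code.
"""
import re
import textwrap

# Composer's historical token pattern, as quoted in the article.
COMPOSER_TOKEN_RE = re.compile(r"^[.A-Za-z0-9_]+$")

# The base64url alphabet (RFC 4648 section 5) adds '-' and '_' to the
# letters and digits of base64; '-' is the character the pattern above lacks.
BASE64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Assumed shape of a corrected pattern: the old set plus '-'. This is a guess
# at what a fix looks like, not Composer's actual patch.
FIXED_TOKEN_RE = re.compile(r"^[.A-Za-z0-9_-]+$")

# Constructed token following the ghs_<id>_<base64url payload> shape the
# article gives. It is made up and means nothing to GitHub; the payload is
# long enough to be wrapped by an 80-column console.
SAMPLE_TOKEN = (
    "ghs_12345_"
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"
    "-abcdefghijklmnopqrstuvwxyz_0123456789-XYZ"
)

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def validate_token_leaky(token: str) -> bool:
    """Before: reject on the strict pattern and echo the value in the error."""
    if not COMPOSER_TOKEN_RE.match(token):
        raise ValueError(f"Invalid GitHub token '{token}': unexpected characters")
    return True


def validate_token_safe(token: str) -> bool:
    """After: accept the base64url alphabet, and on rejection name only the
    offending characters and the length, never the value itself."""
    if FIXED_TOKEN_RE.match(token):
        return True
    bad = sorted({c for c in token if not FIXED_TOKEN_RE.match(c)})
    raise ValueError(
        f"GitHub token rejected: unexpected character(s) {bad!r} "
        f"(value redacted, length {len(token)})"
    )


def render_like_console(message: str, width: int = 80) -> str:
    """Stand-in for a console error block: wrap to the terminal width and
    colour every line. Symfony Console does something similar; this is a
    simplified imitation, not its code."""
    lines = textwrap.wrap(message, width=width, break_long_words=True,
                          break_on_hyphens=False)
    return "\n".join(f"\x1b[37;41m{line}\x1b[0m" for line in lines)


def mask_exact(output: str, secret: str) -> str:
    """Exact-substring masking, the behaviour the article attributes to
    GitHub's log masker."""
    return output.replace(secret, "***")


def normalise_for_scan(output: str) -> str:
    """Log-shipper-side check: drop ANSI sequences and line breaks so a
    wrapped secret becomes contiguous again before scanning for it."""
    return ANSI_RE.sub("", output).replace("\n", "")


def demonstrate(token: str = SAMPLE_TOKEN, width: int = 80) -> dict:
    """Run the scenario end to end and return the observable facts."""
    leaky_message = ""
    try:
        validate_token_leaky(token)
    except ValueError as exc:
        leaky_message = str(exc)
    rendered = render_like_console(leaky_message, width)
    masked = mask_exact(rendered, token)
    return {
        "rejected_by_old_regex": COMPOSER_TOKEN_RE.match(token) is None,
        "payload_is_base64url": bool(BASE64URL_RE.match(token.split("_", 2)[-1])),
        "token_in_raw_message": token in leaky_message,
        "masker_changed_anything": masked != rendered,
        "token_visible_after_join": token in normalise_for_scan(rendered),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

demonstrate() returns five observations: the old pattern rejects the token even though its payload is valid base64url; the token appears verbatim in the raw exception message; exact-substring masking changes nothing once the message has been wrapped, because no single line contains the whole token; and stripping ANSI codes and line breaks before scanning makes the token contiguous again, which is the check a log shipper would want on its ingest path. validate_token_safe shows the two-part fix: accept the base64url alphabet, and when rejecting, report the offending characters and the length rather than the value.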