Hacker News

Composer leaks contents of tokens configured as GitHub OAuth tokens

56 points by damienwebdev today at 11:26 AM | 23 comments

Comments

damienwebdev today at 11:26 AM

I was the reporter on this one. If you have GitHub Actions in your organization, disable them immediately if you're unsure which version of Composer your GitHub Actions run.

Normal_gaussian today at 7:27 PM

GHA have always been a PITA for any serious DevOps; it's quite clear they were designed to integrate in 7 lines of code and then tell everyone who complains that they're doing it wrong.

This does not surprise me.

ShowalkKama today at 9:19 PM

I may be silly but why would you ever want to validate the structure of an opaque authentication key? Couldn't you just hit a harmless endpoint (e.g. /rate_limit) to see if it returns 401 or not?
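The approach in the comment above, as an added example that is not part of this thread and not Composer's own code: validate a token by asking the API and reading the status code, and never place the secret itself in any message. The `leaky_shape_check` function is a hypothetical illustration of the anti-pattern the thread's title describes in general terms (a shape check whose failure text carries the secret), not a reproduction of Composer's code; the regex, the sample token values and the `fake_github` transport are all constructed assumptions so the script runs offline. Only `https://api.github.com/rate_limit` is a real endpoint.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint; cheap and side-effect free, which is why the comment suggests it.
GITHUB_RATE_LIMIT_URL = "https://api.github.com/rate_limit"

# Assumed shape of a classic token (illustrative only). GitHub has issued other
# prefixes and lengths, e.g. fine-grained "github_pat_..." tokens, which is
# exactly why validating by shape is fragile.
CLASSIC_TOKEN_SHAPE = re.compile(r"^gh[pousr]_[A-Za-z0-9]{36}$")


def leaky_shape_check(token: str) -> str:
    """Anti-pattern (hypothetical, not Composer's code): validate by regex and
    put the unrecognised value into the error text, so any log or CI output
    that shows the error now shows the secret."""
    if CLASSIC_TOKEN_SHAPE.match(token):
        return "ok"
    return f"Token {token} does not look like a GitHub token"


def redact(token: str) -> str:
    """Hint that is safe for logs and error messages: short prefix plus length."""
    if len(token) <= 8:
        return "***"
    return f"{token[:4]}...***({len(token)} chars)"


# Transport signature: (url, headers) -> (status, body). Injectable so the
# check can run against a fake server offline.
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, bytes]]


def urllib_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Default transport using only the standard library."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_github_token(token: str, http_get: HttpGet = urllib_get) -> Dict[str, object]:
    """Validate by behaviour: call /rate_limit and read the status code.
    401 means rejected, 200 means accepted; the token never appears in output."""
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-check-example",
    }
    status, body = http_get(GITHUB_RATE_LIMIT_URL, headers)
    hint = redact(token)
    if status == 401:
        return {"valid": False, "status": 401,
                "message": f"GitHub rejected token {hint} (401 Unauthorized)"}
    if status == 200:
        try:
            limit = json.loads(body)["resources"]["core"]["limit"]
        except (ValueError, KeyError, TypeError):
            limit = None
        return {"valid": True, "status": 200,
                "message": f"GitHub accepted token {hint}; core rate limit {limit}"}
    return {"valid": False, "status": status,
            "message": f"unexpected HTTP {status} while checking token {hint}"}


def fake_github(accepted: str) -> HttpGet:
    """Constructed stand-in for api.github.com for offline runs: 200 with a
    rate-limit body when the Bearer token matches, otherwise 401."""
    def _get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if url == GITHUB_RATE_LIMIT_URL and headers.get("Authorization") == f"Bearer {accepted}":
            return 200, json.dumps({"resources": {"core": {"limit": 5000}}}).encode()
        return 401, b'{"message":"Bad credentials"}'
    return _get


if __name__ == "__main__":
    # Constructed sample values. The fine-grained one fails the regex but is a
    # perfectly valid credential as far as the API is concerned.
    classic = "ghp_" + "A" * 36
    fine_grained = "github_pat_" + "B" * 40
    print(leaky_shape_check(fine_grained))                   # error text contains the secret
    api = fake_github(fine_grained)
    print(check_github_token(fine_grained, api)["message"])  # accepted, secret redacted
    print(check_github_token(classic, api)["message"])       # rejected, secret redacted
```

Passing `urllib_get` (the default) instead of `fake_github(...)` performs the real check against GitHub; the only thing that ever reaches a log line is the four-character prefix and the length, so a mismatch between what the checker expects and what GitHub actually issued cannot turn into a credential disclosure.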

euph0ria today at 8:06 PM

What is the security implication for private repos?

esafak today at 7:33 PM

The title suggests it is a GitHub issue but really it is https://github.com/composer/composer no? I would edit the title for clarity.

h1fra today at 8:31 PM

The title is incorrect; it's not a GitHub error but PHP Composer's GitHub action. cc @dang before people freak out
