Hacker News

semi-extrinsic, yesterday at 7:50 PM (2 replies)

Not immediately clear to me: is this limited to ghu_xxx-type OAuth tokens? And is it only relevant for PHP projects that use Composer in GHA?


Replies

securesaml, yesterday at 9:23 PM

It's limited to ghs_ (server-to-server tokens) that have the new format enabled: https://github.blog/changelog/2026-04-24-notice-about-upcomi... (and actions that use the vulnerable package).

This includes the GITHUB_TOKEN that is built in within Actions jobs.

jacobrussell, yesterday at 8:00 PM

That's my understanding. This seems to only affect PHP projects that use Composer in GitHub Actions, for example those using shivammathur/setup-php and/or php-actions/composer.