You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Fixed
Secret scanner — GitHub App / Actions tokens.scanSecrets recognized ghp_ / gho_ / github_pat_ but missed the GitHub App token family: ghs_ (server-to-server — the GITHUB_TOKEN minted into every GitHub
Actions run and the output of actions/create-github-app-token), ghu_
(user-to-server), and ghr_ (refresh). An agent exfiltrating a ghs_ token
to an external host therefore slipped the secret-exfil gate. This is the
credential class stolen in the tj-actions/changed-files supply-chain attack
(CVE-2025-30066). Now matched (gh[sur]_[A-Za-z0-9]{30,}) and blocked on
egress; pinned by a regression test.