Update ghs_ token regex to support new stateless token format #35016

@hpsin

Required changes

This repo needs its ghs_ token regex updated to support the new stateless token format, which allows dots, underscores, and dashes ([A-Za-z0-9._-]) and is variable length (no longer fixed at 36 chars after the prefix).

See the changelog: https://github.blog/changelog/2026-05-15-github-app-installation-tokens-per-request-override-header/
Tracking in Slack: #tmp-stateless-app-tokens
Part of: github/authentication#6826 (child of github/authentication#5980)

File to update

actions/setup/js/redact_secrets.cjs

Find the ghs_ pattern and:

  1. Replace the character class [A-Za-z0-9] → [A-Za-z0-9._-]
  2. Remove any trailing \b word boundary anchors
  3. Change fixed-length quantifiers like {36} → {36,}

Example fix

// Before
/ghs_[A-Za-z0-9]{36,}/g

// After
// New format allows dots, underscores, and dashes; variable length (min 36 chars after prefix).
// https://github.blog/changelog/2026-05-15-github-app-installation-tokens-per-request-override-header/
/ghs_[A-Za-z0-9._-]{36,}/g

Context

An automated sweep pushed a fix branch (fix/ghs-token-regex-new-format) to the hpsin fork but PR creation was blocked by permissions. A team member with write access will need to either open a PR from that branch or apply the fix directly.

Compare URL: main...hpsin:fix/ghs-token-regex-new-format
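
An added example (not part of the issue or the repository's code) that runs the patterns discussed above over constructed token strings and reports which characters each pattern leaves unredacted. Only the "Before" and "After" patterns are quoted from the issue; the two `\b` variants and every sample token are assumptions made for illustration.

```javascript
// Added example, not code from the repository. Token values are constructed
// placeholders; the issue gives only the character class and minimum length.
const PATTERNS = {
  // Hypothetical older variant: narrow class, fixed {36}, trailing \b.
  fixedWithBoundary: /ghs_[A-Za-z0-9]{36}\b/g,
  // "Before" pattern quoted in the issue.
  before: /ghs_[A-Za-z0-9]{36,}/g,
  // Hypothetical: new class and quantifier, but trailing \b left in place.
  afterWithBoundary: /ghs_[A-Za-z0-9._-]{36,}\b/g,
  // "After" pattern quoted in the issue.
  after: /ghs_[A-Za-z0-9._-]{36,}/g,
};

const SAMPLES = {
  // Legacy shape: exactly 36 alphanumerics after the prefix.
  legacy: "ghs_" + "A1b2C3d4E5f6".repeat(3),
  // New-format shape, long first segment, ends in a dash.
  longHead: "ghs_" + "a".repeat(40) + "." + "b".repeat(20) + "_" + "c".repeat(8) + "-",
  // New-format shape, first segment shorter than 36 characters.
  shortHead: "ghs_" + "a".repeat(10) + "." + "b".repeat(30) + "-" + "c".repeat(10),
};

// Redact every match in a log line.
function redact(line, pattern) {
  return line.replace(pattern, "***");
}

// Return the part of `token` that `pattern` fails to cover.
function leaked(token, pattern) {
  return token.split(pattern).filter(Boolean).join("");
}

// One row per (pattern, sample) pair; an empty `leaked` means fully redacted.
function report() {
  const rows = [];
  for (const [pattern, re] of Object.entries(PATTERNS)) {
    for (const [sample, token] of Object.entries(SAMPLES)) {
      rows.push({ pattern, sample, leaked: leaked(token, re) });
    }
  }
  return rows;
}

console.table(report());
```

Every pattern fully covers the legacy sample. Only the "After" pattern covers both new-format samples, and keeping a trailing `\b` on it still leaves the final dash of `longHead` in the output.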

Labels: bug, security
