Update ghs_ redaction regex for new stateless token format #35063

Merged
pelikhan merged 3 commits into main from copilot/update-ghs-token-regex on May 26, 2026
Conversation


Copilot AI commented May 26, 2026

ghs_ installation tokens now use a stateless, variable-length format and may include ., _, and -. The existing pattern was still split between legacy fixed-length matching and JWT-like segmentation logic, which could miss valid new-format tokens.

  • Regex update (secret redaction core)

    • Replaced the ghs_ built-in pattern in actions/setup/js/redact_secrets.cjs with a single format-aligned matcher:
      • character set: [0-9A-Za-z._-]
      • minimum length after prefix: {36,}
    • Removed legacy branching for fixed-length vs segmented token shapes.
  • Test alignment + boundary coverage

    • Updated ghs_ expectations in actions/setup/js/redact_secrets.test.cjs to match the new canonical pattern.
    • Added/adjusted cases to explicitly cover:
      • exact minimum-length ghs_ tokens,
      • tokens containing dash/dot/underscore,
      • non-matches for invalid characters and below-minimum length.
// before
/ghs_(?:[0-9a-zA-Z]{36}(?![0-9A-Za-z._-])|[0-9A-Za-z_-]{10,}(?:\.[0-9A-Za-z_-]{10,}){2,})/g

// after
/ghs_[0-9A-Za-z._-]{36,}/g
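To make the difference concrete, here is an added example (not code from the repository) that runs both patterns from the description above over constructed sample tokens and a constructed log line; the token values and the `[REDACTED]` placeholder are assumptions for illustration.

```javascript
// Added example: compare the legacy and new ghs_ redaction patterns.
// Both regexes are copied verbatim from the PR description.

// Legacy: a fixed 36-char alphanumeric token, or a three-segment JWT-like shape.
const GHS_LEGACY = /ghs_(?:[0-9a-zA-Z]{36}(?![0-9A-Za-z._-])|[0-9A-Za-z_-]{10,}(?:\.[0-9A-Za-z_-]{10,}){2,})/g;
// New: the prefix followed by 36 or more characters from [0-9A-Za-z._-].
const GHS_NEW = /ghs_[0-9A-Za-z._-]{36,}/g;

// Replace every match with a fixed placeholder so the secret never reaches logs.
// Using replace() (not test()) avoids the lastIndex state of a /g regex.
function redact(text, pattern) {
  return text.replace(pattern, "[REDACTED]");
}

// Report whether each pattern would redact the given token.
function matchedBy(token) {
  return {
    legacy: redact(token, GHS_LEGACY) !== token,
    current: redact(token, GHS_NEW) !== token,
  };
}

// Constructed sample tokens (placeholders, not real credentials).
const SAMPLES = {
  classic: "ghs_" + "A".repeat(36),               // old fixed-length shape
  stateless: "ghs_" + "ab-cd_ef.gh".repeat(4),     // 44 chars, short dot segments
  tooShort: "ghs_" + "A".repeat(35),               // one below the minimum
  badChar: "ghs_" + "A".repeat(20) + "$" + "A".repeat(20), // '$' not in the set
};

// Constructed log line carrying a new-format token.
const LOG = `curl -H "Authorization: Bearer ${SAMPLES.stateless}" https://api.example.invalid`;

// Redact with the pattern the PR adopts.
function redactLog(line) {
  return redact(line, GHS_NEW);
}
```

The stateless sample's dot-separated segments are only 8 characters long, so the legacy JWT-like branch (which requires segments of at least 10) misses it while the new pattern redacts it.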

Copilot AI and others added 2 commits May 26, 2026 22:11
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update ghs_ token regex to support new stateless token format" to "Update ghs_ redaction regex for new stateless token format" May 26, 2026
Copilot AI requested a review from pelikhan May 26, 2026 22:15
@pelikhan pelikhan marked this pull request as ready for review May 26, 2026 22:41
Copilot AI review requested due to automatic review settings May 26, 2026 22:41
@pelikhan pelikhan merged commit c0b154f into main May 26, 2026
25 of 32 checks passed
@pelikhan pelikhan deleted the copilot/update-ghs-token-regex branch May 26, 2026 22:41
github-actions Bot commented May 26, 2026

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

github-actions Bot commented May 26, 2026

PR Code Quality Reviewer completed the code quality review.

No action needed: PR #35063 is already merged. Reviewed the ghs_ regex simplification — change is a reasonable simplification that trades a complex alternation for a single greedy character class with a 36-char minimum. No blocking correctness or security issues identified; over-redaction risk is acceptable for a secret-redaction tool.

github-actions Bot commented May 26, 2026

Design Decision Gate 🏗️ completed the design decision gate check.

No ADR enforcement needed: PR #35063 does not have the 'implementation' label and has 0 new lines in default business logic directories (src/, lib/, pkg/, internal/, app/, core/, domain/, services/, api/), which is well below the 100-line threshold.

github-actions Bot commented May 26, 2026

🧪 Test Quality Sentinel completed test quality analysis.

@github-actions github-actions Bot mentioned this pull request May 26, 2026

@github-actions github-actions Bot left a comment

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · sonnet46 1.3M

@@ -190,8 +190,9 @@ describe("redact_secrets.cjs", () => {

[/tdd] Stale test name: "JWT-like" no longer reflects the new unified format — consider renaming to something like "should redact boundary-length GitHub Server-to-Server Token (ghs_)".

💡 Suggested rename
it("should redact boundary-length GitHub Server-to-Server Token (ghs_)", async () => {

The JWT-segment structure was intentional in the old test (it verified the dot-separated 3-segment shape). Since the token format is now just ghs_[A-Za-z0-9._-]{36,}, the "JWT-like" label is misleading and may confuse future readers about what invariant is actually being asserted.

@github-actions

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100 — Excellent

Analyzed 3 test(s): 3 design, 0 implementation, 0 guideline violation(s).

📊 Metrics & Test Classification (3 tests analyzed)

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 3 |
| ✅ Design tests (behavioral contracts) | 3 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 3 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | Yes (24 test lines / 4 production lines = 6:1 ratio) |
| 🚨 Coding-guideline violations | 0 |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| should redact long JWT-like GitHub Server-to-Server Token (ghs_) | actions/setup/js/redact_secrets.test.cjs:173 | ✅ Design | None — verifies JWT-format token with dots is redacted |
| should redact boundary-length JWT-like GitHub Server-to-Server Token (ghs_) | actions/setup/js/redact_secrets.test.cjs:191 | ✅ Design | Boundary-length edge case (exactly 36 chars after prefix) |
| should redact dash-containing GitHub Server-to-Server Token (ghs_) | actions/setup/js/redact_secrets.test.cjs:205 | ✅ Design | Multi-special-char edge case (dashes, dots, underscores) |

Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 0 tests
  • 🟨 JavaScript (*.test.cjs): 3 tests (vitest)

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). The 3 new tests directly verify the behavioral contract of the updated ghs_ regex — that tokens containing dots, dashes, and underscores in the new stateless format are correctly redacted.

ℹ️ Note on test inflation (6:1 ratio)

The test file grew at a 6:1 ratio vs the production file (+24 vs +4 lines), which exceeds the 2:1 threshold and triggered a 10-point deduction. However, in this context the inflation is expected and appropriate: a single regex change warrants multiple test cases covering distinct token formats (classic, long JWT-like, boundary-length, and dash-containing). No remediation needed.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · sonnet46 1.6M

@github-actions github-actions Bot left a comment

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 3 new tests verify behavioral contracts for the updated ghs_ regex supporting the new stateless token format.

Successfully merging this pull request may close these issues.

Update ghs_ token regex to support new stateless token format