Add masking pattern for new GitHub App installation token format#3387

Merged
plengauer merged 5 commits into main from copilot/adjust-secret-masking on May 14, 2026

Conversation

Copilot AI (Contributor) commented Apr 26, 2026

GitHub is rolling out a new stateless format for App installation tokens starting April 27th 2026. The existing pattern ghs_[a-zA-Z0-9]{36} only matches the old 40-char opaque tokens and will miss the new ghs_APPID_JWT format (~520 chars, variable length).

Changes

  • actions/instrument/job/inject_and_init.sh: Added new masking pattern alongside the existing one in all 5 redaction locations (log attributes, log body, metric attributes, span attributes, span name):
ghs_[0-9]+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

This matches the new ghs_<AppID>_<JWT> structure where the JWT portion uses standard base64url-with-dots encoding. The old ghs_[a-zA-Z0-9]{36} pattern is retained for tokens issued before the rollout (valid up to 1h, their normal expiry).

Warning

Firewall rules blocked me from connecting to one or more addresses.

I tried to connect to the following addresses, but was blocked by firewall rules:

  • github.blog (dns block)
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js
    • Triggering command: /usr/bin/curl curl -s REDACTED
  • https://api.github.com/meta (http block)
    • Triggering command: /usr/bin/curl curl -s REDACTED
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED
  • https://api.github.com/repos/github/advisory-database (http block)
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED
  • https://api.github.com/repos/github/advisory-database/contents (http block)
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED
  • https://api.github.com/repos/github/super-linter/issues (http block)
    • Triggering command: /usr/bin/wget wget -q -O - REDACTED
  • https://api.github.com/search/code (http block)
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED
  • https://api.github.com/search/issues (http block)
    • Triggering command: /usr/bin/python3 python3 -c (inline urllib.request script: "Try GitHub API search for issues mentioning the new format"; URL redacted)
  • https://api.github.com/secret-scanning/alerts (http block)
    • Triggering command: /usr/bin/curl curl -fsSL REDACTED
  • webcache.googleusercontent.com (dns block)
    • Triggering command: /usr/bin/python3 python3 -c (inline urllib.request script: "Try to get cached version via Wayback machine or similar"; URLs redacted)

If you need me to access, download, or install something from one of these locations, you can either:
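The description above quotes two patterns, one for the old 40-character opaque token and one for the new ghs_<AppID>_<JWT> shape. The following POSIX shell redactor is an added example, not code from the pull request or the opentelemetry-github project; it applies both patterns with sed -E the way a shell-based instrumentation script would, and runs them over constructed sample lines (the token values below are fake and only follow the documented shapes).

```shell
#!/bin/sh
# Added example (not the project's code): redact both GitHub App installation
# token formats described in the pull request. The two patterns are the ones
# quoted in the PR description; everything else here is constructed.

# New stateless format: ghs_<AppID>_<JWT>, where the JWT is three
# base64url segments separated by dots.
NEW_PATTERN='ghs_[0-9]+_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+'

# Old opaque format: ghs_ followed by exactly 36 alphanumeric characters.
OLD_PATTERN='ghs_[a-zA-Z0-9]{36}'

# redact_tokens: read text on stdin, write it to stdout with every match of
# either pattern replaced by the literal string REDACTED. The new-format rule
# runs first so a long token is consumed whole; the old rule cannot match the
# prefix of a new token anyway, because the '_' after the AppID is outside
# its [a-zA-Z0-9] class.
redact_tokens() {
  sed -E \
    -e "s/$NEW_PATTERN/REDACTED/g" \
    -e "s/$OLD_PATTERN/REDACTED/g"
}

# Constructed sample log lines (fake tokens, documented shapes only):
#   - a new-format token: 6-digit AppID, then a fake JWT whose signature
#     segment deliberately contains '-' and '_' to exercise the class
#   - an old-format token: 36 alphanumeric characters after ghs_
#   - a line with a ghs_ prefix that is neither shape and must be left alone
SAMPLE_NEW='token=ghs_123456_eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.sig-value_ok end'
SAMPLE_OLD='old ghs_abcdefghijklmnopqrstuvwxyz0123456789 x'
SAMPLE_NONE='no token here ghs_short'

# Demo run when executed directly; each line should print with the token
# (if any) replaced by REDACTED.
printf '%s\n' "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_NONE" | redact_tokens
```

Because the new pattern's character class includes `_` and `-`, it stops only at the first byte outside base64url (here the space before "end"), which is what makes the variable-length token come out as a single REDACTED. Running the script prints the three sample lines with the first two tokens masked and the third line untouched.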

Copilot AI linked an issue Apr 26, 2026 that may be closed by this pull request
plengauer (Owner) commented:

Hello, thanks for contributing for the first time!

…_APPID_JWT)

Agent-Logs-Url: https://github.com/plengauer/Thoth/sessions/694cfeaf-b6d8-46d5-a484-7f1e4aabc764

Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
Copilot AI changed the title [WIP] Adjust secret masking for job level instrumentation Add masking pattern for new GitHub App installation token format Apr 26, 2026
Copilot AI requested a review from plengauer April 26, 2026 08:52
@plengauer plengauer marked this pull request as ready for review April 26, 2026 09:15
@plengauer plengauer requested a review from moflwi as a code owner April 26, 2026 09:15
Copilot AI review requested due to automatic review settings April 26, 2026 09:15
@plengauer plengauer enabled auto-merge (squash) April 26, 2026 09:16
Copilot AI (Contributor) left a comment

Pull request overview

Updates the GitHub Actions job instrumentation to continue redacting GitHub App installation tokens as GitHub rolls out a new stateless ghs_<AppID>_<JWT> format, ensuring tokens don’t leak into OTLP logs/metrics/traces.

Changes:

  • Added a new ghs_<AppID>_<JWT> masking regex alongside the existing ghs_[a-zA-Z0-9]{36} rule.
  • Applied the new rule consistently across all five existing redaction surfaces (log attributes/body, metric attributes, span attributes/name).

moflwi previously approved these changes Apr 27, 2026
@plengauer plengauer merged commit 2f9619f into main May 14, 2026
571 checks passed
@plengauer plengauer deleted the copilot/adjust-secret-masking branch May 14, 2026 08:00
Development

Successfully merging this pull request may close these issues.

Adjust secret masking

4 participants