Skip to content

CI: Pin shivammathur/setup-php before broken GitHub auth fix#7792

Merged
JonnyBurger merged 2 commits into
mainfrom
jonnyburger/fix-php-composer-ci-auth
May 29, 2026
Merged

CI: Pin shivammathur/setup-php before broken GitHub auth fix#7792
JonnyBurger merged 2 commits into
mainfrom
jonnyburger/fix-php-composer-ci-auth

Conversation

@JonnyBurger
Copy link
Copy Markdown
Member

@JonnyBurger JonnyBurger commented May 29, 2026
edited
Loading

Problem

The "SSR + Monorepo checks" CI job was consistently failing in the php-package.test.ts test with:

In BaseIO.php line 140:
Your github oauth token for github.com contains invalid characters: "ghs_15 *** *** ..."

Root Cause

shivammathur/setup-php@v2 is a floating tag. On May 13 2026, it received security patch GHSA-f9f8-rm49-7jv2 ("Fix GitHub auth handling for composer in affected versions") which changed how the Composer GitHub OAuth token is configured. The new behavior sets the token in a way that Composer rejects as having invalid characters.

Fix

Pin shivammathur/setup-php to commit ac9c9532 — the last commit before that security patch was applied.

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 29, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
bugs Ready Ready Preview, Comment May 29, 2026 11:20am
remotion Ready Ready Preview, Comment May 29, 2026 11:20am

Request Review

pullfrog[bot]
pullfrog Bot reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@pullfrog pullfrog Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ No new issues found.

Reviewed changes — Adds a step to clear the Composer GitHub OAuth token after shivammathur/setup-php@v2 in the SSR CI job, fixing a failure where Composer rejects the GITHUB_TOKEN as having invalid characters.

  • Add Remove Composer GitHub auth step — runs composer config -g --unset github-oauth.github.com || true immediately after PHP setup to prevent php-package.test.ts from failing on a corrupt token.

Pullfrog  | View workflow run | Using Kimi K2𝕏

@JonnyBurger
CI: Pin shivammathur/setup-php before broken GitHub auth fix
1d7d6f5 
shivammathur/setup-php@v2 received a security patch on May 13
(GHSA-f9f8-rm49-7jv2) that changed how Composer GitHub auth is handled,
which broke Composer token handling and caused the PHP package tests to
fail with 'invalid characters' errors.

Pin to ac9c9532 (the last commit before that change).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@JonnyBurger JonnyBurger force-pushed the jonnyburger/fix-php-composer-ci-auth branch from 9ea5bcf to 1d7d6f5 Compare May 29, 2026 09:55
@JonnyBurger JonnyBurger changed the title CI: Fix PHP Composer auth in SSR job CI: Pin shivammathur/setup-php before broken GitHub auth fix May 29, 2026
@JonnyBurger
CI: Disable setup-php Composer tooling
7e97048 
Avoid setup-php writing GitHub Actions tokens into Composer auth. The PHP package tests use bundled composer.phar versions, which then reject the masked ghs token from auth.json. Keep setup-php on v2 and skip its default Composer setup.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@JonnyBurger JonnyBurger merged commit 67c2105 into main May 29, 2026
16 checks passed
@JonnyBurger JonnyBurger deleted the jonnyburger/fix-php-composer-ci-auth branch May 29, 2026 11:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pullfrog pullfrog[bot] pullfrog[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JonnyBurger