May 13, 2026
Secrets out, comment claws out
GitHub Actions-issued GITHUB_TOKEN disclosure in GitHub Actions logs
A tiny code mismatch turned build logs into a panic zone, and commenters instantly started pointing fingers
TLDR: A bug in a widely used tool caused temporary GitHub access codes to appear in automation logs, which could expose them briefly before they expire. Commenters split between panic, blame-shifting, and nitpicking the headline, turning a security bug into a full-on who’s-at-fault debate.
The tech world got a fresh workflow horror story this week: a bug caused some secret access codes used in GitHub Actions — GitHub’s tool for automating software jobs — to spill into build logs. The twist? The community reaction was almost more dramatic than the bug itself. One camp went full alarm bell, with the original reporter urging teams to disable GitHub Actions immediately if they weren’t sure what version of Composer they were running. That’s the kind of comment that sends engineering group chats straight into meltdown mode.
But then came the classic internet pile-on. Some commenters used the moment to dunk on GitHub Actions as a whole, calling it a pain for “serious DevOps” and basically saying, yep, this tracks. Others slammed the headline itself, arguing people were blaming the wrong villain. Their big complaint: this wasn’t really GitHub “leaking” secrets on its own — it was Composer, a popular PHP tool, mishandling a new token format and printing the full code into the logs when it didn’t like a dash character. In other words, part security scare, part naming controversy.
There was also a quieter thread of anxiety underneath the chaos: what does this mean for private repositories, where code is locked down and leaks feel extra scary? The answer softened the panic a little — these tokens usually expire fast and are limited in scope — but not enough to stop the comment-section courtroom drama. The mood was a mix of “this is bad”, “everyone is overreacting”, and “please fix the headline before the internet loses it.”
Key Points
- Composer can print the full value of a GitHub token to stderr if the token fails its GitHub OAuth token character validation.
- GitHub’s newer GitHub Actions GITHUB_TOKEN format includes hyphens, which do not match Composer’s validation regex `^[.A-Za-z0-9_]+$`.
- Common GitHub Actions setups can trigger the issue because actions such as shivammathur/setup-php automatically place GITHUB_TOKEN into Composer’s global auth.json.
- The leak occurs because Composer includes the rejected token verbatim in an UnexpectedValueException that Symfony Console prints to stderr.
- The article describes the issue as medium severity, with impact constrained by token scope and expiration time, though other future credentials failing validation could expose the same leak pattern.
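To make the failure mode in the Key Points concrete, here is an added illustration (not Composer’s own PHP code) of the same character check written in Python: the leaky validator echoes the rejected value into the exception message, exactly the pattern that ends up in stderr, while a hardened variant reports only what is needed to debug the mismatch. The sample token strings are constructed placeholders, not real credentials.

```python
import re

# The GitHub OAuth token character check quoted in the article.
TOKEN_PATTERN = re.compile(r"^[.A-Za-z0-9_]+$")
ALLOWED_CHAR = re.compile(r"[.A-Za-z0-9_]")


class TokenValidationError(ValueError):
    """Stand-in for the UnexpectedValueException the article describes."""


def validate_token_leaky(token: str) -> str:
    """Vulnerable pattern: the rejected secret is embedded verbatim in the
    exception message, so any console handler that prints exceptions to
    stderr writes the credential into the build log."""
    if not TOKEN_PATTERN.match(token):
        raise TokenValidationError(f"Invalid GitHub OAuth token: {token}")
    return token


def validate_token_safe(token: str) -> str:
    """Hardened pattern: report the offending characters and the length,
    which is enough to diagnose a format mismatch, but never the value."""
    if not TOKEN_PATTERN.match(token):
        offending = sorted({c for c in token if not ALLOWED_CHAR.match(c)})
        raise TokenValidationError(
            f"Invalid GitHub OAuth token (length {len(token)}): "
            f"unexpected character(s) {offending!r}; value withheld"
        )
    return token


def error_message(validator, token: str):
    """Return the message a stderr handler would print, or None if accepted."""
    try:
        validator(token)
    except TokenValidationError as exc:
        return str(exc)
    return None


# Constructed samples: a legacy-style value that passes the regex, and a
# hyphenated value mimicking the newer GITHUB_TOKEN format that fails it.
LEGACY_STYLE = "EXAMPLE_old_style_value_123"
HYPHENATED = "EXAMPLE-new-style-value-123"

if __name__ == "__main__":
    print(error_message(validate_token_leaky, HYPHENATED))  # secret in log
    print(error_message(validate_token_safe, HYPHENATED))   # secret withheld
```

A defender can apply the same idea when triaging existing logs: the string to search for is the fixed prefix of the error message, not the token itself.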