Fix ghs_ redaction pattern to support new token format #153
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates the default redaction pattern for ghs_ tokens to match GitHub’s new installation token format (allowing . and _ and variable length), and adjusts specs to ensure the new format is properly redacted.
Changes:
- Expand the ghs_ default regex to allow [A-Za-z0-9._] and variable length.
- Update the existing ghs_ spec to expect full-token redaction.
- Add a new spec case covering ghs_ tokens containing dots and underscores.
| File | Description |
|---|---|
| spec/lib/redacting_logger_spec.rb | Updates/extends redaction test cases to validate the new ghs_ token formats are fully redacted. |
| lib/patterns/default.rb | Broadens the default ghs_ redaction regex to match the new allowed character set and variable length. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 1
| /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, | ||
| /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # Fine Grained | ||
| /ghs_[a-zA-Z0-9]{36}/, # Temporary Actions Tokens | ||
| /ghs_[A-Za-z0-9._]{36,}/, # GitHub App installation tokens |
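Review bot: On the added ghs_ line, `{36,}` still requires at least 36 characters after the prefix, so a new-format token shorter than that would pass through unredacted; please confirm the minimum length of the new format and add a spec at that boundary. Also, because `.` is now in the class and the match has no upper bound, a period or dotted text written directly after a token is consumed by the match. That errs on the safe side, but a spec for it would make the behaviour deliberate.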
@hpsin you will also want to bump the version file and cut a new release: redacting-logger/lib/version.rb Line 5 in 4fff5a4
@github/authentication-reviewers — FYI, this draft PR updates the
d8e81b7 to ac21280
@GrantBirki Pushed, could you help us with the release process? Also would like to know how many downstream services are dependent on this for log redaction - we're currently in the early stages of rolling out the new token format.
@hagould simply merging this PR should kick off the release process and publish to RubyGems since you bumped the I don't work at GitHub any more and I won't comment publicly on the services at GitHub that use this Gem 😉.
If this is still early on, I might consider adding some unit tests for this new redaction pattern as well -> https://github.com/github/redacting-logger/blob/main/spec/lib/redacting_logger_spec.rb
Updates the ghs_ token regex to support the new token format which allows dots and underscores ([A-Za-z0-9._]) and variable length (no longer fixed at 36 chars).

See the changelog: https://github.blog/changelog/2026-05-15-github-app-installation-tokens-per-request-override-header/
Tracking in Slack: #tmp-stateless-app-tokens
Part of: github/authentication#5980
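
The effect of the pattern change described above, as an added example that is not part of the pull request or the gem: it applies the old and new ghs_ regexes from the diff to constructed tokens using plain String#gsub. The MASK string, the sample tokens and the helper names are assumptions made for illustration.

```ruby
# Added example, not code from the redacting-logger gem: the two ghs_ patterns
# from the diff applied to constructed tokens with String#gsub.

OLD_GHS = /ghs_[a-zA-Z0-9]{36}/     # line removed by the PR
NEW_GHS = /ghs_[A-Za-z0-9._]{36,}/  # line added by the PR
MASK    = "[REDACTED]"              # replacement string assumed for this example

# Constructed sample tokens (not real credentials).
SAMPLES = {
  legacy: "ghs_" + "A1b2" * 9,                     # 36 alphanumerics
  longer: "ghs_" + "A1b2" * 12,                    # 48 alphanumerics
  dotted: "ghs_" + "A1b2" * 4 + "." + "c3D4_" * 6  # dot and underscores
}.freeze

# Replace every match of pattern in line with the mask.
def redact(line, pattern)
  line.gsub(pattern, MASK)
end

# Token characters still present after redaction ("" means fully masked).
def leaked(token, pattern)
  redact(token, pattern).sub(MASK, "")
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, token|
    line = "token=#{token} status=401"
    puts "#{name}: old -> #{redact(line, OLD_GHS)}"
    puts "#{name}: new -> #{redact(line, NEW_GHS)}"
  end
  # Edge case: "." is in the new character class, so a sentence-ending period
  # written directly after a token is masked along with it.
  puts redact("Rejected #{SAMPLES[:legacy]}. Retrying.", NEW_GHS)
end
```

With the old pattern, the longer token keeps its last 12 characters in the log and the dotted token is not matched at all; the new pattern masks all three.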