
Composer GHSA-f9f8-rm49-7jv2: audit Actions logs for token disclosure #158

@apermo

Description


Composer ≤ 2.9.7 / ≤ 2.2.27 / ≤ 1.10.27 interpolates GitHub Actions tokens
verbatim into stderr when validating new-format tokens containing hyphens,
exposing the full GITHUB_TOKEN / App installation token in job logs.

This repo runs Composer via shivammathur/setup-php@v2 (no pinned `tools: composer:X.Y.Z`) in:

  • .github/workflows/lint.yml
  • .github/workflows/pr-validation.yml

Action items

  • No code change required — setup-php@v2 pulls the latest stable Composer on each run, so the next CI run picks up 2.9.8 automatically.
  • Audit recent Actions logs for raw token strings (ghs_, gho_, ghu_, github_pat_). TTL: ≤ 6h on GitHub-hosted runners, ≤ 24h on self-hosted.
  • If a write-scoped token was logged within its TTL, review commits / releases / packages from that window for unauthorized changes.
  • Force a fresh run on the default branch to confirm patched Composer is in use.
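A small scanner for the audit step above, added here as an example and not part of the issue or of Composer: it walks a job log line by line, flags the token prefixes listed above, and reports only a masked form so the audit itself does not re-disclose a secret. The log lines and token values are constructed (they are not real tokens and not Composer's actual error text).

```python
"""Scan a GitHub Actions job log for raw GitHub token strings."""
import re
from dataclasses import dataclass

# Prefixes named in the issue: App installation / server tokens (ghs_), OAuth
# tokens (gho_), user-to-server tokens (ghu_) and fine-grained PATs (github_pat_).
# The body class allows '-' because the bug is triggered by hyphenated tokens.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(github_pat_|ghs_|gho_|ghu_)[A-Za-z0-9_-]{20,}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    prefix: str
    masked: str  # prefix + 4 chars, enough to correlate with a known token


def mask(token: str, prefix: str) -> str:
    """Keep the prefix and four more characters; star out the rest."""
    keep = len(prefix) + 4
    return token[:keep] + "*" * (len(token) - keep)


def scan_log(log_text: str) -> list[Finding]:
    """Return one Finding per raw token occurrence, in log order."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            findings.append(Finding(n, m.group(1), mask(m.group(0), m.group(1))))
    return findings


# Constructed sample log: line 2 shows the runner's own '***' masking (not a
# finding), line 4 is a short false positive candidate, lines 3 and 5 leak.
SAMPLE_LOG = """\
2025-01-15T10:22:01.0000000Z Setup PHP: composer:2.9.7 installed
2025-01-15T10:22:02.0000000Z Using token *** for api.github.com
2025-01-15T10:22:03.0000000Z [constructed] token 'ghs_EXAMPLEtoken000000000000000000000000' failed validation
2025-01-15T10:22:04.0000000Z ghs_short is not a token
2025-01-15T10:22:05.0000000Z [constructed] github_pat_EXAMPLE0000000000000_EXAMPLE0000000000000000 rejected
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.prefix} token disclosed -> {f.masked}")
```

Feed it the text of `gh run view <run-id> --log` for each run inside the TTL window; a hit with a `ghs_` prefix on a workflow that had write permissions is the case the next action item covers.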

Optional hardening

Pin a minimum Composer version explicitly:

```yaml
- uses: shivammathur/setup-php@v2
  with:
    tools: composer:^2.9.8
```
