It is a PITA, but that can be significantly improved IMHO if you just write shell script wrappers for your tasks. Not only does it make it easier to run CI locally, but it also makes it so much easier to move platforms in the future.

When the GH action YAML is just invoking shell scripts, I find it quite pleasant to use

You've perfectly described how microsoft operates and how github actions is apparently based on AzureDevOps pipelines.

Could you elaborate on this bit on why Github's secret masking doesn't work here:

> GitHub Actions' built-in secret masker matches registered values as exact substrings. When the exception message is rendered by Symfony Console it may wrap, embed in In BaseIO.php line N: framing, or interleave with ANSI control sequences. So the masker does not redact, and the plaintext token reaches the log.

What does this log rendering look like such that the token from that code snippet becomes interleaved enough to not be a substring match?

I'm not familiar with composer/Symfony but I would expect something like:

  Line 34: Foo bar
  Line 34: <red>Foo bar</red>

Not immediately clear to me, is this limited to ghu_xxx type OAUTH tokens? And it's only relevant for PHP projects that use composer in GHA?

If everyone that can read the logs are people who can read the secrets, then nothing. If there are any log readers who should be be secret readers, its a potentially exposed secret.

Yes, it's a Composer issue (which is a PHP dependencies manager) with the new format of GITHUB_TOKEN.

It's not an issue in GHA itself, this time. But if you are a composer user in GH, you should definitely be warned (and worried).

it's not super clear, but that's my read as well... i think i can start lowering my panic levels now.