From 36040b424bee9ea69d8da2e9124bfabb2877c2bd Mon Sep 17 00:00:00 2001
From: Leon Haffmans
Date: Fri, 5 Jun 2026 08:17:06 +0200
Subject: [PATCH 1/4] chore(deps): Bump bo4e-cli from 1.2.1 to 1.2.2
---
 .github/actions/setup-bo4e/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/setup-bo4e/action.yml b/.github/actions/setup-bo4e/action.yml
index dcde0b661..827b28ec5 100644
--- a/.github/actions/setup-bo4e/action.yml
+++ b/.github/actions/setup-bo4e/action.yml
@@ -5,7 +5,7 @@ inputs:
 version:
 description: bo4e CLI release tag to install.
 required: false
- default: v1.2.1
+ default: v1.2.2
 runs:
 using: composite
From 0000eabc664a0dd6a7020fef3a7ba3f31d02f637 Mon Sep 17 00:00:00 2001
From: Leon Haffmans
Date: Fri, 5 Jun 2026 08:29:47 +0200
Subject: [PATCH 2/4] Adapt script regex to reflect current bo4e-cli implementation
---
 scripts/generate_docs_assets.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/generate_docs_assets.py b/scripts/generate_docs_assets.py
index 7c0ab4feb..da369cfb3 100644
--- a/scripts/generate_docs_assets.py
+++ b/scripts/generate_docs_assets.py
@@ -81,7 +81,7 @@
 # (crates/bo4e-cli/src/io/github.rs). Used to diagnose token format issues
 # before invoking the CLI.
 _BO4E_TOKEN_RE = re.compile(
- r"^(gh[pousr]_[A-Za-z0-9_]{36,251}" r"|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}" r"|v[0-9]\.[0-9a-f]{40})$"
+ r"^(gh[pousr]_[A-Za-z0-9_]{36,}" r"|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}" r"|v[0-9]\.[0-9a-f]{40})$"
 )
From 88d0e39dbf6b6f304ea314b9371968bc773a7b14 Mon Sep 17 00:00:00 2001
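Review bot: The rewritten pattern line in PATCH 2/4 still ends in `$`, which in Python also matches just before a trailing newline, so a secret stored with a stray `\n` can be reported as `bo4e-regex-valid=True` by this script. If the CLI's regex (the comment points at `crates/bo4e-cli/src/io/github.rs`) anchors strictly at end of input, the two verdicts diverge in exactly the case this diagnostic exists for. Consider ending the pattern with `\Z` instead of `$`, or applying it with `fullmatch`; the call site is outside this hunk (the PATCH 3/4 hunk at line 408 shows `_BO4E_TOKEN_RE.match(value)`). The same applies to the rewritten pattern lines in PATCH 3/4 and PATCH 4/4.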
From: Leon Haffmans <49658102+lord-haffi@users.noreply.github.com>
Date: Fri, 5 Jun 2026 06:45:32 +0000
Subject: [PATCH 3/4] chore(scripts): print sorted body anagram in auth diagnostic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The bo4e-cli regex still rejects the GitHub Actions installation token even after lifting the length cap (bo4e-cli#176, v1.2.2). Hypothesis: the new `ghs_…` tokens contain characters outside the regex's [A-Za-z0-9_] body charset (`-`, `+`, `/`, `=`, …). Add a sorted-character anagram of the body (everything after the 4-char prefix) to the [auth] line. The anagram reveals the character multiset without leaking position, so we can confirm or refute the hypothesis from the next CI failure log.
Co-Authored-By: Claude Opus 4.7
---
 scripts/generate_docs_assets.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/scripts/generate_docs_assets.py b/scripts/generate_docs_assets.py
index da369cfb3..defbd1031 100644
--- a/scripts/generate_docs_assets.py
+++ b/scripts/generate_docs_assets.py
@@ -81,7 +81,7 @@
 # (crates/bo4e-cli/src/io/github.rs). Used to diagnose token format issues
 # before invoking the CLI.
 _BO4E_TOKEN_RE = re.compile(
- r"^(gh[pousr]_[A-Za-z0-9_]{36,}" r"|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}" r"|v[0-9]\.[0-9a-f]{40})$"
+ r"^(gh[pousr]_[A-Za-z0-9_]{36,}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}|v[0-9]\.[0-9a-f]{40})$"
 )
@@ -408,14 +408,27 @@ def main() -> int:
 # Diagnostics — useful when CI fails surprisingly. Never print the token
 # value. The length and prefix are not unique to any single secret and
- # therefore aren't masked by GitHub Actions' log scrubber.
+ # therefore aren't masked by GitHub Actions' log scrubber. The
+ # body-anagram (sorted characters after the 4-char prefix) reveals the
+ # character multiset without leaking position; with it we can tell
+ # whether GitHub is now issuing tokens that include characters outside
+ # the bo4e-cli regex's [A-Za-z0-9_] body charset (e.g. '-', '+', '/',
+ # '=', '.'), which would explain the regex rejecting a length-valid
+ # token.
+ def _body_anagram(token: str) -> str:
+ return "".join(sorted(token[4:]))
+
 def _describe(env_name: str) -> str:
 value = os.environ.get(env_name, "")
 if not value:
 return f"{env_name}=unset"
 prefix = value[:4]
 bo4e_valid = bool(_BO4E_TOKEN_RE.match(value))
- return f"{env_name}=set (len={len(value)}, prefix={prefix!r}, " f"bo4e-regex-valid={bo4e_valid})"
+ return (
+ f"{env_name}=set (len={len(value)}, prefix={prefix!r}, "
+ f"bo4e-regex-valid={bo4e_valid}, "
+ f"body-anagram={_body_anagram(value)!r})"
+ )
 print(f"[auth] {_describe('GITHUB_ACCESS_TOKEN')}")
 print(f"[auth] {_describe('GITHUB_TOKEN')}")
From 91f7bf71c13a02e50d1adf49f557376e69fa3f31 Mon Sep 17 00:00:00 2001
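Review bot: `_body_anagram` writes every character of the secret after the first four into the job log, for both `GITHUB_ACCESS_TOKEN` and `GITHUB_TOKEN`, which contradicts the "Never print the token value" rule stated at the top of the same comment block. Sorting hides only the order: the output is not the secret string itself, so the log scrubber presumably will not mask it, and for a short or low-variety value (a mis-set secret, a truncated token) the multiset is close to the value. The stated hypothesis only needs the characters that fall outside the expected charset, so report just those, e.g. `return "".join(sorted(set(re.sub(r"[A-Za-z0-9_]", "", token[4:]))))`, and reword the comment to say the field lists unexpected characters only. `main()` starts and ends outside this hunk.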
From: Leon Haffmans <49658102+lord-haffi@users.noreply.github.com>
Date: Fri, 5 Jun 2026 07:53:58 +0000
Subject: [PATCH 4/4] chore(deps): bump bo4e-cli to v1.2.3, sync script regex
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
v1.2.3 widens the token-validation regex body charset from `[A-Za-z0-9_]` to `[A-Za-z0-9_.\-]`, accepting GitHub's new JWT-encoded `ghs_…` Actions installation tokens (bo4e-cli#178). Mirror the charset in the script's diagnostic regex so `bo4e-regex-valid=True` lines up with the CLI's verdict again.
Co-Authored-By: Claude Opus 4.7
---
 .github/actions/setup-bo4e/action.yml | 2 +-
 scripts/generate_docs_assets.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/setup-bo4e/action.yml b/.github/actions/setup-bo4e/action.yml
index 827b28ec5..558f611a2 100644
--- a/.github/actions/setup-bo4e/action.yml
+++ b/.github/actions/setup-bo4e/action.yml
@@ -5,7 +5,7 @@ inputs:
 version:
 description: bo4e CLI release tag to install.
 required: false
- default: v1.2.2
+ default: v1.2.3
 runs:
 using: composite
diff --git a/scripts/generate_docs_assets.py b/scripts/generate_docs_assets.py
index defbd1031..4ecc6a00c 100644
--- a/scripts/generate_docs_assets.py
+++ b/scripts/generate_docs_assets.py
@@ -81,7 +81,7 @@
 # (crates/bo4e-cli/src/io/github.rs). Used to diagnose token format issues
 # before invoking the CLI.
 _BO4E_TOKEN_RE = re.compile(
- r"^(gh[pousr]_[A-Za-z0-9_]{36,}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}|v[0-9]\.[0-9a-f]{40})$"
+ r"^(gh[pousr]_[A-Za-z0-9_.\-]{36,}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}|v[0-9]\.[0-9a-f]{40})$"
 )
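Review bot: Widening the charset in the `generate_docs_assets.py` hunk leaves the comment added to `main()` in PATCH 3/4 stale: it still gives the body charset as `[A-Za-z0-9_]` and names `-` and `.` as characters that would explain a rejection. The commit message says the charset question is settled by bo4e-cli#178, so this commit is the natural place to delete `_body_anagram` and the `body-anagram=` part of the `[auth]` line rather than keep token-derived output in CI logs on every run. If a charset diagnostic is kept, its comment should cite `[A-Za-z0-9_.\-]`. That code lies outside this hunk.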