Fix ghs_ token regex: rebuild lib/ bundle and add missing hyphen

[hagould]

Updates the ghs_ token regex to support the new token format which allows dots and underscores ([A-Za-z0-9._-]) and variable length (no longer fixed at 36 chars).

See the changelog: https://github.blog/changelog/2026-05-15-github-app-installation-tokens-per-request-override-header/
Tracking in Slack: #tmp-stateless-app-tokens
Part of: https://github.com/github/authentication/issues/5980

Supersedes #3931 (from fork, had the correct source but stale bundle).
Fixes the compiled lib/entry-points.js bundle which was missing the - (hyphen) character in the ghs_ token regex character class.

The source .ts file correctly uses [A-Za-z0-9._-] but the committed bundle had [A-Za-z0-9._] — missing the hyphen that base64url encoding (RFC 4648 §5) uses in JWT signatures. This is the same bug class as CVE-2026-45793 (Composer token leak).

This PR rebuilds the bundle from the source to fix the mismatch.
Part of: github/authentication#6826

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the artifact scanner to detect the newer ghs_ token formats and improves scanning to avoid duplicate findings when patterns overlap.

Changes:

• Broadened ghs_ regex patterns to match newer token formats.
• Changed token scanning to iterate matches via matchAll() and de-duplicate findings by match index.
• Updated tests to cover the new ghs_ format and adjust expected token classification.

Show a summary per file

File	Description
src/artifact-scanner.ts	Updates ghs_ detection patterns and revises scanning logic to use matchAll() with de-duping.
src/artifact-scanner.test.ts	Adds test coverage for the new ghs_ format and updates expected token types.
lib/entry-points.js	Compiled/bundled output reflecting the source changes.

Copilot's findings

• Files reviewed: 2/3 changed files
• Comments generated: 7