From 894284d10e817073f42ea40084a0b10dd0e34b19 Mon Sep 17 00:00:00 2001
From: Hirsch Singhal
Date: Mon, 25 May 2026 09:44:03 -0700
Subject: [PATCH 1/4] Fix ghs token redaction regex

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 lib/patterns/default.rb | 2 +-
 spec/lib/redacting_logger_spec.rb | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
index c658b45..01bb0c1 100644
--- a/lib/patterns/default.rb
+++ b/lib/patterns/default.rb
@@ -12,7 +12,7 @@ module Patterns
 # https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
 /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/,
 /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # Fine Grained
- /ghs_[a-zA-Z0-9]{36}/, # Temporary Actions Tokens
+ /ghs_[A-Za-z0-9._]{36,}/, # GitHub App installation tokens
 # JWT Token
 # https://en.wikipedia.org/wiki/JSON_Web_Token
diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 1294e5c..c292e93 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -82,9 +82,14 @@
 expected_message: "token [REDACTED]"
 },
 {
- case: "github action pat",
+ case: "github app installation token",
 message: "token ghs_1234567890abcdefghijklmnopqrstuvwxyz123456",
- expected_message: "token [REDACTED]123456"
+ expected_message: "token [REDACTED]"
+ },
+ {
+ case: "github app installation token with dots and underscores",
+ message: "token ghs_Abcdef1234567890ghijklmnopqrstu.vw_xyz.1234567890",
+ expected_message: "token [REDACTED]"
 },
 {
 case: "custom token",
From 9d91197b390f9041c99d5f9f76a9648aaa3225e5 Mon Sep 17 00:00:00 2001
From: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>
Date: Tue, 26 May 2026 09:31:13 -0700
Subject: [PATCH 2/4] Fix ghs_ regex: add dash to character class [A-Za-z0-9._-]

---
 lib/patterns/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
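Review bot: In patch 1/4, lib/patterns/default.rb, the new `ghs_` pattern drops the upper bound but keeps 36 as a hard floor, so a `ghs_` value with fewer than 36 following characters is still logged in clear, and the line does not say whether that floor comes from the token format or is left over from the old `{36}`. The only reference in view is the 2021 blog link above the `ghp_` pattern, and the hunk does not show whether it covers a format containing `.` and `_`. I would put a comment above the pattern along the lines of `# ghs_: variable length, 36+ chars of [A-Za-z0-9._]; unanchored and greedy, so adjacent '.'/'_' text is redacted as well`, together with a link to wherever the new format is specified. Patch 2/4 touches the same line to add `-` to the class and needs the same comment. The pattern array starts and ends outside the hunk.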
diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
index 01bb0c1..087883a 100644
--- a/lib/patterns/default.rb
+++ b/lib/patterns/default.rb
@@ -12,7 +12,7 @@ module Patterns
 # https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
 /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/,
 /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # Fine Grained
- /ghs_[A-Za-z0-9._]{36,}/, # GitHub App installation tokens
+ /ghs_[A-Za-z0-9._-]{36,}/, # GitHub App installation tokens
 # JWT Token
 # https://en.wikipedia.org/wiki/JSON_Web_Token
From ac21280b23781ac9fc1b7ca9865663fc9223bb85 Mon Sep 17 00:00:00 2001
From: hagould
Date: Tue, 26 May 2026 15:36:22 -0700
Subject: [PATCH 3/4] Bump version to 1.5.2

---
 lib/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/version.rb b/lib/version.rb
index d8fe2df..95e78b9 100644
--- a/lib/version.rb
+++ b/lib/version.rb
@@ -2,6 +2,6 @@ module RedactingLogger
 module Version
- VERSION = "1.5.1"
+ VERSION = "1.5.2"
 end
 end
From 17f270e2488aff3d912d1a14ea648207e79e4e2b Mon Sep 17 00:00:00 2001
From: hagould
Date: Wed, 27 May 2026 10:59:18 -0700
Subject: [PATCH 4/4] Add test coverage for ghs_ token edge cases

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 spec/lib/redacting_logger_spec.rb | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index c292e93..eefcc56 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -91,6 +91,31 @@
 message: "token ghs_Abcdef1234567890ghijklmnopqrstu.vw_xyz.1234567890",
 expected_message: "token [REDACTED]"
 },
+ {
+ case: "github app installation token with dashes",
+ message: "token ghs_Abcdef-1234567890-ghijklmnopqrstu-vwxyz",
+ expected_message: "token [REDACTED]"
+ },
+ {
+ case: "github app installation token with mixed special chars",
+ message: "token ghs_abc.DEF-123_ghi.JKL-456_mno.PQR-789_stu",
+ expected_message: "token [REDACTED]"
+ },
+ {
+ case: "github app installation token at minimum length (36 chars after prefix)",
+ message: "token ghs_abcdefghijklmnopqrstuvwxyz1234567890",
+ expected_message: "token [REDACTED]"
+ },
+ {
+ case: "github app installation token longer than 36 chars",
+ message: "token ghs_abcdefghijklmnopqrstuvwxyz1234567890.extra-chars_here.more",
+ expected_message: "token [REDACTED]"
+ },
+ {
+ case: "github app installation token too short to match",
+ message: "token ghs_tooshort",
+ expected_message: "token ghs_tooshort"
+ },
 {
 case: "custom token",
 message: "token token_ABCDE",
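Review bot: Every added case in patch 4/4 ends the message at the token, and the one negative case (`ghs_tooshort`) is far below the limit, so neither edge of the `{36,}` match is pinned by the suite. With `.`, `_` and `-` in the class and no upper bound, where redaction stops is the behaviour most likely to regress, for example a token sitting in front of `@github.com` in a remote URL or followed by a comma in structured output. I would add one case with text after the token and one with 35 characters after the prefix, so that leaving such a value unredacted is an explicit decision rather than an untested default; the expected strings below assume no other default pattern matches them. The array of cases starts and ends outside the hunk.

```ruby
      # constructed samples, placed after the "too short to match" case
      {
        case: "github app installation token followed by other text",
        message: "token ghs_abcdefghijklmnopqrstuvwxyz1234567890, next field",
        expected_message: "token [REDACTED], next field"
      },
      {
        case: "github app installation token one char below minimum length",
        message: "token ghs_abcdefghijklmnopqrstuvwxyz123456789",
        expected_message: "token ghs_abcdefghijklmnopqrstuvwxyz123456789"
      },
      # … unchanged: "custom token" case …
```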