@htekdev/actions-debugger 1.0.106 → 1.0.107

package/errors/runner-environment/hashfiles-fails-on-macos-fail-to-hash-files-under-directory.yml

@@ -0,0 +1,116 @@
+id: runner-environment-176
+title: "hashFiles() fails on macOS with 'Fail to hash files under directory'"
+category: runner-environment
+severity: error
+tags:
+  - hashfiles
+  - macos
+  - runner-images
+  - cache
+  - expression
+  - image-regression
+patterns:
+  - regex: 'hashFiles\(.+\) failed\. Fail to hash files under directory'
+    flags: 'i'
+  - regex: 'The template is not valid.*hashFiles.*Fail to hash files'
+    flags: 'is'
+error_messages:
+  - "Error: The template is not valid. /Users/runner/work/.../action.yml (Line: 48, Col: 12): hashFiles('**/go.sum') failed. Fail to hash files under directory '/Users/runner/work/...'"
+  - "hashFiles('**/package-lock.json') failed. Fail to hash files under directory '/Users/runner/work/...'"
+root_cause: |
+  Certain macOS runner image versions (including macos-15-arm64 image
+  20251119.0020 through approximately 20251122) introduced a regression
+  where the hashFiles() expression function fails to enumerate files
+  under the workspace directory on macOS. The same workflow succeeds on
+  Linux and Windows runners.
+
+  The failure manifests whenever hashFiles() is used in any expression
+  context — strategy.matrix, cache key, conditional — on the affected
+  macOS runner image versions. The underlying cause is a filesystem
+  enumeration permission or path-resolution change introduced by the
+  runner image update (see actions/runner-images #13341). The issue was
+  not present in the previous macOS image version and reappeared without
+  workflow changes.
+
+  Root cause in runner-images: the runner image update changed system
+  configuration in a way that prevented the runner process from
+  recursively listing files under the workspace directory on macOS. The
+  fix was a runner image rollback / patch released around December 12,
+  2025.
+
+  This failure is a runner-image regression, not a workflow bug. It can
+  recur if future macOS runner image updates introduce similar filesystem
+  configuration changes.
+fix: |
+  If you encounter this error on macOS:
+
+  1. Wait for GitHub to release a patched macOS runner image — runner
+     image regressions are typically resolved within days. Monitor
+     actions/runner-images for the fix.
+
+  2. Pin your workflow to a specific macOS runner image version that
+     predates the regression while waiting for the fix.
+
+  3. As a temporary workaround, replace hashFiles() with a manual
+     hash computation step using sha256sum or similar:
+
+       - name: Compute hash manually (macOS workaround)
+         id: hash
+         run: |
+           echo "hash=$(find . -name 'go.sum' -exec sha256sum {} \; | sha256sum | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+       - uses: actions/cache@v4
+         with:
+           path: ~/go/pkg/mod
+           key: ${{ runner.os }}-go-${{ steps.hash.outputs.hash }}
+
+  4. After the runner image is updated to a fixed version, remove the
+     workaround and restore hashFiles().
+fix_code:
+  - language: yaml
+    label: "Manual hash workaround for macOS hashFiles() regression"
+    code: |
+      jobs:
+        build:
+          runs-on: macos-latest
+
+          steps:
+            - uses: actions/checkout@v4
+
+            # Workaround: compute cache key hash manually when hashFiles() fails on macOS
+            - name: Compute go.sum hash
+              id: hash
+              run: |
+                echo "hash=$(find . -name 'go.sum' | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)" \
+                  >> "$GITHUB_OUTPUT"
+
+            - uses: actions/cache@v4
+              with:
+                path: ~/go/pkg/mod
+                key: ${{ runner.os }}-go-${{ steps.hash.outputs.hash }}
+
+            - run: go build ./...
+  - language: yaml
+    label: "Pin to a known-good macOS runner image while waiting for fix"
+    code: |
+      jobs:
+        build:
+          # Pin to a specific macOS runner image version that predates the regression.
+          # Check https://github.com/actions/runner-images/releases for available versions.
+          runs-on: macos-15-arm64
+          # Alternatively, use an older pinned version: macos-14 or macos-15-xlarge
+          # when the current macos-latest image has the regression.
+prevention:
+  - "Subscribe to actions/runner-images release notifications to detect image regressions early."
+  - "When hashFiles() fails only on macOS (Linux/Windows succeed), suspect a runner image regression
+     rather than a workflow bug — check the actions/runner-images issue tracker for reports."
+  - "If CI budget allows, run a short nightly workflow that tests hashFiles() on all target OS
+     combinations to detect image regressions before they block your main CI."
+  - "When pinning a runner image version as a workaround, add a TODO comment and a link to the
+     upstream issue so the pin is removed once the fix is released."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#hashfiles"
+    label: "GitHub Actions: hashFiles() expression function"
+  - url: "https://github.com/actions/runner/issues/4134"
+    label: "actions/runner #4134: hashFiles on macOS fails with 'Fail to hash files under directory' (14 reactions, closed Dec 2025)"
+  - url: "https://github.com/actions/runner-images/issues/13341"
+    label: "actions/runner-images #13341: macOS hashFiles regression report (Nov 2025)"

package/errors/silent-failures/reusable-workflow-input-default-bypassed-by-empty-string.yml

@@ -0,0 +1,144 @@
+id: silent-failures-094
+title: "Reusable workflow input default: value silently ignored when caller passes empty string"
+category: silent-failures
+severity: silent-failure
+tags:
+  - reusable-workflow
+  - workflow-call
+  - inputs
+  - default
+  - empty-string
+  - silent-failure
+patterns:
+  - regex: 'on:\s*\n\s*workflow_call:'
+    flags: 'im'
+  - regex: 'inputs\.\w+\.default:'
+    flags: 'i'
+  - regex: 'with:\s*\n(?:\s+\w+:\s*\$\{\{[^}]+\}\}\s*\n)+'
+    flags: 'im'
+error_messages:
+  - "Reusable workflow input default value not used when caller passes empty string"
+  - "Expected default message, got empty string"
+  - "inputs.message is empty even though default is set"
+root_cause: |
+  The default: field in on.workflow_call.inputs is only applied when the input is
+  completely absent (not provided by the caller at all). It is NOT applied when the
+  caller explicitly passes an empty string "".
+
+  A very common pattern is a caller workflow that passes a workflow_dispatch input
+  directly to a reusable workflow:
+
+    # caller.yml
+    on:
+      workflow_dispatch:
+        inputs:
+          message:
+            type: string
+            required: false       # defaults to "" when not provided
+
+    jobs:
+      call:
+        uses: ./.github/workflows/reusable.yml
+        with:
+          message: ${{ inputs.message }}   # passes "" when dispatch runs without input
+
+    # reusable.yml
+    on:
+      workflow_call:
+        inputs:
+          message:
+            type: string
+            default: 'default message'
+
+  When a developer triggers the caller workflow_dispatch without providing the
+  message input, inputs.message resolves to "" (the workflow_dispatch default for
+  unset string inputs). The caller then passes "" to the reusable workflow. The
+  reusable workflow receives "" as an explicitly-provided value, so its own
+  default: 'default message' is never used. The job runs with message = "".
+
+  This is by design: GitHub Actions treats "" as a valid non-absent value. The
+  default: key only activates for truly absent inputs (when with: does not include
+  the key at all). Since ${{ inputs.message }} always resolves to some string (even
+  "", it is always present in the with: block, so the called workflow's default
+  is always bypassed.
+fix: |
+  Move the default value handling to the calling workflow rather than the reusable
+  workflow, using a conditional expression to fall back to the default:
+
+    # caller.yml — handle empty-string fallback here
+    jobs:
+      call:
+        uses: ./.github/workflows/reusable.yml
+        with:
+          message: ${{ inputs.message != '' && inputs.message || 'default message' }}
+
+  Alternatively, handle the fallback inside the reusable workflow steps using an
+  env variable substitution:
+
+    # reusable.yml
+    jobs:
+      run:
+        runs-on: ubuntu-latest
+        env:
+          EFFECTIVE_MESSAGE: ${{ inputs.message != '' && inputs.message || 'default message' }}
+        steps:
+          - run: echo "Message is $EFFECTIVE_MESSAGE"
+
+  Do NOT rely on default: in on.workflow_call.inputs when the caller may pass ""
+  via ${{ inputs.x }} from a workflow_dispatch input.
+fix_code:
+  - language: yaml
+    label: "Apply the default in the caller with a conditional expression (recommended)"
+    code: |
+      # caller.yml
+      on:
+        workflow_dispatch:
+          inputs:
+            message:
+              type: string
+              required: false
+
+      jobs:
+        call:
+          uses: ./.github/workflows/reusable.yml
+          with:
+            # Use || to fall back to default when inputs.message is empty
+            message: ${{ inputs.message != '' && inputs.message || 'default message' }}
+  - language: yaml
+    label: "Apply the fallback inside the reusable workflow using env:"
+    code: |
+      # reusable.yml
+      on:
+        workflow_call:
+          inputs:
+            message:
+              type: string
+              required: false
+              # Note: default: here is bypassed when caller passes ""
+
+      jobs:
+        run:
+          runs-on: ubuntu-latest
+          env:
+            # Handle empty string at job level — inputs.message may be "" not null
+            EFFECTIVE_MESSAGE: ${{ inputs.message != '' && inputs.message || 'default message' }}
+          steps:
+            - name: Use effective message
+              run: echo "Message is $EFFECTIVE_MESSAGE"
+prevention:
+  - "Never place default values only in on.workflow_call.inputs.default when the caller
+     passes the input via ${{ inputs.x }} from a workflow_dispatch — the empty string
+     will always bypass the default."
+  - "Place fallback logic in the caller using '${{ inputs.x != '''''' && inputs.x || ''default'' }}'
+     to handle both absent and empty-string cases."
+  - "If you need the reusable workflow to have its own default, handle it via env: fallback
+     inside the job steps, not via on.workflow_call.inputs.default."
+  - "This behavior stems from GitHub Actions treating \"\" as an explicitly provided string
+     value rather than an absent/null input. Document this distinction for your team."
+docs:
+  - url: "https://docs.github.com/en/actions/sharing-automations/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow"
+    label: "GitHub Actions: Using inputs and secrets in a reusable workflow"
+  - url: "https://github.com/actions/runner/issues/2907"
+    label: "actions/runner #2907: Reusable workflow input default not used when caller passes empty string (16 reactions)"
+  - url: "https://github.com/actions/runner/issues/924"
+    label: "actions/runner #924: Differentiate between input parameter empty or not present (76 reactions, still open)"

package/errors/triggers/pull-request-paths-filter-evaluates-entire-pr-diff-not-latest-commit.yml

@@ -0,0 +1,137 @@
+id: triggers-068
+title: "pull_request paths/paths-ignore filter evaluates entire PR diff, not latest commit"
+category: triggers
+severity: silent-failure
+tags:
+  - paths-filter
+  - paths-ignore
+  - pull_request
+  - three-dot-diff
+  - silent-trigger
+  - monorepo
+patterns:
+  - regex: 'paths-ignore:'
+    flags: 'i'
+  - regex: 'on:\s*\n\s*pull_request:'
+    flags: 'im'
+error_messages:
+  - "Workflow triggers on push to README.md even though README.md is listed in paths-ignore"
+  - "paths-ignore not respected after one commit touches files outside the ignore list"
+  - "Workflow keeps running for all subsequent commits in PR even though only ignored files changed"
+root_cause: |
+  GitHub's paths and paths-ignore filters for pull_request (and pull_request_target)
+  events use a three-dot diff — a comparison between the most recent version of the
+  topic branch HEAD and the commit where the topic branch last diverged from the base
+  branch (the merge base). This diff encompasses ALL files changed across the entire
+  PR, not just the files changed in the most recent commit/push.
+
+  The practical consequence is: once any commit in the PR has touched a file that is
+  NOT in paths-ignore, the three-dot diff permanently includes that file for the
+  lifetime of the PR. All subsequent pushes to the same PR will also trigger the
+  workflow, even if those pushes only modify files listed in paths-ignore.
+
+  Example: a PR starts by pushing a Go source file (triggers the workflow). The
+  developer then pushes a README.md-only commit. Despite README.md being in
+  paths-ignore, the entire PR diff still includes the earlier Go change, so the
+  workflow fires again.
+
+  This behavior is documented under "Git diff comparisons" in the GitHub Actions
+  workflow syntax reference but is widely misunderstood.
+
+  Contrast with push events: push filters only examine files changed in the
+  individual push commit(s), so paths-ignore works as most developers expect.
+fix: |
+  Option 1 — Use dorny/paths-filter to gate job execution at the step/job level
+  based on files changed only in the current push (most reliable workaround):
+
+    jobs:
+      guard:
+        runs-on: ubuntu-latest
+        outputs:
+          changed: ${{ steps.filter.outputs.src }}
+        steps:
+          - uses: actions/checkout@v4
+          - uses: dorny/paths-filter@v3
+            id: filter
+            with:
+              filters: |
+                src:
+                  - 'src/**'
+                  - '!README.md'
+
+      build:
+        needs: guard
+        if: needs.guard.outputs.changed == 'true'
+        runs-on: ubuntu-latest
+        steps:
+          - run: echo "only runs if src changed in latest push"
+
+  Option 2 — Accept that pull_request paths filtering is PR-wide and use it only
+  for coarse-grained "should this workflow category run at all" decisions, not for
+  per-commit granularity.
+
+  Option 3 — Remove paths/paths-ignore from the pull_request trigger entirely and
+  use conditional job-level steps with dorny/paths-filter instead.
+fix_code:
+  - language: yaml
+    label: "Use dorny/paths-filter for per-commit path gating (recommended)"
+    code: |
+      on:
+        pull_request:
+          branches: [main]
+          # No paths/paths-ignore here — filter is done per-commit in the job
+
+      jobs:
+        check-changes:
+          runs-on: ubuntu-latest
+          outputs:
+            src_changed: ${{ steps.filter.outputs.src }}
+          steps:
+            - uses: actions/checkout@v4
+            - uses: dorny/paths-filter@v3
+              id: filter
+              with:
+                filters: |
+                  src:
+                    - 'src/**'
+                    - '*.go'
+                    - '!**/*.md'
+
+        build:
+          needs: check-changes
+          if: needs.check-changes.outputs.src_changed == 'true'
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+            - run: make build
+  - language: yaml
+    label: "What NOT to do — paths-ignore on pull_request silently fails after first non-ignored commit"
+    code: |
+      # This looks correct but DOES NOT work as expected for pull_request events:
+      on:
+        pull_request:
+          paths-ignore:
+            - '**.md'      # <-- evaluated against entire PR diff, not latest push
+            - 'docs/**'
+
+      # After any commit in the PR touches a non-md file, ALL subsequent commits
+      # trigger this workflow, even if those commits only change .md files.
+prevention:
+  - "Do not rely on paths-ignore to prevent a workflow from running on documentation-only
+     follow-up commits in a PR — it only works until any non-ignored file is committed to
+     the PR branch."
+  - "Use dorny/paths-filter or similar per-commit path detection actions instead of workflow-level
+     paths-ignore for pull_request events when per-commit granularity is needed."
+  - "For monorepos, consider separate workflows per component triggered by dorny/paths-filter
+     outputs rather than native paths filters."
+  - "paths-ignore works reliably for push events (single commit diff) — the behavior difference
+     between push and pull_request is a common source of confusion."
+docs:
+  - url: "https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#git-diff-comparisons"
+    label: "GitHub Actions workflow syntax: Git diff comparisons"
+  - url: "https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onpushpull_requestpull_request_targetpathspaths-ignore"
+    label: "GitHub Actions: paths and paths-ignore filter syntax"
+  - url: "https://github.com/actions/runner/issues/2324"
+    label: "actions/runner #2324: on.pull_request.paths-ignore are not respected correctly (64 reactions, still open)"
+  - url: "https://github.com/dorny/paths-filter"
+    label: "dorny/paths-filter — per-commit path change detection action"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.106",
+  "version": "1.0.107",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",