@htekdev/actions-debugger 1.0.109 → 1.0.110

package/errors/runner-environment/arc-runner-v2332-container-github-env-permission-denied.yml

@@ -0,0 +1,117 @@
+id: runner-environment-178
+title: 'ARC Runner v2.332.0 Regression — Container Job GITHUB_ENV and Workspace Permission Denied'
+category: runner-environment
+severity: error
+tags:
+  - arc
+  - actions-runner-controller
+  - container-job
+  - permissions
+  - GITHUB_ENV
+  - non-root
+  - kubernetes
+  - regression
+  - v2.332
+patterns:
+  - regex: 'cannot create /__w/_temp/_runner_file_commands/set_env_[0-9a-f]+: Permission denied'
+    flags: 'i'
+  - regex: 'cannot create /__w/_temp/_runner_file_commands/add_path_[0-9a-f]+: Permission denied'
+    flags: 'i'
+  - regex: 'fatal: detected dubious ownership in repository at .+/__w/'
+    flags: 'i'
+  - regex: '_runner_file_commands.*Permission denied'
+    flags: 'i'
+error_messages:
+  - "/__w/_temp/36e38446.sh: 5: cannot create /__w/_temp/_runner_file_commands/set_env_7bb88aaa: Permission denied"
+  - "fatal: detected dubious ownership in repository at '/__w/repo/repo'"
+  - "/__w/_temp/_runner_file_commands/add_path_: Permission denied"
+root_cause: |
+  Upgrading Actions Runner Controller (ARC) from runner v2.330.0 to v2.332.0
+  introduces a compound regression that breaks container jobs using non-root users.
+
+  The regression spans two runner releases:
+
+  1. v2.331.0 changed the runner container base image from Ubuntu 22.04 to
+     Ubuntu 24.04. The newer base ships git 2.43+ which enforces stricter
+     safe.directory checks. The mounted workspace volume is owned by the runner
+     UID, so a container running as a different non-root UID receives
+     "fatal: detected dubious ownership" on any git operation.
+
+  2. v2.332.0 bumped container hooks to v0.8.1, which updated workspace
+     ownership handling for the runner pod itself — but not for downstream job
+     containers. The _runner_file_commands directory under /__w/_temp/ is
+     still created with runner UID ownership. When a container step writes to
+     $GITHUB_ENV, $GITHUB_OUTPUT, $GITHUB_PATH, or $GITHUB_STEP_SUMMARY via a
+     shell redirect, the shell (running as the container's non-root user) cannot
+     create the file and exits non-zero.
+
+  This regression affects:
+  - ARC-managed self-hosted runners on Kubernetes (EKS, GKE, AKS, on-prem)
+  - Any workflow using `container: image: my-image` with `options: --user <uid>`
+    or a non-root USER in the Dockerfile
+  - Workflows that previously worked on runner v2.330.0 and below
+
+  GitHub-hosted runners (ubuntu-latest, etc.) are NOT affected.
+fix: |
+  If you cannot immediately pin the runner version, add a workaround step at
+  the top of the affected job to fix ownership of the runner file command
+  directories. Alternatively, pin ARC runner images to v2.330.0 until an
+  upstream fix for container hooks is released.
+
+  The most robust long-term fix is to explicitly add the workspace to git's
+  safe.directory list and pre-create the file command directories with the
+  correct ownership.
+fix_code:
+  - language: yaml
+    label: 'Option A — Pre-create _runner_file_commands with container user ownership'
+    code: |
+      jobs:
+        build:
+          runs-on: self-hosted
+          container:
+            image: my-app:latest
+            options: --user 1000
+          steps:
+            - name: Fix runner file command directory ownership (v2.332.0 workaround)
+              # Run as root before any steps that use GITHUB_ENV/GITHUB_OUTPUT
+              run: |
+                chown -R 1000:1000 /__w/_temp/_runner_file_commands/ || true
+                git config --global --add safe.directory /__w/${{ github.repository }}
+              shell: bash
+              # Note: requires container image to have chown available as root
+  - language: yaml
+    label: 'Option B — Pin ARC runner image to v2.330.0 to avoid the regression'
+    code: |
+      # In your ARC HelmRelease or RunnerDeployment spec:
+      # spec:
+      #   template:
+      #     spec:
+      #       containers:
+      #         - name: runner
+      #           image: ghcr.io/actions/actions-runner:2.330.0
+  - language: yaml
+    label: 'Option C — Run container job as root to avoid UID mismatch'
+    code: |
+      jobs:
+        build:
+          runs-on: self-hosted
+          container:
+            image: my-app:latest
+            options: --user root   # avoid UID mismatch until ARC fix ships
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "FOO=bar" >> $GITHUB_ENV
+prevention:
+  - 'Test ARC runner version upgrades in a staging environment before rolling out to production — especially major bumps (v2.330 → v2.332).'
+  - 'Pin container jobs to run as root if your workflow uses GITHUB_ENV, GITHUB_OUTPUT, or GITHUB_PATH writes and you depend on non-root containers.'
+  - 'Subscribe to actions/runner releases and scan for changes to container-hooks between minor versions.'
+  - 'Add a smoke-test workflow that writes to GITHUB_ENV in a non-root container job — run it against each ARC upgrade to catch regressions early.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4302'
+    label: 'actions/runner #4302 — v2.332.0: Container jobs fail with permission denied on GITHUB_ENV and workspace'
+  - url: 'https://github.com/actions/runner/issues/4131'
+    label: 'actions/runner #4131 — Permissions issue on runners v2.330.0 (/home/runner ownership regression)'
+  - url: 'https://github.com/actions/runner/issues/4251'
+    label: 'actions/runner #4251 — TempDirectoryManager fails to clean temp directory (permission denied on v2.331.0)'
+  - url: 'https://github.com/actions/runner-container-hooks/issues/282'
+    label: 'runner-container-hooks #282 — Permissions denied on workingDir'

package/errors/runner-environment/node24-16-toolcache-regression-browser-install-fails.yml

@@ -0,0 +1,109 @@
+id: runner-environment-177
+title: 'Node.js 24.16.0 Toolcache Update Breaks Puppeteer, Playwright, and Cypress Browser Install'
+category: runner-environment
+severity: error
+tags:
+  - nodejs
+  - node24
+  - puppeteer
+  - playwright
+  - cypress
+  - toolcache
+  - browser-install
+  - extract-zip
+  - regression
+patterns:
+  - regex: 'Could not find Chrome \(ver\. \d+\.\d+\.\d+'
+    flags: 'i'
+  - regex: 'npx puppeteer browsers install .+ exited with code [^0]'
+    flags: 'i'
+  - regex: 'browserType\.launch: Executable doesn.t exist at .+/chromium'
+    flags: 'i'
+  - regex: 'Cannot find browser at path.*\.cache/puppeteer'
+    flags: 'i'
+  - regex: 'Failed to install browsers.*extract.*zip'
+    flags: 'i'
+error_messages:
+  - "Error: Could not find Chrome (ver. 146.0.7680.153). This can occur if either 1. you did not perform an installation before running the script (e.g. `npx puppeteer browsers install chrome-headless-shell`) or 2. your cache path is incorrectly configured"
+  - "browserType.launch: Executable doesn't exist at /home/runner/.cache/ms-playwright/chromium-1169/chrome-linux/chrome"
+  - "Error: Failed to install browsers at /home/runner/.cache/ms-playwright"
+root_cause: |
+  The ubuntu-24.04 image update from 20260518.149.1 → 20260525.161.1 bumped the
+  cached Node.js toolcache version from 24.15.0 to 24.16.0. Node.js 24.16.0
+  contains an upstream regression in the readable-stream.destroy() lifecycle
+  that breaks yauzl (a ZIP reading library) and extract-zip which depends on it.
+
+  The affected tools all use @puppeteer/browsers or equivalent ZIP-based browser
+  downloaders internally:
+  - Puppeteer: `npx puppeteer browsers install chrome-headless-shell`
+  - Playwright: `npx playwright install chromium` / `npx playwright install --with-deps`
+  - Cypress: `npx cypress install`
+
+  The ZIP archive download completes successfully and the partial extraction
+  begins, but the stream destroy bug causes yauzl to exit before all entries
+  are written. The browser binary never lands on disk. The browser installer
+  exits 0 (or a non-descriptive exit code) and the next step fails with
+  "Could not find Chrome at path..." or a missing executable error.
+
+  Root upstream issues:
+  - https://github.com/nodejs/node/issues/63487 (yauzl/extract-zip hang / partial extraction)
+  - https://github.com/nodejs/node/issues/63638 (libuv regression on Windows)
+
+  Because actions/setup-node resolves to the cached Node.js 24.16.0 when
+  node-version: '24' or node-version: '24.x' is specified (or when using the
+  default runner-baked Node 24 on ubuntu-24.04), every workflow that installs
+  a browser via these tools is affected until Node.js 24.17.0 ships a fix.
+fix: |
+  Pin Node.js to 24.15.0 (the last known-good version) via actions/setup-node
+  until Node.js 24.17.0 is published and rolled into the runner toolcache.
+
+  If your workflow does not strictly require Node.js 24, fall back to Node.js 22
+  (the runner image default), which is unaffected by this regression.
+
+  Do NOT use node-version: '24' or node-version: 'latest' until the upstream
+  fix lands in Node.js 24.17.0.
+fix_code:
+  - language: yaml
+    label: 'Option A — Pin Node.js to 24.15.0 (last known-good release)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'   # pin until Node 24.17.0 fixes readable-stream regression
+            cache: 'npm'
+
+        - name: Install Puppeteer Chrome
+          run: npx puppeteer browsers install chrome-headless-shell
+  - language: yaml
+    label: 'Option B — Fall back to Node.js 22 (unaffected)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '22'        # LTS, not affected by readable-stream regression
+            cache: 'npm'
+
+        - name: Install Playwright browsers
+          run: npx playwright install --with-deps chromium
+  - language: yaml
+    label: 'Option C — Pin Playwright install to avoid extract-zip entirely (Playwright only)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'
+        - uses: microsoft/playwright-github-action@v1   # uses pre-installed image browsers
+prevention:
+  - 'Pin node-version to a specific patch (e.g. 24.15.0) rather than a major/minor range in workflows that install browser binaries via npx commands.'
+  - 'After bumping Node.js versions, verify browser install steps succeed by checking the binary path explicitly with `ls -la ~/.cache/puppeteer` or equivalent before running tests.'
+  - 'Subscribe to actions/runner-images releases to catch toolcache updates that may include Node.js patch regressions.'
+  - 'For Playwright, prefer `npx playwright install --with-deps` combined with an explicit Node.js pin rather than relying on runner-image cached Node versions.'
+docs:
+  - url: 'https://github.com/actions/runner-images/issues/14173'
+    label: 'runner-images #14173 — Puppeteer broken in Ubuntu 24.04 version 20260525.161.1'
+  - url: 'https://github.com/nodejs/node/issues/63487'
+    label: 'nodejs/node #63487 — yauzl/extract-zip hang and partial extraction (readable-stream regression)'
+  - url: 'https://github.com/nodejs/node/issues/63638'
+    label: 'nodejs/node #63638 — libuv regression in Node.js 24.16.0'
+  - url: 'https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20260525.161'
+    label: 'runner-images ubuntu24/20260525.161 release — Node.js toolcache bumped 24.15.0 → 24.16.0'

package/errors/silent-failures/setup-node-falls-through-wrong-version-on-download-failure.yml

@@ -0,0 +1,112 @@
+id: silent-failures-097
+title: 'setup-node Silently Uses Runner-Baked Node Version When Download Fails — Wrong Version Active'
+category: silent-failures
+severity: silent-failure
+tags:
+  - setup-node
+  - nodejs
+  - download-failure
+  - silent-failure
+  - wrong-version
+  - toolcache
+  - hosted-runner
+  - fallthrough
+patterns:
+  - regex: 'Attempting to download \d+\.\d+\.\d+\.\.\.'
+    flags: 'i'
+  - regex: 'Cannot find module.*engines.*node.*>=\s*24'
+    flags: 'i'
+  - regex: 'The engine .node. is incompatible with this module\. Expected version .+\. Got .2[0-2]\.'
+    flags: 'i'
+  - regex: 'ELIFECYCLE.*node --version.*v2[0-2]\.'
+    flags: 'i'
+error_messages:
+  - "Attempting to download 24.15.0..."
+  - "error: The engine 'node' is incompatible with this module. Expected version '>=24.0.0'. Got '22.14.0'"
+  - "npm ERR! code ELIFECYCLE"
+  - "Error: Cannot find module 'node:crypto' (Node.js version too old)"
+root_cause: |
+  When actions/setup-node's download or extract path fails transiently —
+  network blip, manifest miss, partial extract from a concurrent toolcache
+  write, or a transient S3/CDN cache failure — the action does not surface the
+  error. Instead, it falls back to a secondary download path. If that secondary
+  path also fails or returns an unusable toolPath, setup-node adds an empty or
+  incorrect directory to PATH and exits 0 (success).
+
+  Because the setup-node step succeeds, the runner-baked Node.js version
+  (e.g. v22.x on ubuntu-latest after the Node 20 removal) remains on PATH.
+  Downstream steps execute against the wrong Node.js major version with no
+  indication that setup-node did not install the requested version.
+
+  The mechanism (in official_builds.ts, as of 2026-05-21):
+  - Download/extract errors are logged via core.info(), not core.warning()
+    or core.error(), so they are buried in normal output
+  - After the fallback download attempt, there is no post-condition check
+    that verifies node --version matches the requested version
+  - core.addPath() is called even if toolPath/bin is empty or stale
+
+  Reported failing run: https://github.com/n8n-io/n8n/actions/runs/26100630929
+  The run showed "Attempting to download 24.15.0..." → 33 seconds of silence →
+  next step ran against runner-baked v20.20.0 with no error from setup-node.
+
+  This is distinct from silent-failures-028 which covers self-hosted runners
+  where node is completely absent (node: not found). This entry covers hosted
+  runners where the wrong version is silently active and node IS found.
+
+  Root upstream issue: actions/toolkit#804 — concurrent toolcache writes create
+  partial extracts that pass path existence checks.
+fix: |
+  Add an explicit node --version verification step immediately after setup-node
+  and fail the job if the version does not match. This is the external workaround
+  used by affected projects (e.g., n8n/n8n PR #30849).
+
+  Until actions/setup-node ships a built-in post-install assertion, this
+  workflow-level guard is the only reliable way to catch the silent fallthrough.
+fix_code:
+  - language: yaml
+    label: 'Add explicit version verification after setup-node'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24'
+            cache: 'npm'
+
+        - name: Verify Node.js version
+          shell: bash
+          run: |
+            ACTUAL=$(node --version)
+            EXPECTED_MAJOR="24"
+            if [[ "$ACTUAL" != v${EXPECTED_MAJOR}.* ]]; then
+              echo "::error::setup-node installed Node ${EXPECTED_MAJOR} but \`node --version\` reports $ACTUAL"
+              echo "::error::This usually indicates a transient download failure or partial toolcache extract."
+              exit 1
+            fi
+            echo "Node.js version confirmed: $ACTUAL"
+
+        - name: Install dependencies
+          run: npm ci
+  - language: yaml
+    label: 'Pin to exact patch version to reduce toolcache misses'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'   # exact pin reduces manifest/toolcache lookup failures
+            cache: 'npm'
+
+        - name: Verify Node.js version (belt-and-suspenders)
+          run: |
+            node --version | grep -E '^v24\.15\.' || (echo "Wrong Node version" && exit 1)
+prevention:
+  - 'Always verify node --version matches the requested major after setup-node, especially in workflows that depend on Node.js 24+ features or native modules.'
+  - 'Pin to an exact patch version (e.g. 24.15.0) rather than a range (24.x) to avoid unexpected toolcache miss fallbacks.'
+  - 'If you see "Attempting to download X.Y.Z..." followed by an unusually long pause in setup-node output, the download may have stalled and the fallback path may be active.'
+  - 'Watch setup-node releases for a built-in post-install assertion fix (tracked in actions/setup-node#1556 and actions/toolkit#804).'
+docs:
+  - url: 'https://github.com/actions/setup-node/issues/1556'
+    label: 'setup-node #1556 — setup-node silently falls through to runner-baked Node on download/extract failure'
+  - url: 'https://github.com/actions/toolkit/issues/804'
+    label: 'actions/toolkit #804 — Concurrent toolcache writes cause partial extracts on multi-tenant runners'
+  - url: 'https://github.com/n8n-io/n8n/pull/30849'
+    label: 'n8n/n8n PR #30849 — External Verify Node.js Version workaround'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.109",
+  "version": "1.0.110",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",