@htekdev/actions-debugger 1.0.109 → 1.0.111

package/errors/known-unsolved/ephemeral-jit-runner-lost-communication-false-positive.yml

@@ -0,0 +1,93 @@
+id: known-unsolved-058
+title: 'Ephemeral JIT Runner Reports "Lost Communication" Despite Successful Job Completion'
+category: known-unsolved
+severity: error
+tags:
+  - self-hosted
+  - ephemeral
+  - jit-runner
+  - lost-communication
+  - false-positive
+  - broker
+patterns:
+  - regex: 'The self-hosted runner lost communication with the server'
+    flags: 'i'
+  - regex: 'messageQueueLoopTokenSource|Stop message queue looping'
+    flags: 'i'
+error_messages:
+  - 'The self-hosted runner lost communication with the server'
+  - 'GET request to broker.actions.githubusercontent.com/message ... has been cancelled'
+  - 'TaskCanceledException: The operation was canceled'
+root_cause: |
+  In Runner.cs line 576, after a one-time-use (ephemeral/JIT) job completes, the message queue
+  is cancelled immediately with zero grace period:
+
+    messageQueueLoopTokenSource.Cancel();
+
+  This tears down the in-flight broker long-poll (GET broker.actions.githubusercontent.com/message)
+  immediately after CompleteJobAsync returns. GitHub's broker health monitor detects the TCP
+  disconnect and flags the runner as "lost communication" — racing against the pipeline service
+  that just received the successful completion.
+
+  Two independent GitHub backend systems race:
+  1. Pipeline service — received CompleteJobAsync, knows the job succeeded
+  2. Broker health monitor — sees TCP disconnect, flags runner as "lost communication"
+
+  When the broker monitor wins (which happens on ~5-10% of short jobs), the UI shows
+  "The self-hosted runner lost communication with the server" even though the worker exited
+  with code 100 (success) and the runner itself exited with return code 0.
+
+  The runner logs show all events at identical timestamps — zero delay between
+  "Received job status event. JobState: Online" and "messageQueueLoopTokenSource.Cancel()".
+
+  No user-side configuration can fix this. A code change to Runner.cs is required
+  (add ~5s grace delay before cancel). Source: actions/runner#4309 (March 2026, open bug,
+  affects runner v2.331.0+, ~5-10% failure rate on short ephemeral jobs).
+fix: |
+  There is no user-side configuration fix. The root cause is a zero-grace-period teardown
+  in Runner.cs that must be patched by GitHub.
+
+  Mitigations:
+  1. Verify the diagnostic logs — the job actually succeeded. Check _diag/Runner_*.log
+     for "return code 0" and "result: Succeeded" to confirm before concluding failure.
+  2. Retry the failed job — the "lost communication" is a false positive; re-running
+     produces a clean success.
+  3. Do not use ephemeral JIT runners as required status checks until actions/runner#4309
+     is resolved, or implement a workflow-level retry wrapper.
+  4. Alert on job result=="failure" not on "lost communication" text alone — false positives
+     from this race should not page on-call engineers.
+  5. Batch small jobs — the race is more likely on jobs shorter than 60 seconds. Combining
+     work into longer-running jobs reduces false positive frequency.
+fix_code:
+  - language: yaml
+    label: 'Confirm false positive by reading runner diagnostic log before retrying'
+    code: |
+      # After "lost communication" on an ephemeral JIT runner, check:
+      # _diag/Runner_YYYYMMDD-hhmmss-utc.log
+      #
+      # Successful completion signs (all at identical timestamps):
+      #   [INFO] finish job request for job {id} with result: Succeeded
+      #   [INFO] Job X completed with result: Succeeded
+      #   [INFO] Received job status event. JobState: Online
+      #   [INFO] Runner execution has finished with return code 0
+      #
+      # If these appear immediately before TaskCanceledException, the job DID succeed.
+      # Simply re-run the workflow — the retry will show a clean green result.
+      jobs:
+        build:
+          runs-on: [self-hosted, ephemeral, linux]
+          # Note: retry-on-failure logic can wrap this job in the caller:
+          steps:
+            - uses: actions/checkout@v4
+            - run: make build
+prevention:
+  - 'Treat "lost communication" on ephemeral JIT runners as a potential false positive — check _diag/Runner_*.log for "return code 0" before escalating.'
+  - 'Do not gate required status checks on ephemeral JIT runners until actions/runner#4309 is resolved upstream.'
+  - 'Alert on job result=="failure", not on the "lost communication" message text alone.'
+  - 'Batch work into longer jobs (>60s total) to reduce the broker teardown race frequency.'
+  - 'Watch actions/runner#4309 for an upstream fix (proposed: 5-second grace period before messageQueueLoopTokenSource.Cancel()).'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4309'
+    label: 'actions/runner#4309: Ephemeral/JIT runner reports "lost communication" despite successful completion (March 2026)'
+  - url: 'https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-just-in-time-runners'
+    label: 'GitHub Docs: Just-in-time (JIT) runners'

package/errors/runner-environment/arc-runner-v2332-container-github-env-permission-denied.yml

@@ -0,0 +1,117 @@
+id: runner-environment-178
+title: 'ARC Runner v2.332.0 Regression — Container Job GITHUB_ENV and Workspace Permission Denied'
+category: runner-environment
+severity: error
+tags:
+  - arc
+  - actions-runner-controller
+  - container-job
+  - permissions
+  - GITHUB_ENV
+  - non-root
+  - kubernetes
+  - regression
+  - v2.332
+patterns:
+  - regex: 'cannot create /__w/_temp/_runner_file_commands/set_env_[0-9a-f]+: Permission denied'
+    flags: 'i'
+  - regex: 'cannot create /__w/_temp/_runner_file_commands/add_path_[0-9a-f]+: Permission denied'
+    flags: 'i'
+  - regex: 'fatal: detected dubious ownership in repository at .+/__w/'
+    flags: 'i'
+  - regex: '_runner_file_commands.*Permission denied'
+    flags: 'i'
+error_messages:
+  - "/__w/_temp/36e38446.sh: 5: cannot create /__w/_temp/_runner_file_commands/set_env_7bb88aaa: Permission denied"
+  - "fatal: detected dubious ownership in repository at '/__w/repo/repo'"
+  - "/__w/_temp/_runner_file_commands/add_path_: Permission denied"
+root_cause: |
+  Upgrading Actions Runner Controller (ARC) from runner v2.330.0 to v2.332.0
+  introduces a compound regression that breaks container jobs using non-root users.
+
+  The regression spans two runner releases:
+
+  1. v2.331.0 changed the runner container base image from Ubuntu 22.04 to
+     Ubuntu 24.04. The newer base ships git 2.43+ which enforces stricter
+     safe.directory checks. The mounted workspace volume is owned by the runner
+     UID, so a container running as a different non-root UID receives
+     "fatal: detected dubious ownership" on any git operation.
+
+  2. v2.332.0 bumped container hooks to v0.8.1, which updated workspace
+     ownership handling for the runner pod itself — but not for downstream job
+     containers. The _runner_file_commands directory under /__w/_temp/ is
+     still created with runner UID ownership. When a container step writes to
+     $GITHUB_ENV, $GITHUB_OUTPUT, $GITHUB_PATH, or $GITHUB_STEP_SUMMARY via a
+     shell redirect, the shell (running as the container's non-root user) cannot
+     create the file and exits non-zero.
+
+  This regression affects:
+  - ARC-managed self-hosted runners on Kubernetes (EKS, GKE, AKS, on-prem)
+  - Any workflow using `container: image: my-image` with `options: --user <uid>`
+    or a non-root USER in the Dockerfile
+  - Workflows that previously worked on runner v2.330.0 and below
+
+  GitHub-hosted runners (ubuntu-latest, etc.) are NOT affected.
+fix: |
+  If you cannot immediately pin the runner version, add a workaround step at
+  the top of the affected job to fix ownership of the runner file command
+  directories. Alternatively, pin ARC runner images to v2.330.0 until an
+  upstream fix for container hooks is released.
+
+  The most robust long-term fix is to explicitly add the workspace to git's
+  safe.directory list and pre-create the file command directories with the
+  correct ownership.
+fix_code:
+  - language: yaml
+    label: 'Option A — Pre-create _runner_file_commands with container user ownership'
+    code: |
+      jobs:
+        build:
+          runs-on: self-hosted
+          container:
+            image: my-app:latest
+            options: --user 1000
+          steps:
+            - name: Fix runner file command directory ownership (v2.332.0 workaround)
+              # Run as root before any steps that use GITHUB_ENV/GITHUB_OUTPUT
+              run: |
+                chown -R 1000:1000 /__w/_temp/_runner_file_commands/ || true
+                git config --global --add safe.directory /__w/${{ github.repository }}
+              shell: bash
+              # Note: requires container image to have chown available as root
+  - language: yaml
+    label: 'Option B — Pin ARC runner image to v2.330.0 to avoid the regression'
+    code: |
+      # In your ARC HelmRelease or RunnerDeployment spec:
+      # spec:
+      #   template:
+      #     spec:
+      #       containers:
+      #         - name: runner
+      #           image: ghcr.io/actions/actions-runner:2.330.0
+  - language: yaml
+    label: 'Option C — Run container job as root to avoid UID mismatch'
+    code: |
+      jobs:
+        build:
+          runs-on: self-hosted
+          container:
+            image: my-app:latest
+            options: --user root   # avoid UID mismatch until ARC fix ships
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "FOO=bar" >> $GITHUB_ENV
+prevention:
+  - 'Test ARC runner version upgrades in a staging environment before rolling out to production — especially major bumps (v2.330 → v2.332).'
+  - 'Pin container jobs to run as root if your workflow uses GITHUB_ENV, GITHUB_OUTPUT, or GITHUB_PATH writes and you depend on non-root containers.'
+  - 'Subscribe to actions/runner releases and scan for changes to container-hooks between minor versions.'
+  - 'Add a smoke-test workflow that writes to GITHUB_ENV in a non-root container job — run it against each ARC upgrade to catch regressions early.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4302'
+    label: 'actions/runner #4302 — v2.332.0: Container jobs fail with permission denied on GITHUB_ENV and workspace'
+  - url: 'https://github.com/actions/runner/issues/4131'
+    label: 'actions/runner #4131 — Permissions issue on runners v2.330.0 (/home/runner ownership regression)'
+  - url: 'https://github.com/actions/runner/issues/4251'
+    label: 'actions/runner #4251 — TempDirectoryManager fails to clean temp directory (permission denied on v2.331.0)'
+  - url: 'https://github.com/actions/runner-container-hooks/issues/282'
+    label: 'runner-container-hooks #282 — Permissions denied on workingDir'

package/errors/runner-environment/node24-16-toolcache-regression-browser-install-fails.yml

@@ -0,0 +1,109 @@
+id: runner-environment-177
+title: 'Node.js 24.16.0 Toolcache Update Breaks Puppeteer, Playwright, and Cypress Browser Install'
+category: runner-environment
+severity: error
+tags:
+  - nodejs
+  - node24
+  - puppeteer
+  - playwright
+  - cypress
+  - toolcache
+  - browser-install
+  - extract-zip
+  - regression
+patterns:
+  - regex: 'Could not find Chrome \(ver\. \d+\.\d+\.\d+'
+    flags: 'i'
+  - regex: 'npx puppeteer browsers install .+ exited with code [^0]'
+    flags: 'i'
+  - regex: 'browserType\.launch: Executable doesn.t exist at .+/chromium'
+    flags: 'i'
+  - regex: 'Cannot find browser at path.*\.cache/puppeteer'
+    flags: 'i'
+  - regex: 'Failed to install browsers.*extract.*zip'
+    flags: 'i'
+error_messages:
+  - "Error: Could not find Chrome (ver. 146.0.7680.153). This can occur if either 1. you did not perform an installation before running the script (e.g. `npx puppeteer browsers install chrome-headless-shell`) or 2. your cache path is incorrectly configured"
+  - "browserType.launch: Executable doesn't exist at /home/runner/.cache/ms-playwright/chromium-1169/chrome-linux/chrome"
+  - "Error: Failed to install browsers at /home/runner/.cache/ms-playwright"
+root_cause: |
+  The ubuntu-24.04 image update from 20260518.149.1 → 20260525.161.1 bumped the
+  cached Node.js toolcache version from 24.15.0 to 24.16.0. Node.js 24.16.0
+  contains an upstream regression in the readable-stream.destroy() lifecycle
+  that breaks yauzl (a ZIP reading library) and extract-zip which depends on it.
+
+  The affected tools all use @puppeteer/browsers or equivalent ZIP-based browser
+  downloaders internally:
+  - Puppeteer: `npx puppeteer browsers install chrome-headless-shell`
+  - Playwright: `npx playwright install chromium` / `npx playwright install --with-deps`
+  - Cypress: `npx cypress install`
+
+  The ZIP archive download completes successfully and the partial extraction
+  begins, but the stream destroy bug causes yauzl to exit before all entries
+  are written. The browser binary never lands on disk. The browser installer
+  exits 0 (or a non-descriptive exit code) and the next step fails with
+  "Could not find Chrome at path..." or a missing executable error.
+
+  Root upstream issues:
+  - https://github.com/nodejs/node/issues/63487 (yauzl/extract-zip hang / partial extraction)
+  - https://github.com/nodejs/node/issues/63638 (libuv regression on Windows)
+
+  Because actions/setup-node resolves to the cached Node.js 24.16.0 when
+  node-version: '24' or node-version: '24.x' is specified (or when using the
+  default runner-baked Node 24 on ubuntu-24.04), every workflow that installs
+  a browser via these tools is affected until Node.js 24.17.0 ships a fix.
+fix: |
+  Pin Node.js to 24.15.0 (the last known-good version) via actions/setup-node
+  until Node.js 24.17.0 is published and rolled into the runner toolcache.
+
+  If your workflow does not strictly require Node.js 24, fall back to Node.js 22
+  (the runner image default), which is unaffected by this regression.
+
+  Do NOT use node-version: '24' or node-version: 'latest' until the upstream
+  fix lands in Node.js 24.17.0.
+fix_code:
+  - language: yaml
+    label: 'Option A — Pin Node.js to 24.15.0 (last known-good release)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'   # pin until Node 24.17.0 fixes readable-stream regression
+            cache: 'npm'
+
+        - name: Install Puppeteer Chrome
+          run: npx puppeteer browsers install chrome-headless-shell
+  - language: yaml
+    label: 'Option B — Fall back to Node.js 22 (unaffected)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '22'        # LTS, not affected by readable-stream regression
+            cache: 'npm'
+
+        - name: Install Playwright browsers
+          run: npx playwright install --with-deps chromium
+  - language: yaml
+    label: 'Option C — Pin Playwright install to avoid extract-zip entirely (Playwright only)'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'
+        - uses: microsoft/playwright-github-action@v1   # uses pre-installed image browsers
+prevention:
+  - 'Pin node-version to a specific patch (e.g. 24.15.0) rather than a major/minor range in workflows that install browser binaries via npx commands.'
+  - 'After bumping Node.js versions, verify browser install steps succeed by checking the binary path explicitly with `ls -la ~/.cache/puppeteer` or equivalent before running tests.'
+  - 'Subscribe to actions/runner-images releases to catch toolcache updates that may include Node.js patch regressions.'
+  - 'For Playwright, prefer `npx playwright install --with-deps` combined with an explicit Node.js pin rather than relying on runner-image cached Node versions.'
+docs:
+  - url: 'https://github.com/actions/runner-images/issues/14173'
+    label: 'runner-images #14173 — Puppeteer broken in Ubuntu 24.04 version 20260525.161.1'
+  - url: 'https://github.com/nodejs/node/issues/63487'
+    label: 'nodejs/node #63487 — yauzl/extract-zip hang and partial extraction (readable-stream regression)'
+  - url: 'https://github.com/nodejs/node/issues/63638'
+    label: 'nodejs/node #63638 — libuv regression in Node.js 24.16.0'
+  - url: 'https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20260525.161'
+    label: 'runner-images ubuntu24/20260525.161 release — Node.js toolcache bumped 24.15.0 → 24.16.0'

package/errors/runner-environment/runner-registration-token-502-burst.yml

@@ -0,0 +1,102 @@
+id: runner-environment-179
+title: 'Runner Registration Token Endpoint Returns 502 Under Concurrent Spawn Bursts'
+category: runner-environment
+severity: error
+tags:
+  - self-hosted
+  - ephemeral
+  - registration
+  - autoscaler
+  - burst
+  - 502
+patterns:
+  - regex: 'HTTP Error 502: Bad Gateway'
+    flags: 'i'
+  - regex: 'registration-token.*502|502.*Bad Gateway.*registration'
+    flags: 'i'
+  - regex: 'HTTPError.*502|urlopen error.*502'
+    flags: 'i'
+error_messages:
+  - 'HTTP Error 502: Bad Gateway'
+  - 'urllib.error.HTTPError: HTTP Error 502: Bad Gateway'
+  - 'POST https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token — 502'
+root_cause: |
+  GitHub REST endpoint:
+    POST https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token
+
+  returns HTTP 502 Bad Gateway under burst load when many ephemeral runners attempt to
+  register concurrently (e.g., triggered by webhook-driven autoscalers on workflow_job.queued
+  events). The burst saturates the GitHub backend's registration token issuer.
+
+  The reference runner setup scripts (run.sh / config.sh flow) do NOT retry 5xx responses —
+  a single transient 502 causes the container to exit immediately before registration completes.
+  For ephemeral autoscaler setups (Modal, Lambda, Kubernetes pod-per-job), the container slot
+  is burned and no runner is available for the queued job.
+
+  Phantom containers accumulate: the autoscaler billed for the container, GitHub never received
+  a registration, and the autoscaler's max_containers cap can be held by dead slots — stalling
+  the merge queue for hours.
+
+  Source: actions/runner#4399 (May 2026, open issue, observed during 20+ concurrent registrations
+  — ~21 phantom containers during a webhook-driven burst at ~16:00-17:00 UTC on 2026-05-04).
+fix: |
+  1. Add exponential backoff to your registration token call (4 attempts, 2^n second delays).
+  2. Stagger autoscaler spawns with per-container random jitter (0-10 seconds) to break up
+     concurrent registration bursts before they hit the endpoint simultaneously.
+  3. Switch to JIT runner tokens — they are pre-assigned per job and do not require a burst-
+     sensitive registration token call:
+       POST /repos/{owner}/{repo}/actions/runners/generate-jitconfig
+  4. Reduce max_concurrent_spawns in your autoscaler to limit peak registration load.
+  5. Implement phantom container detection: health-check containers shortly after spawn and
+     kill any that failed to register within N seconds.
+fix_code:
+  - language: yaml
+    label: 'Python — retry-with-backoff on 502 when minting registration token'
+    code: |
+      import time, json, urllib.request, urllib.error
+
+      def mint_registration_token(owner, repo, github_token):
+          url = f"https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token"
+          headers = {
+              "Authorization": f"token {github_token}",
+              "Accept": "application/vnd.github+json",
+              "X-GitHub-Api-Version": "2022-11-28",
+          }
+          for attempt in range(4):
+              try:
+                  req = urllib.request.Request(url, method="POST", headers=headers)
+                  with urllib.request.urlopen(req, timeout=15) as resp:
+                      return json.load(resp)["token"]
+              except urllib.error.HTTPError as e:
+                  if 500 <= e.code < 600 and attempt < 3:
+                      delay = 2 ** attempt  # 1s, 2s, 4s
+                      print(f"Registration token {e.code}, retrying in {delay}s (attempt {attempt+1}/4)...")
+                      time.sleep(delay)
+                      continue
+                  raise
+  - language: yaml
+    label: 'Autoscaler — add random jitter per container spawn to break up burst'
+    code: |
+      import asyncio, random
+
+      async def handle_workflow_job_queued(event):
+          # Stagger spawns: random delay 0-10s reduces simultaneous token requests
+          jitter = random.uniform(0, 10)
+          await asyncio.sleep(jitter)
+          token = await mint_registration_token(owner, repo, github_token)
+          await spawn_ephemeral_container(token)
+prevention:
+  - 'Add exponential backoff (4 attempts, 2^n seconds) for 5xx responses in all registration token calls.'
+  - 'Add random per-container spawn jitter (0-10s) in your autoscaler to break up concurrent registration bursts.'
+  - 'Switch to JIT runner tokens (generate-jitconfig) for burst autoscaler workloads — they do not hit the burst-sensitive registration endpoint.'
+  - 'Monitor for phantom containers: any container that does not show as registered within 60 seconds of spawn should be terminated.'
+  - 'Cap max_concurrent_spawns conservatively (≤10) and tune based on observed 502 rates.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4399'
+    label: 'actions/runner#4399: Registration token endpoint returns 502 in bursts (May 2026)'
+  - url: 'https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-a-repository'
+    label: 'GitHub REST API: Create a registration token for a repository'
+  - url: 'https://docs.github.com/en/rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-a-repository'
+    label: 'GitHub REST API: Create JIT runner config (avoids burst-sensitive registration token)'
+  - url: 'https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners'
+    label: 'GitHub Docs: Autoscaling with self-hosted runners'

package/errors/silent-failures/matrix-array-in-object-serialized-as-Array-string.yml

@@ -0,0 +1,127 @@
+id: silent-failures-098
+title: 'Matrix Array Output Nested in Object Property Serializes as "Array" String'
+category: silent-failures
+severity: silent-failure
+tags:
+  - matrix
+  - fromJSON
+  - job-outputs
+  - dynamic-matrix
+  - strategy
+  - serialization
+patterns:
+  - regex: '\bArray\b'
+    flags: ''
+  - regex: 'fromJSON\s*\(.*outputs\.[a-zA-Z_]+'
+    flags: 'i'
+error_messages:
+  - 'rhel Array'
+  - 'debian Array'
+  - 'distro = Array'
+  - 'component.distro: Array'
+root_cause: |
+  When a job output containing a JSON array string (e.g. '["el8","el9"]') is passed via
+  fromJSON() as a VALUE inside a matrix OBJECT property, the GitHub Actions expression engine
+  coerces the array to a string using JavaScript Array.prototype.toString(), which produces
+  the literal word "Array" instead of the array elements.
+
+  This happens because the matrix strategy parser evaluates object property values as strings
+  at expansion time. When fromJSON() returns a JavaScript array, the matrix serialization path
+  calls .toString() instead of expanding into multiple jobs.
+
+  The bug only triggers when the array is nested INSIDE an object:
+
+    # BROKEN — array inside object property
+    strategy:
+      matrix:
+        component:
+          - name: rhel
+            distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+            # ^ distro becomes the string "Array", not ["el8","el9"]
+
+  The same fromJSON() call works correctly at the TOP LEVEL of the matrix:
+
+    # WORKS — array at top level dimension
+    strategy:
+      matrix:
+        distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+
+  The job does NOT fail — it silently runs with matrix.component.distro set to "Array",
+  producing wrong build targets with no error or warning.
+
+  Source: actions/runner#3794 (April 2025, labeled bug, open as of April 2026 after stale
+  cycle — author confirmed still broken).
+fix: |
+  Restructure the matrix to avoid placing fromJSON() array outputs inside object properties.
+
+  Option 1 — Pre-compute the full cross-product as a JSON array of objects in the matrix-
+  generating job and pass it as a single fromJSON() at the include level.
+
+  Option 2 — Use separate top-level matrix dimensions instead of grouping into objects.
+
+  If object grouping is required for semantic reasons, flatten the arrays at generation time
+  using jq and emit a fully-expanded JSON array of objects from the setup step.
+fix_code:
+  - language: yaml
+    label: 'Workaround — pre-compute full matrix as JSON array, expand via include'
+    code: |
+      jobs:
+        define-matrix:
+          runs-on: ubuntu-latest
+          outputs:
+            matrix: ${{ steps.build.outputs.matrix }}
+          steps:
+            - id: build
+              run: |
+                # Build the full cross-product as a JSON array of objects
+                matrix=$(jq -nc '[
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"rhel","distro":"el8"},
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"rhel","distro":"el9"},
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"debian","distro":"focal"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"rhel","distro":"el8"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"rhel","distro":"el9"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"debian","distro":"focal"}
+                ]')
+                echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
+        build:
+          needs: define-matrix
+          runs-on: ${{ matrix.runner }}
+          strategy:
+            matrix:
+              include: ${{ fromJSON(needs.define-matrix.outputs.matrix) }}
+          steps:
+            - run: echo "${{ matrix.component }} ${{ matrix.distro }} on ${{ matrix.arch }}"
+  - language: yaml
+    label: 'Debug step — detect "Array" serialization early'
+    code: |
+      jobs:
+        build:
+          needs: define-matrix
+          runs-on: ubuntu-latest
+          strategy:
+            matrix:
+              # Use top-level dimensions — arrays work at this level
+              distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+              arch: [x86_64, aarch64]
+          steps:
+            - name: Verify matrix values are not "Array"
+              run: |
+                DISTRO="${{ matrix.distro }}"
+                if [ "$DISTRO" = "Array" ]; then
+                  echo "::error::matrix.distro serialized as 'Array' — fromJSON() inside object bug"
+                  exit 1
+                fi
+                echo "distro=$DISTRO"
+prevention:
+  - 'Never place fromJSON() array outputs as values inside matrix object properties — use top-level dimensions or pre-computed include arrays.'
+  - 'Add a guard step that fails if any matrix value equals the string "Array" to catch this bug early.'
+  - 'Generate complex multi-dimensional matrix shapes in the setup job as a single JSON array, then expand via include: ${{ fromJSON(...) }}.'
+  - 'Track actions/runner#3794 for an upstream fix to the matrix object property serialization bug.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/3794'
+    label: 'actions/runner#3794: array outputs not understood by matrix when nested inside object (April 2025, open)'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow'
+    label: 'GitHub Docs: Using a matrix for your jobs'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#fromjson'
+    label: 'GitHub Docs: fromJSON expression function'

package/errors/silent-failures/setup-node-falls-through-wrong-version-on-download-failure.yml

@@ -0,0 +1,112 @@
+id: silent-failures-097
+title: 'setup-node Silently Uses Runner-Baked Node Version When Download Fails — Wrong Version Active'
+category: silent-failures
+severity: silent-failure
+tags:
+  - setup-node
+  - nodejs
+  - download-failure
+  - silent-failure
+  - wrong-version
+  - toolcache
+  - hosted-runner
+  - fallthrough
+patterns:
+  - regex: 'Attempting to download \d+\.\d+\.\d+\.\.\.'
+    flags: 'i'
+  - regex: 'Cannot find module.*engines.*node.*>=\s*24'
+    flags: 'i'
+  - regex: 'The engine .node. is incompatible with this module\. Expected version .+\. Got .2[0-2]\.'
+    flags: 'i'
+  - regex: 'ELIFECYCLE.*node --version.*v2[0-2]\.'
+    flags: 'i'
+error_messages:
+  - "Attempting to download 24.15.0..."
+  - "error: The engine 'node' is incompatible with this module. Expected version '>=24.0.0'. Got '22.14.0'"
+  - "npm ERR! code ELIFECYCLE"
+  - "Error: Cannot find module 'node:crypto' (Node.js version too old)"
+root_cause: |
+  When actions/setup-node's download or extract path fails transiently —
+  network blip, manifest miss, partial extract from a concurrent toolcache
+  write, or a transient S3/CDN cache failure — the action does not surface the
+  error. Instead, it falls back to a secondary download path. If that secondary
+  path also fails or returns an unusable toolPath, setup-node adds an empty or
+  incorrect directory to PATH and exits 0 (success).
+
+  Because the setup-node step succeeds, the runner-baked Node.js version
+  (e.g. v22.x on ubuntu-latest after the Node 20 removal) remains on PATH.
+  Downstream steps execute against the wrong Node.js major version with no
+  indication that setup-node did not install the requested version.
+
+  The mechanism (in official_builds.ts, as of 2026-05-21):
+  - Download/extract errors are logged via core.info(), not core.warning()
+    or core.error(), so they are buried in normal output
+  - After the fallback download attempt, there is no post-condition check
+    that verifies node --version matches the requested version
+  - core.addPath() is called even if toolPath/bin is empty or stale
+
+  Reported failing run: https://github.com/n8n-io/n8n/actions/runs/26100630929
+  The run showed "Attempting to download 24.15.0..." → 33 seconds of silence →
+  next step ran against runner-baked v20.20.0 with no error from setup-node.
+
+  This is distinct from silent-failures-028 which covers self-hosted runners
+  where node is completely absent (node: not found). This entry covers hosted
+  runners where the wrong version is silently active and node IS found.
+
+  Root upstream issue: actions/toolkit#804 — concurrent toolcache writes create
+  partial extracts that pass path existence checks.
+fix: |
+  Add an explicit node --version verification step immediately after setup-node
+  and fail the job if the version does not match. This is the external workaround
+  used by affected projects (e.g., n8n/n8n PR #30849).
+
+  Until actions/setup-node ships a built-in post-install assertion, this
+  workflow-level guard is the only reliable way to catch the silent fallthrough.
+fix_code:
+  - language: yaml
+    label: 'Add explicit version verification after setup-node'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24'
+            cache: 'npm'
+
+        - name: Verify Node.js version
+          shell: bash
+          run: |
+            ACTUAL=$(node --version)
+            EXPECTED_MAJOR="24"
+            if [[ "$ACTUAL" != v${EXPECTED_MAJOR}.* ]]; then
+              echo "::error::setup-node installed Node ${EXPECTED_MAJOR} but \`node --version\` reports $ACTUAL"
+              echo "::error::This usually indicates a transient download failure or partial toolcache extract."
+              exit 1
+            fi
+            echo "Node.js version confirmed: $ACTUAL"
+
+        - name: Install dependencies
+          run: npm ci
+  - language: yaml
+    label: 'Pin to exact patch version to reduce toolcache misses'
+    code: |
+      steps:
+        - uses: actions/setup-node@v6
+          with:
+            node-version: '24.15.0'   # exact pin reduces manifest/toolcache lookup failures
+            cache: 'npm'
+
+        - name: Verify Node.js version (belt-and-suspenders)
+          run: |
+            node --version | grep -E '^v24\.15\.' || (echo "Wrong Node version" && exit 1)
+prevention:
+  - 'Always verify node --version matches the requested major after setup-node, especially in workflows that depend on Node.js 24+ features or native modules.'
+  - 'Pin to an exact patch version (e.g. 24.15.0) rather than a range (24.x) to avoid unexpected toolcache miss fallbacks.'
+  - 'If you see "Attempting to download X.Y.Z..." followed by an unusually long pause in setup-node output, the download may have stalled and the fallback path may be active.'
+  - 'Watch setup-node releases for a built-in post-install assertion fix (tracked in actions/setup-node#1556 and actions/toolkit#804).'
+docs:
+  - url: 'https://github.com/actions/setup-node/issues/1556'
+    label: 'setup-node #1556 — setup-node silently falls through to runner-baked Node on download/extract failure'
+  - url: 'https://github.com/actions/toolkit/issues/804'
+    label: 'actions/toolkit #804 — Concurrent toolcache writes cause partial extracts on multi-tenant runners'
+  - url: 'https://github.com/n8n-io/n8n/pull/30849'
+    label: 'n8n/n8n PR #30849 — External Verify Node.js Version workaround'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.109",
+  "version": "1.0.111",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",