@htekdev/actions-debugger 1.0.110 → 1.0.111

package/errors/known-unsolved/ephemeral-jit-runner-lost-communication-false-positive.yml

@@ -0,0 +1,93 @@
+id: known-unsolved-058
+title: 'Ephemeral JIT Runner Reports "Lost Communication" Despite Successful Job Completion'
+category: known-unsolved
+severity: error
+tags:
+  - self-hosted
+  - ephemeral
+  - jit-runner
+  - lost-communication
+  - false-positive
+  - broker
+patterns:
+  - regex: 'The self-hosted runner lost communication with the server'
+    flags: 'i'
+  - regex: 'messageQueueLoopTokenSource|Stop message queue looping'
+    flags: 'i'
+error_messages:
+  - 'The self-hosted runner lost communication with the server'
+  - 'GET request to broker.actions.githubusercontent.com/message ... has been cancelled'
+  - 'TaskCanceledException: The operation was canceled'
+root_cause: |
+  In Runner.cs line 576, after a one-time-use (ephemeral/JIT) job completes, the message queue
+  is cancelled immediately with zero grace period:
+
+    messageQueueLoopTokenSource.Cancel();
+
+  This tears down the in-flight broker long-poll (GET broker.actions.githubusercontent.com/message)
+  immediately after CompleteJobAsync returns. GitHub's broker health monitor detects the TCP
+  disconnect and flags the runner as "lost communication" — racing against the pipeline service
+  that just received the successful completion.
+
+  Two independent GitHub backend systems race:
+  1. Pipeline service — received CompleteJobAsync, knows the job succeeded
+  2. Broker health monitor — sees TCP disconnect, flags runner as "lost communication"
+
+  When the broker monitor wins (which happens on ~5-10% of short jobs), the UI shows
+  "The self-hosted runner lost communication with the server" even though the worker exited
+  with code 100 (success) and the runner itself exited with return code 0.
+
+  The runner logs show all events at identical timestamps — zero delay between
+  "Received job status event. JobState: Online" and "messageQueueLoopTokenSource.Cancel()".
+
+  No user-side configuration can fix this. A code change to Runner.cs is required
+  (add ~5s grace delay before cancel). Source: actions/runner#4309 (March 2026, open bug,
+  affects runner v2.331.0+, ~5-10% failure rate on short ephemeral jobs).
+fix: |
+  There is no user-side configuration fix. The root cause is a zero-grace-period teardown
+  in Runner.cs that must be patched by GitHub.
+
+  Mitigations:
+  1. Verify the diagnostic logs — the job actually succeeded. Check _diag/Runner_*.log
+     for "return code 0" and "result: Succeeded" to confirm before concluding failure.
+  2. Retry the failed job — the "lost communication" is a false positive; re-running
+     produces a clean success.
+  3. Do not use ephemeral JIT runners as required status checks until actions/runner#4309
+     is resolved, or implement a workflow-level retry wrapper.
+  4. Alert on job result=="failure" not on "lost communication" text alone — false positives
+     from this race should not page on-call engineers.
+  5. Batch small jobs — the race is more likely on jobs shorter than 60 seconds. Combining
+     work into longer-running jobs reduces false positive frequency.
+fix_code:
+  - language: yaml
+    label: 'Confirm false positive by reading runner diagnostic log before retrying'
+    code: |
+      # After "lost communication" on an ephemeral JIT runner, check:
+      # _diag/Runner_YYYYMMDD-hhmmss-utc.log
+      #
+      # Successful completion signs (all at identical timestamps):
+      #   [INFO] finish job request for job {id} with result: Succeeded
+      #   [INFO] Job X completed with result: Succeeded
+      #   [INFO] Received job status event. JobState: Online
+      #   [INFO] Runner execution has finished with return code 0
+      #
+      # If these appear immediately before TaskCanceledException, the job DID succeed.
+      # Simply re-run the workflow — the retry will show a clean green result.
+      jobs:
+        build:
+          runs-on: [self-hosted, ephemeral, linux]
+          # Note: retry-on-failure logic can wrap this job in the caller:
+          steps:
+            - uses: actions/checkout@v4
+            - run: make build
+prevention:
+  - 'Treat "lost communication" on ephemeral JIT runners as a potential false positive — check _diag/Runner_*.log for "return code 0" before escalating.'
+  - 'Do not gate required status checks on ephemeral JIT runners until actions/runner#4309 is resolved upstream.'
+  - 'Alert on job result=="failure", not on the "lost communication" message text alone.'
+  - 'Batch work into longer jobs (>60s total) to reduce the broker teardown race frequency.'
+  - 'Watch actions/runner#4309 for an upstream fix (proposed: 5-second grace period before messageQueueLoopTokenSource.Cancel()).'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4309'
+    label: 'actions/runner#4309: Ephemeral/JIT runner reports "lost communication" despite successful completion (March 2026)'
+  - url: 'https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners#using-just-in-time-runners'
+    label: 'GitHub Docs: Just-in-time (JIT) runners'

package/errors/runner-environment/runner-registration-token-502-burst.yml

@@ -0,0 +1,102 @@
+id: runner-environment-179
+title: 'Runner Registration Token Endpoint Returns 502 Under Concurrent Spawn Bursts'
+category: runner-environment
+severity: error
+tags:
+  - self-hosted
+  - ephemeral
+  - registration
+  - autoscaler
+  - burst
+  - 502
+patterns:
+  - regex: 'HTTP Error 502: Bad Gateway'
+    flags: 'i'
+  - regex: 'registration-token.*502|502.*Bad Gateway.*registration'
+    flags: 'i'
+  - regex: 'HTTPError.*502|urlopen error.*502'
+    flags: 'i'
+error_messages:
+  - 'HTTP Error 502: Bad Gateway'
+  - 'urllib.error.HTTPError: HTTP Error 502: Bad Gateway'
+  - 'POST https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token — 502'
+root_cause: |
+  GitHub REST endpoint:
+    POST https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token
+
+  returns HTTP 502 Bad Gateway under burst load when many ephemeral runners attempt to
+  register concurrently (e.g., triggered by webhook-driven autoscalers on workflow_job.queued
+  events). The burst saturates the GitHub backend's registration token issuer.
+
+  The reference runner setup scripts (run.sh / config.sh flow) do NOT retry 5xx responses —
+  a single transient 502 causes the container to exit immediately before registration completes.
+  For ephemeral autoscaler setups (Modal, Lambda, Kubernetes pod-per-job), the container slot
+  is burned and no runner is available for the queued job.
+
+  Phantom containers accumulate: the autoscaler billed for the container, GitHub never received
+  a registration, and the autoscaler's max_containers cap can be held by dead slots — stalling
+  the merge queue for hours.
+
+  Source: actions/runner#4399 (May 2026, open issue, observed during 20+ concurrent registrations
+  — ~21 phantom containers during a webhook-driven burst at ~16:00-17:00 UTC on 2026-05-04).
+fix: |
+  1. Add exponential backoff to your registration token call (4 attempts, 2^n second delays).
+  2. Stagger autoscaler spawns with per-container random jitter (0-10 seconds) to break up
+     concurrent registration bursts before they hit the endpoint simultaneously.
+  3. Switch to JIT runner tokens — they are pre-assigned per job and do not require a burst-
+     sensitive registration token call:
+       POST /repos/{owner}/{repo}/actions/runners/generate-jitconfig
+  4. Reduce max_concurrent_spawns in your autoscaler to limit peak registration load.
+  5. Implement phantom container detection: health-check containers shortly after spawn and
+     kill any that failed to register within N seconds.
+fix_code:
+  - language: yaml
+    label: 'Python — retry-with-backoff on 502 when minting registration token'
+    code: |
+      import time, json, urllib.request, urllib.error
+
+      def mint_registration_token(owner, repo, github_token):
+          url = f"https://api.github.com/repos/{owner}/{repo}/actions/runners/registration-token"
+          headers = {
+              "Authorization": f"token {github_token}",
+              "Accept": "application/vnd.github+json",
+              "X-GitHub-Api-Version": "2022-11-28",
+          }
+          for attempt in range(4):
+              try:
+                  req = urllib.request.Request(url, method="POST", headers=headers)
+                  with urllib.request.urlopen(req, timeout=15) as resp:
+                      return json.load(resp)["token"]
+              except urllib.error.HTTPError as e:
+                  if 500 <= e.code < 600 and attempt < 3:
+                      delay = 2 ** attempt  # 1s, 2s, 4s
+                      print(f"Registration token {e.code}, retrying in {delay}s (attempt {attempt+1}/4)...")
+                      time.sleep(delay)
+                      continue
+                  raise
+  - language: yaml
+    label: 'Autoscaler — add random jitter per container spawn to break up burst'
+    code: |
+      import asyncio, random
+
+      async def handle_workflow_job_queued(event):
+          # Stagger spawns: random delay 0-10s reduces simultaneous token requests
+          jitter = random.uniform(0, 10)
+          await asyncio.sleep(jitter)
+          token = await mint_registration_token(owner, repo, github_token)
+          await spawn_ephemeral_container(token)
+prevention:
+  - 'Add exponential backoff (4 attempts, 2^n seconds) for 5xx responses in all registration token calls.'
+  - 'Add random per-container spawn jitter (0-10s) in your autoscaler to break up concurrent registration bursts.'
+  - 'Switch to JIT runner tokens (generate-jitconfig) for burst autoscaler workloads — they do not hit the burst-sensitive registration endpoint.'
+  - 'Monitor for phantom containers: any container that does not show as registered within 60 seconds of spawn should be terminated.'
+  - 'Cap max_concurrent_spawns conservatively (≤10) and tune based on observed 502 rates.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/4399'
+    label: 'actions/runner#4399: Registration token endpoint returns 502 in bursts (May 2026)'
+  - url: 'https://docs.github.com/en/rest/actions/self-hosted-runners#create-a-registration-token-for-a-repository'
+    label: 'GitHub REST API: Create a registration token for a repository'
+  - url: 'https://docs.github.com/en/rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-a-repository'
+    label: 'GitHub REST API: Create JIT runner config (avoids burst-sensitive registration token)'
+  - url: 'https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/autoscaling-with-self-hosted-runners'
+    label: 'GitHub Docs: Autoscaling with self-hosted runners'

package/errors/silent-failures/matrix-array-in-object-serialized-as-Array-string.yml

@@ -0,0 +1,127 @@
+id: silent-failures-098
+title: 'Matrix Array Output Nested in Object Property Serializes as "Array" String'
+category: silent-failures
+severity: silent-failure
+tags:
+  - matrix
+  - fromJSON
+  - job-outputs
+  - dynamic-matrix
+  - strategy
+  - serialization
+patterns:
+  - regex: '\bArray\b'
+    flags: ''
+  - regex: 'fromJSON\s*\(.*outputs\.[a-zA-Z_]+'
+    flags: 'i'
+error_messages:
+  - 'rhel Array'
+  - 'debian Array'
+  - 'distro = Array'
+  - 'component.distro: Array'
+root_cause: |
+  When a job output containing a JSON array string (e.g. '["el8","el9"]') is passed via
+  fromJSON() as a VALUE inside a matrix OBJECT property, the GitHub Actions expression engine
+  coerces the array to a string using JavaScript Array.prototype.toString(), which produces
+  the literal word "Array" instead of the array elements.
+
+  This happens because the matrix strategy parser evaluates object property values as strings
+  at expansion time. When fromJSON() returns a JavaScript array, the matrix serialization path
+  calls .toString() instead of expanding into multiple jobs.
+
+  The bug only triggers when the array is nested INSIDE an object:
+
+    # BROKEN — array inside object property
+    strategy:
+      matrix:
+        component:
+          - name: rhel
+            distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+            # ^ distro becomes the string "Array", not ["el8","el9"]
+
+  The same fromJSON() call works correctly at the TOP LEVEL of the matrix:
+
+    # WORKS — array at top level dimension
+    strategy:
+      matrix:
+        distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+
+  The job does NOT fail — it silently runs with matrix.component.distro set to "Array",
+  producing wrong build targets with no error or warning.
+
+  Source: actions/runner#3794 (April 2025, labeled bug, open as of April 2026 after stale
+  cycle — author confirmed still broken).
+fix: |
+  Restructure the matrix to avoid placing fromJSON() array outputs inside object properties.
+
+  Option 1 — Pre-compute the full cross-product as a JSON array of objects in the matrix-
+  generating job and pass it as a single fromJSON() at the include level.
+
+  Option 2 — Use separate top-level matrix dimensions instead of grouping into objects.
+
+  If object grouping is required for semantic reasons, flatten the arrays at generation time
+  using jq and emit a fully-expanded JSON array of objects from the setup step.
+fix_code:
+  - language: yaml
+    label: 'Workaround — pre-compute full matrix as JSON array, expand via include'
+    code: |
+      jobs:
+        define-matrix:
+          runs-on: ubuntu-latest
+          outputs:
+            matrix: ${{ steps.build.outputs.matrix }}
+          steps:
+            - id: build
+              run: |
+                # Build the full cross-product as a JSON array of objects
+                matrix=$(jq -nc '[
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"rhel","distro":"el8"},
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"rhel","distro":"el9"},
+                  {"arch":"x86_64","runner":"ubuntu-24.04","component":"debian","distro":"focal"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"rhel","distro":"el8"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"rhel","distro":"el9"},
+                  {"arch":"aarch64","runner":"ubuntu-24.04-arm","component":"debian","distro":"focal"}
+                ]')
+                echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
+        build:
+          needs: define-matrix
+          runs-on: ${{ matrix.runner }}
+          strategy:
+            matrix:
+              include: ${{ fromJSON(needs.define-matrix.outputs.matrix) }}
+          steps:
+            - run: echo "${{ matrix.component }} ${{ matrix.distro }} on ${{ matrix.arch }}"
+  - language: yaml
+    label: 'Debug step — detect "Array" serialization early'
+    code: |
+      jobs:
+        build:
+          needs: define-matrix
+          runs-on: ubuntu-latest
+          strategy:
+            matrix:
+              # Use top-level dimensions — arrays work at this level
+              distro: ${{ fromJSON(needs.define-matrix.outputs.rpms) }}
+              arch: [x86_64, aarch64]
+          steps:
+            - name: Verify matrix values are not "Array"
+              run: |
+                DISTRO="${{ matrix.distro }}"
+                if [ "$DISTRO" = "Array" ]; then
+                  echo "::error::matrix.distro serialized as 'Array' — fromJSON() inside object bug"
+                  exit 1
+                fi
+                echo "distro=$DISTRO"
+prevention:
+  - 'Never place fromJSON() array outputs as values inside matrix object properties — use top-level dimensions or pre-computed include arrays.'
+  - 'Add a guard step that fails if any matrix value equals the string "Array" to catch this bug early.'
+  - 'Generate complex multi-dimensional matrix shapes in the setup job as a single JSON array, then expand via include: ${{ fromJSON(...) }}.'
+  - 'Track actions/runner#3794 for an upstream fix to the matrix object property serialization bug.'
+docs:
+  - url: 'https://github.com/actions/runner/issues/3794'
+    label: 'actions/runner#3794: array outputs not understood by matrix when nested inside object (April 2025, open)'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow'
+    label: 'GitHub Docs: Using a matrix for your jobs'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#fromjson'
+    label: 'GitHub Docs: fromJSON expression function'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.110",
+  "version": "1.0.111",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",