@htekdev/actions-debugger 1.0.119 → 1.0.120

package/errors/concurrency-timing/concurrency-timing-058.yml

@@ -0,0 +1,121 @@
+id: concurrency-timing-058
+title: "concurrency queue:max 100-Slot Overflow Silently Cancels the Oldest Pending Run"
+category: concurrency-timing
+severity: silent-failure
+tags:
+  - concurrency
+  - queue-max
+  - silent-cancel
+  - pending
+  - overflow
+  - deployment
+patterns:
+  - regex: 'queue.*max|queue:.*max'
+    flags: 'i'
+  - regex: 'This run was cancelled|run.*cancelled'
+    flags: 'i'
+error_messages:
+  - "This run was cancelled."
+  - "Run was cancelled."
+root_cause: |
+  GitHub Actions concurrency queue:max allows up to 100 workflow runs or jobs
+  to wait in a single concurrency group instead of being cancelled immediately.
+  When the 100-slot queue is already full and a new run arrives, the oldest
+  pending run in the queue is silently cancelled to make room.
+
+  The cancelled run shows "This run was cancelled." in the UI with no
+  indication that the cancellation was caused by queue overflow. This message
+  is identical to normal concurrency cancel-in-progress cancellations, making
+  it impossible to distinguish overflow cancellation from intentional
+  cancellation without additional observability.
+
+  This problem surfaces when:
+  - A pipeline is slower than the push rate (runs queue faster than they drain)
+  - A burst of commits or tags fires many workflow runs simultaneously
+  - A monorepo path filter causes many unrelated commits to all queue in the
+    same deployment concurrency group
+  - A workflow is accidentally triggered on every push to any branch and all
+    share a single production-deploy concurrency group
+
+  Note: queue:max and cancel-in-progress:true cannot be combined (validation
+  error). queue:max assumes you want all runs to eventually execute in order.
+fix: |
+  queue:max with 100 slots is generous for most pipelines. If you are hitting
+  the overflow limit, the queue depth is a symptom of a throughput mismatch:
+
+  1. Speed up the job so the queue drains faster than it fills. Profile and
+     optimize the slowest steps (build caching, parallelism inside the job).
+
+  2. Narrow the trigger to reduce unnecessary queuing:
+     - Use paths: filters so only relevant changes trigger the workflow
+     - Only trigger on specific branches (main, release/*) not all branches
+     - Use workflow_dispatch for on-demand deploys instead of automatic pushes
+
+  3. Split into multiple concurrency groups scoped per environment or service
+     component. Each group has its own 100-slot limit, distributing capacity
+     across workloads.
+
+  4. If strict ordering is not required and drops are acceptable, switch back
+     to queue:single (the default) with cancel-in-progress:false so only one
+     pending run is kept, avoiding the 100-slot limit entirely.
+fix_code:
+  - language: yaml
+    label: "queue:max — silently cancels oldest pending run when >100 queued"
+    code: |
+      on:
+        push:
+          branches: ['**']  # Triggers on every push to every branch
+
+      concurrency:
+        group: production-deploy     # All branches share ONE slot — queue fills fast
+        queue: max                   # Up to 100 queued; 101st silently cancels the 1st
+
+  - language: yaml
+    label: "Fixed — scope concurrency group per environment + narrow push trigger"
+    code: |
+      on:
+        push:
+          branches:
+            - main
+            - 'release/**'
+
+      concurrency:
+        # Each environment gets its own 100-slot queue
+        group: deploy-${{ github.event.deployment.environment || 'staging' }}-${{ github.ref_name }}
+        queue: max
+
+  - language: yaml
+    label: "Fixed — add observability step to detect queue overflow"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          concurrency:
+            group: production-deploy
+            queue: max
+          steps:
+            - name: Check concurrency queue depth
+              env:
+                GH_TOKEN: ${{ github.token }}
+              run: |
+                PENDING=$(gh api \
+                  "repos/${{ github.repository }}/actions/runs?status=waiting&per_page=100" \
+                  --jq '[.workflow_runs[] | select(.name == "${{ github.workflow }}")] | length')
+                echo "Runs currently waiting in concurrency queue: $PENDING"
+                if [ "${PENDING:-0}" -ge 90 ]; then
+                  echo "::warning::Queue near capacity (${PENDING}/100). Oldest run may be dropped on next push."
+                fi
+
+            - name: Deploy
+              run: ./deploy.sh
+prevention:
+  - "Monitor pipeline throughput: if runs consistently back up to 50+ in queue, the job is too slow for the push frequency."
+  - "Narrow workflow triggers with paths: and branches: filters to reduce unnecessary queuing."
+  - "Scope concurrency groups per environment or service to distribute the 100-slot limit across workloads."
+  - "Use queue:max only when strict ordering matters (deployments). For CI checks, cancel-in-progress:true is preferable."
+  - "The combination queue:max and cancel-in-progress:true is a workflow validation error — do not use both."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-concurrency"
+    label: "GitHub Docs — Using concurrency (queue:max behavior and 100-slot limit)"
+  - url: "https://docs.github.com/en/actions/reference/limits"
+    label: "GitHub Actions Limits — Concurrency group queue: 100 runs per group"

package/errors/known-unsolved/known-unsolved-069.yml

@@ -0,0 +1,127 @@
+id: known-unsolved-069
+title: "Matrix Strategy Hard Limit: 256 Jobs Per Workflow Run"
+category: known-unsolved
+severity: error
+tags:
+  - matrix
+  - strategy
+  - job-limit
+  - dynamic-matrix
+  - fromjson
+  - scalability
+patterns:
+  - regex: 'matrix.*generates.*too many|too many.*entries.*matrix'
+    flags: 'i'
+  - regex: 'limited to 256|exceeding.*allowed maximum.*256|256.*jobs.*per.*workflow'
+    flags: 'i'
+error_messages:
+  - "Matrix generates too many entries. Limited to 256."
+root_cause: |
+  GitHub Actions enforces a hard limit of 256 jobs per workflow run across
+  all matrix dimensions. This is calculated as the total Cartesian product of
+  all matrix axes after applying include/exclude entries.
+
+  Common triggers:
+  - Dynamic matrices from fromJSON output that grow over time as new targets
+    are added to a test matrix config file
+  - Multi-dimensional matrices (os x language x version) where the product
+    of all axis sizes exceeds 256
+  - Adding include: entries on top of an already-large base matrix, each
+    include: adds one additional job that counts against the 256 limit
+  - Monorepo CI matrices that test all services x all supported runtimes
+
+  The error fires immediately when the workflow is queued and prevents any
+  jobs from running. GitHub reports the total generated count in the error
+  message: "Matrix generates N entries. Limited to 256."
+
+  This limit applies equally to GitHub-hosted and self-hosted runners and
+  cannot be increased by contacting support.
+fix: |
+  The 256-job-per-run limit is hard and cannot be increased. Options:
+
+  1. Split across multiple workflow files, each handling a subset of targets.
+     Trigger them from a parent coordinator workflow or via separate triggers.
+
+  2. Reduce matrix dimensions: test only meaningful combinations using
+     explicit include: lists rather than full Cartesian products. Not every
+     OS x language x version triplet needs to be tested.
+
+  3. Chunk using workflow_dispatch fan-out: a generator job creates N chunks
+     of at most 256 items and dispatches sub-workflow runs per chunk via
+     repository_dispatch or workflow_dispatch API calls.
+
+  4. Use a single job with a shell loop for some dimensions: instead of
+     separate matrix jobs per version, loop over versions inside one job step.
+     Sacrifices parallelism but avoids the limit entirely.
+fix_code:
+  - language: yaml
+    label: "Broken — Cartesian product silently grows past 256 as versions are added"
+    code: |
+      strategy:
+        matrix:
+          os: [ubuntu-22.04, ubuntu-24.04, windows-2022, macos-14, macos-15]
+          node: [18, 20, 22, 23]
+          python: ['3.9', '3.10', '3.11', '3.12', '3.13']
+          # 5 x 4 x 5 = 100 jobs today — fine, but adding node 24 pushes to 125,
+          # adding python 3.14 pushes to 150, and so on until 256 is silently hit
+
+  - language: yaml
+    label: "Fixed — explicit include list tests only meaningful combinations"
+    code: |
+      strategy:
+        matrix:
+          include:
+            # Test LTS node on primary OS with latest stable Python
+            - os: ubuntu-24.04
+              node: 20
+              python: '3.12'
+            - os: ubuntu-24.04
+              node: 22
+              python: '3.12'
+            # Windows only gets the most recent LTS
+            - os: windows-2022
+              node: 20
+              python: '3.11'
+            # macOS gets one combination
+            - os: macos-15
+              node: 20
+              python: '3.12'
+          # Total: 4 jobs instead of 100+ from full Cartesian product
+
+  - language: yaml
+    label: "Defensive — validate dynamic matrix size before passing to strategy"
+    code: |
+      jobs:
+        generate-matrix:
+          runs-on: ubuntu-latest
+          outputs:
+            matrix: ${{ steps.gen.outputs.matrix }}
+          steps:
+            - id: gen
+              run: |
+                MATRIX=$(cat test-matrix.json)
+                COUNT=$(echo "$MATRIX" | jq '.include | length')
+                if [ "$COUNT" -gt 256 ]; then
+                  echo "::error::Matrix has $COUNT entries (limit: 256). Split into multiple workflows."
+                  exit 1
+                fi
+                echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
+
+        test:
+          needs: generate-matrix
+          strategy:
+            matrix: ${{ fromJSON(needs.generate-matrix.outputs.matrix) }}
+          runs-on: ${{ matrix.os }}
+          steps:
+            - run: echo "Testing ${{ matrix.os }} / ${{ matrix.version }}"
+prevention:
+  - "Before adding a new matrix axis, calculate the new total job count — it must stay at or below 256."
+  - "For dynamic matrices (fromJSON), validate the output list length in the generator job and fail fast if > 256."
+  - "Prefer explicit include: lists over full Cartesian products when not all dimension combinations are meaningful."
+  - "Monitor matrix job counts over time: a previously-safe matrix silently crosses 256 as new versions are added."
+  - "Document the current job count in a comment next to the matrix block so reviewers notice when PRs push it higher."
+docs:
+  - url: "https://docs.github.com/en/actions/reference/limits"
+    label: "GitHub Actions Limits — Job Matrix: 256 jobs per workflow run"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow"
+    label: "GitHub Docs — Using a matrix for your jobs"

package/errors/permissions-auth/permissions-auth-070.yml

@@ -0,0 +1,136 @@
+id: permissions-auth-070
+title: "GITHUB_TOKEN packages:write Cannot Delete GitHub Container Registry Packages"
+category: permissions-auth
+severity: error
+tags:
+  - github-packages
+  - ghcr
+  - container-registry
+  - packages-delete
+  - permissions
+  - pat
+patterns:
+  - regex: 'delete.*package.*403|package.*delete.*forbidden'
+    flags: 'i'
+  - regex: 'Resource not accessible by integration'
+    flags: 'i'
+error_messages:
+  - "Resource not accessible by integration"
+  - "HttpError: Resource not accessible by integration"
+  - "403 Forbidden"
+root_cause: |
+  GitHub Container Registry (ghcr.io) and other granular-permission package
+  registries (npm, NuGet, RubyGems on ghpr) use package-level access control
+  that is separate from repository permissions. The GITHUB_TOKEN workflow
+  permission block supports packages: write, which grants the ability to:
+  - Publish (push) new package versions
+  - Update package metadata and visibility
+
+  However, packages: write does NOT grant the ability to DELETE package
+  versions. Deletion of granular-permission packages requires the delete:packages
+  scope, which exists only on classic personal access tokens (PATs) — there is
+  no equivalent permission in the GITHUB_TOKEN fine-grained model.
+
+  As a result, workflows that use actions/delete-package-versions (or make
+  direct REST API calls to DELETE /user/packages/{type}/{name}/versions/{id}
+  or DELETE /orgs/{org}/packages/{type}/{package_name}/versions/{id}) always
+  fail with 403 "Resource not accessible by integration" even with:
+    permissions:
+      packages: write
+
+  Note: Repository-scoped packages (Apache Maven, legacy Gradle) that inherit
+  repository permissions may behave differently — deletion can work via the
+  repo admin role. Container Registry packages always use granular permissions.
+fix: |
+  Replace GITHUB_TOKEN with a token that carries delete:packages authority.
+
+  Option 1 (recommended for orgs): GitHub App token
+  - Create a GitHub App with "Packages: Read & Write" and "Packages: Admin"
+    permissions
+  - Install the app on the org or repo
+  - Use actions/create-github-app-token to generate a token in the workflow
+  - Pass the token to the deletion step
+
+  Option 2 (simpler for personal/small-team repos): Classic PAT
+  - Generate a classic PAT (Settings > Developer settings > Personal access
+    tokens > Tokens (classic)) with the delete:packages scope
+  - Store as a repository or organization secret
+  - Reference the secret in the deletion step
+
+  Option 3 (repo-scoped packages only — Apache Maven, Gradle):
+  - Ensure the package uses repository-scoped permissions (not granular)
+  - Grant the workflow admin access to the repository
+  - This does NOT apply to ghcr.io container images, which always require
+    a PAT or App approach for deletion
+fix_code:
+  - language: yaml
+    label: "Broken — GITHUB_TOKEN packages:write cannot delete container images"
+    code: |
+      permissions:
+        packages: write  # Grants publish access but NOT delete access
+
+      jobs:
+        cleanup:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Delete old versions
+              uses: actions/delete-package-versions@v5
+              with:
+                package-name: my-image
+                package-type: container
+                min-versions-to-keep: 5
+                token: ${{ secrets.GITHUB_TOKEN }}  # Fails with 403 for container packages
+
+  - language: yaml
+    label: "Fixed — classic PAT with delete:packages scope"
+    code: |
+      permissions:
+        packages: write
+
+      jobs:
+        cleanup:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Delete old versions
+              uses: actions/delete-package-versions@v5
+              with:
+                package-name: my-image
+                package-type: container
+                min-versions-to-keep: 5
+                # Classic PAT must have: write:packages + delete:packages scopes
+                token: ${{ secrets.PAT_DELETE_PACKAGES }}
+
+  - language: yaml
+    label: "Fixed — GitHub App token (recommended for organizations)"
+    code: |
+      jobs:
+        cleanup:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Generate GitHub App token
+              id: app-token
+              uses: actions/create-github-app-token@v1
+              with:
+                app-id: ${{ vars.PACKAGE_CLEANUP_APP_ID }}
+                private-key: ${{ secrets.PACKAGE_CLEANUP_APP_KEY }}
+
+            - name: Delete old container image versions
+              uses: actions/delete-package-versions@v5
+              with:
+                package-name: my-image
+                package-type: container
+                min-versions-to-keep: 5
+                token: ${{ steps.app-token.outputs.token }}
+prevention:
+  - "Never assume packages:write grants deletion rights — it only covers publish and metadata operations."
+  - "Provision a dedicated classic PAT or GitHub App with package admin access for all cleanup/retention workflows."
+  - "Document which secrets are needed for deletion workflows so maintainers do not accidentally replace them with GITHUB_TOKEN."
+  - "Audit all uses of actions/delete-package-versions in your org to confirm each workflow uses an appropriate token."
+  - "Prefer GitHub App tokens over classic PATs for org workflows — PAT credentials are tied to a specific user account."
+docs:
+  - url: "https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages"
+    label: "GitHub Docs — About permissions for GitHub Packages (granular vs repository-scoped)"
+  - url: "https://github.com/actions/delete-package-versions"
+    label: "actions/delete-package-versions — token requirements"
+  - url: "https://docs.github.com/en/rest/packages/packages"
+    label: "GitHub REST API — Packages DELETE endpoints"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.119",
+  "version": "1.0.120",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",