@htekdev/actions-debugger 1.0.12 → 1.0.13

package/errors/caching-artifacts/cache-path-exclusion-glob-silent-noop.yml

@@ -0,0 +1,83 @@
+id: caching-artifacts-014
+title: "actions/cache Exclusion Globs (! patterns) Silently Ignored"
+category: caching-artifacts
+severity: silent-failure
+tags:
+  - cache
+  - glob
+  - exclusion
+  - negation
+  - silent-failure
+patterns:
+  - regex: "path:(?:[^#\\n]*\\n)+\\s*!\\S"
+    flags: "im"
+  - regex: "path:.*\\n.*!~/"
+    flags: "im"
+error_messages:
+  - "Cache saved with key"
+  - "Cache hit occurred on the primary key"
+root_cause: |
+  The `actions/cache` action uses `@actions/glob` with `implicitDescendants: false`
+  to resolve the `path:` input into a file list for `tar`. With this setting, each
+  pattern is matched only at the top level — subdirectory enumeration does not happen.
+  As a result, negation patterns like `!~/cache/temp` never find anything to exclude
+  because there are no implicitly enumerated descendants to match against.
+
+  The cache save and restore operations complete successfully with no error or warning.
+  The "excluded" directory is silently included in the archive, leading to:
+  - Larger caches than intended, consuming quota faster
+  - Sensitive or temporary files accidentally persisted across runs
+  - False-positive cache key hits (excluded dir content changes don't invalidate cache)
+
+  This is a long-standing known limitation of `actions/cache` that has been reported
+  since v1 and remains unfixed in v4.
+fix: |
+  `actions/cache` does not support exclusion globs. Restructure directories so the
+  content you want to cache lives in a dedicated subdirectory, and reference only that
+  path. If directory restructuring is not feasible, use a `run` step to create a
+  filtered `tar` archive before caching.
+fix_code:
+  - language: yaml
+    label: "BROKEN — exclusion pattern silently does nothing"
+    code: |
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/cache
+            !~/cache/temp     # Silently ignored — temp/ is still cached
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/package-lock.json') }}
+  - language: yaml
+    label: "CORRECT — restructure: cache only the subdirectory you need"
+    code: |
+      # Put persistent cache content in ~/cache/persistent/
+      # Put temp files in ~/cache/temp/  (not cached)
+      - uses: actions/cache@v4
+        with:
+          path: ~/cache/persistent   # Cache only the isolated subdirectory
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/package-lock.json') }}
+  - language: yaml
+    label: "CORRECT — manual tar with --exclude for complex cases"
+    code: |
+      - name: Save cache with exclusion
+        run: |
+          tar --exclude='$HOME/cache/temp' \
+              --exclude='$HOME/cache/.git' \
+              -czf /tmp/my-cache.tar.gz \
+              ~/cache
+
+      - uses: actions/cache@v4
+        with:
+          path: /tmp/my-cache.tar.gz
+          key: ${{ runner.os }}-filtered-${{ hashFiles('**/package-lock.json') }}
+prevention:
+  - "Never rely on `!` negation patterns in `actions/cache` `path:` — they are silently ignored."
+  - "Audit cache paths to confirm no sensitive, secret, or large temporary files are included."
+  - "Isolate cacheable build artifacts into dedicated subdirectories at project setup time."
+  - "Set `enableCrossOsArchive: false` (default) and test on each OS independently."
+docs:
+  - url: "https://github.com/actions/toolkit/issues/713"
+    label: "actions/toolkit#713 — Cache: excluding files or folders with ! not working"
+  - url: "https://github.com/actions/cache/blob/main/tips-and-workarounds.md"
+    label: "actions/cache — Tips and workarounds"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows"
+    label: "Caching dependencies to speed up workflows"

package/errors/known-unsolved/composite-action-env-not-updated-on-reuse.yml

@@ -0,0 +1,114 @@
+id: known-unsolved-013
+title: "GITHUB_ENV Set in Composite Action Not Updated on Repeated Calls in Same Job"
+category: known-unsolved
+severity: silent-failure
+tags:
+  - composite-action
+  - GITHUB_ENV
+  - env-var
+  - repeated-calls
+  - known-limitation
+patterns:
+  - regex: "echo.*>>\\s*\\$GITHUB_ENV"
+    flags: "i"
+  - regex: "GITHUB_ENV.*composite"
+    flags: "i"
+error_messages:
+  - "environment variable not updated on second call"
+  - "variable retains value from first call"
+root_cause: |
+  When a composite action sets an environment variable by appending to $GITHUB_ENV,
+  that variable is propagated to the parent job context after the composite action
+  completes. On the first call this works correctly. However, if the same composite
+  action is called a second time in the same job, the GITHUB_ENV write succeeds
+  internally but the parent job environment variable retains the value from the
+  first call.
+
+  This is a known platform limitation: GITHUB_ENV writes from within composite
+  actions are processed at step-boundary transitions. On repeated calls to the
+  same composite action in the same job, the runner does not re-apply the env
+  file changes correctly for variables already set — the first written value
+  persists for the job duration.
+
+  The limitation affects parameterized composite actions used as reusable units
+  that produce environment state, especially when called in loops, matrices, or
+  sequential steps with different inputs.
+
+  GitHub has not fixed this behavior; the recommended migration path is to use
+  GITHUB_OUTPUT instead of GITHUB_ENV for composite action outputs.
+fix: |
+  Replace $GITHUB_ENV writes with $GITHUB_OUTPUT writes inside composite actions.
+  Step outputs are properly scoped per-invocation and do not have the repeated-call
+  limitation. Read the output in the calling workflow using steps.<id>.outputs.<name>.
+
+  If environment variables are strictly required at the job level, set them in the
+  calling workflow from the composite action outputs, not inside the composite action.
+fix_code:
+  - language: yaml
+    label: "BROKEN composite action — GITHUB_ENV silently not updated on 2nd call"
+    code: |
+      # my-action/action.yml
+      inputs:
+        label:
+          required: true
+      runs:
+        using: composite
+        steps:
+          - run: echo "MY_LABEL=${{ inputs.label }}" >> $GITHUB_ENV
+            shell: bash
+      # Calling workflow:
+      # steps:
+      #   - uses: ./my-action
+      #     with: { label: "first" }   # MY_LABEL = "first" ✓
+      #   - uses: ./my-action
+      #     with: { label: "second" }  # MY_LABEL still "first" — silent bug!
+  - language: yaml
+    label: "CORRECT composite action — use GITHUB_OUTPUT"
+    code: |
+      # my-action/action.yml
+      inputs:
+        label:
+          required: true
+      outputs:
+        label:
+          description: "The resolved label"
+          value: ${{ steps.set.outputs.label }}
+      runs:
+        using: composite
+        steps:
+          - id: set
+            run: echo "label=${{ inputs.label }}" >> $GITHUB_OUTPUT
+            shell: bash
+  - language: yaml
+    label: "CORRECT calling workflow — propagate to env if needed"
+    code: |
+      steps:
+        - id: first
+          uses: ./my-action
+          with:
+            label: build-${{ github.sha }}
+
+        - id: second
+          uses: ./my-action
+          with:
+            label: deploy-${{ github.sha }}
+
+        - name: Use outputs from both calls
+          env:
+            FIRST_LABEL: ${{ steps.first.outputs.label }}
+            SECOND_LABEL: ${{ steps.second.outputs.label }}
+          run: |
+            echo "First: $FIRST_LABEL"
+            echo "Second: $SECOND_LABEL"
+prevention:
+  - "Never use $GITHUB_ENV in composite actions that may be called more than once per job."
+  - "Migrate all composite action side effects from GITHUB_ENV to GITHUB_OUTPUT."
+  - "Test composite actions by calling them twice in the same job to catch this bug early."
+  - "Prefer outputs over env-var side effects for cleaner and predictable reuse semantics."
+docs:
+  - url: "https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions"
+    label: "Outputs for composite actions"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable"
+    label: "Workflow commands — setting an environment variable"
+  - url: "https://github.com/actions/runner/issues/789"
+    label: "actions/runner#789 — GITHUB_ENV does not update when running composite actions multiple times"

package/errors/silent-failures/continue-on-error-failure-fn-bypassed.yml

@@ -0,0 +1,90 @@
+id: silent-failures-016
+title: "failure() Returns false After continue-on-error Step"
+category: silent-failures
+severity: silent-failure
+tags:
+  - continue-on-error
+  - failure
+  - status-functions
+  - error-handler
+  - silent-failure
+patterns:
+  - regex: "continue-on-error:\\s*true"
+    flags: "i"
+  - regex: "if:\\s*(\\$\\{\\{\\s*)?failure\\(\\)"
+    flags: "i"
+error_messages:
+  - "Skipping step: due to a failed condition"
+root_cause: |
+  When a step has `continue-on-error: true` and that step fails, GitHub Actions
+  records the step outcome as failure but immediately converts the job aggregate
+  status back to success before evaluating the next step. This means that
+  failure() in a subsequent step's if condition evaluates to false — the runner
+  sees the job as currently-successful, not currently-failed.
+
+  The continue-on-error flag was designed to allow a job to proceed past a failing
+  step, but the side effect is that it consumes the failure signal from all
+  status-check functions. Developers commonly write error-handler steps using
+  if: failure(), expecting them to trigger when the prior step fails, but this
+  pattern silently breaks when continue-on-error: true is present on that prior step.
+
+  The step individual outcome context (steps.<id>.outcome) is the only reliable
+  way to detect the specific step result after continue-on-error.
+fix: |
+  Replace if: failure() with if: steps.<step_id>.outcome == 'failure' when
+  writing error handlers for specific steps that use continue-on-error: true.
+  The steps.<id>.outcome context holds the actual step result regardless of
+  job-level status modifications.
+fix_code:
+  - language: yaml
+    label: "WRONG — failure() never triggers after continue-on-error"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle failure
+          if: failure()      # NEVER RUNS — job status was reset to success
+          run: ./notify-on-failure.sh
+  - language: yaml
+    label: "CORRECT — check specific step outcome"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle failure
+          if: steps.risky.outcome == 'failure'
+          run: ./notify-on-failure.sh
+
+        - name: Continue regardless
+          run: echo "Job continues either way"
+  - language: yaml
+    label: "CORRECT — combine with always() for comprehensive guards"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle step failure
+          if: always() && steps.risky.outcome == 'failure'
+          run: |
+            echo "::warning::Risky operation failed"
+            echo "## Failed" >> $GITHUB_STEP_SUMMARY
+prevention:
+  - "Never use if: failure() as handler for a step with continue-on-error: true — use steps.<id>.outcome."
+  - "Reserve failure() for handlers that should trigger on any upstream job failure."
+  - "Add step IDs to all continue-on-error steps so outcome checking is always possible."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-conditions-to-control-job-execution"
+    label: "Using conditions to control job execution"
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error"
+    label: "continue-on-error workflow syntax"
+  - url: "https://github.com/actions/toolkit/issues/1034"
+    label: "actions/toolkit#1034 — Wrong behaviour combining continue-on-error and failure()"

package/errors/silent-failures/if-mixed-expression-always-true.yml

@@ -0,0 +1,71 @@
+id: silent-failures-015
+title: "Mixing ${{ }} Interpolation Inside if: Condition Causes Step to Always Run"
+category: silent-failures
+severity: silent-failure
+tags:
+  - if-condition
+  - expression
+  - interpolation
+  - always-runs
+  - silent-failure
+patterns:
+  - regex: "if:.*==.*'[^']*\\$\\{\\{[^}]+\\}\\}[^']*'"
+    flags: "i"
+  - regex: "if:.*'[^']*\\$\\{\\{[^}]+\\}\\}[^']*'.*=="
+    flags: "i"
+error_messages:
+  - "step runs unexpectedly even when condition should be false"
+  - "if condition always evaluates true"
+root_cause: |
+  When the `if:` field contains BOTH bare comparison operators AND a `${{ }}`
+  interpolation fragment within a quoted string (e.g.,
+  `if: github.ref == 'refs/heads/${{ env.BRANCH }}'`), GitHub Actions wraps the
+  entire bare-string value in `${{ ... }}` for expression evaluation. This makes
+  the outer expression evaluate the literal string
+  `"github.ref == 'refs/heads/main'"` — a non-empty string — which is always truthy.
+
+  The runner does not parse the embedded `${{ }}` fragment as an inner expression;
+  it only processes the outer auto-wrap. The result is that the step runs on every
+  trigger regardless of the actual comparison result — a textbook silent failure
+  since the workflow file looks syntactically correct and no error is emitted.
+fix: |
+  Wrap the ENTIRE `if:` condition in `${{ }}` so the runner treats it as an
+  expression from the start. Use the `format()` function or direct context
+  comparisons instead of embedding `${{ }}` inside quoted strings.
+fix_code:
+  - language: yaml
+    label: "WRONG — mixed interpolation, step always runs"
+    code: |
+      env:
+        TARGET_BRANCH: main
+      steps:
+        - name: Deploy to production
+          # This ALWAYS runs — the string is truthy regardless of branch
+          if: github.ref == 'refs/heads/${{ env.TARGET_BRANCH }}'
+          run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — wrap entire condition in ${{ }}"
+    code: |
+      env:
+        TARGET_BRANCH: main
+      steps:
+        - name: Deploy to production
+          if: ${{ github.ref == format('refs/heads/{0}', env.TARGET_BRANCH) }}
+          run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — direct string literal comparison"
+    code: |
+      steps:
+        - name: Deploy to production
+          if: ${{ github.ref == 'refs/heads/main' }}
+          run: ./deploy.sh
+prevention:
+  - "Never embed `${{ }}` fragments inside quoted strings within `if:` — always wrap the entire condition."
+  - "Lint workflows with `actionlint` — it flags mixed expression/literal patterns in `if:` fields."
+  - "Prefer `format()` or direct context references over string interpolation in conditionals."
+  - "Test conditions on branches that should NOT match to verify they don't run."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions"
+    label: "Evaluate expressions in workflows and actions"
+  - url: "https://github.com/actions/runner/issues/1173"
+    label: "actions/runner#1173 — If condition always evaluated as true when containing ${{ }} inside"

package/errors/yaml-syntax/needs-skipped-if-requires-always.yml

@@ -0,0 +1,100 @@
+id: yaml-syntax-018
+title: "Job if: Condition Skipped When Needed Job Is Skipped — Requires always() &&"
+category: yaml-syntax
+severity: error
+tags:
+  - needs
+  - skipped
+  - if-condition
+  - always
+  - job-level
+patterns:
+  - regex: "needs.*result.*skipped"
+    flags: "i"
+  - regex: "if:.*needs\\.[a-z_-]+\\.outputs"
+    flags: "i"
+error_messages:
+  - "Skipping job: due to job needs not meeting conditions"
+  - "Job was skipped"
+root_cause: |
+  When a job declares `needs: [job_a, job_b]` and any of those upstream jobs is in
+  a `skipped` state, GitHub Actions propagates the skip to the dependent job by
+  default — even when that job has its own `if:` condition that evaluates to `true`.
+
+  GitHub Actions imposes an implicit rule: all `needs` jobs must have
+  `result == 'success'` unless the dependent job's condition explicitly overrides
+  the check. A skipped upstream job does NOT satisfy the implicit success requirement.
+  The `if:` condition is NOT evaluated as a full override — it is only evaluated
+  AFTER the implicit needs-success check passes, so if that check fails the `if:`
+  is never reached.
+
+  The fix is `always() &&` at the start of the `if:` condition, which bypasses the
+  implicit needs-success requirement and forces the runner to evaluate the full condition.
+fix: |
+  Prepend `always() &&` to any job-level `if:` where an upstream `needs` job may be
+  legitimately skipped. Alternatively, explicitly allow skipped results:
+  `needs.job_name.result == 'success' || needs.job_name.result == 'skipped'`.
+fix_code:
+  - language: yaml
+    label: "WRONG — deploy skipped even though if evaluates true"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          outputs:
+            should_deploy: ${{ steps.check.outputs.deploy }}
+          steps:
+            - id: check
+              run: echo "deploy=true" >> $GITHUB_OUTPUT
+
+        integration-tests:
+          needs: build
+          if: ${{ needs.build.outputs.should_deploy == 'false' }}
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "optional integration tests"
+
+        deploy:
+          needs: [build, integration-tests]
+          # PROBLEM: integration-tests was skipped → deploy is also skipped
+          # even though the condition below is true
+          if: ${{ needs.build.outputs.should_deploy == 'true' }}
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — prepend always() to force evaluation"
+    code: |
+      jobs:
+        deploy:
+          needs: [build, integration-tests]
+          if: always() && needs.build.outputs.should_deploy == 'true'
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — explicit skipped result check"
+    code: |
+      jobs:
+        deploy:
+          needs: [build, integration-tests]
+          if: |
+            always() &&
+            needs.build.result == 'success' &&
+            (needs.integration-tests.result == 'success' ||
+             needs.integration-tests.result == 'skipped')
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+prevention:
+  - "Add `always() &&` to any job `if:` condition where upstream `needs` jobs may be skipped."
+  - "Treat a skipped upstream need as equivalent to a failed need unless `always()` is used."
+  - "Map your workflow DAG — anywhere a branch is optionally skipped, downstream jobs need `always()`."
+  - "Use `actionlint` to surface potential needs/if interaction issues statically."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idif"
+    label: "jobs.<job_id>.if — Workflow syntax"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-conditions-to-control-job-execution#using-status-check-functions"
+    label: "Using status check functions (always, failure, success, cancelled)"
+  - url: "https://github.com/actions/runner/issues/491"
+    label: "actions/runner#491 — Job if condition not evaluated correctly if needs job is skipped"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.12",
+  "version": "1.0.13",
   "description": "65+ real GitHub Actions errors, queryable by agents. MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",