@htekdev/actions-debugger 1.0.12 → 1.0.14

package/errors/caching-artifacts/cache-path-exclusion-glob-silent-noop.yml

@@ -0,0 +1,83 @@
+id: caching-artifacts-014
+title: "actions/cache Exclusion Globs (! patterns) Silently Ignored"
+category: caching-artifacts
+severity: silent-failure
+tags:
+  - cache
+  - glob
+  - exclusion
+  - negation
+  - silent-failure
+patterns:
+  - regex: "path:(?:[^#\\n]*\\n)+\\s*!\\S"
+    flags: "im"
+  - regex: "path:.*\\n.*!~/"
+    flags: "im"
+error_messages:
+  - "Cache saved with key"
+  - "Cache hit occurred on the primary key"
+root_cause: |
+  The `actions/cache` action uses `@actions/glob` with `implicitDescendants: false`
+  to resolve the `path:` input into a file list for `tar`. With this setting, each
+  pattern is matched only at the top level — subdirectory enumeration does not happen.
+  As a result, negation patterns like `!~/cache/temp` never find anything to exclude
+  because there are no implicitly enumerated descendants to match against.
+
+  The cache save and restore operations complete successfully with no error or warning.
+  The "excluded" directory is silently included in the archive, leading to:
+  - Larger caches than intended, consuming quota faster
+  - Sensitive or temporary files accidentally persisted across runs
+  - False-positive cache key hits (excluded dir content changes don't invalidate cache)
+
+  This is a long-standing known limitation of `actions/cache` that has been reported
+  since v1 and remains unfixed in v4.
+fix: |
+  `actions/cache` does not support exclusion globs. Restructure directories so the
+  content you want to cache lives in a dedicated subdirectory, and reference only that
+  path. If directory restructuring is not feasible, use a `run` step to create a
+  filtered `tar` archive before caching.
+fix_code:
+  - language: yaml
+    label: "BROKEN — exclusion pattern silently does nothing"
+    code: |
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/cache
+            !~/cache/temp     # Silently ignored — temp/ is still cached
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/package-lock.json') }}
+  - language: yaml
+    label: "CORRECT — restructure: cache only the subdirectory you need"
+    code: |
+      # Put persistent cache content in ~/cache/persistent/
+      # Put temp files in ~/cache/temp/  (not cached)
+      - uses: actions/cache@v4
+        with:
+          path: ~/cache/persistent   # Cache only the isolated subdirectory
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/package-lock.json') }}
+  - language: yaml
+    label: "CORRECT — manual tar with --exclude for complex cases"
+    code: |
+      - name: Save cache with exclusion
+        run: |
+          tar --exclude='$HOME/cache/temp' \
+              --exclude='$HOME/cache/.git' \
+              -czf /tmp/my-cache.tar.gz \
+              ~/cache
+
+      - uses: actions/cache@v4
+        with:
+          path: /tmp/my-cache.tar.gz
+          key: ${{ runner.os }}-filtered-${{ hashFiles('**/package-lock.json') }}
+prevention:
+  - "Never rely on `!` negation patterns in `actions/cache` `path:` — they are silently ignored."
+  - "Audit cache paths to confirm no sensitive, secret, or large temporary files are included."
+  - "Isolate cacheable build artifacts into dedicated subdirectories at project setup time."
+  - "Set `enableCrossOsArchive: false` (default) and test on each OS independently."
+docs:
+  - url: "https://github.com/actions/toolkit/issues/713"
+    label: "actions/toolkit#713 — Cache: excluding files or folders with ! not working"
+  - url: "https://github.com/actions/cache/blob/main/tips-and-workarounds.md"
+    label: "actions/cache — Tips and workarounds"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows"
+    label: "Caching dependencies to speed up workflows"

package/errors/known-unsolved/composite-action-env-not-updated-on-reuse.yml

@@ -0,0 +1,114 @@
+id: known-unsolved-013
+title: "GITHUB_ENV Set in Composite Action Not Updated on Repeated Calls in Same Job"
+category: known-unsolved
+severity: silent-failure
+tags:
+  - composite-action
+  - GITHUB_ENV
+  - env-var
+  - repeated-calls
+  - known-limitation
+patterns:
+  - regex: "echo.*>>\\s*\\$GITHUB_ENV"
+    flags: "i"
+  - regex: "GITHUB_ENV.*composite"
+    flags: "i"
+error_messages:
+  - "environment variable not updated on second call"
+  - "variable retains value from first call"
+root_cause: |
+  When a composite action sets an environment variable by appending to $GITHUB_ENV,
+  that variable is propagated to the parent job context after the composite action
+  completes. On the first call this works correctly. However, if the same composite
+  action is called a second time in the same job, the GITHUB_ENV write succeeds
+  internally but the parent job environment variable retains the value from the
+  first call.
+
+  This is a known platform limitation: GITHUB_ENV writes from within composite
+  actions are processed at step-boundary transitions. On repeated calls to the
+  same composite action in the same job, the runner does not re-apply the env
+  file changes correctly for variables already set — the first written value
+  persists for the job duration.
+
+  The limitation affects parameterized composite actions used as reusable units
+  that produce environment state, especially when called in loops, matrices, or
+  sequential steps with different inputs.
+
+  GitHub has not fixed this behavior; the recommended migration path is to use
+  GITHUB_OUTPUT instead of GITHUB_ENV for composite action outputs.
+fix: |
+  Replace $GITHUB_ENV writes with $GITHUB_OUTPUT writes inside composite actions.
+  Step outputs are properly scoped per-invocation and do not have the repeated-call
+  limitation. Read the output in the calling workflow using steps.<id>.outputs.<name>.
+
+  If environment variables are strictly required at the job level, set them in the
+  calling workflow from the composite action outputs, not inside the composite action.
+fix_code:
+  - language: yaml
+    label: "BROKEN composite action — GITHUB_ENV silently not updated on 2nd call"
+    code: |
+      # my-action/action.yml
+      inputs:
+        label:
+          required: true
+      runs:
+        using: composite
+        steps:
+          - run: echo "MY_LABEL=${{ inputs.label }}" >> $GITHUB_ENV
+            shell: bash
+      # Calling workflow:
+      # steps:
+      #   - uses: ./my-action
+      #     with: { label: "first" }   # MY_LABEL = "first" ✓
+      #   - uses: ./my-action
+      #     with: { label: "second" }  # MY_LABEL still "first" — silent bug!
+  - language: yaml
+    label: "CORRECT composite action — use GITHUB_OUTPUT"
+    code: |
+      # my-action/action.yml
+      inputs:
+        label:
+          required: true
+      outputs:
+        label:
+          description: "The resolved label"
+          value: ${{ steps.set.outputs.label }}
+      runs:
+        using: composite
+        steps:
+          - id: set
+            run: echo "label=${{ inputs.label }}" >> $GITHUB_OUTPUT
+            shell: bash
+  - language: yaml
+    label: "CORRECT calling workflow — propagate to env if needed"
+    code: |
+      steps:
+        - id: first
+          uses: ./my-action
+          with:
+            label: build-${{ github.sha }}
+
+        - id: second
+          uses: ./my-action
+          with:
+            label: deploy-${{ github.sha }}
+
+        - name: Use outputs from both calls
+          env:
+            FIRST_LABEL: ${{ steps.first.outputs.label }}
+            SECOND_LABEL: ${{ steps.second.outputs.label }}
+          run: |
+            echo "First: $FIRST_LABEL"
+            echo "Second: $SECOND_LABEL"
+prevention:
+  - "Never use $GITHUB_ENV in composite actions that may be called more than once per job."
+  - "Migrate all composite action side effects from GITHUB_ENV to GITHUB_OUTPUT."
+  - "Test composite actions by calling them twice in the same job to catch this bug early."
+  - "Prefer outputs over env-var side effects for cleaner and predictable reuse semantics."
+docs:
+  - url: "https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#outputs-for-composite-actions"
+    label: "Outputs for composite actions"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable"
+    label: "Workflow commands — setting an environment variable"
+  - url: "https://github.com/actions/runner/issues/789"
+    label: "actions/runner#789 — GITHUB_ENV does not update when running composite actions multiple times"

package/errors/runner-environment/az-powershell-14-to-15-breaking.yml

@@ -0,0 +1,108 @@
+id: runner-environment-034
+title: "Azure PowerShell Az Module Upgraded from 14.x to 15.x on All Runner Images"
+category: runner-environment
+severity: error
+tags:
+  - azure
+  - powershell
+  - az-module
+  - breaking-change
+  - runner-image
+  - migration
+patterns:
+  - regex: "Az\\.(?:Accounts|Compute|Storage|Network|Resources|KeyVault|Sql|Monitor).*not recognized|The term '.*-Az.*' is not recognized"
+    flags: "i"
+  - regex: "Install-Module.*Az.*RequiredVersion.*14"
+    flags: "i"
+  - regex: "Get-AzVM|Set-AzVMExtension|New-AzResourceGroup.*parameter.*was not found|does not exist in the cmdlet"
+    flags: "i"
+  - regex: "CommandNotFoundException.*Az\\.|ParameterBindingException.*Az\\."
+    flags: "i"
+error_messages:
+  - "The term 'Get-AzXxx' is not recognized as a name of a cmdlet"
+  - "A parameter cannot be found that matches parameter name"
+  - "Cannot process argument transformation on parameter"
+  - "Object reference not set to an instance of an object"
+root_cause: |
+  The Azure PowerShell (Az) module was upgraded from version 14.6.0 to 15.6.1 on all
+  GitHub-hosted runner images beginning June 8, 2026 (completing June 15, 2026).
+  This is a major version bump (14 → 15) and includes breaking changes:
+
+  - **Removed cmdlets**: Several deprecated cmdlets from Az 14.x were dropped with no
+    backward-compatible alias.
+  - **Parameter changes**: Some cmdlets have altered parameter names, types, or
+    removed optional parameters that were previously accepted.
+  - **Output type changes**: Return objects from certain cmdlets have changed shape,
+    breaking pipeline expressions like `(Get-AzXxx).Property`.
+  - **ARM64 images affected disproportionately**: windows-11-arm64 and
+    windows-11-vs2026-arm64 jumped from Az 12.5.0 directly to 15.6.1 — a 3-major-version
+    leap with significantly more accumulated breaking changes.
+
+  Unlike other software installed on runner images, the Az PowerShell module does NOT
+  have an LTS version — only the latest release receives security fixes and support.
+  Microsoft discontinued support for Az 14.x as of the 15.x release cycle.
+
+  The runner images affected and their before/after versions:
+  - ubuntu-22.04, ubuntu-24.04, macos-14/15/26, windows-2022/2025/2025-vs2026: 14.6.0 → 15.6.1
+  - windows-11-arm64, windows-11-vs2026-arm64: 12.5.0 → 15.6.1
+
+  Source: actions/runner-images#14104
+fix: |
+  **Option 1 — Pin to Az 14.6.0** (temporary fix while migrating):
+  Add an explicit Install-Module step at the start of any job using Az cmdlets.
+
+  **Option 2 — Migrate to Az 15.x** (recommended long-term):
+  Review the Az 15.x migration guide and update scripts to use the new cmdlet names,
+  parameters, and output types. Run `Get-AzVersion` to confirm the version in use.
+
+  **Diagnosis**: Use `Get-Module -Name Az.* -ListAvailable | Select Name, Version` to
+  confirm which Az module version is installed on the current runner.
+fix_code:
+  - language: yaml
+    label: "Pin Az module to 14.6.0 for immediate rollback"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Pin Azure PowerShell to 14.6.0
+              shell: pwsh
+              run: |
+                Install-Module -Name Az -RequiredVersion 14.6.0 -Force -AllowClobber -Scope CurrentUser
+                Import-Module Az -RequiredVersion 14.6.0
+
+            - name: Azure login
+              uses: azure/login@v2
+              with:
+                client-id: ${{ secrets.AZURE_CLIENT_ID }}
+                tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+                subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+            - name: Run Azure operations
+              shell: pwsh
+              run: |
+                # Your existing Az 14.x scripts
+                Get-AzVM -ResourceGroupName $env:RG_NAME
+  - language: yaml
+    label: "Verify installed Az version (diagnosis step)"
+    code: |
+      - name: Check Az module version
+        shell: pwsh
+        run: |
+          Get-Module -Name Az.Accounts -ListAvailable | Select-Object Name, Version
+          Get-AzVersion
+prevention:
+  - "Subscribe to actions/runner-images announcements to get advance warning of Az module version changes."
+  - "Pin the Az module version explicitly in all CI workflows using `Install-Module -RequiredVersion` rather than relying on the runner image default."
+  - "Test Az-based workflows against the new version by temporarily installing Az 15.x before the runner image rollout date."
+  - "Review the Az 15.x migration guide (https://learn.microsoft.com/en-us/powershell/azure/migrate-az-15.0.0) when upgrading."
+  - "Use `Get-AzVersion` at the start of troublesome workflows to emit the exact Az version to logs."
+docs:
+  - url: "https://github.com/actions/runner-images/issues/14104"
+    label: "runner-images#14104 — Az module update announcement (14.6.0 → 15.6.1)"
+  - url: "https://learn.microsoft.com/en-us/powershell/azure/migrate-az-15.0.0"
+    label: "Az 15.x migration guide"
+  - url: "https://learn.microsoft.com/en-us/powershell/azure/azureps-support-lifecycle"
+    label: "Az PowerShell support lifecycle"
+  - url: "https://learn.microsoft.com/en-us/powershell/azure/release-notes-azureps"
+    label: "Az PowerShell release notes"

package/errors/runner-environment/ubuntu-2204-precached-docker-removed.yml

@@ -0,0 +1,110 @@
+id: runner-environment-035
+title: "ubuntu-22.04 Pre-Cached Docker Images Removed — Cold Pulls Now Required"
+category: runner-environment
+severity: warning
+tags:
+  - ubuntu
+  - docker
+  - pre-cached
+  - runner-image
+  - pull-rate
+  - performance
+patterns:
+  - regex: "Unable to find image '.*' locally"
+    flags: "i"
+  - regex: "Pulling from (?:library/)?(?:node|python|postgres|redis|mysql|nginx|ubuntu|alpine).*\nDigest:"
+    flags: "im"
+  - regex: "docker: Error response from daemon.*manifest.*not found"
+    flags: "i"
+error_messages:
+  - "Unable to find image 'node:lts-alpine' locally"
+  - "Unable to find image 'postgres:15' locally"
+  - "Unable to find image 'redis:7-alpine' locally"
+  - "Pulling from library/node"
+  - "Pulling from library/postgres"
+root_cause: |
+  Starting January 12, 2026, GitHub removed all pre-cached Docker images from the
+  ubuntu-22.04 runner image to address disk space limits. Previously, commonly used
+  Docker images (node, postgres, redis, mysql, python, nginx, alpine, etc.) were
+  pre-pulled into the runner's local Docker image cache, so `docker pull` or
+  `docker run` on those images started immediately without a network pull.
+
+  After the change, ALL Docker images must be pulled from the registry at runtime.
+  This has two main effects:
+
+  1. **Longer job times**: Cold pulls for large images (node, python, postgres) add
+     30-120+ seconds per job depending on image size and registry speed.
+
+  2. **DockerHub rate limit exposure**: Workflows that previously never hit the
+     DockerHub anonymous pull rate limit (100 pulls/6h per IP) may now exceed it
+     once caching is removed — especially on parallel matrix jobs all pulling the
+     same image from the same runner subnet IP.
+
+  The change only affects ubuntu-22.04. Ubuntu 24.04 and other images were not
+  pre-caching Docker images in the same way.
+
+  Source: actions/runner-images#13472
+fix: |
+  **Option 1 — Authenticate to DockerHub** to raise the rate limit to 200 pulls/6h
+  (free account) or unlimited (Pro/Team).
+
+  **Option 2 — Use GitHub Container Registry (ghcr.io)** for your own images —
+  these never count against DockerHub rate limits and pull faster from GitHub runners.
+
+  **Option 3 — Upgrade to ubuntu-24.04** if the workflow is not tied to ubuntu-22.04
+  specific packages. The 24.04 image has current tooling and better long-term support.
+
+  **Option 4 — Add a docker/login-action step** before any Docker operations to
+  authenticate even with a free DockerHub account, which 2x the anonymous rate limit.
+fix_code:
+  - language: yaml
+    label: "Authenticate to DockerHub to avoid rate limits on ubuntu-22.04"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-22.04
+          steps:
+            - name: Log in to DockerHub
+              uses: docker/login-action@v3
+              with:
+                username: ${{ secrets.DOCKERHUB_USERNAME }}
+                password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+            - name: Run tests with Postgres
+              run: |
+                docker run --rm -d -p 5432:5432 \
+                  -e POSTGRES_PASSWORD=test \
+                  postgres:15-alpine
+  - language: yaml
+    label: "Use GitHub Container Registry instead of DockerHub"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-22.04
+          permissions:
+            packages: read
+          steps:
+            - name: Log in to GHCR
+              uses: docker/login-action@v3
+              with:
+                registry: ghcr.io
+                username: ${{ github.actor }}
+                password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Run service container from GHCR
+              run: docker run --rm ghcr.io/myorg/my-image:latest
+prevention:
+  - "Authenticate to DockerHub in all workflows that pull images on ubuntu-22.04 runners."
+  - "Consider migrating ubuntu-22.04 workflows to ubuntu-24.04 — it's the current default and avoids this issue."
+  - "Prefer GitHub Container Registry (ghcr.io) for your own images to eliminate DockerHub rate limits entirely."
+  - "Use `docker/login-action` as a standard first step in any workflow that involves Docker image pulls."
+  - "Monitor job durations after runner image updates — unexpected slowdowns often signal a caching change."
+docs:
+  - url: "https://github.com/actions/runner-images/issues/13472"
+    label: "runner-images#13472 — ubuntu-22.04 pre-cached Docker images removal announcement"
+  - url: "https://github.com/actions/runner-images/issues/1445"
+    label: "runner-images#1445 — DockerHub pull rate limit discussion"
+  - url: "https://docs.docker.com/docker-hub/download-rate-limit/"
+    label: "DockerHub pull rate limits documentation"
+  - url: "https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry"
+    label: "Working with GitHub Container Registry (ghcr.io)"

package/errors/runner-environment/windows-msvc-ltcg-mixed-image-versions.yml

@@ -0,0 +1,112 @@
+id: runner-environment-036
+title: "Windows MSVC LTCG Linker Fails When Jobs in Same Run Receive Different Image Versions"
+category: runner-environment
+severity: error
+tags:
+  - windows
+  - msvc
+  - ltcg
+  - linker
+  - runner-image
+  - build
+  - vs2026
+patterns:
+  - regex: "C1900.*Il mismatch between 'P1' version.*and 'P2' version"
+    flags: "i"
+  - regex: "LNK1257.*code generation failed"
+    flags: "i"
+  - regex: "LNK2001.*unresolved external symbol __std_"
+    flags: "i"
+  - regex: "fatal error C1900"
+    flags: "i"
+error_messages:
+  - "EXEC : fatal error C1900: Il mismatch between 'P1' version '20251208' and 'P2' version '20250730'"
+  - "LINK : fatal error LNK1257: code generation failed"
+  - "skia.lib(...) : error LNK2001: unresolved external symbol __std_minmax_element_f_"
+  - "skia.lib(...) : error LNK2001: unresolved external symbol __std_max_element_2u"
+root_cause: |
+  GitHub Actions does not guarantee that all jobs within a single workflow run receive
+  the same concrete runner image version. When a runner image is being rolled out
+  (e.g., during a VS 2026 update or patch cycle), some jobs may be assigned to runners
+  with image version 20260510.103.1 while others receive 20260518.113.1 — even for
+  jobs with the same `runs-on: windows-2025-vs2026` label.
+
+  This becomes a hard build failure for workflows that use MSVC Link-Time Code
+  Generation (LTCG / /GL):
+  - Job A (build) compiles .obj and .lib files with /GL on image version X
+    → MSVC compiler emits Intermediate Language (IL) artifacts stamped with version X.
+  - Job B (link) downloads those artifacts and attempts to link them using /LTCG on
+    image version Y (a different MSVC toolset patch version).
+  - MSVC detects the IL version mismatch (C1900) and aborts: the IL produced by
+    one toolset cannot be consumed by a different toolset version.
+
+  The same failure can occur for any build pipeline that:
+  - Splits compilation and linking across separate jobs
+  - Uses artifact upload/download to pass compiled objects between jobs
+  - Relies on LTCG, MSVC STL internals, or other IL-sensitive optimizations
+
+  This is a known limitation of the GitHub Actions runner assignment model — image
+  rollouts are gradual across the runner pool, and job assignments are not pinned
+  to a specific image version within a run.
+
+  Source: actions/runner-images#14140
+fix: |
+  **Option 1 — Combine compile and link in a single job** so all MSVC operations
+  run on the same runner image. This eliminates the cross-image artifact transfer.
+
+  **Option 2 — Disable LTCG for CI builds** (/GL is a release optimization; most
+  CI builds only need it for final release binaries, not PRs or branch builds).
+
+  **Option 3 — Add MSVC toolset version check** in the link job to detect mismatches
+  before the link fails, and fail fast with a clear diagnostic message.
+
+  **Option 4 — Use a self-hosted runner** with a pinned image version for builds
+  that require LTCG across jobs.
+fix_code:
+  - language: yaml
+    label: "Combine compile and link in one job to avoid image mismatch"
+    code: |
+      jobs:
+        build-and-link:
+          runs-on: windows-2025-vs2026
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure CMake
+              run: cmake -B build -DCMAKE_BUILD_TYPE=Release
+
+            # Compile AND link in the same job — same image version guaranteed
+            - name: Build (compile + link)
+              run: cmake --build build --config Release
+  - language: yaml
+    label: "Disable LTCG on CI builds, enable only for release"
+    code: |
+      jobs:
+        build:
+          runs-on: windows-2025-vs2026
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build without LTCG (CI)
+              # Pass -DNO_LTCG=1 or equivalent CMake flag to disable /GL and /LTCG
+              # LTCG is only enabled in the separate release workflow
+              run: cmake -B build -DCMAKE_BUILD_TYPE=Release -DENABLE_LTCG=OFF
+              env:
+                # Alternatively: override CFLAGS/CXXFLAGS directly
+                CFLAGS: /O2     # Optimize without /GL
+                CXXFLAGS: /O2
+prevention:
+  - "Never split MSVC compilation and LTCG linking across separate jobs that upload/download artifacts."
+  - "Disable /GL (LTCG) in CI builds — reserve it for final release artifact builds on a single job."
+  - "Monitor runner image rollout announcements; if a new Windows image version is being deployed, LTCG cross-job builds are at risk during the rollout window."
+  - "Add a MSVC version check step at the start of link jobs to emit the toolset version to logs for post-failure diagnosis."
+  - "Use self-hosted runners with pinned image versions for release builds that require LTCG across jobs."
+docs:
+  - url: "https://github.com/actions/runner-images/issues/14140"
+    label: "runner-images#14140 — MSVC LTCG linker failure from mixed image versions in same run"
+  - url: "https://learn.microsoft.com/en-us/cpp/build/reference/gl-whole-program-optimization"
+    label: "MSVC /GL (Whole Program Optimization) documentation"
+  - url: "https://learn.microsoft.com/en-us/cpp/build/reference/ltcg-link-time-code-generation"
+    label: "MSVC /LTCG (Link-Time Code Generation) documentation"
+  - url: "https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners"
+    label: "About GitHub-hosted runners"

package/errors/silent-failures/app-store-ios26-sdk-required.yml

@@ -0,0 +1,113 @@
+id: silent-failures-017
+title: "iOS App Store Upload Fails Silently — macOS-latest Uses Xcode 16.4 but Apple Requires iOS 26 SDK"
+category: silent-failures
+severity: silent-failure
+tags:
+  - macos
+  - xcode
+  - ios
+  - app-store
+  - sdk
+  - silent-failure
+  - apple
+patterns:
+  - regex: "built with the iOS (?:18|17|16)\\.\\d SDK"
+    flags: "i"
+  - regex: "must be built with the iOS 26 SDK or later.*App Store"
+    flags: "i"
+  - regex: "Invalid Toolchain.*iOS.*SDK.*required"
+    flags: "i"
+  - regex: "ITMS-90725|ITMS-90206"
+    flags: "i"
+error_messages:
+  - "This app was built with the iOS 18.5 SDK. All iOS and iPadOS apps must be built with the iOS 26 SDK or later in order to be uploaded to App Store Connect."
+  - "ERROR ITMS-90725: SDK Version Issue - This app was built with the iOS 18.5 SDK"
+  - "Invalid Toolchain. New apps and app updates must be built with the public iOS 26 SDK or later"
+root_cause: |
+  Apple requires that all new iOS/iPadOS App Store submissions be built with the
+  iOS 26 SDK or later (enforced starting mid-2026). However, `macos-latest` currently
+  points to macOS 15 (until the macOS 26 migration completes in July 2026), and
+  macOS 15 runner images ship with Xcode 16.4 as the default — which includes the
+  iOS 18.5 SDK, NOT the iOS 26 SDK.
+
+  The failure is a classic silent-failure pattern:
+  - The build step SUCCEEDS with zero errors or warnings.
+  - The archive step SUCCEEDS.
+  - The upload/export to App Store Connect FAILS with the SDK version error.
+  - Because the failure occurs at the distribution stage (not compilation), it
+    can be misdiagnosed as a signing, provisioning, or network issue.
+
+  Workflows that use `uses: maxim-lobanov/setup-xcode` with an explicit 16.x version,
+  or that rely on `macos-latest` defaults without explicit Xcode pinning, will
+  silently produce an .ipa or .xcarchive that cannot be submitted to App Store Connect.
+
+  After the `macos-latest` migration to macOS 26 completes (July 15, 2026), the default
+  Xcode will be 26.4.1+, which includes the iOS 26 SDK and resolves this issue.
+  Until then, explicit Xcode pinning is required.
+
+  Source: actions/runner-images#14165
+fix: |
+  **Immediate fix**: Pin Xcode to 26.x explicitly using `maxim-lobanov/setup-xcode`
+  before any build or archive steps. Use `macos-26` as the runner to ensure Xcode 26
+  is available.
+
+  **For teams not ready to migrate to Xcode 26**: Use `macos-26` and pin to Xcode 26.4.1
+  or later — this is required by Apple regardless of code changes.
+
+  **Verify the SDK in use** by adding `xcodebuild -showsdks` before the build step.
+fix_code:
+  - language: yaml
+    label: "Pin to macOS 26 + Xcode 26 for App Store submissions"
+    code: |
+      jobs:
+        release:
+          runs-on: macos-26   # Explicit: don't rely on macos-latest during transition
+          steps:
+            - uses: actions/checkout@v4
+
+            # Explicitly select Xcode 26 (includes iOS 26 SDK required by App Store)
+            - uses: maxim-lobanov/setup-xcode@v1
+              with:
+                xcode-version: '26.4'   # or '26.5' once generally available
+
+            - name: Verify SDK
+              run: xcodebuild -showsdks | grep -i iphoneos
+
+            - name: Archive
+              run: |
+                xcodebuild archive \
+                  -scheme MyApp \
+                  -archivePath $RUNNER_TEMP/MyApp.xcarchive \
+                  -destination generic/platform=iOS
+
+            - name: Export for App Store
+              run: |
+                xcodebuild -exportArchive \
+                  -archivePath $RUNNER_TEMP/MyApp.xcarchive \
+                  -exportOptionsPlist ExportOptions.plist \
+                  -exportPath $RUNNER_TEMP/MyApp.ipa
+  - language: yaml
+    label: "Check installed Xcode versions and default SDK (diagnosis)"
+    code: |
+      - name: Diagnose Xcode and SDK versions
+        run: |
+          echo "=== Default Xcode ==="
+          xcode-select -p
+          xcodebuild -version
+          echo "=== Available SDKs ==="
+          xcodebuild -showsdks | grep -i iphone
+prevention:
+  - "Never rely on `macos-latest` default Xcode for App Store release builds — always pin the Xcode version explicitly."
+  - "Use `xcodebuild -showsdks` as an early workflow step to emit the active iOS SDK version to logs."
+  - "Run a smoke test of the App Store export (not just the build) in CI to catch SDK requirement errors before manual submission."
+  - "Subscribe to Apple Developer news for SDK requirement enforcement dates and plan runner image migrations in advance."
+  - "Pin `runs-on: macos-26` explicitly rather than `macos-latest` for release workflows during the macOS version transition period."
+docs:
+  - url: "https://github.com/actions/runner-images/issues/14165"
+    label: "runner-images#14165 — macOS-latest Xcode 16.4 breaks App Store submissions"
+  - url: "https://github.com/actions/runner-images/issues/14167"
+    label: "runner-images#14167 — macos-latest will use macos-26 in June 2026"
+  - url: "https://github.com/maxim-lobanov/setup-xcode"
+    label: "maxim-lobanov/setup-xcode — Pin Xcode version in workflows"
+  - url: "https://developer.apple.com/news/releases/"
+    label: "Apple Developer News — SDK requirement announcements"

package/errors/silent-failures/continue-on-error-failure-fn-bypassed.yml

@@ -0,0 +1,90 @@
+id: silent-failures-016
+title: "failure() Returns false After continue-on-error Step"
+category: silent-failures
+severity: silent-failure
+tags:
+  - continue-on-error
+  - failure
+  - status-functions
+  - error-handler
+  - silent-failure
+patterns:
+  - regex: "continue-on-error:\\s*true"
+    flags: "i"
+  - regex: "if:\\s*(\\$\\{\\{\\s*)?failure\\(\\)"
+    flags: "i"
+error_messages:
+  - "Skipping step: due to a failed condition"
+root_cause: |
+  When a step has `continue-on-error: true` and that step fails, GitHub Actions
+  records the step outcome as failure but immediately converts the job aggregate
+  status back to success before evaluating the next step. This means that
+  failure() in a subsequent step's if condition evaluates to false — the runner
+  sees the job as currently-successful, not currently-failed.
+
+  The continue-on-error flag was designed to allow a job to proceed past a failing
+  step, but the side effect is that it consumes the failure signal from all
+  status-check functions. Developers commonly write error-handler steps using
+  if: failure(), expecting them to trigger when the prior step fails, but this
+  pattern silently breaks when continue-on-error: true is present on that prior step.
+
+  The step individual outcome context (steps.<id>.outcome) is the only reliable
+  way to detect the specific step result after continue-on-error.
+fix: |
+  Replace if: failure() with if: steps.<step_id>.outcome == 'failure' when
+  writing error handlers for specific steps that use continue-on-error: true.
+  The steps.<id>.outcome context holds the actual step result regardless of
+  job-level status modifications.
+fix_code:
+  - language: yaml
+    label: "WRONG — failure() never triggers after continue-on-error"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle failure
+          if: failure()      # NEVER RUNS — job status was reset to success
+          run: ./notify-on-failure.sh
+  - language: yaml
+    label: "CORRECT — check specific step outcome"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle failure
+          if: steps.risky.outcome == 'failure'
+          run: ./notify-on-failure.sh
+
+        - name: Continue regardless
+          run: echo "Job continues either way"
+  - language: yaml
+    label: "CORRECT — combine with always() for comprehensive guards"
+    code: |
+      steps:
+        - name: Risky operation
+          id: risky
+          continue-on-error: true
+          run: ./might-fail.sh
+
+        - name: Handle step failure
+          if: always() && steps.risky.outcome == 'failure'
+          run: |
+            echo "::warning::Risky operation failed"
+            echo "## Failed" >> $GITHUB_STEP_SUMMARY
+prevention:
+  - "Never use if: failure() as handler for a step with continue-on-error: true — use steps.<id>.outcome."
+  - "Reserve failure() for handlers that should trigger on any upstream job failure."
+  - "Add step IDs to all continue-on-error steps so outcome checking is always possible."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-conditions-to-control-job-execution"
+    label: "Using conditions to control job execution"
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error"
+    label: "continue-on-error workflow syntax"
+  - url: "https://github.com/actions/toolkit/issues/1034"
+    label: "actions/toolkit#1034 — Wrong behaviour combining continue-on-error and failure()"

package/errors/silent-failures/if-mixed-expression-always-true.yml

@@ -0,0 +1,71 @@
+id: silent-failures-015
+title: "Mixing ${{ }} Interpolation Inside if: Condition Causes Step to Always Run"
+category: silent-failures
+severity: silent-failure
+tags:
+  - if-condition
+  - expression
+  - interpolation
+  - always-runs
+  - silent-failure
+patterns:
+  - regex: "if:.*==.*'[^']*\\$\\{\\{[^}]+\\}\\}[^']*'"
+    flags: "i"
+  - regex: "if:.*'[^']*\\$\\{\\{[^}]+\\}\\}[^']*'.*=="
+    flags: "i"
+error_messages:
+  - "step runs unexpectedly even when condition should be false"
+  - "if condition always evaluates true"
+root_cause: |
+  When the `if:` field contains BOTH bare comparison operators AND a `${{ }}`
+  interpolation fragment within a quoted string (e.g.,
+  `if: github.ref == 'refs/heads/${{ env.BRANCH }}'`), GitHub Actions wraps the
+  entire bare-string value in `${{ ... }}` for expression evaluation. This makes
+  the outer expression evaluate the literal string
+  `"github.ref == 'refs/heads/main'"` — a non-empty string — which is always truthy.
+
+  The runner does not parse the embedded `${{ }}` fragment as an inner expression;
+  it only processes the outer auto-wrap. The result is that the step runs on every
+  trigger regardless of the actual comparison result — a textbook silent failure
+  since the workflow file looks syntactically correct and no error is emitted.
+fix: |
+  Wrap the ENTIRE `if:` condition in `${{ }}` so the runner treats it as an
+  expression from the start. Use the `format()` function or direct context
+  comparisons instead of embedding `${{ }}` inside quoted strings.
+fix_code:
+  - language: yaml
+    label: "WRONG — mixed interpolation, step always runs"
+    code: |
+      env:
+        TARGET_BRANCH: main
+      steps:
+        - name: Deploy to production
+          # This ALWAYS runs — the string is truthy regardless of branch
+          if: github.ref == 'refs/heads/${{ env.TARGET_BRANCH }}'
+          run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — wrap entire condition in ${{ }}"
+    code: |
+      env:
+        TARGET_BRANCH: main
+      steps:
+        - name: Deploy to production
+          if: ${{ github.ref == format('refs/heads/{0}', env.TARGET_BRANCH) }}
+          run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — direct string literal comparison"
+    code: |
+      steps:
+        - name: Deploy to production
+          if: ${{ github.ref == 'refs/heads/main' }}
+          run: ./deploy.sh
+prevention:
+  - "Never embed `${{ }}` fragments inside quoted strings within `if:` — always wrap the entire condition."
+  - "Lint workflows with `actionlint` — it flags mixed expression/literal patterns in `if:` fields."
+  - "Prefer `format()` or direct context references over string interpolation in conditionals."
+  - "Test conditions on branches that should NOT match to verify they don't run."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions"
+    label: "Evaluate expressions in workflows and actions"
+  - url: "https://github.com/actions/runner/issues/1173"
+    label: "actions/runner#1173 — If condition always evaluated as true when containing ${{ }} inside"

package/errors/yaml-syntax/needs-skipped-if-requires-always.yml

@@ -0,0 +1,100 @@
+id: yaml-syntax-018
+title: "Job if: Condition Skipped When Needed Job Is Skipped — Requires always() &&"
+category: yaml-syntax
+severity: error
+tags:
+  - needs
+  - skipped
+  - if-condition
+  - always
+  - job-level
+patterns:
+  - regex: "needs.*result.*skipped"
+    flags: "i"
+  - regex: "if:.*needs\\.[a-z_-]+\\.outputs"
+    flags: "i"
+error_messages:
+  - "Skipping job: due to job needs not meeting conditions"
+  - "Job was skipped"
+root_cause: |
+  When a job declares `needs: [job_a, job_b]` and any of those upstream jobs is in
+  a `skipped` state, GitHub Actions propagates the skip to the dependent job by
+  default — even when that job has its own `if:` condition that evaluates to `true`.
+
+  GitHub Actions imposes an implicit rule: all `needs` jobs must have
+  `result == 'success'` unless the dependent job's condition explicitly overrides
+  the check. A skipped upstream job does NOT satisfy the implicit success requirement.
+  The `if:` condition is NOT evaluated as a full override — it is only evaluated
+  AFTER the implicit needs-success check passes, so if that check fails the `if:`
+  is never reached.
+
+  The fix is `always() &&` at the start of the `if:` condition, which bypasses the
+  implicit needs-success requirement and forces the runner to evaluate the full condition.
+fix: |
+  Prepend `always() &&` to any job-level `if:` where an upstream `needs` job may be
+  legitimately skipped. Alternatively, explicitly allow skipped results:
+  `needs.job_name.result == 'success' || needs.job_name.result == 'skipped'`.
+fix_code:
+  - language: yaml
+    label: "WRONG — deploy skipped even though if evaluates true"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          outputs:
+            should_deploy: ${{ steps.check.outputs.deploy }}
+          steps:
+            - id: check
+              run: echo "deploy=true" >> $GITHUB_OUTPUT
+
+        integration-tests:
+          needs: build
+          if: ${{ needs.build.outputs.should_deploy == 'false' }}
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "optional integration tests"
+
+        deploy:
+          needs: [build, integration-tests]
+          # PROBLEM: integration-tests was skipped → deploy is also skipped
+          # even though the condition below is true
+          if: ${{ needs.build.outputs.should_deploy == 'true' }}
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — prepend always() to force evaluation"
+    code: |
+      jobs:
+        deploy:
+          needs: [build, integration-tests]
+          if: always() && needs.build.outputs.should_deploy == 'true'
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+  - language: yaml
+    label: "CORRECT — explicit skipped result check"
+    code: |
+      jobs:
+        deploy:
+          needs: [build, integration-tests]
+          if: |
+            always() &&
+            needs.build.result == 'success' &&
+            (needs.integration-tests.result == 'success' ||
+             needs.integration-tests.result == 'skipped')
+          runs-on: ubuntu-latest
+          steps:
+            - run: ./deploy.sh
+prevention:
+  - "Add `always() &&` to any job `if:` condition where upstream `needs` jobs may be skipped."
+  - "Treat a skipped upstream need as equivalent to a failed need unless `always()` is used."
+  - "Map your workflow DAG — anywhere a branch is optionally skipped, downstream jobs need `always()`."
+  - "Use `actionlint` to surface potential needs/if interaction issues statically."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idif"
+    label: "jobs.<job_id>.if — Workflow syntax"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-conditions-to-control-job-execution#using-status-check-functions"
+    label: "Using status check functions (always, failure, success, cancelled)"
+  - url: "https://github.com/actions/runner/issues/491"
+    label: "actions/runner#491 — Job if condition not evaluated correctly if needs job is skipped"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.12",
+  "version": "1.0.14",
   "description": "65+ real GitHub Actions errors, queryable by agents. MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",