@htekdev/actions-debugger 1.0.24 → 1.0.25

package/errors/known-unsolved/environment-deployment-false-custom-protection.yml

@@ -0,0 +1,93 @@
+id: known-unsolved-029
+title: "deployment:false environment key incompatible with custom deployment protection rules"
+category: known-unsolved
+severity: limitation
+tags:
+  - environment
+  - deployment
+  - protection-rules
+  - custom-deployment-protection
+  - no-fix
+
+patterns:
+  - regex: "You cannot (use|disable) deployment.*custom deployment protection"
+    flags: "i"
+  - regex: "deployment: false.*is not supported.*protection rule"
+    flags: "i"
+
+error_messages:
+  - "You cannot use deployment: false when a custom deployment protection rule is configured for this environment."
+  - "Environments with custom deployment protection rules require automatic deployment tracking. Remove deployment: false to proceed."
+
+root_cause: |
+  GitHub Actions added deployment: false as a new key for environments in March 2026
+  (changelog 2026-03-19). This key lets workflows use environment secrets and variables
+  without creating a GitHub Deployment record, which was a long-requested feature for
+  teams who want secrets management without polluting the Deployments tab.
+
+  However, the deployment: false key is fundamentally incompatible with custom deployment
+  protection rules. Custom deployment protection rules (third-party apps registered via
+  the GitHub API to gate deployments) rely on GitHub Deployment events being created —
+  the protection rule callback fires when a deployment is created, approves or rejects it,
+  and the workflow proceeds based on the response.
+
+  When deployment: false is set, no Deployment record is created, so there is no event
+  to trigger the custom protection rule callback. GitHub therefore blocks the combination
+  entirely rather than silently skipping the protection rule check, which could create
+  a security bypass.
+
+  This is a platform-level design constraint with no workaround. Teams that need custom
+  deployment protection rules cannot use deployment: false and must keep auto-deployment
+  enabled.
+
+fix: |
+  There is no workaround. If your environment uses a custom deployment protection rule
+  (a third-party app that approves or rejects deployments), you cannot use deployment: false.
+
+  Options:
+  1. Remove the custom deployment protection rule if it is no longer needed, then use
+     deployment: false to stop creating Deployment records.
+  2. Keep auto-deployment enabled (omit deployment: false) and accept that deployments
+     will appear in the Deployments tab.
+  3. Use a different secrets management strategy (repository secrets, organization secrets,
+     or HashiCorp Vault) if you want to avoid environment-scoped secrets entirely.
+
+fix_code:
+  - language: yaml
+    label: "Valid: deployment:false without custom protection rules"
+    code: |
+      # Works only when the environment has NO custom deployment protection rules
+      jobs:
+        deploy:
+          environment:
+            name: staging
+            deployment: false   # Suppresses Deployment record creation
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "Using ${{ secrets.STAGING_API_KEY }} without creating a deployment"
+
+  - language: yaml
+    label: "Required: keep deployment enabled when custom protection rules are configured"
+    code: |
+      # When a custom deployment protection rule (third-party app) is registered
+      # on the environment, omit deployment:false entirely
+      jobs:
+        deploy:
+          environment:
+            name: production   # Has custom protection rule — must create deployment
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "Deployment record created; custom protection rule fires and must approve"
+
+prevention:
+  - "Check environment settings in Settings > Environments before adding deployment: false to confirm no custom protection rules are registered."
+  - "Document which environments use custom protection rules so team members know deployment: false is unavailable for those environments."
+  - "If you need both secrets management and no deployment records, consider migrating secrets to organization-level secrets with repository access restrictions."
+
+docs:
+  - url: "https://github.blog/changelog/2026-03-19-github-actions-late-march-2026-updates/"
+    label: "GitHub Changelog 2026-03-19: Environments without auto-deployment (deployment: false)"
+  - url: "https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment-without-auto-deployment"
+    label: "GitHub Docs: Using an environment without auto-deployment"
+  - url: "https://docs.github.com/en/actions/deployment/protecting-deployments/creating-custom-deployment-protection-rules"
+    label: "GitHub Docs: Creating custom deployment protection rules"

package/errors/permissions-auth/checkout-v6-cross-repo-token-override.yml

@@ -0,0 +1,103 @@
+id: permissions-auth-029
+title: "checkout@v6 http.extraheader overrides inline token for cross-repository push"
+category: permissions-auth
+severity: error
+tags:
+  - checkout
+  - v6
+  - cross-repo
+  - extraheader
+  - token
+  - push
+  - persist-credentials
+
+patterns:
+  - regex: "remote: Permission to .+ denied to github-actions\\[bot\\]"
+    flags: "i"
+  - regex: "fatal: unable to access '.+': The requested URL returned error: 403"
+    flags: "i"
+  - regex: "The requested URL returned error: 403"
+    flags: "i"
+
+error_messages:
+  - "remote: Permission to org/other-repo.git denied to github-actions[bot]."
+  - "fatal: unable to access 'https://github.com/org/other-repo.git/': The requested URL returned error: 403"
+
+root_cause: |
+  checkout@v6 changed how credentials are stored compared to v4/v5. Instead of writing the
+  GITHUB_TOKEN directly into .git/config, v6 stores credentials in a separate file under
+  $RUNNER_TEMP and registers it via a git includeIf directive. This injects an
+  http.extraheader = Authorization: Bearer <GITHUB_TOKEN> for ALL https://github.com/ URLs.
+
+  When a workflow adds a second remote using an inline Personal Access Token (PAT) in the URL
+  (e.g., https://PAT@github.com/other-org/other-repo.git), git still sends the checkout-injected
+  Authorization header alongside the URL-embedded token. The injected GITHUB_TOKEN header takes
+  precedence over the URL-embedded PAT, and since GITHUB_TOKEN only has access to the current
+  repository, the push to the other repository is rejected with 403 Forbidden.
+
+  This regression is specific to workflows that push to repositories other than the one that
+  was checked out. Workflows that only interact with the current repository are unaffected.
+
+fix: |
+  Option 1 (recommended): Set persist-credentials: false in the checkout step. This prevents
+  checkout@v6 from injecting the extraheader entirely. Configure authentication explicitly in
+  subsequent steps using the token in the remote URL or via GH_TOKEN environment variable.
+
+  Option 2 (targeted): Explicitly unset the http extraheader before performing cross-repo
+  operations. Add a step that clears the auth override for github.com URLs before pushing
+  to the other repository.
+
+  Option 3 (fallback): Pin to checkout@v5 for workflows that require cross-repo push
+  until a v6 upstream fix is available (actions/checkout#2424 is open).
+
+fix_code:
+  - language: yaml
+    label: "Option 1: Disable persist-credentials to prevent extraheader injection"
+    code: |
+      steps:
+        - name: Checkout current repo
+          uses: actions/checkout@v6
+          with:
+            persist-credentials: false   # No extraheader injected; manual auth required
+
+        - name: Push tag to target repository
+          env:
+            TARGET_PAT: ${{ secrets.TARGET_REPO_PAT }}
+          run: |
+            # Token embedded in remote URL; no competing extraheader present
+            TARGET_REMOTE="https://x-access-token:${TARGET_PAT}@github.com/org/target-repo.git"
+            git remote add target "${TARGET_REMOTE}"
+            git tag -f nightly
+            git push -f target nightly
+
+  - language: yaml
+    label: "Option 2: Clear the injected extraheader before cross-repo operations"
+    code: |
+      steps:
+        - uses: actions/checkout@v6
+
+        # ... build steps ...
+
+        - name: Unset checkout extraheader for cross-repo push
+          run: git config --unset-all "http.https://github.com/.extraheader" || true
+
+        - name: Push tag to target repository
+          env:
+            TARGET_PAT: ${{ secrets.TARGET_REPO_PAT }}
+          run: |
+            git remote add target "https://x-access-token:${TARGET_PAT}@github.com/org/target-repo.git"
+            git push -f target nightly
+
+prevention:
+  - "Use persist-credentials: false on all checkout steps in workflows that interact with multiple repositories."
+  - "Avoid embedding tokens directly in remote URLs when checkout@v6 is used without persist-credentials:false."
+  - "Test cross-repo operations in a staging branch after upgrading from checkout@v4 or v5 to v6."
+  - "Check actions/checkout release notes for credential storage changes when upgrading major versions."
+
+docs:
+  - url: "https://github.com/actions/checkout/issues/2424"
+    label: "actions/checkout#2424: Unable to create tags in another repo with v6"
+  - url: "https://github.com/actions/checkout/releases/tag/v6.0.0"
+    label: "checkout@v6.0.0 release notes — persist-credentials storage change"
+  - url: "https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication"
+    label: "GitHub Docs: Automatic token authentication and GITHUB_TOKEN scopes"

package/errors/runner-environment/maven-gradle-403-cache-backend-outage.yml

@@ -0,0 +1,116 @@
+id: runner-environment-075
+title: "Maven/Gradle 403 Forbidden when GitHub Actions cache backend is degraded"
+category: runner-environment
+severity: error
+tags:
+  - maven
+  - gradle
+  - 403
+  - cache-backend
+  - outage
+  - rate-limit
+  - sonatype
+  - dependency-download
+
+patterns:
+  - regex: "Received status code 403 from server"
+    flags: "i"
+  - regex: "Could not transfer artifact .+ from .+ Forbidden"
+    flags: "i"
+  - regex: "Our services aren't available right now"
+    flags: "i"
+  - regex: "Received HTTP 403 from Maven Repository"
+    flags: "i"
+
+error_messages:
+  - "Could not transfer artifact org.springframework:spring-core:jar:6.1.0 from/to central (https://repo.maven.apache.org/maven2): Received status code 403 from server: Forbidden"
+  - "Received status code 403 from server: Forbidden"
+  - "Our services aren't available right now\nWe're working to restore all services as soon as possible. Please check back soon."
+  - "Exception in thread \"main\" org.gradle.api.UncheckedIOException: com.amazonaws.SdkClientException: Unable to execute HTTP request: The target server failed to respond"
+
+root_cause: |
+  GitHub Actions cache backend (actions/cache) is an eventually-consistent distributed storage
+  system. During degradation incidents, cache restore operations fail with the message
+  "Our services aren't available right now" and exit 0 (the job continues). Maven and Gradle
+  builds that normally cache artifacts under .m2/repository or .gradle/caches fall through
+  to downloading all dependencies directly from Maven Central (repo.maven.apache.org).
+
+  GitHub-hosted runners share IP address ranges across thousands of concurrent workflow runs.
+  During a cache backend outage, every affected build simultaneously requests artifacts
+  from Maven Central. Sonatype (which operates Maven Central) rate-limits abusive traffic
+  patterns from shared IP ranges, returning HTTP 403 Forbidden. This creates a cascading
+  failure: one cache service incident causes all Java/Kotlin/Scala CI pipelines to fail
+  until the cache backend recovers.
+
+  The failure is misleading because the error comes from Maven Central, not GitHub, so
+  developers often suspect repository permissions, network configuration, or Sonatype policy
+  changes rather than GitHub infrastructure.
+
+fix: |
+  Short-term: Check GitHub Status (githubstatus.com) for cache service incidents before
+  debugging Maven/Gradle configuration. Retry the workflow after the incident resolves.
+
+  Medium-term: Add Maven retry configuration to pom.xml or build.gradle to tolerate
+  transient 403/429 responses. Configure a secondary mirror as a fallback to reduce
+  direct Maven Central dependency.
+
+  Long-term: Host a private artifact cache (Nexus, Artifactory, or AWS CodeArtifact)
+  that proxies Maven Central. This prevents GitHub runner IP ranges from hitting Maven
+  Central directly and provides a stable fallback during GitHub cache outages.
+
+fix_code:
+  - language: yaml
+    label: "Workflow: Add retry wrapper step for Maven builds during cache degradation"
+    code: |
+      steps:
+        - uses: actions/cache@v4
+          id: maven-cache
+          with:
+            path: ~/.m2/repository
+            key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+            restore-keys: |
+              ${{ runner.os }}-maven-
+
+        - name: Check cache status and set retry flag
+          if: steps.maven-cache.outputs.cache-hit != 'true'
+          run: echo "MAVEN_OPTS=-Dmaven.artifact.threads=5" >> $GITHUB_ENV
+
+        - name: Build with Maven
+          run: mvn --batch-mode --no-transfer-progress -T 1C verify
+
+  - language: yaml
+    label: "Maven settings.xml: Add mirror fallback to reduce direct Maven Central load"
+    code: |
+      # .github/maven-settings.xml — add to repository root
+      # Reference in workflow: mvn -s .github/maven-settings.xml ...
+      #
+      # <settings>
+      #   <mirrors>
+      #     <mirror>
+      #       <id>central-mirror</id>
+      #       <mirrorOf>central</mirrorOf>
+      #       <url>https://repo1.maven.org/maven2/</url>
+      #     </mirror>
+      #   </mirrors>
+      # </settings>
+      #
+      # Then in workflow:
+      - name: Build with Maven (mirror fallback)
+        run: mvn -s .github/maven-settings.xml --batch-mode verify
+
+prevention:
+  - "Monitor githubstatus.com/history for GitHub Actions cache incidents before assuming build failures are configuration errors."
+  - "Add --no-transfer-progress to Maven commands to reduce output noise; add -Dmaven.artifact.threads=3 to reduce concurrent Central requests."
+  - "Configure restore-keys fallback in actions/cache so partial cache hits reduce Maven Central traffic."
+  - "Consider self-hosted Nexus or AWS CodeArtifact as a Maven Central proxy for production CI pipelines."
+  - "Add 'if: always()' or cache-miss detection to skip cache restore wait during known outages."
+
+docs:
+  - url: "https://github.com/actions/runner/issues/4180"
+    label: "actions/runner#4180: CI Runners Failing with 403 Forbidden for Maven/Gradle (75 reactions)"
+  - url: "https://www.githubstatus.com/"
+    label: "GitHub Status — check for Actions cache service incidents"
+  - url: "https://central.sonatype.org/faq/rate-limiting/"
+    label: "Sonatype Maven Central: Rate limiting and fair use policy"
+  - url: "https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows"
+    label: "GitHub Docs: Caching dependencies to speed up workflows"

package/errors/silent-failures/undefined-env-expression-empty-string-silent.yml

@@ -12,7 +12,7 @@ tags:
 patterns:
   - regex: '\$\{\{\s*env\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}'
     flags: "i"
-  - regex: "expression.*evaluates.*empty.*string|undefined.*variable.*no.*error"
+  - regex: 'expression.*evaluates.*empty.*string|undefined.*variable.*no.*error'
     flags: "i"
 error_messages:
   - "(no error shown -- undefined env/context variables produce empty strings silently)"

package/errors/yaml-syntax/case-function-runner-version-too-old.yml

@@ -0,0 +1,100 @@
+id: yaml-syntax-031
+title: "case() expression function fails with 'Unrecognized function' on runners older than 2.329.0"
+category: yaml-syntax
+severity: error
+tags:
+  - case-function
+  - expressions
+  - runner-version
+  - self-hosted
+  - composite-action
+  - if-condition
+
+patterns:
+  - regex: "Unrecognized function: 'case'"
+    flags: "i"
+  - regex: "The workflow is not valid.*Unrecognized function.*case"
+    flags: "i"
+
+error_messages:
+  - "Unrecognized function: 'case'. Located at position 1 within expression: case(github.event_name == 'push', 'deploy', github.event_name == 'pull_request', 'review', 'skip')"
+  - "The workflow is not valid. .github/workflows/deploy.yml (Line: 24, Col: 16): Unrecognized function: 'case'"
+
+root_cause: |
+  GitHub introduced the case() expression function in runner version 2.329.0 (January 2026,
+  announced in the GitHub Actions changelog on 2026-01-29). The case() function enables
+  conditional branching similar to SQL CASE expressions, supporting if-else and switch-case
+  patterns in workflow expressions.
+
+  Self-hosted runners that have not been updated to version 2.329.0 or later do not recognize
+  case() as a valid function. When any workflow step, job-level if: condition, output mapping,
+  or composite action uses ${{ case(...) }}, the runner throws "Unrecognized function: 'case'"
+  and the job fails immediately.
+
+  GitHub-hosted runners (ubuntu-latest, windows-latest, macos-latest) receive runner updates
+  automatically and are not affected. Only self-hosted runners with version pinning or delayed
+  update policies encounter this error.
+
+  A secondary regression occurred in runner 2.333.0 (March 2026) where case() was temporarily
+  broken for composite actions specifically, producing the same error. This was resolved in
+  2.333.1.
+
+fix: |
+  For self-hosted runners: Update the runner to version 2.329.0 or later. Runner updates
+  can be applied via the GitHub Actions runner update script or by re-registering the runner
+  with the latest version from the GitHub Actions runner releases page.
+
+  To verify your runner version: check Settings > Actions > Runners in your repository or
+  organization, or inspect the runner binary with ./actions-runner/config.sh --version.
+
+  Temporary workaround: Rewrite case() expressions using nested ternary-style expressions
+  that work on all runner versions, then migrate to case() once runners are updated.
+
+fix_code:
+  - language: yaml
+    label: "New (requires runner 2.329.0+): using case() for conditional output"
+    code: |
+      jobs:
+        determine-env:
+          runs-on: self-hosted
+          outputs:
+            environment: ${{ steps.set-env.outputs.env }}
+          steps:
+            - id: set-env
+              run: echo "env=${{ case(github.ref == 'refs/heads/main', 'production', github.ref == 'refs/heads/staging', 'staging', 'development') }}" >> $GITHUB_OUTPUT
+
+  - language: yaml
+    label: "Fallback for runners older than 2.329.0 (works on all versions)"
+    code: |
+      jobs:
+        determine-env:
+          runs-on: self-hosted
+          outputs:
+            environment: ${{ steps.set-env.outputs.env }}
+          steps:
+            - id: set-env
+              run: |
+                REF="${{ github.ref }}"
+                if [[ "$REF" == "refs/heads/main" ]]; then
+                  echo "env=production" >> $GITHUB_OUTPUT
+                elif [[ "$REF" == "refs/heads/staging" ]]; then
+                  echo "env=staging" >> $GITHUB_OUTPUT
+                else
+                  echo "env=development" >> $GITHUB_OUTPUT
+                fi
+
+prevention:
+  - "Pin runner version in self-hosted runner documentation and set up automated update notifications."
+  - "Add a workflow step that logs the runner version (echo $ACTIONS_RUNNER_VERSION) to surface version mismatches early."
+  - "Test new expression functions on GitHub-hosted runners first; then roll out to self-hosted after confirming the runner version."
+  - "Configure runner auto-update policies — GitHub recommends keeping self-hosted runners within 2 major versions of the latest."
+
+docs:
+  - url: "https://github.blog/changelog/2026-01-29-github-actions-smarter-editing-clearer-debugging-and-a-new-case-function/"
+    label: "GitHub Changelog 2026-01-29: New case() function introduction"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions"
+    label: "GitHub Docs: Expressions — case() function reference"
+  - url: "https://github.com/actions/runner/issues/4315"
+    label: "actions/runner#4315: Runner v2.333.0 breaks case function (regression)"
+  - url: "https://github.com/actions/runner/releases"
+    label: "GitHub Actions Runner releases — version history"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.24",
+  "version": "1.0.25",
   "description": "65+ real GitHub Actions errors, queryable by agents. MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",