@htekdev/actions-debugger 1.0.30 → 1.0.31

package/errors/permissions-auth/tj-actions-changed-files-supply-chain-cve-2025-30066.yml

@@ -0,0 +1,99 @@
+id: 'permissions-auth-030'
+title: 'tj-actions/changed-files supply chain attack exposed CI/CD secrets in workflow logs (CVE-2025-30066)'
+category: permissions-auth
+severity: error
+tags:
+  - supply-chain
+  - tj-actions
+  - changed-files
+  - cve-2025-30066
+  - secrets-exposed
+  - security
+  - third-party-action
+patterns:
+  - regex: 'tj-actions/changed-files@(?:v(?:1|35|44)\b|0e58ed8671d6b60d0890c21b07f8835ace038e67)'
+    flags: 'i'
+  - regex: '(?:memdump\.py|gist\.githubusercontent\.com/nikitastupin)'
+    flags: 'i'
+error_messages:
+  - 'Unexpected base64-encoded output in tj-actions/changed-files step logs'
+  - 'Unauthorized outbound request to gist.githubusercontent.com detected in workflow run'
+root_cause: |
+  Between March 14 and March 15, 2025, attackers compromised the tj-actions/changed-files
+  GitHub Action (CVE-2025-30066, GHSA-mw4p-6x4p-x5m5) by retroactively modifying multiple
+  version tags to reference a malicious commit SHA
+  (0e58ed8671d6b60d0890c21b07f8835ace038e67).
+
+  The malicious commit injected a Python script that:
+  1. Downloaded a memory-dump utility from a public GitHub Gist
+  2. Scanned the GitHub Actions Runner Worker process memory for secrets
+  3. Base64-encoded the extracted memory content
+  4. Printed the encoded secrets directly to the workflow log
+
+  For repositories with public workflow logs, these secrets were immediately publicly
+  accessible. Over 23,000 repositories were affected.
+
+  The attack exploited a fundamental trust model weakness: when workflows pin to a version
+  tag (e.g., @v35 or @v44.5.1) rather than a specific commit SHA, an attacker who gains
+  write access to the upstream repository can silently redirect any tag to malicious code.
+  The workflow continues to run without any error — it just also exfiltrates secrets.
+
+  The compromised tags included: v1.0.0, v35.7.7-sec, v44.5.1, and others.
+  The vulnerability window was March 14–15, 2025. Tags have since been updated to safe
+  code, but any secrets exposed during that window must be treated as compromised.
+fix: |
+  Immediate actions if your workflows ran tj-actions/changed-files between March 14-15, 2025:
+  1. Inspect workflow logs for unexpected base64 output in the changed-files step
+  2. Decode any suspicious output: echo 'BLOB' | base64 -d | base64 -d
+  3. Rotate ALL secrets (API keys, tokens, SSH keys, cloud credentials) that were present
+     in any workflow that used the affected action during the vulnerability window
+
+  For all workflows (ongoing prevention):
+  - Pin third-party actions to specific commit SHAs instead of version tags
+  - Use tools like StepSecurity Harden-Runner to detect unexpected outbound network calls
+  - Use tools like pin-github-action or GitHub's allowed-actions list to enforce SHA pinning
+fix_code:
+  - language: yaml
+    label: 'Pin third-party actions to a specific commit SHA instead of a version tag'
+    code: |
+      steps:
+        # Vulnerable: tag can be silently repointed to malicious code
+        # - uses: tj-actions/changed-files@v44
+        # - uses: tj-actions/changed-files@v44.5.1
+
+        # Safe: commit SHA is immutable — attacker cannot redirect it
+        - name: Get changed files
+          id: changed-files
+          uses: tj-actions/changed-files@823fcebdb31bb97eca5b8e3cd20bb12abfa9b68d
+          with:
+            files: |
+              src/**
+  - language: yaml
+    label: 'Use StepSecurity Harden-Runner to detect unauthorized outbound network calls'
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Harden runner
+              uses: step-security/harden-runner@v2
+              with:
+                egress-policy: audit   # or 'block' to prevent unauthorized calls
+            - name: Get changed files
+              uses: tj-actions/changed-files@823fcebdb31bb97eca5b8e3cd20bb12abfa9b68d
+prevention:
+  - 'Always pin third-party GitHub Actions to a specific commit SHA, not a version tag'
+  - 'Audit your workflows periodically for version-tagged (not SHA-pinned) third-party actions'
+  - 'Use StepSecurity Harden-Runner or similar tooling to detect anomalous outbound network requests in CI'
+  - 'Subscribe to security advisories for third-party actions your workflows depend on'
+  - 'Rotate secrets immediately if a supply chain compromise is announced for any action you use'
+  - 'Consider using a private action mirror with controlled updates rather than pulling from public repos'
+docs:
+  - url: 'https://github.com/tj-actions/changed-files/security/advisories/GHSA-mw4p-6x4p-x5m5'
+    label: 'GHSA-mw4p-6x4p-x5m5: tj-actions/changed-files supply chain attack advisory'
+  - url: 'https://www.cve.org/CVERecord?id=CVE-2025-30066'
+    label: 'CVE-2025-30066: NVD entry'
+  - url: 'https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions'
+    label: 'GitHub Docs: Security hardening — using third-party actions'
+  - url: 'https://docs.stepsecurity.io/harden-runner/'
+    label: 'StepSecurity Harden-Runner documentation'

package/errors/runner-environment/immutable-actions-pkg-domain-not-allowlisted.yml

@@ -0,0 +1,97 @@
+id: 'runner-environment-085'
+title: 'Self-hosted runner fails to download immutable actions — `pkg.actions.githubusercontent.com` not in network allowlist'
+category: runner-environment
+severity: error
+tags:
+  - self-hosted-runner
+  - immutable-actions
+  - network
+  - allowlist
+  - firewall
+  - pkg.actions.githubusercontent.com
+  - action-download
+patterns:
+  - regex: 'Failed to download action.*pkg\.actions\.githubusercontent\.com'
+    flags: 'i'
+  - regex: 'Unable to locate executable.*pkg\.actions\.githubusercontent\.com'
+    flags: 'i'
+  - regex: 'Error: An error occurred while loading the action.*pkg\.actions'
+    flags: 'i'
+  - regex: 'connect(?:ion)? (?:refused|timed? ?out).*pkg\.actions\.githubusercontent\.com'
+    flags: 'i'
+error_messages:
+  - "Error: Failed to download action 'actions/checkout@v4'. Actions requiring immutable action downloads from pkg.actions.githubusercontent.com are blocked."
+  - "Error: An error occurred while loading the action. Connection refused: pkg.actions.githubusercontent.com"
+root_cause: |
+  Starting February 2025, GitHub began migrating GitHub-hosted runners to use
+  "Immutable Actions" — a system where action code is downloaded from a new dedicated
+  CDN host (`pkg.actions.githubusercontent.com`) rather than being cloned directly from
+  the action's GitHub repository.
+
+  Self-hosted runners behind corporate firewalls or with strict network egress allowlists
+  fail to download actions when this new domain is not permitted, causing the job to fail
+  immediately during the action download phase before any user step runs.
+
+  The failure is distinct from a runtime error: the runner itself cannot fetch the action
+  code, so no build output is produced. Logs show a network-level failure during the
+  "Getting action download info" or "Download action repository" phase.
+
+  Organizations that previously configured their allowlist with `*.github.com`,
+  `codeload.github.com`, or `github.com` for action downloads must now also add
+  `pkg.actions.githubusercontent.com`.
+
+  Note: If your allowlist already includes `*.actions.githubusercontent.com`, no change
+  is required — the wildcard matches the new subdomain.
+fix: |
+  Add `pkg.actions.githubusercontent.com` to your self-hosted runner's outbound network
+  allowlist. Runners that already allow `*.actions.githubusercontent.com` via wildcard
+  do not require any change.
+
+  For Azure private networking, also update your NSG template with the additional IP
+  ranges published by GitHub in the February 2025 changelog.
+
+  For GitHub Enterprise Server customers using GitHub Connect: update your self-hosted
+  runner allowlists to include the new domain before enabling immutable actions.
+fix_code:
+  - language: yaml
+    label: 'Required network allowlist domains for self-hosted runners (as of Feb 2025)'
+    code: |
+      # Ensure these domains/IPs are allowed for outbound HTTPS (443) from your runners:
+      #
+      # Existing required domains (unchanged):
+      #   github.com
+      #   api.github.com
+      #   *.actions.githubusercontent.com   <- wildcard covers new subdomain too
+      #   codeload.github.com
+      #   results-receiver.actions.githubusercontent.com
+      #
+      # New domain required for immutable actions (Feb 2025):
+      #   pkg.actions.githubusercontent.com
+      #
+      # If you use domain-specific (not wildcard) allowlists, add:
+      #   pkg.actions.githubusercontent.com
+  - language: yaml
+    label: 'Verify immutable actions network access with a diagnostic step'
+    code: |
+      jobs:
+        network-check:
+          runs-on: [self-hosted]
+          steps:
+            - name: Check immutable actions domain reachability
+              run: |
+                curl -sSf --max-time 10 \
+                  https://pkg.actions.githubusercontent.com \
+                  -o /dev/null -w "HTTP %{http_code}\n" \
+                  || echo "BLOCKED: pkg.actions.githubusercontent.com unreachable"
+prevention:
+  - 'Use wildcard domain entries (`*.actions.githubusercontent.com`) in your network allowlist rather than enumerating specific subdomains'
+  - 'Subscribe to GitHub Changelog (github.blog/changelog) to catch new domain requirements before they cause outages'
+  - 'Periodically run network reachability checks against all required GitHub Actions domains from your runner environment'
+  - 'Document your runner network requirements in runbooks and tie allowlist updates to a change management process'
+docs:
+  - url: 'https://github.blog/changelog/2025-02-12-notice-of-upcoming-deprecations-and-breaking-changes-for-github-actions/'
+    label: 'GitHub Changelog 2025-02-12: Immutable Actions migration and network allowlist updates'
+  - url: 'https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#communication-between-self-hosted-runners-and-github'
+    label: 'GitHub Docs: Self-hosted runner network communication requirements'
+  - url: 'https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#hardening-for-self-hosted-runners'
+    label: 'GitHub Docs: Security hardening for self-hosted runners'

package/errors/silent-failures/github-ref-full-path-comparison-always-false.yml

@@ -0,0 +1,97 @@
+id: 'silent-failures-036'
+title: '`if: github.ref == ''main''` silently never matches — ref contains full `refs/heads/main` path'
+category: silent-failures
+severity: silent-failure
+tags:
+  - github-ref
+  - ref-name
+  - branch-comparison
+  - if-condition
+  - refs/heads
+  - silent-skip
+patterns:
+  - regex: 'github\.ref\s*[!=]=\s*[''"](?:main|master|develop|release|staging)[''"]'
+    flags: 'i'
+  - regex: 'github\.ref\s*[!=]=\s*[''"][a-z][a-z0-9_/-]*[^/][''"](?!\s*#.*refs/heads)'
+    flags: 'i'
+error_messages:
+  - "Step was skipped because the condition was false: github.ref == 'main'"
+  - "Job skipped: if: github.ref == 'master'"
+root_cause: |
+  `github.ref` always returns the full Git reference path, never just the branch name:
+  - Push to `main` branch: `refs/heads/main`
+  - Pull request: `refs/pull/123/merge`
+  - Tag push: `refs/tags/v1.0.0`
+
+  When a developer writes `if: github.ref == 'main'`, the condition always evaluates
+  to false because `'main'` != `'refs/heads/main'`. The step or job is silently skipped
+  with no error — only a "skipped" indicator in the UI, which is easy to overlook.
+
+  This is the most-viewed GitHub Actions question on Stack Overflow (SO #58033366,
+  478,000+ views), confirming how frequently developers encounter this mismatch.
+
+  Common variants:
+  - `if: github.ref == 'main'` → always false
+  - `if: github.ref == 'master'` → always false
+  - `if: github.ref != 'main'` → always true (everything runs)
+  - `if: github.ref == 'refs/heads/main' && github.ref == 'refs/tags/v*'` → impossible
+    (a ref cannot be both)
+  - On tag push: `if: github.ref == 'refs/heads/main'` → always false (it is `refs/tags/…`)
+fix: |
+  Option 1 — Use `github.ref_name` (recommended, available since runner 2.276.0 / Jan 2022):
+  `github.ref_name` returns just the branch or tag name without the `refs/heads/` or
+  `refs/tags/` prefix, making comparisons intuitive.
+
+  Option 2 — Compare against the full ref path:
+  Use `github.ref == 'refs/heads/main'` instead of `github.ref == 'main'`.
+
+  Option 3 — Match on event type:
+  Use `github.event_name == 'push'` to restrict steps to push (not PR) events, which is
+  often the underlying intent.
+fix_code:
+  - language: yaml
+    label: 'Use github.ref_name for simple branch/tag name comparison'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Deploy to production
+              # github.ref_name returns 'main', 'v1.0.0', etc. (no refs/ prefix)
+              if: github.ref_name == 'main'
+              run: echo "Deploying"
+  - language: yaml
+    label: 'Use full ref path if you need github.ref specifically'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Only on main branch push (not tags or PRs)
+              if: github.ref == 'refs/heads/main'
+              run: echo "Deploying"
+            - name: Only on version tags
+              if: startsWith(github.ref, 'refs/tags/v')
+              run: echo "Releasing"
+  - language: yaml
+    label: 'Use event_name to distinguish push from pull_request'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Only on direct pushes, not PRs
+              if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+              run: echo "Deploying"
+prevention:
+  - 'Never compare `github.ref` to a bare branch name — it always includes the `refs/heads/` prefix'
+  - 'Prefer `github.ref_name` for branch/tag name comparisons when using runner 2.276.0+ (Jan 2022)'
+  - 'Verify your `if:` logic by inspecting the actual `github.ref` value in a debug step: `run: echo "${{ github.ref }}"`'
+  - 'Use the GitHub Actions context documentation to confirm which format each context variable uses'
+docs:
+  - url: 'https://docs.github.com/en/actions/learn-github-actions/contexts#github-context'
+    label: 'GitHub Docs: github context — github.ref and github.ref_name'
+  - url: 'https://stackoverflow.com/questions/58033366/how-to-get-the-current-branch-within-github-actions'
+    label: 'Stack Overflow #58033366 (428 votes, 478K views): How to get the current branch within GitHub Actions'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-conditions-to-control-job-execution'
+    label: 'GitHub Docs: Using conditions to control job execution'

package/errors/silent-failures/head-commit-null-on-pull-request.yml

@@ -0,0 +1,121 @@
+id: 'silent-failures-037'
+title: '`github.event.head_commit` is null on `pull_request` and `workflow_dispatch` events — commit message access silently fails'
+category: silent-failures
+severity: silent-failure
+tags:
+  - head-commit
+  - commit-message
+  - pull-request
+  - workflow-dispatch
+  - event-payload
+  - null-context
+  - silent-skip
+patterns:
+  - regex: 'github\.event\.head_commit\.(?:message|author|id|timestamp)'
+    flags: 'i'
+  - regex: 'github\.event\.head_commit\s+is\s+null'
+    flags: 'i'
+error_messages:
+  - "Error: Unhandled error: TypeError: Cannot read properties of null (reading 'message')"
+  - "Expression evaluation failed: github.event.head_commit is null"
+  - "Step was skipped because the condition was false: contains(github.event.head_commit.message, '[skip ci]')"
+root_cause: |
+  `github.event.head_commit` is only populated on `push` events. It is `null` (not an
+  empty object) on all other event types, including:
+  - `pull_request` and `pull_request_target`
+  - `workflow_dispatch`
+  - `workflow_call`
+  - `schedule`
+  - `release`
+  - `repository_dispatch`
+
+  This causes several silent failure patterns:
+  1. **Silent [skip ci] bypass**: A common pattern is
+     `if: "!contains(github.event.head_commit.message, '[skip ci]')"`.
+     On a `pull_request` event, `github.event.head_commit` is null, so the expression
+     evaluates as `!contains(null, '[skip ci]')` → `!false` → `true`. Every PR run
+     executes unconditionally, ignoring any [skip ci] intent.
+  2. **Runtime crash in scripts**: GitHub Script or shell steps that access
+     `${{ github.event.head_commit.message }}` on PR events receive an empty string
+     silently, or throw a TypeError if accessed via JavaScript.
+  3. **Commit metadata loss in multi-event workflows**: Workflows triggered by both
+     `push` and `pull_request` may use `head_commit` data in notifications or logs;
+     the PR trigger silently produces empty/null values for all commit fields.
+
+  This is documented in Stack Overflow question #63441440 (Score: 95, 100,000+ views).
+fix: |
+  Use a multi-event compatible approach to access commit messages:
+  - For `pull_request`: use `github.event.pull_request.head.sha` and fetch the commit
+    via the API, or use `github-script` with `octokit.rest.repos.getCommit()`
+  - For `push`: `github.event.head_commit.message` works directly
+  - For a robust cross-event solution: use `actions/checkout` with fetch-depth and
+    run `git log -1 --format=%s` in a shell step — this works regardless of event type
+  - For [skip ci] detection: use the `github.event.commits` array (available on `push`)
+    or check PR body/title instead of commit message for multi-event workflows
+fix_code:
+  - language: yaml
+    label: 'Guard head_commit access with event_name check'
+    code: |
+      steps:
+        - name: Get commit message (push events only)
+          if: github.event_name == 'push'
+          run: echo "Commit: ${{ github.event.head_commit.message }}"
+
+        - name: Get HEAD commit message (all events via shell)
+          run: |
+            MSG=$(git log -1 --format='%s')
+            echo "Commit: $MSG"
+  - language: yaml
+    label: 'Cross-event [skip ci] detection using shell git log'
+    code: |
+      jobs:
+        check-skip:
+          runs-on: ubuntu-latest
+          outputs:
+            skip: ${{ steps.skip-check.outputs.skip }}
+          steps:
+            - uses: actions/checkout@v4
+              with:
+                fetch-depth: 2
+            - id: skip-check
+              run: |
+                MSG=$(git log -1 --format='%s')
+                if echo "$MSG" | grep -q '\[skip ci\]'; then
+                  echo "skip=true" >> "$GITHUB_OUTPUT"
+                else
+                  echo "skip=false" >> "$GITHUB_OUTPUT"
+                fi
+
+        build:
+          needs: check-skip
+          if: needs.check-skip.outputs.skip != 'true'
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "Building"
+  - language: yaml
+    label: 'Fetch commit message via API for pull_request events'
+    code: |
+      steps:
+        - name: Get PR head commit message
+          if: github.event_name == 'pull_request'
+          uses: actions/github-script@v7
+          with:
+            script: |
+              const { data } = await github.rest.repos.getCommit({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                ref: context.payload.pull_request.head.sha
+              });
+              console.log('Commit message:', data.commit.message);
+prevention:
+  - 'Always guard `github.event.head_commit` access with `if: github.event_name == ''push''`'
+  - 'For multi-event workflows needing commit messages, use `git log -1 --format=%s` after checkout rather than the event context'
+  - 'Do not use `github.event.head_commit.message` for [skip ci] detection — it silently fails on PRs and dispatches'
+  - 'Add `run: echo "${{ toJSON(github.event) }}"` to debug which event fields are available for each trigger'
+docs:
+  - url: 'https://docs.github.com/en/webhooks/webhook-events-and-payloads#push'
+    label: 'GitHub Docs: push event payload — head_commit field'
+  - url: 'https://docs.github.com/en/webhooks/webhook-events-and-payloads#pull_request'
+    label: 'GitHub Docs: pull_request event payload (no head_commit field)'
+  - url: 'https://stackoverflow.com/questions/63441440/get-github-commit-message-in-pull-request-actions'
+    label: 'Stack Overflow #63441440 (95 votes, 100K views): Get GitHub commit message in pull request Actions'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.30",
+  "version": "1.0.31",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",