@htekdev/actions-debugger 1.0.4 → 1.0.5

package/errors/concurrency-timing/runner-group-not-found-race.yml

@@ -0,0 +1,97 @@
+id: "concurrency-timing-008"
+title: "Intermittent 'Required runner group not found' when ephemeral runner registers after job dispatch"
+category: "concurrency-timing"
+severity: "error"
+tags:
+  - "runner-group"
+  - "self-hosted"
+  - "ephemeral"
+  - "race-condition"
+  - "dispatch"
+  - "organization"
+patterns:
+  - regex: "Required runner group '.*' not found"
+    flags: "i"
+  - regex: "runner_group_id.*null"
+    flags: "i"
+error_messages:
+  - "Required runner group 'x' not found"
+root_cause: |
+  In autoscaling self-hosted runner setups (EC2, GKE ephemeral runners, ARC), the runner
+  must register with GitHub BEFORE the job dispatcher resolves runner group membership.
+
+  The race condition occurs when:
+  1. A workflow is triggered and GitHub's broker immediately tries to assign the job
+  2. The ephemeral runner is still initializing (EC2 bootstrap, container pull, ~2:30 min)
+  3. The broker resolves runner group membership before the new runner completes registration
+  4. The broker reports "Required runner group 'X' not found" and fails the job
+
+  This is intermittent: matrix jobs expose it clearly because some cells get
+  already-running (pre-registered) runners while others need a fresh runner, triggering
+  the race. Inspecting the failed job via the Jobs API shows `runner_group_id: null`
+  and `runner_name: null` throughout the queue duration even though the runner group
+  exists and has the correct repository access.
+
+  A separate but related pattern occurs with org-level runner group repository access
+  grants not propagating to the broker V2 protocol in time, causing identical symptoms
+  regardless of runner initialization speed.
+
+  Reported upstream: https://github.com/actions/runner/issues/4252
+  Related: https://github.com/actions/runner/issues/4429
+fix: |
+  For ephemeral autoscaling runners:
+  Implement a registration wait loop that polls the GitHub Runners API before signaling
+  the runner as available. The runner should only become eligible for jobs after the
+  broker has acknowledged its registration.
+
+  For org-level runner group access issues:
+  Verify that the target repository is in the runner group's allowed repositories list
+  via API. If misconfigured, re-registering the runner at repository level instead of
+  org level is a reliable workaround.
+
+  General mitigation: Add timeout-minutes to all jobs on self-hosted runners so stuck
+  queued jobs fail fast rather than waiting until the 6-hour workflow timeout.
+fix_code:
+  - language: yaml
+    label: "Add timeout-minutes to detect stuck queued jobs quickly"
+    code: |
+      jobs:
+        build:
+          runs-on:
+            group: my-runner-group
+            labels: [self-hosted, linux]
+          timeout-minutes: 10  # Fail fast if runner never picks up the job
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "Runner assigned successfully"
+  - language: yaml
+    label: "Verify runner group repository access via API"
+    code: |
+      jobs:
+        debug-runner-group:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Check runner group repository access
+              env:
+                GH_TOKEN: ${{ secrets.ORG_RUNNER_READ_TOKEN }}
+              run: |
+                echo "Runner groups and their visibility:"
+                gh api /orgs/${{ github.repository_owner }}/actions/runner-groups \
+                  --jq '.runner_groups[] | "\(.name) (id: \(.id)) — visibility: \(.visibility)"'
+
+                echo "Repositories allowed for runner group ID 1:"
+                gh api /orgs/${{ github.repository_owner }}/actions/runner-groups/1/repositories \
+                  --jq '.repositories[].full_name'
+prevention:
+  - "Add timeout-minutes to all jobs using self-hosted runners so stuck-queued jobs fail fast instead of waiting for the 6h workflow limit"
+  - "For ephemeral runners (EC2/ARC), implement a registration health check that polls the Runners API before the runner accepts jobs"
+  - "For org-level runners, verify group repository access via API after any runner group configuration change"
+  - "For matrix jobs with ephemeral runners, keep N idle pre-registered runners to avoid cold-start races"
+  - "Monitor runner_group_id via the Jobs API to detect dispatch failures early in autoscaling pipelines"
+docs:
+  - url: "https://github.com/actions/runner/issues/4252"
+    label: "actions/runner #4252 — Intermittent runner group not found"
+  - url: "https://github.com/actions/runner/issues/4429"
+    label: "actions/runner #4429 — Org-level runner never dispatched"
+  - url: "https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups"
+    label: "GitHub Docs — Managing runner group access"

package/errors/runner-environment/checkout-safe-directory-container.yml

@@ -0,0 +1,84 @@
+id: "runner-environment-022"
+title: "actions/checkout set-safe-directory only runs in post step — container jobs get dubious ownership errors"
+category: "runner-environment"
+severity: "error"
+tags:
+  - "actions/checkout"
+  - "safe-directory"
+  - "container"
+  - "dubious-ownership"
+  - "CVE-2022-24765"
+  - "post-step"
+patterns:
+  - regex: "fatal: detected dubious ownership in repository"
+    flags: "i"
+  - regex: "safe\\.directory.*not.*owned"
+    flags: "i"
+error_messages:
+  - "fatal: detected dubious ownership in repository at '/github/workspace'"
+  - "hint: git config --global --add safe.directory /github/workspace"
+root_cause: |
+  The `actions/checkout` action configures `safe.directory` to allow git operations in
+  the workspace. However, this configuration only runs in the **post step** (cleanup
+  phase), not during the main execution step.
+
+  In container jobs, the workspace is mounted from the host and may be owned by a
+  different UID than the user running inside the container. Git's safe.directory
+  protection (introduced in Git 2.35.2 for CVE-2022-24765) blocks access when the
+  directory owner differs from the running user.
+
+  Because safe.directory is only written during the post step — after all workflow
+  steps have already run — any subsequent git operations in the job's main steps
+  fail with "fatal: detected dubious ownership". This includes third-party actions
+  that internally invoke git (reviewdog, gitops tools, semantic-release, etc.).
+
+  Reported upstream: https://github.com/actions/checkout/issues/2031
+fix: |
+  Add an explicit safe.directory configuration step immediately after `actions/checkout`
+  in any container job that performs git operations. This ensures the directory is
+  trusted before any subsequent steps run.
+fix_code:
+  - language: yaml
+    label: "Add safe.directory config step after checkout in container jobs"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          container: node:20-bookworm
+          steps:
+            - uses: actions/checkout@v4
+
+            # Workaround: post step safe.directory config doesn't help in container jobs
+            - name: Mark workspace as safe for git
+              run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+            - name: Run git-dependent steps
+              run: git log --oneline -5
+  - language: yaml
+    label: "Use wildcard to mark all directories safe in container workflows"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          container: python:3.12-slim
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure git safe directories
+              run: |
+                git config --global --add safe.directory '*'
+
+            - name: Lint with pre-commit
+              run: pre-commit run --all-files
+prevention:
+  - "Always add a safe.directory config step after checkout when using container jobs"
+  - "Audit third-party actions in container jobs — reviewdog, semantic-release, and gitops tools invoke git internally"
+  - "Consider running without a container and using docker run explicitly if git safety is complex to manage"
+  - "Track https://github.com/actions/checkout/issues/2031 for an official fix from the actions team"
+docs:
+  - url: "https://github.com/actions/checkout/issues/2031"
+    label: "actions/checkout #2031 — safe.directory only set in post step"
+  - url: "https://github.blog/2022-04-12-git-security-vulnerability-announced/"
+    label: "Git CVE-2022-24765 — safe.directory background"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-where-your-workflow-runs/running-jobs-in-a-container"
+    label: "GitHub Docs — Running jobs in a container"

package/errors/runner-environment/self-hosted-runner-version-deprecated.yml

@@ -0,0 +1,99 @@
+id: "runner-environment-023"
+title: "Self-hosted runner on deprecated version stops receiving jobs"
+category: "runner-environment"
+severity: "error"
+tags:
+  - "self-hosted"
+  - "runner"
+  - "deprecated"
+  - "version"
+  - "cannot-receive-messages"
+  - "maintenance"
+patterns:
+  - regex: "Runner version v\\d+\\.\\d+\\.\\d+ is deprecated and cannot receive messages"
+    flags: "i"
+  - regex: "WRITE ERROR.*runner.*deprecated"
+    flags: "i"
+error_messages:
+  - "Runner version v2.332.0 is deprecated and cannot receive messages."
+  - "WRITE ERROR: An error occured: Runner version v2.XXX.X is deprecated and cannot receive messages."
+root_cause: |
+  GitHub periodically deprecates older self-hosted runner versions. Once a runner version
+  is past its deprecation deadline, the runner agent can no longer communicate with the
+  GitHub Actions broker service.
+
+  The runner process stays alive, appears online in the GitHub UI (Settings → Actions →
+  Runners), and is listed as "Active" — but it can no longer receive job assignments.
+  Jobs queued for a runner group containing only deprecated-version runners will either
+  stay "Queued" indefinitely or time out without a clear error in the workflow UI.
+
+  This is a silent failure mode: the runner shows as online, no workflow error is
+  surfaced, but jobs never start. The deprecation schedule is published in the GitHub
+  Changelog and actions/runner releases but teams often miss it without automated
+  update pipelines.
+
+  As of 2026, GitHub requires runners to be within approximately the last 6 months of
+  releases. Related issues: actions/runner #4305, actions/runner #4442
+fix: |
+  Update the runner binary to a currently supported version.
+
+  For manually managed runners:
+  1. SSH to the runner host
+  2. Stop the runner service: ./svc.sh stop
+  3. Download the latest runner from https://github.com/actions/runner/releases/latest
+  4. Extract to the runner directory (configuration is preserved via .runner file)
+  5. Restart: ./svc.sh start
+
+  For ARC (Actions Runner Controller) or autoscaling solutions: bump the runner image
+  version tag in your HelmRelease or Deployment manifest and redeploy.
+fix_code:
+  - language: yaml
+    label: "Scheduled workflow to alert on outdated runner versions"
+    code: |
+      name: Check self-hosted runner versions
+      on:
+        schedule:
+          - cron: '0 9 * * 1'  # Weekly Monday 9 AM
+
+      jobs:
+        check-runners:
+          runs-on: ubuntu-latest  # GitHub-hosted runner for this diagnostic
+          steps:
+            - name: List runner versions via API
+              env:
+                GH_TOKEN: ${{ secrets.RUNNER_READ_TOKEN }}
+              run: |
+                echo "=== Org runners ==="
+                gh api /orgs/${{ github.repository_owner }}/actions/runners \
+                  --jq '.runners[] | "\(.name): v\(.version) (\(.status))"'
+
+            - name: Check latest available version
+              run: |
+                LATEST=$(curl -sf https://api.github.com/repos/actions/runner/releases/latest | jq -r .tag_name)
+                echo "Latest runner version: $LATEST"
+                echo "Compare against your registered runners above"
+  - language: yaml
+    label: "ARC — bump runner version in HelmRelease"
+    code: |
+      # In your ARC HelmRelease or values.yaml
+      githubConfigUrl: "https://github.com/myorg"
+      template:
+        spec:
+          containers:
+            - name: runner
+              image: ghcr.io/actions/actions-runner:2.335.0  # Bump this regularly
+prevention:
+  - "Subscribe to the GitHub Changelog (https://github.blog/changelog/) or watch actions/runner releases for deprecation notices"
+  - "Use Actions Runner Controller (ARC) or an autoscaling solution to automate runner lifecycle management"
+  - "Schedule a weekly cron workflow that checks registered runner versions via the Runners API and alerts if any are outdated"
+  - "Pin runner version in IaC (Terraform, Ansible) and include a runner version bump in your monthly maintenance checklist"
+  - "Set up Dependabot or Renovate to auto-update runner image tags in Docker/ARC manifests"
+docs:
+  - url: "https://github.com/actions/runner/releases"
+    label: "actions/runner releases — version history and changelogs"
+  - url: "https://github.com/actions/runner/issues/4305"
+    label: "actions/runner #4305 — runner deprecated cannot receive messages"
+  - url: "https://github.com/actions/runner/issues/4442"
+    label: "actions/runner #4442 — version deprecation notice"
+  - url: "https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners"
+    label: "GitHub Docs — About self-hosted runners"

package/errors/silent-failures/cache-hit-restore-keys-misleading.yml

@@ -0,0 +1,82 @@
+id: "silent-failures-010"
+title: "cache-hit output is 'true' on restore-keys partial match, not just exact key"
+category: "silent-failures"
+severity: "silent-failure"
+tags:
+  - "actions/cache"
+  - "cache-hit"
+  - "restore-keys"
+  - "partial-match"
+  - "output"
+  - "exact-match"
+patterns:
+  - regex: "cache-hit.*true"
+    flags: "i"
+error_messages:
+  - "cache-hit: true"
+root_cause: |
+  The `cache-hit` output of `actions/cache` is documented to return `true` for an exact
+  cache key match. In practice, `cache-hit` also returns `true` when the key matched via
+  `restore-keys` (a partial/fallback match), not only for exact key hits.
+
+  Workflows that gate post-build steps on `steps.cache.outputs.cache-hit == 'true'` to
+  skip dependency installs assume an exact match. When a restore-keys match occurs,
+  `cache-hit` is `true` even though the cache may be stale or from a different branch.
+  The correct exact-match indicator is the `exact-match` output (available in
+  actions/cache v4+) or comparing `cache-matched-key` against the computed key.
+
+  Reported upstream: https://github.com/actions/cache/issues/1675
+fix: |
+  Use the `exact-match` output (actions/cache v4+) to determine if the restore was an
+  exact key match. `cache-hit` alone does not distinguish between exact and partial
+  (restore-keys) matches.
+
+  Alternatively, compare the `cache-matched-key` output against the expected key to
+  determine if the restore was exact.
+fix_code:
+  - language: yaml
+    label: "Use exact-match output (actions/cache v4+)"
+    code: |
+      - name: Restore cache
+        id: cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      # Only skip install on EXACT key match, not partial restore-keys hit
+      - name: Install dependencies
+        if: steps.cache.outputs.exact-match != 'true'
+        run: npm ci
+  - language: yaml
+    label: "Compare cache-matched-key to verify exact hit"
+    code: |
+      - name: Restore cache
+        id: cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.npm
+          key: npm-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: npm-
+
+      - name: Install or skip dependencies
+        run: |
+          EXPECTED_KEY="npm-${{ hashFiles('**/package-lock.json') }}"
+          if [ "${{ steps.cache.outputs.cache-matched-key }}" = "$EXPECTED_KEY" ]; then
+            echo "Exact cache hit — skipping npm ci"
+          else
+            echo "Partial/stale restore-keys hit — running npm ci"
+            npm ci
+          fi
+prevention:
+  - "Never rely on cache-hit == 'true' alone to skip dependency installs; it fires on partial restore-keys matches too"
+  - "Use the exact-match output (actions/cache v4+) when you need to distinguish exact vs partial cache hits"
+  - "Use cache-matched-key output to log or compare the actual key that was restored"
+  - "If using restore-keys, always validate that your skip-install condition handles partial matches correctly"
+docs:
+  - url: "https://github.com/actions/cache/issues/1675"
+    label: "actions/cache #1675 — cache-hit true on restore-keys match"
+  - url: "https://github.com/actions/cache#outputs"
+    label: "actions/cache outputs documentation"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "65+ real GitHub Actions errors, queryable by agents. MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",