@htekdev/actions-debugger 1.0.47 → 1.0.48

package/errors/permissions-auth/permissions-auth-036.yml

@@ -0,0 +1,96 @@
+id: permissions-auth-036
+title: 'GITHUB_TOKEN cannot push commits to branches protected by "Require signed commits" — token identity cannot sign'
+category: permissions-auth
+severity: error
+tags:
+  - github-token
+  - signed-commits
+  - branch-protection
+  - gpg
+  - push
+  - protected-branch
+patterns:
+  - regex: 'GH006.*Protected branch.*signed|Commits must have verified signatures'
+    flags: 'i'
+  - regex: 'Changes must be signed|protected branch.*signed.*commits'
+    flags: 'i'
+error_messages:
+  - 'remote: error: GH006: Protected branch update failed for refs/heads/main.'
+  - 'remote: error: Commits must have verified signatures.'
+  - 'remote: error: Changes must be signed.'
+root_cause: |
+  GitHub's "Require signed commits" branch protection rule requires every pushed commit
+  to carry a verified GPG or SSH signature. The GITHUB_TOKEN is a short-lived bearer token
+  scoped to a workflow run — it has no associated GPG or SSH signing key and cannot produce
+  verified commit signatures.
+
+  This means any workflow that creates commits and pushes them using GITHUB_TOKEN will fail
+  on branches protected by "Require signed commits", regardless of the token's permission
+  level. Having contents: write permission is necessary but not sufficient: the signature
+  requirement is enforced by a separate push hook after permission checks pass.
+
+  Common workflow patterns that hit this:
+  - Auto-commit actions (stefanzweifel/auto-commit-action, EndBug/add-and-commit) that
+    commit generated files (changelogs, coverage badges, built assets) back to main
+  - Release workflows that bump version numbers in committed files before tagging
+  - Automated dependency update workflows that commit lockfile changes
+  - Documentation generation workflows that commit generated API docs or OpenAPI specs
+
+  The GH006 error appears in the push step's output but the job may not fail loudly if
+  the step's exit code is not checked carefully. In some auto-commit actions, the failure
+  surfaces as an unexpected empty push with no error surfaced to the workflow summary.
+fix: |
+  Option 1 — Create a pull request instead of direct push (recommended): Use
+  peter-evans/create-pull-request or similar to push the auto-generated commit to a
+  feature branch, then open a PR. Feature branches are not subject to the main branch's
+  "Require signed commits" protection.
+
+  Option 2 — GitHub App with bypass: Create a GitHub App and add it to the branch
+  protection "Allow specific actors to bypass required pull request reviews and required
+  status checks" bypass list. Generate tokens for the App in the workflow and push with
+  the App token. The App's bot commits can bypass the signed-commits requirement if
+  explicitly listed as a bypass actor.
+
+  Option 3 — Signed commits via GitHub App SSH key: Configure a GitHub App with an
+  SSH signing key. Use the App installation token and the App's SSH key for commit
+  signing via GIT_COMMITTER_EMAIL and gpg.format = ssh configuration.
+
+  The GITHUB_TOKEN itself cannot be configured for commit signing — this is a platform
+  limitation with no in-token workaround.
+fix_code:
+  - language: yaml
+    label: 'Create a pull request instead of pushing directly — avoids signed commits requirement on main'
+    code: |
+      jobs:
+        update-generated:
+          runs-on: ubuntu-latest
+          permissions:
+            contents: write
+            pull-requests: write
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Regenerate files
+              run: make generate
+
+            - name: Create pull request for generated output
+              uses: peter-evans/create-pull-request@v7
+              with:
+                commit-message: 'chore: regenerate auto-generated files'
+                branch: automated/regenerate-output
+                title: 'chore: automated file regeneration'
+                body: 'Automated regeneration triggered by CI. Merge after review.'
+                # Commit targets the feature branch, not main — signed-commits rule on
+                # main does not apply to the automated/ branch
+prevention:
+  - 'Before enabling "Require signed commits" on a branch, audit all workflows that push commits using GITHUB_TOKEN to that branch'
+  - 'Use the create-pull-request pattern for auto-generated commits rather than pushing directly to protected branches'
+  - 'Document in workflow files that GITHUB_TOKEN cannot push to branches with signed-commits protection'
+  - 'If a GitHub App bypass is used, rotate the App private key regularly and scope permissions to the minimum required'
+docs:
+  - url: 'https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-signed-commits'
+    label: 'GitHub Docs: Require signed commits branch protection'
+  - url: 'https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification'
+    label: 'GitHub Docs: About commit signature verification'
+  - url: 'https://github.com/orgs/community/discussions/13836'
+    label: 'GitHub Community #13836: GITHUB_TOKEN cannot push to branch requiring signed commits'

package/errors/runner-environment/runner-environment-103.yml

@@ -0,0 +1,100 @@
+id: runner-environment-103
+title: "actions/setup-go cache skipped with 'no file matched go.sum' when go.sum is absent or not at workspace root"
+category: runner-environment
+severity: warning
+tags:
+  - setup-go
+  - go
+  - cache
+  - go-sum
+  - monorepo
+  - cache-miss
+  - cache-dependency-path
+patterns:
+  - regex: 'No file.*matched.*go\.sum|go\.sum.*not.*found.*cache'
+    flags: 'i'
+  - regex: 'setup-go.*cache.*skip|Unable to find.*go\.sum'
+    flags: 'i'
+error_messages:
+  - 'Warning: No file in /home/runner/work/repo/repo matched to [**/go.sum, !**/vendor/**], make sure you have checked out the target repository'
+  - 'go.sum not found, module cache will not be saved'
+  - 'Cache miss — no go.sum file located at expected path'
+root_cause: |
+  actions/setup-go uses go.sum as the cache key hash source. When cache: true (the default
+  since setup-go@v4), the action runs hashFiles('**/go.sum') to compute the cache key.
+  If no go.sum file is found anywhere in the workspace, the action emits a warning and
+  silently skips saving and restoring the module cache entirely — the job continues with
+  exit 0 but all Go dependencies are downloaded from scratch on every run.
+
+  Common root causes:
+
+  1. New project: go mod tidy has not been run — go.sum does not yet exist in the repo.
+
+  2. Monorepo layout: Go modules live under subdirectories (e.g., services/api/go.sum).
+     The default glob **/go.sum should find nested files, but when combined with the
+     !**/vendor/** exclusion or when the repo structure is non-standard, detection can fail.
+
+  3. Go workspace (go.work): modules are organized under subdirectories managed by a
+     go.work file; individual go.sum files may be present but not at the expected root.
+
+  4. Ordering issue: actions/setup-go runs before actions/checkout, so go.sum is not
+     yet in the workspace when the cache key is computed.
+
+  5. go.sum is listed in .gitignore (non-standard but seen in internal tooling repos
+     that regenerate dependencies on every run).
+
+  The missing-cache warning is only visible in the setup-go step's log output and does
+  not fail the workflow. On large Go projects, silent cache bypass wastes 60-120+ seconds
+  downloading modules from proxy.golang.org on every CI run.
+fix: |
+  For monorepo or nested module layouts, explicitly set cache-dependency-path to the
+  location of the go.sum file(s). A glob pattern can match multiple modules if needed.
+
+  For new projects: run go mod tidy locally and commit go.sum before pushing.
+
+  For go.work workspaces: list each module's go.sum explicitly in cache-dependency-path
+  to ensure all modules participate in the cache key.
+
+  Always confirm actions/checkout runs before actions/setup-go in the steps list.
+fix_code:
+  - language: yaml
+    label: 'Set cache-dependency-path for a nested module in a monorepo'
+    code: |
+      steps:
+        - uses: actions/checkout@v4
+
+        - uses: actions/setup-go@v5
+          with:
+            go-version: '1.22'
+            cache: true
+            # Explicit path overrides default glob — required when go.sum is not at repo root
+            cache-dependency-path: services/api/go.sum
+
+  - language: yaml
+    label: 'Multiple modules in a go.work workspace — list all go.sum paths'
+    code: |
+      steps:
+        - uses: actions/checkout@v4
+
+        - uses: actions/setup-go@v5
+          with:
+            go-version: '1.22'
+            cache: true
+            # Multi-line value: each module go.sum contributes to the aggregate cache key
+            cache-dependency-path: |
+              services/api/go.sum
+              services/worker/go.sum
+              pkg/shared/go.sum
+prevention:
+  - 'Always run go mod tidy before the first commit to ensure go.sum exists in the repository'
+  - 'In monorepos, explicitly set cache-dependency-path rather than relying on the default **/go.sum glob'
+  - 'Check the setup-go step output for "No file matched" warnings — caching may be silently disabled without failing the job'
+  - 'Ensure actions/checkout runs before actions/setup-go so go.sum is present when the cache key is computed'
+  - 'Never add go.sum to .gitignore — it is required for reproducible builds and module cache keying'
+docs:
+  - url: 'https://github.com/actions/setup-go#caching-dependency-files-and-build-outputs'
+    label: 'actions/setup-go: Caching dependency files and build outputs'
+  - url: 'https://github.com/actions/setup-go/issues/289'
+    label: 'setup-go #289: Cache fails when go.sum not at repository root'
+  - url: 'https://docs.github.com/en/actions/use-cases-and-examples/building-and-testing/building-and-testing-go'
+    label: 'GitHub Docs: Building and testing Go'

package/errors/silent-failures/silent-failures-051.yml

@@ -0,0 +1,107 @@
+id: silent-failures-051
+title: 'environment.url expression evaluates to empty string when referencing steps.*.outputs — resolved before steps run'
+category: silent-failures
+severity: silent-failure
+tags:
+  - environment
+  - deployment-url
+  - step-outputs
+  - expression-evaluation
+  - dynamic-url
+  - deployment-widget
+patterns:
+  - regex: 'environment.*url.*steps\.\w+\.outputs\.\w+'
+    flags: 'i'
+  - regex: 'deployment.*url.*empty|environment.*url.*not.*set|page_url.*empty'
+    flags: 'i'
+error_messages:
+  - 'Deployment environment shows no URL in GitHub UI despite environment.url referencing a step output'
+  - 'Deployment URL is empty string — steps.deploy.outputs.url is non-empty in the step logs'
+root_cause: |
+  The jobs.<id>.environment.url field is evaluated at job scheduling time — before ANY steps
+  in the job have run and before any step outputs exist. Expressions that reference
+  steps.*.outputs.* from the same job silently resolve to empty string. GitHub does not
+  emit a warning or error when this occurs.
+
+  This is a fundamental evaluation ordering constraint: the environment block (both name and
+  url) is part of the workflow plan GitHub evaluates once when the job is queued. The job
+  has not yet started, so step outputs are undefined and resolve to empty.
+
+  Contexts SAFE to use in environment.url (available at scheduling time):
+  - github.* — static for the run
+  - vars.* — repository/org/environment variables
+  - inputs.* — workflow_dispatch or workflow_call inputs
+  - needs.<prior-job>.outputs.* — outputs from already-completed upstream jobs
+  - env.* declared at the job level
+
+  Contexts that silently resolve to empty in environment.url:
+  - steps.*.outputs.* — step has not run yet
+  - steps.*.conclusion / steps.*.outcome — step has not run yet
+  - Any runtime-computed value from within the same job
+
+  Common scenario: a deploy step creates a preview URL (e.g., Vercel preview, Heroku review
+  app, AWS CloudFormation output), writes it to GITHUB_OUTPUT, and the developer tries to
+  surface it via environment.url so it appears in the GitHub deployment widget on the PR.
+  The widget shows no URL, and no error is ever raised.
+fix: |
+  Route the dynamic deployment URL through job outputs of the deploy job, then reference
+  needs.deploy.outputs.<name> in a dependent job's environment.url. The needs context IS
+  available at scheduling time for downstream jobs because the upstream job has already
+  completed.
+
+  For cases where the URL can be computed entirely from pre-execution contexts (github.ref_name,
+  inputs.*, vars.*), use a static URL expression directly in environment.url without
+  any step output dependency.
+fix_code:
+  - language: yaml
+    label: 'Two-job pattern — expose deployment URL as job output, reference via needs in downstream job'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          outputs:
+            # Promote step output to job output — available to downstream jobs via needs
+            app_url: ${{ steps.deploy.outputs.url }}
+          steps:
+            - uses: actions/checkout@v4
+            - name: Deploy
+              id: deploy
+              run: |
+                DEPLOY_URL="https://preview-${{ github.run_id }}.example.com"
+                echo "url=${DEPLOY_URL}" >> $GITHUB_OUTPUT
+
+        link-deployment:
+          needs: deploy
+          runs-on: ubuntu-latest
+          environment:
+            name: preview
+            # needs.deploy.outputs.* resolves correctly — deploy job already completed
+            url: ${{ needs.deploy.outputs.app_url }}
+          steps:
+            - run: echo "Linked deployment to ${{ needs.deploy.outputs.app_url }}"
+
+  - language: yaml
+    label: 'Static URL pattern using pre-execution context (no step output dependency)'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          environment:
+            name: preview
+            # github.ref_name is available at scheduling time — always resolves correctly
+            url: 'https://preview-${{ github.ref_name }}.example.com'
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "deploying..."
+prevention:
+  - 'Never reference steps.*.outputs.* directly in environment.url — promote to a job output and reference via needs in a downstream job instead'
+  - 'Test environment.url by checking the deployment widget on a pull request — an empty URL indicates the expression evaluated to empty string at scheduling time'
+  - 'Document the two-job deploy-then-link pattern in team workflow templates to prevent rediscovery'
+  - 'If the URL requires a step output, always add an outputs: block to the job and reference it via needs.<job>.outputs.<name> in a downstream job'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment'
+    label: 'GitHub Docs: jobs.<job_id>.environment syntax'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/passing-information-between-jobs'
+    label: 'GitHub Docs: Passing information between jobs'
+  - url: 'https://github.com/orgs/community/discussions/9366'
+    label: 'GitHub Community #9366: Dynamic environment URL from step output resolves to empty'

package/errors/triggers/triggers-036.yml

@@ -0,0 +1,73 @@
+id: triggers-036
+title: 'branches-ignore filter does not suppress tag pushes — tags always fire unless tags-ignore is also specified'
+category: triggers
+severity: silent-failure
+tags:
+  - push
+  - branches-ignore
+  - tags
+  - tag-push
+  - filter
+  - trigger-bypass
+patterns:
+  - regex: 'on.*push.*branches-ignore|branches-ignore.*\*\*'
+    flags: 'i'
+  - regex: 'tag.*push.*trigger.*unexpected|branches-ignore.*tags.*still.*fire'
+    flags: 'i'
+error_messages:
+  - "Workflow triggered by tag push despite branches-ignore: ['**'] — expected no branch pushes to trigger"
+  - 'v1.2.3 tag push fires a workflow that should only run on branch pushes'
+root_cause: |
+  GitHub Actions push event filters (branches:, branches-ignore:, paths:, paths-ignore:) apply
+  only to branch-ref pushes. Tag pushes target a refs/tags/* ref, not a refs/heads/* ref, and
+  are entirely unaffected by branch filters.
+
+  When a workflow declares on: push with branches-ignore: but no tags: or tags-ignore: filter,
+  all tag pushes trigger the workflow unconditionally regardless of the branch filter.
+
+  A critical misunderstanding: adding branches-ignore: ['**'] looks like it "disables all push
+  triggers" but it only disables branch pushes. Tag pushes still fire unconditionally.
+
+  GitHub documentation states that push event filters are independent per ref type: branch
+  filters only affect refs/heads/* pushes, and tag filters only affect refs/tags/* pushes.
+  They do not compose across ref types — setting one does not implicitly filter the other.
+
+  Consequence: release tag pushes (v1.2.3) trigger CI and CD workflows not designed for them,
+  potentially running expensive test suites or deploying artifacts on every version tag.
+  This is among the top-voted GitHub Community questions about push event triggers and
+  appears repeatedly in Stack Overflow answers on the [github-actions] tag.
+fix: |
+  Add an explicit tags-ignore: ['**'] filter to prevent all tag pushes from triggering the
+  workflow. Alternatively, use an explicit branches: allowlist — but note that branch
+  allowlists also do not suppress tag pushes; tags-ignore: is always required separately.
+
+  For workflows intended ONLY for tags (release workflows), remove branches filters entirely
+  and add tags: with the desired semver glob pattern.
+fix_code:
+  - language: yaml
+    label: 'Add tags-ignore to explicitly suppress all tag pushes alongside branches-ignore'
+    code: |
+      on:
+        push:
+          branches-ignore:
+            - 'dependabot/**'
+          tags-ignore:
+            - '**'    # Required — branches-ignore does NOT suppress tag pushes
+  - language: yaml
+    label: 'Release workflow — run only on semver tags, no branch triggers'
+    code: |
+      on:
+        push:
+          tags:
+            - 'v[0-9]+.[0-9]+.[0-9]+'    # Only fires on semver tags like v1.2.3
+          # No branches filter — exclusive tag-only trigger
+prevention:
+  - "When adding branches or branches-ignore filters, always decide explicitly whether tag pushes should be included or excluded — then set tags: or tags-ignore: accordingly"
+  - 'Use actionlint to validate push trigger filter combinations before committing'
+  - 'Document the intent in workflow comments: "This workflow runs on branch pushes only. Tag pushes excluded via tags-ignore."'
+  - 'Audit release tag workflows to confirm they use tags: filters rather than relying on implicit gaps in branch filters'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#push'
+    label: 'GitHub Docs: push event — filter pattern cheat sheet'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore'
+    label: 'GitHub Docs: on.push branches/tags filter syntax'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.47",
+  "version": "1.0.48",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",