@htekdev/actions-debugger 1.0.48 → 1.0.49

package/errors/permissions-auth/permissions-auth-037.yml

@@ -0,0 +1,100 @@
+id: permissions-auth-037
+title: 'Environment secrets are only accessible to jobs that declare a matching environment: key — other jobs silently receive empty string'
+category: permissions-auth
+severity: silent-failure
+tags:
+  - environment
+  - secrets
+  - environment-secrets
+  - deployment-environment
+  - job-scoped
+  - secret-scope
+patterns:
+  - regex: 'environment:\s*[a-z0-9_-]+.*secrets\.|secrets\.[A-Z_]+'
+    flags: 'i'
+error_messages:
+  - "(No error — secrets.<SECRET_NAME> resolves to '' in jobs that do not declare the matching environment:)"
+root_cause: |
+  GitHub Actions supports three secret scopes with different visibility:
+  1. Repository secrets — available to all jobs in all workflows in the repository
+  2. Organization secrets — available to authorized repositories/workflows
+  3. Environment secrets — ONLY available to jobs that declare environment: <env-name>
+
+  Environment secrets are scoped to a specific deployment environment and are
+  intentionally isolated. A job that references secrets.MY_ENV_SECRET without
+  declaring environment: production receives '' (empty string) for that secret
+  with no error, no warning, and no indication that the secret exists elsewhere.
+
+  This isolation is a security feature: environment secrets are only released to
+  jobs that have satisfied environment protection rules (required reviewers, wait
+  timers, deployment branch policies). However it becomes a silent failure when:
+
+  - A secret is accidentally created in an environment instead of the repository scope
+  - A reusable workflow job uses the secret but the caller job did not declare environment:
+  - A job is refactored to remove environment: (to skip protection rules in testing) but
+    still references the now-inaccessible environment secret
+  - A developer expects an environment secret to work like a repository secret
+
+  The effect is indistinguishable from the secret not existing: the value is '' and the
+  job may fail with an auth error, a blank config value, or silently produce wrong output.
+fix: |
+  Determine the intended scope:
+  - If the secret should be accessible to all jobs: create it as a repository secret
+    (Settings > Secrets and variables > Actions > Repository secrets)
+  - If the secret must be gated by deployment protection rules: keep it as an environment
+    secret AND add environment: <env-name> to every job that needs it
+  - If both a repository secret and an environment secret share the same name:
+    the environment secret takes precedence in jobs that declare that environment
+
+  Use the GitHub Settings UI to confirm which scope a secret belongs to before
+  debugging unexpected empty values in run steps.
+fix_code:
+  - language: yaml
+    label: 'Add environment: to the job that needs the environment-scoped secret'
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          # Without this environment: key, secrets.DEPLOY_API_KEY is ''
+          # even though it exists as an environment secret for 'production'
+          environment: production
+          steps:
+            - name: Deploy to production
+              env:
+                API_KEY: ${{ secrets.DEPLOY_API_KEY }}
+              run: echo "Deploying with scoped key"
+
+  - language: yaml
+    label: 'Separate build (no environment) from deploy (with environment) to scope protection rules to deploy only'
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          # No environment: here — only repository-scoped secrets are needed for build
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "Building artifacts"
+
+        deploy:
+          needs: build
+          runs-on: ubuntu-latest
+          environment: production   # Required reviewers or wait timer enforced here
+          steps:
+            - name: Deploy
+              env:
+                # DEPLOY_KEY is an environment secret — only available because
+                # environment: production is declared on this job
+                DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
+              run: echo "Deploying with environment-scoped secret"
+prevention:
+  - 'When creating a secret, confirm its intended scope: environment secrets require the matching environment: on every job that needs them'
+  - 'If a secret is needed in a build job (no deployment environment), create it as a repository secret not an environment secret'
+  - 'Add environment: to reusable workflow caller jobs when the called workflow references environment-scoped secrets'
+  - 'Use the GitHub Settings UI to audit secret scopes when debugging empty secret values'
+docs:
+  - url: 'https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment'
+    label: 'GitHub Docs: Using environments for deployment'
+  - url: 'https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment'
+    label: 'GitHub Docs: Creating secrets for an environment'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenvironment'
+    label: 'GitHub Docs: jobs.<job_id>.environment syntax'

package/errors/runner-environment/runner-environment-104.yml

@@ -0,0 +1,103 @@
+id: runner-environment-104
+title: 'Private container registry image (ghcr.io, Docker Hub private) requires credentials: in the container: block — a docker login step is too late'
+category: runner-environment
+severity: error
+tags:
+  - container
+  - ghcr
+  - private-registry
+  - credentials
+  - docker-pull
+  - job-container
+  - services
+patterns:
+  - regex: 'pull access denied.*repository does not exist or may require.*login'
+    flags: 'i'
+  - regex: 'unauthorized.*authentication required|denied.*requested access to the resource is denied'
+    flags: 'i'
+error_messages:
+  - 'Error response from daemon: pull access denied for ghcr.io/org/image, repository does not exist or may require docker login: denied'
+  - 'Error: unauthorized: authentication required'
+  - 'Error pulling image: denied: requested access to the resource is denied'
+  - 'toomanyrequests: You have reached your pull rate limit'
+root_cause: |
+  When a job specifies a container image via jobs.<id>.container.image:, GitHub Actions
+  pulls the image before the job starts — before any steps execute. There is no
+  opportunity to authenticate with a docker login step because steps run inside the
+  already-running container.
+
+  Many workflows attempt to call docker/login-action or similar in a step, but by
+  then the container pull has either succeeded or already failed. The login step
+  has no effect on the original image pull.
+
+  The same limitation applies to services containers (jobs.<id>.services.<id>.image:):
+  all service containers are also pulled at job startup before any steps run.
+
+  Common scenarios that hit this error:
+  - Private GitHub Container Registry (ghcr.io) images requiring a PAT with
+    read:packages scope
+  - Docker Hub private repository images (rate-limited or private-tier)
+  - Self-hosted or corporate registries requiring Basic auth
+  - AWS ECR private images (ECR is not directly supported via credentials: block —
+    see fix for the ECR-specific workaround)
+fix: |
+  Provide credentials in the container: or services: block using the credentials: key.
+  These credentials are used at image pull time, before any steps begin.
+
+  For ghcr.io: use github.actor as username and a PAT with read:packages scope as
+  password. If the package is in the same org and the repository has package access,
+  secrets.GITHUB_TOKEN may also work.
+
+  For Docker Hub: use a Docker Hub username and access token (not password).
+
+  For AWS ECR private images: use a self-hosted runner with ECR credentials
+  pre-configured on the host, or build a public mirror of your private image.
+  The credentials: block does not support dynamic ECR token retrieval.
+fix_code:
+  - language: yaml
+    label: 'Authenticate to a private ghcr.io image using credentials in the container block'
+    code: |
+      jobs:
+        test:
+          runs-on: ubuntu-latest
+          container:
+            image: ghcr.io/myorg/private-runner:latest
+            # credentials: evaluated at job startup BEFORE any steps run
+            credentials:
+              username: ${{ github.actor }}
+              password: ${{ secrets.GHCR_PAT }}
+              # For same-org packages with package access enabled:
+              # password: ${{ secrets.GITHUB_TOKEN }}
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "Running inside authenticated private container"
+
+  - language: yaml
+    label: 'Private Docker Hub image in a services block using credentials'
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-latest
+          services:
+            database:
+              image: myorg/private-db:5.7
+              # credentials: here too — service images are pulled before steps
+              credentials:
+                username: ${{ secrets.DOCKER_USERNAME }}
+                password: ${{ secrets.DOCKER_TOKEN }}
+              ports:
+                - 5432:5432
+          steps:
+            - uses: actions/checkout@v4
+            - run: echo "Integration test against private DB image"
+prevention:
+  - 'Always use the credentials: block inside container: or services: for private images — a docker login step in run: is too late'
+  - 'For same-org ghcr.io images, configure package visibility to allow GITHUB_TOKEN to avoid managing a separate PAT'
+  - 'Test authentication separately with docker pull from a local machine using the same credentials before wiring into a workflow'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontainer'
+    label: 'GitHub Docs: jobs.<job_id>.container.credentials'
+  - url: 'https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions'
+    label: 'GitHub Docs: Using GITHUB_TOKEN with GitHub Packages (ghcr.io)'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idservicesservice_idcredentials'
+    label: 'GitHub Docs: jobs.<job_id>.services.<service_id>.credentials'

package/errors/silent-failures/silent-failures-052.yml

@@ -0,0 +1,102 @@
+id: silent-failures-052
+title: 'Step outputs referenced in the job-level env: block are always empty string — job env is evaluated before any steps run'
+category: silent-failures
+severity: silent-failure
+tags:
+  - env
+  - steps-outputs
+  - job-level
+  - context-evaluation
+  - expression
+  - environment-variables
+patterns:
+  - regex: 'steps\.[a-z0-9_-]+\.outputs\.[a-z0-9_-]+'
+    flags: 'i'
+error_messages:
+  - "(No error — steps.<id>.outputs.<name> silently resolves to '' when used in a job-level env: block)"
+root_cause: |
+  GitHub Actions evaluates the jobs.<id>.env: block once at job initialization, before
+  any steps begin executing. At that point, the steps context exists but all step
+  outputs are empty — no step has run yet, so no outputs have been set.
+
+  This means that ${{ steps.my-step.outputs.value }} in the jobs.<id>.env: block
+  always resolves to '' regardless of what the step later produces. The job does not
+  fail or warn — the environment variable is simply set to empty string and all steps
+  that reference it via $VAR or %VAR% receive nothing.
+
+  This is a context availability limitation documented by GitHub, but it is easy to
+  miss because the expression syntax is valid and the job runs without error.
+
+  Affected env: scopes (evaluated before steps run):
+  - jobs.<id>.env: — job-level env block
+  - The workflow-level env: block also cannot access steps.*, for the same reason
+
+  Env scopes that CAN access step outputs (evaluated per-step):
+  - jobs.<id>.steps.<id>.env: — step-level env block, evaluated when that step runs
+
+  Common mistake: a developer sets a job-level env var to a computed step output
+  (e.g., a parsed version string or a generated artifact path) and then uses that
+  var in multiple subsequent steps, not realizing it is always empty.
+fix: |
+  Move the env: block referencing step outputs from job level down to the individual
+  step level. Step-level env: blocks are evaluated when that step runs, so earlier
+  step outputs are already populated.
+
+  If the same value is needed across many steps, pass it via $GITHUB_OUTPUT and
+  reference it inline with ${{ steps.step-id.outputs.name }} in each step's run:.
+fix_code:
+  - language: yaml
+    label: 'Move env that references step outputs from job level to step level'
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+
+          # WRONG: job-level env block — evaluated before any step runs
+          # steps.version.outputs.tag is '' here, no matter what the step produces
+          # env:
+          #   RELEASE_TAG: ${{ steps.version.outputs.tag }}
+
+          steps:
+            - name: Compute release tag
+              id: version
+              run: echo "tag=v1.2.3" >> $GITHUB_OUTPUT
+
+            - name: Build with release tag
+              # CORRECT: step-level env block — evaluated when this step runs
+              # steps.version.outputs.tag is populated by the prior step at this point
+              env:
+                RELEASE_TAG: ${{ steps.version.outputs.tag }}
+              run: echo "Building $RELEASE_TAG"
+
+            - name: Publish with release tag
+              env:
+                RELEASE_TAG: ${{ steps.version.outputs.tag }}
+              run: echo "Publishing $RELEASE_TAG"
+
+  - language: yaml
+    label: 'Use inline expression in run steps to avoid repeating step-level env blocks'
+    code: |
+      jobs:
+        release:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Resolve version
+              id: version
+              run: echo "tag=v2.0.0" >> $GITHUB_OUTPUT
+
+            - name: Tag Docker image
+              # Reference step output directly in run — no env: block needed
+              run: echo "Tagging image as ${{ steps.version.outputs.tag }}"
+
+            - name: Push Docker image
+              run: echo "Pushing tag ${{ steps.version.outputs.tag }}"
+prevention:
+  - 'Never reference steps.<id>.outputs.* in the jobs.<id>.env: block — use step-level env: or inline expressions in run: instead'
+  - 'Enable actionlint locally to catch step output references in job-level env blocks before they reach CI'
+  - 'When the same step output is needed in many steps, document it with a comment on the generating step so readers know where to look'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/contexts#context-availability'
+    label: 'GitHub Docs: Context availability — which contexts are accessible at each location'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables'
+    label: 'GitHub Docs: Store information in variables'

package/errors/triggers/triggers-037.yml

@@ -0,0 +1,79 @@
+id: triggers-037
+title: 'on.release types: [published] does not fire for pre-releases — prereleased is a separate event type'
+category: triggers
+severity: silent-failure
+tags:
+  - release
+  - prereleased
+  - published
+  - event-types
+  - pre-release
+  - trigger-filter
+patterns:
+  - regex: 'on:\s*\n\s+release:\s*\n\s+types:\s*\[.*published(?!.*prereleased)'
+    flags: 'i'
+error_messages:
+  - "(No error — workflow simply does not trigger when a pre-release is published via the GitHub UI or API)"
+root_cause: |
+  GitHub's release event distinguishes two separate activity types for publishing:
+  - published: fires when a full (non-pre) release is published (is_prerelease: false)
+  - prereleased: fires when a pre-release is published (is_prerelease: true)
+
+  The published type does NOT include pre-releases. A workflow with
+  types: [published] will never fire when "Set as a pre-release" is checked in
+  the GitHub UI, or when a release is created with prerelease: true via the Releases API.
+
+  This silently skips release automation (npm publish, Docker image push, deployment
+  pipelines) for pre-release versions (e.g., v2.0.0-rc.1, v1.5.0-beta.3).
+  No warning, no skipped-run entry in the Actions tab — the event simply never arrives.
+
+  Note: the created type fires for both releases AND pre-releases when they are first
+  created as drafts, not when published. The released type fires for both
+  published and prereleased events and is the simplest way to catch both.
+fix: |
+  To fire on BOTH full releases and pre-releases: add prereleased to the types list,
+  or switch to types: [released] which fires for both without listing each type.
+
+  To fire ONLY on pre-releases: use types: [prereleased].
+
+  To distinguish inside the workflow: check github.event.release.prerelease (boolean).
+fix_code:
+  - language: yaml
+    label: 'Include prereleased to fire for both full releases and pre-releases'
+    code: |
+      on:
+        release:
+          # published fires only for full releases
+          # prereleased fires only for pre-releases
+          # List both to catch all published releases
+          types: [published, prereleased]
+
+      jobs:
+        publish:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Set dist-tag based on release type
+              id: meta
+              run: |
+                if [ "${{ github.event.release.prerelease }}" = "true" ]; then
+                  echo "dist_tag=next" >> $GITHUB_OUTPUT
+                else
+                  echo "dist_tag=latest" >> $GITHUB_OUTPUT
+                fi
+
+  - language: yaml
+    label: 'Use released to always fire for both release types without listing each'
+    code: |
+      on:
+        release:
+          # released is equivalent to [published, prereleased] — fires for both
+          types: [released]
+prevention:
+  - 'Always include prereleased in types: if pre-release automation is expected (npm publish, Docker push, deploy)'
+  - 'Test release workflows by creating a GitHub pre-release — verify the workflow appears in the Actions tab'
+  - 'Use github.event.release.prerelease (boolean) to branch behavior inside the workflow rather than relying on separate trigger types'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#release'
+    label: 'GitHub Docs: release event and activity types'
+  - url: 'https://docs.github.com/en/rest/releases/releases#create-a-release'
+    label: 'GitHub REST API: Create a release (prerelease field)'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.48",
+  "version": "1.0.49",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",