@htekdev/actions-debugger 1.0.51 → 1.0.52

package/errors/caching-artifacts/caching-artifacts-036.yml

@@ -0,0 +1,155 @@
+id: caching-artifacts-036
+title: 'actions/cache post step skips save when job is cancelled — cache never populated after cancellation'
+category: caching-artifacts
+severity: silent-failure
+tags:
+  - actions-cache
+  - job-cancellation
+  - post-step
+  - cache-save
+  - cancel-in-progress
+  - concurrency
+  - always
+patterns:
+  - regex: 'Post\s+Run\s+actions/cache.*skipped|Cache\s+save\s+skipped'
+    flags: 'i'
+  - regex: 'uses:\s*actions/cache@'
+    flags: 'i'
+error_messages:
+  - 'Post Run actions/cache@v4 skipped'
+  - 'Cache save skipped'
+  - '##[warning]Cache save skipped.'
+  - 'Warning: Cache save failed.'
+root_cause: |
+  The actions/cache action saves the cache in a lifecycle "post" step that runs
+  automatically after the main job steps complete. When a job is cancelled — via
+  the Actions UI, concurrency cancel-in-progress, or exceeding job timeout-minutes
+  — post steps do NOT execute.
+
+  This creates a cache starvation loop:
+  1. Job starts with cache miss — slow dependency installation begins (minutes)
+  2. A new push triggers another workflow run while the first is still installing
+  3. concurrency: cancel-in-progress terminates the first run mid-install
+  4. The first run never reaches its post step — cache is not saved
+  5. The second run also sees a cache miss — the same slow install repeats
+  6. Repeated cancellations mean the cache is never populated
+
+  This is invisible in workflow logs: cancelled jobs simply show as cancelled with
+  no specific warning about the cache post step being skipped. Teams diagnose it
+  as "caching isn't working" without realizing cancellation is the root cause.
+
+  Affected workflows:
+  - Any workflow with concurrency: cancel-in-progress that also uses actions/cache
+  - Workflows with aggressive job timeout-minutes that expire during installs
+  - Flaky workflows that are frequently manually cancelled and re-run
+  - Matrix workflows where one failing matrix branch cancels siblings
+
+  When a job fails (but is not cancelled), post steps DO run normally — the issue
+  is specific to cancellations and hard timeouts.
+fix: |
+  Use the split actions/cache/restore + actions/cache/save pattern with
+  if: always() on the save step. This gives explicit control over cache saving
+  independent of the job lifecycle hooks:
+
+    - uses: actions/cache/restore@v4
+      id: cache-restore
+      with:
+        key: ...
+        path: ...
+
+    # ... install and build steps ...
+
+    - uses: actions/cache/save@v4
+      if: always()
+      with:
+        key: ${{ steps.cache-restore.outputs.cache-primary-key }}
+        path: ...
+
+  The split restore/save pattern (available since actions/cache v3.3.0 in 2023)
+  runs the save as an explicit step with if: always(), which executes during the
+  graceful shutdown window even when the job is being cancelled.
+
+  Important caveat: if the runner process is killed with SIGKILL (hard preemption,
+  host failure), no steps including if: always() will run — this is a
+  platform-level constraint outside GitHub Actions' control.
+fix_code:
+  - language: yaml
+    label: 'Split restore/save pattern with unconditional save to survive cancellation'
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          # Even with cancel-in-progress, the explicit save step will run
+          concurrency:
+            group: ${{ github.workflow }}-${{ github.ref }}
+            cancel-in-progress: true
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Restore cached dependencies
+              uses: actions/cache/restore@v4
+              id: cache-restore
+              with:
+                path: ~/.npm
+                key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
+                restore-keys: |
+                  ${{ runner.os }}-npm-
+
+            - name: Install dependencies
+              if: steps.cache-restore.outputs.cache-hit != 'true'
+              run: npm ci
+
+            - name: Run tests
+              run: npm test
+
+            - name: Save cache
+              uses: actions/cache/save@v4
+              if: always()   # Runs during graceful cancellation shutdown window
+              with:
+                path: ~/.npm
+                key: ${{ steps.cache-restore.outputs.cache-primary-key }}
+
+  - language: yaml
+    label: 'Python pip cache with split save pattern'
+    code: |
+      jobs:
+        test:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Restore pip cache
+              uses: actions/cache/restore@v4
+              id: pip-cache
+              with:
+                path: ~/.cache/pip
+                key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
+                restore-keys: |
+                  ${{ runner.os }}-pip-
+
+            - name: Install Python dependencies
+              run: pip install -r requirements.txt
+
+            - name: Run pytest
+              run: pytest
+
+            - name: Save pip cache
+              uses: actions/cache/save@v4
+              if: always()
+              with:
+                path: ~/.cache/pip
+                key: ${{ steps.pip-cache.outputs.cache-primary-key }}
+prevention:
+  - 'Prefer the split actions/cache/restore + actions/cache/save pattern over the combined actions/cache action for any workflow using concurrency: cancel-in-progress'
+  - 'Always add if: always() to explicit cache save steps so they execute regardless of upstream step failure or cancellation signal'
+  - 'Monitor workflow logs for "Post Run actions/cache skipped" messages — this is a reliable indicator that cache is never being populated after cancellations'
+  - 'Use actions/cache v3.3.0 or later — the split restore/save subactions were introduced in that release'
+docs:
+  - url: 'https://github.com/actions/cache/blob/main/save/README.md'
+    label: 'actions/cache: Explicit save action documentation'
+  - url: 'https://github.com/actions/cache#save-action'
+    label: 'actions/cache: Split restore and save usage pattern'
+  - url: 'https://github.com/orgs/community/discussions/47469'
+    label: 'GitHub Community #47469: Cache not saved when workflow is cancelled'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-syntax-for-github-actions#jobsjob_idstepsif'
+    label: 'GitHub Docs: Using conditions to control job execution'

package/errors/permissions-auth/permissions-auth-038.yml

@@ -0,0 +1,148 @@
+id: permissions-auth-038
+title: 'secrets: inherit does not propagate environment-scoped secrets to reusable workflows'
+category: permissions-auth
+severity: silent-failure
+tags:
+  - secrets-inherit
+  - reusable-workflows
+  - environment-secrets
+  - workflow-call
+  - empty-secret
+  - deployment-environment
+patterns:
+  - regex: 'secrets:\s*inherit'
+    flags: 'i'
+  - regex: 'uses:\s*[./\w@-]+\.ya?ml\b'
+    flags: 'i'
+error_messages:
+  - 'Error: Input required and not supplied'
+  - 'Secret value is empty in reusable workflow'
+  - '##[error]The secret variable name is invalid'
+root_cause: |
+  When a caller workflow uses secrets: inherit to call a reusable workflow
+  (on.workflow_call), GitHub passes repository-level and organization-level
+  secrets to the called workflow. However, environment-scoped secrets are NOT
+  inherited — they arrive as empty strings with no error or warning.
+
+  Environment secrets are tied to a named deployment environment (e.g.,
+  "production", "staging") and are only accessible to jobs that declare
+  environment: <name> in their configuration. The secrets: inherit mechanism
+  operates at the repository/org secret scope level. It cannot bridge environment
+  context to a called workflow's jobs because those jobs run in a separate
+  workflow execution context and do not inherit the caller job's environment
+  declaration.
+
+  Failure scenario:
+  1. Caller job declares environment: production (activates env secrets in the caller)
+  2. Caller job uses secrets: inherit to call ./reusable.yml
+  3. Reusable workflow job reads secrets.PROD_DB_PASSWORD (an environment secret)
+  4. Reusable workflow job sees PROD_DB_PASSWORD as empty string
+  5. No error is thrown — the secret silently resolves to ""
+
+  This is documented as a GitHub platform limitation in the reusable workflows
+  documentation. GitHub Community discussion #26671 has many reports of this
+  surprising behavior.
+
+  Distinction from permissions-auth-037 (environment-secrets-job-scope):
+  - permissions-auth-037 covers jobs in the SAME workflow that lack environment:
+    declarations failing to access environment secrets.
+  - This entry covers the cross-workflow boundary where secrets: inherit does not
+    transfer environment secrets from caller to called workflow at all.
+fix: |
+  Explicitly declare and map environment secrets at the workflow_call boundary.
+  In the reusable workflow, declare each secret in the on.workflow_call.secrets
+  block. At the call site, explicitly pass each environment secret using the
+  secrets: mapping block (not secrets: inherit):
+
+  In the reusable workflow (workflow_call trigger):
+    on:
+      workflow_call:
+        secrets:
+          db_password:
+            required: true
+          api_key:
+            required: false
+
+  In the calling workflow:
+    jobs:
+      deploy:
+        environment: production
+        uses: ./.github/workflows/deploy.yml
+        secrets:
+          db_password: ${{ secrets.PROD_DB_PASSWORD }}
+          api_key: ${{ secrets.PROD_API_KEY }}
+
+  Alternatively, if the reusable workflow is in the same repository and the
+  environment name is fixed, you can declare environment: production on the job
+  inside the reusable workflow directly. This makes environment secrets accessible
+  in the called workflow at the cost of coupling it to a specific environment name.
+
+  Note: secrets: inherit and explicit secrets: mapping cannot be combined on the
+  same uses: step. Choose one approach: either inherit all repo/org secrets, or
+  map explicitly (which also allows passing environment secrets).
+fix_code:
+  - language: yaml
+    label: 'Reusable workflow — declare required secrets in workflow_call trigger'
+    code: |
+      # .github/workflows/deploy-reusable.yml
+      on:
+        workflow_call:
+          secrets:
+            db_password:
+              required: true
+            api_key:
+              required: true
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Deploy application
+              env:
+                DB_PASSWORD: ${{ secrets.db_password }}
+                API_KEY: ${{ secrets.api_key }}
+              run: ./scripts/deploy.sh
+
+  - language: yaml
+    label: 'Caller workflow — explicitly map environment secrets (not secrets: inherit)'
+    code: |
+      # .github/workflows/deploy-caller.yml
+      jobs:
+        call-deploy:
+          environment: production       # Activates environment secrets in this calling job
+          uses: ./.github/workflows/deploy-reusable.yml
+          # WRONG: secrets: inherit     -- passes repo/org secrets but NOT environment secrets
+          secrets:
+            db_password: ${{ secrets.PROD_DB_PASSWORD }}    # Environment secret — must be explicit
+            api_key: ${{ secrets.PROD_API_KEY }}            # Environment secret — must be explicit
+
+  - language: yaml
+    label: 'Alternative — declare environment inside the reusable workflow job'
+    code: |
+      # .github/workflows/deploy-reusable.yml (alternative approach)
+      on:
+        workflow_call: {}
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          environment: production       # Directly activates environment secrets here
+          steps:                        # Couples reusable workflow to environment name
+            - name: Deploy application
+              env:
+                DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
+              run: ./scripts/deploy.sh
+prevention:
+  - 'Never rely on secrets: inherit to pass environment-scoped secrets — always map them explicitly in the secrets: block of the workflow_call invocation'
+  - 'In reusable workflows, declare all required secrets in on.workflow_call.secrets with required: true so missing secrets fail loudly rather than silently resolving to empty strings'
+  - 'Document which secrets in your reusable workflow are environment-scoped vs repository-scoped so callers know the correct passing strategy'
+  - 'Test reusable workflows end-to-end from a caller workflow before deploying to production — secrets: inherit working in testing does not guarantee environment secrets work correctly'
+docs:
+  - url: 'https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-secrets-to-called-workflows'
+    label: 'GitHub Docs: Passing secrets to called workflows'
+  - url: 'https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment'
+    label: 'GitHub Docs: Creating secrets for an environment'
+  - url: 'https://github.com/orgs/community/discussions/26671'
+    label: 'GitHub Community #26671: secrets: inherit not passing environment secrets'
+  - url: 'https://docs.github.com/en/actions/sharing-automations/reusing-workflows#limitations'
+    label: 'GitHub Docs: Reusable workflows — limitations'

package/errors/runner-environment/runner-environment-110.yml

@@ -0,0 +1,113 @@
+id: runner-environment-110
+title: 'actions/checkout default fetch-depth:1 shallow clone breaks git describe and changelog generation'
+category: runner-environment
+severity: error
+tags:
+  - checkout
+  - fetch-depth
+  - shallow-clone
+  - git-describe
+  - versioning
+  - changelog
+  - tags
+  - release
+patterns:
+  - regex: 'fatal:\s*No names found.*cannot describe|No tag can describe'
+    flags: 'i'
+  - regex: 'fetch-depth:\s*[01]\b'
+    flags: 'i'
+error_messages:
+  - 'fatal: No names found, cannot describe anything.'
+  - 'fatal: No tags can describe ''HEAD''.'
+  - 'error: No annotated tags can describe'
+  - '##[error]fatal: no tag exactly matches'
+root_cause: |
+  actions/checkout defaults to fetch-depth: 1 — a shallow clone that downloads
+  only the single most recent commit. This optimizes CI download speed but breaks
+  any operation that requires commit history or reachable tag ancestry:
+
+  - git describe --tags: requires a tag somewhere in the commit ancestry chain.
+    With depth 1, no ancestor commits exist, so no tags are reachable unless the
+    HEAD commit IS exactly the tagged commit. Returns "fatal: No names found,
+    cannot describe anything."
+
+  - Changelog generators (conventional-changelog, release-please, git-cliff,
+    semantic-release): need commit history to determine what changed since the
+    last release. With depth 1, they see zero commits and produce empty changelogs.
+
+  - Semantic versioning tools that count commits since last tag always return 0
+    because no prior commits (and thus no tags) are in the shallow history.
+
+  - Branch comparison and merge-base operations: git merge-base fails or produces
+    incorrect results with no shared history available.
+
+  A common workaround attempt — using fetch-tags: true with fetch-depth: 1 —
+  fetches tag objects but NOT the commits they point to in history, so
+  git describe still fails. The tags exist as objects but are not reachable from
+  HEAD via the commit graph.
+
+  This is one of the most-discussed GitHub Community topics: the checkout step
+  looks correct, CI succeeds, but release version numbers or changelogs are
+  unexpectedly empty or wrong, often discovered only after a real release attempt.
+fix: |
+  Set fetch-depth: 0 to fetch complete commit history including all tags:
+
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+  For large repositories where full history is prohibitively slow, use targeted
+  approaches:
+  - fetch-depth: 50 covers the last 50 commits — sufficient for active repos
+    that tag frequently, but risky for repos with infrequent tagging.
+  - fetch-depth: 0 combined with --filter=blob:none (partial clone) gets history
+    metadata without full file blobs — not directly configurable in the action but
+    achievable via fetch options in post-checkout scripts for advanced cases.
+
+  For changelog and release tools (release-please, git-cliff, semantic-release,
+  conventional-changelog), always use fetch-depth: 0. These tools explicitly
+  require full history and their documentation states this requirement.
+fix_code:
+  - language: yaml
+    label: 'Full history checkout for git describe and changelog generation tools'
+    code: |
+      jobs:
+        release:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+              with:
+                fetch-depth: 0   # Full history required for version detection and changelogs
+                # Default fetch-depth: 1 (shallow) causes "No names found, cannot describe"
+
+            - name: Generate changelog
+              uses: orhun/git-cliff-action@v3
+              with:
+                config: cliff.toml
+
+  - language: yaml
+    label: 'Partial depth with fetch-tags for large repos — use with caution'
+    code: |
+      jobs:
+        version:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+              with:
+                fetch-depth: 100   # Last 100 commits — sufficient for frequently-tagged repos
+                fetch-tags: true   # Fetch tag objects so they appear in tag list
+                # WARNING: fetch-tags: true with a shallow clone fetches tag OBJECTS
+                # but NOT their commit ancestors — git describe may still fail if
+                # the tag is older than fetch-depth commits. Use fetch-depth: 0 to be safe.
+prevention:
+  - 'Set fetch-depth: 0 in any workflow that uses git describe, generates a changelog, or computes a semantic version from commit history'
+  - 'Document in your workflow why fetch-depth: 0 is required so future maintainers do not revert it to the shallow default'
+  - 'Do not assume fetch-tags: true solves shallow clone limitations for git describe — the tag objects must be reachable in the commit graph'
+  - 'Keep the default fetch-depth: 1 only for workflows that never need commit history — pure build and test jobs with no versioning or history analysis'
+docs:
+  - url: 'https://github.com/actions/checkout#usage'
+    label: 'actions/checkout: fetch-depth parameter documentation'
+  - url: 'https://github.com/orgs/community/discussions/25702'
+    label: 'GitHub Community: git describe fails with actions/checkout shallow clone'
+  - url: 'https://github.com/actions/checkout/issues/701'
+    label: 'actions/checkout #701: fetch-tags does not help with git describe on shallow clone'

package/errors/silent-failures/silent-failures-053.yml

@@ -0,0 +1,111 @@
+id: silent-failures-053
+title: 'workflow_dispatch boolean inputs arrive as strings — if: inputs.flag is always truthy'
+category: silent-failures
+severity: silent-failure
+tags:
+  - workflow-dispatch
+  - boolean-inputs
+  - type-coercion
+  - inputs-context
+  - string-comparison
+  - if-condition
+patterns:
+  - regex: 'inputs\.\w+\s*==\s*true\b'
+    flags: 'i'
+  - regex: 'if:\s*inputs\.\w+'
+    flags: 'i'
+error_messages:
+  - 'Step always runs even when boolean input is set to false'
+  - 'Boolean workflow_dispatch input behaves as truthy regardless of value'
+root_cause: |
+  GitHub Actions workflow_dispatch inputs defined with type: boolean are passed
+  to the workflow as strings ("true" or "false"), not as JavaScript/YAML booleans.
+
+  This means three common patterns silently misbehave:
+  - if: inputs.dry_run                      evaluates to always truthy (non-empty string)
+  - if: inputs.dry_run == true              always false (string "true" != boolean true)
+  - if: inputs.dry_run == false             always false (string "false" != boolean false)
+
+  The GitHub Actions expression evaluator converts the inputs context to strings
+  at the boundary between the event payload and the workflow context. Even though
+  the UI renders a checkbox, the underlying value is the literal string "true" or
+  "false". This behavior is consistent across workflow_dispatch and workflow_call
+  inputs of type boolean.
+
+  GitHub Community discussion #51504 documents this as expected behavior, but
+  thousands of developers are surprised by the mismatch between the checkbox UI
+  and the string runtime value.
+
+  Affected patterns:
+  - if: inputs.dry_run (truthy check — always true for any non-empty string value)
+  - if: inputs.flag == true (boolean comparison — always false for string "true")
+  - Ternary: ${{ inputs.flag && 'yes' || 'no' }} returns "yes" even when flag is "false"
+fix: |
+  Always compare workflow_dispatch boolean inputs to the string literal 'true'
+  or 'false':
+
+  - if: inputs.dry_run == 'true'       correct
+  - if: inputs.dry_run != 'true'       correct negation (catches "false" and "")
+  - if: inputs.dry_run == true         WRONG — string never equals boolean
+  - if: inputs.dry_run                 WRONG — always truthy for non-empty string
+
+  For workflow_call with boolean inputs, the same string coercion applies when
+  the calling workflow passes the value via the inputs: block.
+
+  The fromJSON() function converts the string to a real boolean if needed for
+  complex conditions: fromJSON(inputs.dry_run) returns actual true/false booleans.
+fix_code:
+  - language: yaml
+    label: 'Correct boolean input comparison using string equality'
+    code: |
+      on:
+        workflow_dispatch:
+          inputs:
+            dry_run:
+              description: 'Run without making changes'
+              type: boolean
+              default: false
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Deploy (skip if dry run)
+              # WRONG: if: inputs.dry_run          -- always truthy (non-empty string)
+              # WRONG: if: inputs.dry_run == true   -- string never equals boolean
+              if: inputs.dry_run != 'true'
+              run: echo "Deploying..."
+
+            - name: Dry run notice
+              if: inputs.dry_run == 'true'
+              run: echo "Dry run mode — no changes made"
+
+  - language: yaml
+    label: 'Use fromJSON() to convert to real boolean for complex conditions'
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Conditional step using fromJSON conversion
+              if: fromJSON(inputs.dry_run) == false
+              run: echo "Not a dry run — proceeding"
+
+            - name: Set environment variable from boolean input
+              env:
+                # fromJSON converts "true"/"false" string to actual boolean
+                DRY_RUN: ${{ fromJSON(inputs.dry_run) }}
+              run: |
+                echo "Dry run mode: $DRY_RUN"
+prevention:
+  - 'Always compare workflow_dispatch boolean inputs to the string literal ''true'' or ''false'', not to boolean true/false'
+  - 'Never use ''if: inputs.flag'' alone as a boolean check — the non-empty string "false" is truthy in GitHub Actions expressions'
+  - 'Use fromJSON(inputs.flag) when you need a real boolean value in expressions or env: context'
+  - 'Add a comment in your workflow noting that boolean dispatch inputs are strings at runtime to warn future maintainers'
+docs:
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-syntax-for-github-actions#onworkflow_dispatchinputs'
+    label: 'GitHub Docs: workflow_dispatch inputs syntax'
+  - url: 'https://github.com/orgs/community/discussions/51504'
+    label: 'GitHub Community #51504: Boolean inputs in workflow_dispatch are strings'
+  - url: 'https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#fromjson'
+    label: 'GitHub Docs: fromJSON expression function'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.51",
+  "version": "1.0.52",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",