@htekdev/actions-debugger 1.0.55 → 1.0.57

package/errors/runner-environment/runner-environment-114.yml

@@ -0,0 +1,130 @@
+id: runner-environment-114
+title: "macOS-26 / Xcode 26 defaults to Swift 6 strict concurrency — existing Swift builds fail with actor isolation errors"
+category: runner-environment
+severity: error
+tags:
+  - macos-26
+  - xcode-26
+  - swift-6
+  - concurrency
+  - actor-isolation
+  - runner-image-update
+  - breaking-change
+patterns:
+  - regex: "error: sending '.*' to actor-isolated"
+    flags: 'i'
+  - regex: 'actor-isolated.*cannot.*referenced from.*non-isolated'
+    flags: 'i'
+  - regex: "error: '.*' cannot be used to satisfy the '@Sendable' requirement"
+    flags: 'i'
+  - regex: 'error:.*Sendable.*cannot conform.*in Swift 6'
+    flags: 'i'
+  - regex: 'main actor-isolated.*cannot be referenced from.*nonisolated'
+    flags: 'i'
+error_messages:
+  - "error: sending 'self' to actor-isolated initializer 'init()' risks causing data races"
+  - "error: actor-isolated property 'delegate' can not be referenced from a non-isolated context"
+  - "error: main actor-isolated class method 'viewDidLoad()' cannot be referenced from a nonisolated context"
+  - "error: 'Sendable'-conforming class 'MyViewController' cannot inherit from another class other than 'NSObject'"
+  - "error: expression is 'async' but is not marked with 'await'"
+root_cause: |
+  Xcode 26 (shipped with the macos-26 runner) defaults to Swift 6 language mode. Previous
+  Xcode versions (14, 15, 16) compiled in Swift 5 compatibility mode by default, which did not
+  enforce strict data-race safety checking.
+
+  Swift 6 enforces complete concurrency checking at compile time:
+  - All values shared across actor boundaries must conform to `Sendable`
+  - Calls to `@MainActor`-isolated methods from non-isolated contexts must be `await`-ed
+  - Closures passed to async contexts must be `@Sendable`
+  - Class hierarchies that cross actor boundaries require explicit `Sendable` conformance
+
+  Code that compiled and ran correctly under Swift 5 may produce dozens of compiler errors in
+  Swift 6, even if it had no actual concurrency bugs. The errors are not warnings — they are
+  hard build failures.
+
+  The macos-26 runner ships Xcode 26 as the default Xcode. Any workflow running `xcodebuild`
+  or `swift build` without an explicit Swift language version flag will pick up Swift 6.
+fix: |
+  Short-term: Pin to Swift 5 compatibility mode in your build command or project settings.
+
+  Option A — xcodebuild flag:
+    xcodebuild build -scheme MyScheme SWIFT_VERSION=5
+
+  Option B — Xcode build settings (xcconfig or project settings):
+    SWIFT_VERSION = 5
+
+  Option C — Package.swift swift-tools-version (for Swift Package Manager projects):
+    Change the first line to: // swift-tools-version: 5.10
+    This sets the package manifest version and implicitly enables Swift 5 mode for dependencies.
+
+  Option D — Per-target in Package.swift:
+    .target(name: "MyTarget", swiftSettings: [.unsafeFlags(["-swift-version", "5"])])
+
+  Long-term: Migrate your codebase to Swift 6 concurrency model by resolving actor isolation
+  errors. Apple provides a migration guide at developer.apple.com/documentation/swift/migrating-to-swift-6.
+fix_code:
+  - language: yaml
+    label: "Pin SWIFT_VERSION=5 in xcodebuild to restore Swift 5 compatibility on macos-26"
+    code: |
+      jobs:
+        build:
+          runs-on: macos-26
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build (Swift 5 compatibility mode)
+              run: |
+                xcodebuild build \
+                  -scheme MyApp \
+                  -destination 'platform=macOS' \
+                  SWIFT_VERSION=5
+
+            - name: Test (Swift 5 compatibility mode)
+              run: |
+                xcodebuild test \
+                  -scheme MyApp \
+                  -destination 'platform=macOS' \
+                  SWIFT_VERSION=5
+  - language: yaml
+    label: "Pin swift-tools-version in Package.swift for SPM projects"
+    code: |
+      # In Package.swift — change the first line to request Swift 5 tools:
+      # // swift-tools-version: 5.10
+      #
+      # Then in the workflow:
+      jobs:
+        build:
+          runs-on: macos-26
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build Swift package
+              run: swift build -c release
+  - language: yaml
+    label: "Temporarily pin to macos-15 while migrating to Swift 6"
+    code: |
+      jobs:
+        build:
+          # TODO: Migrate to Swift 6 and update to macos-26
+          # Track progress at: <link to your Swift 6 migration issue>
+          runs-on: macos-15
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build
+              run: xcodebuild build -scheme MyApp -destination 'platform=macOS'
+prevention:
+  - "Test workflows on macos-26 before relying on macos-latest switching to it"
+  - "Specify SWIFT_VERSION explicitly in Xcode project settings rather than relying on Xcode defaults"
+  - "Enable strict concurrency warnings (SWIFT_STRICT_CONCURRENCY=complete) in Swift 5 mode to preview Swift 6 errors before migrating"
+  - "Watch github.com/actions/runner-images release notes for macos-latest label changes"
+  - "Pin swift-tools-version in Package.swift to document the intended Swift compatibility level"
+docs:
+  - url: "https://developer.apple.com/documentation/swift/migrating-to-swift-6"
+    label: "Apple Developer — Migrating to Swift 6"
+  - url: "https://www.swift.org/migration/documentation/swift-6-concurrency-migration-guide/"
+    label: "Swift.org — Swift 6 Concurrency Migration Guide"
+  - url: "https://github.com/actions/runner-images/blob/main/images/macos/macos-26-Readme.md"
+    label: "runner-images — macOS 26 image README (Xcode default version)"
+  - url: "https://developer.apple.com/documentation/xcode-release-notes"
+    label: "Xcode Release Notes — Xcode 26 language defaults"

package/errors/runner-environment/runner-environment-115.yml

@@ -0,0 +1,120 @@
+id: runner-environment-115
+title: "ubuntu-22.04/24.04 OpenSSL 3 disables legacy TLS renegotiation — SSL handshake failures connecting to legacy servers"
+category: runner-environment
+severity: error
+tags:
+  - ubuntu-22.04
+  - ubuntu-24.04
+  - openssl-3
+  - tls
+  - ssl
+  - renegotiation
+  - runner-image-update
+  - networking
+patterns:
+  - regex: 'unsafe legacy renegotiation disabled'
+    flags: 'i'
+  - regex: 'SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST'
+    flags: 'i'
+  - regex: 'error:0A000179:SSL routines.*unsafe legacy renegotiation'
+    flags: 'i'
+  - regex: 'UNSAFE_LEGACY_RENEGOTIATION_DISABLED'
+    flags: 'i'
+  - regex: 'ssl.*renegotiation.*not allowed'
+    flags: 'i'
+error_messages:
+  - "error:0A000179:SSL routines::unsafe legacy renegotiation disabled"
+  - "SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST"
+  - "ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)"
+  - "OpenSSL Error: error:0A000179:SSL routines:ssl3_read_bytes:unsafe legacy renegotiation disabled"
+  - "curl: (35) OpenSSL SSL_connect: error:0A000179:SSL routines::unsafe legacy renegotiation disabled"
+  - "java.io.IOException: Error writing to server: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake"
+root_cause: |
+  Ubuntu 22.04 and 24.04 ship OpenSSL 3.0+. OpenSSL 3.0 enforces RFC 5746 (TLS Renegotiation
+  Indication Extension) by default and rejects connections to TLS servers that do not advertise
+  support for secure renegotiation in the initial ClientHello/ServerHello handshake.
+
+  Servers compiled against older OpenSSL (< 0.9.8m) or certain embedded TLS stacks do not send
+  the `renegotiation_info` extension and are therefore rejected by OpenSSL 3.0 clients with
+  `UNSAFE_LEGACY_RENEGOTIATION_DISABLED`.
+
+  This commonly surfaces when:
+  - Workflows connect to internal/staging HTTPS servers running old TLS stacks
+  - docker-compose services use self-signed certs from outdated libraries
+  - gRPC clients compiled against old OpenSSL connect to legacy gRPC servers
+  - curl/wget calls target third-party APIs that have not updated their TLS handshake
+  - Java HTTPS tests connect to embedded Jetty/Netty servers with old SSL config
+
+  The error did not occur on ubuntu-20.04 (OpenSSL 1.1.1, which allowed legacy renegotiation
+  by default). Workflows migrating from ubuntu-20.04 to 22.04/24.04 encounter it for the first
+  time.
+fix: |
+  Option 1 (recommended for CI): Append `UnsafeLegacyRenegotiation = true` to the OpenSSL
+  config file at the start of the job. This is acceptable in CI/testing contexts where you
+  control the environment; never use this in production.
+
+  Option 2: Set OPENSSL_CONF to /dev/null to bypass the OpenSSL configuration file entirely.
+  Use only for quick diagnostics or tests against known internal servers.
+
+  Option 3 (recommended long-term): Upgrade the legacy server's TLS library so it advertises
+  RFC 5746 support. For embedded test servers, upgrade the underlying HTTP/TLS library version.
+
+  Option 4: Use `curl --no-sessionid` or `curl --legacy-renegotiation` (curl 7.83+) for
+  specific curl-based steps without affecting the whole environment.
+fix_code:
+  - language: yaml
+    label: "Enable UnsafeLegacyRenegotiation in OpenSSL config for CI (workaround)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Allow legacy TLS renegotiation (CI workaround for legacy test servers)
+              run: |
+                echo "Options = UnsafeLegacyRenegotiation" | \
+                  sudo tee -a /etc/ssl/openssl.cnf
+
+            - name: Run integration tests
+              run: npm test
+  - language: yaml
+    label: "Override OPENSSL_CONF per-step (minimal blast radius)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Test against legacy HTTPS endpoint
+              env:
+                OPENSSL_CONF: /dev/null
+              run: |
+                curl -v https://legacy-test-server.internal/health
+  - language: yaml
+    label: "Set OPENSSL_CONF at job level (affects all steps)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          env:
+            OPENSSL_CONF: /dev/null
+          steps:
+            - uses: actions/checkout@v4
+            - run: npm test
+prevention:
+  - "Upgrade internal/staging test servers to modern TLS libraries that support RFC 5746"
+  - "Use `openssl s_client -connect host:443` in CI to detect legacy renegotiation issues before they block builds"
+  - "Avoid pinning to ubuntu-20.04 as a permanent workaround — it reached EOL and will be removed from runner images"
+  - "When upgrading from ubuntu-20.04 to 22.04/24.04, run a connectivity smoke-test against all HTTPS endpoints the workflow touches"
+  - "Use testcontainers or modern embedded test server libraries that ship up-to-date TLS stacks"
+docs:
+  - url: "https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html"
+    label: "OpenSSL 3.0 — SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option"
+  - url: "https://github.com/actions/runner-images/issues/6399"
+    label: "runner-images #6399 — OpenSSL 3 renegotiation issues on ubuntu-22.04"
+  - url: "https://github.com/openssl/openssl/issues/17593"
+    label: "OpenSSL #17593 — Legacy renegotiation rejection in 3.0"
+  - url: "https://www.rfc-editor.org/rfc/rfc5746"
+    label: "RFC 5746 — TLS Renegotiation Indication Extension"

package/errors/runner-environment/runner-environment-116.yml

@@ -0,0 +1,106 @@
+id: runner-environment-116
+title: "actions/setup-python with cache: pip fails when no standard requirements file exists in the repository"
+category: runner-environment
+severity: error
+tags:
+  - setup-python
+  - pip
+  - caching
+  - requirements
+  - dependency-file
+  - cache-dependency-path
+patterns:
+  - regex: 'No file found with the provided path.*requirements'
+    flags: 'i'
+  - regex: 'No dependencies file path found for pip'
+    flags: 'i'
+  - regex: 'Couldn''t find a dependency file for pip'
+    flags: 'i'
+  - regex: 'Error: No file found with the provided path'
+    flags: 'i'
+error_messages:
+  - "Error: No file found with the provided path: requirements.txt"
+  - "No dependencies file path found for pip"
+  - "Couldn't find a dependency file for pip"
+  - "Error: No file found with the provided path: **/requirements.txt"
+root_cause: |
+  When `actions/setup-python` is configured with `cache: 'pip'`, it searches the
+  repository for a standard Python dependency file to use as the cache hash key.
+  The action looks for these files by default (in order):
+
+  - `requirements.txt`
+  - `requirements/*.txt`
+  - `Pipfile.lock`
+  - `poetry.lock`
+  - `pyproject.toml` (only if it contains a `[project]` or `[tool.poetry]` section)
+  - `setup.cfg` (only if it contains `[options]` with `install_requires`)
+
+  If none of these files are present, the action fails with an error during the
+  cache configuration phase. This commonly affects repositories that:
+
+  - Use a custom requirements filename (e.g., `dev-requirements.txt`, `requirements-dev.txt`)
+  - Store requirements in a non-standard path (e.g., `ci/requirements.txt`, `tests/requirements.txt`)
+  - Use only `setup.py` for dependency declaration (not recognized by default)
+  - Generate requirements dynamically at build time
+  - Are library repos with no explicit requirements file (dependencies in `pyproject.toml`
+    but without a recognized table)
+
+  The error appears either immediately at setup time or during the post-step cache save
+  phase, depending on the setup-python version.
+fix: |
+  Provide the `cache-dependency-path` input to explicitly point to your dependency
+  file(s). This input accepts glob patterns and newline-separated paths.
+
+  If your repository has no dependency files at all (e.g., it generates them
+  dynamically), remove `cache: 'pip'` and implement pip caching manually using
+  `actions/cache@v4`, using a hash of whatever inputs determine your dependency set
+  (e.g., a Makefile, Dockerfile, or script).
+fix_code:
+  - language: yaml
+    label: "Specify non-standard requirements file path"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: ci/requirements.txt   # Non-standard path
+
+  - language: yaml
+    label: "Multiple dependency files with glob pattern"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: |
+            requirements.txt
+            requirements-dev.txt
+            tests/requirements.txt
+
+  - language: yaml
+    label: "Manual pip caching when no dependency file exists"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          # Omit cache: pip — handle caching manually
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: pip-${{ runner.os }}-${{ hashFiles('setup.py', 'Makefile') }}
+          restore-keys: |
+            pip-${{ runner.os }}-
+prevention:
+  - "Always set cache-dependency-path when your requirements file is not named requirements.txt or in the root directory"
+  - "Standard filenames recognized automatically: requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml (with [project] table), setup.cfg (with install_requires)"
+  - "If using poetry, set cache: 'poetry' instead of cache: 'pip' — it detects poetry.lock automatically"
+  - "Consider adding a requirements.txt generated from pyproject.toml or poetry.lock to your repo for compatibility with setup-python caching"
+docs:
+  - url: "https://github.com/actions/setup-python#caching-packages-dependencies"
+    label: "actions/setup-python — Caching packages documentation"
+  - url: "https://github.com/actions/setup-python/blob/main/docs/advanced-usage.md#caching-packages"
+    label: "actions/setup-python — Advanced caching usage"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows"
+    label: "GitHub Docs — Caching dependencies to speed up workflows"

package/errors/runner-environment/runner-environment-117.yml

@@ -0,0 +1,109 @@
+id: runner-environment-117
+title: "aws-actions/configure-aws-credentials@v4 requires explicit aws-region — silent failure after version bump from v1/v2"
+category: runner-environment
+severity: error
+tags:
+  - aws
+  - configure-aws-credentials
+  - aws-region
+  - oidc
+  - version-upgrade
+  - breaking-change
+patterns:
+  - regex: 'Must provide region information'
+    flags: 'i'
+  - regex: 'Input required and not supplied:\s*aws-region'
+    flags: 'i'
+  - regex: 'Region is not set|No region provided|aws.region.*not.*set'
+    flags: 'i'
+error_messages:
+  - "Must provide region information"
+  - "Input required and not supplied: aws-region"
+  - "Region is not set"
+  - "No region provided"
+root_cause: |
+  aws-actions/configure-aws-credentials@v4 (and v2+) made aws-region a required
+  input for all authentication methods. In @v1, aws-region was optional and could
+  be derived from the AWS_DEFAULT_REGION environment variable already present on
+  the runner or set in a prior step.
+
+  When Dependabot, Renovate, or a manual version bump updates configure-aws-credentials
+  from @v1 to @v4, workflows that relied on region auto-detection or inherited
+  environment variables begin failing with "Must provide region information" or
+  "Input required and not supplied: aws-region".
+
+  Additional breaking changes between v1 and v4 that affect real workflows:
+
+  1. aws-region is now required (was optional in v1 when AWS_DEFAULT_REGION was set)
+  2. mask-aws-account-id is now always true and cannot be disabled — workflows
+     logging the account ID for debugging will see '***' in all log output
+  3. OIDC token audience: v4 defaults to 'sts.amazonaws.com'; older IAM OIDC
+     trust policies configured for a different audience must be updated
+  4. Node.js runtime: updated from Node 16 to Node 20, which may cause issues
+     on very old self-hosted runners (Node 20 requires glibc 2.17+)
+  5. role-session-name auto-generation format changed — if downstream IAM policies
+     or CloudTrail queries match on session name patterns, they may stop matching
+fix: |
+  Add an explicit aws-region input to every configure-aws-credentials step.
+
+  For OIDC-based auth, also verify your IAM trust policy's Condition block is
+  compatible with the @v4 defaults (audience: sts.amazonaws.com, subject claim
+  format: repo:OWNER/REPO:ref:refs/heads/BRANCH).
+
+  Store the region in a repository or organization variable (vars.AWS_REGION)
+  to avoid hardcoding the same region string across multiple workflow files.
+fix_code:
+  - language: yaml
+    label: "configure-aws-credentials@v4 with required aws-region (OIDC)"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          permissions:
+            id-token: write   # Required for OIDC
+            contents: read
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                aws-region: us-east-1            # Required in v4 (was optional in v1)
+                role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+                role-session-name: GitHubActionsSession
+
+            - name: Deploy
+              run: aws s3 sync dist/ s3://${{ vars.S3_BUCKET }}/
+  - language: yaml
+    label: "configure-aws-credentials@v4 with static key auth"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure AWS credentials (static keys)
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                aws-region: ${{ vars.AWS_REGION }}   # Use variable, not hardcoded
+                aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+            - name: Deploy
+              run: aws s3 sync dist/ s3://${{ vars.S3_BUCKET }}/
+prevention:
+  - "Always specify aws-region explicitly in every configure-aws-credentials step — never rely on AWS_DEFAULT_REGION"
+  - "Store the AWS region in a repository variable (vars.AWS_REGION) to keep it consistent and easy to change"
+  - "When Dependabot bumps configure-aws-credentials to a new major version, review the release notes and test in a non-production environment first"
+  - "After bumping to v4, validate your IAM OIDC trust policy: the audience should be 'sts.amazonaws.com' and the subject claim format should match repo:OWNER/REPO:ref:refs/..."
+  - "Use actionlint locally to catch missing required inputs before committing workflow files"
+docs:
+  - url: "https://github.com/aws-actions/configure-aws-credentials"
+    label: "aws-actions/configure-aws-credentials — README and migration guide"
+  - url: "https://github.com/aws-actions/configure-aws-credentials/releases"
+    label: "aws-actions/configure-aws-credentials — Release notes (v4 breaking changes)"
+  - url: "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html"
+    label: "AWS Docs — Creating OpenID Connect identity providers"
+  - url: "https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services"
+    label: "GitHub Docs — Configuring OIDC in Amazon Web Services"

package/errors/silent-failures/silent-failures-056.yml

@@ -0,0 +1,105 @@
+id: silent-failures-056
+title: "'continue-on-error: true' makes a failed job report success in required status checks"
+category: silent-failures
+severity: silent-failure
+tags:
+  - continue-on-error
+  - required-status-checks
+  - branch-protection
+  - checks-api
+  - silent
+  - branch-protection-bypass
+patterns:
+  - regex: 'continue-on-error:\s*true'
+    flags: i
+error_messages:
+  - "Job succeeded (continue-on-error)"
+  - "Required status check passed (job actually failed but continue-on-error: true)"
+root_cause: |
+  When a job has continue-on-error: true set, GitHub Actions converts the job's conclusion
+  from failure to success before writing the result to the Checks API. The branch
+  protection system only sees the API-level conclusion — which is "success" — and allows
+  the pull request to merge.
+
+  The job timeline in the GitHub UI shows a yellow icon with "(Cancelled)" or similar
+  wording, but the Checks API and branch protection treat it as passed. Developers
+  relying on required status checks to enforce quality gates unknowingly lose that
+  protection for any job marked continue-on-error: true.
+
+  This is particularly dangerous on jobs that run security scans, license checks, or
+  integration tests where the team deliberately added them as required checks to block
+  broken or risky changes from merging.
+fix: |
+  Avoid using continue-on-error: true on jobs that are configured as required status
+  checks in branch protection rules. Instead, handle acceptable failure conditions
+  explicitly inside the job using if: steps.*.outcome == 'failure' logic.
+
+  If you need to always continue a workflow past a flaky or optional step but still
+  surface failures in status checks, use a separate sentinel job that:
+  1. Depends on the real job with needs:
+  2. Runs with if: always()
+  3. Fails explicitly if the upstream job failed
+
+  This pattern separates "keep the workflow running" from "record the real outcome".
+fix_code:
+  - language: yaml
+    label: "Problem: continue-on-error silently hides failures from status checks"
+    code: |
+      jobs:
+        security-scan:
+          runs-on: ubuntu-latest
+          continue-on-error: true   # DANGER: required status check will PASS even if scan fails
+          steps:
+            - name: Run security scan
+              run: ./run-scan.sh
+  - language: yaml
+    label: "Fix: use a sentinel job to preserve the real outcome"
+    code: |
+      jobs:
+        security-scan:
+          runs-on: ubuntu-latest
+          # No continue-on-error here
+          steps:
+            - name: Run security scan
+              run: ./run-scan.sh
+
+        # This is the job to set as the required status check
+        security-gate:
+          runs-on: ubuntu-latest
+          needs: [security-scan]
+          if: always()
+          steps:
+            - name: Check security scan result
+              if: needs.security-scan.result != 'success'
+              run: |
+                echo "Security scan did not pass (result: ${{ needs.security-scan.result }})"
+                exit 1
+  - language: yaml
+    label: "Alternative: handle acceptable failures inside the step, not the job"
+    code: |
+      jobs:
+        test:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Run optional extended tests
+              id: extended
+              run: ./run-extended-tests.sh
+              continue-on-error: true   # Step-level is safer than job-level
+
+            - name: Fail job if extended tests failed unexpectedly
+              if: steps.extended.outcome == 'failure'
+              run: |
+                echo "Extended tests failed — blocking merge"
+                exit 1
+prevention:
+  - "Never set continue-on-error: true at the job level for jobs that are required status checks"
+  - "Use continue-on-error: true at the step level instead — it does not affect the Checks API job conclusion"
+  - "Audit your branch protection required checks against all jobs that have continue-on-error: true"
+  - "Use the sentinel job pattern to separate workflow continuation from status reporting"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idcontinue-on-error"
+    label: "GitHub Docs: continue-on-error syntax"
+  - url: "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging"
+    label: "GitHub Docs: Required status checks before merging"
+  - url: "https://docs.github.com/en/rest/checks/runs"
+    label: "GitHub REST API: Checks runs"