@htekdev/actions-debugger 1.0.56 → 1.0.58

package/errors/runner-environment/runner-environment-114.yml

@@ -0,0 +1,130 @@
+id: runner-environment-114
+title: "macOS-26 / Xcode 26 defaults to Swift 6 strict concurrency — existing Swift builds fail with actor isolation errors"
+category: runner-environment
+severity: error
+tags:
+  - macos-26
+  - xcode-26
+  - swift-6
+  - concurrency
+  - actor-isolation
+  - runner-image-update
+  - breaking-change
+patterns:
+  - regex: "error: sending '.*' to actor-isolated"
+    flags: 'i'
+  - regex: 'actor-isolated.*cannot.*referenced from.*non-isolated'
+    flags: 'i'
+  - regex: "error: '.*' cannot be used to satisfy the '@Sendable' requirement"
+    flags: 'i'
+  - regex: 'error:.*Sendable.*cannot conform.*in Swift 6'
+    flags: 'i'
+  - regex: 'main actor-isolated.*cannot be referenced from.*nonisolated'
+    flags: 'i'
+error_messages:
+  - "error: sending 'self' to actor-isolated initializer 'init()' risks causing data races"
+  - "error: actor-isolated property 'delegate' can not be referenced from a non-isolated context"
+  - "error: main actor-isolated class method 'viewDidLoad()' cannot be referenced from a nonisolated context"
+  - "error: 'Sendable'-conforming class 'MyViewController' cannot inherit from another class other than 'NSObject'"
+  - "error: expression is 'async' but is not marked with 'await'"
+root_cause: |
+  Xcode 26 (shipped with the macos-26 runner) defaults to Swift 6 language mode. Previous
+  Xcode versions (14, 15, 16) compiled in Swift 5 compatibility mode by default, which did not
+  enforce strict data-race safety checking.
+
+  Swift 6 enforces complete concurrency checking at compile time:
+  - All values shared across actor boundaries must conform to `Sendable`
+  - Calls to `@MainActor`-isolated methods from non-isolated contexts must be `await`-ed
+  - Closures passed to async contexts must be `@Sendable`
+  - Class hierarchies that cross actor boundaries require explicit `Sendable` conformance
+
+  Code that compiled and ran correctly under Swift 5 may produce dozens of compiler errors in
+  Swift 6, even if it had no actual concurrency bugs. The errors are not warnings — they are
+  hard build failures.
+
+  The macos-26 runner ships Xcode 26 as the default Xcode. Any workflow running `xcodebuild`
+  or `swift build` without an explicit Swift language version flag will pick up Swift 6.
+fix: |
+  Short-term: Pin to Swift 5 compatibility mode in your build command or project settings.
+
+  Option A — xcodebuild flag:
+    xcodebuild build -scheme MyScheme SWIFT_VERSION=5
+
+  Option B — Xcode build settings (xcconfig or project settings):
+    SWIFT_VERSION = 5
+
+  Option C — Package.swift swift-tools-version (for Swift Package Manager projects):
+    Change the first line to: // swift-tools-version: 5.10
+    This sets the package manifest version and implicitly enables Swift 5 mode for dependencies.
+
+  Option D — Per-target in Package.swift:
+    .target(name: "MyTarget", swiftSettings: [.unsafeFlags(["-swift-version", "5"])])
+
+  Long-term: Migrate your codebase to Swift 6 concurrency model by resolving actor isolation
+  errors. Apple provides a migration guide at developer.apple.com/documentation/swift/migrating-to-swift-6.
+fix_code:
+  - language: yaml
+    label: "Pin SWIFT_VERSION=5 in xcodebuild to restore Swift 5 compatibility on macos-26"
+    code: |
+      jobs:
+        build:
+          runs-on: macos-26
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build (Swift 5 compatibility mode)
+              run: |
+                xcodebuild build \
+                  -scheme MyApp \
+                  -destination 'platform=macOS' \
+                  SWIFT_VERSION=5
+
+            - name: Test (Swift 5 compatibility mode)
+              run: |
+                xcodebuild test \
+                  -scheme MyApp \
+                  -destination 'platform=macOS' \
+                  SWIFT_VERSION=5
+  - language: yaml
+    label: "Pin swift-tools-version in Package.swift for SPM projects"
+    code: |
+      # In Package.swift — change the first line to request Swift 5 tools:
+      # // swift-tools-version: 5.10
+      #
+      # Then in the workflow:
+      jobs:
+        build:
+          runs-on: macos-26
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build Swift package
+              run: swift build -c release
+  - language: yaml
+    label: "Temporarily pin to macos-15 while migrating to Swift 6"
+    code: |
+      jobs:
+        build:
+          # TODO: Migrate to Swift 6 and update to macos-26
+          # Track progress at: <link to your Swift 6 migration issue>
+          runs-on: macos-15
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build
+              run: xcodebuild build -scheme MyApp -destination 'platform=macOS'
+prevention:
+  - "Test workflows on macos-26 before relying on macos-latest switching to it"
+  - "Specify SWIFT_VERSION explicitly in Xcode project settings rather than relying on Xcode defaults"
+  - "Enable strict concurrency warnings (SWIFT_STRICT_CONCURRENCY=complete) in Swift 5 mode to preview Swift 6 errors before migrating"
+  - "Watch github.com/actions/runner-images release notes for macos-latest label changes"
+  - "Pin swift-tools-version in Package.swift to document the intended Swift compatibility level"
+docs:
+  - url: "https://developer.apple.com/documentation/swift/migrating-to-swift-6"
+    label: "Apple Developer — Migrating to Swift 6"
+  - url: "https://www.swift.org/migration/documentation/swift-6-concurrency-migration-guide/"
+    label: "Swift.org — Swift 6 Concurrency Migration Guide"
+  - url: "https://github.com/actions/runner-images/blob/main/images/macos/macos-26-Readme.md"
+    label: "runner-images — macOS 26 image README (Xcode default version)"
+  - url: "https://developer.apple.com/documentation/xcode-release-notes"
+    label: "Xcode Release Notes — Xcode 26 language defaults"

package/errors/runner-environment/runner-environment-115.yml

@@ -0,0 +1,120 @@
+id: runner-environment-115
+title: "ubuntu-22.04/24.04 OpenSSL 3 disables legacy TLS renegotiation — SSL handshake failures connecting to legacy servers"
+category: runner-environment
+severity: error
+tags:
+  - ubuntu-22.04
+  - ubuntu-24.04
+  - openssl-3
+  - tls
+  - ssl
+  - renegotiation
+  - runner-image-update
+  - networking
+patterns:
+  - regex: 'unsafe legacy renegotiation disabled'
+    flags: 'i'
+  - regex: 'SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST'
+    flags: 'i'
+  - regex: 'error:0A000179:SSL routines.*unsafe legacy renegotiation'
+    flags: 'i'
+  - regex: 'UNSAFE_LEGACY_RENEGOTIATION_DISABLED'
+    flags: 'i'
+  - regex: 'ssl.*renegotiation.*not allowed'
+    flags: 'i'
+error_messages:
+  - "error:0A000179:SSL routines::unsafe legacy renegotiation disabled"
+  - "SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST"
+  - "ssl.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:997)"
+  - "OpenSSL Error: error:0A000179:SSL routines:ssl3_read_bytes:unsafe legacy renegotiation disabled"
+  - "curl: (35) OpenSSL SSL_connect: error:0A000179:SSL routines::unsafe legacy renegotiation disabled"
+  - "java.io.IOException: Error writing to server: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake"
+root_cause: |
+  Ubuntu 22.04 and 24.04 ship OpenSSL 3.0+. OpenSSL 3.0 enforces RFC 5746 (TLS Renegotiation
+  Indication Extension) by default and rejects connections to TLS servers that do not advertise
+  support for secure renegotiation in the initial ClientHello/ServerHello handshake.
+
+  Servers compiled against older OpenSSL (< 0.9.8m) or certain embedded TLS stacks do not send
+  the `renegotiation_info` extension and are therefore rejected by OpenSSL 3.0 clients with
+  `UNSAFE_LEGACY_RENEGOTIATION_DISABLED`.
+
+  This commonly surfaces when:
+  - Workflows connect to internal/staging HTTPS servers running old TLS stacks
+  - docker-compose services use self-signed certs from outdated libraries
+  - gRPC clients compiled against old OpenSSL connect to legacy gRPC servers
+  - curl/wget calls target third-party APIs that have not updated their TLS handshake
+  - Java HTTPS tests connect to embedded Jetty/Netty servers with old SSL config
+
+  The error did not occur on ubuntu-20.04 (OpenSSL 1.1.1, which allowed legacy renegotiation
+  by default). Workflows migrating from ubuntu-20.04 to 22.04/24.04 encounter it for the first
+  time.
+fix: |
+  Option 1 (recommended for CI): Append `UnsafeLegacyRenegotiation = true` to the OpenSSL
+  config file at the start of the job. This is acceptable in CI/testing contexts where you
+  control the environment; never use this in production.
+
+  Option 2: Set OPENSSL_CONF to /dev/null to bypass the OpenSSL configuration file entirely.
+  Use only for quick diagnostics or tests against known internal servers.
+
+  Option 3 (recommended long-term): Upgrade the legacy server's TLS library so it advertises
+  RFC 5746 support. For embedded test servers, upgrade the underlying HTTP/TLS library version.
+
+  Option 4: Use `curl --no-sessionid` or `curl --legacy-renegotiation` (curl 7.83+) for
+  specific curl-based steps without affecting the whole environment.
+fix_code:
+  - language: yaml
+    label: "Enable UnsafeLegacyRenegotiation in OpenSSL config for CI (workaround)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Allow legacy TLS renegotiation (CI workaround for legacy test servers)
+              run: |
+                echo "Options = UnsafeLegacyRenegotiation" | \
+                  sudo tee -a /etc/ssl/openssl.cnf
+
+            - name: Run integration tests
+              run: npm test
+  - language: yaml
+    label: "Override OPENSSL_CONF per-step (minimal blast radius)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Test against legacy HTTPS endpoint
+              env:
+                OPENSSL_CONF: /dev/null
+              run: |
+                curl -v https://legacy-test-server.internal/health
+  - language: yaml
+    label: "Set OPENSSL_CONF at job level (affects all steps)"
+    code: |
+      jobs:
+        integration-test:
+          runs-on: ubuntu-24.04
+          env:
+            OPENSSL_CONF: /dev/null
+          steps:
+            - uses: actions/checkout@v4
+            - run: npm test
+prevention:
+  - "Upgrade internal/staging test servers to modern TLS libraries that support RFC 5746"
+  - "Use `openssl s_client -connect host:443` in CI to detect legacy renegotiation issues before they block builds"
+  - "Avoid pinning to ubuntu-20.04 as a permanent workaround — it reached EOL and will be removed from runner images"
+  - "When upgrading from ubuntu-20.04 to 22.04/24.04, run a connectivity smoke-test against all HTTPS endpoints the workflow touches"
+  - "Use testcontainers or modern embedded test server libraries that ship up-to-date TLS stacks"
+docs:
+  - url: "https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html"
+    label: "OpenSSL 3.0 — SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION option"
+  - url: "https://github.com/actions/runner-images/issues/6399"
+    label: "runner-images #6399 — OpenSSL 3 renegotiation issues on ubuntu-22.04"
+  - url: "https://github.com/openssl/openssl/issues/17593"
+    label: "OpenSSL #17593 — Legacy renegotiation rejection in 3.0"
+  - url: "https://www.rfc-editor.org/rfc/rfc5746"
+    label: "RFC 5746 — TLS Renegotiation Indication Extension"

package/errors/runner-environment/runner-environment-116.yml

@@ -0,0 +1,106 @@
+id: runner-environment-116
+title: "actions/setup-python with cache: pip fails when no standard requirements file exists in the repository"
+category: runner-environment
+severity: error
+tags:
+  - setup-python
+  - pip
+  - caching
+  - requirements
+  - dependency-file
+  - cache-dependency-path
+patterns:
+  - regex: 'No file found with the provided path.*requirements'
+    flags: 'i'
+  - regex: 'No dependencies file path found for pip'
+    flags: 'i'
+  - regex: 'Couldn''t find a dependency file for pip'
+    flags: 'i'
+  - regex: 'Error: No file found with the provided path'
+    flags: 'i'
+error_messages:
+  - "Error: No file found with the provided path: requirements.txt"
+  - "No dependencies file path found for pip"
+  - "Couldn't find a dependency file for pip"
+  - "Error: No file found with the provided path: **/requirements.txt"
+root_cause: |
+  When `actions/setup-python` is configured with `cache: 'pip'`, it searches the
+  repository for a standard Python dependency file to use as the cache hash key.
+  The action looks for these files by default (in order):
+
+  - `requirements.txt`
+  - `requirements/*.txt`
+  - `Pipfile.lock`
+  - `poetry.lock`
+  - `pyproject.toml` (only if it contains a `[project]` or `[tool.poetry]` section)
+  - `setup.cfg` (only if it contains `[options]` with `install_requires`)
+
+  If none of these files are present, the action fails with an error during the
+  cache configuration phase. This commonly affects repositories that:
+
+  - Use a custom requirements filename (e.g., `dev-requirements.txt`, `requirements-dev.txt`)
+  - Store requirements in a non-standard path (e.g., `ci/requirements.txt`, `tests/requirements.txt`)
+  - Use only `setup.py` for dependency declaration (not recognized by default)
+  - Generate requirements dynamically at build time
+  - Are library repos with no explicit requirements file (dependencies in `pyproject.toml`
+    but without a recognized table)
+
+  The error appears either immediately at setup time or during the post-step cache save
+  phase, depending on the setup-python version.
+fix: |
+  Provide the `cache-dependency-path` input to explicitly point to your dependency
+  file(s). This input accepts glob patterns and newline-separated paths.
+
+  If your repository has no dependency files at all (e.g., it generates them
+  dynamically), remove `cache: 'pip'` and implement pip caching manually using
+  `actions/cache@v4`, using a hash of whatever inputs determine your dependency set
+  (e.g., a Makefile, Dockerfile, or script).
+fix_code:
+  - language: yaml
+    label: "Specify non-standard requirements file path"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: ci/requirements.txt   # Non-standard path
+
+  - language: yaml
+    label: "Multiple dependency files with glob pattern"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+          cache-dependency-path: |
+            requirements.txt
+            requirements-dev.txt
+            tests/requirements.txt
+
+  - language: yaml
+    label: "Manual pip caching when no dependency file exists"
+    code: |
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          # Omit cache: pip — handle caching manually
+
+      - name: Cache pip packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: pip-${{ runner.os }}-${{ hashFiles('setup.py', 'Makefile') }}
+          restore-keys: |
+            pip-${{ runner.os }}-
+prevention:
+  - "Always set cache-dependency-path when your requirements file is not named requirements.txt or in the root directory"
+  - "Standard filenames recognized automatically: requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml (with [project] table), setup.cfg (with install_requires)"
+  - "If using poetry, set cache: 'poetry' instead of cache: 'pip' — it detects poetry.lock automatically"
+  - "Consider adding a requirements.txt generated from pyproject.toml or poetry.lock to your repo for compatibility with setup-python caching"
+docs:
+  - url: "https://github.com/actions/setup-python#caching-packages-dependencies"
+    label: "actions/setup-python — Caching packages documentation"
+  - url: "https://github.com/actions/setup-python/blob/main/docs/advanced-usage.md#caching-packages"
+    label: "actions/setup-python — Advanced caching usage"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows"
+    label: "GitHub Docs — Caching dependencies to speed up workflows"

package/errors/runner-environment/runner-environment-117.yml

@@ -0,0 +1,109 @@
+id: runner-environment-117
+title: "aws-actions/configure-aws-credentials@v4 requires explicit aws-region — silent failure after version bump from v1/v2"
+category: runner-environment
+severity: error
+tags:
+  - aws
+  - configure-aws-credentials
+  - aws-region
+  - oidc
+  - version-upgrade
+  - breaking-change
+patterns:
+  - regex: 'Must provide region information'
+    flags: 'i'
+  - regex: 'Input required and not supplied:\s*aws-region'
+    flags: 'i'
+  - regex: 'Region is not set|No region provided|aws.region.*not.*set'
+    flags: 'i'
+error_messages:
+  - "Must provide region information"
+  - "Input required and not supplied: aws-region"
+  - "Region is not set"
+  - "No region provided"
+root_cause: |
+  aws-actions/configure-aws-credentials@v4 (and v2+) made aws-region a required
+  input for all authentication methods. In @v1, aws-region was optional and could
+  be derived from the AWS_DEFAULT_REGION environment variable already present on
+  the runner or set in a prior step.
+
+  When Dependabot, Renovate, or a manual version bump updates configure-aws-credentials
+  from @v1 to @v4, workflows that relied on region auto-detection or inherited
+  environment variables begin failing with "Must provide region information" or
+  "Input required and not supplied: aws-region".
+
+  Additional breaking changes between v1 and v4 that affect real workflows:
+
+  1. aws-region is now required (was optional in v1 when AWS_DEFAULT_REGION was set)
+  2. mask-aws-account-id is now always true and cannot be disabled — workflows
+     logging the account ID for debugging will see '***' in all log output
+  3. OIDC token audience: v4 defaults to 'sts.amazonaws.com'; older IAM OIDC
+     trust policies configured for a different audience must be updated
+  4. Node.js runtime: updated from Node 16 to Node 20, which may cause issues
+     on very old self-hosted runners (Node 20 requires glibc 2.17+)
+  5. role-session-name auto-generation format changed — if downstream IAM policies
+     or CloudTrail queries match on session name patterns, they may stop matching
+fix: |
+  Add an explicit aws-region input to every configure-aws-credentials step.
+
+  For OIDC-based auth, also verify your IAM trust policy's Condition block is
+  compatible with the @v4 defaults (audience: sts.amazonaws.com, subject claim
+  format: repo:OWNER/REPO:ref:refs/heads/BRANCH).
+
+  Store the region in a repository or organization variable (vars.AWS_REGION)
+  to avoid hardcoding the same region string across multiple workflow files.
+fix_code:
+  - language: yaml
+    label: "configure-aws-credentials@v4 with required aws-region (OIDC)"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          permissions:
+            id-token: write   # Required for OIDC
+            contents: read
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                aws-region: us-east-1            # Required in v4 (was optional in v1)
+                role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+                role-session-name: GitHubActionsSession
+
+            - name: Deploy
+              run: aws s3 sync dist/ s3://${{ vars.S3_BUCKET }}/
+  - language: yaml
+    label: "configure-aws-credentials@v4 with static key auth"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Configure AWS credentials (static keys)
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                aws-region: ${{ vars.AWS_REGION }}   # Use variable, not hardcoded
+                aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+            - name: Deploy
+              run: aws s3 sync dist/ s3://${{ vars.S3_BUCKET }}/
+prevention:
+  - "Always specify aws-region explicitly in every configure-aws-credentials step — never rely on AWS_DEFAULT_REGION"
+  - "Store the AWS region in a repository variable (vars.AWS_REGION) to keep it consistent and easy to change"
+  - "When Dependabot bumps configure-aws-credentials to a new major version, review the release notes and test in a non-production environment first"
+  - "After bumping to v4, validate your IAM OIDC trust policy: the audience should be 'sts.amazonaws.com' and the subject claim format should match repo:OWNER/REPO:ref:refs/..."
+  - "Use actionlint locally to catch missing required inputs before committing workflow files"
+docs:
+  - url: "https://github.com/aws-actions/configure-aws-credentials"
+    label: "aws-actions/configure-aws-credentials — README and migration guide"
+  - url: "https://github.com/aws-actions/configure-aws-credentials/releases"
+    label: "aws-actions/configure-aws-credentials — Release notes (v4 breaking changes)"
+  - url: "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html"
+    label: "AWS Docs — Creating OpenID Connect identity providers"
+  - url: "https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services"
+    label: "GitHub Docs — Configuring OIDC in Amazon Web Services"

package/errors/runner-environment/runner-environment-118.yml

@@ -0,0 +1,102 @@
+id: runner-environment-118
+title: "Node.js 20 actions deprecated — forced to Node.js 24 runtime starting June 16, 2026"
+category: runner-environment
+severity: warning
+tags:
+  - node-20
+  - node-24
+  - deprecation
+  - actions-runtime
+  - checkout
+  - setup-node
+  - self-hosted-runner
+patterns:
+  - regex: 'Node\.js 20 actions are deprecated'
+    flags: 'i'
+  - regex: 'forced to run with Node\.js 24 by default'
+    flags: 'i'
+  - regex: 'using:\s*node20'
+    flags: 'i'
+  - regex: 'ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION'
+    flags: 'i'
+error_messages:
+  - "Node.js 20 actions are deprecated. Actions will be forced to run with Node.js 24 by default starting June 16th, 2026."
+  - "Node.js 20 will be removed from the runner on September 16th, 2026."
+  - "Please check if updated versions of these actions are available that support Node.js 24."
+root_cause: |
+  GitHub deprecated Node.js 20 as the runtime for GitHub Actions in September 2025
+  (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/).
+  Starting June 16, 2026, actions that declare `using: node20` are force-upgraded to
+  Node.js 24 on hosted runners. Node.js 20 will be fully removed from hosted runners
+  on September 16, 2026.
+
+  This affects two distinct scenarios:
+
+  1. First-party GitHub-maintained actions (actions/checkout@v4, actions/setup-node@v4,
+     actions/upload-artifact@v4, etc.) — GitHub is updating these actions to ship Node.js 24
+     variants. Pinning to older major versions (e.g., @v4 without updating) will trigger
+     the deprecation warning until updated versions are pinned.
+
+  2. Community and custom actions that declare `using: node20` in their action.yml —
+     these will be silently force-upgraded to Node.js 24, which may break actions that
+     rely on Node.js 20 APIs, native modules compiled for Node 20, or behavior differences
+     between Node 20 and Node 24 (e.g., stricter URL parsing, OpenSSL changes).
+
+  3. Self-hosted runners with Node.js 18/20 installed — if the runner does not have
+     Node.js 24 available and FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 is set to true, the
+     action will fail to find a suitable runtime.
+
+  The deprecation warning appears as an annotation on every workflow run that uses an
+  affected action. While currently advisory, it becomes a hard failure on September 16, 2026.
+fix: |
+  Update all first-party GitHub actions to their latest versions that ship Node.js 24
+  support. For actions/checkout, setup-node, upload-artifact, download-artifact, and
+  other official actions, check the latest release tag.
+
+  For self-hosted runners, install Node.js 24 on the runner host before June 16, 2026.
+
+  For custom or community actions you maintain, update action.yml to declare
+  `using: node24` and update package.json to target Node.js 24.
+
+  To opt in early and test Node.js 24 behavior before the forced cutover, set the
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 environment variable to `true` in your workflow
+  or at the runner level.
+fix_code:
+  - language: yaml
+    label: "Update first-party actions to Node.js 24 compatible versions"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            # Update to latest versions that support Node.js 24
+            - uses: actions/checkout@v4.2.2        # or latest v5 when available
+            - uses: actions/setup-node@v4.1.0      # or latest
+            - uses: actions/upload-artifact@v4.4.0 # or latest
+            - uses: actions/download-artifact@v4.2.0
+  - language: yaml
+    label: "Opt in early to Node.js 24 for testing"
+    code: |
+      env:
+        FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+            - name: Run build
+              run: npm ci && npm run build
+prevention:
+  - "Pin actions to specific minor versions (e.g., @v4.2.2) and use Dependabot or Renovate to auto-update them"
+  - "Add FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to workflow env to test Node.js 24 compatibility before the forced cutover"
+  - "For self-hosted runners, ensure Node.js 24 is installed and available on PATH before June 16, 2026"
+  - "Audit custom actions in your organization for `using: node20` declarations and update them to `using: node24`"
+  - "Subscribe to the GitHub Changelog (https://github.blog/changelog/) to catch runtime deprecations early"
+docs:
+  - url: "https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/"
+    label: "GitHub Changelog — Deprecation of Node.js 20 on GitHub Actions runners (Sept 2025)"
+  - url: "https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runsusing"
+    label: "GitHub Docs — Action metadata syntax: runs.using"
+  - url: "https://nodejs.org/en/about/previous-releases"
+    label: "Node.js release schedule — LTS lifecycle"