@htekdev/actions-debugger 1.0.57 → 1.0.58

package/errors/caching-artifacts/caching-artifacts-040.yml

@@ -0,0 +1,112 @@
+id: caching-artifacts-040
+title: "actions/download-artifact@v4 cross-workflow download silently returns no artifacts without actions: read permission"
+category: caching-artifacts
+severity: error
+tags:
+  - download-artifact
+  - v4
+  - cross-workflow
+  - permissions
+  - actions-read
+  - run-id
+  - breaking-change
+patterns:
+  - regex: 'Unable to find any artifacts for the associated workflow'
+    flags: 'i'
+  - regex: 'No artifacts found for the associated workflow run'
+    flags: 'i'
+  - regex: 'run-id:.*\d+'
+    flags: 'i'
+  - regex: 'Resource not accessible by integration'
+    flags: 'i'
+error_messages:
+  - "Unable to find any artifacts for the associated workflow"
+  - "No artifacts found for the associated workflow run"
+  - "Resource not accessible by integration"
+  - "Error: Artifact download failed: 403 Forbidden"
+root_cause: |
+  actions/download-artifact@v4 introduced the ability to download artifacts produced
+  by a *different* workflow run (not just the current run) by specifying the `run-id`
+  input. This cross-workflow download requires the `actions: read` permission on the
+  GITHUB_TOKEN.
+
+  Workflows that do not explicitly declare `permissions: actions: read` will use the
+  default GITHUB_TOKEN permissions. In repositories where the default token permissions
+  are set to "read for all" at the org level, `actions` read may be granted by default
+  — but in repositories with restrictive default permissions or when only specific
+  permissions are declared in the workflow, `actions: read` is NOT automatically
+  included.
+
+  The misleading aspect is the error message: "Unable to find any artifacts for the
+  associated workflow" suggests the artifact does not exist, when in fact the issue is
+  a 403 permission denial. The action does not distinguish between "artifact not found"
+  and "access denied" in its error output.
+
+  This is a new permission requirement introduced in v4 that did not exist in v3
+  (which only supported downloading from the current workflow run and did not need
+  `actions` read access).
+
+  Common trigger scenario: a workflow that processes artifacts from a different trigger
+  (e.g., a deployment workflow that downloads build artifacts from a build workflow run)
+  is upgraded from download-artifact@v3 to @v4 and the `run-id` input is added — but
+  the required `permissions: actions: read` block is not added.
+fix: |
+  Add `actions: read` to the permissions block of the job or workflow that uses
+  `actions/download-artifact@v4` with a `run-id` input referencing a different workflow.
+
+  If the workflow or job already has a `permissions` block, add `actions: read` to it.
+  If there is no `permissions` block, add one with the minimum required permissions
+  including `actions: read` and `contents: read`.
+fix_code:
+  - language: yaml
+    label: "Add actions: read permission for cross-workflow artifact download"
+    code: |
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          permissions:
+            actions: read    # Required for download-artifact@v4 with run-id
+            contents: read
+          steps:
+            - name: Download build artifacts from build workflow
+              uses: actions/download-artifact@v4
+              with:
+                name: build-output
+                run-id: ${{ github.event.inputs.build_run_id }}
+                github-token: ${{ secrets.GITHUB_TOKEN }}
+  - language: yaml
+    label: "Workflow-level permissions for cross-workflow download"
+    code: |
+      on:
+        workflow_dispatch:
+          inputs:
+            build_run_id:
+              description: 'Run ID of the build workflow'
+              required: true
+              type: string
+
+      permissions:
+        actions: read
+        contents: read
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/download-artifact@v4
+              with:
+                name: dist
+                run-id: ${{ inputs.build_run_id }}
+                github-token: ${{ secrets.GITHUB_TOKEN }}
+prevention:
+  - "Whenever `run-id` is added to a download-artifact@v4 step, immediately add `actions: read` to the job permissions block"
+  - "Do not rely on default token permissions for cross-workflow operations — always declare explicit permission blocks"
+  - "Test cross-workflow downloads in a feature branch before merging — the permission error is deterministic, not flaky"
+  - "Add `github-token: ${{ secrets.GITHUB_TOKEN }}` explicitly to download-artifact@v4 steps that use run-id, as it clarifies the token in use"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/storing-workflow-data-as-artifacts#downloading-artifacts-from-a-previous-workflow-run"
+    label: "GitHub Docs — Downloading artifacts from a previous workflow run"
+  - url: "https://github.com/actions/download-artifact/releases/tag/v4.0.0"
+    label: "actions/download-artifact v4.0.0 release notes — cross-workflow download"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-scopes"
+    label: "GitHub Docs — GITHUB_TOKEN permission scopes"

package/errors/permissions-auth/permissions-auth-042.yml

@@ -0,0 +1,125 @@
+id: permissions-auth-042
+title: "actions/attest-build-provenance requires both id-token: write AND attestations: write — missing attestations permission causes 403"
+category: permissions-auth
+severity: error
+tags:
+  - attestations
+  - attest-build-provenance
+  - id-token
+  - permissions
+  - supply-chain
+  - sigstore
+  - 403
+patterns:
+  - regex: 'attestations.*write.*required|write.*attestations.*required'
+    flags: 'i'
+  - regex: 'Resource not accessible by integration.*attest'
+    flags: 'i'
+  - regex: 'Error: Failed to create attestation'
+    flags: 'i'
+  - regex: 'permissions.*attestations.*write'
+    flags: 'i'
+error_messages:
+  - "Error: Failed to create attestation: Resource not accessible by integration"
+  - "Error: Failed to create attestation: 403 Forbidden"
+  - "RequestError [HttpError]: Resource not accessible by integration"
+  - "Error: Attestation creation failed: must have `attestations: write` permission"
+root_cause: |
+  GitHub's artifact attestation feature (GA May 2024, https://github.blog/changelog/2024-05-02-github-artifact-attestations-is-generally-available/)
+  allows workflows to generate Sigstore-compatible provenance attestations for build
+  artifacts using `actions/attest-build-provenance` or `actions/attest`.
+
+  These actions require TWO permissions on the GITHUB_TOKEN:
+  1. `id-token: write` — to fetch an OIDC token from GitHub's identity provider
+     (used to sign the attestation with Sigstore)
+  2. `attestations: write` — to store the attestation in GitHub's attestation store
+     (new permission introduced with the attestation feature)
+
+  Most early documentation examples, blog posts, and quickstarts only show
+  `id-token: write`, omitting `attestations: write`. Developers following these
+  examples get a cryptic 403 "Resource not accessible by integration" error when
+  the attest step runs, with no clear indication that a second permission is missing.
+
+  The error is consistent and not environment-specific — it will fail on every run
+  until the `attestations: write` permission is added.
+
+  Additionally, organization-level policies may restrict the use of attestations.
+  If the organization has disabled artifact attestations, the 403 will occur even
+  with both permissions present — the error message does not distinguish between
+  "missing permission" and "feature disabled by org policy".
+fix: |
+  Add BOTH `id-token: write` AND `attestations: write` to the permissions block
+  of the job that runs the attest-build-provenance action.
+
+  If your workflow or job already declares a `permissions` block, add both entries
+  to it. If your workflow has no permissions block, add one with both required
+  permissions plus any other permissions your workflow needs (e.g., `contents: read`
+  for checkout).
+
+  Note: `attestations: write` is only available on github.com. GitHub Enterprise
+  Server (GHES) requires GHES 3.12+ for attestation support.
+fix_code:
+  - language: yaml
+    label: "Correct permissions for actions/attest-build-provenance"
+    code: |
+      jobs:
+        build-and-attest:
+          runs-on: ubuntu-latest
+          permissions:
+            id-token: write      # Required: OIDC token for Sigstore signing
+            attestations: write  # Required: write attestation to GitHub store
+            contents: read       # Required: checkout
+
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Build artifact
+              run: |
+                npm ci
+                npm run build
+                tar -czf dist.tar.gz dist/
+
+            - name: Generate build provenance attestation
+              uses: actions/attest-build-provenance@v2
+              with:
+                subject-path: dist.tar.gz
+  - language: yaml
+    label: "Attest multiple subjects (container image + artifact)"
+    code: |
+      jobs:
+        release:
+          runs-on: ubuntu-latest
+          permissions:
+            id-token: write
+            attestations: write
+            contents: read
+            packages: write  # If pushing to GHCR
+
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Attest binary
+              uses: actions/attest-build-provenance@v2
+              with:
+                subject-path: bin/myapp
+
+            - name: Attest container image
+              uses: actions/attest-build-provenance@v2
+              with:
+                subject-name: ghcr.io/${{ github.repository }}/myapp
+                subject-digest: ${{ steps.push.outputs.digest }}
+                push-to-registry: true
+prevention:
+  - "Always include BOTH `id-token: write` and `attestations: write` in the permissions block — neither alone is sufficient"
+  - "Copy the permissions block from the official actions/attest-build-provenance README examples, not from third-party blog posts"
+  - "Use `gh attestation verify <artifact>` locally to test that attestations were created successfully after the workflow runs"
+  - "For GHES deployments, verify the GHES version is 3.12+ before adding attestation steps to workflows"
+docs:
+  - url: "https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds"
+    label: "GitHub Docs — Using artifact attestations to establish provenance"
+  - url: "https://github.blog/changelog/2024-05-02-github-artifact-attestations-is-generally-available/"
+    label: "GitHub Changelog — Artifact attestations GA (May 2024)"
+  - url: "https://github.com/actions/attest-build-provenance"
+    label: "actions/attest-build-provenance — README and required permissions"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token"
+    label: "GitHub Docs — GITHUB_TOKEN permission scopes (attestations: write)"

package/errors/runner-environment/runner-environment-118.yml

@@ -0,0 +1,102 @@
+id: runner-environment-118
+title: "Node.js 20 actions deprecated — forced to Node.js 24 runtime starting June 16, 2026"
+category: runner-environment
+severity: warning
+tags:
+  - node-20
+  - node-24
+  - deprecation
+  - actions-runtime
+  - checkout
+  - setup-node
+  - self-hosted-runner
+patterns:
+  - regex: 'Node\.js 20 actions are deprecated'
+    flags: 'i'
+  - regex: 'forced to run with Node\.js 24 by default'
+    flags: 'i'
+  - regex: 'using:\s*node20'
+    flags: 'i'
+  - regex: 'ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION'
+    flags: 'i'
+error_messages:
+  - "Node.js 20 actions are deprecated. Actions will be forced to run with Node.js 24 by default starting June 16th, 2026."
+  - "Node.js 20 will be removed from the runner on September 16th, 2026."
+  - "Please check if updated versions of these actions are available that support Node.js 24."
+root_cause: |
+  GitHub deprecated Node.js 20 as the runtime for GitHub Actions in September 2025
+  (https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/).
+  Starting June 16, 2026, actions that declare `using: node20` are force-upgraded to
+  Node.js 24 on hosted runners. Node.js 20 will be fully removed from hosted runners
+  on September 16, 2026.
+
+  This affects two distinct scenarios:
+
+  1. First-party GitHub-maintained actions (actions/checkout@v4, actions/setup-node@v4,
+     actions/upload-artifact@v4, etc.) — GitHub is updating these actions to ship Node.js 24
+     variants. Pinning to older major versions (e.g., @v4 without updating) will trigger
+     the deprecation warning until updated versions are pinned.
+
+  2. Community and custom actions that declare `using: node20` in their action.yml —
+     these will be silently force-upgraded to Node.js 24, which may break actions that
+     rely on Node.js 20 APIs, native modules compiled for Node 20, or behavior differences
+     between Node 20 and Node 24 (e.g., stricter URL parsing, OpenSSL changes).
+
+  3. Self-hosted runners with Node.js 18/20 installed — if the runner does not have
+     Node.js 24 available and FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 is set to true, the
+     action will fail to find a suitable runtime.
+
+  The deprecation warning appears as an annotation on every workflow run that uses an
+  affected action. While currently advisory, it becomes a hard failure on September 16, 2026.
+fix: |
+  Update all first-party GitHub actions to their latest versions that ship Node.js 24
+  support. For actions/checkout, setup-node, upload-artifact, download-artifact, and
+  other official actions, check the latest release tag.
+
+  For self-hosted runners, install Node.js 24 on the runner host before June 16, 2026.
+
+  For custom or community actions you maintain, update action.yml to declare
+  `using: node24` and update package.json to target Node.js 24.
+
+  To opt in early and test Node.js 24 behavior before the forced cutover, set the
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 environment variable to `true` in your workflow
+  or at the runner level.
+fix_code:
+  - language: yaml
+    label: "Update first-party actions to Node.js 24 compatible versions"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            # Update to latest versions that support Node.js 24
+            - uses: actions/checkout@v4.2.2        # or latest v5 when available
+            - uses: actions/setup-node@v4.1.0      # or latest
+            - uses: actions/upload-artifact@v4.4.0 # or latest
+            - uses: actions/download-artifact@v4.2.0
+  - language: yaml
+    label: "Opt in early to Node.js 24 for testing"
+    code: |
+      env:
+        FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+            - name: Run build
+              run: npm ci && npm run build
+prevention:
+  - "Pin actions to specific minor versions (e.g., @v4.2.2) and use Dependabot or Renovate to auto-update them"
+  - "Add FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to workflow env to test Node.js 24 compatibility before the forced cutover"
+  - "For self-hosted runners, ensure Node.js 24 is installed and available on PATH before June 16, 2026"
+  - "Audit custom actions in your organization for `using: node20` declarations and update them to `using: node24`"
+  - "Subscribe to the GitHub Changelog (https://github.blog/changelog/) to catch runtime deprecations early"
+docs:
+  - url: "https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/"
+    label: "GitHub Changelog — Deprecation of Node.js 20 on GitHub Actions runners (Sept 2025)"
+  - url: "https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runsusing"
+    label: "GitHub Docs — Action metadata syntax: runs.using"
+  - url: "https://nodejs.org/en/about/previous-releases"
+    label: "Node.js release schedule — LTS lifecycle"

package/errors/silent-failures/silent-failures-059.yml

@@ -0,0 +1,104 @@
+id: silent-failures-059
+title: "ubuntu-latest label changed to ubuntu-24.04 — workflows silently regress without any code change"
+category: silent-failures
+severity: silent-failure
+tags:
+  - ubuntu-latest
+  - ubuntu-24.04
+  - runner-label
+  - breaking-change
+  - silent-regression
+  - changelog
+patterns:
+  - regex: 'runs-on:\s*ubuntu-latest'
+    flags: 'i'
+  - regex: 'GITHUB_ENV.*ubuntu-24\.04'
+    flags: 'i'
+  - regex: 'ImageVersion.*24\.04'
+    flags: 'i'
+error_messages:
+  - "ubuntu-latest now points to ubuntu-24.04"
+  - "ImageVersion: 24.04"
+  - "DISTRIB_CODENAME=noble"
+root_cause: |
+  GitHub periodically updates the `ubuntu-latest` runner label to point to a newer
+  Ubuntu LTS release. When GitHub updated `ubuntu-latest` from ubuntu-22.04 to
+  ubuntu-24.04, workflows using `runs-on: ubuntu-latest` silently started running on
+  a different operating system with no error, no annotation, and no workflow file change.
+
+  This is a silent failure because:
+  - The workflow YAML file is unchanged
+  - GitHub Actions does not emit any warning when the label target changes
+  - Workflow run logs show "ubuntu-24.04" only in the runner image annotation, which
+    many developers don't actively monitor
+  - All jobs complete with exit code 0 even though the software environment changed
+
+  Ubuntu 24.04 (Noble) introduced multiple breaking changes relative to 22.04 (Jammy):
+  - Python 3.12 as default (removes distutils, changes pip behavior)
+  - OpenSSL 3.3 with stricter TLS renegotiation defaults
+  - nftables replaces iptables (breaks Docker networking setups using iptables rules)
+  - python3-distutils apt package removed
+  - python alias may not resolve to python3 in all contexts
+  - libssl1.1 removed (only libssl3 available)
+  - Various default package versions changed (gcc, make, cmake)
+
+  Any workflow that relied on implicit ubuntu-22.04 behavior while pinning only
+  `ubuntu-latest` is at risk of silent behavioral changes, test flakiness, or
+  hard build failures that appear unrelated to any code change.
+fix: |
+  Pin the runner to an explicit Ubuntu version to opt out of automatic label
+  updates. Use `runs-on: ubuntu-22.04` if you need the previous behavior, or
+  explicitly migrate to `runs-on: ubuntu-24.04` and verify all workflow steps
+  work correctly.
+
+  To identify which runner version you are actually running, add a diagnostic step:
+
+  ```bash
+  echo "Runner: $RUNNER_OS $ImageVersion"
+  lsb_release -a
+  ```
+
+  Review each ubuntu-24.04 breaking change that applies to your workflow and
+  address them before pinning to ubuntu-24.04. See the related runner-environment
+  entries for specific package and API breakages.
+fix_code:
+  - language: yaml
+    label: "Pin to explicit Ubuntu version instead of ubuntu-latest"
+    code: |
+      jobs:
+        build:
+          # Pin explicitly instead of ubuntu-latest to avoid silent label updates
+          runs-on: ubuntu-22.04   # or ubuntu-24.04 after testing
+
+          # To migrate to 24.04, test explicitly first:
+          # runs-on: ubuntu-24.04
+          steps:
+            - uses: actions/checkout@v4
+            - name: Show runner info
+              run: lsb_release -a && python3 --version
+  - language: yaml
+    label: "Matrix strategy to test across Ubuntu versions before committing"
+    code: |
+      jobs:
+        test:
+          strategy:
+            matrix:
+              os: [ubuntu-22.04, ubuntu-24.04]
+          runs-on: ${{ matrix.os }}
+          steps:
+            - uses: actions/checkout@v4
+            - name: Run tests
+              run: npm test
+prevention:
+  - "Never use `ubuntu-latest` in production workflows — pin to an explicit version (ubuntu-22.04, ubuntu-24.04)"
+  - "Subscribe to GitHub Changelog announcements for runner label change notices before they go live"
+  - "Add a matrix build that tests both current and next Ubuntu LTS versions as part of ongoing CI"
+  - "Include a step that prints `lsb_release -a` to make runner version visible in logs without digging into annotations"
+  - "When migrating to a new Ubuntu version, run `apt-cache policy <package>` to verify package availability before deploying"
+docs:
+  - url: "https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources"
+    label: "GitHub Docs — Supported runners (ubuntu-latest current target)"
+  - url: "https://github.blog/changelog/2025-01-16-github-actions-all-actions-on-ubuntu-latest-will-now-be-run-on-ubuntu-24-04/"
+    label: "GitHub Changelog — ubuntu-latest updated to ubuntu-24.04"
+  - url: "https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md"
+    label: "runner-images — Ubuntu 24.04 pre-installed software list"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.57",
+  "version": "1.0.58",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",