@htekdev/actions-debugger 1.0.61 → 1.0.62

package/errors/permissions-auth/permissions-auth-044.yml

@@ -0,0 +1,82 @@
+id: permissions-auth-044
+title: "OIDC token sub claim format changes inside reusable workflow jobs, breaking cloud provider trust policies"
+category: permissions-auth
+severity: error
+tags:
+  - oidc
+  - reusable-workflow
+  - aws
+  - gcp
+  - trust-policy
+  - sub-claim
+  - job-workflow-ref
+patterns:
+  - regex: 'Not authorized to perform sts:AssumeRoleWithWebIdentity'
+    flags: i
+  - regex: 'failed to generate Google Cloud federated token'
+    flags: i
+  - regex: 'Credentials could not be loaded.*Could not load credentials from any providers'
+    flags: i
+error_messages:
+  - "An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity"
+  - "Error: google-github-actions/auth failed to generate Google Cloud federated token for..."
+  - "Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers"
+root_cause: |
+  When a job runs inside a reusable workflow (called via uses:), GitHub changes the format of
+  the OIDC token sub claim to include the calling workflow's path. For a direct job the sub is:
+    repo:ORG/REPO:ref:refs/heads/main
+  For a job inside a reusable workflow the sub becomes:
+    repo:ORG/REPO:job_workflow_ref:ORG/REPO/.github/workflows/reusable.yml@refs/heads/main
+  AWS IAM OIDC trust policies and GCP Workload Identity Federation attribute conditions that
+  were configured to match the simpler ref-based sub format now reject the OIDC token with an
+  AccessDenied error. The error message gives no indication that the sub claim format changed —
+  it looks identical to any other OIDC trust policy mismatch.
+fix: |
+  Update the cloud provider's OIDC trust policy to match the new sub claim format used by
+  reusable workflow jobs. For AWS, update the IAM trust policy StringLike condition to match
+  job_workflow_ref instead of ref. For GCP, update the attribute condition in the Workload
+  Identity Pool provider. Alternatively, use GitHub's OIDC subject claim customization feature
+  (repo Settings → Actions → General → OIDC subject claims) to define a consistent sub claim
+  template that works for both caller and reusable workflow jobs.
+fix_code:
+  - language: yaml
+    label: "Reusable workflow with id-token permission declared (required)"
+    code: |
+      # In the reusable workflow file (.github/workflows/reusable.yml):
+      on:
+        workflow_call:
+
+      permissions:
+        id-token: write
+        contents: read
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Configure AWS credentials
+              uses: aws-actions/configure-aws-credentials@v4
+              with:
+                role-to-assume: arn:aws:iam::123456789:role/my-role
+                aws-region: us-east-1
+  - language: yaml
+    label: "AWS IAM trust policy StringLike condition for reusable workflow sub claim"
+    code: |
+      # Update AWS IAM role trust policy Condition block to match reusable workflow sub format.
+      # Old (direct job):   "repo:ORG/REPO:ref:refs/heads/main"
+      # New (reusable job): "repo:ORG/REPO:job_workflow_ref:ORG/REPO/.github/workflows/reusable.yml@refs/heads/main"
+      #
+      # Use a wildcard to allow both patterns:
+      # "token.actions.githubusercontent.com:sub": "StringLike": ["repo:ORG/REPO:*"]
+prevention:
+  - "When refactoring direct jobs into reusable workflows, update cloud OIDC trust policies before deploying"
+  - "Use GitHub subject claim customization to define a consistent sub format that works across direct and reusable jobs"
+  - "Document the expected OIDC sub claim format in the reusable workflow README alongside cloud policy requirements"
+  - "Test OIDC authentication in a staging cloud environment when moving jobs into reusable workflows"
+docs:
+  - url: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/using-openid-connect-with-reusable-workflows
+    label: "GitHub Docs: Using OIDC with reusable workflows"
+  - url: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-subject-claims-for-an-organization-or-repository
+    label: "GitHub Docs: Customizing OIDC subject claims"
+  - url: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
+    label: "AWS Docs: Creating IAM OIDC identity providers"

package/errors/runner-environment/runner-environment-123.yml

@@ -0,0 +1,61 @@
+id: runner-environment-123
+title: "actions/checkout@v6 breaks Docker container actions that use git authentication"
+category: runner-environment
+severity: error
+tags:
+  - checkout
+  - v6
+  - docker
+  - container-action
+  - git-auth
+  - breaking-change
+patterns:
+  - regex: 'fatal: could not read Username for.*No such device or address'
+    flags: i
+  - regex: 'fatal: Authentication failed for.*github\.com'
+    flags: i
+  - regex: 'fatal: credential helper.*is not executable'
+    flags: i
+error_messages:
+  - "fatal: could not read Username for 'https://github.com/': No such device or address"
+  - "fatal: Authentication failed for 'https://github.com/org/repo.git/'"
+  - "Error: The process '/usr/bin/git' failed with exit code 128"
+root_cause: |
+  actions/checkout@v6 changed credential storage: credentials are now written to the runner's
+  native credential manager rather than the global gitconfig file. Docker container actions run
+  in isolated containers without access to the runner host's credential store, so any git
+  operations inside a Docker-based action or container: job that require authentication fail.
+  This is a breaking change from v5, where credentials were written to gitconfig and could be
+  inherited by Docker containers. The v6 runner PR #4011 introduced this mechanism and Docker
+  container action support is gated behind a feature flag not yet enabled for all runners.
+fix: |
+  Pin to actions/checkout@v5 for workflows that rely on Docker container actions making
+  authenticated git calls. Monitor the actions/checkout issue tracker for v6 Docker container
+  action support. Alternatively, pass the GITHUB_TOKEN as an environment variable to the Docker
+  action and configure credentials inside the container's own entrypoint script.
+fix_code:
+  - language: yaml
+    label: "Pin to actions/checkout@v5 for Docker container action compatibility"
+    code: |
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+  - language: yaml
+    label: "Pass token as env var to Docker action for container-side credential setup"
+    code: |
+      - name: Run Docker-based action with explicit token
+        uses: org/my-docker-action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+prevention:
+  - "Pin actions/checkout to a tested major version and review release notes before upgrading to a new major"
+  - "Audit workflows for Docker container actions that perform authenticated repository operations before upgrading checkout"
+  - "Test Docker-based custom actions in CI against the new checkout version before rolling out"
+docs:
+  - url: https://github.com/actions/checkout/issues/2313
+    label: "actions/checkout#2313: v6 breaks Docker actions that use git authentication"
+  - url: https://github.com/orgs/community/discussions/179107
+    label: "GitHub Community: actions/checkout v6 changes discussion"
+  - url: https://github.com/actions/runner/pull/4011
+    label: "actions/runner PR#4011: credential manager changes introduced in v6"

package/errors/runner-environment/runner-environment-124.yml

@@ -0,0 +1,68 @@
+id: runner-environment-124
+title: "actions/setup-go@v6 GOTOOLCHAIN auto mode downloads unexpected Go version from go.mod toolchain directive"
+category: runner-environment
+severity: silent-failure
+tags:
+  - setup-go
+  - v6
+  - gotoolchain
+  - go-version
+  - toolchain-directive
+  - breaking-change
+patterns:
+  - regex: 'go: downloading go\d+\.\d+\.\d+ \('
+    flags: i
+  - regex: 'toolchain go\d+\.\d+\.\d+ cannot be used because it would require a later version'
+    flags: i
+  - regex: 'go: toolchain go\d+\.\d+\.\d+ not available on GOPROXY'
+    flags: i
+error_messages:
+  - "go: downloading go1.23.4 (linux/amd64)"
+  - "toolchain go1.23.4 cannot be used because it would require a later version"
+  - "go: toolchain go1.23.4 not available on GOPROXY"
+root_cause: |
+  actions/setup-go@v6 (released September 2025) changed toolchain handling to honor Go 1.21+
+  GOTOOLCHAIN semantics. When a go.mod file contains a 'toolchain goX.Y.Z' directive and
+  GOTOOLCHAIN is set to 'auto' (the default for Go 1.21+), Go will automatically download the
+  toolchain version specified in go.mod rather than using the version installed by setup-go.
+  The workflow runs with a different Go version than the one specified in the go-version: input,
+  causing unexpected behavior, build failures, or unintended Go version usage. In v5, setup-go
+  implicitly set GOTOOLCHAIN=local, preventing automatic toolchain downloads. v6 removed this
+  implicit override, meaning go.mod toolchain directives now take effect in CI.
+fix: |
+  Set GOTOOLCHAIN=local in the step environment to force Go to use exactly the version installed
+  by setup-go, ignoring the toolchain directive in go.mod. Alternatively, align the go-version:
+  input with the toolchain directive in go.mod, or use go-version-file: go.mod to let setup-go
+  read the version directly from the module file.
+fix_code:
+  - language: yaml
+    label: "Set GOTOOLCHAIN=local to prevent auto-download — use exactly the installed version"
+    code: |
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.22'
+
+      - name: Build
+        run: go build ./...
+        env:
+          GOTOOLCHAIN: local   # disables auto-download; uses only the version from setup-go
+  - language: yaml
+    label: "Or read go-version directly from go.mod to stay aligned with the toolchain directive"
+    code: |
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod   # reads 'go X.Y' line from go.mod; stays in sync automatically
+prevention:
+  - "After upgrading to setup-go@v6, verify the actual Go version used in builds matches the go-version: input"
+  - "Add GOTOOLCHAIN=local to workflow env or per-step env to opt out of automatic toolchain download behavior"
+  - "Keep the go.mod toolchain directive in sync with the go-version: value specified in setup-go"
+  - "Use go-version-file: go.mod instead of an explicit go-version: value to stay automatically aligned"
+docs:
+  - url: https://github.com/actions/setup-go/releases/tag/v6.0.0
+    label: "actions/setup-go v6.0.0 release notes — toolchain handling breaking change"
+  - url: https://github.com/actions/setup-go/pull/460
+    label: "actions/setup-go PR#460: Improve toolchain handling"
+  - url: https://go.dev/doc/toolchain
+    label: "Go documentation: Toolchains — GOTOOLCHAIN environment variable"

package/errors/silent-failures/silent-failures-062.yml

@@ -0,0 +1,66 @@
+id: silent-failures-062
+title: "actions/cache save failure emits Warning annotation but does not fail the workflow step"
+category: silent-failures
+severity: silent-failure
+tags:
+  - cache
+  - cache-save
+  - warning
+  - non-fatal
+  - false-success
+  - cache-service
+patterns:
+  - regex: 'Warning: Failed to save:.*Failed to CreateCacheEntry.*non-retryable'
+    flags: i
+  - regex: 'Warning: Failed to restore:.*Failed to GetCacheEntryDownloadURL.*non-retryable'
+    flags: i
+error_messages:
+  - "Warning: Failed to save: Failed to CreateCacheEntry: Received non-retryable error: Failed request: (404) Not Found: invalid request"
+  - "Warning: Failed to restore: Failed to GetCacheEntryDownloadURL: Received non-retryable error: Failed request: (404) Not Found: invalid request"
+root_cause: |
+  The actions/cache and actions/cache/save actions treat upload failures as non-fatal warnings
+  rather than step errors. When the GitHub cache backend returns an error (4xx/5xx), is
+  unavailable, or rejects the request, the action emits a yellow Warning annotation in the
+  workflow log but exits with code 0. The workflow step is marked green (success). Downstream
+  runs then see genuine "Cache not found" misses since nothing was persisted. Developers assume
+  the cache was saved based on the green checkmark, spending hours debugging unreliable cache
+  restore before finding the Warning annotation buried in the save step output. This behavior is
+  intentional — cache is treated as an optimization, not a requirement — but it means failures
+  are invisible unless annotations are actively checked.
+fix: |
+  Check step-level annotations (the yellow warning triangle icon) on cache save steps, not just
+  the green/red status indicator. Use fail-on-cache-miss: true on restore steps when cache
+  availability is critical to your build speed so that a missing cache surfaces as a hard
+  failure. For save failures there is no built-in fail flag — add a downstream validation step
+  if guaranteed cache persistence is required. Always use supported cache action versions
+  (actions/cache@v3 or @v4) to ensure compatibility with the current cache backend service.
+fix_code:
+  - language: yaml
+    label: "Use fail-on-cache-miss on restore to surface missing cache as an error"
+    code: |
+      - name: Restore build cache
+        id: restore-cache
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }}
+          path: ~/.npm
+          fail-on-cache-miss: true   # step fails with error if nothing was previously saved
+
+      - name: Save build cache
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          key: ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }}
+          path: ~/.npm
+prevention:
+  - "Always check workflow annotations (yellow warning triangle) in addition to the step pass/fail status"
+  - "Use actions/cache@v4 or @v3 — deprecated pinned SHAs may fail silently after the cache backend migration"
+  - "Use fail-on-cache-miss: true on restore steps to make cache misses visible as hard failures"
+  - "Monitor the actions/cache issue tracker when cache restore reliability degrades — backend incidents are reported quickly"
+docs:
+  - url: https://github.com/actions/cache/issues/1541
+    label: "actions/cache#1541: Bug: Failed to CreateCacheEntry (29 reactions, Feb 2025)"
+  - url: https://github.com/actions/cache/discussions/1510
+    label: "actions/cache Discussion#1510: Deprecation Notice — upgrade to latest before Feb 2025"
+  - url: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows
+    label: "GitHub Docs: Caching dependencies — fail-on-cache-miss option"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.61",
+  "version": "1.0.62",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",