@htekdev/actions-debugger 1.0.88 → 1.0.89

package/errors/silent-failures/silent-failures-082.yml

@@ -0,0 +1,93 @@
+id: silent-failures-082
+title: "pull_request_target checkout defaults to base branch, not PR head"
+category: silent-failures
+severity: silent-failure
+tags:
+  - pull_request_target
+  - checkout
+  - security
+  - fork
+  - base-branch
+patterns:
+  - regex: 'on:\s*\n\s+pull_request_target'
+    flags: 'im'
+  - regex: 'pull_request_target'
+    flags: 'i'
+error_messages:
+  - "Workflow runs on base branch code instead of PR contributor changes"
+  - "Tests pass on base but fail on PR code with no visible error in logs"
+root_cause: |
+  When a workflow is triggered by `pull_request_target`, GitHub Actions runs the workflow
+  from the TARGET repository's base branch — not the contributor's PR head. This is
+  intentional: `pull_request_target` provides write-level token access (for labeling,
+  commenting, posting status checks), so GitHub protects secrets by refusing to run
+  untrusted fork code with elevated permissions.
+
+  As a result, `actions/checkout` checks out `github.sha`, which resolves to the merge
+  base commit on the target branch. Any tests, linting, or code analysis in this
+  workflow validate the base branch, not the contributor's changes. The workflow
+  succeeds silently while testing the wrong code.
+fix: |
+  Option 1 (recommended — safe): Use `pull_request` (not `pull_request_target`) for
+  running PR code. `pull_request` triggers run with read-only tokens and check out the
+  PR head by default. Use `pull_request_target` only for privileged actions like posting
+  comments or labels.
+
+  Option 2 (explicit checkout — use with caution): Explicitly check out the PR head
+  using `github.event.pull_request.head.sha`. Only do this if you fully trust all
+  contributors and understand that fork code will execute with the repository write token.
+fix_code:
+  - language: yaml
+    label: "Recommended: use pull_request for code execution, pull_request_target for privileged writes"
+    code: |
+      # Workflow 1: run tests on PR code (read-only, safe for forks)
+      on:
+        pull_request:
+          branches: [main]
+
+      jobs:
+        test:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+              # Checks out PR head automatically — no ref: override needed
+            - run: npm test
+
+      ---
+      # Workflow 2: post labels (write access via pull_request_target)
+      on:
+        pull_request_target:
+          types: [opened]
+
+      jobs:
+        label:
+          runs-on: ubuntu-latest
+          permissions:
+            pull-requests: write
+          steps:
+            - uses: actions/labeler@v5
+              # Never runs contributor code here — only labels the PR
+  - language: yaml
+    label: "If you must run PR code under pull_request_target (risky)"
+    code: |
+      on:
+        pull_request_target:
+          branches: [main]
+
+      jobs:
+        test:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+              with:
+                ref: ${{ github.event.pull_request.head.sha }}
+                # WARNING: executes untrusted fork code with write-level token
+prevention:
+  - "Use pull_request (not pull_request_target) for workflows that run code — pull_request tokens are read-only and checkout the PR head correctly by default"
+  - "Reserve pull_request_target for privileged write-only actions: posting comments, applying labels, updating statuses — never checkout and execute untrusted PR code in these workflows"
+  - "If CI consistently passes but reviewers find bugs tests should catch, verify which commit your checkout step is using by printing github.sha vs github.event.pull_request.head.sha"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target"
+    label: "pull_request_target event — security considerations"
+  - url: "https://securitylab.github.com/research/github-actions-preventing-pwn-requests/"
+    label: "GitHub Security Lab: Preventing pwn requests (pull_request_target risks)"

package/errors/silent-failures/silent-failures-083.yml

@@ -0,0 +1,64 @@
+id: silent-failures-083
+title: "matrix strategy fail-fast true by default silently cancels all remaining jobs on first failure"
+category: silent-failures
+severity: silent-failure
+tags:
+  - matrix
+  - fail-fast
+  - cancellation
+  - strategy
+  - parallel-jobs
+patterns:
+  - regex: 'strategy:\s*\n\s+matrix:'
+    flags: 'im'
+  - regex: 'Some jobs were not executed because a previous required job failed'
+    flags: 'i'
+error_messages:
+  - "Some jobs were not executed because a previous required job failed"
+  - "Skipping this step because a previous step failed or the workflow was cancelled"
+  - "This job was cancelled because another job in the workflow failed"
+root_cause: |
+  GitHub Actions matrix strategy has `fail-fast: true` as the default. When any single
+  matrix job fails, GitHub immediately cancels all remaining in-progress and queued
+  matrix jobs from the same workflow run.
+
+  This means:
+  - You only see the failure from the first (or earliest) failing matrix combination
+  - All other combinations — whether they would pass or fail — are cancelled immediately
+  - The workflow summary shows cancelled jobs with no diagnostic information
+  - Developers may spend time fixing the first failure only to discover a second unrelated
+    failure in a different matrix combination afterward
+
+  Many developers set up matrix builds specifically to validate across multiple
+  OS/language version combinations and expect every combination to run to completion.
+fix: |
+  Explicitly set `fail-fast: false` in your matrix strategy to allow all matrix jobs to
+  run to completion regardless of individual failures. This provides a complete picture
+  of which matrix combinations are broken.
+fix_code:
+  - language: yaml
+    label: "Set fail-fast: false to run all matrix combinations to completion"
+    code: |
+      jobs:
+        test:
+          strategy:
+            fail-fast: false    # default is true — set false for full matrix visibility
+            matrix:
+              os: [ubuntu-latest, windows-latest, macos-latest]
+              node: [18, 20, 22]
+          runs-on: ${{ matrix.os }}
+          steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-node@v4
+              with:
+                node-version: ${{ matrix.node }}
+            - run: npm test
+prevention:
+  - "Always explicitly set fail-fast: false when you want all matrix combinations to run — for example when building cross-platform or cross-version compatibility matrices"
+  - "The default fail-fast: true is intentional for workflows where you only care about any single failure (saves CI minutes), but must be changed when you need full failure visibility"
+  - "If matrix jobs are silently cancelled and show no error output, check whether fail-fast: true (or its absence — the default) is the cause"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast"
+    label: "jobs.<job_id>.strategy.fail-fast documentation"
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix"
+    label: "Matrix strategy documentation"

package/errors/silent-failures/silent-failures-084.yml

@@ -0,0 +1,96 @@
+id: silent-failures-084
+title: "github.sha on pull_request event is the ephemeral merge commit SHA, not the PR head commit"
+category: silent-failures
+severity: silent-failure
+tags:
+  - github-sha
+  - pull_request
+  - merge-commit
+  - docker
+  - tagging
+  - status-checks
+patterns:
+  - regex: '\$\{\{\s*github\.sha\s*\}\}'
+    flags: 'i'
+  - regex: 'github\.sha'
+    flags: 'i'
+error_messages:
+  - "Docker image tagged with SHA not found in git history"
+  - "Deployment status does not appear on the PR commit"
+  - "Commit status check not visible on pull request"
+root_cause: |
+  On `pull_request` events, `github.sha` is NOT the PR branch's head commit SHA. It is
+  the SHA of a temporary merge commit that GitHub creates automatically to simulate
+  "what would happen if this PR were merged right now." This ephemeral merge commit:
+
+  - Does NOT appear in the repository's git history
+  - Changes every time the base branch advances, even with no new PR commits
+  - Is not accessible via normal git operations outside the workflow run
+
+  Consequences developers hit in the wild:
+  - Docker images tagged with `github.sha` have tags that don't correspond to any real
+    commit, making rollbacks and tracing impossible
+  - Commit status checks or deployment markers posted to `github.sha` don't appear on
+    any commit in the PR and are effectively invisible to reviewers
+  - Scripts that fetch the commit from the API using github.sha return 404
+
+  The actual PR head commit SHA is available via `github.event.pull_request.head.sha`.
+fix: |
+  Use `github.event.pull_request.head.sha` to get the actual PR head commit on
+  pull_request events. For workflows triggered by both push and pull_request, use a
+  conditional to select the correct SHA per event type.
+fix_code:
+  - language: yaml
+    label: "Get the correct SHA for both push and pull_request events"
+    code: |
+      jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v4
+
+            - name: Resolve commit SHA
+              id: sha
+              run: |
+                if [ "${{ github.event_name }}" = "pull_request" ]; then
+                  echo "value=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+                else
+                  echo "value=${{ github.sha }}" >> $GITHUB_OUTPUT
+                fi
+
+            - name: Tag Docker image with correct SHA
+              run: |
+                docker build -t myapp:${{ steps.sha.outputs.value }} .
+                docker push myapp:${{ steps.sha.outputs.value }}
+  - language: yaml
+    label: "Post commit status to the correct PR head SHA"
+    code: |
+      on:
+        pull_request:
+
+      jobs:
+        status:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Post status to actual PR commit
+              uses: actions/github-script@v7
+              with:
+                script: |
+                  // Use PR head SHA, not github.sha (merge commit)
+                  await github.rest.repos.createCommitStatus({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    sha: context.payload.pull_request.head.sha,
+                    state: 'success',
+                    description: 'Build passed',
+                    context: 'ci/build'
+                  });
+prevention:
+  - "Never tag Docker images or create commit statuses using github.sha on pull_request events — use github.event.pull_request.head.sha for the real PR head"
+  - "If deployment statuses or commit checks are missing from PR commits, verify you are not posting them to github.sha (the merge commit)"
+  - "The merge commit SHA changes every time the base branch gets new commits, even without new PR activity — this makes github.sha unstable for artifact tagging on PRs"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request"
+    label: "pull_request event — note on github.sha merge commit"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#github-context"
+    label: "GitHub context — sha property"

package/errors/yaml-syntax/yaml-syntax-056.yml

@@ -0,0 +1,87 @@
+id: yaml-syntax-056
+title: "env context unavailable inside with: inputs of uses: steps"
+category: yaml-syntax
+severity: error
+tags:
+  - env-context
+  - with-inputs
+  - uses
+  - expression-context
+  - action-inputs
+patterns:
+  - regex: "Unrecognized named-value: 'env'"
+    flags: 'i'
+  - regex: 'Invalid workflow file.*Unrecognized named-value'
+    flags: 'i'
+error_messages:
+  - "Unrecognized named-value: 'env'. Located at position 1 within expression: env.MY_VAR"
+  - "Invalid workflow file: .github/workflows/ci.yml (Line 14, Col 15): Unrecognized named-value: 'env'"
+  - "The workflow is not valid. .github/workflows/build.yml: Unrecognized named-value: 'env'"
+root_cause: |
+  The `env` context is NOT available inside the `with:` input block of a `uses:` step.
+  GitHub Actions evaluates `uses:` step inputs using a restricted set of contexts, and
+  `env` is explicitly excluded because env var values may depend on previous step
+  outputs (which are also unavailable at `with:` evaluation time).
+
+  Contexts available in `with:` inputs: `github`, `needs`, `strategy`, `matrix`,
+  `secrets`, `inputs`, `vars`, and `steps` (but only from previously completed steps).
+  The `env` context, `runner` context, and job-level env vars are all unavailable.
+
+  This catches developers who define env vars at the workflow or job level and then try
+  to pass them as action inputs, which fails with "Unrecognized named-value: 'env'".
+fix: |
+  Three options:
+  1. Reference the value directly (hardcoded or via a different supported context)
+  2. Use `vars` context (repository/org variables) — available in `with:` blocks
+  3. Capture the env value in a prior step's GITHUB_OUTPUT and reference it via
+     `steps.<id>.outputs.<name>` in the subsequent `uses:` step
+fix_code:
+  - language: yaml
+    label: "Wrong: env context in with: inputs (causes parse error)"
+    code: |
+      env:
+        API_URL: https://api.example.com
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: my-org/deploy-action@v1
+              with:
+                url: ${{ env.API_URL }}   # ERROR: Unrecognized named-value: 'env'
+  - language: yaml
+    label: "Fix option A: use vars context (repository variable)"
+    code: |
+      # Set API_URL as a repository variable in Settings > Secrets and variables > Variables
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: my-org/deploy-action@v1
+              with:
+                url: ${{ vars.API_URL }}   # vars context IS available in with:
+  - language: yaml
+    label: "Fix option B: capture in prior step output, reference via steps context"
+    code: |
+      env:
+        API_URL: https://api.example.com
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - id: config
+              run: echo "api_url=$API_URL" >> $GITHUB_OUTPUT
+
+            - uses: my-org/deploy-action@v1
+              with:
+                url: ${{ steps.config.outputs.api_url }}   # steps context IS available
+prevention:
+  - "In with: inputs, only use: github, needs, strategy, matrix, secrets, inputs, vars, and steps (from prior completed steps) — never env or runner"
+  - "For static configuration values, prefer repository variables (vars context) over env — vars are available everywhere env is not"
+  - "If you need a dynamically computed value (from a script or env var) in a with: block, capture it to GITHUB_OUTPUT in a prior step and reference via steps.<id>.outputs"
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#context-availability"
+    label: "Context availability table — which contexts are valid per syntax location"
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepswith"
+    label: "jobs.<job_id>.steps[*].with syntax documentation"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.88",
+  "version": "1.0.89",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",