@htekdev/actions-debugger 1.0.94 → 1.0.95

package/errors/caching-artifacts/caching-artifacts-052.yml

@@ -0,0 +1,107 @@
+id: caching-artifacts-052
+title: '`download-artifact@v4` `name:` Does Not Support Glob Patterns — Use `pattern:` Instead'
+category: caching-artifacts
+severity: silent-failure
+tags:
+  - download-artifact
+  - v4-breaking-change
+  - glob
+  - pattern
+  - migration
+  - artifact-download
+patterns:
+  - regex: 'download-artifact@v4|download-artifact@v3.*name.*\*'
+    flags: 'i'
+  - regex: 'name\s*:\s*[''"][^''"]*\*[^''"]*[''"]'
+    flags: 'i'
+error_messages:
+  - "No artifacts found with the provided name"
+  - "Error: Unable to find any artifacts for the associated workflow"
+  - "Unable to find artifact 'my-*-artifact'"
+root_cause: |
+  In `actions/download-artifact@v3`, the `name:` input accepted glob patterns
+  (e.g., `name: 'build-*'`) and would download all matching artifacts.
+  In `actions/download-artifact@v4` this behavior changed: `name:` now requires
+  an EXACT artifact name match. Glob characters in `name:` are treated as
+  literal characters, so `name: 'build-*'` looks for an artifact literally
+  named `build-*`, finds none, and either errors or silently downloads nothing
+  depending on the `error-no-files-found` setting.
+
+  The `pattern:` input was introduced in v4 as the replacement for glob-based
+  artifact selection. Migrating from v3 to v4 requires moving glob expressions
+  from `name:` to `pattern:`.
+
+  This silently impacts workflows that:
+  - Download multiple build artifacts from matrix jobs using a shared prefix
+  - Use wildcards to grab all artifacts from a set of parallel jobs
+  - Were migrated to v4 without reading the full migration guide
+fix: |
+  Replace glob patterns in `name:` with the `pattern:` input in
+  `actions/download-artifact@v4`. The `name:` input should only be used
+  when downloading a single artifact by its exact name.
+
+  When using `pattern:`, the action also has a `merge-multiple` option
+  that controls whether matched artifacts are merged into one directory
+  or placed in separate subdirectories.
+fix_code:
+  - language: yaml
+    label: "WRONG — glob in name: silently matches nothing in v4"
+    code: |
+      steps:
+        - uses: actions/download-artifact@v4
+          with:
+            name: 'build-*'      # ❌ globs not supported in name: for v4
+            path: ./artifacts
+  - language: yaml
+    label: "RIGHT — use pattern: for glob matching in v4"
+    code: |
+      steps:
+        - uses: actions/download-artifact@v4
+          with:
+            pattern: 'build-*'   # ✅ use pattern: for glob matching
+            path: ./artifacts
+            merge-multiple: true # flatten into single directory
+  - language: yaml
+    label: "RIGHT — download exact artifact by name in v4"
+    code: |
+      steps:
+        - uses: actions/download-artifact@v4
+          with:
+            name: build-linux-amd64   # ✅ exact name, no glob needed
+            path: ./dist/linux
+  - language: yaml
+    label: "Matrix upload + glob download pattern"
+    code: |
+      jobs:
+        build:
+          strategy:
+            matrix:
+              os: [linux, windows, macos]
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/upload-artifact@v4
+              with:
+                name: build-${{ matrix.os }}   # distinct name per job
+                path: ./dist/
+
+        package:
+          needs: build
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/download-artifact@v4
+              with:
+                pattern: 'build-*'      # ✅ downloads all build-* artifacts
+                path: ./all-builds
+                merge-multiple: false   # keep per-artifact subdirectories
+prevention:
+  - "When migrating from download-artifact@v3 to @v4, audit all `name:` inputs for glob characters and move them to `pattern:`."
+  - "Use `name:` only for exact single-artifact downloads; use `pattern:` for any glob or multi-artifact download."
+  - "Set `error-no-files-found: error` to fail fast when no artifacts match, exposing glob issues early."
+  - "Review the download-artifact v4 migration guide before updating the action version."
+docs:
+  - url: "https://github.com/actions/download-artifact/blob/main/docs/MIGRATION.md"
+    label: "download-artifact v4 migration guide"
+  - url: "https://github.com/actions/download-artifact#inputs"
+    label: "download-artifact — inputs reference (pattern vs name)"
+  - url: "https://github.com/actions/toolkit/releases/tag/%40actions%2Fartifact%402.0.0"
+    label: "actions/toolkit v2 — artifact v2 API underlying v4 action"

package/errors/known-unsolved/known-unsolved-053.yml

@@ -0,0 +1,114 @@
+id: known-unsolved-053
+title: '`workflow_dispatch` Has No Native Array or List Input Type — Must Serialize as JSON String'
+category: known-unsolved
+severity: limitation
+tags:
+  - workflow_dispatch
+  - inputs
+  - array
+  - list
+  - json
+  - limitation
+patterns:
+  - regex: 'workflow_dispatch.*inputs|inputs.*type\s*:\s*string.*array'
+    flags: 'im'
+  - regex: "fromJSON\\(.*inputs\\."
+    flags: 'i'
+error_messages:
+  - "Input type 'array' is not supported for workflow_dispatch"
+  - "Unexpected value 'array'"
+root_cause: |
+  GitHub Actions `workflow_dispatch` supports only five input types:
+  `string`, `boolean`, `choice`, `number`, and `environment`. There is no
+  native `array` or `list` type. Users who need to pass multiple values
+  (e.g., a list of services to deploy, a set of environments to target)
+  must serialize the array as a JSON string and parse it in the workflow.
+
+  This limitation affects:
+  - Manual dispatch with dynamic target lists
+  - CI/CD automation via the REST API (`POST /repos/.../actions/workflows/.../dispatches`)
+  - Reuse of workflow_dispatch workflows that naturally accept variable-length input
+  - Validation — no schema can prevent malformed JSON from being passed
+
+  A `type: array` schema was proposed in actions/runner#1844 (800+ reactions)
+  and remains one of the highest-voted open feature requests for GitHub Actions.
+fix: |
+  Serialize the array as a JSON string in the dispatch call and use
+  `fromJSON()` in the workflow to parse it into a matrix or loop variable.
+
+  Workarounds by use case:
+  1. **API dispatch**: Serialize to `'["a","b","c"]'` and use `fromJSON(inputs.targets)`
+  2. **UI dispatch**: Document the expected JSON format in the input description
+  3. **Choice type**: If the list is finite and known ahead of time, use
+     `type: choice` with predefined options instead
+  4. **Multiple boolean inputs**: For small fixed sets, use separate boolean
+     inputs per option (verbose but typed)
+fix_code:
+  - language: yaml
+    label: "Workaround — serialize array as JSON string, parse with fromJSON"
+    code: |
+      on:
+        workflow_dispatch:
+          inputs:
+            services:
+              description: 'JSON array of services to deploy e.g. ["api","worker","ui"]'
+              required: true
+              type: string
+              default: '["api","worker"]'
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          strategy:
+            matrix:
+              service: ${{ fromJSON(inputs.services) }}
+          steps:
+            - run: echo "Deploying ${{ matrix.service }}"
+  - language: yaml
+    label: "Workaround — comma-separated string split in shell"
+    code: |
+      on:
+        workflow_dispatch:
+          inputs:
+            environments:
+              description: 'Comma-separated environments e.g. staging,production'
+              required: true
+              type: string
+              default: 'staging'
+
+      jobs:
+        deploy:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Deploy to each environment
+              run: |
+                IFS=',' read -ra ENVS <<< "${{ inputs.environments }}"
+                for env in "${ENVS[@]}"; do
+                  echo "Deploying to: $env"
+                done
+  - language: yaml
+    label: "Alternative — use type: choice for known finite sets"
+    code: |
+      on:
+        workflow_dispatch:
+          inputs:
+            target_env:
+              description: 'Target environment'
+              required: true
+              type: choice
+              options:
+                - staging
+                - production
+                - both
+prevention:
+  - "Document the expected JSON format in the input `description` field so UI dispatchers know the required syntax."
+  - "Add a validation step that runs `echo '${{ inputs.targets }}' | jq .` to fail fast on malformed JSON before processing."
+  - "Consider using `type: choice` with predefined options if the list is small and known at workflow-definition time."
+  - "For API-driven workflows, generate the JSON array programmatically and pass it as a string in the dispatch payload."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputsinput_idtype"
+    label: "workflow_dispatch input types — supported values"
+  - url: "https://github.com/actions/runner/issues/1844"
+    label: "actions/runner #1844 — Support array inputs for workflow_dispatch (800+ reactions)"
+  - url: "https://docs.github.com/en/rest/actions/workflows#create-a-workflow-dispatch-event"
+    label: "REST API — Create a workflow dispatch event"

package/errors/permissions-auth/permissions-auth-053.yml

@@ -0,0 +1,103 @@
+id: permissions-auth-053
+title: 'GITHUB_TOKEN `packages: write` Cannot Delete Package Versions — Requires PAT with `delete:packages`'
+category: permissions-auth
+severity: error
+tags:
+  - packages
+  - github-token
+  - delete-packages
+  - container-registry
+  - package-cleanup
+  - permissions
+patterns:
+  - regex: 'Resource not accessible by integration'
+    flags: 'i'
+  - regex: 'DELETE.*packages.*versions|packages.*DELETE.*versions'
+    flags: 'i'
+  - regex: '403.*package|package.*403'
+    flags: 'i'
+error_messages:
+  - "Resource not accessible by integration"
+  - "403 Forbidden — DELETE https://api.github.com/user/packages/{type}/{name}/versions/{id}"
+  - "Error: Resource not accessible by integration (HTTP 403)"
+root_cause: |
+  The `packages: write` permission in `GITHUB_TOKEN` grants the ability to
+  publish and overwrite package versions but does NOT include the ability to
+  delete them. Package version deletion requires account-level permission
+  (`delete:packages` OAuth scope) that cannot be granted to an installation
+  token. The GitHub Packages REST API delete endpoint
+  (`DELETE /user/packages/{type}/{name}/versions/{id}` or the org equivalent)
+  validates the caller's account-level scope, which GITHUB_TOKEN—being a
+  repository-scoped installation token—can never satisfy regardless of the
+  `permissions: packages: write` declaration in the workflow.
+
+  This commonly surfaces in:
+  - Container image cleanup jobs that try to prune old tags/digests
+  - npm, Maven, or RubyGems package version retention workflows
+  - Automated housekeeping that uses `ghcr.io` image management actions
+fix: |
+  Store a fine-grained or classic PAT with `delete:packages` scope as a
+  repository secret (e.g., `PACKAGES_DELETE_TOKEN`) and use that token when
+  calling the Packages delete API or actions that delete package versions.
+
+  For GitHub Container Registry (ghcr.io) image pruning, use a PAT or a
+  GitHub App installation token with Packages write + admin scope. Pass it
+  as the `token:` input to the relevant cleanup action.
+fix_code:
+  - language: yaml
+    label: "WRONG — GITHUB_TOKEN cannot delete package versions (403)"
+    code: |
+      jobs:
+        cleanup:
+          runs-on: ubuntu-latest
+          permissions:
+            packages: write   # ❌ write permission does not grant delete
+          steps:
+            - name: Delete old package version
+              run: |
+                # This call will return 403 "Resource not accessible by integration"
+                VERSION_ID=12345
+                curl -X DELETE \
+                  -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+                  https://api.github.com/user/packages/container/my-image/versions/$VERSION_ID
+  - language: yaml
+    label: "RIGHT — use a PAT with delete:packages scope"
+    code: |
+      jobs:
+        cleanup:
+          runs-on: ubuntu-latest
+          steps:
+            - name: Delete old package version
+              env:
+                GH_TOKEN: ${{ secrets.PACKAGES_DELETE_TOKEN }}  # PAT with delete:packages
+              run: |
+                VERSION_ID=12345
+                curl -X DELETE \
+                  -H "Authorization: Bearer $GH_TOKEN" \
+                  https://api.github.com/user/packages/container/my-image/versions/$VERSION_ID
+  - language: yaml
+    label: "RIGHT — ghcr.io cleanup action with PAT"
+    code: |
+      jobs:
+        cleanup-images:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: snok/container-retention-policy@v3
+              with:
+                account: user
+                token: ${{ secrets.PACKAGES_DELETE_TOKEN }}  # PAT with delete:packages
+                image-names: my-image
+                cut-off: 7 days ago UTC
+                keep-n-most-recent: 5
+prevention:
+  - "Never assume `packages: write` is sufficient for full package lifecycle management — deletion is always PAT-only."
+  - "Create a dedicated PAT or GitHub App with `delete:packages` scope and store it as a secret for cleanup workflows."
+  - "Scope cleanup jobs separately from build jobs so the PAT is only used where deletion is needed."
+  - "Document in your workflow that PACKAGES_DELETE_TOKEN requires `delete:packages` scope so it is renewed with the right scopes."
+docs:
+  - url: "https://docs.github.com/en/rest/packages/packages#delete-a-package-version-for-a-user"
+    label: "REST API — Delete a package version for a user"
+  - url: "https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages#about-scopes-and-permissions-for-package-registries"
+    label: "About permissions for GitHub Packages"
+  - url: "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token"
+    label: "Creating a fine-grained PAT with delete:packages"

package/errors/silent-failures/silent-failures-087.yml

@@ -0,0 +1,120 @@
+id: silent-failures-087
+title: '`fail-fast: false` Does Not Prevent Downstream `needs:` Jobs From Being Skipped When Matrix Jobs Fail'
+category: silent-failures
+severity: silent-failure
+tags:
+  - matrix
+  - fail-fast
+  - needs
+  - downstream-job
+  - skipped
+  - strategy
+patterns:
+  - regex: 'fail-fast\s*:\s*false'
+    flags: 'i'
+  - regex: 'needs\s*:.*matrix|matrix.*needs\s*:'
+    flags: 'im'
+error_messages:
+  - "This job was skipped"
+  - "Job 'X' is skipped because all dependencies failed or were skipped"
+root_cause: |
+  `strategy.fail-fast: false` only prevents other MATRIX jobs from being
+  cancelled when one matrix job fails. It does NOT affect how downstream
+  jobs that `needs:` the matrix job handle the overall result.
+
+  When at least one matrix job fails (even with `fail-fast: false` allowing
+  all others to complete), the `needs.<matrix-job>.result` for the downstream
+  job evaluates to `'failure'`. A downstream job with a standard `needs:`
+  dependency is then SKIPPED — not because of `fail-fast`, but because its
+  dependency is in a failed state.
+
+  This surprises developers who add `fail-fast: false` expecting the entire
+  pipeline to continue running end-to-end. The final summary/report job
+  that needs the matrix job is silently skipped, producing no output.
+fix: |
+  Add `if: always()` to downstream jobs that should run regardless of matrix
+  outcome. Then explicitly check `needs.<job>.result` values to determine
+  pass/fail:
+
+  - `if: always()` ensures the job is never skipped due to upstream failure
+  - Check `contains(needs.*.result, 'failure')` to detect any matrix failure
+  - Use `needs.<job>.result == 'success'` for strict pass gates
+fix_code:
+  - language: yaml
+    label: "WRONG — summary job silently skipped when matrix job fails"
+    code: |
+      jobs:
+        test:
+          strategy:
+            fail-fast: false  # ❌ allows all matrix jobs to run, but...
+            matrix:
+              node: [18, 20, 22]
+          runs-on: ubuntu-latest
+          steps:
+            - run: npm test
+
+        summary:
+          needs: test           # ❌ still skipped if any matrix job failed
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "All tests done"
+  - language: yaml
+    label: "RIGHT — use if: always() and check result explicitly"
+    code: |
+      jobs:
+        test:
+          strategy:
+            fail-fast: false
+            matrix:
+              node: [18, 20, 22]
+          runs-on: ubuntu-latest
+          steps:
+            - run: npm test
+
+        summary:
+          needs: test
+          if: always()          # ✅ runs even when test jobs failed
+          runs-on: ubuntu-latest
+          steps:
+            - name: Check matrix results
+              if: contains(needs.test.result, 'failure')
+              run: |
+                echo "One or more matrix jobs failed"
+                exit 1
+            - name: Success
+              run: echo "All matrix jobs passed"
+  - language: yaml
+    label: "RIGHT — gate final deploy only when all matrix jobs pass"
+    code: |
+      jobs:
+        test:
+          strategy:
+            fail-fast: false
+            matrix:
+              node: [18, 20, 22]
+          runs-on: ubuntu-latest
+          outputs:
+            result: ${{ job.status }}
+          steps:
+            - run: npm test
+
+        deploy:
+          needs: test
+          if: always() && needs.test.result == 'success'  # ✅ explicit success check
+          runs-on: ubuntu-latest
+          steps:
+            - run: echo "Deploying"
+prevention:
+  - "Always add `if: always()` to aggregation/summary/deploy jobs that need to run after a matrix job."
+  - "Explicitly check `needs.<job>.result` or `contains(needs.*.result, 'failure')` rather than relying on implicit pass-through."
+  - "Understand that `fail-fast: false` is matrix-scoped — it does not change how the `needs:` graph handles failures."
+  - "Use job outputs combined with `if: always()` to build robust reporting jobs that capture all matrix outcomes."
+docs:
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-jobs-in-a-workflow#defining-prerequisite-jobs"
+    label: "Defining prerequisite jobs — needs context and result values"
+  - url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast"
+    label: "workflow syntax — jobs.<job_id>.strategy.fail-fast"
+  - url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/evaluate-expressions-in-workflows-and-actions#status-check-functions"
+    label: "Status check functions — always(), success(), failure()"
+  - url: "https://github.com/orgs/community/discussions/26822"
+    label: "GitHub Community — fail-fast: false but summary job still skipped"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@htekdev/actions-debugger",
-  "version": "1.0.94",
+  "version": "1.0.95",
   "description": "65+ real GitHub Actions errors, queryable by agents. CLI + MCP server + Copilot skills + error database.",
   "type": "module",
   "main": "./dist/index.js",