Github Actions and the hashFiles incident
HW42
hw42 at ipsumj.de
Mon Nov 24 08:24:52 UTC 2025
kpcyrd, 2025-11-23 21:15 +01:00:
> Dear Reproducible Builds list,
>
> one of my pipelines was failing today with the following error:
>
> > Error: The template is not valid. .github/workflows/rust.yml (Line:
> > 57, Col: 14): hashFiles('**/Cargo.lock') failed. Fail to hash files
> > under directory '/Users/runner/work/tokio-ar/tokio-ar'
>
> It's caused by the following line for cache-key calculation:
>
> > key: ${{ runner.os }}-cargo-debug-${{ hashFiles('**/Cargo.lock') }}
>
> This I had copied over from a different project so I was surprised this
> is now failing. I tried to figure out if maybe the commit wasn't checked
> out correctly, but then noticed this seems to be an ongoing regression:
>
> - https://github.com/actions/runner/issues/449 (originally from 2020,
> but recent comments from 2025)
> - https://github.com/actions/runner-images/issues/13341
> - https://github.com/orgs/community/discussions/180160
>
> There's a lot of people affected right now. Well, happens, but in this
> discussion thread a comment caught my attention however:
>
> > @andrzejressel:
> > https://github.com/andrzejressel/pulumi-gestalt/actions/runs/19598070772/job/56125529525?pr=1503#step:2:5454
> > - I think someone edited this file manually - it does not match repo:
> > https://github.com/actions/runner/blob/main/src/Misc/layoutbin/hashFiles/index.js#L5442
>
> Curious!

Interesting find.

> The comment links to the current `main` branch, I noticed there's
> release tags (which would be a simple solution to this mismatch
> mystery), I tried the same file from `v2.330.0` first, which didn't
> match, then tried `v2.329.0` which _almost_ matches.

Which matches the log that says:

2025-11-22T16:17:42.0583520Z Current runner version: '2.329.0'

> But not entirely:
>
> ```
> --- index-v2.329.0.js 2025-11-23 19:58:21.222607998 +0100
> +++ job-logs.js 2025-11-23 19:57:45.889321750 +0100
> @@ -1,4 +1,4 @@
> -/******/ (() => { // webpackBootstrap
> +/******/ (() => { // webpackBootstrap
> /******/ var __webpack_modules__ = ({
>
> /***/ 2627:
> @@ -2361,7 +2361,7 @@
> if (!options.headers) {
> throw Error('The request has no headers');
> }
> - options.headers['Authorization'] = `Bearer ${this.token}`;
> + options.headers['Authorization'] = `***;
> }
> // This handler cannot handle 401
> canHandleAuthentication() {
> @@ -5435,4 +5435,13 @@
> /******/ module.exports = __webpack_exports__;
> /******/
> /******/ })()
> -;
> \ No newline at end of file
> +;*****************/
> +/******/
> +/******/ // startup
> +/******/ // Load entry module and return exports
> +/******/ // This entry module is referenced by other modules so it
> can't be inlined
> +/******/ var __webpack_exports__ = __nccwpck_require__(4711);
> +/******/ module.exports = __webpack_exports__;
> +/******/
> +/******/ })()
> +;
> ```
>
> The first hunk is due to `0xef 0xbb 0xbf` and likely inserted by the CI:
> https://en.wikipedia.org/wiki/Byte_order_mark

Indeed. If you download the full log, it's at the start of the log, not of
the cat output.

> The second hunk I assume is log redaction along the lines of `Bearer
> (.*)` to avoid leaking secrets/credentials.
>
> The third hunk I don't have an explanation for. At first it looks like
> this is comments-only, but `/******/` starts and also immediately ends a
> block comment, so the code after is indeed executed.

Looks like a bug in the code that deploys the runner code.

$ dd if=index-v2.330.0.js of=o.js
359+1 records in
359+1 records out
184207 bytes (184 kB, 180 KiB) copied, 0.00310911 s, 59.2 MB/s
$ dd if=index-v2.329.0.js of=o.js conv=notrunc
359+1 records in
359+1 records out
183884 bytes (184 kB, 180 KiB) copied, 0.00622775 s, 29.5 MB/s
$ diff --color -u job-logs.js o.js
--- job-logs.js 2025-11-24 08:27:49.502969286 +0100
+++ o.js 2025-11-24 09:19:50.057536968 +0100
@@ -1,4 +1,4 @@
-/******/ (() => { // webpackBootstrap
+/******/ (() => { // webpackBootstrap
/******/ var __webpack_modules__ = ({
/***/ 2627:
@@ -2361,7 +2361,7 @@
if (!options.headers) {
throw Error('The request has no headers');
}
- options.headers['Authorization'] = `***;
+ options.headers['Authorization'] = `Bearer ${this.token}`;
}
// This handler cannot handle 401
canHandleAuthentication() {
@@ -5444,4 +5444,4 @@
/******/ module.exports = __webpack_exports__;
/******/
/******/ })()
-;
+;
\ No newline at end of file
$

So, luckily, mostly harmless. Just a missing truncation on a file write
somewhere.

Simon
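
The dd reproduction in the message above can be turned into a reusable check: given the file a runner actually served, the version it reports, and other released versions, test whether the served file is the reported version followed by the stale tail of a longer one. This is an added example, not part of the original message or of the runner's code; the function names, file names and file contents are constructed stand-ins for the real bundles.

```shell
#!/bin/sh
# Added example, not from the thread: all file names and contents are constructed.

# stale_tail_match OBSERVED NEW OLD
# Exit 0 when OBSERVED equals NEW followed by the bytes of OLD that lie past
# NEW's length, which is what writing NEW over OLD without truncation leaves.
stale_tail_match() {
    new_len=$(($(wc -c < "$2")))
    old_len=$(($(wc -c < "$3")))
    [ "$old_len" -gt "$new_len" ] || return 1   # only a longer OLD leaves residue
    { cat "$2"; tail -c "+$((new_len + 1))" "$3"; } | cmp -s - "$1"
}

# find_stale_source OBSERVED NEW CANDIDATE...
# Print the first candidate whose tail explains OBSERVED; exit 1 if none does.
find_stale_source() {
    observed=$1; new=$2; shift 2
    for old in "$@"; do
        if stale_tail_match "$observed" "$new" "$old"; then
            printf '%s\n' "$old"
            return 0
        fi
    done
    return 1
}

# Constructed stand-ins for three bundle versions; v2 is the longest.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'module.exports = 1;\n})()\n;' > "$work/v1.js"
printf '// startup\nvar e = require(4711);\nmodule.exports = e;\n})()\n;' > "$work/v2.js"
printf 'x;' > "$work/v0.js"

# Reproduce the deployment bug as in the thread: v2 on disk, v1 written over it
# with conv=notrunc, so v2's last bytes survive after v1's final ';'.
cp "$work/v2.js" "$work/deployed.js"
dd if="$work/v1.js" of="$work/deployed.js" conv=notrunc 2>/dev/null

if src=$(find_stale_source "$work/deployed.js" "$work/v1.js" "$work/v0.js" "$work/v2.js"); then
    echo "deployed.js = v1.js + stale tail of ${src##*/}"
else
    echo "no candidate explains deployed.js"
fi
```

A file recovered from job logs first needs the byte order mark, the redacted `Authorization` line and the trailing newline normalized, since those are the remaining differences the diff in the message shows.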