
[CI Failure Doctor] npm ci fails with SSH authentication error for @actions/github-script dependency #11040

@github-actions

Summary

The CI failed on the main branch after merging PR #11029. Three jobs (lint-js, js, and build) all failed during the npm ci step with SSH authentication errors when trying to install the @actions/github-script dependency.

Failure Details

Root Cause Analysis

PR #11029 added new package.json and package-lock.json files to actions/setup/js/. The issue stems from how the @actions/github-script dependency is specified and locked:

In package.json (line 6):

"@actions/github-script": "github:actions/github-script"

In package-lock.json:

"node_modules/@actions/github-script": {
  "version": "7.0.1",
  "resolved": "git+ssh://git@github.com/actions/github-script.git#450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a",
  ...
}

When the package-lock.json was generated on the developer's machine, npm resolved the github:actions/github-script shorthand to a git+ssh:// URL. This happened because their local git configuration was set to use SSH for GitHub.

When npm ci runs in CI, it uses the exact URLs from package-lock.json (that's the whole point of npm ci - reproducible builds). Since the package-lock.json contains a git+ssh:// URL, npm tries to clone via SSH, which fails because:

  1. GitHub Actions runners don't have SSH keys configured by default
  2. There's no GH_TOKEN or SSH key that npm can use for git+ssh:// authentication

Failed Jobs and Errors

All three jobs failed at the npm installation step with the same root cause:

lint-js:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ❌ Install npm dependencies  <-- FAILED
  ⏭️  Lint JavaScript files (skipped)

js:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ❌ Install npm dependencies  <-- FAILED
  ⏭️  Setup prompt templates for tests (skipped)

build:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ✅ Set up Go
  ✅ Report Go cache status
  ❌ npm ci  <-- FAILED
  ⏭️  Build code (skipped)

Recommended Actions

Immediate Fix

Regenerate package-lock.json with HTTPS URLs instead of SSH:

# Configure git to use HTTPS for GitHub dependencies
git config --global url."https://github.com/".insteadOf "git@github.com:"

# Navigate to the directory
cd actions/setup/js

# Clean and regenerate
rm -rf node_modules package-lock.json
npm install

# Verify the change
grep -A 5 "@actions/github-script" package-lock.json
# Should now show: "resolved": "https://github.com/..." instead of "git+ssh://..."

# Commit and push
git add package-lock.json
git commit -m "Fix package-lock.json to use HTTPS URLs for GitHub dependencies"
git push

Alternative Solutions

  1. Use a specific npm package version instead of the GitHub shorthand:

    "@actions/github-script": "^7.0.1"

    However, this might not work as @actions/github-script may not be published to npm.

  2. Use HTTPS URL directly:

    "@actions/github-script": "https://github.com/actions/github-script.git"

  3. Configure CI to use HTTPS (if we want to keep the current approach):
    Add a step before npm ci:

    - name: Configure git to use HTTPS
      run: git config --global url."https://github.com/".insteadOf "git@github.com:"

Prevention Strategies

  1. Always configure git to use HTTPS before generating package-lock.json when working with GitHub dependencies specified as github:org/repo.

  2. Add to development documentation:

    # In ~/.gitconfig, add:
    [url "https://github.com/"]
        insteadOf = git@github.com:

  3. Consider CI pre-commit checks: Add a check to verify package-lock.json doesn't contain git+ssh:// URLs:

    if grep -q "git+ssh://" actions/setup/js/package-lock.json; then
      echo "Error: package-lock.json contains git+ssh:// URLs"
      exit 1
    fi

  4. Use explicit HTTPS URLs in package.json for GitHub dependencies instead of the shorthand:

    "@actions/github-script": "https://github.com/actions/github-script.git#v7.0.1"

AI Team Self-Improvement

Add to .github/agents/developer.instructions.md or AGENTS.md:

### Package Lock File Guidelines

**CRITICAL - npm GitHub Dependencies:**

When adding or updating npm dependencies that use GitHub repositories (e.g., `"github:org/repo"`):

1. **ALWAYS configure git to use HTTPS before generating package-lock.json:**
   ```bash
   git config --global url."https://github.com/".insteadOf "git@github.com:"
   ```

2. **After generating package-lock.json, verify it uses HTTPS URLs:**
   ```bash
   # Should NOT find any git+ssh:// URLs
   ! grep -q "git+ssh://" package-lock.json
   ```

3. **Why this matters:**
   - npm ci in GitHub Actions uses exact URLs from package-lock.json
   - CI runners don't have SSH keys configured
   - git+ssh:// URLs will fail authentication in CI
   - This causes immediate CI failures that block all PRs

4. **Before committing package-lock.json:**
   ```bash
   # Check for SSH URLs
   grep -n "git+ssh://" actions/setup/js/package-lock.json
   # Should return empty (no matches)
   ```

**Common mistake to avoid:**

- ❌ BAD (in package-lock.json): `"resolved": "git+ssh://git@github.com/..."`
- ✅ GOOD (in package-lock.json): `"resolved": "https://github.com/..."`

## Historical Context

- This is the first time `package.json` and `package-lock.json` have been added to `actions/setup/js/`
- Previous CI failure (#11030) was related to peer dependency conflicts, not SSH authentication
- The repository has experienced several npm-related CI issues in the past, suggesting npm dependency management needs careful attention

## Investigation Metadata

- **Failure Pattern**: npm_ci_ssh_authentication
- **Category**: Dependencies / Configuration
- **Tags**: npm, ci, ssh, authentication, package-lock, github-dependency
- **Investigation Date**: 2026-01-21T15:51:25Z
- **Pattern Stored**: `/tmp/gh-aw/cache-memory/investigations/20260121-*-21215912203.json`




> AI generated by [CI Failure Doctor](https://github.com/githubnext/gh-aw/actions/runs/21216098782)
>
> To add this workflow in your repository, run `gh aw add githubnext/agentics/workflows/ci-doctor.md@ea350161ad5dcc9624cf510f134c6a9e39a6f94d`. See [usage guide](https://githubnext.github.io/gh-aw/guides/packaging-imports/).
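
The lock-file check proposed under Prevention Strategies, extended to parse the lock file and name each package whose `resolved` URL would make `npm ci` clone over SSH. This is an added example, not part of the original issue or the repository's code; `findSshResolved`, the sample lock file and its `left-pad` entry are constructed, and it assumes the `packages` map used by lockfileVersion 2 and 3.

```javascript
// Added example (not the repository's code): report lock-file entries that
// npm ci would fetch over SSH. Assumes the lockfileVersion 2/3 "packages" map.
const SSH_SCHEME = /^(git\+ssh|ssh):\/\//i; // schemes that need an SSH key
const FULL_SHA = /^[0-9a-f]{40}$/i;         // full commit id after '#'

function findSshResolved(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const resolved = entry.resolved;
    if (typeof resolved !== "string" || !SSH_SCHEME.test(resolved)) continue;
    const hash = resolved.indexOf("#");
    const ref = hash === -1 ? "" : resolved.slice(hash + 1);
    findings.push({
      path,
      version: entry.version,
      resolved,
      // A git dependency is only reproducible if it is pinned to a commit.
      pinnedToCommit: FULL_SHA.test(ref),
    });
  }
  return findings;
}

// Constructed sample: the entry quoted in this issue plus one registry package.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample", lockfileVersion: 3,
  packages: {
    "": { name: "sample" },
    "node_modules/@actions/github-script": {
      version: "7.0.1",
      resolved: "git+ssh://git@github.com/actions/github-script.git#450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a",
    },
    "node_modules/left-pad": { // constructed entry
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
  },
});

const report = (fs) => fs.forEach((f) =>
  console.error(`${f.path}@${f.version}: ${f.resolved} (pinned: ${f.pinnedToCommit})`));

if (process.argv[2]) {
  // CLI use: node check-lock.js actions/setup/js/package-lock.json
  import("node:fs").then((fs) => {
    const findings = findSshResolved(fs.readFileSync(process.argv[2], "utf8"));
    report(findings);
    process.exitCode = findings.length ? 1 : 0; // fail the CI step on findings
  });
} else {
  report(findSshResolved(SAMPLE_LOCK)); // no argument: run on the sample
}
```

Run with a lock-file path as its only argument, it exits non-zero when any entry resolves over SSH, so it can replace the `grep` in a CI step.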
