[WIP] Fix SSH authentication error in npm ci for GitHub script dependency #11043

Closed
Copilot wants to merge 1 commit into main from copilot/fix-npm-ci-auth-error

Copilot AI commented Jan 21, 2026

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

This section details the original issue you should resolve

<issue_title>[CI Failure Doctor] npm ci fails with SSH authentication error for @actions/github-script dependency</issue_title>
<issue_description>## Summary

The CI failed on the main branch after merging PR #11029. Three jobs (lint-js, js, and build) all failed during the npm ci step with SSH authentication errors when trying to install the @actions/github-script dependency.

Failure Details

Root Cause Analysis

PR #11029 added new package.json and package-lock.json files to actions/setup/js/. The issue stems from how the @actions/github-script dependency is specified and locked:

In package.json (line 6):

"@actions/github-script": "github:actions/github-script"

In package-lock.json:

"node_modules/@actions/github-script": {
  "version": "7.0.1",
  "resolved": "git+ssh://git@github.com/actions/github-script.git#450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a",
  ...
}

When the package-lock.json was generated on the developer's machine, npm resolved the github:actions/github-script shorthand to a git+ssh:// URL. This happened because their local git configuration was set to use SSH for GitHub.

When npm ci runs in CI, it uses the exact URLs from package-lock.json (that's the whole point of npm ci - reproducible builds). Since the package-lock.json contains a git+ssh:// URL, npm tries to clone via SSH, which fails because:

  1. GitHub Actions runners don't have SSH keys configured by default
  2. There's no GH_TOKEN or SSH key that npm can use for git+ssh:// authentication

Failed Jobs and Errors

All three jobs failed at the npm installation step with the same root cause:

lint-js:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ❌ Install npm dependencies  <-- FAILED
  ⏭️  Lint JavaScript files (skipped)

js:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ❌ Install npm dependencies  <-- FAILED
  ⏭️  Setup prompt templates for tests (skipped)

build:
  ✅ Set up job
  ✅ Checkout code
  ✅ Set up Node.js
  ✅ Report Node cache status
  ✅ Set up Go
  ✅ Report Go cache status
  ❌ npm ci  <-- FAILED
  ⏭️  Build code (skipped)

Recommended Actions

Immediate Fix

Regenerate package-lock.json with HTTPS URLs instead of SSH:

# Configure git to use HTTPS for GitHub dependencies
git config --global url."https://github.com/".insteadOf "git@github.com:"

# Navigate to the directory
cd actions/setup/js

# Clean and regenerate
rm -rf node_modules package-lock.json
npm install

# Verify the change
grep -A 5 "@actions/github-script" package-lock.json
# Should now show: "resolved": "https://github.com/..." instead of "git+ssh://..."

# Commit and push
git add package-lock.json
git commit -m "Fix package-lock.json to use HTTPS URLs for GitHub dependencies"
git push

Alternative Solutions

  1. Use a specific npm package version instead of the GitHub shorthand:

    "@actions/github-script": "^7.0.1"

    However, this might not work as @actions/github-script may not be published to npm.

  2. Use HTTPS URL directly:

    "@actions/github-script": "https://github.com/actions/github-script.git"

  3. Configure CI to use HTTPS (if we want to keep the current approach):
    Add a step before npm ci:

    - name: Configure git to use HTTPS
      run: git config --global url."https://github.com/".insteadOf "git@github.com:"

Prevention Strategies

  1. Always configure git to use HTTPS before generating package-lock.json when working with GitHub dependencies specified as github:org/repo.

  2. Add to development documentation:

    # In ~/.gitconfig, add:
    [url "https://github.com/"]
        insteadOf = git@github.com:

  3. Consider CI pre-commit checks: Add a check to verify package-lock.json doesn't contain git+ssh:// URLs:

    if grep -q "git+ssh://" actions/setup/js/package-lock.json; then
      echo "Error: package-lock.json contains git+ssh:// URLs"
      exit 1
    fi

  4. Use explicit HTTPS URLs in package.json for GitHub dependencies instead of the shorthand:

    "@actions/github-script": "https://github.com/actions/github-script.git#v7.0.1"

AI Team Self-Improvement

Add to .github/agents/developer.instructions.md or AGENTS.md:

### Package Lock File Guideli...

</details>




- Fixes githubnext/gh-aw#11040
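
A stricter form of the lockfile check proposed under "Prevention Strategies" above, written as an added example that is not part of the original comment or of the gh-aw repository: it parses the lockfile instead of grepping it, covers both lockfile layouts, and reports which entry carries the SSH URL. The function names and `SAMPLE_LOCK` are constructed for illustration; the URL and commit hash are the ones quoted in the issue.

```javascript
// Added example: list package-lock.json entries that `npm ci` would clone over SSH.
// Names are illustrative; SAMPLE_LOCK is constructed from the snippet in the issue.
const SSH_SCHEMES = ["git+ssh://", "ssh://"];

const isSsh = (url) =>
  typeof url === "string" && SSH_SCHEMES.some((s) => url.startsWith(s));

// Accepts a parsed lockfile and returns [{ where, resolved }] for SSH entries.
function findSshResolved(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path ("" is the root).
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (isSsh(entry.resolved)) findings.push({ where: path, resolved: entry.resolved });
    }
    return findings; // v2 mirrors entries under "dependencies"; skip to avoid duplicates
  }
  // lockfileVersion 1: nested tree; git dependencies keep their URL in "version".
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = prefix + name;
      const url = isSsh(entry.resolved) ? entry.resolved : entry.version;
      if (isSsh(url)) findings.push({ where, resolved: url });
      walk(entry.dependencies, where + " > ");
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Exit status for a CI step: 0 when clean, 1 when any SSH entry is present.
function exitCodeFor(lock) {
  const findings = findSshResolved(lock);
  for (const f of findings) console.error(`SSH-resolved dependency: ${f.where} -> ${f.resolved}`);
  return findings.length === 0 ? 0 : 1;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample", dependencies: { "@actions/github-script": "github:actions/github-script" } },
    "node_modules/@actions/github-script": {
      version: "7.0.1",
      resolved: "git+ssh://git@github.com/actions/github-script.git#450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a",
    },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  },
};
```

In a CI step, pass the parsed contents of `actions/setup/js/package-lock.json` to `exitCodeFor` and use the return value as the process exit code.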
