flake: CI infrastructure issue - step-security/harden-runner download 401 #1396

@flake-investigator

CI Run Link: https://github.com/coder/coder/actions/runs/22984459853

Branch: main
Commit: 3325b869033448aa05a54612a57e1794c6b006ac ("fix(chatd): skip provider-executed tools in message repair (#22976)") by Kyle Carberry <kyle@coder.com>

Timing verification:

  • changes job failed at 2026-03-12T02:54:52Z
  • Slack alert at 2026-03-12T02:57:22Z

What failed

  • Job: changes (GitHub-hosted ubuntu-24.04 runner)
  • Failure happened before any repo checkout; action download failed with 401.
  • required job failed only because changes failed.

Evidence (changes job)

##[warning]Failed to download action 'https://api.github.com/repos/step-security/harden-runner/tarball/5ef0c079ce82195b2a36a210272d6b661572d83e'. Error: Response status code does not indicate success: 401 (Unauthorized).
##[warning]Back off 13.349 seconds before retry.
##[warning]Failed to download action 'https://api.github.com/repos/step-security/harden-runner/tarball/5ef0c079ce82195b2a36a210272d6b661572d83e'. Error: Response status code does not indicate success: 401 (Unauthorized).
##[warning]Back off 17.925 seconds before retry.
##[error]Response status code does not indicate success: 401 (Unauthorized).

Evidence (required job)

Checking required checks
- changes: failure
...
One of the required checks has failed or has been cancelled
##[error]Process completed with exit code 1.

Root cause classification

  • Infrastructure / GitHub Actions service: unauthorized error downloading a public action tarball (step-security/harden-runner). No test failures, no panic/OOM, no data race.

Duplicates search (coder/internal)

  • "harden-runner" 401 Unauthorized
  • "Failed to download action" unauthorized
  • "step-security" action download
  • "Required checks" changes failure
  • Closed issues last 30 days with those queries
    Result: no matching open/closed issues found.

Assignment analysis

  • Failure is in CI workflow action download, not a test file; blame/test-level ownership not applicable.
  • Recent CI workflow changes:
    • git log --oneline -10 .github/workflows/ci.yaml
      • a96ec4c397e1 (Mathias Fredriksson) build/CI workflow updates
      • 51a627c10794 (Ethan) CI workflow adjustments
      • 06cfe2705a43 (dependabot) action version bumps (includes harden-runner)
  • Assigning to @mafredri as most recent human maintainer of ci.yaml for triage.

Suggested next steps

  • Re-run the workflow to confirm it was transient.
  • If recurring, consider adding retries around action download or investigating GitHub API auth/token permissions for Actions.

Reproduction

  • Not deterministic; re-run workflow.
