fix: replace orchestrator-develop branch references with main

The orchestrator-develop branch no longer exists. Update all fallback clone commands and test fixtures to use main instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ci: set macOS builds to continue-on-error
2026-06-10 16:03:54 -07:00 · 2026-03-09 20:08:44 +00:00 · 2026-03-05 23:33:48 +00:00 · 2026-03-05 14:10:24 +00:00 · 2026-03-05 13:00:17 +00:00 · 2026-03-05 07:58:58 +00:00
13 changed files with 953 additions and 1866 deletions
@@ -182,8 +182,8 @@ inputs:
    required: false
    default: ''
    description:
-      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with
+      '[Orchestrator] Run a custom job instead of the standard build automation for orchestrator (in yaml format with the
-      the keys image, secrets (name, value object array), command line string)'
+      keys image, secrets (name, value object array), command line string)'
  awsStackName:
    default: 'game-ci'
    required: false
@@ -194,6 +194,42 @@ inputs:
    description:
      '[Orchestrator] Either local, k8s or aws can be used to run builds on a remote cluster. Additional parameters must
      be configured.'
  fallbackProviderStrategy:
    default: ''
    required: false
    description:
      '[Orchestrator] Fallback provider when the primary is unavailable. Used with runnerCheckEnabled for automatic
      failover, or as a catch-all if the primary provider fails to initialize.'
  runnerCheckEnabled:
    default: 'false'
    required: false
    description:
      '[Orchestrator] Check GitHub Actions runner availability before starting a build. When no suitable runners are
      available and fallbackProviderStrategy is set, automatically routes to the fallback provider.'
  runnerCheckLabels:
    default: ''
    required: false
    description:
      '[Orchestrator] Comma-separated runner labels to filter when checking availability (e.g. self-hosted,linux).
      When empty, checks all runners in the repository.'
  runnerCheckMinAvailable:
    default: '1'
    required: false
    description:
      '[Orchestrator] Minimum number of idle runners required for the primary provider. If fewer are available,
      routes to fallbackProviderStrategy.'
  retryOnFallback:
    default: 'false'
    required: false
    description:
      '[Orchestrator] When true and fallbackProviderStrategy is set, automatically retry the build on the fallback
      provider if the primary provider fails. Useful for long builds where transient cloud failures are common.'
  providerInitTimeout:
    default: '0'
    required: false
    description:
      '[Orchestrator] Maximum seconds to wait for the primary provider to initialize (setupWorkflow). If exceeded
      and fallbackProviderStrategy is set, switches to the fallback. Set to 0 to disable (default).'
  resourceTracking:
    default: 'false'
    required: false
@@ -279,30 +315,6 @@ inputs:
    description:
      '[Orchestrator] Specifies the repo for the unity builder. Useful if you forked the repo for testing, features, or
      fixes.'
  gitIntegrityCheck:
    description: 'Run git integrity checks before build (fsck, lock cleanup, submodule validation)'
    required: false
    default: 'false'
  gitAutoRecover:
    description: 'Attempt automatic recovery if git corruption is detected'
    required: false
    default: 'false'
  cleanReservedFilenames:
    description: 'Remove Windows reserved filenames that cause Unity import loops'
    required: false
    default: 'false'
  buildArchiveEnabled:
    description: 'Archive build output after successful build'
    required: false
    default: 'false'
  buildArchivePath:
    description: 'Path to store build archives'
    required: false
    default: './build-archives'
  buildArchiveRetention:
    description: 'Days to retain build archives before cleanup'
    required: false
    default: '30'
 outputs:
  volume:
@@ -38,7 +38,6 @@ const model_1 = __nccwpck_require__(41359);
 const cli_1 = __nccwpck_require__(55651);
 const mac_builder_1 = __importDefault(__nccwpck_require__(39364));
 const platform_setup_1 = __importDefault(__nccwpck_require__(64423));
 const reliability_1 = __nccwpck_require__(9842);
 async function runMain() {
    try {
        if (cli_1.Cli.InitCliMode()) {
@@ -47,32 +46,9 @@ async function runMain() {
        }
        model_1.Action.checkCompatibility();
        model_1.Cache.verify();
        // Always configure git environment for CI reliability
        reliability_1.BuildReliabilityService.configureGitEnvironment();
        const { workspace, actionFolder } = model_1.Action;
        const buildParameters = await model_1.BuildParameters.create();
        const baseImage = new model_1.ImageTag(buildParameters);
        // Pre-build reliability checks
        if (buildParameters.gitIntegrityCheck) {
            core.info('Running git integrity checks...');
            const isHealthy = reliability_1.BuildReliabilityService.checkGitIntegrity(workspace);
            reliability_1.BuildReliabilityService.cleanStaleLockFiles(workspace);
            reliability_1.BuildReliabilityService.validateSubmoduleBackingStores(workspace);
            if (buildParameters.cleanReservedFilenames) {
                reliability_1.BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
            }
            if (!isHealthy && buildParameters.gitAutoRecover) {
                core.info('Git corruption detected, attempting automatic recovery...');
                const recovered = reliability_1.BuildReliabilityService.recoverCorruptedRepo(workspace);
                if (!recovered) {
                    core.warning('Automatic recovery failed. Build may encounter issues.');
                }
            }
        }
        else if (buildParameters.cleanReservedFilenames) {
            // cleanReservedFilenames can run independently of gitIntegrityCheck
            reliability_1.BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
        }
        let exitCode = -1;
        if (buildParameters.providerStrategy === 'local') {
            core.info('Building locally');
@@ -90,12 +66,6 @@ async function runMain() {
            await model_1.Orchestrator.run(buildParameters, baseImage.toString());
            exitCode = 0;
        }
        // Post-build: archive and enforce retention
        if (buildParameters.buildArchiveEnabled && exitCode === 0) {
            core.info('Archiving build output...');
            reliability_1.BuildReliabilityService.archiveBuildOutput(buildParameters.buildPath, buildParameters.buildArchivePath);
            reliability_1.BuildReliabilityService.enforceRetention(buildParameters.buildArchivePath, buildParameters.buildArchiveRetention);
        }
        // Set output
        await model_1.Output.setBuildVersion(buildParameters.buildVersion);
        await model_1.Output.setAndroidVersionCode(buildParameters.androidVersionCode);
@@ -357,6 +327,12 @@ class BuildParameters {
            containerRegistryRepository: input_1.default.containerRegistryRepository,
            containerRegistryImageVersion: input_1.default.containerRegistryImageVersion,
            providerStrategy: orchestrator_options_1.default.providerStrategy,
            fallbackProviderStrategy: orchestrator_options_1.default.fallbackProviderStrategy,
            runnerCheckEnabled: orchestrator_options_1.default.runnerCheckEnabled,
            runnerCheckLabels: orchestrator_options_1.default.runnerCheckLabels,
            runnerCheckMinAvailable: orchestrator_options_1.default.runnerCheckMinAvailable,
            retryOnFallback: orchestrator_options_1.default.retryOnFallback,
            providerInitTimeout: orchestrator_options_1.default.providerInitTimeout,
            buildPlatform: orchestrator_options_1.default.buildPlatform,
            kubeConfig: orchestrator_options_1.default.kubeConfig,
            containerMemory: orchestrator_options_1.default.containerMemory,
@@ -405,12 +381,6 @@ class BuildParameters {
            cacheUnityInstallationOnMac: input_1.default.cacheUnityInstallationOnMac,
            unityHubVersionOnMac: input_1.default.unityHubVersionOnMac,
            dockerWorkspacePath: input_1.default.dockerWorkspacePath,
            gitIntegrityCheck: input_1.default.gitIntegrityCheck,
            gitAutoRecover: input_1.default.gitAutoRecover,
            cleanReservedFilenames: input_1.default.cleanReservedFilenames,
            buildArchiveEnabled: input_1.default.buildArchiveEnabled,
            buildArchivePath: input_1.default.buildArchivePath,
            buildArchiveRetention: input_1.default.buildArchiveRetention,
        };
    }
    static parseBuildFile(filename, platform, androidExportType) {
@@ -1862,28 +1832,6 @@ class Input {
    static get skipActivation() {
        return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
    }
    static get gitIntegrityCheck() {
        const input = Input.getInput('gitIntegrityCheck') ?? 'false';
        return input === 'true';
    }
    static get gitAutoRecover() {
        const input = Input.getInput('gitAutoRecover') ?? 'false';
        return input === 'true';
    }
    static get cleanReservedFilenames() {
        const input = Input.getInput('cleanReservedFilenames') ?? 'false';
        return input === 'true';
    }
    static get buildArchiveEnabled() {
        const input = Input.getInput('buildArchiveEnabled') ?? 'false';
        return input === 'true';
    }
    static get buildArchivePath() {
        return Input.getInput('buildArchivePath') ?? './build-archives';
    }
    static get buildArchiveRetention() {
        return Number.parseInt(Input.getInput('buildArchiveRetention') ?? '30', 10);
    }
    static ToEnvVarFormat(input) {
        if (input.toUpperCase() === input) {
            return input;
@@ -2262,6 +2210,25 @@ class OrchestratorOptions {
        }
        return provider || 'local';
    }
    static get fallbackProviderStrategy() {
        return OrchestratorOptions.getInput('fallbackProviderStrategy') || '';
    }
    static get runnerCheckEnabled() {
        return OrchestratorOptions.getInput('runnerCheckEnabled') === 'true';
    }
    static get runnerCheckLabels() {
        const labels = OrchestratorOptions.getInput('runnerCheckLabels');
        return labels ? labels.split(',').map((l) => l.trim()) : [];
    }
    static get runnerCheckMinAvailable() {
        return Number(OrchestratorOptions.getInput('runnerCheckMinAvailable')) || 1;
    }
    static get retryOnFallback() {
        return OrchestratorOptions.getInput('retryOnFallback') === 'true';
    }
    static get providerInitTimeout() {
        return Number(OrchestratorOptions.getInput('providerInitTimeout')) || 0;
    }
    static get containerCpu() {
        return OrchestratorOptions.getInput('containerCpu') || `1024`;
    }
@@ -2566,6 +2533,7 @@ const follow_log_stream_service_1 = __nccwpck_require__(36149);
 const orchestrator_result_1 = __importDefault(__nccwpck_require__(86819));
 const orchestrator_options_1 = __importDefault(__nccwpck_require__(82473));
 const resource_tracking_1 = __importDefault(__nccwpck_require__(42604));
 const runner_availability_service_1 = __nccwpck_require__(18876);
 class Orchestrator {
    static get isOrchestratorEnvironment() {
        return process.env[`GITHUB_ACTIONS`] !== `true`;
@@ -2602,6 +2570,26 @@ class Orchestrator {
    }
    static async setupSelectedBuildPlatform() {
        orchestrator_logger_1.default.log(`Orchestrator platform selected ${Orchestrator.buildParameters.providerStrategy}`);
        // Check runner availability and apply fallback if needed
        if (Orchestrator.buildParameters.runnerCheckEnabled && Orchestrator.buildParameters.fallbackProviderStrategy) {
            const owner = orchestrator_options_1.default.githubOwner;
            const repo = orchestrator_options_1.default.githubRepoName;
            const token = Orchestrator.buildParameters.gitPrivateToken || process.env.GITHUB_TOKEN || '';
            orchestrator_logger_1.default.log(`Checking runner availability (labels: [${Orchestrator.buildParameters.runnerCheckLabels.join(', ')}], min: ${Orchestrator.buildParameters.runnerCheckMinAvailable})`);
            const result = await runner_availability_service_1.RunnerAvailabilityService.checkAvailability(owner, repo, token, Orchestrator.buildParameters.runnerCheckLabels, Orchestrator.buildParameters.runnerCheckMinAvailable);
            orchestrator_logger_1.default.log(`Runner check: ${result.totalRunners} total, ${result.matchingRunners} matching, ${result.idleRunners} idle — ${result.reason}`);
            if (result.shouldFallback) {
                const original = Orchestrator.buildParameters.providerStrategy;
                const fallback = Orchestrator.buildParameters.fallbackProviderStrategy;
                orchestrator_logger_1.default.log(`Falling back from '${original}' to '${fallback}' — ${result.reason}`);
                Orchestrator.buildParameters.providerStrategy = fallback;
                core.setOutput('providerFallbackUsed', 'true');
                core.setOutput('providerFallbackReason', result.reason);
            }
            else {
                core.setOutput('providerFallbackUsed', 'false');
            }
        }
        // Detect LocalStack endpoints and handle AWS provider appropriately
        // AWS_FORCE_PROVIDER options:
        //   - 'aws': Force AWS provider (requires LocalStack Pro with ECS support)
@@ -2700,13 +2688,33 @@ class Orchestrator {
        if (baseImage.includes(`undefined`)) {
            throw new Error(`baseImage is undefined`);
        }
        try {
            return await Orchestrator.runWithProvider(buildParameters, baseImage);
        }
        catch (primaryError) {
            // Retry on fallback provider if enabled and a fallback is configured
            const fallback = buildParameters.fallbackProviderStrategy;
            const alreadyOnFallback = buildParameters.providerStrategy === fallback;
            if (buildParameters.retryOnFallback && fallback && !alreadyOnFallback) {
                orchestrator_logger_1.default.log(`Primary provider '${buildParameters.providerStrategy}' failed: ${primaryError.message}`);
                orchestrator_logger_1.default.log(`Retrying build on fallback provider '${fallback}'...`);
                buildParameters.providerStrategy = fallback;
                core.setOutput('providerFallbackUsed', 'true');
                core.setOutput('providerFallbackReason', `Primary provider failed: ${primaryError.message}`);
                return await Orchestrator.runWithProvider(buildParameters, baseImage);
            }
            throw primaryError;
        }
    }
    static async runWithProvider(buildParameters, baseImage) {
        await Orchestrator.setup(buildParameters);
        // When aws-local mode is enabled, validate AWS CloudFormation templates
        // This ensures AWS templates are correct even when executing via local-docker
        if (Orchestrator.validateAwsTemplates) {
            await Orchestrator.validateAwsCloudFormationTemplates();
        }
-        await Orchestrator.Provider.setupWorkflow(Orchestrator.buildParameters.buildGuid, Orchestrator.buildParameters, Orchestrator.buildParameters.branch, Orchestrator.defaultSecrets);
+        // Setup workflow with optional init timeout
        await Orchestrator.setupWorkflowWithTimeout();
        try {
            if (buildParameters.maxRetainedWorkspaces > 0) {
                Orchestrator.lockedWorkspace = shared_workspace_locking_1.default.NewWorkspaceName();
@@ -2756,6 +2764,24 @@ class Orchestrator {
            throw error;
        }
    }
    /**
     * Runs setupWorkflow with an optional timeout. If providerInitTimeout is set and the
     * provider takes longer than that to initialize, throws an error that triggers
     * retry-on-fallback (if enabled).
     */
    static async setupWorkflowWithTimeout() {
        const timeoutSeconds = Orchestrator.buildParameters.providerInitTimeout;
        const setupPromise = Orchestrator.Provider.setupWorkflow(Orchestrator.buildParameters.buildGuid, Orchestrator.buildParameters, Orchestrator.buildParameters.branch, Orchestrator.defaultSecrets);
        if (timeoutSeconds <= 0) {
            await setupPromise;
            return;
        }
        orchestrator_logger_1.default.log(`Provider init timeout: ${timeoutSeconds}s`);
        const timeoutPromise = new Promise((_, reject) => {
            setTimeout(() => reject(new Error(`Provider initialization timed out after ${timeoutSeconds}s`)), timeoutSeconds * 1000);
        });
        await Promise.race([setupPromise, timeoutPromise]);
    }
    static async updateStatusWithBuildParameters() {
        const content = { ...Orchestrator.buildParameters };
        content.gitPrivateToken = ``;
@@ -8697,6 +8723,176 @@ class ResourceTracking {
 exports["default"] = ResourceTracking;
 /***/ }),
 /***/ 18876:
 /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
 "use strict";
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.RunnerAvailabilityService = void 0;
 const core_1 = __nccwpck_require__(76762);
 const orchestrator_logger_1 = __importDefault(__nccwpck_require__(32549));
 /**
 * Maximum number of pages to fetch when paginating through GitHub API results.
 * 100 pages * 100 per page = 10,000 runners maximum.
 */
 const MAX_PAGINATION_PAGES = 100;
 /**
 * Total timeout in milliseconds for the pagination loop.
 * Prevents indefinite API calls if GitHub is slow or pagination is unexpectedly deep.
 */
 const PAGINATION_TIMEOUT_MS = 30000;
 /**
 * Checks GitHub Actions runner availability to support automatic provider fallback.
 *
 * When a user configures `runnerCheckEnabled: true` with a `fallbackProviderStrategy`,
 * this service queries the GitHub API for runner status before the build starts.
 * If insufficient runners are available, the orchestrator routes to the fallback provider.
 */
 class RunnerAvailabilityService {
    /**
     * Check if enough runners are available to handle the build.
     *
     * @param owner - GitHub repository owner
     * @param repo - GitHub repository name
     * @param token - GitHub token with repo/actions scope
     * @param requiredLabels - Labels runners must have (empty = any runner)
     * @param minAvailable - Minimum idle runners required
     * @returns RunnerCheckResult with decision and diagnostics
     */
    static async checkAvailability(owner, repo, token, requiredLabels, minAvailable) {
        if (!token) {
            return {
                shouldFallback: false,
                reason: 'No GitHub token available — skipping runner check',
                totalRunners: 0,
                matchingRunners: 0,
                idleRunners: 0,
            };
        }
        try {
            const octokit = new core_1.Octokit({ auth: token });
            // Fetch all runners for the repository
            const runners = await RunnerAvailabilityService.fetchRunners(octokit, owner, repo);
            if (runners.length === 0) {
                return {
                    shouldFallback: true,
                    reason: 'No runners registered for this repository',
                    totalRunners: 0,
                    matchingRunners: 0,
                    idleRunners: 0,
                };
            }
            // Filter by required labels
            const matching = RunnerAvailabilityService.filterByLabels(runners, requiredLabels);
            // Count idle (online + not busy)
            const idle = matching.filter((r) => r.status === 'online' && !r.busy);
            const result = {
                shouldFallback: idle.length < minAvailable,
                reason: idle.length >= minAvailable
                    ? `${idle.length} idle runner(s) available (need ${minAvailable})`
                    : `Only ${idle.length} idle runner(s) available, need ${minAvailable}`,
                totalRunners: runners.length,
                matchingRunners: matching.length,
                idleRunners: idle.length,
            };
            return result;
        }
        catch (error) {
            // If the API call fails (permissions, rate limit, etc.), don't block the build
            orchestrator_logger_1.default.log(`Runner availability check failed: ${error.message}`);
            return {
                shouldFallback: false,
                reason: `Runner check failed (${error.message}) — proceeding with primary provider`,
                totalRunners: 0,
                matchingRunners: 0,
                idleRunners: 0,
            };
        }
    }
    /**
     * Fetch all runners for a repository, handling pagination.
     *
     * Includes defensive limits:
     * - Maximum page count (MAX_PAGINATION_PAGES) to prevent infinite loops
     * - Total timeout (PAGINATION_TIMEOUT_MS) to prevent indefinite API calls
     * - Rate-limit detection (HTTP 403/429 with X-RateLimit-Remaining header)
     */
    static async fetchRunners(octokit, owner, repo) {
        const allRunners = [];
        let page = 1;
        const perPage = 100;
        const startTime = Date.now();
        while (page <= MAX_PAGINATION_PAGES) {
            // Check total timeout
            if (Date.now() - startTime > PAGINATION_TIMEOUT_MS) {
                orchestrator_logger_1.default.logWarning(`[RunnerAvailability] Pagination timeout reached after ${page - 1} pages and ${Date.now() - startTime}ms. ` +
                    `Using ${allRunners.length} runners found so far.`);
                break;
            }
            let response;
            try {
                response = await octokit.request('GET /repos/{owner}/{repo}/actions/runners', {
                    owner,
                    repo,
                    per_page: perPage,
                    page,
                });
            }
            catch (requestError) {
                // Octokit throws for non-2xx responses. Check if this is a rate limit error.
                const status = requestError.status ?? requestError.response?.status;
                if (status === 403 || status === 429) {
                    const resetTime = requestError.response?.headers?.['x-ratelimit-reset'] ?? requestError.headers?.['x-ratelimit-reset'];
                    const resetMessage = resetTime
                        ? ` Resets at ${new Date(Number.parseInt(String(resetTime), 10) * 1000).toISOString()}`
                        : '';
                    orchestrator_logger_1.default.logWarning(`[RunnerAvailability] GitHub API rate limit reached (HTTP ${status}).${resetMessage} ` +
                        `Using ${allRunners.length} runners found so far.`);
                    break;
                }
                // Re-throw non-rate-limit errors to be handled by the outer catch
                throw requestError;
            }
            const runners = (response.data.runners || []);
            allRunners.push(...runners);
            if (runners.length < perPage)
                break;
            page++;
        }
        if (page > MAX_PAGINATION_PAGES) {
            orchestrator_logger_1.default.logWarning(`[RunnerAvailability] Maximum pagination limit reached (${MAX_PAGINATION_PAGES} pages). ` +
                `Using ${allRunners.length} runners found so far.`);
        }
        if (allRunners.length === 0) {
            orchestrator_logger_1.default.log('[RunnerAvailability] No runners found. Possible causes: ' +
                'wrong token permissions (needs repo or actions scope), ' +
                'no self-hosted runners registered, ' +
                'or runners are registered at the organization level instead of the repository.');
        }
        return allRunners;
    }
    /**
     * Filter runners by required labels. A runner matches if it has ALL required labels.
     * If requiredLabels is empty, all runners match.
     */
    static filterByLabels(runners, requiredLabels) {
        if (requiredLabels.length === 0)
            return runners;
        return runners.filter((runner) => {
            const runnerLabelNames = runner.labels.map((l) => l.name.toLowerCase());
            return requiredLabels.every((required) => runnerLabelNames.includes(required.toLowerCase()));
        });
    }
 }
 exports.RunnerAvailabilityService = RunnerAvailabilityService;
 /***/ }),
 /***/ 54222:
@@ -9690,535 +9886,6 @@ class ContainerHookService {
 exports.ContainerHookService = ContainerHookService;
 /***/ }),
 /***/ 37347:
 /***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
      desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
 var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
 }) : function(o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
 };
 var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.BuildReliabilityService = void 0;
 const node_child_process_1 = __nccwpck_require__(17718);
 const node_fs_1 = __importDefault(__nccwpck_require__(87561));
 const node_path_1 = __importDefault(__nccwpck_require__(49411));
 const core = __importStar(__nccwpck_require__(42186));
 /**
 * Build reliability features for hardening CI pipelines.
 * Provides git integrity checks, stale lock cleanup, submodule validation,
 * reserved filename removal, build archival, and git environment configuration.
 * All features are opt-in and fail gracefully (warnings only).
 */
 class BuildReliabilityService {
    /**
     * Run git fsck to check repository integrity.
     * Returns true if the repo is healthy, false if corruption detected.
     */
    static checkGitIntegrity(repoPath = '.') {
        core.info(`[Reliability] Checking git integrity in ${repoPath}`);
        try {
            const output = (0, node_child_process_1.execSync)(`git -C "${repoPath}" fsck --no-dangling`, {
                encoding: 'utf8',
                timeout: 120000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            // Parse output for corruption indicators
            const corruptionPatterns = [
                /broken link/i,
                /missing (blob|tree|commit|tag)/i,
                /dangling/i,
                /corrupt/i,
                /error in /i,
            ];
            for (const pattern of corruptionPatterns) {
                if (pattern.test(output)) {
                    core.warning(`[Reliability] Git integrity check found issues: ${output.trim()}`);
                    return false;
                }
            }
            core.info('[Reliability] Git integrity check passed');
            return true;
        }
        catch (error) {
            // execSync throws on non-zero exit code
            const stderr = error.stderr?.toString() ?? error.message;
            core.warning(`[Reliability] Git integrity check failed: ${stderr}`);
            return false;
        }
    }
    /**
     * Remove stale .lock files from the .git directory.
     * Only removes lock files older than 10 minutes to avoid interfering with active operations.
     * Returns the number of lock files removed.
     */
    static cleanStaleLockFiles(repoPath = '.') {
        const gitDir = node_path_1.default.join(repoPath, '.git');
        if (!node_fs_1.default.existsSync(gitDir) || !node_fs_1.default.statSync(gitDir).isDirectory()) {
            return 0;
        }
        core.info(`[Reliability] Scanning for stale lock files in ${gitDir}`);
        const now = Date.now();
        let removed = 0;
        const cleanDirectory = (directory) => {
            if (!node_fs_1.default.existsSync(directory))
                return;
            try {
                const entries = node_fs_1.default.readdirSync(directory, { withFileTypes: true });
                for (const entry of entries) {
                    const fullPath = node_path_1.default.join(directory, entry.name);
                    if (entry.isDirectory()) {
                        cleanDirectory(fullPath);
                    }
                    else if (entry.name.endsWith('.lock')) {
                        // Check if it is a known lock file location OR under refs/
                        const relativePath = node_path_1.default.relative(gitDir, fullPath);
                        const isKnownLock = BuildReliabilityService.LOCK_FILE_NAMES.has(entry.name);
                        const isRefsLock = relativePath.startsWith('refs' + node_path_1.default.sep);
                        if (isKnownLock || isRefsLock) {
                            try {
                                const stat = node_fs_1.default.statSync(fullPath);
                                const ageMs = now - stat.mtimeMs;
                                if (ageMs > BuildReliabilityService.LOCK_FILE_MAX_AGE_MS) {
                                    node_fs_1.default.unlinkSync(fullPath);
                                    removed++;
                                    core.info(`[Reliability] Removed stale lock file (age: ${Math.round(ageMs / 1000)}s): ${relativePath}`);
                                }
                                else {
                                    core.info(`[Reliability] Lock file is recent (age: ${Math.round(ageMs / 1000)}s), skipping: ${relativePath}`);
                                }
                            }
                            catch {
                                core.warning(`[Reliability] Could not remove lock file: ${fullPath}`);
                            }
                        }
                    }
                }
            }
            catch {
                // Directory not accessible
            }
        };
        cleanDirectory(gitDir);
        if (removed > 0) {
            core.info(`[Reliability] Cleaned ${removed} stale lock file(s)`);
        }
        else {
            core.info('[Reliability] No stale lock files found');
        }
        return removed;
    }
    /**
     * Validate that submodule .git files point to existing backing stores
     * under .git/modules/. Returns list of submodule paths with broken backing stores.
     */
    static validateSubmoduleBackingStores(repoPath = '.') {
        const broken = [];
        const gitmodulesPath = node_path_1.default.join(repoPath, '.gitmodules');
        if (!node_fs_1.default.existsSync(gitmodulesPath)) {
            core.info('[Reliability] No .gitmodules found, skipping submodule validation');
            return broken;
        }
        core.info(`[Reliability] Validating submodule backing stores in ${repoPath}`);
        try {
            const content = node_fs_1.default.readFileSync(gitmodulesPath, 'utf8');
            const pathMatches = content.matchAll(/path\s*=\s*(.+)/g);
            for (const match of pathMatches) {
                const submodulePath = match[1].trim();
                const gitFile = node_path_1.default.join(repoPath, submodulePath, '.git');
                if (!node_fs_1.default.existsSync(gitFile)) {
                    // Submodule not initialized -- not necessarily broken
                    continue;
                }
                try {
                    const stat = node_fs_1.default.statSync(gitFile);
                    if (stat.isFile()) {
                        // .git is a file -- should contain "gitdir: <path>"
                        const gitFileContent = node_fs_1.default.readFileSync(gitFile, 'utf8').trim();
                        const gitdirMatch = gitFileContent.match(/^gitdir:\s*(.+)$/);
                        if (gitdirMatch) {
                            const backingStore = node_path_1.default.resolve(node_path_1.default.join(repoPath, submodulePath), gitdirMatch[1]);
                            if (!node_fs_1.default.existsSync(backingStore)) {
                                broken.push(submodulePath);
                                core.warning(`[Reliability] Submodule ${submodulePath} has broken backing store: ${backingStore}`);
                            }
                            else {
                                core.info(`[Reliability] Submodule ${submodulePath} backing store OK`);
                            }
                        }
                        else {
                            broken.push(submodulePath);
                            core.warning(`[Reliability] Submodule ${submodulePath} .git file has invalid format`);
                        }
                    }
                }
                catch {
                    // Can't read .git file
                    core.warning(`[Reliability] Could not read .git file for submodule: ${submodulePath}`);
                }
            }
        }
        catch (error) {
            core.warning(`[Reliability] Could not read .gitmodules: ${error.message}`);
        }
        if (broken.length > 0) {
            core.warning(`[Reliability] ${broken.length} submodule(s) have broken backing stores`);
        }
        else {
            core.info('[Reliability] All submodule backing stores are valid');
        }
        return broken;
    }
    /**
     * Orchestrate recovery of a corrupted repository.
     * Sequence: fsck -> clean locks -> re-fetch -> retry fsck.
     * Returns true if recovery succeeded.
     */
    static recoverCorruptedRepo(repoPath = '.') {
        core.warning(`[Reliability] Attempting automatic recovery for ${repoPath}`);
        // Step 1: Clean stale lock files that may be preventing operations
        const locksRemoved = BuildReliabilityService.cleanStaleLockFiles(repoPath);
        if (locksRemoved > 0) {
            core.info(`[Reliability] Recovery: cleaned ${locksRemoved} lock file(s)`);
        }
        // Step 2: Re-fetch to restore missing objects
        try {
            core.info('[Reliability] Recovery: re-fetching from remote');
            (0, node_child_process_1.execSync)(`git -C "${repoPath}" fetch --all`, {
                encoding: 'utf8',
                timeout: 300000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Recovery: fetch completed');
        }
        catch (error) {
            core.warning(`[Reliability] Recovery: fetch failed: ${error.stderr?.toString() ?? error.message}`);
        }
        // Step 3: Retry fsck
        const healthy = BuildReliabilityService.checkGitIntegrity(repoPath);
        if (healthy) {
            core.info('[Reliability] Recovery succeeded -- repository is healthy');
        }
        else {
            core.warning('[Reliability] Recovery failed -- repository still has integrity issues');
        }
        return healthy;
    }
    /**
     * Scan a directory tree for files/directories with Windows reserved names.
     * These names (con, prn, aux, nul, com1-9, lpt1-9) with any extension
     * cause Unity asset importer infinite loops on Windows.
     * Returns list of paths that were removed.
     */
    static cleanReservedFilenames(projectPath) {
        const assetsPath = node_path_1.default.join(projectPath, 'Assets');
        if (!node_fs_1.default.existsSync(assetsPath)) {
            core.info(`[Reliability] No Assets directory found at ${assetsPath}, skipping reserved filename scan`);
            return [];
        }
        core.info(`[Reliability] Scanning for reserved filenames in ${assetsPath}`);
        const cleaned = [];
        const scanDirectory = (directory) => {
            try {
                const entries = node_fs_1.default.readdirSync(directory, { withFileTypes: true });
                for (const entry of entries) {
                    const nameWithoutExtension = entry.name.split('.')[0].toLowerCase();
                    const fullPath = node_path_1.default.join(directory, entry.name);
                    if (BuildReliabilityService.RESERVED_NAMES.has(nameWithoutExtension)) {
                        try {
                            if (entry.isDirectory()) {
                                node_fs_1.default.rmSync(fullPath, { recursive: true, force: true });
                            }
                            else {
                                node_fs_1.default.unlinkSync(fullPath);
                            }
                            cleaned.push(fullPath);
                            core.warning(`[Reliability] Removed reserved filename: ${fullPath}`);
                        }
                        catch {
                            core.warning(`[Reliability] Could not remove reserved filename: ${fullPath}`);
                        }
                    }
                    else if (entry.isDirectory()) {
                        scanDirectory(fullPath);
                    }
                }
            }
            catch {
                // Directory not accessible
            }
        };
        scanDirectory(assetsPath);
        if (cleaned.length > 0) {
            core.warning(`[Reliability] Cleaned ${cleaned.length} reserved filename(s)`);
        }
        else {
            core.info('[Reliability] No reserved filenames found');
        }
        return cleaned;
    }
    /**
     * Get available disk space in megabytes for a given directory.
     * Returns -1 if the check fails (unknown space).
     *
     * Cross-platform: uses wmic on Windows, df on Unix.
     */
    static getAvailableSpaceMB(directoryPath) {
        try {
            if (process.platform === 'win32') {
                const drive = node_path_1.default.parse(directoryPath).root;
                const driveLetter = drive.replace(/[:\\\/]/g, '');
                const output = (0, node_child_process_1.execFileSync)('wmic', ['logicaldisk', 'where', `DeviceID='${driveLetter}:'`, 'get', 'FreeSpace', '/value'], { encoding: 'utf8', timeout: 10000 });
                const match = output.match(/FreeSpace=(\d+)/);
                return match ? Number.parseInt(match[1], 10) / (1024 * 1024) : -1;
            }
            else {
                const output = (0, node_child_process_1.execFileSync)('df', ['-BM', '--output=avail', directoryPath], {
                    encoding: 'utf8',
                    timeout: 10000,
                });
                const lines = output.trim().split('\n');
                return Number.parseInt(lines[lines.length - 1], 10);
            }
        }
        catch {
            return -1; // Unknown, caller should proceed with warning
        }
    }
    /**
     * Calculate the total size of a directory in megabytes.
     * Returns -1 if the calculation fails.
     */
    static getDirectorySizeMB(directoryPath) {
        try {
            const stat = node_fs_1.default.statSync(directoryPath);
            if (!stat.isDirectory()) {
                return stat.size / (1024 * 1024);
            }
            let totalBytes = 0;
            const walkDirectory = (dir) => {
                const entries = node_fs_1.default.readdirSync(dir, { withFileTypes: true });
                for (const entry of entries) {
                    const fullPath = node_path_1.default.join(dir, entry.name);
                    if (entry.isDirectory()) {
                        walkDirectory(fullPath);
                    }
                    else {
                        try {
                            totalBytes += node_fs_1.default.statSync(fullPath).size;
                        }
                        catch {
                            // Skip inaccessible files
                        }
                    }
                }
            };
            walkDirectory(directoryPath);
            return totalBytes / (1024 * 1024);
        }
        catch {
            return -1;
        }
    }
    /**
     * Create a tar.gz archive of build output.
     *
     * Validates disk space before archiving. Skips archival with a warning
     * if insufficient space is detected, preventing partial writes on full disks.
     */
    static archiveBuildOutput(sourcePath, archivePath) {
        if (!node_fs_1.default.existsSync(sourcePath)) {
            core.info(`[Reliability] No build output to archive at ${sourcePath}`);
            return;
        }
        node_fs_1.default.mkdirSync(archivePath, { recursive: true });
        // Check available disk space before archiving
        const sourceSizeMB = BuildReliabilityService.getDirectorySizeMB(sourcePath);
        const availableSpaceMB = BuildReliabilityService.getAvailableSpaceMB(archivePath);
        if (sourceSizeMB >= 0 && availableSpaceMB >= 0) {
            const neededMB = Math.ceil(sourceSizeMB * 1.1); // 10% safety margin
            if (availableSpaceMB < neededMB) {
                core.warning(`[Reliability] Insufficient disk space for archive. ` +
                    `Need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB. Skipping archive.`);
                return;
            }
            core.info(`[Reliability] Disk space check passed: need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB`);
        }
        else if (availableSpaceMB < 0) {
            core.warning('[Reliability] Could not determine available disk space. Proceeding with archive cautiously.');
        }
        const timestamp = new Date().toISOString().replace(/[.:]/g, '-');
        const archiveFile = node_path_1.default.join(archivePath, `build-${timestamp}.tar.gz`);
        try {
            (0, node_child_process_1.execSync)(`tar -czf "${archiveFile}" -C "${node_path_1.default.dirname(sourcePath)}" "${node_path_1.default.basename(sourcePath)}"`, {
                encoding: 'utf8',
                timeout: 600000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info(`[Reliability] Build output archived to ${archiveFile}`);
        }
        catch (error) {
            core.warning(`[Reliability] Failed to archive build output: ${error.stderr?.toString() ?? error.message}`);
            // Clean up partial archive if it exists to avoid leaving corrupted files
            try {
                if (node_fs_1.default.existsSync(archiveFile)) {
                    node_fs_1.default.unlinkSync(archiveFile);
                    core.info(`[Reliability] Cleaned up partial archive: ${archiveFile}`);
                }
            }
            catch {
                // Best-effort cleanup
            }
        }
    }
    /**
     * Enforce retention policy -- delete archives older than the retention period.
     * Returns the number of old archives removed.
     */
    static enforceRetention(archivePath, retentionDays) {
        if (!node_fs_1.default.existsSync(archivePath)) {
            return 0;
        }
        const now = Date.now();
        const retentionMs = retentionDays * 24 * 60 * 60 * 1000;
        let removed = 0;
        try {
            const entries = node_fs_1.default.readdirSync(archivePath, { withFileTypes: true });
            for (const entry of entries) {
                const fullPath = node_path_1.default.join(archivePath, entry.name);
                try {
                    const stat = node_fs_1.default.statSync(fullPath);
                    const ageMs = now - stat.mtimeMs;
                    if (ageMs > retentionMs) {
                        if (entry.isDirectory()) {
                            node_fs_1.default.rmSync(fullPath, { recursive: true, force: true });
                        }
                        else {
                            node_fs_1.default.unlinkSync(fullPath);
                        }
                        removed++;
                        core.info(`[Reliability] Removed old archive: ${entry.name} (age: ${Math.round(ageMs / (24 * 60 * 60 * 1000))} days)`);
                    }
                }
                catch {
                    core.warning(`[Reliability] Could not process archive entry: ${fullPath}`);
                }
            }
        }
        catch {
            core.warning(`[Reliability] Could not read archive directory: ${archivePath}`);
            return 0;
        }
        if (removed > 0) {
            core.info(`[Reliability] Retention enforced: removed ${removed} old archive(s), retention: ${retentionDays} days`);
        }
        return removed;
    }
    /**
     * Configure git environment variables for CI reliability.
     * Sets GIT_TERMINAL_PROMPT=0, increases http.postBuffer, enables core.longpaths.
     */
    static configureGitEnvironment() {
        core.info('[Reliability] Configuring git environment for CI');
        // Prevent git from prompting for credentials (hangs in CI)
        process.env.GIT_TERMINAL_PROMPT = '0';
        core.info('[Reliability] Set GIT_TERMINAL_PROMPT=0');
        try {
            // Increase http.postBuffer to 500MB for large pushes
            (0, node_child_process_1.execSync)('git config --global http.postBuffer 524288000', {
                encoding: 'utf8',
                timeout: 10000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Set http.postBuffer=524288000 (500MB)');
        }
        catch (error) {
            core.warning(`[Reliability] Could not set http.postBuffer: ${error.message}`);
        }
        try {
            // Enable long paths on Windows
            (0, node_child_process_1.execSync)('git config --global core.longpaths true', {
                encoding: 'utf8',
                timeout: 10000,
                stdio: ['pipe', 'pipe', 'pipe'],
            });
            core.info('[Reliability] Set core.longpaths=true');
        }
        catch (error) {
            core.warning(`[Reliability] Could not set core.longpaths: ${error.message}`);
        }
    }
 }
 exports.BuildReliabilityService = BuildReliabilityService;
 // Windows reserved device names that cause Unity asset importer infinite loops
 BuildReliabilityService.RESERVED_NAMES = new Set([
    'con',
    'prn',
    'aux',
    'nul',
    'com1',
    'com2',
    'com3',
    'com4',
    'com5',
    'com6',
    'com7',
    'com8',
    'com9',
    'lpt1',
    'lpt2',
    'lpt3',
    'lpt4',
    'lpt5',
    'lpt6',
    'lpt7',
    'lpt8',
    'lpt9',
 ]);
 // Lock files to look for in the .git directory
 BuildReliabilityService.LOCK_FILE_NAMES = new Set(['index.lock', 'shallow.lock', 'config.lock', 'HEAD.lock']);
 // Maximum age in milliseconds before a lock file is considered stale (10 minutes)
 BuildReliabilityService.LOCK_FILE_MAX_AGE_MS = 10 * 60 * 1000;
 /***/ }),
 /***/ 9842:
 /***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
 "use strict";
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.BuildReliabilityService = void 0;
 var build_reliability_service_1 = __nccwpck_require__(37347);
 Object.defineProperty(exports, "BuildReliabilityService", ({ enumerable: true, get: function () { return build_reliability_service_1.BuildReliabilityService; } }));
 /***/ }),
 /***/ 23451:
@@ -3,7 +3,6 @@ import { Action, BuildParameters, Cache, Orchestrator, Docker, ImageTag, Output
 import { Cli } from './model/cli/cli';
 import MacBuilder from './model/mac-builder';
 import PlatformSetup from './model/platform-setup';
 import { BuildReliabilityService } from './model/orchestrator/services/reliability';
 async function runMain() {
  try {
@@ -15,38 +14,11 @@ async function runMain() {
    Action.checkCompatibility();
    Cache.verify();
    // Always configure git environment for CI reliability
    BuildReliabilityService.configureGitEnvironment();
    const { workspace, actionFolder } = Action;
    const buildParameters = await BuildParameters.create();
    const baseImage = new ImageTag(buildParameters);
    // Pre-build reliability checks
    if (buildParameters.gitIntegrityCheck) {
      core.info('Running git integrity checks...');
      const isHealthy = BuildReliabilityService.checkGitIntegrity(workspace);
      BuildReliabilityService.cleanStaleLockFiles(workspace);
      BuildReliabilityService.validateSubmoduleBackingStores(workspace);
      if (buildParameters.cleanReservedFilenames) {
        BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
      }
      if (!isHealthy && buildParameters.gitAutoRecover) {
        core.info('Git corruption detected, attempting automatic recovery...');
        const recovered = BuildReliabilityService.recoverCorruptedRepo(workspace);
        if (!recovered) {
          core.warning('Automatic recovery failed. Build may encounter issues.');
        }
      }
    } else if (buildParameters.cleanReservedFilenames) {
      // cleanReservedFilenames can run independently of gitIntegrityCheck
      BuildReliabilityService.cleanReservedFilenames(buildParameters.projectPath);
    }
    let exitCode = -1;
    if (buildParameters.providerStrategy === 'local') {
@@ -65,13 +37,6 @@ async function runMain() {
      exitCode = 0;
    }
    // Post-build: archive and enforce retention
    if (buildParameters.buildArchiveEnabled && exitCode === 0) {
      core.info('Archiving build output...');
      BuildReliabilityService.archiveBuildOutput(buildParameters.buildPath, buildParameters.buildArchivePath);
      BuildReliabilityService.enforceRetention(buildParameters.buildArchivePath, buildParameters.buildArchiveRetention);
    }
    // Set output
    await Output.setBuildVersion(buildParameters.buildVersion);
    await Output.setAndroidVersionCode(buildParameters.androidVersionCode);
@@ -54,6 +54,12 @@ class BuildParameters {
  public sshAgent!: string;
  public sshPublicKeysDirectoryPath!: string;
  public providerStrategy!: string;
  public fallbackProviderStrategy!: string;
  public runnerCheckEnabled!: boolean;
  public runnerCheckLabels!: string[];
  public runnerCheckMinAvailable!: number;
  public retryOnFallback!: boolean;
  public providerInitTimeout!: number;
  public gitPrivateToken!: string;
  public awsStackName!: string;
  public awsEndpoint?: string;
@@ -106,12 +112,6 @@ class BuildParameters {
  public cacheUnityInstallationOnMac!: boolean;
  public unityHubVersionOnMac!: string;
  public dockerWorkspacePath!: string;
  public gitIntegrityCheck!: boolean;
  public gitAutoRecover!: boolean;
  public cleanReservedFilenames!: boolean;
  public buildArchiveEnabled!: boolean;
  public buildArchivePath!: string;
  public buildArchiveRetention!: number;
  public static shouldUseRetainedWorkspaceMode(buildParameters: BuildParameters) {
    return buildParameters.maxRetainedWorkspaces > 0 && Orchestrator.lockedWorkspace !== ``;
@@ -200,6 +200,12 @@ class BuildParameters {
      containerRegistryRepository: Input.containerRegistryRepository,
      containerRegistryImageVersion: Input.containerRegistryImageVersion,
      providerStrategy: OrchestratorOptions.providerStrategy,
      fallbackProviderStrategy: OrchestratorOptions.fallbackProviderStrategy,
      runnerCheckEnabled: OrchestratorOptions.runnerCheckEnabled,
      runnerCheckLabels: OrchestratorOptions.runnerCheckLabels,
      runnerCheckMinAvailable: OrchestratorOptions.runnerCheckMinAvailable,
      retryOnFallback: OrchestratorOptions.retryOnFallback,
      providerInitTimeout: OrchestratorOptions.providerInitTimeout,
      buildPlatform: OrchestratorOptions.buildPlatform,
      kubeConfig: OrchestratorOptions.kubeConfig,
      containerMemory: OrchestratorOptions.containerMemory,
@@ -248,12 +254,6 @@ class BuildParameters {
      cacheUnityInstallationOnMac: Input.cacheUnityInstallationOnMac,
      unityHubVersionOnMac: Input.unityHubVersionOnMac,
      dockerWorkspacePath: Input.dockerWorkspacePath,
      gitIntegrityCheck: Input.gitIntegrityCheck,
      gitAutoRecover: Input.gitAutoRecover,
      cleanReservedFilenames: Input.cleanReservedFilenames,
      buildArchiveEnabled: Input.buildArchiveEnabled,
      buildArchivePath: Input.buildArchivePath,
      buildArchiveRetention: Input.buildArchiveRetention,
    };
  }
@@ -282,38 +282,6 @@ class Input {
    return Input.getInput('skipActivation')?.toLowerCase() ?? 'false';
  }
  static get gitIntegrityCheck(): boolean {
    const input = Input.getInput('gitIntegrityCheck') ?? 'false';
    return input === 'true';
  }
  static get gitAutoRecover(): boolean {
    const input = Input.getInput('gitAutoRecover') ?? 'false';
    return input === 'true';
  }
  static get cleanReservedFilenames(): boolean {
    const input = Input.getInput('cleanReservedFilenames') ?? 'false';
    return input === 'true';
  }
  static get buildArchiveEnabled(): boolean {
    const input = Input.getInput('buildArchiveEnabled') ?? 'false';
    return input === 'true';
  }
  static get buildArchivePath(): string {
    return Input.getInput('buildArchivePath') ?? './build-archives';
  }
  static get buildArchiveRetention(): number {
    return Number.parseInt(Input.getInput('buildArchiveRetention') ?? '30', 10);
  }
  public static ToEnvVarFormat(input: string) {
    if (input.toUpperCase() === input) {
      return input;
@@ -138,6 +138,32 @@ class OrchestratorOptions {
    return provider || 'local';
  }
  static get fallbackProviderStrategy(): string {
    return OrchestratorOptions.getInput('fallbackProviderStrategy') || '';
  }
  static get runnerCheckEnabled(): boolean {
    return OrchestratorOptions.getInput('runnerCheckEnabled') === 'true';
  }
  static get runnerCheckLabels(): string[] {
    const labels = OrchestratorOptions.getInput('runnerCheckLabels');
    return labels ? labels.split(',').map((l) => l.trim()) : [];
  }
  static get runnerCheckMinAvailable(): number {
    return Number(OrchestratorOptions.getInput('runnerCheckMinAvailable')) || 1;
  }
  static get retryOnFallback(): boolean {
    return OrchestratorOptions.getInput('retryOnFallback') === 'true';
  }
  static get providerInitTimeout(): number {
    return Number(OrchestratorOptions.getInput('providerInitTimeout')) || 0;
  }
  static get containerCpu(): string {
    return OrchestratorOptions.getInput('containerCpu') || `1024`;
  }
@@ -20,6 +20,7 @@ import { FollowLogStreamService } from './services/core/follow-log-stream-servic
 import OrchestratorResult from './services/core/orchestrator-result';
 import OrchestratorOptions from './options/orchestrator-options';
 import ResourceTracking from './services/core/resource-tracking';
 import { RunnerAvailabilityService } from './services/core/runner-availability-service';
 class Orchestrator {
  public static Provider: ProviderInterface;
@@ -76,6 +77,42 @@ class Orchestrator {
  private static async setupSelectedBuildPlatform() {
    OrchestratorLogger.log(`Orchestrator platform selected ${Orchestrator.buildParameters.providerStrategy}`);
    // Check runner availability and apply fallback if needed
    if (Orchestrator.buildParameters.runnerCheckEnabled && Orchestrator.buildParameters.fallbackProviderStrategy) {
      const owner = OrchestratorOptions.githubOwner;
      const repo = OrchestratorOptions.githubRepoName;
      const token = Orchestrator.buildParameters.gitPrivateToken || process.env.GITHUB_TOKEN || '';
      OrchestratorLogger.log(
        `Checking runner availability (labels: [${Orchestrator.buildParameters.runnerCheckLabels.join(', ')}], min: ${
          Orchestrator.buildParameters.runnerCheckMinAvailable
        })`,
      );
      const result = await RunnerAvailabilityService.checkAvailability(
        owner,
        repo,
        token,
        Orchestrator.buildParameters.runnerCheckLabels,
        Orchestrator.buildParameters.runnerCheckMinAvailable,
      );
      OrchestratorLogger.log(
        `Runner check: ${result.totalRunners} total, ${result.matchingRunners} matching, ${result.idleRunners} idle — ${result.reason}`,
      );
      if (result.shouldFallback) {
        const original = Orchestrator.buildParameters.providerStrategy;
        const fallback = Orchestrator.buildParameters.fallbackProviderStrategy;
        OrchestratorLogger.log(`Falling back from '${original}' to '${fallback}' — ${result.reason}`);
        Orchestrator.buildParameters.providerStrategy = fallback;
        core.setOutput('providerFallbackUsed', 'true');
        core.setOutput('providerFallbackReason', result.reason);
      } else {
        core.setOutput('providerFallbackUsed', 'false');
      }
    }
    // Detect LocalStack endpoints and handle AWS provider appropriately
    // AWS_FORCE_PROVIDER options:
    //   - 'aws': Force AWS provider (requires LocalStack Pro with ECS support)
@@ -182,6 +219,30 @@ class Orchestrator {
    if (baseImage.includes(`undefined`)) {
      throw new Error(`baseImage is undefined`);
    }
    try {
      return await Orchestrator.runWithProvider(buildParameters, baseImage);
    } catch (primaryError: any) {
      // Retry on fallback provider if enabled and a fallback is configured
      const fallback = buildParameters.fallbackProviderStrategy;
      const alreadyOnFallback = buildParameters.providerStrategy === fallback;
      if (buildParameters.retryOnFallback && fallback && !alreadyOnFallback) {
        OrchestratorLogger.log(
          `Primary provider '${buildParameters.providerStrategy}' failed: ${primaryError.message}`,
        );
        OrchestratorLogger.log(`Retrying build on fallback provider '${fallback}'...`);
        buildParameters.providerStrategy = fallback;
        core.setOutput('providerFallbackUsed', 'true');
        core.setOutput('providerFallbackReason', `Primary provider failed: ${primaryError.message}`);
        return await Orchestrator.runWithProvider(buildParameters, baseImage);
      }
      throw primaryError;
    }
  }
  private static async runWithProvider(buildParameters: BuildParameters, baseImage: string) {
    await Orchestrator.setup(buildParameters);
    // When aws-local mode is enabled, validate AWS CloudFormation templates
@@ -189,12 +250,10 @@ class Orchestrator {
    if (Orchestrator.validateAwsTemplates) {
      await Orchestrator.validateAwsCloudFormationTemplates();
    }
-    await Orchestrator.Provider.setupWorkflow(
+
-      Orchestrator.buildParameters.buildGuid,
+    // Setup workflow with optional init timeout
-      Orchestrator.buildParameters,
+    await Orchestrator.setupWorkflowWithTimeout();
-      Orchestrator.buildParameters.branch,
+
      Orchestrator.defaultSecrets,
    );
    try {
      if (buildParameters.maxRetainedWorkspaces > 0) {
        Orchestrator.lockedWorkspace = SharedWorkspaceLocking.NewWorkspaceName();
@@ -275,6 +334,39 @@ class Orchestrator {
    }
  }
  /**
   * Runs setupWorkflow with an optional timeout. If providerInitTimeout is set and the
   * provider takes longer than that to initialize, throws an error that triggers
   * retry-on-fallback (if enabled).
   */
  private static async setupWorkflowWithTimeout() {
    const timeoutSeconds = Orchestrator.buildParameters.providerInitTimeout;
    const setupPromise = Orchestrator.Provider.setupWorkflow(
      Orchestrator.buildParameters.buildGuid,
      Orchestrator.buildParameters,
      Orchestrator.buildParameters.branch,
      Orchestrator.defaultSecrets,
    );
    if (timeoutSeconds <= 0) {
      await setupPromise;
      return;
    }
    OrchestratorLogger.log(`Provider init timeout: ${timeoutSeconds}s`);
    const timeoutPromise = new Promise<never>((_, reject) => {
      setTimeout(
        () => reject(new Error(`Provider initialization timed out after ${timeoutSeconds}s`)),
        timeoutSeconds * 1000,
      );
    });
    await Promise.race([setupPromise, timeoutPromise]);
  }
  private static async updateStatusWithBuildParameters() {
    const content = { ...Orchestrator.buildParameters };
    content.gitPrivateToken = ``;
@@ -0,0 +1,318 @@
 import { RunnerAvailabilityService } from './runner-availability-service';
 // Mock @octokit/core
 jest.mock('@octokit/core', () => ({
  Octokit: jest.fn().mockImplementation(() => ({
    request: jest.fn(),
  })),
 }));
 jest.mock('./orchestrator-logger', () => ({
  __esModule: true,
  default: {
    log: jest.fn(),
    logWarning: jest.fn(),
    error: jest.fn(),
  },
 }));
 import { Octokit } from '@octokit/core';
 const MockedOctokit = Octokit as jest.MockedClass<typeof Octokit>;
 function createMockRunners(runners: Array<{ name: string; status: string; busy: boolean; labels: string[] }>) {
  return runners.map((r, i) => ({
    id: i + 1,
    name: r.name,
    status: r.status,
    busy: r.busy,
    labels: r.labels.map((l) => ({ name: l })),
  }));
 }
 describe('RunnerAvailabilityService', () => {
  beforeEach(() => {
    jest.clearAllMocks();
  });
  describe('checkAvailability', () => {
    it('should skip check and not fallback when no token is provided', async () => {
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', '', [], 1);
      expect(result.shouldFallback).toBe(false);
      expect(result.reason).toContain('No GitHub token');
    });
    it('should fallback when no runners are registered', async () => {
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners: [] } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(true);
      expect(result.reason).toContain('No runners registered');
      expect(result.totalRunners).toBe(0);
    });
    it('should not fallback when enough idle runners are available', async () => {
      const runners = createMockRunners([
        { name: 'runner-1', status: 'online', busy: false, labels: ['self-hosted', 'linux'] },
        { name: 'runner-2', status: 'online', busy: false, labels: ['self-hosted', 'linux'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(false);
      expect(result.idleRunners).toBe(2);
      expect(result.totalRunners).toBe(2);
    });
    it('should fallback when all runners are busy', async () => {
      const runners = createMockRunners([
        { name: 'runner-1', status: 'online', busy: true, labels: ['self-hosted'] },
        { name: 'runner-2', status: 'online', busy: true, labels: ['self-hosted'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(true);
      expect(result.idleRunners).toBe(0);
      expect(result.matchingRunners).toBe(2);
    });
    it('should fallback when all runners are offline', async () => {
      const runners = createMockRunners([
        { name: 'runner-1', status: 'offline', busy: false, labels: ['self-hosted'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(true);
      expect(result.idleRunners).toBe(0);
    });
    it('should filter runners by required labels', async () => {
      const runners = createMockRunners([
        { name: 'linux-runner', status: 'online', busy: false, labels: ['self-hosted', 'linux'] },
        { name: 'windows-runner', status: 'online', busy: false, labels: ['self-hosted', 'windows'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability(
        'owner',
        'repo',
        'token',
        ['self-hosted', 'linux'],
        1,
      );
      expect(result.shouldFallback).toBe(false);
      expect(result.matchingRunners).toBe(1);
      expect(result.idleRunners).toBe(1);
      expect(result.totalRunners).toBe(2);
    });
    it('should fallback when no runners match required labels', async () => {
      const runners = createMockRunners([
        { name: 'windows-runner', status: 'online', busy: false, labels: ['self-hosted', 'windows'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability(
        'owner',
        'repo',
        'token',
        ['self-hosted', 'linux'],
        1,
      );
      expect(result.shouldFallback).toBe(true);
      expect(result.matchingRunners).toBe(0);
      expect(result.idleRunners).toBe(0);
    });
    it('should respect minAvailable threshold', async () => {
      const runners = createMockRunners([{ name: 'runner-1', status: 'online', busy: false, labels: ['self-hosted'] }]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      // Need 2, have 1 — should fallback
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 2);
      expect(result.shouldFallback).toBe(true);
      expect(result.idleRunners).toBe(1);
    });
    it('should be case-insensitive for label matching', async () => {
      const runners = createMockRunners([
        { name: 'runner-1', status: 'online', busy: false, labels: ['Self-Hosted', 'Linux'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability(
        'owner',
        'repo',
        'token',
        ['self-hosted', 'linux'],
        1,
      );
      expect(result.shouldFallback).toBe(false);
      expect(result.matchingRunners).toBe(1);
    });
    it('should not fallback on API error (fail-open)', async () => {
      const mockRequest = jest.fn().mockRejectedValue(new Error('403 Forbidden'));
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(false);
      expect(result.reason).toContain('Runner check failed');
    });
    it('should count only online+idle runners', async () => {
      const runners = createMockRunners([
        { name: 'idle', status: 'online', busy: false, labels: ['self-hosted'] },
        { name: 'busy', status: 'online', busy: true, labels: ['self-hosted'] },
        { name: 'offline', status: 'offline', busy: false, labels: ['self-hosted'] },
      ]);
      const mockRequest = jest.fn().mockResolvedValue({ status: 200, data: { runners } });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      expect(result.shouldFallback).toBe(false);
      expect(result.totalRunners).toBe(3);
      expect(result.matchingRunners).toBe(3);
      expect(result.idleRunners).toBe(1);
    });
  });
  describe('pagination limits', () => {
    it('should stop paginating after reaching the page limit', async () => {
      // Return full pages (100 runners each) to force continued pagination
      let callCount = 0;
      const mockRequest = jest.fn().mockImplementation(() => {
        callCount++;
        const runners = createMockRunners(
          Array.from({ length: 100 }, (_, i) => ({
            name: `runner-${callCount}-${i}`,
            status: 'online' as const,
            busy: false,
            labels: ['self-hosted'],
          })),
        );
        return Promise.resolve({ status: 200, data: { runners } });
      });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      // Should have called at most 100 pages (the MAX_PAGINATION_PAGES limit)
      expect(mockRequest).toHaveBeenCalledTimes(100);
      // Should still have runners from the pages it did fetch
      expect(result.totalRunners).toBe(10000);
      expect(result.shouldFallback).toBe(false);
    });
    it('should stop paginating on rate limit (HTTP 403)', async () => {
      let callCount = 0;
      const mockRequest = jest.fn().mockImplementation(() => {
        callCount++;
        if (callCount === 2) {
          // Octokit throws for non-2xx responses
          const error: any = new Error('API rate limit exceeded');
          error.status = 403;
          error.response = {
            status: 403,
            headers: { 'x-ratelimit-reset': String(Math.floor(Date.now() / 1000) + 3600) },
          };
          return Promise.reject(error);
        }
        const runners = createMockRunners(
          Array.from({ length: 100 }, (_, i) => ({
            name: `runner-${i}`,
            status: 'online' as const,
            busy: false,
            labels: ['self-hosted'],
          })),
        );
        return Promise.resolve({ status: 200, data: { runners } });
      });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      // Should have stopped at page 2 (rate limited)
      expect(mockRequest).toHaveBeenCalledTimes(2);
      // Should use the 100 runners from the first page
      expect(result.totalRunners).toBe(100);
      expect(result.shouldFallback).toBe(false);
    });
    it('should stop paginating on rate limit (HTTP 429)', async () => {
      let callCount = 0;
      const mockRequest = jest.fn().mockImplementation(() => {
        callCount++;
        if (callCount === 1) {
          // Octokit throws for non-2xx responses
          const error: any = new Error('Too Many Requests');
          error.status = 429;
          error.response = { status: 429, headers: {} };
          return Promise.reject(error);
        }
        return Promise.resolve({ status: 200, data: { runners: [] } });
      });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      // Should have stopped at first page (rate limited immediately)
      expect(mockRequest).toHaveBeenCalledTimes(1);
      // No runners found — should fallback
      expect(result.totalRunners).toBe(0);
      expect(result.shouldFallback).toBe(true);
    });
    it('should handle pagination timeout gracefully', async () => {
      // Mock Date.now to simulate timeout
      const originalDateNow = Date.now;
      let callCount = 0;
      const mockRequest = jest.fn().mockImplementation(() => {
        callCount++;
        // After first call, advance time past the timeout
        if (callCount >= 2) {
          Date.now = jest.fn(() => originalDateNow() + 31_000);
        }
        const runners = createMockRunners(
          Array.from({ length: 100 }, (_, i) => ({
            name: `runner-${callCount}-${i}`,
            status: 'online' as const,
            busy: false,
            labels: ['self-hosted'],
          })),
        );
        return Promise.resolve({ status: 200, data: { runners } });
      });
      MockedOctokit.mockImplementation(() => ({ request: mockRequest } as any));
      const result = await RunnerAvailabilityService.checkAvailability('owner', 'repo', 'token', [], 1);
      // Should have stopped after timeout was detected (2 pages: first succeeds, second triggers timeout check)
      expect(mockRequest.mock.calls.length).toBeLessThanOrEqual(3);
      // Should have runners from pages fetched before timeout
      expect(result.totalRunners).toBeGreaterThan(0);
      // Restore
      Date.now = originalDateNow;
    });
  });
 });
@@ -0,0 +1,205 @@
 import { Octokit } from '@octokit/core';
 import OrchestratorLogger from './orchestrator-logger';
 interface GitHubRunner {
  id: number;
  name: string;
  status: 'online' | 'offline';
  busy: boolean;
  labels: Array<{ name: string }>;
 }
 interface RunnerCheckResult {
  shouldFallback: boolean;
  reason: string;
  totalRunners: number;
  matchingRunners: number;
  idleRunners: number;
 }
 /**
 * Maximum number of pages to fetch when paginating through GitHub API results.
 * 100 pages * 100 per page = 10,000 runners maximum.
 */
 const MAX_PAGINATION_PAGES = 100;
 /**
 * Total timeout in milliseconds for the pagination loop.
 * Prevents indefinite API calls if GitHub is slow or pagination is unexpectedly deep.
 */
 const PAGINATION_TIMEOUT_MS = 30_000;
 /**
 * Checks GitHub Actions runner availability to support automatic provider fallback.
 *
 * When a user configures `runnerCheckEnabled: true` with a `fallbackProviderStrategy`,
 * this service queries the GitHub API for runner status before the build starts.
 * If insufficient runners are available, the orchestrator routes to the fallback provider.
 */
 export class RunnerAvailabilityService {
  /**
   * Check if enough runners are available to handle the build.
   *
   * @param owner - GitHub repository owner
   * @param repo - GitHub repository name
   * @param token - GitHub token with repo/actions scope
   * @param requiredLabels - Labels runners must have (empty = any runner)
   * @param minAvailable - Minimum idle runners required
   * @returns RunnerCheckResult with decision and diagnostics
   */
  static async checkAvailability(
    owner: string,
    repo: string,
    token: string,
    requiredLabels: string[],
    minAvailable: number,
  ): Promise<RunnerCheckResult> {
    if (!token) {
      return {
        shouldFallback: false,
        reason: 'No GitHub token available — skipping runner check',
        totalRunners: 0,
        matchingRunners: 0,
        idleRunners: 0,
      };
    }
    try {
      const octokit = new Octokit({ auth: token });
      // Fetch all runners for the repository
      const runners = await RunnerAvailabilityService.fetchRunners(octokit, owner, repo);
      if (runners.length === 0) {
        return {
          shouldFallback: true,
          reason: 'No runners registered for this repository',
          totalRunners: 0,
          matchingRunners: 0,
          idleRunners: 0,
        };
      }
      // Filter by required labels
      const matching = RunnerAvailabilityService.filterByLabels(runners, requiredLabels);
      // Count idle (online + not busy)
      const idle = matching.filter((r) => r.status === 'online' && !r.busy);
      const result: RunnerCheckResult = {
        shouldFallback: idle.length < minAvailable,
        reason:
          idle.length >= minAvailable
            ? `${idle.length} idle runner(s) available (need ${minAvailable})`
            : `Only ${idle.length} idle runner(s) available, need ${minAvailable}`,
        totalRunners: runners.length,
        matchingRunners: matching.length,
        idleRunners: idle.length,
      };
      return result;
    } catch (error: any) {
      // If the API call fails (permissions, rate limit, etc.), don't block the build
      OrchestratorLogger.log(`Runner availability check failed: ${error.message}`);
      return {
        shouldFallback: false,
        reason: `Runner check failed (${error.message}) — proceeding with primary provider`,
        totalRunners: 0,
        matchingRunners: 0,
        idleRunners: 0,
      };
    }
  }
  /**
   * Fetch all runners for a repository, handling pagination.
   *
   * Includes defensive limits:
   * - Maximum page count (MAX_PAGINATION_PAGES) to prevent infinite loops
   * - Total timeout (PAGINATION_TIMEOUT_MS) to prevent indefinite API calls
   * - Rate-limit detection (HTTP 403/429 with X-RateLimit-Remaining header)
   */
  private static async fetchRunners(octokit: Octokit, owner: string, repo: string): Promise<GitHubRunner[]> {
    const allRunners: GitHubRunner[] = [];
    let page = 1;
    const perPage = 100;
    const startTime = Date.now();
    while (page <= MAX_PAGINATION_PAGES) {
      // Check total timeout
      if (Date.now() - startTime > PAGINATION_TIMEOUT_MS) {
        OrchestratorLogger.logWarning(
          `[RunnerAvailability] Pagination timeout reached after ${page - 1} pages and ${Date.now() - startTime}ms. ` +
            `Using ${allRunners.length} runners found so far.`,
        );
        break;
      }
      let response: any;
      try {
        response = await octokit.request('GET /repos/{owner}/{repo}/actions/runners', {
          owner,
          repo,
          per_page: perPage,
          page,
        });
      } catch (requestError: any) {
        // Octokit throws for non-2xx responses. Check if this is a rate limit error.
        const status = requestError.status ?? requestError.response?.status;
        if (status === 403 || status === 429) {
          const resetTime =
            requestError.response?.headers?.['x-ratelimit-reset'] ?? requestError.headers?.['x-ratelimit-reset'];
          const resetMessage = resetTime
            ? ` Resets at ${new Date(Number.parseInt(String(resetTime), 10) * 1000).toISOString()}`
            : '';
          OrchestratorLogger.logWarning(
            `[RunnerAvailability] GitHub API rate limit reached (HTTP ${status}).${resetMessage} ` +
              `Using ${allRunners.length} runners found so far.`,
          );
          break;
        }
        // Re-throw non-rate-limit errors to be handled by the outer catch
        throw requestError;
      }
      const runners = (response.data.runners || []) as GitHubRunner[];
      allRunners.push(...runners);
      if (runners.length < perPage) break;
      page++;
    }
    if (page > MAX_PAGINATION_PAGES) {
      OrchestratorLogger.logWarning(
        `[RunnerAvailability] Maximum pagination limit reached (${MAX_PAGINATION_PAGES} pages). ` +
          `Using ${allRunners.length} runners found so far.`,
      );
    }
    if (allRunners.length === 0) {
      OrchestratorLogger.log(
        '[RunnerAvailability] No runners found. Possible causes: ' +
          'wrong token permissions (needs repo or actions scope), ' +
          'no self-hosted runners registered, ' +
          'or runners are registered at the organization level instead of the repository.',
      );
    }
    return allRunners;
  }
  /**
   * Filter runners by required labels. A runner matches if it has ALL required labels.
   * If requiredLabels is empty, all runners match.
   */
  private static filterByLabels(runners: GitHubRunner[], requiredLabels: string[]): GitHubRunner[] {
    if (requiredLabels.length === 0) return runners;
    return runners.filter((runner) => {
      const runnerLabelNames = runner.labels.map((l) => l.name.toLowerCase());
      return requiredLabels.every((required) => runnerLabelNames.includes(required.toLowerCase()));
    });
  }
 }
@@ -1,638 +0,0 @@
 import { execSync, execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 import path from 'node:path';
 import { BuildReliabilityService } from './build-reliability-service';
 // Mock dependencies
 jest.mock('node:child_process');
 jest.mock('node:fs');
 jest.mock('@actions/core', () => ({
  info: jest.fn(),
  warning: jest.fn(),
 }));
 const mockExecSync = execSync as jest.MockedFunction<typeof execSync>;
 const mockExecFileSync = execFileSync as jest.MockedFunction<typeof execFileSync>;
 const mockFs = fs as jest.Mocked<typeof fs>;
 describe('BuildReliabilityService', () => {
  beforeEach(() => {
    jest.clearAllMocks();
  });
  // =========================================================================
  // checkGitIntegrity
  // =========================================================================
  describe('checkGitIntegrity', () => {
    it('should return true when fsck succeeds with clean output', () => {
      mockExecSync.mockReturnValue('');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(true);
      expect(mockExecSync).toHaveBeenCalledWith(
        'git -C "/repo" fsck --no-dangling',
        expect.objectContaining({ encoding: 'utf8' }),
      );
    });
    it('should return false when fsck output contains corruption indicators', () => {
      mockExecSync.mockReturnValue('broken link from tree abc123');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should return false when fsck output contains missing objects', () => {
      mockExecSync.mockReturnValue('missing blob abc123');
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should return false when execSync throws (non-zero exit code)', () => {
      mockExecSync.mockImplementation(() => {
        const error: any = new Error('fsck failed');
        error.stderr = Buffer.from('error: bad object HEAD');
        throw error;
      });
      const result = BuildReliabilityService.checkGitIntegrity('/repo');
      expect(result).toBe(false);
    });
    it('should use current directory when no repoPath provided', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.checkGitIntegrity();
      expect(mockExecSync).toHaveBeenCalledWith('git -C "." fsck --no-dangling', expect.anything());
    });
  });
  // =========================================================================
  // cleanStaleLockFiles
  // =========================================================================
  describe('cleanStaleLockFiles', () => {
    it('should return 0 when .git directory does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(0);
    });
    it('should remove lock files older than 10 minutes', () => {
      const now = Date.now();
      const oldTime = now - 15 * 60 * 1000; // 15 minutes ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: oldTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/repo', '.git')) {
          return [
            { name: 'index.lock', isDirectory: () => false },
            { name: 'HEAD.lock', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(2);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(2);
    });
    it('should NOT remove lock files younger than 10 minutes', () => {
      const now = Date.now();
      const recentTime = now - 2 * 60 * 1000; // 2 minutes ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: recentTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/repo', '.git')) {
          return [{ name: 'index.lock', isDirectory: () => false }] as any;
        }
        return [];
      });
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(0);
      expect(mockFs.unlinkSync).not.toHaveBeenCalled();
    });
    it('should recursively scan refs directory for lock files', () => {
      const now = Date.now();
      const oldTime = now - 15 * 60 * 1000;
      mockFs.existsSync.mockReturnValue(true);
      mockFs.statSync.mockImplementation((filePath: any) => {
        if (filePath === path.join('/repo', '.git')) {
          return { isDirectory: () => true } as fs.Stats;
        }
        return { mtimeMs: oldTime } as fs.Stats;
      });
      mockFs.readdirSync.mockImplementation((dir: any) => {
        const gitDir = path.join('/repo', '.git');
        if (dir === gitDir) {
          return [{ name: 'refs', isDirectory: () => true }] as any;
        }
        if (dir === path.join(gitDir, 'refs')) {
          return [{ name: 'heads', isDirectory: () => true }] as any;
        }
        if (dir === path.join(gitDir, 'refs', 'heads')) {
          return [{ name: 'main.lock', isDirectory: () => false }] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanStaleLockFiles('/repo');
      expect(result).toBe(1);
    });
  });
  // =========================================================================
  // validateSubmoduleBackingStores
  // =========================================================================
  describe('validateSubmoduleBackingStores', () => {
    it('should return empty array when .gitmodules does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toEqual([]);
    });
    it('should detect broken backing store for submodule', () => {
      mockFs.existsSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) return true;
        if (p === path.join('/repo', 'lib/sub', '.git')) return true;
        // Backing store does not exist
        return false;
      });
      mockFs.readFileSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) {
          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
        }
        if (p === path.join('/repo', 'lib/sub', '.git')) {
          return 'gitdir: ../../.git/modules/lib/sub';
        }
        return '';
      });
      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toContain('lib/sub');
    });
    it('should return empty array when all submodule backing stores are valid', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readFileSync.mockImplementation((p: any) => {
        if (p === path.join('/repo', '.gitmodules')) {
          return '[submodule "sub"]\n\tpath = lib/sub\n\turl = https://example.com/sub.git';
        }
        if (p === path.join('/repo', 'lib/sub', '.git')) {
          return 'gitdir: ../../.git/modules/lib/sub';
        }
        return '';
      });
      mockFs.statSync.mockReturnValue({ isFile: () => true } as fs.Stats);
      const result = BuildReliabilityService.validateSubmoduleBackingStores('/repo');
      expect(result).toEqual([]);
    });
  });
  // =========================================================================
  // recoverCorruptedRepo
  // =========================================================================
  describe('recoverCorruptedRepo', () => {
    it('should orchestrate fsck cleanup and re-fetch, returning true on success', () => {
      // cleanStaleLockFiles: no .git dir
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      // fetch succeeds, then fsck succeeds
      mockExecSync.mockReturnValue('');
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      expect(result).toBe(true);
      // Should have called fetch
      expect(mockExecSync).toHaveBeenCalledWith('git -C "/repo" fetch --all', expect.anything());
    });
    it('should return false when recovery fails to restore integrity', () => {
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      // fetch succeeds, but fsck fails
      mockExecSync.mockImplementation((cmd: any) => {
        if (typeof cmd === 'string' && cmd.includes('fetch')) return '';
        if (typeof cmd === 'string' && cmd.includes('fsck')) {
          return 'missing blob abc123';
        }
        return '';
      });
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      expect(result).toBe(false);
    });
    it('should continue recovery even when fetch fails', () => {
      mockFs.existsSync.mockReturnValue(false);
      mockFs.statSync.mockReturnValue({ isDirectory: () => false } as fs.Stats);
      let callCount = 0;
      mockExecSync.mockImplementation((cmd: any) => {
        callCount++;
        if (typeof cmd === 'string' && cmd.includes('fetch')) {
          throw new Error('network error');
        }
        // fsck call
        return '';
      });
      const result = BuildReliabilityService.recoverCorruptedRepo('/repo');
      // Should still attempt fsck after failed fetch
      expect(callCount).toBeGreaterThanOrEqual(2);
    });
  });
  // =========================================================================
  // cleanReservedFilenames
  // =========================================================================
  describe('cleanReservedFilenames', () => {
    it('should return empty array when Assets directory does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toEqual([]);
    });
    it('should remove files with reserved names (con, prn, aux, nul)', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'con.txt', isDirectory: () => false },
            { name: 'PRN.meta', isDirectory: () => false },
            { name: 'aux.shader', isDirectory: () => false },
            { name: 'nul.png', isDirectory: () => false },
            { name: 'valid-file.cs', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(4);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(4);
    });
    it('should remove directories with reserved names', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [{ name: 'com1', isDirectory: () => true }] as any;
        }
        return [];
      });
      mockFs.rmSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(1);
      expect(mockFs.rmSync).toHaveBeenCalledWith(path.join('/project', 'Assets', 'com1'), {
        recursive: true,
        force: true,
      });
    });
    it('should detect COM1 through COM9 and LPT1 through LPT9', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'com1.txt', isDirectory: () => false },
            { name: 'COM9.meta', isDirectory: () => false },
            { name: 'lpt1.dat', isDirectory: () => false },
            { name: 'LPT9.log', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(4);
    });
    it('should not remove files that merely contain reserved names as substrings', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockImplementation((dir: any) => {
        if (dir === path.join('/project', 'Assets')) {
          return [
            { name: 'controller.cs', isDirectory: () => false },
            { name: 'printer-utils.cs', isDirectory: () => false },
            { name: 'auxiliary.shader', isDirectory: () => false },
          ] as any;
        }
        return [];
      });
      const result = BuildReliabilityService.cleanReservedFilenames('/project');
      expect(result).toHaveLength(0);
    });
  });
  // =========================================================================
  // getAvailableSpaceMB
  // =========================================================================
  describe('getAvailableSpaceMB', () => {
    it('should return -1 when the check fails', () => {
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command failed');
      });
      const result = BuildReliabilityService.getAvailableSpaceMB('/some/path');
      expect(result).toBe(-1);
    });
    it('should parse wmic output on Windows', () => {
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'win32' });
      // 10 GB in bytes
      mockExecFileSync.mockReturnValue('\r\nFreeSpace=10737418240\r\n' as any);
      const result = BuildReliabilityService.getAvailableSpaceMB('C:\\builds');
      // 10737418240 / (1024 * 1024) = 10240 MB
      expect(result).toBeCloseTo(10240, 0);
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
    it('should parse df output on Unix', () => {
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'linux' });
      mockExecFileSync.mockReturnValue('  Avail\n  5120M\n' as any);
      const result = BuildReliabilityService.getAvailableSpaceMB('/builds');
      expect(result).toBe(5120);
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
  });
  // =========================================================================
  // getDirectorySizeMB
  // =========================================================================
  describe('getDirectorySizeMB', () => {
    it('should return file size for a single file', () => {
      // 5 MB in bytes
      mockFs.statSync.mockReturnValue({ isDirectory: () => false, size: 5 * 1024 * 1024 } as any);
      const result = BuildReliabilityService.getDirectorySizeMB('/path/to/file.zip');
      expect(result).toBeCloseTo(5, 0);
    });
    it('should return total size for a directory tree', () => {
      const subDir = path.join('/build', 'sub');
      mockFs.statSync.mockImplementation((p: any) => {
        const pathStr = typeof p === 'string' ? p : p.toString();
        if (pathStr === '/build' || pathStr === subDir) {
          return { isDirectory: () => true, size: 0 } as any;
        }
        return { isDirectory: () => false, size: 1024 * 1024 } as any; // 1 MB each
      });
      mockFs.readdirSync.mockImplementation((dirPath: any, _options?: any) => {
        const dirStr = typeof dirPath === 'string' ? dirPath : dirPath.toString();
        if (dirStr === '/build') {
          return [
            { name: 'file1.bin', isDirectory: () => false },
            { name: 'sub', isDirectory: () => true },
          ] as any;
        }
        if (dirStr === subDir) {
          return [{ name: 'file2.bin', isDirectory: () => false }] as any;
        }
        return [] as any;
      });
      const result = BuildReliabilityService.getDirectorySizeMB('/build');
      expect(result).toBeCloseTo(2, 0); // 2 files * 1 MB each
    });
    it('should return -1 when calculation fails', () => {
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Access denied');
      });
      const result = BuildReliabilityService.getDirectorySizeMB('/inaccessible');
      expect(result).toBe(-1);
    });
  });
  // =========================================================================
  // archiveBuildOutput
  // =========================================================================
  describe('archiveBuildOutput', () => {
    it('should skip archiving when source path does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      expect(mockExecSync).not.toHaveBeenCalled();
    });
    it('should create archive directory and tar.gz output', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockExecSync.mockReturnValue('');
      // Make disk space check return unknown so we proceed
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      expect(mockFs.mkdirSync).toHaveBeenCalledWith('/archives', { recursive: true });
      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
    });
    it('should skip archival when insufficient disk space', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      // Source is 1000 MB
      mockFs.statSync.mockImplementation((p: any) => {
        const pathStr = typeof p === 'string' ? p : p.toString();
        if (pathStr.endsWith('big-file.bin')) {
          return { isDirectory: () => false, size: 1000 * 1024 * 1024 } as any;
        }
        return { isDirectory: () => true, size: 0 } as any;
      });
      mockFs.readdirSync.mockImplementation(() => {
        return [{ name: 'big-file.bin', isDirectory: () => false }] as any;
      });
      // Only 500 MB available
      const originalPlatform = process.platform;
      Object.defineProperty(process, 'platform', { value: 'linux' });
      mockExecFileSync.mockReturnValue('  Avail\n  500M\n' as any);
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should NOT have attempted the tar command
      expect(mockExecSync).not.toHaveBeenCalledWith(expect.stringContaining('tar'), expect.anything());
      Object.defineProperty(process, 'platform', { value: originalPlatform });
    });
    it('should clean up partial archive on tar failure', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockFs.unlinkSync.mockReturnValue(undefined);
      // Make disk space check return unknown so we proceed
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      // tar command fails
      mockExecSync.mockImplementation(() => {
        const error: any = new Error('tar failed');
        error.stderr = Buffer.from('No space left on device');
        throw error;
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should have attempted to clean up the partial archive
      // (existsSync returns true for the partial file)
      expect(mockFs.unlinkSync).toHaveBeenCalled();
    });
    it('should proceed with warning when disk space check fails', () => {
      mockFs.existsSync.mockReturnValue(true);
      mockFs.mkdirSync.mockReturnValue(undefined as any);
      mockExecSync.mockReturnValue('');
      // Disk space check fails
      mockExecFileSync.mockImplementation(() => {
        throw new Error('Command not found');
      });
      // Directory size check also fails
      mockFs.statSync.mockImplementation(() => {
        throw new Error('Not mocked');
      });
      BuildReliabilityService.archiveBuildOutput('/builds/output', '/archives');
      // Should still proceed with tar
      expect(mockExecSync).toHaveBeenCalledWith(expect.stringContaining('tar -czf'), expect.anything());
    });
  });
  // =========================================================================
  // enforceRetention
  // =========================================================================
  describe('enforceRetention', () => {
    it('should return 0 when archive path does not exist', () => {
      mockFs.existsSync.mockReturnValue(false);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(0);
    });
    it('should remove archives older than retention period', () => {
      const now = Date.now();
      const oldTime = now - 45 * 24 * 60 * 60 * 1000; // 45 days ago
      const recentTime = now - 5 * 24 * 60 * 60 * 1000; // 5 days ago
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockReturnValue([
        { name: 'build-old.tar.gz', isDirectory: () => false },
        { name: 'build-recent.tar.gz', isDirectory: () => false },
      ] as any);
      mockFs.statSync.mockImplementation((p: any) => {
        if ((p as string).includes('old')) {
          return { mtimeMs: oldTime } as fs.Stats;
        }
        return { mtimeMs: recentTime } as fs.Stats;
      });
      mockFs.unlinkSync.mockReturnValue(undefined);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(1);
      expect(mockFs.unlinkSync).toHaveBeenCalledTimes(1);
    });
    it('should keep all archives within retention period', () => {
      const now = Date.now();
      const recentTime = now - 5 * 24 * 60 * 60 * 1000;
      mockFs.existsSync.mockReturnValue(true);
      mockFs.readdirSync.mockReturnValue([
        { name: 'build-1.tar.gz', isDirectory: () => false },
        { name: 'build-2.tar.gz', isDirectory: () => false },
      ] as any);
      mockFs.statSync.mockReturnValue({ mtimeMs: recentTime } as fs.Stats);
      const result = BuildReliabilityService.enforceRetention('/archive', 30);
      expect(result).toBe(0);
    });
  });
  // =========================================================================
  // configureGitEnvironment
  // =========================================================================
  describe('configureGitEnvironment', () => {
    it('should set GIT_TERMINAL_PROMPT=0 in process.env', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(process.env.GIT_TERMINAL_PROMPT).toBe('0');
    });
    it('should configure http.postBuffer via git config', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(mockExecSync).toHaveBeenCalledWith('git config --global http.postBuffer 524288000', expect.anything());
    });
    it('should configure core.longpaths via git config', () => {
      mockExecSync.mockReturnValue('');
      BuildReliabilityService.configureGitEnvironment();
      expect(mockExecSync).toHaveBeenCalledWith('git config --global core.longpaths true', expect.anything());
    });
    it('should warn but not throw when git config commands fail', () => {
      const core = require('@actions/core');
      mockExecSync.mockImplementation(() => {
        throw new Error('git config failed');
      });
      // Should not throw
      expect(() => BuildReliabilityService.configureGitEnvironment()).not.toThrow();
      expect(core.warning).toHaveBeenCalled();
    });
  });
 });
@@ -1,527 +0,0 @@
 import { execSync, execFileSync } from 'node:child_process';
 import fs from 'node:fs';
 import path from 'node:path';
 import * as core from '@actions/core';
 /**
 * Build reliability features for hardening CI pipelines.
 * Provides git integrity checks, stale lock cleanup, submodule validation,
 * reserved filename removal, build archival, and git environment configuration.
 * All features are opt-in and fail gracefully (warnings only).
 */
 export class BuildReliabilityService {
  // Windows reserved device names that cause Unity asset importer infinite loops
  private static readonly RESERVED_NAMES = new Set([
    'con',
    'prn',
    'aux',
    'nul',
    'com1',
    'com2',
    'com3',
    'com4',
    'com5',
    'com6',
    'com7',
    'com8',
    'com9',
    'lpt1',
    'lpt2',
    'lpt3',
    'lpt4',
    'lpt5',
    'lpt6',
    'lpt7',
    'lpt8',
    'lpt9',
  ]);
  // Lock files to look for in the .git directory
  private static readonly LOCK_FILE_NAMES = new Set(['index.lock', 'shallow.lock', 'config.lock', 'HEAD.lock']);
  // Maximum age in milliseconds before a lock file is considered stale (10 minutes)
  private static readonly LOCK_FILE_MAX_AGE_MS = 10 * 60 * 1000;
  /**
   * Run git fsck to check repository integrity.
   * Returns true if the repo is healthy, false if corruption detected.
   */
  static checkGitIntegrity(repoPath: string = '.'): boolean {
    core.info(`[Reliability] Checking git integrity in ${repoPath}`);
    try {
      const output = execSync(`git -C "${repoPath}" fsck --no-dangling`, {
        encoding: 'utf8',
        timeout: 120_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      // Parse output for corruption indicators
      const corruptionPatterns = [
        /broken link/i,
        /missing (blob|tree|commit|tag)/i,
        /dangling/i,
        /corrupt/i,
        /error in /i,
      ];
      for (const pattern of corruptionPatterns) {
        if (pattern.test(output)) {
          core.warning(`[Reliability] Git integrity check found issues: ${output.trim()}`);
          return false;
        }
      }
      core.info('[Reliability] Git integrity check passed');
      return true;
    } catch (error: any) {
      // execSync throws on non-zero exit code
      const stderr = error.stderr?.toString() ?? error.message;
      core.warning(`[Reliability] Git integrity check failed: ${stderr}`);
      return false;
    }
  }
  /**
   * Remove stale .lock files from the .git directory.
   * Only removes lock files older than 10 minutes to avoid interfering with active operations.
   * Returns the number of lock files removed.
   */
  static cleanStaleLockFiles(repoPath: string = '.'): number {
    const gitDir = path.join(repoPath, '.git');
    if (!fs.existsSync(gitDir) || !fs.statSync(gitDir).isDirectory()) {
      return 0;
    }
    core.info(`[Reliability] Scanning for stale lock files in ${gitDir}`);
    const now = Date.now();
    let removed = 0;
    const cleanDirectory = (directory: string): void => {
      if (!fs.existsSync(directory)) return;
      try {
        const entries = fs.readdirSync(directory, { withFileTypes: true });
        for (const entry of entries) {
          const fullPath = path.join(directory, entry.name);
          if (entry.isDirectory()) {
            cleanDirectory(fullPath);
          } else if (entry.name.endsWith('.lock')) {
            // Check if it is a known lock file location OR under refs/
            const relativePath = path.relative(gitDir, fullPath);
            const isKnownLock = BuildReliabilityService.LOCK_FILE_NAMES.has(entry.name);
            const isRefsLock = relativePath.startsWith('refs' + path.sep);
            if (isKnownLock || isRefsLock) {
              try {
                const stat = fs.statSync(fullPath);
                const ageMs = now - stat.mtimeMs;
                if (ageMs > BuildReliabilityService.LOCK_FILE_MAX_AGE_MS) {
                  fs.unlinkSync(fullPath);
                  removed++;
                  core.info(
                    `[Reliability] Removed stale lock file (age: ${Math.round(ageMs / 1000)}s): ${relativePath}`,
                  );
                } else {
                  core.info(
                    `[Reliability] Lock file is recent (age: ${Math.round(ageMs / 1000)}s), skipping: ${relativePath}`,
                  );
                }
              } catch {
                core.warning(`[Reliability] Could not remove lock file: ${fullPath}`);
              }
            }
          }
        }
      } catch {
        // Directory not accessible
      }
    };
    cleanDirectory(gitDir);
    if (removed > 0) {
      core.info(`[Reliability] Cleaned ${removed} stale lock file(s)`);
    } else {
      core.info('[Reliability] No stale lock files found');
    }
    return removed;
  }
  /**
   * Validate that submodule .git files point to existing backing stores
   * under .git/modules/. Returns list of submodule paths with broken backing stores.
   */
  static validateSubmoduleBackingStores(repoPath: string = '.'): string[] {
    const broken: string[] = [];
    const gitmodulesPath = path.join(repoPath, '.gitmodules');
    if (!fs.existsSync(gitmodulesPath)) {
      core.info('[Reliability] No .gitmodules found, skipping submodule validation');
      return broken;
    }
    core.info(`[Reliability] Validating submodule backing stores in ${repoPath}`);
    try {
      const content = fs.readFileSync(gitmodulesPath, 'utf8');
      const pathMatches = content.matchAll(/path\s*=\s*(.+)/g);
      for (const match of pathMatches) {
        const submodulePath = match[1].trim();
        const gitFile = path.join(repoPath, submodulePath, '.git');
        if (!fs.existsSync(gitFile)) {
          // Submodule not initialized -- not necessarily broken
          continue;
        }
        try {
          const stat = fs.statSync(gitFile);
          if (stat.isFile()) {
            // .git is a file -- should contain "gitdir: <path>"
            const gitFileContent = fs.readFileSync(gitFile, 'utf8').trim();
            const gitdirMatch = gitFileContent.match(/^gitdir:\s*(.+)$/);
            if (gitdirMatch) {
              const backingStore = path.resolve(path.join(repoPath, submodulePath), gitdirMatch[1]);
              if (!fs.existsSync(backingStore)) {
                broken.push(submodulePath);
                core.warning(`[Reliability] Submodule ${submodulePath} has broken backing store: ${backingStore}`);
              } else {
                core.info(`[Reliability] Submodule ${submodulePath} backing store OK`);
              }
            } else {
              broken.push(submodulePath);
              core.warning(`[Reliability] Submodule ${submodulePath} .git file has invalid format`);
            }
          }
        } catch {
          // Can't read .git file
          core.warning(`[Reliability] Could not read .git file for submodule: ${submodulePath}`);
        }
      }
    } catch (error: any) {
      core.warning(`[Reliability] Could not read .gitmodules: ${error.message}`);
    }
    if (broken.length > 0) {
      core.warning(`[Reliability] ${broken.length} submodule(s) have broken backing stores`);
    } else {
      core.info('[Reliability] All submodule backing stores are valid');
    }
    return broken;
  }
  /**
   * Orchestrate recovery of a corrupted repository.
   * Sequence: fsck -> clean locks -> re-fetch -> retry fsck.
   * Returns true if recovery succeeded.
   */
  static recoverCorruptedRepo(repoPath: string = '.'): boolean {
    core.warning(`[Reliability] Attempting automatic recovery for ${repoPath}`);
    // Step 1: Clean stale lock files that may be preventing operations
    const locksRemoved = BuildReliabilityService.cleanStaleLockFiles(repoPath);
    if (locksRemoved > 0) {
      core.info(`[Reliability] Recovery: cleaned ${locksRemoved} lock file(s)`);
    }
    // Step 2: Re-fetch to restore missing objects
    try {
      core.info('[Reliability] Recovery: re-fetching from remote');
      execSync(`git -C "${repoPath}" fetch --all`, {
        encoding: 'utf8',
        timeout: 300_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Recovery: fetch completed');
    } catch (error: any) {
      core.warning(`[Reliability] Recovery: fetch failed: ${error.stderr?.toString() ?? error.message}`);
    }
    // Step 3: Retry fsck
    const healthy = BuildReliabilityService.checkGitIntegrity(repoPath);
    if (healthy) {
      core.info('[Reliability] Recovery succeeded -- repository is healthy');
    } else {
      core.warning('[Reliability] Recovery failed -- repository still has integrity issues');
    }
    return healthy;
  }
  /**
   * Scan a directory tree for files/directories with Windows reserved names.
   * These names (con, prn, aux, nul, com1-9, lpt1-9) with any extension
   * cause Unity asset importer infinite loops on Windows.
   * Returns list of paths that were removed.
   */
  static cleanReservedFilenames(projectPath: string): string[] {
    const assetsPath = path.join(projectPath, 'Assets');
    if (!fs.existsSync(assetsPath)) {
      core.info(`[Reliability] No Assets directory found at ${assetsPath}, skipping reserved filename scan`);
      return [];
    }
    core.info(`[Reliability] Scanning for reserved filenames in ${assetsPath}`);
    const cleaned: string[] = [];
    const scanDirectory = (directory: string): void => {
      try {
        const entries = fs.readdirSync(directory, { withFileTypes: true });
        for (const entry of entries) {
          const nameWithoutExtension = entry.name.split('.')[0].toLowerCase();
          const fullPath = path.join(directory, entry.name);
          if (BuildReliabilityService.RESERVED_NAMES.has(nameWithoutExtension)) {
            try {
              if (entry.isDirectory()) {
                fs.rmSync(fullPath, { recursive: true, force: true });
              } else {
                fs.unlinkSync(fullPath);
              }
              cleaned.push(fullPath);
              core.warning(`[Reliability] Removed reserved filename: ${fullPath}`);
            } catch {
              core.warning(`[Reliability] Could not remove reserved filename: ${fullPath}`);
            }
          } else if (entry.isDirectory()) {
            scanDirectory(fullPath);
          }
        }
      } catch {
        // Directory not accessible
      }
    };
    scanDirectory(assetsPath);
    if (cleaned.length > 0) {
      core.warning(`[Reliability] Cleaned ${cleaned.length} reserved filename(s)`);
    } else {
      core.info('[Reliability] No reserved filenames found');
    }
    return cleaned;
  }
  /**
   * Get available disk space in megabytes for a given directory.
   * Returns -1 if the check fails (unknown space).
   *
   * Cross-platform: uses wmic on Windows, df on Unix.
   */
  static getAvailableSpaceMB(directoryPath: string): number {
    try {
      if (process.platform === 'win32') {
        const drive = path.parse(directoryPath).root;
        const driveLetter = drive.replace(/[:\\\/]/g, '');
        const output = execFileSync(
          'wmic',
          ['logicaldisk', 'where', `DeviceID='${driveLetter}:'`, 'get', 'FreeSpace', '/value'],
          { encoding: 'utf8', timeout: 10_000 },
        );
        const match = output.match(/FreeSpace=(\d+)/);
        return match ? Number.parseInt(match[1], 10) / (1024 * 1024) : -1;
      } else {
        const output = execFileSync('df', ['-BM', '--output=avail', directoryPath], {
          encoding: 'utf8',
          timeout: 10_000,
        });
        const lines = output.trim().split('\n');
        return Number.parseInt(lines[lines.length - 1], 10);
      }
    } catch {
      return -1; // Unknown, caller should proceed with warning
    }
  }
  /**
   * Calculate the total size of a directory in megabytes.
   * Returns -1 if the calculation fails.
   */
  static getDirectorySizeMB(directoryPath: string): number {
    try {
      const stat = fs.statSync(directoryPath);
      if (!stat.isDirectory()) {
        return stat.size / (1024 * 1024);
      }
      let totalBytes = 0;
      const walkDirectory = (dir: string): void => {
        const entries = fs.readdirSync(dir, { withFileTypes: true });
        for (const entry of entries) {
          const fullPath = path.join(dir, entry.name);
          if (entry.isDirectory()) {
            walkDirectory(fullPath);
          } else {
            try {
              totalBytes += fs.statSync(fullPath).size;
            } catch {
              // Skip inaccessible files
            }
          }
        }
      };
      walkDirectory(directoryPath);
      return totalBytes / (1024 * 1024);
    } catch {
      return -1;
    }
  }
  /**
   * Create a tar.gz archive of build output.
   *
   * Validates disk space before archiving. Skips archival with a warning
   * if insufficient space is detected, preventing partial writes on full disks.
   */
  static archiveBuildOutput(sourcePath: string, archivePath: string): void {
    if (!fs.existsSync(sourcePath)) {
      core.info(`[Reliability] No build output to archive at ${sourcePath}`);
      return;
    }
    fs.mkdirSync(archivePath, { recursive: true });
    // Check available disk space before archiving
    const sourceSizeMB = BuildReliabilityService.getDirectorySizeMB(sourcePath);
    const availableSpaceMB = BuildReliabilityService.getAvailableSpaceMB(archivePath);
    if (sourceSizeMB >= 0 && availableSpaceMB >= 0) {
      const neededMB = Math.ceil(sourceSizeMB * 1.1); // 10% safety margin
      if (availableSpaceMB < neededMB) {
        core.warning(
          `[Reliability] Insufficient disk space for archive. ` +
            `Need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB. Skipping archive.`,
        );
        return;
      }
      core.info(
        `[Reliability] Disk space check passed: need ~${neededMB}MB, available: ${Math.floor(availableSpaceMB)}MB`,
      );
    } else if (availableSpaceMB < 0) {
      core.warning('[Reliability] Could not determine available disk space. Proceeding with archive cautiously.');
    }
    const timestamp = new Date().toISOString().replace(/[.:]/g, '-');
    const archiveFile = path.join(archivePath, `build-${timestamp}.tar.gz`);
    try {
      execSync(`tar -czf "${archiveFile}" -C "${path.dirname(sourcePath)}" "${path.basename(sourcePath)}"`, {
        encoding: 'utf8',
        timeout: 600_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info(`[Reliability] Build output archived to ${archiveFile}`);
    } catch (error: any) {
      core.warning(`[Reliability] Failed to archive build output: ${error.stderr?.toString() ?? error.message}`);
      // Clean up partial archive if it exists to avoid leaving corrupted files
      try {
        if (fs.existsSync(archiveFile)) {
          fs.unlinkSync(archiveFile);
          core.info(`[Reliability] Cleaned up partial archive: ${archiveFile}`);
        }
      } catch {
        // Best-effort cleanup
      }
    }
  }
  /**
   * Enforce retention policy -- delete archives older than the retention period.
   * Returns the number of old archives removed.
   */
  static enforceRetention(archivePath: string, retentionDays: number): number {
    if (!fs.existsSync(archivePath)) {
      return 0;
    }
    const now = Date.now();
    const retentionMs = retentionDays * 24 * 60 * 60 * 1000;
    let removed = 0;
    try {
      const entries = fs.readdirSync(archivePath, { withFileTypes: true });
      for (const entry of entries) {
        const fullPath = path.join(archivePath, entry.name);
        try {
          const stat = fs.statSync(fullPath);
          const ageMs = now - stat.mtimeMs;
          if (ageMs > retentionMs) {
            if (entry.isDirectory()) {
              fs.rmSync(fullPath, { recursive: true, force: true });
            } else {
              fs.unlinkSync(fullPath);
            }
            removed++;
            core.info(
              `[Reliability] Removed old archive: ${entry.name} (age: ${Math.round(
                ageMs / (24 * 60 * 60 * 1000),
              )} days)`,
            );
          }
        } catch {
          core.warning(`[Reliability] Could not process archive entry: ${fullPath}`);
        }
      }
    } catch {
      core.warning(`[Reliability] Could not read archive directory: ${archivePath}`);
      return 0;
    }
    if (removed > 0) {
      core.info(
        `[Reliability] Retention enforced: removed ${removed} old archive(s), retention: ${retentionDays} days`,
      );
    }
    return removed;
  }
  /**
   * Configure git environment variables for CI reliability.
   * Sets GIT_TERMINAL_PROMPT=0, increases http.postBuffer, enables core.longpaths.
   */
  static configureGitEnvironment(): void {
    core.info('[Reliability] Configuring git environment for CI');
    // Prevent git from prompting for credentials (hangs in CI)
    process.env.GIT_TERMINAL_PROMPT = '0';
    core.info('[Reliability] Set GIT_TERMINAL_PROMPT=0');
    try {
      // Increase http.postBuffer to 500MB for large pushes
      execSync('git config --global http.postBuffer 524288000', {
        encoding: 'utf8',
        timeout: 10_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Set http.postBuffer=524288000 (500MB)');
    } catch (error: any) {
      core.warning(`[Reliability] Could not set http.postBuffer: ${error.message}`);
    }
    try {
      // Enable long paths on Windows
      execSync('git config --global core.longpaths true', {
        encoding: 'utf8',
        timeout: 10_000,
        stdio: ['pipe', 'pipe', 'pipe'],
      });
      core.info('[Reliability] Set core.longpaths=true');
    } catch (error: any) {
      core.warning(`[Reliability] Could not set core.longpaths: ${error.message}`);
    }
  }
 }
@@ -1 +0,0 @@
 export { BuildReliabilityService } from './build-reliability-service';
Author	SHA1	Message	Date
frostebite	dcb0894d0e	fix: replace orchestrator-develop branch references with main The orchestrator-develop branch no longer exists. Update all fallback clone commands and test fixtures to use main instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-09 20:08:44 +00:00
frostebite	90b9b0c7b0	ci: set macOS builds to continue-on-error Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 23:33:48 +00:00
frostebite	e9c247f04f	style: fix prettier formatting Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 14:10:24 +00:00
frostebite	cff759721a	fix(load-balancing): add pagination limits and rate-limit detection Cap pagination at 100 pages (10,000 runners max), detect GitHub API rate limiting (403/429) with reset time reporting, add 30-second total timeout for pagination loop. Log clear diagnostic when no runners found suggesting possible causes (token permissions, runner registration). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 13:00:17 +00:00
frostebite	7e9d0bf53e	test(orchestrator): add runner availability service tests Covers: no token skip, no runners fallback, busy/offline runners, label filtering (case-insensitive), minAvailable threshold, fail-open on API error, mixed runner states. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 07:58:58 +00:00
frostebite	8194790728	feat(orchestrator): add retry-on-fallback and provider init timeout Adds retryOnFallback (retry failed builds on alternate provider) and providerInitTimeout (swap provider if init takes too long). Refactors run() into run()/runWithProvider() to support retry loop. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 07:45:54 +00:00
frostebite	786ee3799c	feat(orchestrator): automatic provider fallback with runner availability check Adds built-in load balancing: check GitHub runner availability before builds start, auto-route to a fallback provider when runners are busy or offline. Eliminates the need for a separate check-runner job. New inputs: fallbackProviderStrategy, runnerCheckEnabled, runnerCheckLabels, runnerCheckMinAvailable. Outputs providerFallbackUsed and providerFallbackReason for workflow visibility. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-05 07:39:23 +00:00
		`@@ -1 +0,0 @@`
			`export { BuildReliabilityService } from './build-reliability-service';`