
Lab demo workflow failures

Overview

Incidents in incident.io whose title is prefixed with [LAB] come from the lab demo GitHub Actions workflows. The tenant is in the incident title.

Workflows: Prepare Anomalous Login Demo, Prepare DLP Demo, Prepare IRM Demo, Prepare Malware Demo, Prepare Phishing Demo, Send Demo Email.


For each use case below: how to spot it, then what to do.

Timeout / flakiness

How to spot - Failure message says timeout or job cancelled due to time; or the same workflow sometimes passes and sometimes fails (e.g. passes on re-run) with no clear code bug.

What to do - Re-run the workflow. If it keeps failing, treat it as a code or infra problem (e.g. add retries or increase the timeout), or escalate if it clearly points to an external or network cause.

Third-party, not API

How to spot - Logs show 403, 401, “invalid token”, “expired”, “permission denied”, “forbidden”, or “unauthorized”; or “incident not created” / “demo not created” for a demo we don’t create (excluding Anomalous sign-in, which we do create). Also: errors about tenant config, credentials, or a service we don’t own.

What to do - Involve Michael or Yaniv Menasherov - they own lab envs and these integrations.

Code / our repo

How to spot - Logs show a stack trace or exception in our code; a script in this repo fails; dependency install or workflow step fails; workflow YAML or env var problem; or our code errors on data we expected (e.g. parsing/validation in our integration). For Anomalous sign-in: we create that incident in our flow, so “incident not created” there points to our code.

What to do - Debug and fix in this repo (code, workflow, env vars, or integration logic).

Third-party API changed

How to spot - Error suggests the external API response shape or contract changed: e.g. “field X not found”, schema validation failed, “unexpected response”, or our parsing fails on a response that used to work.

What to do - Updating our code to the new API is on us: debug and fix in this repo.
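
The triage rules above can be applied as a first-pass classifier over a failed run's log. This is an added example, not code from this repo: the keywords are the ones listed on this page, while the rule order, the category labels, the "unknown" fallback and the sample log lines are assumptions.

```python
import re

# Keywords come from the runbook text; the rule order and the category
# labels are assumptions made for this example.
RULES = [
    ("third-party", re.compile(
        r"\b(401|403)\b|invalid token|expired|permission denied|forbidden|unauthorized", re.I)),
    ("api-changed", re.compile(
        r"field \S+ not found|schema validation failed|unexpected response", re.I)),
    ("timeout", re.compile(r"timeout|cancell?ed", re.I)),
    ("code", re.compile(r"Traceback|Exception|stack trace", re.I)),
]
NOT_CREATED = re.compile(r"(incident|demo) not created", re.I)

ACTIONS = {
    "third-party": "Involve the lab env / integration owners",
    "api-changed": "Update our code to the new API in this repo",
    "timeout": "Re-run the workflow; if it keeps failing, treat as code or infra",
    "code": "Debug and fix in this repo",
    "unknown": "Read the full log and triage manually",  # fallback is an assumption
}

def triage(workflow: str, log: str) -> str:
    """Return the runbook category for one failed workflow run."""
    if NOT_CREATED.search(log):
        # Anomalous sign-in is the one demo whose incident our flow creates.
        return "code" if "anomalous" in workflow.lower() else "third-party"
    for category, pattern in RULES:
        if pattern.search(log):
            return category
    return "unknown"

# Constructed sample failures, not real workflow output.
SAMPLES = [
    ("Prepare DLP Demo", "HTTP 403: permission denied for tenant config"),
    ("Prepare Phishing Demo", "demo not created after polling"),
    ("Prepare Anomalous Login Demo", "incident not created after polling"),
    ("Prepare Malware Demo", "KeyError: field severity not found in response"),
    ("Send Demo Email", "step failed: timeout waiting for mailbox"),
    ("Prepare IRM Demo", "Traceback (most recent call last): ValueError"),
]

if __name__ == "__main__":
    for workflow, log in SAMPLES:
        category = triage(workflow, log)
        print(f"{workflow}: {category} -> {ACTIONS[category]}")
```

Auth and API-contract keywords are checked before the stack-trace rule because a 401 or a changed response usually surfaces as an exception in our code as well.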