[GH-ISSUE #2197] act favors secrets from .secrets over values from -s #1037

Closed
opened 2026-03-01 21:48:23 +03:00 by kerem · 3 comments
Owner

Originally created by @jsoref on GitHub (Feb 2, 2024).
Original GitHub issue: https://github.com/nektos/act/issues/2197

Bug report info

act version:            0.2.57
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
	/var/run/docker.sock
Config files:           
	/Users/jsoref/.actrc:
		#-P ubuntu-latest=node:12.20.1-buster-slim
		#-P ubuntu-20.04=node:12.20.1-buster-slim
		#-P ubuntu-18.04=node:12.20.1-buster-slim
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
		-P ubuntu-16.04=catthehacker/ubuntu:act-16.04
		-P self-hosted=catthehacker/ubuntu:act-latest
		-P ubuntu-latest-4cpu=ubuntu:act-latest
		-P ubuntu-latest-8cpu=ubuntu:act-latest
Build info:
	Go version:            go1.21.5
	Module path:           command-line-arguments
	Main version:          
	Main path:             
	Main checksum:         
	Build settings:
		-buildmode:           exe
		-compiler:            gc
		-ldflags:             -X main.version=0.2.57
		DefaultGODEBUG:       panicnil=1
		CGO_ENABLED:          1
		CGO_CFLAGS:           
		CGO_CPPFLAGS:         
		CGO_CXXFLAGS:         
		CGO_LDFLAGS:          
		GOARCH:               arm64
		GOOS:                 darwin
Docker Engine:
	Engine version:        23.0.6
	Engine runtime:        runc
	Cgroup version:        1
	Cgroup driver:         cgroupfs
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Alpine Linux v3.18
	OS type:               linux
	OS version:            3.18.5
	OS arch:               aarch64
	OS kernel:             6.1.64-0-virt
	OS CPU:                2
	OS memory:             1973 MB
	Security options:
		name=seccomp,profile=builtin

Command used with act

(~/code/nektos/act/dist/local/act --use-new-action-cache -j spelling -s "GITHUB_TOKEN=$GH_TOKEN" 2>&1)

Describe issue

Using a fine-grained token that allows contents:read for a private repository, act (using --use-new-action-cache) isn't able to retrieve my public action.

Link to GitHub repository

No response

Workflow content

name: Check Spelling

# Comment management is handled through a secondary job, for details see:
# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions
#
# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment
#   (in odd cases, it might actually run just to collapse a comment, but that's fairly rare)
#   it needs `contents: write` in order to add a comment.
#
# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment
#   or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment)
#   it needs `pull-requests: write` in order to manipulate those comments.

# Updating pull request branches is managed via comment handling.
# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
#
# These elements work together to make it happen:
#
# `on.issue_comment`
#   This event listens to comments by users asking to update the metadata.
#
# `jobs.update`
#   This job runs in response to an issue_comment and will push a new commit
#   to update the spelling metadata.
#
# `with.experimental_apply_changes_via_bot`
#   Tells the action to support and generate messages that enable it
#   to make a commit to update the spelling metadata.
#
# `with.ssh_key`
#   In order to trigger workflows when the commit is made, you can provide a
#   secret (typically, a write-enabled github deploy key).
#
#   For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key

# Sarif reporting
#
# Access to Sarif reports is generally restricted (by GitHub) to members of the repository.
#
# Requires enabling `security-events: write`
# and configuring the action with `use_sarif: 1`
#
#   For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output

# Minimal workflow structure:
#
# on:
#   push:
#     ...
#   pull_request_target:
#     ...
# jobs:
#   # you only want the spelling job, all others should be omitted
#   spelling:
#     # remove `security-events: write` and `use_sarif: 1`
#     # remove `experimental_apply_changes_via_bot: 1`
#     ... otherwise adjust the `with:` as you wish

on:
  push:
    branches:
    - "**"
    tags-ignore:
    - "**"
  pull_request_target:
    branches:
    - "**"
    types:
    - 'opened'
    - 'reopened'
    - 'synchronize'
  issue_comment:
    types:
    - 'created'

jobs:
  spelling:
    name: Check Spelling
    permissions:
      contents: read
      pull-requests: read
      actions: read
    outputs:
      followup: ${{ steps.spelling.outputs.followup }}
    runs-on: ubuntu-latest
    if: ${{ contains(github.event_name, 'pull_request') || github.event_name == 'push' }}
    concurrency:
      group: spelling-${{ github.event.pull_request.number || github.ref }}
      # note: If you use only_check_changed_files, you do not want cancel-in-progress
      cancel-in-progress: true
    steps:
    - name: check-spelling
      id: spelling
      uses: check-spelling/check-spelling@prerelease
      with:
        config: .github/actions/spelling-data
        suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
        checkout: true
        check_file_names: 1
        spell_check_this: check-spelling/spell-check-this@prerelease
        post_comment: 0
        use_magic_file: 1
        report-timing: 1
        warnings: bad-regex,binary-file,deprecated-feature,ignored-expect-variant,large-file,limited-references,no-newline-at-eof,noisy-file,non-alpha-in-dictionary,token-is-substring,unexpected-line-ending,whitespace-in-dictionary,minified-file,unsupported-configuration,no-files-to-check
        experimental_apply_changes_via_bot: 1
        use_sarif: ${{ (!github.event.pull_request || (github.event.pull_request.head.repo.full_name == github.repository)) && 1 }}
        extra_dictionary_limit: 20
        extra_dictionaries:
          cspell:software-terms/dict/softwareTerms.txt

  comment-push:
    name: Report (Push)
    # If your workflow isn't running on push, you can remove this job
    runs-on: ubuntu-latest
    needs: spelling
    permissions:
      actions: read
      contents: write
    if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
    steps:
    - name: comment
      uses: check-spelling/check-spelling@prerelease
      with:
        config: .github/actions/spelling-data
        checkout: true
        spell_check_this: check-spelling/spell-check-this@prerelease
        task: ${{ needs.spelling.outputs.followup }}

  comment-pr:
    name: Report (PR)
    # If your workflow isn't running on pull_request*, you can remove this job
    runs-on: ubuntu-latest
    needs: spelling
    permissions:
      actions: read
      contents: read
      pull-requests: write
    if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
    steps:
    - name: comment
      uses: check-spelling/check-spelling@prerelease
      with:
        config: .github/actions/spelling-data
        checkout: true
        spell_check_this: check-spelling/spell-check-this@prerelease
        task: ${{ needs.spelling.outputs.followup }}
        experimental_apply_changes_via_bot: 1

  update:
    name: Update PR
    permissions:
      contents: write
      pull-requests: write
      actions: read
    runs-on: ubuntu-latest
    if: ${{
        github.event_name == 'issue_comment' &&
        github.event.issue.pull_request &&
        contains(github.event.comment.body, '@check-spelling-bot apply')
      }}
    concurrency:
      group: spelling-update-${{ github.event.issue.number }}
      cancel-in-progress: false
    steps:
    - name: apply spelling updates
      uses: check-spelling/check-spelling@prerelease
      with:
        config: .github/actions/spelling-data
        experimental_apply_changes_via_bot: 1
        checkout: true
        ssh_key: "${{ secrets.CHECK_SPELLING }}"

Relevant log output

> Error: failed to fetch "https://github.com/check-spelling/check-spelling" version "prerelease": authentication required

Additional information

https://github.com/settings/tokens?type=beta
https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28

Apparently I have an expired GITHUB_TOKEN in `.secrets` which has precedence over the `-s GITHUB_TOKEN=...`. This is undesirable.

kerem 2026-03-01 21:48:23 +03:00
  • closed this issue
  • added the
    kind/bug
    label
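The issue above is that a value from `.secrets` silently beats an explicit `-s` value. As an added Go example (not act's own code; act's real secret loading and its `.secrets` parsing library are different), the following parses a dotenv-style `.secrets` file and `-s` arguments, merges them so the explicit CLI value wins, and reports the names the file would otherwise have shadowed so a stale token is surfaced instead of silently used. The `.secrets` line format and the bare `-s NAME` environment fallback are assumptions.

```go
package main

import (
	"os"
	"sort"
	"strings"
)

// Secrets maps a secret name to its value, as -s flags and a .secrets file both yield.
type Secrets map[string]string

// ParseSecretsFile reads dotenv-style KEY=VALUE lines (assumed format):
// blank lines and '#' comments are skipped, surrounding quotes are stripped.
func ParseSecretsFile(content string) Secrets {
	out := Secrets{}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			out[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), "\"'")
		}
	}
	return out
}

// ParseCLISecrets handles "NAME=VALUE" from -s; a bare "NAME" falls back to
// the environment variable of that name (assumed to mirror act's --secret flag).
func ParseCLISecrets(args []string) Secrets {
	out := Secrets{}
	for _, a := range args {
		if k, v, ok := strings.Cut(a, "="); ok {
			out[k] = v
		} else if v, ok := os.LookupEnv(a); ok {
			out[a] = v
		}
	}
	return out
}

// MergeSecrets lets an explicit -s value win over the file copy and reports
// which names the file would otherwise have shadowed, so a stale token in
// .secrets gets logged by the caller instead of silently taking precedence.
func MergeSecrets(file, cli Secrets) (Secrets, []string) {
	merged := Secrets{}
	for k, v := range file {
		merged[k] = v
	}
	var shadowed []string
	for k, v := range cli {
		if old, ok := merged[k]; ok && old != v {
			shadowed = append(shadowed, k)
		}
		merged[k] = v
	}
	sort.Strings(shadowed)
	return merged, shadowed
}
```

A caller can log each name in the returned slice before running the job, which is exactly the warning that would have made the expired token in this issue obvious.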
Author
Owner

@ChristopherHX commented on GitHub (Feb 2, 2024):

Weird I have just created a fine grained PAT.

With almost no access, but `- uses: actions/cache@refs/heads/main` and other public actions didn't break for me

(Screenshot from 2024-02-02 22-50-59: https://github.com/nektos/act/assets/44845461/e7c1b61d-904f-49ab-8423-7318e2c20f3d)

Does act use the correct GITHUB_TOKEN?

Using `- uses: christopherhx/ghat3@test` works, access denied for you
Using `- uses: christopherhx/ghat2@test` access denied, but expected

Using a `.secrets` file with content

GITHUB_TOKEN=github_pat_...

BTW: I don't care about leaking these private repo names.

Author
Owner

@ChristopherHX commented on GitHub (Feb 2, 2024):

A `.secrets` file with an invalid GITHUB_TOKEN secret seems to override the GITHUB_TOKEN passed from the CLI.

Is that the bug you are seeing?

Author
Owner

@jsoref commented on GitHub (Feb 2, 2024):

You're right, there was an expired token in `.secrets`.

Sorry.
