[GH-ISSUE #2392] actions/checkout fails with: ref: ${{ github.event.pull_request.head.sha }} with un-pushed commits #1099

New issue

Closed

opened 2026-03-01 21:48:53 +03:00 by kerem · 8 comments

kerem commented 2026-03-01 21:48:53 +03:00

Owner

Copy link

Originally created by @brianjmurrell on GitHub (Jul 9, 2024).
Original GitHub issue: https://github.com/nektos/act/issues/2392

Bug report info

act version:            0.2.64
GOOS:                   linux
GOARCH:                 amd64
NumCPU:                 12
Docker host:            unix:///run/user/1001/podman/podman.sock
Sockets found:
        /var/run/docker.sock(broken)
        $XDG_RUNTIME_DIR/podman/podman.sock
Config files:           
        /home/brian/.config/act/actrc:
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.22.4
        Module path:           github.com/nektos/act
        Main version:          (devel)
        Main path:             github.com/nektos/act
        Main checksum:         
        Build settings:
                -buildmode:           pie
                -compiler:            gc
                -trimpath:            true
                DefaultGODEBUG:       httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
                CGO_ENABLED:          1
                GOARCH:               amd64
                GOOS:                 linux
                GOAMD64:              v1
Docker Engine:
        Engine version:        5.1.1
        Engine runtime:        crun
        Cgroup version:        2
        Cgroup driver:         systemd
        Storage driver:        overlay
        Registry URI:          
        OS:                    fedora
        OS type:               linux
        OS version:            40
        OS arch:               amd64
        OS kernel:             6.9.6-200.fc40.x86_64
        OS CPU:                12
        OS memory:             63943 MB
        Security options:
                name=seccomp,profile=default
                name=rootless
                name=selinux

Command used with act

act

Describe issue

It appears that act does some kind of override when it encounters:

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

where it copies the local directory to where the workflow is being run:

[Linting/ShellCheck] ⭐ Run Main Checkout code
[Linting/ShellCheck]   🐳  docker cp src=/foo/actions-lib/. dst=/foo/actions-lib
[Linting/ShellCheck]   ✅  Success - Main Checkout code

This seems reasonable/

This override does not seem to happen though when one adds:

        with:
          ref: ${{ github.event.pull_request.head.sha }}

to the actions/checkout step.

While it seems reasonable not to invoke the override when one specifies a ref:, I think when the ref is ${{ github.event.pull_request.head.sha }}, one expects the job to act on the current directory the same as if the ref: was not specified.

Link to GitHub repository

No response

Workflow content

name: Linting

# Always run on Pull Requests as then these checks can be marked as required.
on:
  push:
    branches:
      - master
  pull_request:

permissions: {}

jobs:
  shell-check:
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Add error parser
        run: echo -n "::add-matcher::shellcheck-matcher.json"
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@2.0.0
        with:
          format: gcc

  linting-summary:
    name: Linting Summary
    runs-on: ubuntu-22.04
    needs: [shell-check]
    if: (!cancelled())
    steps:
      - name: Check if any job failed
        run: |
          if [[ -z "$(echo "${{ join(needs.*.result, '') }}" | sed -e 's/success//g')" ]]; then
            echo "All jobs succeeded"
          else
            echo "One or more jobs did not succeed"
            exit 1
          fi

Relevant log output

I suspect this is not really necessary.  If it is, I can add it.

Additional information

No response

Originally created by @brianjmurrell on GitHub (Jul 9, 2024). Original GitHub issue: https://github.com/nektos/act/issues/2392 ### Bug report info ```plain text act version: 0.2.64 GOOS: linux GOARCH: amd64 NumCPU: 12 Docker host: unix:///run/user/1001/podman/podman.sock Sockets found: /var/run/docker.sock(broken) $XDG_RUNTIME_DIR/podman/podman.sock Config files: /home/brian/.config/act/actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.22.4 Module path: github.com/nektos/act Main version: (devel) Main path: github.com/nektos/act Main checksum: Build settings: -buildmode: pie -compiler: gc -trimpath: true DefaultGODEBUG: httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1 CGO_ENABLED: 1 GOARCH: amd64 GOOS: linux GOAMD64: v1 Docker Engine: Engine version: 5.1.1 Engine runtime: crun Cgroup version: 2 Cgroup driver: systemd Storage driver: overlay Registry URI: OS: fedora OS type: linux OS version: 40 OS arch: amd64 OS kernel: 6.9.6-200.fc40.x86_64 OS CPU: 12 OS memory: 63943 MB Security options: name=seccomp,profile=default name=rootless name=selinux ``` ### Command used with act ```sh act ``` ### Describe issue It appears that `act` does some kind of override when it encounters: ```yaml steps: - name: Checkout code uses: actions/checkout@v4 ``` where it copies the local directory to where the workflow is being run: ``` [Linting/ShellCheck] ⭐ Run Main Checkout code [Linting/ShellCheck] 🐳 docker cp src=/foo/actions-lib/. dst=/foo/actions-lib [Linting/ShellCheck] ✅ Success - Main Checkout code ``` This seems reasonable/ This override does not seem to happen though when one adds: ``` with: ref: ${{ github.event.pull_request.head.sha }} ``` to the `actions/checkout` step. While it seems reasonable not to invoke the override when one specifies a `ref:`, I think when the _ref_ is `${{ github.event.pull_request.head.sha }}`, one expects the job to act on the current directory the same as if the `ref:` was not specified. ### Link to GitHub repository _No response_ ### Workflow content ```yml name: Linting # Always run on Pull Requests as then these checks can be marked as required. on: push: branches: - master pull_request: permissions: {} jobs: shell-check: name: ShellCheck runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} - name: Add error parser run: echo -n "::add-matcher::shellcheck-matcher.json" - name: Run ShellCheck uses: ludeeus/action-shellcheck@2.0.0 with: format: gcc linting-summary: name: Linting Summary runs-on: ubuntu-22.04 needs: [shell-check] if: (!cancelled()) steps: - name: Check if any job failed run: | if [[ -z "$(echo "${{ join(needs.*.result, '') }}" | sed -e 's/success//g')" ]]; then echo "All jobs succeeded" else echo "One or more jobs did not succeed" exit 1 fi ``` ### Relevant log output ```sh I suspect this is not really necessary. If it is, I can add it. ``` ### Additional information _No response_

kerem 2026-03-01 21:48:53 +03:00

• closed this issue
• added the
  stale
  kind/bug
  labels

kerem commented 2026-03-01 21:48:54 +03:00

Author

Owner

Copy link

@brianjmurrell commented on GitHub (Jul 17, 2024):

Any thoughts on this one? It's kind of defeating the purpose of act to have to keep pushing every tiny change to GitHub.

<!-- gh-comment-id:2233718060 --> @brianjmurrell commented on GitHub (Jul 17, 2024): Any thoughts on this one? It's kind of defeating the purpose of `act` to have to keep pushing every tiny change to GitHub.

kerem commented 2026-03-01 21:48:54 +03:00

Author

Owner

Copy link

@cwrau commented on GitHub (Jul 24, 2024):

Any thoughts on this one? It's kind of defeating the purpose of act to have to keep pushing every tiny change to GitHub.

Similar thing is happening to us, we're trying to test CI without pushing, but act fails with;

| [command]/usr/bin/git branch --list --remote origin/fix/base-cluster/kube-janitor-image
[getChangedCharts/Get changed charts in last commit/getChangedCharts]   💬  ::debug::0
[getChangedCharts/Get changed charts in last commit/getChangedCharts]   💬  ::debug::
| [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image
| fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994
| The process '/usr/bin/git' failed with exit code 128
| Waiting 19 seconds before trying again
| [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image
| fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994
| The process '/usr/bin/git' failed with exit code 128
| Waiting 16 seconds before trying again
| [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image
| fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994

fix/base-cluster/kube-janitor-image being the local and not pushed branch I'm currently working on

<!-- gh-comment-id:2247441438 --> @cwrau commented on GitHub (Jul 24, 2024): > Any thoughts on this one? It's kind of defeating the purpose of `act` to have to keep pushing every tiny change to GitHub. Similar thing is happening to us, we're trying to test CI without pushing, but `act` fails with; ``` | [command]/usr/bin/git branch --list --remote origin/fix/base-cluster/kube-janitor-image [getChangedCharts/Get changed charts in last commit/getChangedCharts] 💬 ::debug::0 [getChangedCharts/Get changed charts in last commit/getChangedCharts] 💬 ::debug:: | [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image | fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994 | The process '/usr/bin/git' failed with exit code 128 | Waiting 19 seconds before trying again | [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image | fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994 | The process '/usr/bin/git' failed with exit code 128 | Waiting 16 seconds before trying again | [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules origin +2692876eaaecf95c4ccdc5086f1fda7ec35f3994:refs/remotes/origin/fix/base-cluster/kube-janitor-image | fatal: remote error: upload-pack: not our ref 2692876eaaecf95c4ccdc5086f1fda7ec35f3994 ``` `fix/base-cluster/kube-janitor-image` being the local and not pushed branch I'm currently working on

kerem commented 2026-03-01 21:48:54 +03:00

Author

Owner

Copy link

@barneyjackson commented on GitHub (Sep 5, 2024):

Looking at the same issue. Could the --local-repository flag be helpful?

Will report back any findings...

<!-- gh-comment-id:2332206397 --> @barneyjackson commented on GitHub (Sep 5, 2024): Looking at the same issue. Could the `--local-repository` flag be helpful? Will report back any findings...

kerem commented 2026-03-01 21:48:54 +03:00

Author

Owner

Copy link

@nmarulo commented on GitHub (Sep 17, 2024):

I have the same problem.

<!-- gh-comment-id:2356199846 --> @nmarulo commented on GitHub (Sep 17, 2024): I have the same problem.

kerem commented 2026-03-01 21:48:55 +03:00

Author

Owner

Copy link

@neumachen commented on GitHub (Sep 19, 2024):

I think the issue here is not in act by itself, but in the action/checkout action. I tried the --local-repository, but no dice. Unless we can redirect the clone from Github, to the local copy, or even skip it, I think that would fix this.

<!-- gh-comment-id:2362206552 --> @neumachen commented on GitHub (Sep 19, 2024): I think the issue here is not in act by itself, but in the action/checkout action. I tried the --local-repository, but no dice. Unless we can redirect the clone from Github, to the local copy, or even skip it, I think that would fix this.

kerem commented 2026-03-01 21:48:55 +03:00

Author

Owner

Copy link

@robwhiteston commented on GitHub (Oct 10, 2024):

I am not sure if this is related to this bug, or if its something different, but I started using act today and I am seeing a weird failure related actions/checkout@v4. My action file has 5 jobs in it. In the first job, we checkout the repo with actions/checkout like this:

Increment_Release_Tag:
    runs-on:  ${{ vars.GHA_RUNTIME_IMAGE }}
    outputs:
      NEW_TAG: ${{ steps.calculate_new_tag.outputs.NEW_TAG }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
...

And that works just fine. But, in the second job, we checkout the repo again like this:

Build_Packages_And_Push_To_Code_Artifact:
    needs: [Increment_Release_Tag]
    runs-on: ${{ vars.GHA_RUNTIME_IMAGE }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ needs.Increment_Release_Tag.outputs.NEW_TAG }}

And this step fails with what looks like an authentication error related to cloning the "actions" repo:

[Release-Creation/Build_Packages_And_Push_To_Code_Artifact] 🐳 docker exec cmd=[node --no-warnings -e console.log(process.execPath)] user= workdir=
[Release-Creation/Build_Packages_And_Push_To_Code_Artifact] ☁ git clone 'https://github.com/actions/checkout' # ref=v4
[Release-Creation/Build_Packages_And_Push_To_Code_Artifact] Unable to clone https://github.com/actions/checkout refs/heads/v4: authentication required

I tried adding an if: ${{ env.ACT }} line to the second job's checkout call to skip it, but, it seems like the step can't be skipped (or I am doing it wrong). Also, if I remove the 'with: ref...' clauses from the checkout step, I get the same error.

<!-- gh-comment-id:2403656590 --> @robwhiteston commented on GitHub (Oct 10, 2024): I am not sure if this is related to this bug, or if its something different, but I started using act today and I am seeing a weird failure related `actions/checkout@v4`. My action file has 5 jobs in it. In the first job, we checkout the repo with actions/checkout like this: ``` Increment_Release_Tag: runs-on: ${{ vars.GHA_RUNTIME_IMAGE }} outputs: NEW_TAG: ${{ steps.calculate_new_tag.outputs.NEW_TAG }} steps: - name: Checkout uses: actions/checkout@v4 with: fetch-depth: 0 ... ``` And that works just fine. But, in the second job, we checkout the repo again like this: ``` Build_Packages_And_Push_To_Code_Artifact: needs: [Increment_Release_Tag] runs-on: ${{ vars.GHA_RUNTIME_IMAGE }} steps: - name: Checkout uses: actions/checkout@v4 with: ref: ${{ needs.Increment_Release_Tag.outputs.NEW_TAG }} ``` And this step fails with what looks like an authentication error related to cloning the "actions" repo: >[Release-Creation/Build_Packages_And_Push_To_Code_Artifact] 🐳 docker exec cmd=[node --no-warnings -e console.log(process.execPath)] user= workdir= [Release-Creation/Build_Packages_And_Push_To_Code_Artifact] ☁ git clone 'https://github.com/actions/checkout' # ref=v4 [Release-Creation/Build_Packages_And_Push_To_Code_Artifact] Unable to clone https://github.com/actions/checkout refs/heads/v4: authentication required I tried adding an `if: ${{ env.ACT }}` line to the second job's checkout call to skip it, but, it seems like the step can't be skipped (or I am doing it wrong). Also, if I remove the 'with: ref...' clauses from the checkout step, I get the same error.

kerem commented 2026-03-01 21:48:55 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Apr 9, 2025):

Issue is stale and will be closed in 14 days unless there is new activity

<!-- gh-comment-id:2787916771 --> @github-actions[bot] commented on GitHub (Apr 9, 2025): Issue is stale and will be closed in 14 days unless there is new activity

kerem commented 2026-03-01 21:48:55 +03:00

Author

Owner

Copy link

@surgiie commented on GitHub (Oct 31, 2025):

I have hit very similar issues and tedious roadblocks due to unpushed commits, i opened a feature request ticket; https://github.com/nektos/act/issues/2392

<!-- gh-comment-id:3474642761 --> @surgiie commented on GitHub (Oct 31, 2025): I have hit very similar issues and tedious roadblocks due to unpushed commits, i opened a feature request ticket; https://github.com/nektos/act/issues/2392

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/go_modules/github.com/go-git/go-git/v5-5.18.0

dependabot/go_modules/dependencies-08815e2262

mergify/configuration-deprecated-update

dependabot/github_actions/dependencies-a3a104477f

chore/simplify-ci-and-makefile

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

panekj/ci/improve-jobs

fix-skip-non-yaml-files-in-dir

normalize-pull-rebuild-flags

fix-no-recurse-by-default

2517-poor-error-for-incomplete-action-step

2472-make-use-new-action-cache-the-new-default-for-downloading-actions

act-tart

act-lxc

act-oidc

act-dind

avoid-slash-in-actor

dependabot/go_modules/github.com/docker/docker-26.1.4incompatible

meta-keep-filetime

local-repository-action-cache

pr-merger

update-docker-deps

follow_local_action_symlink

boltdb-lock-in-handler

use-socket-path

no-pull-no-rebuild

path-issues

fix/env

feat/podman

refactor/testdata

v0.2.87

v0.2.86

v0.2.85

v0.2.84

v0.2.83

v0.2.82

v0.2.81

v0.2.80

v0.2.79

v0.2.78

v0.2.77

v0.2.76

v0.2.75

v0.2.74

v0.2.73

v0.2.72

v0.2.71

v0.2.70

v0.2.69

v0.2.68

v0.2.67

v0.2.66

v0.2.65

v0.2.64

v0.2.63

v0.2.62

v0.2.61

v0.2.60

v0.2.59

v0.2.58

v0.2.57

v0.2.56

v0.2.55

v0.2.54

v0.2.53

v0.2.52

v0.2.51

v0.2.50

v0.2.49

v0.2.48

v0.2.47

v0.2.46

v0.2.45

v0.2.44

v0.2.43

v0.2.42

v0.2.41

v0.2.40

v0.2.39

v0.2.38

v0.2.37

v0.2.36

v0.2.35

v0.2.34

v0.2.33

v0.2.32

v0.2.31

v0.2.30

v0.2.29

v0.2.28

v0.2.27

v0.2.26

v0.2.25

v0.2.24

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

area/action

  

area/cli

  

area/docs

  

area/image

  

area/runner

  

area/workflow

  

backlog

  

confirmed/not-planned

  

kind/bug

  

kind/discussion

  

kind/external

  

kind/feature-request

  

kind/question

  

meta/duplicate

  

meta/invalid

  

meta/need-more-info

  

meta/resolved

  

meta/wontfix

  

meta/workaround

  

needs-work

  

pull-request

Mirrored from GitHub Pull Request

  

review/not-planned

  

size/M

  

size/XL

  

size/XXL

  

stale

  

stale-exempt

No labels

area/action

area/cli

area/docs

area/image

area/runner

area/workflow

backlog

confirmed/not-planned

kind/bug

kind/discussion

kind/external

kind/feature-request

kind/question

meta/duplicate

meta/invalid

meta/need-more-info

meta/resolved

meta/wontfix

meta/workaround

needs-work

pull-request

review/not-planned

size/M

size/XL

size/XXL

stale

stale-exempt

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/act#1099

No description provided.