[GH-ISSUE #2698] Job output secret accessible in act not in github action #1221

Open
opened 2026-03-01 21:49:46 +03:00 by kerem · 0 comments

Originally created by @ErnestoArtigas on GitHub (Mar 17, 2025).
Original GitHub issue: https://github.com/nektos/act/issues/2698

Bug report info

act version:            0.2.75
GOOS:                   windows
GOARCH:                 amd64
NumCPU:                 16
Docker host:            DOCKER_HOST environment variable is not set
Sockets found:
        \\.\pipe\docker_engine(broken)
Config files:
        C:\Users\MyUser\AppData\Local\act\actrc:
                -P ubuntu-latest=catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.23.6
        Module path:           github.com/nektos/act
        Main version:          (devel)
        Main path:             github.com/nektos/act
        Main checksum:
        Build settings:
                -buildmode:           exe
                -compiler:            gc
                -ldflags:             -s -w -X main.version=0.2.75 -X main.commit=bd97dc8d9422a8b04e6193c6c86afa8a7a693fdf -X main.date=2025-03-01T02:31:09Z -X main.builtBy=goreleaser
                CGO_ENABLED:          0
                GOARCH:               amd64
                GOOS:                 windows
                GOAMD64:              v1
                vcs:                  git
                vcs.revision:         bd97dc8d9422a8b04e6193c6c86afa8a7a693fdf
                vcs.time:             2025-03-01T02:30:53Z
                vcs.modified:         false
Docker Engine:
        Engine version:        28.0.1
        Engine runtime:        runc
        Cgroup version:        1
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Docker Desktop
        OS type:               linux
        OS version:
        OS arch:               x86_64
        OS kernel:             5.15.153.1-microsoft-standard-WSL2
        OS CPU:                16
        OS memory:             15946 MB
        Security options:
                name=seccomp,profile=unconfined

Command used with act

act -W .\.github\workflows\test-workflow.yaml --secret VARIABLE=dummy

Describe issue

I've found a bug where you can use the output of a job that GitHub flags as a secret, whereas on GitHub Actions' runner it won't be picked up.

In this stripped down code, I have a workflow with two jobs. first_job outputs a value called secret_variable, whose value is a secret that is output in the step dummy_step. The second job, test, tries to use it. In act, it outputs the value without issues:

[Test workflow/test     ] ⭐ Run Main echo output [***]
[Test workflow/test     ]   🐳  docker exec cmd=[bash -e /var/run/act/workflow/0] user= workdir=
| output [***]
[Test workflow/test     ]   ✅  Success - Main echo output [***]

However, in Github Actions' runner, it won't be picked up:

2025-03-17T19:15:41.5516700Z ##[group]Run echo output []
2025-03-17T19:15:41.5518055Z echo output []
2025-03-17T19:15:41.5954286Z shell: /usr/bin/bash -e {0}
2025-03-17T19:15:41.5955824Z ##[endgroup]
2025-03-17T19:15:41.6220465Z output []

From the logs from the first_job, Github Actions' runner won't pick the secret because it's flagged as well:

2025-03-17T19:15:33.3559517Z ##[warning]Skip output 'secret_variable' since it may contain secret.

The only way to "fix" the issue is to move the dummy_step into the same job that calls it, as GitHub refuses to output a secret-flagged variable from one job to another. Act not acting like GitHub Actions led me to an issue where my workflow worked locally, but not on GitHub Actions' runner.

Link to GitHub repository

No response

Workflow content

name: Test workflow

on:
  push:
    branches:
      - "main"

jobs:
  first_job:
    runs-on: ubuntu-latest
    outputs:
      secret_variable: ${{ steps.dummy_step.outputs.value }}

    steps:
      - id: dummy_step
        run: echo "value=${{ secrets.VARIABLE }}" >> $GITHUB_OUTPUT

  test:
    needs: [first_job]
    runs-on: ubuntu-latest

    steps:
      - run: echo output [${{ needs.first_job.outputs.secret_variable }}]

Relevant log output

Because there were multiple logs, they are included in the Describe issue paragraph

Additional information

No response
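
Added example, not part of the original issue and not code from act or the GitHub runner: a Go model of the hosted-runner behaviour reported above, where a job output whose value contains a registered secret is dropped with the `Skip output` warning before dependent jobs can read it. The function names and the substring matching rule are assumptions; the issue only shows the warning text and the resulting empty value.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FilterJobOutputs returns the outputs a dependent job may read, plus one
// warning per dropped output. An output is dropped when its value contains
// any non-empty secret value (assumed matching rule, not taken from the page).
func FilterJobOutputs(outputs map[string]string, secrets []string) (map[string]string, []string) {
	kept := make(map[string]string, len(outputs))
	var warnings []string

	// Sort the names so warnings are emitted in a stable order.
	names := make([]string, 0, len(outputs))
	for name := range outputs {
		names = append(names, name)
	}
	sort.Strings(names)

	for _, name := range names {
		if containsSecret(outputs[name], secrets) {
			warnings = append(warnings,
				fmt.Sprintf("Skip output '%s' since it may contain secret.", name))
			continue
		}
		kept[name] = outputs[name]
	}
	return kept, warnings
}

// containsSecret reports whether value includes any registered secret.
func containsSecret(value string, secrets []string) bool {
	for _, s := range secrets {
		// An empty secret would match every string, so it is ignored.
		if s != "" && strings.Contains(value, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input mirroring this issue: --secret VARIABLE=dummy and
	// first_job exposing that value as secret_variable. build_id is made up.
	outputs := map[string]string{"secret_variable": "dummy", "build_id": "1234"}
	kept, warnings := FilterJobOutputs(outputs, []string{"dummy"})
	fmt.Println(kept, warnings)
}
```

With the dropped output absent, `needs.first_job.outputs.secret_variable` evaluates to an empty string in the `test` job, which matches the `output []` line in the GitHub log above.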
