[GH-ISSUE #1387] Multiline Environment variables isn't propagated by act between steps #731

New issue

Closed

opened 2026-03-01 21:45:53 +03:00 by kerem · 1 comment

kerem commented 2026-03-01 21:45:53 +03:00

Owner

Copy link

Originally created by @zukwung on GitHub (Oct 13, 2022).
Original GitHub issue: https://github.com/nektos/act/issues/1387

Bug report info

act version:            0.2.32
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is unset/empty.
Sockets found:
	/var/run/docker.sock
Config files:
	/Users/zack.wang/.actrc:
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
	Go version:            go1.19.1
	Module path:           command-line-arguments
	Main version:
	Main path:
	Main checksum:
	Build settings:
		-compiler:            gc
		-ldflags:             -X main.version=0.2.32
		CGO_ENABLED:          1
		CGO_CFLAGS:
		CGO_CPPFLAGS:
		CGO_CXXFLAGS:
		CGO_LDFLAGS:
		GOARCH:               arm64
		GOOS:                 darwin
Docker Engine:
	Engine version:        20.10.17
	Engine runtime:        runc
	Cgroup version:        2
	Cgroup driver:         cgroupfs
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Docker Desktop
	OS type:               linux
	OS version:
	OS arch:               aarch64
	OS kernel:             5.10.124-linuxkit
	OS CPU:                5
	OS memory:             7851 MB
	Security options:
		name=seccomp,profile=default
		name=cgroupns

Command used with act

act -W .github/workflows/deploy-dev.yml -s ARTIFACTORY_USER -s ARTIFACTORY_PASSWORD -s GCP_SA_CICD_KEY="$(cat ~/.google/zack-wang.json | jq -rc )" --container-architecture linux/amd64

Describe issue

I noticed that the environment variable that the google-github-actions/auth@v0 action was not being propagated to the google-github-actions/setup-gcloud@v0 action. This is the recommended way by Google, and works in Github Actions.

What I did notice was that Google's auth module uses exportVariable from actions/toolkit, which seems like they recently added an UUID to the multiline environment variables, which means that the way that act matches multiline environment variables in the GITHUB_ENV file no longer works.

I tried playing around with the regex a little bit but I'm pretty bad at regex, otherwise I would submit a PR. What I noticed using regexr is the (\w+) part of ^([^<]+)<<(\w+)$ doesn't match the UUID, which is the issue.

Link to GitHub repository

No response

Workflow content

name: Deploy dev
on:
  push:
    branches:
      - develop
env:
  ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
  ARTIFACTORY_PASS: ${{ secrets.ARTIFACTORY_PASSWORD }}
  GCP_PROJECT: some-project
  ENVIRONMENT: dev
jobs:
  deploy:
    name: Deploy to dev
    permissions:
      contents: "read"
      id-token: "write"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@master
        with:
          fetch-depth: 0
      - name: Build
        run: |
          make build
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.GCP_SA_CICD_KEY }}
          project_id: ${{ env.GCP_PROJECT }}
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v0

Relevant log output

[Deploy dev/Deploy to dev] ⭐ Run Main Authenticate to Google Cloud
[Deploy dev/Deploy to dev]   🐳  docker cp src=/Users/***/.cache/act/google-github-actions-auth@v0/ dst=/var/run/act/actions/google-github-actions-auth@v0/
[Deploy dev/Deploy to dev]   🐳  docker exec cmd=[node /var/run/act/actions/google-github-actions-auth@v0/dist/main/index.js] user= workdir=
[Deploy dev/Deploy to dev]   💬  ::debug::Using credentials JSON
[Deploy dev/Deploy to dev]   💬  ::debug::Creating credentials file
| Created credentials file at "/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json"
|
[Deploy dev/Deploy to dev]   ⚙  ::set-output:: credentials_file_path=/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json
|
[Deploy dev/Deploy to dev]   ⚙  ::set-output:: project_id=some-project
[Deploy dev/Deploy to dev]   🚧  ::warning::Overwriting existing environment variable GCP_PROJECT (was: "some-project")
[Deploy dev/Deploy to dev]   ✅  Success - Main Authenticate to Google Cloud
[Deploy dev/Deploy to dev] ⭐ Run Main Setup gcloud
[Deploy dev/Deploy to dev]   🐳  docker cp src=/Users/***/.cache/act/google-github-actions-setup-gcloud@v0/ dst=/var/run/act/actions/google-github-actions-setup-gcloud@v0/
[Deploy dev/Deploy to dev]   🐳  docker exec cmd=[node /var/run/act/actions/google-github-actions-setup-gcloud@v0/dist/main/index.js] user= workdir=
[Deploy dev/Deploy to dev]   💬  ::debug::isExplicit: 405.0.0
[Deploy dev/Deploy to dev]   💬  ::debug::explicit? true
[Deploy dev/Deploy to dev]   💬  ::debug::checking cache: /opt/hostedtoolcache/gcloud/405.0.0/x64
[Deploy dev/Deploy to dev]   💬  ::debug::not found
[Deploy dev/Deploy to dev]   💬  ::debug::Downloading https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-405.0.0-linux-x86_64.tar.gz
[Deploy dev/Deploy to dev]   💬  ::debug::Destination /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0
[Deploy dev/Deploy to dev]   💬  ::debug::download complete
[Deploy dev/Deploy to dev]   💬  ::debug::Checking tar --version
[Deploy dev/Deploy to dev]   💬  ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason.
| [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948 -f /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0
[Deploy dev/Deploy to dev]   💬  ::debug::Caching tool gcloud 405.0.0 x64
[Deploy dev/Deploy to dev]   💬  ::debug::source dir: /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948/google-cloud-sdk
[Deploy dev/Deploy to dev]   💬  ::debug::destination /opt/hostedtoolcache/gcloud/405.0.0/x64
[Deploy dev/Deploy to dev]   💬  ::debug::finished caching tool
| No credentials detected, skipping authentication
[Deploy dev/Deploy to dev]   ✅  Success - Main Setup gcloud

Additional information

I also outputted the GITHUB_ENV file for reference, here is a snippet of the variables I need for gcloud setup to work.

...
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE<<ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36
GOOGLE_APPLICATION_CREDENTIALS<<ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928
GOOGLE_GHA_CREDS_PATH<<ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d
...

Originally created by @zukwung on GitHub (Oct 13, 2022). Original GitHub issue: https://github.com/nektos/act/issues/1387 ### Bug report info ```plain text act version: 0.2.32 GOOS: darwin GOARCH: arm64 NumCPU: 10 Docker host: DOCKER_HOST environment variable is unset/empty. Sockets found: /var/run/docker.sock Config files: /Users/zack.wang/.actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.19.1 Module path: command-line-arguments Main version: Main path: Main checksum: Build settings: -compiler: gc -ldflags: -X main.version=0.2.32 CGO_ENABLED: 1 CGO_CFLAGS: CGO_CPPFLAGS: CGO_CXXFLAGS: CGO_LDFLAGS: GOARCH: arm64 GOOS: darwin Docker Engine: Engine version: 20.10.17 Engine runtime: runc Cgroup version: 2 Cgroup driver: cgroupfs Storage driver: overlay2 Registry URI: https://index.docker.io/v1/ OS: Docker Desktop OS type: linux OS version: OS arch: aarch64 OS kernel: 5.10.124-linuxkit OS CPU: 5 OS memory: 7851 MB Security options: name=seccomp,profile=default name=cgroupns ``` ### Command used with act ```sh act -W .github/workflows/deploy-dev.yml -s ARTIFACTORY_USER -s ARTIFACTORY_PASSWORD -s GCP_SA_CICD_KEY="$(cat ~/.google/zack-wang.json | jq -rc )" --container-architecture linux/amd64 ``` ### Describe issue I noticed that the environment variable that the `google-github-actions/auth@v0` action was not being propagated to the `google-github-actions/setup-gcloud@v0` action. This is the recommended way by Google, and works in Github Actions. What I did notice was that Google's auth module uses [exportVariable](https://github.com/google-github-actions/auth/blob/2671692c371cbef34ed8ded9f197670c88c9d343/src/main.ts#L299-L307) from actions/toolkit, which seems like they recently added [an UUID to the multiline environment variables](https://github.com/actions/toolkit/pull/1178/files#diff-9ce6eb99f5fb5529e795254801e03ae56d67d3d5fcbec635f91e9a8a61ad8b64R27-R47), which means that the way that act matches [multiline environment variables](https://github.com/nektos/act/blob/679cac167726d0c419e50a8dedc5ab9d34618c6d/pkg/container/docker_run.go#L448) in the `GITHUB_ENV` file no longer works. I tried playing around with the regex a little bit but I'm pretty bad at regex, otherwise I would submit a PR. What I noticed using regexr is the `(\w+)` part of `^([^<]+)<<(\w+)$` doesn't match the UUID, which is the issue. ### Link to GitHub repository _No response_ ### Workflow content ```yml name: Deploy dev on: push: branches: - develop env: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_PASS: ${{ secrets.ARTIFACTORY_PASSWORD }} GCP_PROJECT: some-project ENVIRONMENT: dev jobs: deploy: name: Deploy to dev permissions: contents: "read" id-token: "write" runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@master with: fetch-depth: 0 - name: Build run: | make build - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@v0 with: credentials_json: ${{ secrets.GCP_SA_CICD_KEY }} project_id: ${{ env.GCP_PROJECT }} - name: Setup gcloud uses: google-github-actions/setup-gcloud@v0 ``` ### Relevant log output ```sh [Deploy dev/Deploy to dev] ⭐ Run Main Authenticate to Google Cloud [Deploy dev/Deploy to dev] 🐳 docker cp src=/Users/***/.cache/act/google-github-actions-auth@v0/ dst=/var/run/act/actions/google-github-actions-auth@v0/ [Deploy dev/Deploy to dev] 🐳 docker exec cmd=[node /var/run/act/actions/google-github-actions-auth@v0/dist/main/index.js] user= workdir= [Deploy dev/Deploy to dev] 💬 ::debug::Using credentials JSON [Deploy dev/Deploy to dev] 💬 ::debug::Creating credentials file | Created credentials file at "/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json" | [Deploy dev/Deploy to dev] ⚙ ::set-output:: credentials_file_path=/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json | [Deploy dev/Deploy to dev] ⚙ ::set-output:: project_id=some-project [Deploy dev/Deploy to dev] 🚧 ::warning::Overwriting existing environment variable GCP_PROJECT (was: "some-project") [Deploy dev/Deploy to dev] ✅ Success - Main Authenticate to Google Cloud [Deploy dev/Deploy to dev] ⭐ Run Main Setup gcloud [Deploy dev/Deploy to dev] 🐳 docker cp src=/Users/***/.cache/act/google-github-actions-setup-gcloud@v0/ dst=/var/run/act/actions/google-github-actions-setup-gcloud@v0/ [Deploy dev/Deploy to dev] 🐳 docker exec cmd=[node /var/run/act/actions/google-github-actions-setup-gcloud@v0/dist/main/index.js] user= workdir= [Deploy dev/Deploy to dev] 💬 ::debug::isExplicit: 405.0.0 [Deploy dev/Deploy to dev] 💬 ::debug::explicit? true [Deploy dev/Deploy to dev] 💬 ::debug::checking cache: /opt/hostedtoolcache/gcloud/405.0.0/x64 [Deploy dev/Deploy to dev] 💬 ::debug::not found [Deploy dev/Deploy to dev] 💬 ::debug::Downloading https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-405.0.0-linux-x86_64.tar.gz [Deploy dev/Deploy to dev] 💬 ::debug::Destination /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0 [Deploy dev/Deploy to dev] 💬 ::debug::download complete [Deploy dev/Deploy to dev] 💬 ::debug::Checking tar --version [Deploy dev/Deploy to dev] 💬 ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason. | [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948 -f /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0 [Deploy dev/Deploy to dev] 💬 ::debug::Caching tool gcloud 405.0.0 x64 [Deploy dev/Deploy to dev] 💬 ::debug::source dir: /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948/google-cloud-sdk [Deploy dev/Deploy to dev] 💬 ::debug::destination /opt/hostedtoolcache/gcloud/405.0.0/x64 [Deploy dev/Deploy to dev] 💬 ::debug::finished caching tool | No credentials detected, skipping authentication [Deploy dev/Deploy to dev] ✅ Success - Main Setup gcloud ``` ### Additional information I also outputted the GITHUB_ENV file for reference, here is a snippet of the variables I need for gcloud setup to work. ``` ... CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE<<ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36 /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36 GOOGLE_APPLICATION_CREDENTIALS<<ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928 /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928 GOOGLE_GHA_CREDS_PATH<<ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d ... ```

kerem 2026-03-01 21:45:53 +03:00

• closed this issue
• added the
  kind/bug
  label

kerem commented 2026-03-01 21:45:54 +03:00

Author

Owner

Copy link

@jbvirt commented on GitHub (Jan 14, 2023):

I am still noticing this issue on the latest release.
For example this step in a composite action:

- name: "Verify file."
  uses: packagetest/composite-action/rockylinux@master
  with:
    args: bash "verify_file.sh" "${{ inputs.file }}" "${{ inputs.gpgKey }}"

In this step, inputs.gpgKey is a multi-line secret. It gets passed to a docker action like so:

runs:
using: docker
image: Dockerfile
args:
- "${{ inputs.args }}"

On GitHub, the startup script of the Dockerfile reads in the multiline secret as a single parameter. In act, however, the secret is treated as many different parameters and split on spaces.

The workaround for act is to wrap the multiline secret in dingle/double quotes in the workflow file like so:
"'${{ inputs.gpgKey }}'". Unfortunately, this will cause the secret to be wrapped in the quotes on GitHub, and it will need to be accounted for in any scripts using it as a parameter.

<!-- gh-comment-id:1382705988 --> @jbvirt commented on GitHub (Jan 14, 2023): I am still noticing this issue on the latest release. For example this step in a composite action: ```yaml - name: "Verify file." uses: packagetest/composite-action/rockylinux@master with: args: bash "verify_file.sh" "${{ inputs.file }}" "${{ inputs.gpgKey }}" ``` In this step, `inputs.gpgKey` is a multi-line secret. It gets passed to a docker action like so: ```yaml runs: using: docker image: Dockerfile args: - "${{ inputs.args }}" ``` On GitHub, the startup script of the Dockerfile reads in the multiline secret as a single parameter. In `act`, however, the secret is treated as many different parameters and split on spaces. The workaround for `act` is to wrap the multiline secret in dingle/double quotes in the workflow file like so: `"'${{ inputs.gpgKey }}'"`. Unfortunately, this will cause the secret to be wrapped in the quotes on GitHub, and it will need to be accounted for in any scripts using it as a parameter.

kerem referenced this issue 2026-03-01 21:51:47 +03:00

[PR #731] [MERGED] fix: update codecov action (again) #1582

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/go_modules/github.com/go-git/go-git/v5-5.18.0

dependabot/go_modules/dependencies-08815e2262

mergify/configuration-deprecated-update

dependabot/github_actions/dependencies-a3a104477f

chore/simplify-ci-and-makefile

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

panekj/ci/improve-jobs

fix-skip-non-yaml-files-in-dir

normalize-pull-rebuild-flags

fix-no-recurse-by-default

2517-poor-error-for-incomplete-action-step

2472-make-use-new-action-cache-the-new-default-for-downloading-actions

act-tart

act-lxc

act-oidc

act-dind

avoid-slash-in-actor

dependabot/go_modules/github.com/docker/docker-26.1.4incompatible

meta-keep-filetime

local-repository-action-cache

pr-merger

update-docker-deps

follow_local_action_symlink

boltdb-lock-in-handler

use-socket-path

no-pull-no-rebuild

path-issues

fix/env

feat/podman

refactor/testdata

v0.2.87

v0.2.86

v0.2.85

v0.2.84

v0.2.83

v0.2.82

v0.2.81

v0.2.80

v0.2.79

v0.2.78

v0.2.77

v0.2.76

v0.2.75

v0.2.74

v0.2.73

v0.2.72

v0.2.71

v0.2.70

v0.2.69

v0.2.68

v0.2.67

v0.2.66

v0.2.65

v0.2.64

v0.2.63

v0.2.62

v0.2.61

v0.2.60

v0.2.59

v0.2.58

v0.2.57

v0.2.56

v0.2.55

v0.2.54

v0.2.53

v0.2.52

v0.2.51

v0.2.50

v0.2.49

v0.2.48

v0.2.47

v0.2.46

v0.2.45

v0.2.44

v0.2.43

v0.2.42

v0.2.41

v0.2.40

v0.2.39

v0.2.38

v0.2.37

v0.2.36

v0.2.35

v0.2.34

v0.2.33

v0.2.32

v0.2.31

v0.2.30

v0.2.29

v0.2.28

v0.2.27

v0.2.26

v0.2.25

v0.2.24

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

area/action

  

area/cli

  

area/docs

  

area/image

  

area/runner

  

area/workflow

  

backlog

  

confirmed/not-planned

  

kind/bug

  

kind/discussion

  

kind/external

  

kind/feature-request

  

kind/question

  

meta/duplicate

  

meta/invalid

  

meta/need-more-info

  

meta/resolved

  

meta/wontfix

  

meta/workaround

  

needs-work

  

pull-request

Mirrored from GitHub Pull Request

  

review/not-planned

  

size/M

  

size/XL

  

size/XXL

  

stale

  

stale-exempt

No labels

area/action

area/cli

area/docs

area/image

area/runner

area/workflow

backlog

confirmed/not-planned

kind/bug

kind/discussion

kind/external

kind/feature-request

kind/question

meta/duplicate

meta/invalid

meta/need-more-info

meta/resolved

meta/wontfix

meta/workaround

needs-work

pull-request

review/not-planned

size/M

size/XL

size/XXL

stale

stale-exempt

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/act#731

No description provided.