[GH-ISSUE #1387] Multiline Environment variables isn't propagated by act between steps #731

Closed
opened 2026-03-01 21:45:53 +03:00 by kerem · 1 comment
Owner

Originally created by @zukwung on GitHub (Oct 13, 2022).
Original GitHub issue: https://github.com/nektos/act/issues/1387

Bug report info

act version:            0.2.32
GOOS:                   darwin
GOARCH:                 arm64
NumCPU:                 10
Docker host:            DOCKER_HOST environment variable is unset/empty.
Sockets found:
	/var/run/docker.sock
Config files:
	/Users/zack.wang/.actrc:
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
	Go version:            go1.19.1
	Module path:           command-line-arguments
	Main version:
	Main path:
	Main checksum:
	Build settings:
		-compiler:            gc
		-ldflags:             -X main.version=0.2.32
		CGO_ENABLED:          1
		CGO_CFLAGS:
		CGO_CPPFLAGS:
		CGO_CXXFLAGS:
		CGO_LDFLAGS:
		GOARCH:               arm64
		GOOS:                 darwin
Docker Engine:
	Engine version:        20.10.17
	Engine runtime:        runc
	Cgroup version:        2
	Cgroup driver:         cgroupfs
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Docker Desktop
	OS type:               linux
	OS version:
	OS arch:               aarch64
	OS kernel:             5.10.124-linuxkit
	OS CPU:                5
	OS memory:             7851 MB
	Security options:
		name=seccomp,profile=default
		name=cgroupns

Command used with act

act -W .github/workflows/deploy-dev.yml -s ARTIFACTORY_USER -s ARTIFACTORY_PASSWORD -s GCP_SA_CICD_KEY="$(cat ~/.google/zack-wang.json | jq -rc )" --container-architecture linux/amd64

Describe issue

I noticed that the environment variable that the google-github-actions/auth@v0 action was not being propagated to the google-github-actions/setup-gcloud@v0 action. This is the recommended way by Google, and works in Github Actions.

What I did notice was that Google's auth module uses exportVariable from actions/toolkit, which seems like they recently added an UUID to the multiline environment variables, which means that the way that act matches multiline environment variables in the GITHUB_ENV file no longer works.

I tried playing around with the regex a little bit but I'm pretty bad at regex, otherwise I would submit a PR. What I noticed using regexr is the (\w+) part of ^([^<]+)<<(\w+)$ doesn't match the UUID, which is the issue.

No response

Workflow content

name: Deploy dev
on:
  push:
    branches:
      - develop
env:
  ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
  ARTIFACTORY_PASS: ${{ secrets.ARTIFACTORY_PASSWORD }}
  GCP_PROJECT: some-project
  ENVIRONMENT: dev
jobs:
  deploy:
    name: Deploy to dev
    permissions:
      contents: "read"
      id-token: "write"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@master
        with:
          fetch-depth: 0
      - name: Build
        run: |
          make build
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.GCP_SA_CICD_KEY }}
          project_id: ${{ env.GCP_PROJECT }}
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v0

Relevant log output

[Deploy dev/Deploy to dev] ⭐ Run Main Authenticate to Google Cloud
[Deploy dev/Deploy to dev]   🐳  docker cp src=/Users/***/.cache/act/google-github-actions-auth@v0/ dst=/var/run/act/actions/google-github-actions-auth@v0/
[Deploy dev/Deploy to dev]   🐳  docker exec cmd=[node /var/run/act/actions/google-github-actions-auth@v0/dist/main/index.js] user= workdir=
[Deploy dev/Deploy to dev]   💬  ::debug::Using credentials JSON
[Deploy dev/Deploy to dev]   💬  ::debug::Creating credentials file
| Created credentials file at "/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json"
|
[Deploy dev/Deploy to dev]   ⚙  ::set-output:: credentials_file_path=/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json
|
[Deploy dev/Deploy to dev]   ⚙  ::set-output:: project_id=some-project
[Deploy dev/Deploy to dev]   🚧  ::warning::Overwriting existing environment variable GCP_PROJECT (was: "some-project")
[Deploy dev/Deploy to dev]   ✅  Success - Main Authenticate to Google Cloud
[Deploy dev/Deploy to dev] ⭐ Run Main Setup gcloud
[Deploy dev/Deploy to dev]   🐳  docker cp src=/Users/***/.cache/act/google-github-actions-setup-gcloud@v0/ dst=/var/run/act/actions/google-github-actions-setup-gcloud@v0/
[Deploy dev/Deploy to dev]   🐳  docker exec cmd=[node /var/run/act/actions/google-github-actions-setup-gcloud@v0/dist/main/index.js] user= workdir=
[Deploy dev/Deploy to dev]   💬  ::debug::isExplicit: 405.0.0
[Deploy dev/Deploy to dev]   💬  ::debug::explicit? true
[Deploy dev/Deploy to dev]   💬  ::debug::checking cache: /opt/hostedtoolcache/gcloud/405.0.0/x64
[Deploy dev/Deploy to dev]   💬  ::debug::not found
[Deploy dev/Deploy to dev]   💬  ::debug::Downloading https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-405.0.0-linux-x86_64.tar.gz
[Deploy dev/Deploy to dev]   💬  ::debug::Destination /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0
[Deploy dev/Deploy to dev]   💬  ::debug::download complete
[Deploy dev/Deploy to dev]   💬  ::debug::Checking tar --version
[Deploy dev/Deploy to dev]   💬  ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason.
| [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948 -f /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0
[Deploy dev/Deploy to dev]   💬  ::debug::Caching tool gcloud 405.0.0 x64
[Deploy dev/Deploy to dev]   💬  ::debug::source dir: /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948/google-cloud-sdk
[Deploy dev/Deploy to dev]   💬  ::debug::destination /opt/hostedtoolcache/gcloud/405.0.0/x64
[Deploy dev/Deploy to dev]   💬  ::debug::finished caching tool
| No credentials detected, skipping authentication
[Deploy dev/Deploy to dev]   ✅  Success - Main Setup gcloud

Additional information

I also outputted the GITHUB_ENV file for reference, here is a snippet of the variables I need for gcloud setup to work.

...
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE<<ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36
GOOGLE_APPLICATION_CREDENTIALS<<ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928
GOOGLE_GHA_CREDS_PATH<<ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d
/Users/***/projects/example-service/gha-creds-aec040d7acfde018.json
ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d
...
Originally created by @zukwung on GitHub (Oct 13, 2022). Original GitHub issue: https://github.com/nektos/act/issues/1387 ### Bug report info ```plain text act version: 0.2.32 GOOS: darwin GOARCH: arm64 NumCPU: 10 Docker host: DOCKER_HOST environment variable is unset/empty. Sockets found: /var/run/docker.sock Config files: /Users/zack.wang/.actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.19.1 Module path: command-line-arguments Main version: Main path: Main checksum: Build settings: -compiler: gc -ldflags: -X main.version=0.2.32 CGO_ENABLED: 1 CGO_CFLAGS: CGO_CPPFLAGS: CGO_CXXFLAGS: CGO_LDFLAGS: GOARCH: arm64 GOOS: darwin Docker Engine: Engine version: 20.10.17 Engine runtime: runc Cgroup version: 2 Cgroup driver: cgroupfs Storage driver: overlay2 Registry URI: https://index.docker.io/v1/ OS: Docker Desktop OS type: linux OS version: OS arch: aarch64 OS kernel: 5.10.124-linuxkit OS CPU: 5 OS memory: 7851 MB Security options: name=seccomp,profile=default name=cgroupns ``` ### Command used with act ```sh act -W .github/workflows/deploy-dev.yml -s ARTIFACTORY_USER -s ARTIFACTORY_PASSWORD -s GCP_SA_CICD_KEY="$(cat ~/.google/zack-wang.json | jq -rc )" --container-architecture linux/amd64 ``` ### Describe issue I noticed that the environment variable that the `google-github-actions/auth@v0` action was not being propagated to the `google-github-actions/setup-gcloud@v0` action. This is the recommended way by Google, and works in Github Actions. What I did notice was that Google's auth module uses [exportVariable](https://github.com/google-github-actions/auth/blob/2671692c371cbef34ed8ded9f197670c88c9d343/src/main.ts#L299-L307) from actions/toolkit, which seems like they recently added [an UUID to the multiline environment variables](https://github.com/actions/toolkit/pull/1178/files#diff-9ce6eb99f5fb5529e795254801e03ae56d67d3d5fcbec635f91e9a8a61ad8b64R27-R47), which means that the way that act matches [multiline environment variables](https://github.com/nektos/act/blob/679cac167726d0c419e50a8dedc5ab9d34618c6d/pkg/container/docker_run.go#L448) in the `GITHUB_ENV` file no longer works. I tried playing around with the regex a little bit but I'm pretty bad at regex, otherwise I would submit a PR. What I noticed using regexr is the `(\w+)` part of `^([^<]+)<<(\w+)$` doesn't match the UUID, which is the issue. ### Link to GitHub repository _No response_ ### Workflow content ```yml name: Deploy dev on: push: branches: - develop env: ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }} ARTIFACTORY_PASS: ${{ secrets.ARTIFACTORY_PASSWORD }} GCP_PROJECT: some-project ENVIRONMENT: dev jobs: deploy: name: Deploy to dev permissions: contents: "read" id-token: "write" runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@master with: fetch-depth: 0 - name: Build run: | make build - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@v0 with: credentials_json: ${{ secrets.GCP_SA_CICD_KEY }} project_id: ${{ env.GCP_PROJECT }} - name: Setup gcloud uses: google-github-actions/setup-gcloud@v0 ``` ### Relevant log output ```sh [Deploy dev/Deploy to dev] ⭐ Run Main Authenticate to Google Cloud [Deploy dev/Deploy to dev] 🐳 docker cp src=/Users/***/.cache/act/google-github-actions-auth@v0/ dst=/var/run/act/actions/google-github-actions-auth@v0/ [Deploy dev/Deploy to dev] 🐳 docker exec cmd=[node /var/run/act/actions/google-github-actions-auth@v0/dist/main/index.js] user= workdir= [Deploy dev/Deploy to dev] 💬 ::debug::Using credentials JSON [Deploy dev/Deploy to dev] 💬 ::debug::Creating credentials file | Created credentials file at "/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json" | [Deploy dev/Deploy to dev] ⚙ ::set-output:: credentials_file_path=/Users/***/projects/example-service/gha-creds-ea16d0fc17d7332f.json | [Deploy dev/Deploy to dev] ⚙ ::set-output:: project_id=some-project [Deploy dev/Deploy to dev] 🚧 ::warning::Overwriting existing environment variable GCP_PROJECT (was: "some-project") [Deploy dev/Deploy to dev] ✅ Success - Main Authenticate to Google Cloud [Deploy dev/Deploy to dev] ⭐ Run Main Setup gcloud [Deploy dev/Deploy to dev] 🐳 docker cp src=/Users/***/.cache/act/google-github-actions-setup-gcloud@v0/ dst=/var/run/act/actions/google-github-actions-setup-gcloud@v0/ [Deploy dev/Deploy to dev] 🐳 docker exec cmd=[node /var/run/act/actions/google-github-actions-setup-gcloud@v0/dist/main/index.js] user= workdir= [Deploy dev/Deploy to dev] 💬 ::debug::isExplicit: 405.0.0 [Deploy dev/Deploy to dev] 💬 ::debug::explicit? true [Deploy dev/Deploy to dev] 💬 ::debug::checking cache: /opt/hostedtoolcache/gcloud/405.0.0/x64 [Deploy dev/Deploy to dev] 💬 ::debug::not found [Deploy dev/Deploy to dev] 💬 ::debug::Downloading https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-405.0.0-linux-x86_64.tar.gz [Deploy dev/Deploy to dev] 💬 ::debug::Destination /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0 [Deploy dev/Deploy to dev] 💬 ::debug::download complete [Deploy dev/Deploy to dev] 💬 ::debug::Checking tar --version [Deploy dev/Deploy to dev] 💬 ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason. | [command]/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948 -f /tmp/474dc037-92be-4cf8-9c4e-4e2c87ed34f0 [Deploy dev/Deploy to dev] 💬 ::debug::Caching tool gcloud 405.0.0 x64 [Deploy dev/Deploy to dev] 💬 ::debug::source dir: /tmp/36a53bc8-f7c7-45c7-b9b8-5480c2e4d948/google-cloud-sdk [Deploy dev/Deploy to dev] 💬 ::debug::destination /opt/hostedtoolcache/gcloud/405.0.0/x64 [Deploy dev/Deploy to dev] 💬 ::debug::finished caching tool | No credentials detected, skipping authentication [Deploy dev/Deploy to dev] ✅ Success - Main Setup gcloud ``` ### Additional information I also outputted the GITHUB_ENV file for reference, here is a snippet of the variables I need for gcloud setup to work. ``` ... CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE<<ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36 /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36 GOOGLE_APPLICATION_CREDENTIALS<<ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928 /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_fcab5a3f-69f9-4d06-b897-814292c36928 GOOGLE_GHA_CREDS_PATH<<ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d /Users/***/projects/example-service/gha-creds-aec040d7acfde018.json ghadelimiter_caf51d78-24f6-48ab-9d60-ec2052fa081d ... ```
kerem 2026-03-01 21:45:53 +03:00
  • closed this issue
  • added the
    kind/bug
    label
Author
Owner

@jbvirt commented on GitHub (Jan 14, 2023):

I am still noticing this issue on the latest release.
For example this step in a composite action:

- name: "Verify file."
  uses: packagetest/composite-action/rockylinux@master
  with:
    args: bash "verify_file.sh" "${{ inputs.file }}" "${{ inputs.gpgKey }}"

In this step, inputs.gpgKey is a multi-line secret. It gets passed to a docker action like so:

runs:
using: docker
image: Dockerfile
args:
- "${{ inputs.args }}"

On GitHub, the startup script of the Dockerfile reads in the multiline secret as a single parameter. In act, however, the secret is treated as many different parameters and split on spaces.

The workaround for act is to wrap the multiline secret in dingle/double quotes in the workflow file like so:
"'${{ inputs.gpgKey }}'". Unfortunately, this will cause the secret to be wrapped in the quotes on GitHub, and it will need to be accounted for in any scripts using it as a parameter.

<!-- gh-comment-id:1382705988 --> @jbvirt commented on GitHub (Jan 14, 2023): I am still noticing this issue on the latest release. For example this step in a composite action: ```yaml - name: "Verify file." uses: packagetest/composite-action/rockylinux@master with: args: bash "verify_file.sh" "${{ inputs.file }}" "${{ inputs.gpgKey }}" ``` In this step, `inputs.gpgKey` is a multi-line secret. It gets passed to a docker action like so: ```yaml runs: using: docker image: Dockerfile args: - "${{ inputs.args }}" ``` On GitHub, the startup script of the Dockerfile reads in the multiline secret as a single parameter. In `act`, however, the secret is treated as many different parameters and split on spaces. The workaround for `act` is to wrap the multiline secret in dingle/double quotes in the workflow file like so: `"'${{ inputs.gpgKey }}'"`. Unfortunately, this will cause the secret to be wrapped in the quotes on GitHub, and it will need to be accounted for in any scripts using it as a parameter.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/act#731
No description provided.