[GH-ISSUE #1605] Some formating yaml syntax errors can result in a complete Go crash #805

New issue

Closed

opened 2026-03-01 21:46:32 +03:00 by kerem · 6 comments

kerem commented 2026-03-01 21:46:32 +03:00

Owner

Copy link

Originally created by @Porkepix on GitHub (Feb 3, 2023).
Original GitHub issue: https://github.com/nektos/act/issues/1605

Bug report info

$ act --bug-report
act version:            0.2.42.r1.gf91b2aa5
GOOS:                   linux
GOARCH:                 amd64
NumCPU:                 16
Docker host:            DOCKER_HOST environment variable is unset/empty.
Sockets found:
	/var/run/docker.sock
Config files:
	/home/clement/.actrc:
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
	.actrc:
		-P ubuntu-latest=catthehacker/ubuntu:act-latest
		-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
		-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
		-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
	Go version:            go1.20
	Module path:           command-line-arguments
	Main version:
	Main path:
	Main checksum:
	Build settings:
		-buildmode:           pie
		-compiler:            gc
		-trimpath:            true
		CGO_ENABLED:          1
		GOARCH:               amd64
		GOOS:                 linux
		GOAMD64:              v1
Docker Engine:
	Engine version:        20.10.23
	Engine runtime:        runc
	Cgroup version:        2
	Cgroup driver:         systemd
	Storage driver:        overlay2
	Registry URI:          https://index.docker.io/v1/
	OS:                    Arch Linux
	OS type:               linux
	OS version:
	OS arch:               x86_64
	OS kernel:             6.1.7-arch1-1
	OS CPU:                16
	OS memory:             31802 MB
	Security options:
		name=seccomp,profile=default
		name=cgroupns

Command used with act

act

Describe issue

A slight error in the yaml of an action can cause a complete Go panic

Link to GitHub repository

No response

Workflow content

This is action content, not workflow. You just need to call whatever action containing this mistake.
As explained below, the same mistake is caught if present in a workflow file.

- name: Foo
- uses: Foo/Bar

Relevant log output

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5644f81519d3]

goroutine 62 [running]:
github.com/nektos/act/pkg/runner.runPreStep.func1({0x5644f85876d0, 0xc0003a5ec0})
        github.com/nektos/act/pkg/runner/action.go:503 +0x6b3
github.com/nektos/act/pkg/runner.runStepExecutor.func1({0x5644f85876d0, 0xc0003a5ec0})
        github.com/nektos/act/pkg/runner/step.go:109 +0x9c3
github.com/nektos/act/pkg/common.Executor.If.func1({0x5644f85876d0, 0xc0003a5ec0})
        github.com/nektos/act/pkg/common/executor.go:149 +0x48
github.com/nektos/act/pkg/common.Executor.If.func1({0x5644f85876d0, 0xc0003a5ec0})
        github.com/nektos/act/pkg/common/executor.go:149 +0x48
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc0003a5ec0})
        github.com/nektos/act/pkg/common/executor.go:141 +0x144
github.com/nektos/act/pkg/runner.useStepLogger.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/runner/job_executor.go:190 +0x39e
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:141 +0x144
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:129 +0x34
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:129 +0x34
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:129 +0x34
github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:175 +0x34
github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:175 +0x34
github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:175 +0x34
github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/common/executor.go:141 +0x144
github.com/nektos/act/pkg/runner.(*RunContext).Executor.func1({0x5644f85876d0, 0xc00040f620})
        github.com/nektos/act/pkg/runner/run_context.go:428 +0x58
github.com/nektos/act/pkg/runner.(*runnerImpl).NewPlanExecutor.func1.1({0x5644f85876d0, 0xc00040eab0})
        github.com/nektos/act/pkg/runner/runner.go:141 +0x193
github.com/nektos/act/pkg/common.NewParallelExecutor.func1.1(0x0?, 0x0?)
        github.com/nektos/act/pkg/common/executor.go:100 +0x5c
created by github.com/nektos/act/pkg/common.NewParallelExecutor.func1
        github.com/nektos/act/pkg/common/executor.go:98 +0x89

Additional information

The error happened on a slight error in an action I was working on: a dash arrived on a uses: line while there was already a - name: on top of it.

The same mistake is caught for workflows so the panic only happens for actions.
In workflows we get something like this:
Error: Invalid run/uses syntax for job:foo step:bar

Originally created by @Porkepix on GitHub (Feb 3, 2023). Original GitHub issue: https://github.com/nektos/act/issues/1605 ### Bug report info ```plain text $ act --bug-report act version: 0.2.42.r1.gf91b2aa5 GOOS: linux GOARCH: amd64 NumCPU: 16 Docker host: DOCKER_HOST environment variable is unset/empty. Sockets found: /var/run/docker.sock Config files: /home/clement/.actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 .actrc: -P ubuntu-latest=catthehacker/ubuntu:act-latest -P ubuntu-22.04=catthehacker/ubuntu:act-22.04 -P ubuntu-20.04=catthehacker/ubuntu:act-20.04 -P ubuntu-18.04=catthehacker/ubuntu:act-18.04 Build info: Go version: go1.20 Module path: command-line-arguments Main version: Main path: Main checksum: Build settings: -buildmode: pie -compiler: gc -trimpath: true CGO_ENABLED: 1 GOARCH: amd64 GOOS: linux GOAMD64: v1 Docker Engine: Engine version: 20.10.23 Engine runtime: runc Cgroup version: 2 Cgroup driver: systemd Storage driver: overlay2 Registry URI: https://index.docker.io/v1/ OS: Arch Linux OS type: linux OS version: OS arch: x86_64 OS kernel: 6.1.7-arch1-1 OS CPU: 16 OS memory: 31802 MB Security options: name=seccomp,profile=default name=cgroupns ``` ### Command used with act ```sh act ``` ### Describe issue A slight error in the `yaml` of an action can cause a complete Go panic ### Link to GitHub repository _No response_ ### Workflow content This is action content, not workflow. You just need to call whatever action containing this mistake. As explained below, the same mistake is caught if present in a workflow file. ```yml - name: Foo - uses: Foo/Bar ``` ### Relevant log output ```sh panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x5644f81519d3] goroutine 62 [running]: github.com/nektos/act/pkg/runner.runPreStep.func1({0x5644f85876d0, 0xc0003a5ec0}) github.com/nektos/act/pkg/runner/action.go:503 +0x6b3 github.com/nektos/act/pkg/runner.runStepExecutor.func1({0x5644f85876d0, 0xc0003a5ec0}) github.com/nektos/act/pkg/runner/step.go:109 +0x9c3 github.com/nektos/act/pkg/common.Executor.If.func1({0x5644f85876d0, 0xc0003a5ec0}) github.com/nektos/act/pkg/common/executor.go:149 +0x48 github.com/nektos/act/pkg/common.Executor.If.func1({0x5644f85876d0, 0xc0003a5ec0}) github.com/nektos/act/pkg/common/executor.go:149 +0x48 github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc0003a5ec0}) github.com/nektos/act/pkg/common/executor.go:141 +0x144 github.com/nektos/act/pkg/runner.useStepLogger.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/runner/job_executor.go:190 +0x39e github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:141 +0x144 github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:129 +0x34 github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:129 +0x34 github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:129 +0x34 github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:175 +0x34 github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:175 +0x34 github.com/nektos/act/pkg/common.Executor.Finally.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:175 +0x34 github.com/nektos/act/pkg/common.Executor.Then.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/common/executor.go:141 +0x144 github.com/nektos/act/pkg/runner.(*RunContext).Executor.func1({0x5644f85876d0, 0xc00040f620}) github.com/nektos/act/pkg/runner/run_context.go:428 +0x58 github.com/nektos/act/pkg/runner.(*runnerImpl).NewPlanExecutor.func1.1({0x5644f85876d0, 0xc00040eab0}) github.com/nektos/act/pkg/runner/runner.go:141 +0x193 github.com/nektos/act/pkg/common.NewParallelExecutor.func1.1(0x0?, 0x0?) github.com/nektos/act/pkg/common/executor.go:100 +0x5c created by github.com/nektos/act/pkg/common.NewParallelExecutor.func1 github.com/nektos/act/pkg/common/executor.go:98 +0x89 ``` ### Additional information The error happened on a slight error in an action I was working on: a dash arrived on a `uses:` line while there was already a `- name:` on top of it. The same mistake is caught for workflows so the panic only happens for actions. In workflows we get something like this: `Error: Invalid run/uses syntax for job:foo step:bar`

kerem 2026-03-01 21:46:32 +03:00

• closed this issue
• added the
  kind/bug
  label

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@KnisterPeter commented on GitHub (Feb 6, 2023):

Just run https://github.com/rhysd/actionlint right before calling act and you are good to go.

<!-- gh-comment-id:1419105190 --> @KnisterPeter commented on GitHub (Feb 6, 2023): Just run https://github.com/rhysd/actionlint right before calling `act` and you are good to go.

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@Porkepix commented on GitHub (Feb 6, 2023):

Just run rhysd/actionlint right before calling act and you are good to go.

@KnisterPeter Yes linting is always a good idea. However, I don't think a complete crash of the program is something that should be considered as a normal behavior, even if this is due to a user's mistake.

Note that the same mistake is caught when done in the workflow file, as mentioned at the end of my message.
I believe the same kind of mistake should be handled the same way and caught the same way for actions as it's already done for workflows, wouldn't you agree?

<!-- gh-comment-id:1419109141 --> @Porkepix commented on GitHub (Feb 6, 2023): > Just run [rhysd/actionlint](https://github.com/rhysd/actionlint) right before calling `act` and you are good to go. @KnisterPeter Yes linting is always a good idea. However, I don't think a complete crash of the program is something that should be considered as a normal behavior, even if this is due to a user's mistake. Note that the same mistake is caught when done in the workflow file, as mentioned at the end of my message. I believe the same kind of mistake should be handled the same way and caught the same way for actions as it's already done for workflows, wouldn't you agree?

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@KnisterPeter commented on GitHub (Feb 6, 2023):

Given that an invalid yaml file is syntactic garbage I'm not sure if I would agree. It might be good to not just panic, but the result would be the exact same as of now.

But feel free to provide a pull request with a fix for this. We are happy for every contribution.

<!-- gh-comment-id:1419111974 --> @KnisterPeter commented on GitHub (Feb 6, 2023): Given that an invalid yaml file is syntactic garbage I'm not sure if I would agree. It might be good to not just panic, but the result would be the exact same as of now. But feel free to provide a pull request with a fix for this. We are happy for every contribution.

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@ChristopherHX commented on GitHub (Feb 6, 2023):

@KnisterPeter actionlint doesn't support composite actions. We should fix crashs in act.

I add it to my backlog for act.

<!-- gh-comment-id:1419113634 --> @ChristopherHX commented on GitHub (Feb 6, 2023): @KnisterPeter actionlint doesn't support composite actions. We should fix crashs in act. I add it to my backlog for act.

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@ChristopherHX commented on GitHub (Feb 6, 2023):

You get now Invalid run/uses syntax for job:composite-job step:Foo for local actions. Your remote action example is now a failure instead of a crash, without more information.

<!-- gh-comment-id:1419788576 --> @ChristopherHX commented on GitHub (Feb 6, 2023): You get now [Invalid run/uses syntax for job:composite-job step:Foo](https://github.com/nektos/act/actions/runs/4107970704/jobs/7088102311#step:4:3155) for local actions. Your remote action example is now a failure instead of a crash, without more information.

kerem commented 2026-03-01 21:46:33 +03:00

Author

Owner

Copy link

@Porkepix commented on GitHub (Feb 6, 2023):

You get now Invalid run/uses syntax for job:composite-job step:Foo for local actions. Your remote action example is now a failure instead of a crash, without more information.

Yes, I think providing an accurate explanation of the problem would mean analyzing deeply the file and basically reimplement most of the features of a linter.
The most important is to not get a crash, and at the very least the message is clear enough the yaml file have an issue and is malformed: with the crash it took me some time to figure out the issue was on my end and that my yaml file was malformed.

<!-- gh-comment-id:1419801264 --> @Porkepix commented on GitHub (Feb 6, 2023): > You get now [Invalid run/uses syntax for job:composite-job step:Foo](https://github.com/nektos/act/actions/runs/4107970704/jobs/7088102311#step:4:3155) for local actions. Your remote action example is now a failure instead of a crash, without more information. Yes, I think providing an accurate explanation of the problem would mean analyzing deeply the file and basically reimplement most of the features of a linter. The most important is to not get a crash, and at the very least the message is clear enough the yaml file have an issue and is malformed: with the crash it took me some time to figure out the issue was on my end and that my yaml file was malformed.

kerem referenced this issue 2026-03-01 21:51:57 +03:00

[PR #805] [CLOSED] build(deps): bump github.com/go-git/go-git/v5 from 5.2.0 to 5.4.2 #1621

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/go_modules/github.com/go-git/go-git/v5-5.18.0

dependabot/go_modules/dependencies-08815e2262

mergify/configuration-deprecated-update

dependabot/github_actions/dependencies-a3a104477f

chore/simplify-ci-and-makefile

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

panekj/ci/improve-jobs

fix-skip-non-yaml-files-in-dir

normalize-pull-rebuild-flags

fix-no-recurse-by-default

2517-poor-error-for-incomplete-action-step

2472-make-use-new-action-cache-the-new-default-for-downloading-actions

act-tart

act-lxc

act-oidc

act-dind

avoid-slash-in-actor

dependabot/go_modules/github.com/docker/docker-26.1.4incompatible

meta-keep-filetime

local-repository-action-cache

pr-merger

update-docker-deps

follow_local_action_symlink

boltdb-lock-in-handler

use-socket-path

no-pull-no-rebuild

path-issues

fix/env

feat/podman

refactor/testdata

v0.2.87

v0.2.86

v0.2.85

v0.2.84

v0.2.83

v0.2.82

v0.2.81

v0.2.80

v0.2.79

v0.2.78

v0.2.77

v0.2.76

v0.2.75

v0.2.74

v0.2.73

v0.2.72

v0.2.71

v0.2.70

v0.2.69

v0.2.68

v0.2.67

v0.2.66

v0.2.65

v0.2.64

v0.2.63

v0.2.62

v0.2.61

v0.2.60

v0.2.59

v0.2.58

v0.2.57

v0.2.56

v0.2.55

v0.2.54

v0.2.53

v0.2.52

v0.2.51

v0.2.50

v0.2.49

v0.2.48

v0.2.47

v0.2.46

v0.2.45

v0.2.44

v0.2.43

v0.2.42

v0.2.41

v0.2.40

v0.2.39

v0.2.38

v0.2.37

v0.2.36

v0.2.35

v0.2.34

v0.2.33

v0.2.32

v0.2.31

v0.2.30

v0.2.29

v0.2.28

v0.2.27

v0.2.26

v0.2.25

v0.2.24

v0.2.23

v0.2.22

v0.2.21

v0.2.20

v0.2.19

v0.2.18

v0.2.17

v0.2.16

v0.2.15

v0.2.14

v0.2.13

v0.2.12

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

area/action

  

area/cli

  

area/docs

  

area/image

  

area/runner

  

area/workflow

  

backlog

  

confirmed/not-planned

  

kind/bug

  

kind/discussion

  

kind/external

  

kind/feature-request

  

kind/question

  

meta/duplicate

  

meta/invalid

  

meta/need-more-info

  

meta/resolved

  

meta/wontfix

  

meta/workaround

  

needs-work

  

pull-request

Mirrored from GitHub Pull Request

  

review/not-planned

  

size/M

  

size/XL

  

size/XXL

  

stale

  

stale-exempt

No labels

area/action

area/cli

area/docs

area/image

area/runner

area/workflow

backlog

confirmed/not-planned

kind/bug

kind/discussion

kind/external

kind/feature-request

kind/question

meta/duplicate

meta/invalid

meta/need-more-info

meta/resolved

meta/wontfix

meta/workaround

needs-work

pull-request

review/not-planned

size/M

size/XL

size/XXL

stale

stale-exempt

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/act#805

No description provided.