[BUG] Composite actions should be provisioned with `ACTIONS_RUNTIME_TOKEN` just like the node and docker ones

Currently, ACTIONS_RUNTIME_TOKEN is exposed to nodejs and docker action types, but not the composite ones. So accessing it is rather limited to 2/3 types of the action types. It's not a private implementation detail and GitHub's own docs even show accessing it through the normal JS env var interface (process.env): https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-environment-variables. There's also no recommendations not to use it, it's rather undocumented that it's surprisingly inaccessible from within non-actions and composite actions.

Which is why I think it's actually a bug that got overlooked, unintentionally vendor-locking the action authors to docker or nodejs. It shouldn't be like this so I'm filing this issue to ask this (and related) env vars to be exposed to all action types equally.

The other action implementations set the env var like this:

• nodejs: https://github.com/actions/runner/blob/9e3e57ff90c089641a3a5833c2211841da1a37f8/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs#L56
• container: https://github.com/actions/runner/blob/9e3e57ff90c089641a3a5833c2211841da1a37f8/src/Runner.Worker/Handlers/ContainerActionHandler.cs#L221

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days.

unstale

unstale

unstale

unstale

If someone else stumbles upon this bug before it's resolved, as I did, I found that using this action exposes the variable to other workflow steps and helps work around it.