nektos
Job output secret accessible in act nott in github action
Bug report info
act version: 0.2.75
GOOS: windows
GOARCH: amd64
NumCPU: 16
Docker host: DOCKER_HOST environment variable is not set
Sockets found:
\\.\pipe\docker_engine(broken)
Config files:
C:\Users\MyUser\AppData\Local\act\actrc:
-P ubuntu-latest=catthehacker/ubuntu:act-latest
-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
Build info:
Go version: go1.23.6
Module path: github.com/nektos/act
Main version: (devel)
Main path: github.com/nektos/act
Main checksum:
Build settings:
-buildmode: exe
-compiler: gc
-ldflags: -s -w -X main.version=0.2.75 -X main.commit=bd97dc8d9422a8b04e6193c6c86afa8a7a693fdf -X main.date=2025-03-01T02:31:09Z -X main.builtBy=goreleaser
CGO_ENABLED: 0
GOARCH: amd64
GOOS: windows
GOAMD64: v1
vcs: git
vcs.revision: bd97dc8d9422a8b04e6193c6c86afa8a7a693fdf
vcs.time: 2025-03-01T02:30:53Z
vcs.modified: false
Docker Engine:
Engine version: 28.0.1
Engine runtime: runc
Cgroup version: 1
Cgroup driver: cgroupfs
Storage driver: overlay2
Registry URI: https://index.docker.io/v1/
OS: Docker Desktop
OS type: linux
OS version:
OS arch: x86_64
OS kernel: 5.15.153.1-microsoft-standard-WSL2
OS CPU: 16
OS memory: 15946 MB
Security options:
name=seccomp,profile=unconfined
Command used with act
act -W .\.github\workflows\test-workflow.yaml --secret VARIABLE=dummy
Describe issue
I've found a bug, where you can use the output of a job that is Github flags as a secret, whereas on Github Actions' runner it won't be picked up.
In this stripped down code, I have a workflow with two jobs. first_job outputs a value called secret_variable, which value is a secret that is outputted in the step dummy_step. The second job, test, tries to use it. In act, it outputs the value without issues:
[Test workflow/test ] ⭐ Run Main echo output [***]
[Test workflow/test ] 🐳 docker exec cmd=[bash -e /var/run/act/workflow/0] user= workdir=
| output [***]
[Test workflow/test ] ✅ Success - Main echo output [***]
However, in Github Actions' runner, it won't be picked up:
2025-03-17T19:15:41.5516700Z ##[group]Run echo output []
2025-03-17T19:15:41.5518055Z [36;1mecho output [][0m
2025-03-17T19:15:41.5954286Z shell: /usr/bin/bash -e {0}
2025-03-17T19:15:41.5955824Z ##[endgroup]
2025-03-17T19:15:41.6220465Z output []
From the logs from the first_job, Github Actions' runner won't pick the secret because it's flagged as well:
2025-03-17T19:15:33.3559517Z ##[warning]Skip output 'secret_variable' since it may contain secret.
The only way to "fix" the issue is to move the dummy_step in the same job that calls it, as Github refuses to output a secret flagged variable from a job to another. Act not acting like Github Actions' led me to an issue where my workflow worked locally, but not on Github Actions' runner.
Link to GitHub repository
No response
Workflow content
name: Test workflow
on:
push:
branches:
- "main"
jobs:
first_job:
runs-on: ubuntu-latest
outputs:
secret_variable: ${{ steps.dummy_step.outputs.value }}
steps:
- id: dummy_step
run: echo "value=${{ secrets.VARIABLE }}" >> $GITHUB_OUTPUT
test:
needs: [first_job]
runs-on: ubuntu-latest
steps:
- run: echo output [${{ needs.first_job.outputs.secret_variable }}]
Relevant log output
Because there were multiple logs, they are included in the Describe issue paragraph
Additional information
No response
