Issue: Secrets do not appear to get used when used in env

Open jmetzmeier opened this issue 3 years ago • 4 comments

Act version

act version 0.2.21

Expected behaviour

The workflow should use secrets supplied via the -s option. This workflow functions properly in GitHub Actions.

Actual behaviour

When the secret gets to curl, it contains the value XXXXX-XXXXX-XXXXX-XXXXX

Workflow and/or repository

workflow
name: Main Workflow

on:
  push:

jobs:
  lint:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: actions/setup-node@v1
        with:
          node-version: '14'
          registry-url: https://npm.pkg.github.com/
      - run: curl -v -O /dev/null https://x-access-token:${NODE_AUTH_TOKEN}@npm.pkg.github.com/download/REDACTED/0.0.4/9f531f2642f938ad0f9beea59c9edcf811af85c773fb897bc6a523f3b4380bba
        env:
          NODE_AUTH_TOKEN: ${{ secrets.WISER_PACKAGES }}
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.WISER_PACKAGES }}
      - run: npm run test

Steps to reproduce

Use a workflow file that exports the value of a secret to an environment variable. In my curl example, I am using -v so I can see the headers sent in the request. I am running with act --insecure-secrets -s WISER_PACKAGES=REDACTED

| > GET /download/REDACTED/0.0.4/9f531f2642f938ad0f9beea59c9edcf811af85c773fb897bc6a523f3b4380bba HTTP/2
| > Host: npm.pkg.github.com
| > authorization: Basic eC1hY2Nlc3MtdG9rZW46WFhYWFgtWFhYWFgtWFhYWFgtWFhYWFg=
| > user-agent: curl/7.68.0
| > accept: */*

This authorization string decodes to x-access-token:XXXXX-XXXXX-XXXXX-XXXXX

act output

Log
$ act --insecure-secrets -s WISER_PACKAGES=REDACTED
[Publish/Publish    ] 🚀  Start image=catthehacker/ubuntu:act-latest
[Main Workflow/lint ] 🚀  Start image=catthehacker/ubuntu:act-latest
[Main Workflow/tests] 🚀  Start image=catthehacker/ubuntu:act-latest
[Publish/Publish    ]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Main Workflow/tests]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Main Workflow/lint ]   🐳  docker run image=catthehacker/ubuntu:act-latest platform=linux/amd64 entrypoint=["/usr/bin/tail" "-f" "/dev/null"] cmd=[]
[Publish/Publish    ]   🐳  docker cp src=/home/jmetzmeier/prog/wiser/auth-library/. dst=/home/jmetzmeier/prog/wiser/auth-library
[Main Workflow/tests]   🐳  docker cp src=/home/jmetzmeier/prog/wiser/auth-library/. dst=/home/jmetzmeier/prog/wiser/auth-library
[Main Workflow/lint ]   🐳  docker cp src=/home/jmetzmeier/prog/wiser/auth-library/. dst=/home/jmetzmeier/prog/wiser/auth-library
[Main Workflow/tests] ⭐  Run actions/checkout@master
[Main Workflow/lint ] ⭐  Run actions/checkout@master
[Main Workflow/tests]   ✅  Success - actions/checkout@master
[Main Workflow/lint ]   ✅  Success - actions/checkout@master
[Publish/Publish    ] ⭐  Run actions/setup-node@v1
[Publish/Publish    ]   ☁  git clone 'https://github.com/actions/setup-node' # ref=v1
[Main Workflow/lint ] ⭐  Run actions/setup-node@v1
[Main Workflow/lint ]   ☁  git clone 'https://github.com/actions/setup-node' # ref=v1
[Main Workflow/tests] ⭐  Run actions/setup-node@v1
[Main Workflow/tests]   ☁  git clone 'https://github.com/actions/setup-node' # ref=v1
[Publish/Publish    ]   🐳  docker cp src=/home/jmetzmeier/.cache/act/actions-setup-node@v1 dst=/actions/
[Main Workflow/lint ]   🐳  docker cp src=/home/jmetzmeier/.cache/act/actions-setup-node@v1 dst=/actions/
[Publish/Publish    ]   💬  ::debug::isExplicit: 
[Publish/Publish    ]   💬  ::debug::explicit? false
[Publish/Publish    ]   💬  ::debug::evaluating 0 versions
[Publish/Publish    ]   💬  ::debug::match not found
[Main Workflow/tests]   🐳  docker cp src=/home/jmetzmeier/.cache/act/actions-setup-node@v1 dst=/actions/
[Publish/Publish    ]   💬  ::debug::evaluating 450 versions
[Publish/Publish    ]   💬  ::debug::matched: v14.16.0
[Publish/Publish    ]   💬  ::debug::isExplicit: 14.16.0
[Publish/Publish    ]   💬  ::debug::explicit? true
[Publish/Publish    ]   💬  ::debug::checking cache: /opt/hostedtoolcache/node/14.16.0/x64
[Publish/Publish    ]   💬  ::debug::not found
[Main Workflow/lint ]   💬  ::debug::isExplicit: 
[Main Workflow/lint ]   💬  ::debug::explicit? false
[Main Workflow/lint ]   💬  ::debug::evaluating 0 versions
[Main Workflow/lint ]   💬  ::debug::match not found
[Publish/Publish    ]   💬  ::debug::Downloading https://nodejs.org/dist/v14.16.0/node-v14.16.0-linux-x64.tar.gz
[Publish/Publish    ]   💬  ::debug::Destination /tmp/ca32b13f-1ac6-4ccd-86fe-cbcd9cef6745
[Main Workflow/lint ]   💬  ::debug::evaluating 450 versions
[Main Workflow/lint ]   💬  ::debug::matched: v14.16.0
[Main Workflow/lint ]   💬  ::debug::isExplicit: 14.16.0
[Main Workflow/lint ]   💬  ::debug::explicit? true
[Main Workflow/lint ]   💬  ::debug::checking cache: /opt/hostedtoolcache/node/14.16.0/x64
[Main Workflow/lint ]   💬  ::debug::not found
[Main Workflow/lint ]   💬  ::debug::Downloading https://nodejs.org/dist/v14.16.0/node-v14.16.0-linux-x64.tar.gz
[Main Workflow/lint ]   💬  ::debug::Destination /tmp/47faac2c-f2ce-4855-bec3-165aac0032bf
[Main Workflow/tests]   💬  ::debug::isExplicit: 
[Main Workflow/tests]   💬  ::debug::explicit? false
[Main Workflow/tests]   💬  ::debug::evaluating 0 versions
[Main Workflow/tests]   💬  ::debug::match not found
[Main Workflow/tests]   💬  ::debug::evaluating 450 versions
[Main Workflow/tests]   💬  ::debug::matched: v14.16.0
[Main Workflow/tests]   💬  ::debug::isExplicit: 14.16.0
[Main Workflow/tests]   💬  ::debug::explicit? true
[Main Workflow/tests]   💬  ::debug::checking cache: /opt/hostedtoolcache/node/14.16.0/x64
[Main Workflow/tests]   💬  ::debug::not found
[Main Workflow/tests]   💬  ::debug::Downloading https://nodejs.org/dist/v14.16.0/node-v14.16.0-linux-x64.tar.gz
[Main Workflow/tests]   💬  ::debug::Destination /tmp/fb39882c-db22-40e5-b6fc-5a7892d53631
[Main Workflow/tests]   💬  ::debug::download complete
[Main Workflow/tests]   💬  ::debug::Checking tar --version
[Main Workflow/tests]   💬  ::debug::tar (GNU tar) 1.30%0ACopyright (C) 2017 Free Software Foundation, Inc.%0ALicense GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.%0AThis is free software: you are free to change and redistribute it.%0AThere is NO WARRANTY, to the extent permitted by law.%0A%0AWritten by John Gilmore and Jay Fenlason.
| [command]/usr/bin/tar xz --warning=no-unknown-keyword -C /tmp/63167891-feec-4f17-8516-afbcef6ccfba -f /tmp/fb39882c-db22-40e5-b6fc-5a7892d53631
[Main Workflow/tests]   💬  ::debug::Caching tool node 14.16.0 x64
[Main Workflow/tests]   💬  ::debug::source dir: /tmp/63167891-feec-4f17-8516-afbcef6ccfba/node-v14.16.0-linux-x64
[Main Workflow/tests]   💬  ::debug::destination /opt/hostedtoolcache/node/14.16.0/x64
[Main Workflow/tests]   💬  ::debug::finished caching tool
[Main Workflow/tests]   ⚙  ::add-path:: /opt/hostedtoolcache/node/14.16.0/x64/bin
| [command]/opt/hostedtoolcache/node/14.16.0/x64/bin/node --version
| v14.16.0
| [command]/opt/hostedtoolcache/node/14.16.0/x64/bin/npm --version
| 6.14.11
[Main Workflow/tests]   💬  ::debug::Setting auth in /tmp/.npmrc
[Main Workflow/tests]   ❓  ##[add-matcher]/actions/actions-setup-node@v1/.github/tsc.json
[Main Workflow/tests]   ❓  ##[add-matcher]/actions/actions-setup-node@v1/.github/eslint-stylish.json
[Main Workflow/tests]   ❓  ##[add-matcher]/actions/actions-setup-node@v1/.github/eslint-compact.json
[Main Workflow/tests]   ✅  Success - actions/setup-node@v1
[Main Workflow/tests] ⭐  Run curl -v -O /dev/null https://x-access-token:${NODE_AUTH_TOKEN}@npm.pkg.github.com/download/REDACTED/0.0.4/9f531f2642f938ad0f9beea59c9edcf811af85c773fb897bc6a523f3b4380bba
| * Closing connection -1
| curl: (3) URL using bad/illegal format or missing URL
| *   Trying 140.82.114.33:443...
| * TCP_NODELAY set
| * Connected to npm.pkg.github.com (140.82.114.33) port 443 (#0)
| * ALPN, offering h2
| * ALPN, offering http/1.1
| * successfully set certificate verify locations:
| *   CAfile: /etc/ssl/certs/ca-certificates.crt
|   CApath: /etc/ssl/certs
| * TLSv1.3 (OUT), TLS handshake, Client hello (1):
| * TLSv1.3 (IN), TLS handshake, Server hello (2):
| * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
| * TLSv1.3 (IN), TLS handshake, Certificate (11):
| * TLSv1.3 (IN), TLS handshake, CERT verify (15):
| * TLSv1.3 (IN), TLS handshake, Finished (20):
| * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
| * TLSv1.3 (OUT), TLS handshake, Finished (20):
| * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
| * ALPN, server accepted to use h2
| * Server certificate:
| *  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.pkg.github.com
| *  start date: Apr 29 00:00:00 2020 GMT
| *  expire date: May  6 12:00:00 2022 GMT
| *  subjectAltName: host "npm.pkg.github.com" matched cert's "*.pkg.github.com"
| *  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
| *  SSL certificate verify ok.
| * Using HTTP2, server supports multi-use
| * Connection state changed (HTTP/2 confirmed)
| * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
| * Server auth using Basic with user 'x-access-token'
| * Using Stream ID: 1 (easy handle 0x55d2a64d6e10)
| > GET /download/REDACTED/0.0.4/9f531f2642f938ad0f9beea59c9edcf811af85c773fb897bc6a523f3b4380bba HTTP/2
| > Host: npm.pkg.github.com
| > authorization: Basic eC1hY2Nlc3MtdG9rZW46WFhYWFgtWFhYWFgtWFhYWFgtWFhYWFg=
| > user-agent: curl/7.68.0
| > accept: */*
| > 
| * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
| * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
| * old SSL session ID is stale, removing
| * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
| < HTTP/2 401 
| < access-control-allow-methods: GET, OPTIONS
| < access-control-allow-origin: *
| < content-security-policy: default-src 'none';
| < content-type: application/json; charset=utf-8
| < server: GitHub Registry
| < strict-transport-security: max-age=31536000;
| < x-content-type-options: nosniff
| < x-frame-options: DENY
| < x-xss-protection: 1; mode=block
| < date: Tue, 06 Apr 2021 17:39:44 GMT
| < content-length: 168
| < x-github-request-id: C5AC:755F:192A5C:6FF07F:606C9CE0
| < 
| {"error":"Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured."}
| * Connection #0 to host npm.pkg.github.com left intact
[Main Workflow/tests]   ✅  Success - curl -v -O /dev/null https://x-access-token:${NODE_AUTH_TOKEN}@npm.pkg.github.com/download/REDACTED/0.0.4/9f531f2642f938ad0f9beea59c9edcf811af85c773fb897bc6a523f3b4380bba

jmetzmeier (Apr 06 '21 17:04)
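
Added example (not part of the original issue and not act's own code): a shell check that extracts the Basic authorization header from a `curl -v` trace like the one above and reports whether the password part is the `XXXXX-XXXXX-XXXXX-XXXXX` value, the expected secret, or something else, logging only a SHA-256 prefix on mismatch. The function names and the `EXPECTED_SECRET` variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: classify the credential a `curl -v` trace actually sent.

# Request headers copied from the trace in this issue.
SAMPLE_TRACE='| > Host: npm.pkg.github.com
| > authorization: Basic eC1hY2Nlc3MtdG9rZW46WFhYWFgtWFhYWFgtWFhYWFgtWFhYWFg=
| > user-agent: curl/7.68.0'

# Decode the first Basic authorization header in a trace to "user:password".
basic_credentials() {
  printf '%s\n' "$1" |
    sed -n 's#.*[Aa]uthorization: Basic \([A-Za-z0-9+/=]*\).*#\1#p' |
    head -n 1 | base64 -d
}

# Short SHA-256 prefix, so a mismatch can be logged without the value itself.
fingerprint() {
  printf '%s' "$1" | sha256sum | cut -c1-12
}

# Usage: credential_status TRACE EXPECTED_SECRET (hypothetical helper names)
credential_status() {
  local trace=$1 expected=$2 creds password
  creds=$(basic_credentials "$trace" 2>/dev/null) || { echo "undecodable"; return 0; }
  [ -n "$creds" ] || { echo "no-basic-header"; return 0; }
  password=${creds#*:}
  if [ -z "$password" ]; then
    echo "empty-password"
  elif [ "$password" = "XXXXX-XXXXX-XXXXX-XXXXX" ]; then
    echo "placeholder"          # the value reported in this issue
  elif [ "$password" = "$expected" ]; then
    echo "secret-sent"
  else
    echo "mismatch:$(fingerprint "$password")"
  fi
}

# EXPECTED_SECRET is an assumed variable holding the value passed to `act -s`.
credential_status "$SAMPLE_TRACE" "${EXPECTED_SECRET:-}"
```
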

Issue is stale and will be closed in 14 days unless there is new activity

github-actions[bot] (May 07 '21 00:05)

I was able to get this to work by passing the --insecure-secrets flag

ThrowJojo (May 14 '21 04:05)

I apologize for messing up the triage on this one by accidentally closing the issue.

jmetzmeier (May 14 '21 14:05)

Issue is stale and will be closed in 14 days unless there is new activity

github-actions[bot] (Jun 14 '21 00:06)