act favors secrets from `.secrets` over values from `-s`
jsoref opened this issue · comments
Bug report info
act version: 0.2.57
GOOS: darwin
GOARCH: arm64
NumCPU: 10
Docker host: DOCKER_HOST environment variable is not set
Sockets found:
/var/run/docker.sock
Config files:
/Users/jsoref/.actrc:
#-P ubuntu-latest=node:12.20.1-buster-slim
#-P ubuntu-20.04=node:12.20.1-buster-slim
#-P ubuntu-18.04=node:12.20.1-buster-slim
-P ubuntu-latest=catthehacker/ubuntu:act-latest
-P ubuntu-22.04=catthehacker/ubuntu:act-22.04
-P ubuntu-20.04=catthehacker/ubuntu:act-20.04
-P ubuntu-18.04=catthehacker/ubuntu:act-18.04
-P ubuntu-16.04=catthehacker/ubuntu:act-16.04
-P self-hosted=catthehacker/ubuntu:act-latest
-P ubuntu-latest-4cpu=ubuntu:act-latest
-P ubuntu-latest-8cpu=ubuntu:act-latest
Build info:
Go version: go1.21.5
Module path: command-line-arguments
Main version:
Main path:
Main checksum:
Build settings:
-buildmode: exe
-compiler: gc
-ldflags: -X main.version=0.2.57
DefaultGODEBUG: panicnil=1
CGO_ENABLED: 1
CGO_CFLAGS:
CGO_CPPFLAGS:
CGO_CXXFLAGS:
CGO_LDFLAGS:
GOARCH: arm64
GOOS: darwin
Docker Engine:
Engine version: 23.0.6
Engine runtime: runc
Cgroup version: 1
Cgroup driver: cgroupfs
Storage driver: overlay2
Registry URI: https://index.docker.io/v1/
OS: Alpine Linux v3.18
OS type: linux
OS version: 3.18.5
OS arch: aarch64
OS kernel: 6.1.64-0-virt
OS CPU: 2
OS memory: 1973 MB
Security options:
name=seccomp,profile=builtin
Command used with act
(~/code/nektos/act/dist/local/act --use-new-action-cache -j spelling -s "GITHUB_TOKEN=$GH_TOKEN" 2>&1)
Describe issue
Using a fine-grained token that allows contents:read for a private repository, act (using --use-new-action-cache
) isn't able to retrieve my public action.
Link to GitHub repository
No response
Workflow content
name: Check Spelling
# Comment management is handled through a secondary job, for details see:
# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions
#
# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment
# (in odd cases, it might actually run just to collapse a comment, but that's fairly rare)
# it needs `contents: write` in order to add a comment.
#
# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment
# or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment)
# it needs `pull-requests: write` in order to manipulate those comments.
# Updating pull request branches is managed via comment handling.
# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
#
# These elements work together to make it happen:
#
# `on.issue_comment`
# This event listens to comments by users asking to update the metadata.
#
# `jobs.update`
# This job runs in response to an issue_comment and will push a new commit
# to update the spelling metadata.
#
# `with.experimental_apply_changes_via_bot`
# Tells the action to support and generate messages that enable it
# to make a commit to update the spelling metadata.
#
# `with.ssh_key`
# In order to trigger workflows when the commit is made, you can provide a
# secret (typically, a write-enabled github deploy key).
#
# For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
# Sarif reporting
#
# Access to Sarif reports is generally restricted (by GitHub) to members of the repository.
#
# Requires enabling `security-events: write`
# and configuring the action with `use_sarif: 1`
#
# For information on the feature, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Sarif-output
# Minimal workflow structure:
#
# on:
# push:
# ...
# pull_request_target:
# ...
# jobs:
# # you only want the spelling job, all others should be omitted
# spelling:
# # remove `security-events: write` and `use_sarif: 1`
# # remove `experimental_apply_changes_via_bot: 1`
# ... otherwise adjust the `with:` as you wish
on:
push:
branches:
- "**"
tags-ignore:
- "**"
pull_request_target:
branches:
- "**"
types:
- 'opened'
- 'reopened'
- 'synchronize'
issue_comment:
types:
- 'created'
jobs:
spelling:
name: Check Spelling
permissions:
contents: read
pull-requests: read
actions: read
outputs:
followup: ${{ steps.spelling.outputs.followup }}
runs-on: ubuntu-latest
if: ${{ contains(github.event_name, 'pull_request') || github.event_name == 'push' }}
concurrency:
group: spelling-${{ github.event.pull_request.number || github.ref }}
# note: If you use only_check_changed_files, you do not want cancel-in-progress
cancel-in-progress: true
steps:
- name: check-spelling
id: spelling
uses: check-spelling/check-spelling@prerelease
with:
config: .github/actions/spelling-data
suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
checkout: true
check_file_names: 1
spell_check_this: check-spelling/spell-check-this@prerelease
post_comment: 0
use_magic_file: 1
report-timing: 1
warnings: bad-regex,binary-file,deprecated-feature,ignored-expect-variant,large-file,limited-references,no-newline-at-eof,noisy-file,non-alpha-in-dictionary,token-is-substring,unexpected-line-ending,whitespace-in-dictionary,minified-file,unsupported-configuration,no-files-to-check
experimental_apply_changes_via_bot: 1
use_sarif: ${{ (!github.event.pull_request || (github.event.pull_request.head.repo.full_name == github.repository)) && 1 }}
extra_dictionary_limit: 20
extra_dictionaries:
cspell:software-terms/dict/softwareTerms.txt
comment-push:
name: Report (Push)
# If your workflow isn't running on push, you can remove this job
runs-on: ubuntu-latest
needs: spelling
permissions:
actions: read
contents: write
if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
steps:
- name: comment
uses: check-spelling/check-spelling@prerelease
with:
config: .github/actions/spelling-data
checkout: true
spell_check_this: check-spelling/spell-check-this@prerelease
task: ${{ needs.spelling.outputs.followup }}
comment-pr:
name: Report (PR)
# If you workflow isn't running on pull_request*, you can remove this job
runs-on: ubuntu-latest
needs: spelling
permissions:
actions: read
contents: read
pull-requests: write
if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
steps:
- name: comment
uses: check-spelling/check-spelling@prerelease
with:
config: .github/actions/spelling-data
checkout: true
spell_check_this: check-spelling/spell-check-this@prerelease
task: ${{ needs.spelling.outputs.followup }}
experimental_apply_changes_via_bot: 1
update:
name: Update PR
permissions:
contents: write
pull-requests: write
actions: read
runs-on: ubuntu-latest
if: ${{
github.event_name == 'issue_comment' &&
github.event.issue.pull_request &&
contains(github.event.comment.body, '@check-spelling-bot apply')
}}
concurrency:
group: spelling-update-${{ github.event.issue.number }}
cancel-in-progress: false
steps:
- name: apply spelling updates
uses: check-spelling/check-spelling@prerelease
with:
config: .github/actions/spelling-data
experimental_apply_changes_via_bot: 1
checkout: true
ssh_key: "${{ secrets.CHECK_SPELLING }}"
Relevant log output
> Error: failed to fetch "https://github.com/check-spelling/check-spelling" version "prerelease": authentication required
Additional information
https://github.com/settings/tokens?type=beta
https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28
Apparently I have an expired GITHUB_TOKEN in .secrets
which has precedence over the -s GITHUB_TOKEN=...
. This is undesirable.
Weird I have just created a fine grained PAT.
With almost no access, but - uses: actions/cache@refs/heads/main
and other public actions didn't break for me
Does act use the correct GITHUB_TOKEN?
Using - uses: christopherhx/ghat3@test
works, access denied for you
Using - uses: christopherhx/ghat2@test
access denied, but expeced
Using a .secrets
file with content
GITHUB_TOKEN=github_pat_...
BTW: I don't care about leaking these private repo names.
A .secrets
file with an invalid GITHUB_TOKEN secret seem to override the GITHUB_TOKEN passed from the cli.
Is that the bug you are seeing?
You're right, there was an expired token in .secrets
.
Sorry.