chore(deps): update workflow dependencies

chore(deps): update workflow dependencies (major) (#967 )
Reviewed-on: https://gitea.com/gitea/runner/pulls/967 Reviewed-by: techknowlogick <9+techknowlogick@noreply.gitea.com> Co-authored-by: Renovate Bot <renovate-bot@gitea.com> Co-committed-by: Renovate Bot <renovate-bot@gitea.com>
2026-05-14 20:03:24 +02:00 · 2026-05-14 16:58:49 +00:00 · 2026-05-14 16:54:48 +00:00 · 2026-05-14 05:52:41 +00:00 · 2026-05-14 05:39:28 +00:00 · 2026-05-14 02:29:05 +00:00
1192 changed files with 5061 additions and 261150 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,52 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# IntelliJ
+.idea
+# Goland's output filename can not be set manually
+/go_build_*
+
+# MS VSCode
+.vscode
+__debug_bin*
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*coverage.out
+coverage.all
+coverage.txt
+cpu.out
+
+*.db
+*.log
+
+/gitea-runner
+/debug
+
+/bin
+/dist
+/.env
+/.runner
+/config.yaml
+/Dockerfile
+.DS_Store
--- a/.editorconfig
+++ b/.editorconfig
@@ -12,5 +12,8 @@ insert_final_newline = true
 [*.{go}]
 indent_style = tab

+[go.*]
+indent_style = tab
+
 [Makefile]
 indent_style = tab
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -24,7 +24,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: goreleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser-pro
          args: release --nightly
@@ -57,22 +57,22 @@ jobs:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Echo the tag
-        run: echo "${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}"
+        run: echo "${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}"

      - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
@@ -82,4 +82,4 @@ jobs:
            linux/arm64
          push: true
          tags: |
-            ${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}
+            ${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -17,13 +17,13 @@ jobs:
          go-version-file: "go.mod"
      - name: Import GPG key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      - name: goreleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser-pro
          args: release
@@ -60,28 +60,23 @@ jobs:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Repo Meta
-        id: repo_meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-
      - name: "Docker meta"
        id: docker_meta
-        uses: https://github.com/docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: |
-            ${{ env.DOCKER_ORG }}/${{ steps.repo_meta.outputs.REPO_NAME }}
+            ${{ env.DOCKER_ORG }}/runner
          tags: |
            type=semver,pattern={{major}}.{{minor}}.{{patch}}
            type=semver,pattern={{major}}.{{minor}}
@@ -91,7 +86,7 @@ jobs:
            suffix=${{ matrix.variant.tag_suffix }},onlatest=true

      - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,7 +1,9 @@
 name: checks
 on:
-  - push
-  - pull_request
+  push:
+    branches:
+      - main
+  pull_request:

 jobs:
  lint:
@@ -17,4 +19,4 @@ jobs:
      - name: build
        run: make build
      - name: test
-        run: make test
+        run: make test
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-/act_runner
+/gitea-runner
 .env
 .runner
 coverage.txt
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -114,7 +114,7 @@ formatters:
      custom-order: true
      sections:
        - standard
-        - prefix(gitea.com/gitea/act_runner)
+        - prefix(gitea.com/gitea/runner)
        - blank
        - default
    gofumpt:
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,5 +1,7 @@
 version: 2

+project_name: gitea-runner
+
 before:
  hooks:
    - go mod tidy
@@ -63,7 +65,7 @@ builds:
  flags:
  - -trimpath
  ldflags:
-  - -s -w -X gitea.com/gitea/act_runner/internal/pkg/ver.version={{ .Summary }}
+  - -s -w -X gitea.com/gitea/runner/internal/pkg/ver.version={{ .Summary }}
  binary: >-
    {{ .ProjectName }}-
    {{- .Version }}-
@@ -86,7 +88,7 @@ blobs:
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    directory: "act_runner/{{.Version}}"
+    directory: "gitea-runner/{{.Version}}"
    extra_files:
      - glob: ./**.xz
      - glob: ./**.sha256
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,10 @@
+- Use `make help` to find available development targets
+- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
+- Run `make tidy` after any `go.mod` changes
+- Run single go unit tests with `go test -run '^TestName$' ./modulepath/`
+- Add the current year into the copyright header of new `.go` files
+- Ensure no trailing whitespace in edited files
+- Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
+- Preserve existing code comments, do not remove or rewrite comments that are still relevant
+- Include authorship attribution in issue and pull request comments
+- Add `Co-Authored-By` lines to all commits, indicating name and model used
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
--- a/14
+++ b/14
@@ -9,19 +9,19 @@ RUN apk add --no-cache make git
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-}

-COPY . /opt/src/act_runner
-WORKDIR /opt/src/act_runner
+COPY . /opt/src/runner
+WORKDIR /opt/src/runner

 RUN make clean && make build

 ### DIND VARIANT
 #
 #
-FROM docker:28-dind AS dind
+FROM docker:29-dind AS dind

 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -32,12 +32,12 @@ ENTRYPOINT ["s6-svscan","/etc/s6"]
 ### DIND-ROOTLESS VARIANT
 #
 #
-FROM docker:28-dind-rootless AS dind-rootless
+FROM docker:29-dind-rootless AS dind-rootless

 USER root
 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -56,7 +56,7 @@ ENTRYPOINT ["s6-svscan","/etc/s6"]
 FROM alpine AS basic
 RUN apk add --no-cache tini bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh

 VOLUME /data
--- a/78
+++ b/78
@@ -1,30 +1,30 @@
 DIST := dist
-EXECUTABLE := act_runner
+EXECUTABLE := gitea-runner
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 XGO_VERSION := go-1.26.x
-GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
 DARWIN_ARCHS ?= darwin-12/amd64,darwin-12/arm64
 WINDOWS_ARCHS ?= windows/amd64
 GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "generated.*")

-DOCKER_IMAGE ?= gitea/act_runner
+DOCKER_IMAGE ?= gitea/runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless

-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.3.0

-ifneq ($(shell uname), Darwin)
-	EXTLDFLAGS = -extldflags "-static" $(null)
-else
-	EXTLDFLAGS =
+STATIC ?=
+EXTLDFLAGS ?=
+ifneq ($(STATIC),)
+	EXTLDFLAGS = -extldflags "-static"
 endif

 ifeq ($(HAS_GO), GO)
@@ -67,12 +67,17 @@ else
 endif

 TAGS ?=
-LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)"
+LDFLAGS ?= -X "gitea.com/gitea/runner/internal/pkg/ver.version=v$(RELASE_VERSION)"

+.PHONY: all
 all: build

+.PHONY: help
+help: Makefile ## print Makefile help information.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile
+
 .PHONY: fmt
-fmt:
+fmt: ## format the Go code
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt

 .PHONY: go-check
@@ -81,7 +86,7 @@ go-check:
 	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
 	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Act Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
+		echo "Gitea Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
 		exit 1; \
 	fi

@@ -96,10 +101,14 @@ fmt-check: fmt

 .PHONY: deps-tools
 deps-tools: ## install tool dependencies
-	$(GO) install $(GOVULNCHECK_PACKAGE)
+	$(GO) install $(GOLANGCI_LINT_PACKAGE) & \
+	$(GO) install $(GXZ_PACKAGE) & \
+	$(GO) install $(XGO_PACKAGE) & \
+	$(GO) install $(GOVULNCHECK_PACKAGE) & \
+	wait

 .PHONY: lint
-lint: lint-go
+lint: lint-go ## lint everything

 .PHONY: lint-go
 lint-go: ## lint go files
@@ -114,58 +123,59 @@ security-check: deps-tools
 	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true

 .PHONY: tidy
-tidy:
+tidy: ## run go mod tidy
 	$(GO) mod tidy

 .PHONY: tidy-check
 tidy-check: tidy
-	@diff=$$(git diff -- go.mod go.sum); \
+	@diff=$$(git diff --color=always -- go.mod go.sum); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make tidy' and commit the result:"; \
-		echo "$${diff}"; \
+		printf "%s" "$${diff}"; \
 		exit 1; \
 	fi

-test: fmt-check security-check
+.PHONY: test
+test: fmt-check security-check ## test everything
 	@$(GO) test -race -short -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1

-install: $(GOFILES)
-	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'
+.PHONY: install
+install: $(GOFILES) ## install the runner binary via `go install`
+	$(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)'

-build: go-check $(EXECUTABLE)
+.PHONY: build
+build: go-check $(EXECUTABLE) ## build the runner binary

 $(EXECUTABLE): $(GOFILES)
-	$(GO) build -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o $@
+	$(GO) build -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@

 .PHONY: deps-backend
-deps-backend:
+deps-backend: ## install backend dependencies
 	$(GO) mod download
-	$(GO) install $(GXZ_PAGAGE)
-	$(GO) install $(XGO_PACKAGE)

 .PHONY: release
-release: release-windows release-linux release-darwin release-copy release-compress release-check
+release: release-windows release-linux release-darwin release-copy release-compress release-check ## build release artifacts

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif
@@ -180,18 +190,20 @@ release-check: | $(DIST_DIRS)

 .PHONY: release-compress
 release-compress: | $(DIST_DIRS)
-	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PAGAGE) -k -9 $${file}; done;
+	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PACKAGE) -k -9 $${file}; done;

 .PHONY: docker
-docker:
+docker: ## build the docker image
 	if ! docker buildx version >/dev/null 2>&1; then \
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .

-clean:
+.PHONY: clean
+clean: ## delete binary and coverage files
 	$(GO) clean -x -i ./...
 	rm -rf coverage.txt $(EXECUTABLE) $(DIST)

-version:
+.PHONY: version
+version: ## print the version
 	@echo $(VERSION)
--- a/README.md
+++ b/README.md
@@ -1,6 +1,4 @@
-# act runner
-
-Act runner is a runner for Gitea.
+# Gitea Runner

 ## Installation

@@ -10,7 +8,7 @@ Docker Engine Community version is required for docker mode. To install Docker C

 ### Download pre-built binary

-Visit [here](https://dl.gitea.com/act_runner/) and download the right version for your platform.
+Visit [here](https://dl.gitea.com/gitea-runner/) and download the right version for your platform.

 ### Build from source

@@ -26,8 +24,8 @@ make docker

 ## Quickstart

-Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it: 
-  
+Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it:
+
 ```ini
 [actions]
 ENABLED=true
@@ -36,7 +34,7 @@ ENABLED=true
 ### Register

 ```bash
-./act_runner register
+./gitea-runner register
 ```

 And you will be asked to input:
@@ -68,7 +66,7 @@ INFO Runner registered successfully.
 You can also register with command line arguments.

 ```bash
-./act_runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
+./gitea-runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
 ```

 If the registry succeed, it will run immediately. Next time, you could run the runner directly.
@@ -76,32 +74,69 @@ If the registry succeed, it will run immediately. Next time, you could run the r
 ### Run

 ```bash
-./act_runner daemon
+./gitea-runner daemon
 ```

 ### Run with docker

 ```bash
-docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/act_runner:nightly
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/runner:nightly
 ```

+Mount a volume on `/data` if you want the registration file and optional config to survive container recreation (see [scripts/run.sh](scripts/run.sh)).
+
 ### Configuration

-You can also configure the runner with a configuration file.
-The configuration file is a YAML file, you can generate a sample configuration file with `./act_runner generate-config`.
+The runner is configured with a YAML file. Generate a starting point (this matches what ships in the tree):

 ```bash
-./act_runner generate-config > config.yaml
+./gitea-runner generate-config > config.yaml
 ```

-You can specify the configuration file path with `-c`/`--config` argument.
+Pass it with `-c` / `--config` on any command that loads configuration (`register`, `daemon`, `cache-server`):

 ```bash
-./act_runner -c config.yaml register # register with config file
-./act_runner -c config.yaml daemon # run with config file
+./gitea-runner -c config.yaml register
+./gitea-runner -c config.yaml daemon
+./gitea-runner -c config.yaml cache-server
 ```

-You can read the latest version of the configuration file online at [config.example.yaml](internal/pkg/config/config.example.yaml).
+Every option is described in [config.example.yaml](internal/pkg/config/config.example.yaml) (the same content `generate-config` prints).
+
+#### Without a config file
+
+If you omit `-c`, built-in defaults apply (same as an empty YAML document). A small set of **deprecated** environment variables can still override parts of that default config, but **only when no `-c` path was given**; they are ignored if you use a config file:
+
+| Variable | Effect |
+| --- | --- |
+| `GITEA_DEBUG` | If true, sets log level to `debug` |
+| `GITEA_TRACE` | If true, sets log level to `trace` |
+| `GITEA_RUNNER_CAPACITY` | Concurrent jobs (integer) |
+| `GITEA_RUNNER_FILE` | Registration state file path (default `.runner`) |
+| `GITEA_RUNNER_ENVIRON` | Extra job env vars as comma-separated `KEY:VALUE` pairs |
+| `GITEA_RUNNER_ENV_FILE` | Path to an env file merged into job env (same idea as `runner.env_file` in YAML) |
+
+Prefer a YAML file for all settings.
+
+#### Registration vs config labels
+
+If `runner.labels` is set in the YAML file, those labels are used during `register` and the `--labels` CLI flag is ignored.
+
+#### External cache (`actions/cache`)
+
+If `cache.external_server` is set, you must set `cache.external_secret` to the same value on this runner and on the standalone cache server. Run the server with `gitea-runner cache-server` using a config that defines `cache.external_secret` (and matching `cache.dir` / host / port as needed). Flags `--dir`, `--host`, and `--port` on `cache-server` override the file.
+
+#### Official Docker image
+
+Besides `GITEA_INSTANCE_URL` and `GITEA_RUNNER_REGISTRATION_TOKEN`, the image entrypoint supports optional variables such as `CONFIG_FILE` (passed through as `-c`), `GITEA_RUNNER_LABELS`, `GITEA_RUNNER_EPHEMERAL`, `GITEA_RUNNER_ONCE`, `GITEA_RUNNER_NAME`, `GITEA_MAX_REG_ATTEMPTS`, `RUNNER_STATE_FILE`, and `GITEA_RUNNER_REGISTRATION_TOKEN_FILE`. See [scripts/run.sh](scripts/run.sh) for exact behavior.
+
+For a fuller container-oriented walkthrough, see [examples/docker](examples/docker/README.md).
+
+When `container.bind_workdir` is enabled, stale task workspace directories can be cleaned while the runner is idle:
+- directories older than `runner.workdir_cleanup_age` are removed (default: `24h`; set `0` to disable)
+- cleanup runs every `runner.idle_cleanup_interval` (default: `10m`; set `0` to disable)
+- only purely numeric subdirectories under `container.workdir_parent` are treated as task workspaces and may be removed
+- cleanup assumes `container.workdir_parent` is not shared across multiple runners

 ### Example Deployments

--- a/act/artifactcache/handler.go
+++ b/act/artifactcache/handler.go
@@ -5,21 +5,28 @@
 package artifactcache

 import (
+	"context"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
+	"sync"
 	"sync/atomic"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/julienschmidt/httprouter"
 	"github.com/sirupsen/logrus"
@@ -28,9 +35,36 @@ import (
 )

 const (
-	urlBase = "/_apis/artifactcache"
+	apiPath      = "/_apis/artifactcache"
+	internalPath = "/_internal"
+
+	// artifactURLTTL bounds how long a signed artifactLocation URL stays valid.
+	// Short enough that a leaked URL is near-worthless; long enough to let the
+	// @actions/cache client download a big blob that was returned from /cache.
+	artifactURLTTL = 10 * time.Minute
 )

+type credKey struct{}
+
+// JobCredential ties a per-job bearer token (ACTIONS_RUNTIME_TOKEN) to the
+// repository that owns it. Every cache entry is stamped with Repo on
+// reserve/commit and checked on read/write so one repo can never observe or
+// poison another repo's cache, even from inside a container that reaches the
+// cache server over the docker bridge network.
+type JobCredential struct {
+	Repo string
+}
+
+// credEntry holds a registered job's credential along with an active
+// registration count. RegisterJob is reference-counted so that if two tasks
+// briefly share an ACTIONS_RUNTIME_TOKEN — e.g. a runner that retries a task
+// after a crash before the old registration is revoked — the first task's
+// revoker does not cut the second task's auth out from under it.
+type credEntry struct {
+	cred JobCredential
+	refs int
+}
+
 type Handler struct {
 	dir      string
 	storage  *Storage
@@ -43,10 +77,36 @@ type Handler struct {
 	gcAt  time.Time

 	outboundIP string
+
+	// internalSecret guards /_internal/{register,revoke}. When set, a remote
+	// runner can use these endpoints to pre-register per-job
+	// ACTIONS_RUNTIME_TOKENs against this server, enabling the same
+	// per-job auth and repo scoping as the embedded handler over the
+	// network. Empty disables the control-plane entirely.
+	internalSecret string
+
+	// secret signs short-lived artifact download URLs. The @actions/cache
+	// toolkit does not send Authorization on the download request, so blob
+	// GETs authenticate via a per-URL HMAC signature with expiry rather than
+	// via the bearer token used for management endpoints.
+	secret []byte
+
+	credMu sync.RWMutex
+	creds  map[string]*credEntry
 }

-func StartHandler(dir, outboundIP string, port uint16, logger logrus.FieldLogger) (*Handler, error) {
-	h := &Handler{}
+// StartHandler opens the on-disk cache store and starts the HTTP server.
+//
+// internalSecret, when non-empty, enables a control-plane API at
+// /_internal/{register,revoke} that lets a remote runner pre-register the
+// per-job ACTIONS_RUNTIME_TOKENs it expects this server to honor. The
+// embedded in-process handler leaves it empty and registers tokens via the
+// in-process RegisterJob method directly.
+func StartHandler(dir, outboundIP string, port uint16, internalSecret string, logger logrus.FieldLogger) (*Handler, error) {
+	h := &Handler{
+		creds:          make(map[string]*credEntry),
+		internalSecret: internalSecret,
+	}

 	if logger == nil {
 		discard := logrus.New()
@@ -83,19 +143,37 @@ func StartHandler(dir, outboundIP string, port uint16, logger logrus.FieldLogger
 		h.outboundIP = ip.String()
 	}

+	secret, err := loadOrCreateSecret(dir)
+	if err != nil {
+		return nil, err
+	}
+	h.secret = secret
+
 	router := httprouter.New()
-	router.GET(urlBase+"/cache", h.middleware(h.find))
-	router.POST(urlBase+"/caches", h.middleware(h.reserve))
-	router.PATCH(urlBase+"/caches/:id", h.middleware(h.upload))
-	router.POST(urlBase+"/caches/:id", h.middleware(h.commit))
-	router.GET(urlBase+"/artifacts/:id", h.middleware(h.get))
-	router.POST(urlBase+"/clean", h.middleware(h.clean))
+	router.GET(apiPath+"/cache", h.bearerAuth(h.find))
+	router.POST(apiPath+"/caches", h.bearerAuth(h.reserve))
+	router.PATCH(apiPath+"/caches/:id", h.bearerAuth(h.upload))
+	router.POST(apiPath+"/caches/:id", h.bearerAuth(h.commit))
+	router.POST(apiPath+"/clean", h.bearerAuth(h.clean))
+	// Artifact GET is signed via query-string HMAC because @actions/cache
+	// does not attach Authorization when downloading archiveLocation.
+	router.GET(apiPath+"/artifacts/:id", h.signedURLAuth(h.get))
+	// Control-plane: a remote runner registers/revokes per-job tokens so the
+	// cache API can authenticate them. Always wired so the routes exist; the
+	// handlers themselves 401 when internalSecret is unset.
+	router.POST(internalPath+"/register", h.internalAuth(h.internalRegister))
+	router.POST(internalPath+"/revoke", h.internalAuth(h.internalRevoke))

 	h.router = router

 	h.gcCache()

-	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) // listen on all interfaces
+	// Listen on all interfaces. Binding to outboundIP only would give no real
+	// security benefit (it is the LAN/internet-facing address either way) and
+	// can break Docker Desktop variants where the host's outbound IP is not
+	// routable from inside the container network. Authentication is enforced
+	// by the bearer middleware and per-repo scoping, not by reachability.
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
 	if err != nil {
 		return nil, err
 	}
@@ -121,6 +199,91 @@ func (h *Handler) ExternalURL() string {
 		h.listener.Addr().(*net.TCPAddr).Port)
 }

+// RegisterJob makes token a valid bearer credential for cache requests from
+// the given repository and returns a function that removes it. The runner
+// calls this at job start and defers the returned func so that the credential
+// is only accepted while the job is running.
+//
+// Registrations are reference-counted: if a token is already registered, the
+// existing repo is kept and the refcount is incremented. The entry is
+// removed only when every revoker returned by RegisterJob has been called.
+// This keeps a stray re-registration from silently revoking a live job.
+func (h *Handler) RegisterJob(token, repo string) func() {
+	if h == nil || token == "" {
+		return func() {}
+	}
+	h.credMu.Lock()
+	if existing, ok := h.creds[token]; ok {
+		existing.refs++
+	} else {
+		h.creds[token] = &credEntry{
+			cred: JobCredential{Repo: repo},
+			refs: 1,
+		}
+	}
+	h.credMu.Unlock()
+	return func() {
+		h.credMu.Lock()
+		if entry, ok := h.creds[token]; ok {
+			entry.refs--
+			if entry.refs <= 0 {
+				delete(h.creds, token)
+			}
+		}
+		h.credMu.Unlock()
+	}
+}
+
+// RevokeJob explicitly revokes one registration of token, mirroring one call
+// of the closure returned by RegisterJob. Used by the control-plane endpoint
+// so a remote runner can revoke without holding the closure.
+func (h *Handler) RevokeJob(token string) {
+	if h == nil || token == "" {
+		return
+	}
+	h.credMu.Lock()
+	if entry, ok := h.creds[token]; ok {
+		entry.refs--
+		if entry.refs <= 0 {
+			delete(h.creds, token)
+		}
+	}
+	h.credMu.Unlock()
+}
+
+func (h *Handler) lookupCredential(token string) (JobCredential, bool) {
+	h.credMu.RLock()
+	entry, ok := h.creds[token]
+	h.credMu.RUnlock()
+	if !ok {
+		return JobCredential{}, false
+	}
+	return entry.cred, true
+}
+
+// loadOrCreateSecret returns the 32-byte HMAC signing key for artifact URLs,
+// persisted in dir/.secret so signed URLs handed out before a restart stay
+// valid across the restart and so the standalone cache-server can be pointed
+// at by config.Cache.ExternalServer without the URL rotating.
+func loadOrCreateSecret(dir string) ([]byte, error) {
+	path := filepath.Join(dir, ".secret")
+	if data, err := os.ReadFile(path); err == nil {
+		if secret, err := hex.DecodeString(strings.TrimSpace(string(data))); err == nil && len(secret) >= 32 {
+			return secret, nil
+		}
+	} else if !os.IsNotExist(err) {
+		return nil, fmt.Errorf("read cache secret: %w", err)
+	}
+	secret := make([]byte, 32)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, fmt.Errorf("generate cache secret: %w", err)
+	}
+	if err := os.WriteFile(path, []byte(hex.EncodeToString(secret)), 0o600); err != nil {
+		return nil, fmt.Errorf("write cache secret: %w", err)
+	}
+	return secret, nil
+}
+
 func (h *Handler) Close() error {
 	if h == nil {
 		return nil
@@ -160,11 +323,8 @@ func (h *Handler) openDB() (*bolthold.Store, error) {

 // GET /_apis/artifactcache/cache
 func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
 	keys := strings.Split(r.URL.Query().Get("keys"), ",")
-	// cache keys are case insensitive
-	for i, key := range keys {
-		keys[i] = strings.ToLower(key)
-	}
 	version := r.URL.Query().Get("version")

 	db, err := h.openDB()
@@ -174,7 +334,7 @@ func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 	}
 	defer db.Close()

-	cache, err := findCache(db, keys, version)
+	cache, err := findCache(db, cred.Repo, keys, version)
 	if err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
@@ -194,22 +354,22 @@ func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 	}
 	h.responseJSON(w, r, 200, map[string]any{
 		"result":          "hit",
-		"archiveLocation": fmt.Sprintf("%s%s/artifacts/%d", h.ExternalURL(), urlBase, cache.ID),
+		"archiveLocation": h.signedArtifactURL(cache.ID, time.Now().Add(artifactURLTTL)),
 		"cacheKey":        cache.Key,
 	})
 }

 // POST /_apis/artifactcache/caches
 func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
 	api := &Request{}
 	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
 		h.responseJSON(w, r, 400, err)
 		return
 	}
-	// cache keys are case insensitive
-	api.Key = strings.ToLower(api.Key)

 	cache := api.ToCache()
+	cache.Repo = cred.Repo
 	db, err := h.openDB()
 	if err != nil {
 		h.responseJSON(w, r, 500, err)
@@ -231,6 +391,7 @@ func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.P

 // PATCH /_apis/artifactcache/caches/:id
 func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
 	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
 	if err != nil {
 		h.responseJSON(w, r, 400, err)
@@ -253,6 +414,11 @@ func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprout
 		return
 	}

+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
 	if cache.Complete {
 		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
 		return
@@ -272,6 +438,7 @@ func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprout

 // POST /_apis/artifactcache/caches/:id
 func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
 	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
 	if err != nil {
 		h.responseJSON(w, r, 400, err)
@@ -294,6 +461,11 @@ func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprout
 		return
 	}

+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
 	if cache.Complete {
 		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
 		return
@@ -326,6 +498,10 @@ func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprout
 }

 // GET /_apis/artifactcache/artifacts/:id
+// Authenticated via signed URL (see signedURLAuth), not bearer, because the
+// @actions/cache toolkit downloads archiveLocation without Authorization.
+// Repository scoping is already enforced at find() time; the signature binds
+// the URL to the specific cache ID and an expiry.
 func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
 	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
 	if err != nil {
@@ -344,21 +520,158 @@ func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Par
 	h.responseJSON(w, r, 200)
 }

-func (h *Handler) middleware(handler httprouter.Handle) httprouter.Handle {
+// bearerAuth resolves ACTIONS_RUNTIME_TOKEN against the set of currently
+// registered jobs. A match attaches the job's JobCredential to the request
+// context; a miss returns 401 before the handler body runs.
+func (h *Handler) bearerAuth(handler httprouter.Handle) httprouter.Handle {
 	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-		h.logger.Debugf("%s %s", r.Method, r.RequestURI)
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		token := bearerToken(r)
+		if token == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing bearer token"))
+			return
+		}
+		cred, ok := h.lookupCredential(token)
+		if !ok {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("unknown bearer token"))
+			return
+		}
+		ctx := context.WithValue(r.Context(), credKey{}, cred)
+		handler(w, r.WithContext(ctx), params)
+		go h.gcCache()
+	}
+}
+
+func (h *Handler) signedURLAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, 400, err)
+			return
+		}
+		expStr := r.URL.Query().Get("exp")
+		sig := r.URL.Query().Get("sig")
+		if expStr == "" || sig == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing signature"))
+			return
+		}
+		exp, err := strconv.ParseInt(expStr, 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("invalid expiry"))
+			return
+		}
+		if time.Now().Unix() > exp {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("signature expired"))
+			return
+		}
+		expected := h.computeSignature(id, exp)
+		if !hmac.Equal([]byte(sig), []byte(expected)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("bad signature"))
+			return
+		}
 		handler(w, r, params)
 		go h.gcCache()
 	}
 }

+// internalAuth gates the control-plane endpoints. The bearer must
+// constant-time-equal the configured internalSecret. If the secret is empty,
+// the control-plane is disabled and every request gets 404 — which matches
+// the upstream nektos/act behavior of "the route does not exist".
+func (h *Handler) internalAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		if h.internalSecret == "" {
+			http.NotFound(w, r)
+			return
+		}
+		token := bearerToken(r)
+		if token == "" || !hmac.Equal([]byte(token), []byte(h.internalSecret)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("internal: bad secret"))
+			return
+		}
+		handler(w, r, params)
+	}
+}
+
+type internalRegisterBody struct {
+	Token string `json:"token"`
+	Repo  string `json:"repo"`
+}
+
+type internalRevokeBody struct {
+	Token string `json:"token"`
+}
+
+// POST /_internal/register
+func (h *Handler) internalRegister(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRegisterBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RegisterJob(body.Token, body.Repo)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+// POST /_internal/revoke
+func (h *Handler) internalRevoke(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRevokeBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RevokeJob(body.Token)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+func bearerToken(r *http.Request) string {
+	auth := r.Header.Get("Authorization")
+	const prefix = "Bearer "
+	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
+		return auth[len(prefix):]
+	}
+	return ""
+}
+
+func credFromContext(ctx context.Context) JobCredential {
+	if cred, ok := ctx.Value(credKey{}).(JobCredential); ok {
+		return cred
+	}
+	return JobCredential{}
+}
+
+func (h *Handler) computeSignature(cacheID, exp int64) string {
+	mac := hmac.New(sha256.New, h.secret)
+	fmt.Fprintf(mac, "%d:%d", cacheID, exp)
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+func (h *Handler) signedArtifactURL(cacheID uint64, exp time.Time) string {
+	expUnix := exp.Unix()
+	sig := h.computeSignature(int64(cacheID), expUnix)
+	q := url.Values{}
+	q.Set("exp", strconv.FormatInt(expUnix, 10))
+	q.Set("sig", sig)
+	return fmt.Sprintf("%s%s/artifacts/%d?%s", h.ExternalURL(), apiPath, cacheID, q.Encode())
+}
+
 // if not found, return (nil, nil) instead of an error.
-func findCache(db *bolthold.Store, keys []string, version string) (*Cache, error) {
+func findCache(db *bolthold.Store, repo string, keys []string, version string) (*Cache, error) {
 	cache := &Cache{}
 	for _, prefix := range keys {
 		// if a key in the list matches exactly, don't return partial matches
 		if err := db.FindOne(cache,
-			bolthold.Where("Key").Eq(prefix).
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").Eq(prefix).
 				And("Version").Eq(version).
 				And("Complete").Eq(true).
 				SortBy("CreatedAt").Reverse()); err == nil || !errors.Is(err, bolthold.ErrNotFound) {
@@ -373,7 +686,8 @@ func findCache(db *bolthold.Store, keys []string, version string) (*Cache, error
 			continue
 		}
 		if err := db.FindOne(cache,
-			bolthold.Where("Key").RegExp(re).
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").RegExp(re).
 				And("Version").Eq(version).
 				And("Complete").Eq(true).
 				SortBy("CreatedAt").Reverse()); err != nil {
@@ -419,7 +733,6 @@ const (
 	keepOld    = 5 * time.Minute
 )

-//nolint:gocyclo // function handles many cases
 func (h *Handler) gcCache() {
 	if h.gcing.Load() {
 		return
@@ -494,12 +807,16 @@ func (h *Handler) gcCache() {
 		}
 	}

-	// Remove the old caches with the same key and version, keep the latest one.
+	// Remove the old caches with the same key and version within the same
+	// repository, keep the latest one. Aggregation must include Repo so two
+	// repos that happen to share a (key, version) do not evict each other —
+	// otherwise per-repo scoping holds for reads but one repo can age
+	// another out after keepOld.
 	// Also keep the olds which have been used recently for a while in case of the cache is still in use.
 	if results, err := db.FindAggregate(
 		&Cache{},
 		bolthold.Where("Complete").Eq(true),
-		"Key", "Version",
+		"Repo", "Key", "Version",
 	); err != nil {
 		h.logger.Warnf("find aggregate caches: %v", err)
 	} else {
@@ -533,7 +850,7 @@ func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int,
 	if len(v) == 0 || v[0] == nil {
 		data, _ = json.Marshal(struct{}{})
 	} else if err, ok := v[0].(error); ok {
-		h.logger.Errorf("%v %v: %v", r.Method, r.RequestURI, err)
+		h.logger.Errorf("%v %v: %v", r.Method, r.URL.Path, err)
 		data, _ = json.Marshal(map[string]any{
 			"error": err.Error(),
 		})
--- a/act/artifactcache/handler_test.go
+++ b/act/artifactcache/handler_test.go
@@ -22,12 +22,38 @@ import (
 	"go.etcd.io/bbolt"
 )

+// testToken is registered with the cache server in every test that needs to
+// make authenticated requests; testClient then attaches it as the
+// Authorization: Bearer header. testRepo is the repository scope used when
+// registering it; cross-repo isolation is exercised in its own test.
+const (
+	testToken = "test-runtime-token"
+	testRepo  = "owner/repo"
+)
+
+type bearerTransport struct{ token string }
+
+func (b *bearerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
+	r.Header.Set("Authorization", "Bearer "+b.token)
+	return http.DefaultTransport.RoundTrip(r)
+}
+
+var testClient = &http.Client{Transport: &bearerTransport{token: testToken}}
+
+// signArtifactURL builds a signed download URL the same way the server does;
+// tests use it to reach the get handler directly without going through a
+// find/cache-hit round trip.
+func signArtifactURL(h *Handler, id int64) string {
+	return h.signedArtifactURL(uint64(id), time.Now().Add(artifactURLTTL))
+}
+
 func TestHandler(t *testing.T) {
 	dir := filepath.Join(t.TempDir(), "artifactcache")
-	handler, err := StartHandler(dir, "", 0, nil)
+	handler, err := StartHandler(dir, "", 0, "", nil)
 	require.NoError(t, err)
+	handler.RegisterJob(testToken, testRepo)

-	base := fmt.Sprintf("%s%s", handler.ExternalURL(), urlBase)
+	base := fmt.Sprintf("%s%s", handler.ExternalURL(), apiPath)

 	defer func() {
 		t.Run("inpect db", func(t *testing.T) {
@@ -45,7 +71,10 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, handler.Close())
 			assert.Nil(t, handler.server)
 			assert.Nil(t, handler.listener)
-			_, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 1), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, 1), "", nil)
+			if err == nil {
+				resp.Body.Close()
+			}
 			assert.Error(t, err)
 		})
 	}()
@@ -53,8 +82,9 @@ func TestHandler(t *testing.T) {
 	t.Run("get not exist", func(t *testing.T) {
 		key := strings.ToLower(t.Name())
 		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
-		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 204, resp.StatusCode)
 	})

@@ -68,16 +98,18 @@ func TestHandler(t *testing.T) {
 	})

 	t.Run("clean", func(t *testing.T) {
-		resp, err := http.Post(base+"/clean", "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Post(base+"/clean", "", nil)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 200, resp.StatusCode)
 	})

 	t.Run("reserve with bad request", func(t *testing.T) {
 		body := []byte(`invalid json`)
 		require.NoError(t, err)
-		resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 400, resp.StatusCode)
 	})

@@ -94,8 +126,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			require.NoError(t, json.NewDecoder(resp.Body).Decode(&first))
@@ -108,8 +141,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			require.NoError(t, json.NewDecoder(resp.Body).Decode(&second))
@@ -125,8 +159,9 @@ func TestHandler(t *testing.T) {
 		require.NoError(t, err)
 		req.Header.Set("Content-Type", "application/octet-stream")
 		req.Header.Set("Content-Range", "bytes 0-99/*")
-		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Do(req)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 400, resp.StatusCode)
 	})

@@ -136,8 +171,9 @@ func TestHandler(t *testing.T) {
 		require.NoError(t, err)
 		req.Header.Set("Content-Type", "application/octet-stream")
 		req.Header.Set("Content-Range", "bytes 0-99/*")
-		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Do(req)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 400, resp.StatusCode)
 	})

@@ -155,8 +191,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			got := struct {
@@ -171,13 +208,15 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Content-Type", "application/octet-stream")
 			req.Header.Set("Content-Range", "bytes 0-99/*")
-			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Do(req)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)
 		}
 		{
-			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)
 		}
 		{
@@ -186,8 +225,9 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Content-Type", "application/octet-stream")
 			req.Header.Set("Content-Range", "bytes 0-99/*")
-			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Do(req)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 400, resp.StatusCode)
 		}
 	})
@@ -206,8 +246,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			got := struct {
@@ -222,24 +263,27 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Content-Type", "application/octet-stream")
 			req.Header.Set("Content-Range", "bytes xx-99/*")
-			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Do(req)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 400, resp.StatusCode)
 		}
 	})

 	t.Run("commit with bad id", func(t *testing.T) {
 		{
-			resp, err := http.Post(base+"/caches/invalid_id", "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches/invalid_id", "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 400, resp.StatusCode)
 		}
 	})

 	t.Run("commit with not exist id", func(t *testing.T) {
 		{
-			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 100), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, 100), "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 400, resp.StatusCode)
 		}
 	})
@@ -258,8 +302,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			got := struct {
@@ -274,18 +319,21 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Content-Type", "application/octet-stream")
 			req.Header.Set("Content-Range", "bytes 0-99/*")
-			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Do(req)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)
 		}
 		{
-			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)
 		}
 		{
-			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 400, resp.StatusCode)
 		}
 	})
@@ -304,8 +352,9 @@ func TestHandler(t *testing.T) {
 				Size:    100,
 			})
 			require.NoError(t, err)
-			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)

 			got := struct {
@@ -320,32 +369,37 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Content-Type", "application/octet-stream")
 			req.Header.Set("Content-Range", "bytes 0-59/*")
-			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Do(req)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 200, resp.StatusCode)
 		}
 		{
-			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			assert.Equal(t, 500, resp.StatusCode)
 		}
 	})

 	t.Run("get with bad id", func(t *testing.T) {
-		resp, err := http.Get(base + "/artifacts/invalid_id") //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(base + "/artifacts/invalid_id")
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 400, resp.StatusCode)
 	})

 	t.Run("get with not exist id", func(t *testing.T) {
-		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(signArtifactURL(handler, 100))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 404, resp.StatusCode)
 	})

 	t.Run("get with not exist id", func(t *testing.T) {
-		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(signArtifactURL(handler, 100))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 404, resp.StatusCode)
 	})

@@ -375,8 +429,9 @@ func TestHandler(t *testing.T) {
 			key + "_a",
 		}, ",")

-		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 200, resp.StatusCode)

 		/*
@@ -395,26 +450,31 @@ func TestHandler(t *testing.T) {
 		assert.Equal(t, "hit", got.Result)
 		assert.Equal(t, keys[except], got.CacheKey)

-		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		contentResp, err := testClient.Get(got.ArchiveLocation)
 		require.NoError(t, err)
+		defer contentResp.Body.Close()
 		require.Equal(t, 200, contentResp.StatusCode)
 		content, err := io.ReadAll(contentResp.Body)
 		require.NoError(t, err)
 		assert.Equal(t, contents[except], content)
 	})

-	t.Run("case insensitive", func(t *testing.T) {
+	t.Run("case preserved", func(t *testing.T) {
+		// Some actions (e.g. actions/setup-go, actions/setup-node) build cache keys that contain mixed-case fragments such as RUNNER_OS=Linux,
+		// then compare the cacheKey returned by the cache server to their original key with case-sensitive equality to decide whether the
+		// cache was a complete hit. The server must therefore preserve the original key case.
+
 		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
-		key := strings.ToLower(t.Name())
+		key := strings.ToLower(t.Name()) + "_ABC"
 		content := make([]byte, 100)
 		_, err := rand.Read(content)
 		require.NoError(t, err)
-		uploadCacheNormally(t, base, key+"_ABC", version, content)
+		uploadCacheNormally(t, base, key, version, content)

 		{
-			reqKey := key + "_aBc"
-			resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKey, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+			resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
 			require.NoError(t, err)
+			defer resp.Body.Close()
 			require.Equal(t, 200, resp.StatusCode)
 			got := struct {
 				Result          string `json:"result"`
@@ -423,7 +483,8 @@ func TestHandler(t *testing.T) {
 			}{}
 			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
 			assert.Equal(t, "hit", got.Result)
-			assert.Equal(t, key+"_abc", got.CacheKey)
+			assert.Equal(t, key, got.CacheKey)
+			assert.NotEqual(t, strings.ToLower(key), got.CacheKey)
 		}
 	})

@@ -452,8 +513,9 @@ func TestHandler(t *testing.T) {
 			key + "_a_b",
 		}, ",")

-		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 200, resp.StatusCode)

 		/*
@@ -470,8 +532,9 @@ func TestHandler(t *testing.T) {
 		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
 		assert.Equal(t, keys[expect], got.CacheKey)

-		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		contentResp, err := testClient.Get(got.ArchiveLocation)
 		require.NoError(t, err)
+		defer contentResp.Body.Close()
 		require.Equal(t, 200, contentResp.StatusCode)
 		content, err := io.ReadAll(contentResp.Body)
 		require.NoError(t, err)
@@ -504,8 +567,9 @@ func TestHandler(t *testing.T) {
 			key + "_a_b",
 		}, ",")

-		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 200, resp.StatusCode)

 		/*
@@ -523,8 +587,9 @@ func TestHandler(t *testing.T) {
 		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
 		assert.Equal(t, keys[expect], got.CacheKey)

-		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		contentResp, err := testClient.Get(got.ArchiveLocation)
 		require.NoError(t, err)
+		defer contentResp.Body.Close()
 		require.Equal(t, 200, contentResp.StatusCode)
 		content, err := io.ReadAll(contentResp.Body)
 		require.NoError(t, err)
@@ -541,8 +606,9 @@ func uploadCacheNormally(t *testing.T, base, key, version string, content []byte
 			Size:    int64(len(content)),
 		})
 		require.NoError(t, err)
-		resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Post(base+"/caches", "application/json", bytes.NewReader(body))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 200, resp.StatusCode)

 		got := struct {
@@ -557,19 +623,22 @@ func uploadCacheNormally(t *testing.T, base, key, version string, content []byte
 		require.NoError(t, err)
 		req.Header.Set("Content-Type", "application/octet-stream")
 		req.Header.Set("Content-Range", "bytes 0-99/*")
-		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Do(req)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 200, resp.StatusCode)
 	}
 	{
-		resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		assert.Equal(t, 200, resp.StatusCode)
 	}
 	var archiveLocation string
 	{
-		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 200, resp.StatusCode)
 		got := struct {
 			Result          string `json:"result"`
@@ -578,12 +647,13 @@ func uploadCacheNormally(t *testing.T, base, key, version string, content []byte
 		}{}
 		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
 		assert.Equal(t, "hit", got.Result)
-		assert.Equal(t, strings.ToLower(key), got.CacheKey)
+		assert.Equal(t, key, got.CacheKey)
 		archiveLocation = got.ArchiveLocation
 	}
 	{
-		resp, err := http.Get(archiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		resp, err := testClient.Get(archiveLocation)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 		require.Equal(t, 200, resp.StatusCode)
 		got, err := io.ReadAll(resp.Body)
 		require.NoError(t, err)
@@ -593,7 +663,7 @@ func uploadCacheNormally(t *testing.T, base, key, version string, content []byte

 func TestHandler_gcCache(t *testing.T) {
 	dir := filepath.Join(t.TempDir(), "artifactcache")
-	handler, err := StartHandler(dir, "", 0, nil)
+	handler, err := StartHandler(dir, "", 0, "", nil)
 	require.NoError(t, err)

 	defer func() {
@@ -699,3 +769,421 @@ func TestHandler_gcCache(t *testing.T) {
 	}
 	require.NoError(t, db.Close())
 }
+
+// TestHandler_RejectsMissingBearer covers the advisory's root cause:
+// unauthenticated access to management endpoints is now refused with 401.
+func TestHandler_RejectsMissingBearer(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	base := handler.ExternalURL() + apiPath
+
+	for _, tc := range []struct {
+		name   string
+		method string
+		path   string
+		body   string
+	}{
+		{"find", http.MethodGet, "/cache?keys=x&version=y", ""},
+		{"reserve", http.MethodPost, "/caches", "{}"},
+		{"upload", http.MethodPatch, "/caches/1", ""},
+		{"commit", http.MethodPost, "/caches/1", ""},
+		{"clean", http.MethodPost, "/clean", ""},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			req, err := http.NewRequest(tc.method, base+tc.path, strings.NewReader(tc.body))
+			require.NoError(t, err)
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			resp.Body.Close()
+			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+		})
+	}
+}
+
+// TestHandler_RejectsUnknownBearer verifies that a bearer token is only
+// accepted after RegisterJob; stale/forged tokens cannot be replayed.
+func TestHandler_RejectsUnknownBearer(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	base := handler.ExternalURL() + apiPath
+
+	req, err := http.NewRequest(http.MethodGet, base+"/cache?keys=x&version=y", nil)
+	require.NoError(t, err)
+	req.Header.Set("Authorization", "Bearer not-a-registered-token")
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+}
+
+// TestHandler_UnregisterRevokes ensures that the function returned by
+// RegisterJob invalidates the credential, so a token leaked at job time stops
+// working the moment the job ends instead of living for the runner's lifetime.
+func TestHandler_UnregisterRevokes(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	unregister := handler.RegisterJob("tmp-token", testRepo)
+
+	base := handler.ExternalURL() + apiPath
+	req, err := http.NewRequest(http.MethodGet, base+"/cache?keys=x&version=y", nil)
+	require.NoError(t, err)
+	req.Header.Set("Authorization", "Bearer tmp-token")
+
+	resp, err := http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.NotEqual(t, http.StatusUnauthorized, resp.StatusCode)
+
+	unregister()
+
+	resp, err = http.DefaultClient.Do(req)
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+}
+
+// TestHandler_CrossRepoIsolation addresses the intra-runner poisoning vector
+// raised in GHSA-82g9-637c-2fx2: job containers can reach the cache server
+// over the docker bridge, so IP allowlisting alone does not stop a malicious
+// PR run from another repo. A cache entry created under repoA must be
+// invisible to queries scoped to repoB.
+func TestHandler_CrossRepoIsolation(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+	handler.RegisterJob("token-a", "owner/repoA")
+	handler.RegisterJob("token-b", "owner/repoB")
+
+	base := handler.ExternalURL() + apiPath
+	key := "shared-key"
+	version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+	content := []byte("repoA-payload")
+
+	clientA := &http.Client{Transport: &bearerTransport{token: "token-a"}}
+	clientB := &http.Client{Transport: &bearerTransport{token: "token-b"}}
+
+	// repoA reserves + uploads + commits.
+	reserveBody, err := json.Marshal(&Request{Key: key, Version: version, Size: int64(len(content))})
+	require.NoError(t, err)
+	resp, err := clientA.Post(base+"/caches", "application/json", bytes.NewReader(reserveBody))
+	require.NoError(t, err)
+	var reserved struct {
+		CacheID uint64 `json:"cacheId"`
+	}
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&reserved))
+	resp.Body.Close()
+	require.NotZero(t, reserved.CacheID)
+
+	req, err := http.NewRequest(http.MethodPatch, fmt.Sprintf("%s/caches/%d", base, reserved.CacheID), bytes.NewReader(content))
+	require.NoError(t, err)
+	req.Header.Set("Content-Range", fmt.Sprintf("bytes 0-%d/*", len(content)-1))
+	resp, err = clientA.Do(req)
+	require.NoError(t, err)
+	resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	resp, err = clientA.Post(fmt.Sprintf("%s/caches/%d", base, reserved.CacheID), "", nil)
+	require.NoError(t, err)
+	resp.Body.Close()
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	// repoB with a matching key and version must NOT see repoA's cache.
+	resp, err = clientB.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+
+	// repoA still sees its own cache.
+	resp, err = clientA.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	// repoB cannot upload to repoA's reserved id either (forbidden, not 401).
+	req, err = http.NewRequest(http.MethodPatch, fmt.Sprintf("%s/caches/%d", base, reserved.CacheID), bytes.NewReader([]byte("poison")))
+	require.NoError(t, err)
+	req.Header.Set("Content-Range", "bytes 0-5/*")
+	resp, err = clientB.Do(req)
+	require.NoError(t, err)
+	resp.Body.Close()
+	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+}
+
+// TestHandler_ArtifactSignature verifies that archive downloads reject
+// missing / tampered / expired signatures, so a leaked archiveLocation stops
+// working after artifactURLTTL even if the bearer token is still registered.
+func TestHandler_ArtifactSignature(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+	handler.RegisterJob(testToken, testRepo)
+
+	base := handler.ExternalURL() + apiPath
+
+	t.Run("missing signature", func(t *testing.T) {
+		resp, err := testClient.Get(fmt.Sprintf("%s/artifacts/%d", base, 1))
+		require.NoError(t, err)
+		resp.Body.Close()
+		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	})
+
+	t.Run("tampered signature", func(t *testing.T) {
+		good := handler.signedArtifactURL(1, time.Now().Add(artifactURLTTL))
+		bad := good[:len(good)-4] + "dead"
+		resp, err := testClient.Get(bad)
+		require.NoError(t, err)
+		resp.Body.Close()
+		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	})
+
+	t.Run("expired signature", func(t *testing.T) {
+		expired := handler.signedArtifactURL(1, time.Now().Add(-time.Second))
+		resp, err := testClient.Get(expired)
+		require.NoError(t, err)
+		resp.Body.Close()
+		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	})
+
+	t.Run("signature from a different server", func(t *testing.T) {
+		dir2 := filepath.Join(t.TempDir(), "artifactcache2")
+		other, err := StartHandler(dir2, "", 0, "", nil)
+		require.NoError(t, err)
+		defer other.Close()
+		otherURL := other.signedArtifactURL(1, time.Now().Add(artifactURLTTL))
+		// Rewrite the host so the request still lands on our handler, but
+		// the signature was computed with a different secret.
+		parts := strings.SplitN(otherURL, apiPath, 2)
+		forged := base + parts[1]
+		resp, err := testClient.Get(forged)
+		require.NoError(t, err)
+		resp.Body.Close()
+		assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	})
+}
+
+// TestHandler_SecretPersistsAcrossRestarts is the property that lets
+// gitea-runner cache-server be pointed at via cfg.Cache.ExternalServer: a
+// restart must not invalidate signed URLs the handler has already issued
+// (within their expiry window).
+func TestHandler_SecretPersistsAcrossRestarts(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+
+	first, err := StartHandler(dir, "127.0.0.1", 0, "", nil)
+	require.NoError(t, err)
+	exp := time.Now().Add(artifactURLTTL).Unix()
+	sig := first.computeSignature(42, exp)
+	require.NoError(t, first.Close())
+
+	second, err := StartHandler(dir, "127.0.0.1", 0, "", nil)
+	require.NoError(t, err)
+	defer second.Close()
+
+	assert.Equal(t, sig, second.computeSignature(42, exp))
+}
+
+// TestHandler_ArtifactSignatureDownload is a happy-path round trip that
+// ensures a real reserve/upload/commit/find/download flow still works after
+// the auth refactor.
+func TestHandler_ArtifactSignatureDownload(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+	handler.RegisterJob(testToken, testRepo)
+
+	base := handler.ExternalURL() + apiPath
+	key := "download-key"
+	version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+	content := []byte("hello")
+	uploadCacheNormally(t, base, key, version, content)
+
+	resp, err := testClient.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+	var hit struct {
+		ArchiveLocation string `json:"archiveLocation"`
+	}
+	require.NoError(t, json.NewDecoder(resp.Body).Decode(&hit))
+	resp.Body.Close()
+
+	require.Contains(t, hit.ArchiveLocation, "sig=")
+	require.Contains(t, hit.ArchiveLocation, "exp=")
+
+	// Download without any Authorization header — the signature alone must
+	// be enough, because @actions/cache downloads archiveLocation unauth'd.
+	dl, err := http.Get(hit.ArchiveLocation)
+	require.NoError(t, err)
+	body, err := io.ReadAll(dl.Body)
+	dl.Body.Close()
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, dl.StatusCode)
+	assert.Equal(t, content, body)
+}
+
+// TestHandler_RegisterJob_RefCounted verifies that a duplicate RegisterJob
+// for the same token does not silently revoke the first registration on the
+// first revoker call. This matters if a runner ever re-registers a token
+// (restart mid-task, retry), which must not kill the live job's auth.
+func TestHandler_RegisterJob_RefCounted(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	first := handler.RegisterJob("shared", testRepo)
+	second := handler.RegisterJob("shared", testRepo)
+
+	base := handler.ExternalURL() + apiPath
+	probe := func() int {
+		req, err := http.NewRequest(http.MethodGet, base+"/cache?keys=x&version=v", nil)
+		require.NoError(t, err)
+		req.Header.Set("Authorization", "Bearer shared")
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		resp.Body.Close()
+		return resp.StatusCode
+	}
+
+	require.NotEqual(t, http.StatusUnauthorized, probe())
+	first()
+	assert.NotEqual(t, http.StatusUnauthorized, probe(),
+		"token must stay valid while another registration holds the refcount")
+	second()
+	assert.Equal(t, http.StatusUnauthorized, probe(),
+		"token is revoked only after every revoker has run")
+}
+
+// TestHandler_GC_PerRepoDedup ensures duplicate-pruning does not evict
+// another repo's entry. Two repos reserve the same (key, version); after the
+// keepOld window, GC must keep the one from each repo.
+func TestHandler_GC_PerRepoDedup(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+	handler.RegisterJob("tok-a", "owner/repoA")
+	handler.RegisterJob("tok-b", "owner/repoB")
+
+	key := "shared-dedup-key"
+	version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+
+	// Seed one completed cache per repo directly via the DB, bypassing the
+	// HTTP round trip so we can precisely control UsedAt.
+	db, err := handler.openDB()
+	require.NoError(t, err)
+	now := time.Now().Unix()
+	stale := time.Now().Add(-keepOld - time.Minute).Unix()
+	a := &Cache{Repo: "owner/repoA", Key: key, Version: version, Complete: true, CreatedAt: stale, UsedAt: stale, Size: 1}
+	b := &Cache{Repo: "owner/repoB", Key: key, Version: version, Complete: true, CreatedAt: now, UsedAt: now, Size: 1}
+	require.NoError(t, insertCache(db, a))
+	require.NoError(t, insertCache(db, b))
+	// Write the backing blobs so the dedup deletion has something to remove.
+	require.NoError(t, handler.storage.Write(a.ID, 0, strings.NewReader("a")))
+	_, err = handler.storage.Commit(a.ID, 1)
+	require.NoError(t, err)
+	require.NoError(t, handler.storage.Write(b.ID, 0, strings.NewReader("b")))
+	_, err = handler.storage.Commit(b.ID, 1)
+	require.NoError(t, err)
+	require.NoError(t, db.Close())
+
+	// Force GC to run regardless of the cooldown.
+	handler.gcAt = time.Time{}
+	handler.gcCache()
+
+	db, err = handler.openDB()
+	require.NoError(t, err)
+	defer db.Close()
+	var after []Cache
+	require.NoError(t, db.Find(&after, bolthold.Where("Key").Eq(key).And("Version").Eq(version)))
+
+	repos := make(map[string]bool)
+	for _, c := range after {
+		repos[c.Repo] = true
+	}
+	assert.True(t, repos["owner/repoA"], "repoA's cache must survive dedup against repoB")
+	assert.True(t, repos["owner/repoB"], "repoB's cache must survive dedup against repoA")
+}
+
+// TestHandler_InternalAPI_Disabled verifies that without an internalSecret
+// the control-plane routes are 404 — operators can't accidentally hit
+// register/revoke when the feature is off.
+func TestHandler_InternalAPI_Disabled(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, "", nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	for _, ep := range []string{"/_internal/register", "/_internal/revoke"} {
+		resp, err := http.Post(handler.ExternalURL()+ep, "application/json", strings.NewReader(`{}`))
+		require.NoError(t, err)
+		resp.Body.Close()
+		assert.Equal(t, http.StatusNotFound, resp.StatusCode, ep)
+	}
+}
+
+// TestHandler_InternalAPI_AuthAndUsage covers the control-plane: bad/missing
+// secret → 401, malformed body → 400, happy path round-trips a token through
+// register → cache-API accepts it → revoke → cache-API rejects it.
+func TestHandler_InternalAPI_AuthAndUsage(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	const secret = "internal-secret"
+	handler, err := StartHandler(dir, "", 0, secret, nil)
+	require.NoError(t, err)
+	defer handler.Close()
+
+	base := handler.ExternalURL()
+
+	post := func(path, bearer, body string) int {
+		req, err := http.NewRequest(http.MethodPost, base+path, strings.NewReader(body))
+		require.NoError(t, err)
+		if bearer != "" {
+			req.Header.Set("Authorization", "Bearer "+bearer)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		resp.Body.Close()
+		return resp.StatusCode
+	}
+
+	t.Run("missing secret 401", func(t *testing.T) {
+		assert.Equal(t, http.StatusUnauthorized, post("/_internal/register", "", `{"token":"x","repo":"r"}`))
+	})
+	t.Run("wrong secret 401", func(t *testing.T) {
+		assert.Equal(t, http.StatusUnauthorized, post("/_internal/register", "wrong", `{"token":"x","repo":"r"}`))
+	})
+	t.Run("malformed body 400", func(t *testing.T) {
+		assert.Equal(t, http.StatusBadRequest, post("/_internal/register", secret, `not json`))
+	})
+	t.Run("missing token 400", func(t *testing.T) {
+		assert.Equal(t, http.StatusBadRequest, post("/_internal/register", secret, `{"repo":"r"}`))
+	})
+
+	t.Run("register then revoke round-trip", func(t *testing.T) {
+		probe := func(token string) int {
+			req, _ := http.NewRequest(http.MethodGet, base+apiPath+"/cache?keys=k&version=v", nil)
+			req.Header.Set("Authorization", "Bearer "+token)
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			resp.Body.Close()
+			return resp.StatusCode
+		}
+
+		assert.Equal(t, http.StatusUnauthorized, probe("via-internal-api"))
+		assert.Equal(t, http.StatusOK, post("/_internal/register", secret, `{"token":"via-internal-api","repo":"owner/repo"}`))
+		assert.NotEqual(t, http.StatusUnauthorized, probe("via-internal-api"))
+		assert.Equal(t, http.StatusOK, post("/_internal/revoke", secret, `{"token":"via-internal-api"}`))
+		assert.Equal(t, http.StatusUnauthorized, probe("via-internal-api"))
+	})
+}
--- a/act/artifactcache/model.go
+++ b/act/artifactcache/model.go
@@ -29,6 +29,7 @@ func (c *Request) ToCache() *Cache {

 type Cache struct {
 	ID        uint64 `json:"id" boltholdKey:"ID"`
+	Repo      string `json:"repo" boltholdIndex:"Repo"`
 	Key       string `json:"key" boltholdIndex:"Key"`
 	Version   string `json:"version" boltholdIndex:"Version"`
 	Size      int64  `json:"cacheSize"`
--- a/act/artifactcache/testdata/example/example.yaml
+++ b/act/artifactcache/testdata/example/example.yaml
@@ -1,30 +0,0 @@
-# Copied from https://github.com/actions/cache#example-cache-workflow
-name: Caching Primes
-
-on: push
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      - run: env
-
-      - uses: actions/checkout@v3
-
-      - name: Cache Primes
-        id: cache-primes
-        uses: actions/cache@v3
-        with:
-          path: prime-numbers
-          key: ${{ runner.os }}-primes-${{ github.run_id }}
-          restore-keys: |
-            ${{ runner.os }}-primes
-            ${{ runner.os }}
-
-      - name: Generate Prime Numbers
-        if: steps.cache-primes.outputs.cache-hit != 'true'
-        run: cat /proc/sys/kernel/random/uuid > prime-numbers
-
-      - name: Use Prime Numbers
-        run: cat prime-numbers
--- a/act/artifacts/server.go
+++ b/act/artifacts/server.go
@@ -17,7 +17,7 @@ import (
 	"strings"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/julienschmidt/httprouter"
 )
--- a/act/artifacts/server_test.go
+++ b/act/artifacts/server_test.go
@@ -17,8 +17,8 @@ import (
 	"testing"
 	"testing/fstest"

-	"gitea.com/gitea/act_runner/act/model"
-	"gitea.com/gitea/act_runner/act/runner"
+	"gitea.com/gitea/runner/act/model"
+	"gitea.com/gitea/runner/act/runner"

 	"github.com/julienschmidt/httprouter"
 	log "github.com/sirupsen/logrus"
@@ -202,7 +202,7 @@ func TestListArtifactContainer(t *testing.T) {
 		panic(err)
 	}

-	assert.Equal(1, len(response.Value)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Len(response.Value, 1)
 	assert.Equal("some/file", response.Value[0].Path)
 	assert.Equal("file", response.Value[0].ItemType)
 	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
@@ -260,7 +260,7 @@ func TestArtifactFlow(t *testing.T) {
 	defer cancel()

 	platforms := map[string]string{
-		"ubuntu-latest": "node:16-buster", // Don't use node:16-buster-slim because it doesn't have curl command, which is used in the tests
+		"ubuntu-latest": "node:24-bookworm", // Don't use node:24-bookworm-slim because it doesn't have curl command, which is used in the tests
 	}

 	tables := []TestJobFileInfo{
@@ -283,7 +283,7 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 		}

 		workdir, err := filepath.Abs(tjfi.workdir)
-		assert.Nil(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.NoError(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
 		fullWorkflowPath := filepath.Join(workdir, tjfi.workflowPath)
 		runnerConfig := &runner.Config{
 			Workdir:               workdir,
@@ -299,16 +299,16 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 		}

 		runner, err := runner.New(runnerConfig)
-		assert.Nil(t, err, tjfi.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.NoError(t, err, tjfi.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act

 		planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
-		assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act

 		plan, err := planner.PlanEvent(tjfi.eventName)
 		if err == nil {
 			err = runner.NewPlanExecutor(plan)(ctx)
 			if tjfi.errorMessage == "" {
-				assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
 			} else {
 				assert.Error(t, err, tjfi.errorMessage) //nolint:testifylint // pre-existing issue from nektos/act
 			}
--- a/act/common/cartesian.go
+++ b/act/common/cartesian.go
@@ -4,6 +4,8 @@

 package common

+import "slices"
+
 // CartesianProduct takes map of lists and returns list of unique tuples
 func CartesianProduct(mapOfLists map[string][]any) []map[string]any {
 	listNames := make([]string, 0)
@@ -46,7 +48,7 @@ func cartN(a ...[]any) [][]any {
 		for j, n := range n {
 			pi[j] = a[j][n]
 		}
-		for j := len(n) - 1; j >= 0; j-- {
+		for j := range slices.Backward(n) {
 			n[j]++
 			if n[j] < len(a[j]) {
 				break
--- a/act/common/cartesian_test.go
+++ b/act/common/cartesian_test.go
@@ -35,9 +35,9 @@ func TestCartesianProduct(t *testing.T) {
 		"baz": {false, true},
 	}
 	output = CartesianProduct(input)
-	assert.Len(output, 0) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(output)

 	input = map[string][]any{}
 	output = CartesianProduct(input)
-	assert.Len(output, 0) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(output)
 }
--- a/act/common/executor.go
+++ b/act/common/executor.go
@@ -117,7 +117,7 @@ func NewParallelExecutor(parallel int, executors ...Executor) Executor {
 					log.Debugf("Worker %d executing task %d", workerID, taskCount)
 					// Recover from panics in executors to avoid crashing the worker
 					// goroutine which would leave the runner process hung.
-					// https://gitea.com/gitea/act_runner/issues/371
+					// https://gitea.com/gitea/runner/issues/371
 					errs <- func() (err error) {
 						defer func() {
 							if r := recover(); r != nil {
--- a/act/common/executor_test.go
+++ b/act/common/executor_test.go
@@ -21,11 +21,11 @@ func TestNewWorkflow(t *testing.T) {

 	// empty
 	emptyWorkflow := NewPipelineExecutor()
-	assert.Nil(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act

 	// error case
 	errorWorkflow := NewErrorExecutor(errors.New("test error"))
-	assert.NotNil(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Error(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act

 	// multiple success case
 	runcount := 0
@@ -38,7 +38,7 @@ func TestNewWorkflow(t *testing.T) {
 			runcount++
 			return nil
 		})
-	assert.Nil(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(2, runcount)
 }

@@ -60,7 +60,7 @@ func TestNewConditionalExecutor(t *testing.T) {
 		return nil
 	})(ctx)

-	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(0, trueCount)
 	assert.Equal(1, falseCount)

@@ -74,7 +74,7 @@ func TestNewConditionalExecutor(t *testing.T) {
 		return nil
 	})(ctx)

-	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(1, trueCount)
 	assert.Equal(1, falseCount)
 }
@@ -105,7 +105,7 @@ func TestNewParallelExecutor(t *testing.T) {

 	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
 	assert.Equal(int32(2), maxCount.Load(), "should run at most 2 executors in parallel")
-	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// Reset to test running the executor with 0 parallelism
 	count.Store(0)
@@ -116,7 +116,7 @@ func TestNewParallelExecutor(t *testing.T) {

 	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
 	assert.Equal(int32(1), maxCount.Load(), "should run at most 1 executors in parallel")
-	assert.Nil(errSingle) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(errSingle)
 }

 func TestNewParallelExecutorFailed(t *testing.T) {
--- a/act/common/git/git.go
+++ b/act/common/git/git.go
@@ -15,7 +15,7 @@ import (
 	"strings"
 	"sync"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
@@ -32,12 +32,23 @@ var (
 	githubHTTPRegex     = regexp.MustCompile(`^https?://.*github.com.*/(.+)/(.+?)(?:.git)?$`)
 	githubSSHRegex      = regexp.MustCompile(`github.com[:/](.+)/(.+?)(?:.git)?$`)

-	cloneLock sync.Mutex
+	cloneLocks sync.Map // key: clone target directory; value: *sync.Mutex

 	ErrShortRef = errors.New("short SHA references are not supported")
 	ErrNoRepo   = errors.New("unable to find git repo")
 )

+// AcquireCloneLock returns an unlock function after locking the per-directory mutex for dir.
+// Only concurrent operations targeting the same directory are serialized; clones into different directories run in parallel.
+// Callers reading files inside dir (e.g. tarring a checked-out action into a job container) must hold this lock too,
+// otherwise a concurrent NewGitCloneExecutor on the same dir can mutate the worktree mid-read.
+func AcquireCloneLock(dir string) func() {
+	v, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+	mu := v.(*sync.Mutex)
+	mu.Lock()
+	return mu.Unlock
+}
+
 type Error struct {
 	err    error
 	commit string
@@ -277,6 +288,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input

 func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.PullOptions) {
 	fetchOptions.RefSpecs = []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"}
+	fetchOptions.Force = true
 	pullOptions.Force = true

 	if token != "" {
@@ -292,16 +304,13 @@ func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.Pu
 }

 // NewGitCloneExecutor creates an executor to clone git repos
-//
-//nolint:gocyclo // function handles many cases
 func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		logger.Infof("  \u2601  git clone '%s' # ref=%s", input.URL, input.Ref)
+		logger.Infof("git clone '%s' # ref=%s", input.URL, input.Ref)
 		logger.Debugf("  cloning %s to %s", input.URL, input.Dir)

-		cloneLock.Lock()
-		defer cloneLock.Unlock()
+		defer AcquireCloneLock(input.Dir)()

 		refName := plumbing.ReferenceName("refs/heads/" + input.Ref)
 		r, err := CloneIfRequired(ctx, refName, input, logger)
--- a/act/common/git/git_test.go
+++ b/act/common/git/git_test.go
@@ -10,8 +10,11 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
+	"sync"
 	"syscall"
 	"testing"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -220,6 +223,62 @@ func TestGitCloneExecutor(t *testing.T) {
 	}
 }

+func TestGitCloneExecutorNonFastForwardRef(t *testing.T) {
+	// Simulate the scenario where a remote ref (e.g. a GitHub PR head ref) changes
+	// non-fast-forward between two fetches. Before the fix, the fetch used Force=false,
+	// causing go-git to return ErrForceNeeded and short-circuit the checkout.
+
+	gitConfig()
+
+	// Create a bare "remote" repo with an initial commit on main and a feature branch.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+	// We need a working clone to push commits from.
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+	// Create a feature branch (simulates refs/pull/N/head).
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-1"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "feature"))
+
+	// First clone via the executor — should succeed and cache the repo.
+	cloneDir := t.TempDir()
+	clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: remoteDir,
+		Ref: "main",
+		Dir: cloneDir,
+	})
+	require.NoError(t, clone(context.Background()))
+
+	// Now force-push the feature branch to a non-fast-forward commit (simulates
+	// a PR rebase). This makes refs/heads/feature non-fast-forward.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "branch", "-D", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-rewritten"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "--force", "origin", "feature"))
+
+	// Also advance main so we can verify the clone picks up the new commit.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "second"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "main"))
+
+	// Second clone to the same directory — before the fix this returned ErrForceNeeded
+	// and left the working tree at the old commit.
+	err := clone(context.Background())
+	require.NoError(t, err, "fetch with non-fast-forward refs must not fail when Force=true")
+
+	// Verify the working tree was actually updated to the latest main commit.
+	out, err := exec.Command("git", "-C", cloneDir, "log", "--oneline", "-1", "--format=%s").Output()
+	require.NoError(t, err)
+	assert.Equal(t, "second", strings.TrimSpace(string(out)), "working tree should be at the latest commit")
+}
+
 func gitConfig() {
 	if os.Getenv("GITHUB_ACTIONS") == "true" {
 		var err error
@@ -246,3 +305,61 @@ func gitCmd(args ...string) error {
 	}
 	return nil
 }
+
+func TestAcquireCloneLock(t *testing.T) {
+	t.Run("same directory serializes", func(t *testing.T) {
+		dir := t.TempDir()
+
+		unlock1 := AcquireCloneLock(dir)
+
+		secondAcquired := make(chan struct{})
+		go func() {
+			unlock := AcquireCloneLock(dir)
+			close(secondAcquired)
+			unlock()
+		}()
+
+		select {
+		case <-secondAcquired:
+			t.Fatal("second acquire should block while first holds the lock")
+		case <-time.After(50 * time.Millisecond):
+		}
+
+		unlock1()
+
+		select {
+		case <-secondAcquired:
+		case <-time.After(time.Second):
+			t.Fatal("second acquire should proceed after first releases the lock")
+		}
+	})
+
+	t.Run("different directories do not block", func(t *testing.T) {
+		dirA := t.TempDir()
+		dirB := t.TempDir()
+
+		unlockA := AcquireCloneLock(dirA)
+		defer unlockA()
+
+		done := make(chan struct{})
+		go func() {
+			unlock := AcquireCloneLock(dirB)
+			unlock()
+			close(done)
+		}()
+
+		select {
+		case <-done:
+		case <-time.After(time.Second):
+			t.Fatal("acquire on a different directory must not block")
+		}
+	})
+
+	t.Run("same directory reuses the same mutex", func(t *testing.T) {
+		dir := t.TempDir()
+
+		v1, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		v2, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		require.Same(t, v1, v2)
+	})
+}
--- a/act/container/container_types.go
+++ b/act/container/container_types.go
@@ -6,13 +6,21 @@ package container

 import (
 	"context"
+	"fmt"
 	"io"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/docker/go-connections/nat"
 )

+// ExitCodeError reports a non-zero process exit code from a container command.
+type ExitCodeError int
+
+func (e ExitCodeError) Error() string {
+	return fmt.Sprintf("Process completed with exit code %d.", int(e))
+}
+
 // NewContainerInput the input for the New function
 type NewContainerInput struct {
 	Image          string
--- a/act/container/docker_auth.go
+++ b/act/container/docker_auth.go
@@ -8,34 +8,38 @@ package container

 import (
 	"context"
-	"strings"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

+	"github.com/distribution/reference"
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/credentials"
-	"github.com/docker/docker/api/types/registry"
+	"github.com/moby/moby/api/types/registry"
 )

 func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
 	logger := common.Logger(ctx)
-	config, err := config.Load(config.Dir())
+	// config.LoadDefaultConfigFile panics on nil io.Writer when the config
+	// file is malformed; use config.Load to route errors through the logger.
+	cfg, err := config.Load(config.Dir())
 	if err != nil {
 		logger.Warnf("Could not load docker config: %v", err)
 		return registry.AuthConfig{}, err
 	}
-
-	if !config.ContainsAuth() {
-		config.CredentialsStore = credentials.DetectDefaultStore(config.CredentialsStore)
+	if !cfg.ContainsAuth() {
+		cfg.CredentialsStore = credentials.DetectDefaultStore(cfg.CredentialsStore)
 	}

-	hostName := "index.docker.io"
-	index := strings.IndexRune(image, '/')
-	if index > -1 && (strings.ContainsAny(image[:index], ".:") || image[:index] == "localhost") {
-		hostName = image[:index]
+	registryKey := registryAuthConfigKey("docker.io")
+	if image != "" {
+		if registryRef, refErr := reference.ParseNormalizedNamed(image); refErr != nil {
+			logger.Warnf("Could not normalize image reference: %v", refErr)
+		} else {
+			registryKey = registryAuthConfigKey(reference.Domain(registryRef))
+		}
 	}

-	authConfig, err := config.GetAuthConfig(hostName)
+	authConfig, err := cfg.GetAuthConfig(registryKey)
 	if err != nil {
 		logger.Warnf("Could not get auth config from docker config: %v", err)
 		return registry.AuthConfig{}, err
@@ -46,17 +50,20 @@ func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfi

 func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
 	logger := common.Logger(ctx)
-	config, err := config.Load(config.Dir())
+	cfg, err := config.Load(config.Dir())
 	if err != nil {
 		logger.Warnf("Could not load docker config: %v", err)
 		return nil
 	}
-
-	if !config.ContainsAuth() {
-		config.CredentialsStore = credentials.DetectDefaultStore(config.CredentialsStore)
+	if !cfg.ContainsAuth() {
+		cfg.CredentialsStore = credentials.DetectDefaultStore(cfg.CredentialsStore)
 	}

-	creds, _ := config.GetAllCredentials()
+	creds, err := cfg.GetAllCredentials()
+	if err != nil {
+		logger.Warnf("Could not get docker auth configs: %v", err)
+		return nil
+	}
 	authConfigs := make(map[string]registry.AuthConfig, len(creds))
 	for k, v := range creds {
 		authConfigs[k] = registry.AuthConfig(v)
@@ -64,3 +71,10 @@ func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {

 	return authConfigs
 }
+
+func registryAuthConfigKey(domainName string) string {
+	if domainName == "docker.io" || domainName == "index.docker.io" {
+		return "https://index.docker.io/v1/"
+	}
+	return domainName
+}
--- a/act/container/docker_build.go
+++ b/act/container/docker_build.go
@@ -12,13 +12,14 @@ import (
 	"os"
 	"path/filepath"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/archive"
-	// github.com/docker/docker/builder/dockerignore is deprecated
-	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
+	"github.com/moby/moby/client"
 	"github.com/moby/patternmatcher"
+	"github.com/moby/patternmatcher/ignorefile"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // NewDockerBuildExecutor function to create a run executor for the container
@@ -26,9 +27,9 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		if input.Platform != "" {
-			logger.Infof("%sdocker build -t %s --platform %s %s", logPrefix, input.ImageTag, input.Platform, input.ContextDir)
+			logger.Infof("docker build -t %s --platform %s %s", input.ImageTag, input.Platform, input.ContextDir)
 		} else {
-			logger.Infof("%sdocker build -t %s %s", logPrefix, input.ImageTag, input.ContextDir)
+			logger.Infof("docker build -t %s %s", input.ImageTag, input.ContextDir)
 		}
 		if common.Dryrun(ctx) {
 			return nil
@@ -43,13 +44,19 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 		logger.Debugf("Building image from '%v'", input.ContextDir)

 		tags := []string{input.ImageTag}
-		options := types.ImageBuildOptions{
+		options := client.ImageBuildOptions{
 			Tags:        tags,
 			Remove:      true,
-			Platform:    input.Platform,
 			AuthConfigs: LoadDockerAuthConfigs(ctx),
 			Dockerfile:  input.Dockerfile,
 		}
+		platform, err := parsePlatform(input.Platform)
+		if err != nil {
+			return err
+		}
+		if platform != nil {
+			options.Platforms = []specs.Platform{*platform}
+		}
 		var buildContext io.ReadCloser
 		if input.BuildContext != nil {
 			buildContext = io.NopCloser(input.BuildContext)
@@ -77,7 +84,7 @@ func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (
 	common.Logger(ctx).Debugf("Creating archive for build context dir '%s' with relative dockerfile '%s'", contextDir, relDockerfile)

 	// And canonicalize dockerfile name to a platform-independent one
-	relDockerfile = archive.CanonicalTarNameForPath(relDockerfile)
+	relDockerfile = filepath.ToSlash(relDockerfile)

 	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
 	if err != nil && !os.IsNotExist(err) {
@@ -87,7 +94,7 @@ func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (

 	var excludes []string
 	if err == nil {
-		excludes, err = dockerignore.ReadAll(f) //nolint:staticcheck // pre-existing issue from nektos/act
+		excludes, err = ignorefile.ReadAll(f)
 		if err != nil {
 			return nil, err
 		}
@@ -107,9 +114,8 @@ func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (
 		includes = append(includes, ".dockerignore", relDockerfile)
 	}

-	compression := archive.Uncompressed
 	buildCtx, err := archive.TarWithOptions(contextDir, &archive.TarOptions{
-		Compression:     compression,
+		Compression:     compression.None,
 		ExcludePatterns: excludes,
 		IncludeFiles:    includes,
 	})
--- a/act/container/docker_cli.go
+++ b/act/container/docker_cli.go
--- a/act/container/docker_cli_test.go
+++ b/act/container/docker_cli_test.go
@@ -16,15 +16,18 @@ package container
 import (
 	"fmt"
 	"io"
+	"net/netip"
 	"os"
 	"runtime"
 	"strings"
 	"testing"
 	"time"

-	"github.com/docker/docker/api/types/container"
-	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/go-connections/nat"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/moby/moby/api/types/container"
+	networktypes "github.com/moby/moby/api/types/network"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 	"gotest.tools/v3/assert"
@@ -77,21 +80,21 @@ func setupRunFlags() (*pflag.FlagSet, *containerOptions) {
 	return flags, copts
 }

-func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig) {
+func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig) {
 	t.Helper()
-	config, hostConfig, _, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
+	config, hostConfig, networkingConfig, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
 	assert.NilError(t, err)
-	return config, hostConfig
+	return config, hostConfig, networkingConfig
 }

 func TestParseRunLinks(t *testing.T) {
-	if _, hostConfig := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
+	if _, hostConfig, _ := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
 		t.Fatalf("Error parsing links. Expected []string{\"a:b\"}, received: %v", hostConfig.Links)
 	}
-	if _, hostConfig := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
+	if _, hostConfig, _ := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
 		t.Fatalf("Error parsing links. Expected []string{\"a:b\", \"c:d\"}, received: %v", hostConfig.Links)
 	}
-	if _, hostConfig := mustParse(t, ""); len(hostConfig.Links) != 0 {
+	if _, hostConfig, _ := mustParse(t, ""); len(hostConfig.Links) != 0 {
 		t.Fatalf("Error parsing links. No link expected, received: %v", hostConfig.Links)
 	}
 }
@@ -140,7 +143,7 @@ func TestParseRunAttach(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.input, func(t *testing.T) {
-			config, _ := mustParse(t, tc.input)
+			config, _, _ := mustParse(t, tc.input)
 			assert.Equal(t, config.AttachStdin, tc.expected.AttachStdin)
 			assert.Equal(t, config.AttachStdout, tc.expected.AttachStdout)
 			assert.Equal(t, config.AttachStderr, tc.expected.AttachStderr)
@@ -194,11 +197,10 @@ func TestParseRunWithInvalidArgs(t *testing.T) {
 	}
 }

-//nolint:gocyclo // function handles many cases
-func TestParseWithVolumes(t *testing.T) {
+func TestParseWithVolumes(t *testing.T) { //nolint:gocyclo // verbatim copy from docker/cli tests
 	// A single volume
 	arr, tryit := setupPlatformVolume([]string{`/tmp`}, []string{`c:\tmp`})
-	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds != nil {
 		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[0]]; !exists {
 		t.Fatalf("Error parsing volume flags, %q is missing from volumes. Received %v", tryit, config.Volumes)
@@ -206,7 +208,7 @@ func TestParseWithVolumes(t *testing.T) {

 	// Two volumes
 	arr, tryit = setupPlatformVolume([]string{`/tmp`, `/var`}, []string{`c:\tmp`, `c:\var`})
-	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds != nil {
 		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[0]]; !exists {
 		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[0], config.Volumes)
@@ -216,13 +218,13 @@ func TestParseWithVolumes(t *testing.T) {

 	// A single bind mount
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`})
-	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
+	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
 		t.Fatalf("Error parsing volume flags, %q should mount-bind the path before the colon into the path after the colon. Received %v %v", arr[0], hostConfig.Binds, config.Volumes)
 	}

 	// Two bind mounts.
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/hostVar:/containerVar`}, []string{os.Getenv("ProgramData") + `:c:\ContainerPD`, os.Getenv("TEMP") + `:c:\containerTmp`})
-	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+	if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 	}

@@ -231,26 +233,26 @@ func TestParseWithVolumes(t *testing.T) {
 	arr, tryit = setupPlatformVolume(
 		[]string{`/hostTmp:/containerTmp:ro`, `/hostVar:/containerVar:rw`},
 		[]string{os.Getenv("TEMP") + `:c:\containerTmp:rw`, os.Getenv("ProgramData") + `:c:\ContainerPD:rw`})
-	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+	if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 	}

 	// Similar to previous test but with alternate modes which are only supported by Linux
 	if runtime.GOOS != "windows" {
 		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:ro,Z`, `/hostVar:/containerVar:rw,Z`}, []string{})
-		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 		}

 		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:Z`, `/hostVar:/containerVar:z`}, []string{})
-		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 		}
 	}

 	// One bind mount and one volume
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/containerVar`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`, `c:\containerTmp`})
-	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
+	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
 		t.Fatalf("Error parsing volume flags, %s and %s should only one and only one bind mount %s. Received %s", arr[0], arr[1], arr[0], hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[1]]; !exists {
 		t.Fatalf("Error parsing volume flags %s and %s. %s is missing from volumes. Received %v", arr[0], arr[1], arr[1], config.Volumes)
@@ -259,7 +261,7 @@ func TestParseWithVolumes(t *testing.T) {
 	// Root to non-c: drive letter (Windows specific)
 	if runtime.GOOS == "windows" {
 		arr, tryit = setupPlatformVolume([]string{}, []string{os.Getenv("SystemDrive") + `\:d:`})
-		if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
+		if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
 			t.Fatalf("Error parsing %s. Should have a single bind mount and no volumes", arr[0])
 		}
 	}
@@ -295,6 +297,36 @@ func compareRandomizedStrings(a, b, c, d string) error {
 	return errors.Errorf("strings don't match")
 }

+func mustNetworkPort(t *testing.T, value string) networktypes.Port {
+	t.Helper()
+
+	port, err := networktypes.ParsePort(value)
+	if err != nil {
+		t.Fatalf("failed to parse network port %q: %v", value, err)
+	}
+	return port
+}
+
+func mustAddr(t *testing.T, value string) netip.Addr {
+	t.Helper()
+
+	addr, err := netip.ParseAddr(value)
+	if err != nil {
+		t.Fatalf("failed to parse address %q: %v", value, err)
+	}
+	return addr
+}
+
+func mustAddrs(t *testing.T, values ...string) []netip.Addr {
+	t.Helper()
+
+	addrs := make([]netip.Addr, 0, len(values))
+	for _, value := range values {
+		addrs = append(addrs, mustAddr(t, value))
+	}
+	return addrs
+}
+
 // Simple parse with MacAddress validation
 func TestParseWithMacAddress(t *testing.T) {
 	invalidMacAddress := "--mac-address=invalidMacAddress"
@@ -302,9 +334,10 @@ func TestParseWithMacAddress(t *testing.T) {
 	if _, _, _, err := parseRun([]string{invalidMacAddress, "img", "cmd"}); err != nil && err.Error() != "invalidMacAddress is not a valid mac address" {
 		t.Fatalf("Expected an error with %v mac-address, got %v", invalidMacAddress, err)
 	}
-	if config, _ := mustParse(t, validMacAddress); config.MacAddress != "92:d0:c6:0a:29:33" { //nolint:staticcheck // pre-existing issue from nektos/act
-		t.Fatalf("Expected the config to have '92:d0:c6:0a:29:33' as MacAddress, got '%v'", config.MacAddress) //nolint:staticcheck // pre-existing issue from nektos/act
-	}
+	_, hostConfig, networkingConfig := mustParse(t, validMacAddress)
+	endpoint := networkingConfig.EndpointsConfig[string(hostConfig.NetworkMode)]
+	assert.Check(t, endpoint != nil)
+	assert.Equal(t, "92:d0:c6:0a:29:33", endpoint.MacAddress.String())
 }

 func TestRunFlagsParseWithMemory(t *testing.T) {
@@ -313,7 +346,7 @@ func TestRunFlagsParseWithMemory(t *testing.T) {
 	err := flags.Parse(args)
 	assert.ErrorContains(t, err, `invalid argument "invalid" for "-m, --memory" flag`)

-	_, hostconfig := mustParse(t, "--memory=1G")
+	_, hostconfig, _ := mustParse(t, "--memory=1G")
 	assert.Check(t, is.Equal(int64(1073741824), hostconfig.Memory))
 }

@@ -323,10 +356,10 @@ func TestParseWithMemorySwap(t *testing.T) {
 	err := flags.Parse(args)
 	assert.ErrorContains(t, err, `invalid argument "invalid" for "--memory-swap" flag`)

-	_, hostconfig := mustParse(t, "--memory-swap=1G")
+	_, hostconfig, _ := mustParse(t, "--memory-swap=1G")
 	assert.Check(t, is.Equal(int64(1073741824), hostconfig.MemorySwap))

-	_, hostconfig = mustParse(t, "--memory-swap=-1")
+	_, hostconfig, _ = mustParse(t, "--memory-swap=-1")
 	assert.Check(t, is.Equal(int64(-1), hostconfig.MemorySwap))
 }

@@ -341,14 +374,14 @@ func TestParseHostname(t *testing.T) {
 	hostnameWithDomain := "--hostname=hostname.domainname"
 	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
 	for hostname, expectedHostname := range validHostnames {
-		if config, _ := mustParse(t, "--hostname="+hostname); config.Hostname != expectedHostname {
+		if config, _, _ := mustParse(t, "--hostname="+hostname); config.Hostname != expectedHostname {
 			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
 		}
 	}
-	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+	if config, _, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
 		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
 	}
-	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+	if config, _, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
 		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
 	}
 }
@@ -362,26 +395,28 @@ func TestParseHostnameDomainname(t *testing.T) {
 		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
 	}
 	for domainname, expectedDomainname := range validDomainnames {
-		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+		if config, _, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
 			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
 		}
 	}
-	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+	if config, _, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
 		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
 	}
-	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+	if config, _, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
 		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
 	}
 }

 func TestParseWithExpose(t *testing.T) {
-	invalids := map[string]string{
-		":":                   "invalid port format for --expose: :",
-		"8080:9090":           "invalid port format for --expose: 8080:9090",
-		"NaN/tcp":             `invalid range format for --expose: NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
-		"NaN-NaN/tcp":         `invalid range format for --expose: NaN-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
-		"8080-NaN/tcp":        `invalid range format for --expose: 8080-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
-		"1234567890-8080/tcp": `invalid range format for --expose: 1234567890-8080/tcp, error: strconv.ParseUint: parsing "1234567890": value out of range`,
+	invalids := []string{
+		":",
+		"8080:9090",
+		"/tcp",
+		"/udp",
+		"NaN/tcp",
+		"NaN-NaN/tcp",
+		"8080-NaN/tcp",
+		"1234567890-8080/tcp",
 	}
 	valids := map[string][]nat.Port{
 		"8080/tcp":      {"8080/tcp"},
@@ -390,9 +425,9 @@ func TestParseWithExpose(t *testing.T) {
 		"8080-8080/udp": {"8080/udp"},
 		"8080-8082/tcp": {"8080/tcp", "8081/tcp", "8082/tcp"},
 	}
-	for expose, expectedError := range invalids {
-		if _, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"}); err == nil || err.Error() != expectedError {
-			t.Fatalf("Expected error '%v' with '--expose=%v', got '%v'", expectedError, expose, err)
+	for _, expose := range invalids {
+		if _, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"}); err == nil {
+			t.Fatalf("Expected error with '--expose=%v', got none", expose)
 		}
 	}
 	for expose, exposedPorts := range valids {
@@ -404,7 +439,7 @@ func TestParseWithExpose(t *testing.T) {
 			t.Fatalf("Expected %v exposed port, got %v", len(exposedPorts), len(config.ExposedPorts))
 		}
 		for _, port := range exposedPorts {
-			if _, ok := config.ExposedPorts[port]; !ok {
+			if _, ok := config.ExposedPorts[mustNetworkPort(t, string(port))]; !ok {
 				t.Fatalf("Expected %v, got %v", exposedPorts, config.ExposedPorts)
 			}
 		}
@@ -419,7 +454,7 @@ func TestParseWithExpose(t *testing.T) {
 	}
 	ports := []nat.Port{"80/tcp", "81/tcp"}
 	for _, port := range ports {
-		if _, ok := config.ExposedPorts[port]; !ok {
+		if _, ok := config.ExposedPorts[mustNetworkPort(t, string(port))]; !ok {
 			t.Fatalf("Expected %v, got %v", ports, config.ExposedPorts)
 		}
 	}
@@ -499,9 +534,9 @@ func TestParseNetworkConfig(t *testing.T) {
 			expected: map[string]*networktypes.EndpointSettings{
 				"net1": {
 					IPAMConfig: &networktypes.EndpointIPAMConfig{
-						IPv4Address:  "172.20.88.22",
-						IPv6Address:  "2001:db8::8822",
-						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+						IPv4Address:  mustAddr(t, "172.20.88.22"),
+						IPv6Address:  mustAddr(t, "2001:db8::8822"),
+						LinkLocalIPs: mustAddrs(t, "169.254.2.2", "fe80::169:254:2:2"),
 					},
 					Links:   []string{"foo:bar", "bar:baz"},
 					Aliases: []string{"web1", "web2"},
@@ -528,9 +563,9 @@ func TestParseNetworkConfig(t *testing.T) {
 				"net1": {
 					DriverOpts: map[string]string{"field1": "value1"},
 					IPAMConfig: &networktypes.EndpointIPAMConfig{
-						IPv4Address:  "172.20.88.22",
-						IPv6Address:  "2001:db8::8822",
-						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+						IPv4Address:  mustAddr(t, "172.20.88.22"),
+						IPv6Address:  mustAddr(t, "2001:db8::8822"),
+						LinkLocalIPs: mustAddrs(t, "169.254.2.2", "fe80::169:254:2:2"),
 					},
 					Links:   []string{"foo:bar", "bar:baz"},
 					Aliases: []string{"web1", "web2"},
@@ -539,8 +574,8 @@ func TestParseNetworkConfig(t *testing.T) {
 				"net3": {
 					DriverOpts: map[string]string{"field3": "value3"},
 					IPAMConfig: &networktypes.EndpointIPAMConfig{
-						IPv4Address: "172.20.88.22",
-						IPv6Address: "2001:db8::8822",
+						IPv4Address: mustAddr(t, "172.20.88.22"),
+						IPv6Address: mustAddr(t, "2001:db8::8822"),
 					},
 					Aliases: []string{"web3"},
 				},
@@ -557,8 +592,8 @@ func TestParseNetworkConfig(t *testing.T) {
 						"field2": "value2",
 					},
 					IPAMConfig: &networktypes.EndpointIPAMConfig{
-						IPv4Address: "172.20.88.22",
-						IPv6Address: "2001:db8::8822",
+						IPv4Address: mustAddr(t, "172.20.88.22"),
+						IPv6Address: mustAddr(t, "2001:db8::8822"),
 					},
 					Aliases: []string{"web1", "web2"},
 				},
@@ -611,7 +646,9 @@ func TestParseNetworkConfig(t *testing.T) {

 			assert.NilError(t, err)
 			assert.DeepEqual(t, hConfig.NetworkMode, tc.expectedCfg.NetworkMode)
-			assert.DeepEqual(t, nwConfig.EndpointsConfig, tc.expected)
+			if diff := cmp.Diff(tc.expected, nwConfig.EndpointsConfig, cmpopts.EquateComparable(netip.Addr{})); diff != "" {
+				t.Fatalf("unexpected endpoints (-want +got):\n%s", diff)
+			}
 		})
 	}
 }
@@ -632,7 +669,7 @@ func TestParseModes(t *testing.T) {
 	}

 	// uts ko
-	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"}) //nolint:dogsled // ignoring multiple returns in test helpers
+	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"}) //nolint:dogsled // verbatim copy from docker/cli tests
 	assert.ErrorContains(t, err, "--uts: invalid UTS mode")

 	// uts ok
@@ -692,10 +729,9 @@ func TestParseRestartPolicy(t *testing.T) {
 }

 func TestParseRestartPolicyAutoRemove(t *testing.T) {
-	expected := "Conflicting options: --restart and --rm"
-	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled // ignoring multiple returns in test helpers
-	if err == nil || err.Error() != expected {
-		t.Fatalf("Expected error %v, but got none", expected)
+	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled // verbatim copy from docker/cli tests
+	if err == nil {
+		t.Fatal("Expected error for conflicting --restart and --rm, but got none")
 	}
 }

@@ -753,7 +789,7 @@ func TestParseLoggingOpts(t *testing.T) {
 	}
 }

-func TestParseEnvfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
+func TestParseEnvfileVariables(t *testing.T) { //nolint:dupl // verbatim copy from docker/cli tests
 	e := "open nonexistent: no such file or directory"
 	if runtime.GOOS == "windows" {
 		e = "open nonexistent: The system cannot find the file specified."
@@ -796,7 +832,7 @@ func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
 	}

 	// UTF16 with BOM
-	e := "contains invalid utf8 bytes at line"
+	e := "invalid env file"
 	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
 		t.Fatalf("Expected an error with message '%s', got %v", e, err)
 	}
@@ -806,7 +842,7 @@ func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
 	}
 }

-func TestParseLabelfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
+func TestParseLabelfileVariables(t *testing.T) { //nolint:dupl // verbatim copy from docker/cli tests
 	e := "open nonexistent: no such file or directory"
 	if runtime.GOOS == "windows" {
 		e = "open nonexistent: The system cannot find the file specified."
--- a/act/container/docker_images.go
+++ b/act/container/docker_images.go
@@ -10,8 +10,8 @@ import (
 	"context"
 	"fmt"

-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
+	cerrdefs "github.com/containerd/errdefs"
+	"github.com/moby/moby/client"
 )

 // ImageExistsLocally returns a boolean indicating if an image with the
@@ -23,8 +23,8 @@ func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool,
 	}
 	defer cli.Close()

-	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
-	if client.IsErrNotFound(err) {
+	inspectImage, err := cli.ImageInspect(ctx, imageName)
+	if cerrdefs.IsNotFound(err) {
 		return false, nil
 	} else if err != nil {
 		return false, err
@@ -46,14 +46,14 @@ func RemoveImage(ctx context.Context, imageName string, force, pruneChildren boo
 	}
 	defer cli.Close()

-	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
-	if client.IsErrNotFound(err) {
+	inspectImage, err := cli.ImageInspect(ctx, imageName)
+	if cerrdefs.IsNotFound(err) {
 		return false, nil
 	} else if err != nil {
 		return false, err
 	}

-	if _, err = cli.ImageRemove(ctx, inspectImage.ID, types.ImageRemoveOptions{
+	if _, err = cli.ImageRemove(ctx, inspectImage.ID, client.ImageRemoveOptions{
 		Force:         force,
 		PruneChildren: pruneChildren,
 	}); err != nil {
--- a/act/container/docker_images_test.go
+++ b/act/container/docker_images_test.go
@@ -9,8 +9,8 @@ import (
 	"io"
 	"testing"

-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/client"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 )
@@ -29,43 +29,43 @@ func TestImageExistsLocally(t *testing.T) {

 	// Test if image exists with specific tag
 	invalidImageTag, err := ImageExistsLocally(ctx, "library/alpine:this-random-tag-will-never-exist", "linux/amd64")
-	assert.Nil(t, err)                      //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, false, invalidImageTag) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, invalidImageTag)

 	// Test if image exists with specific architecture (image platform)
 	invalidImagePlatform, err := ImageExistsLocally(ctx, "alpine:latest", "windows/amd64")
-	assert.Nil(t, err)                           //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, false, invalidImagePlatform) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, invalidImagePlatform)

 	// pull an image
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	cli.NegotiateAPIVersion(context.Background())
+	cli, err := client.New(client.FromEnv)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer cli.Close()

 	// Chose alpine latest because it's so small
 	// maybe we should build an image instead so that tests aren't reliable on dockerhub
-	readerDefault, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
-		Platform: "linux/amd64",
+	readerDefault, err := cli.ImagePull(ctx, "node:24-bookworm-slim", client.ImagePullOptions{
+		Platforms: []specs.Platform{{OS: "linux", Architecture: "amd64"}},
 	})
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	defer readerDefault.Close()
 	_, err = io.ReadAll(readerDefault)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

-	imageDefaultArchExists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/amd64")
-	assert.Nil(t, err)                            //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, true, imageDefaultArchExists) //nolint:testifylint // pre-existing issue from nektos/act
+	imageDefaultArchExists, err := ImageExistsLocally(ctx, "node:24-bookworm-slim", "linux/amd64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, imageDefaultArchExists)

 	// Validate if another architecture platform can be pulled
-	readerArm64, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
-		Platform: "linux/arm64",
+	readerArm64, err := cli.ImagePull(ctx, "node:24-bookworm-slim", client.ImagePullOptions{
+		Platforms: []specs.Platform{{OS: "linux", Architecture: "arm64"}},
 	})
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	defer readerArm64.Close()
 	_, err = io.ReadAll(readerArm64)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

-	imageArm64Exists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/arm64")
-	assert.Nil(t, err)                      //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, true, imageArm64Exists) //nolint:testifylint // pre-existing issue from nektos/act
+	imageArm64Exists, err := ImageExistsLocally(ctx, "node:24-bookworm-slim", "linux/arm64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, imageArm64Exists)
 }
--- a/act/container/docker_logger.go
+++ b/act/container/docker_logger.go
@@ -26,8 +26,6 @@ type dockerMessage struct {
 	Progress string `json:"progress"`
 }

-const logPrefix = "  \U0001F433  "
-
 func logDockerResponse(logger logrus.FieldLogger, dockerResponse io.ReadCloser, isError bool) error {
 	if dockerResponse == nil {
 		return nil
--- a/act/container/docker_network.go
+++ b/act/container/docker_network.go
@@ -9,9 +9,9 @@ package container
 import (
 	"context"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/docker/docker/api/types"
+	"github.com/moby/moby/client"
 )

 func NewDockerNetworkCreateExecutor(name string) common.Executor {
@@ -23,20 +23,20 @@ func NewDockerNetworkCreateExecutor(name string) common.Executor {
 		defer cli.Close()

 		// Only create the network if it doesn't exist
-		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		networks, err := cli.NetworkList(ctx, client.NetworkListOptions{})
 		if err != nil {
 			return err
 		}
 		// For Gitea, reduce log noise
 		// common.Logger(ctx).Debugf("%v", networks)
-		for _, network := range networks {
-			if network.Name == name {
+		for _, n := range networks.Items {
+			if n.Name == name {
 				common.Logger(ctx).Debugf("Network %v exists", name)
 				return nil
 			}
 		}

-		_, err = cli.NetworkCreate(ctx, name, types.NetworkCreate{
+		_, err = cli.NetworkCreate(ctx, name, client.NetworkCreateOptions{
 			Driver: "bridge",
 			Scope:  "local",
 		})
@@ -56,23 +56,23 @@ func NewDockerNetworkRemoveExecutor(name string) common.Executor {
 		}
 		defer cli.Close()

-		// Make shure that all network of the specified name are removed
+		// Make sure that all network of the specified name are removed
 		// cli.NetworkRemove refuses to remove a network if there are duplicates
-		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		networks, err := cli.NetworkList(ctx, client.NetworkListOptions{})
 		if err != nil {
 			return err
 		}
 		// For Gitea, reduce log noise
 		// common.Logger(ctx).Debugf("%v", networks)
-		for _, network := range networks {
-			if network.Name == name {
-				result, err := cli.NetworkInspect(ctx, network.ID, types.NetworkInspectOptions{})
+		for _, n := range networks.Items {
+			if n.Name == name {
+				result, err := cli.NetworkInspect(ctx, n.ID, client.NetworkInspectOptions{})
 				if err != nil {
 					return err
 				}

-				if len(result.Containers) == 0 {
-					if err = cli.NetworkRemove(ctx, network.ID); err != nil {
+				if len(result.Network.Containers) == 0 {
+					if _, err = cli.NetworkRemove(ctx, n.ID, client.NetworkRemoveOptions{}); err != nil {
 						common.Logger(ctx).Debugf("%v", err)
 					}
 				} else {
--- a/act/container/docker_platform.go
+++ b/act/container/docker_platform.go
@@ -0,0 +1,39 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2025 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"fmt"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// parsePlatform parses an "os/arch[/variant]" string into a Platform. An empty input
+// returns (nil, nil), meaning "no platform constraint". A non-empty but malformed
+// string is rejected explicitly so it cannot silently fall through to the daemon's
+// default architecture.
+func parsePlatform(platform string) (*specs.Platform, error) {
+	if platform == "" {
+		return nil, nil //nolint:nilnil // no platform constraint requested
+	}
+
+	parts := strings.Split(platform, "/")
+	if len(parts) < 2 || len(parts) > 3 || parts[0] == "" || parts[1] == "" || (len(parts) == 3 && parts[2] == "") {
+		return nil, fmt.Errorf("invalid platform %q: expected os/arch[/variant]", platform)
+	}
+
+	spec := &specs.Platform{
+		OS:           strings.ToLower(parts[0]),
+		Architecture: strings.ToLower(parts[1]),
+	}
+	if len(parts) == 3 {
+		spec.Variant = strings.ToLower(parts[2])
+	}
+
+	return spec, nil
+}
--- a/act/container/docker_platform_test.go
+++ b/act/container/docker_platform_test.go
@@ -0,0 +1,63 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParsePlatform(t *testing.T) {
+	t.Run("empty input returns nil platform without error", func(t *testing.T) {
+		got, err := parsePlatform("")
+		require.NoError(t, err)
+		assert.Nil(t, got)
+	})
+
+	t.Run("os/arch", func(t *testing.T) {
+		got, err := parsePlatform("linux/amd64")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "amd64", got.Architecture)
+		assert.Empty(t, got.Variant)
+	})
+
+	t.Run("os/arch/variant", func(t *testing.T) {
+		got, err := parsePlatform("linux/arm/v7")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "arm", got.Architecture)
+		assert.Equal(t, "v7", got.Variant)
+	})
+
+	t.Run("input is lowercased", func(t *testing.T) {
+		got, err := parsePlatform("Linux/AMD64/V8")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "amd64", got.Architecture)
+		assert.Equal(t, "v8", got.Variant)
+	})
+
+	for _, bad := range []string{
+		"amd64",
+		"linux",
+		"linux/",
+		"/amd64",
+		"/",
+		"//",
+		"linux/arm/",
+		"linux/arm/v7/extra",
+	} {
+		t.Run("rejects "+bad, func(t *testing.T) {
+			got, err := parsePlatform(bad)
+			require.Error(t, err)
+			assert.Nil(t, got)
+		})
+	}
+}
--- a/act/container/docker_pull.go
+++ b/act/container/docker_pull.go
@@ -8,23 +8,23 @@ package container

 import (
 	"context"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/registry"
+	"github.com/moby/moby/api/pkg/authconfig"
+	"github.com/moby/moby/api/types/registry"
+	"github.com/moby/moby/client"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )

 // NewDockerPullExecutor function to create a run executor for the container
 func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		logger.Debugf("%sdocker pull %v", logPrefix, input.Image)
+		logger.Debugf("docker pull %v", input.Image)

 		if common.Dryrun(ctx) {
 			return nil
@@ -78,26 +78,29 @@ func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
 	}
 }

-func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (types.ImagePullOptions, error) {
-	imagePullOptions := types.ImagePullOptions{
-		Platform: input.Platform,
+func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (client.ImagePullOptions, error) {
+	imagePullOptions := client.ImagePullOptions{}
+	platform, err := parsePlatform(input.Platform)
+	if err != nil {
+		return imagePullOptions, err
+	}
+	if platform != nil {
+		imagePullOptions.Platforms = []specs.Platform{*platform}
 	}
 	logger := common.Logger(ctx)

 	if input.Username != "" && input.Password != "" {
 		logger.Debugf("using authentication for docker pull")

-		authConfig := registry.AuthConfig{
+		encodedAuth, err := authconfig.Encode(registry.AuthConfig{
 			Username: input.Username,
 			Password: input.Password,
-		}
-
-		encodedJSON, err := json.Marshal(authConfig)
+		})
 		if err != nil {
 			return imagePullOptions, err
 		}

-		imagePullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
+		imagePullOptions.RegistryAuth = encodedAuth
 	} else {
 		authConfig, err := LoadDockerAuthConfig(ctx, input.Image)
 		if err != nil {
@@ -108,19 +111,17 @@ func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput)
 		}
 		logger.Info("using DockerAuthConfig authentication for docker pull")

-		encodedJSON, err := json.Marshal(authConfig)
+		imagePullOptions.RegistryAuth, err = authconfig.Encode(authConfig)
 		if err != nil {
 			return imagePullOptions, err
 		}
-
-		imagePullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
 	}

 	return imagePullOptions, nil
 }

-func cleanImage(ctx context.Context, image string) string {
-	ref, err := reference.ParseAnyReference(image)
+func cleanImage(ctx context.Context, imageName string) string {
+	ref, err := reference.ParseAnyReference(imageName)
 	if err != nil {
 		common.Logger(ctx).Error(err)
 		return ""
--- a/act/container/docker_pull_test.go
+++ b/act/container/docker_pull_test.go
@@ -43,7 +43,7 @@ func TestGetImagePullOptions(t *testing.T) {
 	config.SetDir("/non-existent/docker")

 	options, err := getImagePullOptions(ctx, NewDockerPullExecutorInput{})
-	assert.Nil(t, err, "Failed to create ImagePullOptions")                                                     //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, "Failed to create ImagePullOptions")                                                 //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, "", options.RegistryAuth, "RegistryAuth should be empty if no username or password is set") //nolint:testifylint // pre-existing issue from nektos/act

 	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
@@ -51,7 +51,7 @@ func TestGetImagePullOptions(t *testing.T) {
 		Username: "username",
 		Password: "password",
 	})
-	assert.Nil(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZCJ9", options.RegistryAuth, "Username and Password should be provided")

 	config.SetDir("testdata/docker-pull-options")
@@ -59,6 +59,6 @@ func TestGetImagePullOptions(t *testing.T) {
 	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
 		Image: "nektos/act",
 	})
-	assert.Nil(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZFxuIiwic2VydmVyYWRkcmVzcyI6Imh0dHBzOi8vaW5kZXguZG9ja2VyLmlvL3YxLyJ9", options.RegistryAuth, "RegistryAuth should be taken from local docker config")
 }
--- a/act/container/docker_run.go
+++ b/act/container/docker_run.go
@@ -20,25 +20,25 @@ import (
 	"strconv"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/filecollector"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/filecollector"

+	"dario.cat/mergo"
 	"github.com/Masterminds/semver"
 	"github.com/docker/cli/cli/compose/loader"
 	"github.com/docker/cli/cli/connhelper"
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/mount"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/client"
-	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
 	"github.com/gobwas/glob"
-	"github.com/imdario/mergo"
 	"github.com/joho/godotenv"
 	"github.com/kballard/go-shellquote"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/api/types/container"
+	"github.com/moby/moby/api/types/mount"
+	"github.com/moby/moby/api/types/network"
+	"github.com/moby/moby/api/types/system"
+	"github.com/moby/moby/client"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
 	"golang.org/x/term"
@@ -53,7 +53,7 @@ func NewContainer(input *NewContainerInput) ExecutionsEnvironment {

 func (cr *containerReference) ConnectToNetwork(name string) common.Executor {
 	return common.
-		NewDebugExecutor("%sdocker network connect %s %s", logPrefix, name, cr.input.Name).
+		NewDebugExecutor("docker network connect %s %s", name, cr.input.Name).
 		Then(
 			common.NewPipelineExecutor(
 				cr.connect(),
@@ -64,9 +64,13 @@ func (cr *containerReference) ConnectToNetwork(name string) common.Executor {

 func (cr *containerReference) connectToNetwork(name string, aliases []string) common.Executor {
 	return func(ctx context.Context) error {
-		return cr.cli.NetworkConnect(ctx, name, cr.input.Name, &network.EndpointSettings{
-			Aliases: aliases,
+		_, err := cr.cli.NetworkConnect(ctx, name, client.NetworkConnectOptions{
+			Container: cr.input.Name,
+			EndpointConfig: &network.EndpointSettings{
+				Aliases: aliases,
+			},
 		})
+		return err
 	}
 }

@@ -74,7 +78,7 @@ func (cr *containerReference) connectToNetwork(name string, aliases []string) co
 // API version is 1.41 and beyond
 func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) bool {
 	logger := common.Logger(ctx)
-	ver, err := cli.ServerVersion(ctx)
+	ver, err := cli.ServerVersion(ctx, client.ServerVersionOptions{})
 	if err != nil {
 		logger.Panicf("Failed to get Docker API Version: %s", err)
 		return false
@@ -90,7 +94,7 @@ func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) b

 func (cr *containerReference) Create(capAdd, capDrop []string) common.Executor {
 	return common.
-		NewInfoExecutor("%sdocker create image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
+		NewInfoExecutor("docker create image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
 		Then(
 			common.NewPipelineExecutor(
 				cr.connect(),
@@ -102,7 +106,7 @@ func (cr *containerReference) Create(capAdd, capDrop []string) common.Executor {

 func (cr *containerReference) Start(attach bool) common.Executor {
 	return common.
-		NewInfoExecutor("%sdocker run image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
+		NewInfoExecutor("docker run image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
 		Then(
 			common.NewPipelineExecutor(
 				cr.connect(),
@@ -125,7 +129,7 @@ func (cr *containerReference) Start(attach bool) common.Executor {

 func (cr *containerReference) Pull(forcePull bool) common.Executor {
 	return common.
-		NewInfoExecutor("%sdocker pull image=%s platform=%s username=%s forcePull=%t", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Username, forcePull).
+		NewInfoExecutor("docker pull image=%s platform=%s username=%s forcePull=%t", cr.input.Image, cr.input.Platform, cr.input.Username, forcePull).
 		Then(
 			NewDockerPullExecutor(NewDockerPullExecutorInput{
 				Image:     cr.input.Image,
@@ -147,7 +151,7 @@ func (cr *containerReference) Copy(destPath string, files ...*FileEntry) common.

 func (cr *containerReference) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
 	return common.NewPipelineExecutor(
-		common.NewInfoExecutor("%sdocker cp src=%s dst=%s", logPrefix, srcPath, destPath),
+		common.NewInfoExecutor("docker cp src=%s dst=%s", srcPath, destPath),
 		cr.copyDir(destPath, srcPath, useGitIgnore),
 		func(ctx context.Context) error {
 			// If this fails, then folders have wrong permissions on non root container
@@ -163,8 +167,11 @@ func (cr *containerReference) GetContainerArchive(ctx context.Context, srcPath s
 	if common.Dryrun(ctx) {
 		return nil, errors.New("DRYRUN is not supported in GetContainerArchive")
 	}
-	a, _, err := cr.cli.CopyFromContainer(ctx, cr.id, srcPath)
-	return a, err
+	result, err := cr.cli.CopyFromContainer(ctx, cr.id, client.CopyFromContainerOptions{SourcePath: srcPath})
+	if err != nil {
+		return nil, err
+	}
+	return result.Content, nil
 }

 func (cr *containerReference) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
@@ -177,7 +184,7 @@ func (cr *containerReference) UpdateFromImageEnv(env *map[string]string) common.

 func (cr *containerReference) Exec(command []string, env map[string]string, user, workdir string) common.Executor {
 	return common.NewPipelineExecutor(
-		common.NewInfoExecutor("%sdocker exec cmd=[%s] user=%s workdir=%s", logPrefix, strings.Join(command, " "), user, workdir),
+		common.NewInfoExecutor("docker exec cmd=[%s] user=%s workdir=%s", strings.Join(command, " "), user, workdir),
 		cr.connect(),
 		cr.find(),
 		cr.exec(command, env, user, workdir),
@@ -222,22 +229,27 @@ func GetDockerClient(ctx context.Context) (cli client.APIClient, err error) {
 		if err != nil {
 			return nil, err
 		}
-		cli, err = client.NewClientWithOpts(
+		cli, err = client.New(
 			client.WithHost(helper.Host),
 			client.WithDialContext(helper.Dialer),
 		)
 	} else {
-		cli, err = client.NewClientWithOpts(client.FromEnv)
+		cli, err = client.New(client.FromEnv)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to docker daemon: %w", err)
 	}
-	cli.NegotiateAPIVersion(ctx)
+	// Best-effort API version negotiation, matching the old client.NegotiateAPIVersion
+	// behaviour. Ping failures here are non-fatal: the connection is exercised again on
+	// the first real call, and the client falls back to the daemon's default API version.
+	if _, err := cli.Ping(ctx, client.PingOptions{NegotiateAPIVersion: true}); err != nil {
+		common.Logger(ctx).Warnf("docker daemon ping during version negotiation failed, continuing: %v", err)
+	}

 	return cli, nil
 }

-func GetHostInfo(ctx context.Context) (info types.Info, err error) { //nolint:staticcheck // pre-existing issue from nektos/act
+func GetHostInfo(ctx context.Context) (info system.Info, err error) {
 	var cli client.APIClient
 	cli, err = GetDockerClient(ctx)
 	if err != nil {
@@ -245,12 +257,12 @@ func GetHostInfo(ctx context.Context) (info types.Info, err error) { //nolint:st
 	}
 	defer cli.Close()

-	info, err = cli.Info(ctx)
+	result, err := cli.Info(ctx, client.InfoOptions{})
 	if err != nil {
 		return info, err
 	}

-	return info, nil
+	return result.Info, nil
 }

 // Arch fetches values from docker info and translates architecture to
@@ -307,14 +319,14 @@ func (cr *containerReference) find() common.Executor {
 		if cr.id != "" {
 			return nil
 		}
-		containers, err := cr.cli.ContainerList(ctx, types.ContainerListOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+		containers, err := cr.cli.ContainerList(ctx, client.ContainerListOptions{
 			All: true,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to list containers: %w", err)
 		}

-		for _, c := range containers {
+		for _, c := range containers.Items {
 			for _, name := range c.Names {
 				if name[1:] == cr.input.Name {
 					cr.id = c.ID
@@ -335,7 +347,7 @@ func (cr *containerReference) remove() common.Executor {
 		}

 		logger := common.Logger(ctx)
-		err := cr.cli.ContainerRemove(ctx, cr.id, types.ContainerRemoveOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+		_, err := cr.cli.ContainerRemove(ctx, cr.id, client.ContainerRemoveOptions{
 			RemoveVolumes: true,
 			Force:         true,
 		})
@@ -440,12 +452,20 @@ func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {
 		logger := common.Logger(ctx)
 		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
 		input := cr.input
+		exposedPorts, err := convertPortSet(input.ExposedPorts)
+		if err != nil {
+			return err
+		}
+		portBindings, err := convertPortMap(input.PortBindings)
+		if err != nil {
+			return err
+		}

 		config := &container.Config{
 			Image:        input.Image,
 			WorkingDir:   input.WorkingDir,
 			Env:          input.Env,
-			ExposedPorts: input.ExposedPorts,
+			ExposedPorts: exposedPorts,
 			Tty:          isTerminal,
 		}
 		// For Gitea, reduce log noise
@@ -470,15 +490,9 @@ func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {

 		var platSpecs *specs.Platform
 		if supportsContainerImagePlatform(ctx, cr.cli) && cr.input.Platform != "" {
-			desiredPlatform := strings.SplitN(cr.input.Platform, `/`, 2)
-
-			if len(desiredPlatform) != 2 {
-				return fmt.Errorf("incorrect container platform option '%s'", cr.input.Platform)
-			}
-
-			platSpecs = &specs.Platform{
-				Architecture: desiredPlatform[1],
-				OS:           desiredPlatform[0],
+			platSpecs, err = parsePlatform(cr.input.Platform)
+			if err != nil {
+				return err
 			}
 		}

@@ -490,13 +504,13 @@ func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {
 			NetworkMode:  container.NetworkMode(input.NetworkMode),
 			Privileged:   input.Privileged,
 			UsernsMode:   container.UsernsMode(input.UsernsMode),
-			PortBindings: input.PortBindings,
+			PortBindings: portBindings,
 			AutoRemove:   input.AutoRemove,
 		}
 		// For Gitea, reduce log noise
 		// logger.Debugf("Common container.HostConfig ==> %+v", hostConfig)

-		config, hostConfig, err := cr.mergeContainerConfigs(ctx, config, hostConfig)
+		config, hostConfig, err = cr.mergeContainerConfigs(ctx, config, hostConfig)
 		if err != nil {
 			return err
 		}
@@ -520,7 +534,13 @@ func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {
 			}
 		}

-		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, networkingConfig, platSpecs, input.Name)
+		resp, err := cr.cli.ContainerCreate(ctx, client.ContainerCreateOptions{
+			Config:           config,
+			HostConfig:       hostConfig,
+			NetworkingConfig: networkingConfig,
+			Platform:         platSpecs,
+			Name:             input.Name,
+		})
 		if err != nil {
 			return fmt.Errorf("failed to create container: '%w'", err)
 		}
@@ -538,7 +558,7 @@ func (cr *containerReference) extractFromImageEnv(env *map[string]string) common
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)

-		inspect, _, err := cr.cli.ImageInspectWithRaw(ctx, cr.input.Image)
+		inspect, err := cr.cli.ImageInspect(ctx, cr.input.Image)
 		if err != nil {
 			logger.Error(err)
 			return fmt.Errorf("inspect image: %w", err)
@@ -602,12 +622,12 @@ func (cr *containerReference) exec(cmd []string, env map[string]string, user, wo
 		}
 		logger.Debugf("Working directory '%s'", wd)

-		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
+		idResp, err := cr.cli.ExecCreate(ctx, cr.id, client.ExecCreateOptions{
 			User:         user,
 			Cmd:          cmd,
 			WorkingDir:   wd,
 			Env:          envList,
-			Tty:          isTerminal,
+			TTY:          isTerminal,
 			AttachStderr: true,
 			AttachStdout: true,
 		})
@@ -615,38 +635,34 @@ func (cr *containerReference) exec(cmd []string, env map[string]string, user, wo
 			return fmt.Errorf("failed to create exec: %w", err)
 		}

-		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{
-			Tty: isTerminal,
+		resp, err := cr.cli.ExecAttach(ctx, idResp.ID, client.ExecAttachOptions{
+			TTY: isTerminal,
 		})
 		if err != nil {
 			return fmt.Errorf("failed to attach to exec: %w", err)
 		}
 		defer resp.Close()

-		err = cr.waitForCommand(ctx, isTerminal, resp, idResp, user, workdir)
+		err = cr.waitForCommand(ctx, isTerminal, resp.HijackedResponse, idResp, user, workdir)
 		if err != nil {
 			return err
 		}

-		inspectResp, err := cr.cli.ContainerExecInspect(ctx, idResp.ID)
+		inspectResp, err := cr.cli.ExecInspect(ctx, idResp.ID, client.ExecInspectOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to inspect exec: %w", err)
 		}

-		switch inspectResp.ExitCode {
-		case 0:
+		if inspectResp.ExitCode == 0 {
 			return nil
-		case 127:
-			return fmt.Errorf("exitcode '%d': command not found, please refer to https://github.com/nektos/act/issues/107 for more information", inspectResp.ExitCode)
-		default:
-			return fmt.Errorf("exitcode '%d': failure", inspectResp.ExitCode)
 		}
+		return ExitCodeError(inspectResp.ExitCode)
 	}
 }

 func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Executor {
 	return func(ctx context.Context) error {
-		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
+		idResp, err := cr.cli.ExecCreate(ctx, cr.id, client.ExecCreateOptions{
 			Cmd:          []string{"id", opt},
 			AttachStdout: true,
 			AttachStderr: true,
@@ -655,7 +671,7 @@ func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Exe
 			return nil
 		}

-		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{})
+		resp, err := cr.cli.ExecAttach(ctx, idResp.ID, client.ExecAttachOptions{})
 		if err != nil {
 			return nil
 		}
@@ -685,7 +701,7 @@ func (cr *containerReference) tryReadGID() common.Executor {
 	return cr.tryReadID("-g", func(id int) { cr.GID = id })
 }

-func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, _ types.IDResponse, _, _ string) error {
+func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp client.HijackedResponse, _ client.ExecCreateResult, _, _ string) error {
 	logger := common.Logger(ctx)

 	cmdResponse := make(chan error)
@@ -740,12 +756,18 @@ func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string
 		Typeflag: tar.TypeDir,
 	})
 	tw.Close()
-	err := cr.cli.CopyToContainer(ctx, cr.id, "/", buf, types.CopyToContainerOptions{})
+	_, err := cr.cli.CopyToContainer(ctx, cr.id, client.CopyToContainerOptions{
+		DestinationPath: "/",
+		Content:         buf,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to mkdir to copy content to container: %w", err)
 	}
 	// Copy Content
-	err = cr.cli.CopyToContainer(ctx, cr.id, destPath, tarStream, types.CopyToContainerOptions{})
+	_, err = cr.cli.CopyToContainer(ctx, cr.id, client.CopyToContainerOptions{
+		DestinationPath: destPath,
+		Content:         tarStream,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to copy content to container: %w", err)
 	}
@@ -819,7 +841,10 @@ func (cr *containerReference) copyDir(dstPath, srcPath string, useGitIgnore bool
 		if err != nil {
 			return fmt.Errorf("failed to seek tar archive: %w", err)
 		}
-		err = cr.cli.CopyToContainer(ctx, cr.id, "/", tarFile, types.CopyToContainerOptions{})
+		_, err = cr.cli.CopyToContainer(ctx, cr.id, client.CopyToContainerOptions{
+			DestinationPath: "/",
+			Content:         tarFile,
+		})
 		if err != nil {
 			return fmt.Errorf("failed to copy content to container: %w", err)
 		}
@@ -853,7 +878,10 @@ func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) c
 		}

 		logger.Debugf("Extracting content to '%s'", dstPath)
-		err := cr.cli.CopyToContainer(ctx, cr.id, dstPath, &buf, types.CopyToContainerOptions{})
+		_, err := cr.cli.CopyToContainer(ctx, cr.id, client.CopyToContainerOptions{
+			DestinationPath: dstPath,
+			Content:         &buf,
+		})
 		if err != nil {
 			return fmt.Errorf("failed to copy content to container: %w", err)
 		}
@@ -863,7 +891,7 @@ func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) c

 func (cr *containerReference) attach() common.Executor {
 	return func(ctx context.Context) error {
-		out, err := cr.cli.ContainerAttach(ctx, cr.id, types.ContainerAttachOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+		out, err := cr.cli.ContainerAttach(ctx, cr.id, client.ContainerAttachOptions{
 			Stream: true,
 			Stdout: true,
 			Stderr: true,
@@ -901,7 +929,7 @@ func (cr *containerReference) start() common.Executor {
 		logger := common.Logger(ctx)
 		logger.Debugf("Starting container: %v", cr.id)

-		if err := cr.cli.ContainerStart(ctx, cr.id, types.ContainerStartOptions{}); err != nil { //nolint:staticcheck // pre-existing issue from nektos/act
+		if _, err := cr.cli.ContainerStart(ctx, cr.id, client.ContainerStartOptions{}); err != nil {
 			return fmt.Errorf("failed to start container: %w", err)
 		}

@@ -913,14 +941,16 @@ func (cr *containerReference) start() common.Executor {
 func (cr *containerReference) wait() common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		statusCh, errCh := cr.cli.ContainerWait(ctx, cr.id, container.WaitConditionNotRunning)
+		waitResult := cr.cli.ContainerWait(ctx, cr.id, client.ContainerWaitOptions{
+			Condition: container.WaitConditionNotRunning,
+		})
 		var statusCode int64
 		select {
-		case err := <-errCh:
+		case err := <-waitResult.Error:
 			if err != nil {
 				return fmt.Errorf("failed to wait for container: %w", err)
 			}
-		case status := <-statusCh:
+		case status := <-waitResult.Result:
 			statusCode = status.StatusCode
 		}

@@ -930,7 +960,7 @@ func (cr *containerReference) wait() common.Executor {
 			return nil
 		}

-		return fmt.Errorf("exit with `FAILURE`: %v", statusCode)
+		return ExitCodeError(statusCode)
 	}
 }

--- a/act/container/docker_run_test.go
+++ b/act/container/docker_run_test.go
@@ -15,20 +15,25 @@ import (
 	"testing"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
+	"github.com/moby/moby/api/types/container"
+	mobyclient "github.com/moby/moby/client"
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 )

 func TestDocker(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
 	ctx := context.Background()
 	client, err := GetDockerClient(ctx)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	if err != nil {
+		t.Skipf("skipping integration test: %v", err)
+	}
 	defer client.Close()

 	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
@@ -66,28 +71,33 @@ func TestDocker(t *testing.T) {
 }

 type mockDockerClient struct {
-	client.APIClient
+	mobyclient.APIClient
 	mock.Mock
 }

-func (m *mockDockerClient) ContainerExecCreate(ctx context.Context, id string, opts types.ExecConfig) (types.IDResponse, error) {
+func (m *mockDockerClient) ExecCreate(ctx context.Context, id string, opts mobyclient.ExecCreateOptions) (mobyclient.ExecCreateResult, error) {
 	args := m.Called(ctx, id, opts)
-	return args.Get(0).(types.IDResponse), args.Error(1)
+	return args.Get(0).(mobyclient.ExecCreateResult), args.Error(1)
 }

-func (m *mockDockerClient) ContainerExecAttach(ctx context.Context, id string, opts types.ExecStartCheck) (types.HijackedResponse, error) {
+func (m *mockDockerClient) ExecAttach(ctx context.Context, id string, opts mobyclient.ExecAttachOptions) (mobyclient.ExecAttachResult, error) {
 	args := m.Called(ctx, id, opts)
-	return args.Get(0).(types.HijackedResponse), args.Error(1)
+	return args.Get(0).(mobyclient.ExecAttachResult), args.Error(1)
 }

-func (m *mockDockerClient) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
-	args := m.Called(ctx, execID)
-	return args.Get(0).(types.ContainerExecInspect), args.Error(1)
+func (m *mockDockerClient) ExecInspect(ctx context.Context, execID string, opts mobyclient.ExecInspectOptions) (mobyclient.ExecInspectResult, error) {
+	args := m.Called(ctx, execID, opts)
+	return args.Get(0).(mobyclient.ExecInspectResult), args.Error(1)
 }

-func (m *mockDockerClient) CopyToContainer(ctx context.Context, id, path string, content io.Reader, options types.CopyToContainerOptions) error {
-	args := m.Called(ctx, id, path, content, options)
-	return args.Error(0)
+func (m *mockDockerClient) ContainerWait(ctx context.Context, containerID string, opts mobyclient.ContainerWaitOptions) mobyclient.ContainerWaitResult {
+	args := m.Called(ctx, containerID, opts)
+	return args.Get(0).(mobyclient.ContainerWaitResult)
+}
+
+func (m *mockDockerClient) CopyToContainer(ctx context.Context, id string, options mobyclient.CopyToContainerOptions) (mobyclient.CopyToContainerResult, error) {
+	args := m.Called(ctx, id, options)
+	return args.Get(0).(mobyclient.CopyToContainerResult), args.Error(1)
 }

 type endlessReader struct {
@@ -119,10 +129,12 @@ func TestDockerExecAbort(t *testing.T) {
 	conn.On("Write", mock.AnythingOfType("[]uint8")).Return(1, nil)

 	client := &mockDockerClient{}
-	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
-	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
-		Conn:   conn,
-		Reader: bufio.NewReader(endlessReader{}),
+	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
+	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
+		HijackedResponse: mobyclient.HijackedResponse{
+			Conn:   conn,
+			Reader: bufio.NewReader(endlessReader{}),
+		},
 	}, nil)

 	cr := &containerReference{
@@ -156,12 +168,14 @@ func TestDockerExecFailure(t *testing.T) {
 	conn := &mockConn{}

 	client := &mockDockerClient{}
-	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
-	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
-		Conn:   conn,
-		Reader: bufio.NewReader(strings.NewReader("output")),
+	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
+	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
+		HijackedResponse: mobyclient.HijackedResponse{
+			Conn:   conn,
+			Reader: bufio.NewReader(strings.NewReader("output")),
+		},
 	}, nil)
-	client.On("ContainerExecInspect", ctx, "id").Return(types.ContainerExecInspect{
+	client.On("ExecInspect", ctx, "id", mobyclient.ExecInspectOptions{}).Return(mobyclient.ExecInspectResult{
 		ExitCode: 1,
 	}, nil)

@@ -174,20 +188,56 @@ func TestDockerExecFailure(t *testing.T) {
 	}

 	err := cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
-	assert.Error(t, err, "exit with `FAILURE`: 1") //nolint:testifylint // pre-existing issue from nektos/act
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(1), exitErr)
+	assert.Equal(t, "Process completed with exit code 1.", err.Error())

 	conn.AssertExpectations(t)
 	client.AssertExpectations(t)
 }

+func TestDockerWaitFailure(t *testing.T) {
+	ctx := context.Background()
+
+	statusCh := make(chan container.WaitResponse, 1)
+	statusCh <- container.WaitResponse{StatusCode: 2}
+	errCh := make(chan error, 1)
+
+	client := &mockDockerClient{}
+	client.On("ContainerWait", ctx, "123", mobyclient.ContainerWaitOptions{Condition: container.WaitConditionNotRunning}).
+		Return(mobyclient.ContainerWaitResult{
+			Result: (<-chan container.WaitResponse)(statusCh),
+			Error:  (<-chan error)(errCh),
+		})
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.wait()(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(2), exitErr)
+	assert.Equal(t, "Process completed with exit code 2.", err.Error())
+
+	client.AssertExpectations(t)
+}
+
 func TestDockerCopyTarStream(t *testing.T) {
 	ctx := context.Background()

-	conn := &mockConn{}
-
 	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
-	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
 	cr := &containerReference{
 		id:  "123",
 		cli: client,
@@ -198,20 +248,18 @@ func TestDockerCopyTarStream(t *testing.T) {

 	_ = cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})

-	conn.AssertExpectations(t)
 	client.AssertExpectations(t)
 }

 func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
 	ctx := context.Background()

-	conn := &mockConn{}
-
 	merr := errors.New("Failure")

 	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
-	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, merr)
 	cr := &containerReference{
 		id:  "123",
 		cli: client,
@@ -223,20 +271,21 @@ func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
 	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
 	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act

-	conn.AssertExpectations(t)
 	client.AssertExpectations(t)
 }

 func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
 	ctx := context.Background()

-	conn := &mockConn{}
-
 	merr := errors.New("Failure")

 	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
-	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, merr)
 	cr := &containerReference{
 		id:  "123",
 		cli: client,
@@ -248,7 +297,6 @@ func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
 	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
 	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act

-	conn.AssertExpectations(t)
 	client.AssertExpectations(t)
 }

--- a/act/container/docker_socket_test.go
+++ b/act/container/docker_socket_test.go
@@ -29,7 +29,7 @@ func TestGetSocketAndHostWithSocket(t *testing.T) {
 	ret, err := GetSocketAndHost(socketURI)

 	// Assert
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{socketURI, dockerHost}, ret)
 }

@@ -42,7 +42,7 @@ func TestGetSocketAndHostNoSocket(t *testing.T) {
 	ret, err := GetSocketAndHost("")

 	// Assert
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{dockerHost, dockerHost}, ret)
 }

@@ -57,8 +57,8 @@ func TestGetSocketAndHostOnlySocket(t *testing.T) {
 	ret, err := GetSocketAndHost(socketURI)

 	// Assert
-	assert.NoError(t, err, "Expected no error from GetSocketAndHost")            //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, true, defaultSocketFound, "Expected to find default socket") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, defaultSocketFound, "Expected to find default socket")
 	assert.Equal(t, socketURI, ret.Socket, "Expected socket to match common location")
 	assert.Equal(t, defaultSocket, ret.Host, "Expected ret.Host to match default socket location")
 }
@@ -73,7 +73,7 @@ func TestGetSocketAndHostDontMount(t *testing.T) {
 	ret, err := GetSocketAndHost("-")

 	// Assert
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{"-", dockerHost}, ret)
 }

@@ -87,8 +87,8 @@ func TestGetSocketAndHostNoHostNoSocket(t *testing.T) {
 	ret, err := GetSocketAndHost("")

 	// Assert
-	assert.Equal(t, true, found, "Expected a default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Nil(t, err, "Expected no error from GetSocketAndHost")         //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, found, "Expected a default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{defaultSocket, defaultSocket}, ret, "Expected to match default socket location")
 }

@@ -112,8 +112,8 @@ func TestGetSocketAndHostNoHostNoSocketDefaultLocation(t *testing.T) {

 	// Assert
 	assert.Equal(t, unixSocket, defaultSocket, "Expected default socket to match common socket location")
-	assert.Equal(t, true, found, "Expected default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Nil(t, err, "Expected no error from GetSocketAndHost")       //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, found, "Expected default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{unixSocket, unixSocket}, ret, "Expected to match default socket location")
 }

@@ -128,7 +128,7 @@ func TestGetSocketAndHostNoHostInvalidSocket(t *testing.T) {
 	ret, err := GetSocketAndHost(mySocket)

 	// Assert
-	assert.Equal(t, false, found, "Expected no default socket to be found")      //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, found, "Expected no default socket to be found")
 	assert.Equal(t, "", defaultSocket, "Expected no default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{}, ret, "Expected to match default socket location")
 	assert.Error(t, err, "Expected an error in invalid state")
@@ -147,8 +147,8 @@ func TestGetSocketAndHostOnlySocketValidButUnusualLocation(t *testing.T) {
 	// Assert
 	// Default socket locations
 	assert.Equal(t, "", defaultSocket, "Expect default socket location to be empty") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, false, found, "Expected no default socket to be found")          //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, found, "Expected no default socket to be found")
 	// Sane default
-	assert.Nil(t, err, "Expect no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, "Expect no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, socketURI, ret.Host, "Expect host to default to unusual socket")
 }
--- a/act/container/docker_stub.go
+++ b/act/container/docker_stub.go
@@ -10,9 +10,9 @@ import (
 	"context"
 	"runtime"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/docker/docker/api/types"
+	"github.com/moby/moby/api/types/system"
 	"github.com/pkg/errors"
 )

@@ -51,8 +51,8 @@ func RunnerArch(ctx context.Context) string {
 	return runtime.GOOS
 }

-func GetHostInfo(ctx context.Context) (info types.Info, err error) {
-	return types.Info{}, nil
+func GetHostInfo(ctx context.Context) (info system.Info, err error) {
+	return system.Info{}, nil
 }

 func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
--- a/act/container/docker_volume.go
+++ b/act/container/docker_volume.go
@@ -9,10 +9,9 @@ package container
 import (
 	"context"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/volume"
+	"github.com/moby/moby/client"
 )

 func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executor {
@@ -23,12 +22,12 @@ func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executo
 		}
 		defer cli.Close()

-		list, err := cli.VolumeList(ctx, volume.ListOptions{Filters: filters.NewArgs()})
+		list, err := cli.VolumeList(ctx, client.VolumeListOptions{})
 		if err != nil {
 			return err
 		}

-		for _, vol := range list.Volumes {
+		for _, vol := range list.Items {
 			if vol.Name == volumeName {
 				return removeExecutor(volumeName, force)(ctx)
 			}
@@ -42,7 +41,7 @@ func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executo
 func removeExecutor(volume string, force bool) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		logger.Debugf("%sdocker volume rm %s", logPrefix, volume)
+		logger.Debugf("docker volume rm %s", volume)

 		if common.Dryrun(ctx) {
 			return nil
@@ -54,6 +53,7 @@ func removeExecutor(volume string, force bool) common.Executor {
 		}
 		defer cli.Close()

-		return cli.VolumeRemove(ctx, volume, force)
+		_, err = cli.VolumeRemove(ctx, volume, client.VolumeRemoveOptions{Force: force})
+		return err
 	}
 }
--- a/act/container/host_environment.go
+++ b/act/container/host_environment.go
@@ -16,12 +16,14 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
+	"sync"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/filecollector"
-	"gitea.com/gitea/act_runner/act/lookpath"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/filecollector"
+	"gitea.com/gitea/runner/act/lookpath"

 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
@@ -34,9 +36,15 @@ type HostEnvironment struct {
 	TmpDir    string
 	ToolCache string
 	Workdir   string
-	ActPath   string
-	CleanUp   func()
-	StdOut    io.Writer
+	// BindWorkdir is true when the app runner mounts the workspace on the host and
+	// deletes the task directory after the job; host teardown must not remove Workdir.
+	BindWorkdir bool
+	ActPath     string
+	CleanUp     func()
+	StdOut      io.Writer
+
+	mu          sync.Mutex
+	runningPIDs map[int]struct{}
 }

 func (e *HostEnvironment) Create(_, _ []string) common.Executor {
@@ -344,8 +352,30 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 	if ppty != nil {
 		go writeKeepAlive(ppty)
 	}
-	err = cmd.Run()
+	// Split Start/Wait so the PID can be registered before the process can exit;
+	// cmd.Run() would block until exit, by which time the PID may have been reused.
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	if cmd.Process != nil {
+		e.mu.Lock()
+		if e.runningPIDs == nil {
+			e.runningPIDs = map[int]struct{}{}
+		}
+		e.runningPIDs[cmd.Process.Pid] = struct{}{}
+		e.mu.Unlock()
+		defer func(pid int) {
+			e.mu.Lock()
+			delete(e.runningPIDs, pid)
+			e.mu.Unlock()
+		}(cmd.Process.Pid)
+	}
+	err = cmd.Wait()
 	if err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			return ExitCodeError(exitErr.ExitCode())
+		}
 		return err
 	}
 	if tty != nil {
@@ -385,12 +415,83 @@ func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string)
 	return parseEnvFile(e, srcPath, env)
 }

+func removePathWithRetry(ctx context.Context, path string) error {
+	if path == "" {
+		return nil
+	}
+	attempts := 1
+	delay := time.Duration(0)
+	if runtime.GOOS == "windows" {
+		attempts = 5
+		delay = 200 * time.Millisecond
+	}
+	var lastErr error
+	for i := 0; i < attempts; i++ {
+		if i > 0 {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case <-time.After(delay):
+			}
+		}
+		lastErr = os.RemoveAll(path)
+		if lastErr == nil {
+			return nil
+		}
+	}
+	return lastErr
+}
+
+func (e *HostEnvironment) terminateRunningProcesses(ctx context.Context) {
+	if runtime.GOOS != "windows" {
+		return
+	}
+	e.mu.Lock()
+	pids := make([]int, 0, len(e.runningPIDs))
+	for pid := range e.runningPIDs {
+		pids = append(pids, pid)
+	}
+	e.mu.Unlock()
+
+	if len(pids) == 0 {
+		return
+	}
+
+	logger := common.Logger(ctx)
+	for _, pid := range pids {
+		// Best-effort: forcibly terminate process tree to release file handles
+		// so that workspace cleanup can succeed on Windows.
+		cmd := exec.CommandContext(ctx, "taskkill", "/PID", strconv.Itoa(pid), "/T", "/F")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			logger.Debugf("taskkill failed for pid=%d: %v output=%s", pid, err, strings.TrimSpace(string(out)))
+		}
+	}
+}
+
 func (e *HostEnvironment) Remove() common.Executor {
 	return func(ctx context.Context) error {
+		// Ensure any lingering child processes are ended before attempting
+		// to remove the workspace (Windows file locks otherwise prevent cleanup).
+		e.terminateRunningProcesses(ctx)
+
+		// Only removes per-job misc state. Must not remove the cache/toolcache root.
 		if e.CleanUp != nil {
 			e.CleanUp()
 		}
-		return os.RemoveAll(e.Path)
+		logger := common.Logger(ctx)
+		var errs []error
+		if err := removePathWithRetry(ctx, e.Path); err != nil {
+			logger.Warnf("failed to remove host misc state %s: %v", e.Path, err)
+			errs = append(errs, err)
+		}
+		if !e.BindWorkdir && e.Workdir != "" {
+			if err := removePathWithRetry(ctx, e.Workdir); err != nil {
+				logger.Warnf("failed to remove host workspace %s: %v", e.Workdir, err)
+				errs = append(errs, err)
+			}
+		}
+		return errors.Join(errs...)
 	}
 }

--- a/act/container/host_environment_test.go
+++ b/act/container/host_environment_test.go
@@ -11,9 +11,14 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"runtime"
 	"testing"

+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 // Type assert HostEnvironment implements ExecutionsEnvironment
@@ -69,3 +74,76 @@ func TestGetContainerArchive(t *testing.T) {
 	_, err = reader.Next()
 	assert.ErrorIs(t, err, io.EOF)
 }
+
+func TestHostEnvironmentExecExitCode(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("uses POSIX shell")
+	}
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    io.Discard,
+		Workdir:   filepath.Join(dir, "path"),
+	}
+	for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
+		assert.NoError(t, os.MkdirAll(p, 0o700)) //nolint:testifylint // test setup
+	}
+
+	err := e.Exec([]string{"sh", "-c", "exit 3"}, map[string]string{"PATH": os.Getenv("PATH")}, "", "")(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(3), exitErr)
+	assert.Equal(t, "Process completed with exit code 3.", err.Error())
+}
+
+func TestHostEnvironmentRemoveCleansWorkdir(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:        path,
+		Workdir:     workdir,
+		BindWorkdir: false,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	assert.ErrorIs(t, err, os.ErrNotExist)
+}
+
+func TestHostEnvironmentRemoveSkipsWorkdirWhenBindWorkdir(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "123", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:        path,
+		Workdir:     workdir,
+		BindWorkdir: true,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	require.NoError(t, err)
+}
--- a/act/container/parse_env_file.go
+++ b/act/container/parse_env_file.go
@@ -12,7 +12,7 @@ import (
 	"io"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"
 )

 func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Executor {
--- a/act/exprparser/functions.go
+++ b/act/exprparser/functions.go
@@ -18,7 +18,7 @@ import (
 	"strconv"
 	"strings"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
 	"github.com/rhysd/actionlint"
--- a/act/exprparser/functions_test.go
+++ b/act/exprparser/functions_test.go
@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"testing"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 )
@@ -43,7 +43,7 @@ func TestFunctionContains(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -72,7 +72,7 @@ func TestFunctionStartsWith(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -101,7 +101,7 @@ func TestFunctionEndsWith(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -128,7 +128,7 @@ func TestFunctionJoin(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -154,7 +154,7 @@ func TestFunctionToJSON(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -177,7 +177,7 @@ func TestFunctionFromJSON(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -205,9 +205,9 @@ func TestFunctionHashFiles(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			workdir, err := filepath.Abs("testdata")
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			output, err := NewInterpeter(env, Config{WorkingDir: workdir}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -248,7 +248,7 @@ func TestFunctionFormat(t *testing.T) {
 			if tt.error != nil {
 				assert.Equal(t, tt.error, err.Error())
 			} else {
-				assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 				assert.Equal(t, tt.expected, output)
 			}
 		})
--- a/act/exprparser/interpreter.go
+++ b/act/exprparser/interpreter.go
@@ -12,7 +12,7 @@ import (
 	"reflect"
 	"strings"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/rhysd/actionlint"
 )
@@ -156,7 +156,6 @@ func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (any, er
 	}
 }

-//nolint:gocyclo // function handles many cases
 func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (any, error) {
 	switch strings.ToLower(variableNode.Name) {
 	case "github":
@@ -252,7 +251,7 @@ func (impl *interperterImpl) evaluateArrayDeref(arrayDerefNode *actionlint.Array

 func (impl *interperterImpl) getPropertyValue(left reflect.Value, property string) (value any, err error) {
 	switch left.Kind() {
-	case reflect.Ptr:
+	case reflect.Pointer:
 		return impl.getPropertyValue(left.Elem(), property)

 	case reflect.Struct:
@@ -322,7 +321,7 @@ func (impl *interperterImpl) getPropertyValue(left reflect.Value, property strin
 }

 func (impl *interperterImpl) getMapValue(value reflect.Value) (any, error) {
-	if value.Kind() == reflect.Ptr {
+	if value.Kind() == reflect.Pointer {
 		return impl.getMapValue(value.Elem())
 	}

@@ -584,7 +583,6 @@ func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.Logi
 	return nil, fmt.Errorf("Unable to compare incompatibles types '%s' and '%s'", leftValue.Kind(), rightValue.Kind())
 }

-//nolint:gocyclo // function handles many cases
 func (impl *interperterImpl) evaluateFuncCall(funcCallNode *actionlint.FuncCallNode) (any, error) {
 	args := make([]reflect.Value, 0)

--- a/act/exprparser/interpreter_test.go
+++ b/act/exprparser/interpreter_test.go
@@ -8,7 +8,7 @@ import (
 	"math"
 	"testing"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 )
@@ -35,7 +35,7 @@ func TestLiterals(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -105,10 +105,10 @@ func TestOperators(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
 			if tt.error != "" {
-				assert.NotNil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 				assert.Equal(t, tt.error, err.Error())
 			} else {
-				assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			}

 			assert.Equal(t, tt.expected, output)
@@ -157,7 +157,7 @@ func TestOperatorsCompare(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
@@ -520,7 +520,7 @@ func TestOperatorsBooleanEvaluation(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			if expected, ok := tt.expected.(float64); ok && math.IsNaN(expected) {
 				assert.True(t, math.IsNaN(output.(float64)))
@@ -624,7 +624,7 @@ func TestContexts(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 			assert.Equal(t, tt.expected, output)
 		})
--- a/act/filecollector/file_collector.go
+++ b/act/filecollector/file_collector.go
@@ -73,10 +73,16 @@ func (cc *CopyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string
 	if err := os.MkdirAll(filepath.Dir(fdestpath), 0o777); err != nil {
 		return err
 	}
+	// Remove any existing destination so we can overwrite read-only files
+	// (e.g. git pack files at mode 0444 trip EACCES on macOS and "Access is
+	// denied" on Windows when reopened with O_WRONLY) and so os.Symlink does
+	// not fail with EEXIST. os.Remove clears the Windows read-only attribute
+	// internally; on Unix unlink only needs write permission on the parent.
+	_ = os.Remove(fdestpath)
 	if f == nil {
 		return os.Symlink(linkName, fdestpath)
 	}
-	df, err := os.OpenFile(fdestpath, os.O_CREATE|os.O_WRONLY, fi.Mode())
+	df, err := os.OpenFile(fdestpath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, fi.Mode())
 	if err != nil {
 		return err
 	}
@@ -128,7 +134,6 @@ func (*DefaultFs) Readlink(path string) (string, error) {
 	return os.Readlink(path)
 }

-//nolint:gocyclo // function handles many cases
 func (fc *FileCollector) CollectFiles(ctx context.Context, submodulePath []string) filepath.WalkFunc {
 	i, _ := fc.Fs.OpenGitIndex(path.Join(fc.SrcPath, path.Join(submodulePath...)))
 	return func(file string, fi os.FileInfo, err error) error {
--- a/act/filecollector/file_collector_test.go
+++ b/act/filecollector/file_collector_test.go
@@ -8,7 +8,9 @@ import (
 	"archive/tar"
 	"context"
 	"io"
+	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"

@@ -20,6 +22,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/format/index"
 	"github.com/go-git/go-git/v5/storage/filesystem"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 type memoryFs struct {
@@ -174,3 +177,47 @@ func TestSymlinks(t *testing.T) {
 	assert.Equal(t, ".env", files["test.env"].Linkname)
 	assert.ErrorIs(t, err, io.EOF, "tar must be read cleanly to EOF")
 }
+
+// Regression for https://gitea.com/gitea/runner/issues/876 and /941:
+// re-copying an action directory must overwrite a pre-existing read-only
+// file (e.g. a git pack .idx at mode 0444) instead of failing with EACCES
+// on macOS or "Access is denied" on Windows.
+func TestCopyCollectorWriteFileOverwritesReadOnlyFile(t *testing.T) {
+	dst := t.TempDir()
+	target := filepath.Join(dst, "sub", "pack.idx")
+	require.NoError(t, os.MkdirAll(filepath.Dir(target), 0o755))
+	require.NoError(t, os.WriteFile(target, []byte("old"), 0o444))
+
+	src := filepath.Join(t.TempDir(), "pack.idx")
+	require.NoError(t, os.WriteFile(src, []byte("new"), 0o444))
+	fi, err := os.Stat(src)
+	require.NoError(t, err)
+
+	cc := &CopyCollector{DstDir: dst}
+	require.NoError(t, cc.WriteFile("sub/pack.idx", fi, "", strings.NewReader("new")))
+
+	got, err := os.ReadFile(target)
+	require.NoError(t, err)
+	assert.Equal(t, "new", string(got))
+}
+
+// Without the destination removal, os.Symlink fails with EEXIST when the
+// path already holds a regular file from an earlier copy of the action.
+func TestCopyCollectorWriteFileOverwritesFileWithSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("creating symlinks requires elevated privileges on Windows")
+	}
+	dst := t.TempDir()
+	target := filepath.Join(dst, "link")
+	require.NoError(t, os.WriteFile(target, []byte("stale"), 0o644))
+
+	fi, err := os.Lstat(target)
+	require.NoError(t, err)
+
+	cc := &CopyCollector{DstDir: dst}
+	require.NoError(t, cc.WriteFile("link", fi, "target", nil))
+
+	resolved, err := os.Readlink(target)
+	require.NoError(t, err)
+	assert.Equal(t, "target", resolved)
+}
--- a/act/model/github_context.go
+++ b/act/model/github_context.go
@@ -9,8 +9,8 @@ import (
 	"fmt"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/common/git"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
 )

 type GithubContext struct {
--- a/act/model/planner.go
+++ b/act/model/planner.go
@@ -61,8 +61,6 @@ type WorkflowFiles struct {
 }

 // NewWorkflowPlanner will load a specific workflow, all workflows from a directory or all workflows from a directory and its subdirectories
-//
-//nolint:gocyclo // function handles many cases
 func NewWorkflowPlanner(path string, noWorkflowRecurse bool) (WorkflowPlanner, error) {
 	path, err := filepath.Abs(path)
 	if err != nil {
--- a/act/model/planner_test.go
+++ b/act/model/planner_test.go
@@ -57,11 +57,11 @@ func TestWorkflow(t *testing.T) {

 	// Check that an invalid job id returns error
 	result, err := createStages(&workflow, "invalid_job_id")
-	assert.NotNil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Nil(t, result)

 	// Check that an valid job id returns non-error
 	result, err = createStages(&workflow, "valid_job")
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.NotNil(t, result)
 }
--- a/act/model/testdata/container-volumes/push.yml
+++ b/act/model/testdata/container-volumes/push.yml
@@ -5,7 +5,7 @@ jobs:
  with-volumes:
    runs-on: ubuntu-latest
    container:
-      image: node:16-buster-slim
+      image: node:24-bookworm-slim
      volumes:
        - my_docker_volume:/path/to/volume
        - /path/to/nonexist/directory
--- a/act/model/workflow.go
+++ b/act/model/workflow.go
@@ -15,7 +15,7 @@ import (
 	"strconv"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	log "github.com/sirupsen/logrus"
 	"go.yaml.in/yaml/v4"
@@ -440,8 +440,6 @@ func (j *Job) Matrix() map[string][]any {

 // GetMatrixes returns the matrix cross product
 // It skips includes and hard fails excludes for non-existing keys
-//
-//nolint:gocyclo // function handles many cases
 func (j *Job) GetMatrixes() ([]map[string]any, error) {
 	matrixes := make([]map[string]any, 0)
 	if j.Strategy != nil {
--- a/act/model/workflow_test.go
+++ b/act/model/workflow_test.go
@@ -56,7 +56,7 @@ jobs:
 	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act

 	newSchedules = workflow.OnSchedule()
-	assert.Len(t, newSchedules, 0) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, newSchedules)

 	yaml = `
 name: local-action-docker-url
@@ -74,7 +74,7 @@ jobs:
 	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act

 	newSchedules = workflow.OnSchedule()
-	assert.Len(t, newSchedules, 0) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, newSchedules)

 	yaml = `
 name: local-action-docker-url
@@ -91,7 +91,7 @@ jobs:
 	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act

 	newSchedules = workflow.OnSchedule()
-	assert.Len(t, newSchedules, 0) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, newSchedules)
 }

 func TestReadWorkflow_StringEvent(t *testing.T) {
@@ -870,7 +870,7 @@ jobs:
 					assert.Nil(t, matrix, "matrix should be nil for jobs without strategy")
 				} else {
 					assert.NotNil(t, matrix, "matrix should not be nil")
-					assert.Equal(t, tt.wantLen, len(matrix), "matrix should have expected number of keys") //nolint:testifylint // pre-existing issue from nektos/act
+					assert.Len(t, matrix, tt.wantLen, "matrix should have expected number of keys")
 					if tt.checkFn != nil {
 						tt.checkFn(t, matrix)
 					}
--- a/act/runner/action.go
+++ b/act/runner/action.go
@@ -18,9 +18,10 @@ import (
 	"runtime"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/kballard/go-shellquote"
 )
@@ -44,6 +45,11 @@ type runAction func(step actionStep, actionDir string, remoteAction *remoteActio
 //go:embed res/trampoline.js
 var trampoline embed.FS

+var (
+	ContainerImageExistsLocally     = container.ImageExistsLocally
+	ContainerNewDockerBuildExecutor = container.NewDockerBuildExecutor
+)
+
 func readActionImpl(ctx context.Context, step *model.Step, actionDir, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	logger := common.Logger(ctx)
 	allErrors := []error{}
@@ -148,6 +154,8 @@ func maybeCopyToActionDir(ctx context.Context, step actionStep, actionDir, actio
 		return rc.JobContainer.CopyTarStream(ctx, containerActionDirCopy, ta)
 	}

+	defer git.AcquireCloneLock(actionDir)()
+
 	if err := removeGitIgnore(ctx, actionDir); err != nil {
 		return err
 	}
@@ -197,7 +205,7 @@ func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction
 			if remoteAction == nil {
 				location = containerActionDir
 			}
-			return execAsDocker(ctx, step, actionName, location, remoteAction == nil)
+			return execAsDocker(ctx, step, actionName, actionDir, location, remoteAction == nil)
 		case x.IsComposite():
 			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
 				return err
@@ -265,9 +273,7 @@ func removeGitIgnore(ctx context.Context, directory string) error {
 }

 // TODO: break out parts of function to reduce complexicity
-//
-//nolint:gocyclo // function handles many cases
-func execAsDocker(ctx context.Context, step actionStep, actionName, basedir string, localAction bool) error {
+func execAsDocker(ctx context.Context, step actionStep, actionName, actionDir, basedir string, localAction bool) error {
 	logger := common.Logger(ctx)
 	rc := step.getRunContext()
 	action := step.getActionModel()
@@ -286,12 +292,12 @@ func execAsDocker(ctx context.Context, step actionStep, actionName, basedir stri
 		image = strings.ToLower(image)
 		contextDir, fileName := filepath.Split(filepath.Join(basedir, action.Runs.Image))

-		anyArchExists, err := container.ImageExistsLocally(ctx, image, "any")
+		anyArchExists, err := ContainerImageExistsLocally(ctx, image, "any")
 		if err != nil {
 			return err
 		}

-		correctArchExists, err := container.ImageExistsLocally(ctx, image, rc.Config.ContainerArchitecture)
+		correctArchExists, err := ContainerImageExistsLocally(ctx, image, rc.Config.ContainerArchitecture)
 		if err != nil {
 			return err
 		}
@@ -323,13 +329,21 @@ func execAsDocker(ctx context.Context, step actionStep, actionName, basedir stri
 				}
 				defer buildContext.Close()
 			}
-			prepImage = container.NewDockerBuildExecutor(container.NewDockerBuildExecutorInput{
+			prepImage = ContainerNewDockerBuildExecutor(container.NewDockerBuildExecutorInput{
 				ContextDir:   contextDir,
 				Dockerfile:   fileName,
 				ImageTag:     image,
 				BuildContext: buildContext,
 				Platform:     rc.Config.ContainerArchitecture,
 			})
+			if buildContext == nil {
+				// Held across the whole build: the daemon drains contextDir lazily.
+				inner := prepImage
+				prepImage = func(ctx context.Context) error {
+					defer git.AcquireCloneLock(actionDir)()
+					return inner(ctx)
+				}
+			}
 		} else {
 			logger.Debugf("image '%s' for architecture '%s' already exists", image, rc.Config.ContainerArchitecture)
 		}
@@ -429,7 +443,7 @@ func newStepContainer(ctx context.Context, step step, image string, cmd, entrypo
 		Image:        image,
 		Username:     rc.Config.Secrets["DOCKER_USERNAME"],
 		Password:     rc.Config.Secrets["DOCKER_PASSWORD"],
-		Name:         createSimpleContainerName(rc.jobContainerName(), "STEP-"+stepModel.ID),
+		Name:         createContainerName(rc.jobContainerName(), "STEP-"+stepModel.ID),
 		Env:          envList,
 		Mounts:       mounts,
 		NetworkMode:  networkMode,
--- a/act/runner/action_composite.go
+++ b/act/runner/action_composite.go
@@ -11,8 +11,8 @@ import (
 	"strconv"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"
 )

 func evaluateCompositeInputAndEnv(ctx context.Context, parent *RunContext, step actionStep) map[string]string {
--- a/act/runner/action_test.go
+++ b/act/runner/action_test.go
@@ -9,9 +9,14 @@ import (
 	"io"
 	"io/fs"
 	"strings"
+	"sync"
 	"testing"
+	"time"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -137,7 +142,7 @@ runs:

 			action, err := readActionImpl(context.Background(), tt.step, "actionDir", "actionPath", readFile, writeFile)

-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			assert.Equal(t, tt.expected, action)

 			closerMock.AssertExpectations(t)
@@ -247,8 +252,158 @@ func TestActionRunner(t *testing.T) {

 			err := runActionImpl(tt.step, "dir", newRemoteAction("org/repo/path@ref"))(ctx)

-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			cm.AssertExpectations(t)
 		})
 	}
 }
+
+func TestMaybeCopyToActionDirHoldsCloneLock(t *testing.T) {
+	ctx := context.Background()
+
+	actionDir := t.TempDir()
+
+	releaseCopy := make(chan struct{})
+	release := sync.OnceFunc(func() { close(releaseCopy) })
+	defer release()
+
+	copyEntered := make(chan struct{})
+
+	cm := &containerMock{}
+	cm.On("CopyDir", "/var/run/act/actions/", actionDir+"/", false).Return(func(ctx context.Context) error {
+		close(copyEntered)
+		<-releaseCopy
+		return nil
+	})
+
+	step := &stepActionRemote{
+		Step: &model.Step{Uses: "remote/action@v1"},
+		RunContext: &RunContext{
+			Config:       &Config{},
+			JobContainer: cm,
+		},
+	}
+
+	copyDone := make(chan error, 1)
+	go func() {
+		copyDone <- maybeCopyToActionDir(ctx, step, actionDir, "", "/var/run/act/actions/")
+	}()
+
+	select {
+	case <-copyEntered:
+	case err := <-copyDone:
+		t.Fatalf("maybeCopyToActionDir returned before CopyDir was entered: %v", err)
+	case <-time.After(time.Second):
+		t.Fatal("CopyDir was not entered within 1 second")
+	}
+
+	peerAcquired := make(chan struct{})
+	go func() {
+		unlock := git.AcquireCloneLock(actionDir)
+		close(peerAcquired)
+		unlock()
+	}()
+
+	select {
+	case <-peerAcquired:
+		t.Fatal("peer AcquireCloneLock returned while CopyDir was running")
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	release()
+
+	select {
+	case err := <-copyDone:
+		if err != nil {
+			t.Fatalf("maybeCopyToActionDir returned error: %v", err)
+		}
+	case <-time.After(time.Second):
+		t.Fatal("maybeCopyToActionDir did not return after CopyDir was unblocked")
+	}
+
+	select {
+	case <-peerAcquired:
+	case <-time.After(time.Second):
+		t.Fatal("peer AcquireCloneLock did not proceed after lock released")
+	}
+
+	cm.AssertExpectations(t)
+}
+
+func TestExecAsDockerHoldsCloneLockForRemoteUncached(t *testing.T) {
+	actionDir := t.TempDir()
+
+	unlockOnce := sync.OnceFunc(git.AcquireCloneLock(actionDir))
+	defer unlockOnce()
+
+	innerEntered := make(chan struct{})
+	releaseInner := make(chan struct{})
+	releaseOnce := sync.OnceFunc(func() { close(releaseInner) })
+	defer releaseOnce()
+
+	origImageExists := ContainerImageExistsLocally
+	ContainerImageExistsLocally = func(_ context.Context, _, _ string) (bool, error) {
+		return false, nil
+	}
+	defer func() { ContainerImageExistsLocally = origImageExists }()
+
+	origBuildExec := ContainerNewDockerBuildExecutor
+	ContainerNewDockerBuildExecutor = func(_ container.NewDockerBuildExecutorInput) common.Executor {
+		return func(_ context.Context) error {
+			close(innerEntered)
+			<-releaseInner
+			return nil
+		}
+	}
+	defer func() { ContainerNewDockerBuildExecutor = origBuildExec }()
+
+	step := &stepActionRemote{
+		Step: &model.Step{ID: "1", Uses: "remote/action@v1", With: map[string]string{}},
+		RunContext: &RunContext{
+			Config: &Config{},
+			Run: &model.Run{
+				JobID: "1",
+				Workflow: &model.Workflow{
+					Name: "wf",
+					Jobs: map[string]*model.Job{"1": {}},
+				},
+			},
+			JobContainer: &containerMock{},
+		},
+		action: &model.Action{Runs: model.ActionRuns{Using: "docker", Image: "Dockerfile"}},
+		env:    map[string]string{},
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() { done <- execAsDocker(ctx, step, "test-action", actionDir, actionDir, false) }()
+
+	select {
+	case <-innerEntered:
+		t.Fatal("inner build executor ran before clone lock was released")
+	case err := <-done:
+		t.Fatalf("execAsDocker returned before inner was entered: %v", err)
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	unlockOnce()
+
+	select {
+	case <-innerEntered:
+	case err := <-done:
+		t.Fatalf("execAsDocker returned without entering inner: %v", err)
+	case <-time.After(time.Second):
+		t.Fatal("inner build executor not entered after lock released")
+	}
+
+	cancel()
+	releaseOnce()
+
+	select {
+	case <-done:
+	case <-time.After(time.Second):
+		t.Fatal("execAsDocker did not return after inner was released and ctx was canceled")
+	}
+}
--- a/act/runner/command.go
+++ b/act/runner/command.go
@@ -9,7 +9,7 @@ import (
 	"regexp"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"
 )

 var commandPatternGA *regexp.Regexp
@@ -120,7 +120,7 @@ func (rc *RunContext) setOutput(ctx context.Context, kvPairs map[string]string,

 	result, ok := rc.StepResults[stepID]
 	if !ok {
-		logger.Infof("  \U00002757  no outputs used step '%s'", stepID)
+		logger.Infof("No outputs registered for step '%s'", stepID)
 		return
 	}

--- a/act/runner/command_test.go
+++ b/act/runner/command_test.go
@@ -11,8 +11,8 @@ import (
 	"os"
 	"testing"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
--- a/act/runner/container_mock_test.go
+++ b/act/runner/container_mock_test.go
@@ -8,8 +8,8 @@ import (
 	"context"
 	"io"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"

 	"github.com/stretchr/testify/mock"
 )
--- a/act/runner/expression.go
+++ b/act/runner/expression.go
@@ -15,10 +15,10 @@ import (
 	"strings"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/exprparser"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/exprparser"
+	"gitea.com/gitea/runner/act/model"

 	_ "embed"

@@ -405,7 +405,6 @@ func escapeFormatString(in string) string {
 	return strings.ReplaceAll(strings.ReplaceAll(in, "{", "{{"), "}", "}}")
 }

-//nolint:gocyclo // function handles many cases
 func rewriteSubExpression(ctx context.Context, in string, forceFormat bool) (string, error) { //nolint:unparam // pre-existing issue from nektos/act
 	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
 		return in, nil
@@ -472,7 +471,6 @@ func rewriteSubExpression(ctx context.Context, in string, forceFormat bool) (str
 	return out, nil
 }

-//nolint:gocyclo // function handles many cases
 func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *model.GithubContext) map[string]any {
 	inputs := map[string]any{}

--- a/act/runner/expression_test.go
+++ b/act/runner/expression_test.go
@@ -8,8 +8,8 @@ import (
 	"context"
 	"testing"

-	"gitea.com/gitea/act_runner/act/exprparser"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/exprparser"
+	"gitea.com/gitea/runner/act/model"

 	assert "github.com/stretchr/testify/assert"
 	yaml "go.yaml.in/yaml/v4"
--- a/act/runner/job_executor.go
+++ b/act/runner/job_executor.go
@@ -10,8 +10,8 @@ import (
 	"strconv"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"
 )

 type jobInfo interface {
@@ -24,7 +24,13 @@ type jobInfo interface {
 	result(result string)
 }

-//nolint:contextcheck,gocyclo // composes many step executors
+// reportStepError emits the GitHub Actions ##[error] annotation and records
+// the error against the job so the job is reported as failed.
+func reportStepError(ctx context.Context, err error) {
+	common.Logger(ctx).Errorf("##[error]%v", err)
+	common.SetJobError(ctx, err)
+}
+
 func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executor {
 	steps := make([]common.Executor, 0)
 	preSteps := make([]common.Executor, 0)
@@ -33,7 +39,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 	steps = append(steps, func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		if len(info.matrix()) > 0 {
-			logger.Infof("\U0001F9EA  Matrix: %v", info.matrix())
+			logger.Infof("Matrix: %v", info.matrix())
 		}
 		return nil
 	})
@@ -76,33 +82,36 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo

 		preExec := step.pre()
 		preSteps = append(preSteps, useStepLogger(rc, stepModel, stepStagePre, func(ctx context.Context) error {
-			logger := common.Logger(ctx)
 			preErr := preExec(ctx)
 			if preErr != nil {
-				logger.Errorf("%v", preErr)
-				common.SetJobError(ctx, preErr)
+				reportStepError(ctx, preErr)
 			} else if ctx.Err() != nil {
-				logger.Errorf("%v", ctx.Err())
-				common.SetJobError(ctx, ctx.Err())
+				reportStepError(ctx, ctx.Err())
 			}
 			return preErr
 		}))

 		stepExec := step.main()
 		steps = append(steps, useStepLogger(rc, stepModel, stepStageMain, func(ctx context.Context) error {
-			logger := common.Logger(ctx)
 			err := stepExec(ctx)
 			if err != nil {
-				logger.Errorf("%v", err)
-				common.SetJobError(ctx, err)
+				reportStepError(ctx, err)
 			} else if ctx.Err() != nil {
-				logger.Errorf("%v", ctx.Err())
-				common.SetJobError(ctx, ctx.Err())
+				reportStepError(ctx, ctx.Err())
 			}
 			return nil
 		}))

-		postExec := useStepLogger(rc, stepModel, stepStagePost, step.post())
+		postFn := step.post()
+		postExec := useStepLogger(rc, stepModel, stepStagePost, func(ctx context.Context) error {
+			err := postFn(ctx)
+			if err != nil {
+				reportStepError(ctx, err)
+			} else if ctx.Err() != nil {
+				reportStepError(ctx, ctx.Err())
+			}
+			return err
+		})
 		if postExecutor != nil {
 			// run the post executor in reverse order
 			postExecutor = postExec.Finally(postExecutor)
@@ -137,7 +146,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 			// if !rc.IsHostEnv(ctx) && rc.Config.ContainerNetworkMode == "" {
 			// 	// clean network in docker mode only
 			// 	// if the value of `ContainerNetworkMode` is empty string,
-			// 	// it means that the network to which containers are connecting is created by `act_runner`,
+			// 	// it means that the network to which containers are connecting is created by `runner`,
 			// 	// so, we should remove the network at last.
 			// 	networkName, _ := rc.networkName()
 			// 	logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, networkName)
@@ -157,7 +166,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 	pipeline = append(pipeline, steps...)

 	return common.NewPipelineExecutor(info.startContainer(), common.NewPipelineExecutor(pipeline...).
-		Finally(func(ctx context.Context) error { //nolint:contextcheck // intentionally detaches from canceled parent
+		Finally(func(ctx context.Context) error {
 			var cancel context.CancelFunc
 			if ctx.Err() == context.Canceled {
 				// in case of an aborted run, we still should execute the
@@ -197,7 +206,7 @@ func setJobResult(ctx context.Context, info jobInfo, rc *RunContext, success boo
 		jobResultMessage = "failed"
 	}

-	logger.WithField("jobResult", jobResult).Infof("\U0001F3C1  Job %s", jobResultMessage)
+	logger.WithField("jobResult", jobResult).Infof("Job %s", jobResultMessage)
 }

 func setJobOutputs(ctx context.Context, rc *RunContext) {
--- a/act/runner/job_executor_test.go
+++ b/act/runner/job_executor_test.go
@@ -12,9 +12,9 @@ import (
 	"slices"
 	"testing"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -331,7 +331,7 @@ func TestNewJobExecutor(t *testing.T) {

 			executor := newJobExecutor(jim, sfm, rc)
 			err := executor(ctx)
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			assert.Equal(t, tt.executedSteps, executorOrder)

 			jim.AssertExpectations(t)
--- a/act/runner/local_repository_cache.go
+++ b/act/runner/local_repository_cache.go
@@ -16,7 +16,7 @@ import (
 	"path/filepath"
 	"strings"

-	"gitea.com/gitea/act_runner/act/filecollector"
+	"gitea.com/gitea/runner/act/filecollector"
 )

 type LocalRepositoryCache struct {
--- a/act/runner/logger.go
+++ b/act/runner/logger.go
@@ -13,7 +13,7 @@ import (
 	"strings"
 	"sync"

-	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/runner/act/common"

 	"github.com/sirupsen/logrus"
 	"golang.org/x/term"
@@ -30,6 +30,11 @@ const (
 	gray    = 37
 )

+const (
+	rawOutputField      = "raw_output"
+	scriptLineCyanField = "script_line_cyan"
+)
+
 var (
 	colors    []int
 	nextColor int
@@ -161,6 +166,8 @@ func withStepLogger(ctx context.Context, stepNumber int, stepID, stepName, stage

 type entryProcessor func(entry *logrus.Entry) *logrus.Entry

+// valueMasker applies secrets and ::add-mask:: patterns to every log entry, including
+// raw_output (command/stream) lines; there is no bypass by field.
 func valueMasker(insecureSecrets bool, secrets map[string]string) entryProcessor {
 	return func(entry *logrus.Entry) *logrus.Entry {
 		if insecureSecrets {
@@ -227,8 +234,12 @@ func (f *jobLogFormatter) printColored(b *bytes.Buffer, entry *logrus.Entry) {
 		debugFlag = "[DEBUG] "
 	}

-	if entry.Data["raw_output"] == true {
-		fmt.Fprintf(b, "\x1b[%dm|\x1b[0m %s", f.color, entry.Message)
+	if entry.Data[rawOutputField] == true {
+		if entry.Data[scriptLineCyanField] == true {
+			fmt.Fprintf(b, "\x1b[%dm|\x1b[0m \x1b[36;1m%s\x1b[0m", f.color, entry.Message)
+		} else {
+			fmt.Fprintf(b, "\x1b[%dm|\x1b[0m %s", f.color, entry.Message)
+		}
 	} else if entry.Data["dryrun"] == true {
 		fmt.Fprintf(b, "\x1b[1m\x1b[%dm\x1b[7m*DRYRUN*\x1b[0m \x1b[%dm[%s] \x1b[0m%s%s", gray, f.color, job, debugFlag, entry.Message)
 	} else {
@@ -251,7 +262,7 @@ func (f *jobLogFormatter) print(b *bytes.Buffer, entry *logrus.Entry) {
 		debugFlag = "[DEBUG] "
 	}

-	if entry.Data["raw_output"] == true {
+	if entry.Data[rawOutputField] == true {
 		fmt.Fprintf(b, "[%s]   | %s", job, entry.Message)
 	} else if entry.Data["dryrun"] == true {
 		fmt.Fprintf(b, "*DRYRUN* [%s] %s%s", job, debugFlag, entry.Message)
--- a/act/runner/max_parallel_test.go
+++ b/act/runner/max_parallel_test.go
@@ -6,7 +6,7 @@ package runner
 import (
 	"testing"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"go.yaml.in/yaml/v4"
@@ -60,7 +60,7 @@ func TestMaxParallelStrategy(t *testing.T) {
 			matrixes, err := job.GetMatrixes()
 			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			assert.NotNil(t, matrixes)
-			assert.Equal(t, 5, len(matrixes)) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.Len(t, matrixes, 5)
 			assert.Equal(t, tt.expectedMaxParallel, job.Strategy.MaxParallel)
 		})
 	}
--- a/act/runner/reusable_workflow.go
+++ b/act/runner/reusable_workflow.go
@@ -7,19 +7,15 @@ package runner
 import (
 	"archive/tar"
 	"context"
-	"errors"
 	"fmt"
-	"io/fs"
 	"net/url"
-	"os"
 	"path"
 	"regexp"
 	"strings"
-	"sync"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/common/git"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/model"
 )

 func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
@@ -51,7 +47,7 @@ func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
 	token := rc.Config.GetToken()

 	return common.NewPipelineExecutor(
-		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir, token)),
+		cloneRemoteReusableWorkflow(rc, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, workflowDir, token),
 		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
 	)
 }
@@ -85,7 +81,7 @@ func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
 	token := getGitCloneToken(rc.Config, remoteReusableWorkflow.CloneURL())

 	return common.NewPipelineExecutor(
-		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir, token)),
+		cloneRemoteReusableWorkflow(rc, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, workflowDir, token),
 		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
 	)
 }
@@ -125,46 +121,37 @@ func newActionCacheReusableWorkflowExecutor(rc *RunContext, filename string, rem
 	}
 }

-var executorLock sync.Mutex
-
-func newMutexExecutor(executor common.Executor) common.Executor {
+// cloneRemoteReusableWorkflow always invokes the clone executor — moving refs
+// (branches, tags) must be re-resolved each run, matching GitHub Actions.
+//
+// Callers must not change remoteReusableWorkflow.URL, because:
+//  1. Gitea doesn't support specifying GithubContext.ServerURL by the GITHUB_SERVER_URL env
+//  2. Gitea has already full URL with rc.Config.GitHubInstance when calling newRemoteReusableWorkflowWithPlat
+//
+// remoteReusableWorkflow.URL = rc.getGithubContext(ctx).ServerURL
+func cloneRemoteReusableWorkflow(rc *RunContext, cloneURL, ref, targetDirectory, token string) common.Executor {
 	return func(ctx context.Context) error {
-		executorLock.Lock()
-		defer executorLock.Unlock()
-
-		return executor(ctx)
+		cloneURL = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, cloneURL)
+		return git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
+			URL:         cloneURL,
+			Ref:         ref,
+			Dir:         targetDirectory,
+			Token:       token,
+			OfflineMode: rc.Config.ActionOfflineMode,
+		})(ctx)
 	}
 }

-func cloneIfRequired(rc *RunContext, remoteReusableWorkflow remoteReusableWorkflow, targetDirectory, token string) common.Executor {
-	return common.NewConditionalExecutor(
-		func(ctx context.Context) bool {
-			_, err := os.Stat(targetDirectory)
-			notExists := errors.Is(err, fs.ErrNotExist)
-			return notExists
-		},
-		func(ctx context.Context) error {
-			// interpolate the cloneURL
-			cloneURL := rc.NewExpressionEvaluator(ctx).Interpolate(ctx, remoteReusableWorkflow.CloneURL())
-			// Do not change the remoteReusableWorkflow.URL, because:
-			// 	1. Gitea doesn't support specifying GithubContext.ServerURL by the GITHUB_SERVER_URL env
-			//	2. Gitea has already full URL with rc.Config.GitHubInstance when calling newRemoteReusableWorkflowWithPlat
-			// remoteReusableWorkflow.URL = rc.getGithubContext(ctx).ServerURL
-			return git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
-				URL:         cloneURL,
-				Ref:         remoteReusableWorkflow.Ref,
-				Dir:         targetDirectory,
-				Token:       token,
-				OfflineMode: rc.Config.ActionOfflineMode,
-			})(ctx)
-		},
-		nil,
-	)
-}
+var modelNewWorkflowPlanner = model.NewWorkflowPlanner

 func newReusableWorkflowExecutor(rc *RunContext, directory, workflow string) common.Executor {
 	return func(ctx context.Context) error {
-		planner, err := model.NewWorkflowPlanner(path.Join(directory, workflow), true)
+		// Scoped to the yaml read so concurrent invocations don't serialize
+		// on the whole job run.
+		planner, err := func() (model.WorkflowPlanner, error) {
+			defer git.AcquireCloneLock(directory)()
+			return modelNewWorkflowPlanner(path.Join(directory, workflow), true)
+		}()
 		if err != nil {
 			return err
 		}
@@ -298,7 +285,7 @@ func setReusedWorkflowCallerResult(rc *RunContext, runner Runner) common.Executo
 				rc.caller.setReusedWorkflowJobResult(rc.JobName, reusedWorkflowJobResult)
 			} else {
 				rc.result(reusedWorkflowJobResult)
-				logger.WithField("jobResult", reusedWorkflowJobResult).Infof("\U0001F3C1  Job %s", reusedWorkflowJobResultMessage)
+				logger.WithField("jobResult", reusedWorkflowJobResult).Infof("Job %s", reusedWorkflowJobResultMessage)
 			}
 		}

--- a/act/runner/reusable_workflow_test.go
+++ b/act/runner/reusable_workflow_test.go
@@ -0,0 +1,134 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package runner
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Regression test for go-gitea/gitea#37483: a remote reusable workflow at a moving
+// ref (branch/tag) must reflect the new tip on every invocation, not stay pinned
+// to the cache populated on the first run.
+func TestReusableWorkflowCachedBranchRefRefreshes(t *testing.T) {
+	if _, err := exec.LookPath("git"); err != nil {
+		t.Skip("git not available in PATH")
+	}
+
+	remoteDir := t.TempDir()
+	gitMust(t, "", "init", "--bare", "--initial-branch=master", remoteDir)
+
+	workDir := t.TempDir()
+	gitMust(t, "", "clone", remoteDir, workDir)
+	gitMust(t, workDir, "config", "user.email", "test@test")
+	gitMust(t, workDir, "config", "user.name", "test")
+	gitMust(t, workDir, "checkout", "-b", "master")
+
+	const workflowPath = ".gitea/workflows/reusable.yml"
+	tmpl := func(tag string) string {
+		return "name: reusable\non:\n  workflow_call:\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo " + tag + "\n"
+	}
+
+	require.NoError(t, os.MkdirAll(filepath.Join(workDir, ".gitea/workflows"), 0o755))
+	require.NoError(t, os.WriteFile(filepath.Join(workDir, workflowPath), []byte(tmpl("v1")), 0o644))
+	gitMust(t, workDir, "add", workflowPath)
+	gitMust(t, workDir, "commit", "-m", "v1")
+	gitMust(t, workDir, "push", "-u", "origin", "master")
+
+	rc := &RunContext{
+		Config: &Config{},
+		Run: &model.Run{
+			JobID: "j1",
+			Workflow: &model.Workflow{
+				Name: "wf",
+				Jobs: map[string]*model.Job{"j1": {}},
+			},
+		},
+	}
+	cacheDir := t.TempDir()
+
+	require.NoError(t, cloneRemoteReusableWorkflow(rc, remoteDir, "master", cacheDir, "")(context.Background()))
+	got, err := os.ReadFile(filepath.Join(cacheDir, workflowPath))
+	require.NoError(t, err)
+	require.Equal(t, tmpl("v1"), string(got))
+
+	// Branch tip moves; cache key (cacheDir) does not.
+	require.NoError(t, os.WriteFile(filepath.Join(workDir, workflowPath), []byte(tmpl("v2")), 0o644))
+	gitMust(t, workDir, "commit", "-am", "v2")
+	gitMust(t, workDir, "push", "origin", "master")
+
+	require.NoError(t, cloneRemoteReusableWorkflow(rc, remoteDir, "master", cacheDir, "")(context.Background()))
+	got, err = os.ReadFile(filepath.Join(cacheDir, workflowPath))
+	require.NoError(t, err)
+	require.Equal(t, tmpl("v2"), string(got), "cached workflow file must reflect the updated branch tip")
+}
+
+func TestNewReusableWorkflowExecutorHoldsCloneLock(t *testing.T) {
+	workflowDir := t.TempDir()
+
+	unlockOnce := sync.OnceFunc(git.AcquireCloneLock(workflowDir))
+	defer unlockOnce()
+
+	plannerCalled := make(chan struct{})
+
+	origPlanner := modelNewWorkflowPlanner
+	modelNewWorkflowPlanner = func(string, bool) (model.WorkflowPlanner, error) {
+		close(plannerCalled)
+		return nil, errors.New("stop")
+	}
+	defer func() { modelNewWorkflowPlanner = origPlanner }()
+
+	rc := &RunContext{
+		Config: &Config{},
+		Run:    &model.Run{Workflow: &model.Workflow{Jobs: map[string]*model.Job{}}},
+	}
+	exec := newReusableWorkflowExecutor(rc, workflowDir, "reusable.yml")
+
+	done := make(chan error, 1)
+	go func() { done <- exec(context.Background()) }()
+
+	select {
+	case <-plannerCalled:
+		t.Fatal("planner ran while clone lock was held")
+	case err := <-done:
+		t.Fatalf("executor returned before planner was reached: %v", err)
+	case <-time.After(50 * time.Millisecond):
+	}
+
+	unlockOnce()
+
+	select {
+	case <-plannerCalled:
+	case <-time.After(time.Second):
+		t.Fatal("planner not called after lock was released")
+	}
+
+	select {
+	case err := <-done:
+		require.Error(t, err)
+	case <-time.After(time.Second):
+		t.Fatal("executor did not return after planner ran")
+	}
+}
+
+func gitMust(t *testing.T, dir string, args ...string) {
+	t.Helper()
+	cmd := exec.Command("git", args...)
+	if dir != "" {
+		cmd.Dir = dir
+	}
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, "git %v: %s", args, string(out))
+}
--- a/act/runner/run_context.go
+++ b/act/runner/run_context.go
@@ -23,10 +23,10 @@ import (
 	"strings"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/exprparser"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/exprparser"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/docker/go-connections/nat"
 	"github.com/opencontainers/selinux/go-selinux"
@@ -101,8 +101,7 @@ func (rc *RunContext) jobContainerName() string {
 	if rc.caller != nil {
 		nameParts = append(nameParts, "CALLED-BY-"+rc.caller.runContext.JobName)
 	}
-	// return createSimpleContainerName(rc.Config.ContainerNamePrefix, "WORKFLOW-"+rc.Run.Workflow.Name, "JOB-"+rc.Name)
-	return createSimpleContainerName(nameParts...) // For Gitea
+	return createContainerName(nameParts...) // For Gitea
 }

 // networkNameForGitea return the name of the network
@@ -194,7 +193,7 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 func (rc *RunContext) startHostEnvironment() common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		rawLogger := logger.WithField("raw_output", true)
+		rawLogger := logger.WithField(rawOutputField, true)
 		logWriter := common.NewLineWriter(rc.commandHandler(ctx), func(s string) bool {
 			if rc.Config.LogOutput {
 				rawLogger.Infof("%s", s)
@@ -221,11 +220,12 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 		}
 		toolCache := filepath.Join(cacheDir, "tool_cache")
 		rc.JobContainer = &container.HostEnvironment{
-			Path:      path,
-			TmpDir:    runnerTmp,
-			ToolCache: toolCache,
-			Workdir:   rc.Config.Workdir,
-			ActPath:   actPath,
+			Path:        path,
+			TmpDir:      runnerTmp,
+			ToolCache:   toolCache,
+			Workdir:     rc.Config.Workdir,
+			BindWorkdir: rc.Config.BindWorkdir,
+			ActPath:     actPath,
 			CleanUp: func() {
 				os.RemoveAll(miscpath)
 			},
@@ -260,12 +260,24 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 	}
 }

-//nolint:gocyclo // function handles many cases
+// printStartJobContainerGroup mirrors actions/runner's "Starting job container"
+// section: emit the group header and summary, return a closer for ::endgroup::.
+func printStartJobContainerGroup(ctx context.Context, image, name, network string) func() {
+	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+	rawLogger.Infof("::group::Starting job container")
+	rawLogger.Infof("image: %s", image)
+	rawLogger.Infof("name: %s", name)
+	rawLogger.Infof("network: %s", network)
+	return func() {
+		rawLogger.Infof("::endgroup::")
+	}
+}
+
 func (rc *RunContext) startJobContainer() common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		image := rc.platformImage(ctx)
-		rawLogger := logger.WithField("raw_output", true)
+		rawLogger := logger.WithField(rawOutputField, true)
 		logWriter := common.NewLineWriter(rc.commandHandler(ctx), func(s string) bool {
 			if rc.Config.LogOutput {
 				rawLogger.Infof("%s", s)
@@ -280,7 +292,6 @@ func (rc *RunContext) startJobContainer() common.Executor {
 			return fmt.Errorf("failed to handle credentials: %s", err)
 		}

-		logger.Infof("\U0001f680  Start image=%s", image)
 		name := rc.jobContainerName()
 		// For gitea, to support --volumes-from <container_name_or_id> in options.
 		// We need to set the container name to the environment variable.
@@ -383,7 +394,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
 						if createAndDeleteNetwork {
 							// clean network if it has been created by act
 							// if using service containers
-							// it means that the network to which containers are connecting is created by `act_runner`,
+							// it means that the network to which containers are connecting is created by `runner`,
 							// so, we should remove the network at last.
 							logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, networkName)
 							if err := container.NewDockerNetworkRemoveExecutor(networkName)(ctx); err != nil {
@@ -425,6 +436,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
 			return errors.New("Failed to create job container")
 		}

+		defer printStartJobContainerGroup(ctx, image, name, networkName)()
 		return common.NewPipelineExecutor(
 			rc.pullServicesImages(rc.Config.ForcePull),
 			rc.JobContainer.Pull(rc.Config.ForcePull),
@@ -731,7 +743,7 @@ func (rc *RunContext) isEnabled(ctx context.Context) (bool, error) {
 	jobType, jobTypeErr := job.Type()

 	if runJobErr != nil {
-		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, runJobErr)
+		return false, fmt.Errorf("if-expression %q evaluation failed: %s", job.If.Value, runJobErr)
 	}

 	if jobType == model.JobTypeInvalid {
@@ -754,7 +766,7 @@ func (rc *RunContext) isEnabled(ctx context.Context) (bool, error) {
 	img := rc.platformImage(ctx)
 	if img == "" {
 		for _, platformName := range rc.runsOnPlatformNames(ctx) {
-			l.Infof("\U0001F6A7  Skipping unsupported platform -- Try running with `-P %+v=...`", platformName)
+			l.Infof("Skipping unsupported platform -- Try running with `-P %+v=...`", platformName)
 		}
 		return false, nil
 	}
@@ -769,7 +781,6 @@ func mergeMaps(maps ...map[string]string) map[string]string {
 	return rtnMap
 }

-// Deprecated: use createSimpleContainerName
 func createContainerName(parts ...string) string {
 	name := strings.Join(parts, "-")
 	pattern := regexp.MustCompile("[^a-zA-Z0-9]")
@@ -783,22 +794,6 @@ func createContainerName(parts ...string) string {
 	return fmt.Sprintf("%s-%x", trimmedName, hash)
 }

-func createSimpleContainerName(parts ...string) string {
-	pattern := regexp.MustCompile("[^a-zA-Z0-9-]")
-	name := make([]string, 0, len(parts))
-	for _, v := range parts {
-		v = pattern.ReplaceAllString(v, "-")
-		v = strings.Trim(v, "-")
-		for strings.Contains(v, "--") {
-			v = strings.ReplaceAll(v, "--", "-")
-		}
-		if v != "" {
-			name = append(name, v)
-		}
-	}
-	return strings.Join(name, "_")
-}
-
 func trimToLen(s string, l int) string {
 	if l < 0 {
 		l = 0
@@ -826,7 +821,6 @@ func (rc *RunContext) getStepsContext() map[string]*model.StepResult {
 	return rc.StepResults
 }

-//nolint:gocyclo // function handles many cases
 func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext {
 	logger := common.Logger(ctx)
 	ghc := &model.GithubContext{
--- a/act/runner/run_context_test.go
+++ b/act/runner/run_context_test.go
@@ -5,6 +5,7 @@
 package runner

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"os"
@@ -12,8 +13,9 @@ import (
 	"strings"
 	"testing"

-	"gitea.com/gitea/act_runner/act/exprparser"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/exprparser"
+	"gitea.com/gitea/runner/act/model"

 	log "github.com/sirupsen/logrus"
 	assert "github.com/stretchr/testify/assert"
@@ -282,7 +284,7 @@ func TestGetGitHubContext(t *testing.T) {
 	log.SetLevel(log.DebugLevel)

 	cwd, err := os.Getwd()
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	rc := &RunContext{
 		Config: &Config{
@@ -622,23 +624,38 @@ func TestRunContextGetEnv(t *testing.T) {
 	}
 }

-func Test_createSimpleContainerName(t *testing.T) {
-	tests := []struct {
-		parts []string
-		want  string
-	}{
-		{
-			parts: []string{"a--a", "BB正", "c-C"},
-			want:  "a-a_BB_c-C",
-		},
-		{
-			parts: []string{"a-a", "", "-"},
-			want:  "a-a",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(strings.Join(tt.parts, " "), func(t *testing.T) {
-			assert.Equalf(t, tt.want, createSimpleContainerName(tt.parts...), "createSimpleContainerName(%v)", tt.parts)
-		})
-	}
+func TestCreateContainerNameBoundedForLongMatrixInput(t *testing.T) {
+	longMatrixValue := strings.Repeat("os=ubuntu-latest-go=1.24-node=22-", 20)
+	name := createContainerName(
+		"gitea",
+		"WORKFLOW-super-long-workflow-name",
+		"JOB-build-matrix-"+longMatrixValue,
+	)
+
+	assert.LessOrEqual(t, len(name), 128)
+	assert.LessOrEqual(t, len(name+"-env"), 255)
+	assert.LessOrEqual(t, len(name+"-network"), 255)
+	assert.LessOrEqual(t, len(name+"-job1234567890"), 255)
+}
+
+func TestPrintStartJobContainerGroupGolden(t *testing.T) {
+	buf := &bytes.Buffer{}
+	logger := log.New()
+	logger.SetOutput(buf)
+	logger.SetLevel(log.InfoLevel)
+	logger.SetFormatter(&jobLogFormatter{color: cyan})
+	entry := logger.WithFields(log.Fields{"job": "j1"})
+	ctx := common.WithLogger(context.Background(), entry)
+
+	printStartJobContainerGroup(ctx, "node:20", "GITEA-WORKFLOW-build-JOB-test", "gitea-runner-network")()
+
+	want := strings.Join([]string{
+		"[j1]   | ::group::Starting job container",
+		"[j1]   | image: node:20",
+		"[j1]   | name: GITEA-WORKFLOW-build-JOB-test",
+		"[j1]   | network: gitea-runner-network",
+		"[j1]   | ::endgroup::",
+		"",
+	}, "\n")
+	assert.Equal(t, want, buf.String())
 }
--- a/act/runner/runner.go
+++ b/act/runner/runner.go
@@ -13,10 +13,10 @@ import (
 	"sync"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"

-	docker_container "github.com/docker/docker/api/types/container"
+	docker_container "github.com/moby/moby/api/types/container"
 	log "github.com/sirupsen/logrus"
 )

@@ -137,8 +137,6 @@ func (runner *runnerImpl) configure() (Runner, error) {
 }

 // NewPlanExecutor ...
-//
-//nolint:gocyclo // function handles many cases
 func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 	maxJobNameLen := 0

--- a/act/runner/runner_test.go
+++ b/act/runner/runner_test.go
@@ -16,8 +16,8 @@ import (
 	"strings"
 	"testing"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/joho/godotenv"
 	log "github.com/sirupsen/logrus"
@@ -26,7 +26,7 @@ import (
 )

 var (
-	baseImage = "node:16-buster-slim"
+	baseImage = "node:24-bookworm-slim"
 	platforms map[string]string
 	logLevel  = log.DebugLevel
 	workdir   = "testdata"
@@ -87,7 +87,7 @@ func TestGraphMissingEvent(t *testing.T) {
 	plan, err := planner.PlanEvent("push")
 	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.NotNil(t, plan)
-	assert.Equal(t, 0, len(plan.Stages)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, plan.Stages)

 	assert.Contains(t, buf.String(), "no events found for workflow: no-event.yml")
 	log.SetOutput(out)
@@ -100,7 +100,7 @@ func TestGraphMissingFirst(t *testing.T) {
 	plan, err := planner.PlanEvent("push")
 	assert.EqualError(t, err, "unable to build dependency graph for no first (no-first.yml)") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.NotNil(t, plan)
-	assert.Equal(t, 0, len(plan.Stages)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, plan.Stages)
 }

 func TestGraphWithMissing(t *testing.T) {
@@ -114,7 +114,7 @@ func TestGraphWithMissing(t *testing.T) {

 	plan, err := planner.PlanEvent("push")
 	assert.NotNil(t, plan)
-	assert.Equal(t, 0, len(plan.Stages))                                                    //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, plan.Stages)
 	assert.EqualError(t, err, "unable to build dependency graph for missing (missing.yml)") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Contains(t, buf.String(), "unable to build dependency graph for missing (missing.yml)")
 	log.SetOutput(out)
@@ -134,7 +134,7 @@ func TestGraphWithSomeMissing(t *testing.T) {
 	plan, err := planner.PlanAll()
 	assert.Error(t, err, "unable to build dependency graph for no first (no-first.yml)") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.NotNil(t, plan)
-	assert.Equal(t, 1, len(plan.Stages)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Len(t, plan.Stages, 1)
 	assert.Contains(t, buf.String(), "unable to build dependency graph for missing (missing.yml)")
 	assert.Contains(t, buf.String(), "unable to build dependency graph for no first (no-first.yml)")
 	log.SetOutput(out)
@@ -159,7 +159,7 @@ func TestGraphEvent(t *testing.T) {
 	plan, err = planner.PlanEvent("release")
 	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.NotNil(t, plan)
-	assert.Equal(t, 0, len(plan.Stages)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Empty(t, plan.Stages)
 }

 type TestJobFileInfo struct {
@@ -177,7 +177,7 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 	log.SetLevel(logLevel)

 	workdir, err := filepath.Abs(j.workdir)
-	assert.Nil(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act

 	fullWorkflowPath := filepath.Join(workdir, j.workflowPath)
 	runnerConfig := &Config{
@@ -197,17 +197,17 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 	}

 	runner, err := New(runnerConfig)
-	assert.Nil(t, err, j.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, j.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act

 	planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
-	assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act

 	plan, err := planner.PlanEvent(j.eventName)
 	assert.True(t, (err == nil) != (plan == nil), "PlanEvent should return either a plan or an error") //nolint:testifylint // pre-existing issue from nektos/act
 	if err == nil && plan != nil {
 		err = runner.NewPlanExecutor(plan)(ctx)
 		if j.errorMessage == "" {
-			assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
 		} else {
 			assert.Error(t, err, j.errorMessage) //nolint:testifylint // pre-existing issue from nektos/act
 		}
@@ -230,11 +230,9 @@ func TestRunEvent(t *testing.T) {
 	tables := []TestJobFileInfo{
 		// Shells
 		{workdir, "shells/defaults", "push", "", platforms, secrets},
-		// TODO: figure out why it fails
-		// {workdir, "shells/custom", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, }, // custom image with pwsh
 		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, secrets}, // custom image with pwsh
 		{workdir, "shells/bash", "push", "", platforms, secrets},
-		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}, secrets}, // slim doesn't have python
+		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:24-bookworm"}, secrets}, // slim doesn't have python
 		{workdir, "shells/sh", "push", "", platforms, secrets},

 		// Local action
@@ -463,7 +461,7 @@ func TestDryrunEvent(t *testing.T) {
 		{workdir, "shells/defaults", "push", "", platforms, secrets},
 		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, secrets}, // custom image with pwsh
 		{workdir, "shells/bash", "push", "", platforms, secrets},
-		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}, secrets}, // slim doesn't have python
+		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:24-bookworm"}, secrets}, // slim doesn't have python
 		{workdir, "shells/sh", "push", "", platforms, secrets},

 		// Local action
@@ -593,7 +591,7 @@ func TestRunWithService(t *testing.T) {
 	ctx := context.Background()

 	platforms := map[string]string{
-		"ubuntu-latest": "node:12.20.1-buster-slim",
+		"ubuntu-latest": "node:24-bookworm-slim",
 	}

 	workflowPath := "services"
--- a/act/runner/step.go
+++ b/act/runner/step.go
@@ -13,10 +13,10 @@ import (
 	"strings"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/exprparser"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/exprparser"
+	"gitea.com/gitea/runner/act/model"
 )

 type step interface {
@@ -107,7 +107,7 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 		if strings.Contains(stepString, "::add-mask::") {
 			stepString = "add-mask command"
 		}
-		logger.Infof("\u2B50 Run %s %s", stage, stepString)
+		logger.Infof("Run %s %s", stage, stepString)

 		// Prepare and clean Runner File Commands
 		actPath := rc.JobContainer.GetActPath()
@@ -158,7 +158,7 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 		err = executor(timeoutctx)

 		if err == nil {
-			logger.WithField("stepResult", stepResult.Outcome).Infof("  \u2705  Success - %s %s", stage, stepString)
+			logger.WithField("stepResult", stepResult.Outcome).Infof("Success - %s %s", stage, stepString)
 		} else {
 			stepResult.Outcome = model.StepStatusFailure

@@ -169,6 +169,7 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 			}

 			if continueOnError {
+				logger.Errorf("##[error]%v", err)
 				logger.Infof("Failed but continue next step")
 				err = nil
 				stepResult.Conclusion = model.StepStatusSuccess
@@ -176,7 +177,9 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 				stepResult.Conclusion = model.StepStatusFailure
 			}

-			logger.WithField("stepResult", stepResult.Outcome).Errorf("  \u274C  Failure - %s %s", stage, stepString)
+			// Infof: Errorf entries are promoted to the user log by the reporter,
+			// which would duplicate the ##[error] annotation emitted elsewhere.
+			logger.WithField("stepResult", stepResult.Outcome).Infof("Failure - %s %s", stage, stepString)
 		}
 		// Process Runner File Commands
 		orgerr := err
@@ -268,7 +271,7 @@ func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage)

 	runStep, err := EvalBool(ctx, rc.NewStepExpressionEvaluator(ctx, step), expr, defaultStatusCheck)
 	if err != nil {
-		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", expr, err)
+		return false, fmt.Errorf("if-expression %q evaluation failed: %s", expr, err)
 	}

 	return runStep, nil
@@ -284,7 +287,7 @@ func isContinueOnError(ctx context.Context, expr string, step step, _ stepStage)

 	continueOnError, err := EvalBool(ctx, rc.NewStepExpressionEvaluator(ctx, step), expr, exprparser.DefaultStatusCheckNone)
 	if err != nil {
-		return false, fmt.Errorf("  \u274C  Error in continue-on-error-expression: \"continue-on-error: %s\" (%s)", expr, err)
+		return false, fmt.Errorf("continue-on-error expression %q evaluation failed: %s", expr, err)
 	}

 	return continueOnError, nil
--- a/act/runner/step_action_local.go
+++ b/act/runner/step_action_local.go
@@ -15,8 +15,8 @@ import (
 	"path"
 	"path/filepath"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"
 )

 type stepActionLocal struct {
@@ -44,6 +44,10 @@ func (sal *stepActionLocal) main() common.Executor {
 			return nil
 		}

+		printRunActionHeader(ctx, sal.Step, sal.env, sal.getRunContext())
+		rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+		defer rawLogger.Infof("::endgroup::")
+
 		actionDir := filepath.Join(sal.getRunContext().Config.Workdir, sal.Step.Uses)

 		localReader := func(ctx context.Context) actionYamlReader {
--- a/act/runner/step_action_local_test.go
+++ b/act/runner/step_action_local_test.go
@@ -12,8 +12,8 @@ import (
 	"strings"
 	"testing"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -97,10 +97,10 @@ func TestStepActionLocalTest(t *testing.T) {
 	})

 	err := sal.pre()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	err = sal.main()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	cm.AssertExpectations(t)
 	salm.AssertExpectations(t)
--- a/act/runner/step_action_remote.go
+++ b/act/runner/step_action_remote.go
@@ -16,9 +16,9 @@ import (
 	"regexp"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/common/git"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/model"

 	gogit "github.com/go-git/go-git/v5"
 )
@@ -39,7 +39,6 @@ type stepActionRemote struct {

 var stepActionRemoteNewCloneExecutor = git.NewGitCloneExecutor

-//nolint:gocyclo // function handles many cases
 func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 	return func(ctx context.Context) error {
 		if sar.remoteAction != nil && sar.action != nil {
@@ -146,6 +145,7 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 		return common.NewPipelineExecutor(
 			ntErr,
 			func(ctx context.Context) error {
+				defer git.AcquireCloneLock(actionDir)()
 				actionModel, err := sar.readAction(ctx, sar.Step, actionDir, sar.remoteAction.Path, remoteReader(ctx), os.WriteFile)
 				sar.action = actionModel
 				return err
@@ -166,6 +166,10 @@ func (sar *stepActionRemote) main() common.Executor {
 	return common.NewPipelineExecutor(
 		sar.prepareActionExecutor(),
 		runStepExecutor(sar, stepStageMain, func(ctx context.Context) error {
+			printRunActionHeader(ctx, sar.Step, sar.env, sar.RunContext)
+			rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+			defer rawLogger.Infof("::endgroup::")
+
 			github := sar.getGithubContext(ctx)
 			if sar.remoteAction.IsCheckout() && isLocalCheckout(github, sar.Step) && !sar.RunContext.Config.NoSkipCheckout {
 				if sar.RunContext.Config.BindWorkdir {
--- a/act/runner/step_action_remote_test.go
+++ b/act/runner/step_action_remote_test.go
@@ -14,9 +14,9 @@ import (
 	"testing"
 	"time"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/common/git"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/common/git"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -272,8 +272,8 @@ func TestStepActionRemotePre(t *testing.T) {

 			err := sar.pre()(ctx)

-			assert.Nil(t, err)                  //nolint:testifylint // pre-existing issue from nektos/act
-			assert.Equal(t, true, clonedAction) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.True(t, clonedAction)

 			sarm.AssertExpectations(t)
 		})
@@ -343,8 +343,8 @@ func TestStepActionRemotePreThroughAction(t *testing.T) {

 			err := sar.pre()(ctx)

-			assert.Nil(t, err)                  //nolint:testifylint // pre-existing issue from nektos/act
-			assert.Equal(t, true, clonedAction) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.True(t, clonedAction)

 			sarm.AssertExpectations(t)
 		})
@@ -419,7 +419,7 @@ func TestStepActionRemotePreThroughActionToken(t *testing.T) {

 			err := sar.pre()(ctx)

-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			// Verify that the clone was called (URL should be redirected to github.com)
 			assert.True(t, actualURL != "", "Expected clone to be called") //nolint:testifylint // pre-existing issue from nektos/act
 			assert.Equal(t, "https://github.com/org/repo", actualURL, "URL should be redirected to github.com")
--- a/act/runner/step_docker.go
+++ b/act/runner/step_docker.go
@@ -9,9 +9,9 @@ import (
 	"fmt"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/kballard/go-shellquote"
 )
@@ -116,6 +116,10 @@ func (sd *stepDocker) newStepContainer(ctx context.Context, image string, cmd, e
 	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_TEMP", "/tmp"))

 	binds, mounts := rc.GetBindsAndMounts()
+	networkMode := "container:" + rc.jobContainerName()
+	if rc.IsHostEnv(ctx) {
+		networkMode = "default"
+	}
 	stepContainer := ContainerNewContainer(&container.NewContainerInput{
 		Cmd:          cmd,
 		Entrypoint:   entrypoint,
@@ -123,10 +127,10 @@ func (sd *stepDocker) newStepContainer(ctx context.Context, image string, cmd, e
 		Image:        image,
 		Username:     rc.Config.Secrets["DOCKER_USERNAME"],
 		Password:     rc.Config.Secrets["DOCKER_PASSWORD"],
-		Name:         createSimpleContainerName(rc.jobContainerName(), "STEP-"+step.ID),
+		Name:         createContainerName(rc.jobContainerName(), "STEP-"+step.ID),
 		Env:          envList,
 		Mounts:       mounts,
-		NetworkMode:  "container:" + rc.jobContainerName(),
+		NetworkMode:  networkMode,
 		Binds:        binds,
 		Stdout:       logWriter,
 		Stderr:       logWriter,
--- a/act/runner/step_docker_test.go
+++ b/act/runner/step_docker_test.go
@@ -8,10 +8,11 @@ import (
 	"bytes"
 	"context"
 	"io"
+	"strings"
 	"testing"

-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -101,7 +102,7 @@ func TestStepDockerMain(t *testing.T) {
 	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)

 	err := sd.main()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	assert.Equal(t, "node:14", input.Image)

@@ -113,8 +114,86 @@ func TestStepDockerPrePost(t *testing.T) {
 	sd := &stepDocker{}

 	err := sd.pre()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	err = sd.post()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err)
+}
+
+func TestStepDockerNewStepContainerNetworkMode(t *testing.T) {
+	cases := []struct {
+		name          string
+		platform      string
+		expectDefault bool
+	}{
+		{
+			name:          "docker mode attaches to job container network",
+			platform:      "node:14",
+			expectDefault: false,
+		},
+		{
+			name:          "host mode uses default network",
+			platform:      "-self-hosted",
+			expectDefault: true,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cm := &containerMock{}
+
+			var captured *container.NewContainerInput
+			origContainerNewContainer := ContainerNewContainer
+			ContainerNewContainer = func(input *container.NewContainerInput) container.ExecutionsEnvironment {
+				captured = input
+				return cm
+			}
+			defer func() {
+				ContainerNewContainer = origContainerNewContainer
+			}()
+
+			ctx := context.Background()
+
+			platform := tc.platform
+			sd := &stepDocker{
+				RunContext: &RunContext{
+					StepResults: map[string]*model.StepResult{},
+					Config: &Config{
+						PlatformPicker: func(_ []string) string {
+							return platform
+						},
+					},
+					Run: &model.Run{
+						JobID: "1",
+						Workflow: &model.Workflow{
+							Jobs: map[string]*model.Job{
+								"1": {},
+							},
+						},
+					},
+					JobContainer: cm,
+				},
+				Step: &model.Step{
+					ID:   "1",
+					Uses: "docker://alpine:3.20",
+				},
+			}
+			sd.RunContext.ExprEval = sd.RunContext.NewExpressionEvaluator(ctx)
+
+			assert.Equal(t, tc.expectDefault, sd.RunContext.IsHostEnv(ctx),
+				"IsHostEnv mismatch for platform %q", tc.platform)
+
+			_ = sd.newStepContainer(ctx, "alpine:3.20", []string{"echo", "hello"}, nil)
+
+			if tc.expectDefault {
+				assert.Equal(t, "default", captured.NetworkMode,
+					"host-mode step container must use 'default' network, got %q",
+					captured.NetworkMode)
+			} else {
+				assert.True(t, strings.HasPrefix(captured.NetworkMode, "container:"),
+					"docker-mode step container must attach to job container network, got %q",
+					captured.NetworkMode)
+			}
+		})
+	}
 }
--- a/act/runner/step_factory.go
+++ b/act/runner/step_factory.go
@@ -7,7 +7,7 @@ package runner
 import (
 	"fmt"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"
 )

 type stepFactory interface {
--- a/act/runner/step_factory_test.go
+++ b/act/runner/step_factory_test.go
@@ -7,7 +7,7 @@ package runner
 import (
 	"testing"

-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 )
@@ -67,7 +67,7 @@ func TestStepFactoryNewStep(t *testing.T) {
 			step, err := sf.newStep(tt.model, &RunContext{})

 			assert.True(t, tt.check((step)))
-			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			assert.NoError(t, err)
 		})
 	}
 }
--- a/act/runner/step_run.go
+++ b/act/runner/step_run.go
@@ -9,23 +9,27 @@ import (
 	"fmt"
 	"maps"
 	"runtime"
+	"slices"
 	"strings"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/lookpath"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/lookpath"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/kballard/go-shellquote"
+	yaml "go.yaml.in/yaml/v4"
 )

 type stepRun struct {
-	Step             *model.Step
-	RunContext       *RunContext
-	cmd              []string
-	cmdline          string
-	env              map[string]string
-	WorkingDirectory string
+	Step               *model.Step
+	RunContext         *RunContext
+	cmd                []string
+	cmdline            string
+	env                map[string]string
+	WorkingDirectory   string
+	interpolatedScript string
+	shellCommand       string
 }

 func (sr *stepRun) pre() common.Executor {
@@ -39,15 +43,154 @@ func (sr *stepRun) main() common.Executor {
 	return runStepExecutor(sr, stepStageMain, common.NewPipelineExecutor(
 		sr.setupShellCommandExecutor(),
 		func(ctx context.Context) error {
-			sr.getRunContext().ApplyExtraPath(ctx, &sr.env)
-			if he, ok := sr.getRunContext().JobContainer.(*container.HostEnvironment); ok && he != nil {
+			rc := sr.getRunContext()
+			// Apply ::add-path:: effects before printing so PATH is accurate in the env: block.
+			rc.ApplyExtraPath(ctx, &sr.env)
+			sr.printRunScriptActionDetails(ctx)
+			if he, ok := rc.JobContainer.(*container.HostEnvironment); ok && he != nil {
 				return he.ExecWithCmdLine(sr.cmd, sr.cmdline, sr.env, "", sr.WorkingDirectory)(ctx)
 			}
-			return sr.getRunContext().JobContainer.Exec(sr.cmd, sr.env, "", sr.WorkingDirectory)(ctx)
+			return rc.JobContainer.Exec(sr.cmd, sr.env, "", sr.WorkingDirectory)(ctx)
 		},
 	))
 }

+// printRunScriptActionDetails mirrors actions/runner ScriptHandler.PrintActionDetails
+// for script steps.
+func (sr *stepRun) printRunScriptActionDetails(ctx context.Context) {
+	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+	scriptLineLogger := rawLogger.WithField(scriptLineCyanField, true)
+
+	normalized := strings.TrimRight(strings.ReplaceAll(sr.interpolatedScript, "\r\n", "\n"), "\n")
+
+	rawLogger.Infof("::group::Run %s", sr.runScriptGroupTitle(normalized))
+
+	if normalized != "" {
+		for line := range strings.SplitSeq(normalized, "\n") {
+			scriptLineLogger.Info(line)
+		}
+	}
+
+	rawLogger.Infof("shell: %s", sr.shellCommand)
+
+	printStepEnvBlock(ctx, sr.Step, sr.env, sr.getRunContext())
+	rawLogger.Infof("::endgroup::")
+}
+
+// printRunActionHeader mirrors actions/runner's "Run <action>" header for `uses:` steps,
+// including the with: inputs and the step-level env: block. The caller is responsible
+// for emitting ::endgroup:: after the action finishes.
+func printRunActionHeader(ctx context.Context, step *model.Step, env map[string]string, rc *RunContext) {
+	if step == nil {
+		return
+	}
+	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+
+	title := step.Uses
+	if step.Name != "" {
+		title = step.Name
+	}
+	rawLogger.Infof("::group::Run %s", title)
+
+	if len(step.With) > 0 {
+		rawLogger.Infof("with:")
+		for _, k := range slices.Sorted(maps.Keys(step.With)) {
+			rawLogger.Infof("  %s: %s", k, step.With[k])
+		}
+	}
+
+	printStepEnvBlock(ctx, step, env, rc)
+}
+
+// printStepEnvBlock emits the declared-env block (YAML order, internal vars filtered)
+// shared by the run: and uses: "Run" headers.
+func printStepEnvBlock(ctx context.Context, step *model.Step, env map[string]string, rc *RunContext) {
+	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
+	caseInsensitive := rc != nil && rc.JobContainer != nil && rc.JobContainer.IsEnvironmentCaseInsensitive()
+	var visible []string
+	for _, k := range stepDeclaredEnvKeysInOrder(step) {
+		if !isInternalEnvKey(k, caseInsensitive) {
+			visible = append(visible, k)
+		}
+	}
+	if len(visible) == 0 {
+		return
+	}
+	rawLogger.Infof("env:")
+	envLookup := env
+	if caseInsensitive {
+		envLookup = make(map[string]string, len(env))
+		for k, v := range env {
+			envLookup[strings.ToUpper(k)] = v
+		}
+	}
+	for _, k := range visible {
+		lookupKey := k
+		if caseInsensitive {
+			lookupKey = strings.ToUpper(k)
+		}
+		rawLogger.Infof("  %s: %s", k, envLookup[lookupKey])
+	}
+}
+
+// isInternalEnvKey matches actions/runner's filtered set of vars that are hidden
+// from the "Run" header's env: block because they are injected by the runner itself.
+func isInternalEnvKey(k string, caseInsensitive bool) bool {
+	upper := k
+	if caseInsensitive {
+		upper = strings.ToUpper(k)
+	}
+	switch upper {
+	case "PATH", "HOME", "CI":
+		return true
+	}
+	return strings.HasPrefix(upper, "GITHUB_") ||
+		strings.HasPrefix(upper, "GITEA_") ||
+		strings.HasPrefix(upper, "RUNNER_") ||
+		strings.HasPrefix(upper, "INPUT_")
+}
+
+func (sr *stepRun) runScriptGroupTitle(normalizedScript string) string {
+	trimmed := strings.TrimLeft(normalizedScript, " \t\r\n")
+	if idx := strings.IndexAny(trimmed, "\r\n"); idx >= 0 {
+		trimmed = trimmed[:idx]
+	}
+	if trimmed != "" {
+		return trimmed
+	}
+	if sr.Step != nil {
+		if sr.Step.Name != "" {
+			return sr.Step.Name
+		}
+		return sr.Step.ID
+	}
+	return ""
+}
+
+// stepDeclaredEnvKeysInOrder walks the raw YAML Env mapping so keys are emitted in
+// the order the workflow author wrote them; step.Environment() decodes into a Go map
+// and loses ordering.
+func stepDeclaredEnvKeysInOrder(step *model.Step) []string {
+	if step == nil || step.Env.Kind != yaml.MappingNode {
+		return nil
+	}
+	content := step.Env.Content
+	keys := make([]string, 0, len(content)/2)
+	seen := make(map[string]struct{}, len(content)/2)
+	for i := 0; i+1 < len(content); i += 2 {
+		k := content[i]
+		if k.Kind != yaml.ScalarNode || k.Tag == "!!merge" || k.Value == "<<" {
+			continue
+		}
+		if _, dup := seen[k.Value]; dup {
+			continue
+		}
+		seen[k.Value] = struct{}{}
+		keys = append(keys, k.Value)
+	}
+	return keys
+}
+
 func (sr *stepRun) post() common.Executor {
 	return func(ctx context.Context) error {
 		return nil
@@ -111,8 +254,10 @@ func (sr *stepRun) setupShellCommand(ctx context.Context) (name, script string,
 	step := sr.Step

 	script = sr.RunContext.NewStepExpressionEvaluator(ctx, sr).Interpolate(ctx, step.Run)
+	sr.interpolatedScript = script

 	scCmd := step.ShellCommand()
+	sr.shellCommand = scCmd

 	name = getScriptName(sr.RunContext, step)

--- a/act/runner/step_run_print_test.go
+++ b/act/runner/step_run_print_test.go
@@ -0,0 +1,182 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2026 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package runner
+
+import (
+	"bytes"
+	"context"
+	"strings"
+	"testing"
+
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	yaml "go.yaml.in/yaml/v4"
+)
+
+func TestRunScriptGroupTitle(t *testing.T) {
+	sr := &stepRun{Step: &model.Step{Name: "Build"}}
+	assert.Equal(t, "make build", sr.runScriptGroupTitle("make build"))
+	assert.Equal(t, "echo one", sr.runScriptGroupTitle("  \techo one\necho two"))
+	assert.Equal(t, "Build", sr.runScriptGroupTitle(""))
+
+	sr = &stepRun{Step: &model.Step{ID: "s1"}}
+	assert.Equal(t, "s1", sr.runScriptGroupTitle("\n  \n"))
+}
+
+func TestStepDeclaredEnvOrderPreservesYAML(t *testing.T) {
+	raw := `id: s1
+run: "echo 1"
+env:
+  GITHUB_TOKEN: tok
+  PATH: /custom/bin
+  MY_VAR: hello
+`
+	var step model.Step
+	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
+	assert.Equal(t, []string{"GITHUB_TOKEN", "PATH", "MY_VAR"}, stepDeclaredEnvKeysInOrder(&step))
+}
+
+func TestStepDeclaredEnvKeysInOrderEmpty(t *testing.T) {
+	assert.Nil(t, stepDeclaredEnvKeysInOrder(nil))
+	assert.Empty(t, stepDeclaredEnvKeysInOrder(&model.Step{}))
+}
+
+func TestStepDeclaredEnvKeysIgnoreYAMLMergeKey(t *testing.T) {
+	doc := `
+common: &common
+  COMMON_A: a
+  COMMON_B: b
+step:
+  env:
+    LOCAL_BEFORE: before
+    <<: *common
+    COMMON_B: overridden
+    LOCAL_AFTER: after
+`
+	var root struct {
+		Step model.Step `yaml:"step"`
+	}
+	require.NoError(t, yaml.Unmarshal([]byte(doc), &root))
+
+	keys := stepDeclaredEnvKeysInOrder(&root.Step)
+	assert.Equal(t, []string{"LOCAL_BEFORE", "COMMON_B", "LOCAL_AFTER"}, keys)
+}
+
+func TestPrintRunScriptActionDetailsGolden(t *testing.T) {
+	raw := `id: s1
+name: Build
+run: |
+  echo one
+  echo two
+shell: pwsh
+env:
+  PATH_PREFIX: /custom/bin
+  GITHUB_TOKEN: tok
+  GREETING: hello
+`
+	var step model.Step
+	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
+
+	buf := &bytes.Buffer{}
+	logger := logrus.New()
+	logger.SetOutput(buf)
+	logger.SetLevel(logrus.InfoLevel)
+	logger.SetFormatter(&jobLogFormatter{color: cyan})
+	entry := logger.WithFields(logrus.Fields{"job": "j1"})
+	ctx := common.WithLogger(context.Background(), entry)
+
+	sr := &stepRun{
+		Step:               &step,
+		RunContext:         &RunContext{},
+		shellCommand:       "pwsh -command . '{0}'",
+		interpolatedScript: "echo one\necho two\n",
+		env: map[string]string{
+			"PATH_PREFIX":  "/custom/bin",
+			"GITHUB_TOKEN": "tok",
+			"GREETING":     "hello",
+		},
+	}
+
+	sr.printRunScriptActionDetails(ctx)
+
+	want := strings.Join([]string{
+		"[j1]   | ::group::Run echo one",
+		"[j1]   | echo one",
+		"[j1]   | echo two",
+		"[j1]   | shell: pwsh -command . '{0}'",
+		"[j1]   | env:",
+		"[j1]   |   PATH_PREFIX: /custom/bin",
+		"[j1]   |   GREETING: hello",
+		"[j1]   | ::endgroup::",
+		"",
+	}, "\n")
+	assert.Equal(t, want, buf.String())
+}
+
+func TestPrintRunActionHeaderGolden(t *testing.T) {
+	raw := `id: s1
+uses: actions/checkout@v4
+with:
+  fetch-depth: "0"
+  token: secret
+env:
+  CUSTOM: value
+  GITHUB_TOKEN: tok
+`
+	var step model.Step
+	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
+
+	buf := &bytes.Buffer{}
+	logger := logrus.New()
+	logger.SetOutput(buf)
+	logger.SetLevel(logrus.InfoLevel)
+	logger.SetFormatter(&jobLogFormatter{color: cyan})
+	entry := logger.WithFields(logrus.Fields{"job": "j1"})
+	ctx := common.WithLogger(context.Background(), entry)
+
+	printRunActionHeader(ctx, &step, map[string]string{"CUSTOM": "value", "GITHUB_TOKEN": "tok"}, &RunContext{})
+
+	want := strings.Join([]string{
+		"[j1]   | ::group::Run actions/checkout@v4",
+		"[j1]   | with:",
+		"[j1]   |   fetch-depth: 0",
+		"[j1]   |   token: secret",
+		"[j1]   | env:",
+		"[j1]   |   CUSTOM: value",
+		"",
+	}, "\n")
+	assert.Equal(t, want, buf.String())
+}
+
+func TestIsInternalEnvKey(t *testing.T) {
+	for _, k := range []string{"PATH", "HOME", "CI", "GITHUB_TOKEN", "GITEA_ACTIONS", "RUNNER_OS", "INPUT_FOO"} {
+		assert.True(t, isInternalEnvKey(k, false), k)
+	}
+	for _, k := range []string{"PATH_PREFIX", "MY_VAR", "GREETING", "HOMEPAGE"} {
+		assert.False(t, isInternalEnvKey(k, false), k)
+	}
+	assert.True(t, isInternalEnvKey("path", true))
+	assert.False(t, isInternalEnvKey("path", false))
+}
+
+func TestPrintColoredScriptLineCyan(t *testing.T) {
+	f := &jobLogFormatter{color: cyan}
+	entry := &logrus.Entry{
+		Level:   logrus.InfoLevel,
+		Message: "echo one",
+		Data: logrus.Fields{
+			"job":               "j1",
+			rawOutputField:      true,
+			scriptLineCyanField: true,
+		},
+	}
+	buf := &bytes.Buffer{}
+	f.printColored(buf, entry)
+	assert.Equal(t, "\x1b[36m|\x1b[0m \x1b[36;1mecho one\x1b[0m", buf.String())
+}
--- a/act/runner/step_run_test.go
+++ b/act/runner/step_run_test.go
@@ -10,8 +10,8 @@ import (
 	"io"
 	"testing"

-	"gitea.com/gitea/act_runner/act/container"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/container"
+	"gitea.com/gitea/runner/act/model"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -81,7 +81,7 @@ func TestStepRun(t *testing.T) {
 	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)

 	err := sr.main()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	cm.AssertExpectations(t)
 }
@@ -91,8 +91,8 @@ func TestStepRunPrePost(t *testing.T) {
 	sr := &stepRun{}

 	err := sr.pre()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	err = sr.post()(ctx)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err)
 }
--- a/act/runner/step_test.go
+++ b/act/runner/step_test.go
@@ -8,8 +8,8 @@ import (
 	"context"
 	"testing"

-	"gitea.com/gitea/act_runner/act/common"
-	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/model"

 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -156,7 +156,7 @@ func TestSetupEnv(t *testing.T) {
 	sm.On("getEnv").Return(&env)

 	err := setupEnv(context.Background(), sm)
-	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	// These are commit or system specific
 	delete((env), "GITHUB_REF")
@@ -318,35 +318,35 @@ func TestIsContinueOnError(t *testing.T) {
 	step := createTestStep(t, "name: test")
 	continueOnError, err := isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.False(continueOnError)
-	assertObject.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// explcit true
 	step = createTestStep(t, "continue-on-error: true")
 	continueOnError, err = isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.True(continueOnError)
-	assertObject.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// explicit false
 	step = createTestStep(t, "continue-on-error: false")
 	continueOnError, err = isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.False(continueOnError)
-	assertObject.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// expression true
 	step = createTestStep(t, "continue-on-error: ${{ 'test' == 'test' }}")
 	continueOnError, err = isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.True(continueOnError)
-	assertObject.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// expression false
 	step = createTestStep(t, "continue-on-error: ${{ 'test' != 'test' }}")
 	continueOnError, err = isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.False(continueOnError)
-	assertObject.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	// expression parse error
 	step = createTestStep(t, "continue-on-error: ${{ 'test' != test }}")
 	continueOnError, err = isContinueOnError(context.Background(), step.getStepModel().RawContinueOnError, step, stepStageMain)
 	assertObject.False(continueOnError)
-	assertObject.NotNil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assertObject.Error(err)
 }
--- a/act/runner/testdata/actions-environment-and-context-tests/js/action.yml
+++ b/act/runner/testdata/actions-environment-and-context-tests/js/action.yml
@@ -1,5 +1,5 @@
 name: 'Test'
 description: 'Test'
 runs:
-  using: 'node12'
+  using: 'node24'
  main: 'index.js'
--- a/act/runner/testdata/actions/action1/Dockerfile
+++ b/act/runner/testdata/actions/action1/Dockerfile
@@ -1 +1 @@
-FROM ubuntu:18.04
+FROM ubuntu:24.04
--- a/act/runner/testdata/actions/docker-local-noargs/Dockerfile
+++ b/act/runner/testdata/actions/docker-local-noargs/Dockerfile
@@ -1,5 +1,5 @@
 # Container image that runs your code
-FROM node:12-buster-slim
+FROM node:24-bookworm-slim

 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /entrypoint.sh
--- a/act/runner/testdata/actions/docker-local/Dockerfile
+++ b/act/runner/testdata/actions/docker-local/Dockerfile
@@ -1,5 +1,5 @@
 # Container image that runs your code
-FROM node:16-buster-slim
+FROM node:24-bookworm-slim

 # Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /entrypoint.sh
--- a/act/runner/testdata/actions/docker-url/action.yml
+++ b/act/runner/testdata/actions/docker-url/action.yml
@@ -8,7 +8,7 @@ inputs:
    default: World
 runs:
  using: docker
-  image: docker://node:16-buster-slim
+  image: docker://node:24-bookworm-slim
  entrypoint: /bin/sh -c
  env:
    TEST: enabled
--- a/act/runner/testdata/actions/node12/action.yml
+++ b/act/runner/testdata/actions/node12/action.yml
@@ -1,13 +0,0 @@
-name: 'Hello World'
-description: 'Greet someone and record the time'
-inputs:
-  who-to-greet:  # id of input
-    description: 'Who to greet'
-    required: true
-    default: 'World'
-outputs:
-  time: # id of output
-    description: 'The time we greeted you'
-runs:
-  using: 'node12'
-  main: 'dist/index.js'
--- a/act/runner/testdata/actions/node12/index.js
+++ b/act/runner/testdata/actions/node12/index.js
@@ -1,15 +0,0 @@
-const core = require('@actions/core');
-const github = require('@actions/github');
-
-try {
-  // `who-to-greet` input defined in action metadata file
-  const nameToGreet = core.getInput('who-to-greet');
-  console.log(`Hello ${nameToGreet}!`);
-  const time = (new Date()).toTimeString();
-  core.setOutput("time", time);
-  // Get the JSON webhook payload for the event that triggered the workflow
-  const payload = JSON.stringify(github.context.payload, undefined, 2)
-  console.log(`The event payload: ${payload}`);
-} catch (error) {
-  core.setFailed(error.message);
-}
--- a/act/runner/testdata/actions/node12/node_modules/.bin/ncc
+++ b/act/runner/testdata/actions/node12/node_modules/.bin/ncc
@@ -1 +0,0 @@
-../@vercel/ncc/dist/ncc/cli.js
--- a/act/runner/testdata/actions/node12/node_modules/.bin/uuid
+++ b/act/runner/testdata/actions/node12/node_modules/.bin/uuid
@@ -1 +0,0 @@
-../uuid/dist/bin/uuid
--- a/act/runner/testdata/actions/node12/node_modules/.package-lock.json
+++ b/act/runner/testdata/actions/node12/node_modules/.package-lock.json
@@ -1,244 +0,0 @@
-{
-  "name": "node12",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "node_modules/@actions/core": {
-      "version": "1.10.0",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
-      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
-      "dependencies": {
-        "@actions/http-client": "^2.0.1",
-        "uuid": "^8.3.2"
-      }
-    },
-    "node_modules/@actions/github": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-4.0.0.tgz",
-      "integrity": "sha512-Ej/Y2E+VV6sR9X7pWL5F3VgEWrABaT292DRqRU6R4hnQjPtC/zD3nagxVdXWiRQvYDh8kHXo7IDmG42eJ/dOMA==",
-      "dependencies": {
-        "@actions/http-client": "^1.0.8",
-        "@octokit/core": "^3.0.0",
-        "@octokit/plugin-paginate-rest": "^2.2.3",
-        "@octokit/plugin-rest-endpoint-methods": "^4.0.0"
-      }
-    },
-    "node_modules/@actions/github/node_modules/@actions/http-client": {
-      "version": "1.0.11",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
-      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
-      "dependencies": {
-        "tunnel": "0.0.6"
-      }
-    },
-    "node_modules/@actions/http-client": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.1.1.tgz",
-      "integrity": "sha512-qhrkRMB40bbbLo7gF+0vu+X+UawOvQQqNAA/5Unx774RS8poaOhThDOG6BGmxvAnxhQnDp2BG/ZUm65xZILTpw==",
-      "dependencies": {
-        "tunnel": "^0.0.6"
-      }
-    },
-    "node_modules/@octokit/auth-token": {
-      "version": "2.5.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.5.0.tgz",
-      "integrity": "sha512-r5FVUJCOLl19AxiuZD2VRZ/ORjp/4IN98Of6YJoJOkY75CIBuYfmiNHGrDwXr+aLGG55igl9QrxX3hbiXlLb+g==",
-      "dependencies": {
-        "@octokit/types": "^6.0.3"
-      }
-    },
-    "node_modules/@octokit/core": {
-      "version": "3.6.0",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-3.6.0.tgz",
-      "integrity": "sha512-7RKRKuA4xTjMhY+eG3jthb3hlZCsOwg3rztWh75Xc+ShDWOfDDATWbeZpAHBNRpm4Tv9WgBMOy1zEJYXG6NJ7Q==",
-      "dependencies": {
-        "@octokit/auth-token": "^2.4.4",
-        "@octokit/graphql": "^4.5.8",
-        "@octokit/request": "^5.6.3",
-        "@octokit/request-error": "^2.0.5",
-        "@octokit/types": "^6.0.3",
-        "before-after-hook": "^2.2.0",
-        "universal-user-agent": "^6.0.0"
-      }
-    },
-    "node_modules/@octokit/endpoint": {
-      "version": "6.0.12",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.12.tgz",
-      "integrity": "sha512-lF3puPwkQWGfkMClXb4k/eUT/nZKQfxinRWJrdZaJO85Dqwo/G0yOC434Jr2ojwafWJMYqFGFa5ms4jJUgujdA==",
-      "dependencies": {
-        "@octokit/types": "^6.0.3",
-        "is-plain-object": "^5.0.0",
-        "universal-user-agent": "^6.0.0"
-      }
-    },
-    "node_modules/@octokit/graphql": {
-      "version": "4.8.0",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-4.8.0.tgz",
-      "integrity": "sha512-0gv+qLSBLKF0z8TKaSKTsS39scVKF9dbMxJpj3U0vC7wjNWFuIpL/z76Qe2fiuCbDRcJSavkXsVtMS6/dtQQsg==",
-      "dependencies": {
-        "@octokit/request": "^5.6.0",
-        "@octokit/types": "^6.0.3",
-        "universal-user-agent": "^6.0.0"
-      }
-    },
-    "node_modules/@octokit/openapi-types": {
-      "version": "12.11.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-12.11.0.tgz",
-      "integrity": "sha512-VsXyi8peyRq9PqIz/tpqiL2w3w80OgVMwBHltTml3LmVvXiphgeqmY9mvBw9Wu7e0QWk/fqD37ux8yP5uVekyQ=="
-    },
-    "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "2.21.3",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.21.3.tgz",
-      "integrity": "sha512-aCZTEf0y2h3OLbrgKkrfFdjRL6eSOo8komneVQJnYecAxIej7Bafor2xhuDJOIFau4pk0i/P28/XgtbyPF0ZHw==",
-      "dependencies": {
-        "@octokit/types": "^6.40.0"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=2"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "4.15.1",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-4.15.1.tgz",
-      "integrity": "sha512-4gQg4ySoW7ktKB0Mf38fHzcSffVZd6mT5deJQtpqkuPuAqzlED5AJTeW8Uk7dPRn7KaOlWcXB0MedTFJU1j4qA==",
-      "dependencies": {
-        "@octokit/types": "^6.13.0",
-        "deprecation": "^2.3.1"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=3"
-      }
-    },
-    "node_modules/@octokit/request": {
-      "version": "5.6.3",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.6.3.tgz",
-      "integrity": "sha512-bFJl0I1KVc9jYTe9tdGGpAMPy32dLBXXo1dS/YwSCTL/2nd9XeHsY616RE3HPXDVk+a+dBuzyz5YdlXwcDTr2A==",
-      "dependencies": {
-        "@octokit/endpoint": "^6.0.1",
-        "@octokit/request-error": "^2.1.0",
-        "@octokit/types": "^6.16.1",
-        "is-plain-object": "^5.0.0",
-        "node-fetch": "^2.6.7",
-        "universal-user-agent": "^6.0.0"
-      }
-    },
-    "node_modules/@octokit/request-error": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz",
-      "integrity": "sha512-1VIvgXxs9WHSjicsRwq8PlR2LR2x6DwsJAaFgzdi0JfJoGSO8mYI/cHJQ+9FbN21aa+DrgNLnwObmyeSC8Rmpg==",
-      "dependencies": {
-        "@octokit/types": "^6.0.3",
-        "deprecation": "^2.0.0",
-        "once": "^1.4.0"
-      }
-    },
-    "node_modules/@octokit/types": {
-      "version": "6.41.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-6.41.0.tgz",
-      "integrity": "sha512-eJ2jbzjdijiL3B4PrSQaSjuF2sPEQPVCPzBvTHJD9Nz+9dw2SGH4K4xeQJ77YfTq5bRQ+bD8wT11JbeDPmxmGg==",
-      "dependencies": {
-        "@octokit/openapi-types": "^12.11.0"
-      }
-    },
-    "node_modules/@vercel/ncc": {
-      "version": "0.24.1",
-      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.24.1.tgz",
-      "integrity": "sha512-r9m7brz2hNmq5TF3sxrK4qR/FhXn44XIMglQUir4sT7Sh5GOaYXlMYikHFwJStf8rmQGTlvOoBXt4yHVonRG8A==",
-      "dev": true,
-      "bin": {
-        "ncc": "dist/ncc/cli.js"
-      }
-    },
-    "node_modules/before-after-hook": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
-      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
-    },
-    "node_modules/deprecation": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
-      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
-    },
-    "node_modules/is-plain-object": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-5.0.0.tgz",
-      "integrity": "sha512-VRSzKkbMm5jMDoKLbltAkFQ5Qr7VDiTFGXxYFXXowVj387GeGNOCsOH6Msy00SGZ3Fp84b1Naa1psqgcCIEP5Q==",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/node-fetch": {
-      "version": "2.6.12",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.12.tgz",
-      "integrity": "sha512-C/fGU2E8ToujUivIO0H+tpQ6HWo4eEmchoPIoXtxCrVghxdKq+QOHqEZW7tuP3KlV3bC8FRMO5nMCC7Zm1VP6g==",
-      "dependencies": {
-        "whatwg-url": "^5.0.0"
-      },
-      "engines": {
-        "node": "4.x || >=6.0.0"
-      },
-      "peerDependencies": {
-        "encoding": "^0.1.0"
-      },
-      "peerDependenciesMeta": {
-        "encoding": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/once": {
-      "version": "1.4.0",
-      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
-      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
-      "dependencies": {
-        "wrappy": "1"
-      }
-    },
-    "node_modules/tr46": {
-      "version": "0.0.3",
-      "resolved": "https://registry.npmjs.org/tr46/-/tr46-0.0.3.tgz",
-      "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw=="
-    },
-    "node_modules/tunnel": {
-      "version": "0.0.6",
-      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
-      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
-      "engines": {
-        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
-      }
-    },
-    "node_modules/universal-user-agent": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.0.tgz",
-      "integrity": "sha512-isyNax3wXoKaulPDZWHQqbmIx1k2tb9fb3GGDBRxCscfYV2Ch7WxPArBsFEG8s/safwXTT7H4QGhaIkTp9447w=="
-    },
-    "node_modules/uuid": {
-      "version": "8.3.2",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
-    "node_modules/webidl-conversions": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
-      "integrity": "sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ=="
-    },
-    "node_modules/whatwg-url": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-5.0.0.tgz",
-      "integrity": "sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==",
-      "dependencies": {
-        "tr46": "~0.0.3",
-        "webidl-conversions": "^3.0.0"
-      }
-    },
-    "node_modules/wrappy": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
-    }
-  }
-}
--- a/Show More
+++ b/Show More