Align step failure log output with GitHub Actions (#927 )

Fixes #926. Before: <img src="/attachments/a5ae9221-eee2-410a-964e-6103ce126df4" alt="image.png" width="400"> After: <img width="400" alt="image.png" src="attachments/2f2d67c4-6080-4ec3-9ae5-df33e6479920"> Also gets rid of a bunch of emojis in the logging and the obsolete link to `nektos/act` and align some other error messages. --- This PR was written with the help of Claude Opus 4.7 --------- Co-authored-by: Nicolas <bircni@icloud.com> Reviewed-on: https://gitea.com/gitea/runner/pulls/927 Reviewed-by: Nicolas <bircni@icloud.com> Co-authored-by: silverwind <me@silverwind.io> Co-committed-by: silverwind <me@silverwind.io>
feat: add startup janitor for stale bind-workdir task workspaces (#870 )
2026-05-08 08:13:25 +02:00 · 2026-05-05 20:17:32 +00:00 · 2026-05-05 20:11:44 +00:00 · 2026-05-05 18:28:12 +00:00 · 2026-05-04 12:44:49 +00:00 · 2026-05-03 11:36:03 +00:00
1997 changed files with 17923 additions and 246933 deletions
--- a/.codespellrc
+++ b/.codespellrc
@@ -1,6 +0,0 @@
-[codespell]
-# Ref: https://github.com/codespell-project/codespell#using-a-config-file
-skip = .git*,go.sum,package-lock.json,*.min.*,.codespellrc,testdata,./pkg/runner/hashfiles/index.js
-check-hidden = true
-ignore-regex = .*Te\{0\}st.*
-# ignore-words-list =
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,52 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# IntelliJ
+.idea
+# Goland's output filename can not be set manually
+/go_build_*
+
+# MS VSCode
+.vscode
+__debug_bin*
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*coverage.out
+coverage.all
+coverage.txt
+cpu.out
+
+*.db
+*.log
+
+/gitea-runner
+/debug
+
+/bin
+/dist
+/.env
+/.runner
+/config.yaml
+/Dockerfile
+.DS_Store
--- a/.editorconfig
+++ b/.editorconfig
@@ -12,5 +12,8 @@ insert_final_newline = true
 [*.{go}]
 indent_style = tab

+[go.*]
+indent_style = tab
+
 [Makefile]
 indent_style = tab
--- a/.gitea/workflows/checks.yml
+++ b/.gitea/workflows/checks.yml
@@ -1,156 +0,0 @@
-name: checks
-on: [pull_request, workflow_dispatch]
-
-concurrency:
-  cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.ref }}
-
-env:
-  ACT_OWNER: ${{ github.repository_owner }}
-  ACT_REPOSITORY: ${{ github.repository }}
-  CGO_ENABLED: 0
-  NO_QEMU: 1
-  NO_EXTERNAL_IP: 1
-  DOOD: 1
-
-jobs:
-  lint:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: golangci/golangci-lint-action@v8.0.0
-        with:
-          version: v2.1.6
-      - uses: megalinter/megalinter/flavors/go@v9.1.0
-        env:
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VALIDATE_ALL_CODEBASE: false
-          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
-          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
-
-  test-linux:
-    name: test-linux
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 2
-      - name: Cleanup Docker Engine
-        run: |
-          docker ps -a --format '{{ if eq (truncate .Names 4) "act-" }}
-          {{ .ID }}
-          {{end}}' | xargs -r docker rm -f || :
-          docker volume ls --format '{{ if eq (truncate .Name 4) "act-" }}
-          {{ .Name }}
-          {{ end }}' | xargs -r docker volume rm -f || :
-          docker images --format '{{ if eq (truncate .Repository 4) "act-" }}
-          {{ .ID }}
-          {{ end }}' | xargs -r docker rmi -f || :
-          docker images -q | xargs -r docker rmi || :
-      - name: Set up QEMU
-        if: '!env.NO_QEMU'
-        uses: docker/setup-qemu-action@v3
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Install gotestfmt
-        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
-      # Regressions by Gitea Actions CI Migration
-      # GITHUB_REPOSITORY contains the server url
-      # ACTIONS_RUNTIME_URL provided to every step, act does not override
-      - name: Run Tests
-        run: |
-          unset ACTIONS_RUNTIME_URL
-          unset ACTIONS_RESULTS_URL
-          unset ACTIONS_RUNTIME_TOKEN
-          export GITHUB_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
-          export ACT_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
-          export ACT_OWNER="${ACT_OWNER#${SERVER_URL%/}/}"
-          env
-          go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
-        env:
-          SERVER_URL: ${{ github.server_url }}
-      - name: Run act from cli
-        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
-      - name: Run act from cli without docker support
-        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
-
-  snapshot:
-    name: snapshot
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: GoReleaser
-        id: goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          version: v2
-          args: release --snapshot --clean
-      - name: Setup Node
-        continue-on-error: true
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20
-      - name: Install @actions/artifact@2.1.0
-        continue-on-error: true
-        run: npm install @actions/artifact@2.1.0
-      - name: Upload All
-        uses: actions/github-script@v8
-        continue-on-error: true
-        with:
-          script: |
-            // We do not use features depending on GITHUB_API_URL so we can hardcode it to avoid the GHES no support error
-            process.env["GITHUB_SERVER_URL"] = "https://github.com";
-            const {DefaultArtifactClient} = require('@actions/artifact');
-            const aartifact = new DefaultArtifactClient();
-            var artifacts = JSON.parse(process.env.ARTIFACTS);
-            for(var artifact of artifacts) {
-              if(artifact.type === "Binary") {
-                const {id, size} = await aartifact.uploadArtifact(
-                  // name of the artifact
-                  `${artifact.name}-${artifact.target}`,
-                  // files to include (supports absolute and relative paths)
-                  [artifact.path],
-                  process.cwd(),
-                  {
-                    // optional: how long to retain the artifact
-                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
-                    retentionDays: 10
-                  }
-                );
-                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
-              }
-            }
-        env:
-          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
-      - name: Chocolatey
-        uses: ./.github/actions/choco
-        with:
-          version: v0.0.0-pr
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -69,7 +69,7 @@ jobs:
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Echo the tag
-        run: echo "${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}"
+        run: echo "${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}"

      - name: Build and push
        uses: docker/build-push-action@v6
@@ -82,4 +82,4 @@ jobs:
            linux/arm64
          push: true
          tags: |
-            ${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}
+            ${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -17,7 +17,7 @@ jobs:
          go-version-file: "go.mod"
      - name: Import GPG key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
@@ -39,6 +39,15 @@ jobs:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
  release-image:
    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
    container:
      image: catthehacker/ubuntu:act-latest
    env:
@@ -62,50 +71,28 @@ jobs:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Get Meta
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=${GITHUB_REF_NAME#v} >> $GITHUB_OUTPUT
+      - name: "Docker meta"
+        id: docker_meta
+        uses: https://github.com/docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_ORG }}/runner
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+          flavor: |
+            latest=true
+            suffix=${{ matrix.variant.tag_suffix }},onlatest=true

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
-          target: basic
+          target: ${{ matrix.variant.target }}
          platforms: |
            linux/amd64
            linux/arm64
          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
-
-      - name: Build and push dind
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          target: dind
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind
-
-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfile
-          target: dind-rootless
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind-rootless
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
+          tags: ${{ steps.docker_meta.outputs.tags }}
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -1,72 +0,0 @@
-name: release
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  release:
-    # TODO use environment to scope secrets
-    name: release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: release --clean -f ./.goreleaser.yml -f ./.goreleaser.gitea.yml
-        env:
-          GITEA_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
-      - name: Winget
-        uses: vedantmgoyal2009/winget-releaser@v2
-        with:
-          identifier: nektos.act
-          installers-regex: '_Windows_\w+\.zip$'
-          token: ${{ secrets.WINGET_TOKEN }}
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
-      - name: Chocolatey
-        uses: ./.github/actions/choco
-        with:
-          version: ${{ github.ref }}
-          apiKey: ${{ secrets.CHOCO_APIKEY }}
-          push: true
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
-      # TODO use ssh deployment key
-      - name: GitHub CLI extension
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
-          script: |
-            const mainRef = (await github.rest.git.getRef({
-              owner: context.repo.owner,
-              repo: 'gh-act',
-              ref: 'heads/main',
-            })).data;
-            console.log(mainRef);
-            github.rest.git.createRef({
-              owner: 'nektos',
-              repo: 'gh-act',
-              ref: context.ref,
-              sha: mainRef.object.sha,
-            });
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,7 +1,9 @@
 name: checks
 on:
-  - push
-  - pull_request
+  push:
+    branches:
+      - main
+  pull_request:

 jobs:
  lint:
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,88 +0,0 @@
-name: Bug report
-description: Use this template for reporting bugs/issues.
-labels:
-  - 'kind/bug'
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report!
-  - type: textarea
-    id: act-debug
-    attributes:
-      label: Bug report info
-      render: plain text
-      description: |
-        Output of `act --bug-report`
-      placeholder: |
-        act --bug-report
-    validations:
-      required: true
-  - type: textarea
-    id: act-command
-    attributes:
-      label: Command used with act
-      description: |
-        Please paste your whole command
-      placeholder: |
-        act -P ubuntu-latest=node:12 -v -d ...
-      render: sh
-    validations:
-      required: true
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: Describe issue
-      description: |
-        Also tell us what did you expect to happen?
-      placeholder: |
-        Describe issue
-    validations:
-      required: true
-  - type: input
-    id: repo
-    attributes:
-      label: Link to GitHub repository
-      description: |
-        Provide link to GitHub repository, you can skip it if the repository is private or you don't have it on GitHub, otherwise please provide it as it might help us troubleshoot problem
-      placeholder: |
-        https://github.com/nektos/act
-    validations:
-      required: false
-  - type: textarea
-    id: workflow
-    attributes:
-      label: Workflow content
-      description: |
-        Please paste your **whole** workflow here
-      placeholder: |
-        name: My workflow
-        on: ['push', 'schedule']
-        jobs:
-          test:
-            runs-on: ubuntu-latest
-          env:
-            KEY: VAL
-        [...]
-      render: yml
-    validations:
-      required: true
-  - type: textarea
-    id: logs
-    attributes:
-      label: Relevant log output
-      description: |
-        Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. Please verify that the log output doesn't contain any sensitive data.
-      render: sh
-      placeholder: |
-        Use `act -v` for verbose output
-    validations:
-      required: true
-  - type: textarea
-    id: additional-info
-    attributes:
-      label: Additional information
-      placeholder: |
-        Additional information that doesn't fit elsewhere
-    validations:
-      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Start a discussion
-    url: https://github.com/actions-oss/act-cli/discussions/new
-    about: You can ask for help here!
-  - name: Want to contribute to act?
-    url: https://github.com/actions-oss/act-cli/blob/main/CONTRIBUTING.md
-    about: Be sure to read contributing guidelines!
--- a/.github/ISSUE_TEMPLATE/feature_template.yml
+++ b/.github/ISSUE_TEMPLATE/feature_template.yml
@@ -1,28 +0,0 @@
-name: Feature request
-description: Use this template for requesting a feature/enhancement.
-labels:
-  - 'kind/feature-request'
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please note that incompatibility with GitHub Actions should be opened as a bug report, not a new feature.
-  - type: input
-    id: act-version
-    attributes:
-      label: Act version
-      description: |
-        What version of `act` are you using? Version can be obtained via `act --version`
-        If you've built it from source, please provide commit hash
-      placeholder: |
-        act --version
-    validations:
-      required: true
-  - type: textarea
-    id: feature
-    attributes:
-      label: Feature description
-      description: Describe feature that you would like to see
-      placeholder: ...
-    validations:
-      required: true
--- a/.github/actions/choco/Dockerfile
+++ b/.github/actions/choco/Dockerfile
@@ -1,20 +0,0 @@
-FROM alpine:3.21
-
-ARG CHOCOVERSION=1.1.0
-
-RUN apk add --no-cache bash ca-certificates git \
-  && apk --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/community add mono mono-dev \
-  && cert-sync /etc/ssl/certs/ca-certificates.crt \
-  && wget "https://github.com/chocolatey/choco/archive/${CHOCOVERSION}.tar.gz" -O- | tar -xzf - \
-  && cd choco-"${CHOCOVERSION}" \
-  && chmod +x build.sh zip.sh \
-  && ./build.sh -v \
-  && mv ./code_drop/chocolatey/console /opt/chocolatey \
-  && mkdir -p /opt/chocolatey/lib \
-  && rm -rf /choco-"${CHOCOVERSION}" \
-  && apk del mono-dev \
-  && rm -rf /var/cache/apk/*
-
-ENV ChocolateyInstall=/opt/chocolatey
-COPY entrypoint.sh /entrypoint.sh
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/choco/action.yml
+++ b/.github/actions/choco/action.yml
@@ -1,16 +0,0 @@
-name: 'Chocolatey Packager'
-description: 'Create the choco package and push it'
-inputs:
-  version:
-    description: 'Version of package'
-    required: false
-  apiKey:
-    description: 'API Key for chocolately'
-    required: false
-  push:
-    description: 'Option for if package is going to be pushed'
-    required: false
-    default: 'false'
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
--- a/.github/actions/choco/entrypoint.sh
+++ b/.github/actions/choco/entrypoint.sh
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-set -e
-
-function choco {
-  mono /opt/chocolatey/choco.exe "$@" --allow-unofficial --nocolor
-}
-
-function get_version {
-  local version=${INPUT_VERSION:-$(git describe --tags)}
-  version=(${version//[!0-9.-]/})
-  local version_parts=(${version//-/ })
-  version=${version_parts[0]}
-  if [ ${#version_parts[@]} -gt 1 ]; then
-    version=${version_parts}.${version_parts[1]}
-  fi
-  echo "$version"
-}
-
-## Determine the version to pack
-VERSION=$(get_version)
-echo "Packing version ${VERSION} of act"
-rm -f act-cli.*.nupkg
-mkdir -p tools
-cp LICENSE tools/LICENSE.txt
-cp VERIFICATION tools/VERIFICATION.txt
-cp dist/act-cli_windows_amd64*/act.exe tools/
-choco pack act-cli.nuspec --version ${VERSION}
-if [[ "$INPUT_PUSH" == "true" ]]; then
-  choco push act-cli.${VERSION}.nupkg --api-key ${INPUT_APIKEY} -s https://push.chocolatey.org/ --timeout 180
-fi
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,23 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: 'github-actions'
-    directory: '/'
-    schedule:
-      interval: 'monthly'
-    groups:
-      dependencies:
-        patterns:
-        - '*'
-  - package-ecosystem: 'gomod'
-    directory: '/'
-    schedule:
-      interval: 'monthly'
-    groups:
-      dependencies:
-        patterns:
-        - '*'
--- a/.github/workflows/.gitignore
+++ b/.github/workflows/.gitignore
@@ -1 +0,0 @@
-test-*.yml
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -1,151 +0,0 @@
-name: checks
-on: [pull_request, workflow_dispatch]
-
-concurrency:
-  cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.ref }}
-
-env:
-  ACT_OWNER: ${{ github.repository_owner }}
-  ACT_REPOSITORY: ${{ github.repository }}
-  CGO_ENABLED: 0
-
-jobs:
-  lint:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: golangci/golangci-lint-action@v8.0.0
-        with:
-          version: v2.1.6
-      - uses: megalinter/megalinter/flavors/go@v9.1.0
-        env:
-          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VALIDATE_ALL_CODEBASE: false
-          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
-          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
-
-  test-linux:
-    name: test-linux
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 2
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: Install gotestfmt
-        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
-      - name: Run Tests
-        run: go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
-      - name: Run act from cli
-        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
-      - name: Run act from cli without docker support
-        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
-      - name: Upload Codecov report
-        uses: codecov/codecov-action@v5
-        with:
-          files: coverage.txt
-          fail_ci_if_error: true # optional (default = false)
-          token: ${{ secrets.CODECOV_TOKEN }}
-
-  test-host:
-    strategy:
-      matrix:
-        os:
-          - windows-latest
-          - macos-latest
-    name: test-host-${{matrix.os}}
-    runs-on: ${{matrix.os}}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - name: Install gotestfmt
-        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
-      - name: Run Tests
-        run: go test -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m -run ^TestRunEventHostEnvironment$ ./...
-        shell: bash
-
-
-  snapshot:
-    name: snapshot
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: GoReleaser
-        id: goreleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          version: v2
-          args: release --snapshot --clean
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: 20
-      - name: Install @actions/artifact
-        run: npm install @actions/artifact
-      - name: Upload All
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const {DefaultArtifactClient} = require('@actions/artifact');
-            const aartifact = new DefaultArtifactClient();
-            var artifacts = JSON.parse(process.env.ARTIFACTS);
-            for(var artifact of artifacts) {
-              if(artifact.type === "Binary") {
-                const {id, size} = await aartifact.uploadArtifact(
-                  // name of the artifact
-                  `${artifact.name}-${artifact.target}`,
-                  // files to include (supports absolute and relative paths)
-                  [artifact.path],
-                  process.cwd(),
-                  {
-                    // optional: how long to retain the artifact
-                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
-                    retentionDays: 10
-                  }
-                );
-                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
-              }
-            }
-        env:
-          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
-      - name: Chocolatey
-        uses: ./.github/actions/choco
-        with:
-          version: v0.0.0-pr
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -1,23 +0,0 @@
-# Codespell configuration is within .codespellrc
---
-name: Codespell
-
-on:
-  push:
-    branches: [master]
-  pull_request:
-    branches: [master]
-
-permissions:
-  contents: read
-
-jobs:
-  codespell:
-    name: Check for spelling errors
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-      - name: Codespell
-        uses: codespell-project/actions-codespell@v2
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -1,30 +0,0 @@
-name: promote
-on:
-  schedule:
-    - cron: '0 2 1 * *'
-  workflow_dispatch: {}
-
-jobs:
-  release:
-    if: vars.ENABLE_PROMOTE || github.event_name != 'schedule'
-    name: promote
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-          ref: master
-          token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
-      - uses: fregante/setup-git-user@v2
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - run: make promote
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,72 +0,0 @@
-name: release
-on:
-  push:
-    tags:
-      - v*
-
-jobs:
-  release:
-    # TODO use environment to scope secrets
-    name: release
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-          check-latest: true
-      - uses: actions/cache@v4
-        if: ${{ !env.ACT }}
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v6
-        with:
-          version: latest
-          args: release --clean
-        env:
-          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
-      - name: Winget
-        uses: vedantmgoyal2009/winget-releaser@v2
-        with:
-          identifier: nektos.act
-          installers-regex: '_Windows_\w+\.zip$'
-          token: ${{ secrets.WINGET_TOKEN }}
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
-      - name: Chocolatey
-        uses: ./.github/actions/choco
-        with:
-          version: ${{ github.ref }}
-          apiKey: ${{ secrets.CHOCO_APIKEY }}
-          push: true
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
-      # TODO use ssh deployment key
-      - name: GitHub CLI extension
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
-          script: |
-            const mainRef = (await github.rest.git.getRef({
-              owner: context.repo.owner,
-              repo: 'gh-act',
-              ref: 'heads/main',
-            })).data;
-            console.log(mainRef);
-            github.rest.git.createRef({
-              owner: 'nektos',
-              repo: 'gh-act',
-              ref: context.ref,
-              sha: mainRef.object.sha,
-            });
-        if: env.ENABLED
-        env:
-          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,23 +0,0 @@
-name: 'Close stale issues'
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-jobs:
-  stale:
-    name: Stale
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/stale@v10
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          stale-issue-message: 'Issue is stale and will be closed in 14 days unless there is new activity'
-          stale-pr-message: 'PR is stale and will be closed in 14 days unless there is new activity'
-          stale-issue-label: 'stale'
-          exempt-issue-labels: 'stale-exempt,kind/feature-request'
-          stale-pr-label: 'stale'
-          exempt-pr-labels: 'stale-exempt'
-          remove-stale-when-updated: 'True'
-          operations-per-run: 500
-          days-before-stale: 180
-          days-before-close: 14
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,7 @@
-/act_runner
+/gitea-runner
 .env
 .runner
 coverage.txt
-/gitea-vet
 /config.yaml

 # Jetbrains
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -1,2 +0,0 @@
-b910a42edfab7a02b08a52ecef203fd419725642:pkg/container/testdata/docker-pull-options/config.json:generic-api-key:4
-710a3ac94c3dc0eaf680d417c87f37f92b4887f4:pkg/container/docker_pull_test.go:generic-api-key:45
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -13,6 +13,7 @@ linters:
    - forbidigo
    - gocheckcompilerdirectives
    - gocritic
+    - goheader
    - govet
    - ineffassign
    - mirror
@@ -35,23 +36,61 @@ linters:
      rules:
        main:
          deny:
+            - pkg: io/ioutil
+              desc: use os or io instead
+            - pkg: golang.org/x/exp
+              desc: it's experimental and unreliable
            - pkg: github.com/pkg/errors
-              desc: Please use "errors" package from standard library
-            - pkg: gotest.tools/v3
-              desc: Please keep tests unified using only github.com/stretchr/testify
-            - pkg: log
-              desc: Please keep logging unified using only github.com/sirupsen/logrus
+              desc: use builtin errors package instead
+    nolintlint:
+      allow-unused: false
+      require-explanation: true
+      require-specific: true
    gocritic:
+      enabled-checks:
+        - equalFold
      disabled-checks:
        - ifElseChain
-    gocyclo:
-      min-complexity: 20
-    importas:
-      alias:
-        - pkg: github.com/sirupsen/logrus
-          alias: log
-        - pkg: github.com/stretchr/testify/assert
-          alias: assert
+    revive:
+      severity: error
+      rules:
+        - name: blank-imports
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: empty-lines
+        - name: error-return
+        - name: error-strings
+        - name: exported
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: package-comments
+        - name: redefines-builtin-id
+        - name: superfluous-else
+        - name: time-naming
+        - name: unexported-return
+        - name: var-declaration
+        - name: var-naming
+    staticcheck:
+      checks:
+        - all
+        - -ST1005
+    usetesting:
+      os-temp-dir: true
+    perfsprint:
+      concat-loop: false
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
+    goheader:
+      values:
+        regexp:
+          HEADER: 'Copyright \d{4} The Gitea Authors\. All rights reserved\.(\nCopyright [^\n]+)*\nSPDX-License-Identifier: MIT'
+      template: '{{ HEADER }}'
  exclusions:
    generated: lax
    presets:
@@ -59,21 +98,28 @@ linters:
      - common-false-positives
      - legacy
      - std-error-handling
-    paths:
-      - report
-      - third_party$
-      - builtin$
-      - examples$
+    rules:
+      - linters:
+          - forbidigo
+        path: cmd
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
 formatters:
  enable:
-    - goimports
+    - gci
+    - gofumpt
+  settings:
+    gci:
+      custom-order: true
+      sections:
+        - standard
+        - prefix(gitea.com/gitea/runner)
+        - blank
+        - default
+    gofumpt:
+      extra-rules: true
  exclusions:
    generated: lax
-    paths:
-      - report
-      - third_party$
-      - builtin$
-      - examples$
+run:
+  timeout: 10m
--- a/.goreleaser.gitea.yml
+++ b/.goreleaser.gitea.yml
@@ -1,3 +0,0 @@
-gitea_urls:
-  api: https://gitea.com/api/v1/
-  download: https://gitea.com/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,5 +1,7 @@
 version: 2

+project_name: gitea-runner
+
 before:
  hooks:
    - go mod tidy
@@ -63,7 +65,7 @@ builds:
  flags:
  - -trimpath
  ldflags:
-  - -s -w -X gitea.com/gitea/act_runner/internal/pkg/ver.version={{ .Summary }}
+  - -s -w -X gitea.com/gitea/runner/internal/pkg/ver.version={{ .Summary }}
  binary: >-
    {{ .ProjectName }}-
    {{- .Version }}-
@@ -86,7 +88,7 @@ blobs:
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    directory: "act_runner/{{.Version}}"
+    directory: "gitea-runner/{{.Version}}"
    extra_files:
      - glob: ./**.xz
      - glob: ./**.sha256
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,54 +0,0 @@
-version: 2
-before:
-  hooks:
-    - go mod tidy
-builds:
-  - env:
-      - CGO_ENABLED=0
-    goos:
-      - darwin
-      - linux
-      - windows
-    goarch:
-      - amd64
-      - '386'
-      - arm64
-      - arm
-      - riscv64
-    goarm:
-      - '6'
-      - '7'
-    ignore:
-      - goos: windows
-        goarm: '6'
-    binary: act
-checksum:
-  name_template: 'checksums.txt'
-archives:
-  - name_template: >-
-      {{ .ProjectName }}_
-      {{- title .Os }}_
-      {{- if eq .Arch "amd64" }}x86_64
-      {{- else if eq .Arch "386" }}i386
-      {{- else }}{{ .Arch }}{{ end }}
-      {{- if .Arm }}v{{ .Arm }}{{ end }}
-    format_overrides:
-      - goos: windows
-        formats:
-        - zip
-changelog:
-  groups:
-    - title: 'New Features'
-      regexp: "^.*feat[(\\w)]*:+.*$"
-      order: 0
-    - title: 'Bug fixes'
-      regexp: "^.*fix[(\\w)]*:+.*$"
-      order: 1
-    - title: 'Documentation updates'
-      regexp: "^.*docs[(\\w)]*:+.*$"
-      order: 2
-    - title: 'Other'
-      order: 999
-release:
-  prerelease: auto
-  mode: append
--- a/.markdownlint.yml
+++ b/.markdownlint.yml
@@ -1,12 +0,0 @@
-# Default state for all rules
-default: true
-
-# MD013/line-length - Line length
-MD013:
-  line_length: 1024
-
-# MD033/no-inline-html - Inline HTML
-MD033: false
-
-# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
-MD041: false
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -1,20 +0,0 @@
---
-APPLY_FIXES: none
-DISABLE:
-  - ACTION
-  - BASH
-  - COPYPASTE
-  - DOCKERFILE
-  - GO
-  - JAVASCRIPT
-  - SPELL
-DISABLE_LINTERS:
-  - YAML_YAMLLINT
-  - MARKDOWN_MARKDOWN_TABLE_FORMATTER
-  - MARKDOWN_MARKDOWN_LINK_CHECK
-  - REPOSITORY_CHECKOV
-  - REPOSITORY_TRIVY
-FILTER_REGEX_EXCLUDE: (.*testdata/*|install.sh|pkg/container/docker_cli.go|pkg/container/DOCKER_LICENSE|VERSION)
-MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
-PARALLEL: false
-PRINT_ALPACA: false
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -1,98 +0,0 @@
-
-pull_request_rules:
-  - name: warn on conflicts
-    conditions:
-      - -draft
-      - -closed
-      - -merged
-      - conflict
-    actions:
-      comment:
-        message: '@{{author}} this pull request is now in conflict 😩'
-      label:
-        add:
-          - conflict
-  - name: remove conflict label if not needed
-    conditions:
-      - -conflict
-    actions:
-      label:
-        remove:
-          - conflict
-  - name: warn on needs-work
-    conditions:
-      - -draft
-      - -closed
-      - -merged
-      - or:
-          - check-failure=lint
-          - check-failure=test-linux
-          - check-failure=codecov/patch
-          - check-failure=codecov/project
-          - check-failure=snapshot
-    actions:
-      comment:
-        message: '@{{author}} this pull request has failed checks 🛠'
-      label:
-        add:
-          - needs-work
-  - name: remove needs-work label if not needed
-    conditions:
-      - check-success=lint
-      - check-success=test-linux
-      - check-success=codecov/patch
-      - check-success=codecov/project
-      - check-success=snapshot
-    actions:
-      label:
-        remove:
-          - needs-work
-  - name: Automatic maintainer assignment
-    conditions:
-      - '-approved-reviews-by=@nektos/act-maintainers'
-      - -draft
-      - -merged
-      - -closed
-      - -conflict
-      - check-success=lint
-      - check-success=test-linux
-      - check-success=codecov/patch
-      - check-success=codecov/project
-      - check-success=snapshot
-    actions:
-      request_reviews:
-        teams:
-          - '@nektos/act-maintainers'
-  - name: Automatic merge on approval
-    conditions: []
-    actions:
-      queue:
-queue_rules:
-  - name: default
-    queue_conditions:
-      - '#changes-requested-reviews-by=0'
-      - or:
-          - 'approved-reviews-by=@nektos/act-committers'
-          - 'author~=^dependabot(|-preview)\[bot\]$'
-          - and:
-              - 'approved-reviews-by=@nektos/act-maintainers'
-              - '#approved-reviews-by>=2'
-          - and:
-              - 'author=@nektos/act-maintainers'
-              - 'approved-reviews-by=@nektos/act-maintainers'
-              - '#approved-reviews-by>=1'
-      - -draft
-      - -merged
-      - -closed
-      - check-success=lint
-      - check-success=test-linux
-      - check-success=codecov/patch
-      - check-success=codecov/project
-      - check-success=snapshot
-    merge_conditions:
-      - check-success=lint
-      - check-success=test-linux
-      - check-success=codecov/patch
-      - check-success=codecov/project
-      - check-success=snapshot
-    merge_method: squash
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,2 +0,0 @@
-**/testdata
-pkg/runner/res
--- a/.prettierrc.yml
+++ b/.prettierrc.yml
@@ -1,7 +0,0 @@
-overrides:
-  - files: '*.yml'
-    options:
-      singleQuote: true
-  - files: '*.json'
-    options:
-      singleQuote: false
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,9 +0,0 @@
-{
-  "recommendations": [
-    "editorconfig.editorconfig",
-    "golang.go",
-    "davidanson.vscode-markdownlint",
-    "esbenp.prettier-vscode",
-    "redhat.vscode-yaml"
-  ]
-}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,14 +0,0 @@
-{
-  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fix"],
-  "go.testTimeout": "300s",
-  "[json]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode"
-  },
-  "[markdown]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode"
-  },
-  "[yaml]": {
-    "editor.defaultFormatter": "esbenp.prettier-vscode"
-  }
-}
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,10 @@
+- Use `make help` to find available development targets
+- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
+- Run `make tidy` after any `go.mod` changes
+- Run single go unit tests with `go test -run '^TestName$' ./modulepath/`
+- Add the current year into the copyright header of new `.go` files
+- Ensure no trailing whitespace in edited files
+- Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
+- Preserve existing code comments, do not remove or rewrite comments that are still relevant
+- Include authorship attribution in issue and pull request comments
+- Add `Co-Authored-By` lines to all commits, indicating name and model used
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
--- a/1
+++ b/1
@@ -1 +0,0 @@
-*       @nektos/act-maintainers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,69 +0,0 @@
-# Contributing to Act
-
-Help wanted! We'd love your contributions to Act. Please review the following guidelines before contributing. Also, feel free to propose changes to these guidelines by updating this file and submitting a pull request.
-
- [I have a question...](#questions)
- [I found a bug...](#bugs)
- [I have a feature request...](#features)
- [I have a contribution to share...](#process)
-
-## <a id="questions"></a> Have a Question?
-
-Please don't open a GitHub issue for questions about how to use `act`, as the goal is to use issues for managing bugs and feature requests. Issues that are related to general support will be closed and redirected to our gitter room.
-
-For all support related questions, please ask the question in discussions: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/discussions).
-
-## <a id="bugs"></a> Found a Bug?
-
-If you've identified a bug in `act`, please [submit an issue](#issue) to our GitHub repo: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/issues/new). Please also feel free to submit a [Pull Request](#pr) with a fix for the bug!
-
-## <a id="features"></a> Have a Feature Request?
-
-All feature requests should start with [submitting an issue](#issue) documenting the user story and acceptance criteria. Again, feel free to submit a [Pull Request](#pr) with a proposed implementation of the feature.
-
-## <a id="process"></a> Ready to Contribute
-
-### <a id="issue"></a> Create an issue
-
-Before submitting a new issue, please search the issues to make sure there isn't a similar issue doesn't already exist.
-
-Assuming no existing issues exist, please ensure you include required information when submitting the issue to ensure we can quickly reproduce your issue.
-
-We may have additional questions and will communicate through the GitHub issue, so please respond back to our questions to help reproduce and resolve the issue as quickly as possible.
-
-New issues can be created with in our [GitHub repo](https://github.com/actions-oss/act-cli/issues/new).
-
-### <a id="pr"></a>Pull Requests
-
-Pull requests should target the `master` branch. Please also reference the issue from the description of the pull request using [special keyword syntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close. Please send documentation updates for the [act user guide](https://actions-oss.github.io/act-docs/) to [actions-oss/act-docs](https://github.com/actions-oss/act-docs).
-
-### <a id="style"></a> Styleguide
-
-When submitting code, please make every effort to follow existing conventions and style in order to keep the code as readable as possible. Here are a few points to keep in mind:
-
- Please run `go fmt ./...` before committing to ensure code aligns with go standards.
- We use [`golangci-lint`](https://golangci-lint.run/) for linting Go code, run `golangci-lint run --fix` before submitting PR. Editors such as Visual Studio Code or JetBrains IntelliJ; with Go support plugin will offer `golangci-lint` automatically.
- There are additional linters and formatters for files such as Markdown documents or YAML/JSON:
-  - Please refer to the [Makefile](Makefile) or [`lint` job in our workflow](.github/workflows/checks.yml) to see how to those linters/formatters work.
-  - You can lint codebase by running `go run main.go -j lint --env RUN_LOCAL=true` or `act -j lint --env RUN_LOCAL=true`
-  - In `Makefile`, there are tools that require `npx` which is shipped with `nodejs`.
-  - Our `Makefile` exports `GITHUB_TOKEN` from `~/.config/github/token`, you have been warned.
-  - You can run `make pr` to cleanup dependencies, format/lint code and run tests.
- All dependencies must be defined in the `go.mod` file.
-  - Advanced IDEs and code editors (like VSCode) will take care of that, but to be sure, run `go mod tidy` to validate dependencies.
- For details on the approved style, check out [Effective Go](https://golang.org/doc/effective_go.html).
- Before running tests, please be aware that they are multi-architecture so for them to not fail, you need to run `docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64` before ([more info available in #765](https://github.com/nektos/act/issues/765)).
-
-Also, consider the original design principles:
-
- **Polyglot** - There will be no prescribed language or framework for developing the microservices. The only requirement will be that the service will be run inside a container and exposed via an HTTP endpoint.
- **Cloud Provider** - At this point, the tool will assume AWS for the cloud provider and will not be written in a cloud agnostic manner. However, this does not preclude refactoring to add support for other providers at a later time.
- **Declarative** - All resource administration will be handled in a declarative vs. imperative manner. A file will be used to declared the desired state of the resources and the tool will simply assert the actual state matches the desired state. The tool will accomplish this by generating CloudFormation templates.
- **Stateless** - The tool will not maintain its own state. Rather, it will rely on the CloudFormation stacks to determine the state of the platform.
- **Secure** - All security will be managed by AWS IAM credentials. No additional authentication or authorization mechanisms will be introduced.
-
-### License
-
-By contributing your code, you agree to license your contribution under the terms of the [MIT License](LICENSE).
-
-All files are released with the MIT license.
--- a/10
+++ b/10
@@ -9,8 +9,8 @@ RUN apk add --no-cache make git
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-}

-COPY . /opt/src/act_runner
-WORKDIR /opt/src/act_runner
+COPY . /opt/src/runner
+WORKDIR /opt/src/runner

 RUN make clean && make build

@@ -21,7 +21,7 @@ FROM docker:28-dind AS dind

 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -37,7 +37,7 @@ FROM docker:28-dind-rootless AS dind-rootless
 USER root
 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -56,7 +56,7 @@ ENTRYPOINT ["s6-svscan","/etc/s6"]
 FROM alpine AS basic
 RUN apk add --no-cache tini bash git tzdata

-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
 COPY scripts/run.sh /usr/local/bin/run.sh

 VOLUME /data
--- a/106
+++ b/106
@@ -1,32 +1,30 @@
 DIST := dist
-EXECUTABLE := act_runner
-GOFMT ?= gofumpt -l
+EXECUTABLE := gitea-runner
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 XGO_VERSION := go-1.26.x
-GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
 DARWIN_ARCHS ?= darwin-12/amd64,darwin-12/arm64
 WINDOWS_ARCHS ?= windows/amd64
-GO_FMT_FILES := $(shell find . -type f -name "*.go" ! -name "generated.*")
 GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "generated.*")

-DOCKER_IMAGE ?= gitea/act_runner
+DOCKER_IMAGE ?= gitea/runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless

-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
 GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1

-ifneq ($(shell uname), Darwin)
-	EXTLDFLAGS = -extldflags "-static" $(null)
-else
-	EXTLDFLAGS =
+STATIC ?=
+EXTLDFLAGS ?=
+ifneq ($(STATIC),)
+	EXTLDFLAGS = -extldflags "-static"
 endif

 ifeq ($(HAS_GO), GO)
@@ -68,19 +66,19 @@ else
 	endif
 endif

-GO_PACKAGES_TO_VET ?= $(filter-out gitea.com/gitea/act_runner/internal/pkg/client/mocks,$(shell $(GO) list ./...))
-
-
 TAGS ?=
-LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)"
+LDFLAGS ?= -X "gitea.com/gitea/runner/internal/pkg/ver.version=v$(RELASE_VERSION)"

+.PHONY: all
 all: build

-fmt:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	$(GOFMT) -w $(GO_FMT_FILES)
+.PHONY: help
+help: Makefile ## print Makefile help information.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile
+
+.PHONY: fmt
+fmt: ## format the Go code
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt

 .PHONY: go-check
 go-check:
@@ -88,28 +86,29 @@ go-check:
 	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
 	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Act Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
+		echo "Gitea Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
 		exit 1; \
 	fi

 .PHONY: fmt-check
-fmt-check:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	@diff=$$($(GOFMT) -d $(GO_FMT_FILES)); \
+fmt-check: fmt
+	@diff=$$(git diff --color=always); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make fmt' and commit the result:"; \
-		echo "$${diff}"; \
+		printf "%s" "$${diff}"; \
 		exit 1; \
-	fi;
+	fi

 .PHONY: deps-tools
 deps-tools: ## install tool dependencies
-	$(GO) install $(GOVULNCHECK_PACKAGE)
+	$(GO) install $(GOLANGCI_LINT_PACKAGE) & \
+	$(GO) install $(GXZ_PACKAGE) & \
+	$(GO) install $(XGO_PACKAGE) & \
+	$(GO) install $(GOVULNCHECK_PACKAGE) & \
+	wait

 .PHONY: lint
-lint: lint-go vet
+lint: lint-go ## lint everything

 .PHONY: lint-go
 lint-go: ## lint go files
@@ -124,64 +123,59 @@ security-check: deps-tools
 	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true

 .PHONY: tidy
-tidy:
+tidy: ## run go mod tidy
 	$(GO) mod tidy

 .PHONY: tidy-check
 tidy-check: tidy
-	@diff=$$(git diff -- go.mod go.sum); \
+	@diff=$$(git diff --color=always -- go.mod go.sum); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make tidy' and commit the result:"; \
-		echo "$${diff}"; \
+		printf "%s" "$${diff}"; \
 		exit 1; \
 	fi

-test: fmt-check security-check
-	@$(GO) test -race -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+.PHONY: test
+test: fmt-check security-check ## test everything
+	@$(GO) test -race -short -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1

-.PHONY: vet
-vet:
-	@echo "Running go vet..."
-	@$(GO) build code.gitea.io/gitea-vet
-	@$(GO) vet -vettool=gitea-vet $(GO_PACKAGES_TO_VET)
+.PHONY: install
+install: $(GOFILES) ## install the runner binary via `go install`
+	$(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)'

-install: $(GOFILES)
-	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'
-
-build: go-check $(EXECUTABLE)
+.PHONY: build
+build: go-check $(EXECUTABLE) ## build the runner binary

 $(EXECUTABLE): $(GOFILES)
-	$(GO) build -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o $@
+	$(GO) build -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@

 .PHONY: deps-backend
-deps-backend:
+deps-backend: ## install backend dependencies
 	$(GO) mod download
-	$(GO) install $(GXZ_PAGAGE)
-	$(GO) install $(XGO_PACKAGE)

 .PHONY: release
-release: release-windows release-linux release-darwin release-copy release-compress release-check
+release: release-windows release-linux release-darwin release-copy release-compress release-check ## build release artifacts

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif
@@ -196,18 +190,20 @@ release-check: | $(DIST_DIRS)

 .PHONY: release-compress
 release-compress: | $(DIST_DIRS)
-	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PAGAGE) -k -9 $${file}; done;
+	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PACKAGE) -k -9 $${file}; done;

 .PHONY: docker
-docker:
+docker: ## build the docker image
 	if ! docker buildx version >/dev/null 2>&1; then \
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .

-clean:
+.PHONY: clean
+clean: ## delete binary and coverage files
 	$(GO) clean -x -i ./...
 	rm -rf coverage.txt $(EXECUTABLE) $(DIST)

-version:
+.PHONY: version
+version: ## print the version
 	@echo $(VERSION)
--- a/README.md
+++ b/README.md
@@ -1,6 +1,4 @@
-# act runner
-
-Act runner is a runner for Gitea based on [Gitea fork](https://gitea.com/gitea/act) of [act](https://github.com/nektos/act).
+# Gitea Runner

 ## Installation

@@ -10,7 +8,7 @@ Docker Engine Community version is required for docker mode. To install Docker C

 ### Download pre-built binary

-Visit [here](https://dl.gitea.com/act_runner/) and download the right version for your platform.
+Visit [here](https://dl.gitea.com/gitea-runner/) and download the right version for your platform.

 ### Build from source

@@ -36,7 +34,7 @@ ENABLED=true
 ### Register

 ```bash
-./act_runner register
+./gitea-runner register
 ```

 And you will be asked to input:
@@ -68,7 +66,7 @@ INFO Runner registered successfully.
 You can also register with command line arguments.

 ```bash
-./act_runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
+./gitea-runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
 ```

 If the registry succeed, it will run immediately. Next time, you could run the runner directly.
@@ -76,32 +74,69 @@ If the registry succeed, it will run immediately. Next time, you could run the r
 ### Run

 ```bash
-./act_runner daemon
+./gitea-runner daemon
 ```

 ### Run with docker

 ```bash
-docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/act_runner:nightly
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/runner:nightly
 ```

+Mount a volume on `/data` if you want the registration file and optional config to survive container recreation (see [scripts/run.sh](scripts/run.sh)).
+
 ### Configuration

-You can also configure the runner with a configuration file.
-The configuration file is a YAML file, you can generate a sample configuration file with `./act_runner generate-config`.
+The runner is configured with a YAML file. Generate a starting point (this matches what ships in the tree):

 ```bash
-./act_runner generate-config > config.yaml
+./gitea-runner generate-config > config.yaml
 ```

-You can specify the configuration file path with `-c`/`--config` argument.
+Pass it with `-c` / `--config` on any command that loads configuration (`register`, `daemon`, `cache-server`):

 ```bash
-./act_runner -c config.yaml register # register with config file
-./act_runner -c config.yaml daemon # run with config file
+./gitea-runner -c config.yaml register
+./gitea-runner -c config.yaml daemon
+./gitea-runner -c config.yaml cache-server
 ```

-You can read the latest version of the configuration file online at [config.example.yaml](internal/pkg/config/config.example.yaml).
+Every option is described in [config.example.yaml](internal/pkg/config/config.example.yaml) (the same content `generate-config` prints).
+
+#### Without a config file
+
+If you omit `-c`, built-in defaults apply (same as an empty YAML document). A small set of **deprecated** environment variables can still override parts of that default config, but **only when no `-c` path was given**; they are ignored if you use a config file:
+
+| Variable | Effect |
+| --- | --- |
+| `GITEA_DEBUG` | If true, sets log level to `debug` |
+| `GITEA_TRACE` | If true, sets log level to `trace` |
+| `GITEA_RUNNER_CAPACITY` | Concurrent jobs (integer) |
+| `GITEA_RUNNER_FILE` | Registration state file path (default `.runner`) |
+| `GITEA_RUNNER_ENVIRON` | Extra job env vars as comma-separated `KEY:VALUE` pairs |
+| `GITEA_RUNNER_ENV_FILE` | Path to an env file merged into job env (same idea as `runner.env_file` in YAML) |
+
+Prefer a YAML file for all settings.
+
+#### Registration vs config labels
+
+If `runner.labels` is set in the YAML file, those labels are used during `register` and the `--labels` CLI flag is ignored.
+
+#### External cache (`actions/cache`)
+
+If `cache.external_server` is set, you must set `cache.external_secret` to the same value on this runner and on the standalone cache server. Run the server with `gitea-runner cache-server` using a config that defines `cache.external_secret` (and matching `cache.dir` / host / port as needed). Flags `--dir`, `--host`, and `--port` on `cache-server` override the file.
+
+#### Official Docker image
+
+Besides `GITEA_INSTANCE_URL` and `GITEA_RUNNER_REGISTRATION_TOKEN`, the image entrypoint supports optional variables such as `CONFIG_FILE` (passed through as `-c`), `GITEA_RUNNER_LABELS`, `GITEA_RUNNER_EPHEMERAL`, `GITEA_RUNNER_ONCE`, `GITEA_RUNNER_NAME`, `GITEA_MAX_REG_ATTEMPTS`, `RUNNER_STATE_FILE`, and `GITEA_RUNNER_REGISTRATION_TOKEN_FILE`. See [scripts/run.sh](scripts/run.sh) for exact behavior.
+
+For a fuller container-oriented walkthrough, see [examples/docker](examples/docker/README.md).
+
+When `container.bind_workdir` is enabled, stale task workspace directories can be cleaned while the runner is idle:
+- directories older than `runner.workdir_cleanup_age` are removed (default: `24h`; set `0` to disable)
+- cleanup runs every `runner.idle_cleanup_interval` (default: `10m`; set `0` to disable)
+- only purely numeric subdirectories under `container.workdir_parent` are treated as task workspaces and may be removed
+- cleanup assumes `container.workdir_parent` is not shared across multiple runners

 ### Example Deployments

--- a/5
+++ b/5
@@ -1,5 +0,0 @@
-VERIFICATION
-Verification is intended to assist the Chocolatey moderators and community
-in verifying that this package's contents are trustworthy.
-
-Checksums: https://github.com/nektos/act/releases, in the checksums.txt file
--- a/1
+++ b/1
@@ -1 +0,0 @@
-0.4.0
--- a/act-cli.nuspec
+++ b/act-cli.nuspec
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
-<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
-  <metadata>
-    <id>act-cli</id>
-    <version>0.0.0</version>
-    <packageSourceUrl>https://github.com/nektos/act</packageSourceUrl>
-    <owners>nektos</owners>
-    <title>act (GitHub Actions CLI)</title>
-    <authors>nektos</authors>
-    <projectUrl>https://github.com/nektos/act</projectUrl>
-    <iconUrl>https://raw.githubusercontent.com/wiki/nektos/act/img/logo-150.png</iconUrl>
-    <copyright>Nektos</copyright>
-    <licenseUrl>https://raw.githubusercontent.com/nektos/act/master/LICENSE</licenseUrl>
-    <requireLicenseAcceptance>true</requireLicenseAcceptance>
-    <projectSourceUrl>https://github.com/nektos/act</projectSourceUrl>
-    <docsUrl>https://raw.githubusercontent.com/nektos/act/master/README.md</docsUrl>
-    <bugTrackerUrl>https://github.com/nektos/act/issues</bugTrackerUrl>
-    <tags>act github-actions actions golang ci devops</tags>
-    <summary>Run your GitHub Actions locally 🚀</summary>
-    <description>Run your GitHub Actions locally 🚀</description>
-  </metadata>
-  <files>
-    <file src="tools/**" target="tools" />
-  </files>
-</package>
--- a/act/LICENSE
+++ b/act/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2022 The Gitea Authors
+Copyright (c) 2019
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/act/artifactcache/doc.go
+++ b/act/artifactcache/doc.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 // Package artifactcache provides a cache handler for the runner.
 //
 // Inspired by https://github.com/sp-ricard-valverde/github-act-cache-server
--- a/act/artifactcache/handler.go
+++ b/act/artifactcache/handler.go
@@ -0,0 +1,884 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/julienschmidt/httprouter"
+	"github.com/sirupsen/logrus"
+	"github.com/timshannon/bolthold"
+	"go.etcd.io/bbolt"
+)
+
+const (
+	apiPath      = "/_apis/artifactcache"
+	internalPath = "/_internal"
+
+	// artifactURLTTL bounds how long a signed artifactLocation URL stays valid.
+	// Short enough that a leaked URL is near-worthless; long enough to let the
+	// @actions/cache client download a big blob that was returned from /cache.
+	artifactURLTTL = 10 * time.Minute
+)
+
+type credKey struct{}
+
+// JobCredential ties a per-job bearer token (ACTIONS_RUNTIME_TOKEN) to the
+// repository that owns it. Every cache entry is stamped with Repo on
+// reserve/commit and checked on read/write so one repo can never observe or
+// poison another repo's cache, even from inside a container that reaches the
+// cache server over the docker bridge network.
+type JobCredential struct {
+	Repo string
+}
+
+// credEntry holds a registered job's credential along with an active
+// registration count. RegisterJob is reference-counted so that if two tasks
+// briefly share an ACTIONS_RUNTIME_TOKEN — e.g. a runner that retries a task
+// after a crash before the old registration is revoked — the first task's
+// revoker does not cut the second task's auth out from under it.
+type credEntry struct {
+	cred JobCredential
+	refs int
+}
+
+type Handler struct {
+	dir      string
+	storage  *Storage
+	router   *httprouter.Router
+	listener net.Listener
+	server   *http.Server
+	logger   logrus.FieldLogger
+
+	gcing atomic.Bool
+	gcAt  time.Time
+
+	outboundIP string
+
+	// internalSecret guards /_internal/{register,revoke}. When set, a remote
+	// runner can use these endpoints to pre-register per-job
+	// ACTIONS_RUNTIME_TOKENs against this server, enabling the same
+	// per-job auth and repo scoping as the embedded handler over the
+	// network. Empty disables the control-plane entirely.
+	internalSecret string
+
+	// secret signs short-lived artifact download URLs. The @actions/cache
+	// toolkit does not send Authorization on the download request, so blob
+	// GETs authenticate via a per-URL HMAC signature with expiry rather than
+	// via the bearer token used for management endpoints.
+	secret []byte
+
+	credMu sync.RWMutex
+	creds  map[string]*credEntry
+}
+
+// StartHandler opens the on-disk cache store and starts the HTTP server.
+//
+// internalSecret, when non-empty, enables a control-plane API at
+// /_internal/{register,revoke} that lets a remote runner pre-register the
+// per-job ACTIONS_RUNTIME_TOKENs it expects this server to honor. The
+// embedded in-process handler leaves it empty and registers tokens via the
+// in-process RegisterJob method directly.
+func StartHandler(dir, outboundIP string, port uint16, internalSecret string, logger logrus.FieldLogger) (*Handler, error) {
+	h := &Handler{
+		creds:          make(map[string]*credEntry),
+		internalSecret: internalSecret,
+	}
+
+	if logger == nil {
+		discard := logrus.New()
+		discard.Out = io.Discard
+		logger = discard
+	}
+	logger = logger.WithField("module", "artifactcache")
+	h.logger = logger
+
+	if dir == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil, err
+		}
+		dir = filepath.Join(home, ".cache", "actcache")
+	}
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return nil, err
+	}
+
+	h.dir = dir
+
+	storage, err := NewStorage(filepath.Join(dir, "cache"))
+	if err != nil {
+		return nil, err
+	}
+	h.storage = storage
+
+	if outboundIP != "" {
+		h.outboundIP = outboundIP
+	} else if ip := common.GetOutboundIP(); ip == nil {
+		return nil, errors.New("unable to determine outbound IP address")
+	} else {
+		h.outboundIP = ip.String()
+	}
+
+	secret, err := loadOrCreateSecret(dir)
+	if err != nil {
+		return nil, err
+	}
+	h.secret = secret
+
+	router := httprouter.New()
+	router.GET(apiPath+"/cache", h.bearerAuth(h.find))
+	router.POST(apiPath+"/caches", h.bearerAuth(h.reserve))
+	router.PATCH(apiPath+"/caches/:id", h.bearerAuth(h.upload))
+	router.POST(apiPath+"/caches/:id", h.bearerAuth(h.commit))
+	router.POST(apiPath+"/clean", h.bearerAuth(h.clean))
+	// Artifact GET is signed via query-string HMAC because @actions/cache
+	// does not attach Authorization when downloading archiveLocation.
+	router.GET(apiPath+"/artifacts/:id", h.signedURLAuth(h.get))
+	// Control-plane: a remote runner registers/revokes per-job tokens so the
+	// cache API can authenticate them. Always wired so the routes exist; the
+	// handlers themselves 401 when internalSecret is unset.
+	router.POST(internalPath+"/register", h.internalAuth(h.internalRegister))
+	router.POST(internalPath+"/revoke", h.internalAuth(h.internalRevoke))
+
+	h.router = router
+
+	h.gcCache()
+
+	// Listen on all interfaces. Binding to outboundIP only would give no real
+	// security benefit (it is the LAN/internet-facing address either way) and
+	// can break Docker Desktop variants where the host's outbound IP is not
+	// routable from inside the container network. Authentication is enforced
+	// by the bearer middleware and per-repo scoping, not by reachability.
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return nil, err
+	}
+	server := &http.Server{
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+	go func() {
+		if err := server.Serve(listener); err != nil && errors.Is(err, net.ErrClosed) {
+			logger.Errorf("http serve: %v", err)
+		}
+	}()
+	h.listener = listener
+	h.server = server
+
+	return h, nil
+}
+
+func (h *Handler) ExternalURL() string {
+	// TODO: make the external url configurable if necessary
+	return fmt.Sprintf("http://%s:%d",
+		h.outboundIP,
+		h.listener.Addr().(*net.TCPAddr).Port)
+}
+
+// RegisterJob makes token a valid bearer credential for cache requests from
+// the given repository and returns a function that removes it. The runner
+// calls this at job start and defers the returned func so that the credential
+// is only accepted while the job is running.
+//
+// Registrations are reference-counted: if a token is already registered, the
+// existing repo is kept and the refcount is incremented. The entry is
+// removed only when every revoker returned by RegisterJob has been called.
+// This keeps a stray re-registration from silently revoking a live job.
+func (h *Handler) RegisterJob(token, repo string) func() {
+	if h == nil || token == "" {
+		return func() {}
+	}
+	h.credMu.Lock()
+	if existing, ok := h.creds[token]; ok {
+		existing.refs++
+	} else {
+		h.creds[token] = &credEntry{
+			cred: JobCredential{Repo: repo},
+			refs: 1,
+		}
+	}
+	h.credMu.Unlock()
+	return func() {
+		h.credMu.Lock()
+		if entry, ok := h.creds[token]; ok {
+			entry.refs--
+			if entry.refs <= 0 {
+				delete(h.creds, token)
+			}
+		}
+		h.credMu.Unlock()
+	}
+}
+
+// RevokeJob explicitly revokes one registration of token, mirroring one call
+// of the closure returned by RegisterJob. Used by the control-plane endpoint
+// so a remote runner can revoke without holding the closure.
+func (h *Handler) RevokeJob(token string) {
+	if h == nil || token == "" {
+		return
+	}
+	h.credMu.Lock()
+	if entry, ok := h.creds[token]; ok {
+		entry.refs--
+		if entry.refs <= 0 {
+			delete(h.creds, token)
+		}
+	}
+	h.credMu.Unlock()
+}
+
+func (h *Handler) lookupCredential(token string) (JobCredential, bool) {
+	h.credMu.RLock()
+	entry, ok := h.creds[token]
+	h.credMu.RUnlock()
+	if !ok {
+		return JobCredential{}, false
+	}
+	return entry.cred, true
+}
+
+// loadOrCreateSecret returns the 32-byte HMAC signing key for artifact URLs,
+// persisted in dir/.secret so signed URLs handed out before a restart stay
+// valid across the restart and so the standalone cache-server can be pointed
+// at by config.Cache.ExternalServer without the URL rotating.
+func loadOrCreateSecret(dir string) ([]byte, error) {
+	path := filepath.Join(dir, ".secret")
+	if data, err := os.ReadFile(path); err == nil {
+		if secret, err := hex.DecodeString(strings.TrimSpace(string(data))); err == nil && len(secret) >= 32 {
+			return secret, nil
+		}
+	} else if !os.IsNotExist(err) {
+		return nil, fmt.Errorf("read cache secret: %w", err)
+	}
+	secret := make([]byte, 32)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, fmt.Errorf("generate cache secret: %w", err)
+	}
+	if err := os.WriteFile(path, []byte(hex.EncodeToString(secret)), 0o600); err != nil {
+		return nil, fmt.Errorf("write cache secret: %w", err)
+	}
+	return secret, nil
+}
+
+func (h *Handler) Close() error {
+	if h == nil {
+		return nil
+	}
+	var retErr error
+	if h.server != nil {
+		err := h.server.Close()
+		if err != nil {
+			retErr = err
+		}
+		h.server = nil
+	}
+	if h.listener != nil {
+		err := h.listener.Close()
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+		if err != nil {
+			retErr = err
+		}
+		h.listener = nil
+	}
+	return retErr
+}
+
+func (h *Handler) openDB() (*bolthold.Store, error) {
+	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
+		Encoder: json.Marshal,
+		Decoder: json.Unmarshal,
+		Options: &bbolt.Options{
+			Timeout:      5 * time.Second,
+			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
+			FreelistType: bbolt.DefaultOptions.FreelistType,
+		},
+	})
+}
+
+// GET /_apis/artifactcache/cache
+func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
+	keys := strings.Split(r.URL.Query().Get("keys"), ",")
+	// cache keys are case insensitive
+	for i, key := range keys {
+		keys[i] = strings.ToLower(key)
+	}
+	version := r.URL.Query().Get("version")
+
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache, err := findCache(db, cred.Repo, keys, version)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	if cache == nil {
+		h.responseJSON(w, r, 204)
+		return
+	}
+
+	if ok, err := h.storage.Exist(cache.ID); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	} else if !ok {
+		_ = db.Delete(cache.ID, cache)
+		h.responseJSON(w, r, 204)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"result":          "hit",
+		"archiveLocation": h.signedArtifactURL(cache.ID, time.Now().Add(artifactURLTTL)),
+		"cacheKey":        cache.Key,
+	})
+}
+
+// POST /_apis/artifactcache/caches
+func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
+	api := &Request{}
+	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	// cache keys are case insensitive
+	api.Key = strings.ToLower(api.Key)
+
+	cache := api.ToCache()
+	cache.Repo = cred.Repo
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	now := time.Now().Unix()
+	cache.CreatedAt = now
+	cache.UsedAt = now
+	if err := insertCache(db, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"cacheId": cache.ID,
+	})
+}
+
+// PATCH /_apis/artifactcache/caches/:id
+func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+	db.Close()
+	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	if err := h.storage.Write(cache.ID, start, r.Body); err != nil {
+		h.responseJSON(w, r, 500, err)
+	}
+	h.useCache(id)
+	h.responseJSON(w, r, 200)
+}
+
+// POST /_apis/artifactcache/caches/:id
+func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+
+	db.Close()
+
+	size, err := h.storage.Commit(cache.ID, cache.Size)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
+	cache.Size = size
+
+	db, err = h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache.Complete = true
+	if err := db.Update(cache.ID, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	h.responseJSON(w, r, 200)
+}
+
+// GET /_apis/artifactcache/artifacts/:id
+// Authenticated via signed URL (see signedURLAuth), not bearer, because the
+// @actions/cache toolkit downloads archiveLocation without Authorization.
+// Repository scoping is already enforced at find() time; the signature binds
+// the URL to the specific cache ID and an expiry.
+func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	h.useCache(id)
+	h.storage.Serve(w, r, uint64(id))
+}
+
+// POST /_apis/artifactcache/clean
+func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	// TODO: don't support force deleting cache entries
+	// see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+	h.responseJSON(w, r, 200)
+}
+
+// bearerAuth resolves ACTIONS_RUNTIME_TOKEN against the set of currently
+// registered jobs. A match attaches the job's JobCredential to the request
+// context; a miss returns 401 before the handler body runs.
+func (h *Handler) bearerAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		token := bearerToken(r)
+		if token == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing bearer token"))
+			return
+		}
+		cred, ok := h.lookupCredential(token)
+		if !ok {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("unknown bearer token"))
+			return
+		}
+		ctx := context.WithValue(r.Context(), credKey{}, cred)
+		handler(w, r.WithContext(ctx), params)
+		go h.gcCache()
+	}
+}
+
+func (h *Handler) signedURLAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, 400, err)
+			return
+		}
+		expStr := r.URL.Query().Get("exp")
+		sig := r.URL.Query().Get("sig")
+		if expStr == "" || sig == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing signature"))
+			return
+		}
+		exp, err := strconv.ParseInt(expStr, 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("invalid expiry"))
+			return
+		}
+		if time.Now().Unix() > exp {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("signature expired"))
+			return
+		}
+		expected := h.computeSignature(id, exp)
+		if !hmac.Equal([]byte(sig), []byte(expected)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("bad signature"))
+			return
+		}
+		handler(w, r, params)
+		go h.gcCache()
+	}
+}
+
+// internalAuth gates the control-plane endpoints. The bearer must
+// constant-time-equal the configured internalSecret. If the secret is empty,
+// the control-plane is disabled and every request gets 404 — which matches
+// the upstream nektos/act behavior of "the route does not exist".
+func (h *Handler) internalAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		if h.internalSecret == "" {
+			http.NotFound(w, r)
+			return
+		}
+		token := bearerToken(r)
+		if token == "" || !hmac.Equal([]byte(token), []byte(h.internalSecret)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("internal: bad secret"))
+			return
+		}
+		handler(w, r, params)
+	}
+}
+
+type internalRegisterBody struct {
+	Token string `json:"token"`
+	Repo  string `json:"repo"`
+}
+
+type internalRevokeBody struct {
+	Token string `json:"token"`
+}
+
+// POST /_internal/register
+func (h *Handler) internalRegister(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRegisterBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RegisterJob(body.Token, body.Repo)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+// POST /_internal/revoke
+func (h *Handler) internalRevoke(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRevokeBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RevokeJob(body.Token)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+func bearerToken(r *http.Request) string {
+	auth := r.Header.Get("Authorization")
+	const prefix = "Bearer "
+	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
+		return auth[len(prefix):]
+	}
+	return ""
+}
+
+func credFromContext(ctx context.Context) JobCredential {
+	if cred, ok := ctx.Value(credKey{}).(JobCredential); ok {
+		return cred
+	}
+	return JobCredential{}
+}
+
+func (h *Handler) computeSignature(cacheID, exp int64) string {
+	mac := hmac.New(sha256.New, h.secret)
+	fmt.Fprintf(mac, "%d:%d", cacheID, exp)
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+func (h *Handler) signedArtifactURL(cacheID uint64, exp time.Time) string {
+	expUnix := exp.Unix()
+	sig := h.computeSignature(int64(cacheID), expUnix)
+	q := url.Values{}
+	q.Set("exp", strconv.FormatInt(expUnix, 10))
+	q.Set("sig", sig)
+	return fmt.Sprintf("%s%s/artifacts/%d?%s", h.ExternalURL(), apiPath, cacheID, q.Encode())
+}
+
+// if not found, return (nil, nil) instead of an error.
+func findCache(db *bolthold.Store, repo string, keys []string, version string) (*Cache, error) {
+	cache := &Cache{}
+	for _, prefix := range keys {
+		// if a key in the list matches exactly, don't return partial matches
+		if err := db.FindOne(cache,
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").Eq(prefix).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err == nil || !errors.Is(err, bolthold.ErrNotFound) {
+			if err != nil {
+				return nil, fmt.Errorf("find cache: %w", err)
+			}
+			return cache, nil
+		}
+		prefixPattern := "^" + regexp.QuoteMeta(prefix)
+		re, err := regexp.Compile(prefixPattern)
+		if err != nil {
+			continue
+		}
+		if err := db.FindOne(cache,
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").RegExp(re).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err != nil {
+			if errors.Is(err, bolthold.ErrNotFound) {
+				continue
+			}
+			return nil, fmt.Errorf("find cache: %w", err)
+		}
+		return cache, nil
+	}
+	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+}
+
+func insertCache(db *bolthold.Store, cache *Cache) error {
+	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
+		return fmt.Errorf("insert cache: %w", err)
+	}
+	// write back id to db
+	if err := db.Update(cache.ID, cache); err != nil {
+		return fmt.Errorf("write back id to db: %w", err)
+	}
+	return nil
+}
+
+func (h *Handler) useCache(id int64) {
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+	cache := &Cache{}
+	if err := db.Get(id, cache); err != nil {
+		return
+	}
+	cache.UsedAt = time.Now().Unix()
+	_ = db.Update(cache.ID, cache)
+}
+
+const (
+	keepUsed   = 30 * 24 * time.Hour
+	keepUnused = 7 * 24 * time.Hour
+	keepTemp   = 5 * time.Minute
+	keepOld    = 5 * time.Minute
+)
+
+func (h *Handler) gcCache() {
+	if h.gcing.Load() {
+		return
+	}
+	if !h.gcing.CompareAndSwap(false, true) {
+		return
+	}
+	defer h.gcing.Store(false)
+
+	if time.Since(h.gcAt) < time.Hour {
+		h.logger.Debugf("skip gc: %v", h.gcAt.String())
+		return
+	}
+	h.gcAt = time.Now()
+	h.logger.Debugf("gc: %v", h.gcAt.String())
+
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+
+	// Remove the caches which are not completed for a while, they are most likely to be broken.
+	var caches []*Cache
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix()).
+		And("Complete").Eq(false),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which have not been used recently.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which are too old.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches with the same key and version within the same
+	// repository, keep the latest one. Aggregation must include Repo so two
+	// repos that happen to share a (key, version) do not evict each other —
+	// otherwise per-repo scoping holds for reads but one repo can age
+	// another out after keepOld.
+	// Also keep the olds which have been used recently for a while in case of the cache is still in use.
+	if results, err := db.FindAggregate(
+		&Cache{},
+		bolthold.Where("Complete").Eq(true),
+		"Repo", "Key", "Version",
+	); err != nil {
+		h.logger.Warnf("find aggregate caches: %v", err)
+	} else {
+		for _, result := range results {
+			if result.Count() <= 1 {
+				continue
+			}
+			result.Sort("CreatedAt")
+			caches = caches[:0]
+			result.Reduction(&caches)
+			for _, cache := range caches[:len(caches)-1] {
+				if time.Since(time.Unix(cache.UsedAt, 0)) < keepOld {
+					// Keep it since it has been used recently, even if it's old.
+					// Or it could break downloading in process.
+					continue
+				}
+				h.storage.Remove(cache.ID)
+				if err := db.Delete(cache.ID, cache); err != nil {
+					h.logger.Warnf("delete cache: %v", err)
+					continue
+				}
+				h.logger.Infof("deleted cache: %+v", cache)
+			}
+		}
+	}
+}
+
+func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int, v ...any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	var data []byte
+	if len(v) == 0 || v[0] == nil {
+		data, _ = json.Marshal(struct{}{})
+	} else if err, ok := v[0].(error); ok {
+		h.logger.Errorf("%v %v: %v", r.Method, r.URL.Path, err)
+		data, _ = json.Marshal(map[string]any{
+			"error": err.Error(),
+		})
+	} else {
+		data, _ = json.Marshal(v[0])
+	}
+	w.WriteHeader(code)
+	_, _ = w.Write(data)
+}
+
+func parseContentRange(s string) (int64, int64, error) {
+	// support the format like "bytes 11-22/*" only
+	s, _, _ = strings.Cut(strings.TrimPrefix(s, "bytes "), "/")
+	s1, s2, _ := strings.Cut(s, "-")
+
+	start, err := strconv.ParseInt(s1, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	stop, err := strconv.ParseInt(s2, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	return start, stop, nil
+}
--- a/act/artifactcache/handler_test.go
+++ b/act/artifactcache/handler_test.go
--- a/act/artifactcache/model.go
+++ b/act/artifactcache/model.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package artifactcache

 type Request struct {
@@ -25,6 +29,7 @@ func (c *Request) ToCache() *Cache {

 type Cache struct {
 	ID        uint64 `json:"id" boltholdKey:"ID"`
+	Repo      string `json:"repo" boltholdIndex:"Repo"`
 	Key       string `json:"key" boltholdIndex:"Key"`
 	Version   string `json:"version" boltholdIndex:"Version"`
 	Size      int64  `json:"cacheSize"`
--- a/act/artifactcache/storage.go
+++ b/act/artifactcache/storage.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package artifactcache

 import (
@@ -6,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strconv"
 )

 type Storage struct {
@@ -103,11 +108,11 @@ func (s *Storage) Remove(id uint64) {
 }

 func (s *Storage) filename(id uint64) string {
-	return filepath.Join(s.rootDir, fmt.Sprintf("%02x", id%0xff), fmt.Sprint(id))
+	return filepath.Join(s.rootDir, fmt.Sprintf("%02x", id%0xff), strconv.FormatUint(id, 10))
 }

 func (s *Storage) tempDir(id uint64) string {
-	return filepath.Join(s.rootDir, "tmp", fmt.Sprint(id))
+	return filepath.Join(s.rootDir, "tmp", strconv.FormatUint(id, 10))
 }

 func (s *Storage) tempName(id uint64, offset int64) string {
--- a/act/artifactcache/testdata/example/example.yaml
+++ b/act/artifactcache/testdata/example/example.yaml
--- a/act/artifacts/server.go
+++ b/act/artifacts/server.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package artifacts

 import (
@@ -13,9 +17,9 @@ import (
 	"strings"
 	"time"

-	"github.com/julienschmidt/httprouter"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"github.com/julienschmidt/httprouter"
 )

 type FileContainerResourceURL struct {
@@ -55,8 +59,7 @@ type WriteFS interface {
 	OpenAppendable(name string) (WritableFile, error)
 }

-type readWriteFSImpl struct {
-}
+type readWriteFSImpl struct{}

 func (fwfs readWriteFSImpl) Open(name string) (fs.File, error) {
 	return os.Open(name)
@@ -74,7 +77,6 @@ func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {
 		return nil, err
 	}
 	file, err := os.OpenFile(name, os.O_CREATE|os.O_RDWR, 0o644)
-
 	if err != nil {
 		return nil, err
 	}
@@ -88,7 +90,7 @@ func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {

 var gzipExtension = ".gz__"

-func safeResolve(baseDir string, relPath string) string {
+func safeResolve(baseDir, relPath string) string {
 	return filepath.Join(baseDir, filepath.Clean(filepath.Join(string(os.PathSeparator), relPath)))
 }

@@ -127,7 +129,6 @@ func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {
 			}
 			return fsys.OpenWritable(safePath)
 		}()
-
 		if err != nil {
 			panic(err)
 		}
@@ -135,11 +136,11 @@ func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {

 		writer, ok := file.(io.Writer)
 		if !ok {
-			panic(errors.New("file is not writable"))
+			panic(errors.New("File is not writable"))
 		}

 		if req.Body == nil {
-			panic(errors.New("no body given"))
+			panic(errors.New("No body given"))
 		}

 		_, err = io.Copy(writer, req.Body)
@@ -160,7 +161,7 @@ func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {
 		}
 	})

-	router.PATCH("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, _ *http.Request, _ httprouter.Params) {
+	router.PATCH("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		json, err := json.Marshal(ResponseMessage{
 			Message: "success",
 		})
@@ -214,7 +215,7 @@ func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
 		safePath := safeResolve(baseDir, filepath.Join(container, itemPath))

 		var files []ContainerItem
-		err := fs.WalkDir(fsys, safePath, func(path string, entry fs.DirEntry, _ error) error {
+		err := fs.WalkDir(fsys, safePath, func(path string, entry fs.DirEntry, err error) error {
 			if !entry.IsDir() {
 				rel, err := filepath.Rel(safePath, path)
 				if err != nil {
@@ -253,7 +254,7 @@ func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
 		}
 	})

-	router.GET("/artifact/*path", func(w http.ResponseWriter, _ *http.Request, params httprouter.Params) {
+	router.GET("/artifact/*path", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		path := params.ByName("path")[1:]

 		safePath := safeResolve(baseDir, path)
@@ -275,7 +276,7 @@ func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
 	})
 }

-func Serve(ctx context.Context, artifactPath string, addr string, port string) context.CancelFunc {
+func Serve(ctx context.Context, artifactPath, addr, port string) context.CancelFunc {
 	serverContext, cancel := context.WithCancel(ctx)
 	logger := common.Logger(serverContext)

@@ -289,7 +290,6 @@ func Serve(ctx context.Context, artifactPath string, addr string, port string) c
 	fsys := readWriteFSImpl{}
 	uploads(router, artifactPath, fsys)
 	downloads(router, artifactPath, fsys)
-	RoutesV4(router, artifactPath, fsys, fsys)

 	server := &http.Server{
 		Addr:              fmt.Sprintf("%s:%s", addr, port),
@@ -310,7 +310,7 @@ func Serve(ctx context.Context, artifactPath string, addr string, port string) c
 		<-serverContext.Done()

 		if err := server.Shutdown(ctx); err != nil {
-			logger.Errorf("failed shutdown gracefully - force shutdown: %v", err)
+			logger.Errorf("Failed shutdown gracefully - force shutdown: %v", err)
 			server.Close()
 		}
 	}()
--- a/act/artifacts/server_test.go
+++ b/act/artifacts/server_test.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package artifacts

 import (
@@ -13,12 +17,12 @@ import (
 	"testing"
 	"testing/fstest"

+	"gitea.com/gitea/runner/act/model"
+	"gitea.com/gitea/runner/act/runner"
+
 	"github.com/julienschmidt/httprouter"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
-
-	"github.com/actions-oss/act-cli/pkg/model"
-	"github.com/actions-oss/act-cli/pkg/runner"
 )

 type writableMapFile struct {
@@ -39,7 +43,7 @@ type writeMapFS struct {
 }

 func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
-	var file = &writableMapFile{
+	file := &writableMapFile{
 		MapFile: fstest.MapFile{
 			Data: []byte("content2"),
 		},
@@ -50,7 +54,7 @@ func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
 }

 func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
-	var file = &writableMapFile{
+	file := &writableMapFile{
 		MapFile: fstest.MapFile{
 			Data: []byte("content2"),
 		},
@@ -63,12 +67,12 @@ func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
 func TestNewArtifactUploadPrepare(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
 	uploads(router, "artifact/server/path", writeMapFS{memfs})

-	req, _ := http.NewRequest("POST", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	req, _ := http.NewRequest(http.MethodPost, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -89,12 +93,12 @@ func TestNewArtifactUploadPrepare(t *testing.T) {
 func TestArtifactUploadBlob(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
 	uploads(router, "artifact/server/path", writeMapFS{memfs})

-	req, _ := http.NewRequest("PUT", "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -116,12 +120,12 @@ func TestArtifactUploadBlob(t *testing.T) {
 func TestFinalizeArtifactUpload(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
 	uploads(router, "artifact/server/path", writeMapFS{memfs})

-	req, _ := http.NewRequest("PATCH", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	req, _ := http.NewRequest(http.MethodPatch, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -142,7 +146,7 @@ func TestFinalizeArtifactUpload(t *testing.T) {
 func TestListArtifacts(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
 		"artifact/server/path/1/file.txt": {
 			Data: []byte(""),
 		},
@@ -151,7 +155,7 @@ func TestListArtifacts(t *testing.T) {
 	router := httprouter.New()
 	downloads(router, "artifact/server/path", memfs)

-	req, _ := http.NewRequest("GET", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -174,7 +178,7 @@ func TestListArtifacts(t *testing.T) {
 func TestListArtifactContainer(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
 		"artifact/server/path/1/some/file": {
 			Data: []byte(""),
 		},
@@ -183,7 +187,7 @@ func TestListArtifactContainer(t *testing.T) {
 	router := httprouter.New()
 	downloads(router, "artifact/server/path", memfs)

-	req, _ := http.NewRequest("GET", "http://localhost/download/1?itemPath=some/file", nil)
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/download/1?itemPath=some/file", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -198,7 +202,7 @@ func TestListArtifactContainer(t *testing.T) {
 		panic(err)
 	}

-	assert.Equal(1, len(response.Value))
+	assert.Len(response.Value, 1)
 	assert.Equal("some/file", response.Value[0].Path)
 	assert.Equal("file", response.Value[0].ItemType)
 	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
@@ -207,7 +211,7 @@ func TestListArtifactContainer(t *testing.T) {
 func TestDownloadArtifactFile(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
 		"artifact/server/path/1/some/file": {
 			Data: []byte("content"),
 		},
@@ -216,7 +220,7 @@ func TestDownloadArtifactFile(t *testing.T) {
 	router := httprouter.New()
 	downloads(router, "artifact/server/path", memfs)

-	req, _ := http.NewRequest("GET", "http://localhost/artifact/1/some/file", nil)
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/1/some/file", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -249,9 +253,6 @@ func TestArtifactFlow(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
-	if _, ok := os.LookupEnv("NO_EXTERNAL_IP"); ok {
-		t.Skip("skipping test because QEMU is disabled")
-	}

 	ctx := context.Background()

@@ -265,7 +266,6 @@ func TestArtifactFlow(t *testing.T) {
 	tables := []TestJobFileInfo{
 		{"testdata", "upload-and-download", "push", "", platforms, ""},
 		{"testdata", "GHSL-2023-004", "push", "", platforms, ""},
-		{"testdata", "v4", "push", "", platforms, ""},
 	}
 	log.SetLevel(log.DebugLevel)

@@ -276,14 +276,14 @@ func TestArtifactFlow(t *testing.T) {

 func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 	t.Run(tjfi.workflowPath, func(t *testing.T) {
-		fmt.Printf("::group::%s\n", tjfi.workflowPath)
+		fmt.Printf("::group::%s\n", tjfi.workflowPath) //nolint:forbidigo // pre-existing issue from nektos/act

 		if err := os.RemoveAll(artifactsPath); err != nil {
 			panic(err)
 		}

 		workdir, err := filepath.Abs(tjfi.workdir)
-		assert.Nil(t, err, workdir)
+		assert.NoError(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
 		fullWorkflowPath := filepath.Join(workdir, tjfi.workflowPath)
 		runnerConfig := &runner.Config{
 			Workdir:               workdir,
@@ -299,28 +299,30 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 		}

 		runner, err := runner.New(runnerConfig)
-		assert.Nil(t, err, tjfi.workflowPath)
+		assert.NoError(t, err, tjfi.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act

-		planner, err := model.NewWorkflowPlanner(fullWorkflowPath, model.PlannerConfig{})
-		assert.Nil(t, err, fullWorkflowPath)
+		planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
+		assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act

 		plan, err := planner.PlanEvent(tjfi.eventName)
 		if err == nil {
 			err = runner.NewPlanExecutor(plan)(ctx)
 			if tjfi.errorMessage == "" {
-				assert.Nil(t, err, fullWorkflowPath)
+				assert.NoError(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
 			} else {
-				assert.Error(t, err, tjfi.errorMessage)
+				assert.Error(t, err, tjfi.errorMessage) //nolint:testifylint // pre-existing issue from nektos/act
 			}
 		} else {
 			assert.Nil(t, plan)
 		}

-		fmt.Println("::endgroup::")
+		fmt.Println("::endgroup::") //nolint:forbidigo // pre-existing issue from nektos/act
 	})
 }

 func TestMkdirFsImplSafeResolve(t *testing.T) {
+	assert := assert.New(t)
+
 	baseDir := "/foo/bar"

 	tests := map[string]struct {
@@ -338,7 +340,6 @@ func TestMkdirFsImplSafeResolve(t *testing.T) {

 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
-			assert := assert.New(t)
 			assert.Equal(tc.want, safeResolve(baseDir, tc.input))
 		})
 	}
@@ -347,7 +348,7 @@ func TestMkdirFsImplSafeResolve(t *testing.T) {
 func TestDownloadArtifactFileUnsafePath(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
 		"artifact/server/path/some/file": {
 			Data: []byte("content"),
 		},
@@ -356,7 +357,7 @@ func TestDownloadArtifactFileUnsafePath(t *testing.T) {
 	router := httprouter.New()
 	downloads(router, "artifact/server/path", memfs)

-	req, _ := http.NewRequest("GET", "http://localhost/artifact/2/../../some/file", nil)
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/2/../../some/file", nil)
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
@@ -373,12 +374,12 @@ func TestDownloadArtifactFileUnsafePath(t *testing.T) {
 func TestArtifactUploadBlobUnsafePath(t *testing.T) {
 	assert := assert.New(t)

-	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
 	uploads(router, "artifact/server/path", writeMapFS{memfs})

-	req, _ := http.NewRequest("PUT", "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
 	rr := httptest.NewRecorder()

 	router.ServeHTTP(rr, req)
--- a/act/artifacts/testdata/GHSL-2023-004/artifacts.yml
+++ b/act/artifacts/testdata/GHSL-2023-004/artifacts.yml
--- a/act/artifacts/testdata/upload-and-download/artifacts.yml
+++ b/act/artifacts/testdata/upload-and-download/artifacts.yml
--- a/act/common/cartesian.go
+++ b/act/common/cartesian.go
@@ -1,9 +1,13 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 // CartesianProduct takes map of lists and returns list of unique tuples
-func CartesianProduct(mapOfLists map[string][]interface{}) []map[string]interface{} {
+func CartesianProduct(mapOfLists map[string][]any) []map[string]any {
 	listNames := make([]string, 0)
-	lists := make([][]interface{}, 0)
+	lists := make([][]any, 0)
 	for k, v := range mapOfLists {
 		listNames = append(listNames, k)
 		lists = append(lists, v)
@@ -11,9 +15,9 @@ func CartesianProduct(mapOfLists map[string][]interface{}) []map[string]interfac

 	listCart := cartN(lists...)

-	rtn := make([]map[string]interface{}, 0)
+	rtn := make([]map[string]any, 0)
 	for _, list := range listCart {
-		vMap := make(map[string]interface{})
+		vMap := make(map[string]any)
 		for i, v := range list {
 			vMap[listNames[i]] = v
 		}
@@ -22,7 +26,7 @@ func CartesianProduct(mapOfLists map[string][]interface{}) []map[string]interfac
 	return rtn
 }

-func cartN(a ...[]interface{}) [][]interface{} {
+func cartN(a ...[]any) [][]any {
 	c := 1
 	for _, a := range a {
 		c *= len(a)
@@ -30,8 +34,8 @@ func cartN(a ...[]interface{}) [][]interface{} {
 	if c == 0 || len(a) == 0 {
 		return nil
 	}
-	p := make([][]interface{}, c)
-	b := make([]interface{}, c*len(a))
+	p := make([][]any, c)
+	b := make([]any, c*len(a))
 	n := make([]int, len(a))
 	s := 0
 	for i := range p {
--- a/act/common/cartesian_test.go
+++ b/act/common/cartesian_test.go
@@ -1,3 +1,7 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
@@ -8,7 +12,7 @@ import (

 func TestCartesianProduct(t *testing.T) {
 	assert := assert.New(t)
-	input := map[string][]interface{}{
+	input := map[string][]any{
 		"foo": {1, 2, 3, 4},
 		"bar": {"a", "b", "c"},
 		"baz": {false, true},
@@ -25,15 +29,15 @@ func TestCartesianProduct(t *testing.T) {
 		assert.Contains(v, "baz")
 	}

-	input = map[string][]interface{}{
+	input = map[string][]any{
 		"foo": {1, 2, 3, 4},
 		"bar": {},
 		"baz": {false, true},
 	}
 	output = CartesianProduct(input)
-	assert.Len(output, 0)
+	assert.Empty(output)

-	input = map[string][]interface{}{}
+	input = map[string][]any{}
 	output = CartesianProduct(input)
-	assert.Len(output, 0)
+	assert.Empty(output)
 }
--- a/act/common/draw.go
+++ b/act/common/draw.go
@@ -1,3 +1,7 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
@@ -72,6 +76,7 @@ func (p *Pen) drawTopBars(buf io.Writer, labels ...string) {
 	}
 	fmt.Fprintf(buf, "\n")
 }
+
 func (p *Pen) drawBottomBars(buf io.Writer, labels ...string) {
 	style := styleDefs[p.style]
 	for _, label := range labels {
@@ -83,6 +88,7 @@ func (p *Pen) drawBottomBars(buf io.Writer, labels ...string) {
 	}
 	fmt.Fprintf(buf, "\n")
 }
+
 func (p *Pen) drawLabels(buf io.Writer, labels ...string) {
 	style := styleDefs[p.style]
 	for _, label := range labels {
@@ -125,11 +131,8 @@ func (p *Pen) DrawBoxes(labels ...string) *Drawing {

 // Draw to writer
 func (d *Drawing) Draw(writer io.Writer, centerOnWidth int) {
-	padSize := (centerOnWidth - d.GetWidth()) / 2
-	if padSize < 0 {
-		padSize = 0
-	}
-	for _, l := range strings.Split(d.buf.String(), "\n") {
+	padSize := max((centerOnWidth-d.GetWidth())/2, 0)
+	for l := range strings.SplitSeq(d.buf.String(), "\n") {
 		if len(l) > 0 {
 			padding := strings.Repeat(" ", padSize)
 			fmt.Fprintf(writer, "%s%s\n", padding, l)
--- a/act/common/dryrun.go
+++ b/act/common/dryrun.go
@@ -1,3 +1,7 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
--- a/act/common/executor.go
+++ b/act/common/executor.go
@@ -1,9 +1,13 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
 	"context"
-	"errors"
 	"fmt"
+	"runtime/debug"

 	log "github.com/sirupsen/logrus"
 )
@@ -19,7 +23,7 @@ func (w Warning) Error() string {
 }

 // Warningf create a warning
-func Warningf(format string, args ...interface{}) Warning {
+func Warningf(format string, args ...any) Warning {
 	w := Warning{
 		Message: fmt.Sprintf(format, args...),
 	}
@@ -33,7 +37,7 @@ type Executor func(ctx context.Context) error
 type Conditional func(ctx context.Context) bool

 // NewInfoExecutor is an executor that logs messages
-func NewInfoExecutor(format string, args ...interface{}) Executor {
+func NewInfoExecutor(format string, args ...any) Executor {
 	return func(ctx context.Context) error {
 		logger := Logger(ctx)
 		logger.Infof(format, args...)
@@ -42,7 +46,7 @@ func NewInfoExecutor(format string, args ...interface{}) Executor {
 }

 // NewDebugExecutor is an executor that logs messages
-func NewDebugExecutor(format string, args ...interface{}) Executor {
+func NewDebugExecutor(format string, args ...any) Executor {
 	return func(ctx context.Context) error {
 		logger := Logger(ctx)
 		logger.Debugf(format, args...)
@@ -53,7 +57,7 @@ func NewDebugExecutor(format string, args ...interface{}) Executor {
 // NewPipelineExecutor creates a new executor from a series of other executors
 func NewPipelineExecutor(executors ...Executor) Executor {
 	if len(executors) == 0 {
-		return func(_ context.Context) error {
+		return func(ctx context.Context) error {
 			return nil
 		}
 	}
@@ -69,7 +73,7 @@ func NewPipelineExecutor(executors ...Executor) Executor {
 }

 // NewConditionalExecutor creates a new executor based on conditions
-func NewConditionalExecutor(conditional Conditional, trueExecutor Executor, falseExecutor Executor) Executor {
+func NewConditionalExecutor(conditional Conditional, trueExecutor, falseExecutor Executor) Executor {
 	return func(ctx context.Context) error {
 		if conditional(ctx) {
 			if trueExecutor != nil {
@@ -86,7 +90,7 @@ func NewConditionalExecutor(conditional Conditional, trueExecutor Executor, fals

 // NewErrorExecutor creates a new executor that always errors out
 func NewErrorExecutor(err error) Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		return err
 	}
 }
@@ -102,22 +106,40 @@ func NewParallelExecutor(parallel int, executors ...Executor) Executor {
 			parallel = 1
 		}

+		log.Infof("NewParallelExecutor: Creating %d workers for %d executors", parallel, len(executors))
+
 		for i := 0; i < parallel; i++ {
-			go func(work <-chan Executor, errs chan<- error) {
+			go func(workerID int, work <-chan Executor, errs chan<- error) {
+				log.Debugf("Worker %d started", workerID)
+				taskCount := 0
 				for executor := range work {
-					errs <- executor(ctx)
+					taskCount++
+					log.Debugf("Worker %d executing task %d", workerID, taskCount)
+					// Recover from panics in executors to avoid crashing the worker
+					// goroutine which would leave the runner process hung.
+					// https://gitea.com/gitea/runner/issues/371
+					errs <- func() (err error) {
+						defer func() {
+							if r := recover(); r != nil {
+								log.Errorf("panic in executor: %v\n%s", r, debug.Stack())
+								err = fmt.Errorf("panic: %v", r)
 							}
-			}(work, errs)
+						}()
+						return executor(ctx)
+					}()
+				}
+				log.Debugf("Worker %d finished (%d tasks executed)", workerID, taskCount)
+			}(i, work, errs)
 		}

-		for i := 0; i < len(executors); i++ {
+		for i := range executors {
 			work <- executors[i]
 		}
 		close(work)

 		// Executor waits all executors to cleanup these resources.
 		var firstErr error
-		for i := 0; i < len(executors); i++ {
+		for range executors {
 			err := <-errs
 			if firstErr == nil {
 				firstErr = err
@@ -131,31 +153,6 @@ func NewParallelExecutor(parallel int, executors ...Executor) Executor {
 	}
 }

-func NewFieldExecutor(name string, value interface{}, exec Executor) Executor {
-	return func(ctx context.Context) error {
-		return exec(WithLogger(ctx, Logger(ctx).WithField(name, value)))
-	}
-}
-
-// Then runs another executor if this executor succeeds
-func (e Executor) ThenError(then func(ctx context.Context, err error) error) Executor {
-	return func(ctx context.Context) error {
-		err := e(ctx)
-		if err != nil {
-			switch err.(type) {
-			case Warning:
-				Logger(ctx).Warning(err.Error())
-			default:
-				return then(ctx, err)
-			}
-		}
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-		return then(ctx, err)
-	}
-}
-
 // Then runs another executor if this executor succeeds
 func (e Executor) Then(then Executor) Executor {
 	return func(ctx context.Context) error {
@@ -175,25 +172,6 @@ func (e Executor) Then(then Executor) Executor {
 	}
 }

-// Then runs another executor if this executor succeeds
-func (e Executor) OnError(then Executor) Executor {
-	return func(ctx context.Context) error {
-		err := e(ctx)
-		if err != nil {
-			switch err.(type) {
-			case Warning:
-				Logger(ctx).Warning(err.Error())
-			default:
-				return errors.Join(err, then(ctx))
-			}
-		}
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-		return nil
-	}
-}
-
 // If only runs this executor if conditional is true
 func (e Executor) If(conditional Conditional) Executor {
 	return func(ctx context.Context) error {
@@ -216,22 +194,20 @@ func (e Executor) IfNot(conditional Conditional) Executor {

 // IfBool only runs this executor if conditional is true
 func (e Executor) IfBool(conditional bool) Executor {
-	return e.If(func(_ context.Context) bool {
+	return e.If(func(ctx context.Context) bool {
 		return conditional
 	})
 }

 // Finally adds an executor to run after other executor
 func (e Executor) Finally(finally Executor) Executor {
-	return func(ctx context.Context) (err error) {
-		defer func() {
+	return func(ctx context.Context) error {
+		err := e(ctx)
 		err2 := finally(ctx)
 		if err2 != nil {
-				err = fmt.Errorf("error occurred running finally: %v (original error: %v)", err2, err)
+			return fmt.Errorf("Error occurred running finally: %v (original error: %v)", err2, err)
 		}
-		}()
-		err = e(ctx)
-		return
+		return err
 	}
 }

--- a/act/common/executor_max_parallel_test.go
+++ b/act/common/executor_max_parallel_test.go
@@ -0,0 +1,89 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Simple fast test that verifies max-parallel: 2 limits concurrency
+func TestMaxParallel2Quick(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+
+	executors := make([]Executor, 4)
+	for i := range 4 {
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(10 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(2, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.LessOrEqual(t, maxSimultaneous.Load(), int32(2),
+		"Should not exceed max-parallel: 2")
+}
+
+// Test that verifies max-parallel: 1 enforces sequential execution
+func TestMaxParallel1Sequential(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+	var executionOrder []int
+	var orderMutex sync.Mutex
+
+	executors := make([]Executor, 5)
+	for i := range 5 {
+		taskID := i
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Track execution order
+			orderMutex.Lock()
+			executionOrder = append(executionOrder, taskID)
+			orderMutex.Unlock()
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(20 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(1, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, int32(1), maxSimultaneous.Load(),
+		"max-parallel: 1 should only run 1 task at a time")
+	assert.Len(t, executionOrder, 5, "All 5 tasks should have executed")
+}
--- a/act/common/executor_parallel_advanced_test.go
+++ b/act/common/executor_parallel_advanced_test.go
@@ -0,0 +1,283 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestMaxParallelJobExecution tests actual job execution with max-parallel
+func TestMaxParallelJobExecution(t *testing.T) {
+	t.Run("MaxParallel=1 Sequential", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+		var executionOrder []int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				// Track max concurrent
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				mu.Lock()
+				executionOrder = append(executionOrder, taskID)
+				mu.Unlock()
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(1, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should never exceed 1 concurrent execution")
+		assert.Len(t, executionOrder, 5, "All tasks should execute")
+	})
+
+	t.Run("MaxParallel=3 Limited", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(20 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.LessOrEqual(t, int(maxConcurrent), 3, "Should never exceed 3 concurrent executions")
+		assert.GreaterOrEqual(t, int(maxConcurrent), 1, "Should have at least 1 concurrent execution")
+	})
+
+	t.Run("MaxParallel=0 Uses1Worker", func(t *testing.T) {
+		var maxConcurrent int32
+		var currentRunning atomic.Int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		// When maxParallel is 0 or negative, it defaults to 1
+		err := NewParallelExecutor(0, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should use 1 worker when max-parallel is 0")
+	})
+}
+
+// TestMaxParallelWithErrors tests error handling with max-parallel
+func TestMaxParallelWithErrors(t *testing.T) {
+	t.Run("OneTaskFailsOthersContinue", func(t *testing.T) {
+		var successCount int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				if taskID == 2 {
+					return assert.AnError
+				}
+				atomic.AddInt32(&successCount, 1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(2, executors...)(ctx)
+
+		// Should return the error from task 2
+		assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Other tasks should still execute
+		assert.Equal(t, int32(4), successCount, "4 tasks should succeed")
+	})
+
+	t.Run("ContextCancellation", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(context.Background())
+
+		var startedCount int32
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				atomic.AddInt32(&startedCount, 1)
+				time.Sleep(100 * time.Millisecond)
+				return nil
+			}
+		}
+
+		// Cancel after a short delay
+		go func() {
+			time.Sleep(30 * time.Millisecond)
+			cancel()
+		}()
+
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.Error(t, err)                     //nolint:testifylint // pre-existing issue from nektos/act
+		assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Not all tasks should start due to cancellation (but timing may vary)
+		// Just verify cancellation occurred
+		t.Logf("Started %d tasks before cancellation", startedCount)
+	})
+}
+
+// TestMaxParallelPerformance tests performance characteristics
+func TestMaxParallelPerformance(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping performance test in short mode")
+	}
+
+	t.Run("ParallelFasterThanSequential", func(t *testing.T) {
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				time.Sleep(50 * time.Millisecond)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+
+		// Sequential (max-parallel=1)
+		start := time.Now()
+		err := NewParallelExecutor(1, executors...)(ctx)
+		sequentialDuration := time.Since(start)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Parallel (max-parallel=5)
+		start = time.Now()
+		err = NewParallelExecutor(5, executors...)(ctx)
+		parallelDuration := time.Since(start)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Parallel should be significantly faster
+		assert.Less(t, parallelDuration, sequentialDuration/2,
+			"Parallel execution should be at least 2x faster")
+	})
+
+	t.Run("OptimalWorkerCount", func(t *testing.T) {
+		executors := make([]Executor, 20)
+		for i := range 20 {
+			executors[i] = func(ctx context.Context) error {
+				time.Sleep(10 * time.Millisecond)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+
+		// Test with different worker counts
+		workerCounts := []int{1, 2, 5, 10, 20}
+		durations := make(map[int]time.Duration)
+
+		for _, count := range workerCounts {
+			start := time.Now()
+			err := NewParallelExecutor(count, executors...)(ctx)
+			durations[count] = time.Since(start)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+		}
+
+		// More workers should generally be faster (up to a point)
+		assert.Less(t, durations[5], durations[1], "5 workers should be faster than 1")
+		assert.Less(t, durations[10], durations[2], "10 workers should be faster than 2")
+	})
+}
+
+// TestMaxParallelResourceSharing tests resource sharing scenarios
+func TestMaxParallelResourceSharing(t *testing.T) {
+	t.Run("SharedResourceWithMutex", func(t *testing.T) {
+		var sharedCounter int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 100)
+		for i := range 100 {
+			executors[i] = func(ctx context.Context) error {
+				mu.Lock()
+				sharedCounter++
+				mu.Unlock()
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(10, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, 100, sharedCounter, "All tasks should increment counter")
+	})
+
+	t.Run("ChannelCommunication", func(t *testing.T) {
+		resultChan := make(chan int, 50)
+
+		executors := make([]Executor, 50)
+		for i := range 50 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				resultChan <- taskID
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(5, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		close(resultChan)
+
+		results := make(map[int]bool)
+		for result := range resultChan {
+			results[result] = true
+		}
+
+		assert.Len(t, results, 50, "All task IDs should be received")
+	})
+}
--- a/act/common/executor_test.go
+++ b/act/common/executor_test.go
@@ -0,0 +1,158 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewWorkflow(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	// empty
+	emptyWorkflow := NewPipelineExecutor()
+	assert.NoError(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// error case
+	errorWorkflow := NewErrorExecutor(errors.New("test error"))
+	assert.Error(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// multiple success case
+	runcount := 0
+	successWorkflow := NewPipelineExecutor(
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		},
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		})
+	assert.NoError(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(2, runcount)
+}
+
+func TestNewConditionalExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	trueCount := 0
+	falseCount := 0
+
+	err := NewConditionalExecutor(func(ctx context.Context) bool {
+		return false
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(0, trueCount)
+	assert.Equal(1, falseCount)
+
+	err = NewConditionalExecutor(func(ctx context.Context) bool {
+		return true
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(1, trueCount)
+	assert.Equal(1, falseCount)
+}
+
+func TestNewParallelExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	var count, activeCount, maxCount atomic.Int32
+	emptyWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+
+		active := activeCount.Add(1)
+		for {
+			m := maxCount.Load()
+			if active <= m || maxCount.CompareAndSwap(m, active) {
+				break
+			}
+		}
+		time.Sleep(2 * time.Second)
+		activeCount.Add(-1)
+
+		return nil
+	})
+
+	err := NewParallelExecutor(2, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(2), maxCount.Load(), "should run at most 2 executors in parallel")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// Reset to test running the executor with 0 parallelism
+	count.Store(0)
+	activeCount.Store(0)
+	maxCount.Store(0)
+
+	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(1), maxCount.Load(), "should run at most 1 executors in parallel")
+	assert.NoError(errSingle)
+}
+
+func TestNewParallelExecutorFailed(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	count := 0
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count++
+		return errors.New("fake error")
+	})
+	err := NewParallelExecutor(1, errorWorkflow)(ctx)
+	assert.Equal(1, count)
+	assert.ErrorIs(context.Canceled, err)
+}
+
+func TestNewParallelExecutorCanceled(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	errExpected := errors.New("fake error")
+
+	var count atomic.Int32
+	successWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return nil
+	})
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return errExpected
+	})
+	err := NewParallelExecutor(3, errorWorkflow, successWorkflow, successWorkflow)(ctx)
+	assert.Equal(int32(3), count.Load())
+	assert.Error(errExpected, err) //nolint:testifylint // pre-existing issue from nektos/act
+}
--- a/act/common/file.go
+++ b/act/common/file.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
@@ -7,7 +11,7 @@ import (
 )

 // CopyFile copy file
-func CopyFile(source string, dest string) (err error) {
+func CopyFile(source, dest string) (err error) {
 	sourcefile, err := os.Open(source)
 	if err != nil {
 		return err
@@ -30,11 +34,11 @@ func CopyFile(source string, dest string) (err error) {
 		}
 	}

-	return
+	return err
 }

 // CopyDir recursive copy of directory
-func CopyDir(source string, dest string) (err error) {
+func CopyDir(source, dest string) (err error) {
 	// get properties of source dir
 	sourceinfo, err := os.Stat(source)
 	if err != nil {
@@ -59,13 +63,13 @@ func CopyDir(source string, dest string) (err error) {
 			// create sub-directories - recursively
 			err = CopyDir(sourcefilepointer, destinationfilepointer)
 			if err != nil {
-				fmt.Println(err)
+				fmt.Println(err) //nolint:forbidigo // pre-existing issue from nektos/act
 			}
 		} else {
 			// perform copy
 			err = CopyFile(sourcefilepointer, destinationfilepointer)
 			if err != nil {
-				fmt.Println(err)
+				fmt.Println(err) //nolint:forbidigo // pre-existing issue from nektos/act
 			}
 		}
 	}
--- a/act/common/git/git.go
+++ b/act/common/git/git.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package git

 import (
@@ -11,6 +15,8 @@ import (
 	"strings"
 	"sync"

+	"gitea.com/gitea/runner/act/common"
+
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
@@ -18,8 +24,6 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/mattn/go-isatty"
 	log "github.com/sirupsen/logrus"
-
-	"github.com/actions-oss/act-cli/pkg/common"
 )

 var (
@@ -28,12 +32,21 @@ var (
 	githubHTTPRegex     = regexp.MustCompile(`^https?://.*github.com.*/(.+)/(.+?)(?:.git)?$`)
 	githubSSHRegex      = regexp.MustCompile(`github.com[:/](.+)/(.+?)(?:.git)?$`)

-	cloneLock sync.Mutex
+	cloneLocks sync.Map // key: clone target directory; value: *sync.Mutex

 	ErrShortRef = errors.New("short SHA references are not supported")
 	ErrNoRepo   = errors.New("unable to find git repo")
 )

+// acquireCloneLock returns an unlock function after locking the per-directory mutex for dir.
+// Only concurrent operations targeting the same directory are erialized; clones into different directories run in parallel.
+func acquireCloneLock(dir string) func() {
+	v, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+	mu := v.(*sync.Mutex)
+	mu.Lock()
+	return mu.Unlock
+}
+
 type Error struct {
 	err    error
 	commit string
@@ -52,7 +65,7 @@ func (e *Error) Commit() string {
 }

 // FindGitRevision get the current git revision
-func FindGitRevision(ctx context.Context, file string) (shortSha string, sha string, err error) {
+func FindGitRevision(ctx context.Context, file string) (shortSha, sha string, err error) {
 	logger := common.Logger(ctx)

 	gitDir, err := git.PlainOpenWithOptions(
@@ -62,7 +75,6 @@ func FindGitRevision(ctx context.Context, file string) (shortSha string, sha str
 			EnableDotGitCommonDir: true,
 		},
 	)
-
 	if err != nil {
 		logger.WithError(err).Error("path", file, "not located inside a git repository")
 		return "", "", err
@@ -74,7 +86,7 @@ func FindGitRevision(ctx context.Context, file string) (shortSha string, sha str
 	}

 	if head.Hash().IsZero() {
-		return "", "", fmt.Errorf("head sha1 could not be resolved")
+		return "", "", errors.New("HEAD sha1 could not be resolved")
 	}

 	hash := head.Hash().String()
@@ -96,8 +108,8 @@ func FindGitRef(ctx context.Context, file string) (string, error) {
 	logger.Debugf("HEAD points to '%s'", ref)

 	// Prefer the git library to iterate over the references and find a matching tag or branch.
-	var refTag = ""
-	var refBranch = ""
+	refTag := ""
+	refBranch := ""
 	repo, err := git.PlainOpenWithOptions(
 		file,
 		&git.PlainOpenOptions{
@@ -105,7 +117,6 @@ func FindGitRef(ctx context.Context, file string) (string, error) {
 			EnableDotGitCommonDir: true,
 		},
 	)
-
 	if err != nil {
 		return "", err
 	}
@@ -126,7 +137,7 @@ func FindGitRef(ctx context.Context, file string) (string, error) {
 		 * it means we checked out a branch
 		 *
 		 * If a branches matches first we must continue and check all tags (all references)
-		 * in case we match with a tag later in the iteration
+		 * in case we match with a tag later in the interation
 		 */
 		if r.Hash().String() == ref {
 			if r.Name().IsTag() {
@@ -144,7 +155,6 @@ func FindGitRef(ctx context.Context, file string) (string, error) {

 		return nil
 	})
-
 	if err != nil {
 		return "", err
 	}
@@ -198,37 +208,24 @@ func findGitRemoteURL(_ context.Context, file, remoteName string) (string, error
 	return remote.Config().URLs[0], nil
 }

-type findStringSubmatcher interface {
-	FindStringSubmatch(string) []string
-}
-
-func matchesRegex(url string, matchers ...findStringSubmatcher) []string {
-	for _, regex := range matchers {
-		if matches := regex.FindStringSubmatch(url); matches != nil {
-			return matches
-		}
-	}
-
-	return nil
-}
-
-// TODO deprecate and remove githubInstance parameter
-func findGitSlug(url string, _ /* githubInstance */ string) (string, string, error) {
-	if matches := matchesRegex(url, codeCommitHTTPRegex, codeCommitSSHRegex); matches != nil {
+func findGitSlug(url, githubInstance string) (string, string, error) { //nolint:unparam // pre-existing issue from nektos/act
+	if matches := codeCommitHTTPRegex.FindStringSubmatch(url); matches != nil {
 		return "CodeCommit", matches[2], nil
-	}
-
-	if matches := matchesRegex(url, githubHTTPRegex, githubSSHRegex); matches != nil {
+	} else if matches := codeCommitSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "CodeCommit", matches[2], nil
+	} else if matches := githubHTTPRegex.FindStringSubmatch(url); matches != nil {
 		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
-	}
-
-	if matches := matchesRegex(url,
-		regexp.MustCompile(`^https?://(?:[^/]+)/([^/]+)/([^/]+)(?:.git)?$`),
-		regexp.MustCompile(`([^/]+)[:/]([^/]+)/([^/]+)(?:.git)?$`),
-	); matches != nil {
+	} else if matches := githubSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+	} else if githubInstance != "github.com" {
+		gheHTTPRegex := regexp.MustCompile(fmt.Sprintf(`^https?://%s/(.+)/(.+?)(?:.git)?$`, githubInstance))
+		gheSSHRegex := regexp.MustCompile(githubInstance + "[:/](.+)/(.+?)(?:.git)?$")
+		if matches := gheHTTPRegex.FindStringSubmatch(url); matches != nil {
+			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+		} else if matches := gheSSHRegex.FindStringSubmatch(url); matches != nil {
 			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
 		}
-
+	}
 	return "", url, nil
 }

@@ -239,19 +236,13 @@ type NewGitCloneExecutorInput struct {
 	Dir         string
 	Token       string
 	OfflineMode bool
+
+	// For Gitea
+	InsecureSkipTLS bool
 }

 // CloneIfRequired ...
 func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input NewGitCloneExecutorInput, logger log.FieldLogger) (*git.Repository, error) {
-	// If the remote URL has changed, remove the directory and clone again.
-	if r, err := git.PlainOpen(input.Dir); err == nil {
-		if remote, err := r.Remote("origin"); err == nil {
-			if len(remote.Config().URLs) > 0 && remote.Config().URLs[0] != input.URL {
-				_ = os.RemoveAll(input.Dir)
-			}
-		}
-	}
-
 	r, err := git.PlainOpen(input.Dir)
 	if err != nil {
 		var progressWriter io.Writer
@@ -261,7 +252,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input
 			} else if lgr, ok := logger.(*log.Logger); ok {
 				progressWriter = lgr.WriterLevel(log.DebugLevel)
 			} else {
-				log.Errorf("unable to get writer from logger (type=%T)", logger)
+				log.Errorf("Unable to get writer from logger (type=%T)", logger)
 				progressWriter = os.Stdout
 			}
 		}
@@ -269,6 +260,8 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input
 		cloneOptions := git.CloneOptions{
 			URL:      input.URL,
 			Progress: progressWriter,
+
+			InsecureSkipTLS: input.InsecureSkipTLS, // For Gitea
 		}
 		if input.Token != "" {
 			cloneOptions.Auth = &http.BasicAuth{
@@ -279,7 +272,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input

 		r, err = git.PlainCloneContext(ctx, input.Dir, false, &cloneOptions)
 		if err != nil {
-			logger.Errorf("unable to clone %v %s: %v", input.URL, refName, err)
+			logger.Errorf("Unable to clone %v %s: %v", input.URL, refName, err)
 			return nil, err
 		}

@@ -293,6 +286,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input

 func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.PullOptions) {
 	fetchOptions.RefSpecs = []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"}
+	fetchOptions.Force = true
 	pullOptions.Force = true

 	if token != "" {
@@ -308,18 +302,15 @@ func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.Pu
 }

 // NewGitCloneExecutor creates an executor to clone git repos
-//
-//nolint:gocyclo
 func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		logger.Infof("  \u2601  git clone '%s' # ref=%s", input.URL, input.Ref)
 		logger.Debugf("  cloning %s to %s", input.URL, input.Dir)

-		cloneLock.Lock()
-		defer cloneLock.Unlock()
+		defer acquireCloneLock(input.Dir)()

-		refName := plumbing.ReferenceName(fmt.Sprintf("refs/heads/%s", input.Ref))
+		refName := plumbing.ReferenceName("refs/heads/" + input.Ref)
 		r, err := CloneIfRequired(ctx, refName, input, logger)
 		if err != nil {
 			return err
@@ -330,6 +321,11 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 		// fetch latest changes
 		fetchOptions, pullOptions := gitOptions(input.Token)

+		if input.InsecureSkipTLS { // For Gitea
+			fetchOptions.InsecureSkipTLS = true
+			pullOptions.InsecureSkipTLS = true
+		}
+
 		if !isOfflineMode {
 			err = r.Fetch(&fetchOptions)
 			if err != nil && !errors.Is(err, git.NoErrAlreadyUpToDate) {
@@ -340,10 +336,10 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 		var hash *plumbing.Hash
 		rev := plumbing.Revision(input.Ref)
 		if hash, err = r.ResolveRevision(rev); err != nil {
-			logger.Errorf("unable to resolve %s: %v", input.Ref, err)
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
 		}

-		if hash.String() != input.Ref && len(input.Ref) >= 4 && strings.HasPrefix(hash.String(), input.Ref) {
+		if hash.String() != input.Ref && strings.HasPrefix(hash.String(), input.Ref) {
 			return &Error{
 				err:    ErrShortRef,
 				commit: hash.String(),
@@ -369,7 +365,7 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 		}

 		if hash, err = r.ResolveRevision(rev); err != nil {
-			logger.Errorf("unable to resolve %s: %v", input.Ref, err)
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
 			return err
 		}

@@ -390,7 +386,7 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 				Branch: sourceRef,
 				Force:  true,
 			}); err != nil {
-				logger.Errorf("unable to checkout %s: %v", sourceRef, err)
+				logger.Errorf("Unable to checkout %s: %v", sourceRef, err)
 				return err
 			}
 		}
@@ -404,7 +400,7 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 		if hash.String() != input.Ref && refType == "branch" {
 			logger.Debugf("Provided ref is not a sha. Updating branch ref after pull")
 			if hash, err = r.ResolveRevision(rev); err != nil {
-				logger.Errorf("unable to resolve %s: %v", input.Ref, err)
+				logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
 				return err
 			}
 		}
@@ -412,7 +408,7 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 			Hash:  *hash,
 			Force: true,
 		}); err != nil {
-			logger.Errorf("unable to checkout %s: %v", *hash, err)
+			logger.Errorf("Unable to checkout %s: %v", *hash, err)
 			return err
 		}

@@ -420,7 +416,7 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 			Mode:   git.HardReset,
 			Commit: *hash,
 		}); err != nil {
-			logger.Errorf("unable to reset to %s: %v", hash.String(), err)
+			logger.Errorf("Unable to reset to %s: %v", hash.String(), err)
 			return err
 		}

--- a/act/common/git/git_test.go
+++ b/act/common/git/git_test.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package git

 import (
@@ -6,51 +10,48 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
+	"sync"
 	"syscall"
 	"testing"
+	"time"

 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"github.com/actions-oss/act-cli/pkg/common"
 )

 func TestFindGitSlug(t *testing.T) {
 	assert := assert.New(t)

-	var slugTests = []struct {
+	slugTests := []struct {
 		url      string // input
 		provider string // expected result
 		slug     string // expected result
 	}{
 		{"https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name", "CodeCommit", "my-repo-name"},
 		{"ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/my-repo", "CodeCommit", "my-repo"},
-		{"git@github.com:actions-oss/act-cli.git", "GitHub", "actions-oss/act-cli"},
-		{"git@github.com:actions-oss/act-cli", "GitHub", "actions-oss/act-cli"},
-		{"https://github.com/actions-oss/act-cli.git", "GitHub", "actions-oss/act-cli"},
-		{"http://github.com/actions-oss/act-cli.git", "GitHub", "actions-oss/act-cli"},
-		{"https://github.com/actions-oss/act-cli", "GitHub", "actions-oss/act-cli"},
-		{"http://github.com/actions-oss/act-cli", "GitHub", "actions-oss/act-cli"},
+		{"git@github.com:nektos/act.git", "GitHub", "nektos/act"},
+		{"git@github.com:nektos/act", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act", "GitHub", "nektos/act"},
 		{"git+ssh://git@github.com/owner/repo.git", "GitHub", "owner/repo"},
 		{"http://myotherrepo.com/act.git", "", "http://myotherrepo.com/act.git"},
-		{"https://gitea.com/actions-oss/act-cli.git", "GitHubEnterprise", "actions-oss/act-cli.git"},
 	}

 	for _, tt := range slugTests {
 		provider, slug, err := findGitSlug(tt.url, "github.com")

-		assert.NoError(err)
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 		assert.Equal(tt.provider, provider)
 		assert.Equal(tt.slug, slug)
 	}
 }

 func testDir(t *testing.T) string {
-	basedir, err := os.MkdirTemp("", "act-test")
-	require.NoError(t, err)
-	t.Cleanup(func() { _ = os.RemoveAll(basedir) })
-	return basedir
+	return t.TempDir()
 }

 func cleanGitHooks(dir string) error {
@@ -80,23 +81,23 @@ func TestFindGitRemoteURL(t *testing.T) {
 	basedir := testDir(t)
 	gitConfig()
 	err := gitCmd("init", basedir)
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	err = cleanGitHooks(basedir)
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	remoteURL := "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name"
 	err = gitCmd("-C", basedir, "remote", "add", "origin", remoteURL)
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act

 	u, err := findGitRemoteURL(context.Background(), basedir, "origin")
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(remoteURL, u)

 	remoteURL = "git@github.com/AwesomeOwner/MyAwesomeRepo.git"
 	err = gitCmd("-C", basedir, "remote", "add", "upstream", remoteURL)
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	u, err = findGitRemoteURL(context.Background(), basedir, "upstream")
-	assert.NoError(err)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(remoteURL, u)
 }

@@ -109,8 +110,8 @@ func TestGitFindRef(t *testing.T) {
 		Assert  func(t *testing.T, ref string, err error)
 	}{
 		"new_repo": {
-			Prepare: func(_ *testing.T, _ string) {},
-			Assert: func(t *testing.T, _ string, err error) {
+			Prepare: func(t *testing.T, dir string) {},
+			Assert: func(t *testing.T, ref string, err error) {
 				require.Error(t, err)
 			},
 		},
@@ -213,15 +214,71 @@ func TestGitCloneExecutor(t *testing.T) {

 			err := clone(context.Background())
 			if tt.Err != nil {
-				assert.Error(t, err)
+				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 				assert.Equal(t, tt.Err, err)
 			} else {
-				assert.Empty(t, err)
+				assert.Empty(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 			}
 		})
 	}
 }

+func TestGitCloneExecutorNonFastForwardRef(t *testing.T) {
+	// Simulate the scenario where a remote ref (e.g. a GitHub PR head ref) changes
+	// non-fast-forward between two fetches. Before the fix, the fetch used Force=false,
+	// causing go-git to return ErrForceNeeded and short-circuit the checkout.
+
+	gitConfig()
+
+	// Create a bare "remote" repo with an initial commit on main and a feature branch.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+	// We need a working clone to push commits from.
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+	// Create a feature branch (simulates refs/pull/N/head).
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-1"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "feature"))
+
+	// First clone via the executor — should succeed and cache the repo.
+	cloneDir := t.TempDir()
+	clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: remoteDir,
+		Ref: "main",
+		Dir: cloneDir,
+	})
+	require.NoError(t, clone(context.Background()))
+
+	// Now force-push the feature branch to a non-fast-forward commit (simulates
+	// a PR rebase). This makes refs/heads/feature non-fast-forward.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "branch", "-D", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-rewritten"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "--force", "origin", "feature"))
+
+	// Also advance main so we can verify the clone picks up the new commit.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "second"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "main"))
+
+	// Second clone to the same directory — before the fix this returned ErrForceNeeded
+	// and left the working tree at the old commit.
+	err := clone(context.Background())
+	require.NoError(t, err, "fetch with non-fast-forward refs must not fail when Force=true")
+
+	// Verify the working tree was actually updated to the latest main commit.
+	out, err := exec.Command("git", "-C", cloneDir, "log", "--oneline", "-1", "--format=%s").Output()
+	require.NoError(t, err)
+	assert.Equal(t, "second", strings.TrimSpace(string(out)), "working tree should be at the latest commit")
+}
+
 func gitConfig() {
 	if os.Getenv("GITHUB_ACTIONS") == "true" {
 		var err error
@@ -242,37 +299,67 @@ func gitCmd(args ...string) error {
 	err := cmd.Run()
 	if exitError, ok := err.(*exec.ExitError); ok {
 		if waitStatus, ok := exitError.Sys().(syscall.WaitStatus); ok {
-			return fmt.Errorf("exit error %d", waitStatus.ExitStatus())
+			return fmt.Errorf("Exit error %d", waitStatus.ExitStatus())
 		}
 		return exitError
 	}
 	return nil
 }

-func TestCloneIfRequired(t *testing.T) {
-	tempDir := t.TempDir()
-	ctx := context.Background()
+func TestAcquireCloneLock(t *testing.T) {
+	t.Run("same directory serializes", func(t *testing.T) {
+		dir := t.TempDir()

-	t.Run("clone", func(t *testing.T) {
-		repo, err := CloneIfRequired(ctx, "refs/heads/main", NewGitCloneExecutorInput{
-			URL: "https://github.com/actions/checkout",
-			Dir: tempDir,
-		}, common.Logger(ctx))
-		assert.NoError(t, err)
-		assert.NotNil(t, repo)
+		unlock1 := acquireCloneLock(dir)
+
+		secondAcquired := make(chan struct{})
+		go func() {
+			unlock := acquireCloneLock(dir)
+			close(secondAcquired)
+			unlock()
+		}()
+
+		select {
+		case <-secondAcquired:
+			t.Fatal("second acquire should block while first holds the lock")
+		case <-time.After(50 * time.Millisecond):
+		}
+
+		unlock1()
+
+		select {
+		case <-secondAcquired:
+		case <-time.After(time.Second):
+			t.Fatal("second acquire should proceed after first releases the lock")
+		}
 	})

-	t.Run("clone different remote", func(t *testing.T) {
-		repo, err := CloneIfRequired(ctx, "refs/heads/main", NewGitCloneExecutorInput{
-			URL: "https://github.com/actions/setup-go",
-			Dir: tempDir,
-		}, common.Logger(ctx))
-		require.NoError(t, err)
-		require.NotNil(t, repo)
+	t.Run("different directories do not block", func(t *testing.T) {
+		dirA := t.TempDir()
+		dirB := t.TempDir()

-		remote, err := repo.Remote("origin")
-		require.NoError(t, err)
-		require.Len(t, remote.Config().URLs, 1)
-		assert.Equal(t, "https://github.com/actions/setup-go", remote.Config().URLs[0])
+		unlockA := acquireCloneLock(dirA)
+		defer unlockA()
+
+		done := make(chan struct{})
+		go func() {
+			unlock := acquireCloneLock(dirB)
+			unlock()
+			close(done)
+		}()
+
+		select {
+		case <-done:
+		case <-time.After(time.Second):
+			t.Fatal("acquire on a different directory must not block")
+		}
+	})
+
+	t.Run("same directory reuses the same mutex", func(t *testing.T) {
+		dir := t.TempDir()
+
+		v1, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		v2, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		require.Same(t, v1, v2)
 	})
 }
--- a/act/common/job_error.go
+++ b/act/common/job_error.go
@@ -0,0 +1,34 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+)
+
+type jobErrorContextKey string
+
+const jobErrorContextKeyVal = jobErrorContextKey("job.error")
+
+// JobError returns the job error for current context if any
+func JobError(ctx context.Context) error {
+	val := ctx.Value(jobErrorContextKeyVal)
+	if val != nil {
+		if container, ok := val.(map[string]error); ok {
+			return container["error"]
+		}
+	}
+	return nil
+}
+
+func SetJobError(ctx context.Context, err error) {
+	ctx.Value(jobErrorContextKeyVal).(map[string]error)["error"] = err
+}
+
+// WithJobErrorContainer adds a value to the context as a container for an error
+func WithJobErrorContainer(ctx context.Context) context.Context {
+	container := map[string]error{}
+	return context.WithValue(ctx, jobErrorContextKeyVal, container)
+}
--- a/act/common/line_writer.go
+++ b/act/common/line_writer.go
@@ -1,3 +1,7 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
--- a/act/common/line_writer_test.go
+++ b/act/common/line_writer_test.go
@@ -1,3 +1,7 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
@@ -18,7 +22,7 @@ func TestLineWriter(t *testing.T) {
 	assert := assert.New(t)
 	write := func(s string) {
 		n, err := lineWriter.Write([]byte(s))
-		assert.NoError(err)
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
 		assert.Equal(len(s), n, s)
 	}

--- a/act/common/logger.go
+++ b/act/common/logger.go
@@ -0,0 +1,52 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+)
+
+type loggerContextKey string
+
+const loggerContextKeyVal = loggerContextKey("logrus.FieldLogger")
+
+// Logger returns the appropriate logger for current context
+func Logger(ctx context.Context) logrus.FieldLogger {
+	val := ctx.Value(loggerContextKeyVal)
+	if val != nil {
+		if logger, ok := val.(logrus.FieldLogger); ok {
+			return logger
+		}
+	}
+	return logrus.StandardLogger()
+}
+
+// WithLogger adds a value to the context for the logger
+func WithLogger(ctx context.Context, logger logrus.FieldLogger) context.Context {
+	return context.WithValue(ctx, loggerContextKeyVal, logger)
+}
+
+type loggerHookKey string
+
+const loggerHookKeyVal = loggerHookKey("logrus.Hook")
+
+// LoggerHook returns the appropriate logger hook for current context
+// the hook affects job logger, not global logger
+func LoggerHook(ctx context.Context) logrus.Hook {
+	val := ctx.Value(loggerHookKeyVal)
+	if val != nil {
+		if hook, ok := val.(logrus.Hook); ok {
+			return hook
+		}
+	}
+	return nil
+}
+
+// WithLoggerHook adds a value to the context for the logger hook
+func WithLoggerHook(ctx context.Context, hook logrus.Hook) context.Context {
+	return context.WithValue(ctx, loggerHookKeyVal, hook)
+}
--- a/act/common/outbound_ip.go
+++ b/act/common/outbound_ip.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package common

 import (
--- a/act/container/DOCKER_LICENSE
+++ b/act/container/DOCKER_LICENSE
--- a/act/container/container_types.go
+++ b/act/container/container_types.go
@@ -1,15 +1,26 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
 	"context"
+	"fmt"
 	"io"
-	"os"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"gitea.com/gitea/runner/act/common"
+
 	"github.com/docker/go-connections/nat"
-	"golang.org/x/term"
 )

+// ExitCodeError reports a non-zero process exit code from a container command.
+type ExitCodeError int
+
+func (e ExitCodeError) Error() string {
+	return fmt.Sprintf("Process completed with exit code %d.", int(e))
+}
+
 // NewContainerInput the input for the New function
 type NewContainerInput struct {
 	Image          string
@@ -32,21 +43,26 @@ type NewContainerInput struct {
 	NetworkAliases []string
 	ExposedPorts   nat.PortSet
 	PortBindings   nat.PortMap
+
+	// Gitea specific
+	AutoRemove   bool
+	ValidVolumes []string
 }

 // FileEntry is a file to copy to a container
 type FileEntry struct {
 	Name string
-	Mode uint32
+	Mode int64
 	Body string
 }

 // Container for managing docker run containers
 type Container interface {
-	Create(capAdd []string, capDrop []string) common.Executor
+	Create(capAdd, capDrop []string) common.Executor
+	ConnectToNetwork(name string) common.Executor
 	Copy(destPath string, files ...*FileEntry) common.Executor
 	CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error
-	CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor
+	CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor
 	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
 	Pull(forcePull bool) common.Executor
 	Start(attach bool) common.Executor
@@ -56,7 +72,6 @@ type Container interface {
 	Remove() common.Executor
 	Close() common.Executor
 	ReplaceLogWriter(io.Writer, io.Writer) (io.Writer, io.Writer)
-	GetHealth(ctx context.Context) Health
 }

 // NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
@@ -76,21 +91,3 @@ type NewDockerPullExecutorInput struct {
 	Username  string
 	Password  string
 }
-
-type Health int
-
-const (
-	HealthStarting Health = iota
-	HealthHealthy
-	HealthUnHealthy
-)
-
-var containerAllocateTerminal bool
-
-func init() {
-	containerAllocateTerminal = term.IsTerminal(int(os.Stdout.Fd()))
-}
-
-func SetContainerAllocateTerminal(val bool) {
-	containerAllocateTerminal = val
-}
--- a/act/container/docker_auth.go
+++ b/act/container/docker_auth.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -6,7 +10,8 @@ import (
 	"context"
 	"strings"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"gitea.com/gitea/runner/act/common"
+
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/credentials"
 	"github.com/docker/docker/api/types/registry"
--- a/act/container/docker_build.go
+++ b/act/container/docker_build.go
@@ -1,21 +1,23 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

 import (
 	"context"
-	"errors"
 	"io"
 	"os"
 	"path/filepath"

-	"github.com/docker/docker/api/types/build"
-	"github.com/moby/go-archive"
+	"gitea.com/gitea/runner/act/common"

+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
 	"github.com/moby/patternmatcher"
-	"github.com/moby/patternmatcher/ignorefile"
-
-	"github.com/actions-oss/act-cli/pkg/common"
 )

 // NewDockerBuildExecutor function to create a run executor for the container
@@ -40,7 +42,7 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 		logger.Debugf("Building image from '%v'", input.ContextDir)

 		tags := []string{input.ImageTag}
-		options := build.ImageBuildOptions{
+		options := types.ImageBuildOptions{
 			Tags:        tags,
 			Remove:      true,
 			Platform:    input.Platform,
@@ -62,15 +64,19 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 		logger.Debugf("Creating image from context dir '%s' with tag '%s' and platform '%s'", input.ContextDir, input.ImageTag, input.Platform)
 		resp, err := cli.ImageBuild(ctx, buildContext, options)

-		err = errors.Join(err, logDockerResponse(logger, resp.Body, err != nil))
+		err = logDockerResponse(logger, resp.Body, err != nil)
+		if err != nil {
 			return err
 		}
+		return nil
+	}
 }
-func createBuildContext(ctx context.Context, contextDir string, relDockerfile string) (io.ReadCloser, error) {
+
+func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (io.ReadCloser, error) {
 	common.Logger(ctx).Debugf("Creating archive for build context dir '%s' with relative dockerfile '%s'", contextDir, relDockerfile)

 	// And canonicalize dockerfile name to a platform-independent one
-	relDockerfile = filepath.ToSlash(relDockerfile)
+	relDockerfile = archive.CanonicalTarNameForPath(relDockerfile)

 	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
 	if err != nil && !os.IsNotExist(err) {
@@ -80,7 +86,7 @@ func createBuildContext(ctx context.Context, contextDir string, relDockerfile st

 	var excludes []string
 	if err == nil {
-		excludes, err = ignorefile.ReadAll(f)
+		excludes, err = dockerignore.ReadAll(f) //nolint:staticcheck // pre-existing issue from nektos/act
 		if err != nil {
 			return nil, err
 		}
@@ -93,7 +99,7 @@ func createBuildContext(ctx context.Context, contextDir string, relDockerfile st
 	// removed. The daemon will remove them for us, if needed, after it
 	// parses the Dockerfile. Ignore errors here, as they will have been
 	// caught by validateContextDirectory above.
-	var includes = []string{"."}
+	includes := []string{"."}
 	keepThem1, _ := patternmatcher.Matches(".dockerignore", excludes)
 	keepThem2, _ := patternmatcher.Matches(relDockerfile, excludes)
 	if keepThem1 || keepThem2 {
--- a/act/container/docker_cli.go
+++ b/act/container/docker_cli.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 // This file is exact copy of https://github.com/docker/cli/blob/9ac8584acfd501c3f4da0e845e3a40ed15c85041/cli/command/container/opts.go
@@ -7,7 +11,7 @@
 // See DOCKER_LICENSE for the full license text.
 //

-//nolint:unparam,errcheck,depguard,deadcode,unused
+//nolint:errcheck,depguard,unused // verbatim copy from docker/cli with minimal changes
 package container

 import (
@@ -19,6 +23,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"regexp"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -37,9 +42,7 @@ import (
 	"github.com/spf13/pflag"
 )

-var (
-	deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)
-)
+var deviceCgroupRuleRegexp = regexp.MustCompile(`^[acb] ([0-9]+|\*):([0-9]+|\*) [rwm]{1,3}$`)

 // containerOptions is a data object with all the options for creating a container
 type containerOptions struct {
@@ -108,7 +111,7 @@ type containerOptions struct {
 	cpusetCpus         string
 	cpusetMems         string
 	blkioWeight        uint16
-	ioMaxBandwidth     uint64
+	ioMaxBandwidth     opts.MemBytes
 	ioMaxIOps          uint64
 	swappiness         int64
 	netMode            opts.NetworkOpt
@@ -285,7 +288,7 @@ func addFlags(flags *pflag.FlagSet) *containerOptions {
 	flags.Var(&copts.deviceReadIOps, "device-read-iops", "Limit read rate (IO per second) from a device")
 	flags.Var(&copts.deviceWriteBps, "device-write-bps", "Limit write rate (bytes per second) to a device")
 	flags.Var(&copts.deviceWriteIOps, "device-write-iops", "Limit write rate (IO per second) to a device")
-	flags.Uint64Var(&copts.ioMaxBandwidth, "io-maxbandwidth", 0, "Maximum IO bandwidth limit for the system drive (Windows only)")
+	flags.Var(&copts.ioMaxBandwidth, "io-maxbandwidth", "Maximum IO bandwidth limit for the system drive (Windows only)")
 	flags.SetAnnotation("io-maxbandwidth", "ostype", []string{"windows"})
 	flags.Uint64Var(&copts.ioMaxIOps, "io-maxiops", 0, "Maximum IOps limit for the system drive (Windows only)")
 	flags.SetAnnotation("io-maxiops", "ostype", []string{"windows"})
@@ -321,8 +324,6 @@ type containerConfig struct {
 // parse parses the args for the specified command and generates a Config,
 // a HostConfig and returns them with the specified command.
 // If the specified args are not valid, it will return an error.
-//
-//nolint:gocyclo
 func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*containerConfig, error) {
 	var (
 		attachStdin  = copts.attach.Get("stdin")
@@ -388,7 +389,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con

 	// Can't evaluate options passed into --tmpfs until we actually mount
 	tmpfs := make(map[string]string)
-	for _, t := range copts.tmpfs.GetSlice() {
+	for _, t := range copts.tmpfs.GetAll() {
 		if arr := strings.SplitN(t, ":", 2); len(arr) > 1 {
 			tmpfs[arr[0]] = arr[1]
 		} else {
@@ -412,7 +413,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		entrypoint = []string{""}
 	}

-	publishOpts := copts.publish.GetSlice()
+	publishOpts := copts.publish.GetAll()
 	var (
 		ports         map[nat.Port]struct{}
 		portBindings  map[nat.Port][]nat.PortBinding
@@ -430,7 +431,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	}

 	// Merge in exposed ports to the map of published ports
-	for _, e := range copts.expose.GetSlice() {
+	for _, e := range copts.expose.GetAll() {
 		if strings.Contains(e, ":") {
 			return nil, errors.Errorf("invalid port format for --expose: %s", e)
 		}
@@ -459,7 +460,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	// parsing flags, we haven't yet sent a _ping to the daemon to determine
 	// what operating system it is.
 	deviceMappings := []container.DeviceMapping{}
-	for _, device := range copts.devices.GetSlice() {
+	for _, device := range copts.devices.GetAll() {
 		var (
 			validated     string
 			deviceMapping container.DeviceMapping
@@ -477,13 +478,13 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	}

 	// collect all the environment variables for the container
-	envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetSlice(), copts.env.GetSlice())
+	envVariables, err := opts.ReadKVEnvStrings(copts.envFile.GetAll(), copts.env.GetAll())
 	if err != nil {
 		return nil, err
 	}

 	// collect all the labels for the container
-	labels, err := opts.ReadKVStrings(copts.labelsFile.GetSlice(), copts.labels.GetSlice())
+	labels, err := opts.ReadKVStrings(copts.labelsFile.GetAll(), copts.labels.GetAll())
 	if err != nil {
 		return nil, err
 	}
@@ -513,19 +514,19 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		return nil, err
 	}

-	loggingOpts, err := parseLoggingOpts(copts.loggingDriver, copts.loggingOpts.GetSlice())
+	loggingOpts, err := parseLoggingOpts(copts.loggingDriver, copts.loggingOpts.GetAll())
 	if err != nil {
 		return nil, err
 	}

-	securityOpts, err := parseSecurityOpts(copts.securityOpt.GetSlice())
+	securityOpts, err := parseSecurityOpts(copts.securityOpt.GetAll())
 	if err != nil {
 		return nil, err
 	}

 	securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(securityOpts)

-	storageOpts, err := parseStorageOpts(copts.storageOpt.GetSlice())
+	storageOpts, err := parseStorageOpts(copts.storageOpt.GetAll())
 	if err != nil {
 		return nil, err
 	}
@@ -559,7 +560,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 			return nil, errors.Errorf("--health-retries cannot be negative")
 		}
 		if copts.healthStartPeriod < 0 {
-			return nil, fmt.Errorf("--health-start-period cannot be negative")
+			return nil, errors.New("--health-start-period cannot be negative")
 		}

 		healthConfig = &container.HealthConfig{
@@ -597,9 +598,9 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		BlkioDeviceReadIOps:  copts.deviceReadIOps.GetList(),
 		BlkioDeviceWriteIOps: copts.deviceWriteIOps.GetList(),
 		IOMaximumIOps:        copts.ioMaxIOps,
-		IOMaximumBandwidth:   copts.ioMaxBandwidth,
+		IOMaximumBandwidth:   uint64(copts.ioMaxBandwidth),
 		Ulimits:              copts.ulimits.GetList(),
-		DeviceCgroupRules:    copts.deviceCgroupRules.GetSlice(),
+		DeviceCgroupRules:    copts.deviceCgroupRules.GetAll(),
 		Devices:              deviceMappings,
 		DeviceRequests:       copts.gpus.Value(),
 	}
@@ -640,7 +641,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		AutoRemove:      copts.autoRemove,
 		Privileged:      copts.privileged,
 		PortBindings:    portBindings,
-		Links:           copts.links.GetSlice(),
+		Links:           copts.links.GetAll(),
 		PublishAllPorts: copts.publishAll,
 		// Make sure the dns fields are never nil.
 		// New containers don't ever have those fields nil,
@@ -650,17 +651,17 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		DNS:            copts.dns.GetAllOrEmpty(),
 		DNSSearch:      copts.dnsSearch.GetAllOrEmpty(),
 		DNSOptions:     copts.dnsOptions.GetAllOrEmpty(),
-		ExtraHosts:     copts.extraHosts.GetSlice(),
-		VolumesFrom:    copts.volumesFrom.GetSlice(),
+		ExtraHosts:     copts.extraHosts.GetAll(),
+		VolumesFrom:    copts.volumesFrom.GetAll(),
 		IpcMode:        container.IpcMode(copts.ipcMode),
 		NetworkMode:    container.NetworkMode(copts.netMode.NetworkMode()),
 		PidMode:        pidMode,
 		UTSMode:        utsMode,
 		UsernsMode:     usernsMode,
 		CgroupnsMode:   cgroupnsMode,
-		CapAdd:         strslice.StrSlice(copts.capAdd.GetSlice()),
-		CapDrop:        strslice.StrSlice(copts.capDrop.GetSlice()),
-		GroupAdd:       copts.groupAdd.GetSlice(),
+		CapAdd:         strslice.StrSlice(copts.capAdd.GetAll()),
+		CapDrop:        strslice.StrSlice(copts.capDrop.GetAll()),
+		GroupAdd:       copts.groupAdd.GetAll(),
 		RestartPolicy:  restartPolicy,
 		SecurityOpt:    securityOpts,
 		StorageOpt:     storageOpts,
@@ -679,7 +680,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 	}

 	if copts.autoRemove && !hostConfig.RestartPolicy.IsNone() {
-		return nil, errors.Errorf("conflicting options: --restart and --rm")
+		return nil, errors.Errorf("Conflicting options: --restart and --rm")
 	}

 	// only set this value if the user provided the flag, else it should default to nil
@@ -778,11 +779,11 @@ func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOption
 	}
 	if copts.aliases.Len() > 0 {
 		n.Aliases = make([]string, copts.aliases.Len())
-		copy(n.Aliases, copts.aliases.GetSlice())
+		copy(n.Aliases, copts.aliases.GetAll())
 	}
 	if copts.links.Len() > 0 {
 		n.Links = make([]string, copts.links.Len())
-		copy(n.Links, copts.links.GetSlice())
+		copy(n.Links, copts.links.GetAll())
 	}
 	if copts.ipv4Address != "" {
 		n.IPv4Address = copts.ipv4Address
@@ -794,7 +795,7 @@ func applyContainerOptions(n *opts.NetworkAttachmentOpts, copts *containerOption
 	// TODO should linkLocalIPs be added to the _first_ network only, or to _all_ networks? (should this be a per-network option as well?)
 	if copts.linkLocalIPs.Len() > 0 {
 		n.LinkLocalIPs = make([]string, copts.linkLocalIPs.Len())
-		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetSlice())
+		copy(n.LinkLocalIPs, copts.linkLocalIPs.GetAll())
 	}
 	return nil
 }
@@ -836,7 +837,7 @@ func convertToStandardNotation(ports []string) ([]string, error) {
 	for _, publish := range ports {
 		if strings.Contains(publish, "=") {
 			params := map[string]string{"protocol": "tcp"}
-			for _, param := range strings.Split(publish, ",") {
+			for param := range strings.SplitSeq(publish, ",") {
 				opt := strings.Split(param, "=")
 				if len(opt) < 2 {
 					return optsList, errors.Errorf("invalid publish opts format (should be name=value but got '%s')", param)
@@ -868,7 +869,7 @@ func parseSecurityOpts(securityOpts []string) ([]string, error) {
 			if strings.Contains(opt, ":") {
 				con = strings.SplitN(opt, ":", 2)
 			} else {
-				return securityOpts, errors.Errorf("invalid --security-opt: %q", opt)
+				return securityOpts, errors.Errorf("Invalid --security-opt: %q", opt)
 			}
 		}
 		if con[0] == "seccomp" && con[1] != "unconfined" {
@@ -987,7 +988,7 @@ func validateDeviceCgroupRule(val string) (string, error) {
 // validDeviceMode checks if the mode for device is valid or not.
 // Valid mode is a composition of r (read), w (write), and m (mknod).
 func validDeviceMode(mode string) bool {
-	var legalDeviceMode = map[rune]bool{
+	legalDeviceMode := map[rune]bool{
 		'r': true,
 		'w': true,
 		'm': true,
@@ -1005,7 +1006,7 @@ func validDeviceMode(mode string) bool {
 }

 // validateDevice validates a path for devices
-func validateDevice(val string, serverOS string) (string, error) {
+func validateDevice(val, serverOS string) (string, error) {
 	switch serverOS {
 	case "linux":
 		return validateLinuxPath(val, validDeviceMode)
@@ -1066,11 +1067,9 @@ func validateLinuxPath(val string, validator func(string) bool) (string, error)
 // validateAttach validates that the specified string is a valid attach option.
 func validateAttach(val string) (string, error) {
 	s := strings.ToLower(val)
-	for _, str := range []string{"stdin", "stdout", "stderr"} {
-		if s == str {
+	if slices.Contains([]string{"stdin", "stdout", "stderr"}, s) {
 		return s, nil
 	}
-	}
 	return val, errors.Errorf("valid streams are STDIN, STDOUT and STDERR")
 }

--- a/act/container/docker_cli_test.go
+++ b/act/container/docker_cli_test.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 // This file is exact copy of https://github.com/docker/cli/blob/9ac8584acfd501c3f4da0e845e3a40ed15c85041/cli/command/container/opts_test.go with:
 // * appended with license information
 // * commented out case 'invalid-mixed-network-types' in test TestParseNetworkConfig
@@ -6,7 +10,7 @@
 // See DOCKER_LICENSE for the full license text.
 //

-//nolint:unparam,whitespace,depguard,dupl,gocritic
+//nolint:depguard,gocritic // verbatim copy from docker/cli tests
 package container

 import (
@@ -73,21 +77,21 @@ func setupRunFlags() (*pflag.FlagSet, *containerOptions) {
 	return flags, copts
 }

-func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig) {
+func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig) {
 	t.Helper()
-	config, hostConfig, networkingConfig, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
+	config, hostConfig, _, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
 	assert.NilError(t, err)
-	return config, hostConfig, networkingConfig
+	return config, hostConfig
 }

 func TestParseRunLinks(t *testing.T) {
-	if _, hostConfig, _ := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
+	if _, hostConfig := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
 		t.Fatalf("Error parsing links. Expected []string{\"a:b\"}, received: %v", hostConfig.Links)
 	}
-	if _, hostConfig, _ := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
+	if _, hostConfig := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
 		t.Fatalf("Error parsing links. Expected []string{\"a:b\", \"c:d\"}, received: %v", hostConfig.Links)
 	}
-	if _, hostConfig, _ := mustParse(t, ""); len(hostConfig.Links) != 0 {
+	if _, hostConfig := mustParse(t, ""); len(hostConfig.Links) != 0 {
 		t.Fatalf("Error parsing links. No link expected, received: %v", hostConfig.Links)
 	}
 }
@@ -136,7 +140,7 @@ func TestParseRunAttach(t *testing.T) {
 	}
 	for _, tc := range tests {
 		t.Run(tc.input, func(t *testing.T) {
-			config, _, _ := mustParse(t, tc.input)
+			config, _ := mustParse(t, tc.input)
 			assert.Equal(t, config.AttachStdin, tc.expected.AttachStdin)
 			assert.Equal(t, config.AttachStdout, tc.expected.AttachStdout)
 			assert.Equal(t, config.AttachStderr, tc.expected.AttachStderr)
@@ -190,12 +194,10 @@ func TestParseRunWithInvalidArgs(t *testing.T) {
 	}
 }

-//nolint:gocyclo
 func TestParseWithVolumes(t *testing.T) {
-
 	// A single volume
 	arr, tryit := setupPlatformVolume([]string{`/tmp`}, []string{`c:\tmp`})
-	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds != nil {
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
 		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[0]]; !exists {
 		t.Fatalf("Error parsing volume flags, %q is missing from volumes. Received %v", tryit, config.Volumes)
@@ -203,7 +205,7 @@ func TestParseWithVolumes(t *testing.T) {

 	// Two volumes
 	arr, tryit = setupPlatformVolume([]string{`/tmp`, `/var`}, []string{`c:\tmp`, `c:\var`})
-	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds != nil {
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
 		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[0]]; !exists {
 		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[0], config.Volumes)
@@ -213,13 +215,13 @@ func TestParseWithVolumes(t *testing.T) {

 	// A single bind mount
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`})
-	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
 		t.Fatalf("Error parsing volume flags, %q should mount-bind the path before the colon into the path after the colon. Received %v %v", arr[0], hostConfig.Binds, config.Volumes)
 	}

 	// Two bind mounts.
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/hostVar:/containerVar`}, []string{os.Getenv("ProgramData") + `:c:\ContainerPD`, os.Getenv("TEMP") + `:c:\containerTmp`})
-	if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 	}

@@ -228,26 +230,26 @@ func TestParseWithVolumes(t *testing.T) {
 	arr, tryit = setupPlatformVolume(
 		[]string{`/hostTmp:/containerTmp:ro`, `/hostVar:/containerVar:rw`},
 		[]string{os.Getenv("TEMP") + `:c:\containerTmp:rw`, os.Getenv("ProgramData") + `:c:\ContainerPD:rw`})
-	if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 	}

 	// Similar to previous test but with alternate modes which are only supported by Linux
 	if runtime.GOOS != "windows" {
 		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:ro,Z`, `/hostVar:/containerVar:rw,Z`}, []string{})
-		if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 		}

 		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:Z`, `/hostVar:/containerVar:z`}, []string{})
-		if _, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
 			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
 		}
 	}

 	// One bind mount and one volume
 	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/containerVar`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`, `c:\containerTmp`})
-	if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
 		t.Fatalf("Error parsing volume flags, %s and %s should only one and only one bind mount %s. Received %s", arr[0], arr[1], arr[0], hostConfig.Binds)
 	} else if _, exists := config.Volumes[arr[1]]; !exists {
 		t.Fatalf("Error parsing volume flags %s and %s. %s is missing from volumes. Received %v", arr[0], arr[1], arr[1], config.Volumes)
@@ -256,18 +258,17 @@ func TestParseWithVolumes(t *testing.T) {
 	// Root to non-c: drive letter (Windows specific)
 	if runtime.GOOS == "windows" {
 		arr, tryit = setupPlatformVolume([]string{}, []string{os.Getenv("SystemDrive") + `\:d:`})
-		if config, hostConfig, _ := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
+		if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
 			t.Fatalf("Error parsing %s. Should have a single bind mount and no volumes", arr[0])
 		}
 	}
-
 }

 // setupPlatformVolume takes two arrays of volume specs - a Unix style
 // spec and a Windows style spec. Depending on the platform being unit tested,
 // it returns one of them, along with a volume string that would be passed
 // on the docker CLI (e.g. -v /bar -v /foo).
-func setupPlatformVolume(u []string, w []string) ([]string, string) {
+func setupPlatformVolume(u, w []string) ([]string, string) {
 	var a []string
 	if runtime.GOOS == "windows" {
 		a = w
@@ -300,9 +301,9 @@ func TestParseWithMacAddress(t *testing.T) {
 	if _, _, _, err := parseRun([]string{invalidMacAddress, "img", "cmd"}); err != nil && err.Error() != "invalidMacAddress is not a valid mac address" {
 		t.Fatalf("Expected an error with %v mac-address, got %v", invalidMacAddress, err)
 	}
-	config, hostConfig, _ := mustParse(t, validMacAddress)
-	fmt.Printf("MacAddress: %+v\n", hostConfig)
-	assert.Equal(t, "92:d0:c6:0a:29:33", config.MacAddress) //nolint:staticcheck
+	if config, _ := mustParse(t, validMacAddress); config.MacAddress != "92:d0:c6:0a:29:33" { //nolint:staticcheck // pre-existing issue from nektos/act
+		t.Fatalf("Expected the config to have '92:d0:c6:0a:29:33' as MacAddress, got '%v'", config.MacAddress) //nolint:staticcheck // pre-existing issue from nektos/act
+	}
 }

 func TestRunFlagsParseWithMemory(t *testing.T) {
@@ -311,7 +312,7 @@ func TestRunFlagsParseWithMemory(t *testing.T) {
 	err := flags.Parse(args)
 	assert.ErrorContains(t, err, `invalid argument "invalid" for "-m, --memory" flag`)

-	_, hostconfig, _ := mustParse(t, "--memory=1G")
+	_, hostconfig := mustParse(t, "--memory=1G")
 	assert.Check(t, is.Equal(int64(1073741824), hostconfig.Memory))
 }

@@ -321,10 +322,10 @@ func TestParseWithMemorySwap(t *testing.T) {
 	err := flags.Parse(args)
 	assert.ErrorContains(t, err, `invalid argument "invalid" for "--memory-swap" flag`)

-	_, hostconfig, _ := mustParse(t, "--memory-swap=1G")
+	_, hostconfig := mustParse(t, "--memory-swap=1G")
 	assert.Check(t, is.Equal(int64(1073741824), hostconfig.MemorySwap))

-	_, hostconfig, _ = mustParse(t, "--memory-swap=-1")
+	_, hostconfig = mustParse(t, "--memory-swap=-1")
 	assert.Check(t, is.Equal(int64(-1), hostconfig.MemorySwap))
 }

@@ -339,14 +340,14 @@ func TestParseHostname(t *testing.T) {
 	hostnameWithDomain := "--hostname=hostname.domainname"
 	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
 	for hostname, expectedHostname := range validHostnames {
-		if config, _, _ := mustParse(t, fmt.Sprintf("--hostname=%s", hostname)); config.Hostname != expectedHostname {
+		if config, _ := mustParse(t, "--hostname="+hostname); config.Hostname != expectedHostname {
 			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
 		}
 	}
-	if config, _, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
 		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
 	}
-	if config, _, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
 		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
 	}
 }
@@ -360,14 +361,14 @@ func TestParseHostnameDomainname(t *testing.T) {
 		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
 	}
 	for domainname, expectedDomainname := range validDomainnames {
-		if config, _, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
 			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
 		}
 	}
-	if config, _, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
 		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
 	}
-	if config, _, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
 		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
 	}
 }
@@ -376,8 +377,6 @@ func TestParseWithExpose(t *testing.T) {
 	invalids := map[string]string{
 		":":                   "invalid port format for --expose: :",
 		"8080:9090":           "invalid port format for --expose: 8080:9090",
-		"/tcp":                "invalid range format for --expose: /tcp, error: empty string specified for ports",
-		"/udp":                "invalid range format for --expose: /udp, error: empty string specified for ports",
 		"NaN/tcp":             `invalid range format for --expose: NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
 		"NaN-NaN/tcp":         `invalid range format for --expose: NaN-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
 		"8080-NaN/tcp":        `invalid range format for --expose: 8080-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
@@ -461,7 +460,6 @@ func TestParseDevice(t *testing.T) {
 			t.Fatalf("Expected %v, got %v", deviceMapping, hostconfig.Devices)
 		}
 	}
-
 }

 func TestParseNetworkConfig(t *testing.T) {
@@ -633,7 +631,7 @@ func TestParseModes(t *testing.T) {
 	}

 	// uts ko
-	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"}) //nolint:dogsled
+	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"})
 	assert.ErrorContains(t, err, "--uts: invalid UTS mode")

 	// uts ok
@@ -677,7 +675,7 @@ func TestParseRestartPolicy(t *testing.T) {
 		},
 	}
 	for restart, expectedError := range invalids {
-		if _, _, _, err := parseRun([]string{fmt.Sprintf("--restart=%s", restart), "img", "cmd"}); err == nil || err.Error() != expectedError {
+		if _, _, _, err := parseRun([]string{"--restart=" + restart, "img", "cmd"}); err == nil || err.Error() != expectedError {
 			t.Fatalf("Expected an error with message '%v' for %v, got %v", expectedError, restart, err)
 		}
 	}
@@ -693,8 +691,8 @@ func TestParseRestartPolicy(t *testing.T) {
 }

 func TestParseRestartPolicyAutoRemove(t *testing.T) {
-	expected := "conflicting options: --restart and --rm"
-	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled
+	expected := "Conflicting options: --restart and --rm"
+	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"})
 	if err == nil || err.Error() != expected {
 		t.Fatalf("Expected error %v, but got none", expected)
 	}
@@ -754,7 +752,7 @@ func TestParseLoggingOpts(t *testing.T) {
 	}
 }

-func TestParseEnvfileVariables(t *testing.T) {
+func TestParseEnvfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
 	e := "open nonexistent: no such file or directory"
 	if runtime.GOOS == "windows" {
 		e = "open nonexistent: The system cannot find the file specified."
@@ -797,7 +795,7 @@ func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
 	}

 	// UTF16 with BOM
-	e := "invalid env file"
+	e := "contains invalid utf8 bytes at line"
 	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
 		t.Fatalf("Expected an error with message '%s', got %v", e, err)
 	}
@@ -807,7 +805,7 @@ func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
 	}
 }

-func TestParseLabelfileVariables(t *testing.T) {
+func TestParseLabelfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
 	e := "open nonexistent: no such file or directory"
 	if runtime.GOOS == "windows" {
 		e = "open nonexistent: The system cannot find the file specified."
@@ -966,7 +964,6 @@ func TestConvertToStandardNotation(t *testing.T) {

 	for key, ports := range valid {
 		convertedPorts, err := convertToStandardNotation(ports)
-
 		if err != nil {
 			assert.NilError(t, err)
 		}
--- a/act/container/docker_images.go
+++ b/act/container/docker_images.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -6,21 +10,21 @@ import (
 	"context"
 	"fmt"

-	cerrdefs "github.com/containerd/errdefs"
-	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
 )

 // ImageExistsLocally returns a boolean indicating if an image with the
 // requested name, tag and architecture exists in the local docker image store
-func ImageExistsLocally(ctx context.Context, imageName string, platform string) (bool, error) {
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
 	cli, err := GetDockerClient(ctx)
 	if err != nil {
 		return false, err
 	}
 	defer cli.Close()

-	inspectImage, err := cli.ImageInspect(ctx, imageName)
-	if cerrdefs.IsNotFound(err) {
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
 		return false, nil
 	} else if err != nil {
 		return false, err
@@ -35,21 +39,21 @@ func ImageExistsLocally(ctx context.Context, imageName string, platform string)

 // RemoveImage removes image from local store, the function is used to run different
 // container image architectures
-func RemoveImage(ctx context.Context, imageName string, force bool, pruneChildren bool) (bool, error) {
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
 	cli, err := GetDockerClient(ctx)
 	if err != nil {
 		return false, err
 	}
 	defer cli.Close()

-	inspectImage, err := cli.ImageInspect(ctx, imageName)
-	if cerrdefs.IsNotFound(err) {
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
 		return false, nil
 	} else if err != nil {
 		return false, err
 	}

-	if _, err = cli.ImageRemove(ctx, inspectImage.ID, image.RemoveOptions{
+	if _, err = cli.ImageRemove(ctx, inspectImage.ID, types.ImageRemoveOptions{
 		Force:         force,
 		PruneChildren: pruneChildren,
 	}); err != nil {
--- a/act/container/docker_images_test.go
+++ b/act/container/docker_images_test.go
@@ -1,12 +1,15 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
 	"context"
 	"io"
-	"os"
 	"testing"

-	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -26,59 +29,43 @@ func TestImageExistsLocally(t *testing.T) {

 	// Test if image exists with specific tag
 	invalidImageTag, err := ImageExistsLocally(ctx, "library/alpine:this-random-tag-will-never-exist", "linux/amd64")
-	assert.Nil(t, err)
-	assert.Equal(t, false, invalidImageTag)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, invalidImageTag)

 	// Test if image exists with specific architecture (image platform)
 	invalidImagePlatform, err := ImageExistsLocally(ctx, "alpine:latest", "windows/amd64")
-	assert.Nil(t, err)
-	assert.Equal(t, false, invalidImagePlatform)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, invalidImagePlatform)

 	// pull an image
 	cli, err := client.NewClientWithOpts(client.FromEnv)
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	cli.NegotiateAPIVersion(context.Background())

 	// Chose alpine latest because it's so small
 	// maybe we should build an image instead so that tests aren't reliable on dockerhub
-	readerDefault, err := cli.ImagePull(ctx, "node:16-buster-slim", image.PullOptions{
+	readerDefault, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
 		Platform: "linux/amd64",
 	})
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	defer readerDefault.Close()
 	_, err = io.ReadAll(readerDefault)
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	imageDefaultArchExists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/amd64")
-	assert.Nil(t, err)
-	assert.Equal(t, true, imageDefaultArchExists)
-}
-
-func TestImageExistsLocallyQemu(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping integration test")
-	}
-	if _, ok := os.LookupEnv("NO_QEMU"); ok {
-		t.Skip("skipping test because QEMU is disabled")
-	}
-
-	ctx := context.Background()
-
-	// pull an image
-	cli, err := client.NewClientWithOpts(client.FromEnv)
-	assert.Nil(t, err)
-	cli.NegotiateAPIVersion(context.Background())
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, imageDefaultArchExists)

 	// Validate if another architecture platform can be pulled
-	readerArm64, err := cli.ImagePull(ctx, "node:16-buster-slim", image.PullOptions{
+	readerArm64, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
 		Platform: "linux/arm64",
 	})
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	defer readerArm64.Close()
 	_, err = io.ReadAll(readerArm64)
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act

 	imageArm64Exists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/arm64")
-	assert.Nil(t, err)
-	assert.Equal(t, true, imageArm64Exists)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, imageArm64Exists)
 }
--- a/act/container/docker_logger.go
+++ b/act/container/docker_logger.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -74,7 +78,7 @@ func logDockerResponse(logger logrus.FieldLogger, dockerResponse io.ReadCloser,
 	return nil
 }

-func writeLog(logger logrus.FieldLogger, isError bool, format string, args ...interface{}) {
+func writeLog(logger logrus.FieldLogger, isError bool, format string, args ...any) {
 	if isError {
 		logger.Errorf(format, args...)
 	} else {
--- a/act/container/docker_network.go
+++ b/act/container/docker_network.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -5,8 +9,9 @@ package container
 import (
 	"context"

-	"github.com/actions-oss/act-cli/pkg/common"
-	"github.com/docker/docker/api/types/network"
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/docker/docker/api/types"
 )

 func NewDockerNetworkCreateExecutor(name string) common.Executor {
@@ -18,11 +23,12 @@ func NewDockerNetworkCreateExecutor(name string) common.Executor {
 		defer cli.Close()

 		// Only create the network if it doesn't exist
-		networks, err := cli.NetworkList(ctx, network.ListOptions{})
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
 		if err != nil {
 			return err
 		}
-		common.Logger(ctx).Debugf("%v", networks)
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
 		for _, network := range networks {
 			if network.Name == name {
 				common.Logger(ctx).Debugf("Network %v exists", name)
@@ -30,7 +36,7 @@ func NewDockerNetworkCreateExecutor(name string) common.Executor {
 			}
 		}

-		_, err = cli.NetworkCreate(ctx, name, network.CreateOptions{
+		_, err = cli.NetworkCreate(ctx, name, types.NetworkCreate{
 			Driver: "bridge",
 			Scope:  "local",
 		})
@@ -50,22 +56,23 @@ func NewDockerNetworkRemoveExecutor(name string) common.Executor {
 		}
 		defer cli.Close()

-		// Make sure that all network of the specified name are removed
+		// Make shure that all network of the specified name are removed
 		// cli.NetworkRemove refuses to remove a network if there are duplicates
-		networks, err := cli.NetworkList(ctx, network.ListOptions{})
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
 		if err != nil {
 			return err
 		}
-		common.Logger(ctx).Debugf("%v", networks)
-		for _, net := range networks {
-			if net.Name == name {
-				result, err := cli.NetworkInspect(ctx, net.ID, network.InspectOptions{})
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
+		for _, network := range networks {
+			if network.Name == name {
+				result, err := cli.NetworkInspect(ctx, network.ID, types.NetworkInspectOptions{})
 				if err != nil {
 					return err
 				}

 				if len(result.Containers) == 0 {
-					if err = cli.NetworkRemove(ctx, net.ID); err != nil {
+					if err = cli.NetworkRemove(ctx, network.ID); err != nil {
 						common.Logger(ctx).Debugf("%v", err)
 					}
 				} else {
--- a/act/container/docker_pull.go
+++ b/act/container/docker_pull.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -9,11 +13,11 @@ import (
 	"fmt"
 	"strings"

-	"github.com/distribution/reference"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/registry"
+	"gitea.com/gitea/runner/act/common"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"github.com/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
 )

 // NewDockerPullExecutor function to create a run executor for the container
@@ -74,8 +78,8 @@ func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
 	}
 }

-func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (image.PullOptions, error) {
-	imagePullOptions := image.PullOptions{
+func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (types.ImagePullOptions, error) {
+	imagePullOptions := types.ImagePullOptions{
 		Platform: input.Platform,
 	}
 	logger := common.Logger(ctx)
--- a/act/container/docker_pull_test.go
+++ b/act/container/docker_pull_test.go
@@ -1,3 +1,7 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -5,7 +9,6 @@ import (
 	"testing"

 	"github.com/docker/cli/cli/config"
-
 	log "github.com/sirupsen/logrus"
 	assert "github.com/stretchr/testify/assert"
 )
@@ -40,15 +43,15 @@ func TestGetImagePullOptions(t *testing.T) {
 	config.SetDir("/non-existent/docker")

 	options, err := getImagePullOptions(ctx, NewDockerPullExecutorInput{})
-	assert.Nil(t, err, "Failed to create ImagePullOptions")
-	assert.Equal(t, "", options.RegistryAuth, "RegistryAuth should be empty if no username or password is set")
+	assert.NoError(t, err, "Failed to create ImagePullOptions")                                                 //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "", options.RegistryAuth, "RegistryAuth should be empty if no username or password is set") //nolint:testifylint // pre-existing issue from nektos/act

 	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
 		Image:    "",
 		Username: "username",
 		Password: "password",
 	})
-	assert.Nil(t, err, "Failed to create ImagePullOptions")
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZCJ9", options.RegistryAuth, "Username and Password should be provided")

 	config.SetDir("testdata/docker-pull-options")
@@ -56,6 +59,6 @@ func TestGetImagePullOptions(t *testing.T) {
 	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
 		Image: "nektos/act",
 	})
-	assert.Nil(t, err, "Failed to create ImagePullOptions")
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZFxuIiwic2VydmVyYWRkcmVzcyI6Imh0dHBzOi8vaW5kZXguZG9ja2VyLmlvL3YxLyJ9", options.RegistryAuth, "RegistryAuth should be taken from local docker config")
 }
--- a/act/container/docker_run.go
+++ b/act/container/docker_run.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -15,28 +19,29 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"time"

-	"dario.cat/mergo"
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/filecollector"
+
 	"github.com/Masterminds/semver"
+	"github.com/docker/cli/cli/compose/loader"
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/gobwas/glob"
+	"github.com/imdario/mergo"
 	"github.com/joho/godotenv"
 	"github.com/kballard/go-shellquote"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
-
-	"github.com/actions-oss/act-cli/pkg/common"
-	"github.com/actions-oss/act-cli/pkg/filecollector"
+	"golang.org/x/term"
 )

 // NewContainer creates a reference to a container
@@ -46,6 +51,25 @@ func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
 	return cr
 }

+func (cr *containerReference) ConnectToNetwork(name string) common.Executor {
+	return common.
+		NewDebugExecutor("%sdocker network connect %s %s", logPrefix, name, cr.input.Name).
+		Then(
+			common.NewPipelineExecutor(
+				cr.connect(),
+				cr.connectToNetwork(name, cr.input.NetworkAliases),
+			).IfNot(common.Dryrun),
+		)
+}
+
+func (cr *containerReference) connectToNetwork(name string, aliases []string) common.Executor {
+	return func(ctx context.Context) error {
+		return cr.cli.NetworkConnect(ctx, name, cr.input.Name, &network.EndpointSettings{
+			Aliases: aliases,
+		})
+	}
+}
+
 // supportsContainerImagePlatform returns true if the underlying Docker server
 // API version is 1.41 and beyond
 func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) bool {
@@ -64,7 +88,7 @@ func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) b
 	return constraint.Check(sv)
 }

-func (cr *containerReference) Create(capAdd []string, capDrop []string) common.Executor {
+func (cr *containerReference) Create(capAdd, capDrop []string) common.Executor {
 	return common.
 		NewInfoExecutor("%sdocker create image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
 		Then(
@@ -121,7 +145,7 @@ func (cr *containerReference) Copy(destPath string, files ...*FileEntry) common.
 	).IfNot(common.Dryrun)
 }

-func (cr *containerReference) CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor {
+func (cr *containerReference) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
 	return common.NewPipelineExecutor(
 		common.NewInfoExecutor("%sdocker cp src=%s dst=%s", logPrefix, srcPath, destPath),
 		cr.copyDir(destPath, srcPath, useGitIgnore),
@@ -137,7 +161,7 @@ func (cr *containerReference) CopyDir(destPath string, srcPath string, useGitIgn

 func (cr *containerReference) GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error) {
 	if common.Dryrun(ctx) {
-		return nil, fmt.Errorf("dryrun is not supported in GetContainerArchive")
+		return nil, errors.New("DRYRUN is not supported in GetContainerArchive")
 	}
 	a, _, err := cr.cli.CopyFromContainer(ctx, cr.id, srcPath)
 	return a, err
@@ -156,7 +180,7 @@ func (cr *containerReference) Exec(command []string, env map[string]string, user
 		common.NewInfoExecutor("%sdocker exec cmd=[%s] user=%s workdir=%s", logPrefix, strings.Join(command, " "), user, workdir),
 		cr.connect(),
 		cr.find(),
-		cr.execExt(command, env, user, workdir),
+		cr.exec(command, env, user, workdir),
 	).IfNot(common.Dryrun)
 }

@@ -169,31 +193,7 @@ func (cr *containerReference) Remove() common.Executor {
 	).IfNot(common.Dryrun)
 }

-func (cr *containerReference) GetHealth(ctx context.Context) Health {
-	resp, err := cr.cli.ContainerInspect(ctx, cr.id)
-	logger := common.Logger(ctx)
-	if err != nil {
-		logger.Errorf("failed to query container health %s", err)
-		return HealthUnHealthy
-	}
-	if resp.Config == nil || resp.Config.Healthcheck == nil || resp.State == nil || resp.State.Health == nil || len(resp.Config.Healthcheck.Test) == 1 && strings.EqualFold(resp.Config.Healthcheck.Test[0], "NONE") {
-		logger.Debugf("no container health check defined")
-		return HealthHealthy
-	}
-
-	logger.Infof("container health of %s (%s) is %s", cr.id, resp.Config.Image, resp.State.Health.Status)
-	switch resp.State.Health.Status {
-	case "starting":
-		return HealthStarting
-	case "healthy":
-		return HealthHealthy
-	case "unhealthy":
-		return HealthUnHealthy
-	}
-	return HealthUnHealthy
-}
-
-func (cr *containerReference) ReplaceLogWriter(stdout io.Writer, stderr io.Writer) (io.Writer, io.Writer) {
+func (cr *containerReference) ReplaceLogWriter(stdout, stderr io.Writer) (io.Writer, io.Writer) {
 	out := cr.input.Stdout
 	err := cr.input.Stderr

@@ -237,7 +237,7 @@ func GetDockerClient(ctx context.Context) (cli client.APIClient, err error) {
 	return cli, nil
 }

-func GetHostInfo(ctx context.Context) (info system.Info, err error) {
+func GetHostInfo(ctx context.Context) (info types.Info, err error) { //nolint:staticcheck // pre-existing issue from nektos/act
 	var cli client.APIClient
 	cli, err = GetDockerClient(ctx)
 	if err != nil {
@@ -290,7 +290,7 @@ func (cr *containerReference) connect() common.Executor {
 }

 func (cr *containerReference) Close() common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		if cr.cli != nil {
 			err := cr.cli.Close()
 			cr.cli = nil
@@ -307,7 +307,7 @@ func (cr *containerReference) find() common.Executor {
 		if cr.id != "" {
 			return nil
 		}
-		containers, err := cr.cli.ContainerList(ctx, container.ListOptions{
+		containers, err := cr.cli.ContainerList(ctx, types.ContainerListOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
 			All: true,
 		})
 		if err != nil {
@@ -335,7 +335,7 @@ func (cr *containerReference) remove() common.Executor {
 		}

 		logger := common.Logger(ctx)
-		err := cr.cli.ContainerRemove(ctx, cr.id, container.RemoveOptions{
+		err := cr.cli.ContainerRemove(ctx, cr.id, types.ContainerRemoveOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
 			RemoveVolumes: true,
 			Force:         true,
 		})
@@ -363,30 +363,50 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config

 	optionsArgs, err := shellquote.Split(input.Options)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot split container options: '%s': '%w'", input.Options, err)
+		return nil, nil, fmt.Errorf("Cannot split container options: '%s': '%w'", input.Options, err)
 	}

 	err = flags.Parse(optionsArgs)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot parse container options: '%s': '%w'", input.Options, err)
+		return nil, nil, fmt.Errorf("Cannot parse container options: '%s': '%w'", input.Options, err)
 	}

+	// FIXME: If everything is fine after gitea/act v0.260.0, remove the following comment.
+	// In the old fork version, the code is
+	// if len(copts.netMode.Value()) == 0 {
+	// 	if err = copts.netMode.Set("host"); err != nil {
+	// 		return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
+	// 	}
+	// }
+	// And it has been commented with:
+	//   If a service container's network is set to `host`, the container will not be able to
+	//   connect to the specified network created for the job container and the service containers.
+	//   So comment out the following code.
+	// Not the if it's necessary to comment it in the new version,
+	// since it's cr.input.NetworkMode now.
+
 	if len(copts.netMode.Value()) == 0 {
 		if err = copts.netMode.Set(cr.input.NetworkMode); err != nil {
-			return nil, nil, fmt.Errorf("cannot parse networkmode=%s. This is an internal error and should not happen: '%w'", cr.input.NetworkMode, err)
+			return nil, nil, fmt.Errorf("Cannot parse networkmode=%s. This is an internal error and should not happen: '%w'", cr.input.NetworkMode, err)
 		}
 	}

+	// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
+	// even if the user specifies `--privileged` in the options string.
+	if !hostConfig.Privileged {
+		copts.privileged = false
+	}
+
 	containerConfig, err := parse(flags, copts, runtime.GOOS)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot process container options: '%s': '%w'", input.Options, err)
+		return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)
 	}

 	logger.Debugf("Custom container.Config from options ==> %+v", containerConfig.Config)

-	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride)
+	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride, mergo.WithAppendSlice)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot merge container.Config options: '%s': '%w'", input.Options, err)
+		return nil, nil, fmt.Errorf("Cannot merge container.Config options: '%s': '%w'", input.Options, err)
 	}
 	logger.Debugf("Merged container.Config ==> %+v", config)

@@ -396,24 +416,29 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 	hostConfig.Mounts = append(hostConfig.Mounts, containerConfig.HostConfig.Mounts...)
 	binds := hostConfig.Binds
 	mounts := hostConfig.Mounts
+	networkMode := hostConfig.NetworkMode
 	err = mergo.Merge(hostConfig, containerConfig.HostConfig, mergo.WithOverride)
 	if err != nil {
-		return nil, nil, fmt.Errorf("cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
+		return nil, nil, fmt.Errorf("Cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
 	}
 	hostConfig.Binds = binds
 	hostConfig.Mounts = mounts
+	if len(copts.netMode.Value()) > 0 {
+		logger.Warn("--network and --net in the options will be ignored.")
+	}
+	hostConfig.NetworkMode = networkMode
 	logger.Debugf("Merged container.HostConfig ==> %+v", hostConfig)

 	return config, hostConfig, nil
 }

-func (cr *containerReference) create(capAdd []string, capDrop []string) common.Executor {
+func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {
 	return func(ctx context.Context) error {
 		if cr.id != "" {
 			return nil
 		}
 		logger := common.Logger(ctx)
-		isTerminal := containerAllocateTerminal
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
 		input := cr.input

 		config := &container.Config{
@@ -423,7 +448,8 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 			ExposedPorts: input.ExposedPorts,
 			Tty:          isTerminal,
 		}
-		logger.Debugf("Common container.Config ==> %+v", config)
+		// For Gitea, reduce log noise
+		// logger.Debugf("Common container.Config ==> %+v", config)

 		if len(input.Cmd) != 0 {
 			config.Cmd = input.Cmd
@@ -465,16 +491,22 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 			Privileged:   input.Privileged,
 			UsernsMode:   container.UsernsMode(input.UsernsMode),
 			PortBindings: input.PortBindings,
+			AutoRemove:   input.AutoRemove,
 		}
-		logger.Debugf("Common container.HostConfig ==> %+v", hostConfig)
+		// For Gitea, reduce log noise
+		// logger.Debugf("Common container.HostConfig ==> %+v", hostConfig)

 		config, hostConfig, err := cr.mergeContainerConfigs(ctx, config, hostConfig)
 		if err != nil {
 			return err
 		}

+		// For Gitea
+		config, hostConfig = cr.sanitizeConfig(ctx, config, hostConfig)
+
 		var networkingConfig *network.NetworkingConfig
-		logger.Debugf("input.NetworkAliases ==> %v", input.NetworkAliases)
+		// For Gitea, reduce log noise
+		// logger.Debugf("input.NetworkAliases ==> %v", input.NetworkAliases)
 		n := hostConfig.NetworkMode
 		// IsUserDefined and IsHost are broken on windows
 		if n.IsUserDefined() && n != "host" && len(input.NetworkAliases) > 0 {
@@ -506,7 +538,7 @@ func (cr *containerReference) extractFromImageEnv(env *map[string]string) common
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)

-		inspect, err := cr.cli.ImageInspect(ctx, cr.input.Image)
+		inspect, _, err := cr.cli.ImageInspectWithRaw(ctx, cr.input.Image)
 		if err != nil {
 			logger.Error(err)
 			return fmt.Errorf("inspect image: %w", err)
@@ -539,7 +571,8 @@ func (cr *containerReference) extractFromImageEnv(env *map[string]string) common
 	}
 }

-func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[string]string, user, workdir string) error {
+func (cr *containerReference) exec(cmd []string, env map[string]string, user, workdir string) common.Executor {
+	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		// Fix slashes when running on Windows
 		if runtime.GOOS == "windows" {
@@ -551,7 +584,7 @@ func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[st
 		}

 		logger.Debugf("Exec command '%s'", cmd)
-	isTerminal := containerAllocateTerminal
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
 		envList := make([]string, 0)
 		for k, v := range env {
 			envList = append(envList, fmt.Sprintf("%s=%s", k, v))
@@ -569,7 +602,7 @@ func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[st
 		}
 		logger.Debugf("Working directory '%s'", wd)

-	idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, container.ExecOptions{
+		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
 			User:         user,
 			Cmd:          cmd,
 			WorkingDir:   wd,
@@ -582,7 +615,7 @@ func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[st
 			return fmt.Errorf("failed to create exec: %w", err)
 		}

-	resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, container.ExecStartOptions{
+		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{
 			Tty: isTerminal,
 		})
 		if err != nil {
@@ -590,7 +623,7 @@ func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[st
 		}
 		defer resp.Close()

-	err = cr.waitForCommand(ctx, isTerminal, resp)
+		err = cr.waitForCommand(ctx, isTerminal, resp, idResp, user, workdir)
 		if err != nil {
 			return err
 		}
@@ -600,47 +633,16 @@ func (cr *containerReference) exec(ctx context.Context, cmd []string, env map[st
 			return fmt.Errorf("failed to inspect exec: %w", err)
 		}

-	switch inspectResp.ExitCode {
-	case 0:
+		if inspectResp.ExitCode == 0 {
 			return nil
-	case 127:
-		return fmt.Errorf("exitcode '%d': command not found, please refer to https://github.com/nektos/act/issues/107 for more information", inspectResp.ExitCode)
-	default:
-		return fmt.Errorf("exitcode '%d': failure", inspectResp.ExitCode)
-	}
-}
-
-//nolint:contextcheck
-func (cr *containerReference) execExt(cmd []string, env map[string]string, user, workdir string) common.Executor {
-	return func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-		done := make(chan error)
-		go func() {
-			defer func() {
-				done <- errors.New("invalid Operation")
-			}()
-			done <- cr.exec(ctx, cmd, env, user, workdir)
-		}()
-		select {
-		case <-ctx.Done():
-			timed, cancelTimed := context.WithTimeout(context.Background(), 2*time.Minute)
-			defer cancelTimed()
-			err := cr.cli.ContainerKill(timed, cr.id, "kill")
-			if err != nil {
-				logger.Error(err)
-			}
-			_ = cr.start()(timed)
-			logger.Info("This step was cancelled")
-			return fmt.Errorf("this step was cancelled: %w", ctx.Err())
-		case ret := <-done:
-			return ret
 		}
+		return ExitCodeError(inspectResp.ExitCode)
 	}
 }

 func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Executor {
 	return func(ctx context.Context) error {
-		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, container.ExecOptions{
+		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
 			Cmd:          []string{"id", opt},
 			AttachStdout: true,
 			AttachStderr: true,
@@ -649,7 +651,7 @@ func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Exe
 			return nil
 		}

-		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, container.ExecStartOptions{})
+		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{})
 		if err != nil {
 			return nil
 		}
@@ -679,7 +681,7 @@ func (cr *containerReference) tryReadGID() common.Executor {
 	return cr.tryReadID("-g", func(id int) { cr.GID = id })
 }

-func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse) error {
+func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, _ types.IDResponse, _, _ string) error {
 	logger := common.Logger(ctx)

 	cmdResponse := make(chan error)
@@ -725,9 +727,6 @@ func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal boo
 }

 func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
-	if common.Dryrun(ctx) {
-		return nil
-	}
 	// Mkdir
 	buf := &bytes.Buffer{}
 	tw := tar.NewWriter(buf)
@@ -737,12 +736,12 @@ func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string
 		Typeflag: tar.TypeDir,
 	})
 	tw.Close()
-	err := cr.cli.CopyToContainer(ctx, cr.id, "/", buf, container.CopyToContainerOptions{})
+	err := cr.cli.CopyToContainer(ctx, cr.id, "/", buf, types.CopyToContainerOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to mkdir to copy content to container: %w", err)
 	}
 	// Copy Content
-	err = cr.cli.CopyToContainer(ctx, cr.id, destPath, tarStream, container.CopyToContainerOptions{})
+	err = cr.cli.CopyToContainer(ctx, cr.id, destPath, tarStream, types.CopyToContainerOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to copy content to container: %w", err)
 	}
@@ -753,7 +752,7 @@ func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string
 	return nil
 }

-func (cr *containerReference) copyDir(dstPath string, srcPath string, useGitIgnore bool) common.Executor {
+func (cr *containerReference) copyDir(dstPath, srcPath string, useGitIgnore bool) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		tarFile, err := os.CreateTemp("", "act")
@@ -816,7 +815,7 @@ func (cr *containerReference) copyDir(dstPath string, srcPath string, useGitIgno
 		if err != nil {
 			return fmt.Errorf("failed to seek tar archive: %w", err)
 		}
-		err = cr.cli.CopyToContainer(ctx, cr.id, "/", tarFile, container.CopyToContainerOptions{})
+		err = cr.cli.CopyToContainer(ctx, cr.id, "/", tarFile, types.CopyToContainerOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to copy content to container: %w", err)
 		}
@@ -833,7 +832,7 @@ func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) c
 			logger.Debugf("Writing entry to tarball %s len:%d", file.Name, len(file.Body))
 			hdr := &tar.Header{
 				Name: file.Name,
-				Mode: int64(file.Mode),
+				Mode: file.Mode,
 				Size: int64(len(file.Body)),
 				Uid:  cr.UID,
 				Gid:  cr.GID,
@@ -850,7 +849,7 @@ func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) c
 		}

 		logger.Debugf("Extracting content to '%s'", dstPath)
-		err := cr.cli.CopyToContainer(ctx, cr.id, dstPath, &buf, container.CopyToContainerOptions{})
+		err := cr.cli.CopyToContainer(ctx, cr.id, dstPath, &buf, types.CopyToContainerOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to copy content to container: %w", err)
 		}
@@ -860,7 +859,7 @@ func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) c

 func (cr *containerReference) attach() common.Executor {
 	return func(ctx context.Context) error {
-		out, err := cr.cli.ContainerAttach(ctx, cr.id, container.AttachOptions{
+		out, err := cr.cli.ContainerAttach(ctx, cr.id, types.ContainerAttachOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
 			Stream: true,
 			Stdout: true,
 			Stderr: true,
@@ -868,7 +867,7 @@ func (cr *containerReference) attach() common.Executor {
 		if err != nil {
 			return fmt.Errorf("failed to attach to container: %w", err)
 		}
-		isTerminal := containerAllocateTerminal
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))

 		var outWriter io.Writer
 		outWriter = cr.input.Stdout
@@ -898,7 +897,7 @@ func (cr *containerReference) start() common.Executor {
 		logger := common.Logger(ctx)
 		logger.Debugf("Starting container: %v", cr.id)

-		if err := cr.cli.ContainerStart(ctx, cr.id, container.StartOptions{}); err != nil {
+		if err := cr.cli.ContainerStart(ctx, cr.id, types.ContainerStartOptions{}); err != nil { //nolint:staticcheck // pre-existing issue from nektos/act
 			return fmt.Errorf("failed to start container: %w", err)
 		}

@@ -927,6 +926,66 @@ func (cr *containerReference) wait() common.Executor {
 			return nil
 		}

-		return fmt.Errorf("exit with `FAILURE`: %v", statusCode)
+		return ExitCodeError(statusCode)
 	}
 }
+
+// For Gitea
+// sanitizeConfig remove the invalid configurations from `config` and `hostConfig`
+func (cr *containerReference) sanitizeConfig(ctx context.Context, config *container.Config, hostConfig *container.HostConfig) (*container.Config, *container.HostConfig) {
+	logger := common.Logger(ctx)
+
+	if len(cr.input.ValidVolumes) > 0 {
+		globs := make([]glob.Glob, 0, len(cr.input.ValidVolumes))
+		for _, v := range cr.input.ValidVolumes {
+			if g, err := glob.Compile(v); err != nil {
+				logger.Errorf("create glob from %s error: %v", v, err)
+			} else {
+				globs = append(globs, g)
+			}
+		}
+		isValid := func(v string) bool {
+			for _, g := range globs {
+				if g.Match(v) {
+					return true
+				}
+			}
+			return false
+		}
+		// sanitize binds
+		sanitizedBinds := make([]string, 0, len(hostConfig.Binds))
+		for _, bind := range hostConfig.Binds {
+			parsed, err := loader.ParseVolume(bind)
+			if err != nil {
+				logger.Warnf("parse volume [%s] error: %v", bind, err)
+				continue
+			}
+			if parsed.Source == "" {
+				// anonymous volume
+				sanitizedBinds = append(sanitizedBinds, bind)
+				continue
+			}
+			if isValid(parsed.Source) {
+				sanitizedBinds = append(sanitizedBinds, bind)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", parsed.Source)
+			}
+		}
+		hostConfig.Binds = sanitizedBinds
+		// sanitize mounts
+		sanitizedMounts := make([]mount.Mount, 0, len(hostConfig.Mounts))
+		for _, mt := range hostConfig.Mounts {
+			if isValid(mt.Source) {
+				sanitizedMounts = append(sanitizedMounts, mt)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", mt.Source)
+			}
+		}
+		hostConfig.Mounts = sanitizedMounts
+	} else {
+		hostConfig.Binds = []string{}
+		hostConfig.Mounts = []mount.Mount{}
+	}
+
+	return config, hostConfig
+}
--- a/act/container/docker_run_test.go
+++ b/act/container/docker_run_test.go
@@ -0,0 +1,366 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDocker(t *testing.T) {
+	ctx := context.Background()
+	client, err := GetDockerClient(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer client.Close()
+
+	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
+		ContextDir: "testdata",
+		ImageTag:   "envmergetest",
+	})
+
+	err = dockerBuild(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	cr := &containerReference{
+		cli: client,
+		input: &NewContainerInput{
+			Image: "envmergetest",
+		},
+	}
+	env := map[string]string{
+		"PATH":         "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin",
+		"RANDOM_VAR":   "WITH_VALUE",
+		"ANOTHER_VAR":  "",
+		"CONFLICT_VAR": "I_EXIST_IN_MULTIPLE_PLACES",
+	}
+
+	envExecutor := cr.extractFromImageEnv(&env)
+	err = envExecutor(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, map[string]string{
+		"PATH":            "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/this/path/does/not/exists/anywhere:/this/either",
+		"RANDOM_VAR":      "WITH_VALUE",
+		"ANOTHER_VAR":     "",
+		"SOME_RANDOM_VAR": "",
+		"ANOTHER_ONE":     "BUT_I_HAVE_VALUE",
+		"CONFLICT_VAR":    "I_EXIST_IN_MULTIPLE_PLACES",
+	}, env)
+}
+
+type mockDockerClient struct {
+	client.APIClient
+	mock.Mock
+}
+
+func (m *mockDockerClient) ContainerExecCreate(ctx context.Context, id string, opts types.ExecConfig) (types.IDResponse, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(types.IDResponse), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerExecAttach(ctx context.Context, id string, opts types.ExecStartCheck) (types.HijackedResponse, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(types.HijackedResponse), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
+	args := m.Called(ctx, execID)
+	return args.Get(0).(types.ContainerExecInspect), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerWait(ctx context.Context, containerID string, condition container.WaitCondition) (<-chan container.WaitResponse, <-chan error) {
+	args := m.Called(ctx, containerID, condition)
+	return args.Get(0).(<-chan container.WaitResponse), args.Get(1).(<-chan error)
+}
+
+func (m *mockDockerClient) CopyToContainer(ctx context.Context, id, path string, content io.Reader, options types.CopyToContainerOptions) error {
+	args := m.Called(ctx, id, path, content, options)
+	return args.Error(0)
+}
+
+type endlessReader struct {
+	io.Reader
+}
+
+func (r endlessReader) Read(_ []byte) (n int, err error) {
+	return 1, nil
+}
+
+type mockConn struct {
+	net.Conn
+	mock.Mock
+}
+
+func (m *mockConn) Write(b []byte) (n int, err error) {
+	args := m.Called(b)
+	return args.Int(0), args.Error(1)
+}
+
+func (m *mockConn) Close() (err error) {
+	return nil
+}
+
+func TestDockerExecAbort(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	conn := &mockConn{}
+	conn.On("Write", mock.AnythingOfType("[]uint8")).Return(1, nil)
+
+	client := &mockDockerClient{}
+	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
+	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
+		Conn:   conn,
+		Reader: bufio.NewReader(endlessReader{}),
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	channel := make(chan error)
+
+	go func() {
+		channel <- cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	}()
+
+	time.Sleep(500 * time.Millisecond)
+
+	cancel()
+
+	err := <-channel
+	assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerExecFailure(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	client := &mockDockerClient{}
+	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
+	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
+		Conn:   conn,
+		Reader: bufio.NewReader(strings.NewReader("output")),
+	}, nil)
+	client.On("ContainerExecInspect", ctx, "id").Return(types.ContainerExecInspect{
+		ExitCode: 1,
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(1), exitErr)
+	assert.Equal(t, "Process completed with exit code 1.", err.Error())
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerWaitFailure(t *testing.T) {
+	ctx := context.Background()
+
+	statusCh := make(chan container.WaitResponse, 1)
+	statusCh <- container.WaitResponse{StatusCode: 2}
+	errCh := make(chan error, 1)
+
+	client := &mockDockerClient{}
+	client.On("ContainerWait", ctx, "123", container.WaitConditionNotRunning).
+		Return((<-chan container.WaitResponse)(statusCh), (<-chan error)(errCh))
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.wait()(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(2), exitErr)
+	assert.Equal(t, "Process completed with exit code 2.", err.Error())
+
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStream(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	_ = cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+// Type assert containerReference implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &containerReference{}
+
+func TestCheckVolumes(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		validVolumes  []string
+		binds         []string
+		expectedBinds []string
+	}{
+		{
+			desc:         "match all volumes",
+			validVolumes: []string{"**"},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+		},
+		{
+			desc:         "no volumes can be matched",
+			validVolumes: []string{},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{},
+		},
+		{
+			desc: "only allowed volumes can be matched",
+			validVolumes: []string{
+				"shared_volume",
+				"/home/test/data",
+				"/etc/conf.d/*.json",
+			},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+			logger, _ := test.NewNullLogger()
+			ctx := common.WithLogger(context.Background(), logger)
+			cr := &containerReference{
+				input: &NewContainerInput{
+					ValidVolumes: tc.validVolumes,
+				},
+			}
+			_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{Binds: tc.binds})
+			assert.Equal(t, tc.expectedBinds, hostConf.Binds)
+		})
+	}
+}
--- a/act/container/docker_socket.go
+++ b/act/container/docker_socket.go
@@ -1,3 +1,7 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -43,8 +47,8 @@ func socketLocation() (string, bool) {
 // indicating that the `daemonPath` is a Docker host URI. If it doesn't, or if the "://" delimiter
 // is not found in the `daemonPath`, the function returns false.
 func isDockerHostURI(daemonPath string) bool {
-	if protoIndex := strings.Index(daemonPath, "://"); protoIndex != -1 {
-		scheme := daemonPath[:protoIndex]
+	if before, _, ok := strings.Cut(daemonPath, "://"); ok {
+		scheme := before
 		if strings.IndexFunc(scheme, func(r rune) bool {
 			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
 		}) == -1 {
@@ -90,7 +94,7 @@ func GetSocketAndHost(containerSocket string) (SocketAndHost, error) {
 	if !hasDockerHost && socketHost.Socket != "" && !isDockerHostURI(socketHost.Socket) {
 		// Cases: 1B, 2B
 		// Should we early-exit here, since there is no host nor socket to talk to?
-		return SocketAndHost{}, fmt.Errorf("docker host aka DOCKER_HOST was not set, couldn't be found in the usual locations, and the container daemon socket ('%s') is invalid", socketHost.Socket)
+		return SocketAndHost{}, fmt.Errorf("DOCKER_HOST was not set, couldn't be found in the usual locations, and the container daemon socket ('%s') is invalid", socketHost.Socket)
 	}

 	// Default to DOCKER_HOST if set
--- a/act/container/docker_socket_test.go
+++ b/act/container/docker_socket_test.go
@@ -1,3 +1,7 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -19,26 +23,26 @@ func TestGetSocketAndHostWithSocket(t *testing.T) {
 	CommonSocketLocations = originalCommonSocketLocations
 	dockerHost := "unix:///my/docker/host.sock"
 	socketURI := "/path/to/my.socket"
-	os.Setenv("DOCKER_HOST", dockerHost)
+	t.Setenv("DOCKER_HOST", dockerHost)

 	// Act
 	ret, err := GetSocketAndHost(socketURI)

 	// Assert
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{socketURI, dockerHost}, ret)
 }

 func TestGetSocketAndHostNoSocket(t *testing.T) {
 	// Arrange
 	dockerHost := "unix:///my/docker/host.sock"
-	os.Setenv("DOCKER_HOST", dockerHost)
+	t.Setenv("DOCKER_HOST", dockerHost)

 	// Act
 	ret, err := GetSocketAndHost("")

 	// Assert
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{dockerHost, dockerHost}, ret)
 }

@@ -53,8 +57,8 @@ func TestGetSocketAndHostOnlySocket(t *testing.T) {
 	ret, err := GetSocketAndHost(socketURI)

 	// Assert
-	assert.NoError(t, err, "Expected no error from GetSocketAndHost")
-	assert.Equal(t, true, defaultSocketFound, "Expected to find default socket")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, defaultSocketFound, "Expected to find default socket")
 	assert.Equal(t, socketURI, ret.Socket, "Expected socket to match common location")
 	assert.Equal(t, defaultSocket, ret.Host, "Expected ret.Host to match default socket location")
 }
@@ -63,13 +67,13 @@ func TestGetSocketAndHostDontMount(t *testing.T) {
 	// Arrange
 	CommonSocketLocations = originalCommonSocketLocations
 	dockerHost := "unix:///my/docker/host.sock"
-	os.Setenv("DOCKER_HOST", dockerHost)
+	t.Setenv("DOCKER_HOST", dockerHost)

 	// Act
 	ret, err := GetSocketAndHost("-")

 	// Assert
-	assert.Nil(t, err)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{"-", dockerHost}, ret)
 }

@@ -83,8 +87,8 @@ func TestGetSocketAndHostNoHostNoSocket(t *testing.T) {
 	ret, err := GetSocketAndHost("")

 	// Assert
-	assert.Equal(t, true, found, "Expected a default socket to be found")
-	assert.Nil(t, err, "Expected no error from GetSocketAndHost")
+	assert.True(t, found, "Expected a default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{defaultSocket, defaultSocket}, ret, "Expected to match default socket location")
 }

@@ -93,11 +97,11 @@ func TestGetSocketAndHostNoHostNoSocket(t *testing.T) {
 // > This happens if neither DOCKER_HOST nor --container-daemon-socket has a value, but socketLocation() returns a URI
 func TestGetSocketAndHostNoHostNoSocketDefaultLocation(t *testing.T) {
 	// Arrange
-	mySocketFile, tmpErr := os.CreateTemp("", "act-*.sock")
+	mySocketFile, tmpErr := os.CreateTemp(t.TempDir(), "act-*.sock")
 	mySocket := mySocketFile.Name()
 	unixSocket := "unix://" + mySocket
 	defer os.RemoveAll(mySocket)
-	assert.NoError(t, tmpErr)
+	assert.NoError(t, tmpErr) //nolint:testifylint // pre-existing issue from nektos/act
 	os.Unsetenv("DOCKER_HOST")

 	CommonSocketLocations = []string{mySocket}
@@ -108,8 +112,8 @@ func TestGetSocketAndHostNoHostNoSocketDefaultLocation(t *testing.T) {

 	// Assert
 	assert.Equal(t, unixSocket, defaultSocket, "Expected default socket to match common socket location")
-	assert.Equal(t, true, found, "Expected default socket to be found")
-	assert.Nil(t, err, "Expected no error from GetSocketAndHost")
+	assert.True(t, found, "Expected default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{unixSocket, unixSocket}, ret, "Expected to match default socket location")
 }

@@ -124,8 +128,8 @@ func TestGetSocketAndHostNoHostInvalidSocket(t *testing.T) {
 	ret, err := GetSocketAndHost(mySocket)

 	// Assert
-	assert.Equal(t, false, found, "Expected no default socket to be found")
-	assert.Equal(t, "", defaultSocket, "Expected no default socket to be found")
+	assert.False(t, found, "Expected no default socket to be found")
+	assert.Equal(t, "", defaultSocket, "Expected no default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, SocketAndHost{}, ret, "Expected to match default socket location")
 	assert.Error(t, err, "Expected an error in invalid state")
 }
@@ -142,9 +146,9 @@ func TestGetSocketAndHostOnlySocketValidButUnusualLocation(t *testing.T) {

 	// Assert
 	// Default socket locations
-	assert.Equal(t, "", defaultSocket, "Expect default socket location to be empty")
-	assert.Equal(t, false, found, "Expected no default socket to be found")
+	assert.Equal(t, "", defaultSocket, "Expect default socket location to be empty") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, found, "Expected no default socket to be found")
 	// Sane default
-	assert.Nil(t, err, "Expect no error from GetSocketAndHost")
+	assert.NoError(t, err, "Expect no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
 	assert.Equal(t, socketURI, ret.Host, "Expect host to default to unusual socket")
 }
--- a/act/container/docker_stub.go
+++ b/act/container/docker_stub.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build WITHOUT_DOCKER || !(linux || darwin || windows || netbsd)

 package container
@@ -6,20 +10,21 @@ import (
 	"context"
 	"runtime"

-	"github.com/docker/docker/api/types/system"
-	"github.com/actions-oss/act-cli/pkg/common"
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/docker/docker/api/types"
 	"github.com/pkg/errors"
 )

 // ImageExistsLocally returns a boolean indicating if an image with the
 // requested name, tag and architecture exists in the local docker image store
-func ImageExistsLocally(ctx context.Context, imageName string, platform string) (bool, error) {
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
 	return false, errors.New("Unsupported Operation")
 }

 // RemoveImage removes image from local store, the function is used to run different
 // container image architectures
-func RemoveImage(ctx context.Context, imageName string, force bool, pruneChildren bool) (bool, error) {
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
 	return false, errors.New("Unsupported Operation")
 }

@@ -46,8 +51,8 @@ func RunnerArch(ctx context.Context) string {
 	return runtime.GOOS
 }

-func GetHostInfo(ctx context.Context) (info system.Info, err error) {
-	return system.Info{}, nil
+func GetHostInfo(ctx context.Context) (info types.Info, err error) {
+	return types.Info{}, nil
 }

 func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
--- a/act/container/docker_volume.go
+++ b/act/container/docker_volume.go
@@ -1,3 +1,7 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 //go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container
@@ -5,7 +9,8 @@ package container
 import (
 	"context"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"gitea.com/gitea/runner/act/common"
+
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/volume"
 )
--- a/act/container/executions_environment.go
+++ b/act/container/executions_environment.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import "context"
@@ -9,7 +13,7 @@ type ExecutionsEnvironment interface {
 	GetPathVariableName() string
 	DefaultPathVariable() string
 	JoinPathVariable(...string) string
-	GetRunnerContext(ctx context.Context) map[string]interface{}
+	GetRunnerContext(ctx context.Context) map[string]any
 	// On windows PATH and Path are the same key
 	IsEnvironmentCaseInsensitive() bool
 }
--- a/act/container/host_environment.go
+++ b/act/container/host_environment.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -12,17 +16,19 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
+	"sync"
 	"time"

+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/filecollector"
+	"gitea.com/gitea/runner/act/lookpath"
+
 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
 	"golang.org/x/term"
-
-	"github.com/actions-oss/act-cli/pkg/common"
-	"github.com/actions-oss/act-cli/pkg/filecollector"
-	"github.com/actions-oss/act-cli/pkg/lookpath"
 )

 type HostEnvironment struct {
@@ -30,25 +36,37 @@ type HostEnvironment struct {
 	TmpDir    string
 	ToolCache string
 	Workdir   string
+	// BindWorkdir is true when the app runner mounts the workspace on the host and
+	// deletes the task directory after the job; host teardown must not remove Workdir.
+	BindWorkdir bool
 	ActPath     string
 	CleanUp     func()
 	StdOut      io.Writer
+
+	mu          sync.Mutex
+	runningPIDs map[int]struct{}
 }

-func (e *HostEnvironment) Create(_ []string, _ []string) common.Executor {
-	return func(_ context.Context) error {
+func (e *HostEnvironment) Create(_, _ []string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) ConnectToNetwork(name string) common.Executor {
+	return func(ctx context.Context) error {
 		return nil
 	}
 }

 func (e *HostEnvironment) Close() common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		return nil
 	}
 }

 func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		for _, f := range files {
 			if err := os.MkdirAll(filepath.Dir(filepath.Join(destPath, f.Name)), 0o777); err != nil {
 				return err
@@ -62,9 +80,6 @@ func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Exec
 }

 func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
-	if common.Dryrun(ctx) {
-		return nil
-	}
 	if err := os.RemoveAll(destPath); err != nil {
 		return err
 	}
@@ -83,7 +98,7 @@ func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, ta
 			continue
 		}
 		if ctx.Err() != nil {
-			return fmt.Errorf("copyTarStream has been cancelled")
+			return errors.New("CopyTarStream has been cancelled")
 		}
 		if err := cp.WriteFile(ti.Name, ti.FileInfo(), ti.Linkname, tr); err != nil {
 			return err
@@ -91,7 +106,7 @@ func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, ta
 	}
 }

-func (e *HostEnvironment) CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor {
+func (e *HostEnvironment) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
 		srcPrefix := filepath.Dir(srcPath)
@@ -172,13 +187,13 @@ func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath strin
 }

 func (e *HostEnvironment) Pull(_ bool) common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		return nil
 	}
 }

 func (e *HostEnvironment) Start(_ bool) common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		return nil
 	}
 }
@@ -224,7 +239,7 @@ func (l *localEnv) Getenv(name string) string {
 func lookupPathHost(cmd string, env map[string]string, writer io.Writer) (string, error) {
 	f, err := lookpath.LookPath2(cmd, &localEnv{env: env})
 	if err != nil {
-		err := "Cannot find: " + fmt.Sprint(cmd) + " in PATH"
+		err := "Cannot find: " + cmd + " in PATH"
 		if _, _err := writer.Write([]byte(err + "\n")); _err != nil {
 			return "", fmt.Errorf("%v: %w", err, _err)
 		}
@@ -272,7 +287,7 @@ func copyPtyOutput(writer io.Writer, ppty io.Reader, finishLog context.CancelFun
 }

 func (e *HostEnvironment) UpdateFromImageEnv(_ *map[string]string) common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
 		return nil
 	}
 }
@@ -320,7 +335,7 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 			tty.Close()
 		}
 	}()
-	if containerAllocateTerminal /* allocate Terminal */ {
+	if true /* allocate Terminal */ {
 		var err error
 		ppty, tty, err = setupPty(cmd, cmdline)
 		if err != nil {
@@ -337,13 +352,35 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 	if ppty != nil {
 		go writeKeepAlive(ppty)
 	}
-	err = cmd.Run()
+	// Split Start/Wait so the PID can be registered before the process can exit;
+	// cmd.Run() would block until exit, by which time the PID may have been reused.
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	if cmd.Process != nil {
+		e.mu.Lock()
+		if e.runningPIDs == nil {
+			e.runningPIDs = map[int]struct{}{}
+		}
+		e.runningPIDs[cmd.Process.Pid] = struct{}{}
+		e.mu.Unlock()
+		defer func(pid int) {
+			e.mu.Lock()
+			delete(e.runningPIDs, pid)
+			e.mu.Unlock()
+		}(cmd.Process.Pid)
+	}
+	err = cmd.Wait()
 	if err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			return ExitCodeError(exitErr.ExitCode())
+		}
 		return err
 	}
 	if tty != nil {
 		writer.AutoStop = true
-		if _, err := tty.Write([]byte("\x04")); err != nil {
+		if _, err := tty.WriteString("\x04"); err != nil {
 			common.Logger(ctx).Debug("Failed to write EOT")
 		}
 	}
@@ -378,12 +415,83 @@ func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string)
 	return parseEnvFile(e, srcPath, env)
 }

+func removePathWithRetry(ctx context.Context, path string) error {
+	if path == "" {
+		return nil
+	}
+	attempts := 1
+	delay := time.Duration(0)
+	if runtime.GOOS == "windows" {
+		attempts = 5
+		delay = 200 * time.Millisecond
+	}
+	var lastErr error
+	for i := 0; i < attempts; i++ {
+		if i > 0 {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case <-time.After(delay):
+			}
+		}
+		lastErr = os.RemoveAll(path)
+		if lastErr == nil {
+			return nil
+		}
+	}
+	return lastErr
+}
+
+func (e *HostEnvironment) terminateRunningProcesses(ctx context.Context) {
+	if runtime.GOOS != "windows" {
+		return
+	}
+	e.mu.Lock()
+	pids := make([]int, 0, len(e.runningPIDs))
+	for pid := range e.runningPIDs {
+		pids = append(pids, pid)
+	}
+	e.mu.Unlock()
+
+	if len(pids) == 0 {
+		return
+	}
+
+	logger := common.Logger(ctx)
+	for _, pid := range pids {
+		// Best-effort: forcibly terminate process tree to release file handles
+		// so that workspace cleanup can succeed on Windows.
+		cmd := exec.CommandContext(ctx, "taskkill", "/PID", strconv.Itoa(pid), "/T", "/F")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			logger.Debugf("taskkill failed for pid=%d: %v output=%s", pid, err, strings.TrimSpace(string(out)))
+		}
+	}
+}
+
 func (e *HostEnvironment) Remove() common.Executor {
-	return func(_ context.Context) error {
+	return func(ctx context.Context) error {
+		// Ensure any lingering child processes are ended before attempting
+		// to remove the workspace (Windows file locks otherwise prevent cleanup).
+		e.terminateRunningProcesses(ctx)
+
+		// Only removes per-job misc state. Must not remove the cache/toolcache root.
 		if e.CleanUp != nil {
 			e.CleanUp()
 		}
-		return os.RemoveAll(e.Path)
+		logger := common.Logger(ctx)
+		var errs []error
+		if err := removePathWithRetry(ctx, e.Path); err != nil {
+			logger.Warnf("failed to remove host misc state %s: %v", e.Path, err)
+			errs = append(errs, err)
+		}
+		if !e.BindWorkdir && e.Workdir != "" {
+			if err := removePathWithRetry(ctx, e.Workdir); err != nil {
+				logger.Warnf("failed to remove host workspace %s: %v", e.Workdir, err)
+				errs = append(errs, err)
+			}
+		}
+		return errors.Join(errs...)
 	}
 }

@@ -410,9 +518,8 @@ func (*HostEnvironment) GetPathVariableName() string {
 		return "path"
 	case "windows":
 		return "Path" // Actually we need a case insensitive map
-	default:
-		return "PATH"
 	}
+	return "PATH"
 }

 func (e *HostEnvironment) DefaultPathVariable() string {
@@ -428,7 +535,6 @@ func (*HostEnvironment) JoinPathVariable(paths ...string) string {
 // https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
 func goArchToActionArch(arch string) string {
 	archMapper := map[string]string{
-		"amd64":   "X64",
 		"x86_64":  "X64",
 		"386":     "X86",
 		"aarch64": "ARM64",
@@ -441,8 +547,6 @@ func goArchToActionArch(arch string) string {

 func goOsToActionOs(os string) string {
 	osMapper := map[string]string{
-		"linux":   "Linux",
-		"windows": "Windows",
 		"darwin": "macOS",
 	}
 	if os, ok := osMapper[os]; ok {
@@ -451,8 +555,8 @@ func goOsToActionOs(os string) string {
 	return os
 }

-func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]interface{} {
-	return map[string]interface{}{
+func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]any {
+	return map[string]any{
 		"os":         goOsToActionOs(runtime.GOOS),
 		"arch":       goArchToActionArch(runtime.GOARCH),
 		"temp":       e.TmpDir,
@@ -460,11 +564,7 @@ func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]interfa
 	}
 }

-func (e *HostEnvironment) GetHealth(_ context.Context) Health {
-	return HealthHealthy
-}
-
-func (e *HostEnvironment) ReplaceLogWriter(stdout io.Writer, _ io.Writer) (io.Writer, io.Writer) {
+func (e *HostEnvironment) ReplaceLogWriter(stdout, _ io.Writer) (io.Writer, io.Writer) {
 	org := e.StdOut
 	e.StdOut = stdout
 	return org, org
--- a/act/container/host_environment_test.go
+++ b/act/container/host_environment_test.go
@@ -0,0 +1,149 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"context"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Type assert HostEnvironment implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &HostEnvironment{}
+
+func TestCopyDir(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	err := e.CopyDir(e.Workdir, e.Path, true)(ctx)
+	assert.NoError(t, err)
+}
+
+func TestGetContainerArchive(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	expectedContent := []byte("sdde/7sh")
+	err := os.WriteFile(filepath.Join(e.Path, "action.yml"), expectedContent, 0o600)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	archive, err := e.GetContainerArchive(ctx, e.Path)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer archive.Close()
+	reader := tar.NewReader(archive)
+	h, err := reader.Next()
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "action.yml", h.Name)
+	content, err := io.ReadAll(reader)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, expectedContent, content)
+	_, err = reader.Next()
+	assert.ErrorIs(t, err, io.EOF)
+}
+
+func TestHostEnvironmentExecExitCode(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("uses POSIX shell")
+	}
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    io.Discard,
+		Workdir:   filepath.Join(dir, "path"),
+	}
+	for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
+		assert.NoError(t, os.MkdirAll(p, 0o700)) //nolint:testifylint // test setup
+	}
+
+	err := e.Exec([]string{"sh", "-c", "exit 3"}, map[string]string{"PATH": os.Getenv("PATH")}, "", "")(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(3), exitErr)
+	assert.Equal(t, "Process completed with exit code 3.", err.Error())
+}
+
+func TestHostEnvironmentRemoveCleansWorkdir(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:        path,
+		Workdir:     workdir,
+		BindWorkdir: false,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	assert.ErrorIs(t, err, os.ErrNotExist)
+}
+
+func TestHostEnvironmentRemoveSkipsWorkdirWhenBindWorkdir(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "123", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:        path,
+		Workdir:     workdir,
+		BindWorkdir: true,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	require.NoError(t, err)
+}
--- a/act/container/linux_container_environment_extensions.go
+++ b/act/container/linux_container_environment_extensions.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -10,8 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )

-type LinuxContainerEnvironmentExtensions struct {
-}
+type LinuxContainerEnvironmentExtensions struct{}

 // Resolves the equivalent host path inside the container
 // This is required for windows and WSL 2 to translate things like C:\Users\Myproject to /mnt/users/Myproject
@@ -63,8 +66,8 @@ func (*LinuxContainerEnvironmentExtensions) JoinPathVariable(paths ...string) st
 	return strings.Join(paths, ":")
 }

-func (*LinuxContainerEnvironmentExtensions) GetRunnerContext(ctx context.Context) map[string]interface{} {
-	return map[string]interface{}{
+func (*LinuxContainerEnvironmentExtensions) GetRunnerContext(ctx context.Context) map[string]any {
+	return map[string]any{
 		"os":         "Linux",
 		"arch":       RunnerArch(ctx),
 		"temp":       "/tmp",
--- a/act/container/linux_container_environment_extensions_test.go
+++ b/act/container/linux_container_environment_extensions_test.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -31,22 +35,17 @@ func TestContainerPath(t *testing.T) {
 		for _, v := range []containerPathJob{
 			{"/mnt/c/Users/act/go/src/github.com/nektos/act", "C:\\Users\\act\\go\\src\\github.com\\nektos\\act\\", ""},
 			{"/mnt/f/work/dir", `F:\work\dir`, ""},
-			{"/mnt/c/windows/to/unix", "windows\\to\\unix", fmt.Sprintf("%s\\", rootDrive)},
-			{fmt.Sprintf("/mnt/%v/act", rootDriveLetter), "act", fmt.Sprintf("%s\\", rootDrive)},
+			{"/mnt/c/windows/to/unix", "windows\\to\\unix", rootDrive + "\\"},
+			{fmt.Sprintf("/mnt/%v/act", rootDriveLetter), "act", rootDrive + "\\"},
 		} {
 			if v.workDir != "" {
-				if err := os.Chdir(v.workDir); err != nil {
-					log.Error(err)
-					t.Fail()
-				}
+				t.Chdir(v.workDir)
 			}

 			assert.Equal(t, v.destinationPath, linuxcontainerext.ToContainerPath(v.sourcePath))
 		}

-		if err := os.Chdir(cwd); err != nil {
-			log.Error(err)
-		}
+		t.Chdir(cwd)
 	} else {
 		cwd, err := os.Getwd()
 		if err != nil {
--- a/act/container/parse_env_file.go
+++ b/act/container/parse_env_file.go
@@ -1,3 +1,7 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
 package container

 import (
@@ -8,7 +12,7 @@ import (
 	"io"
 	"strings"

-	"github.com/actions-oss/act-cli/pkg/common"
+	"gitea.com/gitea/runner/act/common"
 )

 func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Executor {
@@ -25,17 +29,8 @@ func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Ex
 			return err
 		}
 		s := bufio.NewScanner(reader)
-		s.Buffer(nil, 1024*1024*1024) // increase buffer to 1GB to avoid scanner buffer overflow
-		firstLine := true
 		for s.Scan() {
 			line := s.Text()
-			if firstLine {
-				firstLine = false
-				// skip utf8 bom, powershell 5 legacy uses it for utf8
-				if len(line) >= 3 && line[0] == 239 && line[1] == 187 && line[2] == 191 {
-					line = line[3:]
-				}
-			}
 			singleLineEnv := strings.Index(line, "=")
 			multiLineEnv := strings.Index(line, "<<")
 			if singleLineEnv != -1 && (multiLineEnv == -1 || singleLineEnv < multiLineEnv) {
@@ -64,6 +59,6 @@ func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Ex
 			}
 		}
 		env = &localEnv
-		return s.Err()
+		return nil
 	}
 }
--- a/act/container/testdata/Dockerfile
+++ b/act/container/testdata/Dockerfile
--- a/act/container/testdata/docker-pull-options/config.json
+++ b/act/container/testdata/docker-pull-options/config.json
--- a/act/container/testdata/scratch/test.txt
+++ b/act/container/testdata/scratch/test.txt
--- a/act/container/testdata/utf16.env
+++ b/act/container/testdata/utf16.env
--- a/act/container/testdata/utf16be.env
+++ b/act/container/testdata/utf16be.env
--- a/Show More
+++ b/Show More