Merge https://github.com/actions-oss/act-cli into act-runner-merged

Merge branch 'main' of gitea.com:gitea/act_runner into act-runner-actions-oss-act
Merge branch 'act-runner-actions-oss-act' of gitea.com:gitea/act_runner into act-runner-actions-oss-act
2026-06-09 18:44:23 +02:00 · 2026-02-22 20:38:07 +01:00 · 2026-02-22 20:26:32 +01:00 · 2026-02-22 17:34:49 +01:00 · 2026-02-22 17:34:18 +01:00 · 2026-02-22 17:28:48 +01:00
2034 changed files with 506166 additions and 18580 deletions
--- a/.codespellrc
+++ b/.codespellrc
@@ -0,0 +1,6 @@
+[codespell]
+# Ref: https://github.com/codespell-project/codespell#using-a-config-file
+skip = .git*,go.sum,package-lock.json,*.min.*,.codespellrc,testdata,./pkg/runner/hashfiles/index.js
+check-hidden = true
+ignore-regex = .*Te\{0\}st.*
+# ignore-words-list =
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,52 +0,0 @@
-# Compiled Object files, Static and Dynamic libs (Shared Objects)
-*.o
-*.a
-*.so
-
-# Folders
-_obj
-_test
-
-# IntelliJ
-.idea
-# Goland's output filename can not be set manually
-/go_build_*
-
-# MS VSCode
-.vscode
-__debug_bin*
-
-# Architecture specific extensions/prefixes
-*.[568vq]
-[568vq].out
-
-*.cgo1.go
-*.cgo2.c
-_cgo_defun.c
-_cgo_gotypes.go
-_cgo_export.*
-
-_testmain.go
-
-*.exe
-*.test
-*.prof
-
-*coverage.out
-coverage.all
-coverage.txt
-cpu.out
-
-*.db
-*.log
-
-/gitea-runner
-/debug
-
-/bin
-/dist
-/.env
-/.runner
-/config.yaml
-/Dockerfile
-.DS_Store
--- a/.editorconfig
+++ b/.editorconfig
@@ -12,8 +12,5 @@ insert_final_newline = true
 [*.{go}]
 indent_style = tab

-[go.*]
-indent_style = tab
-
 [Makefile]
 indent_style = tab
--- a/.gitea/workflows/checks.yml
+++ b/.gitea/workflows/checks.yml
@@ -0,0 +1,156 @@
+name: checks
+on: [pull_request, workflow_dispatch]
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  ACT_OWNER: ${{ github.repository_owner }}
+  ACT_REPOSITORY: ${{ github.repository }}
+  CGO_ENABLED: 0
+  NO_QEMU: 1
+  NO_EXTERNAL_IP: 1
+  DOOD: 1
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@v8.0.0
+        with:
+          version: v2.1.6
+      - uses: megalinter/megalinter/flavors/go@v9.1.0
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
+          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
+
+  test-linux:
+    name: test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - name: Cleanup Docker Engine
+        run: |
+          docker ps -a --format '{{ if eq (truncate .Names 4) "act-" }}
+          {{ .ID }}
+          {{end}}' | xargs -r docker rm -f || :
+          docker volume ls --format '{{ if eq (truncate .Name 4) "act-" }}
+          {{ .Name }}
+          {{ end }}' | xargs -r docker volume rm -f || :
+          docker images --format '{{ if eq (truncate .Repository 4) "act-" }}
+          {{ .ID }}
+          {{ end }}' | xargs -r docker rmi -f || :
+          docker images -q | xargs -r docker rmi || :
+      - name: Set up QEMU
+        if: '!env.NO_QEMU'
+        uses: docker/setup-qemu-action@v3
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      # Regressions by Gitea Actions CI Migration
+      # GITHUB_REPOSITORY contains the server url
+      # ACTIONS_RUNTIME_URL provided to every step, act does not override
+      - name: Run Tests
+        run: |
+          unset ACTIONS_RUNTIME_URL
+          unset ACTIONS_RESULTS_URL
+          unset ACTIONS_RUNTIME_TOKEN
+          export GITHUB_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
+          export ACT_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
+          export ACT_OWNER="${ACT_OWNER#${SERVER_URL%/}/}"
+          env
+          go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
+        env:
+          SERVER_URL: ${{ github.server_url }}
+      - name: Run act from cli
+        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
+      - name: Run act from cli without docker support
+        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
+
+  snapshot:
+    name: snapshot
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2
+          args: release --snapshot --clean
+      - name: Setup Node
+        continue-on-error: true
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+      - name: Install @actions/artifact@2.1.0
+        continue-on-error: true
+        run: npm install @actions/artifact@2.1.0
+      - name: Upload All
+        uses: actions/github-script@v8
+        continue-on-error: true
+        with:
+          script: |
+            // We do not use features depending on GITHUB_API_URL so we can hardcode it to avoid the GHES no support error
+            process.env["GITHUB_SERVER_URL"] = "https://github.com";
+            const {DefaultArtifactClient} = require('@actions/artifact');
+            const aartifact = new DefaultArtifactClient();
+            var artifacts = JSON.parse(process.env.ARTIFACTS);
+            for(var artifact of artifacts) {
+              if(artifact.type === "Binary") {
+                const {id, size} = await aartifact.uploadArtifact(
+                  // name of the artifact
+                  `${artifact.name}-${artifact.target}`,
+                  // files to include (supports absolute and relative paths)
+                  [artifact.path],
+                  process.cwd(),
+                  {
+                    // optional: how long to retain the artifact
+                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
+                    retentionDays: 10
+                  }
+                );
+                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
+              }
+            }
+        env:
+          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: v0.0.0-pr
--- a/.gitea/workflows/pull-pr-title.yml
+++ b/.gitea/workflows/pull-pr-title.yml
@@ -1,27 +0,0 @@
-name: pr-title
-
-on:
-  pull_request:
-    types:
-    - opened
-    - edited
-    - reopened
-    - synchronize
-    - ready_for_review
-
-permissions:
-  contents: read
-
-jobs:
-  lint-pr-title:
-    if: github.event.pull_request.draft == false
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-    - uses: actions/checkout@v6
-    - uses: actions/setup-node@v6
-      with:
-        node-version: 24
-    - run: make lint-pr-title
-      env:
-        PR_TITLE: ${{ github.event.pull_request.title }}
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -24,7 +24,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: goreleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          args: release --nightly
@@ -57,27 +57,22 @@ jobs:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Echo the tag
-        run: echo "${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}"
-
-      - name: Get Meta
-        id: meta
-        run: |
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/-/+/' | sed 's/^v//') >> $GITHUB_OUTPUT
+        run: echo "${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}"

      - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
@@ -87,6 +82,4 @@ jobs:
            linux/arm64
          push: true
          tags: |
-            ${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}
-          build-args: |
-            VERSION=${{ steps.meta.outputs.REPO_VERSION }}
+            ${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -17,13 +17,13 @@ jobs:
          go-version-file: "go.mod"
      - name: Import GPG key
        id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v7
+        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      - name: goreleaser
-        uses: goreleaser/goreleaser-action@v7
+        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
          args: release
@@ -39,15 +39,6 @@ jobs:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
  release-image:
    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        variant:
-          - target: basic
-            tag_suffix: ""
-          - target: dind
-            tag_suffix: "-dind"
-          - target: dind-rootless
-            tag_suffix: "-dind-rootless"
    container:
      image: catthehacker/ubuntu:act-latest
    env:
@@ -60,41 +51,61 @@ jobs:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: "Docker meta"
-        id: docker_meta
-        uses: docker/metadata-action@v6
-        with:
-          images: |
-            ${{ env.DOCKER_ORG }}/runner
-          tags: |
-            type=semver,pattern={{major}}.{{minor}}.{{patch}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-          flavor: |
-            latest=true
-            suffix=${{ matrix.variant.tag_suffix }},onlatest=true
+      - name: Get Meta
+        id: meta
+        run: |
+          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
+          echo REPO_VERSION=${GITHUB_REF_NAME#v} >> $GITHUB_OUTPUT

      - name: Build and push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
-          target: ${{ matrix.variant.target }}
+          target: basic
          platforms: |
            linux/amd64
            linux/arm64
          push: true
-          tags: ${{ steps.docker_meta.outputs.tags }}
-          build-args: |
-            VERSION=${{ steps.docker_meta.outputs.version }}
+          tags: |
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
+
+      - name: Build and push dind
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          target: dind
+          platforms: |
+            linux/amd64
+            linux/arm64
+          push: true
+          tags: |
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind
+
+      - name: Build and push dind-rootless
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          target: dind-rootless
+          platforms: |
+            linux/amd64
+            linux/arm64
+          push: true
+          tags: |
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind-rootless
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,72 @@
+name: release
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    # TODO use environment to scope secrets
+    name: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean -f ./.goreleaser.yml -f ./.goreleaser.gitea.yml
+        env:
+          GITEA_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
+      - name: Winget
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: ${{ github.ref }}
+          apiKey: ${{ secrets.CHOCO_APIKEY }}
+          push: true
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
+      # TODO use ssh deployment key
+      - name: GitHub CLI extension
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
+          script: |
+            const mainRef = (await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: 'gh-act',
+              ref: 'heads/main',
+            })).data;
+            console.log(mainRef);
+            github.rest.git.createRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: context.ref,
+              sha: mainRef.object.sha,
+            });
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,44 +1,20 @@
 name: checks
 on:
-  push:
-    branches:
-      - main
-  pull_request:
+  - push
+  - pull_request

 jobs:
  lint:
    name: check and test
    runs-on: ubuntu-latest
-    env:
-      # The runner image ships a stale docker.io login; point docker at an empty config so
-      # image pulls go straight to anonymous instead of attempting (and failing) that auth
-      # first. The path must be a literal: the `runner` context is unavailable in job-level
-      # env, so `${{ runner.temp }}` would resolve to empty and config.Dir() would fall back
-      # to ~/.docker with the stale credentials.
-      DOCKER_CONFIG: /tmp/docker-noauth
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
-      - name: prepare anonymous docker config
-        run: mkdir -p "$DOCKER_CONFIG" && echo '{}' > "$DOCKER_CONFIG/config.json"
-      # Pre-pull act/runner's two largest base images so a slow pull can't dominate `make test`;
-      # the rest (alpine/ubuntu) pull on demand, absorbed by the make-test -timeout. The host
-      # daemon retains them between runs, so this is usually a fast manifest re-check.
-      - name: pre-pull test images
-        run: |
-          for img in node:24-bookworm-slim nginx:alpine; do
-            for try in 1 2 3; do docker pull "$img" && break || sleep 5; done
-          done
      - name: lint
        run: make lint
      - name: build
        run: make build
      - name: test
        run: make test
-      # Build the dind image and run the daemon-facing tests against the docker version it
-      # ships, catching daemon-level regressions (e.g. gitea/runner#981) before release. Runs
-      # after `make test` so the images it needs are already present on the host daemon.
-      - name: test against dind image
-        run: make test-dind
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,88 @@
+name: Bug report
+description: Use this template for reporting bugs/issues.
+labels:
+  - 'kind/bug'
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: act-debug
+    attributes:
+      label: Bug report info
+      render: plain text
+      description: |
+        Output of `act --bug-report`
+      placeholder: |
+        act --bug-report
+    validations:
+      required: true
+  - type: textarea
+    id: act-command
+    attributes:
+      label: Command used with act
+      description: |
+        Please paste your whole command
+      placeholder: |
+        act -P ubuntu-latest=node:12 -v -d ...
+      render: sh
+    validations:
+      required: true
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: Describe issue
+      description: |
+        Also tell us what did you expect to happen?
+      placeholder: |
+        Describe issue
+    validations:
+      required: true
+  - type: input
+    id: repo
+    attributes:
+      label: Link to GitHub repository
+      description: |
+        Provide link to GitHub repository, you can skip it if the repository is private or you don't have it on GitHub, otherwise please provide it as it might help us troubleshoot problem
+      placeholder: |
+        https://github.com/nektos/act
+    validations:
+      required: false
+  - type: textarea
+    id: workflow
+    attributes:
+      label: Workflow content
+      description: |
+        Please paste your **whole** workflow here
+      placeholder: |
+        name: My workflow
+        on: ['push', 'schedule']
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+          env:
+            KEY: VAL
+        [...]
+      render: yml
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. Please verify that the log output doesn't contain any sensitive data.
+      render: sh
+      placeholder: |
+        Use `act -v` for verbose output
+    validations:
+      required: true
+  - type: textarea
+    id: additional-info
+    attributes:
+      label: Additional information
+      placeholder: |
+        Additional information that doesn't fit elsewhere
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Start a discussion
+    url: https://github.com/actions-oss/act-cli/discussions/new
+    about: You can ask for help here!
+  - name: Want to contribute to act?
+    url: https://github.com/actions-oss/act-cli/blob/main/CONTRIBUTING.md
+    about: Be sure to read contributing guidelines!
--- a/.github/ISSUE_TEMPLATE/feature_template.yml
+++ b/.github/ISSUE_TEMPLATE/feature_template.yml
@@ -0,0 +1,28 @@
+name: Feature request
+description: Use this template for requesting a feature/enhancement.
+labels:
+  - 'kind/feature-request'
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please note that incompatibility with GitHub Actions should be opened as a bug report, not a new feature.
+  - type: input
+    id: act-version
+    attributes:
+      label: Act version
+      description: |
+        What version of `act` are you using? Version can be obtained via `act --version`
+        If you've built it from source, please provide commit hash
+      placeholder: |
+        act --version
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Feature description
+      description: Describe feature that you would like to see
+      placeholder: ...
+    validations:
+      required: true
--- a/.github/actions/choco/Dockerfile
+++ b/.github/actions/choco/Dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:3.21
+
+ARG CHOCOVERSION=1.1.0
+
+RUN apk add --no-cache bash ca-certificates git \
+  && apk --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/community add mono mono-dev \
+  && cert-sync /etc/ssl/certs/ca-certificates.crt \
+  && wget "https://github.com/chocolatey/choco/archive/${CHOCOVERSION}.tar.gz" -O- | tar -xzf - \
+  && cd choco-"${CHOCOVERSION}" \
+  && chmod +x build.sh zip.sh \
+  && ./build.sh -v \
+  && mv ./code_drop/chocolatey/console /opt/chocolatey \
+  && mkdir -p /opt/chocolatey/lib \
+  && rm -rf /choco-"${CHOCOVERSION}" \
+  && apk del mono-dev \
+  && rm -rf /var/cache/apk/*
+
+ENV ChocolateyInstall=/opt/chocolatey
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/choco/action.yml
+++ b/.github/actions/choco/action.yml
@@ -0,0 +1,16 @@
+name: 'Chocolatey Packager'
+description: 'Create the choco package and push it'
+inputs:
+  version:
+    description: 'Version of package'
+    required: false
+  apiKey:
+    description: 'API Key for chocolately'
+    required: false
+  push:
+    description: 'Option for if package is going to be pushed'
+    required: false
+    default: 'false'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
--- a/.github/actions/choco/entrypoint.sh
+++ b/.github/actions/choco/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+function choco {
+  mono /opt/chocolatey/choco.exe "$@" --allow-unofficial --nocolor
+}
+
+function get_version {
+  local version=${INPUT_VERSION:-$(git describe --tags)}
+  version=(${version//[!0-9.-]/})
+  local version_parts=(${version//-/ })
+  version=${version_parts[0]}
+  if [ ${#version_parts[@]} -gt 1 ]; then
+    version=${version_parts}.${version_parts[1]}
+  fi
+  echo "$version"
+}
+
+## Determine the version to pack
+VERSION=$(get_version)
+echo "Packing version ${VERSION} of act"
+rm -f act-cli.*.nupkg
+mkdir -p tools
+cp LICENSE tools/LICENSE.txt
+cp VERIFICATION tools/VERIFICATION.txt
+cp dist/act-cli_windows_amd64*/act.exe tools/
+choco pack act-cli.nuspec --version ${VERSION}
+if [[ "$INPUT_PUSH" == "true" ]]; then
+  choco push act-cli.${VERSION}.nupkg --api-key ${INPUT_APIKEY} -s https://push.chocolatey.org/ --timeout 180
+fi
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      dependencies:
+        patterns:
+        - '*'
+  - package-ecosystem: 'gomod'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      dependencies:
+        patterns:
+        - '*'
--- a/.github/workflows/.gitignore
+++ b/.github/workflows/.gitignore
@@ -0,0 +1 @@
+test-*.yml
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -0,0 +1,151 @@
+name: checks
+on: [pull_request, workflow_dispatch]
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  ACT_OWNER: ${{ github.repository_owner }}
+  ACT_REPOSITORY: ${{ github.repository }}
+  CGO_ENABLED: 0
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@v8.0.0
+        with:
+          version: v2.1.6
+      - uses: megalinter/megalinter/flavors/go@v9.1.0
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
+          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
+
+  test-linux:
+    name: test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      - name: Run Tests
+        run: go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
+      - name: Run act from cli
+        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
+      - name: Run act from cli without docker support
+        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
+      - name: Upload Codecov report
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.txt
+          fail_ci_if_error: true # optional (default = false)
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  test-host:
+    strategy:
+      matrix:
+        os:
+          - windows-latest
+          - macos-latest
+    name: test-host-${{matrix.os}}
+    runs-on: ${{matrix.os}}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      - name: Run Tests
+        run: go test -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m -run ^TestRunEventHostEnvironment$ ./...
+        shell: bash
+
+
+  snapshot:
+    name: snapshot
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2
+          args: release --snapshot --clean
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+      - name: Install @actions/artifact
+        run: npm install @actions/artifact
+      - name: Upload All
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const {DefaultArtifactClient} = require('@actions/artifact');
+            const aartifact = new DefaultArtifactClient();
+            var artifacts = JSON.parse(process.env.ARTIFACTS);
+            for(var artifact of artifacts) {
+              if(artifact.type === "Binary") {
+                const {id, size} = await aartifact.uploadArtifact(
+                  // name of the artifact
+                  `${artifact.name}-${artifact.target}`,
+                  // files to include (supports absolute and relative paths)
+                  [artifact.path],
+                  process.cwd(),
+                  {
+                    // optional: how long to retain the artifact
+                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
+                    retentionDays: 10
+                  }
+                );
+                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
+              }
+            }
+        env:
+          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: v0.0.0-pr
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,23 @@
+# Codespell configuration is within .codespellrc
+---
+name: Codespell
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Codespell
+        uses: codespell-project/actions-codespell@v2
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -0,0 +1,30 @@
+name: promote
+on:
+  schedule:
+    - cron: '0 2 1 * *'
+  workflow_dispatch: {}
+
+jobs:
+  release:
+    if: vars.ENABLE_PROMOTE || github.event_name != 'schedule'
+    name: promote
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: master
+          token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+      - uses: fregante/setup-git-user@v2
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - run: make promote
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,72 @@
+name: release
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    # TODO use environment to scope secrets
+    name: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
+      - name: Winget
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: ${{ github.ref }}
+          apiKey: ${{ secrets.CHOCO_APIKEY }}
+          push: true
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
+      # TODO use ssh deployment key
+      - name: GitHub CLI extension
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
+          script: |
+            const mainRef = (await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: 'gh-act',
+              ref: 'heads/main',
+            })).data;
+            console.log(mainRef);
+            github.rest.git.createRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: context.ref,
+              sha: mainRef.object.sha,
+            });
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,23 @@
+name: 'Close stale issues'
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  stale:
+    name: Stale
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'Issue is stale and will be closed in 14 days unless there is new activity'
+          stale-pr-message: 'PR is stale and will be closed in 14 days unless there is new activity'
+          stale-issue-label: 'stale'
+          exempt-issue-labels: 'stale-exempt,kind/feature-request'
+          stale-pr-label: 'stale'
+          exempt-pr-labels: 'stale-exempt'
+          remove-stale-when-updated: 'True'
+          operations-per-run: 500
+          days-before-stale: 180
+          days-before-close: 14
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,8 @@
-/gitea-runner
+/act_runner
 .env
-!/act/runner/testdata/secrets/.env
 .runner
 coverage.txt
+/gitea-vet
 /config.yaml

 # Jetbrains
@@ -11,4 +11,4 @@ coverage.txt
 .vscode
 __debug_bin
 # gorelease binary folder
-/dist
+dist
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -0,0 +1,2 @@
+b910a42edfab7a02b08a52ecef203fd419725642:pkg/container/testdata/docker-pull-options/config.json:generic-api-key:4
+710a3ac94c3dc0eaf680d417c87f37f92b4887f4:pkg/container/docker_pull_test.go:generic-api-key:45
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -13,7 +13,6 @@ linters:
    - forbidigo
    - gocheckcompilerdirectives
    - gocritic
-    - goheader
    - govet
    - ineffassign
    - mirror
@@ -36,61 +35,23 @@ linters:
      rules:
        main:
          deny:
-            - pkg: io/ioutil
-              desc: use os or io instead
-            - pkg: golang.org/x/exp
-              desc: it's experimental and unreliable
            - pkg: github.com/pkg/errors
-              desc: use builtin errors package instead
-    nolintlint:
-      allow-unused: false
-      require-explanation: true
-      require-specific: true
+              desc: Please use "errors" package from standard library
+            - pkg: gotest.tools/v3
+              desc: Please keep tests unified using only github.com/stretchr/testify
+            - pkg: log
+              desc: Please keep logging unified using only github.com/sirupsen/logrus
    gocritic:
-      enabled-checks:
-        - equalFold
      disabled-checks:
        - ifElseChain
-    revive:
-      severity: error
-      rules:
-        - name: blank-imports
-        - name: constant-logical-expr
-        - name: context-as-argument
-        - name: context-keys-type
-        - name: dot-imports
-        - name: empty-lines
-        - name: error-return
-        - name: error-strings
-        - name: exported
-        - name: identical-branches
-        - name: if-return
-        - name: increment-decrement
-        - name: modifies-value-receiver
-        - name: package-comments
-        - name: redefines-builtin-id
-        - name: superfluous-else
-        - name: time-naming
-        - name: unexported-return
-        - name: var-declaration
-        - name: var-naming
-    staticcheck:
-      checks:
-        - all
-        - -ST1005
-    usetesting:
-      os-temp-dir: true
-    perfsprint:
-      concat-loop: false
-    govet:
-      enable:
-        - nilness
-        - unusedwrite
-    goheader:
-      values:
-        regexp:
-          HEADER: 'Copyright \d{4} The Gitea Authors\. All rights reserved\.(\nCopyright [^\n]+)*\nSPDX-License-Identifier: MIT'
-      template: '{{ HEADER }}'
+    gocyclo:
+      min-complexity: 20
+    importas:
+      alias:
+        - pkg: github.com/sirupsen/logrus
+          alias: log
+        - pkg: github.com/stretchr/testify/assert
+          alias: assert
  exclusions:
    generated: lax
    presets:
@@ -98,28 +59,21 @@ linters:
      - common-false-positives
      - legacy
      - std-error-handling
-    rules:
-      - linters:
-          - forbidigo
-        path: cmd
+    paths:
+      - report
+      - third_party$
+      - builtin$
+      - examples$
 issues:
  max-issues-per-linter: 0
  max-same-issues: 0
 formatters:
  enable:
-    - gci
-    - gofumpt
-  settings:
-    gci:
-      custom-order: true
-      sections:
-        - standard
-        - prefix(gitea.com/gitea/runner)
-        - blank
-        - default
-    gofumpt:
-      extra-rules: true
+    - goimports
  exclusions:
    generated: lax
-run:
-  timeout: 10m
+    paths:
+      - report
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.gitea.yml
+++ b/.goreleaser.gitea.yml
@@ -0,0 +1,3 @@
+gitea_urls:
+  api: https://gitea.com/api/v1/
+  download: https://gitea.com/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,7 +1,5 @@
 version: 2

-project_name: gitea-runner
-
 before:
  hooks:
    - go mod tidy
@@ -65,7 +63,7 @@ builds:
  flags:
  - -trimpath
  ldflags:
-  - -s -w -X gitea.com/gitea/runner/internal/pkg/ver.version={{ .Summary }}
+  - -s -w -X gitea.com/gitea/act_runner/internal/pkg/ver.version={{ .Summary }}
  binary: >-
    {{ .ProjectName }}-
    {{- .Version }}-
@@ -88,7 +86,7 @@ blobs:
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    directory: "gitea-runner/{{.Version}}"
+    directory: "act_runner/{{.Version}}"
    extra_files:
      - glob: ./**.xz
      - glob: ./**.sha256
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -0,0 +1,54 @@
+version: 2
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - '386'
+      - arm64
+      - arm
+      - riscv64
+    goarm:
+      - '6'
+      - '7'
+    ignore:
+      - goos: windows
+        goarm: '6'
+    binary: act
+checksum:
+  name_template: 'checksums.txt'
+archives:
+  - name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    format_overrides:
+      - goos: windows
+        formats:
+        - zip
+changelog:
+  groups:
+    - title: 'New Features'
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 0
+    - title: 'Bug fixes'
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 1
+    - title: 'Documentation updates'
+      regexp: "^.*docs[(\\w)]*:+.*$"
+      order: 2
+    - title: 'Other'
+      order: 999
+release:
+  prerelease: auto
+  mode: append
--- a/.markdownlint.yml
+++ b/.markdownlint.yml
@@ -0,0 +1,12 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Line length
+MD013:
+  line_length: 1024
+
+# MD033/no-inline-html - Inline HTML
+MD033: false
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041: false
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -0,0 +1,20 @@
+---
+APPLY_FIXES: none
+DISABLE:
+  - ACTION
+  - BASH
+  - COPYPASTE
+  - DOCKERFILE
+  - GO
+  - JAVASCRIPT
+  - SPELL
+DISABLE_LINTERS:
+  - YAML_YAMLLINT
+  - MARKDOWN_MARKDOWN_TABLE_FORMATTER
+  - MARKDOWN_MARKDOWN_LINK_CHECK
+  - REPOSITORY_CHECKOV
+  - REPOSITORY_TRIVY
+FILTER_REGEX_EXCLUDE: (.*testdata/*|install.sh|pkg/container/docker_cli.go|pkg/container/DOCKER_LICENSE|VERSION)
+MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
+PARALLEL: false
+PRINT_ALPACA: false
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -0,0 +1,98 @@
+
+pull_request_rules:
+  - name: warn on conflicts
+    conditions:
+      - -draft
+      - -closed
+      - -merged
+      - conflict
+    actions:
+      comment:
+        message: '@{{author}} this pull request is now in conflict 😩'
+      label:
+        add:
+          - conflict
+  - name: remove conflict label if not needed
+    conditions:
+      - -conflict
+    actions:
+      label:
+        remove:
+          - conflict
+  - name: warn on needs-work
+    conditions:
+      - -draft
+      - -closed
+      - -merged
+      - or:
+          - check-failure=lint
+          - check-failure=test-linux
+          - check-failure=codecov/patch
+          - check-failure=codecov/project
+          - check-failure=snapshot
+    actions:
+      comment:
+        message: '@{{author}} this pull request has failed checks 🛠'
+      label:
+        add:
+          - needs-work
+  - name: remove needs-work label if not needed
+    conditions:
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    actions:
+      label:
+        remove:
+          - needs-work
+  - name: Automatic maintainer assignment
+    conditions:
+      - '-approved-reviews-by=@nektos/act-maintainers'
+      - -draft
+      - -merged
+      - -closed
+      - -conflict
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    actions:
+      request_reviews:
+        teams:
+          - '@nektos/act-maintainers'
+  - name: Automatic merge on approval
+    conditions: []
+    actions:
+      queue:
+queue_rules:
+  - name: default
+    queue_conditions:
+      - '#changes-requested-reviews-by=0'
+      - or:
+          - 'approved-reviews-by=@nektos/act-committers'
+          - 'author~=^dependabot(|-preview)\[bot\]$'
+          - and:
+              - 'approved-reviews-by=@nektos/act-maintainers'
+              - '#approved-reviews-by>=2'
+          - and:
+              - 'author=@nektos/act-maintainers'
+              - 'approved-reviews-by=@nektos/act-maintainers'
+              - '#approved-reviews-by>=1'
+      - -draft
+      - -merged
+      - -closed
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    merge_conditions:
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    merge_method: squash
--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,2 @@
+**/testdata
+pkg/runner/res
--- a/.prettierrc.yml
+++ b/.prettierrc.yml
@@ -0,0 +1,7 @@
+overrides:
+  - files: '*.yml'
+    options:
+      singleQuote: true
+  - files: '*.json'
+    options:
+      singleQuote: false
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,9 @@
+{
+  "recommendations": [
+    "editorconfig.editorconfig",
+    "golang.go",
+    "davidanson.vscode-markdownlint",
+    "esbenp.prettier-vscode",
+    "redhat.vscode-yaml"
+  ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,14 @@
+{
+  "go.lintTool": "golangci-lint",
+  "go.lintFlags": ["--fix"],
+  "go.testTimeout": "300s",
+  "[json]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[markdown]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[yaml]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  }
+}
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,10 +0,0 @@
- Use `make help` to find available development targets
- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
- Run `make tidy` after any `go.mod` changes
- Run single go unit tests with `go test -run '^TestName$' ./modulepath/`
- Add the current year into the copyright header of new `.go` files
- Ensure no trailing whitespace in edited files
- Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
- Preserve existing code comments, do not remove or rewrite comments that are still relevant
- Include authorship attribution in issue and pull request comments
- Add `Co-Authored-By` lines to all commits, indicating name and model used
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1 +0,0 @@
-@AGENTS.md
--- a/1
+++ b/1
@@ -0,0 +1 @@
+*       @nektos/act-maintainers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,69 @@
+# Contributing to Act
+
+Help wanted! We'd love your contributions to Act. Please review the following guidelines before contributing. Also, feel free to propose changes to these guidelines by updating this file and submitting a pull request.
+
+- [I have a question...](#questions)
+- [I found a bug...](#bugs)
+- [I have a feature request...](#features)
+- [I have a contribution to share...](#process)
+
+## <a id="questions"></a> Have a Question?
+
+Please don't open a GitHub issue for questions about how to use `act`, as the goal is to use issues for managing bugs and feature requests. Issues that are related to general support will be closed and redirected to our gitter room.
+
+For all support related questions, please ask the question in discussions: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/discussions).
+
+## <a id="bugs"></a> Found a Bug?
+
+If you've identified a bug in `act`, please [submit an issue](#issue) to our GitHub repo: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/issues/new). Please also feel free to submit a [Pull Request](#pr) with a fix for the bug!
+
+## <a id="features"></a> Have a Feature Request?
+
+All feature requests should start with [submitting an issue](#issue) documenting the user story and acceptance criteria. Again, feel free to submit a [Pull Request](#pr) with a proposed implementation of the feature.
+
+## <a id="process"></a> Ready to Contribute
+
+### <a id="issue"></a> Create an issue
+
+Before submitting a new issue, please search the issues to make sure there isn't a similar issue doesn't already exist.
+
+Assuming no existing issues exist, please ensure you include required information when submitting the issue to ensure we can quickly reproduce your issue.
+
+We may have additional questions and will communicate through the GitHub issue, so please respond back to our questions to help reproduce and resolve the issue as quickly as possible.
+
+New issues can be created with in our [GitHub repo](https://github.com/actions-oss/act-cli/issues/new).
+
+### <a id="pr"></a>Pull Requests
+
+Pull requests should target the `master` branch. Please also reference the issue from the description of the pull request using [special keyword syntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close. Please send documentation updates for the [act user guide](https://actions-oss.github.io/act-docs/) to [actions-oss/act-docs](https://github.com/actions-oss/act-docs).
+
+### <a id="style"></a> Styleguide
+
+When submitting code, please make every effort to follow existing conventions and style in order to keep the code as readable as possible. Here are a few points to keep in mind:
+
+- Please run `go fmt ./...` before committing to ensure code aligns with go standards.
+- We use [`golangci-lint`](https://golangci-lint.run/) for linting Go code, run `golangci-lint run --fix` before submitting PR. Editors such as Visual Studio Code or JetBrains IntelliJ; with Go support plugin will offer `golangci-lint` automatically.
+- There are additional linters and formatters for files such as Markdown documents or YAML/JSON:
+  - Please refer to the [Makefile](Makefile) or [`lint` job in our workflow](.github/workflows/checks.yml) to see how to those linters/formatters work.
+  - You can lint codebase by running `go run main.go -j lint --env RUN_LOCAL=true` or `act -j lint --env RUN_LOCAL=true`
+  - In `Makefile`, there are tools that require `npx` which is shipped with `nodejs`.
+  - Our `Makefile` exports `GITHUB_TOKEN` from `~/.config/github/token`, you have been warned.
+  - You can run `make pr` to cleanup dependencies, format/lint code and run tests.
+- All dependencies must be defined in the `go.mod` file.
+  - Advanced IDEs and code editors (like VSCode) will take care of that, but to be sure, run `go mod tidy` to validate dependencies.
+- For details on the approved style, check out [Effective Go](https://golang.org/doc/effective_go.html).
+- Before running tests, please be aware that they are multi-architecture so for them to not fail, you need to run `docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64` before ([more info available in #765](https://github.com/nektos/act/issues/765)).
+
+Also, consider the original design principles:
+
+- **Polyglot** - There will be no prescribed language or framework for developing the microservices. The only requirement will be that the service will be run inside a container and exposed via an HTTP endpoint.
+- **Cloud Provider** - At this point, the tool will assume AWS for the cloud provider and will not be written in a cloud agnostic manner. However, this does not preclude refactoring to add support for other providers at a later time.
+- **Declarative** - All resource administration will be handled in a declarative vs. imperative manner. A file will be used to declared the desired state of the resources and the tool will simply assert the actual state matches the desired state. The tool will accomplish this by generating CloudFormation templates.
+- **Stateless** - The tool will not maintain its own state. Rather, it will rely on the CloudFormation stacks to determine the state of the platform.
+- **Secure** - All security will be managed by AWS IAM credentials. No additional authentication or authorization mechanisms will be introduced.
+
+### License
+
+By contributing your code, you agree to license your contribution under the terms of the [MIT License](LICENSE).
+
+All files are released with the MIT license.
--- a/34
+++ b/34
@@ -1,7 +1,7 @@
 ### BUILDER STAGE
 #
 #
-FROM golang:1.26-alpine3.23 AS builder
+FROM golang:1.26-alpine AS builder

 # Do not remove `git` here, it is required for getting runner version when executing `make build`
 RUN apk add --no-cache make git
@@ -9,24 +9,19 @@ RUN apk add --no-cache make git
 ARG GOPROXY
 ENV GOPROXY=${GOPROXY:-}

-COPY . /opt/src/runner
-WORKDIR /opt/src/runner
+COPY . /opt/src/act_runner
+WORKDIR /opt/src/act_runner

 RUN make clean && make build

 ### DIND VARIANT
 #
 #
-FROM docker:29.5.2-dind AS dind
-
-ARG VERSION=dev
-
-LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
-LABEL org.opencontainers.image.version="${VERSION}"
+FROM docker:28-dind AS dind

 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -37,17 +32,12 @@ ENTRYPOINT ["s6-svscan","/etc/s6"]
 ### DIND-ROOTLESS VARIANT
 #
 #
-FROM docker:29.5.2-dind-rootless AS dind-rootless
-
-ARG VERSION=dev
-
-LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
-LABEL org.opencontainers.image.version="${VERSION}"
+FROM docker:28-dind-rootless AS dind-rootless

 USER root
 RUN apk add --no-cache s6 bash git tzdata

-COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
 COPY scripts/run.sh /usr/local/bin/run.sh
 COPY scripts/s6 /etc/s6

@@ -63,16 +53,10 @@ ENTRYPOINT ["s6-svscan","/etc/s6"]
 ### BASIC VARIANT
 #
 #
-FROM alpine:3.23 AS basic
-
-ARG VERSION=dev
-
-LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
-LABEL org.opencontainers.image.version="${VERSION}"
-
+FROM alpine AS basic
 RUN apk add --no-cache tini bash git tzdata

-COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
 COPY scripts/run.sh /usr/local/bin/run.sh

 VOLUME /data
--- a/116
+++ b/116
@@ -1,30 +1,32 @@
 DIST := dist
-EXECUTABLE := gitea-runner
+EXECUTABLE := act_runner
+GOFMT ?= gofumpt -l
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
 XGO_VERSION := go-1.26.x
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
+GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
 DARWIN_ARCHS ?= darwin-12/amd64,darwin-12/arm64
 WINDOWS_ARCHS ?= windows/amd64
+GO_FMT_FILES := $(shell find . -type f -name "*.go" ! -name "generated.*")
 GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "generated.*")

-DOCKER_IMAGE ?= gitea/runner
+DOCKER_IMAGE ?= gitea/act_runner
 DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless

-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.3.0
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1

-STATIC ?=
-EXTLDFLAGS ?=
-ifneq ($(STATIC),)
-	EXTLDFLAGS = -extldflags "-static"
+ifneq ($(shell uname), Darwin)
+	EXTLDFLAGS = -extldflags "-static" $(null)
+else
+	EXTLDFLAGS =
 endif

 ifeq ($(HAS_GO), GO)
@@ -66,19 +68,19 @@ else
 	endif
 endif

-TAGS ?=
-LDFLAGS ?= -X "gitea.com/gitea/runner/internal/pkg/ver.version=v$(RELASE_VERSION)"
+GO_PACKAGES_TO_VET ?= $(filter-out gitea.com/gitea/act_runner/internal/pkg/client/mocks,$(shell $(GO) list ./...))
+
+
+TAGS ?=
+LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)"

-.PHONY: all
 all: build

-.PHONY: help
-help: Makefile ## print Makefile help information.
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile
-
-.PHONY: fmt
-fmt: ## format the Go code
-	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt
+fmt:
+	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GO) install mvdan.cc/gofumpt@latest; \
+	fi
+	$(GOFMT) -w $(GO_FMT_FILES)

 .PHONY: go-check
 go-check:
@@ -86,29 +88,28 @@ go-check:
 	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
 	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
+		echo "Act Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
 		exit 1; \
 	fi

 .PHONY: fmt-check
-fmt-check: fmt
-	@diff=$$(git diff --color=always); \
+fmt-check:
+	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GO) install mvdan.cc/gofumpt@latest; \
+	fi
+	@diff=$$($(GOFMT) -d $(GO_FMT_FILES)); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make fmt' and commit the result:"; \
-		printf "%s" "$${diff}"; \
+		echo "$${diff}"; \
 		exit 1; \
-	fi
+	fi;

 .PHONY: deps-tools
 deps-tools: ## install tool dependencies
-	$(GO) install $(GOLANGCI_LINT_PACKAGE) & \
-	$(GO) install $(GXZ_PACKAGE) & \
-	$(GO) install $(XGO_PACKAGE) & \
-	$(GO) install $(GOVULNCHECK_PACKAGE) & \
-	wait
+	$(GO) install $(GOVULNCHECK_PACKAGE)

 .PHONY: lint
-lint: lint-go ## lint everything
+lint: lint-go vet

 .PHONY: lint-go
 lint-go: ## lint go files
@@ -118,72 +119,69 @@ lint-go: ## lint go files
 lint-go-fix: ## lint go files and fix issues
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix

-.PHONY: lint-pr-title
-lint-pr-title: ## lint PR title against Conventional Commits (set PR_TITLE=...)
-	@node ./tools/lint-pr-title.ts
-
 .PHONY: security-check
 security-check: deps-tools
 	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true

 .PHONY: tidy
-tidy: ## run go mod tidy
+tidy:
 	$(GO) mod tidy

 .PHONY: tidy-check
 tidy-check: tidy
-	@diff=$$(git diff --color=always -- go.mod go.sum); \
+	@diff=$$(git diff -- go.mod go.sum); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make tidy' and commit the result:"; \
-		printf "%s" "$${diff}"; \
+		echo "$${diff}"; \
 		exit 1; \
 	fi

-.PHONY: test
-test: fmt-check security-check ## test everything (integration tests self-skip without docker/network)
-	@$(GO) test -race -timeout 20m -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+test: fmt-check security-check
+	@$(GO) test -race -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1

-.PHONY: test-dind
-test-dind: ## run the daemon-facing tests against the built dind image (TARGET=dind|dind-rootless)
-	@./scripts/test-dind.sh $(TARGET)
+.PHONY: vet
+vet:
+	@echo "Running go vet..."
+	@$(GO) build code.gitea.io/gitea-vet
+	@$(GO) vet -vettool=gitea-vet $(GO_PACKAGES_TO_VET)

-.PHONY: install
-install: $(GOFILES) ## install the runner binary via `go install`
-	$(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)'
+install: $(GOFILES)
+	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'

-.PHONY: build
-build: go-check $(EXECUTABLE) ## build the runner binary
+build: go-check $(EXECUTABLE)

 $(EXECUTABLE): $(GOFILES)
-	$(GO) build -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@
+	$(GO) build -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o $@

 .PHONY: deps-backend
-deps-backend: ## install backend dependencies
+deps-backend:
 	$(GO) mod download
+	$(GO) install $(GXZ_PAGAGE)
+	$(GO) install $(XGO_PACKAGE)

 .PHONY: release
-release: release-windows release-linux release-darwin release-copy release-compress release-check ## build release artifacts
+release: release-windows release-linux release-darwin release-copy release-compress release-check

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif
@@ -198,20 +196,18 @@ release-check: | $(DIST_DIRS)

 .PHONY: release-compress
 release-compress: | $(DIST_DIRS)
-	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PACKAGE) -k -9 $${file}; done;
+	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PAGAGE) -k -9 $${file}; done;

 .PHONY: docker
-docker: ## build the docker image
+docker:
 	if ! docker buildx version >/dev/null 2>&1; then \
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .

-.PHONY: clean
-clean: ## delete binary and coverage files
+clean:
 	$(GO) clean -x -i ./...
 	rm -rf coverage.txt $(EXECUTABLE) $(DIST)

-.PHONY: version
-version: ## print the version
+version:
 	@echo $(VERSION)
--- a/README.md
+++ b/README.md
@@ -1,4 +1,6 @@
-# Gitea Runner
+# act runner
+
+Act runner is a runner for Gitea based on [Gitea fork](https://gitea.com/gitea/act) of [act](https://github.com/nektos/act).

 ## Installation

@@ -8,7 +10,7 @@ Docker Engine Community version is required for docker mode. To install Docker C

 ### Download pre-built binary

-Visit [here](https://dl.gitea.com/gitea-runner/) and download the right version for your platform.
+Visit [here](https://dl.gitea.com/act_runner/) and download the right version for your platform.

 ### Build from source

@@ -24,8 +26,8 @@ make docker

 ## Quickstart

-Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it:
-
+Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it: 
+  
 ```ini
 [actions]
 ENABLED=true
@@ -34,7 +36,7 @@ ENABLED=true
 ### Register

 ```bash
-./gitea-runner register
+./act_runner register
 ```

 And you will be asked to input:
@@ -66,7 +68,7 @@ INFO Runner registered successfully.
 You can also register with command line arguments.

 ```bash
-./gitea-runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
+./act_runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
 ```

 If the registry succeed, it will run immediately. Next time, you could run the runner directly.
@@ -74,69 +76,32 @@ If the registry succeed, it will run immediately. Next time, you could run the r
 ### Run

 ```bash
-./gitea-runner daemon
+./act_runner daemon
 ```

 ### Run with docker

 ```bash
-docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/runner:nightly
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/act_runner:nightly
 ```

-Mount a volume on `/data` if you want the registration file and optional config to survive container recreation (see [scripts/run.sh](scripts/run.sh)).
-
 ### Configuration

-The runner is configured with a YAML file. Generate a starting point (this matches what ships in the tree):
+You can also configure the runner with a configuration file.
+The configuration file is a YAML file, you can generate a sample configuration file with `./act_runner generate-config`.

 ```bash
-./gitea-runner generate-config > config.yaml
+./act_runner generate-config > config.yaml
 ```

-Pass it with `-c` / `--config` on any command that loads configuration (`register`, `daemon`, `cache-server`):
+You can specify the configuration file path with `-c`/`--config` argument.

 ```bash
-./gitea-runner -c config.yaml register
-./gitea-runner -c config.yaml daemon
-./gitea-runner -c config.yaml cache-server
+./act_runner -c config.yaml register # register with config file
+./act_runner -c config.yaml daemon # run with config file
 ```

-Every option is described in [config.example.yaml](internal/pkg/config/config.example.yaml) (the same content `generate-config` prints).
-
-#### Without a config file
-
-If you omit `-c`, built-in defaults apply (same as an empty YAML document). A small set of **deprecated** environment variables can still override parts of that default config, but **only when no `-c` path was given**; they are ignored if you use a config file:
-
-| Variable | Effect |
-| --- | --- |
-| `GITEA_DEBUG` | If true, sets log level to `debug` |
-| `GITEA_TRACE` | If true, sets log level to `trace` |
-| `GITEA_RUNNER_CAPACITY` | Concurrent jobs (integer) |
-| `GITEA_RUNNER_FILE` | Registration state file path (default `.runner`) |
-| `GITEA_RUNNER_ENVIRON` | Extra job env vars as comma-separated `KEY:VALUE` pairs |
-| `GITEA_RUNNER_ENV_FILE` | Path to an env file merged into job env (same idea as `runner.env_file` in YAML) |
-
-Prefer a YAML file for all settings.
-
-#### Registration vs config labels
-
-If `runner.labels` is set in the YAML file, those labels are used during `register` and the `--labels` CLI flag is ignored.
-
-#### External cache (`actions/cache`)
-
-If `cache.external_server` is set, you must set `cache.external_secret` to the same value on this runner and on the standalone cache server. Run the server with `gitea-runner cache-server` using a config that defines `cache.external_secret` (and matching `cache.dir` / host / port as needed). Flags `--dir`, `--host`, and `--port` on `cache-server` override the file.
-
-#### Official Docker image
-
-Besides `GITEA_INSTANCE_URL` and `GITEA_RUNNER_REGISTRATION_TOKEN`, the image entrypoint supports optional variables such as `CONFIG_FILE` (passed through as `-c`), `GITEA_RUNNER_LABELS`, `GITEA_RUNNER_EPHEMERAL`, `GITEA_RUNNER_ONCE`, `GITEA_RUNNER_NAME`, `GITEA_MAX_REG_ATTEMPTS`, `RUNNER_STATE_FILE`, and `GITEA_RUNNER_REGISTRATION_TOKEN_FILE`. See [scripts/run.sh](scripts/run.sh) for exact behavior.
-
-For a fuller container-oriented walkthrough, see [examples/docker](examples/docker/README.md).
-
-When `container.bind_workdir` is enabled, stale task workspace directories can be cleaned while the runner is idle:
- directories older than `runner.workdir_cleanup_age` are removed (default: `24h`; set `0` to disable)
- cleanup runs every `runner.idle_cleanup_interval` (default: `10m`; set `0` to disable)
- only purely numeric subdirectories under `container.workdir_parent` are treated as task workspaces and may be removed
- cleanup assumes `container.workdir_parent` is not shared across multiple runners
+You can read the latest version of the configuration file online at [config.example.yaml](internal/pkg/config/config.example.yaml).

 ### Example Deployments

--- a/5
+++ b/5
@@ -0,0 +1,5 @@
+VERIFICATION
+Verification is intended to assist the Chocolatey moderators and community
+in verifying that this package's contents are trustworthy.
+
+Checksums: https://github.com/nektos/act/releases, in the checksums.txt file
--- a/1
+++ b/1
@@ -0,0 +1 @@
+0.4.0
--- a/act-cli.nuspec
+++ b/act-cli.nuspec
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>act-cli</id>
+    <version>0.0.0</version>
+    <packageSourceUrl>https://github.com/nektos/act</packageSourceUrl>
+    <owners>nektos</owners>
+    <title>act (GitHub Actions CLI)</title>
+    <authors>nektos</authors>
+    <projectUrl>https://github.com/nektos/act</projectUrl>
+    <iconUrl>https://raw.githubusercontent.com/wiki/nektos/act/img/logo-150.png</iconUrl>
+    <copyright>Nektos</copyright>
+    <licenseUrl>https://raw.githubusercontent.com/nektos/act/master/LICENSE</licenseUrl>
+    <requireLicenseAcceptance>true</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/nektos/act</projectSourceUrl>
+    <docsUrl>https://raw.githubusercontent.com/nektos/act/master/README.md</docsUrl>
+    <bugTrackerUrl>https://github.com/nektos/act/issues</bugTrackerUrl>
+    <tags>act github-actions actions golang ci devops</tags>
+    <summary>Run your GitHub Actions locally 🚀</summary>
+    <description>Run your GitHub Actions locally 🚀</description>
+  </metadata>
+  <files>
+    <file src="tools/**" target="tools" />
+  </files>
+</package>
--- a/act/artifactcache/handler.go
+++ b/act/artifactcache/handler.go
@@ -1,879 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2023 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package artifactcache
-
-import (
-	"context"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/url"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"gitea.com/gitea/runner/act/common"
-
-	"github.com/julienschmidt/httprouter"
-	"github.com/sirupsen/logrus"
-	"github.com/timshannon/bolthold"
-	"go.etcd.io/bbolt"
-)
-
-const (
-	apiPath      = "/_apis/artifactcache"
-	internalPath = "/_internal"
-
-	// artifactURLTTL bounds how long a signed artifactLocation URL stays valid.
-	// Short enough that a leaked URL is near-worthless; long enough to let the
-	// @actions/cache client download a big blob that was returned from /cache.
-	artifactURLTTL = 10 * time.Minute
-)
-
-type credKey struct{}
-
-// JobCredential ties a per-job bearer token (ACTIONS_RUNTIME_TOKEN) to the
-// repository that owns it. Every cache entry is stamped with Repo on
-// reserve/commit and checked on read/write so one repo can never observe or
-// poison another repo's cache, even from inside a container that reaches the
-// cache server over the docker bridge network.
-type JobCredential struct {
-	Repo string
-}
-
-// credEntry holds a registered job's credential along with an active
-// registration count. RegisterJob is reference-counted so that if two tasks
-// briefly share an ACTIONS_RUNTIME_TOKEN — e.g. a runner that retries a task
-// after a crash before the old registration is revoked — the first task's
-// revoker does not cut the second task's auth out from under it.
-type credEntry struct {
-	cred JobCredential
-	refs int
-}
-
-type Handler struct {
-	dir      string
-	storage  *Storage
-	router   *httprouter.Router
-	listener net.Listener
-	server   *http.Server
-	logger   logrus.FieldLogger
-
-	gcing atomic.Bool
-	gcAt  time.Time
-
-	outboundIP string
-
-	// internalSecret guards /_internal/{register,revoke}. When set, a remote
-	// runner can use these endpoints to pre-register per-job
-	// ACTIONS_RUNTIME_TOKENs against this server, enabling the same
-	// per-job auth and repo scoping as the embedded handler over the
-	// network. Empty disables the control-plane entirely.
-	internalSecret string
-
-	// secret signs short-lived artifact download URLs. The @actions/cache
-	// toolkit does not send Authorization on the download request, so blob
-	// GETs authenticate via a per-URL HMAC signature with expiry rather than
-	// via the bearer token used for management endpoints.
-	secret []byte
-
-	credMu sync.RWMutex
-	creds  map[string]*credEntry
-}
-
-// StartHandler opens the on-disk cache store and starts the HTTP server.
-//
-// internalSecret, when non-empty, enables a control-plane API at
-// /_internal/{register,revoke} that lets a remote runner pre-register the
-// per-job ACTIONS_RUNTIME_TOKENs it expects this server to honor. The
-// embedded in-process handler leaves it empty and registers tokens via the
-// in-process RegisterJob method directly.
-func StartHandler(dir, outboundIP string, port uint16, internalSecret string, logger logrus.FieldLogger) (*Handler, error) {
-	h := &Handler{
-		creds:          make(map[string]*credEntry),
-		internalSecret: internalSecret,
-	}
-
-	if logger == nil {
-		discard := logrus.New()
-		discard.Out = io.Discard
-		logger = discard
-	}
-	logger = logger.WithField("module", "artifactcache")
-	h.logger = logger
-
-	if dir == "" {
-		home, err := os.UserHomeDir()
-		if err != nil {
-			return nil, err
-		}
-		dir = filepath.Join(home, ".cache", "actcache")
-	}
-	if err := os.MkdirAll(dir, 0o755); err != nil {
-		return nil, err
-	}
-
-	h.dir = dir
-
-	storage, err := NewStorage(filepath.Join(dir, "cache"))
-	if err != nil {
-		return nil, err
-	}
-	h.storage = storage
-
-	if outboundIP != "" {
-		h.outboundIP = outboundIP
-	} else if ip := common.GetOutboundIP(); ip == nil {
-		return nil, errors.New("unable to determine outbound IP address")
-	} else {
-		h.outboundIP = ip.String()
-	}
-
-	secret, err := loadOrCreateSecret(dir)
-	if err != nil {
-		return nil, err
-	}
-	h.secret = secret
-
-	router := httprouter.New()
-	router.GET(apiPath+"/cache", h.bearerAuth(h.find))
-	router.POST(apiPath+"/caches", h.bearerAuth(h.reserve))
-	router.PATCH(apiPath+"/caches/:id", h.bearerAuth(h.upload))
-	router.POST(apiPath+"/caches/:id", h.bearerAuth(h.commit))
-	router.POST(apiPath+"/clean", h.bearerAuth(h.clean))
-	// Artifact GET is signed via query-string HMAC because @actions/cache
-	// does not attach Authorization when downloading archiveLocation.
-	router.GET(apiPath+"/artifacts/:id", h.signedURLAuth(h.get))
-	// Control-plane: a remote runner registers/revokes per-job tokens so the
-	// cache API can authenticate them. Always wired so the routes exist; the
-	// handlers themselves 401 when internalSecret is unset.
-	router.POST(internalPath+"/register", h.internalAuth(h.internalRegister))
-	router.POST(internalPath+"/revoke", h.internalAuth(h.internalRevoke))
-
-	h.router = router
-
-	h.gcCache()
-
-	// Listen on all interfaces. Binding to outboundIP only would give no real
-	// security benefit (it is the LAN/internet-facing address either way) and
-	// can break Docker Desktop variants where the host's outbound IP is not
-	// routable from inside the container network. Authentication is enforced
-	// by the bearer middleware and per-repo scoping, not by reachability.
-	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
-	if err != nil {
-		return nil, err
-	}
-	server := &http.Server{
-		ReadHeaderTimeout: 2 * time.Second,
-		Handler:           router,
-	}
-	go func() {
-		if err := server.Serve(listener); err != nil && errors.Is(err, net.ErrClosed) {
-			logger.Errorf("http serve: %v", err)
-		}
-	}()
-	h.listener = listener
-	h.server = server
-
-	return h, nil
-}
-
-func (h *Handler) ExternalURL() string {
-	// TODO: make the external url configurable if necessary
-	return fmt.Sprintf("http://%s:%d",
-		h.outboundIP,
-		h.listener.Addr().(*net.TCPAddr).Port)
-}
-
-// RegisterJob makes token a valid bearer credential for cache requests from
-// the given repository and returns a function that removes it. The runner
-// calls this at job start and defers the returned func so that the credential
-// is only accepted while the job is running.
-//
-// Registrations are reference-counted: if a token is already registered, the
-// existing repo is kept and the refcount is incremented. The entry is
-// removed only when every revoker returned by RegisterJob has been called.
-// This keeps a stray re-registration from silently revoking a live job.
-func (h *Handler) RegisterJob(token, repo string) func() {
-	if h == nil || token == "" {
-		return func() {}
-	}
-	h.credMu.Lock()
-	if existing, ok := h.creds[token]; ok {
-		existing.refs++
-	} else {
-		h.creds[token] = &credEntry{
-			cred: JobCredential{Repo: repo},
-			refs: 1,
-		}
-	}
-	h.credMu.Unlock()
-	return func() {
-		h.credMu.Lock()
-		if entry, ok := h.creds[token]; ok {
-			entry.refs--
-			if entry.refs <= 0 {
-				delete(h.creds, token)
-			}
-		}
-		h.credMu.Unlock()
-	}
-}
-
-// RevokeJob explicitly revokes one registration of token, mirroring one call
-// of the closure returned by RegisterJob. Used by the control-plane endpoint
-// so a remote runner can revoke without holding the closure.
-func (h *Handler) RevokeJob(token string) {
-	if h == nil || token == "" {
-		return
-	}
-	h.credMu.Lock()
-	if entry, ok := h.creds[token]; ok {
-		entry.refs--
-		if entry.refs <= 0 {
-			delete(h.creds, token)
-		}
-	}
-	h.credMu.Unlock()
-}
-
-func (h *Handler) lookupCredential(token string) (JobCredential, bool) {
-	h.credMu.RLock()
-	entry, ok := h.creds[token]
-	h.credMu.RUnlock()
-	if !ok {
-		return JobCredential{}, false
-	}
-	return entry.cred, true
-}
-
-// loadOrCreateSecret returns the 32-byte HMAC signing key for artifact URLs,
-// persisted in dir/.secret so signed URLs handed out before a restart stay
-// valid across the restart and so the standalone cache-server can be pointed
-// at by config.Cache.ExternalServer without the URL rotating.
-func loadOrCreateSecret(dir string) ([]byte, error) {
-	path := filepath.Join(dir, ".secret")
-	if data, err := os.ReadFile(path); err == nil {
-		if secret, err := hex.DecodeString(strings.TrimSpace(string(data))); err == nil && len(secret) >= 32 {
-			return secret, nil
-		}
-	} else if !os.IsNotExist(err) {
-		return nil, fmt.Errorf("read cache secret: %w", err)
-	}
-	secret := make([]byte, 32)
-	if _, err := rand.Read(secret); err != nil {
-		return nil, fmt.Errorf("generate cache secret: %w", err)
-	}
-	if err := os.WriteFile(path, []byte(hex.EncodeToString(secret)), 0o600); err != nil {
-		return nil, fmt.Errorf("write cache secret: %w", err)
-	}
-	return secret, nil
-}
-
-func (h *Handler) Close() error {
-	if h == nil {
-		return nil
-	}
-	var retErr error
-	if h.server != nil {
-		err := h.server.Close()
-		if err != nil {
-			retErr = err
-		}
-		h.server = nil
-	}
-	if h.listener != nil {
-		err := h.listener.Close()
-		if errors.Is(err, net.ErrClosed) {
-			err = nil
-		}
-		if err != nil {
-			retErr = err
-		}
-		h.listener = nil
-	}
-	return retErr
-}
-
-func (h *Handler) openDB() (*bolthold.Store, error) {
-	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
-		Encoder: json.Marshal,
-		Decoder: json.Unmarshal,
-		Options: &bbolt.Options{
-			Timeout:      5 * time.Second,
-			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
-			FreelistType: bbolt.DefaultOptions.FreelistType,
-		},
-	})
-}
-
-// GET /_apis/artifactcache/cache
-func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	cred := credFromContext(r.Context())
-	keys := strings.Split(r.URL.Query().Get("keys"), ",")
-	version := r.URL.Query().Get("version")
-
-	db, err := h.openDB()
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	defer db.Close()
-
-	cache, err := findCache(db, cred.Repo, keys, version)
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	if cache == nil {
-		h.responseJSON(w, r, 204)
-		return
-	}
-
-	if ok, err := h.storage.Exist(cache.ID); err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	} else if !ok {
-		_ = db.Delete(cache.ID, cache)
-		h.responseJSON(w, r, 204)
-		return
-	}
-	h.responseJSON(w, r, 200, map[string]any{
-		"result":          "hit",
-		"archiveLocation": h.signedArtifactURL(cache.ID, time.Now().Add(artifactURLTTL)),
-		"cacheKey":        cache.Key,
-	})
-}
-
-// POST /_apis/artifactcache/caches
-func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	cred := credFromContext(r.Context())
-	api := &Request{}
-	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
-		h.responseJSON(w, r, 400, err)
-		return
-	}
-
-	cache := api.ToCache()
-	cache.Repo = cred.Repo
-	db, err := h.openDB()
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	defer db.Close()
-
-	now := time.Now().Unix()
-	cache.CreatedAt = now
-	cache.UsedAt = now
-	if err := insertCache(db, cache); err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	h.responseJSON(w, r, 200, map[string]any{
-		"cacheId": cache.ID,
-	})
-}
-
-// PATCH /_apis/artifactcache/caches/:id
-func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-	cred := credFromContext(r.Context())
-	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
-	if err != nil {
-		h.responseJSON(w, r, 400, err)
-		return
-	}
-
-	cache := &Cache{}
-	db, err := h.openDB()
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	defer db.Close()
-	if err := db.Get(id, cache); err != nil {
-		if errors.Is(err, bolthold.ErrNotFound) {
-			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
-			return
-		}
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-
-	if cache.Repo != cred.Repo {
-		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
-		return
-	}
-
-	if cache.Complete {
-		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
-		return
-	}
-	db.Close()
-	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
-	if err != nil {
-		h.responseJSON(w, r, 400, err)
-		return
-	}
-	if err := h.storage.Write(cache.ID, start, r.Body); err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	h.useCache(id)
-	h.responseJSON(w, r, 200)
-}
-
-// POST /_apis/artifactcache/caches/:id
-func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-	cred := credFromContext(r.Context())
-	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
-	if err != nil {
-		h.responseJSON(w, r, 400, err)
-		return
-	}
-
-	cache := &Cache{}
-	db, err := h.openDB()
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	defer db.Close()
-	if err := db.Get(id, cache); err != nil {
-		if errors.Is(err, bolthold.ErrNotFound) {
-			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
-			return
-		}
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-
-	if cache.Repo != cred.Repo {
-		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
-		return
-	}
-
-	if cache.Complete {
-		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
-		return
-	}
-
-	db.Close()
-
-	size, err := h.storage.Commit(cache.ID, cache.Size)
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
-	cache.Size = size
-
-	db, err = h.openDB()
-	if err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-	defer db.Close()
-
-	cache.Complete = true
-	if err := db.Update(cache.ID, cache); err != nil {
-		h.responseJSON(w, r, 500, err)
-		return
-	}
-
-	h.responseJSON(w, r, 200)
-}
-
-// GET /_apis/artifactcache/artifacts/:id
-// Authenticated via signed URL (see signedURLAuth), not bearer, because the
-// @actions/cache toolkit downloads archiveLocation without Authorization.
-// Repository scoping is already enforced at find() time; the signature binds
-// the URL to the specific cache ID and an expiry.
-func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
-	if err != nil {
-		h.responseJSON(w, r, 400, err)
-		return
-	}
-	h.useCache(id)
-	h.storage.Serve(w, r, uint64(id))
-}
-
-// POST /_apis/artifactcache/clean
-func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	// TODO: don't support force deleting cache entries
-	// see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-
-	h.responseJSON(w, r, 200)
-}
-
-// bearerAuth resolves ACTIONS_RUNTIME_TOKEN against the set of currently
-// registered jobs. A match attaches the job's JobCredential to the request
-// context; a miss returns 401 before the handler body runs.
-func (h *Handler) bearerAuth(handler httprouter.Handle) httprouter.Handle {
-	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
-		token := bearerToken(r)
-		if token == "" {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing bearer token"))
-			return
-		}
-		cred, ok := h.lookupCredential(token)
-		if !ok {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("unknown bearer token"))
-			return
-		}
-		ctx := context.WithValue(r.Context(), credKey{}, cred)
-		handler(w, r.WithContext(ctx), params)
-		go h.gcCache()
-	}
-}
-
-func (h *Handler) signedURLAuth(handler httprouter.Handle) httprouter.Handle {
-	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
-		id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
-		if err != nil {
-			h.responseJSON(w, r, 400, err)
-			return
-		}
-		expStr := r.URL.Query().Get("exp")
-		sig := r.URL.Query().Get("sig")
-		if expStr == "" || sig == "" {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing signature"))
-			return
-		}
-		exp, err := strconv.ParseInt(expStr, 10, 64)
-		if err != nil {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("invalid expiry"))
-			return
-		}
-		if time.Now().Unix() > exp {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("signature expired"))
-			return
-		}
-		expected := h.computeSignature(id, exp)
-		if !hmac.Equal([]byte(sig), []byte(expected)) {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("bad signature"))
-			return
-		}
-		handler(w, r, params)
-		go h.gcCache()
-	}
-}
-
-// internalAuth gates the control-plane endpoints. The bearer must
-// constant-time-equal the configured internalSecret. If the secret is empty,
-// the control-plane is disabled and every request gets 404 — which matches
-// the upstream nektos/act behavior of "the route does not exist".
-func (h *Handler) internalAuth(handler httprouter.Handle) httprouter.Handle {
-	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-		if h.internalSecret == "" {
-			http.NotFound(w, r)
-			return
-		}
-		token := bearerToken(r)
-		if token == "" || !hmac.Equal([]byte(token), []byte(h.internalSecret)) {
-			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("internal: bad secret"))
-			return
-		}
-		handler(w, r, params)
-	}
-}
-
-type internalRegisterBody struct {
-	Token string `json:"token"`
-	Repo  string `json:"repo"`
-}
-
-type internalRevokeBody struct {
-	Token string `json:"token"`
-}
-
-// POST /_internal/register
-func (h *Handler) internalRegister(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	var body internalRegisterBody
-	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
-		h.responseJSON(w, r, http.StatusBadRequest, err)
-		return
-	}
-	if body.Token == "" {
-		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
-		return
-	}
-	h.RegisterJob(body.Token, body.Repo)
-	h.responseJSON(w, r, http.StatusOK)
-}
-
-// POST /_internal/revoke
-func (h *Handler) internalRevoke(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	var body internalRevokeBody
-	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
-		h.responseJSON(w, r, http.StatusBadRequest, err)
-		return
-	}
-	if body.Token == "" {
-		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
-		return
-	}
-	h.RevokeJob(body.Token)
-	h.responseJSON(w, r, http.StatusOK)
-}
-
-func bearerToken(r *http.Request) string {
-	auth := r.Header.Get("Authorization")
-	const prefix = "Bearer "
-	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
-		return auth[len(prefix):]
-	}
-	return ""
-}
-
-func credFromContext(ctx context.Context) JobCredential {
-	if cred, ok := ctx.Value(credKey{}).(JobCredential); ok {
-		return cred
-	}
-	return JobCredential{}
-}
-
-func (h *Handler) computeSignature(cacheID, exp int64) string {
-	mac := hmac.New(sha256.New, h.secret)
-	fmt.Fprintf(mac, "%d:%d", cacheID, exp)
-	return hex.EncodeToString(mac.Sum(nil))
-}
-
-func (h *Handler) signedArtifactURL(cacheID uint64, exp time.Time) string {
-	expUnix := exp.Unix()
-	sig := h.computeSignature(int64(cacheID), expUnix)
-	q := url.Values{}
-	q.Set("exp", strconv.FormatInt(expUnix, 10))
-	q.Set("sig", sig)
-	return fmt.Sprintf("%s%s/artifacts/%d?%s", h.ExternalURL(), apiPath, cacheID, q.Encode())
-}
-
-// if not found, return (nil, nil) instead of an error.
-func findCache(db *bolthold.Store, repo string, keys []string, version string) (*Cache, error) {
-	cache := &Cache{}
-	for _, prefix := range keys {
-		// if a key in the list matches exactly, don't return partial matches
-		if err := db.FindOne(cache,
-			bolthold.Where("Repo").Eq(repo).
-				And("Key").Eq(prefix).
-				And("Version").Eq(version).
-				And("Complete").Eq(true).
-				SortBy("CreatedAt").Reverse()); err == nil || !errors.Is(err, bolthold.ErrNotFound) {
-			if err != nil {
-				return nil, fmt.Errorf("find cache: %w", err)
-			}
-			return cache, nil
-		}
-		prefixPattern := "^" + regexp.QuoteMeta(prefix)
-		re, err := regexp.Compile(prefixPattern)
-		if err != nil {
-			continue
-		}
-		if err := db.FindOne(cache,
-			bolthold.Where("Repo").Eq(repo).
-				And("Key").RegExp(re).
-				And("Version").Eq(version).
-				And("Complete").Eq(true).
-				SortBy("CreatedAt").Reverse()); err != nil {
-			if errors.Is(err, bolthold.ErrNotFound) {
-				continue
-			}
-			return nil, fmt.Errorf("find cache: %w", err)
-		}
-		return cache, nil
-	}
-	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-}
-
-func insertCache(db *bolthold.Store, cache *Cache) error {
-	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
-		return fmt.Errorf("insert cache: %w", err)
-	}
-	// write back id to db
-	if err := db.Update(cache.ID, cache); err != nil {
-		return fmt.Errorf("write back id to db: %w", err)
-	}
-	return nil
-}
-
-func (h *Handler) useCache(id int64) {
-	db, err := h.openDB()
-	if err != nil {
-		return
-	}
-	defer db.Close()
-	cache := &Cache{}
-	if err := db.Get(id, cache); err != nil {
-		return
-	}
-	cache.UsedAt = time.Now().Unix()
-	_ = db.Update(cache.ID, cache)
-}
-
-const (
-	keepUsed   = 30 * 24 * time.Hour
-	keepUnused = 7 * 24 * time.Hour
-	keepTemp   = 5 * time.Minute
-	keepOld    = 5 * time.Minute
-)
-
-func (h *Handler) gcCache() {
-	if h.gcing.Load() {
-		return
-	}
-	if !h.gcing.CompareAndSwap(false, true) {
-		return
-	}
-	defer h.gcing.Store(false)
-
-	if time.Since(h.gcAt) < time.Hour {
-		h.logger.Debugf("skip gc: %v", h.gcAt.String())
-		return
-	}
-	h.gcAt = time.Now()
-	h.logger.Debugf("gc: %v", h.gcAt.String())
-
-	db, err := h.openDB()
-	if err != nil {
-		return
-	}
-	defer db.Close()
-
-	// Remove the caches which are not completed for a while, they are most likely to be broken.
-	var caches []*Cache
-	if err := db.Find(&caches, bolthold.
-		Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix()).
-		And("Complete").Eq(false),
-	); err != nil {
-		h.logger.Warnf("find caches: %v", err)
-	} else {
-		for _, cache := range caches {
-			h.storage.Remove(cache.ID)
-			if err := db.Delete(cache.ID, cache); err != nil {
-				h.logger.Warnf("delete cache: %v", err)
-				continue
-			}
-			h.logger.Infof("deleted cache: %+v", cache)
-		}
-	}
-
-	// Remove the old caches which have not been used recently.
-	caches = caches[:0]
-	if err := db.Find(&caches, bolthold.
-		Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix()),
-	); err != nil {
-		h.logger.Warnf("find caches: %v", err)
-	} else {
-		for _, cache := range caches {
-			h.storage.Remove(cache.ID)
-			if err := db.Delete(cache.ID, cache); err != nil {
-				h.logger.Warnf("delete cache: %v", err)
-				continue
-			}
-			h.logger.Infof("deleted cache: %+v", cache)
-		}
-	}
-
-	// Remove the old caches which are too old.
-	caches = caches[:0]
-	if err := db.Find(&caches, bolthold.
-		Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix()),
-	); err != nil {
-		h.logger.Warnf("find caches: %v", err)
-	} else {
-		for _, cache := range caches {
-			h.storage.Remove(cache.ID)
-			if err := db.Delete(cache.ID, cache); err != nil {
-				h.logger.Warnf("delete cache: %v", err)
-				continue
-			}
-			h.logger.Infof("deleted cache: %+v", cache)
-		}
-	}
-
-	// Remove the old caches with the same key and version within the same
-	// repository, keep the latest one. Aggregation must include Repo so two
-	// repos that happen to share a (key, version) do not evict each other —
-	// otherwise per-repo scoping holds for reads but one repo can age
-	// another out after keepOld.
-	// Also keep the olds which have been used recently for a while in case of the cache is still in use.
-	if results, err := db.FindAggregate(
-		&Cache{},
-		bolthold.Where("Complete").Eq(true),
-		"Repo", "Key", "Version",
-	); err != nil {
-		h.logger.Warnf("find aggregate caches: %v", err)
-	} else {
-		for _, result := range results {
-			if result.Count() <= 1 {
-				continue
-			}
-			result.Sort("CreatedAt")
-			caches = caches[:0]
-			result.Reduction(&caches)
-			for _, cache := range caches[:len(caches)-1] {
-				if time.Since(time.Unix(cache.UsedAt, 0)) < keepOld {
-					// Keep it since it has been used recently, even if it's old.
-					// Or it could break downloading in process.
-					continue
-				}
-				h.storage.Remove(cache.ID)
-				if err := db.Delete(cache.ID, cache); err != nil {
-					h.logger.Warnf("delete cache: %v", err)
-					continue
-				}
-				h.logger.Infof("deleted cache: %+v", cache)
-			}
-		}
-	}
-}
-
-func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int, v ...any) {
-	w.Header().Set("Content-Type", "application/json; charset=utf-8")
-	var data []byte
-	if len(v) == 0 || v[0] == nil {
-		data, _ = json.Marshal(struct{}{})
-	} else if err, ok := v[0].(error); ok {
-		h.logger.Errorf("%v %v: %v", r.Method, r.URL.Path, err)
-		data, _ = json.Marshal(map[string]any{
-			"error": err.Error(),
-		})
-	} else {
-		data, _ = json.Marshal(v[0])
-	}
-	w.WriteHeader(code)
-	_, _ = w.Write(data)
-}
-
-func parseContentRange(s string) (int64, int64, error) {
-	// support the format like "bytes 11-22/*" only
-	s, _, _ = strings.Cut(strings.TrimPrefix(s, "bytes "), "/")
-	s1, s2, _ := strings.Cut(s, "-")
-
-	start, err := strconv.ParseInt(s1, 10, 64)
-	if err != nil {
-		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
-	}
-	stop, err := strconv.ParseInt(s2, 10, 64)
-	if err != nil {
-		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
-	}
-	return start, stop, nil
-}
--- a/act/artifactcache/handler_test.go
+++ b/act/artifactcache/handler_test.go
--- a/act/artifacts/server_test.go
+++ b/act/artifacts/server_test.go
@@ -1,444 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2021 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package artifacts
-
-import (
-	"bytes"
-	"compress/gzip"
-	"encoding/json"
-	"fmt"
-	"io"
-	"maps"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"testing/fstest"
-	"time"
-
-	"github.com/julienschmidt/httprouter"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-type writableMapFile struct {
-	fstest.MapFile
-}
-
-func (f *writableMapFile) Write(data []byte) (int, error) {
-	f.Data = data
-	return len(data), nil
-}
-
-func (f *writableMapFile) Close() error {
-	return nil
-}
-
-type writeMapFS struct {
-	fstest.MapFS
-}
-
-func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
-	file := &writableMapFile{
-		MapFile: fstest.MapFile{
-			Data: []byte("content2"),
-		},
-	}
-	fsys.MapFS[name] = &file.MapFile
-
-	return file, nil
-}
-
-func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
-	file := &writableMapFile{
-		MapFile: fstest.MapFile{
-			Data: []byte("content2"),
-		},
-	}
-	fsys.MapFS[name] = &file.MapFile
-
-	return file, nil
-}
-
-func TestNewArtifactUploadPrepare(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
-
-	router := httprouter.New()
-	uploads(router, "artifact/server/path", writeMapFS{memfs})
-
-	req, _ := http.NewRequest(http.MethodPost, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.Fail("Wrong status")
-	}
-
-	response := FileContainerResourceURL{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Equal("http://localhost/upload/1", response.FileContainerResourceURL)
-}
-
-func TestArtifactUploadBlob(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
-
-	router := httprouter.New()
-	uploads(router, "artifact/server/path", writeMapFS{memfs})
-
-	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.Fail("Wrong status")
-	}
-
-	response := ResponseMessage{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Equal("success", response.Message)
-	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
-}
-
-func TestFinalizeArtifactUpload(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
-
-	router := httprouter.New()
-	uploads(router, "artifact/server/path", writeMapFS{memfs})
-
-	req, _ := http.NewRequest(http.MethodPatch, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.Fail("Wrong status")
-	}
-
-	response := ResponseMessage{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Equal("success", response.Message)
-}
-
-func TestListArtifacts(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{
-		"artifact/server/path/1/file.txt": {
-			Data: []byte(""),
-		},
-	})
-
-	router := httprouter.New()
-	downloads(router, "artifact/server/path", memfs)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
-	}
-
-	response := NamedFileContainerResourceURLResponse{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Equal(1, response.Count)
-	assert.Equal("file.txt", response.Value[0].Name)
-	assert.Equal("http://localhost/download/1", response.Value[0].FileContainerResourceURL)
-}
-
-func TestListArtifactContainer(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{
-		"artifact/server/path/1/some/file": {
-			Data: []byte(""),
-		},
-	})
-
-	router := httprouter.New()
-	downloads(router, "artifact/server/path", memfs)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://localhost/download/1?itemPath=some/file", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
-	}
-
-	response := ContainerItemResponse{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Len(response.Value, 1)
-	assert.Equal("some/file", response.Value[0].Path)
-	assert.Equal("file", response.Value[0].ItemType)
-	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
-}
-
-func TestDownloadArtifactFile(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{
-		"artifact/server/path/1/some/file": {
-			Data: []byte("content"),
-		},
-	})
-
-	router := httprouter.New()
-	downloads(router, "artifact/server/path", memfs)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/1/some/file", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
-	}
-
-	data := rr.Body.Bytes()
-
-	assert.Equal("content", string(data))
-}
-
-// TestArtifactFlow drives the real Serve() artifact server over a loopback socket, exercising
-// the same upload -> finalize -> list -> download protocol the upload-artifact/download-artifact
-// actions speak. Running it in-process (rather than from a job container) keeps it network-free
-// and reachable everywhere, including when the CI job is itself a container.
-func TestArtifactFlow(t *testing.T) {
-	artifactPath := t.TempDir()
-
-	// Serve the exact routes Serve() wires up, on a real loopback socket via httptest. httptest
-	// picks a free port and Close() tears the server down synchronously — avoiding both the
-	// port-rebind race and Serve()'s detached ListenAndServe goroutine, which logger.Fatal()s
-	// (process exit) on a bind error and can outlive the test's temp-dir cleanup.
-	router := httprouter.New()
-	fsys := readWriteFSImpl{}
-	uploads(router, artifactPath, fsys)
-	downloads(router, artifactPath, fsys)
-	server := httptest.NewServer(router)
-	defer server.Close()
-
-	baseURL := server.URL
-	client := server.Client()
-	client.Timeout = 5 * time.Second
-
-	// request performs one HTTP call and returns the status and body. The default transport adds
-	// Accept-Encoding: gzip and transparently decompresses, so gzipped downloads come back plain.
-	request := func(t *testing.T, method, rawURL string, body io.Reader, header http.Header) (int, []byte) {
-		t.Helper()
-		req, err := http.NewRequest(method, rawURL, body)
-		require.NoError(t, err)
-		maps.Copy(req.Header, header)
-		resp, err := client.Do(req)
-		require.NoError(t, err)
-		defer resp.Body.Close()
-		data, err := io.ReadAll(resp.Body)
-		require.NoError(t, err)
-		return resp.StatusCode, data
-	}
-
-	t.Run("upload-and-download", func(t *testing.T) {
-		const runID, item, content = "1", "my-artifact/data.txt", "hello artifact\n"
-
-		status, data := request(t, http.MethodPost, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-		var prep FileContainerResourceURL
-		require.NoError(t, json.Unmarshal(data, &prep))
-		require.Equal(t, baseURL+"/upload/"+runID, prep.FileContainerResourceURL)
-
-		status, data = request(t, http.MethodPut, prep.FileContainerResourceURL+"?itemPath="+url.QueryEscape(item), strings.NewReader(content), nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-		var msg ResponseMessage
-		require.NoError(t, json.Unmarshal(data, &msg))
-		require.Equal(t, "success", msg.Message)
-
-		status, data = request(t, http.MethodPatch, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-
-		status, data = request(t, http.MethodGet, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-		var list NamedFileContainerResourceURLResponse
-		require.NoError(t, json.Unmarshal(data, &list))
-		require.Equal(t, 1, list.Count)
-		require.Equal(t, "my-artifact", list.Value[0].Name)
-
-		status, data = request(t, http.MethodGet, list.Value[0].FileContainerResourceURL+"?itemPath=my-artifact", nil, nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-		var items ContainerItemResponse
-		require.NoError(t, json.Unmarshal(data, &items))
-		require.Len(t, items.Value, 1)
-		require.Equal(t, "file", items.Value[0].ItemType)
-		require.Equal(t, "my-artifact/data.txt", items.Value[0].Path)
-
-		status, data = request(t, http.MethodGet, items.Value[0].ContentLocation, nil, nil)
-		require.Equal(t, http.StatusOK, status)
-		require.Equal(t, content, string(data))
-
-		stored, err := os.ReadFile(filepath.Join(artifactPath, runID, "my-artifact", "data.txt"))
-		require.NoError(t, err)
-		require.Equal(t, content, string(stored))
-	})
-
-	t.Run("gzip-roundtrip", func(t *testing.T) {
-		const runID, item, content = "2", "logs/app.log", "compressed payload\n"
-
-		var buf bytes.Buffer
-		gz := gzip.NewWriter(&buf)
-		_, err := gz.Write([]byte(content))
-		require.NoError(t, err)
-		require.NoError(t, gz.Close())
-
-		status, data := request(t, http.MethodPut, baseURL+"/upload/"+runID+"?itemPath="+url.QueryEscape(item),
-			&buf, http.Header{"Content-Encoding": []string{"gzip"}})
-		require.Equal(t, http.StatusOK, status, string(data))
-
-		// stored compressed, with the server's gzip marker suffix
-		_, err = os.Stat(filepath.Join(artifactPath, runID, "logs", "app.log.gz__"))
-		require.NoError(t, err)
-
-		status, data = request(t, http.MethodGet, baseURL+"/download/"+runID+"?itemPath=logs", nil, nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-		var items ContainerItemResponse
-		require.NoError(t, json.Unmarshal(data, &items))
-		require.Len(t, items.Value, 1)
-		require.Equal(t, "logs/app.log", items.Value[0].Path)
-
-		status, data = request(t, http.MethodGet, items.Value[0].ContentLocation, nil, nil)
-		require.Equal(t, http.StatusOK, status)
-		require.Equal(t, content, string(data))
-	})
-
-	// GHSL-2023-004: an itemPath that climbs out of the run directory must be neutralised so the
-	// blob cannot be written outside the artifact root.
-	t.Run("GHSL-2023-004", func(t *testing.T) {
-		const runID, content = "3", "contained\n"
-
-		status, data := request(t, http.MethodPut, baseURL+"/upload/"+runID+"?itemPath="+url.QueryEscape("../../escape.txt"),
-			strings.NewReader(content), nil)
-		require.Equal(t, http.StatusOK, status, string(data))
-
-		stored, err := os.ReadFile(filepath.Join(artifactPath, runID, "escape.txt"))
-		require.NoError(t, err)
-		require.Equal(t, content, string(stored))
-
-		_, err = os.Stat(filepath.Join(filepath.Dir(artifactPath), "escape.txt"))
-		require.True(t, os.IsNotExist(err), "upload escaped the artifact root")
-
-		status, data = request(t, http.MethodGet, baseURL+"/artifact/"+runID+"/escape.txt", nil, nil)
-		require.Equal(t, http.StatusOK, status)
-		require.Equal(t, content, string(data))
-	})
-}
-
-func TestMkdirFsImplSafeResolve(t *testing.T) {
-	assert := assert.New(t)
-
-	baseDir := "/foo/bar"
-
-	tests := map[string]struct {
-		input string
-		want  string
-	}{
-		"simple":         {input: "baz", want: "/foo/bar/baz"},
-		"nested":         {input: "baz/blue", want: "/foo/bar/baz/blue"},
-		"dots in middle": {input: "baz/../../blue", want: "/foo/bar/blue"},
-		"leading dots":   {input: "../../parent", want: "/foo/bar/parent"},
-		"root path":      {input: "/root", want: "/foo/bar/root"},
-		"root":           {input: "/", want: "/foo/bar"},
-		"empty":          {input: "", want: "/foo/bar"},
-	}
-
-	for name, tc := range tests {
-		t.Run(name, func(t *testing.T) {
-			assert.Equal(tc.want, safeResolve(baseDir, tc.input))
-		})
-	}
-}
-
-func TestDownloadArtifactFileUnsafePath(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{
-		"artifact/server/path/some/file": {
-			Data: []byte("content"),
-		},
-	})
-
-	router := httprouter.New()
-	downloads(router, "artifact/server/path", memfs)
-
-	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/2/../../some/file", nil)
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
-	}
-
-	data := rr.Body.Bytes()
-
-	assert.Equal("content", string(data))
-}
-
-func TestArtifactUploadBlobUnsafePath(t *testing.T) {
-	assert := assert.New(t)
-
-	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
-
-	router := httprouter.New()
-	uploads(router, "artifact/server/path", writeMapFS{memfs})
-
-	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
-	rr := httptest.NewRecorder()
-
-	router.ServeHTTP(rr, req)
-
-	if status := rr.Code; status != http.StatusOK {
-		assert.Fail("Wrong status")
-	}
-
-	response := ResponseMessage{}
-	err := json.Unmarshal(rr.Body.Bytes(), &response)
-	if err != nil {
-		panic(err)
-	}
-
-	assert.Equal("success", response.Message)
-	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
-}
--- a/act/common/executor_max_parallel_test.go
+++ b/act/common/executor_max_parallel_test.go
@@ -1,89 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package common
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-// Simple fast test that verifies max-parallel: 2 limits concurrency
-func TestMaxParallel2Quick(t *testing.T) {
-	ctx := context.Background()
-
-	var currentRunning atomic.Int32
-	var maxSimultaneous atomic.Int32
-
-	executors := make([]Executor, 4)
-	for i := range 4 {
-		executors[i] = func(ctx context.Context) error {
-			current := currentRunning.Add(1)
-
-			// Update max if needed
-			for {
-				maxValue := maxSimultaneous.Load()
-				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
-					break
-				}
-			}
-
-			time.Sleep(10 * time.Millisecond)
-			currentRunning.Add(-1)
-			return nil
-		}
-	}
-
-	err := NewParallelExecutor(2, executors...)(ctx)
-
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.LessOrEqual(t, maxSimultaneous.Load(), int32(2),
-		"Should not exceed max-parallel: 2")
-}
-
-// Test that verifies max-parallel: 1 enforces sequential execution
-func TestMaxParallel1Sequential(t *testing.T) {
-	ctx := context.Background()
-
-	var currentRunning atomic.Int32
-	var maxSimultaneous atomic.Int32
-	var executionOrder []int
-	var orderMutex sync.Mutex
-
-	executors := make([]Executor, 5)
-	for i := range 5 {
-		taskID := i
-		executors[i] = func(ctx context.Context) error {
-			current := currentRunning.Add(1)
-
-			// Track execution order
-			orderMutex.Lock()
-			executionOrder = append(executionOrder, taskID)
-			orderMutex.Unlock()
-
-			// Update max if needed
-			for {
-				maxValue := maxSimultaneous.Load()
-				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
-					break
-				}
-			}
-
-			time.Sleep(20 * time.Millisecond)
-			currentRunning.Add(-1)
-			return nil
-		}
-	}
-
-	err := NewParallelExecutor(1, executors...)(ctx)
-
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, int32(1), maxSimultaneous.Load(),
-		"max-parallel: 1 should only run 1 task at a time")
-	assert.Len(t, executionOrder, 5, "All 5 tasks should have executed")
-}
--- a/act/common/executor_parallel_advanced_test.go
+++ b/act/common/executor_parallel_advanced_test.go
@@ -1,221 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package common
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-// TestMaxParallelJobExecution tests actual job execution with max-parallel
-func TestMaxParallelJobExecution(t *testing.T) {
-	t.Run("MaxParallel=1 Sequential", func(t *testing.T) {
-		var currentRunning atomic.Int32
-		var maxConcurrent int32
-		var executionOrder []int
-		var mu sync.Mutex
-
-		executors := make([]Executor, 5)
-		for i := range 5 {
-			taskID := i
-			executors[i] = func(ctx context.Context) error {
-				current := currentRunning.Add(1)
-
-				// Track max concurrent
-				for {
-					maxValue := atomic.LoadInt32(&maxConcurrent)
-					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
-						break
-					}
-				}
-
-				mu.Lock()
-				executionOrder = append(executionOrder, taskID)
-				mu.Unlock()
-
-				time.Sleep(10 * time.Millisecond)
-				currentRunning.Add(-1)
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		err := NewParallelExecutor(1, executors...)(ctx)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		assert.Equal(t, int32(1), maxConcurrent, "Should never exceed 1 concurrent execution")
-		assert.Len(t, executionOrder, 5, "All tasks should execute")
-	})
-
-	t.Run("MaxParallel=3 Limited", func(t *testing.T) {
-		var currentRunning atomic.Int32
-		var maxConcurrent int32
-
-		executors := make([]Executor, 10)
-		for i := range 10 {
-			executors[i] = func(ctx context.Context) error {
-				current := currentRunning.Add(1)
-
-				for {
-					maxValue := atomic.LoadInt32(&maxConcurrent)
-					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
-						break
-					}
-				}
-
-				time.Sleep(20 * time.Millisecond)
-				currentRunning.Add(-1)
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		err := NewParallelExecutor(3, executors...)(ctx)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		assert.LessOrEqual(t, int(maxConcurrent), 3, "Should never exceed 3 concurrent executions")
-		assert.GreaterOrEqual(t, int(maxConcurrent), 1, "Should have at least 1 concurrent execution")
-	})
-
-	t.Run("MaxParallel=0 Uses1Worker", func(t *testing.T) {
-		var maxConcurrent int32
-		var currentRunning atomic.Int32
-
-		executors := make([]Executor, 5)
-		for i := range 5 {
-			executors[i] = func(ctx context.Context) error {
-				current := currentRunning.Add(1)
-
-				for {
-					maxValue := atomic.LoadInt32(&maxConcurrent)
-					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
-						break
-					}
-				}
-
-				time.Sleep(10 * time.Millisecond)
-				currentRunning.Add(-1)
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		// When maxParallel is 0 or negative, it defaults to 1
-		err := NewParallelExecutor(0, executors...)(ctx)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		assert.Equal(t, int32(1), maxConcurrent, "Should use 1 worker when max-parallel is 0")
-	})
-}
-
-// TestMaxParallelWithErrors tests error handling with max-parallel
-func TestMaxParallelWithErrors(t *testing.T) {
-	t.Run("OneTaskFailsOthersContinue", func(t *testing.T) {
-		var successCount int32
-
-		executors := make([]Executor, 5)
-		for i := range 5 {
-			taskID := i
-			executors[i] = func(ctx context.Context) error {
-				if taskID == 2 {
-					return assert.AnError
-				}
-				atomic.AddInt32(&successCount, 1)
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		err := NewParallelExecutor(2, executors...)(ctx)
-
-		// Should return the error from task 2
-		assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		// Other tasks should still execute
-		assert.Equal(t, int32(4), successCount, "4 tasks should succeed")
-	})
-
-	t.Run("ContextCancellation", func(t *testing.T) {
-		ctx, cancel := context.WithCancel(context.Background())
-
-		var startedCount int32
-		executors := make([]Executor, 10)
-		for i := range 10 {
-			executors[i] = func(ctx context.Context) error {
-				atomic.AddInt32(&startedCount, 1)
-				time.Sleep(100 * time.Millisecond)
-				return nil
-			}
-		}
-
-		// Cancel after a short delay
-		go func() {
-			time.Sleep(30 * time.Millisecond)
-			cancel()
-		}()
-
-		err := NewParallelExecutor(3, executors...)(ctx)
-		assert.Error(t, err)                     //nolint:testifylint // pre-existing issue from nektos/act
-		assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
-
-		// Not all tasks should start due to cancellation (but timing may vary)
-		// Just verify cancellation occurred
-		t.Logf("Started %d tasks before cancellation", startedCount)
-	})
-}
-
-// TestMaxParallelResourceSharing tests resource sharing scenarios
-func TestMaxParallelResourceSharing(t *testing.T) {
-	t.Run("SharedResourceWithMutex", func(t *testing.T) {
-		var sharedCounter int
-		var mu sync.Mutex
-
-		executors := make([]Executor, 100)
-		for i := range 100 {
-			executors[i] = func(ctx context.Context) error {
-				mu.Lock()
-				sharedCounter++
-				mu.Unlock()
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		err := NewParallelExecutor(10, executors...)(ctx)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		assert.Equal(t, 100, sharedCounter, "All tasks should increment counter")
-	})
-
-	t.Run("ChannelCommunication", func(t *testing.T) {
-		resultChan := make(chan int, 50)
-
-		executors := make([]Executor, 50)
-		for i := range 50 {
-			taskID := i
-			executors[i] = func(ctx context.Context) error {
-				resultChan <- taskID
-				return nil
-			}
-		}
-
-		ctx := context.Background()
-		err := NewParallelExecutor(5, executors...)(ctx)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-		close(resultChan)
-
-		results := make(map[int]bool)
-		for result := range resultChan {
-			results[result] = true
-		}
-
-		assert.Len(t, results, 50, "All task IDs should be received")
-	})
-}
--- a/act/common/executor_test.go
+++ b/act/common/executor_test.go
@@ -1,172 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2020 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package common
-
-import (
-	"context"
-	"errors"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestNewWorkflow(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx := context.Background()
-
-	// empty
-	emptyWorkflow := NewPipelineExecutor()
-	assert.NoError(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
-
-	// error case
-	errorWorkflow := NewErrorExecutor(errors.New("test error"))
-	assert.Error(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
-
-	// multiple success case
-	runcount := 0
-	successWorkflow := NewPipelineExecutor(
-		func(ctx context.Context) error {
-			runcount++
-			return nil
-		},
-		func(ctx context.Context) error {
-			runcount++
-			return nil
-		})
-	assert.NoError(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(2, runcount)
-}
-
-func TestNewConditionalExecutor(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx := context.Background()
-
-	trueCount := 0
-	falseCount := 0
-
-	err := NewConditionalExecutor(func(ctx context.Context) bool {
-		return false
-	}, func(ctx context.Context) error {
-		trueCount++
-		return nil
-	}, func(ctx context.Context) error {
-		falseCount++
-		return nil
-	})(ctx)
-
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(0, trueCount)
-	assert.Equal(1, falseCount)
-
-	err = NewConditionalExecutor(func(ctx context.Context) bool {
-		return true
-	}, func(ctx context.Context) error {
-		trueCount++
-		return nil
-	}, func(ctx context.Context) error {
-		falseCount++
-		return nil
-	})(ctx)
-
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(1, trueCount)
-	assert.Equal(1, falseCount)
-}
-
-func TestNewParallelExecutor(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx := context.Background()
-
-	var count, activeCount, maxCount atomic.Int32
-	emptyWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
-		count.Add(1)
-
-		active := activeCount.Add(1)
-		for {
-			m := maxCount.Load()
-			if active <= m || maxCount.CompareAndSwap(m, active) {
-				break
-			}
-		}
-		time.Sleep(2 * time.Second)
-		activeCount.Add(-1)
-
-		return nil
-	})
-
-	err := NewParallelExecutor(2, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
-
-	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
-	assert.Equal(int32(2), maxCount.Load(), "should run at most 2 executors in parallel")
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	// Reset to test running the executor with 0 parallelism
-	count.Store(0)
-	activeCount.Store(0)
-	maxCount.Store(0)
-
-	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
-
-	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
-	assert.Equal(int32(1), maxCount.Load(), "should run at most 1 executors in parallel")
-	assert.NoError(errSingle)
-}
-
-func TestNewParallelExecutorEmpty(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx := context.Background()
-	require.NoError(t, NewParallelExecutor(2)(ctx))
-
-	canceledCtx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	err := NewParallelExecutor(2)(canceledCtx)
-	assert.ErrorIs(err, context.Canceled)
-}
-
-func TestNewParallelExecutorFailed(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	count := 0
-	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
-		count++
-		return errors.New("fake error")
-	})
-	err := NewParallelExecutor(1, errorWorkflow)(ctx)
-	assert.Equal(1, count)
-	assert.ErrorIs(context.Canceled, err)
-}
-
-func TestNewParallelExecutorCanceled(t *testing.T) {
-	assert := assert.New(t)
-
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	errExpected := errors.New("fake error")
-
-	var count atomic.Int32
-	successWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
-		count.Add(1)
-		return nil
-	})
-	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
-		count.Add(1)
-		return errExpected
-	})
-	err := NewParallelExecutor(3, errorWorkflow, successWorkflow, successWorkflow)(ctx)
-	assert.Equal(int32(3), count.Load())
-	assert.Error(errExpected, err) //nolint:testifylint // pre-existing issue from nektos/act
-}
--- a/act/common/git/git_test.go
+++ b/act/common/git/git_test.go
@@ -1,420 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package git
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"sync"
-	"syscall"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestFindGitSlug(t *testing.T) {
-	assert := assert.New(t)
-
-	slugTests := []struct {
-		url      string // input
-		provider string // expected result
-		slug     string // expected result
-	}{
-		{"https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name", "CodeCommit", "my-repo-name"},
-		{"ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/my-repo", "CodeCommit", "my-repo"},
-		{"git@github.com:nektos/act.git", "GitHub", "nektos/act"},
-		{"git@github.com:nektos/act", "GitHub", "nektos/act"},
-		{"https://github.com/nektos/act.git", "GitHub", "nektos/act"},
-		{"http://github.com/nektos/act.git", "GitHub", "nektos/act"},
-		{"https://github.com/nektos/act", "GitHub", "nektos/act"},
-		{"http://github.com/nektos/act", "GitHub", "nektos/act"},
-		{"git+ssh://git@github.com/owner/repo.git", "GitHub", "owner/repo"},
-		{"http://myotherrepo.com/act.git", "", "http://myotherrepo.com/act.git"},
-	}
-
-	for _, tt := range slugTests {
-		provider, slug, err := findGitSlug(tt.url, "github.com")
-
-		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-		assert.Equal(tt.provider, provider)
-		assert.Equal(tt.slug, slug)
-	}
-}
-
-func cleanGitHooks(dir string) error {
-	hooksDir := filepath.Join(dir, ".git", "hooks")
-	files, err := os.ReadDir(hooksDir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-	for _, f := range files {
-		if f.IsDir() {
-			continue
-		}
-		relName := filepath.Join(hooksDir, f.Name())
-		if err := os.Remove(relName); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func TestFindGitRemoteURL(t *testing.T) {
-	assert := assert.New(t)
-
-	basedir := t.TempDir()
-	err := gitCmd("init", basedir)
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	err = cleanGitHooks(basedir)
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	remoteURL := "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name"
-	err = gitCmd("-C", basedir, "remote", "add", "origin", remoteURL)
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	u, err := findGitRemoteURL(context.Background(), basedir, "origin")
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(remoteURL, u)
-
-	remoteURL = "git@github.com/AwesomeOwner/MyAwesomeRepo.git"
-	err = gitCmd("-C", basedir, "remote", "add", "upstream", remoteURL)
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	u, err = findGitRemoteURL(context.Background(), basedir, "upstream")
-	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(remoteURL, u)
-}
-
-func TestGitFindRef(t *testing.T) {
-	basedir := t.TempDir()
-
-	for name, tt := range map[string]struct {
-		Prepare func(t *testing.T, dir string)
-		Assert  func(t *testing.T, ref string, err error)
-	}{
-		"new_repo": {
-			Prepare: func(t *testing.T, dir string) {},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.Error(t, err)
-			},
-		},
-		"new_repo_with_commit": {
-			Prepare: func(t *testing.T, dir string) {
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
-			},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.NoError(t, err)
-				require.Equal(t, "refs/heads/master", ref)
-			},
-		},
-		"current_head_is_tag": {
-			Prepare: func(t *testing.T, dir string) {
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "commit msg"))
-				require.NoError(t, gitCmd("-C", dir, "tag", "v1.2.3"))
-				require.NoError(t, gitCmd("-C", dir, "checkout", "v1.2.3"))
-			},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.NoError(t, err)
-				require.Equal(t, "refs/tags/v1.2.3", ref)
-			},
-		},
-		"current_head_is_same_as_tag": {
-			Prepare: func(t *testing.T, dir string) {
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "1.4.2 release"))
-				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
-			},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.NoError(t, err)
-				require.Equal(t, "refs/tags/v1.4.2", ref)
-			},
-		},
-		"current_head_is_not_tag": {
-			Prepare: func(t *testing.T, dir string) {
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
-				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg2"))
-			},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.NoError(t, err)
-				require.Equal(t, "refs/heads/master", ref)
-			},
-		},
-		"current_head_is_another_branch": {
-			Prepare: func(t *testing.T, dir string) {
-				require.NoError(t, gitCmd("-C", dir, "checkout", "-b", "mybranch"))
-				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
-			},
-			Assert: func(t *testing.T, ref string, err error) {
-				require.NoError(t, err)
-				require.Equal(t, "refs/heads/mybranch", ref)
-			},
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			dir := filepath.Join(basedir, name)
-			require.NoError(t, os.MkdirAll(dir, 0o755))
-			require.NoError(t, gitCmd("-C", dir, "init", "--initial-branch=master"))
-			require.NoError(t, cleanGitHooks(dir))
-			tt.Prepare(t, dir)
-			ref, err := FindGitRef(context.Background(), dir)
-			tt.Assert(t, ref, err)
-		})
-	}
-}
-
-func TestGitCloneExecutor(t *testing.T) {
-	// Build a local bare "remote" so this runs offline and fast. The cases below mirror
-	// the tag/branch/sha/short-sha ref paths the executor handles, formerly exercised by
-	// cloning actions/checkout and anchore/scan-action over the network.
-	remoteDir := t.TempDir()
-	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
-
-	workDir := t.TempDir()
-	require.NoError(t, gitCmd("clone", remoteDir, workDir))
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
-	require.NoError(t, gitCmd("-C", workDir, "tag", "v2"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "v2"))
-
-	// A branch with a dash in the name (mirrors the historical scan-action@act-fails case).
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "act-fails"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "branch-commit"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "act-fails"))
-
-	out, err := exec.Command("git", "-C", workDir, "rev-parse", "main").Output()
-	require.NoError(t, err)
-	fullSha := strings.TrimSpace(string(out))
-
-	for name, tt := range map[string]struct {
-		Err error
-		Ref string
-	}{
-		"tag": {
-			Err: nil,
-			Ref: "v2",
-		},
-		"branch": {
-			Err: nil,
-			Ref: "act-fails",
-		},
-		"sha": {
-			Err: nil,
-			Ref: fullSha,
-		},
-		"short-sha": {
-			Err: &Error{ErrShortRef, fullSha},
-			Ref: fullSha[:7],
-		},
-	} {
-		t.Run(name, func(t *testing.T) {
-			clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
-				URL: remoteDir,
-				Ref: tt.Ref,
-				Dir: t.TempDir(),
-			})
-
-			err := clone(context.Background())
-			if tt.Err != nil {
-				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-				assert.Equal(t, tt.Err, err)
-			} else {
-				assert.Empty(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-			}
-		})
-	}
-}
-
-func TestGitCloneExecutorNonFastForwardRef(t *testing.T) {
-	// Simulate the scenario where a remote ref (e.g. a GitHub PR head ref) changes
-	// non-fast-forward between two fetches. Before the fix, the fetch used Force=false,
-	// causing go-git to return ErrForceNeeded and short-circuit the checkout.
-
-	// Create a bare "remote" repo with an initial commit on main and a feature branch.
-	remoteDir := t.TempDir()
-	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
-
-	// We need a working clone to push commits from.
-	workDir := t.TempDir()
-	require.NoError(t, gitCmd("clone", remoteDir, workDir))
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
-
-	// Create a feature branch (simulates refs/pull/N/head).
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-1"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "feature"))
-
-	// First clone via the executor — should succeed and cache the repo.
-	cloneDir := t.TempDir()
-	clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
-		URL: remoteDir,
-		Ref: "main",
-		Dir: cloneDir,
-	})
-	require.NoError(t, clone(context.Background()))
-
-	// Now force-push the feature branch to a non-fast-forward commit (simulates
-	// a PR rebase). This makes refs/heads/feature non-fast-forward.
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "branch", "-D", "feature"))
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-rewritten"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "--force", "origin", "feature"))
-
-	// Also advance main so we can verify the clone picks up the new commit.
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "second"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "main"))
-
-	// Second clone to the same directory — before the fix this returned ErrForceNeeded
-	// and left the working tree at the old commit.
-	err := clone(context.Background())
-	require.NoError(t, err, "fetch with non-fast-forward refs must not fail when Force=true")
-
-	// Verify the working tree was actually updated to the latest main commit.
-	out, err := exec.Command("git", "-C", cloneDir, "log", "--oneline", "-1", "--format=%s").Output()
-	require.NoError(t, err)
-	assert.Equal(t, "second", strings.TrimSpace(string(out)), "working tree should be at the latest commit")
-}
-
-func TestGitCloneExecutorOfflineMode(t *testing.T) {
-	// Build a local "remote" with a single commit on main.
-	remoteDir := t.TempDir()
-	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
-	workDir := t.TempDir()
-	require.NoError(t, gitCmd("clone", remoteDir, workDir))
-	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
-	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
-	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
-
-	// Prime the cache with an online clone of main.
-	cacheDir := t.TempDir()
-	require.NoError(t, NewGitCloneExecutor(NewGitCloneExecutorInput{
-		URL: remoteDir,
-		Ref: "main",
-		Dir: cacheDir,
-	})(context.Background()))
-
-	t.Run("cached branch resolves without fetching", func(t *testing.T) {
-		// Offline reuse of a cached branch must succeed even though ResolveRevision(input.Ref)
-		// finds no local refs/heads/<ref>.
-		err := NewGitCloneExecutor(NewGitCloneExecutorInput{
-			URL:         remoteDir,
-			Ref:         "main",
-			Dir:         cacheDir,
-			OfflineMode: true,
-		})(context.Background())
-		require.NoError(t, err)
-
-		out, err := exec.Command("git", "-C", cacheDir, "log", "--oneline", "-1", "--format=%s").Output()
-		require.NoError(t, err)
-		assert.Equal(t, "initial", strings.TrimSpace(string(out)))
-	})
-
-	t.Run("unresolvable cached ref returns error", func(t *testing.T) {
-		// The ref was never cached; offline mode cannot resolve it and must return an error.
-		err := NewGitCloneExecutor(NewGitCloneExecutorInput{
-			URL:         remoteDir,
-			Ref:         "never-fetched",
-			Dir:         cacheDir,
-			OfflineMode: true,
-		})(context.Background())
-		require.Error(t, err)
-	})
-}
-
-func gitCmd(args ...string) error {
-	cmd := exec.Command("git", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	// Inject a deterministic identity and ignore the host's global/system config so commits
-	// succeed regardless of the host having no user.name/user.email (e.g. CI, GITHUB_ACTIONS
-	// unset) or a global commit.gpgsign, and without mutating the developer's ~/.gitconfig.
-	cmd.Env = append(os.Environ(),
-		"GIT_AUTHOR_NAME=Unit Test",
-		"GIT_AUTHOR_EMAIL=test@test.com",
-		"GIT_COMMITTER_NAME=Unit Test",
-		"GIT_COMMITTER_EMAIL=test@test.com",
-		"GIT_CONFIG_GLOBAL=/dev/null",
-		"GIT_CONFIG_SYSTEM=/dev/null",
-	)
-
-	err := cmd.Run()
-	if exitError, ok := err.(*exec.ExitError); ok {
-		if waitStatus, ok := exitError.Sys().(syscall.WaitStatus); ok {
-			return fmt.Errorf("Exit error %d", waitStatus.ExitStatus())
-		}
-		return exitError
-	}
-	return nil
-}
-
-func TestAcquireCloneLock(t *testing.T) {
-	t.Run("same directory serializes", func(t *testing.T) {
-		dir := t.TempDir()
-
-		unlock1 := AcquireCloneLock(dir)
-
-		secondAcquired := make(chan struct{})
-		go func() {
-			unlock := AcquireCloneLock(dir)
-			close(secondAcquired)
-			unlock()
-		}()
-
-		select {
-		case <-secondAcquired:
-			t.Fatal("second acquire should block while first holds the lock")
-		case <-time.After(50 * time.Millisecond):
-		}
-
-		unlock1()
-
-		select {
-		case <-secondAcquired:
-		case <-time.After(time.Second):
-			t.Fatal("second acquire should proceed after first releases the lock")
-		}
-	})
-
-	t.Run("different directories do not block", func(t *testing.T) {
-		dirA := t.TempDir()
-		dirB := t.TempDir()
-
-		unlockA := AcquireCloneLock(dirA)
-		defer unlockA()
-
-		done := make(chan struct{})
-		go func() {
-			unlock := AcquireCloneLock(dirB)
-			unlock()
-			close(done)
-		}()
-
-		select {
-		case <-done:
-		case <-time.After(time.Second):
-			t.Fatal("acquire on a different directory must not block")
-		}
-	})
-
-	t.Run("same directory reuses the same mutex", func(t *testing.T) {
-		dir := t.TempDir()
-
-		v1, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
-		v2, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
-		require.Same(t, v1, v2)
-	})
-}
--- a/act/common/job_error.go
+++ b/act/common/job_error.go
@@ -1,34 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// Copyright 2021 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package common
-
-import (
-	"context"
-)
-
-type jobErrorContextKey string
-
-const jobErrorContextKeyVal = jobErrorContextKey("job.error")
-
-// JobError returns the job error for current context if any
-func JobError(ctx context.Context) error {
-	val := ctx.Value(jobErrorContextKeyVal)
-	if val != nil {
-		if container, ok := val.(map[string]error); ok {
-			return container["error"]
-		}
-	}
-	return nil
-}
-
-func SetJobError(ctx context.Context, err error) {
-	ctx.Value(jobErrorContextKeyVal).(map[string]error)["error"] = err
-}
-
-// WithJobErrorContainer adds a value to the context as a container for an error
-func WithJobErrorContainer(ctx context.Context) context.Context {
-	container := map[string]error{}
-	return context.WithValue(ctx, jobErrorContextKeyVal, container)
-}
--- a/act/common/logger.go
+++ b/act/common/logger.go
@@ -1,52 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2020 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package common
-
-import (
-	"context"
-
-	"github.com/sirupsen/logrus"
-)
-
-type loggerContextKey string
-
-const loggerContextKeyVal = loggerContextKey("logrus.FieldLogger")
-
-// Logger returns the appropriate logger for current context
-func Logger(ctx context.Context) logrus.FieldLogger {
-	val := ctx.Value(loggerContextKeyVal)
-	if val != nil {
-		if logger, ok := val.(logrus.FieldLogger); ok {
-			return logger
-		}
-	}
-	return logrus.StandardLogger()
-}
-
-// WithLogger adds a value to the context for the logger
-func WithLogger(ctx context.Context, logger logrus.FieldLogger) context.Context {
-	return context.WithValue(ctx, loggerContextKeyVal, logger)
-}
-
-type loggerHookKey string
-
-const loggerHookKeyVal = loggerHookKey("logrus.Hook")
-
-// LoggerHook returns the appropriate logger hook for current context
-// the hook affects job logger, not global logger
-func LoggerHook(ctx context.Context) logrus.Hook {
-	val := ctx.Value(loggerHookKeyVal)
-	if val != nil {
-		if hook, ok := val.(logrus.Hook); ok {
-			return hook
-		}
-	}
-	return nil
-}
-
-// WithLoggerHook adds a value to the context for the logger hook
-func WithLoggerHook(ctx context.Context, hook logrus.Hook) context.Context {
-	return context.WithValue(ctx, loggerHookKeyVal, hook)
-}
--- a/act/container/docker_auth.go
+++ b/act/container/docker_auth.go
@@ -1,71 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2021 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
-
-package container
-
-import (
-	"context"
-
-	"gitea.com/gitea/runner/act/common"
-
-	"github.com/distribution/reference"
-	"github.com/docker/cli/cli/config"
-	"github.com/moby/moby/api/types/registry"
-)
-
-func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
-	logger := common.Logger(ctx)
-	// config.LoadDefaultConfigFile panics on nil io.Writer when the config
-	// file is malformed; use config.Load to route errors through the logger.
-	cfg, err := config.Load(config.Dir())
-	if err != nil {
-		logger.Warnf("Could not load docker config: %v", err)
-		return registry.AuthConfig{}, err
-	}
-	registryKey := registryAuthConfigKey("docker.io")
-	if image != "" {
-		if registryRef, refErr := reference.ParseNormalizedNamed(image); refErr != nil {
-			logger.Warnf("Could not normalize image reference: %v", refErr)
-		} else {
-			registryKey = registryAuthConfigKey(reference.Domain(registryRef))
-		}
-	}
-
-	authConfig, err := cfg.GetAuthConfig(registryKey)
-	if err != nil {
-		logger.Warnf("Could not get auth config from docker config: %v", err)
-		return registry.AuthConfig{}, err
-	}
-
-	return registry.AuthConfig(authConfig), nil
-}
-
-func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
-	logger := common.Logger(ctx)
-	cfg, err := config.Load(config.Dir())
-	if err != nil {
-		logger.Warnf("Could not load docker config: %v", err)
-		return nil
-	}
-	creds, err := cfg.GetAllCredentials()
-	if err != nil {
-		logger.Warnf("Could not get docker auth configs: %v", err)
-		return nil
-	}
-	authConfigs := make(map[string]registry.AuthConfig, len(creds))
-	for k, v := range creds {
-		authConfigs[k] = registry.AuthConfig(v)
-	}
-
-	return authConfigs
-}
-
-func registryAuthConfigKey(domainName string) string {
-	if domainName == "docker.io" || domainName == "index.docker.io" {
-		return "https://index.docker.io/v1/"
-	}
-	return domainName
-}
--- a/act/container/docker_images_test.go
+++ b/act/container/docker_images_test.go
@@ -1,69 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2020 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"os/exec"
-	"strings"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func init() {
-	log.SetLevel(log.DebugLevel)
-}
-
-// buildScratchImage builds a tiny empty image for the given platform locally (FROM scratch, no
-// network or emulation since there is nothing to run) and returns its tag, removing it after
-// the test.
-func buildScratchImage(t *testing.T, platform string) string {
-	t.Helper()
-	tag := fmt.Sprintf("act-test-exists-%s:latest", strings.TrimPrefix(platform, "linux/"))
-	cmd := exec.Command("docker", "build", "--platform", platform, "-t", tag, "-")
-	cmd.Stdin = strings.NewReader("FROM scratch\nLABEL act-test=1\n")
-	// Force BuildKit: it records the requested architecture in the image config for a
-	// FROM-scratch build, whereas the classic builder ignores --platform and tags it with the
-	// host arch, which would break the per-platform existence assertions below.
-	cmd.Env = append(os.Environ(), "DOCKER_BUILDKIT=1")
-	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, string(out))
-	t.Cleanup(func() { _ = exec.Command("docker", "rmi", "-f", tag).Run() })
-	return tag
-}
-
-func TestImageExistsLocally(t *testing.T) {
-	requireDocker(t)
-	ctx := context.Background()
-
-	// a non-existent image is reported absent
-	missing, err := ImageExistsLocally(ctx, "library/alpine:this-random-tag-will-never-exist", "linux/amd64")
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.False(t, missing)
-
-	// Build tiny images for two architectures locally so per-platform existence can be checked
-	// offline (formerly pulled node:24-bookworm-slim for amd64 and arm64 over the network).
-	amd64Ref := buildScratchImage(t, "linux/amd64")
-	arm64Ref := buildScratchImage(t, "linux/arm64")
-
-	amd64Exists, err := ImageExistsLocally(ctx, amd64Ref, "linux/amd64")
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.True(t, amd64Exists)
-
-	// a non-host architecture image is detected for its own architecture
-	arm64Exists, err := ImageExistsLocally(ctx, arm64Ref, "linux/arm64")
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.True(t, arm64Exists)
-
-	// a present image is reported absent for a different platform
-	wrongPlatform, err := ImageExistsLocally(ctx, amd64Ref, "linux/arm64")
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.False(t, wrongPlatform)
-}
--- a/act/container/docker_platform.go
+++ b/act/container/docker_platform.go
@@ -1,39 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// Copyright 2025 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
-
-package container
-
-import (
-	"fmt"
-	"strings"
-
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-// parsePlatform parses an "os/arch[/variant]" string into a Platform. An empty input
-// returns (nil, nil), meaning "no platform constraint". A non-empty but malformed
-// string is rejected explicitly so it cannot silently fall through to the daemon's
-// default architecture.
-func parsePlatform(platform string) (*specs.Platform, error) {
-	if platform == "" {
-		return nil, nil //nolint:nilnil // no platform constraint requested
-	}
-
-	parts := strings.Split(platform, "/")
-	if len(parts) < 2 || len(parts) > 3 || parts[0] == "" || parts[1] == "" || (len(parts) == 3 && parts[2] == "") {
-		return nil, fmt.Errorf("invalid platform %q: expected os/arch[/variant]", platform)
-	}
-
-	spec := &specs.Platform{
-		OS:           strings.ToLower(parts[0]),
-		Architecture: strings.ToLower(parts[1]),
-	}
-	if len(parts) == 3 {
-		spec.Variant = strings.ToLower(parts[2])
-	}
-
-	return spec, nil
-}
--- a/act/container/docker_platform_test.go
+++ b/act/container/docker_platform_test.go
@@ -1,63 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestParsePlatform(t *testing.T) {
-	t.Run("empty input returns nil platform without error", func(t *testing.T) {
-		got, err := parsePlatform("")
-		require.NoError(t, err)
-		assert.Nil(t, got)
-	})
-
-	t.Run("os/arch", func(t *testing.T) {
-		got, err := parsePlatform("linux/amd64")
-		require.NoError(t, err)
-		require.NotNil(t, got)
-		assert.Equal(t, "linux", got.OS)
-		assert.Equal(t, "amd64", got.Architecture)
-		assert.Empty(t, got.Variant)
-	})
-
-	t.Run("os/arch/variant", func(t *testing.T) {
-		got, err := parsePlatform("linux/arm/v7")
-		require.NoError(t, err)
-		require.NotNil(t, got)
-		assert.Equal(t, "linux", got.OS)
-		assert.Equal(t, "arm", got.Architecture)
-		assert.Equal(t, "v7", got.Variant)
-	})
-
-	t.Run("input is lowercased", func(t *testing.T) {
-		got, err := parsePlatform("Linux/AMD64/V8")
-		require.NoError(t, err)
-		require.NotNil(t, got)
-		assert.Equal(t, "linux", got.OS)
-		assert.Equal(t, "amd64", got.Architecture)
-		assert.Equal(t, "v8", got.Variant)
-	})
-
-	for _, bad := range []string{
-		"amd64",
-		"linux",
-		"linux/",
-		"/amd64",
-		"/",
-		"//",
-		"linux/arm/",
-		"linux/arm/v7/extra",
-	} {
-		t.Run("rejects "+bad, func(t *testing.T) {
-			got, err := parsePlatform(bad)
-			require.Error(t, err)
-			assert.Nil(t, got)
-		})
-	}
-}
--- a/act/container/docker_run_test.go
+++ b/act/container/docker_run_test.go
@@ -1,551 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2020 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"errors"
-	"io"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-
-	"gitea.com/gitea/runner/act/common"
-
-	cerrdefs "github.com/containerd/errdefs"
-	"github.com/moby/moby/api/types/container"
-	mobyclient "github.com/moby/moby/client"
-	"github.com/sirupsen/logrus/hooks/test"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-)
-
-func TestDocker(t *testing.T) {
-	requireDocker(t)
-	ctx := context.Background()
-	client, err := GetDockerClient(ctx)
-	require.NoError(t, err)
-	defer client.Close()
-
-	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
-		ContextDir: "testdata",
-		ImageTag:   "envmergetest",
-	})
-
-	err = dockerBuild(ctx)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	cr := &containerReference{
-		cli: client,
-		input: &NewContainerInput{
-			Image: "envmergetest",
-		},
-	}
-	env := map[string]string{
-		"PATH":         "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin",
-		"RANDOM_VAR":   "WITH_VALUE",
-		"ANOTHER_VAR":  "",
-		"CONFLICT_VAR": "I_EXIST_IN_MULTIPLE_PLACES",
-	}
-
-	envExecutor := cr.extractFromImageEnv(&env)
-	err = envExecutor(ctx)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, map[string]string{
-		"PATH":            "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/this/path/does/not/exists/anywhere:/this/either",
-		"RANDOM_VAR":      "WITH_VALUE",
-		"ANOTHER_VAR":     "",
-		"SOME_RANDOM_VAR": "",
-		"ANOTHER_ONE":     "BUT_I_HAVE_VALUE",
-		"CONFLICT_VAR":    "I_EXIST_IN_MULTIPLE_PLACES",
-	}, env)
-}
-
-type mockDockerClient struct {
-	mobyclient.APIClient
-	mock.Mock
-}
-
-func (m *mockDockerClient) ExecCreate(ctx context.Context, id string, opts mobyclient.ExecCreateOptions) (mobyclient.ExecCreateResult, error) {
-	args := m.Called(ctx, id, opts)
-	return args.Get(0).(mobyclient.ExecCreateResult), args.Error(1)
-}
-
-func (m *mockDockerClient) ExecAttach(ctx context.Context, id string, opts mobyclient.ExecAttachOptions) (mobyclient.ExecAttachResult, error) {
-	args := m.Called(ctx, id, opts)
-	return args.Get(0).(mobyclient.ExecAttachResult), args.Error(1)
-}
-
-func (m *mockDockerClient) ExecInspect(ctx context.Context, execID string, opts mobyclient.ExecInspectOptions) (mobyclient.ExecInspectResult, error) {
-	args := m.Called(ctx, execID, opts)
-	return args.Get(0).(mobyclient.ExecInspectResult), args.Error(1)
-}
-
-func (m *mockDockerClient) ContainerWait(ctx context.Context, containerID string, opts mobyclient.ContainerWaitOptions) mobyclient.ContainerWaitResult {
-	args := m.Called(ctx, containerID, opts)
-	return args.Get(0).(mobyclient.ContainerWaitResult)
-}
-
-func (m *mockDockerClient) CopyToContainer(ctx context.Context, id string, options mobyclient.CopyToContainerOptions) (mobyclient.CopyToContainerResult, error) {
-	args := m.Called(ctx, id, options)
-	return args.Get(0).(mobyclient.CopyToContainerResult), args.Error(1)
-}
-
-func (m *mockDockerClient) ContainerInspect(ctx context.Context, id string, opts mobyclient.ContainerInspectOptions) (mobyclient.ContainerInspectResult, error) {
-	args := m.Called(ctx, id, opts)
-	return args.Get(0).(mobyclient.ContainerInspectResult), args.Error(1)
-}
-
-func (m *mockDockerClient) ContainerList(ctx context.Context, opts mobyclient.ContainerListOptions) (mobyclient.ContainerListResult, error) {
-	args := m.Called(ctx, opts)
-	return args.Get(0).(mobyclient.ContainerListResult), args.Error(1)
-}
-
-type endlessReader struct {
-	io.Reader
-}
-
-func (r endlessReader) Read(_ []byte) (n int, err error) {
-	return 1, nil
-}
-
-type mockConn struct {
-	net.Conn
-	mock.Mock
-}
-
-func (m *mockConn) Write(b []byte) (n int, err error) {
-	args := m.Called(b)
-	return args.Int(0), args.Error(1)
-}
-
-func (m *mockConn) Close() (err error) {
-	return nil
-}
-
-func TestDockerExecAbort(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-
-	conn := &mockConn{}
-	conn.On("Write", mock.AnythingOfType("[]uint8")).Return(1, nil)
-
-	client := &mockDockerClient{}
-	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
-	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
-		HijackedResponse: mobyclient.HijackedResponse{
-			Conn:   conn,
-			Reader: bufio.NewReader(endlessReader{}),
-		},
-	}, nil)
-
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	channel := make(chan error)
-
-	go func() {
-		channel <- cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
-	}()
-
-	time.Sleep(500 * time.Millisecond)
-
-	cancel()
-
-	err := <-channel
-	assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
-
-	conn.AssertExpectations(t)
-	client.AssertExpectations(t)
-}
-
-func TestDockerExecFailure(t *testing.T) {
-	ctx := context.Background()
-
-	conn := &mockConn{}
-
-	client := &mockDockerClient{}
-	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
-	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
-		HijackedResponse: mobyclient.HijackedResponse{
-			Conn:   conn,
-			Reader: bufio.NewReader(strings.NewReader("output")),
-		},
-	}, nil)
-	client.On("ExecInspect", ctx, "id", mobyclient.ExecInspectOptions{}).Return(mobyclient.ExecInspectResult{
-		ExitCode: 1,
-	}, nil)
-
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	err := cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
-	var exitErr ExitCodeError
-	require.ErrorAs(t, err, &exitErr)
-	assert.Equal(t, ExitCodeError(1), exitErr)
-	assert.Equal(t, "Process completed with exit code 1.", err.Error())
-
-	conn.AssertExpectations(t)
-	client.AssertExpectations(t)
-}
-
-func TestDockerWaitFailure(t *testing.T) {
-	ctx := context.Background()
-
-	statusCh := make(chan container.WaitResponse, 1)
-	statusCh <- container.WaitResponse{StatusCode: 2}
-	errCh := make(chan error, 1)
-
-	client := &mockDockerClient{}
-	client.On("ContainerWait", ctx, "123", mobyclient.ContainerWaitOptions{Condition: container.WaitConditionNotRunning}).
-		Return(mobyclient.ContainerWaitResult{
-			Result: (<-chan container.WaitResponse)(statusCh),
-			Error:  (<-chan error)(errCh),
-		})
-
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	err := cr.wait()(ctx)
-	var exitErr ExitCodeError
-	require.ErrorAs(t, err, &exitErr)
-	assert.Equal(t, ExitCodeError(2), exitErr)
-	assert.Equal(t, "Process completed with exit code 2.", err.Error())
-
-	client.AssertExpectations(t)
-}
-
-func TestDockerCopyTarStream(t *testing.T) {
-	ctx := context.Background()
-
-	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/" && opts.Content != nil
-	})).Return(mobyclient.CopyToContainerResult{}, nil)
-	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
-	})).Return(mobyclient.CopyToContainerResult{}, nil)
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	_ = cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
-
-	client.AssertExpectations(t)
-}
-
-func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
-	ctx := context.Background()
-
-	merr := errors.New("Failure")
-
-	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/" && opts.Content != nil
-	})).Return(mobyclient.CopyToContainerResult{}, merr)
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
-	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
-
-	client.AssertExpectations(t)
-}
-
-func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
-	ctx := context.Background()
-
-	merr := errors.New("Failure")
-
-	client := &mockDockerClient{}
-	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/" && opts.Content != nil
-	})).Return(mobyclient.CopyToContainerResult{}, nil)
-	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
-	})).Return(mobyclient.CopyToContainerResult{}, merr)
-	cr := &containerReference{
-		id:  "123",
-		cli: client,
-		input: &NewContainerInput{
-			Image: "image",
-		},
-	}
-
-	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
-	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
-
-	client.AssertExpectations(t)
-}
-
-// find() must drop a stale cached id so later Copy/Exec don't hit the
-// daemon with a torn-down container.
-func TestFindRevalidatesStaleID(t *testing.T) {
-	ctx := context.Background()
-	notFound := cerrdefs.ErrNotFound.WithMessage("No such container")
-	boom := errors.New("daemon unreachable")
-	newCR := func(id string) (*containerReference, *mockDockerClient) {
-		client := &mockDockerClient{}
-		return &containerReference{id: id, cli: client, input: &NewContainerInput{Name: "job-1"}}, client
-	}
-	listOpts := mobyclient.ContainerListOptions{All: true}
-	inspectOpts := mobyclient.ContainerInspectOptions{}
-
-	t.Run("stale id cleared, name lookup empty", func(t *testing.T) {
-		cr, client := newCR("stale")
-		client.On("ContainerInspect", ctx, "stale", inspectOpts).Return(mobyclient.ContainerInspectResult{}, notFound)
-		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{}, nil)
-		require.NoError(t, cr.find()(ctx))
-		assert.Empty(t, cr.id)
-		client.AssertExpectations(t)
-	})
-
-	t.Run("stale id cleared, name lookup repopulates", func(t *testing.T) {
-		cr, client := newCR("stale")
-		client.On("ContainerInspect", ctx, "stale", inspectOpts).Return(mobyclient.ContainerInspectResult{}, notFound)
-		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{Items: []container.Summary{
-			{ID: "other", Names: []string{"/somebody-else"}},
-			{ID: "fresh", Names: []string{"/job-1"}},
-		}}, nil)
-		require.NoError(t, cr.find()(ctx))
-		assert.Equal(t, "fresh", cr.id)
-		client.AssertExpectations(t)
-	})
-
-	t.Run("live id kept", func(t *testing.T) {
-		cr, client := newCR("live")
-		client.On("ContainerInspect", ctx, "live", inspectOpts).Return(mobyclient.ContainerInspectResult{}, nil)
-		require.NoError(t, cr.find()(ctx))
-		assert.Equal(t, "live", cr.id)
-		client.AssertExpectations(t)
-	})
-
-	t.Run("transient inspect error trusts cache", func(t *testing.T) {
-		cr, client := newCR("live")
-		client.On("ContainerInspect", ctx, "live", inspectOpts).Return(mobyclient.ContainerInspectResult{}, boom)
-		require.NoError(t, cr.find()(ctx))
-		assert.Equal(t, "live", cr.id)
-		client.AssertExpectations(t)
-	})
-
-	t.Run("list error propagates", func(t *testing.T) {
-		cr, client := newCR("")
-		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{}, boom)
-		require.ErrorIs(t, cr.find()(ctx), boom)
-		client.AssertExpectations(t)
-	})
-}
-
-// Every daemon entry point fails fast with a clear, container-named
-// error when no live cr.id is known.
-func TestRejectsMissingContainer(t *testing.T) {
-	ctx := context.Background()
-	client := &mockDockerClient{}
-	client.On("ContainerList", ctx, mobyclient.ContainerListOptions{All: true}).Return(mobyclient.ContainerListResult{}, nil)
-	cr := &containerReference{cli: client, input: &NewContainerInput{Name: "job-1"}}
-	check := func(op string, err error) {
-		t.Helper()
-		require.Error(t, err, op)
-		assert.Contains(t, err.Error(), `container "job-1" does not exist`, op)
-	}
-	check("copyContent", cr.copyContent("/var/run/act", &FileEntry{Name: "x", Mode: 0o644})(ctx))
-	check("copyDir", cr.copyDir("/var/run/act", "/src", false)(ctx))
-	check("CopyTarStream", cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{}))
-	check("exec", cr.exec([]string{"echo"}, nil, "", "")(ctx))
-	_, err := cr.GetContainerArchive(ctx, "/var/run/act/x")
-	check("GetContainerArchive", err)
-}
-
-// End-to-end: a stale cr.id is cleared, repopulated from name lookup,
-// and the Copy completes against the fresh id.
-func TestPublicCopyPipelineHandlesStaleID(t *testing.T) {
-	ctx := context.Background()
-	client := &mockDockerClient{}
-	client.On("ContainerInspect", ctx, "stale", mobyclient.ContainerInspectOptions{}).
-		Return(mobyclient.ContainerInspectResult{}, cerrdefs.ErrNotFound.WithMessage("gone"))
-	client.On("ContainerList", ctx, mobyclient.ContainerListOptions{All: true}).
-		Return(mobyclient.ContainerListResult{Items: []container.Summary{
-			{ID: "fresh", Names: []string{"/job-1"}},
-		}}, nil)
-	client.On("CopyToContainer", ctx, "fresh", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
-		return opts.DestinationPath == "/var/run/act"
-	})).Return(mobyclient.CopyToContainerResult{}, nil)
-
-	cr := &containerReference{id: "stale", cli: client, input: &NewContainerInput{Name: "job-1"}}
-	require.NoError(t, cr.Copy("/var/run/act", &FileEntry{Name: "x", Mode: 0o644})(ctx))
-	assert.Equal(t, "fresh", cr.id)
-	client.AssertExpectations(t)
-}
-
-// TestDockerCopyToSymlinkPath is a regression test for gitea/runner#981. Most base images
-// symlink /var/run to /run, so copying into /var/run/act traverses that symlink. The broken
-// docker 29.5.1 daemon fails the extraction with "mkdirat var/run: file exists" (fixed in
-// 29.5.2). Running against the daemon shipped in the dind image, this catches a bad bump.
-func TestDockerCopyToSymlinkPath(t *testing.T) {
-	requireDocker(t)
-	ctx := context.Background()
-
-	rc := NewContainer(&NewContainerInput{
-		Image:      "alpine:latest",
-		Entrypoint: []string{"sleep", "30"},
-		Name:       "act-test-symlink-" + time.Now().Format("20060102150405.000000"),
-		AutoRemove: true,
-	})
-	require.NoError(t, rc.Pull(false)(ctx))
-	require.NoError(t, rc.Create(nil, nil)(ctx))
-	require.NoError(t, rc.Start(false)(ctx))
-	t.Cleanup(func() {
-		_ = rc.Remove()(ctx)
-		_ = rc.Close()(ctx)
-	})
-
-	// CopyTarStream first creates the destination directory by extracting a tar at "/",
-	// which makes the daemon mkdir var, then var/run (the symlink), then act — the exact
-	// step that fails on the broken daemon.
-	err := rc.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
-	require.NoError(t, err)
-}
-
-// Type assert containerReference implements ExecutionsEnvironment
-var _ ExecutionsEnvironment = &containerReference{}
-
-func TestCheckVolumes(t *testing.T) {
-	testCases := []struct {
-		desc          string
-		validVolumes  []string
-		binds         []string
-		expectedBinds []string
-	}{
-		{
-			desc:         "match all volumes",
-			validVolumes: []string{"**"},
-			binds: []string{
-				"shared_volume:/shared_volume",
-				"/home/test/data:/test_data",
-				"/etc/conf.d/base.json:/config/base.json",
-				"sql_data:/sql_data",
-				"/secrets/keys:/keys",
-			},
-			expectedBinds: []string{
-				"shared_volume:/shared_volume",
-				"/home/test/data:/test_data",
-				"/etc/conf.d/base.json:/config/base.json",
-				"sql_data:/sql_data",
-				"/secrets/keys:/keys",
-			},
-		},
-		{
-			desc:         "no volumes can be matched",
-			validVolumes: []string{},
-			binds: []string{
-				"shared_volume:/shared_volume",
-				"/home/test/data:/test_data",
-				"/etc/conf.d/base.json:/config/base.json",
-				"sql_data:/sql_data",
-				"/secrets/keys:/keys",
-			},
-			expectedBinds: []string{},
-		},
-		{
-			desc: "only allowed volumes can be matched",
-			validVolumes: []string{
-				"shared_volume",
-				"/home/test/data",
-				"/etc/conf.d/*.json",
-			},
-			binds: []string{
-				"shared_volume:/shared_volume",
-				"/home/test/data:/test_data",
-				"/etc/conf.d/base.json:/config/base.json",
-				"sql_data:/sql_data",
-				"/secrets/keys:/keys",
-			},
-			expectedBinds: []string{
-				"shared_volume:/shared_volume",
-				"/home/test/data:/test_data",
-				"/etc/conf.d/base.json:/config/base.json",
-			},
-		},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.desc, func(t *testing.T) {
-			logger, _ := test.NewNullLogger()
-			ctx := common.WithLogger(context.Background(), logger)
-			cr := &containerReference{
-				input: &NewContainerInput{
-					ValidVolumes: tc.validVolumes,
-				},
-			}
-			_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{Binds: tc.binds})
-			assert.Equal(t, tc.expectedBinds, hostConf.Binds)
-		})
-	}
-}
-
-func TestCheckVolumesRejectsEscapingHostPaths(t *testing.T) {
-	logger, _ := test.NewNullLogger()
-	ctx := common.WithLogger(context.Background(), logger)
-
-	base := t.TempDir()
-	allowed := filepath.Join(base, "allowed")
-	denied := filepath.Join(base, "denied")
-	require.NoError(t, os.MkdirAll(allowed, 0o700))
-	require.NoError(t, os.MkdirAll(denied, 0o700))
-
-	cr := &containerReference{
-		input: &NewContainerInput{
-			ValidVolumes: []string{filepath.Join(allowed, "**")},
-		},
-	}
-
-	escapingPath := allowed + string(filepath.Separator) + ".." + string(filepath.Separator) + "denied"
-	_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
-		Binds: []string{escapingPath + ":/mnt"},
-	})
-	assert.Empty(t, hostConf.Binds)
-
-	linkPath := filepath.Join(allowed, "link")
-	if err := os.Symlink(denied, linkPath); err != nil {
-		t.Skipf("cannot create symlink: %v", err)
-	}
-	_, hostConf = cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
-		Binds: []string{linkPath + ":/mnt"},
-	})
-	assert.Empty(t, hostConf.Binds)
-
-	_, hostConf = cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
-		Binds: []string{filepath.Join(linkPath, "missing") + ":/mnt"},
-	})
-	assert.Empty(t, hostConf.Binds)
-}
--- a/act/container/helpers_test.go
+++ b/act/container/helpers_test.go
@@ -1,27 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"context"
-	"testing"
-
-	mobyclient "github.com/moby/moby/client"
-)
-
-// requireDocker skips the test unless a reachable docker daemon is available.
-// GetDockerClient succeeds even without a running daemon (its ping is best-effort),
-// so the daemon has to be pinged explicitly here to decide whether to skip.
-func requireDocker(t *testing.T) {
-	t.Helper()
-	ctx := context.Background()
-	cli, err := GetDockerClient(ctx)
-	if err != nil {
-		t.Skipf("skipping: docker client unavailable: %v", err)
-	}
-	defer cli.Close()
-	if _, err := cli.Ping(ctx, mobyclient.PingOptions{}); err != nil {
-		t.Skipf("skipping: docker daemon unreachable: %v", err)
-	}
-}
--- a/act/container/host_environment_test.go
+++ b/act/container/host_environment_test.go
@@ -1,250 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"archive/tar"
-	"bytes"
-	"context"
-	"io"
-	"os"
-	"path"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-
-	"gitea.com/gitea/runner/act/common"
-
-	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// Type assert HostEnvironment implements ExecutionsEnvironment
-var _ ExecutionsEnvironment = &HostEnvironment{}
-
-func TestCopyDir(t *testing.T) {
-	dir := t.TempDir()
-	ctx := context.Background()
-	e := &HostEnvironment{
-		Path:      filepath.Join(dir, "path"),
-		TmpDir:    filepath.Join(dir, "tmp"),
-		ToolCache: filepath.Join(dir, "tool_cache"),
-		ActPath:   filepath.Join(dir, "act_path"),
-		StdOut:    os.Stdout,
-		Workdir:   path.Join("testdata", "scratch"),
-	}
-	_ = os.MkdirAll(e.Path, 0o700)
-	_ = os.MkdirAll(e.TmpDir, 0o700)
-	_ = os.MkdirAll(e.ToolCache, 0o700)
-	_ = os.MkdirAll(e.ActPath, 0o700)
-	err := e.CopyDir(e.Workdir, e.Path, true)(ctx)
-	assert.NoError(t, err)
-}
-
-func TestGetContainerArchive(t *testing.T) {
-	dir := t.TempDir()
-	ctx := context.Background()
-	e := &HostEnvironment{
-		Path:      filepath.Join(dir, "path"),
-		TmpDir:    filepath.Join(dir, "tmp"),
-		ToolCache: filepath.Join(dir, "tool_cache"),
-		ActPath:   filepath.Join(dir, "act_path"),
-		StdOut:    os.Stdout,
-		Workdir:   path.Join("testdata", "scratch"),
-	}
-	_ = os.MkdirAll(e.Path, 0o700)
-	_ = os.MkdirAll(e.TmpDir, 0o700)
-	_ = os.MkdirAll(e.ToolCache, 0o700)
-	_ = os.MkdirAll(e.ActPath, 0o700)
-	expectedContent := []byte("sdde/7sh")
-	err := os.WriteFile(filepath.Join(e.Path, "action.yml"), expectedContent, 0o600)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	archive, err := e.GetContainerArchive(ctx, e.Path)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	defer archive.Close()
-	reader := tar.NewReader(archive)
-	h, err := reader.Next()
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, "action.yml", h.Name)
-	content, err := io.ReadAll(reader)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, expectedContent, content)
-	_, err = reader.Next()
-	assert.ErrorIs(t, err, io.EOF)
-}
-
-func TestHostEnvironmentExecExitCode(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("uses POSIX shell")
-	}
-	dir := t.TempDir()
-	ctx := context.Background()
-	e := &HostEnvironment{
-		Path:      filepath.Join(dir, "path"),
-		TmpDir:    filepath.Join(dir, "tmp"),
-		ToolCache: filepath.Join(dir, "tool_cache"),
-		ActPath:   filepath.Join(dir, "act_path"),
-		StdOut:    io.Discard,
-		Workdir:   filepath.Join(dir, "path"),
-	}
-	for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
-		assert.NoError(t, os.MkdirAll(p, 0o700)) //nolint:testifylint // test setup
-	}
-
-	err := e.Exec([]string{"sh", "-c", "exit 3"}, map[string]string{"PATH": os.Getenv("PATH")}, "", "")(ctx)
-	var exitErr ExitCodeError
-	require.ErrorAs(t, err, &exitErr)
-	assert.Equal(t, ExitCodeError(3), exitErr)
-	assert.Equal(t, "Process completed with exit code 3.", err.Error())
-}
-
-func TestHostEnvironmentAllocatePTY(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("uses POSIX shell")
-	}
-	for _, tc := range []struct {
-		name     string
-		allocPTY bool
-		expect   string
-	}{
-		{name: "off", allocPTY: false, expect: "NOTTY"},
-		{name: "on", allocPTY: true, expect: "TTY"},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			dir := t.TempDir()
-			buf := &bytes.Buffer{}
-			e := &HostEnvironment{
-				Path:        filepath.Join(dir, "path"),
-				TmpDir:      filepath.Join(dir, "tmp"),
-				ToolCache:   filepath.Join(dir, "tool_cache"),
-				ActPath:     filepath.Join(dir, "act_path"),
-				StdOut:      buf,
-				Workdir:     filepath.Join(dir, "path"),
-				AllocatePTY: tc.allocPTY,
-			}
-			for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
-				require.NoError(t, os.MkdirAll(p, 0o700))
-			}
-
-			err := e.Exec(
-				[]string{"sh", "-c", "[ -t 1 ] && printf TTY || printf NOTTY"},
-				map[string]string{"PATH": os.Getenv("PATH")}, "", "",
-			)(context.Background())
-			require.NoError(t, err)
-			got := strings.TrimSpace(strings.ReplaceAll(buf.String(), "\r", ""))
-			assert.Equal(t, tc.expect, got)
-		})
-	}
-}
-
-func TestHostEnvironmentRemovePreservesWorkdirByDefault(t *testing.T) {
-	logger := logrus.New()
-	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
-	base := t.TempDir()
-	miscRoot := filepath.Join(base, "misc")
-	path := filepath.Join(miscRoot, "hostexecutor")
-	require.NoError(t, os.MkdirAll(path, 0o700))
-	workdir := filepath.Join(base, "workspace", "owner", "repo")
-	require.NoError(t, os.MkdirAll(workdir, 0o700))
-
-	e := &HostEnvironment{
-		Path:    path,
-		Workdir: workdir,
-		CleanUp: func() {
-			_ = os.RemoveAll(miscRoot)
-		},
-		StdOut: os.Stdout,
-	}
-	require.NoError(t, e.Remove()(ctx))
-	_, err := os.Stat(workdir)
-	require.NoError(t, err)
-}
-
-func TestHostEnvironmentRemoveCleansWorkdirWhenOwned(t *testing.T) {
-	logger := logrus.New()
-	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
-	base := t.TempDir()
-	miscRoot := filepath.Join(base, "misc")
-	path := filepath.Join(miscRoot, "hostexecutor")
-	require.NoError(t, os.MkdirAll(path, 0o700))
-	workdir := filepath.Join(base, "workspace", "123", "owner", "repo")
-	require.NoError(t, os.MkdirAll(workdir, 0o700))
-
-	e := &HostEnvironment{
-		Path:         path,
-		Workdir:      workdir,
-		CleanWorkdir: true,
-		CleanUp: func() {
-			_ = os.RemoveAll(miscRoot)
-		},
-		StdOut: os.Stdout,
-	}
-	require.NoError(t, e.Remove()(ctx))
-	_, err := os.Stat(workdir)
-	assert.ErrorIs(t, err, os.ErrNotExist)
-}
-
-func TestBuildWindowsWorkspaceKillScript(t *testing.T) {
-	t.Run("single dir", func(t *testing.T) {
-		s := buildWindowsWorkspaceKillScript([]string{`C:\workspace\job1`})
-		assert.Contains(t, s, `$paths = @('C:\workspace\job1')`)
-		// Self-PID guard is essential — without it the script could taskkill
-		// the PowerShell process running it.
-		assert.Contains(t, s, "$selfPid = $PID")
-		assert.Contains(t, s, "$_.ProcessId -eq $selfPid")
-		// Must match both ExecutablePath (binaries from the workspace) and
-		// CommandLine (system binaries invoked with workspace paths in args),
-		// both bounded by dir+separator so a name-prefix sibling is spared.
-		assert.Contains(t, s, `$prefix = $p + '\'`)
-		assert.Contains(t, s, "$_.ExecutablePath.StartsWith($prefix")
-		assert.Contains(t, s, "$_.CommandLine.IndexOf($prefix")
-		// Each matched PID must be tree-killed, not just stopped.
-		assert.Contains(t, s, "taskkill.exe /PID $_.ProcessId /T /F")
-	})
-
-	t.Run("multiple dirs comma-separated", func(t *testing.T) {
-		s := buildWindowsWorkspaceKillScript([]string{
-			`C:\work\path`,
-			`C:\work\workdir`,
-			`C:\Users\runner\AppData\Local\Temp\job-42`,
-		})
-		assert.Contains(t, s, `'C:\work\path'`)
-		assert.Contains(t, s, `'C:\work\workdir'`)
-		assert.Contains(t, s, `'C:\Users\runner\AppData\Local\Temp\job-42'`)
-		// Commas between entries — no trailing comma, no leading comma.
-		assert.Contains(t, s, `'C:\work\path','C:\work\workdir',`)
-	})
-
-	t.Run("path with single quote is escaped", func(t *testing.T) {
-		// In PowerShell single-quoted strings the only special char is the
-		// quote itself, escaped by doubling. A workspace path that ever
-		// contained `'` would inject a command into the script otherwise.
-		s := buildWindowsWorkspaceKillScript([]string{`C:\work\it's\path`})
-		assert.Contains(t, s, `'C:\work\it''s\path'`)
-		// And it must NOT appear unescaped — otherwise the quote would
-		// terminate the literal early.
-		assert.NotContains(t, s, `'C:\work\it's\path'`)
-	})
-
-	t.Run("path with wildcard metacharacters is matched literally", func(t *testing.T) {
-		// A path containing [ ] ? * must be embedded verbatim and matched with
-		// ordinal String methods, not -like, otherwise the metacharacters would
-		// be interpreted as wildcards and the leftover process could escape.
-		s := buildWindowsWorkspaceKillScript([]string{`C:\work\[job]?1`})
-		assert.Contains(t, s, `'C:\work\[job]?1'`)
-		assert.NotContains(t, s, "-like")
-		assert.Contains(t, s, "StartsWith")
-		assert.Contains(t, s, "IndexOf")
-	})
-
-	t.Run("empty dir list still produces a valid script", func(t *testing.T) {
-		s := buildWindowsWorkspaceKillScript(nil)
-		// Empty array literal — script runs, matches nothing, is a no-op.
-		assert.Contains(t, s, "$paths = @()")
-		assert.Contains(t, s, "Get-CimInstance Win32_Process")
-	})
-}
--- a/act/container/parse_env_file_test.go
+++ b/act/container/parse_env_file_test.go
@@ -1,75 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"bufio"
-	"context"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func newTestHostEnv(t *testing.T) (*HostEnvironment, string) {
-	t.Helper()
-	e := &HostEnvironment{Path: t.TempDir()}
-	return e, filepath.Join(e.Path, "envfile")
-}
-
-func TestParseEnvFileSingleLine(t *testing.T) {
-	e, envPath := newTestHostEnv(t)
-	require.NoError(t, os.WriteFile(envPath, []byte("FOO=bar\nBAZ=qux\n"), 0o600))
-
-	env := map[string]string{}
-	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
-	assert.Equal(t, "bar", env["FOO"])
-	assert.Equal(t, "qux", env["BAZ"])
-}
-
-func TestParseEnvFileMultiLine(t *testing.T) {
-	e, envPath := newTestHostEnv(t)
-	content := "FOO<<EOF\nline1\nline2\nEOF\n"
-	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
-
-	env := map[string]string{}
-	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
-	assert.Equal(t, "line1\nline2", env["FOO"])
-}
-
-func TestParseEnvFileLargeValueWithinLimit(t *testing.T) {
-	e, envPath := newTestHostEnv(t)
-	big := strings.Repeat("x", 2*1024*1024)
-	content := "FOO<<EOF\n" + big + "\nEOF\n"
-	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
-
-	env := map[string]string{}
-	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
-	assert.Equal(t, big, env["FOO"])
-}
-
-func TestParseEnvFileLineExceedsBufferReportsScannerError(t *testing.T) {
-	e, envPath := newTestHostEnv(t)
-	tooBig := strings.Repeat("x", 17*1024*1024) // over the 16 MiB cap
-	content := "FOO<<EOF\n" + tooBig + "\nEOF\n"
-	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
-
-	env := map[string]string{}
-	err := parseEnvFile(e, envPath, &env)(context.Background())
-	require.ErrorIs(t, err, bufio.ErrTooLong)
-	assert.Contains(t, err.Error(), "reading env file")
-}
-
-func TestParseEnvFileMissingDelimiter(t *testing.T) {
-	e, envPath := newTestHostEnv(t)
-	require.NoError(t, os.WriteFile(envPath, []byte("FOO<<EOF\nline1\nline2\n"), 0o600))
-
-	env := map[string]string{}
-	err := parseEnvFile(e, envPath, &env)(context.Background())
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "delimiter")
-}
--- a/act/container/process_other.go
+++ b/act/container/process_other.go
@@ -1,19 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-//go:build !windows
-
-package container
-
-import "os"
-
-// processKiller is a no-op on non-Windows platforms. The Job Object based
-// tree-kill is only wired in on Windows (see exec()); elsewhere the default
-// exec.CommandContext cancellation and Setpgid handling apply.
-type processKiller struct{}
-
-func newProcessKiller(_ *os.Process) (*processKiller, error) { return &processKiller{}, nil }
-
-func (k *processKiller) Kill() error { return nil }
-
-func (k *processKiller) Close() error { return nil }
--- a/act/container/process_windows.go
+++ b/act/container/process_windows.go
@@ -1,71 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"os"
-
-	"golang.org/x/sys/windows"
-)
-
-// processKiller terminates a step process together with its entire descendant
-// tree via a Windows Job Object.
-//
-// Background: a step often launches a process tree (a shell that starts a
-// child which in turn spawns further GUI or background processes). The default
-// exec.CommandContext cancellation only kills the direct child, so cancelling a
-// job left the rest of the tree running. Because those orphans inherited the
-// step's stdout/stderr pipe, cmd.Wait() also blocked forever and the runner hung.
-//
-// Assigning the step process to a Job Object lets us kill the whole tree
-// atomically on cancellation (TerminateJobObject), which also closes the
-// inherited pipe handles so cmd.Wait() can return.
-type processKiller struct {
-	job windows.Handle
-}
-
-// newProcessKiller creates a Job Object and assigns p (an already-started
-// process) to it. Children spawned by p afterwards are automatically part of
-// the job. The job does NOT use JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE, so closing
-// the handle on normal completion does not kill legitimate background
-// processes; the tree is only torn down by an explicit Kill (cancellation).
-func newProcessKiller(p *os.Process) (*processKiller, error) {
-	job, err := windows.CreateJobObject(nil, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	h, err := windows.OpenProcess(windows.PROCESS_SET_QUOTA|windows.PROCESS_TERMINATE, false, uint32(p.Pid))
-	if err != nil {
-		windows.CloseHandle(job)
-		return nil, err
-	}
-	defer windows.CloseHandle(h)
-
-	if err := windows.AssignProcessToJobObject(job, h); err != nil {
-		windows.CloseHandle(job)
-		return nil, err
-	}
-
-	return &processKiller{job: job}, nil
-}
-
-// Kill terminates every process currently assigned to the job (the step process
-// and all of its descendants).
-func (k *processKiller) Kill() error {
-	if k == nil || k.job == 0 {
-		return nil
-	}
-	return windows.TerminateJobObject(k.job, 1)
-}
-
-// Close releases the job handle. It does not terminate the processes.
-func (k *processKiller) Close() error {
-	if k == nil || k.job == 0 {
-		return nil
-	}
-	h := k.job
-	k.job = 0
-	return windows.CloseHandle(h)
-}
--- a/act/container/process_windows_test.go
+++ b/act/container/process_windows_test.go
@@ -1,78 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package container
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/windows"
-)
-
-// processAlive reports whether pid refers to a still-running process.
-func processAlive(pid int) bool {
-	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
-	if err != nil {
-		return false
-	}
-	defer windows.CloseHandle(h)
-	var code uint32
-	if err := windows.GetExitCodeProcess(h, &code); err != nil {
-		return false
-	}
-	const stillActive = 259 // STILL_ACTIVE
-	return code == stillActive
-}
-
-// TestProcessKillerKillsTree verifies that a process assigned to the Job Object
-// is terminated together with a child it spawns afterwards. This mirrors a step
-// that launches a child which spawns further processes, where cancelling the
-// job must take down the whole tree, not just the direct child.
-func TestProcessKillerKillsTree(t *testing.T) {
-	dir := t.TempDir()
-	pidFile := filepath.Join(dir, "child.pid")
-
-	// Parent powershell spawns a detached, long-lived child powershell (writing
-	// its PID to a file) and then sleeps. The child is launched AFTER the parent
-	// has been assigned to the job, so it must be captured by the job too.
-	script := fmt.Sprintf(
-		`$c = Start-Process powershell -PassThru -ArgumentList '-NoProfile','-Command','Start-Sleep -Seconds 600'; `+
-			`Set-Content -LiteralPath %q -Value $c.Id; Start-Sleep -Seconds 600`, pidFile)
-	cmd := exec.Command("powershell.exe", "-NoProfile", "-Command", script)
-	require.NoError(t, cmd.Start())
-	t.Cleanup(func() { _ = cmd.Process.Kill() })
-
-	killer, err := newProcessKiller(cmd.Process)
-	require.NoError(t, err)
-	defer killer.Close()
-
-	// Wait for the child PID to be reported.
-	var childPID int
-	require.Eventually(t, func() bool {
-		b, e := os.ReadFile(pidFile)
-		if e != nil {
-			return false
-		}
-		s := strings.TrimSpace(string(b))
-		if s == "" {
-			return false
-		}
-		childPID, _ = strconv.Atoi(s)
-		return childPID > 0 && processAlive(childPID)
-	}, 20*time.Second, 200*time.Millisecond, "child process should start")
-
-	// Killing the job must terminate both the parent and the detached child.
-	require.NoError(t, killer.Kill())
-
-	require.Eventually(t, func() bool {
-		return !processAlive(cmd.Process.Pid) && !processAlive(childPID)
-	}, 20*time.Second, 200*time.Millisecond, "parent and child should both be terminated")
-}
--- a/act/exprparser/functions.go
+++ b/act/exprparser/functions.go
@@ -1,300 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package exprparser
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strconv"
-	"strings"
-
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
-	"github.com/rhysd/actionlint"
-)
-
-func (impl *interperterImpl) contains(search, item reflect.Value) (bool, error) {
-	switch search.Kind() {
-	case reflect.String, reflect.Int, reflect.Float64, reflect.Bool, reflect.Invalid:
-		return strings.Contains(
-			strings.ToLower(impl.coerceToString(search).String()),
-			strings.ToLower(impl.coerceToString(item).String()),
-		), nil
-
-	case reflect.Slice:
-		for i := 0; i < search.Len(); i++ {
-			arrayItem := search.Index(i).Elem()
-			result, err := impl.compareValues(arrayItem, item, actionlint.CompareOpNodeKindEq)
-			if err != nil {
-				return false, err
-			}
-
-			if isEqual, ok := result.(bool); ok && isEqual {
-				return true, nil
-			}
-		}
-	}
-
-	return false, nil
-}
-
-func (impl *interperterImpl) startsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	return strings.HasPrefix(
-		strings.ToLower(impl.coerceToString(searchString).String()),
-		strings.ToLower(impl.coerceToString(searchValue).String()),
-	), nil
-}
-
-func (impl *interperterImpl) endsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	return strings.HasSuffix(
-		strings.ToLower(impl.coerceToString(searchString).String()),
-		strings.ToLower(impl.coerceToString(searchValue).String()),
-	), nil
-}
-
-const (
-	passThrough = iota
-	bracketOpen
-	bracketClose
-)
-
-func (impl *interperterImpl) format(str reflect.Value, replaceValue ...reflect.Value) (string, error) {
-	input := impl.coerceToString(str).String()
-	var output strings.Builder
-	replacementIndex := ""
-
-	state := passThrough
-	for _, character := range input {
-		switch state {
-		case passThrough: // normal buffer output
-			switch character {
-			case '{':
-				state = bracketOpen
-
-			case '}':
-				state = bracketClose
-
-			default:
-				output.WriteRune(character)
-			}
-
-		case bracketOpen: // found {
-			switch character {
-			case '{':
-				output.WriteString("{")
-				replacementIndex = ""
-				state = passThrough
-
-			case '}':
-				index, err := strconv.ParseInt(replacementIndex, 10, 32)
-				if err != nil {
-					return "", fmt.Errorf("The following format string is invalid: '%s'", input)
-				}
-
-				replacementIndex = ""
-
-				if len(replaceValue) <= int(index) {
-					return "", fmt.Errorf("The following format string references more arguments than were supplied: '%s'", input)
-				}
-
-				output.WriteString(impl.coerceToString(replaceValue[index]).String())
-
-				state = passThrough
-
-			default:
-				replacementIndex += string(character)
-			}
-
-		case bracketClose: // found }
-			switch character {
-			case '}':
-				output.WriteString("}")
-				replacementIndex = ""
-				state = passThrough
-
-			default:
-				panic("Invalid format parser state")
-			}
-		}
-	}
-
-	if state != passThrough {
-		switch state {
-		case bracketOpen:
-			return "", fmt.Errorf("Unclosed brackets. The following format string is invalid: '%s'", input)
-
-		case bracketClose:
-			return "", fmt.Errorf("Closing bracket without opening one. The following format string is invalid: '%s'", input)
-		}
-	}
-
-	return output.String(), nil
-}
-
-func (impl *interperterImpl) join(array, sep reflect.Value) (string, error) { //nolint:unparam // pre-existing issue from nektos/act
-	separator := impl.coerceToString(sep).String()
-	switch array.Kind() {
-	case reflect.Slice:
-		var items []string
-		for i := 0; i < array.Len(); i++ {
-			items = append(items, impl.coerceToString(array.Index(i).Elem()).String())
-		}
-
-		return strings.Join(items, separator), nil
-	default:
-		return strings.Join([]string{impl.coerceToString(array).String()}, separator), nil
-	}
-}
-
-func (impl *interperterImpl) toJSON(value reflect.Value) (string, error) {
-	if value.Kind() == reflect.Invalid {
-		return "null", nil
-	}
-
-	json, err := json.MarshalIndent(value.Interface(), "", "  ")
-	if err != nil {
-		return "", fmt.Errorf("Cannot convert value to JSON. Cause: %v", err)
-	}
-
-	return string(json), nil
-}
-
-func (impl *interperterImpl) fromJSON(value reflect.Value) (any, error) {
-	if value.Kind() != reflect.String {
-		return nil, fmt.Errorf("Cannot parse non-string type %v as JSON", value.Kind())
-	}
-
-	var data any
-
-	err := json.Unmarshal([]byte(value.String()), &data)
-	if err != nil {
-		return nil, fmt.Errorf("Invalid JSON: %v", err)
-	}
-
-	return data, nil
-}
-
-func (impl *interperterImpl) hashFiles(paths ...reflect.Value) (string, error) {
-	var ps []gitignore.Pattern
-
-	const cwdPrefix = "." + string(filepath.Separator)
-	const excludeCwdPrefix = "!" + cwdPrefix
-	for _, path := range paths {
-		if path.Kind() == reflect.String {
-			cleanPath := path.String()
-			if strings.HasPrefix(cleanPath, cwdPrefix) {
-				cleanPath = cleanPath[len(cwdPrefix):]
-			} else if strings.HasPrefix(cleanPath, excludeCwdPrefix) {
-				cleanPath = "!" + cleanPath[len(excludeCwdPrefix):]
-			}
-			ps = append(ps, gitignore.ParsePattern(cleanPath, nil))
-		} else {
-			return "", errors.New("Non-string path passed to hashFiles")
-		}
-	}
-
-	matcher := gitignore.NewMatcher(ps)
-
-	var files []string
-	if err := filepath.Walk(impl.config.WorkingDir, func(path string, fi fs.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		sansPrefix := strings.TrimPrefix(path, impl.config.WorkingDir+string(filepath.Separator))
-		parts := strings.Split(sansPrefix, string(filepath.Separator))
-		if fi.IsDir() || !matcher.Match(parts, fi.IsDir()) {
-			return nil
-		}
-		files = append(files, path)
-		return nil
-	}); err != nil {
-		return "", fmt.Errorf("Unable to filepath.Walk: %v", err)
-	}
-
-	if len(files) == 0 {
-		return "", nil
-	}
-
-	hasher := sha256.New()
-
-	for _, file := range files {
-		f, err := os.Open(file)
-		if err != nil {
-			return "", fmt.Errorf("Unable to os.Open: %v", err)
-		}
-
-		if _, err := io.Copy(hasher, f); err != nil {
-			return "", fmt.Errorf("Unable to io.Copy: %v", err)
-		}
-
-		if err := f.Close(); err != nil {
-			return "", fmt.Errorf("Unable to Close file: %v", err)
-		}
-	}
-
-	return hex.EncodeToString(hasher.Sum(nil)), nil
-}
-
-func (impl *interperterImpl) getNeedsTransitive(job *model.Job) []string {
-	needs := job.Needs()
-
-	for _, need := range needs {
-		parentNeeds := impl.getNeedsTransitive(impl.config.Run.Workflow.GetJob(need))
-		needs = append(needs, parentNeeds...)
-	}
-
-	return needs
-}
-
-func (impl *interperterImpl) always() (bool, error) {
-	return true, nil
-}
-
-func (impl *interperterImpl) jobSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	jobs := impl.config.Run.Workflow.Jobs
-	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
-
-	for _, needs := range jobNeeds {
-		if jobs[needs].Result != "success" {
-			return false, nil
-		}
-	}
-
-	return true, nil
-}
-
-func (impl *interperterImpl) stepSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	return impl.env.Job.Status == "success", nil
-}
-
-func (impl *interperterImpl) jobFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	jobs := impl.config.Run.Workflow.Jobs
-	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
-
-	for _, needs := range jobNeeds {
-		if jobs[needs].Result == "failure" {
-			return true, nil
-		}
-	}
-
-	return false, nil
-}
-
-func (impl *interperterImpl) stepFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	return impl.env.Job.Status == "failure", nil
-}
-
-func (impl *interperterImpl) cancelled() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
-	return impl.env.Job.Status == "cancelled", nil
-}
--- a/act/exprparser/functions_test.go
+++ b/act/exprparser/functions_test.go
@@ -1,256 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package exprparser
-
-import (
-	"path/filepath"
-	"testing"
-
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestFunctionContains(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"contains('search', 'item') }}", false, "contains-str-str"},
-		{`cOnTaInS('Hello', 'll') }}`, true, "contains-str-casing"},
-		{`contains('HELLO', 'll') }}`, true, "contains-str-casing"},
-		{`contains('3.141592', 3.14) }}`, true, "contains-str-number"},
-		{`contains(3.141592, '3.14') }}`, true, "contains-number-str"},
-		{`contains(3.141592, 3.14) }}`, true, "contains-number-number"},
-		{`contains(true, 'u') }}`, true, "contains-bool-str"},
-		{`contains(null, '') }}`, true, "contains-null-str"},
-		{`contains(fromJSON('["first","second"]'), 'first') }}`, true, "contains-item"},
-		{`contains(fromJSON('[null,"second"]'), '') }}`, true, "contains-item-null-empty-str"},
-		{`contains(fromJSON('["","second"]'), null) }}`, true, "contains-item-empty-str-null"},
-		{`contains(fromJSON('[true,"second"]'), 'true') }}`, false, "contains-item-bool-arr"},
-		{`contains(fromJSON('["true","second"]'), true) }}`, false, "contains-item-str-bool"},
-		{`contains(fromJSON('[3.14,"second"]'), '3.14') }}`, true, "contains-item-number-str"},
-		{`contains(fromJSON('[3.14,"second"]'), 3.14) }}`, true, "contains-item-number-number"},
-		{`contains(fromJSON('["","second"]'), fromJSON('[]')) }}`, false, "contains-item-str-arr"},
-		{`contains(fromJSON('["","second"]'), fromJSON('{}')) }}`, false, "contains-item-str-obj"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionStartsWith(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"startsWith('search', 'se') }}", true, "startswith-string"},
-		{"startsWith('search', 'sa') }}", false, "startswith-string"},
-		{"startsWith('123search', '123s') }}", true, "startswith-string"},
-		{"startsWith(123, 's') }}", false, "startswith-string"},
-		{"startsWith(123, '12') }}", true, "startswith-string"},
-		{"startsWith('123', 12) }}", true, "startswith-string"},
-		{"startsWith(null, '42') }}", false, "startswith-string"},
-		{"startsWith('null', null) }}", true, "startswith-string"},
-		{"startsWith('null', '') }}", true, "startswith-string"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionEndsWith(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"endsWith('search', 'ch') }}", true, "endsWith-string"},
-		{"endsWith('search', 'sa') }}", false, "endsWith-string"},
-		{"endsWith('search123s', '123s') }}", true, "endsWith-string"},
-		{"endsWith(123, 's') }}", false, "endsWith-string"},
-		{"endsWith(123, '23') }}", true, "endsWith-string"},
-		{"endsWith('123', 23) }}", true, "endsWith-string"},
-		{"endsWith(null, '42') }}", false, "endsWith-string"},
-		{"endsWith('null', null) }}", true, "endsWith-string"},
-		{"endsWith('null', '') }}", true, "endsWith-string"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionJoin(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"join(fromJSON('[\"a\", \"b\"]'), ',')", "a,b", "join-arr"},
-		{"join('string', ',')", "string", "join-str"},
-		{"join(1, ',')", "1", "join-number"},
-		{"join(null, ',')", "", "join-number"},
-		{"join(fromJSON('[\"a\", \"b\", null]'), null)", "ab", "join-number"},
-		{"join(fromJSON('[\"a\", \"b\"]'))", "a,b", "join-number"},
-		{"join(fromJSON('[\"a\", \"b\", null]'), 1)", "a1b1", "join-number"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionToJSON(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"toJSON(env) }}", "{\n  \"key\": \"value\"\n}", "toJSON"},
-		{"toJSON(null)", "null", "toJSON-null"},
-	}
-
-	env := &EvaluationEnvironment{
-		Env: map[string]string{
-			"key": "value",
-		},
-	}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionFromJSON(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"fromJSON('{\"foo\":\"bar\"}') }}", map[string]any{
-			"foo": "bar",
-		}, "fromJSON"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionHashFiles(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		name     string
-	}{
-		{"hashFiles('**/non-extant-files') }}", "", "hash-non-existing-file"},
-		{"hashFiles('**/non-extant-files', '**/more-non-extant-files') }}", "", "hash-multiple-non-existing-files"},
-		{"hashFiles('./for-hashing-1.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-single-file"},
-		{"hashFiles('./for-hashing-*.txt') }}", "8e5935e7e13368cd9688fe8f48a0955293676a021562582c7e848dafe13fb046", "hash-multiple-files"},
-		{"hashFiles('./for-hashing-*.txt', '!./for-hashing-2.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-negative-pattern"},
-		{"hashFiles('./for-hashing-**') }}", "c418ba693753c84115ced0da77f876cddc662b9054f4b129b90f822597ee2f94", "hash-multiple-files-and-directories"},
-		{"hashFiles('./for-hashing-3/**') }}", "6f5696b546a7a9d6d42a449dc9a56bef244aaa826601ef27466168846139d2c2", "hash-nested-directories"},
-		{"hashFiles('./for-hashing-3/**/nested-data.txt') }}", "8ecadfb49f7f978d0a9f3a957e9c8da6cc9ab871f5203b5d9f9d1dc87d8af18c", "hash-nested-directories-2"},
-	}
-
-	env := &EvaluationEnvironment{}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			workdir, err := filepath.Abs("testdata")
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-			output, err := NewInterpeter(env, Config{WorkingDir: workdir}).Evaluate(tt.input, DefaultStatusCheckNone)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			assert.Equal(t, tt.expected, output)
-		})
-	}
-}
-
-func TestFunctionFormat(t *testing.T) {
-	table := []struct {
-		input    string
-		expected any
-		error    any
-		name     string
-	}{
-		{"format('text')", "text", nil, "format-plain-string"},
-		{"format('Hello {0} {1} {2}!', 'Mona', 'the', 'Octocat')", "Hello Mona the Octocat!", nil, "format-with-placeholders"},
-		{"format('{{Hello {0} {1} {2}!}}', 'Mona', 'the', 'Octocat')", "{Hello Mona the Octocat!}", nil, "format-with-escaped-braces"},
-		{"format('{{0}}', 'test')", "{0}", nil, "format-with-escaped-braces"},
-		{"format('{{{0}}}', 'test')", "{test}", nil, "format-with-escaped-braces-and-value"},
-		{"format('}}')", "}", nil, "format-output-closing-brace"},
-		{`format('Hello "{0}" {1} {2} {3} {4}', null, true, -3.14, NaN, Infinity)`, `Hello "" true -3.14 NaN Infinity`, nil, "format-with-primitives"},
-		{`format('Hello "{0}" {1} {2}', fromJSON('[0, true, "abc"]'), fromJSON('[{"a":1}]'), fromJSON('{"a":{"b":1}}'))`, `Hello "Array" Array Object`, nil, "format-with-complex-types"},
-		{"format(true)", "true", nil, "format-with-primitive-args"},
-		{"format('echo Hello {0} ${{Test}}', github.undefined_property)", "echo Hello  ${Test}", nil, "format-with-undefined-value"},
-		{"format('{0}}', '{1}', 'World')", nil, "Closing bracket without opening one. The following format string is invalid: '{0}}'", "format-invalid-format-string"},
-		{"format('{0', '{1}', 'World')", nil, "Unclosed brackets. The following format string is invalid: '{0'", "format-invalid-format-string"},
-		{"format('{2}', '{1}', 'World')", "", "The following format string references more arguments than were supplied: '{2}'", "format-invalid-replacement-reference"},
-		{"format('{2147483648}')", "", "The following format string is invalid: '{2147483648}'", "format-invalid-replacement-reference"},
-		{"format('{0} {1} {2} {3}', 1.0, 1.1, 1234567890.0, 12345678901234567890.0)", "1 1.1 1234567890 1.23456789012346E+19", nil, "format-floats"},
-	}
-
-	env := &EvaluationEnvironment{
-		Github: &model.GithubContext{},
-	}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
-			if tt.error != nil {
-				assert.Equal(t, tt.error, err.Error())
-			} else {
-				assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-				assert.Equal(t, tt.expected, output)
-			}
-		})
-	}
-}
--- a/act/exprparser/interpreter.go
+++ b/act/exprparser/interpreter.go
@@ -1,644 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package exprparser
-
-import (
-	"encoding"
-	"errors"
-	"fmt"
-	"math"
-	"reflect"
-	"strings"
-
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/rhysd/actionlint"
-)
-
-type EvaluationEnvironment struct {
-	Github    *model.GithubContext
-	Env       map[string]string
-	Job       *model.JobContext
-	Jobs      *map[string]*model.WorkflowCallResult
-	Steps     map[string]*model.StepResult
-	Runner    map[string]any
-	Secrets   map[string]string
-	Vars      map[string]string
-	Strategy  map[string]any
-	Matrix    map[string]any
-	Needs     map[string]Needs
-	Inputs    map[string]any
-	HashFiles func([]reflect.Value) (any, error)
-}
-
-type Needs struct {
-	Outputs map[string]string `json:"outputs"`
-	Result  string            `json:"result"`
-}
-
-type Config struct {
-	Run        *model.Run
-	WorkingDir string
-	Context    string
-}
-
-type DefaultStatusCheck int
-
-const (
-	DefaultStatusCheckNone DefaultStatusCheck = iota
-	DefaultStatusCheckSuccess
-	DefaultStatusCheckAlways
-	DefaultStatusCheckCanceled
-	DefaultStatusCheckFailure
-)
-
-func (dsc DefaultStatusCheck) String() string {
-	switch dsc {
-	case DefaultStatusCheckSuccess:
-		return "success"
-	case DefaultStatusCheckAlways:
-		return "always"
-	case DefaultStatusCheckCanceled:
-		return "cancelled"
-	case DefaultStatusCheckFailure:
-		return "failure"
-	}
-	return ""
-}
-
-type Interpreter interface {
-	Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error)
-}
-
-type interperterImpl struct {
-	env    *EvaluationEnvironment
-	config Config
-}
-
-func NewInterpeter(env *EvaluationEnvironment, config Config) Interpreter {
-	return &interperterImpl{
-		env:    env,
-		config: config,
-	}
-}
-
-func (impl *interperterImpl) Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error) {
-	input = strings.TrimPrefix(input, "${{")
-	if defaultStatusCheck != DefaultStatusCheckNone && input == "" {
-		input = "success()"
-	}
-	parser := actionlint.NewExprParser()
-	exprNode, err := parser.Parse(actionlint.NewExprLexer(input + "}}"))
-	if err != nil {
-		return nil, fmt.Errorf("Failed to parse: %s", err.Message)
-	}
-
-	if defaultStatusCheck != DefaultStatusCheckNone {
-		hasStatusCheckFunction := false
-		actionlint.VisitExprNode(exprNode, func(node, _ actionlint.ExprNode, entering bool) {
-			if funcCallNode, ok := node.(*actionlint.FuncCallNode); entering && ok {
-				switch strings.ToLower(funcCallNode.Callee) {
-				case "success", "always", "cancelled", "failure":
-					hasStatusCheckFunction = true
-				}
-			}
-		})
-
-		if !hasStatusCheckFunction {
-			exprNode = &actionlint.LogicalOpNode{
-				Kind: actionlint.LogicalOpNodeKindAnd,
-				Left: &actionlint.FuncCallNode{
-					Callee: defaultStatusCheck.String(),
-					Args:   []actionlint.ExprNode{},
-				},
-				Right: exprNode,
-			}
-		}
-	}
-
-	result, err2 := impl.evaluateNode(exprNode)
-
-	return result, err2
-}
-
-func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (any, error) {
-	switch node := exprNode.(type) {
-	case *actionlint.VariableNode:
-		return impl.evaluateVariable(node)
-	case *actionlint.BoolNode:
-		return node.Value, nil
-	case *actionlint.NullNode:
-		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-	case *actionlint.IntNode:
-		return node.Value, nil
-	case *actionlint.FloatNode:
-		return node.Value, nil
-	case *actionlint.StringNode:
-		return node.Value, nil
-	case *actionlint.IndexAccessNode:
-		return impl.evaluateIndexAccess(node)
-	case *actionlint.ObjectDerefNode:
-		return impl.evaluateObjectDeref(node)
-	case *actionlint.ArrayDerefNode:
-		return impl.evaluateArrayDeref(node)
-	case *actionlint.NotOpNode:
-		return impl.evaluateNot(node)
-	case *actionlint.CompareOpNode:
-		return impl.evaluateCompare(node)
-	case *actionlint.LogicalOpNode:
-		return impl.evaluateLogicalCompare(node)
-	case *actionlint.FuncCallNode:
-		return impl.evaluateFuncCall(node)
-	default:
-		return nil, fmt.Errorf("Fatal error! Unknown node type: %s node: %+v", reflect.TypeOf(exprNode), exprNode)
-	}
-}
-
-func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (any, error) {
-	switch strings.ToLower(variableNode.Name) {
-	case "github":
-		return impl.env.Github, nil
-	case "gitea": // compatible with Gitea
-		return impl.env.Github, nil
-	case "env":
-		return impl.env.Env, nil
-	case "job":
-		return impl.env.Job, nil
-	case "jobs":
-		if impl.env.Jobs == nil {
-			return nil, errors.New("Unavailable context: jobs")
-		}
-		return impl.env.Jobs, nil
-	case "steps":
-		return impl.env.Steps, nil
-	case "runner":
-		return impl.env.Runner, nil
-	case "secrets":
-		return impl.env.Secrets, nil
-	case "vars":
-		return impl.env.Vars, nil
-	case "strategy":
-		return impl.env.Strategy, nil
-	case "matrix":
-		return impl.env.Matrix, nil
-	case "needs":
-		return impl.env.Needs, nil
-	case "inputs":
-		return impl.env.Inputs, nil
-	case "infinity":
-		return math.Inf(1), nil
-	case "nan":
-		return math.NaN(), nil
-	default:
-		return nil, fmt.Errorf("Unavailable context: %s", variableNode.Name)
-	}
-}
-
-func (impl *interperterImpl) evaluateIndexAccess(indexAccessNode *actionlint.IndexAccessNode) (any, error) {
-	left, err := impl.evaluateNode(indexAccessNode.Operand)
-	if err != nil {
-		return nil, err
-	}
-
-	leftValue := reflect.ValueOf(left)
-
-	right, err := impl.evaluateNode(indexAccessNode.Index)
-	if err != nil {
-		return nil, err
-	}
-
-	rightValue := reflect.ValueOf(right)
-
-	switch rightValue.Kind() {
-	case reflect.String:
-		return impl.getPropertyValue(leftValue, rightValue.String())
-
-	case reflect.Int:
-		switch leftValue.Kind() {
-		case reflect.Slice:
-			if rightValue.Int() < 0 || rightValue.Int() >= int64(leftValue.Len()) {
-				return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-			}
-			return leftValue.Index(int(rightValue.Int())).Interface(), nil
-		default:
-			return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-		}
-
-	default:
-		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-	}
-}
-
-func (impl *interperterImpl) evaluateObjectDeref(objectDerefNode *actionlint.ObjectDerefNode) (any, error) {
-	left, err := impl.evaluateNode(objectDerefNode.Receiver)
-	if err != nil {
-		return nil, err
-	}
-
-	return impl.getPropertyValue(reflect.ValueOf(left), objectDerefNode.Property)
-}
-
-func (impl *interperterImpl) evaluateArrayDeref(arrayDerefNode *actionlint.ArrayDerefNode) (any, error) {
-	left, err := impl.evaluateNode(arrayDerefNode.Receiver)
-	if err != nil {
-		return nil, err
-	}
-
-	return impl.getSafeValue(reflect.ValueOf(left)), nil
-}
-
-func (impl *interperterImpl) getPropertyValue(left reflect.Value, property string) (value any, err error) {
-	switch left.Kind() {
-	case reflect.Pointer:
-		return impl.getPropertyValue(left.Elem(), property)
-
-	case reflect.Struct:
-		leftType := left.Type()
-		for field := range leftType.Fields() {
-			jsonName := field.Tag.Get("json")
-			if jsonName == property {
-				property = field.Name
-				break
-			}
-		}
-
-		fieldValue := left.FieldByNameFunc(func(name string) bool {
-			return strings.EqualFold(name, property)
-		})
-
-		if fieldValue.Kind() == reflect.Invalid {
-			return "", nil
-		}
-
-		i := fieldValue.Interface()
-		// The type stepStatus int is an integer, but should be treated as string
-		if m, ok := i.(encoding.TextMarshaler); ok {
-			text, err := m.MarshalText()
-			if err != nil {
-				return nil, err
-			}
-			return string(text), nil
-		}
-		return i, nil
-
-	case reflect.Map:
-		iter := left.MapRange()
-
-		for iter.Next() {
-			key := iter.Key()
-
-			switch key.Kind() {
-			case reflect.String:
-				if strings.EqualFold(key.String(), property) {
-					return impl.getMapValue(iter.Value())
-				}
-
-			default:
-				return nil, fmt.Errorf("'%s' in map key not implemented", key.Kind())
-			}
-		}
-
-		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-
-	case reflect.Slice:
-		var values []any
-
-		for i := 0; i < left.Len(); i++ {
-			value, err := impl.getPropertyValue(left.Index(i).Elem(), property)
-			if err != nil {
-				return nil, err
-			}
-
-			values = append(values, value)
-		}
-
-		return values, nil
-	}
-
-	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
-}
-
-func (impl *interperterImpl) getMapValue(value reflect.Value) (any, error) {
-	if value.Kind() == reflect.Pointer {
-		return impl.getMapValue(value.Elem())
-	}
-
-	return value.Interface(), nil
-}
-
-func (impl *interperterImpl) evaluateNot(notNode *actionlint.NotOpNode) (any, error) {
-	operand, err := impl.evaluateNode(notNode.Operand)
-	if err != nil {
-		return nil, err
-	}
-
-	return !IsTruthy(operand), nil
-}
-
-func (impl *interperterImpl) evaluateCompare(compareNode *actionlint.CompareOpNode) (any, error) {
-	left, err := impl.evaluateNode(compareNode.Left)
-	if err != nil {
-		return nil, err
-	}
-
-	right, err := impl.evaluateNode(compareNode.Right)
-	if err != nil {
-		return nil, err
-	}
-
-	leftValue := reflect.ValueOf(left)
-	rightValue := reflect.ValueOf(right)
-
-	return impl.compareValues(leftValue, rightValue, compareNode.Kind)
-}
-
-func (impl *interperterImpl) compareValues(leftValue, rightValue reflect.Value, kind actionlint.CompareOpNodeKind) (any, error) {
-	if leftValue.Kind() != rightValue.Kind() {
-		if !impl.isNumber(leftValue) {
-			leftValue = impl.coerceToNumber(leftValue)
-		}
-		if !impl.isNumber(rightValue) {
-			rightValue = impl.coerceToNumber(rightValue)
-		}
-	}
-
-	switch leftValue.Kind() {
-	case reflect.Bool:
-		return impl.compareNumber(float64(impl.coerceToNumber(leftValue).Int()), float64(impl.coerceToNumber(rightValue).Int()), kind)
-	case reflect.String:
-		return impl.compareString(strings.ToLower(leftValue.String()), strings.ToLower(rightValue.String()), kind)
-
-	case reflect.Int:
-		if rightValue.Kind() == reflect.Float64 {
-			return impl.compareNumber(float64(leftValue.Int()), rightValue.Float(), kind)
-		}
-
-		return impl.compareNumber(float64(leftValue.Int()), float64(rightValue.Int()), kind)
-
-	case reflect.Float64:
-		if rightValue.Kind() == reflect.Int {
-			return impl.compareNumber(leftValue.Float(), float64(rightValue.Int()), kind)
-		}
-
-		return impl.compareNumber(leftValue.Float(), rightValue.Float(), kind)
-
-	case reflect.Invalid:
-		if rightValue.Kind() == reflect.Invalid {
-			return true, nil
-		}
-
-		// not possible situation - params are converted to the same type in code above
-		return nil, fmt.Errorf("Compare params of Invalid type: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
-
-	default:
-		return nil, fmt.Errorf("Compare not implemented for types: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
-	}
-}
-
-func (impl *interperterImpl) coerceToNumber(value reflect.Value) reflect.Value {
-	switch value.Kind() {
-	case reflect.Invalid:
-		return reflect.ValueOf(0)
-
-	case reflect.Bool:
-		switch value.Bool() {
-		case true:
-			return reflect.ValueOf(1)
-		case false:
-			return reflect.ValueOf(0)
-		}
-
-	case reflect.String:
-		if value.String() == "" {
-			return reflect.ValueOf(0)
-		}
-
-		// try to parse the string as a number
-		evaluated, err := impl.Evaluate(value.String(), DefaultStatusCheckNone)
-		if err != nil {
-			return reflect.ValueOf(math.NaN())
-		}
-
-		if value := reflect.ValueOf(evaluated); impl.isNumber(value) {
-			return value
-		}
-	}
-
-	return reflect.ValueOf(math.NaN())
-}
-
-func (impl *interperterImpl) coerceToString(value reflect.Value) reflect.Value {
-	switch value.Kind() {
-	case reflect.Invalid:
-		return reflect.ValueOf("")
-
-	case reflect.Bool:
-		switch value.Bool() {
-		case true:
-			return reflect.ValueOf("true")
-		case false:
-			return reflect.ValueOf("false")
-		}
-
-	case reflect.String:
-		return value
-
-	case reflect.Int:
-		return reflect.ValueOf(fmt.Sprint(value))
-
-	case reflect.Float64:
-		if math.IsInf(value.Float(), 1) {
-			return reflect.ValueOf("Infinity")
-		} else if math.IsInf(value.Float(), -1) {
-			return reflect.ValueOf("-Infinity")
-		}
-		return reflect.ValueOf(fmt.Sprintf("%.15G", value.Float()))
-
-	case reflect.Slice:
-		return reflect.ValueOf("Array")
-
-	case reflect.Map:
-		return reflect.ValueOf("Object")
-	}
-
-	return value
-}
-
-func (impl *interperterImpl) compareString(left, right string, kind actionlint.CompareOpNodeKind) (bool, error) {
-	switch kind {
-	case actionlint.CompareOpNodeKindLess:
-		return left < right, nil
-	case actionlint.CompareOpNodeKindLessEq:
-		return left <= right, nil
-	case actionlint.CompareOpNodeKindGreater:
-		return left > right, nil
-	case actionlint.CompareOpNodeKindGreaterEq:
-		return left >= right, nil
-	case actionlint.CompareOpNodeKindEq:
-		return left == right, nil
-	case actionlint.CompareOpNodeKindNotEq:
-		return left != right, nil
-	default:
-		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
-	}
-}
-
-func (impl *interperterImpl) compareNumber(left, right float64, kind actionlint.CompareOpNodeKind) (bool, error) {
-	switch kind {
-	case actionlint.CompareOpNodeKindLess:
-		return left < right, nil
-	case actionlint.CompareOpNodeKindLessEq:
-		return left <= right, nil
-	case actionlint.CompareOpNodeKindGreater:
-		return left > right, nil
-	case actionlint.CompareOpNodeKindGreaterEq:
-		return left >= right, nil
-	case actionlint.CompareOpNodeKindEq:
-		return left == right, nil
-	case actionlint.CompareOpNodeKindNotEq:
-		return left != right, nil
-	default:
-		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
-	}
-}
-
-func IsTruthy(input any) bool {
-	value := reflect.ValueOf(input)
-	switch value.Kind() {
-	case reflect.Bool:
-		return value.Bool()
-
-	case reflect.String:
-		return value.String() != ""
-
-	case reflect.Int:
-		return value.Int() != 0
-
-	case reflect.Float64:
-		if math.IsNaN(value.Float()) {
-			return false
-		}
-
-		return value.Float() != 0
-
-	case reflect.Map, reflect.Slice:
-		return true
-
-	default:
-		return false
-	}
-}
-
-func (impl *interperterImpl) isNumber(value reflect.Value) bool {
-	switch value.Kind() {
-	case reflect.Int, reflect.Float64:
-		return true
-	default:
-		return false
-	}
-}
-
-func (impl *interperterImpl) getSafeValue(value reflect.Value) any {
-	switch value.Kind() {
-	case reflect.Invalid:
-		return nil
-
-	case reflect.Float64:
-		if value.Float() == 0 {
-			return 0
-		}
-	}
-
-	return value.Interface()
-}
-
-func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.LogicalOpNode) (any, error) {
-	left, err := impl.evaluateNode(compareNode.Left)
-	if err != nil {
-		return nil, err
-	}
-
-	leftValue := reflect.ValueOf(left)
-
-	if IsTruthy(left) == (compareNode.Kind == actionlint.LogicalOpNodeKindOr) {
-		return impl.getSafeValue(leftValue), nil
-	}
-
-	right, err := impl.evaluateNode(compareNode.Right)
-	if err != nil {
-		return nil, err
-	}
-
-	rightValue := reflect.ValueOf(right)
-
-	switch compareNode.Kind {
-	case actionlint.LogicalOpNodeKindAnd:
-		return impl.getSafeValue(rightValue), nil
-	case actionlint.LogicalOpNodeKindOr:
-		return impl.getSafeValue(rightValue), nil
-	}
-
-	return nil, fmt.Errorf("Unable to compare incompatibles types '%s' and '%s'", leftValue.Kind(), rightValue.Kind())
-}
-
-func (impl *interperterImpl) evaluateFuncCall(funcCallNode *actionlint.FuncCallNode) (any, error) {
-	args := make([]reflect.Value, 0)
-
-	for _, arg := range funcCallNode.Args {
-		value, err := impl.evaluateNode(arg)
-		if err != nil {
-			return nil, err
-		}
-
-		args = append(args, reflect.ValueOf(value))
-	}
-
-	switch strings.ToLower(funcCallNode.Callee) {
-	case "contains":
-		return impl.contains(args[0], args[1])
-	case "startswith":
-		return impl.startsWith(args[0], args[1])
-	case "endswith":
-		return impl.endsWith(args[0], args[1])
-	case "format":
-		return impl.format(args[0], args[1:]...)
-	case "join":
-		if len(args) == 1 {
-			return impl.join(args[0], reflect.ValueOf(","))
-		}
-		return impl.join(args[0], args[1])
-	case "tojson":
-		return impl.toJSON(args[0])
-	case "fromjson":
-		return impl.fromJSON(args[0])
-	case "hashfiles":
-		if impl.env.HashFiles != nil {
-			return impl.env.HashFiles(args)
-		}
-		return impl.hashFiles(args...)
-	case "always":
-		return impl.always()
-	case "success":
-		if impl.config.Context == "job" {
-			return impl.jobSuccess()
-		}
-		if impl.config.Context == "step" {
-			return impl.stepSuccess()
-		}
-		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
-	case "failure":
-		if impl.config.Context == "job" {
-			return impl.jobFailure()
-		}
-		if impl.config.Context == "step" {
-			return impl.stepFailure()
-		}
-		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
-	case "cancelled":
-		return impl.cancelled()
-	default:
-		return nil, fmt.Errorf("TODO: '%s' not implemented", funcCallNode.Callee)
-	}
-}
--- a/act/exprparser/testdata/for-hashing-1.txt
+++ b/act/exprparser/testdata/for-hashing-1.txt
@@ -1 +0,0 @@
-Hello
--- a/act/exprparser/testdata/for-hashing-2.txt
+++ b/act/exprparser/testdata/for-hashing-2.txt
@@ -1 +0,0 @@
-World!
--- a/act/exprparser/testdata/for-hashing-3/data.txt
+++ b/act/exprparser/testdata/for-hashing-3/data.txt
@@ -1 +0,0 @@
-Knock knock!
--- a/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
+++ b/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
@@ -1 +0,0 @@
-Anybody home?
--- a/act/lookpath/env.go
+++ b/act/lookpath/env.go
@@ -1,9 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package lookpath
-
-type Env interface {
-	Getenv(name string) string
-}
--- a/act/lookpath/error.go
+++ b/act/lookpath/error.go
@@ -1,14 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package lookpath
-
-type Error struct {
-	Name string
-	Err  error
-}
-
-func (e *Error) Error() string {
-	return e.Err.Error()
-}
--- a/act/model/workflow_test.go
+++ b/act/model/workflow_test.go
@@ -1,928 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2020 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package model
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"go.yaml.in/yaml/v4"
-)
-
-// TestStepCloneIsolatesMutableFields guards the parallel-matrix race fix: combinations share the
-// job's *Step, and Clone() must hand each a copy whose If/Env nodes and With map can be mutated
-// independently. A shallow copy would share Env.Content's backing array (and the With map) and
-// leak writes across combinations.
-func TestStepCloneIsolatesMutableFields(t *testing.T) {
-	var orig Step
-	require.NoError(t, yaml.Unmarshal([]byte("if: ${{ env.X == 'a' }}\nenv:\n  KEY: original\nwith:\n  arg: original\n"), &orig))
-	require.Len(t, orig.Env.Content, 2) // [key, value]
-
-	clone := orig.Clone()
-	clone.If.Value = "changed"
-	clone.Env.Content[1].Value = "changed"
-	clone.With["arg"] = "changed"
-
-	assert.Equal(t, "${{ env.X == 'a' }}", orig.If.Value, "If must not be shared with the clone")
-	assert.Equal(t, "original", orig.Env.Content[1].Value, "Env nodes must not be shared with the clone")
-	assert.Equal(t, "original", orig.With["arg"], "With map must not be shared with the clone")
-}
-
-func TestReadWorkflow_ScheduleEvent(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-on:
-  schedule:
-    - cron: '30 5 * * 1,3'
-    - cron: '30 5 * * 2,4'
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	schedules := workflow.OnEvent("schedule")
-	assert.Len(t, schedules, 2)
-
-	newSchedules := workflow.OnSchedule()
-	assert.Len(t, newSchedules, 2)
-
-	assert.Equal(t, "30 5 * * 1,3", newSchedules[0])
-	assert.Equal(t, "30 5 * * 2,4", newSchedules[1])
-
-	yaml = `
-name: local-action-docker-url
-on:
-  schedule:
-    test: '30 5 * * 1,3'
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	newSchedules = workflow.OnSchedule()
-	assert.Empty(t, newSchedules)
-
-	yaml = `
-name: local-action-docker-url
-on:
-  schedule:
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	newSchedules = workflow.OnSchedule()
-	assert.Empty(t, newSchedules)
-
-	yaml = `
-name: local-action-docker-url
-on: [push, tag]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	newSchedules = workflow.OnSchedule()
-	assert.Empty(t, newSchedules)
-}
-
-func TestReadWorkflow_StringEvent(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-on: push
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	assert.Len(t, workflow.On(), 1)
-	assert.Contains(t, workflow.On(), "push")
-}
-
-func TestReadWorkflow_ListEvent(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-on: [push, pull_request]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-	assert.Len(t, workflow.On(), 2)
-	assert.Contains(t, workflow.On(), "push")
-	assert.Contains(t, workflow.On(), "pull_request")
-}
-
-func TestReadWorkflow_MapEvent(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-on:
-  push:
-    branches:
-    - master
-  pull_request:
-    branches:
-    - master
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.On(), 2)
-	assert.Contains(t, workflow.On(), "push")
-	assert.Contains(t, workflow.On(), "pull_request")
-}
-
-func TestReadWorkflow_RunsOnLabels(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-
-jobs:
-  test:
-    container: nginx:latest
-    runs-on:
-      labels: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed")                     //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].RunsOn(), []string{"ubuntu-latest"}) //nolint:testifylint // pre-existing issue from nektos/act
-}
-
-func TestReadWorkflow_RunsOnLabelsWithGroup(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-
-jobs:
-  test:
-    container: nginx:latest
-    runs-on:
-      labels: [ubuntu-latest]
-      group: linux
-    steps:
-    - uses: ./actions/docker-url`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed")                              //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].RunsOn(), []string{"ubuntu-latest", "linux"}) //nolint:testifylint // pre-existing issue from nektos/act
-}
-
-func TestReadWorkflow_StringContainer(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-
-jobs:
-  test:
-    container: nginx:latest
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-  test2:
-    container:
-      image: nginx:latest
-      env:
-        foo: bar
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 2)
-	assert.Contains(t, workflow.Jobs["test"].Container().Image, "nginx:latest")
-	assert.Contains(t, workflow.Jobs["test2"].Container().Image, "nginx:latest")
-	assert.Contains(t, workflow.Jobs["test2"].Container().Env["foo"], "bar")
-}
-
-func TestReadWorkflow_ObjectContainer(t *testing.T) {
-	yaml := `
-name: local-action-docker-url
-
-jobs:
-  test:
-    container:
-      image: r.example.org/something:latest
-      credentials:
-        username: registry-username
-        password: registry-password
-      env:
-        HOME: /home/user
-      volumes:
-        - my_docker_volume:/volume_mount
-        - /data/my_data
-        - /source/directory:/destination/directory
-    runs-on: ubuntu-latest
-    steps:
-    - uses: ./actions/docker-url
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 1)
-
-	container := workflow.GetJob("test").Container()
-
-	assert.Contains(t, container.Image, "r.example.org/something:latest")
-	assert.Contains(t, container.Env["HOME"], "/home/user")
-	assert.Contains(t, container.Credentials["username"], "registry-username")
-	assert.Contains(t, container.Credentials["password"], "registry-password")
-	assert.ElementsMatch(t, container.Volumes, []string{
-		"my_docker_volume:/volume_mount",
-		"/data/my_data",
-		"/source/directory:/destination/directory",
-	})
-}
-
-func TestReadWorkflow_JobTypes(t *testing.T) {
-	yaml := `
-name: invalid job definition
-
-jobs:
-  default-job:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo
-  remote-reusable-workflow-yml:
-    uses: remote/repo/some/path/to/workflow.yml@main
-  remote-reusable-workflow-yaml:
-    uses: remote/repo/some/path/to/workflow.yaml@main
-  remote-reusable-workflow-custom-path:
-    uses: remote/repo/path/to/workflow.yml@main
-  local-reusable-workflow-yml:
-    uses: ./some/path/to/workflow.yml
-  local-reusable-workflow-yaml:
-    uses: ./some/path/to/workflow.yaml
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 6)
-
-	jobType, err := workflow.Jobs["default-job"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeDefault, jobType)
-
-	jobType, err = workflow.Jobs["remote-reusable-workflow-yml"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
-
-	jobType, err = workflow.Jobs["remote-reusable-workflow-yaml"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
-
-	jobType, err = workflow.Jobs["remote-reusable-workflow-custom-path"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
-
-	jobType, err = workflow.Jobs["local-reusable-workflow-yml"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
-
-	jobType, err = workflow.Jobs["local-reusable-workflow-yaml"].Type()
-	assert.Equal(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
-}
-
-func TestReadWorkflow_JobTypes_InvalidPath(t *testing.T) {
-	yaml := `
-name: invalid job definition
-
-jobs:
-  remote-reusable-workflow-missing-version:
-    uses: remote/repo/some/path/to/workflow.yml
-  remote-reusable-workflow-bad-extension:
-    uses: remote/repo/some/path/to/workflow.json
-  local-reusable-workflow-bad-extension:
-    uses: ./some/path/to/workflow.json
-  local-reusable-workflow-bad-path:
-    uses: some/path/to/workflow.yaml
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 4)
-
-	jobType, err := workflow.Jobs["remote-reusable-workflow-missing-version"].Type()
-	assert.Equal(t, JobTypeInvalid, jobType)
-	assert.NotEqual(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	jobType, err = workflow.Jobs["remote-reusable-workflow-bad-extension"].Type()
-	assert.Equal(t, JobTypeInvalid, jobType)
-	assert.NotEqual(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	jobType, err = workflow.Jobs["local-reusable-workflow-bad-extension"].Type()
-	assert.Equal(t, JobTypeInvalid, jobType)
-	assert.NotEqual(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	jobType, err = workflow.Jobs["local-reusable-workflow-bad-path"].Type()
-	assert.Equal(t, JobTypeInvalid, jobType)
-	assert.NotEqual(t, nil, err) //nolint:testifylint // pre-existing issue from nektos/act
-}
-
-func TestReadWorkflow_StepsTypes(t *testing.T) {
-	yaml := `
-name: invalid step definition
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: test1
-        uses: actions/checkout@v2
-        run: echo
-      - name: test2
-        run: echo
-      - name: test3
-        uses: actions/checkout@v2
-      - name: test4
-        uses: docker://nginx:latest
-      - name: test5
-        uses: ./local-action
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 1)
-	assert.Len(t, workflow.Jobs["test"].Steps, 5)
-	assert.Equal(t, workflow.Jobs["test"].Steps[0].Type(), StepTypeInvalid)          //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].Steps[1].Type(), StepTypeRun)              //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].Steps[2].Type(), StepTypeUsesActionRemote) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].Steps[3].Type(), StepTypeUsesDockerURL)    //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, workflow.Jobs["test"].Steps[4].Type(), StepTypeUsesActionLocal)  //nolint:testifylint // pre-existing issue from nektos/act
-}
-
-// See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idoutputs
-func TestReadWorkflow_JobOutputs(t *testing.T) {
-	yaml := `
-name: job outputs definition
-
-jobs:
-  test1:
-    runs-on: ubuntu-latest
-    steps:
-      - id: test1_1
-        run: |
-          echo "::set-output name=a_key::some-a_value"
-          echo "::set-output name=b-key::some-b-value"
-    outputs:
-      some_a_key: ${{ steps.test1_1.outputs.a_key }}
-      some-b-key: ${{ steps.test1_1.outputs.b-key }}
-
-  test2:
-    runs-on: ubuntu-latest
-    needs:
-      - test1
-    steps:
-      - name: test2_1
-        run: |
-          echo "${{ needs.test1.outputs.some_a_key }}"
-          echo "${{ needs.test1.outputs.some-b-key }}"
-`
-
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Len(t, workflow.Jobs, 2)
-
-	assert.Len(t, workflow.Jobs["test1"].Steps, 1)
-	assert.Equal(t, StepTypeRun, workflow.Jobs["test1"].Steps[0].Type())
-	assert.Equal(t, "test1_1", workflow.Jobs["test1"].Steps[0].ID)
-	assert.Len(t, workflow.Jobs["test1"].Outputs, 2)
-	assert.Contains(t, workflow.Jobs["test1"].Outputs, "some_a_key")
-	assert.Contains(t, workflow.Jobs["test1"].Outputs, "some-b-key")
-	assert.Equal(t, "${{ steps.test1_1.outputs.a_key }}", workflow.Jobs["test1"].Outputs["some_a_key"])
-	assert.Equal(t, "${{ steps.test1_1.outputs.b-key }}", workflow.Jobs["test1"].Outputs["some-b-key"])
-}
-
-func TestReadWorkflow_Strategy(t *testing.T) {
-	w, err := NewWorkflowPlanner("testdata/strategy/push.yml", true)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	p, err := w.PlanJob("strategy-only-max-parallel")
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	assert.Equal(t, len(p.Stages), 1)         //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, len(p.Stages[0].Runs), 1) //nolint:testifylint // pre-existing issue from nektos/act
-
-	wf := p.Stages[0].Runs[0].Workflow
-
-	job := wf.Jobs["strategy-only-max-parallel"]
-	matrixes, err := job.GetMatrixes()
-	assert.NoError(t, err)                          //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, matrixes, []map[string]any{{}}) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Matrix(), map[string][]any(nil))
-	assert.Equal(t, job.Strategy.MaxParallel, 2) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Strategy.FailFast, true) //nolint:testifylint // pre-existing issue from nektos/act
-
-	job = wf.Jobs["strategy-only-fail-fast"]
-	matrixes, err = job.GetMatrixes()
-	assert.NoError(t, err)                          //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, matrixes, []map[string]any{{}}) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Matrix(), map[string][]any(nil))
-	assert.Equal(t, job.Strategy.MaxParallel, 4)  //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Strategy.FailFast, false) //nolint:testifylint // pre-existing issue from nektos/act
-
-	job = wf.Jobs["strategy-no-matrix"]
-	matrixes, err = job.GetMatrixes()
-	assert.NoError(t, err)                          //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, matrixes, []map[string]any{{}}) //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Matrix(), map[string][]any(nil))
-	assert.Equal(t, job.Strategy.MaxParallel, 2)  //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Strategy.FailFast, false) //nolint:testifylint // pre-existing issue from nektos/act
-
-	job = wf.Jobs["strategy-all"]
-	matrixes, err = job.GetMatrixes()
-	assert.NoError(t, err)    //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, matrixes, //nolint:testifylint // pre-existing issue from nektos/act
-		[]map[string]any{
-			{"datacenter": "site-c", "node-version": "14.x", "site": "staging"},
-			{"datacenter": "site-c", "node-version": "16.x", "site": "staging"},
-			{"datacenter": "site-d", "node-version": "16.x", "site": "staging"},
-			{"php-version": 5.4},
-			{"datacenter": "site-a", "node-version": "10.x", "site": "prod"},
-			{"datacenter": "site-b", "node-version": "12.x", "site": "dev"},
-		},
-	)
-	assert.Equal(t, job.Matrix(), //nolint:testifylint // pre-existing issue from nektos/act
-		map[string][]any{
-			"datacenter": {"site-c", "site-d"},
-			"exclude": {
-				map[string]any{"datacenter": "site-d", "node-version": "14.x", "site": "staging"},
-			},
-			"include": {
-				map[string]any{"php-version": 5.4},
-				map[string]any{"datacenter": "site-a", "node-version": "10.x", "site": "prod"},
-				map[string]any{"datacenter": "site-b", "node-version": "12.x", "site": "dev"},
-			},
-			"node-version": {"14.x", "16.x"},
-			"site":         {"staging"},
-		},
-	)
-	assert.Equal(t, job.Strategy.MaxParallel, 2)  //nolint:testifylint // pre-existing issue from nektos/act
-	assert.Equal(t, job.Strategy.FailFast, false) //nolint:testifylint // pre-existing issue from nektos/act
-}
-
-func TestStep_ShellCommand(t *testing.T) {
-	tests := []struct {
-		shell string
-		want  string
-	}{
-		{"pwsh -v '. {0}'", "pwsh -v '. {0}'"},
-		{"pwsh", "pwsh -command . '{0}'"},
-		{"powershell", "powershell -command . '{0}'"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.shell, func(t *testing.T) {
-			got := (&Step{Shell: tt.shell}).ShellCommand()
-			assert.Equal(t, got, tt.want) //nolint:testifylint // pre-existing issue from nektos/act
-		})
-	}
-}
-
-func TestReadWorkflow_WorkflowDispatchConfig(t *testing.T) {
-	yaml := `
-    name: local-action-docker-url
-    `
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch := workflow.WorkflowDispatchConfig()
-	assert.Nil(t, workflowDispatch)
-
-	yaml = `
-    name: local-action-docker-url
-    on: push
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.Nil(t, workflowDispatch)
-
-	yaml = `
-    name: local-action-docker-url
-    on: workflow_dispatch
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.NotNil(t, workflowDispatch)
-	assert.Nil(t, workflowDispatch.Inputs)
-
-	yaml = `
-    name: local-action-docker-url
-    on: [push, pull_request]
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.Nil(t, workflowDispatch)
-
-	yaml = `
-    name: local-action-docker-url
-    on: [push, workflow_dispatch]
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.NotNil(t, workflowDispatch)
-	assert.Nil(t, workflowDispatch.Inputs)
-
-	yaml = `
-    name: local-action-docker-url
-    on:
-        - push
-        - workflow_dispatch
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.NotNil(t, workflowDispatch)
-	assert.Nil(t, workflowDispatch.Inputs)
-
-	yaml = `
-    name: local-action-docker-url
-    on:
-        push:
-        pull_request:
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.Nil(t, workflowDispatch)
-
-	yaml = `
-    name: local-action-docker-url
-    on:
-        push:
-        pull_request:
-        workflow_dispatch:
-            inputs:
-                logLevel:
-                    description: 'Log level'
-                    required: true
-                    default: 'warning'
-                    type: choice
-                    options:
-                    - info
-                    - warning
-                    - debug
-    `
-	workflow, err = ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-	workflowDispatch = workflow.WorkflowDispatchConfig()
-	assert.NotNil(t, workflowDispatch)
-	assert.Equal(t, WorkflowDispatchInput{
-		Default:     "warning",
-		Description: "Log level",
-		Options: []string{
-			"info",
-			"warning",
-			"debug",
-		},
-		Required: true,
-		Type:     "choice",
-	}, workflowDispatch.Inputs["logLevel"])
-}
-
-func TestStep_UsesHash(t *testing.T) {
-	type fields struct {
-		Uses string
-	}
-	tests := []struct {
-		name   string
-		fields fields
-		want   string
-	}{
-		{
-			name: "regular",
-			fields: fields{
-				Uses: "https://gitea.com/testa/testb@v3",
-			},
-			want: "ae437878e9f285bd7518c58664f9fabbb12d05feddd7169c01702a2a14322aa8",
-		},
-		{
-			name: "empty",
-			fields: fields{
-				Uses: "",
-			},
-			want: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := &Step{
-				Uses: tt.fields.Uses,
-			}
-			assert.Equalf(t, tt.want, s.UsesHash(), "UsesHash()")
-		})
-	}
-}
-
-func TestNormalizeMatrixValue(t *testing.T) {
-	tests := []struct {
-		name       string
-		key        string
-		value      any
-		wantResult []any
-		wantErr    bool
-		errMsg     string
-	}{
-		{
-			name:       "array_values_pass_through",
-			key:        "version",
-			value:      []any{"1.0", "2.0", "3.0"},
-			wantResult: []any{"1.0", "2.0", "3.0"},
-			wantErr:    false,
-		},
-		{
-			name:       "string_scalar_wrapped",
-			key:        "os",
-			value:      "ubuntu-latest",
-			wantResult: []any{"ubuntu-latest"},
-			wantErr:    false,
-		},
-		{
-			name:       "template_expression_wrapped",
-			key:        "version",
-			value:      "${{ fromJson(needs.setup.outputs.versions) }}",
-			wantResult: []any{"${{ fromJson(needs.setup.outputs.versions) }}"},
-			wantErr:    false,
-		},
-		{
-			name:       "integer_scalar_wrapped",
-			key:        "count",
-			value:      42,
-			wantResult: []any{42},
-			wantErr:    false,
-		},
-		{
-			name:       "float_scalar_wrapped",
-			key:        "factor",
-			value:      3.14,
-			wantResult: []any{3.14},
-			wantErr:    false,
-		},
-		{
-			name:       "bool_scalar_wrapped",
-			key:        "enabled",
-			value:      true,
-			wantResult: []any{true},
-			wantErr:    false,
-		},
-		{
-			name:       "nil_scalar_wrapped",
-			key:        "optional",
-			value:      nil,
-			wantResult: []any{nil},
-			wantErr:    false,
-		},
-		{
-			name:    "nested_map_returns_error",
-			key:     "config",
-			value:   map[string]any{"nested": "value"},
-			wantErr: true,
-			errMsg:  "has invalid nested object value",
-		},
-		{
-			name:       "empty_array_passes_through",
-			key:        "empty",
-			value:      []any{},
-			wantResult: []any{},
-			wantErr:    false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result, err := normalizeMatrixValue(tt.key, tt.value)
-
-			if tt.wantErr {
-				assert.Error(t, err, "should return error") //nolint:testifylint // pre-existing issue from nektos/act
-				if tt.errMsg != "" {
-					assert.Contains(t, err.Error(), tt.errMsg)
-				}
-			} else {
-				assert.NoError(t, err, "should not return error") //nolint:testifylint // pre-existing issue from nektos/act
-				assert.Equal(t, tt.wantResult, result, "result should match expected")
-			}
-		})
-	}
-}
-
-func TestJobMatrix(t *testing.T) {
-	tests := []struct {
-		name    string
-		yaml    string
-		wantErr bool
-		wantLen int
-		checkFn func(*testing.T, map[string][]any)
-	}{
-		{
-			name: "matrix_with_arrays",
-			yaml: `
-name: test
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest]
-        version: [1.18, 1.19]
-    steps:
-      - run: echo test
-`,
-			wantErr: false,
-			wantLen: 2,
-			checkFn: func(t *testing.T, m map[string][]any) {
-				assert.Equal(t, []any{"ubuntu-latest", "windows-latest"}, m["os"])
-				assert.Equal(t, []any{1.18, 1.19}, m["version"])
-			},
-		},
-		{
-			name: "matrix_with_scalar_values",
-			yaml: `
-name: test
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: ubuntu-latest
-        version: 1.19
-    steps:
-      - run: echo test
-`,
-			wantErr: false,
-			wantLen: 2,
-			checkFn: func(t *testing.T, m map[string][]any) {
-				assert.Equal(t, []any{"ubuntu-latest"}, m["os"])
-				assert.Equal(t, []any{1.19}, m["version"])
-			},
-		},
-		{
-			name: "matrix_with_template_expression",
-			yaml: `
-name: test
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        versions: ${{ fromJson(needs.setup.outputs.versions) }}
-    steps:
-      - run: echo test
-`,
-			wantErr: false,
-			wantLen: 1,
-			checkFn: func(t *testing.T, m map[string][]any) {
-				assert.Equal(t, []any{"${{ fromJson(needs.setup.outputs.versions) }}"}, m["versions"])
-			},
-		},
-		{
-			name: "matrix_mixed_arrays_and_scalars",
-			yaml: `
-name: test
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        os: [ubuntu-latest, windows-latest]
-        version: 1.19
-        node: [14, 16]
-    steps:
-      - run: echo test
-`,
-			wantErr: false,
-			wantLen: 3,
-			checkFn: func(t *testing.T, m map[string][]any) {
-				assert.Equal(t, []any{"ubuntu-latest", "windows-latest"}, m["os"])
-				assert.Equal(t, []any{1.19}, m["version"])
-				assert.Equal(t, []any{14, 16}, m["node"])
-			},
-		},
-		{
-			name: "empty_matrix",
-			yaml: `
-name: test
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo test
-`,
-			wantErr: false,
-			wantLen: 0,
-			checkFn: nil,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			workflow, err := ReadWorkflow(strings.NewReader(tt.yaml))
-			assert.NoError(t, err, "reading workflow should succeed") //nolint:testifylint // pre-existing issue from nektos/act
-
-			job := workflow.GetJob("build")
-			if job == nil {
-				// For empty matrix test
-				if tt.wantLen == 0 {
-					return
-				}
-				t.Fatal("job not found")
-			}
-
-			matrix := job.Matrix()
-
-			if tt.wantErr {
-				assert.Nil(t, matrix, "matrix should be nil on error")
-			} else {
-				if tt.wantLen == 0 {
-					assert.Nil(t, matrix, "matrix should be nil for jobs without strategy")
-				} else {
-					assert.NotNil(t, matrix, "matrix should not be nil")
-					assert.Len(t, matrix, tt.wantLen, "matrix should have expected number of keys")
-					if tt.checkFn != nil {
-						tt.checkFn(t, matrix)
-					}
-				}
-			}
-		})
-	}
-}
-
-func TestJobMatrixValidation(t *testing.T) {
-	// This test verifies that invalid nested map values are caught
-	t.Run("matrix_with_nested_map_fails", func(t *testing.T) {
-		// Manually construct a job with a problematic matrix containing a nested map
-		job := &Job{
-			Strategy: &Strategy{
-				RawMatrix: yaml.Node{
-					Kind: yaml.MappingNode,
-					Content: []*yaml.Node{
-						{Kind: yaml.ScalarNode, Tag: "!!str", Value: "config"},
-						{Kind: yaml.MappingNode, Tag: "!!map", Content: []*yaml.Node{
-							{Kind: yaml.ScalarNode, Tag: "!!str", Value: "nested"},
-							{Kind: yaml.ScalarNode, Tag: "!!str", Value: "value"},
-						}},
-					},
-				},
-			},
-		}
-
-		// Attempt to get matrix
-		matrix := job.Matrix()
-
-		// Should return nil due to validation error
-		assert.Nil(t, matrix, "matrix with nested map should return nil")
-	})
-}
--- a/act/runner/action.go
+++ b/act/runner/action.go
@@ -1,743 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"embed"
-	"errors"
-	"fmt"
-	"io"
-	"io/fs"
-	"os"
-	"path"
-	"path/filepath"
-	"regexp"
-	"runtime"
-	"strings"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/common/git"
-	"gitea.com/gitea/runner/act/container"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/kballard/go-shellquote"
-)
-
-type actionStep interface {
-	step
-
-	getActionModel() *model.Action
-	getCompositeRunContext(context.Context) *RunContext
-	getCompositeSteps() *compositeSteps
-}
-
-type readAction func(ctx context.Context, step *model.Step, actionDir, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error)
-
-type actionYamlReader func(filename string) (io.Reader, io.Closer, error)
-
-type fileWriter func(filename string, data []byte, perm fs.FileMode) error
-
-type runAction func(step actionStep, actionDir string, remoteAction *remoteAction) common.Executor
-
-//go:embed res/trampoline.js
-var trampoline embed.FS
-
-var (
-	ContainerImageExistsLocally     = container.ImageExistsLocally
-	ContainerNewDockerBuildExecutor = container.NewDockerBuildExecutor
-)
-
-func readActionImpl(ctx context.Context, step *model.Step, actionDir, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
-	logger := common.Logger(ctx)
-	allErrors := []error{}
-	addError := func(fileName string, err error) {
-		if err != nil {
-			allErrors = append(allErrors, fmt.Errorf("failed to read '%s' from action '%s' with path '%s' of step %w", fileName, step.String(), actionPath, err))
-		} else {
-			// One successful read, clear error state
-			allErrors = nil
-		}
-	}
-	reader, closer, err := readFile("action.yml")
-	addError("action.yml", err)
-	if os.IsNotExist(err) {
-		reader, closer, err = readFile("action.yaml")
-		addError("action.yaml", err)
-		if os.IsNotExist(err) {
-			_, closer, err := readFile("Dockerfile")
-			addError("Dockerfile", err)
-			if err == nil {
-				closer.Close()
-				action := &model.Action{
-					Name: "(Synthetic)",
-					Runs: model.ActionRuns{
-						Using: "docker",
-						Image: "Dockerfile",
-					},
-				}
-				logger.Debugf("Using synthetic action %v for Dockerfile", action)
-				return action, nil
-			}
-			if step.With != nil {
-				if val, ok := step.With["args"]; ok {
-					var b []byte
-					if b, err = trampoline.ReadFile("res/trampoline.js"); err != nil {
-						return nil, err
-					}
-					err2 := writeFile(filepath.Join(actionDir, actionPath, "trampoline.js"), b, 0o400)
-					if err2 != nil {
-						return nil, err2
-					}
-					action := &model.Action{
-						Name: "(Synthetic)",
-						Inputs: map[string]model.Input{
-							"cwd": {
-								Description: "(Actual working directory)",
-								Required:    false,
-								Default:     filepath.Join(actionDir, actionPath),
-							},
-							"command": {
-								Description: "(Actual program)",
-								Required:    false,
-								Default:     val,
-							},
-						},
-						Runs: model.ActionRuns{
-							Using: "node12",
-							Main:  "trampoline.js",
-						},
-					}
-					logger.Debugf("Using synthetic action %v", action)
-					return action, nil
-				}
-			}
-		}
-	}
-	if allErrors != nil {
-		return nil, errors.Join(allErrors...)
-	}
-	defer closer.Close()
-
-	action, err := model.ReadAction(reader)
-	// For Gitea, reduce log noise
-	// logger.Debugf("Read action %v from '%s'", action, "Unknown")
-	return action, err
-}
-
-func maybeCopyToActionDir(ctx context.Context, step actionStep, actionDir, actionPath, containerActionDir string) error {
-	logger := common.Logger(ctx)
-	rc := step.getRunContext()
-	stepModel := step.getStepModel()
-
-	if stepModel.Type() != model.StepTypeUsesActionRemote {
-		return nil
-	}
-
-	var containerActionDirCopy string
-	containerActionDirCopy = strings.TrimSuffix(containerActionDir, actionPath)
-	logger.Debug(containerActionDirCopy)
-
-	if !strings.HasSuffix(containerActionDirCopy, `/`) {
-		containerActionDirCopy += `/`
-	}
-
-	if rc.Config != nil && rc.Config.ActionCache != nil {
-		raction := step.(*stepActionRemote)
-		ta, err := rc.Config.ActionCache.GetTarArchive(ctx, raction.cacheDir, raction.resolvedSha, "")
-		if err != nil {
-			return err
-		}
-		defer ta.Close()
-		return rc.JobContainer.CopyTarStream(ctx, containerActionDirCopy, ta)
-	}
-
-	defer git.AcquireCloneLock(actionDir)()
-
-	if err := removeGitIgnore(ctx, actionDir); err != nil {
-		return err
-	}
-
-	return rc.JobContainer.CopyDir(containerActionDirCopy, actionDir+"/", rc.Config.UseGitIgnore)(ctx)
-}
-
-func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction) common.Executor {
-	rc := step.getRunContext()
-	stepModel := step.getStepModel()
-
-	return func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-		actionPath := ""
-		if remoteAction != nil && remoteAction.Path != "" {
-			actionPath = remoteAction.Path
-		}
-
-		action := step.getActionModel()
-		// For Gitea, reduce log noise
-		// logger.Debugf("About to run action %v", action)
-
-		err := setupActionEnv(ctx, step, remoteAction)
-		if err != nil {
-			return err
-		}
-
-		actionLocation := path.Join(actionDir, actionPath)
-		actionName, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)
-
-		logger.Debugf("type=%v actionDir=%s actionPath=%s workdir=%s actionCacheDir=%s actionName=%s containerActionDir=%s", stepModel.Type(), actionDir, actionPath, rc.Config.Workdir, rc.ActionCacheDir(), actionName, containerActionDir)
-
-		x := action.Runs.Using
-		switch {
-		case x.IsNode():
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Main)}
-			logger.Debugf("executing remote job container: %s", containerArgs)
-
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)
-		case x.IsDocker():
-			location := actionLocation
-			if remoteAction == nil {
-				location = containerActionDir
-			}
-			return execAsDocker(ctx, step, actionName, actionDir, location, remoteAction == nil)
-		case x.IsComposite():
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-
-			return execAsComposite(step)(ctx)
-		case x == model.ActionRunsUsingGo:
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			execFileName := action.Runs.Main + ".out"
-			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Main}
-			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
-
-			return common.NewPipelineExecutor(
-				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
-				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
-			)(ctx)
-		default:
-			return fmt.Errorf("The runs.using key must be one of: %v, got %s", []string{
-				model.ActionRunsUsingDocker,
-				model.ActionRunsUsingNode12,
-				model.ActionRunsUsingNode16,
-				model.ActionRunsUsingNode20,
-				model.ActionRunsUsingNode24,
-				model.ActionRunsUsingComposite,
-				model.ActionRunsUsingGo,
-			}, action.Runs.Using)
-		}
-	}
-}
-
-func setupActionEnv(ctx context.Context, step actionStep, _ *remoteAction) error {
-	rc := step.getRunContext()
-
-	// A few fields in the environment (e.g. GITHUB_ACTION_REPOSITORY)
-	// are dependent on the action. That means we can complete the
-	// setup only after resolving the whole action model and cloning
-	// the action
-	rc.withGithubEnv(ctx, step.getGithubContext(ctx), *step.getEnv())
-	populateEnvsFromSavedState(step.getEnv(), step, rc)
-	populateEnvsFromInput(ctx, step.getEnv(), step.getActionModel(), rc)
-
-	return nil
-}
-
-// https://github.com/nektos/act/issues/228#issuecomment-629709055
-// files in .gitignore are not copied in a Docker container
-// this causes issues with actions that ignore other important resources
-// such as `node_modules` for example
-func removeGitIgnore(ctx context.Context, directory string) error {
-	gitIgnorePath := path.Join(directory, ".gitignore")
-	if _, err := os.Stat(gitIgnorePath); err == nil {
-		// .gitignore exists
-		common.Logger(ctx).Debugf("Removing %s before docker cp", gitIgnorePath)
-		err := os.Remove(gitIgnorePath)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// TODO: break out parts of function to reduce complexicity
-func execAsDocker(ctx context.Context, step actionStep, actionName, actionDir, basedir string, localAction bool) error {
-	logger := common.Logger(ctx)
-	rc := step.getRunContext()
-	action := step.getActionModel()
-
-	var prepImage common.Executor
-	var image string
-	forcePull := false
-	if after, ok := strings.CutPrefix(action.Runs.Image, "docker://"); ok {
-		image = after
-		// Apply forcePull only for prebuild docker images
-		forcePull = rc.Config.ForcePull
-	} else {
-		// "-dockeraction" enshures that "./", "./test " won't get converted to "act-:latest", "act-test-:latest" which are invalid docker image names
-		image = fmt.Sprintf("%s-dockeraction:%s", regexp.MustCompile("[^a-zA-Z0-9]").ReplaceAllString(actionName, "-"), "latest")
-		image = "act-" + strings.TrimLeft(image, "-")
-		image = strings.ToLower(image)
-		contextDir, fileName := filepath.Split(filepath.Join(basedir, action.Runs.Image))
-
-		anyArchExists, err := ContainerImageExistsLocally(ctx, image, "any")
-		if err != nil {
-			return err
-		}
-
-		correctArchExists, err := ContainerImageExistsLocally(ctx, image, rc.Config.ContainerArchitecture)
-		if err != nil {
-			return err
-		}
-
-		if anyArchExists && !correctArchExists {
-			wasRemoved, err := container.RemoveImage(ctx, image, true, true)
-			if err != nil {
-				return err
-			}
-			if !wasRemoved {
-				return fmt.Errorf("failed to remove image '%s'", image)
-			}
-		}
-
-		if !correctArchExists || rc.Config.ForceRebuild {
-			logger.Debugf("image '%s' for architecture '%s' will be built from context '%s", image, rc.Config.ContainerArchitecture, contextDir)
-			var buildContext io.ReadCloser
-			if localAction {
-				buildContext, err = rc.JobContainer.GetContainerArchive(ctx, contextDir+"/.")
-				if err != nil {
-					return err
-				}
-				defer buildContext.Close()
-			} else if rc.Config.ActionCache != nil {
-				rstep := step.(*stepActionRemote)
-				buildContext, err = rc.Config.ActionCache.GetTarArchive(ctx, rstep.cacheDir, rstep.resolvedSha, contextDir)
-				if err != nil {
-					return err
-				}
-				defer buildContext.Close()
-			}
-			prepImage = ContainerNewDockerBuildExecutor(container.NewDockerBuildExecutorInput{
-				ContextDir:   contextDir,
-				Dockerfile:   fileName,
-				ImageTag:     image,
-				BuildContext: buildContext,
-				Platform:     rc.Config.ContainerArchitecture,
-			})
-			if buildContext == nil {
-				// Held across the whole build: the daemon drains contextDir lazily.
-				inner := prepImage
-				prepImage = func(ctx context.Context) error {
-					defer git.AcquireCloneLock(actionDir)()
-					return inner(ctx)
-				}
-			}
-		} else {
-			logger.Debugf("image '%s' for architecture '%s' already exists", image, rc.Config.ContainerArchitecture)
-		}
-	}
-	eval := rc.NewStepExpressionEvaluator(ctx, step)
-	cmd, err := shellquote.Split(eval.Interpolate(ctx, step.getStepModel().With["args"]))
-	if err != nil {
-		return err
-	}
-	if len(cmd) == 0 {
-		cmd = action.Runs.Args
-		evalDockerArgs(ctx, step, action, &cmd)
-	}
-	entrypoint := strings.Fields(eval.Interpolate(ctx, step.getStepModel().With["entrypoint"]))
-	if len(entrypoint) == 0 {
-		if action.Runs.Entrypoint != "" {
-			entrypoint, err = shellquote.Split(action.Runs.Entrypoint)
-			if err != nil {
-				return err
-			}
-		} else {
-			entrypoint = nil
-		}
-	}
-	stepContainer := newStepContainer(ctx, step, image, cmd, entrypoint)
-	return common.NewPipelineExecutor(
-		prepImage,
-		stepContainer.Pull(forcePull),
-		stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
-		stepContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
-		stepContainer.Start(true),
-	).Finally(
-		stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
-	).Finally(stepContainer.Close())(ctx)
-}
-
-func evalDockerArgs(ctx context.Context, step step, action *model.Action, cmd *[]string) {
-	rc := step.getRunContext()
-	stepModel := step.getStepModel()
-
-	inputs := make(map[string]string)
-	eval := rc.NewExpressionEvaluator(ctx)
-	// Set Defaults
-	for k, input := range action.Inputs {
-		inputs[k] = eval.Interpolate(ctx, input.Default)
-	}
-	if stepModel.With != nil {
-		for k, v := range stepModel.With {
-			inputs[k] = eval.Interpolate(ctx, v)
-		}
-	}
-	mergeIntoMap(step, step.getEnv(), inputs)
-
-	stepEE := rc.NewStepExpressionEvaluator(ctx, step)
-	for i, v := range *cmd {
-		(*cmd)[i] = stepEE.Interpolate(ctx, v)
-	}
-	mergeIntoMap(step, step.getEnv(), action.Runs.Env)
-
-	ee := rc.NewStepExpressionEvaluator(ctx, step)
-	for k, v := range *step.getEnv() {
-		(*step.getEnv())[k] = ee.Interpolate(ctx, v)
-	}
-}
-
-func newStepContainer(ctx context.Context, step step, image string, cmd, entrypoint []string) container.Container {
-	rc := step.getRunContext()
-	stepModel := step.getStepModel()
-	rawLogger := common.Logger(ctx).WithField("raw_output", true)
-	logWriter := common.NewLineWriter(rc.commandHandler(ctx), func(s string) bool {
-		if rc.Config.LogOutput {
-			rawLogger.Infof("%s", s)
-		} else {
-			rawLogger.Debugf("%s", s)
-		}
-		return true
-	})
-	envList := make([]string, 0)
-	for k, v := range *step.getEnv() {
-		envList = append(envList, fmt.Sprintf("%s=%s", k, v))
-	}
-
-	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_TOOL_CACHE", "/opt/hostedtoolcache"))
-	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_OS", "Linux"))
-	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_ARCH", container.RunnerArch(ctx)))
-	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_TEMP", "/tmp"))
-
-	binds, mounts := rc.GetBindsAndMounts()
-	networkMode := "container:" + rc.jobContainerName()
-	if rc.IsHostEnv(ctx) {
-		networkMode = "default"
-	}
-	stepContainer := container.NewContainer(&container.NewContainerInput{
-		Cmd:          cmd,
-		Entrypoint:   entrypoint,
-		WorkingDir:   rc.JobContainer.ToContainerPath(rc.Config.Workdir),
-		Image:        image,
-		Username:     rc.Config.Secrets["DOCKER_USERNAME"],
-		Password:     rc.Config.Secrets["DOCKER_PASSWORD"],
-		Name:         createContainerName(rc.jobContainerName(), "STEP-"+stepModel.ID),
-		Env:          envList,
-		Mounts:       mounts,
-		NetworkMode:  networkMode,
-		Binds:        binds,
-		Stdout:       logWriter,
-		Stderr:       logWriter,
-		Privileged:   rc.Config.Privileged,
-		UsernsMode:   rc.Config.UsernsMode,
-		Platform:     rc.Config.ContainerArchitecture,
-		Options:      rc.Config.ContainerOptions,
-		AutoRemove:   rc.Config.AutoRemove,
-		ValidVolumes: rc.validVolumes(),
-		AllocatePTY:  rc.Config.AllocatePTY,
-	})
-	return stepContainer
-}
-
-func populateEnvsFromSavedState(env *map[string]string, step actionStep, rc *RunContext) {
-	state, ok := rc.IntraActionState[step.getStepModel().ID]
-	if ok {
-		for name, value := range state {
-			envName := "STATE_" + name
-			(*env)[envName] = value
-		}
-	}
-}
-
-func populateEnvsFromInput(ctx context.Context, env *map[string]string, action *model.Action, rc *RunContext) {
-	eval := rc.NewExpressionEvaluator(ctx)
-	for inputID, input := range action.Inputs {
-		envKey := regexp.MustCompile("[^A-Z0-9-]").ReplaceAllString(strings.ToUpper(inputID), "_")
-		envKey = "INPUT_" + envKey
-		if _, ok := (*env)[envKey]; !ok {
-			(*env)[envKey] = eval.Interpolate(ctx, input.Default)
-		}
-	}
-}
-
-func getContainerActionPaths(step *model.Step, actionDir string, rc *RunContext) (string, string) {
-	actionName := ""
-	containerActionDir := "."
-	if step.Type() != model.StepTypeUsesActionRemote {
-		actionName = getOsSafeRelativePath(actionDir, rc.Config.Workdir)
-		containerActionDir = rc.JobContainer.ToContainerPath(rc.Config.Workdir) + "/" + actionName
-		actionName = "./" + actionName
-	} else if step.Type() == model.StepTypeUsesActionRemote {
-		actionName = getOsSafeRelativePath(actionDir, rc.ActionCacheDir())
-		containerActionDir = rc.JobContainer.GetActPath() + "/actions/" + actionName
-	}
-
-	if actionName == "" {
-		actionName = filepath.Base(actionDir)
-		if runtime.GOOS == "windows" {
-			actionName = strings.ReplaceAll(actionName, "\\", "/")
-		}
-	}
-	return actionName, containerActionDir
-}
-
-func getOsSafeRelativePath(s, prefix string) string {
-	actionName := strings.TrimPrefix(s, prefix)
-	if runtime.GOOS == "windows" {
-		actionName = strings.ReplaceAll(actionName, "\\", "/")
-	}
-	actionName = strings.TrimPrefix(actionName, "/")
-
-	return actionName
-}
-
-func shouldRunPreStep(step actionStep) common.Conditional {
-	return func(ctx context.Context) bool {
-		log := common.Logger(ctx)
-
-		if step.getActionModel() == nil {
-			log.Debugf("skip pre step for '%s': no action model available", step.getStepModel())
-			return false
-		}
-
-		return true
-	}
-}
-
-func hasPreStep(step actionStep) common.Conditional {
-	return func(ctx context.Context) bool {
-		action := step.getActionModel()
-		return action.Runs.Using.IsComposite() ||
-			(action.Runs.Using.IsNode() &&
-				action.Runs.Pre != "") ||
-			(action.Runs.Using == model.ActionRunsUsingGo &&
-				action.Runs.Pre != "")
-	}
-}
-
-func runPreStep(step actionStep) common.Executor {
-	return func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-		logger.Debugf("run pre step for '%s'", step.getStepModel())
-
-		rc := step.getRunContext()
-		stepModel := step.getStepModel()
-		action := step.getActionModel()
-
-		x := action.Runs.Using
-		switch {
-		case x.IsNode():
-			// defaults in pre steps were missing, however provided inputs are available
-			populateEnvsFromInput(ctx, step.getEnv(), action, rc)
-			// todo: refactor into step
-			var actionDir string
-			var actionPath string
-			if _, ok := step.(*stepActionRemote); ok {
-				actionPath = newRemoteAction(stepModel.Uses).Path
-				actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), stepModel.UsesHash())
-			} else {
-				actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
-				actionPath = ""
-			}
-
-			var actionLocation string
-			if actionPath != "" {
-				actionLocation = path.Join(actionDir, actionPath)
-			} else {
-				actionLocation = actionDir
-			}
-
-			_, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)
-
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-
-			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Pre)}
-			logger.Debugf("executing remote job container: %s", containerArgs)
-
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)
-
-		case x.IsComposite():
-			if step.getCompositeSteps() == nil {
-				step.getCompositeRunContext(ctx)
-			}
-
-			if steps := step.getCompositeSteps(); steps != nil && steps.pre != nil {
-				return steps.pre(ctx)
-			}
-			return errors.New("missing steps in composite action")
-
-		case x == model.ActionRunsUsingGo:
-			// defaults in pre steps were missing, however provided inputs are available
-			populateEnvsFromInput(ctx, step.getEnv(), action, rc)
-			// todo: refactor into step
-			var actionDir string
-			var actionPath string
-			if _, ok := step.(*stepActionRemote); ok {
-				actionPath = newRemoteAction(stepModel.Uses).Path
-				actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), stepModel.UsesHash())
-			} else {
-				actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
-				actionPath = ""
-			}
-
-			var actionLocation string
-			if actionPath != "" {
-				actionLocation = path.Join(actionDir, actionPath)
-			} else {
-				actionLocation = actionDir
-			}
-
-			_, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)
-
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			execFileName := action.Runs.Pre + ".out"
-			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Pre}
-			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
-
-			return common.NewPipelineExecutor(
-				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
-				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
-			)(ctx)
-		default:
-			return nil
-		}
-	}
-}
-
-func shouldRunPostStep(step actionStep) common.Conditional {
-	return func(ctx context.Context) bool {
-		log := common.Logger(ctx)
-		stepResults := step.getRunContext().getStepsContext()
-		stepResult := stepResults[step.getStepModel().ID]
-
-		if stepResult == nil {
-			log.WithField("stepResult", model.StepStatusSkipped).Debugf("skipping post step for '%s'; step was not executed", step.getStepModel())
-			return false
-		}
-
-		if stepResult.Conclusion == model.StepStatusSkipped {
-			log.WithField("stepResult", model.StepStatusSkipped).Debugf("skipping post step for '%s'; main step was skipped", step.getStepModel())
-			return false
-		}
-
-		if step.getActionModel() == nil {
-			log.WithField("stepResult", model.StepStatusSkipped).Debugf("skipping post step for '%s': no action model available", step.getStepModel())
-			return false
-		}
-
-		return true
-	}
-}
-
-func hasPostStep(step actionStep) common.Conditional {
-	return func(ctx context.Context) bool {
-		action := step.getActionModel()
-		return action.Runs.Using.IsComposite() ||
-			(action.Runs.Using.IsNode() &&
-				action.Runs.Post != "") ||
-			(action.Runs.Using == model.ActionRunsUsingGo &&
-				action.Runs.Post != "")
-	}
-}
-
-func runPostStep(step actionStep) common.Executor {
-	return func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-		logger.Debugf("run post step for '%s'", step.getStepModel())
-
-		rc := step.getRunContext()
-		stepModel := step.getStepModel()
-		action := step.getActionModel()
-
-		// todo: refactor into step
-		var actionDir string
-		var actionPath string
-		if _, ok := step.(*stepActionRemote); ok {
-			actionPath = newRemoteAction(stepModel.Uses).Path
-			actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), stepModel.UsesHash())
-		} else {
-			actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
-			actionPath = ""
-		}
-
-		var actionLocation string
-		if actionPath != "" {
-			actionLocation = path.Join(actionDir, actionPath)
-		} else {
-			actionLocation = actionDir
-		}
-
-		_, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)
-
-		x := action.Runs.Using
-		switch {
-		case x.IsNode():
-
-			populateEnvsFromSavedState(step.getEnv(), step, rc)
-
-			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Post)}
-			logger.Debugf("executing remote job container: %s", containerArgs)
-
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)
-
-		case x.IsComposite():
-			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
-				return err
-			}
-
-			if steps := step.getCompositeSteps(); steps != nil && steps.post != nil {
-				return steps.post(ctx)
-			}
-			return errors.New("missing steps in composite action")
-
-		case x == model.ActionRunsUsingGo:
-			populateEnvsFromSavedState(step.getEnv(), step, rc)
-			rc.ApplyExtraPath(ctx, step.getEnv())
-
-			execFileName := action.Runs.Post + ".out"
-			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Post}
-			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
-
-			return common.NewPipelineExecutor(
-				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
-				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
-			)(ctx)
-
-		default:
-			return nil
-		}
-	}
-}
--- a/act/runner/action_cache.go
+++ b/act/runner/action_cache.go
@@ -1,156 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2023 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"archive/tar"
-	"context"
-	"crypto/rand"
-	"encoding/hex"
-	"errors"
-	"io"
-	"io/fs"
-	"path"
-	"strings"
-
-	git "github.com/go-git/go-git/v5"
-	config "github.com/go-git/go-git/v5/config"
-	"github.com/go-git/go-git/v5/plumbing"
-	"github.com/go-git/go-git/v5/plumbing/object"
-	"github.com/go-git/go-git/v5/plumbing/transport"
-	"github.com/go-git/go-git/v5/plumbing/transport/http"
-)
-
-type ActionCache interface {
-	Fetch(ctx context.Context, cacheDir, url, ref, token string) (string, error)
-	GetTarArchive(ctx context.Context, cacheDir, sha, includePrefix string) (io.ReadCloser, error)
-}
-
-type GoGitActionCache struct {
-	Path string
-}
-
-func (c GoGitActionCache) Fetch(ctx context.Context, cacheDir, url, ref, token string) (string, error) {
-	gitPath := path.Join(c.Path, safeFilename(cacheDir)+".git")
-	gogitrepo, err := git.PlainInit(gitPath, true)
-	if errors.Is(err, git.ErrRepositoryAlreadyExists) {
-		gogitrepo, err = git.PlainOpen(gitPath)
-	}
-	if err != nil {
-		return "", err
-	}
-	tmpBranch := make([]byte, 12)
-	if _, err := rand.Read(tmpBranch); err != nil {
-		return "", err
-	}
-	branchName := hex.EncodeToString(tmpBranch)
-
-	var auth transport.AuthMethod
-	if token != "" {
-		auth = &http.BasicAuth{
-			Username: "token",
-			Password: token,
-		}
-	}
-	remote, err := gogitrepo.CreateRemoteAnonymous(&config.RemoteConfig{
-		Name: "anonymous",
-		URLs: []string{
-			url,
-		},
-	})
-	if err != nil {
-		return "", err
-	}
-	defer func() {
-		_ = gogitrepo.DeleteBranch(branchName)
-	}()
-	if err := remote.FetchContext(ctx, &git.FetchOptions{
-		RefSpecs: []config.RefSpec{
-			config.RefSpec(ref + ":" + branchName),
-		},
-		Auth:  auth,
-		Force: true,
-	}); err != nil {
-		return "", err
-	}
-	hash, err := gogitrepo.ResolveRevision(plumbing.Revision(branchName))
-	if err != nil {
-		return "", err
-	}
-	return hash.String(), nil
-}
-
-func (c GoGitActionCache) GetTarArchive(ctx context.Context, cacheDir, sha, includePrefix string) (io.ReadCloser, error) {
-	gitPath := path.Join(c.Path, safeFilename(cacheDir)+".git")
-	gogitrepo, err := git.PlainOpen(gitPath)
-	if err != nil {
-		return nil, err
-	}
-	commit, err := gogitrepo.CommitObject(plumbing.NewHash(sha))
-	if err != nil {
-		return nil, err
-	}
-	files, err := commit.Files()
-	if err != nil {
-		return nil, err
-	}
-	rpipe, wpipe := io.Pipe()
-	// Interrupt io.Copy using ctx
-	ch := make(chan int, 1)
-	go func() {
-		select {
-		case <-ctx.Done():
-			wpipe.CloseWithError(ctx.Err())
-		case <-ch:
-		}
-	}()
-	go func() {
-		defer wpipe.Close()
-		defer close(ch)
-		tw := tar.NewWriter(wpipe)
-		cleanIncludePrefix := path.Clean(includePrefix)
-		wpipe.CloseWithError(files.ForEach(func(f *object.File) error {
-			if err := ctx.Err(); err != nil {
-				return err
-			}
-			name := f.Name
-			if strings.HasPrefix(name, cleanIncludePrefix+"/") {
-				name = name[len(cleanIncludePrefix)+1:]
-			} else if cleanIncludePrefix != "." && name != cleanIncludePrefix {
-				return nil
-			}
-			fmode, err := f.Mode.ToOSFileMode()
-			if err != nil {
-				return err
-			}
-			if fmode&fs.ModeSymlink == fs.ModeSymlink {
-				content, err := f.Contents()
-				if err != nil {
-					return err
-				}
-				return tw.WriteHeader(&tar.Header{
-					Name:     name,
-					Mode:     int64(fmode),
-					Linkname: content,
-				})
-			}
-			err = tw.WriteHeader(&tar.Header{
-				Name: name,
-				Mode: int64(fmode),
-				Size: f.Size,
-			})
-			if err != nil {
-				return err
-			}
-			reader, err := f.Reader()
-			if err != nil {
-				return err
-			}
-			_, err = io.Copy(tw, reader)
-			return err
-		}))
-	}()
-	return rpipe, err
-}
--- a/act/runner/action_cache_test.go
+++ b/act/runner/action_cache_test.go
@@ -1,157 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// Copyright 2023 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"archive/tar"
-	"bytes"
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"testing"
-	"time"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func runGit(t *testing.T, dir string, args ...string) {
-	t.Helper()
-	if dir != "" {
-		args = append([]string{"-C", dir}, args...)
-	}
-	cmd := exec.Command("git", args...)
-	// Fixed identity and host-config isolation so commits succeed offline regardless of the
-	// host's git config (mirrors gitCmd in act/common/git).
-	cmd.Env = append(os.Environ(),
-		"GIT_AUTHOR_NAME=test", "GIT_AUTHOR_EMAIL=test@example.com",
-		"GIT_COMMITTER_NAME=test", "GIT_COMMITTER_EMAIL=test@example.com",
-		"GIT_CONFIG_GLOBAL=/dev/null", "GIT_CONFIG_SYSTEM=/dev/null",
-	)
-	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, string(out))
-}
-
-// TestShortShaActionRejected verifies a `uses` ref that is a shortened commit SHA is rejected
-// with a clear error. The action is resolved from a local repo (via DefaultActionInstance) so
-// this runs offline.
-func TestShortShaActionRejected(t *testing.T) {
-	// a local "remote" action repo at <root>/actions/hello-world-docker-action
-	actionRoot := t.TempDir()
-	repo := filepath.Join(actionRoot, "actions", "hello-world-docker-action")
-	require.NoError(t, os.MkdirAll(repo, 0o755))
-	runGit(t, "", "init", "--initial-branch=main", repo)
-	require.NoError(t, os.WriteFile(filepath.Join(repo, "action.yml"),
-		[]byte("name: hello\nruns:\n  using: node24\n  main: index.js\n"), 0o644))
-	runGit(t, repo, "add", ".")
-	runGit(t, repo, "commit", "-m", "initial")
-	out, err := exec.Command("git", "-C", repo, "rev-parse", "HEAD").Output()
-	require.NoError(t, err)
-	shortSha := strings.TrimSpace(string(out))[:7]
-
-	// a workflow that uses the action at the short SHA
-	wfDir := filepath.Join(t.TempDir(), "wf")
-	require.NoError(t, os.MkdirAll(wfDir, 0o755))
-	wf := fmt.Sprintf("on: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/hello-world-docker-action@%s\n", shortSha)
-	require.NoError(t, os.WriteFile(filepath.Join(wfDir, "push.yml"), []byte(wf), 0o644))
-
-	runner, err := New(&Config{
-		Workdir:               wfDir,
-		EventName:             "push",
-		Platforms:             map[string]string{"ubuntu-latest": baseImage},
-		GitHubInstance:        "github.com",
-		DefaultActionInstance: actionRoot,
-		ContainerMaxLifetime:  time.Hour,
-	})
-	require.NoError(t, err)
-	planner, err := model.NewWorkflowPlanner(wfDir, true)
-	require.NoError(t, err)
-	plan, err := planner.PlanEvent("push")
-	require.NoError(t, err)
-
-	err = runner.NewPlanExecutor(plan)(common.WithDryrun(context.Background(), true))
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "shortened version of a commit SHA")
-}
-
-func TestActionCache(t *testing.T) {
-	a := assert.New(t)
-	ctx := context.Background()
-
-	// Build a local bare repo with a `js` action dir so this runs offline (formerly cloned
-	// github.com/nektos/act-test-actions over the network). allowAnySHA1InWant lets the
-	// "Fetch Sha" case fetch a commit hash directly.
-	remoteDir := t.TempDir()
-	runGit(t, "", "init", "--bare", "--initial-branch=main", remoteDir)
-	runGit(t, remoteDir, "config", "uploadpack.allowAnySHA1InWant", "true")
-
-	workDir := t.TempDir()
-	runGit(t, "", "clone", remoteDir, workDir)
-	require.NoError(t, os.MkdirAll(filepath.Join(workDir, "js"), 0o755))
-	require.NoError(t, os.WriteFile(filepath.Join(workDir, "js", "action.yml"),
-		[]byte("name: js\nruns:\n  using: node24\n  main: index.js\n"), 0o644))
-	require.NoError(t, os.WriteFile(filepath.Join(workDir, "js", "index.js"),
-		[]byte("console.log('hello');\n"), 0o644))
-	runGit(t, workDir, "add", ".")
-	runGit(t, workDir, "commit", "-m", "initial")
-	runGit(t, workDir, "push", "-u", "origin", "main")
-
-	out, err := exec.Command("git", "-C", workDir, "rev-parse", "main").Output()
-	require.NoError(t, err)
-	fullSha := strings.TrimSpace(string(out))
-
-	cache := &GoGitActionCache{
-		Path: t.TempDir(),
-	}
-	cacheDir := "local/act-test-actions"
-	refs := []struct {
-		Name string
-		Ref  string
-	}{
-		{Name: "Fetch Branch Name", Ref: "main"},
-		{Name: "Fetch Branch Name Absolutely", Ref: "refs/heads/main"},
-		{Name: "Fetch HEAD", Ref: "HEAD"},
-		{Name: "Fetch Sha", Ref: fullSha},
-	}
-	for _, c := range refs {
-		t.Run(c.Name, func(t *testing.T) {
-			sha, err := cache.Fetch(ctx, cacheDir, remoteDir, c.Ref, "")
-			if !a.NoError(err) || !a.NotEmpty(sha) { //nolint:testifylint // pre-existing issue from nektos/act
-				return
-			}
-			atar, err := cache.GetTarArchive(ctx, cacheDir, sha, "js")
-			// NotNil, not NotEmpty: atar is a live io.PipeReader whose producer goroutine is
-			// writing concurrently; NotEmpty deep-reflects over its internals and races.
-			if !a.NoError(err) || !a.NotNil(atar) { //nolint:testifylint // pre-existing issue from nektos/act
-				return
-			}
-			// GetTarArchive streams from a background goroutine walking the shared repo.
-			// Drain and close so it finishes before the next subtest fetches into the same
-			// repo; otherwise the lingering walk races with that fetch.
-			defer func() {
-				_, _ = io.Copy(io.Discard, atar)
-				_ = atar.Close()
-			}()
-			mytar := tar.NewReader(atar)
-			th, err := mytar.Next()
-			if !a.NoError(err) || !a.NotEqual(0, th.Size) { //nolint:testifylint // pre-existing issue from nektos/act
-				return
-			}
-			buf := &bytes.Buffer{}
-			// G110: Potential DoS vulnerability via decompression bomb (gosec)
-			_, err = io.Copy(buf, mytar)
-			a.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
-			str := buf.String()
-			a.NotEmpty(str)
-		})
-	}
-}
--- a/act/runner/action_test.go
+++ b/act/runner/action_test.go
@@ -1,409 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"io"
-	"io/fs"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/common/git"
-	"gitea.com/gitea/runner/act/container"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-)
-
-type closerMock struct {
-	mock.Mock
-}
-
-func (m *closerMock) Close() error {
-	m.Called()
-	return nil
-}
-
-func TestActionReader(t *testing.T) {
-	yaml := strings.ReplaceAll(`
-name: 'name'
-runs:
-	using: 'node16'
-	main: 'main.js'
-`, "\t", "  ")
-
-	table := []struct {
-		name        string
-		step        *model.Step
-		filename    string
-		fileContent string
-		expected    *model.Action
-	}{
-		{
-			name:        "readActionYml",
-			step:        &model.Step{},
-			filename:    "action.yml",
-			fileContent: yaml,
-			expected: &model.Action{
-				Name: "name",
-				Runs: model.ActionRuns{
-					Using:  "node16",
-					Main:   "main.js",
-					PreIf:  "always()",
-					PostIf: "always()",
-				},
-			},
-		},
-		{
-			name:        "readActionYaml",
-			step:        &model.Step{},
-			filename:    "action.yaml",
-			fileContent: yaml,
-			expected: &model.Action{
-				Name: "name",
-				Runs: model.ActionRuns{
-					Using:  "node16",
-					Main:   "main.js",
-					PreIf:  "always()",
-					PostIf: "always()",
-				},
-			},
-		},
-		{
-			name:        "readDockerfile",
-			step:        &model.Step{},
-			filename:    "Dockerfile",
-			fileContent: "FROM ubuntu:20.04",
-			expected: &model.Action{
-				Name: "(Synthetic)",
-				Runs: model.ActionRuns{
-					Using: "docker",
-					Image: "Dockerfile",
-				},
-			},
-		},
-		{
-			name: "readWithArgs",
-			step: &model.Step{
-				With: map[string]string{
-					"args": "cmd",
-				},
-			},
-			expected: &model.Action{
-				Name: "(Synthetic)",
-				Inputs: map[string]model.Input{
-					"cwd": {
-						Description: "(Actual working directory)",
-						Required:    false,
-						Default:     "actionDir/actionPath",
-					},
-					"command": {
-						Description: "(Actual program)",
-						Required:    false,
-						Default:     "cmd",
-					},
-				},
-				Runs: model.ActionRuns{
-					Using: "node12",
-					Main:  "trampoline.js",
-				},
-			},
-		},
-	}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			closerMock := &closerMock{}
-
-			readFile := func(filename string) (io.Reader, io.Closer, error) {
-				if tt.filename != filename {
-					return nil, nil, fs.ErrNotExist
-				}
-
-				return strings.NewReader(tt.fileContent), closerMock, nil
-			}
-
-			writeFile := func(filename string, data []byte, perm fs.FileMode) error {
-				assert.Equal(t, "actionDir/actionPath/trampoline.js", filename)
-				assert.Equal(t, fs.FileMode(0o400), perm)
-				return nil
-			}
-
-			if tt.filename != "" {
-				closerMock.On("Close")
-			}
-
-			action, err := readActionImpl(context.Background(), tt.step, "actionDir", "actionPath", readFile, writeFile)
-
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-			assert.Equal(t, tt.expected, action)
-
-			closerMock.AssertExpectations(t)
-		})
-	}
-}
-
-func TestActionRunner(t *testing.T) {
-	table := []struct {
-		name        string
-		step        actionStep
-		expectedEnv map[string]string
-	}{
-		{
-			name: "with-input",
-			step: &stepActionRemote{
-				Step: &model.Step{
-					Uses: "org/repo/path@ref",
-				},
-				RunContext: &RunContext{
-					Config: &Config{},
-					Run: &model.Run{
-						JobID: "job",
-						Workflow: &model.Workflow{
-							Jobs: map[string]*model.Job{
-								"job": {
-									Name: "job",
-								},
-							},
-						},
-					},
-				},
-				action: &model.Action{
-					Inputs: map[string]model.Input{
-						"key": {
-							Default: "default value",
-						},
-					},
-					Runs: model.ActionRuns{
-						Using: "node16",
-					},
-				},
-				env: map[string]string{},
-			},
-			expectedEnv: map[string]string{"INPUT_KEY": "default value"},
-		},
-		{
-			name: "restore-saved-state",
-			step: &stepActionRemote{
-				Step: &model.Step{
-					ID:   "step",
-					Uses: "org/repo/path@ref",
-				},
-				RunContext: &RunContext{
-					ActionPath: "path",
-					Config:     &Config{},
-					Run: &model.Run{
-						JobID: "job",
-						Workflow: &model.Workflow{
-							Jobs: map[string]*model.Job{
-								"job": {
-									Name: "job",
-								},
-							},
-						},
-					},
-					CurrentStep: "post-step",
-					StepResults: map[string]*model.StepResult{
-						"step": {},
-					},
-					IntraActionState: map[string]map[string]string{
-						"step": {
-							"name": "state value",
-						},
-					},
-				},
-				action: &model.Action{
-					Runs: model.ActionRuns{
-						Using: "node16",
-					},
-				},
-				env: map[string]string{},
-			},
-			expectedEnv: map[string]string{"STATE_name": "state value"},
-		},
-	}
-
-	for _, tt := range table {
-		t.Run(tt.name, func(t *testing.T) {
-			ctx := context.Background()
-
-			cm := &containerMock{}
-			cm.On("CopyDir", "/var/run/act/actions/dir/", "dir/", false).Return(func(ctx context.Context) error { return nil })
-
-			envMatcher := mock.MatchedBy(func(env map[string]string) bool {
-				for k, v := range tt.expectedEnv {
-					if env[k] != v {
-						return false
-					}
-				}
-				return true
-			})
-
-			cm.On("Exec", []string{"node", "/var/run/act/actions/dir/path"}, envMatcher, "", "").Return(func(ctx context.Context) error { return nil })
-
-			tt.step.getRunContext().JobContainer = cm
-
-			err := runActionImpl(tt.step, "dir", newRemoteAction("org/repo/path@ref"))(ctx)
-
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-			cm.AssertExpectations(t)
-		})
-	}
-}
-
-func TestMaybeCopyToActionDirHoldsCloneLock(t *testing.T) {
-	ctx := context.Background()
-
-	actionDir := t.TempDir()
-
-	releaseCopy := make(chan struct{})
-	release := sync.OnceFunc(func() { close(releaseCopy) })
-	defer release()
-
-	copyEntered := make(chan struct{})
-
-	cm := &containerMock{}
-	cm.On("CopyDir", "/var/run/act/actions/", actionDir+"/", false).Return(func(ctx context.Context) error {
-		close(copyEntered)
-		<-releaseCopy
-		return nil
-	})
-
-	step := &stepActionRemote{
-		Step: &model.Step{Uses: "remote/action@v1"},
-		RunContext: &RunContext{
-			Config:       &Config{},
-			JobContainer: cm,
-		},
-	}
-
-	copyDone := make(chan error, 1)
-	go func() {
-		copyDone <- maybeCopyToActionDir(ctx, step, actionDir, "", "/var/run/act/actions/")
-	}()
-
-	select {
-	case <-copyEntered:
-	case err := <-copyDone:
-		t.Fatalf("maybeCopyToActionDir returned before CopyDir was entered: %v", err)
-	case <-time.After(time.Second):
-		t.Fatal("CopyDir was not entered within 1 second")
-	}
-
-	peerAcquired := make(chan struct{})
-	go func() {
-		unlock := git.AcquireCloneLock(actionDir)
-		close(peerAcquired)
-		unlock()
-	}()
-
-	select {
-	case <-peerAcquired:
-		t.Fatal("peer AcquireCloneLock returned while CopyDir was running")
-	case <-time.After(50 * time.Millisecond):
-	}
-
-	release()
-
-	select {
-	case err := <-copyDone:
-		if err != nil {
-			t.Fatalf("maybeCopyToActionDir returned error: %v", err)
-		}
-	case <-time.After(time.Second):
-		t.Fatal("maybeCopyToActionDir did not return after CopyDir was unblocked")
-	}
-
-	select {
-	case <-peerAcquired:
-	case <-time.After(time.Second):
-		t.Fatal("peer AcquireCloneLock did not proceed after lock released")
-	}
-
-	cm.AssertExpectations(t)
-}
-
-func TestExecAsDockerHoldsCloneLockForRemoteUncached(t *testing.T) {
-	actionDir := t.TempDir()
-
-	unlockOnce := sync.OnceFunc(git.AcquireCloneLock(actionDir))
-	defer unlockOnce()
-
-	innerEntered := make(chan struct{})
-	releaseInner := make(chan struct{})
-	releaseOnce := sync.OnceFunc(func() { close(releaseInner) })
-	defer releaseOnce()
-
-	origImageExists := ContainerImageExistsLocally
-	ContainerImageExistsLocally = func(_ context.Context, _, _ string) (bool, error) {
-		return false, nil
-	}
-	defer func() { ContainerImageExistsLocally = origImageExists }()
-
-	origBuildExec := ContainerNewDockerBuildExecutor
-	ContainerNewDockerBuildExecutor = func(_ container.NewDockerBuildExecutorInput) common.Executor {
-		return func(_ context.Context) error {
-			close(innerEntered)
-			<-releaseInner
-			return nil
-		}
-	}
-	defer func() { ContainerNewDockerBuildExecutor = origBuildExec }()
-
-	step := &stepActionRemote{
-		Step: &model.Step{ID: "1", Uses: "remote/action@v1", With: map[string]string{}},
-		RunContext: &RunContext{
-			Config: &Config{},
-			Run: &model.Run{
-				JobID: "1",
-				Workflow: &model.Workflow{
-					Name: "wf",
-					Jobs: map[string]*model.Job{"1": {}},
-				},
-			},
-			JobContainer: &containerMock{},
-		},
-		action: &model.Action{Runs: model.ActionRuns{Using: "docker", Image: "Dockerfile"}},
-		env:    map[string]string{},
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	done := make(chan error, 1)
-	go func() { done <- execAsDocker(ctx, step, "test-action", actionDir, actionDir, false) }()
-
-	select {
-	case <-innerEntered:
-		t.Fatal("inner build executor ran before clone lock was released")
-	case err := <-done:
-		t.Fatalf("execAsDocker returned before inner was entered: %v", err)
-	case <-time.After(50 * time.Millisecond):
-	}
-
-	unlockOnce()
-
-	select {
-	case <-innerEntered:
-	case err := <-done:
-		t.Fatalf("execAsDocker returned without entering inner: %v", err)
-	case <-time.After(time.Second):
-		t.Fatal("inner build executor not entered after lock released")
-	}
-
-	cancel()
-	releaseOnce()
-
-	select {
-	case <-done:
-	case <-time.After(time.Second):
-		t.Fatal("execAsDocker did not return after inner was released and ctx was canceled")
-	}
-}
--- a/act/runner/helpers_test.go
+++ b/act/runner/helpers_test.go
@@ -1,66 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"net"
-	"os/exec"
-	"runtime"
-	"testing"
-	"time"
-
-	"gitea.com/gitea/runner/act/container"
-
-	mobyclient "github.com/moby/moby/client"
-)
-
-// requireLinuxDocker skips on non-Linux hosts. Some integration workflows need Docker features
-// that only a Linux daemon provides (host networking, host /proc bind mounts); Docker Desktop
-// on macOS/Windows does not, so those tests can only run on Linux.
-func requireLinuxDocker(t *testing.T) {
-	t.Helper()
-	if runtime.GOOS != "linux" {
-		t.Skip("skipping: requires a Linux Docker host")
-	}
-}
-
-// requireDocker skips the test unless a reachable docker daemon is available.
-// GetDockerClient succeeds even without a running daemon (its ping is best-effort),
-// so the daemon has to be pinged explicitly here to decide whether to skip.
-func requireDocker(t *testing.T) {
-	t.Helper()
-	ctx := context.Background()
-	cli, err := container.GetDockerClient(ctx)
-	if err != nil {
-		t.Skipf("skipping: docker client unavailable: %v", err)
-	}
-	defer cli.Close()
-	if _, err := cli.Ping(ctx, mobyclient.PingOptions{}); err != nil {
-		t.Skipf("skipping: docker daemon unreachable: %v", err)
-	}
-}
-
-// requireNetwork skips the test unless github.com is reachable. A few tests exercise behaviour
-// that inherently needs the network (force-pulling an image, resolving a remote short-sha ref);
-// gating lets the rest of the suite run offline without these failing.
-func requireNetwork(t *testing.T) {
-	t.Helper()
-	conn, err := net.DialTimeout("tcp", "github.com:443", 3*time.Second)
-	if err != nil {
-		t.Skipf("skipping: network unavailable: %v", err)
-	}
-	_ = conn.Close()
-}
-
-// requireHostTools skips the test unless every named executable is on PATH. Used by the
-// self-hosted (host environment) suite, which runs steps directly on the host.
-func requireHostTools(t *testing.T, tools ...string) {
-	t.Helper()
-	for _, tool := range tools {
-		if _, err := exec.LookPath(tool); err != nil {
-			t.Skipf("skipping: required host tool %q not found: %v", tool, err)
-		}
-	}
-}
--- a/act/runner/job_executor.go
+++ b/act/runner/job_executor.go
@@ -1,257 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"fmt"
-	"strconv"
-	"time"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/model"
-)
-
-type jobInfo interface {
-	matrix() map[string]any
-	steps() []*model.Step
-	startContainer() common.Executor
-	stopContainer() common.Executor
-	closeContainer() common.Executor
-	interpolateOutputs() common.Executor
-	result(result string)
-}
-
-// reportStepError emits the GitHub Actions ##[error] annotation and records
-// the error against the job so the job is reported as failed.
-func reportStepError(ctx context.Context, err error) {
-	common.Logger(ctx).Errorf("##[error]%v", err)
-	common.SetJobError(ctx, err)
-}
-
-func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executor {
-	steps := make([]common.Executor, 0)
-	preSteps := make([]common.Executor, 0)
-	var postExecutor common.Executor
-
-	steps = append(steps, func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-		if len(info.matrix()) > 0 {
-			logger.Infof("Matrix: %v", info.matrix())
-		}
-		return nil
-	})
-
-	infoSteps := info.steps()
-
-	if len(infoSteps) == 0 {
-		return common.NewDebugExecutor("No steps found")
-	}
-
-	preSteps = append(preSteps, func(ctx context.Context) error {
-		// Have to be skipped for some Tests
-		if rc.Run == nil {
-			return nil
-		}
-		rc.ExprEval = rc.NewExpressionEvaluator(ctx)
-		// evaluate environment variables since they can contain
-		// GitHub's special environment variables.
-		for k, v := range rc.GetEnv() {
-			rc.Env[k] = rc.ExprEval.Interpolate(ctx, v)
-		}
-		return nil
-	})
-
-	for i, stepModel := range infoSteps {
-		if stepModel == nil {
-			return func(ctx context.Context) error {
-				return fmt.Errorf("invalid Step %v: missing run or uses key", i)
-			}
-		}
-		if stepModel.ID == "" {
-			stepModel.ID = strconv.Itoa(i)
-		}
-		stepModel.Number = i
-
-		step, err := sf.newStep(stepModel, rc)
-		if err != nil {
-			return common.NewErrorExecutor(err)
-		}
-
-		preExec := step.pre()
-		preSteps = append(preSteps, useStepLogger(rc, stepModel, stepStagePre, func(ctx context.Context) error {
-			preErr := preExec(ctx)
-			if preErr != nil {
-				reportStepError(ctx, preErr)
-			} else if ctx.Err() != nil {
-				reportStepError(ctx, ctx.Err())
-			}
-			return preErr
-		}))
-
-		stepExec := step.main()
-		steps = append(steps, useStepLogger(rc, stepModel, stepStageMain, func(ctx context.Context) error {
-			err := stepExec(ctx)
-			if err != nil {
-				reportStepError(ctx, err)
-			} else if ctx.Err() != nil {
-				reportStepError(ctx, ctx.Err())
-			}
-			return nil
-		}))
-
-		postFn := step.post()
-		postExec := useStepLogger(rc, stepModel, stepStagePost, func(ctx context.Context) error {
-			err := postFn(ctx)
-			if err != nil {
-				reportStepError(ctx, err)
-			} else if ctx.Err() != nil {
-				reportStepError(ctx, ctx.Err())
-			}
-			return err
-		})
-		if postExecutor != nil {
-			// run the post executor in reverse order
-			postExecutor = postExec.Finally(postExecutor)
-		} else {
-			postExecutor = postExec
-		}
-	}
-
-	postExecutor = postExecutor.Finally(func(ctx context.Context) error {
-		jobError := common.JobError(ctx)
-		var err error
-		if rc.Config.AutoRemove || jobError == nil {
-			// always allow 1 min for stopping and removing the runner, even if we were cancelled
-			ctx, cancel := context.WithTimeout(common.WithLogger(context.Background(), common.Logger(ctx)), time.Minute)
-			defer cancel()
-
-			logger := common.Logger(ctx)
-			// For Gitea
-			// We don't need to call `stopServiceContainers` here since it will be called by following `info.stopContainer`
-			// logger.Infof("Cleaning up services for job %s", rc.JobName)
-			// if err := rc.stopServiceContainers()(ctx); err != nil {
-			// 	logger.Errorf("Error while cleaning services: %v", err)
-			// }
-
-			logger.Infof("Cleaning up container for job %s", rc.JobName)
-			if err = info.stopContainer()(ctx); err != nil {
-				logger.Errorf("Error while stop job container: %v", err)
-			}
-
-			// For Gitea
-			// We don't need to call `NewDockerNetworkRemoveExecutor` here since it is called by above `info.stopContainer`
-			// if !rc.IsHostEnv(ctx) && rc.Config.ContainerNetworkMode == "" {
-			// 	// clean network in docker mode only
-			// 	// if the value of `ContainerNetworkMode` is empty string,
-			// 	// it means that the network to which containers are connecting is created by `runner`,
-			// 	// so, we should remove the network at last.
-			// 	networkName, _ := rc.networkName()
-			// 	logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, networkName)
-			// 	if err := container.NewDockerNetworkRemoveExecutor(networkName)(ctx); err != nil {
-			// 		logger.Errorf("Error while cleaning network: %v", err)
-			// 	}
-			// }
-		}
-		setJobResult(ctx, info, rc, jobError == nil)
-		setJobOutputs(ctx, rc)
-
-		return err
-	})
-
-	pipeline := make([]common.Executor, 0)
-	pipeline = append(pipeline, preSteps...)
-	pipeline = append(pipeline, steps...)
-
-	return common.NewPipelineExecutor(info.startContainer(), common.NewPipelineExecutor(pipeline...).
-		Finally(func(ctx context.Context) error {
-			var cancel context.CancelFunc
-			if ctx.Err() == context.Canceled {
-				// in case of an aborted run, we still should execute the
-				// post steps to allow cleanup.
-				ctx, cancel = context.WithTimeout(common.WithLogger(context.Background(), common.Logger(ctx)), 5*time.Minute)
-				defer cancel()
-			}
-			return postExecutor(ctx)
-		}).
-		Finally(info.interpolateOutputs()).
-		Finally(info.closeContainer()))
-}
-
-func setJobResult(ctx context.Context, info jobInfo, rc *RunContext, success bool) {
-	logger := common.Logger(ctx)
-
-	// Matrix combinations share one *model.Job and run in parallel; serialize the
-	// read-modify-write of the job result so a failing combination is not lost-updated by a
-	// concurrent succeeding one.
-	job := rc.Run.Job()
-	jobResult := func() string {
-		defer lockJob(job)()
-		result := "success"
-		// we have only one result for a whole matrix build, so we need
-		// to keep an existing result state if we run a matrix
-		if len(info.matrix()) > 0 && job.Result != "" {
-			result = job.Result
-		}
-		if !success {
-			result = "failure"
-		}
-		info.result(result)
-		return result
-	}()
-
-	if rc.caller != nil {
-		// set reusable workflow job result
-		rc.caller.setReusedWorkflowJobResult(rc.JobName, jobResult) // For Gitea
-		return
-	}
-
-	jobResultMessage := "succeeded"
-	if jobResult != "success" {
-		jobResultMessage = "failed"
-	}
-
-	logger.WithField("jobResult", jobResult).Infof("Job %s", jobResultMessage)
-}
-
-func setJobOutputs(ctx context.Context, rc *RunContext) {
-	if rc.caller != nil {
-		// map outputs for reusable workflows
-		callerOutputs := make(map[string]string)
-
-		ee := rc.NewExpressionEvaluator(ctx)
-
-		for k, v := range rc.Run.Workflow.WorkflowCallConfig().Outputs {
-			callerOutputs[k] = ee.Interpolate(ctx, ee.Interpolate(ctx, v.Value))
-		}
-
-		// Matrix combinations of a reusable-workflow caller share the caller's *model.Job;
-		// serialize the write so parallel combos don't race on its Outputs field.
-		callerJob := rc.caller.runContext.Run.Job()
-		defer lockJob(callerJob)()
-		callerJob.Outputs = callerOutputs
-	}
-}
-
-func useStepLogger(rc *RunContext, stepModel *model.Step, stage stepStage, executor common.Executor) common.Executor {
-	return func(ctx context.Context) error {
-		ctx = withStepLogger(ctx, stepModel.Number, stepModel.ID, rc.ExprEval.Interpolate(ctx, stepModel.String()), stage.String())
-
-		rawLogger := common.Logger(ctx).WithField("raw_output", true)
-		logWriter := common.NewLineWriter(rc.commandHandler(ctx), func(s string) bool {
-			if rc.Config.LogOutput {
-				rawLogger.Infof("%s", s)
-			} else {
-				rawLogger.Debugf("%s", s)
-			}
-			return true
-		})
-
-		oldout, olderr := rc.JobContainer.ReplaceLogWriter(logWriter, logWriter)
-		defer rc.JobContainer.ReplaceLogWriter(oldout, olderr)
-
-		return executor(ctx)
-	}
-}
--- a/act/runner/logger_test.go
+++ b/act/runner/logger_test.go
@@ -1,52 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValueMasker(t *testing.T) {
-	table := []struct {
-		name       string
-		lines      string
-		secrets    map[string]string
-		masks      []string
-		disallowed []string
-	}{
-		{
-			name:  "Multiline Private Key",
-			lines: "cat << EOF > private.key\nPRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END\nEOF",
-			secrets: map[string]string{
-				"PRIVATE_KEY": "PRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END",
-			},
-			disallowed: []string{"KEY", "dsdfseffefsefes", "PRIVATE_KEY_END"},
-		},
-		{
-			name:       "Multiline Private Key in masks",
-			lines:      "cat << EOF > private.key\nPRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END\nEOF",
-			masks:      []string{"PRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END"},
-			disallowed: []string{"KEY", "dsdfseffefsefes", "PRIVATE_KEY_END"},
-		},
-	}
-	for _, entry := range table {
-		t.Run(entry.name, func(t *testing.T) {
-			ctx := WithMasks(t.Context(), &entry.masks)
-			masker := valueMasker(false, entry.secrets)
-			for line := range strings.SplitSeq(entry.lines, "\n") {
-				lentry := masker(&logrus.Entry{
-					Context: ctx,
-					Message: line,
-				})
-				for _, line := range entry.disallowed {
-					assert.NotContains(t, lentry.Message, line)
-				}
-			}
-		})
-	}
-}
--- a/act/runner/max_parallel_test.go
+++ b/act/runner/max_parallel_test.go
@@ -1,67 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"testing"
-
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/assert"
-	"go.yaml.in/yaml/v4"
-)
-
-func TestMaxParallelStrategy(t *testing.T) {
-	tests := []struct {
-		name                string
-		maxParallelString   string
-		expectedMaxParallel int
-	}{
-		{
-			name:                "max-parallel-1",
-			maxParallelString:   "1",
-			expectedMaxParallel: 1,
-		},
-		{
-			name:                "max-parallel-2",
-			maxParallelString:   "2",
-			expectedMaxParallel: 2,
-		},
-		{
-			name:                "max-parallel-default",
-			maxParallelString:   "",
-			expectedMaxParallel: 4,
-		},
-		{
-			name:                "max-parallel-10",
-			maxParallelString:   "10",
-			expectedMaxParallel: 10,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			matrix := map[string][]any{
-				"version": {1, 2, 3, 4, 5},
-			}
-
-			var rawMatrix yaml.Node
-			err := rawMatrix.Encode(matrix)
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-			job := &model.Job{
-				Strategy: &model.Strategy{
-					MaxParallelString: tt.maxParallelString,
-					RawMatrix:         rawMatrix,
-				},
-			}
-
-			matrixes, err := job.GetMatrixes()
-			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-			assert.NotNil(t, matrixes)
-			assert.Len(t, matrixes, 5)
-			assert.Equal(t, tt.expectedMaxParallel, job.Strategy.MaxParallel)
-		})
-	}
-}
--- a/act/runner/res/trampoline.js
+++ b/act/runner/res/trampoline.js
@@ -1,14 +0,0 @@
-const { spawnSync } = require('child_process')
-const spawnArguments = {
-  cwd: process.env.INPUT_CWD,
-  stdio: [
-    process.stdin,
-    process.stdout,
-    process.stderr
-  ]
-}
-const child = spawnSync(
-  '/bin/sh',
-  ['-c'].concat(process.env.INPUT_COMMAND),
-  spawnArguments)
-process.exit(child.status)
--- a/act/runner/reusable_workflow.go
+++ b/act/runner/reusable_workflow.go
@@ -1,333 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"archive/tar"
-	"context"
-	"fmt"
-	"net/url"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strings"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/common/git"
-	"gitea.com/gitea/runner/act/model"
-)
-
-func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
-	if !rc.Config.NoSkipCheckout {
-		fullPath := rc.Run.Job().Uses
-
-		fileName := path.Base(fullPath)
-		workflowDir := strings.TrimSuffix(fullPath, path.Join("/", fileName))
-		workflowDir = strings.TrimPrefix(workflowDir, "./")
-
-		return common.NewPipelineExecutor(
-			// resolve the local workflow against the workspace root, not the process
-			// working directory, so it is found regardless of where the runner is invoked
-			newReusableWorkflowExecutor(rc, filepath.Join(rc.Config.Workdir, workflowDir), fileName),
-		)
-	}
-
-	// ./.gitea/workflows/wf.yml -> .gitea/workflows/wf.yml
-	trimmedUses := strings.TrimPrefix(rc.Run.Job().Uses, "./")
-	// uses string format is {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}
-	uses := fmt.Sprintf("%s/%s@%s", rc.Config.PresetGitHubContext.Repository, trimmedUses, rc.Config.PresetGitHubContext.Sha)
-
-	remoteReusableWorkflow := newRemoteReusableWorkflowWithPlat(rc.Config.GitHubInstance, uses)
-	if remoteReusableWorkflow == nil {
-		return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
-	}
-
-	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(uses))
-
-	// If the repository is private, we need a token to clone it
-	token := rc.Config.GetToken()
-
-	return common.NewPipelineExecutor(
-		cloneRemoteReusableWorkflow(rc, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, workflowDir, token),
-		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
-	)
-}
-
-func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
-	uses := rc.Run.Job().Uses
-
-	var remoteReusableWorkflow *remoteReusableWorkflow
-	if strings.HasPrefix(uses, "http://") || strings.HasPrefix(uses, "https://") {
-		remoteReusableWorkflow = newRemoteReusableWorkflowFromAbsoluteURL(uses)
-		if remoteReusableWorkflow == nil {
-			return common.NewErrorExecutor(fmt.Errorf("expected format http(s)://{domain}/{owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
-		}
-	} else {
-		remoteReusableWorkflow = newRemoteReusableWorkflowWithPlat(rc.Config.GitHubInstance, uses)
-		if remoteReusableWorkflow == nil {
-			return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
-		}
-	}
-
-	// uses with safe filename makes the target directory look something like this {owner}-{repo}-.github-workflows-{filename}@{ref}
-	// instead we will just use {owner}-{repo}@{ref} as our target directory. This should also improve performance when we are using
-	// multiple reusable workflows from the same repository and ref since for each workflow we won't have to clone it again
-	filename := fmt.Sprintf("%s/%s@%s", remoteReusableWorkflow.Org, remoteReusableWorkflow.Repo, remoteReusableWorkflow.Ref)
-	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(filename))
-
-	if rc.Config.ActionCache != nil {
-		return newActionCacheReusableWorkflowExecutor(rc, filename, remoteReusableWorkflow)
-	}
-
-	token := getGitCloneToken(rc.Config, remoteReusableWorkflow.CloneURL())
-
-	return common.NewPipelineExecutor(
-		cloneRemoteReusableWorkflow(rc, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, workflowDir, token),
-		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
-	)
-}
-
-func newActionCacheReusableWorkflowExecutor(rc *RunContext, filename string, remoteReusableWorkflow *remoteReusableWorkflow) common.Executor {
-	return func(ctx context.Context) error {
-		ghctx := rc.getGithubContext(ctx)
-		remoteReusableWorkflow.URL = ghctx.ServerURL
-		sha, err := rc.Config.ActionCache.Fetch(ctx, filename, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, ghctx.Token)
-		if err != nil {
-			return err
-		}
-		archive, err := rc.Config.ActionCache.GetTarArchive(ctx, filename, sha, ".github/workflows/"+remoteReusableWorkflow.Filename)
-		if err != nil {
-			return err
-		}
-		defer archive.Close()
-		treader := tar.NewReader(archive)
-		if _, err = treader.Next(); err != nil {
-			return err
-		}
-		planner, err := model.NewSingleWorkflowPlanner(remoteReusableWorkflow.Filename, treader)
-		if err != nil {
-			return err
-		}
-		plan, err := planner.PlanEvent("workflow_call")
-		if err != nil {
-			return err
-		}
-
-		runner, err := NewReusableWorkflowRunner(rc)
-		if err != nil {
-			return err
-		}
-
-		return runner.NewPlanExecutor(plan)(ctx)
-	}
-}
-
-// cloneRemoteReusableWorkflow always invokes the clone executor — moving refs
-// (branches, tags) must be re-resolved each run, matching GitHub Actions.
-//
-// Callers must not change remoteReusableWorkflow.URL, because:
-//  1. Gitea doesn't support specifying GithubContext.ServerURL by the GITHUB_SERVER_URL env
-//  2. Gitea has already full URL with rc.Config.GitHubInstance when calling newRemoteReusableWorkflowWithPlat
-//
-// remoteReusableWorkflow.URL = rc.getGithubContext(ctx).ServerURL
-func cloneRemoteReusableWorkflow(rc *RunContext, cloneURL, ref, targetDirectory, token string) common.Executor {
-	return func(ctx context.Context) error {
-		cloneURL = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, cloneURL)
-		return git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
-			URL:         cloneURL,
-			Ref:         ref,
-			Dir:         targetDirectory,
-			Token:       token,
-			OfflineMode: rc.Config.ActionOfflineMode,
-		})(ctx)
-	}
-}
-
-var modelNewWorkflowPlanner = model.NewWorkflowPlanner
-
-func newReusableWorkflowExecutor(rc *RunContext, directory, workflow string) common.Executor {
-	return func(ctx context.Context) error {
-		// Scoped to the yaml read so concurrent invocations don't serialize
-		// on the whole job run.
-		planner, err := func() (model.WorkflowPlanner, error) {
-			defer git.AcquireCloneLock(directory)()
-			return modelNewWorkflowPlanner(path.Join(directory, workflow), true)
-		}()
-		if err != nil {
-			return err
-		}
-
-		plan, err := planner.PlanEvent("workflow_call")
-		if err != nil {
-			return err
-		}
-
-		runner, err := NewReusableWorkflowRunner(rc)
-		if err != nil {
-			return err
-		}
-
-		// return runner.NewPlanExecutor(plan)(ctx)
-		return common.NewPipelineExecutor( // For Gitea
-			runner.NewPlanExecutor(plan),
-			setReusedWorkflowCallerResult(rc, runner),
-		)(ctx)
-	}
-}
-
-func NewReusableWorkflowRunner(rc *RunContext) (Runner, error) {
-	runner := &runnerImpl{
-		config:    rc.Config,
-		eventJSON: rc.EventJSON,
-		caller: &caller{
-			runContext: rc,
-
-			reusedWorkflowJobResults: map[string]string{}, // For Gitea
-		},
-	}
-
-	return runner.configure()
-}
-
-type remoteReusableWorkflow struct {
-	URL      string
-	Org      string
-	Repo     string
-	Filename string
-	Ref      string
-
-	GitPlatform string
-}
-
-func (r *remoteReusableWorkflow) CloneURL() string {
-	// In Gitea, r.URL always has the protocol prefix, we don't need to add extra prefix in this case.
-	if strings.HasPrefix(r.URL, "http://") || strings.HasPrefix(r.URL, "https://") {
-		return fmt.Sprintf("%s/%s/%s", r.URL, r.Org, r.Repo)
-	}
-	return fmt.Sprintf("https://%s/%s/%s", r.URL, r.Org, r.Repo)
-}
-
-func (r *remoteReusableWorkflow) FilePath() string {
-	return fmt.Sprintf("./.%s/workflows/%s", r.GitPlatform, r.Filename)
-}
-
-// For Gitea
-// newRemoteReusableWorkflowWithPlat create a `remoteReusableWorkflow`
-// workflows from `.gitea/workflows` and `.github/workflows` are supported
-func newRemoteReusableWorkflowWithPlat(url, uses string) *remoteReusableWorkflow {
-	// GitHub docs:
-	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
-	r := regexp.MustCompile(`^([^/]+)/([^/]+)/\.([^/]+)/workflows/([^@]+)@(.*)$`)
-	matches := r.FindStringSubmatch(uses)
-	if len(matches) != 6 {
-		return nil
-	}
-	return &remoteReusableWorkflow{
-		Org:         matches[1],
-		Repo:        matches[2],
-		GitPlatform: matches[3],
-		Filename:    matches[4],
-		Ref:         matches[5],
-		URL:         url,
-	}
-}
-
-// For Gitea
-// newRemoteReusableWorkflowWithPlat create a `remoteReusableWorkflow` from an absolute url
-func newRemoteReusableWorkflowFromAbsoluteURL(uses string) *remoteReusableWorkflow {
-	r := regexp.MustCompile(`^(https?://.*)/([^/]+)/([^/]+)/\.([^/]+)/workflows/([^@]+)@(.*)$`)
-	matches := r.FindStringSubmatch(uses)
-	if len(matches) != 7 {
-		return nil
-	}
-	return &remoteReusableWorkflow{
-		URL:         matches[1],
-		Org:         matches[2],
-		Repo:        matches[3],
-		GitPlatform: matches[4],
-		Filename:    matches[5],
-		Ref:         matches[6],
-	}
-}
-
-// For Gitea
-func setReusedWorkflowCallerResult(rc *RunContext, runner Runner) common.Executor {
-	return func(ctx context.Context) error {
-		logger := common.Logger(ctx)
-
-		runnerImpl, ok := runner.(*runnerImpl)
-		if !ok {
-			logger.Warn("Failed to get caller from runner")
-			return nil
-		}
-		caller := runnerImpl.caller
-
-		allJobDone := true
-		hasFailure := false
-		for _, result := range caller.reusedWorkflowJobResults {
-			if result == "pending" {
-				allJobDone = false
-				break
-			}
-			if result == "failure" {
-				hasFailure = true
-			}
-		}
-
-		if allJobDone {
-			reusedWorkflowJobResult := "success"
-			reusedWorkflowJobResultMessage := "succeeded"
-			if hasFailure {
-				reusedWorkflowJobResult = "failure"
-				reusedWorkflowJobResultMessage = "failed"
-			}
-
-			if rc.caller != nil {
-				rc.caller.setReusedWorkflowJobResult(rc.JobName, reusedWorkflowJobResult)
-			} else {
-				// Serialize this shared Job.Result write against the other matrix combos
-				// and setJobResult (same lockJob key).
-				unlock := lockJob(rc.Run.Job())
-				rc.result(reusedWorkflowJobResult)
-				unlock()
-				logger.WithField("jobResult", reusedWorkflowJobResult).Infof("Job %s", reusedWorkflowJobResultMessage)
-			}
-		}
-
-		return nil
-	}
-}
-
-// For Gitea
-// getGitCloneToken returns GITEA_TOKEN when shouldCloneURLUseToken returns true,
-// otherwise returns an empty string
-func getGitCloneToken(conf *Config, cloneURL string) string {
-	if !shouldCloneURLUseToken(conf.GitHubInstance, cloneURL) {
-		return ""
-	}
-	return conf.GetToken()
-}
-
-// For Gitea
-// shouldCloneURLUseToken returns true when the following conditions are met:
-// 1. cloneURL is from the same Gitea instance that the runner is registered to
-// 2. the cloneURL does not have basic auth embedded
-func shouldCloneURLUseToken(instanceURL, cloneURL string) bool {
-	if !strings.HasPrefix(instanceURL, "http://") &&
-		!strings.HasPrefix(instanceURL, "https://") {
-		instanceURL = "https://" + instanceURL
-	}
-
-	u1, err1 := url.Parse(instanceURL)
-	u2, err2 := url.Parse(cloneURL)
-	if err1 != nil || err2 != nil {
-		return false
-	}
-	if u2.User != nil {
-		return false
-	}
-
-	return u1.Host == u2.Host
-}
--- a/act/runner/reusable_workflow_test.go
+++ b/act/runner/reusable_workflow_test.go
@@ -1,193 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"errors"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"sync"
-	"testing"
-	"time"
-
-	"gitea.com/gitea/runner/act/common/git"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/require"
-)
-
-// Regression test for go-gitea/gitea#37483: a remote reusable workflow at a moving
-// ref (branch/tag) must reflect the new tip on every invocation, not stay pinned
-// to the cache populated on the first run.
-func TestReusableWorkflowCachedBranchRefRefreshes(t *testing.T) {
-	if _, err := exec.LookPath("git"); err != nil {
-		t.Skip("git not available in PATH")
-	}
-
-	remoteDir := t.TempDir()
-	gitMust(t, "", "init", "--bare", "--initial-branch=master", remoteDir)
-
-	workDir := t.TempDir()
-	gitMust(t, "", "clone", remoteDir, workDir)
-	gitMust(t, workDir, "config", "user.email", "test@test")
-	gitMust(t, workDir, "config", "user.name", "test")
-	gitMust(t, workDir, "checkout", "-b", "master")
-
-	const workflowPath = ".gitea/workflows/reusable.yml"
-	tmpl := func(tag string) string {
-		return "name: reusable\non:\n  workflow_call:\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - run: echo " + tag + "\n"
-	}
-
-	require.NoError(t, os.MkdirAll(filepath.Join(workDir, ".gitea/workflows"), 0o755))
-	require.NoError(t, os.WriteFile(filepath.Join(workDir, workflowPath), []byte(tmpl("v1")), 0o644))
-	gitMust(t, workDir, "add", workflowPath)
-	gitMust(t, workDir, "commit", "-m", "v1")
-	gitMust(t, workDir, "push", "-u", "origin", "master")
-
-	rc := &RunContext{
-		Config: &Config{},
-		Run: &model.Run{
-			JobID: "j1",
-			Workflow: &model.Workflow{
-				Name: "wf",
-				Jobs: map[string]*model.Job{"j1": {}},
-			},
-		},
-	}
-	cacheDir := t.TempDir()
-
-	require.NoError(t, cloneRemoteReusableWorkflow(rc, remoteDir, "master", cacheDir, "")(context.Background()))
-	got, err := os.ReadFile(filepath.Join(cacheDir, workflowPath))
-	require.NoError(t, err)
-	require.Equal(t, tmpl("v1"), string(got))
-
-	// Branch tip moves; cache key (cacheDir) does not.
-	require.NoError(t, os.WriteFile(filepath.Join(workDir, workflowPath), []byte(tmpl("v2")), 0o644))
-	gitMust(t, workDir, "commit", "-am", "v2")
-	gitMust(t, workDir, "push", "origin", "master")
-
-	require.NoError(t, cloneRemoteReusableWorkflow(rc, remoteDir, "master", cacheDir, "")(context.Background()))
-	got, err = os.ReadFile(filepath.Join(cacheDir, workflowPath))
-	require.NoError(t, err)
-	require.Equal(t, tmpl("v2"), string(got), "cached workflow file must reflect the updated branch tip")
-}
-
-func TestNewReusableWorkflowExecutorHoldsCloneLock(t *testing.T) {
-	workflowDir := t.TempDir()
-
-	unlockOnce := sync.OnceFunc(git.AcquireCloneLock(workflowDir))
-	defer unlockOnce()
-
-	plannerCalled := make(chan struct{})
-
-	origPlanner := modelNewWorkflowPlanner
-	modelNewWorkflowPlanner = func(string, bool) (model.WorkflowPlanner, error) {
-		close(plannerCalled)
-		return nil, errors.New("stop")
-	}
-	defer func() { modelNewWorkflowPlanner = origPlanner }()
-
-	rc := &RunContext{
-		Config: &Config{},
-		Run:    &model.Run{Workflow: &model.Workflow{Jobs: map[string]*model.Job{}}},
-	}
-	exec := newReusableWorkflowExecutor(rc, workflowDir, "reusable.yml")
-
-	done := make(chan error, 1)
-	go func() { done <- exec(context.Background()) }()
-
-	select {
-	case <-plannerCalled:
-		t.Fatal("planner ran while clone lock was held")
-	case err := <-done:
-		t.Fatalf("executor returned before planner was reached: %v", err)
-	case <-time.After(50 * time.Millisecond):
-	}
-
-	unlockOnce()
-
-	select {
-	case <-plannerCalled:
-	case <-time.After(time.Second):
-		t.Fatal("planner not called after lock was released")
-	}
-
-	select {
-	case err := <-done:
-		require.Error(t, err)
-	case <-time.After(time.Second):
-		t.Fatal("executor did not return after planner ran")
-	}
-}
-
-func TestGetGitCloneTokenWithSchemalessGiteaInstance(t *testing.T) {
-	conf := &Config{
-		GitHubInstance: "gitea.example.net",
-		Secrets: map[string]string{
-			"GITEA_TOKEN": "token-value",
-		},
-	}
-
-	token := getGitCloneToken(conf, "https://gitea.example.net/actions/tools")
-
-	require.Equal(t, "token-value", token)
-}
-
-func TestShouldCloneURLUseToken(t *testing.T) {
-	tests := []struct {
-		name        string
-		instanceURL string
-		cloneURL    string
-		want        bool
-	}{
-		{
-			name:        "same host with schemaless instance",
-			instanceURL: "gitea.example.net",
-			cloneURL:    "https://gitea.example.net/actions/tools",
-			want:        true,
-		},
-		{
-			name:        "same host with schemaless instance and port",
-			instanceURL: "gitea.example.net:3000",
-			cloneURL:    "https://gitea.example.net:3000/actions/tools",
-			want:        true,
-		},
-		{
-			name:        "different host",
-			instanceURL: "gitea.example.net",
-			cloneURL:    "https://github.com/actions/tools",
-			want:        false,
-		},
-		{
-			name:        "embedded basic auth",
-			instanceURL: "gitea.example.net",
-			cloneURL:    "https://user:pass@gitea.example.net/actions/tools",
-			want:        false,
-		},
-		{
-			name:        "invalid clone URL",
-			instanceURL: "gitea.example.net",
-			cloneURL:    "://gitea.example.net/actions/tools",
-			want:        false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			require.Equal(t, tt.want, shouldCloneURLUseToken(tt.instanceURL, tt.cloneURL))
-		})
-	}
-}
-
-func gitMust(t *testing.T, dir string, args ...string) {
-	t.Helper()
-	cmd := exec.Command("git", args...)
-	if dir != "" {
-		cmd.Dir = dir
-	}
-	out, err := cmd.CombinedOutput()
-	require.NoError(t, err, "git %v: %s", args, string(out))
-}
--- a/act/runner/runner_max_parallel_test.go
+++ b/act/runner/runner_max_parallel_test.go
@@ -1,109 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-// TestMaxParallelConfig tests that MaxParallel config is properly set
-func TestMaxParallelConfig(t *testing.T) {
-	t.Run("MaxParallel set to 2", func(t *testing.T) {
-		config := &Config{
-			Workdir:     "testdata",
-			MaxParallel: 2,
-		}
-
-		runner, err := New(config)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-		assert.NotNil(t, runner)
-
-		// Verify config is properly stored
-		runnerImpl, ok := runner.(*runnerImpl)
-		assert.True(t, ok)
-		assert.Equal(t, 2, runnerImpl.config.MaxParallel)
-	})
-
-	t.Run("MaxParallel set to 0 (no limit)", func(t *testing.T) {
-		config := &Config{
-			Workdir:     "testdata",
-			MaxParallel: 0,
-		}
-
-		runner, err := New(config)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-		assert.NotNil(t, runner)
-
-		runnerImpl, ok := runner.(*runnerImpl)
-		assert.True(t, ok)
-		assert.Equal(t, 0, runnerImpl.config.MaxParallel)
-	})
-
-	t.Run("MaxParallel not set (defaults to 0)", func(t *testing.T) {
-		config := &Config{
-			Workdir: "testdata",
-		}
-
-		runner, err := New(config)
-		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-		assert.NotNil(t, runner)
-
-		runnerImpl, ok := runner.(*runnerImpl)
-		assert.True(t, ok)
-		assert.Equal(t, 0, runnerImpl.config.MaxParallel)
-	})
-}
-
-// TestMaxParallelConcurrencyTracking tests that max-parallel actually limits concurrent execution
-func TestMaxParallelConcurrencyTracking(t *testing.T) {
-	// This is a unit test for the parallel executor logic
-	// We test that when MaxParallel is set, it limits the number of workers
-
-	var mu sync.Mutex
-	var maxConcurrent int
-	var currentConcurrent int
-
-	// Create a function that tracks concurrent execution
-	trackingFunc := func() {
-		mu.Lock()
-		currentConcurrent++
-		if currentConcurrent > maxConcurrent {
-			maxConcurrent = currentConcurrent
-		}
-		mu.Unlock()
-
-		// Simulate work
-		time.Sleep(50 * time.Millisecond)
-
-		mu.Lock()
-		currentConcurrent--
-		mu.Unlock()
-	}
-
-	// Run multiple tasks with limited parallelism
-	maxConcurrent = 0
-	currentConcurrent = 0
-
-	// This simulates what NewParallelExecutor does with a semaphore
-	var wg sync.WaitGroup
-	semaphore := make(chan struct{}, 2) // Limit to 2 concurrent
-
-	for range 6 {
-		wg.Go(func() {
-			semaphore <- struct{}{}        // Acquire
-			defer func() { <-semaphore }() // Release
-			trackingFunc()
-		})
-	}
-
-	wg.Wait()
-
-	// With a semaphore of 2, max concurrent should be <= 2
-	assert.LessOrEqual(t, maxConcurrent, 2, "Maximum concurrent executions should not exceed limit")
-	assert.GreaterOrEqual(t, maxConcurrent, 1, "Should have at least 1 concurrent execution")
-}
--- a/act/runner/step_docker_test.go
+++ b/act/runner/step_docker_test.go
@@ -1,248 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"bytes"
-	"context"
-	"io"
-	"strings"
-	"testing"
-
-	"gitea.com/gitea/runner/act/container"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-)
-
-func TestStepDockerMain(t *testing.T) {
-	cm := &containerMock{}
-
-	var input *container.NewContainerInput
-
-	// mock the new container call
-	origContainerNewContainer := ContainerNewContainer
-	ContainerNewContainer = func(containerInput *container.NewContainerInput) container.ExecutionsEnvironment {
-		input = containerInput
-		return cm
-	}
-	defer (func() {
-		ContainerNewContainer = origContainerNewContainer
-	})()
-
-	ctx := context.Background()
-
-	sd := &stepDocker{
-		RunContext: &RunContext{
-			StepResults: map[string]*model.StepResult{},
-			Config:      &Config{},
-			Run: &model.Run{
-				JobID: "1",
-				Workflow: &model.Workflow{
-					Jobs: map[string]*model.Job{
-						"1": {
-							Defaults: model.Defaults{
-								Run: model.RunDefaults{
-									Shell: "bash",
-								},
-							},
-						},
-					},
-				},
-			},
-			JobContainer: cm,
-		},
-		Step: &model.Step{
-			ID:               "1",
-			Uses:             "docker://node:14",
-			WorkingDirectory: "workdir",
-		},
-	}
-	sd.RunContext.ExprEval = sd.RunContext.NewExpressionEvaluator(ctx)
-
-	cm.On("Pull", false).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Remove").Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Create", []string(nil), []string(nil)).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Start", true).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Close").Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Copy", "/var/run/act", mock.AnythingOfType("[]*container.FileEntry")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("UpdateFromEnv", "/var/run/act/workflow/outputcmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
-
-	err := sd.main()(ctx)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	assert.Equal(t, "node:14", input.Image)
-
-	cm.AssertExpectations(t)
-}
-
-func TestStepDockerNewStepContainerAllocatePTY(t *testing.T) {
-	for _, tc := range []struct {
-		name     string
-		allocPTY bool
-	}{
-		{name: "off", allocPTY: false},
-		{name: "on", allocPTY: true},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			cm := &containerMock{}
-
-			var captured *container.NewContainerInput
-			origContainerNewContainer := ContainerNewContainer
-			ContainerNewContainer = func(input *container.NewContainerInput) container.ExecutionsEnvironment {
-				captured = input
-				return cm
-			}
-			defer func() {
-				ContainerNewContainer = origContainerNewContainer
-			}()
-
-			ctx := context.Background()
-			sd := &stepDocker{
-				RunContext: &RunContext{
-					StepResults: map[string]*model.StepResult{},
-					Config: &Config{
-						AllocatePTY: tc.allocPTY,
-						PlatformPicker: func(_ []string) string {
-							return "node:14"
-						},
-					},
-					Run: &model.Run{
-						JobID: "1",
-						Workflow: &model.Workflow{
-							Jobs: map[string]*model.Job{"1": {}},
-						},
-					},
-					JobContainer: cm,
-				},
-				Step: &model.Step{ID: "1", Uses: "docker://node:14"},
-			}
-			sd.RunContext.ExprEval = sd.RunContext.NewExpressionEvaluator(ctx)
-
-			_ = sd.newStepContainer(ctx, "node:14", []string{"echo", "hi"}, nil)
-			assert.Equal(t, tc.allocPTY, captured.AllocatePTY)
-		})
-	}
-}
-
-func TestStepDockerPrePost(t *testing.T) {
-	ctx := context.Background()
-	sd := &stepDocker{}
-
-	err := sd.pre()(ctx)
-	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
-
-	err = sd.post()(ctx)
-	assert.NoError(t, err)
-}
-
-func TestStepDockerNewStepContainerNetworkMode(t *testing.T) {
-	cases := []struct {
-		name          string
-		platform      string
-		expectDefault bool
-	}{
-		{
-			name:          "docker mode attaches to job container network",
-			platform:      "node:14",
-			expectDefault: false,
-		},
-		{
-			name:          "host mode uses default network",
-			platform:      "-self-hosted",
-			expectDefault: true,
-		},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			cm := &containerMock{}
-
-			var captured *container.NewContainerInput
-			origContainerNewContainer := ContainerNewContainer
-			ContainerNewContainer = func(input *container.NewContainerInput) container.ExecutionsEnvironment {
-				captured = input
-				return cm
-			}
-			defer func() {
-				ContainerNewContainer = origContainerNewContainer
-			}()
-
-			ctx := context.Background()
-
-			platform := tc.platform
-			sd := &stepDocker{
-				RunContext: &RunContext{
-					StepResults: map[string]*model.StepResult{},
-					Config: &Config{
-						PlatformPicker: func(_ []string) string {
-							return platform
-						},
-					},
-					Run: &model.Run{
-						JobID: "1",
-						Workflow: &model.Workflow{
-							Jobs: map[string]*model.Job{
-								"1": {},
-							},
-						},
-					},
-					JobContainer: cm,
-				},
-				Step: &model.Step{
-					ID:   "1",
-					Uses: "docker://alpine:3.20",
-				},
-			}
-			sd.RunContext.ExprEval = sd.RunContext.NewExpressionEvaluator(ctx)
-
-			assert.Equal(t, tc.expectDefault, sd.RunContext.IsHostEnv(ctx),
-				"IsHostEnv mismatch for platform %q", tc.platform)
-
-			_ = sd.newStepContainer(ctx, "alpine:3.20", []string{"echo", "hello"}, nil)
-
-			if tc.expectDefault {
-				assert.Equal(t, "default", captured.NetworkMode,
-					"host-mode step container must use 'default' network, got %q",
-					captured.NetworkMode)
-			} else {
-				assert.True(t, strings.HasPrefix(captured.NetworkMode, "container:"),
-					"docker-mode step container must attach to job container network, got %q",
-					captured.NetworkMode)
-			}
-		})
-	}
-}
--- a/act/runner/step_run.go
+++ b/act/runner/step_run.go
@@ -1,369 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// Copyright 2022 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"context"
-	"fmt"
-	"maps"
-	"runtime"
-	"slices"
-	"strings"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/container"
-	"gitea.com/gitea/runner/act/lookpath"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/kballard/go-shellquote"
-	yaml "go.yaml.in/yaml/v4"
-)
-
-type stepRun struct {
-	Step               *model.Step
-	RunContext         *RunContext
-	cmd                []string
-	cmdline            string
-	env                map[string]string
-	WorkingDirectory   string
-	interpolatedScript string
-	shellCommand       string
-}
-
-func (sr *stepRun) pre() common.Executor {
-	return func(ctx context.Context) error {
-		return nil
-	}
-}
-
-func (sr *stepRun) main() common.Executor {
-	sr.env = map[string]string{}
-	return runStepExecutor(sr, stepStageMain, common.NewPipelineExecutor(
-		sr.setupShellCommandExecutor(),
-		func(ctx context.Context) error {
-			rc := sr.getRunContext()
-			// Apply ::add-path:: effects before printing so PATH is accurate in the env: block.
-			rc.ApplyExtraPath(ctx, &sr.env)
-			sr.printRunScriptActionDetails(ctx)
-			if he, ok := rc.JobContainer.(*container.HostEnvironment); ok && he != nil {
-				return he.ExecWithCmdLine(sr.cmd, sr.cmdline, sr.env, "", sr.WorkingDirectory)(ctx)
-			}
-			return rc.JobContainer.Exec(sr.cmd, sr.env, "", sr.WorkingDirectory)(ctx)
-		},
-	))
-}
-
-// printRunScriptActionDetails mirrors actions/runner ScriptHandler.PrintActionDetails
-// for script steps.
-func (sr *stepRun) printRunScriptActionDetails(ctx context.Context) {
-	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
-	scriptLineLogger := rawLogger.WithField(scriptLineCyanField, true)
-
-	normalized := strings.TrimRight(strings.ReplaceAll(sr.interpolatedScript, "\r\n", "\n"), "\n")
-
-	rawLogger.Infof("::group::Run %s", sr.runScriptGroupTitle(normalized))
-
-	if normalized != "" {
-		for line := range strings.SplitSeq(normalized, "\n") {
-			scriptLineLogger.Info(line)
-		}
-	}
-
-	rawLogger.Infof("shell: %s", sr.shellCommand)
-
-	printStepEnvBlock(ctx, sr.Step, sr.env, sr.getRunContext())
-	rawLogger.Infof("::endgroup::")
-}
-
-// printRunActionHeader mirrors actions/runner's "Run <action>" header for `uses:` steps,
-// including the with: inputs and the step-level env: block. The caller is responsible
-// for emitting ::endgroup:: after the action finishes.
-func printRunActionHeader(ctx context.Context, step *model.Step, env map[string]string, rc *RunContext) {
-	if step == nil {
-		return
-	}
-	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
-
-	title := step.Uses
-	if step.Name != "" {
-		title = step.Name
-	}
-	rawLogger.Infof("::group::Run %s", title)
-
-	if len(step.With) > 0 {
-		rawLogger.Infof("with:")
-		for _, k := range slices.Sorted(maps.Keys(step.With)) {
-			rawLogger.Infof("  %s: %s", k, step.With[k])
-		}
-	}
-
-	printStepEnvBlock(ctx, step, env, rc)
-}
-
-// printStepEnvBlock emits the declared-env block (YAML order, internal vars filtered)
-// shared by the run: and uses: "Run" headers.
-func printStepEnvBlock(ctx context.Context, step *model.Step, env map[string]string, rc *RunContext) {
-	rawLogger := common.Logger(ctx).WithField(rawOutputField, true)
-	caseInsensitive := rc != nil && rc.JobContainer != nil && rc.JobContainer.IsEnvironmentCaseInsensitive()
-	var visible []string
-	for _, k := range stepDeclaredEnvKeysInOrder(step) {
-		if !isInternalEnvKey(k, caseInsensitive) {
-			visible = append(visible, k)
-		}
-	}
-	if len(visible) == 0 {
-		return
-	}
-	rawLogger.Infof("env:")
-	envLookup := env
-	if caseInsensitive {
-		envLookup = make(map[string]string, len(env))
-		for k, v := range env {
-			envLookup[strings.ToUpper(k)] = v
-		}
-	}
-	for _, k := range visible {
-		lookupKey := k
-		if caseInsensitive {
-			lookupKey = strings.ToUpper(k)
-		}
-		rawLogger.Infof("  %s: %s", k, envLookup[lookupKey])
-	}
-}
-
-// isInternalEnvKey matches actions/runner's filtered set of vars that are hidden
-// from the "Run" header's env: block because they are injected by the runner itself.
-func isInternalEnvKey(k string, caseInsensitive bool) bool {
-	upper := k
-	if caseInsensitive {
-		upper = strings.ToUpper(k)
-	}
-	switch upper {
-	case "PATH", "HOME", "CI":
-		return true
-	}
-	return strings.HasPrefix(upper, "GITHUB_") ||
-		strings.HasPrefix(upper, "GITEA_") ||
-		strings.HasPrefix(upper, "RUNNER_") ||
-		strings.HasPrefix(upper, "INPUT_")
-}
-
-func (sr *stepRun) runScriptGroupTitle(normalizedScript string) string {
-	trimmed := strings.TrimLeft(normalizedScript, " \t\r\n")
-	if idx := strings.IndexAny(trimmed, "\r\n"); idx >= 0 {
-		trimmed = trimmed[:idx]
-	}
-	if trimmed != "" {
-		return trimmed
-	}
-	if sr.Step != nil {
-		if sr.Step.Name != "" {
-			return sr.Step.Name
-		}
-		return sr.Step.ID
-	}
-	return ""
-}
-
-// stepDeclaredEnvKeysInOrder walks the raw YAML Env mapping so keys are emitted in
-// the order the workflow author wrote them; step.Environment() decodes into a Go map
-// and loses ordering.
-func stepDeclaredEnvKeysInOrder(step *model.Step) []string {
-	if step == nil || step.Env.Kind != yaml.MappingNode {
-		return nil
-	}
-	content := step.Env.Content
-	keys := make([]string, 0, len(content)/2)
-	seen := make(map[string]struct{}, len(content)/2)
-	for i := 0; i+1 < len(content); i += 2 {
-		k := content[i]
-		if k.Kind != yaml.ScalarNode || k.Tag == "!!merge" || k.Value == "<<" {
-			continue
-		}
-		if _, dup := seen[k.Value]; dup {
-			continue
-		}
-		seen[k.Value] = struct{}{}
-		keys = append(keys, k.Value)
-	}
-	return keys
-}
-
-func (sr *stepRun) post() common.Executor {
-	return func(ctx context.Context) error {
-		return nil
-	}
-}
-
-func (sr *stepRun) getRunContext() *RunContext {
-	return sr.RunContext
-}
-
-func (sr *stepRun) getGithubContext(ctx context.Context) *model.GithubContext {
-	return sr.getRunContext().getGithubContext(ctx)
-}
-
-func (sr *stepRun) getStepModel() *model.Step {
-	return sr.Step
-}
-
-func (sr *stepRun) getEnv() *map[string]string {
-	return &sr.env
-}
-
-func (sr *stepRun) getIfExpression(_ context.Context, _ stepStage) string {
-	return sr.Step.If.Value
-}
-
-func (sr *stepRun) setupShellCommandExecutor() common.Executor {
-	return func(ctx context.Context) error {
-		scriptName, script, err := sr.setupShellCommand(ctx)
-		if err != nil {
-			return err
-		}
-
-		rc := sr.getRunContext()
-		return rc.JobContainer.Copy(rc.JobContainer.GetActPath(), &container.FileEntry{
-			Name: scriptName,
-			Mode: 0o755,
-			Body: script,
-		})(ctx)
-	}
-}
-
-func getScriptName(rc *RunContext, step *model.Step) string {
-	scriptName := step.ID
-	for rcs := rc; rcs.Parent != nil; rcs = rcs.Parent {
-		scriptName = fmt.Sprintf("%s-composite-%s", rcs.Parent.CurrentStep, scriptName)
-	}
-	return "workflow/" + scriptName
-}
-
-// TODO: Currently we just ignore top level keys, BUT we should return proper error on them
-// BUTx2 I leave this for when we rewrite act to use actionlint for workflow validation
-// so we return proper errors before any execution or spawning containers
-// it will error anyway with:
-// OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "${{": executable file not found in $PATH: unknown
-func (sr *stepRun) setupShellCommand(ctx context.Context) (name, script string, err error) {
-	logger := common.Logger(ctx)
-	sr.setupShell(ctx)
-	sr.setupWorkingDirectory(ctx)
-
-	step := sr.Step
-
-	script = sr.RunContext.NewStepExpressionEvaluator(ctx, sr).Interpolate(ctx, step.Run)
-	sr.interpolatedScript = script
-
-	scCmd := step.ShellCommand()
-	sr.shellCommand = scCmd
-
-	name = getScriptName(sr.RunContext, step)
-
-	// Reference: https://github.com/actions/runner/blob/8109c962f09d9acc473d92c595ff43afceddb347/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L47-L64
-	// Reference: https://github.com/actions/runner/blob/8109c962f09d9acc473d92c595ff43afceddb347/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L19-L27
-	runPrepend := ""
-	runAppend := ""
-	switch step.Shell {
-	case "bash", "sh":
-		name += ".sh"
-	case "pwsh", "powershell":
-		name += ".ps1"
-		runPrepend = "$ErrorActionPreference = 'stop'"
-		runAppend = "if ((Test-Path -LiteralPath variable:/LASTEXITCODE)) { exit $LASTEXITCODE }"
-	case "cmd":
-		name += ".cmd"
-		runPrepend = "@echo off"
-	case "python":
-		name += ".py"
-	}
-
-	script = fmt.Sprintf("%s\n%s\n%s", runPrepend, script, runAppend)
-
-	if !strings.Contains(script, "::add-mask::") && !sr.RunContext.Config.InsecureSecrets {
-		logger.Debugf("Wrote command \n%s\n to '%s'", script, name)
-	} else {
-		logger.Debugf("Wrote add-mask command to '%s'", name)
-	}
-
-	rc := sr.getRunContext()
-	scriptPath := fmt.Sprintf("%s/%s", rc.JobContainer.GetActPath(), name)
-	sr.cmdline = strings.Replace(scCmd, `{0}`, scriptPath, 1)
-	sr.cmd, err = shellquote.Split(sr.cmdline)
-
-	return name, script, err
-}
-
-type localEnv struct {
-	env map[string]string
-}
-
-func (l *localEnv) Getenv(name string) string {
-	if runtime.GOOS == "windows" {
-		for k, v := range l.env {
-			if strings.EqualFold(name, k) {
-				return v
-			}
-		}
-		return ""
-	}
-	return l.env[name]
-}
-
-func (sr *stepRun) setupShell(ctx context.Context) {
-	rc := sr.RunContext
-	step := sr.Step
-
-	if step.Shell == "" {
-		step.Shell = rc.Run.Job().Defaults.Run.Shell
-	}
-
-	step.Shell = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, step.Shell)
-
-	if step.Shell == "" {
-		step.Shell = rc.Run.Workflow.Defaults.Run.Shell
-	}
-
-	if step.Shell == "" {
-		if _, ok := rc.JobContainer.(*container.HostEnvironment); ok {
-			shellWithFallback := []string{"bash", "sh"}
-			// Don't use bash on windows by default, if not using a docker container
-			if runtime.GOOS == "windows" {
-				shellWithFallback = []string{"pwsh", "powershell"}
-			}
-			step.Shell = shellWithFallback[0]
-			lenv := &localEnv{env: map[string]string{}}
-			maps.Copy(lenv.env, sr.env)
-			sr.getRunContext().ApplyExtraPath(ctx, &lenv.env)
-			_, err := lookpath.LookPath2(shellWithFallback[0], lenv)
-			if err != nil {
-				step.Shell = shellWithFallback[1]
-			}
-		} else if containerImage := rc.containerImage(ctx); containerImage != "" {
-			// Currently only linux containers are supported, use sh by default like actions/runner
-			step.Shell = "sh"
-		}
-	}
-}
-
-func (sr *stepRun) setupWorkingDirectory(ctx context.Context) {
-	rc := sr.RunContext
-	step := sr.Step
-	var workingdirectory string
-
-	if step.WorkingDirectory == "" {
-		workingdirectory = rc.Run.Job().Defaults.Run.WorkingDirectory
-	} else {
-		workingdirectory = step.WorkingDirectory
-	}
-
-	// jobs can receive context values, so we interpolate
-	workingdirectory = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, workingdirectory)
-
-	// but top level keys in workflow file like `defaults` or `env` can't
-	if workingdirectory == "" {
-		workingdirectory = rc.Run.Workflow.Defaults.Run.WorkingDirectory
-	}
-	sr.WorkingDirectory = workingdirectory
-}
--- a/act/runner/step_run_print_test.go
+++ b/act/runner/step_run_print_test.go
@@ -1,182 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// Copyright 2026 The nektos/act Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package runner
-
-import (
-	"bytes"
-	"context"
-	"strings"
-	"testing"
-
-	"gitea.com/gitea/runner/act/common"
-	"gitea.com/gitea/runner/act/model"
-
-	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	yaml "go.yaml.in/yaml/v4"
-)
-
-func TestRunScriptGroupTitle(t *testing.T) {
-	sr := &stepRun{Step: &model.Step{Name: "Build"}}
-	assert.Equal(t, "make build", sr.runScriptGroupTitle("make build"))
-	assert.Equal(t, "echo one", sr.runScriptGroupTitle("  \techo one\necho two"))
-	assert.Equal(t, "Build", sr.runScriptGroupTitle(""))
-
-	sr = &stepRun{Step: &model.Step{ID: "s1"}}
-	assert.Equal(t, "s1", sr.runScriptGroupTitle("\n  \n"))
-}
-
-func TestStepDeclaredEnvOrderPreservesYAML(t *testing.T) {
-	raw := `id: s1
-run: "echo 1"
-env:
-  GITHUB_TOKEN: tok
-  PATH: /custom/bin
-  MY_VAR: hello
-`
-	var step model.Step
-	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
-	assert.Equal(t, []string{"GITHUB_TOKEN", "PATH", "MY_VAR"}, stepDeclaredEnvKeysInOrder(&step))
-}
-
-func TestStepDeclaredEnvKeysInOrderEmpty(t *testing.T) {
-	assert.Nil(t, stepDeclaredEnvKeysInOrder(nil))
-	assert.Empty(t, stepDeclaredEnvKeysInOrder(&model.Step{}))
-}
-
-func TestStepDeclaredEnvKeysIgnoreYAMLMergeKey(t *testing.T) {
-	doc := `
-common: &common
-  COMMON_A: a
-  COMMON_B: b
-step:
-  env:
-    LOCAL_BEFORE: before
-    <<: *common
-    COMMON_B: overridden
-    LOCAL_AFTER: after
-`
-	var root struct {
-		Step model.Step `yaml:"step"`
-	}
-	require.NoError(t, yaml.Unmarshal([]byte(doc), &root))
-
-	keys := stepDeclaredEnvKeysInOrder(&root.Step)
-	assert.Equal(t, []string{"LOCAL_BEFORE", "COMMON_B", "LOCAL_AFTER"}, keys)
-}
-
-func TestPrintRunScriptActionDetailsGolden(t *testing.T) {
-	raw := `id: s1
-name: Build
-run: |
-  echo one
-  echo two
-shell: pwsh
-env:
-  PATH_PREFIX: /custom/bin
-  GITHUB_TOKEN: tok
-  GREETING: hello
-`
-	var step model.Step
-	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
-
-	buf := &bytes.Buffer{}
-	logger := logrus.New()
-	logger.SetOutput(buf)
-	logger.SetLevel(logrus.InfoLevel)
-	logger.SetFormatter(&jobLogFormatter{color: cyan})
-	entry := logger.WithFields(logrus.Fields{"job": "j1"})
-	ctx := common.WithLogger(context.Background(), entry)
-
-	sr := &stepRun{
-		Step:               &step,
-		RunContext:         &RunContext{},
-		shellCommand:       "pwsh -command . '{0}'",
-		interpolatedScript: "echo one\necho two\n",
-		env: map[string]string{
-			"PATH_PREFIX":  "/custom/bin",
-			"GITHUB_TOKEN": "tok",
-			"GREETING":     "hello",
-		},
-	}
-
-	sr.printRunScriptActionDetails(ctx)
-
-	want := strings.Join([]string{
-		"[j1]   | ::group::Run echo one",
-		"[j1]   | echo one",
-		"[j1]   | echo two",
-		"[j1]   | shell: pwsh -command . '{0}'",
-		"[j1]   | env:",
-		"[j1]   |   PATH_PREFIX: /custom/bin",
-		"[j1]   |   GREETING: hello",
-		"[j1]   | ::endgroup::",
-		"",
-	}, "\n")
-	assert.Equal(t, want, buf.String())
-}
-
-func TestPrintRunActionHeaderGolden(t *testing.T) {
-	raw := `id: s1
-uses: actions/checkout@v4
-with:
-  fetch-depth: "0"
-  token: secret
-env:
-  CUSTOM: value
-  GITHUB_TOKEN: tok
-`
-	var step model.Step
-	require.NoError(t, yaml.Unmarshal([]byte(raw), &step))
-
-	buf := &bytes.Buffer{}
-	logger := logrus.New()
-	logger.SetOutput(buf)
-	logger.SetLevel(logrus.InfoLevel)
-	logger.SetFormatter(&jobLogFormatter{color: cyan})
-	entry := logger.WithFields(logrus.Fields{"job": "j1"})
-	ctx := common.WithLogger(context.Background(), entry)
-
-	printRunActionHeader(ctx, &step, map[string]string{"CUSTOM": "value", "GITHUB_TOKEN": "tok"}, &RunContext{})
-
-	want := strings.Join([]string{
-		"[j1]   | ::group::Run actions/checkout@v4",
-		"[j1]   | with:",
-		"[j1]   |   fetch-depth: 0",
-		"[j1]   |   token: secret",
-		"[j1]   | env:",
-		"[j1]   |   CUSTOM: value",
-		"",
-	}, "\n")
-	assert.Equal(t, want, buf.String())
-}
-
-func TestIsInternalEnvKey(t *testing.T) {
-	for _, k := range []string{"PATH", "HOME", "CI", "GITHUB_TOKEN", "GITEA_ACTIONS", "RUNNER_OS", "INPUT_FOO"} {
-		assert.True(t, isInternalEnvKey(k, false), k)
-	}
-	for _, k := range []string{"PATH_PREFIX", "MY_VAR", "GREETING", "HOMEPAGE"} {
-		assert.False(t, isInternalEnvKey(k, false), k)
-	}
-	assert.True(t, isInternalEnvKey("path", true))
-	assert.False(t, isInternalEnvKey("path", false))
-}
-
-func TestPrintColoredScriptLineCyan(t *testing.T) {
-	f := &jobLogFormatter{color: cyan}
-	entry := &logrus.Entry{
-		Level:   logrus.InfoLevel,
-		Message: "echo one",
-		Data: logrus.Fields{
-			"job":               "j1",
-			rawOutputField:      true,
-			scriptLineCyanField: true,
-		},
-	}
-	buf := &bytes.Buffer{}
-	f.printColored(buf, entry)
-	assert.Equal(t, "\x1b[36m|\x1b[0m \x1b[36;1mecho one\x1b[0m", buf.String())
-}
--- a/act/runner/testdata/.github/workflows/local-reusable-workflow.yml
+++ b/act/runner/testdata/.github/workflows/local-reusable-workflow.yml
@@ -1,34 +0,0 @@
-name: local-reusable-workflow
-on:
-  workflow_call:
-    inputs:
-      string_required:
-        required: true
-        type: string
-      bool_required:
-        required: true
-        type: boolean
-      number_required:
-        required: true
-        type: number
-    secrets:
-      secret:
-        required: true
-    outputs:
-      output:
-        value: ${{ jobs.reusable.outputs.output }}
-
-jobs:
-  reusable:
-    runs-on: ubuntu-latest
-    outputs:
-      output: ${{ steps.gen.outputs.output }}
-    steps:
-      - name: check inputs and secret arrived
-        run: |
-          [ "${{ inputs.string_required }}" = "string" ]
-          [ "${{ inputs.bool_required }}" = "true" ]
-          [ "${{ inputs.number_required }}" = "1" ]
-          [ "${{ secrets.secret }}" = "keep_it_private" ]
-      - id: gen
-        run: echo "output=${{ inputs.string_required }}" >> $GITHUB_OUTPUT
--- a/act/runner/testdata/GITHUB_STATE/push.yml
+++ b/act/runner/testdata/GITHUB_STATE/push.yml
@@ -1,31 +0,0 @@
-on: push
-jobs:
-  # State saved in main (via the $GITHUB_STATE file and the ::save-state command) must surface
-  # as $STATE_* in the action's post step.
-  _:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: ./actions/script
-      with:
-        main: |
-          echo mystate2=mystateval > $GITHUB_STATE
-          echo "::save-state name=mystate3::mystateval"
-        post: |
-          [ "$STATE_mystate2" = "mystateval" ]
-          [ "$STATE_mystate3" = "mystateval" ]
-  # State must be isolated per action instance even when two steps use the same action.
-  test-id-collision-bug:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: ./actions/script
-      id: script
-      with:
-        main: echo mystate=val1 > $GITHUB_STATE
-        post: '[ "$STATE_mystate" = "val1" ]'
-    - uses: ./actions/script
-      id: pre-script
-      with:
-        main: echo mystate=val2 > $GITHUB_STATE
-        post: '[ "$STATE_mystate" = "val2" ]'
--- a/act/runner/testdata/actions-environment-and-context-tests/push.yml
+++ b/act/runner/testdata/actions-environment-and-context-tests/push.yml
@@ -1,11 +0,0 @@
-name: actions-with-environment-and-context-tests
-description: "Actions with environment (env vars) and context (expression) tests"
-on: push
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: './actions-environment-and-context-tests/js'
-      - uses: './actions-environment-and-context-tests/docker'
--- a/act/runner/testdata/actions/action1/Dockerfile
+++ b/act/runner/testdata/actions/action1/Dockerfile
@@ -1 +0,0 @@
-FROM ubuntu:24.04
--- a/act/runner/testdata/actions/node24/.gitignore
+++ b/act/runner/testdata/actions/node24/.gitignore
@@ -1,2 +0,0 @@
-node_modules
-package-lock.json
--- a/act/runner/testdata/actions/node24/index.js
+++ b/act/runner/testdata/actions/node24/index.js
@@ -1,14 +0,0 @@
-import {appendFileSync, readFileSync} from 'node:fs';
-
-const nameToGreet = process.env['INPUT_WHO-TO-GREET'] || 'World';
-console.log(`Hello ${nameToGreet}!`);
-
-if (process.env.GITHUB_OUTPUT) {
-  appendFileSync(process.env.GITHUB_OUTPUT, `time=${new Date().toTimeString()}\n`);
-}
-
-let payload = {};
-if (process.env.GITHUB_EVENT_PATH) {
-  payload = JSON.parse(readFileSync(process.env.GITHUB_EVENT_PATH, 'utf8'));
-}
-console.log(`The event payload: ${JSON.stringify(payload, undefined, 2)}`);
--- a/act/runner/testdata/actions/node24/package.json
+++ b/act/runner/testdata/actions/node24/package.json
@@ -1,5 +0,0 @@
-{
-  "name": "node24",
-  "private": true,
-  "type": "module"
-}
--- a/act/runner/testdata/actions/script/action.yml
+++ b/act/runner/testdata/actions/script/action.yml
@@ -1,15 +0,0 @@
-name: 'script'
-description: 'Run the shell scripts passed as inputs across the pre/main/post lifecycle'
-inputs:
-  main:
-    description: 'shell script to run in the main step'
-    required: false
-    default: ''
-  post:
-    description: 'shell script to run in the post step'
-    required: false
-    default: ''
-runs:
-  using: 'node24'
-  main: 'index.js'
-  post: 'post.js'
--- a/act/runner/testdata/actions/script/index.js
+++ b/act/runner/testdata/actions/script/index.js
@@ -1,9 +0,0 @@
-import {execFileSync} from 'node:child_process';
-
-// Run the `main` input as a bash script; its stdout (workflow commands like
-// ::set-output / ::save-state) and $GITHUB_ENV / $GITHUB_STATE writes are
-// processed by the runner, exactly like the remote script action this replaces.
-const script = process.env.INPUT_MAIN;
-if (script) {
-  execFileSync('bash', ['-eo', 'pipefail', '-c', script], {stdio: 'inherit'});
-}
--- a/act/runner/testdata/actions/script/package.json
+++ b/act/runner/testdata/actions/script/package.json
@@ -1,5 +0,0 @@
-{
-  "name": "script",
-  "private": true,
-  "type": "module"
-}
--- a/Show More
+++ b/Show More