docs: Improve the documentation for cache (#1034 )

Reviewed-on: https://gitea.com/gitea/runner/pulls/1034 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-committed-by: Nicolas <bircni@icloud.com>
feat: ipv6 options for network container creation (#1029 )
2026-06-17 15:41:29 +00:00 · 2026-06-15 21:50:42 +00:00 · 2026-06-15 05:05:20 +00:00 · 2026-06-14 20:52:42 +00:00 · 2026-06-14 20:43:19 +00:00 · 2026-06-14 14:14:43 +00:00
358 changed files with 46290 additions and 3124 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,52 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# IntelliJ
+.idea
+# Goland's output filename can not be set manually
+/go_build_*
+
+# MS VSCode
+.vscode
+__debug_bin*
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+*coverage.out
+coverage.all
+coverage.txt
+cpu.out
+
+*.db
+*.log
+
+/gitea-runner
+/debug
+
+/bin
+/dist
+/.env
+/.runner
+/config.yaml
+/Dockerfile
+.DS_Store
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,19 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{go}]
+indent_style = tab
+
+[go.*]
+indent_style = tab
+
+[Makefile]
+indent_style = tab
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
--- a/.gitea/workflows/pull-pr-title.yml
+++ b/.gitea/workflows/pull-pr-title.yml
@@ -0,0 +1,27 @@
+name: pr-title
+
+on:
+  pull_request:
+    types:
+    - opened
+    - edited
+    - reopened
+    - synchronize
+    - ready_for_review
+
+permissions:
+  contents: read
+
+jobs:
+  lint-pr-title:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+    - uses: actions/checkout@v6
+    - uses: actions/setup-node@v6
+      with:
+        node-version: 24
+    - run: make lint-pr-title
+      env:
+        PR_TITLE: ${{ github.event.pull_request.title }}
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -1,22 +1,92 @@
-name: goreleaser
+---
+name: release-nightly

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches:
+      - 'main'
+    tags:
+      - '*'
+
+env:
+  DOCKER_ORG: gitea
+  DOCKER_LATEST: nightly

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: https://github.com/goreleaser/goreleaser-action@v4
+      - uses: actions/checkout@v6
        with:
-            distribution: goreleaser-pro
-            version: latest
-            args: release --nightly --clean
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+      - name: goreleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          args: release --nightly
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          S3_BUCKET: ${{ secrets.S3_BUCKET }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3_REGION: ${{ secrets.AWS_REGION }}
-          AWS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
+          GORELEASER_FORCE_TOKEN: "gitea"
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  release-image:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # all history for all branches and tags
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker BuildX
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Echo the tag
+        run: echo "${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}"
+
+      - name: Get Meta
+        id: meta
+        run: |
+          echo REPO_VERSION=$(git describe --tags --always | sed 's/-/+/' | sed 's/^v//') >> $GITHUB_OUTPUT
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./Dockerfile
+          target: ${{ matrix.variant.target }}
+          platforms: |
+            linux/amd64
+            linux/arm64
+          push: true
+          tags: |
+            ${{ env.DOCKER_ORG }}/runner:nightly${{ matrix.variant.tag_suffix }}
+          build-args: |
+            VERSION=${{ steps.meta.outputs.REPO_VERSION }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -0,0 +1,100 @@
+name: release-tag
+
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # all history for all branches and tags
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v7
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+      - name: goreleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          args: release
+        env:
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          S3_REGION: ${{ secrets.AWS_REGION }}
+          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
+          GORELEASER_FORCE_TOKEN: "gitea"
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+  release-image:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
+    container:
+      image: catthehacker/ubuntu:act-latest
+    env:
+      DOCKER_ORG: gitea
+      DOCKER_LATEST: latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0 # all history for all branches and tags
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker BuildX
+        uses: docker/setup-buildx-action@v4
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: "Docker meta"
+        id: docker_meta
+        uses: docker/metadata-action@v6
+        with:
+          images: |
+            ${{ env.DOCKER_ORG }}/runner
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+          flavor: |
+            latest=true
+            suffix=${{ matrix.variant.tag_suffix }},onlatest=true
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: ./Dockerfile
+          target: ${{ matrix.variant.target }}
+          platforms: |
+            linux/amd64
+            linux/arm64
+          push: true
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          build-args: |
+            VERSION=${{ steps.docker_meta.outputs.version }}
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,23 +1,44 @@
 name: checks
-on: 
-  - push
-  - pull_request
-
-env:
-  GOPROXY: https://goproxy.io,direct
+on:
+  push:
+    branches:
+      - main
+  pull_request:

 jobs:
  lint:
    name: check and test
    runs-on: ubuntu-latest
+    env:
+      # The runner image ships a stale docker.io login; point docker at an empty config so
+      # image pulls go straight to anonymous instead of attempting (and failing) that auth
+      # first. The path must be a literal: the `runner` context is unavailable in job-level
+      # env, so `${{ runner.temp }}` would resolve to empty and config.Dir() would fall back
+      # to ~/.docker with the stale credentials.
+      DOCKER_CONFIG: /tmp/docker-noauth
    steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
        with:
-          go-version: 1.20
-      - uses: actions/checkout@v3
-      - name: vet checks
-        run: make vet
+          go-version-file: 'go.mod'
+      - name: prepare anonymous docker config
+        run: mkdir -p "$DOCKER_CONFIG" && echo '{}' > "$DOCKER_CONFIG/config.json"
+      # Pre-pull act/runner's two largest base images so a slow pull can't dominate `make test`;
+      # the rest (alpine/ubuntu) pull on demand, absorbed by the make-test -timeout. The host
+      # daemon retains them between runs, so this is usually a fast manifest re-check.
+      - name: pre-pull test images
+        run: |
+          for img in node:24-bookworm-slim nginx:alpine; do
+            for try in 1 2 3; do docker pull "$img" && break || sleep 5; done
+          done
+      - name: lint
+        run: make lint
      - name: build
        run: make build
      - name: test
-        run: make test
+        run: make test
+      # Build the dind image and run the daemon-facing tests against the docker version it
+      # ships, catching daemon-level regressions (e.g. gitea/runner#981) before release. Runs
+      # after `make test` so the images it needs are already present on the host daemon.
+      - name: test against dind image
+        run: make test-dind
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,14 @@
-act_runner
+/gitea-runner
 .env
+!/act/runner/testdata/secrets/.env
 .runner
-coverage.txt
+coverage.txt
+/config.yaml
+
+# Jetbrains
+.idea
+# MS VSCode
+.vscode
+__debug_bin
+# gorelease binary folder
+/dist
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,172 +1,125 @@
+version: "2"
+output:
+  sort-order:
+    - file
 linters:
+  default: none
  enable:
-    - gosimple
-    - deadcode
-    - typecheck
-    - govet
-    - errcheck
-    - staticcheck
-    - unused
-    - structcheck
-    - varcheck
-    - dupl
-    #- gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
-    - gofmt
-    - misspell
-    - gocritic
    - bidichk
-    - ineffassign
-    - revive
-    - gofumpt
+    - bodyclose
    - depguard
+    - dupl
+    - errcheck
+    - forbidigo
+    - gocheckcompilerdirectives
+    - gocritic
+    - goheader
+    - govet
+    - ineffassign
+    - mirror
+    - modernize
    - nakedret
-    - unconvert
-    - wastedassign
+    - nilnil
    - nolintlint
-    - stylecheck
-  enable-all: false
-  disable-all: true
-  fast: false
-
-run:
-  go: 1.18
-  timeout: 10m
-  skip-dirs:
-    - node_modules
-    - public
-    - web_src
-
-linters-settings:
-  stylecheck:
-    checks: ["all", "-ST1005", "-ST1003"]
-  nakedret:
-    max-func-lines: 0
-  gocritic:
-    disabled-checks:
-      - ifElseChain
-      - singleCaseSwitch # Every time this occurred in the code, there  was no other way.
-  revive:
-    ignore-generated-header: false
-    severity: warning
-    confidence: 0.8
-    errorCode: 1
-    warningCode: 1
+    - perfsprint
+    - revive
+    - staticcheck
+    - testifylint
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: io/ioutil
+              desc: use os or io instead
+            - pkg: golang.org/x/exp
+              desc: it's experimental and unreliable
+            - pkg: github.com/pkg/errors
+              desc: use builtin errors package instead
+    nolintlint:
+      allow-unused: false
+      require-explanation: true
+      require-specific: true
+    gocritic:
+      enabled-checks:
+        - equalFold
+      disabled-checks:
+        - ifElseChain
+    revive:
+      severity: error
+      rules:
+        - name: blank-imports
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: empty-lines
+        - name: error-return
+        - name: error-strings
+        - name: exported
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: package-comments
+        - name: redefines-builtin-id
+        - name: superfluous-else
+        - name: time-naming
+        - name: unexported-return
+        - name: var-declaration
+        - name: var-naming
+    staticcheck:
+      checks:
+        - all
+        - -ST1005
+    usetesting:
+      os-temp-dir: true
+    perfsprint:
+      concat-loop: false
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
+    goheader:
+      values:
+        regexp:
+          HEADER: 'Copyright \d{4} The Gitea Authors\. All rights reserved\.(\nCopyright [^\n]+)*\nSPDX-License-Identifier: MIT'
+      template: '{{ HEADER }}'
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: duplicated-imports
-      - name: modifies-value-receiver
-  gofumpt:
-    extra-rules: true
-    lang-version: "1.18"
-  depguard:
-    # TODO: use depguard to replace import checks in gitea-vet
-    list-type: denylist
-    # Check the list against standard lib.
-    include-go-root: true
-    packages-with-error-message:
-      - github.com/unknwon/com: "use gitea's util and replacements"
-
+      - linters:
+          - forbidigo
+        path: cmd
 issues:
-  exclude-rules:
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-        - unparam
-        - staticcheck
-    - path: models/migrations/v
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-    - linters:
-        - dupl
-      text: "webhook"
-    - linters:
-        - gocritic
-      text: "`ID' should not be capitalized"
-    - path: modules/templates/helper.go
-      linters:
-        - gocritic
-    - linters:
-        - unused
-        - deadcode
-      text: "swagger"
-    - path: contrib/pr/checkout.go
-      linters:
-        - errcheck
-    - path: models/issue.go
-      linters:
-        - errcheck
-    - path: models/migrations/
-      linters:
-        - errcheck
-    - path: modules/log/
-      linters:
-        - errcheck
-    - path: routers/api/v1/repo/issue_subscription.go
-      linters:
-        - dupl
-    - path: routers/repo/view.go
-      linters:
-        - dupl
-    - path: models/migrations/
-      linters:
-        - unused
-    - linters:
-        - staticcheck
-      text: "argument x is overwritten before first use"
-    - path: modules/httplib/httplib.go
-      linters:
-        - staticcheck
-    # Enabling this would require refactoring the methods and how they are called.
-    - path: models/issue_comment_list.go
-      linters:
-        - dupl
-    - linters:
-        - misspell
-      text: '`Unknwon` is a misspelling of `Unknown`'
-    - path: models/update.go
-      linters:
-        - unused
-    - path: cmd/dump.go
-      linters:
-        - dupl
-    - path: services/webhook/webhook.go
-      linters:
-        - structcheck
-    - text: "commentFormatting: put a space between `//` and comment text"
-      linters:
-        - gocritic
-    - text: "exitAfterDefer:"
-      linters:
-        - gocritic
-    - path: modules/graceful/manager_windows.go
-      linters:
-        - staticcheck
-      text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
-    - path: models/user/openid.go
-      linters:
-        - golint
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  settings:
+    gci:
+      custom-order: true
+      sections:
+        - standard
+        - prefix(gitea.com/gitea/runner)
+        - blank
+        - default
+    gofumpt:
+      extra-rules: true
+  exclusions:
+    generated: lax
+run:
+  timeout: 10m
--- a/.goreleaser.checksum.sh
+++ b/.goreleaser.checksum.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+if [ -z "$1" ]; then
+  echo "usage: $0 <path>"
+  exit 1
+fi
+
+SUM=$(shasum -a 256 "$1" | cut -d' ' -f1)
+BASENAME=$(basename "$1")
+echo -n "${SUM}  ${BASENAME}" > "$1".sha256
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,7 @@
+version: 2
+
+project_name: gitea-runner
+
 before:
  hooks:
    - go mod tidy
@@ -14,8 +18,9 @@ builds:
  - amd64
  - arm
  - arm64
+  - loong64
  - s390x
-  - ppc64le
+  - riscv64
  goarm:
  - "5"
  - "6"
@@ -40,6 +45,8 @@ builds:
    - goos: windows
      goarch: arm
      goarm: "7"
+    - goos: windows
+      goarch: arm64
    - goos: freebsd
      goarch: ppc64le
    - goos: freebsd
@@ -53,14 +60,15 @@ builds:
    - goos: freebsd
      goarch: arm
      goarm: "7"
+    - goos: freebsd
+      goarch: arm64
  flags:
  - -trimpath
  ldflags:
-  - -s -w
+  - -s -w -X gitea.com/gitea/runner/internal/pkg/ver.version={{ .Summary }}
  binary: >-
    {{ .ProjectName }}-
-    {{- if .IsSnapshot }}{{ .Branch }}-
-    {{- else }}{{- .Version }}-{{ end }}
+    {{- .Version }}-
    {{- .Os }}-
    {{- if eq .Arch "amd64" }}amd64
    {{- else if eq .Arch "amd64_v1" }}amd64
@@ -68,13 +76,22 @@ builds:
    {{- else }}{{ .Arch }}{{ end }}
    {{- if .Arm }}-{{ .Arm }}{{ end }}
  no_unique_dist_dir: true
+  hooks:
+    post:
+      - cmd: xz -k -9 {{ .Path }}
+        dir: ./dist/
+      - cmd: sh .goreleaser.checksum.sh {{ .Path }}
+      - cmd: sh .goreleaser.checksum.sh {{ .Path }}.xz

 blobs:
  -
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    folder: "act_runner/{{.Version}}"
+    directory: "gitea-runner/{{.Version}}"
+    extra_files:
+      - glob: ./**.xz
+      - glob: ./**.sha256

 archives:
  - format: binary
@@ -83,10 +100,23 @@ archives:

 checksum:
  name_template: 'checksums.txt'
+  extra_files:
+      - glob: ./**.xz

 snapshot:
-  name_template: "{{ incpatch .Version }}"
+  version_template: "{{ .Branch }}-devel"

 nightly:
-  publish_release: false
-  name_template: "{{ .Branch }}"
+  version_template: "nightly"
+
+gitea_urls:
+  api: https://gitea.com/api/v1
+  download: https://gitea.com
+
+release:
+  extra_files:
+    - glob: ./**.xz
+    - glob: ./**.xz.sha256
+
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,10 @@
+- Use `make help` to find available development targets
+- Run `make fmt` to format `.go` files, and run `make lint-go` to lint them
+- Run `make tidy` after any `go.mod` changes
+- Run single go unit tests with `go test -run '^TestName$' ./modulepath/`
+- Add the current year into the copyright header of new `.go` files
+- Ensure no trailing whitespace in edited files
+- Never force-push, amend, or squash unless asked. Use new commits and normal push for pull request updates
+- Preserve existing code comments, do not remove or rewrite comments that are still relevant
+- Include authorship attribution in issue and pull request comments
+- Add `Co-Authored-By` lines to all commits, indicating name and model used
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
--- a/80
+++ b/80
@@ -0,0 +1,80 @@
+### BUILDER STAGE
+#
+#
+FROM golang:1.26-alpine3.23 AS builder
+
+# Do not remove `git` here, it is required for getting runner version when executing `make build`
+RUN apk add --no-cache make git
+
+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-}
+
+COPY . /opt/src/runner
+WORKDIR /opt/src/runner
+
+RUN make clean && make build
+
+### DIND VARIANT
+#
+#
+FROM docker:29.5.3-dind AS dind
+
+ARG VERSION=dev
+
+LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
+LABEL org.opencontainers.image.version="${VERSION}"
+
+RUN apk add --no-cache s6 bash git tzdata
+
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6
+
+VOLUME /data
+
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### DIND-ROOTLESS VARIANT
+#
+#
+FROM docker:29.5.3-dind-rootless AS dind-rootless
+
+ARG VERSION=dev
+
+LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
+LABEL org.opencontainers.image.version="${VERSION}"
+
+USER root
+RUN apk add --no-cache s6 bash git tzdata
+
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6
+
+VOLUME /data
+
+RUN mkdir -p /data && chown -R rootless:rootless /etc/s6 /data
+
+ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+
+USER rootless
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### BASIC VARIANT
+#
+#
+FROM alpine:3.24 AS basic
+
+ARG VERSION=dev
+
+LABEL org.opencontainers.image.source="https://gitea.com/gitea/runner"
+LABEL org.opencontainers.image.version="${VERSION}"
+
+RUN apk add --no-cache tini bash git tzdata
+
+COPY --from=builder /opt/src/runner/gitea-runner /usr/local/bin/gitea-runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+
+VOLUME /data
+
+ENTRYPOINT ["/sbin/tini","--","run.sh"]
--- a/151
+++ b/151
@@ -1,24 +1,30 @@
 DIST := dist
-EXECUTABLE := act_runner
-GOFMT ?= gofumpt -l
-DIST := dist
+EXECUTABLE := gitea-runner
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-XGO_VERSION := go-1.18.x
-GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10
+XGO_VERSION := go-1.26.x
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
 DARWIN_ARCHS ?= darwin-12/amd64,darwin-12/arm64
 WINDOWS_ARCHS ?= windows/amd64
-GOFILES := $(shell find . -type f -name "*.go" ! -name "generated.*")
+GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "generated.*")

-ifneq ($(shell uname), Darwin)
-	EXTLDFLAGS = -extldflags "-static" $(null)
-else
-	EXTLDFLAGS =
+DOCKER_IMAGE ?= gitea/runner
+DOCKER_TAG ?= nightly
+DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
+DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless
+
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.12.2
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.3.0
+
+STATIC ?=
+EXTLDFLAGS ?=
+ifneq ($(STATIC),)
+	EXTLDFLAGS = -extldflags "-static"
 endif

 ifeq ($(HAS_GO), GO)
@@ -49,7 +55,7 @@ else
 	ifneq ($(DRONE_BRANCH),)
 		VERSION ?= $(subst release/v,,$(DRONE_BRANCH))
 	else
-		VERSION ?= master
+		VERSION ?= main
 	endif

 	STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
@@ -61,71 +67,123 @@ else
 endif

 TAGS ?=
-LDFLAGS ?= -X 'main.Version=$(VERSION)'
+LDFLAGS ?= -X "gitea.com/gitea/runner/internal/pkg/ver.version=v$(RELASE_VERSION)"

+.PHONY: all
 all: build

-fmt:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	$(GOFMT) -w $(GOFILES)
+.PHONY: help
+help: Makefile ## print Makefile help information.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m[TARGETS] default target: build\033[0m\n\n\033[35mTargets:\033[0m\n"} /^[0-9A-Za-z._-]+:.*?##/ { printf "  \033[36m%-45s\033[0m %s\n", $$1, $$2 }' Makefile

-vet:
-	$(GO) vet ./...
+.PHONY: fmt
+fmt: ## format the Go code
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt
+
+.PHONY: go-check
+go-check:
+	$(eval MIN_GO_VERSION_STR := $(shell grep -Eo '^go\s+[0-9]+\.[0-9]+' go.mod | cut -d' ' -f2))
+	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
+	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
+	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
+		echo "Gitea Runner requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
+		exit 1; \
+	fi

 .PHONY: fmt-check
-fmt-check:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	@diff=$$($(GOFMT) -d $(GOFILES)); \
+fmt-check: fmt
+	@diff=$$(git diff --color=always); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make fmt' and commit the result:"; \
-		echo "$${diff}"; \
+		printf "%s" "$${diff}"; \
 		exit 1; \
-	fi;
+	fi

-test: fmt-check
-	@$(GO) test -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+.PHONY: deps-tools
+deps-tools: ## install tool dependencies
+	$(GO) install $(GOLANGCI_LINT_PACKAGE) & \
+	$(GO) install $(GXZ_PACKAGE) & \
+	$(GO) install $(XGO_PACKAGE) & \
+	$(GO) install $(GOVULNCHECK_PACKAGE) & \
+	wait

-install: $(GOFILES)
-	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'
+.PHONY: lint
+lint: lint-go ## lint everything

-build: $(EXECUTABLE)
+.PHONY: lint-go
+lint-go: ## lint go files
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
+
+.PHONY: lint-go-fix
+lint-go-fix: ## lint go files and fix issues
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix
+
+.PHONY: lint-pr-title
+lint-pr-title: ## lint PR title against Conventional Commits (set PR_TITLE=...)
+	@node ./tools/lint-pr-title.ts
+
+.PHONY: security-check
+security-check: deps-tools
+	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true
+
+.PHONY: tidy
+tidy: ## run go mod tidy
+	$(GO) mod tidy
+
+.PHONY: tidy-check
+tidy-check: tidy
+	@diff=$$(git diff --color=always -- go.mod go.sum); \
+	if [ -n "$$diff" ]; then \
+		echo "Please run 'make tidy' and commit the result:"; \
+		printf "%s" "$${diff}"; \
+		exit 1; \
+	fi
+
+.PHONY: test
+test: fmt-check security-check ## test everything (integration tests self-skip without docker/network)
+	@$(GO) test -race -timeout 20m -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+
+.PHONY: test-dind
+test-dind: ## run the daemon-facing tests against the built dind image (TARGET=dind|dind-rootless)
+	@./scripts/test-dind.sh $(TARGET)
+
+.PHONY: install
+install: $(GOFILES) ## install the runner binary via `go install`
+	$(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)'
+
+.PHONY: build
+build: go-check $(EXECUTABLE) ## build the runner binary

 $(EXECUTABLE): $(GOFILES)
-	$(GO) build -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)' -o $@
+	$(GO) build -v -tags '$(TAGS)' -ldflags '-s -w $(EXTLDFLAGS) $(LDFLAGS)' -o $@

 .PHONY: deps-backend
-deps-backend:
+deps-backend: ## install backend dependencies
 	$(GO) mod download
-	$(GO) install $(GXZ_PAGAGE)
-	$(GO) install $(XGO_PACKAGE)

 .PHONY: release
-release: release-windows release-linux release-darwin release-copy release-compress release-check
+release: release-windows release-linux release-darwin release-copy release-compress release-check ## build release artifacts

 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)

 .PHONY: release-windows
 release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(WINDOWS_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-linux
 release-linux: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif

 .PHONY: release-darwin
 release-darwin: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w $(LDFLAGS)' -targets '$(DARWIN_ARCHS)' -out $(EXECUTABLE)-$(VERSION) .
 ifeq ($(CI),true)
 	cp -r /build/* $(DIST)/binaries/
 endif
@@ -140,11 +198,20 @@ release-check: | $(DIST_DIRS)

 .PHONY: release-compress
 release-compress: | $(DIST_DIRS)
-	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PAGAGE) -k -9 $${file}; done;
+	cd $(DIST)/release/; for file in `find . -type f -name "*"`; do echo "compressing $${file}" && $(GO) run $(GXZ_PACKAGE) -k -9 $${file}; done;

-clean:
+.PHONY: docker
+docker: ## build the docker image
+	if ! docker buildx version >/dev/null 2>&1; then \
+		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
+	fi; \
+	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
+
+.PHONY: clean
+clean: ## delete binary and coverage files
 	$(GO) clean -x -i ./...
 	rm -rf coverage.txt $(EXECUTABLE) $(DIST)

-version:
+.PHONY: version
+version: ## print the version
 	@echo $(VERSION)
--- a/README.md
+++ b/README.md
@@ -1,30 +1,47 @@
-# act runner
+# Gitea Runner

-Act runner is a runner for Gitea based on [act](https://gitea.com/gitea/act).
+## Installation

-## Prerequisites
+### Prerequisites

-Docker Engine Community version is required. To install Docker CE, follow the official [install instructions](https://docs.docker.com/engine/install/).
+Docker Engine Community version is required for docker mode. To install Docker CE, follow the official [install instructions](https://docs.docker.com/engine/install/).

-## Quickstart
+### Download pre-built binary

-### Build
+Visit [here](https://dl.gitea.com/gitea-runner/) and download the right version for your platform.
+
+### Build from source

 ```bash
 make build
 ```

+### Build a docker image
+
+```bash
+make docker
+```
+
+## Quickstart
+
+Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it:
+
+```ini
+[actions]
+ENABLED=true
+```
+
 ### Register

 ```bash
-./act_runner register
+./gitea-runner register
 ```

 And you will be asked to input:

 1. Gitea instance URL, like `http://192.168.8.8:3000/`. You should use your gitea instance ROOT_URL as the instance argument
 and you should not use `localhost` or `127.0.0.1` as instance IP;
-2. Runner token, you can get it from `http://192.168.8.8:3000/admin/runners`;
+2. Runner token, you can get it from `http://192.168.8.8:3000/admin/actions/runners`;
 3. Runner name, you can just leave it blank;
 4. Runner labels, you can just leave it blank.

@@ -37,11 +54,11 @@ INFO Enter the Gitea instance URL (for example, https://gitea.com/):
 http://192.168.8.8:3000/
 INFO Enter the runner token:
 fe884e8027dc292970d4e0303fe82b14xxxxxxxx
-INFO Enter the runner name (if set empty, use hostname:Test.local ):
+INFO Enter the runner name (if set empty, use hostname: Test.local):

-INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, self-hosted,ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster):
+INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest):

-INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://node:16-bullseye ubuntu-22.04:docker://node:16-bullseye ubuntu-20.04:docker://node:16-bullseye ubuntu-18.04:docker://node:16-buster].
+INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04 ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04].
 DEBU Successfully pinged the Gitea instance server
 INFO Runner registered successfully.
 ```
@@ -49,7 +66,7 @@ INFO Runner registered successfully.
 You can also register with command line arguments.

 ```bash
-./act_runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
+./gitea-runner register --instance http://192.168.8.8:3000 --token <my_runner_token> --no-interactive
 ```

 If the registry succeed, it will run immediately. Next time, you could run the runner directly.
@@ -57,5 +74,141 @@ If the registry succeed, it will run immediately. Next time, you could run the r
 ### Run

 ```bash
-./act_runner daemon
-```
+./gitea-runner daemon
+```
+
+### Run with docker
+
+```bash
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/runner:nightly
+```
+
+Mount a volume on `/data` if you want the registration file and optional config to survive container recreation (see [scripts/run.sh](scripts/run.sh)).
+
+### Image flavours
+
+The image is published in three flavours, all built from the single multi-stage [Dockerfile](Dockerfile) in this repository. They differ only in how a Docker daemon is made available to the jobs the runner executes; the `gitea-runner` binary inside them is identical.
+
+| Tag | Build target | Base image | Docker daemon | Process supervisor | Runs as |
+| --- | --- | --- | --- | --- | --- |
+| `latest` (and `<version>`) | `basic` | `alpine` | none — uses an external daemon you provide | [`tini`](https://github.com/krallin/tini) | `root` |
+| `latest-dind` | `dind` | `docker:dind` | bundled, started inside the container | [`s6`](https://skarnet.org/software/s6/) | `root` (privileged) |
+| `latest-dind-rootless` | `dind-rootless` | `docker:dind-rootless` | bundled, started rootless inside the container | [`s6`](https://skarnet.org/software/s6/) | `rootless` (UID 1000) |
+
+#### `latest` — basic
+
+The default flavour ships only the runner on a minimal Alpine base. It contains **no Docker daemon of its own**: jobs that use `docker://` images need a daemon supplied from outside the container, typically by bind-mounting the host's socket:
+
+```bash
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> \
+  -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/runner:latest
+```
+
+`tini` is the entrypoint (it reaps zombie processes), and it just runs [`scripts/run.sh`](scripts/run.sh), which registers the runner on first start and then execs `gitea-runner daemon`. This flavour does not need `--privileged`. The trade-off is that jobs share the host's daemon, so they can see other containers and images on that daemon.
+
+#### `latest-dind` — Docker-in-Docker
+
+This flavour is based on the official `docker:dind` image and bundles its own Docker daemon, so it needs no external socket — only the `--privileged` flag that Docker-in-Docker requires:
+
+```bash
+docker run --privileged -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> \
+  --name my_runner gitea/runner:latest-dind
+```
+
+Two processes have to run side by side here (the Docker daemon and the runner), so the entrypoint is the [`s6`](https://skarnet.org/software/s6/) supervision tree under [`scripts/s6`](scripts/s6) instead of `tini`. `s6` starts `dockerd`, and the runner service waits for the daemon to come up (`s6-svwait`) before launching [`run.sh`](scripts/run.sh). Each container has a private daemon isolated from the host's, at the cost of running privileged.
+
+#### `latest-dind-rootless` — rootless Docker-in-Docker
+
+Same idea as `dind`, but built on `docker:dind-rootless` so the bundled daemon and the runner run as an unprivileged user (`rootless`, UID 1000) rather than `root`. `DOCKER_HOST` is preset to `unix:///run/user/1000/docker.sock` so the runner talks to the rootless daemon. This reduces the blast radius compared to the privileged `dind` flavour, but rootless Docker carries the usual rootless limitations (networking, cgroups, storage drivers, and some operations that need additional host configuration such as `/etc/subuid` / `/etc/subgid` mappings and unprivileged user-namespace support).
+
+> **Note on Podman:** these images target the Docker daemon. The bundled `dind`/`dind-rootless` daemons are `dockerd`, not Podman, and the `basic` flavour expects a Docker-compatible socket. Running them under rootless Podman is not a supported configuration, though pointing the `basic` flavour at a Podman socket that emulates the Docker API may work for some workloads.
+
+### Configuration
+
+The runner is configured with a YAML file. Generate a starting point (this matches what ships in the tree):
+
+```bash
+./gitea-runner generate-config > config.yaml
+```
+
+Pass it with `-c` / `--config` on any command that loads configuration (`register`, `daemon`, `cache-server`):
+
+```bash
+./gitea-runner -c config.yaml register
+./gitea-runner -c config.yaml daemon
+./gitea-runner -c config.yaml cache-server
+```
+
+Every option is described in [config.example.yaml](internal/pkg/config/config.example.yaml) (the same content `generate-config` prints).
+
+#### Without a config file
+
+If you omit `-c`, built-in defaults apply (same as an empty YAML document). A small set of **deprecated** environment variables can still override parts of that default config, but **only when no `-c` path was given**; they are ignored if you use a config file:
+
+| Variable | Effect |
+| --- | --- |
+| `GITEA_DEBUG` | If true, sets log level to `debug` |
+| `GITEA_TRACE` | If true, sets log level to `trace` |
+| `GITEA_RUNNER_CAPACITY` | Concurrent jobs (integer) |
+| `GITEA_RUNNER_FILE` | Registration state file path (default `.runner`) |
+| `GITEA_RUNNER_ENVIRON` | Extra job env vars as comma-separated `KEY:VALUE` pairs |
+| `GITEA_RUNNER_ENV_FILE` | Path to an env file merged into job env (same idea as `runner.env_file` in YAML) |
+
+Prefer a YAML file for all settings.
+
+#### Registration vs config labels
+
+If `runner.labels` is set in the YAML file, those labels are used during `register` and the `--labels` CLI flag is ignored.
+
+#### Caching (`actions/cache`)
+
+Each runner starts its own cache server automatically. Cache entries are local to that runner — runners do not share a cache by default.
+
+**Shared cache across multiple runners**
+
+Run one dedicated `gitea-runner cache-server` that all runners point at.
+
+1. Create a config file for the cache server host:
+
+   ```yaml
+   cache:
+     dir: /data/actcache
+     port: 8088
+     external_secret: "replace-with-a-strong-random-secret"
+   ```
+
+2. Start the server:
+
+   ```bash
+   gitea-runner -c cache-server-config.yaml cache-server
+   ```
+
+3. On every runner:
+
+   ```yaml
+   cache:
+     external_server: "http://<cache-server-host>:8088/"
+     external_secret: "replace-with-a-strong-random-secret"  # must match the server
+   ```
+
+Alternatively, mount the same NFS/CIFS share on every runner and point `cache.dir` at it — simpler, but with weaker isolation between repositories.
+
+**S3 / MinIO** — mount object storage as a FUSE filesystem (e.g. [s3fs](https://github.com/s3fs-fuse/s3fs-fuse) or [goofys](https://github.com/kahing/goofys)) and set `cache.dir` to the mount point.
+
+Flags `--dir`, `--host`, and `--port` on `cache-server` override the corresponding `cache.*` YAML keys; all other settings, including `external_secret`, require the config file.
+
+#### Official Docker image
+
+Besides `GITEA_INSTANCE_URL` and `GITEA_RUNNER_REGISTRATION_TOKEN`, the image entrypoint supports optional variables such as `CONFIG_FILE` (passed through as `-c`), `GITEA_RUNNER_LABELS`, `GITEA_RUNNER_EPHEMERAL`, `GITEA_RUNNER_ONCE`, `GITEA_RUNNER_NAME`, `GITEA_MAX_REG_ATTEMPTS`, `RUNNER_STATE_FILE`, and `GITEA_RUNNER_REGISTRATION_TOKEN_FILE`. See [scripts/run.sh](scripts/run.sh) for exact behavior.
+
+For a fuller container-oriented walkthrough, see [examples/docker](examples/docker/README.md).
+
+When `container.bind_workdir` is enabled, stale task workspace directories can be cleaned while the runner is idle:
+- directories older than `runner.workdir_cleanup_age` are removed (default: `24h`; set `0` to disable)
+- cleanup runs every `runner.idle_cleanup_interval` (default: `10m`; set `0` to disable)
+- only purely numeric subdirectories under `container.workdir_parent` are treated as task workspaces and may be removed
+- cleanup assumes `container.workdir_parent` is not shared across multiple runners
+
+### Example Deployments
+
+Check out the [examples](examples) directory for sample deployment types.
--- a/act/LICENSE
+++ b/act/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2022 The Gitea Authors
+Copyright (c) 2019
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/act/artifactcache/doc.go
+++ b/act/artifactcache/doc.go
@@ -0,0 +1,12 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+// Package artifactcache provides a cache handler for the runner.
+//
+// Inspired by https://github.com/sp-ricard-valverde/github-act-cache-server
+//
+// TODO: Authorization
+// TODO: Restrictions for accessing a cache, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+// TODO: Force deleting cache entries, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+package artifactcache
--- a/act/artifactcache/handler.go
+++ b/act/artifactcache/handler.go
@@ -0,0 +1,879 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/julienschmidt/httprouter"
+	"github.com/sirupsen/logrus"
+	"github.com/timshannon/bolthold"
+	"go.etcd.io/bbolt"
+)
+
+const (
+	apiPath      = "/_apis/artifactcache"
+	internalPath = "/_internal"
+
+	// artifactURLTTL bounds how long a signed artifactLocation URL stays valid.
+	// Short enough that a leaked URL is near-worthless; long enough to let the
+	// @actions/cache client download a big blob that was returned from /cache.
+	artifactURLTTL = 10 * time.Minute
+)
+
+type credKey struct{}
+
+// JobCredential ties a per-job bearer token (ACTIONS_RUNTIME_TOKEN) to the
+// repository that owns it. Every cache entry is stamped with Repo on
+// reserve/commit and checked on read/write so one repo can never observe or
+// poison another repo's cache, even from inside a container that reaches the
+// cache server over the docker bridge network.
+type JobCredential struct {
+	Repo string
+}
+
+// credEntry holds a registered job's credential along with an active
+// registration count. RegisterJob is reference-counted so that if two tasks
+// briefly share an ACTIONS_RUNTIME_TOKEN — e.g. a runner that retries a task
+// after a crash before the old registration is revoked — the first task's
+// revoker does not cut the second task's auth out from under it.
+type credEntry struct {
+	cred JobCredential
+	refs int
+}
+
+type Handler struct {
+	dir      string
+	storage  *Storage
+	router   *httprouter.Router
+	listener net.Listener
+	server   *http.Server
+	logger   logrus.FieldLogger
+
+	gcing atomic.Bool
+	gcAt  time.Time
+
+	outboundIP string
+
+	// internalSecret guards /_internal/{register,revoke}. When set, a remote
+	// runner can use these endpoints to pre-register per-job
+	// ACTIONS_RUNTIME_TOKENs against this server, enabling the same
+	// per-job auth and repo scoping as the embedded handler over the
+	// network. Empty disables the control-plane entirely.
+	internalSecret string
+
+	// secret signs short-lived artifact download URLs. The @actions/cache
+	// toolkit does not send Authorization on the download request, so blob
+	// GETs authenticate via a per-URL HMAC signature with expiry rather than
+	// via the bearer token used for management endpoints.
+	secret []byte
+
+	credMu sync.RWMutex
+	creds  map[string]*credEntry
+}
+
+// StartHandler opens the on-disk cache store and starts the HTTP server.
+//
+// internalSecret, when non-empty, enables a control-plane API at
+// /_internal/{register,revoke} that lets a remote runner pre-register the
+// per-job ACTIONS_RUNTIME_TOKENs it expects this server to honor. The
+// embedded in-process handler leaves it empty and registers tokens via the
+// in-process RegisterJob method directly.
+func StartHandler(dir, outboundIP string, port uint16, internalSecret string, logger logrus.FieldLogger) (*Handler, error) {
+	h := &Handler{
+		creds:          make(map[string]*credEntry),
+		internalSecret: internalSecret,
+	}
+
+	if logger == nil {
+		discard := logrus.New()
+		discard.Out = io.Discard
+		logger = discard
+	}
+	logger = logger.WithField("module", "artifactcache")
+	h.logger = logger
+
+	if dir == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil, err
+		}
+		dir = filepath.Join(home, ".cache", "actcache")
+	}
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return nil, err
+	}
+
+	h.dir = dir
+
+	storage, err := NewStorage(filepath.Join(dir, "cache"))
+	if err != nil {
+		return nil, err
+	}
+	h.storage = storage
+
+	if outboundIP != "" {
+		h.outboundIP = outboundIP
+	} else if ip := common.GetOutboundIP(); ip == nil {
+		return nil, errors.New("unable to determine outbound IP address")
+	} else {
+		h.outboundIP = ip.String()
+	}
+
+	secret, err := loadOrCreateSecret(dir)
+	if err != nil {
+		return nil, err
+	}
+	h.secret = secret
+
+	router := httprouter.New()
+	router.GET(apiPath+"/cache", h.bearerAuth(h.find))
+	router.POST(apiPath+"/caches", h.bearerAuth(h.reserve))
+	router.PATCH(apiPath+"/caches/:id", h.bearerAuth(h.upload))
+	router.POST(apiPath+"/caches/:id", h.bearerAuth(h.commit))
+	router.POST(apiPath+"/clean", h.bearerAuth(h.clean))
+	// Artifact GET is signed via query-string HMAC because @actions/cache
+	// does not attach Authorization when downloading archiveLocation.
+	router.GET(apiPath+"/artifacts/:id", h.signedURLAuth(h.get))
+	// Control-plane: a remote runner registers/revokes per-job tokens so the
+	// cache API can authenticate them. Always wired so the routes exist; the
+	// handlers themselves 401 when internalSecret is unset.
+	router.POST(internalPath+"/register", h.internalAuth(h.internalRegister))
+	router.POST(internalPath+"/revoke", h.internalAuth(h.internalRevoke))
+
+	h.router = router
+
+	h.gcCache()
+
+	// Listen on all interfaces. Binding to outboundIP only would give no real
+	// security benefit (it is the LAN/internet-facing address either way) and
+	// can break Docker Desktop variants where the host's outbound IP is not
+	// routable from inside the container network. Authentication is enforced
+	// by the bearer middleware and per-repo scoping, not by reachability.
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return nil, err
+	}
+	server := &http.Server{
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+	go func() {
+		if err := server.Serve(listener); err != nil && errors.Is(err, net.ErrClosed) {
+			logger.Errorf("http serve: %v", err)
+		}
+	}()
+	h.listener = listener
+	h.server = server
+
+	return h, nil
+}
+
+func (h *Handler) ExternalURL() string {
+	// TODO: make the external url configurable if necessary
+	return fmt.Sprintf("http://%s:%d",
+		h.outboundIP,
+		h.listener.Addr().(*net.TCPAddr).Port)
+}
+
+// RegisterJob makes token a valid bearer credential for cache requests from
+// the given repository and returns a function that removes it. The runner
+// calls this at job start and defers the returned func so that the credential
+// is only accepted while the job is running.
+//
+// Registrations are reference-counted: if a token is already registered, the
+// existing repo is kept and the refcount is incremented. The entry is
+// removed only when every revoker returned by RegisterJob has been called.
+// This keeps a stray re-registration from silently revoking a live job.
+func (h *Handler) RegisterJob(token, repo string) func() {
+	if h == nil || token == "" {
+		return func() {}
+	}
+	h.credMu.Lock()
+	if existing, ok := h.creds[token]; ok {
+		existing.refs++
+	} else {
+		h.creds[token] = &credEntry{
+			cred: JobCredential{Repo: repo},
+			refs: 1,
+		}
+	}
+	h.credMu.Unlock()
+	return func() {
+		h.credMu.Lock()
+		if entry, ok := h.creds[token]; ok {
+			entry.refs--
+			if entry.refs <= 0 {
+				delete(h.creds, token)
+			}
+		}
+		h.credMu.Unlock()
+	}
+}
+
+// RevokeJob explicitly revokes one registration of token, mirroring one call
+// of the closure returned by RegisterJob. Used by the control-plane endpoint
+// so a remote runner can revoke without holding the closure.
+func (h *Handler) RevokeJob(token string) {
+	if h == nil || token == "" {
+		return
+	}
+	h.credMu.Lock()
+	if entry, ok := h.creds[token]; ok {
+		entry.refs--
+		if entry.refs <= 0 {
+			delete(h.creds, token)
+		}
+	}
+	h.credMu.Unlock()
+}
+
+func (h *Handler) lookupCredential(token string) (JobCredential, bool) {
+	h.credMu.RLock()
+	entry, ok := h.creds[token]
+	h.credMu.RUnlock()
+	if !ok {
+		return JobCredential{}, false
+	}
+	return entry.cred, true
+}
+
+// loadOrCreateSecret returns the 32-byte HMAC signing key for artifact URLs,
+// persisted in dir/.secret so signed URLs handed out before a restart stay
+// valid across the restart and so the standalone cache-server can be pointed
+// at by config.Cache.ExternalServer without the URL rotating.
+func loadOrCreateSecret(dir string) ([]byte, error) {
+	path := filepath.Join(dir, ".secret")
+	if data, err := os.ReadFile(path); err == nil {
+		if secret, err := hex.DecodeString(strings.TrimSpace(string(data))); err == nil && len(secret) >= 32 {
+			return secret, nil
+		}
+	} else if !os.IsNotExist(err) {
+		return nil, fmt.Errorf("read cache secret: %w", err)
+	}
+	secret := make([]byte, 32)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, fmt.Errorf("generate cache secret: %w", err)
+	}
+	if err := os.WriteFile(path, []byte(hex.EncodeToString(secret)), 0o600); err != nil {
+		return nil, fmt.Errorf("write cache secret: %w", err)
+	}
+	return secret, nil
+}
+
+func (h *Handler) Close() error {
+	if h == nil {
+		return nil
+	}
+	var retErr error
+	if h.server != nil {
+		err := h.server.Close()
+		if err != nil {
+			retErr = err
+		}
+		h.server = nil
+	}
+	if h.listener != nil {
+		err := h.listener.Close()
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+		if err != nil {
+			retErr = err
+		}
+		h.listener = nil
+	}
+	return retErr
+}
+
+func (h *Handler) openDB() (*bolthold.Store, error) {
+	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
+		Encoder: json.Marshal,
+		Decoder: json.Unmarshal,
+		Options: &bbolt.Options{
+			Timeout:      5 * time.Second,
+			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
+			FreelistType: bbolt.DefaultOptions.FreelistType,
+		},
+	})
+}
+
+// GET /_apis/artifactcache/cache
+func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
+	keys := strings.Split(r.URL.Query().Get("keys"), ",")
+	version := r.URL.Query().Get("version")
+
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache, err := findCache(db, cred.Repo, keys, version)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	if cache == nil {
+		h.responseJSON(w, r, 204)
+		return
+	}
+
+	if ok, err := h.storage.Exist(cache.ID); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	} else if !ok {
+		_ = db.Delete(cache.ID, cache)
+		h.responseJSON(w, r, 204)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"result":          "hit",
+		"archiveLocation": h.signedArtifactURL(cache.ID, time.Now().Add(artifactURLTTL)),
+		"cacheKey":        cache.Key,
+	})
+}
+
+// POST /_apis/artifactcache/caches
+func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	cred := credFromContext(r.Context())
+	api := &Request{}
+	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := api.ToCache()
+	cache.Repo = cred.Repo
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	now := time.Now().Unix()
+	cache.CreatedAt = now
+	cache.UsedAt = now
+	if err := insertCache(db, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"cacheId": cache.ID,
+	})
+}
+
+// PATCH /_apis/artifactcache/caches/:id
+func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+	db.Close()
+	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	if err := h.storage.Write(cache.ID, start, r.Body); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	h.useCache(id)
+	h.responseJSON(w, r, 200)
+}
+
+// POST /_apis/artifactcache/caches/:id
+func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	cred := credFromContext(r.Context())
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Repo != cred.Repo {
+		h.responseJSON(w, r, 403, fmt.Errorf("cache %d: forbidden", id))
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+
+	db.Close()
+
+	size, err := h.storage.Commit(cache.ID, cache.Size)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
+	cache.Size = size
+
+	db, err = h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache.Complete = true
+	if err := db.Update(cache.ID, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	h.responseJSON(w, r, 200)
+}
+
+// GET /_apis/artifactcache/artifacts/:id
+// Authenticated via signed URL (see signedURLAuth), not bearer, because the
+// @actions/cache toolkit downloads archiveLocation without Authorization.
+// Repository scoping is already enforced at find() time; the signature binds
+// the URL to the specific cache ID and an expiry.
+func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	h.useCache(id)
+	h.storage.Serve(w, r, uint64(id))
+}
+
+// POST /_apis/artifactcache/clean
+func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	// TODO: don't support force deleting cache entries
+	// see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+	h.responseJSON(w, r, 200)
+}
+
+// bearerAuth resolves ACTIONS_RUNTIME_TOKEN against the set of currently
+// registered jobs. A match attaches the job's JobCredential to the request
+// context; a miss returns 401 before the handler body runs.
+func (h *Handler) bearerAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		token := bearerToken(r)
+		if token == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing bearer token"))
+			return
+		}
+		cred, ok := h.lookupCredential(token)
+		if !ok {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("unknown bearer token"))
+			return
+		}
+		ctx := context.WithValue(r.Context(), credKey{}, cred)
+		handler(w, r.WithContext(ctx), params)
+		go h.gcCache()
+	}
+}
+
+func (h *Handler) signedURLAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.URL.Path)
+		id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, 400, err)
+			return
+		}
+		expStr := r.URL.Query().Get("exp")
+		sig := r.URL.Query().Get("sig")
+		if expStr == "" || sig == "" {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("missing signature"))
+			return
+		}
+		exp, err := strconv.ParseInt(expStr, 10, 64)
+		if err != nil {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("invalid expiry"))
+			return
+		}
+		if time.Now().Unix() > exp {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("signature expired"))
+			return
+		}
+		expected := h.computeSignature(id, exp)
+		if !hmac.Equal([]byte(sig), []byte(expected)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("bad signature"))
+			return
+		}
+		handler(w, r, params)
+		go h.gcCache()
+	}
+}
+
+// internalAuth gates the control-plane endpoints. The bearer must
+// constant-time-equal the configured internalSecret. If the secret is empty,
+// the control-plane is disabled and every request gets 404 — which matches
+// the upstream nektos/act behavior of "the route does not exist".
+func (h *Handler) internalAuth(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		if h.internalSecret == "" {
+			http.NotFound(w, r)
+			return
+		}
+		token := bearerToken(r)
+		if token == "" || !hmac.Equal([]byte(token), []byte(h.internalSecret)) {
+			h.responseJSON(w, r, http.StatusUnauthorized, errors.New("internal: bad secret"))
+			return
+		}
+		handler(w, r, params)
+	}
+}
+
+type internalRegisterBody struct {
+	Token string `json:"token"`
+	Repo  string `json:"repo"`
+}
+
+type internalRevokeBody struct {
+	Token string `json:"token"`
+}
+
+// POST /_internal/register
+func (h *Handler) internalRegister(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRegisterBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RegisterJob(body.Token, body.Repo)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+// POST /_internal/revoke
+func (h *Handler) internalRevoke(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	var body internalRevokeBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		h.responseJSON(w, r, http.StatusBadRequest, err)
+		return
+	}
+	if body.Token == "" {
+		h.responseJSON(w, r, http.StatusBadRequest, errors.New("token is required"))
+		return
+	}
+	h.RevokeJob(body.Token)
+	h.responseJSON(w, r, http.StatusOK)
+}
+
+func bearerToken(r *http.Request) string {
+	auth := r.Header.Get("Authorization")
+	const prefix = "Bearer "
+	if len(auth) > len(prefix) && strings.EqualFold(auth[:len(prefix)], prefix) {
+		return auth[len(prefix):]
+	}
+	return ""
+}
+
+func credFromContext(ctx context.Context) JobCredential {
+	if cred, ok := ctx.Value(credKey{}).(JobCredential); ok {
+		return cred
+	}
+	return JobCredential{}
+}
+
+func (h *Handler) computeSignature(cacheID, exp int64) string {
+	mac := hmac.New(sha256.New, h.secret)
+	fmt.Fprintf(mac, "%d:%d", cacheID, exp)
+	return hex.EncodeToString(mac.Sum(nil))
+}
+
+func (h *Handler) signedArtifactURL(cacheID uint64, exp time.Time) string {
+	expUnix := exp.Unix()
+	sig := h.computeSignature(int64(cacheID), expUnix)
+	q := url.Values{}
+	q.Set("exp", strconv.FormatInt(expUnix, 10))
+	q.Set("sig", sig)
+	return fmt.Sprintf("%s%s/artifacts/%d?%s", h.ExternalURL(), apiPath, cacheID, q.Encode())
+}
+
+// if not found, return (nil, nil) instead of an error.
+func findCache(db *bolthold.Store, repo string, keys []string, version string) (*Cache, error) {
+	cache := &Cache{}
+	for _, prefix := range keys {
+		// if a key in the list matches exactly, don't return partial matches
+		if err := db.FindOne(cache,
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").Eq(prefix).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err == nil || !errors.Is(err, bolthold.ErrNotFound) {
+			if err != nil {
+				return nil, fmt.Errorf("find cache: %w", err)
+			}
+			return cache, nil
+		}
+		prefixPattern := "^" + regexp.QuoteMeta(prefix)
+		re, err := regexp.Compile(prefixPattern)
+		if err != nil {
+			continue
+		}
+		if err := db.FindOne(cache,
+			bolthold.Where("Repo").Eq(repo).
+				And("Key").RegExp(re).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err != nil {
+			if errors.Is(err, bolthold.ErrNotFound) {
+				continue
+			}
+			return nil, fmt.Errorf("find cache: %w", err)
+		}
+		return cache, nil
+	}
+	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+}
+
+func insertCache(db *bolthold.Store, cache *Cache) error {
+	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
+		return fmt.Errorf("insert cache: %w", err)
+	}
+	// write back id to db
+	if err := db.Update(cache.ID, cache); err != nil {
+		return fmt.Errorf("write back id to db: %w", err)
+	}
+	return nil
+}
+
+func (h *Handler) useCache(id int64) {
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+	cache := &Cache{}
+	if err := db.Get(id, cache); err != nil {
+		return
+	}
+	cache.UsedAt = time.Now().Unix()
+	_ = db.Update(cache.ID, cache)
+}
+
+const (
+	keepUsed   = 30 * 24 * time.Hour
+	keepUnused = 7 * 24 * time.Hour
+	keepTemp   = 5 * time.Minute
+	keepOld    = 5 * time.Minute
+)
+
+func (h *Handler) gcCache() {
+	if h.gcing.Load() {
+		return
+	}
+	if !h.gcing.CompareAndSwap(false, true) {
+		return
+	}
+	defer h.gcing.Store(false)
+
+	if time.Since(h.gcAt) < time.Hour {
+		h.logger.Debugf("skip gc: %v", h.gcAt.String())
+		return
+	}
+	h.gcAt = time.Now()
+	h.logger.Debugf("gc: %v", h.gcAt.String())
+
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+
+	// Remove the caches which are not completed for a while, they are most likely to be broken.
+	var caches []*Cache
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix()).
+		And("Complete").Eq(false),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which have not been used recently.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which are too old.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches with the same key and version within the same
+	// repository, keep the latest one. Aggregation must include Repo so two
+	// repos that happen to share a (key, version) do not evict each other —
+	// otherwise per-repo scoping holds for reads but one repo can age
+	// another out after keepOld.
+	// Also keep the olds which have been used recently for a while in case of the cache is still in use.
+	if results, err := db.FindAggregate(
+		&Cache{},
+		bolthold.Where("Complete").Eq(true),
+		"Repo", "Key", "Version",
+	); err != nil {
+		h.logger.Warnf("find aggregate caches: %v", err)
+	} else {
+		for _, result := range results {
+			if result.Count() <= 1 {
+				continue
+			}
+			result.Sort("CreatedAt")
+			caches = caches[:0]
+			result.Reduction(&caches)
+			for _, cache := range caches[:len(caches)-1] {
+				if time.Since(time.Unix(cache.UsedAt, 0)) < keepOld {
+					// Keep it since it has been used recently, even if it's old.
+					// Or it could break downloading in process.
+					continue
+				}
+				h.storage.Remove(cache.ID)
+				if err := db.Delete(cache.ID, cache); err != nil {
+					h.logger.Warnf("delete cache: %v", err)
+					continue
+				}
+				h.logger.Infof("deleted cache: %+v", cache)
+			}
+		}
+	}
+}
+
+func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int, v ...any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	var data []byte
+	if len(v) == 0 || v[0] == nil {
+		data, _ = json.Marshal(struct{}{})
+	} else if err, ok := v[0].(error); ok {
+		h.logger.Errorf("%v %v: %v", r.Method, r.URL.Path, err)
+		data, _ = json.Marshal(map[string]any{
+			"error": err.Error(),
+		})
+	} else {
+		data, _ = json.Marshal(v[0])
+	}
+	w.WriteHeader(code)
+	_, _ = w.Write(data)
+}
+
+func parseContentRange(s string) (int64, int64, error) {
+	// support the format like "bytes 11-22/*" only
+	s, _, _ = strings.Cut(strings.TrimPrefix(s, "bytes "), "/")
+	s1, s2, _ := strings.Cut(s, "-")
+
+	start, err := strconv.ParseInt(s1, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	stop, err := strconv.ParseInt(s2, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	return start, stop, nil
+}
--- a/act/artifactcache/handler_test.go
+++ b/act/artifactcache/handler_test.go
--- a/act/artifactcache/model.go
+++ b/act/artifactcache/model.go
@@ -0,0 +1,39 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+type Request struct {
+	Key     string `json:"key" `
+	Version string `json:"version"`
+	Size    int64  `json:"cacheSize"`
+}
+
+func (c *Request) ToCache() *Cache {
+	if c == nil {
+		return nil
+	}
+	ret := &Cache{
+		Key:     c.Key,
+		Version: c.Version,
+		Size:    c.Size,
+	}
+	if c.Size == 0 {
+		// So the request comes from old versions of actions, like `actions/cache@v2`.
+		// It doesn't send cache size. Set it to -1 to indicate that.
+		ret.Size = -1
+	}
+	return ret
+}
+
+type Cache struct {
+	ID        uint64 `json:"id" boltholdKey:"ID"`
+	Repo      string `json:"repo" boltholdIndex:"Repo"`
+	Key       string `json:"key" boltholdIndex:"Key"`
+	Version   string `json:"version" boltholdIndex:"Version"`
+	Size      int64  `json:"cacheSize"`
+	Complete  bool   `json:"complete" boltholdIndex:"Complete"`
+	UsedAt    int64  `json:"usedAt" boltholdIndex:"UsedAt"`
+	CreatedAt int64  `json:"createdAt" boltholdIndex:"CreatedAt"`
+}
--- a/act/artifactcache/storage.go
+++ b/act/artifactcache/storage.go
@@ -0,0 +1,135 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+)
+
+type Storage struct {
+	rootDir string
+}
+
+func NewStorage(rootDir string) (*Storage, error) {
+	if err := os.MkdirAll(rootDir, 0o755); err != nil {
+		return nil, err
+	}
+	return &Storage{
+		rootDir: rootDir,
+	}, nil
+}
+
+func (s *Storage) Exist(id uint64) (bool, error) {
+	name := s.filename(id)
+	if _, err := os.Stat(name); os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func (s *Storage) Write(id uint64, offset int64, reader io.Reader) error {
+	name := s.tempName(id, offset)
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	_, err = io.Copy(file, reader)
+	return err
+}
+
+func (s *Storage) Commit(id uint64, size int64) (int64, error) {
+	defer func() {
+		_ = os.RemoveAll(s.tempDir(id))
+	}()
+
+	name := s.filename(id)
+	tempNames, err := s.tempNames(id)
+	if err != nil {
+		return 0, err
+	}
+
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return 0, err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return 0, err
+	}
+	defer file.Close()
+
+	var written int64
+	for _, v := range tempNames {
+		f, err := os.Open(v)
+		if err != nil {
+			return 0, err
+		}
+		n, err := io.Copy(file, f)
+		_ = f.Close()
+		if err != nil {
+			return 0, err
+		}
+		written += n
+	}
+
+	// If size is less than 0, it means the size is unknown.
+	// We can't check the size of the file, just skip the check.
+	// It happens when the request comes from old versions of actions, like `actions/cache@v2`.
+	if size >= 0 && written != size {
+		_ = file.Close()
+		_ = os.Remove(name)
+		return 0, fmt.Errorf("broken file: %v != %v", written, size)
+	}
+
+	return written, nil
+}
+
+func (s *Storage) Serve(w http.ResponseWriter, r *http.Request, id uint64) {
+	name := s.filename(id)
+	http.ServeFile(w, r, name)
+}
+
+func (s *Storage) Remove(id uint64) {
+	_ = os.Remove(s.filename(id))
+	_ = os.RemoveAll(s.tempDir(id))
+}
+
+func (s *Storage) filename(id uint64) string {
+	return filepath.Join(s.rootDir, fmt.Sprintf("%02x", id%0xff), strconv.FormatUint(id, 10))
+}
+
+func (s *Storage) tempDir(id uint64) string {
+	return filepath.Join(s.rootDir, "tmp", strconv.FormatUint(id, 10))
+}
+
+func (s *Storage) tempName(id uint64, offset int64) string {
+	return filepath.Join(s.tempDir(id), fmt.Sprintf("%016x", offset))
+}
+
+func (s *Storage) tempNames(id uint64) ([]string, error) {
+	dir := s.tempDir(id)
+	files, err := os.ReadDir(dir)
+	if err != nil {
+		return nil, err
+	}
+	var names []string
+	for _, v := range files {
+		if !v.IsDir() {
+			names = append(names, filepath.Join(dir, v.Name()))
+		}
+	}
+	return names, nil
+}
--- a/act/artifacts/server.go
+++ b/act/artifacts/server.go
@@ -0,0 +1,319 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifacts
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+type FileContainerResourceURL struct {
+	FileContainerResourceURL string `json:"fileContainerResourceUrl"`
+}
+
+type NamedFileContainerResourceURL struct {
+	Name                     string `json:"name"`
+	FileContainerResourceURL string `json:"fileContainerResourceUrl"`
+}
+
+type NamedFileContainerResourceURLResponse struct {
+	Count int                             `json:"count"`
+	Value []NamedFileContainerResourceURL `json:"value"`
+}
+
+type ContainerItem struct {
+	Path            string `json:"path"`
+	ItemType        string `json:"itemType"`
+	ContentLocation string `json:"contentLocation"`
+}
+
+type ContainerItemResponse struct {
+	Value []ContainerItem `json:"value"`
+}
+
+type ResponseMessage struct {
+	Message string `json:"message"`
+}
+
+type WritableFile interface {
+	io.WriteCloser
+}
+
+type WriteFS interface {
+	OpenWritable(name string) (WritableFile, error)
+	OpenAppendable(name string) (WritableFile, error)
+}
+
+type readWriteFSImpl struct{}
+
+func (fwfs readWriteFSImpl) Open(name string) (fs.File, error) {
+	return os.Open(name)
+}
+
+func (fwfs readWriteFSImpl) OpenWritable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	return os.OpenFile(name, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o644)
+}
+
+func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	file, err := os.OpenFile(name, os.O_CREATE|os.O_RDWR, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = file.Seek(0, io.SeekEnd)
+	if err != nil {
+		return nil, err
+	}
+	return file, nil
+}
+
+var gzipExtension = ".gz__"
+
+func safeResolve(baseDir, relPath string) string {
+	return filepath.Join(baseDir, filepath.Clean(filepath.Join(string(os.PathSeparator), relPath)))
+}
+
+func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {
+	router.POST("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		runID := params.ByName("runId")
+
+		json, err := json.Marshal(FileContainerResourceURL{
+			FileContainerResourceURL: fmt.Sprintf("http://%s/upload/%s", req.Host, runID),
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.PUT("/upload/:runId", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		itemPath := req.URL.Query().Get("itemPath")
+		runID := params.ByName("runId")
+
+		if req.Header.Get("Content-Encoding") == "gzip" {
+			itemPath += gzipExtension
+		}
+
+		safeRunPath := safeResolve(baseDir, runID)
+		safePath := safeResolve(safeRunPath, itemPath)
+
+		file, err := func() (WritableFile, error) {
+			contentRange := req.Header.Get("Content-Range")
+			if contentRange != "" && !strings.HasPrefix(contentRange, "bytes 0-") {
+				return fsys.OpenAppendable(safePath)
+			}
+			return fsys.OpenWritable(safePath)
+		}()
+		if err != nil {
+			panic(err)
+		}
+		defer file.Close()
+
+		writer, ok := file.(io.Writer)
+		if !ok {
+			panic(errors.New("File is not writable"))
+		}
+
+		if req.Body == nil {
+			panic(errors.New("No body given"))
+		}
+
+		_, err = io.Copy(writer, req.Body)
+		if err != nil {
+			panic(err)
+		}
+
+		json, err := json.Marshal(ResponseMessage{
+			Message: "success",
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.PATCH("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		json, err := json.Marshal(ResponseMessage{
+			Message: "success",
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+}
+
+func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
+	router.GET("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		runID := params.ByName("runId")
+
+		safePath := safeResolve(baseDir, runID)
+
+		entries, err := fs.ReadDir(fsys, safePath)
+		if err != nil {
+			panic(err)
+		}
+
+		var list []NamedFileContainerResourceURL
+		for _, entry := range entries {
+			list = append(list, NamedFileContainerResourceURL{
+				Name:                     entry.Name(),
+				FileContainerResourceURL: fmt.Sprintf("http://%s/download/%s", req.Host, runID),
+			})
+		}
+
+		json, err := json.Marshal(NamedFileContainerResourceURLResponse{
+			Count: len(list),
+			Value: list,
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.GET("/download/:container", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		container := params.ByName("container")
+		itemPath := req.URL.Query().Get("itemPath")
+		safePath := safeResolve(baseDir, filepath.Join(container, itemPath))
+
+		var files []ContainerItem
+		err := fs.WalkDir(fsys, safePath, func(path string, entry fs.DirEntry, err error) error {
+			if !entry.IsDir() {
+				rel, err := filepath.Rel(safePath, path)
+				if err != nil {
+					panic(err)
+				}
+
+				// if it was upload as gzip
+				rel = strings.TrimSuffix(rel, gzipExtension)
+				path := filepath.Join(itemPath, rel)
+
+				rel = filepath.ToSlash(rel)
+				path = filepath.ToSlash(path)
+
+				files = append(files, ContainerItem{
+					Path:            path,
+					ItemType:        "file",
+					ContentLocation: fmt.Sprintf("http://%s/artifact/%s/%s/%s", req.Host, container, itemPath, rel),
+				})
+			}
+			return nil
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		json, err := json.Marshal(ContainerItemResponse{
+			Value: files,
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.GET("/artifact/*path", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		path := params.ByName("path")[1:]
+
+		safePath := safeResolve(baseDir, path)
+
+		file, err := fsys.Open(safePath)
+		if err != nil {
+			// try gzip file
+			file, err = fsys.Open(safePath + gzipExtension)
+			if err != nil {
+				panic(err)
+			}
+			w.Header().Add("Content-Encoding", "gzip")
+		}
+
+		_, err = io.Copy(w, file)
+		if err != nil {
+			panic(err)
+		}
+	})
+}
+
+func Serve(ctx context.Context, artifactPath, addr, port string) context.CancelFunc {
+	serverContext, cancel := context.WithCancel(ctx)
+	logger := common.Logger(serverContext)
+
+	if artifactPath == "" {
+		return cancel
+	}
+
+	router := httprouter.New()
+
+	logger.Debugf("Artifacts base path '%s'", artifactPath)
+	fsys := readWriteFSImpl{}
+	uploads(router, artifactPath, fsys)
+	downloads(router, artifactPath, fsys)
+
+	server := &http.Server{
+		Addr:              fmt.Sprintf("%s:%s", addr, port),
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+
+	// run server
+	go func() {
+		logger.Infof("Start server on http://%s:%s", addr, port)
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			logger.Fatal(err)
+		}
+	}()
+
+	// wait for cancel to gracefully shutdown server
+	go func() {
+		<-serverContext.Done()
+
+		if err := server.Shutdown(ctx); err != nil {
+			logger.Errorf("Failed shutdown gracefully - force shutdown: %v", err)
+			server.Close()
+		}
+	}()
+
+	return cancel
+}
--- a/act/artifacts/server_test.go
+++ b/act/artifacts/server_test.go
@@ -0,0 +1,444 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifacts
+
+import (
+	"bytes"
+	"compress/gzip"
+	"encoding/json"
+	"fmt"
+	"io"
+	"maps"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"testing/fstest"
+	"time"
+
+	"github.com/julienschmidt/httprouter"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type writableMapFile struct {
+	fstest.MapFile
+}
+
+func (f *writableMapFile) Write(data []byte) (int, error) {
+	f.Data = data
+	return len(data), nil
+}
+
+func (f *writableMapFile) Close() error {
+	return nil
+}
+
+type writeMapFS struct {
+	fstest.MapFS
+}
+
+func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
+	file := &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
+}
+
+func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
+	file := &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
+}
+
+func TestNewArtifactUploadPrepare(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPost, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := FileContainerResourceURL{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("http://localhost/upload/1", response.FileContainerResourceURL)
+}
+
+func TestArtifactUploadBlob(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
+}
+
+func TestFinalizeArtifactUpload(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPatch, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+}
+
+func TestListArtifacts(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/file.txt": {
+			Data: []byte(""),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	response := NamedFileContainerResourceURLResponse{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(1, response.Count)
+	assert.Equal("file.txt", response.Value[0].Name)
+	assert.Equal("http://localhost/download/1", response.Value[0].FileContainerResourceURL)
+}
+
+func TestListArtifactContainer(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/some/file": {
+			Data: []byte(""),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/download/1?itemPath=some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	response := ContainerItemResponse{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Len(response.Value, 1)
+	assert.Equal("some/file", response.Value[0].Path)
+	assert.Equal("file", response.Value[0].ItemType)
+	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
+}
+
+func TestDownloadArtifactFile(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/some/file": {
+			Data: []byte("content"),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/1/some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	data := rr.Body.Bytes()
+
+	assert.Equal("content", string(data))
+}
+
+// TestArtifactFlow drives the real Serve() artifact server over a loopback socket, exercising
+// the same upload -> finalize -> list -> download protocol the upload-artifact/download-artifact
+// actions speak. Running it in-process (rather than from a job container) keeps it network-free
+// and reachable everywhere, including when the CI job is itself a container.
+func TestArtifactFlow(t *testing.T) {
+	artifactPath := t.TempDir()
+
+	// Serve the exact routes Serve() wires up, on a real loopback socket via httptest. httptest
+	// picks a free port and Close() tears the server down synchronously — avoiding both the
+	// port-rebind race and Serve()'s detached ListenAndServe goroutine, which logger.Fatal()s
+	// (process exit) on a bind error and can outlive the test's temp-dir cleanup.
+	router := httprouter.New()
+	fsys := readWriteFSImpl{}
+	uploads(router, artifactPath, fsys)
+	downloads(router, artifactPath, fsys)
+	server := httptest.NewServer(router)
+	defer server.Close()
+
+	baseURL := server.URL
+	client := server.Client()
+	client.Timeout = 5 * time.Second
+
+	// request performs one HTTP call and returns the status and body. The default transport adds
+	// Accept-Encoding: gzip and transparently decompresses, so gzipped downloads come back plain.
+	request := func(t *testing.T, method, rawURL string, body io.Reader, header http.Header) (int, []byte) {
+		t.Helper()
+		req, err := http.NewRequest(method, rawURL, body)
+		require.NoError(t, err)
+		maps.Copy(req.Header, header)
+		resp, err := client.Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+		data, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		return resp.StatusCode, data
+	}
+
+	t.Run("upload-and-download", func(t *testing.T) {
+		const runID, item, content = "1", "my-artifact/data.txt", "hello artifact\n"
+
+		status, data := request(t, http.MethodPost, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+		var prep FileContainerResourceURL
+		require.NoError(t, json.Unmarshal(data, &prep))
+		require.Equal(t, baseURL+"/upload/"+runID, prep.FileContainerResourceURL)
+
+		status, data = request(t, http.MethodPut, prep.FileContainerResourceURL+"?itemPath="+url.QueryEscape(item), strings.NewReader(content), nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+		var msg ResponseMessage
+		require.NoError(t, json.Unmarshal(data, &msg))
+		require.Equal(t, "success", msg.Message)
+
+		status, data = request(t, http.MethodPatch, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+
+		status, data = request(t, http.MethodGet, baseURL+"/_apis/pipelines/workflows/"+runID+"/artifacts", nil, nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+		var list NamedFileContainerResourceURLResponse
+		require.NoError(t, json.Unmarshal(data, &list))
+		require.Equal(t, 1, list.Count)
+		require.Equal(t, "my-artifact", list.Value[0].Name)
+
+		status, data = request(t, http.MethodGet, list.Value[0].FileContainerResourceURL+"?itemPath=my-artifact", nil, nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+		var items ContainerItemResponse
+		require.NoError(t, json.Unmarshal(data, &items))
+		require.Len(t, items.Value, 1)
+		require.Equal(t, "file", items.Value[0].ItemType)
+		require.Equal(t, "my-artifact/data.txt", items.Value[0].Path)
+
+		status, data = request(t, http.MethodGet, items.Value[0].ContentLocation, nil, nil)
+		require.Equal(t, http.StatusOK, status)
+		require.Equal(t, content, string(data))
+
+		stored, err := os.ReadFile(filepath.Join(artifactPath, runID, "my-artifact", "data.txt"))
+		require.NoError(t, err)
+		require.Equal(t, content, string(stored))
+	})
+
+	t.Run("gzip-roundtrip", func(t *testing.T) {
+		const runID, item, content = "2", "logs/app.log", "compressed payload\n"
+
+		var buf bytes.Buffer
+		gz := gzip.NewWriter(&buf)
+		_, err := gz.Write([]byte(content))
+		require.NoError(t, err)
+		require.NoError(t, gz.Close())
+
+		status, data := request(t, http.MethodPut, baseURL+"/upload/"+runID+"?itemPath="+url.QueryEscape(item),
+			&buf, http.Header{"Content-Encoding": []string{"gzip"}})
+		require.Equal(t, http.StatusOK, status, string(data))
+
+		// stored compressed, with the server's gzip marker suffix
+		_, err = os.Stat(filepath.Join(artifactPath, runID, "logs", "app.log.gz__"))
+		require.NoError(t, err)
+
+		status, data = request(t, http.MethodGet, baseURL+"/download/"+runID+"?itemPath=logs", nil, nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+		var items ContainerItemResponse
+		require.NoError(t, json.Unmarshal(data, &items))
+		require.Len(t, items.Value, 1)
+		require.Equal(t, "logs/app.log", items.Value[0].Path)
+
+		status, data = request(t, http.MethodGet, items.Value[0].ContentLocation, nil, nil)
+		require.Equal(t, http.StatusOK, status)
+		require.Equal(t, content, string(data))
+	})
+
+	// GHSL-2023-004: an itemPath that climbs out of the run directory must be neutralised so the
+	// blob cannot be written outside the artifact root.
+	t.Run("GHSL-2023-004", func(t *testing.T) {
+		const runID, content = "3", "contained\n"
+
+		status, data := request(t, http.MethodPut, baseURL+"/upload/"+runID+"?itemPath="+url.QueryEscape("../../escape.txt"),
+			strings.NewReader(content), nil)
+		require.Equal(t, http.StatusOK, status, string(data))
+
+		stored, err := os.ReadFile(filepath.Join(artifactPath, runID, "escape.txt"))
+		require.NoError(t, err)
+		require.Equal(t, content, string(stored))
+
+		_, err = os.Stat(filepath.Join(filepath.Dir(artifactPath), "escape.txt"))
+		require.True(t, os.IsNotExist(err), "upload escaped the artifact root")
+
+		status, data = request(t, http.MethodGet, baseURL+"/artifact/"+runID+"/escape.txt", nil, nil)
+		require.Equal(t, http.StatusOK, status)
+		require.Equal(t, content, string(data))
+	})
+}
+
+func TestMkdirFsImplSafeResolve(t *testing.T) {
+	assert := assert.New(t)
+
+	baseDir := "/foo/bar"
+
+	tests := map[string]struct {
+		input string
+		want  string
+	}{
+		"simple":         {input: "baz", want: "/foo/bar/baz"},
+		"nested":         {input: "baz/blue", want: "/foo/bar/baz/blue"},
+		"dots in middle": {input: "baz/../../blue", want: "/foo/bar/blue"},
+		"leading dots":   {input: "../../parent", want: "/foo/bar/parent"},
+		"root path":      {input: "/root", want: "/foo/bar/root"},
+		"root":           {input: "/", want: "/foo/bar"},
+		"empty":          {input: "", want: "/foo/bar"},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(tc.want, safeResolve(baseDir, tc.input))
+		})
+	}
+}
+
+func TestDownloadArtifactFileUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/some/file": {
+			Data: []byte("content"),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/2/../../some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	data := rr.Body.Bytes()
+
+	assert.Equal("content", string(data))
+}
+
+func TestArtifactUploadBlobUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
+}
--- a/act/common/cartesian.go
+++ b/act/common/cartesian.go
@@ -0,0 +1,60 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import "slices"
+
+// CartesianProduct takes map of lists and returns list of unique tuples
+func CartesianProduct(mapOfLists map[string][]any) []map[string]any {
+	listNames := make([]string, 0)
+	lists := make([][]any, 0)
+	for k, v := range mapOfLists {
+		listNames = append(listNames, k)
+		lists = append(lists, v)
+	}
+
+	listCart := cartN(lists...)
+
+	rtn := make([]map[string]any, 0)
+	for _, list := range listCart {
+		vMap := make(map[string]any)
+		for i, v := range list {
+			vMap[listNames[i]] = v
+		}
+		rtn = append(rtn, vMap)
+	}
+	return rtn
+}
+
+func cartN(a ...[]any) [][]any {
+	c := 1
+	for _, a := range a {
+		c *= len(a)
+	}
+	if c == 0 || len(a) == 0 {
+		return nil
+	}
+	p := make([][]any, c)
+	b := make([]any, c*len(a))
+	n := make([]int, len(a))
+	s := 0
+	for i := range p {
+		e := s + len(a)
+		pi := b[s:e]
+		p[i] = pi
+		s = e
+		for j, n := range n {
+			pi[j] = a[j][n]
+		}
+		for j := range slices.Backward(n) {
+			n[j]++
+			if n[j] < len(a[j]) {
+				break
+			}
+			n[j] = 0
+		}
+	}
+	return p
+}
--- a/act/common/cartesian_test.go
+++ b/act/common/cartesian_test.go
@@ -0,0 +1,43 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCartesianProduct(t *testing.T) {
+	assert := assert.New(t)
+	input := map[string][]any{
+		"foo": {1, 2, 3, 4},
+		"bar": {"a", "b", "c"},
+		"baz": {false, true},
+	}
+
+	output := CartesianProduct(input)
+	assert.Len(output, 24)
+
+	for _, v := range output {
+		assert.Len(v, 3)
+
+		assert.Contains(v, "foo")
+		assert.Contains(v, "bar")
+		assert.Contains(v, "baz")
+	}
+
+	input = map[string][]any{
+		"foo": {1, 2, 3, 4},
+		"bar": {},
+		"baz": {false, true},
+	}
+	output = CartesianProduct(input)
+	assert.Empty(output)
+
+	input = map[string][]any{}
+	output = CartesianProduct(input)
+	assert.Empty(output)
+}
--- a/act/common/dryrun.go
+++ b/act/common/dryrun.go
@@ -0,0 +1,29 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+)
+
+type dryrunContextKey string
+
+const dryrunContextKeyVal = dryrunContextKey("dryrun")
+
+// Dryrun returns true if the current context is dryrun
+func Dryrun(ctx context.Context) bool {
+	val := ctx.Value(dryrunContextKeyVal)
+	if val != nil {
+		if dryrun, ok := val.(bool); ok {
+			return dryrun
+		}
+	}
+	return false
+}
+
+// WithDryrun adds a value to the context for dryrun
+func WithDryrun(ctx context.Context, dryrun bool) context.Context {
+	return context.WithValue(ctx, dryrunContextKeyVal, dryrun)
+}
--- a/act/common/executor.go
+++ b/act/common/executor.go
@@ -0,0 +1,201 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"fmt"
+	"runtime/debug"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// Executor define contract for the steps of a workflow
+type Executor func(ctx context.Context) error
+
+// Conditional define contract for the conditional predicate
+type Conditional func(ctx context.Context) bool
+
+// NewInfoExecutor is an executor that logs messages
+func NewInfoExecutor(format string, args ...any) Executor {
+	return func(ctx context.Context) error {
+		logger := Logger(ctx)
+		logger.Infof(format, args...)
+		return nil
+	}
+}
+
+// NewDebugExecutor is an executor that logs messages
+func NewDebugExecutor(format string, args ...any) Executor {
+	return func(ctx context.Context) error {
+		logger := Logger(ctx)
+		logger.Debugf(format, args...)
+		return nil
+	}
+}
+
+// NewPipelineExecutor creates a new executor from a series of other executors
+func NewPipelineExecutor(executors ...Executor) Executor {
+	if len(executors) == 0 {
+		return func(ctx context.Context) error {
+			return nil
+		}
+	}
+	var rtn Executor
+	for _, executor := range executors {
+		if rtn == nil {
+			rtn = executor
+		} else {
+			rtn = rtn.Then(executor)
+		}
+	}
+	return rtn
+}
+
+// NewConditionalExecutor creates a new executor based on conditions
+func NewConditionalExecutor(conditional Conditional, trueExecutor, falseExecutor Executor) Executor {
+	return func(ctx context.Context) error {
+		if conditional(ctx) {
+			if trueExecutor != nil {
+				return trueExecutor(ctx)
+			}
+		} else {
+			if falseExecutor != nil {
+				return falseExecutor(ctx)
+			}
+		}
+		return nil
+	}
+}
+
+// NewErrorExecutor creates a new executor that always errors out
+func NewErrorExecutor(err error) Executor {
+	return func(ctx context.Context) error {
+		return err
+	}
+}
+
+// NewParallelExecutor creates a new executor from a parallel of other executors
+func NewParallelExecutor(parallel int, executors ...Executor) Executor {
+	if len(executors) == 0 {
+		return func(ctx context.Context) error {
+			return ctx.Err()
+		}
+	}
+
+	return func(ctx context.Context) error {
+		work := make(chan Executor, len(executors))
+		errs := make(chan error, len(executors))
+
+		if 1 > parallel {
+			log.Debugf("Parallel tasks (%d) below minimum, setting to 1", parallel)
+			parallel = 1
+		}
+
+		log.Infof("NewParallelExecutor: Creating %d workers for %d executors", parallel, len(executors))
+
+		for i := 0; i < parallel; i++ {
+			go func(workerID int, work <-chan Executor, errs chan<- error) {
+				log.Debugf("Worker %d started", workerID)
+				taskCount := 0
+				for executor := range work {
+					taskCount++
+					log.Debugf("Worker %d executing task %d", workerID, taskCount)
+					// Recover from panics in executors to avoid crashing the worker
+					// goroutine which would leave the runner process hung.
+					// https://gitea.com/gitea/runner/issues/371
+					errs <- func() (err error) {
+						defer func() {
+							if r := recover(); r != nil {
+								log.Errorf("panic in executor: %v\n%s", r, debug.Stack())
+								err = fmt.Errorf("panic: %v", r)
+							}
+						}()
+						return executor(ctx)
+					}()
+				}
+				log.Debugf("Worker %d finished (%d tasks executed)", workerID, taskCount)
+			}(i, work, errs)
+		}
+
+		for i := range executors {
+			work <- executors[i]
+		}
+		close(work)
+
+		// Executor waits all executors to cleanup these resources.
+		var firstErr error
+		for range executors {
+			err := <-errs
+			if firstErr == nil {
+				firstErr = err
+			}
+		}
+
+		if err := ctx.Err(); err != nil {
+			return err
+		}
+		return firstErr
+	}
+}
+
+// Then runs another executor if this executor succeeds
+func (e Executor) Then(then Executor) Executor {
+	return func(ctx context.Context) error {
+		if err := e(ctx); err != nil {
+			return err
+		}
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		return then(ctx)
+	}
+}
+
+// If only runs this executor if conditional is true
+func (e Executor) If(conditional Conditional) Executor {
+	return func(ctx context.Context) error {
+		if conditional(ctx) {
+			return e(ctx)
+		}
+		return nil
+	}
+}
+
+// IfNot only runs this executor if conditional is true
+func (e Executor) IfNot(conditional Conditional) Executor {
+	return func(ctx context.Context) error {
+		if !conditional(ctx) {
+			return e(ctx)
+		}
+		return nil
+	}
+}
+
+// IfBool only runs this executor if conditional is true
+func (e Executor) IfBool(conditional bool) Executor {
+	return e.If(func(ctx context.Context) bool {
+		return conditional
+	})
+}
+
+// Finally adds an executor to run after other executor
+func (e Executor) Finally(finally Executor) Executor {
+	return func(ctx context.Context) error {
+		err := e(ctx)
+		err2 := finally(ctx)
+		if err2 != nil {
+			return fmt.Errorf("Error occurred running finally: %v (original error: %v)", err2, err)
+		}
+		return err
+	}
+}
+
+// Not return an inverted conditional
+func (c Conditional) Not() Conditional {
+	return func(ctx context.Context) bool {
+		return !c(ctx)
+	}
+}
--- a/act/common/executor_max_parallel_test.go
+++ b/act/common/executor_max_parallel_test.go
@@ -0,0 +1,89 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Simple fast test that verifies max-parallel: 2 limits concurrency
+func TestMaxParallel2Quick(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+
+	executors := make([]Executor, 4)
+	for i := range 4 {
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(10 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(2, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.LessOrEqual(t, maxSimultaneous.Load(), int32(2),
+		"Should not exceed max-parallel: 2")
+}
+
+// Test that verifies max-parallel: 1 enforces sequential execution
+func TestMaxParallel1Sequential(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+	var executionOrder []int
+	var orderMutex sync.Mutex
+
+	executors := make([]Executor, 5)
+	for i := range 5 {
+		taskID := i
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Track execution order
+			orderMutex.Lock()
+			executionOrder = append(executionOrder, taskID)
+			orderMutex.Unlock()
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(20 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(1, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, int32(1), maxSimultaneous.Load(),
+		"max-parallel: 1 should only run 1 task at a time")
+	assert.Len(t, executionOrder, 5, "All 5 tasks should have executed")
+}
--- a/act/common/executor_parallel_advanced_test.go
+++ b/act/common/executor_parallel_advanced_test.go
@@ -0,0 +1,221 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestMaxParallelJobExecution tests actual job execution with max-parallel
+func TestMaxParallelJobExecution(t *testing.T) {
+	t.Run("MaxParallel=1 Sequential", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+		var executionOrder []int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				// Track max concurrent
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				mu.Lock()
+				executionOrder = append(executionOrder, taskID)
+				mu.Unlock()
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(1, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should never exceed 1 concurrent execution")
+		assert.Len(t, executionOrder, 5, "All tasks should execute")
+	})
+
+	t.Run("MaxParallel=3 Limited", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(20 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.LessOrEqual(t, int(maxConcurrent), 3, "Should never exceed 3 concurrent executions")
+		assert.GreaterOrEqual(t, int(maxConcurrent), 1, "Should have at least 1 concurrent execution")
+	})
+
+	t.Run("MaxParallel=0 Uses1Worker", func(t *testing.T) {
+		var maxConcurrent int32
+		var currentRunning atomic.Int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		// When maxParallel is 0 or negative, it defaults to 1
+		err := NewParallelExecutor(0, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should use 1 worker when max-parallel is 0")
+	})
+}
+
+// TestMaxParallelWithErrors tests error handling with max-parallel
+func TestMaxParallelWithErrors(t *testing.T) {
+	t.Run("OneTaskFailsOthersContinue", func(t *testing.T) {
+		var successCount int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				if taskID == 2 {
+					return assert.AnError
+				}
+				atomic.AddInt32(&successCount, 1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(2, executors...)(ctx)
+
+		// Should return the error from task 2
+		assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Other tasks should still execute
+		assert.Equal(t, int32(4), successCount, "4 tasks should succeed")
+	})
+
+	t.Run("ContextCancellation", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(context.Background())
+
+		var startedCount int32
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				atomic.AddInt32(&startedCount, 1)
+				time.Sleep(100 * time.Millisecond)
+				return nil
+			}
+		}
+
+		// Cancel after a short delay
+		go func() {
+			time.Sleep(30 * time.Millisecond)
+			cancel()
+		}()
+
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.Error(t, err)                     //nolint:testifylint // pre-existing issue from nektos/act
+		assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Not all tasks should start due to cancellation (but timing may vary)
+		// Just verify cancellation occurred
+		t.Logf("Started %d tasks before cancellation", startedCount)
+	})
+}
+
+// TestMaxParallelResourceSharing tests resource sharing scenarios
+func TestMaxParallelResourceSharing(t *testing.T) {
+	t.Run("SharedResourceWithMutex", func(t *testing.T) {
+		var sharedCounter int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 100)
+		for i := range 100 {
+			executors[i] = func(ctx context.Context) error {
+				mu.Lock()
+				sharedCounter++
+				mu.Unlock()
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(10, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, 100, sharedCounter, "All tasks should increment counter")
+	})
+
+	t.Run("ChannelCommunication", func(t *testing.T) {
+		resultChan := make(chan int, 50)
+
+		executors := make([]Executor, 50)
+		for i := range 50 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				resultChan <- taskID
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(5, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		close(resultChan)
+
+		results := make(map[int]bool)
+		for result := range resultChan {
+			results[result] = true
+		}
+
+		assert.Len(t, results, 50, "All task IDs should be received")
+	})
+}
--- a/act/common/executor_test.go
+++ b/act/common/executor_test.go
@@ -0,0 +1,172 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewWorkflow(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	// empty
+	emptyWorkflow := NewPipelineExecutor()
+	assert.NoError(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// error case
+	errorWorkflow := NewErrorExecutor(errors.New("test error"))
+	assert.Error(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// multiple success case
+	runcount := 0
+	successWorkflow := NewPipelineExecutor(
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		},
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		})
+	assert.NoError(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(2, runcount)
+}
+
+func TestNewConditionalExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	trueCount := 0
+	falseCount := 0
+
+	err := NewConditionalExecutor(func(ctx context.Context) bool {
+		return false
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(0, trueCount)
+	assert.Equal(1, falseCount)
+
+	err = NewConditionalExecutor(func(ctx context.Context) bool {
+		return true
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(1, trueCount)
+	assert.Equal(1, falseCount)
+}
+
+func TestNewParallelExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	var count, activeCount, maxCount atomic.Int32
+	emptyWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+
+		active := activeCount.Add(1)
+		for {
+			m := maxCount.Load()
+			if active <= m || maxCount.CompareAndSwap(m, active) {
+				break
+			}
+		}
+		time.Sleep(2 * time.Second)
+		activeCount.Add(-1)
+
+		return nil
+	})
+
+	err := NewParallelExecutor(2, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(2), maxCount.Load(), "should run at most 2 executors in parallel")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// Reset to test running the executor with 0 parallelism
+	count.Store(0)
+	activeCount.Store(0)
+	maxCount.Store(0)
+
+	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(1), maxCount.Load(), "should run at most 1 executors in parallel")
+	assert.NoError(errSingle)
+}
+
+func TestNewParallelExecutorEmpty(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+	require.NoError(t, NewParallelExecutor(2)(ctx))
+
+	canceledCtx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	err := NewParallelExecutor(2)(canceledCtx)
+	assert.ErrorIs(err, context.Canceled)
+}
+
+func TestNewParallelExecutorFailed(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	count := 0
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count++
+		return errors.New("fake error")
+	})
+	err := NewParallelExecutor(1, errorWorkflow)(ctx)
+	assert.Equal(1, count)
+	assert.ErrorIs(context.Canceled, err)
+}
+
+func TestNewParallelExecutorCanceled(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	errExpected := errors.New("fake error")
+
+	var count atomic.Int32
+	successWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return nil
+	})
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return errExpected
+	})
+	err := NewParallelExecutor(3, errorWorkflow, successWorkflow, successWorkflow)(ctx)
+	assert.Equal(int32(3), count.Load())
+	assert.Error(errExpected, err) //nolint:testifylint // pre-existing issue from nektos/act
+}
--- a/act/common/git/git.go
+++ b/act/common/git/git.go
@@ -0,0 +1,470 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+	"sync"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/storer"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/mattn/go-isatty"
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	codeCommitHTTPRegex = regexp.MustCompile(`^https?://git-codecommit\.(.+)\.amazonaws.com/v1/repos/(.+)$`)
+	codeCommitSSHRegex  = regexp.MustCompile(`ssh://git-codecommit\.(.+)\.amazonaws.com/v1/repos/(.+)$`)
+	githubHTTPRegex     = regexp.MustCompile(`^https?://.*github.com.*/(.+)/(.+?)(?:.git)?$`)
+	githubSSHRegex      = regexp.MustCompile(`github.com[:/](.+)/(.+?)(?:.git)?$`)
+
+	cloneLocks sync.Map // key: clone target directory; value: *sync.Mutex
+
+	ErrShortRef = errors.New("short SHA references are not supported")
+	ErrNoRepo   = errors.New("unable to find git repo")
+)
+
+// AcquireCloneLock returns an unlock function after locking the per-directory mutex for dir.
+// Only concurrent operations targeting the same directory are serialized; clones into different directories run in parallel.
+// Callers reading files inside dir (e.g. tarring a checked-out action into a job container) must hold this lock too,
+// otherwise a concurrent NewGitCloneExecutor on the same dir can mutate the worktree mid-read.
+func AcquireCloneLock(dir string) func() {
+	v, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+	mu := v.(*sync.Mutex)
+	mu.Lock()
+	return mu.Unlock
+}
+
+type Error struct {
+	err    error
+	commit string
+}
+
+func (e *Error) Error() string {
+	return e.err.Error()
+}
+
+func (e *Error) Unwrap() error {
+	return e.err
+}
+
+func (e *Error) Commit() string {
+	return e.commit
+}
+
+// goGitMu serializes go-git repository access across the process. go-git is not safe for
+// concurrent use of the same repository (even read access decodes packfiles into shared
+// state), so parallel jobs inspecting the shared workdir repo race without this. The guarded
+// operations are fast local reads; gitea runs one job per process, so the lock is effectively
+// uncontended in production.
+var goGitMu sync.Mutex
+
+// FindGitRevision get the current git revision
+func FindGitRevision(ctx context.Context, file string) (shortSha, sha string, err error) {
+	goGitMu.Lock()
+	defer goGitMu.Unlock()
+	return findGitRevision(ctx, file)
+}
+
+func findGitRevision(ctx context.Context, file string) (shortSha, sha string, err error) {
+	logger := common.Logger(ctx)
+
+	gitDir, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		logger.WithError(err).Error("path", file, "not located inside a git repository")
+		return "", "", err
+	}
+
+	head, err := gitDir.Reference(plumbing.HEAD, true)
+	if err != nil {
+		return "", "", err
+	}
+
+	if head.Hash().IsZero() {
+		return "", "", errors.New("HEAD sha1 could not be resolved")
+	}
+
+	hash := head.Hash().String()
+
+	logger.Debugf("Found revision: %s", hash)
+	return hash[:7], strings.TrimSpace(hash), nil
+}
+
+// FindGitRef get the current git ref
+func FindGitRef(ctx context.Context, file string) (string, error) {
+	goGitMu.Lock()
+	defer goGitMu.Unlock()
+
+	logger := common.Logger(ctx)
+
+	logger.Debugf("Loading revision from git directory")
+	_, ref, err := findGitRevision(ctx, file)
+	if err != nil {
+		return "", err
+	}
+
+	logger.Debugf("HEAD points to '%s'", ref)
+
+	// Prefer the git library to iterate over the references and find a matching tag or branch.
+	refTag := ""
+	refBranch := ""
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	iter, err := repo.References()
+	if err != nil {
+		return "", err
+	}
+
+	// find the reference that matches the revision's has
+	err = iter.ForEach(func(r *plumbing.Reference) error {
+		/* tags and branches will have the same hash
+		 * when a user checks out a tag, it is not mentioned explicitly
+		 * in the go-git package, we must identify the revision
+		 * then check if any tag matches that revision,
+		 * if so then we checked out a tag
+		 * else we look for branches and if matches,
+		 * it means we checked out a branch
+		 *
+		 * If a branches matches first we must continue and check all tags (all references)
+		 * in case we match with a tag later in the interation
+		 */
+		if r.Hash().String() == ref {
+			if r.Name().IsTag() {
+				refTag = r.Name().String()
+			}
+			if r.Name().IsBranch() {
+				refBranch = r.Name().String()
+			}
+		}
+
+		// we found what we where looking for
+		if refTag != "" && refBranch != "" {
+			return storer.ErrStop
+		}
+
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+
+	// order matters here see above comment.
+	if refTag != "" {
+		return refTag, nil
+	}
+	if refBranch != "" {
+		return refBranch, nil
+	}
+
+	return "", fmt.Errorf("failed to identify reference (tag/branch) for the checked-out revision '%s'", ref)
+}
+
+// FindGithubRepo get the repo
+func FindGithubRepo(ctx context.Context, file, githubInstance, remoteName string) (string, error) {
+	goGitMu.Lock()
+	defer goGitMu.Unlock()
+	if remoteName == "" {
+		remoteName = "origin"
+	}
+
+	url, err := findGitRemoteURL(ctx, file, remoteName)
+	if err != nil {
+		return "", err
+	}
+	_, slug, err := findGitSlug(url, githubInstance)
+	return slug, err
+}
+
+func findGitRemoteURL(_ context.Context, file, remoteName string) (string, error) {
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	remote, err := repo.Remote(remoteName)
+	if err != nil {
+		return "", err
+	}
+
+	if len(remote.Config().URLs) < 1 {
+		return "", fmt.Errorf("remote '%s' exists but has no URL", remoteName)
+	}
+
+	return remote.Config().URLs[0], nil
+}
+
+func findGitSlug(url, githubInstance string) (string, string, error) { //nolint:unparam // pre-existing issue from nektos/act
+	if matches := codeCommitHTTPRegex.FindStringSubmatch(url); matches != nil {
+		return "CodeCommit", matches[2], nil
+	} else if matches := codeCommitSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "CodeCommit", matches[2], nil
+	} else if matches := githubHTTPRegex.FindStringSubmatch(url); matches != nil {
+		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+	} else if matches := githubSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+	} else if githubInstance != "github.com" {
+		gheHTTPRegex := regexp.MustCompile(fmt.Sprintf(`^https?://%s/(.+)/(.+?)(?:.git)?$`, githubInstance))
+		gheSSHRegex := regexp.MustCompile(githubInstance + "[:/](.+)/(.+?)(?:.git)?$")
+		if matches := gheHTTPRegex.FindStringSubmatch(url); matches != nil {
+			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+		} else if matches := gheSSHRegex.FindStringSubmatch(url); matches != nil {
+			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+		}
+	}
+	return "", url, nil
+}
+
+// NewGitCloneExecutorInput the input for the NewGitCloneExecutor
+type NewGitCloneExecutorInput struct {
+	URL         string
+	Ref         string
+	Dir         string
+	Token       string
+	OfflineMode bool
+
+	// For Gitea
+	InsecureSkipTLS bool
+}
+
+// CloneIfRequired returns the repository and a boolean indicating whether an existing local clone was reused.
+func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input NewGitCloneExecutorInput, logger log.FieldLogger) (*git.Repository, bool, error) {
+	r, err := git.PlainOpen(input.Dir)
+	if err == nil {
+		// Verify the cached clone still points to the resolved URL before reusing it.
+		remote, err := r.Remote("origin")
+		if err == nil && len(remote.Config().URLs) > 0 && remote.Config().URLs[0] == input.URL {
+			// Reuse existing clone
+			return r, true, nil
+		}
+
+		if err != nil {
+			logger.Debugf("Removing cached clone at %s because origin cannot be read: %v", input.Dir, err)
+		} else if len(remote.Config().URLs) == 0 {
+			logger.Debugf("Removing cached clone at %s because origin has no URL", input.Dir)
+		} else {
+			logger.Debugf("Removing cached clone at %s because origin URL changed from %s to %s", input.Dir, remote.Config().URLs[0], input.URL)
+		}
+		if err := os.RemoveAll(input.Dir); err != nil {
+			return nil, false, fmt.Errorf("remove cached clone %s: %w", input.Dir, err)
+		}
+	}
+
+	var progressWriter io.Writer
+	if isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd()) {
+		if entry, ok := logger.(*log.Entry); ok {
+			progressWriter = entry.WriterLevel(log.DebugLevel)
+		} else if lgr, ok := logger.(*log.Logger); ok {
+			progressWriter = lgr.WriterLevel(log.DebugLevel)
+		} else {
+			log.Errorf("Unable to get writer from logger (type=%T)", logger)
+			progressWriter = os.Stdout
+		}
+	}
+
+	cloneOptions := git.CloneOptions{
+		URL:      input.URL,
+		Progress: progressWriter,
+
+		InsecureSkipTLS: input.InsecureSkipTLS, // For Gitea
+	}
+	if input.Token != "" {
+		cloneOptions.Auth = &http.BasicAuth{
+			Username: "token",
+			Password: input.Token,
+		}
+	}
+
+	r, err = git.PlainCloneContext(ctx, input.Dir, false, &cloneOptions)
+	if err != nil {
+		logger.Errorf("Unable to clone %v %s: %v", input.URL, refName, err)
+		return nil, false, err
+	}
+
+	if err = os.Chmod(input.Dir, 0o755); err != nil {
+		return nil, false, err
+	}
+
+	return r, false, nil
+}
+
+func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.PullOptions) {
+	fetchOptions.RefSpecs = []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"}
+	fetchOptions.Force = true
+	pullOptions.Force = true
+
+	if token != "" {
+		auth := &http.BasicAuth{
+			Username: "token",
+			Password: token,
+		}
+		fetchOptions.Auth = auth
+		pullOptions.Auth = auth
+	}
+
+	return fetchOptions, pullOptions
+}
+
+// NewGitCloneExecutor creates an executor to clone git repos
+func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Infof("git clone '%s' # ref=%s", input.URL, input.Ref)
+		logger.Debugf("  cloning %s to %s", input.URL, input.Dir)
+
+		defer AcquireCloneLock(input.Dir)()
+
+		refName := plumbing.ReferenceName("refs/heads/" + input.Ref)
+		r, reused, err := CloneIfRequired(ctx, refName, input, logger)
+		if err != nil {
+			return err
+		}
+
+		isOfflineMode := input.OfflineMode
+
+		// fetch latest changes
+		fetchOptions, pullOptions := gitOptions(input.Token)
+
+		if input.InsecureSkipTLS { // For Gitea
+			fetchOptions.InsecureSkipTLS = true
+			pullOptions.InsecureSkipTLS = true
+		}
+
+		if !isOfflineMode {
+			err = r.Fetch(&fetchOptions)
+			if err != nil && !errors.Is(err, git.NoErrAlreadyUpToDate) {
+				return err
+			}
+		}
+
+		var hash *plumbing.Hash
+		rev := plumbing.Revision(input.Ref)
+		if hash, err = r.ResolveRevision(rev); err != nil {
+			// ResolveRevision returns a nil hash on error, and a branch ref legitimately fails
+			// here (no local refs/heads/<ref>); the duck-typing below resolves it.
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+		} else if hash.String() != input.Ref && strings.HasPrefix(hash.String(), input.Ref) {
+			return &Error{
+				err:    ErrShortRef,
+				commit: hash.String(),
+			}
+		}
+
+		// At this point we need to know if it's a tag or a branch
+		// And the easiest way to do it is duck typing
+		//
+		// If err is nil, it's a tag so let's proceed with that hash like we would if
+		// it was a sha
+		refType := "tag"
+		rev = plumbing.Revision(path.Join("refs", "tags", input.Ref))
+		if _, err := r.Tag(input.Ref); errors.Is(err, git.ErrTagNotFound) {
+			rName := plumbing.ReferenceName(path.Join("refs", "remotes", "origin", input.Ref))
+			if _, err := r.Reference(rName, false); errors.Is(err, plumbing.ErrReferenceNotFound) {
+				refType = "sha"
+				rev = plumbing.Revision(input.Ref)
+			} else {
+				refType = "branch"
+				rev = plumbing.Revision(rName)
+			}
+		}
+
+		if hash, err = r.ResolveRevision(rev); err != nil {
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+			return err
+		}
+
+		var w *git.Worktree
+		if w, err = r.Worktree(); err != nil {
+			return err
+		}
+
+		// If the hash resolved doesn't match the ref provided in a workflow then we're
+		// using a branch or tag ref, not a sha
+		//
+		// Repos on disk point to commit hashes, and need to checkout input.Ref before
+		// we try and pull down any changes
+		if hash.String() != input.Ref && refType == "branch" {
+			logger.Debugf("Provided ref is not a sha. Checking out branch before pulling changes")
+			sourceRef := plumbing.ReferenceName(path.Join("refs", "remotes", "origin", input.Ref))
+			if err = w.Checkout(&git.CheckoutOptions{
+				Branch: sourceRef,
+				Force:  true,
+			}); err != nil {
+				logger.Errorf("Unable to checkout %s: %v", sourceRef, err)
+				return err
+			}
+		}
+
+		reusedMsg := ""
+
+		if !isOfflineMode {
+			if err = w.Pull(&pullOptions); err != nil && err != git.NoErrAlreadyUpToDate {
+				logger.Debugf("Unable to pull %s: %v", refName, err)
+			}
+		} else if reused {
+			reusedMsg = " (reused in offline mode)"
+		}
+
+		logger.Debugf("Cloned %s to %s%s", input.URL, input.Dir, reusedMsg)
+
+		if hash.String() != input.Ref && refType == "branch" {
+			logger.Debugf("Provided ref is not a sha. Updating branch ref after pull")
+			if hash, err = r.ResolveRevision(rev); err != nil {
+				logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+				return err
+			}
+		}
+		if err = w.Checkout(&git.CheckoutOptions{
+			Hash:  *hash,
+			Force: true,
+		}); err != nil {
+			logger.Errorf("Unable to checkout %s: %v", *hash, err)
+			return err
+		}
+
+		if err = w.Reset(&git.ResetOptions{
+			Mode:   git.HardReset,
+			Commit: *hash,
+		}); err != nil {
+			logger.Errorf("Unable to reset to %s: %v", hash.String(), err)
+			return err
+		}
+
+		logger.Debugf("Checked out %s", input.Ref)
+		return nil
+	}
+}
--- a/act/common/git/git_test.go
+++ b/act/common/git/git_test.go
@@ -0,0 +1,465 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindGitSlug(t *testing.T) {
+	assert := assert.New(t)
+
+	slugTests := []struct {
+		url      string // input
+		provider string // expected result
+		slug     string // expected result
+	}{
+		{"https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name", "CodeCommit", "my-repo-name"},
+		{"ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/my-repo", "CodeCommit", "my-repo"},
+		{"git@github.com:nektos/act.git", "GitHub", "nektos/act"},
+		{"git@github.com:nektos/act", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act", "GitHub", "nektos/act"},
+		{"git+ssh://git@github.com/owner/repo.git", "GitHub", "owner/repo"},
+		{"http://myotherrepo.com/act.git", "", "http://myotherrepo.com/act.git"},
+	}
+
+	for _, tt := range slugTests {
+		provider, slug, err := findGitSlug(tt.url, "github.com")
+
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.Equal(tt.provider, provider)
+		assert.Equal(tt.slug, slug)
+	}
+}
+
+func cleanGitHooks(dir string) error {
+	hooksDir := filepath.Join(dir, ".git", "hooks")
+	files, err := os.ReadDir(hooksDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	for _, f := range files {
+		if f.IsDir() {
+			continue
+		}
+		relName := filepath.Join(hooksDir, f.Name())
+		if err := os.Remove(relName); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func TestFindGitRemoteURL(t *testing.T) {
+	assert := assert.New(t)
+
+	basedir := t.TempDir()
+	err := gitCmd("init", basedir)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	err = cleanGitHooks(basedir)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	remoteURL := "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name"
+	err = gitCmd("-C", basedir, "remote", "add", "origin", remoteURL)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	u, err := findGitRemoteURL(context.Background(), basedir, "origin")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(remoteURL, u)
+
+	remoteURL = "git@github.com/AwesomeOwner/MyAwesomeRepo.git"
+	err = gitCmd("-C", basedir, "remote", "add", "upstream", remoteURL)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	u, err = findGitRemoteURL(context.Background(), basedir, "upstream")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(remoteURL, u)
+}
+
+func TestGitFindRef(t *testing.T) {
+	basedir := t.TempDir()
+
+	for name, tt := range map[string]struct {
+		Prepare func(t *testing.T, dir string)
+		Assert  func(t *testing.T, ref string, err error)
+	}{
+		"new_repo": {
+			Prepare: func(t *testing.T, dir string) {},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.Error(t, err)
+			},
+		},
+		"new_repo_with_commit": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/master", ref)
+			},
+		},
+		"current_head_is_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "commit msg"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.2.3"))
+				require.NoError(t, gitCmd("-C", dir, "checkout", "v1.2.3"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/tags/v1.2.3", ref)
+			},
+		},
+		"current_head_is_same_as_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "1.4.2 release"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/tags/v1.4.2", ref)
+			},
+		},
+		"current_head_is_not_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg2"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/master", ref)
+			},
+		},
+		"current_head_is_another_branch": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "checkout", "-b", "mybranch"))
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/mybranch", ref)
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			dir := filepath.Join(basedir, name)
+			require.NoError(t, os.MkdirAll(dir, 0o755))
+			require.NoError(t, gitCmd("-C", dir, "init", "--initial-branch=master"))
+			require.NoError(t, cleanGitHooks(dir))
+			tt.Prepare(t, dir)
+			ref, err := FindGitRef(context.Background(), dir)
+			tt.Assert(t, ref, err)
+		})
+	}
+}
+
+func TestGitCloneExecutor(t *testing.T) {
+	// Build a local bare "remote" so this runs offline and fast. The cases below mirror
+	// the tag/branch/sha/short-sha ref paths the executor handles, formerly exercised by
+	// cloning actions/checkout and anchore/scan-action over the network.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "tag", "v2"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "v2"))
+
+	// A branch with a dash in the name (mirrors the historical scan-action@act-fails case).
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "act-fails"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "branch-commit"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "act-fails"))
+
+	out, err := exec.Command("git", "-C", workDir, "rev-parse", "main").Output()
+	require.NoError(t, err)
+	fullSha := strings.TrimSpace(string(out))
+
+	for name, tt := range map[string]struct {
+		Err error
+		Ref string
+	}{
+		"tag": {
+			Err: nil,
+			Ref: "v2",
+		},
+		"branch": {
+			Err: nil,
+			Ref: "act-fails",
+		},
+		"sha": {
+			Err: nil,
+			Ref: fullSha,
+		},
+		"short-sha": {
+			Err: &Error{ErrShortRef, fullSha},
+			Ref: fullSha[:7],
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+				URL: remoteDir,
+				Ref: tt.Ref,
+				Dir: t.TempDir(),
+			})
+
+			err := clone(context.Background())
+			if tt.Err != nil {
+				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.Err, err)
+			} else {
+				assert.Empty(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			}
+		})
+	}
+}
+
+func TestGitCloneExecutorReclonesWhenOriginURLChanges(t *testing.T) {
+	createRemote := func(message string) string {
+		remoteDir := t.TempDir()
+		require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+		workDir := t.TempDir()
+		require.NoError(t, gitCmd("clone", remoteDir, workDir))
+		require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+		require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", message))
+		require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+		return remoteDir
+	}
+
+	oldRemoteDir := createRemote("old-action")
+	newRemoteDir := createRemote("new-action")
+	cacheDir := t.TempDir()
+
+	require.NoError(t, NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: oldRemoteDir,
+		Ref: "main",
+		Dir: cacheDir,
+	})(t.Context()))
+
+	markerPath := filepath.Join(cacheDir, "stale-marker")
+	require.NoError(t, os.WriteFile(markerPath, []byte("stale"), 0o644))
+
+	require.NoError(t, NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: newRemoteDir,
+		Ref: "main",
+		Dir: cacheDir,
+	})(t.Context()))
+
+	originURL, err := findGitRemoteURL(t.Context(), cacheDir, "origin")
+	require.NoError(t, err)
+	assert.Equal(t, newRemoteDir, originURL)
+
+	out, err := exec.Command("git", "-C", cacheDir, "log", "--oneline", "-1", "--format=%s").Output()
+	require.NoError(t, err)
+	assert.Equal(t, "new-action", strings.TrimSpace(string(out)))
+
+	_, err = os.Stat(markerPath)
+	require.True(t, os.IsNotExist(err), "stale cached directory should be removed before recloning")
+}
+
+func TestGitCloneExecutorNonFastForwardRef(t *testing.T) {
+	// Simulate the scenario where a remote ref (e.g. a GitHub PR head ref) changes
+	// non-fast-forward between two fetches. Before the fix, the fetch used Force=false,
+	// causing go-git to return ErrForceNeeded and short-circuit the checkout.
+
+	// Create a bare "remote" repo with an initial commit on main and a feature branch.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+
+	// We need a working clone to push commits from.
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+	// Create a feature branch (simulates refs/pull/N/head).
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-1"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "feature"))
+
+	// First clone via the executor — should succeed and cache the repo.
+	cloneDir := t.TempDir()
+	clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: remoteDir,
+		Ref: "main",
+		Dir: cloneDir,
+	})
+	require.NoError(t, clone(context.Background()))
+
+	// Now force-push the feature branch to a non-fast-forward commit (simulates
+	// a PR rebase). This makes refs/heads/feature non-fast-forward.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "branch", "-D", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "feature"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "feature-rewritten"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "--force", "origin", "feature"))
+
+	// Also advance main so we can verify the clone picks up the new commit.
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "second"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "origin", "main"))
+
+	// Second clone to the same directory — before the fix this returned ErrForceNeeded
+	// and left the working tree at the old commit.
+	err := clone(context.Background())
+	require.NoError(t, err, "fetch with non-fast-forward refs must not fail when Force=true")
+
+	// Verify the working tree was actually updated to the latest main commit.
+	out, err := exec.Command("git", "-C", cloneDir, "log", "--oneline", "-1", "--format=%s").Output()
+	require.NoError(t, err)
+	assert.Equal(t, "second", strings.TrimSpace(string(out)), "working tree should be at the latest commit")
+}
+
+func TestGitCloneExecutorOfflineMode(t *testing.T) {
+	// Build a local "remote" with a single commit on main.
+	remoteDir := t.TempDir()
+	require.NoError(t, gitCmd("init", "--bare", "--initial-branch=main", remoteDir))
+	workDir := t.TempDir()
+	require.NoError(t, gitCmd("clone", remoteDir, workDir))
+	require.NoError(t, gitCmd("-C", workDir, "checkout", "-b", "main"))
+	require.NoError(t, gitCmd("-C", workDir, "commit", "--allow-empty", "-m", "initial"))
+	require.NoError(t, gitCmd("-C", workDir, "push", "-u", "origin", "main"))
+
+	// Prime the cache with an online clone of main.
+	cacheDir := t.TempDir()
+	require.NoError(t, NewGitCloneExecutor(NewGitCloneExecutorInput{
+		URL: remoteDir,
+		Ref: "main",
+		Dir: cacheDir,
+	})(context.Background()))
+
+	t.Run("cached branch resolves without fetching", func(t *testing.T) {
+		// Offline reuse of a cached branch must succeed even though ResolveRevision(input.Ref)
+		// finds no local refs/heads/<ref>.
+		err := NewGitCloneExecutor(NewGitCloneExecutorInput{
+			URL:         remoteDir,
+			Ref:         "main",
+			Dir:         cacheDir,
+			OfflineMode: true,
+		})(context.Background())
+		require.NoError(t, err)
+
+		out, err := exec.Command("git", "-C", cacheDir, "log", "--oneline", "-1", "--format=%s").Output()
+		require.NoError(t, err)
+		assert.Equal(t, "initial", strings.TrimSpace(string(out)))
+	})
+
+	t.Run("unresolvable cached ref returns error", func(t *testing.T) {
+		// The ref was never cached; offline mode cannot resolve it and must return an error.
+		err := NewGitCloneExecutor(NewGitCloneExecutorInput{
+			URL:         remoteDir,
+			Ref:         "never-fetched",
+			Dir:         cacheDir,
+			OfflineMode: true,
+		})(context.Background())
+		require.Error(t, err)
+	})
+}
+
+func gitCmd(args ...string) error {
+	cmd := exec.Command("git", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	// Inject a deterministic identity and ignore the host's global/system config so commits
+	// succeed regardless of the host having no user.name/user.email (e.g. CI, GITHUB_ACTIONS
+	// unset) or a global commit.gpgsign, and without mutating the developer's ~/.gitconfig.
+	cmd.Env = append(os.Environ(),
+		"GIT_AUTHOR_NAME=Unit Test",
+		"GIT_AUTHOR_EMAIL=test@test.com",
+		"GIT_COMMITTER_NAME=Unit Test",
+		"GIT_COMMITTER_EMAIL=test@test.com",
+		"GIT_CONFIG_GLOBAL=/dev/null",
+		"GIT_CONFIG_SYSTEM=/dev/null",
+	)
+
+	err := cmd.Run()
+	if exitError, ok := err.(*exec.ExitError); ok {
+		if waitStatus, ok := exitError.Sys().(syscall.WaitStatus); ok {
+			return fmt.Errorf("Exit error %d", waitStatus.ExitStatus())
+		}
+		return exitError
+	}
+	return nil
+}
+
+func TestAcquireCloneLock(t *testing.T) {
+	t.Run("same directory serializes", func(t *testing.T) {
+		dir := t.TempDir()
+
+		unlock1 := AcquireCloneLock(dir)
+
+		secondAcquired := make(chan struct{})
+		go func() {
+			unlock := AcquireCloneLock(dir)
+			close(secondAcquired)
+			unlock()
+		}()
+
+		select {
+		case <-secondAcquired:
+			t.Fatal("second acquire should block while first holds the lock")
+		case <-time.After(50 * time.Millisecond):
+		}
+
+		unlock1()
+
+		select {
+		case <-secondAcquired:
+		case <-time.After(time.Second):
+			t.Fatal("second acquire should proceed after first releases the lock")
+		}
+	})
+
+	t.Run("different directories do not block", func(t *testing.T) {
+		dirA := t.TempDir()
+		dirB := t.TempDir()
+
+		unlockA := AcquireCloneLock(dirA)
+		defer unlockA()
+
+		done := make(chan struct{})
+		go func() {
+			unlock := AcquireCloneLock(dirB)
+			unlock()
+			close(done)
+		}()
+
+		select {
+		case <-done:
+		case <-time.After(time.Second):
+			t.Fatal("acquire on a different directory must not block")
+		}
+	})
+
+	t.Run("same directory reuses the same mutex", func(t *testing.T) {
+		dir := t.TempDir()
+
+		v1, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		v2, _ := cloneLocks.LoadOrStore(dir, &sync.Mutex{})
+		require.Same(t, v1, v2)
+	})
+}
--- a/act/common/job_error.go
+++ b/act/common/job_error.go
@@ -0,0 +1,34 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+)
+
+type jobErrorContextKey string
+
+const jobErrorContextKeyVal = jobErrorContextKey("job.error")
+
+// JobError returns the job error for current context if any
+func JobError(ctx context.Context) error {
+	val := ctx.Value(jobErrorContextKeyVal)
+	if val != nil {
+		if container, ok := val.(map[string]error); ok {
+			return container["error"]
+		}
+	}
+	return nil
+}
+
+func SetJobError(ctx context.Context, err error) {
+	ctx.Value(jobErrorContextKeyVal).(map[string]error)["error"] = err
+}
+
+// WithJobErrorContainer adds a value to the context as a container for an error
+func WithJobErrorContainer(ctx context.Context) context.Context {
+	container := map[string]error{}
+	return context.WithValue(ctx, jobErrorContextKeyVal, container)
+}
--- a/act/common/line_writer.go
+++ b/act/common/line_writer.go
@@ -0,0 +1,80 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"bytes"
+	"io"
+)
+
+// LineHandler is a callback function for handling a line
+type LineHandler func(line string) bool
+
+// Flusher is implemented by writers that buffer a trailing, not-yet-terminated
+// line. Callers should flush once the underlying stream has reached EOF so the
+// final line (when it is not newline-terminated) is not lost.
+type Flusher interface {
+	Flush()
+}
+
+type lineWriter struct {
+	buffer   bytes.Buffer
+	handlers []LineHandler
+}
+
+// NewLineWriter creates a new instance of a line writer
+func NewLineWriter(handlers ...LineHandler) io.Writer {
+	w := new(lineWriter)
+	w.handlers = handlers
+	return w
+}
+
+// FlushWriter flushes w if it implements Flusher. It is a no-op otherwise, so
+// callers can flush an io.Writer without knowing its concrete type.
+func FlushWriter(w io.Writer) {
+	if f, ok := w.(Flusher); ok {
+		f.Flush()
+	}
+}
+
+func (lw *lineWriter) Write(p []byte) (n int, err error) {
+	pBuf := bytes.NewBuffer(p)
+	written := 0
+	for {
+		line, err := pBuf.ReadString('\n')
+		w, _ := lw.buffer.WriteString(line)
+		written += w
+		if err == nil {
+			lw.handleLine(lw.buffer.String())
+			lw.buffer.Reset()
+		} else if err == io.EOF {
+			break
+		} else {
+			return written, err
+		}
+	}
+
+	return written, nil
+}
+
+// Flush emits any buffered, not-yet-newline-terminated content as a final line.
+// It is safe to call multiple times; subsequent calls with an empty buffer are
+// no-ops.
+func (lw *lineWriter) Flush() {
+	if lw.buffer.Len() == 0 {
+		return
+	}
+	lw.handleLine(lw.buffer.String())
+	lw.buffer.Reset()
+}
+
+func (lw *lineWriter) handleLine(line string) {
+	for _, h := range lw.handlers {
+		ok := h(line)
+		if !ok {
+			break
+		}
+	}
+}
--- a/act/common/line_writer_test.go
+++ b/act/common/line_writer_test.go
@@ -0,0 +1,72 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLineWriter(t *testing.T) {
+	lines := make([]string, 0)
+	lineHandler := func(s string) bool {
+		lines = append(lines, s)
+		return true
+	}
+
+	lineWriter := NewLineWriter(lineHandler)
+
+	assert := assert.New(t)
+	write := func(s string) {
+		n, err := lineWriter.Write([]byte(s))
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.Equal(len(s), n, s)
+	}
+
+	write("hello")
+	write(" ")
+	write("world!!\nextra")
+	write(" line\n and another\nlast")
+	write(" line\n")
+	write("no newline here...")
+
+	assert.Len(lines, 4)
+	assert.Equal("hello world!!\n", lines[0])
+	assert.Equal("extra line\n", lines[1])
+	assert.Equal(" and another\n", lines[2])
+	assert.Equal("last line\n", lines[3])
+}
+
+func TestLineWriterFlush(t *testing.T) {
+	lines := make([]string, 0)
+	lineHandler := func(s string) bool {
+		lines = append(lines, s)
+		return true
+	}
+
+	lineWriter := NewLineWriter(lineHandler)
+
+	assert := assert.New(t)
+	_, err := lineWriter.Write([]byte("complete line\npartial line without newline"))
+	assert.NoError(err) //nolint:testifylint // pre-existing pattern from nektos/act
+
+	// Only the newline-terminated line is emitted before flushing.
+	assert.Equal([]string{"complete line\n"}, lines)
+
+	// Flushing emits the buffered, not-yet-terminated trailing line.
+	FlushWriter(lineWriter)
+	assert.Equal([]string{"complete line\n", "partial line without newline"}, lines)
+
+	// Flushing again is a no-op: nothing is buffered.
+	FlushWriter(lineWriter)
+	assert.Len(lines, 2)
+}
+
+func TestFlushWriterIgnoresNonFlusher(t *testing.T) {
+	// FlushWriter must be a safe no-op for writers that do not buffer lines.
+	assert.NotPanics(t, func() { FlushWriter(io.Discard) })
+}
--- a/act/common/logger.go
+++ b/act/common/logger.go
@@ -0,0 +1,52 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+)
+
+type loggerContextKey string
+
+const loggerContextKeyVal = loggerContextKey("logrus.FieldLogger")
+
+// Logger returns the appropriate logger for current context
+func Logger(ctx context.Context) logrus.FieldLogger {
+	val := ctx.Value(loggerContextKeyVal)
+	if val != nil {
+		if logger, ok := val.(logrus.FieldLogger); ok {
+			return logger
+		}
+	}
+	return logrus.StandardLogger()
+}
+
+// WithLogger adds a value to the context for the logger
+func WithLogger(ctx context.Context, logger logrus.FieldLogger) context.Context {
+	return context.WithValue(ctx, loggerContextKeyVal, logger)
+}
+
+type loggerHookKey string
+
+const loggerHookKeyVal = loggerHookKey("logrus.Hook")
+
+// LoggerHook returns the appropriate logger hook for current context
+// the hook affects job logger, not global logger
+func LoggerHook(ctx context.Context) logrus.Hook {
+	val := ctx.Value(loggerHookKeyVal)
+	if val != nil {
+		if hook, ok := val.(logrus.Hook); ok {
+			return hook
+		}
+	}
+	return nil
+}
+
+// WithLoggerHook adds a value to the context for the logger hook
+func WithLoggerHook(ctx context.Context, hook logrus.Hook) context.Context {
+	return context.WithValue(ctx, loggerHookKeyVal, hook)
+}
--- a/act/common/outbound_ip.go
+++ b/act/common/outbound_ip.go
@@ -0,0 +1,79 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"net"
+	"sort"
+	"strings"
+)
+
+// GetOutboundIP returns an outbound IP address of this machine.
+// It tries to access the internet and returns the local IP address of the connection.
+// If the machine cannot access the internet, it returns a preferred IP address from network interfaces.
+// It returns nil if no IP address is found.
+func GetOutboundIP() net.IP {
+	// See https://stackoverflow.com/a/37382208
+	conn, err := net.Dial("udp", "8.8.8.8:80")
+	if err == nil {
+		defer conn.Close()
+		return conn.LocalAddr().(*net.UDPAddr).IP
+	}
+
+	// So the machine cannot access the internet. Pick an IP address from network interfaces.
+	if ifs, err := net.Interfaces(); err == nil {
+		type IP struct {
+			net.IP
+			net.Interface
+		}
+		var ips []IP
+		for _, i := range ifs {
+			if addrs, err := i.Addrs(); err == nil {
+				for _, addr := range addrs {
+					var ip net.IP
+					switch v := addr.(type) {
+					case *net.IPNet:
+						ip = v.IP
+					case *net.IPAddr:
+						ip = v.IP
+					}
+					if ip.IsGlobalUnicast() {
+						ips = append(ips, IP{ip, i})
+					}
+				}
+			}
+		}
+		if len(ips) > 1 {
+			sort.Slice(ips, func(i, j int) bool {
+				ifi := ips[i].Interface
+				ifj := ips[j].Interface
+
+				// ethernet is preferred
+				if vi, vj := strings.HasPrefix(ifi.Name, "e"), strings.HasPrefix(ifj.Name, "e"); vi != vj {
+					return vi
+				}
+
+				ipi := ips[i].IP
+				ipj := ips[j].IP
+
+				// IPv4 is preferred
+				if vi, vj := ipi.To4() != nil, ipj.To4() != nil; vi != vj {
+					return vi
+				}
+
+				// en0 is preferred to en1
+				if ifi.Name != ifj.Name {
+					return ifi.Name < ifj.Name
+				}
+
+				// fallback
+				return ipi.String() < ipj.String()
+			})
+			return ips[0].IP
+		}
+	}
+
+	return nil
+}
--- a/act/container/DOCKER_LICENSE
+++ b/act/container/DOCKER_LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/act/container/container_types.go
+++ b/act/container/container_types.go
@@ -0,0 +1,100 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/docker/go-connections/nat"
+)
+
+// ExitCodeError reports a non-zero process exit code from a container command.
+type ExitCodeError int
+
+func (e ExitCodeError) Error() string {
+	return fmt.Sprintf("Process completed with exit code %d.", int(e))
+}
+
+// NewContainerInput the input for the New function
+type NewContainerInput struct {
+	Image          string
+	Username       string
+	Password       string
+	Entrypoint     []string
+	Cmd            []string
+	WorkingDir     string
+	Env            []string
+	Binds          []string
+	Mounts         map[string]string
+	Name           string
+	Stdout         io.Writer
+	Stderr         io.Writer
+	NetworkMode    string
+	Privileged     bool
+	UsernsMode     string
+	Platform       string
+	Options        string
+	NetworkAliases []string
+	ExposedPorts   nat.PortSet
+	PortBindings   nat.PortMap
+
+	// Gitea specific
+	AutoRemove   bool
+	ValidVolumes []string
+	AllocatePTY  bool // allocate a pseudo-TTY for the container's exec processes
+}
+
+// FileEntry is a file to copy to a container
+type FileEntry struct {
+	Name string
+	Mode int64
+	Body string
+}
+
+// Container for managing docker run containers
+type Container interface {
+	Create(capAdd, capDrop []string) common.Executor
+	ConnectToNetwork(name string) common.Executor
+	Copy(destPath string, files ...*FileEntry) common.Executor
+	CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error
+	CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor
+	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
+	Pull(forcePull bool) common.Executor
+	Start(attach bool) common.Executor
+	Exec(command []string, env map[string]string, user, workdir string) common.Executor
+	UpdateFromEnv(srcPath string, env *map[string]string) common.Executor
+	UpdateFromImageEnv(env *map[string]string) common.Executor
+	Remove() common.Executor
+	Close() common.Executor
+	ReplaceLogWriter(io.Writer, io.Writer) (io.Writer, io.Writer)
+}
+
+// NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
+type NewDockerBuildExecutorInput struct {
+	ContextDir   string
+	Dockerfile   string
+	BuildContext io.Reader
+	ImageTag     string
+	Platform     string
+}
+
+// NewDockerNetworkCreateExecutorInput the input for the NewDockerNetworkCreateExecutor function
+type NewDockerNetworkCreateExecutorInput struct {
+	EnableIPv4 *bool
+	EnableIPv6 *bool
+}
+
+// NewDockerPullExecutorInput the input for the NewDockerPullExecutor function
+type NewDockerPullExecutorInput struct {
+	Image     string
+	ForcePull bool
+	Platform  string
+	Username  string
+	Password  string
+}
--- a/act/container/docker_auth.go
+++ b/act/container/docker_auth.go
@@ -0,0 +1,71 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/distribution/reference"
+	"github.com/docker/cli/cli/config"
+	"github.com/moby/moby/api/types/registry"
+)
+
+func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
+	logger := common.Logger(ctx)
+	// config.LoadDefaultConfigFile panics on nil io.Writer when the config
+	// file is malformed; use config.Load to route errors through the logger.
+	cfg, err := config.Load(config.Dir())
+	if err != nil {
+		logger.Warnf("Could not load docker config: %v", err)
+		return registry.AuthConfig{}, err
+	}
+	registryKey := registryAuthConfigKey("docker.io")
+	if image != "" {
+		if registryRef, refErr := reference.ParseNormalizedNamed(image); refErr != nil {
+			logger.Warnf("Could not normalize image reference: %v", refErr)
+		} else {
+			registryKey = registryAuthConfigKey(reference.Domain(registryRef))
+		}
+	}
+
+	authConfig, err := cfg.GetAuthConfig(registryKey)
+	if err != nil {
+		logger.Warnf("Could not get auth config from docker config: %v", err)
+		return registry.AuthConfig{}, err
+	}
+
+	return registry.AuthConfig(authConfig), nil
+}
+
+func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
+	logger := common.Logger(ctx)
+	cfg, err := config.Load(config.Dir())
+	if err != nil {
+		logger.Warnf("Could not load docker config: %v", err)
+		return nil
+	}
+	creds, err := cfg.GetAllCredentials()
+	if err != nil {
+		logger.Warnf("Could not get docker auth configs: %v", err)
+		return nil
+	}
+	authConfigs := make(map[string]registry.AuthConfig, len(creds))
+	for k, v := range creds {
+		authConfigs[k] = registry.AuthConfig(v)
+	}
+
+	return authConfigs
+}
+
+func registryAuthConfigKey(domainName string) string {
+	if domainName == "docker.io" || domainName == "index.docker.io" {
+		return "https://index.docker.io/v1/"
+	}
+	return domainName
+}
--- a/act/container/docker_build.go
+++ b/act/container/docker_build.go
@@ -0,0 +1,127 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/moby/go-archive"
+	"github.com/moby/go-archive/compression"
+	"github.com/moby/moby/client"
+	"github.com/moby/patternmatcher"
+	"github.com/moby/patternmatcher/ignorefile"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewDockerBuildExecutor function to create a run executor for the container
+func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		if input.Platform != "" {
+			logger.Infof("docker build -t %s --platform %s %s", input.ImageTag, input.Platform, input.ContextDir)
+		} else {
+			logger.Infof("docker build -t %s %s", input.ImageTag, input.ContextDir)
+		}
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		logger.Debugf("Building image from '%v'", input.ContextDir)
+
+		tags := []string{input.ImageTag}
+		options := client.ImageBuildOptions{
+			Tags:        tags,
+			Remove:      true,
+			AuthConfigs: LoadDockerAuthConfigs(ctx),
+			Dockerfile:  input.Dockerfile,
+		}
+		platform, err := parsePlatform(input.Platform)
+		if err != nil {
+			return err
+		}
+		if platform != nil {
+			options.Platforms = []specs.Platform{*platform}
+		}
+		var buildContext io.ReadCloser
+		if input.BuildContext != nil {
+			buildContext = io.NopCloser(input.BuildContext)
+		} else {
+			buildContext, err = createBuildContext(ctx, input.ContextDir, input.Dockerfile)
+		}
+		if err != nil {
+			return err
+		}
+
+		defer buildContext.Close()
+
+		logger.Debugf("Creating image from context dir '%s' with tag '%s' and platform '%s'", input.ContextDir, input.ImageTag, input.Platform)
+		resp, err := cli.ImageBuild(ctx, buildContext, options)
+
+		err = logDockerResponse(logger, resp.Body, err != nil)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (io.ReadCloser, error) {
+	common.Logger(ctx).Debugf("Creating archive for build context dir '%s' with relative dockerfile '%s'", contextDir, relDockerfile)
+
+	// And canonicalize dockerfile name to a platform-independent one
+	relDockerfile = filepath.ToSlash(relDockerfile)
+
+	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	}
+	defer f.Close()
+
+	var excludes []string
+	if err == nil {
+		excludes, err = ignorefile.ReadAll(f)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// If .dockerignore mentions .dockerignore or the Dockerfile
+	// then make sure we send both files over to the daemon
+	// because Dockerfile is, obviously, needed no matter what, and
+	// .dockerignore is needed to know if either one needs to be
+	// removed. The daemon will remove them for us, if needed, after it
+	// parses the Dockerfile. Ignore errors here, as they will have been
+	// caught by validateContextDirectory above.
+	includes := []string{"."}
+	keepThem1, _ := patternmatcher.Matches(".dockerignore", excludes)
+	keepThem2, _ := patternmatcher.Matches(relDockerfile, excludes)
+	if keepThem1 || keepThem2 {
+		includes = append(includes, ".dockerignore", relDockerfile)
+	}
+
+	buildCtx, err := archive.TarWithOptions(contextDir, &archive.TarOptions{
+		Compression:     compression.None,
+		ExcludePatterns: excludes,
+		IncludeFiles:    includes,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return buildCtx, nil
+}
--- a/act/container/docker_cli.go
+++ b/act/container/docker_cli.go
--- a/act/container/docker_cli_test.go
+++ b/act/container/docker_cli_test.go
--- a/act/container/docker_images.go
+++ b/act/container/docker_images.go
@@ -0,0 +1,64 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"fmt"
+
+	cerrdefs "github.com/containerd/errdefs"
+	"github.com/moby/moby/client"
+)
+
+// ImageExistsLocally returns a boolean indicating if an image with the
+// requested name, tag and architecture exists in the local docker image store
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
+	cli, err := GetDockerClient(ctx)
+	if err != nil {
+		return false, err
+	}
+	defer cli.Close()
+
+	inspectImage, err := cli.ImageInspect(ctx, imageName)
+	if cerrdefs.IsNotFound(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+
+	if platform == "" || platform == "any" || fmt.Sprintf("%s/%s", inspectImage.Os, inspectImage.Architecture) == platform {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// RemoveImage removes image from local store, the function is used to run different
+// container image architectures
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
+	cli, err := GetDockerClient(ctx)
+	if err != nil {
+		return false, err
+	}
+	defer cli.Close()
+
+	inspectImage, err := cli.ImageInspect(ctx, imageName)
+	if cerrdefs.IsNotFound(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+
+	if _, err = cli.ImageRemove(ctx, inspectImage.ID, client.ImageRemoveOptions{
+		Force:         force,
+		PruneChildren: pruneChildren,
+	}); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
--- a/act/container/docker_images_test.go
+++ b/act/container/docker_images_test.go
@@ -0,0 +1,69 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"strings"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+// buildScratchImage builds a tiny empty image for the given platform locally (FROM scratch, no
+// network or emulation since there is nothing to run) and returns its tag, removing it after
+// the test.
+func buildScratchImage(t *testing.T, platform string) string {
+	t.Helper()
+	tag := fmt.Sprintf("act-test-exists-%s:latest", strings.TrimPrefix(platform, "linux/"))
+	cmd := exec.Command("docker", "build", "--platform", platform, "-t", tag, "-")
+	cmd.Stdin = strings.NewReader("FROM scratch\nLABEL act-test=1\n")
+	// Force BuildKit: it records the requested architecture in the image config for a
+	// FROM-scratch build, whereas the classic builder ignores --platform and tags it with the
+	// host arch, which would break the per-platform existence assertions below.
+	cmd.Env = append(os.Environ(), "DOCKER_BUILDKIT=1")
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+	t.Cleanup(func() { _ = exec.Command("docker", "rmi", "-f", tag).Run() })
+	return tag
+}
+
+func TestImageExistsLocally(t *testing.T) {
+	requireDocker(t)
+	ctx := context.Background()
+
+	// a non-existent image is reported absent
+	missing, err := ImageExistsLocally(ctx, "library/alpine:this-random-tag-will-never-exist", "linux/amd64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, missing)
+
+	// Build tiny images for two architectures locally so per-platform existence can be checked
+	// offline (formerly pulled node:24-bookworm-slim for amd64 and arm64 over the network).
+	amd64Ref := buildScratchImage(t, "linux/amd64")
+	arm64Ref := buildScratchImage(t, "linux/arm64")
+
+	amd64Exists, err := ImageExistsLocally(ctx, amd64Ref, "linux/amd64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, amd64Exists)
+
+	// a non-host architecture image is detected for its own architecture
+	arm64Exists, err := ImageExistsLocally(ctx, arm64Ref, "linux/arm64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, arm64Exists)
+
+	// a present image is reported absent for a different platform
+	wrongPlatform, err := ImageExistsLocally(ctx, amd64Ref, "linux/arm64")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, wrongPlatform)
+}
--- a/act/container/docker_logger.go
+++ b/act/container/docker_logger.go
@@ -0,0 +1,85 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"bufio"
+	"encoding/json"
+	"errors"
+	"io"
+
+	"github.com/sirupsen/logrus"
+)
+
+type dockerMessage struct {
+	ID          string `json:"id"`
+	Stream      string `json:"stream"`
+	Error       string `json:"error"`
+	ErrorDetail struct {
+		Message string
+	}
+	Status   string `json:"status"`
+	Progress string `json:"progress"`
+}
+
+func logDockerResponse(logger logrus.FieldLogger, dockerResponse io.ReadCloser, isError bool) error {
+	if dockerResponse == nil {
+		return nil
+	}
+	defer dockerResponse.Close()
+
+	scanner := bufio.NewScanner(dockerResponse)
+	msg := dockerMessage{}
+
+	for scanner.Scan() {
+		line := scanner.Bytes()
+
+		msg.ID = ""
+		msg.Stream = ""
+		msg.Error = ""
+		msg.ErrorDetail.Message = ""
+		msg.Status = ""
+		msg.Progress = ""
+
+		if err := json.Unmarshal(line, &msg); err != nil {
+			writeLog(logger, false, "Unable to unmarshal line [%s] ==> %v", string(line), err)
+			continue
+		}
+
+		if msg.Error != "" {
+			writeLog(logger, isError, "%s", msg.Error)
+			return errors.New(msg.Error)
+		}
+
+		if msg.ErrorDetail.Message != "" {
+			writeLog(logger, isError, "%s", msg.ErrorDetail.Message)
+			return errors.New(msg.Error)
+		}
+
+		if msg.Status != "" {
+			if msg.Progress != "" {
+				writeLog(logger, isError, "%s :: %s :: %s\n", msg.Status, msg.ID, msg.Progress)
+			} else {
+				writeLog(logger, isError, "%s :: %s\n", msg.Status, msg.ID)
+			}
+		} else if msg.Stream != "" {
+			writeLog(logger, isError, "%s", msg.Stream)
+		} else {
+			writeLog(logger, false, "Unable to handle line: %s", string(line))
+		}
+	}
+
+	return nil
+}
+
+func writeLog(logger logrus.FieldLogger, isError bool, format string, args ...any) {
+	if isError {
+		logger.Errorf(format, args...)
+	} else {
+		logger.Debugf(format, args...)
+	}
+}
--- a/act/container/docker_network.go
+++ b/act/container/docker_network.go
@@ -0,0 +1,88 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/moby/moby/client"
+)
+
+func NewDockerNetworkCreateExecutor(name string, opts NewDockerNetworkCreateExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Only create the network if it doesn't exist
+		networks, err := cli.NetworkList(ctx, client.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
+		for _, n := range networks.Items {
+			if n.Name == name {
+				common.Logger(ctx).Debugf("Network %v exists", name)
+				return nil
+			}
+		}
+
+		_, err = cli.NetworkCreate(ctx, name, client.NetworkCreateOptions{
+			Driver:     "bridge",
+			Scope:      "local",
+			EnableIPv4: opts.EnableIPv4,
+			EnableIPv6: opts.EnableIPv6,
+		})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Make sure that all network of the specified name are removed
+		// cli.NetworkRemove refuses to remove a network if there are duplicates
+		networks, err := cli.NetworkList(ctx, client.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
+		for _, n := range networks.Items {
+			if n.Name == name {
+				result, err := cli.NetworkInspect(ctx, n.ID, client.NetworkInspectOptions{})
+				if err != nil {
+					return err
+				}
+
+				if len(result.Network.Containers) == 0 {
+					if _, err = cli.NetworkRemove(ctx, n.ID, client.NetworkRemoveOptions{}); err != nil {
+						common.Logger(ctx).Debugf("%v", err)
+					}
+				} else {
+					common.Logger(ctx).Debugf("Refusing to remove network %v because it still has active endpoints", name)
+				}
+			}
+		}
+
+		return err
+	}
+}
--- a/act/container/docker_platform.go
+++ b/act/container/docker_platform.go
@@ -0,0 +1,39 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2025 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"fmt"
+	"strings"
+
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// parsePlatform parses an "os/arch[/variant]" string into a Platform. An empty input
+// returns (nil, nil), meaning "no platform constraint". A non-empty but malformed
+// string is rejected explicitly so it cannot silently fall through to the daemon's
+// default architecture.
+func parsePlatform(platform string) (*specs.Platform, error) {
+	if platform == "" {
+		return nil, nil //nolint:nilnil // no platform constraint requested
+	}
+
+	parts := strings.Split(platform, "/")
+	if len(parts) < 2 || len(parts) > 3 || parts[0] == "" || parts[1] == "" || (len(parts) == 3 && parts[2] == "") {
+		return nil, fmt.Errorf("invalid platform %q: expected os/arch[/variant]", platform)
+	}
+
+	spec := &specs.Platform{
+		OS:           strings.ToLower(parts[0]),
+		Architecture: strings.ToLower(parts[1]),
+	}
+	if len(parts) == 3 {
+		spec.Variant = strings.ToLower(parts[2])
+	}
+
+	return spec, nil
+}
--- a/act/container/docker_platform_test.go
+++ b/act/container/docker_platform_test.go
@@ -0,0 +1,63 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParsePlatform(t *testing.T) {
+	t.Run("empty input returns nil platform without error", func(t *testing.T) {
+		got, err := parsePlatform("")
+		require.NoError(t, err)
+		assert.Nil(t, got)
+	})
+
+	t.Run("os/arch", func(t *testing.T) {
+		got, err := parsePlatform("linux/amd64")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "amd64", got.Architecture)
+		assert.Empty(t, got.Variant)
+	})
+
+	t.Run("os/arch/variant", func(t *testing.T) {
+		got, err := parsePlatform("linux/arm/v7")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "arm", got.Architecture)
+		assert.Equal(t, "v7", got.Variant)
+	})
+
+	t.Run("input is lowercased", func(t *testing.T) {
+		got, err := parsePlatform("Linux/AMD64/V8")
+		require.NoError(t, err)
+		require.NotNil(t, got)
+		assert.Equal(t, "linux", got.OS)
+		assert.Equal(t, "amd64", got.Architecture)
+		assert.Equal(t, "v8", got.Variant)
+	})
+
+	for _, bad := range []string{
+		"amd64",
+		"linux",
+		"linux/",
+		"/amd64",
+		"/",
+		"//",
+		"linux/arm/",
+		"linux/arm/v7/extra",
+	} {
+		t.Run("rejects "+bad, func(t *testing.T) {
+			got, err := parsePlatform(bad)
+			require.Error(t, err)
+			assert.Nil(t, got)
+		})
+	}
+}
--- a/act/container/docker_pull.go
+++ b/act/container/docker_pull.go
@@ -0,0 +1,131 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/distribution/reference"
+	"github.com/moby/moby/api/pkg/authconfig"
+	"github.com/moby/moby/api/types/registry"
+	"github.com/moby/moby/client"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// NewDockerPullExecutor function to create a run executor for the container
+func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Debugf("docker pull %v", input.Image)
+
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		pull := input.ForcePull
+		if !pull {
+			imageExists, err := ImageExistsLocally(ctx, input.Image, input.Platform)
+			logger.Debugf("Image exists? %v", imageExists)
+			if err != nil {
+				return fmt.Errorf("unable to determine if image already exists for image '%s' (%s): %w", input.Image, input.Platform, err)
+			}
+
+			if !imageExists {
+				pull = true
+			}
+		}
+
+		if !pull {
+			return nil
+		}
+
+		imageRef := cleanImage(ctx, input.Image)
+		logger.Debugf("pulling image '%v' (%s)", imageRef, input.Platform)
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		imagePullOptions, err := getImagePullOptions(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		reader, err := cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+		_ = logDockerResponse(logger, reader, err != nil)
+		if err != nil {
+			if imagePullOptions.RegistryAuth != "" && strings.Contains(err.Error(), "unauthorized") {
+				logger.Errorf("pulling image '%v' (%s) failed with credentials %s retrying without them, please check for stale docker config files", imageRef, input.Platform, err.Error())
+				imagePullOptions.RegistryAuth = ""
+				reader, err = cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+				_ = logDockerResponse(logger, reader, err != nil)
+			}
+			return err
+		}
+		return nil
+	}
+}
+
+func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (client.ImagePullOptions, error) {
+	imagePullOptions := client.ImagePullOptions{}
+	platform, err := parsePlatform(input.Platform)
+	if err != nil {
+		return imagePullOptions, err
+	}
+	if platform != nil {
+		imagePullOptions.Platforms = []specs.Platform{*platform}
+	}
+	logger := common.Logger(ctx)
+
+	if input.Username != "" && input.Password != "" {
+		logger.Debugf("using authentication for docker pull")
+
+		encodedAuth, err := authconfig.Encode(registry.AuthConfig{
+			Username: input.Username,
+			Password: input.Password,
+		})
+		if err != nil {
+			return imagePullOptions, err
+		}
+
+		imagePullOptions.RegistryAuth = encodedAuth
+	} else {
+		authConfig, err := LoadDockerAuthConfig(ctx, input.Image)
+		if err != nil {
+			return imagePullOptions, err
+		}
+		if authConfig.Username == "" && authConfig.Password == "" {
+			return imagePullOptions, nil
+		}
+		logger.Info("using DockerAuthConfig authentication for docker pull")
+
+		imagePullOptions.RegistryAuth, err = authconfig.Encode(authConfig)
+		if err != nil {
+			return imagePullOptions, err
+		}
+	}
+
+	return imagePullOptions, nil
+}
+
+func cleanImage(ctx context.Context, imageName string) string {
+	ref, err := reference.ParseAnyReference(imageName)
+	if err != nil {
+		common.Logger(ctx).Error(err)
+		return ""
+	}
+
+	return ref.String()
+}
--- a/act/container/docker_pull_test.go
+++ b/act/container/docker_pull_test.go
@@ -0,0 +1,67 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	log "github.com/sirupsen/logrus"
+	assert "github.com/stretchr/testify/assert"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+func TestCleanImage(t *testing.T) {
+	tables := []struct {
+		imageIn  string
+		imageOut string
+	}{
+		{"myhost.com/foo/bar", "myhost.com/foo/bar"},
+		{"localhost:8000/canonical/ubuntu", "localhost:8000/canonical/ubuntu"},
+		{"localhost/canonical/ubuntu:latest", "localhost/canonical/ubuntu:latest"},
+		{"localhost:8000/canonical/ubuntu:latest", "localhost:8000/canonical/ubuntu:latest"},
+		{"ubuntu", "docker.io/library/ubuntu"},
+		{"ubuntu:18.04", "docker.io/library/ubuntu:18.04"},
+		{"cibuilds/hugo:0.53", "docker.io/cibuilds/hugo:0.53"},
+	}
+
+	for _, table := range tables {
+		imageOut := cleanImage(context.Background(), table.imageIn)
+		assert.Equal(t, table.imageOut, imageOut)
+	}
+}
+
+func TestGetImagePullOptions(t *testing.T) {
+	ctx := context.Background()
+
+	orig := config.Dir()
+	t.Cleanup(func() { config.SetDir(orig) })
+
+	config.SetDir("/non-existent/docker")
+
+	options, err := getImagePullOptions(ctx, NewDockerPullExecutorInput{})
+	assert.NoError(t, err, "Failed to create ImagePullOptions")                                                 //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "", options.RegistryAuth, "RegistryAuth should be empty if no username or password is set") //nolint:testifylint // pre-existing issue from nektos/act
+
+	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
+		Image:    "",
+		Username: "username",
+		Password: "password",
+	})
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZCJ9", options.RegistryAuth, "Username and Password should be provided")
+
+	config.SetDir("testdata/docker-pull-options")
+
+	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
+		Image: "nektos/act",
+	})
+	assert.NoError(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZFxuIiwic2VydmVyYWRkcmVzcyI6Imh0dHBzOi8vaW5kZXguZG9ja2VyLmlvL3YxLyJ9", options.RegistryAuth, "RegistryAuth should be taken from local docker config")
+}
--- a/act/container/docker_run.go
+++ b/act/container/docker_run.go
--- a/act/container/docker_run_test.go
+++ b/act/container/docker_run_test.go
@@ -0,0 +1,623 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/binary"
+	"errors"
+	"io"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	cerrdefs "github.com/containerd/errdefs"
+	"github.com/moby/moby/api/pkg/stdcopy"
+	"github.com/moby/moby/api/types/container"
+	mobyclient "github.com/moby/moby/client"
+	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDocker(t *testing.T) {
+	requireDocker(t)
+	ctx := context.Background()
+	client, err := GetDockerClient(ctx)
+	require.NoError(t, err)
+	defer client.Close()
+
+	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
+		ContextDir: "testdata",
+		ImageTag:   "envmergetest",
+	})
+
+	err = dockerBuild(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	cr := &containerReference{
+		cli: client,
+		input: &NewContainerInput{
+			Image: "envmergetest",
+		},
+	}
+	env := map[string]string{
+		"PATH":         "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin",
+		"RANDOM_VAR":   "WITH_VALUE",
+		"ANOTHER_VAR":  "",
+		"CONFLICT_VAR": "I_EXIST_IN_MULTIPLE_PLACES",
+	}
+
+	envExecutor := cr.extractFromImageEnv(&env)
+	err = envExecutor(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, map[string]string{
+		"PATH":            "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/this/path/does/not/exists/anywhere:/this/either",
+		"RANDOM_VAR":      "WITH_VALUE",
+		"ANOTHER_VAR":     "",
+		"SOME_RANDOM_VAR": "",
+		"ANOTHER_ONE":     "BUT_I_HAVE_VALUE",
+		"CONFLICT_VAR":    "I_EXIST_IN_MULTIPLE_PLACES",
+	}, env)
+}
+
+type mockDockerClient struct {
+	mobyclient.APIClient
+	mock.Mock
+}
+
+func (m *mockDockerClient) ExecCreate(ctx context.Context, id string, opts mobyclient.ExecCreateOptions) (mobyclient.ExecCreateResult, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(mobyclient.ExecCreateResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ExecAttach(ctx context.Context, id string, opts mobyclient.ExecAttachOptions) (mobyclient.ExecAttachResult, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(mobyclient.ExecAttachResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ExecInspect(ctx context.Context, execID string, opts mobyclient.ExecInspectOptions) (mobyclient.ExecInspectResult, error) {
+	args := m.Called(ctx, execID, opts)
+	return args.Get(0).(mobyclient.ExecInspectResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerAttach(ctx context.Context, containerID string, opts mobyclient.ContainerAttachOptions) (mobyclient.ContainerAttachResult, error) {
+	args := m.Called(ctx, containerID, opts)
+	return args.Get(0).(mobyclient.ContainerAttachResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerWait(ctx context.Context, containerID string, opts mobyclient.ContainerWaitOptions) mobyclient.ContainerWaitResult {
+	args := m.Called(ctx, containerID, opts)
+	return args.Get(0).(mobyclient.ContainerWaitResult)
+}
+
+func (m *mockDockerClient) CopyToContainer(ctx context.Context, id string, options mobyclient.CopyToContainerOptions) (mobyclient.CopyToContainerResult, error) {
+	args := m.Called(ctx, id, options)
+	return args.Get(0).(mobyclient.CopyToContainerResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerInspect(ctx context.Context, id string, opts mobyclient.ContainerInspectOptions) (mobyclient.ContainerInspectResult, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(mobyclient.ContainerInspectResult), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerList(ctx context.Context, opts mobyclient.ContainerListOptions) (mobyclient.ContainerListResult, error) {
+	args := m.Called(ctx, opts)
+	return args.Get(0).(mobyclient.ContainerListResult), args.Error(1)
+}
+
+type endlessReader struct {
+	io.Reader
+}
+
+func (r endlessReader) Read(_ []byte) (n int, err error) {
+	return 1, nil
+}
+
+type mockConn struct {
+	net.Conn
+	mock.Mock
+}
+
+func (m *mockConn) Write(b []byte) (n int, err error) {
+	args := m.Called(b)
+	return args.Int(0), args.Error(1)
+}
+
+func (m *mockConn) Close() (err error) {
+	return nil
+}
+
+func TestDockerExecAbort(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	conn := &mockConn{}
+	conn.On("Write", mock.AnythingOfType("[]uint8")).Return(1, nil)
+
+	client := &mockDockerClient{}
+	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
+	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
+		HijackedResponse: mobyclient.HijackedResponse{
+			Conn:   conn,
+			Reader: bufio.NewReader(endlessReader{}),
+		},
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	channel := make(chan error)
+
+	go func() {
+		channel <- cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	}()
+
+	time.Sleep(500 * time.Millisecond)
+
+	cancel()
+
+	err := <-channel
+	assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerExecFailure(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	client := &mockDockerClient{}
+	client.On("ExecCreate", ctx, "123", mock.AnythingOfType("client.ExecCreateOptions")).Return(mobyclient.ExecCreateResult{ID: "id"}, nil)
+	client.On("ExecAttach", ctx, "id", mock.AnythingOfType("client.ExecAttachOptions")).Return(mobyclient.ExecAttachResult{
+		HijackedResponse: mobyclient.HijackedResponse{
+			Conn:   conn,
+			Reader: bufio.NewReader(strings.NewReader("output")),
+		},
+	}, nil)
+	client.On("ExecInspect", ctx, "id", mobyclient.ExecInspectOptions{}).Return(mobyclient.ExecInspectResult{
+		ExitCode: 1,
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(1), exitErr)
+	assert.Equal(t, "Process completed with exit code 1.", err.Error())
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+// stdcopyFrame wraps payload in a single Docker multiplexed-stream frame, the
+// format StdCopy expects: an 8-byte header (stream type + 4-byte big-endian
+// length) followed by the payload.
+func stdcopyFrame(stream stdcopy.StdType, payload string) []byte {
+	b := make([]byte, 8+len(payload))
+	b[0] = byte(stream)
+	binary.BigEndian.PutUint32(b[4:8], uint32(len(payload)))
+	copy(b[8:], payload)
+	return b
+}
+
+// TestDockerAttachFlushesTrailingLine verifies that wait() blocks until the
+// attach() streaming goroutine has drained and flushed the container's output,
+// so a final line without a trailing newline is not lost.
+func TestDockerAttachFlushesTrailingLine(t *testing.T) {
+	ctx := context.Background()
+
+	framed := bytes.NewBuffer(stdcopyFrame(stdcopy.Stdout, "line one\nlast line without newline"))
+
+	var lines []string
+	logWriter := common.NewLineWriter(func(s string) bool {
+		lines = append(lines, s)
+		return true
+	})
+
+	client := &mockDockerClient{}
+	client.On("ContainerAttach", ctx, "123", mock.AnythingOfType("client.ContainerAttachOptions")).
+		Return(mobyclient.ContainerAttachResult{
+			HijackedResponse: mobyclient.HijackedResponse{
+				Conn:   &mockConn{},
+				Reader: bufio.NewReader(framed),
+			},
+		}, nil)
+
+	statusCh := make(chan container.WaitResponse, 1)
+	statusCh <- container.WaitResponse{StatusCode: 0}
+	errCh := make(chan error, 1)
+	client.On("ContainerWait", ctx, "123", mobyclient.ContainerWaitOptions{Condition: container.WaitConditionNotRunning}).
+		Return(mobyclient.ContainerWaitResult{
+			Result: (<-chan container.WaitResponse)(statusCh),
+			Error:  (<-chan error)(errCh),
+		})
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image:  "image",
+			Stdout: logWriter,
+			Stderr: logWriter,
+		},
+	}
+
+	require.NoError(t, cr.attach()(ctx))
+	require.NoError(t, cr.wait()(ctx))
+
+	// wait() must have blocked until the goroutine drained AND flushed; the
+	// trailing, non-newline-terminated line must therefore be present. Reading
+	// lines here is race-free because wait() synchronizes on attachDone, which
+	// the goroutine closes after the final append.
+	assert.Equal(t, []string{"line one\n", "last line without newline"}, lines)
+
+	client.AssertExpectations(t)
+}
+
+func TestDockerWaitFailure(t *testing.T) {
+	ctx := context.Background()
+
+	statusCh := make(chan container.WaitResponse, 1)
+	statusCh <- container.WaitResponse{StatusCode: 2}
+	errCh := make(chan error, 1)
+
+	client := &mockDockerClient{}
+	client.On("ContainerWait", ctx, "123", mobyclient.ContainerWaitOptions{Condition: container.WaitConditionNotRunning}).
+		Return(mobyclient.ContainerWaitResult{
+			Result: (<-chan container.WaitResponse)(statusCh),
+			Error:  (<-chan error)(errCh),
+		})
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.wait()(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(2), exitErr)
+	assert.Equal(t, "Process completed with exit code 2.", err.Error())
+
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStream(t *testing.T) {
+	ctx := context.Background()
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	_ = cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
+	ctx := context.Background()
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
+	ctx := context.Background()
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+	client.On("CopyToContainer", ctx, "123", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/var/run/act" && opts.Content != nil
+	})).Return(mobyclient.CopyToContainerResult{}, merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	client.AssertExpectations(t)
+}
+
+// find() must drop a stale cached id so later Copy/Exec don't hit the
+// daemon with a torn-down container.
+func TestFindRevalidatesStaleID(t *testing.T) {
+	ctx := context.Background()
+	notFound := cerrdefs.ErrNotFound.WithMessage("No such container")
+	boom := errors.New("daemon unreachable")
+	newCR := func(id string) (*containerReference, *mockDockerClient) {
+		client := &mockDockerClient{}
+		return &containerReference{id: id, cli: client, input: &NewContainerInput{Name: "job-1"}}, client
+	}
+	listOpts := mobyclient.ContainerListOptions{All: true}
+	inspectOpts := mobyclient.ContainerInspectOptions{}
+
+	t.Run("stale id cleared, name lookup empty", func(t *testing.T) {
+		cr, client := newCR("stale")
+		client.On("ContainerInspect", ctx, "stale", inspectOpts).Return(mobyclient.ContainerInspectResult{}, notFound)
+		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{}, nil)
+		require.NoError(t, cr.find()(ctx))
+		assert.Empty(t, cr.id)
+		client.AssertExpectations(t)
+	})
+
+	t.Run("stale id cleared, name lookup repopulates", func(t *testing.T) {
+		cr, client := newCR("stale")
+		client.On("ContainerInspect", ctx, "stale", inspectOpts).Return(mobyclient.ContainerInspectResult{}, notFound)
+		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{Items: []container.Summary{
+			{ID: "other", Names: []string{"/somebody-else"}},
+			{ID: "fresh", Names: []string{"/job-1"}},
+		}}, nil)
+		require.NoError(t, cr.find()(ctx))
+		assert.Equal(t, "fresh", cr.id)
+		client.AssertExpectations(t)
+	})
+
+	t.Run("live id kept", func(t *testing.T) {
+		cr, client := newCR("live")
+		client.On("ContainerInspect", ctx, "live", inspectOpts).Return(mobyclient.ContainerInspectResult{}, nil)
+		require.NoError(t, cr.find()(ctx))
+		assert.Equal(t, "live", cr.id)
+		client.AssertExpectations(t)
+	})
+
+	t.Run("transient inspect error trusts cache", func(t *testing.T) {
+		cr, client := newCR("live")
+		client.On("ContainerInspect", ctx, "live", inspectOpts).Return(mobyclient.ContainerInspectResult{}, boom)
+		require.NoError(t, cr.find()(ctx))
+		assert.Equal(t, "live", cr.id)
+		client.AssertExpectations(t)
+	})
+
+	t.Run("list error propagates", func(t *testing.T) {
+		cr, client := newCR("")
+		client.On("ContainerList", ctx, listOpts).Return(mobyclient.ContainerListResult{}, boom)
+		require.ErrorIs(t, cr.find()(ctx), boom)
+		client.AssertExpectations(t)
+	})
+}
+
+// Every daemon entry point fails fast with a clear, container-named
+// error when no live cr.id is known.
+func TestRejectsMissingContainer(t *testing.T) {
+	ctx := context.Background()
+	client := &mockDockerClient{}
+	client.On("ContainerList", ctx, mobyclient.ContainerListOptions{All: true}).Return(mobyclient.ContainerListResult{}, nil)
+	cr := &containerReference{cli: client, input: &NewContainerInput{Name: "job-1"}}
+	check := func(op string, err error) {
+		t.Helper()
+		require.Error(t, err, op)
+		assert.Contains(t, err.Error(), `container "job-1" does not exist`, op)
+	}
+	check("copyContent", cr.copyContent("/var/run/act", &FileEntry{Name: "x", Mode: 0o644})(ctx))
+	check("copyDir", cr.copyDir("/var/run/act", "/src", false)(ctx))
+	check("CopyTarStream", cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{}))
+	check("exec", cr.exec([]string{"echo"}, nil, "", "")(ctx))
+	_, err := cr.GetContainerArchive(ctx, "/var/run/act/x")
+	check("GetContainerArchive", err)
+}
+
+// End-to-end: a stale cr.id is cleared, repopulated from name lookup,
+// and the Copy completes against the fresh id.
+func TestPublicCopyPipelineHandlesStaleID(t *testing.T) {
+	ctx := context.Background()
+	client := &mockDockerClient{}
+	client.On("ContainerInspect", ctx, "stale", mobyclient.ContainerInspectOptions{}).
+		Return(mobyclient.ContainerInspectResult{}, cerrdefs.ErrNotFound.WithMessage("gone"))
+	client.On("ContainerList", ctx, mobyclient.ContainerListOptions{All: true}).
+		Return(mobyclient.ContainerListResult{Items: []container.Summary{
+			{ID: "fresh", Names: []string{"/job-1"}},
+		}}, nil)
+	client.On("CopyToContainer", ctx, "fresh", mock.MatchedBy(func(opts mobyclient.CopyToContainerOptions) bool {
+		return opts.DestinationPath == "/var/run/act"
+	})).Return(mobyclient.CopyToContainerResult{}, nil)
+
+	cr := &containerReference{id: "stale", cli: client, input: &NewContainerInput{Name: "job-1"}}
+	require.NoError(t, cr.Copy("/var/run/act", &FileEntry{Name: "x", Mode: 0o644})(ctx))
+	assert.Equal(t, "fresh", cr.id)
+	client.AssertExpectations(t)
+}
+
+// TestDockerCopyToSymlinkPath is a regression test for gitea/runner#981. Most base images
+// symlink /var/run to /run, so copying into /var/run/act traverses that symlink. The broken
+// docker 29.5.1 daemon fails the extraction with "mkdirat var/run: file exists" (fixed in
+// 29.5.2). Running against the daemon shipped in the dind image, this catches a bad bump.
+func TestDockerCopyToSymlinkPath(t *testing.T) {
+	requireDocker(t)
+	ctx := context.Background()
+
+	rc := NewContainer(&NewContainerInput{
+		Image:      "alpine:latest",
+		Entrypoint: []string{"sleep", "30"},
+		Name:       "act-test-symlink-" + time.Now().Format("20060102150405.000000"),
+		AutoRemove: true,
+	})
+	require.NoError(t, rc.Pull(false)(ctx))
+	require.NoError(t, rc.Create(nil, nil)(ctx))
+	require.NoError(t, rc.Start(false)(ctx))
+	t.Cleanup(func() {
+		_ = rc.Remove()(ctx)
+		_ = rc.Close()(ctx)
+	})
+
+	// CopyTarStream first creates the destination directory by extracting a tar at "/",
+	// which makes the daemon mkdir var, then var/run (the symlink), then act — the exact
+	// step that fails on the broken daemon.
+	err := rc.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	require.NoError(t, err)
+}
+
+// Type assert containerReference implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &containerReference{}
+
+func TestCheckVolumes(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		validVolumes  []string
+		binds         []string
+		expectedBinds []string
+	}{
+		{
+			desc:         "match all volumes",
+			validVolumes: []string{"**"},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+		},
+		{
+			desc:         "no volumes can be matched",
+			validVolumes: []string{},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{},
+		},
+		{
+			desc: "only allowed volumes can be matched",
+			validVolumes: []string{
+				"shared_volume",
+				"/home/test/data",
+				"/etc/conf.d/*.json",
+			},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+			logger, _ := test.NewNullLogger()
+			ctx := common.WithLogger(context.Background(), logger)
+			cr := &containerReference{
+				input: &NewContainerInput{
+					ValidVolumes: tc.validVolumes,
+				},
+			}
+			_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{Binds: tc.binds})
+			assert.Equal(t, tc.expectedBinds, hostConf.Binds)
+		})
+	}
+}
+
+func TestCheckVolumesRejectsEscapingHostPaths(t *testing.T) {
+	logger, _ := test.NewNullLogger()
+	ctx := common.WithLogger(context.Background(), logger)
+
+	base := t.TempDir()
+	allowed := filepath.Join(base, "allowed")
+	denied := filepath.Join(base, "denied")
+	require.NoError(t, os.MkdirAll(allowed, 0o700))
+	require.NoError(t, os.MkdirAll(denied, 0o700))
+
+	cr := &containerReference{
+		input: &NewContainerInput{
+			ValidVolumes: []string{filepath.Join(allowed, "**")},
+		},
+	}
+
+	escapingPath := allowed + string(filepath.Separator) + ".." + string(filepath.Separator) + "denied"
+	_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
+		Binds: []string{escapingPath + ":/mnt"},
+	})
+	assert.Empty(t, hostConf.Binds)
+
+	linkPath := filepath.Join(allowed, "link")
+	if err := os.Symlink(denied, linkPath); err != nil {
+		t.Skipf("cannot create symlink: %v", err)
+	}
+	_, hostConf = cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
+		Binds: []string{linkPath + ":/mnt"},
+	})
+	assert.Empty(t, hostConf.Binds)
+
+	_, hostConf = cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{
+		Binds: []string{filepath.Join(linkPath, "missing") + ":/mnt"},
+	})
+	assert.Empty(t, hostConf.Binds)
+}
--- a/act/container/docker_socket.go
+++ b/act/container/docker_socket.go
@@ -0,0 +1,138 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var CommonSocketLocations = []string{
+	"/var/run/docker.sock",
+	"/run/podman/podman.sock",
+	"$HOME/.colima/docker.sock",
+	"$XDG_RUNTIME_DIR/docker.sock",
+	"$XDG_RUNTIME_DIR/podman/podman.sock",
+	`\\.\pipe\docker_engine`,
+	"$HOME/.docker/run/docker.sock",
+}
+
+// returns socket URI or false if not found any
+func socketLocation() (string, bool) {
+	if dockerHost, exists := os.LookupEnv("DOCKER_HOST"); exists {
+		return dockerHost, true
+	}
+
+	for _, p := range CommonSocketLocations {
+		if _, err := os.Lstat(os.ExpandEnv(p)); err == nil {
+			if strings.HasPrefix(p, `\\.\`) {
+				return "npipe://" + filepath.ToSlash(os.ExpandEnv(p)), true
+			}
+			return "unix://" + filepath.ToSlash(os.ExpandEnv(p)), true
+		}
+	}
+
+	return "", false
+}
+
+// This function, `isDockerHostURI`, takes a string argument `daemonPath`. It checks if the
+// `daemonPath` is a valid Docker host URI. It does this by checking if the scheme of the URI (the
+// part before "://") contains only alphabetic characters. If it does, the function returns true,
+// indicating that the `daemonPath` is a Docker host URI. If it doesn't, or if the "://" delimiter
+// is not found in the `daemonPath`, the function returns false.
+func isDockerHostURI(daemonPath string) bool {
+	if before, _, ok := strings.Cut(daemonPath, "://"); ok {
+		scheme := before
+		if strings.IndexFunc(scheme, func(r rune) bool {
+			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
+		}) == -1 {
+			return true
+		}
+	}
+	return false
+}
+
+type SocketAndHost struct {
+	Socket string
+	Host   string
+}
+
+func GetSocketAndHost(containerSocket string) (SocketAndHost, error) {
+	log.Debugf("Handling container host and socket")
+
+	// Prefer DOCKER_HOST, don't override it
+	dockerHost, hasDockerHost := socketLocation()
+	socketHost := SocketAndHost{Socket: containerSocket, Host: dockerHost}
+
+	// ** socketHost.Socket cases **
+	// Case 1: User does _not_ want to mount a daemon socket (passes a dash)
+	// Case 2: User passes a filepath to the socket; is that even valid?
+	// Case 3: User passes a valid socket; do nothing
+	// Case 4: User omitted the flag; set a sane default
+
+	// ** DOCKER_HOST cases **
+	// Case A: DOCKER_HOST is set; use it, i.e. do nothing
+	// Case B: DOCKER_HOST is empty; use sane defaults
+
+	// Set host for sanity's sake, when the socket isn't useful
+	if !hasDockerHost && (socketHost.Socket == "-" || !isDockerHostURI(socketHost.Socket) || socketHost.Socket == "") {
+		// Cases: 1B, 2B, 4B
+		socket, found := socketLocation()
+		socketHost.Host = socket
+		hasDockerHost = found
+	}
+
+	// A - (dash) in socketHost.Socket means don't mount, preserve this value
+	// otherwise if socketHost.Socket is a filepath don't use it as socket
+	// Exit early if we're in an invalid state (e.g. when no DOCKER_HOST and user supplied "-", a dash or omitted)
+	if !hasDockerHost && socketHost.Socket != "" && !isDockerHostURI(socketHost.Socket) {
+		// Cases: 1B, 2B
+		// Should we early-exit here, since there is no host nor socket to talk to?
+		return SocketAndHost{}, fmt.Errorf("DOCKER_HOST was not set, couldn't be found in the usual locations, and the container daemon socket ('%s') is invalid", socketHost.Socket)
+	}
+
+	// Default to DOCKER_HOST if set
+	if socketHost.Socket == "" && hasDockerHost {
+		// Cases: 4A
+		log.Debugf("Defaulting container socket to DOCKER_HOST")
+		socketHost.Socket = socketHost.Host
+	}
+	// Set sane default socket location if user omitted it
+	if socketHost.Socket == "" {
+		// Cases: 4B
+		socket, _ := socketLocation()
+		// socket is empty if it isn't found, so assignment here is at worst a no-op
+		log.Debugf("Defaulting container socket to default '%s'", socket)
+		socketHost.Socket = socket
+	}
+
+	// Exit if both the DOCKER_HOST and socket are fulfilled
+	if hasDockerHost {
+		// Cases: 1A, 2A, 3A, 4A
+		if !isDockerHostURI(socketHost.Socket) {
+			// Cases: 1A, 2A
+			log.Debugf("DOCKER_HOST is set, but socket is invalid '%s'", socketHost.Socket)
+		}
+		return socketHost, nil
+	}
+
+	// Set a sane DOCKER_HOST default if we can
+	if isDockerHostURI(socketHost.Socket) {
+		// Cases: 3B
+		log.Debugf("Setting DOCKER_HOST to container socket '%s'", socketHost.Socket)
+		socketHost.Host = socketHost.Socket
+		// Both DOCKER_HOST and container socket are valid; short-circuit exit
+		return socketHost, nil
+	}
+
+	// Here there is no DOCKER_HOST _and_ the supplied container socket is not a valid URI (either invalid or a file path)
+	// Cases: 2B <- but is already handled at the top
+	// I.e. this path should never be taken
+	return SocketAndHost{}, fmt.Errorf("no DOCKER_HOST and an invalid container socket '%s'", socketHost.Socket)
+}
--- a/act/container/docker_socket_test.go
+++ b/act/container/docker_socket_test.go
@@ -0,0 +1,167 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"os"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	assert "github.com/stretchr/testify/assert"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+var originalCommonSocketLocations = CommonSocketLocations
+
+func isolateSocketEnv(t *testing.T) {
+	t.Helper()
+	t.Cleanup(func() { CommonSocketLocations = originalCommonSocketLocations })
+	if host, ok := os.LookupEnv("DOCKER_HOST"); ok {
+		t.Setenv("DOCKER_HOST", host)
+	} else {
+		t.Cleanup(func() { os.Unsetenv("DOCKER_HOST") })
+	}
+}
+
+func TestGetSocketAndHostWithSocket(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	dockerHost := "unix:///my/docker/host.sock"
+	socketURI := "/path/to/my.socket"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{socketURI, dockerHost}, ret)
+}
+
+func TestGetSocketAndHostNoSocket(t *testing.T) {
+	// Arrange
+	dockerHost := "unix:///my/docker/host.sock"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{dockerHost, dockerHost}, ret)
+}
+
+func TestGetSocketAndHostOnlySocket(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	socketURI := "/path/to/my.socket"
+	os.Unsetenv("DOCKER_HOST")
+	defaultSocket, defaultSocketFound := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.True(t, defaultSocketFound, "Expected to find default socket")
+	assert.Equal(t, socketURI, ret.Socket, "Expected socket to match common location")
+	assert.Equal(t, defaultSocket, ret.Host, "Expected ret.Host to match default socket location")
+}
+
+func TestGetSocketAndHostDontMount(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	dockerHost := "unix:///my/docker/host.sock"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost("-")
+
+	// Assert
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{"-", dockerHost}, ret)
+}
+
+func TestGetSocketAndHostNoHostNoSocket(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	os.Unsetenv("DOCKER_HOST")
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.True(t, found, "Expected a default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{defaultSocket, defaultSocket}, ret, "Expected to match default socket location")
+}
+
+// Catch
+// > Your code breaks setting DOCKER_HOST if shouldMount is false.
+// > This happens if neither DOCKER_HOST nor --container-daemon-socket has a value, but socketLocation() returns a URI
+func TestGetSocketAndHostNoHostNoSocketDefaultLocation(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	mySocketFile, tmpErr := os.CreateTemp(t.TempDir(), "act-*.sock")
+	mySocket := mySocketFile.Name()
+	unixSocket := "unix://" + mySocket
+	defer os.RemoveAll(mySocket)
+	assert.NoError(t, tmpErr) //nolint:testifylint // pre-existing issue from nektos/act
+	os.Unsetenv("DOCKER_HOST")
+
+	CommonSocketLocations = []string{mySocket}
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.Equal(t, unixSocket, defaultSocket, "Expected default socket to match common socket location")
+	assert.True(t, found, "Expected default socket to be found")
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{unixSocket, unixSocket}, ret, "Expected to match default socket location")
+}
+
+func TestGetSocketAndHostNoHostInvalidSocket(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	os.Unsetenv("DOCKER_HOST")
+	mySocket := "/my/socket/path.sock"
+	CommonSocketLocations = []string{"/unusual", "/socket", "/location"}
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(mySocket)
+
+	// Assert
+	assert.False(t, found, "Expected no default socket to be found")
+	assert.Equal(t, "", defaultSocket, "Expected no default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{}, ret, "Expected to match default socket location")
+	assert.Error(t, err, "Expected an error in invalid state")
+}
+
+func TestGetSocketAndHostOnlySocketValidButUnusualLocation(t *testing.T) {
+	// Arrange
+	isolateSocketEnv(t)
+	socketURI := "unix:///path/to/my.socket"
+	CommonSocketLocations = []string{"/unusual", "/location"}
+	os.Unsetenv("DOCKER_HOST")
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	// Default socket locations
+	assert.Equal(t, "", defaultSocket, "Expect default socket location to be empty") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.False(t, found, "Expected no default socket to be found")
+	// Sane default
+	assert.NoError(t, err, "Expect no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, socketURI, ret.Host, "Expect host to default to unusual socket")
+}
--- a/act/container/docker_stub.go
+++ b/act/container/docker_stub.go
@@ -0,0 +1,74 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build WITHOUT_DOCKER || !(linux || darwin || windows || netbsd)
+
+package container
+
+import (
+	"context"
+	"runtime"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/moby/moby/api/types/system"
+	"github.com/pkg/errors"
+)
+
+// ImageExistsLocally returns a boolean indicating if an image with the
+// requested name, tag and architecture exists in the local docker image store
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// RemoveImage removes image from local store, the function is used to run different
+// container image architectures
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// NewDockerBuildExecutor function to create a run executor for the container
+func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewDockerPullExecutor function to create a run executor for the container
+func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewContainer creates a reference to a container
+func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
+	return nil
+}
+
+func RunnerArch(ctx context.Context) string {
+	return runtime.GOOS
+}
+
+func GetHostInfo(ctx context.Context) (info system.Info, err error) {
+	return system.Info{}, nil
+}
+
+func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func NewDockerNetworkCreateExecutor(name string, opts NewDockerNetworkCreateExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
--- a/act/container/docker_volume.go
+++ b/act/container/docker_volume.go
@@ -0,0 +1,59 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/moby/moby/client"
+)
+
+func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		list, err := cli.VolumeList(ctx, client.VolumeListOptions{})
+		if err != nil {
+			return err
+		}
+
+		for _, vol := range list.Items {
+			if vol.Name == volumeName {
+				return removeExecutor(volumeName, force)(ctx)
+			}
+		}
+
+		// Volume not found - do nothing
+		return nil
+	}
+}
+
+func removeExecutor(volume string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Debugf("docker volume rm %s", volume)
+
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		_, err = cli.VolumeRemove(ctx, volume, client.VolumeRemoveOptions{Force: force})
+		return err
+	}
+}
--- a/act/container/executions_environment.go
+++ b/act/container/executions_environment.go
@@ -0,0 +1,19 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import "context"
+
+type ExecutionsEnvironment interface {
+	Container
+	ToContainerPath(string) string
+	GetActPath() string
+	GetPathVariableName() string
+	DefaultPathVariable() string
+	JoinPathVariable(...string) string
+	GetRunnerContext(ctx context.Context) map[string]any
+	// On windows PATH and Path are the same key
+	IsEnvironmentCaseInsensitive() bool
+}
--- a/act/container/helpers_test.go
+++ b/act/container/helpers_test.go
@@ -0,0 +1,27 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"testing"
+
+	mobyclient "github.com/moby/moby/client"
+)
+
+// requireDocker skips the test unless a reachable docker daemon is available.
+// GetDockerClient succeeds even without a running daemon (its ping is best-effort),
+// so the daemon has to be pinged explicitly here to decide whether to skip.
+func requireDocker(t *testing.T) {
+	t.Helper()
+	ctx := context.Background()
+	cli, err := GetDockerClient(ctx)
+	if err != nil {
+		t.Skipf("skipping: docker client unavailable: %v", err)
+	}
+	defer cli.Close()
+	if _, err := cli.Ping(ctx, mobyclient.PingOptions{}); err != nil {
+		t.Skipf("skipping: docker daemon unreachable: %v", err)
+	}
+}
--- a/act/container/host_environment.go
+++ b/act/container/host_environment.go
@@ -0,0 +1,710 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+	"gitea.com/gitea/runner/act/filecollector"
+	"gitea.com/gitea/runner/act/lookpath"
+
+	"github.com/go-git/go-billy/v5/helper/polyfill"
+	"github.com/go-git/go-billy/v5/osfs"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"golang.org/x/term"
+)
+
+type HostEnvironment struct {
+	Path      string
+	TmpDir    string
+	ToolCache string
+	Workdir   string
+	// CleanWorkdir means teardown owns Workdir and may delete it. Leave false
+	// when Workdir points at a caller-owned checkout (e.g. `act` local mode).
+	CleanWorkdir bool
+	ActPath      string
+	CleanUp      func()
+	StdOut       io.Writer
+	AllocatePTY  bool // allocate a pseudo-TTY for each step's process
+}
+
+func (e *HostEnvironment) Create(_, _ []string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) ConnectToNetwork(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Close() common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Executor {
+	return func(ctx context.Context) error {
+		for _, f := range files {
+			if err := os.MkdirAll(filepath.Dir(filepath.Join(destPath, f.Name)), 0o777); err != nil {
+				return err
+			}
+			if err := os.WriteFile(filepath.Join(destPath, f.Name), []byte(f.Body), fs.FileMode(f.Mode)); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
+	if err := os.RemoveAll(destPath); err != nil {
+		return err
+	}
+	tr := tar.NewReader(tarStream)
+	cp := &filecollector.CopyCollector{
+		DstDir: destPath,
+	}
+	for {
+		ti, err := tr.Next()
+		if errors.Is(err, io.EOF) {
+			return nil
+		} else if err != nil {
+			return err
+		}
+		if ti.FileInfo().IsDir() {
+			continue
+		}
+		if ctx.Err() != nil {
+			return errors.New("CopyTarStream has been cancelled")
+		}
+		if err := cp.WriteFile(ti.Name, ti.FileInfo(), ti.Linkname, tr); err != nil {
+			return err
+		}
+	}
+}
+
+func (e *HostEnvironment) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		srcPrefix := filepath.Dir(srcPath)
+		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
+			srcPrefix += string(filepath.Separator)
+		}
+		logger.Debugf("Stripping prefix:%s src:%s", srcPrefix, srcPath)
+		var ignorer gitignore.Matcher
+		if useGitIgnore {
+			ps, err := gitignore.ReadPatterns(polyfill.New(osfs.New(srcPath)), nil)
+			if err != nil {
+				logger.Debugf("Error loading .gitignore: %v", err)
+			}
+
+			ignorer = gitignore.NewMatcher(ps)
+		}
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
+			Ignorer:   ignorer,
+			SrcPath:   srcPath,
+			SrcPrefix: srcPrefix,
+			Handler: &filecollector.CopyCollector{
+				DstDir: destPath,
+			},
+		}
+		return filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
+	}
+}
+
+func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error) {
+	buf := &bytes.Buffer{}
+	tw := tar.NewWriter(buf)
+	defer tw.Close()
+	srcPath = filepath.Clean(srcPath)
+	fi, err := os.Lstat(srcPath)
+	if err != nil {
+		return nil, err
+	}
+	tc := &filecollector.TarCollector{
+		TarWriter: tw,
+	}
+	if fi.IsDir() {
+		srcPrefix := srcPath
+		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
+			srcPrefix += string(filepath.Separator)
+		}
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
+			SrcPath:   srcPath,
+			SrcPrefix: srcPrefix,
+			Handler:   tc,
+		}
+		err = filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		var f io.ReadCloser
+		var linkname string
+		if fi.Mode()&fs.ModeSymlink != 0 {
+			linkname, err = os.Readlink(srcPath)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			f, err = os.Open(srcPath)
+			if err != nil {
+				return nil, err
+			}
+			defer f.Close()
+		}
+		err := tc.WriteFile(fi.Name(), fi, linkname, f)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return io.NopCloser(buf), nil
+}
+
+func (e *HostEnvironment) Pull(_ bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Start(_ bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+type ptyWriter struct {
+	Out       io.Writer
+	AutoStop  atomic.Bool
+	dirtyLine bool
+}
+
+func (w *ptyWriter) Write(buf []byte) (int, error) {
+	if w.AutoStop.Load() && len(buf) > 0 && buf[len(buf)-1] == 4 {
+		n, err := w.Out.Write(buf[:len(buf)-1])
+		if err != nil {
+			return n, err
+		}
+		if w.dirtyLine || len(buf) > 1 && buf[len(buf)-2] != '\n' {
+			_, _ = w.Out.Write([]byte("\n"))
+			return n, io.EOF
+		}
+		return n, io.EOF
+	}
+	w.dirtyLine = strings.LastIndex(string(buf), "\n") < len(buf)-1
+	return w.Out.Write(buf)
+}
+
+type localEnv struct {
+	env map[string]string
+}
+
+func (l *localEnv) Getenv(name string) string {
+	if runtime.GOOS == "windows" {
+		for k, v := range l.env {
+			if strings.EqualFold(name, k) {
+				return v
+			}
+		}
+		return ""
+	}
+	return l.env[name]
+}
+
+func lookupPathHost(cmd string, env map[string]string, writer io.Writer) (string, error) {
+	f, err := lookpath.LookPath2(cmd, &localEnv{env: env})
+	if err != nil {
+		err := "Cannot find: " + cmd + " in PATH"
+		if _, _err := writer.Write([]byte(err + "\n")); _err != nil {
+			return "", fmt.Errorf("%v: %w", err, _err)
+		}
+		return "", errors.New(err)
+	}
+	return f, nil
+}
+
+func setupPty(cmd *exec.Cmd, cmdline string) (*os.File, *os.File, error) {
+	ppty, tty, err := openPty()
+	if err != nil {
+		return nil, nil, err
+	}
+	if term.IsTerminal(int(tty.Fd())) {
+		_, err := term.MakeRaw(int(tty.Fd()))
+		if err != nil {
+			ppty.Close()
+			tty.Close()
+			return nil, nil, err
+		}
+	}
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	cmd.SysProcAttr = getSysProcAttr(cmdline, true)
+	return ppty, tty, nil
+}
+
+func writeKeepAlive(ppty io.Writer) {
+	c := 1
+	var err error
+	for c == 1 && err == nil {
+		c, err = ppty.Write([]byte{4})
+		<-time.After(time.Second)
+	}
+}
+
+func copyPtyOutput(writer io.Writer, ppty io.Reader, finishLog context.CancelFunc) {
+	defer func() {
+		finishLog()
+	}()
+	if _, err := io.Copy(writer, ppty); err != nil {
+		return
+	}
+}
+
+func (e *HostEnvironment) UpdateFromImageEnv(_ *map[string]string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func getEnvListFromMap(env map[string]string) []string {
+	envList := make([]string, 0)
+	for k, v := range env {
+		envList = append(envList, fmt.Sprintf("%s=%s", k, v))
+	}
+	return envList
+}
+
+func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, _, workdir string) error {
+	envList := getEnvListFromMap(env)
+	var wd string
+	if workdir != "" {
+		if filepath.IsAbs(workdir) {
+			wd = workdir
+		} else {
+			wd = filepath.Join(e.Path, workdir)
+		}
+	} else {
+		wd = e.Path
+	}
+	f, err := lookupPathHost(command[0], env, e.StdOut)
+	if err != nil {
+		return err
+	}
+	cmd := exec.CommandContext(ctx, f)
+	cmd.Path = f
+	cmd.Args = command
+	cmd.Stdin = nil
+	cmd.Stdout = e.StdOut
+	cmd.Env = envList
+	cmd.Stderr = e.StdOut
+	cmd.Dir = wd
+	cmd.SysProcAttr = getSysProcAttr(cmdline, false)
+
+	// A step often launches a process tree (a shell that starts a child which
+	// spawns further background or GUI processes). The default context
+	// cancellation only kills the direct child, leaving the rest of the tree
+	// running; and because the orphans inherit cmd's stdout/stderr pipe,
+	// cmd.Wait() would block forever, hanging the runner. Kill the whole tree on
+	// cancellation — via a Job Object on Windows and the process group on Unix
+	// (see processKiller) — and bound the wait so a leftover pipe writer can
+	// never hang Wait indefinitely.
+	var killer atomic.Pointer[processKiller]
+	cmd.Cancel = func() error {
+		if k := killer.Load(); k != nil {
+			return k.Kill()
+		}
+		if cmd.Process != nil {
+			return cmd.Process.Kill()
+		}
+		return nil
+	}
+	// Once the step process has exited, give its I/O pipes at most this long to
+	// drain before Wait force-closes them and returns (Go's WaitDelay). This
+	// also covers a step that backgrounds a process holding the pipe open.
+	cmd.WaitDelay = 10 * time.Second
+
+	var ppty *os.File
+	var tty *os.File
+	defer func() {
+		if ppty != nil {
+			ppty.Close()
+		}
+		if tty != nil {
+			tty.Close()
+		}
+	}()
+	if e.AllocatePTY {
+		var err error
+		ppty, tty, err = setupPty(cmd, cmdline)
+		if err != nil {
+			common.Logger(ctx).Debugf("Failed to setup Pty %v\n", err.Error())
+		}
+	}
+	var writer *ptyWriter
+	var logctx context.Context
+	if ppty != nil {
+		writer = &ptyWriter{Out: e.StdOut}
+		var finishLog context.CancelFunc
+		logctx, finishLog = context.WithCancel(context.Background())
+		go copyPtyOutput(writer, ppty, finishLog)
+		go writeKeepAlive(ppty)
+	}
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Capture the started process for tree-kill on cancellation: a Job Object on
+	// Windows (children spawned afterwards are auto-included) and the process
+	// group on Unix. On failure (e.g. Windows nested-job restrictions) we fall
+	// back to the default single-process kill; WaitDelay + end-of-job cleanup
+	// still apply.
+	if k, kerr := newProcessKiller(cmd.Process); kerr != nil {
+		common.Logger(ctx).Warnf("process tree kill setup failed, falling back to single-process kill: %v", kerr)
+	} else {
+		killer.Store(k)
+		defer k.Close()
+	}
+	err = cmd.Wait()
+	if err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			return ExitCodeError(exitErr.ExitCode())
+		}
+		return err
+	}
+	if tty != nil {
+		writer.AutoStop.Store(true)
+		if _, err := tty.WriteString("\x04"); err != nil {
+			common.Logger(ctx).Debug("Failed to write EOT")
+		}
+		<-logctx.Done()
+		ppty.Close()
+		ppty = nil
+	}
+	return err
+}
+
+func (e *HostEnvironment) Exec(command []string /*cmdline string, */, env map[string]string, user, workdir string) common.Executor {
+	return e.ExecWithCmdLine(command, "", env, user, workdir)
+}
+
+func (e *HostEnvironment) ExecWithCmdLine(command []string, cmdline string, env map[string]string, user, workdir string) common.Executor {
+	return func(ctx context.Context) error {
+		if err := e.exec(ctx, command, cmdline, env, user, workdir); err != nil {
+			select {
+			case <-ctx.Done():
+				return fmt.Errorf("this step has been cancelled: %w", err)
+			default:
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
+	return parseEnvFile(e, srcPath, env)
+}
+
+// removeAll is the filesystem delete used by removeAllWithContext. A package
+// var so tests can substitute a blocking stub without patching os.RemoveAll.
+var removeAll = os.RemoveAll
+
+// removeAllWithContext runs removeAll in a goroutine and returns once it
+// finishes or ctx is cancelled. On cancellation the goroutine is left running —
+// a delete blocked inside a syscall cannot be interrupted (see runWithTimeout).
+func removeAllWithContext(ctx context.Context, path string) error {
+	done := make(chan error, 1)
+	go func() { done <- removeAll(path) }()
+	select {
+	case err := <-done:
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+func removePathWithRetry(ctx context.Context, path string) error {
+	if path == "" {
+		return nil
+	}
+	attempts := 1
+	delay := time.Duration(0)
+	if runtime.GOOS == "windows" {
+		attempts = 5
+		delay = 200 * time.Millisecond
+	}
+	var lastErr error
+	for i := 0; i < attempts; i++ {
+		if i > 0 {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case <-time.After(delay):
+			}
+		}
+		lastErr = removeAllWithContext(ctx, path)
+		if lastErr == nil {
+			return nil
+		}
+		if errors.Is(lastErr, context.DeadlineExceeded) {
+			return lastErr
+		}
+	}
+	return lastErr
+}
+
+// buildWindowsWorkspaceKillScript builds a PowerShell command that `taskkill
+// /T /F`s every process tree whose ExecutablePath or CommandLine references one
+// of the given absolute workspace dirs, releasing file handles for cleanup.
+//
+// Win32_Process is used because it exposes both ExecutablePath and CommandLine
+// (Get-Process doesn't, wmic is deprecated). Both match the dir+separator
+// prefix, so a sibling dir sharing a name prefix (job1 vs job10) is spared.
+// Ordinal String methods, not -like, so path metacharacters ([ ] ? *) stay
+// literal.
+//
+// Pure function so the quote-escaping can be unit-tested without PowerShell.
+func buildWindowsWorkspaceKillScript(dirs []string) string {
+	quoted := make([]string, len(dirs))
+	for i, d := range dirs {
+		// Single-quoted PowerShell literal; escape ' by doubling it.
+		quoted[i] = "'" + strings.ReplaceAll(d, "'", "''") + "'"
+	}
+
+	return `$paths = @(` + strings.Join(quoted, ",") + `)
+$selfPid = $PID
+Get-CimInstance Win32_Process -ErrorAction SilentlyContinue | Where-Object {
+    if ($_.ProcessId -eq $selfPid) { return $false }
+    foreach ($p in $paths) {
+        $prefix = $p + '\'
+        if ($_.ExecutablePath -and $_.ExecutablePath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
+        if ($_.CommandLine -and $_.CommandLine.IndexOf($prefix, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
+    }
+    return $false
+} | ForEach-Object {
+    & taskkill.exe /PID $_.ProcessId /T /F 2>$null | Out-Null
+}
+`
+}
+
+func (e *HostEnvironment) terminateRunningProcesses(ctx context.Context) {
+	if runtime.GOOS != "windows" {
+		return
+	}
+
+	// Detached: exec.CommandContext won't start on a cancelled ctx, and a
+	// server cancel has already cancelled the parent ctx.
+	killCtx, killCancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer killCancel()
+
+	logger := common.Logger(ctx)
+
+	// Workspace dirs we own. Any process running from or referencing one is a
+	// leftover job process. ToolCache is shared across jobs; Workdir only when
+	// we own it (else it's a caller-provided checkout, e.g. act local mode).
+	owned := []string{e.Path, e.TmpDir}
+	if e.CleanWorkdir {
+		owned = append(owned, e.Workdir)
+	}
+	dirs := make([]string, 0, len(owned))
+	for _, d := range owned {
+		if d == "" {
+			continue
+		}
+		abs, err := filepath.Abs(d)
+		if err != nil {
+			continue
+		}
+		dirs = append(dirs, abs)
+	}
+	if len(dirs) == 0 {
+		return
+	}
+
+	script := buildWindowsWorkspaceKillScript(dirs)
+
+	cmd := exec.CommandContext(killCtx, "powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		logger.Debugf("workspace process-tree kill via PowerShell failed: %v output=%s", err, strings.TrimSpace(string(out)))
+	}
+}
+
+// hostCleanupTimeout bounds each filesystem-teardown phase of the host
+// environment so a single stalled delete cannot wedge the runner slot forever.
+// A var (not const) so tests can shrink it.
+var hostCleanupTimeout = 30 * time.Second
+
+// runWithTimeout runs fn in a goroutine and returns once it finishes or timeout
+// elapses, whichever comes first. On timeout the goroutine is left running — an
+// os.RemoveAll blocked inside a delete syscall (AV/EDR filter drivers, an
+// unresponsive network mount, a dying disk) cannot be interrupted — and
+// context.DeadlineExceeded is returned. Leaking the goroutine and the scratch
+// state it was deleting is strictly better than blocking the caller forever and
+// permanently losing the runner's capacity slot; the leaked scratch dir is
+// reclaimed later by the runner's idle stale-dir sweep.
+func runWithTimeout(fn func(), timeout time.Duration) error {
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		fn()
+	}()
+	timer := time.NewTimer(timeout)
+	defer timer.Stop()
+	select {
+	case <-done:
+		return nil
+	case <-timer.C:
+		return context.DeadlineExceeded
+	}
+}
+
+func (e *HostEnvironment) Remove() common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+
+		// Ensure any lingering child processes are ended before attempting
+		// to remove the workspace (Windows file locks otherwise prevent cleanup).
+		e.terminateRunningProcesses(ctx)
+
+		// Only removes per-job misc state. Must not remove the cache/toolcache root.
+		// Bound it: CleanUp is a caller-supplied, typically unbounded os.RemoveAll,
+		// and a delete stalled by a filesystem filter driver would otherwise hang
+		// the job forever at "Cleaning up container" and hold the capacity slot.
+		if e.CleanUp != nil {
+			logger.Debugf("running host environment cleanup callback")
+			if err := runWithTimeout(e.CleanUp, hostCleanupTimeout); err != nil {
+				logger.Warnf("host environment cleanup did not finish within %s; continuing job completion, scratch state may be leaked and is reclaimed by the idle stale-dir sweep", hostCleanupTimeout)
+			} else {
+				logger.Debugf("host environment cleanup callback finished")
+			}
+		}
+
+		// Detach: a cancelled ctx would skip removePathWithRetry's retries,
+		// which absorb Windows file-handle release lag after the kill above.
+		rmCtx, rmCancel := context.WithTimeout(context.Background(), hostCleanupTimeout)
+		defer rmCancel()
+
+		var errs []error
+		if err := removePathWithRetry(rmCtx, e.Path); err != nil {
+			logger.Warnf("failed to remove host misc state %s: %v", e.Path, err)
+			errs = append(errs, err)
+		}
+		if e.CleanWorkdir {
+			if err := removePathWithRetry(rmCtx, e.Workdir); err != nil {
+				logger.Warnf("failed to remove host workspace %s: %v", e.Workdir, err)
+				errs = append(errs, err)
+			}
+		}
+		for _, err := range errs {
+			if !errors.Is(err, context.DeadlineExceeded) {
+				return errors.Join(errs...)
+			}
+		}
+		// Bounded teardown timed out; warnings already logged above. Do not
+		// fail job completion — leaked scratch is reclaimed by the idle sweep.
+		return nil
+	}
+}
+
+func (e *HostEnvironment) ToContainerPath(path string) string {
+	if bp, err := filepath.Rel(e.Workdir, path); err != nil {
+		return filepath.Join(e.Path, bp)
+	} else if filepath.Clean(e.Workdir) == filepath.Clean(path) {
+		return e.Path
+	}
+	return path
+}
+
+func (e *HostEnvironment) GetActPath() string {
+	actPath := e.ActPath
+	if runtime.GOOS == "windows" {
+		actPath = strings.ReplaceAll(actPath, "\\", "/")
+	}
+	return actPath
+}
+
+func (*HostEnvironment) GetPathVariableName() string {
+	switch runtime.GOOS {
+	case "plan9":
+		return "path"
+	case "windows":
+		return "Path" // Actually we need a case insensitive map
+	}
+	return "PATH"
+}
+
+func (e *HostEnvironment) DefaultPathVariable() string {
+	v, _ := os.LookupEnv(e.GetPathVariableName())
+	return v
+}
+
+func (*HostEnvironment) JoinPathVariable(paths ...string) string {
+	return strings.Join(paths, string(filepath.ListSeparator))
+}
+
+// Reference for Arch values for runner.arch
+// https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
+func goArchToActionArch(arch string) string {
+	archMapper := map[string]string{
+		"x86_64":  "X64",
+		"386":     "X86",
+		"aarch64": "ARM64",
+	}
+	if arch, ok := archMapper[arch]; ok {
+		return arch
+	}
+	return arch
+}
+
+func goOsToActionOs(os string) string {
+	osMapper := map[string]string{
+		"darwin": "macOS",
+	}
+	if os, ok := osMapper[os]; ok {
+		return os
+	}
+	return os
+}
+
+func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]any {
+	return map[string]any{
+		"os":         goOsToActionOs(runtime.GOOS),
+		"arch":       goArchToActionArch(runtime.GOARCH),
+		"temp":       e.TmpDir,
+		"tool_cache": e.ToolCache,
+	}
+}
+
+func (e *HostEnvironment) ReplaceLogWriter(stdout, _ io.Writer) (io.Writer, io.Writer) {
+	org := e.StdOut
+	e.StdOut = stdout
+	return org, org
+}
+
+func (*HostEnvironment) IsEnvironmentCaseInsensitive() bool {
+	return runtime.GOOS == "windows"
+}
--- a/act/container/host_environment_test.go
+++ b/act/container/host_environment_test.go
@@ -0,0 +1,363 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.com/gitea/runner/act/common"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Type assert HostEnvironment implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &HostEnvironment{}
+
+func TestCopyDir(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	err := e.CopyDir(e.Workdir, e.Path, true)(ctx)
+	assert.NoError(t, err)
+}
+
+func TestGetContainerArchive(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	expectedContent := []byte("sdde/7sh")
+	err := os.WriteFile(filepath.Join(e.Path, "action.yml"), expectedContent, 0o600)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	archive, err := e.GetContainerArchive(ctx, e.Path)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer archive.Close()
+	reader := tar.NewReader(archive)
+	h, err := reader.Next()
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "action.yml", h.Name)
+	content, err := io.ReadAll(reader)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, expectedContent, content)
+	_, err = reader.Next()
+	assert.ErrorIs(t, err, io.EOF)
+}
+
+func TestHostEnvironmentExecExitCode(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("uses POSIX shell")
+	}
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    io.Discard,
+		Workdir:   filepath.Join(dir, "path"),
+	}
+	for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
+		assert.NoError(t, os.MkdirAll(p, 0o700)) //nolint:testifylint // test setup
+	}
+
+	err := e.Exec([]string{"sh", "-c", "exit 3"}, map[string]string{"PATH": os.Getenv("PATH")}, "", "")(ctx)
+	var exitErr ExitCodeError
+	require.ErrorAs(t, err, &exitErr)
+	assert.Equal(t, ExitCodeError(3), exitErr)
+	assert.Equal(t, "Process completed with exit code 3.", err.Error())
+}
+
+func TestHostEnvironmentAllocatePTY(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("uses POSIX shell")
+	}
+	for _, tc := range []struct {
+		name     string
+		allocPTY bool
+		expect   string
+	}{
+		{name: "off", allocPTY: false, expect: "NOTTY"},
+		{name: "on", allocPTY: true, expect: "TTY"},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			dir := t.TempDir()
+			buf := &bytes.Buffer{}
+			e := &HostEnvironment{
+				Path:        filepath.Join(dir, "path"),
+				TmpDir:      filepath.Join(dir, "tmp"),
+				ToolCache:   filepath.Join(dir, "tool_cache"),
+				ActPath:     filepath.Join(dir, "act_path"),
+				StdOut:      buf,
+				Workdir:     filepath.Join(dir, "path"),
+				AllocatePTY: tc.allocPTY,
+			}
+			for _, p := range []string{e.Path, e.TmpDir, e.ToolCache, e.ActPath} {
+				require.NoError(t, os.MkdirAll(p, 0o700))
+			}
+
+			err := e.Exec(
+				[]string{"sh", "-c", "[ -t 1 ] && printf TTY || printf NOTTY"},
+				map[string]string{"PATH": os.Getenv("PATH")}, "", "",
+			)(context.Background())
+			require.NoError(t, err)
+			got := strings.TrimSpace(strings.ReplaceAll(buf.String(), "\r", ""))
+			assert.Equal(t, tc.expect, got)
+		})
+	}
+}
+
+func TestHostEnvironmentRemovePreservesWorkdirByDefault(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:    path,
+		Workdir: workdir,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	require.NoError(t, err)
+}
+
+func TestHostEnvironmentRemoveCleansWorkdirWhenOwned(t *testing.T) {
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	miscRoot := filepath.Join(base, "misc")
+	path := filepath.Join(miscRoot, "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+	workdir := filepath.Join(base, "workspace", "123", "owner", "repo")
+	require.NoError(t, os.MkdirAll(workdir, 0o700))
+
+	e := &HostEnvironment{
+		Path:         path,
+		Workdir:      workdir,
+		CleanWorkdir: true,
+		CleanUp: func() {
+			_ = os.RemoveAll(miscRoot)
+		},
+		StdOut: os.Stdout,
+	}
+	require.NoError(t, e.Remove()(ctx))
+	_, err := os.Stat(workdir)
+	assert.ErrorIs(t, err, os.ErrNotExist)
+}
+
+func TestRemoveAllWithContextDoesNotHangOnStuckDelete(t *testing.T) {
+	release := make(chan struct{})
+	stubDone := make(chan struct{})
+
+	orig := removeAll
+	removeAll = func(string) error {
+		defer close(stubDone)
+		<-release
+		return nil
+	}
+	// removeAllWithContext intentionally leaks the delete goroutine on timeout,
+	// and that goroutine still references removeAll. Unblock it and wait for it
+	// to return before restoring the var, so the restore can't race the read.
+	t.Cleanup(func() {
+		close(release)
+		<-stubDone
+		removeAll = orig
+	})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	err := removeAllWithContext(ctx, t.TempDir())
+	require.ErrorIs(t, err, context.DeadlineExceeded)
+}
+
+// TestHostEnvironmentRemoveDoesNotHangOnStuckCleanUp guards against a stalled
+// CleanUp callback (e.g. an os.RemoveAll blocked by an AV/EDR filter driver or
+// an unresponsive mount) wedging the runner slot forever at "Cleaning up
+// container". Remove must time out the callback and complete job teardown.
+func TestHostEnvironmentRemoveDoesNotHangOnStuckCleanUp(t *testing.T) {
+	// Keep the suite fast: shrink the per-phase teardown timeout for this test.
+	orig := hostCleanupTimeout
+	hostCleanupTimeout = 100 * time.Millisecond
+	t.Cleanup(func() { hostCleanupTimeout = orig })
+
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	path := filepath.Join(base, "misc", "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+
+	release := make(chan struct{})
+	t.Cleanup(func() { close(release) }) // unblock the leaked goroutine at test end
+
+	e := &HostEnvironment{
+		Path: path,
+		CleanUp: func() {
+			<-release // simulate a delete syscall stuck indefinitely
+		},
+		StdOut: os.Stdout,
+	}
+
+	done := make(chan error, 1)
+	go func() { done <- e.Remove()(ctx) }()
+
+	select {
+	case err := <-done:
+		require.NoError(t, err)
+	case <-time.After(10 * time.Second):
+		t.Fatal("Remove() hung on a stuck CleanUp callback")
+	}
+}
+
+// TestHostEnvironmentRemoveDoesNotHangOnStuckPathRemoval guards against a
+// stalled os.RemoveAll on the misc/workspace paths (same AV/EDR wedge as
+// #1023) wedging job completion after the CleanUp callback has already timed
+// out or finished.
+func TestHostEnvironmentRemoveDoesNotHangOnStuckPathRemoval(t *testing.T) {
+	origTimeout := hostCleanupTimeout
+	hostCleanupTimeout = 100 * time.Millisecond
+	t.Cleanup(func() { hostCleanupTimeout = origTimeout })
+
+	release := make(chan struct{})
+	stubDone := make(chan struct{})
+
+	origRemoveAll := removeAll
+	removeAll = func(string) error {
+		defer close(stubDone)
+		<-release
+		return nil
+	}
+	// The stuck delete goroutine outlives the timed-out Remove and still reads
+	// removeAll; unblock it and wait before restoring to avoid a restore/read race.
+	t.Cleanup(func() {
+		close(release)
+		<-stubDone
+		removeAll = origRemoveAll
+	})
+
+	logger := logrus.New()
+	ctx := common.WithLogger(context.Background(), logrus.NewEntry(logger))
+	base := t.TempDir()
+	path := filepath.Join(base, "misc", "hostexecutor")
+	require.NoError(t, os.MkdirAll(path, 0o700))
+
+	e := &HostEnvironment{
+		Path:   path,
+		StdOut: os.Stdout,
+	}
+
+	done := make(chan error, 1)
+	go func() { done <- e.Remove()(ctx) }()
+
+	select {
+	case err := <-done:
+		require.NoError(t, err)
+	case <-time.After(10 * time.Second):
+		t.Fatal("Remove() hung on a stuck path removal")
+	}
+}
+
+func TestBuildWindowsWorkspaceKillScript(t *testing.T) {
+	t.Run("single dir", func(t *testing.T) {
+		s := buildWindowsWorkspaceKillScript([]string{`C:\workspace\job1`})
+		assert.Contains(t, s, `$paths = @('C:\workspace\job1')`)
+		// Self-PID guard is essential — without it the script could taskkill
+		// the PowerShell process running it.
+		assert.Contains(t, s, "$selfPid = $PID")
+		assert.Contains(t, s, "$_.ProcessId -eq $selfPid")
+		// Must match both ExecutablePath (binaries from the workspace) and
+		// CommandLine (system binaries invoked with workspace paths in args),
+		// both bounded by dir+separator so a name-prefix sibling is spared.
+		assert.Contains(t, s, `$prefix = $p + '\'`)
+		assert.Contains(t, s, "$_.ExecutablePath.StartsWith($prefix")
+		assert.Contains(t, s, "$_.CommandLine.IndexOf($prefix")
+		// Each matched PID must be tree-killed, not just stopped.
+		assert.Contains(t, s, "taskkill.exe /PID $_.ProcessId /T /F")
+	})
+
+	t.Run("multiple dirs comma-separated", func(t *testing.T) {
+		s := buildWindowsWorkspaceKillScript([]string{
+			`C:\work\path`,
+			`C:\work\workdir`,
+			`C:\Users\runner\AppData\Local\Temp\job-42`,
+		})
+		assert.Contains(t, s, `'C:\work\path'`)
+		assert.Contains(t, s, `'C:\work\workdir'`)
+		assert.Contains(t, s, `'C:\Users\runner\AppData\Local\Temp\job-42'`)
+		// Commas between entries — no trailing comma, no leading comma.
+		assert.Contains(t, s, `'C:\work\path','C:\work\workdir',`)
+	})
+
+	t.Run("path with single quote is escaped", func(t *testing.T) {
+		// In PowerShell single-quoted strings the only special char is the
+		// quote itself, escaped by doubling. A workspace path that ever
+		// contained `'` would inject a command into the script otherwise.
+		s := buildWindowsWorkspaceKillScript([]string{`C:\work\it's\path`})
+		assert.Contains(t, s, `'C:\work\it''s\path'`)
+		// And it must NOT appear unescaped — otherwise the quote would
+		// terminate the literal early.
+		assert.NotContains(t, s, `'C:\work\it's\path'`)
+	})
+
+	t.Run("path with wildcard metacharacters is matched literally", func(t *testing.T) {
+		// A path containing [ ] ? * must be embedded verbatim and matched with
+		// ordinal String methods, not -like, otherwise the metacharacters would
+		// be interpreted as wildcards and the leftover process could escape.
+		s := buildWindowsWorkspaceKillScript([]string{`C:\work\[job]?1`})
+		assert.Contains(t, s, `'C:\work\[job]?1'`)
+		assert.NotContains(t, s, "-like")
+		assert.Contains(t, s, "StartsWith")
+		assert.Contains(t, s, "IndexOf")
+	})
+
+	t.Run("empty dir list still produces a valid script", func(t *testing.T) {
+		s := buildWindowsWorkspaceKillScript(nil)
+		// Empty array literal — script runs, matches nothing, is a no-op.
+		assert.Contains(t, s, "$paths = @()")
+		assert.Contains(t, s, "Get-CimInstance Win32_Process")
+	})
+}
--- a/act/container/linux_container_environment_extensions.go
+++ b/act/container/linux_container_environment_extensions.go
@@ -0,0 +1,80 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type LinuxContainerEnvironmentExtensions struct{}
+
+// Resolves the equivalent host path inside the container
+// This is required for windows and WSL 2 to translate things like C:\Users\Myproject to /mnt/users/Myproject
+// For use in docker volumes and binds
+func (*LinuxContainerEnvironmentExtensions) ToContainerPath(path string) string {
+	if runtime.GOOS == "windows" && strings.Contains(path, "/") {
+		log.Error("You cannot specify linux style local paths (/mnt/etc) on Windows as it does not understand them.")
+		return ""
+	}
+
+	abspath, err := filepath.Abs(path)
+	if err != nil {
+		log.Error(err)
+		return ""
+	}
+
+	// Test if the path is a windows path
+	windowsPathRegex := regexp.MustCompile(`^([a-zA-Z]):\\(.+)$`)
+	windowsPathComponents := windowsPathRegex.FindStringSubmatch(abspath)
+
+	// Return as-is if no match
+	if windowsPathComponents == nil {
+		return abspath
+	}
+
+	// Convert to WSL2-compatible path if it is a windows path
+	// NOTE: Cannot use filepath because it will use the wrong path separators assuming we want the path to be windows
+	// based if running on Windows, and because we are feeding this to Docker, GoLang auto-path-translate doesn't work.
+	driveLetter := strings.ToLower(windowsPathComponents[1])
+	translatedPath := strings.ReplaceAll(windowsPathComponents[2], `\`, `/`)
+	// Should make something like /mnt/c/Users/person/My Folder/MyActProject
+	result := strings.Join([]string{"/mnt", driveLetter, translatedPath}, `/`)
+	return result
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetActPath() string {
+	return "/var/run/act"
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetPathVariableName() string {
+	return "PATH"
+}
+
+func (*LinuxContainerEnvironmentExtensions) DefaultPathVariable() string {
+	return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+}
+
+func (*LinuxContainerEnvironmentExtensions) JoinPathVariable(paths ...string) string {
+	return strings.Join(paths, ":")
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetRunnerContext(ctx context.Context) map[string]any {
+	return map[string]any{
+		"os":         "Linux",
+		"arch":       RunnerArch(ctx),
+		"temp":       "/tmp",
+		"tool_cache": "/opt/hostedtoolcache",
+	}
+}
+
+func (*LinuxContainerEnvironmentExtensions) IsEnvironmentCaseInsensitive() bool {
+	return false
+}
--- a/act/container/linux_container_environment_extensions_test.go
+++ b/act/container/linux_container_environment_extensions_test.go
@@ -0,0 +1,70 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestContainerPath(t *testing.T) {
+	type containerPathJob struct {
+		destinationPath string
+		sourcePath      string
+		workDir         string
+	}
+
+	linuxcontainerext := &LinuxContainerEnvironmentExtensions{}
+
+	if runtime.GOOS == "windows" {
+		cwd, err := os.Getwd()
+		if err != nil {
+			log.Error(err)
+		}
+
+		rootDrive := os.Getenv("SystemDrive")
+		rootDriveLetter := strings.ReplaceAll(strings.ToLower(rootDrive), `:`, "")
+		for _, v := range []containerPathJob{
+			{"/mnt/c/Users/act/go/src/github.com/nektos/act", "C:\\Users\\act\\go\\src\\github.com\\nektos\\act\\", ""},
+			{"/mnt/f/work/dir", `F:\work\dir`, ""},
+			{"/mnt/c/windows/to/unix", "windows\\to\\unix", rootDrive + "\\"},
+			{fmt.Sprintf("/mnt/%v/act", rootDriveLetter), "act", rootDrive + "\\"},
+		} {
+			if v.workDir != "" {
+				t.Chdir(v.workDir)
+			}
+
+			assert.Equal(t, v.destinationPath, linuxcontainerext.ToContainerPath(v.sourcePath))
+		}
+
+		t.Chdir(cwd)
+	} else {
+		cwd, err := os.Getwd()
+		if err != nil {
+			log.Error(err)
+		}
+		for _, v := range []containerPathJob{
+			{"/home/act/go/src/github.com/nektos/act", "/home/act/go/src/github.com/nektos/act", ""},
+			{"/home/act", `/home/act/`, ""},
+			{cwd, ".", ""},
+		} {
+			assert.Equal(t, v.destinationPath, linuxcontainerext.ToContainerPath(v.sourcePath))
+		}
+	}
+}
+
+type typeAssertMockContainer struct {
+	Container
+	LinuxContainerEnvironmentExtensions
+}
+
+// Type assert Container + LinuxContainerEnvironmentExtensions implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &typeAssertMockContainer{}
--- a/act/container/parse_env_file.go
+++ b/act/container/parse_env_file.go
@@ -0,0 +1,72 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	"gitea.com/gitea/runner/act/common"
+)
+
+func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Executor {
+	localEnv := *env
+	return func(ctx context.Context) error {
+		envTar, err := e.GetContainerArchive(ctx, srcPath)
+		if err != nil {
+			return nil
+		}
+		defer envTar.Close()
+		reader := tar.NewReader(envTar)
+		_, err = reader.Next()
+		if err != nil && err != io.EOF {
+			return err
+		}
+		s := bufio.NewScanner(reader)
+		// Default 64 KiB max token size is too small for realistic env-file lines; allow up to 16 MiB.
+		s.Buffer(make([]byte, 0, 64*1024), 16*1024*1024)
+		for s.Scan() {
+			line := s.Text()
+			singleLineEnv := strings.Index(line, "=")
+			multiLineEnv := strings.Index(line, "<<")
+			if singleLineEnv != -1 && (multiLineEnv == -1 || singleLineEnv < multiLineEnv) {
+				localEnv[line[:singleLineEnv]] = line[singleLineEnv+1:]
+			} else if multiLineEnv != -1 {
+				multiLineEnvContent := ""
+				multiLineEnvDelimiter := line[multiLineEnv+2:]
+				delimiterFound := false
+				for s.Scan() {
+					content := s.Text()
+					if content == multiLineEnvDelimiter {
+						delimiterFound = true
+						break
+					}
+					if multiLineEnvContent != "" {
+						multiLineEnvContent += "\n"
+					}
+					multiLineEnvContent += content
+				}
+				if err := s.Err(); err != nil {
+					return fmt.Errorf("reading env file: %w", err)
+				}
+				if !delimiterFound {
+					return fmt.Errorf("invalid format delimiter '%v' not found before end of file", multiLineEnvDelimiter)
+				}
+				localEnv[line[:multiLineEnv]] = multiLineEnvContent
+			} else {
+				return fmt.Errorf("invalid format '%v', expected a line with '=' or '<<'", line)
+			}
+		}
+		if err := s.Err(); err != nil {
+			return fmt.Errorf("reading env file: %w", err)
+		}
+		env = &localEnv
+		return nil
+	}
+}
--- a/act/container/parse_env_file_test.go
+++ b/act/container/parse_env_file_test.go
@@ -0,0 +1,75 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"bufio"
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func newTestHostEnv(t *testing.T) (*HostEnvironment, string) {
+	t.Helper()
+	e := &HostEnvironment{Path: t.TempDir()}
+	return e, filepath.Join(e.Path, "envfile")
+}
+
+func TestParseEnvFileSingleLine(t *testing.T) {
+	e, envPath := newTestHostEnv(t)
+	require.NoError(t, os.WriteFile(envPath, []byte("FOO=bar\nBAZ=qux\n"), 0o600))
+
+	env := map[string]string{}
+	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
+	assert.Equal(t, "bar", env["FOO"])
+	assert.Equal(t, "qux", env["BAZ"])
+}
+
+func TestParseEnvFileMultiLine(t *testing.T) {
+	e, envPath := newTestHostEnv(t)
+	content := "FOO<<EOF\nline1\nline2\nEOF\n"
+	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
+
+	env := map[string]string{}
+	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
+	assert.Equal(t, "line1\nline2", env["FOO"])
+}
+
+func TestParseEnvFileLargeValueWithinLimit(t *testing.T) {
+	e, envPath := newTestHostEnv(t)
+	big := strings.Repeat("x", 2*1024*1024)
+	content := "FOO<<EOF\n" + big + "\nEOF\n"
+	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
+
+	env := map[string]string{}
+	require.NoError(t, parseEnvFile(e, envPath, &env)(context.Background()))
+	assert.Equal(t, big, env["FOO"])
+}
+
+func TestParseEnvFileLineExceedsBufferReportsScannerError(t *testing.T) {
+	e, envPath := newTestHostEnv(t)
+	tooBig := strings.Repeat("x", 17*1024*1024) // over the 16 MiB cap
+	content := "FOO<<EOF\n" + tooBig + "\nEOF\n"
+	require.NoError(t, os.WriteFile(envPath, []byte(content), 0o600))
+
+	env := map[string]string{}
+	err := parseEnvFile(e, envPath, &env)(context.Background())
+	require.ErrorIs(t, err, bufio.ErrTooLong)
+	assert.Contains(t, err.Error(), "reading env file")
+}
+
+func TestParseEnvFileMissingDelimiter(t *testing.T) {
+	e, envPath := newTestHostEnv(t)
+	require.NoError(t, os.WriteFile(envPath, []byte("FOO<<EOF\nline1\nline2\n"), 0o600))
+
+	env := map[string]string{}
+	err := parseEnvFile(e, envPath, &env)(context.Background())
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "delimiter")
+}
--- a/act/container/process_other.go
+++ b/act/container/process_other.go
@@ -0,0 +1,29 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build plan9
+
+package container
+
+import "os"
+
+// processKiller falls back to single-process termination on platforms without
+// a process-group / Job Object tree-kill. The Job Object (Windows) and process
+// group (Unix) based tree-kills live in process_windows.go / process_unix.go;
+// here we just kill the direct child, matching the previous default behaviour.
+type processKiller struct {
+	p *os.Process
+}
+
+func newProcessKiller(p *os.Process) (*processKiller, error) {
+	return &processKiller{p: p}, nil
+}
+
+func (k *processKiller) Kill() error {
+	if k == nil || k.p == nil {
+		return nil
+	}
+	return k.p.Kill()
+}
+
+func (k *processKiller) Close() error { return nil }
--- a/act/container/process_unix.go
+++ b/act/container/process_unix.go
@@ -0,0 +1,56 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !windows && !plan9
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+// processKiller terminates a step process together with its whole process
+// group, which is the Unix counterpart of the Windows Job Object tree-kill.
+//
+// Background: a step often launches a process tree (a shell that starts a child
+// which in turn spawns further background processes). The default
+// exec.CommandContext cancellation only kills the direct child, so cancelling a
+// job left the rest of the tree running. Because those orphans inherited the
+// step's stdout/stderr pipe, cmd.Wait() also blocked forever and the runner
+// hung.
+//
+// Steps are started with Setpgid (or Setsid for the PTY path, see
+// getSysProcAttr), which makes the step process the leader of a new process
+// group whose ID equals its PID. Signalling the negative PID delivers to every
+// process still in that group, so we can tear down the whole tree atomically on
+// cancellation, which also closes the inherited pipe handles so cmd.Wait() can
+// return.
+type processKiller struct {
+	pgid int
+}
+
+// newProcessKiller captures the process group of p (an already-started
+// process). Because the step is launched with Setpgid/Setsid, p is a group
+// leader and its PGID equals its PID; children spawned afterwards stay in the
+// same group unless they explicitly create their own.
+func newProcessKiller(p *os.Process) (*processKiller, error) {
+	return &processKiller{pgid: p.Pid}, nil
+}
+
+// Kill sends SIGKILL to the entire process group (the step process and every
+// descendant that stayed in the group). A missing group (ESRCH) means the
+// processes already exited and is not treated as an error.
+func (k *processKiller) Kill() error {
+	if k == nil || k.pgid <= 0 {
+		return nil
+	}
+	if err := syscall.Kill(-k.pgid, syscall.SIGKILL); err != nil && !errors.Is(err, syscall.ESRCH) {
+		return err
+	}
+	return nil
+}
+
+// Close is a no-op on Unix; there is no job handle to release.
+func (k *processKiller) Close() error { return nil }
--- a/act/container/process_unix_test.go
+++ b/act/container/process_unix_test.go
@@ -0,0 +1,100 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !windows && !plan9
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+// processAlive reports whether pid refers to a still-running process. Signal 0
+// performs error checking without delivering a signal: a nil error (or EPERM)
+// means the process exists, ESRCH means it is gone.
+//
+// On Linux, zombie processes (state Z in /proc/<pid>/stat) appear alive to
+// kill(0) but have already terminated — their corpse lingers until the parent
+// calls wait(). In a Docker container the child may be reparented to a PID 1
+// that does not reap promptly, so we treat zombies as not alive.
+func processAlive(pid int) bool {
+	err := syscall.Kill(pid, 0)
+	if err != nil {
+		return false
+	}
+	// On Linux /proc is available; check whether the process is a zombie.
+	if b, readErr := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid)); readErr == nil {
+		// Format: "pid (comm) state ..." — state follows the closing ')' of the
+		// command name (which may itself contain spaces and parens).
+		rest := string(b)
+		if idx := strings.LastIndex(rest, ") "); idx >= 0 {
+			fields := strings.Fields(rest[idx+2:])
+			if len(fields) > 0 && fields[0] == "Z" {
+				return false // zombie: terminated but not yet reaped
+			}
+		}
+	}
+	return true
+}
+
+// TestProcessKillerKillsTree verifies that a process group captured by the
+// killer is terminated together with a child the step spawns afterwards. This
+// mirrors a step that launches a child which spawns further processes, where
+// cancelling the job must take down the whole tree, not just the direct child.
+func TestProcessKillerKillsTree(t *testing.T) {
+	dir := t.TempDir()
+	pidFile := filepath.Join(dir, "child.pid")
+
+	// Parent shell backgrounds a long-lived child (writing its PID to a file)
+	// and then sleeps. With job control off (non-interactive sh) the backgrounded
+	// child stays in the parent's process group, so the group kill must reach it.
+	script := fmt.Sprintf(`sleep 600 & echo $! > %q; sleep 600`, pidFile)
+	cmd := exec.Command("/bin/sh", "-c", script)
+	// Launch as its own process-group leader, exactly like a real step does (see
+	// getSysProcAttr), so the killer's PGID == the process PID.
+	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
+	require.NoError(t, cmd.Start())
+	t.Cleanup(func() {
+		_ = syscall.Kill(-cmd.Process.Pid, syscall.SIGKILL)
+		_ = cmd.Wait()
+	})
+
+	killer, err := newProcessKiller(cmd.Process)
+	require.NoError(t, err)
+	defer killer.Close()
+
+	// Wait for the backgrounded child PID to be reported.
+	var childPID int
+	require.Eventually(t, func() bool {
+		b, e := os.ReadFile(pidFile)
+		if e != nil {
+			return false
+		}
+		s := strings.TrimSpace(string(b))
+		if s == "" {
+			return false
+		}
+		childPID, _ = strconv.Atoi(s)
+		return childPID > 0 && processAlive(childPID)
+	}, 20*time.Second, 100*time.Millisecond, "child process should start")
+
+	// Killing the group must terminate both the parent and the backgrounded child.
+	require.NoError(t, killer.Kill())
+	// Reap the parent so it does not linger as a zombie (which would still report
+	// as alive); SIGKILL makes Wait return promptly.
+	_ = cmd.Wait()
+
+	require.Eventually(t, func() bool {
+		return !processAlive(childPID)
+	}, 20*time.Second, 100*time.Millisecond, "backgrounded child should be terminated")
+}
--- a/act/container/process_windows.go
+++ b/act/container/process_windows.go
@@ -0,0 +1,71 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"os"
+
+	"golang.org/x/sys/windows"
+)
+
+// processKiller terminates a step process together with its entire descendant
+// tree via a Windows Job Object.
+//
+// Background: a step often launches a process tree (a shell that starts a
+// child which in turn spawns further GUI or background processes). The default
+// exec.CommandContext cancellation only kills the direct child, so cancelling a
+// job left the rest of the tree running. Because those orphans inherited the
+// step's stdout/stderr pipe, cmd.Wait() also blocked forever and the runner hung.
+//
+// Assigning the step process to a Job Object lets us kill the whole tree
+// atomically on cancellation (TerminateJobObject), which also closes the
+// inherited pipe handles so cmd.Wait() can return.
+type processKiller struct {
+	job windows.Handle
+}
+
+// newProcessKiller creates a Job Object and assigns p (an already-started
+// process) to it. Children spawned by p afterwards are automatically part of
+// the job. The job does NOT use JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE, so closing
+// the handle on normal completion does not kill legitimate background
+// processes; the tree is only torn down by an explicit Kill (cancellation).
+func newProcessKiller(p *os.Process) (*processKiller, error) {
+	job, err := windows.CreateJobObject(nil, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	h, err := windows.OpenProcess(windows.PROCESS_SET_QUOTA|windows.PROCESS_TERMINATE, false, uint32(p.Pid))
+	if err != nil {
+		windows.CloseHandle(job)
+		return nil, err
+	}
+	defer windows.CloseHandle(h)
+
+	if err := windows.AssignProcessToJobObject(job, h); err != nil {
+		windows.CloseHandle(job)
+		return nil, err
+	}
+
+	return &processKiller{job: job}, nil
+}
+
+// Kill terminates every process currently assigned to the job (the step process
+// and all of its descendants).
+func (k *processKiller) Kill() error {
+	if k == nil || k.job == 0 {
+		return nil
+	}
+	return windows.TerminateJobObject(k.job, 1)
+}
+
+// Close releases the job handle. It does not terminate the processes.
+func (k *processKiller) Close() error {
+	if k == nil || k.job == 0 {
+		return nil
+	}
+	h := k.job
+	k.job = 0
+	return windows.CloseHandle(h)
+}
--- a/act/container/process_windows_test.go
+++ b/act/container/process_windows_test.go
@@ -0,0 +1,78 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/windows"
+)
+
+// processAlive reports whether pid refers to a still-running process.
+func processAlive(pid int) bool {
+	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
+	if err != nil {
+		return false
+	}
+	defer windows.CloseHandle(h)
+	var code uint32
+	if err := windows.GetExitCodeProcess(h, &code); err != nil {
+		return false
+	}
+	const stillActive = 259 // STILL_ACTIVE
+	return code == stillActive
+}
+
+// TestProcessKillerKillsTree verifies that a process assigned to the Job Object
+// is terminated together with a child it spawns afterwards. This mirrors a step
+// that launches a child which spawns further processes, where cancelling the
+// job must take down the whole tree, not just the direct child.
+func TestProcessKillerKillsTree(t *testing.T) {
+	dir := t.TempDir()
+	pidFile := filepath.Join(dir, "child.pid")
+
+	// Parent powershell spawns a detached, long-lived child powershell (writing
+	// its PID to a file) and then sleeps. The child is launched AFTER the parent
+	// has been assigned to the job, so it must be captured by the job too.
+	script := fmt.Sprintf(
+		`$c = Start-Process powershell -PassThru -ArgumentList '-NoProfile','-Command','Start-Sleep -Seconds 600'; `+
+			`Set-Content -LiteralPath %q -Value $c.Id; Start-Sleep -Seconds 600`, pidFile)
+	cmd := exec.Command("powershell.exe", "-NoProfile", "-Command", script)
+	require.NoError(t, cmd.Start())
+	t.Cleanup(func() { _ = cmd.Process.Kill() })
+
+	killer, err := newProcessKiller(cmd.Process)
+	require.NoError(t, err)
+	defer killer.Close()
+
+	// Wait for the child PID to be reported.
+	var childPID int
+	require.Eventually(t, func() bool {
+		b, e := os.ReadFile(pidFile)
+		if e != nil {
+			return false
+		}
+		s := strings.TrimSpace(string(b))
+		if s == "" {
+			return false
+		}
+		childPID, _ = strconv.Atoi(s)
+		return childPID > 0 && processAlive(childPID)
+	}, 20*time.Second, 200*time.Millisecond, "child process should start")
+
+	// Killing the job must terminate both the parent and the detached child.
+	require.NoError(t, killer.Kill())
+
+	require.Eventually(t, func() bool {
+		return !processAlive(cmd.Process.Pid) && !processAlive(childPID)
+	}, 20*time.Second, 200*time.Millisecond, "parent and child should both be terminated")
+}
--- a/act/container/testdata/Dockerfile
+++ b/act/container/testdata/Dockerfile
@@ -0,0 +1,5 @@
+FROM scratch
+ENV PATH="/this/path/does/not/exists/anywhere:/this/either"
+ENV SOME_RANDOM_VAR=""
+ENV ANOTHER_ONE="BUT_I_HAVE_VALUE"
+ENV CONFLICT_VAR="I_EXIST_ONLY_HERE"
--- a/act/container/testdata/docker-pull-options/config.json
+++ b/act/container/testdata/docker-pull-options/config.json
@@ -0,0 +1,7 @@
+{
+  "auths": {
+          "https://index.docker.io/v1/": {
+                  "auth": "dXNlcm5hbWU6cGFzc3dvcmQK"
+          }
+  }
+}
--- a/act/container/testdata/scratch/test.txt
+++ b/act/container/testdata/scratch/test.txt
@@ -0,0 +1 @@
+testfile
--- a/act/container/testdata/utf16.env
+++ b/act/container/testdata/utf16.env
--- a/act/container/testdata/utf16be.env
+++ b/act/container/testdata/utf16be.env
--- a/act/container/testdata/utf8.env
+++ b/act/container/testdata/utf8.env
@@ -0,0 +1,3 @@
+FOO=BAR
+HELLO=您好
+BAR=FOO
--- a/act/container/testdata/valid.env
+++ b/act/container/testdata/valid.env
@@ -0,0 +1 @@
+ENV1=value1
--- a/act/container/testdata/valid.label
+++ b/act/container/testdata/valid.label
@@ -0,0 +1 @@
+LABEL1=value1
--- a/act/container/util.go
+++ b/act/container/util.go
@@ -0,0 +1,30 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build (!windows && !plan9 && !openbsd) || (!windows && !plan9 && !mips64)
+
+package container
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/creack/pty"
+)
+
+func getSysProcAttr(_ string, tty bool) *syscall.SysProcAttr {
+	if tty {
+		return &syscall.SysProcAttr{
+			Setsid:  true,
+			Setctty: true,
+		}
+	}
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return pty.Open()
+}
--- a/act/container/util_openbsd_mips64.go
+++ b/act/container/util_openbsd_mips64.go
@@ -0,0 +1,21 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/container/util_plan9.go
+++ b/act/container/util_plan9.go
@@ -0,0 +1,21 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Rfork: syscall.RFNOTEG,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/container/util_windows.go
+++ b/act/container/util_windows.go
@@ -0,0 +1,19 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{CmdLine: cmdLine, CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/exprparser/functions.go
+++ b/act/exprparser/functions.go
@@ -0,0 +1,300 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/rhysd/actionlint"
+)
+
+func (impl *interperterImpl) contains(search, item reflect.Value) (bool, error) {
+	switch search.Kind() {
+	case reflect.String, reflect.Int, reflect.Float64, reflect.Bool, reflect.Invalid:
+		return strings.Contains(
+			strings.ToLower(impl.coerceToString(search).String()),
+			strings.ToLower(impl.coerceToString(item).String()),
+		), nil
+
+	case reflect.Slice:
+		for i := 0; i < search.Len(); i++ {
+			arrayItem := search.Index(i).Elem()
+			result, err := impl.compareValues(arrayItem, item, actionlint.CompareOpNodeKindEq)
+			if err != nil {
+				return false, err
+			}
+
+			if isEqual, ok := result.(bool); ok && isEqual {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func (impl *interperterImpl) startsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return strings.HasPrefix(
+		strings.ToLower(impl.coerceToString(searchString).String()),
+		strings.ToLower(impl.coerceToString(searchValue).String()),
+	), nil
+}
+
+func (impl *interperterImpl) endsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return strings.HasSuffix(
+		strings.ToLower(impl.coerceToString(searchString).String()),
+		strings.ToLower(impl.coerceToString(searchValue).String()),
+	), nil
+}
+
+const (
+	passThrough = iota
+	bracketOpen
+	bracketClose
+)
+
+func (impl *interperterImpl) format(str reflect.Value, replaceValue ...reflect.Value) (string, error) {
+	input := impl.coerceToString(str).String()
+	var output strings.Builder
+	replacementIndex := ""
+
+	state := passThrough
+	for _, character := range input {
+		switch state {
+		case passThrough: // normal buffer output
+			switch character {
+			case '{':
+				state = bracketOpen
+
+			case '}':
+				state = bracketClose
+
+			default:
+				output.WriteRune(character)
+			}
+
+		case bracketOpen: // found {
+			switch character {
+			case '{':
+				output.WriteString("{")
+				replacementIndex = ""
+				state = passThrough
+
+			case '}':
+				index, err := strconv.ParseInt(replacementIndex, 10, 32)
+				if err != nil {
+					return "", fmt.Errorf("The following format string is invalid: '%s'", input)
+				}
+
+				replacementIndex = ""
+
+				if len(replaceValue) <= int(index) {
+					return "", fmt.Errorf("The following format string references more arguments than were supplied: '%s'", input)
+				}
+
+				output.WriteString(impl.coerceToString(replaceValue[index]).String())
+
+				state = passThrough
+
+			default:
+				replacementIndex += string(character)
+			}
+
+		case bracketClose: // found }
+			switch character {
+			case '}':
+				output.WriteString("}")
+				replacementIndex = ""
+				state = passThrough
+
+			default:
+				panic("Invalid format parser state")
+			}
+		}
+	}
+
+	if state != passThrough {
+		switch state {
+		case bracketOpen:
+			return "", fmt.Errorf("Unclosed brackets. The following format string is invalid: '%s'", input)
+
+		case bracketClose:
+			return "", fmt.Errorf("Closing bracket without opening one. The following format string is invalid: '%s'", input)
+		}
+	}
+
+	return output.String(), nil
+}
+
+func (impl *interperterImpl) join(array, sep reflect.Value) (string, error) { //nolint:unparam // pre-existing issue from nektos/act
+	separator := impl.coerceToString(sep).String()
+	switch array.Kind() {
+	case reflect.Slice:
+		var items []string
+		for i := 0; i < array.Len(); i++ {
+			items = append(items, impl.coerceToString(array.Index(i).Elem()).String())
+		}
+
+		return strings.Join(items, separator), nil
+	default:
+		return strings.Join([]string{impl.coerceToString(array).String()}, separator), nil
+	}
+}
+
+func (impl *interperterImpl) toJSON(value reflect.Value) (string, error) {
+	if value.Kind() == reflect.Invalid {
+		return "null", nil
+	}
+
+	json, err := json.MarshalIndent(value.Interface(), "", "  ")
+	if err != nil {
+		return "", fmt.Errorf("Cannot convert value to JSON. Cause: %v", err)
+	}
+
+	return string(json), nil
+}
+
+func (impl *interperterImpl) fromJSON(value reflect.Value) (any, error) {
+	if value.Kind() != reflect.String {
+		return nil, fmt.Errorf("Cannot parse non-string type %v as JSON", value.Kind())
+	}
+
+	var data any
+
+	err := json.Unmarshal([]byte(value.String()), &data)
+	if err != nil {
+		return nil, fmt.Errorf("Invalid JSON: %v", err)
+	}
+
+	return data, nil
+}
+
+func (impl *interperterImpl) hashFiles(paths ...reflect.Value) (string, error) {
+	var ps []gitignore.Pattern
+
+	const cwdPrefix = "." + string(filepath.Separator)
+	const excludeCwdPrefix = "!" + cwdPrefix
+	for _, path := range paths {
+		if path.Kind() == reflect.String {
+			cleanPath := path.String()
+			if strings.HasPrefix(cleanPath, cwdPrefix) {
+				cleanPath = cleanPath[len(cwdPrefix):]
+			} else if strings.HasPrefix(cleanPath, excludeCwdPrefix) {
+				cleanPath = "!" + cleanPath[len(excludeCwdPrefix):]
+			}
+			ps = append(ps, gitignore.ParsePattern(cleanPath, nil))
+		} else {
+			return "", errors.New("Non-string path passed to hashFiles")
+		}
+	}
+
+	matcher := gitignore.NewMatcher(ps)
+
+	var files []string
+	if err := filepath.Walk(impl.config.WorkingDir, func(path string, fi fs.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		sansPrefix := strings.TrimPrefix(path, impl.config.WorkingDir+string(filepath.Separator))
+		parts := strings.Split(sansPrefix, string(filepath.Separator))
+		if fi.IsDir() || !matcher.Match(parts, fi.IsDir()) {
+			return nil
+		}
+		files = append(files, path)
+		return nil
+	}); err != nil {
+		return "", fmt.Errorf("Unable to filepath.Walk: %v", err)
+	}
+
+	if len(files) == 0 {
+		return "", nil
+	}
+
+	hasher := sha256.New()
+
+	for _, file := range files {
+		f, err := os.Open(file)
+		if err != nil {
+			return "", fmt.Errorf("Unable to os.Open: %v", err)
+		}
+
+		if _, err := io.Copy(hasher, f); err != nil {
+			return "", fmt.Errorf("Unable to io.Copy: %v", err)
+		}
+
+		if err := f.Close(); err != nil {
+			return "", fmt.Errorf("Unable to Close file: %v", err)
+		}
+	}
+
+	return hex.EncodeToString(hasher.Sum(nil)), nil
+}
+
+func (impl *interperterImpl) getNeedsTransitive(job *model.Job) []string {
+	needs := job.Needs()
+
+	for _, need := range needs {
+		parentNeeds := impl.getNeedsTransitive(impl.config.Run.Workflow.GetJob(need))
+		needs = append(needs, parentNeeds...)
+	}
+
+	return needs
+}
+
+func (impl *interperterImpl) always() (bool, error) {
+	return true, nil
+}
+
+func (impl *interperterImpl) jobSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	jobs := impl.config.Run.Workflow.Jobs
+	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
+
+	for _, needs := range jobNeeds {
+		if jobs[needs].Result != "success" {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
+
+func (impl *interperterImpl) stepSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "success", nil
+}
+
+func (impl *interperterImpl) jobFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	jobs := impl.config.Run.Workflow.Jobs
+	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
+
+	for _, needs := range jobNeeds {
+		if jobs[needs].Result == "failure" {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (impl *interperterImpl) stepFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "failure", nil
+}
+
+func (impl *interperterImpl) cancelled() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "cancelled", nil
+}
--- a/act/exprparser/functions_test.go
+++ b/act/exprparser/functions_test.go
@@ -0,0 +1,256 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"path/filepath"
+	"testing"
+
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFunctionContains(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"contains('search', 'item') }}", false, "contains-str-str"},
+		{`cOnTaInS('Hello', 'll') }}`, true, "contains-str-casing"},
+		{`contains('HELLO', 'll') }}`, true, "contains-str-casing"},
+		{`contains('3.141592', 3.14) }}`, true, "contains-str-number"},
+		{`contains(3.141592, '3.14') }}`, true, "contains-number-str"},
+		{`contains(3.141592, 3.14) }}`, true, "contains-number-number"},
+		{`contains(true, 'u') }}`, true, "contains-bool-str"},
+		{`contains(null, '') }}`, true, "contains-null-str"},
+		{`contains(fromJSON('["first","second"]'), 'first') }}`, true, "contains-item"},
+		{`contains(fromJSON('[null,"second"]'), '') }}`, true, "contains-item-null-empty-str"},
+		{`contains(fromJSON('["","second"]'), null) }}`, true, "contains-item-empty-str-null"},
+		{`contains(fromJSON('[true,"second"]'), 'true') }}`, false, "contains-item-bool-arr"},
+		{`contains(fromJSON('["true","second"]'), true) }}`, false, "contains-item-str-bool"},
+		{`contains(fromJSON('[3.14,"second"]'), '3.14') }}`, true, "contains-item-number-str"},
+		{`contains(fromJSON('[3.14,"second"]'), 3.14) }}`, true, "contains-item-number-number"},
+		{`contains(fromJSON('["","second"]'), fromJSON('[]')) }}`, false, "contains-item-str-arr"},
+		{`contains(fromJSON('["","second"]'), fromJSON('{}')) }}`, false, "contains-item-str-obj"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionStartsWith(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"startsWith('search', 'se') }}", true, "startswith-string"},
+		{"startsWith('search', 'sa') }}", false, "startswith-string"},
+		{"startsWith('123search', '123s') }}", true, "startswith-string"},
+		{"startsWith(123, 's') }}", false, "startswith-string"},
+		{"startsWith(123, '12') }}", true, "startswith-string"},
+		{"startsWith('123', 12) }}", true, "startswith-string"},
+		{"startsWith(null, '42') }}", false, "startswith-string"},
+		{"startsWith('null', null) }}", true, "startswith-string"},
+		{"startsWith('null', '') }}", true, "startswith-string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionEndsWith(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"endsWith('search', 'ch') }}", true, "endsWith-string"},
+		{"endsWith('search', 'sa') }}", false, "endsWith-string"},
+		{"endsWith('search123s', '123s') }}", true, "endsWith-string"},
+		{"endsWith(123, 's') }}", false, "endsWith-string"},
+		{"endsWith(123, '23') }}", true, "endsWith-string"},
+		{"endsWith('123', 23) }}", true, "endsWith-string"},
+		{"endsWith(null, '42') }}", false, "endsWith-string"},
+		{"endsWith('null', null) }}", true, "endsWith-string"},
+		{"endsWith('null', '') }}", true, "endsWith-string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionJoin(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"join(fromJSON('[\"a\", \"b\"]'), ',')", "a,b", "join-arr"},
+		{"join('string', ',')", "string", "join-str"},
+		{"join(1, ',')", "1", "join-number"},
+		{"join(null, ',')", "", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\", null]'), null)", "ab", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\"]'))", "a,b", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\", null]'), 1)", "a1b1", "join-number"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionToJSON(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"toJSON(env) }}", "{\n  \"key\": \"value\"\n}", "toJSON"},
+		{"toJSON(null)", "null", "toJSON-null"},
+	}
+
+	env := &EvaluationEnvironment{
+		Env: map[string]string{
+			"key": "value",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionFromJSON(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"fromJSON('{\"foo\":\"bar\"}') }}", map[string]any{
+			"foo": "bar",
+		}, "fromJSON"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionHashFiles(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"hashFiles('**/non-extant-files') }}", "", "hash-non-existing-file"},
+		{"hashFiles('**/non-extant-files', '**/more-non-extant-files') }}", "", "hash-multiple-non-existing-files"},
+		{"hashFiles('./for-hashing-1.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-single-file"},
+		{"hashFiles('./for-hashing-*.txt') }}", "8e5935e7e13368cd9688fe8f48a0955293676a021562582c7e848dafe13fb046", "hash-multiple-files"},
+		{"hashFiles('./for-hashing-*.txt', '!./for-hashing-2.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-negative-pattern"},
+		{"hashFiles('./for-hashing-**') }}", "c418ba693753c84115ced0da77f876cddc662b9054f4b129b90f822597ee2f94", "hash-multiple-files-and-directories"},
+		{"hashFiles('./for-hashing-3/**') }}", "6f5696b546a7a9d6d42a449dc9a56bef244aaa826601ef27466168846139d2c2", "hash-nested-directories"},
+		{"hashFiles('./for-hashing-3/**/nested-data.txt') }}", "8ecadfb49f7f978d0a9f3a957e9c8da6cc9ab871f5203b5d9f9d1dc87d8af18c", "hash-nested-directories-2"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			workdir, err := filepath.Abs("testdata")
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			output, err := NewInterpeter(env, Config{WorkingDir: workdir}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionFormat(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		error    any
+		name     string
+	}{
+		{"format('text')", "text", nil, "format-plain-string"},
+		{"format('Hello {0} {1} {2}!', 'Mona', 'the', 'Octocat')", "Hello Mona the Octocat!", nil, "format-with-placeholders"},
+		{"format('{{Hello {0} {1} {2}!}}', 'Mona', 'the', 'Octocat')", "{Hello Mona the Octocat!}", nil, "format-with-escaped-braces"},
+		{"format('{{0}}', 'test')", "{0}", nil, "format-with-escaped-braces"},
+		{"format('{{{0}}}', 'test')", "{test}", nil, "format-with-escaped-braces-and-value"},
+		{"format('}}')", "}", nil, "format-output-closing-brace"},
+		{`format('Hello "{0}" {1} {2} {3} {4}', null, true, -3.14, NaN, Infinity)`, `Hello "" true -3.14 NaN Infinity`, nil, "format-with-primitives"},
+		{`format('Hello "{0}" {1} {2}', fromJSON('[0, true, "abc"]'), fromJSON('[{"a":1}]'), fromJSON('{"a":{"b":1}}'))`, `Hello "Array" Array Object`, nil, "format-with-complex-types"},
+		{"format(true)", "true", nil, "format-with-primitive-args"},
+		{"format('echo Hello {0} ${{Test}}', github.undefined_property)", "echo Hello  ${Test}", nil, "format-with-undefined-value"},
+		{"format('{0}}', '{1}', 'World')", nil, "Closing bracket without opening one. The following format string is invalid: '{0}}'", "format-invalid-format-string"},
+		{"format('{0', '{1}', 'World')", nil, "Unclosed brackets. The following format string is invalid: '{0'", "format-invalid-format-string"},
+		{"format('{2}', '{1}', 'World')", "", "The following format string references more arguments than were supplied: '{2}'", "format-invalid-replacement-reference"},
+		{"format('{2147483648}')", "", "The following format string is invalid: '{2147483648}'", "format-invalid-replacement-reference"},
+		{"format('{0} {1} {2} {3}', 1.0, 1.1, 1234567890.0, 12345678901234567890.0)", "1 1.1 1234567890 1.23456789012346E+19", nil, "format-floats"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			if tt.error != nil {
+				assert.Equal(t, tt.error, err.Error())
+			} else {
+				assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.expected, output)
+			}
+		})
+	}
+}
--- a/act/exprparser/interpreter.go
+++ b/act/exprparser/interpreter.go
@@ -0,0 +1,644 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"encoding"
+	"errors"
+	"fmt"
+	"math"
+	"reflect"
+	"strings"
+
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/rhysd/actionlint"
+)
+
+type EvaluationEnvironment struct {
+	Github    *model.GithubContext
+	Env       map[string]string
+	Job       *model.JobContext
+	Jobs      *map[string]*model.WorkflowCallResult
+	Steps     map[string]*model.StepResult
+	Runner    map[string]any
+	Secrets   map[string]string
+	Vars      map[string]string
+	Strategy  map[string]any
+	Matrix    map[string]any
+	Needs     map[string]Needs
+	Inputs    map[string]any
+	HashFiles func([]reflect.Value) (any, error)
+}
+
+type Needs struct {
+	Outputs map[string]string `json:"outputs"`
+	Result  string            `json:"result"`
+}
+
+type Config struct {
+	Run        *model.Run
+	WorkingDir string
+	Context    string
+}
+
+type DefaultStatusCheck int
+
+const (
+	DefaultStatusCheckNone DefaultStatusCheck = iota
+	DefaultStatusCheckSuccess
+	DefaultStatusCheckAlways
+	DefaultStatusCheckCanceled
+	DefaultStatusCheckFailure
+)
+
+func (dsc DefaultStatusCheck) String() string {
+	switch dsc {
+	case DefaultStatusCheckSuccess:
+		return "success"
+	case DefaultStatusCheckAlways:
+		return "always"
+	case DefaultStatusCheckCanceled:
+		return "cancelled"
+	case DefaultStatusCheckFailure:
+		return "failure"
+	}
+	return ""
+}
+
+type Interpreter interface {
+	Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error)
+}
+
+type interperterImpl struct {
+	env    *EvaluationEnvironment
+	config Config
+}
+
+func NewInterpeter(env *EvaluationEnvironment, config Config) Interpreter {
+	return &interperterImpl{
+		env:    env,
+		config: config,
+	}
+}
+
+func (impl *interperterImpl) Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error) {
+	input = strings.TrimPrefix(input, "${{")
+	if defaultStatusCheck != DefaultStatusCheckNone && input == "" {
+		input = "success()"
+	}
+	parser := actionlint.NewExprParser()
+	exprNode, err := parser.Parse(actionlint.NewExprLexer(input + "}}"))
+	if err != nil {
+		return nil, fmt.Errorf("Failed to parse: %s", err.Message)
+	}
+
+	if defaultStatusCheck != DefaultStatusCheckNone {
+		hasStatusCheckFunction := false
+		actionlint.VisitExprNode(exprNode, func(node, _ actionlint.ExprNode, entering bool) {
+			if funcCallNode, ok := node.(*actionlint.FuncCallNode); entering && ok {
+				switch strings.ToLower(funcCallNode.Callee) {
+				case "success", "always", "cancelled", "failure":
+					hasStatusCheckFunction = true
+				}
+			}
+		})
+
+		if !hasStatusCheckFunction {
+			exprNode = &actionlint.LogicalOpNode{
+				Kind: actionlint.LogicalOpNodeKindAnd,
+				Left: &actionlint.FuncCallNode{
+					Callee: defaultStatusCheck.String(),
+					Args:   []actionlint.ExprNode{},
+				},
+				Right: exprNode,
+			}
+		}
+	}
+
+	result, err2 := impl.evaluateNode(exprNode)
+
+	return result, err2
+}
+
+func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (any, error) {
+	switch node := exprNode.(type) {
+	case *actionlint.VariableNode:
+		return impl.evaluateVariable(node)
+	case *actionlint.BoolNode:
+		return node.Value, nil
+	case *actionlint.NullNode:
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+	case *actionlint.IntNode:
+		return node.Value, nil
+	case *actionlint.FloatNode:
+		return node.Value, nil
+	case *actionlint.StringNode:
+		return node.Value, nil
+	case *actionlint.IndexAccessNode:
+		return impl.evaluateIndexAccess(node)
+	case *actionlint.ObjectDerefNode:
+		return impl.evaluateObjectDeref(node)
+	case *actionlint.ArrayDerefNode:
+		return impl.evaluateArrayDeref(node)
+	case *actionlint.NotOpNode:
+		return impl.evaluateNot(node)
+	case *actionlint.CompareOpNode:
+		return impl.evaluateCompare(node)
+	case *actionlint.LogicalOpNode:
+		return impl.evaluateLogicalCompare(node)
+	case *actionlint.FuncCallNode:
+		return impl.evaluateFuncCall(node)
+	default:
+		return nil, fmt.Errorf("Fatal error! Unknown node type: %s node: %+v", reflect.TypeOf(exprNode), exprNode)
+	}
+}
+
+func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (any, error) {
+	switch strings.ToLower(variableNode.Name) {
+	case "github":
+		return impl.env.Github, nil
+	case "gitea": // compatible with Gitea
+		return impl.env.Github, nil
+	case "env":
+		return impl.env.Env, nil
+	case "job":
+		return impl.env.Job, nil
+	case "jobs":
+		if impl.env.Jobs == nil {
+			return nil, errors.New("Unavailable context: jobs")
+		}
+		return impl.env.Jobs, nil
+	case "steps":
+		return impl.env.Steps, nil
+	case "runner":
+		return impl.env.Runner, nil
+	case "secrets":
+		return impl.env.Secrets, nil
+	case "vars":
+		return impl.env.Vars, nil
+	case "strategy":
+		return impl.env.Strategy, nil
+	case "matrix":
+		return impl.env.Matrix, nil
+	case "needs":
+		return impl.env.Needs, nil
+	case "inputs":
+		return impl.env.Inputs, nil
+	case "infinity":
+		return math.Inf(1), nil
+	case "nan":
+		return math.NaN(), nil
+	default:
+		return nil, fmt.Errorf("Unavailable context: %s", variableNode.Name)
+	}
+}
+
+func (impl *interperterImpl) evaluateIndexAccess(indexAccessNode *actionlint.IndexAccessNode) (any, error) {
+	left, err := impl.evaluateNode(indexAccessNode.Operand)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+
+	right, err := impl.evaluateNode(indexAccessNode.Index)
+	if err != nil {
+		return nil, err
+	}
+
+	rightValue := reflect.ValueOf(right)
+
+	switch rightValue.Kind() {
+	case reflect.String:
+		return impl.getPropertyValue(leftValue, rightValue.String())
+
+	case reflect.Int:
+		switch leftValue.Kind() {
+		case reflect.Slice:
+			if rightValue.Int() < 0 || rightValue.Int() >= int64(leftValue.Len()) {
+				return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+			}
+			return leftValue.Index(int(rightValue.Int())).Interface(), nil
+		default:
+			return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+		}
+
+	default:
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+	}
+}
+
+func (impl *interperterImpl) evaluateObjectDeref(objectDerefNode *actionlint.ObjectDerefNode) (any, error) {
+	left, err := impl.evaluateNode(objectDerefNode.Receiver)
+	if err != nil {
+		return nil, err
+	}
+
+	return impl.getPropertyValue(reflect.ValueOf(left), objectDerefNode.Property)
+}
+
+func (impl *interperterImpl) evaluateArrayDeref(arrayDerefNode *actionlint.ArrayDerefNode) (any, error) {
+	left, err := impl.evaluateNode(arrayDerefNode.Receiver)
+	if err != nil {
+		return nil, err
+	}
+
+	return impl.getSafeValue(reflect.ValueOf(left)), nil
+}
+
+func (impl *interperterImpl) getPropertyValue(left reflect.Value, property string) (value any, err error) {
+	switch left.Kind() {
+	case reflect.Pointer:
+		return impl.getPropertyValue(left.Elem(), property)
+
+	case reflect.Struct:
+		leftType := left.Type()
+		for field := range leftType.Fields() {
+			jsonName := field.Tag.Get("json")
+			if jsonName == property {
+				property = field.Name
+				break
+			}
+		}
+
+		fieldValue := left.FieldByNameFunc(func(name string) bool {
+			return strings.EqualFold(name, property)
+		})
+
+		if fieldValue.Kind() == reflect.Invalid {
+			return "", nil
+		}
+
+		i := fieldValue.Interface()
+		// The type stepStatus int is an integer, but should be treated as string
+		if m, ok := i.(encoding.TextMarshaler); ok {
+			text, err := m.MarshalText()
+			if err != nil {
+				return nil, err
+			}
+			return string(text), nil
+		}
+		return i, nil
+
+	case reflect.Map:
+		iter := left.MapRange()
+
+		for iter.Next() {
+			key := iter.Key()
+
+			switch key.Kind() {
+			case reflect.String:
+				if strings.EqualFold(key.String(), property) {
+					return impl.getMapValue(iter.Value())
+				}
+
+			default:
+				return nil, fmt.Errorf("'%s' in map key not implemented", key.Kind())
+			}
+		}
+
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+
+	case reflect.Slice:
+		var values []any
+
+		for i := 0; i < left.Len(); i++ {
+			value, err := impl.getPropertyValue(left.Index(i).Elem(), property)
+			if err != nil {
+				return nil, err
+			}
+
+			values = append(values, value)
+		}
+
+		return values, nil
+	}
+
+	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+}
+
+func (impl *interperterImpl) getMapValue(value reflect.Value) (any, error) {
+	if value.Kind() == reflect.Pointer {
+		return impl.getMapValue(value.Elem())
+	}
+
+	return value.Interface(), nil
+}
+
+func (impl *interperterImpl) evaluateNot(notNode *actionlint.NotOpNode) (any, error) {
+	operand, err := impl.evaluateNode(notNode.Operand)
+	if err != nil {
+		return nil, err
+	}
+
+	return !IsTruthy(operand), nil
+}
+
+func (impl *interperterImpl) evaluateCompare(compareNode *actionlint.CompareOpNode) (any, error) {
+	left, err := impl.evaluateNode(compareNode.Left)
+	if err != nil {
+		return nil, err
+	}
+
+	right, err := impl.evaluateNode(compareNode.Right)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+	rightValue := reflect.ValueOf(right)
+
+	return impl.compareValues(leftValue, rightValue, compareNode.Kind)
+}
+
+func (impl *interperterImpl) compareValues(leftValue, rightValue reflect.Value, kind actionlint.CompareOpNodeKind) (any, error) {
+	if leftValue.Kind() != rightValue.Kind() {
+		if !impl.isNumber(leftValue) {
+			leftValue = impl.coerceToNumber(leftValue)
+		}
+		if !impl.isNumber(rightValue) {
+			rightValue = impl.coerceToNumber(rightValue)
+		}
+	}
+
+	switch leftValue.Kind() {
+	case reflect.Bool:
+		return impl.compareNumber(float64(impl.coerceToNumber(leftValue).Int()), float64(impl.coerceToNumber(rightValue).Int()), kind)
+	case reflect.String:
+		return impl.compareString(strings.ToLower(leftValue.String()), strings.ToLower(rightValue.String()), kind)
+
+	case reflect.Int:
+		if rightValue.Kind() == reflect.Float64 {
+			return impl.compareNumber(float64(leftValue.Int()), rightValue.Float(), kind)
+		}
+
+		return impl.compareNumber(float64(leftValue.Int()), float64(rightValue.Int()), kind)
+
+	case reflect.Float64:
+		if rightValue.Kind() == reflect.Int {
+			return impl.compareNumber(leftValue.Float(), float64(rightValue.Int()), kind)
+		}
+
+		return impl.compareNumber(leftValue.Float(), rightValue.Float(), kind)
+
+	case reflect.Invalid:
+		if rightValue.Kind() == reflect.Invalid {
+			return true, nil
+		}
+
+		// not possible situation - params are converted to the same type in code above
+		return nil, fmt.Errorf("Compare params of Invalid type: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+
+	default:
+		return nil, fmt.Errorf("Compare not implemented for types: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+	}
+}
+
+func (impl *interperterImpl) coerceToNumber(value reflect.Value) reflect.Value {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return reflect.ValueOf(0)
+
+	case reflect.Bool:
+		switch value.Bool() {
+		case true:
+			return reflect.ValueOf(1)
+		case false:
+			return reflect.ValueOf(0)
+		}
+
+	case reflect.String:
+		if value.String() == "" {
+			return reflect.ValueOf(0)
+		}
+
+		// try to parse the string as a number
+		evaluated, err := impl.Evaluate(value.String(), DefaultStatusCheckNone)
+		if err != nil {
+			return reflect.ValueOf(math.NaN())
+		}
+
+		if value := reflect.ValueOf(evaluated); impl.isNumber(value) {
+			return value
+		}
+	}
+
+	return reflect.ValueOf(math.NaN())
+}
+
+func (impl *interperterImpl) coerceToString(value reflect.Value) reflect.Value {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return reflect.ValueOf("")
+
+	case reflect.Bool:
+		switch value.Bool() {
+		case true:
+			return reflect.ValueOf("true")
+		case false:
+			return reflect.ValueOf("false")
+		}
+
+	case reflect.String:
+		return value
+
+	case reflect.Int:
+		return reflect.ValueOf(fmt.Sprint(value))
+
+	case reflect.Float64:
+		if math.IsInf(value.Float(), 1) {
+			return reflect.ValueOf("Infinity")
+		} else if math.IsInf(value.Float(), -1) {
+			return reflect.ValueOf("-Infinity")
+		}
+		return reflect.ValueOf(fmt.Sprintf("%.15G", value.Float()))
+
+	case reflect.Slice:
+		return reflect.ValueOf("Array")
+
+	case reflect.Map:
+		return reflect.ValueOf("Object")
+	}
+
+	return value
+}
+
+func (impl *interperterImpl) compareString(left, right string, kind actionlint.CompareOpNodeKind) (bool, error) {
+	switch kind {
+	case actionlint.CompareOpNodeKindLess:
+		return left < right, nil
+	case actionlint.CompareOpNodeKindLessEq:
+		return left <= right, nil
+	case actionlint.CompareOpNodeKindGreater:
+		return left > right, nil
+	case actionlint.CompareOpNodeKindGreaterEq:
+		return left >= right, nil
+	case actionlint.CompareOpNodeKindEq:
+		return left == right, nil
+	case actionlint.CompareOpNodeKindNotEq:
+		return left != right, nil
+	default:
+		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
+	}
+}
+
+func (impl *interperterImpl) compareNumber(left, right float64, kind actionlint.CompareOpNodeKind) (bool, error) {
+	switch kind {
+	case actionlint.CompareOpNodeKindLess:
+		return left < right, nil
+	case actionlint.CompareOpNodeKindLessEq:
+		return left <= right, nil
+	case actionlint.CompareOpNodeKindGreater:
+		return left > right, nil
+	case actionlint.CompareOpNodeKindGreaterEq:
+		return left >= right, nil
+	case actionlint.CompareOpNodeKindEq:
+		return left == right, nil
+	case actionlint.CompareOpNodeKindNotEq:
+		return left != right, nil
+	default:
+		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
+	}
+}
+
+func IsTruthy(input any) bool {
+	value := reflect.ValueOf(input)
+	switch value.Kind() {
+	case reflect.Bool:
+		return value.Bool()
+
+	case reflect.String:
+		return value.String() != ""
+
+	case reflect.Int:
+		return value.Int() != 0
+
+	case reflect.Float64:
+		if math.IsNaN(value.Float()) {
+			return false
+		}
+
+		return value.Float() != 0
+
+	case reflect.Map, reflect.Slice:
+		return true
+
+	default:
+		return false
+	}
+}
+
+func (impl *interperterImpl) isNumber(value reflect.Value) bool {
+	switch value.Kind() {
+	case reflect.Int, reflect.Float64:
+		return true
+	default:
+		return false
+	}
+}
+
+func (impl *interperterImpl) getSafeValue(value reflect.Value) any {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return nil
+
+	case reflect.Float64:
+		if value.Float() == 0 {
+			return 0
+		}
+	}
+
+	return value.Interface()
+}
+
+func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.LogicalOpNode) (any, error) {
+	left, err := impl.evaluateNode(compareNode.Left)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+
+	if IsTruthy(left) == (compareNode.Kind == actionlint.LogicalOpNodeKindOr) {
+		return impl.getSafeValue(leftValue), nil
+	}
+
+	right, err := impl.evaluateNode(compareNode.Right)
+	if err != nil {
+		return nil, err
+	}
+
+	rightValue := reflect.ValueOf(right)
+
+	switch compareNode.Kind {
+	case actionlint.LogicalOpNodeKindAnd:
+		return impl.getSafeValue(rightValue), nil
+	case actionlint.LogicalOpNodeKindOr:
+		return impl.getSafeValue(rightValue), nil
+	}
+
+	return nil, fmt.Errorf("Unable to compare incompatibles types '%s' and '%s'", leftValue.Kind(), rightValue.Kind())
+}
+
+func (impl *interperterImpl) evaluateFuncCall(funcCallNode *actionlint.FuncCallNode) (any, error) {
+	args := make([]reflect.Value, 0)
+
+	for _, arg := range funcCallNode.Args {
+		value, err := impl.evaluateNode(arg)
+		if err != nil {
+			return nil, err
+		}
+
+		args = append(args, reflect.ValueOf(value))
+	}
+
+	switch strings.ToLower(funcCallNode.Callee) {
+	case "contains":
+		return impl.contains(args[0], args[1])
+	case "startswith":
+		return impl.startsWith(args[0], args[1])
+	case "endswith":
+		return impl.endsWith(args[0], args[1])
+	case "format":
+		return impl.format(args[0], args[1:]...)
+	case "join":
+		if len(args) == 1 {
+			return impl.join(args[0], reflect.ValueOf(","))
+		}
+		return impl.join(args[0], args[1])
+	case "tojson":
+		return impl.toJSON(args[0])
+	case "fromjson":
+		return impl.fromJSON(args[0])
+	case "hashfiles":
+		if impl.env.HashFiles != nil {
+			return impl.env.HashFiles(args)
+		}
+		return impl.hashFiles(args...)
+	case "always":
+		return impl.always()
+	case "success":
+		if impl.config.Context == "job" {
+			return impl.jobSuccess()
+		}
+		if impl.config.Context == "step" {
+			return impl.stepSuccess()
+		}
+		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
+	case "failure":
+		if impl.config.Context == "job" {
+			return impl.jobFailure()
+		}
+		if impl.config.Context == "step" {
+			return impl.stepFailure()
+		}
+		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
+	case "cancelled":
+		return impl.cancelled()
+	default:
+		return nil, fmt.Errorf("TODO: '%s' not implemented", funcCallNode.Callee)
+	}
+}
--- a/act/exprparser/interpreter_test.go
+++ b/act/exprparser/interpreter_test.go
@@ -0,0 +1,632 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"math"
+	"testing"
+
+	"gitea.com/gitea/runner/act/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLiterals(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"true", true, "true"},
+		{"false", false, "false"},
+		{"null", nil, "null"},
+		{"123", 123, "integer"},
+		{"-9.7", -9.7, "float"},
+		{"0xff", 255, "hex"},
+		{"-2.99e-2", -2.99e-2, "exponential"},
+		{"'foo'", "foo", "string"},
+		{"'it''s foo'", "it's foo", "string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperators(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+		error    string
+	}{
+		{"(false || (false || true))", true, "logical-grouping", ""},
+		{"github.action", "push", "property-dereference", ""},
+		{"github['action']", "push", "property-index", ""},
+		{"github.action[0]", nil, "string-index", ""},
+		{"github.action['0']", nil, "string-index", ""},
+		{"fromJSON('[0,1]')[1]", 1.0, "array-index", ""},
+		{"fromJSON('[0,1]')[1.1]", nil, "array-index", ""},
+		// Disabled weird things are happening
+		// {"fromJSON('[0,1]')['1.1']", nil, "array-index", ""},
+		{"(github.event.commits.*.author.username)[0]", "someone", "array-index-0", ""},
+		{"fromJSON('[0,1]')[2]", nil, "array-index-out-of-bounds-0", ""},
+		{"fromJSON('[0,1]')[34553]", nil, "array-index-out-of-bounds-1", ""},
+		{"fromJSON('[0,1]')[-1]", nil, "array-index-out-of-bounds-2", ""},
+		{"fromJSON('[0,1]')[-34553]", nil, "array-index-out-of-bounds-3", ""},
+		{"!true", false, "not", ""},
+		{"1 < 2", true, "less-than", ""},
+		{`'b' <= 'a'`, false, "less-than-or-equal", ""},
+		{"1 > 2", false, "greater-than", ""},
+		{`'b' >= 'a'`, true, "greater-than-or-equal", ""},
+		{`'a' == 'a'`, true, "equal", ""},
+		{`'a' != 'a'`, false, "not-equal", ""},
+		{`true && false`, false, "and", ""},
+		{`true || false`, true, "or", ""},
+		{`fromJSON('{}') && true`, true, "and-boolean-object", ""},
+		{`fromJSON('{}') || false`, make(map[string]any), "or-boolean-object", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username", true, "property-comparison1", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username", true, "property-comparison2", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username1", true, "property-comparison3", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username2", true, "property-comparison4", ""},
+		{"secrets != env", nil, "property-comparison5", "Compare not implemented for types: left: map, right: map"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+			Event: map[string]any{
+				"commits": []any{
+					map[string]any{
+						"author": map[string]any{
+							"username": "someone",
+						},
+					},
+					map[string]any{
+						"author": map[string]any{
+							"username": "someone-else",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			if tt.error != "" {
+				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.error, err.Error())
+			} else {
+				assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			}
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperatorsCompare(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"!null", true, "not-null"},
+		{"!-10", false, "not-neg-num"},
+		{"!0", true, "not-zero"},
+		{"!3.14", false, "not-pos-float"},
+		{"!''", true, "not-empty-str"},
+		{"!'abc'", false, "not-str"},
+		{"!fromJSON('{}')", false, "not-obj"},
+		{"!fromJSON('[]')", false, "not-arr"},
+		{`null == 0 }}`, true, "null-coercion"},
+		{`true == 1 }}`, true, "boolean-coercion"},
+		{`'' == 0 }}`, true, "string-0-coercion"},
+		{`'3' == 3 }}`, true, "string-3-coercion"},
+		{`0 == null }}`, true, "null-coercion-alt"},
+		{`1 == true }}`, true, "boolean-coercion-alt"},
+		{`0 == '' }}`, true, "string-0-coercion-alt"},
+		{`3 == '3' }}`, true, "string-3-coercion-alt"},
+		{`'TEST' == 'test' }}`, true, "string-casing"},
+		{"true > false }}", true, "bool-greater-than"},
+		{"true >= false }}", true, "bool-greater-than-eq"},
+		{"true >= true }}", true, "bool-greater-than-1"},
+		{"true != false }}", true, "bool-not-equal"},
+		{`fromJSON('{}') < 2 }}`, false, "object-with-less"},
+		{`fromJSON('{}') < fromJSON('[]') }}`, false, "object/arr-with-lt"},
+		{`fromJSON('{}') > fromJSON('[]') }}`, false, "object/arr-with-gt"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperatorsBooleanEvaluation(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		// true &&
+		{"true && true", true, "true-and"},
+		{"true && false", false, "true-and"},
+		{"true && null", nil, "true-and"},
+		{"true && -10", -10, "true-and"},
+		{"true && 0", 0, "true-and"},
+		{"true && 10", 10, "true-and"},
+		{"true && 3.14", 3.14, "true-and"},
+		{"true && 0.0", 0, "true-and"},
+		{"true && Infinity", math.Inf(1), "true-and"},
+		// {"true && -Infinity", math.Inf(-1), "true-and"},
+		{"true && NaN", math.NaN(), "true-and"},
+		{"true && ''", "", "true-and"},
+		{"true && 'abc'", "abc", "true-and"},
+		// false &&
+		{"false && true", false, "false-and"},
+		{"false && false", false, "false-and"},
+		{"false && null", false, "false-and"},
+		{"false && -10", false, "false-and"},
+		{"false && 0", false, "false-and"},
+		{"false && 10", false, "false-and"},
+		{"false && 3.14", false, "false-and"},
+		{"false && 0.0", false, "false-and"},
+		{"false && Infinity", false, "false-and"},
+		// {"false && -Infinity", false, "false-and"},
+		{"false && NaN", false, "false-and"},
+		{"false && ''", false, "false-and"},
+		{"false && 'abc'", false, "false-and"},
+		// true ||
+		{"true || true", true, "true-or"},
+		{"true || false", true, "true-or"},
+		{"true || null", true, "true-or"},
+		{"true || -10", true, "true-or"},
+		{"true || 0", true, "true-or"},
+		{"true || 10", true, "true-or"},
+		{"true || 3.14", true, "true-or"},
+		{"true || 0.0", true, "true-or"},
+		{"true || Infinity", true, "true-or"},
+		// {"true || -Infinity", true, "true-or"},
+		{"true || NaN", true, "true-or"},
+		{"true || ''", true, "true-or"},
+		{"true || 'abc'", true, "true-or"},
+		// false ||
+		{"false || true", true, "false-or"},
+		{"false || false", false, "false-or"},
+		{"false || null", nil, "false-or"},
+		{"false || -10", -10, "false-or"},
+		{"false || 0", 0, "false-or"},
+		{"false || 10", 10, "false-or"},
+		{"false || 3.14", 3.14, "false-or"},
+		{"false || 0.0", 0, "false-or"},
+		{"false || Infinity", math.Inf(1), "false-or"},
+		// {"false || -Infinity", math.Inf(-1), "false-or"},
+		{"false || NaN", math.NaN(), "false-or"},
+		{"false || ''", "", "false-or"},
+		{"false || 'abc'", "abc", "false-or"},
+		// null &&
+		{"null && true", nil, "null-and"},
+		{"null && false", nil, "null-and"},
+		{"null && null", nil, "null-and"},
+		{"null && -10", nil, "null-and"},
+		{"null && 0", nil, "null-and"},
+		{"null && 10", nil, "null-and"},
+		{"null && 3.14", nil, "null-and"},
+		{"null && 0.0", nil, "null-and"},
+		{"null && Infinity", nil, "null-and"},
+		// {"null && -Infinity", nil, "null-and"},
+		{"null && NaN", nil, "null-and"},
+		{"null && ''", nil, "null-and"},
+		{"null && 'abc'", nil, "null-and"},
+		// null ||
+		{"null || true", true, "null-or"},
+		{"null || false", false, "null-or"},
+		{"null || null", nil, "null-or"},
+		{"null || -10", -10, "null-or"},
+		{"null || 0", 0, "null-or"},
+		{"null || 10", 10, "null-or"},
+		{"null || 3.14", 3.14, "null-or"},
+		{"null || 0.0", 0, "null-or"},
+		{"null || Infinity", math.Inf(1), "null-or"},
+		// {"null || -Infinity", math.Inf(-1), "null-or"},
+		{"null || NaN", math.NaN(), "null-or"},
+		{"null || ''", "", "null-or"},
+		{"null || 'abc'", "abc", "null-or"},
+		// -10 &&
+		{"-10 && true", true, "neg-num-and"},
+		{"-10 && false", false, "neg-num-and"},
+		{"-10 && null", nil, "neg-num-and"},
+		{"-10 && -10", -10, "neg-num-and"},
+		{"-10 && 0", 0, "neg-num-and"},
+		{"-10 && 10", 10, "neg-num-and"},
+		{"-10 && 3.14", 3.14, "neg-num-and"},
+		{"-10 && 0.0", 0, "neg-num-and"},
+		{"-10 && Infinity", math.Inf(1), "neg-num-and"},
+		// {"-10 && -Infinity", math.Inf(-1), "neg-num-and"},
+		{"-10 && NaN", math.NaN(), "neg-num-and"},
+		{"-10 && ''", "", "neg-num-and"},
+		{"-10 && 'abc'", "abc", "neg-num-and"},
+		// -10 ||
+		{"-10 || true", -10, "neg-num-or"},
+		{"-10 || false", -10, "neg-num-or"},
+		{"-10 || null", -10, "neg-num-or"},
+		{"-10 || -10", -10, "neg-num-or"},
+		{"-10 || 0", -10, "neg-num-or"},
+		{"-10 || 10", -10, "neg-num-or"},
+		{"-10 || 3.14", -10, "neg-num-or"},
+		{"-10 || 0.0", -10, "neg-num-or"},
+		{"-10 || Infinity", -10, "neg-num-or"},
+		// {"-10 || -Infinity", -10, "neg-num-or"},
+		{"-10 || NaN", -10, "neg-num-or"},
+		{"-10 || ''", -10, "neg-num-or"},
+		{"-10 || 'abc'", -10, "neg-num-or"},
+		// 0 &&
+		{"0 && true", 0, "zero-and"},
+		{"0 && false", 0, "zero-and"},
+		{"0 && null", 0, "zero-and"},
+		{"0 && -10", 0, "zero-and"},
+		{"0 && 0", 0, "zero-and"},
+		{"0 && 10", 0, "zero-and"},
+		{"0 && 3.14", 0, "zero-and"},
+		{"0 && 0.0", 0, "zero-and"},
+		{"0 && Infinity", 0, "zero-and"},
+		// {"0 && -Infinity", 0, "zero-and"},
+		{"0 && NaN", 0, "zero-and"},
+		{"0 && ''", 0, "zero-and"},
+		{"0 && 'abc'", 0, "zero-and"},
+		// 0 ||
+		{"0 || true", true, "zero-or"},
+		{"0 || false", false, "zero-or"},
+		{"0 || null", nil, "zero-or"},
+		{"0 || -10", -10, "zero-or"},
+		{"0 || 0", 0, "zero-or"},
+		{"0 || 10", 10, "zero-or"},
+		{"0 || 3.14", 3.14, "zero-or"},
+		{"0 || 0.0", 0, "zero-or"},
+		{"0 || Infinity", math.Inf(1), "zero-or"},
+		// {"0 || -Infinity", math.Inf(-1), "zero-or"},
+		{"0 || NaN", math.NaN(), "zero-or"},
+		{"0 || ''", "", "zero-or"},
+		{"0 || 'abc'", "abc", "zero-or"},
+		// 10 &&
+		{"10 && true", true, "pos-num-and"},
+		{"10 && false", false, "pos-num-and"},
+		{"10 && null", nil, "pos-num-and"},
+		{"10 && -10", -10, "pos-num-and"},
+		{"10 && 0", 0, "pos-num-and"},
+		{"10 && 10", 10, "pos-num-and"},
+		{"10 && 3.14", 3.14, "pos-num-and"},
+		{"10 && 0.0", 0, "pos-num-and"},
+		{"10 && Infinity", math.Inf(1), "pos-num-and"},
+		// {"10 && -Infinity", math.Inf(-1), "pos-num-and"},
+		{"10 && NaN", math.NaN(), "pos-num-and"},
+		{"10 && ''", "", "pos-num-and"},
+		{"10 && 'abc'", "abc", "pos-num-and"},
+		// 10 ||
+		{"10 || true", 10, "pos-num-or"},
+		{"10 || false", 10, "pos-num-or"},
+		{"10 || null", 10, "pos-num-or"},
+		{"10 || -10", 10, "pos-num-or"},
+		{"10 || 0", 10, "pos-num-or"},
+		{"10 || 10", 10, "pos-num-or"},
+		{"10 || 3.14", 10, "pos-num-or"},
+		{"10 || 0.0", 10, "pos-num-or"},
+		{"10 || Infinity", 10, "pos-num-or"},
+		// {"10 || -Infinity", 10, "pos-num-or"},
+		{"10 || NaN", 10, "pos-num-or"},
+		{"10 || ''", 10, "pos-num-or"},
+		{"10 || 'abc'", 10, "pos-num-or"},
+		// 3.14 &&
+		{"3.14 && true", true, "pos-float-and"},
+		{"3.14 && false", false, "pos-float-and"},
+		{"3.14 && null", nil, "pos-float-and"},
+		{"3.14 && -10", -10, "pos-float-and"},
+		{"3.14 && 0", 0, "pos-float-and"},
+		{"3.14 && 10", 10, "pos-float-and"},
+		{"3.14 && 3.14", 3.14, "pos-float-and"},
+		{"3.14 && 0.0", 0, "pos-float-and"},
+		{"3.14 && Infinity", math.Inf(1), "pos-float-and"},
+		// {"3.14 && -Infinity", math.Inf(-1), "pos-float-and"},
+		{"3.14 && NaN", math.NaN(), "pos-float-and"},
+		{"3.14 && ''", "", "pos-float-and"},
+		{"3.14 && 'abc'", "abc", "pos-float-and"},
+		// 3.14 ||
+		{"3.14 || true", 3.14, "pos-float-or"},
+		{"3.14 || false", 3.14, "pos-float-or"},
+		{"3.14 || null", 3.14, "pos-float-or"},
+		{"3.14 || -10", 3.14, "pos-float-or"},
+		{"3.14 || 0", 3.14, "pos-float-or"},
+		{"3.14 || 10", 3.14, "pos-float-or"},
+		{"3.14 || 3.14", 3.14, "pos-float-or"},
+		{"3.14 || 0.0", 3.14, "pos-float-or"},
+		{"3.14 || Infinity", 3.14, "pos-float-or"},
+		// {"3.14 || -Infinity", 3.14, "pos-float-or"},
+		{"3.14 || NaN", 3.14, "pos-float-or"},
+		{"3.14 || ''", 3.14, "pos-float-or"},
+		{"3.14 || 'abc'", 3.14, "pos-float-or"},
+		// Infinity &&
+		{"Infinity && true", true, "pos-inf-and"},
+		{"Infinity && false", false, "pos-inf-and"},
+		{"Infinity && null", nil, "pos-inf-and"},
+		{"Infinity && -10", -10, "pos-inf-and"},
+		{"Infinity && 0", 0, "pos-inf-and"},
+		{"Infinity && 10", 10, "pos-inf-and"},
+		{"Infinity && 3.14", 3.14, "pos-inf-and"},
+		{"Infinity && 0.0", 0, "pos-inf-and"},
+		{"Infinity && Infinity", math.Inf(1), "pos-inf-and"},
+		// {"Infinity && -Infinity", math.Inf(-1), "pos-inf-and"},
+		{"Infinity && NaN", math.NaN(), "pos-inf-and"},
+		{"Infinity && ''", "", "pos-inf-and"},
+		{"Infinity && 'abc'", "abc", "pos-inf-and"},
+		// Infinity ||
+		{"Infinity || true", math.Inf(1), "pos-inf-or"},
+		{"Infinity || false", math.Inf(1), "pos-inf-or"},
+		{"Infinity || null", math.Inf(1), "pos-inf-or"},
+		{"Infinity || -10", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 0", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 10", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 3.14", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 0.0", math.Inf(1), "pos-inf-or"},
+		{"Infinity || Infinity", math.Inf(1), "pos-inf-or"},
+		// {"Infinity || -Infinity", math.Inf(1), "pos-inf-or"},
+		{"Infinity || NaN", math.Inf(1), "pos-inf-or"},
+		{"Infinity || ''", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 'abc'", math.Inf(1), "pos-inf-or"},
+		// -Infinity &&
+		// {"-Infinity && true", true, "neg-inf-and"},
+		// {"-Infinity && false", false, "neg-inf-and"},
+		// {"-Infinity && null", nil, "neg-inf-and"},
+		// {"-Infinity && -10", -10, "neg-inf-and"},
+		// {"-Infinity && 0", 0, "neg-inf-and"},
+		// {"-Infinity && 10", 10, "neg-inf-and"},
+		// {"-Infinity && 3.14", 3.14, "neg-inf-and"},
+		// {"-Infinity && 0.0", 0, "neg-inf-and"},
+		// {"-Infinity && Infinity", math.Inf(1), "neg-inf-and"},
+		// {"-Infinity && -Infinity", math.Inf(-1), "neg-inf-and"},
+		// {"-Infinity && NaN", math.NaN(), "neg-inf-and"},
+		// {"-Infinity && ''", "", "neg-inf-and"},
+		// {"-Infinity && 'abc'", "abc", "neg-inf-and"},
+		// -Infinity ||
+		// {"-Infinity || true", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || false", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || null", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || -10", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 0", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 10", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 3.14", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 0.0", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || Infinity", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || -Infinity", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || NaN", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || ''", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 'abc'", math.Inf(-1), "neg-inf-or"},
+		// NaN &&
+		{"NaN && true", math.NaN(), "nan-and"},
+		{"NaN && false", math.NaN(), "nan-and"},
+		{"NaN && null", math.NaN(), "nan-and"},
+		{"NaN && -10", math.NaN(), "nan-and"},
+		{"NaN && 0", math.NaN(), "nan-and"},
+		{"NaN && 10", math.NaN(), "nan-and"},
+		{"NaN && 3.14", math.NaN(), "nan-and"},
+		{"NaN && 0.0", math.NaN(), "nan-and"},
+		{"NaN && Infinity", math.NaN(), "nan-and"},
+		// {"NaN && -Infinity", math.NaN(), "nan-and"},
+		{"NaN && NaN", math.NaN(), "nan-and"},
+		{"NaN && ''", math.NaN(), "nan-and"},
+		{"NaN && 'abc'", math.NaN(), "nan-and"},
+		// NaN ||
+		{"NaN || true", true, "nan-or"},
+		{"NaN || false", false, "nan-or"},
+		{"NaN || null", nil, "nan-or"},
+		{"NaN || -10", -10, "nan-or"},
+		{"NaN || 0", 0, "nan-or"},
+		{"NaN || 10", 10, "nan-or"},
+		{"NaN || 3.14", 3.14, "nan-or"},
+		{"NaN || 0.0", 0, "nan-or"},
+		{"NaN || Infinity", math.Inf(1), "nan-or"},
+		// {"NaN || -Infinity", math.Inf(-1), "nan-or"},
+		{"NaN || NaN", math.NaN(), "nan-or"},
+		{"NaN || ''", "", "nan-or"},
+		{"NaN || 'abc'", "abc", "nan-or"},
+		// "" &&
+		{"'' && true", "", "empty-str-and"},
+		{"'' && false", "", "empty-str-and"},
+		{"'' && null", "", "empty-str-and"},
+		{"'' && -10", "", "empty-str-and"},
+		{"'' && 0", "", "empty-str-and"},
+		{"'' && 10", "", "empty-str-and"},
+		{"'' && 3.14", "", "empty-str-and"},
+		{"'' && 0.0", "", "empty-str-and"},
+		{"'' && Infinity", "", "empty-str-and"},
+		// {"'' && -Infinity", "", "empty-str-and"},
+		{"'' && NaN", "", "empty-str-and"},
+		{"'' && ''", "", "empty-str-and"},
+		{"'' && 'abc'", "", "empty-str-and"},
+		// "" ||
+		{"'' || true", true, "empty-str-or"},
+		{"'' || false", false, "empty-str-or"},
+		{"'' || null", nil, "empty-str-or"},
+		{"'' || -10", -10, "empty-str-or"},
+		{"'' || 0", 0, "empty-str-or"},
+		{"'' || 10", 10, "empty-str-or"},
+		{"'' || 3.14", 3.14, "empty-str-or"},
+		{"'' || 0.0", 0, "empty-str-or"},
+		{"'' || Infinity", math.Inf(1), "empty-str-or"},
+		// {"'' || -Infinity", math.Inf(-1), "empty-str-or"},
+		{"'' || NaN", math.NaN(), "empty-str-or"},
+		{"'' || ''", "", "empty-str-or"},
+		{"'' || 'abc'", "abc", "empty-str-or"},
+		// "abc" &&
+		{"'abc' && true", true, "str-and"},
+		{"'abc' && false", false, "str-and"},
+		{"'abc' && null", nil, "str-and"},
+		{"'abc' && -10", -10, "str-and"},
+		{"'abc' && 0", 0, "str-and"},
+		{"'abc' && 10", 10, "str-and"},
+		{"'abc' && 3.14", 3.14, "str-and"},
+		{"'abc' && 0.0", 0, "str-and"},
+		{"'abc' && Infinity", math.Inf(1), "str-and"},
+		// {"'abc' && -Infinity", math.Inf(-1), "str-and"},
+		{"'abc' && NaN", math.NaN(), "str-and"},
+		{"'abc' && ''", "", "str-and"},
+		{"'abc' && 'abc'", "abc", "str-and"},
+		// "abc" ||
+		{"'abc' || true", "abc", "str-or"},
+		{"'abc' || false", "abc", "str-or"},
+		{"'abc' || null", "abc", "str-or"},
+		{"'abc' || -10", "abc", "str-or"},
+		{"'abc' || 0", "abc", "str-or"},
+		{"'abc' || 10", "abc", "str-or"},
+		{"'abc' || 3.14", "abc", "str-or"},
+		{"'abc' || 0.0", "abc", "str-or"},
+		{"'abc' || Infinity", "abc", "str-or"},
+		// {"'abc' || -Infinity", "abc", "str-or"},
+		{"'abc' || NaN", "abc", "str-or"},
+		{"'abc' || ''", "abc", "str-or"},
+		{"'abc' || 'abc'", "abc", "str-or"},
+		// extra tests
+		{"0.0 && true", 0, "float-evaluation-0-alt"},
+		{"-1.5 && true", true, "float-evaluation-neg-alt"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			if expected, ok := tt.expected.(float64); ok && math.IsNaN(expected) {
+				assert.True(t, math.IsNaN(output.(float64)))
+			} else {
+				assert.Equal(t, tt.expected, output)
+			}
+		})
+	}
+}
+
+func TestContexts(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"github.action", "push", "github-context"},
+		{"github.event.commits[0].message", nil, "github-context-noexist-prop"},
+		{"fromjson('{\"commits\":[]}').commits[0].message", nil, "github-context-noexist-prop"},
+		{"github.event.pull_request.labels.*.name", nil, "github-context-noexist-prop"},
+		{"env.TEST", "value", "env-context"},
+		{"job.status", "success", "job-context"},
+		{"steps.step-id.outputs.name", "value", "steps-context"},
+		{"steps.step-id.conclusion", "success", "steps-context-conclusion"},
+		{"steps.step-id.conclusion && true", true, "steps-context-conclusion"},
+		{"steps.step-id2.conclusion", "skipped", "steps-context-conclusion"},
+		{"steps.step-id2.conclusion && true", true, "steps-context-conclusion"},
+		{"steps.step-id.outcome", "success", "steps-context-outcome"},
+		{"steps.step-id['outcome']", "success", "steps-context-outcome"},
+		{"steps.step-id.outcome == 'success'", true, "steps-context-outcome"},
+		{"steps.step-id['outcome'] == 'success'", true, "steps-context-outcome"},
+		{"steps.step-id.outcome && true", true, "steps-context-outcome"},
+		{"steps['step-id']['outcome'] && true", true, "steps-context-outcome"},
+		{"steps.step-id2.outcome", "failure", "steps-context-outcome"},
+		{"steps.step-id2.outcome && true", true, "steps-context-outcome"},
+		// Disabled, since the interpreter is still too broken
+		// {"contains(steps.*.outcome, 'success')", true, "steps-context-array-outcome"},
+		// {"contains(steps.*.outcome, 'failure')", true, "steps-context-array-outcome"},
+		// {"contains(steps.*.outputs.name, 'value')", true, "steps-context-array-outputs"},
+		{"runner.os", "Linux", "runner-context"},
+		{"secrets.name", "value", "secrets-context"},
+		{"vars.name", "value", "vars-context"},
+		{"strategy.fail-fast", true, "strategy-context"},
+		{"matrix.os", "Linux", "matrix-context"},
+		{"needs.job-id.outputs.output-name", "value", "needs-context"},
+		{"needs.job-id.result", "success", "needs-context"},
+		{"inputs.name", "value", "inputs-context"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+		Env: map[string]string{
+			"TEST": "value",
+		},
+		Job: &model.JobContext{
+			Status: "success",
+		},
+		Steps: map[string]*model.StepResult{
+			"step-id": {
+				Outputs: map[string]string{
+					"name": "value",
+				},
+			},
+			"step-id2": {
+				Outcome:    model.StepStatusFailure,
+				Conclusion: model.StepStatusSkipped,
+			},
+		},
+		Runner: map[string]any{
+			"os":         "Linux",
+			"temp":       "/tmp",
+			"tool_cache": "/opt/hostedtoolcache",
+		},
+		Secrets: map[string]string{
+			"name": "value",
+		},
+		Vars: map[string]string{
+			"name": "value",
+		},
+		Strategy: map[string]any{
+			"fail-fast": true,
+		},
+		Matrix: map[string]any{
+			"os": "Linux",
+		},
+		Needs: map[string]Needs{
+			"job-id": {
+				Outputs: map[string]string{
+					"output-name": "value",
+				},
+				Result: "success",
+			},
+		},
+		Inputs: map[string]any{
+			"name": "value",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
--- a/act/exprparser/testdata/for-hashing-1.txt
+++ b/act/exprparser/testdata/for-hashing-1.txt
@@ -0,0 +1 @@
+Hello
--- a/act/exprparser/testdata/for-hashing-2.txt
+++ b/act/exprparser/testdata/for-hashing-2.txt
@@ -0,0 +1 @@
+World!
--- a/act/exprparser/testdata/for-hashing-3/data.txt
+++ b/act/exprparser/testdata/for-hashing-3/data.txt
@@ -0,0 +1 @@
+Knock knock!
--- a/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
+++ b/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
@@ -0,0 +1 @@
+Anybody home?
--- a/act/filecollector/file_collector.go
+++ b/act/filecollector/file_collector.go
@@ -0,0 +1,219 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package filecollector
+
+import (
+	"archive/tar"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	git "github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/filemode"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/go-git/go-git/v5/plumbing/format/index"
+)
+
+type Handler interface {
+	WriteFile(path string, fi fs.FileInfo, linkName string, f io.Reader) error
+}
+
+type TarCollector struct {
+	TarWriter *tar.Writer
+	UID       int
+	GID       int
+	DstDir    string
+}
+
+func (tc TarCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+	// create a new dir/file header
+	header, err := tar.FileInfoHeader(fi, linkName)
+	if err != nil {
+		return err
+	}
+
+	// update the name to correctly reflect the desired destination when untaring
+	header.Name = path.Join(tc.DstDir, fpath)
+	header.Mode = int64(fi.Mode())
+	header.ModTime = fi.ModTime()
+	header.Uid = tc.UID
+	header.Gid = tc.GID
+
+	// write the header
+	if err := tc.TarWriter.WriteHeader(header); err != nil {
+		return err
+	}
+
+	// this is a symlink no reader provided
+	if f == nil {
+		return nil
+	}
+
+	// copy file data into tar writer
+	if _, err := io.Copy(tc.TarWriter, f); err != nil {
+		return err
+	}
+	return nil
+}
+
+type CopyCollector struct {
+	DstDir string
+}
+
+func (cc *CopyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+	fdestpath := filepath.Join(cc.DstDir, fpath)
+	if err := os.MkdirAll(filepath.Dir(fdestpath), 0o777); err != nil {
+		return err
+	}
+	// Remove any existing destination so we can overwrite read-only files
+	// (e.g. git pack files at mode 0444 trip EACCES on macOS and "Access is
+	// denied" on Windows when reopened with O_WRONLY) and so os.Symlink does
+	// not fail with EEXIST. os.Remove clears the Windows read-only attribute
+	// internally; on Unix unlink only needs write permission on the parent.
+	_ = os.Remove(fdestpath)
+	if f == nil {
+		return os.Symlink(linkName, fdestpath)
+	}
+	df, err := os.OpenFile(fdestpath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, fi.Mode())
+	if err != nil {
+		return err
+	}
+	defer df.Close()
+	if _, err := io.Copy(df, f); err != nil {
+		return err
+	}
+	return nil
+}
+
+type FileCollector struct {
+	Ignorer   gitignore.Matcher
+	SrcPath   string
+	SrcPrefix string
+	Fs        Fs
+	Handler   Handler
+}
+
+type Fs interface {
+	Walk(root string, fn filepath.WalkFunc) error
+	OpenGitIndex(path string) (*index.Index, error)
+	Open(path string) (io.ReadCloser, error)
+	Readlink(path string) (string, error)
+}
+
+type DefaultFs struct{}
+
+func (*DefaultFs) Walk(root string, fn filepath.WalkFunc) error {
+	return filepath.Walk(root, fn)
+}
+
+func (*DefaultFs) OpenGitIndex(path string) (*index.Index, error) {
+	r, err := git.PlainOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	i, err := r.Storer.Index()
+	if err != nil {
+		return nil, err
+	}
+	return i, nil
+}
+
+func (*DefaultFs) Open(path string) (io.ReadCloser, error) {
+	return os.Open(path)
+}
+
+func (*DefaultFs) Readlink(path string) (string, error) {
+	return os.Readlink(path)
+}
+
+func (fc *FileCollector) CollectFiles(ctx context.Context, submodulePath []string) filepath.WalkFunc {
+	i, _ := fc.Fs.OpenGitIndex(path.Join(fc.SrcPath, path.Join(submodulePath...)))
+	return func(file string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if ctx != nil {
+			select {
+			case <-ctx.Done():
+				return errors.New("copy cancelled")
+			default:
+			}
+		}
+
+		sansPrefix := strings.TrimPrefix(file, fc.SrcPrefix)
+		split := strings.Split(sansPrefix, string(filepath.Separator))
+		// The root folders should be skipped, submodules only have the last path component set to "." by filepath.Walk
+		if fi.IsDir() && len(split) > 0 && split[len(split)-1] == "." {
+			return nil
+		}
+		var entry *index.Entry
+		if i != nil {
+			entry, err = i.Entry(strings.Join(split[len(submodulePath):], "/"))
+		} else {
+			err = index.ErrEntryNotFound
+		}
+		if err != nil && fc.Ignorer != nil && fc.Ignorer.Match(split, fi.IsDir()) {
+			if fi.IsDir() {
+				if i != nil {
+					ms, err := i.Glob(strings.Join(append(split[len(submodulePath):], "**"), "/"))
+					if err != nil || len(ms) == 0 {
+						return filepath.SkipDir
+					}
+				} else {
+					return filepath.SkipDir
+				}
+			} else {
+				return nil
+			}
+		}
+		if err == nil && entry.Mode == filemode.Submodule {
+			err = fc.Fs.Walk(file, fc.CollectFiles(ctx, split))
+			if err != nil {
+				return err
+			}
+			return filepath.SkipDir
+		}
+		path := filepath.ToSlash(sansPrefix)
+
+		// return on non-regular files (thanks to [kumo](https://medium.com/@komuw/just-like-you-did-fbdd7df829d3) for this suggested update)
+		if fi.Mode()&os.ModeSymlink == os.ModeSymlink {
+			linkName, err := fc.Fs.Readlink(file)
+			if err != nil {
+				return fmt.Errorf("unable to readlink '%s': %w", file, err)
+			}
+			return fc.Handler.WriteFile(path, fi, linkName, nil)
+		} else if !fi.Mode().IsRegular() {
+			return nil
+		}
+
+		// open file
+		f, err := fc.Fs.Open(file)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		if ctx != nil {
+			// make io.Copy cancellable by closing the file
+			cpctx, cpfinish := context.WithCancel(ctx)
+			defer cpfinish()
+			go func() {
+				select {
+				case <-cpctx.Done():
+				case <-ctx.Done():
+					f.Close()
+				}
+			}()
+		}
+
+		return fc.Handler.WriteFile(path, fi, "", f)
+	}
+}
--- a/act/filecollector/file_collector_test.go
+++ b/act/filecollector/file_collector_test.go
@@ -0,0 +1,223 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package filecollector
+
+import (
+	"archive/tar"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/go-git/go-billy/v5"
+	"github.com/go-git/go-billy/v5/memfs"
+	git "github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/cache"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/go-git/go-git/v5/plumbing/format/index"
+	"github.com/go-git/go-git/v5/storage/filesystem"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type memoryFs struct {
+	billy.Filesystem
+}
+
+func (mfs *memoryFs) walk(root string, fn filepath.WalkFunc) error {
+	dir, err := mfs.ReadDir(root)
+	if err != nil {
+		return err
+	}
+	for i := range dir {
+		filename := filepath.Join(root, dir[i].Name())
+		err = fn(filename, dir[i], nil)
+		if dir[i].IsDir() {
+			if err == filepath.SkipDir {
+				err = nil
+			} else if err := mfs.walk(filename, fn); err != nil {
+				return err
+			}
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (mfs *memoryFs) Walk(root string, fn filepath.WalkFunc) error {
+	stat, err := mfs.Lstat(root)
+	if err != nil {
+		return err
+	}
+	err = fn(strings.Join([]string{root, "."}, string(filepath.Separator)), stat, nil)
+	if err != nil {
+		return err
+	}
+	return mfs.walk(root, fn)
+}
+
+func (mfs *memoryFs) OpenGitIndex(path string) (*index.Index, error) {
+	f, _ := mfs.Filesystem.Chroot(filepath.Join(path, ".git")) //nolint:staticcheck // pre-existing issue from nektos/act
+	storage := filesystem.NewStorage(f, cache.NewObjectLRUDefault())
+	i, err := storage.Index()
+	if err != nil {
+		return nil, err
+	}
+	return i, nil
+}
+
+func (mfs *memoryFs) Open(path string) (io.ReadCloser, error) {
+	return mfs.Filesystem.Open(path)
+}
+
+func (mfs *memoryFs) Readlink(path string) (string, error) {
+	return mfs.Filesystem.Readlink(path)
+}
+
+func TestIgnoredTrackedfile(t *testing.T) {
+	fs := memfs.New()
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
+	dotgit, _ := fs.Chroot("mygitrepo/.git")
+	worktree, _ := fs.Chroot("mygitrepo")
+	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
+	f, _ := worktree.Create(".gitignore")
+	_, _ = f.Write([]byte(".*\n"))
+	f.Close()
+	// This file shouldn't be in the tar
+	f, _ = worktree.Create(".env")
+	_, _ = f.Write([]byte("test=val1\n"))
+	f.Close()
+	w, _ := repo.Worktree()
+	// .gitignore is in the tar after adding it to the index
+	_, _ = w.Add(".gitignore")
+
+	tmpTar, _ := fs.Create("temp.tar")
+	tw := tar.NewWriter(tmpTar)
+	ps, _ := gitignore.ReadPatterns(worktree, []string{})
+	ignorer := gitignore.NewMatcher(ps)
+	fc := &FileCollector{
+		Fs:        &memoryFs{Filesystem: fs},
+		Ignorer:   ignorer,
+		SrcPath:   "mygitrepo",
+		SrcPrefix: "mygitrepo" + string(filepath.Separator),
+		Handler: &TarCollector{
+			TarWriter: tw,
+		},
+	}
+	err := fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
+	assert.NoError(t, err, "successfully collect files") //nolint:testifylint // pre-existing issue from nektos/act
+	tw.Close()
+	_, _ = tmpTar.Seek(0, io.SeekStart)
+	tr := tar.NewReader(tmpTar)
+	h, err := tr.Next()
+	assert.NoError(t, err, "tar must not be empty") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, ".gitignore", h.Name)
+	_, err = tr.Next()
+	assert.ErrorIs(t, err, io.EOF, "tar must only contain one element")
+}
+
+func TestSymlinks(t *testing.T) {
+	fs := memfs.New()
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
+	dotgit, _ := fs.Chroot("mygitrepo/.git")
+	worktree, _ := fs.Chroot("mygitrepo")
+	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
+	// This file shouldn't be in the tar
+	f, err := worktree.Create(".env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	_, err = f.Write([]byte("test=val1\n"))
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	f.Close()
+	err = worktree.Symlink(".env", "test.env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	w, err := repo.Worktree()
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// .gitignore is in the tar after adding it to the index
+	_, err = w.Add(".env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	_, err = w.Add("test.env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	tmpTar, _ := fs.Create("temp.tar")
+	tw := tar.NewWriter(tmpTar)
+	ps, _ := gitignore.ReadPatterns(worktree, []string{})
+	ignorer := gitignore.NewMatcher(ps)
+	fc := &FileCollector{
+		Fs:        &memoryFs{Filesystem: fs},
+		Ignorer:   ignorer,
+		SrcPath:   "mygitrepo",
+		SrcPrefix: "mygitrepo" + string(filepath.Separator),
+		Handler: &TarCollector{
+			TarWriter: tw,
+		},
+	}
+	err = fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
+	assert.NoError(t, err, "successfully collect files") //nolint:testifylint // pre-existing issue from nektos/act
+	tw.Close()
+	_, _ = tmpTar.Seek(0, io.SeekStart)
+	tr := tar.NewReader(tmpTar)
+	h, err := tr.Next()
+	files := map[string]tar.Header{}
+	for err == nil {
+		files[h.Name] = *h
+		h, err = tr.Next()
+	}
+
+	assert.Equal(t, ".env", files[".env"].Name)
+	assert.Equal(t, "test.env", files["test.env"].Name)
+	assert.Equal(t, ".env", files["test.env"].Linkname)
+	assert.ErrorIs(t, err, io.EOF, "tar must be read cleanly to EOF")
+}
+
+// Regression for https://gitea.com/gitea/runner/issues/876 and /941:
+// re-copying an action directory must overwrite a pre-existing read-only
+// file (e.g. a git pack .idx at mode 0444) instead of failing with EACCES
+// on macOS or "Access is denied" on Windows.
+func TestCopyCollectorWriteFileOverwritesReadOnlyFile(t *testing.T) {
+	dst := t.TempDir()
+	target := filepath.Join(dst, "sub", "pack.idx")
+	require.NoError(t, os.MkdirAll(filepath.Dir(target), 0o755))
+	require.NoError(t, os.WriteFile(target, []byte("old"), 0o444))
+
+	src := filepath.Join(t.TempDir(), "pack.idx")
+	require.NoError(t, os.WriteFile(src, []byte("new"), 0o444))
+	fi, err := os.Stat(src)
+	require.NoError(t, err)
+
+	cc := &CopyCollector{DstDir: dst}
+	require.NoError(t, cc.WriteFile("sub/pack.idx", fi, "", strings.NewReader("new")))
+
+	got, err := os.ReadFile(target)
+	require.NoError(t, err)
+	assert.Equal(t, "new", string(got))
+}
+
+// Without the destination removal, os.Symlink fails with EEXIST when the
+// path already holds a regular file from an earlier copy of the action.
+func TestCopyCollectorWriteFileOverwritesFileWithSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("creating symlinks requires elevated privileges on Windows")
+	}
+	dst := t.TempDir()
+	target := filepath.Join(dst, "link")
+	require.NoError(t, os.WriteFile(target, []byte("stale"), 0o644))
+
+	fi, err := os.Lstat(target)
+	require.NoError(t, err)
+
+	cc := &CopyCollector{DstDir: dst}
+	require.NoError(t, cc.WriteFile("link", fi, "target", nil))
+
+	resolved, err := os.Readlink(target)
+	require.NoError(t, err)
+	assert.Equal(t, "target", resolved)
+}
--- a/act/lookpath/LICENSE
+++ b/act/lookpath/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+	* Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+	* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+	* Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/act/lookpath/env.go
+++ b/act/lookpath/env.go
@@ -0,0 +1,9 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package lookpath
+
+type Env interface {
+	Getenv(name string) string
+}
--- a/act/lookpath/error.go
+++ b/act/lookpath/error.go
@@ -0,0 +1,14 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package lookpath
+
+type Error struct {
+	Name string
+	Err  error
+}
+
+func (e *Error) Error() string {
+	return e.Err.Error()
+}
--- a/act/lookpath/lp_js.go
+++ b/act/lookpath/lp_js.go
@@ -0,0 +1,24 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build js && wasm
+
+package lookpath
+
+import (
+	"errors"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $PATH")
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// Wasm can not execute processes, so act as if there are no executables at all.
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_plan9.go
+++ b/act/lookpath/lp_plan9.go
@@ -0,0 +1,57 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $path")
+
+func findExecutable(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if m := d.Mode(); !m.IsDir() && m&0o111 != 0 {
+		return nil
+	}
+	return fs.ErrPermission
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the path environment variable.
+// If file begins with "/", "#", "./", or "../", it is tried
+// directly and the path is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// skip the path lookup for these prefixes
+	skip := []string{"/", "#", "./", "../"}
+
+	for _, p := range skip {
+		if strings.HasPrefix(file, p) {
+			err := findExecutable(file)
+			if err == nil {
+				return file, nil
+			}
+			return "", &Error{file, err}
+		}
+	}
+
+	path := lenv.Getenv("path")
+	for _, dir := range filepath.SplitList(path) {
+		path := filepath.Join(dir, file)
+		if err := findExecutable(path); err == nil {
+			return path, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_unix.go
+++ b/act/lookpath/lp_unix.go
@@ -0,0 +1,60 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $PATH")
+
+func findExecutable(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if m := d.Mode(); !m.IsDir() && m&0o111 != 0 {
+		return nil
+	}
+	return fs.ErrPermission
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// NOTE(rsc): I wish we could use the Plan 9 behavior here
+	// (only bypass the path if file begins with / or ./ or ../)
+	// but that would not match all the Unix shells.
+
+	if strings.Contains(file, "/") {
+		err := findExecutable(file)
+		if err == nil {
+			return file, nil
+		}
+		return "", &Error{file, err}
+	}
+	path := lenv.Getenv("PATH")
+	for _, dir := range filepath.SplitList(path) {
+		if dir == "" {
+			// Unix shell semantics: path element "" means "."
+			dir = "."
+		}
+		path := filepath.Join(dir, file)
+		if err := findExecutable(path); err == nil {
+			return path, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_windows.go
+++ b/act/lookpath/lp_windows.go
@@ -0,0 +1,95 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in %PATH%")
+
+func chkStat(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if d.IsDir() {
+		return fs.ErrPermission
+	}
+	return nil
+}
+
+func hasExt(file string) bool {
+	i := strings.LastIndex(file, ".")
+	if i < 0 {
+		return false
+	}
+	return strings.LastIndexAny(file, `:\/`) < i
+}
+
+func findExecutable(file string, exts []string) (string, error) {
+	if len(exts) == 0 {
+		return file, chkStat(file)
+	}
+	if hasExt(file) {
+		if chkStat(file) == nil {
+			return file, nil
+		}
+	}
+	for _, e := range exts {
+		if f := file + e; chkStat(f) == nil {
+			return f, nil
+		}
+	}
+	return "", fs.ErrNotExist
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// LookPath also uses PATHEXT environment variable to match
+// a suitable candidate.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	var exts []string
+	x := lenv.Getenv(`PATHEXT`)
+	if x != "" {
+		for _, e := range strings.Split(strings.ToLower(x), `;`) {
+			if e == "" {
+				continue
+			}
+			if e[0] != '.' {
+				e = "." + e
+			}
+			exts = append(exts, e)
+		}
+	} else {
+		exts = []string{".com", ".exe", ".bat", ".cmd"}
+	}
+
+	if strings.ContainsAny(file, `:\/`) {
+		if f, err := findExecutable(file, exts); err == nil {
+			return f, nil
+		} else {
+			return "", &Error{file, err}
+		}
+	}
+	if f, err := findExecutable(filepath.Join(".", file), exts); err == nil {
+		return f, nil
+	}
+	path := lenv.Getenv("path")
+	for _, dir := range filepath.SplitList(path) {
+		if f, err := findExecutable(filepath.Join(dir, file), exts); err == nil {
+			return f, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/Show More
+++ b/Show More