chore: bump VERSION to 0.2.49

build(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#1934 )
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.0 to 5.8.1. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.8.0...v5.8.1) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
2023-08-01 02:21:38 +00:00 · 2023-07-31 03:49:57 +00:00 · 2023-07-31 03:29:28 +00:00 · 2023-07-31 03:12:43 +00:00 · 2023-07-24 02:53:35 +00:00 · 2023-07-21 16:56:11 +00:00
127 changed files with 6408 additions and 2681 deletions
--- a/.github/actions/choco/Dockerfile
+++ b/.github/actions/choco/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.17

 ARG CHOCOVERSION=1.1.0

--- a/.github/actions/run-tests/action.yml
+++ b/.github/actions/run-tests/action.yml
@@ -0,0 +1,77 @@
+name: 'run-tests'
+description: 'Runs go test and upload a step summary'
+inputs:
+  filter:
+    description: 'The go test pattern for the tests to run'
+    required: false
+    default: ''
+  upload-logs-name:
+    description: 'Choose the name of the log artifact'
+    required: false
+    default: logs-${{ github.job }}-${{ strategy.job-index }}
+  upload-logs:
+    description: 'If true uploads logs of each tests as an artifact'
+    required: false
+    default: 'true'
+runs:
+  using: composite
+  steps:
+    - uses: actions/github-script@v6
+      with:
+        github-token: none # No reason to grant access to the GITHUB_TOKEN
+        script: |
+          let myOutput = '';
+          var fs = require('fs');
+          var uploadLogs = process.env.UPLOAD_LOGS === 'true';
+          if(uploadLogs) {
+            await io.mkdirP('logs');
+          }
+          var filename = null;
+          const options = {};
+          options.ignoreReturnCode = true;
+          options.env = Object.assign({}, process.env);
+          delete options.env.ACTIONS_RUNTIME_URL;
+          delete options.env.ACTIONS_RUNTIME_TOKEN;
+          delete options.env.ACTIONS_CACHE_URL;
+          options.listeners = {
+            stdout: (data) => {
+              for(line of data.toString().split('\n')) {
+                if(/^\s*(===\s[^\s]+\s|---\s[^\s]+:\s)/.test(line)) {
+                  if(uploadLogs) {
+                    var runprefix = "=== RUN   ";
+                    if(line.startsWith(runprefix)) {
+                      filename = "logs/" + line.substring(runprefix.length).replace(/[^A-Za-z0-9]/g, '-') + ".txt";
+                      fs.writeFileSync(filename, line + "\n");
+                    } else if(filename) {
+                      fs.appendFileSync(filename, line + "\n");
+                      filename = null;
+                    }
+                  }
+                  myOutput += line + "\n";
+                } else if(filename) {
+                  fs.appendFileSync(filename, line + "\n");
+                }
+              }
+            }
+          };
+          var args = ['test', '-v', '-cover', '-coverprofile=coverage.txt', '-covermode=atomic', '-timeout', '20m'];
+          var filter = process.env.FILTER;
+          if(filter) {
+            args.push('-run');
+            args.push(filter);
+          }
+          args.push('./...');
+          var exitcode = await exec.exec('go', args, options);
+          if(process.env.GITHUB_STEP_SUMMARY) {
+            core.summary.addCodeBlock(myOutput);
+            await core.summary.write();
+          }
+          process.exit(exitcode);
+      env:
+        FILTER: ${{ inputs.filter }}
+        UPLOAD_LOGS: ${{ inputs.upload-logs }}
+    - uses: actions/upload-artifact@v3
+      if: always() && inputs.upload-logs == 'true' && !env.ACT
+      with:
+        name: ${{ inputs.upload-logs-name }}
+        path: logs
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -1,10 +1,13 @@
 name: checks
 on: [pull_request, workflow_dispatch]

+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
 env:
  ACT_OWNER: ${{ github.repository_owner }}
  ACT_REPOSITORY: ${{ github.repository }}
-  GO_VERSION: 1.18
  CGO_ENABLED: 0

 jobs:
@@ -15,14 +18,15 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
-      - uses: golangci/golangci-lint-action@v3.3.1
+      - uses: golangci/golangci-lint-action@v3.6.0
        with:
-          version: v1.47.2
-      - uses: megalinter/megalinter/flavors/go@v6.15.0
+          version: v1.53
+          only-new-issues: true
+      - uses: megalinter/megalinter/flavors/go@v7.1.0
        env:
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -39,9 +43,9 @@ jobs:
          fetch-depth: 2
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -50,9 +54,14 @@ jobs:
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
-      - run: go test -v -cover -coverprofile=coverage.txt -covermode=atomic -timeout 15m ./...
+      - name: Run Tests
+        uses: ./.github/actions/run-tests
+        with:
+          upload-logs-name: logs-linux
+      - name: Run act from cli
+        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
      - name: Upload Codecov report
-        uses: codecov/codecov-action@v3.1.1
+        uses: codecov/codecov-action@v3.1.4
        with:
          files: coverage.txt
          fail_ci_if_error: true # optional (default = false)
@@ -69,21 +78,24 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
-      - run: go test -v -run ^TestRunEventHostEnvironment$ ./...
-    # TODO merge coverage with test-linux
+      - name: Run Tests
+        uses: ./.github/actions/run-tests
+        with:
+          filter: '^TestRunEventHostEnvironment$'
+          upload-logs-name: logs-${{ matrix.os }}

  snapshot:
    name: snapshot
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -93,10 +105,10 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: latest
-          args: release --snapshot --rm-dist
+          args: release --snapshot --clean
      - name: Capture x86_64 (64-bit) Linux binary
        if: ${{ !env.ACT }}
        uses: actions/upload-artifact@v3
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -4,9 +4,6 @@ on:
    - cron: '0 2 1 * *'
  workflow_dispatch: {}

-env:
-  GO_VERSION: 1.18
-
 jobs:
  release:
    name: promote
@@ -17,10 +14,10 @@ jobs:
          fetch-depth: 0
          ref: master
          token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
-      - uses: fregante/setup-git-user@v1
-      - uses: actions/setup-go@v3
+      - uses: fregante/setup-git-user@v2
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,9 +4,6 @@ on:
    tags:
      - v*

-env:
-  GO_VERSION: 1.18
-
 jobs:
  release:
    name: release
@@ -15,9 +12,9 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v4
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -27,10 +24,10 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: latest
-          args: release --rm-dist
+          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
      - name: Chocolatey
@@ -39,3 +36,29 @@ jobs:
          version: ${{ github.ref }}
          apiKey: ${{ secrets.CHOCO_APIKEY }}
          push: true
+      - name: GitHub CLI extension
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+          script: |
+            const mainRef = (await github.rest.git.getRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: 'heads/main',
+            })).data;
+            console.log(mainRef);
+            github.rest.git.createRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: context.ref,
+              sha: mainRef.object.sha,
+            });
+  winget:
+    needs: release
+    runs-on: windows-latest # Action can only run on Windows
+    steps:
+      - uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
    name: Stale
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v8
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: 'Issue is stale and will be closed in 14 days unless there is new activity'
@@ -19,5 +19,5 @@ jobs:
          exempt-pr-labels: 'stale-exempt'
          remove-stale-when-updated: 'True'
          operations-per-run: 500
-          days-before-stale: 30
+          days-before-stale: 180
          days-before-close: 14
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -19,17 +19,15 @@ linters-settings:
      - pkg: 'github.com/stretchr/testify/assert'
        alias: assert
  depguard:
-    list-type: blacklist
-    include-go-root: true
-    packages:
-      - github.com/pkg/errors
-      - gotest.tools/v3/assert
-      - log
-    packages-with-error-message:
-      - github.com/pkg/errors: 'Please use "errors" package from standard library'
-      - gotest.tools/v3: 'Please keep tests unified using only github.com/stretchr/testify'
-      - log: 'Please keep logging unified using only github.com/sirupsen/logrus'
-
+    rules:
+      main:
+        deny:
+          - pkg: github.com/pkg/errors
+            desc: Please use "errors" package from standard library
+          - pkg: gotest.tools/v3
+            desc: Please keep tests unified using only github.com/stretchr/testify
+          - pkg: log
+            desc: Please keep logging unified using only github.com/sirupsen/logrus
 linters:
  enable:
    - megacheck
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -22,13 +22,13 @@ builds:
 checksum:
  name_template: 'checksums.txt'
 archives:
-  - name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}'
-    replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+  - name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
    format_overrides:
      - goos: windows
        format: zip
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -14,7 +14,7 @@ DISABLE_LINTERS:
  - MARKDOWN_MARKDOWN_LINK_CHECK
  - REPOSITORY_CHECKOV
  - REPOSITORY_TRIVY
-FILTER_REGEX_EXCLUDE: (.*testdata/*|install.sh|pkg/container/docker_cli.go|pkg/container/DOCKER_LICENSE)
+FILTER_REGEX_EXCLUDE: (.*testdata/*|install.sh|pkg/container/docker_cli.go|pkg/container/DOCKER_LICENSE|VERSION)
 MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
 PARALLEL: false
 PRINT_ALPACA: false
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,6 +1,7 @@
 {
  "go.lintTool": "golangci-lint",
  "go.lintFlags": ["--fix"],
+  "go.testTimeout": "300s",
  "[json]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode"
  },
--- a/8
+++ b/8
@@ -96,12 +96,18 @@ ifneq ($(shell git status -s),)
 	@echo "Unable to promote a dirty workspace"
 	@exit 1
 endif
+	echo -n $(NEW_VERSION) > VERSION
+	git add VERSION
+	git commit -m "chore: bump VERSION to $(NEW_VERSION)"
 	git tag -a -m "releasing v$(NEW_VERSION)" v$(NEW_VERSION)
+	git push origin master
 	git push origin v$(NEW_VERSION)

 .PHONY: snapshot
 snapshot:
 	goreleaser build \
-		--rm-dist \
+		--clean \
 		--single-target \
 		--snapshot
+
+.PHONY: clean all
--- a/README.md
+++ b/README.md
@@ -71,6 +71,14 @@ choco install act-cli
 scoop install act
 ```

+### [Winget](https://learn.microsoft.com/en-us/windows/package-manager/) (Windows)
+
+[![Winget package](https://repology.org/badge/version-for-repo/winget/act-run-github-actions.svg)](https://repology.org/project/act-run-github-actions/versions)
+
+```shell
+winget install nektos.act
+```
+
 ### [AUR](https://aur.archlinux.org/packages/act/) (Linux)

 [![aur-shield](https://img.shields.io/aur/version/act)](https://aur.archlinux.org/packages/act/)
@@ -108,6 +116,14 @@ Using the latest [Nix command](https://nixos.wiki/wiki/Nix_command), you can run
 nix run nixpkgs#act
 ```

+## Installation as GitHub CLI extension
+
+Act can be installed as a [GitHub CLI](https://cli.github.com/) extension:
+
+```sh
+gh extension install https://github.com/nektos/gh-act
+```
+
 ## Other install options

 ### Bash script
@@ -115,7 +131,7 @@ nix run nixpkgs#act
 Run this command in your terminal:

 ```shell
-curl https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
+curl -s https://raw.githubusercontent.com/nektos/act/master/install.sh | sudo bash
 ```

 ### Manual download
@@ -148,6 +164,9 @@ act pull_request
 # Run a specific job:
 act -j test

+# Collect artifacts to the /tmp/artifacts folder:
+act --artifact-server-path /tmp/artifacts
+
 # Run a job in a specific workflow (useful if you have duplicate job names)
 act -j lint -W .github/workflows/checks.yml

@@ -163,49 +182,6 @@ act -v
 When running `act` for the first time, it will ask you to choose image to be used as default.
 It will save that information to `~/.actrc`, please refer to [Configuration](#configuration) for more information about `.actrc` and to [Runners](#runners) for information about used/available Docker images.

-# Flags
-
-```none
-  -a, --actor string                                user that triggered the event (default "nektos/act")
-      --replace-ghe-action-with-github-com          If you are using GitHub Enterprise Server and allow specified actions from GitHub (github.com), you can set actions on this. (e.g. --replace-ghe-action-with-github-com=github/super-linter)
-      --replace-ghe-action-token-with-github-com    If you are using replace-ghe-action-with-github-com and you want to use private actions on GitHub, you have to set personal access token
-      --artifact-server-path string                 Defines the path where the artifact server stores uploads and retrieves downloads from. If not specified the artifact server will not start.
-      --artifact-server-port string                 Defines the port where the artifact server listens (will only bind to localhost). (default "34567")
-  -b, --bind                                        bind working directory to container, rather than copy
-      --container-architecture string               Architecture which should be used to run containers, e.g.: linux/amd64. If not specified, will use host default architecture. Requires Docker server API Version 1.41+. Ignored on earlier Docker server platforms.
-      --container-cap-add stringArray               kernel capabilities to add to the workflow containers (e.g. --container-cap-add SYS_PTRACE)
-      --container-cap-drop stringArray              kernel capabilities to remove from the workflow containers (e.g. --container-cap-drop SYS_PTRACE)
-      --container-daemon-socket string              Path to Docker daemon socket which will be mounted to containers (default "/var/run/docker.sock")
-      --defaultbranch string                        the name of the main branch
-      --detect-event                                Use first event type from workflow as event that triggered the workflow
-  -C, --directory string                            working directory (default ".")
-  -n, --dryrun                                      dryrun mode
-      --env stringArray                             env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)
-      --env-file string                             environment file to read and use as env in the containers (default ".env")
-  -e, --eventpath string                            path to event JSON file
-      --github-instance string                      GitHub instance to use. Don't use this if you are not using GitHub Enterprise Server. (default "github.com")
-  -g, --graph                                       draw workflows
-  -h, --help                                        help for act
-      --insecure-secrets                            NOT RECOMMENDED! Doesn't hide secrets while printing logs.
-  -j, --job string                                  run job
-  -l, --list                                        list workflows
-      --no-recurse                                  Flag to disable running workflows from subdirectories of specified path in '--workflows'/'-W' flag
-  -P, --platform stringArray                        custom image to use per platform (e.g. -P ubuntu-18.04=nektos/act-environments-ubuntu:18.04)
-      --privileged                                  use privileged mode
-  -p, --pull                                        pull docker image(s) even if already present
-  -q, --quiet                                       disable logging of output from steps
-      --rebuild                                     rebuild local action docker image(s) even if already present
-  -r, --reuse                                       don't remove container(s) on successfully completed workflow(s) to maintain state between runs
-      --rm                                          automatically remove container(s)/volume(s) after a workflow(s) failure
-  -s, --secret stringArray                          secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)
-      --secret-file string                          file with list of secrets to read from (e.g. --secret-file .secrets) (default ".secrets")
-      --use-gitignore                               Controls whether paths specified in .gitignore should be copied into container (default true)
-      --userns string                               user namespace to use
-  -v, --verbose                                     verbose output
-  -w, --watch                                       watch the contents of the local repo and run when files change
-  -W, --workflows string                            path to workflow file(s) (default "./.github/workflows/")
-```
-
 ## `GITHUB_TOKEN`

 GitHub [automatically provides](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret) a `GITHUB_TOKEN` secret when running workflows inside GitHub.
@@ -216,6 +192,12 @@ If your workflow depends on this token, you need to create a [personal access to
 act -s GITHUB_TOKEN=[insert token or leave blank and omit equals for secure input]
 ```

+If [GitHub CLI](https://cli.github.com/) is installed, the [`gh auth token`](https://cli.github.com/manual/gh_auth_token) command can be used to automatically pass the token to act
+
+```bash
+act -s GITHUB_TOKEN="$(gh auth token)"
+```
+
 **WARNING**: `GITHUB_TOKEN` will be logged in shell history if not inserted through secure input or (depending on your shell config) the command is prefixed with a whitespace.

 # Known Issues
@@ -290,6 +272,15 @@ If you need an environment that works just like the corresponding GitHub runner

 - [`catthehacker/ubuntu:full-*`](https://github.com/catthehacker/docker_images/pkgs/container/ubuntu) - built from Packer template provided by GitHub, see [catthehacker/virtual-environments-fork](https://github.com/catthehacker/virtual-environments-fork) or [catthehacker/docker_images](https://github.com/catthehacker/docker_images) for more information

+## Using local runner images
+
+The `--pull` flag is set to true by default due to a breaking on older default docker images. This would pull the docker image everytime act is executed.
+
+Set `--pull` to false if a local docker image is needed
+```sh
+  act --pull=false
+```
+
 ## Use an alternative runner image

 To use a different image for the runner, use the `-P` option.
@@ -342,10 +333,41 @@ MY_ENV_VAR=MY_ENV_VAR_VALUE
 MY_2ND_ENV_VAR="my 2nd env var value"
 ```

+# Skipping jobs
+
+You cannot use the `env` context in job level if conditions, but you can add a custom event property to the `github` context. You can use this method also on step level if conditions.
+
+```yml
+on: push
+jobs:
+  deploy:
+    if: ${{ !github.event.act }} # skip during local actions testing
+    runs-on: ubuntu-latest
+    steps:
+    - run: exit 0
+```
+
+And use this `event.json` file with act otherwise the Job will run:
+
+```json
+{
+    "act": true
+}
+```
+
+Run act like
+
+```sh
+act -e event.json
+```
+
+_Hint: you can add / append `-e event.json` as a line into `./.actrc`_
+
 # Skipping steps

 Act adds a special environment variable `ACT` that can be used to skip a step that you
 don't want to run locally. E.g. a step that posts a Slack message or bumps a version number.
+**You cannot use this method in job level if conditions, see [Skipping jobs](#skipping-jobs)**

 ```yml
 - name: Some step
@@ -377,7 +399,7 @@ act pull_request -e pull-request.json

 Act will properly provide `github.head_ref` and `github.base_ref` to the action as expected.

-## Pass Inputs to Manually Triggered Workflows
+# Pass Inputs to Manually Triggered Workflows

 Example workflow file

@@ -403,6 +425,14 @@ jobs:
          echo "Hello ${{ github.event.inputs.NAME }} and ${{ github.event.inputs.SOME_VALUE }}!"
 ```

+## via input or input-file flag
+
+- `act --input NAME=somevalue` - use `somevalue` as the value for `NAME` input.
+- `act --input-file my.input` - load input values from `my.input` file.
+  - input file format is the same as `.env` format
+
+## via JSON
+
 Example JSON payload file conveniently named `payload.json`

 ```json
@@ -439,7 +469,7 @@ Want to contribute to act? Awesome! Check out the [contributing guidelines](CONT

 ## Manually building from source

- Install Go tools 1.18+ - (<https://golang.org/doc/install>)
+- Install Go tools 1.20+ - (<https://golang.org/doc/install>)
 - Clone this repo `git clone git@github.com:nektos/act.git`
 - Run unit tests with `make test`
 - Build and install: `make install`
--- a/1
+++ b/1
@@ -0,0 +1 @@
+0.2.49
--- a/cmd/dir.go
+++ b/cmd/dir.go
@@ -0,0 +1,27 @@
+package cmd
+
+import (
+	"os"
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	UserHomeDir  string
+	CacheHomeDir string
+)
+
+func init() {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+	UserHomeDir = home
+
+	if v := os.Getenv("XDG_CACHE_HOME"); v != "" {
+		CacheHomeDir = v
+	} else {
+		CacheHomeDir = filepath.Join(UserHomeDir, ".cache")
+	}
+}
--- a/cmd/input.go
+++ b/cmd/input.go
@@ -16,20 +16,25 @@ type Input struct {
 	reuseContainers                    bool
 	bindWorkdir                        bool
 	secrets                            []string
+	vars                               []string
 	envs                               []string
+	inputs                             []string
 	platforms                          []string
 	dryrun                             bool
 	forcePull                          bool
 	forceRebuild                       bool
 	noOutput                           bool
 	envfile                            string
+	inputfile                          string
 	secretfile                         string
+	varfile                            string
 	insecureSecrets                    bool
 	defaultBranch                      string
 	privileged                         bool
 	usernsMode                         string
 	containerArchitecture              string
 	containerDaemonSocket              string
+	containerOptions                   string
 	noWorkflowRecurse                  bool
 	useGitIgnore                       bool
 	githubInstance                     string
@@ -37,12 +42,20 @@ type Input struct {
 	containerCapDrop                   []string
 	autoRemove                         bool
 	artifactServerPath                 string
+	artifactServerAddr                 string
 	artifactServerPort                 string
+	noCacheServer                      bool
+	cacheServerPath                    string
+	cacheServerAddr                    string
+	cacheServerPort                    uint16
 	jsonLogger                         bool
 	noSkipCheckout                     bool
 	remoteName                         string
 	replaceGheActionWithGithubCom      []string
 	replaceGheActionTokenWithGithubCom string
+	matrix                             []string
+	actionCachePath                    string
+	logPrefixJobID                     bool
 }

 func (i *Input) resolve(path string) string {
@@ -69,6 +82,10 @@ func (i *Input) Secretfile() string {
 	return i.resolve(i.secretfile)
 }

+func (i *Input) Varfile() string {
+	return i.resolve(i.varfile)
+}
+
 // Workdir returns path to workdir
 func (i *Input) Workdir() string {
 	return i.resolve(".")
@@ -83,3 +100,8 @@ func (i *Input) WorkflowsPath() string {
 func (i *Input) EventPath() string {
 	return i.resolve(i.eventPath)
 }
+
+// Inputfile returns the path to the input file
+func (i *Input) Inputfile() string {
+	return i.resolve(i.inputfile)
+}
--- a/cmd/notices.go
+++ b/cmd/notices.go
@@ -0,0 +1,140 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type Notice struct {
+	Level   string `json:"level"`
+	Message string `json:"message"`
+}
+
+func displayNotices(input *Input) {
+	select {
+	case notices := <-noticesLoaded:
+		if len(notices) > 0 {
+			noticeLogger := log.New()
+			if input.jsonLogger {
+				noticeLogger.SetFormatter(&log.JSONFormatter{})
+			} else {
+				noticeLogger.SetFormatter(&log.TextFormatter{
+					DisableQuote:     true,
+					DisableTimestamp: true,
+					PadLevelText:     true,
+				})
+			}
+
+			fmt.Printf("\n")
+			for _, notice := range notices {
+				level, err := log.ParseLevel(notice.Level)
+				if err != nil {
+					level = log.InfoLevel
+				}
+				noticeLogger.Log(level, notice.Message)
+			}
+		}
+	case <-time.After(time.Second * 1):
+		log.Debugf("Timeout waiting for notices")
+	}
+}
+
+var noticesLoaded = make(chan []Notice)
+
+func loadVersionNotices(version string) {
+	go func() {
+		noticesLoaded <- getVersionNotices(version)
+	}()
+}
+
+const NoticeURL = "https://api.nektosact.com/notices"
+
+func getVersionNotices(version string) []Notice {
+	if os.Getenv("ACT_DISABLE_VERSION_CHECK") == "1" {
+		return nil
+	}
+
+	noticeURL, err := url.Parse(NoticeURL)
+	if err != nil {
+		log.Error(err)
+		return nil
+	}
+	query := noticeURL.Query()
+	query.Add("os", runtime.GOOS)
+	query.Add("arch", runtime.GOARCH)
+	query.Add("version", version)
+
+	noticeURL.RawQuery = query.Encode()
+
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", noticeURL.String(), nil)
+	if err != nil {
+		log.Debug(err)
+		return nil
+	}
+
+	etag := loadNoticesEtag()
+	if etag != "" {
+		log.Debugf("Conditional GET for notices etag=%s", etag)
+		req.Header.Set("If-None-Match", etag)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Debug(err)
+		return nil
+	}
+
+	newEtag := resp.Header.Get("Etag")
+	if newEtag != "" {
+		log.Debugf("Saving notices etag=%s", newEtag)
+		saveNoticesEtag(newEtag)
+	}
+
+	defer resp.Body.Close()
+	notices := []Notice{}
+	if resp.StatusCode == 304 {
+		log.Debug("No new notices")
+		return nil
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&notices); err != nil {
+		log.Debug(err)
+		return nil
+	}
+
+	return notices
+}
+
+func loadNoticesEtag() string {
+	p := etagPath()
+	content, err := os.ReadFile(p)
+	if err != nil {
+		log.Debugf("Unable to load etag from %s: %e", p, err)
+	}
+	return strings.TrimSuffix(string(content), "\n")
+}
+
+func saveNoticesEtag(etag string) {
+	p := etagPath()
+	err := os.WriteFile(p, []byte(strings.TrimSuffix(etag, "\n")), 0o600)
+	if err != nil {
+		log.Debugf("Unable to save etag to %s: %e", p, err)
+	}
+}
+
+func etagPath() string {
+	dir := filepath.Join(CacheHomeDir, "act")
+	if err := os.MkdirAll(dir, 0o777); err != nil {
+		log.Fatal(err)
+	}
+	return filepath.Join(dir, ".notices.etag")
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -12,13 +12,15 @@ import (
 	"strings"

 	"github.com/AlecAivazis/survey/v2"
+	"github.com/adrg/xdg"
 	"github.com/andreaskoch/go-fswatch"
 	"github.com/joho/godotenv"
-	"github.com/mitchellh/go-homedir"
 	gitignore "github.com/sabhiram/go-gitignore"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v3"

+	"github.com/nektos/act/pkg/artifactcache"
 	"github.com/nektos/act/pkg/artifacts"
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
@@ -30,13 +32,14 @@ import (
 func Execute(ctx context.Context, version string) {
 	input := new(Input)
 	var rootCmd = &cobra.Command{
-		Use:              "act [event name to run] [flags]\n\nIf no event name passed, will default to \"on: push\"\nIf actions handles only one event it will be used as default instead of \"on: push\"",
-		Short:            "Run GitHub actions locally by specifying the event name (e.g. `push`) or an action name directly.",
-		Args:             cobra.MaximumNArgs(1),
-		RunE:             newRunCommand(ctx, input),
-		PersistentPreRun: setupLogging,
-		Version:          version,
-		SilenceUsage:     true,
+		Use:               "act [event name to run] [flags]\n\nIf no event name passed, will default to \"on: push\"\nIf actions handles only one event it will be used as default instead of \"on: push\"",
+		Short:             "Run GitHub actions locally by specifying the event name (e.g. `push`) or an action name directly.",
+		Args:              cobra.MaximumNArgs(1),
+		RunE:              newRunCommand(ctx, input),
+		PersistentPreRun:  setup(input),
+		PersistentPostRun: cleanup(input),
+		Version:           version,
+		SilenceUsage:      true,
 	}
 	rootCmd.Flags().BoolP("watch", "w", false, "watch the contents of the local repo and run when files change")
 	rootCmd.Flags().BoolP("list", "l", false, "list workflows")
@@ -46,12 +49,14 @@ func Execute(ctx context.Context, version string) {

 	rootCmd.Flags().StringVar(&input.remoteName, "remote-name", "origin", "git remote name that will be used to retrieve url of git repo")
 	rootCmd.Flags().StringArrayVarP(&input.secrets, "secret", "s", []string{}, "secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)")
+	rootCmd.Flags().StringArrayVar(&input.vars, "var", []string{}, "variable to make available to actions with optional value (e.g. --var myvar=foo or --var myvar)")
 	rootCmd.Flags().StringArrayVarP(&input.envs, "env", "", []string{}, "env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)")
+	rootCmd.Flags().StringArrayVarP(&input.inputs, "input", "", []string{}, "action input to make available to actions (e.g. --input myinput=foo)")
 	rootCmd.Flags().StringArrayVarP(&input.platforms, "platform", "P", []string{}, "custom image to use per platform (e.g. -P ubuntu-18.04=nektos/act-environments-ubuntu:18.04)")
 	rootCmd.Flags().BoolVarP(&input.reuseContainers, "reuse", "r", false, "don't remove container(s) on successfully completed workflow(s) to maintain state between runs")
 	rootCmd.Flags().BoolVarP(&input.bindWorkdir, "bind", "b", false, "bind working directory to container, rather than copy")
-	rootCmd.Flags().BoolVarP(&input.forcePull, "pull", "p", false, "pull docker image(s) even if already present")
-	rootCmd.Flags().BoolVarP(&input.forceRebuild, "rebuild", "", false, "rebuild local action docker image(s) even if already present")
+	rootCmd.Flags().BoolVarP(&input.forcePull, "pull", "p", true, "pull docker image(s) even if already present")
+	rootCmd.Flags().BoolVarP(&input.forceRebuild, "rebuild", "", true, "rebuild local action docker image(s) even if already present")
 	rootCmd.Flags().BoolVarP(&input.autodetectEvent, "detect-event", "", false, "Use first event type from workflow as event that triggered the workflow")
 	rootCmd.Flags().StringVarP(&input.eventPath, "eventpath", "e", "", "path to event JSON file")
 	rootCmd.Flags().StringVar(&input.defaultBranch, "defaultbranch", "", "the name of the main branch")
@@ -63,23 +68,34 @@ func Execute(ctx context.Context, version string) {
 	rootCmd.Flags().BoolVar(&input.autoRemove, "rm", false, "automatically remove container(s)/volume(s) after a workflow(s) failure")
 	rootCmd.Flags().StringArrayVarP(&input.replaceGheActionWithGithubCom, "replace-ghe-action-with-github-com", "", []string{}, "If you are using GitHub Enterprise Server and allow specified actions from GitHub (github.com), you can set actions on this. (e.g. --replace-ghe-action-with-github-com =github/super-linter)")
 	rootCmd.Flags().StringVar(&input.replaceGheActionTokenWithGithubCom, "replace-ghe-action-token-with-github-com", "", "If you are using replace-ghe-action-with-github-com  and you want to use private actions on GitHub, you have to set personal access token")
+	rootCmd.Flags().StringArrayVarP(&input.matrix, "matrix", "", []string{}, "specify which matrix configuration to include (e.g. --matrix java:13")
 	rootCmd.PersistentFlags().StringVarP(&input.actor, "actor", "a", "nektos/act", "user that triggered the event")
 	rootCmd.PersistentFlags().StringVarP(&input.workflowsPath, "workflows", "W", "./.github/workflows/", "path to workflow file(s)")
 	rootCmd.PersistentFlags().BoolVarP(&input.noWorkflowRecurse, "no-recurse", "", false, "Flag to disable running workflows from subdirectories of specified path in '--workflows'/'-W' flag")
 	rootCmd.PersistentFlags().StringVarP(&input.workdir, "directory", "C", ".", "working directory")
 	rootCmd.PersistentFlags().BoolP("verbose", "v", false, "verbose output")
 	rootCmd.PersistentFlags().BoolVar(&input.jsonLogger, "json", false, "Output logs in json format")
+	rootCmd.PersistentFlags().BoolVar(&input.logPrefixJobID, "log-prefix-job-id", false, "Output the job id within non-json logs instead of the entire name")
 	rootCmd.PersistentFlags().BoolVarP(&input.noOutput, "quiet", "q", false, "disable logging of output from steps")
 	rootCmd.PersistentFlags().BoolVarP(&input.dryrun, "dryrun", "n", false, "dryrun mode")
 	rootCmd.PersistentFlags().StringVarP(&input.secretfile, "secret-file", "", ".secrets", "file with list of secrets to read from (e.g. --secret-file .secrets)")
+	rootCmd.PersistentFlags().StringVarP(&input.varfile, "var-file", "", ".vars", "file with list of vars to read from (e.g. --var-file .vars)")
 	rootCmd.PersistentFlags().BoolVarP(&input.insecureSecrets, "insecure-secrets", "", false, "NOT RECOMMENDED! Doesn't hide secrets while printing logs.")
 	rootCmd.PersistentFlags().StringVarP(&input.envfile, "env-file", "", ".env", "environment file to read and use as env in the containers")
+	rootCmd.PersistentFlags().StringVarP(&input.inputfile, "input-file", "", ".input", "input file to read and use as action input")
 	rootCmd.PersistentFlags().StringVarP(&input.containerArchitecture, "container-architecture", "", "", "Architecture which should be used to run containers, e.g.: linux/amd64. If not specified, will use host default architecture. Requires Docker server API Version 1.41+. Ignored on earlier Docker server platforms.")
-	rootCmd.PersistentFlags().StringVarP(&input.containerDaemonSocket, "container-daemon-socket", "", "/var/run/docker.sock", "Path to Docker daemon socket which will be mounted to containers")
+	rootCmd.PersistentFlags().StringVarP(&input.containerDaemonSocket, "container-daemon-socket", "", "", "URI to Docker Engine socket (e.g.: unix://~/.docker/run/docker.sock or - to disable bind mounting the socket)")
+	rootCmd.PersistentFlags().StringVarP(&input.containerOptions, "container-options", "", "", "Custom docker container options for the job container without an options property in the job definition")
 	rootCmd.PersistentFlags().StringVarP(&input.githubInstance, "github-instance", "", "github.com", "GitHub instance to use. Don't use this if you are not using GitHub Enterprise Server.")
 	rootCmd.PersistentFlags().StringVarP(&input.artifactServerPath, "artifact-server-path", "", "", "Defines the path where the artifact server stores uploads and retrieves downloads from. If not specified the artifact server will not start.")
-	rootCmd.PersistentFlags().StringVarP(&input.artifactServerPort, "artifact-server-port", "", "34567", "Defines the port where the artifact server listens (will only bind to localhost).")
+	rootCmd.PersistentFlags().StringVarP(&input.artifactServerAddr, "artifact-server-addr", "", common.GetOutboundIP().String(), "Defines the address to which the artifact server binds.")
+	rootCmd.PersistentFlags().StringVarP(&input.artifactServerPort, "artifact-server-port", "", "34567", "Defines the port where the artifact server listens.")
 	rootCmd.PersistentFlags().BoolVarP(&input.noSkipCheckout, "no-skip-checkout", "", false, "Do not skip actions/checkout")
+	rootCmd.PersistentFlags().BoolVarP(&input.noCacheServer, "no-cache-server", "", false, "Disable cache server")
+	rootCmd.PersistentFlags().StringVarP(&input.cacheServerPath, "cache-server-path", "", filepath.Join(CacheHomeDir, "actcache"), "Defines the path where the cache server stores caches.")
+	rootCmd.PersistentFlags().StringVarP(&input.cacheServerAddr, "cache-server-addr", "", common.GetOutboundIP().String(), "Defines the address to which the cache server binds.")
+	rootCmd.PersistentFlags().Uint16VarP(&input.cacheServerPort, "cache-server-port", "", 0, "Defines the port where the artifact server listens. 0 means a randomly available port.")
+	rootCmd.PersistentFlags().StringVarP(&input.actionCachePath, "action-cache-path", "", filepath.Join(CacheHomeDir, "act"), "Defines the path where the actions get cached and host workspaces created.")
 	rootCmd.SetArgs(args())

 	if err := rootCmd.Execute(); err != nil {
@@ -88,26 +104,51 @@ func Execute(ctx context.Context, version string) {
 }

 func configLocations() []string {
-	home, err := homedir.Dir()
-	if err != nil {
-		log.Fatal(err)
-	}
+	configFileName := ".actrc"

 	// reference: https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
 	var actrcXdg string
-	if xdg, ok := os.LookupEnv("XDG_CONFIG_HOME"); ok && xdg != "" {
-		actrcXdg = filepath.Join(xdg, ".actrc")
-	} else {
-		actrcXdg = filepath.Join(home, ".config", ".actrc")
+	for _, fileName := range []string{"act/actrc", configFileName} {
+		if foundConfig, err := xdg.SearchConfigFile(fileName); foundConfig != "" && err == nil {
+			actrcXdg = foundConfig
+			break
+		}
 	}

 	return []string{
-		filepath.Join(home, ".actrc"),
+		filepath.Join(UserHomeDir, configFileName),
 		actrcXdg,
-		filepath.Join(".", ".actrc"),
+		filepath.Join(".", configFileName),
 	}
 }

+var commonSocketPaths = []string{
+	"/var/run/docker.sock",
+	"/var/run/podman/podman.sock",
+	"$HOME/.colima/docker.sock",
+	"$XDG_RUNTIME_DIR/docker.sock",
+	`\\.\pipe\docker_engine`,
+	"$HOME/.docker/run/docker.sock",
+}
+
+// returns socket path or false if not found any
+func socketLocation() (string, bool) {
+	if dockerHost, exists := os.LookupEnv("DOCKER_HOST"); exists {
+		return dockerHost, true
+	}
+
+	for _, p := range commonSocketPaths {
+		if _, err := os.Lstat(os.ExpandEnv(p)); err == nil {
+			if strings.HasPrefix(p, `\\.\`) {
+				return "npipe://" + filepath.ToSlash(os.ExpandEnv(p)), true
+			}
+			return "unix://" + filepath.ToSlash(os.ExpandEnv(p)), true
+		}
+	}
+
+	return "", false
+}
+
 func args() []string {
 	actrc := configLocations()

@@ -121,15 +162,6 @@ func args() []string {
 }

 func bugReport(ctx context.Context, version string) error {
-	var commonSocketPaths = []string{
-		"/var/run/docker.sock",
-		"/var/run/podman/podman.sock",
-		"$HOME/.colima/docker.sock",
-		"$XDG_RUNTIME_DIR/docker.sock",
-		`\\.\pipe\docker_engine`,
-		"$HOME/.docker/run/docker.sock",
-	}
-
 	sprintf := func(key, val string) string {
 		return fmt.Sprintf("%-24s%s\n", key, val)
 	}
@@ -140,19 +172,20 @@ func bugReport(ctx context.Context, version string) error {
 	report += sprintf("NumCPU:", fmt.Sprint(runtime.NumCPU()))

 	var dockerHost string
-	if dockerHost = os.Getenv("DOCKER_HOST"); dockerHost == "" {
-		dockerHost = "DOCKER_HOST environment variable is unset/empty."
+	var exists bool
+	if dockerHost, exists = os.LookupEnv("DOCKER_HOST"); !exists {
+		dockerHost = "DOCKER_HOST environment variable is not set"
+	} else if dockerHost == "" {
+		dockerHost = "DOCKER_HOST environment variable is empty."
 	}

 	report += sprintf("Docker host:", dockerHost)
 	report += fmt.Sprintln("Sockets found:")
 	for _, p := range commonSocketPaths {
-		if strings.HasPrefix(p, `$`) {
-			v := strings.Split(p, `/`)[0]
-			p = strings.Replace(p, v, os.Getenv(strings.TrimPrefix(v, `$`)), 1)
-		}
-		if _, err := os.Stat(p); err != nil {
+		if _, err := os.Lstat(os.ExpandEnv(p)); err != nil {
 			continue
+		} else if _, err := os.Stat(os.ExpandEnv(p)); err != nil {
+			report += fmt.Sprintf("\t%s(broken)\n", p)
 		} else {
 			report += fmt.Sprintf("\t%s\n", p)
 		}
@@ -241,16 +274,57 @@ func readArgsFile(file string, split bool) []string {
 	return args
 }

-func setupLogging(cmd *cobra.Command, _ []string) {
-	verbose, _ := cmd.Flags().GetBool("verbose")
-	if verbose {
-		log.SetLevel(log.DebugLevel)
+func setup(_ *Input) func(*cobra.Command, []string) {
+	return func(cmd *cobra.Command, _ []string) {
+		verbose, _ := cmd.Flags().GetBool("verbose")
+		if verbose {
+			log.SetLevel(log.DebugLevel)
+		}
+		loadVersionNotices(cmd.Version)
 	}
 }

+func cleanup(inputs *Input) func(*cobra.Command, []string) {
+	return func(cmd *cobra.Command, _ []string) {
+		displayNotices(inputs)
+	}
+}
+
+func parseEnvs(env []string, envs map[string]string) bool {
+	if env != nil {
+		for _, envVar := range env {
+			e := strings.SplitN(envVar, `=`, 2)
+			if len(e) == 2 {
+				envs[e[0]] = e[1]
+			} else {
+				envs[e[0]] = ""
+			}
+		}
+		return true
+	}
+	return false
+}
+
+func readYamlFile(file string) (map[string]string, error) {
+	content, err := os.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	ret := map[string]string{}
+	if err = yaml.Unmarshal(content, &ret); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
 func readEnvs(path string, envs map[string]string) bool {
 	if _, err := os.Stat(path); err == nil {
-		env, err := godotenv.Read(path)
+		var env map[string]string
+		if ext := filepath.Ext(path); ext == ".yml" || ext == ".yaml" {
+			env, err = readYamlFile(path)
+		} else {
+			env, err = godotenv.Read(path)
+		}
 		if err != nil {
 			log.Fatalf("Error loading from %s: %v", path, err)
 		}
@@ -262,6 +336,35 @@ func readEnvs(path string, envs map[string]string) bool {
 	return false
 }

+func parseMatrix(matrix []string) map[string]map[string]bool {
+	// each matrix entry should be of the form - string:string
+	r := regexp.MustCompile(":")
+	matrixes := make(map[string]map[string]bool)
+	for _, m := range matrix {
+		matrix := r.Split(m, 2)
+		if len(matrix) < 2 {
+			log.Fatalf("Invalid matrix format. Failed to parse %s", m)
+		}
+		if _, ok := matrixes[matrix[0]]; !ok {
+			matrixes[matrix[0]] = make(map[string]bool)
+		}
+		matrixes[matrix[0]][matrix[1]] = true
+	}
+	return matrixes
+}
+
+func isDockerHostURI(daemonPath string) bool {
+	if protoIndex := strings.Index(daemonPath, "://"); protoIndex != -1 {
+		scheme := daemonPath[:protoIndex]
+		if strings.IndexFunc(scheme, func(r rune) bool {
+			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
+		}) == -1 {
+			return true
+		}
+	}
+	return false
+}
+
 //nolint:gocyclo
 func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []string) error {
 	return func(cmd *cobra.Command, args []string) error {
@@ -273,33 +376,58 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			return bugReport(ctx, cmd.Version)
 		}

+		// Prefer DOCKER_HOST, don't override it
+		socketPath, hasDockerHost := os.LookupEnv("DOCKER_HOST")
+		if !hasDockerHost {
+			// a - in containerDaemonSocket means don't mount, preserve this value
+			// otherwise if input.containerDaemonSocket is a filepath don't use it as socketPath
+			skipMount := input.containerDaemonSocket == "-" || !isDockerHostURI(input.containerDaemonSocket)
+			if input.containerDaemonSocket != "" && !skipMount {
+				socketPath = input.containerDaemonSocket
+			} else {
+				socket, found := socketLocation()
+				if !found {
+					log.Errorln("daemon Docker Engine socket not found and containerDaemonSocket option was not set")
+				} else {
+					socketPath = socket
+				}
+				if !skipMount {
+					input.containerDaemonSocket = socketPath
+				}
+			}
+			os.Setenv("DOCKER_HOST", socketPath)
+		}
+
 		if runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" && input.containerArchitecture == "" {
 			l := log.New()
 			l.SetFormatter(&log.TextFormatter{
 				DisableQuote:     true,
 				DisableTimestamp: true,
 			})
-			l.Warnf(" \U000026A0 You are using Apple M1 chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. \U000026A0 \n")
+			l.Warnf(" \U000026A0 You are using Apple M-series chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. \U000026A0 \n")
 		}

 		log.Debugf("Loading environment from %s", input.Envfile())
 		envs := make(map[string]string)
-		if input.envs != nil {
-			for _, envVar := range input.envs {
-				e := strings.SplitN(envVar, `=`, 2)
-				if len(e) == 2 {
-					envs[e[0]] = e[1]
-				} else {
-					envs[e[0]] = ""
-				}
-			}
-		}
+		_ = parseEnvs(input.envs, envs)
 		_ = readEnvs(input.Envfile(), envs)

+		log.Debugf("Loading action inputs from %s", input.Inputfile())
+		inputs := make(map[string]string)
+		_ = parseEnvs(input.inputs, inputs)
+		_ = readEnvs(input.Inputfile(), inputs)
+
 		log.Debugf("Loading secrets from %s", input.Secretfile())
 		secrets := newSecrets(input.secrets)
 		_ = readEnvs(input.Secretfile(), secrets)

+		log.Debugf("Loading vars from %s", input.Varfile())
+		vars := newSecrets(input.vars)
+		_ = readEnvs(input.Varfile(), vars)
+
+		matrixes := parseMatrix(input.matrix)
+		log.Debugf("Evaluated matrix inclusions: %v", matrixes)
+
 		planner, err := model.NewWorkflowPlanner(input.WorkflowsPath(), input.noWorkflowRecurse)
 		if err != nil {
 			return err
@@ -329,7 +457,7 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 		var filterPlan *model.Plan

 		// Determine the event name to be filtered
-		var filterEventName string = ""
+		var filterEventName string

 		if len(args) > 0 {
 			log.Debugf("Using first passed in arguments event for filtering: %s", args[0])
@@ -341,23 +469,35 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			filterEventName = events[0]
 		}

+		var plannerErr error
 		if jobID != "" {
 			log.Debugf("Preparing plan with a job: %s", jobID)
-			filterPlan = planner.PlanJob(jobID)
+			filterPlan, plannerErr = planner.PlanJob(jobID)
 		} else if filterEventName != "" {
 			log.Debugf("Preparing plan for a event: %s", filterEventName)
-			filterPlan = planner.PlanEvent(filterEventName)
+			filterPlan, plannerErr = planner.PlanEvent(filterEventName)
 		} else {
 			log.Debugf("Preparing plan with all jobs")
-			filterPlan = planner.PlanAll()
+			filterPlan, plannerErr = planner.PlanAll()
+		}
+		if filterPlan == nil && plannerErr != nil {
+			return plannerErr
 		}

 		if list {
-			return printList(filterPlan)
+			err = printList(filterPlan)
+			if err != nil {
+				return err
+			}
+			return plannerErr
 		}

 		if graph {
-			return drawGraph(filterPlan)
+			err = drawGraph(filterPlan)
+			if err != nil {
+				return err
+			}
+			return plannerErr
 		}

 		// plan with triggered jobs
@@ -385,10 +525,13 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 		// build the plan for this run
 		if jobID != "" {
 			log.Debugf("Planning job: %s", jobID)
-			plan = planner.PlanJob(jobID)
+			plan, plannerErr = planner.PlanJob(jobID)
 		} else {
 			log.Debugf("Planning jobs for event: %s", eventName)
-			plan = planner.PlanEvent(eventName)
+			plan, plannerErr = planner.PlanEvent(eventName)
+		}
+		if plan == nil && plannerErr != nil {
+			return plannerErr
 		}

 		// check to see if the main branch was defined
@@ -414,6 +557,19 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 				input.platforms = readArgsFile(cfgLocations[0], true)
 			}
 		}
+		deprecationWarning := "--%s is deprecated and will be removed soon, please switch to cli: `--container-options \"%[2]s\"` or `.actrc`: `--container-options %[2]s`."
+		if input.privileged {
+			log.Warnf(deprecationWarning, "privileged", "--privileged")
+		}
+		if len(input.usernsMode) > 0 {
+			log.Warnf(deprecationWarning, "userns", fmt.Sprintf("--userns=%s", input.usernsMode))
+		}
+		if len(input.containerCapAdd) > 0 {
+			log.Warnf(deprecationWarning, "container-cap-add", fmt.Sprintf("--cap-add=%s", input.containerCapAdd))
+		}
+		if len(input.containerCapDrop) > 0 {
+			log.Warnf(deprecationWarning, "container-cap-drop", fmt.Sprintf("--cap-drop=%s", input.containerCapDrop))
+		}

 		// run the plan
 		config := &runner.Config{
@@ -425,11 +581,15 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			ForceRebuild:                       input.forceRebuild,
 			ReuseContainers:                    input.reuseContainers,
 			Workdir:                            input.Workdir(),
+			ActionCacheDir:                     input.actionCachePath,
 			BindWorkdir:                        input.bindWorkdir,
 			LogOutput:                          !input.noOutput,
 			JSONLogger:                         input.jsonLogger,
+			LogPrefixJobID:                     input.logPrefixJobID,
 			Env:                                envs,
 			Secrets:                            secrets,
+			Vars:                               vars,
+			Inputs:                             inputs,
 			Token:                              secrets["GITHUB_TOKEN"],
 			InsecureSecrets:                    input.insecureSecrets,
 			Platforms:                          input.newPlatforms(),
@@ -437,37 +597,60 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			UsernsMode:                         input.usernsMode,
 			ContainerArchitecture:              input.containerArchitecture,
 			ContainerDaemonSocket:              input.containerDaemonSocket,
+			ContainerOptions:                   input.containerOptions,
 			UseGitIgnore:                       input.useGitIgnore,
 			GitHubInstance:                     input.githubInstance,
 			ContainerCapAdd:                    input.containerCapAdd,
 			ContainerCapDrop:                   input.containerCapDrop,
 			AutoRemove:                         input.autoRemove,
 			ArtifactServerPath:                 input.artifactServerPath,
+			ArtifactServerAddr:                 input.artifactServerAddr,
 			ArtifactServerPort:                 input.artifactServerPort,
 			NoSkipCheckout:                     input.noSkipCheckout,
 			RemoteName:                         input.remoteName,
 			ReplaceGheActionWithGithubCom:      input.replaceGheActionWithGithubCom,
 			ReplaceGheActionTokenWithGithubCom: input.replaceGheActionTokenWithGithubCom,
+			Matrix:                             matrixes,
 		}
 		r, err := runner.New(config)
 		if err != nil {
 			return err
 		}

-		cancel := artifacts.Serve(ctx, input.artifactServerPath, input.artifactServerPort)
+		cancel := artifacts.Serve(ctx, input.artifactServerPath, input.artifactServerAddr, input.artifactServerPort)
+
+		const cacheURLKey = "ACTIONS_CACHE_URL"
+		var cacheHandler *artifactcache.Handler
+		if !input.noCacheServer && envs[cacheURLKey] == "" {
+			var err error
+			cacheHandler, err = artifactcache.StartHandler(input.cacheServerPath, input.cacheServerAddr, input.cacheServerPort, common.Logger(ctx))
+			if err != nil {
+				return err
+			}
+			envs[cacheURLKey] = cacheHandler.ExternalURL() + "/"
+		}

 		ctx = common.WithDryrun(ctx, input.dryrun)
 		if watch, err := cmd.Flags().GetBool("watch"); err != nil {
 			return err
 		} else if watch {
-			return watchAndRun(ctx, r.NewPlanExecutor(plan))
+			err = watchAndRun(ctx, r.NewPlanExecutor(plan))
+			if err != nil {
+				return err
+			}
+			return plannerErr
 		}

 		executor := r.NewPlanExecutor(plan).Finally(func(ctx context.Context) error {
 			cancel()
+			_ = cacheHandler.Close()
 			return nil
 		})
-		return executor(ctx)
+		err = executor(ctx)
+		if err != nil {
+			return err
+		}
+		return plannerErr
 	}
 }

@@ -492,7 +675,7 @@ func defaultImageSurvey(actrc string) error {
 	case "Medium":
 		option = "-P ubuntu-latest=catthehacker/ubuntu:act-latest\n-P ubuntu-22.04=catthehacker/ubuntu:act-22.04\n-P ubuntu-20.04=catthehacker/ubuntu:act-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:act-18.04\n"
 	case "Micro":
-		option = "-P ubuntu-latest=node:16-buster-slim\n-P -P ubuntu-22.04=node:16-bullseye-slim\n ubuntu-20.04=node:16-buster-slim\n-P ubuntu-18.04=node:16-buster-slim\n"
+		option = "-P ubuntu-latest=node:16-buster-slim\n-P ubuntu-22.04=node:16-bullseye-slim\n-P ubuntu-20.04=node:16-buster-slim\n-P ubuntu-18.04=node:16-buster-slim\n"
 	}

 	f, err := os.Create(actrc)
@@ -515,45 +698,47 @@ func defaultImageSurvey(actrc string) error {
 }

 func watchAndRun(ctx context.Context, fn common.Executor) error {
-	recurse := true
-	checkIntervalInSeconds := 2
 	dir, err := os.Getwd()
 	if err != nil {
 		return err
 	}

-	var ignore *gitignore.GitIgnore
-	if _, err := os.Stat(filepath.Join(dir, ".gitignore")); !os.IsNotExist(err) {
-		ignore, _ = gitignore.CompileIgnoreFile(filepath.Join(dir, ".gitignore"))
-	} else {
-		ignore = &gitignore.GitIgnore{}
+	ignoreFile := filepath.Join(dir, ".gitignore")
+	ignore := &gitignore.GitIgnore{}
+	if info, err := os.Stat(ignoreFile); err == nil && !info.IsDir() {
+		ignore, err = gitignore.CompileIgnoreFile(ignoreFile)
+		if err != nil {
+			return fmt.Errorf("compile %q: %w", ignoreFile, err)
+		}
 	}

 	folderWatcher := fswatch.NewFolderWatcher(
 		dir,
-		recurse,
+		true,
 		ignore.MatchesPath,
-		checkIntervalInSeconds,
+		2, // 2 seconds
 	)

 	folderWatcher.Start()
+	defer folderWatcher.Stop()

-	go func() {
-		for folderWatcher.IsRunning() {
-			if err = fn(ctx); err != nil {
-				break
-			}
-			log.Debugf("Watching %s for changes", dir)
-			for changes := range folderWatcher.ChangeDetails() {
-				log.Debugf("%s", changes.String())
-				if err = fn(ctx); err != nil {
-					break
-				}
-				log.Debugf("Watching %s for changes", dir)
+	// run once before watching
+	if err := fn(ctx); err != nil {
+		return err
+	}
+
+	for folderWatcher.IsRunning() {
+		log.Debugf("Watching %s for changes", dir)
+		select {
+		case <-ctx.Done():
+			return nil
+		case changes := <-folderWatcher.ChangeDetails():
+			log.Debugf("%s", changes.String())
+			if err := fn(ctx); err != nil {
+				return err
 			}
 		}
-	}()
-	<-ctx.Done()
-	folderWatcher.Stop()
-	return err
+	}
+
+	return nil
 }
--- a/go.mod
+++ b/go.mod
@@ -1,85 +1,89 @@
 module github.com/nektos/act

-go 1.18
+go 1.20

 require (
-	github.com/AlecAivazis/survey/v2 v2.3.6
+	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/Masterminds/semver v1.5.0
+	github.com/adrg/xdg v0.4.0
 	github.com/andreaskoch/go-fswatch v1.0.0
 	github.com/creack/pty v1.1.18
-	github.com/docker/cli v20.10.21+incompatible
-	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v20.10.21+incompatible
+	github.com/docker/cli v24.0.5+incompatible
+	github.com/docker/distribution v2.8.2+incompatible
+	github.com/docker/docker v24.0.5+incompatible // 24.0 branch
 	github.com/docker/go-connections v0.4.0
-	github.com/go-git/go-billy/v5 v5.3.1
-	github.com/go-git/go-git/v5 v5.4.2
-	github.com/go-ini/ini v1.67.0
-	github.com/imdario/mergo v0.3.13
-	github.com/joho/godotenv v1.4.0
+	github.com/go-git/go-billy/v5 v5.4.1
+	github.com/go-git/go-git/v5 v5.8.1
+	github.com/imdario/mergo v0.3.16
+	github.com/joho/godotenv v1.5.1
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/mattn/go-isatty v0.0.16
-	github.com/mitchellh/go-homedir v1.1.0
-	github.com/moby/buildkit v0.10.6
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799
-	github.com/opencontainers/selinux v1.10.2
+	github.com/mattn/go-isatty v0.0.19
+	github.com/moby/buildkit v0.12.0
+	github.com/moby/patternmatcher v0.5.0
+	github.com/opencontainers/image-spec v1.1.0-rc4
+	github.com/opencontainers/selinux v1.11.0
 	github.com/pkg/errors v0.9.1
-	github.com/rhysd/actionlint v1.6.22
+	github.com/rhysd/actionlint v1.6.25
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/cobra v1.6.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.1
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	github.com/stretchr/testify v1.8.4
+	github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a
+	go.etcd.io/bbolt v1.3.7
+	golang.org/x/term v0.10.0
 	gopkg.in/yaml.v3 v3.0.1
-	gotest.tools/v3 v3.4.0
+	gotest.tools/v3 v3.5.0
 )

 require (
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.9.3 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20220404123522-616f957b79ad // indirect
-	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/containerd/cgroups v1.0.3 // indirect
-	github.com/containerd/containerd v1.6.6 // indirect
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/containerd/containerd v1.7.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/docker-credential-helpers v0.6.4 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/fatih/color v1.15.0 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.16.3 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
-	github.com/moby/sys/mount v0.3.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.0 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/opencontainers/runc v1.1.7 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rivo/uniseg v0.3.4 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/robfig/cron v1.2.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/skeema/knownhosts v1.2.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/xanzy/ssh-agent v0.3.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
-	github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f // indirect
-	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
-	golang.org/x/net v0.0.0-20220906165146-f3363e06e74c // indirect
-	golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect
-	golang.org/x/sys v0.0.0-20220818161305-2296e01440c6 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
-
-replace github.com/go-git/go-git/v5 => github.com/ZauberNerd/go-git/v5 v5.4.3-0.20220315170230-29ec1bc1e5db
--- a/go.sum
+++ b/go.sum
--- a/main.go
+++ b/main.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	_ "embed"
 	"os"
 	"os/signal"
 	"syscall"
@@ -9,7 +10,8 @@ import (
 	"github.com/nektos/act/cmd"
 )

-var version = "v0.2.27-dev" // Manually bump after tagging next release
+//go:embed VERSION
+var version string

 func main() {
 	ctx := context.Background()
--- a/pkg/artifactcache/doc.go
+++ b/pkg/artifactcache/doc.go
@@ -0,0 +1,8 @@
+// Package artifactcache provides a cache handler for the runner.
+//
+// Inspired by https://github.com/sp-ricard-valverde/github-act-cache-server
+//
+// TODO: Authorization
+// TODO: Restrictions for accessing a cache, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+// TODO: Force deleting cache entries, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+package artifactcache
--- a/pkg/artifactcache/handler.go
+++ b/pkg/artifactcache/handler.go
@@ -0,0 +1,530 @@
+package artifactcache
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/julienschmidt/httprouter"
+	"github.com/sirupsen/logrus"
+	"github.com/timshannon/bolthold"
+	"go.etcd.io/bbolt"
+
+	"github.com/nektos/act/pkg/common"
+)
+
+const (
+	urlBase = "/_apis/artifactcache"
+)
+
+type Handler struct {
+	dir      string
+	storage  *Storage
+	router   *httprouter.Router
+	listener net.Listener
+	server   *http.Server
+	logger   logrus.FieldLogger
+
+	gcing int32 // TODO: use atomic.Bool when we can use Go 1.19
+	gcAt  time.Time
+
+	outboundIP string
+}
+
+func StartHandler(dir, outboundIP string, port uint16, logger logrus.FieldLogger) (*Handler, error) {
+	h := &Handler{}
+
+	if logger == nil {
+		discard := logrus.New()
+		discard.Out = io.Discard
+		logger = discard
+	}
+	logger = logger.WithField("module", "artifactcache")
+	h.logger = logger
+
+	if dir == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil, err
+		}
+		dir = filepath.Join(home, ".cache", "actcache")
+	}
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return nil, err
+	}
+
+	h.dir = dir
+
+	storage, err := NewStorage(filepath.Join(dir, "cache"))
+	if err != nil {
+		return nil, err
+	}
+	h.storage = storage
+
+	if outboundIP != "" {
+		h.outboundIP = outboundIP
+	} else if ip := common.GetOutboundIP(); ip == nil {
+		return nil, fmt.Errorf("unable to determine outbound IP address")
+	} else {
+		h.outboundIP = ip.String()
+	}
+
+	router := httprouter.New()
+	router.GET(urlBase+"/cache", h.middleware(h.find))
+	router.POST(urlBase+"/caches", h.middleware(h.reserve))
+	router.PATCH(urlBase+"/caches/:id", h.middleware(h.upload))
+	router.POST(urlBase+"/caches/:id", h.middleware(h.commit))
+	router.GET(urlBase+"/artifacts/:id", h.middleware(h.get))
+	router.POST(urlBase+"/clean", h.middleware(h.clean))
+
+	h.router = router
+
+	h.gcCache()
+
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) // listen on all interfaces
+	if err != nil {
+		return nil, err
+	}
+	server := &http.Server{
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+	go func() {
+		if err := server.Serve(listener); err != nil && errors.Is(err, net.ErrClosed) {
+			logger.Errorf("http serve: %v", err)
+		}
+	}()
+	h.listener = listener
+	h.server = server
+
+	return h, nil
+}
+
+func (h *Handler) ExternalURL() string {
+	// TODO: make the external url configurable if necessary
+	return fmt.Sprintf("http://%s:%d",
+		h.outboundIP,
+		h.listener.Addr().(*net.TCPAddr).Port)
+}
+
+func (h *Handler) Close() error {
+	if h == nil {
+		return nil
+	}
+	var retErr error
+	if h.server != nil {
+		err := h.server.Close()
+		if err != nil {
+			retErr = err
+		}
+		h.server = nil
+	}
+	if h.listener != nil {
+		err := h.listener.Close()
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+		if err != nil {
+			retErr = err
+		}
+		h.listener = nil
+	}
+	return retErr
+}
+
+func (h *Handler) openDB() (*bolthold.Store, error) {
+	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
+		Encoder: json.Marshal,
+		Decoder: json.Unmarshal,
+		Options: &bbolt.Options{
+			Timeout:      5 * time.Second,
+			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
+			FreelistType: bbolt.DefaultOptions.FreelistType,
+		},
+	})
+}
+
+// GET /_apis/artifactcache/cache
+func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	keys := strings.Split(r.URL.Query().Get("keys"), ",")
+	// cache keys are case insensitive
+	for i, key := range keys {
+		keys[i] = strings.ToLower(key)
+	}
+	version := r.URL.Query().Get("version")
+
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache, err := h.findCache(db, keys, version)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	if cache == nil {
+		h.responseJSON(w, r, 204)
+		return
+	}
+
+	if ok, err := h.storage.Exist(cache.ID); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	} else if !ok {
+		_ = db.Delete(cache.ID, cache)
+		h.responseJSON(w, r, 204)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"result":          "hit",
+		"archiveLocation": fmt.Sprintf("%s%s/artifacts/%d", h.ExternalURL(), urlBase, cache.ID),
+		"cacheKey":        cache.Key,
+	})
+}
+
+// POST /_apis/artifactcache/caches
+func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	api := &Request{}
+	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	// cache keys are case insensitive
+	api.Key = strings.ToLower(api.Key)
+
+	cache := api.ToCache()
+	cache.FillKeyVersionHash()
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
+		if !errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 500, err)
+			return
+		}
+	} else {
+		h.responseJSON(w, r, 400, fmt.Errorf("already exist"))
+		return
+	}
+
+	now := time.Now().Unix()
+	cache.CreatedAt = now
+	cache.UsedAt = now
+	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	// write back id to db
+	if err := db.Update(cache.ID, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"cacheId": cache.ID,
+	})
+}
+
+// PATCH /_apis/artifactcache/caches/:id
+func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+	db.Close()
+	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	if err := h.storage.Write(cache.ID, start, r.Body); err != nil {
+		h.responseJSON(w, r, 500, err)
+	}
+	h.useCache(id)
+	h.responseJSON(w, r, 200)
+}
+
+// POST /_apis/artifactcache/caches/:id
+func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+
+	db.Close()
+
+	size, err := h.storage.Commit(cache.ID, cache.Size)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
+	cache.Size = size
+
+	db, err = h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache.Complete = true
+	if err := db.Update(cache.ID, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	h.responseJSON(w, r, 200)
+}
+
+// GET /_apis/artifactcache/artifacts/:id
+func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	h.useCache(id)
+	h.storage.Serve(w, r, uint64(id))
+}
+
+// POST /_apis/artifactcache/clean
+func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	// TODO: don't support force deleting cache entries
+	// see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+	h.responseJSON(w, r, 200)
+}
+
+func (h *Handler) middleware(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.RequestURI)
+		handler(w, r, params)
+		go h.gcCache()
+	}
+}
+
+// if not found, return (nil, nil) instead of an error.
+func (h *Handler) findCache(db *bolthold.Store, keys []string, version string) (*Cache, error) {
+	if len(keys) == 0 {
+		return nil, nil
+	}
+	key := keys[0] // the first key is for exact match.
+
+	cache := &Cache{
+		Key:     key,
+		Version: version,
+	}
+	cache.FillKeyVersionHash()
+
+	if err := db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
+		if !errors.Is(err, bolthold.ErrNotFound) {
+			return nil, err
+		}
+	} else if cache.Complete {
+		return cache, nil
+	}
+	stop := fmt.Errorf("stop")
+
+	for _, prefix := range keys[1:] {
+		found := false
+		if err := db.ForEach(bolthold.Where("Key").Ge(prefix).And("Version").Eq(version).SortBy("Key"), func(v *Cache) error {
+			if !strings.HasPrefix(v.Key, prefix) {
+				return stop
+			}
+			if v.Complete {
+				cache = v
+				found = true
+				return stop
+			}
+			return nil
+		}); err != nil {
+			if !errors.Is(err, stop) {
+				return nil, err
+			}
+		}
+		if found {
+			return cache, nil
+		}
+	}
+	return nil, nil
+}
+
+func (h *Handler) useCache(id int64) {
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+	cache := &Cache{}
+	if err := db.Get(id, cache); err != nil {
+		return
+	}
+	cache.UsedAt = time.Now().Unix()
+	_ = db.Update(cache.ID, cache)
+}
+
+func (h *Handler) gcCache() {
+	if atomic.LoadInt32(&h.gcing) != 0 {
+		return
+	}
+	if !atomic.CompareAndSwapInt32(&h.gcing, 0, 1) {
+		return
+	}
+	defer atomic.StoreInt32(&h.gcing, 0)
+
+	if time.Since(h.gcAt) < time.Hour {
+		h.logger.Debugf("skip gc: %v", h.gcAt.String())
+		return
+	}
+	h.gcAt = time.Now()
+	h.logger.Debugf("gc: %v", h.gcAt.String())
+
+	const (
+		keepUsed   = 30 * 24 * time.Hour
+		keepUnused = 7 * 24 * time.Hour
+		keepTemp   = 5 * time.Minute
+	)
+
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+
+	var caches []*Cache
+	if err := db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix())); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			if cache.Complete {
+				continue
+			}
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix())); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix())); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+}
+
+func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int, v ...any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	var data []byte
+	if len(v) == 0 || v[0] == nil {
+		data, _ = json.Marshal(struct{}{})
+	} else if err, ok := v[0].(error); ok {
+		h.logger.Errorf("%v %v: %v", r.Method, r.RequestURI, err)
+		data, _ = json.Marshal(map[string]any{
+			"error": err.Error(),
+		})
+	} else {
+		data, _ = json.Marshal(v[0])
+	}
+	w.WriteHeader(code)
+	_, _ = w.Write(data)
+}
+
+func parseContentRange(s string) (int64, int64, error) {
+	// support the format like "bytes 11-22/*" only
+	s, _, _ = strings.Cut(strings.TrimPrefix(s, "bytes "), "/")
+	s1, s2, _ := strings.Cut(s, "-")
+
+	start, err := strconv.ParseInt(s1, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	stop, err := strconv.ParseInt(s2, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	return start, stop, nil
+}
--- a/pkg/artifactcache/handler_test.go
+++ b/pkg/artifactcache/handler_test.go
@@ -0,0 +1,471 @@
+package artifactcache
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.etcd.io/bbolt"
+)
+
+func TestHandler(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, nil)
+	require.NoError(t, err)
+
+	base := fmt.Sprintf("%s%s", handler.ExternalURL(), urlBase)
+
+	defer func() {
+		t.Run("inpect db", func(t *testing.T) {
+			db, err := handler.openDB()
+			require.NoError(t, err)
+			defer db.Close()
+			require.NoError(t, db.Bolt().View(func(tx *bbolt.Tx) error {
+				return tx.Bucket([]byte("Cache")).ForEach(func(k, v []byte) error {
+					t.Logf("%s: %s", k, v)
+					return nil
+				})
+			}))
+		})
+		t.Run("close", func(t *testing.T) {
+			require.NoError(t, handler.Close())
+			assert.Nil(t, handler.server)
+			assert.Nil(t, handler.listener)
+			_, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 1), "", nil)
+			assert.Error(t, err)
+		})
+	}()
+
+	t.Run("get not exist", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
+		require.NoError(t, err)
+		require.Equal(t, 204, resp.StatusCode)
+	})
+
+	t.Run("reserve and upload", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		uploadCacheNormally(t, base, key, version, content)
+	})
+
+	t.Run("clean", func(t *testing.T) {
+		resp, err := http.Post(fmt.Sprintf("%s/clean", base), "", nil)
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	})
+
+	t.Run("reserve with bad request", func(t *testing.T) {
+		body := []byte(`invalid json`)
+		require.NoError(t, err)
+		resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("duplicate reserve", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		}
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("upload with bad id", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodPatch,
+			fmt.Sprintf("%s/caches/invalid_id", base), bytes.NewReader(nil))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("upload without reserve", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodPatch,
+			fmt.Sprintf("%s/caches/%d", base, 1000), bytes.NewReader(nil))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("upload with complete", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("upload with invalid range", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes xx-99/*")
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit with bad id", func(t *testing.T) {
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/invalid_id", base), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit with not exist id", func(t *testing.T) {
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 100), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("duplicate commit", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit early", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content[:50]))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-59/*")
+			resp, err := http.DefaultClient.Do(req)
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
+			require.NoError(t, err)
+			assert.Equal(t, 500, resp.StatusCode)
+		}
+	})
+
+	t.Run("get with bad id", func(t *testing.T) {
+		resp, err := http.Get(fmt.Sprintf("%s/artifacts/invalid_id", base))
+		require.NoError(t, err)
+		require.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("get with not exist id", func(t *testing.T) {
+		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100))
+		require.NoError(t, err)
+		require.Equal(t, 404, resp.StatusCode)
+	})
+
+	t.Run("get with not exist id", func(t *testing.T) {
+		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100))
+		require.NoError(t, err)
+		require.Equal(t, 404, resp.StatusCode)
+	})
+
+	t.Run("get with multiple keys", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		keys := [3]string{
+			key + "_a",
+			key + "_a_b",
+			key + "_a_b_c",
+		}
+		contents := [3][]byte{
+			make([]byte, 100),
+			make([]byte, 200),
+			make([]byte, 300),
+		}
+		for i := range contents {
+			_, err := rand.Read(contents[i])
+			require.NoError(t, err)
+			uploadCacheNormally(t, base, keys[i], version, contents[i])
+		}
+
+		reqKeys := strings.Join([]string{
+			key + "_a_b_x",
+			key + "_a_b",
+			key + "_a",
+		}, ",")
+		var archiveLocation string
+		{
+			resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version))
+			require.NoError(t, err)
+			require.Equal(t, 200, resp.StatusCode)
+			got := struct {
+				Result          string `json:"result"`
+				ArchiveLocation string `json:"archiveLocation"`
+				CacheKey        string `json:"cacheKey"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			assert.Equal(t, "hit", got.Result)
+			assert.Equal(t, keys[1], got.CacheKey)
+			archiveLocation = got.ArchiveLocation
+		}
+		{
+			resp, err := http.Get(archiveLocation) //nolint:gosec
+			require.NoError(t, err)
+			require.Equal(t, 200, resp.StatusCode)
+			got, err := io.ReadAll(resp.Body)
+			require.NoError(t, err)
+			assert.Equal(t, contents[1], got)
+		}
+	})
+
+	t.Run("case insensitive", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		uploadCacheNormally(t, base, key+"_ABC", version, content)
+
+		{
+			reqKey := key + "_aBc"
+			resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKey, version))
+			require.NoError(t, err)
+			require.Equal(t, 200, resp.StatusCode)
+			got := struct {
+				Result          string `json:"result"`
+				ArchiveLocation string `json:"archiveLocation"`
+				CacheKey        string `json:"cacheKey"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			assert.Equal(t, "hit", got.Result)
+			assert.Equal(t, key+"_abc", got.CacheKey)
+		}
+	})
+}
+
+func uploadCacheNormally(t *testing.T, base, key, version string, content []byte) {
+	var id uint64
+	{
+		body, err := json.Marshal(&Request{
+			Key:     key,
+			Version: version,
+			Size:    int64(len(content)),
+		})
+		require.NoError(t, err)
+		resp, err := http.Post(fmt.Sprintf("%s/caches", base), "application/json", bytes.NewReader(body))
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+
+		got := struct {
+			CacheID uint64 `json:"cacheId"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		id = got.CacheID
+	}
+	{
+		req, err := http.NewRequest(http.MethodPatch,
+			fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	}
+	{
+		resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil)
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	}
+	var archiveLocation string
+	{
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version))
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+		got := struct {
+			Result          string `json:"result"`
+			ArchiveLocation string `json:"archiveLocation"`
+			CacheKey        string `json:"cacheKey"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		assert.Equal(t, "hit", got.Result)
+		assert.Equal(t, strings.ToLower(key), got.CacheKey)
+		archiveLocation = got.ArchiveLocation
+	}
+	{
+		resp, err := http.Get(archiveLocation) //nolint:gosec
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+		got, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, content, got)
+	}
+}
--- a/pkg/artifactcache/model.go
+++ b/pkg/artifactcache/model.go
@@ -0,0 +1,44 @@
+package artifactcache
+
+import (
+	"crypto/sha256"
+	"fmt"
+)
+
+type Request struct {
+	Key     string `json:"key" `
+	Version string `json:"version"`
+	Size    int64  `json:"cacheSize"`
+}
+
+func (c *Request) ToCache() *Cache {
+	if c == nil {
+		return nil
+	}
+	ret := &Cache{
+		Key:     c.Key,
+		Version: c.Version,
+		Size:    c.Size,
+	}
+	if c.Size == 0 {
+		// So the request comes from old versions of actions, like `actions/cache@v2`.
+		// It doesn't send cache size. Set it to -1 to indicate that.
+		ret.Size = -1
+	}
+	return ret
+}
+
+type Cache struct {
+	ID             uint64 `json:"id" boltholdKey:"ID"`
+	Key            string `json:"key" boltholdIndex:"Key"`
+	Version        string `json:"version" boltholdIndex:"Version"`
+	KeyVersionHash string `json:"keyVersionHash" boltholdUnique:"KeyVersionHash"`
+	Size           int64  `json:"cacheSize"`
+	Complete       bool   `json:"complete"`
+	UsedAt         int64  `json:"usedAt" boltholdIndex:"UsedAt"`
+	CreatedAt      int64  `json:"createdAt" boltholdIndex:"CreatedAt"`
+}
+
+func (c *Cache) FillKeyVersionHash() {
+	c.KeyVersionHash = fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s:%s", c.Key, c.Version))))
+}
--- a/pkg/artifactcache/storage.go
+++ b/pkg/artifactcache/storage.go
@@ -0,0 +1,130 @@
+package artifactcache
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+)
+
+type Storage struct {
+	rootDir string
+}
+
+func NewStorage(rootDir string) (*Storage, error) {
+	if err := os.MkdirAll(rootDir, 0o755); err != nil {
+		return nil, err
+	}
+	return &Storage{
+		rootDir: rootDir,
+	}, nil
+}
+
+func (s *Storage) Exist(id uint64) (bool, error) {
+	name := s.filename(id)
+	if _, err := os.Stat(name); os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func (s *Storage) Write(id uint64, offset int64, reader io.Reader) error {
+	name := s.tempName(id, offset)
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	_, err = io.Copy(file, reader)
+	return err
+}
+
+func (s *Storage) Commit(id uint64, size int64) (int64, error) {
+	defer func() {
+		_ = os.RemoveAll(s.tempDir(id))
+	}()
+
+	name := s.filename(id)
+	tempNames, err := s.tempNames(id)
+	if err != nil {
+		return 0, err
+	}
+
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return 0, err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return 0, err
+	}
+	defer file.Close()
+
+	var written int64
+	for _, v := range tempNames {
+		f, err := os.Open(v)
+		if err != nil {
+			return 0, err
+		}
+		n, err := io.Copy(file, f)
+		_ = f.Close()
+		if err != nil {
+			return 0, err
+		}
+		written += n
+	}
+
+	// If size is less than 0, it means the size is unknown.
+	// We can't check the size of the file, just skip the check.
+	// It happens when the request comes from old versions of actions, like `actions/cache@v2`.
+	if size >= 0 && written != size {
+		_ = file.Close()
+		_ = os.Remove(name)
+		return 0, fmt.Errorf("broken file: %v != %v", written, size)
+	}
+
+	return written, nil
+}
+
+func (s *Storage) Serve(w http.ResponseWriter, r *http.Request, id uint64) {
+	name := s.filename(id)
+	http.ServeFile(w, r, name)
+}
+
+func (s *Storage) Remove(id uint64) {
+	_ = os.Remove(s.filename(id))
+	_ = os.RemoveAll(s.tempDir(id))
+}
+
+func (s *Storage) filename(id uint64) string {
+	return filepath.Join(s.rootDir, fmt.Sprintf("%02x", id%0xff), fmt.Sprint(id))
+}
+
+func (s *Storage) tempDir(id uint64) string {
+	return filepath.Join(s.rootDir, "tmp", fmt.Sprint(id))
+}
+
+func (s *Storage) tempName(id uint64, offset int64) string {
+	return filepath.Join(s.tempDir(id), fmt.Sprintf("%016x", offset))
+}
+
+func (s *Storage) tempNames(id uint64) ([]string, error) {
+	dir := s.tempDir(id)
+	files, err := os.ReadDir(dir)
+	if err != nil {
+		return nil, err
+	}
+	var names []string
+	for _, v := range files {
+		if !v.IsDir() {
+			names = append(names, filepath.Join(dir, v.Name()))
+		}
+	}
+	return names, nil
+}
--- a/pkg/artifactcache/testdata/example/example.yaml
+++ b/pkg/artifactcache/testdata/example/example.yaml
@@ -0,0 +1,30 @@
+# Copied from https://github.com/actions/cache#example-cache-workflow
+name: Caching Primes
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - run: env
+
+      - uses: actions/checkout@v3
+
+      - name: Cache Primes
+        id: cache-primes
+        uses: actions/cache@v3
+        with:
+          path: prime-numbers
+          key: ${{ runner.os }}-primes-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-primes
+            ${{ runner.os }}
+
+      - name: Generate Prime Numbers
+        if: steps.cache-primes.outputs.cache-hit != 'true'
+        run: cat /proc/sys/kernel/random/uuid > prime-numbers
+
+      - name: Use Prime Numbers
+        run: cat prime-numbers
--- a/pkg/artifacts/server.go
+++ b/pkg/artifacts/server.go
@@ -9,12 +9,12 @@ import (
 	"io/fs"
 	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"time"

 	"github.com/julienschmidt/httprouter"
+
 	"github.com/nektos/act/pkg/common"
 )

@@ -46,44 +46,53 @@ type ResponseMessage struct {
 	Message string `json:"message"`
 }

-type MkdirFS interface {
-	fs.FS
-	MkdirAll(path string, perm fs.FileMode) error
-	Open(name string) (fs.File, error)
-	OpenAtEnd(name string) (fs.File, error)
+type WritableFile interface {
+	io.WriteCloser
 }

-type MkdirFsImpl struct {
-	dir string
-	fs.FS
+type WriteFS interface {
+	OpenWritable(name string) (WritableFile, error)
+	OpenAppendable(name string) (WritableFile, error)
 }

-func (fsys MkdirFsImpl) MkdirAll(path string, perm fs.FileMode) error {
-	return os.MkdirAll(fsys.dir+"/"+path, perm)
+type readWriteFSImpl struct {
 }

-func (fsys MkdirFsImpl) Open(name string) (fs.File, error) {
-	return os.OpenFile(fsys.dir+"/"+name, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644)
+func (fwfs readWriteFSImpl) Open(name string) (fs.File, error) {
+	return os.Open(name)
 }

-func (fsys MkdirFsImpl) OpenAtEnd(name string) (fs.File, error) {
-	file, err := os.OpenFile(fsys.dir+"/"+name, os.O_CREATE|os.O_RDWR, 0644)
+func (fwfs readWriteFSImpl) OpenWritable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	return os.OpenFile(name, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o644)
+}
+
+func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	file, err := os.OpenFile(name, os.O_CREATE|os.O_RDWR, 0o644)

 	if err != nil {
 		return nil, err
 	}

-	_, err = file.Seek(0, os.SEEK_END)
+	_, err = file.Seek(0, io.SeekEnd)
 	if err != nil {
 		return nil, err
 	}
-
 	return file, nil
 }

 var gzipExtension = ".gz__"

-func uploads(router *httprouter.Router, fsys MkdirFS) {
+func safeResolve(baseDir string, relPath string) string {
+	return filepath.Join(baseDir, filepath.Clean(filepath.Join(string(os.PathSeparator), relPath)))
+}
+
+func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {
 	router.POST("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		runID := params.ByName("runId")

@@ -108,19 +117,15 @@ func uploads(router *httprouter.Router, fsys MkdirFS) {
 			itemPath += gzipExtension
 		}

-		filePath := fmt.Sprintf("%s/%s", runID, itemPath)
+		safeRunPath := safeResolve(baseDir, runID)
+		safePath := safeResolve(safeRunPath, itemPath)

-		err := fsys.MkdirAll(path.Dir(filePath), os.ModePerm)
-		if err != nil {
-			panic(err)
-		}
-
-		file, err := func() (fs.File, error) {
+		file, err := func() (WritableFile, error) {
 			contentRange := req.Header.Get("Content-Range")
 			if contentRange != "" && !strings.HasPrefix(contentRange, "bytes 0-") {
-				return fsys.OpenAtEnd(filePath)
+				return fsys.OpenAppendable(safePath)
 			}
-			return fsys.Open(filePath)
+			return fsys.OpenWritable(safePath)
 		}()

 		if err != nil {
@@ -170,11 +175,13 @@ func uploads(router *httprouter.Router, fsys MkdirFS) {
 	})
 }

-func downloads(router *httprouter.Router, fsys fs.FS) {
+func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
 	router.GET("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		runID := params.ByName("runId")

-		entries, err := fs.ReadDir(fsys, runID)
+		safePath := safeResolve(baseDir, runID)
+
+		entries, err := fs.ReadDir(fsys, safePath)
 		if err != nil {
 			panic(err)
 		}
@@ -204,21 +211,25 @@ func downloads(router *httprouter.Router, fsys fs.FS) {
 	router.GET("/download/:container", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		container := params.ByName("container")
 		itemPath := req.URL.Query().Get("itemPath")
-		dirPath := fmt.Sprintf("%s/%s", container, itemPath)
+		safePath := safeResolve(baseDir, filepath.Join(container, itemPath))

 		var files []ContainerItem
-		err := fs.WalkDir(fsys, dirPath, func(path string, entry fs.DirEntry, err error) error {
+		err := fs.WalkDir(fsys, safePath, func(path string, entry fs.DirEntry, err error) error {
 			if !entry.IsDir() {
-				rel, err := filepath.Rel(dirPath, path)
+				rel, err := filepath.Rel(safePath, path)
 				if err != nil {
 					panic(err)
 				}

 				// if it was upload as gzip
 				rel = strings.TrimSuffix(rel, gzipExtension)
+				path := filepath.Join(itemPath, rel)
+
+				rel = filepath.ToSlash(rel)
+				path = filepath.ToSlash(path)

 				files = append(files, ContainerItem{
-					Path:            fmt.Sprintf("%s/%s", itemPath, rel),
+					Path:            path,
 					ItemType:        "file",
 					ContentLocation: fmt.Sprintf("http://%s/artifact/%s/%s/%s", req.Host, container, itemPath, rel),
 				})
@@ -245,10 +256,12 @@ func downloads(router *httprouter.Router, fsys fs.FS) {
 	router.GET("/artifact/*path", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
 		path := params.ByName("path")[1:]

-		file, err := fsys.Open(path)
+		safePath := safeResolve(baseDir, path)
+
+		file, err := fsys.Open(safePath)
 		if err != nil {
 			// try gzip file
-			file, err = fsys.Open(path + gzipExtension)
+			file, err = fsys.Open(safePath + gzipExtension)
 			if err != nil {
 				panic(err)
 			}
@@ -262,7 +275,7 @@ func downloads(router *httprouter.Router, fsys fs.FS) {
 	})
 }

-func Serve(ctx context.Context, artifactPath string, port string) context.CancelFunc {
+func Serve(ctx context.Context, artifactPath string, addr string, port string) context.CancelFunc {
 	serverContext, cancel := context.WithCancel(ctx)
 	logger := common.Logger(serverContext)

@@ -273,20 +286,19 @@ func Serve(ctx context.Context, artifactPath string, port string) context.Cancel
 	router := httprouter.New()

 	logger.Debugf("Artifacts base path '%s'", artifactPath)
-	fs := os.DirFS(artifactPath)
-	uploads(router, MkdirFsImpl{artifactPath, fs})
-	downloads(router, fs)
-	ip := common.GetOutboundIP().String()
+	fsys := readWriteFSImpl{}
+	uploads(router, artifactPath, fsys)
+	downloads(router, artifactPath, fsys)

 	server := &http.Server{
-		Addr:              fmt.Sprintf("%s:%s", ip, port),
+		Addr:              fmt.Sprintf("%s:%s", addr, port),
 		ReadHeaderTimeout: 2 * time.Second,
 		Handler:           router,
 	}

 	// run server
 	go func() {
-		logger.Infof("Start server on http://%s:%s", ip, port)
+		logger.Infof("Start server on http://%s:%s", addr, port)
 		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 			logger.Fatal(err)
 		}
--- a/pkg/artifacts/server_test.go
+++ b/pkg/artifacts/server_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io/fs"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -15,50 +14,50 @@ import (
 	"testing/fstest"

 	"github.com/julienschmidt/httprouter"
-	"github.com/nektos/act/pkg/model"
-	"github.com/nektos/act/pkg/runner"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/nektos/act/pkg/model"
+	"github.com/nektos/act/pkg/runner"
 )

-type MapFsImpl struct {
-	fstest.MapFS
+type writableMapFile struct {
+	fstest.MapFile
 }

-func (fsys MapFsImpl) MkdirAll(path string, perm fs.FileMode) error {
-	// mocked no-op
-	return nil
-}
-
-type WritableFile struct {
-	fs.File
-	fsys fstest.MapFS
-	path string
-}
-
-func (file WritableFile) Write(data []byte) (int, error) {
-	file.fsys[file.path].Data = data
+func (f *writableMapFile) Write(data []byte) (int, error) {
+	f.Data = data
 	return len(data), nil
 }

-func (fsys MapFsImpl) Open(path string) (fs.File, error) {
-	var file = fstest.MapFile{
-		Data: []byte("content2"),
-	}
-	fsys.MapFS[path] = &file
-
-	result, err := fsys.MapFS.Open(path)
-	return WritableFile{result, fsys.MapFS, path}, err
+func (f *writableMapFile) Close() error {
+	return nil
 }

-func (fsys MapFsImpl) OpenAtEnd(path string) (fs.File, error) {
-	var file = fstest.MapFile{
-		Data: []byte("content2"),
-	}
-	fsys.MapFS[path] = &file
+type writeMapFS struct {
+	fstest.MapFS
+}

-	result, err := fsys.MapFS.Open(path)
-	return WritableFile{result, fsys.MapFS, path}, err
+func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
+	var file = &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
+}
+
+func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
+	var file = &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
 }

 func TestNewArtifactUploadPrepare(t *testing.T) {
@@ -67,7 +66,7 @@ func TestNewArtifactUploadPrepare(t *testing.T) {
 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
-	uploads(router, MapFsImpl{memfs})
+	uploads(router, "artifact/server/path", writeMapFS{memfs})

 	req, _ := http.NewRequest("POST", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()
@@ -93,7 +92,7 @@ func TestArtifactUploadBlob(t *testing.T) {
 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
-	uploads(router, MapFsImpl{memfs})
+	uploads(router, "artifact/server/path", writeMapFS{memfs})

 	req, _ := http.NewRequest("PUT", "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
 	rr := httptest.NewRecorder()
@@ -111,7 +110,7 @@ func TestArtifactUploadBlob(t *testing.T) {
 	}

 	assert.Equal("success", response.Message)
-	assert.Equal("content", string(memfs["1/some/file"].Data))
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
 }

 func TestFinalizeArtifactUpload(t *testing.T) {
@@ -120,7 +119,7 @@ func TestFinalizeArtifactUpload(t *testing.T) {
 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})

 	router := httprouter.New()
-	uploads(router, MapFsImpl{memfs})
+	uploads(router, "artifact/server/path", writeMapFS{memfs})

 	req, _ := http.NewRequest("PATCH", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()
@@ -144,13 +143,13 @@ func TestListArtifacts(t *testing.T) {
 	assert := assert.New(t)

 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
-		"1/file.txt": {
+		"artifact/server/path/1/file.txt": {
 			Data: []byte(""),
 		},
 	})

 	router := httprouter.New()
-	downloads(router, memfs)
+	downloads(router, "artifact/server/path", memfs)

 	req, _ := http.NewRequest("GET", "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
 	rr := httptest.NewRecorder()
@@ -176,13 +175,13 @@ func TestListArtifactContainer(t *testing.T) {
 	assert := assert.New(t)

 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
-		"1/some/file": {
+		"artifact/server/path/1/some/file": {
 			Data: []byte(""),
 		},
 	})

 	router := httprouter.New()
-	downloads(router, memfs)
+	downloads(router, "artifact/server/path", memfs)

 	req, _ := http.NewRequest("GET", "http://localhost/download/1?itemPath=some/file", nil)
 	rr := httptest.NewRecorder()
@@ -200,7 +199,7 @@ func TestListArtifactContainer(t *testing.T) {
 	}

 	assert.Equal(1, len(response.Value))
-	assert.Equal("some/file/.", response.Value[0].Path)
+	assert.Equal("some/file", response.Value[0].Path)
 	assert.Equal("file", response.Value[0].ItemType)
 	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
 }
@@ -209,13 +208,13 @@ func TestDownloadArtifactFile(t *testing.T) {
 	assert := assert.New(t)

 	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
-		"1/some/file": {
+		"artifact/server/path/1/some/file": {
 			Data: []byte("content"),
 		},
 	})

 	router := httprouter.New()
-	downloads(router, memfs)
+	downloads(router, "artifact/server/path", memfs)

 	req, _ := http.NewRequest("GET", "http://localhost/artifact/1/some/file", nil)
 	rr := httptest.NewRecorder()
@@ -240,8 +239,11 @@ type TestJobFileInfo struct {
 	containerArchitecture string
 }

-var aritfactsPath = path.Join(os.TempDir(), "test-artifacts")
-var artifactsPort = "12345"
+var (
+	artifactsPath = path.Join(os.TempDir(), "test-artifacts")
+	artifactsAddr = "127.0.0.1"
+	artifactsPort = "12345"
+)

 func TestArtifactFlow(t *testing.T) {
 	if testing.Short() {
@@ -250,15 +252,16 @@ func TestArtifactFlow(t *testing.T) {

 	ctx := context.Background()

-	cancel := Serve(ctx, aritfactsPath, artifactsPort)
+	cancel := Serve(ctx, artifactsPath, artifactsAddr, artifactsPort)
 	defer cancel()

 	platforms := map[string]string{
-		"ubuntu-latest": "node:16-buster-slim",
+		"ubuntu-latest": "node:16-buster", // Don't use node:16-buster-slim because it doesn't have curl command, which is used in the tests
 	}

 	tables := []TestJobFileInfo{
 		{"testdata", "upload-and-download", "push", "", platforms, ""},
+		{"testdata", "GHSL-2023-004", "push", "", platforms, ""},
 	}
 	log.SetLevel(log.DebugLevel)

@@ -271,7 +274,7 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 	t.Run(tjfi.workflowPath, func(t *testing.T) {
 		fmt.Printf("::group::%s\n", tjfi.workflowPath)

-		if err := os.RemoveAll(aritfactsPath); err != nil {
+		if err := os.RemoveAll(artifactsPath); err != nil {
 			panic(err)
 		}

@@ -286,7 +289,8 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 			ReuseContainers:       false,
 			ContainerArchitecture: tjfi.containerArchitecture,
 			GitHubInstance:        "github.com",
-			ArtifactServerPath:    aritfactsPath,
+			ArtifactServerPath:    artifactsPath,
+			ArtifactServerAddr:    artifactsAddr,
 			ArtifactServerPort:    artifactsPort,
 		}

@@ -296,15 +300,96 @@ func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
 		planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
 		assert.Nil(t, err, fullWorkflowPath)

-		plan := planner.PlanEvent(tjfi.eventName)
-
-		err = runner.NewPlanExecutor(plan)(ctx)
-		if tjfi.errorMessage == "" {
-			assert.Nil(t, err, fullWorkflowPath)
+		plan, err := planner.PlanEvent(tjfi.eventName)
+		if err == nil {
+			err = runner.NewPlanExecutor(plan)(ctx)
+			if tjfi.errorMessage == "" {
+				assert.Nil(t, err, fullWorkflowPath)
+			} else {
+				assert.Error(t, err, tjfi.errorMessage)
+			}
 		} else {
-			assert.Error(t, err, tjfi.errorMessage)
+			assert.Nil(t, plan)
 		}

 		fmt.Println("::endgroup::")
 	})
 }
+
+func TestMkdirFsImplSafeResolve(t *testing.T) {
+	assert := assert.New(t)
+
+	baseDir := "/foo/bar"
+
+	tests := map[string]struct {
+		input string
+		want  string
+	}{
+		"simple":         {input: "baz", want: "/foo/bar/baz"},
+		"nested":         {input: "baz/blue", want: "/foo/bar/baz/blue"},
+		"dots in middle": {input: "baz/../../blue", want: "/foo/bar/blue"},
+		"leading dots":   {input: "../../parent", want: "/foo/bar/parent"},
+		"root path":      {input: "/root", want: "/foo/bar/root"},
+		"root":           {input: "/", want: "/foo/bar"},
+		"empty":          {input: "", want: "/foo/bar"},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(tc.want, safeResolve(baseDir, tc.input))
+		})
+	}
+}
+
+func TestDownloadArtifactFileUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	var memfs = fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/some/file": {
+			Data: []byte("content"),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest("GET", "http://localhost/artifact/2/../../some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	data := rr.Body.Bytes()
+
+	assert.Equal("content", string(data))
+}
+
+func TestArtifactUploadBlobUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	var memfs = fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest("PUT", "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
+}
--- a/pkg/artifacts/testdata/GHSL-2023-004/artifacts.yml
+++ b/pkg/artifacts/testdata/GHSL-2023-004/artifacts.yml
@@ -0,0 +1,39 @@
+
+name: "GHSL-2023-0004"
+on: push
+
+jobs:
+  test-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "hello world" > test.txt
+      - name: curl upload
+        run: curl --silent --show-error --fail ${ACTIONS_RUNTIME_URL}upload/1?itemPath=../../my-artifact/secret.txt --upload-file test.txt
+      - uses: actions/download-artifact@v2
+        with:
+          name: my-artifact
+          path: test-artifacts
+      - name: 'Verify Artifact #1'
+        run: |
+          file="test-artifacts/secret.txt"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if [ "$(cat $file)" != "hello world" ] ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
+      - name: Verify download should work by clean extra dots
+        run: curl --silent --show-error --fail --path-as-is -o out.txt ${ACTIONS_RUNTIME_URL}artifact/1/../../../1/my-artifact/secret.txt
+      - name: 'Verify download content'
+        run: |
+          file="out.txt"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if [ "$(cat $file)" != "hello world" ] ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
--- a/pkg/common/executor.go
+++ b/pkg/common/executor.go
@@ -3,6 +3,8 @@ package common
 import (
 	"context"
 	"fmt"
+
+	log "github.com/sirupsen/logrus"
 )

 // Warning that implements `error` but safe to ignore
@@ -94,6 +96,11 @@ func NewParallelExecutor(parallel int, executors ...Executor) Executor {
 		work := make(chan Executor, len(executors))
 		errs := make(chan error, len(executors))

+		if 1 > parallel {
+			log.Infof("Parallel tasks (%d) below minimum, setting to 1", parallel)
+			parallel = 1
+		}
+
 		for i := 0; i < parallel; i++ {
 			go func(work <-chan Executor, errs chan<- error) {
 				for executor := range work {
--- a/pkg/common/executor_test.go
+++ b/pkg/common/executor_test.go
@@ -100,6 +100,17 @@ func TestNewParallelExecutor(t *testing.T) {
 	assert.Equal(3, count, "should run all 3 executors")
 	assert.Equal(2, maxCount, "should run at most 2 executors in parallel")
 	assert.Nil(err)
+
+	// Reset to test running the executor with 0 parallelism
+	count = 0
+	activeCount = 0
+	maxCount = 0
+
+	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(3, count, "should run all 3 executors")
+	assert.Equal(1, maxCount, "should run at most 1 executors in parallel")
+	assert.Nil(errSingle)
 }

 func TestNewParallelExecutorFailed(t *testing.T) {
--- a/pkg/common/git/git.go
+++ b/pkg/common/git/git.go
@@ -7,20 +7,19 @@ import (
 	"io"
 	"os"
 	"path"
-	"path/filepath"
 	"regexp"
 	"strings"
 	"sync"

-	"github.com/nektos/act/pkg/common"
-
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/storer"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
-	"github.com/go-ini/ini"
 	"github.com/mattn/go-isatty"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/nektos/act/pkg/common"
 )

 var (
@@ -55,41 +54,40 @@ func (e *Error) Commit() string {
 // FindGitRevision get the current git revision
 func FindGitRevision(ctx context.Context, file string) (shortSha string, sha string, err error) {
 	logger := common.Logger(ctx)
-	gitDir, err := findGitDirectory(file)
+
+	gitDir, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+
+	if err != nil {
+		logger.WithError(err).Error("path", file, "not located inside a git repository")
+		return "", "", err
+	}
+
+	head, err := gitDir.Reference(plumbing.HEAD, true)
 	if err != nil {
 		return "", "", err
 	}

-	bts, err := os.ReadFile(filepath.Join(gitDir, "HEAD"))
-	if err != nil {
-		return "", "", err
+	if head.Hash().IsZero() {
+		return "", "", fmt.Errorf("HEAD sha1 could not be resolved")
 	}

-	var ref = strings.TrimSpace(strings.TrimPrefix(string(bts), "ref:"))
-	var refBuf []byte
-	if strings.HasPrefix(ref, "refs/") {
-		// load commitid ref
-		refBuf, err = os.ReadFile(filepath.Join(gitDir, ref))
-		if err != nil {
-			return "", "", err
-		}
-	} else {
-		refBuf = []byte(ref)
-	}
+	hash := head.Hash().String()

-	logger.Debugf("Found revision: %s", refBuf)
-	return string(refBuf[:7]), strings.TrimSpace(string(refBuf)), nil
+	logger.Debugf("Found revision: %s", hash)
+	return hash[:7], strings.TrimSpace(hash), nil
 }

 // FindGitRef get the current git ref
 func FindGitRef(ctx context.Context, file string) (string, error) {
 	logger := common.Logger(ctx)
-	gitDir, err := findGitDirectory(file)
-	if err != nil {
-		return "", err
-	}
-	logger.Debugf("Loading revision from git directory '%s'", gitDir)

+	logger.Debugf("Loading revision from git directory")
 	_, ref, err := FindGitRevision(ctx, file)
 	if err != nil {
 		return "", err
@@ -100,28 +98,58 @@ func FindGitRef(ctx context.Context, file string) (string, error) {
 	// Prefer the git library to iterate over the references and find a matching tag or branch.
 	var refTag = ""
 	var refBranch = ""
-	r, err := git.PlainOpen(filepath.Join(gitDir, ".."))
-	if err == nil {
-		iter, err := r.References()
-		if err == nil {
-			for {
-				r, err := iter.Next()
-				if r == nil || err != nil {
-					break
-				}
-				// logger.Debugf("Reference: name=%s sha=%s", r.Name().String(), r.Hash().String())
-				if r.Hash().String() == ref {
-					if r.Name().IsTag() {
-						refTag = r.Name().String()
-					}
-					if r.Name().IsBranch() {
-						refBranch = r.Name().String()
-					}
-				}
-			}
-			iter.Close()
-		}
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+
+	if err != nil {
+		return "", err
 	}
+
+	iter, err := repo.References()
+	if err != nil {
+		return "", err
+	}
+
+	// find the reference that matches the revision's has
+	err = iter.ForEach(func(r *plumbing.Reference) error {
+		/* tags and branches will have the same hash
+		 * when a user checks out a tag, it is not mentioned explicitly
+		 * in the go-git package, we must identify the revision
+		 * then check if any tag matches that revision,
+		 * if so then we checked out a tag
+		 * else we look for branches and if matches,
+		 * it means we checked out a branch
+		 *
+		 * If a branches matches first we must continue and check all tags (all references)
+		 * in case we match with a tag later in the interation
+		 */
+		if r.Hash().String() == ref {
+			if r.Name().IsTag() {
+				refTag = r.Name().String()
+			}
+			if r.Name().IsBranch() {
+				refBranch = r.Name().String()
+			}
+		}
+
+		// we found what we where looking for
+		if refTag != "" && refBranch != "" {
+			return storer.ErrStop
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return "", err
+	}
+
+	// order matters here see above comment.
 	if refTag != "" {
 		return refTag, nil
 	}
@@ -129,39 +157,7 @@ func FindGitRef(ctx context.Context, file string) (string, error) {
 		return refBranch, nil
 	}

-	// If the above doesn't work, fall back to the old way
-
-	// try tags first
-	tag, err := findGitPrettyRef(ctx, ref, gitDir, "refs/tags")
-	if err != nil || tag != "" {
-		return tag, err
-	}
-	// and then branches
-	return findGitPrettyRef(ctx, ref, gitDir, "refs/heads")
-}
-
-func findGitPrettyRef(ctx context.Context, head, root, sub string) (string, error) {
-	var name string
-	var err = filepath.Walk(filepath.Join(root, sub), func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if name != "" || info.IsDir() {
-			return nil
-		}
-		var bts []byte
-		if bts, err = os.ReadFile(path); err != nil {
-			return err
-		}
-		var pointsTo = strings.TrimSpace(string(bts))
-		if head == pointsTo {
-			// On Windows paths are separated with backslash character so they should be replaced to provide proper git refs format
-			name = strings.TrimPrefix(strings.ReplaceAll(strings.Replace(path, root, "", 1), `\`, `/`), "/")
-			common.Logger(ctx).Debugf("HEAD matches %s", name)
-		}
-		return nil
-	})
-	return name, err
+	return "", fmt.Errorf("failed to identify reference (tag/branch) for the checked-out revision '%s'", ref)
 }

 // FindGithubRepo get the repo
@@ -178,27 +174,28 @@ func FindGithubRepo(ctx context.Context, file, githubInstance, remoteName string
 	return slug, err
 }

-func findGitRemoteURL(ctx context.Context, file, remoteName string) (string, error) {
-	gitDir, err := findGitDirectory(file)
+func findGitRemoteURL(_ context.Context, file, remoteName string) (string, error) {
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
 	if err != nil {
 		return "", err
 	}
-	common.Logger(ctx).Debugf("Loading slug from git directory '%s'", gitDir)

-	gitconfig, err := ini.InsensitiveLoad(fmt.Sprintf("%s/config", gitDir))
+	remote, err := repo.Remote(remoteName)
 	if err != nil {
 		return "", err
 	}
-	remote, err := gitconfig.GetSection(fmt.Sprintf(`remote "%s"`, remoteName))
-	if err != nil {
-		return "", err
+
+	if len(remote.Config().URLs) < 1 {
+		return "", fmt.Errorf("remote '%s' exists but has no URL", remoteName)
 	}
-	urlKey, err := remote.GetKey("url")
-	if err != nil {
-		return "", err
-	}
-	url := urlKey.String()
-	return url, nil
+
+	return remote.Config().URLs[0], nil
 }

 func findGitSlug(url string, githubInstance string) (string, string, error) {
@@ -222,35 +219,6 @@ func findGitSlug(url string, githubInstance string) (string, string, error) {
 	return "", url, nil
 }

-func findGitDirectory(fromFile string) (string, error) {
-	absPath, err := filepath.Abs(fromFile)
-	if err != nil {
-		return "", err
-	}
-
-	fi, err := os.Stat(absPath)
-	if err != nil {
-		return "", err
-	}
-
-	var dir string
-	if fi.Mode().IsDir() {
-		dir = absPath
-	} else {
-		dir = filepath.Dir(absPath)
-	}
-
-	gitPath := filepath.Join(dir, ".git")
-	fi, err = os.Stat(gitPath)
-	if err == nil && fi.Mode().IsDir() {
-		return gitPath, nil
-	} else if dir == "/" || dir == "C:\\" || dir == "c:\\" {
-		return "", &Error{err: ErrNoRepo}
-	}
-
-	return findGitDirectory(filepath.Dir(dir))
-}
-
 // NewGitCloneExecutorInput the input for the NewGitCloneExecutor
 type NewGitCloneExecutorInput struct {
 	URL   string
@@ -292,7 +260,7 @@ func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input
 			return nil, err
 		}

-		if err = os.Chmod(input.Dir, 0755); err != nil {
+		if err = os.Chmod(input.Dir, 0o755); err != nil {
 			return nil, err
 		}
 	}
--- a/pkg/common/git/git_test.go
+++ b/pkg/common/git/git_test.go
@@ -82,12 +82,19 @@ func TestFindGitRemoteURL(t *testing.T) {
 	assert.NoError(err)

 	remoteURL := "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name"
-	err = gitCmd("config", "-f", fmt.Sprintf("%s/.git/config", basedir), "--add", "remote.origin.url", remoteURL)
+	err = gitCmd("-C", basedir, "remote", "add", "origin", remoteURL)
 	assert.NoError(err)

 	u, err := findGitRemoteURL(context.Background(), basedir, "origin")
 	assert.NoError(err)
 	assert.Equal(remoteURL, u)
+
+	remoteURL = "git@github.com/AwesomeOwner/MyAwesomeRepo.git"
+	err = gitCmd("-C", basedir, "remote", "add", "upstream", remoteURL)
+	assert.NoError(err)
+	u, err = findGitRemoteURL(context.Background(), basedir, "upstream")
+	assert.NoError(err)
+	assert.Equal(remoteURL, u)
 }

 func TestGitFindRef(t *testing.T) {
@@ -160,7 +167,7 @@ func TestGitFindRef(t *testing.T) {
 		name := name
 		t.Run(name, func(t *testing.T) {
 			dir := filepath.Join(basedir, name)
-			require.NoError(t, os.MkdirAll(dir, 0755))
+			require.NoError(t, os.MkdirAll(dir, 0o755))
 			require.NoError(t, gitCmd("-C", dir, "init", "--initial-branch=master"))
 			require.NoError(t, cleanGitHooks(dir))
 			tt.Prepare(t, dir)
--- a/pkg/common/outbound_ip.go
+++ b/pkg/common/outbound_ip.go
@@ -2,20 +2,74 @@ package common

 import (
 	"net"
-
-	log "github.com/sirupsen/logrus"
+	"sort"
+	"strings"
 )

-// https://stackoverflow.com/a/37382208
-// Get preferred outbound ip of this machine
+// GetOutboundIP returns an outbound IP address of this machine.
+// It tries to access the internet and returns the local IP address of the connection.
+// If the machine cannot access the internet, it returns a preferred IP address from network interfaces.
+// It returns nil if no IP address is found.
 func GetOutboundIP() net.IP {
+	// See https://stackoverflow.com/a/37382208
 	conn, err := net.Dial("udp", "8.8.8.8:80")
-	if err != nil {
-		log.Fatal(err)
+	if err == nil {
+		defer conn.Close()
+		return conn.LocalAddr().(*net.UDPAddr).IP
 	}
-	defer conn.Close()

-	localAddr := conn.LocalAddr().(*net.UDPAddr)
+	// So the machine cannot access the internet. Pick an IP address from network interfaces.
+	if ifs, err := net.Interfaces(); err == nil {
+		type IP struct {
+			net.IP
+			net.Interface
+		}
+		var ips []IP
+		for _, i := range ifs {
+			if addrs, err := i.Addrs(); err == nil {
+				for _, addr := range addrs {
+					var ip net.IP
+					switch v := addr.(type) {
+					case *net.IPNet:
+						ip = v.IP
+					case *net.IPAddr:
+						ip = v.IP
+					}
+					if ip.IsGlobalUnicast() {
+						ips = append(ips, IP{ip, i})
+					}
+				}
+			}
+		}
+		if len(ips) > 1 {
+			sort.Slice(ips, func(i, j int) bool {
+				ifi := ips[i].Interface
+				ifj := ips[j].Interface

-	return localAddr.IP
+				// ethernet is preferred
+				if vi, vj := strings.HasPrefix(ifi.Name, "e"), strings.HasPrefix(ifj.Name, "e"); vi != vj {
+					return vi
+				}
+
+				ipi := ips[i].IP
+				ipj := ips[j].IP
+
+				// IPv4 is preferred
+				if vi, vj := ipi.To4() != nil, ipj.To4() != nil; vi != vj {
+					return vi
+				}
+
+				// en0 is preferred to en1
+				if ifi.Name != ifj.Name {
+					return ifi.Name < ifj.Name
+				}
+
+				// fallback
+				return ipi.String() < ipj.String()
+			})
+			return ips[0].IP
+		}
+	}
+
+	return nil
 }
--- a/pkg/container/container_types.go
+++ b/pkg/container/container_types.go
@@ -0,0 +1,70 @@
+package container
+
+import (
+	"context"
+	"io"
+
+	"github.com/nektos/act/pkg/common"
+)
+
+// NewContainerInput the input for the New function
+type NewContainerInput struct {
+	Image       string
+	Username    string
+	Password    string
+	Entrypoint  []string
+	Cmd         []string
+	WorkingDir  string
+	Env         []string
+	Binds       []string
+	Mounts      map[string]string
+	Name        string
+	Stdout      io.Writer
+	Stderr      io.Writer
+	NetworkMode string
+	Privileged  bool
+	UsernsMode  string
+	Platform    string
+	Options     string
+}
+
+// FileEntry is a file to copy to a container
+type FileEntry struct {
+	Name string
+	Mode int64
+	Body string
+}
+
+// Container for managing docker run containers
+type Container interface {
+	Create(capAdd []string, capDrop []string) common.Executor
+	Copy(destPath string, files ...*FileEntry) common.Executor
+	CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor
+	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
+	Pull(forcePull bool) common.Executor
+	Start(attach bool) common.Executor
+	Exec(command []string, env map[string]string, user, workdir string) common.Executor
+	UpdateFromEnv(srcPath string, env *map[string]string) common.Executor
+	UpdateFromImageEnv(env *map[string]string) common.Executor
+	Remove() common.Executor
+	Close() common.Executor
+	ReplaceLogWriter(io.Writer, io.Writer) (io.Writer, io.Writer)
+}
+
+// NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
+type NewDockerBuildExecutorInput struct {
+	ContextDir string
+	Dockerfile string
+	Container  Container
+	ImageTag   string
+	Platform   string
+}
+
+// NewDockerPullExecutorInput the input for the NewDockerPullExecutor function
+type NewDockerPullExecutorInput struct {
+	Image     string
+	ForcePull bool
+	Platform  string
+	Username  string
+	Password  string
+}
--- a/pkg/container/docker_auth.go
+++ b/pkg/container/docker_auth.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
@@ -6,16 +8,16 @@ import (

 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/credentials"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
 	"github.com/nektos/act/pkg/common"
 )

-func LoadDockerAuthConfig(ctx context.Context, image string) (types.AuthConfig, error) {
+func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
 	logger := common.Logger(ctx)
 	config, err := config.Load(config.Dir())
 	if err != nil {
 		logger.Warnf("Could not load docker config: %v", err)
-		return types.AuthConfig{}, err
+		return registry.AuthConfig{}, err
 	}

 	if !config.ContainsAuth() {
@@ -31,8 +33,29 @@ func LoadDockerAuthConfig(ctx context.Context, image string) (types.AuthConfig,
 	authConfig, err := config.GetAuthConfig(hostName)
 	if err != nil {
 		logger.Warnf("Could not get auth config from docker config: %v", err)
-		return types.AuthConfig{}, err
+		return registry.AuthConfig{}, err
 	}

-	return types.AuthConfig(authConfig), nil
+	return registry.AuthConfig(authConfig), nil
+}
+
+func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
+	logger := common.Logger(ctx)
+	config, err := config.Load(config.Dir())
+	if err != nil {
+		logger.Warnf("Could not load docker config: %v", err)
+		return nil
+	}
+
+	if !config.ContainsAuth() {
+		config.CredentialsStore = credentials.DetectDefaultStore(config.CredentialsStore)
+	}
+
+	creds, _ := config.GetAllCredentials()
+	authConfigs := make(map[string]registry.AuthConfig, len(creds))
+	for k, v := range creds {
+		authConfigs[k] = registry.AuthConfig(v)
+	}
+
+	return authConfigs
 }
--- a/pkg/container/docker_build.go
+++ b/pkg/container/docker_build.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
@@ -8,22 +10,14 @@ import (

 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/pkg/archive"
-	"github.com/docker/docker/pkg/fileutils"

 	// github.com/docker/docker/builder/dockerignore is deprecated
 	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
+	"github.com/moby/patternmatcher"

 	"github.com/nektos/act/pkg/common"
 )

-// NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
-type NewDockerBuildExecutorInput struct {
-	ContextDir string
-	Container  Container
-	ImageTag   string
-	Platform   string
-}
-
 // NewDockerBuildExecutor function to create a run executor for the container
 func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
@@ -47,15 +41,17 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {

 		tags := []string{input.ImageTag}
 		options := types.ImageBuildOptions{
-			Tags:     tags,
-			Remove:   true,
-			Platform: input.Platform,
+			Tags:        tags,
+			Remove:      true,
+			Platform:    input.Platform,
+			AuthConfigs: LoadDockerAuthConfigs(ctx),
+			Dockerfile:  input.Dockerfile,
 		}
 		var buildContext io.ReadCloser
 		if input.Container != nil {
 			buildContext, err = input.Container.GetContainerArchive(ctx, input.ContextDir+"/.")
 		} else {
-			buildContext, err = createBuildContext(ctx, input.ContextDir, "Dockerfile")
+			buildContext, err = createBuildContext(ctx, input.ContextDir, input.Dockerfile)
 		}
 		if err != nil {
 			return err
@@ -101,8 +97,8 @@ func createBuildContext(ctx context.Context, contextDir string, relDockerfile st
 	// parses the Dockerfile. Ignore errors here, as they will have been
 	// caught by validateContextDirectory above.
 	var includes = []string{"."}
-	keepThem1, _ := fileutils.Matches(".dockerignore", excludes)
-	keepThem2, _ := fileutils.Matches(relDockerfile, excludes)
+	keepThem1, _ := patternmatcher.Matches(".dockerignore", excludes)
+	keepThem2, _ := patternmatcher.Matches(relDockerfile, excludes)
 	if keepThem1 || keepThem2 {
 		includes = append(includes, ".dockerignore", relDockerfile)
 	}
--- a/pkg/container/docker_cli.go
+++ b/pkg/container/docker_cli.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 // This file is exact copy of https://github.com/docker/cli/blob/9ac8584acfd501c3f4da0e845e3a40ed15c85041/cli/command/container/opts.go
 // appended with license information.
 //
--- a/pkg/container/docker_cli_test.go
+++ b/pkg/container/docker_cli_test.go
@@ -663,8 +663,8 @@ func TestRunFlagsParseShmSize(t *testing.T) {

 func TestParseRestartPolicy(t *testing.T) {
 	invalids := map[string]string{
-		"always:2:3":         "invalid restart policy format",
-		"on-failure:invalid": "maximum retry count must be an integer",
+		"always:2:3":         "invalid restart policy format: maximum retry count must be an integer",
+		"on-failure:invalid": "invalid restart policy format: maximum retry count must be an integer",
 	}
 	valids := map[string]container.RestartPolicy{
 		"": {},
--- a/pkg/container/docker_images.go
+++ b/pkg/container/docker_images.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
@@ -5,7 +7,7 @@ import (
 	"fmt"

 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
 )

 // ImageExistsLocally returns a boolean indicating if an image with the
@@ -17,33 +19,15 @@ func ImageExistsLocally(ctx context.Context, imageName string, platform string)
 	}
 	defer cli.Close()

-	filters := filters.NewArgs()
-	filters.Add("reference", imageName)
-
-	imageListOptions := types.ImageListOptions{
-		Filters: filters,
-	}
-
-	images, err := cli.ImageList(ctx, imageListOptions)
-	if err != nil {
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
+		return false, nil
+	} else if err != nil {
 		return false, err
 	}

-	if len(images) > 0 {
-		if platform == "any" || platform == "" {
-			return true, nil
-		}
-		for _, v := range images {
-			inspectImage, _, err := cli.ImageInspectWithRaw(ctx, v.ID)
-			if err != nil {
-				return false, err
-			}
-
-			if fmt.Sprintf("%s/%s", inspectImage.Os, inspectImage.Architecture) == platform {
-				return true, nil
-			}
-		}
-		return false, nil
+	if platform == "" || platform == "any" || fmt.Sprintf("%s/%s", inspectImage.Os, inspectImage.Architecture) == platform {
+		return true, nil
 	}

 	return false, nil
@@ -52,38 +36,25 @@ func ImageExistsLocally(ctx context.Context, imageName string, platform string)
 // RemoveImage removes image from local store, the function is used to run different
 // container image architectures
 func RemoveImage(ctx context.Context, imageName string, force bool, pruneChildren bool) (bool, error) {
-	if exists, err := ImageExistsLocally(ctx, imageName, "any"); !exists {
-		return false, err
-	}
-
 	cli, err := GetDockerClient(ctx)
 	if err != nil {
 		return false, err
 	}
+	defer cli.Close()

-	filters := filters.NewArgs()
-	filters.Add("reference", imageName)
-
-	imageListOptions := types.ImageListOptions{
-		Filters: filters,
-	}
-
-	images, err := cli.ImageList(ctx, imageListOptions)
-	if err != nil {
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
+		return false, nil
+	} else if err != nil {
 		return false, err
 	}

-	if len(images) > 0 {
-		for _, v := range images {
-			if _, err = cli.ImageRemove(ctx, v.ID, types.ImageRemoveOptions{
-				Force:         force,
-				PruneChildren: pruneChildren,
-			}); err != nil {
-				return false, err
-			}
-		}
-		return true, nil
+	if _, err = cli.ImageRemove(ctx, inspectImage.ID, types.ImageRemoveOptions{
+		Force:         force,
+		PruneChildren: pruneChildren,
+	}); err != nil {
+		return false, err
 	}

-	return false, nil
+	return true, nil
 }
--- a/pkg/container/docker_logger.go
+++ b/pkg/container/docker_logger.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
--- a/pkg/container/docker_pull.go
+++ b/pkg/container/docker_pull.go
@@ -1,3 +1,5 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
@@ -5,22 +7,15 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"strings"

 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"

 	"github.com/nektos/act/pkg/common"
 )

-// NewDockerPullExecutorInput the input for the NewDockerPullExecutor function
-type NewDockerPullExecutorInput struct {
-	Image     string
-	ForcePull bool
-	Platform  string
-	Username  string
-	Password  string
-}
-
 // NewDockerPullExecutor function to create a run executor for the container
 func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
@@ -66,6 +61,13 @@ func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {

 		_ = logDockerResponse(logger, reader, err != nil)
 		if err != nil {
+			if imagePullOptions.RegistryAuth != "" && strings.Contains(err.Error(), "unauthorized") {
+				logger.Errorf("pulling image '%v' (%s) failed with credentials %s retrying without them, please check for stale docker config files", imageRef, input.Platform, err.Error())
+				imagePullOptions.RegistryAuth = ""
+				reader, err = cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+				_ = logDockerResponse(logger, reader, err != nil)
+			}
 			return err
 		}
 		return nil
@@ -76,12 +78,12 @@ func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput)
 	imagePullOptions := types.ImagePullOptions{
 		Platform: input.Platform,
 	}
+	logger := common.Logger(ctx)

 	if input.Username != "" && input.Password != "" {
-		logger := common.Logger(ctx)
 		logger.Debugf("using authentication for docker pull")

-		authConfig := types.AuthConfig{
+		authConfig := registry.AuthConfig{
 			Username: input.Username,
 			Password: input.Password,
 		}
@@ -100,6 +102,7 @@ func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput)
 		if authConfig.Username == "" && authConfig.Password == "" {
 			return imagePullOptions, nil
 		}
+		logger.Info("using DockerAuthConfig authentication for docker pull")

 		encodedJSON, err := json.Marshal(authConfig)
 		if err != nil {
--- a/pkg/container/docker_run.go
+++ b/pkg/container/docker_run.go
@@ -1,8 +1,9 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
 	"archive/tar"
-	"bufio"
 	"bytes"
 	"context"
 	"errors"
@@ -38,51 +39,6 @@ import (
 	"github.com/nektos/act/pkg/common"
 )

-// NewContainerInput the input for the New function
-type NewContainerInput struct {
-	Image       string
-	Username    string
-	Password    string
-	Entrypoint  []string
-	Cmd         []string
-	WorkingDir  string
-	Env         []string
-	Binds       []string
-	Mounts      map[string]string
-	Name        string
-	Stdout      io.Writer
-	Stderr      io.Writer
-	NetworkMode string
-	Privileged  bool
-	UsernsMode  string
-	Platform    string
-	Options     string
-}
-
-// FileEntry is a file to copy to a container
-type FileEntry struct {
-	Name string
-	Mode int64
-	Body string
-}
-
-// Container for managing docker run containers
-type Container interface {
-	Create(capAdd []string, capDrop []string) common.Executor
-	Copy(destPath string, files ...*FileEntry) common.Executor
-	CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor
-	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
-	Pull(forcePull bool) common.Executor
-	Start(attach bool) common.Executor
-	Exec(command []string, env map[string]string, user, workdir string) common.Executor
-	UpdateFromEnv(srcPath string, env *map[string]string) common.Executor
-	UpdateFromImageEnv(env *map[string]string) common.Executor
-	UpdateFromPath(env *map[string]string) common.Executor
-	Remove() common.Executor
-	Close() common.Executor
-	ReplaceLogWriter(io.Writer, io.Writer) (io.Writer, io.Writer)
-}
-
 // NewContainer creates a reference to a container
 func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
 	cr := new(containerReference)
@@ -188,17 +144,13 @@ func (cr *containerReference) GetContainerArchive(ctx context.Context, srcPath s
 }

 func (cr *containerReference) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
-	return cr.extractEnv(srcPath, env).IfNot(common.Dryrun)
+	return parseEnvFile(cr, srcPath, env).IfNot(common.Dryrun)
 }

 func (cr *containerReference) UpdateFromImageEnv(env *map[string]string) common.Executor {
 	return cr.extractFromImageEnv(env).IfNot(common.Dryrun)
 }

-func (cr *containerReference) UpdateFromPath(env *map[string]string) common.Executor {
-	return cr.extractPath(env).IfNot(common.Dryrun)
-}
-
 func (cr *containerReference) Exec(command []string, env map[string]string, user, workdir string) common.Executor {
 	return common.NewPipelineExecutor(
 		common.NewInfoExecutor("%sdocker exec cmd=[%s] user=%s workdir=%s", logPrefix, strings.Join(command, " "), user, workdir),
@@ -237,9 +189,6 @@ type containerReference struct {
 }

 func GetDockerClient(ctx context.Context) (cli client.APIClient, err error) {
-	// TODO: this should maybe need to be a global option, not hidden in here?
-	//       though i'm not sure how that works out when there's another Executor :D
-	//		 I really would like something that works on OSX native for eg
 	dockerHost := os.Getenv("DOCKER_HOST")

 	if strings.HasPrefix(dockerHost, "ssh://") {
@@ -291,8 +240,8 @@ func RunnerArch(ctx context.Context) string {

 	archMapper := map[string]string{
 		"x86_64":  "X64",
-		"386":     "x86",
-		"aarch64": "arm64",
+		"386":     "X86",
+		"aarch64": "ARM64",
 	}
 	if arch, ok := archMapper[info.Architecture]; ok {
 		return arch
@@ -396,6 +345,12 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 		return nil, nil, fmt.Errorf("Cannot parse container options: '%s': '%w'", input.Options, err)
 	}

+	if len(copts.netMode.Value()) == 0 {
+		if err = copts.netMode.Set("host"); err != nil {
+			return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
+		}
+	}
+
 	containerConfig, err := parse(flags, copts, "")
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)
@@ -411,10 +366,16 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config

 	logger.Debugf("Custom container.HostConfig from options ==> %+v", containerConfig.HostConfig)

+	hostConfig.Binds = append(hostConfig.Binds, containerConfig.HostConfig.Binds...)
+	hostConfig.Mounts = append(hostConfig.Mounts, containerConfig.HostConfig.Mounts...)
+	binds := hostConfig.Binds
+	mounts := hostConfig.Mounts
 	err = mergo.Merge(hostConfig, containerConfig.HostConfig, mergo.WithOverride)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
 	}
+	hostConfig.Binds = binds
+	hostConfig.Mounts = mounts
 	logger.Debugf("Merged container.HostConfig ==> %+v", hostConfig)

 	return config, hostConfig, nil
@@ -497,59 +458,6 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 	}
 }

-var singleLineEnvPattern, multiLineEnvPattern *regexp.Regexp
-
-func (cr *containerReference) extractEnv(srcPath string, env *map[string]string) common.Executor {
-	if singleLineEnvPattern == nil {
-		// Single line pattern matches:
-		// SOME_VAR=data=moredata
-		// SOME_VAR=datamoredata
-		singleLineEnvPattern = regexp.MustCompile(`^([^=]*)\=(.*)$`)
-		multiLineEnvPattern = regexp.MustCompile(`^([^<]+)<<([\w-]+)$`)
-	}
-
-	localEnv := *env
-	return func(ctx context.Context) error {
-		envTar, _, err := cr.cli.CopyFromContainer(ctx, cr.id, srcPath)
-		if err != nil {
-			return nil
-		}
-		defer envTar.Close()
-
-		reader := tar.NewReader(envTar)
-		_, err = reader.Next()
-		if err != nil && err != io.EOF {
-			return fmt.Errorf("failed to read tar archive: %w", err)
-		}
-		s := bufio.NewScanner(reader)
-		multiLineEnvKey := ""
-		multiLineEnvDelimiter := ""
-		multiLineEnvContent := ""
-		for s.Scan() {
-			line := s.Text()
-			if singleLineEnv := singleLineEnvPattern.FindStringSubmatch(line); singleLineEnv != nil {
-				localEnv[singleLineEnv[1]] = singleLineEnv[2]
-			}
-			if line == multiLineEnvDelimiter {
-				localEnv[multiLineEnvKey] = multiLineEnvContent
-				multiLineEnvKey, multiLineEnvDelimiter, multiLineEnvContent = "", "", ""
-			}
-			if multiLineEnvKey != "" && multiLineEnvDelimiter != "" {
-				if multiLineEnvContent != "" {
-					multiLineEnvContent += "\n"
-				}
-				multiLineEnvContent += line
-			}
-			if multiLineEnvStart := multiLineEnvPattern.FindStringSubmatch(line); multiLineEnvStart != nil {
-				multiLineEnvKey = multiLineEnvStart[1]
-				multiLineEnvDelimiter = multiLineEnvStart[2]
-			}
-		}
-		env = &localEnv
-		return nil
-	}
-}
-
 func (cr *containerReference) extractFromImageEnv(env *map[string]string) common.Executor {
 	envMap := *env
 	return func(ctx context.Context) error {
@@ -582,31 +490,6 @@ func (cr *containerReference) extractFromImageEnv(env *map[string]string) common
 	}
 }

-func (cr *containerReference) extractPath(env *map[string]string) common.Executor {
-	localEnv := *env
-	return func(ctx context.Context) error {
-		pathTar, _, err := cr.cli.CopyFromContainer(ctx, cr.id, localEnv["GITHUB_PATH"])
-		if err != nil {
-			return fmt.Errorf("failed to copy from container: %w", err)
-		}
-		defer pathTar.Close()
-
-		reader := tar.NewReader(pathTar)
-		_, err = reader.Next()
-		if err != nil && err != io.EOF {
-			return fmt.Errorf("failed to read tar archive: %w", err)
-		}
-		s := bufio.NewScanner(reader)
-		for s.Scan() {
-			line := s.Text()
-			localEnv["PATH"] = fmt.Sprintf("%s:%s", line, localEnv["PATH"])
-		}
-
-		env = &localEnv
-		return nil
-	}
-}
-
 func (cr *containerReference) exec(cmd []string, env map[string]string, user, workdir string) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
@@ -703,7 +586,7 @@ func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Exe
 		}
 		exp := regexp.MustCompile(`\d+\n`)
 		found := exp.FindString(sid)
-		id, err := strconv.ParseInt(found[:len(found)-1], 10, 32)
+		id, err := strconv.ParseInt(strings.TrimSpace(found), 10, 32)
 		if err != nil {
 			return nil
 		}
@@ -721,7 +604,7 @@ func (cr *containerReference) tryReadGID() common.Executor {
 	return cr.tryReadID("-g", func(id int) { cr.GID = id })
 }

-func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, idResp types.IDResponse, user string, workdir string) error {
+func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, _ types.IDResponse, _ string, _ string) error {
 	logger := common.Logger(ctx)

 	cmdResponse := make(chan error)
--- a/pkg/container/docker_run_test.go
+++ b/pkg/container/docker_run_test.go
@@ -78,7 +78,7 @@ type endlessReader struct {
 	io.Reader
 }

-func (r endlessReader) Read(p []byte) (n int, err error) {
+func (r endlessReader) Read(_ []byte) (n int, err error) {
 	return 1, nil
 }

--- a/pkg/container/docker_stub.go
+++ b/pkg/container/docker_stub.go
@@ -0,0 +1,57 @@
+//go:build WITHOUT_DOCKER || !(linux || darwin || windows)
+
+package container
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/docker/docker/api/types"
+	"github.com/nektos/act/pkg/common"
+	"github.com/pkg/errors"
+)
+
+// ImageExistsLocally returns a boolean indicating if an image with the
+// requested name, tag and architecture exists in the local docker image store
+func ImageExistsLocally(ctx context.Context, imageName string, platform string) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// RemoveImage removes image from local store, the function is used to run different
+// container image architectures
+func RemoveImage(ctx context.Context, imageName string, force bool, pruneChildren bool) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// NewDockerBuildExecutor function to create a run executor for the container
+func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewDockerPullExecutor function to create a run executor for the container
+func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewContainer creates a reference to a container
+func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
+	return nil
+}
+
+func RunnerArch(ctx context.Context) string {
+	return runtime.GOOS
+}
+
+func GetHostInfo(ctx context.Context) (info types.Info, err error) {
+	return types.Info{}, nil
+}
+
+func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
--- a/pkg/container/docker_volume.go
+++ b/pkg/container/docker_volume.go
@@ -1,13 +1,16 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+
 package container

 import (
 	"context"

 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/volume"
 	"github.com/nektos/act/pkg/common"
 )

-func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
+func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executor {
 	return func(ctx context.Context) error {
 		cli, err := GetDockerClient(ctx)
 		if err != nil {
@@ -15,14 +18,14 @@ func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
 		}
 		defer cli.Close()

-		list, err := cli.VolumeList(ctx, filters.NewArgs())
+		list, err := cli.VolumeList(ctx, volume.ListOptions{Filters: filters.NewArgs()})
 		if err != nil {
 			return err
 		}

 		for _, vol := range list.Volumes {
-			if vol.Name == volume {
-				return removeExecutor(volume, force)(ctx)
+			if vol.Name == volumeName {
+				return removeExecutor(volumeName, force)(ctx)
 			}
 		}

--- a/pkg/container/executions_environment.go
+++ b/pkg/container/executions_environment.go
@@ -10,4 +10,6 @@ type ExecutionsEnvironment interface {
 	DefaultPathVariable() string
 	JoinPathVariable(...string) string
 	GetRunnerContext(ctx context.Context) map[string]interface{}
+	// On windows PATH and Path are the same key
+	IsEnvironmentCaseInsensitive() bool
 }
--- a/pkg/container/file_collector.go
+++ b/pkg/container/file_collector.go
@@ -65,7 +65,7 @@ type copyCollector struct {

 func (cc *copyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
 	fdestpath := filepath.Join(cc.DstDir, fpath)
-	if err := os.MkdirAll(filepath.Dir(fdestpath), 0777); err != nil {
+	if err := os.MkdirAll(filepath.Dir(fdestpath), 0o777); err != nil {
 		return err
 	}
 	if f == nil {
--- a/pkg/container/file_collector_test.go
+++ b/pkg/container/file_collector_test.go
@@ -76,7 +76,7 @@ func (mfs *memoryFs) Readlink(path string) (string, error) {

 func TestIgnoredTrackedfile(t *testing.T) {
 	fs := memfs.New()
-	_ = fs.MkdirAll("mygitrepo/.git", 0777)
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
 	dotgit, _ := fs.Chroot("mygitrepo/.git")
 	worktree, _ := fs.Chroot("mygitrepo")
 	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
--- a/pkg/container/host_environment.go
+++ b/pkg/container/host_environment.go
@@ -2,9 +2,9 @@ package container

 import (
 	"archive/tar"
-	"bufio"
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -15,14 +15,13 @@ import (
 	"strings"
 	"time"

-	"errors"
-
 	"github.com/go-git/go-billy/v5/helper/polyfill"
 	"github.com/go-git/go-billy/v5/osfs"
 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"golang.org/x/term"
+
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/lookpath"
-	"golang.org/x/term"
 )

 type HostEnvironment struct {
@@ -35,7 +34,7 @@ type HostEnvironment struct {
 	StdOut    io.Writer
 }

-func (e *HostEnvironment) Create(capAdd []string, capDrop []string) common.Executor {
+func (e *HostEnvironment) Create(_ []string, _ []string) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -50,7 +49,7 @@ func (e *HostEnvironment) Close() common.Executor {
 func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Executor {
 	return func(ctx context.Context) error {
 		for _, f := range files {
-			if err := os.MkdirAll(filepath.Dir(filepath.Join(destPath, f.Name)), 0777); err != nil {
+			if err := os.MkdirAll(filepath.Dir(filepath.Join(destPath, f.Name)), 0o777); err != nil {
 				return err
 			}
 			if err := os.WriteFile(filepath.Join(destPath, f.Name), []byte(f.Body), fs.FileMode(f.Mode)); err != nil {
@@ -141,13 +140,13 @@ func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath strin
 	return io.NopCloser(buf), nil
 }

-func (e *HostEnvironment) Pull(forcePull bool) common.Executor {
+func (e *HostEnvironment) Pull(_ bool) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
 }

-func (e *HostEnvironment) Start(attach bool) common.Executor {
+func (e *HostEnvironment) Start(_ bool) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -241,7 +240,7 @@ func copyPtyOutput(writer io.Writer, ppty io.Reader, finishLog context.CancelFun
 	}
 }

-func (e *HostEnvironment) UpdateFromImageEnv(env *map[string]string) common.Executor {
+func (e *HostEnvironment) UpdateFromImageEnv(_ *map[string]string) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -255,7 +254,7 @@ func getEnvListFromMap(env map[string]string) []string {
 	return envList
 }

-func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, user, workdir string) error {
+func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, _, workdir string) error {
 	envList := getEnvListFromMap(env)
 	var wd string
 	if workdir != "" {
@@ -341,77 +340,7 @@ func (e *HostEnvironment) Exec(command []string /*cmdline string, */, env map[st
 }

 func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
-	localEnv := *env
-	return func(ctx context.Context) error {
-		envTar, err := e.GetContainerArchive(ctx, srcPath)
-		if err != nil {
-			return nil
-		}
-		defer envTar.Close()
-		reader := tar.NewReader(envTar)
-		_, err = reader.Next()
-		if err != nil && err != io.EOF {
-			return err
-		}
-		s := bufio.NewScanner(reader)
-		for s.Scan() {
-			line := s.Text()
-			singleLineEnv := strings.Index(line, "=")
-			multiLineEnv := strings.Index(line, "<<")
-			if singleLineEnv != -1 && (multiLineEnv == -1 || singleLineEnv < multiLineEnv) {
-				localEnv[line[:singleLineEnv]] = line[singleLineEnv+1:]
-			} else if multiLineEnv != -1 {
-				multiLineEnvContent := ""
-				multiLineEnvDelimiter := line[multiLineEnv+2:]
-				delimiterFound := false
-				for s.Scan() {
-					content := s.Text()
-					if content == multiLineEnvDelimiter {
-						delimiterFound = true
-						break
-					}
-					if multiLineEnvContent != "" {
-						multiLineEnvContent += "\n"
-					}
-					multiLineEnvContent += content
-				}
-				if !delimiterFound {
-					return fmt.Errorf("invalid format delimiter '%v' not found before end of file", multiLineEnvDelimiter)
-				}
-				localEnv[line[:multiLineEnv]] = multiLineEnvContent
-			} else {
-				return fmt.Errorf("invalid format '%v', expected a line with '=' or '<<'", line)
-			}
-		}
-		env = &localEnv
-		return nil
-	}
-}
-
-func (e *HostEnvironment) UpdateFromPath(env *map[string]string) common.Executor {
-	localEnv := *env
-	return func(ctx context.Context) error {
-		pathTar, err := e.GetContainerArchive(ctx, localEnv["GITHUB_PATH"])
-		if err != nil {
-			return err
-		}
-		defer pathTar.Close()
-
-		reader := tar.NewReader(pathTar)
-		_, err = reader.Next()
-		if err != nil && err != io.EOF {
-			return err
-		}
-		s := bufio.NewScanner(reader)
-		for s.Scan() {
-			line := s.Text()
-			pathSep := string(filepath.ListSeparator)
-			localEnv[e.GetPathVariableName()] = fmt.Sprintf("%s%s%s", line, pathSep, localEnv[e.GetPathVariableName()])
-		}
-
-		env = &localEnv
-		return nil
-	}
+	return parseEnvFile(e, srcPath, env)
 }

 func (e *HostEnvironment) Remove() common.Executor {
@@ -433,7 +362,11 @@ func (e *HostEnvironment) ToContainerPath(path string) string {
 }

 func (e *HostEnvironment) GetActPath() string {
-	return e.ActPath
+	actPath := e.ActPath
+	if runtime.GOOS == "windows" {
+		actPath = strings.ReplaceAll(actPath, "\\", "/")
+	}
+	return actPath
 }

 func (*HostEnvironment) GetPathVariableName() string {
@@ -454,17 +387,45 @@ func (*HostEnvironment) JoinPathVariable(paths ...string) string {
 	return strings.Join(paths, string(filepath.ListSeparator))
 }

-func (e *HostEnvironment) GetRunnerContext(ctx context.Context) map[string]interface{} {
+// Reference for Arch values for runner.arch
+// https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
+func goArchToActionArch(arch string) string {
+	archMapper := map[string]string{
+		"x86_64":  "X64",
+		"386":     "X86",
+		"aarch64": "ARM64",
+	}
+	if arch, ok := archMapper[arch]; ok {
+		return arch
+	}
+	return arch
+}
+
+func goOsToActionOs(os string) string {
+	osMapper := map[string]string{
+		"darwin": "macOS",
+	}
+	if os, ok := osMapper[os]; ok {
+		return os
+	}
+	return os
+}
+
+func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]interface{} {
 	return map[string]interface{}{
-		"os":         runtime.GOOS,
-		"arch":       runtime.GOARCH,
+		"os":         goOsToActionOs(runtime.GOOS),
+		"arch":       goArchToActionArch(runtime.GOARCH),
 		"temp":       e.TmpDir,
 		"tool_cache": e.ToolCache,
 	}
 }

-func (e *HostEnvironment) ReplaceLogWriter(stdout io.Writer, stderr io.Writer) (io.Writer, io.Writer) {
+func (e *HostEnvironment) ReplaceLogWriter(stdout io.Writer, _ io.Writer) (io.Writer, io.Writer) {
 	org := e.StdOut
 	e.StdOut = stdout
 	return org, org
 }
+
+func (*HostEnvironment) IsEnvironmentCaseInsensitive() bool {
+	return runtime.GOOS == "windows"
+}
--- a/pkg/container/linux_container_environment_extensions.go
+++ b/pkg/container/linux_container_environment_extensions.go
@@ -71,3 +71,7 @@ func (*LinuxContainerEnvironmentExtensions) GetRunnerContext(ctx context.Context
 		"tool_cache": "/opt/hostedtoolcache",
 	}
 }
+
+func (*LinuxContainerEnvironmentExtensions) IsEnvironmentCaseInsensitive() bool {
+	return false
+}
--- a/pkg/container/parse_env_file.go
+++ b/pkg/container/parse_env_file.go
@@ -0,0 +1,60 @@
+package container
+
+import (
+	"archive/tar"
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/nektos/act/pkg/common"
+)
+
+func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Executor {
+	localEnv := *env
+	return func(ctx context.Context) error {
+		envTar, err := e.GetContainerArchive(ctx, srcPath)
+		if err != nil {
+			return nil
+		}
+		defer envTar.Close()
+		reader := tar.NewReader(envTar)
+		_, err = reader.Next()
+		if err != nil && err != io.EOF {
+			return err
+		}
+		s := bufio.NewScanner(reader)
+		for s.Scan() {
+			line := s.Text()
+			singleLineEnv := strings.Index(line, "=")
+			multiLineEnv := strings.Index(line, "<<")
+			if singleLineEnv != -1 && (multiLineEnv == -1 || singleLineEnv < multiLineEnv) {
+				localEnv[line[:singleLineEnv]] = line[singleLineEnv+1:]
+			} else if multiLineEnv != -1 {
+				multiLineEnvContent := ""
+				multiLineEnvDelimiter := line[multiLineEnv+2:]
+				delimiterFound := false
+				for s.Scan() {
+					content := s.Text()
+					if content == multiLineEnvDelimiter {
+						delimiterFound = true
+						break
+					}
+					if multiLineEnvContent != "" {
+						multiLineEnvContent += "\n"
+					}
+					multiLineEnvContent += content
+				}
+				if !delimiterFound {
+					return fmt.Errorf("invalid format delimiter '%v' not found before end of file", multiLineEnvDelimiter)
+				}
+				localEnv[line[:multiLineEnv]] = multiLineEnvContent
+			} else {
+				return fmt.Errorf("invalid format '%v', expected a line with '=' or '<<'", line)
+			}
+		}
+		env = &localEnv
+		return nil
+	}
+}
--- a/pkg/container/util.go
+++ b/pkg/container/util.go
@@ -9,7 +9,7 @@ import (
 	"github.com/creack/pty"
 )

-func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+func getSysProcAttr(_ string, tty bool) *syscall.SysProcAttr {
 	if tty {
 		return &syscall.SysProcAttr{
 			Setsid:  true,
--- a/pkg/exprparser/functions.go
+++ b/pkg/exprparser/functions.go
@@ -14,6 +14,7 @@ import (
 	"strings"

 	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+
 	"github.com/nektos/act/pkg/model"
 	"github.com/rhysd/actionlint"
 )
@@ -202,6 +203,9 @@ func (impl *interperterImpl) hashFiles(paths ...reflect.Value) (string, error) {

 	var files []string
 	if err := filepath.Walk(impl.config.WorkingDir, func(path string, fi fs.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
 		sansPrefix := strings.TrimPrefix(path, impl.config.WorkingDir+string(filepath.Separator))
 		parts := strings.Split(sansPrefix, string(filepath.Separator))
 		if fi.IsDir() || !matcher.Match(parts, fi.IsDir()) {
--- a/pkg/exprparser/interpreter.go
+++ b/pkg/exprparser/interpreter.go
@@ -15,15 +15,22 @@ type EvaluationEnvironment struct {
 	Github   *model.GithubContext
 	Env      map[string]string
 	Job      *model.JobContext
+	Jobs     *map[string]*model.WorkflowCallResult
 	Steps    map[string]*model.StepResult
 	Runner   map[string]interface{}
 	Secrets  map[string]string
+	Vars     map[string]string
 	Strategy map[string]interface{}
 	Matrix   map[string]interface{}
-	Needs    map[string]map[string]map[string]string
+	Needs    map[string]Needs
 	Inputs   map[string]interface{}
 }

+type Needs struct {
+	Outputs map[string]string `json:"outputs"`
+	Result  string            `json:"result"`
+}
+
 type Config struct {
 	Run        *model.Run
 	WorkingDir string
@@ -142,6 +149,7 @@ func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (interfa
 	}
 }

+//nolint:gocyclo
 func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (interface{}, error) {
 	switch strings.ToLower(variableNode.Name) {
 	case "github":
@@ -150,12 +158,19 @@ func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableN
 		return impl.env.Env, nil
 	case "job":
 		return impl.env.Job, nil
+	case "jobs":
+		if impl.env.Jobs == nil {
+			return nil, fmt.Errorf("Unavailable context: jobs")
+		}
+		return impl.env.Jobs, nil
 	case "steps":
 		return impl.env.Steps, nil
 	case "runner":
 		return impl.env.Runner, nil
 	case "secrets":
 		return impl.env.Secrets, nil
+	case "vars":
+		return impl.env.Vars, nil
 	case "strategy":
 		return impl.env.Strategy, nil
 	case "matrix":
@@ -361,8 +376,16 @@ func (impl *interperterImpl) compareValues(leftValue reflect.Value, rightValue r

 		return impl.compareNumber(leftValue.Float(), rightValue.Float(), kind)

+	case reflect.Invalid:
+		if rightValue.Kind() == reflect.Invalid {
+			return true, nil
+		}
+
+		// not possible situation - params are converted to the same type in code above
+		return nil, fmt.Errorf("Compare params of Invalid type: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+
 	default:
-		return nil, fmt.Errorf("TODO: evaluateCompare not implemented! left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+		return nil, fmt.Errorf("Compare not implemented for types: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
 	}
 }

--- a/pkg/exprparser/interpreter_test.go
+++ b/pkg/exprparser/interpreter_test.go
@@ -69,6 +69,11 @@ func TestOperators(t *testing.T) {
 		{`true || false`, true, "or", ""},
 		{`fromJSON('{}') && true`, true, "and-boolean-object", ""},
 		{`fromJSON('{}') || false`, make(map[string]interface{}), "or-boolean-object", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username", true, "property-comparison1", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username", true, "property-comparison2", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username1", true, "property-comparison3", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username2", true, "property-comparison4", ""},
+		{"secrets != env", nil, "property-comparison5", "Compare not implemented for types: left: map, right: map"},
 	}

 	env := &EvaluationEnvironment{
@@ -552,9 +557,11 @@ func TestContexts(t *testing.T) {
 		// {"contains(steps.*.outputs.name, 'value')", true, "steps-context-array-outputs"},
 		{"runner.os", "Linux", "runner-context"},
 		{"secrets.name", "value", "secrets-context"},
+		{"vars.name", "value", "vars-context"},
 		{"strategy.fail-fast", true, "strategy-context"},
 		{"matrix.os", "Linux", "matrix-context"},
 		{"needs.job-id.outputs.output-name", "value", "needs-context"},
+		{"needs.job-id.result", "success", "needs-context"},
 		{"inputs.name", "value", "inputs-context"},
 	}

@@ -587,17 +594,21 @@ func TestContexts(t *testing.T) {
 		Secrets: map[string]string{
 			"name": "value",
 		},
+		Vars: map[string]string{
+			"name": "value",
+		},
 		Strategy: map[string]interface{}{
 			"fail-fast": true,
 		},
 		Matrix: map[string]interface{}{
 			"os": "Linux",
 		},
-		Needs: map[string]map[string]map[string]string{
+		Needs: map[string]Needs{
 			"job-id": {
-				"outputs": {
+				Outputs: map[string]string{
 					"output-name": "value",
 				},
+				Result: "success",
 			},
 		},
 		Inputs: map[string]interface{}{
--- a/pkg/model/github_context.go
+++ b/pkg/model/github_context.go
@@ -3,6 +3,7 @@ package model
 import (
 	"context"
 	"fmt"
+	"strings"

 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/common/git"
@@ -35,6 +36,9 @@ type GithubContext struct {
 	RetentionDays    string                 `json:"retention_days"`
 	RunnerPerflog    string                 `json:"runner_perflog"`
 	RunnerTrackingID string                 `json:"runner_tracking_id"`
+	ServerURL        string                 `json:"server_url"`
+	APIURL           string                 `json:"api_url"`
+	GraphQLURL       string                 `json:"graphql_url"`
 }

 func asString(v interface{}) string {
@@ -89,26 +93,22 @@ func withDefaultBranch(ctx context.Context, b string, event map[string]interface
 var findGitRef = git.FindGitRef
 var findGitRevision = git.FindGitRevision

-func (ghc *GithubContext) SetRefAndSha(ctx context.Context, defaultBranch string, repoPath string) {
+func (ghc *GithubContext) SetRef(ctx context.Context, defaultBranch string, repoPath string) {
 	logger := common.Logger(ctx)
+
 	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
 	// https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads
 	switch ghc.EventName {
 	case "pull_request_target":
 		ghc.Ref = fmt.Sprintf("refs/heads/%s", ghc.BaseRef)
-		ghc.Sha = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "sha"))
 	case "pull_request", "pull_request_review", "pull_request_review_comment":
 		ghc.Ref = fmt.Sprintf("refs/pull/%.0f/merge", ghc.Event["number"])
 	case "deployment", "deployment_status":
 		ghc.Ref = asString(nestedMapLookup(ghc.Event, "deployment", "ref"))
-		ghc.Sha = asString(nestedMapLookup(ghc.Event, "deployment", "sha"))
 	case "release":
-		ghc.Ref = asString(nestedMapLookup(ghc.Event, "release", "tag_name"))
+		ghc.Ref = fmt.Sprintf("refs/tags/%s", asString(nestedMapLookup(ghc.Event, "release", "tag_name")))
 	case "push", "create", "workflow_dispatch":
 		ghc.Ref = asString(ghc.Event["ref"])
-		if deleted, ok := ghc.Event["deleted"].(bool); ok && !deleted {
-			ghc.Sha = asString(ghc.Event["after"])
-		}
 	default:
 		defaultBranch := asString(nestedMapLookup(ghc.Event, "repository", "default_branch"))
 		if defaultBranch != "" {
@@ -136,6 +136,23 @@ func (ghc *GithubContext) SetRefAndSha(ctx context.Context, defaultBranch string
 			ghc.Ref = fmt.Sprintf("refs/heads/%s", asString(nestedMapLookup(ghc.Event, "repository", "default_branch")))
 		}
 	}
+}
+
+func (ghc *GithubContext) SetSha(ctx context.Context, repoPath string) {
+	logger := common.Logger(ctx)
+
+	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+	// https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads
+	switch ghc.EventName {
+	case "pull_request_target":
+		ghc.Sha = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "sha"))
+	case "deployment", "deployment_status":
+		ghc.Sha = asString(nestedMapLookup(ghc.Event, "deployment", "sha"))
+	case "push", "create", "workflow_dispatch":
+		if deleted, ok := ghc.Event["deleted"].(bool); ok && !deleted {
+			ghc.Sha = asString(ghc.Event["after"])
+		}
+	}

 	if ghc.Sha == "" {
 		_, sha, err := findGitRevision(ctx, repoPath)
@@ -146,3 +163,51 @@ func (ghc *GithubContext) SetRefAndSha(ctx context.Context, defaultBranch string
 		}
 	}
 }
+
+func (ghc *GithubContext) SetRepositoryAndOwner(ctx context.Context, githubInstance string, remoteName string, repoPath string) {
+	if ghc.Repository == "" {
+		repo, err := git.FindGithubRepo(ctx, repoPath, githubInstance, remoteName)
+		if err != nil {
+			common.Logger(ctx).Warningf("unable to get git repo: %v", err)
+			return
+		}
+		ghc.Repository = repo
+	}
+	ghc.RepositoryOwner = strings.Split(ghc.Repository, "/")[0]
+}
+
+func (ghc *GithubContext) SetRefTypeAndName() {
+	var refType, refName string
+
+	// https://docs.github.com/en/actions/learn-github-actions/environment-variables
+	if strings.HasPrefix(ghc.Ref, "refs/tags/") {
+		refType = "tag"
+		refName = ghc.Ref[len("refs/tags/"):]
+	} else if strings.HasPrefix(ghc.Ref, "refs/heads/") {
+		refType = "branch"
+		refName = ghc.Ref[len("refs/heads/"):]
+	} else if strings.HasPrefix(ghc.Ref, "refs/pull/") {
+		refType = ""
+		refName = ghc.Ref[len("refs/pull/"):]
+	}
+
+	if ghc.RefType == "" {
+		ghc.RefType = refType
+	}
+
+	if ghc.RefName == "" {
+		ghc.RefName = refName
+	}
+}
+
+func (ghc *GithubContext) SetBaseAndHeadRef() {
+	if ghc.EventName == "pull_request" || ghc.EventName == "pull_request_target" {
+		if ghc.BaseRef == "" {
+			ghc.BaseRef = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "ref"))
+		}
+
+		if ghc.HeadRef == "" {
+			ghc.HeadRef = asString(nestedMapLookup(ghc.Event, "pull_request", "head", "ref"))
+		}
+	}
+}
--- a/pkg/model/github_context_test.go
+++ b/pkg/model/github_context_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-func TestSetRefAndSha(t *testing.T) {
+func TestSetRef(t *testing.T) {
 	log.SetLevel(log.DebugLevel)

 	oldFindGitRef := findGitRef
@@ -29,38 +29,31 @@ func TestSetRefAndSha(t *testing.T) {
 		eventName string
 		event     map[string]interface{}
 		ref       string
-		sha       string
+		refName   string
 	}{
 		{
 			eventName: "pull_request_target",
-			event: map[string]interface{}{
-				"pull_request": map[string]interface{}{
-					"base": map[string]interface{}{
-						"sha": "pr-base-sha",
-					},
-				},
-			},
-			ref: "refs/heads/master",
-			sha: "pr-base-sha",
+			event:     map[string]interface{}{},
+			ref:       "refs/heads/master",
+			refName:   "master",
 		},
 		{
 			eventName: "pull_request",
 			event: map[string]interface{}{
 				"number": 1234.,
 			},
-			ref: "refs/pull/1234/merge",
-			sha: "1234fakesha",
+			ref:     "refs/pull/1234/merge",
+			refName: "1234/merge",
 		},
 		{
 			eventName: "deployment",
 			event: map[string]interface{}{
 				"deployment": map[string]interface{}{
 					"ref": "refs/heads/somebranch",
-					"sha": "deployment-sha",
 				},
 			},
-			ref: "refs/heads/somebranch",
-			sha: "deployment-sha",
+			ref:     "refs/heads/somebranch",
+			refName: "somebranch",
 		},
 		{
 			eventName: "release",
@@ -69,18 +62,16 @@ func TestSetRefAndSha(t *testing.T) {
 					"tag_name": "v1.0.0",
 				},
 			},
-			ref: "v1.0.0",
-			sha: "1234fakesha",
+			ref:     "refs/tags/v1.0.0",
+			refName: "v1.0.0",
 		},
 		{
 			eventName: "push",
 			event: map[string]interface{}{
-				"ref":     "refs/heads/somebranch",
-				"after":   "push-sha",
-				"deleted": false,
+				"ref": "refs/heads/somebranch",
 			},
-			ref: "refs/heads/somebranch",
-			sha: "push-sha",
+			ref:     "refs/heads/somebranch",
+			refName: "somebranch",
 		},
 		{
 			eventName: "unknown",
@@ -89,14 +80,14 @@ func TestSetRefAndSha(t *testing.T) {
 					"default_branch": "main",
 				},
 			},
-			ref: "refs/heads/main",
-			sha: "1234fakesha",
+			ref:     "refs/heads/main",
+			refName: "main",
 		},
 		{
 			eventName: "no-event",
 			event:     map[string]interface{}{},
 			ref:       "refs/heads/master",
-			sha:       "1234fakesha",
+			refName:   "master",
 		},
 	}

@@ -108,10 +99,11 @@ func TestSetRefAndSha(t *testing.T) {
 				Event:     table.event,
 			}

-			ghc.SetRefAndSha(context.Background(), "main", "/some/dir")
+			ghc.SetRef(context.Background(), "main", "/some/dir")
+			ghc.SetRefTypeAndName()

 			assert.Equal(t, table.ref, ghc.Ref)
-			assert.Equal(t, table.sha, ghc.Sha)
+			assert.Equal(t, table.refName, ghc.RefName)
 		})
 	}

@@ -125,9 +117,96 @@ func TestSetRefAndSha(t *testing.T) {
 			Event:     map[string]interface{}{},
 		}

-		ghc.SetRefAndSha(context.Background(), "", "/some/dir")
+		ghc.SetRef(context.Background(), "", "/some/dir")

 		assert.Equal(t, "refs/heads/master", ghc.Ref)
-		assert.Equal(t, "1234fakesha", ghc.Sha)
 	})
 }
+
+func TestSetSha(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	oldFindGitRef := findGitRef
+	oldFindGitRevision := findGitRevision
+	defer func() { findGitRef = oldFindGitRef }()
+	defer func() { findGitRevision = oldFindGitRevision }()
+
+	findGitRef = func(ctx context.Context, file string) (string, error) {
+		return "refs/heads/master", nil
+	}
+
+	findGitRevision = func(ctx context.Context, file string) (string, string, error) {
+		return "", "1234fakesha", nil
+	}
+
+	tables := []struct {
+		eventName string
+		event     map[string]interface{}
+		sha       string
+	}{
+		{
+			eventName: "pull_request_target",
+			event: map[string]interface{}{
+				"pull_request": map[string]interface{}{
+					"base": map[string]interface{}{
+						"sha": "pr-base-sha",
+					},
+				},
+			},
+			sha: "pr-base-sha",
+		},
+		{
+			eventName: "pull_request",
+			event: map[string]interface{}{
+				"number": 1234.,
+			},
+			sha: "1234fakesha",
+		},
+		{
+			eventName: "deployment",
+			event: map[string]interface{}{
+				"deployment": map[string]interface{}{
+					"sha": "deployment-sha",
+				},
+			},
+			sha: "deployment-sha",
+		},
+		{
+			eventName: "release",
+			event:     map[string]interface{}{},
+			sha:       "1234fakesha",
+		},
+		{
+			eventName: "push",
+			event: map[string]interface{}{
+				"after":   "push-sha",
+				"deleted": false,
+			},
+			sha: "push-sha",
+		},
+		{
+			eventName: "unknown",
+			event:     map[string]interface{}{},
+			sha:       "1234fakesha",
+		},
+		{
+			eventName: "no-event",
+			event:     map[string]interface{}{},
+			sha:       "1234fakesha",
+		},
+	}
+
+	for _, table := range tables {
+		t.Run(table.eventName, func(t *testing.T) {
+			ghc := &GithubContext{
+				EventName: table.eventName,
+				BaseRef:   "master",
+				Event:     table.event,
+			}
+
+			ghc.SetSha(context.Background(), "/some/dir")
+
+			assert.Equal(t, table.sha, ghc.Sha)
+		})
+	}
+}
--- a/pkg/model/planner.go
+++ b/pkg/model/planner.go
@@ -15,9 +15,9 @@ import (

 // WorkflowPlanner contains methods for creating plans
 type WorkflowPlanner interface {
-	PlanEvent(eventName string) *Plan
-	PlanJob(jobName string) *Plan
-	PlanAll() *Plan
+	PlanEvent(eventName string) (*Plan, error)
+	PlanJob(jobName string) (*Plan, error)
+	PlanAll() (*Plan, error)
 	GetEvents() []string
 }

@@ -169,47 +169,76 @@ type workflowPlanner struct {
 }

 // PlanEvent builds a new list of runs to execute in parallel for an event name
-func (wp *workflowPlanner) PlanEvent(eventName string) *Plan {
+func (wp *workflowPlanner) PlanEvent(eventName string) (*Plan, error) {
 	plan := new(Plan)
 	if len(wp.workflows) == 0 {
-		log.Debugf("no events found for workflow: %s", eventName)
+		log.Debug("no workflows found by planner")
+		return plan, nil
 	}
+	var lastErr error

 	for _, w := range wp.workflows {
-		for _, e := range w.On() {
+		events := w.On()
+		if len(events) == 0 {
+			log.Debugf("no events found for workflow: %s", w.File)
+			continue
+		}
+
+		for _, e := range events {
 			if e == eventName {
-				plan.mergeStages(createStages(w, w.GetJobIDs()...))
+				stages, err := createStages(w, w.GetJobIDs()...)
+				if err != nil {
+					log.Warn(err)
+					lastErr = err
+				} else {
+					plan.mergeStages(stages)
+				}
 			}
 		}
 	}
-	return plan
+	return plan, lastErr
 }

 // PlanJob builds a new run to execute in parallel for a job name
-func (wp *workflowPlanner) PlanJob(jobName string) *Plan {
+func (wp *workflowPlanner) PlanJob(jobName string) (*Plan, error) {
 	plan := new(Plan)
 	if len(wp.workflows) == 0 {
 		log.Debugf("no jobs found for workflow: %s", jobName)
 	}
+	var lastErr error

 	for _, w := range wp.workflows {
-		plan.mergeStages(createStages(w, jobName))
+		stages, err := createStages(w, jobName)
+		if err != nil {
+			log.Warn(err)
+			lastErr = err
+		} else {
+			plan.mergeStages(stages)
+		}
 	}
-	return plan
+	return plan, lastErr
 }

 // PlanAll builds a new run to execute in parallel all
-func (wp *workflowPlanner) PlanAll() *Plan {
+func (wp *workflowPlanner) PlanAll() (*Plan, error) {
 	plan := new(Plan)
 	if len(wp.workflows) == 0 {
-		log.Debugf("no jobs found for loaded workflows")
+		log.Debug("no workflows found by planner")
+		return plan, nil
 	}
+	var lastErr error

 	for _, w := range wp.workflows {
-		plan.mergeStages(createStages(w, w.GetJobIDs()...))
+		stages, err := createStages(w, w.GetJobIDs()...)
+		if err != nil {
+			log.Warn(err)
+			lastErr = err
+		} else {
+			plan.mergeStages(stages)
+		}
 	}

-	return plan
+	return plan, lastErr
 }

 // GetEvents gets all the events in the workflows file
@@ -282,7 +311,7 @@ func (p *Plan) mergeStages(stages []*Stage) {
 	p.Stages = newStages
 }

-func createStages(w *Workflow, jobIDs ...string) []*Stage {
+func createStages(w *Workflow, jobIDs ...string) ([]*Stage, error) {
 	// first, build a list of all the necessary jobs to run, and their dependencies
 	jobDependencies := make(map[string][]string)
 	for len(jobIDs) > 0 {
@@ -299,6 +328,8 @@ func createStages(w *Workflow, jobIDs ...string) []*Stage {
 		jobIDs = newJobIDs
 	}

+	var err error
+
 	// next, build an execution graph
 	stages := make([]*Stage, 0)
 	for len(jobDependencies) > 0 {
@@ -314,12 +345,16 @@ func createStages(w *Workflow, jobIDs ...string) []*Stage {
 			}
 		}
 		if len(stage.Runs) == 0 {
-			log.Fatalf("Unable to build dependency graph!")
+			return nil, fmt.Errorf("unable to build dependency graph for %s (%s)", w.Name, w.File)
 		}
 		stages = append(stages, stage)
 	}

-	return stages
+	if len(stages) == 0 && err != nil {
+		return nil, err
+	}
+
+	return stages, nil
 }

 // return true iff all strings in srcList exist in at least one of the stages
--- a/pkg/model/step_result.go
+++ b/pkg/model/step_result.go
@@ -42,5 +42,4 @@ type StepResult struct {
 	Outputs    map[string]string `json:"outputs"`
 	Conclusion stepStatus        `json:"conclusion"`
 	Outcome    stepStatus        `json:"outcome"`
-	State      map[string]string
 }
--- a/pkg/model/workflow.go
+++ b/pkg/model/workflow.go
@@ -58,9 +58,8 @@ func (w *Workflow) On() []string {
 func (w *Workflow) OnEvent(event string) interface{} {
 	if w.RawOn.Kind == yaml.MappingNode {
 		var val map[string]interface{}
-		err := w.RawOn.Decode(&val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(w.RawOn, &val) {
+			return nil
 		}
 		return val[event]
 	}
@@ -85,16 +84,55 @@ func (w *Workflow) WorkflowDispatchConfig() *WorkflowDispatch {
 	}

 	var val map[string]yaml.Node
-	err := w.RawOn.Decode(&val)
-	if err != nil {
-		log.Fatal(err)
+	if !decodeNode(w.RawOn, &val) {
+		return nil
 	}

 	var config WorkflowDispatch
 	node := val["workflow_dispatch"]
-	err = node.Decode(&config)
-	if err != nil {
-		log.Fatal(err)
+	if !decodeNode(node, &config) {
+		return nil
+	}
+
+	return &config
+}
+
+type WorkflowCallInput struct {
+	Description string `yaml:"description"`
+	Required    bool   `yaml:"required"`
+	Default     string `yaml:"default"`
+	Type        string `yaml:"type"`
+}
+
+type WorkflowCallOutput struct {
+	Description string `yaml:"description"`
+	Value       string `yaml:"value"`
+}
+
+type WorkflowCall struct {
+	Inputs  map[string]WorkflowCallInput  `yaml:"inputs"`
+	Outputs map[string]WorkflowCallOutput `yaml:"outputs"`
+}
+
+type WorkflowCallResult struct {
+	Outputs map[string]string
+}
+
+func (w *Workflow) WorkflowCallConfig() *WorkflowCall {
+	if w.RawOn.Kind != yaml.MappingNode {
+		// The callers expect for "on: workflow_call" and "on: [ workflow_call ]" a non nil return value
+		return &WorkflowCall{}
+	}
+
+	var val map[string]yaml.Node
+	if !decodeNode(w.RawOn, &val) {
+		return &WorkflowCall{}
+	}
+
+	var config WorkflowCall
+	node := val["workflow_call"]
+	if !decodeNode(node, &config) {
+		return &WorkflowCall{}
 	}

 	return &config
@@ -115,6 +153,8 @@ type Job struct {
 	Defaults       Defaults                  `yaml:"defaults"`
 	Outputs        map[string]string         `yaml:"outputs"`
 	Uses           string                    `yaml:"uses"`
+	With           map[string]interface{}    `yaml:"with"`
+	RawSecrets     yaml.Node                 `yaml:"secrets"`
 	Result         string
 }

@@ -169,21 +209,45 @@ func (s Strategy) GetFailFast() bool {
 	return failFast
 }

+func (j *Job) InheritSecrets() bool {
+	if j.RawSecrets.Kind != yaml.ScalarNode {
+		return false
+	}
+
+	var val string
+	if !decodeNode(j.RawSecrets, &val) {
+		return false
+	}
+
+	return val == "inherit"
+}
+
+func (j *Job) Secrets() map[string]string {
+	if j.RawSecrets.Kind != yaml.MappingNode {
+		return nil
+	}
+
+	var val map[string]string
+	if !decodeNode(j.RawSecrets, &val) {
+		return nil
+	}
+
+	return val
+}
+
 // Container details for the job
 func (j *Job) Container() *ContainerSpec {
 	var val *ContainerSpec
 	switch j.RawContainer.Kind {
 	case yaml.ScalarNode:
 		val = new(ContainerSpec)
-		err := j.RawContainer.Decode(&val.Image)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawContainer, &val.Image) {
+			return nil
 		}
 	case yaml.MappingNode:
 		val = new(ContainerSpec)
-		err := j.RawContainer.Decode(val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawContainer, val) {
+			return nil
 		}
 	}
 	return val
@@ -194,16 +258,14 @@ func (j *Job) Needs() []string {
 	switch j.RawNeeds.Kind {
 	case yaml.ScalarNode:
 		var val string
-		err := j.RawNeeds.Decode(&val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawNeeds, &val) {
+			return nil
 		}
 		return []string{val}
 	case yaml.SequenceNode:
 		var val []string
-		err := j.RawNeeds.Decode(&val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawNeeds, &val) {
+			return nil
 		}
 		return val
 	}
@@ -215,16 +277,14 @@ func (j *Job) RunsOn() []string {
 	switch j.RawRunsOn.Kind {
 	case yaml.ScalarNode:
 		var val string
-		err := j.RawRunsOn.Decode(&val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawRunsOn, &val) {
+			return nil
 		}
 		return []string{val}
 	case yaml.SequenceNode:
 		var val []string
-		err := j.RawRunsOn.Decode(&val)
-		if err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.RawRunsOn, &val) {
+			return nil
 		}
 		return val
 	}
@@ -234,8 +294,8 @@ func (j *Job) RunsOn() []string {
 func environment(yml yaml.Node) map[string]string {
 	env := make(map[string]string)
 	if yml.Kind == yaml.MappingNode {
-		if err := yml.Decode(&env); err != nil {
-			log.Fatal(err)
+		if !decodeNode(yml, &env) {
+			return nil
 		}
 	}
 	return env
@@ -250,8 +310,8 @@ func (j *Job) Environment() map[string]string {
 func (j *Job) Matrix() map[string][]interface{} {
 	if j.Strategy.RawMatrix.Kind == yaml.MappingNode {
 		var val map[string][]interface{}
-		if err := j.Strategy.RawMatrix.Decode(&val); err != nil {
-			log.Fatal(err)
+		if !decodeNode(j.Strategy.RawMatrix, &val) {
+			return nil
 		}
 		return val
 	}
@@ -262,7 +322,7 @@ func (j *Job) Matrix() map[string][]interface{} {
 // It skips includes and hard fails excludes for non-existing keys
 //
 //nolint:gocyclo
-func (j *Job) GetMatrixes() []map[string]interface{} {
+func (j *Job) GetMatrixes() ([]map[string]interface{}, error) {
 	matrixes := make([]map[string]interface{}, 0)
 	if j.Strategy != nil {
 		j.Strategy.FailFast = j.Strategy.GetFailFast()
@@ -313,7 +373,7 @@ func (j *Job) GetMatrixes() []map[string]interface{} {
 						excludes = append(excludes, e)
 					} else {
 						// We fail completely here because that's what GitHub does for non-existing matrix keys, fail on exclude, silent skip on include
-						log.Fatalf("The workflow is not valid. Matrix exclude key '%s' does not match any key within the matrix", k)
+						return nil, fmt.Errorf("the workflow is not valid. Matrix exclude key %q does not match any key within the matrix", k)
 					}
 				}
 			}
@@ -357,8 +417,9 @@ func (j *Job) GetMatrixes() []map[string]interface{} {
 		}
 	} else {
 		matrixes = append(matrixes, make(map[string]interface{}))
+		log.Debugf("Empty Strategy, matrixes=%v", matrixes)
 	}
-	return matrixes
+	return matrixes, nil
 }

 func commonKeysMatch(a map[string]interface{}, b map[string]interface{}) bool {
@@ -384,14 +445,17 @@ func commonKeysMatch2(a map[string]interface{}, b map[string]interface{}, m map[
 type JobType int

 const (
-	// StepTypeRun is all steps that have a `run` attribute
+	// JobTypeDefault is all jobs that have a `run` attribute
 	JobTypeDefault JobType = iota

-	// StepTypeReusableWorkflowLocal is all steps that have a `uses` that is a local workflow in the .github/workflows directory
+	// JobTypeReusableWorkflowLocal is all jobs that have a `uses` that is a local workflow in the .github/workflows directory
 	JobTypeReusableWorkflowLocal

-	// JobTypeReusableWorkflowRemote is all steps that have a `uses` that references a workflow file in a github repo
+	// JobTypeReusableWorkflowRemote is all jobs that have a `uses` that references a workflow file in a github repo
 	JobTypeReusableWorkflowRemote
+
+	// JobTypeInvalid represents a job which is not configured correctly
+	JobTypeInvalid
 )

 func (j JobType) String() string {
@@ -407,13 +471,28 @@ func (j JobType) String() string {
 }

 // Type returns the type of the job
-func (j *Job) Type() JobType {
-	if strings.HasPrefix(j.Uses, "./.github/workflows") && (strings.HasSuffix(j.Uses, ".yml") || strings.HasSuffix(j.Uses, ".yaml")) {
-		return JobTypeReusableWorkflowLocal
-	} else if !strings.HasPrefix(j.Uses, "./") && strings.Contains(j.Uses, ".github/workflows") && (strings.Contains(j.Uses, ".yml@") || strings.Contains(j.Uses, ".yaml@")) {
-		return JobTypeReusableWorkflowRemote
+func (j *Job) Type() (JobType, error) {
+	isReusable := j.Uses != ""
+
+	if isReusable {
+		isYaml, _ := regexp.MatchString(`\.(ya?ml)(?:$|@)`, j.Uses)
+
+		if isYaml {
+			isLocalPath := strings.HasPrefix(j.Uses, "./")
+			isRemotePath, _ := regexp.MatchString(`^[^.](.+?/){2,}.+\.ya?ml@`, j.Uses)
+			hasVersion, _ := regexp.MatchString(`\.ya?ml@`, j.Uses)
+
+			if isLocalPath {
+				return JobTypeReusableWorkflowLocal, nil
+			} else if isRemotePath && hasVersion {
+				return JobTypeReusableWorkflowRemote, nil
+			}
+		}
+
+		return JobTypeInvalid, fmt.Errorf("`uses` key references invalid workflow path '%s'. Must start with './' if it's a local workflow, or must start with '<org>/<repo>/' and include an '@' if it's a remote workflow", j.Uses)
 	}
-	return JobTypeDefault
+
+	return JobTypeDefault, nil
 }

 // ContainerSpec is the specification of the container to use for the job
@@ -458,16 +537,8 @@ func (s *Step) String() string {
 }

 // Environments returns string-based key=value map for a step
-// Note: all keys are uppercase
 func (s *Step) Environment() map[string]string {
-	env := environment(s.Env)
-
-	for k, v := range env {
-		delete(env, k)
-		env[strings.ToUpper(k)] = v
-	}
-
-	return env
+	return environment(s.Env)
 }

 // GetEnv gets the env for a step
@@ -606,3 +677,17 @@ func (w *Workflow) GetJobIDs() []string {
 	}
 	return ids
 }
+
+var OnDecodeNodeError = func(node yaml.Node, out interface{}, err error) {
+	log.Fatalf("Failed to decode node %v into %T: %v", node, out, err)
+}
+
+func decodeNode(node yaml.Node, out interface{}) bool {
+	if err := node.Decode(out); err != nil {
+		if OnDecodeNodeError != nil {
+			OnDecodeNodeError(node, out, err)
+		}
+		return false
+	}
+	return true
+}
--- a/pkg/model/workflow_test.go
+++ b/pkg/model/workflow_test.go
@@ -147,20 +147,81 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - run: echo
-  remote-reusable-workflow:
-    runs-on: ubuntu-latest
-    uses: remote/repo/.github/workflows/workflow.yml@main
-  local-reusable-workflow:
-    runs-on: ubuntu-latest
-    uses: ./.github/workflows/workflow.yml
+  remote-reusable-workflow-yml:
+    uses: remote/repo/some/path/to/workflow.yml@main
+  remote-reusable-workflow-yaml:
+    uses: remote/repo/some/path/to/workflow.yaml@main
+  remote-reusable-workflow-custom-path:
+    uses: remote/repo/path/to/workflow.yml@main
+  local-reusable-workflow-yml:
+    uses: ./some/path/to/workflow.yml
+  local-reusable-workflow-yaml:
+    uses: ./some/path/to/workflow.yaml
 `

 	workflow, err := ReadWorkflow(strings.NewReader(yaml))
 	assert.NoError(t, err, "read workflow should succeed")
-	assert.Len(t, workflow.Jobs, 3)
-	assert.Equal(t, workflow.Jobs["default-job"].Type(), JobTypeDefault)
-	assert.Equal(t, workflow.Jobs["remote-reusable-workflow"].Type(), JobTypeReusableWorkflowRemote)
-	assert.Equal(t, workflow.Jobs["local-reusable-workflow"].Type(), JobTypeReusableWorkflowLocal)
+	assert.Len(t, workflow.Jobs, 6)
+
+	jobType, err := workflow.Jobs["default-job"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeDefault, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-custom-path"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
+}
+
+func TestReadWorkflow_JobTypes_InvalidPath(t *testing.T) {
+	yaml := `
+name: invalid job definition
+
+jobs:
+  remote-reusable-workflow-missing-version:
+    uses: remote/repo/some/path/to/workflow.yml
+  remote-reusable-workflow-bad-extension:
+    uses: remote/repo/some/path/to/workflow.json
+  local-reusable-workflow-bad-extension:
+    uses: ./some/path/to/workflow.json
+  local-reusable-workflow-bad-path:
+    uses: some/path/to/workflow.yaml
+`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	assert.Len(t, workflow.Jobs, 4)
+
+	jobType, err := workflow.Jobs["remote-reusable-workflow-missing-version"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-bad-path"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
 }

 func TestReadWorkflow_StepsTypes(t *testing.T) {
@@ -241,7 +302,8 @@ func TestReadWorkflow_Strategy(t *testing.T) {
 	w, err := NewWorkflowPlanner("testdata/strategy/push.yml", true)
 	assert.NoError(t, err)

-	p := w.PlanJob("strategy-only-max-parallel")
+	p, err := w.PlanJob("strategy-only-max-parallel")
+	assert.NoError(t, err)

 	assert.Equal(t, len(p.Stages), 1)
 	assert.Equal(t, len(p.Stages[0].Runs), 1)
@@ -249,25 +311,33 @@ func TestReadWorkflow_Strategy(t *testing.T) {
 	wf := p.Stages[0].Runs[0].Workflow

 	job := wf.Jobs["strategy-only-max-parallel"]
-	assert.Equal(t, job.GetMatrixes(), []map[string]interface{}{{}})
+	matrixes, err := job.GetMatrixes()
+	assert.NoError(t, err)
+	assert.Equal(t, matrixes, []map[string]interface{}{{}})
 	assert.Equal(t, job.Matrix(), map[string][]interface{}(nil))
 	assert.Equal(t, job.Strategy.MaxParallel, 2)
 	assert.Equal(t, job.Strategy.FailFast, true)

 	job = wf.Jobs["strategy-only-fail-fast"]
-	assert.Equal(t, job.GetMatrixes(), []map[string]interface{}{{}})
+	matrixes, err = job.GetMatrixes()
+	assert.NoError(t, err)
+	assert.Equal(t, matrixes, []map[string]interface{}{{}})
 	assert.Equal(t, job.Matrix(), map[string][]interface{}(nil))
 	assert.Equal(t, job.Strategy.MaxParallel, 4)
 	assert.Equal(t, job.Strategy.FailFast, false)

 	job = wf.Jobs["strategy-no-matrix"]
-	assert.Equal(t, job.GetMatrixes(), []map[string]interface{}{{}})
+	matrixes, err = job.GetMatrixes()
+	assert.NoError(t, err)
+	assert.Equal(t, matrixes, []map[string]interface{}{{}})
 	assert.Equal(t, job.Matrix(), map[string][]interface{}(nil))
 	assert.Equal(t, job.Strategy.MaxParallel, 2)
 	assert.Equal(t, job.Strategy.FailFast, false)

 	job = wf.Jobs["strategy-all"]
-	assert.Equal(t, job.GetMatrixes(),
+	matrixes, err = job.GetMatrixes()
+	assert.NoError(t, err)
+	assert.Equal(t, matrixes,
 		[]map[string]interface{}{
 			{"datacenter": "site-c", "node-version": "14.x", "site": "staging"},
 			{"datacenter": "site-c", "node-version": "16.x", "site": "staging"},
--- a/pkg/runner/action.go
+++ b/pkg/runner/action.go
@@ -14,6 +14,7 @@ import (
 	"strings"

 	"github.com/kballard/go-shellquote"
+
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
@@ -30,6 +31,7 @@ type actionStep interface {
 type readAction func(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error)

 type actionYamlReader func(filename string) (io.Reader, io.Closer, error)
+
 type fileWriter func(filename string, data []byte, perm fs.FileMode) error

 type runAction func(step actionStep, actionDir string, remoteAction *remoteAction) common.Executor
@@ -61,7 +63,7 @@ func readActionImpl(ctx context.Context, step *model.Step, actionDir string, act
 					if b, err = trampoline.ReadFile("res/trampoline.js"); err != nil {
 						return nil, err
 					}
-					err2 := writeFile(filepath.Join(actionDir, actionPath, "trampoline.js"), b, 0400)
+					err2 := writeFile(filepath.Join(actionDir, actionPath, "trampoline.js"), b, 0o400)
 					if err2 != nil {
 						return nil, err2
 					}
@@ -154,6 +156,8 @@ func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction
 			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Main)}
 			logger.Debugf("executing remote job container: %s", containerArgs)

+			rc.ApplyExtraPath(ctx, step.getEnv())
+
 			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)
 		case model.ActionRunsUsingDocker:
 			location := actionLocation
@@ -178,7 +182,7 @@ func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction
 	}
 }

-func setupActionEnv(ctx context.Context, step actionStep, remoteAction *remoteAction) error {
+func setupActionEnv(ctx context.Context, step actionStep, _ *remoteAction) error {
 	rc := step.getRunContext()

 	// A few fields in the environment (e.g. GITHUB_ACTION_REPOSITORY)
@@ -219,14 +223,17 @@ func execAsDocker(ctx context.Context, step actionStep, actionName string, based

 	var prepImage common.Executor
 	var image string
+	forcePull := false
 	if strings.HasPrefix(action.Runs.Image, "docker://") {
 		image = strings.TrimPrefix(action.Runs.Image, "docker://")
+		// Apply forcePull only for prebuild docker images
+		forcePull = rc.Config.ForcePull
 	} else {
 		// "-dockeraction" enshures that "./", "./test " won't get converted to "act-:latest", "act-test-:latest" which are invalid docker image names
 		image = fmt.Sprintf("%s-dockeraction:%s", regexp.MustCompile("[^a-zA-Z0-9]").ReplaceAllString(actionName, "-"), "latest")
 		image = fmt.Sprintf("act-%s", strings.TrimLeft(image, "-"))
 		image = strings.ToLower(image)
-		contextDir := filepath.Join(basedir, action.Runs.Main)
+		contextDir, fileName := filepath.Split(filepath.Join(basedir, action.Runs.Image))

 		anyArchExists, err := container.ImageExistsLocally(ctx, image, "any")
 		if err != nil {
@@ -256,6 +263,7 @@ func execAsDocker(ctx context.Context, step actionStep, actionName string, based
 			}
 			prepImage = container.NewDockerBuildExecutor(container.NewDockerBuildExecutorInput{
 				ContextDir: contextDir,
+				Dockerfile: fileName,
 				ImageTag:   image,
 				Container:  actionContainer,
 				Platform:   rc.Config.ContainerArchitecture,
@@ -287,7 +295,7 @@ func execAsDocker(ctx context.Context, step actionStep, actionName string, based
 	stepContainer := newStepContainer(ctx, step, image, cmd, entrypoint)
 	return common.NewPipelineExecutor(
 		prepImage,
-		stepContainer.Pull(rc.Config.ForcePull),
+		stepContainer.Pull(forcePull),
 		stepContainer.Remove().IfBool(!rc.Config.ReuseContainers),
 		stepContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 		stepContainer.Start(true),
@@ -311,13 +319,13 @@ func evalDockerArgs(ctx context.Context, step step, action *model.Action, cmd *[
 			inputs[k] = eval.Interpolate(ctx, v)
 		}
 	}
-	mergeIntoMap(step.getEnv(), inputs)
+	mergeIntoMap(step, step.getEnv(), inputs)

 	stepEE := rc.NewStepExpressionEvaluator(ctx, step)
 	for i, v := range *cmd {
 		(*cmd)[i] = stepEE.Interpolate(ctx, v)
 	}
-	mergeIntoMap(step.getEnv(), action.Runs.Env)
+	mergeIntoMap(step, step.getEnv(), action.Runs.Env)

 	ee := rc.NewStepExpressionEvaluator(ctx, step)
 	for k, v := range *step.getEnv() {
@@ -348,7 +356,10 @@ func newStepContainer(ctx context.Context, step step, image string, cmd []string
 	envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_TEMP", "/tmp"))

 	binds, mounts := rc.GetBindsAndMounts()
-
+	networkMode := fmt.Sprintf("container:%s", rc.jobContainerName())
+	if rc.IsHostEnv(ctx) {
+		networkMode = "default"
+	}
 	stepContainer := container.NewContainer(&container.NewContainerInput{
 		Cmd:         cmd,
 		Entrypoint:  entrypoint,
@@ -359,21 +370,22 @@ func newStepContainer(ctx context.Context, step step, image string, cmd []string
 		Name:        createContainerName(rc.jobContainerName(), stepModel.ID),
 		Env:         envList,
 		Mounts:      mounts,
-		NetworkMode: fmt.Sprintf("container:%s", rc.jobContainerName()),
+		NetworkMode: networkMode,
 		Binds:       binds,
 		Stdout:      logWriter,
 		Stderr:      logWriter,
 		Privileged:  rc.Config.Privileged,
 		UsernsMode:  rc.Config.UsernsMode,
 		Platform:    rc.Config.ContainerArchitecture,
+		Options:     rc.Config.ContainerOptions,
 	})
 	return stepContainer
 }

 func populateEnvsFromSavedState(env *map[string]string, step actionStep, rc *RunContext) {
-	stepResult := rc.StepResults[step.getStepModel().ID]
-	if stepResult != nil {
-		for name, value := range stepResult.State {
+	state, ok := rc.IntraActionState[step.getStepModel().ID]
+	if ok {
+		for name, value := range state {
 			envName := fmt.Sprintf("STATE_%s", name)
 			(*env)[envName] = value
 		}
@@ -463,7 +475,7 @@ func runPreStep(step actionStep) common.Executor {
 			var actionPath string
 			if _, ok := step.(*stepActionRemote); ok {
 				actionPath = newRemoteAction(stepModel.Uses).Path
-				actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), strings.ReplaceAll(stepModel.Uses, "/", "-"))
+				actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(stepModel.Uses))
 			} else {
 				actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
 				actionPath = ""
@@ -485,6 +497,8 @@ func runPreStep(step actionStep) common.Executor {
 			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Pre)}
 			logger.Debugf("executing remote job container: %s", containerArgs)

+			rc.ApplyExtraPath(ctx, step.getEnv())
+
 			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)

 		case model.ActionRunsUsingComposite:
@@ -492,7 +506,10 @@ func runPreStep(step actionStep) common.Executor {
 				step.getCompositeRunContext(ctx)
 			}

-			return step.getCompositeSteps().pre(ctx)
+			if steps := step.getCompositeSteps(); steps != nil && steps.pre != nil {
+				return steps.pre(ctx)
+			}
+			return fmt.Errorf("missing steps in composite action")

 		default:
 			return nil
@@ -549,7 +566,7 @@ func runPostStep(step actionStep) common.Executor {
 		var actionPath string
 		if _, ok := step.(*stepActionRemote); ok {
 			actionPath = newRemoteAction(stepModel.Uses).Path
-			actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), strings.ReplaceAll(stepModel.Uses, "/", "-"))
+			actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(stepModel.Uses))
 		} else {
 			actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
 			actionPath = ""
@@ -572,6 +589,8 @@ func runPostStep(step actionStep) common.Executor {
 			containerArgs := []string{"node", path.Join(containerActionDir, action.Runs.Post)}
 			logger.Debugf("executing remote job container: %s", containerArgs)

+			rc.ApplyExtraPath(ctx, step.getEnv())
+
 			return rc.execJobContainer(containerArgs, *step.getEnv(), "", "")(ctx)

 		case model.ActionRunsUsingComposite:
@@ -579,7 +598,10 @@ func runPostStep(step actionStep) common.Executor {
 				return err
 			}

-			return step.getCompositeSteps().post(ctx)
+			if steps := step.getCompositeSteps(); steps != nil && steps.post != nil {
+				return steps.post(ctx)
+			}
+			return fmt.Errorf("missing steps in composite action")

 		default:
 			return nil
--- a/pkg/runner/action_composite.go
+++ b/pkg/runner/action_composite.go
@@ -66,6 +66,7 @@ func newCompositeRunContext(ctx context.Context, parent *RunContext, step action
 		JobContainer: parent.JobContainer,
 		ActionPath:   actionPath,
 		Env:          env,
+		GlobalEnv:    parent.GlobalEnv,
 		Masks:        parent.Masks,
 		ExtraPath:    parent.ExtraPath,
 		Parent:       parent,
@@ -85,6 +86,10 @@ func execAsComposite(step actionStep) common.Executor {

 		steps := step.getCompositeSteps()

+		if steps == nil || steps.main == nil {
+			return fmt.Errorf("missing steps in composite action")
+		}
+
 		ctx = WithCompositeLogger(ctx, &compositeRC.Masks)

 		err := steps.main(ctx)
@@ -99,6 +104,16 @@ func execAsComposite(step actionStep) common.Executor {

 		rc.Masks = append(rc.Masks, compositeRC.Masks...)
 		rc.ExtraPath = compositeRC.ExtraPath
+		// compositeRC.Env is dirty, contains INPUT_ and merged step env, only rely on compositeRC.GlobalEnv
+		mergeIntoMap := mergeIntoMapCaseSensitive
+		if rc.JobContainer.IsEnvironmentCaseInsensitive() {
+			mergeIntoMap = mergeIntoMapCaseInsensitive
+		}
+		if rc.GlobalEnv == nil {
+			rc.GlobalEnv = map[string]string{}
+		}
+		mergeIntoMap(rc.GlobalEnv, compositeRC.GlobalEnv)
+		mergeIntoMap(rc.Env, compositeRC.GlobalEnv)

 		return err
 	}
--- a/pkg/runner/action_test.go
+++ b/pkg/runner/action_test.go
@@ -201,10 +201,11 @@ func TestActionRunner(t *testing.T) {
 					},
 					CurrentStep: "post-step",
 					StepResults: map[string]*model.StepResult{
+						"step": {},
+					},
+					IntraActionState: map[string]map[string]string{
 						"step": {
-							State: map[string]string{
-								"name": "state value",
-							},
+							"name": "state value",
 						},
 					},
 				},
--- a/pkg/runner/command.go
+++ b/pkg/runner/command.go
@@ -16,22 +16,27 @@ func init() {
 	commandPatternADO = regexp.MustCompile("^##\\[([^ ]+)( (.+))?]([^\r\n]*)[\r\n]+$")
 }

+func tryParseRawActionCommand(line string) (command string, kvPairs map[string]string, arg string, ok bool) {
+	if m := commandPatternGA.FindStringSubmatch(line); m != nil {
+		command = m[1]
+		kvPairs = parseKeyValuePairs(m[3], ",")
+		arg = m[4]
+		ok = true
+	} else if m := commandPatternADO.FindStringSubmatch(line); m != nil {
+		command = m[1]
+		kvPairs = parseKeyValuePairs(m[3], ";")
+		arg = m[4]
+		ok = true
+	}
+	return
+}
+
 func (rc *RunContext) commandHandler(ctx context.Context) common.LineHandler {
 	logger := common.Logger(ctx)
 	resumeCommand := ""
 	return func(line string) bool {
-		var command string
-		var kvPairs map[string]string
-		var arg string
-		if m := commandPatternGA.FindStringSubmatch(line); m != nil {
-			command = m[1]
-			kvPairs = parseKeyValuePairs(m[3], ",")
-			arg = m[4]
-		} else if m := commandPatternADO.FindStringSubmatch(line); m != nil {
-			command = m[1]
-			kvPairs = parseKeyValuePairs(m[3], ";")
-			arg = m[4]
-		} else {
+		command, kvPairs, arg, ok := tryParseRawActionCommand(line)
+		if !ok {
 			return true
 		}

@@ -66,6 +71,8 @@ func (rc *RunContext) commandHandler(ctx context.Context) common.LineHandler {
 		case "save-state":
 			logger.Infof("  \U0001f4be  %s", line)
 			rc.saveState(ctx, kvPairs, arg)
+		case "add-matcher":
+			logger.Infof("  \U00002753 add-matcher %s", arg)
 		default:
 			logger.Infof("  \U00002753  %s", line)
 		}
@@ -75,11 +82,23 @@ func (rc *RunContext) commandHandler(ctx context.Context) common.LineHandler {
 }

 func (rc *RunContext) setEnv(ctx context.Context, kvPairs map[string]string, arg string) {
-	common.Logger(ctx).Infof("  \U00002699  ::set-env:: %s=%s", kvPairs["name"], arg)
+	name := kvPairs["name"]
+	common.Logger(ctx).Infof("  \U00002699  ::set-env:: %s=%s", name, arg)
 	if rc.Env == nil {
 		rc.Env = make(map[string]string)
 	}
-	rc.Env[kvPairs["name"]] = arg
+	if rc.GlobalEnv == nil {
+		rc.GlobalEnv = map[string]string{}
+	}
+	newenv := map[string]string{
+		name: arg,
+	}
+	mergeIntoMap := mergeIntoMapCaseSensitive
+	if rc.JobContainer != nil && rc.JobContainer.IsEnvironmentCaseInsensitive() {
+		mergeIntoMap = mergeIntoMapCaseInsensitive
+	}
+	mergeIntoMap(rc.Env, newenv)
+	mergeIntoMap(rc.GlobalEnv, newenv)
 }
 func (rc *RunContext) setOutput(ctx context.Context, kvPairs map[string]string, arg string) {
 	logger := common.Logger(ctx)
@@ -101,7 +120,13 @@ func (rc *RunContext) setOutput(ctx context.Context, kvPairs map[string]string,
 }
 func (rc *RunContext) addPath(ctx context.Context, arg string) {
 	common.Logger(ctx).Infof("  \U00002699  ::add-path:: %s", arg)
-	rc.ExtraPath = append(rc.ExtraPath, arg)
+	extraPath := []string{arg}
+	for _, v := range rc.ExtraPath {
+		if v != arg {
+			extraPath = append(extraPath, v)
+		}
+	}
+	rc.ExtraPath = extraPath
 }

 func parseKeyValuePairs(kvPairs string, separator string) map[string]string {
@@ -146,14 +171,17 @@ func unescapeKvPairs(kvPairs map[string]string) map[string]string {
 	return kvPairs
 }

-func (rc *RunContext) saveState(ctx context.Context, kvPairs map[string]string, arg string) {
-	if rc.CurrentStep != "" {
-		stepResult := rc.StepResults[rc.CurrentStep]
-		if stepResult != nil {
-			if stepResult.State == nil {
-				stepResult.State = map[string]string{}
-			}
-			stepResult.State[kvPairs["name"]] = arg
+func (rc *RunContext) saveState(_ context.Context, kvPairs map[string]string, arg string) {
+	stepID := rc.CurrentStep
+	if stepID != "" {
+		if rc.IntraActionState == nil {
+			rc.IntraActionState = map[string]map[string]string{}
 		}
+		state, ok := rc.IntraActionState[stepID]
+		if !ok {
+			state = map[string]string{}
+			rc.IntraActionState[stepID] = state
+		}
+		state[kvPairs["name"]] = arg
 	}
 }
--- a/pkg/runner/command_test.go
+++ b/pkg/runner/command_test.go
@@ -64,7 +64,7 @@ func TestAddpath(t *testing.T) {
 	a.Equal("/zoo", rc.ExtraPath[0])

 	handler("::add-path::/boo\n")
-	a.Equal("/boo", rc.ExtraPath[1])
+	a.Equal("/boo", rc.ExtraPath[0])
 }

 func TestStopCommands(t *testing.T) {
@@ -102,7 +102,7 @@ func TestAddpathADO(t *testing.T) {
 	a.Equal("/zoo", rc.ExtraPath[0])

 	handler("##[add-path]/boo\n")
-	a.Equal("/boo", rc.ExtraPath[1])
+	a.Equal("/boo", rc.ExtraPath[0])
 }

 func TestAddmask(t *testing.T) {
@@ -177,11 +177,7 @@ func TestAddmaskUsemask(t *testing.T) {
 func TestSaveState(t *testing.T) {
 	rc := &RunContext{
 		CurrentStep: "step",
-		StepResults: map[string]*model.StepResult{
-			"step": {
-				State: map[string]string{},
-			},
-		},
+		StepResults: map[string]*model.StepResult{},
 	}

 	ctx := context.Background()
@@ -189,5 +185,5 @@ func TestSaveState(t *testing.T) {
 	handler := rc.commandHandler(ctx)
 	handler("::save-state name=state-name::state-value\n")

-	assert.Equal(t, "state-value", rc.StepResults["step"].State["state-name"])
+	assert.Equal(t, "state-value", rc.IntraActionState["step"]["state-name"])
 }
--- a/pkg/runner/container_mock_test.go
+++ b/pkg/runner/container_mock_test.go
@@ -2,6 +2,7 @@ package runner

 import (
 	"context"
+	"io"

 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
@@ -49,11 +50,6 @@ func (cm *containerMock) UpdateFromImageEnv(env *map[string]string) common.Execu
 	return args.Get(0).(func(context.Context) error)
 }

-func (cm *containerMock) UpdateFromPath(env *map[string]string) common.Executor {
-	args := cm.Called(env)
-	return args.Get(0).(func(context.Context) error)
-}
-
 func (cm *containerMock) Copy(destPath string, files ...*container.FileEntry) common.Executor {
 	args := cm.Called(destPath, files)
 	return args.Get(0).(func(context.Context) error)
@@ -63,7 +59,17 @@ func (cm *containerMock) CopyDir(destPath string, srcPath string, useGitIgnore b
 	args := cm.Called(destPath, srcPath, useGitIgnore)
 	return args.Get(0).(func(context.Context) error)
 }
+
 func (cm *containerMock) Exec(command []string, env map[string]string, user, workdir string) common.Executor {
 	args := cm.Called(command, env, user, workdir)
 	return args.Get(0).(func(context.Context) error)
 }
+
+func (cm *containerMock) GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error) {
+	args := cm.Called(ctx, srcPath)
+	err, hasErr := args.Get(1).(error)
+	if !hasErr {
+		err = nil
+	}
+	return args.Get(0).(io.ReadCloser), err
+}
--- a/pkg/runner/expression.go
+++ b/pkg/runner/expression.go
@@ -21,8 +21,14 @@ type ExpressionEvaluator interface {

 // NewExpressionEvaluator creates a new evaluator
 func (rc *RunContext) NewExpressionEvaluator(ctx context.Context) ExpressionEvaluator {
+	return rc.NewExpressionEvaluatorWithEnv(ctx, rc.GetEnv())
+}
+
+func (rc *RunContext) NewExpressionEvaluatorWithEnv(ctx context.Context, env map[string]string) ExpressionEvaluator {
+	var workflowCallResult map[string]*model.WorkflowCallResult
+
 	// todo: cleanup EvaluationEnvironment creation
-	using := make(map[string]map[string]map[string]string)
+	using := make(map[string]exprparser.Needs)
 	strategy := make(map[string]interface{})
 	if rc.Run != nil {
 		job := rc.Run.Job()
@@ -35,8 +41,26 @@ func (rc *RunContext) NewExpressionEvaluator(ctx context.Context) ExpressionEval
 		jobNeeds := rc.Run.Job().Needs()

 		for _, needs := range jobNeeds {
-			using[needs] = map[string]map[string]string{
-				"outputs": jobs[needs].Outputs,
+			using[needs] = exprparser.Needs{
+				Outputs: jobs[needs].Outputs,
+				Result:  jobs[needs].Result,
+			}
+		}
+
+		// only setup jobs context in case of workflow_call
+		// and existing expression evaluator (this means, jobs are at
+		// least ready to run)
+		if rc.caller != nil && rc.ExprEval != nil {
+			workflowCallResult = map[string]*model.WorkflowCallResult{}
+
+			for jobName, job := range jobs {
+				result := model.WorkflowCallResult{
+					Outputs: map[string]string{},
+				}
+				for k, v := range job.Outputs {
+					result.Outputs[k] = v
+				}
+				workflowCallResult[jobName] = &result
 			}
 		}
 	}
@@ -46,12 +70,14 @@ func (rc *RunContext) NewExpressionEvaluator(ctx context.Context) ExpressionEval

 	ee := &exprparser.EvaluationEnvironment{
 		Github: ghc,
-		Env:    rc.GetEnv(),
+		Env:    env,
 		Job:    rc.getJobContext(),
+		Jobs:   &workflowCallResult,
 		// todo: should be unavailable
 		// but required to interpolate/evaluate the step outputs on the job
 		Steps:    rc.getStepsContext(),
-		Secrets:  rc.Config.Secrets,
+		Secrets:  getWorkflowSecrets(ctx, rc),
+		Vars:     getWorkflowVars(ctx, rc),
 		Strategy: strategy,
 		Matrix:   rc.Matrix,
 		Needs:    using,
@@ -82,10 +108,11 @@ func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step)
 	jobs := rc.Run.Workflow.Jobs
 	jobNeeds := rc.Run.Job().Needs()

-	using := make(map[string]map[string]map[string]string)
+	using := make(map[string]exprparser.Needs)
 	for _, needs := range jobNeeds {
-		using[needs] = map[string]map[string]string{
-			"outputs": jobs[needs].Outputs,
+		using[needs] = exprparser.Needs{
+			Outputs: jobs[needs].Outputs,
+			Result:  jobs[needs].Result,
 		}
 	}

@@ -97,7 +124,8 @@ func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step)
 		Env:      *step.getEnv(),
 		Job:      rc.getJobContext(),
 		Steps:    rc.getStepsContext(),
-		Secrets:  rc.Config.Secrets,
+		Secrets:  getWorkflowSecrets(ctx, rc),
+		Vars:     getWorkflowVars(ctx, rc),
 		Strategy: strategy,
 		Matrix:   rc.Matrix,
 		Needs:    using,
@@ -132,67 +160,117 @@ func (ee expressionEvaluator) evaluate(ctx context.Context, in string, defaultSt
 	return evaluated, err
 }

-func (ee expressionEvaluator) evaluateScalarYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateScalarYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
 	var in string
 	if err := node.Decode(&in); err != nil {
-		return err
+		return nil, err
 	}
 	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
-		return nil
+		return nil, nil
 	}
 	expr, _ := rewriteSubExpression(ctx, in, false)
 	res, err := ee.evaluate(ctx, expr, exprparser.DefaultStatusCheckNone)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return node.Encode(res)
+	ret := &yaml.Node{}
+	if err := ret.Encode(res); err != nil {
+		return nil, err
+	}
+	return ret, err
 }

-func (ee expressionEvaluator) evaluateMappingYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateMappingYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
 	// GitHub has this undocumented feature to merge maps, called insert directive
 	insertDirective := regexp.MustCompile(`\${{\s*insert\s*}}`)
-	for i := 0; i < len(node.Content)/2; {
+	for i := 0; i < len(node.Content)/2; i++ {
+		changed := func() error {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return err
+				}
+				ret.Content = ret.Content[:i*2]
+			}
+			return nil
+		}
 		k := node.Content[i*2]
 		v := node.Content[i*2+1]
-		if err := ee.EvaluateYamlNode(ctx, v); err != nil {
-			return err
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v)
+		if err != nil {
+			return nil, err
+		}
+		if ev != nil {
+			if err := changed(); err != nil {
+				return nil, err
+			}
+		} else {
+			ev = v
 		}
 		var sk string
 		// Merge the nested map of the insert directive
 		if k.Decode(&sk) == nil && insertDirective.MatchString(sk) {
-			node.Content = append(append(node.Content[:i*2], v.Content...), node.Content[(i+1)*2:]...)
-			i += len(v.Content) / 2
-		} else {
-			if err := ee.EvaluateYamlNode(ctx, k); err != nil {
-				return err
+			if ev.Kind != yaml.MappingNode {
+				return nil, fmt.Errorf("failed to insert node %v into mapping %v unexpected type %v expected MappingNode", ev, node, ev.Kind)
+			}
+			if err := changed(); err != nil {
+				return nil, err
+			}
+			ret.Content = append(ret.Content, ev.Content...)
+		} else {
+			ek, err := ee.evaluateYamlNodeInternal(ctx, k)
+			if err != nil {
+				return nil, err
+			}
+			if ek != nil {
+				if err := changed(); err != nil {
+					return nil, err
+				}
+			} else {
+				ek = k
+			}
+			if ret != nil {
+				ret.Content = append(ret.Content, ek, ev)
 			}
-			i++
 		}
 	}
-	return nil
+	return ret, nil
 }

-func (ee expressionEvaluator) evaluateSequenceYamlNode(ctx context.Context, node *yaml.Node) error {
-	for i := 0; i < len(node.Content); {
+func (ee expressionEvaluator) evaluateSequenceYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
+	for i := 0; i < len(node.Content); i++ {
 		v := node.Content[i]
 		// Preserve nested sequences
 		wasseq := v.Kind == yaml.SequenceNode
-		if err := ee.EvaluateYamlNode(ctx, v); err != nil {
-			return err
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v)
+		if err != nil {
+			return nil, err
 		}
-		// GitHub has this undocumented feature to merge sequences / arrays
-		// We have a nested sequence via evaluation, merge the arrays
-		if v.Kind == yaml.SequenceNode && !wasseq {
-			node.Content = append(append(node.Content[:i], v.Content...), node.Content[i+1:]...)
-			i += len(v.Content)
-		} else {
-			i++
+		if ev != nil {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return nil, err
+				}
+				ret.Content = ret.Content[:i]
+			}
+			// GitHub has this undocumented feature to merge sequences / arrays
+			// We have a nested sequence via evaluation, merge the arrays
+			if ev.Kind == yaml.SequenceNode && !wasseq {
+				ret.Content = append(ret.Content, ev.Content...)
+			} else {
+				ret.Content = append(ret.Content, ev)
+			}
+		} else if ret != nil {
+			ret.Content = append(ret.Content, v)
 		}
 	}
-	return nil
+	return ret, nil
 }

-func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateYamlNodeInternal(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
 	switch node.Kind {
 	case yaml.ScalarNode:
 		return ee.evaluateScalarYamlNode(ctx, node)
@@ -201,10 +279,21 @@ func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.N
 	case yaml.SequenceNode:
 		return ee.evaluateSequenceYamlNode(ctx, node)
 	default:
-		return nil
+		return nil, nil
 	}
 }

+func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.Node) error {
+	ret, err := ee.evaluateYamlNodeInternal(ctx, node)
+	if err != nil {
+		return err
+	}
+	if ret != nil {
+		return ret.Decode(node)
+	}
+	return nil
+}
+
 func (ee expressionEvaluator) Interpolate(ctx context.Context, in string) string {
 	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
 		return in
@@ -308,9 +397,12 @@ func rewriteSubExpression(ctx context.Context, in string, forceFormat bool) (str
 	return out, nil
 }

+//nolint:gocyclo
 func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *model.GithubContext) map[string]interface{} {
 	inputs := map[string]interface{}{}

+	setupWorkflowInputs(ctx, &inputs, rc)
+
 	var env map[string]string
 	if step != nil {
 		env = *step.getEnv()
@@ -341,5 +433,76 @@ func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *mod
 		}
 	}

+	if ghc.EventName == "workflow_call" {
+		config := rc.Run.Workflow.WorkflowCallConfig()
+		if config != nil && config.Inputs != nil {
+			for k, v := range config.Inputs {
+				value := nestedMapLookup(ghc.Event, "inputs", k)
+				if value == nil {
+					value = v.Default
+				}
+				if v.Type == "boolean" {
+					inputs[k] = value == "true"
+				} else {
+					inputs[k] = value
+				}
+			}
+		}
+	}
 	return inputs
 }
+
+func setupWorkflowInputs(ctx context.Context, inputs *map[string]interface{}, rc *RunContext) {
+	if rc.caller != nil {
+		config := rc.Run.Workflow.WorkflowCallConfig()
+
+		for name, input := range config.Inputs {
+			value := rc.caller.runContext.Run.Job().With[name]
+			if value != nil {
+				if str, ok := value.(string); ok {
+					// evaluate using the calling RunContext (outside)
+					value = rc.caller.runContext.ExprEval.Interpolate(ctx, str)
+				}
+			}
+
+			if value == nil && config != nil && config.Inputs != nil {
+				value = input.Default
+				if rc.ExprEval != nil {
+					if str, ok := value.(string); ok {
+						// evaluate using the called RunContext (inside)
+						value = rc.ExprEval.Interpolate(ctx, str)
+					}
+				}
+			}
+
+			(*inputs)[name] = value
+		}
+	}
+}
+
+func getWorkflowSecrets(ctx context.Context, rc *RunContext) map[string]string {
+	if rc.caller != nil {
+		job := rc.caller.runContext.Run.Job()
+		secrets := job.Secrets()
+
+		if secrets == nil && job.InheritSecrets() {
+			secrets = rc.caller.runContext.Config.Secrets
+		}
+
+		if secrets == nil {
+			secrets = map[string]string{}
+		}
+
+		for k, v := range secrets {
+			secrets[k] = rc.caller.runContext.ExprEval.Interpolate(ctx, v)
+		}
+
+		return secrets
+	}
+
+	return rc.Config.Secrets
+}
+
+func getWorkflowVars(_ context.Context, rc *RunContext) map[string]string {
+	return rc.Config.Vars
+}
--- a/pkg/runner/expression_test.go
+++ b/pkg/runner/expression_test.go
@@ -28,6 +28,9 @@ func createRunContext(t *testing.T) *RunContext {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"key": "value",
@@ -122,6 +125,8 @@ func TestEvaluateRunContext(t *testing.T) {
 		{"env.key", "value", ""},
 		{"secrets.CASE_INSENSITIVE_SECRET", "value", ""},
 		{"secrets.case_insensitive_secret", "value", ""},
+		{"vars.CASE_INSENSITIVE_VAR", "value", ""},
+		{"vars.case_insensitive_var", "value", ""},
 		{"format('{{0}}', 'test')", "{0}", ""},
 		{"format('{{{0}}}', 'test')", "{test}", ""},
 		{"format('}}')", "}", ""},
@@ -195,6 +200,9 @@ func TestInterpolate(t *testing.T) {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"KEYWITHNOTHING":       "valuewithnothing",
@@ -229,6 +237,8 @@ func TestInterpolate(t *testing.T) {
 		{" ${{ env.KEY_WITH_UNDERSCORES }} ", " value_with_underscores "},
 		{"${{ secrets.CASE_INSENSITIVE_SECRET }}", "value"},
 		{"${{ secrets.case_insensitive_secret }}", "value"},
+		{"${{ vars.CASE_INSENSITIVE_VAR }}", "value"},
+		{"${{ vars.case_insensitive_var }}", "value"},
 		{"${{ env.UNKNOWN }}", ""},
 		{"${{ env.SOMETHING_TRUE }}", "true"},
 		{"${{ env.SOMETHING_FALSE }}", "false"},
--- a/pkg/runner/job_executor.go
+++ b/pkg/runner/job_executor.go
@@ -95,21 +95,18 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 	}

 	postExecutor = postExecutor.Finally(func(ctx context.Context) error {
-		logger := common.Logger(ctx)
 		jobError := common.JobError(ctx)
-		if jobError != nil {
-			info.result("failure")
-			logger.WithField("jobResult", "failure").Infof("\U0001F3C1  Job failed")
-		} else {
-			err := info.stopContainer()(ctx)
-			if err != nil {
-				return err
-			}
-			info.result("success")
-			logger.WithField("jobResult", "success").Infof("\U0001F3C1  Job succeeded")
+		var err error
+		if rc.Config.AutoRemove || jobError == nil {
+			// always allow 1 min for stopping and removing the runner, even if we were cancelled
+			ctx, cancel := context.WithTimeout(common.WithLogger(context.Background(), common.Logger(ctx)), time.Minute)
+			defer cancel()
+			err = info.stopContainer()(ctx) //nolint:contextcheck
 		}
+		setJobResult(ctx, info, rc, jobError == nil)
+		setJobOutputs(ctx, rc)

-		return nil
+		return err
 	})

 	pipeline := make([]common.Executor, 0)
@@ -117,12 +114,12 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 	pipeline = append(pipeline, steps...)

 	return common.NewPipelineExecutor(info.startContainer(), common.NewPipelineExecutor(pipeline...).
-		Finally(func(ctx context.Context) error {
+		Finally(func(ctx context.Context) error { //nolint:contextcheck
 			var cancel context.CancelFunc
 			if ctx.Err() == context.Canceled {
 				// in case of an aborted run, we still should execute the
 				// post steps to allow cleanup.
-				ctx, cancel = context.WithTimeout(WithJobLogger(context.Background(), rc.Run.JobID, rc.String(), rc.Config, &rc.Masks, rc.Matrix), 5*time.Minute)
+				ctx, cancel = context.WithTimeout(common.WithLogger(context.Background(), common.Logger(ctx)), 5*time.Minute)
 				defer cancel()
 			}
 			return postExecutor(ctx)
@@ -131,6 +128,49 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 		Finally(info.closeContainer()))
 }

+func setJobResult(ctx context.Context, info jobInfo, rc *RunContext, success bool) {
+	logger := common.Logger(ctx)
+
+	jobResult := "success"
+	// we have only one result for a whole matrix build, so we need
+	// to keep an existing result state if we run a matrix
+	if len(info.matrix()) > 0 && rc.Run.Job().Result != "" {
+		jobResult = rc.Run.Job().Result
+	}
+
+	if !success {
+		jobResult = "failure"
+	}
+
+	info.result(jobResult)
+	if rc.caller != nil {
+		// set reusable workflow job result
+		rc.caller.runContext.result(jobResult)
+	}
+
+	jobResultMessage := "succeeded"
+	if jobResult != "success" {
+		jobResultMessage = "failed"
+	}
+
+	logger.WithField("jobResult", jobResult).Infof("\U0001F3C1  Job %s", jobResultMessage)
+}
+
+func setJobOutputs(ctx context.Context, rc *RunContext) {
+	if rc.caller != nil {
+		// map outputs for reusable workflows
+		callerOutputs := make(map[string]string)
+
+		ee := rc.NewExpressionEvaluator(ctx)
+
+		for k, v := range rc.Run.Workflow.WorkflowCallConfig().Outputs {
+			callerOutputs[k] = ee.Interpolate(ctx, ee.Interpolate(ctx, v.Value))
+		}
+
+		rc.caller.runContext.Run.Job().Outputs = callerOutputs
+	}
+}
+
 func useStepLogger(rc *RunContext, stepModel *model.Step, stage stepStage, executor common.Executor) common.Executor {
 	return func(ctx context.Context) error {
 		ctx = withStepLogger(ctx, stepModel.ID, rc.ExprEval.Interpolate(ctx, stepModel.String()), stage.String())
--- a/pkg/runner/job_executor_test.go
+++ b/pkg/runner/job_executor_test.go
@@ -15,15 +15,15 @@ import (

 func TestJobExecutor(t *testing.T) {
 	tables := []TestJobFileInfo{
-		{workdir, "uses-and-run-in-one-step", "push", "Invalid run/uses syntax for job:test step:Test", platforms},
-		{workdir, "uses-github-empty", "push", "Expected format {org}/{repo}[/path]@ref", platforms},
-		{workdir, "uses-github-noref", "push", "Expected format {org}/{repo}[/path]@ref", platforms},
-		{workdir, "uses-github-root", "push", "", platforms},
-		{workdir, "uses-github-path", "push", "", platforms},
-		{workdir, "uses-docker-url", "push", "", platforms},
-		{workdir, "uses-github-full-sha", "push", "", platforms},
-		{workdir, "uses-github-short-sha", "push", "Unable to resolve action `actions/hello-world-docker-action@b136eb8`, the provided ref `b136eb8` is the shortened version of a commit SHA, which is not supported. Please use the full commit SHA `b136eb8894c5cb1dd5807da824be97ccdf9b5423` instead", platforms},
-		{workdir, "job-nil-step", "push", "invalid Step 0: missing run or uses key", platforms},
+		{workdir, "uses-and-run-in-one-step", "push", "Invalid run/uses syntax for job:test step:Test", platforms, secrets},
+		{workdir, "uses-github-empty", "push", "Expected format {org}/{repo}[/path]@ref", platforms, secrets},
+		{workdir, "uses-github-noref", "push", "Expected format {org}/{repo}[/path]@ref", platforms, secrets},
+		{workdir, "uses-github-root", "push", "", platforms, secrets},
+		{workdir, "uses-github-path", "push", "", platforms, secrets},
+		{workdir, "uses-docker-url", "push", "", platforms, secrets},
+		{workdir, "uses-github-full-sha", "push", "", platforms, secrets},
+		{workdir, "uses-github-short-sha", "push", "Unable to resolve action `actions/hello-world-docker-action@b136eb8`, the provided ref `b136eb8` is the shortened version of a commit SHA, which is not supported. Please use the full commit SHA `b136eb8894c5cb1dd5807da824be97ccdf9b5423` instead", platforms, secrets},
+		{workdir, "job-nil-step", "push", "invalid Step 0: missing run or uses key", platforms, secrets},
 	}
 	// These tests are sufficient to only check syntax.
 	ctx := common.WithDryrun(context.Background(), true)
@@ -82,7 +82,7 @@ type jobContainerMock struct {
 	container.LinuxContainerEnvironmentExtensions
 }

-func (jcm *jobContainerMock) ReplaceLogWriter(stdout, stderr io.Writer) (io.Writer, io.Writer) {
+func (jcm *jobContainerMock) ReplaceLogWriter(_, _ io.Writer) (io.Writer, io.Writer) {
 	return nil, nil
 }

--- a/pkg/runner/logger.go
+++ b/pkg/runner/logger.go
@@ -57,31 +57,49 @@ func WithMasks(ctx context.Context, masks *[]string) context.Context {
 	return context.WithValue(ctx, masksContextKeyVal, masks)
 }

+type JobLoggerFactory interface {
+	WithJobLogger() *logrus.Logger
+}
+
+type jobLoggerFactoryContextKey string
+
+var jobLoggerFactoryContextKeyVal = (jobLoggerFactoryContextKey)("jobloggerkey")
+
+func WithJobLoggerFactory(ctx context.Context, factory JobLoggerFactory) context.Context {
+	return context.WithValue(ctx, jobLoggerFactoryContextKeyVal, factory)
+}
+
 // WithJobLogger attaches a new logger to context that is aware of steps
 func WithJobLogger(ctx context.Context, jobID string, jobName string, config *Config, masks *[]string, matrix map[string]interface{}) context.Context {
-	mux.Lock()
-	defer mux.Unlock()
-
-	var formatter logrus.Formatter
-	if config.JSONLogger {
-		formatter = &jobLogJSONFormatter{
-			formatter: &logrus.JSONFormatter{},
-			masker:    valueMasker(config.InsecureSecrets, config.Secrets),
-		}
-	} else {
-		formatter = &jobLogFormatter{
-			color:  colors[nextColor%len(colors)],
-			masker: valueMasker(config.InsecureSecrets, config.Secrets),
-		}
-	}
-
-	nextColor++
 	ctx = WithMasks(ctx, masks)

-	logger := logrus.New()
-	logger.SetFormatter(formatter)
-	logger.SetOutput(os.Stdout)
-	logger.SetLevel(logrus.GetLevel())
+	var logger *logrus.Logger
+	if jobLoggerFactory, ok := ctx.Value(jobLoggerFactoryContextKeyVal).(JobLoggerFactory); ok && jobLoggerFactory != nil {
+		logger = jobLoggerFactory.WithJobLogger()
+	} else {
+		var formatter logrus.Formatter
+		if config.JSONLogger {
+			formatter = &logrus.JSONFormatter{}
+		} else {
+			mux.Lock()
+			defer mux.Unlock()
+			nextColor++
+			formatter = &jobLogFormatter{
+				color:          colors[nextColor%len(colors)],
+				logPrefixJobID: config.LogPrefixJobID,
+			}
+		}
+
+		logger = logrus.New()
+		logger.SetOutput(os.Stdout)
+		logger.SetLevel(logrus.GetLevel())
+		logger.SetFormatter(formatter)
+	}
+
+	logger.SetFormatter(&maskedFormatter{
+		Formatter: logger.Formatter,
+		masker:    valueMasker(config.InsecureSecrets, config.Secrets),
+	})
 	rtn := logger.WithFields(logrus.Fields{
 		"job":    jobName,
 		"jobID":  jobID,
@@ -149,16 +167,23 @@ func valueMasker(insecureSecrets bool, secrets map[string]string) entryProcessor
 	}
 }

-type jobLogFormatter struct {
-	color  int
+type maskedFormatter struct {
+	logrus.Formatter
 	masker entryProcessor
 }

+func (f *maskedFormatter) Format(entry *logrus.Entry) ([]byte, error) {
+	return f.Formatter.Format(f.masker(entry))
+}
+
+type jobLogFormatter struct {
+	color          int
+	logPrefixJobID bool
+}
+
 func (f *jobLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
 	b := &bytes.Buffer{}

-	entry = f.masker(entry)
-
 	if f.isColored(entry) {
 		f.printColored(b, entry)
 	} else {
@@ -171,7 +196,14 @@ func (f *jobLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {

 func (f *jobLogFormatter) printColored(b *bytes.Buffer, entry *logrus.Entry) {
 	entry.Message = strings.TrimSuffix(entry.Message, "\n")
-	jobName := entry.Data["job"]
+
+	var job any
+	if f.logPrefixJobID {
+		job = entry.Data["jobID"]
+	} else {
+		job = entry.Data["job"]
+	}
+
 	debugFlag := ""
 	if entry.Level == logrus.DebugLevel {
 		debugFlag = "[DEBUG] "
@@ -180,26 +212,33 @@ func (f *jobLogFormatter) printColored(b *bytes.Buffer, entry *logrus.Entry) {
 	if entry.Data["raw_output"] == true {
 		fmt.Fprintf(b, "\x1b[%dm|\x1b[0m %s", f.color, entry.Message)
 	} else if entry.Data["dryrun"] == true {
-		fmt.Fprintf(b, "\x1b[1m\x1b[%dm\x1b[7m*DRYRUN*\x1b[0m \x1b[%dm[%s] \x1b[0m%s%s", gray, f.color, jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "\x1b[1m\x1b[%dm\x1b[7m*DRYRUN*\x1b[0m \x1b[%dm[%s] \x1b[0m%s%s", gray, f.color, job, debugFlag, entry.Message)
 	} else {
-		fmt.Fprintf(b, "\x1b[%dm[%s] \x1b[0m%s%s", f.color, jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "\x1b[%dm[%s] \x1b[0m%s%s", f.color, job, debugFlag, entry.Message)
 	}
 }

 func (f *jobLogFormatter) print(b *bytes.Buffer, entry *logrus.Entry) {
 	entry.Message = strings.TrimSuffix(entry.Message, "\n")
-	jobName := entry.Data["job"]
+
+	var job any
+	if f.logPrefixJobID {
+		job = entry.Data["jobID"]
+	} else {
+		job = entry.Data["job"]
+	}
+
 	debugFlag := ""
 	if entry.Level == logrus.DebugLevel {
 		debugFlag = "[DEBUG] "
 	}

 	if entry.Data["raw_output"] == true {
-		fmt.Fprintf(b, "[%s]   | %s", jobName, entry.Message)
+		fmt.Fprintf(b, "[%s]   | %s", job, entry.Message)
 	} else if entry.Data["dryrun"] == true {
-		fmt.Fprintf(b, "*DRYRUN* [%s] %s%s", jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "*DRYRUN* [%s] %s%s", job, debugFlag, entry.Message)
 	} else {
-		fmt.Fprintf(b, "[%s] %s%s", jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "[%s] %s%s", job, debugFlag, entry.Message)
 	}
 }

@@ -225,12 +264,3 @@ func checkIfTerminal(w io.Writer) bool {
 		return false
 	}
 }
-
-type jobLogJSONFormatter struct {
-	masker    entryProcessor
-	formatter *logrus.JSONFormatter
-}
-
-func (f *jobLogJSONFormatter) Format(entry *logrus.Entry) ([]byte, error) {
-	return f.formatter.Format(f.masker(entry))
-}
--- a/pkg/runner/reusable_workflow.go
+++ b/pkg/runner/reusable_workflow.go
@@ -0,0 +1,135 @@
+package runner
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"path"
+	"regexp"
+	"sync"
+
+	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/common/git"
+	"github.com/nektos/act/pkg/model"
+)
+
+func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
+	return newReusableWorkflowExecutor(rc, rc.Config.Workdir, rc.Run.Job().Uses)
+}
+
+func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
+	uses := rc.Run.Job().Uses
+
+	remoteReusableWorkflow := newRemoteReusableWorkflow(uses)
+	if remoteReusableWorkflow == nil {
+		return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.github/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
+	}
+
+	// uses with safe filename makes the target directory look something like this {owner}-{repo}-.github-workflows-{filename}@{ref}
+	// instead we will just use {owner}-{repo}@{ref} as our target directory. This should also improve performance when we are using
+	// multiple reusable workflows from the same repository and ref since for each workflow we won't have to clone it again
+	filename := fmt.Sprintf("%s/%s@%s", remoteReusableWorkflow.Org, remoteReusableWorkflow.Repo, remoteReusableWorkflow.Ref)
+	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(filename))
+
+	return common.NewPipelineExecutor(
+		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir)),
+		newReusableWorkflowExecutor(rc, workflowDir, fmt.Sprintf("./.github/workflows/%s", remoteReusableWorkflow.Filename)),
+	)
+}
+
+var (
+	executorLock sync.Mutex
+)
+
+func newMutexExecutor(executor common.Executor) common.Executor {
+	return func(ctx context.Context) error {
+		executorLock.Lock()
+		defer executorLock.Unlock()
+
+		return executor(ctx)
+	}
+}
+
+func cloneIfRequired(rc *RunContext, remoteReusableWorkflow remoteReusableWorkflow, targetDirectory string) common.Executor {
+	return common.NewConditionalExecutor(
+		func(ctx context.Context) bool {
+			_, err := os.Stat(targetDirectory)
+			notExists := errors.Is(err, fs.ErrNotExist)
+			return notExists
+		},
+		func(ctx context.Context) error {
+			remoteReusableWorkflow.URL = rc.getGithubContext(ctx).ServerURL
+			return git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
+				URL:   remoteReusableWorkflow.CloneURL(),
+				Ref:   remoteReusableWorkflow.Ref,
+				Dir:   targetDirectory,
+				Token: rc.Config.Token,
+			})(ctx)
+		},
+		nil,
+	)
+}
+
+func newReusableWorkflowExecutor(rc *RunContext, directory string, workflow string) common.Executor {
+	return func(ctx context.Context) error {
+		planner, err := model.NewWorkflowPlanner(path.Join(directory, workflow), true)
+		if err != nil {
+			return err
+		}
+
+		plan, err := planner.PlanEvent("workflow_call")
+		if err != nil {
+			return err
+		}
+
+		runner, err := NewReusableWorkflowRunner(rc)
+		if err != nil {
+			return err
+		}
+
+		return runner.NewPlanExecutor(plan)(ctx)
+	}
+}
+
+func NewReusableWorkflowRunner(rc *RunContext) (Runner, error) {
+	runner := &runnerImpl{
+		config:    rc.Config,
+		eventJSON: rc.EventJSON,
+		caller: &caller{
+			runContext: rc,
+		},
+	}
+
+	return runner.configure()
+}
+
+type remoteReusableWorkflow struct {
+	URL      string
+	Org      string
+	Repo     string
+	Filename string
+	Ref      string
+}
+
+func (r *remoteReusableWorkflow) CloneURL() string {
+	return fmt.Sprintf("%s/%s/%s", r.URL, r.Org, r.Repo)
+}
+
+func newRemoteReusableWorkflow(uses string) *remoteReusableWorkflow {
+	// GitHub docs:
+	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
+	r := regexp.MustCompile(`^([^/]+)/([^/]+)/.github/workflows/([^@]+)@(.*)$`)
+	matches := r.FindStringSubmatch(uses)
+	if len(matches) != 5 {
+		return nil
+	}
+	return &remoteReusableWorkflow{
+		Org:      matches[1],
+		Repo:     matches[2],
+		Filename: matches[3],
+		Ref:      matches[4],
+		URL:      "https://github.com",
+	}
+}
--- a/pkg/runner/run_context.go
+++ b/pkg/runner/run_context.go
@@ -1,24 +1,25 @@
 package runner

 import (
+	"archive/tar"
+	"bufio"
 	"context"
 	"crypto/rand"
+	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"regexp"
 	"runtime"
 	"strings"

-	"github.com/mitchellh/go-homedir"
 	"github.com/opencontainers/selinux/go-selinux"
-	log "github.com/sirupsen/logrus"

 	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/common/git"
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/exprparser"
 	"github.com/nektos/act/pkg/model"
@@ -32,9 +33,11 @@ type RunContext struct {
 	Run                 *model.Run
 	EventJSON           string
 	Env                 map[string]string
+	GlobalEnv           map[string]string // to pass env changes of GITHUB_ENV and set-env correctly, due to dirty Env field
 	ExtraPath           []string
 	CurrentStep         string
 	StepResults         map[string]*model.StepResult
+	IntraActionState    map[string]map[string]string
 	ExprEval            ExpressionEvaluator
 	JobContainer        container.ExecutionsEnvironment
 	OutputMappings      map[MappableOutput]MappableOutput
@@ -43,6 +46,7 @@ type RunContext struct {
 	Parent              *RunContext
 	Masks               []string
 	cleanUpJobContainer common.Executor
+	caller              *caller // job calling this RunContext (reusable workflows)
 }

 func (rc *RunContext) AddMask(mask string) {
@@ -55,7 +59,13 @@ type MappableOutput struct {
 }

 func (rc *RunContext) String() string {
-	return fmt.Sprintf("%s/%s", rc.Run.Workflow.Name, rc.Name)
+	name := fmt.Sprintf("%s/%s", rc.Run.Workflow.Name, rc.Name)
+	if rc.caller != nil {
+		// prefix the reusable workflow with the caller job
+		// this is required to create unique container names
+		name = fmt.Sprintf("%s/%s", rc.caller.runContext.Run.JobID, name)
+	}
+	return name
 }

 // GetEnv returns the env for the context
@@ -77,6 +87,24 @@ func (rc *RunContext) jobContainerName() string {
 	return createContainerName("act", rc.String())
 }

+func getDockerDaemonSocketMountPath(daemonPath string) string {
+	if protoIndex := strings.Index(daemonPath, "://"); protoIndex != -1 {
+		scheme := daemonPath[:protoIndex]
+		if strings.EqualFold(scheme, "npipe") {
+			// linux container mount on windows, use the default socket path of the VM / wsl2
+			return "/var/run/docker.sock"
+		} else if strings.EqualFold(scheme, "unix") {
+			return daemonPath[protoIndex+3:]
+		} else if strings.IndexFunc(scheme, func(r rune) bool {
+			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
+		}) == -1 {
+			// unknown protocol use default
+			return "/var/run/docker.sock"
+		}
+	}
+	return daemonPath
+}
+
 // Returns the binds and mounts for the container, resolving paths as appopriate
 func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 	name := rc.jobContainerName()
@@ -85,8 +113,10 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 		rc.Config.ContainerDaemonSocket = "/var/run/docker.sock"
 	}

-	binds := []string{
-		fmt.Sprintf("%s:%s", rc.Config.ContainerDaemonSocket, "/var/run/docker.sock"),
+	binds := []string{}
+	if rc.Config.ContainerDaemonSocket != "-" {
+		daemonPath := getDockerDaemonSocketMountPath(rc.Config.ContainerDaemonSocket)
+		binds = append(binds, fmt.Sprintf("%s:%s", daemonPath, "/var/run/docker.sock"))
 	}

 	ext := container.LinuxContainerEnvironmentExtensions{}
@@ -144,15 +174,15 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 		_, _ = rand.Read(randBytes)
 		miscpath := filepath.Join(cacheDir, hex.EncodeToString(randBytes))
 		actPath := filepath.Join(miscpath, "act")
-		if err := os.MkdirAll(actPath, 0777); err != nil {
+		if err := os.MkdirAll(actPath, 0o777); err != nil {
 			return err
 		}
 		path := filepath.Join(miscpath, "hostexecutor")
-		if err := os.MkdirAll(path, 0777); err != nil {
+		if err := os.MkdirAll(path, 0o777); err != nil {
 			return err
 		}
 		runnerTmp := filepath.Join(miscpath, "tmp")
-		if err := os.MkdirAll(runnerTmp, 0777); err != nil {
+		if err := os.MkdirAll(runnerTmp, 0o777); err != nil {
 			return err
 		}
 		toolCache := filepath.Join(cacheDir, "tool_cache")
@@ -168,29 +198,28 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 			StdOut: logWriter,
 		}
 		rc.cleanUpJobContainer = rc.JobContainer.Remove()
-		rc.Env["RUNNER_TOOL_CACHE"] = toolCache
-		rc.Env["RUNNER_OS"] = runtime.GOOS
-		rc.Env["RUNNER_ARCH"] = runtime.GOARCH
-		rc.Env["RUNNER_TEMP"] = runnerTmp
+		for k, v := range rc.JobContainer.GetRunnerContext(ctx) {
+			if v, ok := v.(string); ok {
+				rc.Env[fmt.Sprintf("RUNNER_%s", strings.ToUpper(k))] = v
+			}
+		}
 		for _, env := range os.Environ() {
-			i := strings.Index(env, "=")
-			if i > 0 {
-				rc.Env[env[0:i]] = env[i+1:]
+			if k, v, ok := strings.Cut(env, "="); ok {
+				// don't override
+				if _, ok := rc.Env[k]; !ok {
+					rc.Env[k] = v
+				}
 			}
 		}

 		return common.NewPipelineExecutor(
 			rc.JobContainer.Copy(rc.JobContainer.GetActPath()+"/", &container.FileEntry{
 				Name: "workflow/event.json",
-				Mode: 0644,
+				Mode: 0o644,
 				Body: rc.EventJSON,
 			}, &container.FileEntry{
 				Name: "workflow/envs.txt",
-				Mode: 0666,
-				Body: "",
-			}, &container.FileEntry{
-				Name: "workflow/paths.txt",
-				Mode: 0666,
+				Mode: 0o666,
 				Body: "",
 			}),
 		)(ctx)
@@ -225,6 +254,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
 		envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_OS", "Linux"))
 		envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_ARCH", container.RunnerArch(ctx)))
 		envList = append(envList, fmt.Sprintf("%s=%s", "RUNNER_TEMP", "/tmp"))
+		envList = append(envList, fmt.Sprintf("%s=%s", "LANG", "C.UTF-8")) // Use same locale as GitHub Actions

 		ext := container.LinuxContainerEnvironmentExtensions{}
 		binds, mounts := rc.GetBindsAndMounts()
@@ -240,7 +270,7 @@ func (rc *RunContext) startJobContainer() common.Executor {

 		rc.JobContainer = container.NewContainer(&container.NewContainerInput{
 			Cmd:         nil,
-			Entrypoint:  []string{"/usr/bin/tail", "-f", "/dev/null"},
+			Entrypoint:  []string{"tail", "-f", "/dev/null"},
 			WorkingDir:  ext.ToContainerPath(rc.Config.Workdir),
 			Image:       image,
 			Username:    username,
@@ -266,19 +296,13 @@ func (rc *RunContext) startJobContainer() common.Executor {
 			rc.stopJobContainer(),
 			rc.JobContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 			rc.JobContainer.Start(false),
-			rc.JobContainer.UpdateFromImageEnv(&rc.Env),
-			rc.JobContainer.UpdateFromEnv("/etc/environment", &rc.Env),
 			rc.JobContainer.Copy(rc.JobContainer.GetActPath()+"/", &container.FileEntry{
 				Name: "workflow/event.json",
-				Mode: 0644,
+				Mode: 0o644,
 				Body: rc.EventJSON,
 			}, &container.FileEntry{
 				Name: "workflow/envs.txt",
-				Mode: 0666,
-				Body: "",
-			}, &container.FileEntry{
-				Name: "workflow/paths.txt",
-				Mode: 0666,
+				Mode: 0o666,
 				Body: "",
 			}),
 		)(ctx)
@@ -291,6 +315,60 @@ func (rc *RunContext) execJobContainer(cmd []string, env map[string]string, user
 	}
 }

+func (rc *RunContext) ApplyExtraPath(ctx context.Context, env *map[string]string) {
+	if rc.ExtraPath != nil && len(rc.ExtraPath) > 0 {
+		path := rc.JobContainer.GetPathVariableName()
+		if rc.JobContainer.IsEnvironmentCaseInsensitive() {
+			// On windows system Path and PATH could also be in the map
+			for k := range *env {
+				if strings.EqualFold(path, k) {
+					path = k
+					break
+				}
+			}
+		}
+		if (*env)[path] == "" {
+			cenv := map[string]string{}
+			var cpath string
+			if err := rc.JobContainer.UpdateFromImageEnv(&cenv)(ctx); err == nil {
+				if p, ok := cenv[path]; ok {
+					cpath = p
+				}
+			}
+			if len(cpath) == 0 {
+				cpath = rc.JobContainer.DefaultPathVariable()
+			}
+			(*env)[path] = cpath
+		}
+		(*env)[path] = rc.JobContainer.JoinPathVariable(append(rc.ExtraPath, (*env)[path])...)
+	}
+}
+
+func (rc *RunContext) UpdateExtraPath(ctx context.Context, githubEnvPath string) error {
+	if common.Dryrun(ctx) {
+		return nil
+	}
+	pathTar, err := rc.JobContainer.GetContainerArchive(ctx, githubEnvPath)
+	if err != nil {
+		return err
+	}
+	defer pathTar.Close()
+
+	reader := tar.NewReader(pathTar)
+	_, err = reader.Next()
+	if err != nil && err != io.EOF {
+		return err
+	}
+	s := bufio.NewScanner(reader)
+	for s.Scan() {
+		line := s.Text()
+		if len(line) > 0 {
+			rc.addPath(ctx, line)
+		}
+	}
+	return nil
+}
+
 // stopJobContainer removes the job container (if it exists) and its volume (if it exists) if !rc.Config.ReuseContainers
 func (rc *RunContext) stopJobContainer() common.Executor {
 	return func(ctx context.Context) error {
@@ -305,13 +383,17 @@ func (rc *RunContext) stopJobContainer() common.Executor {

 // ActionCacheDir is for rc
 func (rc *RunContext) ActionCacheDir() string {
+	if rc.Config.ActionCacheDir != "" {
+		return rc.Config.ActionCacheDir
+	}
 	var xdgCache string
 	var ok bool
 	if xdgCache, ok = os.LookupEnv("XDG_CACHE_HOME"); !ok || xdgCache == "" {
-		if home, err := homedir.Dir(); err == nil {
+		if home, err := os.UserHomeDir(); err == nil {
 			xdgCache = filepath.Join(home, ".cache")
 		} else if xdgCache, err = filepath.Abs("."); err != nil {
-			log.Fatal(err)
+			// It's almost impossible to get here, so the temp dir is a good fallback
+			xdgCache = os.TempDir()
 		}
 	}
 	return filepath.Join(xdgCache, "act")
@@ -333,14 +415,19 @@ func (rc *RunContext) interpolateOutputs() common.Executor {

 func (rc *RunContext) startContainer() common.Executor {
 	return func(ctx context.Context) error {
-		image := rc.platformImage(ctx)
-		if strings.EqualFold(image, "-self-hosted") {
+		if rc.IsHostEnv(ctx) {
 			return rc.startHostEnvironment()(ctx)
 		}
 		return rc.startJobContainer()(ctx)
 	}
 }

+func (rc *RunContext) IsHostEnv(ctx context.Context) bool {
+	platform := rc.runsOnImage(ctx)
+	image := rc.containerImage(ctx)
+	return image == "" && strings.EqualFold(platform, "-self-hosted")
+}
+
 func (rc *RunContext) stopContainer() common.Executor {
 	return rc.stopJobContainer()
 }
@@ -367,22 +454,34 @@ func (rc *RunContext) steps() []*model.Step {
 }

 // Executor returns a pipeline executor for all the steps in the job
-func (rc *RunContext) Executor() common.Executor {
+func (rc *RunContext) Executor() (common.Executor, error) {
+	var executor common.Executor
+	var jobType, err = rc.Run.Job().Type()
+
+	switch jobType {
+	case model.JobTypeDefault:
+		executor = newJobExecutor(rc, &stepFactoryImpl{}, rc)
+	case model.JobTypeReusableWorkflowLocal:
+		executor = newLocalReusableWorkflowExecutor(rc)
+	case model.JobTypeReusableWorkflowRemote:
+		executor = newRemoteReusableWorkflowExecutor(rc)
+	case model.JobTypeInvalid:
+		return nil, err
+	}
+
 	return func(ctx context.Context) error {
-		isEnabled, err := rc.isEnabled(ctx)
+		res, err := rc.isEnabled(ctx)
 		if err != nil {
 			return err
 		}
-
-		if isEnabled {
-			return newJobExecutor(rc, &stepFactoryImpl{}, rc)(ctx)
+		if res {
+			return executor(ctx)
 		}
-
 		return nil
-	}
+	}, nil
 }

-func (rc *RunContext) platformImage(ctx context.Context) string {
+func (rc *RunContext) containerImage(ctx context.Context) string {
 	job := rc.Run.Job()

 	c := job.Container()
@@ -390,6 +489,12 @@ func (rc *RunContext) platformImage(ctx context.Context) string {
 		return rc.ExprEval.Interpolate(ctx, c.Image)
 	}

+	return ""
+}
+
+func (rc *RunContext) runsOnImage(ctx context.Context) string {
+	job := rc.Run.Job()
+
 	if job.RunsOn() == nil {
 		common.Logger(ctx).Errorf("'runs-on' key not defined in %s", rc.String())
 	}
@@ -405,11 +510,19 @@ func (rc *RunContext) platformImage(ctx context.Context) string {
 	return ""
 }

-func (rc *RunContext) options(ctx context.Context) string {
+func (rc *RunContext) platformImage(ctx context.Context) string {
+	if containerImage := rc.containerImage(ctx); containerImage != "" {
+		return containerImage
+	}
+
+	return rc.runsOnImage(ctx)
+}
+
+func (rc *RunContext) options(_ context.Context) string {
 	job := rc.Run.Job()
 	c := job.Container()
 	if c == nil {
-		return ""
+		return rc.Config.ContainerOptions
 	}

 	return c.Options
@@ -418,10 +531,19 @@ func (rc *RunContext) options(ctx context.Context) string {
 func (rc *RunContext) isEnabled(ctx context.Context) (bool, error) {
 	job := rc.Run.Job()
 	l := common.Logger(ctx)
-	runJob, err := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
-	if err != nil {
-		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, err)
+	runJob, runJobErr := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
+	jobType, jobTypeErr := job.Type()
+
+	if runJobErr != nil {
+		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, runJobErr)
 	}
+
+	if jobType == model.JobTypeInvalid {
+		return false, jobTypeErr
+	} else if jobType != model.JobTypeDefault {
+		return true, nil
+	}
+
 	if !runJob {
 		l.WithField("jobResult", "skipped").Debugf("Skipping job '%s' due to '%s'", job.Name, job.If.Value)
 		return false, nil
@@ -453,26 +575,16 @@ func mergeMaps(maps ...map[string]string) map[string]string {
 }

 func createContainerName(parts ...string) string {
-	name := make([]string, 0)
+	name := strings.Join(parts, "-")
 	pattern := regexp.MustCompile("[^a-zA-Z0-9]")
-	partLen := (30 / len(parts)) - 1
-	for i, part := range parts {
-		if i == len(parts)-1 {
-			name = append(name, pattern.ReplaceAllString(part, "-"))
-		} else {
-			// If any part has a '-<number>' on the end it is likely part of a matrix job.
-			// Let's preserve the number to prevent clashes in container names.
-			re := regexp.MustCompile("-[0-9]+$")
-			num := re.FindStringSubmatch(part)
-			if len(num) > 0 {
-				name = append(name, trimToLen(pattern.ReplaceAllString(part, "-"), partLen-len(num[0])))
-				name = append(name, num[0])
-			} else {
-				name = append(name, trimToLen(pattern.ReplaceAllString(part, "-"), partLen))
-			}
-		}
-	}
-	return strings.ReplaceAll(strings.Trim(strings.Join(name, "-"), "-"), "--", "-")
+	name = pattern.ReplaceAllString(name, "-")
+	name = strings.ReplaceAll(name, "--", "-")
+	hash := sha256.Sum256([]byte(name))
+
+	// SHA256 is 64 hex characters. So trim name to 63 characters to make room for the hash and separator
+	trimmedName := strings.Trim(trimToLen(name, 63), "-")
+
+	return fmt.Sprintf("%s-%x", trimmedName, hash)
 }

 func trimToLen(s string, l int) string {
@@ -513,11 +625,20 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 		EventName:        rc.Config.EventName,
 		Action:           rc.CurrentStep,
 		Token:            rc.Config.Token,
+		Job:              rc.Run.JobID,
 		ActionPath:       rc.ActionPath,
 		RepositoryOwner:  rc.Config.Env["GITHUB_REPOSITORY_OWNER"],
 		RetentionDays:    rc.Config.Env["GITHUB_RETENTION_DAYS"],
 		RunnerPerflog:    rc.Config.Env["RUNNER_PERFLOG"],
 		RunnerTrackingID: rc.Config.Env["RUNNER_TRACKING_ID"],
+		Repository:       rc.Config.Env["GITHUB_REPOSITORY"],
+		Ref:              rc.Config.Env["GITHUB_REF"],
+		Sha:              rc.Config.Env["SHA_REF"],
+		RefName:          rc.Config.Env["GITHUB_REF_NAME"],
+		RefType:          rc.Config.Env["GITHUB_REF_TYPE"],
+		BaseRef:          rc.Config.Env["GITHUB_BASE_REF"],
+		HeadRef:          rc.Config.Env["GITHUB_HEAD_REF"],
+		Workspace:        rc.Config.Env["GITHUB_WORKSPACE"],
 	}
 	if rc.JobContainer != nil {
 		ghc.EventPath = rc.JobContainer.GetActPath() + "/workflow/event.json"
@@ -546,38 +667,44 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 		ghc.Actor = "nektos/act"
 	}

-	repoPath := rc.Config.Workdir
-	repo, err := git.FindGithubRepo(ctx, repoPath, rc.Config.GitHubInstance, rc.Config.RemoteName)
-	if err != nil {
-		logger.Warningf("unable to get git repo: %v", err)
-	} else {
-		ghc.Repository = repo
-		if ghc.RepositoryOwner == "" {
-			ghc.RepositoryOwner = strings.Split(repo, "/")[0]
-		}
-	}
-
 	if rc.EventJSON != "" {
-		err = json.Unmarshal([]byte(rc.EventJSON), &ghc.Event)
+		err := json.Unmarshal([]byte(rc.EventJSON), &ghc.Event)
 		if err != nil {
 			logger.Errorf("Unable to Unmarshal event '%s': %v", rc.EventJSON, err)
 		}
 	}

-	if ghc.EventName == "pull_request" || ghc.EventName == "pull_request_target" {
-		ghc.BaseRef = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "ref"))
-		ghc.HeadRef = asString(nestedMapLookup(ghc.Event, "pull_request", "head", "ref"))
+	ghc.SetBaseAndHeadRef()
+	repoPath := rc.Config.Workdir
+	ghc.SetRepositoryAndOwner(ctx, rc.Config.GitHubInstance, rc.Config.RemoteName, repoPath)
+	if ghc.Ref == "" {
+		ghc.SetRef(ctx, rc.Config.DefaultBranch, repoPath)
+	}
+	if ghc.Sha == "" {
+		ghc.SetSha(ctx, repoPath)
 	}

-	ghc.SetRefAndSha(ctx, rc.Config.DefaultBranch, repoPath)
+	ghc.SetRefTypeAndName()

-	// https://docs.github.com/en/actions/learn-github-actions/environment-variables
-	if strings.HasPrefix(ghc.Ref, "refs/tags/") {
-		ghc.RefType = "tag"
-		ghc.RefName = ghc.Ref[len("refs/tags/"):]
-	} else if strings.HasPrefix(ghc.Ref, "refs/heads/") {
-		ghc.RefType = "branch"
-		ghc.RefName = ghc.Ref[len("refs/heads/"):]
+	// defaults
+	ghc.ServerURL = "https://github.com"
+	ghc.APIURL = "https://api.github.com"
+	ghc.GraphQLURL = "https://api.github.com/graphql"
+	// per GHES
+	if rc.Config.GitHubInstance != "github.com" {
+		ghc.ServerURL = fmt.Sprintf("https://%s", rc.Config.GitHubInstance)
+		ghc.APIURL = fmt.Sprintf("https://%s/api/v3", rc.Config.GitHubInstance)
+		ghc.GraphQLURL = fmt.Sprintf("https://%s/api/graphql", rc.Config.GitHubInstance)
+	}
+	// allow to be overridden by user
+	if rc.Config.Env["GITHUB_SERVER_URL"] != "" {
+		ghc.ServerURL = rc.Config.Env["GITHUB_SERVER_URL"]
+	}
+	if rc.Config.Env["GITHUB_API_URL"] != "" {
+		ghc.APIURL = rc.Config.Env["GITHUB_API_URL"]
+	}
+	if rc.Config.Env["GITHUB_GRAPHQL_URL"] != "" {
+		ghc.GraphQLURL = rc.Config.Env["GITHUB_GRAPHQL_URL"]
 	}

 	return ghc
@@ -609,15 +736,6 @@ func isLocalCheckout(ghc *model.GithubContext, step *model.Step) bool {
 	return true
 }

-func asString(v interface{}) string {
-	if v == nil {
-		return ""
-	} else if s, ok := v.(string); ok {
-		return s
-	}
-	return ""
-}
-
 func nestedMapLookup(m map[string]interface{}, ks ...string) (rval interface{}) {
 	var ok bool

@@ -637,8 +755,6 @@ func nestedMapLookup(m map[string]interface{}, ks ...string) (rval interface{})

 func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubContext, env map[string]string) map[string]string {
 	env["CI"] = "true"
-	env["GITHUB_ENV"] = rc.JobContainer.GetActPath() + "/workflow/envs.txt"
-	env["GITHUB_PATH"] = rc.JobContainer.GetActPath() + "/workflow/paths.txt"
 	env["GITHUB_WORKFLOW"] = github.Workflow
 	env["GITHUB_RUN_ID"] = github.RunID
 	env["GITHUB_RUN_NUMBER"] = github.RunNumber
@@ -657,21 +773,16 @@ func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubCon
 	env["GITHUB_REF_NAME"] = github.RefName
 	env["GITHUB_REF_TYPE"] = github.RefType
 	env["GITHUB_TOKEN"] = github.Token
-	env["GITHUB_SERVER_URL"] = "https://github.com"
-	env["GITHUB_API_URL"] = "https://api.github.com"
-	env["GITHUB_GRAPHQL_URL"] = "https://api.github.com/graphql"
-	env["GITHUB_BASE_REF"] = github.BaseRef
-	env["GITHUB_HEAD_REF"] = github.HeadRef
-	env["GITHUB_JOB"] = rc.JobName
+	env["GITHUB_JOB"] = github.Job
 	env["GITHUB_REPOSITORY_OWNER"] = github.RepositoryOwner
 	env["GITHUB_RETENTION_DAYS"] = github.RetentionDays
 	env["RUNNER_PERFLOG"] = github.RunnerPerflog
 	env["RUNNER_TRACKING_ID"] = github.RunnerTrackingID
-	if rc.Config.GitHubInstance != "github.com" {
-		env["GITHUB_SERVER_URL"] = fmt.Sprintf("https://%s", rc.Config.GitHubInstance)
-		env["GITHUB_API_URL"] = fmt.Sprintf("https://%s/api/v3", rc.Config.GitHubInstance)
-		env["GITHUB_GRAPHQL_URL"] = fmt.Sprintf("https://%s/api/graphql", rc.Config.GitHubInstance)
-	}
+	env["GITHUB_BASE_REF"] = github.BaseRef
+	env["GITHUB_HEAD_REF"] = github.HeadRef
+	env["GITHUB_SERVER_URL"] = github.ServerURL
+	env["GITHUB_API_URL"] = github.APIURL
+	env["GITHUB_GRAPHQL_URL"] = github.GraphQLURL

 	if rc.Config.ArtifactServerPath != "" {
 		setActionRuntimeVars(rc, env)
@@ -699,7 +810,7 @@ func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubCon
 func setActionRuntimeVars(rc *RunContext, env map[string]string) {
 	actionsRuntimeURL := os.Getenv("ACTIONS_RUNTIME_URL")
 	if actionsRuntimeURL == "" {
-		actionsRuntimeURL = fmt.Sprintf("http://%s:%s/", common.GetOutboundIP().String(), rc.Config.ArtifactServerPort)
+		actionsRuntimeURL = fmt.Sprintf("http://%s:%s/", rc.Config.ArtifactServerAddr, rc.Config.ArtifactServerPort)
 	}
 	env["ACTIONS_RUNTIME_URL"] = actionsRuntimeURL

@@ -710,35 +821,35 @@ func setActionRuntimeVars(rc *RunContext, env map[string]string) {
 	env["ACTIONS_RUNTIME_TOKEN"] = actionsRuntimeToken
 }

-func (rc *RunContext) handleCredentials(ctx context.Context) (username, password string, err error) {
+func (rc *RunContext) handleCredentials(ctx context.Context) (string, string, error) {
 	// TODO: remove below 2 lines when we can release act with breaking changes
-	username = rc.Config.Secrets["DOCKER_USERNAME"]
-	password = rc.Config.Secrets["DOCKER_PASSWORD"]
+	username := rc.Config.Secrets["DOCKER_USERNAME"]
+	password := rc.Config.Secrets["DOCKER_PASSWORD"]

 	container := rc.Run.Job().Container()
 	if container == nil || container.Credentials == nil {
-		return
+		return username, password, nil
 	}

 	if container.Credentials != nil && len(container.Credentials) != 2 {
-		err = fmt.Errorf("invalid property count for key 'credentials:'")
-		return
+		err := fmt.Errorf("invalid property count for key 'credentials:'")
+		return "", "", err
 	}

 	ee := rc.NewExpressionEvaluator(ctx)
 	if username = ee.Interpolate(ctx, container.Credentials["username"]); username == "" {
-		err = fmt.Errorf("failed to interpolate container.credentials.username")
-		return
+		err := fmt.Errorf("failed to interpolate container.credentials.username")
+		return "", "", err
 	}
 	if password = ee.Interpolate(ctx, container.Credentials["password"]); password == "" {
-		err = fmt.Errorf("failed to interpolate container.credentials.password")
-		return
+		err := fmt.Errorf("failed to interpolate container.credentials.password")
+		return "", "", err
 	}

 	if container.Credentials["username"] == "" || container.Credentials["password"] == "" {
-		err = fmt.Errorf("container.credentials cannot be empty")
-		return
+		err := fmt.Errorf("container.credentials cannot be empty")
+		return "", "", err
 	}

-	return username, password, err
+	return username, password, nil
 }
--- a/pkg/runner/run_context_test.go
+++ b/pkg/runner/run_context_test.go
@@ -144,6 +144,7 @@ func TestRunContext_EvalBool(t *testing.T) {
 		// Check github context
 		{in: "github.actor == 'nektos/act'", out: true},
 		{in: "github.actor == 'unknown'", out: false},
+		{in: "github.job == 'job1'", out: true},
 		// The special ACT flag
 		{in: "${{ env.ACT }}", out: true},
 		{in: "${{ !env.ACT }}", out: false},
@@ -364,6 +365,7 @@ func TestGetGitHubContext(t *testing.T) {
 		StepResults:    map[string]*model.StepResult{},
 		OutputMappings: map[MappableOutput]MappableOutput{},
 	}
+	rc.Run.JobID = "job1"

 	ghc := rc.getGithubContext(context.Background())

@@ -392,6 +394,7 @@ func TestGetGitHubContext(t *testing.T) {
 	assert.Equal(t, ghc.RepositoryOwner, owner)
 	assert.Equal(t, ghc.RunnerPerflog, "/dev/null")
 	assert.Equal(t, ghc.Token, rc.Config.Secrets["GITHUB_TOKEN"])
+	assert.Equal(t, ghc.Job, "job1")
 }

 func TestGetGithubContextRef(t *testing.T) {
@@ -410,7 +413,7 @@ func TestGetGithubContextRef(t *testing.T) {
 		{event: "pull_request_target", json: `{"pull_request":{"base":{"ref": "main"}}}`, ref: "refs/heads/main"},
 		{event: "deployment", json: `{"deployment": {"ref": "tag-name"}}`, ref: "tag-name"},
 		{event: "deployment_status", json: `{"deployment": {"ref": "tag-name"}}`, ref: "tag-name"},
-		{event: "release", json: `{"release": {"tag_name": "tag-name"}}`, ref: "tag-name"},
+		{event: "release", json: `{"release": {"tag_name": "tag-name"}}`, ref: "refs/tags/tag-name"},
 	}

 	for _, data := range table {
--- a/pkg/runner/runner.go
+++ b/pkg/runner/runner.go
@@ -2,14 +2,14 @@ package runner

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
-	"time"
+	"runtime"

 	log "github.com/sirupsen/logrus"

 	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
 )

@@ -20,42 +20,54 @@ type Runner interface {

 // Config contains the config for a new runner
 type Config struct {
-	Actor                              string            // the user that triggered the event
-	Workdir                            string            // path to working directory
-	BindWorkdir                        bool              // bind the workdir to the job container
-	EventName                          string            // name of event to run
-	EventPath                          string            // path to JSON file to use for event.json in containers
-	DefaultBranch                      string            // name of the main branch for this repository
-	ReuseContainers                    bool              // reuse containers to maintain state
-	ForcePull                          bool              // force pulling of the image, even if already present
-	ForceRebuild                       bool              // force rebuilding local docker image action
-	LogOutput                          bool              // log the output from docker run
-	JSONLogger                         bool              // use json or text logger
-	Env                                map[string]string // env for containers
-	Secrets                            map[string]string // list of secrets
-	Token                              string            // GitHub token
-	InsecureSecrets                    bool              // switch hiding output when printing to terminal
-	Platforms                          map[string]string // list of platforms
-	Privileged                         bool              // use privileged mode
-	UsernsMode                         string            // user namespace to use
-	ContainerArchitecture              string            // Desired OS/architecture platform for running containers
-	ContainerDaemonSocket              string            // Path to Docker daemon socket
-	UseGitIgnore                       bool              // controls if paths in .gitignore should not be copied into container, default true
-	GitHubInstance                     string            // GitHub instance to use, default "github.com"
-	ContainerCapAdd                    []string          // list of kernel capabilities to add to the containers
-	ContainerCapDrop                   []string          // list of kernel capabilities to remove from the containers
-	AutoRemove                         bool              // controls if the container is automatically removed upon workflow completion
-	ArtifactServerPath                 string            // the path where the artifact server stores uploads
-	ArtifactServerPort                 string            // the port the artifact server binds to
-	NoSkipCheckout                     bool              // do not skip actions/checkout
-	RemoteName                         string            // remote name in local git repo config
-	ReplaceGheActionWithGithubCom      []string          // Use actions from GitHub Enterprise instance to GitHub
-	ReplaceGheActionTokenWithGithubCom string            // Token of private action repo on GitHub.
+	Actor                              string                     // the user that triggered the event
+	Workdir                            string                     // path to working directory
+	ActionCacheDir                     string                     // path used for caching action contents
+	BindWorkdir                        bool                       // bind the workdir to the job container
+	EventName                          string                     // name of event to run
+	EventPath                          string                     // path to JSON file to use for event.json in containers
+	DefaultBranch                      string                     // name of the main branch for this repository
+	ReuseContainers                    bool                       // reuse containers to maintain state
+	ForcePull                          bool                       // force pulling of the image, even if already present
+	ForceRebuild                       bool                       // force rebuilding local docker image action
+	LogOutput                          bool                       // log the output from docker run
+	JSONLogger                         bool                       // use json or text logger
+	LogPrefixJobID                     bool                       // switches from the full job name to the job id
+	Env                                map[string]string          // env for containers
+	Inputs                             map[string]string          // manually passed action inputs
+	Secrets                            map[string]string          // list of secrets
+	Vars                               map[string]string          // list of vars
+	Token                              string                     // GitHub token
+	InsecureSecrets                    bool                       // switch hiding output when printing to terminal
+	Platforms                          map[string]string          // list of platforms
+	Privileged                         bool                       // use privileged mode
+	UsernsMode                         string                     // user namespace to use
+	ContainerArchitecture              string                     // Desired OS/architecture platform for running containers
+	ContainerDaemonSocket              string                     // Path to Docker daemon socket
+	ContainerOptions                   string                     // Options for the job container
+	UseGitIgnore                       bool                       // controls if paths in .gitignore should not be copied into container, default true
+	GitHubInstance                     string                     // GitHub instance to use, default "github.com"
+	ContainerCapAdd                    []string                   // list of kernel capabilities to add to the containers
+	ContainerCapDrop                   []string                   // list of kernel capabilities to remove from the containers
+	AutoRemove                         bool                       // controls if the container is automatically removed upon workflow completion
+	ArtifactServerPath                 string                     // the path where the artifact server stores uploads
+	ArtifactServerAddr                 string                     // the address the artifact server binds to
+	ArtifactServerPort                 string                     // the port the artifact server binds to
+	NoSkipCheckout                     bool                       // do not skip actions/checkout
+	RemoteName                         string                     // remote name in local git repo config
+	ReplaceGheActionWithGithubCom      []string                   // Use actions from GitHub Enterprise instance to GitHub
+	ReplaceGheActionTokenWithGithubCom string                     // Token of private action repo on GitHub.
+	Matrix                             map[string]map[string]bool // Matrix config to run
+}
+
+type caller struct {
+	runContext *RunContext
 }

 type runnerImpl struct {
 	config    *Config
 	eventJSON string
+	caller    *caller // the job calling this runner (caller of a reusable workflow)
 }

 // New Creates a new Runner
@@ -64,45 +76,91 @@ func New(runnerConfig *Config) (Runner, error) {
 		config: runnerConfig,
 	}

+	return runner.configure()
+}
+
+func (runner *runnerImpl) configure() (Runner, error) {
 	runner.eventJSON = "{}"
-	if runnerConfig.EventPath != "" {
+	if runner.config.EventPath != "" {
 		log.Debugf("Reading event.json from %s", runner.config.EventPath)
 		eventJSONBytes, err := os.ReadFile(runner.config.EventPath)
 		if err != nil {
 			return nil, err
 		}
 		runner.eventJSON = string(eventJSONBytes)
+	} else if len(runner.config.Inputs) != 0 {
+		eventMap := map[string]map[string]string{
+			"inputs": runner.config.Inputs,
+		}
+		eventJSON, err := json.Marshal(eventMap)
+		if err != nil {
+			return nil, err
+		}
+		runner.eventJSON = string(eventJSON)
 	}
 	return runner, nil
 }

 // NewPlanExecutor ...
-//
-//nolint:gocyclo
 func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 	maxJobNameLen := 0

 	stagePipeline := make([]common.Executor, 0)
+	log.Debugf("Plan Stages: %v", plan.Stages)
+
 	for i := range plan.Stages {
-		s := i
 		stage := plan.Stages[i]
 		stagePipeline = append(stagePipeline, func(ctx context.Context) error {
 			pipeline := make([]common.Executor, 0)
-			for r, run := range stage.Runs {
+			for _, run := range stage.Runs {
+				log.Debugf("Stages Runs: %v", stage.Runs)
 				stageExecutor := make([]common.Executor, 0)
 				job := run.Job()
-
-				if job.Uses != "" {
-					return fmt.Errorf("reusable workflows are currently not supported (see https://github.com/nektos/act/issues/826 for updates)")
+				log.Debugf("Job.Name: %v", job.Name)
+				log.Debugf("Job.RawNeeds: %v", job.RawNeeds)
+				log.Debugf("Job.RawRunsOn: %v", job.RawRunsOn)
+				log.Debugf("Job.Env: %v", job.Env)
+				log.Debugf("Job.If: %v", job.If)
+				for step := range job.Steps {
+					if nil != job.Steps[step] {
+						log.Debugf("Job.Steps: %v", job.Steps[step].String())
+					}
 				}
+				log.Debugf("Job.TimeoutMinutes: %v", job.TimeoutMinutes)
+				log.Debugf("Job.Services: %v", job.Services)
+				log.Debugf("Job.Strategy: %v", job.Strategy)
+				log.Debugf("Job.RawContainer: %v", job.RawContainer)
+				log.Debugf("Job.Defaults.Run.Shell: %v", job.Defaults.Run.Shell)
+				log.Debugf("Job.Defaults.Run.WorkingDirectory: %v", job.Defaults.Run.WorkingDirectory)
+				log.Debugf("Job.Outputs: %v", job.Outputs)
+				log.Debugf("Job.Uses: %v", job.Uses)
+				log.Debugf("Job.With: %v", job.With)
+				// log.Debugf("Job.RawSecrets: %v", job.RawSecrets)
+				log.Debugf("Job.Result: %v", job.Result)

 				if job.Strategy != nil {
+					log.Debugf("Job.Strategy.FailFast: %v", job.Strategy.FailFast)
+					log.Debugf("Job.Strategy.MaxParallel: %v", job.Strategy.MaxParallel)
+					log.Debugf("Job.Strategy.FailFastString: %v", job.Strategy.FailFastString)
+					log.Debugf("Job.Strategy.MaxParallelString: %v", job.Strategy.MaxParallelString)
+					log.Debugf("Job.Strategy.RawMatrix: %v", job.Strategy.RawMatrix)
+
 					strategyRc := runner.newRunContext(ctx, run, nil)
 					if err := strategyRc.NewExpressionEvaluator(ctx).EvaluateYamlNode(ctx, &job.Strategy.RawMatrix); err != nil {
 						log.Errorf("Error while evaluating matrix: %v", err)
 					}
 				}
-				matrixes := job.GetMatrixes()
+
+				var matrixes []map[string]interface{}
+				if m, err := job.GetMatrixes(); err != nil {
+					log.Errorf("Error while get job's matrix: %v", err)
+				} else {
+					log.Debugf("Job Matrices: %v", m)
+					log.Debugf("Runner Matrices: %v", runner.config.Matrix)
+					matrixes = selectMatrixes(m, runner.config.Matrix)
+				}
+				log.Debugf("Final matrix after applying user inclusions '%v'", matrixes)
+
 				maxParallel := 4
 				if job.Strategy != nil {
 					maxParallel = job.Strategy.MaxParallel
@@ -123,41 +181,23 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 						maxJobNameLen = len(rc.String())
 					}
 					stageExecutor = append(stageExecutor, func(ctx context.Context) error {
-						logger := common.Logger(ctx)
 						jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
-						return rc.Executor().Finally(func(ctx context.Context) error {
-							isLastRunningContainer := func(currentStage int, currentRun int) bool {
-								return currentStage == len(plan.Stages)-1 && currentRun == len(stage.Runs)-1
-							}
+						executor, err := rc.Executor()

-							if runner.config.AutoRemove && isLastRunningContainer(s, r) {
-								var cancel context.CancelFunc
-								if ctx.Err() == context.Canceled {
-									ctx, cancel = context.WithTimeout(context.Background(), 5*time.Minute)
-									defer cancel()
-								}
+						if err != nil {
+							return err
+						}

-								log.Infof("Cleaning up container for job %s", rc.JobName)
-
-								if err := rc.stopJobContainer()(ctx); err != nil {
-									logger.Errorf("Error while cleaning container: %v", err)
-								}
-							}
-
-							return nil
-						})(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
+						return executor(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
 					})
 				}
 				pipeline = append(pipeline, common.NewParallelExecutor(maxParallel, stageExecutor...))
 			}
-			var ncpu int
-			info, err := container.GetHostInfo(ctx)
-			if err != nil {
-				log.Errorf("failed to obtain container engine info: %s", err)
-				ncpu = 1 // sane default?
-			} else {
-				ncpu = info.NCPU
+			ncpu := runtime.NumCPU()
+			if 1 > ncpu {
+				ncpu = 1
 			}
+			log.Debugf("Detected CPUs: %d", ncpu)
 			return common.NewParallelExecutor(ncpu, pipeline...)(ctx)
 		})
 	}
@@ -178,6 +218,25 @@ func handleFailure(plan *model.Plan) common.Executor {
 	}
 }

+func selectMatrixes(originalMatrixes []map[string]interface{}, targetMatrixValues map[string]map[string]bool) []map[string]interface{} {
+	matrixes := make([]map[string]interface{}, 0)
+	for _, original := range originalMatrixes {
+		flag := true
+		for key, val := range original {
+			if allowedVals, ok := targetMatrixValues[key]; ok {
+				valToString := fmt.Sprintf("%v", val)
+				if _, ok := allowedVals[valToString]; !ok {
+					flag = false
+				}
+			}
+		}
+		if flag {
+			matrixes = append(matrixes, original)
+		}
+	}
+	return matrixes
+}
+
 func (runner *runnerImpl) newRunContext(ctx context.Context, run *model.Run, matrix map[string]interface{}) *RunContext {
 	rc := &RunContext{
 		Config:      runner.config,
@@ -185,8 +244,10 @@ func (runner *runnerImpl) newRunContext(ctx context.Context, run *model.Run, mat
 		EventJSON:   runner.eventJSON,
 		StepResults: make(map[string]*model.StepResult),
 		Matrix:      matrix,
+		caller:      runner.caller,
 	}
 	rc.ExprEval = rc.NewExpressionEvaluator(ctx)
 	rc.Name = rc.ExprEval.Interpolate(ctx, run.String())
+
 	return rc
 }
--- a/pkg/runner/runner_test.go
+++ b/pkg/runner/runner_test.go
@@ -1,8 +1,10 @@
 package runner

 import (
+	"bytes"
 	"context"
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -22,6 +24,7 @@ var (
 	platforms map[string]string
 	logLevel  = log.DebugLevel
 	workdir   = "testdata"
+	secrets   map[string]string
 )

 func init() {
@@ -42,14 +45,103 @@ func init() {
 	if wd, err := filepath.Abs(workdir); err == nil {
 		workdir = wd
 	}
+
+	secrets = map[string]string{}
+}
+
+func TestNoWorkflowsFoundByPlanner(t *testing.T) {
+	planner, err := model.NewWorkflowPlanner("res", true)
+	assert.NoError(t, err)
+
+	out := log.StandardLogger().Out
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	log.SetLevel(log.DebugLevel)
+	plan, err := planner.PlanEvent("pull_request")
+	assert.NotNil(t, plan)
+	assert.NoError(t, err)
+	assert.Contains(t, buf.String(), "no workflows found by planner")
+	buf.Reset()
+	plan, err = planner.PlanAll()
+	assert.NotNil(t, plan)
+	assert.NoError(t, err)
+	assert.Contains(t, buf.String(), "no workflows found by planner")
+	log.SetOutput(out)
+}
+
+func TestGraphMissingEvent(t *testing.T) {
+	planner, err := model.NewWorkflowPlanner("testdata/issue-1595/no-event.yml", true)
+	assert.NoError(t, err)
+
+	out := log.StandardLogger().Out
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	log.SetLevel(log.DebugLevel)
+
+	plan, err := planner.PlanEvent("push")
+	assert.NoError(t, err)
+	assert.NotNil(t, plan)
+	assert.Equal(t, 0, len(plan.Stages))
+
+	assert.Contains(t, buf.String(), "no events found for workflow: no-event.yml")
+	log.SetOutput(out)
+}
+
+func TestGraphMissingFirst(t *testing.T) {
+	planner, err := model.NewWorkflowPlanner("testdata/issue-1595/no-first.yml", true)
+	assert.NoError(t, err)
+
+	plan, err := planner.PlanEvent("push")
+	assert.EqualError(t, err, "unable to build dependency graph for no first (no-first.yml)")
+	assert.NotNil(t, plan)
+	assert.Equal(t, 0, len(plan.Stages))
+}
+
+func TestGraphWithMissing(t *testing.T) {
+	planner, err := model.NewWorkflowPlanner("testdata/issue-1595/missing.yml", true)
+	assert.NoError(t, err)
+
+	out := log.StandardLogger().Out
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	log.SetLevel(log.DebugLevel)
+
+	plan, err := planner.PlanEvent("push")
+	assert.NotNil(t, plan)
+	assert.Equal(t, 0, len(plan.Stages))
+	assert.EqualError(t, err, "unable to build dependency graph for missing (missing.yml)")
+	assert.Contains(t, buf.String(), "unable to build dependency graph for missing (missing.yml)")
+	log.SetOutput(out)
+}
+
+func TestGraphWithSomeMissing(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	planner, err := model.NewWorkflowPlanner("testdata/issue-1595/", true)
+	assert.NoError(t, err)
+
+	out := log.StandardLogger().Out
+	var buf bytes.Buffer
+	log.SetOutput(&buf)
+	log.SetLevel(log.DebugLevel)
+
+	plan, err := planner.PlanAll()
+	assert.Error(t, err, "unable to build dependency graph for no first (no-first.yml)")
+	assert.NotNil(t, plan)
+	assert.Equal(t, 1, len(plan.Stages))
+	assert.Contains(t, buf.String(), "unable to build dependency graph for missing (missing.yml)")
+	assert.Contains(t, buf.String(), "unable to build dependency graph for no first (no-first.yml)")
+	log.SetOutput(out)
 }

 func TestGraphEvent(t *testing.T) {
 	planner, err := model.NewWorkflowPlanner("testdata/basic", true)
-	assert.Nil(t, err)
+	assert.NoError(t, err)

-	plan := planner.PlanEvent("push")
-	assert.Nil(t, err)
+	plan, err := planner.PlanEvent("push")
+	assert.NoError(t, err)
+	assert.NotNil(t, plan)
+	assert.NotNil(t, plan.Stages)
 	assert.Equal(t, len(plan.Stages), 3, "stages")
 	assert.Equal(t, len(plan.Stages[0].Runs), 1, "stage0.runs")
 	assert.Equal(t, len(plan.Stages[1].Runs), 1, "stage1.runs")
@@ -58,8 +150,10 @@ func TestGraphEvent(t *testing.T) {
 	assert.Equal(t, plan.Stages[1].Runs[0].JobID, "build", "jobid")
 	assert.Equal(t, plan.Stages[2].Runs[0].JobID, "test", "jobid")

-	plan = planner.PlanEvent("release")
-	assert.Equal(t, len(plan.Stages), 0, "stages")
+	plan, err = planner.PlanEvent("release")
+	assert.NoError(t, err)
+	assert.NotNil(t, plan)
+	assert.Equal(t, 0, len(plan.Stages))
 }

 type TestJobFileInfo struct {
@@ -68,6 +162,7 @@ type TestJobFileInfo struct {
 	eventName    string
 	errorMessage string
 	platforms    map[string]string
+	secrets      map[string]string
 }

 func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config) {
@@ -88,8 +183,10 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 		ReuseContainers:       false,
 		Env:                   cfg.Env,
 		Secrets:               cfg.Secrets,
+		Inputs:                cfg.Inputs,
 		GitHubInstance:        "github.com",
 		ContainerArchitecture: cfg.ContainerArchitecture,
+		Matrix:                cfg.Matrix,
 	}

 	runner, err := New(runnerConfig)
@@ -98,13 +195,15 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 	planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
 	assert.Nil(t, err, fullWorkflowPath)

-	plan := planner.PlanEvent(j.eventName)
-
-	err = runner.NewPlanExecutor(plan)(ctx)
-	if j.errorMessage == "" {
-		assert.Nil(t, err, fullWorkflowPath)
-	} else {
-		assert.Error(t, err, j.errorMessage)
+	plan, err := planner.PlanEvent(j.eventName)
+	assert.True(t, (err == nil) != (plan == nil), "PlanEvent should return either a plan or an error")
+	if err == nil && plan != nil {
+		err = runner.NewPlanExecutor(plan)(ctx)
+		if j.errorMessage == "" {
+			assert.Nil(t, err, fullWorkflowPath)
+		} else {
+			assert.Error(t, err, j.errorMessage)
+		}
 	}

 	fmt.Println("::endgroup::")
@@ -119,81 +218,96 @@ func TestRunEvent(t *testing.T) {

 	tables := []TestJobFileInfo{
 		// Shells
-		{workdir, "shells/defaults", "push", "", platforms},
+		{workdir, "shells/defaults", "push", "", platforms, secrets},
 		// TODO: figure out why it fails
 		// {workdir, "shells/custom", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, }, // custom image with pwsh
-		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}}, // custom image with pwsh
-		{workdir, "shells/bash", "push", "", platforms},
-		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}}, // slim doesn't have python
-		{workdir, "shells/sh", "push", "", platforms},
+		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, secrets}, // custom image with pwsh
+		{workdir, "shells/bash", "push", "", platforms, secrets},
+		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}, secrets}, // slim doesn't have python
+		{workdir, "shells/sh", "push", "", platforms, secrets},

 		// Local action
-		{workdir, "local-action-docker-url", "push", "", platforms},
-		{workdir, "local-action-dockerfile", "push", "", platforms},
-		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms},
-		{workdir, "local-action-js", "push", "", platforms},
+		{workdir, "local-action-docker-url", "push", "", platforms, secrets},
+		{workdir, "local-action-dockerfile", "push", "", platforms, secrets},
+		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms, secrets},
+		{workdir, "local-action-js", "push", "", platforms, secrets},

 		// Uses
-		{workdir, "uses-composite", "push", "", platforms},
-		{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms},
-		{workdir, "uses-nested-composite", "push", "", platforms},
-		{workdir, "remote-action-composite-js-pre-with-defaults", "push", "", platforms},
-		{workdir, "uses-workflow", "push", "reusable workflows are currently not supported (see https://github.com/nektos/act/issues/826 for updates)", platforms},
-		{workdir, "uses-docker-url", "push", "", platforms},
-		{workdir, "act-composite-env-test", "push", "", platforms},
+		{workdir, "uses-composite", "push", "", platforms, secrets},
+		{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms, secrets},
+		{workdir, "uses-nested-composite", "push", "", platforms, secrets},
+		{workdir, "remote-action-composite-js-pre-with-defaults", "push", "", platforms, secrets},
+		{workdir, "uses-workflow", "push", "", platforms, map[string]string{"secret": "keep_it_private"}},
+		{workdir, "uses-workflow", "pull_request", "", platforms, map[string]string{"secret": "keep_it_private"}},
+		{workdir, "uses-docker-url", "push", "", platforms, secrets},
+		{workdir, "act-composite-env-test", "push", "", platforms, secrets},

 		// Eval
-		{workdir, "evalmatrix", "push", "", platforms},
-		{workdir, "evalmatrixneeds", "push", "", platforms},
-		{workdir, "evalmatrixneeds2", "push", "", platforms},
-		{workdir, "evalmatrix-merge-map", "push", "", platforms},
-		{workdir, "evalmatrix-merge-array", "push", "", platforms},
-		{workdir, "issue-1195", "push", "", platforms},
+		{workdir, "evalmatrix", "push", "", platforms, secrets},
+		{workdir, "evalmatrixneeds", "push", "", platforms, secrets},
+		{workdir, "evalmatrixneeds2", "push", "", platforms, secrets},
+		{workdir, "evalmatrix-merge-map", "push", "", platforms, secrets},
+		{workdir, "evalmatrix-merge-array", "push", "", platforms, secrets},
+		{workdir, "issue-1195", "push", "", platforms, secrets},

-		{workdir, "basic", "push", "", platforms},
-		{workdir, "fail", "push", "exit with `FAILURE`: 1", platforms},
-		{workdir, "runs-on", "push", "", platforms},
-		{workdir, "checkout", "push", "", platforms},
-		{workdir, "job-container", "push", "", platforms},
-		{workdir, "job-container-non-root", "push", "", platforms},
-		{workdir, "job-container-invalid-credentials", "push", "failed to handle credentials: failed to interpolate container.credentials.password", platforms},
-		{workdir, "container-hostname", "push", "", platforms},
-		{workdir, "remote-action-docker", "push", "", platforms},
-		{workdir, "remote-action-js", "push", "", platforms},
-		{workdir, "remote-action-js", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:runner-latest"}}, // Test if this works with non root container
-		{workdir, "matrix", "push", "", platforms},
-		{workdir, "matrix-include-exclude", "push", "", platforms},
-		{workdir, "commands", "push", "", platforms},
-		{workdir, "workdir", "push", "", platforms},
-		{workdir, "defaults-run", "push", "", platforms},
-		{workdir, "composite-fail-with-output", "push", "", platforms},
-		{workdir, "issue-597", "push", "", platforms},
-		{workdir, "issue-598", "push", "", platforms},
-		{workdir, "if-env-act", "push", "", platforms},
-		{workdir, "env-and-path", "push", "", platforms},
-		{workdir, "non-existent-action", "push", "Job 'nopanic' failed", platforms},
-		{workdir, "outputs", "push", "", platforms},
-		{workdir, "networking", "push", "", platforms},
-		{workdir, "steps-context/conclusion", "push", "", platforms},
-		{workdir, "steps-context/outcome", "push", "", platforms},
-		{workdir, "job-status-check", "push", "job 'fail' failed", platforms},
-		{workdir, "if-expressions", "push", "Job 'mytest' failed", platforms},
-		{workdir, "actions-environment-and-context-tests", "push", "", platforms},
-		{workdir, "uses-action-with-pre-and-post-step", "push", "", platforms},
-		{workdir, "evalenv", "push", "", platforms},
-		{workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms},
-		{workdir, "workflow_dispatch", "workflow_dispatch", "", platforms},
-		{workdir, "workflow_dispatch_no_inputs_mapping", "workflow_dispatch", "", platforms},
-		{workdir, "workflow_dispatch-scalar", "workflow_dispatch", "", platforms},
-		{workdir, "workflow_dispatch-scalar-composite-action", "workflow_dispatch", "", platforms},
-		{"../model/testdata", "strategy", "push", "", platforms}, // TODO: move all testdata into pkg so we can validate it with planner and runner
-		// {"testdata", "issue-228", "push", "", platforms, }, // TODO [igni]: Remove this once everything passes
-		{"../model/testdata", "container-volumes", "push", "", platforms},
+		{workdir, "basic", "push", "", platforms, secrets},
+		{workdir, "fail", "push", "exit with `FAILURE`: 1", platforms, secrets},
+		{workdir, "runs-on", "push", "", platforms, secrets},
+		{workdir, "checkout", "push", "", platforms, secrets},
+		{workdir, "job-container", "push", "", platforms, secrets},
+		{workdir, "job-container-non-root", "push", "", platforms, secrets},
+		{workdir, "job-container-invalid-credentials", "push", "failed to handle credentials: failed to interpolate container.credentials.password", platforms, secrets},
+		{workdir, "container-hostname", "push", "", platforms, secrets},
+		{workdir, "remote-action-docker", "push", "", platforms, secrets},
+		{workdir, "remote-action-js", "push", "", platforms, secrets},
+		{workdir, "remote-action-js-node-user", "push", "", platforms, secrets}, // Test if this works with non root container
+		{workdir, "matrix", "push", "", platforms, secrets},
+		{workdir, "matrix-include-exclude", "push", "", platforms, secrets},
+		{workdir, "matrix-exitcode", "push", "Job 'test' failed", platforms, secrets},
+		{workdir, "commands", "push", "", platforms, secrets},
+		{workdir, "workdir", "push", "", platforms, secrets},
+		{workdir, "defaults-run", "push", "", platforms, secrets},
+		{workdir, "composite-fail-with-output", "push", "", platforms, secrets},
+		{workdir, "issue-597", "push", "", platforms, secrets},
+		{workdir, "issue-598", "push", "", platforms, secrets},
+		{workdir, "if-env-act", "push", "", platforms, secrets},
+		{workdir, "env-and-path", "push", "", platforms, secrets},
+		{workdir, "environment-files", "push", "", platforms, secrets},
+		{workdir, "GITHUB_STATE", "push", "", platforms, secrets},
+		{workdir, "environment-files-parser-bug", "push", "", platforms, secrets},
+		{workdir, "non-existent-action", "push", "Job 'nopanic' failed", platforms, secrets},
+		{workdir, "outputs", "push", "", platforms, secrets},
+		{workdir, "networking", "push", "", platforms, secrets},
+		{workdir, "steps-context/conclusion", "push", "", platforms, secrets},
+		{workdir, "steps-context/outcome", "push", "", platforms, secrets},
+		{workdir, "job-status-check", "push", "job 'fail' failed", platforms, secrets},
+		{workdir, "if-expressions", "push", "Job 'mytest' failed", platforms, secrets},
+		{workdir, "actions-environment-and-context-tests", "push", "", platforms, secrets},
+		{workdir, "uses-action-with-pre-and-post-step", "push", "", platforms, secrets},
+		{workdir, "evalenv", "push", "", platforms, secrets},
+		{workdir, "docker-action-custom-path", "push", "", platforms, secrets},
+		{workdir, "GITHUB_ENV-use-in-env-ctx", "push", "", platforms, secrets},
+		{workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms, secrets},
+		{workdir, "workflow_call_inputs", "workflow_call", "", platforms, secrets},
+		{workdir, "workflow_dispatch", "workflow_dispatch", "", platforms, secrets},
+		{workdir, "workflow_dispatch_no_inputs_mapping", "workflow_dispatch", "", platforms, secrets},
+		{workdir, "workflow_dispatch-scalar", "workflow_dispatch", "", platforms, secrets},
+		{workdir, "workflow_dispatch-scalar-composite-action", "workflow_dispatch", "", platforms, secrets},
+		{workdir, "job-needs-context-contains-result", "push", "", platforms, secrets},
+		{"../model/testdata", "strategy", "push", "", platforms, secrets}, // TODO: move all testdata into pkg so we can validate it with planner and runner
+		{"../model/testdata", "container-volumes", "push", "", platforms, secrets},
+		{workdir, "path-handling", "push", "", platforms, secrets},
+		{workdir, "do-not-leak-step-env-in-composite", "push", "", platforms, secrets},
+		{workdir, "set-env-step-env-override", "push", "", platforms, secrets},
+		{workdir, "set-env-new-env-file-per-step", "push", "", platforms, secrets},
+		{workdir, "no-panic-on-invalid-composite-action", "push", "jobs failed due to invalid action", platforms, secrets},
 	}

 	for _, table := range tables {
 		t.Run(table.workflowPath, func(t *testing.T) {
-			config := &Config{}
+			config := &Config{
+				Secrets: table.secrets,
+			}

 			eventFile := filepath.Join(workdir, table.workflowPath, "event.json")
 			if _, err := os.Stat(eventFile); err == nil {
@@ -221,51 +335,51 @@ func TestRunEventHostEnvironment(t *testing.T) {

 		tables = append(tables, []TestJobFileInfo{
 			// Shells
-			{workdir, "shells/defaults", "push", "", platforms},
-			{workdir, "shells/pwsh", "push", "", platforms},
-			{workdir, "shells/bash", "push", "", platforms},
-			{workdir, "shells/python", "push", "", platforms},
-			{workdir, "shells/sh", "push", "", platforms},
+			{workdir, "shells/defaults", "push", "", platforms, secrets},
+			{workdir, "shells/pwsh", "push", "", platforms, secrets},
+			{workdir, "shells/bash", "push", "", platforms, secrets},
+			{workdir, "shells/python", "push", "", platforms, secrets},
+			{workdir, "shells/sh", "push", "", platforms, secrets},

 			// Local action
-			{workdir, "local-action-js", "push", "", platforms},
+			{workdir, "local-action-js", "push", "", platforms, secrets},

 			// Uses
-			{workdir, "uses-composite", "push", "", platforms},
-			{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms},
-			{workdir, "uses-nested-composite", "push", "", platforms},
-			{workdir, "act-composite-env-test", "push", "", platforms},
+			{workdir, "uses-composite", "push", "", platforms, secrets},
+			{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms, secrets},
+			{workdir, "uses-nested-composite", "push", "", platforms, secrets},
+			{workdir, "act-composite-env-test", "push", "", platforms, secrets},

 			// Eval
-			{workdir, "evalmatrix", "push", "", platforms},
-			{workdir, "evalmatrixneeds", "push", "", platforms},
-			{workdir, "evalmatrixneeds2", "push", "", platforms},
-			{workdir, "evalmatrix-merge-map", "push", "", platforms},
-			{workdir, "evalmatrix-merge-array", "push", "", platforms},
-			{workdir, "issue-1195", "push", "", platforms},
+			{workdir, "evalmatrix", "push", "", platforms, secrets},
+			{workdir, "evalmatrixneeds", "push", "", platforms, secrets},
+			{workdir, "evalmatrixneeds2", "push", "", platforms, secrets},
+			{workdir, "evalmatrix-merge-map", "push", "", platforms, secrets},
+			{workdir, "evalmatrix-merge-array", "push", "", platforms, secrets},
+			{workdir, "issue-1195", "push", "", platforms, secrets},

-			{workdir, "fail", "push", "exit with `FAILURE`: 1", platforms},
-			{workdir, "runs-on", "push", "", platforms},
-			{workdir, "checkout", "push", "", platforms},
-			{workdir, "remote-action-js", "push", "", platforms},
-			{workdir, "matrix", "push", "", platforms},
-			{workdir, "matrix-include-exclude", "push", "", platforms},
-			{workdir, "commands", "push", "", platforms},
-			{workdir, "defaults-run", "push", "", platforms},
-			{workdir, "composite-fail-with-output", "push", "", platforms},
-			{workdir, "issue-597", "push", "", platforms},
-			{workdir, "issue-598", "push", "", platforms},
-			{workdir, "if-env-act", "push", "", platforms},
-			{workdir, "env-and-path", "push", "", platforms},
-			{workdir, "non-existent-action", "push", "Job 'nopanic' failed", platforms},
-			{workdir, "outputs", "push", "", platforms},
-			{workdir, "steps-context/conclusion", "push", "", platforms},
-			{workdir, "steps-context/outcome", "push", "", platforms},
-			{workdir, "job-status-check", "push", "job 'fail' failed", platforms},
-			{workdir, "if-expressions", "push", "Job 'mytest' failed", platforms},
-			{workdir, "uses-action-with-pre-and-post-step", "push", "", platforms},
-			{workdir, "evalenv", "push", "", platforms},
-			{workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms},
+			{workdir, "fail", "push", "exit with `FAILURE`: 1", platforms, secrets},
+			{workdir, "runs-on", "push", "", platforms, secrets},
+			{workdir, "checkout", "push", "", platforms, secrets},
+			{workdir, "remote-action-js", "push", "", platforms, secrets},
+			{workdir, "matrix", "push", "", platforms, secrets},
+			{workdir, "matrix-include-exclude", "push", "", platforms, secrets},
+			{workdir, "commands", "push", "", platforms, secrets},
+			{workdir, "defaults-run", "push", "", platforms, secrets},
+			{workdir, "composite-fail-with-output", "push", "", platforms, secrets},
+			{workdir, "issue-597", "push", "", platforms, secrets},
+			{workdir, "issue-598", "push", "", platforms, secrets},
+			{workdir, "if-env-act", "push", "", platforms, secrets},
+			{workdir, "env-and-path", "push", "", platforms, secrets},
+			{workdir, "non-existent-action", "push", "Job 'nopanic' failed", platforms, secrets},
+			{workdir, "outputs", "push", "", platforms, secrets},
+			{workdir, "steps-context/conclusion", "push", "", platforms, secrets},
+			{workdir, "steps-context/outcome", "push", "", platforms, secrets},
+			{workdir, "job-status-check", "push", "job 'fail' failed", platforms, secrets},
+			{workdir, "if-expressions", "push", "Job 'mytest' failed", platforms, secrets},
+			{workdir, "uses-action-with-pre-and-post-step", "push", "", platforms, secrets},
+			{workdir, "evalenv", "push", "", platforms, secrets},
+			{workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms, secrets},
 		}...)
 	}
 	if runtime.GOOS == "windows" {
@@ -274,16 +388,22 @@ func TestRunEventHostEnvironment(t *testing.T) {
 		}

 		tables = append(tables, []TestJobFileInfo{
-			{workdir, "windows-prepend-path", "push", "", platforms},
-			{workdir, "windows-add-env", "push", "", platforms},
+			{workdir, "windows-prepend-path", "push", "", platforms, secrets},
+			{workdir, "windows-add-env", "push", "", platforms, secrets},
 		}...)
 	} else {
 		platforms := map[string]string{
-			"self-hosted": "-self-hosted",
+			"self-hosted":   "-self-hosted",
+			"ubuntu-latest": "-self-hosted",
 		}

 		tables = append(tables, []TestJobFileInfo{
-			{workdir, "nix-prepend-path", "push", "", platforms},
+			{workdir, "nix-prepend-path", "push", "", platforms, secrets},
+			{workdir, "inputs-via-env-context", "push", "", platforms, secrets},
+			{workdir, "do-not-leak-step-env-in-composite", "push", "", platforms, secrets},
+			{workdir, "set-env-step-env-override", "push", "", platforms, secrets},
+			{workdir, "set-env-new-env-file-per-step", "push", "", platforms, secrets},
+			{workdir, "no-panic-on-invalid-composite-action", "push", "jobs failed due to invalid action", platforms, secrets},
 		}...)
 	}

@@ -303,17 +423,17 @@ func TestDryrunEvent(t *testing.T) {

 	tables := []TestJobFileInfo{
 		// Shells
-		{workdir, "shells/defaults", "push", "", platforms},
-		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}}, // custom image with pwsh
-		{workdir, "shells/bash", "push", "", platforms},
-		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}}, // slim doesn't have python
-		{workdir, "shells/sh", "push", "", platforms},
+		{workdir, "shells/defaults", "push", "", platforms, secrets},
+		{workdir, "shells/pwsh", "push", "", map[string]string{"ubuntu-latest": "catthehacker/ubuntu:pwsh-latest"}, secrets}, // custom image with pwsh
+		{workdir, "shells/bash", "push", "", platforms, secrets},
+		{workdir, "shells/python", "push", "", map[string]string{"ubuntu-latest": "node:16-buster"}, secrets}, // slim doesn't have python
+		{workdir, "shells/sh", "push", "", platforms, secrets},

 		// Local action
-		{workdir, "local-action-docker-url", "push", "", platforms},
-		{workdir, "local-action-dockerfile", "push", "", platforms},
-		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms},
-		{workdir, "local-action-js", "push", "", platforms},
+		{workdir, "local-action-docker-url", "push", "", platforms, secrets},
+		{workdir, "local-action-dockerfile", "push", "", platforms, secrets},
+		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms, secrets},
+		{workdir, "local-action-js", "push", "", platforms, secrets},
 	}

 	for _, table := range tables {
@@ -323,6 +443,30 @@ func TestDryrunEvent(t *testing.T) {
 	}
 }

+func TestDockerActionForcePullForceRebuild(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	ctx := context.Background()
+
+	config := &Config{
+		ForcePull:    true,
+		ForceRebuild: true,
+	}
+
+	tables := []TestJobFileInfo{
+		{workdir, "local-action-dockerfile", "push", "", platforms, secrets},
+		{workdir, "local-action-via-composite-dockerfile", "push", "", platforms, secrets},
+	}
+
+	for _, table := range tables {
+		t.Run(table.workflowPath, func(t *testing.T) {
+			table.runTest(ctx, t, config)
+		})
+	}
+}
+
 func TestRunDifferentArchitecture(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
@@ -339,6 +483,17 @@ func TestRunDifferentArchitecture(t *testing.T) {
 	tjfi.runTest(context.Background(), t, &Config{ContainerArchitecture: "linux/arm64"})
 }

+type maskJobLoggerFactory struct {
+	Output bytes.Buffer
+}
+
+func (f *maskJobLoggerFactory) WithJobLogger() *log.Logger {
+	logger := log.New()
+	logger.SetOutput(io.MultiWriter(&f.Output, os.Stdout))
+	logger.SetLevel(log.DebugLevel)
+	return logger
+}
+
 func TestMaskValues(t *testing.T) {
 	assertNoSecret := func(text string, secret string) {
 		index := strings.Index(text, "composite secret")
@@ -362,9 +517,9 @@ func TestMaskValues(t *testing.T) {
 		platforms:    platforms,
 	}

-	output := captureOutput(t, func() {
-		tjfi.runTest(context.Background(), t, &Config{})
-	})
+	logger := &maskJobLoggerFactory{}
+	tjfi.runTest(WithJobLoggerFactory(common.WithLogger(context.Background(), logger.WithJobLogger()), logger), t, &Config{})
+	output := logger.Output.String()

 	assertNoSecret(output, "secret value")
 	assertNoSecret(output, "YWJjCg==")
@@ -392,6 +547,27 @@ func TestRunEventSecrets(t *testing.T) {
 	tjfi.runTest(context.Background(), t, &Config{Secrets: secrets, Env: env})
 }

+func TestRunActionInputs(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+	workflowPath := "input-from-cli"
+
+	tjfi := TestJobFileInfo{
+		workdir:      workdir,
+		workflowPath: workflowPath,
+		eventName:    "workflow_dispatch",
+		errorMessage: "",
+		platforms:    platforms,
+	}
+
+	inputs := map[string]string{
+		"SOME_INPUT": "input",
+	}
+
+	tjfi.runTest(context.Background(), t, &Config{Inputs: inputs})
+}
+
 func TestRunEventPullRequest(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
@@ -409,3 +585,30 @@ func TestRunEventPullRequest(t *testing.T) {

 	tjfi.runTest(context.Background(), t, &Config{EventPath: filepath.Join(workdir, workflowPath, "event.json")})
 }
+
+func TestRunMatrixWithUserDefinedInclusions(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+	workflowPath := "matrix-with-user-inclusions"
+
+	tjfi := TestJobFileInfo{
+		workdir:      workdir,
+		workflowPath: workflowPath,
+		eventName:    "push",
+		errorMessage: "",
+		platforms:    platforms,
+	}
+
+	matrix := map[string]map[string]bool{
+		"node": {
+			"8":   true,
+			"8.x": true,
+		},
+		"os": {
+			"ubuntu-18.04": true,
+		},
+	}
+
+	tjfi.runTest(context.Background(), t, &Config{Matrix: matrix})
+}
--- a/pkg/runner/step.go
+++ b/pkg/runner/step.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"path"
+	"strconv"
 	"strings"
+	"time"

 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
@@ -44,16 +46,16 @@ func (s stepStage) String() string {
 	return "Unknown"
 }

-func (s stepStage) getStepName(stepModel *model.Step) string {
-	switch s {
-	case stepStagePre:
-		return fmt.Sprintf("pre-%s", stepModel.ID)
-	case stepStageMain:
-		return stepModel.ID
-	case stepStagePost:
-		return fmt.Sprintf("post-%s", stepModel.ID)
+func processRunnerEnvFileCommand(ctx context.Context, fileName string, rc *RunContext, setter func(context.Context, map[string]string, string)) error {
+	env := map[string]string{}
+	err := rc.JobContainer.UpdateFromEnv(path.Join(rc.JobContainer.GetActPath(), fileName), &env)(ctx)
+	if err != nil {
+		return err
 	}
-	return "unknown"
+	for k, v := range env {
+		setter(ctx, map[string]string{"name": k}, v)
+	}
+	return nil
 }

 func runStepExecutor(step step, stage stepStage, executor common.Executor) common.Executor {
@@ -63,13 +65,16 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 		stepModel := step.getStepModel()

 		ifExpression := step.getIfExpression(ctx, stage)
-		rc.CurrentStep = stage.getStepName(stepModel)
+		rc.CurrentStep = stepModel.ID

-		rc.StepResults[rc.CurrentStep] = &model.StepResult{
+		stepResult := &model.StepResult{
 			Outcome:    model.StepStatusSuccess,
 			Conclusion: model.StepStatusSuccess,
 			Outputs:    make(map[string]string),
 		}
+		if stage == stepStageMain {
+			rc.StepResults[rc.CurrentStep] = stepResult
+		}

 		err := setupEnv(ctx, step)
 		if err != nil {
@@ -78,15 +83,15 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo

 		runStep, err := isStepEnabled(ctx, ifExpression, step, stage)
 		if err != nil {
-			rc.StepResults[rc.CurrentStep].Conclusion = model.StepStatusFailure
-			rc.StepResults[rc.CurrentStep].Outcome = model.StepStatusFailure
+			stepResult.Conclusion = model.StepStatusFailure
+			stepResult.Outcome = model.StepStatusFailure
 			return err
 		}

 		if !runStep {
-			rc.StepResults[rc.CurrentStep].Conclusion = model.StepStatusSkipped
-			rc.StepResults[rc.CurrentStep].Outcome = model.StepStatusSkipped
-			logger.WithField("stepResult", rc.StepResults[rc.CurrentStep].Outcome).Debugf("Skipping step '%s' due to '%s'", stepModel, ifExpression)
+			stepResult.Conclusion = model.StepStatusSkipped
+			stepResult.Outcome = model.StepStatusSkipped
+			logger.WithField("stepResult", stepResult.Outcome).Debugf("Skipping step '%s' due to '%s'", stepModel, ifExpression)
 			return nil
 		}

@@ -98,58 +103,81 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo

 		// Prepare and clean Runner File Commands
 		actPath := rc.JobContainer.GetActPath()
+
 		outputFileCommand := path.Join("workflow", "outputcmd.txt")
-		stateFileCommand := path.Join("workflow", "statecmd.txt")
 		(*step.getEnv())["GITHUB_OUTPUT"] = path.Join(actPath, outputFileCommand)
+
+		stateFileCommand := path.Join("workflow", "statecmd.txt")
 		(*step.getEnv())["GITHUB_STATE"] = path.Join(actPath, stateFileCommand)
+
+		pathFileCommand := path.Join("workflow", "pathcmd.txt")
+		(*step.getEnv())["GITHUB_PATH"] = path.Join(actPath, pathFileCommand)
+
+		envFileCommand := path.Join("workflow", "envs.txt")
+		(*step.getEnv())["GITHUB_ENV"] = path.Join(actPath, envFileCommand)
+
+		summaryFileCommand := path.Join("workflow", "SUMMARY.md")
+		(*step.getEnv())["GITHUB_STEP_SUMMARY"] = path.Join(actPath, summaryFileCommand)
+
 		_ = rc.JobContainer.Copy(actPath, &container.FileEntry{
 			Name: outputFileCommand,
-			Mode: 0666,
+			Mode: 0o666,
 		}, &container.FileEntry{
 			Name: stateFileCommand,
+			Mode: 0o666,
+		}, &container.FileEntry{
+			Name: pathFileCommand,
+			Mode: 0o666,
+		}, &container.FileEntry{
+			Name: envFileCommand,
 			Mode: 0666,
+		}, &container.FileEntry{
+			Name: summaryFileCommand,
+			Mode: 0o666,
 		})(ctx)

-		err = executor(ctx)
+		timeoutctx, cancelTimeOut := evaluateStepTimeout(ctx, rc.ExprEval, stepModel)
+		defer cancelTimeOut()
+		err = executor(timeoutctx)

 		if err == nil {
-			logger.WithField("stepResult", rc.StepResults[rc.CurrentStep].Outcome).Infof("  \u2705  Success - %s %s", stage, stepString)
+			logger.WithField("stepResult", stepResult.Outcome).Infof("  \u2705  Success - %s %s", stage, stepString)
 		} else {
-			rc.StepResults[rc.CurrentStep].Outcome = model.StepStatusFailure
+			stepResult.Outcome = model.StepStatusFailure

 			continueOnError, parseErr := isContinueOnError(ctx, stepModel.RawContinueOnError, step, stage)
 			if parseErr != nil {
-				rc.StepResults[rc.CurrentStep].Conclusion = model.StepStatusFailure
+				stepResult.Conclusion = model.StepStatusFailure
 				return parseErr
 			}

 			if continueOnError {
 				logger.Infof("Failed but continue next step")
 				err = nil
-				rc.StepResults[rc.CurrentStep].Conclusion = model.StepStatusSuccess
+				stepResult.Conclusion = model.StepStatusSuccess
 			} else {
-				rc.StepResults[rc.CurrentStep].Conclusion = model.StepStatusFailure
+				stepResult.Conclusion = model.StepStatusFailure
 			}

-			logger.WithField("stepResult", rc.StepResults[rc.CurrentStep].Outcome).Errorf("  \u274C  Failure - %s %s", stage, stepString)
+			logger.WithField("stepResult", stepResult.Outcome).Errorf("  \u274C  Failure - %s %s", stage, stepString)
 		}
 		// Process Runner File Commands
 		orgerr := err
-		state := map[string]string{}
-		err = rc.JobContainer.UpdateFromEnv(path.Join(actPath, stateFileCommand), &state)(ctx)
+		err = processRunnerEnvFileCommand(ctx, envFileCommand, rc, rc.setEnv)
 		if err != nil {
 			return err
 		}
-		for k, v := range state {
-			rc.saveState(ctx, map[string]string{"name": k}, v)
-		}
-		output := map[string]string{}
-		err = rc.JobContainer.UpdateFromEnv(path.Join(actPath, outputFileCommand), &output)(ctx)
+		err = processRunnerEnvFileCommand(ctx, stateFileCommand, rc, rc.saveState)
 		if err != nil {
 			return err
 		}
-		for k, v := range output {
-			rc.setOutput(ctx, map[string]string{"name": k}, v)
+		err = processRunnerEnvFileCommand(ctx, outputFileCommand, rc, rc.setOutput)
+		if err != nil {
+			return err
+		}
+		err = rc.UpdateExtraPath(ctx, path.Join(actPath, pathFileCommand))
+		if err != nil {
+			return err
 		}
 		if orgerr != nil {
 			return orgerr
@@ -158,28 +186,36 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 	}
 }

+func evaluateStepTimeout(ctx context.Context, exprEval ExpressionEvaluator, stepModel *model.Step) (context.Context, context.CancelFunc) {
+	timeout := exprEval.Interpolate(ctx, stepModel.TimeoutMinutes)
+	if timeout != "" {
+		if timeOutMinutes, err := strconv.ParseInt(timeout, 10, 64); err == nil {
+			return context.WithTimeout(ctx, time.Duration(timeOutMinutes)*time.Minute)
+		}
+	}
+	return ctx, func() {}
+}
+
 func setupEnv(ctx context.Context, step step) error {
 	rc := step.getRunContext()

 	mergeEnv(ctx, step)
-	err := rc.JobContainer.UpdateFromImageEnv(step.getEnv())(ctx)
-	if err != nil {
-		return err
-	}
-	err = rc.JobContainer.UpdateFromEnv((*step.getEnv())["GITHUB_ENV"], step.getEnv())(ctx)
-	if err != nil {
-		return err
-	}
-	err = rc.JobContainer.UpdateFromPath(step.getEnv())(ctx)
-	if err != nil {
-		return err
-	}
 	// merge step env last, since it should not be overwritten
-	mergeIntoMap(step.getEnv(), step.getStepModel().GetEnv())
+	mergeIntoMap(step, step.getEnv(), step.getStepModel().GetEnv())

 	exprEval := rc.NewExpressionEvaluator(ctx)
 	for k, v := range *step.getEnv() {
-		(*step.getEnv())[k] = exprEval.Interpolate(ctx, v)
+		if !strings.HasPrefix(k, "INPUT_") {
+			(*step.getEnv())[k] = exprEval.Interpolate(ctx, v)
+		}
+	}
+	// after we have an evaluated step context, update the expressions evaluator with a new env context
+	// you can use step level env in the with property of a uses construct
+	exprEval = rc.NewExpressionEvaluatorWithEnv(ctx, *step.getEnv())
+	for k, v := range *step.getEnv() {
+		if strings.HasPrefix(k, "INPUT_") {
+			(*step.getEnv())[k] = exprEval.Interpolate(ctx, v)
+		}
 	}

 	common.Logger(ctx).Debugf("setupEnv => %v", *step.getEnv())
@@ -194,17 +230,9 @@ func mergeEnv(ctx context.Context, step step) {

 	c := job.Container()
 	if c != nil {
-		mergeIntoMap(env, rc.GetEnv(), c.Env)
+		mergeIntoMap(step, env, rc.GetEnv(), c.Env)
 	} else {
-		mergeIntoMap(env, rc.GetEnv())
-	}
-
-	path := rc.JobContainer.GetPathVariableName()
-	if (*env)[path] == "" {
-		(*env)[path] = rc.JobContainer.DefaultPathVariable()
-	}
-	if rc.ExtraPath != nil && len(rc.ExtraPath) > 0 {
-		(*env)[path] = rc.JobContainer.JoinPathVariable(append(rc.ExtraPath, (*env)[path])...)
+		mergeIntoMap(step, env, rc.GetEnv())
 	}

 	rc.withGithubEnv(ctx, step.getGithubContext(ctx), *env)
@@ -228,7 +256,7 @@ func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage)
 	return runStep, nil
 }

-func isContinueOnError(ctx context.Context, expr string, step step, stage stepStage) (bool, error) {
+func isContinueOnError(ctx context.Context, expr string, step step, _ stepStage) (bool, error) {
 	// https://github.com/github/docs/blob/3ae84420bd10997bb5f35f629ebb7160fe776eae/content/actions/reference/workflow-syntax-for-github-actions.md?plain=true#L962
 	if len(strings.TrimSpace(expr)) == 0 {
 		return false, nil
@@ -244,10 +272,38 @@ func isContinueOnError(ctx context.Context, expr string, step step, stage stepSt
 	return continueOnError, nil
 }

-func mergeIntoMap(target *map[string]string, maps ...map[string]string) {
+func mergeIntoMap(step step, target *map[string]string, maps ...map[string]string) {
+	if rc := step.getRunContext(); rc != nil && rc.JobContainer != nil && rc.JobContainer.IsEnvironmentCaseInsensitive() {
+		mergeIntoMapCaseInsensitive(*target, maps...)
+	} else {
+		mergeIntoMapCaseSensitive(*target, maps...)
+	}
+}
+
+func mergeIntoMapCaseSensitive(target map[string]string, maps ...map[string]string) {
 	for _, m := range maps {
 		for k, v := range m {
-			(*target)[k] = v
+			target[k] = v
+		}
+	}
+}
+
+func mergeIntoMapCaseInsensitive(target map[string]string, maps ...map[string]string) {
+	foldKeys := make(map[string]string, len(target))
+	for k := range target {
+		foldKeys[strings.ToLower(k)] = k
+	}
+	toKey := func(s string) string {
+		foldKey := strings.ToLower(s)
+		if k, ok := foldKeys[foldKey]; ok {
+			return k
+		}
+		foldKeys[strings.ToLower(foldKey)] = s
+		return s
+	}
+	for _, m := range maps {
+		for k, v := range m {
+			target[toKey(k)] = v
 		}
 	}
 }
--- a/pkg/runner/step_action_local.go
+++ b/pkg/runner/step_action_local.go
@@ -85,7 +85,7 @@ func (sal *stepActionLocal) getEnv() *map[string]string {
 	return &sal.env
 }

-func (sal *stepActionLocal) getIfExpression(context context.Context, stage stepStage) string {
+func (sal *stepActionLocal) getIfExpression(_ context.Context, stage stepStage) string {
 	switch stage {
 	case stepStageMain:
 		return sal.Step.If.Value
--- a/pkg/runner/step_action_local_test.go
+++ b/pkg/runner/step_action_local_test.go
@@ -1,7 +1,9 @@
 package runner

 import (
+	"bytes"
 	"context"
+	"io"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -22,7 +24,7 @@ func (salm *stepActionLocalMocks) runAction(step actionStep, actionDir string, r
 	return args.Get(0).(func(context.Context) error)
 }

-func (salm *stepActionLocalMocks) readAction(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
+func (salm *stepActionLocalMocks) readAction(_ context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	args := salm.Called(step, actionDir, actionPath, readFile, writeFile)
 	return args.Get(0).(*model.Action), args.Error(1)
 }
@@ -67,7 +69,7 @@ func TestStepActionLocalTest(t *testing.T) {
 	salm.On("readAction", sal.Step, filepath.Clean("/tmp/path/to/action"), "", mock.Anything, mock.Anything).
 		Return(&model.Action{}, nil)

-	cm.On("UpdateFromImageEnv", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+	cm.On("Copy", "/var/run/act", mock.AnythingOfType("[]*container.FileEntry")).Return(func(ctx context.Context) error {
 		return nil
 	})

@@ -75,14 +77,6 @@ func TestStepActionLocalTest(t *testing.T) {
 		return nil
 	})

-	cm.On("UpdateFromPath", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Copy", "/var/run/act", mock.AnythingOfType("[]*container.FileEntry")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
 	cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 		return nil
 	})
@@ -91,6 +85,8 @@ func TestStepActionLocalTest(t *testing.T) {
 		return nil
 	})

+	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
+
 	salm.On("runAction", sal, filepath.Clean("/tmp/path/to/action"), (*remoteAction)(nil)).Return(func(ctx context.Context) error {
 		return nil
 	})
@@ -107,13 +103,12 @@ func TestStepActionLocalTest(t *testing.T) {

 func TestStepActionLocalPost(t *testing.T) {
 	table := []struct {
-		name                   string
-		stepModel              *model.Step
-		actionModel            *model.Action
-		initialStepResults     map[string]*model.StepResult
-		expectedPostStepResult *model.StepResult
-		err                    error
-		mocks                  struct {
+		name               string
+		stepModel          *model.Step
+		actionModel        *model.Action
+		initialStepResults map[string]*model.StepResult
+		err                error
+		mocks              struct {
 			env  bool
 			exec bool
 		}
@@ -138,11 +133,6 @@ func TestStepActionLocalPost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSuccess,
-				Outcome:    model.StepStatusSuccess,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
@@ -171,11 +161,6 @@ func TestStepActionLocalPost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSuccess,
-				Outcome:    model.StepStatusSuccess,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
@@ -204,16 +189,11 @@ func TestStepActionLocalPost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSkipped,
-				Outcome:    model.StepStatusSkipped,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
 			}{
-				env:  true,
+				env:  false,
 				exec: false,
 			},
 		},
@@ -238,7 +218,6 @@ func TestStepActionLocalPost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: nil,
 			mocks: struct {
 				env  bool
 				exec bool
@@ -277,11 +256,6 @@ func TestStepActionLocalPost(t *testing.T) {
 			}
 			sal.RunContext.ExprEval = sal.RunContext.NewExpressionEvaluator(ctx)

-			if tt.mocks.env {
-				cm.On("UpdateFromImageEnv", &sal.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", &sal.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromPath", &sal.env).Return(func(ctx context.Context) error { return nil })
-			}
 			if tt.mocks.exec {
 				suffixMatcher := func(suffix string) interface{} {
 					return mock.MatchedBy(func(array []string) bool {
@@ -294,6 +268,10 @@ func TestStepActionLocalPost(t *testing.T) {
 					return nil
 				})

+				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+					return nil
+				})
+
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
@@ -301,12 +279,14 @@ func TestStepActionLocalPost(t *testing.T) {
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/outputcmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
+
+				cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
 			}

 			err := sal.post()(ctx)

 			assert.Equal(t, tt.err, err)
-			assert.Equal(t, tt.expectedPostStepResult, sal.RunContext.StepResults["post-step"])
+			assert.Equal(t, sal.RunContext.StepResults["post-step"], (*model.StepResult)(nil))
 			cm.AssertExpectations(t)
 		})
 	}
--- a/pkg/runner/step_action_remote.go
+++ b/pkg/runner/step_action_remote.go
@@ -11,11 +11,11 @@ import (
 	"regexp"
 	"strings"

+	gogit "github.com/go-git/go-git/v5"
+
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/common/git"
 	"github.com/nektos/act/pkg/model"
-
-	gogit "github.com/go-git/go-git/v5"
 )

 type stepActionRemote struct {
@@ -46,23 +46,22 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 			return fmt.Errorf("Expected format {org}/{repo}[/path]@ref. Actual '%s' Input string was not in a correct format", sar.Step.Uses)
 		}

-		sar.remoteAction.URL = sar.RunContext.Config.GitHubInstance
-
 		github := sar.getGithubContext(ctx)
+		sar.remoteAction.URL = github.ServerURL
+
 		if sar.remoteAction.IsCheckout() && isLocalCheckout(github, sar.Step) && !sar.RunContext.Config.NoSkipCheckout {
 			common.Logger(ctx).Debugf("Skipping local actions/checkout because workdir was already copied")
 			return nil
 		}

-		sar.remoteAction.URL = sar.RunContext.Config.GitHubInstance
 		for _, action := range sar.RunContext.Config.ReplaceGheActionWithGithubCom {
 			if strings.EqualFold(fmt.Sprintf("%s/%s", sar.remoteAction.Org, sar.remoteAction.Repo), action) {
-				sar.remoteAction.URL = "github.com"
+				sar.remoteAction.URL = "https://github.com"
 				github.Token = sar.RunContext.Config.ReplaceGheActionTokenWithGithubCom
 			}
 		}

-		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), strings.ReplaceAll(sar.Step.Uses, "/", "-"))
+		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))
 		gitClone := stepActionRemoteNewCloneExecutor(git.NewGitCloneExecutorInput{
 			URL:   sar.remoteAction.CloneURL(),
 			Ref:   sar.remoteAction.Ref,
@@ -122,7 +121,7 @@ func (sar *stepActionRemote) main() common.Executor {
 				return sar.RunContext.JobContainer.CopyDir(copyToPath, sar.RunContext.Config.Workdir+string(filepath.Separator)+".", sar.RunContext.Config.UseGitIgnore)(ctx)
 			}

-			actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), strings.ReplaceAll(sar.Step.Uses, "/", "-"))
+			actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))

 			return sar.runAction(sar, actionDir, sar.remoteAction)(ctx)
 		}),
@@ -181,7 +180,7 @@ func (sar *stepActionRemote) getActionModel() *model.Action {

 func (sar *stepActionRemote) getCompositeRunContext(ctx context.Context) *RunContext {
 	if sar.compositeRunContext == nil {
-		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), strings.ReplaceAll(sar.Step.Uses, "/", "-"))
+		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))
 		actionLocation := path.Join(actionDir, sar.remoteAction.Path)
 		_, containerActionDir := getContainerActionPaths(sar.getStepModel(), actionLocation, sar.RunContext)

@@ -196,6 +195,7 @@ func (sar *stepActionRemote) getCompositeRunContext(ctx context.Context) *RunCon
 		// was already created during the pre stage)
 		env := evaluateCompositeInputAndEnv(ctx, sar.RunContext, sar)
 		sar.compositeRunContext.Env = env
+		sar.compositeRunContext.ExtraPath = sar.RunContext.ExtraPath
 	}
 	return sar.compositeRunContext
 }
@@ -213,7 +213,7 @@ type remoteAction struct {
 }

 func (ra *remoteAction) CloneURL() string {
-	return fmt.Sprintf("https://%s/%s/%s", ra.URL, ra.Org, ra.Repo)
+	return fmt.Sprintf("%s/%s/%s", ra.URL, ra.Org, ra.Repo)
 }

 func (ra *remoteAction) IsCheckout() bool {
@@ -239,6 +239,20 @@ func newRemoteAction(action string) *remoteAction {
 		Repo: matches[2],
 		Path: matches[4],
 		Ref:  matches[6],
-		URL:  "github.com",
+		URL:  "https://github.com",
 	}
 }
+
+func safeFilename(s string) string {
+	return strings.NewReplacer(
+		`<`, "-",
+		`>`, "-",
+		`:`, "-",
+		`"`, "-",
+		`/`, "-",
+		`\`, "-",
+		`|`, "-",
+		`?`, "-",
+		`*`, "-",
+	).Replace(s)
+}
--- a/pkg/runner/step_action_remote_test.go
+++ b/pkg/runner/step_action_remote_test.go
@@ -1,25 +1,27 @@
 package runner

 import (
+	"bytes"
 	"context"
 	"errors"
+	"io"
 	"strings"
 	"testing"

-	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/common/git"
-	"github.com/nektos/act/pkg/model"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"gopkg.in/yaml.v3"
+
+	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/common/git"
+	"github.com/nektos/act/pkg/model"
 )

 type stepActionRemoteMocks struct {
 	mock.Mock
 }

-func (sarm *stepActionRemoteMocks) readAction(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
+func (sarm *stepActionRemoteMocks) readAction(_ context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	args := sarm.Called(step, actionDir, actionPath, readFile, writeFile)
 	return args.Get(0).(*model.Action), args.Error(1)
 }
@@ -163,11 +165,6 @@ func TestStepActionRemote(t *testing.T) {
 				})
 			}

-			if tt.mocks.env {
-				cm.On("UpdateFromImageEnv", &sar.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", &sar.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromPath", &sar.env).Return(func(ctx context.Context) error { return nil })
-			}
 			if tt.mocks.read {
 				sarm.On("readAction", sar.Step, suffixMatcher("act/remote-action@v1"), "", mock.Anything, mock.Anything).Return(&model.Action{}, nil)
 			}
@@ -178,6 +175,10 @@ func TestStepActionRemote(t *testing.T) {
 					return nil
 				})

+				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+					return nil
+				})
+
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
@@ -185,6 +186,8 @@ func TestStepActionRemote(t *testing.T) {
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/outputcmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
+
+				cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
 			}

 			err := sar.pre()(ctx)
@@ -412,14 +415,14 @@ func TestStepActionRemotePreThroughActionToken(t *testing.T) {

 func TestStepActionRemotePost(t *testing.T) {
 	table := []struct {
-		name                   string
-		stepModel              *model.Step
-		actionModel            *model.Action
-		initialStepResults     map[string]*model.StepResult
-		expectedEnv            map[string]string
-		expectedPostStepResult *model.StepResult
-		err                    error
-		mocks                  struct {
+		name               string
+		stepModel          *model.Step
+		actionModel        *model.Action
+		initialStepResults map[string]*model.StepResult
+		IntraActionState   map[string]map[string]string
+		expectedEnv        map[string]string
+		err                error
+		mocks              struct {
 			env  bool
 			exec bool
 		}
@@ -442,19 +445,16 @@ func TestStepActionRemotePost(t *testing.T) {
 					Conclusion: model.StepStatusSuccess,
 					Outcome:    model.StepStatusSuccess,
 					Outputs:    map[string]string{},
-					State: map[string]string{
-						"key": "value",
-					},
+				},
+			},
+			IntraActionState: map[string]map[string]string{
+				"step": {
+					"key": "value",
 				},
 			},
 			expectedEnv: map[string]string{
 				"STATE_key": "value",
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSuccess,
-				Outcome:    model.StepStatusSuccess,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
@@ -483,11 +483,6 @@ func TestStepActionRemotePost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSuccess,
-				Outcome:    model.StepStatusSuccess,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
@@ -516,11 +511,6 @@ func TestStepActionRemotePost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: &model.StepResult{
-				Conclusion: model.StepStatusSkipped,
-				Outcome:    model.StepStatusSkipped,
-				Outputs:    map[string]string{},
-			},
 			mocks: struct {
 				env  bool
 				exec bool
@@ -550,7 +540,6 @@ func TestStepActionRemotePost(t *testing.T) {
 					Outputs:    map[string]string{},
 				},
 			},
-			expectedPostStepResult: nil,
 			mocks: struct {
 				env  bool
 				exec bool
@@ -582,18 +571,14 @@ func TestStepActionRemotePost(t *testing.T) {
 							},
 						},
 					},
-					StepResults: tt.initialStepResults,
+					StepResults:      tt.initialStepResults,
+					IntraActionState: tt.IntraActionState,
 				},
 				Step:   tt.stepModel,
 				action: tt.actionModel,
 			}
 			sar.RunContext.ExprEval = sar.RunContext.NewExpressionEvaluator(ctx)

-			if tt.mocks.env {
-				cm.On("UpdateFromImageEnv", &sar.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", &sar.env).Return(func(ctx context.Context) error { return nil })
-				cm.On("UpdateFromPath", &sar.env).Return(func(ctx context.Context) error { return nil })
-			}
 			if tt.mocks.exec {
 				cm.On("Exec", []string{"node", "/var/run/act/actions/remote-action@v1/post.js"}, sar.env, "", "").Return(func(ctx context.Context) error { return tt.err })

@@ -601,6 +586,10 @@ func TestStepActionRemotePost(t *testing.T) {
 					return nil
 				})

+				cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+					return nil
+				})
+
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
@@ -608,6 +597,8 @@ func TestStepActionRemotePost(t *testing.T) {
 				cm.On("UpdateFromEnv", "/var/run/act/workflow/outputcmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 					return nil
 				})
+
+				cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
 			}

 			err := sar.post()(ctx)
@@ -618,8 +609,30 @@ func TestStepActionRemotePost(t *testing.T) {
 					assert.Equal(t, value, sar.env[key])
 				}
 			}
-			assert.Equal(t, tt.expectedPostStepResult, sar.RunContext.StepResults["post-step"])
+			// Enshure that StepResults is nil in this test
+			assert.Equal(t, sar.RunContext.StepResults["post-step"], (*model.StepResult)(nil))
 			cm.AssertExpectations(t)
 		})
 	}
 }
+
+func Test_safeFilename(t *testing.T) {
+	tests := []struct {
+		s    string
+		want string
+	}{
+		{
+			s:    "https://test.com/test/",
+			want: "https---test.com-test-",
+		},
+		{
+			s:    `<>:"/\|?*`,
+			want: "---------",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.s, func(t *testing.T) {
+			assert.Equalf(t, tt.want, safeFilename(tt.s), "safeFilename(%v)", tt.s)
+		})
+	}
+}
--- a/pkg/runner/step_docker.go
+++ b/pkg/runner/step_docker.go
@@ -51,7 +51,7 @@ func (sd *stepDocker) getEnv() *map[string]string {
 	return &sd.env
 }

-func (sd *stepDocker) getIfExpression(context context.Context, stage stepStage) string {
+func (sd *stepDocker) getIfExpression(_ context.Context, _ stepStage) string {
 	return sd.Step.If.Value
 }

--- a/pkg/runner/step_docker_test.go
+++ b/pkg/runner/step_docker_test.go
@@ -1,7 +1,9 @@
 package runner

 import (
+	"bytes"
 	"context"
+	"io"
 	"testing"

 	"github.com/nektos/act/pkg/container"
@@ -55,18 +57,6 @@ func TestStepDockerMain(t *testing.T) {
 	}
 	sd.RunContext.ExprEval = sd.RunContext.NewExpressionEvaluator(ctx)

-	cm.On("UpdateFromImageEnv", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("UpdateFromPath", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
 	cm.On("Pull", false).Return(func(ctx context.Context) error {
 		return nil
 	})
@@ -91,6 +81,10 @@ func TestStepDockerMain(t *testing.T) {
 		return nil
 	})

+	cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+		return nil
+	})
+
 	cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 		return nil
 	})
@@ -99,6 +93,8 @@ func TestStepDockerMain(t *testing.T) {
 		return nil
 	})

+	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
+
 	err := sd.main()(ctx)
 	assert.Nil(t, err)

--- a/pkg/runner/step_run.go
+++ b/pkg/runner/step_run.go
@@ -6,16 +6,18 @@ import (
 	"strings"

 	"github.com/kballard/go-shellquote"
+
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
 )

 type stepRun struct {
-	Step       *model.Step
-	RunContext *RunContext
-	cmd        []string
-	env        map[string]string
+	Step             *model.Step
+	RunContext       *RunContext
+	cmd              []string
+	env              map[string]string
+	WorkingDirectory string
 }

 func (sr *stepRun) pre() common.Executor {
@@ -26,11 +28,11 @@ func (sr *stepRun) pre() common.Executor {

 func (sr *stepRun) main() common.Executor {
 	sr.env = map[string]string{}
-
 	return runStepExecutor(sr, stepStageMain, common.NewPipelineExecutor(
 		sr.setupShellCommandExecutor(),
 		func(ctx context.Context) error {
-			return sr.getRunContext().JobContainer.Exec(sr.cmd, sr.env, "", sr.Step.WorkingDirectory)(ctx)
+			sr.getRunContext().ApplyExtraPath(ctx, &sr.env)
+			return sr.getRunContext().JobContainer.Exec(sr.cmd, sr.env, "", sr.WorkingDirectory)(ctx)
 		},
 	))
 }
@@ -57,7 +59,7 @@ func (sr *stepRun) getEnv() *map[string]string {
 	return &sr.env
 }

-func (sr *stepRun) getIfExpression(context context.Context, stage stepStage) string {
+func (sr *stepRun) getIfExpression(_ context.Context, _ stepStage) string {
 	return sr.Step.If.Value
 }

@@ -71,7 +73,7 @@ func (sr *stepRun) setupShellCommandExecutor() common.Executor {
 		rc := sr.getRunContext()
 		return rc.JobContainer.Copy(rc.JobContainer.GetActPath(), &container.FileEntry{
 			Name: scriptName,
-			Mode: 0755,
+			Mode: 0o755,
 			Body: script,
 		})(ctx)
 	}
@@ -165,16 +167,20 @@ func (sr *stepRun) setupShell(ctx context.Context) {
 func (sr *stepRun) setupWorkingDirectory(ctx context.Context) {
 	rc := sr.RunContext
 	step := sr.Step
+	workingdirectory := ""

 	if step.WorkingDirectory == "" {
-		step.WorkingDirectory = rc.Run.Job().Defaults.Run.WorkingDirectory
+		workingdirectory = rc.Run.Job().Defaults.Run.WorkingDirectory
+	} else {
+		workingdirectory = step.WorkingDirectory
 	}

 	// jobs can receive context values, so we interpolate
-	step.WorkingDirectory = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, step.WorkingDirectory)
+	workingdirectory = rc.NewExpressionEvaluator(ctx).Interpolate(ctx, workingdirectory)

 	// but top level keys in workflow file like `defaults` or `env` can't
-	if step.WorkingDirectory == "" {
-		step.WorkingDirectory = rc.Run.Workflow.Defaults.Run.WorkingDirectory
+	if workingdirectory == "" {
+		workingdirectory = rc.Run.Workflow.Defaults.Run.WorkingDirectory
 	}
+	sr.WorkingDirectory = workingdirectory
 }
--- a/pkg/runner/step_run_test.go
+++ b/pkg/runner/step_run_test.go
@@ -1,20 +1,23 @@
 package runner

 import (
+	"bytes"
 	"context"
+	"io"
 	"testing"

+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 )

 func TestStepRun(t *testing.T) {
 	cm := &containerMock{}
 	fileEntry := &container.FileEntry{
 		Name: "workflow/1.sh",
-		Mode: 0755,
+		Mode: 0o755,
 		Body: "\ncmd\n",
 	}

@@ -53,7 +56,7 @@ func TestStepRun(t *testing.T) {
 		return nil
 	})

-	cm.On("UpdateFromImageEnv", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
+	cm.On("Copy", "/var/run/act", mock.AnythingOfType("[]*container.FileEntry")).Return(func(ctx context.Context) error {
 		return nil
 	})

@@ -61,14 +64,6 @@ func TestStepRun(t *testing.T) {
 		return nil
 	})

-	cm.On("UpdateFromPath", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
-	cm.On("Copy", "/var/run/act", mock.AnythingOfType("[]*container.FileEntry")).Return(func(ctx context.Context) error {
-		return nil
-	})
-
 	cm.On("UpdateFromEnv", "/var/run/act/workflow/statecmd.txt", mock.AnythingOfType("*map[string]string")).Return(func(ctx context.Context) error {
 		return nil
 	})
@@ -79,6 +74,8 @@ func TestStepRun(t *testing.T) {

 	ctx := context.Background()

+	cm.On("GetContainerArchive", ctx, "/var/run/act/workflow/pathcmd.txt").Return(io.NopCloser(&bytes.Buffer{}), nil)
+
 	err := sr.main()(ctx)
 	assert.Nil(t, err)

--- a/pkg/runner/step_test.go
+++ b/pkg/runner/step_test.go
@@ -63,7 +63,9 @@ func TestMergeIntoMap(t *testing.T) {

 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
-			mergeIntoMap(&tt.target, tt.maps...)
+			mergeIntoMapCaseSensitive(tt.target, tt.maps...)
+			assert.Equal(t, tt.expected, tt.target)
+			mergeIntoMapCaseInsensitive(tt.target, tt.maps...)
 			assert.Equal(t, tt.expected, tt.target)
 		})
 	}
@@ -134,7 +136,6 @@ func TestSetupEnv(t *testing.T) {
 		Env: map[string]string{
 			"RC_KEY": "rcvalue",
 		},
-		ExtraPath:    []string{"/path/to/extra/file"},
 		JobContainer: cm,
 	}
 	step := &model.Step{
@@ -142,19 +143,13 @@ func TestSetupEnv(t *testing.T) {
 			"STEP_WITH": "with-value",
 		},
 	}
-	env := map[string]string{
-		"PATH": "",
-	}
+	env := map[string]string{}

 	sm.On("getRunContext").Return(rc)
 	sm.On("getGithubContext").Return(rc)
 	sm.On("getStepModel").Return(step)
 	sm.On("getEnv").Return(&env)

-	cm.On("UpdateFromImageEnv", &env).Return(func(ctx context.Context) error { return nil })
-	cm.On("UpdateFromEnv", "/var/run/act/workflow/envs.txt", &env).Return(func(ctx context.Context) error { return nil })
-	cm.On("UpdateFromPath", &env).Return(func(ctx context.Context) error { return nil })
-
 	err := setupEnv(context.Background(), sm)
 	assert.Nil(t, err)

@@ -178,13 +173,11 @@ func TestSetupEnv(t *testing.T) {
 		"GITHUB_ACTION_REPOSITORY": "",
 		"GITHUB_API_URL":           "https:///api/v3",
 		"GITHUB_BASE_REF":          "",
-		"GITHUB_ENV":               "/var/run/act/workflow/envs.txt",
 		"GITHUB_EVENT_NAME":        "",
 		"GITHUB_EVENT_PATH":        "/var/run/act/workflow/event.json",
 		"GITHUB_GRAPHQL_URL":       "https:///api/graphql",
 		"GITHUB_HEAD_REF":          "",
-		"GITHUB_JOB":               "",
-		"GITHUB_PATH":              "/var/run/act/workflow/paths.txt",
+		"GITHUB_JOB":               "1",
 		"GITHUB_RETENTION_DAYS":    "0",
 		"GITHUB_RUN_ID":            "runId",
 		"GITHUB_RUN_NUMBER":        "1",
@@ -192,7 +185,6 @@ func TestSetupEnv(t *testing.T) {
 		"GITHUB_TOKEN":             "",
 		"GITHUB_WORKFLOW":          "",
 		"INPUT_STEP_WITH":          "with-value",
-		"PATH":                     "/path/to/extra/file:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 		"RC_KEY":                   "rcvalue",
 		"RUNNER_PERFLOG":           "/dev/null",
 		"RUNNER_TRACKING_ID":       "",
--- a/pkg/runner/testdata/.github/workflows/local-reusable-workflow-no-inputs-array.yml
+++ b/pkg/runner/testdata/.github/workflows/local-reusable-workflow-no-inputs-array.yml
@@ -0,0 +1,10 @@
+name: reusable
+
+on:
+- workflow_call
+
+jobs:
+  reusable_workflow_job:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo Test
--- a/pkg/runner/testdata/.github/workflows/local-reusable-workflow-no-inputs-string.yml
+++ b/pkg/runner/testdata/.github/workflows/local-reusable-workflow-no-inputs-string.yml
@@ -0,0 +1,9 @@
+name: reusable
+
+on: workflow_call
+
+jobs:
+  reusable_workflow_job:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo Test
--- a/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml
+++ b/pkg/runner/testdata/.github/workflows/local-reusable-workflow.yml
@@ -0,0 +1,82 @@
+name: reusable
+
+on:
+  workflow_call:
+    inputs:
+      string_required:
+        required: true
+        type: string
+      string_optional:
+        required: false
+        type: string
+        default: string
+      bool_required:
+        required: true
+        type: boolean
+      bool_optional:
+        required: false
+        type: boolean
+        default: true
+      number_required:
+        required: true
+        type: number
+      number_optional:
+        required: false
+        type: number
+        default: ${{ 1 }}
+    outputs:
+      output:
+        description: "A workflow output"
+        value: ${{ jobs.reusable_workflow_job.outputs.job-output }}
+
+jobs:
+  reusable_workflow_job:
+    runs-on: ubuntu-latest
+    steps:
+    - name: test required string
+      run: |
+        echo inputs.string_required=${{ inputs.string_required }}
+        [[ "${{ inputs.string_required == 'string' }}" = "true" ]] || exit 1
+
+    - name: test optional string
+      run: |
+        echo inputs.string_optional=${{ inputs.string_optional }}
+        [[ "${{ inputs.string_optional == 'string' }}" = "true" ]] || exit 1
+
+    - name: test required bool
+      run: |
+        echo inputs.bool_required=${{ inputs.bool_required }}
+        [[ "${{ inputs.bool_required }}" = "true" ]] || exit 1
+
+    - name: test optional bool
+      run: |
+        echo inputs.bool_optional=${{ inputs.bool_optional }}
+        [[ "${{ inputs.bool_optional }}" = "true" ]] || exit 1
+
+    - name: test required number
+      run: |
+        echo inputs.number_required=${{ inputs.number_required }}
+        [[ "${{ inputs.number_required == 1 }}" = "true" ]] || exit 1
+
+    - name: test optional number
+      run: |
+        echo inputs.number_optional=${{ inputs.number_optional }}
+        [[ "${{ inputs.number_optional == 1 }}" = "true" ]] || exit 1
+
+    - name: test secret
+      run: |
+        echo secrets.secret=${{ secrets.secret }}
+        [[ "${{ secrets.secret == 'keep_it_private' }}" = "true" ]] || exit 1
+
+    - name: test github.event_name is never workflow_call
+      run: |
+        echo github.event_name=${{ github.event_name }}
+        [[ "${{ github.event_name != 'workflow_call' }}" = "true" ]] || exit 1
+
+    - name: test output
+      id: output_test
+      run: |
+        echo "value=${{ inputs.string_required }}" >> $GITHUB_OUTPUT
+
+    outputs:
+      job-output: ${{ steps.output_test.outputs.value }}
--- a/pkg/runner/testdata/GITHUB_ENV-use-in-env-ctx/push.yml
+++ b/pkg/runner/testdata/GITHUB_ENV-use-in-env-ctx/push.yml
@@ -0,0 +1,27 @@
+on: push
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    env:
+      MYGLOBALENV3: myglobalval3
+    steps:
+    - run: |
+        echo MYGLOBALENV1=myglobalval1 > $GITHUB_ENV
+        echo "::set-env name=MYGLOBALENV2::myglobalval2"
+    - uses: nektos/act-test-actions/script@main
+      with:
+        main: |
+          env
+          [[ "$MYGLOBALENV1" = "${{ env.MYGLOBALENV1 }}" ]]
+          [[ "$MYGLOBALENV1" = "${{ env.MYGLOBALENV1ALIAS }}" ]]
+          [[ "$MYGLOBALENV1" = "$MYGLOBALENV1ALIAS" ]]
+          [[ "$MYGLOBALENV2" = "${{ env.MYGLOBALENV2 }}" ]]
+          [[ "$MYGLOBALENV2" = "${{ env.MYGLOBALENV2ALIAS }}" ]]
+          [[ "$MYGLOBALENV2" = "$MYGLOBALENV2ALIAS" ]]
+          [[ "$MYGLOBALENV3" = "${{ env.MYGLOBALENV3 }}" ]]
+          [[ "$MYGLOBALENV3" = "${{ env.MYGLOBALENV3ALIAS }}" ]]
+          [[ "$MYGLOBALENV3" = "$MYGLOBALENV3ALIAS" ]]
+      env:
+        MYGLOBALENV1ALIAS: ${{ env.MYGLOBALENV1 }}
+        MYGLOBALENV2ALIAS: ${{ env.MYGLOBALENV2 }}
+        MYGLOBALENV3ALIAS: ${{ env.MYGLOBALENV3 }}
--- a/pkg/runner/testdata/GITHUB_STATE/push.yml
+++ b/pkg/runner/testdata/GITHUB_STATE/push.yml
@@ -0,0 +1,48 @@
+on: push
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: nektos/act-test-actions/script@main
+      with:
+        pre: |
+          env
+          echo mystate0=mystateval > $GITHUB_STATE
+          echo "::save-state name=mystate1::mystateval"
+        main: |
+          env
+          echo mystate2=mystateval > $GITHUB_STATE
+          echo "::save-state name=mystate3::mystateval"
+        post: |
+          env
+          [ "$STATE_mystate0" = "mystateval" ]
+          [ "$STATE_mystate1" = "mystateval" ]
+          [ "$STATE_mystate2" = "mystateval" ]
+          [ "$STATE_mystate3" = "mystateval" ]
+  test-id-collision-bug:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: nektos/act-test-actions/script@main
+      id: script
+      with:
+        pre: |
+          env
+          echo mystate0=mystateval > $GITHUB_STATE
+          echo "::save-state name=mystate1::mystateval"
+        main: |
+          env
+          echo mystate2=mystateval > $GITHUB_STATE
+          echo "::save-state name=mystate3::mystateval"
+        post: |
+          env
+          [ "$STATE_mystate0" = "mystateval" ]
+          [ "$STATE_mystate1" = "mystateval" ]
+          [ "$STATE_mystate2" = "mystateval" ]
+          [ "$STATE_mystate3" = "mystateval" ]
+    - uses: nektos/act-test-actions/script@main
+      id: pre-script
+      with:
+        main: |
+          env
+          echo mystate0=mystateerror > $GITHUB_STATE
+          echo "::save-state name=mystate1::mystateerror"
--- a/pkg/runner/testdata/actions-environment-and-context-tests/push.yml
+++ b/pkg/runner/testdata/actions-environment-and-context-tests/push.yml
@@ -11,3 +11,5 @@ jobs:
      - uses: './actions-environment-and-context-tests/docker'
      - uses: 'nektos/act-test-actions/js@main'
      - uses: 'nektos/act-test-actions/docker@main'
+      - uses: 'nektos/act-test-actions/docker-file@main'
+      - uses: 'nektos/act-test-actions/docker-relative-context/action@main'
--- a/pkg/runner/testdata/do-not-leak-step-env-in-composite/push.yml
+++ b/pkg/runner/testdata/do-not-leak-step-env-in-composite/push.yml
@@ -0,0 +1,18 @@
+on: push
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        runs:
+          using: composite
+          steps:
+          - run: exit 1
+            shell: bash
+            if: env.LEAK_ENV != 'val'
+      shell: cp {0} action.yml
+    - uses: ./
+      env:
+        LEAK_ENV: val
+    - run: exit 1
+      if: env.LEAK_ENV == 'val'
--- a/pkg/runner/testdata/docker-action-custom-path/push.yml
+++ b/pkg/runner/testdata/docker-action-custom-path/push.yml
@@ -0,0 +1,12 @@
+on: push
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        FROM ubuntu:latest
+        ENV PATH="/opt/texlive/texdir/bin/x86_64-linuxmusl:${PATH}"
+        ENV ORG_PATH="${PATH}"
+        ENTRYPOINT [ "bash", "-c", "echo \"PATH=$PATH\" && echo \"ORG_PATH=$ORG_PATH\" && [[ \"$PATH\" = \"$ORG_PATH\" ]]" ]
+      shell: mv {0} Dockerfile
+    - uses: ./
--- a/pkg/runner/testdata/environment-files-parser-bug/push.yaml
+++ b/pkg/runner/testdata/environment-files-parser-bug/push.yaml
@@ -0,0 +1,13 @@
+on: push
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo "test<<World" > $GITHUB_ENV
+        echo "x=Thats really Weird" >> $GITHUB_ENV
+        echo "World" >> $GITHUB_ENV
+    - if: env.test != 'x=Thats really Weird'
+      run: exit 1
+    - if: env.x == 'Thats really Weird' # This assert is triggered by the broken impl of act
+      run: exit 1
--- a/pkg/runner/testdata/environment-files/push.yaml
+++ b/pkg/runner/testdata/environment-files/push.yaml
@@ -0,0 +1,101 @@
+name: environment-files
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Append to $GITHUB_PATH"
+        run: |
+          echo "$HOME/someFolder" >> $GITHUB_PATH
+      - name: "Append some more to $GITHUB_PATH"
+        run: |
+          echo "$HOME/someOtherFolder" >> $GITHUB_PATH
+      - name: "Check PATH"
+        run: |
+          echo "${PATH}"
+          if [[ ! "${PATH}" =~ .*"$HOME/"someOtherFolder.*"$HOME/"someFolder.* ]]; then
+            echo "${PATH} doesn't match .*someOtherFolder.*someFolder.*"
+            exit 1
+          fi
+      - name: "Prepend"
+        run: |
+          if ls | grep -q 'called ls' ; then
+            echo 'ls was overridden already?'
+            exit 2
+          fi
+          path_add=$(mktemp -d)
+          cat > $path_add/ls <<LS
+          #!/bin/sh
+          echo 'called ls'
+          LS
+          chmod +x $path_add/ls
+          echo $path_add >> $GITHUB_PATH
+      - name: "Verify prepend"
+        run: |
+          if ! ls | grep -q 'called ls' ; then
+            echo 'ls was not overridden'
+            exit 2
+          fi
+      - name: "Write single line env to $GITHUB_ENV"
+        run: |
+          echo "KEY=value" >> $GITHUB_ENV
+      - name: "Check single line env"
+        run: |
+          if [[ "${KEY}" != "value" ]]; then
+            echo "${KEY} doesn't == 'value'"
+            exit 1
+          fi
+      - name: "Write single line env with more than one 'equals' signs to $GITHUB_ENV"
+        run: |
+          echo "KEY=value=anothervalue" >> $GITHUB_ENV
+      - name: "Check single line env"
+        run: |
+          if [[ "${KEY}" != "value=anothervalue" ]]; then
+            echo "${KEY} doesn't == 'value=anothervalue'"
+            exit 1
+          fi
+      - name: "Write multiline env to $GITHUB_ENV"
+        run: |
+          echo 'KEY2<<EOF' >> $GITHUB_ENV
+          echo value2 >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
+      - name: "Check multiline line env"
+        run: |
+          if [[ "${KEY2}" != "value2" ]]; then
+            echo "${KEY2} doesn't == 'value'"
+            exit 1
+          fi
+      - name: "Write multiline env with UUID to $GITHUB_ENV"
+        run: |
+          echo 'KEY3<<ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36' >> $GITHUB_ENV
+          echo value3 >> $GITHUB_ENV
+          echo 'ghadelimiter_b8273c6d-d535-419a-a010-b0aaac240e36' >> $GITHUB_ENV
+      - name: "Check multiline env with UUID to $GITHUB_ENV"
+        run: |
+          if [[ "${KEY3}" != "value3" ]]; then
+            echo "${KEY3} doesn't == 'value3'"
+            exit 1
+          fi
+      - name: "Write single line output to $GITHUB_OUTPUT"
+        id: write-single-output
+        run: |
+          echo "KEY=value" >> $GITHUB_OUTPUT
+      - name: "Check single line output"
+        run: |
+          if [[ "${{ steps.write-single-output.outputs.KEY }}" != "value" ]]; then
+            echo "${{ steps.write-single-output.outputs.KEY }} doesn't == 'value'"
+            exit 1
+          fi
+      - name: "Write multiline output to $GITHUB_OUTPUT"
+        id: write-multi-output
+        run: |
+          echo 'KEY2<<EOF' >> $GITHUB_OUTPUT
+          echo value2 >> $GITHUB_OUTPUT
+          echo 'EOF' >> $GITHUB_OUTPUT
+      - name: "Check multiline output"
+        run: |
+          if [[ "${{ steps.write-multi-output.outputs.KEY2 }}" != "value2" ]]; then
+            echo "${{ steps.write-multi-output.outputs.KEY2 }} doesn't == 'value2'"
+            exit 1
+          fi
--- a/pkg/runner/testdata/environment-variables/push.yml
+++ b/pkg/runner/testdata/environment-variables/push.yml
@@ -0,0 +1,33 @@
+name: environment variables
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test on job level
+        run: |
+          echo \$UPPER=$UPPER
+          echo \$upper=$upper
+          echo \$LOWER=$LOWER
+          echo \$lower=$lower
+          [[ "$UPPER" = "UPPER" ]] || exit 1
+          [[ "$upper" = "" ]] || exit 1
+          [[ "$LOWER" = "" ]] || exit 1
+          [[ "$lower" = "lower" ]] || exit 1
+      - name: Test on step level
+        run: |
+          echo \$UPPER=$UPPER
+          echo \$upper=$upper
+          echo \$LOWER=$LOWER
+          echo \$lower=$lower
+          [[ "$UPPER" = "upper" ]] || exit 1
+          [[ "$upper" = "" ]] || exit 1
+          [[ "$LOWER" = "" ]] || exit 1
+          [[ "$lower" = "LOWER" ]] || exit 1
+        env:
+          UPPER: upper
+          lower: LOWER
+    env:
+      UPPER: UPPER
+      lower: lower
--- a/pkg/runner/testdata/input-from-cli/input.yml
+++ b/pkg/runner/testdata/input-from-cli/input.yml
@@ -0,0 +1,21 @@
+on:
+  workflow_dispatch:
+    inputs:
+      NAME:
+        description: "A random input name for the workflow"
+        type: string
+        required: true
+      SOME_VALUE:
+        description: "Some other input to pass"
+        type: string
+        required: true
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Test with inputs
+        run: |
+          [ -z "${{ github.event.inputs.SOME_INPUT }}" ] && exit 1 || exit 0
--- a/Show More
+++ b/Show More