Patched options() to let container options propagate to job containers

Merge pull request 'Bump nektos/act to 0.2.59' (#90 ) from harryzcy/act:bump-nektos-act into main
Reviewed-on: https://gitea.com/gitea/act/pulls/90
2024-02-23 08:45:47 +01:00 · 2024-02-19 22:25:12 +00:00 · 2024-02-17 13:19:51 -05:00 · 2024-02-01 22:32:06 +00:00 · 2024-02-01 13:57:16 -08:00 · 2024-02-01 02:12:33 +00:00
1602 changed files with 473014 additions and 1205 deletions
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -0,0 +1,44 @@
+name: checks
+on:
+  - push
+  - pull_request
+
+env:
+  GOPROXY: https://goproxy.io,direct
+  GOPATH: /go_path
+  GOCACHE: /go_cache
+
+jobs:
+  lint:
+    name: check and test
+    runs-on: ubuntu-latest
+    steps:
+      - name: cache go path
+        id: cache-go-path
+        uses: https://github.com/actions/cache@v3
+        with:
+          path: /go_path
+          key: go_path-${{ github.repository }}-${{ github.ref_name }}
+          restore-keys: |
+            go_path-${{ github.repository }}-
+            go_path-
+      - name: cache go cache
+        id: cache-go-cache
+        uses: https://github.com/actions/cache@v3
+        with:
+          path: /go_cache
+          key: go_cache-${{ github.repository }}-${{ github.ref_name }}
+          restore-keys: |
+            go_cache-${{ github.repository }}-
+            go_cache-
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.20
+      - uses: actions/checkout@v3
+      - name: vet checks
+        run: go vet -v ./...
+      - name: build
+        run: go build -v ./...
+      - name: test
+        run: go test -v ./pkg/jobparser
+        # TODO test more packages
--- a/.github/actions/run-tests/action.yml
+++ b/.github/actions/run-tests/action.yml
@@ -54,7 +54,7 @@ runs:
              }
            }
          };
-          var args = ['test', '-v', '-cover', '-coverprofile=coverage.txt', '-covermode=atomic', '-timeout', '15m'];
+          var args = ['test', '-v', '-cover', '-coverprofile=coverage.txt', '-covermode=atomic', '-timeout', '20m'];
          var filter = process.env.FILTER;
          if(filter) {
            args.push('-run');
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -8,7 +8,6 @@ concurrency:
 env:
  ACT_OWNER: ${{ github.repository_owner }}
  ACT_REPOSITORY: ${{ github.repository }}
-  GO_VERSION: 1.18
  CGO_ENABLED: 0

 jobs:
@@ -16,17 +15,18 @@ jobs:
    name: lint
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
-      - uses: golangci/golangci-lint-action@v3.4.0
+      - uses: golangci/golangci-lint-action@v3.7.0
        with:
-          version: v1.47.2
-      - uses: megalinter/megalinter/flavors/go@v6.22.2
+          version: v1.53
+          only-new-issues: true
+      - uses: megalinter/megalinter/flavors/go@v7.8.0
        env:
          DEFAULT_BRANCH: master
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -38,14 +38,14 @@ jobs:
    name: test-linux
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - uses: actions/setup-go@v4
+        uses: docker/setup-qemu-action@v3
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -61,7 +61,7 @@ jobs:
      - name: Run act from cli
        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
      - name: Upload Codecov report
-        uses: codecov/codecov-action@v3.1.3
+        uses: codecov/codecov-action@v3.1.5
        with:
          files: coverage.txt
          fail_ci_if_error: true # optional (default = false)
@@ -75,12 +75,12 @@ jobs:
    name: test-${{matrix.os}}
    runs-on: ${{matrix.os}}
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - name: Run Tests
        uses: ./.github/actions/run-tests
@@ -92,10 +92,10 @@ jobs:
    name: snapshot
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -105,73 +105,73 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
-          args: release --snapshot --rm-dist
+          args: release --snapshot --clean
      - name: Capture x86_64 (64-bit) Linux binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-linux-amd64
          path: dist/act_linux_amd64_v1/act
      - name: Capture i386 (32-bit) Linux binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-linux-i386
          path: dist/act_linux_386/act
      - name: Capture arm64 (64-bit) Linux binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-linux-arm64
          path: dist/act_linux_arm64/act
      - name: Capture armv6 (32-bit) Linux binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-linux-armv6
          path: dist/act_linux_arm_6/act
      - name: Capture armv7 (32-bit) Linux binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-linux-armv7
          path: dist/act_linux_arm_7/act
      - name: Capture x86_64 (64-bit) Windows binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-windows-amd64
          path: dist/act_windows_amd64_v1/act.exe
      - name: Capture i386 (32-bit) Windows binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-windows-i386
          path: dist/act_windows_386/act.exe
      - name: Capture arm64 (64-bit) Windows binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-windows-arm64
          path: dist/act_windows_arm64/act.exe
      - name: Capture armv7 (32-bit) Windows binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-windows-armv7
          path: dist/act_windows_arm_7/act.exe
      - name: Capture x86_64 (64-bit) MacOS binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-macos-amd64
          path: dist/act_darwin_amd64_v1/act
      - name: Capture arm64 (64-bit) MacOS binary
        if: ${{ !env.ACT }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: act-macos-arm64
          path: dist/act_darwin_arm64/act
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -4,23 +4,20 @@ on:
    - cron: '0 2 1 * *'
  workflow_dispatch: {}

-env:
-  GO_VERSION: 1.18
-
 jobs:
  release:
    name: promote
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: master
          token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
      - uses: fregante/setup-git-user@v2
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,20 +4,17 @@ on:
    tags:
      - v*

-env:
-  GO_VERSION: 1.18
-
 jobs:
  release:
    name: release
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version-file: go.mod
          check-latest: true
      - uses: actions/cache@v3
        if: ${{ !env.ACT }}
@@ -27,12 +24,18 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v5
        with:
          version: latest
-          args: release --rm-dist
+          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+      - name: Winget
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
      - name: Chocolatey
        uses: ./.github/actions/choco
        with:
@@ -40,7 +43,7 @@ jobs:
          apiKey: ${{ secrets.CHOCO_APIKEY }}
          push: true
      - name: GitHub CLI extension
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
          script: |
@@ -56,12 +59,3 @@ jobs:
              ref: context.ref,
              sha: mainRef.object.sha,
            });
-  winget:
-    needs: release
-    runs-on: windows-latest # Action can only run on Windows
-    steps:
-      - uses: vedantmgoyal2009/winget-releaser@v2
-        with:
-          identifier: nektos.act
-          installers-regex: '_Windows_\w+\.zip$'
-          token: ${{ secrets.WINGET_TOKEN }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
    name: Stale
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: 'Issue is stale and will be closed in 14 days unless there is new activity'
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ coverage.txt

 # megalinter
 report/
+act
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -19,17 +19,15 @@ linters-settings:
      - pkg: 'github.com/stretchr/testify/assert'
        alias: assert
  depguard:
-    list-type: blacklist
-    include-go-root: true
-    packages:
-      - github.com/pkg/errors
-      - gotest.tools/v3/assert
-      - log
-    packages-with-error-message:
-      - github.com/pkg/errors: 'Please use "errors" package from standard library'
-      - gotest.tools/v3: 'Please keep tests unified using only github.com/stretchr/testify'
-      - log: 'Please keep logging unified using only github.com/sirupsen/logrus'
-
+    rules:
+      main:
+        deny:
+          - pkg: github.com/pkg/errors
+            desc: Please use "errors" package from standard library
+          - pkg: gotest.tools/v3
+            desc: Please keep tests unified using only github.com/stretchr/testify
+          - pkg: log
+            desc: Please keep logging unified using only github.com/sirupsen/logrus
 linters:
  enable:
    - megacheck
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -22,13 +22,13 @@ builds:
 checksum:
  name_template: 'checksums.txt'
 archives:
-  - name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}'
-    replacements:
-      darwin: Darwin
-      linux: Linux
-      windows: Windows
-      386: i386
-      amd64: x86_64
+  - name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
    format_overrides:
      - goos: windows
        format: zip
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -71,6 +71,10 @@ pull_request_rules:
          - and:
              - 'approved-reviews-by=@nektos/act-maintainers'
              - '#approved-reviews-by>=2'
+          - and:
+              - 'author=@nektos/act-maintainers'
+              - 'approved-reviews-by=@nektos/act-maintainers'
+              - '#approved-reviews-by>=1'
      - -draft
      - -merged
      - -closed
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -35,7 +35,7 @@ New issues can be created with in our [GitHub repo](https://github.com/nektos/ac

 ### <a id="pr"></a>Pull Requests

-Pull requests should target the `master` branch. Please also reference the issue from the description of the pull request using [special keyword syntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close.
+Pull requests should target the `master` branch. Please also reference the issue from the description of the pull request using [special keyword syntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close. Please send documentation updates for the [act user guide](https://nektosact.com) to [nektos/act-docs](https://github.com/nektos/act-docs).

 ### <a id="style"></a> Styleguide

--- a/1
+++ b/1
@@ -1,5 +1,6 @@
 MIT License

+Copyright (c) 2022 The Gitea Authors
 Copyright (c) 2019

 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/2
+++ b/2
@@ -106,7 +106,7 @@ endif
 .PHONY: snapshot
 snapshot:
 	goreleaser build \
-		--rm-dist \
+		--clean \
 		--single-target \
 		--snapshot

--- a/README.md
+++ b/README.md
@@ -1,3 +1,28 @@
+## Forking rules
+
+This is a custom fork of [nektos/act](https://github.com/nektos/act/), for the purpose of serving [act_runner](https://gitea.com/gitea/act_runner).
+
+It cannot be used as command line tool anymore, but only as a library.
+
+It's a soft fork, which means that it will tracking the latest release of nektos/act.
+
+Branches:
+
+- `main`: default branch, contains custom changes, based on the latest release(not the latest of the master branch) of nektos/act.
+- `nektos/master`: mirror for the master branch of nektos/act.
+
+Tags:
+
+- `nektos/vX.Y.Z`: mirror for `vX.Y.Z` of [nektos/act](https://github.com/nektos/act/).
+- `vX.YZ.*`: based on `nektos/vX.Y.Z`, contains custom changes.
+  - Examples:
+    - `nektos/v0.2.23` -> `v0.223.*`
+    - `nektos/v0.3.1` -> `v0.301.*`, not ~~`v0.31.*`~~
+    - `nektos/v0.10.1` -> `v0.1001.*`, not ~~`v0.101.*`~~
+    - `nektos/v0.3.100` -> not ~~`v0.3100.*`~~, I don't think it's really going to happen, if it does, we can find a way to handle it.
+
+---
+
 ![act-logo](https://github.com/nektos/act/wiki/img/logo-150.png)

 # Overview [![push](https://github.com/nektos/act/workflows/push/badge.svg?branch=master&event=push)](https://github.com/nektos/act/actions) [![Join the chat at https://gitter.im/nektos/act](https://badges.gitter.im/nektos/act.svg)](https://gitter.im/nektos/act?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) [![Go Report Card](https://goreportcard.com/badge/github.com/nektos/act)](https://goreportcard.com/report/github.com/nektos/act) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners)
@@ -17,6 +42,10 @@ Let's see it in action with a [sample repo](https://github.com/cplee/github-acti

 ![Demo](https://github.com/nektos/act/wiki/quickstart/act-quickstart-2.gif)

+# Act User Guide
+
+Please look at the [act user guide](https://nektosact.com) for more documentation.
+
 # Installation

 ## Necessary prerequisites for running `act`
@@ -192,6 +221,12 @@ If your workflow depends on this token, you need to create a [personal access to
 act -s GITHUB_TOKEN=[insert token or leave blank and omit equals for secure input]
 ```

+If [GitHub CLI](https://cli.github.com/) is installed, the [`gh auth token`](https://cli.github.com/manual/gh_auth_token) command can be used to automatically pass the token to act
+
+```bash
+act -s GITHUB_TOKEN="$(gh auth token)"
+```
+
 **WARNING**: `GITHUB_TOKEN` will be logged in shell history if not inserted through secure input or (depending on your shell config) the command is prefixed with a whitespace.

 # Known Issues
@@ -266,6 +301,15 @@ If you need an environment that works just like the corresponding GitHub runner

 - [`catthehacker/ubuntu:full-*`](https://github.com/catthehacker/docker_images/pkgs/container/ubuntu) - built from Packer template provided by GitHub, see [catthehacker/virtual-environments-fork](https://github.com/catthehacker/virtual-environments-fork) or [catthehacker/docker_images](https://github.com/catthehacker/docker_images) for more information

+## Using local runner images
+
+The `--pull` flag is set to true by default due to a breaking on older default docker images. This would pull the docker image everytime act is executed.
+
+Set `--pull` to false if a local docker image is needed
+```sh
+  act --pull=false
+```
+
 ## Use an alternative runner image

 To use a different image for the runner, use the `-P` option.
@@ -296,6 +340,14 @@ To run `act` with secrets, you can enter them interactively, supply them as envi
 - `act --secret-file my.secrets` - load secrets values from `my.secrets` file.
  - secrets file format is the same as `.env` format

+# Vars
+
+To run `act` with repository variables that are acessible inside the workflow via ${{ vars.VARIABLE }}, you can enter them interactively or load them from a file. The following options are available for providing github repository variables:
+
+- `act --var VARIABLE=somevalue` - use `somevalue` as the value for `VARIABLE`.
+- `act --var-file my.variables` - load variables values from `my.variables` file.
+  - variables file format is the same as `.env` format
+
 # Configuration

 You can provide default configuration flags to `act` by either creating a `./.actrc` or a `~/.actrc` file. Any flags in the files will be applied before any flags provided directly on the command line. For example, a file like below will always use the `nektos/act-environments-ubuntu:18.04` image for the `ubuntu-latest` runner:
@@ -454,7 +506,7 @@ Want to contribute to act? Awesome! Check out the [contributing guidelines](CONT

 ## Manually building from source

- Install Go tools 1.18+ - (<https://golang.org/doc/install>)
+- Install Go tools 1.20+ - (<https://golang.org/doc/install>)
 - Clone this repo `git clone git@github.com:nektos/act.git`
 - Run unit tests with `make test`
 - Build and install: `make install`
--- a/2
+++ b/2
@@ -1 +1 @@
-0.2.45
+0.2.59
--- a/cmd/input.go
+++ b/cmd/input.go
@@ -16,6 +16,7 @@ type Input struct {
 	reuseContainers                    bool
 	bindWorkdir                        bool
 	secrets                            []string
+	vars                               []string
 	envs                               []string
 	inputs                             []string
 	platforms                          []string
@@ -26,6 +27,7 @@ type Input struct {
 	envfile                            string
 	inputfile                          string
 	secretfile                         string
+	varfile                            string
 	insecureSecrets                    bool
 	defaultBranch                      string
 	privileged                         bool
@@ -52,6 +54,11 @@ type Input struct {
 	replaceGheActionWithGithubCom      []string
 	replaceGheActionTokenWithGithubCom string
 	matrix                             []string
+	actionCachePath                    string
+	actionOfflineMode                  bool
+	logPrefixJobID                     bool
+	networkName                        string
+	useNewActionCache                  bool
 }

 func (i *Input) resolve(path string) string {
@@ -78,6 +85,10 @@ func (i *Input) Secretfile() string {
 	return i.resolve(i.secretfile)
 }

+func (i *Input) Varfile() string {
+	return i.resolve(i.varfile)
+}
+
 // Workdir returns path to workdir
 func (i *Input) Workdir() string {
 	return i.resolve(".")
--- a/cmd/platforms.go
+++ b/cmd/platforms.go
@@ -15,7 +15,7 @@ func (i *Input) newPlatforms() map[string]string {
 	for _, p := range i.platforms {
 		pParts := strings.Split(p, "=")
 		if len(pParts) == 2 {
-			platforms[pParts[0]] = pParts[1]
+			platforms[strings.ToLower(pParts[0])] = pParts[1]
 		}
 	}
 	return platforms
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -14,6 +14,7 @@ import (
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/adrg/xdg"
 	"github.com/andreaskoch/go-fswatch"
+	docker_container "github.com/docker/docker/api/types/container"
 	"github.com/joho/godotenv"
 	gitignore "github.com/sabhiram/go-gitignore"
 	log "github.com/sirupsen/logrus"
@@ -49,6 +50,7 @@ func Execute(ctx context.Context, version string) {

 	rootCmd.Flags().StringVar(&input.remoteName, "remote-name", "origin", "git remote name that will be used to retrieve url of git repo")
 	rootCmd.Flags().StringArrayVarP(&input.secrets, "secret", "s", []string{}, "secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)")
+	rootCmd.Flags().StringArrayVar(&input.vars, "var", []string{}, "variable to make available to actions with optional value (e.g. --var myvar=foo or --var myvar)")
 	rootCmd.Flags().StringArrayVarP(&input.envs, "env", "", []string{}, "env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)")
 	rootCmd.Flags().StringArrayVarP(&input.inputs, "input", "", []string{}, "action input to make available to actions (e.g. --input myinput=foo)")
 	rootCmd.Flags().StringArrayVarP(&input.platforms, "platform", "P", []string{}, "custom image to use per platform (e.g. -P ubuntu-18.04=nektos/act-environments-ubuntu:18.04)")
@@ -74,9 +76,11 @@ func Execute(ctx context.Context, version string) {
 	rootCmd.PersistentFlags().StringVarP(&input.workdir, "directory", "C", ".", "working directory")
 	rootCmd.PersistentFlags().BoolP("verbose", "v", false, "verbose output")
 	rootCmd.PersistentFlags().BoolVar(&input.jsonLogger, "json", false, "Output logs in json format")
+	rootCmd.PersistentFlags().BoolVar(&input.logPrefixJobID, "log-prefix-job-id", false, "Output the job id within non-json logs instead of the entire name")
 	rootCmd.PersistentFlags().BoolVarP(&input.noOutput, "quiet", "q", false, "disable logging of output from steps")
 	rootCmd.PersistentFlags().BoolVarP(&input.dryrun, "dryrun", "n", false, "dryrun mode")
 	rootCmd.PersistentFlags().StringVarP(&input.secretfile, "secret-file", "", ".secrets", "file with list of secrets to read from (e.g. --secret-file .secrets)")
+	rootCmd.PersistentFlags().StringVarP(&input.varfile, "var-file", "", ".vars", "file with list of vars to read from (e.g. --var-file .vars)")
 	rootCmd.PersistentFlags().BoolVarP(&input.insecureSecrets, "insecure-secrets", "", false, "NOT RECOMMENDED! Doesn't hide secrets while printing logs.")
 	rootCmd.PersistentFlags().StringVarP(&input.envfile, "env-file", "", ".env", "environment file to read and use as env in the containers")
 	rootCmd.PersistentFlags().StringVarP(&input.inputfile, "input-file", "", ".input", "input file to read and use as action input")
@@ -92,6 +96,10 @@ func Execute(ctx context.Context, version string) {
 	rootCmd.PersistentFlags().StringVarP(&input.cacheServerPath, "cache-server-path", "", filepath.Join(CacheHomeDir, "actcache"), "Defines the path where the cache server stores caches.")
 	rootCmd.PersistentFlags().StringVarP(&input.cacheServerAddr, "cache-server-addr", "", common.GetOutboundIP().String(), "Defines the address to which the cache server binds.")
 	rootCmd.PersistentFlags().Uint16VarP(&input.cacheServerPort, "cache-server-port", "", 0, "Defines the port where the artifact server listens. 0 means a randomly available port.")
+	rootCmd.PersistentFlags().StringVarP(&input.actionCachePath, "action-cache-path", "", filepath.Join(CacheHomeDir, "act"), "Defines the path where the actions get cached and host workspaces created.")
+	rootCmd.PersistentFlags().BoolVarP(&input.actionOfflineMode, "action-offline-mode", "", false, "If action contents exists, it will not be fetch and pull again. If turn on this,will turn off force pull")
+	rootCmd.PersistentFlags().StringVarP(&input.networkName, "network", "", "host", "Sets a docker network name. Defaults to host.")
+	rootCmd.PersistentFlags().BoolVarP(&input.useNewActionCache, "use-new-action-cache", "", false, "Enable using the new Action Cache for storing Actions locally")
 	rootCmd.SetArgs(args())

 	if err := rootCmd.Execute(); err != nil {
@@ -99,30 +107,30 @@ func Execute(ctx context.Context, version string) {
 	}
 }

+// Return locations where Act's config can be found in order: XDG spec, .actrc in HOME directory, .actrc in invocation directory
 func configLocations() []string {
 	configFileName := ".actrc"

-	// reference: https://specifications.freedesktop.org/basedir-spec/latest/ar01s03.html
-	var actrcXdg string
-	for _, fileName := range []string{"act/actrc", configFileName} {
-		if foundConfig, err := xdg.SearchConfigFile(fileName); foundConfig != "" && err == nil {
-			actrcXdg = foundConfig
-			break
-		}
+	homePath := filepath.Join(UserHomeDir, configFileName)
+	invocationPath := filepath.Join(".", configFileName)
+
+	// Though named xdg, adrg's lib support macOS and Windows config paths as well
+	// It also takes cares of creating the parent folder so we don't need to bother later
+	specPath, err := xdg.ConfigFile("act/actrc")
+	if err != nil {
+		specPath = homePath
 	}

-	return []string{
-		filepath.Join(UserHomeDir, configFileName),
-		actrcXdg,
-		filepath.Join(".", configFileName),
-	}
+	// This order should be enforced since the survey part relies on it
+	return []string{specPath, homePath, invocationPath}
 }

 var commonSocketPaths = []string{
 	"/var/run/docker.sock",
-	"/var/run/podman/podman.sock",
+	"/run/podman/podman.sock",
 	"$HOME/.colima/docker.sock",
 	"$XDG_RUNTIME_DIR/docker.sock",
+	"$XDG_RUNTIME_DIR/podman/podman.sock",
 	`\\.\pipe\docker_engine`,
 	"$HOME/.docker/run/docker.sock",
 }
@@ -260,7 +268,8 @@ func readArgsFile(file string, split bool) []string {
 	}()
 	scanner := bufio.NewScanner(f)
 	for scanner.Scan() {
-		arg := strings.TrimSpace(scanner.Text())
+		arg := os.ExpandEnv(strings.TrimSpace(scanner.Text()))
+
 		if strings.HasPrefix(arg, "-") && split {
 			args = append(args, regexp.MustCompile(`\s`).Split(arg, 2)...)
 		} else if !split {
@@ -270,7 +279,7 @@ func readArgsFile(file string, split bool) []string {
 	return args
 }

-func setup(inputs *Input) func(*cobra.Command, []string) {
+func setup(_ *Input) func(*cobra.Command, []string) {
 	return func(cmd *cobra.Command, _ []string) {
 		verbose, _ := cmd.Flags().GetBool("verbose")
 		if verbose {
@@ -286,19 +295,17 @@ func cleanup(inputs *Input) func(*cobra.Command, []string) {
 	}
 }

-func parseEnvs(env []string, envs map[string]string) bool {
-	if env != nil {
-		for _, envVar := range env {
-			e := strings.SplitN(envVar, `=`, 2)
-			if len(e) == 2 {
-				envs[e[0]] = e[1]
-			} else {
-				envs[e[0]] = ""
-			}
+func parseEnvs(env []string) map[string]string {
+	envs := make(map[string]string, len(env))
+	for _, envVar := range env {
+		e := strings.SplitN(envVar, `=`, 2)
+		if len(e) == 2 {
+			envs[e[0]] = e[1]
+		} else {
+			envs[e[0]] = ""
 		}
-		return true
 	}
-	return false
+	return envs
 }

 func readYamlFile(file string) (map[string]string, error) {
@@ -340,12 +347,11 @@ func parseMatrix(matrix []string) map[string]map[string]bool {
 		matrix := r.Split(m, 2)
 		if len(matrix) < 2 {
 			log.Fatalf("Invalid matrix format. Failed to parse %s", m)
-		} else {
-			if _, ok := matrixes[matrix[0]]; !ok {
-				matrixes[matrix[0]] = make(map[string]bool)
-			}
-			matrixes[matrix[0]][matrix[1]] = true
 		}
+		if _, ok := matrixes[matrix[0]]; !ok {
+			matrixes[matrix[0]] = make(map[string]bool)
+		}
+		matrixes[matrix[0]][matrix[1]] = true
 	}
 	return matrixes
 }
@@ -405,19 +411,21 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 		}

 		log.Debugf("Loading environment from %s", input.Envfile())
-		envs := make(map[string]string)
-		_ = parseEnvs(input.envs, envs)
+		envs := parseEnvs(input.envs)
 		_ = readEnvs(input.Envfile(), envs)

 		log.Debugf("Loading action inputs from %s", input.Inputfile())
-		inputs := make(map[string]string)
-		_ = parseEnvs(input.inputs, inputs)
+		inputs := parseEnvs(input.inputs)
 		_ = readEnvs(input.Inputfile(), inputs)

 		log.Debugf("Loading secrets from %s", input.Secretfile())
 		secrets := newSecrets(input.secrets)
 		_ = readEnvs(input.Secretfile(), secrets)

+		log.Debugf("Loading vars from %s", input.Varfile())
+		vars := newSecrets(input.vars)
+		_ = readEnvs(input.Varfile(), vars)
+
 		matrixes := parseMatrix(input.matrix)
 		log.Debugf("Evaluated matrix inclusions: %v", matrixes)

@@ -544,6 +552,7 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 				}
 			}
 			if !cfgFound && len(cfgLocations) > 0 {
+				// The first config location refers to the global config folder one
 				if err := defaultImageSurvey(cfgLocations[0]); err != nil {
 					log.Fatal(err)
 				}
@@ -570,15 +579,19 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			EventName:                          eventName,
 			EventPath:                          input.EventPath(),
 			DefaultBranch:                      defaultbranch,
-			ForcePull:                          input.forcePull,
+			ForcePull:                          !input.actionOfflineMode && input.forcePull,
 			ForceRebuild:                       input.forceRebuild,
 			ReuseContainers:                    input.reuseContainers,
 			Workdir:                            input.Workdir(),
+			ActionCacheDir:                     input.actionCachePath,
+			ActionOfflineMode:                  input.actionOfflineMode,
 			BindWorkdir:                        input.bindWorkdir,
 			LogOutput:                          !input.noOutput,
 			JSONLogger:                         input.jsonLogger,
+			LogPrefixJobID:                     input.logPrefixJobID,
 			Env:                                envs,
 			Secrets:                            secrets,
+			Vars:                               vars,
 			Inputs:                             inputs,
 			Token:                              secrets["GITHUB_TOKEN"],
 			InsecureSecrets:                    input.insecureSecrets,
@@ -601,6 +614,12 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			ReplaceGheActionWithGithubCom:      input.replaceGheActionWithGithubCom,
 			ReplaceGheActionTokenWithGithubCom: input.replaceGheActionTokenWithGithubCom,
 			Matrix:                             matrixes,
+			ContainerNetworkMode:               docker_container.NetworkMode(input.networkName),
+		}
+		if input.useNewActionCache {
+			config.ActionCache = &runner.GoGitActionCache{
+				Path: config.ActionCacheDir,
+			}
 		}
 		r, err := runner.New(config)
 		if err != nil {
@@ -647,7 +666,7 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 func defaultImageSurvey(actrc string) error {
 	var answer string
 	confirmation := &survey.Select{
-		Message: "Please choose the default image you want to use with act:\n\n  - Large size image: +20GB Docker image, includes almost all tools used on GitHub Actions (IMPORTANT: currently only ubuntu-18.04 platform is available)\n  - Medium size image: ~500MB, includes only necessary tools to bootstrap actions and aims to be compatible with all actions\n  - Micro size image: <200MB, contains only NodeJS required to bootstrap actions, doesn't work with all actions\n\nDefault image and other options can be changed manually in ~/.actrc (please refer to https://github.com/nektos/act#configuration for additional information about file structure)",
+		Message: "Please choose the default image you want to use with act:\n  - Large size image: ca. 17GB download + 53.1GB storage, you will need 75GB of free disk space, snapshots of GitHub Hosted Runners without snap and pulled docker images\n  - Medium size image: ~500MB, includes only necessary tools to bootstrap actions and aims to be compatible with most actions\n  - Micro size image: <200MB, contains only NodeJS required to bootstrap actions, doesn't work with all actions\n\nDefault image and other options can be changed manually in ~/.actrc (please refer to https://github.com/nektos/act#configuration for additional information about file structure)",
 		Help:    "If you want to know why act asks you that, please go to https://github.com/nektos/act/issues/107",
 		Default: "Medium",
 		Options: []string{"Large", "Medium", "Micro"},
@@ -661,7 +680,7 @@ func defaultImageSurvey(actrc string) error {
 	var option string
 	switch answer {
 	case "Large":
-		option = "-P ubuntu-latest=catthehacker/ubuntu:full-latest\n-P ubuntu-latest=catthehacker/ubuntu:full-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:full-18.04\n"
+		option = "-P ubuntu-latest=catthehacker/ubuntu:full-latest\n-P ubuntu-22.04=catthehacker/ubuntu:full-22.04\n-P ubuntu-20.04=catthehacker/ubuntu:full-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:full-18.04\n"
 	case "Medium":
 		option = "-P ubuntu-latest=catthehacker/ubuntu:act-latest\n-P ubuntu-22.04=catthehacker/ubuntu:act-22.04\n-P ubuntu-20.04=catthehacker/ubuntu:act-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:act-18.04\n"
 	case "Micro":
--- a/go.mod
+++ b/go.mod
@@ -1,85 +1,94 @@
 module github.com/nektos/act

-go 1.18
+go 1.20

 require (
-	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/Masterminds/semver v1.5.0
+	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/adrg/xdg v0.4.0
 	github.com/andreaskoch/go-fswatch v1.0.0
-	github.com/creack/pty v1.1.18
-	github.com/docker/cli v23.0.4+incompatible
-	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.4+incompatible
+	github.com/creack/pty v1.1.21
+	github.com/docker/cli v24.0.7+incompatible
+	github.com/docker/distribution v2.8.3+incompatible
+	github.com/docker/docker v24.0.7+incompatible // 24.0 branch
 	github.com/docker/go-connections v0.4.0
-	github.com/go-git/go-billy/v5 v5.4.1
-	github.com/go-git/go-git/v5 v5.6.2-0.20230411180853-ce62f3e9ff86
-	github.com/imdario/mergo v0.3.15
+	github.com/go-git/go-billy/v5 v5.5.0
+	github.com/go-git/go-git/v5 v5.11.0
+	github.com/imdario/mergo v0.3.16
 	github.com/joho/godotenv v1.5.1
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/mattn/go-isatty v0.0.18
-	github.com/moby/buildkit v0.11.6
-	github.com/moby/patternmatcher v0.5.0
-	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
+	github.com/mattn/go-isatty v0.0.20
+	github.com/moby/buildkit v0.12.5
+	github.com/moby/patternmatcher v0.6.0
+	github.com/opencontainers/image-spec v1.1.0-rc3
 	github.com/opencontainers/selinux v1.11.0
 	github.com/pkg/errors v0.9.1
-	github.com/rhysd/actionlint v1.6.24
+	github.com/rhysd/actionlint v1.6.26
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
-	github.com/sirupsen/logrus v1.9.0
-	github.com/spf13/cobra v1.7.0
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a
-	go.etcd.io/bbolt v1.3.7
-	golang.org/x/term v0.7.0
+	go.etcd.io/bbolt v1.3.8
+	golang.org/x/term v0.16.0
 	gopkg.in/yaml.v3 v3.0.1
-	gotest.tools/v3 v3.4.0
+	gotest.tools/v3 v3.5.1
 )

 require (
-	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
-	github.com/cloudflare/circl v1.1.0 // indirect
-	github.com/containerd/containerd v1.6.20 // indirect
+	github.com/Masterminds/semver v1.5.0
+	github.com/gobwas/glob v0.2.3
+)
+
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/containerd v1.7.2 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/distribution/reference v0.5.0 // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.15.0 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.15.12 // indirect
+	github.com/klauspost/compress v1.17.2 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/mapstructure v1.1.2 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/runc v1.1.5 // indirect
+	github.com/opencontainers/runc v1.1.12 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/robfig/cron v1.2.0 // indirect
+	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/skeema/knownhosts v1.1.0 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
-	golang.org/x/sys v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,99 +1,88 @@
-github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
-github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
+dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
+dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
+github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
+github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/hcsshim v0.9.8 h1:lf7xxK2+Ikbj9sVf2QZsouGjRjEp2STj1yDHgoVtU5k=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/hcsshim v0.10.0-rc.8 h1:YSZVvlIIDD1UxQpJp0h+dnpLUw+TrY0cx8obKsp3bek=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA=
-github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
-github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
-github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
+github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
 github.com/adrg/xdg v0.4.0 h1:RzRqFcjH4nE5C6oTAxhBtoE2IRyjBSa62SCbyPidvls=
 github.com/adrg/xdg v0.4.0/go.mod h1:N6ag73EX4wyxeaoeHctc1mas01KZgsj5tYiAIwqJE/E=
 github.com/andreaskoch/go-fswatch v1.0.0 h1:la8nP/HiaFCxP2IM6NZNUCoxgLWuyNFgH0RligBbnJU=
 github.com/andreaskoch/go-fswatch v1.0.0/go.mod h1:r5/iV+4jfwoY2sYqBkg8vpF04ehOvEl4qPptVGdxmqo=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
-github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
-github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
-github.com/cloudflare/circl v1.1.0 h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.20 h1:+itjwpdqXpzHB/QAiWc/BZCjjVfcNgw69w/oIeF4Oy0=
-github.com/containerd/containerd v1.6.20/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw=
-github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
-github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
+github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
+github.com/containerd/containerd v1.7.2 h1:UF2gdONnxO8I6byZXDi5sXWiWvlW3D/sci7dTQimEJo=
+github.com/containerd/containerd v1.7.2/go.mod h1:afcz74+K10M/+cjGHIVQrCt3RAQhUSCAjJ9iMYhhkuI=
+github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
+github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v23.0.4+incompatible h1:xClB7PsiATttDHj8ce5qvJcikiApNy7teRR1XkoBZGs=
-github.com/docker/cli v23.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek=
-github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg=
+github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
+github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
-github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
-github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E=
-github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0=
-github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4=
-github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.6.2-0.20230411180853-ce62f3e9ff86 h1:vbnwVQwGOr4xwrtcZ1lrhWHPMIgWkhNv+2+smiA2HHk=
-github.com/go-git/go-git/v5 v5.6.2-0.20230411180853-ce62f3e9ff86/go.mod h1:Q3/DKr39xeJ3oEAVC8Q1+BlJK3OMsOQsksNb3s+9M1A=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
+github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
-github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
-github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
-github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
+github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
@@ -104,52 +93,43 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM=
-github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/compress v1.17.2 h1:RlWWUY/Dr4fL8qk9YG7DTZ7PDgME2V4csBXA8L/ixi4=
+github.com/klauspost/compress v1.17.2/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
-github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWVwUuU=
-github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
+github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mmcloughlin/avo v0.5.0/go.mod h1:ChHFdoV7ql95Wi7vuq2YT1bwCJqiWdZrQ1im3VujLYM=
-github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
-github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
-github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
-github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/moby/buildkit v0.12.5 h1:RNHH1l3HDhYyZafr5EgstEu8aGNCwyfvMtrQDtjH9T0=
+github.com/moby/buildkit v0.12.5/go.mod h1:YGwjA2loqyiYfZeEo8FtI7z4x5XponAaIWsWcSjWwso=
+github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
+github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd h1:aY7OQNf2XqY/JQ6qREWamhI/81os/agb2BAGpcx5yWI=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
-github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
-github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs=
-github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
-github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8=
+github.com/opencontainers/image-spec v1.1.0-rc3/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
+github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
@@ -159,31 +139,27 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rhysd/actionlint v1.6.24 h1:5f61cF5ssP2pzG0jws5bEsfZBNhbBcO9nl7vTzVKjzs=
-github.com/rhysd/actionlint v1.6.24/go.mod h1:gQmz9r2wlcpLy+VdbzK0GINJQnAK5/sNH3BpwW4Mt5I=
+github.com/rhysd/actionlint v1.6.26 h1:zi7jPZf3Ks14gCXYAAL47uBziyFlX7+Xwilqhexct9g=
+github.com/rhysd/actionlint v1.6.26/go.mod h1:TIj1DlCgtYLOv5CH9wCK+WJTOr1qAdnFzkGi0IgSCO4=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
-github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
-github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0=
-github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
+github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -199,18 +175,15 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a h1:oIi7H/bwFUYKYhzKbHc+3MvHRWqhQwXVB4LweLMiVy0=
 github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a/go.mod h1:iSvujNDmpZ6eQX+bg/0X3lF7LEmZ8N77g2a/J/+Zt2U=
-github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
@@ -219,111 +192,99 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
-golang.org/x/arch v0.1.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
+go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA=
+go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -331,11 +292,9 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
--- a/pkg/artifactcache/handler.go
+++ b/pkg/artifactcache/handler.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync/atomic"
@@ -27,7 +28,7 @@ const (
 )

 type Handler struct {
-	db       *bolthold.Store
+	dir      string
 	storage  *Storage
 	router   *httprouter.Router
 	listener net.Listener
@@ -62,19 +63,7 @@ func StartHandler(dir, outboundIP string, port uint16, logger logrus.FieldLogger
 		return nil, err
 	}

-	db, err := bolthold.Open(filepath.Join(dir, "bolt.db"), 0o644, &bolthold.Options{
-		Encoder: json.Marshal,
-		Decoder: json.Unmarshal,
-		Options: &bbolt.Options{
-			Timeout:      5 * time.Second,
-			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
-			FreelistType: bbolt.DefaultOptions.FreelistType,
-		},
-	})
-	if err != nil {
-		return nil, err
-	}
-	h.db = db
+	h.dir = dir

 	storage, err := NewStorage(filepath.Join(dir, "cache"))
 	if err != nil {
@@ -150,16 +139,21 @@ func (h *Handler) Close() error {
 		}
 		h.listener = nil
 	}
-	if h.db != nil {
-		err := h.db.Close()
-		if err != nil {
-			retErr = err
-		}
-		h.db = nil
-	}
 	return retErr
 }

+func (h *Handler) openDB() (*bolthold.Store, error) {
+	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
+		Encoder: json.Marshal,
+		Decoder: json.Unmarshal,
+		Options: &bbolt.Options{
+			Timeout:      5 * time.Second,
+			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
+			FreelistType: bbolt.DefaultOptions.FreelistType,
+		},
+	})
+}
+
 // GET /_apis/artifactcache/cache
 func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	keys := strings.Split(r.URL.Query().Get("keys"), ",")
@@ -169,7 +163,14 @@ func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 	}
 	version := r.URL.Query().Get("version")

-	cache, err := h.findCache(keys, version)
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache, err := h.findCache(db, keys, version)
 	if err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
@@ -183,7 +184,7 @@ func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Para
 		h.responseJSON(w, r, 500, err)
 		return
 	} else if !ok {
-		_ = h.db.Delete(cache.ID, cache)
+		_ = db.Delete(cache.ID, cache)
 		h.responseJSON(w, r, 204)
 		return
 	}
@@ -206,7 +207,13 @@ func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.P

 	cache := api.ToCache()
 	cache.FillKeyVersionHash()
-	if err := h.db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
 		if !errors.Is(err, bolthold.ErrNotFound) {
 			h.responseJSON(w, r, 500, err)
 			return
@@ -219,12 +226,12 @@ func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.P
 	now := time.Now().Unix()
 	cache.CreatedAt = now
 	cache.UsedAt = now
-	if err := h.db.Insert(bolthold.NextSequence(), cache); err != nil {
+	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
 	}
 	// write back id to db
-	if err := h.db.Update(cache.ID, cache); err != nil {
+	if err := db.Update(cache.ID, cache); err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
 	}
@@ -242,7 +249,13 @@ func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprout
 	}

 	cache := &Cache{}
-	if err := h.db.Get(id, cache); err != nil {
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
 		if errors.Is(err, bolthold.ErrNotFound) {
 			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
 			return
@@ -255,6 +268,7 @@ func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprout
 		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
 		return
 	}
+	db.Close()
 	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
 	if err != nil {
 		h.responseJSON(w, r, 400, err)
@@ -276,7 +290,13 @@ func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprout
 	}

 	cache := &Cache{}
-	if err := h.db.Get(id, cache); err != nil {
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
 		if errors.Is(err, bolthold.ErrNotFound) {
 			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
 			return
@@ -290,13 +310,25 @@ func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprout
 		return
 	}

-	if err := h.storage.Commit(cache.ID, cache.Size); err != nil {
+	db.Close()
+
+	size, err := h.storage.Commit(cache.ID, cache.Size)
+	if err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
 	}
+	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
+	cache.Size = size
+
+	db, err = h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()

 	cache.Complete = true
-	if err := h.db.Update(cache.ID, cache); err != nil {
+	if err := db.Update(cache.ID, cache); err != nil {
 		h.responseJSON(w, r, 500, err)
 		return
 	}
@@ -332,7 +364,7 @@ func (h *Handler) middleware(handler httprouter.Handle) httprouter.Handle {
 }

 // if not found, return (nil, nil) instead of an error.
-func (h *Handler) findCache(keys []string, version string) (*Cache, error) {
+func (h *Handler) findCache(db *bolthold.Store, keys []string, version string) (*Cache, error) {
 	if len(keys) == 0 {
 		return nil, nil
 	}
@@ -344,7 +376,7 @@ func (h *Handler) findCache(keys []string, version string) (*Cache, error) {
 	}
 	cache.FillKeyVersionHash()

-	if err := h.db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
+	if err := db.FindOne(cache, bolthold.Where("KeyVersionHash").Eq(cache.KeyVersionHash)); err != nil {
 		if !errors.Is(err, bolthold.ErrNotFound) {
 			return nil, err
 		}
@@ -355,7 +387,12 @@ func (h *Handler) findCache(keys []string, version string) (*Cache, error) {

 	for _, prefix := range keys[1:] {
 		found := false
-		if err := h.db.ForEach(bolthold.Where("Key").Ge(prefix).And("Version").Eq(version).SortBy("Key"), func(v *Cache) error {
+		prefixPattern := fmt.Sprintf("^%s", regexp.QuoteMeta(prefix))
+		re, err := regexp.Compile(prefixPattern)
+		if err != nil {
+			continue
+		}
+		if err := db.ForEach(bolthold.Where("Key").RegExp(re).And("Version").Eq(version).SortBy("CreatedAt").Reverse(), func(v *Cache) error {
 			if !strings.HasPrefix(v.Key, prefix) {
 				return stop
 			}
@@ -378,12 +415,17 @@ func (h *Handler) findCache(keys []string, version string) (*Cache, error) {
 }

 func (h *Handler) useCache(id int64) {
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
 	cache := &Cache{}
-	if err := h.db.Get(id, cache); err != nil {
+	if err := db.Get(id, cache); err != nil {
 		return
 	}
 	cache.UsedAt = time.Now().Unix()
-	_ = h.db.Update(cache.ID, cache)
+	_ = db.Update(cache.ID, cache)
 }

 func (h *Handler) gcCache() {
@@ -408,8 +450,14 @@ func (h *Handler) gcCache() {
 		keepTemp   = 5 * time.Minute
 	)

+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+
 	var caches []*Cache
-	if err := h.db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix())); err != nil {
+	if err := db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix())); err != nil {
 		h.logger.Warnf("find caches: %v", err)
 	} else {
 		for _, cache := range caches {
@@ -417,7 +465,7 @@ func (h *Handler) gcCache() {
 				continue
 			}
 			h.storage.Remove(cache.ID)
-			if err := h.db.Delete(cache.ID, cache); err != nil {
+			if err := db.Delete(cache.ID, cache); err != nil {
 				h.logger.Warnf("delete cache: %v", err)
 				continue
 			}
@@ -426,12 +474,12 @@ func (h *Handler) gcCache() {
 	}

 	caches = caches[:0]
-	if err := h.db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix())); err != nil {
+	if err := db.Find(&caches, bolthold.Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix())); err != nil {
 		h.logger.Warnf("find caches: %v", err)
 	} else {
 		for _, cache := range caches {
 			h.storage.Remove(cache.ID)
-			if err := h.db.Delete(cache.ID, cache); err != nil {
+			if err := db.Delete(cache.ID, cache); err != nil {
 				h.logger.Warnf("delete cache: %v", err)
 				continue
 			}
@@ -440,12 +488,12 @@ func (h *Handler) gcCache() {
 	}

 	caches = caches[:0]
-	if err := h.db.Find(&caches, bolthold.Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix())); err != nil {
+	if err := db.Find(&caches, bolthold.Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix())); err != nil {
 		h.logger.Warnf("find caches: %v", err)
 	} else {
 		for _, cache := range caches {
 			h.storage.Remove(cache.ID)
-			if err := h.db.Delete(cache.ID, cache); err != nil {
+			if err := db.Delete(cache.ID, cache); err != nil {
 				h.logger.Warnf("delete cache: %v", err)
 				continue
 			}
--- a/pkg/artifactcache/handler_test.go
+++ b/pkg/artifactcache/handler_test.go
@@ -25,7 +25,10 @@ func TestHandler(t *testing.T) {

 	defer func() {
 		t.Run("inpect db", func(t *testing.T) {
-			require.NoError(t, handler.db.Bolt().View(func(tx *bbolt.Tx) error {
+			db, err := handler.openDB()
+			require.NoError(t, err)
+			defer db.Close()
+			require.NoError(t, db.Bolt().View(func(tx *bbolt.Tx) error {
 				return tx.Bucket([]byte("Cache")).ForEach(func(k, v []byte) error {
 					t.Logf("%s: %s", k, v)
 					return nil
@@ -36,7 +39,6 @@ func TestHandler(t *testing.T) {
 			require.NoError(t, handler.Close())
 			assert.Nil(t, handler.server)
 			assert.Nil(t, handler.listener)
-			assert.Nil(t, handler.db)
 			_, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 1), "", nil)
 			assert.Error(t, err)
 		})
--- a/pkg/artifactcache/model.go
+++ b/pkg/artifactcache/model.go
@@ -15,11 +15,17 @@ func (c *Request) ToCache() *Cache {
 	if c == nil {
 		return nil
 	}
-	return &Cache{
+	ret := &Cache{
 		Key:     c.Key,
 		Version: c.Version,
 		Size:    c.Size,
 	}
+	if c.Size == 0 {
+		// So the request comes from old versions of actions, like `actions/cache@v2`.
+		// It doesn't send cache size. Set it to -1 to indicate that.
+		ret.Size = -1
+	}
+	return ret
 }

 type Cache struct {
--- a/pkg/artifactcache/storage.go
+++ b/pkg/artifactcache/storage.go
@@ -46,7 +46,7 @@ func (s *Storage) Write(id uint64, offset int64, reader io.Reader) error {
 	return err
 }

-func (s *Storage) Commit(id uint64, size int64) error {
+func (s *Storage) Commit(id uint64, size int64) (int64, error) {
 	defer func() {
 		_ = os.RemoveAll(s.tempDir(id))
 	}()
@@ -54,15 +54,15 @@ func (s *Storage) Commit(id uint64, size int64) error {
 	name := s.filename(id)
 	tempNames, err := s.tempNames(id)
 	if err != nil {
-		return err
+		return 0, err
 	}

 	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
-		return err
+		return 0, err
 	}
 	file, err := os.Create(name)
 	if err != nil {
-		return err
+		return 0, err
 	}
 	defer file.Close()

@@ -70,22 +70,26 @@ func (s *Storage) Commit(id uint64, size int64) error {
 	for _, v := range tempNames {
 		f, err := os.Open(v)
 		if err != nil {
-			return err
+			return 0, err
 		}
 		n, err := io.Copy(file, f)
 		_ = f.Close()
 		if err != nil {
-			return err
+			return 0, err
 		}
 		written += n
 	}

-	if written != size {
+	// If size is less than 0, it means the size is unknown.
+	// We can't check the size of the file, just skip the check.
+	// It happens when the request comes from old versions of actions, like `actions/cache@v2`.
+	if size >= 0 && written != size {
 		_ = file.Close()
 		_ = os.Remove(name)
-		return fmt.Errorf("broken file: %v != %v", written, size)
+		return 0, fmt.Errorf("broken file: %v != %v", written, size)
 	}
-	return nil
+
+	return written, nil
 }

 func (s *Storage) Serve(w http.ResponseWriter, r *http.Request, id uint64) {
--- a/pkg/artifacts/server.go
+++ b/pkg/artifacts/server.go
@@ -79,7 +79,7 @@ func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {
 		return nil, err
 	}

-	_, err = file.Seek(0, os.SEEK_END)
+	_, err = file.Seek(0, io.SeekEnd)
 	if err != nil {
 		return nil, err
 	}
@@ -223,9 +223,13 @@ func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {

 				// if it was upload as gzip
 				rel = strings.TrimSuffix(rel, gzipExtension)
+				path := filepath.Join(itemPath, rel)
+
+				rel = filepath.ToSlash(rel)
+				path = filepath.ToSlash(path)

 				files = append(files, ContainerItem{
-					Path:            filepath.Join(itemPath, rel),
+					Path:            path,
 					ItemType:        "file",
 					ContentLocation: fmt.Sprintf("http://%s/artifact/%s/%s/%s", req.Host, container, itemPath, rel),
 				})
--- a/pkg/artifacts/server_test.go
+++ b/pkg/artifacts/server_test.go
@@ -14,10 +14,11 @@ import (
 	"testing/fstest"

 	"github.com/julienschmidt/httprouter"
-	"github.com/nektos/act/pkg/model"
-	"github.com/nektos/act/pkg/runner"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/nektos/act/pkg/model"
+	"github.com/nektos/act/pkg/runner"
 )

 type writableMapFile struct {
@@ -238,9 +239,11 @@ type TestJobFileInfo struct {
 	containerArchitecture string
 }

-var artifactsPath = path.Join(os.TempDir(), "test-artifacts")
-var artifactsAddr = "127.0.0.1"
-var artifactsPort = "12345"
+var (
+	artifactsPath = path.Join(os.TempDir(), "test-artifacts")
+	artifactsAddr = "127.0.0.1"
+	artifactsPort = "12345"
+)

 func TestArtifactFlow(t *testing.T) {
 	if testing.Short() {
@@ -253,7 +256,7 @@ func TestArtifactFlow(t *testing.T) {
 	defer cancel()

 	platforms := map[string]string{
-		"ubuntu-latest": "node:16-buster-slim",
+		"ubuntu-latest": "node:16-buster", // Don't use node:16-buster-slim because it doesn't have curl command, which is used in the tests
 	}

 	tables := []TestJobFileInfo{
--- a/pkg/artifacts/testdata/GHSL-2023-004/artifacts.yml
+++ b/pkg/artifacts/testdata/GHSL-2023-004/artifacts.yml
@@ -8,9 +8,7 @@ jobs:
    steps:
      - run: echo "hello world" > test.txt
      - name: curl upload
-        uses: wei/curl@v1
-        with:
-          args: -s --fail ${ACTIONS_RUNTIME_URL}upload/1?itemPath=../../my-artifact/secret.txt --upload-file test.txt
+        run: curl --silent --show-error --fail ${ACTIONS_RUNTIME_URL}upload/1?itemPath=../../my-artifact/secret.txt --upload-file test.txt
      - uses: actions/download-artifact@v2
        with:
          name: my-artifact
@@ -27,9 +25,7 @@ jobs:
            exit 1
          fi
      - name: Verify download should work by clean extra dots
-        uses: wei/curl@v1
-        with:
-          args: --path-as-is -s -o out.txt --fail ${ACTIONS_RUNTIME_URL}artifact/1/../../../1/my-artifact/secret.txt
+        run: curl --silent --show-error --fail --path-as-is -o out.txt ${ACTIONS_RUNTIME_URL}artifact/1/../../../1/my-artifact/secret.txt
      - name: 'Verify download content'
        run: |
          file="out.txt"
--- a/pkg/common/executor.go
+++ b/pkg/common/executor.go
@@ -3,6 +3,8 @@ package common
 import (
 	"context"
 	"fmt"
+
+	log "github.com/sirupsen/logrus"
 )

 // Warning that implements `error` but safe to ignore
@@ -94,6 +96,11 @@ func NewParallelExecutor(parallel int, executors ...Executor) Executor {
 		work := make(chan Executor, len(executors))
 		errs := make(chan error, len(executors))

+		if 1 > parallel {
+			log.Infof("Parallel tasks (%d) below minimum, setting to 1", parallel)
+			parallel = 1
+		}
+
 		for i := 0; i < parallel; i++ {
 			go func(work <-chan Executor, errs chan<- error) {
 				for executor := range work {
--- a/pkg/common/executor_test.go
+++ b/pkg/common/executor_test.go
@@ -100,6 +100,17 @@ func TestNewParallelExecutor(t *testing.T) {
 	assert.Equal(3, count, "should run all 3 executors")
 	assert.Equal(2, maxCount, "should run at most 2 executors in parallel")
 	assert.Nil(err)
+
+	// Reset to test running the executor with 0 parallelism
+	count = 0
+	activeCount = 0
+	maxCount = 0
+
+	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(3, count, "should run all 3 executors")
+	assert.Equal(1, maxCount, "should run at most 1 executors in parallel")
+	assert.Nil(errSingle)
 }

 func TestNewParallelExecutorFailed(t *testing.T) {
--- a/pkg/common/git/git.go
+++ b/pkg/common/git/git.go
@@ -174,7 +174,7 @@ func FindGithubRepo(ctx context.Context, file, githubInstance, remoteName string
 	return slug, err
 }

-func findGitRemoteURL(ctx context.Context, file, remoteName string) (string, error) {
+func findGitRemoteURL(_ context.Context, file, remoteName string) (string, error) {
 	repo, err := git.PlainOpenWithOptions(
 		file,
 		&git.PlainOpenOptions{
@@ -221,10 +221,11 @@ func findGitSlug(url string, githubInstance string) (string, string, error) {

 // NewGitCloneExecutorInput the input for the NewGitCloneExecutor
 type NewGitCloneExecutorInput struct {
-	URL   string
-	Ref   string
-	Dir   string
-	Token string
+	URL         string
+	Ref         string
+	Dir         string
+	Token       string
+	OfflineMode bool
 }

 // CloneIfRequired ...
@@ -302,12 +303,16 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 			return err
 		}

+		isOfflineMode := input.OfflineMode
+
 		// fetch latest changes
 		fetchOptions, pullOptions := gitOptions(input.Token)

-		err = r.Fetch(&fetchOptions)
-		if err != nil && !errors.Is(err, git.NoErrAlreadyUpToDate) {
-			return err
+		if !isOfflineMode {
+			err = r.Fetch(&fetchOptions)
+			if err != nil && !errors.Is(err, git.NoErrAlreadyUpToDate) {
+				return err
+			}
 		}

 		var hash *plumbing.Hash
@@ -367,9 +372,10 @@ func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 				return err
 			}
 		}
-
-		if err = w.Pull(&pullOptions); err != nil && err != git.NoErrAlreadyUpToDate {
-			logger.Debugf("Unable to pull %s: %v", refName, err)
+		if !isOfflineMode {
+			if err = w.Pull(&pullOptions); err != nil && err != git.NoErrAlreadyUpToDate {
+				logger.Debugf("Unable to pull %s: %v", refName, err)
+			}
 		}
 		logger.Debugf("Cloned %s to %s", input.URL, input.Dir)

--- a/pkg/common/logger.go
+++ b/pkg/common/logger.go
@@ -25,3 +25,24 @@ func Logger(ctx context.Context) logrus.FieldLogger {
 func WithLogger(ctx context.Context, logger logrus.FieldLogger) context.Context {
 	return context.WithValue(ctx, loggerContextKeyVal, logger)
 }
+
+type loggerHookKey string
+
+const loggerHookKeyVal = loggerHookKey("logrus.Hook")
+
+// LoggerHook returns the appropriate logger hook for current context
+// the hook affects job logger, not global logger
+func LoggerHook(ctx context.Context) logrus.Hook {
+	val := ctx.Value(loggerHookKeyVal)
+	if val != nil {
+		if hook, ok := val.(logrus.Hook); ok {
+			return hook
+		}
+	}
+	return nil
+}
+
+// WithLoggerHook adds a value to the context for the logger hook
+func WithLoggerHook(ctx context.Context, hook logrus.Hook) context.Context {
+	return context.WithValue(ctx, loggerHookKeyVal, hook)
+}
--- a/pkg/container/container_types.go
+++ b/pkg/container/container_types.go
@@ -4,28 +4,37 @@ import (
 	"context"
 	"io"

+	"github.com/docker/go-connections/nat"
 	"github.com/nektos/act/pkg/common"
 )

 // NewContainerInput the input for the New function
 type NewContainerInput struct {
-	Image       string
-	Username    string
-	Password    string
-	Entrypoint  []string
-	Cmd         []string
-	WorkingDir  string
-	Env         []string
-	Binds       []string
-	Mounts      map[string]string
-	Name        string
-	Stdout      io.Writer
-	Stderr      io.Writer
-	NetworkMode string
-	Privileged  bool
-	UsernsMode  string
-	Platform    string
-	Options     string
+	Image          string
+	Username       string
+	Password       string
+	Entrypoint     []string
+	Cmd            []string
+	WorkingDir     string
+	Env            []string
+	Binds          []string
+	Mounts         map[string]string
+	Name           string
+	Stdout         io.Writer
+	Stderr         io.Writer
+	NetworkMode    string
+	Privileged     bool
+	UsernsMode     string
+	Platform       string
+	Options        string
+	NetworkAliases []string
+	ExposedPorts   nat.PortSet
+	PortBindings   nat.PortMap
+
+	// Gitea specific
+	AutoRemove bool
+
+	ValidVolumes []string
 }

 // FileEntry is a file to copy to a container
@@ -38,7 +47,9 @@ type FileEntry struct {
 // Container for managing docker run containers
 type Container interface {
 	Create(capAdd []string, capDrop []string) common.Executor
+	ConnectToNetwork(name string) common.Executor
 	Copy(destPath string, files ...*FileEntry) common.Executor
+	CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error
 	CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor
 	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
 	Pull(forcePull bool) common.Executor
@@ -53,11 +64,11 @@ type Container interface {

 // NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
 type NewDockerBuildExecutorInput struct {
-	ContextDir string
-	Dockerfile string
-	Container  Container
-	ImageTag   string
-	Platform   string
+	ContextDir   string
+	Dockerfile   string
+	BuildContext io.Reader
+	ImageTag     string
+	Platform     string
 }

 // NewDockerPullExecutorInput the input for the NewDockerPullExecutor function
--- a/pkg/container/docker_auth.go
+++ b/pkg/container/docker_auth.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

@@ -8,16 +8,16 @@ import (

 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/credentials"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
 	"github.com/nektos/act/pkg/common"
 )

-func LoadDockerAuthConfig(ctx context.Context, image string) (types.AuthConfig, error) {
+func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
 	logger := common.Logger(ctx)
 	config, err := config.Load(config.Dir())
 	if err != nil {
 		logger.Warnf("Could not load docker config: %v", err)
-		return types.AuthConfig{}, err
+		return registry.AuthConfig{}, err
 	}

 	if !config.ContainsAuth() {
@@ -33,13 +33,13 @@ func LoadDockerAuthConfig(ctx context.Context, image string) (types.AuthConfig,
 	authConfig, err := config.GetAuthConfig(hostName)
 	if err != nil {
 		logger.Warnf("Could not get auth config from docker config: %v", err)
-		return types.AuthConfig{}, err
+		return registry.AuthConfig{}, err
 	}

-	return types.AuthConfig(authConfig), nil
+	return registry.AuthConfig(authConfig), nil
 }

-func LoadDockerAuthConfigs(ctx context.Context) map[string]types.AuthConfig {
+func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
 	logger := common.Logger(ctx)
 	config, err := config.Load(config.Dir())
 	if err != nil {
@@ -52,9 +52,9 @@ func LoadDockerAuthConfigs(ctx context.Context) map[string]types.AuthConfig {
 	}

 	creds, _ := config.GetAllCredentials()
-	authConfigs := make(map[string]types.AuthConfig, len(creds))
+	authConfigs := make(map[string]registry.AuthConfig, len(creds))
 	for k, v := range creds {
-		authConfigs[k] = types.AuthConfig(v)
+		authConfigs[k] = registry.AuthConfig(v)
 	}

 	return authConfigs
--- a/pkg/container/docker_build.go
+++ b/pkg/container/docker_build.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

@@ -48,8 +48,8 @@ func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
 			Dockerfile:  input.Dockerfile,
 		}
 		var buildContext io.ReadCloser
-		if input.Container != nil {
-			buildContext, err = input.Container.GetContainerArchive(ctx, input.ContextDir+"/.")
+		if input.BuildContext != nil {
+			buildContext = io.NopCloser(input.BuildContext)
 		} else {
 			buildContext, err = createBuildContext(ctx, input.ContextDir, input.Dockerfile)
 		}
--- a/pkg/container/docker_cli.go
+++ b/pkg/container/docker_cli.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 // This file is exact copy of https://github.com/docker/cli/blob/9ac8584acfd501c3f4da0e845e3a40ed15c85041/cli/command/container/opts.go
 // appended with license information.
--- a/pkg/container/docker_images.go
+++ b/pkg/container/docker_images.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

--- a/pkg/container/docker_logger.go
+++ b/pkg/container/docker_logger.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

--- a/pkg/container/docker_network.go
+++ b/pkg/container/docker_network.go
@@ -0,0 +1,79 @@
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	"github.com/nektos/act/pkg/common"
+)
+
+func NewDockerNetworkCreateExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Only create the network if it doesn't exist
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		common.Logger(ctx).Debugf("%v", networks)
+		for _, network := range networks {
+			if network.Name == name {
+				common.Logger(ctx).Debugf("Network %v exists", name)
+				return nil
+			}
+		}
+
+		_, err = cli.NetworkCreate(ctx, name, types.NetworkCreate{
+			Driver: "bridge",
+			Scope:  "local",
+		})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Make shure that all network of the specified name are removed
+		// cli.NetworkRemove refuses to remove a network if there are duplicates
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		common.Logger(ctx).Debugf("%v", networks)
+		for _, network := range networks {
+			if network.Name == name {
+				result, err := cli.NetworkInspect(ctx, network.ID, types.NetworkInspectOptions{})
+				if err != nil {
+					return err
+				}
+
+				if len(result.Containers) == 0 {
+					if err = cli.NetworkRemove(ctx, network.ID); err != nil {
+						common.Logger(ctx).Debugf("%v", err)
+					}
+				} else {
+					common.Logger(ctx).Debugf("Refusing to remove network %v because it still has active endpoints", name)
+				}
+			}
+		}
+
+		return err
+	}
+}
--- a/pkg/container/docker_pull.go
+++ b/pkg/container/docker_pull.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

@@ -7,9 +7,11 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"strings"

 	"github.com/docker/distribution/reference"
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"

 	"github.com/nektos/act/pkg/common"
 )
@@ -59,6 +61,13 @@ func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {

 		_ = logDockerResponse(logger, reader, err != nil)
 		if err != nil {
+			if imagePullOptions.RegistryAuth != "" && strings.Contains(err.Error(), "unauthorized") {
+				logger.Errorf("pulling image '%v' (%s) failed with credentials %s retrying without them, please check for stale docker config files", imageRef, input.Platform, err.Error())
+				imagePullOptions.RegistryAuth = ""
+				reader, err = cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+				_ = logDockerResponse(logger, reader, err != nil)
+			}
 			return err
 		}
 		return nil
@@ -69,12 +78,12 @@ func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput)
 	imagePullOptions := types.ImagePullOptions{
 		Platform: input.Platform,
 	}
+	logger := common.Logger(ctx)

 	if input.Username != "" && input.Password != "" {
-		logger := common.Logger(ctx)
 		logger.Debugf("using authentication for docker pull")

-		authConfig := types.AuthConfig{
+		authConfig := registry.AuthConfig{
 			Username: input.Username,
 			Password: input.Password,
 		}
@@ -93,6 +102,7 @@ func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput)
 		if authConfig.Username == "" && authConfig.Password == "" {
 			return imagePullOptions, nil
 		}
+		logger.Info("using DockerAuthConfig authentication for docker pull")

 		encodedJSON, err := json.Marshal(authConfig)
 		if err != nil {
--- a/pkg/container/docker_run.go
+++ b/pkg/container/docker_run.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

@@ -16,27 +16,29 @@ import (
 	"strconv"
 	"strings"

-	"github.com/go-git/go-billy/v5/helper/polyfill"
-	"github.com/go-git/go-billy/v5/osfs"
-	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
-	"github.com/joho/godotenv"
-
-	"github.com/imdario/mergo"
-	"github.com/kballard/go-shellquote"
-	"github.com/spf13/pflag"
-
+	"github.com/Masterminds/semver"
+	"github.com/docker/cli/cli/compose/loader"
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	networktypes "github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/go-git/go-billy/v5/helper/polyfill"
+	"github.com/go-git/go-billy/v5/osfs"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/gobwas/glob"
+	"github.com/imdario/mergo"
+	"github.com/joho/godotenv"
+	"github.com/kballard/go-shellquote"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
-
-	"github.com/Masterminds/semver"
+	"github.com/spf13/pflag"
 	"golang.org/x/term"

 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/filecollector"
 )

 // NewContainer creates a reference to a container
@@ -46,6 +48,25 @@ func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
 	return cr
 }

+func (cr *containerReference) ConnectToNetwork(name string) common.Executor {
+	return common.
+		NewDebugExecutor("%sdocker network connect %s %s", logPrefix, name, cr.input.Name).
+		Then(
+			common.NewPipelineExecutor(
+				cr.connect(),
+				cr.connectToNetwork(name, cr.input.NetworkAliases),
+			).IfNot(common.Dryrun),
+		)
+}
+
+func (cr *containerReference) connectToNetwork(name string, aliases []string) common.Executor {
+	return func(ctx context.Context) error {
+		return cr.cli.NetworkConnect(ctx, name, cr.input.Name, &networktypes.EndpointSettings{
+			Aliases: aliases,
+		})
+	}
+}
+
 // supportsContainerImagePlatform returns true if the underlying Docker server
 // API version is 1.41 and beyond
 func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) bool {
@@ -66,7 +87,7 @@ func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) b

 func (cr *containerReference) Create(capAdd []string, capDrop []string) common.Executor {
 	return common.
-		NewInfoExecutor("%sdocker create image=%s platform=%s entrypoint=%+q cmd=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd).
+		NewInfoExecutor("%sdocker create image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
 		Then(
 			common.NewPipelineExecutor(
 				cr.connect(),
@@ -78,7 +99,7 @@ func (cr *containerReference) Create(capAdd []string, capDrop []string) common.E

 func (cr *containerReference) Start(attach bool) common.Executor {
 	return common.
-		NewInfoExecutor("%sdocker run image=%s platform=%s entrypoint=%+q cmd=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd).
+		NewInfoExecutor("%sdocker run image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
 		Then(
 			common.NewPipelineExecutor(
 				cr.connect(),
@@ -240,8 +261,10 @@ func RunnerArch(ctx context.Context) string {

 	archMapper := map[string]string{
 		"x86_64":  "X64",
-		"386":     "x86",
-		"aarch64": "arm64",
+		"amd64":   "X64",
+		"386":     "X86",
+		"aarch64": "ARM64",
+		"arm64":   "ARM64",
 	}
 	if arch, ok := archMapper[info.Architecture]; ok {
 		return arch
@@ -345,20 +368,30 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 		return nil, nil, fmt.Errorf("Cannot parse container options: '%s': '%w'", input.Options, err)
 	}

-	if len(copts.netMode.Value()) == 0 {
-		if err = copts.netMode.Set("host"); err != nil {
-			return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
-		}
+	// If a service container's network is set to `host`, the container will not be able to
+	// connect to the specified network created for the job container and the service containers.
+	// So comment out the following code.
+
+	// if len(copts.netMode.Value()) == 0 {
+	// 	if err = copts.netMode.Set(cr.input.NetworkMode); err != nil {
+	// 		return nil, nil, fmt.Errorf("Cannot parse networkmode=%s. This is an internal error and should not happen: '%w'", cr.input.NetworkMode, err)
+	// 	}
+	// }
+
+	// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
+	// even if the user specifies `--privileged` in the options string.
+	if !hostConfig.Privileged {
+		copts.privileged = false
 	}

-	containerConfig, err := parse(flags, copts, "")
+	containerConfig, err := parse(flags, copts, runtime.GOOS)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)
 	}

 	logger.Debugf("Custom container.Config from options ==> %+v", containerConfig.Config)

-	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride)
+	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride, mergo.WithAppendSlice)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot merge container.Config options: '%s': '%w'", input.Options, err)
 	}
@@ -370,12 +403,17 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 	hostConfig.Mounts = append(hostConfig.Mounts, containerConfig.HostConfig.Mounts...)
 	binds := hostConfig.Binds
 	mounts := hostConfig.Mounts
+	networkMode := hostConfig.NetworkMode
 	err = mergo.Merge(hostConfig, containerConfig.HostConfig, mergo.WithOverride)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
 	}
 	hostConfig.Binds = binds
 	hostConfig.Mounts = mounts
+	if len(copts.netMode.Value()) > 0 {
+		logger.Warn("--network and --net in the options will be ignored.")
+	}
+	hostConfig.NetworkMode = networkMode
 	logger.Debugf("Merged container.HostConfig ==> %+v", hostConfig)

 	return config, hostConfig, nil
@@ -391,10 +429,11 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 		input := cr.input

 		config := &container.Config{
-			Image:      input.Image,
-			WorkingDir: input.WorkingDir,
-			Env:        input.Env,
-			Tty:        isTerminal,
+			Image:        input.Image,
+			WorkingDir:   input.WorkingDir,
+			Env:          input.Env,
+			ExposedPorts: input.ExposedPorts,
+			Tty:          isTerminal,
 		}
 		logger.Debugf("Common container.Config ==> %+v", config)

@@ -430,13 +469,15 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 		}

 		hostConfig := &container.HostConfig{
-			CapAdd:      capAdd,
-			CapDrop:     capDrop,
-			Binds:       input.Binds,
-			Mounts:      mounts,
-			NetworkMode: container.NetworkMode(input.NetworkMode),
-			Privileged:  input.Privileged,
-			UsernsMode:  container.UsernsMode(input.UsernsMode),
+			CapAdd:       capAdd,
+			CapDrop:      capDrop,
+			Binds:        input.Binds,
+			Mounts:       mounts,
+			NetworkMode:  container.NetworkMode(input.NetworkMode),
+			Privileged:   input.Privileged,
+			UsernsMode:   container.UsernsMode(input.UsernsMode),
+			PortBindings: input.PortBindings,
+			AutoRemove:   input.AutoRemove,
 		}
 		logger.Debugf("Common container.HostConfig ==> %+v", hostConfig)

@@ -445,7 +486,27 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 			return err
 		}

-		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, nil, platSpecs, input.Name)
+		// For Gitea
+		config, hostConfig = cr.sanitizeConfig(ctx, config, hostConfig)
+
+		// For Gitea
+		// network-scoped alias is supported only for containers in user defined networks
+		var networkingConfig *network.NetworkingConfig
+		logger.Debugf("input.NetworkAliases ==> %v", input.NetworkAliases)
+		n := hostConfig.NetworkMode
+		// IsUserDefined and IsHost are broken on windows
+		if n.IsUserDefined() && n != "host" && len(input.NetworkAliases) > 0 {
+			endpointConfig := &network.EndpointSettings{
+				Aliases: input.NetworkAliases,
+			}
+			networkingConfig = &network.NetworkingConfig{
+				EndpointsConfig: map[string]*network.EndpointSettings{
+					input.NetworkMode: endpointConfig,
+				},
+			}
+		}
+
+		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, networkingConfig, platSpecs, input.Name)
 		if err != nil {
 			return fmt.Errorf("failed to create container: '%w'", err)
 		}
@@ -466,11 +527,17 @@ func (cr *containerReference) extractFromImageEnv(env *map[string]string) common
 		inspect, _, err := cr.cli.ImageInspectWithRaw(ctx, cr.input.Image)
 		if err != nil {
 			logger.Error(err)
+			return fmt.Errorf("inspect image: %w", err)
+		}
+
+		if inspect.Config == nil {
+			return nil
 		}

 		imageEnv, err := godotenv.Unmarshal(strings.Join(inspect.Config.Env, "\n"))
 		if err != nil {
 			logger.Error(err)
+			return fmt.Errorf("unmarshal image env: %w", err)
 		}

 		for k, v := range imageEnv {
@@ -604,7 +671,7 @@ func (cr *containerReference) tryReadGID() common.Executor {
 	return cr.tryReadID("-g", func(id int) { cr.GID = id })
 }

-func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, idResp types.IDResponse, user string, workdir string) error {
+func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, _ types.IDResponse, _ string, _ string) error {
 	logger := common.Logger(ctx)

 	cmdResponse := make(chan error)
@@ -649,6 +716,32 @@ func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal boo
 	}
 }

+func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
+	// Mkdir
+	buf := &bytes.Buffer{}
+	tw := tar.NewWriter(buf)
+	_ = tw.WriteHeader(&tar.Header{
+		Name:     destPath,
+		Mode:     777,
+		Typeflag: tar.TypeDir,
+	})
+	tw.Close()
+	err := cr.cli.CopyToContainer(ctx, cr.id, "/", buf, types.CopyToContainerOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to mkdir to copy content to container: %w", err)
+	}
+	// Copy Content
+	err = cr.cli.CopyToContainer(ctx, cr.id, destPath, tarStream, types.CopyToContainerOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to copy content to container: %w", err)
+	}
+	// If this fails, then folders have wrong permissions on non root container
+	if cr.UID != 0 || cr.GID != 0 {
+		_ = cr.Exec([]string{"chown", "-R", fmt.Sprintf("%d:%d", cr.UID, cr.GID), destPath}, nil, "0", "")(ctx)
+	}
+	return nil
+}
+
 func (cr *containerReference) copyDir(dstPath string, srcPath string, useGitIgnore bool) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
@@ -686,12 +779,12 @@ func (cr *containerReference) copyDir(dstPath string, srcPath string, useGitIgno
 			ignorer = gitignore.NewMatcher(ps)
 		}

-		fc := &fileCollector{
-			Fs:        &defaultFs{},
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
 			Ignorer:   ignorer,
 			SrcPath:   srcPath,
 			SrcPrefix: srcPrefix,
-			Handler: &tarCollector{
+			Handler: &filecollector.TarCollector{
 				TarWriter: tw,
 				UID:       cr.UID,
 				GID:       cr.GID,
@@ -699,7 +792,7 @@ func (cr *containerReference) copyDir(dstPath string, srcPath string, useGitIgno
 			},
 		}

-		err = filepath.Walk(srcPath, fc.collectFiles(ctx, []string{}))
+		err = filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
 		if err != nil {
 			return err
 		}
@@ -826,3 +919,63 @@ func (cr *containerReference) wait() common.Executor {
 		return fmt.Errorf("exit with `FAILURE`: %v", statusCode)
 	}
 }
+
+// For Gitea
+// sanitizeConfig remove the invalid configurations from `config` and `hostConfig`
+func (cr *containerReference) sanitizeConfig(ctx context.Context, config *container.Config, hostConfig *container.HostConfig) (*container.Config, *container.HostConfig) {
+	logger := common.Logger(ctx)
+
+	if len(cr.input.ValidVolumes) > 0 {
+		globs := make([]glob.Glob, 0, len(cr.input.ValidVolumes))
+		for _, v := range cr.input.ValidVolumes {
+			if g, err := glob.Compile(v); err != nil {
+				logger.Errorf("create glob from %s error: %v", v, err)
+			} else {
+				globs = append(globs, g)
+			}
+		}
+		isValid := func(v string) bool {
+			for _, g := range globs {
+				if g.Match(v) {
+					return true
+				}
+			}
+			return false
+		}
+		// sanitize binds
+		sanitizedBinds := make([]string, 0, len(hostConfig.Binds))
+		for _, bind := range hostConfig.Binds {
+			parsed, err := loader.ParseVolume(bind)
+			if err != nil {
+				logger.Warnf("parse volume [%s] error: %v", bind, err)
+				continue
+			}
+			if parsed.Source == "" {
+				// anonymous volume
+				sanitizedBinds = append(sanitizedBinds, bind)
+				continue
+			}
+			if isValid(parsed.Source) {
+				sanitizedBinds = append(sanitizedBinds, bind)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", parsed.Source)
+			}
+		}
+		hostConfig.Binds = sanitizedBinds
+		// sanitize mounts
+		sanitizedMounts := make([]mount.Mount, 0, len(hostConfig.Mounts))
+		for _, mt := range hostConfig.Mounts {
+			if isValid(mt.Source) {
+				sanitizedMounts = append(sanitizedMounts, mt)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", mt.Source)
+			}
+		}
+		hostConfig.Mounts = sanitizedMounts
+	} else {
+		hostConfig.Binds = []string{}
+		hostConfig.Mounts = []mount.Mount{}
+	}
+
+	return config, hostConfig
+}
--- a/pkg/container/docker_run_test.go
+++ b/pkg/container/docker_run_test.go
@@ -9,8 +9,12 @@ import (
 	"testing"
 	"time"

+	"github.com/nektos/act/pkg/common"
+
 	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
+	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -19,6 +23,7 @@ func TestDocker(t *testing.T) {
 	ctx := context.Background()
 	client, err := GetDockerClient(ctx)
 	assert.NoError(t, err)
+	defer client.Close()

 	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
 		ContextDir: "testdata",
@@ -78,7 +83,7 @@ type endlessReader struct {
 	io.Reader
 }

-func (r endlessReader) Read(p []byte) (n int, err error) {
+func (r endlessReader) Read(_ []byte) (n int, err error) {
 	return 1, nil
 }

@@ -166,3 +171,76 @@ func TestDockerExecFailure(t *testing.T) {

 // Type assert containerReference implements ExecutionsEnvironment
 var _ ExecutionsEnvironment = &containerReference{}
+
+func TestCheckVolumes(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		validVolumes  []string
+		binds         []string
+		expectedBinds []string
+	}{
+		{
+			desc:         "match all volumes",
+			validVolumes: []string{"**"},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+		},
+		{
+			desc:         "no volumes can be matched",
+			validVolumes: []string{},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{},
+		},
+		{
+			desc: "only allowed volumes can be matched",
+			validVolumes: []string{
+				"shared_volume",
+				"/home/test/data",
+				"/etc/conf.d/*.json",
+			},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+			logger, _ := test.NewNullLogger()
+			ctx := common.WithLogger(context.Background(), logger)
+			cr := &containerReference{
+				input: &NewContainerInput{
+					ValidVolumes: tc.validVolumes,
+				},
+			}
+			_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{Binds: tc.binds})
+			assert.Equal(t, tc.expectedBinds, hostConf.Binds)
+		})
+	}
+}
--- a/pkg/container/docker_stub.go
+++ b/pkg/container/docker_stub.go
@@ -1,4 +1,4 @@
-//go:build WITHOUT_DOCKER || !(linux || darwin || windows)
+//go:build WITHOUT_DOCKER || !(linux || darwin || windows || netbsd)

 package container

@@ -55,3 +55,15 @@ func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
 		return nil
 	}
 }
+
+func NewDockerNetworkCreateExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
--- a/pkg/container/docker_volume.go
+++ b/pkg/container/docker_volume.go
@@ -1,4 +1,4 @@
-//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows))
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))

 package container

@@ -6,10 +6,11 @@ import (
 	"context"

 	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/volume"
 	"github.com/nektos/act/pkg/common"
 )

-func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
+func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executor {
 	return func(ctx context.Context) error {
 		cli, err := GetDockerClient(ctx)
 		if err != nil {
@@ -17,14 +18,14 @@ func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
 		}
 		defer cli.Close()

-		list, err := cli.VolumeList(ctx, filters.NewArgs())
+		list, err := cli.VolumeList(ctx, volume.ListOptions{Filters: filters.NewArgs()})
 		if err != nil {
 			return err
 		}

 		for _, vol := range list.Volumes {
-			if vol.Name == volume {
-				return removeExecutor(volume, force)(ctx)
+			if vol.Name == volumeName {
+				return removeExecutor(volumeName, force)(ctx)
 			}
 		}

--- a/pkg/container/host_environment.go
+++ b/pkg/container/host_environment.go
@@ -21,6 +21,7 @@ import (
 	"golang.org/x/term"

 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/filecollector"
 	"github.com/nektos/act/pkg/lookpath"
 )

@@ -34,7 +35,13 @@ type HostEnvironment struct {
 	StdOut    io.Writer
 }

-func (e *HostEnvironment) Create(capAdd []string, capDrop []string) common.Executor {
+func (e *HostEnvironment) Create(_ []string, _ []string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) ConnectToNetwork(name string) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -60,6 +67,33 @@ func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Exec
 	}
 }

+func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
+	if err := os.RemoveAll(destPath); err != nil {
+		return err
+	}
+	tr := tar.NewReader(tarStream)
+	cp := &filecollector.CopyCollector{
+		DstDir: destPath,
+	}
+	for {
+		ti, err := tr.Next()
+		if errors.Is(err, io.EOF) {
+			return nil
+		} else if err != nil {
+			return err
+		}
+		if ti.FileInfo().IsDir() {
+			continue
+		}
+		if ctx.Err() != nil {
+			return fmt.Errorf("CopyTarStream has been cancelled")
+		}
+		if err := cp.WriteFile(ti.Name, ti.FileInfo(), ti.Linkname, tr); err != nil {
+			return err
+		}
+	}
+}
+
 func (e *HostEnvironment) CopyDir(destPath string, srcPath string, useGitIgnore bool) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
@@ -77,16 +111,16 @@ func (e *HostEnvironment) CopyDir(destPath string, srcPath string, useGitIgnore

 			ignorer = gitignore.NewMatcher(ps)
 		}
-		fc := &fileCollector{
-			Fs:        &defaultFs{},
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
 			Ignorer:   ignorer,
 			SrcPath:   srcPath,
 			SrcPrefix: srcPrefix,
-			Handler: &copyCollector{
+			Handler: &filecollector.CopyCollector{
 				DstDir: destPath,
 			},
 		}
-		return filepath.Walk(srcPath, fc.collectFiles(ctx, []string{}))
+		return filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
 	}
 }

@@ -99,21 +133,21 @@ func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath strin
 	if err != nil {
 		return nil, err
 	}
-	tc := &tarCollector{
+	tc := &filecollector.TarCollector{
 		TarWriter: tw,
 	}
 	if fi.IsDir() {
-		srcPrefix := filepath.Dir(srcPath)
+		srcPrefix := srcPath
 		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
 			srcPrefix += string(filepath.Separator)
 		}
-		fc := &fileCollector{
-			Fs:        &defaultFs{},
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
 			SrcPath:   srcPath,
 			SrcPrefix: srcPrefix,
 			Handler:   tc,
 		}
-		err = filepath.Walk(srcPath, fc.collectFiles(ctx, []string{}))
+		err = filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
 		if err != nil {
 			return nil, err
 		}
@@ -140,13 +174,13 @@ func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath strin
 	return io.NopCloser(buf), nil
 }

-func (e *HostEnvironment) Pull(forcePull bool) common.Executor {
+func (e *HostEnvironment) Pull(_ bool) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
 }

-func (e *HostEnvironment) Start(attach bool) common.Executor {
+func (e *HostEnvironment) Start(_ bool) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -240,7 +274,7 @@ func copyPtyOutput(writer io.Writer, ppty io.Reader, finishLog context.CancelFun
 	}
 }

-func (e *HostEnvironment) UpdateFromImageEnv(env *map[string]string) common.Executor {
+func (e *HostEnvironment) UpdateFromImageEnv(_ *map[string]string) common.Executor {
 	return func(ctx context.Context) error {
 		return nil
 	}
@@ -254,7 +288,7 @@ func getEnvListFromMap(env map[string]string) []string {
 	return envList
 }

-func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, user, workdir string) error {
+func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, _, workdir string) error {
 	envList := getEnvListFromMap(env)
 	var wd string
 	if workdir != "" {
@@ -326,8 +360,12 @@ func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline st
 }

 func (e *HostEnvironment) Exec(command []string /*cmdline string, */, env map[string]string, user, workdir string) common.Executor {
+	return e.ExecWithCmdLine(command, "", env, user, workdir)
+}
+
+func (e *HostEnvironment) ExecWithCmdLine(command []string, cmdline string, env map[string]string, user, workdir string) common.Executor {
 	return func(ctx context.Context) error {
-		if err := e.exec(ctx, command, "" /*cmdline*/, env, user, workdir); err != nil {
+		if err := e.exec(ctx, command, cmdline, env, user, workdir); err != nil {
 			select {
 			case <-ctx.Done():
 				return fmt.Errorf("this step has been cancelled: %w", err)
@@ -362,7 +400,11 @@ func (e *HostEnvironment) ToContainerPath(path string) string {
 }

 func (e *HostEnvironment) GetActPath() string {
-	return e.ActPath
+	actPath := e.ActPath
+	if runtime.GOOS == "windows" {
+		actPath = strings.ReplaceAll(actPath, "\\", "/")
+	}
+	return actPath
 }

 func (*HostEnvironment) GetPathVariableName() string {
@@ -383,11 +425,13 @@ func (*HostEnvironment) JoinPathVariable(paths ...string) string {
 	return strings.Join(paths, string(filepath.ListSeparator))
 }

+// Reference for Arch values for runner.arch
+// https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
 func goArchToActionArch(arch string) string {
 	archMapper := map[string]string{
 		"x86_64":  "X64",
-		"386":     "x86",
-		"aarch64": "arm64",
+		"386":     "X86",
+		"aarch64": "ARM64",
 	}
 	if arch, ok := archMapper[arch]; ok {
 		return arch
@@ -405,7 +449,7 @@ func goOsToActionOs(os string) string {
 	return os
 }

-func (e *HostEnvironment) GetRunnerContext(ctx context.Context) map[string]interface{} {
+func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]interface{} {
 	return map[string]interface{}{
 		"os":         goOsToActionOs(runtime.GOOS),
 		"arch":       goArchToActionArch(runtime.GOARCH),
@@ -414,7 +458,7 @@ func (e *HostEnvironment) GetRunnerContext(ctx context.Context) map[string]inter
 	}
 }

-func (e *HostEnvironment) ReplaceLogWriter(stdout io.Writer, stderr io.Writer) (io.Writer, io.Writer) {
+func (e *HostEnvironment) ReplaceLogWriter(stdout io.Writer, _ io.Writer) (io.Writer, io.Writer) {
 	org := e.StdOut
 	e.StdOut = stdout
 	return org, org
--- a/pkg/container/host_environment_test.go
+++ b/pkg/container/host_environment_test.go
@@ -1,4 +1,71 @@
 package container

+import (
+	"archive/tar"
+	"context"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
 // Type assert HostEnvironment implements ExecutionsEnvironment
 var _ ExecutionsEnvironment = &HostEnvironment{}
+
+func TestCopyDir(t *testing.T) {
+	dir, err := os.MkdirTemp("", "test-host-env-*")
+	assert.NoError(t, err)
+	defer os.RemoveAll(dir)
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0700)
+	_ = os.MkdirAll(e.TmpDir, 0700)
+	_ = os.MkdirAll(e.ToolCache, 0700)
+	_ = os.MkdirAll(e.ActPath, 0700)
+	err = e.CopyDir(e.Workdir, e.Path, true)(ctx)
+	assert.NoError(t, err)
+}
+
+func TestGetContainerArchive(t *testing.T) {
+	dir, err := os.MkdirTemp("", "test-host-env-*")
+	assert.NoError(t, err)
+	defer os.RemoveAll(dir)
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0700)
+	_ = os.MkdirAll(e.TmpDir, 0700)
+	_ = os.MkdirAll(e.ToolCache, 0700)
+	_ = os.MkdirAll(e.ActPath, 0700)
+	expectedContent := []byte("sdde/7sh")
+	err = os.WriteFile(filepath.Join(e.Path, "action.yml"), expectedContent, 0600)
+	assert.NoError(t, err)
+	archive, err := e.GetContainerArchive(ctx, e.Path)
+	assert.NoError(t, err)
+	defer archive.Close()
+	reader := tar.NewReader(archive)
+	h, err := reader.Next()
+	assert.NoError(t, err)
+	assert.Equal(t, "action.yml", h.Name)
+	content, err := io.ReadAll(reader)
+	assert.NoError(t, err)
+	assert.Equal(t, expectedContent, content)
+	_, err = reader.Next()
+	assert.ErrorIs(t, err, io.EOF)
+}
--- a/pkg/container/testdata/scratch/test.txt
+++ b/pkg/container/testdata/scratch/test.txt
@@ -0,0 +1 @@
+testfile
--- a/pkg/container/util.go
+++ b/pkg/container/util.go
@@ -9,7 +9,7 @@ import (
 	"github.com/creack/pty"
 )

-func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+func getSysProcAttr(_ string, tty bool) *syscall.SysProcAttr {
 	if tty {
 		return &syscall.SysProcAttr{
 			Setsid:  true,
--- a/pkg/exprparser/functions_test.go
+++ b/pkg/exprparser/functions_test.go
@@ -230,6 +230,7 @@ func TestFunctionFormat(t *testing.T) {
 		{"format('{0', '{1}', 'World')", nil, "Unclosed brackets. The following format string is invalid: '{0'", "format-invalid-format-string"},
 		{"format('{2}', '{1}', 'World')", "", "The following format string references more arguments than were supplied: '{2}'", "format-invalid-replacement-reference"},
 		{"format('{2147483648}')", "", "The following format string is invalid: '{2147483648}'", "format-invalid-replacement-reference"},
+		{"format('{0} {1} {2} {3}', 1.0, 1.1, 1234567890.0, 12345678901234567890.0)", "1 1.1 1234567890 1.23456789012346E+19", nil, "format-floats"},
 	}

 	env := &EvaluationEnvironment{
--- a/pkg/exprparser/interpreter.go
+++ b/pkg/exprparser/interpreter.go
@@ -12,17 +12,19 @@ import (
 )

 type EvaluationEnvironment struct {
-	Github   *model.GithubContext
-	Env      map[string]string
-	Job      *model.JobContext
-	Jobs     *map[string]*model.WorkflowCallResult
-	Steps    map[string]*model.StepResult
-	Runner   map[string]interface{}
-	Secrets  map[string]string
-	Strategy map[string]interface{}
-	Matrix   map[string]interface{}
-	Needs    map[string]Needs
-	Inputs   map[string]interface{}
+	Github    *model.GithubContext
+	Env       map[string]string
+	Job       *model.JobContext
+	Jobs      *map[string]*model.WorkflowCallResult
+	Steps     map[string]*model.StepResult
+	Runner    map[string]interface{}
+	Secrets   map[string]string
+	Vars      map[string]string
+	Strategy  map[string]interface{}
+	Matrix    map[string]interface{}
+	Needs     map[string]Needs
+	Inputs    map[string]interface{}
+	HashFiles func([]reflect.Value) (interface{}, error)
 }

 type Needs struct {
@@ -148,10 +150,13 @@ func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (interfa
 	}
 }

+//nolint:gocyclo
 func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (interface{}, error) {
 	switch strings.ToLower(variableNode.Name) {
 	case "github":
 		return impl.env.Github, nil
+	case "gitea": // compatible with Gitea
+		return impl.env.Github, nil
 	case "env":
 		return impl.env.Env, nil
 	case "job":
@@ -167,6 +172,8 @@ func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableN
 		return impl.env.Runner, nil
 	case "secrets":
 		return impl.env.Secrets, nil
+	case "vars":
+		return impl.env.Vars, nil
 	case "strategy":
 		return impl.env.Strategy, nil
 	case "matrix":
@@ -442,7 +449,7 @@ func (impl *interperterImpl) coerceToString(value reflect.Value) reflect.Value {
 		} else if math.IsInf(value.Float(), -1) {
 			return reflect.ValueOf("-Infinity")
 		}
-		return reflect.ValueOf(fmt.Sprint(value))
+		return reflect.ValueOf(fmt.Sprintf("%.15G", value.Float()))

 	case reflect.Slice:
 		return reflect.ValueOf("Array")
@@ -550,6 +557,10 @@ func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.Logi

 	leftValue := reflect.ValueOf(left)

+	if IsTruthy(left) == (compareNode.Kind == actionlint.LogicalOpNodeKindOr) {
+		return impl.getSafeValue(leftValue), nil
+	}
+
 	right, err := impl.evaluateNode(compareNode.Right)
 	if err != nil {
 		return nil, err
@@ -559,17 +570,8 @@ func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.Logi

 	switch compareNode.Kind {
 	case actionlint.LogicalOpNodeKindAnd:
-		if IsTruthy(left) {
-			return impl.getSafeValue(rightValue), nil
-		}
-
-		return impl.getSafeValue(leftValue), nil
-
+		return impl.getSafeValue(rightValue), nil
 	case actionlint.LogicalOpNodeKindOr:
-		if IsTruthy(left) {
-			return impl.getSafeValue(leftValue), nil
-		}
-
 		return impl.getSafeValue(rightValue), nil
 	}

@@ -608,6 +610,9 @@ func (impl *interperterImpl) evaluateFuncCall(funcCallNode *actionlint.FuncCallN
 	case "fromjson":
 		return impl.fromJSON(args[0])
 	case "hashfiles":
+		if impl.env.HashFiles != nil {
+			return impl.env.HashFiles(args)
+		}
 		return impl.hashFiles(args...)
 	case "always":
 		return impl.always()
--- a/pkg/exprparser/interpreter_test.go
+++ b/pkg/exprparser/interpreter_test.go
@@ -557,6 +557,7 @@ func TestContexts(t *testing.T) {
 		// {"contains(steps.*.outputs.name, 'value')", true, "steps-context-array-outputs"},
 		{"runner.os", "Linux", "runner-context"},
 		{"secrets.name", "value", "secrets-context"},
+		{"vars.name", "value", "vars-context"},
 		{"strategy.fail-fast", true, "strategy-context"},
 		{"matrix.os", "Linux", "matrix-context"},
 		{"needs.job-id.outputs.output-name", "value", "needs-context"},
@@ -593,6 +594,9 @@ func TestContexts(t *testing.T) {
 		Secrets: map[string]string{
 			"name": "value",
 		},
+		Vars: map[string]string{
+			"name": "value",
+		},
 		Strategy: map[string]interface{}{
 			"fail-fast": true,
 		},
--- a/pkg/filecollector/file_collector.go
+++ b/pkg/filecollector/file_collector.go
@@ -1,4 +1,4 @@
-package container
+package filecollector

 import (
 	"archive/tar"
@@ -17,18 +17,18 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/format/index"
 )

-type fileCollectorHandler interface {
+type Handler interface {
 	WriteFile(path string, fi fs.FileInfo, linkName string, f io.Reader) error
 }

-type tarCollector struct {
+type TarCollector struct {
 	TarWriter *tar.Writer
 	UID       int
 	GID       int
 	DstDir    string
 }

-func (tc tarCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+func (tc TarCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
 	// create a new dir/file header
 	header, err := tar.FileInfoHeader(fi, linkName)
 	if err != nil {
@@ -59,11 +59,11 @@ func (tc tarCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string,
 	return nil
 }

-type copyCollector struct {
+type CopyCollector struct {
 	DstDir string
 }

-func (cc *copyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+func (cc *CopyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
 	fdestpath := filepath.Join(cc.DstDir, fpath)
 	if err := os.MkdirAll(filepath.Dir(fdestpath), 0o777); err != nil {
 		return err
@@ -82,29 +82,29 @@ func (cc *copyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string
 	return nil
 }

-type fileCollector struct {
+type FileCollector struct {
 	Ignorer   gitignore.Matcher
 	SrcPath   string
 	SrcPrefix string
-	Fs        fileCollectorFs
-	Handler   fileCollectorHandler
+	Fs        Fs
+	Handler   Handler
 }

-type fileCollectorFs interface {
+type Fs interface {
 	Walk(root string, fn filepath.WalkFunc) error
 	OpenGitIndex(path string) (*index.Index, error)
 	Open(path string) (io.ReadCloser, error)
 	Readlink(path string) (string, error)
 }

-type defaultFs struct {
+type DefaultFs struct {
 }

-func (*defaultFs) Walk(root string, fn filepath.WalkFunc) error {
+func (*DefaultFs) Walk(root string, fn filepath.WalkFunc) error {
 	return filepath.Walk(root, fn)
 }

-func (*defaultFs) OpenGitIndex(path string) (*index.Index, error) {
+func (*DefaultFs) OpenGitIndex(path string) (*index.Index, error) {
 	r, err := git.PlainOpen(path)
 	if err != nil {
 		return nil, err
@@ -116,16 +116,16 @@ func (*defaultFs) OpenGitIndex(path string) (*index.Index, error) {
 	return i, nil
 }

-func (*defaultFs) Open(path string) (io.ReadCloser, error) {
+func (*DefaultFs) Open(path string) (io.ReadCloser, error) {
 	return os.Open(path)
 }

-func (*defaultFs) Readlink(path string) (string, error) {
+func (*DefaultFs) Readlink(path string) (string, error) {
 	return os.Readlink(path)
 }

 //nolint:gocyclo
-func (fc *fileCollector) collectFiles(ctx context.Context, submodulePath []string) filepath.WalkFunc {
+func (fc *FileCollector) CollectFiles(ctx context.Context, submodulePath []string) filepath.WalkFunc {
 	i, _ := fc.Fs.OpenGitIndex(path.Join(fc.SrcPath, path.Join(submodulePath...)))
 	return func(file string, fi os.FileInfo, err error) error {
 		if err != nil {
@@ -166,7 +166,7 @@ func (fc *fileCollector) collectFiles(ctx context.Context, submodulePath []strin
 			}
 		}
 		if err == nil && entry.Mode == filemode.Submodule {
-			err = fc.Fs.Walk(file, fc.collectFiles(ctx, split))
+			err = fc.Fs.Walk(file, fc.CollectFiles(ctx, split))
 			if err != nil {
 				return err
 			}
--- a/pkg/filecollector/file_collector_test.go
+++ b/pkg/filecollector/file_collector_test.go
@@ -1,4 +1,4 @@
-package container
+package filecollector

 import (
 	"archive/tar"
@@ -95,16 +95,16 @@ func TestIgnoredTrackedfile(t *testing.T) {
 	tw := tar.NewWriter(tmpTar)
 	ps, _ := gitignore.ReadPatterns(worktree, []string{})
 	ignorer := gitignore.NewMatcher(ps)
-	fc := &fileCollector{
+	fc := &FileCollector{
 		Fs:        &memoryFs{Filesystem: fs},
 		Ignorer:   ignorer,
 		SrcPath:   "mygitrepo",
 		SrcPrefix: "mygitrepo" + string(filepath.Separator),
-		Handler: &tarCollector{
+		Handler: &TarCollector{
 			TarWriter: tw,
 		},
 	}
-	err := fc.Fs.Walk("mygitrepo", fc.collectFiles(context.Background(), []string{}))
+	err := fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
 	assert.NoError(t, err, "successfully collect files")
 	tw.Close()
 	_, _ = tmpTar.Seek(0, io.SeekStart)
@@ -115,3 +115,58 @@ func TestIgnoredTrackedfile(t *testing.T) {
 	_, err = tr.Next()
 	assert.ErrorIs(t, err, io.EOF, "tar must only contain one element")
 }
+
+func TestSymlinks(t *testing.T) {
+	fs := memfs.New()
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
+	dotgit, _ := fs.Chroot("mygitrepo/.git")
+	worktree, _ := fs.Chroot("mygitrepo")
+	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
+	// This file shouldn't be in the tar
+	f, err := worktree.Create(".env")
+	assert.NoError(t, err)
+	_, err = f.Write([]byte("test=val1\n"))
+	assert.NoError(t, err)
+	f.Close()
+	err = worktree.Symlink(".env", "test.env")
+	assert.NoError(t, err)
+
+	w, err := repo.Worktree()
+	assert.NoError(t, err)
+
+	// .gitignore is in the tar after adding it to the index
+	_, err = w.Add(".env")
+	assert.NoError(t, err)
+	_, err = w.Add("test.env")
+	assert.NoError(t, err)
+
+	tmpTar, _ := fs.Create("temp.tar")
+	tw := tar.NewWriter(tmpTar)
+	ps, _ := gitignore.ReadPatterns(worktree, []string{})
+	ignorer := gitignore.NewMatcher(ps)
+	fc := &FileCollector{
+		Fs:        &memoryFs{Filesystem: fs},
+		Ignorer:   ignorer,
+		SrcPath:   "mygitrepo",
+		SrcPrefix: "mygitrepo" + string(filepath.Separator),
+		Handler: &TarCollector{
+			TarWriter: tw,
+		},
+	}
+	err = fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
+	assert.NoError(t, err, "successfully collect files")
+	tw.Close()
+	_, _ = tmpTar.Seek(0, io.SeekStart)
+	tr := tar.NewReader(tmpTar)
+	h, err := tr.Next()
+	files := map[string]tar.Header{}
+	for err == nil {
+		files[h.Name] = *h
+		h, err = tr.Next()
+	}
+
+	assert.Equal(t, ".env", files[".env"].Name)
+	assert.Equal(t, "test.env", files["test.env"].Name)
+	assert.Equal(t, ".env", files["test.env"].Linkname)
+	assert.ErrorIs(t, err, io.EOF, "tar must be read cleanly to EOF")
+}
--- a/pkg/jobparser/evaluator.go
+++ b/pkg/jobparser/evaluator.go
@@ -0,0 +1,185 @@
+package jobparser
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/nektos/act/pkg/exprparser"
+	"gopkg.in/yaml.v3"
+)
+
+// ExpressionEvaluator is copied from runner.expressionEvaluator,
+// to avoid unnecessary dependencies
+type ExpressionEvaluator struct {
+	interpreter exprparser.Interpreter
+}
+
+func NewExpressionEvaluator(interpreter exprparser.Interpreter) *ExpressionEvaluator {
+	return &ExpressionEvaluator{interpreter: interpreter}
+}
+
+func (ee ExpressionEvaluator) evaluate(in string, defaultStatusCheck exprparser.DefaultStatusCheck) (interface{}, error) {
+	evaluated, err := ee.interpreter.Evaluate(in, defaultStatusCheck)
+
+	return evaluated, err
+}
+
+func (ee ExpressionEvaluator) evaluateScalarYamlNode(node *yaml.Node) error {
+	var in string
+	if err := node.Decode(&in); err != nil {
+		return err
+	}
+	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
+		return nil
+	}
+	expr, _ := rewriteSubExpression(in, false)
+	res, err := ee.evaluate(expr, exprparser.DefaultStatusCheckNone)
+	if err != nil {
+		return err
+	}
+	return node.Encode(res)
+}
+
+func (ee ExpressionEvaluator) evaluateMappingYamlNode(node *yaml.Node) error {
+	// GitHub has this undocumented feature to merge maps, called insert directive
+	insertDirective := regexp.MustCompile(`\${{\s*insert\s*}}`)
+	for i := 0; i < len(node.Content)/2; {
+		k := node.Content[i*2]
+		v := node.Content[i*2+1]
+		if err := ee.EvaluateYamlNode(v); err != nil {
+			return err
+		}
+		var sk string
+		// Merge the nested map of the insert directive
+		if k.Decode(&sk) == nil && insertDirective.MatchString(sk) {
+			node.Content = append(append(node.Content[:i*2], v.Content...), node.Content[(i+1)*2:]...)
+			i += len(v.Content) / 2
+		} else {
+			if err := ee.EvaluateYamlNode(k); err != nil {
+				return err
+			}
+			i++
+		}
+	}
+	return nil
+}
+
+func (ee ExpressionEvaluator) evaluateSequenceYamlNode(node *yaml.Node) error {
+	for i := 0; i < len(node.Content); {
+		v := node.Content[i]
+		// Preserve nested sequences
+		wasseq := v.Kind == yaml.SequenceNode
+		if err := ee.EvaluateYamlNode(v); err != nil {
+			return err
+		}
+		// GitHub has this undocumented feature to merge sequences / arrays
+		// We have a nested sequence via evaluation, merge the arrays
+		if v.Kind == yaml.SequenceNode && !wasseq {
+			node.Content = append(append(node.Content[:i], v.Content...), node.Content[i+1:]...)
+			i += len(v.Content)
+		} else {
+			i++
+		}
+	}
+	return nil
+}
+
+func (ee ExpressionEvaluator) EvaluateYamlNode(node *yaml.Node) error {
+	switch node.Kind {
+	case yaml.ScalarNode:
+		return ee.evaluateScalarYamlNode(node)
+	case yaml.MappingNode:
+		return ee.evaluateMappingYamlNode(node)
+	case yaml.SequenceNode:
+		return ee.evaluateSequenceYamlNode(node)
+	default:
+		return nil
+	}
+}
+
+func (ee ExpressionEvaluator) Interpolate(in string) string {
+	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
+		return in
+	}
+
+	expr, _ := rewriteSubExpression(in, true)
+	evaluated, err := ee.evaluate(expr, exprparser.DefaultStatusCheckNone)
+	if err != nil {
+		return ""
+	}
+
+	value, ok := evaluated.(string)
+	if !ok {
+		panic(fmt.Sprintf("Expression %s did not evaluate to a string", expr))
+	}
+
+	return value
+}
+
+func escapeFormatString(in string) string {
+	return strings.ReplaceAll(strings.ReplaceAll(in, "{", "{{"), "}", "}}")
+}
+
+func rewriteSubExpression(in string, forceFormat bool) (string, error) {
+	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
+		return in, nil
+	}
+
+	strPattern := regexp.MustCompile("(?:''|[^'])*'")
+	pos := 0
+	exprStart := -1
+	strStart := -1
+	var results []string
+	formatOut := ""
+	for pos < len(in) {
+		if strStart > -1 {
+			matches := strPattern.FindStringIndex(in[pos:])
+			if matches == nil {
+				panic("unclosed string.")
+			}
+
+			strStart = -1
+			pos += matches[1]
+		} else if exprStart > -1 {
+			exprEnd := strings.Index(in[pos:], "}}")
+			strStart = strings.Index(in[pos:], "'")
+
+			if exprEnd > -1 && strStart > -1 {
+				if exprEnd < strStart {
+					strStart = -1
+				} else {
+					exprEnd = -1
+				}
+			}
+
+			if exprEnd > -1 {
+				formatOut += fmt.Sprintf("{%d}", len(results))
+				results = append(results, strings.TrimSpace(in[exprStart:pos+exprEnd]))
+				pos += exprEnd + 2
+				exprStart = -1
+			} else if strStart > -1 {
+				pos += strStart + 1
+			} else {
+				panic("unclosed expression.")
+			}
+		} else {
+			exprStart = strings.Index(in[pos:], "${{")
+			if exprStart != -1 {
+				formatOut += escapeFormatString(in[pos : pos+exprStart])
+				exprStart = pos + exprStart + 3
+				pos = exprStart
+			} else {
+				formatOut += escapeFormatString(in[pos:])
+				pos = len(in)
+			}
+		}
+	}
+
+	if len(results) == 1 && formatOut == "{0}" && !forceFormat {
+		return in, nil
+	}
+
+	out := fmt.Sprintf("format('%s', %s)", strings.ReplaceAll(formatOut, "'", "''"), strings.Join(results, ", "))
+	return out, nil
+}
--- a/pkg/jobparser/interpeter.go
+++ b/pkg/jobparser/interpeter.go
@@ -0,0 +1,81 @@
+package jobparser
+
+import (
+	"github.com/nektos/act/pkg/exprparser"
+	"github.com/nektos/act/pkg/model"
+	"gopkg.in/yaml.v3"
+)
+
+// NewInterpeter returns an interpeter used in the server,
+// need github, needs, strategy, matrix, inputs context only,
+// see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+func NewInterpeter(
+	jobID string,
+	job *model.Job,
+	matrix map[string]interface{},
+	gitCtx *model.GithubContext,
+	results map[string]*JobResult,
+) exprparser.Interpreter {
+	strategy := make(map[string]interface{})
+	if job.Strategy != nil {
+		strategy["fail-fast"] = job.Strategy.FailFast
+		strategy["max-parallel"] = job.Strategy.MaxParallel
+	}
+
+	run := &model.Run{
+		Workflow: &model.Workflow{
+			Jobs: map[string]*model.Job{},
+		},
+		JobID: jobID,
+	}
+	for id, result := range results {
+		need := yaml.Node{}
+		_ = need.Encode(result.Needs)
+		run.Workflow.Jobs[id] = &model.Job{
+			RawNeeds: need,
+			Result:   result.Result,
+			Outputs:  result.Outputs,
+		}
+	}
+
+	jobs := run.Workflow.Jobs
+	jobNeeds := run.Job().Needs()
+
+	using := map[string]exprparser.Needs{}
+	for _, need := range jobNeeds {
+		if v, ok := jobs[need]; ok {
+			using[need] = exprparser.Needs{
+				Outputs: v.Outputs,
+				Result:  v.Result,
+			}
+		}
+	}
+
+	ee := &exprparser.EvaluationEnvironment{
+		Github:   gitCtx,
+		Env:      nil, // no need
+		Job:      nil, // no need
+		Steps:    nil, // no need
+		Runner:   nil, // no need
+		Secrets:  nil, // no need
+		Strategy: strategy,
+		Matrix:   matrix,
+		Needs:    using,
+		Inputs:   nil, // not supported yet
+	}
+
+	config := exprparser.Config{
+		Run:        run,
+		WorkingDir: "", // WorkingDir is used for  the function hashFiles, but it's not needed in the server
+		Context:    "job",
+	}
+
+	return exprparser.NewInterpeter(ee, config)
+}
+
+// JobResult is the minimum requirement of job results for Interpeter
+type JobResult struct {
+	Needs   []string
+	Result  string
+	Outputs map[string]string
+}
--- a/pkg/jobparser/jobparser.go
+++ b/pkg/jobparser/jobparser.go
@@ -0,0 +1,150 @@
+package jobparser
+
+import (
+	"bytes"
+	"fmt"
+	"sort"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/nektos/act/pkg/model"
+)
+
+func Parse(content []byte, options ...ParseOption) ([]*SingleWorkflow, error) {
+	origin, err := model.ReadWorkflow(bytes.NewReader(content))
+	if err != nil {
+		return nil, fmt.Errorf("model.ReadWorkflow: %w", err)
+	}
+
+	workflow := &SingleWorkflow{}
+	if err := yaml.Unmarshal(content, workflow); err != nil {
+		return nil, fmt.Errorf("yaml.Unmarshal: %w", err)
+	}
+
+	pc := &parseContext{}
+	for _, o := range options {
+		o(pc)
+	}
+	results := map[string]*JobResult{}
+	for id, job := range origin.Jobs {
+		results[id] = &JobResult{
+			Needs:   job.Needs(),
+			Result:  pc.jobResults[id],
+			Outputs: nil, // not supported yet
+		}
+	}
+
+	var ret []*SingleWorkflow
+	ids, jobs, err := workflow.jobs()
+	if err != nil {
+		return nil, fmt.Errorf("invalid jobs: %w", err)
+	}
+	for i, id := range ids {
+		job := jobs[i]
+		matricxes, err := getMatrixes(origin.GetJob(id))
+		if err != nil {
+			return nil, fmt.Errorf("getMatrixes: %w", err)
+		}
+		for _, matrix := range matricxes {
+			job := job.Clone()
+			if job.Name == "" {
+				job.Name = id
+			}
+			job.Name = nameWithMatrix(job.Name, matrix)
+			job.Strategy.RawMatrix = encodeMatrix(matrix)
+			evaluator := NewExpressionEvaluator(NewInterpeter(id, origin.GetJob(id), matrix, pc.gitContext, results))
+			runsOn := origin.GetJob(id).RunsOn()
+			for i, v := range runsOn {
+				runsOn[i] = evaluator.Interpolate(v)
+			}
+			job.RawRunsOn = encodeRunsOn(runsOn)
+			swf := &SingleWorkflow{
+				Name:     workflow.Name,
+				RawOn:    workflow.RawOn,
+				Env:      workflow.Env,
+				Defaults: workflow.Defaults,
+			}
+			if err := swf.SetJob(id, job); err != nil {
+				return nil, fmt.Errorf("SetJob: %w", err)
+			}
+			ret = append(ret, swf)
+		}
+	}
+	return ret, nil
+}
+
+func WithJobResults(results map[string]string) ParseOption {
+	return func(c *parseContext) {
+		c.jobResults = results
+	}
+}
+
+func WithGitContext(context *model.GithubContext) ParseOption {
+	return func(c *parseContext) {
+		c.gitContext = context
+	}
+}
+
+type parseContext struct {
+	jobResults map[string]string
+	gitContext *model.GithubContext
+}
+
+type ParseOption func(c *parseContext)
+
+func getMatrixes(job *model.Job) ([]map[string]interface{}, error) {
+	ret, err := job.GetMatrixes()
+	if err != nil {
+		return nil, fmt.Errorf("GetMatrixes: %w", err)
+	}
+	sort.Slice(ret, func(i, j int) bool {
+		return matrixName(ret[i]) < matrixName(ret[j])
+	})
+	return ret, nil
+}
+
+func encodeMatrix(matrix map[string]interface{}) yaml.Node {
+	if len(matrix) == 0 {
+		return yaml.Node{}
+	}
+	value := map[string][]interface{}{}
+	for k, v := range matrix {
+		value[k] = []interface{}{v}
+	}
+	node := yaml.Node{}
+	_ = node.Encode(value)
+	return node
+}
+
+func encodeRunsOn(runsOn []string) yaml.Node {
+	node := yaml.Node{}
+	if len(runsOn) == 1 {
+		_ = node.Encode(runsOn[0])
+	} else {
+		_ = node.Encode(runsOn)
+	}
+	return node
+}
+
+func nameWithMatrix(name string, m map[string]interface{}) string {
+	if len(m) == 0 {
+		return name
+	}
+
+	return name + " " + matrixName(m)
+}
+
+func matrixName(m map[string]interface{}) string {
+	ks := make([]string, 0, len(m))
+	for k := range m {
+		ks = append(ks, k)
+	}
+	sort.Strings(ks)
+	vs := make([]string, 0, len(m))
+	for _, v := range ks {
+		vs = append(vs, fmt.Sprint(m[v]))
+	}
+
+	return fmt.Sprintf("(%s)", strings.Join(vs, ", "))
+}
--- a/pkg/jobparser/jobparser_test.go
+++ b/pkg/jobparser/jobparser_test.go
@@ -0,0 +1,76 @@
+package jobparser
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+
+	"gopkg.in/yaml.v3"
+)
+
+func TestParse(t *testing.T) {
+	tests := []struct {
+		name    string
+		options []ParseOption
+		wantErr bool
+	}{
+		{
+			name:    "multiple_jobs",
+			options: nil,
+			wantErr: false,
+		},
+		{
+			name:    "multiple_matrix",
+			options: nil,
+			wantErr: false,
+		},
+		{
+			name:    "has_needs",
+			options: nil,
+			wantErr: false,
+		},
+		{
+			name:    "has_with",
+			options: nil,
+			wantErr: false,
+		},
+		{
+			name:    "has_secrets",
+			options: nil,
+			wantErr: false,
+		},
+		{
+			name:    "empty_step",
+			options: nil,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			content := ReadTestdata(t, tt.name+".in.yaml")
+			want := ReadTestdata(t, tt.name+".out.yaml")
+			got, err := Parse(content, tt.options...)
+			if tt.wantErr {
+				require.Error(t, err)
+			}
+			require.NoError(t, err)
+
+			builder := &strings.Builder{}
+			for _, v := range got {
+				if builder.Len() > 0 {
+					builder.WriteString("---\n")
+				}
+				encoder := yaml.NewEncoder(builder)
+				encoder.SetIndent(2)
+				require.NoError(t, encoder.Encode(v))
+				id, job := v.Job()
+				assert.NotEmpty(t, id)
+				assert.NotNil(t, job)
+			}
+			assert.Equal(t, string(want), builder.String())
+		})
+	}
+}
--- a/pkg/jobparser/model.go
+++ b/pkg/jobparser/model.go
@@ -0,0 +1,333 @@
+package jobparser
+
+import (
+	"fmt"
+
+	"github.com/nektos/act/pkg/model"
+	"gopkg.in/yaml.v3"
+)
+
+// SingleWorkflow is a workflow with single job and single matrix
+type SingleWorkflow struct {
+	Name     string            `yaml:"name,omitempty"`
+	RawOn    yaml.Node         `yaml:"on,omitempty"`
+	Env      map[string]string `yaml:"env,omitempty"`
+	RawJobs  yaml.Node         `yaml:"jobs,omitempty"`
+	Defaults Defaults          `yaml:"defaults,omitempty"`
+}
+
+func (w *SingleWorkflow) Job() (string, *Job) {
+	ids, jobs, _ := w.jobs()
+	if len(ids) >= 1 {
+		return ids[0], jobs[0]
+	}
+	return "", nil
+}
+
+func (w *SingleWorkflow) jobs() ([]string, []*Job, error) {
+	ids, jobs, err := parseMappingNode[*Job](&w.RawJobs)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for _, job := range jobs {
+		steps := make([]*Step, 0, len(job.Steps))
+		for _, s := range job.Steps {
+			if s != nil {
+				steps = append(steps, s)
+			}
+		}
+		job.Steps = steps
+	}
+
+	return ids, jobs, nil
+}
+
+func (w *SingleWorkflow) SetJob(id string, job *Job) error {
+	m := map[string]*Job{
+		id: job,
+	}
+	out, err := yaml.Marshal(m)
+	if err != nil {
+		return err
+	}
+	node := yaml.Node{}
+	if err := yaml.Unmarshal(out, &node); err != nil {
+		return err
+	}
+	if len(node.Content) != 1 || node.Content[0].Kind != yaml.MappingNode {
+		return fmt.Errorf("can not set job: %q", out)
+	}
+	w.RawJobs = *node.Content[0]
+	return nil
+}
+
+func (w *SingleWorkflow) Marshal() ([]byte, error) {
+	return yaml.Marshal(w)
+}
+
+type Job struct {
+	Name           string                    `yaml:"name,omitempty"`
+	RawNeeds       yaml.Node                 `yaml:"needs,omitempty"`
+	RawRunsOn      yaml.Node                 `yaml:"runs-on,omitempty"`
+	Env            yaml.Node                 `yaml:"env,omitempty"`
+	If             yaml.Node                 `yaml:"if,omitempty"`
+	Steps          []*Step                   `yaml:"steps,omitempty"`
+	TimeoutMinutes string                    `yaml:"timeout-minutes,omitempty"`
+	Services       map[string]*ContainerSpec `yaml:"services,omitempty"`
+	Strategy       Strategy                  `yaml:"strategy,omitempty"`
+	RawContainer   yaml.Node                 `yaml:"container,omitempty"`
+	Defaults       Defaults                  `yaml:"defaults,omitempty"`
+	Outputs        map[string]string         `yaml:"outputs,omitempty"`
+	Uses           string                    `yaml:"uses,omitempty"`
+	With           map[string]interface{}    `yaml:"with,omitempty"`
+	RawSecrets     yaml.Node                 `yaml:"secrets,omitempty"`
+}
+
+func (j *Job) Clone() *Job {
+	if j == nil {
+		return nil
+	}
+	return &Job{
+		Name:           j.Name,
+		RawNeeds:       j.RawNeeds,
+		RawRunsOn:      j.RawRunsOn,
+		Env:            j.Env,
+		If:             j.If,
+		Steps:          j.Steps,
+		TimeoutMinutes: j.TimeoutMinutes,
+		Services:       j.Services,
+		Strategy:       j.Strategy,
+		RawContainer:   j.RawContainer,
+		Defaults:       j.Defaults,
+		Outputs:        j.Outputs,
+		Uses:           j.Uses,
+		With:           j.With,
+		RawSecrets:     j.RawSecrets,
+	}
+}
+
+func (j *Job) Needs() []string {
+	return (&model.Job{RawNeeds: j.RawNeeds}).Needs()
+}
+
+func (j *Job) EraseNeeds() *Job {
+	j.RawNeeds = yaml.Node{}
+	return j
+}
+
+func (j *Job) RunsOn() []string {
+	return (&model.Job{RawRunsOn: j.RawRunsOn}).RunsOn()
+}
+
+type Step struct {
+	ID               string            `yaml:"id,omitempty"`
+	If               yaml.Node         `yaml:"if,omitempty"`
+	Name             string            `yaml:"name,omitempty"`
+	Uses             string            `yaml:"uses,omitempty"`
+	Run              string            `yaml:"run,omitempty"`
+	WorkingDirectory string            `yaml:"working-directory,omitempty"`
+	Shell            string            `yaml:"shell,omitempty"`
+	Env              yaml.Node         `yaml:"env,omitempty"`
+	With             map[string]string `yaml:"with,omitempty"`
+	ContinueOnError  bool              `yaml:"continue-on-error,omitempty"`
+	TimeoutMinutes   string            `yaml:"timeout-minutes,omitempty"`
+}
+
+// String gets the name of step
+func (s *Step) String() string {
+	if s == nil {
+		return ""
+	}
+	return (&model.Step{
+		ID:   s.ID,
+		Name: s.Name,
+		Uses: s.Uses,
+		Run:  s.Run,
+	}).String()
+}
+
+type ContainerSpec struct {
+	Image       string            `yaml:"image,omitempty"`
+	Env         map[string]string `yaml:"env,omitempty"`
+	Ports       []string          `yaml:"ports,omitempty"`
+	Volumes     []string          `yaml:"volumes,omitempty"`
+	Options     string            `yaml:"options,omitempty"`
+	Credentials map[string]string `yaml:"credentials,omitempty"`
+	Cmd         []string          `yaml:"cmd,omitempty"`
+}
+
+type Strategy struct {
+	FailFastString    string    `yaml:"fail-fast,omitempty"`
+	MaxParallelString string    `yaml:"max-parallel,omitempty"`
+	RawMatrix         yaml.Node `yaml:"matrix,omitempty"`
+}
+
+type Defaults struct {
+	Run RunDefaults `yaml:"run,omitempty"`
+}
+
+type RunDefaults struct {
+	Shell            string `yaml:"shell,omitempty"`
+	WorkingDirectory string `yaml:"working-directory,omitempty"`
+}
+
+type Event struct {
+	Name      string
+	acts      map[string][]string
+	schedules []map[string]string
+}
+
+func (evt *Event) IsSchedule() bool {
+	return evt.schedules != nil
+}
+
+func (evt *Event) Acts() map[string][]string {
+	return evt.acts
+}
+
+func (evt *Event) Schedules() []map[string]string {
+	return evt.schedules
+}
+
+func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
+	switch rawOn.Kind {
+	case yaml.ScalarNode:
+		var val string
+		err := rawOn.Decode(&val)
+		if err != nil {
+			return nil, err
+		}
+		return []*Event{
+			{Name: val},
+		}, nil
+	case yaml.SequenceNode:
+		var val []interface{}
+		err := rawOn.Decode(&val)
+		if err != nil {
+			return nil, err
+		}
+		res := make([]*Event, 0, len(val))
+		for _, v := range val {
+			switch t := v.(type) {
+			case string:
+				res = append(res, &Event{Name: t})
+			default:
+				return nil, fmt.Errorf("invalid type %T", t)
+			}
+		}
+		return res, nil
+	case yaml.MappingNode:
+		events, triggers, err := parseMappingNode[interface{}](rawOn)
+		if err != nil {
+			return nil, err
+		}
+		res := make([]*Event, 0, len(events))
+		for i, k := range events {
+			v := triggers[i]
+			if v == nil {
+				res = append(res, &Event{
+					Name: k,
+					acts: map[string][]string{},
+				})
+				continue
+			}
+			switch t := v.(type) {
+			case string:
+				res = append(res, &Event{
+					Name: k,
+					acts: map[string][]string{},
+				})
+			case []string:
+				res = append(res, &Event{
+					Name: k,
+					acts: map[string][]string{},
+				})
+			case map[string]interface{}:
+				acts := make(map[string][]string, len(t))
+				for act, branches := range t {
+					switch b := branches.(type) {
+					case string:
+						acts[act] = []string{b}
+					case []string:
+						acts[act] = b
+					case []interface{}:
+						acts[act] = make([]string, len(b))
+						for i, v := range b {
+							var ok bool
+							if acts[act][i], ok = v.(string); !ok {
+								return nil, fmt.Errorf("unknown on type: %#v", branches)
+							}
+						}
+					default:
+						return nil, fmt.Errorf("unknown on type: %#v", branches)
+					}
+				}
+				res = append(res, &Event{
+					Name: k,
+					acts: acts,
+				})
+			case []interface{}:
+				if k != "schedule" {
+					return nil, fmt.Errorf("unknown on type: %#v", v)
+				}
+				schedules := make([]map[string]string, len(t))
+				for i, tt := range t {
+					vv, ok := tt.(map[string]interface{})
+					if !ok {
+						return nil, fmt.Errorf("unknown on type: %#v", v)
+					}
+					schedules[i] = make(map[string]string, len(vv))
+					for k, vvv := range vv {
+						var ok bool
+						if schedules[i][k], ok = vvv.(string); !ok {
+							return nil, fmt.Errorf("unknown on type: %#v", v)
+						}
+					}
+				}
+				res = append(res, &Event{
+					Name:      k,
+					schedules: schedules,
+				})
+			default:
+				return nil, fmt.Errorf("unknown on type: %#v", v)
+			}
+		}
+		return res, nil
+	default:
+		return nil, fmt.Errorf("unknown on type: %v", rawOn.Kind)
+	}
+}
+
+// parseMappingNode parse a mapping node and preserve order.
+func parseMappingNode[T any](node *yaml.Node) ([]string, []T, error) {
+	if node.Kind != yaml.MappingNode {
+		return nil, nil, fmt.Errorf("input node is not a mapping node")
+	}
+
+	var scalars []string
+	var datas []T
+	expectKey := true
+	for _, item := range node.Content {
+		if expectKey {
+			if item.Kind != yaml.ScalarNode {
+				return nil, nil, fmt.Errorf("not a valid scalar node: %v", item.Value)
+			}
+			scalars = append(scalars, item.Value)
+			expectKey = false
+		} else {
+			var val T
+			if err := item.Decode(&val); err != nil {
+				return nil, nil, err
+			}
+			datas = append(datas, val)
+			expectKey = true
+		}
+	}
+
+	if len(scalars) != len(datas) {
+		return nil, nil, fmt.Errorf("invalid definition of on: %v", node.Value)
+	}
+
+	return scalars, datas, nil
+}
--- a/pkg/jobparser/model_test.go
+++ b/pkg/jobparser/model_test.go
@@ -0,0 +1,306 @@
+package jobparser
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/nektos/act/pkg/model"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+func TestParseRawOn(t *testing.T) {
+	kases := []struct {
+		input  string
+		result []*Event
+	}{
+		{
+			input: "on: issue_comment",
+			result: []*Event{
+				{
+					Name: "issue_comment",
+				},
+			},
+		},
+		{
+			input: "on:\n  push",
+			result: []*Event{
+				{
+					Name: "push",
+				},
+			},
+		},
+
+		{
+			input: "on:\n  - push\n  - pull_request",
+			result: []*Event{
+				{
+					Name: "push",
+				},
+				{
+					Name: "pull_request",
+				},
+			},
+		},
+		{
+			input: "on:\n  push:\n    branches:\n      - master",
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{
+						"branches": {
+							"master",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  branch_protection_rule:\n    types: [created, deleted]",
+			result: []*Event{
+				{
+					Name: "branch_protection_rule",
+					acts: map[string][]string{
+						"types": {
+							"created",
+							"deleted",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  project:\n    types: [created, deleted]\n  milestone:\n    types: [opened, deleted]",
+			result: []*Event{
+				{
+					Name: "project",
+					acts: map[string][]string{
+						"types": {
+							"created",
+							"deleted",
+						},
+					},
+				},
+				{
+					Name: "milestone",
+					acts: map[string][]string{
+						"types": {
+							"opened",
+							"deleted",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  pull_request:\n    types:\n      - opened\n    branches:\n      - 'releases/**'",
+			result: []*Event{
+				{
+					Name: "pull_request",
+					acts: map[string][]string{
+						"types": {
+							"opened",
+						},
+						"branches": {
+							"releases/**",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  push:\n    branches:\n      - main\n  pull_request:\n    types:\n      - opened\n    branches:\n      - '**'",
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{
+						"branches": {
+							"main",
+						},
+					},
+				},
+				{
+					Name: "pull_request",
+					acts: map[string][]string{
+						"types": {
+							"opened",
+						},
+						"branches": {
+							"**",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  push:\n    branches:\n      - 'main'\n      - 'releases/**'",
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{
+						"branches": {
+							"main",
+							"releases/**",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on:\n  push:\n    tags:\n      - v1.**",
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{
+						"tags": {
+							"v1.**",
+						},
+					},
+				},
+			},
+		},
+		{
+			input: "on: [pull_request, workflow_dispatch]",
+			result: []*Event{
+				{
+					Name: "pull_request",
+				},
+				{
+					Name: "workflow_dispatch",
+				},
+			},
+		},
+		{
+			input: "on:\n  schedule:\n    - cron: '20 6 * * *'",
+			result: []*Event{
+				{
+					Name: "schedule",
+					schedules: []map[string]string{
+						{
+							"cron": "20 6 * * *",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, kase := range kases {
+		t.Run(kase.input, func(t *testing.T) {
+			origin, err := model.ReadWorkflow(strings.NewReader(kase.input))
+			assert.NoError(t, err)
+
+			events, err := ParseRawOn(&origin.RawOn)
+			assert.NoError(t, err)
+			assert.EqualValues(t, kase.result, events, fmt.Sprintf("%#v", events))
+		})
+	}
+}
+
+func TestSingleWorkflow_SetJob(t *testing.T) {
+	t.Run("erase needs", func(t *testing.T) {
+		content := ReadTestdata(t, "erase_needs.in.yaml")
+		want := ReadTestdata(t, "erase_needs.out.yaml")
+		swf, err := Parse(content)
+		require.NoError(t, err)
+		builder := &strings.Builder{}
+		for _, v := range swf {
+			id, job := v.Job()
+			require.NoError(t, v.SetJob(id, job.EraseNeeds()))
+
+			if builder.Len() > 0 {
+				builder.WriteString("---\n")
+			}
+			encoder := yaml.NewEncoder(builder)
+			encoder.SetIndent(2)
+			require.NoError(t, encoder.Encode(v))
+		}
+		assert.Equal(t, string(want), builder.String())
+	})
+}
+
+func TestParseMappingNode(t *testing.T) {
+	tests := []struct {
+		input   string
+		scalars []string
+		datas   []interface{}
+	}{
+		{
+			input:   "on:\n  push:\n    branches:\n      - master",
+			scalars: []string{"push"},
+			datas: []interface {
+			}{
+				map[string]interface{}{
+					"branches": []interface{}{"master"},
+				},
+			},
+		},
+		{
+			input:   "on:\n  branch_protection_rule:\n    types: [created, deleted]",
+			scalars: []string{"branch_protection_rule"},
+			datas: []interface{}{
+				map[string]interface{}{
+					"types": []interface{}{"created", "deleted"},
+				},
+			},
+		},
+		{
+			input:   "on:\n  project:\n    types: [created, deleted]\n  milestone:\n    types: [opened, deleted]",
+			scalars: []string{"project", "milestone"},
+			datas: []interface{}{
+				map[string]interface{}{
+					"types": []interface{}{"created", "deleted"},
+				},
+				map[string]interface{}{
+					"types": []interface{}{"opened", "deleted"},
+				},
+			},
+		},
+		{
+			input:   "on:\n  pull_request:\n    types:\n      - opened\n    branches:\n      - 'releases/**'",
+			scalars: []string{"pull_request"},
+			datas: []interface{}{
+				map[string]interface{}{
+					"types":    []interface{}{"opened"},
+					"branches": []interface{}{"releases/**"},
+				},
+			},
+		},
+		{
+			input:   "on:\n  push:\n    branches:\n      - main\n  pull_request:\n    types:\n      - opened\n    branches:\n      - '**'",
+			scalars: []string{"push", "pull_request"},
+			datas: []interface{}{
+				map[string]interface{}{
+					"branches": []interface{}{"main"},
+				},
+				map[string]interface{}{
+					"types":    []interface{}{"opened"},
+					"branches": []interface{}{"**"},
+				},
+			},
+		},
+		{
+			input:   "on:\n  schedule:\n    - cron: '20 6 * * *'",
+			scalars: []string{"schedule"},
+			datas: []interface{}{
+				[]interface{}{map[string]interface{}{
+					"cron": "20 6 * * *",
+				}},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.input, func(t *testing.T) {
+			workflow, err := model.ReadWorkflow(strings.NewReader(test.input))
+			assert.NoError(t, err)
+
+			scalars, datas, err := parseMappingNode[interface{}](&workflow.RawOn)
+			assert.NoError(t, err)
+			assert.EqualValues(t, test.scalars, scalars, fmt.Sprintf("%#v", scalars))
+			assert.EqualValues(t, test.datas, datas, fmt.Sprintf("%#v", datas))
+		})
+	}
+}
--- a/pkg/jobparser/testdata/empty_step.in.yaml
+++ b/pkg/jobparser/testdata/empty_step.in.yaml
@@ -0,0 +1,8 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    steps:
+      - run: echo job-1
+      -
--- a/pkg/jobparser/testdata/empty_step.out.yaml
+++ b/pkg/jobparser/testdata/empty_step.out.yaml
@@ -0,0 +1,7 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    steps:
+      - run: echo job-1
--- a/pkg/jobparser/testdata/erase_needs.in.yaml
+++ b/pkg/jobparser/testdata/erase_needs.in.yaml
@@ -0,0 +1,16 @@
+name: test
+jobs:
+  job1:
+    runs-on: linux
+    steps:
+      - run: uname -a
+  job2:
+    runs-on: linux
+    steps:
+      - run: uname -a
+    needs: job1
+  job3:
+    runs-on: linux
+    steps:
+      - run: uname -a
+    needs: [job1, job2]
--- a/pkg/jobparser/testdata/erase_needs.out.yaml
+++ b/pkg/jobparser/testdata/erase_needs.out.yaml
@@ -0,0 +1,23 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    steps:
+      - run: uname -a
+---
+name: test
+jobs:
+  job2:
+    name: job2
+    runs-on: linux
+    steps:
+      - run: uname -a
+---
+name: test
+jobs:
+  job3:
+    name: job3
+    runs-on: linux
+    steps:
+      - run: uname -a
--- a/pkg/jobparser/testdata/has_needs.in.yaml
+++ b/pkg/jobparser/testdata/has_needs.in.yaml
@@ -0,0 +1,16 @@
+name: test
+jobs:
+  job1:
+    runs-on: linux
+    steps:
+      - run: uname -a
+  job2:
+    runs-on: linux
+    steps:
+      - run: uname -a
+    needs: job1
+  job3:
+    runs-on: linux
+    steps:
+      - run: uname -a
+    needs: [job1, job2]
--- a/pkg/jobparser/testdata/has_needs.out.yaml
+++ b/pkg/jobparser/testdata/has_needs.out.yaml
@@ -0,0 +1,25 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    steps:
+      - run: uname -a
+---
+name: test
+jobs:
+  job2:
+    name: job2
+    needs: job1
+    runs-on: linux
+    steps:
+      - run: uname -a
+---
+name: test
+jobs:
+  job3:
+    name: job3
+    needs: [job1, job2]
+    runs-on: linux
+    steps:
+      - run: uname -a
--- a/pkg/jobparser/testdata/has_secrets.in.yaml
+++ b/pkg/jobparser/testdata/has_secrets.in.yaml
@@ -0,0 +1,14 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    secrets:
+      secret: hideme
+
+  job2:
+    name: job2
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    secrets: inherit
--- a/pkg/jobparser/testdata/has_secrets.out.yaml
+++ b/pkg/jobparser/testdata/has_secrets.out.yaml
@@ -0,0 +1,16 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    secrets:
+      secret: hideme
+---
+name: test
+jobs:
+  job2:
+    name: job2
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    secrets: inherit
--- a/pkg/jobparser/testdata/has_with.in.yaml
+++ b/pkg/jobparser/testdata/has_with.in.yaml
@@ -0,0 +1,15 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    with:
+      package: service
+
+  job2:
+    name: job2
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    with:
+      package: module
--- a/pkg/jobparser/testdata/has_with.out.yaml
+++ b/pkg/jobparser/testdata/has_with.out.yaml
@@ -0,0 +1,17 @@
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    with:
+      package: service
+---
+name: test
+jobs:
+  job2:
+    name: job2
+    runs-on: linux
+    uses: .gitea/workflows/build.yml
+    with:
+      package: module
--- a/pkg/jobparser/testdata/multiple_jobs.in.yaml
+++ b/pkg/jobparser/testdata/multiple_jobs.in.yaml
@@ -0,0 +1,22 @@
+name: test
+jobs:
+  zzz:
+    runs-on: linux
+    steps:
+      - run: echo zzz
+  job1:
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+  job2:
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+  job3:
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+  aaa:
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
--- a/pkg/jobparser/testdata/multiple_jobs.out.yaml
+++ b/pkg/jobparser/testdata/multiple_jobs.out.yaml
@@ -0,0 +1,39 @@
+name: test
+jobs:
+  zzz:
+    name: zzz
+    runs-on: linux
+    steps:
+      - run: echo zzz
+---
+name: test
+jobs:
+  job1:
+    name: job1
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+---
+name: test
+jobs:
+  job2:
+    name: job2
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+---
+name: test
+jobs:
+  job3:
+    name: job3
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
+---
+name: test
+jobs:
+  aaa:
+    name: aaa
+    runs-on: linux
+    steps:
+      - run: uname -a && go version
--- a/pkg/jobparser/testdata/multiple_matrix.in.yaml
+++ b/pkg/jobparser/testdata/multiple_matrix.in.yaml
@@ -0,0 +1,13 @@
+name: test
+jobs:
+  job1:
+    strategy:
+      matrix:
+        os: [ubuntu-22.04, ubuntu-20.04]
+        version: [1.17, 1.18, 1.19]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
--- a/pkg/jobparser/testdata/multiple_matrix.out.yaml
+++ b/pkg/jobparser/testdata/multiple_matrix.out.yaml
@@ -0,0 +1,101 @@
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-20.04, 1.17)
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-20.04
+        version:
+          - 1.17
+---
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-20.04, 1.18)
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-20.04
+        version:
+          - 1.18
+---
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-20.04, 1.19)
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-20.04
+        version:
+          - 1.19
+---
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-22.04, 1.17)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-22.04
+        version:
+          - 1.17
+---
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-22.04, 1.18)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-22.04
+        version:
+          - 1.18
+---
+name: test
+jobs:
+  job1:
+    name: job1 (ubuntu-22.04, 1.19)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.version }}
+      - run: uname -a && go version
+    strategy:
+      matrix:
+        os:
+          - ubuntu-22.04
+        version:
+          - 1.19
--- a/pkg/jobparser/testdata_test.go
+++ b/pkg/jobparser/testdata_test.go
@@ -0,0 +1,18 @@
+package jobparser
+
+import (
+	"embed"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+//go:embed testdata
+var testdata embed.FS
+
+func ReadTestdata(t *testing.T, name string) []byte {
+	content, err := testdata.ReadFile(filepath.Join("testdata", name))
+	require.NoError(t, err)
+	return content
+}
--- a/pkg/model/action.go
+++ b/pkg/model/action.go
@@ -20,7 +20,7 @@ func (a *ActionRunsUsing) UnmarshalYAML(unmarshal func(interface{}) error) error
 	// Force input to lowercase for case insensitive comparison
 	format := ActionRunsUsing(strings.ToLower(using))
 	switch format {
-	case ActionRunsUsingNode16, ActionRunsUsingNode12, ActionRunsUsingDocker, ActionRunsUsingComposite:
+	case ActionRunsUsingNode20, ActionRunsUsingNode16, ActionRunsUsingNode12, ActionRunsUsingDocker, ActionRunsUsingComposite, ActionRunsUsingGo:
 		*a = format
 	default:
 		return fmt.Errorf(fmt.Sprintf("The runs.using key in action.yml must be one of: %v, got %s", []string{
@@ -28,6 +28,8 @@ func (a *ActionRunsUsing) UnmarshalYAML(unmarshal func(interface{}) error) error
 			ActionRunsUsingDocker,
 			ActionRunsUsingNode12,
 			ActionRunsUsingNode16,
+			ActionRunsUsingNode20,
+			ActionRunsUsingGo,
 		}, format))
 	}
 	return nil
@@ -36,12 +38,16 @@ func (a *ActionRunsUsing) UnmarshalYAML(unmarshal func(interface{}) error) error
 const (
 	// ActionRunsUsingNode12 for running with node12
 	ActionRunsUsingNode12 = "node12"
-	// ActionRunsUsingNode12 for running with node16
+	// ActionRunsUsingNode16 for running with node16
 	ActionRunsUsingNode16 = "node16"
+	// ActionRunsUsingNode20 for running with node20
+	ActionRunsUsingNode20 = "node20"
 	// ActionRunsUsingDocker for running with docker
 	ActionRunsUsingDocker = "docker"
 	// ActionRunsUsingComposite for running composite
 	ActionRunsUsingComposite = "composite"
+	// ActionRunsUsingGo for running with go
+	ActionRunsUsingGo = "go"
 )

 // ActionRuns are a field in Action
--- a/pkg/model/github_context.go
+++ b/pkg/model/github_context.go
@@ -168,7 +168,7 @@ func (ghc *GithubContext) SetRepositoryAndOwner(ctx context.Context, githubInsta
 	if ghc.Repository == "" {
 		repo, err := git.FindGithubRepo(ctx, repoPath, githubInstance, remoteName)
 		if err != nil {
-			common.Logger(ctx).Warningf("unable to get git repo: %v", err)
+			common.Logger(ctx).Warningf("unable to get git repo (githubInstance: %v; remoteName: %v, repoPath: %v): %v", githubInstance, remoteName, repoPath, err)
 			return
 		}
 		ghc.Repository = repo
--- a/pkg/model/planner.go
+++ b/pkg/model/planner.go
@@ -148,12 +148,10 @@ func NewWorkflowPlanner(path string, noWorkflowRecurse bool) (WorkflowPlanner, e
 				workflow.Name = wf.workflowDirEntry.Name()
 			}

-			jobNameRegex := regexp.MustCompile(`^([[:alpha:]_][[:alnum:]_\-]*)$`)
-			for k := range workflow.Jobs {
-				if ok := jobNameRegex.MatchString(k); !ok {
-					_ = f.Close()
-					return nil, fmt.Errorf("workflow is not valid. '%s': Job name '%s' is invalid. Names must start with a letter or '_' and contain only alphanumeric characters, '-', or '_'", workflow.Name, k)
-				}
+			err = validateJobName(workflow)
+			if err != nil {
+				_ = f.Close()
+				return nil, err
 			}

 			wp.workflows = append(wp.workflows, workflow)
@@ -164,6 +162,49 @@ func NewWorkflowPlanner(path string, noWorkflowRecurse bool) (WorkflowPlanner, e
 	return wp, nil
 }

+// CombineWorkflowPlanner combines workflows to a WorkflowPlanner
+func CombineWorkflowPlanner(workflows ...*Workflow) WorkflowPlanner {
+	return &workflowPlanner{
+		workflows: workflows,
+	}
+}
+
+func NewSingleWorkflowPlanner(name string, f io.Reader) (WorkflowPlanner, error) {
+	wp := new(workflowPlanner)
+
+	log.Debugf("Reading workflow %s", name)
+	workflow, err := ReadWorkflow(f)
+	if err != nil {
+		if err == io.EOF {
+			return nil, fmt.Errorf("unable to read workflow '%s': file is empty: %w", name, err)
+		}
+		return nil, fmt.Errorf("workflow is not valid. '%s': %w", name, err)
+	}
+	workflow.File = name
+	if workflow.Name == "" {
+		workflow.Name = name
+	}
+
+	err = validateJobName(workflow)
+	if err != nil {
+		return nil, err
+	}
+
+	wp.workflows = append(wp.workflows, workflow)
+
+	return wp, nil
+}
+
+func validateJobName(workflow *Workflow) error {
+	jobNameRegex := regexp.MustCompile(`^([[:alpha:]_][[:alnum:]_\-]*)$`)
+	for k := range workflow.Jobs {
+		if ok := jobNameRegex.MatchString(k); !ok {
+			return fmt.Errorf("workflow is not valid. '%s': Job name '%s' is invalid. Names must start with a letter or '_' and contain only alphanumeric characters, '-', or '_'", workflow.Name, k)
+		}
+	}
+	return nil
+}
+
 type workflowPlanner struct {
 	workflows []*Workflow
 }
@@ -328,8 +369,6 @@ func createStages(w *Workflow, jobIDs ...string) ([]*Stage, error) {
 		jobIDs = newJobIDs
 	}

-	var err error
-
 	// next, build an execution graph
 	stages := make([]*Stage, 0)
 	for len(jobDependencies) > 0 {
@@ -350,8 +389,8 @@ func createStages(w *Workflow, jobIDs ...string) ([]*Stage, error) {
 		stages = append(stages, stage)
 	}

-	if len(stages) == 0 && err != nil {
-		return nil, err
+	if len(stages) == 0 {
+		return nil, fmt.Errorf("Could not find any stages to run. View the valid jobs with `act --list`. Use `act --help` to find how to filter by Job ID/Workflow/Event Name")
 	}

 	return stages, nil
--- a/pkg/model/planner_test.go
+++ b/pkg/model/planner_test.go
@@ -39,3 +39,25 @@ func TestPlanner(t *testing.T) {
 		}
 	}
 }
+
+func TestWorkflow(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	workflow := Workflow{
+		Jobs: map[string]*Job{
+			"valid_job": {
+				Name: "valid_job",
+			},
+		},
+	}
+
+	// Check that an invalid job id returns error
+	result, err := createStages(&workflow, "invalid_job_id")
+	assert.NotNil(t, err)
+	assert.Nil(t, result)
+
+	// Check that an valid job id returns non-error
+	result, err = createStages(&workflow, "valid_job")
+	assert.Nil(t, err)
+	assert.NotNil(t, result)
+}
--- a/pkg/model/workflow.go
+++ b/pkg/model/workflow.go
@@ -66,6 +66,30 @@ func (w *Workflow) OnEvent(event string) interface{} {
 	return nil
 }

+func (w *Workflow) OnSchedule() []string {
+	schedules := w.OnEvent("schedule")
+	if schedules == nil {
+		return []string{}
+	}
+
+	switch val := schedules.(type) {
+	case []interface{}:
+		allSchedules := []string{}
+		for _, v := range val {
+			for k, cron := range v.(map[string]interface{}) {
+				if k != "cron" {
+					continue
+				}
+				allSchedules = append(allSchedules, cron.(string))
+			}
+		}
+		return allSchedules
+	default:
+	}
+
+	return []string{}
+}
+
 type WorkflowDispatchInput struct {
 	Description string   `yaml:"description"`
 	Required    bool     `yaml:"required"`
@@ -79,22 +103,40 @@ type WorkflowDispatch struct {
 }

 func (w *Workflow) WorkflowDispatchConfig() *WorkflowDispatch {
-	if w.RawOn.Kind != yaml.MappingNode {
+	switch w.RawOn.Kind {
+	case yaml.ScalarNode:
+		var val string
+		if !decodeNode(w.RawOn, &val) {
+			return nil
+		}
+		if val == "workflow_dispatch" {
+			return &WorkflowDispatch{}
+		}
+	case yaml.SequenceNode:
+		var val []string
+		if !decodeNode(w.RawOn, &val) {
+			return nil
+		}
+		for _, v := range val {
+			if v == "workflow_dispatch" {
+				return &WorkflowDispatch{}
+			}
+		}
+	case yaml.MappingNode:
+		var val map[string]yaml.Node
+		if !decodeNode(w.RawOn, &val) {
+			return nil
+		}
+
+		n, found := val["workflow_dispatch"]
+		var workflowDispatch WorkflowDispatch
+		if found && decodeNode(n, &workflowDispatch) {
+			return &workflowDispatch
+		}
+	default:
 		return nil
 	}
-
-	var val map[string]yaml.Node
-	if !decodeNode(w.RawOn, &val) {
-		return nil
-	}
-
-	var config WorkflowDispatch
-	node := val["workflow_dispatch"]
-	if !decodeNode(node, &config) {
-		return nil
-	}
-
-	return &config
+	return nil
 }

 type WorkflowCallInput struct {
@@ -275,15 +317,39 @@ func (j *Job) Needs() []string {
 // RunsOn list for Job
 func (j *Job) RunsOn() []string {
 	switch j.RawRunsOn.Kind {
+	case yaml.MappingNode:
+		var val struct {
+			Group  string
+			Labels yaml.Node
+		}
+
+		if !decodeNode(j.RawRunsOn, &val) {
+			return nil
+		}
+
+		labels := nodeAsStringSlice(val.Labels)
+
+		if val.Group != "" {
+			labels = append(labels, val.Group)
+		}
+
+		return labels
+	default:
+		return nodeAsStringSlice(j.RawRunsOn)
+	}
+}
+
+func nodeAsStringSlice(node yaml.Node) []string {
+	switch node.Kind {
 	case yaml.ScalarNode:
 		var val string
-		if !decodeNode(j.RawRunsOn, &val) {
+		if !decodeNode(node, &val) {
 			return nil
 		}
 		return []string{val}
 	case yaml.SequenceNode:
 		var val []string
-		if !decodeNode(j.RawRunsOn, &val) {
+		if !decodeNode(node, &val) {
 			return nil
 		}
 		return val
@@ -417,6 +483,7 @@ func (j *Job) GetMatrixes() ([]map[string]interface{}, error) {
 		}
 	} else {
 		matrixes = append(matrixes, make(map[string]interface{}))
+		log.Debugf("Empty Strategy, matrixes=%v", matrixes)
 	}
 	return matrixes, nil
 }
@@ -444,14 +511,17 @@ func commonKeysMatch2(a map[string]interface{}, b map[string]interface{}, m map[
 type JobType int

 const (
-	// StepTypeRun is all steps that have a `run` attribute
+	// JobTypeDefault is all jobs that have a `run` attribute
 	JobTypeDefault JobType = iota

-	// StepTypeReusableWorkflowLocal is all steps that have a `uses` that is a local workflow in the .github/workflows directory
+	// JobTypeReusableWorkflowLocal is all jobs that have a `uses` that is a local workflow in the .github/workflows directory
 	JobTypeReusableWorkflowLocal

-	// JobTypeReusableWorkflowRemote is all steps that have a `uses` that references a workflow file in a github repo
+	// JobTypeReusableWorkflowRemote is all jobs that have a `uses` that references a workflow file in a github repo
 	JobTypeReusableWorkflowRemote
+
+	// JobTypeInvalid represents a job which is not configured correctly
+	JobTypeInvalid
 )

 func (j JobType) String() string {
@@ -467,13 +537,28 @@ func (j JobType) String() string {
 }

 // Type returns the type of the job
-func (j *Job) Type() JobType {
-	if strings.HasPrefix(j.Uses, "./.github/workflows") && (strings.HasSuffix(j.Uses, ".yml") || strings.HasSuffix(j.Uses, ".yaml")) {
-		return JobTypeReusableWorkflowLocal
-	} else if !strings.HasPrefix(j.Uses, "./") && strings.Contains(j.Uses, ".github/workflows") && (strings.Contains(j.Uses, ".yml@") || strings.Contains(j.Uses, ".yaml@")) {
-		return JobTypeReusableWorkflowRemote
+func (j *Job) Type() (JobType, error) {
+	isReusable := j.Uses != ""
+
+	if isReusable {
+		isYaml, _ := regexp.MatchString(`\.(ya?ml)(?:$|@)`, j.Uses)
+
+		if isYaml {
+			isLocalPath := strings.HasPrefix(j.Uses, "./")
+			isRemotePath, _ := regexp.MatchString(`^[^.](.+?/){2,}.+\.ya?ml@`, j.Uses)
+			hasVersion, _ := regexp.MatchString(`\.ya?ml@`, j.Uses)
+
+			if isLocalPath {
+				return JobTypeReusableWorkflowLocal, nil
+			} else if isRemotePath && hasVersion {
+				return JobTypeReusableWorkflowRemote, nil
+			}
+		}
+
+		return JobTypeInvalid, fmt.Errorf("`uses` key references invalid workflow path '%s'. Must start with './' if it's a local workflow, or must start with '<org>/<repo>/' and include an '@' if it's a remote workflow", j.Uses)
 	}
-	return JobTypeDefault
+
+	return JobTypeDefault, nil
 }

 // ContainerSpec is the specification of the container to use for the job
@@ -488,10 +573,14 @@ type ContainerSpec struct {
 	Args        string
 	Name        string
 	Reuse       bool
+
+	// Gitea specific
+	Cmd []string `yaml:"cmd"`
 }

 // Step is the structure of one step in a job
 type Step struct {
+	Number             int               `yaml:"-"`
 	ID                 string            `yaml:"id"`
 	If                 yaml.Node         `yaml:"if"`
 	Name               string            `yaml:"name"`
@@ -538,7 +627,7 @@ func (s *Step) GetEnv() map[string]string {
 func (s *Step) ShellCommand() string {
 	shellCommand := ""

-	//Reference: https://github.com/actions/runner/blob/8109c962f09d9acc473d92c595ff43afceddb347/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L9-L17
+	// Reference: https://github.com/actions/runner/blob/8109c962f09d9acc473d92c595ff43afceddb347/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L9-L17
 	switch s.Shell {
 	case "", "bash":
 		shellCommand = "bash --noprofile --norc -e -o pipefail {0}"
@@ -549,7 +638,7 @@ func (s *Step) ShellCommand() string {
 	case "sh":
 		shellCommand = "sh -e {0}"
 	case "cmd":
-		shellCommand = "%ComSpec% /D /E:ON /V:OFF /S /C \"CALL \"{0}\"\""
+		shellCommand = "cmd /D /E:ON /V:OFF /S /C \"CALL \"{0}\"\""
 	case "powershell":
 		shellCommand = "powershell -command . '{0}'"
 	default:
--- a/pkg/model/workflow_test.go
+++ b/pkg/model/workflow_test.go
@@ -7,6 +7,88 @@ import (
 	"github.com/stretchr/testify/assert"
 )

+func TestReadWorkflow_ScheduleEvent(t *testing.T) {
+	yaml := `
+name: local-action-docker-url
+on:
+  schedule:
+    - cron: '30 5 * * 1,3'
+    - cron: '30 5 * * 2,4'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: ./actions/docker-url
+`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+
+	schedules := workflow.OnEvent("schedule")
+	assert.Len(t, schedules, 2)
+
+	newSchedules := workflow.OnSchedule()
+	assert.Len(t, newSchedules, 2)
+
+	assert.Equal(t, "30 5 * * 1,3", newSchedules[0])
+	assert.Equal(t, "30 5 * * 2,4", newSchedules[1])
+
+	yaml = `
+name: local-action-docker-url
+on:
+  schedule:
+    test: '30 5 * * 1,3'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: ./actions/docker-url
+`
+
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+
+	newSchedules = workflow.OnSchedule()
+	assert.Len(t, newSchedules, 0)
+
+	yaml = `
+name: local-action-docker-url
+on:
+  schedule:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: ./actions/docker-url
+`
+
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+
+	newSchedules = workflow.OnSchedule()
+	assert.Len(t, newSchedules, 0)
+
+	yaml = `
+name: local-action-docker-url
+on: [push, tag]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: ./actions/docker-url
+`
+
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+
+	newSchedules = workflow.OnSchedule()
+	assert.Len(t, newSchedules, 0)
+}
+
 func TestReadWorkflow_StringEvent(t *testing.T) {
 	yaml := `
 name: local-action-docker-url
@@ -71,6 +153,41 @@ jobs:
 	assert.Contains(t, workflow.On(), "pull_request")
 }

+func TestReadWorkflow_RunsOnLabels(t *testing.T) {
+	yaml := `
+name: local-action-docker-url
+
+jobs:
+  test:
+    container: nginx:latest
+    runs-on:
+      labels: ubuntu-latest
+    steps:
+    - uses: ./actions/docker-url`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	assert.Equal(t, workflow.Jobs["test"].RunsOn(), []string{"ubuntu-latest"})
+}
+
+func TestReadWorkflow_RunsOnLabelsWithGroup(t *testing.T) {
+	yaml := `
+name: local-action-docker-url
+
+jobs:
+  test:
+    container: nginx:latest
+    runs-on:
+      labels: [ubuntu-latest]
+      group: linux
+    steps:
+    - uses: ./actions/docker-url`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	assert.Equal(t, workflow.Jobs["test"].RunsOn(), []string{"ubuntu-latest", "linux"})
+}
+
 func TestReadWorkflow_StringContainer(t *testing.T) {
 	yaml := `
 name: local-action-docker-url
@@ -147,20 +264,81 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - run: echo
-  remote-reusable-workflow:
-    runs-on: ubuntu-latest
-    uses: remote/repo/.github/workflows/workflow.yml@main
-  local-reusable-workflow:
-    runs-on: ubuntu-latest
-    uses: ./.github/workflows/workflow.yml
+  remote-reusable-workflow-yml:
+    uses: remote/repo/some/path/to/workflow.yml@main
+  remote-reusable-workflow-yaml:
+    uses: remote/repo/some/path/to/workflow.yaml@main
+  remote-reusable-workflow-custom-path:
+    uses: remote/repo/path/to/workflow.yml@main
+  local-reusable-workflow-yml:
+    uses: ./some/path/to/workflow.yml
+  local-reusable-workflow-yaml:
+    uses: ./some/path/to/workflow.yaml
 `

 	workflow, err := ReadWorkflow(strings.NewReader(yaml))
 	assert.NoError(t, err, "read workflow should succeed")
-	assert.Len(t, workflow.Jobs, 3)
-	assert.Equal(t, workflow.Jobs["default-job"].Type(), JobTypeDefault)
-	assert.Equal(t, workflow.Jobs["remote-reusable-workflow"].Type(), JobTypeReusableWorkflowRemote)
-	assert.Equal(t, workflow.Jobs["local-reusable-workflow"].Type(), JobTypeReusableWorkflowLocal)
+	assert.Len(t, workflow.Jobs, 6)
+
+	jobType, err := workflow.Jobs["default-job"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeDefault, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-custom-path"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowRemote, jobType)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-yml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-yaml"].Type()
+	assert.Equal(t, nil, err)
+	assert.Equal(t, JobTypeReusableWorkflowLocal, jobType)
+}
+
+func TestReadWorkflow_JobTypes_InvalidPath(t *testing.T) {
+	yaml := `
+name: invalid job definition
+
+jobs:
+  remote-reusable-workflow-missing-version:
+    uses: remote/repo/some/path/to/workflow.yml
+  remote-reusable-workflow-bad-extension:
+    uses: remote/repo/some/path/to/workflow.json
+  local-reusable-workflow-bad-extension:
+    uses: ./some/path/to/workflow.json
+  local-reusable-workflow-bad-path:
+    uses: some/path/to/workflow.yaml
+`
+
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	assert.Len(t, workflow.Jobs, 4)
+
+	jobType, err := workflow.Jobs["remote-reusable-workflow-missing-version"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["remote-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-bad-extension"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
+
+	jobType, err = workflow.Jobs["local-reusable-workflow-bad-path"].Type()
+	assert.Equal(t, JobTypeInvalid, jobType)
+	assert.NotEqual(t, nil, err)
 }

 func TestReadWorkflow_StepsTypes(t *testing.T) {
@@ -321,3 +499,107 @@ func TestStep_ShellCommand(t *testing.T) {
 		})
 	}
 }
+
+func TestReadWorkflow_WorkflowDispatchConfig(t *testing.T) {
+	yaml := `
+    name: local-action-docker-url
+    `
+	workflow, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch := workflow.WorkflowDispatchConfig()
+	assert.Nil(t, workflowDispatch)
+
+	yaml = `
+    name: local-action-docker-url
+    on: push
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.Nil(t, workflowDispatch)
+
+	yaml = `
+    name: local-action-docker-url
+    on: workflow_dispatch
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.NotNil(t, workflowDispatch)
+	assert.Nil(t, workflowDispatch.Inputs)
+
+	yaml = `
+    name: local-action-docker-url
+    on: [push, pull_request]
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.Nil(t, workflowDispatch)
+
+	yaml = `
+    name: local-action-docker-url
+    on: [push, workflow_dispatch]
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.NotNil(t, workflowDispatch)
+	assert.Nil(t, workflowDispatch.Inputs)
+
+	yaml = `
+    name: local-action-docker-url
+    on:
+        - push
+        - workflow_dispatch
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.NotNil(t, workflowDispatch)
+	assert.Nil(t, workflowDispatch.Inputs)
+
+	yaml = `
+    name: local-action-docker-url
+    on:
+        push:
+        pull_request:
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.Nil(t, workflowDispatch)
+
+	yaml = `
+    name: local-action-docker-url
+    on:
+        push:
+        pull_request:
+        workflow_dispatch:
+            inputs:
+                logLevel:
+                    description: 'Log level'
+                    required: true
+                    default: 'warning'
+                    type: choice
+                    options:
+                    - info
+                    - warning
+                    - debug
+    `
+	workflow, err = ReadWorkflow(strings.NewReader(yaml))
+	assert.NoError(t, err, "read workflow should succeed")
+	workflowDispatch = workflow.WorkflowDispatchConfig()
+	assert.NotNil(t, workflowDispatch)
+	assert.Equal(t, WorkflowDispatchInput{
+		Default:     "warning",
+		Description: "Log level",
+		Options: []string{
+			"info",
+			"warning",
+			"debug",
+		},
+		Required: true,
+		Type:     "choice",
+	}, workflowDispatch.Inputs["logLevel"])
+}
--- a/pkg/runner/action.go
+++ b/pkg/runner/action.go
@@ -3,6 +3,7 @@ package runner
 import (
 	"context"
 	"embed"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -41,11 +42,24 @@ var trampoline embed.FS

 func readActionImpl(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	logger := common.Logger(ctx)
+	allErrors := []error{}
+	addError := func(fileName string, err error) {
+		if err != nil {
+			allErrors = append(allErrors, fmt.Errorf("failed to read '%s' from action '%s' with path '%s' of step %w", fileName, step.String(), actionPath, err))
+		} else {
+			// One successful read, clear error state
+			allErrors = nil
+		}
+	}
 	reader, closer, err := readFile("action.yml")
+	addError("action.yml", err)
 	if os.IsNotExist(err) {
 		reader, closer, err = readFile("action.yaml")
-		if err != nil {
-			if _, closer, err2 := readFile("Dockerfile"); err2 == nil {
+		addError("action.yaml", err)
+		if os.IsNotExist(err) {
+			_, closer, err := readFile("Dockerfile")
+			addError("Dockerfile", err)
+			if err == nil {
 				closer.Close()
 				action := &model.Action{
 					Name: "(Synthetic)",
@@ -90,10 +104,10 @@ func readActionImpl(ctx context.Context, step *model.Step, actionDir string, act
 					return action, nil
 				}
 			}
-			return nil, err
 		}
-	} else if err != nil {
-		return nil, err
+	}
+	if allErrors != nil {
+		return nil, errors.Join(allErrors...)
 	}
 	defer closer.Close()

@@ -110,9 +124,6 @@ func maybeCopyToActionDir(ctx context.Context, step actionStep, actionDir string
 	if stepModel.Type() != model.StepTypeUsesActionRemote {
 		return nil
 	}
-	if err := removeGitIgnore(ctx, actionDir); err != nil {
-		return err
-	}

 	var containerActionDirCopy string
 	containerActionDirCopy = strings.TrimSuffix(containerActionDir, actionPath)
@@ -121,6 +132,21 @@ func maybeCopyToActionDir(ctx context.Context, step actionStep, actionDir string
 	if !strings.HasSuffix(containerActionDirCopy, `/`) {
 		containerActionDirCopy += `/`
 	}
+
+	if rc.Config != nil && rc.Config.ActionCache != nil {
+		raction := step.(*stepActionRemote)
+		ta, err := rc.Config.ActionCache.GetTarArchive(ctx, raction.cacheDir, raction.resolvedSha, "")
+		if err != nil {
+			return err
+		}
+		defer ta.Close()
+		return rc.JobContainer.CopyTarStream(ctx, containerActionDirCopy, ta)
+	}
+
+	if err := removeGitIgnore(ctx, actionDir); err != nil {
+		return err
+	}
+
 	return rc.JobContainer.CopyDir(containerActionDirCopy, actionDir+"/", rc.Config.UseGitIgnore)(ctx)
 }

@@ -149,7 +175,7 @@ func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction
 		logger.Debugf("type=%v actionDir=%s actionPath=%s workdir=%s actionCacheDir=%s actionName=%s containerActionDir=%s", stepModel.Type(), actionDir, actionPath, rc.Config.Workdir, rc.ActionCacheDir(), actionName, containerActionDir)

 		switch action.Runs.Using {
-		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16:
+		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16, model.ActionRunsUsingNode20:
 			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
 				return err
 			}
@@ -171,18 +197,35 @@ func runActionImpl(step actionStep, actionDir string, remoteAction *remoteAction
 			}

 			return execAsComposite(step)(ctx)
+		case model.ActionRunsUsingGo:
+			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
+				return err
+			}
+
+			rc.ApplyExtraPath(ctx, step.getEnv())
+
+			execFileName := fmt.Sprintf("%s.out", action.Runs.Main)
+			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Main}
+			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
+
+			return common.NewPipelineExecutor(
+				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
+				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
+			)(ctx)
 		default:
 			return fmt.Errorf(fmt.Sprintf("The runs.using key must be one of: %v, got %s", []string{
 				model.ActionRunsUsingDocker,
 				model.ActionRunsUsingNode12,
 				model.ActionRunsUsingNode16,
+				model.ActionRunsUsingNode20,
 				model.ActionRunsUsingComposite,
+				model.ActionRunsUsingGo,
 			}, action.Runs.Using))
 		}
 	}
 }

-func setupActionEnv(ctx context.Context, step actionStep, remoteAction *remoteAction) error {
+func setupActionEnv(ctx context.Context, step actionStep, _ *remoteAction) error {
 	rc := step.getRunContext()

 	// A few fields in the environment (e.g. GITHUB_ACTION_REPOSITORY)
@@ -257,16 +300,27 @@ func execAsDocker(ctx context.Context, step actionStep, actionName string, based

 		if !correctArchExists || rc.Config.ForceRebuild {
 			logger.Debugf("image '%s' for architecture '%s' will be built from context '%s", image, rc.Config.ContainerArchitecture, contextDir)
-			var actionContainer container.Container
+			var buildContext io.ReadCloser
 			if localAction {
-				actionContainer = rc.JobContainer
+				buildContext, err = rc.JobContainer.GetContainerArchive(ctx, contextDir+"/.")
+				if err != nil {
+					return err
+				}
+				defer buildContext.Close()
+			} else if rc.Config.ActionCache != nil {
+				rstep := step.(*stepActionRemote)
+				buildContext, err = rc.Config.ActionCache.GetTarArchive(ctx, rstep.cacheDir, rstep.resolvedSha, contextDir)
+				if err != nil {
+					return err
+				}
+				defer buildContext.Close()
 			}
 			prepImage = container.NewDockerBuildExecutor(container.NewDockerBuildExecutorInput{
-				ContextDir: contextDir,
-				Dockerfile: fileName,
-				ImageTag:   image,
-				Container:  actionContainer,
-				Platform:   rc.Config.ContainerArchitecture,
+				ContextDir:   contextDir,
+				Dockerfile:   fileName,
+				ImageTag:     image,
+				BuildContext: buildContext,
+				Platform:     rc.Config.ContainerArchitecture,
 			})
 		} else {
 			logger.Debugf("image '%s' for architecture '%s' already exists", image, rc.Config.ContainerArchitecture)
@@ -361,23 +415,25 @@ func newStepContainer(ctx context.Context, step step, image string, cmd []string
 		networkMode = "default"
 	}
 	stepContainer := container.NewContainer(&container.NewContainerInput{
-		Cmd:         cmd,
-		Entrypoint:  entrypoint,
-		WorkingDir:  rc.JobContainer.ToContainerPath(rc.Config.Workdir),
-		Image:       image,
-		Username:    rc.Config.Secrets["DOCKER_USERNAME"],
-		Password:    rc.Config.Secrets["DOCKER_PASSWORD"],
-		Name:        createContainerName(rc.jobContainerName(), stepModel.ID),
-		Env:         envList,
-		Mounts:      mounts,
-		NetworkMode: networkMode,
-		Binds:       binds,
-		Stdout:      logWriter,
-		Stderr:      logWriter,
-		Privileged:  rc.Config.Privileged,
-		UsernsMode:  rc.Config.UsernsMode,
-		Platform:    rc.Config.ContainerArchitecture,
-		Options:     rc.Config.ContainerOptions,
+		Cmd:          cmd,
+		Entrypoint:   entrypoint,
+		WorkingDir:   rc.JobContainer.ToContainerPath(rc.Config.Workdir),
+		Image:        image,
+		Username:     rc.Config.Secrets["DOCKER_USERNAME"],
+		Password:     rc.Config.Secrets["DOCKER_PASSWORD"],
+		Name:         createSimpleContainerName(rc.jobContainerName(), "STEP-"+stepModel.ID),
+		Env:          envList,
+		Mounts:       mounts,
+		NetworkMode:  networkMode,
+		Binds:        binds,
+		Stdout:       logWriter,
+		Stderr:       logWriter,
+		Privileged:   rc.Config.Privileged,
+		UsernsMode:   rc.Config.UsernsMode,
+		Platform:     rc.Config.ContainerArchitecture,
+		Options:      rc.Config.ContainerOptions,
+		AutoRemove:   rc.Config.AutoRemove,
+		ValidVolumes: rc.Config.ValidVolumes,
 	})
 	return stepContainer
 }
@@ -452,7 +508,9 @@ func hasPreStep(step actionStep) common.Conditional {
 		action := step.getActionModel()
 		return action.Runs.Using == model.ActionRunsUsingComposite ||
 			((action.Runs.Using == model.ActionRunsUsingNode12 ||
-				action.Runs.Using == model.ActionRunsUsingNode16) &&
+				action.Runs.Using == model.ActionRunsUsingNode16 ||
+				action.Runs.Using == model.ActionRunsUsingNode20 ||
+				action.Runs.Using == model.ActionRunsUsingGo) &&
 				action.Runs.Pre != "")
 	}
 }
@@ -467,7 +525,7 @@ func runPreStep(step actionStep) common.Executor {
 		action := step.getActionModel()

 		switch action.Runs.Using {
-		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16:
+		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16, model.ActionRunsUsingNode20:
 			// defaults in pre steps were missing, however provided inputs are available
 			populateEnvsFromInput(ctx, step.getEnv(), action, rc)
 			// todo: refactor into step
@@ -511,6 +569,43 @@ func runPreStep(step actionStep) common.Executor {
 			}
 			return fmt.Errorf("missing steps in composite action")

+		case model.ActionRunsUsingGo:
+			// defaults in pre steps were missing, however provided inputs are available
+			populateEnvsFromInput(ctx, step.getEnv(), action, rc)
+			// todo: refactor into step
+			var actionDir string
+			var actionPath string
+			if _, ok := step.(*stepActionRemote); ok {
+				actionPath = newRemoteAction(stepModel.Uses).Path
+				actionDir = fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(stepModel.Uses))
+			} else {
+				actionDir = filepath.Join(rc.Config.Workdir, stepModel.Uses)
+				actionPath = ""
+			}
+
+			actionLocation := ""
+			if actionPath != "" {
+				actionLocation = path.Join(actionDir, actionPath)
+			} else {
+				actionLocation = actionDir
+			}
+
+			_, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)
+
+			if err := maybeCopyToActionDir(ctx, step, actionDir, actionPath, containerActionDir); err != nil {
+				return err
+			}
+
+			rc.ApplyExtraPath(ctx, step.getEnv())
+
+			execFileName := fmt.Sprintf("%s.out", action.Runs.Pre)
+			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Pre}
+			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
+
+			return common.NewPipelineExecutor(
+				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
+				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
+			)(ctx)
 		default:
 			return nil
 		}
@@ -547,7 +642,9 @@ func hasPostStep(step actionStep) common.Conditional {
 		action := step.getActionModel()
 		return action.Runs.Using == model.ActionRunsUsingComposite ||
 			((action.Runs.Using == model.ActionRunsUsingNode12 ||
-				action.Runs.Using == model.ActionRunsUsingNode16) &&
+				action.Runs.Using == model.ActionRunsUsingNode16 ||
+				action.Runs.Using == model.ActionRunsUsingNode20 ||
+				action.Runs.Using == model.ActionRunsUsingGo) &&
 				action.Runs.Post != "")
 	}
 }
@@ -582,7 +679,7 @@ func runPostStep(step actionStep) common.Executor {
 		_, containerActionDir := getContainerActionPaths(stepModel, actionLocation, rc)

 		switch action.Runs.Using {
-		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16:
+		case model.ActionRunsUsingNode12, model.ActionRunsUsingNode16, model.ActionRunsUsingNode20:

 			populateEnvsFromSavedState(step.getEnv(), step, rc)

@@ -603,6 +700,19 @@ func runPostStep(step actionStep) common.Executor {
 			}
 			return fmt.Errorf("missing steps in composite action")

+		case model.ActionRunsUsingGo:
+			populateEnvsFromSavedState(step.getEnv(), step, rc)
+			rc.ApplyExtraPath(ctx, step.getEnv())
+
+			execFileName := fmt.Sprintf("%s.out", action.Runs.Post)
+			buildArgs := []string{"go", "build", "-o", execFileName, action.Runs.Post}
+			execArgs := []string{filepath.Join(containerActionDir, execFileName)}
+
+			return common.NewPipelineExecutor(
+				rc.execJobContainer(buildArgs, *step.getEnv(), "", containerActionDir),
+				rc.execJobContainer(execArgs, *step.getEnv(), "", ""),
+			)(ctx)
+
 		default:
 			return nil
 		}
--- a/pkg/runner/action_cache.go
+++ b/pkg/runner/action_cache.go
@@ -0,0 +1,181 @@
+package runner
+
+import (
+	"archive/tar"
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"path"
+	"strings"
+
+	git "github.com/go-git/go-git/v5"
+	config "github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/object"
+	"github.com/go-git/go-git/v5/plumbing/transport"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+)
+
+type ActionCache interface {
+	Fetch(ctx context.Context, cacheDir, url, ref, token string) (string, error)
+	GetTarArchive(ctx context.Context, cacheDir, sha, includePrefix string) (io.ReadCloser, error)
+}
+
+type GoGitActionCache struct {
+	Path string
+}
+
+func (c GoGitActionCache) Fetch(ctx context.Context, cacheDir, url, ref, token string) (string, error) {
+	gitPath := path.Join(c.Path, safeFilename(cacheDir)+".git")
+	gogitrepo, err := git.PlainInit(gitPath, true)
+	if errors.Is(err, git.ErrRepositoryAlreadyExists) {
+		gogitrepo, err = git.PlainOpen(gitPath)
+	}
+	if err != nil {
+		return "", err
+	}
+	tmpBranch := make([]byte, 12)
+	if _, err := rand.Read(tmpBranch); err != nil {
+		return "", err
+	}
+	branchName := hex.EncodeToString(tmpBranch)
+	var refSpec config.RefSpec
+	spec := config.RefSpec(ref + ":" + branchName)
+	tagOrSha := false
+	if spec.IsExactSHA1() {
+		refSpec = spec
+	} else if strings.HasPrefix(ref, "refs/") {
+		refSpec = config.RefSpec(ref + ":refs/heads/" + branchName)
+	} else {
+		tagOrSha = true
+		refSpec = config.RefSpec("refs/*/" + ref + ":refs/heads/*/" + branchName)
+	}
+	var auth transport.AuthMethod
+	if token != "" {
+		auth = &http.BasicAuth{
+			Username: "token",
+			Password: token,
+		}
+	}
+	remote, err := gogitrepo.CreateRemoteAnonymous(&config.RemoteConfig{
+		Name: "anonymous",
+		URLs: []string{
+			url,
+		},
+	})
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		if refs, err := gogitrepo.References(); err == nil {
+			_ = refs.ForEach(func(r *plumbing.Reference) error {
+				if strings.Contains(r.Name().String(), branchName) {
+					return gogitrepo.DeleteBranch(r.Name().String())
+				}
+				return nil
+			})
+		}
+	}()
+	if err := remote.FetchContext(ctx, &git.FetchOptions{
+		RefSpecs: []config.RefSpec{
+			refSpec,
+		},
+		Auth:  auth,
+		Force: true,
+	}); err != nil {
+		if tagOrSha && errors.Is(err, git.NoErrAlreadyUpToDate) {
+			return "", fmt.Errorf("couldn't find remote ref \"%s\"", ref)
+		}
+		return "", err
+	}
+	if tagOrSha {
+		for _, prefix := range []string{"refs/heads/tags/", "refs/heads/heads/"} {
+			hash, err := gogitrepo.ResolveRevision(plumbing.Revision(prefix + branchName))
+			if err == nil {
+				return hash.String(), nil
+			}
+		}
+	}
+	hash, err := gogitrepo.ResolveRevision(plumbing.Revision(branchName))
+	if err != nil {
+		return "", err
+	}
+	return hash.String(), nil
+}
+
+func (c GoGitActionCache) GetTarArchive(ctx context.Context, cacheDir, sha, includePrefix string) (io.ReadCloser, error) {
+	gitPath := path.Join(c.Path, safeFilename(cacheDir)+".git")
+	gogitrepo, err := git.PlainOpen(gitPath)
+	if err != nil {
+		return nil, err
+	}
+	commit, err := gogitrepo.CommitObject(plumbing.NewHash(sha))
+	if err != nil {
+		return nil, err
+	}
+	files, err := commit.Files()
+	if err != nil {
+		return nil, err
+	}
+	rpipe, wpipe := io.Pipe()
+	// Interrupt io.Copy using ctx
+	ch := make(chan int, 1)
+	go func() {
+		select {
+		case <-ctx.Done():
+			wpipe.CloseWithError(ctx.Err())
+		case <-ch:
+		}
+	}()
+	go func() {
+		defer wpipe.Close()
+		defer close(ch)
+		tw := tar.NewWriter(wpipe)
+		cleanIncludePrefix := path.Clean(includePrefix)
+		wpipe.CloseWithError(files.ForEach(func(f *object.File) error {
+			if err := ctx.Err(); err != nil {
+				return err
+			}
+			name := f.Name
+			if strings.HasPrefix(name, cleanIncludePrefix+"/") {
+				name = name[len(cleanIncludePrefix)+1:]
+			} else if cleanIncludePrefix != "." && name != cleanIncludePrefix {
+				return nil
+			}
+			fmode, err := f.Mode.ToOSFileMode()
+			if err != nil {
+				return err
+			}
+			if fmode&fs.ModeSymlink == fs.ModeSymlink {
+				content, err := f.Contents()
+				if err != nil {
+					return err
+				}
+				return tw.WriteHeader(&tar.Header{
+					Name:     name,
+					Mode:     int64(fmode),
+					Linkname: content,
+				})
+			}
+			err = tw.WriteHeader(&tar.Header{
+				Name: name,
+				Mode: int64(fmode),
+				Size: f.Size,
+			})
+			if err != nil {
+				return err
+			}
+			reader, err := f.Reader()
+			if err != nil {
+				return err
+			}
+			_, err = io.Copy(tw, reader)
+			return err
+		}))
+	}()
+	return rpipe, err
+}
--- a/pkg/runner/action_cache_test.go
+++ b/pkg/runner/action_cache_test.go
@@ -0,0 +1,37 @@
+package runner
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+//nolint:gosec
+func TestActionCache(t *testing.T) {
+	a := assert.New(t)
+	cache := &GoGitActionCache{
+		Path: os.TempDir(),
+	}
+	ctx := context.Background()
+	sha, err := cache.Fetch(ctx, "christopherhx/script", "https://github.com/christopherhx/script", "main", "")
+	a.NoError(err)
+	a.NotEmpty(sha)
+	atar, err := cache.GetTarArchive(ctx, "christopherhx/script", sha, "node_modules")
+	a.NoError(err)
+	a.NotEmpty(atar)
+	mytar := tar.NewReader(atar)
+	th, err := mytar.Next()
+	a.NoError(err)
+	a.NotEqual(0, th.Size)
+	buf := &bytes.Buffer{}
+	// G110: Potential DoS vulnerability via decompression bomb (gosec)
+	_, err = io.Copy(buf, mytar)
+	a.NoError(err)
+	str := buf.String()
+	a.NotEmpty(str)
+}
--- a/pkg/runner/action_composite.go
+++ b/pkg/runner/action_composite.go
@@ -37,6 +37,9 @@ func evaluateCompositeInputAndEnv(ctx context.Context, parent *RunContext, step
 			env[envKey] = ee.Interpolate(ctx, input.Default)
 		}
 	}
+	gh := step.getGithubContext(ctx)
+	env["GITHUB_ACTION_REPOSITORY"] = gh.ActionRepository
+	env["GITHUB_ACTION_REF"] = gh.ActionRef

 	return env
 }
@@ -53,11 +56,11 @@ func newCompositeRunContext(ctx context.Context, parent *RunContext, step action
 		Name:    parent.Name,
 		JobName: parent.JobName,
 		Run: &model.Run{
-			JobID: "composite-job",
+			JobID: parent.Run.JobID,
 			Workflow: &model.Workflow{
 				Name: parent.Run.Workflow.Name,
 				Jobs: map[string]*model.Job{
-					"composite-job": {},
+					parent.Run.JobID: {},
 				},
 			},
 		},
@@ -137,6 +140,7 @@ func (rc *RunContext) compositeExecutor(action *model.Action) *compositeSteps {
 		if step.ID == "" {
 			step.ID = fmt.Sprintf("%d", i)
 		}
+		step.Number = i

 		// create a copy of the step, since this composite action could
 		// run multiple times and we might modify the instance
--- a/pkg/runner/command.go
+++ b/pkg/runner/command.go
@@ -77,7 +77,8 @@ func (rc *RunContext) commandHandler(ctx context.Context) common.LineHandler {
 			logger.Infof("  \U00002753  %s", line)
 		}

-		return false
+		// return true to let gitea's logger handle these special outputs also
+		return true
 	}
 }

@@ -171,7 +172,7 @@ func unescapeKvPairs(kvPairs map[string]string) map[string]string {
 	return kvPairs
 }

-func (rc *RunContext) saveState(ctx context.Context, kvPairs map[string]string, arg string) {
+func (rc *RunContext) saveState(_ context.Context, kvPairs map[string]string, arg string) {
 	stepID := rc.CurrentStep
 	if stepID != "" {
 		if rc.IntraActionState == nil {
--- a/pkg/runner/expression.go
+++ b/pkg/runner/expression.go
@@ -1,12 +1,19 @@
 package runner

 import (
+	"bytes"
 	"context"
 	"fmt"
+	"path"
+	"reflect"
 	"regexp"
 	"strings"
+	"time"
+
+	_ "embed"

 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/exprparser"
 	"github.com/nektos/act/pkg/model"
 	"gopkg.in/yaml.v3"
@@ -75,12 +82,14 @@ func (rc *RunContext) NewExpressionEvaluatorWithEnv(ctx context.Context, env map
 		Jobs:   &workflowCallResult,
 		// todo: should be unavailable
 		// but required to interpolate/evaluate the step outputs on the job
-		Steps:    rc.getStepsContext(),
-		Secrets:  getWorkflowSecrets(ctx, rc),
-		Strategy: strategy,
-		Matrix:   rc.Matrix,
-		Needs:    using,
-		Inputs:   inputs,
+		Steps:     rc.getStepsContext(),
+		Secrets:   getWorkflowSecrets(ctx, rc),
+		Vars:      getWorkflowVars(ctx, rc),
+		Strategy:  strategy,
+		Matrix:    rc.Matrix,
+		Needs:     using,
+		Inputs:    inputs,
+		HashFiles: getHashFilesFunction(ctx, rc),
 	}
 	if rc.JobContainer != nil {
 		ee.Runner = rc.JobContainer.GetRunnerContext(ctx)
@@ -94,6 +103,9 @@ func (rc *RunContext) NewExpressionEvaluatorWithEnv(ctx context.Context, env map
 	}
 }

+//go:embed hashfiles/index.js
+var hashfiles string
+
 // NewExpressionEvaluator creates a new evaluator
 func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step) ExpressionEvaluator {
 	// todo: cleanup EvaluationEnvironment creation
@@ -124,12 +136,14 @@ func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step)
 		Job:      rc.getJobContext(),
 		Steps:    rc.getStepsContext(),
 		Secrets:  getWorkflowSecrets(ctx, rc),
+		Vars:     getWorkflowVars(ctx, rc),
 		Strategy: strategy,
 		Matrix:   rc.Matrix,
 		Needs:    using,
 		// todo: should be unavailable
 		// but required to interpolate/evaluate the inputs in actions/composite
-		Inputs: inputs,
+		Inputs:    inputs,
+		HashFiles: getHashFilesFunction(ctx, rc),
 	}
 	if rc.JobContainer != nil {
 		ee.Runner = rc.JobContainer.GetRunnerContext(ctx)
@@ -143,6 +157,67 @@ func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step)
 	}
 }

+func getHashFilesFunction(ctx context.Context, rc *RunContext) func(v []reflect.Value) (interface{}, error) {
+	hashFiles := func(v []reflect.Value) (interface{}, error) {
+		if rc.JobContainer != nil {
+			timeed, cancel := context.WithTimeout(ctx, time.Minute)
+			defer cancel()
+			name := "workflow/hashfiles/index.js"
+			hout := &bytes.Buffer{}
+			herr := &bytes.Buffer{}
+			patterns := []string{}
+			followSymlink := false
+
+			for i, p := range v {
+				s := p.String()
+				if i == 0 {
+					if strings.HasPrefix(s, "--") {
+						if strings.EqualFold(s, "--follow-symbolic-links") {
+							followSymlink = true
+							continue
+						}
+						return "", fmt.Errorf("Invalid glob option %s, available option: '--follow-symbolic-links'", s)
+					}
+				}
+				patterns = append(patterns, s)
+			}
+			env := map[string]string{}
+			for k, v := range rc.Env {
+				env[k] = v
+			}
+			env["patterns"] = strings.Join(patterns, "\n")
+			if followSymlink {
+				env["followSymbolicLinks"] = "true"
+			}
+
+			stdout, stderr := rc.JobContainer.ReplaceLogWriter(hout, herr)
+			_ = rc.JobContainer.Copy(rc.JobContainer.GetActPath(), &container.FileEntry{
+				Name: name,
+				Mode: 0o644,
+				Body: hashfiles,
+			}).
+				Then(rc.execJobContainer([]string{"node", path.Join(rc.JobContainer.GetActPath(), name)},
+					env, "", "")).
+				Finally(func(context.Context) error {
+					rc.JobContainer.ReplaceLogWriter(stdout, stderr)
+					return nil
+				})(timeed)
+			output := hout.String() + "\n" + herr.String()
+			guard := "__OUTPUT__"
+			outstart := strings.Index(output, guard)
+			if outstart != -1 {
+				outstart += len(guard)
+				outend := strings.Index(output[outstart:], guard)
+				if outend != -1 {
+					return output[outstart : outstart+outend], nil
+				}
+			}
+		}
+		return "", nil
+	}
+	return hashFiles
+}
+
 type expressionEvaluator struct {
 	interpreter exprparser.Interpreter
 }
@@ -158,67 +233,117 @@ func (ee expressionEvaluator) evaluate(ctx context.Context, in string, defaultSt
 	return evaluated, err
 }

-func (ee expressionEvaluator) evaluateScalarYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateScalarYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
 	var in string
 	if err := node.Decode(&in); err != nil {
-		return err
+		return nil, err
 	}
 	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
-		return nil
+		return nil, nil
 	}
 	expr, _ := rewriteSubExpression(ctx, in, false)
 	res, err := ee.evaluate(ctx, expr, exprparser.DefaultStatusCheckNone)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return node.Encode(res)
+	ret := &yaml.Node{}
+	if err := ret.Encode(res); err != nil {
+		return nil, err
+	}
+	return ret, err
 }

-func (ee expressionEvaluator) evaluateMappingYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateMappingYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
 	// GitHub has this undocumented feature to merge maps, called insert directive
 	insertDirective := regexp.MustCompile(`\${{\s*insert\s*}}`)
-	for i := 0; i < len(node.Content)/2; {
+	for i := 0; i < len(node.Content)/2; i++ {
+		changed := func() error {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return err
+				}
+				ret.Content = ret.Content[:i*2]
+			}
+			return nil
+		}
 		k := node.Content[i*2]
 		v := node.Content[i*2+1]
-		if err := ee.EvaluateYamlNode(ctx, v); err != nil {
-			return err
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v)
+		if err != nil {
+			return nil, err
+		}
+		if ev != nil {
+			if err := changed(); err != nil {
+				return nil, err
+			}
+		} else {
+			ev = v
 		}
 		var sk string
 		// Merge the nested map of the insert directive
 		if k.Decode(&sk) == nil && insertDirective.MatchString(sk) {
-			node.Content = append(append(node.Content[:i*2], v.Content...), node.Content[(i+1)*2:]...)
-			i += len(v.Content) / 2
-		} else {
-			if err := ee.EvaluateYamlNode(ctx, k); err != nil {
-				return err
+			if ev.Kind != yaml.MappingNode {
+				return nil, fmt.Errorf("failed to insert node %v into mapping %v unexpected type %v expected MappingNode", ev, node, ev.Kind)
+			}
+			if err := changed(); err != nil {
+				return nil, err
+			}
+			ret.Content = append(ret.Content, ev.Content...)
+		} else {
+			ek, err := ee.evaluateYamlNodeInternal(ctx, k)
+			if err != nil {
+				return nil, err
+			}
+			if ek != nil {
+				if err := changed(); err != nil {
+					return nil, err
+				}
+			} else {
+				ek = k
+			}
+			if ret != nil {
+				ret.Content = append(ret.Content, ek, ev)
 			}
-			i++
 		}
 	}
-	return nil
+	return ret, nil
 }

-func (ee expressionEvaluator) evaluateSequenceYamlNode(ctx context.Context, node *yaml.Node) error {
-	for i := 0; i < len(node.Content); {
+func (ee expressionEvaluator) evaluateSequenceYamlNode(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
+	for i := 0; i < len(node.Content); i++ {
 		v := node.Content[i]
 		// Preserve nested sequences
 		wasseq := v.Kind == yaml.SequenceNode
-		if err := ee.EvaluateYamlNode(ctx, v); err != nil {
-			return err
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v)
+		if err != nil {
+			return nil, err
 		}
-		// GitHub has this undocumented feature to merge sequences / arrays
-		// We have a nested sequence via evaluation, merge the arrays
-		if v.Kind == yaml.SequenceNode && !wasseq {
-			node.Content = append(append(node.Content[:i], v.Content...), node.Content[i+1:]...)
-			i += len(v.Content)
-		} else {
-			i++
+		if ev != nil {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return nil, err
+				}
+				ret.Content = ret.Content[:i]
+			}
+			// GitHub has this undocumented feature to merge sequences / arrays
+			// We have a nested sequence via evaluation, merge the arrays
+			if ev.Kind == yaml.SequenceNode && !wasseq {
+				ret.Content = append(ret.Content, ev.Content...)
+			} else {
+				ret.Content = append(ret.Content, ev)
+			}
+		} else if ret != nil {
+			ret.Content = append(ret.Content, v)
 		}
 	}
-	return nil
+	return ret, nil
 }

-func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.Node) error {
+func (ee expressionEvaluator) evaluateYamlNodeInternal(ctx context.Context, node *yaml.Node) (*yaml.Node, error) {
 	switch node.Kind {
 	case yaml.ScalarNode:
 		return ee.evaluateScalarYamlNode(ctx, node)
@@ -227,10 +352,21 @@ func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.N
 	case yaml.SequenceNode:
 		return ee.evaluateSequenceYamlNode(ctx, node)
 	default:
-		return nil
+		return nil, nil
 	}
 }

+func (ee expressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.Node) error {
+	ret, err := ee.evaluateYamlNodeInternal(ctx, node)
+	if err != nil {
+		return err
+	}
+	if ret != nil {
+		return ret.Decode(node)
+	}
+	return nil
+}
+
 func (ee expressionEvaluator) Interpolate(ctx context.Context, in string) string {
 	if !strings.Contains(in, "${{") || !strings.Contains(in, "}}") {
 		return in
@@ -334,6 +470,7 @@ func rewriteSubExpression(ctx context.Context, in string, forceFormat bool) (str
 	return out, nil
 }

+//nolint:gocyclo
 func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *model.GithubContext) map[string]interface{} {
 	inputs := map[string]interface{}{}

@@ -369,6 +506,22 @@ func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *mod
 		}
 	}

+	if ghc.EventName == "workflow_call" {
+		config := rc.Run.Workflow.WorkflowCallConfig()
+		if config != nil && config.Inputs != nil {
+			for k, v := range config.Inputs {
+				value := nestedMapLookup(ghc.Event, "inputs", k)
+				if value == nil {
+					value = v.Default
+				}
+				if v.Type == "boolean" {
+					inputs[k] = value == "true"
+				} else {
+					inputs[k] = value
+				}
+			}
+		}
+	}
 	return inputs
 }

@@ -422,3 +575,7 @@ func getWorkflowSecrets(ctx context.Context, rc *RunContext) map[string]string {

 	return rc.Config.Secrets
 }
+
+func getWorkflowVars(_ context.Context, rc *RunContext) map[string]string {
+	return rc.Config.Vars
+}
--- a/pkg/runner/expression_test.go
+++ b/pkg/runner/expression_test.go
@@ -28,6 +28,9 @@ func createRunContext(t *testing.T) *RunContext {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"key": "value",
@@ -122,6 +125,8 @@ func TestEvaluateRunContext(t *testing.T) {
 		{"env.key", "value", ""},
 		{"secrets.CASE_INSENSITIVE_SECRET", "value", ""},
 		{"secrets.case_insensitive_secret", "value", ""},
+		{"vars.CASE_INSENSITIVE_VAR", "value", ""},
+		{"vars.case_insensitive_var", "value", ""},
 		{"format('{{0}}', 'test')", "{0}", ""},
 		{"format('{{{0}}}', 'test')", "{test}", ""},
 		{"format('}}')", "}", ""},
@@ -195,6 +200,9 @@ func TestInterpolate(t *testing.T) {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"KEYWITHNOTHING":       "valuewithnothing",
@@ -229,6 +237,8 @@ func TestInterpolate(t *testing.T) {
 		{" ${{ env.KEY_WITH_UNDERSCORES }} ", " value_with_underscores "},
 		{"${{ secrets.CASE_INSENSITIVE_SECRET }}", "value"},
 		{"${{ secrets.case_insensitive_secret }}", "value"},
+		{"${{ vars.CASE_INSENSITIVE_VAR }}", "value"},
+		{"${{ vars.case_insensitive_var }}", "value"},
 		{"${{ env.UNKNOWN }}", ""},
 		{"${{ env.SOMETHING_TRUE }}", "true"},
 		{"${{ env.SOMETHING_FALSE }}", "false"},
--- a/pkg/runner/hashfiles/index.js
+++ b/pkg/runner/hashfiles/index.js
--- a/pkg/runner/job_executor.go
+++ b/pkg/runner/job_executor.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
 )

@@ -19,6 +20,7 @@ type jobInfo interface {
 	result(result string)
 }

+//nolint:contextcheck,gocyclo
 func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executor {
 	steps := make([]common.Executor, 0)
 	preSteps := make([]common.Executor, 0)
@@ -62,6 +64,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 		if stepModel.ID == "" {
 			stepModel.ID = fmt.Sprintf("%d", i)
 		}
+		stepModel.Number = i

 		step, err := sf.newStep(stepModel, rc)

@@ -69,7 +72,19 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 			return common.NewErrorExecutor(err)
 		}

-		preSteps = append(preSteps, useStepLogger(rc, stepModel, stepStagePre, step.pre()))
+		preExec := step.pre()
+		preSteps = append(preSteps, useStepLogger(rc, stepModel, stepStagePre, func(ctx context.Context) error {
+			logger := common.Logger(ctx)
+			preErr := preExec(ctx)
+			if preErr != nil {
+				logger.Errorf("%v", preErr)
+				common.SetJobError(ctx, preErr)
+			} else if ctx.Err() != nil {
+				logger.Errorf("%v", ctx.Err())
+				common.SetJobError(ctx, ctx.Err())
+			}
+			return preErr
+		}))

 		stepExec := step.main()
 		steps = append(steps, useStepLogger(rc, stepModel, stepStageMain, func(ctx context.Context) error {
@@ -87,7 +102,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo

 		postExec := useStepLogger(rc, stepModel, stepStagePost, step.post())
 		if postExecutor != nil {
-			// run the post exector in reverse order
+			// run the post executor in reverse order
 			postExecutor = postExec.Finally(postExecutor)
 		} else {
 			postExecutor = postExec
@@ -101,7 +116,24 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 			// always allow 1 min for stopping and removing the runner, even if we were cancelled
 			ctx, cancel := context.WithTimeout(common.WithLogger(context.Background(), common.Logger(ctx)), time.Minute)
 			defer cancel()
-			err = info.stopContainer()(ctx)
+
+			logger := common.Logger(ctx)
+			logger.Infof("Cleaning up container for job %s", rc.JobName)
+			if err = info.stopContainer()(ctx); err != nil {
+				logger.Errorf("Error while stop job container: %v", err)
+			}
+
+			if !rc.IsHostEnv(ctx) && rc.Config.ContainerNetworkMode == "" {
+				// clean network in docker mode only
+				// if the value of `ContainerNetworkMode` is empty string,
+				// it means that the network to which containers are connecting is created by `act_runner`,
+				// so, we should remove the network at last.
+				networkName, _ := rc.networkName()
+				logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, networkName)
+				if err := container.NewDockerNetworkRemoveExecutor(networkName)(ctx); err != nil {
+					logger.Errorf("Error while cleaning network: %v", err)
+				}
+			}
 		}
 		setJobResult(ctx, info, rc, jobError == nil)
 		setJobOutputs(ctx, rc)
@@ -114,7 +146,7 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 	pipeline = append(pipeline, steps...)

 	return common.NewPipelineExecutor(info.startContainer(), common.NewPipelineExecutor(pipeline...).
-		Finally(func(ctx context.Context) error {
+		Finally(func(ctx context.Context) error { //nolint:contextcheck
 			var cancel context.CancelFunc
 			if ctx.Err() == context.Canceled {
 				// in case of an aborted run, we still should execute the
@@ -173,7 +205,7 @@ func setJobOutputs(ctx context.Context, rc *RunContext) {

 func useStepLogger(rc *RunContext, stepModel *model.Step, stage stepStage, executor common.Executor) common.Executor {
 	return func(ctx context.Context) error {
-		ctx = withStepLogger(ctx, stepModel.ID, rc.ExprEval.Interpolate(ctx, stepModel.String()), stage.String())
+		ctx = withStepLogger(ctx, stepModel.Number, stepModel.ID, rc.ExprEval.Interpolate(ctx, stepModel.String()), stage.String())

 		rawLogger := common.Logger(ctx).WithField("raw_output", true)
 		logWriter := common.NewLineWriter(rc.commandHandler(ctx), func(s string) bool {
--- a/pkg/runner/job_executor_test.go
+++ b/pkg/runner/job_executor_test.go
@@ -82,7 +82,7 @@ type jobContainerMock struct {
 	container.LinuxContainerEnvironmentExtensions
 }

-func (jcm *jobContainerMock) ReplaceLogWriter(stdout, stderr io.Writer) (io.Writer, io.Writer) {
+func (jcm *jobContainerMock) ReplaceLogWriter(_, _ io.Writer) (io.Writer, io.Writer) {
 	return nil, nil
 }

--- a/pkg/runner/logger.go
+++ b/pkg/runner/logger.go
@@ -85,7 +85,8 @@ func WithJobLogger(ctx context.Context, jobID string, jobName string, config *Co
 			defer mux.Unlock()
 			nextColor++
 			formatter = &jobLogFormatter{
-				color: colors[nextColor%len(colors)],
+				color:          colors[nextColor%len(colors)],
+				logPrefixJobID: config.LogPrefixJobID,
 			}
 		}

@@ -95,6 +96,17 @@ func WithJobLogger(ctx context.Context, jobID string, jobName string, config *Co
 		logger.SetFormatter(formatter)
 	}

+	{ // Adapt to Gitea
+		if hook := common.LoggerHook(ctx); hook != nil {
+			logger.AddHook(hook)
+		}
+		if config.JobLoggerLevel != nil {
+			logger.SetLevel(*config.JobLoggerLevel)
+		} else {
+			logger.SetLevel(logrus.TraceLevel)
+		}
+	}
+
 	logger.SetFormatter(&maskedFormatter{
 		Formatter: logger.Formatter,
 		masker:    valueMasker(config.InsecureSecrets, config.Secrets),
@@ -131,11 +143,12 @@ func WithCompositeStepLogger(ctx context.Context, stepID string) context.Context
 	}).WithContext(ctx))
 }

-func withStepLogger(ctx context.Context, stepID string, stepName string, stageName string) context.Context {
+func withStepLogger(ctx context.Context, stepNumber int, stepID, stepName, stageName string) context.Context {
 	rtn := common.Logger(ctx).WithFields(logrus.Fields{
-		"step":   stepName,
-		"stepID": []string{stepID},
-		"stage":  stageName,
+		"stepNumber": stepNumber,
+		"step":       stepName,
+		"stepID":     []string{stepID},
+		"stage":      stageName,
 	})
 	return common.WithLogger(ctx, rtn)
 }
@@ -176,7 +189,8 @@ func (f *maskedFormatter) Format(entry *logrus.Entry) ([]byte, error) {
 }

 type jobLogFormatter struct {
-	color int
+	color          int
+	logPrefixJobID bool
 }

 func (f *jobLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
@@ -194,7 +208,14 @@ func (f *jobLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {

 func (f *jobLogFormatter) printColored(b *bytes.Buffer, entry *logrus.Entry) {
 	entry.Message = strings.TrimSuffix(entry.Message, "\n")
-	jobName := entry.Data["job"]
+
+	var job any
+	if f.logPrefixJobID {
+		job = entry.Data["jobID"]
+	} else {
+		job = entry.Data["job"]
+	}
+
 	debugFlag := ""
 	if entry.Level == logrus.DebugLevel {
 		debugFlag = "[DEBUG] "
@@ -203,26 +224,33 @@ func (f *jobLogFormatter) printColored(b *bytes.Buffer, entry *logrus.Entry) {
 	if entry.Data["raw_output"] == true {
 		fmt.Fprintf(b, "\x1b[%dm|\x1b[0m %s", f.color, entry.Message)
 	} else if entry.Data["dryrun"] == true {
-		fmt.Fprintf(b, "\x1b[1m\x1b[%dm\x1b[7m*DRYRUN*\x1b[0m \x1b[%dm[%s] \x1b[0m%s%s", gray, f.color, jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "\x1b[1m\x1b[%dm\x1b[7m*DRYRUN*\x1b[0m \x1b[%dm[%s] \x1b[0m%s%s", gray, f.color, job, debugFlag, entry.Message)
 	} else {
-		fmt.Fprintf(b, "\x1b[%dm[%s] \x1b[0m%s%s", f.color, jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "\x1b[%dm[%s] \x1b[0m%s%s", f.color, job, debugFlag, entry.Message)
 	}
 }

 func (f *jobLogFormatter) print(b *bytes.Buffer, entry *logrus.Entry) {
 	entry.Message = strings.TrimSuffix(entry.Message, "\n")
-	jobName := entry.Data["job"]
+
+	var job any
+	if f.logPrefixJobID {
+		job = entry.Data["jobID"]
+	} else {
+		job = entry.Data["job"]
+	}
+
 	debugFlag := ""
 	if entry.Level == logrus.DebugLevel {
 		debugFlag = "[DEBUG] "
 	}

 	if entry.Data["raw_output"] == true {
-		fmt.Fprintf(b, "[%s]   | %s", jobName, entry.Message)
+		fmt.Fprintf(b, "[%s]   | %s", job, entry.Message)
 	} else if entry.Data["dryrun"] == true {
-		fmt.Fprintf(b, "*DRYRUN* [%s] %s%s", jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "*DRYRUN* [%s] %s%s", job, debugFlag, entry.Message)
 	} else {
-		fmt.Fprintf(b, "[%s] %s%s", jobName, debugFlag, entry.Message)
+		fmt.Fprintf(b, "[%s] %s%s", job, debugFlag, entry.Message)
 	}
 }

--- a/pkg/runner/reusable_workflow.go
+++ b/pkg/runner/reusable_workflow.go
@@ -1,6 +1,7 @@
 package runner

 import (
+	"archive/tar"
 	"context"
 	"errors"
 	"fmt"
@@ -8,6 +9,7 @@ import (
 	"os"
 	"path"
 	"regexp"
+	"strings"
 	"sync"

 	"github.com/nektos/act/pkg/common"
@@ -16,26 +18,101 @@ import (
 )

 func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
-	return newReusableWorkflowExecutor(rc, rc.Config.Workdir, rc.Run.Job().Uses)
+	if !rc.Config.NoSkipCheckout {
+		fullPath := rc.Run.Job().Uses
+
+		fileName := path.Base(fullPath)
+		workflowDir := strings.TrimSuffix(fullPath, path.Join("/", fileName))
+		workflowDir = strings.TrimPrefix(workflowDir, "./")
+
+		return common.NewPipelineExecutor(
+			newReusableWorkflowExecutor(rc, workflowDir, fileName),
+		)
+	}
+
+	// ./.gitea/workflows/wf.yml -> .gitea/workflows/wf.yml
+	trimmedUses := strings.TrimPrefix(rc.Run.Job().Uses, "./")
+	// uses string format is {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}
+	uses := fmt.Sprintf("%s/%s@%s", rc.Config.PresetGitHubContext.Repository, trimmedUses, rc.Config.PresetGitHubContext.Sha)
+
+	remoteReusableWorkflow := newRemoteReusableWorkflowWithPlat(rc.Config.GitHubInstance, uses)
+	if remoteReusableWorkflow == nil {
+		return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
+	}
+
+	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(uses))
+
+	// If the repository is private, we need a token to clone it
+	token := rc.Config.GetToken()
+
+	return common.NewPipelineExecutor(
+		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir, token)),
+		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
+	)
 }

 func newRemoteReusableWorkflowExecutor(rc *RunContext) common.Executor {
 	uses := rc.Run.Job().Uses

-	remoteReusableWorkflow := newRemoteReusableWorkflow(uses)
+	remoteReusableWorkflow := newRemoteReusableWorkflowWithPlat(rc.Config.GitHubInstance, uses)
 	if remoteReusableWorkflow == nil {
-		return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.github/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
+		return common.NewErrorExecutor(fmt.Errorf("expected format {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}. Actual '%s' Input string was not in a correct format", uses))
 	}
-	remoteReusableWorkflow.URL = rc.Config.GitHubInstance

-	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(uses))
+	// uses with safe filename makes the target directory look something like this {owner}-{repo}-.github-workflows-{filename}@{ref}
+	// instead we will just use {owner}-{repo}@{ref} as our target directory. This should also improve performance when we are using
+	// multiple reusable workflows from the same repository and ref since for each workflow we won't have to clone it again
+	filename := fmt.Sprintf("%s/%s@%s", remoteReusableWorkflow.Org, remoteReusableWorkflow.Repo, remoteReusableWorkflow.Ref)
+	workflowDir := fmt.Sprintf("%s/%s", rc.ActionCacheDir(), safeFilename(filename))
+
+	// FIXME: if the reusable workflow is from a private repository, we need to provide a token to access the repository.
+	token := ""
+
+	if rc.Config.ActionCache != nil {
+		return newActionCacheReusableWorkflowExecutor(rc, filename, remoteReusableWorkflow)
+	}

 	return common.NewPipelineExecutor(
-		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir)),
-		newReusableWorkflowExecutor(rc, workflowDir, fmt.Sprintf("./.github/workflows/%s", remoteReusableWorkflow.Filename)),
+		newMutexExecutor(cloneIfRequired(rc, *remoteReusableWorkflow, workflowDir, token)),
+		newReusableWorkflowExecutor(rc, workflowDir, remoteReusableWorkflow.FilePath()),
 	)
 }

+func newActionCacheReusableWorkflowExecutor(rc *RunContext, filename string, remoteReusableWorkflow *remoteReusableWorkflow) common.Executor {
+	return func(ctx context.Context) error {
+		ghctx := rc.getGithubContext(ctx)
+		remoteReusableWorkflow.URL = ghctx.ServerURL
+		sha, err := rc.Config.ActionCache.Fetch(ctx, filename, remoteReusableWorkflow.CloneURL(), remoteReusableWorkflow.Ref, ghctx.Token)
+		if err != nil {
+			return err
+		}
+		archive, err := rc.Config.ActionCache.GetTarArchive(ctx, filename, sha, fmt.Sprintf(".github/workflows/%s", remoteReusableWorkflow.Filename))
+		if err != nil {
+			return err
+		}
+		defer archive.Close()
+		treader := tar.NewReader(archive)
+		if _, err = treader.Next(); err != nil {
+			return err
+		}
+		planner, err := model.NewSingleWorkflowPlanner(remoteReusableWorkflow.Filename, treader)
+		if err != nil {
+			return err
+		}
+		plan, err := planner.PlanEvent("workflow_call")
+		if err != nil {
+			return err
+		}
+
+		runner, err := NewReusableWorkflowRunner(rc)
+		if err != nil {
+			return err
+		}
+
+		return runner.NewPlanExecutor(plan)(ctx)
+	}
+}
+
 var (
 	executorLock sync.Mutex
 )
@@ -49,19 +126,26 @@ func newMutexExecutor(executor common.Executor) common.Executor {
 	}
 }

-func cloneIfRequired(rc *RunContext, remoteReusableWorkflow remoteReusableWorkflow, targetDirectory string) common.Executor {
+func cloneIfRequired(rc *RunContext, remoteReusableWorkflow remoteReusableWorkflow, targetDirectory, token string) common.Executor {
 	return common.NewConditionalExecutor(
 		func(ctx context.Context) bool {
 			_, err := os.Stat(targetDirectory)
 			notExists := errors.Is(err, fs.ErrNotExist)
 			return notExists
 		},
-		git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
-			URL:   remoteReusableWorkflow.CloneURL(),
-			Ref:   remoteReusableWorkflow.Ref,
-			Dir:   targetDirectory,
-			Token: rc.Config.Token,
-		}),
+		func(ctx context.Context) error {
+			// Do not change the remoteReusableWorkflow.URL, because:
+			// 	1. Gitea doesn't support specifying GithubContext.ServerURL by the GITHUB_SERVER_URL env
+			//	2. Gitea has already full URL with rc.Config.GitHubInstance when calling newRemoteReusableWorkflowWithPlat
+			// remoteReusableWorkflow.URL = rc.getGithubContext(ctx).ServerURL
+			return git.NewGitCloneExecutor(git.NewGitCloneExecutorInput{
+				URL:         remoteReusableWorkflow.CloneURL(),
+				Ref:         remoteReusableWorkflow.Ref,
+				Dir:         targetDirectory,
+				Token:       token,
+				OfflineMode: rc.Config.ActionOfflineMode,
+			})(ctx)
+		},
 		nil,
 	)
 }
@@ -105,12 +189,44 @@ type remoteReusableWorkflow struct {
 	Repo     string
 	Filename string
 	Ref      string
+
+	GitPlatform string
 }

 func (r *remoteReusableWorkflow) CloneURL() string {
+	// In Gitea, r.URL always has the protocol prefix, we don't need to add extra prefix in this case.
+	if strings.HasPrefix(r.URL, "http://") || strings.HasPrefix(r.URL, "https://") {
+		return fmt.Sprintf("%s/%s/%s", r.URL, r.Org, r.Repo)
+	}
 	return fmt.Sprintf("https://%s/%s/%s", r.URL, r.Org, r.Repo)
 }

+func (r *remoteReusableWorkflow) FilePath() string {
+	return fmt.Sprintf("./.%s/workflows/%s", r.GitPlatform, r.Filename)
+}
+
+// For Gitea
+// newRemoteReusableWorkflowWithPlat create a `remoteReusableWorkflow`
+// workflows from `.gitea/workflows` and `.github/workflows` are supported
+func newRemoteReusableWorkflowWithPlat(url, uses string) *remoteReusableWorkflow {
+	// GitHub docs:
+	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
+	r := regexp.MustCompile(`^([^/]+)/([^/]+)/\.([^/]+)/workflows/([^@]+)@(.*)$`)
+	matches := r.FindStringSubmatch(uses)
+	if len(matches) != 6 {
+		return nil
+	}
+	return &remoteReusableWorkflow{
+		Org:         matches[1],
+		Repo:        matches[2],
+		GitPlatform: matches[3],
+		Filename:    matches[4],
+		Ref:         matches[5],
+		URL:         url,
+	}
+}
+
+// deprecated: use newRemoteReusableWorkflowWithPlat
 func newRemoteReusableWorkflow(uses string) *remoteReusableWorkflow {
 	// GitHub docs:
 	// https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
@@ -124,6 +240,6 @@ func newRemoteReusableWorkflow(uses string) *remoteReusableWorkflow {
 		Repo:     matches[2],
 		Filename: matches[3],
 		Ref:      matches[4],
-		URL:      "github.com",
+		URL:      "https://github.com",
 	}
 }
--- a/pkg/runner/run_context.go
+++ b/pkg/runner/run_context.go
@@ -17,12 +17,12 @@ import (
 	"runtime"
 	"strings"

-	"github.com/opencontainers/selinux/go-selinux"
-
+	"github.com/docker/go-connections/nat"
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/exprparser"
 	"github.com/nektos/act/pkg/model"
+	"github.com/opencontainers/selinux/go-selinux"
 )

 // RunContext contains info about current job
@@ -40,6 +40,7 @@ type RunContext struct {
 	IntraActionState    map[string]map[string]string
 	ExprEval            ExpressionEvaluator
 	JobContainer        container.ExecutionsEnvironment
+	ServiceContainers   []container.ExecutionsEnvironment
 	OutputMappings      map[MappableOutput]MappableOutput
 	JobName             string
 	ActionPath          string
@@ -63,7 +64,7 @@ func (rc *RunContext) String() string {
 	if rc.caller != nil {
 		// prefix the reusable workflow with the caller job
 		// this is required to create unique container names
-		name = fmt.Sprintf("%s/%s", rc.caller.runContext.Run.JobID, name)
+		name = fmt.Sprintf("%s/%s", rc.caller.runContext.Name, name)
 	}
 	return name
 }
@@ -80,11 +81,28 @@ func (rc *RunContext) GetEnv() map[string]string {
 		}
 	}
 	rc.Env["ACT"] = "true"
+
+	if !rc.Config.NoSkipCheckout {
+		rc.Env["ACT_SKIP_CHECKOUT"] = "true"
+	}
+
 	return rc.Env
 }

 func (rc *RunContext) jobContainerName() string {
-	return createContainerName("act", rc.String())
+	return createSimpleContainerName(rc.Config.ContainerNamePrefix, "WORKFLOW-"+rc.Run.Workflow.Name, "JOB-"+rc.Name)
+}
+
+// networkName return the name of the network which will be created by `act` automatically for job,
+// only create network if using a service container
+func (rc *RunContext) networkName() (string, bool) {
+	if len(rc.Run.Job().Services) > 0 {
+		return fmt.Sprintf("%s-%s-network", rc.jobContainerName(), rc.Run.JobID), true
+	}
+	if rc.Config.ContainerNetworkMode == "" {
+		return "host", false
+	}
+	return string(rc.Config.ContainerNetworkMode), false
 }

 func getDockerDaemonSocketMountPath(daemonPath string) string {
@@ -122,7 +140,7 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 	ext := container.LinuxContainerEnvironmentExtensions{}

 	mounts := map[string]string{
-		"act-toolcache": "/toolcache",
+		"act-toolcache": "/opt/hostedtoolcache",
 		name + "-env":   ext.GetActPath(),
 	}

@@ -154,6 +172,14 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 		mounts[name] = ext.ToContainerPath(rc.Config.Workdir)
 	}

+	// For Gitea
+	// add some default binds and mounts to ValidVolumes
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, "act-toolcache")
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, name)
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, name+"-env")
+	// TODO: add a new configuration to control whether the docker daemon can be mounted
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, getDockerDaemonSocketMountPath(rc.Config.ContainerDaemonSocket))
+
 	return binds, mounts
 }

@@ -226,6 +252,7 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 	}
 }

+//nolint:gocyclo
 func (rc *RunContext) startJobContainer() common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
@@ -247,6 +274,9 @@ func (rc *RunContext) startJobContainer() common.Executor {

 		logger.Infof("\U0001f680  Start image=%s", image)
 		name := rc.jobContainerName()
+		// For gitea, to support --volumes-from <container_name_or_id> in options.
+		// We need to set the container name to the environment variable.
+		rc.Env["JOB_CONTAINER_NAME"] = name

 		envList := make([]string, 0)

@@ -259,41 +289,149 @@ func (rc *RunContext) startJobContainer() common.Executor {
 		ext := container.LinuxContainerEnvironmentExtensions{}
 		binds, mounts := rc.GetBindsAndMounts()

+		// specify the network to which the container will connect when `docker create` stage. (like execute command line: docker create --network <networkName> <image>)
+		networkName := string(rc.Config.ContainerNetworkMode)
+		var createAndDeleteNetwork bool
+		if networkName == "" {
+			// if networkName is empty string, will create a new network for the containers.
+			// and it will be removed after at last.
+			networkName, createAndDeleteNetwork = rc.networkName()
+		}
+
+		// add service containers
+		for serviceID, spec := range rc.Run.Job().Services {
+			// interpolate env
+			interpolatedEnvs := make(map[string]string, len(spec.Env))
+			for k, v := range spec.Env {
+				interpolatedEnvs[k] = rc.ExprEval.Interpolate(ctx, v)
+			}
+			envs := make([]string, 0, len(interpolatedEnvs))
+			for k, v := range interpolatedEnvs {
+				envs = append(envs, fmt.Sprintf("%s=%s", k, v))
+			}
+			interpolatedCmd := make([]string, 0, len(spec.Cmd))
+			for _, v := range spec.Cmd {
+				interpolatedCmd = append(interpolatedCmd, rc.ExprEval.Interpolate(ctx, v))
+			}
+
+			username, password, err = rc.handleServiceCredentials(ctx, spec.Credentials)
+			if err != nil {
+				return fmt.Errorf("failed to handle service %s credentials: %w", serviceID, err)
+			}
+
+			interpolatedVolumes := make([]string, 0, len(spec.Volumes))
+			for _, volume := range spec.Volumes {
+				interpolatedVolumes = append(interpolatedVolumes, rc.ExprEval.Interpolate(ctx, volume))
+			}
+			serviceBinds, serviceMounts := rc.GetServiceBindsAndMounts(interpolatedVolumes)
+
+			interpolatedPorts := make([]string, 0, len(spec.Ports))
+			for _, port := range spec.Ports {
+				interpolatedPorts = append(interpolatedPorts, rc.ExprEval.Interpolate(ctx, port))
+			}
+			exposedPorts, portBindings, err := nat.ParsePortSpecs(interpolatedPorts)
+			if err != nil {
+				return fmt.Errorf("failed to parse service %s ports: %w", serviceID, err)
+			}
+
+			serviceContainerName := createContainerName(rc.jobContainerName(), serviceID)
+			c := container.NewContainer(&container.NewContainerInput{
+				Name:           serviceContainerName,
+				WorkingDir:     ext.ToContainerPath(rc.Config.Workdir),
+				Image:          rc.ExprEval.Interpolate(ctx, spec.Image),
+				Username:       username,
+				Password:       password,
+				Cmd:            interpolatedCmd,
+				Env:            envs,
+				Mounts:         serviceMounts,
+				Binds:          serviceBinds,
+				Stdout:         logWriter,
+				Stderr:         logWriter,
+				Privileged:     rc.Config.Privileged,
+				UsernsMode:     rc.Config.UsernsMode,
+				Platform:       rc.Config.ContainerArchitecture,
+				AutoRemove:     rc.Config.AutoRemove,
+				Options:        rc.ExprEval.Interpolate(ctx, spec.Options),
+				NetworkMode:    networkName,
+				NetworkAliases: []string{serviceID},
+				ExposedPorts:   exposedPorts,
+				PortBindings:   portBindings,
+				ValidVolumes:   rc.Config.ValidVolumes,
+			})
+			rc.ServiceContainers = append(rc.ServiceContainers, c)
+		}
+
 		rc.cleanUpJobContainer = func(ctx context.Context) error {
-			if rc.JobContainer != nil && !rc.Config.ReuseContainers {
-				return rc.JobContainer.Remove().
-					Then(container.NewDockerVolumeRemoveExecutor(rc.jobContainerName(), false)).
-					Then(container.NewDockerVolumeRemoveExecutor(rc.jobContainerName()+"-env", false))(ctx)
+			reuseJobContainer := func(ctx context.Context) bool {
+				return rc.Config.ReuseContainers
+			}
+
+			if rc.JobContainer != nil {
+				return rc.JobContainer.Remove().IfNot(reuseJobContainer).
+					Then(container.NewDockerVolumeRemoveExecutor(rc.jobContainerName(), false)).IfNot(reuseJobContainer).
+					Then(container.NewDockerVolumeRemoveExecutor(rc.jobContainerName()+"-env", false)).IfNot(reuseJobContainer).
+					Then(func(ctx context.Context) error {
+						if len(rc.ServiceContainers) > 0 {
+							logger.Infof("Cleaning up services for job %s", rc.JobName)
+							if err := rc.stopServiceContainers()(ctx); err != nil {
+								logger.Errorf("Error while cleaning services: %v", err)
+							}
+							if createAndDeleteNetwork {
+								// clean network if it has been created by act
+								// if using service containers
+								// it means that the network to which containers are connecting is created by `act_runner`,
+								// so, we should remove the network at last.
+								logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, networkName)
+								if err := container.NewDockerNetworkRemoveExecutor(networkName)(ctx); err != nil {
+									logger.Errorf("Error while cleaning network: %v", err)
+								}
+							}
+						}
+						return nil
+					})(ctx)
 			}
 			return nil
 		}

+		jobContainerNetwork := rc.Config.ContainerNetworkMode.NetworkName()
+		if rc.containerImage(ctx) != "" {
+			jobContainerNetwork = networkName
+		} else if jobContainerNetwork == "" {
+			jobContainerNetwork = "host"
+		}
+
 		rc.JobContainer = container.NewContainer(&container.NewContainerInput{
-			Cmd:         nil,
-			Entrypoint:  []string{"tail", "-f", "/dev/null"},
-			WorkingDir:  ext.ToContainerPath(rc.Config.Workdir),
-			Image:       image,
-			Username:    username,
-			Password:    password,
-			Name:        name,
-			Env:         envList,
-			Mounts:      mounts,
-			NetworkMode: "host",
-			Binds:       binds,
-			Stdout:      logWriter,
-			Stderr:      logWriter,
-			Privileged:  rc.Config.Privileged,
-			UsernsMode:  rc.Config.UsernsMode,
-			Platform:    rc.Config.ContainerArchitecture,
-			Options:     rc.options(ctx),
+			Cmd:            nil,
+			Entrypoint:     []string{"tail", "-f", "/dev/null"},
+			WorkingDir:     ext.ToContainerPath(rc.Config.Workdir),
+			Image:          image,
+			Username:       username,
+			Password:       password,
+			Name:           name,
+			Env:            envList,
+			Mounts:         mounts,
+			NetworkMode:    jobContainerNetwork,
+			NetworkAliases: []string{rc.Name},
+			Binds:          binds,
+			Stdout:         logWriter,
+			Stderr:         logWriter,
+			Privileged:     rc.Config.Privileged,
+			UsernsMode:     rc.Config.UsernsMode,
+			Platform:       rc.Config.ContainerArchitecture,
+			Options:        rc.options(ctx),
+			AutoRemove:     rc.Config.AutoRemove,
+			ValidVolumes:   rc.Config.ValidVolumes,
 		})
 		if rc.JobContainer == nil {
 			return errors.New("Failed to create job container")
 		}

 		return common.NewPipelineExecutor(
+			rc.pullServicesImages(rc.Config.ForcePull),
 			rc.JobContainer.Pull(rc.Config.ForcePull),
 			rc.stopJobContainer(),
+			container.NewDockerNetworkCreateExecutor(networkName).IfBool(!rc.IsHostEnv(ctx) && rc.Config.ContainerNetworkMode == ""), // if the value of `ContainerNetworkMode` is empty string, then will create a new network for containers.
+			rc.startServiceContainers(networkName),
 			rc.JobContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 			rc.JobContainer.Start(false),
 			rc.JobContainer.Copy(rc.JobContainer.GetActPath()+"/", &container.FileEntry{
@@ -369,20 +507,57 @@ func (rc *RunContext) UpdateExtraPath(ctx context.Context, githubEnvPath string)
 	return nil
 }

-// stopJobContainer removes the job container (if it exists) and its volume (if it exists) if !rc.Config.ReuseContainers
+// stopJobContainer removes the job container (if it exists) and its volume (if it exists)
 func (rc *RunContext) stopJobContainer() common.Executor {
 	return func(ctx context.Context) error {
-		if rc.cleanUpJobContainer != nil && !rc.Config.ReuseContainers {
+		if rc.cleanUpJobContainer != nil {
 			return rc.cleanUpJobContainer(ctx)
 		}
 		return nil
 	}
 }

+func (rc *RunContext) pullServicesImages(forcePull bool) common.Executor {
+	return func(ctx context.Context) error {
+		execs := []common.Executor{}
+		for _, c := range rc.ServiceContainers {
+			execs = append(execs, c.Pull(forcePull))
+		}
+		return common.NewParallelExecutor(len(execs), execs...)(ctx)
+	}
+}
+
+func (rc *RunContext) startServiceContainers(_ string) common.Executor {
+	return func(ctx context.Context) error {
+		execs := []common.Executor{}
+		for _, c := range rc.ServiceContainers {
+			execs = append(execs, common.NewPipelineExecutor(
+				c.Pull(false),
+				c.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
+				c.Start(false),
+			))
+		}
+		return common.NewParallelExecutor(len(execs), execs...)(ctx)
+	}
+}
+
+func (rc *RunContext) stopServiceContainers() common.Executor {
+	return func(ctx context.Context) error {
+		execs := []common.Executor{}
+		for _, c := range rc.ServiceContainers {
+			execs = append(execs, c.Remove().Finally(c.Close()))
+		}
+		return common.NewParallelExecutor(len(execs), execs...)(ctx)
+	}
+}
+
 // Prepare the mounts and binds for the worker

 // ActionCacheDir is for rc
 func (rc *RunContext) ActionCacheDir() string {
+	if rc.Config.ActionCacheDir != "" {
+		return rc.Config.ActionCacheDir
+	}
 	var xdgCache string
 	var ok bool
 	if xdgCache, ok = os.LookupEnv("XDG_CACHE_HOME"); !ok || xdgCache == "" {
@@ -420,8 +595,9 @@ func (rc *RunContext) startContainer() common.Executor {
 }

 func (rc *RunContext) IsHostEnv(ctx context.Context) bool {
-	image := rc.platformImage(ctx)
-	return strings.EqualFold(image, "-self-hosted")
+	platform := rc.runsOnImage(ctx)
+	image := rc.containerImage(ctx)
+	return image == "" && strings.EqualFold(platform, "-self-hosted")
 }

 func (rc *RunContext) stopContainer() common.Executor {
@@ -450,16 +626,19 @@ func (rc *RunContext) steps() []*model.Step {
 }

 // Executor returns a pipeline executor for all the steps in the job
-func (rc *RunContext) Executor() common.Executor {
+func (rc *RunContext) Executor() (common.Executor, error) {
 	var executor common.Executor
+	var jobType, err = rc.Run.Job().Type()

-	switch rc.Run.Job().Type() {
+	switch jobType {
 	case model.JobTypeDefault:
 		executor = newJobExecutor(rc, &stepFactoryImpl{}, rc)
 	case model.JobTypeReusableWorkflowLocal:
 		executor = newLocalReusableWorkflowExecutor(rc)
 	case model.JobTypeReusableWorkflowRemote:
 		executor = newRemoteReusableWorkflowExecutor(rc)
+	case model.JobTypeInvalid:
+		return nil, err
 	}

 	return func(ctx context.Context) error {
@@ -471,10 +650,10 @@ func (rc *RunContext) Executor() common.Executor {
 			return executor(ctx)
 		}
 		return nil
-	}
+	}, nil
 }

-func (rc *RunContext) platformImage(ctx context.Context) string {
+func (rc *RunContext) containerImage(ctx context.Context) string {
 	job := rc.Run.Job()

 	c := job.Container()
@@ -482,12 +661,26 @@ func (rc *RunContext) platformImage(ctx context.Context) string {
 		return rc.ExprEval.Interpolate(ctx, c.Image)
 	}

-	if job.RunsOn() == nil {
+	return ""
+}
+
+func (rc *RunContext) runsOnImage(ctx context.Context) string {
+	if rc.Run.Job().RunsOn() == nil {
 		common.Logger(ctx).Errorf("'runs-on' key not defined in %s", rc.String())
 	}

-	for _, runnerLabel := range job.RunsOn() {
-		platformName := rc.ExprEval.Interpolate(ctx, runnerLabel)
+	runsOn := rc.Run.Job().RunsOn()
+	for i, v := range runsOn {
+		runsOn[i] = rc.ExprEval.Interpolate(ctx, v)
+	}
+
+	if pick := rc.Config.PlatformPicker; pick != nil {
+		if image := pick(runsOn); image != "" {
+			return image
+		}
+	}
+
+	for _, platformName := range rc.runsOnPlatformNames(ctx) {
 		image := rc.Config.Platforms[strings.ToLower(platformName)]
 		if image != "" {
 			return image
@@ -497,40 +690,65 @@ func (rc *RunContext) platformImage(ctx context.Context) string {
 	return ""
 }

+func (rc *RunContext) runsOnPlatformNames(ctx context.Context) []string {
+	job := rc.Run.Job()
+
+	if job.RunsOn() == nil {
+		return []string{}
+	}
+
+	if err := rc.ExprEval.EvaluateYamlNode(ctx, &job.RawRunsOn); err != nil {
+		common.Logger(ctx).Errorf("Error while evaluating runs-on: %v", err)
+		return []string{}
+	}
+
+	return job.RunsOn()
+}
+
+func (rc *RunContext) platformImage(ctx context.Context) string {
+	if containerImage := rc.containerImage(ctx); containerImage != "" {
+		return containerImage
+	}
+
+	return rc.runsOnImage(ctx)
+}
+
 func (rc *RunContext) options(ctx context.Context) string {
 	job := rc.Run.Job()
 	c := job.Container()
-	if c == nil {
-		return rc.Config.ContainerOptions
+	if c != nil {
+		return rc.Config.ContainerOptions + " " + rc.ExprEval.Interpolate(ctx, c.Options)
 	}

-	return c.Options
+	return rc.Config.ContainerOptions
 }

 func (rc *RunContext) isEnabled(ctx context.Context) (bool, error) {
 	job := rc.Run.Job()
 	l := common.Logger(ctx)
-	runJob, err := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
-	if err != nil {
-		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, err)
+	runJob, runJobErr := EvalBool(ctx, rc.ExprEval, job.If.Value, exprparser.DefaultStatusCheckSuccess)
+	jobType, jobTypeErr := job.Type()
+
+	if runJobErr != nil {
+		return false, fmt.Errorf("  \u274C  Error in if-expression: \"if: %s\" (%s)", job.If.Value, runJobErr)
 	}
+
+	if jobType == model.JobTypeInvalid {
+		return false, jobTypeErr
+	}
+
 	if !runJob {
 		l.WithField("jobResult", "skipped").Debugf("Skipping job '%s' due to '%s'", job.Name, job.If.Value)
 		return false, nil
 	}

-	if job.Type() != model.JobTypeDefault {
+	if jobType != model.JobTypeDefault {
 		return true, nil
 	}

 	img := rc.platformImage(ctx)
 	if img == "" {
-		if job.RunsOn() == nil {
-			l.Errorf("'runs-on' key not defined in %s", rc.String())
-		}
-
-		for _, runnerLabel := range job.RunsOn() {
-			platformName := rc.ExprEval.Interpolate(ctx, runnerLabel)
+		for _, platformName := range rc.runsOnPlatformNames(ctx) {
 			l.Infof("\U0001F6A7  Skipping unsupported platform -- Try running with `-P %+v=...`", platformName)
 		}
 		return false, nil
@@ -548,6 +766,7 @@ func mergeMaps(maps ...map[string]string) map[string]string {
 	return rtnMap
 }

+// deprecated: use createSimpleContainerName
 func createContainerName(parts ...string) string {
 	name := strings.Join(parts, "-")
 	pattern := regexp.MustCompile("[^a-zA-Z0-9]")
@@ -561,6 +780,22 @@ func createContainerName(parts ...string) string {
 	return fmt.Sprintf("%s-%x", trimmedName, hash)
 }

+func createSimpleContainerName(parts ...string) string {
+	pattern := regexp.MustCompile("[^a-zA-Z0-9-]")
+	name := make([]string, 0, len(parts))
+	for _, v := range parts {
+		v = pattern.ReplaceAllString(v, "-")
+		v = strings.Trim(v, "-")
+		for strings.Contains(v, "--") {
+			v = strings.ReplaceAll(v, "--", "-")
+		}
+		if v != "" {
+			name = append(name, v)
+		}
+	}
+	return strings.Join(name, "_")
+}
+
 func trimToLen(s string, l int) string {
 	if l < 0 {
 		l = 0
@@ -601,6 +836,8 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 		Token:            rc.Config.Token,
 		Job:              rc.Run.JobID,
 		ActionPath:       rc.ActionPath,
+		ActionRepository: rc.Env["GITHUB_ACTION_REPOSITORY"],
+		ActionRef:        rc.Env["GITHUB_ACTION_REF"],
 		RepositoryOwner:  rc.Config.Env["GITHUB_REPOSITORY_OWNER"],
 		RetentionDays:    rc.Config.Env["GITHUB_RETENTION_DAYS"],
 		RunnerPerflog:    rc.Config.Env["RUNNER_PERFLOG"],
@@ -641,6 +878,36 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 		ghc.Actor = "nektos/act"
 	}

+	{ // Adapt to Gitea
+		if preset := rc.Config.PresetGitHubContext; preset != nil {
+			ghc.Event = preset.Event
+			ghc.RunID = preset.RunID
+			ghc.RunNumber = preset.RunNumber
+			ghc.Actor = preset.Actor
+			ghc.Repository = preset.Repository
+			ghc.EventName = preset.EventName
+			ghc.Sha = preset.Sha
+			ghc.Ref = preset.Ref
+			ghc.RefName = preset.RefName
+			ghc.RefType = preset.RefType
+			ghc.HeadRef = preset.HeadRef
+			ghc.BaseRef = preset.BaseRef
+			ghc.Token = preset.Token
+			ghc.RepositoryOwner = preset.RepositoryOwner
+			ghc.RetentionDays = preset.RetentionDays
+
+			instance := rc.Config.GitHubInstance
+			if !strings.HasPrefix(instance, "http://") &&
+				!strings.HasPrefix(instance, "https://") {
+				instance = "https://" + instance
+			}
+			ghc.ServerURL = instance
+			ghc.APIURL = instance + "/api/v1" // the version of Gitea is v1
+			ghc.GraphQLURL = ""               // Gitea doesn't support graphql
+			return ghc
+		}
+	}
+
 	if rc.EventJSON != "" {
 		err := json.Unmarshal([]byte(rc.EventJSON), &ghc.Event)
 		if err != nil {
@@ -670,6 +937,18 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 		ghc.APIURL = fmt.Sprintf("https://%s/api/v3", rc.Config.GitHubInstance)
 		ghc.GraphQLURL = fmt.Sprintf("https://%s/api/graphql", rc.Config.GitHubInstance)
 	}
+
+	{ // Adapt to Gitea
+		instance := rc.Config.GitHubInstance
+		if !strings.HasPrefix(instance, "http://") &&
+			!strings.HasPrefix(instance, "https://") {
+			instance = "https://" + instance
+		}
+		ghc.ServerURL = instance
+		ghc.APIURL = instance + "/api/v1" // the version of Gitea is v1
+		ghc.GraphQLURL = ""               // Gitea doesn't support graphql
+	}
+
 	// allow to be overridden by user
 	if rc.Config.Env["GITHUB_SERVER_URL"] != "" {
 		ghc.ServerURL = rc.Config.Env["GITHUB_SERVER_URL"]
@@ -746,7 +1025,6 @@ func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubCon
 	env["GITHUB_REF"] = github.Ref
 	env["GITHUB_REF_NAME"] = github.RefName
 	env["GITHUB_REF_TYPE"] = github.RefType
-	env["GITHUB_TOKEN"] = github.Token
 	env["GITHUB_JOB"] = github.Job
 	env["GITHUB_REPOSITORY_OWNER"] = github.RepositoryOwner
 	env["GITHUB_RETENTION_DAYS"] = github.RetentionDays
@@ -758,22 +1036,29 @@ func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubCon
 	env["GITHUB_API_URL"] = github.APIURL
 	env["GITHUB_GRAPHQL_URL"] = github.GraphQLURL

+	{ // Adapt to Gitea
+		instance := rc.Config.GitHubInstance
+		if !strings.HasPrefix(instance, "http://") &&
+			!strings.HasPrefix(instance, "https://") {
+			instance = "https://" + instance
+		}
+		env["GITHUB_SERVER_URL"] = instance
+		env["GITHUB_API_URL"] = instance + "/api/v1" // the version of Gitea is v1
+		env["GITHUB_GRAPHQL_URL"] = ""               // Gitea doesn't support graphql
+	}
+
 	if rc.Config.ArtifactServerPath != "" {
 		setActionRuntimeVars(rc, env)
 	}

-	job := rc.Run.Job()
-	if job.RunsOn() != nil {
-		for _, runnerLabel := range job.RunsOn() {
-			platformName := rc.ExprEval.Interpolate(ctx, runnerLabel)
-			if platformName != "" {
-				if platformName == "ubuntu-latest" {
-					// hardcode current ubuntu-latest since we have no way to check that 'on the fly'
-					env["ImageOS"] = "ubuntu20"
-				} else {
-					platformName = strings.SplitN(strings.Replace(platformName, `-`, ``, 1), `.`, 2)[0]
-					env["ImageOS"] = platformName
-				}
+	for _, platformName := range rc.runsOnPlatformNames(ctx) {
+		if platformName != "" {
+			if platformName == "ubuntu-latest" {
+				// hardcode current ubuntu-latest since we have no way to check that 'on the fly'
+				env["ImageOS"] = "ubuntu20"
+			} else {
+				platformName = strings.SplitN(strings.Replace(platformName, `-`, ``, 1), `.`, 2)[0]
+				env["ImageOS"] = platformName
 			}
 		}
 	}
@@ -795,35 +1080,85 @@ func setActionRuntimeVars(rc *RunContext, env map[string]string) {
 	env["ACTIONS_RUNTIME_TOKEN"] = actionsRuntimeToken
 }

-func (rc *RunContext) handleCredentials(ctx context.Context) (username, password string, err error) {
+func (rc *RunContext) handleCredentials(ctx context.Context) (string, string, error) {
 	// TODO: remove below 2 lines when we can release act with breaking changes
-	username = rc.Config.Secrets["DOCKER_USERNAME"]
-	password = rc.Config.Secrets["DOCKER_PASSWORD"]
+	username := rc.Config.Secrets["DOCKER_USERNAME"]
+	password := rc.Config.Secrets["DOCKER_PASSWORD"]

 	container := rc.Run.Job().Container()
 	if container == nil || container.Credentials == nil {
-		return
+		return username, password, nil
 	}

 	if container.Credentials != nil && len(container.Credentials) != 2 {
+		err := fmt.Errorf("invalid property count for key 'credentials:'")
+		return "", "", err
+	}
+
+	ee := rc.NewExpressionEvaluator(ctx)
+	if username = ee.Interpolate(ctx, container.Credentials["username"]); username == "" {
+		err := fmt.Errorf("failed to interpolate container.credentials.username")
+		return "", "", err
+	}
+	if password = ee.Interpolate(ctx, container.Credentials["password"]); password == "" {
+		err := fmt.Errorf("failed to interpolate container.credentials.password")
+		return "", "", err
+	}
+
+	if container.Credentials["username"] == "" || container.Credentials["password"] == "" {
+		err := fmt.Errorf("container.credentials cannot be empty")
+		return "", "", err
+	}
+
+	return username, password, nil
+}
+
+func (rc *RunContext) handleServiceCredentials(ctx context.Context, creds map[string]string) (username, password string, err error) {
+	if creds == nil {
+		return
+	}
+	if len(creds) != 2 {
 		err = fmt.Errorf("invalid property count for key 'credentials:'")
 		return
 	}

 	ee := rc.NewExpressionEvaluator(ctx)
-	if username = ee.Interpolate(ctx, container.Credentials["username"]); username == "" {
-		err = fmt.Errorf("failed to interpolate container.credentials.username")
-		return
-	}
-	if password = ee.Interpolate(ctx, container.Credentials["password"]); password == "" {
-		err = fmt.Errorf("failed to interpolate container.credentials.password")
+	if username = ee.Interpolate(ctx, creds["username"]); username == "" {
+		err = fmt.Errorf("failed to interpolate credentials.username")
 		return
 	}

-	if container.Credentials["username"] == "" || container.Credentials["password"] == "" {
-		err = fmt.Errorf("container.credentials cannot be empty")
+	if password = ee.Interpolate(ctx, creds["password"]); password == "" {
+		err = fmt.Errorf("failed to interpolate credentials.password")
 		return
 	}

-	return username, password, err
+	return
+}
+
+// GetServiceBindsAndMounts returns the binds and mounts for the service container, resolving paths as appopriate
+func (rc *RunContext) GetServiceBindsAndMounts(svcVolumes []string) ([]string, map[string]string) {
+	if rc.Config.ContainerDaemonSocket == "" {
+		rc.Config.ContainerDaemonSocket = "/var/run/docker.sock"
+	}
+	binds := []string{}
+	if rc.Config.ContainerDaemonSocket != "-" {
+		daemonPath := getDockerDaemonSocketMountPath(rc.Config.ContainerDaemonSocket)
+		binds = append(binds, fmt.Sprintf("%s:%s", daemonPath, "/var/run/docker.sock"))
+	}
+
+	mounts := map[string]string{}
+
+	for _, v := range svcVolumes {
+		if !strings.Contains(v, ":") || filepath.IsAbs(v) {
+			// Bind anonymous volume or host file.
+			binds = append(binds, v)
+		} else {
+			// Mount existing volume.
+			paths := strings.SplitN(v, ":", 2)
+			mounts[paths[0]] = paths[1]
+		}
+	}
+
+	return binds, mounts
 }
--- a/pkg/runner/run_context_test.go
+++ b/pkg/runner/run_context_test.go
@@ -470,6 +470,53 @@ func createJob(t *testing.T, input string, result string) *model.Job {
 	return job
 }

+func TestRunContextRunsOnPlatformNames(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+	assertObject := assert.New(t)
+
+	rc := createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: ubuntu-latest`, ""),
+	})
+	assertObject.Equal([]string{"ubuntu-latest"}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: ${{ 'ubuntu-latest' }}`, ""),
+	})
+	assertObject.Equal([]string{"ubuntu-latest"}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: [self-hosted, my-runner]`, ""),
+	})
+	assertObject.Equal([]string{"self-hosted", "my-runner"}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: [self-hosted, "${{ 'my-runner' }}"]`, ""),
+	})
+	assertObject.Equal([]string{"self-hosted", "my-runner"}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: ${{ fromJSON('["ubuntu-latest"]') }}`, ""),
+	})
+	assertObject.Equal([]string{"ubuntu-latest"}, rc.runsOnPlatformNames(context.Background()))
+
+	// test missing / invalid runs-on
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `name: something`, ""),
+	})
+	assertObject.Equal([]string{}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on:
+  mapping: value`, ""),
+	})
+	assertObject.Equal([]string{}, rc.runsOnPlatformNames(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `runs-on: ${{ invalid expression }}`, ""),
+	})
+	assertObject.Equal([]string{}, rc.runsOnPlatformNames(context.Background()))
+}
+
 func TestRunContextIsEnabled(t *testing.T) {
 	log.SetLevel(log.DebugLevel)
 	assertObject := assert.New(t)
@@ -572,6 +619,17 @@ if: always()`, ""),
 	})
 	rc.Run.JobID = "job2"
 	assertObject.True(rc.isEnabled(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `uses: ./.github/workflows/reusable.yml`, ""),
+	})
+	assertObject.True(rc.isEnabled(context.Background()))
+
+	rc = createIfTestRunContext(map[string]*model.Job{
+		"job1": createJob(t, `uses: ./.github/workflows/reusable.yml
+if: false`, ""),
+	})
+	assertObject.False(rc.isEnabled(context.Background()))
 }

 func TestRunContextGetEnv(t *testing.T) {
@@ -624,3 +682,24 @@ func TestRunContextGetEnv(t *testing.T) {
 		})
 	}
 }
+
+func Test_createSimpleContainerName(t *testing.T) {
+	tests := []struct {
+		parts []string
+		want  string
+	}{
+		{
+			parts: []string{"a--a", "BB正", "c-C"},
+			want:  "a-a_BB_c-C",
+		},
+		{
+			parts: []string{"a-a", "", "-"},
+			want:  "a-a",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(strings.Join(tt.parts, " "), func(t *testing.T) {
+			assert.Equalf(t, tt.want, createSimpleContainerName(tt.parts...), "createSimpleContainerName(%v)", tt.parts)
+		})
+	}
+}
--- a/pkg/runner/runner.go
+++ b/pkg/runner/runner.go
@@ -5,11 +5,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"runtime"
+	"time"

+	docker_container "github.com/docker/docker/api/types/container"
 	log "github.com/sirupsen/logrus"

 	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
 )

@@ -20,41 +22,65 @@ type Runner interface {

 // Config contains the config for a new runner
 type Config struct {
-	Actor                              string                     // the user that triggered the event
-	Workdir                            string                     // path to working directory
-	BindWorkdir                        bool                       // bind the workdir to the job container
-	EventName                          string                     // name of event to run
-	EventPath                          string                     // path to JSON file to use for event.json in containers
-	DefaultBranch                      string                     // name of the main branch for this repository
-	ReuseContainers                    bool                       // reuse containers to maintain state
-	ForcePull                          bool                       // force pulling of the image, even if already present
-	ForceRebuild                       bool                       // force rebuilding local docker image action
-	LogOutput                          bool                       // log the output from docker run
-	JSONLogger                         bool                       // use json or text logger
-	Env                                map[string]string          // env for containers
-	Inputs                             map[string]string          // manually passed action inputs
-	Secrets                            map[string]string          // list of secrets
-	Token                              string                     // GitHub token
-	InsecureSecrets                    bool                       // switch hiding output when printing to terminal
-	Platforms                          map[string]string          // list of platforms
-	Privileged                         bool                       // use privileged mode
-	UsernsMode                         string                     // user namespace to use
-	ContainerArchitecture              string                     // Desired OS/architecture platform for running containers
-	ContainerDaemonSocket              string                     // Path to Docker daemon socket
-	ContainerOptions                   string                     // Options for the job container
-	UseGitIgnore                       bool                       // controls if paths in .gitignore should not be copied into container, default true
-	GitHubInstance                     string                     // GitHub instance to use, default "github.com"
-	ContainerCapAdd                    []string                   // list of kernel capabilities to add to the containers
-	ContainerCapDrop                   []string                   // list of kernel capabilities to remove from the containers
-	AutoRemove                         bool                       // controls if the container is automatically removed upon workflow completion
-	ArtifactServerPath                 string                     // the path where the artifact server stores uploads
-	ArtifactServerAddr                 string                     // the address the artifact server binds to
-	ArtifactServerPort                 string                     // the port the artifact server binds to
-	NoSkipCheckout                     bool                       // do not skip actions/checkout
-	RemoteName                         string                     // remote name in local git repo config
-	ReplaceGheActionWithGithubCom      []string                   // Use actions from GitHub Enterprise instance to GitHub
-	ReplaceGheActionTokenWithGithubCom string                     // Token of private action repo on GitHub.
-	Matrix                             map[string]map[string]bool // Matrix config to run
+	Actor                              string                       // the user that triggered the event
+	Workdir                            string                       // path to working directory
+	ActionCacheDir                     string                       // path used for caching action contents
+	ActionOfflineMode                  bool                         // when offline, use caching action contents
+	BindWorkdir                        bool                         // bind the workdir to the job container
+	EventName                          string                       // name of event to run
+	EventPath                          string                       // path to JSON file to use for event.json in containers
+	DefaultBranch                      string                       // name of the main branch for this repository
+	ReuseContainers                    bool                         // reuse containers to maintain state
+	ForcePull                          bool                         // force pulling of the image, even if already present
+	ForceRebuild                       bool                         // force rebuilding local docker image action
+	LogOutput                          bool                         // log the output from docker run
+	JSONLogger                         bool                         // use json or text logger
+	LogPrefixJobID                     bool                         // switches from the full job name to the job id
+	Env                                map[string]string            // env for containers
+	Inputs                             map[string]string            // manually passed action inputs
+	Secrets                            map[string]string            // list of secrets
+	Vars                               map[string]string            // list of vars
+	Token                              string                       // GitHub token
+	InsecureSecrets                    bool                         // switch hiding output when printing to terminal
+	Platforms                          map[string]string            // list of platforms
+	Privileged                         bool                         // use privileged mode
+	UsernsMode                         string                       // user namespace to use
+	ContainerArchitecture              string                       // Desired OS/architecture platform for running containers
+	ContainerDaemonSocket              string                       // Path to Docker daemon socket
+	ContainerOptions                   string                       // Options for the job container
+	UseGitIgnore                       bool                         // controls if paths in .gitignore should not be copied into container, default true
+	GitHubInstance                     string                       // GitHub instance to use, default "github.com"
+	ContainerCapAdd                    []string                     // list of kernel capabilities to add to the containers
+	ContainerCapDrop                   []string                     // list of kernel capabilities to remove from the containers
+	AutoRemove                         bool                         // controls if the container is automatically removed upon workflow completion
+	ArtifactServerPath                 string                       // the path where the artifact server stores uploads
+	ArtifactServerAddr                 string                       // the address the artifact server binds to
+	ArtifactServerPort                 string                       // the port the artifact server binds to
+	NoSkipCheckout                     bool                         // do not skip actions/checkout
+	RemoteName                         string                       // remote name in local git repo config
+	ReplaceGheActionWithGithubCom      []string                     // Use actions from GitHub Enterprise instance to GitHub
+	ReplaceGheActionTokenWithGithubCom string                       // Token of private action repo on GitHub.
+	Matrix                             map[string]map[string]bool   // Matrix config to run
+	ContainerNetworkMode               docker_container.NetworkMode // the network mode of job containers (the value of --network)
+	ActionCache                        ActionCache                  // Use a custom ActionCache Implementation
+
+	PresetGitHubContext   *model.GithubContext         // the preset github context, overrides some fields like DefaultBranch, Env, Secrets etc.
+	EventJSON             string                       // the content of JSON file to use for event.json in containers, overrides EventPath
+	ContainerNamePrefix   string                       // the prefix of container name
+	ContainerMaxLifetime  time.Duration                // the max lifetime of job containers
+	DefaultActionInstance string                       // the default actions web site
+	PlatformPicker        func(labels []string) string // platform picker, it will take precedence over Platforms if isn't nil
+	JobLoggerLevel        *log.Level                   // the level of job logger
+	ValidVolumes          []string                     // only volumes (and bind mounts) in this slice can be mounted on the job container or service containers
+}
+
+// GetToken: Adapt to Gitea
+func (c Config) GetToken() string {
+	token := c.Secrets["GITHUB_TOKEN"]
+	if c.Secrets["GITEA_TOKEN"] != "" {
+		token = c.Secrets["GITEA_TOKEN"]
+	}
+	return token
 }

 type caller struct {
@@ -78,7 +104,9 @@ func New(runnerConfig *Config) (Runner, error) {

 func (runner *runnerImpl) configure() (Runner, error) {
 	runner.eventJSON = "{}"
-	if runner.config.EventPath != "" {
+	if runner.config.EventJSON != "" {
+		runner.eventJSON = runner.config.EventJSON
+	} else if runner.config.EventPath != "" {
 		log.Debugf("Reading event.json from %s", runner.config.EventPath)
 		eventJSONBytes, err := os.ReadFile(runner.config.EventPath)
 		if err != nil {
@@ -103,15 +131,45 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 	maxJobNameLen := 0

 	stagePipeline := make([]common.Executor, 0)
+	log.Debugf("Plan Stages: %v", plan.Stages)
+
 	for i := range plan.Stages {
 		stage := plan.Stages[i]
 		stagePipeline = append(stagePipeline, func(ctx context.Context) error {
 			pipeline := make([]common.Executor, 0)
 			for _, run := range stage.Runs {
+				log.Debugf("Stages Runs: %v", stage.Runs)
 				stageExecutor := make([]common.Executor, 0)
 				job := run.Job()
+				log.Debugf("Job.Name: %v", job.Name)
+				log.Debugf("Job.RawNeeds: %v", job.RawNeeds)
+				log.Debugf("Job.RawRunsOn: %v", job.RawRunsOn)
+				log.Debugf("Job.Env: %v", job.Env)
+				log.Debugf("Job.If: %v", job.If)
+				for step := range job.Steps {
+					if nil != job.Steps[step] {
+						log.Debugf("Job.Steps: %v", job.Steps[step].String())
+					}
+				}
+				log.Debugf("Job.TimeoutMinutes: %v", job.TimeoutMinutes)
+				log.Debugf("Job.Services: %v", job.Services)
+				log.Debugf("Job.Strategy: %v", job.Strategy)
+				log.Debugf("Job.RawContainer: %v", job.RawContainer)
+				log.Debugf("Job.Defaults.Run.Shell: %v", job.Defaults.Run.Shell)
+				log.Debugf("Job.Defaults.Run.WorkingDirectory: %v", job.Defaults.Run.WorkingDirectory)
+				log.Debugf("Job.Outputs: %v", job.Outputs)
+				log.Debugf("Job.Uses: %v", job.Uses)
+				log.Debugf("Job.With: %v", job.With)
+				// log.Debugf("Job.RawSecrets: %v", job.RawSecrets)
+				log.Debugf("Job.Result: %v", job.Result)

 				if job.Strategy != nil {
+					log.Debugf("Job.Strategy.FailFast: %v", job.Strategy.FailFast)
+					log.Debugf("Job.Strategy.MaxParallel: %v", job.Strategy.MaxParallel)
+					log.Debugf("Job.Strategy.FailFastString: %v", job.Strategy.FailFastString)
+					log.Debugf("Job.Strategy.MaxParallelString: %v", job.Strategy.MaxParallelString)
+					log.Debugf("Job.Strategy.RawMatrix: %v", job.Strategy.RawMatrix)
+
 					strategyRc := runner.newRunContext(ctx, run, nil)
 					if err := strategyRc.NewExpressionEvaluator(ctx).EvaluateYamlNode(ctx, &job.Strategy.RawMatrix); err != nil {
 						log.Errorf("Error while evaluating matrix: %v", err)
@@ -122,6 +180,8 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 				if m, err := job.GetMatrixes(); err != nil {
 					log.Errorf("Error while get job's matrix: %v", err)
 				} else {
+					log.Debugf("Job Matrices: %v", m)
+					log.Debugf("Runner Matrices: %v", runner.config.Matrix)
 					matrixes = selectMatrixes(m, runner.config.Matrix)
 				}
 				log.Debugf("Final matrix after applying user inclusions '%v'", matrixes)
@@ -147,19 +207,22 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 					}
 					stageExecutor = append(stageExecutor, func(ctx context.Context) error {
 						jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
-						return rc.Executor()(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
+						executor, err := rc.Executor()
+
+						if err != nil {
+							return err
+						}
+
+						return executor(common.WithJobErrorContainer(WithJobLogger(ctx, rc.Run.JobID, jobName, rc.Config, &rc.Masks, matrix)))
 					})
 				}
 				pipeline = append(pipeline, common.NewParallelExecutor(maxParallel, stageExecutor...))
 			}
-			var ncpu int
-			info, err := container.GetHostInfo(ctx)
-			if err != nil {
-				log.Errorf("failed to obtain container engine info: %s", err)
-				ncpu = 1 // sane default?
-			} else {
-				ncpu = info.NCPU
+			ncpu := runtime.NumCPU()
+			if 1 > ncpu {
+				ncpu = 1
 			}
+			log.Debugf("Detected CPUs: %d", ncpu)
 			return common.NewParallelExecutor(ncpu, pipeline...)(ctx)
 		})
 	}
--- a/pkg/runner/runner_test.go
+++ b/pkg/runner/runner_test.go
@@ -237,6 +237,7 @@ func TestRunEvent(t *testing.T) {
 		{workdir, "uses-composite-with-error", "push", "Job 'failing-composite-action' failed", platforms, secrets},
 		{workdir, "uses-nested-composite", "push", "", platforms, secrets},
 		{workdir, "remote-action-composite-js-pre-with-defaults", "push", "", platforms, secrets},
+		{workdir, "remote-action-composite-action-ref", "push", "", platforms, secrets},
 		{workdir, "uses-workflow", "push", "", platforms, map[string]string{"secret": "keep_it_private"}},
 		{workdir, "uses-workflow", "pull_request", "", platforms, map[string]string{"secret": "keep_it_private"}},
 		{workdir, "uses-docker-url", "push", "", platforms, secrets},
@@ -288,6 +289,7 @@ func TestRunEvent(t *testing.T) {
 		{workdir, "docker-action-custom-path", "push", "", platforms, secrets},
 		{workdir, "GITHUB_ENV-use-in-env-ctx", "push", "", platforms, secrets},
 		{workdir, "ensure-post-steps", "push", "Job 'second-post-step-should-fail' failed", platforms, secrets},
+		{workdir, "workflow_call_inputs", "workflow_call", "", platforms, secrets},
 		{workdir, "workflow_dispatch", "workflow_dispatch", "", platforms, secrets},
 		{workdir, "workflow_dispatch_no_inputs_mapping", "workflow_dispatch", "", platforms, secrets},
 		{workdir, "workflow_dispatch-scalar", "workflow_dispatch", "", platforms, secrets},
@@ -300,6 +302,11 @@ func TestRunEvent(t *testing.T) {
 		{workdir, "set-env-step-env-override", "push", "", platforms, secrets},
 		{workdir, "set-env-new-env-file-per-step", "push", "", platforms, secrets},
 		{workdir, "no-panic-on-invalid-composite-action", "push", "jobs failed due to invalid action", platforms, secrets},
+
+		// services
+		{workdir, "services", "push", "", platforms, secrets},
+		{workdir, "services-host-network", "push", "", platforms, secrets},
+		{workdir, "services-with-container", "push", "", platforms, secrets},
 	}

 	for _, table := range tables {
@@ -389,6 +396,7 @@ func TestRunEventHostEnvironment(t *testing.T) {
 		tables = append(tables, []TestJobFileInfo{
 			{workdir, "windows-prepend-path", "push", "", platforms, secrets},
 			{workdir, "windows-add-env", "push", "", platforms, secrets},
+			{workdir, "windows-shell-cmd", "push", "", platforms, secrets},
 		}...)
 	} else {
 		platforms := map[string]string{
@@ -546,6 +554,43 @@ func TestRunEventSecrets(t *testing.T) {
 	tjfi.runTest(context.Background(), t, &Config{Secrets: secrets, Env: env})
 }

+func TestRunWithService(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	log.SetLevel(log.DebugLevel)
+	ctx := context.Background()
+
+	platforms := map[string]string{
+		"ubuntu-latest": "node:12.20.1-buster-slim",
+	}
+
+	workflowPath := "services"
+	eventName := "push"
+
+	workdir, err := filepath.Abs("testdata")
+	assert.NoError(t, err, workflowPath)
+
+	runnerConfig := &Config{
+		Workdir:         workdir,
+		EventName:       eventName,
+		Platforms:       platforms,
+		ReuseContainers: false,
+	}
+	runner, err := New(runnerConfig)
+	assert.NoError(t, err, workflowPath)
+
+	planner, err := model.NewWorkflowPlanner(fmt.Sprintf("testdata/%s", workflowPath), true)
+	assert.NoError(t, err, workflowPath)
+
+	plan, err := planner.PlanEvent(eventName)
+	assert.NoError(t, err, workflowPath)
+
+	err = runner.NewPlanExecutor(plan)(ctx)
+	assert.NoError(t, err, workflowPath)
+}
+
 func TestRunActionInputs(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
--- a/pkg/runner/step.go
+++ b/pkg/runner/step.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"path"
+	"strconv"
 	"strings"
+	"time"

 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
@@ -32,6 +34,9 @@ const (
 	stepStagePost
 )

+// Controls how many symlinks are resolved for local and remote Actions
+const maxSymlinkDepth = 10
+
 func (s stepStage) String() string {
 	switch s {
 	case stepStagePre:
@@ -134,7 +139,9 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 			Mode: 0o666,
 		})(ctx)

-		err = executor(ctx)
+		timeoutctx, cancelTimeOut := evaluateStepTimeout(ctx, rc.ExprEval, stepModel)
+		defer cancelTimeOut()
+		err = executor(timeoutctx)

 		if err == nil {
 			logger.WithField("stepResult", stepResult.Outcome).Infof("  \u2705  Success - %s %s", stage, stepString)
@@ -182,6 +189,16 @@ func runStepExecutor(step step, stage stepStage, executor common.Executor) commo
 	}
 }

+func evaluateStepTimeout(ctx context.Context, exprEval ExpressionEvaluator, stepModel *model.Step) (context.Context, context.CancelFunc) {
+	timeout := exprEval.Interpolate(ctx, stepModel.TimeoutMinutes)
+	if timeout != "" {
+		if timeOutMinutes, err := strconv.ParseInt(timeout, 10, 64); err == nil {
+			return context.WithTimeout(ctx, time.Duration(timeOutMinutes)*time.Minute)
+		}
+	}
+	return ctx, func() {}
+}
+
 func setupEnv(ctx context.Context, step step) error {
 	rc := step.getRunContext()

@@ -242,7 +259,7 @@ func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage)
 	return runStep, nil
 }

-func isContinueOnError(ctx context.Context, expr string, step step, stage stepStage) (bool, error) {
+func isContinueOnError(ctx context.Context, expr string, step step, _ stepStage) (bool, error) {
 	// https://github.com/github/docs/blob/3ae84420bd10997bb5f35f629ebb7160fe776eae/content/actions/reference/workflow-syntax-for-github-actions.md?plain=true#L962
 	if len(strings.TrimSpace(expr)) == 0 {
 		return false, nil
@@ -293,3 +310,13 @@ func mergeIntoMapCaseInsensitive(target map[string]string, maps ...map[string]st
 		}
 	}
 }
+
+func symlinkJoin(filename, sym, parent string) (string, error) {
+	dir := path.Dir(filename)
+	dest := path.Join(dir, sym)
+	prefix := path.Clean(parent) + "/"
+	if strings.HasPrefix(dest, prefix) || prefix == "./" {
+		return dest, nil
+	}
+	return "", fmt.Errorf("symlink tries to access file '%s' outside of '%s'", strings.ReplaceAll(dest, "'", "''"), strings.ReplaceAll(parent, "'", "''"))
+}
--- a/pkg/runner/step_action_local.go
+++ b/pkg/runner/step_action_local.go
@@ -3,7 +3,10 @@ package runner
 import (
 	"archive/tar"
 	"context"
+	"errors"
+	"fmt"
 	"io"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
@@ -42,15 +45,31 @@ func (sal *stepActionLocal) main() common.Executor {
 		localReader := func(ctx context.Context) actionYamlReader {
 			_, cpath := getContainerActionPaths(sal.Step, path.Join(actionDir, ""), sal.RunContext)
 			return func(filename string) (io.Reader, io.Closer, error) {
-				tars, err := sal.RunContext.JobContainer.GetContainerArchive(ctx, path.Join(cpath, filename))
-				if err != nil {
-					return nil, nil, os.ErrNotExist
+				spath := path.Join(cpath, filename)
+				for i := 0; i < maxSymlinkDepth; i++ {
+					tars, err := sal.RunContext.JobContainer.GetContainerArchive(ctx, spath)
+					if errors.Is(err, fs.ErrNotExist) {
+						return nil, nil, err
+					} else if err != nil {
+						return nil, nil, fs.ErrNotExist
+					}
+					treader := tar.NewReader(tars)
+					header, err := treader.Next()
+					if errors.Is(err, io.EOF) {
+						return nil, nil, os.ErrNotExist
+					} else if err != nil {
+						return nil, nil, err
+					}
+					if header.FileInfo().Mode()&os.ModeSymlink == os.ModeSymlink {
+						spath, err = symlinkJoin(spath, header.Linkname, cpath)
+						if err != nil {
+							return nil, nil, err
+						}
+					} else {
+						return treader, tars, nil
+					}
 				}
-				treader := tar.NewReader(tars)
-				if _, err := treader.Next(); err != nil {
-					return nil, nil, os.ErrNotExist
-				}
-				return treader, tars, nil
+				return nil, nil, fmt.Errorf("max depth %d of symlinks exceeded while reading %s", maxSymlinkDepth, spath)
 			}
 		}

@@ -85,7 +104,7 @@ func (sal *stepActionLocal) getEnv() *map[string]string {
 	return &sal.env
 }

-func (sal *stepActionLocal) getIfExpression(context context.Context, stage stepStage) string {
+func (sal *stepActionLocal) getIfExpression(_ context.Context, stage stepStage) string {
 	switch stage {
 	case stepStageMain:
 		return sal.Step.If.Value
--- a/pkg/runner/step_action_local_test.go
+++ b/pkg/runner/step_action_local_test.go
@@ -24,7 +24,7 @@ func (salm *stepActionLocalMocks) runAction(step actionStep, actionDir string, r
 	return args.Get(0).(func(context.Context) error)
 }

-func (salm *stepActionLocalMocks) readAction(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
+func (salm *stepActionLocalMocks) readAction(_ context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	args := salm.Called(step, actionDir, actionPath, readFile, writeFile)
 	return args.Get(0).(*model.Action), args.Error(1)
 }
--- a/pkg/runner/step_action_remote.go
+++ b/pkg/runner/step_action_remote.go
@@ -1,6 +1,7 @@
 package runner

 import (
+	"archive/tar"
 	"context"
 	"errors"
 	"fmt"
@@ -28,11 +29,11 @@ type stepActionRemote struct {
 	action              *model.Action
 	env                 map[string]string
 	remoteAction        *remoteAction
+	cacheDir            string
+	resolvedSha         string
 }

-var (
-	stepActionRemoteNewCloneExecutor = git.NewGitCloneExecutor
-)
+var stepActionRemoteNewCloneExecutor = git.NewGitCloneExecutor

 func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 	return func(ctx context.Context) error {
@@ -41,33 +42,85 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 			return nil
 		}

+		// For gitea:
+		// Since actions can specify the download source via a url prefix.
+		// The prefix may contain some sensitive information that needs to be stored in secrets,
+		// so we need to interpolate the expression value for uses first.
+		sar.Step.Uses = sar.RunContext.NewExpressionEvaluator(ctx).Interpolate(ctx, sar.Step.Uses)
+
 		sar.remoteAction = newRemoteAction(sar.Step.Uses)
 		if sar.remoteAction == nil {
 			return fmt.Errorf("Expected format {org}/{repo}[/path]@ref. Actual '%s' Input string was not in a correct format", sar.Step.Uses)
 		}

-		sar.remoteAction.URL = sar.RunContext.Config.GitHubInstance
-
 		github := sar.getGithubContext(ctx)
 		if sar.remoteAction.IsCheckout() && isLocalCheckout(github, sar.Step) && !sar.RunContext.Config.NoSkipCheckout {
 			common.Logger(ctx).Debugf("Skipping local actions/checkout because workdir was already copied")
 			return nil
 		}

-		sar.remoteAction.URL = sar.RunContext.Config.GitHubInstance
 		for _, action := range sar.RunContext.Config.ReplaceGheActionWithGithubCom {
 			if strings.EqualFold(fmt.Sprintf("%s/%s", sar.remoteAction.Org, sar.remoteAction.Repo), action) {
-				sar.remoteAction.URL = "github.com"
+				sar.remoteAction.URL = "https://github.com"
 				github.Token = sar.RunContext.Config.ReplaceGheActionTokenWithGithubCom
 			}
 		}
+		if sar.RunContext.Config.ActionCache != nil {
+			cache := sar.RunContext.Config.ActionCache
+
+			var err error
+			sar.cacheDir = fmt.Sprintf("%s/%s", sar.remoteAction.Org, sar.remoteAction.Repo)
+			repoURL := sar.remoteAction.URL + "/" + sar.cacheDir
+			repoRef := sar.remoteAction.Ref
+			sar.resolvedSha, err = cache.Fetch(ctx, sar.cacheDir, repoURL, repoRef, github.Token)
+			if err != nil {
+				return fmt.Errorf("failed to fetch \"%s\" version \"%s\": %w", repoURL, repoRef, err)
+			}
+
+			remoteReader := func(ctx context.Context) actionYamlReader {
+				return func(filename string) (io.Reader, io.Closer, error) {
+					spath := path.Join(sar.remoteAction.Path, filename)
+					for i := 0; i < maxSymlinkDepth; i++ {
+						tars, err := cache.GetTarArchive(ctx, sar.cacheDir, sar.resolvedSha, spath)
+						if err != nil {
+							return nil, nil, os.ErrNotExist
+						}
+						treader := tar.NewReader(tars)
+						header, err := treader.Next()
+						if err != nil {
+							return nil, nil, os.ErrNotExist
+						}
+						if header.FileInfo().Mode()&os.ModeSymlink == os.ModeSymlink {
+							spath, err = symlinkJoin(spath, header.Linkname, ".")
+							if err != nil {
+								return nil, nil, err
+							}
+						} else {
+							return treader, tars, nil
+						}
+					}
+					return nil, nil, fmt.Errorf("max depth %d of symlinks exceeded while reading %s", maxSymlinkDepth, spath)
+				}
+			}
+
+			actionModel, err := sar.readAction(ctx, sar.Step, sar.resolvedSha, sar.remoteAction.Path, remoteReader(ctx), os.WriteFile)
+			sar.action = actionModel
+			return err
+		}

 		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))
 		gitClone := stepActionRemoteNewCloneExecutor(git.NewGitCloneExecutorInput{
-			URL:   sar.remoteAction.CloneURL(),
+			URL:   sar.remoteAction.CloneURL(sar.RunContext.Config.DefaultActionInstance),
 			Ref:   sar.remoteAction.Ref,
 			Dir:   actionDir,
-			Token: github.Token,
+			Token: "", /*
+				Shouldn't provide token when cloning actions,
+				the token comes from the instance which triggered the task,
+				however, it might be not the same instance which provides actions.
+				For GitHub, they are the same, always github.com.
+				But for Gitea, tasks triggered by a.com can clone actions from b.com.
+			*/
+			OfflineMode: sar.RunContext.Config.ActionOfflineMode,
 		})
 		var ntErr common.Executor
 		if err := gitClone(ctx); err != nil {
@@ -213,8 +266,16 @@ type remoteAction struct {
 	Ref  string
 }

-func (ra *remoteAction) CloneURL() string {
-	return fmt.Sprintf("https://%s/%s/%s", ra.URL, ra.Org, ra.Repo)
+func (ra *remoteAction) CloneURL(u string) string {
+	if ra.URL == "" {
+		if !strings.HasPrefix(u, "http://") && !strings.HasPrefix(u, "https://") {
+			u = "https://" + u
+		}
+	} else {
+		u = ra.URL
+	}
+
+	return fmt.Sprintf("%s/%s/%s", u, ra.Org, ra.Repo)
 }

 func (ra *remoteAction) IsCheckout() bool {
@@ -225,6 +286,26 @@ func (ra *remoteAction) IsCheckout() bool {
 }

 func newRemoteAction(action string) *remoteAction {
+	// support http(s)://host/owner/repo@v3
+	for _, schema := range []string{"https://", "http://"} {
+		if strings.HasPrefix(action, schema) {
+			splits := strings.SplitN(strings.TrimPrefix(action, schema), "/", 2)
+			if len(splits) != 2 {
+				return nil
+			}
+			ret := parseAction(splits[1])
+			if ret == nil {
+				return nil
+			}
+			ret.URL = schema + splits[0]
+			return ret
+		}
+	}
+
+	return parseAction(action)
+}
+
+func parseAction(action string) *remoteAction {
 	// GitHub's document[^] describes:
 	// > We strongly recommend that you include the version of
 	// > the action you are using by specifying a Git ref, SHA, or Docker tag number.
@@ -240,7 +321,7 @@ func newRemoteAction(action string) *remoteAction {
 		Repo: matches[2],
 		Path: matches[4],
 		Ref:  matches[6],
-		URL:  "github.com",
+		URL:  "",
 	}
 }

--- a/pkg/runner/step_action_remote_test.go
+++ b/pkg/runner/step_action_remote_test.go
@@ -21,7 +21,7 @@ type stepActionRemoteMocks struct {
 	mock.Mock
 }

-func (sarm *stepActionRemoteMocks) readAction(ctx context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
+func (sarm *stepActionRemoteMocks) readAction(_ context.Context, step *model.Step, actionDir string, actionPath string, readFile actionYamlReader, writeFile fileWriter) (*model.Action, error) {
 	args := sarm.Called(step, actionDir, actionPath, readFile, writeFile)
 	return args.Get(0).(*model.Action), args.Error(1)
 }
@@ -616,6 +616,100 @@ func TestStepActionRemotePost(t *testing.T) {
 	}
 }

+func Test_newRemoteAction(t *testing.T) {
+	tests := []struct {
+		action       string
+		want         *remoteAction
+		wantCloneURL string
+	}{
+		{
+			action: "actions/heroku@main",
+			want: &remoteAction{
+				URL:  "",
+				Org:  "actions",
+				Repo: "heroku",
+				Path: "",
+				Ref:  "main",
+			},
+			wantCloneURL: "https://github.com/actions/heroku",
+		},
+		{
+			action: "actions/aws/ec2@main",
+			want: &remoteAction{
+				URL:  "",
+				Org:  "actions",
+				Repo: "aws",
+				Path: "ec2",
+				Ref:  "main",
+			},
+			wantCloneURL: "https://github.com/actions/aws",
+		},
+		{
+			action: "./.github/actions/my-action", // it's valid for GitHub, but act don't support it
+			want:   nil,
+		},
+		{
+			action: "docker://alpine:3.8", // it's valid for GitHub, but act don't support it
+			want:   nil,
+		},
+		{
+			action: "https://gitea.com/actions/heroku@main", // it's invalid for GitHub, but gitea supports it
+			want: &remoteAction{
+				URL:  "https://gitea.com",
+				Org:  "actions",
+				Repo: "heroku",
+				Path: "",
+				Ref:  "main",
+			},
+			wantCloneURL: "https://gitea.com/actions/heroku",
+		},
+		{
+			action: "https://gitea.com/actions/aws/ec2@main", // it's invalid for GitHub, but gitea supports it
+			want: &remoteAction{
+				URL:  "https://gitea.com",
+				Org:  "actions",
+				Repo: "aws",
+				Path: "ec2",
+				Ref:  "main",
+			},
+			wantCloneURL: "https://gitea.com/actions/aws",
+		},
+		{
+			action: "http://gitea.com/actions/heroku@main", // it's invalid for GitHub, but gitea supports it
+			want: &remoteAction{
+				URL:  "http://gitea.com",
+				Org:  "actions",
+				Repo: "heroku",
+				Path: "",
+				Ref:  "main",
+			},
+			wantCloneURL: "http://gitea.com/actions/heroku",
+		},
+		{
+			action: "http://gitea.com/actions/aws/ec2@main", // it's invalid for GitHub, but gitea supports it
+			want: &remoteAction{
+				URL:  "http://gitea.com",
+				Org:  "actions",
+				Repo: "aws",
+				Path: "ec2",
+				Ref:  "main",
+			},
+			wantCloneURL: "http://gitea.com/actions/aws",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.action, func(t *testing.T) {
+			got := newRemoteAction(tt.action)
+			assert.Equalf(t, tt.want, got, "newRemoteAction(%v)", tt.action)
+			cloneURL := ""
+			if got != nil {
+				cloneURL = got.CloneURL("github.com")
+			}
+			assert.Equalf(t, tt.wantCloneURL, cloneURL, "newRemoteAction(%v).CloneURL()", tt.action)
+		})
+	}
+}
+
 func Test_safeFilename(t *testing.T) {
 	tests := []struct {
 		s    string
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.45
 .2.59