fix local workflow for act_runner exec (#63)

by the way, export `ACT_SKIP_CHECKOUT` as a env verb for user to do some special config of local test.

example usage:

7a3ab0fdbc

Reviewed-on: https://gitea.com/gitea/act/pulls/63
Reviewed-by: Jason Song <i@wolfogre.com>
Co-authored-by: a1012112796 <1012112796@qq.com>
Co-committed-by: a1012112796 <1012112796@qq.com>

cmd/input.go

@@ -16,6 +16,7 @@ type Input struct {
 	reuseContainers                    bool
 	bindWorkdir                        bool
 	secrets                            []string
+	vars                               []string
 	envs                               []string
 	inputs                             []string
 	platforms                          []string
@@ -26,6 +27,7 @@ type Input struct {
 	envfile                            string
 	inputfile                          string
 	secretfile                         string
+	varfile                            string
 	insecureSecrets                    bool
 	defaultBranch                      string
 	privileged                         bool
@@ -78,6 +80,10 @@ func (i *Input) Secretfile() string {
 	return i.resolve(i.secretfile)
 }
 
+func (i *Input) Varfile() string {
+	return i.resolve(i.varfile)
+}
+
 // Workdir returns path to workdir
 func (i *Input) Workdir() string {
 	return i.resolve(".")

cmd/root.go

@@ -49,6 +49,7 @@ func Execute(ctx context.Context, version string) {
 
 	rootCmd.Flags().StringVar(&input.remoteName, "remote-name", "origin", "git remote name that will be used to retrieve url of git repo")
 	rootCmd.Flags().StringArrayVarP(&input.secrets, "secret", "s", []string{}, "secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)")
+	rootCmd.Flags().StringArrayVar(&input.vars, "var", []string{}, "variable to make available to actions with optional value (e.g. --var myvar=foo or --var myvar)")
 	rootCmd.Flags().StringArrayVarP(&input.envs, "env", "", []string{}, "env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)")
 	rootCmd.Flags().StringArrayVarP(&input.inputs, "input", "", []string{}, "action input to make available to actions (e.g. --input myinput=foo)")
 	rootCmd.Flags().StringArrayVarP(&input.platforms, "platform", "P", []string{}, "custom image to use per platform (e.g. -P ubuntu-18.04=nektos/act-environments-ubuntu:18.04)")
@@ -77,6 +78,7 @@ func Execute(ctx context.Context, version string) {
 	rootCmd.PersistentFlags().BoolVarP(&input.noOutput, "quiet", "q", false, "disable logging of output from steps")
 	rootCmd.PersistentFlags().BoolVarP(&input.dryrun, "dryrun", "n", false, "dryrun mode")
 	rootCmd.PersistentFlags().StringVarP(&input.secretfile, "secret-file", "", ".secrets", "file with list of secrets to read from (e.g. --secret-file .secrets)")
+	rootCmd.PersistentFlags().StringVarP(&input.varfile, "var-file", "", ".vars", "file with list of vars to read from (e.g. --var-file .vars)")
 	rootCmd.PersistentFlags().BoolVarP(&input.insecureSecrets, "insecure-secrets", "", false, "NOT RECOMMENDED! Doesn't hide secrets while printing logs.")
 	rootCmd.PersistentFlags().StringVarP(&input.envfile, "env-file", "", ".env", "environment file to read and use as env in the containers")
 	rootCmd.PersistentFlags().StringVarP(&input.inputfile, "input-file", "", ".input", "input file to read and use as action input")
@@ -418,6 +420,10 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 		secrets := newSecrets(input.secrets)
 		_ = readEnvs(input.Secretfile(), secrets)
 
+		log.Debugf("Loading vars from %s", input.Varfile())
+		vars := newSecrets(input.vars)
+		_ = readEnvs(input.Varfile(), vars)
+
 		matrixes := parseMatrix(input.matrix)
 		log.Debugf("Evaluated matrix inclusions: %v", matrixes)
 
@@ -579,6 +585,7 @@ func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []str
 			JSONLogger:                         input.jsonLogger,
 			Env:                                envs,
 			Secrets:                            secrets,
+			Vars:                               vars,
 			Inputs:                             inputs,
 			Token:                              secrets["GITHUB_TOKEN"],
 			InsecureSecrets:                    input.insecureSecrets,

pkg/container/container_types.go

@@ -31,6 +31,7 @@ type NewContainerInput struct {
 	AutoRemove bool
 
 	NetworkAliases []string
+	ValidVolumes   []string
 }
 
 // FileEntry is a file to copy to a container

pkg/container/docker_run.go

@@ -16,6 +16,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/docker/docker/api/types/network"
 	networktypes "github.com/docker/docker/api/types/network"
 
 	"github.com/go-git/go-billy/v5/helper/polyfill"
@@ -27,6 +28,7 @@ import (
 	"github.com/kballard/go-shellquote"
 	"github.com/spf13/pflag"
 
+	"github.com/docker/cli/cli/compose/loader"
 	"github.com/docker/cli/cli/connhelper"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -366,10 +368,20 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 		return nil, nil, fmt.Errorf("Cannot parse container options: '%s': '%w'", input.Options, err)
 	}
 
-	if len(copts.netMode.Value()) == 0 {
-		if err = copts.netMode.Set("host"); err != nil {
-			return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
-		}
+	// If a service container's network is set to `host`, the container will not be able to
+	// connect to the specified network created for the job container and the service containers.
+	// So comment out the following code.
+
+	// if len(copts.netMode.Value()) == 0 {
+	// 	if err = copts.netMode.Set("host"); err != nil {
+	// 		return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
+	// 	}
+	// }
+
+	// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
+	// even if the user specifies `--privileged` in the options string.
+	if !hostConfig.Privileged {
+		copts.privileged = false
 	}
 
 	containerConfig, err := parse(flags, copts, "")
@@ -379,7 +391,7 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 
 	logger.Debugf("Custom container.Config from options ==> %+v", containerConfig.Config)
 
-	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride)
+	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride, mergo.WithAppendSlice)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot merge container.Config options: '%s': '%w'", input.Options, err)
 	}
@@ -391,12 +403,17 @@ func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config
 	hostConfig.Mounts = append(hostConfig.Mounts, containerConfig.HostConfig.Mounts...)
 	binds := hostConfig.Binds
 	mounts := hostConfig.Mounts
+	networkMode := hostConfig.NetworkMode
 	err = mergo.Merge(hostConfig, containerConfig.HostConfig, mergo.WithOverride)
 	if err != nil {
 		return nil, nil, fmt.Errorf("Cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
 	}
 	hostConfig.Binds = binds
 	hostConfig.Mounts = mounts
+	if len(copts.netMode.Value()) > 0 {
+		logger.Warn("--network and --net in the options will be ignored.")
+	}
+	hostConfig.NetworkMode = networkMode
 	logger.Debugf("Merged container.HostConfig ==> %+v", hostConfig)
 
 	return config, hostConfig, nil
@@ -467,7 +484,24 @@ func (cr *containerReference) create(capAdd []string, capDrop []string) common.E
 			return err
 		}
 
-		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, nil, platSpecs, input.Name)
+		// For Gitea
+		config, hostConfig = cr.sanitizeConfig(ctx, config, hostConfig)
+
+		// For Gitea
+		// network-scoped alias is supported only for containers in user defined networks
+		var networkingConfig *network.NetworkingConfig
+		if hostConfig.NetworkMode.IsUserDefined() && len(input.NetworkAliases) > 0 {
+			endpointConfig := &network.EndpointSettings{
+				Aliases: input.NetworkAliases,
+			}
+			networkingConfig = &network.NetworkingConfig{
+				EndpointsConfig: map[string]*network.EndpointSettings{
+					input.NetworkMode: endpointConfig,
+				},
+			}
+		}
+
+		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, networkingConfig, platSpecs, input.Name)
 		if err != nil {
 			return fmt.Errorf("failed to create container: '%w'", err)
 		}
@@ -848,3 +882,46 @@ func (cr *containerReference) wait() common.Executor {
 		return fmt.Errorf("exit with `FAILURE`: %v", statusCode)
 	}
 }
+
+func (cr *containerReference) sanitizeConfig(ctx context.Context, config *container.Config, hostConfig *container.HostConfig) (*container.Config, *container.HostConfig) {
+	logger := common.Logger(ctx)
+
+	if len(cr.input.ValidVolumes) > 0 {
+		vv := make(map[string]struct{}, len(cr.input.ValidVolumes))
+		for _, volume := range cr.input.ValidVolumes {
+			vv[volume] = struct{}{}
+		}
+		// sanitize binds
+		sanitizedBinds := make([]string, 0, len(hostConfig.Binds))
+		for _, bind := range hostConfig.Binds {
+			parsed, err := loader.ParseVolume(bind)
+			if err != nil {
+				logger.Warnf("parse volume [%s] error: %v", bind, err)
+				continue
+			}
+			if parsed.Source == "" {
+				// anonymous volume
+				sanitizedBinds = append(sanitizedBinds, bind)
+				continue
+			}
+			if _, ok := vv[parsed.Source]; ok {
+				sanitizedBinds = append(sanitizedBinds, bind)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", bind)
+			}
+		}
+		hostConfig.Binds = sanitizedBinds
+		// sanitize mounts
+		sanitizedMounts := make([]mount.Mount, 0, len(hostConfig.Mounts))
+		for _, mt := range hostConfig.Mounts {
+			if _, ok := vv[mt.Source]; ok {
+				sanitizedMounts = append(sanitizedMounts, mt)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", mt.Source)
+			}
+		}
+		hostConfig.Mounts = sanitizedMounts
+	}
+
+	return config, hostConfig
+}

pkg/exprparser/interpreter.go

@@ -19,12 +19,11 @@ type EvaluationEnvironment struct {
 	Steps    map[string]*model.StepResult
 	Runner   map[string]interface{}
 	Secrets  map[string]string
+	Vars     map[string]string
 	Strategy map[string]interface{}
 	Matrix   map[string]interface{}
 	Needs    map[string]Needs
 	Inputs   map[string]interface{}
-
-	Vars map[string]string
 }
 
 type Needs struct {
@@ -150,6 +149,7 @@ func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (interfa
 	}
 }
 
+// nolint:gocyclo
 func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (interface{}, error) {
 	switch strings.ToLower(variableNode.Name) {
 	case "github":
@@ -171,6 +171,8 @@ func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableN
 		return impl.env.Runner, nil
 	case "secrets":
 		return impl.env.Secrets, nil
+	case "vars":
+		return impl.env.Vars, nil
 	case "strategy":
 		return impl.env.Strategy, nil
 	case "matrix":
@@ -183,8 +185,6 @@ func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableN
 		return math.Inf(1), nil
 	case "nan":
 		return math.NaN(), nil
-	case "vars":
-		return impl.env.Vars, nil
 	default:
 		return nil, fmt.Errorf("Unavailable context: %s", variableNode.Name)
 	}

pkg/exprparser/interpreter_test.go

@@ -557,6 +557,7 @@ func TestContexts(t *testing.T) {
 		// {"contains(steps.*.outputs.name, 'value')", true, "steps-context-array-outputs"},
 		{"runner.os", "Linux", "runner-context"},
 		{"secrets.name", "value", "secrets-context"},
+		{"vars.name", "value", "vars-context"},
 		{"strategy.fail-fast", true, "strategy-context"},
 		{"matrix.os", "Linux", "matrix-context"},
 		{"needs.job-id.outputs.output-name", "value", "needs-context"},
@@ -593,6 +594,9 @@ func TestContexts(t *testing.T) {
 		Secrets: map[string]string{
 			"name": "value",
 		},
+		Vars: map[string]string{
+			"name": "value",
+		},
 		Strategy: map[string]interface{}{
 			"fail-fast": true,
 		},

pkg/jobparser/interpeter.go

@@ -62,8 +62,6 @@ func NewInterpeter(
 		Matrix:   matrix,
 		Needs:    using,
 		Inputs:   nil, // not supported yet
-
-		Vars: nil,
 	}
 
 	config := exprparser.Config{

pkg/runner/expression.go

@@ -77,12 +77,11 @@ func (rc *RunContext) NewExpressionEvaluatorWithEnv(ctx context.Context, env map
 		// but required to interpolate/evaluate the step outputs on the job
 		Steps:    rc.getStepsContext(),
 		Secrets:  getWorkflowSecrets(ctx, rc),
+		Vars:     getWorkflowVars(ctx, rc),
 		Strategy: strategy,
 		Matrix:   rc.Matrix,
 		Needs:    using,
 		Inputs:   inputs,
-
-		Vars: rc.getVarsContext(),
 	}
 	if rc.JobContainer != nil {
 		ee.Runner = rc.JobContainer.GetRunnerContext(ctx)
@@ -126,14 +125,13 @@ func (rc *RunContext) NewStepExpressionEvaluator(ctx context.Context, step step)
 		Job:      rc.getJobContext(),
 		Steps:    rc.getStepsContext(),
 		Secrets:  getWorkflowSecrets(ctx, rc),
+		Vars:     getWorkflowVars(ctx, rc),
 		Strategy: strategy,
 		Matrix:   rc.Matrix,
 		Needs:    using,
 		// todo: should be unavailable
 		// but required to interpolate/evaluate the inputs in actions/composite
 		Inputs: inputs,
-
-		Vars: rc.getVarsContext(),
 	}
 	if rc.JobContainer != nil {
 		ee.Runner = rc.JobContainer.GetRunnerContext(ctx)
@@ -426,3 +424,7 @@ func getWorkflowSecrets(ctx context.Context, rc *RunContext) map[string]string {
 
 	return rc.Config.Secrets
 }
+
+func getWorkflowVars(ctx context.Context, rc *RunContext) map[string]string {
+	return rc.Config.Vars
+}

pkg/runner/expression_test.go

@@ -28,6 +28,9 @@ func createRunContext(t *testing.T) *RunContext {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"key": "value",
@@ -122,6 +125,8 @@ func TestEvaluateRunContext(t *testing.T) {
 		{"env.key", "value", ""},
 		{"secrets.CASE_INSENSITIVE_SECRET", "value", ""},
 		{"secrets.case_insensitive_secret", "value", ""},
+		{"vars.CASE_INSENSITIVE_VAR", "value", ""},
+		{"vars.case_insensitive_var", "value", ""},
 		{"format('{{0}}', 'test')", "{0}", ""},
 		{"format('{{{0}}}', 'test')", "{test}", ""},
 		{"format('}}')", "}", ""},
@@ -195,6 +200,9 @@ func TestInterpolate(t *testing.T) {
 			Secrets: map[string]string{
 				"CASE_INSENSITIVE_SECRET": "value",
 			},
+			Vars: map[string]string{
+				"CASE_INSENSITIVE_VAR": "value",
+			},
 		},
 		Env: map[string]string{
 			"KEYWITHNOTHING":       "valuewithnothing",
@@ -229,6 +237,8 @@ func TestInterpolate(t *testing.T) {
 		{" ${{ env.KEY_WITH_UNDERSCORES }} ", " value_with_underscores "},
 		{"${{ secrets.CASE_INSENSITIVE_SECRET }}", "value"},
 		{"${{ secrets.case_insensitive_secret }}", "value"},
+		{"${{ vars.CASE_INSENSITIVE_VAR }}", "value"},
+		{"${{ vars.case_insensitive_var }}", "value"},
 		{"${{ env.UNKNOWN }}", ""},
 		{"${{ env.SOMETHING_TRUE }}", "true"},
 		{"${{ env.SOMETHING_FALSE }}", "false"},

pkg/runner/job_executor.go

@@ -122,12 +122,17 @@ func newJobExecutor(info jobInfo, sf stepFactory, rc *RunContext) common.Executo
 			}
 
 			logger.Infof("Cleaning up container for job %s", rc.JobName)
-			err = info.stopContainer()(ctx)
-
-			logger.Infof("Cleaning up network for job %s", rc.JobName)
-			networkName := fmt.Sprintf("%s-network", rc.jobContainerName())
-			if err := rc.removeNetwork(networkName)(ctx); err != nil {
-				logger.Errorf("Error while cleaning network: %v", err)
+			if err = info.stopContainer()(ctx); err != nil {
+				logger.Errorf("Error while stop job container: %v", err)
+			}
+			if rc.Config.ContainerNetworkMode == "" {
+				// if the value of `ContainerNetworkMode` is empty string,
+				// it means that the network to which containers are connecting is created by `act_runner`,
+				// so, we should remove the network at last.
+				logger.Infof("Cleaning up network for job %s, and network name is: %s", rc.JobName, rc.networkName())
+				if err := rc.removeNetwork(rc.networkName())(ctx); err != nil {
+					logger.Errorf("Error while cleaning network: %v", err)
+				}
 			}
 		}
 		setJobResult(ctx, info, rc, jobError == nil)

pkg/runner/reusable_workflow.go

@@ -17,6 +17,18 @@ import (
 )
 
 func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
+	if !rc.Config.NoSkipCheckout {
+		fullPath := rc.Run.Job().Uses
+
+		fileName := path.Base(fullPath)
+		workflowDir := strings.TrimSuffix(fullPath, path.Join("/", fileName))
+		workflowDir = strings.TrimPrefix(workflowDir, "./")
+
+		return common.NewPipelineExecutor(
+			newReusableWorkflowExecutor(rc, workflowDir, fileName),
+		)
+	}
+
 	// ./.gitea/workflows/wf.yml -> .gitea/workflows/wf.yml
 	trimmedUses := strings.TrimPrefix(rc.Run.Job().Uses, "./")
 	// uses string format is {owner}/{repo}/.{git_platform}/workflows/{filename}@{ref}

pkg/runner/run_context.go

@@ -18,7 +18,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/docker/docker/errdefs"
 	"github.com/opencontainers/selinux/go-selinux"
 
 	"github.com/nektos/act/pkg/common"
@@ -83,6 +82,11 @@ func (rc *RunContext) GetEnv() map[string]string {
 		}
 	}
 	rc.Env["ACT"] = "true"
+
+	if !rc.Config.NoSkipCheckout {
+		rc.Env["ACT_SKIP_CHECKOUT"] = "true"
+	}
+
 	return rc.Env
 }
 
@@ -90,6 +94,12 @@ func (rc *RunContext) jobContainerName() string {
 	return createSimpleContainerName(rc.Config.ContainerNamePrefix, "WORKFLOW-"+rc.Run.Workflow.Name, "JOB-"+rc.Name)
 }
 
+// networkName return the name of the network which will be created by `act` automatically for job,
+// only create network if `rc.Config.ContainerNetworkMode` is empty string.
+func (rc *RunContext) networkName() string {
+	return fmt.Sprintf("%s-network", rc.jobContainerName())
+}
+
 func getDockerDaemonSocketMountPath(daemonPath string) string {
 	if protoIndex := strings.Index(daemonPath, "://"); protoIndex != -1 {
 		scheme := daemonPath[:protoIndex]
@@ -157,6 +167,14 @@ func (rc *RunContext) GetBindsAndMounts() ([]string, map[string]string) {
 		mounts[name] = ext.ToContainerPath(rc.Config.Workdir)
 	}
 
+	// For Gitea
+	// add some default binds and mounts to ValidVolumes
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, "act-toolcache")
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, name)
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, name+"-env")
+	// TODO: add a new configuration to control whether the docker daemon can be mounted
+	rc.Config.ValidVolumes = append(rc.Config.ValidVolumes, getDockerDaemonSocketMountPath(rc.Config.ContainerDaemonSocket))
+
 	return binds, mounts
 }
 
@@ -250,6 +268,9 @@ func (rc *RunContext) startJobContainer() common.Executor {
 
 		logger.Infof("\U0001f680  Start image=%s", image)
 		name := rc.jobContainerName()
+		// For gitea, to support --volumes-from <container_name_or_id> in options.
+		// We need to set the container name to the environment variable.
+		rc.Env["JOB_CONTAINER_NAME"] = name
 
 		envList := make([]string, 0)
 
@@ -262,8 +283,16 @@ func (rc *RunContext) startJobContainer() common.Executor {
 		ext := container.LinuxContainerEnvironmentExtensions{}
 		binds, mounts := rc.GetBindsAndMounts()
 
+		// specify the network to which the container will connect when `docker create` stage. (like execute command line: docker create --network <networkName> <image>)
+		networkName := string(rc.Config.ContainerNetworkMode)
+		if networkName == "" {
+			// if networkName is empty string, will create a new network for the containers.
+			// and it will be removed after at last.
+			networkName = rc.networkName()
+		}
+
 		// add service containers
-		for name, spec := range rc.Run.Job().Services {
+		for serviceId, spec := range rc.Run.Job().Services {
 			// interpolate env
 			interpolatedEnvs := make(map[string]string, len(spec.Env))
 			for k, v := range spec.Env {
@@ -280,24 +309,20 @@ func (rc *RunContext) startJobContainer() common.Executor {
 			}
 			username, password, err := rc.handleServiceCredentials(ctx, spec.Credentials)
 			if err != nil {
-				return fmt.Errorf("failed to handle service %s credentials: %w", name, err)
+				return fmt.Errorf("failed to handle service %s credentials: %w", serviceId, err)
 			}
-			serviceContainerName := createSimpleContainerName(rc.jobContainerName(), name)
+			serviceBinds, serviceMounts := rc.GetServiceBindsAndMounts(spec.Volumes)
+			serviceContainerName := createSimpleContainerName(rc.jobContainerName(), serviceId)
 			c := container.NewContainer(&container.NewContainerInput{
-				Name:       serviceContainerName,
-				WorkingDir: ext.ToContainerPath(rc.Config.Workdir),
-				Image:      spec.Image,
-				Username:   username,
-				Password:   password,
-				Cmd:        interpolatedCmd,
-				Env:        envs,
-				Mounts: map[string]string{
-					// TODO merge volumes
-					name:            ext.ToContainerPath(rc.Config.Workdir),
-					"act-toolcache": "/toolcache",
-					"act-actions":   "/actions",
-				},
-				Binds:          binds,
+				Name:           serviceContainerName,
+				WorkingDir:     ext.ToContainerPath(rc.Config.Workdir),
+				Image:          spec.Image,
+				Username:       username,
+				Password:       password,
+				Cmd:            interpolatedCmd,
+				Env:            envs,
+				Mounts:         serviceMounts,
+				Binds:          serviceBinds,
 				Stdout:         logWriter,
 				Stderr:         logWriter,
 				Privileged:     rc.Config.Privileged,
@@ -305,7 +330,9 @@ func (rc *RunContext) startJobContainer() common.Executor {
 				Platform:       rc.Config.ContainerArchitecture,
 				AutoRemove:     rc.Config.AutoRemove,
 				Options:        spec.Options,
-				NetworkAliases: []string{name},
+				NetworkMode:    networkName,
+				NetworkAliases: []string{serviceId},
+				ValidVolumes:   rc.Config.ValidVolumes,
 			})
 			rc.ServiceContainers = append(rc.ServiceContainers, c)
 		}
@@ -320,47 +347,38 @@ func (rc *RunContext) startJobContainer() common.Executor {
 		}
 
 		rc.JobContainer = container.NewContainer(&container.NewContainerInput{
-			Cmd:         nil,
-			Entrypoint:  []string{"/bin/sleep", fmt.Sprint(rc.Config.ContainerMaxLifetime.Round(time.Second).Seconds())},
-			WorkingDir:  ext.ToContainerPath(rc.Config.Workdir),
-			Image:       image,
-			Username:    username,
-			Password:    password,
-			Name:        name,
-			Env:         envList,
-			Mounts:      mounts,
-			NetworkMode: rc.Config.ContainerNetworkMode,
-			Binds:       binds,
-			Stdout:      logWriter,
-			Stderr:      logWriter,
-			Privileged:  rc.Config.Privileged,
-			UsernsMode:  rc.Config.UsernsMode,
-			Platform:    rc.Config.ContainerArchitecture,
-			Options:     rc.options(ctx),
-			AutoRemove:  rc.Config.AutoRemove,
+			Cmd:            nil,
+			Entrypoint:     []string{"/bin/sleep", fmt.Sprint(rc.Config.ContainerMaxLifetime.Round(time.Second).Seconds())},
+			WorkingDir:     ext.ToContainerPath(rc.Config.Workdir),
+			Image:          image,
+			Username:       username,
+			Password:       password,
+			Name:           name,
+			Env:            envList,
+			Mounts:         mounts,
+			NetworkMode:    networkName,
+			NetworkAliases: []string{rc.Name},
+			Binds:          binds,
+			Stdout:         logWriter,
+			Stderr:         logWriter,
+			Privileged:     rc.Config.Privileged,
+			UsernsMode:     rc.Config.UsernsMode,
+			Platform:       rc.Config.ContainerArchitecture,
+			Options:        rc.options(ctx),
+			AutoRemove:     rc.Config.AutoRemove,
+			ValidVolumes:   rc.Config.ValidVolumes,
 		})
 		if rc.JobContainer == nil {
 			return errors.New("Failed to create job container")
 		}
 
-		networkName := fmt.Sprintf("%s-network", rc.jobContainerName())
 		return common.NewPipelineExecutor(
 			rc.pullServicesImages(rc.Config.ForcePull),
 			rc.JobContainer.Pull(rc.Config.ForcePull),
-			rc.stopServiceContainers(),
-			rc.stopJobContainer(),
-			func(ctx context.Context) error {
-				err := rc.removeNetwork(networkName)(ctx)
-				if errdefs.IsNotFound(err) {
-					return nil
-				}
-				return err
-			},
-			rc.createNetwork(networkName),
+			rc.createNetwork(networkName).IfBool(rc.Config.ContainerNetworkMode == ""), // if the value of `ContainerNetworkMode` is empty string, then will create a new network for containers.
 			rc.startServiceContainers(networkName),
 			rc.JobContainer.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 			rc.JobContainer.Start(false),
-			rc.JobContainer.ConnectToNetwork(networkName),
 			rc.JobContainer.Copy(rc.JobContainer.GetActPath()+"/", &container.FileEntry{
 				Name: "workflow/event.json",
 				Mode: 0o644,
@@ -474,7 +492,6 @@ func (rc *RunContext) startServiceContainers(networkName string) common.Executor
 				c.Pull(false),
 				c.Create(rc.Config.ContainerCapAdd, rc.Config.ContainerCapDrop),
 				c.Start(false),
-				c.ConnectToNetwork(networkName),
 			))
 		}
 		return common.NewParallelExecutor(len(execs), execs...)(ctx)
@@ -727,10 +744,6 @@ func (rc *RunContext) getStepsContext() map[string]*model.StepResult {
 	return rc.StepResults
 }
 
-func (rc *RunContext) getVarsContext() map[string]string {
-	return rc.Config.Vars
-}
-
 func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext {
 	logger := common.Logger(ctx)
 	ghc := &model.GithubContext{
@@ -1025,3 +1038,30 @@ func (rc *RunContext) handleServiceCredentials(ctx context.Context, creds map[st
 
 	return
 }
+
+// GetServiceBindsAndMounts returns the binds and mounts for the service container, resolving paths as appopriate
+func (rc *RunContext) GetServiceBindsAndMounts(svcVolumes []string) ([]string, map[string]string) {
+	if rc.Config.ContainerDaemonSocket == "" {
+		rc.Config.ContainerDaemonSocket = "/var/run/docker.sock"
+	}
+	binds := []string{}
+	if rc.Config.ContainerDaemonSocket != "-" {
+		daemonPath := getDockerDaemonSocketMountPath(rc.Config.ContainerDaemonSocket)
+		binds = append(binds, fmt.Sprintf("%s:%s", daemonPath, "/var/run/docker.sock"))
+	}
+
+	mounts := map[string]string{}
+
+	for _, v := range svcVolumes {
+		if !strings.Contains(v, ":") || filepath.IsAbs(v) {
+			// Bind anonymous volume or host file.
+			binds = append(binds, v)
+		} else {
+			// Mount existing volume.
+			paths := strings.SplitN(v, ":", 2)
+			mounts[paths[0]] = paths[1]
+		}
+	}
+
+	return binds, mounts
+}

pkg/runner/runner.go

@@ -5,9 +5,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 
+	docker_container "github.com/docker/docker/api/types/container"
 	"github.com/nektos/act/pkg/common"
 	"github.com/nektos/act/pkg/container"
 	"github.com/nektos/act/pkg/model"
@@ -34,6 +36,7 @@ type Config struct {
 	Env                                map[string]string          // env for containers
 	Inputs                             map[string]string          // manually passed action inputs
 	Secrets                            map[string]string          // list of secrets
+	Vars                               map[string]string          // list of vars
 	Token                              string                     // GitHub token
 	InsecureSecrets                    bool                       // switch hiding output when printing to terminal
 	Platforms                          map[string]string          // list of platforms
@@ -60,11 +63,12 @@ type Config struct {
 	EventJSON             string                       // the content of JSON file to use for event.json in containers, overrides EventPath
 	ContainerNamePrefix   string                       // the prefix of container name
 	ContainerMaxLifetime  time.Duration                // the max lifetime of job containers
-	ContainerNetworkMode  string                       // the network mode of job containers
-	DefaultActionInstance string                       // the default actions web site
+	ContainerNetworkMode  docker_container.NetworkMode // the network mode of job containers (the value of --network)
+	DefaultActionInstance string                       // Deprecated: use DefaultActionsURLs instead.
+	DefaultActionsURLs    []string                     // urls from gitea's `DEFAULT_ACTIONS_URL` config
 	PlatformPicker        func(labels []string) string // platform picker, it will take precedence over Platforms if isn't nil
 	JobLoggerLevel        *log.Level                   // the level of job logger
-	Vars                  map[string]string            // the list of variables set at the repository, environment, or organization levels.
+	ValidVolumes          []string                     // only volumes (and bind mounts) in this slice can be mounted on the job container or service containers
 }
 
 // GetToken: Adapt to Gitea

pkg/runner/step_action_remote.go

@@ -5,11 +5,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"time"
 
 	gogit "github.com/go-git/go-git/v5"
 
@@ -18,6 +20,8 @@ import (
 	"github.com/nektos/act/pkg/model"
 )
 
+var detectActionClient = http.Client{Timeout: 5 * time.Second}
+
 type stepActionRemote struct {
 	Step                *model.Step
 	RunContext          *RunContext
@@ -57,9 +61,14 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 			}
 		}
 
+		cloneURL, err := sar.remoteAction.GetAvailableCloneURL(sar.RunContext.Config.DefaultActionsURLs)
+		if err != nil {
+			return fmt.Errorf("failed to get available clone url of [%s] action, error: %w", sar.Step.Uses, err)
+		}
+
 		actionDir := fmt.Sprintf("%s/%s", sar.RunContext.ActionCacheDir(), safeFilename(sar.Step.Uses))
 		gitClone := stepActionRemoteNewCloneExecutor(git.NewGitCloneExecutorInput{
-			URL:   sar.remoteAction.CloneURL(sar.RunContext.Config.DefaultActionInstance),
+			URL:   cloneURL,
 			Ref:   sar.remoteAction.Ref,
 			Dir:   actionDir,
 			Token: "", /*
@@ -232,6 +241,29 @@ func (ra *remoteAction) IsCheckout() bool {
 	return false
 }
 
+func (ra *remoteAction) GetAvailableCloneURL(actionURLs []string) (string, error) {
+	for _, u := range actionURLs {
+		cloneURL := ra.CloneURL(u)
+		resp, err := detectActionClient.Get(cloneURL)
+		if err != nil {
+			return "", err
+		}
+		defer resp.Body.Close()
+
+		switch resp.StatusCode {
+		case http.StatusOK:
+			return cloneURL, nil
+		case http.StatusNotFound:
+			continue
+
+		default:
+			return "", fmt.Errorf("unexpected http status code: %d", resp.StatusCode)
+		}
+	}
+
+	return "", fmt.Errorf("no available url found")
+}
+
 func newRemoteAction(action string) *remoteAction {
 	// support http(s)://host/owner/repo@v3
 	for _, schema := range []string{"https://", "http://"} {