`github.action_repository` and `github.action_ref` are empty in `run` for composite actions

[jsoref]

Describe the bug github.action_repository and github.action_ref are empty in run for composite actions

To Reproduce

1. Set up a workflow that uses an action that uses github.action_repository / github.action_ref in run in a step.
2. Trigger a run for the workflow

Expected behavior github.action_repository / github.action_ref should be filled in for run just as it is for env

Runner Version and Platform

Version of your runner? Current runner version: '2.302.1'

OS of the machine running the runner? ubuntu-latest

What's not working?

github.action_repository / github.action_ref are empty

Job Log Output

https://github.com/check-spelling/gotosocial/actions/runs/4337164095/jobs/7572980729

2023-03-05T17:20:23.2256789Z ##[group]Run set -x
2023-03-05T17:20:23.2257101Z set -x
2023-03-05T17:20:23.2257452Z THIS_ACTION_PATH=$(perl -pe 's#/\./#/#g; s#//+#/#g; s#/$##g' <<< "/home/runner/work/_actions/jsoref/check-spelling/prerelease")
2023-03-05T17:20:23.2257784Z (
2023-03-05T17:20:23.2258036Z   echo "THIS_ACTION_PATH=$THIS_ACTION_PATH"
2023-03-05T17:20:23.2258338Z   echo "PATH=$THIS_ACTION_PATH/wrappers:$PATH"
2023-03-05T17:20:23.2258580Z   echo "TASK="
2023-03-05T17:20:23.2258804Z   echo "DO_CHECKOUT=true"
2023-03-05T17:20:23.2259041Z   echo "FETCH_DEPTH=1"
2023-03-05T17:20:23.2259258Z   echo "USE_SARIF=1"
2023-03-05T17:20:23.2259493Z   echo "ALTERNATE_ENGINE="
2023-03-05T17:20:23.2259786Z   echo "GH_ACTION_REPOSITORY=check-spelling/gotosocial"
2023-03-05T17:20:23.2260118Z   echo "GH_ACTION_REF=spell-check-with-spelling"
2023-03-05T17:20:23.2260388Z ) >> "$GITHUB_ENV"
2023-03-05T17:20:23.2316490Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2023-03-05T17:20:23.2316815Z ##[endgroup]
2023-03-05T17:20:23.2565697Z ++ perl -pe 's#/\./#/#g; s#//+#/#g; s#/$##g'
2023-03-05T17:20:23.2566247Z + THIS_ACTION_PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease
2023-03-05T17:20:23.2566736Z + echo THIS_ACTION_PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease
2023-03-05T17:20:23.2567757Z + echo PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease/wrappers:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
2023-03-05T17:20:23.2569271Z + echo TASK=
2023-03-05T17:20:23.2569494Z + echo DO_CHECKOUT=true
2023-03-05T17:20:23.2569701Z + echo FETCH_DEPTH=1
2023-03-05T17:20:23.2569913Z + echo USE_SARIF=1
2023-03-05T17:20:23.2570127Z + echo ALTERNATE_ENGINE=
2023-03-05T17:20:23.2570470Z + echo GH_ACTION_REPOSITORY=check-spelling/gotosocial
2023-03-05T17:20:23.2570843Z + echo GH_ACTION_REF=spell-check-with-spelling
2023-03-05T17:20:23.2755350Z ##[group]Run secpoll

Runner and Worker's Diagnostic Logs

If applicable, add relevant diagnostic log information. Logs are located in the runner's _diag folder. The runner logs are prefixed with Runner_ and the worker logs are prefixed with Worker_. Each job run correlates to a worker log. All sensitive information should already be masked out, but please double-check before pasting here.

[jsoref]

Cross filed as: https://github.com/orgs/community/discussions/49245#discussioncomment-5209064 https://support.github.com/ticket/personal/0/2042233 https://github.com/github/docs/issues/25336#issuecomment-1736251764

[JamesMGreene]

Accidentally duplicated with #2525 😅

Leaving it open for now in case there is other useful info in it. 🤷🏻

[ChristopherHX]

Seems like there has been an update to the support ticket: https://github.com/github/docs/issues/25336. I'm linking it here to connect those issues, however the response quoted in the linked docs issue reads like won't fix.

[ssbarnea]

Am I missing something or this means that is impossible to use a specific version of the action due to this bug?

[jsoref]

No, your action will still run, you just won't easily know where your action came from and what version you are. If you burn that info into your repo w/ files, you could get info that way. And iirc I had some way to work around this, it's just fairly annoying.

[ssbarnea]

We use dynamic versioning based on github tags, so basically is impossible for the code to discover its own version and tell user to upgrade if needed, code that we already had implemented for normal usage.

Is bit perplexed by the fact that that all that happens seems more like on-purpose to make it impossible to know:

• action code is not cloned, so no access to tags or even ref number
• no environment variable exposed regarding who called it and with which what @tag

[jsoref]

Yes, I sympathize -- that's why I filed this.

Fwiw, there is a workaround noted in https://github.com/github/docs/issues/25336#issuecomment-1736251764 (I think @ChristopherHX might have suggested it somewhere), and it looks like they're going to document this quirk in the near future.

Basically my action.yml defines an env: for each of the things i need and then I can use them within the run: space via that environment variable.

[ChristopherHX]

Yeah I mentioned this in https://github.com/orgs/community/discussions/49245#discussioncomment-5209064.

Keep in mind local action call syntax (./) doesn't have an action_ref, that's why most action ci will have empty values if using it for tests...

A similar problems happens by using ${{ github.action_path }} in the run step (a different issue exists https://github.com/actions/runner/issues/716) it's not empty, but may contain the host path in the run step if not passed by env section.

It's totally unsafe to use run: ${{..}}, but it's the easiest way to get it wrong and allow script injection..

composite actions are quite buggy and some very old issues about them are not fixed within 1 year, even if a pr has been contributed

[jsoref]

Right, which means this is how I worked around it: https://github.com/check-spelling/check-spelling/blob/ed14e107b2404ceec4db32161bc3cc353b123b46/.github/workflows/spelling.yml#L114 https://github.com/check-spelling/check-spelling/blob/ed14e107b2404ceec4db32161bc3cc353b123b46/action.yml#L522-L523

It's good enough for testing...

[copdips]

it seems that the workaround doesnt work for embedded composite actions, it seems that it shows the top level action ref always. Say: workflow1 calls action1@ref1 calls action2@ref2.

following code in the action2 returns: action_ref: ref1 while I expect action_ref: ref2

run: |
  echo "action_ref: $action_ref"
env:
  action_ref: ${{ github.action_ref }}

[ChristopherHX]

Thanks for letting me know that my initial workaround is affected by another actions/runner bug..., if we nest composite actions (Sadly local composite actions break all post steps inputs)

inputs:
  action_ref:
    default: ${{ github.action_ref }} # Downside the user can override it
runs:
  using: composite
  steps:
  - uses: actions/github-script@v5
    with:
      script: |
                console.log('${{ github.action_ref }}'); # broken, returns v5
  - run: echo ${{ env.ref }}
    env:
      ref: ${{ github.action_ref }} # broken
    shell: bash
  - run: echo ${{ env.ref }}
    env:
      ref: ${{ inputs.action_ref }} # works
    shell: bash
  - run: echo ${{ inputs.action_ref }} # works
    shell: bash

Expected log output

``` ##[group]Run Christopher/nested-composite-get-ref@main ##[endgroup] ##[group]Run echo main echo main shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} env: ref: main ##[endgroup] main ##[group]Run Christopher/nested-composite-get-ref@me with: action_ref: me ##[endgroup] ##[group]Run actions/github-script@v5 with: script: console.log('v5'); github-token: *** debug: false user-agent: actions/github-script result-encoding: json ##[endgroup] v5 ##[group]Run echo main echo main shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} env: ref: main ##[endgroup] main ##[group]Run echo me echo me shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} env: ref: me ##[endgroup] me ##[group]Run echo me echo me shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} ##[endgroup] me ```

To recap you could try the following ( verified locally using actions runner 2.309.0 )

inputs:
  action_ref:
    default: ${{ github.action_ref }}
runs:
  using: composite
  steps:
  - run: echo ${{ inputs.action_ref }}
    shell: bash

[copdips]

inputs:
  action_ref:
    default: ${{ github.action_ref }}

Thanks for the prompt reply, with inputs default value, it's working now, this is really tricky :)

[lure8225]

Any update on this? We seem to have also just hit this problem, still seems to be an issue