go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Using Service in Action breaks Authentication to Gitea Container Registry #31833

Open belowm opened 4 weeks ago

belowm commented 4 weeks ago

Description

Defining a service seems to invalidate credentials given to check out main container.

This works just fine:

name: Some Action
on: [push]
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    container:      
      image: git.foobar.myhost.tld/foobar/foobar-dev:latest
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_TOKEN }}    
    steps:
      - name: Nothing really
        run: echo "Hello, world!"

The logs of the Set up job step show that the credentials are used (username=***):

Start image=git.foobar.myhost.tld/foobar/foobar-dev:latest
  docker pull image=git.foobar.myhost.tld/foobar/foobar-dev:latest platform= username=*** forcePull=true
  docker pull git.foobar.myhost.tld/foobar/foobar-dev:latest

Now, adding a service (without credentials) to the action, results in credentials for the main container being empty:

name: Build Project
on: [push]
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    container:      
      image: git.foobar.myhost.tld/foobar/foobar-dev:latest
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_TOKEN }}    
    services:
      db:
        image: postgres:16.4
        shm_size: 128mb
        environment:
          POSTGRES_PASSWORD: foobar
    steps:
      - name: Nothing really
        run: echo "Hello, world!"

The logs show that the credentials are no longer being used (username=):

  Start image=git.foobar.myhost.tld/foobar/foobar-dev:latest
  docker pull image=docker.io/library/postgres:16.4 platform= username= forcePull=true
  docker pull docker.io/library/postgres:16.4
pulling image 'docker.io/library/postgres:16.4' ()
Pulling from library/postgres :: 16.4
Digest: sha256:59c554e6f26822fd489ebbdef431457db2debd0c5762b24f11f603db5b91dfcc :: 
Status: Image is up to date for postgres:16.4 :: 
  docker pull image=git.foobar.myhost.tld/foobar/foobar-dev:latest platform= username= forcePull=true
  docker pull git.foobar.myhost.tld/foobar/foobar-dev:latest
pulling image 'git.foobar.myhost.tld/foobar/foobar-dev:latest' ()
Error response from daemon: unauthorized: authentication required

I guess this bug is in https://github.com/nektos/act/blob/master/pkg/runner/run_context.go, where main container credentials are overwritten by service credentials (even if the latter are empty).

Gitea Version

1.22.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

(logs are inlined in the issue)

Screenshots

No response

Git Version

2.43.0

Operating System

Ubuntu 24.04 LTS

How are you running Gitea?

self-hosted via docker

Database

SQLite
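
The overwrite described in this report, reduced to a stand-alone Go model. This is an added example, not code from nektos/act or act_runner; `Credentials`, `Service`, `Pull`, `planPulls` and the sample values are hypothetical names constructed for illustration.

```go
package main

import "fmt"

// Credentials mirrors a workflow `credentials:` block (hypothetical type).
type Credentials struct{ Username, Password string }

// Service is a constructed stand-in for one entry under `services:`.
type Service struct {
	Image string
	Creds Credentials
}

// Pull records what a simulated `docker pull` would authenticate with.
type Pull struct {
	Image, Username string
	HasPassword     bool
}

// planPulls lists the pulls for one job: services first, job container last,
// the same order as in the log above. loopLocal=false reuses the job-level
// variables inside the service loop (the reported behaviour); loopLocal=true
// declares separate variables for each service.
func planPulls(jobImage string, job Credentials, services []Service, loopLocal bool) []Pull {
	username, password := job.Username, job.Password
	var pulls []Pull
	for _, s := range services {
		if loopLocal {
			svcUser, svcPass := s.Creds.Username, s.Creds.Password
			pulls = append(pulls, Pull{s.Image, svcUser, svcPass != ""})
			continue
		}
		// Plain assignment: empty service credentials wipe the job's.
		username, password = s.Creds.Username, s.Creds.Password
		pulls = append(pulls, Pull{s.Image, username, password != ""})
	}
	return append(pulls, Pull{jobImage, username, password != ""})
}

func main() {
	job := Credentials{"ci-user", "constructed-token"} // constructed sample values
	svcs := []Service{{Image: "docker.io/library/postgres:16.4"}}
	for _, loopLocal := range []bool{false, true} {
		for _, p := range planPulls("git.foobar.myhost.tld/foobar/foobar-dev:latest", job, svcs, loopLocal) {
			fmt.Printf("loopLocal=%v docker pull image=%s username=%q password_set=%v\n",
				loopLocal, p.Image, p.Username, p.HasPassword)
		}
	}
}
```

With `loopLocal=false` the final pull of the private image goes out with an empty username, which matches the `username=` line followed by `unauthorized: authentication required` in the log.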

belowm commented 4 weeks ago

Fixing this should be as easy as:

index 8abc435..b78bbc7 100644
--- a/pkg/runner/run_context.go
+++ b/pkg/runner/run_context.go
@@ -293,7 +293,7 @@ func (rc *RunContext) startJobContainer() common.Executor {
                        for k, v := range interpolatedEnvs {
                                envs = append(envs, fmt.Sprintf("%s=%s", k, v))
                        }
-                       username, password, err = rc.handleServiceCredentials(ctx, spec.Credentials)
+                       username, password, err := rc.handleServiceCredentials(ctx, spec.Credentials)
                        if err != nil {
                                return fmt.Errorf("failed to handle service %s credentials: %w", serviceID, err)
                        }
belowm commented 4 weeks ago

Sorry for misplacing this issue, it should have gone into https://gitea.com/gitea/act_runner of course.

wolfogre commented 4 weeks ago

@belowm I noticed that you pushed a commit for this, could you please post a PR to nektos/act? And I'll review it and port it to act_runner.

belowm commented 3 weeks ago

@wolfogre I'd like to, but didn't have the time to set things up so that I can build and test the project. I can probably look into this by the end of this week. BTW - have you considered adding a devcontainer configuration to the project? That would allow new developers to get things running more easily.