v1.12.0 and newer releases don't support nested invocations from composite actions

[vprivat-ads]

The new release fails for our repository, because our organization name contains uppercase characters:

https://github.com/RS-PYTHON/rs-server/actions/runs/11725422733/job/32661677233#step:4:169

/usr/bin/docker run --name ghcrioRSPYTHONrsserverv02a6_5ffa5f (...) ghcr.io/RS-PYTHON/rs-server:v0.2a6
docker: invalid reference format: repository name (RS-PYTHON/rs-server) must be lowercase.

I guess in this line, $GITHUB_REPOSITORY shall be converted to lowercase as per this example.

[webknjaz]

No, that's not it. This is because it doesn't reference our existing image. It's probably caused by the use of a nested composite action that messes up the repo references. We'd need to figure out how to extract proper values in such an environment. I suppose this could count as a regression but the reality is that we never tested this scenario so it was never on the supported list. Would you volunteer to debug it?

[webknjaz]

If we can't rely on ${{ github.action_repository }}, though, I'm not sure where to extract this value from. The tag value is also wrong.

[webknjaz]

Essentially, it's a duplicate of #291 that I thought was fixed. But the more I look into it, the more I realize that it might be a bug within GitHub itself (in how they set the context for the nested action invocations).

[webknjaz]

By the way, you're building wheels in the same job as publishing, which elevates privileges for the entire build the toolchain, including transitive dependencies. This is insecure and heavily discouraged.

[vprivat-ads]

@webknjaz thank you for noticing the security issue, I'm going to check it.

[vprivat-ads]

And yes I'm ok to help you debug it :)

[webknjaz]

@vprivat-ads so we need a way to access the running action's repo org/name + tag. I can come up with a workaround for the slug (a dirty hack but still). Yet, I have no idea how to access the version reiably.

FWIW, I think it's best to document the limitation and leave it be. It would cultivate better usage practices long-term.

[vprivat-ads]

@webknjaz ok, thank you! We have changed our workflows to get rid of the composite action, and fixed the security issue. Thanks a lot for your support :+1: