fix: provide token only when cloning actions from same instance

act/runner/step_action_remote.go

@@ -108,17 +108,22 @@ func (sar *stepActionRemote) prepareActionExecutor() common.Executor {
 		}
 
 		actionDir := filepath.Join(sar.RunContext.ActionCacheDir(), sar.Step.UsesHash())
+
+		// Determine token: provide it only if the action is from the same instance
+		token := ""
+		actionURL := sar.remoteAction.URL
+		if actionURL == "" {
+			actionURL = sar.RunContext.Config.DefaultActionInstance
+		}
+		if isSameInstance(actionURL, sar.RunContext.Config.GitHubInstance) {
+			token = sar.RunContext.Config.GetToken()
+		}
+
 		gitClone := stepActionRemoteNewCloneExecutor(git.NewGitCloneExecutorInput{
-			URL:   sar.remoteAction.CloneURL(sar.RunContext.Config.DefaultActionInstance),
-			Ref:   sar.remoteAction.Ref,
-			Dir:   actionDir,
-			Token: "", /*
-				Shouldn't provide token when cloning actions,
-				the token comes from the instance which triggered the task,
-				however, it might be not the same instance which provides actions.
-				For GitHub, they are the same, always github.com.
-				But for Gitea, tasks triggered by a.com can clone actions from b.com.
-			*/
+			URL:         sar.remoteAction.CloneURL(sar.RunContext.Config.DefaultActionInstance),
+			Ref:         sar.remoteAction.Ref,
+			Dir:         actionDir,
+			Token:       token,
 			OfflineMode: sar.RunContext.Config.ActionOfflineMode,
 
 			InsecureSkipTLS: sar.cloneSkipTLS(), // For Gitea