fix(workflow): point to correct repo

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [code.forgejo.org/forgejo/forgejo](https://forgejo.org) ([source](https://codeberg.org/forgejo/forgejo)) | patch | `11.0.6` -> `11.0.7` |

---

### Release Notes

<details>
<summary>forgejo/forgejo (code.forgejo.org/forgejo/forgejo)</summary>

### [`v11.0.7`](https://codeberg.org/forgejo/forgejo/releases/tag/v11.0.7)

[Compare Source](https://codeberg.org/forgejo/forgejo/compare/v11.0.6...v11.0.7)

See <https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/11.0.7.md>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNTIuOSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Mi45IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJLaW5kL0RlcGVuZGVuY3lVcGRhdGUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyJdfQ==-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1113
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>

.forgejo/workflows/build-ipcei.yml

@@ -0,0 +1,27 @@
+name: ci
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ">=1.25.1"
+      - name: Test code
+        run: make test
+      - name: Run GoReleaser
+        uses: https://github.com/goreleaser/goreleaser-action@v6
+        env:
+          GITEA_TOKEN: ${{ secrets.PACKAGES_TOKEN }}
+        with:
+          args: release --clean

.forgejo/workflows/build-release-integration.yml

@@ -19,7 +19,7 @@ on:
 enable-email-notifications: true
 
 env:
-  FORGEJO_VERSION: 11.0.6 # renovate: datasource=docker depName=code.forgejo.org/forgejo/forgejo
+  FORGEJO_VERSION: 11.0.7 # renovate: datasource=docker depName=code.forgejo.org/forgejo/forgejo
 
 jobs:
   release-simulation:

.forgejo/workflows/docker-build-push-action-in-lxc.yml

@@ -21,7 +21,7 @@ on:
 enable-email-notifications: true
 
 env:
-  FORGEJO_VERSION: 11.0.6 # renovate: datasource=docker depName=code.forgejo.org/forgejo/forgejo
+  FORGEJO_VERSION: 11.0.7 # renovate: datasource=docker depName=code.forgejo.org/forgejo/forgejo
   FORGEJO_USER: root
   FORGEJO_PASSWORD: admin1234
 

.forgejo/workflows/example-lxc-systemd.yml

@@ -14,6 +14,7 @@ env:
   SERIAL: "30"
   LIFETIME: "60"
   SYSTEMD_OPTIONS: "--no-pager --full"
+  USE_VERSION: 11.0.7 # renovate: datasource=docker depName=code.forgejo.org/forgejo/forgejo
 
 jobs:
   example-lxc-systemd:
@@ -57,7 +58,7 @@ jobs:
          with:
            user: root
            password: admin1234
-           binary: https://code.forgejo.org/forgejo/forgejo/releases/download/v7.0.12/forgejo-7.0.12-linux-amd64
+           binary: https://code.forgejo.org/forgejo/forgejo/releases/download/v${{ env.USE_VERSION }}/forgejo-${{ env.USE_VERSION }}-linux-amd64
            # must be the same as LXC_IPV4_PREFIX in examples/lxc-systemd/forgejo-runner-service.sh
            lxc-ip-prefix: 10.105.7
 

.goreleaser.yaml

@@ -0,0 +1,60 @@
+version: 2
+
+before:
+  hooks:
+    - go mod download
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+
+archives:
+  - formats: [binary]
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+
+changelog:
+  abbrev: 10
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+  format: "{{.SHA}}: {{.Message}}"
+  groups:
+    - title: Features
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 0
+    - title: "Bug fixes"
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 1
+    - title: "Chores"
+      regexp: '^.*?chore(\([[:word:]]+\))??!?:.+$'
+      order: 2
+    - title: Others
+      order: 999
+  sort: asc
+
+release:
+  gitea:
+    owner: DevFW-CICD
+    name: runner
+
+force_token: gitea
+gitea_urls:
+  api: https://edp.buildth.ing/api/v1
+  download: https://edp.buildth.ing
+  # set to true if you use a self-signed certificate
+  skip_tls_verify: false

Dockerfile

@@ -1,6 +1,6 @@
 FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
 
-FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.22 AS build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.25-alpine3.22 AS build-env
 
 #
 # Transparently cross compile for the target platform

act/artifactcache/handler.go

@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
-	"syscall"
 	"time"
 
 	"github.com/julienschmidt/httprouter"
@@ -25,7 +24,7 @@ const (
 
 var fatal = func(logger logrus.FieldLogger, err error) {
 	logger.Errorf("unrecoverable error in the cache: %v", err)
-	if err := syscall.Kill(syscall.Getpid(), syscall.SIGTERM); err != nil {
+	if err := suicide(); err != nil {
 		logger.Errorf("unrecoverable error in the cache: failed to send the TERM signal to shutdown the daemon %v", err)
 	}
 }

act/artifactcache/utils.go

@@ -0,0 +1,9 @@
+//go:build !windows
+
+package artifactcache
+
+import "syscall"
+
+func suicide() error {
+	return syscall.Kill(syscall.Getpid(), syscall.SIGTERM)
+}

act/artifactcache/utils_windows.go

@@ -0,0 +1,14 @@
+//go:build windows
+
+package artifactcache
+
+import "syscall"
+
+func suicide() error {
+	handle, err := syscall.GetCurrentProcess()
+	if err != nil {
+		return err
+	}
+
+	return syscall.TerminateProcess(handle, uint32(syscall.SIGTERM))
+}

act/cacheproxy/handler.go

@@ -64,7 +64,7 @@ func StartHandler(targetHost, outboundIP string, port uint16, cacheProxyHostOver
 		discard.Out = io.Discard
 		logger = discard
 	}
-	logger = logger.WithField("module", "artifactcache")
+	logger = logger.WithField("module", "cacheproxy")
 	h.logger = logger
 
 	h.cacheSecret = cacheSecret
@@ -82,7 +82,7 @@ func StartHandler(targetHost, outboundIP string, port uint16, cacheProxyHostOver
 
 	proxy, err := h.newReverseProxy(targetHost)
 	if err != nil {
-		return nil, fmt.Errorf("unable to set up proxy to target host")
+		return nil, fmt.Errorf("unable to set up proxy to target host: %v", err)
 	}
 
 	router := httprouter.New()
@@ -139,6 +139,7 @@ func (h *Handler) newReverseProxy(targetHost string) (*httputil.ReverseProxy, er
 
 			r.SetURL(targetURL)
 			r.Out.URL.Path = uri
+			h.logger.Debugf("proxy req %s %q to %q", r.In.Method, r.In.URL, r.Out.URL)
 
 			r.Out.Header.Set("Forgejo-Cache-Repo", runData.RepositoryFullName)
 			r.Out.Header.Set("Forgejo-Cache-RunNumber", runData.RunNumber)
@@ -150,6 +151,10 @@ func (h *Handler) newReverseProxy(targetHost string) (*httputil.ReverseProxy, er
 				r.Out.Header.Set("Forgejo-Cache-WriteIsolationKey", runData.WriteIsolationKey)
 			}
 		},
+		ModifyResponse: func(r *http.Response) error {
+			h.logger.Debugf("proxy resp %s w/ %d bytes", r.Status, r.ContentLength)
+			return nil
+		},
 	}
 	return proxy, nil
 }

act/common/git/git.go

@@ -305,7 +305,7 @@ func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.Pu
 func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
 	return func(ctx context.Context) error {
 		logger := common.Logger(ctx)
-		logger.Infof("  \u2601  git clone '%s' # ref=%s", input.URL, input.Ref)
+		logger.Infof("  \u2601\ufe0f  git clone '%s' # ref=%s", input.URL, input.Ref)
 		logger.Debugf("  cloning %s to %s", input.URL, input.Dir)
 
 		cloneLock.Lock()

act/container/docker_run.go

@@ -483,6 +483,14 @@ func (cr *containerReference) mergeJobOptions(ctx context.Context, config *conta
 		}
 	}
 
+	if jobConfig.HostConfig.Memory > 0 {
+		logger.Debugf("--memory %v", jobConfig.HostConfig.Memory)
+		if hostConfig.Memory > 0 && jobConfig.HostConfig.Memory > hostConfig.Memory {
+			return nil, nil, fmt.Errorf("the --memory %v option found in the workflow cannot be greater than the --memory %v option from the runner configuration file", jobConfig.HostConfig.Memory, hostConfig.Memory)
+		}
+		hostConfig.Memory = jobConfig.HostConfig.Memory
+	}
+
 	if len(jobConfig.Config.Hostname) > 0 {
 		logger.Debugf("--hostname %v", jobConfig.Config.Hostname)
 		config.Hostname = jobConfig.Config.Hostname

act/container/host_environment.go

@@ -34,7 +34,6 @@ type HostEnvironment struct {
 	Workdir   string
 	ActPath   string
 	Root      string
-	CleanUp   func()
 	StdOut    io.Writer
 	LXC       bool
 }
@@ -404,11 +403,12 @@ func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string)
 
 func (e *HostEnvironment) Remove() common.Executor {
 	return func(ctx context.Context) error {
-		if e.CleanUp != nil {
+		if e.GetLXC() {
-			e.CleanUp()
+			// there may be files owned by root: removal
+			// is the responsibility of the LXC backend
+			return nil
 		}
-		common.Logger(ctx).Debugf("HostEnvironment.Remove %s", e.Path)
+		return os.RemoveAll(e.Root)
-		return os.RemoveAll(e.Path)
 	}
 }
 

act/jobparser/model.go

@@ -2,6 +2,7 @@ package jobparser
 
 import (
 	"fmt"
+	"strings"
 
 	"code.forgejo.org/forgejo/runner/v11/act/model"
 	"go.yaml.in/yaml/v3"
@@ -226,7 +227,7 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		var val string
 		err := rawOn.Decode(&val)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("unable to interpret scalar value into a string: %w", err)
 		}
 		return []*Event{
 			{Name: val},
@@ -238,12 +239,12 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 			return nil, err
 		}
 		res := make([]*Event, 0, len(val))
-		for _, v := range val {
+		for i, v := range val {
 			switch t := v.(type) {
 			case string:
 				res = append(res, &Event{Name: t})
 			default:
-				return nil, fmt.Errorf("invalid type %T", t)
+				return nil, fmt.Errorf("value at index %d was unexpected type %[2]T; must be a string but was %#[2]v", i, v)
 			}
 		}
 		return res, nil
@@ -263,16 +264,6 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 				continue
 			}
 			switch t := v.(type) {
-			case string:
-				res = append(res, &Event{
-					Name: k,
-					acts: map[string][]string{},
-				})
-			case []string:
-				res = append(res, &Event{
-					Name: k,
-					acts: map[string][]string{},
-				})
 			case map[string]any:
 				acts := make(map[string][]string, len(t))
 				for act, branches := range t {
@@ -286,15 +277,15 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 						for i, v := range b {
 							var ok bool
 							if acts[act][i], ok = v.(string); !ok {
-								return nil, fmt.Errorf("unknown on type: %#v", branches)
+								return nil, fmt.Errorf("key %q.%q index %d had unexpected type %[4]T; a string was expected but was %#[4]v", k, act, i, v)
 							}
 						}
 					case map[string]any:
-						if isInvalidOnType(k, act) {
+						if err := isInvalidOnType(k, act); err != nil {
-							return nil, fmt.Errorf("unknown on type: %#v", v)
+							return nil, fmt.Errorf("invalid value on key %q: %w", k, err)
 						}
 					default:
-						return nil, fmt.Errorf("unknown on type: %#v", branches)
+						return nil, fmt.Errorf("key %q.%q had unexpected type %T; was %#v", k, act, branches, branches)
 					}
 				}
 				if k == "workflow_dispatch" || k == "workflow_call" {
@@ -306,19 +297,22 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 				})
 			case []any:
 				if k != "schedule" {
-					return nil, fmt.Errorf("unknown on type: %#v", v)
+					return nil, fmt.Errorf("key %q had an type %T; only the 'schedule' key is expected with this type", k, v)
 				}
 				schedules := make([]map[string]string, len(t))
 				for i, tt := range t {
 					vv, ok := tt.(map[string]any)
 					if !ok {
-						return nil, fmt.Errorf("unknown on type: %#v", v)
+						return nil, fmt.Errorf("key %q[%d] had unexpected type %[3]T; a map with a key \"cron\" was expected, but value was %#[3]v", k, i, tt)
 					}
 					schedules[i] = make(map[string]string, len(vv))
-					for k, vvv := range vv {
+					for kk, vvv := range vv {
+						if strings.ToLower(kk) != "cron" {
+							return nil, fmt.Errorf("key %q[%d] had unexpected key %q; \"cron\" was expected", k, i, kk)
+						}
 						var ok bool
-						if schedules[i][k], ok = vvv.(string); !ok {
+						if schedules[i][kk], ok = vvv.(string); !ok {
-							return nil, fmt.Errorf("unknown on type: %#v", v)
+							return nil, fmt.Errorf("key %q[%d].%q had unexpected type %[4]T; a string was expected by was %#[4]v", k, i, kk, vvv)
 						}
 					}
 				}
@@ -327,23 +321,29 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 					schedules: schedules,
 				})
 			default:
-				return nil, fmt.Errorf("unknown on type: %#v", v)
+				return nil, fmt.Errorf("key %q had unexpected type %[2]T; expected a map or array but was %#[2]v", k, v)
 			}
 		}
 		return res, nil
 	default:
-		return nil, fmt.Errorf("unknown on type: %v", rawOn.Kind)
+		return nil, fmt.Errorf("unexpected yaml node in `on`: %v", rawOn.Kind)
 	}
 }
 
-func isInvalidOnType(onType, subKey string) bool {
+func isInvalidOnType(onType, subKey string) error {
-	if onType == "workflow_dispatch" && subKey == "inputs" {
+	if onType == "workflow_dispatch" {
-		return false
+		if subKey == "inputs" {
+			return nil
+		}
+		return fmt.Errorf("workflow_dispatch only supports key \"inputs\", but key %q was found", subKey)
 	}
-	if onType == "workflow_call" && (subKey == "inputs" || subKey == "outputs") {
+	if onType == "workflow_call" {
-		return false
+		if subKey == "inputs" || subKey == "outputs" {
+			return nil
+		}
+		return fmt.Errorf("workflow_call only supports keys \"inputs\" and \"outputs\", but key %q was found", subKey)
 	}
-	return true
+	return fmt.Errorf("unexpected key %q.%q", onType, subKey)
 }
 
 // parseMappingNode parse a mapping node and preserve order.

act/jobparser/model_test.go

@@ -16,6 +16,7 @@ func TestParseRawOn(t *testing.T) {
 	kases := []struct {
 		input  string
 		result []*Event
+		err    string
 	}{
 		{
 			input: "on: issue_comment",
@@ -33,7 +34,10 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
-
+		{
+			input: "on: [123]",
+			err:   "value at index 0 was unexpected type int; must be a string but was 123",
+		},
 		{
 			input: "on:\n  - push\n  - pull_request",
 			result: []*Event{
@@ -45,6 +49,19 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			input: "on: { push: null }",
+			result: []*Event{
+				{
+					Name: "push",
+					acts: map[string][]string{},
+				},
+			},
+		},
+		{
+			input: "on: { push: 'abc' }",
+			err:   "key \"push\" had unexpected type string; expected a map or array but was \"abc\"",
+		},
 		{
 			input: "on:\n  push:\n    branches:\n      - master",
 			result: []*Event{
@@ -72,6 +89,10 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			input: "on:\n  branch_protection_rule:\n    types: [123, deleted]",
+			err:   "key \"branch_protection_rule\".\"types\" index 0 had unexpected type int; a string was expected but was 123",
+		},
 		{
 			input: "on:\n  project:\n    types: [created, deleted]\n  milestone:\n    types: [opened, deleted]",
 			result: []*Event{
@@ -189,6 +210,22 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
+		{
+			input: "on:\n  schedule2:\n    - cron: '20 6 * * *'",
+			err:   "key \"schedule2\" had an type []interface {}; only the 'schedule' key is expected with this type",
+		},
+		{
+			input: "on:\n  schedule:\n    - 123",
+			err:   "key \"schedule\"[0] had unexpected type int; a map with a key \"cron\" was expected, but value was 123",
+		},
+		{
+			input: "on:\n  schedule:\n    - corn: '20 6 * * *'",
+			err:   "key \"schedule\"[0] had unexpected key \"corn\"; \"cron\" was expected",
+		},
+		{
+			input: "on:\n  schedule:\n    - cron: 123",
+			err:   "key \"schedule\"[0].\"cron\" had unexpected type int; a string was expected by was 123",
+		},
 		{
 			input: `
 on:
@@ -222,15 +259,37 @@ on:
 				},
 			},
 		},
+		{
+			input: `
+on:
+  workflow_call:
+    mistake:
+      access-token:
+        description: 'A token passed from the caller workflow'
+        required: false
+`,
+			err: "invalid value on key \"workflow_call\": workflow_call only supports keys \"inputs\" and \"outputs\", but key \"mistake\" was found",
+		},
+		{
+			input: `
+on:
+  workflow_call: { map: 123 }
+`,
+			err: "key \"workflow_call\".\"map\" had unexpected type int; was 123",
+		},
 	}
 	for _, kase := range kases {
 		t.Run(kase.input, func(t *testing.T) {
 			origin, err := model.ReadWorkflow(strings.NewReader(kase.input), false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 
 			events, err := ParseRawOn(&origin.RawOn)
-			assert.NoError(t, err)
+			if kase.err != "" {
-			assert.EqualValues(t, kase.result, events, fmt.Sprintf("%#v", events))
+				assert.ErrorContains(t, err, kase.err)
+			} else {
+				assert.NoError(t, err)
+				assert.EqualValues(t, kase.result, events, fmt.Sprintf("%#v", events))
+			}
 		})
 	}
 }

act/runner/expression.go

@@ -479,8 +479,6 @@ func rewriteSubExpression(ctx context.Context, in string, forceFormat bool) (str
 func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *model.GithubContext) map[string]any {
 	inputs := map[string]any{}
 
-	setupWorkflowInputs(ctx, &inputs, rc)
-
 	var env map[string]string
 	if step != nil {
 		env = *step.getEnv()
@@ -494,6 +492,8 @@ func getEvaluatorInputs(ctx context.Context, rc *RunContext, step step, ghc *mod
 		}
 	}
 
+	setupWorkflowInputs(ctx, &inputs, rc)
+
 	if rc.caller == nil && ghc.EventName == "workflow_dispatch" {
 		config := rc.Run.Workflow.WorkflowDispatchConfig()
 		if config != nil && config.Inputs != nil {

act/runner/job_executor.go

@@ -180,31 +180,35 @@ func setJobResult(ctx context.Context, info jobInfo, rc *RunContext, success boo
 		jobResult = "failure"
 	}
 
+	// Set local result on current job (child or parent)
 	info.result(jobResult)
+
 	if rc.caller != nil {
-		// set reusable workflow job result
+		// Child reusable workflow:
+		// 1) propagate result to parent job state
 		rc.caller.runContext.result(jobResult)
+
+		// 2) copy workflow_call outputs from child to parent (as in upstream)
+		jobOutputs := make(map[string]string)
+		ee := rc.NewExpressionEvaluator(ctx)
+		if wfcc := rc.Run.Workflow.WorkflowCallConfig(); wfcc != nil {
+			for k, v := range wfcc.Outputs {
+				jobOutputs[k] = ee.Interpolate(ctx, ee.Interpolate(ctx, v.Value))
+			}
+		}
+		rc.caller.runContext.Run.Job().Outputs = jobOutputs
+
+		// 3) DO NOT print banner in child job (prevents premature token revocation)
+		logger.Debugf("Reusable job result=%s (parent will finalize, no banner)", jobResult)
+		return
 	}
 
+	// Parent job: print the final banner ONCE (job-level)
 	jobResultMessage := "succeeded"
 	if jobResult != "success" {
 		jobResultMessage = "failed"
 	}
-
 	jobOutputs := rc.Run.Job().Outputs
-	if rc.caller != nil {
-		// Rewrite the job's outputs into the workflow_call outputs...
-		jobOutputs = make(map[string]string)
-		ee := rc.NewExpressionEvaluator(ctx)
-		for k, v := range rc.Run.Workflow.WorkflowCallConfig().Outputs {
-			jobOutputs[k] = ee.Interpolate(ctx, ee.Interpolate(ctx, v.Value))
-		}
-		// When running as a daemon and receiving jobs from Forgejo, the next job (and any of it's `needs` outputs) will
-		// be provided by Forgejo based upon the data sent to the logger below.  However, when running `forgejo-runner
-		// exec` with a reusable workflow, the next job will only be able to read outputs if those outputs are stored on
-		// the workflow -- that's what is accomplished here:
-		rc.caller.runContext.Run.Job().Outputs = jobOutputs
-	}
 
 	logger.
 		WithFields(logrus.Fields{

act/runner/job_executor_test.go

@@ -444,3 +444,76 @@ func TestSetJobResultConcurrency(t *testing.T) {
 
 	assert.Equal(t, "failure", lastResult)
 }
+
+func TestSetJobResult_SkipsBannerInChildReusableWorkflow(t *testing.T) {
+	// Test that child reusable workflow does not print final banner
+	// to prevent premature token revocation
+
+	mockLogger := mocks.NewFieldLogger(t)
+	// Allow all variants of Debugf (git operations can call with 1-3 args)
+	mockLogger.On("Debugf", mock.Anything).Return(0).Maybe()
+	mockLogger.On("Debugf", mock.Anything, mock.Anything).Return(0).Maybe()
+	mockLogger.On("Debugf", mock.Anything, mock.Anything, mock.Anything).Return(0).Maybe()
+	// CRITICAL: In CI, git ref detection may fail and call Warningf
+	mockLogger.On("Warningf", mock.Anything, mock.Anything).Return(0).Maybe()
+	mockLogger.On("WithField", mock.Anything, mock.Anything).Return(&logrus.Entry{Logger: &logrus.Logger{}}).Maybe()
+	mockLogger.On("WithFields", mock.Anything).Return(&logrus.Entry{Logger: &logrus.Logger{}}).Maybe()
+
+	ctx := common.WithLogger(common.WithJobErrorContainer(t.Context()), mockLogger)
+
+	// Setup parent job
+	parentJob := &model.Job{
+		Result: "success",
+	}
+	parentRC := &RunContext{
+		Config: &Config{Env: map[string]string{}}, // Must have Config
+		Run: &model.Run{
+			JobID: "parent",
+			Workflow: &model.Workflow{
+				Jobs: map[string]*model.Job{
+					"parent": parentJob,
+				},
+			},
+		},
+	}
+
+	// Setup child job with caller reference
+	childJob := &model.Job{
+		Result: "success",
+	}
+	childRC := &RunContext{
+		Config: &Config{Env: map[string]string{}}, // Must have Config
+		Run: &model.Run{
+			JobID: "child",
+			Workflow: &model.Workflow{
+				Jobs: map[string]*model.Job{
+					"child": childJob,
+				},
+			},
+		},
+		caller: &caller{
+			runContext: parentRC,
+		},
+	}
+
+	jim := &jobInfoMock{}
+	jim.On("matrix").Return(map[string]any{}) // REQUIRED: setJobResult always calls matrix()
+	jim.On("result", "success")
+
+	// Call setJobResult for child workflow
+	setJobResult(ctx, jim, childRC, true)
+
+	// Verify:
+	// 1. Child result is set
+	jim.AssertCalled(t, "result", "success")
+
+	// 2. Parent result is propagated
+	assert.Equal(t, "success", parentJob.Result)
+
+	// 3. Final banner was NOT printed by child (critical for token security)
+	mockLogger.AssertNotCalled(t, "WithFields", mock.MatchedBy(func(fields logrus.Fields) bool {
+		_, okJobResult := fields["jobResult"]
+		_, okJobOutput := fields["jobOutputs"]
+		return okJobOutput && okJobResult
+	}))
+}

act/runner/lxc-helpers-lib.sh

@@ -11,6 +11,8 @@ LXC_IPV6_PREFIX_DEFAULT="fd15"
 LXC_DOCKER_PREFIX_DEFAULT="172.17"
 LXC_IPV6_DOCKER_PREFIX_DEFAULT="fd00:d0ca"
 LXC_APT_TOO_OLD='1 week ago'
+: ${LXC_TRANSACTION_TIMEOUT:=600}
+LXC_TRANSACTION_LOCK_FILE=/tmp/lxc-helper.lock
 
 : ${LXC_SUDO:=}
 : ${LXC_CONTAINER_RELEASE:=bookworm}
@@ -28,16 +30,22 @@ function lxc_template_release() {
     echo lxc-helpers-$LXC_CONTAINER_RELEASE
 }
 
+function lxc_directory() {
+    local name="$1"
+
+    echo /var/lib/lxc/$name
+}
+
 function lxc_root() {
     local name="$1"
 
-    echo /var/lib/lxc/$name/rootfs
+    echo $(lxc_directory $name)/rootfs
 }
 
 function lxc_config() {
     local name="$1"
 
-    echo /var/lib/lxc/$name/config
+    echo $(lxc_directory $name)/config
 }
 
 function lxc_container_run() {
@@ -47,6 +55,42 @@ function lxc_container_run() {
     $LXC_SUDO lxc-attach --clear-env --name $name -- "$@"
 }
 
+function lxc_transaction_lock() {
+    exec 7>$LXC_TRANSACTION_LOCK_FILE
+    flock --timeout $LXC_TRANSACTION_TIMEOUT 7
+}
+
+function lxc_transaction_unlock() {
+    exec 7>&-
+}
+
+function lxc_transaction_draft_name() {
+    echo "lxc-helper-draft"
+}
+
+function lxc_transaction_begin() {
+    local name=$1 # not actually used but it helps when reading in the caller
+    local draft=$(lxc_transaction_draft_name)
+
+    lxc_transaction_lock
+    lxc_container_destroy $draft
+}
+
+function lxc_transaction_commit() {
+    local name=$1
+    local draft=$(lxc_transaction_draft_name)
+
+    # do not use lxc-copy because it is not atomic if lxc-copy is
+    # interrupted it may leave the $name container half populated
+    $LXC_SUDO sed -i -e "s/$draft/$name/g" \
+        $(lxc_config $draft) \
+        $(lxc_root $draft)/etc/hosts \
+        $(lxc_root $draft)/etc/hostname
+    $LXC_SUDO rm -f $(lxc_root $draft)/var/lib/dhcp/dhclient.*
+    $LXC_SUDO mv $(lxc_directory $draft) $(lxc_directory $name)
+    lxc_transaction_unlock
+}
+
 function lxc_container_run_script_as() {
     local name="$1"
     local user="$2"
@@ -242,7 +286,7 @@ function lxc_container_configure() {
 function lxc_container_install_lxc_helpers() {
     local name="$1"
 
-    $LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
+    $LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $(lxc_root $name)/$LXC_BIN
     #
     # Wait for the network to come up
     #
@@ -304,10 +348,9 @@ function lxc_container_stop() {
 
 function lxc_container_destroy() {
     local name="$1"
-    local root="$2"
 
     if lxc_exists "$name"; then
-        lxc_container_stop $name $root
+        lxc_container_stop $name
         $LXC_SUDO lxc-destroy --force --name="$name"
     fi
 }
@@ -342,36 +385,44 @@ function lxc_running() {
 function lxc_build_template_release() {
     local name="$(lxc_template_release)"
 
+    lxc_transaction_begin $name
+
     if lxc_exists_and_apt_not_old $name; then
+        lxc_transaction_unlock
         return
     fi
 
-    local root=$(lxc_root $name)
+    local draft=$(lxc_transaction_draft_name)
-    $LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE
+    $LXC_SUDO lxc-create --name $draft --template debian -- --release=$LXC_CONTAINER_RELEASE
-    echo 'lxc.apparmor.profile = unconfined' | $LXC_SUDO tee -a $(lxc_config $name)
+    echo 'lxc.apparmor.profile = unconfined' | $LXC_SUDO tee -a $(lxc_config $draft)
-    lxc_container_install_lxc_helpers $name
+    lxc_container_install_lxc_helpers $draft
-    lxc_container_start $name
+    lxc_container_start $draft
-    lxc_container_run $name apt-get update -qq
+    lxc_container_run $draft apt-get update -qq
-    lxc_apt_install $name sudo git python3
+    lxc_apt_install $draft sudo git python3
-    lxc_container_stop $name
+    lxc_container_stop $draft
+    lxc_transaction_commit $name
 }
 
 function lxc_build_template() {
     local name="$1"
     local newname="$2"
 
-    if lxc_exists_and_apt_not_old $newname; then
-        return
-    fi
-
     if test "$name" = "$(lxc_template_release)"; then
         lxc_build_template_release
     fi
 
-    if ! $LXC_SUDO lxc-copy --name=$name --newname=$newname; then
+    lxc_transaction_begin $name
-        echo lxc-copy --name=$name --newname=$newname failed
+    if lxc_exists_and_apt_not_old $newname; then
+        lxc_transaction_unlock
+        return
+    fi
+
+    local draft=$(lxc_transaction_draft_name)
+    if ! $LXC_SUDO lxc-copy --name=$name --newname=$draft; then
+        echo lxc-copy --name=$name --newname=$draft failed
         return 1
     fi
+    lxc_transaction_commit $newname
     lxc_container_configure $newname
 }
 

act/runner/reusable_workflow.go

@@ -16,6 +16,7 @@ import (
 	"code.forgejo.org/forgejo/runner/v11/act/common"
 	"code.forgejo.org/forgejo/runner/v11/act/common/git"
 	"code.forgejo.org/forgejo/runner/v11/act/model"
+	"github.com/sirupsen/logrus"
 )
 
 func newLocalReusableWorkflowExecutor(rc *RunContext) common.Executor {
@@ -115,7 +116,10 @@ func newActionCacheReusableWorkflowExecutor(rc *RunContext, filename string, rem
 			return err
 		}
 
-		return runner.NewPlanExecutor(plan)(ctx)
+		planErr := runner.NewPlanExecutor(plan)(ctx)
+
+		// Finalize from parent context: one job-level banner
+		return finalizeReusableWorkflow(ctx, rc, planErr)
 	}
 }
 
@@ -171,7 +175,10 @@ func newReusableWorkflowExecutor(rc *RunContext, directory, workflow string) com
 			return err
 		}
 
-		return runner.NewPlanExecutor(plan)(ctx)
+		planErr := runner.NewPlanExecutor(plan)(ctx)
+
+		// Finalize from parent context: one job-level banner
+		return finalizeReusableWorkflow(ctx, rc, planErr)
 	}
 }
 
@@ -229,3 +236,29 @@ func newRemoteReusableWorkflowWithPlat(url, uses string) *remoteReusableWorkflow
 		URL:         url,
 	}
 }
+
+// finalizeReusableWorkflow prints the final job banner from the parent job context.
+//
+// The Forgejo reporter waits for this banner (log entry with "jobResult"
+// field and without stage="Main") before marking the job as complete and revoking
+// tokens. Printing this banner from the child reusable workflow would cause
+// premature token revocation, breaking subsequent steps in the parent workflow.
+func finalizeReusableWorkflow(ctx context.Context, rc *RunContext, planErr error) error {
+	jobResult := "success"
+	jobResultMessage := "succeeded"
+	if planErr != nil {
+		jobResult = "failure"
+		jobResultMessage = "failed"
+	}
+
+	// Outputs should already be present in the parent context:
+	// - copied by child's setJobResult branch (rc.caller != nil)
+	jobOutputs := rc.Run.Job().Outputs
+
+	common.Logger(ctx).WithFields(logrus.Fields{
+		"jobResult":  jobResult,
+		"jobOutputs": jobOutputs,
+	}).Infof("\U0001F3C1  Job %s", jobResultMessage)
+
+	return planErr
+}

act/runner/reusable_workflow_test.go

@@ -0,0 +1,247 @@
+package runner
+
+import (
+	"errors"
+	"testing"
+
+	"code.forgejo.org/forgejo/runner/v11/act/common"
+	"code.forgejo.org/forgejo/runner/v11/act/model"
+	"code.forgejo.org/forgejo/runner/v11/act/runner/mocks"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestConfig_GetToken(t *testing.T) {
+	t.Run("returns GITEA_TOKEN when both GITEA_TOKEN and GITHUB_TOKEN present", func(t *testing.T) {
+		c := &Config{
+			Secrets: map[string]string{
+				"GITHUB_TOKEN": "github-token",
+				"GITEA_TOKEN":  "gitea-token",
+			},
+		}
+		assert.Equal(t, "gitea-token", c.GetToken())
+	})
+
+	t.Run("returns GITHUB_TOKEN when only GITHUB_TOKEN present", func(t *testing.T) {
+		c := &Config{
+			Secrets: map[string]string{
+				"GITHUB_TOKEN": "github-token",
+			},
+		}
+		assert.Equal(t, "github-token", c.GetToken())
+	})
+
+	t.Run("returns empty string when no tokens present", func(t *testing.T) {
+		c := &Config{
+			Secrets: map[string]string{},
+		}
+		assert.Equal(t, "", c.GetToken())
+	})
+
+	t.Run("returns empty string when Secrets is nil", func(t *testing.T) {
+		c := &Config{}
+		assert.Equal(t, "", c.GetToken())
+	})
+}
+
+func TestRemoteReusableWorkflow_CloneURL(t *testing.T) {
+	t.Run("adds https prefix when missing", func(t *testing.T) {
+		rw := &remoteReusableWorkflow{
+			URL:  "code.forgejo.org",
+			Org:  "owner",
+			Repo: "repo",
+		}
+		assert.Equal(t, "https://code.forgejo.org/owner/repo", rw.CloneURL())
+	})
+
+	t.Run("preserves https prefix", func(t *testing.T) {
+		rw := &remoteReusableWorkflow{
+			URL:  "https://code.forgejo.org",
+			Org:  "owner",
+			Repo: "repo",
+		}
+		assert.Equal(t, "https://code.forgejo.org/owner/repo", rw.CloneURL())
+	})
+
+	t.Run("preserves http prefix", func(t *testing.T) {
+		rw := &remoteReusableWorkflow{
+			URL:  "http://localhost:3000",
+			Org:  "owner",
+			Repo: "repo",
+		}
+		assert.Equal(t, "http://localhost:3000/owner/repo", rw.CloneURL())
+	})
+}
+
+func TestRemoteReusableWorkflow_FilePath(t *testing.T) {
+	tests := []struct {
+		name         string
+		gitPlatform  string
+		filename     string
+		expectedPath string
+	}{
+		{
+			name:         "github platform",
+			gitPlatform:  "github",
+			filename:     "test.yml",
+			expectedPath: "./.github/workflows/test.yml",
+		},
+		{
+			name:         "gitea platform",
+			gitPlatform:  "gitea",
+			filename:     "build.yaml",
+			expectedPath: "./.gitea/workflows/build.yaml",
+		},
+		{
+			name:         "forgejo platform",
+			gitPlatform:  "forgejo",
+			filename:     "deploy.yml",
+			expectedPath: "./.forgejo/workflows/deploy.yml",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rw := &remoteReusableWorkflow{
+				GitPlatform: tt.gitPlatform,
+				Filename:    tt.filename,
+			}
+			assert.Equal(t, tt.expectedPath, rw.FilePath())
+		})
+	}
+}
+
+func TestNewRemoteReusableWorkflowWithPlat(t *testing.T) {
+	tests := []struct {
+		name             string
+		url              string
+		uses             string
+		expectedOrg      string
+		expectedRepo     string
+		expectedPlatform string
+		expectedFilename string
+		expectedRef      string
+		shouldFail       bool
+	}{
+		{
+			name:             "valid github workflow",
+			url:              "github.com",
+			uses:             "owner/repo/.github/workflows/test.yml@main",
+			expectedOrg:      "owner",
+			expectedRepo:     "repo",
+			expectedPlatform: "github",
+			expectedFilename: "test.yml",
+			expectedRef:      "main",
+			shouldFail:       false,
+		},
+		{
+			name:             "valid gitea workflow",
+			url:              "code.forgejo.org",
+			uses:             "forgejo/runner/.gitea/workflows/build.yaml@v1.0.0",
+			expectedOrg:      "forgejo",
+			expectedRepo:     "runner",
+			expectedPlatform: "gitea",
+			expectedFilename: "build.yaml",
+			expectedRef:      "v1.0.0",
+			shouldFail:       false,
+		},
+		{
+			name:       "invalid format - missing platform",
+			url:        "github.com",
+			uses:       "owner/repo/workflows/test.yml@main",
+			shouldFail: true,
+		},
+		{
+			name:       "invalid format - no ref",
+			url:        "github.com",
+			uses:       "owner/repo/.github/workflows/test.yml",
+			shouldFail: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := newRemoteReusableWorkflowWithPlat(tt.url, tt.uses)
+
+			if tt.shouldFail {
+				assert.Nil(t, result)
+			} else {
+				assert.NotNil(t, result)
+				assert.Equal(t, tt.expectedOrg, result.Org)
+				assert.Equal(t, tt.expectedRepo, result.Repo)
+				assert.Equal(t, tt.expectedPlatform, result.GitPlatform)
+				assert.Equal(t, tt.expectedFilename, result.Filename)
+				assert.Equal(t, tt.expectedRef, result.Ref)
+				assert.Equal(t, tt.url, result.URL)
+			}
+		})
+	}
+}
+
+func TestFinalizeReusableWorkflow_PrintsBannerSuccess(t *testing.T) {
+	mockLogger := mocks.NewFieldLogger(t)
+
+	bannerCalled := false
+	mockLogger.On("WithFields",
+		mock.MatchedBy(func(fields logrus.Fields) bool {
+			result, ok := fields["jobResult"].(string)
+			if !ok || result != "success" {
+				return false
+			}
+			outs, ok := fields["jobOutputs"].(map[string]string)
+			return ok && outs["foo"] == "bar"
+		}),
+	).Run(func(args mock.Arguments) {
+		bannerCalled = true
+	}).Return(&logrus.Entry{Logger: &logrus.Logger{}}).Once()
+
+	ctx := common.WithLogger(t.Context(), mockLogger)
+	rc := &RunContext{
+		Run: &model.Run{
+			JobID: "parent",
+			Workflow: &model.Workflow{
+				Jobs: map[string]*model.Job{
+					"parent": {
+						Outputs: map[string]string{"foo": "bar"},
+					},
+				},
+			},
+		},
+	}
+
+	err := finalizeReusableWorkflow(ctx, rc, nil)
+	assert.NoError(t, err)
+	assert.True(t, bannerCalled, "final banner should be printed from parent")
+}
+
+func TestFinalizeReusableWorkflow_PrintsBannerFailure(t *testing.T) {
+	mockLogger := mocks.NewFieldLogger(t)
+
+	bannerCalled := false
+	mockLogger.On("WithFields",
+		mock.MatchedBy(func(fields logrus.Fields) bool {
+			result, ok := fields["jobResult"].(string)
+			return ok && result == "failure"
+		}),
+	).Run(func(args mock.Arguments) {
+		bannerCalled = true
+	}).Return(&logrus.Entry{Logger: &logrus.Logger{}}).Once()
+
+	ctx := common.WithLogger(t.Context(), mockLogger)
+	rc := &RunContext{
+		Run: &model.Run{
+			JobID: "parent",
+			Workflow: &model.Workflow{
+				Jobs: map[string]*model.Job{
+					"parent": {},
+				},
+			},
+		},
+	}
+
+	planErr := errors.New("workflow failed")
+	err := finalizeReusableWorkflow(ctx, rc, planErr)
+	assert.EqualError(t, err, "workflow failed")
+	assert.True(t, bannerCalled, "banner should be printed even on failure")
+}

act/runner/run_context.go

@@ -248,6 +248,8 @@ var stopTemplate = template.Must(template.New("stop").Parse(`#!/bin/bash
 source $(dirname $0)/lxc-helpers-lib.sh
 
 lxc_container_destroy "{{.Name}}"
+lxc_maybe_sudo
+$LXC_SUDO rm -fr "{{ .Root }}"
 `))
 
 func (rc *RunContext) stopHostEnvironment(ctx context.Context) error {
@@ -314,11 +316,8 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 			ToolCache: rc.getToolCache(ctx),
 			Workdir:   rc.Config.Workdir,
 			ActPath:   actPath,
-			CleanUp: func() {
+			StdOut:    logWriter,
-				os.RemoveAll(miscpath)
+			LXC:       rc.IsLXCHostEnv(ctx),
-			},
-			StdOut: logWriter,
-			LXC:    rc.IsLXCHostEnv(ctx),
 		}
 		rc.cleanUpJobContainer = func(ctx context.Context) error {
 			if err := rc.stopHostEnvironment(ctx); err != nil {
@@ -1211,7 +1210,7 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 			ghc.RetentionDays = preset.RetentionDays
 
 			instance := rc.Config.GitHubInstance
-			if !strings.HasPrefix(instance, "http://") &&
+			if instance != "" && !strings.HasPrefix(instance, "http://") &&
 				!strings.HasPrefix(instance, "https://") {
 				instance = "https://" + instance
 			}
@@ -1254,7 +1253,7 @@ func (rc *RunContext) getGithubContext(ctx context.Context) *model.GithubContext
 
 	{ // Adapt to Gitea
 		instance := rc.Config.GitHubInstance
-		if !strings.HasPrefix(instance, "http://") &&
+		if instance != "" && !strings.HasPrefix(instance, "http://") &&
 			!strings.HasPrefix(instance, "https://") {
 			instance = "https://" + instance
 		}
@@ -1356,16 +1355,6 @@ func (rc *RunContext) withGithubEnv(ctx context.Context, github *model.GithubCon
 	set("SERVER_URL", github.ServerURL)
 	set("API_URL", github.APIURL)
 
-	{ // Adapt to Forgejo
-		instance := rc.Config.GitHubInstance
-		if !strings.HasPrefix(instance, "http://") &&
-			!strings.HasPrefix(instance, "https://") {
-			instance = "https://" + instance
-		}
-		set("SERVER_URL", instance)
-		set("API_URL", instance+"/api/v1")
-	}
-
 	if rc.Config.ArtifactServerPath != "" {
 		setActionRuntimeVars(rc, env)
 	}

act/runner/run_context_test.go

@@ -280,6 +280,39 @@ func TestRunContext_GetBindsAndMounts(t *testing.T) {
 	})
 }
 
+func TestRunContext_GetGithubContextURL(t *testing.T) {
+	table := []struct {
+		instance  string
+		serverURL string
+		APIURL    string
+	}{
+		{instance: "", serverURL: "", APIURL: "/api/v1"},
+		{instance: "example.com", serverURL: "https://example.com", APIURL: "https://example.com/api/v1"},
+		{instance: "http://example.com", serverURL: "http://example.com", APIURL: "http://example.com/api/v1"},
+		{instance: "https://example.com", serverURL: "https://example.com", APIURL: "https://example.com/api/v1"},
+	}
+	for _, data := range table {
+		t.Run(data.instance, func(t *testing.T) {
+			rc := &RunContext{
+				EventJSON: "{}",
+				Config: &Config{
+					GitHubInstance: data.instance,
+				},
+				Run: &model.Run{
+					Workflow: &model.Workflow{
+						Name: "GitHubContextTest",
+					},
+				},
+			}
+
+			ghc := rc.getGithubContext(t.Context())
+
+			assert.Equal(t, data.serverURL, ghc.ServerURL)
+			assert.Equal(t, data.APIURL, ghc.APIURL)
+		})
+	}
+}
+
 func TestRunContext_GetGithubContextRef(t *testing.T) {
 	table := []struct {
 		event string

act/runner/runner_test.go

@@ -263,6 +263,7 @@ func TestRunner_RunEvent(t *testing.T) {
 		{workdir, "uses-workflow", "pull_request", "", platforms, map[string]string{"secret": "keep_it_private"}},
 		{workdir, "uses-docker-url", "push", "", platforms, secrets},
 		{workdir, "act-composite-env-test", "push", "", platforms, secrets},
+		{workdir, "uses-workflow-env-input", "push", "", platforms, secrets},
 
 		// Eval
 		{workdir, "evalmatrix", "push", "", platforms, secrets},

act/runner/testdata/.github/workflows/local-reusable-env-input.yml

@@ -0,0 +1,21 @@
+name: "use-inputs-impl"
+
+on:
+  workflow_call:
+    inputs:
+      greet_target:
+        type: string
+        required: false
+        default: "Some Default Value"
+
+jobs:
+  works:
+    runs-on: ubuntu-latest
+    env:
+      MY_INPUT_TEST: ${{ inputs.greet_target }}
+      INPUT_TEST: ${{ inputs.greet_target }}
+      INPUT_GREET_TARGET: ${{ inputs.greet_target }}
+    steps:
+      - run: '[ "$MY_INPUT_TEST" = "Mona the Octocat" ] || exit 1'
+      - run: '[ "$INPUT_TEST" = "Mona the Octocat" ] || exit 1'
+      - run: '[ "$INPUT_GREET_TARGET" = "Mona the Octocat" ] || exit 1'

act/runner/testdata/actions-environment-and-context-tests/docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3
+FROM code.forgejo.org/oci/alpine:latest
 
 COPY entrypoint.sh /entrypoint.sh
 

act/runner/testdata/uses-workflow-env-input/push.yml

@@ -0,0 +1,8 @@
+name: local-action-env-input
+on: push
+jobs:
+  test:
+    runs-on: docker
+    uses: ./testdata/.github/workflows/local-reusable-env-input.yml
+    with:
+      greet_target: 'Mona the Octocat'

act/schema/schema_test.go

@@ -242,7 +242,7 @@ jobs:
     name: Build Silo Frontend DEV
     runs-on: ubuntu-latest
     container:
-      image: code.forgejo.org/oci/node:22-bookworm
+      image: code.forgejo.org/oci/${{ env.IMAGE }}
     uses: ./.forgejo/workflows/${{ vars.PATHNAME }}
     with:
       STAGE: dev

act/schema/workflow_schema.json

@@ -2008,7 +2008,7 @@
     },
     "container": {
       "description": "A container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.\n\nIf you do not set a container, all steps will run directly on the host specified by runs-on unless a step refers to an action configured to run in a container.",
-      "context": ["forge", "forgejo", "github", "inputs", "vars", "needs", "strategy", "matrix"],
+      "context": ["forge", "forgejo", "github", "inputs", "vars", "needs", "strategy", "matrix", "env"],
       "one-of": ["string", "container-mapping"]
     },
     "container-mapping": {

examples/docker-compose/compose-forgejo-and-runner.yml

@@ -51,7 +51,7 @@ services:
       - 8080:3000
 
   runner-register:
-    image: code.forgejo.org/forgejo/runner:11.1.1
+    image: code.forgejo.org/forgejo/runner:11.1.2
     links:
       - docker-in-docker
       - forgejo
@@ -77,7 +77,7 @@ services:
       '
 
   runner-daemon:
-    image: code.forgejo.org/forgejo/runner:11.1.1
+    image: code.forgejo.org/forgejo/runner:11.1.2
     links:
       - docker-in-docker
       - forgejo

examples/lxc-systemd/forgejo-runner-service.sh

@@ -20,9 +20,9 @@ trap "rm -fr $TMPDIR" EXIT
 : ${INPUTS_TOKEN:=}
 : ${INPUTS_FORGEJO:=https://code.forgejo.org}
 : ${INPUTS_LIFETIME:=7d}
-DEFAULT_LXC_HELPERS_VERSION=1.1.0 # renovate: datasource=forgejo-tags depName=forgejo/lxc-helpers
+DEFAULT_LXC_HELPERS_VERSION=1.1.3 # renovate: datasource=forgejo-tags depName=forgejo/lxc-helpers
 : ${INPUTS_LXC_HELPERS_VERSION:=$DEFAULT_LXC_HELPERS_VERSION}
-DEFAULT_RUNNER_VERSION=11.1.1 # renovate: datasource=forgejo-releases depName=forgejo/runner
+DEFAULT_RUNNER_VERSION=11.1.2 # renovate: datasource=forgejo-releases depName=forgejo/runner
 : ${INPUTS_RUNNER_VERSION:=$DEFAULT_RUNNER_VERSION}
 
 : ${KILL_AFTER:=21600} # 6h == 21600

go.mod

@@ -2,22 +2,22 @@ module code.forgejo.org/forgejo/runner/v11
 
 go 1.24.0
 
-toolchain go1.24.7
+toolchain go1.24.9
 
 require (
-	code.forgejo.org/forgejo/actions-proto v0.5.2
+	code.forgejo.org/forgejo/actions-proto v0.5.3
-	connectrpc.com/connect v1.18.1
+	connectrpc.com/connect v1.19.1
 	dario.cat/mergo v1.0.2
 	github.com/Masterminds/semver v1.5.0
-	github.com/avast/retry-go/v4 v4.6.1
+	github.com/avast/retry-go/v4 v4.7.0
 	github.com/containerd/errdefs v1.0.0
 	github.com/creack/pty v1.1.24
 	github.com/distribution/reference v0.6.0
-	github.com/docker/cli v28.4.0+incompatible
+	github.com/docker/cli v28.5.1+incompatible
-	github.com/docker/docker v28.4.0+incompatible
+	github.com/docker/docker v28.5.1+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/go-git/go-billy/v5 v5.6.2
-	github.com/go-git/go-git/v5 v5.16.2
+	github.com/go-git/go-git/v5 v5.16.3
 	github.com/gobwas/glob v0.2.3
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
@@ -29,7 +29,7 @@ require (
 	github.com/moby/patternmatcher v0.6.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/opencontainers/selinux v1.12.0
-	github.com/rhysd/actionlint v1.7.7
+	github.com/rhysd/actionlint v1.7.8
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
@@ -37,9 +37,9 @@ require (
 	github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928
 	go.etcd.io/bbolt v1.4.3
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/term v0.35.0
+	golang.org/x/term v0.36.0
-	golang.org/x/time v0.13.0
+	golang.org/x/time v0.14.0
-	google.golang.org/protobuf v1.36.9
+	google.golang.org/protobuf v1.36.10
 	gotest.tools/v3 v3.5.2
 )
 
@@ -47,7 +47,7 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
-	github.com/bmatcuk/doublestar/v4 v4.8.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.9.1 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -69,7 +69,7 @@ require (
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.17 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
@@ -98,10 +98,11 @@ require (
 	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	go.yaml.in/yaml/v4 v4.0.0-rc.2 // indirect
 	golang.org/x/crypto v0.37.0 // indirect
 	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -1,7 +1,7 @@
-code.forgejo.org/forgejo/actions-proto v0.5.2 h1:2+j3pXKk7l4cqATb7de75ZPPsNqc6e7RWX7xJ8DmySY=
+code.forgejo.org/forgejo/actions-proto v0.5.3 h1:dDProRNB4CDvEl9gfo8jkiVfGdiW7fXAt5TM9Irka28=
-code.forgejo.org/forgejo/actions-proto v0.5.2/go.mod h1:6CtsEiLzyODMO/3sqsdoTij4Y3gyQ29Nn8QnWunOw98=
+code.forgejo.org/forgejo/actions-proto v0.5.3/go.mod h1:33iTdur/jVa/wAQP+BuciRTK9WZcVaxy0BNEnSWWFDM=
-connectrpc.com/connect v1.18.1 h1:PAg7CjSAGvscaf6YZKUefjoih5Z/qYkyaTrBW8xvYPw=
+connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
-connectrpc.com/connect v1.18.1/go.mod h1:0292hj1rnx8oFrStN7cB4jjVBeqs+Yx5yDIC2prWDO8=
+connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
@@ -19,10 +19,10 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
+github.com/avast/retry-go/v4 v4.7.0 h1:yjDs35SlGvKwRNSykujfjdMxMhMQQM0TnIjJaHB+Zio=
-github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
+github.com/avast/retry-go/v4 v4.7.0/go.mod h1:ZMPDa3sY2bKgpLtap9JRUgk2yTAba7cgiFhqxY2Sg6Q=
-github.com/bmatcuk/doublestar/v4 v4.8.0 h1:DSXtrypQddoug1459viM9X9D3dp1Z7993fw36I2kNcQ=
+github.com/bmatcuk/doublestar/v4 v4.9.1 h1:X8jg9rRZmJd4yRy7ZeNDRnM+T3ZfHv15JiBJ/avrEXE=
-github.com/bmatcuk/doublestar/v4 v4.8.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.9.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
@@ -43,10 +43,10 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v28.4.0+incompatible h1:RBcf3Kjw2pMtwui5V0DIMdyeab8glEw5QY0UUU4C9kY=
+github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY=
-github.com/docker/cli v28.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v28.4.0+incompatible h1:KVC7bz5zJY/4AZe/78BIvCnPsLaC9T/zh72xnlrTTOk=
+github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
-github.com/docker/docker v28.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
@@ -69,8 +69,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
-github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -115,8 +115,8 @@ github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHP
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.17 h1:78v8ZlW0bP43XfmAfPsdXcoNCelfMHsDmd/pkENfrjQ=
-github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.17/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -151,8 +151,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rhysd/actionlint v1.7.7 h1:0KgkoNTrYY7vmOCs9BW2AHxLvvpoY9nEUzgBHiPUr0k=
+github.com/rhysd/actionlint v1.7.8 h1:3d+N9ourgAxVYG4z2IFxFIk/YiT6V+VnKASfXGwT60E=
-github.com/rhysd/actionlint v1.7.7/go.mod h1:AE6I6vJEkNaIfWqC2GNE5spIJNhxf8NCtLEKU4NnUXg=
+github.com/rhysd/actionlint v1.7.8/go.mod h1:3kiS6egcbXG+vQsJIhFxTz+UKaF1JprsE0SKrpCZKvU=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -222,6 +222,8 @@ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lI
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.2 h1:/FrI8D64VSr4HtGIlUtlFMGsm7H7pWTbj6vOLVZcA6s=
+go.yaml.in/yaml/v4 v4.0.0-rc.2/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
@@ -230,8 +232,8 @@ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbR
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -242,16 +244,16 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
 golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
-golang.org/x/time v0.13.0 h1:eUlYslOIt32DgYD6utsuUeHs4d7AsEYLuIAdg7FlYgI=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.13.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 h1:wpZ8pe2x1Q3f2KyT5f8oP/fa9rHAKgFPr/HZdNuS+PQ=
 google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f h1:2yNACc1O40tTnrsbk9Cv6oxiW8pxI/pXj0wRtdlYmgY=
@@ -260,8 +262,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
 google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
-google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

internal/app/job/job.go

@@ -36,11 +36,20 @@ func NewJob(cfg *config.Config, client client.Client, runner run.RunnerInterface
 }
 
 func (j *Job) Run(ctx context.Context) error {
-	task, ok := j.fetchTask(ctx)
+	log.Info("Polling for a job...")
-	if !ok {
+	for {
-		return fmt.Errorf("could not fetch task")
+		task, ok := j.fetchTask(ctx)
+		if ok {
+			return j.runTaskWithRecover(ctx, task)
+		}
+		// No task available, continue polling
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			// Continue to next iteration
+		}
 	}
-	return j.runTaskWithRecover(ctx, task)
 }
 
 func (j *Job) runTaskWithRecover(ctx context.Context, task *runnerv1.Task) error {

internal/app/run/runner.go

@@ -117,13 +117,13 @@ func setupCache(cfg *config.Config, envs map[string]string) *cacheproxy.Handler
 
 		cacheServer, err := artifactcache.StartHandler(
 			cfg.Cache.Dir,
-			cfg.Cache.Host,
+			"", // automatically detect
 			cfg.Cache.Port,
 			cacheSecret,
 			log.StandardLogger().WithField("module", "cache_request"),
 		)
 		if err != nil {
-			log.Error("Could not start the cache server, cache will be disabled")
+			log.Errorf("Could not start the cache server, cache will be disabled: %v", err)
 			return nil
 		}
 
@@ -150,10 +150,10 @@ func setupCache(cfg *config.Config, envs map[string]string) *cacheproxy.Handler
 	)
 	if err != nil {
 		log.Errorf("cannot init cache proxy, cache will be disabled: %v", err)
+	} else {
+		envs["ACTIONS_CACHE_URL"] = cacheProxy.ExternalURL()
 	}
 
-	envs["ACTIONS_CACHE_URL"] = cacheProxy.ExternalURL()
-
 	return cacheProxy
 }
 

internal/app/run/runner_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"os"
 	"testing"
 	"time"
@@ -70,6 +71,7 @@ func TestLabelUpdate(t *testing.T) {
 
 type forgejoClientMock struct {
 	mock.Mock
+	sent string
 }
 
 func (m *forgejoClientMock) Address() string {
@@ -122,11 +124,20 @@ func (m *forgejoClientMock) UpdateTask(ctx context.Context, request *connect.Req
 	return args.Get(0).(*connect.Response[runnerv1.UpdateTaskResponse]), args.Error(1)
 }
 
+func rowsToString(rows []*runnerv1.LogRow) string {
+	s := ""
+	for _, row := range rows {
+		s += row.Content + "\n"
+	}
+	return s
+}
+
 func (m *forgejoClientMock) UpdateLog(ctx context.Context, request *connect.Request[runnerv1.UpdateLogRequest]) (*connect.Response[runnerv1.UpdateLogResponse], error) {
 	// Enable for log output from runs if needed.
 	// for _, row := range request.Msg.Rows {
 	// 	println(fmt.Sprintf("UpdateLog: %q", row.Content))
 	// }
+	m.sent += rowsToString(request.Msg.Rows)
 	args := m.Called(ctx, request)
 	mockRetval := args.Get(0)
 	mockError := args.Error(1)
@@ -421,6 +432,98 @@ jobs:
 	})
 }
 
+func TestRunnerCacheStartupFailure(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	testCases := []struct {
+		desc   string
+		listen string
+	}{
+		{
+			desc:   "disable cache server",
+			listen: "127.0.0.1:40715",
+		},
+		{
+			desc:   "disable cache proxy server",
+			listen: "127.0.0.1:40716",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+			forgejoClient := &forgejoClientMock{}
+
+			forgejoClient.On("Address").Return("https://127.0.0.1:8080") // not expected to be used in this test
+			forgejoClient.On("UpdateLog", mock.Anything, mock.Anything).Return(nil, nil)
+			forgejoClient.On("UpdateTask", mock.Anything, mock.Anything).
+				Return(connect.NewResponse(&runnerv1.UpdateTaskResponse{}), nil)
+
+			// We'll be listening on some network port in this test that will conflict with the cache configuration...
+			l, err := net.Listen("tcp4", tc.listen)
+			require.NoError(t, err)
+			defer l.Close()
+
+			runner := NewRunner(
+				&config.Config{
+					Cache: config.Cache{
+						Port:      40715,
+						ProxyPort: 40716,
+						Dir:       t.TempDir(),
+					},
+					Host: config.Host{
+						WorkdirParent: t.TempDir(),
+					},
+				},
+				&config.Registration{
+					Labels: []string{"ubuntu-latest:docker://code.forgejo.org/oci/node:20-bookworm"},
+				},
+				forgejoClient)
+			require.NotNil(t, runner)
+
+			// Ensure that cacheProxy failed to start
+			assert.Nil(t, runner.cacheProxy)
+
+			runWorkflow := func(ctx context.Context, cancel context.CancelFunc, yamlContent string) {
+				task := &runnerv1.Task{
+					WorkflowPayload: []byte(yamlContent),
+					Context: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							"token":                       structpb.NewStringValue("some token here"),
+							"forgejo_default_actions_url": structpb.NewStringValue("https://data.forgejo.org"),
+							"repository":                  structpb.NewStringValue("runner"),
+							"event_name":                  structpb.NewStringValue("push"),
+							"ref":                         structpb.NewStringValue("refs/heads/main"),
+						},
+					},
+				}
+
+				reporter := report.NewReporter(ctx, cancel, forgejoClient, task, time.Second)
+				err := runner.run(ctx, task, reporter)
+				reporter.Close(nil)
+				require.NoError(t, err)
+			}
+
+			ctx, cancel := context.WithCancel(t.Context())
+			defer cancel()
+
+			checkCacheYaml := `
+name: Verify No ACTIONS_CACHE_URL
+on:
+  push:
+jobs:
+  job-cache-check-1:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo $ACTIONS_CACHE_URL
+      - run: '[[ "$ACTIONS_CACHE_URL" = "" ]] || exit 1'
+`
+			runWorkflow(ctx, cancel, checkCacheYaml)
+		})
+	}
+}
+
 func TestRunnerLXC(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
@@ -491,8 +594,164 @@ jobs:
   job:
     runs-on: lxc
     steps:
-      - run: echo OK
+      - run: mkdir -p some/directory/owned/by/root
 `
 		runWorkflow(ctx, cancel, workflow, "push", "refs/heads/main", "OK")
 	})
 }
+
+func TestRunnerResources(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	forgejoClient := &forgejoClientMock{}
+
+	forgejoClient.On("Address").Return("https://127.0.0.1:8080") // not expected to be used in this test
+	forgejoClient.On("UpdateLog", mock.Anything, mock.Anything).Return(nil, nil)
+	forgejoClient.On("UpdateTask", mock.Anything, mock.Anything).
+		Return(connect.NewResponse(&runnerv1.UpdateTaskResponse{}), nil)
+
+	workdirParent := t.TempDir()
+
+	runWorkflow := func(ctx context.Context, cancel context.CancelFunc, yamlContent, options, errorMessage, logMessage string) {
+		task := &runnerv1.Task{
+			WorkflowPayload: []byte(yamlContent),
+			Context: &structpb.Struct{
+				Fields: map[string]*structpb.Value{
+					"token":                       structpb.NewStringValue("some token here"),
+					"forgejo_default_actions_url": structpb.NewStringValue("https://data.forgejo.org"),
+					"repository":                  structpb.NewStringValue("runner"),
+					"event_name":                  structpb.NewStringValue("push"),
+					"ref":                         structpb.NewStringValue("refs/heads/main"),
+				},
+			},
+		}
+
+		runner := NewRunner(
+			&config.Config{
+				Log: config.Log{
+					JobLevel: "trace",
+				},
+				Host: config.Host{
+					WorkdirParent: workdirParent,
+				},
+				Container: config.Container{
+					Options: options,
+				},
+			},
+			&config.Registration{
+				Labels: []string{"docker:docker://code.forgejo.org/oci/node:20-bookworm"},
+			},
+			forgejoClient)
+		require.NotNil(t, runner)
+
+		reporter := report.NewReporter(ctx, cancel, forgejoClient, task, time.Second)
+		err := runner.run(ctx, task, reporter)
+		reporter.Close(nil)
+		if len(errorMessage) > 0 {
+			require.Error(t, err)
+			assert.ErrorContains(t, err, errorMessage)
+		} else {
+			require.NoError(t, err)
+		}
+		if len(logMessage) > 0 {
+			assert.Contains(t, forgejoClient.sent, logMessage)
+		}
+	}
+
+	t.Run("config.yaml --memory set and enforced", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+
+		workflow := `
+on:
+  push:
+jobs:
+  job:
+    runs-on: docker
+    steps:
+      - run: |
+          # more than 300MB
+          perl -e '$a = "a" x (300 * 1024 * 1024)'
+`
+		runWorkflow(ctx, cancel, workflow, "--memory 200M", "Job 'job' failed", "Killed")
+	})
+
+	t.Run("config.yaml --memory set and within limits", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+
+		workflow := `
+on:
+  push:
+jobs:
+  job:
+    runs-on: docker
+    steps:
+      - run: echo OK
+`
+		runWorkflow(ctx, cancel, workflow, "--memory 200M", "", "")
+	})
+
+	t.Run("config.yaml --memory set and container fails to increase it", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+
+		workflow := `
+on:
+  push:
+jobs:
+  job:
+    runs-on: docker
+    container:
+      image: code.forgejo.org/oci/node:20-bookworm
+      options: --memory 4G
+    steps:
+      - run: |
+          # more than 300MB
+          perl -e '$a = "a" x (300 * 1024 * 1024)'
+`
+		runWorkflow(ctx, cancel, workflow, "--memory 200M", "option found in the workflow cannot be greater than", "")
+	})
+
+	t.Run("container --memory set and enforced", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+
+		workflow := `
+on:
+  push:
+jobs:
+  job:
+    runs-on: docker
+    container:
+      image: code.forgejo.org/oci/node:20-bookworm
+      options: --memory 200M
+    steps:
+      - run: |
+          # more than 300MB
+          perl -e '$a = "a" x (300 * 1024 * 1024)'
+`
+		runWorkflow(ctx, cancel, workflow, "", "Job 'job' failed", "Killed")
+	})
+
+	t.Run("container --memory set and within limits", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(t.Context())
+		defer cancel()
+
+		workflow := `
+on:
+  push:
+jobs:
+  job:
+    runs-on: docker
+    container:
+      image: code.forgejo.org/oci/node:20-bookworm
+      options: --memory 200M
+    steps:
+      - run: echo OK
+`
+		runWorkflow(ctx, cancel, workflow, "", "", "")
+	})
+}

internal/pkg/config/config.example.yaml

@@ -176,10 +176,12 @@ container:
   # valid_volumes:
   #   - '**'
   valid_volumes: []
-  # overrides the docker client host with the specified one.
+  # Overrides the docker host set by the DOCKER_HOST environment variable, and mounts on the job container.
-  # If "-" or "", an available docker host will automatically be found.
+  # If "-" or "", no docker host will be mounted in the job container
   # If "automount", an available docker host will automatically be found and mounted in the job container (e.g. /var/run/docker.sock).
-  # Otherwise the specified docker host will be used and an error will be returned if it doesn't work.
+  # If it's a url, the specified docker host will be mounted in the job container
+  # Example urls: unix:///run/docker.socket or ssh://user@host
+  # The specified socket is mounted within the job container at /var/run/docker.sock
   docker_host: "-"
   # Pull docker image(s) even if already present
   force_pull: false