Merge gitea/act into act/ folder' (#827 )

Reviewed-on: https://gitea.com/gitea/act_runner/pulls/827 Reviewed-by: ChristopherHX <38043+christopherhx@noreply.gitea.com>
Merge gitea/act into act/
2026-04-24 04:40:22 +08:00 · 2026-04-23 16:41:15 +00:00 · 2026-04-22 22:29:06 +02:00 · 2026-04-19 22:36:34 +00:00 · 2026-04-19 08:10:23 +00:00 · 2026-04-18 09:10:09 +00:00
1366 changed files with 297126 additions and 993 deletions
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -1,43 +1,33 @@
+---
 name: release-nightly

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches:
+      - 'main'
+    tags:
+      - '*'

 env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
+  DOCKER_ORG: gitea
+  DOCKER_LATEST: nightly

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
        with:
-          fetch-depth: 0 # all history for all branches and tags
-      - uses: actions/setup-go@v3
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.20.1'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
+          go-version-file: "go.mod"
      - name: goreleaser
-        uses: https://github.com/goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
        with:
-            distribution: goreleaser-pro
-            version: latest
-            args: release --nightly
+          distribution: goreleaser-pro
+          args: release --nightly
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
@@ -45,61 +35,51 @@ jobs:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3_REGION: ${{ secrets.AWS_REGION }}
          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
+          GORELEASER_FORCE_TOKEN: "gitea"
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
  release-image:
    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    env:
-      DOCKER_ORG: gitea
-      DOCKER_LATEST: nightly
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Get Meta
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+      - name: Echo the tag
+        run: echo "${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}"

      - name: Build and push
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
+          target: ${{ matrix.variant.target }}
          platforms: |
            linux/amd64
            linux/arm64
          push: true
          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
-
-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
-        with:
-          context: .
-          file: ./Dockerfile.rootless
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
+            ${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -3,49 +3,30 @@ name: release-tag
 on:
  push:
    tags:
-      - '*'
-
-env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
+      - "*"

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.20.1'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
+          go-version-file: "go.mod"
      - name: Import GPG key
        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      - name: goreleaser
-        uses: https://github.com/goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
        with:
-            distribution: goreleaser-pro
-            version: latest
-            args: release
+          distribution: goreleaser-pro
+          args: release
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
@@ -53,11 +34,20 @@ jobs:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3_REGION: ${{ secrets.AWS_REGION }}
          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
-          GORELEASER_FORCE_TOKEN: 'gitea'
+          GORELEASER_FORCE_TOKEN: "gitea"
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
  release-image:
    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
    container:
      image: catthehacker/ubuntu:act-latest
    env:
@@ -65,54 +55,49 @@ jobs:
      DOCKER_LATEST: latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Get Meta
-        id: meta
+      - name: Repo Meta
+        id: repo_meta
        run: |
          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+
+      - name: "Docker meta"
+        id: docker_meta
+        uses: https://github.com/docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.DOCKER_ORG }}/${{ steps.repo_meta.outputs.REPO_NAME }}
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+          flavor: |
+            latest=true
+            suffix=${{ matrix.variant.tag_suffix }},onlatest=true

      - name: Build and push
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
+          target: ${{ matrix.variant.target }}
          platforms: |
            linux/amd64
            linux/arm64
          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
-
-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
-        with:
-          context: .
-          file: ./Dockerfile.rootless
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind-rootless
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
+          tags: ${{ steps.docker_meta.outputs.tags }}
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -3,35 +3,17 @@ on:
  - push
  - pull_request

-env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
-
 jobs:
  lint:
    name: check and test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.20.1'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
-      - name: vet checks
-        run: make vet
+          go-version-file: 'go.mod'
+      - name: lint
+        run: make lint
      - name: build
        run: make build
      - name: test
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,11 @@
-act_runner
+/act_runner
 .env
 .runner
 coverage.txt
-/gitea-vet
 /config.yaml

+# Jetbrains
+.idea
 # MS VSCode
 .vscode
 __debug_bin
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,172 +1,125 @@
+version: "2"
+output:
+  sort-order:
+    - file
 linters:
+  default: none
  enable:
-    - gosimple
-    - deadcode
-    - typecheck
-    - govet
-    - errcheck
-    - staticcheck
-    - unused
-    - structcheck
-    - varcheck
-    - dupl
-    #- gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
-    - gofmt
-    - misspell
-    - gocritic
    - bidichk
-    - ineffassign
-    - revive
-    - gofumpt
+    - bodyclose
    - depguard
+    - dupl
+    - errcheck
+    - forbidigo
+    - gocheckcompilerdirectives
+    - gocritic
+    - goheader
+    - govet
+    - ineffassign
+    - mirror
+    - modernize
    - nakedret
-    - unconvert
-    - wastedassign
+    - nilnil
    - nolintlint
-    - stylecheck
-  enable-all: false
-  disable-all: true
-  fast: false
-
-run:
-  go: 1.18
-  timeout: 10m
-  skip-dirs:
-    - node_modules
-    - public
-    - web_src
-
-linters-settings:
-  stylecheck:
-    checks: ["all", "-ST1005", "-ST1003"]
-  nakedret:
-    max-func-lines: 0
-  gocritic:
-    disabled-checks:
-      - ifElseChain
-      - singleCaseSwitch # Every time this occurred in the code, there  was no other way.
-  revive:
-    ignore-generated-header: false
-    severity: warning
-    confidence: 0.8
-    errorCode: 1
-    warningCode: 1
+    - perfsprint
+    - revive
+    - staticcheck
+    - testifylint
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: io/ioutil
+              desc: use os or io instead
+            - pkg: golang.org/x/exp
+              desc: it's experimental and unreliable
+            - pkg: github.com/pkg/errors
+              desc: use builtin errors package instead
+    nolintlint:
+      allow-unused: false
+      require-explanation: true
+      require-specific: true
+    gocritic:
+      enabled-checks:
+        - equalFold
+      disabled-checks:
+        - ifElseChain
+    revive:
+      severity: error
+      rules:
+        - name: blank-imports
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: empty-lines
+        - name: error-return
+        - name: error-strings
+        - name: exported
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: modifies-value-receiver
+        - name: package-comments
+        - name: redefines-builtin-id
+        - name: superfluous-else
+        - name: time-naming
+        - name: unexported-return
+        - name: var-declaration
+        - name: var-naming
+    staticcheck:
+      checks:
+        - all
+        - -ST1005
+    usetesting:
+      os-temp-dir: true
+    perfsprint:
+      concat-loop: false
+    govet:
+      enable:
+        - nilness
+        - unusedwrite
+    goheader:
+      values:
+        regexp:
+          HEADER: 'Copyright \d{4} The Gitea Authors\. All rights reserved\.(\nCopyright [^\n]+)*\nSPDX-License-Identifier: MIT'
+      template: '{{ HEADER }}'
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: duplicated-imports
-      - name: modifies-value-receiver
-  gofumpt:
-    extra-rules: true
-    lang-version: "1.18"
-  depguard:
-    # TODO: use depguard to replace import checks in gitea-vet
-    list-type: denylist
-    # Check the list against standard lib.
-    include-go-root: true
-    packages-with-error-message:
-      - github.com/unknwon/com: "use gitea's util and replacements"
-
+      - linters:
+          - forbidigo
+        path: cmd
 issues:
-  exclude-rules:
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-        - unparam
-        - staticcheck
-    - path: models/migrations/v
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-    - linters:
-        - dupl
-      text: "webhook"
-    - linters:
-        - gocritic
-      text: "`ID' should not be capitalized"
-    - path: modules/templates/helper.go
-      linters:
-        - gocritic
-    - linters:
-        - unused
-        - deadcode
-      text: "swagger"
-    - path: contrib/pr/checkout.go
-      linters:
-        - errcheck
-    - path: models/issue.go
-      linters:
-        - errcheck
-    - path: models/migrations/
-      linters:
-        - errcheck
-    - path: modules/log/
-      linters:
-        - errcheck
-    - path: routers/api/v1/repo/issue_subscription.go
-      linters:
-        - dupl
-    - path: routers/repo/view.go
-      linters:
-        - dupl
-    - path: models/migrations/
-      linters:
-        - unused
-    - linters:
-        - staticcheck
-      text: "argument x is overwritten before first use"
-    - path: modules/httplib/httplib.go
-      linters:
-        - staticcheck
-    # Enabling this would require refactoring the methods and how they are called.
-    - path: models/issue_comment_list.go
-      linters:
-        - dupl
-    - linters:
-        - misspell
-      text: '`Unknwon` is a misspelling of `Unknown`'
-    - path: models/update.go
-      linters:
-        - unused
-    - path: cmd/dump.go
-      linters:
-        - dupl
-    - path: services/webhook/webhook.go
-      linters:
-        - structcheck
-    - text: "commentFormatting: put a space between `//` and comment text"
-      linters:
-        - gocritic
-    - text: "exitAfterDefer:"
-      linters:
-        - gocritic
-    - path: modules/graceful/manager_windows.go
-      linters:
-        - staticcheck
-      text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
-    - path: models/user/openid.go
-      linters:
-        - golint
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofumpt
+  settings:
+    gci:
+      custom-order: true
+      sections:
+        - standard
+        - prefix(gitea.com/gitea/act_runner)
+        - blank
+        - default
+    gofumpt:
+      extra-rules: true
+  exclusions:
+    generated: lax
+run:
+  timeout: 10m
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,5 @@
+version: 2
+
 before:
  hooks:
    - go mod tidy
@@ -14,6 +16,9 @@ builds:
  - amd64
  - arm
  - arm64
+  - loong64
+  - s390x
+  - riscv64
  goarm:
  - "5"
  - "6"
@@ -81,7 +86,7 @@ blobs:
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    folder: "act_runner/{{.Version}}"
+    directory: "act_runner/{{.Version}}"
    extra_files:
      - glob: ./**.xz
      - glob: ./**.sha256
@@ -97,10 +102,10 @@ checksum:
      - glob: ./**.xz

 snapshot:
-  name_template: "{{ .Branch }}-devel"
+  version_template: "{{ .Branch }}-devel"

 nightly:
-  name_template: "nightly"
+  version_template: "nightly"

 gitea_urls:
  api: https://gitea.com/api/v1
--- a/58
+++ b/58
@@ -1,16 +1,64 @@
-FROM golang:1.20-alpine3.18 as builder
+### BUILDER STAGE
+#
+#
+FROM golang:1.26-alpine AS builder
+
 # Do not remove `git` here, it is required for getting runner version when executing `make build`
 RUN apk add --no-cache make git

+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-}
+
 COPY . /opt/src/act_runner
 WORKDIR /opt/src/act_runner

 RUN make clean && make build

-FROM alpine:3.18
-RUN apk add --no-cache git bash tini
+### DIND VARIANT
+#
+#
+FROM docker:28-dind AS dind
+
+RUN apk add --no-cache s6 bash git tzdata

 COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY scripts/run.sh /opt/act/run.sh
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6

-ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
+VOLUME /data
+
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### DIND-ROOTLESS VARIANT
+#
+#
+FROM docker:28-dind-rootless AS dind-rootless
+
+USER root
+RUN apk add --no-cache s6 bash git tzdata
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6
+
+VOLUME /data
+
+RUN mkdir -p /data && chown -R rootless:rootless /etc/s6 /data
+
+ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+
+USER rootless
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### BASIC VARIANT
+#
+#
+FROM alpine AS basic
+RUN apk add --no-cache tini bash git tzdata
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+
+VOLUME /data
+
+ENTRYPOINT ["/sbin/tini","--","run.sh"]
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -1,24 +0,0 @@
-FROM golang:1.20-alpine3.18 as builder
-# Do not remove `git` here, it is required for getting runner version when executing `make build`
-RUN apk add --no-cache make git
-
-COPY . /opt/src/act_runner
-WORKDIR /opt/src/act_runner
-
-RUN make clean && make build
-
-FROM docker:dind-rootless
-USER root
-RUN apk add --no-cache \
-  git bash supervisor
-
-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY /scripts/supervisord.conf /etc/supervisord.conf
-COPY /scripts/run.sh /opt/act/run.sh
-COPY /scripts/rootless.sh /opt/act/rootless.sh
-
-RUN mkdir /data \
-    && chown rootless:rootless /data
-
-USER rootless
-ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
--- a/69
+++ b/69
@@ -1,19 +1,16 @@
 DIST := dist
 EXECUTABLE := act_runner
-GOFMT ?= gofumpt -l
-DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-XGO_VERSION := go-1.18.x
+XGO_VERSION := go-1.26.x
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
 DARWIN_ARCHS ?= darwin-12/amd64,darwin-12/arm64
 WINDOWS_ARCHS ?= windows/amd64
-GO_FMT_FILES := $(shell find . -type f -name "*.go" ! -name "generated.*")
 GOFILES := $(shell find . -type f -name "*.go" -o -name "go.mod" ! -name "generated.*")

 DOCKER_IMAGE ?= gitea/act_runner
@@ -21,6 +18,9 @@ DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless

+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
+
 ifneq ($(shell uname), Darwin)
 	EXTLDFLAGS = -extldflags "-static" $(null)
 else
@@ -66,19 +66,14 @@ else
 	endif
 endif

-GO_PACKAGES_TO_VET ?= $(filter-out gitea.com/gitea/act_runner/internal/pkg/client/mocks,$(shell $(GO) list ./...))
-
-
 TAGS ?=
 LDFLAGS ?= -X "gitea.com/gitea/act_runner/internal/pkg/ver.version=v$(RELASE_VERSION)"

 all: build

+.PHONY: fmt
 fmt:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	$(GOFMT) -w $(GO_FMT_FILES)
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) fmt

 .PHONY: go-check
 go-check:
@@ -91,25 +86,48 @@ go-check:
 	fi

 .PHONY: fmt-check
-fmt-check:
-	@hash gofumpt > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) install mvdan.cc/gofumpt@latest; \
-	fi
-	@diff=$$($(GOFMT) -d $(GO_FMT_FILES)); \
+fmt-check: fmt
+	@diff=$$(git diff --color=always); \
 	if [ -n "$$diff" ]; then \
 		echo "Please run 'make fmt' and commit the result:"; \
+		printf "%s" "$${diff}"; \
+		exit 1; \
+	fi
+
+.PHONY: deps-tools
+deps-tools: ## install tool dependencies
+	$(GO) install $(GOVULNCHECK_PACKAGE)
+
+.PHONY: lint
+lint: lint-go
+
+.PHONY: lint-go
+lint-go: ## lint go files
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
+
+.PHONY: lint-go-fix
+lint-go-fix: ## lint go files and fix issues
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix
+
+.PHONY: security-check
+security-check: deps-tools
+	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true
+
+.PHONY: tidy
+tidy:
+	$(GO) mod tidy
+
+.PHONY: tidy-check
+tidy-check: tidy
+	@diff=$$(git diff -- go.mod go.sum); \
+	if [ -n "$$diff" ]; then \
+		echo "Please run 'make tidy' and commit the result:"; \
 		echo "$${diff}"; \
 		exit 1; \
-	fi;
+	fi

-test: fmt-check
-	@$(GO) test -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
-
-.PHONY: vet
-vet:
-	@echo "Running go vet..."
-	@$(GO) build code.gitea.io/gitea-vet
-	@$(GO) vet -vettool=gitea-vet $(GO_PACKAGES_TO_VET)
+test: fmt-check security-check
+	@$(GO) test -race -short -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 install: $(GOFILES)
 	$(GO) install -v -tags '$(TAGS)' -ldflags '$(EXTLDFLAGS)-s -w $(LDFLAGS)'
@@ -170,7 +188,6 @@ docker:
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
-	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .

 clean:
 	$(GO) clean -x -i ./...
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # act runner

-Act runner is a runner for Gitea based on [Gitea fork](https://gitea.com/gitea/act) of [act](https://github.com/nektos/act).
+Act runner is a runner for Gitea.

 ## Installation

@@ -26,6 +26,13 @@ make docker

 ## Quickstart

+Actions are disabled by default, so you need to add the following to the configuration file of your Gitea instance to enable it: 
+  
+```ini
+[actions]
+ENABLED=true
+```
+
 ### Register

 ```bash
@@ -36,7 +43,7 @@ And you will be asked to input:

 1. Gitea instance URL, like `http://192.168.8.8:3000/`. You should use your gitea instance ROOT_URL as the instance argument
 and you should not use `localhost` or `127.0.0.1` as instance IP;
-2. Runner token, you can get it from `http://192.168.8.8:3000/admin/runners`;
+2. Runner token, you can get it from `http://192.168.8.8:3000/admin/actions/runners`;
 3. Runner name, you can just leave it blank;
 4. Runner labels, you can just leave it blank.

@@ -51,9 +58,9 @@ INFO Enter the runner token:
 fe884e8027dc292970d4e0303fe82b14xxxxxxxx
 INFO Enter the runner name (if set empty, use hostname: Test.local):

-INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,linux_arm:host):
+INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest):

-INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://node:16-bullseye ubuntu-22.04:docker://node:16-bullseye ubuntu-20.04:docker://node:16-bullseye ubuntu-18.04:docker://node:16-buster].
+INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04 ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04].
 DEBU Successfully pinged the Gitea instance server
 INFO Runner registered successfully.
 ```
@@ -72,6 +79,12 @@ If the registry succeed, it will run immediately. Next time, you could run the r
 ./act_runner daemon
 ```

+### Run with docker
+
+```bash
+docker run -e GITEA_INSTANCE_URL=https://your_gitea.com -e GITEA_RUNNER_REGISTRATION_TOKEN=<your_token> -v /var/run/docker.sock:/var/run/docker.sock --name my_runner gitea/act_runner:nightly
+```
+
 ### Configuration

 You can also configure the runner with a configuration file.
@@ -88,6 +101,8 @@ You can specify the configuration file path with `-c`/`--config` argument.
 ./act_runner -c config.yaml daemon # run with config file
 ```

+You can read the latest version of the configuration file online at [config.example.yaml](internal/pkg/config/config.example.yaml).
+
 ### Example Deployments

 Check out the [examples](examples) directory for sample deployment types.
--- a/act/LICENSE
+++ b/act/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2022 The Gitea Authors
+Copyright (c) 2019
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/act/artifactcache/doc.go
+++ b/act/artifactcache/doc.go
@@ -0,0 +1,12 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+// Package artifactcache provides a cache handler for the runner.
+//
+// Inspired by https://github.com/sp-ricard-valverde/github-act-cache-server
+//
+// TODO: Authorization
+// TODO: Restrictions for accessing a cache, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache
+// TODO: Force deleting cache entries, see https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+package artifactcache
--- a/act/artifactcache/handler.go
+++ b/act/artifactcache/handler.go
@@ -0,0 +1,561 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/julienschmidt/httprouter"
+	"github.com/sirupsen/logrus"
+	"github.com/timshannon/bolthold"
+	"go.etcd.io/bbolt"
+)
+
+const (
+	urlBase = "/_apis/artifactcache"
+)
+
+type Handler struct {
+	dir      string
+	storage  *Storage
+	router   *httprouter.Router
+	listener net.Listener
+	server   *http.Server
+	logger   logrus.FieldLogger
+
+	gcing atomic.Bool
+	gcAt  time.Time
+
+	outboundIP string
+}
+
+func StartHandler(dir, outboundIP string, port uint16, logger logrus.FieldLogger) (*Handler, error) {
+	h := &Handler{}
+
+	if logger == nil {
+		discard := logrus.New()
+		discard.Out = io.Discard
+		logger = discard
+	}
+	logger = logger.WithField("module", "artifactcache")
+	h.logger = logger
+
+	if dir == "" {
+		home, err := os.UserHomeDir()
+		if err != nil {
+			return nil, err
+		}
+		dir = filepath.Join(home, ".cache", "actcache")
+	}
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return nil, err
+	}
+
+	h.dir = dir
+
+	storage, err := NewStorage(filepath.Join(dir, "cache"))
+	if err != nil {
+		return nil, err
+	}
+	h.storage = storage
+
+	if outboundIP != "" {
+		h.outboundIP = outboundIP
+	} else if ip := common.GetOutboundIP(); ip == nil {
+		return nil, errors.New("unable to determine outbound IP address")
+	} else {
+		h.outboundIP = ip.String()
+	}
+
+	router := httprouter.New()
+	router.GET(urlBase+"/cache", h.middleware(h.find))
+	router.POST(urlBase+"/caches", h.middleware(h.reserve))
+	router.PATCH(urlBase+"/caches/:id", h.middleware(h.upload))
+	router.POST(urlBase+"/caches/:id", h.middleware(h.commit))
+	router.GET(urlBase+"/artifacts/:id", h.middleware(h.get))
+	router.POST(urlBase+"/clean", h.middleware(h.clean))
+
+	h.router = router
+
+	h.gcCache()
+
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) // listen on all interfaces
+	if err != nil {
+		return nil, err
+	}
+	server := &http.Server{
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+	go func() {
+		if err := server.Serve(listener); err != nil && errors.Is(err, net.ErrClosed) {
+			logger.Errorf("http serve: %v", err)
+		}
+	}()
+	h.listener = listener
+	h.server = server
+
+	return h, nil
+}
+
+func (h *Handler) ExternalURL() string {
+	// TODO: make the external url configurable if necessary
+	return fmt.Sprintf("http://%s:%d",
+		h.outboundIP,
+		h.listener.Addr().(*net.TCPAddr).Port)
+}
+
+func (h *Handler) Close() error {
+	if h == nil {
+		return nil
+	}
+	var retErr error
+	if h.server != nil {
+		err := h.server.Close()
+		if err != nil {
+			retErr = err
+		}
+		h.server = nil
+	}
+	if h.listener != nil {
+		err := h.listener.Close()
+		if errors.Is(err, net.ErrClosed) {
+			err = nil
+		}
+		if err != nil {
+			retErr = err
+		}
+		h.listener = nil
+	}
+	return retErr
+}
+
+func (h *Handler) openDB() (*bolthold.Store, error) {
+	return bolthold.Open(filepath.Join(h.dir, "bolt.db"), 0o644, &bolthold.Options{
+		Encoder: json.Marshal,
+		Decoder: json.Unmarshal,
+		Options: &bbolt.Options{
+			Timeout:      5 * time.Second,
+			NoGrowSync:   bbolt.DefaultOptions.NoGrowSync,
+			FreelistType: bbolt.DefaultOptions.FreelistType,
+		},
+	})
+}
+
+// GET /_apis/artifactcache/cache
+func (h *Handler) find(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	keys := strings.Split(r.URL.Query().Get("keys"), ",")
+	// cache keys are case insensitive
+	for i, key := range keys {
+		keys[i] = strings.ToLower(key)
+	}
+	version := r.URL.Query().Get("version")
+
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache, err := findCache(db, keys, version)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	if cache == nil {
+		h.responseJSON(w, r, 204)
+		return
+	}
+
+	if ok, err := h.storage.Exist(cache.ID); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	} else if !ok {
+		_ = db.Delete(cache.ID, cache)
+		h.responseJSON(w, r, 204)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"result":          "hit",
+		"archiveLocation": fmt.Sprintf("%s%s/artifacts/%d", h.ExternalURL(), urlBase, cache.ID),
+		"cacheKey":        cache.Key,
+	})
+}
+
+// POST /_apis/artifactcache/caches
+func (h *Handler) reserve(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	api := &Request{}
+	if err := json.NewDecoder(r.Body).Decode(api); err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	// cache keys are case insensitive
+	api.Key = strings.ToLower(api.Key)
+
+	cache := api.ToCache()
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	now := time.Now().Unix()
+	cache.CreatedAt = now
+	cache.UsedAt = now
+	if err := insertCache(db, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	h.responseJSON(w, r, 200, map[string]any{
+		"cacheId": cache.ID,
+	})
+}
+
+// PATCH /_apis/artifactcache/caches/:id
+func (h *Handler) upload(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+	db.Close()
+	start, _, err := parseContentRange(r.Header.Get("Content-Range"))
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	if err := h.storage.Write(cache.ID, start, r.Body); err != nil {
+		h.responseJSON(w, r, 500, err)
+	}
+	h.useCache(id)
+	h.responseJSON(w, r, 200)
+}
+
+// POST /_apis/artifactcache/caches/:id
+func (h *Handler) commit(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+
+	cache := &Cache{}
+	db, err := h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+	if err := db.Get(id, cache); err != nil {
+		if errors.Is(err, bolthold.ErrNotFound) {
+			h.responseJSON(w, r, 400, fmt.Errorf("cache %d: not reserved", id))
+			return
+		}
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	if cache.Complete {
+		h.responseJSON(w, r, 400, fmt.Errorf("cache %v %q: already complete", cache.ID, cache.Key))
+		return
+	}
+
+	db.Close()
+
+	size, err := h.storage.Commit(cache.ID, cache.Size)
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	// write real size back to cache, it may be different from the current value when the request doesn't specify it.
+	cache.Size = size
+
+	db, err = h.openDB()
+	if err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+	defer db.Close()
+
+	cache.Complete = true
+	if err := db.Update(cache.ID, cache); err != nil {
+		h.responseJSON(w, r, 500, err)
+		return
+	}
+
+	h.responseJSON(w, r, 200)
+}
+
+// GET /_apis/artifactcache/artifacts/:id
+func (h *Handler) get(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+	id, err := strconv.ParseInt(params.ByName("id"), 10, 64)
+	if err != nil {
+		h.responseJSON(w, r, 400, err)
+		return
+	}
+	h.useCache(id)
+	h.storage.Serve(w, r, uint64(id))
+}
+
+// POST /_apis/artifactcache/clean
+func (h *Handler) clean(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	// TODO: don't support force deleting cache entries
+	// see: https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+
+	h.responseJSON(w, r, 200)
+}
+
+func (h *Handler) middleware(handler httprouter.Handle) httprouter.Handle {
+	return func(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
+		h.logger.Debugf("%s %s", r.Method, r.RequestURI)
+		handler(w, r, params)
+		go h.gcCache()
+	}
+}
+
+// if not found, return (nil, nil) instead of an error.
+func findCache(db *bolthold.Store, keys []string, version string) (*Cache, error) {
+	cache := &Cache{}
+	for _, prefix := range keys {
+		// if a key in the list matches exactly, don't return partial matches
+		if err := db.FindOne(cache,
+			bolthold.Where("Key").Eq(prefix).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err == nil || !errors.Is(err, bolthold.ErrNotFound) {
+			if err != nil {
+				return nil, fmt.Errorf("find cache: %w", err)
+			}
+			return cache, nil
+		}
+		prefixPattern := "^" + regexp.QuoteMeta(prefix)
+		re, err := regexp.Compile(prefixPattern)
+		if err != nil {
+			continue
+		}
+		if err := db.FindOne(cache,
+			bolthold.Where("Key").RegExp(re).
+				And("Version").Eq(version).
+				And("Complete").Eq(true).
+				SortBy("CreatedAt").Reverse()); err != nil {
+			if errors.Is(err, bolthold.ErrNotFound) {
+				continue
+			}
+			return nil, fmt.Errorf("find cache: %w", err)
+		}
+		return cache, nil
+	}
+	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+}
+
+func insertCache(db *bolthold.Store, cache *Cache) error {
+	if err := db.Insert(bolthold.NextSequence(), cache); err != nil {
+		return fmt.Errorf("insert cache: %w", err)
+	}
+	// write back id to db
+	if err := db.Update(cache.ID, cache); err != nil {
+		return fmt.Errorf("write back id to db: %w", err)
+	}
+	return nil
+}
+
+func (h *Handler) useCache(id int64) {
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+	cache := &Cache{}
+	if err := db.Get(id, cache); err != nil {
+		return
+	}
+	cache.UsedAt = time.Now().Unix()
+	_ = db.Update(cache.ID, cache)
+}
+
+const (
+	keepUsed   = 30 * 24 * time.Hour
+	keepUnused = 7 * 24 * time.Hour
+	keepTemp   = 5 * time.Minute
+	keepOld    = 5 * time.Minute
+)
+
+//nolint:gocyclo // function handles many cases
+func (h *Handler) gcCache() {
+	if h.gcing.Load() {
+		return
+	}
+	if !h.gcing.CompareAndSwap(false, true) {
+		return
+	}
+	defer h.gcing.Store(false)
+
+	if time.Since(h.gcAt) < time.Hour {
+		h.logger.Debugf("skip gc: %v", h.gcAt.String())
+		return
+	}
+	h.gcAt = time.Now()
+	h.logger.Debugf("gc: %v", h.gcAt.String())
+
+	db, err := h.openDB()
+	if err != nil {
+		return
+	}
+	defer db.Close()
+
+	// Remove the caches which are not completed for a while, they are most likely to be broken.
+	var caches []*Cache
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepTemp).Unix()).
+		And("Complete").Eq(false),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which have not been used recently.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("UsedAt").Lt(time.Now().Add(-keepUnused).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches which are too old.
+	caches = caches[:0]
+	if err := db.Find(&caches, bolthold.
+		Where("CreatedAt").Lt(time.Now().Add(-keepUsed).Unix()),
+	); err != nil {
+		h.logger.Warnf("find caches: %v", err)
+	} else {
+		for _, cache := range caches {
+			h.storage.Remove(cache.ID)
+			if err := db.Delete(cache.ID, cache); err != nil {
+				h.logger.Warnf("delete cache: %v", err)
+				continue
+			}
+			h.logger.Infof("deleted cache: %+v", cache)
+		}
+	}
+
+	// Remove the old caches with the same key and version, keep the latest one.
+	// Also keep the olds which have been used recently for a while in case of the cache is still in use.
+	if results, err := db.FindAggregate(
+		&Cache{},
+		bolthold.Where("Complete").Eq(true),
+		"Key", "Version",
+	); err != nil {
+		h.logger.Warnf("find aggregate caches: %v", err)
+	} else {
+		for _, result := range results {
+			if result.Count() <= 1 {
+				continue
+			}
+			result.Sort("CreatedAt")
+			caches = caches[:0]
+			result.Reduction(&caches)
+			for _, cache := range caches[:len(caches)-1] {
+				if time.Since(time.Unix(cache.UsedAt, 0)) < keepOld {
+					// Keep it since it has been used recently, even if it's old.
+					// Or it could break downloading in process.
+					continue
+				}
+				h.storage.Remove(cache.ID)
+				if err := db.Delete(cache.ID, cache); err != nil {
+					h.logger.Warnf("delete cache: %v", err)
+					continue
+				}
+				h.logger.Infof("deleted cache: %+v", cache)
+			}
+		}
+	}
+}
+
+func (h *Handler) responseJSON(w http.ResponseWriter, r *http.Request, code int, v ...any) {
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	var data []byte
+	if len(v) == 0 || v[0] == nil {
+		data, _ = json.Marshal(struct{}{})
+	} else if err, ok := v[0].(error); ok {
+		h.logger.Errorf("%v %v: %v", r.Method, r.RequestURI, err)
+		data, _ = json.Marshal(map[string]any{
+			"error": err.Error(),
+		})
+	} else {
+		data, _ = json.Marshal(v[0])
+	}
+	w.WriteHeader(code)
+	_, _ = w.Write(data)
+}
+
+func parseContentRange(s string) (int64, int64, error) {
+	// support the format like "bytes 11-22/*" only
+	s, _, _ = strings.Cut(strings.TrimPrefix(s, "bytes "), "/")
+	s1, s2, _ := strings.Cut(s, "-")
+
+	start, err := strconv.ParseInt(s1, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	stop, err := strconv.ParseInt(s2, 10, 64)
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse %q: %w", s, err)
+	}
+	return start, stop, nil
+}
--- a/act/artifactcache/handler_test.go
+++ b/act/artifactcache/handler_test.go
@@ -0,0 +1,701 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"bytes"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/timshannon/bolthold"
+	"go.etcd.io/bbolt"
+)
+
+func TestHandler(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, nil)
+	require.NoError(t, err)
+
+	base := fmt.Sprintf("%s%s", handler.ExternalURL(), urlBase)
+
+	defer func() {
+		t.Run("inpect db", func(t *testing.T) {
+			db, err := handler.openDB()
+			require.NoError(t, err)
+			defer db.Close()
+			require.NoError(t, db.Bolt().View(func(tx *bbolt.Tx) error {
+				return tx.Bucket([]byte("Cache")).ForEach(func(k, v []byte) error {
+					t.Logf("%s: %s", k, v)
+					return nil
+				})
+			}))
+		})
+		t.Run("close", func(t *testing.T) {
+			require.NoError(t, handler.Close())
+			assert.Nil(t, handler.server)
+			assert.Nil(t, handler.listener)
+			_, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 1), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			assert.Error(t, err)
+		})
+	}()
+
+	t.Run("get not exist", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 204, resp.StatusCode)
+	})
+
+	t.Run("reserve and upload", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		uploadCacheNormally(t, base, key, version, content)
+	})
+
+	t.Run("clean", func(t *testing.T) {
+		resp, err := http.Post(base+"/clean", "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	})
+
+	t.Run("reserve with bad request", func(t *testing.T) {
+		body := []byte(`invalid json`)
+		require.NoError(t, err)
+		resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("duplicate reserve", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var first, second struct {
+			CacheID uint64 `json:"cacheId"`
+		}
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&first))
+			assert.NotZero(t, first.CacheID)
+		}
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&second))
+			assert.NotZero(t, second.CacheID)
+		}
+
+		assert.NotEqual(t, first.CacheID, second.CacheID)
+	})
+
+	t.Run("upload with bad id", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodPatch,
+			base+"/caches/invalid_id", bytes.NewReader(nil))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("upload without reserve", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodPatch,
+			fmt.Sprintf("%s/caches/%d", base, 1000), bytes.NewReader(nil))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("upload with complete", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("upload with invalid range", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes xx-99/*")
+			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit with bad id", func(t *testing.T) {
+		{
+			resp, err := http.Post(base+"/caches/invalid_id", "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit with not exist id", func(t *testing.T) {
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, 100), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("duplicate commit", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-99/*")
+			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 400, resp.StatusCode)
+		}
+	})
+
+	t.Run("commit early", func(t *testing.T) {
+		key := strings.ToLower(t.Name())
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		var id uint64
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		{
+			body, err := json.Marshal(&Request{
+				Key:     key,
+				Version: version,
+				Size:    100,
+			})
+			require.NoError(t, err)
+			resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+
+			got := struct {
+				CacheID uint64 `json:"cacheId"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			id = got.CacheID
+		}
+		{
+			req, err := http.NewRequest(http.MethodPatch,
+				fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content[:50]))
+			require.NoError(t, err)
+			req.Header.Set("Content-Type", "application/octet-stream")
+			req.Header.Set("Content-Range", "bytes 0-59/*")
+			resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 200, resp.StatusCode)
+		}
+		{
+			resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			assert.Equal(t, 500, resp.StatusCode)
+		}
+	})
+
+	t.Run("get with bad id", func(t *testing.T) {
+		resp, err := http.Get(base + "/artifacts/invalid_id") //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 400, resp.StatusCode)
+	})
+
+	t.Run("get with not exist id", func(t *testing.T) {
+		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 404, resp.StatusCode)
+	})
+
+	t.Run("get with not exist id", func(t *testing.T) {
+		resp, err := http.Get(fmt.Sprintf("%s/artifacts/%d", base, 100)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 404, resp.StatusCode)
+	})
+
+	t.Run("get with multiple keys", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		keys := [3]string{
+			key + "_a_b_c",
+			key + "_a_b",
+			key + "_a",
+		}
+		contents := [3][]byte{
+			make([]byte, 100),
+			make([]byte, 200),
+			make([]byte, 300),
+		}
+		for i := range contents {
+			_, err := rand.Read(contents[i])
+			require.NoError(t, err)
+			uploadCacheNormally(t, base, keys[i], version, contents[i])
+			time.Sleep(time.Second) // ensure CreatedAt of caches are different
+		}
+
+		reqKeys := strings.Join([]string{
+			key + "_a_b_x",
+			key + "_a_b",
+			key + "_a",
+		}, ",")
+
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+
+		/*
+			Expect `key_a_b` because:
+			- `key_a_b_x" doesn't match any caches.
+			- `key_a_b" matches `key_a_b` and `key_a_b_c`, but `key_a_b` is newer.
+		*/
+		except := 1
+
+		got := struct {
+			Result          string `json:"result"`
+			ArchiveLocation string `json:"archiveLocation"`
+			CacheKey        string `json:"cacheKey"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		assert.Equal(t, "hit", got.Result)
+		assert.Equal(t, keys[except], got.CacheKey)
+
+		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, contentResp.StatusCode)
+		content, err := io.ReadAll(contentResp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, contents[except], content)
+	})
+
+	t.Run("case insensitive", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		content := make([]byte, 100)
+		_, err := rand.Read(content)
+		require.NoError(t, err)
+		uploadCacheNormally(t, base, key+"_ABC", version, content)
+
+		{
+			reqKey := key + "_aBc"
+			resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKey, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+			require.NoError(t, err)
+			require.Equal(t, 200, resp.StatusCode)
+			got := struct {
+				Result          string `json:"result"`
+				ArchiveLocation string `json:"archiveLocation"`
+				CacheKey        string `json:"cacheKey"`
+			}{}
+			require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+			assert.Equal(t, "hit", got.Result)
+			assert.Equal(t, key+"_abc", got.CacheKey)
+		}
+	})
+
+	t.Run("exact keys are preferred (key 0)", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		keys := [3]string{
+			key + "_a",
+			key + "_a_b_c",
+			key + "_a_b",
+		}
+		contents := [3][]byte{
+			make([]byte, 100),
+			make([]byte, 200),
+			make([]byte, 300),
+		}
+		for i := range contents {
+			_, err := rand.Read(contents[i])
+			require.NoError(t, err)
+			uploadCacheNormally(t, base, keys[i], version, contents[i])
+			time.Sleep(time.Second) // ensure CreatedAt of caches are different
+		}
+
+		reqKeys := strings.Join([]string{
+			key + "_a",
+			key + "_a_b",
+		}, ",")
+
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+
+		/*
+			Expect `key_a` because:
+			- `key_a` matches `key_a`, `key_a_b` and `key_a_b_c`, but `key_a` is an exact match.
+			- `key_a_b` matches `key_a_b` and `key_a_b_c`, but previous key had a match
+		*/
+		expect := 0
+
+		got := struct {
+			ArchiveLocation string `json:"archiveLocation"`
+			CacheKey        string `json:"cacheKey"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		assert.Equal(t, keys[expect], got.CacheKey)
+
+		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, contentResp.StatusCode)
+		content, err := io.ReadAll(contentResp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, contents[expect], content)
+	})
+
+	t.Run("exact keys are preferred (key 1)", func(t *testing.T) {
+		version := "c19da02a2bd7e77277f1ac29ab45c09b7d46a4ee758284e26bb3045ad11d9d20"
+		key := strings.ToLower(t.Name())
+		keys := [3]string{
+			key + "_a",
+			key + "_a_b_c",
+			key + "_a_b",
+		}
+		contents := [3][]byte{
+			make([]byte, 100),
+			make([]byte, 200),
+			make([]byte, 300),
+		}
+		for i := range contents {
+			_, err := rand.Read(contents[i])
+			require.NoError(t, err)
+			uploadCacheNormally(t, base, keys[i], version, contents[i])
+			time.Sleep(time.Second) // ensure CreatedAt of caches are different
+		}
+
+		reqKeys := strings.Join([]string{
+			"------------------------------------------------------",
+			key + "_a",
+			key + "_a_b",
+		}, ",")
+
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, reqKeys, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+
+		/*
+			Expect `key_a` because:
+			- `------------------------------------------------------` doesn't match any caches.
+			- `key_a` matches `key_a`, `key_a_b` and `key_a_b_c`, but `key_a` is an exact match.
+			- `key_a_b` matches `key_a_b` and `key_a_b_c`, but previous key had a match
+		*/
+		expect := 0
+
+		got := struct {
+			ArchiveLocation string `json:"archiveLocation"`
+			CacheKey        string `json:"cacheKey"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		assert.Equal(t, keys[expect], got.CacheKey)
+
+		contentResp, err := http.Get(got.ArchiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, contentResp.StatusCode)
+		content, err := io.ReadAll(contentResp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, contents[expect], content)
+	})
+}
+
+func uploadCacheNormally(t *testing.T, base, key, version string, content []byte) { //nolint:unparam // pre-existing issue from nektos/act
+	var id uint64
+	{
+		body, err := json.Marshal(&Request{
+			Key:     key,
+			Version: version,
+			Size:    int64(len(content)),
+		})
+		require.NoError(t, err)
+		resp, err := http.Post(base+"/caches", "application/json", bytes.NewReader(body)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+
+		got := struct {
+			CacheID uint64 `json:"cacheId"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		id = got.CacheID
+	}
+	{
+		req, err := http.NewRequest(http.MethodPatch,
+			fmt.Sprintf("%s/caches/%d", base, id), bytes.NewReader(content))
+		require.NoError(t, err)
+		req.Header.Set("Content-Type", "application/octet-stream")
+		req.Header.Set("Content-Range", "bytes 0-99/*")
+		resp, err := http.DefaultClient.Do(req) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	}
+	{
+		resp, err := http.Post(fmt.Sprintf("%s/caches/%d", base, id), "", nil) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		assert.Equal(t, 200, resp.StatusCode)
+	}
+	var archiveLocation string
+	{
+		resp, err := http.Get(fmt.Sprintf("%s/cache?keys=%s&version=%s", base, key, version)) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+		got := struct {
+			Result          string `json:"result"`
+			ArchiveLocation string `json:"archiveLocation"`
+			CacheKey        string `json:"cacheKey"`
+		}{}
+		require.NoError(t, json.NewDecoder(resp.Body).Decode(&got))
+		assert.Equal(t, "hit", got.Result)
+		assert.Equal(t, strings.ToLower(key), got.CacheKey)
+		archiveLocation = got.ArchiveLocation
+	}
+	{
+		resp, err := http.Get(archiveLocation) //nolint:bodyclose // pre-existing issue from nektos/act
+		require.NoError(t, err)
+		require.Equal(t, 200, resp.StatusCode)
+		got, err := io.ReadAll(resp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, content, got)
+	}
+}
+
+func TestHandler_gcCache(t *testing.T) {
+	dir := filepath.Join(t.TempDir(), "artifactcache")
+	handler, err := StartHandler(dir, "", 0, nil)
+	require.NoError(t, err)
+
+	defer func() {
+		require.NoError(t, handler.Close())
+	}()
+
+	now := time.Now()
+
+	cases := []struct {
+		Cache *Cache
+		Kept  bool
+	}{
+		{
+			// should be kept, since it's used recently and not too old.
+			Cache: &Cache{
+				Key:       "test_key_1",
+				Version:   "test_version",
+				Complete:  true,
+				UsedAt:    now.Unix(),
+				CreatedAt: now.Add(-time.Hour).Unix(),
+			},
+			Kept: true,
+		},
+		{
+			// should be removed, since it's not complete and not used for a while.
+			Cache: &Cache{
+				Key:       "test_key_2",
+				Version:   "test_version",
+				Complete:  false,
+				UsedAt:    now.Add(-(keepTemp + time.Second)).Unix(),
+				CreatedAt: now.Add(-(keepTemp + time.Hour)).Unix(),
+			},
+			Kept: false,
+		},
+		{
+			// should be removed, since it's not used for a while.
+			Cache: &Cache{
+				Key:       "test_key_3",
+				Version:   "test_version",
+				Complete:  true,
+				UsedAt:    now.Add(-(keepUnused + time.Second)).Unix(),
+				CreatedAt: now.Add(-(keepUnused + time.Hour)).Unix(),
+			},
+			Kept: false,
+		},
+		{
+			// should be removed, since it's used but too old.
+			Cache: &Cache{
+				Key:       "test_key_3",
+				Version:   "test_version",
+				Complete:  true,
+				UsedAt:    now.Unix(),
+				CreatedAt: now.Add(-(keepUsed + time.Second)).Unix(),
+			},
+			Kept: false,
+		},
+		{
+			// should be kept, since it has a newer edition but be used recently.
+			Cache: &Cache{
+				Key:       "test_key_1",
+				Version:   "test_version",
+				Complete:  true,
+				UsedAt:    now.Add(-(keepOld - time.Minute)).Unix(),
+				CreatedAt: now.Add(-(time.Hour + time.Second)).Unix(),
+			},
+			Kept: true,
+		},
+		{
+			// should be removed, since it has a newer edition and not be used recently.
+			Cache: &Cache{
+				Key:       "test_key_1",
+				Version:   "test_version",
+				Complete:  true,
+				UsedAt:    now.Add(-(keepOld + time.Second)).Unix(),
+				CreatedAt: now.Add(-(time.Hour + time.Second)).Unix(),
+			},
+			Kept: false,
+		},
+	}
+
+	db, err := handler.openDB()
+	require.NoError(t, err)
+	for _, c := range cases {
+		require.NoError(t, insertCache(db, c.Cache))
+	}
+	require.NoError(t, db.Close())
+
+	handler.gcAt = time.Time{} // ensure gcCache will not skip
+	handler.gcCache()
+
+	db, err = handler.openDB()
+	require.NoError(t, err)
+	for i, v := range cases {
+		t.Run(fmt.Sprintf("%d_%s", i, v.Cache.Key), func(t *testing.T) {
+			cache := &Cache{}
+			err = db.Get(v.Cache.ID, cache)
+			if v.Kept {
+				assert.NoError(t, err)
+			} else {
+				assert.ErrorIs(t, err, bolthold.ErrNotFound)
+			}
+		})
+	}
+	require.NoError(t, db.Close())
+}
--- a/act/artifactcache/model.go
+++ b/act/artifactcache/model.go
@@ -0,0 +1,38 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+type Request struct {
+	Key     string `json:"key" `
+	Version string `json:"version"`
+	Size    int64  `json:"cacheSize"`
+}
+
+func (c *Request) ToCache() *Cache {
+	if c == nil {
+		return nil
+	}
+	ret := &Cache{
+		Key:     c.Key,
+		Version: c.Version,
+		Size:    c.Size,
+	}
+	if c.Size == 0 {
+		// So the request comes from old versions of actions, like `actions/cache@v2`.
+		// It doesn't send cache size. Set it to -1 to indicate that.
+		ret.Size = -1
+	}
+	return ret
+}
+
+type Cache struct {
+	ID        uint64 `json:"id" boltholdKey:"ID"`
+	Key       string `json:"key" boltholdIndex:"Key"`
+	Version   string `json:"version" boltholdIndex:"Version"`
+	Size      int64  `json:"cacheSize"`
+	Complete  bool   `json:"complete" boltholdIndex:"Complete"`
+	UsedAt    int64  `json:"usedAt" boltholdIndex:"UsedAt"`
+	CreatedAt int64  `json:"createdAt" boltholdIndex:"CreatedAt"`
+}
--- a/act/artifactcache/storage.go
+++ b/act/artifactcache/storage.go
@@ -0,0 +1,135 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifactcache
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+)
+
+type Storage struct {
+	rootDir string
+}
+
+func NewStorage(rootDir string) (*Storage, error) {
+	if err := os.MkdirAll(rootDir, 0o755); err != nil {
+		return nil, err
+	}
+	return &Storage{
+		rootDir: rootDir,
+	}, nil
+}
+
+func (s *Storage) Exist(id uint64) (bool, error) {
+	name := s.filename(id)
+	if _, err := os.Stat(name); os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func (s *Storage) Write(id uint64, offset int64, reader io.Reader) error {
+	name := s.tempName(id, offset)
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	_, err = io.Copy(file, reader)
+	return err
+}
+
+func (s *Storage) Commit(id uint64, size int64) (int64, error) {
+	defer func() {
+		_ = os.RemoveAll(s.tempDir(id))
+	}()
+
+	name := s.filename(id)
+	tempNames, err := s.tempNames(id)
+	if err != nil {
+		return 0, err
+	}
+
+	if err := os.MkdirAll(filepath.Dir(name), 0o755); err != nil {
+		return 0, err
+	}
+	file, err := os.Create(name)
+	if err != nil {
+		return 0, err
+	}
+	defer file.Close()
+
+	var written int64
+	for _, v := range tempNames {
+		f, err := os.Open(v)
+		if err != nil {
+			return 0, err
+		}
+		n, err := io.Copy(file, f)
+		_ = f.Close()
+		if err != nil {
+			return 0, err
+		}
+		written += n
+	}
+
+	// If size is less than 0, it means the size is unknown.
+	// We can't check the size of the file, just skip the check.
+	// It happens when the request comes from old versions of actions, like `actions/cache@v2`.
+	if size >= 0 && written != size {
+		_ = file.Close()
+		_ = os.Remove(name)
+		return 0, fmt.Errorf("broken file: %v != %v", written, size)
+	}
+
+	return written, nil
+}
+
+func (s *Storage) Serve(w http.ResponseWriter, r *http.Request, id uint64) {
+	name := s.filename(id)
+	http.ServeFile(w, r, name)
+}
+
+func (s *Storage) Remove(id uint64) {
+	_ = os.Remove(s.filename(id))
+	_ = os.RemoveAll(s.tempDir(id))
+}
+
+func (s *Storage) filename(id uint64) string {
+	return filepath.Join(s.rootDir, fmt.Sprintf("%02x", id%0xff), strconv.FormatUint(id, 10))
+}
+
+func (s *Storage) tempDir(id uint64) string {
+	return filepath.Join(s.rootDir, "tmp", strconv.FormatUint(id, 10))
+}
+
+func (s *Storage) tempName(id uint64, offset int64) string {
+	return filepath.Join(s.tempDir(id), fmt.Sprintf("%016x", offset))
+}
+
+func (s *Storage) tempNames(id uint64) ([]string, error) {
+	dir := s.tempDir(id)
+	files, err := os.ReadDir(dir)
+	if err != nil {
+		return nil, err
+	}
+	var names []string
+	for _, v := range files {
+		if !v.IsDir() {
+			names = append(names, filepath.Join(dir, v.Name()))
+		}
+	}
+	return names, nil
+}
--- a/act/artifactcache/testdata/example/example.yaml
+++ b/act/artifactcache/testdata/example/example.yaml
@@ -0,0 +1,30 @@
+# Copied from https://github.com/actions/cache#example-cache-workflow
+name: Caching Primes
+
+on: push
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - run: env
+
+      - uses: actions/checkout@v3
+
+      - name: Cache Primes
+        id: cache-primes
+        uses: actions/cache@v3
+        with:
+          path: prime-numbers
+          key: ${{ runner.os }}-primes-${{ github.run_id }}
+          restore-keys: |
+            ${{ runner.os }}-primes
+            ${{ runner.os }}
+
+      - name: Generate Prime Numbers
+        if: steps.cache-primes.outputs.cache-hit != 'true'
+        run: cat /proc/sys/kernel/random/uuid > prime-numbers
+
+      - name: Use Prime Numbers
+        run: cat prime-numbers
--- a/act/artifacts/server.go
+++ b/act/artifacts/server.go
@@ -0,0 +1,319 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifacts
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+type FileContainerResourceURL struct {
+	FileContainerResourceURL string `json:"fileContainerResourceUrl"`
+}
+
+type NamedFileContainerResourceURL struct {
+	Name                     string `json:"name"`
+	FileContainerResourceURL string `json:"fileContainerResourceUrl"`
+}
+
+type NamedFileContainerResourceURLResponse struct {
+	Count int                             `json:"count"`
+	Value []NamedFileContainerResourceURL `json:"value"`
+}
+
+type ContainerItem struct {
+	Path            string `json:"path"`
+	ItemType        string `json:"itemType"`
+	ContentLocation string `json:"contentLocation"`
+}
+
+type ContainerItemResponse struct {
+	Value []ContainerItem `json:"value"`
+}
+
+type ResponseMessage struct {
+	Message string `json:"message"`
+}
+
+type WritableFile interface {
+	io.WriteCloser
+}
+
+type WriteFS interface {
+	OpenWritable(name string) (WritableFile, error)
+	OpenAppendable(name string) (WritableFile, error)
+}
+
+type readWriteFSImpl struct{}
+
+func (fwfs readWriteFSImpl) Open(name string) (fs.File, error) {
+	return os.Open(name)
+}
+
+func (fwfs readWriteFSImpl) OpenWritable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	return os.OpenFile(name, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o644)
+}
+
+func (fwfs readWriteFSImpl) OpenAppendable(name string) (WritableFile, error) {
+	if err := os.MkdirAll(filepath.Dir(name), os.ModePerm); err != nil {
+		return nil, err
+	}
+	file, err := os.OpenFile(name, os.O_CREATE|os.O_RDWR, 0o644)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = file.Seek(0, io.SeekEnd)
+	if err != nil {
+		return nil, err
+	}
+	return file, nil
+}
+
+var gzipExtension = ".gz__"
+
+func safeResolve(baseDir, relPath string) string {
+	return filepath.Join(baseDir, filepath.Clean(filepath.Join(string(os.PathSeparator), relPath)))
+}
+
+func uploads(router *httprouter.Router, baseDir string, fsys WriteFS) {
+	router.POST("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		runID := params.ByName("runId")
+
+		json, err := json.Marshal(FileContainerResourceURL{
+			FileContainerResourceURL: fmt.Sprintf("http://%s/upload/%s", req.Host, runID),
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.PUT("/upload/:runId", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		itemPath := req.URL.Query().Get("itemPath")
+		runID := params.ByName("runId")
+
+		if req.Header.Get("Content-Encoding") == "gzip" {
+			itemPath += gzipExtension
+		}
+
+		safeRunPath := safeResolve(baseDir, runID)
+		safePath := safeResolve(safeRunPath, itemPath)
+
+		file, err := func() (WritableFile, error) {
+			contentRange := req.Header.Get("Content-Range")
+			if contentRange != "" && !strings.HasPrefix(contentRange, "bytes 0-") {
+				return fsys.OpenAppendable(safePath)
+			}
+			return fsys.OpenWritable(safePath)
+		}()
+		if err != nil {
+			panic(err)
+		}
+		defer file.Close()
+
+		writer, ok := file.(io.Writer)
+		if !ok {
+			panic(errors.New("File is not writable"))
+		}
+
+		if req.Body == nil {
+			panic(errors.New("No body given"))
+		}
+
+		_, err = io.Copy(writer, req.Body)
+		if err != nil {
+			panic(err)
+		}
+
+		json, err := json.Marshal(ResponseMessage{
+			Message: "success",
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.PATCH("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		json, err := json.Marshal(ResponseMessage{
+			Message: "success",
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+}
+
+func downloads(router *httprouter.Router, baseDir string, fsys fs.FS) {
+	router.GET("/_apis/pipelines/workflows/:runId/artifacts", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		runID := params.ByName("runId")
+
+		safePath := safeResolve(baseDir, runID)
+
+		entries, err := fs.ReadDir(fsys, safePath)
+		if err != nil {
+			panic(err)
+		}
+
+		var list []NamedFileContainerResourceURL
+		for _, entry := range entries {
+			list = append(list, NamedFileContainerResourceURL{
+				Name:                     entry.Name(),
+				FileContainerResourceURL: fmt.Sprintf("http://%s/download/%s", req.Host, runID),
+			})
+		}
+
+		json, err := json.Marshal(NamedFileContainerResourceURLResponse{
+			Count: len(list),
+			Value: list,
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.GET("/download/:container", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		container := params.ByName("container")
+		itemPath := req.URL.Query().Get("itemPath")
+		safePath := safeResolve(baseDir, filepath.Join(container, itemPath))
+
+		var files []ContainerItem
+		err := fs.WalkDir(fsys, safePath, func(path string, entry fs.DirEntry, err error) error {
+			if !entry.IsDir() {
+				rel, err := filepath.Rel(safePath, path)
+				if err != nil {
+					panic(err)
+				}
+
+				// if it was upload as gzip
+				rel = strings.TrimSuffix(rel, gzipExtension)
+				path := filepath.Join(itemPath, rel)
+
+				rel = filepath.ToSlash(rel)
+				path = filepath.ToSlash(path)
+
+				files = append(files, ContainerItem{
+					Path:            path,
+					ItemType:        "file",
+					ContentLocation: fmt.Sprintf("http://%s/artifact/%s/%s/%s", req.Host, container, itemPath, rel),
+				})
+			}
+			return nil
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		json, err := json.Marshal(ContainerItemResponse{
+			Value: files,
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		_, err = w.Write(json)
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	router.GET("/artifact/*path", func(w http.ResponseWriter, req *http.Request, params httprouter.Params) {
+		path := params.ByName("path")[1:]
+
+		safePath := safeResolve(baseDir, path)
+
+		file, err := fsys.Open(safePath)
+		if err != nil {
+			// try gzip file
+			file, err = fsys.Open(safePath + gzipExtension)
+			if err != nil {
+				panic(err)
+			}
+			w.Header().Add("Content-Encoding", "gzip")
+		}
+
+		_, err = io.Copy(w, file)
+		if err != nil {
+			panic(err)
+		}
+	})
+}
+
+func Serve(ctx context.Context, artifactPath, addr, port string) context.CancelFunc {
+	serverContext, cancel := context.WithCancel(ctx)
+	logger := common.Logger(serverContext)
+
+	if artifactPath == "" {
+		return cancel
+	}
+
+	router := httprouter.New()
+
+	logger.Debugf("Artifacts base path '%s'", artifactPath)
+	fsys := readWriteFSImpl{}
+	uploads(router, artifactPath, fsys)
+	downloads(router, artifactPath, fsys)
+
+	server := &http.Server{
+		Addr:              fmt.Sprintf("%s:%s", addr, port),
+		ReadHeaderTimeout: 2 * time.Second,
+		Handler:           router,
+	}
+
+	// run server
+	go func() {
+		logger.Infof("Start server on http://%s:%s", addr, port)
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			logger.Fatal(err)
+		}
+	}()
+
+	// wait for cancel to gracefully shutdown server
+	go func() {
+		<-serverContext.Done()
+
+		if err := server.Shutdown(ctx); err != nil {
+			logger.Errorf("Failed shutdown gracefully - force shutdown: %v", err)
+			server.Close()
+		}
+	}()
+
+	return cancel
+}
--- a/act/artifacts/server_test.go
+++ b/act/artifacts/server_test.go
@@ -0,0 +1,399 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package artifacts
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"testing"
+	"testing/fstest"
+
+	"gitea.com/gitea/act_runner/act/model"
+	"gitea.com/gitea/act_runner/act/runner"
+
+	"github.com/julienschmidt/httprouter"
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+type writableMapFile struct {
+	fstest.MapFile
+}
+
+func (f *writableMapFile) Write(data []byte) (int, error) {
+	f.Data = data
+	return len(data), nil
+}
+
+func (f *writableMapFile) Close() error {
+	return nil
+}
+
+type writeMapFS struct {
+	fstest.MapFS
+}
+
+func (fsys writeMapFS) OpenWritable(name string) (WritableFile, error) {
+	file := &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
+}
+
+func (fsys writeMapFS) OpenAppendable(name string) (WritableFile, error) {
+	file := &writableMapFile{
+		MapFile: fstest.MapFile{
+			Data: []byte("content2"),
+		},
+	}
+	fsys.MapFS[name] = &file.MapFile
+
+	return file, nil
+}
+
+func TestNewArtifactUploadPrepare(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPost, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := FileContainerResourceURL{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("http://localhost/upload/1", response.FileContainerResourceURL)
+}
+
+func TestArtifactUploadBlob(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=some/file", strings.NewReader("content"))
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
+}
+
+func TestFinalizeArtifactUpload(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPatch, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+}
+
+func TestListArtifacts(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/file.txt": {
+			Data: []byte(""),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/_apis/pipelines/workflows/1/artifacts", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	response := NamedFileContainerResourceURLResponse{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(1, response.Count)
+	assert.Equal("file.txt", response.Value[0].Name)
+	assert.Equal("http://localhost/download/1", response.Value[0].FileContainerResourceURL)
+}
+
+func TestListArtifactContainer(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/some/file": {
+			Data: []byte(""),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/download/1?itemPath=some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	response := ContainerItemResponse{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal(1, len(response.Value)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal("some/file", response.Value[0].Path)
+	assert.Equal("file", response.Value[0].ItemType)
+	assert.Equal("http://localhost/artifact/1/some/file/.", response.Value[0].ContentLocation)
+}
+
+func TestDownloadArtifactFile(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/1/some/file": {
+			Data: []byte("content"),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/1/some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	data := rr.Body.Bytes()
+
+	assert.Equal("content", string(data))
+}
+
+type TestJobFileInfo struct {
+	workdir               string
+	workflowPath          string
+	eventName             string
+	errorMessage          string
+	platforms             map[string]string
+	containerArchitecture string
+}
+
+var (
+	artifactsPath = path.Join(os.TempDir(), "test-artifacts")
+	artifactsAddr = "127.0.0.1"
+	artifactsPort = "12345"
+)
+
+func TestArtifactFlow(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+
+	ctx := context.Background()
+
+	cancel := Serve(ctx, artifactsPath, artifactsAddr, artifactsPort)
+	defer cancel()
+
+	platforms := map[string]string{
+		"ubuntu-latest": "node:16-buster", // Don't use node:16-buster-slim because it doesn't have curl command, which is used in the tests
+	}
+
+	tables := []TestJobFileInfo{
+		{"testdata", "upload-and-download", "push", "", platforms, ""},
+		{"testdata", "GHSL-2023-004", "push", "", platforms, ""},
+	}
+	log.SetLevel(log.DebugLevel)
+
+	for _, table := range tables {
+		runTestJobFile(ctx, t, table)
+	}
+}
+
+func runTestJobFile(ctx context.Context, t *testing.T, tjfi TestJobFileInfo) {
+	t.Run(tjfi.workflowPath, func(t *testing.T) {
+		fmt.Printf("::group::%s\n", tjfi.workflowPath) //nolint:forbidigo // pre-existing issue from nektos/act
+
+		if err := os.RemoveAll(artifactsPath); err != nil {
+			panic(err)
+		}
+
+		workdir, err := filepath.Abs(tjfi.workdir)
+		assert.Nil(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
+		fullWorkflowPath := filepath.Join(workdir, tjfi.workflowPath)
+		runnerConfig := &runner.Config{
+			Workdir:               workdir,
+			BindWorkdir:           false,
+			EventName:             tjfi.eventName,
+			Platforms:             tjfi.platforms,
+			ReuseContainers:       false,
+			ContainerArchitecture: tjfi.containerArchitecture,
+			GitHubInstance:        "github.com",
+			ArtifactServerPath:    artifactsPath,
+			ArtifactServerAddr:    artifactsAddr,
+			ArtifactServerPort:    artifactsPort,
+		}
+
+		runner, err := runner.New(runnerConfig)
+		assert.Nil(t, err, tjfi.workflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+
+		planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
+		assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+
+		plan, err := planner.PlanEvent(tjfi.eventName)
+		if err == nil {
+			err = runner.NewPlanExecutor(plan)(ctx)
+			if tjfi.errorMessage == "" {
+				assert.Nil(t, err, fullWorkflowPath) //nolint:testifylint // pre-existing issue from nektos/act
+			} else {
+				assert.Error(t, err, tjfi.errorMessage) //nolint:testifylint // pre-existing issue from nektos/act
+			}
+		} else {
+			assert.Nil(t, plan)
+		}
+
+		fmt.Println("::endgroup::") //nolint:forbidigo // pre-existing issue from nektos/act
+	})
+}
+
+func TestMkdirFsImplSafeResolve(t *testing.T) {
+	assert := assert.New(t)
+
+	baseDir := "/foo/bar"
+
+	tests := map[string]struct {
+		input string
+		want  string
+	}{
+		"simple":         {input: "baz", want: "/foo/bar/baz"},
+		"nested":         {input: "baz/blue", want: "/foo/bar/baz/blue"},
+		"dots in middle": {input: "baz/../../blue", want: "/foo/bar/blue"},
+		"leading dots":   {input: "../../parent", want: "/foo/bar/parent"},
+		"root path":      {input: "/root", want: "/foo/bar/root"},
+		"root":           {input: "/", want: "/foo/bar"},
+		"empty":          {input: "", want: "/foo/bar"},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			assert.Equal(tc.want, safeResolve(baseDir, tc.input))
+		})
+	}
+}
+
+func TestDownloadArtifactFileUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{
+		"artifact/server/path/some/file": {
+			Data: []byte("content"),
+		},
+	})
+
+	router := httprouter.New()
+	downloads(router, "artifact/server/path", memfs)
+
+	req, _ := http.NewRequest(http.MethodGet, "http://localhost/artifact/2/../../some/file", nil)
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.FailNow(fmt.Sprintf("Wrong status: %d", status))
+	}
+
+	data := rr.Body.Bytes()
+
+	assert.Equal("content", string(data))
+}
+
+func TestArtifactUploadBlobUnsafePath(t *testing.T) {
+	assert := assert.New(t)
+
+	memfs := fstest.MapFS(map[string]*fstest.MapFile{})
+
+	router := httprouter.New()
+	uploads(router, "artifact/server/path", writeMapFS{memfs})
+
+	req, _ := http.NewRequest(http.MethodPut, "http://localhost/upload/1?itemPath=../../some/file", strings.NewReader("content"))
+	rr := httptest.NewRecorder()
+
+	router.ServeHTTP(rr, req)
+
+	if status := rr.Code; status != http.StatusOK {
+		assert.Fail("Wrong status")
+	}
+
+	response := ResponseMessage{}
+	err := json.Unmarshal(rr.Body.Bytes(), &response)
+	if err != nil {
+		panic(err)
+	}
+
+	assert.Equal("success", response.Message)
+	assert.Equal("content", string(memfs["artifact/server/path/1/some/file"].Data))
+}
--- a/act/artifacts/testdata/GHSL-2023-004/artifacts.yml
+++ b/act/artifacts/testdata/GHSL-2023-004/artifacts.yml
@@ -0,0 +1,39 @@
+
+name: "GHSL-2023-0004"
+on: push
+
+jobs:
+  test-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "hello world" > test.txt
+      - name: curl upload
+        run: curl --silent --show-error --fail ${ACTIONS_RUNTIME_URL}upload/1?itemPath=../../my-artifact/secret.txt --upload-file test.txt
+      - uses: actions/download-artifact@v2
+        with:
+          name: my-artifact
+          path: test-artifacts
+      - name: 'Verify Artifact #1'
+        run: |
+          file="test-artifacts/secret.txt"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if [ "$(cat $file)" != "hello world" ] ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
+      - name: Verify download should work by clean extra dots
+        run: curl --silent --show-error --fail --path-as-is -o out.txt ${ACTIONS_RUNTIME_URL}artifact/1/../../../1/my-artifact/secret.txt
+      - name: 'Verify download content'
+        run: |
+          file="out.txt"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if [ "$(cat $file)" != "hello world" ] ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
--- a/act/artifacts/testdata/upload-and-download/artifacts.yml
+++ b/act/artifacts/testdata/upload-and-download/artifacts.yml
@@ -0,0 +1,230 @@
+
+name: "Test that artifact uploads and downloads succeed"
+on: push
+
+jobs:
+  test-artifacts:
+    runs-on: ubuntu-latest
+    steps:
+      - run: mkdir -p path/to/artifact
+      - run: echo hello > path/to/artifact/world.txt
+      - uses: actions/upload-artifact@v2
+        with:
+          name: my-artifact
+          path: path/to/artifact/world.txt
+
+      - run: rm -rf path
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: my-artifact
+      - name: Display structure of downloaded files
+        run: ls -la
+
+      # Test end-to-end by uploading two artifacts and then downloading them
+      - name: Create artifact files
+        run: |
+          mkdir -p path/to/dir-1
+          mkdir -p path/to/dir-2
+          mkdir -p path/to/dir-3
+          mkdir -p path/to/dir-5
+          mkdir -p path/to/dir-6
+          mkdir -p path/to/dir-7
+          echo "Lorem ipsum dolor sit amet" > path/to/dir-1/file1.txt
+          echo "Hello world from file #2" > path/to/dir-2/file2.txt
+          echo "This is a going to be a test for a large enough file that should get compressed with GZip. The @actions/artifact package uses GZip to upload files. This text should have a compression ratio greater than 100% so it should get uploaded using GZip" > path/to/dir-3/gzip.txt
+          dd if=/dev/random of=path/to/dir-5/file5.rnd bs=1024 count=1024
+          dd if=/dev/random of=path/to/dir-6/file6.rnd bs=1024 count=$((10*1024))
+          dd if=/dev/random of=path/to/dir-7/file7.rnd bs=1024 count=$((10*1024))
+
+      # Upload a single file artifact
+      - name: 'Upload artifact #1'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Artifact-A'
+          path: path/to/dir-1/file1.txt
+      
+      # Upload using a wildcard pattern, name should default to 'artifact' if not provided
+      - name: 'Upload artifact #2'
+        uses: actions/upload-artifact@v2
+        with:
+          path: path/**/dir*/
+      
+      # Upload a directory that contains a file that will be uploaded with GZip
+      - name: 'Upload artifact #3'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'GZip-Artifact'
+          path: path/to/dir-3/
+      
+      # Upload a directory that contains a file that will be uploaded with GZip
+      - name: 'Upload artifact #4'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Multi-Path-Artifact'
+          path: |
+            path/to/dir-1/*
+            path/to/dir-[23]/*
+            !path/to/dir-3/*.txt
+      
+      # Upload a mid-size file artifact
+      - name: 'Upload artifact #5'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Mid-Size-Artifact'
+          path: path/to/dir-5/file5.rnd
+      
+      # Upload a big file artifact
+      - name: 'Upload artifact #6'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Big-Artifact'
+          path: path/to/dir-6/file6.rnd
+
+      # Upload a big file artifact twice
+      - name: 'Upload artifact #7 (First)'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Big-Uploaded-Twice'
+          path: path/to/dir-7/file7.rnd
+
+      # Upload a big file artifact twice
+      - name: 'Upload artifact #7 (Second)'
+        uses: actions/upload-artifact@v2
+        with:
+          name: 'Big-Uploaded-Twice'
+          path: path/to/dir-7/file7.rnd
+
+      # Verify artifacts. Switch to download-artifact@v2 once it's out of preview
+      
+      # Download Artifact #1 and verify the correctness of the content
+      - name: 'Download artifact #1'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'Artifact-A'
+          path: some/new/path
+      
+      - name: 'Verify Artifact #1'
+        run: |
+          file="some/new/path/file1.txt"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if [ "$(cat $file)" != "Lorem ipsum dolor sit amet" ] ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
+      
+      # Download Artifact #2 and verify the correctness of the content
+      - name: 'Download artifact #2'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'artifact'
+          path: some/other/path
+      
+      - name: 'Verify Artifact #2'
+        run: |
+          file1="some/other/path/to/dir-1/file1.txt"
+          file2="some/other/path/to/dir-2/file2.txt"
+          if [ ! -f $file1 -o ! -f $file2 ] ; then
+            echo "Expected files do not exist"
+            exit 1
+          fi
+          if [ "$(cat $file1)" != "Lorem ipsum dolor sit amet" -o "$(cat $file2)" != "Hello world from file #2" ] ; then
+            echo "File contents of downloaded artifacts are incorrect"
+            exit 1
+          fi
+      
+      # Download Artifact #3 and verify the correctness of the content
+      - name: 'Download artifact #3'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'GZip-Artifact'
+          path: gzip/artifact/path
+      
+      # Because a directory was used as input during the upload the parent directories, path/to/dir-3/, should not be included in the uploaded artifact
+      - name: 'Verify Artifact #3'
+        run: |
+          gzipFile="gzip/artifact/path/gzip.txt"
+          if [ ! -f $gzipFile ] ; then
+            echo "Expected file do not exist"
+            exit 1
+          fi
+          if [ "$(cat $gzipFile)" != "This is a going to be a test for a large enough file that should get compressed with GZip. The @actions/artifact package uses GZip to upload files. This text should have a compression ratio greater than 100% so it should get uploaded using GZip" ] ; then
+            echo "File contents of downloaded artifact is incorrect"
+            exit 1
+          fi
+      
+      - name: 'Download artifact #4'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'Multi-Path-Artifact'
+          path: multi/artifact
+      
+      - name: 'Verify Artifact #4'
+        run: |
+          file1="multi/artifact/dir-1/file1.txt"
+          file2="multi/artifact/dir-2/file2.txt"
+          if [ ! -f $file1 -o ! -f $file2 ] ; then
+            echo "Expected files do not exist"
+            exit 1
+          fi
+          if [ "$(cat $file1)" != "Lorem ipsum dolor sit amet" -o "$(cat $file2)" != "Hello world from file #2" ] ; then
+            echo "File contents of downloaded artifacts are incorrect"
+            exit 1
+          fi
+      
+      - name: 'Download artifact #5'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'Mid-Size-Artifact'
+          path: mid-size/artifact/path
+      
+      - name: 'Verify Artifact #5'
+        run: |
+          file="mid-size/artifact/path/file5.rnd"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if ! diff $file path/to/dir-5/file5.rnd ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
+      
+      - name: 'Download artifact #6'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'Big-Artifact'
+          path: big/artifact/path
+      
+      - name: 'Verify Artifact #6'
+        run: |
+          file="big/artifact/path/file6.rnd"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if ! diff $file path/to/dir-6/file6.rnd ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
+
+      - name: 'Download artifact #7'
+        uses: actions/download-artifact@v2
+        with:
+          name: 'Big-Uploaded-Twice'
+          path: big-uploaded-twice/artifact/path
+
+      - name: 'Verify Artifact #7'
+        run: |
+          file="big-uploaded-twice/artifact/path/file7.rnd"
+          if [ ! -f $file ] ; then
+            echo "Expected file does not exist"
+            exit 1
+          fi
+          if ! diff $file path/to/dir-7/file7.rnd ; then
+            echo "File contents of downloaded artifact are incorrect"
+            exit 1
+          fi
--- a/act/common/cartesian.go
+++ b/act/common/cartesian.go
@@ -0,0 +1,58 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+// CartesianProduct takes map of lists and returns list of unique tuples
+func CartesianProduct(mapOfLists map[string][]any) []map[string]any {
+	listNames := make([]string, 0)
+	lists := make([][]any, 0)
+	for k, v := range mapOfLists {
+		listNames = append(listNames, k)
+		lists = append(lists, v)
+	}
+
+	listCart := cartN(lists...)
+
+	rtn := make([]map[string]any, 0)
+	for _, list := range listCart {
+		vMap := make(map[string]any)
+		for i, v := range list {
+			vMap[listNames[i]] = v
+		}
+		rtn = append(rtn, vMap)
+	}
+	return rtn
+}
+
+func cartN(a ...[]any) [][]any {
+	c := 1
+	for _, a := range a {
+		c *= len(a)
+	}
+	if c == 0 || len(a) == 0 {
+		return nil
+	}
+	p := make([][]any, c)
+	b := make([]any, c*len(a))
+	n := make([]int, len(a))
+	s := 0
+	for i := range p {
+		e := s + len(a)
+		pi := b[s:e]
+		p[i] = pi
+		s = e
+		for j, n := range n {
+			pi[j] = a[j][n]
+		}
+		for j := len(n) - 1; j >= 0; j-- {
+			n[j]++
+			if n[j] < len(a[j]) {
+				break
+			}
+			n[j] = 0
+		}
+	}
+	return p
+}
--- a/act/common/cartesian_test.go
+++ b/act/common/cartesian_test.go
@@ -0,0 +1,43 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCartesianProduct(t *testing.T) {
+	assert := assert.New(t)
+	input := map[string][]any{
+		"foo": {1, 2, 3, 4},
+		"bar": {"a", "b", "c"},
+		"baz": {false, true},
+	}
+
+	output := CartesianProduct(input)
+	assert.Len(output, 24)
+
+	for _, v := range output {
+		assert.Len(v, 3)
+
+		assert.Contains(v, "foo")
+		assert.Contains(v, "bar")
+		assert.Contains(v, "baz")
+	}
+
+	input = map[string][]any{
+		"foo": {1, 2, 3, 4},
+		"bar": {},
+		"baz": {false, true},
+	}
+	output = CartesianProduct(input)
+	assert.Len(output, 0) //nolint:testifylint // pre-existing issue from nektos/act
+
+	input = map[string][]any{}
+	output = CartesianProduct(input)
+	assert.Len(output, 0) //nolint:testifylint // pre-existing issue from nektos/act
+}
--- a/act/common/draw.go
+++ b/act/common/draw.go
@@ -0,0 +1,146 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+)
+
+// Style is a specific style
+type Style int
+
+// Styles
+const (
+	StyleDoubleLine = iota
+	StyleSingleLine
+	StyleDashedLine
+	StyleNoLine
+)
+
+// NewPen creates a new pen
+func NewPen(style Style, color int) *Pen {
+	bgcolor := 49
+	if os.Getenv("CLICOLOR") == "0" {
+		color = 0
+		bgcolor = 0
+	}
+	return &Pen{
+		style:   style,
+		color:   color,
+		bgcolor: bgcolor,
+	}
+}
+
+type styleDef struct {
+	cornerTL string
+	cornerTR string
+	cornerBL string
+	cornerBR string
+	lineH    string
+	lineV    string
+}
+
+var styleDefs = []styleDef{
+	{"\u2554", "\u2557", "\u255a", "\u255d", "\u2550", "\u2551"},
+	{"\u256d", "\u256e", "\u2570", "\u256f", "\u2500", "\u2502"},
+	{"\u250c", "\u2510", "\u2514", "\u2518", "\u254c", "\u254e"},
+	{" ", " ", " ", " ", " ", " "},
+}
+
+// Pen struct
+type Pen struct {
+	style   Style
+	color   int
+	bgcolor int
+}
+
+// Drawing struct
+type Drawing struct {
+	buf   *strings.Builder
+	width int
+}
+
+func (p *Pen) drawTopBars(buf io.Writer, labels ...string) {
+	style := styleDefs[p.style]
+	for _, label := range labels {
+		bar := strings.Repeat(style.lineH, len(label)+2)
+		fmt.Fprintf(buf, " ")
+		fmt.Fprintf(buf, "\x1b[%d;%dm", p.color, p.bgcolor)
+		fmt.Fprintf(buf, "%s%s%s", style.cornerTL, bar, style.cornerTR)
+		fmt.Fprintf(buf, "\x1b[%dm", 0)
+	}
+	fmt.Fprintf(buf, "\n")
+}
+
+func (p *Pen) drawBottomBars(buf io.Writer, labels ...string) {
+	style := styleDefs[p.style]
+	for _, label := range labels {
+		bar := strings.Repeat(style.lineH, len(label)+2)
+		fmt.Fprintf(buf, " ")
+		fmt.Fprintf(buf, "\x1b[%d;%dm", p.color, p.bgcolor)
+		fmt.Fprintf(buf, "%s%s%s", style.cornerBL, bar, style.cornerBR)
+		fmt.Fprintf(buf, "\x1b[%dm", 0)
+	}
+	fmt.Fprintf(buf, "\n")
+}
+
+func (p *Pen) drawLabels(buf io.Writer, labels ...string) {
+	style := styleDefs[p.style]
+	for _, label := range labels {
+		fmt.Fprintf(buf, " ")
+		fmt.Fprintf(buf, "\x1b[%d;%dm", p.color, p.bgcolor)
+		fmt.Fprintf(buf, "%s %s %s", style.lineV, label, style.lineV)
+		fmt.Fprintf(buf, "\x1b[%dm", 0)
+	}
+	fmt.Fprintf(buf, "\n")
+}
+
+// DrawArrow between boxes
+func (p *Pen) DrawArrow() *Drawing {
+	drawing := &Drawing{
+		buf:   new(strings.Builder),
+		width: 1,
+	}
+	fmt.Fprintf(drawing.buf, "\x1b[%dm", p.color)
+	fmt.Fprintf(drawing.buf, "\u2b07")
+	fmt.Fprintf(drawing.buf, "\x1b[%dm", 0)
+	return drawing
+}
+
+// DrawBoxes to draw boxes
+func (p *Pen) DrawBoxes(labels ...string) *Drawing {
+	width := 0
+	for _, l := range labels {
+		width += len(l) + 2 + 2 + 1
+	}
+	drawing := &Drawing{
+		buf:   new(strings.Builder),
+		width: width,
+	}
+	p.drawTopBars(drawing.buf, labels...)
+	p.drawLabels(drawing.buf, labels...)
+	p.drawBottomBars(drawing.buf, labels...)
+
+	return drawing
+}
+
+// Draw to writer
+func (d *Drawing) Draw(writer io.Writer, centerOnWidth int) {
+	padSize := max((centerOnWidth-d.GetWidth())/2, 0)
+	for l := range strings.SplitSeq(d.buf.String(), "\n") {
+		if len(l) > 0 {
+			padding := strings.Repeat(" ", padSize)
+			fmt.Fprintf(writer, "%s%s\n", padding, l)
+		}
+	}
+}
+
+// GetWidth of drawing
+func (d *Drawing) GetWidth() int {
+	return d.width
+}
--- a/act/common/dryrun.go
+++ b/act/common/dryrun.go
@@ -0,0 +1,29 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+)
+
+type dryrunContextKey string
+
+const dryrunContextKeyVal = dryrunContextKey("dryrun")
+
+// Dryrun returns true if the current context is dryrun
+func Dryrun(ctx context.Context) bool {
+	val := ctx.Value(dryrunContextKeyVal)
+	if val != nil {
+		if dryrun, ok := val.(bool); ok {
+			return dryrun
+		}
+	}
+	return false
+}
+
+// WithDryrun adds a value to the context for dryrun
+func WithDryrun(ctx context.Context, dryrun bool) context.Context {
+	return context.WithValue(ctx, dryrunContextKeyVal, dryrun)
+}
--- a/act/common/executor.go
+++ b/act/common/executor.go
@@ -0,0 +1,219 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"fmt"
+	"runtime/debug"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// Warning that implements `error` but safe to ignore
+type Warning struct {
+	Message string
+}
+
+// Error the contract for error
+func (w Warning) Error() string {
+	return w.Message
+}
+
+// Warningf create a warning
+func Warningf(format string, args ...any) Warning {
+	w := Warning{
+		Message: fmt.Sprintf(format, args...),
+	}
+	return w
+}
+
+// Executor define contract for the steps of a workflow
+type Executor func(ctx context.Context) error
+
+// Conditional define contract for the conditional predicate
+type Conditional func(ctx context.Context) bool
+
+// NewInfoExecutor is an executor that logs messages
+func NewInfoExecutor(format string, args ...any) Executor {
+	return func(ctx context.Context) error {
+		logger := Logger(ctx)
+		logger.Infof(format, args...)
+		return nil
+	}
+}
+
+// NewDebugExecutor is an executor that logs messages
+func NewDebugExecutor(format string, args ...any) Executor {
+	return func(ctx context.Context) error {
+		logger := Logger(ctx)
+		logger.Debugf(format, args...)
+		return nil
+	}
+}
+
+// NewPipelineExecutor creates a new executor from a series of other executors
+func NewPipelineExecutor(executors ...Executor) Executor {
+	if len(executors) == 0 {
+		return func(ctx context.Context) error {
+			return nil
+		}
+	}
+	var rtn Executor
+	for _, executor := range executors {
+		if rtn == nil {
+			rtn = executor
+		} else {
+			rtn = rtn.Then(executor)
+		}
+	}
+	return rtn
+}
+
+// NewConditionalExecutor creates a new executor based on conditions
+func NewConditionalExecutor(conditional Conditional, trueExecutor, falseExecutor Executor) Executor {
+	return func(ctx context.Context) error {
+		if conditional(ctx) {
+			if trueExecutor != nil {
+				return trueExecutor(ctx)
+			}
+		} else {
+			if falseExecutor != nil {
+				return falseExecutor(ctx)
+			}
+		}
+		return nil
+	}
+}
+
+// NewErrorExecutor creates a new executor that always errors out
+func NewErrorExecutor(err error) Executor {
+	return func(ctx context.Context) error {
+		return err
+	}
+}
+
+// NewParallelExecutor creates a new executor from a parallel of other executors
+func NewParallelExecutor(parallel int, executors ...Executor) Executor {
+	return func(ctx context.Context) error {
+		work := make(chan Executor, len(executors))
+		errs := make(chan error, len(executors))
+
+		if 1 > parallel {
+			log.Debugf("Parallel tasks (%d) below minimum, setting to 1", parallel)
+			parallel = 1
+		}
+
+		log.Infof("NewParallelExecutor: Creating %d workers for %d executors", parallel, len(executors))
+
+		for i := 0; i < parallel; i++ {
+			go func(workerID int, work <-chan Executor, errs chan<- error) {
+				log.Debugf("Worker %d started", workerID)
+				taskCount := 0
+				for executor := range work {
+					taskCount++
+					log.Debugf("Worker %d executing task %d", workerID, taskCount)
+					// Recover from panics in executors to avoid crashing the worker
+					// goroutine which would leave the runner process hung.
+					// https://gitea.com/gitea/act_runner/issues/371
+					errs <- func() (err error) {
+						defer func() {
+							if r := recover(); r != nil {
+								log.Errorf("panic in executor: %v\n%s", r, debug.Stack())
+								err = fmt.Errorf("panic: %v", r)
+							}
+						}()
+						return executor(ctx)
+					}()
+				}
+				log.Debugf("Worker %d finished (%d tasks executed)", workerID, taskCount)
+			}(i, work, errs)
+		}
+
+		for i := range executors {
+			work <- executors[i]
+		}
+		close(work)
+
+		// Executor waits all executors to cleanup these resources.
+		var firstErr error
+		for range executors {
+			err := <-errs
+			if firstErr == nil {
+				firstErr = err
+			}
+		}
+
+		if err := ctx.Err(); err != nil {
+			return err
+		}
+		return firstErr
+	}
+}
+
+// Then runs another executor if this executor succeeds
+func (e Executor) Then(then Executor) Executor {
+	return func(ctx context.Context) error {
+		err := e(ctx)
+		if err != nil {
+			switch err.(type) {
+			case Warning:
+				Logger(ctx).Warning(err.Error())
+			default:
+				return err
+			}
+		}
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		return then(ctx)
+	}
+}
+
+// If only runs this executor if conditional is true
+func (e Executor) If(conditional Conditional) Executor {
+	return func(ctx context.Context) error {
+		if conditional(ctx) {
+			return e(ctx)
+		}
+		return nil
+	}
+}
+
+// IfNot only runs this executor if conditional is true
+func (e Executor) IfNot(conditional Conditional) Executor {
+	return func(ctx context.Context) error {
+		if !conditional(ctx) {
+			return e(ctx)
+		}
+		return nil
+	}
+}
+
+// IfBool only runs this executor if conditional is true
+func (e Executor) IfBool(conditional bool) Executor {
+	return e.If(func(ctx context.Context) bool {
+		return conditional
+	})
+}
+
+// Finally adds an executor to run after other executor
+func (e Executor) Finally(finally Executor) Executor {
+	return func(ctx context.Context) error {
+		err := e(ctx)
+		err2 := finally(ctx)
+		if err2 != nil {
+			return fmt.Errorf("Error occurred running finally: %v (original error: %v)", err2, err)
+		}
+		return err
+	}
+}
+
+// Not return an inverted conditional
+func (c Conditional) Not() Conditional {
+	return func(ctx context.Context) bool {
+		return !c(ctx)
+	}
+}
--- a/act/common/executor_max_parallel_test.go
+++ b/act/common/executor_max_parallel_test.go
@@ -0,0 +1,89 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Simple fast test that verifies max-parallel: 2 limits concurrency
+func TestMaxParallel2Quick(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+
+	executors := make([]Executor, 4)
+	for i := range 4 {
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(10 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(2, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.LessOrEqual(t, maxSimultaneous.Load(), int32(2),
+		"Should not exceed max-parallel: 2")
+}
+
+// Test that verifies max-parallel: 1 enforces sequential execution
+func TestMaxParallel1Sequential(t *testing.T) {
+	ctx := context.Background()
+
+	var currentRunning atomic.Int32
+	var maxSimultaneous atomic.Int32
+	var executionOrder []int
+	var orderMutex sync.Mutex
+
+	executors := make([]Executor, 5)
+	for i := range 5 {
+		taskID := i
+		executors[i] = func(ctx context.Context) error {
+			current := currentRunning.Add(1)
+
+			// Track execution order
+			orderMutex.Lock()
+			executionOrder = append(executionOrder, taskID)
+			orderMutex.Unlock()
+
+			// Update max if needed
+			for {
+				maxValue := maxSimultaneous.Load()
+				if current <= maxValue || maxSimultaneous.CompareAndSwap(maxValue, current) {
+					break
+				}
+			}
+
+			time.Sleep(20 * time.Millisecond)
+			currentRunning.Add(-1)
+			return nil
+		}
+	}
+
+	err := NewParallelExecutor(1, executors...)(ctx)
+
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, int32(1), maxSimultaneous.Load(),
+		"max-parallel: 1 should only run 1 task at a time")
+	assert.Len(t, executionOrder, 5, "All 5 tasks should have executed")
+}
--- a/act/common/executor_parallel_advanced_test.go
+++ b/act/common/executor_parallel_advanced_test.go
@@ -0,0 +1,283 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestMaxParallelJobExecution tests actual job execution with max-parallel
+func TestMaxParallelJobExecution(t *testing.T) {
+	t.Run("MaxParallel=1 Sequential", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+		var executionOrder []int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				// Track max concurrent
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				mu.Lock()
+				executionOrder = append(executionOrder, taskID)
+				mu.Unlock()
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(1, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should never exceed 1 concurrent execution")
+		assert.Len(t, executionOrder, 5, "All tasks should execute")
+	})
+
+	t.Run("MaxParallel=3 Limited", func(t *testing.T) {
+		var currentRunning atomic.Int32
+		var maxConcurrent int32
+
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(20 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.LessOrEqual(t, int(maxConcurrent), 3, "Should never exceed 3 concurrent executions")
+		assert.GreaterOrEqual(t, int(maxConcurrent), 1, "Should have at least 1 concurrent execution")
+	})
+
+	t.Run("MaxParallel=0 Uses1Worker", func(t *testing.T) {
+		var maxConcurrent int32
+		var currentRunning atomic.Int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			executors[i] = func(ctx context.Context) error {
+				current := currentRunning.Add(1)
+
+				for {
+					maxValue := atomic.LoadInt32(&maxConcurrent)
+					if current <= maxValue || atomic.CompareAndSwapInt32(&maxConcurrent, maxValue, current) {
+						break
+					}
+				}
+
+				time.Sleep(10 * time.Millisecond)
+				currentRunning.Add(-1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		// When maxParallel is 0 or negative, it defaults to 1
+		err := NewParallelExecutor(0, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, int32(1), maxConcurrent, "Should use 1 worker when max-parallel is 0")
+	})
+}
+
+// TestMaxParallelWithErrors tests error handling with max-parallel
+func TestMaxParallelWithErrors(t *testing.T) {
+	t.Run("OneTaskFailsOthersContinue", func(t *testing.T) {
+		var successCount int32
+
+		executors := make([]Executor, 5)
+		for i := range 5 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				if taskID == 2 {
+					return assert.AnError
+				}
+				atomic.AddInt32(&successCount, 1)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(2, executors...)(ctx)
+
+		// Should return the error from task 2
+		assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Other tasks should still execute
+		assert.Equal(t, int32(4), successCount, "4 tasks should succeed")
+	})
+
+	t.Run("ContextCancellation", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(context.Background())
+
+		var startedCount int32
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				atomic.AddInt32(&startedCount, 1)
+				time.Sleep(100 * time.Millisecond)
+				return nil
+			}
+		}
+
+		// Cancel after a short delay
+		go func() {
+			time.Sleep(30 * time.Millisecond)
+			cancel()
+		}()
+
+		err := NewParallelExecutor(3, executors...)(ctx)
+		assert.Error(t, err)                     //nolint:testifylint // pre-existing issue from nektos/act
+		assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Not all tasks should start due to cancellation (but timing may vary)
+		// Just verify cancellation occurred
+		t.Logf("Started %d tasks before cancellation", startedCount)
+	})
+}
+
+// TestMaxParallelPerformance tests performance characteristics
+func TestMaxParallelPerformance(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping performance test in short mode")
+	}
+
+	t.Run("ParallelFasterThanSequential", func(t *testing.T) {
+		executors := make([]Executor, 10)
+		for i := range 10 {
+			executors[i] = func(ctx context.Context) error {
+				time.Sleep(50 * time.Millisecond)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+
+		// Sequential (max-parallel=1)
+		start := time.Now()
+		err := NewParallelExecutor(1, executors...)(ctx)
+		sequentialDuration := time.Since(start)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Parallel (max-parallel=5)
+		start = time.Now()
+		err = NewParallelExecutor(5, executors...)(ctx)
+		parallelDuration := time.Since(start)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		// Parallel should be significantly faster
+		assert.Less(t, parallelDuration, sequentialDuration/2,
+			"Parallel execution should be at least 2x faster")
+	})
+
+	t.Run("OptimalWorkerCount", func(t *testing.T) {
+		executors := make([]Executor, 20)
+		for i := range 20 {
+			executors[i] = func(ctx context.Context) error {
+				time.Sleep(10 * time.Millisecond)
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+
+		// Test with different worker counts
+		workerCounts := []int{1, 2, 5, 10, 20}
+		durations := make(map[int]time.Duration)
+
+		for _, count := range workerCounts {
+			start := time.Now()
+			err := NewParallelExecutor(count, executors...)(ctx)
+			durations[count] = time.Since(start)
+			assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+		}
+
+		// More workers should generally be faster (up to a point)
+		assert.Less(t, durations[5], durations[1], "5 workers should be faster than 1")
+		assert.Less(t, durations[10], durations[2], "10 workers should be faster than 2")
+	})
+}
+
+// TestMaxParallelResourceSharing tests resource sharing scenarios
+func TestMaxParallelResourceSharing(t *testing.T) {
+	t.Run("SharedResourceWithMutex", func(t *testing.T) {
+		var sharedCounter int
+		var mu sync.Mutex
+
+		executors := make([]Executor, 100)
+		for i := range 100 {
+			executors[i] = func(ctx context.Context) error {
+				mu.Lock()
+				sharedCounter++
+				mu.Unlock()
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(10, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		assert.Equal(t, 100, sharedCounter, "All tasks should increment counter")
+	})
+
+	t.Run("ChannelCommunication", func(t *testing.T) {
+		resultChan := make(chan int, 50)
+
+		executors := make([]Executor, 50)
+		for i := range 50 {
+			taskID := i
+			executors[i] = func(ctx context.Context) error {
+				resultChan <- taskID
+				return nil
+			}
+		}
+
+		ctx := context.Background()
+		err := NewParallelExecutor(5, executors...)(ctx)
+		assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+		close(resultChan)
+
+		results := make(map[int]bool)
+		for result := range resultChan {
+			results[result] = true
+		}
+
+		assert.Len(t, results, 50, "All task IDs should be received")
+	})
+}
--- a/act/common/executor_test.go
+++ b/act/common/executor_test.go
@@ -0,0 +1,158 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewWorkflow(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	// empty
+	emptyWorkflow := NewPipelineExecutor()
+	assert.Nil(emptyWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// error case
+	errorWorkflow := NewErrorExecutor(errors.New("test error"))
+	assert.NotNil(errorWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// multiple success case
+	runcount := 0
+	successWorkflow := NewPipelineExecutor(
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		},
+		func(ctx context.Context) error {
+			runcount++
+			return nil
+		})
+	assert.Nil(successWorkflow(ctx)) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(2, runcount)
+}
+
+func TestNewConditionalExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	trueCount := 0
+	falseCount := 0
+
+	err := NewConditionalExecutor(func(ctx context.Context) bool {
+		return false
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(0, trueCount)
+	assert.Equal(1, falseCount)
+
+	err = NewConditionalExecutor(func(ctx context.Context) bool {
+		return true
+	}, func(ctx context.Context) error {
+		trueCount++
+		return nil
+	}, func(ctx context.Context) error {
+		falseCount++
+		return nil
+	})(ctx)
+
+	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(1, trueCount)
+	assert.Equal(1, falseCount)
+}
+
+func TestNewParallelExecutor(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx := context.Background()
+
+	var count, activeCount, maxCount atomic.Int32
+	emptyWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+
+		active := activeCount.Add(1)
+		for {
+			m := maxCount.Load()
+			if active <= m || maxCount.CompareAndSwap(m, active) {
+				break
+			}
+		}
+		time.Sleep(2 * time.Second)
+		activeCount.Add(-1)
+
+		return nil
+	})
+
+	err := NewParallelExecutor(2, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(2), maxCount.Load(), "should run at most 2 executors in parallel")
+	assert.Nil(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// Reset to test running the executor with 0 parallelism
+	count.Store(0)
+	activeCount.Store(0)
+	maxCount.Store(0)
+
+	errSingle := NewParallelExecutor(0, emptyWorkflow, emptyWorkflow, emptyWorkflow)(ctx)
+
+	assert.Equal(int32(3), count.Load(), "should run all 3 executors")
+	assert.Equal(int32(1), maxCount.Load(), "should run at most 1 executors in parallel")
+	assert.Nil(errSingle) //nolint:testifylint // pre-existing issue from nektos/act
+}
+
+func TestNewParallelExecutorFailed(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	count := 0
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count++
+		return errors.New("fake error")
+	})
+	err := NewParallelExecutor(1, errorWorkflow)(ctx)
+	assert.Equal(1, count)
+	assert.ErrorIs(context.Canceled, err)
+}
+
+func TestNewParallelExecutorCanceled(t *testing.T) {
+	assert := assert.New(t)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	errExpected := errors.New("fake error")
+
+	var count atomic.Int32
+	successWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return nil
+	})
+	errorWorkflow := NewPipelineExecutor(func(ctx context.Context) error {
+		count.Add(1)
+		return errExpected
+	})
+	err := NewParallelExecutor(3, errorWorkflow, successWorkflow, successWorkflow)(ctx)
+	assert.Equal(int32(3), count.Load())
+	assert.Error(errExpected, err) //nolint:testifylint // pre-existing issue from nektos/act
+}
--- a/act/common/file.go
+++ b/act/common/file.go
@@ -0,0 +1,77 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"fmt"
+	"io"
+	"os"
+)
+
+// CopyFile copy file
+func CopyFile(source, dest string) (err error) {
+	sourcefile, err := os.Open(source)
+	if err != nil {
+		return err
+	}
+
+	defer sourcefile.Close()
+
+	destfile, err := os.Create(dest)
+	if err != nil {
+		return err
+	}
+
+	defer destfile.Close()
+
+	_, err = io.Copy(destfile, sourcefile)
+	if err == nil {
+		sourceinfo, err := os.Stat(source)
+		if err != nil {
+			_ = os.Chmod(dest, sourceinfo.Mode())
+		}
+	}
+
+	return err
+}
+
+// CopyDir recursive copy of directory
+func CopyDir(source, dest string) (err error) {
+	// get properties of source dir
+	sourceinfo, err := os.Stat(source)
+	if err != nil {
+		return err
+	}
+
+	// create dest dir
+
+	err = os.MkdirAll(dest, sourceinfo.Mode())
+	if err != nil {
+		return err
+	}
+
+	objects, err := os.ReadDir(source)
+
+	for _, obj := range objects {
+		sourcefilepointer := source + "/" + obj.Name()
+
+		destinationfilepointer := dest + "/" + obj.Name()
+
+		if obj.IsDir() {
+			// create sub-directories - recursively
+			err = CopyDir(sourcefilepointer, destinationfilepointer)
+			if err != nil {
+				fmt.Println(err) //nolint:forbidigo // pre-existing issue from nektos/act
+			}
+		} else {
+			// perform copy
+			err = CopyFile(sourcefilepointer, destinationfilepointer)
+			if err != nil {
+				fmt.Println(err) //nolint:forbidigo // pre-existing issue from nektos/act
+			}
+		}
+	}
+	return err
+}
--- a/act/common/git/git.go
+++ b/act/common/git/git.go
@@ -0,0 +1,419 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"regexp"
+	"strings"
+	"sync"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/config"
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/storer"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"github.com/mattn/go-isatty"
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	codeCommitHTTPRegex = regexp.MustCompile(`^https?://git-codecommit\.(.+)\.amazonaws.com/v1/repos/(.+)$`)
+	codeCommitSSHRegex  = regexp.MustCompile(`ssh://git-codecommit\.(.+)\.amazonaws.com/v1/repos/(.+)$`)
+	githubHTTPRegex     = regexp.MustCompile(`^https?://.*github.com.*/(.+)/(.+?)(?:.git)?$`)
+	githubSSHRegex      = regexp.MustCompile(`github.com[:/](.+)/(.+?)(?:.git)?$`)
+
+	cloneLock sync.Mutex
+
+	ErrShortRef = errors.New("short SHA references are not supported")
+	ErrNoRepo   = errors.New("unable to find git repo")
+)
+
+type Error struct {
+	err    error
+	commit string
+}
+
+func (e *Error) Error() string {
+	return e.err.Error()
+}
+
+func (e *Error) Unwrap() error {
+	return e.err
+}
+
+func (e *Error) Commit() string {
+	return e.commit
+}
+
+// FindGitRevision get the current git revision
+func FindGitRevision(ctx context.Context, file string) (shortSha, sha string, err error) {
+	logger := common.Logger(ctx)
+
+	gitDir, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		logger.WithError(err).Error("path", file, "not located inside a git repository")
+		return "", "", err
+	}
+
+	head, err := gitDir.Reference(plumbing.HEAD, true)
+	if err != nil {
+		return "", "", err
+	}
+
+	if head.Hash().IsZero() {
+		return "", "", errors.New("HEAD sha1 could not be resolved")
+	}
+
+	hash := head.Hash().String()
+
+	logger.Debugf("Found revision: %s", hash)
+	return hash[:7], strings.TrimSpace(hash), nil
+}
+
+// FindGitRef get the current git ref
+func FindGitRef(ctx context.Context, file string) (string, error) {
+	logger := common.Logger(ctx)
+
+	logger.Debugf("Loading revision from git directory")
+	_, ref, err := FindGitRevision(ctx, file)
+	if err != nil {
+		return "", err
+	}
+
+	logger.Debugf("HEAD points to '%s'", ref)
+
+	// Prefer the git library to iterate over the references and find a matching tag or branch.
+	refTag := ""
+	refBranch := ""
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	iter, err := repo.References()
+	if err != nil {
+		return "", err
+	}
+
+	// find the reference that matches the revision's has
+	err = iter.ForEach(func(r *plumbing.Reference) error {
+		/* tags and branches will have the same hash
+		 * when a user checks out a tag, it is not mentioned explicitly
+		 * in the go-git package, we must identify the revision
+		 * then check if any tag matches that revision,
+		 * if so then we checked out a tag
+		 * else we look for branches and if matches,
+		 * it means we checked out a branch
+		 *
+		 * If a branches matches first we must continue and check all tags (all references)
+		 * in case we match with a tag later in the interation
+		 */
+		if r.Hash().String() == ref {
+			if r.Name().IsTag() {
+				refTag = r.Name().String()
+			}
+			if r.Name().IsBranch() {
+				refBranch = r.Name().String()
+			}
+		}
+
+		// we found what we where looking for
+		if refTag != "" && refBranch != "" {
+			return storer.ErrStop
+		}
+
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+
+	// order matters here see above comment.
+	if refTag != "" {
+		return refTag, nil
+	}
+	if refBranch != "" {
+		return refBranch, nil
+	}
+
+	return "", fmt.Errorf("failed to identify reference (tag/branch) for the checked-out revision '%s'", ref)
+}
+
+// FindGithubRepo get the repo
+func FindGithubRepo(ctx context.Context, file, githubInstance, remoteName string) (string, error) {
+	if remoteName == "" {
+		remoteName = "origin"
+	}
+
+	url, err := findGitRemoteURL(ctx, file, remoteName)
+	if err != nil {
+		return "", err
+	}
+	_, slug, err := findGitSlug(url, githubInstance)
+	return slug, err
+}
+
+func findGitRemoteURL(_ context.Context, file, remoteName string) (string, error) {
+	repo, err := git.PlainOpenWithOptions(
+		file,
+		&git.PlainOpenOptions{
+			DetectDotGit:          true,
+			EnableDotGitCommonDir: true,
+		},
+	)
+	if err != nil {
+		return "", err
+	}
+
+	remote, err := repo.Remote(remoteName)
+	if err != nil {
+		return "", err
+	}
+
+	if len(remote.Config().URLs) < 1 {
+		return "", fmt.Errorf("remote '%s' exists but has no URL", remoteName)
+	}
+
+	return remote.Config().URLs[0], nil
+}
+
+func findGitSlug(url, githubInstance string) (string, string, error) { //nolint:unparam // pre-existing issue from nektos/act
+	if matches := codeCommitHTTPRegex.FindStringSubmatch(url); matches != nil {
+		return "CodeCommit", matches[2], nil
+	} else if matches := codeCommitSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "CodeCommit", matches[2], nil
+	} else if matches := githubHTTPRegex.FindStringSubmatch(url); matches != nil {
+		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+	} else if matches := githubSSHRegex.FindStringSubmatch(url); matches != nil {
+		return "GitHub", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+	} else if githubInstance != "github.com" {
+		gheHTTPRegex := regexp.MustCompile(fmt.Sprintf(`^https?://%s/(.+)/(.+?)(?:.git)?$`, githubInstance))
+		gheSSHRegex := regexp.MustCompile(githubInstance + "[:/](.+)/(.+?)(?:.git)?$")
+		if matches := gheHTTPRegex.FindStringSubmatch(url); matches != nil {
+			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+		} else if matches := gheSSHRegex.FindStringSubmatch(url); matches != nil {
+			return "GitHubEnterprise", fmt.Sprintf("%s/%s", matches[1], matches[2]), nil
+		}
+	}
+	return "", url, nil
+}
+
+// NewGitCloneExecutorInput the input for the NewGitCloneExecutor
+type NewGitCloneExecutorInput struct {
+	URL         string
+	Ref         string
+	Dir         string
+	Token       string
+	OfflineMode bool
+
+	// For Gitea
+	InsecureSkipTLS bool
+}
+
+// CloneIfRequired ...
+func CloneIfRequired(ctx context.Context, refName plumbing.ReferenceName, input NewGitCloneExecutorInput, logger log.FieldLogger) (*git.Repository, error) {
+	r, err := git.PlainOpen(input.Dir)
+	if err != nil {
+		var progressWriter io.Writer
+		if isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd()) {
+			if entry, ok := logger.(*log.Entry); ok {
+				progressWriter = entry.WriterLevel(log.DebugLevel)
+			} else if lgr, ok := logger.(*log.Logger); ok {
+				progressWriter = lgr.WriterLevel(log.DebugLevel)
+			} else {
+				log.Errorf("Unable to get writer from logger (type=%T)", logger)
+				progressWriter = os.Stdout
+			}
+		}
+
+		cloneOptions := git.CloneOptions{
+			URL:      input.URL,
+			Progress: progressWriter,
+
+			InsecureSkipTLS: input.InsecureSkipTLS, // For Gitea
+		}
+		if input.Token != "" {
+			cloneOptions.Auth = &http.BasicAuth{
+				Username: "token",
+				Password: input.Token,
+			}
+		}
+
+		r, err = git.PlainCloneContext(ctx, input.Dir, false, &cloneOptions)
+		if err != nil {
+			logger.Errorf("Unable to clone %v %s: %v", input.URL, refName, err)
+			return nil, err
+		}
+
+		if err = os.Chmod(input.Dir, 0o755); err != nil {
+			return nil, err
+		}
+	}
+
+	return r, nil
+}
+
+func gitOptions(token string) (fetchOptions git.FetchOptions, pullOptions git.PullOptions) {
+	fetchOptions.RefSpecs = []config.RefSpec{"refs/*:refs/*", "HEAD:refs/heads/HEAD"}
+	pullOptions.Force = true
+
+	if token != "" {
+		auth := &http.BasicAuth{
+			Username: "token",
+			Password: token,
+		}
+		fetchOptions.Auth = auth
+		pullOptions.Auth = auth
+	}
+
+	return fetchOptions, pullOptions
+}
+
+// NewGitCloneExecutor creates an executor to clone git repos
+//
+//nolint:gocyclo // function handles many cases
+func NewGitCloneExecutor(input NewGitCloneExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Infof("  \u2601  git clone '%s' # ref=%s", input.URL, input.Ref)
+		logger.Debugf("  cloning %s to %s", input.URL, input.Dir)
+
+		cloneLock.Lock()
+		defer cloneLock.Unlock()
+
+		refName := plumbing.ReferenceName("refs/heads/" + input.Ref)
+		r, err := CloneIfRequired(ctx, refName, input, logger)
+		if err != nil {
+			return err
+		}
+
+		isOfflineMode := input.OfflineMode
+
+		// fetch latest changes
+		fetchOptions, pullOptions := gitOptions(input.Token)
+
+		if input.InsecureSkipTLS { // For Gitea
+			fetchOptions.InsecureSkipTLS = true
+			pullOptions.InsecureSkipTLS = true
+		}
+
+		if !isOfflineMode {
+			err = r.Fetch(&fetchOptions)
+			if err != nil && !errors.Is(err, git.NoErrAlreadyUpToDate) {
+				return err
+			}
+		}
+
+		var hash *plumbing.Hash
+		rev := plumbing.Revision(input.Ref)
+		if hash, err = r.ResolveRevision(rev); err != nil {
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+		}
+
+		if hash.String() != input.Ref && strings.HasPrefix(hash.String(), input.Ref) {
+			return &Error{
+				err:    ErrShortRef,
+				commit: hash.String(),
+			}
+		}
+
+		// At this point we need to know if it's a tag or a branch
+		// And the easiest way to do it is duck typing
+		//
+		// If err is nil, it's a tag so let's proceed with that hash like we would if
+		// it was a sha
+		refType := "tag"
+		rev = plumbing.Revision(path.Join("refs", "tags", input.Ref))
+		if _, err := r.Tag(input.Ref); errors.Is(err, git.ErrTagNotFound) {
+			rName := plumbing.ReferenceName(path.Join("refs", "remotes", "origin", input.Ref))
+			if _, err := r.Reference(rName, false); errors.Is(err, plumbing.ErrReferenceNotFound) {
+				refType = "sha"
+				rev = plumbing.Revision(input.Ref)
+			} else {
+				refType = "branch"
+				rev = plumbing.Revision(rName)
+			}
+		}
+
+		if hash, err = r.ResolveRevision(rev); err != nil {
+			logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+			return err
+		}
+
+		var w *git.Worktree
+		if w, err = r.Worktree(); err != nil {
+			return err
+		}
+
+		// If the hash resolved doesn't match the ref provided in a workflow then we're
+		// using a branch or tag ref, not a sha
+		//
+		// Repos on disk point to commit hashes, and need to checkout input.Ref before
+		// we try and pull down any changes
+		if hash.String() != input.Ref && refType == "branch" {
+			logger.Debugf("Provided ref is not a sha. Checking out branch before pulling changes")
+			sourceRef := plumbing.ReferenceName(path.Join("refs", "remotes", "origin", input.Ref))
+			if err = w.Checkout(&git.CheckoutOptions{
+				Branch: sourceRef,
+				Force:  true,
+			}); err != nil {
+				logger.Errorf("Unable to checkout %s: %v", sourceRef, err)
+				return err
+			}
+		}
+		if !isOfflineMode {
+			if err = w.Pull(&pullOptions); err != nil && err != git.NoErrAlreadyUpToDate {
+				logger.Debugf("Unable to pull %s: %v", refName, err)
+			}
+		}
+		logger.Debugf("Cloned %s to %s", input.URL, input.Dir)
+
+		if hash.String() != input.Ref && refType == "branch" {
+			logger.Debugf("Provided ref is not a sha. Updating branch ref after pull")
+			if hash, err = r.ResolveRevision(rev); err != nil {
+				logger.Errorf("Unable to resolve %s: %v", input.Ref, err)
+				return err
+			}
+		}
+		if err = w.Checkout(&git.CheckoutOptions{
+			Hash:  *hash,
+			Force: true,
+		}); err != nil {
+			logger.Errorf("Unable to checkout %s: %v", *hash, err)
+			return err
+		}
+
+		if err = w.Reset(&git.ResetOptions{
+			Mode:   git.HardReset,
+			Commit: *hash,
+		}); err != nil {
+			logger.Errorf("Unable to reset to %s: %v", hash.String(), err)
+			return err
+		}
+
+		logger.Debugf("Checked out %s", input.Ref)
+		return nil
+	}
+}
--- a/act/common/git/git_test.go
+++ b/act/common/git/git_test.go
@@ -0,0 +1,248 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"syscall"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindGitSlug(t *testing.T) {
+	assert := assert.New(t)
+
+	slugTests := []struct {
+		url      string // input
+		provider string // expected result
+		slug     string // expected result
+	}{
+		{"https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name", "CodeCommit", "my-repo-name"},
+		{"ssh://git-codecommit.us-west-2.amazonaws.com/v1/repos/my-repo", "CodeCommit", "my-repo"},
+		{"git@github.com:nektos/act.git", "GitHub", "nektos/act"},
+		{"git@github.com:nektos/act", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act.git", "GitHub", "nektos/act"},
+		{"https://github.com/nektos/act", "GitHub", "nektos/act"},
+		{"http://github.com/nektos/act", "GitHub", "nektos/act"},
+		{"git+ssh://git@github.com/owner/repo.git", "GitHub", "owner/repo"},
+		{"http://myotherrepo.com/act.git", "", "http://myotherrepo.com/act.git"},
+	}
+
+	for _, tt := range slugTests {
+		provider, slug, err := findGitSlug(tt.url, "github.com")
+
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.Equal(tt.provider, provider)
+		assert.Equal(tt.slug, slug)
+	}
+}
+
+func testDir(t *testing.T) string {
+	return t.TempDir()
+}
+
+func cleanGitHooks(dir string) error {
+	hooksDir := filepath.Join(dir, ".git", "hooks")
+	files, err := os.ReadDir(hooksDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+	for _, f := range files {
+		if f.IsDir() {
+			continue
+		}
+		relName := filepath.Join(hooksDir, f.Name())
+		if err := os.Remove(relName); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func TestFindGitRemoteURL(t *testing.T) {
+	assert := assert.New(t)
+
+	basedir := testDir(t)
+	gitConfig()
+	err := gitCmd("init", basedir)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	err = cleanGitHooks(basedir)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	remoteURL := "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/my-repo-name"
+	err = gitCmd("-C", basedir, "remote", "add", "origin", remoteURL)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	u, err := findGitRemoteURL(context.Background(), basedir, "origin")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(remoteURL, u)
+
+	remoteURL = "git@github.com/AwesomeOwner/MyAwesomeRepo.git"
+	err = gitCmd("-C", basedir, "remote", "add", "upstream", remoteURL)
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	u, err = findGitRemoteURL(context.Background(), basedir, "upstream")
+	assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(remoteURL, u)
+}
+
+func TestGitFindRef(t *testing.T) {
+	basedir := testDir(t)
+	gitConfig()
+
+	for name, tt := range map[string]struct {
+		Prepare func(t *testing.T, dir string)
+		Assert  func(t *testing.T, ref string, err error)
+	}{
+		"new_repo": {
+			Prepare: func(t *testing.T, dir string) {},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.Error(t, err)
+			},
+		},
+		"new_repo_with_commit": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/master", ref)
+			},
+		},
+		"current_head_is_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "commit msg"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.2.3"))
+				require.NoError(t, gitCmd("-C", dir, "checkout", "v1.2.3"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/tags/v1.2.3", ref)
+			},
+		},
+		"current_head_is_same_as_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "1.4.2 release"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/tags/v1.4.2", ref)
+			},
+		},
+		"current_head_is_not_tag": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+				require.NoError(t, gitCmd("-C", dir, "tag", "v1.4.2"))
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg2"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/master", ref)
+			},
+		},
+		"current_head_is_another_branch": {
+			Prepare: func(t *testing.T, dir string) {
+				require.NoError(t, gitCmd("-C", dir, "checkout", "-b", "mybranch"))
+				require.NoError(t, gitCmd("-C", dir, "commit", "--allow-empty", "-m", "msg"))
+			},
+			Assert: func(t *testing.T, ref string, err error) {
+				require.NoError(t, err)
+				require.Equal(t, "refs/heads/mybranch", ref)
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			dir := filepath.Join(basedir, name)
+			require.NoError(t, os.MkdirAll(dir, 0o755))
+			require.NoError(t, gitCmd("-C", dir, "init", "--initial-branch=master"))
+			require.NoError(t, cleanGitHooks(dir))
+			tt.Prepare(t, dir)
+			ref, err := FindGitRef(context.Background(), dir)
+			tt.Assert(t, ref, err)
+		})
+	}
+}
+
+func TestGitCloneExecutor(t *testing.T) {
+	for name, tt := range map[string]struct {
+		Err      error
+		URL, Ref string
+	}{
+		"tag": {
+			Err: nil,
+			URL: "https://github.com/actions/checkout",
+			Ref: "v2",
+		},
+		"branch": {
+			Err: nil,
+			URL: "https://github.com/anchore/scan-action",
+			Ref: "act-fails",
+		},
+		"sha": {
+			Err: nil,
+			URL: "https://github.com/actions/checkout",
+			Ref: "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f", // v2
+		},
+		"short-sha": {
+			Err: &Error{ErrShortRef, "5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f"},
+			URL: "https://github.com/actions/checkout",
+			Ref: "5a4ac90", // v2
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			clone := NewGitCloneExecutor(NewGitCloneExecutorInput{
+				URL: tt.URL,
+				Ref: tt.Ref,
+				Dir: testDir(t),
+			})
+
+			err := clone(context.Background())
+			if tt.Err != nil {
+				assert.Error(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.Err, err)
+			} else {
+				assert.Empty(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			}
+		})
+	}
+}
+
+func gitConfig() {
+	if os.Getenv("GITHUB_ACTIONS") == "true" {
+		var err error
+		if err = gitCmd("config", "--global", "user.email", "test@test.com"); err != nil {
+			log.Error(err)
+		}
+		if err = gitCmd("config", "--global", "user.name", "Unit Test"); err != nil {
+			log.Error(err)
+		}
+	}
+}
+
+func gitCmd(args ...string) error {
+	cmd := exec.Command("git", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	err := cmd.Run()
+	if exitError, ok := err.(*exec.ExitError); ok {
+		if waitStatus, ok := exitError.Sys().(syscall.WaitStatus); ok {
+			return fmt.Errorf("Exit error %d", waitStatus.ExitStatus())
+		}
+		return exitError
+	}
+	return nil
+}
--- a/act/common/job_error.go
+++ b/act/common/job_error.go
@@ -0,0 +1,34 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+)
+
+type jobErrorContextKey string
+
+const jobErrorContextKeyVal = jobErrorContextKey("job.error")
+
+// JobError returns the job error for current context if any
+func JobError(ctx context.Context) error {
+	val := ctx.Value(jobErrorContextKeyVal)
+	if val != nil {
+		if container, ok := val.(map[string]error); ok {
+			return container["error"]
+		}
+	}
+	return nil
+}
+
+func SetJobError(ctx context.Context, err error) {
+	ctx.Value(jobErrorContextKeyVal).(map[string]error)["error"] = err
+}
+
+// WithJobErrorContainer adds a value to the context as a container for an error
+func WithJobErrorContainer(ctx context.Context) context.Context {
+	container := map[string]error{}
+	return context.WithValue(ctx, jobErrorContextKeyVal, container)
+}
--- a/act/common/line_writer.go
+++ b/act/common/line_writer.go
@@ -0,0 +1,54 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"bytes"
+	"io"
+)
+
+// LineHandler is a callback function for handling a line
+type LineHandler func(line string) bool
+
+type lineWriter struct {
+	buffer   bytes.Buffer
+	handlers []LineHandler
+}
+
+// NewLineWriter creates a new instance of a line writer
+func NewLineWriter(handlers ...LineHandler) io.Writer {
+	w := new(lineWriter)
+	w.handlers = handlers
+	return w
+}
+
+func (lw *lineWriter) Write(p []byte) (n int, err error) {
+	pBuf := bytes.NewBuffer(p)
+	written := 0
+	for {
+		line, err := pBuf.ReadString('\n')
+		w, _ := lw.buffer.WriteString(line)
+		written += w
+		if err == nil {
+			lw.handleLine(lw.buffer.String())
+			lw.buffer.Reset()
+		} else if err == io.EOF {
+			break
+		} else {
+			return written, err
+		}
+	}
+
+	return written, nil
+}
+
+func (lw *lineWriter) handleLine(line string) {
+	for _, h := range lw.handlers {
+		ok := h(line)
+		if !ok {
+			break
+		}
+	}
+}
--- a/act/common/line_writer_test.go
+++ b/act/common/line_writer_test.go
@@ -0,0 +1,41 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLineWriter(t *testing.T) {
+	lines := make([]string, 0)
+	lineHandler := func(s string) bool {
+		lines = append(lines, s)
+		return true
+	}
+
+	lineWriter := NewLineWriter(lineHandler)
+
+	assert := assert.New(t)
+	write := func(s string) {
+		n, err := lineWriter.Write([]byte(s))
+		assert.NoError(err) //nolint:testifylint // pre-existing issue from nektos/act
+		assert.Equal(len(s), n, s)
+	}
+
+	write("hello")
+	write(" ")
+	write("world!!\nextra")
+	write(" line\n and another\nlast")
+	write(" line\n")
+	write("no newline here...")
+
+	assert.Len(lines, 4)
+	assert.Equal("hello world!!\n", lines[0])
+	assert.Equal("extra line\n", lines[1])
+	assert.Equal(" and another\n", lines[2])
+	assert.Equal("last line\n", lines[3])
+}
--- a/act/common/logger.go
+++ b/act/common/logger.go
@@ -0,0 +1,52 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+)
+
+type loggerContextKey string
+
+const loggerContextKeyVal = loggerContextKey("logrus.FieldLogger")
+
+// Logger returns the appropriate logger for current context
+func Logger(ctx context.Context) logrus.FieldLogger {
+	val := ctx.Value(loggerContextKeyVal)
+	if val != nil {
+		if logger, ok := val.(logrus.FieldLogger); ok {
+			return logger
+		}
+	}
+	return logrus.StandardLogger()
+}
+
+// WithLogger adds a value to the context for the logger
+func WithLogger(ctx context.Context, logger logrus.FieldLogger) context.Context {
+	return context.WithValue(ctx, loggerContextKeyVal, logger)
+}
+
+type loggerHookKey string
+
+const loggerHookKeyVal = loggerHookKey("logrus.Hook")
+
+// LoggerHook returns the appropriate logger hook for current context
+// the hook affects job logger, not global logger
+func LoggerHook(ctx context.Context) logrus.Hook {
+	val := ctx.Value(loggerHookKeyVal)
+	if val != nil {
+		if hook, ok := val.(logrus.Hook); ok {
+			return hook
+		}
+	}
+	return nil
+}
+
+// WithLoggerHook adds a value to the context for the logger hook
+func WithLoggerHook(ctx context.Context, hook logrus.Hook) context.Context {
+	return context.WithValue(ctx, loggerHookKeyVal, hook)
+}
--- a/act/common/outbound_ip.go
+++ b/act/common/outbound_ip.go
@@ -0,0 +1,79 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"net"
+	"sort"
+	"strings"
+)
+
+// GetOutboundIP returns an outbound IP address of this machine.
+// It tries to access the internet and returns the local IP address of the connection.
+// If the machine cannot access the internet, it returns a preferred IP address from network interfaces.
+// It returns nil if no IP address is found.
+func GetOutboundIP() net.IP {
+	// See https://stackoverflow.com/a/37382208
+	conn, err := net.Dial("udp", "8.8.8.8:80")
+	if err == nil {
+		defer conn.Close()
+		return conn.LocalAddr().(*net.UDPAddr).IP
+	}
+
+	// So the machine cannot access the internet. Pick an IP address from network interfaces.
+	if ifs, err := net.Interfaces(); err == nil {
+		type IP struct {
+			net.IP
+			net.Interface
+		}
+		var ips []IP
+		for _, i := range ifs {
+			if addrs, err := i.Addrs(); err == nil {
+				for _, addr := range addrs {
+					var ip net.IP
+					switch v := addr.(type) {
+					case *net.IPNet:
+						ip = v.IP
+					case *net.IPAddr:
+						ip = v.IP
+					}
+					if ip.IsGlobalUnicast() {
+						ips = append(ips, IP{ip, i})
+					}
+				}
+			}
+		}
+		if len(ips) > 1 {
+			sort.Slice(ips, func(i, j int) bool {
+				ifi := ips[i].Interface
+				ifj := ips[j].Interface
+
+				// ethernet is preferred
+				if vi, vj := strings.HasPrefix(ifi.Name, "e"), strings.HasPrefix(ifj.Name, "e"); vi != vj {
+					return vi
+				}
+
+				ipi := ips[i].IP
+				ipj := ips[j].IP
+
+				// IPv4 is preferred
+				if vi, vj := ipi.To4() != nil, ipj.To4() != nil; vi != vj {
+					return vi
+				}
+
+				// en0 is preferred to en1
+				if ifi.Name != ifj.Name {
+					return ifi.Name < ifj.Name
+				}
+
+				// fallback
+				return ipi.String() < ipj.String()
+			})
+			return ips[0].IP
+		}
+	}
+
+	return nil
+}
--- a/act/container/DOCKER_LICENSE
+++ b/act/container/DOCKER_LICENSE
@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2013-2017 Docker, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/act/container/container_types.go
+++ b/act/container/container_types.go
@@ -0,0 +1,85 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"io"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/go-connections/nat"
+)
+
+// NewContainerInput the input for the New function
+type NewContainerInput struct {
+	Image          string
+	Username       string
+	Password       string
+	Entrypoint     []string
+	Cmd            []string
+	WorkingDir     string
+	Env            []string
+	Binds          []string
+	Mounts         map[string]string
+	Name           string
+	Stdout         io.Writer
+	Stderr         io.Writer
+	NetworkMode    string
+	Privileged     bool
+	UsernsMode     string
+	Platform       string
+	Options        string
+	NetworkAliases []string
+	ExposedPorts   nat.PortSet
+	PortBindings   nat.PortMap
+
+	// Gitea specific
+	AutoRemove   bool
+	ValidVolumes []string
+}
+
+// FileEntry is a file to copy to a container
+type FileEntry struct {
+	Name string
+	Mode int64
+	Body string
+}
+
+// Container for managing docker run containers
+type Container interface {
+	Create(capAdd, capDrop []string) common.Executor
+	ConnectToNetwork(name string) common.Executor
+	Copy(destPath string, files ...*FileEntry) common.Executor
+	CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error
+	CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor
+	GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error)
+	Pull(forcePull bool) common.Executor
+	Start(attach bool) common.Executor
+	Exec(command []string, env map[string]string, user, workdir string) common.Executor
+	UpdateFromEnv(srcPath string, env *map[string]string) common.Executor
+	UpdateFromImageEnv(env *map[string]string) common.Executor
+	Remove() common.Executor
+	Close() common.Executor
+	ReplaceLogWriter(io.Writer, io.Writer) (io.Writer, io.Writer)
+}
+
+// NewDockerBuildExecutorInput the input for the NewDockerBuildExecutor function
+type NewDockerBuildExecutorInput struct {
+	ContextDir   string
+	Dockerfile   string
+	BuildContext io.Reader
+	ImageTag     string
+	Platform     string
+}
+
+// NewDockerPullExecutorInput the input for the NewDockerPullExecutor function
+type NewDockerPullExecutorInput struct {
+	Image     string
+	ForcePull bool
+	Platform  string
+	Username  string
+	Password  string
+}
--- a/act/container/docker_auth.go
+++ b/act/container/docker_auth.go
@@ -0,0 +1,66 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/credentials"
+	"github.com/docker/docker/api/types/registry"
+)
+
+func LoadDockerAuthConfig(ctx context.Context, image string) (registry.AuthConfig, error) {
+	logger := common.Logger(ctx)
+	config, err := config.Load(config.Dir())
+	if err != nil {
+		logger.Warnf("Could not load docker config: %v", err)
+		return registry.AuthConfig{}, err
+	}
+
+	if !config.ContainsAuth() {
+		config.CredentialsStore = credentials.DetectDefaultStore(config.CredentialsStore)
+	}
+
+	hostName := "index.docker.io"
+	index := strings.IndexRune(image, '/')
+	if index > -1 && (strings.ContainsAny(image[:index], ".:") || image[:index] == "localhost") {
+		hostName = image[:index]
+	}
+
+	authConfig, err := config.GetAuthConfig(hostName)
+	if err != nil {
+		logger.Warnf("Could not get auth config from docker config: %v", err)
+		return registry.AuthConfig{}, err
+	}
+
+	return registry.AuthConfig(authConfig), nil
+}
+
+func LoadDockerAuthConfigs(ctx context.Context) map[string]registry.AuthConfig {
+	logger := common.Logger(ctx)
+	config, err := config.Load(config.Dir())
+	if err != nil {
+		logger.Warnf("Could not load docker config: %v", err)
+		return nil
+	}
+
+	if !config.ContainsAuth() {
+		config.CredentialsStore = credentials.DetectDefaultStore(config.CredentialsStore)
+	}
+
+	creds, _ := config.GetAllCredentials()
+	authConfigs := make(map[string]registry.AuthConfig, len(creds))
+	for k, v := range creds {
+		authConfigs[k] = registry.AuthConfig(v)
+	}
+
+	return authConfigs
+}
--- a/act/container/docker_build.go
+++ b/act/container/docker_build.go
@@ -0,0 +1,121 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/pkg/archive"
+	// github.com/docker/docker/builder/dockerignore is deprecated
+	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
+	"github.com/moby/patternmatcher"
+)
+
+// NewDockerBuildExecutor function to create a run executor for the container
+func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		if input.Platform != "" {
+			logger.Infof("%sdocker build -t %s --platform %s %s", logPrefix, input.ImageTag, input.Platform, input.ContextDir)
+		} else {
+			logger.Infof("%sdocker build -t %s %s", logPrefix, input.ImageTag, input.ContextDir)
+		}
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		logger.Debugf("Building image from '%v'", input.ContextDir)
+
+		tags := []string{input.ImageTag}
+		options := types.ImageBuildOptions{
+			Tags:        tags,
+			Remove:      true,
+			Platform:    input.Platform,
+			AuthConfigs: LoadDockerAuthConfigs(ctx),
+			Dockerfile:  input.Dockerfile,
+		}
+		var buildContext io.ReadCloser
+		if input.BuildContext != nil {
+			buildContext = io.NopCloser(input.BuildContext)
+		} else {
+			buildContext, err = createBuildContext(ctx, input.ContextDir, input.Dockerfile)
+		}
+		if err != nil {
+			return err
+		}
+
+		defer buildContext.Close()
+
+		logger.Debugf("Creating image from context dir '%s' with tag '%s' and platform '%s'", input.ContextDir, input.ImageTag, input.Platform)
+		resp, err := cli.ImageBuild(ctx, buildContext, options)
+
+		err = logDockerResponse(logger, resp.Body, err != nil)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+func createBuildContext(ctx context.Context, contextDir, relDockerfile string) (io.ReadCloser, error) {
+	common.Logger(ctx).Debugf("Creating archive for build context dir '%s' with relative dockerfile '%s'", contextDir, relDockerfile)
+
+	// And canonicalize dockerfile name to a platform-independent one
+	relDockerfile = archive.CanonicalTarNameForPath(relDockerfile)
+
+	f, err := os.Open(filepath.Join(contextDir, ".dockerignore"))
+	if err != nil && !os.IsNotExist(err) {
+		return nil, err
+	}
+	defer f.Close()
+
+	var excludes []string
+	if err == nil {
+		excludes, err = dockerignore.ReadAll(f) //nolint:staticcheck // pre-existing issue from nektos/act
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// If .dockerignore mentions .dockerignore or the Dockerfile
+	// then make sure we send both files over to the daemon
+	// because Dockerfile is, obviously, needed no matter what, and
+	// .dockerignore is needed to know if either one needs to be
+	// removed. The daemon will remove them for us, if needed, after it
+	// parses the Dockerfile. Ignore errors here, as they will have been
+	// caught by validateContextDirectory above.
+	includes := []string{"."}
+	keepThem1, _ := patternmatcher.Matches(".dockerignore", excludes)
+	keepThem2, _ := patternmatcher.Matches(relDockerfile, excludes)
+	if keepThem1 || keepThem2 {
+		includes = append(includes, ".dockerignore", relDockerfile)
+	}
+
+	compression := archive.Uncompressed
+	buildCtx, err := archive.TarWithOptions(contextDir, &archive.TarOptions{
+		Compression:     compression,
+		ExcludePatterns: excludes,
+		IncludeFiles:    includes,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return buildCtx, nil
+}
--- a/act/container/docker_cli.go
+++ b/act/container/docker_cli.go
--- a/act/container/docker_cli_test.go
+++ b/act/container/docker_cli_test.go
@@ -0,0 +1,979 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+// This file is exact copy of https://github.com/docker/cli/blob/9ac8584acfd501c3f4da0e845e3a40ed15c85041/cli/command/container/opts_test.go with:
+// * appended with license information
+// * commented out case 'invalid-mixed-network-types' in test TestParseNetworkConfig
+//
+// docker/cli is licensed under the Apache License, Version 2.0.
+// See DOCKER_LICENSE for the full license text.
+//
+
+//nolint:depguard,gocritic // verbatim copy from docker/cli tests
+package container
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	networktypes "github.com/docker/docker/api/types/network"
+	"github.com/docker/go-connections/nat"
+	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+	"gotest.tools/v3/skip"
+)
+
+func TestValidateAttach(t *testing.T) {
+	valid := []string{
+		"stdin",
+		"stdout",
+		"stderr",
+		"STDIN",
+		"STDOUT",
+		"STDERR",
+	}
+	if _, err := validateAttach("invalid"); err == nil {
+		t.Fatal("Expected error with [valid streams are STDIN, STDOUT and STDERR], got nothing")
+	}
+
+	for _, attach := range valid {
+		value, err := validateAttach(attach)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if value != strings.ToLower(attach) {
+			t.Fatalf("Expected [%v], got [%v]", attach, value)
+		}
+	}
+}
+
+func parseRun(args []string) (*container.Config, *container.HostConfig, *networktypes.NetworkingConfig, error) {
+	flags, copts := setupRunFlags()
+	if err := flags.Parse(args); err != nil {
+		return nil, nil, nil, err
+	}
+	// TODO: fix tests to accept ContainerConfig
+	containerConfig, err := parse(flags, copts, runtime.GOOS)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return containerConfig.Config, containerConfig.HostConfig, containerConfig.NetworkingConfig, err
+}
+
+func setupRunFlags() (*pflag.FlagSet, *containerOptions) {
+	flags := pflag.NewFlagSet("run", pflag.ContinueOnError)
+	flags.SetOutput(io.Discard)
+	flags.Usage = nil
+	copts := addFlags(flags)
+	return flags, copts
+}
+
+func mustParse(t *testing.T, args string) (*container.Config, *container.HostConfig) {
+	t.Helper()
+	config, hostConfig, _, err := parseRun(append(strings.Split(args, " "), "ubuntu", "bash"))
+	assert.NilError(t, err)
+	return config, hostConfig
+}
+
+func TestParseRunLinks(t *testing.T) {
+	if _, hostConfig := mustParse(t, "--link a:b"); len(hostConfig.Links) == 0 || hostConfig.Links[0] != "a:b" {
+		t.Fatalf("Error parsing links. Expected []string{\"a:b\"}, received: %v", hostConfig.Links)
+	}
+	if _, hostConfig := mustParse(t, "--link a:b --link c:d"); len(hostConfig.Links) < 2 || hostConfig.Links[0] != "a:b" || hostConfig.Links[1] != "c:d" {
+		t.Fatalf("Error parsing links. Expected []string{\"a:b\", \"c:d\"}, received: %v", hostConfig.Links)
+	}
+	if _, hostConfig := mustParse(t, ""); len(hostConfig.Links) != 0 {
+		t.Fatalf("Error parsing links. No link expected, received: %v", hostConfig.Links)
+	}
+}
+
+func TestParseRunAttach(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected container.Config
+	}{
+		{
+			input: "",
+			expected: container.Config{
+				AttachStdout: true,
+				AttachStderr: true,
+			},
+		},
+		{
+			input: "-i",
+			expected: container.Config{
+				AttachStdin:  true,
+				AttachStdout: true,
+				AttachStderr: true,
+			},
+		},
+		{
+			input: "-a stdin",
+			expected: container.Config{
+				AttachStdin: true,
+			},
+		},
+		{
+			input: "-a stdin -a stdout",
+			expected: container.Config{
+				AttachStdin:  true,
+				AttachStdout: true,
+			},
+		},
+		{
+			input: "-a stdin -a stdout -a stderr",
+			expected: container.Config{
+				AttachStdin:  true,
+				AttachStdout: true,
+				AttachStderr: true,
+			},
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.input, func(t *testing.T) {
+			config, _ := mustParse(t, tc.input)
+			assert.Equal(t, config.AttachStdin, tc.expected.AttachStdin)
+			assert.Equal(t, config.AttachStdout, tc.expected.AttachStdout)
+			assert.Equal(t, config.AttachStderr, tc.expected.AttachStderr)
+		})
+	}
+}
+
+func TestParseRunWithInvalidArgs(t *testing.T) {
+	tests := []struct {
+		args  []string
+		error string
+	}{
+		{
+			args:  []string{"-a", "ubuntu", "bash"},
+			error: `invalid argument "ubuntu" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR`,
+		},
+		{
+			args:  []string{"-a", "invalid", "ubuntu", "bash"},
+			error: `invalid argument "invalid" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR`,
+		},
+		{
+			args:  []string{"-a", "invalid", "-a", "stdout", "ubuntu", "bash"},
+			error: `invalid argument "invalid" for "-a, --attach" flag: valid streams are STDIN, STDOUT and STDERR`,
+		},
+		{
+			args:  []string{"-a", "stdout", "-a", "stderr", "-z", "ubuntu", "bash"},
+			error: `unknown shorthand flag: 'z' in -z`,
+		},
+		{
+			args:  []string{"-a", "stdin", "-z", "ubuntu", "bash"},
+			error: `unknown shorthand flag: 'z' in -z`,
+		},
+		{
+			args:  []string{"-a", "stdout", "-z", "ubuntu", "bash"},
+			error: `unknown shorthand flag: 'z' in -z`,
+		},
+		{
+			args:  []string{"-a", "stderr", "-z", "ubuntu", "bash"},
+			error: `unknown shorthand flag: 'z' in -z`,
+		},
+		{
+			args:  []string{"-z", "--rm", "ubuntu", "bash"},
+			error: `unknown shorthand flag: 'z' in -z`,
+		},
+	}
+	flags, _ := setupRunFlags()
+	for _, tc := range tests {
+		t.Run(strings.Join(tc.args, " "), func(t *testing.T) {
+			assert.Error(t, flags.Parse(tc.args), tc.error)
+		})
+	}
+}
+
+//nolint:gocyclo // function handles many cases
+func TestParseWithVolumes(t *testing.T) {
+	// A single volume
+	arr, tryit := setupPlatformVolume([]string{`/tmp`}, []string{`c:\tmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[0]]; !exists {
+		t.Fatalf("Error parsing volume flags, %q is missing from volumes. Received %v", tryit, config.Volumes)
+	}
+
+	// Two volumes
+	arr, tryit = setupPlatformVolume([]string{`/tmp`, `/var`}, []string{`c:\tmp`, `c:\var`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds != nil {
+		t.Fatalf("Error parsing volume flags, %q should not mount-bind anything. Received %v", tryit, hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[0]]; !exists {
+		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[0], config.Volumes)
+	} else if _, exists := config.Volumes[arr[1]]; !exists {
+		t.Fatalf("Error parsing volume flags, %s is missing from volumes. Received %v", arr[1], config.Volumes)
+	}
+
+	// A single bind mount
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || hostConfig.Binds[0] != arr[0] {
+		t.Fatalf("Error parsing volume flags, %q should mount-bind the path before the colon into the path after the colon. Received %v %v", arr[0], hostConfig.Binds, config.Volumes)
+	}
+
+	// Two bind mounts.
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/hostVar:/containerVar`}, []string{os.Getenv("ProgramData") + `:c:\ContainerPD`, os.Getenv("TEMP") + `:c:\containerTmp`})
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+	}
+
+	// Two bind mounts, first read-only, second read-write.
+	// TODO Windows: The Windows version uses read-write as that's the only mode it supports. Can change this post TP4
+	arr, tryit = setupPlatformVolume(
+		[]string{`/hostTmp:/containerTmp:ro`, `/hostVar:/containerVar:rw`},
+		[]string{os.Getenv("TEMP") + `:c:\containerTmp:rw`, os.Getenv("ProgramData") + `:c:\ContainerPD:rw`})
+	if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+		t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+	}
+
+	// Similar to previous test but with alternate modes which are only supported by Linux
+	if runtime.GOOS != "windows" {
+		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:ro,Z`, `/hostVar:/containerVar:rw,Z`}, []string{})
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+		}
+
+		arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp:Z`, `/hostVar:/containerVar:z`}, []string{})
+		if _, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], arr[0], arr[1]) != nil {
+			t.Fatalf("Error parsing volume flags, `%s and %s` did not mount-bind correctly. Received %v", arr[0], arr[1], hostConfig.Binds)
+		}
+	}
+
+	// One bind mount and one volume
+	arr, tryit = setupPlatformVolume([]string{`/hostTmp:/containerTmp`, `/containerVar`}, []string{os.Getenv("TEMP") + `:c:\containerTmp`, `c:\containerTmp`})
+	if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] {
+		t.Fatalf("Error parsing volume flags, %s and %s should only one and only one bind mount %s. Received %s", arr[0], arr[1], arr[0], hostConfig.Binds)
+	} else if _, exists := config.Volumes[arr[1]]; !exists {
+		t.Fatalf("Error parsing volume flags %s and %s. %s is missing from volumes. Received %v", arr[0], arr[1], arr[1], config.Volumes)
+	}
+
+	// Root to non-c: drive letter (Windows specific)
+	if runtime.GOOS == "windows" {
+		arr, tryit = setupPlatformVolume([]string{}, []string{os.Getenv("SystemDrive") + `\:d:`})
+		if config, hostConfig := mustParse(t, tryit); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != arr[0] || len(config.Volumes) != 0 {
+			t.Fatalf("Error parsing %s. Should have a single bind mount and no volumes", arr[0])
+		}
+	}
+}
+
+// setupPlatformVolume takes two arrays of volume specs - a Unix style
+// spec and a Windows style spec. Depending on the platform being unit tested,
+// it returns one of them, along with a volume string that would be passed
+// on the docker CLI (e.g. -v /bar -v /foo).
+func setupPlatformVolume(u, w []string) ([]string, string) {
+	var a []string
+	if runtime.GOOS == "windows" {
+		a = w
+	} else {
+		a = u
+	}
+	s := ""
+	for _, v := range a {
+		s = s + "-v " + v + " "
+	}
+	return a, s
+}
+
+// check if (a == c && b == d) || (a == d && b == c)
+// because maps are randomized
+func compareRandomizedStrings(a, b, c, d string) error {
+	if a == c && b == d {
+		return nil
+	}
+	if a == d && b == c {
+		return nil
+	}
+	return errors.Errorf("strings don't match")
+}
+
+// Simple parse with MacAddress validation
+func TestParseWithMacAddress(t *testing.T) {
+	invalidMacAddress := "--mac-address=invalidMacAddress"
+	validMacAddress := "--mac-address=92:d0:c6:0a:29:33"
+	if _, _, _, err := parseRun([]string{invalidMacAddress, "img", "cmd"}); err != nil && err.Error() != "invalidMacAddress is not a valid mac address" {
+		t.Fatalf("Expected an error with %v mac-address, got %v", invalidMacAddress, err)
+	}
+	if config, _ := mustParse(t, validMacAddress); config.MacAddress != "92:d0:c6:0a:29:33" { //nolint:staticcheck // pre-existing issue from nektos/act
+		t.Fatalf("Expected the config to have '92:d0:c6:0a:29:33' as MacAddress, got '%v'", config.MacAddress) //nolint:staticcheck // pre-existing issue from nektos/act
+	}
+}
+
+func TestRunFlagsParseWithMemory(t *testing.T) {
+	flags, _ := setupRunFlags()
+	args := []string{"--memory=invalid", "img", "cmd"}
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, `invalid argument "invalid" for "-m, --memory" flag`)
+
+	_, hostconfig := mustParse(t, "--memory=1G")
+	assert.Check(t, is.Equal(int64(1073741824), hostconfig.Memory))
+}
+
+func TestParseWithMemorySwap(t *testing.T) {
+	flags, _ := setupRunFlags()
+	args := []string{"--memory-swap=invalid", "img", "cmd"}
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, `invalid argument "invalid" for "--memory-swap" flag`)
+
+	_, hostconfig := mustParse(t, "--memory-swap=1G")
+	assert.Check(t, is.Equal(int64(1073741824), hostconfig.MemorySwap))
+
+	_, hostconfig = mustParse(t, "--memory-swap=-1")
+	assert.Check(t, is.Equal(int64(-1), hostconfig.MemorySwap))
+}
+
+func TestParseHostname(t *testing.T) {
+	validHostnames := map[string]string{
+		"hostname":    "hostname",
+		"host-name":   "host-name",
+		"hostname123": "hostname123",
+		"123hostname": "123hostname",
+		"hostname-of-63-bytes-long-should-be-valid-and-without-any-error": "hostname-of-63-bytes-long-should-be-valid-and-without-any-error",
+	}
+	hostnameWithDomain := "--hostname=hostname.domainname"
+	hostnameWithDomainTld := "--hostname=hostname.domainname.tld"
+	for hostname, expectedHostname := range validHostnames {
+		if config, _ := mustParse(t, "--hostname="+hostname); config.Hostname != expectedHostname {
+			t.Fatalf("Expected the config to have 'hostname' as %q, got %q", expectedHostname, config.Hostname)
+		}
+	}
+	if config, _ := mustParse(t, hostnameWithDomain); config.Hostname != "hostname.domainname" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname, got %q", config.Hostname)
+	}
+	if config, _ := mustParse(t, hostnameWithDomainTld); config.Hostname != "hostname.domainname.tld" || config.Domainname != "" {
+		t.Fatalf("Expected the config to have 'hostname' as hostname.domainname.tld, got %q", config.Hostname)
+	}
+}
+
+func TestParseHostnameDomainname(t *testing.T) {
+	validDomainnames := map[string]string{
+		"domainname":    "domainname",
+		"domain-name":   "domain-name",
+		"domainname123": "domainname123",
+		"123domainname": "123domainname",
+		"domainname-63-bytes-long-should-be-valid-and-without-any-errors": "domainname-63-bytes-long-should-be-valid-and-without-any-errors",
+	}
+	for domainname, expectedDomainname := range validDomainnames {
+		if config, _ := mustParse(t, "--domainname="+domainname); config.Domainname != expectedDomainname {
+			t.Fatalf("Expected the config to have 'domainname' as %q, got %q", expectedDomainname, config.Domainname)
+		}
+	}
+	if config, _ := mustParse(t, "--hostname=some.prefix --domainname=domainname"); config.Hostname != "some.prefix" || config.Domainname != "domainname" {
+		t.Fatalf("Expected the config to have 'hostname' as 'some.prefix' and 'domainname' as 'domainname', got %q and %q", config.Hostname, config.Domainname)
+	}
+	if config, _ := mustParse(t, "--hostname=another-prefix --domainname=domainname.tld"); config.Hostname != "another-prefix" || config.Domainname != "domainname.tld" {
+		t.Fatalf("Expected the config to have 'hostname' as 'another-prefix' and 'domainname' as 'domainname.tld', got %q and %q", config.Hostname, config.Domainname)
+	}
+}
+
+func TestParseWithExpose(t *testing.T) {
+	invalids := map[string]string{
+		":":                   "invalid port format for --expose: :",
+		"8080:9090":           "invalid port format for --expose: 8080:9090",
+		"NaN/tcp":             `invalid range format for --expose: NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"NaN-NaN/tcp":         `invalid range format for --expose: NaN-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"8080-NaN/tcp":        `invalid range format for --expose: 8080-NaN/tcp, error: strconv.ParseUint: parsing "NaN": invalid syntax`,
+		"1234567890-8080/tcp": `invalid range format for --expose: 1234567890-8080/tcp, error: strconv.ParseUint: parsing "1234567890": value out of range`,
+	}
+	valids := map[string][]nat.Port{
+		"8080/tcp":      {"8080/tcp"},
+		"8080/udp":      {"8080/udp"},
+		"8080/ncp":      {"8080/ncp"},
+		"8080-8080/udp": {"8080/udp"},
+		"8080-8082/tcp": {"8080/tcp", "8081/tcp", "8082/tcp"},
+	}
+	for expose, expectedError := range invalids {
+		if _, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"}); err == nil || err.Error() != expectedError {
+			t.Fatalf("Expected error '%v' with '--expose=%v', got '%v'", expectedError, expose, err)
+		}
+	}
+	for expose, exposedPorts := range valids {
+		config, _, _, err := parseRun([]string{fmt.Sprintf("--expose=%v", expose), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(config.ExposedPorts) != len(exposedPorts) {
+			t.Fatalf("Expected %v exposed port, got %v", len(exposedPorts), len(config.ExposedPorts))
+		}
+		for _, port := range exposedPorts {
+			if _, ok := config.ExposedPorts[port]; !ok {
+				t.Fatalf("Expected %v, got %v", exposedPorts, config.ExposedPorts)
+			}
+		}
+	}
+	// Merge with actual published port
+	config, _, _, err := parseRun([]string{"--publish=80", "--expose=80-81/tcp", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.ExposedPorts) != 2 {
+		t.Fatalf("Expected 2 exposed ports, got %v", config.ExposedPorts)
+	}
+	ports := []nat.Port{"80/tcp", "81/tcp"}
+	for _, port := range ports {
+		if _, ok := config.ExposedPorts[port]; !ok {
+			t.Fatalf("Expected %v, got %v", ports, config.ExposedPorts)
+		}
+	}
+}
+
+func TestParseDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS != "linux") // Windows and macOS validate server-side
+	valids := map[string]container.DeviceMapping{
+		"/dev/snd": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/dev/snd",
+			CgroupPermissions: "rwm",
+		},
+		"/dev/snd:rw": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/dev/snd",
+			CgroupPermissions: "rw",
+		},
+		"/dev/snd:/something": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/something",
+			CgroupPermissions: "rwm",
+		},
+		"/dev/snd:/something:rw": {
+			PathOnHost:        "/dev/snd",
+			PathInContainer:   "/something",
+			CgroupPermissions: "rw",
+		},
+	}
+	for device, deviceMapping := range valids {
+		_, hostconfig, _, err := parseRun([]string{fmt.Sprintf("--device=%v", device), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(hostconfig.Devices) != 1 {
+			t.Fatalf("Expected 1 devices, got %v", hostconfig.Devices)
+		}
+		if hostconfig.Devices[0] != deviceMapping {
+			t.Fatalf("Expected %v, got %v", deviceMapping, hostconfig.Devices)
+		}
+	}
+}
+
+func TestParseNetworkConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		flags       []string
+		expected    map[string]*networktypes.EndpointSettings
+		expectedCfg container.HostConfig
+		expectedErr string
+	}{
+		{
+			name:        "single-network-legacy",
+			flags:       []string{"--network", "net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "single-network-advanced",
+			flags:       []string{"--network", "name=net1"},
+			expected:    map[string]*networktypes.EndpointSettings{},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "single-network-legacy-with-options",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name: "multiple-network-advanced-mixed",
+			flags: []string{
+				"--ip", "172.20.88.22",
+				"--ip6", "2001:db8::8822",
+				"--link", "foo:bar",
+				"--link", "bar:baz",
+				"--link-local-ip", "169.254.2.2",
+				"--link-local-ip", "fe80::169:254:2:2",
+				"--network", "name=net1,driver-opt=field1=value1",
+				"--network-alias", "web1",
+				"--network-alias", "web2",
+				"--network", "net2",
+				"--network", "name=net3,alias=web3,driver-opt=field3=value3,ip=172.20.88.22,ip6=2001:db8::8822",
+			},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{"field1": "value1"},
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address:  "172.20.88.22",
+						IPv6Address:  "2001:db8::8822",
+						LinkLocalIPs: []string{"169.254.2.2", "fe80::169:254:2:2"},
+					},
+					Links:   []string{"foo:bar", "bar:baz"},
+					Aliases: []string{"web1", "web2"},
+				},
+				"net2": {},
+				"net3": {
+					DriverOpts: map[string]string{"field3": "value3"},
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address: "172.20.88.22",
+						IPv6Address: "2001:db8::8822",
+					},
+					Aliases: []string{"web3"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:  "single-network-advanced-with-options",
+			flags: []string{"--network", "name=net1,alias=web1,alias=web2,driver-opt=field1=value1,driver-opt=field2=value2,ip=172.20.88.22,ip6=2001:db8::8822"},
+			expected: map[string]*networktypes.EndpointSettings{
+				"net1": {
+					DriverOpts: map[string]string{
+						"field1": "value1",
+						"field2": "value2",
+					},
+					IPAMConfig: &networktypes.EndpointIPAMConfig{
+						IPv4Address: "172.20.88.22",
+						IPv6Address: "2001:db8::8822",
+					},
+					Aliases: []string{"web1", "web2"},
+				},
+			},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "multiple-networks",
+			flags:       []string{"--network", "net1", "--network", "name=net2"},
+			expected:    map[string]*networktypes.EndpointSettings{"net1": {}, "net2": {}},
+			expectedCfg: container.HostConfig{NetworkMode: "net1"},
+		},
+		{
+			name:        "conflict-network",
+			flags:       []string{"--network", "duplicate", "--network", "name=duplicate"},
+			expectedErr: `network "duplicate" is specified multiple times`,
+		},
+		{
+			name:        "conflict-options-alias",
+			flags:       []string{"--network", "name=net1,alias=web1", "--network-alias", "web1"},
+			expectedErr: `conflicting options: cannot specify both --network-alias and per-network alias`,
+		},
+		{
+			name:        "conflict-options-ip",
+			flags:       []string{"--network", "name=net1,ip=172.20.88.22,ip6=2001:db8::8822", "--ip", "172.20.88.22"},
+			expectedErr: `conflicting options: cannot specify both --ip and per-network IPv4 address`,
+		},
+		{
+			name:        "conflict-options-ip6",
+			flags:       []string{"--network", "name=net1,ip=172.20.88.22,ip6=2001:db8::8822", "--ip6", "2001:db8::8822"},
+			expectedErr: `conflicting options: cannot specify both --ip6 and per-network IPv6 address`,
+		},
+		// case is skipped as it fails w/o any change
+		//
+		//{
+		//	name:        "invalid-mixed-network-types",
+		//	flags:       []string{"--network", "name=host", "--network", "net1"},
+		//	expectedErr: `conflicting options: cannot attach both user-defined and non-user-defined network-modes`,
+		//},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			_, hConfig, nwConfig, err := parseRun(tc.flags)
+
+			if tc.expectedErr != "" {
+				assert.Error(t, err, tc.expectedErr)
+				return
+			}
+
+			assert.NilError(t, err)
+			assert.DeepEqual(t, hConfig.NetworkMode, tc.expectedCfg.NetworkMode)
+			assert.DeepEqual(t, nwConfig.EndpointsConfig, tc.expected)
+		})
+	}
+}
+
+func TestParseModes(t *testing.T) {
+	// pid ko
+	flags, copts := setupRunFlags()
+	args := []string{"--pid=container:", "img", "cmd"}
+	assert.NilError(t, flags.Parse(args))
+	_, err := parse(flags, copts, runtime.GOOS)
+	assert.ErrorContains(t, err, "--pid: invalid PID mode")
+
+	// pid ok
+	_, hostconfig, _, err := parseRun([]string{"--pid=host", "img", "cmd"})
+	assert.NilError(t, err)
+	if !hostconfig.PidMode.Valid() {
+		t.Fatalf("Expected a valid PidMode, got %v", hostconfig.PidMode)
+	}
+
+	// uts ko
+	_, _, _, err = parseRun([]string{"--uts=container:", "img", "cmd"}) //nolint:dogsled // ignoring multiple returns in test helpers
+	assert.ErrorContains(t, err, "--uts: invalid UTS mode")
+
+	// uts ok
+	_, hostconfig, _, err = parseRun([]string{"--uts=host", "img", "cmd"})
+	assert.NilError(t, err)
+	if !hostconfig.UTSMode.Valid() {
+		t.Fatalf("Expected a valid UTSMode, got %v", hostconfig.UTSMode)
+	}
+}
+
+func TestRunFlagsParseShmSize(t *testing.T) {
+	// shm-size ko
+	flags, _ := setupRunFlags()
+	args := []string{"--shm-size=a128m", "img", "cmd"}
+	expectedErr := `invalid argument "a128m" for "--shm-size" flag:`
+	err := flags.Parse(args)
+	assert.ErrorContains(t, err, expectedErr)
+
+	// shm-size ok
+	_, hostconfig, _, err := parseRun([]string{"--shm-size=128m", "img", "cmd"})
+	assert.NilError(t, err)
+	if hostconfig.ShmSize != 134217728 {
+		t.Fatalf("Expected a valid ShmSize, got %d", hostconfig.ShmSize)
+	}
+}
+
+func TestParseRestartPolicy(t *testing.T) {
+	invalids := map[string]string{
+		"always:2:3":         "invalid restart policy format: maximum retry count must be an integer",
+		"on-failure:invalid": "invalid restart policy format: maximum retry count must be an integer",
+	}
+	valids := map[string]container.RestartPolicy{
+		"": {},
+		"always": {
+			Name:              "always",
+			MaximumRetryCount: 0,
+		},
+		"on-failure:1": {
+			Name:              "on-failure",
+			MaximumRetryCount: 1,
+		},
+	}
+	for restart, expectedError := range invalids {
+		if _, _, _, err := parseRun([]string{"--restart=" + restart, "img", "cmd"}); err == nil || err.Error() != expectedError {
+			t.Fatalf("Expected an error with message '%v' for %v, got %v", expectedError, restart, err)
+		}
+	}
+	for restart, expected := range valids {
+		_, hostconfig, _, err := parseRun([]string{fmt.Sprintf("--restart=%v", restart), "img", "cmd"})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if hostconfig.RestartPolicy != expected {
+			t.Fatalf("Expected %v, got %v", expected, hostconfig.RestartPolicy)
+		}
+	}
+}
+
+func TestParseRestartPolicyAutoRemove(t *testing.T) {
+	expected := "Conflicting options: --restart and --rm"
+	_, _, _, err := parseRun([]string{"--rm", "--restart=always", "img", "cmd"}) //nolint:dogsled // ignoring multiple returns in test helpers
+	if err == nil || err.Error() != expected {
+		t.Fatalf("Expected error %v, but got none", expected)
+	}
+}
+
+func TestParseHealth(t *testing.T) {
+	checkOk := func(args ...string) *container.HealthConfig {
+		config, _, _, err := parseRun(args)
+		if err != nil {
+			t.Fatalf("%#v: %v", args, err)
+		}
+		return config.Healthcheck
+	}
+	checkError := func(expected string, args ...string) {
+		config, _, _, err := parseRun(args)
+		if err == nil {
+			t.Fatalf("Expected error, but got %#v", config)
+		}
+		if err.Error() != expected {
+			t.Fatalf("Expected %#v, got %#v", expected, err)
+		}
+	}
+	health := checkOk("--no-healthcheck", "img", "cmd")
+	if health == nil || len(health.Test) != 1 || health.Test[0] != "NONE" {
+		t.Fatalf("--no-healthcheck failed: %#v", health)
+	}
+
+	health = checkOk("--health-cmd=/check.sh -q", "img", "cmd")
+	if len(health.Test) != 2 || health.Test[0] != "CMD-SHELL" || health.Test[1] != "/check.sh -q" {
+		t.Fatalf("--health-cmd: got %#v", health.Test)
+	}
+	if health.Timeout != 0 {
+		t.Fatalf("--health-cmd: timeout = %s", health.Timeout)
+	}
+
+	checkError("--no-healthcheck conflicts with --health-* options",
+		"--no-healthcheck", "--health-cmd=/check.sh -q", "img", "cmd")
+
+	health = checkOk("--health-timeout=2s", "--health-retries=3", "--health-interval=4.5s", "--health-start-period=5s", "img", "cmd")
+	if health.Timeout != 2*time.Second || health.Retries != 3 || health.Interval != 4500*time.Millisecond || health.StartPeriod != 5*time.Second {
+		t.Fatalf("--health-*: got %#v", health)
+	}
+}
+
+func TestParseLoggingOpts(t *testing.T) {
+	// logging opts ko
+	if _, _, _, err := parseRun([]string{"--log-driver=none", "--log-opt=anything", "img", "cmd"}); err == nil || err.Error() != "invalid logging opts for driver none" {
+		t.Fatalf("Expected an error with message 'invalid logging opts for driver none', got %v", err)
+	}
+	// logging opts ok
+	_, hostconfig, _, err := parseRun([]string{"--log-driver=syslog", "--log-opt=something", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if hostconfig.LogConfig.Type != "syslog" || len(hostconfig.LogConfig.Config) != 1 {
+		t.Fatalf("Expected a 'syslog' LogConfig with one config, got %v", hostconfig.RestartPolicy)
+	}
+}
+
+func TestParseEnvfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
+	e := "open nonexistent: no such file or directory"
+	if runtime.GOOS == "windows" {
+		e = "open nonexistent: The system cannot find the file specified."
+	}
+	// env ko
+	if _, _, _, err := parseRun([]string{"--env-file=nonexistent", "img", "cmd"}); err == nil || err.Error() != e {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// env ok
+	config, _, _, err := parseRun([]string{"--env-file=testdata/valid.env", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Env) != 1 || config.Env[0] != "ENV1=value1" {
+		t.Fatalf("Expected a config with [ENV1=value1], got %v", config.Env)
+	}
+	config, _, _, err = parseRun([]string{"--env-file=testdata/valid.env", "--env=ENV2=value2", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Env) != 2 || config.Env[0] != "ENV1=value1" || config.Env[1] != "ENV2=value2" {
+		t.Fatalf("Expected a config with [ENV1=value1 ENV2=value2], got %v", config.Env)
+	}
+}
+
+func TestParseEnvfileVariablesWithBOMUnicode(t *testing.T) {
+	// UTF8 with BOM
+	config, _, _, err := parseRun([]string{"--env-file=testdata/utf8.env", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	env := []string{"FOO=BAR", "HELLO=" + string([]byte{0xe6, 0x82, 0xa8, 0xe5, 0xa5, 0xbd}), "BAR=FOO"}
+	if len(config.Env) != len(env) {
+		t.Fatalf("Expected a config with %d env variables, got %v: %v", len(env), len(config.Env), config.Env)
+	}
+	for i, v := range env {
+		if config.Env[i] != v {
+			t.Fatalf("Expected a config with [%s], got %v", v, []byte(config.Env[i]))
+		}
+	}
+
+	// UTF16 with BOM
+	e := "contains invalid utf8 bytes at line"
+	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// UTF16BE with BOM
+	if _, _, _, err := parseRun([]string{"--env-file=testdata/utf16be.env", "img", "cmd"}); err == nil || !strings.Contains(err.Error(), e) {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+}
+
+func TestParseLabelfileVariables(t *testing.T) { //nolint:dupl // pre-existing issue from nektos/act
+	e := "open nonexistent: no such file or directory"
+	if runtime.GOOS == "windows" {
+		e = "open nonexistent: The system cannot find the file specified."
+	}
+	// label ko
+	if _, _, _, err := parseRun([]string{"--label-file=nonexistent", "img", "cmd"}); err == nil || err.Error() != e {
+		t.Fatalf("Expected an error with message '%s', got %v", e, err)
+	}
+	// label ok
+	config, _, _, err := parseRun([]string{"--label-file=testdata/valid.label", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Labels) != 1 || config.Labels["LABEL1"] != "value1" {
+		t.Fatalf("Expected a config with [LABEL1:value1], got %v", config.Labels)
+	}
+	config, _, _, err = parseRun([]string{"--label-file=testdata/valid.label", "--label=LABEL2=value2", "img", "cmd"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Labels) != 2 || config.Labels["LABEL1"] != "value1" || config.Labels["LABEL2"] != "value2" {
+		t.Fatalf("Expected a config with [LABEL1:value1 LABEL2:value2], got %v", config.Labels)
+	}
+}
+
+func TestParseEntryPoint(t *testing.T) {
+	config, _, _, err := parseRun([]string{"--entrypoint=anything", "cmd", "img"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(config.Entrypoint) != 1 && config.Entrypoint[0] != "anything" {
+		t.Fatalf("Expected entrypoint 'anything', got %v", config.Entrypoint)
+	}
+}
+
+func TestValidateDevice(t *testing.T) {
+	skip.If(t, runtime.GOOS != "linux") // Windows and macOS validate server-side
+	valid := []string{
+		"/home",
+		"/home:/home",
+		"/home:/something/else",
+		"/with space",
+		"/home:/with space",
+		"relative:/absolute-path",
+		"hostPath:/containerPath:r",
+		"/hostPath:/containerPath:rw",
+		"/hostPath:/containerPath:mrw",
+	}
+	invalid := map[string]string{
+		"":        "bad format for path: ",
+		"./":      "./ is not an absolute path",
+		"../":     "../ is not an absolute path",
+		"/:../":   "../ is not an absolute path",
+		"/:path":  "path is not an absolute path",
+		":":       "bad format for path: :",
+		"/tmp:":   " is not an absolute path",
+		":test":   "bad format for path: :test",
+		":/test":  "bad format for path: :/test",
+		"tmp:":    " is not an absolute path",
+		":test:":  "bad format for path: :test:",
+		"::":      "bad format for path: ::",
+		":::":     "bad format for path: :::",
+		"/tmp:::": "bad format for path: /tmp:::",
+		":/tmp::": "bad format for path: :/tmp::",
+		"path:ro": "ro is not an absolute path",
+		"path:rr": "rr is not an absolute path",
+		"a:/b:ro": "bad mode specified: ro",
+		"a:/b:rr": "bad mode specified: rr",
+	}
+
+	for _, path := range valid {
+		if _, err := validateDevice(path, runtime.GOOS); err != nil {
+			t.Fatalf("ValidateDevice(`%q`) should succeed: error %q", path, err)
+		}
+	}
+
+	for path, expectedError := range invalid {
+		if _, err := validateDevice(path, runtime.GOOS); err == nil {
+			t.Fatalf("ValidateDevice(`%q`) should have failed validation", path)
+		} else {
+			if err.Error() != expectedError {
+				t.Fatalf("ValidateDevice(`%q`) error should contain %q, got %q", path, expectedError, err.Error())
+			}
+		}
+	}
+}
+
+func TestParseSystemPaths(t *testing.T) {
+	tests := []struct {
+		doc                       string
+		in, out, masked, readonly []string
+	}{
+		{
+			doc: "not set",
+			in:  []string{},
+			out: []string{},
+		},
+		{
+			doc: "not set, preserve other options",
+			in: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+			out: []string{
+				"seccomp=unconfined",
+				"apparmor=unconfined",
+				"label=user:USER",
+				"foo=bar",
+			},
+		},
+		{
+			doc:      "unconfined",
+			in:       []string{"systempaths=unconfined"},
+			out:      []string{},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc:      "unconfined and other options",
+			in:       []string{"foo=bar", "bar=baz", "systempaths=unconfined"},
+			out:      []string{"foo=bar", "bar=baz"},
+			masked:   []string{},
+			readonly: []string{},
+		},
+		{
+			doc: "unknown option",
+			in:  []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+			out: []string{"foo=bar", "systempaths=unknown", "bar=baz"},
+		},
+	}
+
+	for _, tc := range tests {
+		securityOpts, maskedPaths, readonlyPaths := parseSystemPaths(tc.in)
+		assert.DeepEqual(t, securityOpts, tc.out)
+		assert.DeepEqual(t, maskedPaths, tc.masked)
+		assert.DeepEqual(t, readonlyPaths, tc.readonly)
+	}
+}
+
+func TestConvertToStandardNotation(t *testing.T) {
+	valid := map[string][]string{
+		"20:10/tcp":               {"target=10,published=20"},
+		"40:30":                   {"40:30"},
+		"20:20 80:4444":           {"20:20", "80:4444"},
+		"1500:2500/tcp 1400:1300": {"target=2500,published=1500", "1400:1300"},
+		"1500:200/tcp 90:80/tcp":  {"published=1500,target=200", "target=80,published=90"},
+	}
+
+	invalid := [][]string{
+		{"published=1500,target:444"},
+		{"published=1500,444"},
+		{"published=1500,target,444"},
+	}
+
+	for key, ports := range valid {
+		convertedPorts, err := convertToStandardNotation(ports)
+		if err != nil {
+			assert.NilError(t, err)
+		}
+		assert.DeepEqual(t, strings.Split(key, " "), convertedPorts)
+	}
+
+	for _, ports := range invalid {
+		if _, err := convertToStandardNotation(ports); err == nil {
+			t.Fatalf("ConvertToStandardNotation(`%q`) should have failed conversion", ports)
+		}
+	}
+}
--- a/act/container/docker_images.go
+++ b/act/container/docker_images.go
@@ -0,0 +1,64 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+)
+
+// ImageExistsLocally returns a boolean indicating if an image with the
+// requested name, tag and architecture exists in the local docker image store
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
+	cli, err := GetDockerClient(ctx)
+	if err != nil {
+		return false, err
+	}
+	defer cli.Close()
+
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+
+	if platform == "" || platform == "any" || fmt.Sprintf("%s/%s", inspectImage.Os, inspectImage.Architecture) == platform {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// RemoveImage removes image from local store, the function is used to run different
+// container image architectures
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
+	cli, err := GetDockerClient(ctx)
+	if err != nil {
+		return false, err
+	}
+	defer cli.Close()
+
+	inspectImage, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if client.IsErrNotFound(err) {
+		return false, nil
+	} else if err != nil {
+		return false, err
+	}
+
+	if _, err = cli.ImageRemove(ctx, inspectImage.ID, types.ImageRemoveOptions{
+		Force:         force,
+		PruneChildren: pruneChildren,
+	}); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
--- a/act/container/docker_images_test.go
+++ b/act/container/docker_images_test.go
@@ -0,0 +1,71 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/client"
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+func TestImageExistsLocally(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration test")
+	}
+	ctx := context.Background()
+	// to help make this test reliable and not flaky, we need to have
+	// an image that will exist, and onew that won't exist
+
+	// Test if image exists with specific tag
+	invalidImageTag, err := ImageExistsLocally(ctx, "library/alpine:this-random-tag-will-never-exist", "linux/amd64")
+	assert.Nil(t, err)                      //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, false, invalidImageTag) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// Test if image exists with specific architecture (image platform)
+	invalidImagePlatform, err := ImageExistsLocally(ctx, "alpine:latest", "windows/amd64")
+	assert.Nil(t, err)                           //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, false, invalidImagePlatform) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// pull an image
+	cli, err := client.NewClientWithOpts(client.FromEnv)
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	cli.NegotiateAPIVersion(context.Background())
+
+	// Chose alpine latest because it's so small
+	// maybe we should build an image instead so that tests aren't reliable on dockerhub
+	readerDefault, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
+		Platform: "linux/amd64",
+	})
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer readerDefault.Close()
+	_, err = io.ReadAll(readerDefault)
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	imageDefaultArchExists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/amd64")
+	assert.Nil(t, err)                            //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, true, imageDefaultArchExists) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// Validate if another architecture platform can be pulled
+	readerArm64, err := cli.ImagePull(ctx, "node:16-buster-slim", types.ImagePullOptions{
+		Platform: "linux/arm64",
+	})
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer readerArm64.Close()
+	_, err = io.ReadAll(readerArm64)
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	imageArm64Exists, err := ImageExistsLocally(ctx, "node:16-buster-slim", "linux/arm64")
+	assert.Nil(t, err)                      //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, true, imageArm64Exists) //nolint:testifylint // pre-existing issue from nektos/act
+}
--- a/act/container/docker_logger.go
+++ b/act/container/docker_logger.go
@@ -0,0 +1,87 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"bufio"
+	"encoding/json"
+	"errors"
+	"io"
+
+	"github.com/sirupsen/logrus"
+)
+
+type dockerMessage struct {
+	ID          string `json:"id"`
+	Stream      string `json:"stream"`
+	Error       string `json:"error"`
+	ErrorDetail struct {
+		Message string
+	}
+	Status   string `json:"status"`
+	Progress string `json:"progress"`
+}
+
+const logPrefix = "  \U0001F433  "
+
+func logDockerResponse(logger logrus.FieldLogger, dockerResponse io.ReadCloser, isError bool) error {
+	if dockerResponse == nil {
+		return nil
+	}
+	defer dockerResponse.Close()
+
+	scanner := bufio.NewScanner(dockerResponse)
+	msg := dockerMessage{}
+
+	for scanner.Scan() {
+		line := scanner.Bytes()
+
+		msg.ID = ""
+		msg.Stream = ""
+		msg.Error = ""
+		msg.ErrorDetail.Message = ""
+		msg.Status = ""
+		msg.Progress = ""
+
+		if err := json.Unmarshal(line, &msg); err != nil {
+			writeLog(logger, false, "Unable to unmarshal line [%s] ==> %v", string(line), err)
+			continue
+		}
+
+		if msg.Error != "" {
+			writeLog(logger, isError, "%s", msg.Error)
+			return errors.New(msg.Error)
+		}
+
+		if msg.ErrorDetail.Message != "" {
+			writeLog(logger, isError, "%s", msg.ErrorDetail.Message)
+			return errors.New(msg.Error)
+		}
+
+		if msg.Status != "" {
+			if msg.Progress != "" {
+				writeLog(logger, isError, "%s :: %s :: %s\n", msg.Status, msg.ID, msg.Progress)
+			} else {
+				writeLog(logger, isError, "%s :: %s\n", msg.Status, msg.ID)
+			}
+		} else if msg.Stream != "" {
+			writeLog(logger, isError, "%s", msg.Stream)
+		} else {
+			writeLog(logger, false, "Unable to handle line: %s", string(line))
+		}
+	}
+
+	return nil
+}
+
+func writeLog(logger logrus.FieldLogger, isError bool, format string, args ...any) {
+	if isError {
+		logger.Errorf(format, args...)
+	} else {
+		logger.Debugf(format, args...)
+	}
+}
--- a/act/container/docker_network.go
+++ b/act/container/docker_network.go
@@ -0,0 +1,86 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/docker/api/types"
+)
+
+func NewDockerNetworkCreateExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Only create the network if it doesn't exist
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
+		for _, network := range networks {
+			if network.Name == name {
+				common.Logger(ctx).Debugf("Network %v exists", name)
+				return nil
+			}
+		}
+
+		_, err = cli.NetworkCreate(ctx, name, types.NetworkCreate{
+			Driver: "bridge",
+			Scope:  "local",
+		})
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		// Make shure that all network of the specified name are removed
+		// cli.NetworkRemove refuses to remove a network if there are duplicates
+		networks, err := cli.NetworkList(ctx, types.NetworkListOptions{})
+		if err != nil {
+			return err
+		}
+		// For Gitea, reduce log noise
+		// common.Logger(ctx).Debugf("%v", networks)
+		for _, network := range networks {
+			if network.Name == name {
+				result, err := cli.NetworkInspect(ctx, network.ID, types.NetworkInspectOptions{})
+				if err != nil {
+					return err
+				}
+
+				if len(result.Containers) == 0 {
+					if err = cli.NetworkRemove(ctx, network.ID); err != nil {
+						common.Logger(ctx).Debugf("%v", err)
+					}
+				} else {
+					common.Logger(ctx).Debugf("Refusing to remove network %v because it still has active endpoints", name)
+				}
+			}
+		}
+
+		return err
+	}
+}
--- a/act/container/docker_pull.go
+++ b/act/container/docker_pull.go
@@ -0,0 +1,130 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/distribution/reference"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/registry"
+)
+
+// NewDockerPullExecutor function to create a run executor for the container
+func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Debugf("%sdocker pull %v", logPrefix, input.Image)
+
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		pull := input.ForcePull
+		if !pull {
+			imageExists, err := ImageExistsLocally(ctx, input.Image, input.Platform)
+			logger.Debugf("Image exists? %v", imageExists)
+			if err != nil {
+				return fmt.Errorf("unable to determine if image already exists for image '%s' (%s): %w", input.Image, input.Platform, err)
+			}
+
+			if !imageExists {
+				pull = true
+			}
+		}
+
+		if !pull {
+			return nil
+		}
+
+		imageRef := cleanImage(ctx, input.Image)
+		logger.Debugf("pulling image '%v' (%s)", imageRef, input.Platform)
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		imagePullOptions, err := getImagePullOptions(ctx, input)
+		if err != nil {
+			return err
+		}
+
+		reader, err := cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+		_ = logDockerResponse(logger, reader, err != nil)
+		if err != nil {
+			if imagePullOptions.RegistryAuth != "" && strings.Contains(err.Error(), "unauthorized") {
+				logger.Errorf("pulling image '%v' (%s) failed with credentials %s retrying without them, please check for stale docker config files", imageRef, input.Platform, err.Error())
+				imagePullOptions.RegistryAuth = ""
+				reader, err = cli.ImagePull(ctx, imageRef, imagePullOptions)
+
+				_ = logDockerResponse(logger, reader, err != nil)
+			}
+			return err
+		}
+		return nil
+	}
+}
+
+func getImagePullOptions(ctx context.Context, input NewDockerPullExecutorInput) (types.ImagePullOptions, error) {
+	imagePullOptions := types.ImagePullOptions{
+		Platform: input.Platform,
+	}
+	logger := common.Logger(ctx)
+
+	if input.Username != "" && input.Password != "" {
+		logger.Debugf("using authentication for docker pull")
+
+		authConfig := registry.AuthConfig{
+			Username: input.Username,
+			Password: input.Password,
+		}
+
+		encodedJSON, err := json.Marshal(authConfig)
+		if err != nil {
+			return imagePullOptions, err
+		}
+
+		imagePullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
+	} else {
+		authConfig, err := LoadDockerAuthConfig(ctx, input.Image)
+		if err != nil {
+			return imagePullOptions, err
+		}
+		if authConfig.Username == "" && authConfig.Password == "" {
+			return imagePullOptions, nil
+		}
+		logger.Info("using DockerAuthConfig authentication for docker pull")
+
+		encodedJSON, err := json.Marshal(authConfig)
+		if err != nil {
+			return imagePullOptions, err
+		}
+
+		imagePullOptions.RegistryAuth = base64.URLEncoding.EncodeToString(encodedJSON)
+	}
+
+	return imagePullOptions, nil
+}
+
+func cleanImage(ctx context.Context, image string) string {
+	ref, err := reference.ParseAnyReference(image)
+	if err != nil {
+		common.Logger(ctx).Error(err)
+		return ""
+	}
+
+	return ref.String()
+}
--- a/act/container/docker_pull_test.go
+++ b/act/container/docker_pull_test.go
@@ -0,0 +1,64 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"testing"
+
+	"github.com/docker/cli/cli/config"
+	log "github.com/sirupsen/logrus"
+	assert "github.com/stretchr/testify/assert"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+func TestCleanImage(t *testing.T) {
+	tables := []struct {
+		imageIn  string
+		imageOut string
+	}{
+		{"myhost.com/foo/bar", "myhost.com/foo/bar"},
+		{"localhost:8000/canonical/ubuntu", "localhost:8000/canonical/ubuntu"},
+		{"localhost/canonical/ubuntu:latest", "localhost/canonical/ubuntu:latest"},
+		{"localhost:8000/canonical/ubuntu:latest", "localhost:8000/canonical/ubuntu:latest"},
+		{"ubuntu", "docker.io/library/ubuntu"},
+		{"ubuntu:18.04", "docker.io/library/ubuntu:18.04"},
+		{"cibuilds/hugo:0.53", "docker.io/cibuilds/hugo:0.53"},
+	}
+
+	for _, table := range tables {
+		imageOut := cleanImage(context.Background(), table.imageIn)
+		assert.Equal(t, table.imageOut, imageOut)
+	}
+}
+
+func TestGetImagePullOptions(t *testing.T) {
+	ctx := context.Background()
+
+	config.SetDir("/non-existent/docker")
+
+	options, err := getImagePullOptions(ctx, NewDockerPullExecutorInput{})
+	assert.Nil(t, err, "Failed to create ImagePullOptions")                                                     //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "", options.RegistryAuth, "RegistryAuth should be empty if no username or password is set") //nolint:testifylint // pre-existing issue from nektos/act
+
+	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
+		Image:    "",
+		Username: "username",
+		Password: "password",
+	})
+	assert.Nil(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZCJ9", options.RegistryAuth, "Username and Password should be provided")
+
+	config.SetDir("testdata/docker-pull-options")
+
+	options, err = getImagePullOptions(ctx, NewDockerPullExecutorInput{
+		Image: "nektos/act",
+	})
+	assert.Nil(t, err, "Failed to create ImagePullOptions") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwicGFzc3dvcmQiOiJwYXNzd29yZFxuIiwic2VydmVyYWRkcmVzcyI6Imh0dHBzOi8vaW5kZXguZG9ja2VyLmlvL3YxLyJ9", options.RegistryAuth, "RegistryAuth should be taken from local docker config")
+}
--- a/act/container/docker_run.go
+++ b/act/container/docker_run.go
@@ -0,0 +1,995 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/act_runner/act/filecollector"
+
+	"github.com/Masterminds/semver"
+	"github.com/docker/cli/cli/compose/loader"
+	"github.com/docker/cli/cli/connhelper"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/go-git/go-billy/v5/helper/polyfill"
+	"github.com/go-git/go-billy/v5/osfs"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/gobwas/glob"
+	"github.com/imdario/mergo"
+	"github.com/joho/godotenv"
+	"github.com/kballard/go-shellquote"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/spf13/pflag"
+	"golang.org/x/term"
+)
+
+// NewContainer creates a reference to a container
+func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
+	cr := new(containerReference)
+	cr.input = input
+	return cr
+}
+
+func (cr *containerReference) ConnectToNetwork(name string) common.Executor {
+	return common.
+		NewDebugExecutor("%sdocker network connect %s %s", logPrefix, name, cr.input.Name).
+		Then(
+			common.NewPipelineExecutor(
+				cr.connect(),
+				cr.connectToNetwork(name, cr.input.NetworkAliases),
+			).IfNot(common.Dryrun),
+		)
+}
+
+func (cr *containerReference) connectToNetwork(name string, aliases []string) common.Executor {
+	return func(ctx context.Context) error {
+		return cr.cli.NetworkConnect(ctx, name, cr.input.Name, &network.EndpointSettings{
+			Aliases: aliases,
+		})
+	}
+}
+
+// supportsContainerImagePlatform returns true if the underlying Docker server
+// API version is 1.41 and beyond
+func supportsContainerImagePlatform(ctx context.Context, cli client.APIClient) bool {
+	logger := common.Logger(ctx)
+	ver, err := cli.ServerVersion(ctx)
+	if err != nil {
+		logger.Panicf("Failed to get Docker API Version: %s", err)
+		return false
+	}
+	sv, err := semver.NewVersion(ver.APIVersion)
+	if err != nil {
+		logger.Panicf("Failed to unmarshal Docker Version: %s", err)
+		return false
+	}
+	constraint, _ := semver.NewConstraint(">= 1.41")
+	return constraint.Check(sv)
+}
+
+func (cr *containerReference) Create(capAdd, capDrop []string) common.Executor {
+	return common.
+		NewInfoExecutor("%sdocker create image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
+		Then(
+			common.NewPipelineExecutor(
+				cr.connect(),
+				cr.find(),
+				cr.create(capAdd, capDrop),
+			).IfNot(common.Dryrun),
+		)
+}
+
+func (cr *containerReference) Start(attach bool) common.Executor {
+	return common.
+		NewInfoExecutor("%sdocker run image=%s platform=%s entrypoint=%+q cmd=%+q network=%+q", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Entrypoint, cr.input.Cmd, cr.input.NetworkMode).
+		Then(
+			common.NewPipelineExecutor(
+				cr.connect(),
+				cr.find(),
+				cr.attach().IfBool(attach),
+				cr.start(),
+				cr.wait().IfBool(attach),
+				cr.tryReadUID(),
+				cr.tryReadGID(),
+				func(ctx context.Context) error {
+					// If this fails, then folders have wrong permissions on non root container
+					if cr.UID != 0 || cr.GID != 0 {
+						_ = cr.Exec([]string{"chown", "-R", fmt.Sprintf("%d:%d", cr.UID, cr.GID), cr.input.WorkingDir}, nil, "0", "")(ctx)
+					}
+					return nil
+				},
+			).IfNot(common.Dryrun),
+		)
+}
+
+func (cr *containerReference) Pull(forcePull bool) common.Executor {
+	return common.
+		NewInfoExecutor("%sdocker pull image=%s platform=%s username=%s forcePull=%t", logPrefix, cr.input.Image, cr.input.Platform, cr.input.Username, forcePull).
+		Then(
+			NewDockerPullExecutor(NewDockerPullExecutorInput{
+				Image:     cr.input.Image,
+				ForcePull: forcePull,
+				Platform:  cr.input.Platform,
+				Username:  cr.input.Username,
+				Password:  cr.input.Password,
+			}),
+		)
+}
+
+func (cr *containerReference) Copy(destPath string, files ...*FileEntry) common.Executor {
+	return common.NewPipelineExecutor(
+		cr.connect(),
+		cr.find(),
+		cr.copyContent(destPath, files...),
+	).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
+	return common.NewPipelineExecutor(
+		common.NewInfoExecutor("%sdocker cp src=%s dst=%s", logPrefix, srcPath, destPath),
+		cr.copyDir(destPath, srcPath, useGitIgnore),
+		func(ctx context.Context) error {
+			// If this fails, then folders have wrong permissions on non root container
+			if cr.UID != 0 || cr.GID != 0 {
+				_ = cr.Exec([]string{"chown", "-R", fmt.Sprintf("%d:%d", cr.UID, cr.GID), destPath}, nil, "0", "")(ctx)
+			}
+			return nil
+		},
+	).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error) {
+	if common.Dryrun(ctx) {
+		return nil, errors.New("DRYRUN is not supported in GetContainerArchive")
+	}
+	a, _, err := cr.cli.CopyFromContainer(ctx, cr.id, srcPath)
+	return a, err
+}
+
+func (cr *containerReference) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
+	return parseEnvFile(cr, srcPath, env).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) UpdateFromImageEnv(env *map[string]string) common.Executor {
+	return cr.extractFromImageEnv(env).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) Exec(command []string, env map[string]string, user, workdir string) common.Executor {
+	return common.NewPipelineExecutor(
+		common.NewInfoExecutor("%sdocker exec cmd=[%s] user=%s workdir=%s", logPrefix, strings.Join(command, " "), user, workdir),
+		cr.connect(),
+		cr.find(),
+		cr.exec(command, env, user, workdir),
+	).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) Remove() common.Executor {
+	return common.NewPipelineExecutor(
+		cr.connect(),
+		cr.find(),
+	).Finally(
+		cr.remove(),
+	).IfNot(common.Dryrun)
+}
+
+func (cr *containerReference) ReplaceLogWriter(stdout, stderr io.Writer) (io.Writer, io.Writer) {
+	out := cr.input.Stdout
+	err := cr.input.Stderr
+
+	cr.input.Stdout = stdout
+	cr.input.Stderr = stderr
+
+	return out, err
+}
+
+type containerReference struct {
+	cli   client.APIClient
+	id    string
+	input *NewContainerInput
+	UID   int
+	GID   int
+	LinuxContainerEnvironmentExtensions
+}
+
+func GetDockerClient(ctx context.Context) (cli client.APIClient, err error) {
+	dockerHost := os.Getenv("DOCKER_HOST")
+
+	if strings.HasPrefix(dockerHost, "ssh://") {
+		var helper *connhelper.ConnectionHelper
+
+		helper, err = connhelper.GetConnectionHelper(dockerHost)
+		if err != nil {
+			return nil, err
+		}
+		cli, err = client.NewClientWithOpts(
+			client.WithHost(helper.Host),
+			client.WithDialContext(helper.Dialer),
+		)
+	} else {
+		cli, err = client.NewClientWithOpts(client.FromEnv)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to docker daemon: %w", err)
+	}
+	cli.NegotiateAPIVersion(ctx)
+
+	return cli, nil
+}
+
+func GetHostInfo(ctx context.Context) (info types.Info, err error) { //nolint:staticcheck // pre-existing issue from nektos/act
+	var cli client.APIClient
+	cli, err = GetDockerClient(ctx)
+	if err != nil {
+		return info, err
+	}
+	defer cli.Close()
+
+	info, err = cli.Info(ctx)
+	if err != nil {
+		return info, err
+	}
+
+	return info, nil
+}
+
+// Arch fetches values from docker info and translates architecture to
+// GitHub actions compatible runner.arch values
+// https://github.com/github/docs/blob/main/data/reusables/actions/runner-arch-description.md
+func RunnerArch(ctx context.Context) string {
+	info, err := GetHostInfo(ctx)
+	if err != nil {
+		return ""
+	}
+
+	archMapper := map[string]string{
+		"x86_64":  "X64",
+		"amd64":   "X64",
+		"386":     "X86",
+		"aarch64": "ARM64",
+		"arm64":   "ARM64",
+	}
+	if arch, ok := archMapper[info.Architecture]; ok {
+		return arch
+	}
+	return info.Architecture
+}
+
+func (cr *containerReference) connect() common.Executor {
+	return func(ctx context.Context) error {
+		if cr.cli != nil {
+			return nil
+		}
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		cr.cli = cli
+		return nil
+	}
+}
+
+func (cr *containerReference) Close() common.Executor {
+	return func(ctx context.Context) error {
+		if cr.cli != nil {
+			err := cr.cli.Close()
+			cr.cli = nil
+			if err != nil {
+				return fmt.Errorf("failed to close client: %w", err)
+			}
+		}
+		return nil
+	}
+}
+
+func (cr *containerReference) find() common.Executor {
+	return func(ctx context.Context) error {
+		if cr.id != "" {
+			return nil
+		}
+		containers, err := cr.cli.ContainerList(ctx, types.ContainerListOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+			All: true,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to list containers: %w", err)
+		}
+
+		for _, c := range containers {
+			for _, name := range c.Names {
+				if name[1:] == cr.input.Name {
+					cr.id = c.ID
+					return nil
+				}
+			}
+		}
+
+		cr.id = ""
+		return nil
+	}
+}
+
+func (cr *containerReference) remove() common.Executor {
+	return func(ctx context.Context) error {
+		if cr.id == "" {
+			return nil
+		}
+
+		logger := common.Logger(ctx)
+		err := cr.cli.ContainerRemove(ctx, cr.id, types.ContainerRemoveOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+			RemoveVolumes: true,
+			Force:         true,
+		})
+		if err != nil {
+			logger.Error(fmt.Errorf("failed to remove container: %w", err))
+		}
+
+		logger.Debugf("Removed container: %v", cr.id)
+		cr.id = ""
+		return nil
+	}
+}
+
+func (cr *containerReference) mergeContainerConfigs(ctx context.Context, config *container.Config, hostConfig *container.HostConfig) (*container.Config, *container.HostConfig, error) {
+	logger := common.Logger(ctx)
+	input := cr.input
+
+	if input.Options == "" {
+		return config, hostConfig, nil
+	}
+
+	// parse configuration from CLI container.options
+	flags := pflag.NewFlagSet("container_flags", pflag.ContinueOnError)
+	copts := addFlags(flags)
+
+	optionsArgs, err := shellquote.Split(input.Options)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot split container options: '%s': '%w'", input.Options, err)
+	}
+
+	err = flags.Parse(optionsArgs)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot parse container options: '%s': '%w'", input.Options, err)
+	}
+
+	// FIXME: If everything is fine after gitea/act v0.260.0, remove the following comment.
+	// In the old fork version, the code is
+	// if len(copts.netMode.Value()) == 0 {
+	// 	if err = copts.netMode.Set("host"); err != nil {
+	// 		return nil, nil, fmt.Errorf("Cannot parse networkmode=host. This is an internal error and should not happen: '%w'", err)
+	// 	}
+	// }
+	// And it has been commented with:
+	//   If a service container's network is set to `host`, the container will not be able to
+	//   connect to the specified network created for the job container and the service containers.
+	//   So comment out the following code.
+	// Not the if it's necessary to comment it in the new version,
+	// since it's cr.input.NetworkMode now.
+
+	if len(copts.netMode.Value()) == 0 {
+		if err = copts.netMode.Set(cr.input.NetworkMode); err != nil {
+			return nil, nil, fmt.Errorf("Cannot parse networkmode=%s. This is an internal error and should not happen: '%w'", cr.input.NetworkMode, err)
+		}
+	}
+
+	// If the `privileged` config has been disabled, `copts.privileged` need to be forced to false,
+	// even if the user specifies `--privileged` in the options string.
+	if !hostConfig.Privileged {
+		copts.privileged = false
+	}
+
+	containerConfig, err := parse(flags, copts, runtime.GOOS)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot process container options: '%s': '%w'", input.Options, err)
+	}
+
+	logger.Debugf("Custom container.Config from options ==> %+v", containerConfig.Config)
+
+	err = mergo.Merge(config, containerConfig.Config, mergo.WithOverride, mergo.WithAppendSlice)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot merge container.Config options: '%s': '%w'", input.Options, err)
+	}
+	logger.Debugf("Merged container.Config ==> %+v", config)
+
+	logger.Debugf("Custom container.HostConfig from options ==> %+v", containerConfig.HostConfig)
+
+	hostConfig.Binds = append(hostConfig.Binds, containerConfig.HostConfig.Binds...)
+	hostConfig.Mounts = append(hostConfig.Mounts, containerConfig.HostConfig.Mounts...)
+	binds := hostConfig.Binds
+	mounts := hostConfig.Mounts
+	networkMode := hostConfig.NetworkMode
+	err = mergo.Merge(hostConfig, containerConfig.HostConfig, mergo.WithOverride)
+	if err != nil {
+		return nil, nil, fmt.Errorf("Cannot merge container.HostConfig options: '%s': '%w'", input.Options, err)
+	}
+	hostConfig.Binds = binds
+	hostConfig.Mounts = mounts
+	if len(copts.netMode.Value()) > 0 {
+		logger.Warn("--network and --net in the options will be ignored.")
+	}
+	hostConfig.NetworkMode = networkMode
+	logger.Debugf("Merged container.HostConfig ==> %+v", hostConfig)
+
+	return config, hostConfig, nil
+}
+
+func (cr *containerReference) create(capAdd, capDrop []string) common.Executor {
+	return func(ctx context.Context) error {
+		if cr.id != "" {
+			return nil
+		}
+		logger := common.Logger(ctx)
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
+		input := cr.input
+
+		config := &container.Config{
+			Image:        input.Image,
+			WorkingDir:   input.WorkingDir,
+			Env:          input.Env,
+			ExposedPorts: input.ExposedPorts,
+			Tty:          isTerminal,
+		}
+		// For Gitea, reduce log noise
+		// logger.Debugf("Common container.Config ==> %+v", config)
+
+		if len(input.Cmd) != 0 {
+			config.Cmd = input.Cmd
+		}
+
+		if len(input.Entrypoint) != 0 {
+			config.Entrypoint = input.Entrypoint
+		}
+
+		mounts := make([]mount.Mount, 0)
+		for mountSource, mountTarget := range input.Mounts {
+			mounts = append(mounts, mount.Mount{
+				Type:   mount.TypeVolume,
+				Source: mountSource,
+				Target: mountTarget,
+			})
+		}
+
+		var platSpecs *specs.Platform
+		if supportsContainerImagePlatform(ctx, cr.cli) && cr.input.Platform != "" {
+			desiredPlatform := strings.SplitN(cr.input.Platform, `/`, 2)
+
+			if len(desiredPlatform) != 2 {
+				return fmt.Errorf("incorrect container platform option '%s'", cr.input.Platform)
+			}
+
+			platSpecs = &specs.Platform{
+				Architecture: desiredPlatform[1],
+				OS:           desiredPlatform[0],
+			}
+		}
+
+		hostConfig := &container.HostConfig{
+			CapAdd:       capAdd,
+			CapDrop:      capDrop,
+			Binds:        input.Binds,
+			Mounts:       mounts,
+			NetworkMode:  container.NetworkMode(input.NetworkMode),
+			Privileged:   input.Privileged,
+			UsernsMode:   container.UsernsMode(input.UsernsMode),
+			PortBindings: input.PortBindings,
+			AutoRemove:   input.AutoRemove,
+		}
+		// For Gitea, reduce log noise
+		// logger.Debugf("Common container.HostConfig ==> %+v", hostConfig)
+
+		config, hostConfig, err := cr.mergeContainerConfigs(ctx, config, hostConfig)
+		if err != nil {
+			return err
+		}
+
+		// For Gitea
+		config, hostConfig = cr.sanitizeConfig(ctx, config, hostConfig)
+
+		var networkingConfig *network.NetworkingConfig
+		// For Gitea, reduce log noise
+		// logger.Debugf("input.NetworkAliases ==> %v", input.NetworkAliases)
+		n := hostConfig.NetworkMode
+		// IsUserDefined and IsHost are broken on windows
+		if n.IsUserDefined() && n != "host" && len(input.NetworkAliases) > 0 {
+			endpointConfig := &network.EndpointSettings{
+				Aliases: input.NetworkAliases,
+			}
+			networkingConfig = &network.NetworkingConfig{
+				EndpointsConfig: map[string]*network.EndpointSettings{
+					input.NetworkMode: endpointConfig,
+				},
+			}
+		}
+
+		resp, err := cr.cli.ContainerCreate(ctx, config, hostConfig, networkingConfig, platSpecs, input.Name)
+		if err != nil {
+			return fmt.Errorf("failed to create container: '%w'", err)
+		}
+
+		logger.Debugf("Created container name=%s id=%v from image %v (platform: %s)", input.Name, resp.ID, input.Image, input.Platform)
+		logger.Debugf("ENV ==> %v", input.Env)
+
+		cr.id = resp.ID
+		return nil
+	}
+}
+
+func (cr *containerReference) extractFromImageEnv(env *map[string]string) common.Executor {
+	envMap := *env
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+
+		inspect, _, err := cr.cli.ImageInspectWithRaw(ctx, cr.input.Image)
+		if err != nil {
+			logger.Error(err)
+			return fmt.Errorf("inspect image: %w", err)
+		}
+
+		if inspect.Config == nil {
+			return nil
+		}
+
+		imageEnv, err := godotenv.Unmarshal(strings.Join(inspect.Config.Env, "\n"))
+		if err != nil {
+			logger.Error(err)
+			return fmt.Errorf("unmarshal image env: %w", err)
+		}
+
+		for k, v := range imageEnv {
+			if k == "PATH" {
+				if envMap[k] == "" {
+					envMap[k] = v
+				} else {
+					envMap[k] += `:` + v
+				}
+			} else if envMap[k] == "" {
+				envMap[k] = v
+			}
+		}
+
+		env = &envMap
+		return nil
+	}
+}
+
+func (cr *containerReference) exec(cmd []string, env map[string]string, user, workdir string) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		// Fix slashes when running on Windows
+		if runtime.GOOS == "windows" {
+			var newCmd []string
+			for _, v := range cmd {
+				newCmd = append(newCmd, strings.ReplaceAll(v, `\`, `/`))
+			}
+			cmd = newCmd
+		}
+
+		logger.Debugf("Exec command '%s'", cmd)
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
+		envList := make([]string, 0)
+		for k, v := range env {
+			envList = append(envList, fmt.Sprintf("%s=%s", k, v))
+		}
+
+		var wd string
+		if workdir != "" {
+			if strings.HasPrefix(workdir, "/") {
+				wd = workdir
+			} else {
+				wd = fmt.Sprintf("%s/%s", cr.input.WorkingDir, workdir)
+			}
+		} else {
+			wd = cr.input.WorkingDir
+		}
+		logger.Debugf("Working directory '%s'", wd)
+
+		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
+			User:         user,
+			Cmd:          cmd,
+			WorkingDir:   wd,
+			Env:          envList,
+			Tty:          isTerminal,
+			AttachStderr: true,
+			AttachStdout: true,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create exec: %w", err)
+		}
+
+		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{
+			Tty: isTerminal,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to attach to exec: %w", err)
+		}
+		defer resp.Close()
+
+		err = cr.waitForCommand(ctx, isTerminal, resp, idResp, user, workdir)
+		if err != nil {
+			return err
+		}
+
+		inspectResp, err := cr.cli.ContainerExecInspect(ctx, idResp.ID)
+		if err != nil {
+			return fmt.Errorf("failed to inspect exec: %w", err)
+		}
+
+		switch inspectResp.ExitCode {
+		case 0:
+			return nil
+		case 127:
+			return fmt.Errorf("exitcode '%d': command not found, please refer to https://github.com/nektos/act/issues/107 for more information", inspectResp.ExitCode)
+		default:
+			return fmt.Errorf("exitcode '%d': failure", inspectResp.ExitCode)
+		}
+	}
+}
+
+func (cr *containerReference) tryReadID(opt string, cbk func(id int)) common.Executor {
+	return func(ctx context.Context) error {
+		idResp, err := cr.cli.ContainerExecCreate(ctx, cr.id, types.ExecConfig{
+			Cmd:          []string{"id", opt},
+			AttachStdout: true,
+			AttachStderr: true,
+		})
+		if err != nil {
+			return nil
+		}
+
+		resp, err := cr.cli.ContainerExecAttach(ctx, idResp.ID, types.ExecStartCheck{})
+		if err != nil {
+			return nil
+		}
+		defer resp.Close()
+
+		sid, err := resp.Reader.ReadString('\n')
+		if err != nil {
+			return nil
+		}
+		exp := regexp.MustCompile(`\d+\n`)
+		found := exp.FindString(sid)
+		id, err := strconv.ParseInt(strings.TrimSpace(found), 10, 32)
+		if err != nil {
+			return nil
+		}
+		cbk(int(id))
+
+		return nil
+	}
+}
+
+func (cr *containerReference) tryReadUID() common.Executor {
+	return cr.tryReadID("-u", func(id int) { cr.UID = id })
+}
+
+func (cr *containerReference) tryReadGID() common.Executor {
+	return cr.tryReadID("-g", func(id int) { cr.GID = id })
+}
+
+func (cr *containerReference) waitForCommand(ctx context.Context, isTerminal bool, resp types.HijackedResponse, _ types.IDResponse, _, _ string) error {
+	logger := common.Logger(ctx)
+
+	cmdResponse := make(chan error)
+
+	go func() {
+		var outWriter io.Writer
+		outWriter = cr.input.Stdout
+		if outWriter == nil {
+			outWriter = os.Stdout
+		}
+		errWriter := cr.input.Stderr
+		if errWriter == nil {
+			errWriter = os.Stderr
+		}
+
+		var err error
+		if !isTerminal || os.Getenv("NORAW") != "" {
+			_, err = stdcopy.StdCopy(outWriter, errWriter, resp.Reader)
+		} else {
+			_, err = io.Copy(outWriter, resp.Reader)
+		}
+		cmdResponse <- err
+	}()
+
+	select {
+	case <-ctx.Done():
+		// send ctrl + c
+		_, err := resp.Conn.Write([]byte{3})
+		if err != nil {
+			logger.Warnf("Failed to send CTRL+C: %+s", err)
+		}
+
+		// we return the context canceled error to prevent other steps
+		// from executing
+		return ctx.Err()
+	case err := <-cmdResponse:
+		if err != nil {
+			logger.Error(err)
+		}
+
+		return nil
+	}
+}
+
+func (cr *containerReference) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
+	// Mkdir
+	buf := &bytes.Buffer{}
+	tw := tar.NewWriter(buf)
+	_ = tw.WriteHeader(&tar.Header{
+		Name:     destPath,
+		Mode:     0o777,
+		Typeflag: tar.TypeDir,
+	})
+	tw.Close()
+	err := cr.cli.CopyToContainer(ctx, cr.id, "/", buf, types.CopyToContainerOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to mkdir to copy content to container: %w", err)
+	}
+	// Copy Content
+	err = cr.cli.CopyToContainer(ctx, cr.id, destPath, tarStream, types.CopyToContainerOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to copy content to container: %w", err)
+	}
+	// If this fails, then folders have wrong permissions on non root container
+	if cr.UID != 0 || cr.GID != 0 {
+		_ = cr.Exec([]string{"chown", "-R", fmt.Sprintf("%d:%d", cr.UID, cr.GID), destPath}, nil, "0", "")(ctx)
+	}
+	return nil
+}
+
+func (cr *containerReference) copyDir(dstPath, srcPath string, useGitIgnore bool) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		tarFile, err := os.CreateTemp("", "act")
+		if err != nil {
+			return err
+		}
+		logger.Debugf("Writing tarball %s from %s", tarFile.Name(), srcPath)
+		defer func(tarFile *os.File) {
+			name := tarFile.Name()
+			err := tarFile.Close()
+			if !errors.Is(err, os.ErrClosed) {
+				logger.Error(err)
+			}
+			err = os.Remove(name)
+			if err != nil {
+				logger.Error(err)
+			}
+		}(tarFile)
+		tw := tar.NewWriter(tarFile)
+
+		srcPrefix := filepath.Dir(srcPath)
+		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
+			srcPrefix += string(filepath.Separator)
+		}
+		logger.Debugf("Stripping prefix:%s src:%s", srcPrefix, srcPath)
+
+		var ignorer gitignore.Matcher
+		if useGitIgnore {
+			ps, err := gitignore.ReadPatterns(polyfill.New(osfs.New(srcPath)), nil)
+			if err != nil {
+				logger.Debugf("Error loading .gitignore: %v", err)
+			}
+
+			ignorer = gitignore.NewMatcher(ps)
+		}
+
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
+			Ignorer:   ignorer,
+			SrcPath:   srcPath,
+			SrcPrefix: srcPrefix,
+			Handler: &filecollector.TarCollector{
+				TarWriter: tw,
+				UID:       cr.UID,
+				GID:       cr.GID,
+				DstDir:    dstPath[1:],
+			},
+		}
+
+		err = filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
+		if err != nil {
+			return err
+		}
+		if err := tw.Close(); err != nil {
+			return err
+		}
+
+		logger.Debugf("Extracting content from '%s' to '%s'", tarFile.Name(), dstPath)
+		_, err = tarFile.Seek(0, 0)
+		if err != nil {
+			return fmt.Errorf("failed to seek tar archive: %w", err)
+		}
+		err = cr.cli.CopyToContainer(ctx, cr.id, "/", tarFile, types.CopyToContainerOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to copy content to container: %w", err)
+		}
+		return nil
+	}
+}
+
+func (cr *containerReference) copyContent(dstPath string, files ...*FileEntry) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		var buf bytes.Buffer
+		tw := tar.NewWriter(&buf)
+		for _, file := range files {
+			logger.Debugf("Writing entry to tarball %s len:%d", file.Name, len(file.Body))
+			hdr := &tar.Header{
+				Name: file.Name,
+				Mode: file.Mode,
+				Size: int64(len(file.Body)),
+				Uid:  cr.UID,
+				Gid:  cr.GID,
+			}
+			if err := tw.WriteHeader(hdr); err != nil {
+				return err
+			}
+			if _, err := tw.Write([]byte(file.Body)); err != nil {
+				return err
+			}
+		}
+		if err := tw.Close(); err != nil {
+			return err
+		}
+
+		logger.Debugf("Extracting content to '%s'", dstPath)
+		err := cr.cli.CopyToContainer(ctx, cr.id, dstPath, &buf, types.CopyToContainerOptions{})
+		if err != nil {
+			return fmt.Errorf("failed to copy content to container: %w", err)
+		}
+		return nil
+	}
+}
+
+func (cr *containerReference) attach() common.Executor {
+	return func(ctx context.Context) error {
+		out, err := cr.cli.ContainerAttach(ctx, cr.id, types.ContainerAttachOptions{ //nolint:staticcheck // pre-existing issue from nektos/act
+			Stream: true,
+			Stdout: true,
+			Stderr: true,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to attach to container: %w", err)
+		}
+		isTerminal := term.IsTerminal(int(os.Stdout.Fd()))
+
+		var outWriter io.Writer
+		outWriter = cr.input.Stdout
+		if outWriter == nil {
+			outWriter = os.Stdout
+		}
+		errWriter := cr.input.Stderr
+		if errWriter == nil {
+			errWriter = os.Stderr
+		}
+		go func() {
+			if !isTerminal || os.Getenv("NORAW") != "" {
+				_, err = stdcopy.StdCopy(outWriter, errWriter, out.Reader)
+			} else {
+				_, err = io.Copy(outWriter, out.Reader)
+			}
+			if err != nil {
+				common.Logger(ctx).Error(err)
+			}
+		}()
+		return nil
+	}
+}
+
+func (cr *containerReference) start() common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Debugf("Starting container: %v", cr.id)
+
+		if err := cr.cli.ContainerStart(ctx, cr.id, types.ContainerStartOptions{}); err != nil { //nolint:staticcheck // pre-existing issue from nektos/act
+			return fmt.Errorf("failed to start container: %w", err)
+		}
+
+		logger.Debugf("Started container: %v", cr.id)
+		return nil
+	}
+}
+
+func (cr *containerReference) wait() common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		statusCh, errCh := cr.cli.ContainerWait(ctx, cr.id, container.WaitConditionNotRunning)
+		var statusCode int64
+		select {
+		case err := <-errCh:
+			if err != nil {
+				return fmt.Errorf("failed to wait for container: %w", err)
+			}
+		case status := <-statusCh:
+			statusCode = status.StatusCode
+		}
+
+		logger.Debugf("Return status: %v", statusCode)
+
+		if statusCode == 0 {
+			return nil
+		}
+
+		return fmt.Errorf("exit with `FAILURE`: %v", statusCode)
+	}
+}
+
+// For Gitea
+// sanitizeConfig remove the invalid configurations from `config` and `hostConfig`
+func (cr *containerReference) sanitizeConfig(ctx context.Context, config *container.Config, hostConfig *container.HostConfig) (*container.Config, *container.HostConfig) {
+	logger := common.Logger(ctx)
+
+	if len(cr.input.ValidVolumes) > 0 {
+		globs := make([]glob.Glob, 0, len(cr.input.ValidVolumes))
+		for _, v := range cr.input.ValidVolumes {
+			if g, err := glob.Compile(v); err != nil {
+				logger.Errorf("create glob from %s error: %v", v, err)
+			} else {
+				globs = append(globs, g)
+			}
+		}
+		isValid := func(v string) bool {
+			for _, g := range globs {
+				if g.Match(v) {
+					return true
+				}
+			}
+			return false
+		}
+		// sanitize binds
+		sanitizedBinds := make([]string, 0, len(hostConfig.Binds))
+		for _, bind := range hostConfig.Binds {
+			parsed, err := loader.ParseVolume(bind)
+			if err != nil {
+				logger.Warnf("parse volume [%s] error: %v", bind, err)
+				continue
+			}
+			if parsed.Source == "" {
+				// anonymous volume
+				sanitizedBinds = append(sanitizedBinds, bind)
+				continue
+			}
+			if isValid(parsed.Source) {
+				sanitizedBinds = append(sanitizedBinds, bind)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", parsed.Source)
+			}
+		}
+		hostConfig.Binds = sanitizedBinds
+		// sanitize mounts
+		sanitizedMounts := make([]mount.Mount, 0, len(hostConfig.Mounts))
+		for _, mt := range hostConfig.Mounts {
+			if isValid(mt.Source) {
+				sanitizedMounts = append(sanitizedMounts, mt)
+			} else {
+				logger.Warnf("[%s] is not a valid volume, will be ignored", mt.Source)
+			}
+		}
+		hostConfig.Mounts = sanitizedMounts
+	} else {
+		hostConfig.Binds = []string{}
+		hostConfig.Mounts = []mount.Mount{}
+	}
+
+	return config, hostConfig
+}
--- a/act/container/docker_run_test.go
+++ b/act/container/docker_run_test.go
@@ -0,0 +1,329 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
+	"io"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestDocker(t *testing.T) {
+	ctx := context.Background()
+	client, err := GetDockerClient(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer client.Close()
+
+	dockerBuild := NewDockerBuildExecutor(NewDockerBuildExecutorInput{
+		ContextDir: "testdata",
+		ImageTag:   "envmergetest",
+	})
+
+	err = dockerBuild(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	cr := &containerReference{
+		cli: client,
+		input: &NewContainerInput{
+			Image: "envmergetest",
+		},
+	}
+	env := map[string]string{
+		"PATH":         "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin",
+		"RANDOM_VAR":   "WITH_VALUE",
+		"ANOTHER_VAR":  "",
+		"CONFLICT_VAR": "I_EXIST_IN_MULTIPLE_PLACES",
+	}
+
+	envExecutor := cr.extractFromImageEnv(&env)
+	err = envExecutor(ctx)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, map[string]string{
+		"PATH":            "/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/this/path/does/not/exists/anywhere:/this/either",
+		"RANDOM_VAR":      "WITH_VALUE",
+		"ANOTHER_VAR":     "",
+		"SOME_RANDOM_VAR": "",
+		"ANOTHER_ONE":     "BUT_I_HAVE_VALUE",
+		"CONFLICT_VAR":    "I_EXIST_IN_MULTIPLE_PLACES",
+	}, env)
+}
+
+type mockDockerClient struct {
+	client.APIClient
+	mock.Mock
+}
+
+func (m *mockDockerClient) ContainerExecCreate(ctx context.Context, id string, opts types.ExecConfig) (types.IDResponse, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(types.IDResponse), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerExecAttach(ctx context.Context, id string, opts types.ExecStartCheck) (types.HijackedResponse, error) {
+	args := m.Called(ctx, id, opts)
+	return args.Get(0).(types.HijackedResponse), args.Error(1)
+}
+
+func (m *mockDockerClient) ContainerExecInspect(ctx context.Context, execID string) (types.ContainerExecInspect, error) {
+	args := m.Called(ctx, execID)
+	return args.Get(0).(types.ContainerExecInspect), args.Error(1)
+}
+
+func (m *mockDockerClient) CopyToContainer(ctx context.Context, id, path string, content io.Reader, options types.CopyToContainerOptions) error {
+	args := m.Called(ctx, id, path, content, options)
+	return args.Error(0)
+}
+
+type endlessReader struct {
+	io.Reader
+}
+
+func (r endlessReader) Read(_ []byte) (n int, err error) {
+	return 1, nil
+}
+
+type mockConn struct {
+	net.Conn
+	mock.Mock
+}
+
+func (m *mockConn) Write(b []byte) (n int, err error) {
+	args := m.Called(b)
+	return args.Int(0), args.Error(1)
+}
+
+func (m *mockConn) Close() (err error) {
+	return nil
+}
+
+func TestDockerExecAbort(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	conn := &mockConn{}
+	conn.On("Write", mock.AnythingOfType("[]uint8")).Return(1, nil)
+
+	client := &mockDockerClient{}
+	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
+	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
+		Conn:   conn,
+		Reader: bufio.NewReader(endlessReader{}),
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	channel := make(chan error)
+
+	go func() {
+		channel <- cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	}()
+
+	time.Sleep(500 * time.Millisecond)
+
+	cancel()
+
+	err := <-channel
+	assert.ErrorIs(t, err, context.Canceled) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerExecFailure(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	client := &mockDockerClient{}
+	client.On("ContainerExecCreate", ctx, "123", mock.AnythingOfType("types.ExecConfig")).Return(types.IDResponse{ID: "id"}, nil)
+	client.On("ContainerExecAttach", ctx, "id", mock.AnythingOfType("types.ExecStartCheck")).Return(types.HijackedResponse{
+		Conn:   conn,
+		Reader: bufio.NewReader(strings.NewReader("output")),
+	}, nil)
+	client.On("ContainerExecInspect", ctx, "id").Return(types.ContainerExecInspect{
+		ExitCode: 1,
+	}, nil)
+
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.exec([]string{""}, map[string]string{}, "user", "workdir")(ctx)
+	assert.Error(t, err, "exit with `FAILURE`: 1") //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStream(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	_ = cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInCopyFiles(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+func TestDockerCopyTarStreamErrorInMkdir(t *testing.T) {
+	ctx := context.Background()
+
+	conn := &mockConn{}
+
+	merr := errors.New("Failure")
+
+	client := &mockDockerClient{}
+	client.On("CopyToContainer", ctx, "123", "/", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(nil)
+	client.On("CopyToContainer", ctx, "123", "/var/run/act", mock.Anything, mock.AnythingOfType("types.CopyToContainerOptions")).Return(merr)
+	cr := &containerReference{
+		id:  "123",
+		cli: client,
+		input: &NewContainerInput{
+			Image: "image",
+		},
+	}
+
+	err := cr.CopyTarStream(ctx, "/var/run/act", &bytes.Buffer{})
+	assert.ErrorIs(t, err, merr) //nolint:testifylint // pre-existing issue from nektos/act
+
+	conn.AssertExpectations(t)
+	client.AssertExpectations(t)
+}
+
+// Type assert containerReference implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &containerReference{}
+
+func TestCheckVolumes(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		validVolumes  []string
+		binds         []string
+		expectedBinds []string
+	}{
+		{
+			desc:         "match all volumes",
+			validVolumes: []string{"**"},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+		},
+		{
+			desc:         "no volumes can be matched",
+			validVolumes: []string{},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{},
+		},
+		{
+			desc: "only allowed volumes can be matched",
+			validVolumes: []string{
+				"shared_volume",
+				"/home/test/data",
+				"/etc/conf.d/*.json",
+			},
+			binds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+				"sql_data:/sql_data",
+				"/secrets/keys:/keys",
+			},
+			expectedBinds: []string{
+				"shared_volume:/shared_volume",
+				"/home/test/data:/test_data",
+				"/etc/conf.d/base.json:/config/base.json",
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+			logger, _ := test.NewNullLogger()
+			ctx := common.WithLogger(context.Background(), logger)
+			cr := &containerReference{
+				input: &NewContainerInput{
+					ValidVolumes: tc.validVolumes,
+				},
+			}
+			_, hostConf := cr.sanitizeConfig(ctx, &container.Config{}, &container.HostConfig{Binds: tc.binds})
+			assert.Equal(t, tc.expectedBinds, hostConf.Binds)
+		})
+	}
+}
--- a/act/container/docker_socket.go
+++ b/act/container/docker_socket.go
@@ -0,0 +1,138 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var CommonSocketLocations = []string{
+	"/var/run/docker.sock",
+	"/run/podman/podman.sock",
+	"$HOME/.colima/docker.sock",
+	"$XDG_RUNTIME_DIR/docker.sock",
+	"$XDG_RUNTIME_DIR/podman/podman.sock",
+	`\\.\pipe\docker_engine`,
+	"$HOME/.docker/run/docker.sock",
+}
+
+// returns socket URI or false if not found any
+func socketLocation() (string, bool) {
+	if dockerHost, exists := os.LookupEnv("DOCKER_HOST"); exists {
+		return dockerHost, true
+	}
+
+	for _, p := range CommonSocketLocations {
+		if _, err := os.Lstat(os.ExpandEnv(p)); err == nil {
+			if strings.HasPrefix(p, `\\.\`) {
+				return "npipe://" + filepath.ToSlash(os.ExpandEnv(p)), true
+			}
+			return "unix://" + filepath.ToSlash(os.ExpandEnv(p)), true
+		}
+	}
+
+	return "", false
+}
+
+// This function, `isDockerHostURI`, takes a string argument `daemonPath`. It checks if the
+// `daemonPath` is a valid Docker host URI. It does this by checking if the scheme of the URI (the
+// part before "://") contains only alphabetic characters. If it does, the function returns true,
+// indicating that the `daemonPath` is a Docker host URI. If it doesn't, or if the "://" delimiter
+// is not found in the `daemonPath`, the function returns false.
+func isDockerHostURI(daemonPath string) bool {
+	if before, _, ok := strings.Cut(daemonPath, "://"); ok {
+		scheme := before
+		if strings.IndexFunc(scheme, func(r rune) bool {
+			return (r < 'a' || r > 'z') && (r < 'A' || r > 'Z')
+		}) == -1 {
+			return true
+		}
+	}
+	return false
+}
+
+type SocketAndHost struct {
+	Socket string
+	Host   string
+}
+
+func GetSocketAndHost(containerSocket string) (SocketAndHost, error) {
+	log.Debugf("Handling container host and socket")
+
+	// Prefer DOCKER_HOST, don't override it
+	dockerHost, hasDockerHost := socketLocation()
+	socketHost := SocketAndHost{Socket: containerSocket, Host: dockerHost}
+
+	// ** socketHost.Socket cases **
+	// Case 1: User does _not_ want to mount a daemon socket (passes a dash)
+	// Case 2: User passes a filepath to the socket; is that even valid?
+	// Case 3: User passes a valid socket; do nothing
+	// Case 4: User omitted the flag; set a sane default
+
+	// ** DOCKER_HOST cases **
+	// Case A: DOCKER_HOST is set; use it, i.e. do nothing
+	// Case B: DOCKER_HOST is empty; use sane defaults
+
+	// Set host for sanity's sake, when the socket isn't useful
+	if !hasDockerHost && (socketHost.Socket == "-" || !isDockerHostURI(socketHost.Socket) || socketHost.Socket == "") {
+		// Cases: 1B, 2B, 4B
+		socket, found := socketLocation()
+		socketHost.Host = socket
+		hasDockerHost = found
+	}
+
+	// A - (dash) in socketHost.Socket means don't mount, preserve this value
+	// otherwise if socketHost.Socket is a filepath don't use it as socket
+	// Exit early if we're in an invalid state (e.g. when no DOCKER_HOST and user supplied "-", a dash or omitted)
+	if !hasDockerHost && socketHost.Socket != "" && !isDockerHostURI(socketHost.Socket) {
+		// Cases: 1B, 2B
+		// Should we early-exit here, since there is no host nor socket to talk to?
+		return SocketAndHost{}, fmt.Errorf("DOCKER_HOST was not set, couldn't be found in the usual locations, and the container daemon socket ('%s') is invalid", socketHost.Socket)
+	}
+
+	// Default to DOCKER_HOST if set
+	if socketHost.Socket == "" && hasDockerHost {
+		// Cases: 4A
+		log.Debugf("Defaulting container socket to DOCKER_HOST")
+		socketHost.Socket = socketHost.Host
+	}
+	// Set sane default socket location if user omitted it
+	if socketHost.Socket == "" {
+		// Cases: 4B
+		socket, _ := socketLocation()
+		// socket is empty if it isn't found, so assignment here is at worst a no-op
+		log.Debugf("Defaulting container socket to default '%s'", socket)
+		socketHost.Socket = socket
+	}
+
+	// Exit if both the DOCKER_HOST and socket are fulfilled
+	if hasDockerHost {
+		// Cases: 1A, 2A, 3A, 4A
+		if !isDockerHostURI(socketHost.Socket) {
+			// Cases: 1A, 2A
+			log.Debugf("DOCKER_HOST is set, but socket is invalid '%s'", socketHost.Socket)
+		}
+		return socketHost, nil
+	}
+
+	// Set a sane DOCKER_HOST default if we can
+	if isDockerHostURI(socketHost.Socket) {
+		// Cases: 3B
+		log.Debugf("Setting DOCKER_HOST to container socket '%s'", socketHost.Socket)
+		socketHost.Host = socketHost.Socket
+		// Both DOCKER_HOST and container socket are valid; short-circuit exit
+		return socketHost, nil
+	}
+
+	// Here there is no DOCKER_HOST _and_ the supplied container socket is not a valid URI (either invalid or a file path)
+	// Cases: 2B <- but is already handled at the top
+	// I.e. this path should never be taken
+	return SocketAndHost{}, fmt.Errorf("no DOCKER_HOST and an invalid container socket '%s'", socketHost.Socket)
+}
--- a/act/container/docker_socket_test.go
+++ b/act/container/docker_socket_test.go
@@ -0,0 +1,154 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"os"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	assert "github.com/stretchr/testify/assert"
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+var originalCommonSocketLocations = CommonSocketLocations
+
+func TestGetSocketAndHostWithSocket(t *testing.T) {
+	// Arrange
+	CommonSocketLocations = originalCommonSocketLocations
+	dockerHost := "unix:///my/docker/host.sock"
+	socketURI := "/path/to/my.socket"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{socketURI, dockerHost}, ret)
+}
+
+func TestGetSocketAndHostNoSocket(t *testing.T) {
+	// Arrange
+	dockerHost := "unix:///my/docker/host.sock"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{dockerHost, dockerHost}, ret)
+}
+
+func TestGetSocketAndHostOnlySocket(t *testing.T) {
+	// Arrange
+	socketURI := "/path/to/my.socket"
+	os.Unsetenv("DOCKER_HOST")
+	CommonSocketLocations = originalCommonSocketLocations
+	defaultSocket, defaultSocketFound := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	assert.NoError(t, err, "Expected no error from GetSocketAndHost")            //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, true, defaultSocketFound, "Expected to find default socket") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, socketURI, ret.Socket, "Expected socket to match common location")
+	assert.Equal(t, defaultSocket, ret.Host, "Expected ret.Host to match default socket location")
+}
+
+func TestGetSocketAndHostDontMount(t *testing.T) {
+	// Arrange
+	CommonSocketLocations = originalCommonSocketLocations
+	dockerHost := "unix:///my/docker/host.sock"
+	t.Setenv("DOCKER_HOST", dockerHost)
+
+	// Act
+	ret, err := GetSocketAndHost("-")
+
+	// Assert
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{"-", dockerHost}, ret)
+}
+
+func TestGetSocketAndHostNoHostNoSocket(t *testing.T) {
+	// Arrange
+	CommonSocketLocations = originalCommonSocketLocations
+	os.Unsetenv("DOCKER_HOST")
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.Equal(t, true, found, "Expected a default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Nil(t, err, "Expected no error from GetSocketAndHost")         //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{defaultSocket, defaultSocket}, ret, "Expected to match default socket location")
+}
+
+// Catch
+// > Your code breaks setting DOCKER_HOST if shouldMount is false.
+// > This happens if neither DOCKER_HOST nor --container-daemon-socket has a value, but socketLocation() returns a URI
+func TestGetSocketAndHostNoHostNoSocketDefaultLocation(t *testing.T) {
+	// Arrange
+	mySocketFile, tmpErr := os.CreateTemp(t.TempDir(), "act-*.sock")
+	mySocket := mySocketFile.Name()
+	unixSocket := "unix://" + mySocket
+	defer os.RemoveAll(mySocket)
+	assert.NoError(t, tmpErr) //nolint:testifylint // pre-existing issue from nektos/act
+	os.Unsetenv("DOCKER_HOST")
+
+	CommonSocketLocations = []string{mySocket}
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost("")
+
+	// Assert
+	assert.Equal(t, unixSocket, defaultSocket, "Expected default socket to match common socket location")
+	assert.Equal(t, true, found, "Expected default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Nil(t, err, "Expected no error from GetSocketAndHost")       //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{unixSocket, unixSocket}, ret, "Expected to match default socket location")
+}
+
+func TestGetSocketAndHostNoHostInvalidSocket(t *testing.T) {
+	// Arrange
+	os.Unsetenv("DOCKER_HOST")
+	mySocket := "/my/socket/path.sock"
+	CommonSocketLocations = []string{"/unusual", "/socket", "/location"}
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(mySocket)
+
+	// Assert
+	assert.Equal(t, false, found, "Expected no default socket to be found")      //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "", defaultSocket, "Expected no default socket to be found") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, SocketAndHost{}, ret, "Expected to match default socket location")
+	assert.Error(t, err, "Expected an error in invalid state")
+}
+
+func TestGetSocketAndHostOnlySocketValidButUnusualLocation(t *testing.T) {
+	// Arrange
+	socketURI := "unix:///path/to/my.socket"
+	CommonSocketLocations = []string{"/unusual", "/location"}
+	os.Unsetenv("DOCKER_HOST")
+	defaultSocket, found := socketLocation()
+
+	// Act
+	ret, err := GetSocketAndHost(socketURI)
+
+	// Assert
+	// Default socket locations
+	assert.Equal(t, "", defaultSocket, "Expect default socket location to be empty") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, false, found, "Expected no default socket to be found")          //nolint:testifylint // pre-existing issue from nektos/act
+	// Sane default
+	assert.Nil(t, err, "Expect no error from GetSocketAndHost") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, socketURI, ret.Host, "Expect host to default to unusual socket")
+}
--- a/act/container/docker_stub.go
+++ b/act/container/docker_stub.go
@@ -0,0 +1,74 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2023 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build WITHOUT_DOCKER || !(linux || darwin || windows || netbsd)
+
+package container
+
+import (
+	"context"
+	"runtime"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+)
+
+// ImageExistsLocally returns a boolean indicating if an image with the
+// requested name, tag and architecture exists in the local docker image store
+func ImageExistsLocally(ctx context.Context, imageName, platform string) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// RemoveImage removes image from local store, the function is used to run different
+// container image architectures
+func RemoveImage(ctx context.Context, imageName string, force, pruneChildren bool) (bool, error) {
+	return false, errors.New("Unsupported Operation")
+}
+
+// NewDockerBuildExecutor function to create a run executor for the container
+func NewDockerBuildExecutor(input NewDockerBuildExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewDockerPullExecutor function to create a run executor for the container
+func NewDockerPullExecutor(input NewDockerPullExecutorInput) common.Executor {
+	return func(ctx context.Context) error {
+		return errors.New("Unsupported Operation")
+	}
+}
+
+// NewContainer creates a reference to a container
+func NewContainer(input *NewContainerInput) ExecutionsEnvironment {
+	return nil
+}
+
+func RunnerArch(ctx context.Context) string {
+	return runtime.GOOS
+}
+
+func GetHostInfo(ctx context.Context) (info types.Info, err error) {
+	return types.Info{}, nil
+}
+
+func NewDockerVolumeRemoveExecutor(volume string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func NewDockerNetworkCreateExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func NewDockerNetworkRemoveExecutor(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
--- a/act/container/docker_volume.go
+++ b/act/container/docker_volume.go
@@ -0,0 +1,59 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !(WITHOUT_DOCKER || !(linux || darwin || windows || netbsd))
+
+package container
+
+import (
+	"context"
+
+	"gitea.com/gitea/act_runner/act/common"
+
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/volume"
+)
+
+func NewDockerVolumeRemoveExecutor(volumeName string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		list, err := cli.VolumeList(ctx, volume.ListOptions{Filters: filters.NewArgs()})
+		if err != nil {
+			return err
+		}
+
+		for _, vol := range list.Volumes {
+			if vol.Name == volumeName {
+				return removeExecutor(volumeName, force)(ctx)
+			}
+		}
+
+		// Volume not found - do nothing
+		return nil
+	}
+}
+
+func removeExecutor(volume string, force bool) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		logger.Debugf("%sdocker volume rm %s", logPrefix, volume)
+
+		if common.Dryrun(ctx) {
+			return nil
+		}
+
+		cli, err := GetDockerClient(ctx)
+		if err != nil {
+			return err
+		}
+		defer cli.Close()
+
+		return cli.VolumeRemove(ctx, volume, force)
+	}
+}
--- a/act/container/executions_environment.go
+++ b/act/container/executions_environment.go
@@ -0,0 +1,19 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import "context"
+
+type ExecutionsEnvironment interface {
+	Container
+	ToContainerPath(string) string
+	GetActPath() string
+	GetPathVariableName() string
+	DefaultPathVariable() string
+	JoinPathVariable(...string) string
+	GetRunnerContext(ctx context.Context) map[string]any
+	// On windows PATH and Path are the same key
+	IsEnvironmentCaseInsensitive() bool
+}
--- a/act/container/host_environment.go
+++ b/act/container/host_environment.go
@@ -0,0 +1,474 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"time"
+
+	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/act_runner/act/filecollector"
+	"gitea.com/gitea/act_runner/act/lookpath"
+
+	"github.com/go-git/go-billy/v5/helper/polyfill"
+	"github.com/go-git/go-billy/v5/osfs"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"golang.org/x/term"
+)
+
+type HostEnvironment struct {
+	Path      string
+	TmpDir    string
+	ToolCache string
+	Workdir   string
+	ActPath   string
+	CleanUp   func()
+	StdOut    io.Writer
+}
+
+func (e *HostEnvironment) Create(_, _ []string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) ConnectToNetwork(name string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Close() common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Copy(destPath string, files ...*FileEntry) common.Executor {
+	return func(ctx context.Context) error {
+		for _, f := range files {
+			if err := os.MkdirAll(filepath.Dir(filepath.Join(destPath, f.Name)), 0o777); err != nil {
+				return err
+			}
+			if err := os.WriteFile(filepath.Join(destPath, f.Name), []byte(f.Body), fs.FileMode(f.Mode)); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func (e *HostEnvironment) CopyTarStream(ctx context.Context, destPath string, tarStream io.Reader) error {
+	if err := os.RemoveAll(destPath); err != nil {
+		return err
+	}
+	tr := tar.NewReader(tarStream)
+	cp := &filecollector.CopyCollector{
+		DstDir: destPath,
+	}
+	for {
+		ti, err := tr.Next()
+		if errors.Is(err, io.EOF) {
+			return nil
+		} else if err != nil {
+			return err
+		}
+		if ti.FileInfo().IsDir() {
+			continue
+		}
+		if ctx.Err() != nil {
+			return errors.New("CopyTarStream has been cancelled")
+		}
+		if err := cp.WriteFile(ti.Name, ti.FileInfo(), ti.Linkname, tr); err != nil {
+			return err
+		}
+	}
+}
+
+func (e *HostEnvironment) CopyDir(destPath, srcPath string, useGitIgnore bool) common.Executor {
+	return func(ctx context.Context) error {
+		logger := common.Logger(ctx)
+		srcPrefix := filepath.Dir(srcPath)
+		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
+			srcPrefix += string(filepath.Separator)
+		}
+		logger.Debugf("Stripping prefix:%s src:%s", srcPrefix, srcPath)
+		var ignorer gitignore.Matcher
+		if useGitIgnore {
+			ps, err := gitignore.ReadPatterns(polyfill.New(osfs.New(srcPath)), nil)
+			if err != nil {
+				logger.Debugf("Error loading .gitignore: %v", err)
+			}
+
+			ignorer = gitignore.NewMatcher(ps)
+		}
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
+			Ignorer:   ignorer,
+			SrcPath:   srcPath,
+			SrcPrefix: srcPrefix,
+			Handler: &filecollector.CopyCollector{
+				DstDir: destPath,
+			},
+		}
+		return filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
+	}
+}
+
+func (e *HostEnvironment) GetContainerArchive(ctx context.Context, srcPath string) (io.ReadCloser, error) {
+	buf := &bytes.Buffer{}
+	tw := tar.NewWriter(buf)
+	defer tw.Close()
+	srcPath = filepath.Clean(srcPath)
+	fi, err := os.Lstat(srcPath)
+	if err != nil {
+		return nil, err
+	}
+	tc := &filecollector.TarCollector{
+		TarWriter: tw,
+	}
+	if fi.IsDir() {
+		srcPrefix := srcPath
+		if !strings.HasSuffix(srcPrefix, string(filepath.Separator)) {
+			srcPrefix += string(filepath.Separator)
+		}
+		fc := &filecollector.FileCollector{
+			Fs:        &filecollector.DefaultFs{},
+			SrcPath:   srcPath,
+			SrcPrefix: srcPrefix,
+			Handler:   tc,
+		}
+		err = filepath.Walk(srcPath, fc.CollectFiles(ctx, []string{}))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		var f io.ReadCloser
+		var linkname string
+		if fi.Mode()&fs.ModeSymlink != 0 {
+			linkname, err = os.Readlink(srcPath)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			f, err = os.Open(srcPath)
+			if err != nil {
+				return nil, err
+			}
+			defer f.Close()
+		}
+		err := tc.WriteFile(fi.Name(), fi, linkname, f)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return io.NopCloser(buf), nil
+}
+
+func (e *HostEnvironment) Pull(_ bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func (e *HostEnvironment) Start(_ bool) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+type ptyWriter struct {
+	Out       io.Writer
+	AutoStop  bool
+	dirtyLine bool
+}
+
+func (w *ptyWriter) Write(buf []byte) (int, error) {
+	if w.AutoStop && len(buf) > 0 && buf[len(buf)-1] == 4 {
+		n, err := w.Out.Write(buf[:len(buf)-1])
+		if err != nil {
+			return n, err
+		}
+		if w.dirtyLine || len(buf) > 1 && buf[len(buf)-2] != '\n' {
+			_, _ = w.Out.Write([]byte("\n"))
+			return n, io.EOF
+		}
+		return n, io.EOF
+	}
+	w.dirtyLine = strings.LastIndex(string(buf), "\n") < len(buf)-1
+	return w.Out.Write(buf)
+}
+
+type localEnv struct {
+	env map[string]string
+}
+
+func (l *localEnv) Getenv(name string) string {
+	if runtime.GOOS == "windows" {
+		for k, v := range l.env {
+			if strings.EqualFold(name, k) {
+				return v
+			}
+		}
+		return ""
+	}
+	return l.env[name]
+}
+
+func lookupPathHost(cmd string, env map[string]string, writer io.Writer) (string, error) {
+	f, err := lookpath.LookPath2(cmd, &localEnv{env: env})
+	if err != nil {
+		err := "Cannot find: " + cmd + " in PATH"
+		if _, _err := writer.Write([]byte(err + "\n")); _err != nil {
+			return "", fmt.Errorf("%v: %w", err, _err)
+		}
+		return "", errors.New(err)
+	}
+	return f, nil
+}
+
+func setupPty(cmd *exec.Cmd, cmdline string) (*os.File, *os.File, error) {
+	ppty, tty, err := openPty()
+	if err != nil {
+		return nil, nil, err
+	}
+	if term.IsTerminal(int(tty.Fd())) {
+		_, err := term.MakeRaw(int(tty.Fd()))
+		if err != nil {
+			ppty.Close()
+			tty.Close()
+			return nil, nil, err
+		}
+	}
+	cmd.Stdin = tty
+	cmd.Stdout = tty
+	cmd.Stderr = tty
+	cmd.SysProcAttr = getSysProcAttr(cmdline, true)
+	return ppty, tty, nil
+}
+
+func writeKeepAlive(ppty io.Writer) {
+	c := 1
+	var err error
+	for c == 1 && err == nil {
+		c, err = ppty.Write([]byte{4})
+		<-time.After(time.Second)
+	}
+}
+
+func copyPtyOutput(writer io.Writer, ppty io.Reader, finishLog context.CancelFunc) {
+	defer func() {
+		finishLog()
+	}()
+	if _, err := io.Copy(writer, ppty); err != nil {
+		return
+	}
+}
+
+func (e *HostEnvironment) UpdateFromImageEnv(_ *map[string]string) common.Executor {
+	return func(ctx context.Context) error {
+		return nil
+	}
+}
+
+func getEnvListFromMap(env map[string]string) []string {
+	envList := make([]string, 0)
+	for k, v := range env {
+		envList = append(envList, fmt.Sprintf("%s=%s", k, v))
+	}
+	return envList
+}
+
+func (e *HostEnvironment) exec(ctx context.Context, command []string, cmdline string, env map[string]string, _, workdir string) error {
+	envList := getEnvListFromMap(env)
+	var wd string
+	if workdir != "" {
+		if filepath.IsAbs(workdir) {
+			wd = workdir
+		} else {
+			wd = filepath.Join(e.Path, workdir)
+		}
+	} else {
+		wd = e.Path
+	}
+	f, err := lookupPathHost(command[0], env, e.StdOut)
+	if err != nil {
+		return err
+	}
+	cmd := exec.CommandContext(ctx, f)
+	cmd.Path = f
+	cmd.Args = command
+	cmd.Stdin = nil
+	cmd.Stdout = e.StdOut
+	cmd.Env = envList
+	cmd.Stderr = e.StdOut
+	cmd.Dir = wd
+	cmd.SysProcAttr = getSysProcAttr(cmdline, false)
+	var ppty *os.File
+	var tty *os.File
+	defer func() {
+		if ppty != nil {
+			ppty.Close()
+		}
+		if tty != nil {
+			tty.Close()
+		}
+	}()
+	if true /* allocate Terminal */ {
+		var err error
+		ppty, tty, err = setupPty(cmd, cmdline)
+		if err != nil {
+			common.Logger(ctx).Debugf("Failed to setup Pty %v\n", err.Error())
+		}
+	}
+	writer := &ptyWriter{Out: e.StdOut}
+	logctx, finishLog := context.WithCancel(context.Background())
+	if ppty != nil {
+		go copyPtyOutput(writer, ppty, finishLog)
+	} else {
+		finishLog()
+	}
+	if ppty != nil {
+		go writeKeepAlive(ppty)
+	}
+	err = cmd.Run()
+	if err != nil {
+		return err
+	}
+	if tty != nil {
+		writer.AutoStop = true
+		if _, err := tty.WriteString("\x04"); err != nil {
+			common.Logger(ctx).Debug("Failed to write EOT")
+		}
+	}
+	<-logctx.Done()
+
+	if ppty != nil {
+		ppty.Close()
+		ppty = nil
+	}
+	return err
+}
+
+func (e *HostEnvironment) Exec(command []string /*cmdline string, */, env map[string]string, user, workdir string) common.Executor {
+	return e.ExecWithCmdLine(command, "", env, user, workdir)
+}
+
+func (e *HostEnvironment) ExecWithCmdLine(command []string, cmdline string, env map[string]string, user, workdir string) common.Executor {
+	return func(ctx context.Context) error {
+		if err := e.exec(ctx, command, cmdline, env, user, workdir); err != nil {
+			select {
+			case <-ctx.Done():
+				return fmt.Errorf("this step has been cancelled: %w", err)
+			default:
+				return err
+			}
+		}
+		return nil
+	}
+}
+
+func (e *HostEnvironment) UpdateFromEnv(srcPath string, env *map[string]string) common.Executor {
+	return parseEnvFile(e, srcPath, env)
+}
+
+func (e *HostEnvironment) Remove() common.Executor {
+	return func(ctx context.Context) error {
+		if e.CleanUp != nil {
+			e.CleanUp()
+		}
+		return os.RemoveAll(e.Path)
+	}
+}
+
+func (e *HostEnvironment) ToContainerPath(path string) string {
+	if bp, err := filepath.Rel(e.Workdir, path); err != nil {
+		return filepath.Join(e.Path, bp)
+	} else if filepath.Clean(e.Workdir) == filepath.Clean(path) {
+		return e.Path
+	}
+	return path
+}
+
+func (e *HostEnvironment) GetActPath() string {
+	actPath := e.ActPath
+	if runtime.GOOS == "windows" {
+		actPath = strings.ReplaceAll(actPath, "\\", "/")
+	}
+	return actPath
+}
+
+func (*HostEnvironment) GetPathVariableName() string {
+	switch runtime.GOOS {
+	case "plan9":
+		return "path"
+	case "windows":
+		return "Path" // Actually we need a case insensitive map
+	}
+	return "PATH"
+}
+
+func (e *HostEnvironment) DefaultPathVariable() string {
+	v, _ := os.LookupEnv(e.GetPathVariableName())
+	return v
+}
+
+func (*HostEnvironment) JoinPathVariable(paths ...string) string {
+	return strings.Join(paths, string(filepath.ListSeparator))
+}
+
+// Reference for Arch values for runner.arch
+// https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context
+func goArchToActionArch(arch string) string {
+	archMapper := map[string]string{
+		"x86_64":  "X64",
+		"386":     "X86",
+		"aarch64": "ARM64",
+	}
+	if arch, ok := archMapper[arch]; ok {
+		return arch
+	}
+	return arch
+}
+
+func goOsToActionOs(os string) string {
+	osMapper := map[string]string{
+		"darwin": "macOS",
+	}
+	if os, ok := osMapper[os]; ok {
+		return os
+	}
+	return os
+}
+
+func (e *HostEnvironment) GetRunnerContext(_ context.Context) map[string]any {
+	return map[string]any{
+		"os":         goOsToActionOs(runtime.GOOS),
+		"arch":       goArchToActionArch(runtime.GOARCH),
+		"temp":       e.TmpDir,
+		"tool_cache": e.ToolCache,
+	}
+}
+
+func (e *HostEnvironment) ReplaceLogWriter(stdout, _ io.Writer) (io.Writer, io.Writer) {
+	org := e.StdOut
+	e.StdOut = stdout
+	return org, org
+}
+
+func (*HostEnvironment) IsEnvironmentCaseInsensitive() bool {
+	return runtime.GOOS == "windows"
+}
--- a/act/container/host_environment_test.go
+++ b/act/container/host_environment_test.go
@@ -0,0 +1,71 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"context"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Type assert HostEnvironment implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &HostEnvironment{}
+
+func TestCopyDir(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	err := e.CopyDir(e.Workdir, e.Path, true)(ctx)
+	assert.NoError(t, err)
+}
+
+func TestGetContainerArchive(t *testing.T) {
+	dir := t.TempDir()
+	ctx := context.Background()
+	e := &HostEnvironment{
+		Path:      filepath.Join(dir, "path"),
+		TmpDir:    filepath.Join(dir, "tmp"),
+		ToolCache: filepath.Join(dir, "tool_cache"),
+		ActPath:   filepath.Join(dir, "act_path"),
+		StdOut:    os.Stdout,
+		Workdir:   path.Join("testdata", "scratch"),
+	}
+	_ = os.MkdirAll(e.Path, 0o700)
+	_ = os.MkdirAll(e.TmpDir, 0o700)
+	_ = os.MkdirAll(e.ToolCache, 0o700)
+	_ = os.MkdirAll(e.ActPath, 0o700)
+	expectedContent := []byte("sdde/7sh")
+	err := os.WriteFile(filepath.Join(e.Path, "action.yml"), expectedContent, 0o600)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	archive, err := e.GetContainerArchive(ctx, e.Path)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	defer archive.Close()
+	reader := tar.NewReader(archive)
+	h, err := reader.Next()
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, "action.yml", h.Name)
+	content, err := io.ReadAll(reader)
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, expectedContent, content)
+	_, err = reader.Next()
+	assert.ErrorIs(t, err, io.EOF)
+}
--- a/act/container/linux_container_environment_extensions.go
+++ b/act/container/linux_container_environment_extensions.go
@@ -0,0 +1,80 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"context"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type LinuxContainerEnvironmentExtensions struct{}
+
+// Resolves the equivalent host path inside the container
+// This is required for windows and WSL 2 to translate things like C:\Users\Myproject to /mnt/users/Myproject
+// For use in docker volumes and binds
+func (*LinuxContainerEnvironmentExtensions) ToContainerPath(path string) string {
+	if runtime.GOOS == "windows" && strings.Contains(path, "/") {
+		log.Error("You cannot specify linux style local paths (/mnt/etc) on Windows as it does not understand them.")
+		return ""
+	}
+
+	abspath, err := filepath.Abs(path)
+	if err != nil {
+		log.Error(err)
+		return ""
+	}
+
+	// Test if the path is a windows path
+	windowsPathRegex := regexp.MustCompile(`^([a-zA-Z]):\\(.+)$`)
+	windowsPathComponents := windowsPathRegex.FindStringSubmatch(abspath)
+
+	// Return as-is if no match
+	if windowsPathComponents == nil {
+		return abspath
+	}
+
+	// Convert to WSL2-compatible path if it is a windows path
+	// NOTE: Cannot use filepath because it will use the wrong path separators assuming we want the path to be windows
+	// based if running on Windows, and because we are feeding this to Docker, GoLang auto-path-translate doesn't work.
+	driveLetter := strings.ToLower(windowsPathComponents[1])
+	translatedPath := strings.ReplaceAll(windowsPathComponents[2], `\`, `/`)
+	// Should make something like /mnt/c/Users/person/My Folder/MyActProject
+	result := strings.Join([]string{"/mnt", driveLetter, translatedPath}, `/`)
+	return result
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetActPath() string {
+	return "/var/run/act"
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetPathVariableName() string {
+	return "PATH"
+}
+
+func (*LinuxContainerEnvironmentExtensions) DefaultPathVariable() string {
+	return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+}
+
+func (*LinuxContainerEnvironmentExtensions) JoinPathVariable(paths ...string) string {
+	return strings.Join(paths, ":")
+}
+
+func (*LinuxContainerEnvironmentExtensions) GetRunnerContext(ctx context.Context) map[string]any {
+	return map[string]any{
+		"os":         "Linux",
+		"arch":       RunnerArch(ctx),
+		"temp":       "/tmp",
+		"tool_cache": "/opt/hostedtoolcache",
+	}
+}
+
+func (*LinuxContainerEnvironmentExtensions) IsEnvironmentCaseInsensitive() bool {
+	return false
+}
--- a/act/container/linux_container_environment_extensions_test.go
+++ b/act/container/linux_container_environment_extensions_test.go
@@ -0,0 +1,70 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestContainerPath(t *testing.T) {
+	type containerPathJob struct {
+		destinationPath string
+		sourcePath      string
+		workDir         string
+	}
+
+	linuxcontainerext := &LinuxContainerEnvironmentExtensions{}
+
+	if runtime.GOOS == "windows" {
+		cwd, err := os.Getwd()
+		if err != nil {
+			log.Error(err)
+		}
+
+		rootDrive := os.Getenv("SystemDrive")
+		rootDriveLetter := strings.ReplaceAll(strings.ToLower(rootDrive), `:`, "")
+		for _, v := range []containerPathJob{
+			{"/mnt/c/Users/act/go/src/github.com/nektos/act", "C:\\Users\\act\\go\\src\\github.com\\nektos\\act\\", ""},
+			{"/mnt/f/work/dir", `F:\work\dir`, ""},
+			{"/mnt/c/windows/to/unix", "windows\\to\\unix", rootDrive + "\\"},
+			{fmt.Sprintf("/mnt/%v/act", rootDriveLetter), "act", rootDrive + "\\"},
+		} {
+			if v.workDir != "" {
+				t.Chdir(v.workDir)
+			}
+
+			assert.Equal(t, v.destinationPath, linuxcontainerext.ToContainerPath(v.sourcePath))
+		}
+
+		t.Chdir(cwd)
+	} else {
+		cwd, err := os.Getwd()
+		if err != nil {
+			log.Error(err)
+		}
+		for _, v := range []containerPathJob{
+			{"/home/act/go/src/github.com/nektos/act", "/home/act/go/src/github.com/nektos/act", ""},
+			{"/home/act", `/home/act/`, ""},
+			{cwd, ".", ""},
+		} {
+			assert.Equal(t, v.destinationPath, linuxcontainerext.ToContainerPath(v.sourcePath))
+		}
+	}
+}
+
+type typeAssertMockContainer struct {
+	Container
+	LinuxContainerEnvironmentExtensions
+}
+
+// Type assert Container + LinuxContainerEnvironmentExtensions implements ExecutionsEnvironment
+var _ ExecutionsEnvironment = &typeAssertMockContainer{}
--- a/act/container/parse_env_file.go
+++ b/act/container/parse_env_file.go
@@ -0,0 +1,64 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"archive/tar"
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/common"
+)
+
+func parseEnvFile(e Container, srcPath string, env *map[string]string) common.Executor {
+	localEnv := *env
+	return func(ctx context.Context) error {
+		envTar, err := e.GetContainerArchive(ctx, srcPath)
+		if err != nil {
+			return nil
+		}
+		defer envTar.Close()
+		reader := tar.NewReader(envTar)
+		_, err = reader.Next()
+		if err != nil && err != io.EOF {
+			return err
+		}
+		s := bufio.NewScanner(reader)
+		for s.Scan() {
+			line := s.Text()
+			singleLineEnv := strings.Index(line, "=")
+			multiLineEnv := strings.Index(line, "<<")
+			if singleLineEnv != -1 && (multiLineEnv == -1 || singleLineEnv < multiLineEnv) {
+				localEnv[line[:singleLineEnv]] = line[singleLineEnv+1:]
+			} else if multiLineEnv != -1 {
+				multiLineEnvContent := ""
+				multiLineEnvDelimiter := line[multiLineEnv+2:]
+				delimiterFound := false
+				for s.Scan() {
+					content := s.Text()
+					if content == multiLineEnvDelimiter {
+						delimiterFound = true
+						break
+					}
+					if multiLineEnvContent != "" {
+						multiLineEnvContent += "\n"
+					}
+					multiLineEnvContent += content
+				}
+				if !delimiterFound {
+					return fmt.Errorf("invalid format delimiter '%v' not found before end of file", multiLineEnvDelimiter)
+				}
+				localEnv[line[:multiLineEnv]] = multiLineEnvContent
+			} else {
+				return fmt.Errorf("invalid format '%v', expected a line with '=' or '<<'", line)
+			}
+		}
+		env = &localEnv
+		return nil
+	}
+}
--- a/act/container/testdata/Dockerfile
+++ b/act/container/testdata/Dockerfile
@@ -0,0 +1,5 @@
+FROM scratch
+ENV PATH="/this/path/does/not/exists/anywhere:/this/either"
+ENV SOME_RANDOM_VAR=""
+ENV ANOTHER_ONE="BUT_I_HAVE_VALUE"
+ENV CONFLICT_VAR="I_EXIST_ONLY_HERE"
--- a/act/container/testdata/docker-pull-options/config.json
+++ b/act/container/testdata/docker-pull-options/config.json
@@ -0,0 +1,7 @@
+{
+  "auths": {
+          "https://index.docker.io/v1/": {
+                  "auth": "dXNlcm5hbWU6cGFzc3dvcmQK"
+          }
+  }
+}
--- a/act/container/testdata/scratch/test.txt
+++ b/act/container/testdata/scratch/test.txt
@@ -0,0 +1 @@
+testfile
--- a/act/container/testdata/utf16.env
+++ b/act/container/testdata/utf16.env
--- a/act/container/testdata/utf16be.env
+++ b/act/container/testdata/utf16be.env
--- a/act/container/testdata/utf8.env
+++ b/act/container/testdata/utf8.env
@@ -0,0 +1,3 @@
+FOO=BAR
+HELLO=您好
+BAR=FOO
--- a/act/container/testdata/valid.env
+++ b/act/container/testdata/valid.env
@@ -0,0 +1 @@
+ENV1=value1
--- a/act/container/testdata/valid.label
+++ b/act/container/testdata/valid.label
@@ -0,0 +1 @@
+LABEL1=value1
--- a/act/container/util.go
+++ b/act/container/util.go
@@ -0,0 +1,30 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build (!windows && !plan9 && !openbsd) || (!windows && !plan9 && !mips64)
+
+package container
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/creack/pty"
+)
+
+func getSysProcAttr(_ string, tty bool) *syscall.SysProcAttr {
+	if tty {
+		return &syscall.SysProcAttr{
+			Setsid:  true,
+			Setctty: true,
+		}
+	}
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return pty.Open()
+}
--- a/act/container/util_openbsd_mips64.go
+++ b/act/container/util_openbsd_mips64.go
@@ -0,0 +1,21 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/container/util_plan9.go
+++ b/act/container/util_plan9.go
@@ -0,0 +1,21 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Rfork: syscall.RFNOTEG,
+	}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/container/util_windows.go
+++ b/act/container/util_windows.go
@@ -0,0 +1,19 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package container
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func getSysProcAttr(cmdLine string, tty bool) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{CmdLine: cmdLine, CreationFlags: syscall.CREATE_NEW_PROCESS_GROUP}
+}
+
+func openPty() (*os.File, *os.File, error) {
+	return nil, nil, errors.New("Unsupported")
+}
--- a/act/exprparser/functions.go
+++ b/act/exprparser/functions.go
@@ -0,0 +1,300 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/model"
+
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/rhysd/actionlint"
+)
+
+func (impl *interperterImpl) contains(search, item reflect.Value) (bool, error) {
+	switch search.Kind() {
+	case reflect.String, reflect.Int, reflect.Float64, reflect.Bool, reflect.Invalid:
+		return strings.Contains(
+			strings.ToLower(impl.coerceToString(search).String()),
+			strings.ToLower(impl.coerceToString(item).String()),
+		), nil
+
+	case reflect.Slice:
+		for i := 0; i < search.Len(); i++ {
+			arrayItem := search.Index(i).Elem()
+			result, err := impl.compareValues(arrayItem, item, actionlint.CompareOpNodeKindEq)
+			if err != nil {
+				return false, err
+			}
+
+			if isEqual, ok := result.(bool); ok && isEqual {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
+}
+
+func (impl *interperterImpl) startsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return strings.HasPrefix(
+		strings.ToLower(impl.coerceToString(searchString).String()),
+		strings.ToLower(impl.coerceToString(searchValue).String()),
+	), nil
+}
+
+func (impl *interperterImpl) endsWith(searchString, searchValue reflect.Value) (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return strings.HasSuffix(
+		strings.ToLower(impl.coerceToString(searchString).String()),
+		strings.ToLower(impl.coerceToString(searchValue).String()),
+	), nil
+}
+
+const (
+	passThrough = iota
+	bracketOpen
+	bracketClose
+)
+
+func (impl *interperterImpl) format(str reflect.Value, replaceValue ...reflect.Value) (string, error) {
+	input := impl.coerceToString(str).String()
+	var output strings.Builder
+	replacementIndex := ""
+
+	state := passThrough
+	for _, character := range input {
+		switch state {
+		case passThrough: // normal buffer output
+			switch character {
+			case '{':
+				state = bracketOpen
+
+			case '}':
+				state = bracketClose
+
+			default:
+				output.WriteRune(character)
+			}
+
+		case bracketOpen: // found {
+			switch character {
+			case '{':
+				output.WriteString("{")
+				replacementIndex = ""
+				state = passThrough
+
+			case '}':
+				index, err := strconv.ParseInt(replacementIndex, 10, 32)
+				if err != nil {
+					return "", fmt.Errorf("The following format string is invalid: '%s'", input)
+				}
+
+				replacementIndex = ""
+
+				if len(replaceValue) <= int(index) {
+					return "", fmt.Errorf("The following format string references more arguments than were supplied: '%s'", input)
+				}
+
+				output.WriteString(impl.coerceToString(replaceValue[index]).String())
+
+				state = passThrough
+
+			default:
+				replacementIndex += string(character)
+			}
+
+		case bracketClose: // found }
+			switch character {
+			case '}':
+				output.WriteString("}")
+				replacementIndex = ""
+				state = passThrough
+
+			default:
+				panic("Invalid format parser state")
+			}
+		}
+	}
+
+	if state != passThrough {
+		switch state {
+		case bracketOpen:
+			return "", fmt.Errorf("Unclosed brackets. The following format string is invalid: '%s'", input)
+
+		case bracketClose:
+			return "", fmt.Errorf("Closing bracket without opening one. The following format string is invalid: '%s'", input)
+		}
+	}
+
+	return output.String(), nil
+}
+
+func (impl *interperterImpl) join(array, sep reflect.Value) (string, error) { //nolint:unparam // pre-existing issue from nektos/act
+	separator := impl.coerceToString(sep).String()
+	switch array.Kind() {
+	case reflect.Slice:
+		var items []string
+		for i := 0; i < array.Len(); i++ {
+			items = append(items, impl.coerceToString(array.Index(i).Elem()).String())
+		}
+
+		return strings.Join(items, separator), nil
+	default:
+		return strings.Join([]string{impl.coerceToString(array).String()}, separator), nil
+	}
+}
+
+func (impl *interperterImpl) toJSON(value reflect.Value) (string, error) {
+	if value.Kind() == reflect.Invalid {
+		return "null", nil
+	}
+
+	json, err := json.MarshalIndent(value.Interface(), "", "  ")
+	if err != nil {
+		return "", fmt.Errorf("Cannot convert value to JSON. Cause: %v", err)
+	}
+
+	return string(json), nil
+}
+
+func (impl *interperterImpl) fromJSON(value reflect.Value) (any, error) {
+	if value.Kind() != reflect.String {
+		return nil, fmt.Errorf("Cannot parse non-string type %v as JSON", value.Kind())
+	}
+
+	var data any
+
+	err := json.Unmarshal([]byte(value.String()), &data)
+	if err != nil {
+		return nil, fmt.Errorf("Invalid JSON: %v", err)
+	}
+
+	return data, nil
+}
+
+func (impl *interperterImpl) hashFiles(paths ...reflect.Value) (string, error) {
+	var ps []gitignore.Pattern
+
+	const cwdPrefix = "." + string(filepath.Separator)
+	const excludeCwdPrefix = "!" + cwdPrefix
+	for _, path := range paths {
+		if path.Kind() == reflect.String {
+			cleanPath := path.String()
+			if strings.HasPrefix(cleanPath, cwdPrefix) {
+				cleanPath = cleanPath[len(cwdPrefix):]
+			} else if strings.HasPrefix(cleanPath, excludeCwdPrefix) {
+				cleanPath = "!" + cleanPath[len(excludeCwdPrefix):]
+			}
+			ps = append(ps, gitignore.ParsePattern(cleanPath, nil))
+		} else {
+			return "", errors.New("Non-string path passed to hashFiles")
+		}
+	}
+
+	matcher := gitignore.NewMatcher(ps)
+
+	var files []string
+	if err := filepath.Walk(impl.config.WorkingDir, func(path string, fi fs.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		sansPrefix := strings.TrimPrefix(path, impl.config.WorkingDir+string(filepath.Separator))
+		parts := strings.Split(sansPrefix, string(filepath.Separator))
+		if fi.IsDir() || !matcher.Match(parts, fi.IsDir()) {
+			return nil
+		}
+		files = append(files, path)
+		return nil
+	}); err != nil {
+		return "", fmt.Errorf("Unable to filepath.Walk: %v", err)
+	}
+
+	if len(files) == 0 {
+		return "", nil
+	}
+
+	hasher := sha256.New()
+
+	for _, file := range files {
+		f, err := os.Open(file)
+		if err != nil {
+			return "", fmt.Errorf("Unable to os.Open: %v", err)
+		}
+
+		if _, err := io.Copy(hasher, f); err != nil {
+			return "", fmt.Errorf("Unable to io.Copy: %v", err)
+		}
+
+		if err := f.Close(); err != nil {
+			return "", fmt.Errorf("Unable to Close file: %v", err)
+		}
+	}
+
+	return hex.EncodeToString(hasher.Sum(nil)), nil
+}
+
+func (impl *interperterImpl) getNeedsTransitive(job *model.Job) []string {
+	needs := job.Needs()
+
+	for _, need := range needs {
+		parentNeeds := impl.getNeedsTransitive(impl.config.Run.Workflow.GetJob(need))
+		needs = append(needs, parentNeeds...)
+	}
+
+	return needs
+}
+
+func (impl *interperterImpl) always() (bool, error) {
+	return true, nil
+}
+
+func (impl *interperterImpl) jobSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	jobs := impl.config.Run.Workflow.Jobs
+	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
+
+	for _, needs := range jobNeeds {
+		if jobs[needs].Result != "success" {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
+
+func (impl *interperterImpl) stepSuccess() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "success", nil
+}
+
+func (impl *interperterImpl) jobFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	jobs := impl.config.Run.Workflow.Jobs
+	jobNeeds := impl.getNeedsTransitive(impl.config.Run.Job())
+
+	for _, needs := range jobNeeds {
+		if jobs[needs].Result == "failure" {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (impl *interperterImpl) stepFailure() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "failure", nil
+}
+
+func (impl *interperterImpl) cancelled() (bool, error) { //nolint:unparam // pre-existing issue from nektos/act
+	return impl.env.Job.Status == "cancelled", nil
+}
--- a/act/exprparser/functions_test.go
+++ b/act/exprparser/functions_test.go
@@ -0,0 +1,256 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"path/filepath"
+	"testing"
+
+	"gitea.com/gitea/act_runner/act/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFunctionContains(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"contains('search', 'item') }}", false, "contains-str-str"},
+		{`cOnTaInS('Hello', 'll') }}`, true, "contains-str-casing"},
+		{`contains('HELLO', 'll') }}`, true, "contains-str-casing"},
+		{`contains('3.141592', 3.14) }}`, true, "contains-str-number"},
+		{`contains(3.141592, '3.14') }}`, true, "contains-number-str"},
+		{`contains(3.141592, 3.14) }}`, true, "contains-number-number"},
+		{`contains(true, 'u') }}`, true, "contains-bool-str"},
+		{`contains(null, '') }}`, true, "contains-null-str"},
+		{`contains(fromJSON('["first","second"]'), 'first') }}`, true, "contains-item"},
+		{`contains(fromJSON('[null,"second"]'), '') }}`, true, "contains-item-null-empty-str"},
+		{`contains(fromJSON('["","second"]'), null) }}`, true, "contains-item-empty-str-null"},
+		{`contains(fromJSON('[true,"second"]'), 'true') }}`, false, "contains-item-bool-arr"},
+		{`contains(fromJSON('["true","second"]'), true) }}`, false, "contains-item-str-bool"},
+		{`contains(fromJSON('[3.14,"second"]'), '3.14') }}`, true, "contains-item-number-str"},
+		{`contains(fromJSON('[3.14,"second"]'), 3.14) }}`, true, "contains-item-number-number"},
+		{`contains(fromJSON('["","second"]'), fromJSON('[]')) }}`, false, "contains-item-str-arr"},
+		{`contains(fromJSON('["","second"]'), fromJSON('{}')) }}`, false, "contains-item-str-obj"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionStartsWith(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"startsWith('search', 'se') }}", true, "startswith-string"},
+		{"startsWith('search', 'sa') }}", false, "startswith-string"},
+		{"startsWith('123search', '123s') }}", true, "startswith-string"},
+		{"startsWith(123, 's') }}", false, "startswith-string"},
+		{"startsWith(123, '12') }}", true, "startswith-string"},
+		{"startsWith('123', 12) }}", true, "startswith-string"},
+		{"startsWith(null, '42') }}", false, "startswith-string"},
+		{"startsWith('null', null) }}", true, "startswith-string"},
+		{"startsWith('null', '') }}", true, "startswith-string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionEndsWith(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"endsWith('search', 'ch') }}", true, "endsWith-string"},
+		{"endsWith('search', 'sa') }}", false, "endsWith-string"},
+		{"endsWith('search123s', '123s') }}", true, "endsWith-string"},
+		{"endsWith(123, 's') }}", false, "endsWith-string"},
+		{"endsWith(123, '23') }}", true, "endsWith-string"},
+		{"endsWith('123', 23) }}", true, "endsWith-string"},
+		{"endsWith(null, '42') }}", false, "endsWith-string"},
+		{"endsWith('null', null) }}", true, "endsWith-string"},
+		{"endsWith('null', '') }}", true, "endsWith-string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionJoin(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"join(fromJSON('[\"a\", \"b\"]'), ',')", "a,b", "join-arr"},
+		{"join('string', ',')", "string", "join-str"},
+		{"join(1, ',')", "1", "join-number"},
+		{"join(null, ',')", "", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\", null]'), null)", "ab", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\"]'))", "a,b", "join-number"},
+		{"join(fromJSON('[\"a\", \"b\", null]'), 1)", "a1b1", "join-number"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionToJSON(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"toJSON(env) }}", "{\n  \"key\": \"value\"\n}", "toJSON"},
+		{"toJSON(null)", "null", "toJSON-null"},
+	}
+
+	env := &EvaluationEnvironment{
+		Env: map[string]string{
+			"key": "value",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionFromJSON(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"fromJSON('{\"foo\":\"bar\"}') }}", map[string]any{
+			"foo": "bar",
+		}, "fromJSON"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionHashFiles(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"hashFiles('**/non-extant-files') }}", "", "hash-non-existing-file"},
+		{"hashFiles('**/non-extant-files', '**/more-non-extant-files') }}", "", "hash-multiple-non-existing-files"},
+		{"hashFiles('./for-hashing-1.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-single-file"},
+		{"hashFiles('./for-hashing-*.txt') }}", "8e5935e7e13368cd9688fe8f48a0955293676a021562582c7e848dafe13fb046", "hash-multiple-files"},
+		{"hashFiles('./for-hashing-*.txt', '!./for-hashing-2.txt') }}", "66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18", "hash-negative-pattern"},
+		{"hashFiles('./for-hashing-**') }}", "c418ba693753c84115ced0da77f876cddc662b9054f4b129b90f822597ee2f94", "hash-multiple-files-and-directories"},
+		{"hashFiles('./for-hashing-3/**') }}", "6f5696b546a7a9d6d42a449dc9a56bef244aaa826601ef27466168846139d2c2", "hash-nested-directories"},
+		{"hashFiles('./for-hashing-3/**/nested-data.txt') }}", "8ecadfb49f7f978d0a9f3a957e9c8da6cc9ab871f5203b5d9f9d1dc87d8af18c", "hash-nested-directories-2"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			workdir, err := filepath.Abs("testdata")
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			output, err := NewInterpeter(env, Config{WorkingDir: workdir}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestFunctionFormat(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		error    any
+		name     string
+	}{
+		{"format('text')", "text", nil, "format-plain-string"},
+		{"format('Hello {0} {1} {2}!', 'Mona', 'the', 'Octocat')", "Hello Mona the Octocat!", nil, "format-with-placeholders"},
+		{"format('{{Hello {0} {1} {2}!}}', 'Mona', 'the', 'Octocat')", "{Hello Mona the Octocat!}", nil, "format-with-escaped-braces"},
+		{"format('{{0}}', 'test')", "{0}", nil, "format-with-escaped-braces"},
+		{"format('{{{0}}}', 'test')", "{test}", nil, "format-with-escaped-braces-and-value"},
+		{"format('}}')", "}", nil, "format-output-closing-brace"},
+		{`format('Hello "{0}" {1} {2} {3} {4}', null, true, -3.14, NaN, Infinity)`, `Hello "" true -3.14 NaN Infinity`, nil, "format-with-primitives"},
+		{`format('Hello "{0}" {1} {2}', fromJSON('[0, true, "abc"]'), fromJSON('[{"a":1}]'), fromJSON('{"a":{"b":1}}'))`, `Hello "Array" Array Object`, nil, "format-with-complex-types"},
+		{"format(true)", "true", nil, "format-with-primitive-args"},
+		{"format('echo Hello {0} ${{Test}}', github.undefined_property)", "echo Hello  ${Test}", nil, "format-with-undefined-value"},
+		{"format('{0}}', '{1}', 'World')", nil, "Closing bracket without opening one. The following format string is invalid: '{0}}'", "format-invalid-format-string"},
+		{"format('{0', '{1}', 'World')", nil, "Unclosed brackets. The following format string is invalid: '{0'", "format-invalid-format-string"},
+		{"format('{2}', '{1}', 'World')", "", "The following format string references more arguments than were supplied: '{2}'", "format-invalid-replacement-reference"},
+		{"format('{2147483648}')", "", "The following format string is invalid: '{2147483648}'", "format-invalid-replacement-reference"},
+		{"format('{0} {1} {2} {3}', 1.0, 1.1, 1234567890.0, 12345678901234567890.0)", "1 1.1 1234567890 1.23456789012346E+19", nil, "format-floats"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			if tt.error != nil {
+				assert.Equal(t, tt.error, err.Error())
+			} else {
+				assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.expected, output)
+			}
+		})
+	}
+}
--- a/act/exprparser/interpreter.go
+++ b/act/exprparser/interpreter.go
@@ -0,0 +1,646 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"encoding"
+	"errors"
+	"fmt"
+	"math"
+	"reflect"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/model"
+
+	"github.com/rhysd/actionlint"
+)
+
+type EvaluationEnvironment struct {
+	Github    *model.GithubContext
+	Env       map[string]string
+	Job       *model.JobContext
+	Jobs      *map[string]*model.WorkflowCallResult
+	Steps     map[string]*model.StepResult
+	Runner    map[string]any
+	Secrets   map[string]string
+	Vars      map[string]string
+	Strategy  map[string]any
+	Matrix    map[string]any
+	Needs     map[string]Needs
+	Inputs    map[string]any
+	HashFiles func([]reflect.Value) (any, error)
+}
+
+type Needs struct {
+	Outputs map[string]string `json:"outputs"`
+	Result  string            `json:"result"`
+}
+
+type Config struct {
+	Run        *model.Run
+	WorkingDir string
+	Context    string
+}
+
+type DefaultStatusCheck int
+
+const (
+	DefaultStatusCheckNone DefaultStatusCheck = iota
+	DefaultStatusCheckSuccess
+	DefaultStatusCheckAlways
+	DefaultStatusCheckCanceled
+	DefaultStatusCheckFailure
+)
+
+func (dsc DefaultStatusCheck) String() string {
+	switch dsc {
+	case DefaultStatusCheckSuccess:
+		return "success"
+	case DefaultStatusCheckAlways:
+		return "always"
+	case DefaultStatusCheckCanceled:
+		return "cancelled"
+	case DefaultStatusCheckFailure:
+		return "failure"
+	}
+	return ""
+}
+
+type Interpreter interface {
+	Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error)
+}
+
+type interperterImpl struct {
+	env    *EvaluationEnvironment
+	config Config
+}
+
+func NewInterpeter(env *EvaluationEnvironment, config Config) Interpreter {
+	return &interperterImpl{
+		env:    env,
+		config: config,
+	}
+}
+
+func (impl *interperterImpl) Evaluate(input string, defaultStatusCheck DefaultStatusCheck) (any, error) {
+	input = strings.TrimPrefix(input, "${{")
+	if defaultStatusCheck != DefaultStatusCheckNone && input == "" {
+		input = "success()"
+	}
+	parser := actionlint.NewExprParser()
+	exprNode, err := parser.Parse(actionlint.NewExprLexer(input + "}}"))
+	if err != nil {
+		return nil, fmt.Errorf("Failed to parse: %s", err.Message)
+	}
+
+	if defaultStatusCheck != DefaultStatusCheckNone {
+		hasStatusCheckFunction := false
+		actionlint.VisitExprNode(exprNode, func(node, _ actionlint.ExprNode, entering bool) {
+			if funcCallNode, ok := node.(*actionlint.FuncCallNode); entering && ok {
+				switch strings.ToLower(funcCallNode.Callee) {
+				case "success", "always", "cancelled", "failure":
+					hasStatusCheckFunction = true
+				}
+			}
+		})
+
+		if !hasStatusCheckFunction {
+			exprNode = &actionlint.LogicalOpNode{
+				Kind: actionlint.LogicalOpNodeKindAnd,
+				Left: &actionlint.FuncCallNode{
+					Callee: defaultStatusCheck.String(),
+					Args:   []actionlint.ExprNode{},
+				},
+				Right: exprNode,
+			}
+		}
+	}
+
+	result, err2 := impl.evaluateNode(exprNode)
+
+	return result, err2
+}
+
+func (impl *interperterImpl) evaluateNode(exprNode actionlint.ExprNode) (any, error) {
+	switch node := exprNode.(type) {
+	case *actionlint.VariableNode:
+		return impl.evaluateVariable(node)
+	case *actionlint.BoolNode:
+		return node.Value, nil
+	case *actionlint.NullNode:
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+	case *actionlint.IntNode:
+		return node.Value, nil
+	case *actionlint.FloatNode:
+		return node.Value, nil
+	case *actionlint.StringNode:
+		return node.Value, nil
+	case *actionlint.IndexAccessNode:
+		return impl.evaluateIndexAccess(node)
+	case *actionlint.ObjectDerefNode:
+		return impl.evaluateObjectDeref(node)
+	case *actionlint.ArrayDerefNode:
+		return impl.evaluateArrayDeref(node)
+	case *actionlint.NotOpNode:
+		return impl.evaluateNot(node)
+	case *actionlint.CompareOpNode:
+		return impl.evaluateCompare(node)
+	case *actionlint.LogicalOpNode:
+		return impl.evaluateLogicalCompare(node)
+	case *actionlint.FuncCallNode:
+		return impl.evaluateFuncCall(node)
+	default:
+		return nil, fmt.Errorf("Fatal error! Unknown node type: %s node: %+v", reflect.TypeOf(exprNode), exprNode)
+	}
+}
+
+//nolint:gocyclo // function handles many cases
+func (impl *interperterImpl) evaluateVariable(variableNode *actionlint.VariableNode) (any, error) {
+	switch strings.ToLower(variableNode.Name) {
+	case "github":
+		return impl.env.Github, nil
+	case "gitea": // compatible with Gitea
+		return impl.env.Github, nil
+	case "env":
+		return impl.env.Env, nil
+	case "job":
+		return impl.env.Job, nil
+	case "jobs":
+		if impl.env.Jobs == nil {
+			return nil, errors.New("Unavailable context: jobs")
+		}
+		return impl.env.Jobs, nil
+	case "steps":
+		return impl.env.Steps, nil
+	case "runner":
+		return impl.env.Runner, nil
+	case "secrets":
+		return impl.env.Secrets, nil
+	case "vars":
+		return impl.env.Vars, nil
+	case "strategy":
+		return impl.env.Strategy, nil
+	case "matrix":
+		return impl.env.Matrix, nil
+	case "needs":
+		return impl.env.Needs, nil
+	case "inputs":
+		return impl.env.Inputs, nil
+	case "infinity":
+		return math.Inf(1), nil
+	case "nan":
+		return math.NaN(), nil
+	default:
+		return nil, fmt.Errorf("Unavailable context: %s", variableNode.Name)
+	}
+}
+
+func (impl *interperterImpl) evaluateIndexAccess(indexAccessNode *actionlint.IndexAccessNode) (any, error) {
+	left, err := impl.evaluateNode(indexAccessNode.Operand)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+
+	right, err := impl.evaluateNode(indexAccessNode.Index)
+	if err != nil {
+		return nil, err
+	}
+
+	rightValue := reflect.ValueOf(right)
+
+	switch rightValue.Kind() {
+	case reflect.String:
+		return impl.getPropertyValue(leftValue, rightValue.String())
+
+	case reflect.Int:
+		switch leftValue.Kind() {
+		case reflect.Slice:
+			if rightValue.Int() < 0 || rightValue.Int() >= int64(leftValue.Len()) {
+				return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+			}
+			return leftValue.Index(int(rightValue.Int())).Interface(), nil
+		default:
+			return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+		}
+
+	default:
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+	}
+}
+
+func (impl *interperterImpl) evaluateObjectDeref(objectDerefNode *actionlint.ObjectDerefNode) (any, error) {
+	left, err := impl.evaluateNode(objectDerefNode.Receiver)
+	if err != nil {
+		return nil, err
+	}
+
+	return impl.getPropertyValue(reflect.ValueOf(left), objectDerefNode.Property)
+}
+
+func (impl *interperterImpl) evaluateArrayDeref(arrayDerefNode *actionlint.ArrayDerefNode) (any, error) {
+	left, err := impl.evaluateNode(arrayDerefNode.Receiver)
+	if err != nil {
+		return nil, err
+	}
+
+	return impl.getSafeValue(reflect.ValueOf(left)), nil
+}
+
+func (impl *interperterImpl) getPropertyValue(left reflect.Value, property string) (value any, err error) {
+	switch left.Kind() {
+	case reflect.Ptr:
+		return impl.getPropertyValue(left.Elem(), property)
+
+	case reflect.Struct:
+		leftType := left.Type()
+		for field := range leftType.Fields() {
+			jsonName := field.Tag.Get("json")
+			if jsonName == property {
+				property = field.Name
+				break
+			}
+		}
+
+		fieldValue := left.FieldByNameFunc(func(name string) bool {
+			return strings.EqualFold(name, property)
+		})
+
+		if fieldValue.Kind() == reflect.Invalid {
+			return "", nil
+		}
+
+		i := fieldValue.Interface()
+		// The type stepStatus int is an integer, but should be treated as string
+		if m, ok := i.(encoding.TextMarshaler); ok {
+			text, err := m.MarshalText()
+			if err != nil {
+				return nil, err
+			}
+			return string(text), nil
+		}
+		return i, nil
+
+	case reflect.Map:
+		iter := left.MapRange()
+
+		for iter.Next() {
+			key := iter.Key()
+
+			switch key.Kind() {
+			case reflect.String:
+				if strings.EqualFold(key.String(), property) {
+					return impl.getMapValue(iter.Value())
+				}
+
+			default:
+				return nil, fmt.Errorf("'%s' in map key not implemented", key.Kind())
+			}
+		}
+
+		return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+
+	case reflect.Slice:
+		var values []any
+
+		for i := 0; i < left.Len(); i++ {
+			value, err := impl.getPropertyValue(left.Index(i).Elem(), property)
+			if err != nil {
+				return nil, err
+			}
+
+			values = append(values, value)
+		}
+
+		return values, nil
+	}
+
+	return nil, nil //nolint:nilnil // pre-existing issue from nektos/act
+}
+
+func (impl *interperterImpl) getMapValue(value reflect.Value) (any, error) {
+	if value.Kind() == reflect.Ptr {
+		return impl.getMapValue(value.Elem())
+	}
+
+	return value.Interface(), nil
+}
+
+func (impl *interperterImpl) evaluateNot(notNode *actionlint.NotOpNode) (any, error) {
+	operand, err := impl.evaluateNode(notNode.Operand)
+	if err != nil {
+		return nil, err
+	}
+
+	return !IsTruthy(operand), nil
+}
+
+func (impl *interperterImpl) evaluateCompare(compareNode *actionlint.CompareOpNode) (any, error) {
+	left, err := impl.evaluateNode(compareNode.Left)
+	if err != nil {
+		return nil, err
+	}
+
+	right, err := impl.evaluateNode(compareNode.Right)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+	rightValue := reflect.ValueOf(right)
+
+	return impl.compareValues(leftValue, rightValue, compareNode.Kind)
+}
+
+func (impl *interperterImpl) compareValues(leftValue, rightValue reflect.Value, kind actionlint.CompareOpNodeKind) (any, error) {
+	if leftValue.Kind() != rightValue.Kind() {
+		if !impl.isNumber(leftValue) {
+			leftValue = impl.coerceToNumber(leftValue)
+		}
+		if !impl.isNumber(rightValue) {
+			rightValue = impl.coerceToNumber(rightValue)
+		}
+	}
+
+	switch leftValue.Kind() {
+	case reflect.Bool:
+		return impl.compareNumber(float64(impl.coerceToNumber(leftValue).Int()), float64(impl.coerceToNumber(rightValue).Int()), kind)
+	case reflect.String:
+		return impl.compareString(strings.ToLower(leftValue.String()), strings.ToLower(rightValue.String()), kind)
+
+	case reflect.Int:
+		if rightValue.Kind() == reflect.Float64 {
+			return impl.compareNumber(float64(leftValue.Int()), rightValue.Float(), kind)
+		}
+
+		return impl.compareNumber(float64(leftValue.Int()), float64(rightValue.Int()), kind)
+
+	case reflect.Float64:
+		if rightValue.Kind() == reflect.Int {
+			return impl.compareNumber(leftValue.Float(), float64(rightValue.Int()), kind)
+		}
+
+		return impl.compareNumber(leftValue.Float(), rightValue.Float(), kind)
+
+	case reflect.Invalid:
+		if rightValue.Kind() == reflect.Invalid {
+			return true, nil
+		}
+
+		// not possible situation - params are converted to the same type in code above
+		return nil, fmt.Errorf("Compare params of Invalid type: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+
+	default:
+		return nil, fmt.Errorf("Compare not implemented for types: left: %+v, right: %+v", leftValue.Kind(), rightValue.Kind())
+	}
+}
+
+func (impl *interperterImpl) coerceToNumber(value reflect.Value) reflect.Value {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return reflect.ValueOf(0)
+
+	case reflect.Bool:
+		switch value.Bool() {
+		case true:
+			return reflect.ValueOf(1)
+		case false:
+			return reflect.ValueOf(0)
+		}
+
+	case reflect.String:
+		if value.String() == "" {
+			return reflect.ValueOf(0)
+		}
+
+		// try to parse the string as a number
+		evaluated, err := impl.Evaluate(value.String(), DefaultStatusCheckNone)
+		if err != nil {
+			return reflect.ValueOf(math.NaN())
+		}
+
+		if value := reflect.ValueOf(evaluated); impl.isNumber(value) {
+			return value
+		}
+	}
+
+	return reflect.ValueOf(math.NaN())
+}
+
+func (impl *interperterImpl) coerceToString(value reflect.Value) reflect.Value {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return reflect.ValueOf("")
+
+	case reflect.Bool:
+		switch value.Bool() {
+		case true:
+			return reflect.ValueOf("true")
+		case false:
+			return reflect.ValueOf("false")
+		}
+
+	case reflect.String:
+		return value
+
+	case reflect.Int:
+		return reflect.ValueOf(fmt.Sprint(value))
+
+	case reflect.Float64:
+		if math.IsInf(value.Float(), 1) {
+			return reflect.ValueOf("Infinity")
+		} else if math.IsInf(value.Float(), -1) {
+			return reflect.ValueOf("-Infinity")
+		}
+		return reflect.ValueOf(fmt.Sprintf("%.15G", value.Float()))
+
+	case reflect.Slice:
+		return reflect.ValueOf("Array")
+
+	case reflect.Map:
+		return reflect.ValueOf("Object")
+	}
+
+	return value
+}
+
+func (impl *interperterImpl) compareString(left, right string, kind actionlint.CompareOpNodeKind) (bool, error) {
+	switch kind {
+	case actionlint.CompareOpNodeKindLess:
+		return left < right, nil
+	case actionlint.CompareOpNodeKindLessEq:
+		return left <= right, nil
+	case actionlint.CompareOpNodeKindGreater:
+		return left > right, nil
+	case actionlint.CompareOpNodeKindGreaterEq:
+		return left >= right, nil
+	case actionlint.CompareOpNodeKindEq:
+		return left == right, nil
+	case actionlint.CompareOpNodeKindNotEq:
+		return left != right, nil
+	default:
+		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
+	}
+}
+
+func (impl *interperterImpl) compareNumber(left, right float64, kind actionlint.CompareOpNodeKind) (bool, error) {
+	switch kind {
+	case actionlint.CompareOpNodeKindLess:
+		return left < right, nil
+	case actionlint.CompareOpNodeKindLessEq:
+		return left <= right, nil
+	case actionlint.CompareOpNodeKindGreater:
+		return left > right, nil
+	case actionlint.CompareOpNodeKindGreaterEq:
+		return left >= right, nil
+	case actionlint.CompareOpNodeKindEq:
+		return left == right, nil
+	case actionlint.CompareOpNodeKindNotEq:
+		return left != right, nil
+	default:
+		return false, fmt.Errorf("TODO: not implemented to compare '%+v'", kind)
+	}
+}
+
+func IsTruthy(input any) bool {
+	value := reflect.ValueOf(input)
+	switch value.Kind() {
+	case reflect.Bool:
+		return value.Bool()
+
+	case reflect.String:
+		return value.String() != ""
+
+	case reflect.Int:
+		return value.Int() != 0
+
+	case reflect.Float64:
+		if math.IsNaN(value.Float()) {
+			return false
+		}
+
+		return value.Float() != 0
+
+	case reflect.Map, reflect.Slice:
+		return true
+
+	default:
+		return false
+	}
+}
+
+func (impl *interperterImpl) isNumber(value reflect.Value) bool {
+	switch value.Kind() {
+	case reflect.Int, reflect.Float64:
+		return true
+	default:
+		return false
+	}
+}
+
+func (impl *interperterImpl) getSafeValue(value reflect.Value) any {
+	switch value.Kind() {
+	case reflect.Invalid:
+		return nil
+
+	case reflect.Float64:
+		if value.Float() == 0 {
+			return 0
+		}
+	}
+
+	return value.Interface()
+}
+
+func (impl *interperterImpl) evaluateLogicalCompare(compareNode *actionlint.LogicalOpNode) (any, error) {
+	left, err := impl.evaluateNode(compareNode.Left)
+	if err != nil {
+		return nil, err
+	}
+
+	leftValue := reflect.ValueOf(left)
+
+	if IsTruthy(left) == (compareNode.Kind == actionlint.LogicalOpNodeKindOr) {
+		return impl.getSafeValue(leftValue), nil
+	}
+
+	right, err := impl.evaluateNode(compareNode.Right)
+	if err != nil {
+		return nil, err
+	}
+
+	rightValue := reflect.ValueOf(right)
+
+	switch compareNode.Kind {
+	case actionlint.LogicalOpNodeKindAnd:
+		return impl.getSafeValue(rightValue), nil
+	case actionlint.LogicalOpNodeKindOr:
+		return impl.getSafeValue(rightValue), nil
+	}
+
+	return nil, fmt.Errorf("Unable to compare incompatibles types '%s' and '%s'", leftValue.Kind(), rightValue.Kind())
+}
+
+//nolint:gocyclo // function handles many cases
+func (impl *interperterImpl) evaluateFuncCall(funcCallNode *actionlint.FuncCallNode) (any, error) {
+	args := make([]reflect.Value, 0)
+
+	for _, arg := range funcCallNode.Args {
+		value, err := impl.evaluateNode(arg)
+		if err != nil {
+			return nil, err
+		}
+
+		args = append(args, reflect.ValueOf(value))
+	}
+
+	switch strings.ToLower(funcCallNode.Callee) {
+	case "contains":
+		return impl.contains(args[0], args[1])
+	case "startswith":
+		return impl.startsWith(args[0], args[1])
+	case "endswith":
+		return impl.endsWith(args[0], args[1])
+	case "format":
+		return impl.format(args[0], args[1:]...)
+	case "join":
+		if len(args) == 1 {
+			return impl.join(args[0], reflect.ValueOf(","))
+		}
+		return impl.join(args[0], args[1])
+	case "tojson":
+		return impl.toJSON(args[0])
+	case "fromjson":
+		return impl.fromJSON(args[0])
+	case "hashfiles":
+		if impl.env.HashFiles != nil {
+			return impl.env.HashFiles(args)
+		}
+		return impl.hashFiles(args...)
+	case "always":
+		return impl.always()
+	case "success":
+		if impl.config.Context == "job" {
+			return impl.jobSuccess()
+		}
+		if impl.config.Context == "step" {
+			return impl.stepSuccess()
+		}
+		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
+	case "failure":
+		if impl.config.Context == "job" {
+			return impl.jobFailure()
+		}
+		if impl.config.Context == "step" {
+			return impl.stepFailure()
+		}
+		return nil, fmt.Errorf("Context '%s' must be one of 'job' or 'step'", impl.config.Context)
+	case "cancelled":
+		return impl.cancelled()
+	default:
+		return nil, fmt.Errorf("TODO: '%s' not implemented", funcCallNode.Callee)
+	}
+}
--- a/act/exprparser/interpreter_test.go
+++ b/act/exprparser/interpreter_test.go
@@ -0,0 +1,632 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package exprparser
+
+import (
+	"math"
+	"testing"
+
+	"gitea.com/gitea/act_runner/act/model"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLiterals(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"true", true, "true"},
+		{"false", false, "false"},
+		{"null", nil, "null"},
+		{"123", 123, "integer"},
+		{"-9.7", -9.7, "float"},
+		{"0xff", 255, "hex"},
+		{"-2.99e-2", -2.99e-2, "exponential"},
+		{"'foo'", "foo", "string"},
+		{"'it''s foo'", "it's foo", "string"},
+	}
+
+	env := &EvaluationEnvironment{}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperators(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+		error    string
+	}{
+		{"(false || (false || true))", true, "logical-grouping", ""},
+		{"github.action", "push", "property-dereference", ""},
+		{"github['action']", "push", "property-index", ""},
+		{"github.action[0]", nil, "string-index", ""},
+		{"github.action['0']", nil, "string-index", ""},
+		{"fromJSON('[0,1]')[1]", 1.0, "array-index", ""},
+		{"fromJSON('[0,1]')[1.1]", nil, "array-index", ""},
+		// Disabled weird things are happening
+		// {"fromJSON('[0,1]')['1.1']", nil, "array-index", ""},
+		{"(github.event.commits.*.author.username)[0]", "someone", "array-index-0", ""},
+		{"fromJSON('[0,1]')[2]", nil, "array-index-out-of-bounds-0", ""},
+		{"fromJSON('[0,1]')[34553]", nil, "array-index-out-of-bounds-1", ""},
+		{"fromJSON('[0,1]')[-1]", nil, "array-index-out-of-bounds-2", ""},
+		{"fromJSON('[0,1]')[-34553]", nil, "array-index-out-of-bounds-3", ""},
+		{"!true", false, "not", ""},
+		{"1 < 2", true, "less-than", ""},
+		{`'b' <= 'a'`, false, "less-than-or-equal", ""},
+		{"1 > 2", false, "greater-than", ""},
+		{`'b' >= 'a'`, true, "greater-than-or-equal", ""},
+		{`'a' == 'a'`, true, "equal", ""},
+		{`'a' != 'a'`, false, "not-equal", ""},
+		{`true && false`, false, "and", ""},
+		{`true || false`, true, "or", ""},
+		{`fromJSON('{}') && true`, true, "and-boolean-object", ""},
+		{`fromJSON('{}') || false`, make(map[string]any), "or-boolean-object", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username", true, "property-comparison1", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username", true, "property-comparison2", ""},
+		{"github.event.commits[0].author.username != github.event.commits[1].author.username1", true, "property-comparison3", ""},
+		{"github.event.commits[0].author.username1 != github.event.commits[1].author.username2", true, "property-comparison4", ""},
+		{"secrets != env", nil, "property-comparison5", "Compare not implemented for types: left: map, right: map"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+			Event: map[string]any{
+				"commits": []any{
+					map[string]any{
+						"author": map[string]any{
+							"username": "someone",
+						},
+					},
+					map[string]any{
+						"author": map[string]any{
+							"username": "someone-else",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			if tt.error != "" {
+				assert.NotNil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+				assert.Equal(t, tt.error, err.Error())
+			} else {
+				assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+			}
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperatorsCompare(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"!null", true, "not-null"},
+		{"!-10", false, "not-neg-num"},
+		{"!0", true, "not-zero"},
+		{"!3.14", false, "not-pos-float"},
+		{"!''", true, "not-empty-str"},
+		{"!'abc'", false, "not-str"},
+		{"!fromJSON('{}')", false, "not-obj"},
+		{"!fromJSON('[]')", false, "not-arr"},
+		{`null == 0 }}`, true, "null-coercion"},
+		{`true == 1 }}`, true, "boolean-coercion"},
+		{`'' == 0 }}`, true, "string-0-coercion"},
+		{`'3' == 3 }}`, true, "string-3-coercion"},
+		{`0 == null }}`, true, "null-coercion-alt"},
+		{`1 == true }}`, true, "boolean-coercion-alt"},
+		{`0 == '' }}`, true, "string-0-coercion-alt"},
+		{`3 == '3' }}`, true, "string-3-coercion-alt"},
+		{`'TEST' == 'test' }}`, true, "string-casing"},
+		{"true > false }}", true, "bool-greater-than"},
+		{"true >= false }}", true, "bool-greater-than-eq"},
+		{"true >= true }}", true, "bool-greater-than-1"},
+		{"true != false }}", true, "bool-not-equal"},
+		{`fromJSON('{}') < 2 }}`, false, "object-with-less"},
+		{`fromJSON('{}') < fromJSON('[]') }}`, false, "object/arr-with-lt"},
+		{`fromJSON('{}') > fromJSON('[]') }}`, false, "object/arr-with-gt"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
+
+func TestOperatorsBooleanEvaluation(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		// true &&
+		{"true && true", true, "true-and"},
+		{"true && false", false, "true-and"},
+		{"true && null", nil, "true-and"},
+		{"true && -10", -10, "true-and"},
+		{"true && 0", 0, "true-and"},
+		{"true && 10", 10, "true-and"},
+		{"true && 3.14", 3.14, "true-and"},
+		{"true && 0.0", 0, "true-and"},
+		{"true && Infinity", math.Inf(1), "true-and"},
+		// {"true && -Infinity", math.Inf(-1), "true-and"},
+		{"true && NaN", math.NaN(), "true-and"},
+		{"true && ''", "", "true-and"},
+		{"true && 'abc'", "abc", "true-and"},
+		// false &&
+		{"false && true", false, "false-and"},
+		{"false && false", false, "false-and"},
+		{"false && null", false, "false-and"},
+		{"false && -10", false, "false-and"},
+		{"false && 0", false, "false-and"},
+		{"false && 10", false, "false-and"},
+		{"false && 3.14", false, "false-and"},
+		{"false && 0.0", false, "false-and"},
+		{"false && Infinity", false, "false-and"},
+		// {"false && -Infinity", false, "false-and"},
+		{"false && NaN", false, "false-and"},
+		{"false && ''", false, "false-and"},
+		{"false && 'abc'", false, "false-and"},
+		// true ||
+		{"true || true", true, "true-or"},
+		{"true || false", true, "true-or"},
+		{"true || null", true, "true-or"},
+		{"true || -10", true, "true-or"},
+		{"true || 0", true, "true-or"},
+		{"true || 10", true, "true-or"},
+		{"true || 3.14", true, "true-or"},
+		{"true || 0.0", true, "true-or"},
+		{"true || Infinity", true, "true-or"},
+		// {"true || -Infinity", true, "true-or"},
+		{"true || NaN", true, "true-or"},
+		{"true || ''", true, "true-or"},
+		{"true || 'abc'", true, "true-or"},
+		// false ||
+		{"false || true", true, "false-or"},
+		{"false || false", false, "false-or"},
+		{"false || null", nil, "false-or"},
+		{"false || -10", -10, "false-or"},
+		{"false || 0", 0, "false-or"},
+		{"false || 10", 10, "false-or"},
+		{"false || 3.14", 3.14, "false-or"},
+		{"false || 0.0", 0, "false-or"},
+		{"false || Infinity", math.Inf(1), "false-or"},
+		// {"false || -Infinity", math.Inf(-1), "false-or"},
+		{"false || NaN", math.NaN(), "false-or"},
+		{"false || ''", "", "false-or"},
+		{"false || 'abc'", "abc", "false-or"},
+		// null &&
+		{"null && true", nil, "null-and"},
+		{"null && false", nil, "null-and"},
+		{"null && null", nil, "null-and"},
+		{"null && -10", nil, "null-and"},
+		{"null && 0", nil, "null-and"},
+		{"null && 10", nil, "null-and"},
+		{"null && 3.14", nil, "null-and"},
+		{"null && 0.0", nil, "null-and"},
+		{"null && Infinity", nil, "null-and"},
+		// {"null && -Infinity", nil, "null-and"},
+		{"null && NaN", nil, "null-and"},
+		{"null && ''", nil, "null-and"},
+		{"null && 'abc'", nil, "null-and"},
+		// null ||
+		{"null || true", true, "null-or"},
+		{"null || false", false, "null-or"},
+		{"null || null", nil, "null-or"},
+		{"null || -10", -10, "null-or"},
+		{"null || 0", 0, "null-or"},
+		{"null || 10", 10, "null-or"},
+		{"null || 3.14", 3.14, "null-or"},
+		{"null || 0.0", 0, "null-or"},
+		{"null || Infinity", math.Inf(1), "null-or"},
+		// {"null || -Infinity", math.Inf(-1), "null-or"},
+		{"null || NaN", math.NaN(), "null-or"},
+		{"null || ''", "", "null-or"},
+		{"null || 'abc'", "abc", "null-or"},
+		// -10 &&
+		{"-10 && true", true, "neg-num-and"},
+		{"-10 && false", false, "neg-num-and"},
+		{"-10 && null", nil, "neg-num-and"},
+		{"-10 && -10", -10, "neg-num-and"},
+		{"-10 && 0", 0, "neg-num-and"},
+		{"-10 && 10", 10, "neg-num-and"},
+		{"-10 && 3.14", 3.14, "neg-num-and"},
+		{"-10 && 0.0", 0, "neg-num-and"},
+		{"-10 && Infinity", math.Inf(1), "neg-num-and"},
+		// {"-10 && -Infinity", math.Inf(-1), "neg-num-and"},
+		{"-10 && NaN", math.NaN(), "neg-num-and"},
+		{"-10 && ''", "", "neg-num-and"},
+		{"-10 && 'abc'", "abc", "neg-num-and"},
+		// -10 ||
+		{"-10 || true", -10, "neg-num-or"},
+		{"-10 || false", -10, "neg-num-or"},
+		{"-10 || null", -10, "neg-num-or"},
+		{"-10 || -10", -10, "neg-num-or"},
+		{"-10 || 0", -10, "neg-num-or"},
+		{"-10 || 10", -10, "neg-num-or"},
+		{"-10 || 3.14", -10, "neg-num-or"},
+		{"-10 || 0.0", -10, "neg-num-or"},
+		{"-10 || Infinity", -10, "neg-num-or"},
+		// {"-10 || -Infinity", -10, "neg-num-or"},
+		{"-10 || NaN", -10, "neg-num-or"},
+		{"-10 || ''", -10, "neg-num-or"},
+		{"-10 || 'abc'", -10, "neg-num-or"},
+		// 0 &&
+		{"0 && true", 0, "zero-and"},
+		{"0 && false", 0, "zero-and"},
+		{"0 && null", 0, "zero-and"},
+		{"0 && -10", 0, "zero-and"},
+		{"0 && 0", 0, "zero-and"},
+		{"0 && 10", 0, "zero-and"},
+		{"0 && 3.14", 0, "zero-and"},
+		{"0 && 0.0", 0, "zero-and"},
+		{"0 && Infinity", 0, "zero-and"},
+		// {"0 && -Infinity", 0, "zero-and"},
+		{"0 && NaN", 0, "zero-and"},
+		{"0 && ''", 0, "zero-and"},
+		{"0 && 'abc'", 0, "zero-and"},
+		// 0 ||
+		{"0 || true", true, "zero-or"},
+		{"0 || false", false, "zero-or"},
+		{"0 || null", nil, "zero-or"},
+		{"0 || -10", -10, "zero-or"},
+		{"0 || 0", 0, "zero-or"},
+		{"0 || 10", 10, "zero-or"},
+		{"0 || 3.14", 3.14, "zero-or"},
+		{"0 || 0.0", 0, "zero-or"},
+		{"0 || Infinity", math.Inf(1), "zero-or"},
+		// {"0 || -Infinity", math.Inf(-1), "zero-or"},
+		{"0 || NaN", math.NaN(), "zero-or"},
+		{"0 || ''", "", "zero-or"},
+		{"0 || 'abc'", "abc", "zero-or"},
+		// 10 &&
+		{"10 && true", true, "pos-num-and"},
+		{"10 && false", false, "pos-num-and"},
+		{"10 && null", nil, "pos-num-and"},
+		{"10 && -10", -10, "pos-num-and"},
+		{"10 && 0", 0, "pos-num-and"},
+		{"10 && 10", 10, "pos-num-and"},
+		{"10 && 3.14", 3.14, "pos-num-and"},
+		{"10 && 0.0", 0, "pos-num-and"},
+		{"10 && Infinity", math.Inf(1), "pos-num-and"},
+		// {"10 && -Infinity", math.Inf(-1), "pos-num-and"},
+		{"10 && NaN", math.NaN(), "pos-num-and"},
+		{"10 && ''", "", "pos-num-and"},
+		{"10 && 'abc'", "abc", "pos-num-and"},
+		// 10 ||
+		{"10 || true", 10, "pos-num-or"},
+		{"10 || false", 10, "pos-num-or"},
+		{"10 || null", 10, "pos-num-or"},
+		{"10 || -10", 10, "pos-num-or"},
+		{"10 || 0", 10, "pos-num-or"},
+		{"10 || 10", 10, "pos-num-or"},
+		{"10 || 3.14", 10, "pos-num-or"},
+		{"10 || 0.0", 10, "pos-num-or"},
+		{"10 || Infinity", 10, "pos-num-or"},
+		// {"10 || -Infinity", 10, "pos-num-or"},
+		{"10 || NaN", 10, "pos-num-or"},
+		{"10 || ''", 10, "pos-num-or"},
+		{"10 || 'abc'", 10, "pos-num-or"},
+		// 3.14 &&
+		{"3.14 && true", true, "pos-float-and"},
+		{"3.14 && false", false, "pos-float-and"},
+		{"3.14 && null", nil, "pos-float-and"},
+		{"3.14 && -10", -10, "pos-float-and"},
+		{"3.14 && 0", 0, "pos-float-and"},
+		{"3.14 && 10", 10, "pos-float-and"},
+		{"3.14 && 3.14", 3.14, "pos-float-and"},
+		{"3.14 && 0.0", 0, "pos-float-and"},
+		{"3.14 && Infinity", math.Inf(1), "pos-float-and"},
+		// {"3.14 && -Infinity", math.Inf(-1), "pos-float-and"},
+		{"3.14 && NaN", math.NaN(), "pos-float-and"},
+		{"3.14 && ''", "", "pos-float-and"},
+		{"3.14 && 'abc'", "abc", "pos-float-and"},
+		// 3.14 ||
+		{"3.14 || true", 3.14, "pos-float-or"},
+		{"3.14 || false", 3.14, "pos-float-or"},
+		{"3.14 || null", 3.14, "pos-float-or"},
+		{"3.14 || -10", 3.14, "pos-float-or"},
+		{"3.14 || 0", 3.14, "pos-float-or"},
+		{"3.14 || 10", 3.14, "pos-float-or"},
+		{"3.14 || 3.14", 3.14, "pos-float-or"},
+		{"3.14 || 0.0", 3.14, "pos-float-or"},
+		{"3.14 || Infinity", 3.14, "pos-float-or"},
+		// {"3.14 || -Infinity", 3.14, "pos-float-or"},
+		{"3.14 || NaN", 3.14, "pos-float-or"},
+		{"3.14 || ''", 3.14, "pos-float-or"},
+		{"3.14 || 'abc'", 3.14, "pos-float-or"},
+		// Infinity &&
+		{"Infinity && true", true, "pos-inf-and"},
+		{"Infinity && false", false, "pos-inf-and"},
+		{"Infinity && null", nil, "pos-inf-and"},
+		{"Infinity && -10", -10, "pos-inf-and"},
+		{"Infinity && 0", 0, "pos-inf-and"},
+		{"Infinity && 10", 10, "pos-inf-and"},
+		{"Infinity && 3.14", 3.14, "pos-inf-and"},
+		{"Infinity && 0.0", 0, "pos-inf-and"},
+		{"Infinity && Infinity", math.Inf(1), "pos-inf-and"},
+		// {"Infinity && -Infinity", math.Inf(-1), "pos-inf-and"},
+		{"Infinity && NaN", math.NaN(), "pos-inf-and"},
+		{"Infinity && ''", "", "pos-inf-and"},
+		{"Infinity && 'abc'", "abc", "pos-inf-and"},
+		// Infinity ||
+		{"Infinity || true", math.Inf(1), "pos-inf-or"},
+		{"Infinity || false", math.Inf(1), "pos-inf-or"},
+		{"Infinity || null", math.Inf(1), "pos-inf-or"},
+		{"Infinity || -10", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 0", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 10", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 3.14", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 0.0", math.Inf(1), "pos-inf-or"},
+		{"Infinity || Infinity", math.Inf(1), "pos-inf-or"},
+		// {"Infinity || -Infinity", math.Inf(1), "pos-inf-or"},
+		{"Infinity || NaN", math.Inf(1), "pos-inf-or"},
+		{"Infinity || ''", math.Inf(1), "pos-inf-or"},
+		{"Infinity || 'abc'", math.Inf(1), "pos-inf-or"},
+		// -Infinity &&
+		// {"-Infinity && true", true, "neg-inf-and"},
+		// {"-Infinity && false", false, "neg-inf-and"},
+		// {"-Infinity && null", nil, "neg-inf-and"},
+		// {"-Infinity && -10", -10, "neg-inf-and"},
+		// {"-Infinity && 0", 0, "neg-inf-and"},
+		// {"-Infinity && 10", 10, "neg-inf-and"},
+		// {"-Infinity && 3.14", 3.14, "neg-inf-and"},
+		// {"-Infinity && 0.0", 0, "neg-inf-and"},
+		// {"-Infinity && Infinity", math.Inf(1), "neg-inf-and"},
+		// {"-Infinity && -Infinity", math.Inf(-1), "neg-inf-and"},
+		// {"-Infinity && NaN", math.NaN(), "neg-inf-and"},
+		// {"-Infinity && ''", "", "neg-inf-and"},
+		// {"-Infinity && 'abc'", "abc", "neg-inf-and"},
+		// -Infinity ||
+		// {"-Infinity || true", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || false", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || null", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || -10", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 0", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 10", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 3.14", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 0.0", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || Infinity", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || -Infinity", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || NaN", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || ''", math.Inf(-1), "neg-inf-or"},
+		// {"-Infinity || 'abc'", math.Inf(-1), "neg-inf-or"},
+		// NaN &&
+		{"NaN && true", math.NaN(), "nan-and"},
+		{"NaN && false", math.NaN(), "nan-and"},
+		{"NaN && null", math.NaN(), "nan-and"},
+		{"NaN && -10", math.NaN(), "nan-and"},
+		{"NaN && 0", math.NaN(), "nan-and"},
+		{"NaN && 10", math.NaN(), "nan-and"},
+		{"NaN && 3.14", math.NaN(), "nan-and"},
+		{"NaN && 0.0", math.NaN(), "nan-and"},
+		{"NaN && Infinity", math.NaN(), "nan-and"},
+		// {"NaN && -Infinity", math.NaN(), "nan-and"},
+		{"NaN && NaN", math.NaN(), "nan-and"},
+		{"NaN && ''", math.NaN(), "nan-and"},
+		{"NaN && 'abc'", math.NaN(), "nan-and"},
+		// NaN ||
+		{"NaN || true", true, "nan-or"},
+		{"NaN || false", false, "nan-or"},
+		{"NaN || null", nil, "nan-or"},
+		{"NaN || -10", -10, "nan-or"},
+		{"NaN || 0", 0, "nan-or"},
+		{"NaN || 10", 10, "nan-or"},
+		{"NaN || 3.14", 3.14, "nan-or"},
+		{"NaN || 0.0", 0, "nan-or"},
+		{"NaN || Infinity", math.Inf(1), "nan-or"},
+		// {"NaN || -Infinity", math.Inf(-1), "nan-or"},
+		{"NaN || NaN", math.NaN(), "nan-or"},
+		{"NaN || ''", "", "nan-or"},
+		{"NaN || 'abc'", "abc", "nan-or"},
+		// "" &&
+		{"'' && true", "", "empty-str-and"},
+		{"'' && false", "", "empty-str-and"},
+		{"'' && null", "", "empty-str-and"},
+		{"'' && -10", "", "empty-str-and"},
+		{"'' && 0", "", "empty-str-and"},
+		{"'' && 10", "", "empty-str-and"},
+		{"'' && 3.14", "", "empty-str-and"},
+		{"'' && 0.0", "", "empty-str-and"},
+		{"'' && Infinity", "", "empty-str-and"},
+		// {"'' && -Infinity", "", "empty-str-and"},
+		{"'' && NaN", "", "empty-str-and"},
+		{"'' && ''", "", "empty-str-and"},
+		{"'' && 'abc'", "", "empty-str-and"},
+		// "" ||
+		{"'' || true", true, "empty-str-or"},
+		{"'' || false", false, "empty-str-or"},
+		{"'' || null", nil, "empty-str-or"},
+		{"'' || -10", -10, "empty-str-or"},
+		{"'' || 0", 0, "empty-str-or"},
+		{"'' || 10", 10, "empty-str-or"},
+		{"'' || 3.14", 3.14, "empty-str-or"},
+		{"'' || 0.0", 0, "empty-str-or"},
+		{"'' || Infinity", math.Inf(1), "empty-str-or"},
+		// {"'' || -Infinity", math.Inf(-1), "empty-str-or"},
+		{"'' || NaN", math.NaN(), "empty-str-or"},
+		{"'' || ''", "", "empty-str-or"},
+		{"'' || 'abc'", "abc", "empty-str-or"},
+		// "abc" &&
+		{"'abc' && true", true, "str-and"},
+		{"'abc' && false", false, "str-and"},
+		{"'abc' && null", nil, "str-and"},
+		{"'abc' && -10", -10, "str-and"},
+		{"'abc' && 0", 0, "str-and"},
+		{"'abc' && 10", 10, "str-and"},
+		{"'abc' && 3.14", 3.14, "str-and"},
+		{"'abc' && 0.0", 0, "str-and"},
+		{"'abc' && Infinity", math.Inf(1), "str-and"},
+		// {"'abc' && -Infinity", math.Inf(-1), "str-and"},
+		{"'abc' && NaN", math.NaN(), "str-and"},
+		{"'abc' && ''", "", "str-and"},
+		{"'abc' && 'abc'", "abc", "str-and"},
+		// "abc" ||
+		{"'abc' || true", "abc", "str-or"},
+		{"'abc' || false", "abc", "str-or"},
+		{"'abc' || null", "abc", "str-or"},
+		{"'abc' || -10", "abc", "str-or"},
+		{"'abc' || 0", "abc", "str-or"},
+		{"'abc' || 10", "abc", "str-or"},
+		{"'abc' || 3.14", "abc", "str-or"},
+		{"'abc' || 0.0", "abc", "str-or"},
+		{"'abc' || Infinity", "abc", "str-or"},
+		// {"'abc' || -Infinity", "abc", "str-or"},
+		{"'abc' || NaN", "abc", "str-or"},
+		{"'abc' || ''", "abc", "str-or"},
+		{"'abc' || 'abc'", "abc", "str-or"},
+		// extra tests
+		{"0.0 && true", 0, "float-evaluation-0-alt"},
+		{"-1.5 && true", true, "float-evaluation-neg-alt"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			if expected, ok := tt.expected.(float64); ok && math.IsNaN(expected) {
+				assert.True(t, math.IsNaN(output.(float64)))
+			} else {
+				assert.Equal(t, tt.expected, output)
+			}
+		})
+	}
+}
+
+func TestContexts(t *testing.T) {
+	table := []struct {
+		input    string
+		expected any
+		name     string
+	}{
+		{"github.action", "push", "github-context"},
+		{"github.event.commits[0].message", nil, "github-context-noexist-prop"},
+		{"fromjson('{\"commits\":[]}').commits[0].message", nil, "github-context-noexist-prop"},
+		{"github.event.pull_request.labels.*.name", nil, "github-context-noexist-prop"},
+		{"env.TEST", "value", "env-context"},
+		{"job.status", "success", "job-context"},
+		{"steps.step-id.outputs.name", "value", "steps-context"},
+		{"steps.step-id.conclusion", "success", "steps-context-conclusion"},
+		{"steps.step-id.conclusion && true", true, "steps-context-conclusion"},
+		{"steps.step-id2.conclusion", "skipped", "steps-context-conclusion"},
+		{"steps.step-id2.conclusion && true", true, "steps-context-conclusion"},
+		{"steps.step-id.outcome", "success", "steps-context-outcome"},
+		{"steps.step-id['outcome']", "success", "steps-context-outcome"},
+		{"steps.step-id.outcome == 'success'", true, "steps-context-outcome"},
+		{"steps.step-id['outcome'] == 'success'", true, "steps-context-outcome"},
+		{"steps.step-id.outcome && true", true, "steps-context-outcome"},
+		{"steps['step-id']['outcome'] && true", true, "steps-context-outcome"},
+		{"steps.step-id2.outcome", "failure", "steps-context-outcome"},
+		{"steps.step-id2.outcome && true", true, "steps-context-outcome"},
+		// Disabled, since the interpreter is still too broken
+		// {"contains(steps.*.outcome, 'success')", true, "steps-context-array-outcome"},
+		// {"contains(steps.*.outcome, 'failure')", true, "steps-context-array-outcome"},
+		// {"contains(steps.*.outputs.name, 'value')", true, "steps-context-array-outputs"},
+		{"runner.os", "Linux", "runner-context"},
+		{"secrets.name", "value", "secrets-context"},
+		{"vars.name", "value", "vars-context"},
+		{"strategy.fail-fast", true, "strategy-context"},
+		{"matrix.os", "Linux", "matrix-context"},
+		{"needs.job-id.outputs.output-name", "value", "needs-context"},
+		{"needs.job-id.result", "success", "needs-context"},
+		{"inputs.name", "value", "inputs-context"},
+	}
+
+	env := &EvaluationEnvironment{
+		Github: &model.GithubContext{
+			Action: "push",
+		},
+		Env: map[string]string{
+			"TEST": "value",
+		},
+		Job: &model.JobContext{
+			Status: "success",
+		},
+		Steps: map[string]*model.StepResult{
+			"step-id": {
+				Outputs: map[string]string{
+					"name": "value",
+				},
+			},
+			"step-id2": {
+				Outcome:    model.StepStatusFailure,
+				Conclusion: model.StepStatusSkipped,
+			},
+		},
+		Runner: map[string]any{
+			"os":         "Linux",
+			"temp":       "/tmp",
+			"tool_cache": "/opt/hostedtoolcache",
+		},
+		Secrets: map[string]string{
+			"name": "value",
+		},
+		Vars: map[string]string{
+			"name": "value",
+		},
+		Strategy: map[string]any{
+			"fail-fast": true,
+		},
+		Matrix: map[string]any{
+			"os": "Linux",
+		},
+		Needs: map[string]Needs{
+			"job-id": {
+				Outputs: map[string]string{
+					"output-name": "value",
+				},
+				Result: "success",
+			},
+		},
+		Inputs: map[string]any{
+			"name": "value",
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			output, err := NewInterpeter(env, Config{}).Evaluate(tt.input, DefaultStatusCheckNone)
+			assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+			assert.Equal(t, tt.expected, output)
+		})
+	}
+}
--- a/act/exprparser/testdata/for-hashing-1.txt
+++ b/act/exprparser/testdata/for-hashing-1.txt
@@ -0,0 +1 @@
+Hello
--- a/act/exprparser/testdata/for-hashing-2.txt
+++ b/act/exprparser/testdata/for-hashing-2.txt
@@ -0,0 +1 @@
+World!
--- a/act/exprparser/testdata/for-hashing-3/data.txt
+++ b/act/exprparser/testdata/for-hashing-3/data.txt
@@ -0,0 +1 @@
+Knock knock!
--- a/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
+++ b/act/exprparser/testdata/for-hashing-3/nested/nested-data.txt
@@ -0,0 +1 @@
+Anybody home?
--- a/act/filecollector/file_collector.go
+++ b/act/filecollector/file_collector.go
@@ -0,0 +1,214 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package filecollector
+
+import (
+	"archive/tar"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	git "github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/filemode"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/go-git/go-git/v5/plumbing/format/index"
+)
+
+type Handler interface {
+	WriteFile(path string, fi fs.FileInfo, linkName string, f io.Reader) error
+}
+
+type TarCollector struct {
+	TarWriter *tar.Writer
+	UID       int
+	GID       int
+	DstDir    string
+}
+
+func (tc TarCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+	// create a new dir/file header
+	header, err := tar.FileInfoHeader(fi, linkName)
+	if err != nil {
+		return err
+	}
+
+	// update the name to correctly reflect the desired destination when untaring
+	header.Name = path.Join(tc.DstDir, fpath)
+	header.Mode = int64(fi.Mode())
+	header.ModTime = fi.ModTime()
+	header.Uid = tc.UID
+	header.Gid = tc.GID
+
+	// write the header
+	if err := tc.TarWriter.WriteHeader(header); err != nil {
+		return err
+	}
+
+	// this is a symlink no reader provided
+	if f == nil {
+		return nil
+	}
+
+	// copy file data into tar writer
+	if _, err := io.Copy(tc.TarWriter, f); err != nil {
+		return err
+	}
+	return nil
+}
+
+type CopyCollector struct {
+	DstDir string
+}
+
+func (cc *CopyCollector) WriteFile(fpath string, fi fs.FileInfo, linkName string, f io.Reader) error {
+	fdestpath := filepath.Join(cc.DstDir, fpath)
+	if err := os.MkdirAll(filepath.Dir(fdestpath), 0o777); err != nil {
+		return err
+	}
+	if f == nil {
+		return os.Symlink(linkName, fdestpath)
+	}
+	df, err := os.OpenFile(fdestpath, os.O_CREATE|os.O_WRONLY, fi.Mode())
+	if err != nil {
+		return err
+	}
+	defer df.Close()
+	if _, err := io.Copy(df, f); err != nil {
+		return err
+	}
+	return nil
+}
+
+type FileCollector struct {
+	Ignorer   gitignore.Matcher
+	SrcPath   string
+	SrcPrefix string
+	Fs        Fs
+	Handler   Handler
+}
+
+type Fs interface {
+	Walk(root string, fn filepath.WalkFunc) error
+	OpenGitIndex(path string) (*index.Index, error)
+	Open(path string) (io.ReadCloser, error)
+	Readlink(path string) (string, error)
+}
+
+type DefaultFs struct{}
+
+func (*DefaultFs) Walk(root string, fn filepath.WalkFunc) error {
+	return filepath.Walk(root, fn)
+}
+
+func (*DefaultFs) OpenGitIndex(path string) (*index.Index, error) {
+	r, err := git.PlainOpen(path)
+	if err != nil {
+		return nil, err
+	}
+	i, err := r.Storer.Index()
+	if err != nil {
+		return nil, err
+	}
+	return i, nil
+}
+
+func (*DefaultFs) Open(path string) (io.ReadCloser, error) {
+	return os.Open(path)
+}
+
+func (*DefaultFs) Readlink(path string) (string, error) {
+	return os.Readlink(path)
+}
+
+//nolint:gocyclo // function handles many cases
+func (fc *FileCollector) CollectFiles(ctx context.Context, submodulePath []string) filepath.WalkFunc {
+	i, _ := fc.Fs.OpenGitIndex(path.Join(fc.SrcPath, path.Join(submodulePath...)))
+	return func(file string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if ctx != nil {
+			select {
+			case <-ctx.Done():
+				return errors.New("copy cancelled")
+			default:
+			}
+		}
+
+		sansPrefix := strings.TrimPrefix(file, fc.SrcPrefix)
+		split := strings.Split(sansPrefix, string(filepath.Separator))
+		// The root folders should be skipped, submodules only have the last path component set to "." by filepath.Walk
+		if fi.IsDir() && len(split) > 0 && split[len(split)-1] == "." {
+			return nil
+		}
+		var entry *index.Entry
+		if i != nil {
+			entry, err = i.Entry(strings.Join(split[len(submodulePath):], "/"))
+		} else {
+			err = index.ErrEntryNotFound
+		}
+		if err != nil && fc.Ignorer != nil && fc.Ignorer.Match(split, fi.IsDir()) {
+			if fi.IsDir() {
+				if i != nil {
+					ms, err := i.Glob(strings.Join(append(split[len(submodulePath):], "**"), "/"))
+					if err != nil || len(ms) == 0 {
+						return filepath.SkipDir
+					}
+				} else {
+					return filepath.SkipDir
+				}
+			} else {
+				return nil
+			}
+		}
+		if err == nil && entry.Mode == filemode.Submodule {
+			err = fc.Fs.Walk(file, fc.CollectFiles(ctx, split))
+			if err != nil {
+				return err
+			}
+			return filepath.SkipDir
+		}
+		path := filepath.ToSlash(sansPrefix)
+
+		// return on non-regular files (thanks to [kumo](https://medium.com/@komuw/just-like-you-did-fbdd7df829d3) for this suggested update)
+		if fi.Mode()&os.ModeSymlink == os.ModeSymlink {
+			linkName, err := fc.Fs.Readlink(file)
+			if err != nil {
+				return fmt.Errorf("unable to readlink '%s': %w", file, err)
+			}
+			return fc.Handler.WriteFile(path, fi, linkName, nil)
+		} else if !fi.Mode().IsRegular() {
+			return nil
+		}
+
+		// open file
+		f, err := fc.Fs.Open(file)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		if ctx != nil {
+			// make io.Copy cancellable by closing the file
+			cpctx, cpfinish := context.WithCancel(ctx)
+			defer cpfinish()
+			go func() {
+				select {
+				case <-cpctx.Done():
+				case <-ctx.Done():
+					f.Close()
+				}
+			}()
+		}
+
+		return fc.Handler.WriteFile(path, fi, "", f)
+	}
+}
--- a/act/filecollector/file_collector_test.go
+++ b/act/filecollector/file_collector_test.go
@@ -0,0 +1,176 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// Copyright 2024 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package filecollector
+
+import (
+	"archive/tar"
+	"context"
+	"io"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/go-git/go-billy/v5"
+	"github.com/go-git/go-billy/v5/memfs"
+	git "github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing/cache"
+	"github.com/go-git/go-git/v5/plumbing/format/gitignore"
+	"github.com/go-git/go-git/v5/plumbing/format/index"
+	"github.com/go-git/go-git/v5/storage/filesystem"
+	"github.com/stretchr/testify/assert"
+)
+
+type memoryFs struct {
+	billy.Filesystem
+}
+
+func (mfs *memoryFs) walk(root string, fn filepath.WalkFunc) error {
+	dir, err := mfs.ReadDir(root)
+	if err != nil {
+		return err
+	}
+	for i := range dir {
+		filename := filepath.Join(root, dir[i].Name())
+		err = fn(filename, dir[i], nil)
+		if dir[i].IsDir() {
+			if err == filepath.SkipDir {
+				err = nil
+			} else if err := mfs.walk(filename, fn); err != nil {
+				return err
+			}
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (mfs *memoryFs) Walk(root string, fn filepath.WalkFunc) error {
+	stat, err := mfs.Lstat(root)
+	if err != nil {
+		return err
+	}
+	err = fn(strings.Join([]string{root, "."}, string(filepath.Separator)), stat, nil)
+	if err != nil {
+		return err
+	}
+	return mfs.walk(root, fn)
+}
+
+func (mfs *memoryFs) OpenGitIndex(path string) (*index.Index, error) {
+	f, _ := mfs.Filesystem.Chroot(filepath.Join(path, ".git")) //nolint:staticcheck // pre-existing issue from nektos/act
+	storage := filesystem.NewStorage(f, cache.NewObjectLRUDefault())
+	i, err := storage.Index()
+	if err != nil {
+		return nil, err
+	}
+	return i, nil
+}
+
+func (mfs *memoryFs) Open(path string) (io.ReadCloser, error) {
+	return mfs.Filesystem.Open(path)
+}
+
+func (mfs *memoryFs) Readlink(path string) (string, error) {
+	return mfs.Filesystem.Readlink(path)
+}
+
+func TestIgnoredTrackedfile(t *testing.T) {
+	fs := memfs.New()
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
+	dotgit, _ := fs.Chroot("mygitrepo/.git")
+	worktree, _ := fs.Chroot("mygitrepo")
+	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
+	f, _ := worktree.Create(".gitignore")
+	_, _ = f.Write([]byte(".*\n"))
+	f.Close()
+	// This file shouldn't be in the tar
+	f, _ = worktree.Create(".env")
+	_, _ = f.Write([]byte("test=val1\n"))
+	f.Close()
+	w, _ := repo.Worktree()
+	// .gitignore is in the tar after adding it to the index
+	_, _ = w.Add(".gitignore")
+
+	tmpTar, _ := fs.Create("temp.tar")
+	tw := tar.NewWriter(tmpTar)
+	ps, _ := gitignore.ReadPatterns(worktree, []string{})
+	ignorer := gitignore.NewMatcher(ps)
+	fc := &FileCollector{
+		Fs:        &memoryFs{Filesystem: fs},
+		Ignorer:   ignorer,
+		SrcPath:   "mygitrepo",
+		SrcPrefix: "mygitrepo" + string(filepath.Separator),
+		Handler: &TarCollector{
+			TarWriter: tw,
+		},
+	}
+	err := fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
+	assert.NoError(t, err, "successfully collect files") //nolint:testifylint // pre-existing issue from nektos/act
+	tw.Close()
+	_, _ = tmpTar.Seek(0, io.SeekStart)
+	tr := tar.NewReader(tmpTar)
+	h, err := tr.Next()
+	assert.NoError(t, err, "tar must not be empty") //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Equal(t, ".gitignore", h.Name)
+	_, err = tr.Next()
+	assert.ErrorIs(t, err, io.EOF, "tar must only contain one element")
+}
+
+func TestSymlinks(t *testing.T) {
+	fs := memfs.New()
+	_ = fs.MkdirAll("mygitrepo/.git", 0o777)
+	dotgit, _ := fs.Chroot("mygitrepo/.git")
+	worktree, _ := fs.Chroot("mygitrepo")
+	repo, _ := git.Init(filesystem.NewStorage(dotgit, cache.NewObjectLRUDefault()), worktree)
+	// This file shouldn't be in the tar
+	f, err := worktree.Create(".env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	_, err = f.Write([]byte("test=val1\n"))
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	f.Close()
+	err = worktree.Symlink(".env", "test.env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	w, err := repo.Worktree()
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	// .gitignore is in the tar after adding it to the index
+	_, err = w.Add(".env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	_, err = w.Add("test.env")
+	assert.NoError(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+
+	tmpTar, _ := fs.Create("temp.tar")
+	tw := tar.NewWriter(tmpTar)
+	ps, _ := gitignore.ReadPatterns(worktree, []string{})
+	ignorer := gitignore.NewMatcher(ps)
+	fc := &FileCollector{
+		Fs:        &memoryFs{Filesystem: fs},
+		Ignorer:   ignorer,
+		SrcPath:   "mygitrepo",
+		SrcPrefix: "mygitrepo" + string(filepath.Separator),
+		Handler: &TarCollector{
+			TarWriter: tw,
+		},
+	}
+	err = fc.Fs.Walk("mygitrepo", fc.CollectFiles(context.Background(), []string{}))
+	assert.NoError(t, err, "successfully collect files") //nolint:testifylint // pre-existing issue from nektos/act
+	tw.Close()
+	_, _ = tmpTar.Seek(0, io.SeekStart)
+	tr := tar.NewReader(tmpTar)
+	h, err := tr.Next()
+	files := map[string]tar.Header{}
+	for err == nil {
+		files[h.Name] = *h
+		h, err = tr.Next()
+	}
+
+	assert.Equal(t, ".env", files[".env"].Name)
+	assert.Equal(t, "test.env", files["test.env"].Name)
+	assert.Equal(t, ".env", files["test.env"].Linkname)
+	assert.ErrorIs(t, err, io.EOF, "tar must be read cleanly to EOF")
+}
--- a/act/lookpath/LICENSE
+++ b/act/lookpath/LICENSE
@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+	* Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+	* Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+	* Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/act/lookpath/env.go
+++ b/act/lookpath/env.go
@@ -0,0 +1,21 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package lookpath
+
+import "os"
+
+type Env interface {
+	Getenv(name string) string
+}
+
+type defaultEnv struct{}
+
+func (*defaultEnv) Getenv(name string) string {
+	return os.Getenv(name)
+}
+
+func LookPath(file string) (string, error) {
+	return LookPath2(file, &defaultEnv{})
+}
--- a/act/lookpath/error.go
+++ b/act/lookpath/error.go
@@ -0,0 +1,14 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package lookpath
+
+type Error struct {
+	Name string
+	Err  error
+}
+
+func (e *Error) Error() string {
+	return e.Err.Error()
+}
--- a/act/lookpath/lp_js.go
+++ b/act/lookpath/lp_js.go
@@ -0,0 +1,24 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build js && wasm
+
+package lookpath
+
+import (
+	"errors"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $PATH")
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// Wasm can not execute processes, so act as if there are no executables at all.
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_plan9.go
+++ b/act/lookpath/lp_plan9.go
@@ -0,0 +1,57 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $path")
+
+func findExecutable(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if m := d.Mode(); !m.IsDir() && m&0o111 != 0 {
+		return nil
+	}
+	return fs.ErrPermission
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the path environment variable.
+// If file begins with "/", "#", "./", or "../", it is tried
+// directly and the path is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// skip the path lookup for these prefixes
+	skip := []string{"/", "#", "./", "../"}
+
+	for _, p := range skip {
+		if strings.HasPrefix(file, p) {
+			err := findExecutable(file)
+			if err == nil {
+				return file, nil
+			}
+			return "", &Error{file, err}
+		}
+	}
+
+	path := lenv.Getenv("path")
+	for _, dir := range filepath.SplitList(path) {
+		path := filepath.Join(dir, file)
+		if err := findExecutable(path); err == nil {
+			return path, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_unix.go
+++ b/act/lookpath/lp_unix.go
@@ -0,0 +1,60 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in $PATH")
+
+func findExecutable(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if m := d.Mode(); !m.IsDir() && m&0o111 != 0 {
+		return nil
+	}
+	return fs.ErrPermission
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	// NOTE(rsc): I wish we could use the Plan 9 behavior here
+	// (only bypass the path if file begins with / or ./ or ../)
+	// but that would not match all the Unix shells.
+
+	if strings.Contains(file, "/") {
+		err := findExecutable(file)
+		if err == nil {
+			return file, nil
+		}
+		return "", &Error{file, err}
+	}
+	path := lenv.Getenv("PATH")
+	for _, dir := range filepath.SplitList(path) {
+		if dir == "" {
+			// Unix shell semantics: path element "" means "."
+			dir = "."
+		}
+		path := filepath.Join(dir, file)
+		if err := findExecutable(path); err == nil {
+			return path, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/lookpath/lp_windows.go
+++ b/act/lookpath/lp_windows.go
@@ -0,0 +1,95 @@
+//nolint:goheader // pre-existing issue from nektos/act
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package lookpath
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrNotFound is the error resulting if a path search failed to find an executable file.
+var ErrNotFound = errors.New("executable file not found in %PATH%")
+
+func chkStat(file string) error {
+	d, err := os.Stat(file)
+	if err != nil {
+		return err
+	}
+	if d.IsDir() {
+		return fs.ErrPermission
+	}
+	return nil
+}
+
+func hasExt(file string) bool {
+	i := strings.LastIndex(file, ".")
+	if i < 0 {
+		return false
+	}
+	return strings.LastIndexAny(file, `:\/`) < i
+}
+
+func findExecutable(file string, exts []string) (string, error) {
+	if len(exts) == 0 {
+		return file, chkStat(file)
+	}
+	if hasExt(file) {
+		if chkStat(file) == nil {
+			return file, nil
+		}
+	}
+	for _, e := range exts {
+		if f := file + e; chkStat(f) == nil {
+			return f, nil
+		}
+	}
+	return "", fs.ErrNotExist
+}
+
+// LookPath searches for an executable named file in the
+// directories named by the PATH environment variable.
+// If file contains a slash, it is tried directly and the PATH is not consulted.
+// LookPath also uses PATHEXT environment variable to match
+// a suitable candidate.
+// The result may be an absolute path or a path relative to the current directory.
+func LookPath2(file string, lenv Env) (string, error) {
+	var exts []string
+	x := lenv.Getenv(`PATHEXT`)
+	if x != "" {
+		for _, e := range strings.Split(strings.ToLower(x), `;`) {
+			if e == "" {
+				continue
+			}
+			if e[0] != '.' {
+				e = "." + e
+			}
+			exts = append(exts, e)
+		}
+	} else {
+		exts = []string{".com", ".exe", ".bat", ".cmd"}
+	}
+
+	if strings.ContainsAny(file, `:\/`) {
+		if f, err := findExecutable(file, exts); err == nil {
+			return f, nil
+		} else {
+			return "", &Error{file, err}
+		}
+	}
+	if f, err := findExecutable(filepath.Join(".", file), exts); err == nil {
+		return f, nil
+	}
+	path := lenv.Getenv("path")
+	for _, dir := range filepath.SplitList(path) {
+		if f, err := findExecutable(filepath.Join(dir, file), exts); err == nil {
+			return f, nil
+		}
+	}
+	return "", &Error{file, ErrNotFound}
+}
--- a/act/model/action.go
+++ b/act/model/action.go
@@ -0,0 +1,136 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"go.yaml.in/yaml/v4"
+)
+
+// ActionRunsUsing is the type of runner for the action
+type ActionRunsUsing string
+
+func (a *ActionRunsUsing) UnmarshalYAML(unmarshal func(any) error) error {
+	var using string
+	if err := unmarshal(&using); err != nil {
+		return err
+	}
+
+	// Force input to lowercase for case insensitive comparison
+	format := ActionRunsUsing(strings.ToLower(using))
+	switch format {
+	case ActionRunsUsingNode24, ActionRunsUsingNode20, ActionRunsUsingNode16, ActionRunsUsingNode12, ActionRunsUsingDocker, ActionRunsUsingComposite, ActionRunsUsingGo:
+		*a = format
+	default:
+		return fmt.Errorf("The runs.using key in action.yml must be one of: %v, got %s", []string{
+			ActionRunsUsingComposite,
+			ActionRunsUsingDocker,
+			ActionRunsUsingNode12,
+			ActionRunsUsingNode16,
+			ActionRunsUsingNode20,
+			ActionRunsUsingNode24,
+			ActionRunsUsingGo,
+		}, format)
+	}
+	return nil
+}
+
+const (
+	// ActionRunsUsingNode12 for running with node12
+	ActionRunsUsingNode12 = "node12"
+	// ActionRunsUsingNode16 for running with node16
+	ActionRunsUsingNode16 = "node16"
+	// ActionRunsUsingNode20 for running with node20
+	ActionRunsUsingNode20 = "node20"
+	// ActionRunsUsingNode24 for running with node24
+	ActionRunsUsingNode24 = "node24"
+	// ActionRunsUsingDocker for running with docker
+	ActionRunsUsingDocker = "docker"
+	// ActionRunsUsingComposite for running composite
+	ActionRunsUsingComposite = "composite"
+	// ActionRunsUsingGo for running with go
+	ActionRunsUsingGo = "go"
+)
+
+func (a ActionRunsUsing) IsNode() bool {
+	switch a {
+	case ActionRunsUsingNode12, ActionRunsUsingNode16, ActionRunsUsingNode20, ActionRunsUsingNode24:
+		return true
+	default:
+		return false
+	}
+}
+
+func (a ActionRunsUsing) IsDocker() bool {
+	return a == ActionRunsUsingDocker
+}
+
+func (a ActionRunsUsing) IsComposite() bool {
+	return a == ActionRunsUsingComposite
+}
+
+// ActionRuns are a field in Action
+type ActionRuns struct {
+	Using      ActionRunsUsing   `yaml:"using"`
+	Env        map[string]string `yaml:"env"`
+	Main       string            `yaml:"main"`
+	Pre        string            `yaml:"pre"`
+	PreIf      string            `yaml:"pre-if"`
+	Post       string            `yaml:"post"`
+	PostIf     string            `yaml:"post-if"`
+	Image      string            `yaml:"image"`
+	Entrypoint string            `yaml:"entrypoint"`
+	Args       []string          `yaml:"args"`
+	Steps      []Step            `yaml:"steps"`
+}
+
+// Action describes a metadata file for GitHub actions. The metadata filename must be either action.yml or action.yaml. The data in the metadata file defines the inputs, outputs and main entrypoint for your action.
+type Action struct {
+	Name        string            `yaml:"name"`
+	Author      string            `yaml:"author"`
+	Description string            `yaml:"description"`
+	Inputs      map[string]Input  `yaml:"inputs"`
+	Outputs     map[string]Output `yaml:"outputs"`
+	Runs        ActionRuns        `yaml:"runs"`
+	Branding    struct {
+		Color string `yaml:"color"`
+		Icon  string `yaml:"icon"`
+	} `yaml:"branding"`
+}
+
+// Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.
+type Input struct {
+	Description string `yaml:"description"`
+	Required    bool   `yaml:"required"`
+	Default     string `yaml:"default"`
+}
+
+// Output parameters allow you to declare data that an action sets. Actions that run later in a workflow can use the output data set in previously run actions. For example, if you had an action that performed the addition of two inputs (x + y = z), the action could output the sum (z) for other actions to use as an input.
+type Output struct {
+	Description string `yaml:"description"`
+	Value       string `yaml:"value"`
+}
+
+// ReadAction reads an action from a reader
+func ReadAction(in io.Reader) (*Action, error) {
+	a := new(Action)
+	err := yaml.NewDecoder(in).Decode(a)
+	if err != nil {
+		return nil, err
+	}
+
+	// set defaults
+	if a.Runs.PreIf == "" {
+		a.Runs.PreIf = "always()"
+	}
+	if a.Runs.PostIf == "" {
+		a.Runs.PostIf = "always()"
+	}
+
+	return a, nil
+}
--- a/act/model/github_context.go
+++ b/act/model/github_context.go
@@ -0,0 +1,222 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"gitea.com/gitea/act_runner/act/common"
+	"gitea.com/gitea/act_runner/act/common/git"
+)
+
+type GithubContext struct {
+	Event            map[string]any `json:"event"`
+	EventPath        string         `json:"event_path"`
+	Workflow         string         `json:"workflow"`
+	RunID            string         `json:"run_id"`
+	RunNumber        string         `json:"run_number"`
+	Actor            string         `json:"actor"`
+	Repository       string         `json:"repository"`
+	EventName        string         `json:"event_name"`
+	Sha              string         `json:"sha"`
+	Ref              string         `json:"ref"`
+	RefName          string         `json:"ref_name"`
+	RefType          string         `json:"ref_type"`
+	HeadRef          string         `json:"head_ref"`
+	BaseRef          string         `json:"base_ref"`
+	Token            string         `json:"token"`
+	Workspace        string         `json:"workspace"`
+	Action           string         `json:"action"`
+	ActionPath       string         `json:"action_path"`
+	ActionRef        string         `json:"action_ref"`
+	ActionRepository string         `json:"action_repository"`
+	Job              string         `json:"job"`
+	JobName          string         `json:"job_name"`
+	RepositoryOwner  string         `json:"repository_owner"`
+	RetentionDays    string         `json:"retention_days"`
+	RunnerPerflog    string         `json:"runner_perflog"`
+	RunnerTrackingID string         `json:"runner_tracking_id"`
+	ServerURL        string         `json:"server_url"`
+	APIURL           string         `json:"api_url"`
+	GraphQLURL       string         `json:"graphql_url"`
+
+	// For Gitea
+	RunAttempt string `json:"run_attempt"`
+}
+
+func asString(v any) string {
+	if v == nil {
+		return ""
+	} else if s, ok := v.(string); ok {
+		return s
+	}
+	return ""
+}
+
+func nestedMapLookup(m map[string]any, ks ...string) (rval any) {
+	var ok bool
+
+	if len(ks) == 0 { // degenerate input
+		return nil
+	}
+	if rval, ok = m[ks[0]]; !ok {
+		return nil
+	} else if len(ks) == 1 { // we've reached the final key
+		return rval
+	} else if m, ok = rval.(map[string]any); !ok {
+		return nil
+	} else { // 1+ more keys
+		return nestedMapLookup(m, ks[1:]...)
+	}
+}
+
+func withDefaultBranch(ctx context.Context, b string, event map[string]any) map[string]any {
+	repoI, ok := event["repository"]
+	if !ok {
+		repoI = make(map[string]any)
+	}
+
+	repo, ok := repoI.(map[string]any)
+	if !ok {
+		common.Logger(ctx).Warnf("unable to set default branch to %v", b)
+		return event
+	}
+
+	// if the branch is already there return with no changes
+	if _, ok = repo["default_branch"]; ok {
+		return event
+	}
+
+	repo["default_branch"] = b
+	event["repository"] = repo
+
+	return event
+}
+
+var (
+	findGitRef      = git.FindGitRef
+	findGitRevision = git.FindGitRevision
+)
+
+func (ghc *GithubContext) SetRef(ctx context.Context, defaultBranch, repoPath string) {
+	logger := common.Logger(ctx)
+
+	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+	// https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads
+	switch ghc.EventName {
+	case "pull_request_target":
+		ghc.Ref = "refs/heads/" + ghc.BaseRef
+	case "pull_request", "pull_request_review", "pull_request_review_comment":
+		ghc.Ref = fmt.Sprintf("refs/pull/%.0f/merge", ghc.Event["number"])
+	case "deployment", "deployment_status":
+		ghc.Ref = asString(nestedMapLookup(ghc.Event, "deployment", "ref"))
+	case "release":
+		ghc.Ref = "refs/tags/" + asString(nestedMapLookup(ghc.Event, "release", "tag_name"))
+	case "push", "create", "workflow_dispatch":
+		ghc.Ref = asString(ghc.Event["ref"])
+	default:
+		defaultBranch := asString(nestedMapLookup(ghc.Event, "repository", "default_branch"))
+		if defaultBranch != "" {
+			ghc.Ref = "refs/heads/" + defaultBranch
+		}
+	}
+
+	if ghc.Ref == "" {
+		ref, err := findGitRef(ctx, repoPath)
+		if err != nil {
+			logger.Warningf("unable to get git ref: %v", err)
+		} else {
+			logger.Debugf("using github ref: %s", ref)
+			ghc.Ref = ref
+		}
+
+		// set the branch in the event data
+		if defaultBranch != "" {
+			ghc.Event = withDefaultBranch(ctx, defaultBranch, ghc.Event)
+		} else {
+			ghc.Event = withDefaultBranch(ctx, "master", ghc.Event)
+		}
+
+		if ghc.Ref == "" {
+			ghc.Ref = "refs/heads/" + asString(nestedMapLookup(ghc.Event, "repository", "default_branch"))
+		}
+	}
+}
+
+func (ghc *GithubContext) SetSha(ctx context.Context, repoPath string) {
+	logger := common.Logger(ctx)
+
+	// https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows
+	// https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads
+	switch ghc.EventName {
+	case "pull_request_target":
+		ghc.Sha = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "sha"))
+	case "deployment", "deployment_status":
+		ghc.Sha = asString(nestedMapLookup(ghc.Event, "deployment", "sha"))
+	case "push", "create", "workflow_dispatch":
+		if deleted, ok := ghc.Event["deleted"].(bool); ok && !deleted {
+			ghc.Sha = asString(ghc.Event["after"])
+		}
+	}
+
+	if ghc.Sha == "" {
+		_, sha, err := findGitRevision(ctx, repoPath)
+		if err != nil {
+			logger.Warningf("unable to get git revision: %v", err)
+		} else {
+			ghc.Sha = sha
+		}
+	}
+}
+
+func (ghc *GithubContext) SetRepositoryAndOwner(ctx context.Context, githubInstance, remoteName, repoPath string) {
+	if ghc.Repository == "" {
+		repo, err := git.FindGithubRepo(ctx, repoPath, githubInstance, remoteName)
+		if err != nil {
+			common.Logger(ctx).Warningf("unable to get git repo (githubInstance: %v; remoteName: %v, repoPath: %v): %v", githubInstance, remoteName, repoPath, err)
+			return
+		}
+		ghc.Repository = repo
+	}
+	ghc.RepositoryOwner = strings.Split(ghc.Repository, "/")[0]
+}
+
+func (ghc *GithubContext) SetRefTypeAndName() {
+	var refType, refName string
+
+	// https://docs.github.com/en/actions/learn-github-actions/environment-variables
+	if strings.HasPrefix(ghc.Ref, "refs/tags/") {
+		refType = "tag"
+		refName = ghc.Ref[len("refs/tags/"):]
+	} else if strings.HasPrefix(ghc.Ref, "refs/heads/") {
+		refType = "branch"
+		refName = ghc.Ref[len("refs/heads/"):]
+	} else if strings.HasPrefix(ghc.Ref, "refs/pull/") {
+		refType = ""
+		refName = ghc.Ref[len("refs/pull/"):]
+	}
+
+	if ghc.RefType == "" {
+		ghc.RefType = refType
+	}
+
+	if ghc.RefName == "" {
+		ghc.RefName = refName
+	}
+}
+
+func (ghc *GithubContext) SetBaseAndHeadRef() {
+	if ghc.EventName == "pull_request" || ghc.EventName == "pull_request_target" {
+		if ghc.BaseRef == "" {
+			ghc.BaseRef = asString(nestedMapLookup(ghc.Event, "pull_request", "base", "ref"))
+		}
+
+		if ghc.HeadRef == "" {
+			ghc.HeadRef = asString(nestedMapLookup(ghc.Event, "pull_request", "head", "ref"))
+		}
+	}
+}
--- a/act/model/github_context_test.go
+++ b/act/model/github_context_test.go
@@ -0,0 +1,216 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2022 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSetRef(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	oldFindGitRef := findGitRef
+	oldFindGitRevision := findGitRevision
+	defer func() { findGitRef = oldFindGitRef }()
+	defer func() { findGitRevision = oldFindGitRevision }()
+
+	findGitRef = func(ctx context.Context, file string) (string, error) {
+		return "refs/heads/master", nil
+	}
+
+	findGitRevision = func(ctx context.Context, file string) (string, string, error) {
+		return "", "1234fakesha", nil
+	}
+
+	tables := []struct {
+		eventName string
+		event     map[string]any
+		ref       string
+		refName   string
+	}{
+		{
+			eventName: "pull_request_target",
+			event:     map[string]any{},
+			ref:       "refs/heads/master",
+			refName:   "master",
+		},
+		{
+			eventName: "pull_request",
+			event: map[string]any{
+				"number": 1234.,
+			},
+			ref:     "refs/pull/1234/merge",
+			refName: "1234/merge",
+		},
+		{
+			eventName: "deployment",
+			event: map[string]any{
+				"deployment": map[string]any{
+					"ref": "refs/heads/somebranch",
+				},
+			},
+			ref:     "refs/heads/somebranch",
+			refName: "somebranch",
+		},
+		{
+			eventName: "release",
+			event: map[string]any{
+				"release": map[string]any{
+					"tag_name": "v1.0.0",
+				},
+			},
+			ref:     "refs/tags/v1.0.0",
+			refName: "v1.0.0",
+		},
+		{
+			eventName: "push",
+			event: map[string]any{
+				"ref": "refs/heads/somebranch",
+			},
+			ref:     "refs/heads/somebranch",
+			refName: "somebranch",
+		},
+		{
+			eventName: "unknown",
+			event: map[string]any{
+				"repository": map[string]any{
+					"default_branch": "main",
+				},
+			},
+			ref:     "refs/heads/main",
+			refName: "main",
+		},
+		{
+			eventName: "no-event",
+			event:     map[string]any{},
+			ref:       "refs/heads/master",
+			refName:   "master",
+		},
+	}
+
+	for _, table := range tables {
+		t.Run(table.eventName, func(t *testing.T) {
+			ghc := &GithubContext{
+				EventName: table.eventName,
+				BaseRef:   "master",
+				Event:     table.event,
+			}
+
+			ghc.SetRef(context.Background(), "main", "/some/dir")
+			ghc.SetRefTypeAndName()
+
+			assert.Equal(t, table.ref, ghc.Ref)
+			assert.Equal(t, table.refName, ghc.RefName)
+		})
+	}
+
+	t.Run("no-default-branch", func(t *testing.T) {
+		findGitRef = func(ctx context.Context, file string) (string, error) {
+			return "", errors.New("no default branch")
+		}
+
+		ghc := &GithubContext{
+			EventName: "no-default-branch",
+			Event:     map[string]any{},
+		}
+
+		ghc.SetRef(context.Background(), "", "/some/dir")
+
+		assert.Equal(t, "refs/heads/master", ghc.Ref)
+	})
+}
+
+func TestSetSha(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	oldFindGitRef := findGitRef
+	oldFindGitRevision := findGitRevision
+	defer func() { findGitRef = oldFindGitRef }()
+	defer func() { findGitRevision = oldFindGitRevision }()
+
+	findGitRef = func(ctx context.Context, file string) (string, error) {
+		return "refs/heads/master", nil
+	}
+
+	findGitRevision = func(ctx context.Context, file string) (string, string, error) {
+		return "", "1234fakesha", nil
+	}
+
+	tables := []struct {
+		eventName string
+		event     map[string]any
+		sha       string
+	}{
+		{
+			eventName: "pull_request_target",
+			event: map[string]any{
+				"pull_request": map[string]any{
+					"base": map[string]any{
+						"sha": "pr-base-sha",
+					},
+				},
+			},
+			sha: "pr-base-sha",
+		},
+		{
+			eventName: "pull_request",
+			event: map[string]any{
+				"number": 1234.,
+			},
+			sha: "1234fakesha",
+		},
+		{
+			eventName: "deployment",
+			event: map[string]any{
+				"deployment": map[string]any{
+					"sha": "deployment-sha",
+				},
+			},
+			sha: "deployment-sha",
+		},
+		{
+			eventName: "release",
+			event:     map[string]any{},
+			sha:       "1234fakesha",
+		},
+		{
+			eventName: "push",
+			event: map[string]any{
+				"after":   "push-sha",
+				"deleted": false,
+			},
+			sha: "push-sha",
+		},
+		{
+			eventName: "unknown",
+			event:     map[string]any{},
+			sha:       "1234fakesha",
+		},
+		{
+			eventName: "no-event",
+			event:     map[string]any{},
+			sha:       "1234fakesha",
+		},
+	}
+
+	for _, table := range tables {
+		t.Run(table.eventName, func(t *testing.T) {
+			ghc := &GithubContext{
+				EventName: table.eventName,
+				BaseRef:   "master",
+				Event:     table.event,
+			}
+
+			ghc.SetSha(context.Background(), "/some/dir")
+
+			assert.Equal(t, table.sha, ghc.Sha)
+		})
+	}
+}
--- a/act/model/job_context.go
+++ b/act/model/job_context.go
@@ -0,0 +1,16 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+type JobContext struct {
+	Status    string `json:"status"`
+	Container struct {
+		ID      string `json:"id"`
+		Network string `json:"network"`
+	} `json:"container"`
+	Services map[string]struct {
+		ID string `json:"id"`
+	} `json:"services"`
+}
--- a/act/model/planner.go
+++ b/act/model/planner.go
@@ -0,0 +1,412 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2020 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"math"
+	"os"
+	"path/filepath"
+	"regexp"
+	"slices"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// WorkflowPlanner contains methods for creating plans
+type WorkflowPlanner interface {
+	PlanEvent(eventName string) (*Plan, error)
+	PlanJob(jobName string) (*Plan, error)
+	PlanAll() (*Plan, error)
+	GetEvents() []string
+}
+
+// Plan contains a list of stages to run in series
+type Plan struct {
+	Stages []*Stage
+}
+
+// Stage contains a list of runs to execute in parallel
+type Stage struct {
+	Runs []*Run
+}
+
+// Run represents a job from a workflow that needs to be run
+type Run struct {
+	Workflow *Workflow
+	JobID    string
+}
+
+func (r *Run) String() string {
+	jobName := r.Job().Name
+	if jobName == "" {
+		jobName = r.JobID
+	}
+	return jobName
+}
+
+// Job returns the job for this Run
+func (r *Run) Job() *Job {
+	return r.Workflow.GetJob(r.JobID)
+}
+
+type WorkflowFiles struct {
+	workflowDirEntry os.DirEntry
+	dirPath          string
+}
+
+// NewWorkflowPlanner will load a specific workflow, all workflows from a directory or all workflows from a directory and its subdirectories
+//
+//nolint:gocyclo // function handles many cases
+func NewWorkflowPlanner(path string, noWorkflowRecurse bool) (WorkflowPlanner, error) {
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return nil, err
+	}
+
+	fi, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var workflows []WorkflowFiles
+
+	if fi.IsDir() {
+		log.Debugf("Loading workflows from '%s'", path)
+		if noWorkflowRecurse {
+			files, err := os.ReadDir(path)
+			if err != nil {
+				return nil, err
+			}
+
+			for _, v := range files {
+				workflows = append(workflows, WorkflowFiles{
+					dirPath:          path,
+					workflowDirEntry: v,
+				})
+			}
+		} else {
+			log.Debug("Loading workflows recursively")
+			if err := filepath.Walk(path,
+				func(p string, f os.FileInfo, err error) error {
+					if err != nil {
+						return err
+					}
+
+					if !f.IsDir() {
+						log.Debugf("Found workflow '%s' in '%s'", f.Name(), p)
+						workflows = append(workflows, WorkflowFiles{
+							dirPath:          filepath.Dir(p),
+							workflowDirEntry: fs.FileInfoToDirEntry(f),
+						})
+					}
+
+					return nil
+				}); err != nil {
+				return nil, err
+			}
+		}
+	} else {
+		log.Debugf("Loading workflow '%s'", path)
+		dirname := filepath.Dir(path)
+
+		workflows = append(workflows, WorkflowFiles{
+			dirPath:          dirname,
+			workflowDirEntry: fs.FileInfoToDirEntry(fi),
+		})
+	}
+
+	wp := new(workflowPlanner)
+	for _, wf := range workflows {
+		ext := filepath.Ext(wf.workflowDirEntry.Name())
+		if ext == ".yml" || ext == ".yaml" {
+			f, err := os.Open(filepath.Join(wf.dirPath, wf.workflowDirEntry.Name()))
+			if err != nil {
+				return nil, err
+			}
+
+			log.Debugf("Reading workflow '%s'", f.Name())
+			workflow, err := ReadWorkflow(f)
+			if err != nil {
+				_ = f.Close()
+				if err == io.EOF {
+					return nil, fmt.Errorf("unable to read workflow '%s': file is empty: %w", wf.workflowDirEntry.Name(), err)
+				}
+				return nil, fmt.Errorf("workflow is not valid. '%s': %w", wf.workflowDirEntry.Name(), err)
+			}
+			_, err = f.Seek(0, 0)
+			if err != nil {
+				_ = f.Close()
+				return nil, fmt.Errorf("error occurring when resetting io pointer in '%s': %w", wf.workflowDirEntry.Name(), err)
+			}
+
+			workflow.File = wf.workflowDirEntry.Name()
+			if workflow.Name == "" {
+				workflow.Name = wf.workflowDirEntry.Name()
+			}
+
+			err = validateJobName(workflow)
+			if err != nil {
+				_ = f.Close()
+				return nil, err
+			}
+
+			wp.workflows = append(wp.workflows, workflow)
+			_ = f.Close()
+		}
+	}
+
+	return wp, nil
+}
+
+// CombineWorkflowPlanner combines workflows to a WorkflowPlanner
+func CombineWorkflowPlanner(workflows ...*Workflow) WorkflowPlanner {
+	return &workflowPlanner{
+		workflows: workflows,
+	}
+}
+
+func NewSingleWorkflowPlanner(name string, f io.Reader) (WorkflowPlanner, error) {
+	wp := new(workflowPlanner)
+
+	log.Debugf("Reading workflow %s", name)
+	workflow, err := ReadWorkflow(f)
+	if err != nil {
+		if err == io.EOF {
+			return nil, fmt.Errorf("unable to read workflow '%s': file is empty: %w", name, err)
+		}
+		return nil, fmt.Errorf("workflow is not valid. '%s': %w", name, err)
+	}
+	workflow.File = name
+	if workflow.Name == "" {
+		workflow.Name = name
+	}
+
+	err = validateJobName(workflow)
+	if err != nil {
+		return nil, err
+	}
+
+	wp.workflows = append(wp.workflows, workflow)
+
+	return wp, nil
+}
+
+func validateJobName(workflow *Workflow) error {
+	jobNameRegex := regexp.MustCompile(`^([[:alpha:]_][[:alnum:]_\-]*)$`)
+	for k := range workflow.Jobs {
+		if ok := jobNameRegex.MatchString(k); !ok {
+			return fmt.Errorf("workflow is not valid. '%s': Job name '%s' is invalid. Names must start with a letter or '_' and contain only alphanumeric characters, '-', or '_'", workflow.Name, k)
+		}
+	}
+	return nil
+}
+
+type workflowPlanner struct {
+	workflows []*Workflow
+}
+
+// PlanEvent builds a new list of runs to execute in parallel for an event name
+func (wp *workflowPlanner) PlanEvent(eventName string) (*Plan, error) {
+	plan := new(Plan)
+	if len(wp.workflows) == 0 {
+		log.Debug("no workflows found by planner")
+		return plan, nil
+	}
+	var lastErr error
+
+	for _, w := range wp.workflows {
+		events := w.On()
+		if len(events) == 0 {
+			log.Debugf("no events found for workflow: %s", w.File)
+			continue
+		}
+
+		for _, e := range events {
+			if e == eventName {
+				stages, err := createStages(w, w.GetJobIDs()...)
+				if err != nil {
+					log.Warn(err)
+					lastErr = err
+				} else {
+					plan.mergeStages(stages)
+				}
+			}
+		}
+	}
+	return plan, lastErr
+}
+
+// PlanJob builds a new run to execute in parallel for a job name
+func (wp *workflowPlanner) PlanJob(jobName string) (*Plan, error) {
+	plan := new(Plan)
+	if len(wp.workflows) == 0 {
+		log.Debugf("no jobs found for workflow: %s", jobName)
+	}
+	var lastErr error
+
+	for _, w := range wp.workflows {
+		stages, err := createStages(w, jobName)
+		if err != nil {
+			log.Warn(err)
+			lastErr = err
+		} else {
+			plan.mergeStages(stages)
+		}
+	}
+	return plan, lastErr
+}
+
+// PlanAll builds a new run to execute in parallel all
+func (wp *workflowPlanner) PlanAll() (*Plan, error) {
+	plan := new(Plan)
+	if len(wp.workflows) == 0 {
+		log.Debug("no workflows found by planner")
+		return plan, nil
+	}
+	var lastErr error
+
+	for _, w := range wp.workflows {
+		stages, err := createStages(w, w.GetJobIDs()...)
+		if err != nil {
+			log.Warn(err)
+			lastErr = err
+		} else {
+			plan.mergeStages(stages)
+		}
+	}
+
+	return plan, lastErr
+}
+
+// GetEvents gets all the events in the workflows file
+func (wp *workflowPlanner) GetEvents() []string {
+	events := make([]string, 0)
+	for _, w := range wp.workflows {
+		found := false
+		for _, e := range events {
+			if slices.Contains(w.On(), e) {
+				found = true
+			}
+			if found {
+				break
+			}
+		}
+
+		if !found {
+			events = append(events, w.On()...)
+		}
+	}
+
+	// sort the list based on depth of dependencies
+	slices.Sort(events)
+
+	return events
+}
+
+// MaxRunNameLen determines the max name length of all jobs
+func (p *Plan) MaxRunNameLen() int {
+	maxRunNameLen := 0
+	for _, stage := range p.Stages {
+		for _, run := range stage.Runs {
+			runNameLen := len(run.String())
+			if runNameLen > maxRunNameLen {
+				maxRunNameLen = runNameLen
+			}
+		}
+	}
+	return maxRunNameLen
+}
+
+// GetJobIDs will get all the job names in the stage
+func (s *Stage) GetJobIDs() []string {
+	names := make([]string, 0)
+	for _, r := range s.Runs {
+		names = append(names, r.JobID)
+	}
+	return names
+}
+
+// Merge stages with existing stages in plan
+func (p *Plan) mergeStages(stages []*Stage) {
+	newStages := make([]*Stage, int(math.Max(float64(len(p.Stages)), float64(len(stages)))))
+	for i := range newStages {
+		newStages[i] = new(Stage)
+		if i >= len(p.Stages) {
+			newStages[i].Runs = append(newStages[i].Runs, stages[i].Runs...)
+		} else if i >= len(stages) {
+			newStages[i].Runs = append(newStages[i].Runs, p.Stages[i].Runs...)
+		} else {
+			newStages[i].Runs = append(newStages[i].Runs, p.Stages[i].Runs...)
+			newStages[i].Runs = append(newStages[i].Runs, stages[i].Runs...)
+		}
+	}
+	p.Stages = newStages
+}
+
+func createStages(w *Workflow, jobIDs ...string) ([]*Stage, error) {
+	// first, build a list of all the necessary jobs to run, and their dependencies
+	jobDependencies := make(map[string][]string)
+	for len(jobIDs) > 0 {
+		newJobIDs := make([]string, 0)
+		for _, jID := range jobIDs {
+			// make sure we haven't visited this job yet
+			if _, ok := jobDependencies[jID]; !ok {
+				if job := w.GetJob(jID); job != nil {
+					jobDependencies[jID] = job.Needs()
+					newJobIDs = append(newJobIDs, job.Needs()...)
+				}
+			}
+		}
+		jobIDs = newJobIDs
+	}
+
+	// next, build an execution graph
+	stages := make([]*Stage, 0)
+	for len(jobDependencies) > 0 {
+		stage := new(Stage)
+		for jID, jDeps := range jobDependencies {
+			// make sure all deps are in the graph already
+			if listInStages(jDeps, stages...) {
+				stage.Runs = append(stage.Runs, &Run{
+					Workflow: w,
+					JobID:    jID,
+				})
+				delete(jobDependencies, jID)
+			}
+		}
+		if len(stage.Runs) == 0 {
+			return nil, fmt.Errorf("unable to build dependency graph for %s (%s)", w.Name, w.File)
+		}
+		stages = append(stages, stage)
+	}
+
+	if len(stages) == 0 {
+		return nil, errors.New("Could not find any stages to run. View the valid jobs with `act --list`. Use `act --help` to find how to filter by Job ID/Workflow/Event Name")
+	}
+
+	return stages, nil
+}
+
+// return true iff all strings in srcList exist in at least one of the stages
+func listInStages(srcList []string, stages ...*Stage) bool {
+	for _, src := range srcList {
+		found := false
+		for _, stage := range stages {
+			for _, search := range stage.GetJobIDs() {
+				if src == search {
+					found = true
+				}
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}
--- a/act/model/planner_test.go
+++ b/act/model/planner_test.go
@@ -0,0 +1,67 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import (
+	"path/filepath"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+type WorkflowPlanTest struct {
+	workflowPath      string
+	errorMessage      string
+	noWorkflowRecurse bool
+}
+
+func TestPlanner(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	tables := []WorkflowPlanTest{
+		{"invalid-job-name/invalid-1.yml", "workflow is not valid. 'invalid-job-name-1': Job name 'invalid-JOB-Name-v1.2.3-docker_hub' is invalid. Names must start with a letter or '_' and contain only alphanumeric characters, '-', or '_'", false},
+		{"invalid-job-name/invalid-2.yml", "workflow is not valid. 'invalid-job-name-2': Job name '1234invalid-JOB-Name-v123-docker_hub' is invalid. Names must start with a letter or '_' and contain only alphanumeric characters, '-', or '_'", false},
+		{"invalid-job-name/valid-1.yml", "", false},
+		{"invalid-job-name/valid-2.yml", "", false},
+		{"empty-workflow", "unable to read workflow 'push.yml': file is empty: EOF", false},
+		{"nested", "unable to read workflow 'fail.yml': file is empty: EOF", false},
+		{"nested", "", true},
+	}
+
+	workdir, err := filepath.Abs("testdata")
+	assert.NoError(t, err, workdir) //nolint:testifylint // pre-existing issue from nektos/act
+	for _, table := range tables {
+		fullWorkflowPath := filepath.Join(workdir, table.workflowPath)
+		_, err = NewWorkflowPlanner(fullWorkflowPath, table.noWorkflowRecurse)
+		if table.errorMessage == "" {
+			assert.NoError(t, err, "WorkflowPlanner should exit without any error")
+		} else {
+			assert.EqualError(t, err, table.errorMessage)
+		}
+	}
+}
+
+func TestWorkflow(t *testing.T) {
+	log.SetLevel(log.DebugLevel)
+
+	workflow := Workflow{
+		Jobs: map[string]*Job{
+			"valid_job": {
+				Name: "valid_job",
+			},
+		},
+	}
+
+	// Check that an invalid job id returns error
+	result, err := createStages(&workflow, "invalid_job_id")
+	assert.NotNil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.Nil(t, result)
+
+	// Check that an valid job id returns non-error
+	result, err = createStages(&workflow, "valid_job")
+	assert.Nil(t, err) //nolint:testifylint // pre-existing issue from nektos/act
+	assert.NotNil(t, result)
+}
--- a/act/model/step_result.go
+++ b/act/model/step_result.go
@@ -0,0 +1,49 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Copyright 2021 The nektos/act Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package model
+
+import "fmt"
+
+type stepStatus int
+
+const (
+	StepStatusSuccess stepStatus = iota
+	StepStatusFailure
+	StepStatusSkipped
+)
+
+var stepStatusStrings = [...]string{
+	"success",
+	"failure",
+	"skipped",
+}
+
+func (s stepStatus) MarshalText() ([]byte, error) {
+	return []byte(s.String()), nil
+}
+
+func (s *stepStatus) UnmarshalText(b []byte) error {
+	str := string(b)
+	for i, name := range stepStatusStrings {
+		if name == str {
+			*s = stepStatus(i)
+			return nil
+		}
+	}
+	return fmt.Errorf("invalid step status %q", str)
+}
+
+func (s stepStatus) String() string {
+	if int(s) >= len(stepStatusStrings) {
+		return ""
+	}
+	return stepStatusStrings[s]
+}
+
+type StepResult struct {
+	Outputs    map[string]string `json:"outputs"`
+	Conclusion stepStatus        `json:"conclusion"`
+	Outcome    stepStatus        `json:"outcome"`
+}
--- a/act/model/testdata/container-volumes/push.yml
+++ b/act/model/testdata/container-volumes/push.yml
@@ -0,0 +1,19 @@
+name: Job Container
+on: push
+
+jobs:
+  with-volumes:
+    runs-on: ubuntu-latest
+    container:
+      image: node:16-buster-slim
+      volumes:
+        - my_docker_volume:/path/to/volume
+        - /path/to/nonexist/directory
+        - /proc/sys/kernel/random/boot_id:/current/boot_id
+    steps:
+      - run: |
+          set -e
+          test -d /path/to/volume
+          test "$(cat /proc/sys/kernel/random/boot_id)" = "$(cat /current/boot_id)"
+          test -d /path/to/nonexist/directory
+  
--- a/act/model/testdata/empty-workflow/push.yml
+++ b/act/model/testdata/empty-workflow/push.yml
--- a/act/model/testdata/invalid-job-name/invalid-1.yml
+++ b/act/model/testdata/invalid-job-name/invalid-1.yml
@@ -0,0 +1,12 @@
+name: invalid-job-name-1
+on: push
+
+jobs:
+  invalid-JOB-Name-v1.2.3-docker_hub:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hi
+  valid-JOB-Name-v123-docker_hub:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo hi
--- a/Show More
+++ b/Show More