github.action_repository and github.action_ref are empty in run for composite actions

[jsoref]

Describe the bug
github.action_repository and github.action_ref are empty in run for composite actions

To Reproduce

1. Set up a workflow that uses an action that uses github.action_repository / github.action_ref in run in a step.
2. Trigger a run for the workflow

Expected behavior
github.action_repository / github.action_ref should be filled in for run just as it is for env

Runner Version and Platform

Version of your runner?
Current runner version: '2.302.1'

OS of the machine running the runner? ubuntu-latest

What's not working?

github.action_repository / github.action_ref are empty

Job Log Output

https://github.com/check-spelling/gotosocial/actions/runs/4337164095/jobs/7572980729

2023-03-05T17:20:23.2256789Z ##[group]Run set -x
2023-03-05T17:20:23.2257101Z �[36;1mset -x�[0m
2023-03-05T17:20:23.2257452Z �[36;1mTHIS_ACTION_PATH=$(perl -pe 's#/\./#/#g; s#//+#/#g; s#/$##g' <<< "/home/runner/work/_actions/jsoref/check-spelling/prerelease")�[0m
2023-03-05T17:20:23.2257784Z �[36;1m(�[0m
2023-03-05T17:20:23.2258036Z �[36;1m  echo "THIS_ACTION_PATH=$THIS_ACTION_PATH"�[0m
2023-03-05T17:20:23.2258338Z �[36;1m  echo "PATH=$THIS_ACTION_PATH/wrappers:$PATH"�[0m
2023-03-05T17:20:23.2258580Z �[36;1m  echo "TASK="�[0m
2023-03-05T17:20:23.2258804Z �[36;1m  echo "DO_CHECKOUT=true"�[0m
2023-03-05T17:20:23.2259041Z �[36;1m  echo "FETCH_DEPTH=1"�[0m
2023-03-05T17:20:23.2259258Z �[36;1m  echo "USE_SARIF=1"�[0m
2023-03-05T17:20:23.2259493Z �[36;1m  echo "ALTERNATE_ENGINE="�[0m
2023-03-05T17:20:23.2259786Z �[36;1m  echo "GH_ACTION_REPOSITORY=check-spelling/gotosocial"�[0m
2023-03-05T17:20:23.2260118Z �[36;1m  echo "GH_ACTION_REF=spell-check-with-spelling"�[0m
2023-03-05T17:20:23.2260388Z �[36;1m) >> "$GITHUB_ENV"�[0m
2023-03-05T17:20:23.2316490Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2023-03-05T17:20:23.2316815Z ##[endgroup]
2023-03-05T17:20:23.2565697Z ++ perl -pe 's#/\./#/#g; s#//+#/#g; s#/$##g'
2023-03-05T17:20:23.2566247Z + THIS_ACTION_PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease
2023-03-05T17:20:23.2566736Z + echo THIS_ACTION_PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease
2023-03-05T17:20:23.2567757Z + echo PATH=/home/runner/work/_actions/jsoref/check-spelling/prerelease/wrappers:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/snap/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
2023-03-05T17:20:23.2569271Z + echo TASK=
2023-03-05T17:20:23.2569494Z + echo DO_CHECKOUT=true
2023-03-05T17:20:23.2569701Z + echo FETCH_DEPTH=1
2023-03-05T17:20:23.2569913Z + echo USE_SARIF=1
2023-03-05T17:20:23.2570127Z + echo ALTERNATE_ENGINE=
2023-03-05T17:20:23.2570470Z + echo GH_ACTION_REPOSITORY=check-spelling/gotosocial
2023-03-05T17:20:23.2570843Z + echo GH_ACTION_REF=spell-check-with-spelling
2023-03-05T17:20:23.2755350Z ##[group]Run secpoll

Runner and Worker's Diagnostic Logs

If applicable, add relevant diagnostic log information. Logs are located in the runner's _diag folder. The runner logs are prefixed with Runner_ and the worker logs are prefixed with Worker_. Each job run correlates to a worker log. All sensitive information should already be masked out, but please double-check before pasting here.

[jsoref]

Cross filed as:
https://github.com/orgs/community/discussions/49245#discussioncomment-5209064
https://support.github.com/ticket/personal/0/2042233
github/docs#25336 (comment)

[JamesMGreene]

Accidentally duplicated with #2525 😅

Leaving it open for now in case there is other useful info in it. 🤷🏻

[ChristopherHX]

Seems like there has been an update to the support ticket: github/docs#25336. I'm linking it here to connect those issues, however the response quoted in the linked docs issue reads like won't fix.

[ssbarnea]

Am I missing something or this means that is impossible to use a specific version of the action due to this bug?

[jsoref]

No, your action will still run, you just won't easily know where your action came from and what version you are. If you burn that info into your repo w/ files, you could get info that way. And iirc I had some way to work around this, it's just fairly annoying.

[ssbarnea]

We use dynamic versioning based on github tags, so basically is impossible for the code to discover its own version and tell user to upgrade if needed, code that we already had implemented for normal usage.

Is bit perplexed by the fact that that all that happens seems more like on-purpose to make it impossible to know:

• action code is not cloned, so no access to tags or even ref number
• no environment variable exposed regarding who called it and with which what @tag

[jsoref]

Yes, I sympathize -- that's why I filed this.

Fwiw, there is a workaround noted in github/docs#25336 (comment) (I think @ChristopherHX might have suggested it somewhere), and it looks like they're going to document this quirk in the near future.

Basically my action.yml defines an env: for each of the things i need and then I can use them within the run: space via that environment variable.

[ChristopherHX]

Yeah I mentioned this in https://github.com/orgs/community/discussions/49245#discussioncomment-5209064.

Keep in mind local action call syntax (./) doesn't have an action_ref, that's why most action ci will have empty values if using it for tests...

A similar problems happens by using ${{ github.action_path }} in the run step (a different issue exists #716) it's not empty, but may contain the host path in the run step if not passed by env section.

It's totally unsafe to use run: ${{..}}, but it's the easiest way to get it wrong and allow script injection..

composite actions are quite buggy and some very old issues about them are not fixed within 1 year, even if a pr has been contributed

[jsoref]

Right, which means this is how I worked around it:
https://github.com/check-spelling/check-spelling/blob/ed14e107b2404ceec4db32161bc3cc353b123b46/.github/workflows/spelling.yml#L114
https://github.com/check-spelling/check-spelling/blob/ed14e107b2404ceec4db32161bc3cc353b123b46/action.yml#L522-L523

It's good enough for testing...

[copdips]

it seems that the workaround doesnt work for embedded composite actions, it seems that it shows the top level action ref always.
Say: workflow1 calls action1@ref1 calls action2@ref2.

following code in the action2 returns: action_ref: ref1 while I expect action_ref: ref2

run: |
  echo "action_ref: $action_ref"
env:
  action_ref: ${{ github.action_ref }}

[ChristopherHX]

Thanks for letting me know that my initial workaround is affected by another actions/runner bug..., if we nest composite actions (Sadly local composite actions break all post steps inputs)

inputs:
  action_ref:
    default: ${{ github.action_ref }} # Downside the user can override it
runs:
  using: composite
  steps:
  - uses: actions/github-script@v5
    with:
      script: |
                console.log('${{ github.action_ref }}'); # broken, returns v5
  - run: echo ${{ env.ref }}
    env:
      ref: ${{ github.action_ref }} # broken
    shell: bash
  - run: echo ${{ env.ref }}
    env:
      ref: ${{ inputs.action_ref }} # works
    shell: bash
  - run: echo ${{ inputs.action_ref }} # works
    shell: bash

Expected log output

##[group]Run Christopher/nested-composite-get-ref@main
##[endgroup]
##[group]Run echo main
echo main
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
  ref: main
##[endgroup]
main
##[group]Run Christopher/nested-composite-get-ref@me
with:
  action_ref: me
##[endgroup]
##[group]Run actions/github-script@v5
with:
  script: console.log('v5');
  github-token: ***
  debug: false
  user-agent: actions/github-script
  result-encoding: json
##[endgroup]
v5
##[group]Run echo main
echo main
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
  ref: main
##[endgroup]
main
##[group]Run echo me
echo me
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
env:
  ref: me
##[endgroup]
me
##[group]Run echo me
echo me
shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
##[endgroup]
me

To recap you could try the following ( verified locally using actions runner 2.309.0 )

inputs:
  action_ref:
    default: ${{ github.action_ref }}
runs:
  using: composite
  steps:
  - run: echo ${{ inputs.action_ref }}
    shell: bash

[copdips]

inputs:
  action_ref:
    default: ${{ github.action_ref }}

Thanks for the prompt reply, with inputs default value, it's working now, this is really tricky :)

[lure8225]

Any update on this? We seem to have also just hit this problem, still seems to be an issue