diff --git a/act/cacheproxy/handler.go b/act/cacheproxy/handler.go
index bd047926..61b09ebe 100644
--- a/act/cacheproxy/handler.go
+++ b/act/cacheproxy/handler.go
@@ -5,7 +5,6 @@ package cacheproxy
 
 import (
 	"crypto/hmac"
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"errors"
@@ -170,12 +169,10 @@ func (h *Handler) ExternalURL() string {
 // The function returns the 32-bit random key which the run will use to identify itself.
 func (h *Handler) AddRun(data RunData) (string, error) {
 	for retries := 0; retries < 3; retries++ {
-		keyBytes := make([]byte, 4)
-		_, err := rand.Read(keyBytes)
+		key, err := common.RandName(4)
 		if err != nil {
 			return "", errors.New("Could not generate the run id")
 		}
-		key := hex.EncodeToString(keyBytes)
 
 		_, loaded := h.runs.LoadOrStore(key, data)
 		if !loaded {
diff --git a/act/common/randname.go b/act/common/randname.go
new file mode 100644
index 00000000..a9350106
--- /dev/null
+++ b/act/common/randname.go
@@ -0,0 +1,16 @@
+// Copyright 2025 The Forgejo Authors
+// SPDX-License-Identifier: MIT
+package common
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+)
+
+func RandName(size int) (string, error) {
+	randBytes := make([]byte, size)
+	if _, err := rand.Read(randBytes); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(randBytes), nil
+}
diff --git a/act/runner/action_cache.go b/act/runner/action_cache.go
index 9af06db0..5fa77646 100644
--- a/act/runner/action_cache.go
+++ b/act/runner/action_cache.go
@@ -3,8 +3,6 @@ package runner
 import (
 	"archive/tar"
 	"context"
-	"crypto/rand"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -19,6 +17,8 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/http"
+
+	"github.com/nektos/act/pkg/common"
 )
 
 type ActionCache interface {
@@ -39,11 +39,10 @@ func (c GoGitActionCache) Fetch(ctx context.Context, cacheDir, url, ref, token s
 	if err != nil {
 		return "", err
 	}
-	tmpBranch := make([]byte, 12)
-	if _, err := rand.Read(tmpBranch); err != nil {
+	branchName, err := common.RandName(12)
+	if err != nil {
 		return "", err
 	}
-	branchName := hex.EncodeToString(tmpBranch)
 
 	var auth transport.AuthMethod
 	if token != "" {
diff --git a/act/runner/run_context.go b/act/runner/run_context.go
index c0f510d8..131888e0 100644
--- a/act/runner/run_context.go
+++ b/act/runner/run_context.go
@@ -5,10 +5,8 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"crypto/rand"
 	"crypto/sha256"
 	_ "embed"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -283,9 +281,10 @@ func (rc *RunContext) startHostEnvironment() common.Executor {
 			return true
 		})
 		cacheDir := rc.ActionCacheDir()
-		randBytes := make([]byte, 8)
-		_, _ = rand.Read(randBytes)
-		randName := hex.EncodeToString(randBytes)
+		randName, err := common.RandName(8)
+		if err != nil {
+			return err
+		}
 		miscpath := filepath.Join(cacheDir, randName)
 		actPath := filepath.Join(miscpath, "act")
 		if err := os.MkdirAll(actPath, 0o777); err != nil {