fix: composite action input pollution (#2348)

* fix: composite action input pollution * fix run steps * fix missing defaults in post after env cleanup * fix test to make more sense * Add tests and simplify change --------- Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> (cherry picked from commit 54245641d28fc496152684e151043ce0c7389086) Conflicts: act/runner/step_test.go the modified test does not exist in the Forgejo runner
2025-08-21 18:11:06 +00:00 · 2024-06-05 16:44:44 +02:00 · 2024-06-05 16:44:44 +02:00 · cb99c53dc1
commit cb99c53dc1
parent a737f197c7
15 changed files with 181 additions and 0 deletions
--- a/act/runner/step.go
+++ b/act/runner/step.go
@ -262,6 +262,16 @@ func mergeEnv(ctx context.Context, step step) {
 	}

 	rc.withGithubEnv(ctx, step.getGithubContext(ctx), *env)
+
+	if step.getStepModel().Uses != "" {
+		// prevent uses action input pollution of unset parameters, skip this for run steps
+		// due to design flaw
+		for key := range *env {
+			if strings.Contains(key, "INPUT_") {
+				delete(*env, key)
+			}
+		}
+	}
 }

 func isStepEnabled(ctx context.Context, expr string, step step, stage stepStage) (bool, error) {