How to handle github.token (not secrets.GITHUB_TOKEN)

[airtonix]

composite actions cant directly use ${{secrets.GITHUB_TOKEN}}, but they can use ${{github.token}} (it might be a blanket dsl guard on secrets.*)

I'm unable to find how i can simulate ${{github.token}} with netkos/act

[Antvirf]

After looking into this a bit, I believe you can replicate what you need using environment variables with act.
The main challenge is that while the github object does exist in act, it won't have your GitHub token there by default as the code doesn't know the value of that token - it needs to be provided.

If we weren't using composite actions, it would be simpler and covered by the README with secrets.GITHUB_TOKEN - i.e. provide it as a secret.

Now, as you mention, composite actions can't directly use secrets so you can't declare it as a secret. However, you could declare it as an environment variable. There are two ways you can provide the env variable to act:

Option 1: Provide it from an env variable on your machine (recommended)

Recommending this as it's likely safer and has less chance of accidentally exposing the value in your SCM.

First, define the value:
export ACT_GITHUB_TOKEN="your token"

Then, run your workflow with:
act --env ACT_GITHUB_TOKEN="your token"

Option 2: Provide it from a file

Following the sample here. If you do this, make sure to .gitignore the .env file if you store it in the same folder.

Set your .env file:

ACT_GITHUB_TOKEN="your token"

Run your workflow with:
act --env-file .env

Example using this in the workflow

In your flow, you could do this (following example from the README on how to skip/do actions based on whether in GHA or in Act):

...
# do the action if the workflow is running inside act
- name: Do something if in act
  if: ${{ env.ACT }}
  run: |
    echo $ACT_GITHUB_TOKEN # if running inside a command
    ... ${{ env.ACT_GITHUB_TOKEN }} # if using for conditions or inputs to composite workflows

# do the action if the workflow is running inside GHA
- name: Do something if in GHA
  if: ${{ !env.ACT }}
  run: echo ${{ github.token }}

Testing setup

Click me

Directory structure

 .
├── .env
└── .github
    ├── actions
    │   └── test-composite
    │       └── action.yml
    └── workflows
        └── test.yml

test.yml

name: github context test
on:
  push:
    branches:
      - "*"
jobs:
  test-job:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

    - name: Do something in act
      if: ${{ env.ACT }}
      uses: ./.github/actions/test-composite # test file
      with:
        token_input: ${{ env.ACT_GITHUB_TOKEN }}

    - name: Do something in GHA
      if: ${{ !env.ACT }} # if you're executing the step in GHA, use the available variable
      uses: ./.github/actions/test-composite # test file
      with:
        token_input: ${{ github.token }}

test-composite/action.yml

name: 'test composite'
description: "does something"
inputs:
  token_input:  # id of input
    description: "does something"
    required: true
runs:
  using: "composite"
  steps:
    - run: echo Token is ${{ inputs.token_input }}
      shell: bash

[Ismoh]

Option 1: Provide it from an env variable on your machine (recommended)

Recommending this as it's likely safer and has less chance of accidentally exposing the value in your SCM.

First, define the value: export ACT_GITHUB_TOKEN="your token"

Then, run your workflow with: act --env ACT_GITHUB_TOKEN="your token"

Option 2: Provide it from a file

Following the sample here. If you do this, make sure to .gitignore the .env file if you store it in the same folder.

Set your .env file:

ACT_GITHUB_TOKEN="your token"

Run your workflow with: act --env-file .env

Is this even secure?
Isn't it possible to simply cat the file or do a set and simply read those tokens in plain text?
I already asked a question, maybe someone can have a look!
Thanks a ton!

[ChristopherHX]

It is possible that the documentation is not clear enough about this

act -s GITHUB_TOKEN should provide both ${{ github.token }} and ${{secrets.GITHUB_TOKEN}}.