fix last error

Fix all 93 lint-go errors
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 14:33:49 +00:00 · 2026-02-23 14:09:30 +01:00 · 2026-02-23 13:59:05 +01:00 · 2026-02-23 00:30:44 +01:00 · 2026-02-22 21:12:25 +01:00 · 2026-02-22 21:04:33 +01:00
1961 changed files with 528731 additions and 867 deletions
--- a/.codespellrc
+++ b/.codespellrc
@@ -0,0 +1,6 @@
+[codespell]
+# Ref: https://github.com/codespell-project/codespell#using-a-config-file
+skip = .git*,go.sum,package-lock.json,*.min.*,.codespellrc,testdata,./pkg/runner/hashfiles/index.js
+check-hidden = true
+ignore-regex = .*Te\{0\}st.*
+# ignore-words-list =
--- a/.gitea/workflows/checks.yml
+++ b/.gitea/workflows/checks.yml
@@ -0,0 +1,156 @@
+name: checks
+on: [pull_request, workflow_dispatch]
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  ACT_OWNER: ${{ github.repository_owner }}
+  ACT_REPOSITORY: ${{ github.repository }}
+  CGO_ENABLED: 0
+  NO_QEMU: 1
+  NO_EXTERNAL_IP: 1
+  DOOD: 1
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@v8.0.0
+        with:
+          version: v2.1.6
+      - uses: megalinter/megalinter/flavors/go@v9.1.0
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
+          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
+
+  test-linux:
+    name: test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - name: Cleanup Docker Engine
+        run: |
+          docker ps -a --format '{{ if eq (truncate .Names 4) "act-" }}
+          {{ .ID }}
+          {{end}}' | xargs -r docker rm -f || :
+          docker volume ls --format '{{ if eq (truncate .Name 4) "act-" }}
+          {{ .Name }}
+          {{ end }}' | xargs -r docker volume rm -f || :
+          docker images --format '{{ if eq (truncate .Repository 4) "act-" }}
+          {{ .ID }}
+          {{ end }}' | xargs -r docker rmi -f || :
+          docker images -q | xargs -r docker rmi || :
+      - name: Set up QEMU
+        if: '!env.NO_QEMU'
+        uses: docker/setup-qemu-action@v3
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      # Regressions by Gitea Actions CI Migration
+      # GITHUB_REPOSITORY contains the server url
+      # ACTIONS_RUNTIME_URL provided to every step, act does not override
+      - name: Run Tests
+        run: |
+          unset ACTIONS_RUNTIME_URL
+          unset ACTIONS_RESULTS_URL
+          unset ACTIONS_RUNTIME_TOKEN
+          export GITHUB_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
+          export ACT_REPOSITORY="${GITHUB_REPOSITORY#${SERVER_URL%/}/}"
+          export ACT_OWNER="${ACT_OWNER#${SERVER_URL%/}/}"
+          env
+          go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
+        env:
+          SERVER_URL: ${{ github.server_url }}
+      - name: Run act from cli
+        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
+      - name: Run act from cli without docker support
+        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
+
+  snapshot:
+    name: snapshot
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2
+          args: release --snapshot --clean
+      - name: Setup Node
+        continue-on-error: true
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+      - name: Install @actions/artifact@2.1.0
+        continue-on-error: true
+        run: npm install @actions/artifact@2.1.0
+      - name: Upload All
+        uses: actions/github-script@v8
+        continue-on-error: true
+        with:
+          script: |
+            // We do not use features depending on GITHUB_API_URL so we can hardcode it to avoid the GHES no support error
+            process.env["GITHUB_SERVER_URL"] = "https://github.com";
+            const {DefaultArtifactClient} = require('@actions/artifact');
+            const aartifact = new DefaultArtifactClient();
+            var artifacts = JSON.parse(process.env.ARTIFACTS);
+            for(var artifact of artifacts) {
+              if(artifact.type === "Binary") {
+                const {id, size} = await aartifact.uploadArtifact(
+                  // name of the artifact
+                  `${artifact.name}-${artifact.target}`,
+                  // files to include (supports absolute and relative paths)
+                  [artifact.path],
+                  process.cwd(),
+                  {
+                    // optional: how long to retain the artifact
+                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
+                    retentionDays: 10
+                  }
+                );
+                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
+              }
+            }
+        env:
+          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: v0.0.0-pr
--- a/.gitea/workflows/release-nightly.yml
+++ b/.gitea/workflows/release-nightly.yml
@@ -1,42 +1,32 @@
+---
 name: release-nightly

 on:
+  workflow_dispatch:
  push:
-    branches: [ main ]
+    branches:
+      - 'main'
+    tags:
+      - '*'

 env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
+  DOCKER_ORG: gitea
+  DOCKER_LATEST: nightly

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
        with:
-          fetch-depth: 0 # all history for all branches and tags
-      - uses: actions/setup-go@v3
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.21.0'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
+          go-version-file: "go.mod"
      - name: goreleaser
-        uses: https://github.com/goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser-pro
-          version: latest
          args: release --nightly
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
@@ -45,61 +35,51 @@ jobs:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3_REGION: ${{ secrets.AWS_REGION }}
          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
+          GORELEASER_FORCE_TOKEN: "gitea"
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
  release-image:
    runs-on: ubuntu-latest
-    container:
-      image: catthehacker/ubuntu:act-latest
-    env:
-      DOCKER_ORG: gitea
-      DOCKER_LATEST: nightly
+    strategy:
+      matrix:
+        variant:
+          - target: basic
+            tag_suffix: ""
+          - target: dind
+            tag_suffix: "-dind"
+          - target: dind-rootless
+            tag_suffix: "-dind-rootless"
+
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Get Meta
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+      - name: Echo the tag
+        run: echo "${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}"

      - name: Build and push
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
+          target: ${{ matrix.variant.target }}
          platforms: |
            linux/amd64
            linux/arm64
          push: true
          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}
-
-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
-        with:
-          context: .
-          file: ./Dockerfile.rootless
-          platforms: |
-            linux/amd64
-            linux/arm64
-          push: true
-          tags: |
-            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind-rootless
+            ${{ env.DOCKER_ORG }}/act_runner:nightly${{ matrix.variant.tag_suffix }}
--- a/.gitea/workflows/release-tag.yml
+++ b/.gitea/workflows/release-tag.yml
@@ -3,49 +3,30 @@ name: release-tag
 on:
  push:
    tags:
-      - '*'
-
-env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
+      - "*"

 jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.21.0'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
+          go-version-file: "go.mod"
      - name: Import GPG key
        id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
      - name: goreleaser
-        uses: https://github.com/goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v6
        with:
-            distribution: goreleaser-pro
-            version: latest
-            args: release
+          distribution: goreleaser-pro
+          args: release
        env:
          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
@@ -53,7 +34,7 @@ jobs:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          S3_REGION: ${{ secrets.AWS_REGION }}
          S3_BUCKET: ${{ secrets.AWS_BUCKET }}
-          GORELEASER_FORCE_TOKEN: 'gitea'
+          GORELEASER_FORCE_TOKEN: "gitea"
          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
  release-image:
@@ -65,18 +46,18 @@ jobs:
      DOCKER_LATEST: latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0 # all history for all branches and tags

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
@@ -85,15 +66,14 @@ jobs:
        id: meta
        run: |
          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+          echo REPO_VERSION=${GITHUB_REF_NAME#v} >> $GITHUB_OUTPUT

      - name: Build and push
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
+        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
+          target: basic
          platforms: |
            linux/amd64
            linux/arm64
@@ -102,13 +82,26 @@ jobs:
            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}
            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}

-      - name: Build and push dind-rootless
-        uses: docker/build-push-action@v4
-        env:
-          ACTIONS_RUNTIME_TOKEN: '' # See https://gitea.com/gitea/act_runner/issues/119
+      - name: Build and push dind
+        uses: docker/build-push-action@v6
        with:
          context: .
-          file: ./Dockerfile.rootless
+          file: ./Dockerfile
+          target: dind
+          platforms: |
+            linux/amd64
+            linux/arm64
+          push: true
+          tags: |
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-dind
+            ${{ env.DOCKER_ORG }}/${{ steps.meta.outputs.REPO_NAME }}:${{ env.DOCKER_LATEST }}-dind
+
+      - name: Build and push dind-rootless
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          target: dind-rootless
          platforms: |
            linux/amd64
            linux/arm64
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -0,0 +1,72 @@
+name: release
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    # TODO use environment to scope secrets
+    name: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean -f ./.goreleaser.yml -f ./.goreleaser.gitea.yml
+        env:
+          GITEA_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
+      - name: Winget
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: ${{ github.ref }}
+          apiKey: ${{ secrets.CHOCO_APIKEY }}
+          push: true
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
+      # TODO use ssh deployment key
+      - name: GitHub CLI extension
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
+          script: |
+            const mainRef = (await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: 'gh-act',
+              ref: 'heads/main',
+            })).data;
+            console.log(mainRef);
+            github.rest.git.createRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: context.ref,
+              sha: mainRef.object.sha,
+            });
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -3,35 +3,17 @@ on:
  - push
  - pull_request

-env:
-  GOPATH: /go_path
-  GOCACHE: /go_cache
-
 jobs:
  lint:
    name: check and test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
        with:
-          go-version: '>=1.21.0'
-      - uses: https://gitea.com/actions/go-hashfiles@v0.0.1
-        id: hash-go
-        with:
-          patterns: |
-            go.mod
-            go.sum
-      - name: cache go
-        id: cache-go
-        uses: https://github.com/actions/cache@v3
-        with:
-          path: |
-            /go_path
-            /go_cache
-          key: go_path-${{ steps.hash-go.outputs.hash }}
-      - name: vet checks
-        run: make vet
+          go-version-file: 'go.mod'
+      - name: lint
+        run: make lint
      - name: build
        run: make build
      - name: test
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,88 @@
+name: Bug report
+description: Use this template for reporting bugs/issues.
+labels:
+  - 'kind/bug'
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: act-debug
+    attributes:
+      label: Bug report info
+      render: plain text
+      description: |
+        Output of `act --bug-report`
+      placeholder: |
+        act --bug-report
+    validations:
+      required: true
+  - type: textarea
+    id: act-command
+    attributes:
+      label: Command used with act
+      description: |
+        Please paste your whole command
+      placeholder: |
+        act -P ubuntu-latest=node:12 -v -d ...
+      render: sh
+    validations:
+      required: true
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: Describe issue
+      description: |
+        Also tell us what did you expect to happen?
+      placeholder: |
+        Describe issue
+    validations:
+      required: true
+  - type: input
+    id: repo
+    attributes:
+      label: Link to GitHub repository
+      description: |
+        Provide link to GitHub repository, you can skip it if the repository is private or you don't have it on GitHub, otherwise please provide it as it might help us troubleshoot problem
+      placeholder: |
+        https://github.com/nektos/act
+    validations:
+      required: false
+  - type: textarea
+    id: workflow
+    attributes:
+      label: Workflow content
+      description: |
+        Please paste your **whole** workflow here
+      placeholder: |
+        name: My workflow
+        on: ['push', 'schedule']
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+          env:
+            KEY: VAL
+        [...]
+      render: yml
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: |
+        Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. Please verify that the log output doesn't contain any sensitive data.
+      render: sh
+      placeholder: |
+        Use `act -v` for verbose output
+    validations:
+      required: true
+  - type: textarea
+    id: additional-info
+    attributes:
+      label: Additional information
+      placeholder: |
+        Additional information that doesn't fit elsewhere
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Start a discussion
+    url: https://github.com/actions-oss/act-cli/discussions/new
+    about: You can ask for help here!
+  - name: Want to contribute to act?
+    url: https://github.com/actions-oss/act-cli/blob/main/CONTRIBUTING.md
+    about: Be sure to read contributing guidelines!
--- a/.github/ISSUE_TEMPLATE/feature_template.yml
+++ b/.github/ISSUE_TEMPLATE/feature_template.yml
@@ -0,0 +1,28 @@
+name: Feature request
+description: Use this template for requesting a feature/enhancement.
+labels:
+  - 'kind/feature-request'
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please note that incompatibility with GitHub Actions should be opened as a bug report, not a new feature.
+  - type: input
+    id: act-version
+    attributes:
+      label: Act version
+      description: |
+        What version of `act` are you using? Version can be obtained via `act --version`
+        If you've built it from source, please provide commit hash
+      placeholder: |
+        act --version
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Feature description
+      description: Describe feature that you would like to see
+      placeholder: ...
+    validations:
+      required: true
--- a/.github/actions/choco/Dockerfile
+++ b/.github/actions/choco/Dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:3.21
+
+ARG CHOCOVERSION=1.1.0
+
+RUN apk add --no-cache bash ca-certificates git \
+  && apk --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/community add mono mono-dev \
+  && cert-sync /etc/ssl/certs/ca-certificates.crt \
+  && wget "https://github.com/chocolatey/choco/archive/${CHOCOVERSION}.tar.gz" -O- | tar -xzf - \
+  && cd choco-"${CHOCOVERSION}" \
+  && chmod +x build.sh zip.sh \
+  && ./build.sh -v \
+  && mv ./code_drop/chocolatey/console /opt/chocolatey \
+  && mkdir -p /opt/chocolatey/lib \
+  && rm -rf /choco-"${CHOCOVERSION}" \
+  && apk del mono-dev \
+  && rm -rf /var/cache/apk/*
+
+ENV ChocolateyInstall=/opt/chocolatey
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/choco/action.yml
+++ b/.github/actions/choco/action.yml
@@ -0,0 +1,16 @@
+name: 'Chocolatey Packager'
+description: 'Create the choco package and push it'
+inputs:
+  version:
+    description: 'Version of package'
+    required: false
+  apiKey:
+    description: 'API Key for chocolately'
+    required: false
+  push:
+    description: 'Option for if package is going to be pushed'
+    required: false
+    default: 'false'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
--- a/.github/actions/choco/entrypoint.sh
+++ b/.github/actions/choco/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+
+function choco {
+  mono /opt/chocolatey/choco.exe "$@" --allow-unofficial --nocolor
+}
+
+function get_version {
+  local version=${INPUT_VERSION:-$(git describe --tags)}
+  version=(${version//[!0-9.-]/})
+  local version_parts=(${version//-/ })
+  version=${version_parts[0]}
+  if [ ${#version_parts[@]} -gt 1 ]; then
+    version=${version_parts}.${version_parts[1]}
+  fi
+  echo "$version"
+}
+
+## Determine the version to pack
+VERSION=$(get_version)
+echo "Packing version ${VERSION} of act"
+rm -f act-cli.*.nupkg
+mkdir -p tools
+cp LICENSE tools/LICENSE.txt
+cp VERIFICATION tools/VERIFICATION.txt
+cp dist/act-cli_windows_amd64*/act.exe tools/
+choco pack act-cli.nuspec --version ${VERSION}
+if [[ "$INPUT_PUSH" == "true" ]]; then
+  choco push act-cli.${VERSION}.nupkg --api-key ${INPUT_APIKEY} -s https://push.chocolatey.org/ --timeout 180
+fi
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      dependencies:
+        patterns:
+        - '*'
+  - package-ecosystem: 'gomod'
+    directory: '/'
+    schedule:
+      interval: 'monthly'
+    groups:
+      dependencies:
+        patterns:
+        - '*'
--- a/.github/workflows/.gitignore
+++ b/.github/workflows/.gitignore
@@ -0,0 +1 @@
+test-*.yml
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -0,0 +1,151 @@
+name: checks
+on: [pull_request, workflow_dispatch]
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  ACT_OWNER: ${{ github.repository_owner }}
+  ACT_REPOSITORY: ${{ github.repository }}
+  CGO_ENABLED: 0
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: golangci/golangci-lint-action@v8.0.0
+        with:
+          version: v2.1.6
+      - uses: megalinter/megalinter/flavors/go@v9.1.0
+        env:
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_ALL_CODEBASE: false
+          GITHUB_STATUS_REPORTER: ${{ !env.ACT }}
+          GITHUB_COMMENT_REPORTER: ${{ !env.ACT }}
+
+  test-linux:
+    name: test-linux
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      - name: Run Tests
+        run: go test -json -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m ./... | gotestfmt -hide successful-packages,empty-packages 2>&1
+      - name: Run act from cli
+        run: go run main.go -P ubuntu-latest=node:16-buster-slim -C ./pkg/runner/testdata/ -W ./basic/push.yml
+      - name: Run act from cli without docker support
+        run: go run -tags WITHOUT_DOCKER main.go -P ubuntu-latest=-self-hosted -C ./pkg/runner/testdata/ -W ./local-action-js/push.yml
+      - name: Upload Codecov report
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.txt
+          fail_ci_if_error: true # optional (default = false)
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+  test-host:
+    strategy:
+      matrix:
+        os:
+          - windows-latest
+          - macos-latest
+    name: test-host-${{matrix.os}}
+    runs-on: ${{matrix.os}}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 2
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - name: Install gotestfmt
+        run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0
+      - name: Run Tests
+        run: go test -v -cover -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic -timeout 20m -run ^TestRunEventHostEnvironment$ ./...
+        shell: bash
+
+
+  snapshot:
+    name: snapshot
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        id: goreleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: v2
+          args: release --snapshot --clean
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 20
+      - name: Install @actions/artifact
+        run: npm install @actions/artifact
+      - name: Upload All
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const {DefaultArtifactClient} = require('@actions/artifact');
+            const aartifact = new DefaultArtifactClient();
+            var artifacts = JSON.parse(process.env.ARTIFACTS);
+            for(var artifact of artifacts) {
+              if(artifact.type === "Binary") {
+                const {id, size} = await aartifact.uploadArtifact(
+                  // name of the artifact
+                  `${artifact.name}-${artifact.target}`,
+                  // files to include (supports absolute and relative paths)
+                  [artifact.path],
+                  process.cwd(),
+                  {
+                    // optional: how long to retain the artifact
+                    // if unspecified, defaults to repository/org retention settings (the limit of this value)
+                    retentionDays: 10
+                  }
+                );
+                console.log(`Created artifact with id: ${id} (bytes: ${size}`);
+              }
+            }
+        env:
+          ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: v0.0.0-pr
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -0,0 +1,23 @@
+# Codespell configuration is within .codespellrc
+---
+name: Codespell
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Codespell
+        uses: codespell-project/actions-codespell@v2
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -0,0 +1,30 @@
+name: promote
+on:
+  schedule:
+    - cron: '0 2 1 * *'
+  workflow_dispatch: {}
+
+jobs:
+  release:
+    if: vars.ENABLE_PROMOTE || github.event_name != 'schedule'
+    name: promote
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: master
+          token: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
+      - uses: fregante/setup-git-user@v2
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - run: make promote
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,72 @@
+name: release
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  release:
+    # TODO use environment to scope secrets
+    name: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+      - uses: actions/cache@v4
+        if: ${{ !env.ACT }}
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN || github.token }}
+      - name: Winget
+        uses: vedantmgoyal2009/winget-releaser@v2
+        with:
+          identifier: nektos.act
+          installers-regex: '_Windows_\w+\.zip$'
+          token: ${{ secrets.WINGET_TOKEN }}
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.WINGET_TOKEN && '1' || '' }}
+      - name: Chocolatey
+        uses: ./.github/actions/choco
+        with:
+          version: ${{ github.ref }}
+          apiKey: ${{ secrets.CHOCO_APIKEY }}
+          push: true
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ secrets.CHOCO_APIKEY && '1' || ''  }}
+      # TODO use ssh deployment key
+      - name: GitHub CLI extension
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN }}
+          script: |
+            const mainRef = (await github.rest.git.getRef({
+              owner: context.repo.owner,
+              repo: 'gh-act',
+              ref: 'heads/main',
+            })).data;
+            console.log(mainRef);
+            github.rest.git.createRef({
+              owner: 'nektos',
+              repo: 'gh-act',
+              ref: context.ref,
+              sha: mainRef.object.sha,
+            });
+        if: env.ENABLED
+        env:
+          ENABLED: ${{ (secrets.CLI_GITHUB_TOKEN || secrets.GORELEASER_GITHUB_TOKEN) && '1' || ''  }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,23 @@
+name: 'Close stale issues'
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  stale:
+    name: Stale
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'Issue is stale and will be closed in 14 days unless there is new activity'
+          stale-pr-message: 'PR is stale and will be closed in 14 days unless there is new activity'
+          stale-issue-label: 'stale'
+          exempt-issue-labels: 'stale-exempt,kind/feature-request'
+          stale-pr-label: 'stale'
+          exempt-pr-labels: 'stale-exempt'
+          remove-stale-when-updated: 'True'
+          operations-per-run: 500
+          days-before-stale: 180
+          days-before-close: 14
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,12 @@
-act_runner
+/act_runner
 .env
 .runner
 coverage.txt
 /gitea-vet
 /config.yaml

+# Jetbrains
+.idea
 # MS VSCode
 .vscode
 __debug_bin
--- a/.gitleaksignore
+++ b/.gitleaksignore
@@ -0,0 +1,2 @@
+b910a42edfab7a02b08a52ecef203fd419725642:pkg/container/testdata/docker-pull-options/config.json:generic-api-key:4
+710a3ac94c3dc0eaf680d417c87f37f92b4887f4:pkg/container/docker_pull_test.go:generic-api-key:45
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,165 +1,82 @@
+version: "2"
+output:
+  sort-order:
+    - file
 linters:
+  default: none
  enable:
-    - gosimple
-    - typecheck
-    - govet
-    - errcheck
-    - staticcheck
-    - unused
-    - dupl
-    #- gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
-    - gofmt
-    - misspell
-    - gocritic
    - bidichk
-    - ineffassign
-    - revive
-    - gofumpt
+    - bodyclose
    - depguard
+    - dupl
+    - errcheck
+    - forbidigo
+    - gocheckcompilerdirectives
+    - gocritic
+    - govet
+    - ineffassign
+    - mirror
+    - modernize
    - nakedret
-    - unconvert
-    - wastedassign
+    - nilnil
    - nolintlint
-    - stylecheck
-  enable-all: false
-  disable-all: true
-  fast: false
-
-run:
-  go: 1.18
-  timeout: 10m
-  skip-dirs:
-    - node_modules
-    - public
-    - web_src
-
-linters-settings:
-  stylecheck:
-    checks: ["all", "-ST1005", "-ST1003"]
-  nakedret:
-    max-func-lines: 0
-  gocritic:
-    disabled-checks:
-      - ifElseChain
-      - singleCaseSwitch # Every time this occurred in the code, there  was no other way.
-  revive:
-    ignore-generated-header: false
-    severity: warning
-    confidence: 0.8
-    errorCode: 1
-    warningCode: 1
+    - perfsprint
+    - revive
+    - staticcheck
+    - testifylint
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - usetesting
+    - wastedassign
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: github.com/pkg/errors
+              desc: Please use "errors" package from standard library
+            - pkg: gotest.tools/v3
+              desc: Please keep tests unified using only github.com/stretchr/testify
+            - pkg: log
+              desc: Please keep logging unified using only github.com/sirupsen/logrus
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+    gocyclo:
+      min-complexity: 20
+    importas:
+      alias:
+        - pkg: github.com/sirupsen/logrus
+          alias: log
+        - pkg: github.com/stretchr/testify/assert
+          alias: assert
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: duplicated-imports
-      - name: modifies-value-receiver
-  gofumpt:
-    extra-rules: true
-    lang-version: "1.18"
-  depguard:
-    # TODO: use depguard to replace import checks in gitea-vet
-    list-type: denylist
-    # Check the list against standard lib.
-    include-go-root: true
-    packages-with-error-message:
-      - github.com/unknwon/com: "use gitea's util and replacements"
-
+      - linters: [revive]
+        text: avoid meaningless package names
+    paths:
+      - report
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  exclude-rules:
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-        - unparam
-        - staticcheck
-    - path: models/migrations/v
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-    - linters:
-        - dupl
-      text: "webhook"
-    - linters:
-        - gocritic
-      text: "`ID' should not be capitalized"
-    - path: modules/templates/helper.go
-      linters:
-        - gocritic
-    - linters:
-        - unused
-      text: "swagger"
-    - path: contrib/pr/checkout.go
-      linters:
-        - errcheck
-    - path: models/issue.go
-      linters:
-        - errcheck
-    - path: models/migrations/
-      linters:
-        - errcheck
-    - path: modules/log/
-      linters:
-        - errcheck
-    - path: routers/api/v1/repo/issue_subscription.go
-      linters:
-        - dupl
-    - path: routers/repo/view.go
-      linters:
-        - dupl
-    - path: models/migrations/
-      linters:
-        - unused
-    - linters:
-        - staticcheck
-      text: "argument x is overwritten before first use"
-    - path: modules/httplib/httplib.go
-      linters:
-        - staticcheck
-    # Enabling this would require refactoring the methods and how they are called.
-    - path: models/issue_comment_list.go
-      linters:
-        - dupl
-    - linters:
-        - misspell
-      text: '`Unknwon` is a misspelling of `Unknown`'
-    - path: models/update.go
-      linters:
-        - unused
-    - path: cmd/dump.go
-      linters:
-        - dupl
-    - text: "commentFormatting: put a space between `//` and comment text"
-      linters:
-        - gocritic
-    - text: "exitAfterDefer:"
-      linters:
-        - gocritic
-    - path: modules/graceful/manager_windows.go
-      linters:
-        - staticcheck
-      text: "svc.IsAnInteractiveSession is deprecated: Use IsWindowsService instead."
-    - path: models/user/openid.go
-      linters:
-        - golint
+  max-issues-per-linter: 0
+  max-same-issues: 0
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - report
+      - third_party$
+      - builtin$
+      - examples$
--- a/.goreleaser.gitea.yml
+++ b/.goreleaser.gitea.yml
@@ -0,0 +1,3 @@
+gitea_urls:
+  api: https://gitea.com/api/v1/
+  download: https://gitea.com/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,3 +1,5 @@
+version: 2
+
 before:
  hooks:
    - go mod tidy
@@ -14,6 +16,9 @@ builds:
  - amd64
  - arm
  - arm64
+  - loong64
+  - s390x
+  - riscv64
  goarm:
  - "5"
  - "6"
@@ -81,7 +86,7 @@ blobs:
    provider: s3
    bucket: "{{ .Env.S3_BUCKET }}"
    region: "{{ .Env.S3_REGION }}"
-    folder: "act_runner/{{.Version}}"
+    directory: "act_runner/{{.Version}}"
    extra_files:
      - glob: ./**.xz
      - glob: ./**.sha256
@@ -97,10 +102,10 @@ checksum:
      - glob: ./**.xz

 snapshot:
-  name_template: "{{ .Branch }}-devel"
+  version_template: "{{ .Branch }}-devel"

 nightly:
-  name_template: "nightly"
+  version_template: "nightly"

 gitea_urls:
  api: https://gitea.com/api/v1
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -0,0 +1,54 @@
+version: 2
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - '386'
+      - arm64
+      - arm
+      - riscv64
+    goarm:
+      - '6'
+      - '7'
+    ignore:
+      - goos: windows
+        goarm: '6'
+    binary: act
+checksum:
+  name_template: 'checksums.txt'
+archives:
+  - name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    format_overrides:
+      - goos: windows
+        formats:
+        - zip
+changelog:
+  groups:
+    - title: 'New Features'
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 0
+    - title: 'Bug fixes'
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 1
+    - title: 'Documentation updates'
+      regexp: "^.*docs[(\\w)]*:+.*$"
+      order: 2
+    - title: 'Other'
+      order: 999
+release:
+  prerelease: auto
+  mode: append
--- a/.markdownlint.yml
+++ b/.markdownlint.yml
@@ -0,0 +1,12 @@
+# Default state for all rules
+default: true
+
+# MD013/line-length - Line length
+MD013:
+  line_length: 1024
+
+# MD033/no-inline-html - Inline HTML
+MD033: false
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041: false
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -0,0 +1,20 @@
+---
+APPLY_FIXES: none
+DISABLE:
+  - ACTION
+  - BASH
+  - COPYPASTE
+  - DOCKERFILE
+  - GO
+  - JAVASCRIPT
+  - SPELL
+DISABLE_LINTERS:
+  - YAML_YAMLLINT
+  - MARKDOWN_MARKDOWN_TABLE_FORMATTER
+  - MARKDOWN_MARKDOWN_LINK_CHECK
+  - REPOSITORY_CHECKOV
+  - REPOSITORY_TRIVY
+FILTER_REGEX_EXCLUDE: (.*testdata/*|install.sh|pkg/container/docker_cli.go|pkg/container/DOCKER_LICENSE|VERSION)
+MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .markdownlint.yml
+PARALLEL: false
+PRINT_ALPACA: false
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -0,0 +1,98 @@
+
+pull_request_rules:
+  - name: warn on conflicts
+    conditions:
+      - -draft
+      - -closed
+      - -merged
+      - conflict
+    actions:
+      comment:
+        message: '@{{author}} this pull request is now in conflict 😩'
+      label:
+        add:
+          - conflict
+  - name: remove conflict label if not needed
+    conditions:
+      - -conflict
+    actions:
+      label:
+        remove:
+          - conflict
+  - name: warn on needs-work
+    conditions:
+      - -draft
+      - -closed
+      - -merged
+      - or:
+          - check-failure=lint
+          - check-failure=test-linux
+          - check-failure=codecov/patch
+          - check-failure=codecov/project
+          - check-failure=snapshot
+    actions:
+      comment:
+        message: '@{{author}} this pull request has failed checks 🛠'
+      label:
+        add:
+          - needs-work
+  - name: remove needs-work label if not needed
+    conditions:
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    actions:
+      label:
+        remove:
+          - needs-work
+  - name: Automatic maintainer assignment
+    conditions:
+      - '-approved-reviews-by=@nektos/act-maintainers'
+      - -draft
+      - -merged
+      - -closed
+      - -conflict
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    actions:
+      request_reviews:
+        teams:
+          - '@nektos/act-maintainers'
+  - name: Automatic merge on approval
+    conditions: []
+    actions:
+      queue:
+queue_rules:
+  - name: default
+    queue_conditions:
+      - '#changes-requested-reviews-by=0'
+      - or:
+          - 'approved-reviews-by=@nektos/act-committers'
+          - 'author~=^dependabot(|-preview)\[bot\]$'
+          - and:
+              - 'approved-reviews-by=@nektos/act-maintainers'
+              - '#approved-reviews-by>=2'
+          - and:
+              - 'author=@nektos/act-maintainers'
+              - 'approved-reviews-by=@nektos/act-maintainers'
+              - '#approved-reviews-by>=1'
+      - -draft
+      - -merged
+      - -closed
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    merge_conditions:
+      - check-success=lint
+      - check-success=test-linux
+      - check-success=codecov/patch
+      - check-success=codecov/project
+      - check-success=snapshot
+    merge_method: squash
--- a/.prettierignore
+++ b/.prettierignore
@@ -0,0 +1,2 @@
+**/testdata
+pkg/runner/res
--- a/.prettierrc.yml
+++ b/.prettierrc.yml
@@ -0,0 +1,7 @@
+overrides:
+  - files: '*.yml'
+    options:
+      singleQuote: true
+  - files: '*.json'
+    options:
+      singleQuote: false
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,9 @@
+{
+  "recommendations": [
+    "editorconfig.editorconfig",
+    "golang.go",
+    "davidanson.vscode-markdownlint",
+    "esbenp.prettier-vscode",
+    "redhat.vscode-yaml"
+  ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,14 @@
+{
+  "go.lintTool": "golangci-lint",
+  "go.lintFlags": ["--fix"],
+  "go.testTimeout": "300s",
+  "[json]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[markdown]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[yaml]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  }
+}
--- a/1
+++ b/1
@@ -0,0 +1 @@
+*       @nektos/act-maintainers
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,69 @@
+# Contributing to Act
+
+Help wanted! We'd love your contributions to Act. Please review the following guidelines before contributing. Also, feel free to propose changes to these guidelines by updating this file and submitting a pull request.
+
+- [I have a question...](#questions)
+- [I found a bug...](#bugs)
+- [I have a feature request...](#features)
+- [I have a contribution to share...](#process)
+
+## <a id="questions"></a> Have a Question?
+
+Please don't open a GitHub issue for questions about how to use `act`, as the goal is to use issues for managing bugs and feature requests. Issues that are related to general support will be closed and redirected to our gitter room.
+
+For all support related questions, please ask the question in discussions: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/discussions).
+
+## <a id="bugs"></a> Found a Bug?
+
+If you've identified a bug in `act`, please [submit an issue](#issue) to our GitHub repo: [actions-oss/act-cli](https://github.com/actions-oss/act-cli/issues/new). Please also feel free to submit a [Pull Request](#pr) with a fix for the bug!
+
+## <a id="features"></a> Have a Feature Request?
+
+All feature requests should start with [submitting an issue](#issue) documenting the user story and acceptance criteria. Again, feel free to submit a [Pull Request](#pr) with a proposed implementation of the feature.
+
+## <a id="process"></a> Ready to Contribute
+
+### <a id="issue"></a> Create an issue
+
+Before submitting a new issue, please search the issues to make sure there isn't a similar issue doesn't already exist.
+
+Assuming no existing issues exist, please ensure you include required information when submitting the issue to ensure we can quickly reproduce your issue.
+
+We may have additional questions and will communicate through the GitHub issue, so please respond back to our questions to help reproduce and resolve the issue as quickly as possible.
+
+New issues can be created with in our [GitHub repo](https://github.com/actions-oss/act-cli/issues/new).
+
+### <a id="pr"></a>Pull Requests
+
+Pull requests should target the `master` branch. Please also reference the issue from the description of the pull request using [special keyword syntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close. Please send documentation updates for the [act user guide](https://actions-oss.github.io/act-docs/) to [actions-oss/act-docs](https://github.com/actions-oss/act-docs).
+
+### <a id="style"></a> Styleguide
+
+When submitting code, please make every effort to follow existing conventions and style in order to keep the code as readable as possible. Here are a few points to keep in mind:
+
+- Please run `go fmt ./...` before committing to ensure code aligns with go standards.
+- We use [`golangci-lint`](https://golangci-lint.run/) for linting Go code, run `golangci-lint run --fix` before submitting PR. Editors such as Visual Studio Code or JetBrains IntelliJ; with Go support plugin will offer `golangci-lint` automatically.
+- There are additional linters and formatters for files such as Markdown documents or YAML/JSON:
+  - Please refer to the [Makefile](Makefile) or [`lint` job in our workflow](.github/workflows/checks.yml) to see how to those linters/formatters work.
+  - You can lint codebase by running `go run main.go -j lint --env RUN_LOCAL=true` or `act -j lint --env RUN_LOCAL=true`
+  - In `Makefile`, there are tools that require `npx` which is shipped with `nodejs`.
+  - Our `Makefile` exports `GITHUB_TOKEN` from `~/.config/github/token`, you have been warned.
+  - You can run `make pr` to cleanup dependencies, format/lint code and run tests.
+- All dependencies must be defined in the `go.mod` file.
+  - Advanced IDEs and code editors (like VSCode) will take care of that, but to be sure, run `go mod tidy` to validate dependencies.
+- For details on the approved style, check out [Effective Go](https://golang.org/doc/effective_go.html).
+- Before running tests, please be aware that they are multi-architecture so for them to not fail, you need to run `docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64` before ([more info available in #765](https://github.com/nektos/act/issues/765)).
+
+Also, consider the original design principles:
+
+- **Polyglot** - There will be no prescribed language or framework for developing the microservices. The only requirement will be that the service will be run inside a container and exposed via an HTTP endpoint.
+- **Cloud Provider** - At this point, the tool will assume AWS for the cloud provider and will not be written in a cloud agnostic manner. However, this does not preclude refactoring to add support for other providers at a later time.
+- **Declarative** - All resource administration will be handled in a declarative vs. imperative manner. A file will be used to declared the desired state of the resources and the tool will simply assert the actual state matches the desired state. The tool will accomplish this by generating CloudFormation templates.
+- **Stateless** - The tool will not maintain its own state. Rather, it will rely on the CloudFormation stacks to determine the state of the platform.
+- **Secure** - All security will be managed by AWS IAM credentials. No additional authentication or authorization mechanisms will be introduced.
+
+### License
+
+By contributing your code, you agree to license your contribution under the terms of the [MIT License](LICENSE).
+
+All files are released with the MIT license.
--- a/58
+++ b/58
@@ -1,16 +1,64 @@
-FROM golang:1.21-alpine3.18 as builder
+### BUILDER STAGE
+#
+#
+FROM golang:1.26-alpine AS builder
+
 # Do not remove `git` here, it is required for getting runner version when executing `make build`
 RUN apk add --no-cache make git

+ARG GOPROXY
+ENV GOPROXY=${GOPROXY:-}
+
 COPY . /opt/src/act_runner
 WORKDIR /opt/src/act_runner

 RUN make clean && make build

-FROM alpine:3.18
-RUN apk add --no-cache git bash tini
+### DIND VARIANT
+#
+#
+FROM docker:28-dind AS dind
+
+RUN apk add --no-cache s6 bash git tzdata

 COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY scripts/run.sh /opt/act/run.sh
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6

-ENTRYPOINT ["/sbin/tini","--","/opt/act/run.sh"]
+VOLUME /data
+
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### DIND-ROOTLESS VARIANT
+#
+#
+FROM docker:28-dind-rootless AS dind-rootless
+
+USER root
+RUN apk add --no-cache s6 bash git tzdata
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+COPY scripts/s6 /etc/s6
+
+VOLUME /data
+
+RUN mkdir -p /data && chown -R rootless:rootless /etc/s6 /data
+
+ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+
+USER rootless
+ENTRYPOINT ["s6-svscan","/etc/s6"]
+
+### BASIC VARIANT
+#
+#
+FROM alpine AS basic
+RUN apk add --no-cache tini bash git tzdata
+
+COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
+COPY scripts/run.sh /usr/local/bin/run.sh
+
+VOLUME /data
+
+ENTRYPOINT ["/sbin/tini","--","run.sh"]
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -1,24 +0,0 @@
-FROM golang:1.21-alpine3.18 as builder
-# Do not remove `git` here, it is required for getting runner version when executing `make build`
-RUN apk add --no-cache make git
-
-COPY . /opt/src/act_runner
-WORKDIR /opt/src/act_runner
-
-RUN make clean && make build
-
-FROM docker:dind-rootless
-USER root
-RUN apk add --no-cache \
-  git bash supervisor
-
-COPY --from=builder /opt/src/act_runner/act_runner /usr/local/bin/act_runner
-COPY /scripts/supervisord.conf /etc/supervisord.conf
-COPY /scripts/run.sh /opt/act/run.sh
-COPY /scripts/rootless.sh /opt/act/rootless.sh
-
-RUN mkdir /data \
-    && chown rootless:rootless /data
-
-USER rootless
-ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
--- a/43
+++ b/43
@@ -1,13 +1,12 @@
 DIST := dist
 EXECUTABLE := act_runner
 GOFMT ?= gofumpt -l
-DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
 GO ?= go
 SHASUM ?= shasum -a 256
 HAS_GO = $(shell hash $(GO) > /dev/null 2>&1 && echo "GO" || echo "NOGO" )
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-XGO_VERSION := go-1.18.x
+XGO_VERSION := go-1.26.x
 GXZ_PAGAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.10

 LINUX_ARCHS ?= linux/amd64,linux/arm64
@@ -21,6 +20,9 @@ DOCKER_TAG ?= nightly
 DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 DOCKER_ROOTLESS_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)-dind-rootless

+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1
+
 ifneq ($(shell uname), Darwin)
 	EXTLDFLAGS = -extldflags "-static" $(null)
 else
@@ -102,8 +104,40 @@ fmt-check:
 		exit 1; \
 	fi;

-test: fmt-check
-	@$(GO) test -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+.PHONY: deps-tools
+deps-tools: ## install tool dependencies
+	$(GO) install $(GOVULNCHECK_PACKAGE)
+
+.PHONY: lint
+lint: lint-go vet
+
+.PHONY: lint-go
+lint-go: ## lint go files
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run
+
+.PHONY: lint-go-fix
+lint-go-fix: ## lint go files and fix issues
+	$(GO) run $(GOLANGCI_LINT_PACKAGE) run --fix
+
+.PHONY: security-check
+security-check: deps-tools
+	GOEXPERIMENT= $(GO) run $(GOVULNCHECK_PACKAGE) -show color ./... || true
+
+.PHONY: tidy
+tidy:
+	$(GO) mod tidy
+
+.PHONY: tidy-check
+tidy-check: tidy
+	@diff=$$(git diff -- go.mod go.sum); \
+	if [ -n "$$diff" ]; then \
+		echo "Please run 'make tidy' and commit the result:"; \
+		echo "$${diff}"; \
+		exit 1; \
+	fi
+
+test: fmt-check security-check
+	@$(GO) test -race -v -cover -coverprofile coverage.txt ./... && echo "\n==>\033[32m Ok\033[m\n" || exit 1

 .PHONY: vet
 vet:
@@ -170,7 +204,6 @@ docker:
 		ARG_DISABLE_CONTENT_TRUST=--disable-content-trust=false; \
 	fi; \
 	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_REF) .
-	docker build $${ARG_DISABLE_CONTENT_TRUST} -t $(DOCKER_ROOTLESS_REF) -f Dockerfile.rootless .

 clean:
 	$(GO) clean -x -i ./...
--- a/README.md
+++ b/README.md
@@ -58,9 +58,9 @@ INFO Enter the runner token:
 fe884e8027dc292970d4e0303fe82b14xxxxxxxx
 INFO Enter the runner name (if set empty, use hostname: Test.local):

-INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,linux_arm:host):
+INFO Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest):

-INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://node:16-bullseye ubuntu-22.04:docker://node:16-bullseye ubuntu-20.04:docker://node:16-bullseye ubuntu-18.04:docker://node:16-buster].
+INFO Registering runner, name=Test.local, instance=http://192.168.8.8:3000/, labels=[ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04 ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04].
 DEBU Successfully pinged the Gitea instance server
 INFO Runner registered successfully.
 ```
@@ -101,6 +101,8 @@ You can specify the configuration file path with `-c`/`--config` argument.
 ./act_runner -c config.yaml daemon # run with config file
 ```

+You can read the latest version of the configuration file online at [config.example.yaml](internal/pkg/config/config.example.yaml).
+
 ### Example Deployments

 Check out the [examples](examples) directory for sample deployment types.
--- a/5
+++ b/5
@@ -0,0 +1,5 @@
+VERIFICATION
+Verification is intended to assist the Chocolatey moderators and community
+in verifying that this package's contents are trustworthy.
+
+Checksums: https://github.com/nektos/act/releases, in the checksums.txt file
--- a/1
+++ b/1
@@ -0,0 +1 @@
+0.4.0
--- a/act-cli.nuspec
+++ b/act-cli.nuspec
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>act-cli</id>
+    <version>0.0.0</version>
+    <packageSourceUrl>https://github.com/nektos/act</packageSourceUrl>
+    <owners>nektos</owners>
+    <title>act (GitHub Actions CLI)</title>
+    <authors>nektos</authors>
+    <projectUrl>https://github.com/nektos/act</projectUrl>
+    <iconUrl>https://raw.githubusercontent.com/wiki/nektos/act/img/logo-150.png</iconUrl>
+    <copyright>Nektos</copyright>
+    <licenseUrl>https://raw.githubusercontent.com/nektos/act/master/LICENSE</licenseUrl>
+    <requireLicenseAcceptance>true</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/nektos/act</projectSourceUrl>
+    <docsUrl>https://raw.githubusercontent.com/nektos/act/master/README.md</docsUrl>
+    <bugTrackerUrl>https://github.com/nektos/act/issues</bugTrackerUrl>
+    <tags>act github-actions actions golang ci devops</tags>
+    <summary>Run your GitHub Actions locally 🚀</summary>
+    <description>Run your GitHub Actions locally 🚀</description>
+  </metadata>
+  <files>
+    <file src="tools/**" target="tools" />
+  </files>
+</package>
--- a/cmd/dir.go
+++ b/cmd/dir.go
@@ -0,0 +1,27 @@
+package cmd
+
+import (
+	"os"
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var (
+	UserHomeDir  string
+	CacheHomeDir string
+)
+
+func init() {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		log.Fatal(err)
+	}
+	UserHomeDir = home
+
+	if v := os.Getenv("XDG_CACHE_HOME"); v != "" {
+		CacheHomeDir = v
+	} else {
+		CacheHomeDir = filepath.Join(UserHomeDir, ".cache")
+	}
+}
--- a/cmd/execute_test.go
+++ b/cmd/execute_test.go
@@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"testing"
+)
+
+// Helper function to test main with different os.Args
+func testMain(args []string) (exitCode int) {
+	// Save original os.Args and defer restoring it
+	origArgs := os.Args
+	defer func() { os.Args = origArgs }()
+
+	// Save original os.Exit and defer restoring it
+	defer func() { exitFunc = os.Exit }()
+
+	// Mock os.Exit
+	fakeExit := func(code int) {
+		exitCode = code
+	}
+	exitFunc = fakeExit
+
+	// Mock os.Args
+	os.Args = args
+
+	// Run the main function
+	Execute(context.Background(), "")
+
+	return exitCode
+}
+
+func TestMainHelp(t *testing.T) {
+	exitCode := testMain([]string{"cmd", "--help"})
+	if exitCode != 0 {
+		t.Errorf("expected exit code 0, got %d", exitCode)
+	}
+}
+
+func TestMainNoArgsError(t *testing.T) {
+	exitCode := testMain([]string{"cmd"})
+	if exitCode != 1 {
+		t.Errorf("expected exit code 1, got %d", exitCode)
+	}
+}
--- a/cmd/graph.go
+++ b/cmd/graph.go
@@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"os"
+
+	"gitea.com/gitea/act_runner/pkg/common"
+	"gitea.com/gitea/act_runner/pkg/model"
+)
+
+func drawGraph(plan *model.Plan) {
+	drawings := make([]*common.Drawing, 0)
+
+	jobPen := common.NewPen(common.StyleSingleLine, 96)
+	arrowPen := common.NewPen(common.StyleNoLine, 97)
+	for i, stage := range plan.Stages {
+		if i > 0 {
+			drawings = append(drawings, arrowPen.DrawArrow())
+		}
+
+		ids := make([]string, 0)
+		for _, r := range stage.Runs {
+			ids = append(ids, r.String())
+		}
+		drawings = append(drawings, jobPen.DrawBoxes(ids...))
+	}
+
+	maxWidth := 0
+	for _, d := range drawings {
+		if d.GetWidth() > maxWidth {
+			maxWidth = d.GetWidth()
+		}
+	}
+
+	for _, d := range drawings {
+		d.Draw(os.Stdout, maxWidth)
+	}
+}
--- a/cmd/input.go
+++ b/cmd/input.go
@@ -0,0 +1,118 @@
+package cmd
+
+import (
+	"path/filepath"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// Input contains the input for the root command
+type Input struct {
+	actor                              string
+	workdir                            string
+	workflowsPath                      string
+	autodetectEvent                    bool
+	eventPath                          string
+	reuseContainers                    bool
+	bindWorkdir                        bool
+	secrets                            []string
+	vars                               []string
+	envs                               []string
+	inputs                             []string
+	platforms                          []string
+	dryrun                             bool
+	pullIfNeeded                       bool
+	noRebuild                          bool
+	noOutput                           bool
+	envfile                            string
+	inputfile                          string
+	secretfile                         string
+	varfile                            string
+	insecureSecrets                    bool
+	defaultBranch                      string
+	privileged                         bool
+	usernsMode                         string
+	containerArchitecture              string
+	containerDaemonSocket              string
+	containerOptions                   string
+	workflowRecurse                    bool
+	useGitIgnore                       bool
+	githubInstance                     string
+	gitHubServerURL                    string
+	gitHubAPIServerURL                 string
+	gitHubGraphQlAPIServerURL          string
+	containerCapAdd                    []string
+	containerCapDrop                   []string
+	autoRemove                         bool
+	artifactServerPath                 string
+	artifactServerAddr                 string
+	artifactServerPort                 string
+	noCacheServer                      bool
+	cacheServerPath                    string
+	cacheServerAddr                    string
+	cacheServerPort                    uint16
+	jsonLogger                         bool
+	noSkipCheckout                     bool
+	remoteName                         string
+	replaceGheActionWithGithubCom      []string
+	replaceGheActionTokenWithGithubCom string
+	matrix                             []string
+	actionCachePath                    string
+	actionOfflineMode                  bool
+	logPrefixJobID                     bool
+	networkName                        string
+	localRepository                    []string
+	listOptions                        bool
+	validate                           bool
+	strict                             bool
+	parallel                           int
+	gitea                              bool
+}
+
+func (i *Input) resolve(path string) string {
+	basedir, err := filepath.Abs(i.workdir)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if path == "" {
+		return path
+	}
+	if !filepath.IsAbs(path) {
+		path = filepath.Join(basedir, path)
+	}
+	return path
+}
+
+// Envfile returns path to .env
+func (i *Input) Envfile() string {
+	return i.resolve(i.envfile)
+}
+
+// Secretfile returns path to secrets
+func (i *Input) Secretfile() string {
+	return i.resolve(i.secretfile)
+}
+
+func (i *Input) Varfile() string {
+	return i.resolve(i.varfile)
+}
+
+// Workdir returns path to workdir
+func (i *Input) Workdir() string {
+	return i.resolve(".")
+}
+
+// WorkflowsPath returns path to workflow file(s)
+func (i *Input) WorkflowsPath() string {
+	return i.resolve(i.workflowsPath)
+}
+
+// EventPath returns the path to events file
+func (i *Input) EventPath() string {
+	return i.resolve(i.eventPath)
+}
+
+// Inputfile returns the path to the input file
+func (i *Input) Inputfile() string {
+	return i.resolve(i.inputfile)
+}
--- a/cmd/list.go
+++ b/cmd/list.go
@@ -0,0 +1,107 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+
+	"gitea.com/gitea/act_runner/pkg/model"
+)
+
+func printList(plan *model.Plan) {
+	type lineInfoDef struct {
+		jobID   string
+		jobName string
+		stage   string
+		wfName  string
+		wfFile  string
+		events  string
+	}
+	lineInfos := []lineInfoDef{}
+
+	header := lineInfoDef{
+		jobID:   "Job ID",
+		jobName: "Job name",
+		stage:   "Stage",
+		wfName:  "Workflow name",
+		wfFile:  "Workflow file",
+		events:  "Events",
+	}
+
+	jobs := map[string]bool{}
+	duplicateJobIDs := false
+
+	jobIDMaxWidth := len(header.jobID)
+	jobNameMaxWidth := len(header.jobName)
+	stageMaxWidth := len(header.stage)
+	wfNameMaxWidth := len(header.wfName)
+	wfFileMaxWidth := len(header.wfFile)
+	eventsMaxWidth := len(header.events)
+
+	for i, stage := range plan.Stages {
+		for _, r := range stage.Runs {
+			jobID := r.JobID
+			line := lineInfoDef{
+				jobID:   jobID,
+				jobName: r.String(),
+				stage:   strconv.Itoa(i),
+				wfName:  r.Workflow.Name,
+				wfFile:  r.Workflow.File,
+				events:  strings.Join(r.Workflow.On(), `,`),
+			}
+			if _, ok := jobs[jobID]; ok {
+				duplicateJobIDs = true
+			} else {
+				jobs[jobID] = true
+			}
+			lineInfos = append(lineInfos, line)
+			if jobIDMaxWidth < len(line.jobID) {
+				jobIDMaxWidth = len(line.jobID)
+			}
+			if jobNameMaxWidth < len(line.jobName) {
+				jobNameMaxWidth = len(line.jobName)
+			}
+			if stageMaxWidth < len(line.stage) {
+				stageMaxWidth = len(line.stage)
+			}
+			if wfNameMaxWidth < len(line.wfName) {
+				wfNameMaxWidth = len(line.wfName)
+			}
+			if wfFileMaxWidth < len(line.wfFile) {
+				wfFileMaxWidth = len(line.wfFile)
+			}
+			if eventsMaxWidth < len(line.events) {
+				eventsMaxWidth = len(line.events)
+			}
+		}
+	}
+
+	jobIDMaxWidth += 2
+	jobNameMaxWidth += 2
+	stageMaxWidth += 2
+	wfNameMaxWidth += 2
+	wfFileMaxWidth += 2
+
+	fmt.Fprintf(os.Stdout, "%*s%*s%*s%*s%*s%*s\n",
+		-stageMaxWidth, header.stage,
+		-jobIDMaxWidth, header.jobID,
+		-jobNameMaxWidth, header.jobName,
+		-wfNameMaxWidth, header.wfName,
+		-wfFileMaxWidth, header.wfFile,
+		-eventsMaxWidth, header.events,
+	)
+	for _, line := range lineInfos {
+		fmt.Fprintf(os.Stdout, "%*s%*s%*s%*s%*s%*s\n",
+			-stageMaxWidth, line.stage,
+			-jobIDMaxWidth, line.jobID,
+			-jobNameMaxWidth, line.jobName,
+			-wfNameMaxWidth, line.wfName,
+			-wfFileMaxWidth, line.wfFile,
+			-eventsMaxWidth, line.events,
+		)
+	}
+	if duplicateJobIDs {
+		fmt.Fprint(os.Stdout, "\nDetected multiple jobs with the same job name, use `-W` to specify the path to the specific workflow.\n")
+	}
+}
--- a/cmd/platforms.go
+++ b/cmd/platforms.go
@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"strings"
+)
+
+func (i *Input) newPlatforms() map[string]string {
+	platforms := map[string]string{
+		"ubuntu-latest": "node:16-buster-slim",
+		"ubuntu-22.04":  "node:16-bullseye-slim",
+		"ubuntu-20.04":  "node:16-buster-slim",
+		"ubuntu-18.04":  "node:16-buster-slim",
+	}
+
+	for _, p := range i.platforms {
+		pParts := strings.SplitN(p, "=", 2)
+		if len(pParts) == 2 {
+			platforms[strings.ToLower(pParts[0])] = pParts[1]
+		}
+	}
+	return platforms
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -0,0 +1,866 @@
+package cmd
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"runtime"
+	"runtime/debug"
+	"strconv"
+	"strings"
+
+	"github.com/AlecAivazis/survey/v2"
+	"github.com/adrg/xdg"
+	"github.com/andreaskoch/go-fswatch"
+	docker_container "github.com/docker/docker/api/types/container"
+	"github.com/joho/godotenv"
+	gitignore "github.com/sabhiram/go-gitignore"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/cobra/doc"
+	"github.com/spf13/pflag"
+	"gopkg.in/yaml.v3"
+
+	"gitea.com/gitea/act_runner/pkg/artifactcache"
+	"gitea.com/gitea/act_runner/pkg/artifacts"
+	"gitea.com/gitea/act_runner/pkg/common"
+	"gitea.com/gitea/act_runner/pkg/container"
+	"gitea.com/gitea/act_runner/pkg/gh"
+	"gitea.com/gitea/act_runner/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/runner"
+	"gitea.com/gitea/act_runner/pkg/schema"
+)
+
+type Flag struct {
+	Name        string `json:"name"`
+	Default     string `json:"default"`
+	Type        string `json:"type"`
+	Description string `json:"description"`
+}
+
+var exitFunc = os.Exit
+
+// Execute is the entry point to running the CLI
+func Execute(ctx context.Context, version string) {
+	input := new(Input)
+	rootCmd := createRootCommand(ctx, input, version)
+
+	if err := rootCmd.Execute(); err != nil {
+		exitFunc(1)
+	}
+}
+
+func createRootCommand(ctx context.Context, input *Input, version string) *cobra.Command {
+	rootCmd := &cobra.Command{
+		Use:              "act [event name to run] [flags]\n\nIf no event name passed, will default to \"on: push\"\nIf actions handles only one event it will be used as default instead of \"on: push\"\nSee documentation at: https://gitea.com/actions-oss/act-cli or https://github.com/actions-oss/act-cli",
+		Short:            "Run GitHub actions locally by specifying the event name (e.g. `push`) or an action name directly.",
+		Args:             cobra.MaximumNArgs(1),
+		RunE:             newRunCommand(ctx, input),
+		PersistentPreRun: setup(input),
+		Version:          version,
+		SilenceUsage:     true,
+	}
+
+	rootCmd.Flags().BoolP("watch", "w", false, "watch the contents of the local repo and run when files change")
+	rootCmd.Flags().BoolVar(&input.validate, "validate", false, "validate workflows")
+	rootCmd.Flags().BoolVar(&input.strict, "strict", false, "use strict workflow schema")
+	rootCmd.Flags().BoolP("list", "l", false, "list workflows")
+	rootCmd.Flags().BoolP("graph", "g", false, "draw workflows")
+	rootCmd.Flags().StringP("job", "j", "", "run a specific job ID")
+	rootCmd.Flags().BoolP("bug-report", "", false, "Display system information for bug report")
+	rootCmd.Flags().BoolP("man-page", "", false, "Print a generated manual page to stdout")
+
+	rootCmd.Flags().StringVar(&input.remoteName, "remote-name", "origin", "git remote name that will be used to retrieve url of git repo")
+	rootCmd.Flags().StringArrayVarP(&input.secrets, "secret", "s", []string{}, "secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)")
+	rootCmd.Flags().StringArrayVar(&input.vars, "var", []string{}, "variable to make available to actions with optional value (e.g. --var myvar=foo or --var myvar)")
+	rootCmd.Flags().StringArrayVarP(&input.envs, "env", "", []string{}, "env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)")
+	rootCmd.Flags().StringArrayVarP(&input.inputs, "input", "", []string{}, "action input to make available to actions (e.g. --input myinput=foo)")
+	rootCmd.Flags().StringArrayVarP(&input.platforms, "platform", "P", []string{}, "custom image to use per platform (e.g. -P ubuntu-18.04=nektos/act-environments-ubuntu:18.04)")
+	rootCmd.Flags().BoolVarP(&input.reuseContainers, "reuse", "r", false, "don't remove container(s) on successfully completed workflow(s) to maintain state between runs")
+	rootCmd.Flags().BoolVarP(&input.bindWorkdir, "bind", "b", false, "bind working directory to container, rather than copy")
+	rootCmd.Flags().BoolVarP(&input.pullIfNeeded, "pull-if-needed", "", false, "only pull docker image(s) if not present")
+	rootCmd.Flags().BoolVarP(&input.noRebuild, "no-rebuild", "", false, "don't rebuild local action docker action image(s) if already present for correct platform")
+	rootCmd.Flags().BoolVarP(&input.autodetectEvent, "detect-event", "", false, "Use first event type from workflow as event that triggered the workflow")
+	rootCmd.Flags().StringVarP(&input.eventPath, "eventpath", "e", "", "path to event JSON file")
+	rootCmd.Flags().StringVar(&input.defaultBranch, "defaultbranch", "", "the name of the main branch")
+	rootCmd.Flags().BoolVar(&input.privileged, "privileged", false, "use privileged mode")
+	rootCmd.Flags().StringVar(&input.usernsMode, "userns", "", "user namespace to use")
+	rootCmd.Flags().BoolVar(&input.useGitIgnore, "use-gitignore", true, "Controls whether paths specified in .gitignore should be copied into container")
+	rootCmd.Flags().StringArrayVarP(&input.containerCapAdd, "container-cap-add", "", []string{}, "kernel capabilities to add to the workflow containers (e.g. --container-cap-add SYS_PTRACE)")
+	rootCmd.Flags().StringArrayVarP(&input.containerCapDrop, "container-cap-drop", "", []string{}, "kernel capabilities to remove from the workflow containers (e.g. --container-cap-drop SYS_PTRACE)")
+	rootCmd.Flags().BoolVar(&input.autoRemove, "rm", false, "automatically remove container(s)/volume(s) after a workflow(s) failure")
+	rootCmd.Flags().StringArrayVarP(&input.replaceGheActionWithGithubCom, "replace-ghe-action-with-github-com", "", []string{}, "If you are using GitHub Enterprise Server and allow specified actions from GitHub (github.com), you can set actions on this. (e.g. --replace-ghe-action-with-github-com =github/super-linter)")
+	rootCmd.Flags().StringVar(&input.replaceGheActionTokenWithGithubCom, "replace-ghe-action-token-with-github-com", "", "If you are using replace-ghe-action-with-github-com  and you want to use private actions on GitHub, you have to set personal access token")
+	rootCmd.Flags().StringArrayVarP(&input.matrix, "matrix", "", []string{}, "specify which matrix configuration to include (e.g. --matrix java:13")
+	rootCmd.Flags().IntVarP(&input.parallel, "parallel", "", 0, "number of jobs to run in parallel")
+	rootCmd.Flags().IntVarP(&input.parallel, "concurrent-jobs", "", 0, "number of jobs to run in parallel")
+	rootCmd.PersistentFlags().StringVarP(&input.actor, "actor", "a", "nektos/act", "user that triggered the event")
+	rootCmd.PersistentFlags().StringVarP(&input.workflowsPath, "workflows", "W", "./.github/workflows/", "path to workflow file(s)")
+	rootCmd.PersistentFlags().BoolVarP(&input.workflowRecurse, "recurse", "", false, "Flag to enable running workflows from subdirectories of specified path in '--workflows'/'-W' flag, this feature doesn't exist on GitHub Actions as of 2024/11")
+	rootCmd.PersistentFlags().StringVarP(&input.workdir, "directory", "C", ".", "working directory")
+	rootCmd.PersistentFlags().BoolP("verbose", "v", false, "verbose output")
+	rootCmd.PersistentFlags().BoolVar(&input.jsonLogger, "json", false, "Output logs in json format")
+	rootCmd.PersistentFlags().BoolVar(&input.logPrefixJobID, "log-prefix-job-id", false, "Output the job id within non-json logs instead of the entire name")
+	rootCmd.PersistentFlags().BoolVarP(&input.noOutput, "quiet", "q", false, "disable logging of output from steps")
+	rootCmd.PersistentFlags().BoolVarP(&input.dryrun, "dryrun", "n", false, "disable container creation, validates only workflow correctness")
+	rootCmd.PersistentFlags().StringVarP(&input.secretfile, "secret-file", "", ".secrets", "file with list of secrets to read from (e.g. --secret-file .secrets)")
+	rootCmd.PersistentFlags().StringVarP(&input.varfile, "var-file", "", ".vars", "file with list of vars to read from (e.g. --var-file .vars)")
+	rootCmd.PersistentFlags().BoolVarP(&input.insecureSecrets, "insecure-secrets", "", false, "NOT RECOMMENDED! Doesn't hide secrets while printing logs.")
+	rootCmd.PersistentFlags().StringVarP(&input.envfile, "env-file", "", ".env", "environment file to read and use as env in the containers")
+	rootCmd.PersistentFlags().StringVarP(&input.inputfile, "input-file", "", ".input", "input file to read and use as action input")
+	rootCmd.PersistentFlags().StringVarP(&input.containerArchitecture, "container-architecture", "", "", "Architecture which should be used to run containers, e.g.: linux/amd64. If not specified, will use host default architecture. Requires Docker server API Version 1.41+. Ignored on earlier Docker server platforms.")
+	rootCmd.PersistentFlags().StringVarP(&input.containerDaemonSocket, "container-daemon-socket", "", "", "URI to Docker Engine socket (e.g.: unix://~/.docker/run/docker.sock or - to disable bind mounting the socket)")
+	rootCmd.PersistentFlags().StringVarP(&input.containerOptions, "container-options", "", "", "Custom docker container options for the job container without an options property in the job definition")
+	rootCmd.PersistentFlags().StringVarP(&input.githubInstance, "github-instance", "", "github.com", "GitHub instance to use. Only use this when using GitHub Enterprise Server.")
+	rootCmd.PersistentFlags().StringVarP(&input.gitHubServerURL, "github-server-url", "", "", "Fully qualified URL to the GitHub instance to use with http/https protocol. Only use this when using GitHub Enterprise Server or Gitea.")
+	rootCmd.PersistentFlags().StringVarP(&input.gitHubAPIServerURL, "github-api-server-url", "", "", "Fully qualified URL to the GitHub instance api url to use with http/https protocol. Only use this when using GitHub Enterprise Server or Gitea.")
+	rootCmd.PersistentFlags().StringVarP(&input.gitHubGraphQlAPIServerURL, "github-graph-ql-api-server-url", "", "", "Fully qualified URL to the GitHub instance graphql api to use with http/https protocol. Only use this when using GitHub Enterprise Server or Gitea.")
+	rootCmd.PersistentFlags().StringVarP(&input.artifactServerPath, "artifact-server-path", "", "", "Defines the path where the artifact server stores uploads and retrieves downloads from. If not specified the artifact server will not start.")
+	rootCmd.PersistentFlags().StringVarP(&input.artifactServerAddr, "artifact-server-addr", "", common.GetOutboundIP().String(), "Defines the address to which the artifact server binds.")
+	rootCmd.PersistentFlags().StringVarP(&input.artifactServerPort, "artifact-server-port", "", "34567", "Defines the port where the artifact server listens.")
+	rootCmd.PersistentFlags().BoolVarP(&input.noSkipCheckout, "no-skip-checkout", "", false, "Do not skip actions/checkout")
+	rootCmd.PersistentFlags().BoolVarP(&input.noCacheServer, "no-cache-server", "", false, "Disable cache server")
+	rootCmd.PersistentFlags().StringVarP(&input.cacheServerPath, "cache-server-path", "", filepath.Join(CacheHomeDir, "actcache"), "Defines the path where the cache server stores caches.")
+	rootCmd.PersistentFlags().StringVarP(&input.cacheServerAddr, "cache-server-addr", "", common.GetOutboundIP().String(), "Defines the address to which the cache server binds.")
+	rootCmd.PersistentFlags().Uint16VarP(&input.cacheServerPort, "cache-server-port", "", 0, "Defines the port where the artifact server listens. 0 means a randomly available port.")
+	rootCmd.PersistentFlags().StringVarP(&input.actionCachePath, "action-cache-path", "", filepath.Join(CacheHomeDir, "act"), "Defines the path where the actions get cached and host workspaces created.")
+	rootCmd.PersistentFlags().BoolVarP(&input.actionOfflineMode, "action-offline-mode", "", false, "If action contents exists, it will not be fetch and pull again. If turn on this, will turn off force pull")
+	rootCmd.PersistentFlags().StringVarP(&input.networkName, "network", "", "host", "Sets a docker network name. Defaults to host.")
+	rootCmd.PersistentFlags().StringArrayVarP(&input.localRepository, "local-repository", "", []string{}, "Replaces the specified repository and ref with a local folder (e.g. https://github.com/test/test@v0=/home/act/test or test/test@v0=/home/act/test, the latter matches any hosts or protocols)")
+	rootCmd.PersistentFlags().BoolVar(&input.listOptions, "list-options", false, "Print a json structure of compatible options")
+	rootCmd.PersistentFlags().BoolVar(&input.gitea, "gitea", false, "Use Gitea instead of GitHub")
+	rootCmd.SetArgs(args())
+	return rootCmd
+}
+
+// Return locations where Act's config can be found in order: XDG spec, .actrc in HOME directory, .actrc in invocation directory
+func configLocations() []string {
+	configFileName := ".actrc"
+
+	homePath := filepath.Join(UserHomeDir, configFileName)
+	invocationPath := filepath.Join(".", configFileName)
+
+	// Though named xdg, adrg's lib support macOS and Windows config paths as well
+	// It also takes cares of creating the parent folder so we don't need to bother later
+	specPath, err := xdg.ConfigFile("act/actrc")
+	if err != nil {
+		specPath = homePath
+	}
+
+	// This order should be enforced since the survey part relies on it
+	return []string{specPath, homePath, invocationPath}
+}
+
+func args() []string {
+	actrc := configLocations()
+
+	args := make([]string, 0)
+	for _, f := range actrc {
+		args = append(args, readArgsFile(f, true)...)
+	}
+
+	args = append(args, os.Args[1:]...)
+	return args
+}
+
+func bugReport(ctx context.Context, version string) error {
+	sprintf := func(key, val string) string {
+		return fmt.Sprintf("%-24s%s\n", key, val)
+	}
+
+	report := sprintf("act version:", version)
+	report += sprintf("Variant:", "https://gitea.com/actions-oss/act-cli / https://github.com/actions-oss/act-cli")
+	report += sprintf("GOOS:", runtime.GOOS)
+	report += sprintf("GOARCH:", runtime.GOARCH)
+	report += sprintf("NumCPU:", strconv.Itoa(runtime.NumCPU()))
+
+	var dockerHost string
+	var exists bool
+	if dockerHost, exists = os.LookupEnv("DOCKER_HOST"); !exists {
+		dockerHost = "DOCKER_HOST environment variable is not set"
+	} else if dockerHost == "" {
+		dockerHost = "DOCKER_HOST environment variable is empty."
+	}
+
+	report += sprintf("Docker host:", dockerHost)
+	report += fmt.Sprintln("Sockets found:")
+	for _, p := range container.CommonSocketLocations {
+		if _, err := os.Lstat(os.ExpandEnv(p)); err != nil {
+			continue
+		} else if _, err := os.Stat(os.ExpandEnv(p)); err != nil {
+			report += fmt.Sprintf("\t%s(broken)\n", p)
+		} else {
+			report += fmt.Sprintf("\t%s\n", p)
+		}
+	}
+
+	report += sprintf("Config files:", "")
+	var reportSb202 strings.Builder
+	var reportSb205 strings.Builder
+	for _, c := range configLocations() {
+		args := readArgsFile(c, false)
+		if len(args) > 0 {
+			fmt.Fprintf(&reportSb202, "\t%s:\n", c)
+			var reportSb206 strings.Builder
+			for _, l := range args {
+				fmt.Fprintf(&reportSb206, "\t\t%s\n", l)
+			}
+			reportSb205.WriteString(reportSb206.String())
+		}
+	}
+	report += reportSb205.String()
+	report += reportSb202.String()
+
+	vcs, ok := debug.ReadBuildInfo()
+	if ok && vcs != nil {
+		report += fmt.Sprintln("Build info:")
+		vcs := *vcs
+		report += sprintf("\tGo version:", vcs.GoVersion)
+		report += sprintf("\tModule path:", vcs.Path)
+		report += sprintf("\tMain version:", vcs.Main.Version)
+		report += sprintf("\tMain path:", vcs.Main.Path)
+		report += sprintf("\tMain checksum:", vcs.Main.Sum)
+
+		report += fmt.Sprintln("\tBuild settings:")
+		var reportSb223 strings.Builder
+		for _, set := range vcs.Settings {
+			reportSb223.WriteString(sprintf(fmt.Sprintf("\t\t%s:", set.Key), set.Value))
+		}
+		report += reportSb223.String()
+	}
+
+	info, err := container.GetHostInfo(ctx)
+	if err != nil {
+		fmt.Fprintln(os.Stdout, report)
+		return err
+	}
+
+	report += fmt.Sprintln("Docker Engine:")
+
+	report += sprintf("\tEngine version:", info.ServerVersion)
+	report += sprintf("\tEngine runtime:", info.DefaultRuntime)
+	report += sprintf("\tCgroup version:", info.CgroupVersion)
+	report += sprintf("\tCgroup driver:", info.CgroupDriver)
+	report += sprintf("\tStorage driver:", info.Driver)
+	report += sprintf("\tRegistry URI:", info.IndexServerAddress)
+
+	report += sprintf("\tOS:", info.OperatingSystem)
+	report += sprintf("\tOS type:", info.OSType)
+	report += sprintf("\tOS version:", info.OSVersion)
+	report += sprintf("\tOS arch:", info.Architecture)
+	report += sprintf("\tOS kernel:", info.KernelVersion)
+	report += sprintf("\tOS CPU:", strconv.Itoa(info.NCPU))
+	report += sprintf("\tOS memory:", fmt.Sprintf("%d MB", info.MemTotal/1024/1024))
+
+	report += fmt.Sprintln("\tSecurity options:")
+	var reportSb252 strings.Builder
+	for _, secopt := range info.SecurityOptions {
+		fmt.Fprintf(&reportSb252, "\t\t%s\n", secopt)
+	}
+	report += reportSb252.String()
+
+	fmt.Fprintln(os.Stdout, report)
+	return nil
+}
+
+func generateManPage(cmd *cobra.Command) {
+	header := &doc.GenManHeader{
+		Title:   "act",
+		Section: "1",
+		Source:  "act " + cmd.Version,
+	}
+	buf := new(bytes.Buffer)
+	cobra.CheckErr(doc.GenMan(cmd, header, buf))
+	fmt.Fprint(os.Stdout, buf.String())
+}
+
+func listOptions(cmd *cobra.Command) error {
+	flags := []Flag{}
+	cmd.LocalFlags().VisitAll(func(f *pflag.Flag) {
+		flags = append(flags, Flag{Name: f.Name, Default: f.DefValue, Description: f.Usage, Type: f.Value.Type()})
+	})
+	a, err := json.Marshal(flags)
+	fmt.Fprintln(os.Stdout, string(a))
+	return err
+}
+
+func readArgsFile(file string, split bool) []string {
+	args := make([]string, 0)
+	f, err := os.Open(file)
+	if err != nil {
+		return args
+	}
+	defer func() {
+		err := f.Close()
+		if err != nil {
+			log.Errorf("failed to close args file: %v", err)
+		}
+	}()
+	scanner := bufio.NewScanner(f)
+	scanner.Buffer(nil, 1024*1024*1024) // increase buffer to 1GB to avoid scanner buffer overflow
+	for scanner.Scan() {
+		arg := os.ExpandEnv(strings.TrimSpace(scanner.Text()))
+
+		if strings.HasPrefix(arg, "-") && split {
+			args = append(args, regexp.MustCompile(`\s`).Split(arg, 2)...)
+		} else if !split {
+			args = append(args, arg)
+		}
+	}
+	return args
+}
+
+func setup(_ *Input) func(*cobra.Command, []string) {
+	return func(cmd *cobra.Command, _ []string) {
+		verbose, _ := cmd.Flags().GetBool("verbose")
+		if verbose {
+			log.SetLevel(log.DebugLevel)
+		}
+	}
+}
+
+func parseEnvs(env []string) map[string]string {
+	envs := make(map[string]string, len(env))
+	for _, envVar := range env {
+		e := strings.SplitN(envVar, `=`, 2)
+		if len(e) == 2 {
+			envs[e[0]] = e[1]
+		} else {
+			envs[e[0]] = ""
+		}
+	}
+	return envs
+}
+
+func readYamlFile(file string) (map[string]string, error) {
+	content, err := os.ReadFile(file)
+	if err != nil {
+		return nil, err
+	}
+	ret := map[string]string{}
+	if err = yaml.Unmarshal(content, &ret); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+func readEnvs(path string, envs map[string]string) bool {
+	return readEnvsEx(path, envs, false)
+}
+
+func readEnvsEx(path string, envs map[string]string, caseInsensitive bool) bool {
+	if _, err := os.Stat(path); err == nil {
+		var env map[string]string
+		if ext := filepath.Ext(path); ext == ".yml" || ext == ".yaml" {
+			env, err = readYamlFile(path)
+		} else {
+			env, err = godotenv.Read(path)
+		}
+		if err != nil {
+			log.Fatalf("Error loading from %s: %v", path, err)
+		}
+		for k, v := range env {
+			if caseInsensitive {
+				k = strings.ToUpper(k)
+			}
+			if _, ok := envs[k]; !ok {
+				envs[k] = v
+			}
+		}
+		return true
+	}
+	return false
+}
+
+func parseMatrix(matrix []string) map[string]map[string]bool {
+	// each matrix entry should be of the form - string:string
+	r := regexp.MustCompile(":")
+	matrixes := make(map[string]map[string]bool)
+	for _, m := range matrix {
+		matrix := r.Split(m, 2)
+		if len(matrix) < 2 {
+			log.Fatalf("Invalid matrix format. Failed to parse %s", m)
+		}
+		if _, ok := matrixes[matrix[0]]; !ok {
+			matrixes[matrix[0]] = make(map[string]bool)
+		}
+		matrixes[matrix[0]][matrix[1]] = true
+	}
+	return matrixes
+}
+
+//nolint:gocyclo
+func newRunCommand(ctx context.Context, input *Input) func(*cobra.Command, []string) error {
+	return func(cmd *cobra.Command, args []string) error {
+		if input.jsonLogger {
+			log.SetFormatter(&log.JSONFormatter{})
+		}
+
+		if ok, _ := cmd.Flags().GetBool("bug-report"); ok {
+			ctx, cancel := common.EarlyCancelContext(ctx)
+			defer cancel()
+			return bugReport(ctx, cmd.Version)
+		}
+		if ok, _ := cmd.Flags().GetBool("man-page"); ok {
+			generateManPage(cmd)
+			return nil
+		}
+		if input.listOptions {
+			return listOptions(cmd)
+		}
+
+		if ret, err := container.GetSocketAndHost(input.containerDaemonSocket); err != nil {
+			log.Warnf("Couldn't get a valid docker connection: %+v", err)
+		} else {
+			os.Setenv("DOCKER_HOST", ret.Host)
+			input.containerDaemonSocket = ret.Socket
+			log.Infof("Using docker host '%s', and daemon socket '%s'", ret.Host, ret.Socket)
+		}
+
+		if runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" && input.containerArchitecture == "" {
+			l := log.New()
+			l.SetFormatter(&log.TextFormatter{
+				DisableQuote:     true,
+				DisableTimestamp: true,
+			})
+			l.Warnf(" \U000026A0 You are using Apple M-series chip and you have not specified container architecture, you might encounter issues while running act. If so, try running it with '--container-architecture linux/amd64'. \U000026A0 \n")
+		}
+
+		log.Debugf("Loading environment from %s", input.Envfile())
+		envs := parseEnvs(input.envs)
+		_ = readEnvs(input.Envfile(), envs)
+
+		log.Debugf("Loading action inputs from %s", input.Inputfile())
+		inputs := parseEnvs(input.inputs)
+		_ = readEnvs(input.Inputfile(), inputs)
+
+		log.Debugf("Loading secrets from %s", input.Secretfile())
+		secrets := newSecrets(input.secrets)
+		_ = readEnvsEx(input.Secretfile(), secrets, true)
+
+		if _, hasGitHubToken := secrets["GITHUB_TOKEN"]; !hasGitHubToken {
+			ctx, cancel := common.EarlyCancelContext(ctx)
+			defer cancel()
+			secrets["GITHUB_TOKEN"], _ = gh.GetToken(ctx, "")
+		}
+
+		log.Debugf("Loading vars from %s", input.Varfile())
+		vars := newSecrets(input.vars)
+		_ = readEnvs(input.Varfile(), vars)
+
+		log.Debugf("Cleaning up %s old action cache format", input.actionCachePath)
+		entries, _ := os.ReadDir(input.actionCachePath)
+		for _, entry := range entries {
+			if strings.Contains(entry.Name(), "@") {
+				fullPath := filepath.Join(input.actionCachePath, entry.Name())
+				log.Debugf("Removing %s", fullPath)
+				_ = os.RemoveAll(fullPath)
+			}
+		}
+
+		matrixes := parseMatrix(input.matrix)
+		log.Debugf("Evaluated matrix inclusions: %v", matrixes)
+
+		// TODO switch to Gitea Schema when supported
+		plannerConfig := model.PlannerConfig{
+			Recursive: input.workflowRecurse,
+			Workflow: model.WorkflowConfig{
+				Strict: input.strict,
+			},
+		}
+		if input.gitea {
+			plannerConfig.Workflow.Schema = schema.GetGiteaWorkflowSchema()
+		}
+
+		planner, err := model.NewWorkflowPlanner(input.WorkflowsPath(), plannerConfig)
+		if err != nil {
+			return err
+		}
+
+		jobID, err := cmd.Flags().GetString("job")
+		if err != nil {
+			return err
+		}
+
+		// check if we should just list the workflows
+		list, err := cmd.Flags().GetBool("list")
+		if err != nil {
+			return err
+		}
+
+		// check if we should just validate the workflows
+		if input.validate {
+			return err
+		}
+
+		// check if we should just draw the graph
+		graph, err := cmd.Flags().GetBool("graph")
+		if err != nil {
+			return err
+		}
+
+		// collect all events from loaded workflows
+		events := planner.GetEvents()
+
+		// plan with filtered jobs - to be used for filtering only
+		var filterPlan *model.Plan
+
+		// Determine the event name to be filtered
+		var filterEventName string
+
+		if len(args) > 0 {
+			log.Debugf("Using first passed in arguments event for filtering: %s", args[0])
+			filterEventName = args[0]
+		} else if input.autodetectEvent && len(events) > 0 && len(events[0]) > 0 {
+			// set default event type to first event from many available
+			// this way user dont have to specify the event.
+			log.Debugf("Using first detected workflow event for filtering: %s", events[0])
+			filterEventName = events[0]
+		}
+
+		var plannerErr error
+		if jobID != "" {
+			log.Debugf("Preparing plan with a job: %s", jobID)
+			filterPlan, plannerErr = planner.PlanJob(jobID)
+		} else if filterEventName != "" {
+			log.Debugf("Preparing plan for a event: %s", filterEventName)
+			filterPlan, plannerErr = planner.PlanEvent(filterEventName)
+		} else {
+			log.Debugf("Preparing plan with all jobs")
+			filterPlan, plannerErr = planner.PlanAll()
+		}
+		if filterPlan == nil && plannerErr != nil {
+			return plannerErr
+		}
+
+		if list {
+			printList(filterPlan)
+			return plannerErr
+		}
+
+		if graph {
+			drawGraph(filterPlan)
+			return plannerErr
+		}
+
+		// plan with triggered jobs
+		var plan *model.Plan
+
+		// Determine the event name to be triggered
+		var eventName string
+
+		if len(args) > 0 {
+			log.Debugf("Using first passed in arguments event: %s", args[0])
+			eventName = args[0]
+		} else if len(events) == 1 && len(events[0]) > 0 {
+			log.Debugf("Using the only detected workflow event: %s", events[0])
+			eventName = events[0]
+		} else if input.autodetectEvent && len(events) > 0 && len(events[0]) > 0 {
+			// set default event type to first event from many available
+			// this way user dont have to specify the event.
+			log.Debugf("Using first detected workflow event: %s", events[0])
+			eventName = events[0]
+		} else {
+			log.Debugf("Using default workflow event: push")
+			eventName = "push"
+		}
+
+		// build the plan for this run
+		if jobID != "" {
+			log.Debugf("Planning job: %s", jobID)
+			plan, plannerErr = planner.PlanJob(jobID)
+		} else {
+			log.Debugf("Planning jobs for event: %s", eventName)
+			plan, plannerErr = planner.PlanEvent(eventName)
+		}
+		if plan != nil {
+			if len(plan.Stages) == 0 {
+				plannerErr = errors.New("could not find any stages to run. View the valid jobs with `act --list`. Use `act --help` to find how to filter by Job ID/Workflow/Event Name")
+			}
+		}
+		if plan == nil && plannerErr != nil {
+			return plannerErr
+		}
+
+		// check to see if the main branch was defined
+		defaultbranch, err := cmd.Flags().GetString("defaultbranch")
+		if err != nil {
+			return err
+		}
+
+		// Check if platforms flag is set, if not, run default image survey
+		if len(input.platforms) == 0 {
+			cfgFound := false
+			cfgLocations := configLocations()
+			for _, v := range cfgLocations {
+				_, err := os.Stat(v)
+				if os.IsExist(err) {
+					cfgFound = true
+				}
+			}
+			if !cfgFound && len(cfgLocations) > 0 {
+				// The first config location refers to the global config folder one
+				if err := defaultImageSurvey(cfgLocations[0]); err != nil {
+					log.Fatal(err)
+				}
+				input.platforms = readArgsFile(cfgLocations[0], true)
+			}
+		}
+		deprecationWarning := "--%s is deprecated and will be removed soon, please switch to cli: `--container-options \"%[2]s\"` or `.actrc`: `--container-options %[2]s`."
+		if input.privileged {
+			log.Warnf(deprecationWarning, "privileged", "--privileged")
+		}
+		if len(input.usernsMode) > 0 {
+			log.Warnf(deprecationWarning, "userns", "--userns="+input.usernsMode)
+		}
+		if len(input.containerCapAdd) > 0 {
+			log.Warnf(deprecationWarning, "container-cap-add", fmt.Sprintf("--cap-add=%s", input.containerCapAdd))
+		}
+		if len(input.containerCapDrop) > 0 {
+			log.Warnf(deprecationWarning, "container-cap-drop", fmt.Sprintf("--cap-drop=%s", input.containerCapDrop))
+		}
+
+		// run the plan
+		config := &runner.Config{
+			Actor:                              input.actor,
+			EventName:                          eventName,
+			EventPath:                          input.EventPath(),
+			DefaultBranch:                      defaultbranch,
+			ForcePull:                          !input.actionOfflineMode && !input.pullIfNeeded,
+			ForceRebuild:                       !input.noRebuild,
+			ReuseContainers:                    input.reuseContainers,
+			Workdir:                            input.Workdir(),
+			ActionCacheDir:                     input.actionCachePath,
+			ActionOfflineMode:                  input.actionOfflineMode,
+			BindWorkdir:                        input.bindWorkdir,
+			LogOutput:                          !input.noOutput,
+			JSONLogger:                         input.jsonLogger,
+			LogPrefixJobID:                     input.logPrefixJobID,
+			Env:                                envs,
+			Secrets:                            secrets,
+			Vars:                               vars,
+			Inputs:                             inputs,
+			Token:                              secrets["GITHUB_TOKEN"],
+			InsecureSecrets:                    input.insecureSecrets,
+			Platforms:                          input.newPlatforms(),
+			Privileged:                         input.privileged,
+			UsernsMode:                         input.usernsMode,
+			ContainerArchitecture:              input.containerArchitecture,
+			ContainerDaemonSocket:              input.containerDaemonSocket,
+			ContainerOptions:                   input.containerOptions,
+			UseGitIgnore:                       input.useGitIgnore,
+			GitHubInstance:                     input.githubInstance,
+			GitHubServerURL:                    input.gitHubServerURL,
+			GitHubAPIServerURL:                 input.gitHubAPIServerURL,
+			GitHubGraphQlAPIServerURL:          input.gitHubGraphQlAPIServerURL,
+			ContainerCapAdd:                    input.containerCapAdd,
+			ContainerCapDrop:                   input.containerCapDrop,
+			AutoRemove:                         input.autoRemove,
+			ArtifactServerPath:                 input.artifactServerPath,
+			ArtifactServerAddr:                 input.artifactServerAddr,
+			ArtifactServerPort:                 input.artifactServerPort,
+			NoSkipCheckout:                     input.noSkipCheckout,
+			RemoteName:                         input.remoteName,
+			ReplaceGheActionWithGithubCom:      input.replaceGheActionWithGithubCom,
+			ReplaceGheActionTokenWithGithubCom: input.replaceGheActionTokenWithGithubCom,
+			Matrix:                             matrixes,
+			ContainerNetworkMode:               docker_container.NetworkMode(input.networkName),
+			Parallel:                           input.parallel,
+			Planner:                            plannerConfig,
+			Action:                             model.ActionConfig{}, // TODO Gitea Action Schema
+			MainContextNames:                   []string{"github"},
+		}
+		if input.gitea {
+			config.Action.Schema = schema.GetGiteaActionSchema()
+			config.MainContextNames = append(config.MainContextNames, "gitea")
+		}
+		actionCache := runner.GoGitActionCache{
+			Path: config.ActionCacheDir,
+		}
+		config.ActionCache = &actionCache
+		if input.actionOfflineMode {
+			config.ActionCache = &runner.GoGitActionCacheOfflineMode{
+				Parent: actionCache,
+			}
+		}
+		if len(input.localRepository) > 0 {
+			localRepositories := map[string]string{}
+			for _, l := range input.localRepository {
+				k, v, _ := strings.Cut(l, "=")
+				localRepositories[k] = v
+			}
+			config.ActionCache = &runner.LocalRepositoryCache{
+				Parent:            config.ActionCache,
+				LocalRepositories: localRepositories,
+				CacheDirCache:     map[string]string{},
+			}
+		}
+
+		var r runner.Runner
+		if eventName == "workflow_call" {
+			// Do not use the totally broken code and instead craft a fake caller
+			convertedInputs := make(map[string]any)
+			for k, v := range inputs {
+				var raw any
+				if err := yaml.Unmarshal([]byte(v), &raw); err != nil {
+					return fmt.Errorf("failed to unmarshal input %s: %w", k, err)
+				}
+				convertedInputs[k] = raw
+			}
+			r, err = runner.NewReusableWorkflowRunner(&runner.RunContext{
+				Config:  config,
+				Name:    "_",
+				JobName: "_",
+				Run: &model.Run{
+					JobID: "_",
+					Workflow: &model.Workflow{
+						Jobs: map[string]*model.Job{
+							"_": {
+								Name: "_",
+								With: convertedInputs,
+							},
+						},
+					},
+				},
+			})
+		} else {
+			r, err = runner.New(config)
+		}
+		if err != nil {
+			return err
+		}
+
+		cancel := artifacts.Serve(ctx, input.artifactServerPath, input.artifactServerAddr, input.artifactServerPort)
+
+		const cacheURLKey = "ACTIONS_CACHE_URL"
+		var cacheHandler *artifactcache.Handler
+		if !input.noCacheServer && envs[cacheURLKey] == "" {
+			var err error
+			cacheHandler, err = artifactcache.StartHandler(input.cacheServerPath, input.cacheServerAddr, input.cacheServerPort, common.Logger(ctx))
+			if err != nil {
+				return err
+			}
+			envs[cacheURLKey] = cacheHandler.ExternalURL() + "/"
+		}
+
+		ctx = common.WithDryrun(ctx, input.dryrun)
+		if watch, err := cmd.Flags().GetBool("watch"); err != nil {
+			return err
+		} else if watch {
+			err = watchAndRun(ctx, r.NewPlanExecutor(plan))
+			if err != nil {
+				return err
+			}
+			return plannerErr
+		}
+
+		executor := r.NewPlanExecutor(plan).Finally(func(_ context.Context) error {
+			cancel()
+			_ = cacheHandler.Close()
+			return nil
+		})
+		err = executor(ctx)
+		if err != nil {
+			return err
+		}
+		return plannerErr
+	}
+}
+
+func defaultImageSurvey(actrc string) error {
+	var answer string
+	confirmation := &survey.Select{
+		Message: "Please choose the default image you want to use with act:\n  - Large size image: ca. 17GB download + 53.1GB storage, you will need 75GB of free disk space, snapshots of GitHub Hosted Runners without snap and pulled docker images\n  - Medium size image: ~500MB, includes only necessary tools to bootstrap actions and aims to be compatible with most actions\n  - Micro size image: <200MB, contains only NodeJS required to bootstrap actions, doesn't work with all actions\n\nDefault image and other options can be changed manually in " + configLocations()[0] + " (please refer to https://github.com/nektos/act#configuration for additional information about file structure)",
+		Help:    "If you want to know why act asks you that, please go to https://github.com/actions-oss/act-cli/issues/107",
+		Default: "Medium",
+		Options: []string{"Large", "Medium", "Micro"},
+	}
+
+	err := survey.AskOne(confirmation, &answer)
+	if err != nil {
+		return err
+	}
+
+	var option string
+	switch answer {
+	case "Large":
+		option = "-P ubuntu-latest=catthehacker/ubuntu:full-latest\n-P ubuntu-22.04=catthehacker/ubuntu:full-22.04\n-P ubuntu-20.04=catthehacker/ubuntu:full-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:full-18.04\n"
+	case "Medium":
+		option = "-P ubuntu-latest=catthehacker/ubuntu:act-latest\n-P ubuntu-22.04=catthehacker/ubuntu:act-22.04\n-P ubuntu-20.04=catthehacker/ubuntu:act-20.04\n-P ubuntu-18.04=catthehacker/ubuntu:act-18.04\n"
+	case "Micro":
+		option = "-P ubuntu-latest=node:16-buster-slim\n-P ubuntu-22.04=node:16-bullseye-slim\n-P ubuntu-20.04=node:16-buster-slim\n-P ubuntu-18.04=node:16-buster-slim\n"
+	}
+
+	f, err := os.Create(actrc)
+	if err != nil {
+		return err
+	}
+
+	_, err = f.WriteString(option)
+	if err != nil {
+		_ = f.Close()
+		return err
+	}
+
+	err = f.Close()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func watchAndRun(ctx context.Context, fn common.Executor) error {
+	dir, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+
+	ignoreFile := filepath.Join(dir, ".gitignore")
+	ignore := &gitignore.GitIgnore{}
+	if info, err := os.Stat(ignoreFile); err == nil && !info.IsDir() {
+		ignore, err = gitignore.CompileIgnoreFile(ignoreFile)
+		if err != nil {
+			return fmt.Errorf("compile %q: %w", ignoreFile, err)
+		}
+	}
+
+	folderWatcher := fswatch.NewFolderWatcher(
+		dir,
+		true,
+		ignore.MatchesPath,
+		2, // 2 seconds
+	)
+
+	folderWatcher.Start()
+	defer folderWatcher.Stop()
+
+	// run once before watching
+	if err := fn(ctx); err != nil {
+		return err
+	}
+
+	earlyCancelCtx, cancel := common.EarlyCancelContext(ctx)
+	defer cancel()
+
+	for folderWatcher.IsRunning() {
+		log.Debugf("Watching %s for changes", dir)
+		select {
+		case <-earlyCancelCtx.Done():
+			return nil
+		case changes := <-folderWatcher.ChangeDetails():
+			log.Debugf("%s", changes.String())
+			if err := fn(ctx); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
--- a/cmd/root_test.go
+++ b/cmd/root_test.go
@@ -0,0 +1,110 @@
+package cmd
+
+import (
+	"context"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadSecrets(t *testing.T) {
+	secrets := map[string]string{}
+	ret := readEnvsEx(path.Join("testdata", "secrets.yml"), secrets, true)
+	assert.True(t, ret)
+	assert.Equal(t, `line1
+line2
+line3
+`, secrets["MYSECRET"])
+}
+
+func TestReadEnv(t *testing.T) {
+	secrets := map[string]string{}
+	ret := readEnvs(path.Join("testdata", "secrets.yml"), secrets)
+	assert.True(t, ret)
+	assert.Equal(t, `line1
+line2
+line3
+`, secrets["mysecret"])
+}
+
+func TestListOptions(t *testing.T) {
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		listOptions: true,
+	})(rootCmd, []string{})
+	require.NoError(t, err)
+}
+
+func TestRun(t *testing.T) {
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		platforms:     []string{"ubuntu-latest=node:16-buster-slim"},
+		workdir:       "../pkg/runner/testdata/",
+		workflowsPath: "./basic/push.yml",
+	})(rootCmd, []string{})
+	require.NoError(t, err)
+}
+
+func TestRunPush(t *testing.T) {
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		platforms:     []string{"ubuntu-latest=node:16-buster-slim"},
+		workdir:       "../pkg/runner/testdata/",
+		workflowsPath: "./basic/push.yml",
+	})(rootCmd, []string{"push"})
+	require.NoError(t, err)
+}
+
+func TestRunPushJsonLogger(t *testing.T) {
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		platforms:     []string{"ubuntu-latest=node:16-buster-slim"},
+		workdir:       "../pkg/runner/testdata/",
+		workflowsPath: "./basic/push.yml",
+		jsonLogger:    true,
+	})(rootCmd, []string{"push"})
+	require.NoError(t, err)
+}
+
+func TestFlags(t *testing.T) {
+	for _, f := range []string{"graph", "list", "bug-report", "man-page"} {
+		t.Run("TestFlag-"+f, func(t *testing.T) {
+			rootCmd := createRootCommand(context.Background(), &Input{}, "")
+			err := rootCmd.Flags().Set(f, "true")
+			require.NoError(t, err)
+			err = newRunCommand(context.Background(), &Input{
+				platforms:     []string{"ubuntu-latest=node:16-buster-slim"},
+				workdir:       "../pkg/runner/testdata/",
+				workflowsPath: "./basic/push.yml",
+			})(rootCmd, []string{})
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestWorkflowCall(t *testing.T) {
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		platforms:     []string{"ubuntu-latest=node:16-buster-slim"},
+		workdir:       "../pkg/runner/testdata/",
+		workflowsPath: "./workflow_call_inputs/workflow_call_inputs.yml",
+		inputs:        []string{"required=required input", "boolean=true"},
+	})(rootCmd, []string{"workflow_call"})
+	require.NoError(t, err)
+}
+
+func TestLocalRepositories(t *testing.T) {
+	wd, _ := filepath.Abs("../pkg/runner/testdata/")
+	rootCmd := createRootCommand(context.Background(), &Input{}, "")
+	err := newRunCommand(context.Background(), &Input{
+		githubInstance:  "github.com",
+		platforms:       []string{"ubuntu-latest=node:16-buster-slim"},
+		workdir:         wd,
+		workflowsPath:   "./remote-action-composite-action-ref-partial-override/push.yml",
+		localRepository: []string{"needs/override@main=" + wd + "/actions-environment-and-context-tests"},
+	})(rootCmd, []string{"push"})
+	require.NoError(t, err)
+}
--- a/cmd/secrets.go
+++ b/cmd/secrets.go
@@ -0,0 +1,42 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/term"
+)
+
+type secrets map[string]string
+
+func newSecrets(secretList []string) secrets {
+	s := make(map[string]string)
+	for _, secretPair := range secretList {
+		secretPairParts := strings.SplitN(secretPair, "=", 2)
+		secretPairParts[0] = strings.ToUpper(secretPairParts[0])
+		if strings.ToUpper(s[secretPairParts[0]]) == secretPairParts[0] {
+			log.Errorf("secret %s is already defined (secrets are case insensitive)", secretPairParts[0])
+		}
+		if len(secretPairParts) == 2 {
+			s[secretPairParts[0]] = secretPairParts[1]
+		} else if env, ok := os.LookupEnv(secretPairParts[0]); ok && env != "" {
+			s[secretPairParts[0]] = env
+		} else {
+			fmt.Fprintf(os.Stdout, "Provide value for '%s': ", secretPairParts[0])
+			val, err := term.ReadPassword(int(os.Stdin.Fd()))
+			fmt.Fprintln(os.Stdout)
+			if err != nil {
+				log.Errorf("failed to read input: %v", err)
+				os.Exit(1)
+			}
+			s[secretPairParts[0]] = string(val)
+		}
+	}
+	return s
+}
+
+func (s secrets) AsMap() map[string]string {
+	return s
+}
--- a/cmd/testdata/secrets.yml
+++ b/cmd/testdata/secrets.yml
@@ -0,0 +1,4 @@
+mysecret: |
+  line1
+  line2
+  line3
--- a/codecov.yml
+++ b/codecov.yml
@@ -0,0 +1,12 @@
+coverage:
+  status:
+    project:
+      default:
+        target: auto # auto compares coverage to the previous base commit
+        threshold: 1%
+    patch:
+      default:
+        target: 50%
+ignore:
+# Files generated by Google Protobuf do not require coverage
+- '**/*.pb.go'
--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@@ -5,12 +5,27 @@
  gitea:
    image: gitea/gitea
    ...
+    healthcheck:
+      # checks availability of Gitea's front-end with curl
+      test: ["CMD", "curl", "-f", "<instance_url>"]
+      interval: 10s
+      retries: 3
+      start_period: 30s
+      timeout: 10s
+    environment:
+      # GITEA_RUNNER_REGISTRATION_TOKEN can be used to set a global runner registration token.
+      # The Gitea version must be v1.23 or higher.
+      # It's also possible to use GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
+      # - GITEA_RUNNER_REGISTRATION_TOKEN=<user-defined registration token>

  runner:
    image: gitea/act_runner
    restart: always
    depends_on:
-      - gitea
+      gitea:
+        # required so runner can attach to gitea, see "healthcheck"
+        condition: service_healthy 
+        restart: true
    volumes:
      - ./data/act_runner:/data
      - /var/run/docker.sock:/var/run/docker.sock
@@ -18,6 +33,32 @@
      - GITEA_INSTANCE_URL=<instance url>
      # When using Docker Secrets, it's also possible to use
      # GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
-      # The env var takes precedence
+      # The env var takes precedence.
+      # Needed only for the first start.
+      - GITEA_RUNNER_REGISTRATION_TOKEN=<registration token>
+```
+
+### Running `act_runner` using Docker-in-Docker (DIND) 
+
+```yml
+...
+  runner:
+    image: gitea/act_runner:latest-dind-rootless
+    restart: always
+    privileged: true
+    depends_on:
+      - gitea
+    volumes:
+      - ./data/act_runner:/data
+    environment:
+      - GITEA_INSTANCE_URL=<instance url>
+      - DOCKER_HOST=unix:///var/run/user/1000/docker.sock
+      # Use slirp4netns instead of vpnkit for significantly better network throughput.
+      - DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns
+      - DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=65520
+      # When using Docker Secrets, it's also possible to use
+      # GITEA_RUNNER_REGISTRATION_TOKEN_FILE to pass the location.
+      # The env var takes precedence.
+      # Needed only for the first start.
      - GITEA_RUNNER_REGISTRATION_TOKEN=<registration token>
 ```
--- a/examples/kubernetes/dind-docker.yaml
+++ b/examples/kubernetes/dind-docker.yaml
@@ -12,6 +12,9 @@ spec:
 ---
 apiVersion: v1
 data:
+  # The registration token can be obtained from the web UI, API or command-line.
+  # You can also set a pre-defined global runner registration token for the Gitea instance via 
+  # `GITEA_RUNNER_REGISTRATION_TOKEN`/`GITEA_RUNNER_REGISTRATION_TOKEN_FILE` environment variable.
  token: << base64 encoded registration token >>
 kind: Secret
 metadata:
@@ -46,7 +49,7 @@ spec:
      containers:
      - name: runner
        image: gitea/act_runner:nightly
-        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
+        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- run.sh"]
        env:
        - name: DOCKER_HOST
          value: tcp://localhost:2376
--- a/examples/kubernetes/rootless-docker.yaml
+++ b/examples/kubernetes/rootless-docker.yaml
@@ -12,7 +12,10 @@ spec:
 ---
 apiVersion: v1
 data:
-  token: << runner registration token goes here >>
+  # The registration token can be obtained from the web UI, API or command-line.
+  # You can also set a pre-defined global runner registration token for the Gitea instance via 
+  # `GITEA_RUNNER_REGISTRATION_TOKEN`/`GITEA_RUNNER_REGISTRATION_TOKEN_FILE` environment variable.
+  token: << base64 encoded registration token >>
 kind: Secret
 metadata:
  name: runner-secret
@@ -41,6 +44,8 @@ spec:
      - name: runner-data
        persistentVolumeClaim:
          claimName: act-runner-vol
+      securityContext:
+        fsGroup: 1000
      containers:
      - name: runner
        image: gitea/act_runner:nightly-dind-rootless
--- a/examples/vm/rootless-docker.md
+++ b/examples/vm/rootless-docker.md
@@ -11,7 +11,8 @@ As `root`:
 ```bash
 useradd -m rootless
 passwd rootless
-```
+ apt-get install -y uidmap # Not mentioned but needed for docker rootless.
+ ```

 - Install [`docker-ce`](https://docs.docker.com/engine/install/)
 - (Recommended) Disable the system-wide Docker daemon
@@ -21,12 +22,19 @@ As `root`:
 As the `rootless` user:

 - Follow the instructions for [enabling rootless mode](https://docs.docker.com/engine/security/rootless/)
- Add the following lines to the `/home/rootless/.bashrc`:
+- Add the following line to the `/home/rootless/.bashrc`:

 ```bash
- export XDG_RUNTIME_DIR=/home/rootless/.docker/run
- export PATH=/home/rootless/bin:$PATH
- export DOCKER_HOST=unix:///run/user/1001/docker.sock
+for f in ./.bashrc.d/*.bash; do echo "Processing $f file..."; . "$f"; done
+```
+
+- Create the .bashrc.d directory `mkdir ~/.bashrc.d`
+- Add the following lines to the `/home/rootless/.bashrc.d/rootless-docker.bash`:
+
+```bash
+export XDG_RUNTIME_DIR=/home/rootless/.docker/run
+export PATH=/home/rootless/bin:$PATH
+export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
 ```

 - Reboot. Ensure that the Docker process is working.
--- a/go.mod
+++ b/go.mod
@@ -1,94 +1,121 @@
 module gitea.com/gitea/act_runner

-go 1.21
+go 1.26.0

 require (
-	code.gitea.io/actions-proto-go v0.3.1
-	code.gitea.io/gitea-vet v0.2.3-0.20230113022436-2b1561217fa5
-	github.com/avast/retry-go/v4 v4.5.0
-	github.com/bufbuild/connect-go v1.10.0
-	github.com/docker/docker v24.0.6+incompatible
+	code.gitea.io/actions-proto-go v0.4.1
+	code.gitea.io/gitea-vet v0.2.3
+	connectrpc.com/connect v1.19.1
+	github.com/avast/retry-go/v4 v4.7.0
+	github.com/docker/docker v28.5.1+incompatible
 	github.com/joho/godotenv v1.5.1
-	github.com/mattn/go-isatty v0.0.19
-	github.com/nektos/act v0.2.51
-	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
-	github.com/stretchr/testify v1.8.4
-	golang.org/x/term v0.12.0
-	golang.org/x/time v0.3.0
-	google.golang.org/protobuf v1.31.0
+	github.com/mattn/go-isatty v0.0.20
+	github.com/sirupsen/logrus v1.9.4
+	github.com/spf13/cobra v1.10.2
+	github.com/stretchr/testify v1.11.1
+	golang.org/x/term v0.40.0
+	golang.org/x/time v0.14.0
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
-	gotest.tools/v3 v3.5.1
+	gotest.tools/v3 v3.5.2
 )

 require (
-	dario.cat/mergo v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/containerd/containerd v1.7.3 // indirect
-	github.com/creack/pty v1.1.18 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	dario.cat/mergo v1.0.2
+	github.com/AlecAivazis/survey/v2 v2.3.7
+	github.com/Masterminds/semver v1.5.0
+	github.com/adrg/xdg v0.5.3
+	github.com/andreaskoch/go-fswatch v1.0.0
+	github.com/avast/retry-go v3.0.0+incompatible
+	github.com/containerd/errdefs v1.0.0
+	github.com/creack/pty v1.1.24
+	github.com/distribution/reference v0.6.0
+	github.com/docker/cli v28.5.1+incompatible
+	github.com/docker/go-connections v0.6.0
+	github.com/go-git/go-billy/v5 v5.7.0
+	github.com/go-git/go-git/v5 v5.16.5
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/julienschmidt/httprouter v1.3.0
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+	github.com/moby/go-archive v0.1.0
+	github.com/moby/patternmatcher v0.6.0
+	github.com/opencontainers/image-spec v1.1.1
+	github.com/opencontainers/selinux v1.13.1
+	github.com/pkg/errors v0.9.1
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
+	github.com/spf13/pflag v1.0.10
+	github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928
+	go.etcd.io/bbolt v1.4.3
+	go.yaml.in/yaml/v4 v4.0.0-rc.3
+	golang.org/x/crypto v0.48.0
+	golang.org/x/sync v0.19.0
+)
+
+require (
+	cyphar.com/go-pathrs v0.2.3 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v24.0.6+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/fatih/color v1.15.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/go-git/go-git/v5 v5.9.0 // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/julienschmidt/httprouter v1.3.0 // indirect
-	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/buildkit v0.12.2 // indirect
-	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/kevinburke/ssh_config v1.6.0 // indirect
+	github.com/klauspost/compress v1.18.4 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
-	github.com/opencontainers/runc v1.1.8 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pjbgf/sha1cd v0.5.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rhysd/actionlint v1.6.25 // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/robfig/cron v1.2.0 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
-	github.com/skeema/knownhosts v1.2.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.1 // indirect
-	github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/skeema/knownhosts v1.3.2 // indirect
+	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.etcd.io/bbolt v1.3.7 // indirect
-	golang.org/x/crypto v0.13.0 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.15.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
+	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

-replace github.com/nektos/act => gitea.com/gitea/act v0.2.51
+replace github.com/actions-oss/act-cli => gitea.com/actions-oss/act-cli v0.4.2-0.20260220200604-40ee0f3ef6fc
+
+// Remove after github.com/docker/distribution is updated to support distribution/reference v0.6.0
+// (pulled in via moby/buildkit, breaks on undefined: reference.SplitHostname)
+replace github.com/distribution/reference v0.6.0 => github.com/distribution/reference v0.5.0
--- a/go.sum
+++ b/go.sum
@@ -1,89 +1,111 @@
-code.gitea.io/actions-proto-go v0.3.1 h1:PMyiQtBKb8dNnpEO2R5rcZdXSis+UQZVo/SciMtR1aU=
-code.gitea.io/actions-proto-go v0.3.1/go.mod h1:00ys5QDo1iHN1tHNvvddAcy2W/g+425hQya1cCSvq9A=
-code.gitea.io/gitea-vet v0.2.3-0.20230113022436-2b1561217fa5 h1:daBEK2GQeqGikJESctP5Cu1i33z5ztAD4kyQWiw185M=
-code.gitea.io/gitea-vet v0.2.3-0.20230113022436-2b1561217fa5/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-gitea.com/gitea/act v0.2.51 h1:gXc/B4OlTciTTzAx9cmNyw04n2SDO7exPjAsR5Idu+c=
-gitea.com/gitea/act v0.2.51/go.mod h1:CoaX2053jqBlD6JMgu4d4UgFL/rp2I14Kt5mMqcs0Z0=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 h1:EKPd1INOIyr5hWOWhvpmQpY6tKjeG0hT1s3AMC/9fic=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1/go.mod h1:VzwV+t+dZ9j/H867F1M2ziD+yLHtB46oM35FxxMJ4d0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+code.gitea.io/actions-proto-go v0.4.1 h1:l0EYhjsgpUe/1VABo2eK7zcoNX2W44WOnb0MSLrKfls=
+code.gitea.io/actions-proto-go v0.4.1/go.mod h1:mn7Wkqz6JbnTOHQpot3yDeHx+O5C9EGhMEE+htvHBas=
+code.gitea.io/gitea-vet v0.2.3 h1:gdFmm6WOTM65rE8FUBTRzeQZYzXePKSSB1+r574hWwI=
+code.gitea.io/gitea-vet v0.2.3/go.mod h1:zcNbT/aJEmivCAhfmkHOlT645KNOf9W2KnkLgFjGGfE=
+connectrpc.com/connect v1.19.1 h1:R5M57z05+90EfEvCY1b7hBxDVOUl45PrtXtAV2fOC14=
+connectrpc.com/connect v1.19.1/go.mod h1:tN20fjdGlewnSFeZxLKb0xwIZ6ozc3OQs2hTXy4du9w=
+cyphar.com/go-pathrs v0.2.3 h1:0pH8gep37wB0BgaXrEaN1OtZhUMeS7VvaejSr6i822o=
+cyphar.com/go-pathrs v0.2.3/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
+github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/Microsoft/hcsshim v0.10.0-rc.8 h1:YSZVvlIIDD1UxQpJp0h+dnpLUw+TrY0cx8obKsp3bek=
-github.com/Microsoft/hcsshim v0.10.0-rc.8/go.mod h1:OEthFdQv/AD2RAdzR6Mm1N1KPCztGKDurW1Z8b8VGMM=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
-github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ=
-github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
+github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/adrg/xdg v0.5.3 h1:xRnxJXne7+oWDatRhR1JLnvuccuIeCoBu2rtuLqQB78=
+github.com/adrg/xdg v0.5.3/go.mod h1:nlTsY+NNiCBGCK2tpm09vRqfVzrc2fLmXGpBLF0zlTQ=
+github.com/andreaskoch/go-fswatch v1.0.0 h1:la8nP/HiaFCxP2IM6NZNUCoxgLWuyNFgH0RligBbnJU=
+github.com/andreaskoch/go-fswatch v1.0.0/go.mod h1:r5/iV+4jfwoY2sYqBkg8vpF04ehOvEl4qPptVGdxmqo=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/avast/retry-go/v4 v4.5.0 h1:QoRAZZ90cj5oni2Lsgl2GW8mNTnUCnmpx/iKpwVisHg=
-github.com/avast/retry-go/v4 v4.5.0/go.mod h1:7hLEXp0oku2Nir2xBAsg0PTphp9z71bN5Aq1fboC3+I=
-github.com/bufbuild/connect-go v1.10.0 h1:QAJ3G9A1OYQW2Jbk3DeoJbkCxuKArrvZgDt47mjdTbg=
-github.com/bufbuild/connect-go v1.10.0/go.mod h1:CAIePUgkDR5pAFaylSMtNK45ANQjp9JvpluG20rhpV8=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/containerd/containerd v1.7.3 h1:cKwYKkP1eTj54bP3wCdXXBymmKRQMrWjkLSWZZJDa8o=
-github.com/containerd/containerd v1.7.3/go.mod h1:32FOM4/O0RkNg7AjQj3hDzN9cUGtu+HMvaKUNiqCZB8=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
+github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
+github.com/avast/retry-go/v4 v4.7.0 h1:yjDs35SlGvKwRNSykujfjdMxMhMQQM0TnIjJaHB+Zio=
+github.com/avast/retry-go/v4 v4.7.0/go.mod h1:ZMPDa3sY2bKgpLtap9JRUgk2yTAba7cgiFhqxY2Sg6Q=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
+github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
+github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY=
-github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.6+incompatible h1:hceabKCtUgDqPu+qm0NgsaXf28Ljf4/pWFL7xjWWDgE=
-github.com/docker/docker v24.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
-github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
-github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v28.5.1+incompatible h1:ESutzBALAD6qyCLqbQSEf1a/U8Ybms5agw59yGVc+yY=
+github.com/docker/cli v28.5.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
+github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.9.5 h1:EFNN8DHvaiK8zVqFA2DT6BjXE0GzfLOZ38ggPTKePkY=
+github.com/docker/docker-credential-helpers v0.9.5/go.mod h1:v1S+hepowrQXITkEfw6o4+BMbGot02wiKpzWhGUZK6c=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
+github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8=
-github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo=
-github.com/go-git/go-git/v5 v5.9.0 h1:cD9SFA7sHVRdJ7AYck1ZaAa/yeuBvGPxwXDL8cxrObY=
-github.com/go-git/go-git/v5 v5.9.0/go.mod h1:RKIqga24sWdMGZF+1Ekv9kylsDz6LzdTSI2s/OsZWE0=
-github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
-github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/go-git/go-billy/v5 v5.7.0 h1:83lBUJhGWhYp0ngzCMSgllhUSuoHP1iEWYjsPl9nwqM=
+github.com/go-git/go-billy/v5 v5.7.0/go.mod h1:/1IUejTKH8xipsAcdfcSAlUlo2J7lkYV8GTKxAT/L3E=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
+github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -94,12 +116,12 @@ github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4d
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
-github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
-github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
-github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/kevinburke/ssh_config v1.6.0 h1:J1FBfmuVosPHf5GRdltRLhPJtJpTlMdKTBjRgTaQBFY=
+github.com/kevinburke/ssh_config v1.6.0/go.mod h1:q2RIzfka+BXARoNexmF9gkxEX7DmvbW9P4hIVx2Kg4M=
+github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -107,80 +129,81 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A=
-github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.12.2 h1:B7guBgY6sfk4dBlv/ORUxyYlp0UojYaYyATgtNwSCXc=
-github.com/moby/buildkit v0.12.2/go.mod h1:adB4y0SxxX8trnrY+oEulb48ODLqPO6pKMF0ppGcCoI=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/term v0.0.0-20200312100748-672ec06f55cd h1:aY7OQNf2XqY/JQ6qREWamhI/81os/agb2BAGpcx5yWI=
-github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
-github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
-github.com/opencontainers/runc v1.1.8 h1:zICRlc+C1XzivLc3nzE+cbJV4LIi8tib6YG0MqC6OqA=
-github.com/opencontainers/runc v1.1.8/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
+github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
+github.com/pjbgf/sha1cd v0.5.0 h1:a+UkboSi1znleCDUNT3M5YxjOnN1fz2FhN48FlwCxs0=
+github.com/pjbgf/sha1cd v0.5.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rhysd/actionlint v1.6.25 h1:0Is99a51w1iocdxKUzNYiBNwjoSlO2Klqzll98joVj4=
-github.com/rhysd/actionlint v1.6.25/go.mod h1:Q+MtZKm1MdmJ9woOSKxLscMW7kU44/PShvjNy5ZKHA8=
-github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
-github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=
-github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM=
-github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
+github.com/skeema/knownhosts v1.3.2 h1:EDL9mgf4NzwMXCTfaxSD/o/a5fxDw/xL9nkU28JjdBg=
+github.com/skeema/knownhosts v1.3.2/go.mod h1:bEg3iQAuw+jyiw+484wwFJoKSLwcfd7fqRy+N0QTiow=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.1 h1:4VhoImhV/Bm0ToFkXFi8hXNXwpDRZ/ynw3amt82mzq0=
-github.com/stretchr/objx v0.5.1/go.mod h1:/iHQpkQwBD6DLUmQ4pE+s1TXdob1mORJ4/UFdrifcy0=
+github.com/stretchr/objx v0.5.3 h1:jmXUvGomnU1o3W/V5h2VEradbpJDwGrzugQQvL0POH4=
+github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+QYS+U0=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a h1:oIi7H/bwFUYKYhzKbHc+3MvHRWqhQwXVB4LweLMiVy0=
-github.com/timshannon/bolthold v0.0.0-20210913165410-232392fc8a6a/go.mod h1:iSvujNDmpZ6eQX+bg/0X3lF7LEmZ8N77g2a/J/+Zt2U=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928 h1:zjNCuOOhh1TKRU0Ru3PPPJt80z7eReswCao91gBLk00=
+github.com/timshannon/bolthold v0.0.0-20240314194003-30aac6950928/go.mod h1:PCFYfAEfKT+Nd6zWvUpsXduMR1bXFLf0uGSlEF05MCI=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -191,100 +214,106 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
-go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
+go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
+go.etcd.io/gofail v0.1.0/go.mod h1:VZBCXYGZhHAinaBiiqYvuDynvahNsAyLFwB3kEHKz1M=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03ymgYhPKmeXGk5Zu+cIZOlVzd9Zv7QIiyItjFBU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+go.yaml.in/yaml/v4 v4.0.0-rc.3 h1:3h1fjsh1CTAPjW7q/EMe+C8shx5d8ctzZTrLcs/j8Go=
+go.yaml.in/yaml/v4 v4.0.0-rc.3/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200325010219-a49f79bcc224/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 h1:wKguEg1hsxI2/L3hUYrpo1RVi48K+uTyzKqprwLXsb8=
+google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
+google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -292,10 +321,9 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
--- a/install.sh
+++ b/install.sh
@@ -0,0 +1,433 @@
+#!/bin/sh
+set -e
+# Code originally generated by godownloader on 2021-12-22T16:10:52Z. DO NOT EDIT.
+# (godownloader is deprecated, so changes to this script are maintained in install.sh in https://github.com/nektos/act)
+#
+
+usage() {
+  this=$1
+  cat <<EOF
+$this: download go binaries for nektos/act
+
+Usage: $this [-b bindir] [-d] [-f] [tag]
+  -b sets bindir or installation directory, Defaults to ./bin
+  -d turns on debug logging
+  -f forces installation, bypassing version checks
+   [tag] is a tag from
+   https://github.com/nektos/act/releases
+   If tag is missing, then the latest will be used.
+EOF
+  exit 2
+}
+
+parse_args() {
+  #BINDIR is ./bin unless set be ENV
+  # over-ridden by flag below
+
+  BINDIR=${BINDIR:-./bin}
+  while getopts "b:dfh?x" arg; do
+    case "$arg" in
+      b) BINDIR="$OPTARG" ;;
+      d) log_set_priority 10 ;;
+      f) FORCE_INSTALL="true" ;;
+      h | \?) usage "$0" ;;
+      x) set -x ;;
+    esac
+  done
+  shift $((OPTIND - 1))
+  TAG=$1
+}
+# this function wraps all the destructive operations
+# if a curl|bash cuts off the end of the script due to
+# network, either nothing will happen or will syntax error
+# out preventing half-done work
+execute() {
+  tmpdir=$(mktemp -d)
+  log_debug "downloading files into ${tmpdir}"
+  http_download "${tmpdir}/${TARBALL}" "${TARBALL_URL}"
+  http_download "${tmpdir}/${CHECKSUM}" "${CHECKSUM_URL}"
+  hash_sha256_verify "${tmpdir}/${TARBALL}" "${tmpdir}/${CHECKSUM}"
+  srcdir="${tmpdir}"
+  (cd "${tmpdir}" && untar "${TARBALL}")
+  test ! -d "${BINDIR}" && install -d "${BINDIR}"
+  for binexe in $BINARIES; do
+    if [ "$OS" = "windows" ]; then
+      binexe="${binexe}.exe"
+    fi
+    install "${srcdir}/${binexe}" "${BINDIR}/"
+    log_info "installed ${BINDIR}/${binexe}"
+  done
+  rm -rf "${tmpdir}"
+}
+get_binaries() {
+  case "$PLATFORM" in
+    darwin/386) BINARIES="act" ;;
+    darwin/amd64) BINARIES="act" ;;
+    darwin/arm64) BINARIES="act" ;;
+    darwin/armv6) BINARIES="act" ;;
+    darwin/armv7) BINARIES="act" ;;
+    linux/386) BINARIES="act" ;;
+    linux/amd64) BINARIES="act" ;;
+    linux/arm64) BINARIES="act" ;;
+    linux/armv6) BINARIES="act" ;;
+    linux/armv7) BINARIES="act" ;;
+    windows/386) BINARIES="act" ;;
+    windows/amd64) BINARIES="act" ;;
+    windows/arm64) BINARIES="act" ;;
+    windows/armv6) BINARIES="act" ;;
+    windows/armv7) BINARIES="act" ;;
+    *)
+      log_crit "platform $PLATFORM is not supported.  Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
+      exit 1
+      ;;
+  esac
+}
+tag_to_version() {
+  if [ -z "${TAG}" ]; then
+    log_info "checking GitHub for latest tag"
+  else
+    log_info "checking GitHub for tag '${TAG}'"
+  fi
+  REALTAG=$(github_release "$OWNER/$REPO" "${TAG}") && true
+  if test -z "$REALTAG"; then
+    log_crit "unable to find '${TAG}' - use 'latest' or see https://github.com/${PREFIX}/releases for details"
+    exit 1
+  fi
+  # if version starts with 'v', remove it
+  TAG="$REALTAG"
+  VERSION=${TAG#v}
+}
+adjust_format() {
+  # change format (tar.gz or zip) based on OS
+  case ${OS} in
+    windows) FORMAT=zip ;;
+  esac
+  true
+}
+adjust_os() {
+  # adjust archive name based on OS
+  case ${OS} in
+    386) OS=i386 ;;
+    amd64) OS=x86_64 ;;
+    darwin) OS=Darwin ;;
+    linux) OS=Linux ;;
+    windows) OS=Windows ;;
+  esac
+  true
+}
+adjust_arch() {
+  # adjust archive name based on ARCH
+  case ${ARCH} in
+    386) ARCH=i386 ;;
+    amd64) ARCH=x86_64 ;;
+    darwin) ARCH=Darwin ;;
+    linux) ARCH=Linux ;;
+    windows) ARCH=Windows ;;
+  esac
+  true
+}
+check_installed_version() {
+  # Check if force install flag is set
+  if [ "${FORCE_INSTALL}" = "true" ]; then
+    log_info "force install enabled. Skipping version check."
+    return
+  fi
+
+  # Check if the binary exists
+  if is_command "$BINARY"; then
+    # Extract installed version using cut
+    INSTALLED_VERSION=$($BINARY --version | cut -d' ' -f3)
+
+    if [ -z "$INSTALLED_VERSION" ]; then
+      log_err "failed to detect installed version. Proceeding with installation."
+      return
+    fi
+
+    log_info "found installed version: $INSTALLED_VERSION"
+
+    # Compare versions
+    if [ "$INSTALLED_VERSION" = "$VERSION" ]; then
+      log_info "$BINARY version $INSTALLED_VERSION is already installed."
+      exit 0
+    else
+      log_debug "updating $BINARY from version $INSTALLED_VERSION to $VERSION..."
+    fi
+  else
+    log_debug "$BINARY is not installed. Proceeding with installation..."
+  fi
+}
+
+
+cat /dev/null <<EOF
+------------------------------------------------------------------------
+https://github.com/client9/shlib - portable posix shell functions
+Public domain - http://unlicense.org
+https://github.com/client9/shlib/blob/master/LICENSE.md
+but credit (and pull requests) appreciated.
+------------------------------------------------------------------------
+EOF
+is_command() {
+  command -v "$1" >/dev/null
+}
+echoerr() {
+  echo "$@" 1>&2
+}
+log_prefix() {
+  echo "$0"
+}
+_logp=6
+log_set_priority() {
+  _logp="$1"
+}
+log_priority() {
+  if test -z "$1"; then
+    echo "$_logp"
+    return
+  fi
+  [ "$1" -le "$_logp" ]
+}
+log_tag() {
+  case $1 in
+    0) echo "emerg" ;;
+    1) echo "alert" ;;
+    2) echo "crit" ;;
+    3) echo "err" ;;
+    4) echo "warning" ;;
+    5) echo "notice" ;;
+    6) echo "info" ;;
+    7) echo "debug" ;;
+    *) echo "$1" ;;
+  esac
+}
+log_debug() {
+  log_priority 7 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+}
+log_info() {
+  log_priority 6 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+}
+log_err() {
+  log_priority 3 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 3)" "$@"
+}
+log_crit() {
+  log_priority 2 || return 0
+  echoerr "$(log_prefix)" "$(log_tag 2)" "$@"
+}
+uname_os() {
+  os=$(uname -s | tr '[:upper:]' '[:lower:]')
+  case "$os" in
+    cygwin_nt*) os="windows" ;;
+    mingw*) os="windows" ;;
+    msys_nt*) os="windows" ;;
+  esac
+  echo "$os"
+}
+uname_arch() {
+  arch=$(uname -m)
+  case $arch in
+    x86_64) arch="amd64" ;;
+    x86) arch="386" ;;
+    i686) arch="386" ;;
+    i386) arch="386" ;;
+    aarch64) arch="arm64" ;;
+    armv5*) arch="armv5" ;;
+    armv6*) arch="armv6" ;;
+    armv7*) arch="armv7" ;;
+  esac
+  echo ${arch}
+}
+uname_os_check() {
+  os=$(uname_os)
+  case "$os" in
+    darwin) return 0 ;;
+    dragonfly) return 0 ;;
+    freebsd) return 0 ;;
+    linux) return 0 ;;
+    android) return 0 ;;
+    nacl) return 0 ;;
+    netbsd) return 0 ;;
+    openbsd) return 0 ;;
+    plan9) return 0 ;;
+    solaris) return 0 ;;
+    windows) return 0 ;;
+  esac
+  log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib"
+  return 1
+}
+uname_arch_check() {
+  arch=$(uname_arch)
+  case "$arch" in
+    386) return 0 ;;
+    amd64) return 0 ;;
+    arm64) return 0 ;;
+    armv5) return 0 ;;
+    armv6) return 0 ;;
+    armv7) return 0 ;;
+    ppc64) return 0 ;;
+    ppc64le) return 0 ;;
+    mips) return 0 ;;
+    mipsle) return 0 ;;
+    mips64) return 0 ;;
+    mips64le) return 0 ;;
+    s390x) return 0 ;;
+    amd64p32) return 0 ;;
+  esac
+  log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value.  Please file bug report at https://github.com/client9/shlib"
+  return 1
+}
+untar() {
+  tarball=$1
+  case "${tarball}" in
+    *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;;
+    *.tar) tar --no-same-owner -xf "${tarball}" ;;
+    *.zip) unzip "${tarball}" ;;
+    *)
+      log_err "untar unknown archive format for ${tarball}"
+      return 1
+      ;;
+  esac
+}
+http_download_curl() {
+  local_file=$1
+  source_url=$2
+  header=$3
+  if [ -z "$header" ]; then
+    code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url")
+  else
+    code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url")
+  fi
+  if [ "$code" != "200" ]; then
+    log_debug "http_download_curl received HTTP status $code"
+    return 1
+  fi
+  return 0
+}
+http_download_wget() {
+  local_file=$1
+  source_url=$2
+  header=$3
+  if [ -z "$header" ]; then
+    wget -q -O "$local_file" "$source_url"
+  else
+    wget -q --header "$header" -O "$local_file" "$source_url"
+  fi
+}
+http_download() {
+  log_debug "http_download $2"
+  if is_command curl; then
+    http_download_curl "$@"
+    return
+  elif is_command wget; then
+    http_download_wget "$@"
+    return
+  fi
+  log_crit "http_download unable to find wget or curl"
+  return 1
+}
+http_copy() {
+  tmp=$(mktemp)
+  http_download "${tmp}" "$1" "$2" || return 1
+  body=$(cat "$tmp")
+  rm -f "${tmp}"
+  echo "$body"
+}
+github_release() {
+  owner_repo=$1
+  version=$2
+  test -z "$version" && version="latest"
+  giturl="https://github.com/${owner_repo}/releases/${version}"
+  json=$(http_copy "$giturl" "Accept:application/json")
+  test -z "$json" && return 1
+  version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//')
+  test -z "$version" && return 1
+  echo "$version"
+}
+hash_sha256() {
+  TARGET=${1:-/dev/stdin}
+  if is_command gsha256sum; then
+    hash=$(gsha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command sha256sum; then
+    hash=$(sha256sum "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command shasum; then
+    hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1
+    echo "$hash" | cut -d ' ' -f 1
+  elif is_command openssl; then
+    hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1
+    echo "$hash" | cut -d ' ' -f a
+  else
+    log_crit "hash_sha256 unable to find command to compute sha-256 hash"
+    return 1
+  fi
+}
+hash_sha256_verify() {
+  TARGET=$1
+  checksums=$2
+  if [ -z "$checksums" ]; then
+    log_err "hash_sha256_verify checksum file not specified in arg2"
+    return 1
+  fi
+  BASENAME=${TARGET##*/}
+  want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1)
+  if [ -z "$want" ]; then
+    log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'"
+    return 1
+  fi
+  got=$(hash_sha256 "$TARGET")
+  if [ "$want" != "$got" ]; then
+    log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got"
+    return 1
+  fi
+}
+cat /dev/null <<EOF
+------------------------------------------------------------------------
+End of functions from https://github.com/client9/shlib
+------------------------------------------------------------------------
+EOF
+
+PROJECT_NAME="act"
+OWNER=nektos
+REPO="act"
+BINARY=act
+FORMAT=tar.gz
+OS=$(uname_os)
+ARCH=$(uname_arch)
+PREFIX="$OWNER/$REPO"
+
+# use in logging routines
+log_prefix() {
+	echo "$PREFIX"
+}
+PLATFORM="${OS}/${ARCH}"
+GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
+
+uname_os_check "$OS"
+uname_arch_check "$ARCH"
+
+parse_args "$@"
+
+get_binaries
+
+tag_to_version
+
+check_installed_version
+
+adjust_format
+
+adjust_os
+
+adjust_arch
+
+log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
+
+NAME=${PROJECT_NAME}_${OS}_${ARCH}
+TARBALL=${NAME}.${FORMAT}
+TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
+CHECKSUM=checksums.txt
+CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
+
+
+execute
--- a/internal/app/act-cli/VERSION
+++ b/internal/app/act-cli/VERSION
@@ -0,0 +1 @@
+0.4.0
--- a/internal/app/act-cli/main.go
+++ b/internal/app/act-cli/main.go
@@ -0,0 +1,19 @@
+package main
+
+import (
+	_ "embed"
+
+	"gitea.com/gitea/act_runner/cmd"
+	"gitea.com/gitea/act_runner/pkg/common"
+)
+
+//go:embed VERSION
+var version string
+
+func main() {
+	ctx, cancel := common.CreateGracefulJobCancellationContext()
+	defer cancel()
+
+	// run the command
+	cmd.Execute(ctx, version)
+}
--- a/internal/app/cmd/cache-server.go
+++ b/internal/app/cmd/cache-server.go
@@ -4,14 +4,13 @@
 package cmd

 import (
-	"context"
 	"fmt"
 	"os"
 	"os/signal"

 	"gitea.com/gitea/act_runner/internal/pkg/config"

-	"github.com/nektos/act/pkg/artifactcache"
+	"gitea.com/gitea/act_runner/pkg/artifactcache"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
@@ -22,8 +21,8 @@ type cacheServerArgs struct {
 	Port uint16
 }

-func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheServerArgs) func(cmd *cobra.Command, args []string) error {
-	return func(cmd *cobra.Command, args []string) error {
+func runCacheServer(configFile *string, cacheArgs *cacheServerArgs) func(cmd *cobra.Command, args []string) error {
+	return func(_ *cobra.Command, _ []string) error {
 		cfg, err := config.LoadDefault(*configFile)
 		if err != nil {
 			return fmt.Errorf("invalid configuration: %w", err)
--- a/internal/app/cmd/cmd.go
+++ b/internal/app/cmd/cmd.go
@@ -39,15 +39,18 @@ func Execute(ctx context.Context) {
 	registerCmd.Flags().StringVar(&regArgs.Token, "token", "", "Runner token")
 	registerCmd.Flags().StringVar(&regArgs.RunnerName, "name", "", "Runner name")
 	registerCmd.Flags().StringVar(&regArgs.Labels, "labels", "", "Runner tags, comma separated")
+	registerCmd.Flags().BoolVar(&regArgs.Ephemeral, "ephemeral", false, "Configure the runner to be ephemeral and only ever be able to pick a single job (stricter than --once)")
 	rootCmd.AddCommand(registerCmd)

 	// ./act_runner daemon
+	var daemArgs daemonArgs
 	daemonCmd := &cobra.Command{
 		Use:   "daemon",
 		Short: "Run as a runner daemon",
-		Args:  cobra.MaximumNArgs(1),
-		RunE:  runDaemon(ctx, &configFile),
+		Args:  cobra.MaximumNArgs(0),
+		RunE:  runDaemon(ctx, &daemArgs, &configFile),
 	}
+	daemonCmd.Flags().BoolVar(&daemArgs.Once, "once", false, "Run one job then exit")
 	rootCmd.AddCommand(daemonCmd)

 	// ./act_runner exec
@@ -59,7 +62,7 @@ func Execute(ctx context.Context) {
 		Short: "Generate an example config file",
 		Args:  cobra.MaximumNArgs(0),
 		Run: func(_ *cobra.Command, _ []string) {
-			fmt.Printf("%s", config.Example)
+			fmt.Fprintf(os.Stdout, "%s", config.Example)
 		},
 	})

@@ -69,7 +72,7 @@ func Execute(ctx context.Context) {
 		Use:   "cache-server",
 		Short: "Start a cache server for the cache action",
 		Args:  cobra.MaximumNArgs(0),
-		RunE:  runCacheServer(ctx, &configFile, &cacheArgs),
+		RunE:  runCacheServer(&configFile, &cacheArgs),
 	}
 	cacheCmd.Flags().StringVarP(&cacheArgs.Dir, "dir", "d", "", "Cache directory")
 	cacheCmd.Flags().StringVarP(&cacheArgs.Host, "host", "s", "", "Host of the cache server")
--- a/internal/app/cmd/daemon.go
+++ b/internal/app/cmd/daemon.go
@@ -5,15 +5,18 @@ package cmd

 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
+	"time"

-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
 	"github.com/mattn/go-isatty"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -27,8 +30,8 @@ import (
 	"gitea.com/gitea/act_runner/internal/pkg/ver"
 )

-func runDaemon(ctx context.Context, configFile *string) func(cmd *cobra.Command, args []string) error {
-	return func(cmd *cobra.Command, args []string) error {
+func runDaemon(ctx context.Context, daemArgs *daemonArgs, configFile *string) func(cmd *cobra.Command, args []string) error {
+	return func(_ *cobra.Command, _ []string) error {
 		cfg, err := config.LoadDefault(*configFile)
 		if err != nil {
 			return fmt.Errorf("invalid configuration: %w", err)
@@ -63,7 +66,34 @@ func runDaemon(ctx context.Context, configFile *string) func(cmd *cobra.Command,
 			log.Warn("no labels configured, runner may not be able to pick up jobs")
 		}

-		if ls.RequireDocker() {
+		if ls.RequireDocker() || cfg.Container.RequireDocker {
+			// Wait for dockerd be ready
+			if timeout := cfg.Container.DockerTimeout; timeout > 0 {
+				tctx, cancel := context.WithTimeout(ctx, timeout)
+				defer cancel()
+				keepRunning := true
+				for keepRunning {
+					dockerSocketPath, err := getDockerSocketPath(cfg.Container.DockerHost)
+					if err != nil {
+						log.Errorf("Failed to get socket path: %s", err.Error())
+					} else if err = envcheck.CheckIfDockerRunning(tctx, dockerSocketPath); errors.Is(err, context.Canceled) {
+						log.Infof("Docker wait timeout of %s expired", timeout.String())
+						break
+					} else if err != nil {
+						log.Errorf("Docker connection failed: %s", err.Error())
+					} else {
+						log.Infof("Docker is ready")
+						break
+					}
+					select {
+					case <-time.After(time.Second):
+					case <-tctx.Done():
+						log.Infof("Docker wait timeout of %s expired", timeout.String())
+						keepRunning = false
+					}
+				}
+			}
+			// Require dockerd be ready
 			dockerSocketPath, err := getDockerSocketPath(cfg.Container.DockerHost)
 			if err != nil {
 				return err
@@ -88,6 +118,14 @@ func runDaemon(ctx context.Context, configFile *string) func(cmd *cobra.Command,
 			}
 		}

+		if !slices.Equal(reg.Labels, ls.ToStrings()) {
+			reg.Labels = ls.ToStrings()
+			if err := config.SaveRegistration(cfg.Runner.File, reg); err != nil {
+				return fmt.Errorf("failed to save runner config: %w", err)
+			}
+			log.Infof("labels updated to: %v", reg.Labels)
+		}
+
 		cli := client.New(
 			reg.Address,
 			cfg.Runner.Insecure,
@@ -97,67 +135,99 @@ func runDaemon(ctx context.Context, configFile *string) func(cmd *cobra.Command,
 		)

 		runner := run.NewRunner(cfg, reg, cli)
+
 		// declare the labels of the runner before fetching tasks
 		resp, err := runner.Declare(ctx, ls.Names())
 		if err != nil && connect.CodeOf(err) == connect.CodeUnimplemented {
-			// Gitea instance is older version. skip declare step.
-			log.Warn("Because the Gitea instance is an old version, skip declare labels and version.")
+			log.Errorf("Your Gitea version is too old to support runner declare, please upgrade to v1.21 or later")
+			return err
 		} else if err != nil {
 			log.WithError(err).Error("fail to invoke Declare")
 			return err
-		} else {
-			log.Infof("runner: %s, with version: %s, with labels: %v, declare successfully",
-				resp.Msg.Runner.Name, resp.Msg.Runner.Version, resp.Msg.Runner.Labels)
-			// if declare successfully, override the labels in the.runner file with valid labels in the config file (if specified)
-			reg.Labels = ls.ToStrings()
-			if err := config.SaveRegistration(cfg.Runner.File, reg); err != nil {
-				return fmt.Errorf("failed to save runner config: %w", err)
-			}
 		}
+		log.Infof("runner: %s, with version: %s, with labels: %v, declare successfully",
+			resp.Msg.Runner.Name, resp.Msg.Runner.Version, resp.Msg.Runner.Labels)

 		poller := poll.New(cfg, cli, runner)

-		poller.Poll(ctx)
+		if daemArgs.Once || reg.Ephemeral {
+			done := make(chan struct{})
+			go func() {
+				defer close(done)
+				poller.PollOnce()
+			}()
+
+			// shutdown when we complete a job or cancel is requested
+			select {
+			case <-ctx.Done():
+			case <-done:
+			}
+		} else {
+			go poller.Poll()
+
+			<-ctx.Done()
+		}
+
+		log.Infof("runner: %s shutdown initiated, waiting %s for running jobs to complete before shutting down", resp.Msg.Runner.Name, cfg.Runner.ShutdownTimeout)
+
+		ctx, cancel := context.WithTimeout(context.Background(), cfg.Runner.ShutdownTimeout)
+		defer cancel()
+
+		err = poller.Shutdown(ctx)
+		if err != nil {
+			log.Warnf("runner: %s cancelled in progress jobs during shutdown", resp.Msg.Runner.Name)
+		}

 		return nil
 	}
 }

+type daemonArgs struct {
+	Once bool
+}
+
 // initLogging setup the global logrus logger.
 func initLogging(cfg *config.Config) {
+	callPrettyfier := func(f *runtime.Frame) (string, string) {
+		// get function name
+		s := strings.Split(f.Function, ".")
+		funcname := "[" + s[len(s)-1] + "]"
+		// get file name and line number
+		_, filename := path.Split(f.File)
+		filename = "[" + filename + ":" + strconv.Itoa(f.Line) + "]"
+		return funcname, filename
+	}
+
 	isTerm := isatty.IsTerminal(os.Stdout.Fd())
 	format := &log.TextFormatter{
-		DisableColors: !isTerm,
-		FullTimestamp: true,
+		DisableColors:    !isTerm,
+		FullTimestamp:    true,
+		CallerPrettyfier: callPrettyfier,
 	}
 	log.SetFormatter(format)

-	if l := cfg.Log.Level; l != "" {
-		level, err := log.ParseLevel(l)
-		if err != nil {
-			log.WithError(err).
-				Errorf("invalid log level: %q", l)
-		}
+	l := cfg.Log.Level
+	if l == "" {
+		log.Infof("Log level not set, sticking to info")
+		return
+	}

-		// debug level
-		if level == log.DebugLevel {
-			log.SetReportCaller(true)
-			format.CallerPrettyfier = func(f *runtime.Frame) (string, string) {
-				// get function name
-				s := strings.Split(f.Function, ".")
-				funcname := "[" + s[len(s)-1] + "]"
-				// get file name and line number
-				_, filename := path.Split(f.File)
-				filename = "[" + filename + ":" + strconv.Itoa(f.Line) + "]"
-				return funcname, filename
-			}
-			log.SetFormatter(format)
-		}
+	level, err := log.ParseLevel(l)
+	if err != nil {
+		log.WithError(err).
+			Errorf("invalid log level: %q", l)
+	}

-		if log.GetLevel() != level {
-			log.Infof("log level changed to %v", level)
-			log.SetLevel(level)
-		}
+	// debug level
+	switch level {
+	case log.DebugLevel, log.TraceLevel:
+		log.SetReportCaller(true) // Only in debug or trace because it takes a performance toll
+		log.Infof("Log level %s requested, setting up report caller for further debugging", level)
+	}
+
+	if log.GetLevel() != level {
+		log.Infof("log level set to %v", level)
+		log.SetLevel(level)
 	}
 }

@@ -191,5 +261,5 @@ func getDockerSocketPath(configDockerHost string) (string, error) {
 		}
 	}

-	return "", fmt.Errorf("daemon Docker Engine socket not found and docker_host config was invalid")
+	return "", errors.New("daemon Docker Engine socket not found and docker_host config was invalid")
 }
--- a/internal/app/cmd/exec.go
+++ b/internal/app/cmd/exec.go
@@ -6,20 +6,23 @@ package cmd

 import (
 	"context"
+	"errors"
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
-	"time"

+	"gitea.com/gitea/act_runner/internal/app/run"
+	"gitea.com/gitea/act_runner/pkg/artifactcache"
+	"gitea.com/gitea/act_runner/pkg/artifacts"
+	"gitea.com/gitea/act_runner/pkg/common"
+	"gitea.com/gitea/act_runner/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/runner"
+	"gitea.com/gitea/act_runner/pkg/schema"
 	"github.com/docker/docker/api/types/container"
 	"github.com/joho/godotenv"
-	"github.com/nektos/act/pkg/artifactcache"
-	"github.com/nektos/act/pkg/artifacts"
-	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/model"
-	"github.com/nektos/act/pkg/runner"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
@@ -39,6 +42,7 @@ type executeArgs struct {
 	envs                  []string
 	envfile               string
 	secrets               []string
+	vars                  []string
 	defaultActionsURL     string
 	insecureSecrets       bool
 	privileged            bool
@@ -76,7 +80,7 @@ func (i *executeArgs) LoadSecrets() map[string]string {
 	for _, secretPair := range i.secrets {
 		secretPairParts := strings.SplitN(secretPair, "=", 2)
 		secretPairParts[0] = strings.ToUpper(secretPairParts[0])
-		if strings.ToUpper(s[secretPairParts[0]]) == secretPairParts[0] {
+		if strings.EqualFold(s[secretPairParts[0]], secretPairParts[0]) {
 			log.Errorf("Secret %s is already defined (secrets are case insensitive)", secretPairParts[0])
 		}
 		if len(secretPairParts) == 2 {
@@ -84,9 +88,9 @@ func (i *executeArgs) LoadSecrets() map[string]string {
 		} else if env, ok := os.LookupEnv(secretPairParts[0]); ok && env != "" {
 			s[secretPairParts[0]] = env
 		} else {
-			fmt.Printf("Provide value for '%s': ", secretPairParts[0])
+			fmt.Fprintf(os.Stdout, "Provide value for '%s': ", secretPairParts[0])
 			val, err := term.ReadPassword(int(os.Stdin.Fd()))
-			fmt.Println()
+			fmt.Fprintln(os.Stdout)
 			if err != nil {
 				log.Errorf("failed to read input: %v", err)
 				os.Exit(1)
@@ -103,9 +107,7 @@ func readEnvs(path string, envs map[string]string) bool {
 		if err != nil {
 			log.Fatalf("Error loading from %s: %v", path, err)
 		}
-		for k, v := range env {
-			envs[k] = v
-		}
+		maps.Copy(envs, env)
 		return true
 	}
 	return false
@@ -130,6 +132,22 @@ func (i *executeArgs) LoadEnvs() map[string]string {
 	return envs
 }

+func (i *executeArgs) LoadVars() map[string]string {
+	vars := make(map[string]string)
+	if i.vars != nil {
+		for _, runVar := range i.vars {
+			e := strings.SplitN(runVar, `=`, 2)
+			if len(e) == 2 {
+				vars[e[0]] = e[1]
+			} else {
+				vars[e[0]] = ""
+			}
+		}
+	}
+
+	return vars
+}
+
 // Workdir returns path to workdir
 func (i *executeArgs) Workdir() string {
 	return i.resolve(".")
@@ -149,7 +167,7 @@ func (i *executeArgs) resolve(path string) string {
 	return path
 }

-func printList(plan *model.Plan) error {
+func printList(plan *model.Plan) {
 	type lineInfoDef struct {
 		jobID   string
 		jobName string
@@ -223,7 +241,7 @@ func printList(plan *model.Plan) error {
 	wfNameMaxWidth += 2
 	wfFileMaxWidth += 2

-	fmt.Printf("%*s%*s%*s%*s%*s%*s\n",
+	fmt.Fprintf(os.Stdout, "%*s%*s%*s%*s%*s%*s\n",
 		-stageMaxWidth, header.stage,
 		-jobIDMaxWidth, header.jobID,
 		-jobNameMaxWidth, header.jobName,
@@ -232,7 +250,7 @@ func printList(plan *model.Plan) error {
 		-eventsMaxWidth, header.events,
 	)
 	for _, line := range lineInfos {
-		fmt.Printf("%*s%*s%*s%*s%*s%*s\n",
+		fmt.Fprintf(os.Stdout, "%*s%*s%*s%*s%*s%*s\n",
 			-stageMaxWidth, line.stage,
 			-jobIDMaxWidth, line.jobID,
 			-jobNameMaxWidth, line.jobName,
@@ -242,12 +260,11 @@ func printList(plan *model.Plan) error {
 		)
 	}
 	if duplicateJobIDs {
-		fmt.Print("\nDetected multiple jobs with the same job name, use `-W` to specify the path to the specific workflow.\n")
+		fmt.Fprint(os.Stdout, "\nDetected multiple jobs with the same job name, use `-W` to specify the path to the specific workflow.\n")
 	}
-	return nil
 }

-func runExecList(ctx context.Context, planner model.WorkflowPlanner, execArgs *executeArgs) error {
+func runExecList(planner model.WorkflowPlanner, execArgs *executeArgs) error {
 	// plan with filtered jobs - to be used for filtering only
 	var filterPlan *model.Plan

@@ -289,20 +306,25 @@ func runExecList(ctx context.Context, planner model.WorkflowPlanner, execArgs *e
 		}
 	}

-	_ = printList(filterPlan)
+	printList(filterPlan)

 	return nil
 }

 func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command, args []string) error {
-	return func(cmd *cobra.Command, args []string) error {
-		planner, err := model.NewWorkflowPlanner(execArgs.WorkflowsPath(), execArgs.noWorkflowRecurse)
+	return func(_ *cobra.Command, _ []string) error {
+		planner, err := model.NewWorkflowPlanner(execArgs.WorkflowsPath(), model.PlannerConfig{
+			Recursive: !execArgs.noWorkflowRecurse,
+			Workflow: model.WorkflowConfig{
+				Schema: schema.GetGiteaWorkflowSchema(),
+			},
+		})
 		if err != nil {
 			return err
 		}

 		if execArgs.runList {
-			return runExecList(ctx, planner, execArgs)
+			return runExecList(planner, execArgs)
 		}

 		// plan with triggered jobs
@@ -345,10 +367,11 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 			}
 		}

-		maxLifetime := 3 * time.Hour
-		if deadline, ok := ctx.Deadline(); ok {
-			maxLifetime = time.Until(deadline)
-		}
+		// TODO GITEA
+		// maxLifetime := 3 * time.Hour
+		// if deadline, ok := ctx.Deadline(); ok {
+		// 	maxLifetime = time.Until(deadline)
+		// }

 		// init a cache server
 		handler, err := artifactcache.StartHandler("", "", 0, log.StandardLogger().WithField("module", "cache_request"))
@@ -361,7 +384,7 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 		if len(execArgs.artifactServerAddr) == 0 {
 			ip := common.GetOutboundIP()
 			if ip == nil {
-				return fmt.Errorf("unable to determine outbound IP address")
+				return errors.New("unable to determine outbound IP address")
 			}
 			execArgs.artifactServerAddr = ip.String()
 		}
@@ -369,7 +392,7 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 		if len(execArgs.artifactServerPath) == 0 {
 			tempDir, err := os.MkdirTemp("", "gitea-act-")
 			if err != nil {
-				fmt.Println(err)
+				fmt.Fprintln(os.Stderr, err)
 			}
 			defer os.RemoveAll(tempDir)

@@ -386,6 +409,7 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 			LogOutput:             true,
 			JSONLogger:            execArgs.jsonLogger,
 			Env:                   execArgs.LoadEnvs(),
+			Vars:                  execArgs.LoadVars(),
 			Secrets:               execArgs.LoadSecrets(),
 			InsecureSecrets:       execArgs.insecureSecrets,
 			Privileged:            execArgs.privileged,
@@ -404,14 +428,16 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 			NoSkipCheckout:        execArgs.noSkipCheckout,
 			// PresetGitHubContext:   preset,
 			// EventJSON:             string(eventJSON),
-			ContainerNamePrefix:   fmt.Sprintf("GITEA-ACTIONS-TASK-%s", eventName),
-			ContainerMaxLifetime:  maxLifetime,
-			ContainerNetworkMode:  container.NetworkMode(execArgs.network),
-			DefaultActionInstance: execArgs.defaultActionsURL,
-			PlatformPicker: func(_ []string) string {
-				return execArgs.image
-			},
-			ValidVolumes: []string{"**"}, // All volumes are allowed for `exec` command
+			// TODO GITEA
+			// ContainerNamePrefix:   "GITEA-ACTIONS-TASK-" + eventName,
+			// ContainerMaxLifetime:  maxLifetime,
+			ContainerNetworkMode: container.NetworkMode(execArgs.network),
+			// TODO GITEA
+			// DefaultActionInstance: execArgs.defaultActionsURL,
+			// PlatformPicker: func(_ []string) string {
+			// 	return execArgs.image
+			// },
+			// ValidVolumes: []string{"**"}, // All volumes are allowed for `exec` command
 		}

 		config.Env["ACT_EXEC"] = "true"
@@ -422,10 +448,8 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 			config.Token = t
 		}

-		if !execArgs.debug {
-			logLevel := log.InfoLevel
-			config.JobLoggerLevel = &logLevel
-		}
+		// TODO GITEA
+		ctx = runner.WithJobLoggerFactory(ctx, &run.JobLoggerFactoryWithInfoLevel{})

 		r, err := runner.New(config)
 		if err != nil {
@@ -436,7 +460,7 @@ func runExec(ctx context.Context, execArgs *executeArgs) func(cmd *cobra.Command
 		log.Debugf("artifacts server started at %s:%s", execArgs.artifactServerPath, execArgs.artifactServerPort)

 		ctx = common.WithDryrun(ctx, execArgs.dryrun)
-		executor := r.NewPlanExecutor(plan).Finally(func(ctx context.Context) error {
+		executor := r.NewPlanExecutor(plan).Finally(func(_ context.Context) error {
 			artifactCancel()
 			return nil
 		})
@@ -468,6 +492,7 @@ func loadExecCmd(ctx context.Context) *cobra.Command {
 	execCmd.Flags().StringArrayVarP(&execArg.envs, "env", "", []string{}, "env to make available to actions with optional value (e.g. --env myenv=foo or --env myenv)")
 	execCmd.PersistentFlags().StringVarP(&execArg.envfile, "env-file", "", ".env", "environment file to read and use as env in the containers")
 	execCmd.Flags().StringArrayVarP(&execArg.secrets, "secret", "s", []string{}, "secret to make available to actions with optional value (e.g. -s mysecret=foo or -s mysecret)")
+	execCmd.Flags().StringArrayVarP(&execArg.vars, "var", "", []string{}, "variable to make available to actions with optional value (e.g. --var myvar=foo or --var myvar)")
 	execCmd.PersistentFlags().BoolVarP(&execArg.insecureSecrets, "insecure-secrets", "", false, "NOT RECOMMENDED! Doesn't hide secrets while printing logs.")
 	execCmd.Flags().BoolVar(&execArg.privileged, "privileged", false, "use privileged mode")
 	execCmd.Flags().StringVar(&execArg.usernsMode, "userns", "", "user namespace to use")
@@ -484,7 +509,7 @@ func loadExecCmd(ctx context.Context) *cobra.Command {
 	execCmd.PersistentFlags().BoolVarP(&execArg.noSkipCheckout, "no-skip-checkout", "", false, "Do not skip actions/checkout")
 	execCmd.PersistentFlags().BoolVarP(&execArg.debug, "debug", "d", false, "enable debug log")
 	execCmd.PersistentFlags().BoolVarP(&execArg.dryrun, "dryrun", "n", false, "dryrun mode")
-	execCmd.PersistentFlags().StringVarP(&execArg.image, "image", "i", "node:16-bullseye", "docker image to use")
+	execCmd.PersistentFlags().StringVarP(&execArg.image, "image", "i", "docker.gitea.com/runner-images:ubuntu-latest", "Docker image to use. Use \"-self-hosted\" to run directly on the host.")
 	execCmd.PersistentFlags().StringVarP(&execArg.network, "network", "", "", "Specify the network to which the container will connect")
 	execCmd.PersistentFlags().StringVarP(&execArg.githubInstance, "gitea-instance", "", "", "Gitea instance to use.")

--- a/internal/app/cmd/register.go
+++ b/internal/app/cmd/register.go
@@ -6,6 +6,7 @@ package cmd
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"os/signal"
@@ -15,7 +16,7 @@ import (

 	pingv1 "code.gitea.io/actions-proto-go/ping/v1"
 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
 	"github.com/mattn/go-isatty"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -28,7 +29,7 @@ import (

 // runRegister registers a runner to the server
 func runRegister(ctx context.Context, regArgs *registerArgs, configFile *string) func(*cobra.Command, []string) error {
-	return func(cmd *cobra.Command, args []string) error {
+	return func(_ *cobra.Command, _ []string) error {
 		log.SetReportCaller(false)
 		isTerm := isatty.IsTerminal(os.Stdout.Fd())
 		log.SetFormatter(&log.TextFormatter{
@@ -52,7 +53,7 @@ func runRegister(ctx context.Context, regArgs *registerArgs, configFile *string)
 			}
 		} else {
 			go func() {
-				if err := registerInteractive(ctx, *configFile); err != nil {
+				if err := registerInteractive(ctx, *configFile, regArgs); err != nil {
 					log.Fatal(err)
 					return
 				}
@@ -75,6 +76,7 @@ type registerArgs struct {
 	Token         string
 	RunnerName    string
 	Labels        string
+	Ephemeral     bool
 }

 type registerStage int8
@@ -91,10 +93,9 @@ const (
 )

 var defaultLabels = []string{
-	"ubuntu-latest:docker://node:16-bullseye",
-	"ubuntu-22.04:docker://node:16-bullseye", // There's no node:16-bookworm yet
-	"ubuntu-20.04:docker://node:16-bullseye",
-	"ubuntu-18.04:docker://node:16-buster",
+	"ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest",
+	"ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04",
+	"ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04",
 }

 type registerInputs struct {
@@ -102,14 +103,15 @@ type registerInputs struct {
 	Token        string
 	RunnerName   string
 	Labels       []string
+	Ephemeral    bool
 }

 func (r *registerInputs) validate() error {
 	if r.InstanceAddr == "" {
-		return fmt.Errorf("instance address is empty")
+		return errors.New("instance address is empty")
 	}
 	if r.Token == "" {
-		return fmt.Errorf("token is empty")
+		return errors.New("token is empty")
 	}
 	if len(r.Labels) > 0 {
 		return validateLabels(r.Labels)
@@ -126,6 +128,22 @@ func validateLabels(ls []string) error {
 	return nil
 }

+func (r *registerInputs) stageValue(stage registerStage) string {
+	switch stage {
+	case StageInputInstance:
+		return r.InstanceAddr
+	case StageInputToken:
+		return r.Token
+	case StageInputRunnerName:
+		return r.RunnerName
+	case StageInputLabels:
+		if len(r.Labels) > 0 {
+			return strings.Join(r.Labels, ",")
+		}
+	}
+	return ""
+}
+
 func (r *registerInputs) assignToNext(stage registerStage, value string, cfg *config.Config) registerStage {
 	// must set instance address and token.
 	// if empty, keep current stage.
@@ -179,7 +197,8 @@ func (r *registerInputs) assignToNext(stage registerStage, value string, cfg *co
 		}

 		if validateLabels(r.Labels) != nil {
-			log.Infoln("Invalid labels, please input again, leave blank to use the default labels (for example, ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,linux_arm:host)")
+			log.Infoln("Invalid labels, please input again, leave blank to use the default labels (for example, ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest)")
+			r.Labels = nil
 			return StageInputLabels
 		}
 		return StageWaitingForRegistration
@@ -187,11 +206,25 @@ func (r *registerInputs) assignToNext(stage registerStage, value string, cfg *co
 	return StageUnknown
 }

-func registerInteractive(ctx context.Context, configFile string) error {
+func initInputs(regArgs *registerArgs) *registerInputs {
+	inputs := &registerInputs{
+		InstanceAddr: regArgs.InstanceAddr,
+		Token:        regArgs.Token,
+		RunnerName:   regArgs.RunnerName,
+		Ephemeral:    regArgs.Ephemeral,
+	}
+	regArgs.Labels = strings.TrimSpace(regArgs.Labels)
+	// command line flag.
+	if regArgs.Labels != "" {
+		inputs.Labels = strings.Split(regArgs.Labels, ",")
+	}
+	return inputs
+}
+
+func registerInteractive(ctx context.Context, configFile string, regArgs *registerArgs) error {
 	var (
 		reader = bufio.NewReader(os.Stdin)
 		stage  = StageInputInstance
-		inputs = new(registerInputs)
 	)

 	cfg, err := config.LoadDefault(configFile)
@@ -201,20 +234,24 @@ func registerInteractive(ctx context.Context, configFile string) error {
 	if f, err := os.Stat(cfg.Runner.File); err == nil && !f.IsDir() {
 		stage = StageOverwriteLocalConfig
 	}
+	inputs := initInputs(regArgs)

 	for {
-		printStageHelp(stage)
-
-		cmdString, err := reader.ReadString('\n')
-		if err != nil {
-			return err
+		cmdString := inputs.stageValue(stage)
+		if cmdString == "" {
+			printStageHelp(stage)
+			var err error
+			cmdString, err = reader.ReadString('\n')
+			if err != nil {
+				return err
+			}
 		}
 		stage = inputs.assignToNext(stage, strings.TrimSpace(cmdString), cfg)

 		if stage == StageWaitingForRegistration {
 			log.Infof("Registering runner, name=%s, instance=%s, labels=%v.", inputs.RunnerName, inputs.InstanceAddr, inputs.Labels)
 			if err := doRegister(ctx, cfg, inputs); err != nil {
-				return fmt.Errorf("Failed to register runner: %w", err)
+				return fmt.Errorf("failed to register runner: %w", err)
 			}
 			log.Infof("Runner registered successfully.")
 			return nil
@@ -243,7 +280,7 @@ func printStageHelp(stage registerStage) {
 		hostname, _ := os.Hostname()
 		log.Infof("Enter the runner name (if set empty, use hostname: %s):\n", hostname)
 	case StageInputLabels:
-		log.Infoln("Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-20.04:docker://node:16-bullseye,ubuntu-18.04:docker://node:16-buster,linux_arm:host):")
+		log.Infoln("Enter the runner labels, leave blank to use the default labels (comma-separated, for example, ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest):")
 	case StageWaitingForRegistration:
 		log.Infoln("Waiting for registration...")
 	}
@@ -254,17 +291,7 @@ func registerNoInteractive(ctx context.Context, configFile string, regArgs *regi
 	if err != nil {
 		return err
 	}
-	inputs := &registerInputs{
-		InstanceAddr: regArgs.InstanceAddr,
-		Token:        regArgs.Token,
-		RunnerName:   regArgs.RunnerName,
-		Labels:       defaultLabels,
-	}
-	regArgs.Labels = strings.TrimSpace(regArgs.Labels)
-	// command line flag.
-	if regArgs.Labels != "" {
-		inputs.Labels = strings.Split(regArgs.Labels, ",")
-	}
+	inputs := initInputs(regArgs)
 	// specify labels in config file.
 	if len(cfg.Runner.Labels) > 0 {
 		if regArgs.Labels != "" {
@@ -272,6 +299,9 @@ func registerNoInteractive(ctx context.Context, configFile string, regArgs *regi
 		}
 		inputs.Labels = cfg.Runner.Labels
 	}
+	if len(inputs.Labels) == 0 {
+		inputs.Labels = defaultLabels
+	}

 	if inputs.RunnerName == "" {
 		inputs.RunnerName, _ = os.Hostname()
@@ -279,10 +309,10 @@ func registerNoInteractive(ctx context.Context, configFile string, regArgs *regi
 	}
 	if err := inputs.validate(); err != nil {
 		log.WithError(err).Errorf("Invalid input, please re-run act command.")
-		return nil
+		return err
 	}
 	if err := doRegister(ctx, cfg, inputs); err != nil {
-		return fmt.Errorf("Failed to register runner: %w", err)
+		return fmt.Errorf("failed to register runner: %w", err)
 	}
 	log.Infof("Runner registered successfully.")
 	return nil
@@ -322,10 +352,11 @@ func doRegister(ctx context.Context, cfg *config.Config, inputs *registerInputs)
 	}

 	reg := &config.Registration{
-		Name:    inputs.RunnerName,
-		Token:   inputs.Token,
-		Address: inputs.InstanceAddr,
-		Labels:  inputs.Labels,
+		Name:      inputs.RunnerName,
+		Token:     inputs.Token,
+		Address:   inputs.InstanceAddr,
+		Labels:    inputs.Labels,
+		Ephemeral: inputs.Ephemeral,
 	}

 	ls := make([]string, len(reg.Labels))
@@ -340,6 +371,7 @@ func doRegister(ctx context.Context, cfg *config.Config, inputs *registerInputs)
 		Version:     ver.Version(),
 		AgentLabels: ls, // Could be removed after Gitea 1.20
 		Labels:      ls,
+		Ephemeral:   reg.Ephemeral,
 	}))
 	if err != nil {
 		log.WithError(err).Error("poller: cannot register new runner")
@@ -351,6 +383,11 @@ func doRegister(ctx context.Context, cfg *config.Config, inputs *registerInputs)
 	reg.Name = resp.Msg.Runner.Name
 	reg.Token = resp.Msg.Runner.Token

+	if inputs.Ephemeral != resp.Msg.Runner.Ephemeral {
+		// TODO we cannot remove the configuration via runner api, if we return an error here we just fill the database
+		log.Error("poller: cannot register new runner as ephemeral upgrade Gitea to gain security, run-once will be used automatically")
+	}
+
 	if err := config.SaveRegistration(cfg.Runner.File, reg); err != nil {
 		return fmt.Errorf("failed to save runner config: %w", err)
 	}
--- a/internal/app/cmd/register_test.go
+++ b/internal/app/cmd/register_test.go
@@ -0,0 +1,19 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package cmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestRegisterNonInteractiveReturnsLabelValidationError(t *testing.T) {
+	err := registerNoInteractive(t.Context(), "", &registerArgs{
+		Labels:       "label:invalid",
+		Token:        "token",
+		InstanceAddr: "http://localhost:3000",
+	})
+	require.Error(t, err, "unsupported schema: invalid")
+}
--- a/internal/app/poll/poller.go
+++ b/internal/app/poll/poller.go
@@ -11,7 +11,7 @@ import (
 	"sync/atomic"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/time/rate"

@@ -25,40 +25,118 @@ type Poller struct {
 	runner       *run.Runner
 	cfg          *config.Config
 	tasksVersion atomic.Int64 // tasksVersion used to store the version of the last task fetched from the Gitea.
+
+	pollingCtx      context.Context
+	shutdownPolling context.CancelFunc
+
+	jobsCtx      context.Context
+	shutdownJobs context.CancelFunc
+
+	done chan struct{}
 }

 func New(cfg *config.Config, client client.Client, runner *run.Runner) *Poller {
+	pollingCtx, shutdownPolling := context.WithCancel(context.Background())
+
+	jobsCtx, shutdownJobs := context.WithCancel(context.Background())
+
+	done := make(chan struct{})
+
 	return &Poller{
 		client: client,
 		runner: runner,
 		cfg:    cfg,
+
+		pollingCtx:      pollingCtx,
+		shutdownPolling: shutdownPolling,
+
+		jobsCtx:      jobsCtx,
+		shutdownJobs: shutdownJobs,
+
+		done: done,
 	}
 }

-func (p *Poller) Poll(ctx context.Context) {
+func (p *Poller) Poll() {
 	limiter := rate.NewLimiter(rate.Every(p.cfg.Runner.FetchInterval), 1)
 	wg := &sync.WaitGroup{}
 	for i := 0; i < p.cfg.Runner.Capacity; i++ {
 		wg.Add(1)
-		go p.poll(ctx, wg, limiter)
+		go p.poll(wg, limiter)
 	}
 	wg.Wait()
+
+	// signal that we shutdown
+	close(p.done)
 }

-func (p *Poller) poll(ctx context.Context, wg *sync.WaitGroup, limiter *rate.Limiter) {
+func (p *Poller) PollOnce() {
+	limiter := rate.NewLimiter(rate.Every(p.cfg.Runner.FetchInterval), 1)
+
+	p.pollOnce(limiter)
+
+	// signal that we're done
+	close(p.done)
+}
+
+func (p *Poller) Shutdown(ctx context.Context) error {
+	p.shutdownPolling()
+
+	select {
+	// graceful shutdown completed succesfully
+	case <-p.done:
+		return nil
+
+	// our timeout for shutting down ran out
+	case <-ctx.Done():
+		// when both the timeout fires and the graceful shutdown
+		// completed succsfully, this branch of the select may
+		// fire. Do a non-blocking check here against the graceful
+		// shutdown status to avoid sending an error if we don't need to.
+		_, ok := <-p.done
+		if !ok {
+			return nil
+		}
+
+		// force a shutdown of all running jobs
+		p.shutdownJobs()
+
+		// wait for running jobs to report their status to Gitea
+		<-p.done
+
+		return ctx.Err()
+	}
+}
+
+func (p *Poller) poll(wg *sync.WaitGroup, limiter *rate.Limiter) {
 	defer wg.Done()
 	for {
-		if err := limiter.Wait(ctx); err != nil {
-			if ctx.Err() != nil {
+		p.pollOnce(limiter)
+
+		select {
+		case <-p.pollingCtx.Done():
+			return
+		default:
+			continue
+		}
+	}
+}
+
+func (p *Poller) pollOnce(limiter *rate.Limiter) {
+	for {
+		if err := limiter.Wait(p.pollingCtx); err != nil {
+			if p.pollingCtx.Err() != nil {
 				log.WithError(err).Debug("limiter wait failed")
 			}
 			return
 		}
-		task, ok := p.fetchTask(ctx)
+		task, ok := p.fetchTask(p.pollingCtx)
 		if !ok {
 			continue
 		}
-		p.runTaskWithRecover(ctx, task)
+
+		p.runTaskWithRecover(p.jobsCtx, task)
+		return
 	}
 }

--- a/internal/app/run/logging.go
+++ b/internal/app/run/logging.go
@@ -0,0 +1,38 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package run
+
+import (
+	"io"
+	"os"
+
+	"gitea.com/gitea/act_runner/internal/pkg/report"
+	log "github.com/sirupsen/logrus"
+)
+
+type JobLoggerFactoryWithInfoLevel struct{}
+
+// WithJobLogger implements [runner.JobLoggerFactory].
+func (j *JobLoggerFactoryWithInfoLevel) WithJobLogger() *log.Logger {
+	jobLogger := log.New()
+	jobLogger.SetLevel(log.InfoLevel)
+	return jobLogger
+}
+
+type JobLoggerWithReporter struct {
+	Reporter      *report.Reporter
+	LogToTerminal bool
+}
+
+// WithJobLogger implements [runner.JobLoggerFactory].
+func (j *JobLoggerWithReporter) WithJobLogger() *log.Logger {
+	jobLogger := log.New()
+	if j.LogToTerminal {
+		jobLogger.SetOutput(os.Stdout)
+	} else {
+		jobLogger.SetOutput(io.Discard)
+	}
+	jobLogger.AddHook(j.Reporter)
+	return jobLogger
+}
--- a/internal/app/run/runner.go
+++ b/internal/app/run/runner.go
@@ -7,18 +7,19 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
-	"time"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
+	"gitea.com/gitea/act_runner/pkg/artifactcache"
+	"gitea.com/gitea/act_runner/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/runner"
+	"gitea.com/gitea/act_runner/pkg/schema"
 	"github.com/docker/docker/api/types/container"
-	"github.com/nektos/act/pkg/artifactcache"
-	"github.com/nektos/act/pkg/common"
-	"github.com/nektos/act/pkg/model"
-	"github.com/nektos/act/pkg/runner"
 	log "github.com/sirupsen/logrus"

 	"gitea.com/gitea/act_runner/internal/pkg/client"
@@ -49,9 +50,7 @@ func NewRunner(cfg *config.Config, reg *config.Registration, cli client.Client)
 		}
 	}
 	envs := make(map[string]string, len(cfg.Runner.Envs))
-	for k, v := range cfg.Runner.Envs {
-		envs[k] = v
-	}
+	maps.Copy(envs, cfg.Runner.Envs)
 	if cfg.Cache.Enabled == nil || *cfg.Cache.Enabled {
 		if cfg.Cache.ExternalServer != "" {
 			envs["ACTIONS_CACHE_URL"] = cfg.Cache.ExternalServer
@@ -74,6 +73,7 @@ func NewRunner(cfg *config.Config, reg *config.Registration, cli client.Client)
 	// set artifact gitea api
 	artifactGiteaAPI := strings.TrimSuffix(cli.Address(), "/") + "/api/actions_pipeline/"
 	envs["ACTIONS_RUNTIME_URL"] = artifactGiteaAPI
+	envs["ACTIONS_RESULTS_URL"] = strings.TrimSuffix(cli.Address(), "/")

 	// Set specific environments to distinguish between Gitea and GitHub
 	envs["GITEA_ACTIONS"] = "true"
@@ -112,6 +112,17 @@ func (r *Runner) Run(ctx context.Context, task *runnerv1.Task) error {
 	return nil
 }

+// getDefaultActionsURL
+// when DEFAULT_ACTIONS_URL == "https://github.com" and GithubMirror is not blank,
+// it should be set to GithubMirror first.
+func (r *Runner) getDefaultActionsURL(task *runnerv1.Task) string {
+	giteaDefaultActionsURL := task.Context.Fields["gitea_default_actions_url"].GetStringValue()
+	if giteaDefaultActionsURL == "https://github.com" && r.cfg.Runner.GithubMirror != "" {
+		return r.cfg.Runner.GithubMirror
+	}
+	return giteaDefaultActionsURL
+}
+
 func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.Reporter) (err error) {
 	defer func() {
 		if r := recover(); r != nil {
@@ -126,17 +137,25 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		return err
 	}

+	// TODO GITEA
 	plan, err := model.CombineWorkflowPlanner(workflow).PlanJob(jobID)
 	if err != nil {
 		return err
 	}
 	job := workflow.GetJob(jobID)
-	reporter.ResetSteps(len(job.Steps))
+	var stepIDs []string
+	for i, v := range job.Steps {
+		if v.ID == "" {
+			v.ID = strconv.Itoa(i)
+		}
+		stepIDs = append(stepIDs, v.ID)
+	}
+	reporter.SetStepIdMapping(stepIDs...)

 	taskContext := task.Context.Fields

 	log.Infof("task %v repo is %v %v %v", task.Id, taskContext["repository"].GetStringValue(),
-		taskContext["gitea_default_actions_url"].GetStringValue(),
+		r.getDefaultActionsURL(task),
 		r.client.Address())

 	preset := &model.GithubContext{
@@ -162,48 +181,83 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.
 		preset.Token = t
 	}

-	// use task token to action api token
-	r.envs["ACTIONS_RUNTIME_TOKEN"] = preset.Token
+	if actionsIDTokenRequestURL := taskContext["actions_id_token_request_url"].GetStringValue(); actionsIDTokenRequestURL != "" {
+		r.envs["ACTIONS_ID_TOKEN_REQUEST_URL"] = actionsIDTokenRequestURL
+		r.envs["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = taskContext["actions_id_token_request_token"].GetStringValue()
+		task.Secrets["ACTIONS_ID_TOKEN_REQUEST_TOKEN"] = r.envs["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
+	}

+	giteaRuntimeToken := taskContext["gitea_runtime_token"].GetStringValue()
+	if giteaRuntimeToken == "" {
+		// use task token to action api token for previous Gitea Server Versions
+		giteaRuntimeToken = preset.Token
+	}
+	r.envs["ACTIONS_RUNTIME_TOKEN"] = giteaRuntimeToken
+
+	// TODO GITEA
 	eventJSON, err := json.Marshal(preset.Event)
 	if err != nil {
 		return err
 	}

-	maxLifetime := 3 * time.Hour
-	if deadline, ok := ctx.Deadline(); ok {
-		maxLifetime = time.Until(deadline)
-	}
+	// maxLifetime := 3 * time.Hour
+	// if deadline, ok := ctx.Deadline(); ok {
+	// 	maxLifetime = time.Until(deadline)
+	// }
+
+	actCtx := map[string]any{}
+	forgeCtx := task.Context.AsMap()
+	actCtx["github"] = forgeCtx
+	actCtx["gitea"] = forgeCtx

 	runnerConfig := &runner.Config{
 		// On Linux, Workdir will be like "/<parent_directory>/<owner>/<repo>"
 		// On Windows, Workdir will be like "\<parent_directory>\<owner>\<repo>"
-		Workdir:        filepath.FromSlash(fmt.Sprintf("/%s/%s", r.cfg.Container.WorkdirParent, preset.Repository)),
+		Workdir:        filepath.FromSlash(fmt.Sprintf("/%s/%s", strings.TrimLeft(r.cfg.Container.WorkdirParent, "/"), preset.Repository)),
 		BindWorkdir:    false,
 		ActionCacheDir: filepath.FromSlash(r.cfg.Host.WorkdirParent),

-		ReuseContainers:       false,
-		ForcePull:             r.cfg.Container.ForcePull,
-		ForceRebuild:          false,
-		LogOutput:             true,
-		JSONLogger:            false,
-		Env:                   r.envs,
-		Secrets:               task.Secrets,
-		GitHubInstance:        strings.TrimSuffix(r.client.Address(), "/"),
-		AutoRemove:            true,
-		NoSkipCheckout:        true,
-		PresetGitHubContext:   preset,
-		EventJSON:             string(eventJSON),
-		ContainerNamePrefix:   fmt.Sprintf("GITEA-ACTIONS-TASK-%d", task.Id),
-		ContainerMaxLifetime:  maxLifetime,
+		ReuseContainers: false,
+		ForcePull:       r.cfg.Container.ForcePull,
+		ForceRebuild:    r.cfg.Container.ForceRebuild,
+		LogOutput:       true,
+		JSONLogger:      false,
+		Env:             r.envs,
+		Secrets:         task.Secrets,
+		// GitHubInstance:  strings.TrimSuffix(r.client.Address(), "/"),
+		AutoRemove:     true,
+		NoSkipCheckout: true,
+		// TODO GITEA
+		// PresetGitHubContext:   preset,
+		EventJSON: string(eventJSON),
+		// ContainerNamePrefix:   fmt.Sprintf("GITEA-ACTIONS-TASK-%d", task.Id),
+		// ContainerMaxLifetime:  maxLifetime,
 		ContainerNetworkMode:  container.NetworkMode(r.cfg.Container.Network),
 		ContainerOptions:      r.cfg.Container.Options,
 		ContainerDaemonSocket: r.cfg.Container.DockerHost,
 		Privileged:            r.cfg.Container.Privileged,
-		DefaultActionInstance: taskContext["gitea_default_actions_url"].GetStringValue(),
-		PlatformPicker:        r.labels.PickPlatform,
-		Vars:                  task.Vars,
-		ValidVolumes:          r.cfg.Container.ValidVolumes,
+
+		Platforms: map[string]string{
+			"dummy": "-self-hosted",
+		},
+		// TODO GITEA
+		// DefaultActionInstance: r.getDefaultActionsURL(task),
+		// PlatformPicker:        r.labels.PickPlatform,
+		Vars: task.Vars,
+		// TODO GITEA
+		// ValidVolumes:          r.cfg.Container.ValidVolumes,
+		// InsecureSkipTLS:       r.cfg.Runner.Insecure,
+
+		GitHubServerURL:    strings.TrimSuffix(r.client.Address(), "/"),
+		GitHubAPIServerURL: strings.TrimSuffix(r.client.Address(), "/") + "/api/v1",
+		// Invalid but ok
+		GitHubGraphQlAPIServerURL: strings.TrimSuffix(r.client.Address(), "/api/graphql"),
+		MainContextNames:          []string{"gitea", "github"},
+
+		Action: model.ActionConfig{
+			Schema: schema.GetGiteaActionSchema(),
+		},
+		ContextData: actCtx,
 	}

 	rr, err := runner.New(runnerConfig)
@@ -214,8 +268,8 @@ func (r *Runner) run(ctx context.Context, task *runnerv1.Task, reporter *report.

 	reporter.Logf("workflow prepared")

-	// add logger recorders
-	ctx = common.WithLoggerHook(ctx, reporter)
+	// TODO GITEA
+	ctx = runner.WithJobLoggerFactory(ctx, &JobLoggerWithReporter{Reporter: reporter, LogToTerminal: log.IsLevelEnabled(log.DebugLevel)})

 	execErr := executor(ctx)
 	reporter.SetOutputs(job.Outputs)
--- a/internal/app/run/workflow.go
+++ b/internal/app/run/workflow.go
@@ -10,12 +10,24 @@ import (
 	"strings"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"github.com/nektos/act/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/schema"
 	"gopkg.in/yaml.v3"
 )

 func generateWorkflow(task *runnerv1.Task) (*model.Workflow, string, error) {
-	workflow, err := model.ReadWorkflow(bytes.NewReader(task.WorkflowPayload))
+	workflow, err := model.ReadWorkflow(bytes.NewReader(task.WorkflowPayload), model.WorkflowConfig{
+		// Schema: schema.GetGiteaWorkflowSchema(),
+		// Allow everything
+		Schema: &schema.Schema{
+			Definitions: map[string]schema.Definition{
+				"workflow-root": {
+					Context: []string{"github", "gitea", "env", "job", "matrix", "strategy", "inputs", "vars", "runner", "steps", "needs"},
+					OneOf:   &[]string{"any"},
+				},
+			},
+		},
+	})
 	if err != nil {
 		return nil, "", err
 	}
@@ -48,7 +60,9 @@ func generateWorkflow(task *runnerv1.Task) (*model.Workflow, string, error) {
 		})
 	}

+	// TODO GITEA
 	workflow.Jobs[jobID].RawNeeds = rawNeeds
+	_ = workflow.Jobs[jobID].RawRunsOn.Encode("dummy")

 	return workflow, jobID, nil
 }
--- a/internal/app/run/workflow_test.go
+++ b/internal/app/run/workflow_test.go
@@ -7,9 +7,10 @@ import (
 	"testing"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"github.com/nektos/act/pkg/model"
+	"gitea.com/gitea/act_runner/pkg/model"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gotest.tools/v3/assert"
+	"go.yaml.in/yaml/v4"
 )

 func Test_generateWorkflow(t *testing.T) {
@@ -57,18 +58,272 @@ jobs:
 				},
 			},
 			assert: func(t *testing.T, wf *model.Workflow) {
-				assert.DeepEqual(t, wf.GetJob("job9").Needs(), []string{"job1", "job2"})
+				assert.Equal(t, []string{"job1", "job2"}, wf.GetJob("job9").Needs())
 			},
 			want1:   "job9",
 			wantErr: false,
 		},
+		{
+			name: "no needs",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Simple workflow
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: echo "hello"
+`),
+					Needs: map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				job := wf.GetJob("test")
+				assert.Equal(t, []string{}, job.Needs())
+				assert.Len(t, job.Steps, 2)
+			},
+			want1:   "test",
+			wantErr: false,
+		},
+		{
+			name: "needs list",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Workflow with list needs
+on: push
+
+jobs:
+  deploy:
+    needs: [build, test, lint]
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "deploying"
+`),
+					Needs: map[string]*runnerv1.TaskNeed{
+						"build": {
+							Outputs: map[string]string{},
+							Result:  runnerv1.Result_RESULT_SUCCESS,
+						},
+						"test": {
+							Outputs: map[string]string{
+								"coverage": "80%",
+							},
+							Result: runnerv1.Result_RESULT_SUCCESS,
+						},
+						"lint": {
+							Outputs: map[string]string{},
+							Result:  runnerv1.Result_RESULT_FAILURE,
+						},
+					},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				job := wf.GetJob("deploy")
+				needs := job.Needs()
+				assert.Equal(t, []string{"build", "lint", "test"}, needs)
+				assert.Equal(t, "80%", wf.Jobs["test"].Outputs["coverage"])
+				assert.Equal(t, "failure", wf.Jobs["lint"].Result)
+			},
+			want1:   "deploy",
+			wantErr: false,
+		},
+		{
+			name: "workflow env and defaults",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Complex workflow
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    types: [opened, synchronize]
+
+env:
+  NODE_ENV: production
+  CI: "true"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      BUILD_TYPE: release
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+      - run: npm ci
+      - run: npm run build
+`),
+					Needs: map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				assert.Equal(t, "Complex workflow", wf.Name)
+				assert.Equal(t, "production", wf.Env["NODE_ENV"])
+				assert.Equal(t, "true", wf.Env["CI"])
+				job := wf.GetJob("build")
+				assert.Len(t, job.Steps, 4)
+			},
+			want1:   "build",
+			wantErr: false,
+		},
+		{
+			name: "job with container and services",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Integration tests
+on: push
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    container:
+      image: node:18
+    services:
+      postgres:
+        image: postgres:15
+    steps:
+      - uses: actions/checkout@v3
+      - run: npm test
+`),
+					Needs: map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				job := wf.GetJob("integration")
+				container := job.Container()
+				assert.Equal(t, "node:18", container.Image)
+				assert.Equal(t, "postgres:15", job.Services["postgres"].Image)
+			},
+			want1:   "integration",
+			wantErr: false,
+		},
+		{
+			name: "job with matrix strategy",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Matrix build
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go-version: ["1.21", "1.22"]
+    steps:
+      - uses: actions/checkout@v3
+      - run: go test ./...
+`),
+					Needs: map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				job := wf.GetJob("test")
+				matrixes, err := job.GetMatrixes()
+				require.NoError(t, err)
+				assert.Len(t, matrixes, 2)
+			},
+			want1:   "test",
+			wantErr: false,
+		},
+		{
+			name: "special yaml characters in values",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte("name: \"Special: characters & test\"\non: push\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: 'echo \"hello: world\"'\n      - run: 'echo \"quotes & ampersands\"'\n      - run: |\n          echo \"multiline\"\n          echo \"script\"\n"),
+					Needs:           map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert: func(t *testing.T, wf *model.Workflow) {
+				assert.Equal(t, "Special: characters & test", wf.Name)
+				job := wf.GetJob("test")
+				assert.Len(t, job.Steps, 3)
+			},
+			want1:   "test",
+			wantErr: false,
+		},
+		{
+			name: "invalid yaml",
+			args: args{
+				task: &runnerv1.Task{
+					WorkflowPayload: []byte(`
+name: Bad workflow
+on: push
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo "ok"
+     bad-indent: true
+`),
+					Needs: map[string]*runnerv1.TaskNeed{},
+				},
+			},
+			assert:  nil,
+			want1:   "",
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, got1, err := generateWorkflow(tt.args.task)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
 			require.NoError(t, err)
 			tt.assert(t, got)
-			assert.Equal(t, got1, tt.want1)
+			assert.Equal(t, tt.want1, got1)
 		})
 	}
 }
+
+func Test_yamlV4NodeRoundTrip(t *testing.T) {
+	t.Run("marshal sequence node", func(t *testing.T) {
+		node := yaml.Node{
+			Kind: yaml.SequenceNode,
+			Content: []*yaml.Node{
+				{Kind: yaml.ScalarNode, Value: "a"},
+				{Kind: yaml.ScalarNode, Value: "b"},
+				{Kind: yaml.ScalarNode, Value: "c"},
+			},
+		}
+
+		out, err := yaml.Marshal(&node)
+		require.NoError(t, err)
+		assert.Equal(t, "- a\n- b\n- c\n", string(out))
+	})
+
+	t.Run("unmarshal and re-marshal workflow", func(t *testing.T) {
+		input := []byte("name: test\non: push\njobs:\n    build:\n        runs-on: ubuntu-latest\n        steps:\n            - run: echo hello\n")
+
+		var wf map[string]any
+		err := yaml.Unmarshal(input, &wf)
+		require.NoError(t, err)
+		assert.Equal(t, "test", wf["name"])
+
+		out, err := yaml.Marshal(wf)
+		require.NoError(t, err)
+
+		var wf2 map[string]any
+		err = yaml.Unmarshal(out, &wf2)
+		require.NoError(t, err)
+		assert.Equal(t, "test", wf2["name"])
+	})
+
+	t.Run("node kind constants", func(t *testing.T) {
+		// Verify yaml/v4 node kind constants are usable (same API as v3)
+		require.NotEqual(t, yaml.ScalarNode, yaml.SequenceNode)
+		require.NotEqual(t, yaml.SequenceNode, yaml.MappingNode)
+	})
+}
--- a/internal/eval/functions/format.go
+++ b/internal/eval/functions/format.go
@@ -0,0 +1,122 @@
+package functions
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+)
+
+// Format evaluates a format string with the supplied arguments.
+// It behaves like the C# implementation in the repository –
+// it supports escaped braces and numeric argument indices.
+// Format specifiers (e.g. :D) are recognised but currently ignored.
+func Format(formatStr string, args ...any) (string, error) {
+	var sb strings.Builder
+	i := 0
+	for i < len(formatStr) {
+		lbrace := strings.IndexByte(formatStr[i:], '{')
+		rbrace := strings.IndexByte(formatStr[i:], '}')
+
+		// left brace
+		if lbrace >= 0 && (rbrace < 0 || rbrace > lbrace) {
+			l := i + lbrace
+
+			sb.WriteString(formatStr[i:l])
+
+			// escaped left brace
+			if l+1 < len(formatStr) && formatStr[l+1] == '{' {
+				sb.WriteString(formatStr[l : l+1])
+				i = l + 2
+				continue
+			}
+
+			// normal placeholder
+			if rbrace > lbrace+1 {
+				// read index
+				idx, endIdx, ok := readArgIndex(formatStr, l+1)
+				if !ok {
+					return "", fmt.Errorf("invalid format string: %s", formatStr)
+				}
+				// read optional format specifier
+				spec, r, ok := readFormatSpecifiers(formatStr, endIdx+1)
+				if !ok {
+					return "", fmt.Errorf("invalid format string: %s", formatStr)
+				}
+				if idx >= len(args) {
+					return "", fmt.Errorf("argument index %d out of range", idx)
+				}
+				// append argument (format specifier is ignored here)
+				arg := args[idx]
+				fmt.Fprintf(&sb, "%v", arg)
+				if spec != "" {
+					// placeholder for future specifier handling
+					_ = spec
+				}
+				i = r + 1
+				continue
+			}
+			return "", fmt.Errorf("invalid format string: %s", formatStr)
+		}
+
+		// right brace
+		if rbrace >= 0 {
+			// escaped right brace
+			if i+rbrace+1 < len(formatStr) && formatStr[i+rbrace+1] == '}' {
+				sb.WriteString(formatStr[i : i+rbrace+1])
+				i += rbrace + 2
+				continue
+			}
+			return "", fmt.Errorf("invalid format string: %s", formatStr)
+		}
+
+		// rest of string
+		sb.WriteString(formatStr[i:])
+		break
+	}
+	return sb.String(), nil
+}
+
+// readArgIndex parses a decimal number starting at pos.
+// It returns the parsed value, the index of the last digit and true on success.
+func readArgIndex(s string, pos int) (int, int, bool) {
+	start := pos
+	for pos < len(s) && s[pos] >= '0' && s[pos] <= '9' {
+		pos++
+	}
+	if start == pos {
+		return 0, 0, false
+	}
+	idx, err := strconv.Atoi(s[start:pos])
+	if err != nil {
+		return 0, 0, false
+	}
+	return idx, pos - 1, true
+}
+
+// readFormatSpecifiers reads an optional format specifier block.
+// It returns the specifier string, the index of the closing '}' and true on success.
+func readFormatSpecifiers(s string, pos int) (string, int, bool) {
+	if pos >= len(s) {
+		return "", 0, false
+	}
+	if s[pos] == '}' {
+		return "", pos, true
+	}
+	if s[pos] != ':' {
+		return "", 0, false
+	}
+	pos++ // skip ':'
+	start := pos
+	for pos < len(s) {
+		if s[pos] == '}' {
+			return s[start:pos], pos, true
+		}
+		if s[pos] == '}' && pos+1 < len(s) && s[pos+1] == '}' {
+			// escaped '}'
+			pos += 2
+			continue
+		}
+		pos++
+	}
+	return "", 0, false
+}
--- a/internal/eval/functions/format_test.go
+++ b/internal/eval/functions/format_test.go
@@ -0,0 +1,13 @@
+package functions
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestFormat(t *testing.T) {
+	_, err := Format("Hello {0}, you have {1} new messages", "Alice", 5)
+	require.NoError(t, err)
+	// fmt.Println(s) // Hello Alice, you have 5 new messages
+}
--- a/internal/eval/v2/evaluation_result.go
+++ b/internal/eval/v2/evaluation_result.go
@@ -0,0 +1,474 @@
+package v2
+
+import (
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+)
+
+// ValueKind represents the type of a value in the evaluation engine.
+// The values mirror the C# ValueKind enum.
+//
+// Note: The names are kept identical to the C# implementation for easier mapping.
+//
+// The lexer is intentionally simple – it only tokenises the subset of
+// expressions that are used in GitHub Actions workflow `if:` expressions.
+// It does not evaluate the expression – that is left to the parser.
+
+type ValueKind int
+
+const (
+	ValueKindNull ValueKind = iota
+	ValueKindBoolean
+	ValueKindNumber
+	ValueKindString
+	ValueKindObject
+	ValueKindArray
+)
+
+type ReadOnlyArray[T any] interface {
+	GetAt(i int64) T
+	GetEnumerator() []T
+}
+
+type ReadOnlyObject[T any] interface {
+	Get(key string) T
+	GetKv(key string) (string, T) // Returns the actual key used (for case-insensitive objects)
+	GetEnumerator() map[string]T
+}
+
+type BasicArray[T any] []T
+
+func (a BasicArray[T]) GetAt(i int64) T {
+	if int(i) >= len(a) {
+		var zero T
+		return zero
+	}
+	return a[i]
+}
+
+func (a BasicArray[T]) GetEnumerator() []T {
+	return a
+}
+
+type CaseInsensitiveObject[T any] map[string]T
+
+func (o CaseInsensitiveObject[T]) Get(key string) T {
+	_, v := o.GetKv(key)
+	return v
+}
+
+func (o CaseInsensitiveObject[T]) GetKv(key string) (k string, v T) {
+	for k, v := range o {
+		if strings.EqualFold(k, key) {
+			return k, v
+		}
+	}
+	var zero T
+	return key, zero
+}
+
+func (o CaseInsensitiveObject[T]) GetEnumerator() map[string]T {
+	return o
+}
+
+type CaseSensitiveObject[T any] map[string]T
+
+func (o CaseSensitiveObject[T]) Get(key string) T {
+	return o[key]
+}
+
+func (o CaseSensitiveObject[T]) GetKv(key string) (string, T) {
+	return key, o[key]
+}
+
+func (o CaseSensitiveObject[T]) GetEnumerator() map[string]T {
+	return o
+}
+
+// EvaluationResult holds the result of evaluating an expression node.
+// It mirrors the C# EvaluationResult class.
+
+type EvaluationResult struct {
+	context     *EvaluationContext
+	level       int
+	value       any
+	kind        ValueKind
+	raw         any
+	omitTracing bool
+}
+
+// NewEvaluationResult creates a new EvaluationResult.
+func NewEvaluationResult(context *EvaluationContext, level int, val any, kind ValueKind, raw any, omitTracing bool) *EvaluationResult {
+	er := &EvaluationResult{context: context, level: level, value: val, kind: kind, raw: raw, omitTracing: omitTracing}
+	if !omitTracing {
+		er.traceValue()
+	}
+	return er
+}
+
+// Kind returns the ValueKind of the result.
+func (er *EvaluationResult) Kind() ValueKind { return er.kind }
+
+// Raw returns the raw value that was passed to the constructor.
+func (er *EvaluationResult) Raw() any { return er.raw }
+
+// Value returns the canonical value.
+func (er *EvaluationResult) Value() any { return er.value }
+
+// IsFalsy implements the logic from the C# class.
+func (er *EvaluationResult) IsFalsy() bool {
+	switch er.kind {
+	case ValueKindNull:
+		return true
+	case ValueKindBoolean:
+		return !er.value.(bool)
+	case ValueKindNumber:
+		v := er.value.(float64)
+		return v == 0 || isNaN(v)
+	case ValueKindString:
+		return er.value.(string) == ""
+	default:
+		return false
+	}
+}
+
+func isNaN(v float64) bool { return v != v }
+
+// IsPrimitive returns true if the kind is a primitive type.
+func (er *EvaluationResult) IsPrimitive() bool { return er.kind <= ValueKindString }
+
+// IsTruthy is the negation of IsFalsy.
+func (er *EvaluationResult) IsTruthy() bool { return !er.IsFalsy() }
+
+// AbstractEqual compares two EvaluationResults using the abstract equality algorithm.
+func (er *EvaluationResult) AbstractEqual(other *EvaluationResult) bool {
+	return abstractEqual(er.value, other.value)
+}
+
+// AbstractGreaterThan compares two EvaluationResults.
+func (er *EvaluationResult) AbstractGreaterThan(other *EvaluationResult) bool {
+	return abstractGreaterThan(er.value, other.value)
+}
+
+// AbstractGreaterThanOrEqual
+func (er *EvaluationResult) AbstractGreaterThanOrEqual(other *EvaluationResult) bool {
+	return er.AbstractEqual(other) || er.AbstractGreaterThan(other)
+}
+
+// AbstractLessThan
+func (er *EvaluationResult) AbstractLessThan(other *EvaluationResult) bool {
+	return abstractLessThan(er.value, other.value)
+}
+
+// AbstractLessThanOrEqual
+func (er *EvaluationResult) AbstractLessThanOrEqual(other *EvaluationResult) bool {
+	return er.AbstractEqual(other) || er.AbstractLessThan(other)
+}
+
+// AbstractNotEqual
+func (er *EvaluationResult) AbstractNotEqual(other *EvaluationResult) bool {
+	return !er.AbstractEqual(other)
+}
+
+// ConvertToNumber converts the value to a float64.
+func (er *EvaluationResult) ConvertToNumber() float64 { return convertToNumber(er.value) }
+
+// ConvertToString converts the value to a string.
+func (er *EvaluationResult) ConvertToString() string {
+	switch er.kind {
+	case ValueKindNull:
+		return ""
+	case ValueKindBoolean:
+		if er.value.(bool) {
+			return ExpressionConstants.True
+		}
+		return ExpressionConstants.False
+	case ValueKindNumber:
+		return fmt.Sprintf(ExpressionConstants.NumberFormat, er.value.(float64))
+	case ValueKindString:
+		return er.value.(string)
+	default:
+		return fmt.Sprintf("%v", er.value)
+	}
+}
+
+// TryGetCollectionInterface returns the underlying collection if the value is an array or object.
+func (er *EvaluationResult) TryGetCollectionInterface() (any, bool) {
+	switch v := er.value.(type) {
+	case ReadOnlyArray[any]:
+		return v, true
+	case ReadOnlyObject[any]:
+		return v, true
+	default:
+		return nil, false
+	}
+}
+
+// CreateIntermediateResult creates an EvaluationResult from an arbitrary object.
+func CreateIntermediateResult(context *EvaluationContext, obj any) *EvaluationResult {
+	val, kind, raw := convertToCanonicalValue(obj)
+	return NewEvaluationResult(context, 0, val, kind, raw, true)
+}
+
+// --- Helper functions and constants ---------------------------------------
+
+// ExpressionConstants holds string constants used in conversions.
+var ExpressionConstants = struct {
+	True         string
+	False        string
+	NumberFormat string
+}{
+	True:         "true",
+	False:        "false",
+	NumberFormat: "%.15g",
+}
+
+// convertToCanonicalValue converts an arbitrary Go value to a canonical form.
+func convertToCanonicalValue(obj any) (any, ValueKind, any) {
+	switch v := obj.(type) {
+	case nil:
+		return nil, ValueKindNull, nil
+	case bool:
+		return v, ValueKindBoolean, v
+	case int, int8, int16, int32, int64:
+		f := float64(toInt64(v))
+		return f, ValueKindNumber, f
+	case uint, uint8, uint16, uint32, uint64:
+		f := float64(toUint64(v))
+		return f, ValueKindNumber, f
+	case float32, float64:
+		f := toFloat64(v)
+		return f, ValueKindNumber, f
+	case string:
+		return v, ValueKindString, v
+	case []any:
+		return BasicArray[any](v), ValueKindArray, v
+	case ReadOnlyArray[any]:
+		return v, ValueKindArray, v
+	case map[string]any:
+		return CaseInsensitiveObject[any](v), ValueKindObject, v
+	case ReadOnlyObject[any]:
+		return v, ValueKindObject, v
+	default:
+		// Fallback: treat as object
+		return v, ValueKindObject, v
+	}
+}
+
+func toInt64(v any) int64 {
+	switch i := v.(type) {
+	case int:
+		return int64(i)
+	case int8:
+		return int64(i)
+	case int16:
+		return int64(i)
+	case int32:
+		return int64(i)
+	case int64:
+		return i
+	default:
+		return 0
+	}
+}
+
+func toUint64(v any) uint64 {
+	switch i := v.(type) {
+	case uint:
+		return uint64(i)
+	case uint8:
+		return uint64(i)
+	case uint16:
+		return uint64(i)
+	case uint32:
+		return uint64(i)
+	case uint64:
+		return i
+	default:
+		return 0
+	}
+}
+
+func toFloat64(v any) float64 {
+	switch f := v.(type) {
+	case float32:
+		return float64(f)
+	case float64:
+		return f
+	default:
+		return 0
+	}
+}
+
+// coerceTypes implements the C# CoerceTypes logic.
+// It converts values to compatible types before comparison.
+func coerceTypes(left, right any) (any, any, ValueKind, ValueKind) {
+	leftKind := getKind(left)
+	rightKind := getKind(right)
+
+	// same kind – nothing to do
+	if leftKind == rightKind {
+		return left, right, leftKind, rightKind
+	}
+
+	// Number <-> String
+	if leftKind == ValueKindNumber && rightKind == ValueKindString {
+		right = convertToNumber(right)
+		rightKind = ValueKindNumber
+		return left, right, leftKind, rightKind
+	}
+	if leftKind == ValueKindString && rightKind == ValueKindNumber {
+		left = convertToNumber(left)
+		leftKind = ValueKindNumber
+		return left, right, leftKind, rightKind
+	}
+
+	// Boolean or Null -> Number
+	if leftKind == ValueKindBoolean || leftKind == ValueKindNull {
+		left = convertToNumber(left)
+		return coerceTypes(left, right)
+	}
+	if rightKind == ValueKindBoolean || rightKind == ValueKindNull {
+		right = convertToNumber(right)
+		return coerceTypes(left, right)
+	}
+
+	// otherwise keep as is
+	return left, right, leftKind, rightKind
+}
+
+// abstractEqual uses coerceTypes before comparing.
+func abstractEqual(left, right any) bool {
+	left, right, leftKind, rightKind := coerceTypes(left, right)
+	if leftKind != rightKind {
+		return false
+	}
+	switch leftKind {
+	case ValueKindNull:
+		return true
+	case ValueKindNumber:
+		l := left.(float64)
+		r := right.(float64)
+		if isNaN(l) || isNaN(r) {
+			return false
+		}
+		return l == r
+	case ValueKindString:
+		return strings.EqualFold(left.(string), right.(string))
+	case ValueKindBoolean:
+		return left.(bool) == right.(bool)
+		// Compare object equality fails via panic
+		// case ValueKindObject, ValueKindArray:
+		// 	return left == right
+	}
+	return false
+}
+
+// abstractGreaterThan uses coerceTypes before comparing.
+func abstractGreaterThan(left, right any) bool {
+	left, right, leftKind, rightKind := coerceTypes(left, right)
+	if leftKind != rightKind {
+		return false
+	}
+	switch leftKind {
+	case ValueKindNumber:
+		l := left.(float64)
+		r := right.(float64)
+		if isNaN(l) || isNaN(r) {
+			return false
+		}
+		return l > r
+	case ValueKindString:
+		return strings.Compare(left.(string), right.(string)) > 0
+	case ValueKindBoolean:
+		return left.(bool) && !right.(bool)
+	}
+	return false
+}
+
+// abstractLessThan uses coerceTypes before comparing.
+func abstractLessThan(left, right any) bool {
+	left, right, leftKind, rightKind := coerceTypes(left, right)
+	if leftKind != rightKind {
+		return false
+	}
+	switch leftKind {
+	case ValueKindNumber:
+		l := left.(float64)
+		r := right.(float64)
+		if isNaN(l) || isNaN(r) {
+			return false
+		}
+		return l < r
+	case ValueKindString:
+		return strings.Compare(left.(string), right.(string)) < 0
+	case ValueKindBoolean:
+		return !left.(bool) && right.(bool)
+	}
+	return false
+}
+
+// convertToNumber converts a value to a float64 following JavaScript rules.
+func convertToNumber(v any) float64 {
+	switch val := v.(type) {
+	case nil:
+		return 0
+	case bool:
+		if val {
+			return 1
+		}
+		return 0
+	case float64:
+		return val
+	case float32:
+		return float64(val)
+	case string:
+		// parsenumber
+		if val == "" {
+			return float64(0)
+		}
+		if len(val) > 2 {
+			switch val[:2] {
+			case "0x", "0o":
+				if i, err := strconv.ParseInt(val, 0, 32); err == nil {
+					return float64(i)
+				}
+			}
+		}
+		if f, err := strconv.ParseFloat(val, 64); err == nil {
+			return f
+		}
+		return math.NaN()
+	default:
+		return math.NaN()
+	}
+}
+
+// getKind returns the ValueKind for a Go value.
+func getKind(v any) ValueKind {
+	switch v.(type) {
+	case nil:
+		return ValueKindNull
+	case bool:
+		return ValueKindBoolean
+	case float64, float32, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
+		return ValueKindNumber
+	case string:
+		return ValueKindString
+	case []any:
+		return ValueKindArray
+	case map[string]any:
+		return ValueKindObject
+	default:
+		return ValueKindObject
+	}
+}
+
+// traceValue is a placeholder for tracing logic.
+func (er *EvaluationResult) traceValue() {
+	// No-op in this simplified implementation.
+}
+
+// --- End of file ---------------------------------------
--- a/internal/eval/v2/evaluator.go
+++ b/internal/eval/v2/evaluator.go
@@ -0,0 +1,276 @@
+package v2
+
+import (
+	"errors"
+	"fmt"
+
+	exprparser "gitea.com/gitea/act_runner/internal/expr"
+)
+
+// EvaluationContext holds variables that can be referenced in expressions.
+type EvaluationContext struct {
+	Variables ReadOnlyObject[any]
+	Functions ReadOnlyObject[Function]
+}
+
+func NewEvaluationContext() *EvaluationContext {
+	return &EvaluationContext{}
+}
+
+type Function interface {
+	Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error)
+}
+
+// Evaluator evaluates workflow expressions using the lexer and parser from workflow.
+type Evaluator struct {
+	ctx *EvaluationContext
+}
+
+// NewEvaluator creates an Evaluator with the supplied context.
+func NewEvaluator(ctx *EvaluationContext) *Evaluator {
+	return &Evaluator{ctx: ctx}
+}
+
+func (e *Evaluator) Context() *EvaluationContext {
+	return e.ctx
+}
+
+func (e *Evaluator) Evaluate(root exprparser.Node) (*EvaluationResult, error) {
+	result, err := e.evalNode(root)
+	if err != nil {
+		return nil, err
+	}
+	return result, nil
+}
+
+// EvaluateBoolean parses and evaluates the expression, returning a boolean result.
+func (e *Evaluator) EvaluateBoolean(expr string) (bool, error) {
+	root, err := exprparser.Parse(expr)
+	if err != nil {
+		return false, fmt.Errorf("parse error: %w", err)
+	}
+	result, err := e.evalNode(root)
+	if err != nil {
+		return false, err
+	}
+	return result.IsTruthy(), nil
+}
+
+func (e *Evaluator) ToRaw(result *EvaluationResult) (any, error) {
+	if col, ok := result.TryGetCollectionInterface(); ok {
+		switch node := col.(type) {
+		case ReadOnlyObject[any]:
+			rawMap := map[string]any{}
+			for k, v := range node.GetEnumerator() {
+				rawRes, err := e.ToRaw(CreateIntermediateResult(e.Context(), v))
+				if err != nil {
+					return nil, err
+				}
+				rawMap[k] = rawRes
+			}
+			return rawMap, nil
+		case ReadOnlyArray[any]:
+			rawArray := []any{}
+			for _, v := range node.GetEnumerator() {
+				rawRes, err := e.ToRaw(CreateIntermediateResult(e.Context(), v))
+				if err != nil {
+					return nil, err
+				}
+				rawArray = append(rawArray, rawRes)
+			}
+			return rawArray, nil
+		}
+	}
+	return result.Value(), nil
+}
+
+// Evaluate parses and evaluates the expression, returning a boolean result.
+func (e *Evaluator) EvaluateRaw(expr string) (any, error) {
+	root, err := exprparser.Parse(expr)
+	if err != nil {
+		return false, fmt.Errorf("parse error: %w", err)
+	}
+	result, err := e.evalNode(root)
+	if err != nil {
+		return false, err
+	}
+	return e.ToRaw(result)
+}
+
+type FilteredArray []any
+
+func (a FilteredArray) GetAt(i int64) any {
+	if int(i) > len(a) {
+		return nil
+	}
+	return a[i]
+}
+
+func (a FilteredArray) GetEnumerator() []any {
+	return a
+}
+
+// evalNode recursively evaluates a parser node and returns an EvaluationResult.
+func (e *Evaluator) evalNode(n exprparser.Node) (*EvaluationResult, error) {
+	switch node := n.(type) {
+	case *exprparser.ValueNode:
+		return e.evalValueNode(node)
+	case *exprparser.FunctionNode:
+		return e.evalFunctionNode(node)
+	case *exprparser.BinaryNode:
+		return e.evalBinaryNode(node)
+	case *exprparser.UnaryNode:
+		return e.evalUnaryNode(node)
+	}
+	return nil, errors.New("unknown node type")
+}
+
+func (e *Evaluator) evalValueNode(node *exprparser.ValueNode) (*EvaluationResult, error) {
+	if node.Kind == exprparser.TokenKindNamedValue {
+		if e.ctx != nil {
+			val := e.ctx.Variables.Get(node.Value.(string))
+			if val == nil {
+				return nil, fmt.Errorf("undefined variable %s", node.Value)
+			}
+			return CreateIntermediateResult(e.Context(), val), nil
+		}
+		return nil, errors.New("no evaluation context")
+	}
+	return CreateIntermediateResult(e.Context(), node.Value), nil
+}
+
+func (e *Evaluator) evalFunctionNode(node *exprparser.FunctionNode) (*EvaluationResult, error) {
+	fn := e.ctx.Functions.Get(node.Name)
+	if fn == nil {
+		return nil, fmt.Errorf("unknown function %v", node.Name)
+	}
+	return fn.Evaluate(e, node.Args)
+}
+
+func (e *Evaluator) evalBinaryNode(node *exprparser.BinaryNode) (*EvaluationResult, error) {
+	left, err := e.evalNode(node.Left)
+	if err != nil {
+		return nil, err
+	}
+	if res, err := e.evalBinaryNodeLeft(node, left); res != nil || err != nil {
+		return res, err
+	}
+	right, err := e.evalNode(node.Right)
+	if err != nil {
+		return nil, err
+	}
+	return e.evalBinaryNodeRight(node, left, right)
+}
+
+func (e *Evaluator) evalBinaryNodeLeft(node *exprparser.BinaryNode, left *EvaluationResult) (*EvaluationResult, error) {
+	switch node.Op {
+	case "&&":
+		if left.IsFalsy() {
+			return left, nil
+		}
+	case "||":
+		if left.IsTruthy() {
+			return left, nil
+		}
+	case ".":
+		if v, ok := node.Right.(*exprparser.ValueNode); ok && v.Kind == exprparser.TokenKindWildcard {
+			var ret FilteredArray
+			if col, ok := left.TryGetCollectionInterface(); ok {
+				if farray, ok := col.(FilteredArray); ok {
+					for _, subcol := range farray.GetEnumerator() {
+						ret = processStar(CreateIntermediateResult(e.Context(), subcol).Value(), ret)
+					}
+				} else {
+					ret = processStar(col, ret)
+				}
+			}
+			return CreateIntermediateResult(e.Context(), ret), nil
+		}
+	}
+	return nil, errors.ErrUnsupported
+}
+
+func (e *Evaluator) evalBinaryNodeRight(node *exprparser.BinaryNode, left *EvaluationResult, right *EvaluationResult) (*EvaluationResult, error) {
+	switch node.Op {
+	case "&&":
+		return right, nil
+	case "||":
+		return right, nil
+	case "==":
+		// Use abstract equality per spec
+		return CreateIntermediateResult(e.Context(), left.AbstractEqual(right)), nil
+	case "!=":
+		return CreateIntermediateResult(e.Context(), left.AbstractNotEqual(right)), nil
+	case ">":
+		return CreateIntermediateResult(e.Context(), left.AbstractGreaterThan(right)), nil
+	case "<":
+		return CreateIntermediateResult(e.Context(), left.AbstractLessThan(right)), nil
+	case ">=":
+		return CreateIntermediateResult(e.Context(), left.AbstractGreaterThanOrEqual(right)), nil
+	case "<=":
+		return CreateIntermediateResult(e.Context(), left.AbstractLessThanOrEqual(right)), nil
+	case ".", "[":
+		if farray, ok := left.Value().(FilteredArray); ok {
+			var ret FilteredArray
+			for _, subcol := range farray.GetEnumerator() {
+				res := processIndex(CreateIntermediateResult(e.Context(), subcol).Value(), right)
+				if res != nil {
+					ret = append(ret, res)
+				}
+			}
+			if ret == nil {
+				return CreateIntermediateResult(e.Context(), nil), nil
+			}
+			return CreateIntermediateResult(e.Context(), ret), nil
+		}
+		col, _ := left.TryGetCollectionInterface()
+		result := processIndex(col, right)
+		return CreateIntermediateResult(e.Context(), result), nil
+	default:
+		return nil, fmt.Errorf("unsupported operator %s", node.Op)
+	}
+}
+
+func (e *Evaluator) evalUnaryNode(node *exprparser.UnaryNode) (*EvaluationResult, error) {
+	operand, err := e.evalNode(node.Operand)
+	if err != nil {
+		return nil, err
+	}
+	switch node.Op {
+	case "!":
+		return CreateIntermediateResult(e.Context(), !operand.IsTruthy()), nil
+	default:
+		return nil, fmt.Errorf("unsupported unary operator %s", node.Op)
+	}
+}
+
+func processIndex(col any, right *EvaluationResult) any {
+	if mapVal, ok := col.(ReadOnlyObject[any]); ok {
+		key, ok := right.Value().(string)
+		if !ok {
+			return nil
+		}
+		val := mapVal.Get(key)
+		return val
+	}
+	if arrayVal, ok := col.(ReadOnlyArray[any]); ok {
+		key, ok := right.Value().(float64)
+		if !ok || key < 0 {
+			return nil
+		}
+		val := arrayVal.GetAt(int64(key))
+		return val
+	}
+	return nil
+}
+
+func processStar(subcol any, ret FilteredArray) FilteredArray {
+	if array, ok := subcol.(ReadOnlyArray[any]); ok {
+		ret = append(ret, array.GetEnumerator()...)
+	} else if obj, ok := subcol.(ReadOnlyObject[any]); ok {
+		for _, v := range obj.GetEnumerator() {
+			ret = append(ret, v)
+		}
+	}
+	return ret
+}
--- a/internal/eval/v2/evaluator_test.go
+++ b/internal/eval/v2/evaluator_test.go
@@ -0,0 +1,117 @@
+package v2
+
+import (
+	"testing"
+)
+
+// Test boolean and comparison operations using the evaluator.
+func TestEvaluator_BooleanOps(t *testing.T) {
+	ctx := &EvaluationContext{Variables: CaseInsensitiveObject[any](map[string]any{"a": 5, "b": 3})}
+	eval := NewEvaluator(ctx)
+
+	tests := []struct {
+		expr string
+		want bool
+	}{
+		{"1 == 1", true},
+		{"1 != 2", true},
+		{"5 > 3", true},
+		{"2 < 4", true},
+		{"5 >= 5", true},
+		{"3 <= 4", true},
+		{"true && false", false},
+		{"!false", true},
+		{"a > b", true},
+	}
+
+	for _, tt := range tests {
+		got, err := eval.EvaluateBoolean(tt.expr)
+		if err != nil {
+			t.Fatalf("evaluate %s error: %v", tt.expr, err)
+		}
+		if got != tt.want {
+			t.Fatalf("evaluate %s expected %v got %v", tt.expr, tt.want, got)
+		}
+	}
+}
+
+func TestEvaluator_Raw(t *testing.T) {
+	ctx := &EvaluationContext{
+		Variables: CaseInsensitiveObject[any](map[string]any{"a": 5, "b": 3}),
+		Functions: GetFunctions(),
+	}
+	eval := NewEvaluator(ctx)
+
+	tests := []struct {
+		expr string
+		want any
+	}{
+		{"a.b['x']", nil},
+		{"(a.b).c['x']", nil},
+		{"(a.b).*['x']", nil},
+		{"(a['x'])", nil},
+		{"true || false", true},
+		{"false || false", false},
+		{"false || true", true},
+		{"false || true || false", true},
+		{"contains('', '') || contains('', '') || contains('', '')", true},
+		{"1 == 1", true},
+		{"1 != 2", true},
+		{"5 > 3", true},
+		{"2 < 4", true},
+		{"5 >= 5", true},
+		{"3 <= 4", true},
+		{"true && false", false},
+		{"!false", true},
+		{"a > b", true},
+		{"!(a > b)", false},
+		{"!(a > b) || !0", true},
+		{"!(a > b) || !(1)", false},
+		{"'Hello World'", "Hello World"},
+		{"23.5", 23.5},
+		{"fromjson('{\"twst\":\"x\"}')['twst']", "x"},
+		{"fromjson('{\"Twst\":\"x\"}')['twst']", "x"},
+		{"fromjson('{\"TwsT\":\"x\"}')['twst']", "x"},
+		{"fromjson('{\"TwsT\":\"x\"}')['tWst']", "x"},
+		{"fromjson('{\"TwsT\":{\"a\":\"y\"}}').TwsT.a", "y"},
+		{"fromjson('{\"TwsT\":{\"a\":\"y\"}}')['TwsT'].a", "y"},
+		{"fromjson('{\"TwsT\":{\"a\":\"y\"}}')['TwsT']['a']", "y"},
+		{"fromjson('{\"TwsT\":{\"a\":\"y\"}}').TwsT['a']", "y"},
+		// {"fromjson('{\"TwsT\":\"x\"}').*[0]", "x"},
+		{"fromjson('{\"TwsT\":[\"x\"]}')['TwsT'][0]", "x"},
+		{"fromjson('[]')['tWst']", nil},
+		{"fromjson('[]').tWst", nil},
+		{"contains('a', 'a')", true},
+		{"contains('bab', 'a')", true},
+		{"contains('bab', 'ac')", false},
+		{"contains(fromjson('[\"ac\"]'), 'ac')", true},
+		{"contains(fromjson('[\"ac\"]'), 'a')", false},
+		// {"fromjson('{\"TwsT\":{\"a\":\"y\"}}').*['a']", "y"},
+		{"fromjson(tojson(fromjson('{\"TwsT\":{\"a\":\"y\"}}').*.a))[0]", "y"},
+		{"fromjson(tojson(fromjson('{\"TwsT\":{\"a\":\"y\"}}').*['a']))[0]", "y"},
+		{"fromjson('{}').x", nil},
+		{"format('{0}', fromjson('{}').x)", ""},
+		{"format('{0}', fromjson('{}')[0])", ""},
+		{"fromjson(tojson(fromjson('[[3,5],[5,6]]').*[1]))[1]", float64(6)},
+		{"contains(fromjson('[[3,5],[5,6]]').*[1], 5)", true},
+		{"contains(fromjson('[[3,5],[5,6]]').*[1], 6)", true},
+		{"contains(fromjson('[[3,5],[5,6]]').*[1], 3)", false},
+		{"contains(fromjson('[[3,5],[5,6]]').*[1], '6')", true},
+		{"case(6 == 6, 0, 1)", 0.0},
+		{"case(6 != 6, 0, 1)", 1.0},
+		{"case(6 != 6, 0, 'test')", "test"},
+		{"case(contains(fromjson('[\"ac\"]'), 'a'), 0, 'test')", "test"},
+		{"case(0 == 1, 0, 2 == 2, 1, 0)", 1.0},
+		{"case(0 == 1, 0, 2 != 2, 1, 0)", 0.0},
+	}
+
+	for _, tt := range tests {
+		got, err := eval.EvaluateRaw(tt.expr)
+		if err != nil {
+			t.Fatalf("evaluate %s error: %v", tt.expr, err)
+		}
+		if got != tt.want {
+			t.Fatalf("evaluate %s expected %v got %v", tt.expr, tt.want, got)
+		}
+	}
+}
--- a/internal/eval/v2/functions.go
+++ b/internal/eval/v2/functions.go
@@ -0,0 +1,202 @@
+package v2
+
+import (
+	"encoding/json"
+	"errors"
+	"strings"
+
+	"gitea.com/gitea/act_runner/internal/eval/functions"
+	exprparser "gitea.com/gitea/act_runner/internal/expr"
+)
+
+type FromJSON struct {
+}
+
+func (FromJSON) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	r, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	var res any
+	if err := json.Unmarshal([]byte(r.ConvertToString()), &res); err != nil {
+		return nil, err
+	}
+
+	return CreateIntermediateResult(eval.Context(), res), nil
+}
+
+type ToJSON struct {
+}
+
+func (ToJSON) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	r, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	raw, err := eval.ToRaw(r)
+	if err != nil {
+		return nil, err
+	}
+	data, err := json.MarshalIndent(raw, "", "  ")
+	if err != nil {
+		return nil, err
+	}
+	return CreateIntermediateResult(eval.Context(), string(data)), nil
+}
+
+type Contains struct {
+}
+
+func (Contains) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	collection, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	el, err := eval.Evaluate(args[1])
+	if err != nil {
+		return nil, err
+	}
+	// Array
+	if col, ok := collection.TryGetCollectionInterface(); ok {
+		if node, ok := col.(ReadOnlyArray[any]); ok {
+			for _, v := range node.GetEnumerator() {
+				canon := CreateIntermediateResult(eval.Context(), v)
+				if canon.AbstractEqual(el) {
+					return CreateIntermediateResult(eval.Context(), true), nil
+				}
+			}
+		}
+		return CreateIntermediateResult(eval.Context(), false), nil
+	}
+	// String
+	return CreateIntermediateResult(eval.Context(), strings.Contains(strings.ToLower(collection.ConvertToString()), strings.ToLower(el.ConvertToString()))), nil
+}
+
+type StartsWith struct {
+}
+
+func (StartsWith) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	collection, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	el, err := eval.Evaluate(args[1])
+	if err != nil {
+		return nil, err
+	}
+	// String
+	return CreateIntermediateResult(eval.Context(), strings.HasPrefix(strings.ToLower(collection.ConvertToString()), strings.ToLower(el.ConvertToString()))), nil
+}
+
+type EndsWith struct {
+}
+
+func (EndsWith) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	collection, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	el, err := eval.Evaluate(args[1])
+	if err != nil {
+		return nil, err
+	}
+	// String
+	return CreateIntermediateResult(eval.Context(), strings.HasSuffix(strings.ToLower(collection.ConvertToString()), strings.ToLower(el.ConvertToString()))), nil
+}
+
+type Format struct {
+}
+
+func (Format) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	collection, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+
+	sargs := []any{}
+	for _, arg := range args[1:] {
+		el, err := eval.Evaluate(arg)
+		if err != nil {
+			return nil, err
+		}
+		sargs = append(sargs, el.ConvertToString())
+	}
+
+	ret, err := functions.Format(collection.ConvertToString(), sargs...)
+	return CreateIntermediateResult(eval.Context(), ret), err
+}
+
+type Join struct {
+}
+
+func (Join) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	collection, err := eval.Evaluate(args[0])
+	if err != nil {
+		return nil, err
+	}
+	var el *EvaluationResult
+
+	if len(args) > 1 {
+		if el, err = eval.Evaluate(args[1]); err != nil {
+			return nil, err
+		}
+	}
+	// Array
+	if col, ok := collection.TryGetCollectionInterface(); ok {
+		var elements []string
+		if node, ok := col.(ReadOnlyArray[any]); ok {
+			for _, v := range node.GetEnumerator() {
+				elements = append(elements, CreateIntermediateResult(eval.Context(), v).ConvertToString())
+			}
+		}
+		var sep string
+		if el != nil {
+			sep = el.ConvertToString()
+		} else {
+			sep = ","
+		}
+		return CreateIntermediateResult(eval.Context(), strings.Join(elements, sep)), nil
+	}
+	// Primitive
+	if collection.IsPrimitive() {
+		return CreateIntermediateResult(eval.Context(), collection.ConvertToString()), nil
+	}
+	return CreateIntermediateResult(eval.Context(), ""), nil
+}
+
+type Case struct {
+}
+
+func (Case) Evaluate(eval *Evaluator, args []exprparser.Node) (*EvaluationResult, error) {
+	if len(args)%2 == 0 {
+		return nil, errors.New("case function requires an odd number of arguments")
+	}
+
+	for i := 0; i < len(args)-1; i += 2 {
+		condition, err := eval.Evaluate(args[i])
+		if err != nil {
+			return nil, err
+		}
+		if condition.kind != ValueKindBoolean {
+			return nil, errors.New("case function conditions must evaluate to boolean")
+		}
+		if condition.IsTruthy() {
+			return eval.Evaluate(args[i+1])
+		}
+	}
+
+	return eval.Evaluate(args[len(args)-1])
+}
+
+func GetFunctions() CaseInsensitiveObject[Function] {
+	return CaseInsensitiveObject[Function](map[string]Function{
+		"fromjson":   &FromJSON{},
+		"tojson":     &ToJSON{},
+		"contains":   &Contains{},
+		"startswith": &StartsWith{},
+		"endswith":   &EndsWith{},
+		"format":     &Format{},
+		"join":       &Join{},
+		"case":       &Case{},
+	})
+}
--- a/internal/expr/expression_parse_test.go
+++ b/internal/expr/expression_parse_test.go
@@ -0,0 +1,27 @@
+package workflow
+
+import "testing"
+
+func TestExpressionParser(t *testing.T) {
+	node, err := Parse("github.event_name")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	t.Logf("Parsed expression: %+v", node)
+}
+
+func TestExpressionParserWildcard(t *testing.T) {
+	node, err := Parse("github.commits.*.message")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	t.Logf("Parsed expression: %+v", node)
+}
+
+func TestExpressionParserDot(t *testing.T) {
+	node, err := Parse("github.head_commit.message")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	t.Logf("Parsed expression: %+v", node)
+}
--- a/internal/expr/expression_parser.go
+++ b/internal/expr/expression_parser.go
@@ -0,0 +1,306 @@
+package workflow
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+// Node represents a node in the expression tree.
+// It is intentionally minimal – only the fields needed for the parser.
+// Users can extend it with more information if required.
+
+type Node interface {
+	String() string
+}
+
+// ValueNode represents a literal value (number, string, boolean, null) or a named value.
+// The Kind field indicates the type.
+// For named values the Value is nil.
+
+type ValueNode struct {
+	Kind  TokenKind
+	Value any
+}
+
+// FunctionNode represents a function call with arguments.
+
+type FunctionNode struct {
+	Name string
+	Args []Node
+}
+
+// BinaryNode represents a binary operator.
+
+type BinaryNode struct {
+	Op    string
+	Left  Node
+	Right Node
+}
+
+// UnaryNode represents a unary operator.
+
+type UnaryNode struct {
+	Op      string
+	Operand Node
+}
+
+// Parser holds the lexer and the stacks used by the shunting‑yard algorithm.
+
+type Parser struct {
+	lexer  *Lexer
+	tokens []Token
+	pos    int
+	ops    []OpToken
+	vals   []Node
+}
+
+type OpToken struct {
+	Token
+	StartPos int
+}
+
+func precedence(tkn Token) int {
+	switch tkn.Kind {
+	case TokenKindStartGroup:
+		return 20
+	case TokenKindStartIndex, TokenKindStartParameters, TokenKindDereference:
+		return 19
+	case TokenKindLogicalOperator:
+		switch tkn.Raw {
+		case "!":
+			return 16
+		case ">", ">=", "<", "<=":
+			return 11
+		case "==", "!=":
+			return 10
+		case "&&":
+			return 6
+		case "||":
+			return 5
+		}
+	case TokenKindEndGroup, TokenKindEndIndex, TokenKindEndParameters, TokenKindSeparator:
+		return 1
+	}
+	return 0
+}
+
+// Parse parses the expression and returns the root node.
+func Parse(expression string) (Node, error) {
+	lexer := NewLexer(expression, 0)
+	p := &Parser{}
+	// Tokenise all tokens
+	if err := p.initWithLexer(lexer); err != nil {
+		return nil, err
+	}
+	return p.parse()
+}
+
+func (p *Parser) parse() (Node, error) {
+	// Shunting‑yard algorithm
+	for p.pos < len(p.tokens) {
+		tok := p.tokens[p.pos]
+		p.pos++
+		switch tok.Kind {
+		case TokenKindNumber, TokenKindString, TokenKindBoolean, TokenKindNull:
+			p.pushValue(&ValueNode{Kind: tok.Kind, Value: tok.Value})
+		case TokenKindNamedValue, TokenKindPropertyName, TokenKindWildcard:
+			p.pushValue(&ValueNode{Kind: tok.Kind, Value: tok.Raw})
+		case TokenKindFunction:
+			p.pushFunc(tok, len(p.vals))
+		case TokenKindStartParameters, TokenKindStartGroup, TokenKindStartIndex, TokenKindLogicalOperator, TokenKindDereference:
+			if err := p.pushOp(tok); err != nil {
+				return nil, err
+			}
+		case TokenKindSeparator:
+			if err := p.popGroup(TokenKindStartParameters); err != nil {
+				return nil, err
+			}
+		case TokenKindEndParameters:
+			if err := p.pushFuncValue(); err != nil {
+				return nil, err
+			}
+		case TokenKindEndGroup:
+			if err := p.popGroup(TokenKindStartGroup); err != nil {
+				return nil, err
+			}
+
+			p.ops = p.ops[:len(p.ops)-1]
+		case TokenKindEndIndex:
+			if err := p.popGroup(TokenKindStartIndex); err != nil {
+				return nil, err
+			}
+
+			// pop the start parameters
+			p.ops = p.ops[:len(p.ops)-1]
+			right := p.vals[len(p.vals)-1]
+			p.vals = p.vals[:len(p.vals)-1]
+			left := p.vals[len(p.vals)-1]
+			p.vals = p.vals[:len(p.vals)-1]
+			p.vals = append(p.vals, &BinaryNode{Op: "[", Left: left, Right: right})
+		}
+	}
+	for len(p.ops) > 0 {
+		if err := p.popOp(); err != nil {
+			return nil, err
+		}
+	}
+	if len(p.vals) != 1 {
+		return nil, errors.New("invalid expression")
+	}
+	return p.vals[0], nil
+}
+
+func (p *Parser) pushFuncValue() error {
+	if err := p.popGroup(TokenKindStartParameters); err != nil {
+		return err
+	}
+
+	// pop the start parameters
+	p.ops = p.ops[:len(p.ops)-1]
+	// create function node
+	fnTok := p.ops[len(p.ops)-1]
+	if fnTok.Kind != TokenKindFunction {
+		return errors.New("expected function token")
+	}
+	p.ops = p.ops[:len(p.ops)-1]
+	// collect arguments
+	args := []Node{}
+	for len(p.vals) > fnTok.StartPos {
+		args = append([]Node{p.vals[len(p.vals)-1]}, args...)
+		p.vals = p.vals[:len(p.vals)-1]
+	}
+	p.pushValue(&FunctionNode{Name: fnTok.Raw, Args: args})
+	return nil
+}
+
+func (p *Parser) initWithLexer(lexer *Lexer) error {
+	p.lexer = lexer
+	for {
+		tok := lexer.Next()
+		if tok == nil {
+			break
+		}
+		if tok.Kind == TokenKindUnexpected {
+			return fmt.Errorf("unexpected token %s at position %d", tok.Raw, tok.Index)
+		}
+		p.tokens = append(p.tokens, *tok)
+	}
+	return nil
+}
+
+func (p *Parser) popGroup(kind TokenKind) error {
+	for len(p.ops) > 0 && p.ops[len(p.ops)-1].Kind != kind {
+		if err := p.popOp(); err != nil {
+			return err
+		}
+	}
+	if len(p.ops) == 0 {
+		return errors.New("mismatched parentheses")
+	}
+	return nil
+}
+
+func (p *Parser) pushValue(v Node) {
+	p.vals = append(p.vals, v)
+}
+
+func (p *Parser) pushOp(t Token) error {
+	for len(p.ops) > 0 {
+		top := p.ops[len(p.ops)-1]
+		if precedence(top.Token) >= precedence(t) &&
+			top.Kind != TokenKindStartGroup &&
+			top.Kind != TokenKindStartIndex &&
+			top.Kind != TokenKindStartParameters &&
+			top.Kind != TokenKindSeparator {
+			if err := p.popOp(); err != nil {
+				return err
+			}
+		} else {
+			break
+		}
+	}
+	p.ops = append(p.ops, OpToken{Token: t})
+	return nil
+}
+
+func (p *Parser) pushFunc(t Token, start int) {
+	p.ops = append(p.ops, OpToken{Token: t, StartPos: start})
+}
+
+func (p *Parser) popOp() error {
+	if len(p.ops) == 0 {
+		return nil
+	}
+	op := p.ops[len(p.ops)-1]
+	p.ops = p.ops[:len(p.ops)-1]
+	switch op.Kind {
+	case TokenKindLogicalOperator:
+		if op.Raw == "!" {
+			if len(p.vals) < 1 {
+				return errors.New("insufficient operands")
+			}
+			right := p.vals[len(p.vals)-1]
+			p.vals = p.vals[:len(p.vals)-1]
+			p.vals = append(p.vals, &UnaryNode{Op: op.Raw, Operand: right})
+		} else {
+			if len(p.vals) < 2 {
+				return errors.New("insufficient operands")
+			}
+			right := p.vals[len(p.vals)-1]
+			left := p.vals[len(p.vals)-2]
+			p.vals = p.vals[:len(p.vals)-2]
+			p.vals = append(p.vals, &BinaryNode{Op: op.Raw, Left: left, Right: right})
+		}
+	case TokenKindStartParameters:
+		// unary operator '!' handled elsewhere
+	case TokenKindDereference:
+		if len(p.vals) < 2 {
+			return errors.New("insufficient operands")
+		}
+		right := p.vals[len(p.vals)-1]
+		left := p.vals[len(p.vals)-2]
+		p.vals = p.vals[:len(p.vals)-2]
+		p.vals = append(p.vals, &BinaryNode{Op: ".", Left: left, Right: right})
+	}
+	return nil
+}
+
+// String returns a string representation of the node.
+func (n *ValueNode) String() string { return fmt.Sprintf("%v", n.Value) }
+
+// String returns a string representation of the node.
+func (n *FunctionNode) String() string {
+	return fmt.Sprintf("%s(%s)", n.Name, strings.Join(funcArgs(n.Args), ", "))
+}
+
+func funcArgs(args []Node) []string {
+	res := []string{}
+	for _, a := range args {
+		res = append(res, a.String())
+	}
+	return res
+}
+
+// String returns a string representation of the node.
+func (n *BinaryNode) String() string {
+	return fmt.Sprintf("(%s %s %s)", n.Left.String(), n.Op, n.Right.String())
+}
+
+// String returns a string representation of the node.
+func (n *UnaryNode) String() string { return fmt.Sprintf("(%s%s)", n.Op, n.Operand.String()) }
+
+func VisitNode(exprNode Node, callback func(node Node)) {
+	callback(exprNode)
+	switch node := exprNode.(type) {
+	case *FunctionNode:
+		for _, arg := range node.Args {
+			VisitNode(arg, callback)
+		}
+	case *UnaryNode:
+		VisitNode(node.Operand, callback)
+	case *BinaryNode:
+		VisitNode(node.Left, callback)
+		VisitNode(node.Right, callback)
+	}
+}
--- a/internal/expr/lexer.go
+++ b/internal/expr/lexer.go
@@ -0,0 +1,361 @@
+package workflow
+
+import (
+	"math"
+	"slices"
+	"strconv"
+	"strings"
+	"unicode"
+)
+
+// TokenKind represents the type of token returned by the lexer.
+// The values mirror the C# TokenKind enum.
+//
+// Note: The names are kept identical to the C# implementation for
+// easier mapping when porting the parser.
+//
+// The lexer is intentionally simple – it only tokenises the subset of
+// expressions that are used in GitHub Actions workflow `if:` expressions.
+// It does not evaluate the expression – that is left to the parser.
+
+type TokenKind int
+
+const (
+	TokenKindStartGroup TokenKind = iota
+	TokenKindStartIndex
+	TokenKindEndGroup
+	TokenKindEndIndex
+	TokenKindSeparator
+	TokenKindDereference
+	TokenKindWildcard
+	TokenKindLogicalOperator
+	TokenKindNumber
+	TokenKindString
+	TokenKindBoolean
+	TokenKindNull
+	TokenKindPropertyName
+	TokenKindFunction
+	TokenKindNamedValue
+	TokenKindStartParameters
+	TokenKindEndParameters
+	TokenKindUnexpected
+)
+
+// Token represents a single lexical token.
+// Raw holds the original text, Value holds the parsed value when applicable.
+// Index is the start position in the source string.
+//
+// The struct is intentionally minimal – it only contains what the parser
+// needs. If you need more information (e.g. token length) you can add it.
+
+type Token struct {
+	Kind  TokenKind
+	Raw   string
+	Value any
+	Index int
+}
+
+// Lexer holds the state while tokenising an expression.
+// It is a direct port of the C# LexicalAnalyzer.
+//
+// Flags can be used to enable/disable features – for now we only support
+// a single flag that mirrors ExpressionFlags.DTExpressionsV1.
+//
+// The lexer is not thread‑safe – reuse a single instance per expression.
+
+type Lexer struct {
+	expr  string
+	flags int
+	index int
+	last  *Token
+	stack []TokenKind // unclosed start tokens
+}
+
+// NewLexer creates a new lexer for the given expression.
+func NewLexer(expr string, flags int) *Lexer {
+	return &Lexer{expr: expr, flags: flags}
+}
+
+func testTokenBoundary(c rune) bool {
+	switch c {
+	case '(', '[', ')', ']', ',', '.',
+		'!', '>', '<', '=', '&', '|':
+		return true
+	default:
+		return unicode.IsSpace(c)
+	}
+}
+
+// Next returns the next token or nil if the end of the expression is reached.
+func (l *Lexer) Next() *Token {
+	// Skip whitespace
+	for l.index < len(l.expr) && unicode.IsSpace(rune(l.expr[l.index])) {
+		l.index++
+	}
+	if l.index >= len(l.expr) {
+		return nil
+	}
+
+	c := l.expr[l.index]
+	switch c {
+	case '(':
+		l.index++
+		// Function call or logical grouping
+		if l.last != nil && l.last.Kind == TokenKindFunction {
+			return l.createToken(TokenKindStartParameters, "(")
+		}
+		if l.flags&FlagV1 != 0 {
+			// V1 does not support grouping – treat as unexpected
+			return l.createToken(TokenKindUnexpected, "(")
+		}
+		return l.createToken(TokenKindStartGroup, "(")
+	case '[':
+		l.index++
+		return l.createToken(TokenKindStartIndex, "[")
+	case ')':
+		l.index++
+		if len(l.stack) > 0 && l.stack[len(l.stack)-1] == TokenKindStartParameters {
+			return l.createToken(TokenKindEndParameters, ")")
+		}
+		return l.createToken(TokenKindEndGroup, ")")
+	case ']':
+		l.index++
+		return l.createToken(TokenKindEndIndex, "]")
+	case ',':
+		l.index++
+		return l.createToken(TokenKindSeparator, ",")
+	case '*':
+		l.index++
+		return l.createToken(TokenKindWildcard, "*")
+	case '\'':
+		return l.readString()
+	case '!', '>', '<', '=', '&', '|':
+		if l.flags&FlagV1 != 0 {
+			l.index++
+			return l.createToken(TokenKindUnexpected, string(c))
+		}
+		return l.readOperator()
+	default:
+		return l.defaultNext(c)
+	}
+}
+
+func (l *Lexer) defaultNext(c byte) *Token {
+	if c == '.' {
+		// Could be number or dereference
+		if l.last == nil || l.last.Kind == TokenKindSeparator || l.last.Kind == TokenKindStartGroup || l.last.Kind == TokenKindStartIndex || l.last.Kind == TokenKindStartParameters || l.last.Kind == TokenKindLogicalOperator {
+			return l.readNumber()
+		}
+		l.index++
+		return l.createToken(TokenKindDereference, ".")
+	}
+	if c == '-' || c == '+' || unicode.IsDigit(rune(c)) {
+		return l.readNumber()
+	}
+	return l.readKeyword()
+}
+
+// Helper to create a token and update lexer state.
+func (l *Lexer) createToken(kind TokenKind, raw string) *Token {
+	// Token order check
+	if !l.checkLastToken(kind, raw) {
+		// Illegal token sequence
+		return &Token{Kind: TokenKindUnexpected, Raw: raw, Index: l.index}
+	}
+	tok := &Token{Kind: kind, Raw: raw, Index: l.index}
+	l.last = tok
+	// Manage stack for grouping
+	switch kind {
+	case TokenKindStartGroup, TokenKindStartIndex, TokenKindStartParameters:
+		l.stack = append(l.stack, kind)
+	case TokenKindEndGroup, TokenKindEndIndex, TokenKindEndParameters:
+		if len(l.stack) > 0 {
+			l.stack = l.stack[:len(l.stack)-1]
+		}
+	}
+	return tok
+}
+
+// nil last token represented by nil
+func (l *Lexer) getLastKind() *TokenKind {
+	var lastKind *TokenKind
+	if l.last != nil {
+		lastKind = &l.last.Kind
+	}
+	return lastKind
+}
+
+// checkLastToken verifies that the token sequence is legal based on the last token.
+func (l *Lexer) checkLastToken(kind TokenKind, raw string) bool {
+	lastKind := l.getLastKind()
+
+	// Helper to check if lastKind is in allowed list
+	allowed := func(allowedKinds ...TokenKind) bool {
+		return lastKind != nil && slices.Contains(allowedKinds, *lastKind)
+	}
+	// For nil last, we treat as no previous token
+	// Define allowed previous kinds for each token kind
+	switch kind {
+	case TokenKindStartGroup:
+		return lastKind == nil || allowed(TokenKindSeparator, TokenKindStartGroup, TokenKindStartParameters, TokenKindStartIndex, TokenKindLogicalOperator)
+	case TokenKindStartIndex:
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindStartParameters:
+		return allowed(TokenKindFunction)
+	case TokenKindEndGroup:
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindEndIndex:
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindEndParameters:
+		return allowed(TokenKindStartParameters, TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindSeparator:
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindWildcard:
+		return allowed(TokenKindStartIndex, TokenKindDereference)
+	case TokenKindDereference:
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindLogicalOperator:
+		if raw == "!" { // "!"
+			return lastKind == nil || allowed(TokenKindSeparator, TokenKindStartGroup, TokenKindStartParameters, TokenKindStartIndex, TokenKindLogicalOperator)
+		}
+		return allowed(TokenKindEndGroup, TokenKindEndParameters, TokenKindEndIndex, TokenKindWildcard, TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString, TokenKindPropertyName, TokenKindNamedValue)
+	case TokenKindNull, TokenKindBoolean, TokenKindNumber, TokenKindString:
+		return lastKind == nil || allowed(TokenKindSeparator, TokenKindStartIndex, TokenKindStartGroup, TokenKindStartParameters, TokenKindLogicalOperator)
+	case TokenKindPropertyName:
+		return allowed(TokenKindDereference)
+	case TokenKindFunction, TokenKindNamedValue:
+		return lastKind == nil || allowed(TokenKindSeparator, TokenKindStartIndex, TokenKindStartGroup, TokenKindStartParameters, TokenKindLogicalOperator)
+	default:
+		return true
+	}
+}
+
+// readNumber parses a numeric literal.
+func (l *Lexer) readNumber() *Token {
+	start := l.index
+	periods := 0
+	for l.index < len(l.expr) {
+		ch := l.expr[l.index]
+		if ch == '.' {
+			periods++
+		}
+		if testTokenBoundary(rune(ch)) && ch != '.' {
+			break
+		}
+		l.index++
+	}
+	raw := l.expr[start:l.index]
+	if len(raw) > 2 {
+		switch raw[:2] {
+		case "0x", "0o":
+			tok := l.createToken(TokenKindNumber, raw)
+			if i, err := strconv.ParseInt(raw, 0, 32); err == nil {
+				tok.Value = float64(i)
+				return tok
+			}
+		}
+	}
+	// Try to parse as float64
+	var val any = raw
+	if f, err := strconv.ParseFloat(raw, 64); err == nil {
+		val = f
+	}
+	tok := l.createToken(TokenKindNumber, raw)
+	tok.Value = val
+	return tok
+}
+
+// readString parses a single‑quoted string literal.
+func (l *Lexer) readString() *Token {
+	start := l.index
+	l.index++ // skip opening quote
+	var sb strings.Builder
+	closed := false
+	for l.index < len(l.expr) {
+		ch := l.expr[l.index]
+		l.index++
+		if ch == '\'' {
+			if l.index < len(l.expr) && l.expr[l.index] == '\'' {
+				// escaped quote
+				sb.WriteByte('\'')
+				l.index++
+				continue
+			}
+			closed = true
+			break
+		}
+		sb.WriteByte(ch)
+	}
+	raw := l.expr[start:l.index]
+	tok := l.createToken(TokenKindString, raw)
+	if closed {
+		tok.Value = sb.String()
+	} else {
+		tok.Kind = TokenKindUnexpected
+	}
+	return tok
+}
+
+// readOperator parses logical operators (==, !=, >, >=, etc.).
+func (l *Lexer) readOperator() *Token {
+	start := l.index
+	l.index++
+	if l.index < len(l.expr) {
+		two := l.expr[start : l.index+1]
+		switch two {
+		case "!=", ">=", "<=", "==", "&&", "||":
+			l.index++
+			return l.createToken(TokenKindLogicalOperator, two)
+		}
+	}
+	ch := l.expr[start]
+	switch ch {
+	case '!', '>', '<':
+		return l.createToken(TokenKindLogicalOperator, string(ch))
+	}
+	return l.createToken(TokenKindUnexpected, string(ch))
+}
+
+// readKeyword parses identifiers, booleans, null, etc.
+func (l *Lexer) readKeyword() *Token {
+	start := l.index
+	for l.index < len(l.expr) && !unicode.IsSpace(rune(l.expr[l.index])) && !strings.ContainsRune("()[],.!<>==&|*", rune(l.expr[l.index])) {
+		l.index++
+	}
+	raw := l.expr[start:l.index]
+	if l.last != nil && l.last.Kind == TokenKindDereference {
+		return l.createToken(TokenKindPropertyName, raw)
+	}
+	switch raw {
+	case "true":
+		tok := l.createToken(TokenKindBoolean, raw)
+		tok.Value = true
+		return tok
+	case "false":
+		tok := l.createToken(TokenKindBoolean, raw)
+		tok.Value = false
+		return tok
+	case "null":
+		return l.createToken(TokenKindNull, raw)
+	case "NaN":
+		tok := l.createToken(TokenKindNumber, raw)
+		tok.Value = math.NaN()
+		return tok
+	case "Infinity":
+		tok := l.createToken(TokenKindNumber, raw)
+		tok.Value = math.Inf(1)
+		return tok
+	}
+	if l.index < len(l.expr) && l.expr[l.index] == '(' {
+		return l.createToken(TokenKindFunction, raw)
+	}
+	return l.createToken(TokenKindNamedValue, raw)
+}
+
+// Flag constants – only V1 is used for now.
+const FlagV1 = 1
+
+// UnclosedTokens returns the stack of unclosed start tokens.
+func (l *Lexer) UnclosedTokens() []TokenKind {
+	return l.stack
+}
--- a/internal/expr/lexer_additional_test.go
+++ b/internal/expr/lexer_additional_test.go
@@ -0,0 +1,112 @@
+package workflow
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestLexerMultiple runs a set of expressions through the lexer and
+// verifies that the produced token kinds and values match expectations.
+func TestLexerMultiple(t *testing.T) {
+	cases := []struct {
+		expr     string
+		expected []TokenKind
+		values   []any // optional, nil if not checking values
+	}{
+		{
+			expr: "github.event_name == 'push'",
+			expected: []TokenKind{
+				TokenKindNamedValue, // github
+				TokenKindDereference,
+				TokenKindPropertyName,    // event_name
+				TokenKindLogicalOperator, // ==
+				TokenKindString,          // 'push'
+			},
+		},
+		{
+			expr: "github.event_name == 'push' && github.ref == 'refs/heads/main'",
+			expected: []TokenKind{
+				TokenKindNamedValue, TokenKindDereference, TokenKindPropertyName, TokenKindLogicalOperator, TokenKindString,
+				TokenKindLogicalOperator, // &&
+				TokenKindNamedValue, TokenKindDereference, TokenKindPropertyName, TokenKindLogicalOperator, TokenKindString,
+			},
+		},
+		{
+			expr: "contains(github.ref, 'refs/heads/')",
+			expected: []TokenKind{
+				TokenKindFunction, // contains
+				TokenKindStartParameters,
+				TokenKindNamedValue, TokenKindDereference, TokenKindPropertyName, // github.ref
+				TokenKindSeparator,
+				TokenKindString,
+				TokenKindEndParameters,
+			},
+		},
+		{
+			expr: "matrix[0].name",
+			expected: []TokenKind{
+				TokenKindNamedValue, // matrix
+				TokenKindStartIndex,
+				TokenKindNumber,
+				TokenKindEndIndex,
+				TokenKindDereference,
+				TokenKindPropertyName, // name
+			},
+		},
+		{
+			expr: "github.*",
+			expected: []TokenKind{
+				TokenKindNamedValue, TokenKindDereference, TokenKindWildcard,
+			},
+		},
+		{
+			expr:     "null",
+			expected: []TokenKind{TokenKindNull},
+		},
+		{
+			expr:     "true",
+			expected: []TokenKind{TokenKindBoolean},
+			values:   []any{true},
+		},
+		{
+			expr:     "123",
+			expected: []TokenKind{TokenKindNumber},
+			values:   []any{123.0},
+		},
+		{
+			expr:     "(a && b)",
+			expected: []TokenKind{TokenKindStartGroup, TokenKindNamedValue, TokenKindLogicalOperator, TokenKindNamedValue, TokenKindEndGroup},
+		},
+		{
+			expr:     "[1,2]", // Syntax Error
+			expected: []TokenKind{TokenKindUnexpected, TokenKindNumber, TokenKindSeparator, TokenKindNumber, TokenKindEndIndex},
+		},
+		{
+			expr:     "'Hello i''s escaped'",
+			expected: []TokenKind{TokenKindString},
+			values:   []any{"Hello i's escaped"},
+		},
+	}
+
+	for _, tc := range cases {
+		lexer := NewLexer(tc.expr, 0)
+		var tokens []*Token
+		for {
+			tok := lexer.Next()
+			if tok == nil {
+				break
+			}
+			tokens = append(tokens, tok)
+		}
+		assert.Len(t, tokens, len(tc.expected), "expression: %s", tc.expr)
+		for i, kind := range tc.expected {
+			assert.Equal(t, kind, tokens[i].Kind, "expr %s token %d", tc.expr, i)
+		}
+		if tc.values != nil {
+			for i, val := range tc.values {
+				assert.Equal(t, val, tokens[i].Value, "expr %s token %d value", tc.expr, i)
+			}
+		}
+	}
+}
--- a/internal/expr/lexer_test.go
+++ b/internal/expr/lexer_test.go
@@ -0,0 +1,56 @@
+package workflow
+
+import (
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLexer(t *testing.T) {
+	input := "github.event_name == 'push' && github.ref == 'refs/heads/main'"
+	lexer := NewLexer(input, 0)
+	var tokens []*Token
+	for {
+		tok := lexer.Next()
+		if tok == nil || tok.Kind == TokenKindUnexpected {
+			break
+		}
+		tokens = append(tokens, tok)
+	}
+	for i, tok := range tokens {
+		t.Logf("Token %d: Kind=%v, Value=%v", i, tok.Kind, tok.Value)
+	}
+	assert.Equal(t, TokenKindDereference, tokens[1].Kind)
+}
+
+func TestLexerNumbers(t *testing.T) {
+	table := []struct {
+		in  string
+		out any
+	}{
+		{"-Infinity", math.Inf(-1)},
+		{"Infinity", math.Inf(1)},
+		{"2.5", float64(2.5)},
+		{"3.3", float64(3.3)},
+		{"1", float64(1)},
+		{"-1", float64(-1)},
+		{"0x34", float64(0x34)},
+		{"0o34", float64(0o34)},
+	}
+	for _, cs := range table {
+		lexer := NewLexer(cs.in, 0)
+		var tokens []*Token
+		for {
+			tok := lexer.Next()
+			if tok == nil || tok.Kind == TokenKindUnexpected {
+				break
+			}
+			tokens = append(tokens, tok)
+		}
+		require.Len(t, tokens, 1)
+		assert.Equal(t, cs.out, tokens[0].Value)
+		assert.Equal(t, cs.in, tokens[0].Raw)
+	}
+}
--- a/internal/model/anchors.go
+++ b/internal/model/anchors.go
@@ -0,0 +1,30 @@
+package model
+
+import (
+	"errors"
+
+	"gopkg.in/yaml.v3"
+)
+
+// Assumes there is no cycle ensured via test TestVerifyCycleIsInvalid
+func resolveAliases(node *yaml.Node) error {
+	switch node.Kind {
+	case yaml.AliasNode:
+		aliasTarget := node.Alias
+		if aliasTarget == nil {
+			return errors.New("unresolved alias node")
+		}
+		*node = *aliasTarget
+		if err := resolveAliases(node); err != nil {
+			return err
+		}
+
+	case yaml.DocumentNode, yaml.MappingNode, yaml.SequenceNode:
+		for _, child := range node.Content {
+			if err := resolveAliases(child); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/internal/model/strategy_utils.go
+++ b/internal/model/strategy_utils.go
@@ -0,0 +1,240 @@
+package model
+
+import (
+	"errors"
+	"maps"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+)
+
+// TraceWriter is an interface for logging trace information.
+// Implementations can write to console, file, or any other sink.
+type TraceWriter interface {
+	Info(format string, args ...any)
+}
+
+// StrategyResult holds the result of expanding a strategy.
+// FlatMatrix contains the expanded matrix entries.
+// IncludeMatrix contains entries that were added via include.
+// FailFast indicates whether the job should fail fast.
+// MaxParallel is the maximum parallelism allowed.
+// MatrixKeys is the set of keys present in the matrix.
+type StrategyResult struct {
+	FlatMatrix    []map[string]yaml.Node
+	IncludeMatrix []map[string]yaml.Node
+	FailFast      bool
+	MaxParallel   *float64
+	MatrixKeys    map[string]struct{}
+}
+
+type strategyContext struct {
+	jobTraceWriter TraceWriter
+	failFast       bool
+	maxParallel    float64
+	matrix         map[string][]yaml.Node
+
+	flatMatrix    []map[string]yaml.Node
+	includeMatrix []map[string]yaml.Node
+
+	include []yaml.Node
+	exclude []yaml.Node
+}
+
+func (strategyContext *strategyContext) handleInclude() error {
+	// Handle include logic
+	if len(strategyContext.include) > 0 {
+		for _, incNode := range strategyContext.include {
+			if incNode.Kind != yaml.MappingNode {
+				return errors.New("include entry is not a mapping node")
+			}
+			incMap := make(map[string]yaml.Node)
+			for i := 0; i < len(incNode.Content); i += 2 {
+				keyNode := incNode.Content[i]
+				valNode := incNode.Content[i+1]
+				if keyNode.Kind != yaml.ScalarNode {
+					return errors.New("include key is not scalar")
+				}
+				incMap[keyNode.Value] = *valNode
+			}
+			matched := false
+			for _, row := range strategyContext.flatMatrix {
+				match := true
+				for k, v := range incMap {
+					if rv, ok := row[k]; ok && !nodesEqual(rv, v) {
+						match = false
+						break
+					}
+				}
+				if match {
+					matched = true
+					// Add missing keys
+					strategyContext.jobTraceWriter.Info("Add missing keys %v", incMap)
+					for k, v := range incMap {
+						if _, ok := row[k]; !ok {
+							row[k] = v
+						}
+					}
+				}
+			}
+			if !matched {
+				if strategyContext.jobTraceWriter != nil {
+					strategyContext.jobTraceWriter.Info("Append include entry %v", incMap)
+				}
+				strategyContext.includeMatrix = append(strategyContext.includeMatrix, incMap)
+			}
+		}
+	}
+	return nil
+}
+
+func (strategyContext *strategyContext) handleExclude() error {
+	// Handle exclude logic
+	if len(strategyContext.exclude) > 0 {
+		for _, exNode := range strategyContext.exclude {
+			// exNode is expected to be a mapping node
+			if exNode.Kind != yaml.MappingNode {
+				return errors.New("exclude entry is not a mapping node")
+			}
+			// Convert mapping to map[string]yaml.Node
+			exMap := make(map[string]yaml.Node)
+			for i := 0; i < len(exNode.Content); i += 2 {
+				keyNode := exNode.Content[i]
+				valNode := exNode.Content[i+1]
+				if keyNode.Kind != yaml.ScalarNode {
+					return errors.New("exclude key is not scalar")
+				}
+				exMap[keyNode.Value] = *valNode
+			}
+			// Remove matching rows
+			filtered := []map[string]yaml.Node{}
+			for _, row := range strategyContext.flatMatrix {
+				match := true
+				for k, v := range exMap {
+					if rv, ok := row[k]; !ok || !nodesEqual(rv, v) {
+						match = false
+						break
+					}
+				}
+				if !match {
+					filtered = append(filtered, row)
+				} else if strategyContext.jobTraceWriter != nil {
+					strategyContext.jobTraceWriter.Info("Removing %v from matrix due to exclude entry %v", row, exMap)
+				}
+			}
+			strategyContext.flatMatrix = filtered
+		}
+	}
+	return nil
+}
+
+// ExpandStrategy expands the given strategy into a flat matrix and include matrix.
+// It mimics the behavior of the C# StrategyUtils. The strategy parameter is expected
+// to be populated from a YAML mapping that follows the GitHub Actions strategy schema.
+func ExpandStrategy(strategy *Strategy, jobTraceWriter TraceWriter) (*StrategyResult, error) {
+	if strategy == nil {
+		return &StrategyResult{FlatMatrix: []map[string]yaml.Node{{}}, IncludeMatrix: []map[string]yaml.Node{}, FailFast: true}, nil
+	}
+
+	// Initialize defaults
+	strategyContext := &strategyContext{
+		jobTraceWriter: jobTraceWriter,
+		failFast:       strategy.FailFast,
+		maxParallel:    strategy.MaxParallel,
+		matrix:         strategy.Matrix,
+		flatMatrix:     []map[string]yaml.Node{{}},
+	}
+	// Process matrix entries
+	for key, values := range strategyContext.matrix {
+		switch key {
+		case "include":
+			strategyContext.include = values
+		case "exclude":
+			strategyContext.exclude = values
+		default:
+			// Other keys are treated as matrix dimensions
+			// Expand each existing row with the new key/value pairs
+			next := []map[string]yaml.Node{}
+			for _, row := range strategyContext.flatMatrix {
+				for _, val := range values {
+					newRow := make(map[string]yaml.Node)
+					maps.Copy(newRow, row)
+					newRow[key] = val
+					next = append(next, newRow)
+				}
+			}
+			strategyContext.flatMatrix = next
+		}
+	}
+
+	if err := strategyContext.handleExclude(); err != nil {
+		return nil, err
+	}
+
+	if len(strategyContext.flatMatrix) == 0 {
+		if jobTraceWriter != nil {
+			jobTraceWriter.Info("Matrix is empty, adding an empty entry")
+		}
+		strategyContext.flatMatrix = []map[string]yaml.Node{{}}
+	}
+
+	// Enforce job matrix limit of github
+	if len(strategyContext.flatMatrix) > 256 {
+		if jobTraceWriter != nil {
+			jobTraceWriter.Info("Failure: Matrix contains more than 256 entries after exclude")
+		}
+		return nil, errors.New("matrix contains more than 256 entries")
+	}
+
+	// Build matrix keys set
+	matrixKeys := make(map[string]struct{})
+	if len(strategyContext.flatMatrix) > 0 {
+		for k := range strategyContext.flatMatrix[0] {
+			matrixKeys[k] = struct{}{}
+		}
+	}
+
+	if err := strategyContext.handleInclude(); err != nil {
+		return nil, err
+	}
+
+	return &StrategyResult{
+		FlatMatrix:    strategyContext.flatMatrix,
+		IncludeMatrix: strategyContext.includeMatrix,
+		FailFast:      strategyContext.failFast,
+		MaxParallel:   &strategyContext.maxParallel,
+		MatrixKeys:    matrixKeys,
+	}, nil
+}
+
+// nodesEqual compares two yaml.Node values for equality.
+func nodesEqual(a, b yaml.Node) bool {
+	return DeepEquals(a, b, true)
+}
+
+// GetDefaultDisplaySuffix returns a string like "(foo, bar, baz)".
+// Empty items are ignored. If all items are empty the result is "".
+func GetDefaultDisplaySuffix(items []string) string {
+	var b strings.Builder // efficient string concatenation
+
+	first := true // true until we write the first non‑empty item
+
+	for _, mk := range items {
+		if mk == "" { // Go has no null string, so we only need to check for empty
+			continue
+		}
+		if first {
+			b.WriteString("(")
+			first = false
+		} else {
+			b.WriteString(", ")
+		}
+		b.WriteString(mk)
+	}
+
+	if !first { // we wrote at least one item
+		b.WriteString(")")
+	}
+
+	return b.String()
+}
--- a/internal/model/strategy_utils_test.go
+++ b/internal/model/strategy_utils_test.go
@@ -0,0 +1,68 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+type EmptyTraceWriter struct {
+}
+
+func (e *EmptyTraceWriter) Info(_ string, _ ...any) {
+}
+
+func TestStrategy(t *testing.T) {
+	table := []struct {
+		content       string
+		flatmatrix    int
+		includematrix int
+	}{
+		{`
+matrix:
+  label:
+  - a
+  - b
+  fields:
+  - a
+  - b
+`, 4, 0},
+		{`
+matrix:
+  label:
+  - a
+  - b
+  include:
+  - label: a
+    x: self`, 2, 0,
+		},
+		{`
+matrix:
+  label:
+  - a
+  - b
+  include:
+  - label: c
+    x: self`, 2, 1,
+		},
+		{`
+matrix:
+  label:
+  - a
+  - b
+  exclude:
+  - label: a`, 1, 0,
+		},
+	}
+
+	for _, tc := range table {
+		var strategy Strategy
+		err := yaml.Unmarshal([]byte(tc.content), &strategy)
+		require.NoError(t, err)
+		res, err := ExpandStrategy(&strategy, &EmptyTraceWriter{})
+		require.NoError(t, err)
+		require.Len(t, res.FlatMatrix, tc.flatmatrix)
+		require.Len(t, res.IncludeMatrix, tc.includematrix)
+	}
+}
--- a/internal/model/token_utils.go
+++ b/internal/model/token_utils.go
@@ -0,0 +1,148 @@
+package model
+
+import (
+	"strings"
+
+	v2 "gitea.com/gitea/act_runner/internal/eval/v2"
+	"gopkg.in/yaml.v3"
+)
+
+// DeepEquals compares two yaml.Node values recursively.
+// It supports scalar, mapping and sequence nodes and allows
+// an optional partial match for mappings and sequences.
+func DeepEquals(a, b yaml.Node, partialMatch bool) bool {
+	// Scalar comparison
+	if a.Kind == yaml.ScalarNode && b.Kind == yaml.ScalarNode {
+		return scalarEquals(a, b)
+	}
+
+	// Mapping comparison
+	if a.Kind == yaml.MappingNode && b.Kind == yaml.MappingNode {
+		return deepMapEquals(a, b, partialMatch)
+	}
+
+	// Sequence comparison
+	if a.Kind == yaml.SequenceNode && b.Kind == yaml.SequenceNode {
+		return deepSequenceEquals(a, b, partialMatch)
+	}
+
+	// Different kinds are not equal
+	return false
+}
+
+func scalarEquals(a, b yaml.Node) bool {
+	var left, right any
+	return a.Decode(&left) == nil && b.Decode(&right) == nil && v2.CreateIntermediateResult(v2.NewEvaluationContext(), left).AbstractEqual(v2.CreateIntermediateResult(v2.NewEvaluationContext(), right))
+}
+
+func deepMapEquals(a, b yaml.Node, partialMatch bool) bool {
+	mapA := make(map[string]yaml.Node)
+	for i := 0; i < len(a.Content); i += 2 {
+		keyNode := a.Content[i]
+		valNode := a.Content[i+1]
+		if keyNode.Kind != yaml.ScalarNode {
+			return false
+		}
+		mapA[strings.ToLower(keyNode.Value)] = *valNode
+	}
+	mapB := make(map[string]yaml.Node)
+	for i := 0; i < len(b.Content); i += 2 {
+		keyNode := b.Content[i]
+		valNode := b.Content[i+1]
+		if keyNode.Kind != yaml.ScalarNode {
+			return false
+		}
+		mapB[strings.ToLower(keyNode.Value)] = *valNode
+	}
+	if partialMatch {
+		if len(mapA) < len(mapB) {
+			return false
+		}
+	} else {
+		if len(mapA) != len(mapB) {
+			return false
+		}
+	}
+	for k, vB := range mapB {
+		vA, ok := mapA[k]
+		if !ok || !DeepEquals(vA, vB, partialMatch) {
+			return false
+		}
+	}
+	return true
+}
+
+func deepSequenceEquals(a, b yaml.Node, partialMatch bool) bool {
+	if partialMatch {
+		if len(a.Content) < len(b.Content) {
+			return false
+		}
+	} else {
+		if len(a.Content) != len(b.Content) {
+			return false
+		}
+	}
+	limit := len(b.Content)
+	if !partialMatch {
+		limit = len(a.Content)
+	}
+	for i := 0; i < limit; i++ {
+		if !DeepEquals(*a.Content[i], *b.Content[i], partialMatch) {
+			return false
+		}
+	}
+	return true
+}
+
+// traverse walks a YAML node recursively.
+func traverse(node *yaml.Node, omitKeys bool, result *[]*yaml.Node) {
+	if node == nil {
+		return
+	}
+
+	*result = append(*result, node)
+
+	switch node.Kind {
+	case yaml.MappingNode:
+		if omitKeys {
+			// node.Content: key0, val0, key1, val1, …
+			for i := 1; i < len(node.Content); i += 2 { // only the values
+				traverse(node.Content[i], omitKeys, result)
+			}
+		} else {
+			for _, child := range node.Content {
+				traverse(child, omitKeys, result)
+			}
+		}
+	case yaml.SequenceNode:
+		// For all other node kinds (Scalar, Sequence, Alias, etc.)
+		for _, child := range node.Content {
+			traverse(child, omitKeys, result)
+		}
+	}
+}
+
+// GetDisplayStrings implements the LINQ expression:
+//
+//	from displayitem in keys.SelectMany(key => item[key].Traverse(true))
+//	where !(displayitem is SequenceToken || displayitem is MappingToken)
+//	select displayitem.ToString()
+func GetDisplayStrings(keys []string, item map[string]*yaml.Node) []string {
+	var res []string
+
+	for _, k := range keys {
+		if node, ok := item[k]; ok {
+			var all []*yaml.Node
+			traverse(node, true, &all) // include the parent node itself
+
+			for _, n := range all {
+				// Keep only scalars – everything else is dropped
+				if n.Kind == yaml.ScalarNode {
+					res = append(res, n.Value)
+				}
+			}
+		}
+	}
+
+	return res
+}
--- a/internal/model/workflow_state.go
+++ b/internal/model/workflow_state.go
@@ -0,0 +1,277 @@
+package model
+
+import "gopkg.in/yaml.v3"
+
+type JobStatus int
+
+const (
+	JobStatusPending JobStatus = iota
+	JobStatusDependenciesReady
+	JobStatusBlocked
+	JobStatusCompleted
+)
+
+type JobState struct {
+	JobID    string            // Workflow path to job, incl matrix and parent jobids
+	Result   string            // Actions Job Result
+	Outputs  map[string]string // Returned Outputs
+	State    JobStatus
+	Strategy []MatrixJobState
+}
+
+type MatrixJobState struct {
+	Matrix  map[string]any
+	Name    string
+	Result  string
+	Outputs map[string]string // Returned Outputs
+	State   JobStatus
+}
+
+type WorkflowStatus int
+
+const (
+	WorkflowStatusPending WorkflowStatus = iota
+	WorkflowStatusDependenciesReady
+	WorkflowStatusBlocked
+	WorkflowStatusCompleted
+)
+
+type WorkflowState struct {
+	Name                string
+	RunName             string
+	Jobs                JobState
+	StateWorkflowStatus WorkflowStatus
+}
+
+type Workflow struct {
+	On          *On            `yaml:"on,omitempty"`
+	Name        string         `yaml:"name,omitempty"`
+	Description string         `yaml:"description,omitempty"`
+	RunName     yaml.Node      `yaml:"run-name,omitempty"`
+	Permissions *Permissions   `yaml:"permissions,omitempty"`
+	Env         yaml.Node      `yaml:"env,omitempty"`
+	Defaults    yaml.Node      `yaml:"defaults,omitempty"`
+	Concurrency yaml.Node      `yaml:"concurrency,omitempty"` // Two layouts
+	Jobs        map[string]Job `yaml:"jobs,omitempty"`
+}
+
+type On struct {
+	Data             map[string]yaml.Node `yaml:"-"`
+	WorkflowDispatch *WorkflowDispatch    `yaml:"workflow_dispatch,omitempty"`
+	WorkflowCall     *WorkflowCall        `yaml:"workflow_call,omitempty"`
+	Schedule         []Cron               `yaml:"schedule,omitempty"`
+}
+
+type Cron struct {
+	Cron string `yaml:"cron,omitempty"`
+}
+
+func (a *On) UnmarshalYAML(node *yaml.Node) error {
+	switch node.Kind {
+	case yaml.ScalarNode:
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		a.Data = map[string]yaml.Node{}
+		a.Data[s] = yaml.Node{}
+	case yaml.SequenceNode:
+		var s []string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		a.Data = map[string]yaml.Node{}
+		for _, v := range s {
+			a.Data[v] = yaml.Node{}
+		}
+	default:
+		if err := node.Decode(&a.Data); err != nil {
+			return err
+		}
+		type OnObj On
+		if err := node.Decode((*OnObj)(a)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (a *On) MarshalYAML() (any, error) {
+	return a.Data, nil
+}
+
+var (
+	_ yaml.Unmarshaler = &On{}
+	_ yaml.Marshaler   = &On{}
+	_ yaml.Unmarshaler = &Concurrency{}
+	_ yaml.Unmarshaler = &RunsOn{}
+	_ yaml.Unmarshaler = &ImplicitStringArray{}
+	_ yaml.Unmarshaler = &Environment{}
+)
+
+type WorkflowDispatch struct {
+	Inputs map[string]Input `yaml:"inputs,omitempty"`
+}
+
+type Input struct {
+	Description string `yaml:"description,omitempty"`
+	Type        string `yaml:"type,omitempty"`
+	Default     string `yaml:"default,omitempty"`
+	Required    bool   `yaml:"required,omitempty"`
+}
+
+type WorkflowCall struct {
+	Inputs  map[string]Input  `yaml:"inputs,omitempty"`
+	Secrets map[string]Secret `yaml:"secrets,omitempty"`
+	Outputs map[string]Output `yaml:"outputs,omitempty"`
+}
+
+type Secret struct {
+	Description string `yaml:"description,omitempty"`
+	Required    bool   `yaml:"required,omitempty"`
+}
+
+type Output struct {
+	Description string    `yaml:"description,omitempty"`
+	Value       yaml.Node `yaml:"value,omitempty"`
+}
+
+type Job struct {
+	Needs       ImplicitStringArray `yaml:"needs,omitempty"`
+	Permissions *Permissions        `yaml:"permissions,omitempty"`
+	Strategy    yaml.Node           `yaml:"strategy,omitempty"`
+	Name        yaml.Node           `yaml:"name,omitempty"`
+	Concurrency yaml.Node           `yaml:"concurrency,omitempty"`
+	// Reusable Workflow
+	Uses    yaml.Node `yaml:"uses,omitempty"`
+	With    yaml.Node `yaml:"with,omitempty"`
+	Secrets yaml.Node `yaml:"secrets,omitempty"`
+	// Runner Job
+	RunsOn         yaml.Node   `yaml:"runs-on,omitempty"`
+	Defaults       yaml.Node   `yaml:"defaults,omitempty"`
+	TimeoutMinutes yaml.Node   `yaml:"timeout-minutes,omitempty"`
+	Container      yaml.Node   `yaml:"container,omitempty"`
+	Services       yaml.Node   `yaml:"services,omitempty"`
+	Env            yaml.Node   `yaml:"env,omitempty"`
+	Steps          []yaml.Node `yaml:"steps,omitempty"`
+	Outputs        yaml.Node   `yaml:"outputs,omitempty"`
+}
+
+type ImplicitStringArray []string
+
+func (a *ImplicitStringArray) UnmarshalYAML(node *yaml.Node) error {
+	if node.Kind == yaml.ScalarNode {
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		*a = []string{s}
+		return nil
+	}
+	return node.Decode((*[]string)(a))
+}
+
+type Permissions map[string]string
+
+func (p *Permissions) UnmarshalYAML(node *yaml.Node) error {
+	if node.Kind == yaml.ScalarNode {
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		var perm string
+		switch s {
+		case "read-all":
+			perm = "read"
+		case "write-all":
+			perm = "write"
+		default:
+			return nil
+		}
+		(*p)["actions"] = perm
+		(*p)["attestations"] = perm
+		(*p)["contents"] = perm
+		(*p)["checks"] = perm
+		(*p)["deployments"] = perm
+		(*p)["discussions"] = perm
+		(*p)["id-token"] = perm
+		(*p)["issues"] = perm
+		(*p)["models"] = perm
+		(*p)["packages"] = perm
+		(*p)["pages"] = perm
+		(*p)["pull-requests"] = perm
+		(*p)["repository-projects"] = perm
+		(*p)["security-events"] = perm
+		(*p)["statuses"] = perm
+		return nil
+	}
+	return node.Decode((*map[string]string)(p))
+}
+
+type Strategy struct {
+	Matrix      map[string][]yaml.Node `yaml:"matrix"`
+	MaxParallel float64                `yaml:"max-parallel"`
+	FailFast    bool                   `yaml:"fail-fast"`
+}
+
+type Concurrency struct {
+	Group            string `yaml:"group"`
+	CancelInProgress bool   `yaml:"cancel-in-progress"`
+}
+
+func (c *Concurrency) UnmarshalYAML(node *yaml.Node) error {
+	if node.Kind == yaml.ScalarNode {
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		c.Group = s
+		return nil
+	}
+	type ConcurrencyObj Concurrency
+	return node.Decode((*ConcurrencyObj)(c))
+}
+
+type Environment struct {
+	Name string    `yaml:"name"`
+	URL  yaml.Node `yaml:"url"`
+}
+
+func (e *Environment) UnmarshalYAML(node *yaml.Node) error {
+	if node.Kind == yaml.ScalarNode {
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		e.Name = s
+		return nil
+	}
+	type EnvironmentObj Environment
+	return node.Decode((*EnvironmentObj)(e))
+}
+
+type RunsOn struct {
+	Labels []string `yaml:"labels"`
+	Group  string   `yaml:"group,omitempty"`
+}
+
+func (a *RunsOn) UnmarshalYAML(node *yaml.Node) error {
+	if node.Kind == yaml.ScalarNode {
+		var s string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		a.Labels = []string{s}
+		return nil
+	}
+	if node.Kind == yaml.SequenceNode {
+		var s []string
+		if err := node.Decode(&s); err != nil {
+			return err
+		}
+		a.Labels = s
+		return nil
+	}
+	type RunsOnObj RunsOn
+	return node.Decode((*RunsOnObj)(a))
+}
--- a/internal/model/workflow_state_test.go
+++ b/internal/model/workflow_state_test.go
@@ -0,0 +1,141 @@
+package model
+
+import (
+	"context"
+	"testing"
+
+	v2 "gitea.com/gitea/act_runner/internal/eval/v2"
+	"gitea.com/gitea/act_runner/internal/templateeval"
+	"gitea.com/gitea/act_runner/pkg/schema"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v3"
+)
+
+func TestParseWorkflow(t *testing.T) {
+	ee := &templateeval.ExpressionEvaluator{
+		EvaluationContext: v2.EvaluationContext{
+			Variables: v2.CaseInsensitiveObject[any]{},
+			Functions: v2.GetFunctions(),
+		},
+	}
+	var node yaml.Node
+	err := yaml.Unmarshal([]byte(`
+on: push
+run-name: ${{ fromjson('{}') }}
+jobs:
+  _:
+    name: ${{ github.ref_name }}
+    steps:
+    - run: echo Hello World
+      env:
+        TAG: ${{ env.global }}
+`), &node)
+	require.NoError(t, err)
+	err = ee.EvaluateYamlNode(context.Background(), node.Content[0], &schema.Node{
+		Definition: "workflow-root",
+		Schema:     schema.GetWorkflowSchema(),
+	})
+	require.NoError(t, err)
+
+	ee.RestrictEval = true
+	ee.EvaluationContext.Variables = v2.CaseInsensitiveObject[any]{
+		"github": v2.CaseInsensitiveObject[any]{
+			"ref_name": "self",
+		},
+		"vars":   v2.CaseInsensitiveObject[any]{},
+		"inputs": v2.CaseInsensitiveObject[any]{},
+	}
+
+	err = ee.EvaluateYamlNode(context.Background(), node.Content[0], &schema.Node{
+		Definition: "workflow-root",
+		Schema:     schema.GetWorkflowSchema(),
+	})
+	require.Error(t, err)
+	var myw Workflow
+	require.NoError(t, node.Decode(&myw))
+}
+
+func TestParseWorkflowCall(t *testing.T) {
+	ee := &templateeval.ExpressionEvaluator{
+		EvaluationContext: v2.EvaluationContext{
+			Variables: v2.CaseInsensitiveObject[any]{},
+			Functions: v2.GetFunctions(),
+		},
+	}
+	var node yaml.Node
+	// jobs.test.outputs.test
+	err := yaml.Unmarshal([]byte(`
+on:
+  workflow_call:
+    outputs:
+      test:
+        value: ${{ jobs.test.outputs.test }} # tojson(vars.raw)
+run-name: ${{ github.ref_name }}
+jobs:
+  _:
+    runs-on: ubuntu-latest
+    name: ${{ github.ref_name }}
+    steps:
+    - run: echo Hello World
+      env:
+        TAG: ${{ env.global }}
+`), &node)
+	require.NoError(t, err)
+	require.NoError(t, resolveAliases(node.Content[0]))
+	require.NoError(t, (&schema.Node{
+		Definition: "workflow-root",
+		Schema:     schema.GetWorkflowSchema(),
+	}).UnmarshalYAML(node.Content[0]))
+	err = ee.EvaluateYamlNode(context.Background(), node.Content[0], &schema.Node{
+		Definition: "workflow-root",
+		Schema:     schema.GetWorkflowSchema(),
+	})
+	require.NoError(t, err)
+
+	var raw any
+	err = node.Content[0].Decode(&raw)
+	require.NoError(t, err)
+
+	ee.RestrictEval = true
+	ee.EvaluationContext.Variables = v2.CaseInsensitiveObject[any]{
+		"github": v2.CaseInsensitiveObject[any]{
+			"ref_name": "self",
+		},
+		"vars": v2.CaseInsensitiveObject[any]{
+			"raw": raw,
+		},
+		"inputs": v2.CaseInsensitiveObject[any]{},
+		"jobs": v2.CaseInsensitiveObject[any]{
+			"test": v2.CaseInsensitiveObject[any]{
+				"outputs": v2.CaseInsensitiveObject[any]{
+					"test": "Hello World",
+				},
+			},
+		},
+	}
+
+	err = ee.EvaluateYamlNode(context.Background(), node.Content[0], &schema.Node{
+		RestrictEval: true,
+		Definition:   "workflow-root",
+		Schema:       schema.GetWorkflowSchema(),
+	})
+	require.NoError(t, err)
+	var myw Workflow
+	require.NoError(t, node.Decode(&myw))
+	workflowCall := myw.On.WorkflowCall
+	if workflowCall != nil {
+		for _, out := range workflowCall.Outputs {
+			err = ee.EvaluateYamlNode(context.Background(), &out.Value, &schema.Node{
+				RestrictEval: true,
+				Definition:   "workflow-output-context",
+				Schema:       schema.GetWorkflowSchema(),
+			})
+			require.NoError(t, err)
+			require.Equal(t, "Hello World", out.Value.Value)
+		}
+	}
+	out, err := yaml.Marshal(&myw)
+	require.NoError(t, err)
+	assert.NotEmpty(t, out)
+}
--- a/internal/pkg/client/http.go
+++ b/internal/pkg/client/http.go
@@ -11,7 +11,7 @@ import (

 	"code.gitea.io/actions-proto-go/ping/v1/pingv1connect"
 	"code.gitea.io/actions-proto-go/runner/v1/runnerv1connect"
-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
 )

 func getHTTPClient(endpoint string, insecure bool) *http.Client {
--- a/internal/pkg/client/mocks/Client.go
+++ b/internal/pkg/client/mocks/Client.go
@@ -1,11 +1,11 @@
-// Code generated by mockery v2.26.1. DO NOT EDIT.
+// Code generated by mockery v2.42.1. DO NOT EDIT.

 package mocks

 import (
 	context "context"

-	connect "github.com/bufbuild/connect-go"
+	connect "connectrpc.com/connect"

 	mock "github.com/stretchr/testify/mock"

@@ -23,6 +23,10 @@ type Client struct {
 func (_m *Client) Address() string {
 	ret := _m.Called()

+	if len(ret) == 0 {
+		panic("no return value specified for Address")
+	}
+
 	var r0 string
 	if rf, ok := ret.Get(0).(func() string); ok {
 		r0 = rf()
@@ -37,6 +41,10 @@ func (_m *Client) Address() string {
 func (_m *Client) Declare(_a0 context.Context, _a1 *connect.Request[runnerv1.DeclareRequest]) (*connect.Response[runnerv1.DeclareResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for Declare")
+	}
+
 	var r0 *connect.Response[runnerv1.DeclareResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[runnerv1.DeclareRequest]) (*connect.Response[runnerv1.DeclareResponse], error)); ok {
@@ -63,6 +71,10 @@ func (_m *Client) Declare(_a0 context.Context, _a1 *connect.Request[runnerv1.Dec
 func (_m *Client) FetchTask(_a0 context.Context, _a1 *connect.Request[runnerv1.FetchTaskRequest]) (*connect.Response[runnerv1.FetchTaskResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for FetchTask")
+	}
+
 	var r0 *connect.Response[runnerv1.FetchTaskResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[runnerv1.FetchTaskRequest]) (*connect.Response[runnerv1.FetchTaskResponse], error)); ok {
@@ -89,6 +101,10 @@ func (_m *Client) FetchTask(_a0 context.Context, _a1 *connect.Request[runnerv1.F
 func (_m *Client) Insecure() bool {
 	ret := _m.Called()

+	if len(ret) == 0 {
+		panic("no return value specified for Insecure")
+	}
+
 	var r0 bool
 	if rf, ok := ret.Get(0).(func() bool); ok {
 		r0 = rf()
@@ -103,6 +119,10 @@ func (_m *Client) Insecure() bool {
 func (_m *Client) Ping(_a0 context.Context, _a1 *connect.Request[pingv1.PingRequest]) (*connect.Response[pingv1.PingResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for Ping")
+	}
+
 	var r0 *connect.Response[pingv1.PingResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[pingv1.PingRequest]) (*connect.Response[pingv1.PingResponse], error)); ok {
@@ -129,6 +149,10 @@ func (_m *Client) Ping(_a0 context.Context, _a1 *connect.Request[pingv1.PingRequ
 func (_m *Client) Register(_a0 context.Context, _a1 *connect.Request[runnerv1.RegisterRequest]) (*connect.Response[runnerv1.RegisterResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for Register")
+	}
+
 	var r0 *connect.Response[runnerv1.RegisterResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[runnerv1.RegisterRequest]) (*connect.Response[runnerv1.RegisterResponse], error)); ok {
@@ -155,6 +179,10 @@ func (_m *Client) Register(_a0 context.Context, _a1 *connect.Request[runnerv1.Re
 func (_m *Client) UpdateLog(_a0 context.Context, _a1 *connect.Request[runnerv1.UpdateLogRequest]) (*connect.Response[runnerv1.UpdateLogResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for UpdateLog")
+	}
+
 	var r0 *connect.Response[runnerv1.UpdateLogResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[runnerv1.UpdateLogRequest]) (*connect.Response[runnerv1.UpdateLogResponse], error)); ok {
@@ -181,6 +209,10 @@ func (_m *Client) UpdateLog(_a0 context.Context, _a1 *connect.Request[runnerv1.U
 func (_m *Client) UpdateTask(_a0 context.Context, _a1 *connect.Request[runnerv1.UpdateTaskRequest]) (*connect.Response[runnerv1.UpdateTaskResponse], error) {
 	ret := _m.Called(_a0, _a1)

+	if len(ret) == 0 {
+		panic("no return value specified for UpdateTask")
+	}
+
 	var r0 *connect.Response[runnerv1.UpdateTaskResponse]
 	var r1 error
 	if rf, ok := ret.Get(0).(func(context.Context, *connect.Request[runnerv1.UpdateTaskRequest]) (*connect.Response[runnerv1.UpdateTaskResponse], error)); ok {
@@ -203,13 +235,13 @@ func (_m *Client) UpdateTask(_a0 context.Context, _a1 *connect.Request[runnerv1.
 	return r0, r1
 }

-type mockConstructorTestingTNewClient interface {
+// NewClient creates a new instance of Client. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewClient(t interface {
 	mock.TestingT
 	Cleanup(func())
-}
-
-// NewClient creates a new instance of Client. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-func NewClient(t mockConstructorTestingTNewClient) *Client {
+},
+) *Client {
 	mock := &Client{}
 	mock.Mock.Test(t)

--- a/internal/pkg/config/config.example.yaml
+++ b/internal/pkg/config/config.example.yaml
@@ -21,19 +21,31 @@ runner:
  env_file: .env
  # The timeout for a job to be finished.
  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
-  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  # So the job could be stopped by the Gitea instance if its timeout is shorter than this.
  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
  # Whether skip verifying the TLS certificate of the Gitea instance.
  insecure: false
  # The timeout for fetching the job from the Gitea instance.
  fetch_timeout: 5s
  # The interval for fetching the job from the Gitea instance.
  fetch_interval: 2s
+  # The github_mirror of a runner is used to specify the mirror address of the github that pulls the action repository.
+  # It works when something like `uses: actions/checkout@v4` is used and DEFAULT_ACTIONS_URL is set to github,
+  # and github_mirror is not empty. In this case,
+  # it replaces https://github.com with the value here, which is useful for some special network environments.
+  github_mirror: ''
  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
-  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
  # If it's empty when registering, it will ask for inputting labels.
-  # If it's empty when execute `deamon`, will use labels in `.runner` file.
-  labels: []
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+    - "ubuntu-24.04:docker://docker.gitea.com/runner-images:ubuntu-24.04"
+    - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"

 cache:
  # Enable cache server to use actions/cache.
@@ -60,9 +72,12 @@ container:
  network: ""
  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
  privileged: false
-  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  # Any other options to be used when the container is started (e.g., --add-host=my.gitea.url:host-gateway).
  options:
  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
  # If it's empty, /workspace will be used.
  workdir_parent:
  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
@@ -75,13 +90,19 @@ container:
  # valid_volumes:
  #   - '**'
  valid_volumes: []
-  # overrides the docker client host with the specified one.
+  # Overrides the docker client host with the specified one.
  # If it's empty, act_runner will find an available docker host automatically.
  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
  docker_host: ""
  # Pull docker image(s) even if already present
-  force_pull: false
+  force_pull: true
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+  # Always require a reachable docker daemon, even if not required by act_runner
+  require_docker: false
+  # Timeout to wait for the docker daemon to be reachable, if docker is required by require_docker or act_runner
+  docker_timeout: 0s

 host:
  # The parent directory of a job's working directory.
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -5,6 +5,7 @@ package config

 import (
 	"fmt"
+	"maps"
 	"os"
 	"path/filepath"
 	"time"
@@ -21,15 +22,17 @@ type Log struct {

 // Runner represents the configuration for the runner.
 type Runner struct {
-	File          string            `yaml:"file"`           // File specifies the file path for the runner.
-	Capacity      int               `yaml:"capacity"`       // Capacity specifies the capacity of the runner.
-	Envs          map[string]string `yaml:"envs"`           // Envs stores environment variables for the runner.
-	EnvFile       string            `yaml:"env_file"`       // EnvFile specifies the path to the file containing environment variables for the runner.
-	Timeout       time.Duration     `yaml:"timeout"`        // Timeout specifies the duration for runner timeout.
-	Insecure      bool              `yaml:"insecure"`       // Insecure indicates whether the runner operates in an insecure mode.
-	FetchTimeout  time.Duration     `yaml:"fetch_timeout"`  // FetchTimeout specifies the timeout duration for fetching resources.
-	FetchInterval time.Duration     `yaml:"fetch_interval"` // FetchInterval specifies the interval duration for fetching resources.
-	Labels        []string          `yaml:"labels"`         // Labels specifies the labels of the runner. Labels are declared on each startup
+	File            string            `yaml:"file"`             // File specifies the file path for the runner.
+	Capacity        int               `yaml:"capacity"`         // Capacity specifies the capacity of the runner.
+	Envs            map[string]string `yaml:"envs"`             // Envs stores environment variables for the runner.
+	EnvFile         string            `yaml:"env_file"`         // EnvFile specifies the path to the file containing environment variables for the runner.
+	Timeout         time.Duration     `yaml:"timeout"`          // Timeout specifies the duration for runner timeout.
+	ShutdownTimeout time.Duration     `yaml:"shutdown_timeout"` // ShutdownTimeout specifies the duration to wait for running jobs to complete during a shutdown of the runner.
+	Insecure        bool              `yaml:"insecure"`         // Insecure indicates whether the runner operates in an insecure mode.
+	FetchTimeout    time.Duration     `yaml:"fetch_timeout"`    // FetchTimeout specifies the timeout duration for fetching resources.
+	FetchInterval   time.Duration     `yaml:"fetch_interval"`   // FetchInterval specifies the interval duration for fetching resources.
+	Labels          []string          `yaml:"labels"`           // Labels specify the labels of the runner. Labels are declared on each startup
+	GithubMirror    string            `yaml:"github_mirror"`    // GithubMirror defines what mirrors should be used when using github
 }

 // Cache represents the configuration for caching.
@@ -43,14 +46,17 @@ type Cache struct {

 // Container represents the configuration for the container.
 type Container struct {
-	Network       string   `yaml:"network"`        // Network specifies the network for the container.
-	NetworkMode   string   `yaml:"network_mode"`   // Deprecated: use Network instead. Could be removed after Gitea 1.20
-	Privileged    bool     `yaml:"privileged"`     // Privileged indicates whether the container runs in privileged mode.
-	Options       string   `yaml:"options"`        // Options specifies additional options for the container.
-	WorkdirParent string   `yaml:"workdir_parent"` // WorkdirParent specifies the parent directory for the container's working directory.
-	ValidVolumes  []string `yaml:"valid_volumes"`  // ValidVolumes specifies the volumes (including bind mounts) can be mounted to containers.
-	DockerHost    string   `yaml:"docker_host"`    // DockerHost specifies the Docker host. It overrides the value specified in environment variable DOCKER_HOST.
-	ForcePull     bool     `yaml:"force_pull"`     // Pull docker image(s) even if already present
+	Network       string        `yaml:"network"`        // Network specifies the network for the container.
+	NetworkMode   string        `yaml:"network_mode"`   // Deprecated: use Network instead. Could be removed after Gitea 1.20
+	Privileged    bool          `yaml:"privileged"`     // Privileged indicates whether the container runs in privileged mode.
+	Options       string        `yaml:"options"`        // Options specifies additional options for the container.
+	WorkdirParent string        `yaml:"workdir_parent"` // WorkdirParent specifies the parent directory for the container's working directory.
+	ValidVolumes  []string      `yaml:"valid_volumes"`  // ValidVolumes specifies the volumes (including bind mounts) can be mounted to containers.
+	DockerHost    string        `yaml:"docker_host"`    // DockerHost specifies the Docker host. It overrides the value specified in environment variable DOCKER_HOST.
+	ForcePull     bool          `yaml:"force_pull"`     // Pull docker image(s) even if already present
+	ForceRebuild  bool          `yaml:"force_rebuild"`  // Rebuild docker image(s) even if already present
+	RequireDocker bool          `yaml:"require_docker"` // Always require a reachable docker daemon, even if not required by act_runner
+	DockerTimeout time.Duration `yaml:"docker_timeout"` // Timeout to wait for the docker daemon to be reachable, if docker is required by require_docker or act_runner
 }

 // Host represents the configuration for the host.
@@ -88,9 +94,10 @@ func LoadDefault(file string) (*Config, error) {
 			if err != nil {
 				return nil, fmt.Errorf("read env file %q: %w", cfg.Runner.EnvFile, err)
 			}
-			for k, v := range envs {
-				cfg.Runner.Envs[k] = v
+			if cfg.Runner.Envs == nil {
+				cfg.Runner.Envs = map[string]string{}
 			}
+			maps.Copy(cfg.Runner.Envs, envs)
 		}
 	}

--- a/internal/pkg/config/registration.go
+++ b/internal/pkg/config/registration.go
@@ -14,12 +14,13 @@ const registrationWarning = "This file is automatically generated by act-runner.
 type Registration struct {
 	Warning string `json:"WARNING"` // Warning message to display, it's always the registrationWarning constant

-	ID      int64    `json:"id"`
-	UUID    string   `json:"uuid"`
-	Name    string   `json:"name"`
-	Token   string   `json:"token"`
-	Address string   `json:"address"`
-	Labels  []string `json:"labels"`
+	ID        int64    `json:"id"`
+	UUID      string   `json:"uuid"`
+	Name      string   `json:"name"`
+	Token     string   `json:"token"`
+	Address   string   `json:"address"`
+	Labels    []string `json:"labels"`
+	Ephemeral bool     `json:"ephemeral"`
 }

 func LoadRegistration(file string) (*Registration, error) {
--- a/internal/pkg/envcheck/docker.go
+++ b/internal/pkg/envcheck/docker.go
@@ -27,7 +27,7 @@ func CheckIfDockerRunning(ctx context.Context, configDockerHost string) error {

 	_, err = cli.Ping(ctx)
 	if err != nil {
-		return fmt.Errorf("cannot ping the docker daemon, does it running? %w", err)
+		return fmt.Errorf("cannot ping the docker daemon, is it running? %w", err)
 	}

 	return nil
--- a/internal/pkg/labels/labels.go
+++ b/internal/pkg/labels/labels.go
@@ -55,7 +55,6 @@ func (l Labels) PickPlatform(runsOn []string) string {
 		switch label.Schema {
 		case SchemeDocker:
 			// "//" will be ignored
-			// TODO maybe we should use 'ubuntu-18.04:docker:node:16-buster' instead
 			platforms[label.Name] = strings.TrimPrefix(label.Arg, "//")
 		case SchemeHost:
 			platforms[label.Name] = "-self-hosted"
@@ -80,7 +79,7 @@ func (l Labels) PickPlatform(runsOn []string) string {
 	// So the runner receives a task with a label that the runner doesn't have,
 	// it happens when the user have edited the label of the runner in the web UI.
 	// TODO: it may be not correct, what if the runner is used as host mode only?
-	return "node:16-bullseye"
+	return "docker.gitea.com/runner-images:ubuntu-latest"
 }

 func (l Labels) Names() []string {
--- a/internal/pkg/labels/labels_test.go
+++ b/internal/pkg/labels/labels_test.go
@@ -6,8 +6,8 @@ package labels
 import (
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gotest.tools/v3/assert"
 )

 func TestParse(t *testing.T) {
@@ -57,7 +57,7 @@ func TestParse(t *testing.T) {
 				return
 			}
 			require.NoError(t, err)
-			assert.DeepEqual(t, got, tt.want)
+			assert.Equal(t, tt.want, got)
 		})
 	}
 }
--- a/internal/pkg/report/reporter.go
+++ b/internal/pkg/report/reporter.go
@@ -5,15 +5,17 @@ package report

 import (
 	"context"
+	"errors"
 	"fmt"
 	"regexp"
+	"slices"
 	"strings"
 	"sync"
 	"time"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	retry "github.com/avast/retry-go/v4"
-	"github.com/bufbuild/connect-go"
+	"connectrpc.com/connect"
+	"github.com/avast/retry-go/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -37,9 +39,12 @@ type Reporter struct {
 	state   *runnerv1.TaskState
 	stateMu sync.RWMutex
 	outputs sync.Map
+	daemon  chan struct{}

 	debugOutputEnabled  bool
 	stopCommandEndToken string
+
+	stepIds []string
 }

 func NewReporter(ctx context.Context, cancel context.CancelFunc, client client.Client, task *runnerv1.Task) *Reporter {
@@ -47,6 +52,9 @@ func NewReporter(ctx context.Context, cancel context.CancelFunc, client client.C
 	if v := task.Context.Fields["token"].GetStringValue(); v != "" {
 		oldnew = append(oldnew, v, "***")
 	}
+	if v := task.Context.Fields["gitea_runtime_token"].GetStringValue(); v != "" {
+		oldnew = append(oldnew, v, "***")
+	}
 	for _, v := range task.Secrets {
 		oldnew = append(oldnew, v, "***")
 	}
@@ -60,6 +68,7 @@ func NewReporter(ctx context.Context, cancel context.CancelFunc, client client.C
 		state: &runnerv1.TaskState{
 			Id: task.Id,
 		},
+		daemon: make(chan struct{}),
 	}

 	if task.Secrets["ACTIONS_STEP_DEBUG"] == "true" {
@@ -72,13 +81,20 @@ func NewReporter(ctx context.Context, cancel context.CancelFunc, client client.C
 func (r *Reporter) ResetSteps(l int) {
 	r.stateMu.Lock()
 	defer r.stateMu.Unlock()
-	for i := 0; i < l; i++ {
+	for i := range l {
 		r.state.Steps = append(r.state.Steps, &runnerv1.StepState{
 			Id: int64(i),
 		})
 	}
 }

+func (r *Reporter) SetStepIdMapping(stepIDs ...string) {
+	r.ResetSteps(len(stepIDs))
+	r.stateMu.Lock()
+	defer r.stateMu.Unlock()
+	r.stepIds = stepIDs
+}
+
 func (r *Reporter) Levels() []log.Level {
 	return log.AllLevels
 }
@@ -90,6 +106,18 @@ func appendIfNotNil[T any](s []*T, v *T) []*T {
 	return s
 }

+// isJobStepEntry is used to not report composite step results incorrectly as step result
+// returns true if the logentry is on job level
+// returns false for composite action step messages
+func isJobStepEntry(entry *log.Entry) bool {
+	if v, ok := entry.Data["stepID"]; ok {
+		if v, ok := v.([]string); ok && len(v) > 1 {
+			return false
+		}
+	}
+	return true
+}
+
 func (r *Reporter) Fire(entry *log.Entry) error {
 	r.stateMu.Lock()
 	defer r.stateMu.Unlock()
@@ -106,11 +134,15 @@ func (r *Reporter) Fire(entry *log.Entry) error {
 	if stage != "Main" {
 		if v, ok := entry.Data["jobResult"]; ok {
 			if jobResult, ok := r.parseResult(v); ok {
+				// We need to ensure log upload before this upload
 				r.state.Result = jobResult
 				r.state.StoppedAt = timestamppb.New(timestamp)
 				for _, s := range r.state.Steps {
 					if s.Result == runnerv1.Result_RESULT_UNSPECIFIED {
 						s.Result = runnerv1.Result_RESULT_CANCELLED
+						if jobResult == runnerv1.Result_RESULT_SKIPPED {
+							s.Result = runnerv1.Result_RESULT_SKIPPED
+						}
 					}
 				}
 			}
@@ -126,6 +158,12 @@ func (r *Reporter) Fire(entry *log.Entry) error {
 		if v, ok := v.(int); ok && len(r.state.Steps) > v {
 			step = r.state.Steps[v]
 		}
+	} else if v, ok := entry.Data["stepID"]; ok {
+		if v, ok := v.([]string); ok && len(v) >= 1 {
+			if no := slices.Index(r.stepIds, v[0]); no >= 0 && len(r.state.Steps) > no {
+				step = r.state.Steps[no]
+			}
+		}
 	}
 	if step == nil {
 		if !r.duringSteps() {
@@ -137,6 +175,12 @@ func (r *Reporter) Fire(entry *log.Entry) error {
 	if step.StartedAt == nil {
 		step.StartedAt = timestamppb.New(timestamp)
 	}
+
+	// Force reporting log errors as raw output to prevent silent failures
+	if entry.Level == log.ErrorLevel {
+		entry.Data["raw_output"] = true
+	}
+
 	if v, ok := entry.Data["raw_output"]; ok {
 		if rawOutput, ok := v.(bool); ok && rawOutput {
 			if row := r.parseLogRow(entry); row != nil {
@@ -150,7 +194,7 @@ func (r *Reporter) Fire(entry *log.Entry) error {
 	} else if !r.duringSteps() {
 		r.logRows = appendIfNotNil(r.logRows, r.parseLogRow(entry))
 	}
-	if v, ok := entry.Data["stepResult"]; ok {
+	if v, ok := entry.Data["stepResult"]; ok && isJobStepEntry(entry) {
 		if stepResult, ok := r.parseResult(v); ok {
 			if step.LogLength == 0 {
 				step.LogIndex = int64(r.logOffset + len(r.logRows))
@@ -164,27 +208,29 @@ func (r *Reporter) Fire(entry *log.Entry) error {
 }

 func (r *Reporter) RunDaemon() {
-	if r.closed {
-		return
-	}
-	if r.ctx.Err() != nil {
+	r.stateMu.RLock()
+	closed := r.closed
+	r.stateMu.RUnlock()
+	if closed || r.ctx.Err() != nil {
+		// Acknowledge close
+		close(r.daemon)
 		return
 	}

 	_ = r.ReportLog(false)
-	_ = r.ReportState()
+	_ = r.ReportState(false)

 	time.AfterFunc(time.Second, r.RunDaemon)
 }

-func (r *Reporter) Logf(format string, a ...interface{}) {
+func (r *Reporter) Logf(format string, a ...any) {
 	r.stateMu.Lock()
 	defer r.stateMu.Unlock()

 	r.logf(format, a...)
 }

-func (r *Reporter) logf(format string, a ...interface{}) {
+func (r *Reporter) logf(format string, a ...any) {
 	if !r.duringSteps() {
 		r.logRows = append(r.logRows, &runnerv1.LogRow{
 			Time:    timestamppb.Now(),
@@ -214,9 +260,8 @@ func (r *Reporter) SetOutputs(outputs map[string]string) {
 }

 func (r *Reporter) Close(lastWords string) error {
-	r.closed = true
-
 	r.stateMu.Lock()
+	r.closed = true
 	if r.state.Result == runnerv1.Result_RESULT_UNSPECIFIED {
 		if lastWords == "" {
 			lastWords = "Early termination"
@@ -239,13 +284,23 @@ func (r *Reporter) Close(lastWords string) error {
 		})
 	}
 	r.stateMu.Unlock()
+	// Wait for Acknowledge
+	select {
+	case <-r.daemon:
+	case <-time.After(60 * time.Second):
+		close(r.daemon)
+		log.Error("No Response from RunDaemon for 60s, continue best effort")
+	}

-	return retry.Do(func() error {
-		if err := r.ReportLog(true); err != nil {
-			return err
-		}
-		return r.ReportState()
-	}, retry.Context(r.ctx))
+	// Report the job outcome even when all log upload retry attempts have been exhausted
+	return errors.Join(
+		retry.Do(func() error {
+			return r.ReportLog(true)
+		}, retry.Context(r.ctx)),
+		retry.Do(func() error {
+			return r.ReportState(true)
+		}, retry.Context(r.ctx)),
+	)
 }

 func (r *Reporter) ReportLog(noMore bool) error {
@@ -268,22 +323,25 @@ func (r *Reporter) ReportLog(noMore bool) error {

 	ack := int(resp.Msg.AckIndex)
 	if ack < r.logOffset {
-		return fmt.Errorf("submitted logs are lost")
+		return errors.New("submitted logs are lost")
 	}

 	r.stateMu.Lock()
 	r.logRows = r.logRows[ack-r.logOffset:]
+	submitted := r.logOffset + len(rows)
 	r.logOffset = ack
 	r.stateMu.Unlock()

-	if noMore && ack < r.logOffset+len(rows) {
-		return fmt.Errorf("not all logs are submitted")
+	if noMore && ack < submitted {
+		return errors.New("not all logs are submitted")
 	}

 	return nil
 }

-func (r *Reporter) ReportState() error {
+// ReportState only reports the job result if reportResult is true
+// RunDaemon never reports results even if result is set
+func (r *Reporter) ReportState(reportResult bool) error {
 	r.clientM.Lock()
 	defer r.clientM.Unlock()

@@ -291,8 +349,13 @@ func (r *Reporter) ReportState() error {
 	state := proto.Clone(r.state).(*runnerv1.TaskState)
 	r.stateMu.RUnlock()

+	// Only report result from Close to reliable sent logs
+	if !reportResult {
+		state.Result = runnerv1.Result_RESULT_UNSPECIFIED
+	}
+
 	outputs := make(map[string]string)
-	r.outputs.Range(func(k, v interface{}) bool {
+	r.outputs.Range(func(k, v any) bool {
 		if val, ok := v.(string); ok {
 			outputs[k.(string)] = val
 		}
@@ -316,7 +379,7 @@ func (r *Reporter) ReportState() error {
 	}

 	var noSent []string
-	r.outputs.Range(func(k, v interface{}) bool {
+	r.outputs.Range(func(k, v any) bool {
 		if _, ok := v.(string); ok {
 			noSent = append(noSent, k.(string))
 		}
@@ -347,7 +410,7 @@ var stringToResult = map[string]runnerv1.Result{
 	"cancelled": runnerv1.Result_RESULT_CANCELLED,
 }

-func (r *Reporter) parseResult(result interface{}) (runnerv1.Result, bool) {
+func (r *Reporter) parseResult(result any) (runnerv1.Result, bool) {
 	str := ""
 	if v, ok := result.(string); ok { // for jobResult
 		str = v
@@ -361,7 +424,7 @@ func (r *Reporter) parseResult(result interface{}) (runnerv1.Result, bool) {

 var cmdRegex = regexp.MustCompile(`^::([^ :]+)( .*)?::(.*)$`)

-func (r *Reporter) handleCommand(originalContent, command, parameters, value string) *string {
+func (r *Reporter) handleCommand(originalContent, command, value string) *string {
 	if r.stopCommandEndToken != "" && command != r.stopCommandEndToken {
 		return &originalContent
 	}
@@ -407,7 +470,7 @@ func (r *Reporter) parseLogRow(entry *log.Entry) *runnerv1.LogRow {

 	matches := cmdRegex.FindStringSubmatch(content)
 	if matches != nil {
-		if output := r.handleCommand(content, matches[1], matches[2], matches[3]); output != nil {
+		if output := r.handleCommand(content, matches[1], matches[3]); output != nil {
 			content = *output
 		} else {
 			return nil
@@ -418,7 +481,7 @@ func (r *Reporter) parseLogRow(entry *log.Entry) *runnerv1.LogRow {

 	return &runnerv1.LogRow{
 		Time:    timestamppb.New(entry.Time),
-		Content: content,
+		Content: strings.ToValidUTF8(content, "?"),
 	}
 }

--- a/internal/pkg/report/reporter_test.go
+++ b/internal/pkg/report/reporter_test.go
@@ -5,16 +5,20 @@ package report

 import (
 	"context"
+	"errors"
 	"strings"
+	"sync"
 	"testing"
+	"time"

 	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	connect_go "github.com/bufbuild/connect-go"
+	connect_go "connectrpc.com/connect"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/structpb"
+	"google.golang.org/protobuf/types/known/timestamppb"

 	"gitea.com/gitea/act_runner/internal/pkg/client/mocks"
 )
@@ -169,29 +173,165 @@ func TestReporter_Fire(t *testing.T) {
 			return connect_go.NewResponse(&runnerv1.UpdateTaskResponse{}), nil
 		})
 		ctx, cancel := context.WithCancel(context.Background())
-		taskCtx, err := structpb.NewStruct(map[string]interface{}{})
+		taskCtx, err := structpb.NewStruct(map[string]any{})
 		require.NoError(t, err)
 		reporter := NewReporter(ctx, cancel, client, &runnerv1.Task{
 			Context: taskCtx,
 		})
+		reporter.RunDaemon()
 		defer func() {
-			assert.NoError(t, reporter.Close(""))
+			require.NoError(t, reporter.Close(""))
 		}()
 		reporter.ResetSteps(5)

-		dataStep0 := map[string]interface{}{
+		dataStep0 := map[string]any{
 			"stage":      "Main",
 			"stepNumber": 0,
 			"raw_output": true,
 		}

-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
-		assert.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "::debug::debug log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "regular log line", Data: dataStep0}))
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "composite step result", Data: map[string]any{
+			"stage":      "Main",
+			"stepID":     []string{"0", "0"},
+			"stepNumber": 0,
+			"raw_output": true,
+			"stepResult": "failure",
+		}}))
+		assert.Equal(t, runnerv1.Result_RESULT_UNSPECIFIED, reporter.state.Steps[0].Result)
+		require.NoError(t, reporter.Fire(&log.Entry{Message: "step result", Data: map[string]any{
+			"stage":      "Main",
+			"stepNumber": 0,
+			"raw_output": true,
+			"stepResult": "success",
+		}}))
+		assert.Equal(t, runnerv1.Result_RESULT_SUCCESS, reporter.state.Steps[0].Result)

-		assert.Equal(t, int64(3), reporter.state.Steps[0].LogLength)
+		assert.Equal(t, int64(5), reporter.state.Steps[0].LogLength)
 	})
 }
+
+// TestReporter_EphemeralRunnerDeletion reproduces the exact scenario from
+// https://gitea.com/gitea/act_runner/issues/793:
+//
+//  1. RunDaemon calls ReportLog(false) — runner is still alive
+//  2. Close() updates state to Result=FAILURE (between RunDaemon's ReportLog and ReportState)
+//  3. RunDaemon's ReportState() would clone the completed state and send it,
+//     but the fix makes ReportState return early when closed, preventing this
+//  4. Close's ReportLog(true) succeeds because the runner was not deleted
+func TestReporter_EphemeralRunnerDeletion(t *testing.T) {
+	runnerDeleted := false
+
+	client := mocks.NewClient(t)
+	client.On("UpdateLog", mock.Anything, mock.Anything).Return(
+		func(_ context.Context, req *connect_go.Request[runnerv1.UpdateLogRequest]) (*connect_go.Response[runnerv1.UpdateLogResponse], error) {
+			if runnerDeleted {
+				return nil, errors.New("runner has been deleted")
+			}
+			return connect_go.NewResponse(&runnerv1.UpdateLogResponse{
+				AckIndex: req.Msg.Index + int64(len(req.Msg.Rows)),
+			}), nil
+		},
+	)
+	client.On("UpdateTask", mock.Anything, mock.Anything).Maybe().Return(
+		func(_ context.Context, req *connect_go.Request[runnerv1.UpdateTaskRequest]) (*connect_go.Response[runnerv1.UpdateTaskResponse], error) {
+			// Server deletes ephemeral runner when it receives a completed state
+			if req.Msg.State != nil && req.Msg.State.Result != runnerv1.Result_RESULT_UNSPECIFIED {
+				runnerDeleted = true
+			}
+			return connect_go.NewResponse(&runnerv1.UpdateTaskResponse{}), nil
+		},
+	)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	taskCtx, err := structpb.NewStruct(map[string]any{})
+	require.NoError(t, err)
+	reporter := NewReporter(ctx, cancel, client, &runnerv1.Task{Context: taskCtx})
+	reporter.ResetSteps(1)
+
+	// Fire a log entry to create pending data
+	require.NoError(t, reporter.Fire(&log.Entry{
+		Message: "build output",
+		Data:    log.Fields{"stage": "Main", "stepNumber": 0, "raw_output": true},
+	}))
+
+	// Step 1: RunDaemon calls ReportLog(false) — runner is still alive
+	require.NoError(t, reporter.ReportLog(false))
+
+	// Step 2: Close() updates state — sets Result=FAILURE and marks steps cancelled.
+	// In the real race, this happens while RunDaemon is between ReportLog and ReportState.
+	reporter.stateMu.Lock()
+	reporter.closed = true
+	for _, v := range reporter.state.Steps {
+		if v.Result == runnerv1.Result_RESULT_UNSPECIFIED {
+			v.Result = runnerv1.Result_RESULT_CANCELLED
+		}
+	}
+	reporter.state.Result = runnerv1.Result_RESULT_FAILURE
+	reporter.logRows = append(reporter.logRows, &runnerv1.LogRow{
+		Time:    timestamppb.Now(),
+		Content: "Early termination",
+	})
+	reporter.state.StoppedAt = timestamppb.Now()
+	reporter.stateMu.Unlock()
+
+	// Step 3: RunDaemon's ReportState() — with the fix, this returns early
+	// because closed=true, preventing the server from deleting the runner.
+	require.NoError(t, reporter.ReportState(false))
+	assert.False(t, runnerDeleted, "runner must not be deleted by RunDaemon's ReportState")
+
+	// Step 4: Close's final log upload succeeds because the runner is still alive.
+	// Flush pending rows first, then send the noMore signal (matching Close's retry behavior).
+	require.NoError(t, reporter.ReportLog(false))
+	// Acknowledge Close as done in daemon
+	close(reporter.daemon)
+	err = reporter.ReportLog(true)
+	require.NoError(t, err, "final log upload must not fail: runner should not be deleted before Close finishes sending logs")
+	err = reporter.ReportState(true)
+	require.NoError(t, err, "final state update should work: runner should not be deleted before Close finishes sending logs")
+}
+
+func TestReporter_RunDaemonClose_Race(t *testing.T) {
+	client := mocks.NewClient(t)
+	client.On("UpdateLog", mock.Anything, mock.Anything).Return(
+		func(_ context.Context, req *connect_go.Request[runnerv1.UpdateLogRequest]) (*connect_go.Response[runnerv1.UpdateLogResponse], error) {
+			return connect_go.NewResponse(&runnerv1.UpdateLogResponse{
+				AckIndex: req.Msg.Index + int64(len(req.Msg.Rows)),
+			}), nil
+		},
+	)
+	client.On("UpdateTask", mock.Anything, mock.Anything).Return(
+		func(_ context.Context, req *connect_go.Request[runnerv1.UpdateTaskRequest]) (*connect_go.Response[runnerv1.UpdateTaskResponse], error) {
+			return connect_go.NewResponse(&runnerv1.UpdateTaskResponse{}), nil
+		},
+	)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	taskCtx, err := structpb.NewStruct(map[string]any{})
+	require.NoError(t, err)
+	reporter := NewReporter(ctx, cancel, client, &runnerv1.Task{
+		Context: taskCtx,
+	})
+	reporter.ResetSteps(1)
+
+	// Start the daemon loop in a separate goroutine.
+	// RunDaemon reads r.closed and reschedules itself via time.AfterFunc.
+	var wg sync.WaitGroup
+	wg.Go(func() {
+		reporter.RunDaemon()
+	})
+
+	// Close concurrently — this races with RunDaemon on r.closed.
+	require.NoError(t, reporter.Close(""))
+
+	// Cancel context so pending AfterFunc callbacks exit quickly.
+	cancel()
+	wg.Wait()
+	time.Sleep(2 * time.Second)
+}
--- a/internal/templateeval/evaluate.go
+++ b/internal/templateeval/evaluate.go
@@ -0,0 +1,195 @@
+package templateeval
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	v2 "gitea.com/gitea/act_runner/internal/eval/v2"
+	exprparser "gitea.com/gitea/act_runner/internal/expr"
+	"gitea.com/gitea/act_runner/pkg/schema"
+	"gopkg.in/yaml.v3"
+)
+
+type ExpressionEvaluator struct {
+	RestrictEval      bool
+	EvaluationContext v2.EvaluationContext
+}
+
+func isImplExpr(snode *schema.Node) bool {
+	def := snode.Schema.GetDefinition(snode.Definition)
+	return def.String != nil && def.String.IsExpression
+}
+
+func (ee ExpressionEvaluator) evaluateScalarYamlNode(_ context.Context, node *yaml.Node, snode *schema.Node) (*yaml.Node, error) {
+	var in string
+	if err := node.Decode(&in); err != nil {
+		return nil, err
+	}
+	expr, isExpr, err := rewriteSubExpression(in, false)
+	if err != nil {
+		return nil, err
+	}
+	if snode == nil || !isExpr && !isImplExpr(snode) || snode.Schema.GetDefinition(snode.Definition).String.IsExpression || ee.RestrictEval && node.Tag != "!!expr" {
+		return node, nil
+	}
+	parsed, err := exprparser.Parse(expr)
+	if err != nil {
+		return nil, err
+	}
+	canEvaluate := ee.canEvaluate(parsed, snode)
+	if !canEvaluate {
+		node.Tag = "!!expr"
+		return node, nil
+	}
+
+	eval := v2.NewEvaluator(&ee.EvaluationContext)
+	res, err := eval.EvaluateRaw(expr)
+	if err != nil {
+		return nil, err
+	}
+	ret := &yaml.Node{}
+	if err := ret.Encode(res); err != nil {
+		return nil, err
+	}
+	ret.Line = node.Line
+	ret.Column = node.Column
+	// Finally check if we found a schema validation error
+	return ret, snode.UnmarshalYAML(ret)
+}
+
+func (ee ExpressionEvaluator) canEvaluate(parsed exprparser.Node, snode *schema.Node) bool {
+	canEvaluate := true
+	for _, v := range snode.GetVariables() {
+		canEvaluate = canEvaluate && ee.EvaluationContext.Variables.Get(v) != nil
+	}
+	for _, v := range snode.GetFunctions() {
+		canEvaluate = canEvaluate && ee.EvaluationContext.Functions.Get(v.GetName()) != nil
+	}
+	exprparser.VisitNode(parsed, func(node exprparser.Node) {
+		switch el := node.(type) {
+		case *exprparser.FunctionNode:
+			canEvaluate = canEvaluate && ee.EvaluationContext.Functions.Get(el.Name) != nil
+		case *exprparser.ValueNode:
+			canEvaluate = canEvaluate && (el.Kind != exprparser.TokenKindNamedValue || ee.EvaluationContext.Variables.Get(el.Value.(string)) != nil)
+		}
+	})
+	return canEvaluate
+}
+
+func (ee ExpressionEvaluator) evaluateMappingYamlNode(ctx context.Context, node *yaml.Node, snode *schema.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
+	// GitHub has this undocumented feature to merge maps, called insert directive
+	insertDirective := regexp.MustCompile(`\${{\s*insert\s*}}`)
+	for i := 0; i < len(node.Content)/2; i++ {
+		k := node.Content[i*2]
+		var sk string
+		shouldInsert := k.Decode(&sk) == nil && insertDirective.MatchString(sk)
+		changed := func() error {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return err
+				}
+				ret.Content = ret.Content[:i*2]
+			}
+			return nil
+		}
+		var ek *yaml.Node
+		if !shouldInsert {
+			var err error
+			ek, err = ee.evaluateYamlNodeInternal(ctx, k, snode)
+			if err != nil {
+				return nil, err
+			}
+			if ek != nil {
+				if err := changed(); err != nil {
+					return nil, err
+				}
+			} else {
+				ek = k
+			}
+		}
+		v := node.Content[i*2+1]
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v, snode.GetNestedNode(ek.Value))
+		if err != nil {
+			return nil, err
+		}
+		if ev != nil {
+			if err := changed(); err != nil {
+				return nil, err
+			}
+		} else {
+			ev = v
+		}
+		// Merge the nested map of the insert directive
+		if shouldInsert {
+			if ev.Kind != yaml.MappingNode {
+				return nil, fmt.Errorf("failed to insert node %v into mapping %v unexpected type %v expected MappingNode", ev, node, ev.Kind)
+			}
+			if err := changed(); err != nil {
+				return nil, err
+			}
+			ret.Content = append(ret.Content, ev.Content...)
+		} else if ret != nil {
+			ret.Content = append(ret.Content, ek, ev)
+		}
+	}
+	return ret, nil
+}
+
+func (ee ExpressionEvaluator) evaluateSequenceYamlNode(ctx context.Context, node *yaml.Node, snode *schema.Node) (*yaml.Node, error) {
+	var ret *yaml.Node
+	for i := 0; i < len(node.Content); i++ {
+		v := node.Content[i]
+		// Preserve nested sequences
+		wasseq := v.Kind == yaml.SequenceNode
+		ev, err := ee.evaluateYamlNodeInternal(ctx, v, snode.GetNestedNode("*"))
+		if err != nil {
+			return nil, err
+		}
+		if ev != nil {
+			if ret == nil {
+				ret = &yaml.Node{}
+				if err := ret.Encode(node); err != nil {
+					return nil, err
+				}
+				ret.Content = ret.Content[:i]
+			}
+			// GitHub has this undocumented feature to merge sequences / arrays
+			// We have a nested sequence via evaluation, merge the arrays
+			if ev.Kind == yaml.SequenceNode && !wasseq {
+				ret.Content = append(ret.Content, ev.Content...)
+			} else {
+				ret.Content = append(ret.Content, ev)
+			}
+		} else if ret != nil {
+			ret.Content = append(ret.Content, v)
+		}
+	}
+	return ret, nil
+}
+
+func (ee ExpressionEvaluator) evaluateYamlNodeInternal(ctx context.Context, node *yaml.Node, snode *schema.Node) (*yaml.Node, error) {
+	switch node.Kind {
+	case yaml.ScalarNode:
+		return ee.evaluateScalarYamlNode(ctx, node, snode)
+	case yaml.MappingNode:
+		return ee.evaluateMappingYamlNode(ctx, node, snode)
+	case yaml.SequenceNode:
+		return ee.evaluateSequenceYamlNode(ctx, node, snode)
+	default:
+		return nil, nil //nolint:nilnil
+	}
+}
+
+func (ee ExpressionEvaluator) EvaluateYamlNode(ctx context.Context, node *yaml.Node, snode *schema.Node) error {
+	ret, err := ee.evaluateYamlNodeInternal(ctx, node, snode)
+	if err != nil {
+		return err
+	}
+	if ret != nil {
+		return ret.Decode(node)
+	}
+	return nil
+}
--- a/Show More
+++ b/Show More