Gitea Actions does not expand expressions in `jobs.<job>.container.volumes`

[jotego]

Gitea Version

1.26.1

What happened?

I tried to use repository secrets as the host-side bind mount paths:

jobs:
  simulate:
    runs-on: ubuntu-22.04
    container:
      image: jotego/simulator
      volumes:
        - ${{ secrets.MAME }}:/root/.mame/roms:ro
        - ${{ secrets.REGRUNS }}:/nobackup/regression
    steps:
      - name: Check paths
        run: |
          echo "MAME=${{ secrets.MAME }}"
          echo "REGRUNS=${{ secrets.REGRUNS }}"

The secrets are available in step/env expression contexts, but they are not expanded in container.volumes.

The runner log shows the volume sources remain literal:

[${{ secrets.MAME }}] is not a valid volume, will be ignored
[${{ secrets.REGRUNS }}] is not a valid volume, will be ignored

This means the job container starts without the expected bind mounts.

Expected behavior

The volume definitions should be evaluated before creating the job container, so this:

volumes:
  - ${{ secrets.MAME }}:/root/.mame/roms:ro

binds the host path stored in secrets.MAME into /root/.mame/roms.

Alternatively, if expressions are intentionally unsupported in container.volumes, this limitation should be documented clearly.

Actual behavior

The expressions are passed through literally to the runner/container setup. The runner then rejects them as invalid volume paths.

How are you running Gitea?

Gitea is deployed with Docker Compose on a Synology NAS running DSM. It uses the official Gitea Docker image and SQLite as the database.

[bircni]

This is a runner issue, not Gitea.

go-gitea/runner interpolates container.image, container.options, and service volumes, but job container.volumes are passed
through literally in GetBindsAndMounts() (act/runner/run_context.go). The runner then rejects ${{ secrets.MAME }} as an
invalid host path in sanitizeConfig() (act/container/docker_run.go).

Fix belongs in the runner: interpolate job container.volumes like service volumes already are in startJobContainer().

Note: GitHub doesn't list secrets as available under jobs.<job_id>.container, so this may not match upstream Actions
semantics even after a fix.

Workaround: use literal paths in container.volumes, or pass values via container.env and handle mounts inside the container.

[bircni]

See: https://gitea.com/gitea/runner/pulls/1036