core.getInput (and maybe other things) doesn't work in another action
Please let me know if I'm just doing things wrong, but when actions/github-script is used within another action, things like core.getInput('some_input') don't return anything.
I have a test here to demonstrate: https://github.com/daleyjem/test-github-script/pull/1
Workflow File
name: Test
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  test:
    name: test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Test input
        uses: ./.github/actions/test-input
Action File
name: Test Input
description: Test input
inputs:
  my_input:
    description: My input
    required: false
    default: 'foobar'
runs:
  using: 'composite'
  steps:
    - name: Log input val
      uses: actions/github-script@v6
      with:
        script: |
          console.log('my_input =', core.getInput('my_input'))
    - name: Log it the other way
      run: |
        echo ${{ inputs.my_input }}
      shell: bash
A possible workaround: interpolate your inputs into the script code:
console.log('my_input =', "${{ inputs.my_input }}")
However, this breaks if the input value contains certain characters, e.g. a double quote. And using this workaround it is even possible to inject additional JavaScript code into the action:
- name: Test input
  uses: ./.github/actions/test-input
  with:
    my_input: 'foo"); console.log("ohoh'
So you have to be careful when using this workaround.
Transferring to actions/toolkit, this isn't a github-script specific issue.
There is a workaround: Pass the input as an argument of the github-script action (below with:).
It is definitely not optimal and it causes a warning in the GitHub Action UI; but it works and is not prone to script injection.
name: Test Input
description: Test input
inputs:
  my_input:
    description: My input
    required: false
    default: 'foobar'
runs:
  using: 'composite'
  steps:
    - name: Log input val
      uses: actions/github-script@v6
      with:
        my_input: ${{ inputs.my_input }}
        script: |
          console.log('my_input =', core.getInput('my_input'))
Warning in the Workflow detail page:
Unexpected input(s) 'my_input', valid inputs are ['script', 'github-token', 'debug', 'user-agent', 'previews', 'result-encoding']
Just faced this issue today, and @stefreak's workaround is not working for me 🤔
Alternative workaround (that worked for me). Use the toJSON github actions template function to interpolate inputs:
name: Test Input
description: Test input
inputs:
  my_input:
    description: My input
    required: false
    default: 'foobar'
runs:
  using: 'composite'
  steps:
    - name: Log input val
      uses: actions/github-script@v6
      with:
        script: |
          const inputs = ${{ toJSON(inputs) }};
          console.log("My input!", inputs.my_input);
@homburg that's a good idea, and shouldn't be prone to script injection attacks either because of the json encoding 👍
Just faced this issue today, and @stefreak's workaround is not working for me 🤔
@gmazzo Can you share what went wrong? Then I could edit my comment to make it more clear / fix the issue
To be honest, I don't remember. At the end, I just dropped it and changed the approach by writing an action from scratch
on.workflow_call tends to be the types of workflows of which I use inputs the most. Not having getInput return the input greatly diminishes the utility of github-script imo!
Looks like gha should support something like:
passthrough_inputs: true
^^ passes all inputs
and/or:
passthrough_inputs:
  - foo
  - bar
  - baz
^^ passes selected inputs
This toJson hack is great but oh boy, it is mind bending scope shenanigans available only in yaml programming language.
It has been 2 years already. GitHub, please fix this. @actions/github-script is not a third-party library, users expect it to work on GitHub Actions with hassle-free experience. Using features in @actions/github-script like core.getInput should be as simple as using a USB keyboard with your PC, now @actions/github-script feels like an antique PS/2 keyboard.
The bare minimum: If this use case is not supported, it should at least be documented.
+1 on fixing this; it's a nuisance and impacting developer productivity.
Another workaround is to define environment variables based on the inputs and then use process.env.my_input in the script. This has the same verbosity as the workaround of repeating the inputs (but doesn't cause any warnings), and aids testability in that the script does not contain variable interpolation, and when extracted and put in a test harness there's no need for mocking the core.getInput() function.
name: Test Input
description: Test input
inputs:
  my_input:
    description: My input
    required: false
    default: 'foobar'
runs:
  using: 'composite'
  steps:
    - name: Log input val
      uses: actions/github-script@v6
      env:
        my_input: ${{ inputs.my_input }}
      with:
        script: |
          console.log('my_input =', process.env.my_input)
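How the interpolation, toJSON and env workarounds from this thread behave when the input carries the quote-breaking value shown earlier, as an added example that is not part of the original thread or of github-script. `renderTemplate` and `runScript` are hypothetical helpers: they model the `${{ }}` substitution as plain text replacement (with `toJSON` approximated by `JSON.stringify`) and evaluate the resulting script with a fake `console`.

```javascript
// Added example: models the runner pasting ${{ ... }} values into the `script`
// text before it is evaluated. renderTemplate and runScript are hypothetical
// stand-ins, not runner or github-script code.

// Constructed input, taken from the injection demonstration in the thread.
const HOSTILE = 'foo"); console.log("ohoh';
const inputs = { my_input: HOSTILE };

// Expression substitution is text replacement: the value is pasted in with no
// awareness of JavaScript quoting. toJSON is modelled with JSON.stringify.
function renderTemplate(script, values) {
  return script
    .replace(/\$\{\{\s*toJSON\(inputs\)\s*\}\}/g, () => JSON.stringify(values, null, 2))
    .replace(/\$\{\{\s*inputs\.(\w+)\s*\}\}/g, (_, name) => values[name] ?? '');
}

// Evaluate the rendered script with a fake console and process, and return
// the argument list of every console.log call it made.
function runScript(source, env = {}) {
  const calls = [];
  const fakeConsole = { log: (...args) => calls.push(args) };
  new Function('console', 'process', source)(fakeConsole, { env });
  return calls;
}

// 1. Direct interpolation: the input closes the string and adds a statement.
function interpolated() {
  const script = `console.log('my_input =', "\${{ inputs.my_input }}")`;
  return runScript(renderTemplate(script, inputs));
}

// 2. toJSON: the inputs arrive as a JSON literal with the quotes escaped.
function viaToJSON() {
  const script = 'const inputs = ${{ toJSON(inputs) }};\n' +
    'console.log("My input!", inputs.my_input);';
  return runScript(renderTemplate(script, inputs));
}

// 3. env: the script text contains no expression; the value stays data.
function viaEnv() {
  return runScript("console.log('my_input =', process.env.my_input)", { my_input: HOSTILE });
}

console.log('interpolated:', interpolated().length, 'console.log calls');
console.log('toJSON:', viaToJSON());
console.log('env:', viaEnv());
```

Only the first variant lets the input change how many statements run; in the other two the full value comes back as a single string argument.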
Workaround with env:
name: "Message"
description: "Print info message"
inputs:
  message:
    description: "Message to print"
    required: false
    default: "Hello, World!"
runs:
  using: "composite"
  steps:
    - name: "Print message"
      uses: "actions/github-script@v7"
      env:
        INPUT_MESSAGE: "${{ inputs.message }}"
      with:
        script: |
          const message = core.getInput('message');
          core.info(`Message: ${message}`);