Using Service in Action breaks Authentication to Gitea Container Registry

Hi there,

I have a strange problem authenticating to my gitea container registry when a service is present in a job.
Without that service, everything works just fine. After adding that service, the credentials for the main container are no longer being used, and thus authentication fails.

This works just fine. The image is pulled and authentication against gitea container registry is successful:

name: Build Project
on: [push]
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    container:      
      image: git.foobar.myhost.tld/foobar/foobar-dev:latest
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_TOKEN }}    
    steps:
      - name: Nothing really
        run: echo "Hello, world!"

I can see the credentials being used in the logs of the Set up job step:

Start image=git.foobar.myhost.tld/foobar/foobar-dev:latest
  docker pull image=git.foobar.myhost.tld/foobar/foobar-dev:latest platform= username=*** forcePull=true
  docker pull git.foobar.myhost.tld/foobar/foobar-dev:latest

Now, after adding a service, the setup step fails:

name: Build Project
on: [push]
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    container:      
      image: git.foobar.myhost.tld/foobar/foobar-dev:latest
      credentials:
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_TOKEN }}    
    services:
      db:
        image: docker.io/library/postgres:16.4
        shm_size: 128mb
        environment:
        POSTGRES_USER: foobar
        POSTGRES_PASSWORD: foobar
        POSTGRES_DB: foobar-dev
    steps:
      - name: Nothing really
        run: echo "Hello, world!"

The logs show that the credentials are no longer being used:

  Start image=git.foobar.myhost.tld/foobar/foobar-dev:latest
  docker pull image=docker.io/library/postgres:16.4 platform= username= forcePull=true
  docker pull docker.io/library/postgres:16.4
pulling image 'docker.io/library/postgres:16.4' ()
Pulling from library/postgres :: 16.4
Digest: sha256:59c554e6f26822fd489ebbdef431457db2debd0c5762b24f11f603db5b91dfcc :: 
Status: Image is up to date for postgres:16.4 :: 
  docker pull image=git.foobar.myhost.tld/foobar/foobar-dev:latest platform= username= forcePull=true
  docker pull git.foobar.myhost.tld/foobar/foobar-dev:latest
pulling image 'git.foobar.myhost.tld/foobar/foobar-dev:latest' ()
Error response from daemon: unauthorized: authentication required

Specifying a service (using an image from docker hub) seems to break authentication for the main container (which is from my private gitea registry).
Any idea what’s going on here?

By looking into act/pkg/runner/run_context.go at master · nektos/act · GitHub, I figured that main container credentials are getting overwritten by service credentials. Adding the same credentials to the service fixes the problem (even if they are not needed there). I’ll open a bug for this.