
locally running workflow with nektos/act fails environment variable was unset #278

Closed
YoraiLevi opened this issue Oct 29, 2024 · 4 comments
Labels
invalid This doesn't seem right question Further information is requested wontfix This will not be worked on

Comments

@YoraiLevi

I am trying to form a locally reproducible workflow run for testing and experimenting without pushing to GitHub, so I am using Act.
While the following workflow seems to work OK on GitHub, publishing to test.pypi, it doesn't work locally.

# .env
GITHUB_TOKEN=github_pat_*******fine_grained_token
ACTIONS_ID_TOKEN_REQUEST_TOKEN=github_pat_*****same_fine_grained_token
GITHUB_WORKFLOW_REF=refs/heads/master

gh act --secret-file .env

...
[Upload Python Package/deploy]   💬  ::debug::Authenticating to https://test.pypi.org/legacy/ via Trusted Publishing
[Upload Python Package/deploy]   💬  ::debug::Selected Trusted Publishing Exchange Endpoint: Https://Test.Pypi.Org/_/Oidc/Mint-Token
[Upload Python Package/deploy]   ❗  ::error::Trusted publishing exchange failure: %0AOpenID Connect token retrieval failed: GitHub: missing or insufficient OIDC token permissions, the ACTIONS_ID_TOKEN_REQUEST_URL environment variable was unset%0A%0AThis generally indicates a workflow configuration error, such as insufficient%0Apermissions. Make sure that your workflow has `id-token: write` configured%0Aat the job level, e.g.:%0A%0A```yaml%0Apermissions:%0A  id-token: write%0A```%0A%0ALearn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.%0A

From the error message I understand that ACTIONS_ID_TOKEN_REQUEST_URL is also required, and my guess is that it is a URL for authentication with GitHub, which, even if I were to set it, would be detrimental to the purpose of what I am trying to do: run the workflow completely locally and also run it on GitHub without any changes to the workflow file (which is why I am ruling out using https://github.com/pypiserver/pypiserver).

Do you think it is possible to set up a local "testing" environment for workflows using this publishing action?

Steps to reproduce

set up an account/project on test.pypi according to https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#configuring-trusted-publishing
fork using this commit: https://github.com/YoraiLevi/pip_installable_module/tree/84d86f0203368f47c604ddb7d26e7419c12bc5de
have Act installed, https://nektosact.com/installation/gh.html
create a fine grained token with github for the repository forked
populate a .env file at the root of the repository
execute gh act --secret-file .env -W .github/workflows/python-publish.yml

output log file: python-publish.log

@webknjaz
Member

FWIW, it'd be nice to integrate act into this repository's CI, additionally to what we have.
ACTIONS_ID_TOKEN_REQUEST_URL is used for OIDC IIRC. And OIDC is auto-activated on the code path with an empty password.

Using trusted publishing is only possible with platforms for which PyPI implemented it, and localhost isn't one of them. PyPI (and TestPyPI) is able to trust GitHub's signatures, but not an arbitrary localhost. It won't be possible to use it locally. I think, you should be able to do API-token based uploads by only setting the password input. That code path shouldn't trigger anything requiring OIDC. You might end up seeing a warning/suggestion, though.

If you start messing with env vars that GH only sets in OIDC-enabled runtimes, the action may end up thinking that it's available when it isn't.

In general, this request sounds similar to #275 in that it attempts running the action in an unsupported/untested env.

@webknjaz
Member

Looking into the log and checking https://github.com/YoraiLevi/pip_installable_module/blob/84d86f0203368f47c604ddb7d26e7419c12bc5de/.github/workflows/python-publish.yml, I can confirm that you are not passing the token to the action (action inputs are not the same as env vars), which triggers an attempt to use trusted publishing where it's physically impossible.

Additionally, your workflow should not build the dists in the same job as publishing when OIDC is enabled because you're giving elevated privileges to impersonate your repository to the build dependency tree.
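One way to lay out a workflow that follows both of the points above (the token is passed as the action's password input rather than an env var, and building is split from publishing so only the publish job holds id-token: write), written here as an added illustration that is not from the issue or the reporter's repository; the action versions, artifact name and Python version are assumptions, and TEST_PYPI_API_TOKEN is the secret name the reporter later used:

```yaml
name: Upload Python Package

on:
  release:
    types: [published]

jobs:
  build:
    # No elevated permissions here: the build dependency tree never sees an
    # OIDC token that could impersonate the repository.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"   # assumed
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      - name: Hand the dists to the publish job
        uses: actions/upload-artifact@v4
        with:
          name: python-package-distributions   # assumed artifact name
          path: dist/

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # only this job may mint an OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: python-package-distributions
          path: dist/
      - name: Publish to TestPyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          # A non-empty password input selects the API-token code path, so the
          # same file runs under act with TEST_PYPI_API_TOKEN in --secret-file.
          # On GitHub, leaving the secret undefined makes this empty, and an
          # empty password is what activates trusted publishing (OIDC).
          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
```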

@webknjaz webknjaz added invalid This doesn't seem right question Further information is requested wontfix This will not be worked on labels Oct 30, 2024
YoraiLevi added a commit to YoraiLevi/pip_installable_module that referenced this issue Oct 30, 2024
@YoraiLevi
Author

YoraiLevi commented Oct 30, 2024

Adding password: ${{ secrets.TEST_PYPI_API_TOKEN }} and configuring the TEST_PYPI_API_TOKEN API token in the .env file seems to make it work locally too.
.env

GITHUB_WORKFLOW_REF=refs/heads/master
TEST_PYPI_API_TOKEN=pypi-******

It wasn't clear from the documentation that I could "fall back" on OIDC
Thanks!

@webknjaz
Member

Don't expose that secret to env vars, though.
