Secrets from --secret-file aren’t loaded when running act on Apple‑Silicon

[tripsee-jacob]

Hi everyone 👋

I’m trying to run my Flutter CI workflow locally with act on a MacBook Pro (M‑series, macOS 15.5) and I keep hitting a signing error from yukiarrr/ios-build-action:

::error::P12 keys missing or in the wrong format.

What I’m doing:

act --secret-file my.secrets push -P macos-latest=-self-hosted --container-architecture linux/amd64

my.secrets is in classic dotenv format (no export, one line, trailing \n):

IOS_CERT_BASE64=MIITdwYJKoZIhvcNAQcC... # one long line
IOS_CERT_PASSWORD=MyStrongPassword
IOS_PROFILE_BASE64=MIINzwIBAzCCA7YG... # one long line

What I see:

A debug step prints zero for each signing secret:

IOS_CERT_BASE64 length: 0
IOS_CERT_PASSWORD length: 0
IOS_PROFILE_BASE64 length: 0

Naturally the iOS build step fails with the “P12 keys missing” error.

If I inline a secret with -s FOO=bar it does appear in the job, so act can read secrets—it just ignores every line in my.secrets.

macOS 15.5 (Apple silicon)
act version 0.2.78

Things I’ve tried:

Re‑encoded the .p12 & .mobileprovision with
base64 -b 0 -i file > my.secrets (single line, no line breaks).

Verified the file ends with a newline:
tail -c1 my.secrets | od -An -t a → nl

Removed export, quotes, whitespace, CR‑LF, BOM, etc.

Hard‑coded dummy secrets (TEST_SECRET=hello) → they are read if placed in my.secrets, so parsing isn’t completely broken.

Same secrets copy‑pasted into a GitHub repo’s Actions → Secrets work perfectly on GitHub CI.

Questions:

Is there a known dotenv edge‑case (length, characters, size) that causes all large values to be skipped?

Does act require a different flag/format for multi‑kilobyte secrets?

Any way to get act to show why it discards a line in --secret-file?

Any pointers are much appreciated—been staring at this for hours. 😅

Thanks!

[ChristopherHX]

Hi @tripsee-jacob,

I would suggest to try naming your secrets file .yml and use the YAML format. The same parser is used to read workflows.

dotenv internals are obscure to me, as a workflow author I expect you know this YAML format pretty good.

I know GITHUB_ENV / GITHUB_OUTPUT that do not use godotenv have arbitary low line length constraints due to stdlib defaults that is on my TODO.

[tripsee-jacob]

Turns outs I had to use the .secrets file in the root of the project. I was trying to use a my.secrets file in the workflows folder and it didn't like that.

[ChristopherHX]

idk nothing about your problem description read like your outcome, only you the OP knows all details

if you pass a relative file path, this is the same as $PWD/my.secrets and not $PWD/.github/workflows/my.secrets.

Is there a bug in act that does not return errors if a secret file is not found? Or did you create two my.secrets files one in the root and one in .github/workflows then you might created the nightmare by yourself

Is there anything that could be improved from act side?

[tripsee-jacob]

Perhaps this is entirely my fault - I was simply passing 'my.secrets' on the act command rather than '$PWD/my.secrets'. I believe the documentation could be adjusted to include the working directory prefix in the instructions.