[BUG] Composite actions should be provisioned with ACTIONS_RUNTIME_TOKEN just like the node and docker ones

[webknjaz]

Currently, ACTIONS_RUNTIME_TOKEN is exposed to nodejs and docker action types, but not the composite ones. So accessing it is rather limited to 2/3 types of the action types. It's not a private implementation detail and GitHub's own docs even show accessing it through the normal JS env var interface (process.env): https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-environment-variables. There's also no recommendations not to use it, it's rather undocumented that it's surprisingly inaccessible from within non-actions and composite actions.

Which is why I think it's actually a bug that got overlooked, unintentionally vendor-locking the action authors to docker or nodejs. It shouldn't be like this so I'm filing this issue to ask this (and related) env vars to be exposed to all action types equally.

The other action implementations set the env var like this:

• nodejs:

  runner/src/Runner.Worker/Handlers/NodeScriptActionHandler.cs

  Line 56 in 9e3e57f

  Environment["ACTIONS_RUNTIME_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];

• container:

  runner/src/Runner.Worker/Handlers/ContainerActionHandler.cs

  Line 221 in 9e3e57f

  Environment["ACTIONS_RUNTIME_TOKEN"] = systemConnection.Authorization.Parameters[EndpointAuthorizationParameters.AccessToken];