@ChristopherHX When you have a chance, could you test out this change as I do not have a Mac or Linux

@ChristopherHX Turns out there is an issue with handling quotes in inputs. Variables are fine however. Is this an issue in act?

[Echo Test/SAMPLE] variable with spaces and quotes"
[Echo Test/SAMPLE] /var/run/act/workflow/0: line 3: unexpected EOF while looking for matching `"'

act --workflows ".github/workflows/sample.yaml" --secret-file "" --var MY_VAR="variable with spaces and quotes\"" --var-file "" --input MY_INPUT="input with spaces and quotes\"" --input-file "" --eventpath ""

name: Echo Test

on:
  push:
    branches: ["main"]

jobs:
  sample:
    name: SAMPLE

    runs-on: ubuntu-latest

    steps:
      - name: Echo
        run: |
          echo '${{ vars.MY_VAR }}'
          echo ${{ github.event.inputs.MY_INPUT }}

Is this an issue in act?

No, your workflow just has a script injection vulnerability. Regardless of using act or not

It's best practice to use shell environment variables for passing untrusted data.

Learn more here
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack

Variables are fine however

Your variable line has an incomplete mitigation of a special case of script injection by using single quotes '

Yes I just accept this risk myself a lot, mitigation adds more code