1
0
mirror of https://github.com/actions/checkout.git synced 2026-07-08 19:03:47 +08:00

Compare commits

..

4 Commits

Author SHA1 Message Date
eric sciple
34e114876b Cleanup actions/checkout@v6 auth style (#2305) 2025-11-13 17:20:02 -06:00
Salman Chishti
08eba0b27e Prepare release v4.3.0 (#2237) 2025-08-11 11:30:37 +01:00
Salman Chishti
631c7dc4f8 Update package dependencies (#2236)
* package updates

* update dist

* Update license files
2025-08-11 11:22:41 +01:00
Tingluo Huang
8edcb1bdb4 Update CODEOWNERS for actions (#2224) 2025-07-23 09:20:20 -04:00
14 changed files with 884 additions and 650 deletions

View File

@@ -1,9 +1,9 @@
---
name: "@octokit/endpoint"
version: 9.0.5
version: 9.0.6
type: npm
summary: Turns REST API endpoints into generic request options
homepage:
homepage:
license: mit
licenses:
- sources: LICENSE

View File

@@ -1,9 +1,9 @@
---
name: "@octokit/plugin-paginate-rest"
version: 9.2.1
version: 9.2.2
type: npm
summary: Octokit plugin to paginate REST API endpoint responses
homepage:
homepage:
license: mit
licenses:
- sources: LICENSE

View File

@@ -1,9 +1,9 @@
---
name: "@octokit/request-error"
version: 5.1.0
version: 5.1.1
type: npm
summary: Error class for Octokit request errors
homepage:
homepage:
license: mit
licenses:
- sources: LICENSE

View File

@@ -1,10 +1,10 @@
---
name: "@octokit/request"
version: 8.4.0
version: 8.4.1
type: npm
summary: Send parameterized requests to GitHub's APIs with sensible defaults in browsers
and Node
homepage:
homepage:
license: mit
licenses:
- sources: LICENSE

View File

@@ -1,6 +1,6 @@
---
name: undici
version: 5.28.4
version: 5.29.0
type: npm
summary: An HTTP/1.1 client, written from scratch for Node.js
homepage: https://undici.nodejs.org

View File

@@ -1,5 +1,14 @@
# Changelog
## V4.3.0
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
* Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
* Adjust positioning of user email note and permissions heading by @joshmgross in https://github.com/actions/checkout/pull/2044
* Update README.md by @nebuk89 in https://github.com/actions/checkout/pull/2194
* Update CODEOWNERS for actions by @TingluoHuang in https://github.com/actions/checkout/pull/2224
* Update package dependencies by @salmanmkc in https://github.com/actions/checkout/pull/2236
## v4.2.2
* `url-helper.ts` now leverages well-known environment variables by @jww3 in https://github.com/actions/checkout/pull/1941
* Expand unit test coverage for `isGhes` by @jww3 in https://github.com/actions/checkout/pull/1946

View File

@@ -1 +1 @@
* @actions/actions-launch
* @actions/actions-runtime

View File

@@ -675,6 +675,283 @@ describe('git-auth-helper tests', () => {
expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
})
const removeAuth_removesV6StyleCredentials =
'removeAuth removes v6 style credentials'
it(removeAuth_removesV6StyleCredentials, async () => {
// Arrange
await setup(removeAuth_removesV6StyleCredentials)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
// Manually create v6-style credentials that would be left by v6
const credentialsFileName =
'git-credentials-12345678-1234-1234-1234-123456789abc.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf entries to local git config (simulating v6 configuration)
const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
await fs.promises.appendFile(
localGitConfigPath,
`[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
)
await fs.promises.appendFile(
localGitConfigPath,
`[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
)
// Verify v6 style config exists
let gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
expect(
gitConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
await fs.promises.stat(credentialsFilePath) // Verify file exists
// Mock the git methods to handle v6 cleanup
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
mockTryGetConfigKeys.mockResolvedValue([
`includeIf.gitdir:${hostGitDir}/.path`,
'includeIf.gitdir:/github/workspace/.git/.path'
])
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
mockTryGetConfigValues.mockImplementation(async (key: string) => {
if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
return [credentialsFilePath]
}
if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
return [`/github/runner_temp/${credentialsFileName}`]
}
return []
})
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
any,
any
>
mockTryConfigUnsetValue.mockImplementation(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
) => {
const targetPath = configPath || localGitConfigPath
let content = await fs.promises.readFile(targetPath, 'utf8')
// Remove the includeIf section
const lines = content
.split('\n')
.filter(line => !line.includes('includeIf') && !line.includes(value))
await fs.promises.writeFile(targetPath, lines.join('\n'))
return true
}
)
// Act
await authHelper.removeAuth()
// Assert includeIf entries removed from local git config
gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
// Assert credentials config file deleted
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
} catch (err) {
if ((err as any)?.code !== 'ENOENT') {
throw err
}
}
})
const removeAuth_removesV6StyleCredentialsFromSubmodules =
'removeAuth removes v6 style credentials from submodules'
it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
// Arrange
await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
// Create fake submodule config paths
const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
const submodule1ConfigPath = path.join(submodule1Dir, 'config')
await fs.promises.mkdir(submodule1Dir, {recursive: true})
await fs.promises.writeFile(submodule1ConfigPath, '')
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
// Create v6-style credentials file
const credentialsFileName =
'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf entries to submodule config
const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
await fs.promises.appendFile(
submodule1ConfigPath,
`[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
)
// Verify submodule config has includeIf entry
let submoduleConfigContent = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
0
)
expect(
submoduleConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Mock getSubmoduleConfigPaths
const mockGetSubmoduleConfigPaths =
git.getSubmoduleConfigPaths as jest.Mock<any, any>
mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
// Mock tryGetConfigKeys for submodule
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
mockTryGetConfigKeys.mockImplementation(
async (pattern: string, globalConfig?: boolean, configPath?: string) => {
if (configPath === submodule1ConfigPath) {
return [`includeIf.gitdir:${submodule1GitDir}/.path`]
}
return []
}
)
// Mock tryGetConfigValues for submodule
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
mockTryGetConfigValues.mockImplementation(
async (key: string, globalConfig?: boolean, configPath?: string) => {
if (
configPath === submodule1ConfigPath &&
key === `includeIf.gitdir:${submodule1GitDir}/.path`
) {
return [credentialsFilePath]
}
return []
}
)
// Mock tryConfigUnsetValue for submodule
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
any,
any
>
mockTryConfigUnsetValue.mockImplementation(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
) => {
const targetPath = configPath || localGitConfigPath
let content = await fs.promises.readFile(targetPath, 'utf8')
const lines = content
.split('\n')
.filter(line => !line.includes('includeIf') && !line.includes(value))
await fs.promises.writeFile(targetPath, lines.join('\n'))
return true
}
)
// Act
await authHelper.removeAuth()
// Assert submodule includeIf entries removed
submoduleConfigContent = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
// Assert credentials file deleted
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
} catch (err) {
if ((err as any)?.code !== 'ENOENT') {
throw err
}
}
})
const removeAuth_skipsV6CleanupWhenEnvVarSet =
'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
// Arrange
await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
// Set the skip environment variable
process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
// Create v6-style credentials file in RUNNER_TEMP
const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
const credentialsContent =
'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
// Add includeIf section to local git config (separate from http.* config)
const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
await fs.promises.appendFile(localGitConfigPath, includeIfSection)
// Verify v6 style config exists
let gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
await fs.promises.stat(credentialsFilePath) // Verify file exists
// Act
await authHelper.removeAuth()
// Assert v5 cleanup still happened (http.* removed)
gitConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
expect(
gitConfigContent.indexOf('http.https://github.com/.extraheader')
).toBeLessThan(0)
// Assert v6 cleanup was skipped - includeIf should still be present
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
expect(
gitConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Assert credentials file still exists (wasn't deleted)
await fs.promises.stat(credentialsFilePath) // File should still exist
// Assert debug message was logged
expect(core.debug).toHaveBeenCalledWith(
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
)
// Cleanup
delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
})
const removeGlobalConfig_removesOverride =
'removeGlobalConfig removes override'
it(removeGlobalConfig_removesOverride, async () => {
@@ -796,6 +1073,18 @@ async function setup(testName: string): Promise<void> {
),
tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => {
return []
}),
tryConfigUnsetValue: jest.fn(async () => {
return true
}),
tryGetConfigValues: jest.fn(async () => {
return []
}),
tryGetConfigKeys: jest.fn(async () => {
return []
}),
tryReset: jest.fn(),
version: jest.fn()
}

View File

@@ -499,6 +499,18 @@ async function setup(testName: string): Promise<void> {
await fs.promises.stat(path.join(repositoryPath, '.git'))
return repositoryUrl
}),
getSubmoduleConfigPaths: jest.fn(async () => {
return []
}),
tryConfigUnsetValue: jest.fn(async () => {
return true
}),
tryGetConfigValues: jest.fn(async () => {
return []
}),
tryGetConfigKeys: jest.fn(async () => {
return []
}),
tryReset: jest.fn(async () => {
return true
}),

249
dist/index.js vendored
View File

@@ -411,8 +411,50 @@ class GitAuthHelper {
}
removeToken() {
return __awaiter(this, void 0, void 0, function* () {
// HTTP extra header
// Remove HTTP extra header from local git config and submodule configs
yield this.removeGitConfig(this.tokenConfigKey);
//
// Cleanup actions/checkout@v6 style credentials
//
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
return;
}
try {
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set();
// Remove includeIf entries that point to git-credentials-*.config files
const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
// Remove submodule includeIf entries that point to git-credentials-*.config files
try {
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
}
}
catch (err) {
core.debug(`Unable to get submodule config paths: ${err}`);
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP'];
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
try {
yield io.rmRF(credentialsPath);
}
catch (err) {
core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
}
}
}
}
catch (err) {
core.debug(`Failed to cleanup v6 style credentials: ${err}`);
}
});
}
removeGitConfig(configKey_1) {
@@ -430,6 +472,49 @@ class GitAuthHelper {
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
});
}
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* This handles cleanup of credentials configured by newer versions of the action.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
removeIncludeIfCredentials(configPath) {
return __awaiter(this, void 0, void 0, function* () {
const credentialsPaths = new Set();
try {
// Get all includeIf.gitdir keys
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
configPath);
for (const key of keys) {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
configPath);
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (this.testCredentialsConfigPath(value)) {
credentialsPaths.add(value);
yield this.git.tryConfigUnsetValue(key, value, false, configPath);
}
}
}
}
}
catch (err) {
// Ignore errors - this is cleanup code
core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
}
return Array.from(credentialsPaths);
});
}
/**
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
testCredentialsConfigPath(path) {
return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
}
}
@@ -706,6 +791,16 @@ class GitCommandManager {
throw new Error('Unexpected output when retrieving default branch');
});
}
getSubmoduleConfigPaths(recursive) {
return __awaiter(this, void 0, void 0, function* () {
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
// Extract config file paths from the output (lines starting with "file:").
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
return configPaths;
});
}
getWorkingDirectory() {
return this.workingDirectory;
}
@@ -836,6 +931,20 @@ class GitCommandManager {
return output.exitCode === 0;
});
}
tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--unset', configKey, configValue);
const output = yield this.execGit(args, true);
return output.exitCode === 0;
});
}
tryDisableAutomaticGarbageCollection() {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
@@ -855,6 +964,46 @@ class GitCommandManager {
return stdout;
});
}
tryGetConfigValues(configKey, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--get-all', configKey);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout
.trim()
.split('\n')
.filter(value => value.trim());
});
}
tryGetConfigKeys(pattern, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--name-only', '--get-regexp', pattern);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout
.trim()
.split('\n')
.filter(key => key.trim());
});
}
tryReset() {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);
@@ -7802,7 +7951,7 @@ module.exports = __toCommonJS(dist_src_exports);
var import_universal_user_agent = __nccwpck_require__(5030);
// pkg/dist-src/version.js
var VERSION = "9.0.5";
var VERSION = "9.0.6";
// pkg/dist-src/defaults.js
var userAgent = `octokit-endpoint.js/${VERSION} ${(0, import_universal_user_agent.getUserAgent)()}`;
@@ -7907,9 +8056,9 @@ function addQueryParameters(url, parameters) {
}
// pkg/dist-src/util/extract-url-variable-names.js
var urlVariableRegex = /\{[^}]+\}/g;
var urlVariableRegex = /\{[^{}}]+\}/g;
function removeNonChars(variableName) {
return variableName.replace(/^\W+|\W+$/g, "").split(/,/);
return variableName.replace(/(?:^\W+)|(?:(?<!\W)\W+$)/g, "").split(/,/);
}
function extractUrlVariableNames(url) {
const matches = url.match(urlVariableRegex);
@@ -8095,7 +8244,7 @@ function parse(options) {
}
if (url.endsWith("/graphql")) {
if (options.mediaType.previews?.length) {
const previewsFromAcceptHeader = headers.accept.match(/[\w-]+(?=-preview)/g) || [];
const previewsFromAcceptHeader = headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || [];
headers.accept = previewsFromAcceptHeader.concat(options.mediaType.previews).map((preview) => {
const format = options.mediaType.format ? `.${options.mediaType.format}` : "+json";
return `application/vnd.github.${preview}-preview${format}`;
@@ -8344,7 +8493,7 @@ __export(dist_src_exports, {
module.exports = __toCommonJS(dist_src_exports);
// pkg/dist-src/version.js
var VERSION = "9.2.1";
var VERSION = "9.2.2";
// pkg/dist-src/normalize-paginated-list-response.js
function normalizePaginatedListResponse(response) {
@@ -8392,7 +8541,7 @@ function iterator(octokit, route, parameters) {
const response = await requestMethod({ method, url, headers });
const normalizedResponse = normalizePaginatedListResponse(response);
url = ((normalizedResponse.headers.link || "").match(
/<([^>]+)>;\s*rel="next"/
/<([^<>]+)>;\s*rel="next"/
) || [])[1];
return { value: normalizedResponse };
} catch (error) {
@@ -10944,7 +11093,7 @@ var RequestError = class extends Error {
if (options.request.headers.authorization) {
requestCopy.headers = Object.assign({}, options.request.headers, {
authorization: options.request.headers.authorization.replace(
/ .*$/,
/(?<! ) .*$/,
" [REDACTED]"
)
});
@@ -11012,7 +11161,7 @@ var import_endpoint = __nccwpck_require__(9440);
var import_universal_user_agent = __nccwpck_require__(5030);
// pkg/dist-src/version.js
var VERSION = "8.4.0";
var VERSION = "8.4.1";
// pkg/dist-src/is-plain-object.js
function isPlainObject(value) {
@@ -11071,7 +11220,7 @@ function fetchWrapper(requestOptions) {
headers[keyAndValue[0]] = keyAndValue[1];
}
if ("deprecation" in headers) {
const matches = headers.link && headers.link.match(/<([^>]+)>; rel="deprecation"/);
const matches = headers.link && headers.link.match(/<([^<>]+)>; rel="deprecation"/);
const deprecationLink = matches && matches.pop();
log.warn(
`[@octokit/request] "${requestOptions.method} ${requestOptions.url}" is deprecated. It is scheduled to be removed on ${headers.sunset}${deprecationLink ? `. See ${deprecationLink}` : ""}`
@@ -18725,7 +18874,7 @@ module.exports = {
const { parseSetCookie } = __nccwpck_require__(4408)
const { stringify, getHeadersList } = __nccwpck_require__(3121)
const { stringify } = __nccwpck_require__(3121)
const { webidl } = __nccwpck_require__(1744)
const { Headers } = __nccwpck_require__(554)
@@ -18801,14 +18950,13 @@ function getSetCookies (headers) {
webidl.brandCheck(headers, Headers, { strict: false })
const cookies = getHeadersList(headers).cookies
const cookies = headers.getSetCookie()
if (!cookies) {
return []
}
// In older versions of undici, cookies is a list of name:value.
return cookies.map((pair) => parseSetCookie(Array.isArray(pair) ? pair[1] : pair))
return cookies.map((pair) => parseSetCookie(pair))
}
/**
@@ -19236,14 +19384,15 @@ module.exports = {
/***/ }),
/***/ 3121:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
/***/ ((module) => {
"use strict";
const assert = __nccwpck_require__(9491)
const { kHeadersList } = __nccwpck_require__(2785)
/**
* @param {string} value
* @returns {boolean}
*/
function isCTLExcludingHtab (value) {
if (value.length === 0) {
return false
@@ -19504,31 +19653,13 @@ function stringify (cookie) {
return out.join('; ')
}
let kHeadersListNode
function getHeadersList (headers) {
if (headers[kHeadersList]) {
return headers[kHeadersList]
}
if (!kHeadersListNode) {
kHeadersListNode = Object.getOwnPropertySymbols(headers).find(
(symbol) => symbol.description === 'headers list'
)
assert(kHeadersListNode, 'Headers cannot be parsed')
}
const headersList = headers[kHeadersListNode]
assert(headersList)
return headersList
}
module.exports = {
isCTLExcludingHtab,
stringify,
getHeadersList
validateCookieName,
validateCookiePath,
validateCookieValue,
toIMFDate,
stringify
}
@@ -21457,6 +21588,14 @@ const { isUint8Array, isArrayBuffer } = __nccwpck_require__(9830)
const { File: UndiciFile } = __nccwpck_require__(8511)
const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(685)
let random
try {
const crypto = __nccwpck_require__(6005)
random = (max) => crypto.randomInt(0, max)
} catch {
random = (max) => Math.floor(Math.random(max))
}
let ReadableStream = globalThis.ReadableStream
/** @type {globalThis['File']} */
@@ -21542,7 +21681,7 @@ function extractBody (object, keepalive = false) {
// Set source to a copy of the bytes held by object.
source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
} else if (util.isFormDataLike(object)) {
const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
const prefix = `--${boundary}\r\nContent-Disposition: form-data`
/*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
@@ -23524,6 +23663,7 @@ const {
isValidHeaderName,
isValidHeaderValue
} = __nccwpck_require__(2538)
const util = __nccwpck_require__(3837)
const { webidl } = __nccwpck_require__(1744)
const assert = __nccwpck_require__(9491)
@@ -24077,6 +24217,9 @@ Object.defineProperties(Headers.prototype, {
[Symbol.toStringTag]: {
value: 'Headers',
configurable: true
},
[util.inspect.custom]: {
enumerable: false
}
})
@@ -33253,6 +33396,20 @@ class Pool extends PoolBase {
? { ...options.interceptors }
: undefined
this[kFactory] = factory
this.on('connectionError', (origin, targets, error) => {
// If a connection error occurs, we remove the client from the pool,
// and emit a connectionError event. They will not be re-used.
// Fixes https://github.com/nodejs/undici/issues/3895
for (const target of targets) {
// Do not use kRemoveClient here, as it will close the client,
// but the client cannot be closed in this state.
const idx = this[kClients].indexOf(target)
if (idx !== -1) {
this[kClients].splice(idx, 1)
}
}
})
}
[kGetDispatcher] () {
@@ -36408,6 +36565,14 @@ module.exports = require("net");
/***/ }),
/***/ 6005:
/***/ ((module) => {
"use strict";
module.exports = require("node:crypto");
/***/ }),
/***/ 5673:
/***/ ((module) => {

744
package-lock.json generated

File diff suppressed because it is too large Load Diff

View File

@@ -1,6 +1,6 @@
{
"name": "checkout",
"version": "4.2.2",
"version": "4.3.0",
"description": "checkout action",
"main": "lib/main.js",
"scripts": {
@@ -39,7 +39,7 @@
"@types/jest": "^29.5.12",
"@types/node": "^20.12.12",
"@types/uuid": "^9.0.8",
"@typescript-eslint/eslint-plugin": "^8.4.0",
"@typescript-eslint/eslint-plugin": "^7.9.0",
"@typescript-eslint/parser": "^7.9.0",
"@vercel/ncc": "^0.38.1",
"eslint": "^8.57.0",

View File

@@ -346,8 +346,58 @@ class GitAuthHelper {
}
private async removeToken(): Promise<void> {
// HTTP extra header
// Remove HTTP extra header from local git config and submodule configs
await this.removeGitConfig(this.tokenConfigKey)
//
// Cleanup actions/checkout@v6 style credentials
//
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
core.debug(
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
)
return
}
try {
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set<string>()
// Remove includeIf entries that point to git-credentials-*.config files
const mainCredentialsPaths = await this.removeIncludeIfCredentials()
mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
// Remove submodule includeIf entries that point to git-credentials-*.config files
try {
const submoduleConfigPaths =
await this.git.getSubmoduleConfigPaths(true)
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths =
await this.removeIncludeIfCredentials(configPath)
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
}
} catch (err) {
core.debug(`Unable to get submodule config paths: ${err}`)
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP']
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
try {
await io.rmRF(credentialsPath)
} catch (err) {
core.debug(
`Failed to remove credentials config '${credentialsPath}': ${err}`
)
}
}
}
} catch (err) {
core.debug(`Failed to cleanup v6 style credentials: ${err}`)
}
}
private async removeGitConfig(
@@ -371,4 +421,59 @@ class GitAuthHelper {
true
)
}
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* This handles cleanup of credentials configured by newer versions of the action.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
private async removeIncludeIfCredentials(
configPath?: string
): Promise<string[]> {
const credentialsPaths = new Set<string>()
try {
// Get all includeIf.gitdir keys
const keys = await this.git.tryGetConfigKeys(
'^includeIf\\.gitdir:',
false, // globalConfig?
configPath
)
for (const key of keys) {
// Get all values for this key
const values = await this.git.tryGetConfigValues(
key,
false, // globalConfig?
configPath
)
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (this.testCredentialsConfigPath(value)) {
credentialsPaths.add(value)
await this.git.tryConfigUnsetValue(key, value, false, configPath)
}
}
}
}
} catch (err) {
// Ignore errors - this is cleanup code
core.debug(
`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
)
}
return Array.from(credentialsPaths)
}
/**
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
private testCredentialsConfigPath(path: string): boolean {
return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
}
}

View File

@@ -41,6 +41,7 @@ export interface IGitCommandManager {
}
): Promise<void>
getDefaultBranch(repositoryUrl: string): Promise<string>
getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
getWorkingDirectory(): string
init(): Promise<void>
isDetached(): Promise<boolean>
@@ -59,8 +60,24 @@ export interface IGitCommandManager {
tagExists(pattern: string): Promise<boolean>
tryClean(): Promise<boolean>
tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
tryConfigUnsetValue(
configKey: string,
configValue: string,
globalConfig?: boolean,
configFile?: string
): Promise<boolean>
tryDisableAutomaticGarbageCollection(): Promise<boolean>
tryGetFetchUrl(): Promise<string>
tryGetConfigValues(
configKey: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]>
tryGetConfigKeys(
pattern: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]>
tryReset(): Promise<boolean>
version(): Promise<GitVersion>
}
@@ -323,6 +340,21 @@ class GitCommandManager {
throw new Error('Unexpected output when retrieving default branch')
}
async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = await this.submoduleForeach(
`git config --local --show-origin --name-only --get-regexp remote.origin.url`,
recursive
)
// Extract config file paths from the output (lines starting with "file:").
const configPaths =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
return configPaths
}
getWorkingDirectory(): string {
return this.workingDirectory
}
@@ -455,6 +487,24 @@ class GitCommandManager {
return output.exitCode === 0
}
async tryConfigUnsetValue(
configKey: string,
configValue: string,
globalConfig?: boolean,
configFile?: string
): Promise<boolean> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--unset', configKey, configValue)
const output = await this.execGit(args, true)
return output.exitCode === 0
}
async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
const output = await this.execGit(
['config', '--local', 'gc.auto', '0'],
@@ -481,6 +531,56 @@ class GitCommandManager {
return stdout
}
async tryGetConfigValues(
configKey: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--get-all', configKey)
const output = await this.execGit(args, true)
if (output.exitCode !== 0) {
return []
}
return output.stdout
.trim()
.split('\n')
.filter(value => value.trim())
}
async tryGetConfigKeys(
pattern: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--name-only', '--get-regexp', pattern)
const output = await this.execGit(args, true)
if (output.exitCode !== 0) {
return []
}
return output.stdout
.trim()
.split('\n')
.filter(key => key.trim())
}
async tryReset(): Promise<boolean> {
const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
return output.exitCode === 0