1
0
mirror of https://github.com/actions/checkout.git synced 2026-07-14 19:33:48 +08:00

Compare commits

..

2 Commits

Author SHA1 Message Date
eric sciple
8e8c483db8 Clarify v6 README (#2328) 2025-12-01 20:08:49 -06:00
eric sciple
033fa0dc0b Add worktree support for persist-credentials includeIf (#2327) 2025-12-01 19:53:23 -06:00
9 changed files with 94 additions and 54 deletions

View File

@@ -165,6 +165,22 @@ jobs:
- name: Verify submodules recursive
run: __test__/verify-submodules-recursive.sh
# Worktree credentials
- name: Checkout for worktree test
uses: ./
with:
path: worktree-test
- name: Verify worktree credentials
shell: bash
run: __test__/verify-worktree.sh worktree-test worktree-branch
# Worktree credentials in container step
- name: Verify worktree credentials in container step
if: runner.os == 'Linux'
uses: docker://bitnami/git:latest
with:
args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
# Basic checkout using REST API
- name: Remove basic
if: runner.os != 'windows'

View File

@@ -1,19 +1,19 @@
# Changelog
## V6.0.0
## v6.0.0
* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
## V5.0.1
## v5.0.1
* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
## V5.0.0
## v5.0.0
* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
## V4.3.1
## v4.3.1
* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
## V4.3.0
## v4.3.0
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
* Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

View File

@@ -4,8 +4,9 @@
## What's new
- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
- This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
# Checkout v5
@@ -62,11 +63,6 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
# Otherwise, uses the default branch.
ref: ''
# The commit SHA to checkout. Used when ref is not specified or is ambiguous. This
# can be used as a replacement for ref, or alongside it to checkout a specific
# commit of the ref.
commit: ''
# Personal access token (PAT) used to fetch the repository. The PAT is configured
# with the local git config, which enables your scripts to run authenticated git
# commands. The post-job step removes the PAT.

View File

@@ -144,30 +144,4 @@ describe('input-helper tests', () => {
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings.workflowOrganizationId).toBe(123456)
})
it('accepts ref and commit', async () => {
inputs.ref = 'refs/pull/123/merge'
inputs.commit = '0123456789012345678901234567890123456789'
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings).toBeTruthy()
expect(settings.ref).toBeTruthy()
expect(settings.ref).toStrictEqual('refs/pull/123/merge')
expect(settings.commit).toBeTruthy()
expect(settings.commit).toStrictEqual(
'0123456789012345678901234567890123456789'
)
})
it('ref fallbacks to commit if ref is empty but commit is specified', async () => {
inputs.ref = ''
inputs.commit = '0123456789012345678901234567890123456789'
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings).toBeTruthy()
expect(settings.ref).toBeFalsy()
expect(settings.ref).toStrictEqual('')
expect(settings.commit).toBeTruthy()
expect(settings.commit).toStrictEqual(
'0123456789012345678901234567890123456789'
)
})
})

51
__test__/verify-worktree.sh Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
set -e
# Verify worktree credentials
# This test verifies that git credentials work in worktrees created after checkout
# Usage: verify-worktree.sh <checkout-path> <worktree-name>
CHECKOUT_PATH="$1"
WORKTREE_NAME="$2"
if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
exit 1
fi
cd "$CHECKOUT_PATH"
# Add safe directory for container environments
git config --global --add safe.directory "*" 2>/dev/null || true
# Show the includeIf configuration
echo "Git config includeIf entries:"
git config --list --show-origin | grep -i include || true
# Create the worktree
echo "Creating worktree..."
git worktree add "../$WORKTREE_NAME" HEAD --detach
# Change to worktree directory
cd "../$WORKTREE_NAME"
# Verify we're in a worktree
echo "Verifying worktree gitdir:"
cat .git
# Verify credentials are available in worktree by checking extraheader is configured
echo "Checking credentials in worktree..."
if git config --list --show-origin | grep -q "extraheader"; then
echo "Credentials are configured in worktree"
else
echo "ERROR: Credentials are NOT configured in worktree"
echo "Full git config:"
git config --list --show-origin
exit 1
fi
# Verify fetch works in the worktree
echo "Fetching in worktree..."
git fetch origin
echo "Worktree credentials test passed!"

View File

@@ -9,11 +9,6 @@ inputs:
The branch, tag or SHA to checkout. When checking out the repository that
triggered a workflow, this defaults to the reference or SHA for that
event. Otherwise, uses the default branch.
commit:
description: >
The commit SHA to checkout. Used when ref is not specified or is ambiguous.
This can be used as a replacement for ref, or alongside it to checkout a
specific commit of the ref.
token:
description: >
Personal access token (PAT) used to fetch the repository. The PAT is configured

12
dist/index.js vendored
View File

@@ -412,6 +412,9 @@ class GitAuthHelper {
// Configure host includeIf
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
yield this.git.config(hostIncludeKey, credentialsConfigPath);
// Configure host includeIf for worktrees
const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
// Container git directory
const workingDirectory = this.git.getWorkingDirectory();
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -424,6 +427,9 @@ class GitAuthHelper {
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
yield this.git.config(containerIncludeKey, containerCredentialsPath);
// Configure container includeIf for worktrees
const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
}
});
}
@@ -1980,11 +1986,7 @@ function getInputs() {
const isWorkflowRepository = qualifiedRepository.toUpperCase() ===
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
// Source branch, source version
result.commit = core.getInput('commit');
if (result.commit && !result.commit.match(/^[0-9a-fA-F]{40}$/)) {
throw new Error(`The commit SHA '${result.commit}' is not a valid SHA.`);
}
result.ref = core.getInput('ref') || result.commit;
result.ref = core.getInput('ref');
if (!result.ref) {
if (isWorkflowRepository) {
result.ref = github.context.ref;

View File

@@ -374,6 +374,10 @@ class GitAuthHelper {
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
await this.git.config(hostIncludeKey, credentialsConfigPath)
// Configure host includeIf for worktrees
const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
// Container git directory
const workingDirectory = this.git.getWorkingDirectory()
const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -395,6 +399,13 @@ class GitAuthHelper {
// Configure container includeIf
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
await this.git.config(containerIncludeKey, containerCredentialsPath)
// Configure container includeIf for worktrees
const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
await this.git.config(
containerWorktreeIncludeKey,
containerCredentialsPath
)
}
}

View File

@@ -57,12 +57,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase()
// Source branch, source version
result.commit = core.getInput('commit')
if (result.commit && !result.commit.match(/^[0-9a-fA-F]{40}$/)) {
throw new Error(`The commit SHA '${result.commit}' is not a valid SHA.`)
}
result.ref = core.getInput('ref') || result.commit
result.ref = core.getInput('ref')
if (!result.ref) {
if (isWorkflowRepository) {
result.ref = github.context.ref