Merge 0548471950 into 8e8c483db8

.github/workflows/test.yml

@@ -165,6 +165,22 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
+      # Worktree credentials
+      - name: Checkout for worktree test
+        uses: ./
+        with:
+          path: worktree-test
+      - name: Verify worktree credentials
+        shell: bash
+        run: __test__/verify-worktree.sh worktree-test worktree-branch
+
+      # Worktree credentials in container step
+      - name: Verify worktree credentials in container step
+        if: runner.os == 'Linux'
+        uses: docker://bitnami/git:latest
+        with:
+          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
+
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'

.gitignore

@@ -2,4 +2,5 @@ __test__/_temp
 _temp/
 lib/
 node_modules/
-.vscode/
+.vscode/
+.idea/

CHANGELOG.md

@@ -1,19 +1,19 @@
 # Changelog
 
-## V6.0.0
+## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
 
-## V5.0.1
+## v5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
 
-## V5.0.0
+## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## V4.3.1
+## v4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## V4.3.0
+## v4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -4,8 +4,9 @@
 
 ## What's new
 
-- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
-  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
+- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
+- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
+- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
 
 # Checkout v5
 

__test__/git-command-manager.test.ts

@@ -134,6 +134,7 @@ describe('Test fetchDepth and fetchTags options', () => {
         '-c',
         'protocol.version=2',
         'fetch',
+        '--tags',
         '--prune',
         '--no-recurse-submodules',
         '--filter=filterValue',
@@ -248,6 +249,7 @@ describe('Test fetchDepth and fetchTags options', () => {
         '-c',
         'protocol.version=2',
         'fetch',
+        '--tags',
         '--prune',
         '--no-recurse-submodules',
         '--filter=filterValue',
@@ -364,6 +366,7 @@ describe('Test fetchDepth and fetchTags options', () => {
         '-c',
         'protocol.version=2',
         'fetch',
+        '--tags',
         '--prune',
         '--no-recurse-submodules',
         '--progress',
@@ -376,3 +379,225 @@ describe('Test fetchDepth and fetchTags options', () => {
     )
   })
 })
+
+describe('Test git 2.48 tag fetching behavior', () => {
+  beforeEach(async () => {
+    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
+    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
+  })
+
+  afterEach(() => {
+    jest.restoreAllMocks()
+  })
+
+  it('should perform separate tag fetch for git 2.48 when fetchTags is true', async () => {
+    mockExec.mockImplementation((path, args, options) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('2.48.1'))
+      }
+      return 0
+    })
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+
+    const refSpec = ['refspec1']
+    const options = {
+      fetchTags: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    // First call: main fetch with --no-tags
+    expect(mockExec).toHaveBeenNthCalledWith(
+      2, // First call is version check
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--no-tags',
+        '--prune',
+        '--no-recurse-submodules',
+        'origin',
+        'refspec1'
+      ],
+      expect.any(Object)
+    )
+
+    // Second call: separate tag fetch
+    expect(mockExec).toHaveBeenNthCalledWith(
+      3,
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--tags',
+        '--prune',
+        'origin'
+      ],
+      expect.any(Object)
+    )
+
+    expect(mockExec).toHaveBeenCalledTimes(3) // version + main fetch + tag fetch
+  })
+
+  it('should perform separate tag fetch with progress for git 2.48', async () => {
+    mockExec.mockImplementation((path, args, options) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('2.48.0'))
+      }
+      return 0
+    })
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+
+    const refSpec = ['refspec1']
+    const options = {
+      fetchTags: true,
+      showProgress: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    // Main fetch with --no-tags and --progress
+    expect(mockExec).toHaveBeenNthCalledWith(
+      2,
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--no-tags',
+        '--prune',
+        '--no-recurse-submodules',
+        '--progress',
+        'origin',
+        'refspec1'
+      ],
+      expect.any(Object)
+    )
+
+    // Separate tag fetch with --progress
+    expect(mockExec).toHaveBeenNthCalledWith(
+      3,
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--tags',
+        '--prune',
+        '--progress',
+        'origin'
+      ],
+      expect.any(Object)
+    )
+  })
+
+  it('should NOT perform separate tag fetch for git 2.48 when fetchTags is false', async () => {
+    mockExec.mockImplementation((path, args, options) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('2.48.1'))
+      }
+      return 0
+    })
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+
+    const refSpec = ['refspec1']
+    const options = {
+      fetchTags: false
+    }
+
+    await git.fetch(refSpec, options)
+
+    // Only one fetch call with --no-tags
+    expect(mockExec).toHaveBeenNthCalledWith(
+      2,
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--no-tags',
+        '--prune',
+        '--no-recurse-submodules',
+        'origin',
+        'refspec1'
+      ],
+      expect.any(Object)
+    )
+
+    expect(mockExec).toHaveBeenCalledTimes(2) // version + single fetch only
+  })
+
+  it('should use normal behavior for non-2.48 git versions', async () => {
+    mockExec.mockImplementation((path, args, options) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('2.47.0'))
+      }
+      return 0
+    })
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+
+    const refSpec = ['refspec1']
+    const options = {
+      fetchTags: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    // Single fetch with --tags
+    expect(mockExec).toHaveBeenNthCalledWith(
+      2,
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--tags',
+        '--prune',
+        '--no-recurse-submodules',
+        'origin',
+        'refspec1'
+      ],
+      expect.any(Object)
+    )
+
+    expect(mockExec).toHaveBeenCalledTimes(2) // version + single fetch only
+  })
+})

__test__/verify-worktree.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Verify worktree credentials
+# This test verifies that git credentials work in worktrees created after checkout
+# Usage: verify-worktree.sh <checkout-path> <worktree-name>
+
+CHECKOUT_PATH="$1"
+WORKTREE_NAME="$2"
+
+if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
+  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
+  exit 1
+fi
+
+cd "$CHECKOUT_PATH"
+
+# Add safe directory for container environments
+git config --global --add safe.directory "*" 2>/dev/null || true
+
+# Show the includeIf configuration
+echo "Git config includeIf entries:"
+git config --list --show-origin | grep -i include || true
+
+# Create the worktree
+echo "Creating worktree..."
+git worktree add "../$WORKTREE_NAME" HEAD --detach
+
+# Change to worktree directory
+cd "../$WORKTREE_NAME"
+
+# Verify we're in a worktree
+echo "Verifying worktree gitdir:"
+cat .git
+
+# Verify credentials are available in worktree by checking extraheader is configured
+echo "Checking credentials in worktree..."
+if git config --list --show-origin | grep -q "extraheader"; then
+  echo "Credentials are configured in worktree"
+else
+  echo "ERROR: Credentials are NOT configured in worktree"
+  echo "Full git config:"
+  git config --list --show-origin
+  exit 1
+fi
+
+# Verify fetch works in the worktree
+echo "Fetching in worktree..."
+git fetch origin
+
+echo "Worktree credentials test passed!"

dist/index.js

@@ -412,6 +412,9 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
+                // Configure host includeIf for worktrees
+                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
+                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
                 const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -424,6 +427,9 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                // Configure container includeIf for worktrees
+                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
+                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
@@ -825,8 +831,8 @@ class GitCommandManager {
     fetch(refSpec, options) {
         return __awaiter(this, void 0, void 0, function* () {
             const args = ['-c', 'protocol.version=2', 'fetch'];
-            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-                args.push('--no-tags');
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
+                args.push(options.fetchTags ? '--tags' : '--no-tags');
             }
             args.push('--prune', '--no-recurse-submodules');
             if (options.showProgress) {

src/git-auth-helper.ts

@@ -374,6 +374,10 @@ class GitAuthHelper {
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
+      // Configure host includeIf for worktrees
+      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
+      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
+
       // Container git directory
       const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -395,6 +399,13 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
+
+      // Configure container includeIf for worktrees
+      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
+      await this.git.config(
+        containerWorktreeIncludeKey,
+        containerCredentialsPath
+      )
     }
   }
 

src/git-command-manager.ts

@@ -285,8 +285,12 @@ class GitCommandManager {
     }
   ): Promise<void> {
     const args = ['-c', 'protocol.version=2', 'fetch']
-    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-      args.push('--no-tags')
+    const hasTagsRefSpec = refSpec.some(x => x === refHelper.tagsRefSpec)
+    const needsSeparateTagFetch = this.gitVersion.toString().startsWith('2.48') && options.fetchTags && !hasTagsRefSpec
+
+    if (!hasTagsRefSpec) {
+      // For git 2.48, skip --tags here if we need separate fetch
+      args.push(needsSeparateTagFetch || !options.fetchTags ? '--no-tags' : '--tags')
     }
 
     args.push('--prune', '--no-recurse-submodules')
@@ -317,6 +321,19 @@ class GitCommandManager {
     await retryHelper.execute(async () => {
       await that.execGit(args)
     })
+
+    // Separate tag fetch for git 2.48
+    if (needsSeparateTagFetch) {
+      const tagArgs = ['-c', 'protocol.version=2', 'fetch', '--tags', '--prune']
+      if (options.showProgress) {
+        tagArgs.push('--progress')
+      }
+      tagArgs.push('origin')
+
+      await retryHelper.execute(async () => {
+        await that.execGit(tagArgs)
+      })
+    }
   }
 
   async getDefaultBranch(repositoryUrl: string): Promise<string> {