Cleanup actions/checkout@v6 auth style (#2301 )

2026-06-23 17:43:52 +08:00 · 2025-11-13 15:22:10 -06:00
8 changed files with 659 additions and 222 deletions
--- a/.github/workflows/generator-generic-ossf-slsa3-publish.yml
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -1,105 +0,0 @@
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
 # documentation.
 # This workflow lets you generate SLSA provenance file for your project.
 # The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
 # The project is an initiative of the OpenSSF (openssf.org) and is developed at
 # https://github.com/slsa-framework/slsa-github-generator.
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
 # For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
 name: SLSA generic generator
 on:
  workflow_dispatch:
  release:
    types: [created]
 jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    steps:
      - uses: actions/checkout@v4
      # ========================================================
      #
      # Step 1: Build your artifacts.
      #
      # ========================================================
      - name: Build artifacts
        run: |
            # These are some amazing artifacts.
            echo "artifact1" > artifact1
            echo "artifact2" > artifact2
      # ========================================================
      #
      # Step 2: Add a step to generate the provenance subjects
      #         as shown below. Update the sha256 sum arguments
      #         to include all binaries that you generate
      #         provenance for.
      #
      # ========================================================
      - name: Generate subject for provenance
        id: hash
        run: |
          set -euo pipefail
          # List the artifacts the provenance will refer to.
          files=$(ls artifact*)
          # Generate the subjects (base64 encoded).
          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
  provenance:
    needs: [build]
    permissions:            - name: Deploy HelmFile
  # You may pin to the exact commit or the version.
  # uses: cloudposse/github-action-deploy-helmfile@fcc0ea83519505047bd34a4e017f1d0c3516a5cc
  uses: cloudposse/github-action-deploy-helmfile@0.7.0
  with:
    # Cluster name
    cluster: 
    # AWS region
    aws-region: # optional, default is us-east-1
    # The path where lives the helmfile.
    helmfile-path: # optional, default is deploy
    # Helmfile name
    helmfile: # optional, default is helmfile.yaml
    # Operation with helmfiles. (valid options - `deploy`, `destroy`)
    operation: # default is deploy
    # Helmfile environment
    environment: # optional, default is preview
    # Git SHA
    gitref-sha: # optional, default is 
    # Kubernetes namespace
    namespace: 
    # Docker image
    image: 
    # Docker image tag
    image-tag: 
    # Debug mode
    debug: # optional, default is false
    # The name of the label used to describe the helm release
    release_label_name: # optional, default is release
    # YAML string with extra values to use in a helmfile deploy
    values_yaml: # optional
    # Helm version
    helm_version: # optional, default is 3.11.1
    # Helmfile version
    helmfile_version: # optional, default is 0.143.5
    # Kubectl version
    kubectl_version: # optional, default is 1.26.3
    # Kubectl version
    chamber_version: # optional, default is 2.11.1
      actions: read   # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: "${{ needs.build.outputs.digests }}"
      upload-assets: true # Optional: Upload to a new release
--- a/README.md
+++ b/README.md
@@ -2,11 +2,7 @@
 # Checkout V5
-## What's new
+Checkout v5 now supports Node.js 24
 - Updated to the node24 runtime
  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
 # Checkout V4
@@ -158,10 +154,9 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 # Scenarios
 - [Checkout V5](#checkout-v5)
  - [What's new](#whats-new)
 - [Checkout V4](#checkout-v4)
    - [Note](#note)
- [What's new](#whats-new-1)
+- [What's new](#whats-new)
 - [Usage](#usage)
 - [Scenarios](#scenarios)
  - [Fetch only the root files](#fetch-only-the-root-files)
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -675,6 +675,283 @@ describe('git-auth-helper tests', () => {
    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
  })
  const removeAuth_removesV6StyleCredentials =
    'removeAuth removes v6 style credentials'
  it(removeAuth_removesV6StyleCredentials, async () => {
    // Arrange
    await setup(removeAuth_removesV6StyleCredentials)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Manually create v6-style credentials that would be left by v6
    const credentialsFileName =
      'git-credentials-12345678-1234-1234-1234-123456789abc.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf entries to local git config (simulating v6 configuration)
    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
    await fs.promises.appendFile(
      localGitConfigPath,
      `[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
    )
    await fs.promises.appendFile(
      localGitConfigPath,
      `[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
    )
    // Verify v6 style config exists
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    expect(
      gitConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    await fs.promises.stat(credentialsFilePath) // Verify file exists
    // Mock the git methods to handle v6 cleanup
    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
    mockTryGetConfigKeys.mockResolvedValue([
      `includeIf.gitdir:${hostGitDir}/.path`,
      'includeIf.gitdir:/github/workspace/.git/.path'
    ])
    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
    mockTryGetConfigValues.mockImplementation(async (key: string) => {
      if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
        return [credentialsFilePath]
      }
      if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
        return [`/github/runner_temp/${credentialsFileName}`]
      }
      return []
    })
    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
      any,
      any
    >
    mockTryConfigUnsetValue.mockImplementation(
      async (
        key: string,
        value: string,
        globalConfig?: boolean,
        configPath?: string
      ) => {
        const targetPath = configPath || localGitConfigPath
        let content = await fs.promises.readFile(targetPath, 'utf8')
        // Remove the includeIf section
        const lines = content
          .split('\n')
          .filter(line => !line.includes('includeIf') && !line.includes(value))
        await fs.promises.writeFile(targetPath, lines.join('\n'))
        return true
      }
    )
    // Act
    await authHelper.removeAuth()
    // Assert includeIf entries removed from local git config
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
    expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
    // Assert credentials config file deleted
    try {
      await fs.promises.stat(credentialsFilePath)
      throw new Error('Credentials file should have been deleted')
    } catch (err) {
      if ((err as any)?.code !== 'ENOENT') {
        throw err
      }
    }
  })
  const removeAuth_removesV6StyleCredentialsFromSubmodules =
    'removeAuth removes v6 style credentials from submodules'
  it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
    // Arrange
    await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
    // Create fake submodule config paths
    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
    await fs.promises.mkdir(submodule1Dir, {recursive: true})
    await fs.promises.writeFile(submodule1ConfigPath, '')
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Create v6-style credentials file
    const credentialsFileName =
      'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf entries to submodule config
    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
    await fs.promises.appendFile(
      submodule1ConfigPath,
      `[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
    )
    // Verify submodule config has includeIf entry
    let submoduleConfigContent = (
      await fs.promises.readFile(submodule1ConfigPath)
    ).toString()
    expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
      0
    )
    expect(
      submoduleConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    // Mock getSubmoduleConfigPaths
    const mockGetSubmoduleConfigPaths =
      git.getSubmoduleConfigPaths as jest.Mock<any, any>
    mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
    // Mock tryGetConfigKeys for submodule
    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
    mockTryGetConfigKeys.mockImplementation(
      async (pattern: string, globalConfig?: boolean, configPath?: string) => {
        if (configPath === submodule1ConfigPath) {
          return [`includeIf.gitdir:${submodule1GitDir}/.path`]
        }
        return []
      }
    )
    // Mock tryGetConfigValues for submodule
    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
    mockTryGetConfigValues.mockImplementation(
      async (key: string, globalConfig?: boolean, configPath?: string) => {
        if (
          configPath === submodule1ConfigPath &&
          key === `includeIf.gitdir:${submodule1GitDir}/.path`
        ) {
          return [credentialsFilePath]
        }
        return []
      }
    )
    // Mock tryConfigUnsetValue for submodule
    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
      any,
      any
    >
    mockTryConfigUnsetValue.mockImplementation(
      async (
        key: string,
        value: string,
        globalConfig?: boolean,
        configPath?: string
      ) => {
        const targetPath = configPath || localGitConfigPath
        let content = await fs.promises.readFile(targetPath, 'utf8')
        const lines = content
          .split('\n')
          .filter(line => !line.includes('includeIf') && !line.includes(value))
        await fs.promises.writeFile(targetPath, lines.join('\n'))
        return true
      }
    )
    // Act
    await authHelper.removeAuth()
    // Assert submodule includeIf entries removed
    submoduleConfigContent = (
      await fs.promises.readFile(submodule1ConfigPath)
    ).toString()
    expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
    expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
    // Assert credentials file deleted
    try {
      await fs.promises.stat(credentialsFilePath)
      throw new Error('Credentials file should have been deleted')
    } catch (err) {
      if ((err as any)?.code !== 'ENOENT') {
        throw err
      }
    }
  })
  const removeAuth_skipsV6CleanupWhenEnvVarSet =
    'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
  it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
    // Arrange
    await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
    // Set the skip environment variable
    process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Create v6-style credentials file in RUNNER_TEMP
    const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const credentialsContent =
      '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf section to local git config (separate from http.* config)
    const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
    await fs.promises.appendFile(localGitConfigPath, includeIfSection)
    // Verify v6 style config exists
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    await fs.promises.stat(credentialsFilePath) // Verify file exists
    // Act
    await authHelper.removeAuth()
    // Assert v5 cleanup still happened (http.* removed)
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(
      gitConfigContent.indexOf('http.https://github.com/.extraheader')
    ).toBeLessThan(0)
    // Assert v6 cleanup was skipped - includeIf should still be present
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    expect(
      gitConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    // Assert credentials file still exists (wasn't deleted)
    await fs.promises.stat(credentialsFilePath) // File should still exist
    // Assert debug message was logged
    expect(core.debug).toHaveBeenCalledWith(
      'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
    )
    // Cleanup
    delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
  })
  const removeGlobalConfig_removesOverride =
    'removeGlobalConfig removes override'
  it(removeGlobalConfig_removesOverride, async () => {
@@ -796,6 +1073,18 @@ async function setup(testName: string): Promise<void> {
    ),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(),
    getSubmoduleConfigPaths: jest.fn(async () => {
      return []
    }),
    tryConfigUnsetValue: jest.fn(async () => {
      return true
    }),
    tryGetConfigValues: jest.fn(async () => {
      return []
    }),
    tryGetConfigKeys: jest.fn(async () => {
      return []
    }),
    tryReset: jest.fn(),
    version: jest.fn()
  }
--- a/test/git-directory-helper.test.ts
+++ b/test/git-directory-helper.test.ts
@@ -499,6 +499,18 @@ async function setup(testName: string): Promise<void> {
      await fs.promises.stat(path.join(repositoryPath, '.git'))
      return repositoryUrl
    }),
    getSubmoduleConfigPaths: jest.fn(async () => {
      return []
    }),
    tryConfigUnsetValue: jest.fn(async () => {
      return true
    }),
    tryGetConfigValues: jest.fn(async () => {
      return []
    }),
    tryGetConfigKeys: jest.fn(async () => {
      return []
    }),
    tryReset: jest.fn(async () => {
      return true
    }),
--- a/dist/index.js
+++ b/dist/index.js
@@ -411,8 +411,50 @@ class GitAuthHelper {
    }
    removeToken() {
        return __awaiter(this, void 0, void 0, function* () {
-            // HTTP extra header
+            // Remove HTTP extra header from local git config and submodule configs
            yield this.removeGitConfig(this.tokenConfigKey);
            //
            // Cleanup actions/checkout@v6 style credentials
            //
            const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
            if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
                core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
                return;
            }
            try {
                // Collect credentials config paths that need to be removed
                const credentialsPaths = new Set();
                // Remove includeIf entries that point to git-credentials-*.config files
                const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
                mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
                // Remove submodule includeIf entries that point to git-credentials-*.config files
                try {
                    const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
                    for (const configPath of submoduleConfigPaths) {
                        const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
                        submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
                    }
                }
                catch (err) {
                    core.debug(`Unable to get submodule config paths: ${err}`);
                }
                // Remove credentials config files
                for (const credentialsPath of credentialsPaths) {
                    // Only remove credentials config files if they are under RUNNER_TEMP
                    const runnerTemp = process.env['RUNNER_TEMP'];
                    if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
                        try {
                            yield io.rmRF(credentialsPath);
                        }
                        catch (err) {
                            core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
                        }
                    }
                }
            }
            catch (err) {
                core.debug(`Failed to cleanup v6 style credentials: ${err}`);
            }
        });
    }
    removeGitConfig(configKey_1) {
@@ -430,6 +472,49 @@ class GitAuthHelper {
            `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
        });
    }
    /**
     * Removes includeIf entries that point to git-credentials-*.config files.
     * This handles cleanup of credentials configured by newer versions of the action.
     * @param configPath Optional path to a specific git config file to operate on
     * @returns Array of unique credentials config file paths that were found and removed
     */
    removeIncludeIfCredentials(configPath) {
        return __awaiter(this, void 0, void 0, function* () {
            const credentialsPaths = new Set();
            try {
                // Get all includeIf.gitdir keys
                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
                configPath);
                for (const key of keys) {
                    // Get all values for this key
                    const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
                    configPath);
                    if (values.length > 0) {
                        // Remove only values that match git-credentials-<uuid>.config pattern
                        for (const value of values) {
                            if (this.testCredentialsConfigPath(value)) {
                                credentialsPaths.add(value);
                                yield this.git.tryConfigUnsetValue(key, value, false, configPath);
                            }
                        }
                    }
                }
            }
            catch (err) {
                // Ignore errors - this is cleanup code
                core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
            }
            return Array.from(credentialsPaths);
        });
    }
    /**
     * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
     * @param path The path to test
     * @returns True if the path matches the credentials config pattern
     */
    testCredentialsConfigPath(path) {
        return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
    }
 }
@@ -706,6 +791,16 @@ class GitCommandManager {
            throw new Error('Unexpected output when retrieving default branch');
        });
    }
    getSubmoduleConfigPaths(recursive) {
        return __awaiter(this, void 0, void 0, function* () {
            // Get submodule config file paths.
            // Use `--show-origin` to get the config file path for each submodule.
            const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
            // Extract config file paths from the output (lines starting with "file:").
            const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
            return configPaths;
        });
    }
    getWorkingDirectory() {
        return this.workingDirectory;
    }
@@ -836,6 +931,20 @@ class GitCommandManager {
            return output.exitCode === 0;
        });
    }
    tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['config'];
            if (configFile) {
                args.push('--file', configFile);
            }
            else {
                args.push(globalConfig ? '--global' : '--local');
            }
            args.push('--unset', configKey, configValue);
            const output = yield this.execGit(args, true);
            return output.exitCode === 0;
        });
    }
    tryDisableAutomaticGarbageCollection() {
        return __awaiter(this, void 0, void 0, function* () {
            const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
@@ -855,6 +964,46 @@ class GitCommandManager {
            return stdout;
        });
    }
    tryGetConfigValues(configKey, globalConfig, configFile) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['config'];
            if (configFile) {
                args.push('--file', configFile);
            }
            else {
                args.push(globalConfig ? '--global' : '--local');
            }
            args.push('--get-all', configKey);
            const output = yield this.execGit(args, true);
            if (output.exitCode !== 0) {
                return [];
            }
            return output.stdout
                .trim()
                .split('\n')
                .filter(value => value.trim());
        });
    }
    tryGetConfigKeys(pattern, globalConfig, configFile) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['config'];
            if (configFile) {
                args.push('--file', configFile);
            }
            else {
                args.push(globalConfig ? '--global' : '--local');
            }
            args.push('--name-only', '--get-regexp', pattern);
            const output = yield this.execGit(args, true);
            if (output.exitCode !== 0) {
                return [];
            }
            return output.stdout
                .trim()
                .split('\n')
                .filter(key => key.trim());
        });
    }
    tryReset() {
        return __awaiter(this, void 0, void 0, function* () {
            const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);
--- a/108
+++ b/108
@@ -1,108 +0,0 @@
 - uses: actions/checkout@v5
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
    repository: ''
    # The branch, tag or SHA to checkout. When checking out the repository that
    # triggered a workflow, this defaults to the reference or SHA for that event.
    # Otherwise, uses the default branch.
    ref: ''
    # Personal access token (PAT) used to fetch the repository. The PAT is configured
    # with the local git config, which enables your scripts to run authenticated git
    # commands. The post-job step removes the PAT.
    #
    # We recommend using a service account with the least permissions necessary. Also
    # when generating a new PAT, select the least scopes necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    #
    # Default: ${{ github.token }}
    token: ''
    # SSH key used to fetch the repository. The SSH key is configured with the local
    # git config, which enables your scripts to run authenticated git commands. The
    # post-job step removes the SSH key.
    #
    # We recommend using a service account with the least permissions necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    ssh-key: ''
    # Known hosts in addition to the user and global host key database. The public SSH
    # keys for a host may be obtained using the utility `ssh-keyscan`. For example,
    # `ssh-keyscan github.com`. The public key for github.com is always implicitly
    # added.
    ssh-known-hosts: ''
    # Whether to perform strict host key checking. When true, adds the options
    # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
    # the input `ssh-known-hosts` to configure additional hosts.
    # Default: true
    ssh-strict: ''
    # The user to use when connecting to the remote SSH host. By default 'git' is
    # used.
    # Default: git
    ssh-user: ''
    # Whether to configure the token or SSH key with the local git config
    # Default: true
    persist-credentials: ''
    # Relative path under $GITHUB_WORKSPACE to place the repository
    path: ''
    # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching
    # Default: true
    clean: ''
    # Partially clone against a given filter. Overrides sparse-checkout if set.
    # Default: null
    filter: ''
    # Do a sparse checkout on given patterns. Each pattern should be separated with
    # new lines.
    # Default: null
    sparse-checkout: ''
    # Specifies whether to use cone-mode when doing a sparse checkout.
    # Default: true
    sparse-checkout-cone-mode: ''
    # Number of commits to fetch. 0 indicates all history for all branches and tags.
    # Default: 1
    fetch-depth: ''
    # Whether to fetch tags, even if fetch-depth > 0.
    # Default: false
    fetch-tags: ''
    # Whether to show progress status output when fetching.
    # Default: true
    show-progress: ''
    # Whether to download Git-LFS files
    # Default: false
    lfs: ''
    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
    # recursively checkout submodules.
    #
    # When the `ssh-key` input is not provided, SSH URLs beginning with
    # `git@github.com:` are converted to HTTPS.
    #
    # Default: false
    submodules: ''
    # Add repository path as safe.directory for Git global config by running `git
    # config --global --add safe.directory <path>`
    # Default: true
    set-safe-directory: ''
    # The base URL for the GitHub instance that you are trying to clone from, will use
    # environment defaults to fetch from the same instance that the workflow is
    # running from unless specified. Example URLs are https://github.com or
    # https://my-ghes-server.example.com
    github-server-url: ''
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -346,8 +346,58 @@ class GitAuthHelper {
  }
  private async removeToken(): Promise<void> {
-    // HTTP extra header
+    // Remove HTTP extra header from local git config and submodule configs
    await this.removeGitConfig(this.tokenConfigKey)
    //
    // Cleanup actions/checkout@v6 style credentials
    //
    const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
    if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
      core.debug(
        'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
      )
      return
    }
    try {
      // Collect credentials config paths that need to be removed
      const credentialsPaths = new Set<string>()
      // Remove includeIf entries that point to git-credentials-*.config files
      const mainCredentialsPaths = await this.removeIncludeIfCredentials()
      mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
      // Remove submodule includeIf entries that point to git-credentials-*.config files
      try {
        const submoduleConfigPaths =
          await this.git.getSubmoduleConfigPaths(true)
        for (const configPath of submoduleConfigPaths) {
          const submoduleCredentialsPaths =
            await this.removeIncludeIfCredentials(configPath)
          submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
        }
      } catch (err) {
        core.debug(`Unable to get submodule config paths: ${err}`)
      }
      // Remove credentials config files
      for (const credentialsPath of credentialsPaths) {
        // Only remove credentials config files if they are under RUNNER_TEMP
        const runnerTemp = process.env['RUNNER_TEMP']
        if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
          try {
            await io.rmRF(credentialsPath)
          } catch (err) {
            core.debug(
              `Failed to remove credentials config '${credentialsPath}': ${err}`
            )
          }
        }
      }
    } catch (err) {
      core.debug(`Failed to cleanup v6 style credentials: ${err}`)
    }
  }
  private async removeGitConfig(
@@ -371,4 +421,59 @@ class GitAuthHelper {
      true
    )
  }
  /**
   * Removes includeIf entries that point to git-credentials-*.config files.
   * This handles cleanup of credentials configured by newer versions of the action.
   * @param configPath Optional path to a specific git config file to operate on
   * @returns Array of unique credentials config file paths that were found and removed
   */
  private async removeIncludeIfCredentials(
    configPath?: string
  ): Promise<string[]> {
    const credentialsPaths = new Set<string>()
    try {
      // Get all includeIf.gitdir keys
      const keys = await this.git.tryGetConfigKeys(
        '^includeIf\\.gitdir:',
        false, // globalConfig?
        configPath
      )
      for (const key of keys) {
        // Get all values for this key
        const values = await this.git.tryGetConfigValues(
          key,
          false, // globalConfig?
          configPath
        )
        if (values.length > 0) {
          // Remove only values that match git-credentials-<uuid>.config pattern
          for (const value of values) {
            if (this.testCredentialsConfigPath(value)) {
              credentialsPaths.add(value)
              await this.git.tryConfigUnsetValue(key, value, false, configPath)
            }
          }
        }
      }
    } catch (err) {
      // Ignore errors - this is cleanup code
      core.debug(
        `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
      )
    }
    return Array.from(credentialsPaths)
  }
  /**
   * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
   * @param path The path to test
   * @returns True if the path matches the credentials config pattern
   */
  private testCredentialsConfigPath(path: string): boolean {
    return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
  }
 }
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -41,6 +41,7 @@ export interface IGitCommandManager {
    }
  ): Promise<void>
  getDefaultBranch(repositoryUrl: string): Promise<string>
  getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
  getWorkingDirectory(): string
  init(): Promise<void>
  isDetached(): Promise<boolean>
@@ -59,8 +60,24 @@ export interface IGitCommandManager {
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
  tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
  tryConfigUnsetValue(
    configKey: string,
    configValue: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<boolean>
  tryDisableAutomaticGarbageCollection(): Promise<boolean>
  tryGetFetchUrl(): Promise<string>
  tryGetConfigValues(
    configKey: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<string[]>
  tryGetConfigKeys(
    pattern: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<string[]>
  tryReset(): Promise<boolean>
  version(): Promise<GitVersion>
 }
@@ -323,6 +340,21 @@ class GitCommandManager {
    throw new Error('Unexpected output when retrieving default branch')
  }
  async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
    // Get submodule config file paths.
    // Use `--show-origin` to get the config file path for each submodule.
    const output = await this.submoduleForeach(
      `git config --local --show-origin --name-only --get-regexp remote.origin.url`,
      recursive
    )
    // Extract config file paths from the output (lines starting with "file:").
    const configPaths =
      output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
    return configPaths
  }
  getWorkingDirectory(): string {
    return this.workingDirectory
  }
@@ -455,6 +487,24 @@ class GitCommandManager {
    return output.exitCode === 0
  }
  async tryConfigUnsetValue(
    configKey: string,
    configValue: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<boolean> {
    const args = ['config']
    if (configFile) {
      args.push('--file', configFile)
    } else {
      args.push(globalConfig ? '--global' : '--local')
    }
    args.push('--unset', configKey, configValue)
    const output = await this.execGit(args, true)
    return output.exitCode === 0
  }
  async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
    const output = await this.execGit(
      ['config', '--local', 'gc.auto', '0'],
@@ -481,6 +531,56 @@ class GitCommandManager {
    return stdout
  }
  async tryGetConfigValues(
    configKey: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<string[]> {
    const args = ['config']
    if (configFile) {
      args.push('--file', configFile)
    } else {
      args.push(globalConfig ? '--global' : '--local')
    }
    args.push('--get-all', configKey)
    const output = await this.execGit(args, true)
    if (output.exitCode !== 0) {
      return []
    }
    return output.stdout
      .trim()
      .split('\n')
      .filter(value => value.trim())
  }
  async tryGetConfigKeys(
    pattern: string,
    globalConfig?: boolean,
    configFile?: string
  ): Promise<string[]> {
    const args = ['config']
    if (configFile) {
      args.push('--file', configFile)
    } else {
      args.push(globalConfig ? '--global' : '--local')
    }
    args.push('--name-only', '--get-regexp', pattern)
    const output = await this.execGit(args, true)
    if (output.exitCode !== 0) {
      return []
    }
    return output.stdout
      .trim()
      .split('\n')
      .filter(key => key.trim())
  }
  async tryReset(): Promise<boolean> {
    const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
    return output.exitCode === 0