mirror of
https://github.com/actions/checkout.git
synced 2026-07-02 18:33:48 +08:00
Compare commits
9 Commits
copilot/fi
...
bbc1be3677
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
bbc1be3677 | ||
|
|
45abae3e9f | ||
|
|
215f9562a1 | ||
|
|
caa5717450 | ||
|
|
630cdb3874 | ||
|
|
6503dcd44c | ||
|
|
ebd82bae91 | ||
|
|
f04b821901 | ||
|
|
45fe6460ed |
2
.github/workflows/check-dist.yml
vendored
2
.github/workflows/check-dist.yml
vendored
@@ -22,7 +22,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4.1.6
|
||||
|
||||
- name: Set Node.js 24.x
|
||||
uses: actions/setup-node@v4
|
||||
|
||||
2
.github/workflows/codeql-analysis.yml
vendored
2
.github/workflows/codeql-analysis.yml
vendored
@@ -39,7 +39,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
|
||||
2
.github/workflows/licensed.yml
vendored
2
.github/workflows/licensed.yml
vendored
@@ -9,6 +9,6 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
name: Check licenses
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4.1.6
|
||||
- run: npm ci
|
||||
- run: npm run licensed-check
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checking out
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4
|
||||
- name: Publish
|
||||
id: publish
|
||||
uses: actions/publish-immutable-action@0.0.3
|
||||
|
||||
43
.github/workflows/test.yml
vendored
43
.github/workflows/test.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 24.x
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4.1.6
|
||||
- run: npm ci
|
||||
- run: npm run build
|
||||
- run: npm run format-check
|
||||
@@ -37,7 +37,7 @@ jobs:
|
||||
steps:
|
||||
# Clone this repo
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
|
||||
# Basic checkout
|
||||
- name: Checkout basic
|
||||
@@ -87,17 +87,6 @@ jobs:
|
||||
- name: Verify fetch filter
|
||||
run: __test__/verify-fetch-filter.sh
|
||||
|
||||
# Fetch tags
|
||||
- name: Checkout with fetch-tags
|
||||
uses: ./
|
||||
with:
|
||||
ref: test-data/v2/basic
|
||||
path: fetch-tags-test
|
||||
fetch-tags: true
|
||||
- name: Verify fetch-tags
|
||||
shell: bash
|
||||
run: __test__/verify-fetch-tags.sh
|
||||
|
||||
# Sparse checkout
|
||||
- name: Sparse checkout
|
||||
uses: ./
|
||||
@@ -176,22 +165,6 @@ jobs:
|
||||
- name: Verify submodules recursive
|
||||
run: __test__/verify-submodules-recursive.sh
|
||||
|
||||
# Worktree credentials
|
||||
- name: Checkout for worktree test
|
||||
uses: ./
|
||||
with:
|
||||
path: worktree-test
|
||||
- name: Verify worktree credentials
|
||||
shell: bash
|
||||
run: __test__/verify-worktree.sh worktree-test worktree-branch
|
||||
|
||||
# Worktree credentials in container step
|
||||
- name: Verify worktree credentials in container step
|
||||
if: runner.os == 'Linux'
|
||||
uses: docker://bitnami/git:latest
|
||||
with:
|
||||
args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
|
||||
|
||||
# Basic checkout using REST API
|
||||
- name: Remove basic
|
||||
if: runner.os != 'windows'
|
||||
@@ -229,7 +202,7 @@ jobs:
|
||||
steps:
|
||||
# Clone this repo
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
|
||||
# Basic checkout using git
|
||||
- name: Checkout basic
|
||||
@@ -261,7 +234,7 @@ jobs:
|
||||
steps:
|
||||
# Clone this repo
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
|
||||
# Basic checkout using git
|
||||
- name: Checkout basic
|
||||
@@ -291,7 +264,7 @@ jobs:
|
||||
steps:
|
||||
# Clone this repo
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
with:
|
||||
path: localClone
|
||||
|
||||
@@ -318,8 +291,8 @@ jobs:
|
||||
git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
|
||||
|
||||
# needed to make checkout post cleanup succeed
|
||||
- name: Fix Checkout v6
|
||||
uses: actions/checkout@v6
|
||||
- name: Fix Checkout v4
|
||||
uses: actions/checkout@v4.1.6
|
||||
with:
|
||||
path: localClone
|
||||
|
||||
@@ -328,7 +301,7 @@ jobs:
|
||||
steps:
|
||||
# Clone this repo
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4.1.6
|
||||
with:
|
||||
path: actions-checkout
|
||||
|
||||
|
||||
2
.github/workflows/update-main-version.yml
vendored
2
.github/workflows/update-main-version.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
||||
# Note this update workflow can also be used as a rollback tool.
|
||||
# For that reason, it's best to pin `actions/checkout` to a known, stable version
|
||||
# (typically, about two releases back).
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v4.1.6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Git config
|
||||
|
||||
2
.github/workflows/update-test-ubuntu-git.yml
vendored
2
.github/workflows/update-test-ubuntu-git.yml
vendored
@@ -26,7 +26,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Use `docker/login-action` to log in to GHCR.io.
|
||||
# Once published, the packages are scoped to the account defined here.
|
||||
|
||||
23
CHANGELOG.md
23
CHANGELOG.md
@@ -1,29 +1,10 @@
|
||||
# Changelog
|
||||
|
||||
## v6.0.3
|
||||
* Fix checkout init for SHA-256 repositories by @yaananth in https://github.com/actions/checkout/pull/2439
|
||||
* fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in https://github.com/actions/checkout/pull/2414
|
||||
|
||||
## v6.0.2
|
||||
* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
|
||||
|
||||
## v6.0.1
|
||||
* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
|
||||
|
||||
## v6.0.0
|
||||
* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
|
||||
* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
|
||||
|
||||
## v5.0.1
|
||||
* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
|
||||
|
||||
## v5.0.0
|
||||
## V5.0.0
|
||||
* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
|
||||
|
||||
## v4.3.1
|
||||
* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
|
||||
|
||||
## v4.3.0
|
||||
## V4.3.0
|
||||
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
|
||||
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
|
||||
* Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
|
||||
|
||||
71
README.md
71
README.md
@@ -1,12 +1,11 @@
|
||||
[](https://github.com/actions/checkout/actions/workflows/test.yml)
|
||||
|
||||
# Checkout v6
|
||||
# Checkout v6-beta
|
||||
|
||||
## What's new
|
||||
|
||||
- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
|
||||
- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
|
||||
- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
|
||||
- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
|
||||
- This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
|
||||
|
||||
# Checkout v5
|
||||
|
||||
@@ -52,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
<!-- start usage -->
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
# Repository name with owner. For example, actions/checkout
|
||||
# Default: ${{ github.repository }}
|
||||
@@ -112,6 +111,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
# Default: true
|
||||
clean: ''
|
||||
|
||||
# Whether to preserve local changes during checkout. If true, tries to preserve
|
||||
# local files that are not tracked by Git. By default, all files will be
|
||||
# overwritten.
|
||||
# Default: false
|
||||
preserve-local-changes: ''
|
||||
|
||||
# Partially clone against a given filter. Overrides sparse-checkout if set.
|
||||
# Default: null
|
||||
filter: ''
|
||||
@@ -160,15 +165,6 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
# running from unless specified. Example URLs are https://github.com or
|
||||
# https://my-ghes-server.example.com
|
||||
github-server-url: ''
|
||||
|
||||
# Required to check out fork pull request code from a workflow triggered by
|
||||
# `pull_request_target` or `workflow_run`. These workflows run with the base
|
||||
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
|
||||
# access; fetching and executing a fork's code in that trusted context commonly
|
||||
# leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
|
||||
# risks at https://gh.io/securely-using-pull_request_target.
|
||||
# Default: false
|
||||
allow-unsafe-pr-checkout: ''
|
||||
```
|
||||
<!-- end usage -->
|
||||
|
||||
@@ -200,7 +196,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch only the root files
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: .
|
||||
```
|
||||
@@ -208,7 +204,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch only the root files and `.github` and `src` folder
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: |
|
||||
.github
|
||||
@@ -218,7 +214,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch only a single file
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: |
|
||||
README.md
|
||||
@@ -228,7 +224,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch all history for all tags and branches
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
```
|
||||
@@ -236,7 +232,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout a different branch
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: my-branch
|
||||
```
|
||||
@@ -244,7 +240,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout HEAD^
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 2
|
||||
- run: git checkout HEAD^
|
||||
@@ -254,12 +250,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
path: main
|
||||
|
||||
- name: Checkout tools repo
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-tools
|
||||
path: my-tools
|
||||
@@ -270,10 +266,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Checkout tools repo
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-tools
|
||||
path: my-tools
|
||||
@@ -284,12 +280,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
path: main
|
||||
|
||||
- name: Checkout private tools
|
||||
uses: actions/checkout@v6
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-private-tools
|
||||
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
|
||||
@@ -302,7 +298,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout pull request HEAD commit instead of merge commit
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
```
|
||||
@@ -318,7 +314,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
```
|
||||
|
||||
## Push a commit using the built-in token
|
||||
@@ -329,7 +325,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
- run: |
|
||||
date > generated.txt
|
||||
# Note: the following account information will not work on GHES
|
||||
@@ -351,7 +347,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
- run: |
|
||||
@@ -366,6 +362,21 @@ jobs:
|
||||
|
||||
*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
|
||||
|
||||
## Preserve local changes during checkout
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
- name: Create file before checkout
|
||||
shell: pwsh
|
||||
run: New-Item -Path . -Name "example.txt" -ItemType "File"
|
||||
|
||||
- name: Checkout with preserving local changes
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
clean: false
|
||||
preserve-local-changes: true
|
||||
```
|
||||
|
||||
# Recommended permissions
|
||||
|
||||
When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
|
||||
|
||||
@@ -1163,6 +1163,7 @@ async function setup(testName: string): Promise<void> {
|
||||
submodules: false,
|
||||
nestedSubmodules: false,
|
||||
persistCredentials: true,
|
||||
preserveLocalChanges: false,
|
||||
ref: 'refs/heads/main',
|
||||
repositoryName: 'my-repo',
|
||||
repositoryOwner: 'my-org',
|
||||
@@ -1173,8 +1174,7 @@ async function setup(testName: string): Promise<void> {
|
||||
sshUser: '',
|
||||
workflowOrganizationId: 123456,
|
||||
setSafeDirectory: true,
|
||||
githubServerUrl: githubServerUrl,
|
||||
allowUnsafePrCheckout: false
|
||||
githubServerUrl: githubServerUrl
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 0
|
||||
fetchDepth: 0,
|
||||
fetchTags: true
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--prune',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 0,
|
||||
fetchTags: false
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 0
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--no-tags',
|
||||
'--prune',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2',
|
||||
'+refs/tags/*:refs/tags/*'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 1
|
||||
fetchDepth: 1,
|
||||
fetchTags: false
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 1
|
||||
fetchDepth: 1,
|
||||
fetchTags: true
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--no-tags',
|
||||
'--prune',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'--depth=1',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2',
|
||||
'+refs/tags/*:refs/tags/*'
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
|
||||
it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchTags: true,
|
||||
showProgress: true
|
||||
}
|
||||
|
||||
@@ -363,187 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--no-tags',
|
||||
'--prune',
|
||||
'--no-recurse-submodules',
|
||||
'--progress',
|
||||
'--filter=filterValue',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2',
|
||||
'+refs/tags/*:refs/tags/*'
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe('repository initialization object format', () => {
|
||||
beforeEach(async () => {
|
||||
jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
|
||||
jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('initializes SHA-256 repositories with the matching object format', async () => {
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('git version 2.50.1'))
|
||||
}
|
||||
|
||||
return 0
|
||||
})
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
git = await commandManager.createCommandManager('test', false, false)
|
||||
|
||||
await git.init('sha256')
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
['init', '--object-format=sha256', 'test'],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('initializes SHA-1 repositories with existing default arguments', async () => {
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('git version 2.50.1'))
|
||||
}
|
||||
|
||||
return 0
|
||||
})
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
git = await commandManager.createCommandManager('test', false, false)
|
||||
|
||||
await git.init('sha1')
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
['init', 'test'],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
describe('git user-agent with orchestration ID', () => {
|
||||
beforeEach(async () => {
|
||||
jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
|
||||
jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks()
|
||||
// Clean up environment variable to prevent test pollution
|
||||
delete process.env['ACTIONS_ORCHESTRATION_ID']
|
||||
})
|
||||
|
||||
it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
|
||||
const orchId = 'test-orch-id-12345'
|
||||
process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
|
||||
|
||||
let capturedEnv: any = null
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('2.18'))
|
||||
}
|
||||
// Capture env on any command
|
||||
capturedEnv = options.env
|
||||
return 0
|
||||
})
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
// Call a git command to trigger env capture after user-agent is set
|
||||
await git.init()
|
||||
|
||||
// Verify the user agent includes the orchestration ID
|
||||
expect(git).toBeDefined()
|
||||
expect(capturedEnv).toBeDefined()
|
||||
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
|
||||
`git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
|
||||
)
|
||||
})
|
||||
|
||||
it('should sanitize invalid characters in orchestration ID', async () => {
|
||||
const orchId = 'test (with) special/chars'
|
||||
process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
|
||||
|
||||
let capturedEnv: any = null
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('2.18'))
|
||||
}
|
||||
// Capture env on any command
|
||||
capturedEnv = options.env
|
||||
return 0
|
||||
})
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
// Call a git command to trigger env capture after user-agent is set
|
||||
await git.init()
|
||||
|
||||
// Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
|
||||
expect(git).toBeDefined()
|
||||
expect(capturedEnv).toBeDefined()
|
||||
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
|
||||
'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
|
||||
)
|
||||
})
|
||||
|
||||
it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
|
||||
delete process.env['ACTIONS_ORCHESTRATION_ID']
|
||||
|
||||
let capturedEnv: any = null
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('2.18'))
|
||||
}
|
||||
// Capture env on any command
|
||||
capturedEnv = options.env
|
||||
return 0
|
||||
})
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
// Call a git command to trigger env capture after user-agent is set
|
||||
await git.init()
|
||||
|
||||
// Verify the user agent does NOT contain orchestration ID
|
||||
expect(git).toBeDefined()
|
||||
expect(capturedEnv).toBeDefined()
|
||||
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
|
||||
'git/2.18 (github-actions-checkout)'
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -143,12 +143,41 @@ describe('git-directory-helper tests', () => {
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
ref,
|
||||
false // preserveLocalChanges = false
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(files).toEqual(['.git']) // Expect just the .git directory to remain
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
expect(core.warning).toHaveBeenCalled()
|
||||
expect(git.tryReset).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
const preservesContentsWhenCleanFailsAndPreserveLocalChanges = 'preserves contents when clean fails and preserve-local-changes is true'
|
||||
it(preservesContentsWhenCleanFailsAndPreserveLocalChanges, async () => {
|
||||
// Arrange
|
||||
await setup(preservesContentsWhenCleanFailsAndPreserveLocalChanges)
|
||||
await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
|
||||
let mockTryClean = git.tryClean as jest.Mock<any, any>
|
||||
mockTryClean.mockImplementation(async () => {
|
||||
return false
|
||||
})
|
||||
|
||||
// Act
|
||||
await gitDirectoryHelper.prepareExistingDirectory(
|
||||
git,
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref,
|
||||
true // preserveLocalChanges = true
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files.sort()).toEqual(['.git', 'my-file']) // Expect both .git and user files to remain
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
expect(core.warning).toHaveBeenCalled()
|
||||
expect(git.tryReset).not.toHaveBeenCalled()
|
||||
@@ -170,16 +199,50 @@ describe('git-directory-helper tests', () => {
|
||||
repositoryPath,
|
||||
differentRepositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
ref,
|
||||
false // preserveLocalChanges = false
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(files).toEqual(['.git']) // Expect just the .git directory to remain
|
||||
expect(core.warning).not.toHaveBeenCalled()
|
||||
expect(git.isDetached).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
const keepsContentsWhenDifferentRepositoryUrlAndPreserveLocalChanges =
|
||||
'keeps contents when different repository url and preserve-local-changes is true'
|
||||
it(keepsContentsWhenDifferentRepositoryUrlAndPreserveLocalChanges, async () => {
|
||||
// Arrange
|
||||
await setup(keepsContentsWhenDifferentRepositoryUrlAndPreserveLocalChanges)
|
||||
clean = false
|
||||
|
||||
// Create a file that we expect to be preserved
|
||||
await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
|
||||
|
||||
// Simulate a different repository by simply removing the .git directory
|
||||
await io.rmRF(path.join(repositoryPath, '.git'))
|
||||
await fs.promises.mkdir(path.join(repositoryPath, '.git'))
|
||||
|
||||
const differentRepositoryUrl = 'https://github.com/my-different-org/my-different-repo'
|
||||
|
||||
// Act
|
||||
await gitDirectoryHelper.prepareExistingDirectory(
|
||||
git,
|
||||
repositoryPath,
|
||||
differentRepositoryUrl, // Use a different URL
|
||||
clean,
|
||||
ref,
|
||||
true // preserveLocalChanges = true
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
console.log('Files after operation:', files)
|
||||
// When preserveLocalChanges is true, files should be preserved even with different repo URL
|
||||
expect(files.sort()).toEqual(['.git', 'my-file'].sort())
|
||||
})
|
||||
|
||||
const removesContentsWhenNoGitDirectory =
|
||||
'removes contents when no git directory'
|
||||
it(removesContentsWhenNoGitDirectory, async () => {
|
||||
@@ -221,12 +284,41 @@ describe('git-directory-helper tests', () => {
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
ref,
|
||||
false // preserveLocalChanges = false
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(files).toEqual(['.git']) // Expect just the .git directory to remain
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
expect(git.tryReset).toHaveBeenCalled()
|
||||
expect(core.warning).toHaveBeenCalled()
|
||||
})
|
||||
|
||||
const preservesContentsWhenResetFailsAndPreserveLocalChanges = 'preserves contents when reset fails and preserve-local-changes is true'
|
||||
it(preservesContentsWhenResetFailsAndPreserveLocalChanges, async () => {
|
||||
// Arrange
|
||||
await setup(preservesContentsWhenResetFailsAndPreserveLocalChanges)
|
||||
await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
|
||||
let mockTryReset = git.tryReset as jest.Mock<any, any>
|
||||
mockTryReset.mockImplementation(async () => {
|
||||
return false
|
||||
})
|
||||
|
||||
// Act
|
||||
await gitDirectoryHelper.prepareExistingDirectory(
|
||||
git,
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref,
|
||||
true // preserveLocalChanges = true
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files.sort()).toEqual(['.git', 'my-file']) // Expect both .git and user files to remain
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
expect(git.tryReset).toHaveBeenCalled()
|
||||
expect(core.warning).toHaveBeenCalled()
|
||||
@@ -246,12 +338,13 @@ describe('git-directory-helper tests', () => {
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
ref,
|
||||
false // preserveLocalChanges = false
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(files).toEqual(['.git']) // Expect just the .git directory to remain
|
||||
expect(core.warning).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
@@ -302,12 +395,13 @@ describe('git-directory-helper tests', () => {
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
ref,
|
||||
false // preserveLocalChanges = false
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(files).toEqual(['.git']) // Expect just the .git directory to remain
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
})
|
||||
|
||||
|
||||
@@ -1,98 +0,0 @@
|
||||
import * as core from '@actions/core'
|
||||
import * as github from '@actions/github'
|
||||
import * as githubApiHelper from '../lib/github-api-helper'
|
||||
|
||||
describe('github-api-helper object format', () => {
|
||||
let getOctokitSpy: jest.SpyInstance
|
||||
let debugSpy: jest.SpyInstance
|
||||
let request: jest.Mock
|
||||
|
||||
function mockHashAlgorithmApi(hashAlgorithm: string): void {
|
||||
request = jest.fn(async () => ({
|
||||
data: {
|
||||
hash_algorithm: hashAlgorithm
|
||||
}
|
||||
}))
|
||||
getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
|
||||
request
|
||||
} as any)
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('detects SHA-256 from the repository hash algorithm endpoint', async () => {
|
||||
mockHashAlgorithmApi('sha256')
|
||||
|
||||
await expect(
|
||||
githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
|
||||
).resolves.toEqual({format: 'sha256', succeeded: true})
|
||||
|
||||
expect(getOctokitSpy).toHaveBeenCalledWith(
|
||||
'token',
|
||||
expect.objectContaining({baseUrl: 'https://api.github.com'})
|
||||
)
|
||||
expect(request).toHaveBeenCalledWith(
|
||||
'GET /repos/{owner}/{repo}/hash-algorithm',
|
||||
{owner: 'owner', repo: 'repo'}
|
||||
)
|
||||
})
|
||||
|
||||
it('detects SHA-1 from the repository hash algorithm endpoint', async () => {
|
||||
mockHashAlgorithmApi('sha1')
|
||||
|
||||
await expect(
|
||||
githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
|
||||
).resolves.toEqual({format: 'sha1', succeeded: true})
|
||||
})
|
||||
|
||||
it('detects object format from an existing commit without API calls', async () => {
|
||||
const commitSha =
|
||||
'9422233ca7ee1b17f1e905d0e141faf0c401556c41cdc6acd71c6bd685da2e92'
|
||||
getOctokitSpy = jest.spyOn(github, 'getOctokit')
|
||||
|
||||
await expect(
|
||||
githubApiHelper.tryGetRepositoryObjectFormat(
|
||||
'token',
|
||||
'owner',
|
||||
'repo',
|
||||
undefined,
|
||||
commitSha
|
||||
)
|
||||
).resolves.toEqual({format: 'sha256', succeeded: true})
|
||||
|
||||
expect(getOctokitSpy).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('returns unsuccessful when the hash algorithm endpoint value is not recognized', async () => {
|
||||
mockHashAlgorithmApi('unknown')
|
||||
|
||||
await expect(
|
||||
githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
|
||||
).resolves.toEqual({format: '', succeeded: false})
|
||||
expect(debugSpy).toHaveBeenCalledWith(
|
||||
'Unable to determine repository object format from hash-algorithm endpoint'
|
||||
)
|
||||
})
|
||||
|
||||
it('returns unsuccessful when the hash algorithm API lookup fails', async () => {
|
||||
request = jest.fn(async () => {
|
||||
throw new Error('not found')
|
||||
})
|
||||
jest.spyOn(github, 'getOctokit').mockReturnValue({
|
||||
request
|
||||
} as any)
|
||||
|
||||
await expect(
|
||||
githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
|
||||
).resolves.toEqual({format: '', succeeded: false})
|
||||
expect(debugSpy).toHaveBeenCalledWith(
|
||||
'Unable to determine repository object format from hash-algorithm endpoint: not found'
|
||||
)
|
||||
})
|
||||
})
|
||||
@@ -91,7 +91,6 @@ describe('input-helper tests', () => {
|
||||
expect(settings.repositoryOwner).toBe('some-owner')
|
||||
expect(settings.repositoryPath).toBe(gitHubWorkspace)
|
||||
expect(settings.setSafeDirectory).toBe(true)
|
||||
expect(settings.allowUnsafePrCheckout).toBe(false)
|
||||
})
|
||||
|
||||
it('qualifies ref', async () => {
|
||||
@@ -134,16 +133,6 @@ describe('input-helper tests', () => {
|
||||
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
|
||||
})
|
||||
|
||||
it('sets ref to empty when explicit sha-256', async () => {
|
||||
inputs.ref =
|
||||
'1111111111222222222233333333334444444444555555555566666666667777'
|
||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||
expect(settings.ref).toBeFalsy()
|
||||
expect(settings.commit).toBe(
|
||||
'1111111111222222222233333333334444444444555555555566666666667777'
|
||||
)
|
||||
})
|
||||
|
||||
it('sets sha to empty when explicit ref', async () => {
|
||||
inputs.ref = 'refs/heads/some-other-ref'
|
||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||
|
||||
@@ -1,12 +1,8 @@
|
||||
import * as assert from 'assert'
|
||||
import * as core from '@actions/core'
|
||||
import * as github from '@actions/github'
|
||||
import * as refHelper from '../lib/ref-helper'
|
||||
import {IGitCommandManager} from '../lib/git-command-manager'
|
||||
|
||||
const commit = '1234567890123456789012345678901234567890'
|
||||
const sha256Commit =
|
||||
'1234567890123456789012345678901234567890123456789012345678901234'
|
||||
let git: IGitCommandManager
|
||||
|
||||
describe('ref-helper tests', () => {
|
||||
@@ -41,12 +37,6 @@ describe('ref-helper tests', () => {
|
||||
expect(checkoutInfo.startPoint).toBeFalsy()
|
||||
})
|
||||
|
||||
it('getCheckoutInfo sha-256 only', async () => {
|
||||
const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
|
||||
expect(checkoutInfo.ref).toBe(sha256Commit)
|
||||
expect(checkoutInfo.startPoint).toBeFalsy()
|
||||
})
|
||||
|
||||
it('getCheckoutInfo refs/heads/', async () => {
|
||||
const checkoutInfo = await refHelper.getCheckoutInfo(
|
||||
git,
|
||||
@@ -162,22 +152,7 @@ describe('ref-helper tests', () => {
|
||||
it('getRefSpec sha + refs/tags/', async () => {
|
||||
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
|
||||
expect(refSpec.length).toBe(1)
|
||||
expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
|
||||
})
|
||||
|
||||
it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
|
||||
// When fetchTags is true, only include tags wildcard (specific tag is redundant)
|
||||
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
|
||||
expect(refSpec.length).toBe(1)
|
||||
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
|
||||
})
|
||||
|
||||
it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
|
||||
// When fetchTags is true, include both the branch refspec and tags wildcard
|
||||
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
|
||||
expect(refSpec.length).toBe(2)
|
||||
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
|
||||
expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
|
||||
expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
|
||||
})
|
||||
|
||||
it('getRefSpec sha only', async () => {
|
||||
@@ -193,14 +168,6 @@ describe('ref-helper tests', () => {
|
||||
expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
|
||||
})
|
||||
|
||||
it('getRefSpec unqualified ref only with fetchTags', async () => {
|
||||
// When fetchTags is true, skip specific tag pattern since wildcard covers all
|
||||
const refSpec = refHelper.getRefSpec('my-ref', '', true)
|
||||
expect(refSpec.length).toBe(2)
|
||||
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
|
||||
expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
|
||||
})
|
||||
|
||||
it('getRefSpec refs/heads/ only', async () => {
|
||||
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
|
||||
expect(refSpec.length).toBe(1)
|
||||
@@ -220,159 +187,4 @@ describe('ref-helper tests', () => {
|
||||
expect(refSpec.length).toBe(1)
|
||||
expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
|
||||
})
|
||||
|
||||
it('getRefSpec refs/tags/ only with fetchTags', async () => {
|
||||
// When fetchTags is true, only include tags wildcard (specific tag is redundant)
|
||||
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
|
||||
expect(refSpec.length).toBe(1)
|
||||
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
|
||||
})
|
||||
|
||||
it('getRefSpec refs/heads/ only with fetchTags', async () => {
|
||||
// When fetchTags is true, include both the branch refspec and tags wildcard
|
||||
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
|
||||
expect(refSpec.length).toBe(2)
|
||||
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
|
||||
expect(refSpec[1]).toBe(
|
||||
'+refs/heads/my/branch:refs/remotes/origin/my/branch'
|
||||
)
|
||||
})
|
||||
|
||||
describe('checkCommitInfo', () => {
|
||||
const repositoryOwner = 'some-owner'
|
||||
const repositoryName = 'some-repo'
|
||||
const ref = 'refs/pull/123/merge'
|
||||
const sha1Head = '1111111111222222222233333333334444444444'
|
||||
const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
|
||||
const sha256Head =
|
||||
'1111111111222222222233333333334444444444555555555566666666667777'
|
||||
const sha256Base =
|
||||
'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
|
||||
let debugSpy: jest.SpyInstance
|
||||
let getOctokitSpy: jest.SpyInstance
|
||||
let repoGetSpy: jest.Mock
|
||||
let originalEventName: string
|
||||
let originalPayload: unknown
|
||||
let originalRef: string
|
||||
let originalSha: string
|
||||
|
||||
function setPullRequestContext(
|
||||
expectedHeadSha: string,
|
||||
expectedBaseSha: string,
|
||||
mergeCommit: string
|
||||
): void {
|
||||
;(github.context as any).eventName = 'pull_request'
|
||||
github.context.ref = ref
|
||||
github.context.sha = mergeCommit
|
||||
;(github.context as any).payload = {
|
||||
action: 'synchronize',
|
||||
after: expectedHeadSha,
|
||||
number: 123,
|
||||
pull_request: {
|
||||
base: {
|
||||
sha: expectedBaseSha
|
||||
}
|
||||
},
|
||||
repository: {
|
||||
private: false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
beforeEach(() => {
|
||||
originalEventName = github.context.eventName
|
||||
originalPayload = github.context.payload
|
||||
originalRef = github.context.ref
|
||||
originalSha = github.context.sha
|
||||
|
||||
jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
|
||||
owner: repositoryOwner,
|
||||
repo: repositoryName
|
||||
})
|
||||
debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
|
||||
repoGetSpy = jest.fn(async () => ({}))
|
||||
getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
|
||||
rest: {
|
||||
repos: {
|
||||
get: repoGetSpy
|
||||
}
|
||||
}
|
||||
} as any)
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
;(github.context as any).eventName = originalEventName
|
||||
;(github.context as any).payload = originalPayload
|
||||
github.context.ref = originalRef
|
||||
github.context.sha = originalSha
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('returns early for SHA-1 merge commit', async () => {
|
||||
setPullRequestContext(sha1Head, sha1Base, commit)
|
||||
|
||||
await refHelper.checkCommitInfo(
|
||||
'token',
|
||||
`Merge ${sha1Head} into ${sha1Base}`,
|
||||
repositoryOwner,
|
||||
repositoryName,
|
||||
ref,
|
||||
commit
|
||||
)
|
||||
|
||||
expect(getOctokitSpy).not.toHaveBeenCalled()
|
||||
expect(repoGetSpy).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('matches SHA-256 merge commit info', async () => {
|
||||
const actualHeadSha =
|
||||
'9999999999888888888877777777776666666666555555555544444444443333'
|
||||
setPullRequestContext(sha256Head, sha256Base, sha256Commit)
|
||||
|
||||
await refHelper.checkCommitInfo(
|
||||
'token',
|
||||
`Merge ${actualHeadSha} into ${sha256Base}`,
|
||||
repositoryOwner,
|
||||
repositoryName,
|
||||
ref,
|
||||
sha256Commit
|
||||
)
|
||||
|
||||
expect(getOctokitSpy).toHaveBeenCalledWith(
|
||||
'token',
|
||||
expect.objectContaining({
|
||||
userAgent: expect.stringContaining(
|
||||
`expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
|
||||
)
|
||||
})
|
||||
)
|
||||
expect(repoGetSpy).toHaveBeenCalledWith({
|
||||
owner: repositoryOwner,
|
||||
repo: repositoryName
|
||||
})
|
||||
expect(debugSpy).toHaveBeenCalledWith(
|
||||
`Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
|
||||
)
|
||||
expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
|
||||
})
|
||||
|
||||
it('does not match 50-char hex as a valid merge', async () => {
|
||||
const invalidHeadSha =
|
||||
'99999999998888888888777777777766666666665555555555'
|
||||
setPullRequestContext(sha1Head, sha1Base, commit)
|
||||
|
||||
await refHelper.checkCommitInfo(
|
||||
'token',
|
||||
`Merge ${invalidHeadSha} into ${sha1Base}`,
|
||||
repositoryOwner,
|
||||
repositoryName,
|
||||
ref,
|
||||
commit
|
||||
)
|
||||
|
||||
expect(getOctokitSpy).not.toHaveBeenCalled()
|
||||
expect(repoGetSpy).not.toHaveBeenCalled()
|
||||
expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
@@ -1,267 +0,0 @@
|
||||
import * as github from '@actions/github'
|
||||
import {assertSafePrCheckout} from '../lib/unsafe-pr-checkout-helper'
|
||||
|
||||
// Shallow clone original @actions/github context
|
||||
const originalContext = {...github.context}
|
||||
const originalEventName = github.context.eventName
|
||||
const originalPayload = github.context.payload
|
||||
|
||||
const BASE_REPO_ID = 100
|
||||
const FORK_REPO_ID = 200
|
||||
const PR_HEAD_SHA = '1111111111111111111111111111111111111111'
|
||||
const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
|
||||
const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
|
||||
const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
|
||||
const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
|
||||
const FORK_QUALIFIED_REPO = 'another-repo/fork'
|
||||
|
||||
function setContext(eventName: string, payload: object): void {
|
||||
;(github.context as {eventName: string}).eventName = eventName
|
||||
;(github.context as {payload: object}).payload = payload
|
||||
}
|
||||
|
||||
function forkPullRequestTargetPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
pull_request: {
|
||||
head: {
|
||||
sha: PR_HEAD_SHA,
|
||||
repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
|
||||
},
|
||||
merge_commit_sha: PR_MERGE_SHA
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function sameRepoPullRequestTargetPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
pull_request: {
|
||||
head: {
|
||||
sha: PR_HEAD_SHA,
|
||||
repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
|
||||
},
|
||||
merge_commit_sha: PR_MERGE_SHA
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function forkWorkflowRunPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
workflow_run: {
|
||||
event: 'pull_request',
|
||||
head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
|
||||
head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
describe('unsafe-pr-checkout-helper', () => {
|
||||
beforeAll(() => {
|
||||
jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
|
||||
owner: 'some-owner',
|
||||
repo: 'some-repo'
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
;(github.context as {eventName: string}).eventName = originalEventName
|
||||
;(github.context as {payload: object}).payload = originalPayload
|
||||
})
|
||||
|
||||
afterAll(() => {
|
||||
;(github.context as {eventName: string}).eventName =
|
||||
originalContext.eventName
|
||||
;(github.context as {payload: object}).payload = originalContext.payload
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('allows pull_request events untouched', () => {
|
||||
setContext('pull_request', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: 'attacker/fork',
|
||||
ref: 'refs/pull/1/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target default checkout (base branch)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/heads/main',
|
||||
commit: SAFE_BASE_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('allows same-repo pull_request_target checkout of PR head', () => {
|
||||
setContext('pull_request_target', sameRepoPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR head SHA checkout', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow(/Refusing to check out fork pull request code/)
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR merge_commit_sha checkout', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_MERGE_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow(/allow-unsafe-pr-checkout/)
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR ref pattern (head)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/head',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR ref pattern (merge)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target when repository points at the fork', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: FORK_QUALIFIED_REPO,
|
||||
ref: 'refs/heads/main',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target checkout of an unrelated third-party repo', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: 'some-other/unrelated',
|
||||
ref: 'refs/heads/main',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target ignoring repository case differences', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
|
||||
ref: '',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target ignoring commit SHA case differences', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA.toUpperCase(),
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target fork PR checkout when opted in', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: true
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses workflow_run fork PR head_commit.id checkout', () => {
|
||||
setContext('workflow_run', forkWorkflowRunPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses workflow_run with pull_request_target underlying event', () => {
|
||||
const payload = forkWorkflowRunPayload() as {
|
||||
workflow_run: {event: string}
|
||||
}
|
||||
payload.workflow_run.event = 'pull_request_target'
|
||||
setContext('workflow_run', payload)
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows workflow_run same-repo PR (head_repository.id matches base)', () => {
|
||||
const payload = forkWorkflowRunPayload() as {
|
||||
workflow_run: {head_repository: {id: number}}
|
||||
}
|
||||
payload.workflow_run.head_repository.id = BASE_REPO_ID
|
||||
setContext('workflow_run', payload)
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
})
|
||||
@@ -1,9 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Verify tags were fetched
|
||||
TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
|
||||
if [ "$TAG_COUNT" -eq 0 ]; then
|
||||
echo "Expected tags to be fetched, but found none"
|
||||
exit 1
|
||||
fi
|
||||
echo "Found $TAG_COUNT tags"
|
||||
@@ -1,51 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# Verify worktree credentials
|
||||
# This test verifies that git credentials work in worktrees created after checkout
|
||||
# Usage: verify-worktree.sh <checkout-path> <worktree-name>
|
||||
|
||||
CHECKOUT_PATH="$1"
|
||||
WORKTREE_NAME="$2"
|
||||
|
||||
if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
|
||||
echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cd "$CHECKOUT_PATH"
|
||||
|
||||
# Add safe directory for container environments
|
||||
git config --global --add safe.directory "*" 2>/dev/null || true
|
||||
|
||||
# Show the includeIf configuration
|
||||
echo "Git config includeIf entries:"
|
||||
git config --list --show-origin | grep -i include || true
|
||||
|
||||
# Create the worktree
|
||||
echo "Creating worktree..."
|
||||
git worktree add "../$WORKTREE_NAME" HEAD --detach
|
||||
|
||||
# Change to worktree directory
|
||||
cd "../$WORKTREE_NAME"
|
||||
|
||||
# Verify we're in a worktree
|
||||
echo "Verifying worktree gitdir:"
|
||||
cat .git
|
||||
|
||||
# Verify credentials are available in worktree by checking extraheader is configured
|
||||
echo "Checking credentials in worktree..."
|
||||
if git config --list --show-origin | grep -q "extraheader"; then
|
||||
echo "Credentials are configured in worktree"
|
||||
else
|
||||
echo "ERROR: Credentials are NOT configured in worktree"
|
||||
echo "Full git config:"
|
||||
git config --list --show-origin
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify fetch works in the worktree
|
||||
echo "Fetching in worktree..."
|
||||
git fetch origin
|
||||
|
||||
echo "Worktree credentials test passed!"
|
||||
14
action.yml
14
action.yml
@@ -56,7 +56,10 @@ inputs:
|
||||
description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
|
||||
clean:
|
||||
description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
|
||||
default: true
|
||||
default: 'true'
|
||||
preserve-local-changes:
|
||||
description: 'Whether to preserve local changes during checkout. If true, tries to preserve local files that are not tracked by Git. By default, all files will be overwritten.'
|
||||
default: 'false'
|
||||
filter:
|
||||
description: >
|
||||
Partially clone against a given filter.
|
||||
@@ -98,15 +101,6 @@ inputs:
|
||||
github-server-url:
|
||||
description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
|
||||
required: false
|
||||
allow-unsafe-pr-checkout:
|
||||
description: >
|
||||
Required to check out fork pull request code from a workflow triggered by
|
||||
`pull_request_target` or `workflow_run`. These workflows run with the
|
||||
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
|
||||
runner access; fetching and executing a fork's code in that trusted
|
||||
context commonly leads to "pwn request" vulnerabilities. Set to `true`
|
||||
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
|
||||
default: false
|
||||
outputs:
|
||||
ref:
|
||||
description: 'The branch, tag or SHA that was checked out'
|
||||
|
||||
399
dist/index.js
vendored
399
dist/index.js
vendored
@@ -412,9 +412,6 @@ class GitAuthHelper {
|
||||
// Configure host includeIf
|
||||
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
|
||||
yield this.git.config(hostIncludeKey, credentialsConfigPath);
|
||||
// Configure host includeIf for worktrees
|
||||
const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
|
||||
yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
|
||||
// Container git directory
|
||||
const workingDirectory = this.git.getWorkingDirectory();
|
||||
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
|
||||
@@ -427,9 +424,6 @@ class GitAuthHelper {
|
||||
// Configure container includeIf
|
||||
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
|
||||
yield this.git.config(containerIncludeKey, containerCredentialsPath);
|
||||
// Configure container includeIf for worktrees
|
||||
const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
|
||||
yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
|
||||
}
|
||||
});
|
||||
}
|
||||
@@ -653,6 +647,7 @@ const fs = __importStar(__nccwpck_require__(7147));
|
||||
const fshelper = __importStar(__nccwpck_require__(7219));
|
||||
const io = __importStar(__nccwpck_require__(7436));
|
||||
const path = __importStar(__nccwpck_require__(1017));
|
||||
const refHelper = __importStar(__nccwpck_require__(8601));
|
||||
const regexpHelper = __importStar(__nccwpck_require__(3120));
|
||||
const retryHelper = __importStar(__nccwpck_require__(2155));
|
||||
const git_version_1 = __nccwpck_require__(3142);
|
||||
@@ -780,9 +775,17 @@ class GitCommandManager {
|
||||
yield fs.promises.appendFile(sparseCheckoutPath, `\n${sparseCheckout.join('\n')}\n`);
|
||||
});
|
||||
}
|
||||
checkout(ref, startPoint) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['checkout', '--progress', '--force'];
|
||||
checkout(ref_1, startPoint_1) {
|
||||
return __awaiter(this, arguments, void 0, function* (ref, startPoint, options = []) {
|
||||
const args = ['checkout', '--progress'];
|
||||
// Add custom options (like --merge) if provided
|
||||
if (options.length > 0) {
|
||||
args.push(...options);
|
||||
}
|
||||
else {
|
||||
// Default behavior - use force
|
||||
args.push('--force');
|
||||
}
|
||||
if (startPoint) {
|
||||
args.push('-B', ref, startPoint);
|
||||
}
|
||||
@@ -830,9 +833,9 @@ class GitCommandManager {
|
||||
fetch(refSpec, options) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['-c', 'protocol.version=2', 'fetch'];
|
||||
// Always use --no-tags for explicit control over tag fetching
|
||||
// Tags are fetched explicitly via refspec when needed
|
||||
args.push('--no-tags');
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
|
||||
args.push('--no-tags');
|
||||
}
|
||||
args.push('--prune', '--no-recurse-submodules');
|
||||
if (options.showProgress) {
|
||||
args.push('--progress');
|
||||
@@ -896,14 +899,9 @@ class GitCommandManager {
|
||||
getWorkingDirectory() {
|
||||
return this.workingDirectory;
|
||||
}
|
||||
init(objectFormat) {
|
||||
init() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['init'];
|
||||
if (objectFormat === 'sha256') {
|
||||
args.push('--object-format=sha256');
|
||||
}
|
||||
args.push(this.workingDirectory);
|
||||
yield this.execGit(args);
|
||||
yield this.execGit(['init', this.workingDirectory]);
|
||||
});
|
||||
}
|
||||
isDetached() {
|
||||
@@ -1210,17 +1208,7 @@ class GitCommandManager {
|
||||
}
|
||||
}
|
||||
// Set the user agent
|
||||
let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
|
||||
// Append orchestration ID if set
|
||||
const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
|
||||
if (orchId) {
|
||||
// Sanitize the orchestration ID to ensure it contains only valid characters
|
||||
// Valid characters: 0-9, a-z, _, -, .
|
||||
const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
|
||||
if (sanitizedId) {
|
||||
gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
|
||||
}
|
||||
}
|
||||
const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
|
||||
core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
|
||||
this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
|
||||
});
|
||||
@@ -1281,13 +1269,17 @@ const fs = __importStar(__nccwpck_require__(7147));
|
||||
const fsHelper = __importStar(__nccwpck_require__(7219));
|
||||
const io = __importStar(__nccwpck_require__(7436));
|
||||
const path = __importStar(__nccwpck_require__(1017));
|
||||
function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean, ref) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
function prepareExistingDirectory(git_1, repositoryPath_1, repositoryUrl_1, clean_1, ref_1) {
|
||||
return __awaiter(this, arguments, void 0, function* (git, repositoryPath, repositoryUrl, clean, ref, preserveLocalChanges = false) {
|
||||
var _a;
|
||||
assert.ok(repositoryPath, 'Expected repositoryPath to be defined');
|
||||
assert.ok(repositoryUrl, 'Expected repositoryUrl to be defined');
|
||||
// Indicates whether to delete the directory contents
|
||||
let remove = false;
|
||||
// If preserveLocalChanges is true, log it
|
||||
if (preserveLocalChanges) {
|
||||
core.info(`Preserve local changes is enabled, will attempt to keep local files`);
|
||||
}
|
||||
// Check whether using git or REST API
|
||||
if (!git) {
|
||||
remove = true;
|
||||
@@ -1368,14 +1360,28 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean, ref
|
||||
remove = true;
|
||||
}
|
||||
}
|
||||
if (remove) {
|
||||
if (remove && !preserveLocalChanges) {
|
||||
// Delete the contents of the directory. Don't delete the directory itself
|
||||
// since it might be the current working directory.
|
||||
core.info(`Deleting the contents of '${repositoryPath}'`);
|
||||
for (const file of yield fs.promises.readdir(repositoryPath)) {
|
||||
// Skip .git directory as we need it to determine if a file is tracked
|
||||
if (file === '.git') {
|
||||
continue;
|
||||
}
|
||||
yield io.rmRF(path.join(repositoryPath, file));
|
||||
}
|
||||
}
|
||||
else if (remove && preserveLocalChanges) {
|
||||
core.info(`Skipping deletion of directory contents due to preserve-local-changes setting`);
|
||||
// We still need to make sure we have a git repository to work with
|
||||
if (!git) {
|
||||
core.info(`Initializing git repository to prepare for checkout with preserved changes`);
|
||||
yield fs.promises.mkdir(path.join(repositoryPath, '.git'), {
|
||||
recursive: true
|
||||
});
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
@@ -1472,7 +1478,7 @@ function getSource(settings) {
|
||||
}
|
||||
// Prepare existing directory, otherwise recreate
|
||||
if (isExisting) {
|
||||
yield gitDirectoryHelper.prepareExistingDirectory(git, settings.repositoryPath, repositoryUrl, settings.clean, settings.ref);
|
||||
yield gitDirectoryHelper.prepareExistingDirectory(git, settings.repositoryPath, repositoryUrl, settings.clean, settings.ref, settings.preserveLocalChanges);
|
||||
}
|
||||
if (!git) {
|
||||
// Downloading using REST API
|
||||
@@ -1491,17 +1497,8 @@ function getSource(settings) {
|
||||
stateHelper.setRepositoryPath(settings.repositoryPath);
|
||||
// Initialize the repository
|
||||
if (!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))) {
|
||||
core.startGroup('Determining repository object format');
|
||||
const objectFormatResult = yield githubApiHelper.tryGetRepositoryObjectFormat(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.githubServerUrl, settings.commit);
|
||||
const objectFormat = objectFormatResult.succeeded
|
||||
? objectFormatResult.format
|
||||
: '';
|
||||
if (objectFormat === 'sha256') {
|
||||
core.info('Detected SHA-256 repository object format');
|
||||
}
|
||||
core.endGroup();
|
||||
core.startGroup('Initializing the repository');
|
||||
yield git.init(objectFormat);
|
||||
yield git.init();
|
||||
yield git.remoteAdd('origin', repositoryUrl);
|
||||
core.endGroup();
|
||||
}
|
||||
@@ -1552,26 +1549,13 @@ function getSource(settings) {
|
||||
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
|
||||
yield git.fetch(refSpec, fetchOptions);
|
||||
// Verify the ref now matches. For branches, the targeted fetch above brings
|
||||
// in the specific commit. For tags (fetched by ref), this will fail if
|
||||
// the tag was moved after the workflow was triggered.
|
||||
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
|
||||
`The ref may have been updated after the workflow was triggered.`);
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
fetchOptions.fetchDepth = settings.fetchDepth;
|
||||
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
|
||||
fetchOptions.fetchTags = settings.fetchTags;
|
||||
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
|
||||
yield git.fetch(refSpec, fetchOptions);
|
||||
// For tags, verify the ref still points to the expected commit.
|
||||
// Tags are fetched by ref (not commit), so if a tag was moved after the
|
||||
// workflow was triggered, we would silently check out the wrong commit.
|
||||
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
|
||||
`The ref may have been updated after the workflow was triggered.`);
|
||||
}
|
||||
}
|
||||
core.endGroup();
|
||||
// Checkout info
|
||||
@@ -1607,7 +1591,104 @@ function getSource(settings) {
|
||||
}
|
||||
// Checkout
|
||||
core.startGroup('Checking out the ref');
|
||||
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
|
||||
if (settings.preserveLocalChanges) {
|
||||
core.info('Attempting to preserve local changes during checkout');
|
||||
// List and store local files before checkout
|
||||
const fs = __nccwpck_require__(7147);
|
||||
const path = __nccwpck_require__(1017);
|
||||
const localFiles = new Map();
|
||||
try {
|
||||
// Get all files in the workspace that aren't in the .git directory
|
||||
const workspacePath = process.cwd();
|
||||
core.info(`Current workspace path: ${workspacePath}`);
|
||||
// List all files in the current directory using fs
|
||||
const listFilesRecursively = (dir) => {
|
||||
let results = [];
|
||||
const list = fs.readdirSync(dir);
|
||||
list.forEach((file) => {
|
||||
const fullPath = path.join(dir, file);
|
||||
const relativePath = path.relative(workspacePath, fullPath);
|
||||
// Skip .git directory
|
||||
if (relativePath.startsWith('.git'))
|
||||
return;
|
||||
const stat = fs.statSync(fullPath);
|
||||
if (stat && stat.isDirectory()) {
|
||||
// Recursively explore subdirectories
|
||||
results = results.concat(listFilesRecursively(fullPath));
|
||||
}
|
||||
else {
|
||||
// Store file content in memory
|
||||
try {
|
||||
const content = fs.readFileSync(fullPath);
|
||||
localFiles.set(relativePath, content);
|
||||
results.push(relativePath);
|
||||
}
|
||||
catch (readErr) {
|
||||
core.warning(`Failed to read file ${relativePath}: ${readErr}`);
|
||||
}
|
||||
}
|
||||
});
|
||||
return results;
|
||||
};
|
||||
const localFilesList = listFilesRecursively(workspacePath);
|
||||
core.info(`Found ${localFilesList.length} local files to preserve:`);
|
||||
localFilesList.forEach(file => core.info(` - ${file}`));
|
||||
}
|
||||
catch (error) {
|
||||
core.warning(`Failed to list local files: ${error}`);
|
||||
}
|
||||
// Perform normal checkout
|
||||
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
|
||||
// Restore local files that were not tracked by git
|
||||
core.info('Restoring local files after checkout');
|
||||
try {
|
||||
let restoredCount = 0;
|
||||
const execOptions = {
|
||||
cwd: process.cwd(),
|
||||
silent: true,
|
||||
ignoreReturnCode: true
|
||||
};
|
||||
for (const [filePath, content] of localFiles.entries()) {
|
||||
// Check if file exists in git using a child process instead of git.execGit
|
||||
const { exec } = __nccwpck_require__(1514);
|
||||
let exitCode = 0;
|
||||
const output = {
|
||||
stdout: '',
|
||||
stderr: ''
|
||||
};
|
||||
// Capture output
|
||||
const options = Object.assign(Object.assign({}, execOptions), { listeners: {
|
||||
stdout: (data) => {
|
||||
output.stdout += data.toString();
|
||||
},
|
||||
stderr: (data) => {
|
||||
output.stderr += data.toString();
|
||||
}
|
||||
} });
|
||||
exitCode = yield exec('git', ['ls-files', '--error-unmatch', filePath], options);
|
||||
if (exitCode !== 0) {
|
||||
// File is not tracked by git, safe to restore
|
||||
const fullPath = path.join(process.cwd(), filePath);
|
||||
// Ensure directory exists
|
||||
fs.mkdirSync(path.dirname(fullPath), { recursive: true });
|
||||
fs.writeFileSync(fullPath, content);
|
||||
core.info(`Restored local file: ${filePath}`);
|
||||
restoredCount++;
|
||||
}
|
||||
else {
|
||||
core.info(`Skipping ${filePath} as it's tracked by git`);
|
||||
}
|
||||
}
|
||||
core.info(`Successfully restored ${restoredCount} local files`);
|
||||
}
|
||||
catch (error) {
|
||||
core.warning(`Failed to restore local files: ${error}`);
|
||||
}
|
||||
}
|
||||
else {
|
||||
// Use the default behavior with --force
|
||||
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
|
||||
}
|
||||
core.endGroup();
|
||||
// Submodules
|
||||
if (settings.submodules) {
|
||||
@@ -1824,7 +1905,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.downloadRepository = downloadRepository;
|
||||
exports.getDefaultBranch = getDefaultBranch;
|
||||
exports.tryGetRepositoryObjectFormat = tryGetRepositoryObjectFormat;
|
||||
const assert = __importStar(__nccwpck_require__(9491));
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const fs = __importStar(__nccwpck_require__(7147));
|
||||
@@ -1926,40 +2006,6 @@ function getDefaultBranch(authToken, owner, repo, baseUrl) {
|
||||
}));
|
||||
});
|
||||
}
|
||||
function tryGetRepositoryObjectFormat(authToken, owner, repo, baseUrl, commit) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a;
|
||||
const commitFormat = getObjectFormat(commit);
|
||||
if (commitFormat) {
|
||||
return { format: commitFormat, succeeded: true };
|
||||
}
|
||||
try {
|
||||
const octokit = github.getOctokit(authToken, {
|
||||
baseUrl: (0, url_helper_1.getServerApiUrl)(baseUrl)
|
||||
});
|
||||
const response = yield octokit.request('GET /repos/{owner}/{repo}/hash-algorithm', { owner, repo });
|
||||
const hashAlgorithm = response.data.hash_algorithm;
|
||||
if (hashAlgorithm === 'sha256' || hashAlgorithm === 'sha1') {
|
||||
return { format: hashAlgorithm, succeeded: true };
|
||||
}
|
||||
core.debug('Unable to determine repository object format from hash-algorithm endpoint');
|
||||
return { format: '', succeeded: false };
|
||||
}
|
||||
catch (err) {
|
||||
core.debug(`Unable to determine repository object format from hash-algorithm endpoint: ${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
|
||||
return { format: '', succeeded: false };
|
||||
}
|
||||
});
|
||||
}
|
||||
function getObjectFormat(sha) {
|
||||
if (/^[0-9a-fA-F]{64}$/.test(sha || '')) {
|
||||
return 'sha256';
|
||||
}
|
||||
if (/^[0-9a-fA-F]{40}$/.test(sha || '')) {
|
||||
return 'sha1';
|
||||
}
|
||||
return '';
|
||||
}
|
||||
function downloadArchive(authToken, owner, repo, ref, commit, baseUrl) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const octokit = github.getOctokit(authToken, {
|
||||
@@ -2023,7 +2069,6 @@ const core = __importStar(__nccwpck_require__(2186));
|
||||
const fsHelper = __importStar(__nccwpck_require__(7219));
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const path = __importStar(__nccwpck_require__(1017));
|
||||
const unsafePrCheckoutHelper = __importStar(__nccwpck_require__(843));
|
||||
const workflowContextHelper = __importStar(__nccwpck_require__(9568));
|
||||
function getInputs() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
@@ -2071,7 +2116,7 @@ function getInputs() {
|
||||
}
|
||||
}
|
||||
// SHA?
|
||||
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
||||
result.commit = result.ref;
|
||||
result.ref = '';
|
||||
}
|
||||
@@ -2080,6 +2125,11 @@ function getInputs() {
|
||||
// Clean
|
||||
result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE';
|
||||
core.debug(`clean = ${result.clean}`);
|
||||
// Preserve local changes
|
||||
result.preserveLocalChanges =
|
||||
(core.getInput('preserve-local-changes') || 'false').toUpperCase() ===
|
||||
'TRUE';
|
||||
core.debug(`preserveLocalChanges = ${result.preserveLocalChanges}`);
|
||||
// Filter
|
||||
const filter = core.getInput('filter');
|
||||
if (filter) {
|
||||
@@ -2145,17 +2195,6 @@ function getInputs() {
|
||||
// Determine the GitHub URL that the repository is being hosted from
|
||||
result.githubServerUrl = core.getInput('github-server-url');
|
||||
core.debug(`GitHub Host URL = ${result.githubServerUrl}`);
|
||||
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
|
||||
result.allowUnsafePrCheckout =
|
||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||
'TRUE';
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
});
|
||||
return result;
|
||||
});
|
||||
}
|
||||
@@ -2296,7 +2335,6 @@ exports.getRefSpecForAllHistory = getRefSpecForAllHistory;
|
||||
exports.getRefSpec = getRefSpec;
|
||||
exports.testRef = testRef;
|
||||
exports.checkCommitInfo = checkCommitInfo;
|
||||
exports.fromPayload = fromPayload;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const url_helper_1 = __nccwpck_require__(9437);
|
||||
@@ -2358,67 +2396,53 @@ function getRefSpecForAllHistory(ref, commit) {
|
||||
}
|
||||
return result;
|
||||
}
|
||||
function getRefSpec(ref, commit, fetchTags) {
|
||||
function getRefSpec(ref, commit) {
|
||||
if (!ref && !commit) {
|
||||
throw new Error('Args ref and commit cannot both be empty');
|
||||
}
|
||||
const upperRef = (ref || '').toUpperCase();
|
||||
const result = [];
|
||||
// When fetchTags is true, always include the tags refspec
|
||||
if (fetchTags) {
|
||||
result.push(exports.tagsRefSpec);
|
||||
}
|
||||
// SHA
|
||||
if (commit) {
|
||||
// refs/heads
|
||||
if (upperRef.startsWith('REFS/HEADS/')) {
|
||||
const branch = ref.substring('refs/heads/'.length);
|
||||
result.push(`+${commit}:refs/remotes/origin/${branch}`);
|
||||
return [`+${commit}:refs/remotes/origin/${branch}`];
|
||||
}
|
||||
// refs/pull/
|
||||
else if (upperRef.startsWith('REFS/PULL/')) {
|
||||
const branch = ref.substring('refs/pull/'.length);
|
||||
result.push(`+${commit}:refs/remotes/pull/${branch}`);
|
||||
return [`+${commit}:refs/remotes/pull/${branch}`];
|
||||
}
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
if (!fetchTags) {
|
||||
result.push(`+${ref}:${ref}`);
|
||||
}
|
||||
return [`+${commit}:${ref}`];
|
||||
}
|
||||
// Otherwise no destination ref
|
||||
else {
|
||||
result.push(commit);
|
||||
return [commit];
|
||||
}
|
||||
}
|
||||
// Unqualified ref, check for a matching branch or tag
|
||||
else if (!upperRef.startsWith('REFS/')) {
|
||||
result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
|
||||
if (!fetchTags) {
|
||||
result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
|
||||
}
|
||||
return [
|
||||
`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
|
||||
`+refs/tags/${ref}*:refs/tags/${ref}*`
|
||||
];
|
||||
}
|
||||
// refs/heads/
|
||||
else if (upperRef.startsWith('REFS/HEADS/')) {
|
||||
const branch = ref.substring('refs/heads/'.length);
|
||||
result.push(`+${ref}:refs/remotes/origin/${branch}`);
|
||||
return [`+${ref}:refs/remotes/origin/${branch}`];
|
||||
}
|
||||
// refs/pull/
|
||||
else if (upperRef.startsWith('REFS/PULL/')) {
|
||||
const branch = ref.substring('refs/pull/'.length);
|
||||
result.push(`+${ref}:refs/remotes/pull/${branch}`);
|
||||
return [`+${ref}:refs/remotes/pull/${branch}`];
|
||||
}
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
if (!fetchTags) {
|
||||
result.push(`+${ref}:${ref}`);
|
||||
}
|
||||
}
|
||||
// Other refs
|
||||
else {
|
||||
result.push(`+${ref}:${ref}`);
|
||||
return [`+${ref}:${ref}`];
|
||||
}
|
||||
return result;
|
||||
}
|
||||
/**
|
||||
* Tests whether the initial fetch created the ref at the expected commit
|
||||
@@ -2454,9 +2478,7 @@ function testRef(git, ref, commit) {
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
const tagName = ref.substring('refs/tags/'.length);
|
||||
// Use ^{commit} to dereference annotated tags to their underlying commit
|
||||
return ((yield git.tagExists(tagName)) &&
|
||||
commit === (yield git.revParse(`${ref}^{commit}`)));
|
||||
return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
|
||||
}
|
||||
// Unexpected
|
||||
else {
|
||||
@@ -2506,7 +2528,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
|
||||
return;
|
||||
}
|
||||
// Extract details from message
|
||||
const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
|
||||
const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
|
||||
if (!match) {
|
||||
core.debug('Unexpected message format');
|
||||
return;
|
||||
@@ -2745,105 +2767,6 @@ if (!exports.IsPost) {
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 843:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.assertSafePrCheckout = assertSafePrCheckout;
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const ref_helper_1 = __nccwpck_require__(8601);
|
||||
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/;
|
||||
function assertSafePrCheckout(input) {
|
||||
if (input.allowUnsafePrCheckout) {
|
||||
return;
|
||||
}
|
||||
const eventName = github.context.eventName;
|
||||
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
|
||||
return;
|
||||
}
|
||||
const baseRepoId = (0, ref_helper_1.fromPayload)('repository.id');
|
||||
if (typeof baseRepoId !== 'number') {
|
||||
return;
|
||||
}
|
||||
let prHeadRepoId;
|
||||
let prHeadRepoFullName;
|
||||
const prShas = [];
|
||||
if (eventName === 'pull_request_target') {
|
||||
prHeadRepoId = (0, ref_helper_1.fromPayload)('pull_request.head.repo.id');
|
||||
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('pull_request.head.repo.full_name');
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.head.sha'));
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.merge_commit_sha'));
|
||||
}
|
||||
else {
|
||||
const wrEvent = (0, ref_helper_1.fromPayload)('workflow_run.event');
|
||||
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
|
||||
return;
|
||||
}
|
||||
prHeadRepoId = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.id');
|
||||
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.full_name');
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_commit.id'));
|
||||
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
|
||||
// default branch SHA (not the PR head)
|
||||
if (wrEvent !== 'pull_request_target') {
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_sha'));
|
||||
}
|
||||
}
|
||||
// (A) Fork PR?
|
||||
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
|
||||
return;
|
||||
}
|
||||
// (B) We cannot check for all fork PR refs so check to see
|
||||
// if the resolved input points to the fork PR sha we have in the payload
|
||||
const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
|
||||
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
|
||||
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
|
||||
const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
|
||||
if (!repositoryMatchesPrHead &&
|
||||
!refMatchesPullPattern &&
|
||||
!commitMatchesPrHeadSha) {
|
||||
return;
|
||||
}
|
||||
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
|
||||
}
|
||||
function pushIfSha(target, value) {
|
||||
if (typeof value === 'string' && value.length > 0) {
|
||||
target.push(value.toLowerCase());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 9437:
|
||||
|
||||
9
package-lock.json
generated
9
package-lock.json
generated
@@ -14,7 +14,6 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@actions/io": "^1.1.3",
|
||||
"@actions/tool-cache": "^2.0.1",
|
||||
"flatted": "^3.4.2",
|
||||
"uuid": "^9.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -3591,10 +3590,10 @@
|
||||
}
|
||||
},
|
||||
"node_modules/flatted": {
|
||||
"version": "3.4.2",
|
||||
"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
|
||||
"integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
|
||||
"license": "ISC"
|
||||
"version": "3.3.1",
|
||||
"resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
|
||||
"integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/for-each": {
|
||||
"version": "0.3.3",
|
||||
|
||||
@@ -33,7 +33,6 @@
|
||||
"@actions/github": "^6.0.0",
|
||||
"@actions/io": "^1.1.3",
|
||||
"@actions/tool-cache": "^2.0.1",
|
||||
"flatted": "^3.4.2",
|
||||
"uuid": "^9.0.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
@@ -374,10 +374,6 @@ class GitAuthHelper {
|
||||
const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
|
||||
await this.git.config(hostIncludeKey, credentialsConfigPath)
|
||||
|
||||
// Configure host includeIf for worktrees
|
||||
const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
|
||||
await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
|
||||
|
||||
// Container git directory
|
||||
const workingDirectory = this.git.getWorkingDirectory()
|
||||
const githubWorkspace = process.env['GITHUB_WORKSPACE']
|
||||
@@ -399,13 +395,6 @@ class GitAuthHelper {
|
||||
// Configure container includeIf
|
||||
const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
|
||||
await this.git.config(containerIncludeKey, containerCredentialsPath)
|
||||
|
||||
// Configure container includeIf for worktrees
|
||||
const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
|
||||
await this.git.config(
|
||||
containerWorktreeIncludeKey,
|
||||
containerCredentialsPath
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@ export interface IGitCommandManager {
|
||||
disableSparseCheckout(): Promise<void>
|
||||
sparseCheckout(sparseCheckout: string[]): Promise<void>
|
||||
sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void>
|
||||
checkout(ref: string, startPoint: string): Promise<void>
|
||||
checkout(ref: string, startPoint: string, options?: string[]): Promise<void>
|
||||
checkoutDetach(): Promise<void>
|
||||
config(
|
||||
configKey: string,
|
||||
@@ -37,13 +37,14 @@ export interface IGitCommandManager {
|
||||
options: {
|
||||
filter?: string
|
||||
fetchDepth?: number
|
||||
fetchTags?: boolean
|
||||
showProgress?: boolean
|
||||
}
|
||||
): Promise<void>
|
||||
getDefaultBranch(repositoryUrl: string): Promise<string>
|
||||
getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
|
||||
getWorkingDirectory(): string
|
||||
init(objectFormat?: string): Promise<void>
|
||||
init(): Promise<void>
|
||||
isDetached(): Promise<boolean>
|
||||
lfsFetch(ref: string): Promise<void>
|
||||
lfsInstall(): Promise<void>
|
||||
@@ -220,8 +221,21 @@ class GitCommandManager {
|
||||
)
|
||||
}
|
||||
|
||||
async checkout(ref: string, startPoint: string): Promise<void> {
|
||||
const args = ['checkout', '--progress', '--force']
|
||||
async checkout(
|
||||
ref: string,
|
||||
startPoint: string,
|
||||
options: string[] = []
|
||||
): Promise<void> {
|
||||
const args = ['checkout', '--progress']
|
||||
|
||||
// Add custom options (like --merge) if provided
|
||||
if (options.length > 0) {
|
||||
args.push(...options)
|
||||
} else {
|
||||
// Default behavior - use force
|
||||
args.push('--force')
|
||||
}
|
||||
|
||||
if (startPoint) {
|
||||
args.push('-B', ref, startPoint)
|
||||
} else {
|
||||
@@ -279,13 +293,14 @@ class GitCommandManager {
|
||||
options: {
|
||||
filter?: string
|
||||
fetchDepth?: number
|
||||
fetchTags?: boolean
|
||||
showProgress?: boolean
|
||||
}
|
||||
): Promise<void> {
|
||||
const args = ['-c', 'protocol.version=2', 'fetch']
|
||||
// Always use --no-tags for explicit control over tag fetching
|
||||
// Tags are fetched explicitly via refspec when needed
|
||||
args.push('--no-tags')
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
|
||||
args.push('--no-tags')
|
||||
}
|
||||
|
||||
args.push('--prune', '--no-recurse-submodules')
|
||||
if (options.showProgress) {
|
||||
@@ -364,14 +379,8 @@ class GitCommandManager {
|
||||
return this.workingDirectory
|
||||
}
|
||||
|
||||
async init(objectFormat?: string): Promise<void> {
|
||||
const args = ['init']
|
||||
if (objectFormat === 'sha256') {
|
||||
args.push('--object-format=sha256')
|
||||
}
|
||||
args.push(this.workingDirectory)
|
||||
|
||||
await this.execGit(args)
|
||||
async init(): Promise<void> {
|
||||
await this.execGit(['init', this.workingDirectory])
|
||||
}
|
||||
|
||||
async isDetached(): Promise<boolean> {
|
||||
@@ -734,19 +743,7 @@ class GitCommandManager {
|
||||
}
|
||||
}
|
||||
// Set the user agent
|
||||
let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
|
||||
|
||||
// Append orchestration ID if set
|
||||
const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
|
||||
if (orchId) {
|
||||
// Sanitize the orchestration ID to ensure it contains only valid characters
|
||||
// Valid characters: 0-9, a-z, _, -, .
|
||||
const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
|
||||
if (sanitizedId) {
|
||||
gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
|
||||
}
|
||||
}
|
||||
|
||||
const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
|
||||
core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
|
||||
this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
|
||||
}
|
||||
|
||||
@@ -11,7 +11,8 @@ export async function prepareExistingDirectory(
|
||||
repositoryPath: string,
|
||||
repositoryUrl: string,
|
||||
clean: boolean,
|
||||
ref: string
|
||||
ref: string,
|
||||
preserveLocalChanges: boolean = false
|
||||
): Promise<void> {
|
||||
assert.ok(repositoryPath, 'Expected repositoryPath to be defined')
|
||||
assert.ok(repositoryUrl, 'Expected repositoryUrl to be defined')
|
||||
@@ -19,6 +20,13 @@ export async function prepareExistingDirectory(
|
||||
// Indicates whether to delete the directory contents
|
||||
let remove = false
|
||||
|
||||
// If preserveLocalChanges is true, log it
|
||||
if (preserveLocalChanges) {
|
||||
core.info(
|
||||
`Preserve local changes is enabled, will attempt to keep local files`
|
||||
)
|
||||
}
|
||||
|
||||
// Check whether using git or REST API
|
||||
if (!git) {
|
||||
remove = true
|
||||
@@ -114,12 +122,43 @@ export async function prepareExistingDirectory(
|
||||
}
|
||||
}
|
||||
|
||||
if (remove) {
|
||||
// Check repository conditions
|
||||
let isLocalGitRepo = git && fsHelper.directoryExistsSync(path.join(repositoryPath, '.git'));
|
||||
let repoUrl = isLocalGitRepo ? await git?.tryGetFetchUrl() : '';
|
||||
let isSameRepository = repositoryUrl === repoUrl;
|
||||
let differentRepoUrl = !isSameRepository;
|
||||
|
||||
// Repository URL has changed
|
||||
if (differentRepoUrl) {
|
||||
if (preserveLocalChanges) {
|
||||
core.warning(`Repository URL has changed from '${repoUrl}' to '${repositoryUrl}'. Local changes will be preserved as requested.`);
|
||||
}
|
||||
remove = true; // Mark for removal, but actual removal will respect preserveLocalChanges
|
||||
}
|
||||
|
||||
if (remove && !preserveLocalChanges) {
|
||||
// Delete the contents of the directory. Don't delete the directory itself
|
||||
// since it might be the current working directory.
|
||||
core.info(`Deleting the contents of '${repositoryPath}'`)
|
||||
for (const file of await fs.promises.readdir(repositoryPath)) {
|
||||
// Skip .git directory as we need it to determine if a file is tracked
|
||||
if (file === '.git') {
|
||||
continue
|
||||
}
|
||||
await io.rmRF(path.join(repositoryPath, file))
|
||||
}
|
||||
} else if (remove && preserveLocalChanges) {
|
||||
core.info(
|
||||
`Skipping deletion of directory contents due to preserve-local-changes setting`
|
||||
)
|
||||
// We still need to make sure we have a git repository to work with
|
||||
if (!git) {
|
||||
core.info(
|
||||
`Initializing git repository to prepare for checkout with preserved changes`
|
||||
)
|
||||
await fs.promises.mkdir(path.join(repositoryPath, '.git'), {
|
||||
recursive: true
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -70,7 +70,8 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
settings.repositoryPath,
|
||||
repositoryUrl,
|
||||
settings.clean,
|
||||
settings.ref
|
||||
settings.ref,
|
||||
settings.preserveLocalChanges
|
||||
)
|
||||
}
|
||||
|
||||
@@ -109,25 +110,8 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
if (
|
||||
!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
|
||||
) {
|
||||
core.startGroup('Determining repository object format')
|
||||
const objectFormatResult =
|
||||
await githubApiHelper.tryGetRepositoryObjectFormat(
|
||||
settings.authToken,
|
||||
settings.repositoryOwner,
|
||||
settings.repositoryName,
|
||||
settings.githubServerUrl,
|
||||
settings.commit
|
||||
)
|
||||
const objectFormat = objectFormatResult.succeeded
|
||||
? objectFormatResult.format
|
||||
: ''
|
||||
if (objectFormat === 'sha256') {
|
||||
core.info('Detected SHA-256 repository object format')
|
||||
}
|
||||
core.endGroup()
|
||||
|
||||
core.startGroup('Initializing the repository')
|
||||
await git.init(objectFormat)
|
||||
await git.init()
|
||||
await git.remoteAdd('origin', repositoryUrl)
|
||||
core.endGroup()
|
||||
}
|
||||
@@ -176,6 +160,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
const fetchOptions: {
|
||||
filter?: string
|
||||
fetchDepth?: number
|
||||
fetchTags?: boolean
|
||||
showProgress?: boolean
|
||||
} = {}
|
||||
|
||||
@@ -198,35 +183,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
|
||||
await git.fetch(refSpec, fetchOptions)
|
||||
|
||||
// Verify the ref now matches. For branches, the targeted fetch above brings
|
||||
// in the specific commit. For tags (fetched by ref), this will fail if
|
||||
// the tag was moved after the workflow was triggered.
|
||||
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
throw new Error(
|
||||
`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
|
||||
`The ref may have been updated after the workflow was triggered.`
|
||||
)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
fetchOptions.fetchDepth = settings.fetchDepth
|
||||
const refSpec = refHelper.getRefSpec(
|
||||
settings.ref,
|
||||
settings.commit,
|
||||
settings.fetchTags
|
||||
)
|
||||
fetchOptions.fetchTags = settings.fetchTags
|
||||
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
|
||||
await git.fetch(refSpec, fetchOptions)
|
||||
|
||||
// For tags, verify the ref still points to the expected commit.
|
||||
// Tags are fetched by ref (not commit), so if a tag was moved after the
|
||||
// workflow was triggered, we would silently check out the wrong commit.
|
||||
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
throw new Error(
|
||||
`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
|
||||
`The ref may have been updated after the workflow was triggered.`
|
||||
)
|
||||
}
|
||||
}
|
||||
core.endGroup()
|
||||
|
||||
@@ -268,7 +230,115 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
|
||||
// Checkout
|
||||
core.startGroup('Checking out the ref')
|
||||
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
|
||||
if (settings.preserveLocalChanges) {
|
||||
core.info('Attempting to preserve local changes during checkout')
|
||||
|
||||
// List and store local files before checkout
|
||||
const fs = require('fs')
|
||||
const path = require('path')
|
||||
const localFiles = new Map()
|
||||
|
||||
try {
|
||||
// Get all files in the workspace that aren't in the .git directory
|
||||
const workspacePath = process.cwd()
|
||||
core.info(`Current workspace path: ${workspacePath}`)
|
||||
|
||||
// List all files in the current directory using fs
|
||||
const listFilesRecursively = (dir: string): string[] => {
|
||||
let results: string[] = []
|
||||
const list = fs.readdirSync(dir)
|
||||
list.forEach((file: string) => {
|
||||
const fullPath = path.join(dir, file)
|
||||
const relativePath = path.relative(workspacePath, fullPath)
|
||||
// Skip .git directory
|
||||
if (relativePath.startsWith('.git')) return
|
||||
|
||||
const stat = fs.statSync(fullPath)
|
||||
if (stat && stat.isDirectory()) {
|
||||
// Recursively explore subdirectories
|
||||
results = results.concat(listFilesRecursively(fullPath))
|
||||
} else {
|
||||
// Store file content in memory
|
||||
try {
|
||||
const content = fs.readFileSync(fullPath)
|
||||
localFiles.set(relativePath, content)
|
||||
results.push(relativePath)
|
||||
} catch (readErr) {
|
||||
core.warning(`Failed to read file ${relativePath}: ${readErr}`)
|
||||
}
|
||||
}
|
||||
})
|
||||
return results
|
||||
}
|
||||
|
||||
const localFilesList = listFilesRecursively(workspacePath)
|
||||
core.info(`Found ${localFilesList.length} local files to preserve:`)
|
||||
localFilesList.forEach(file => core.info(` - ${file}`))
|
||||
} catch (error) {
|
||||
core.warning(`Failed to list local files: ${error}`)
|
||||
}
|
||||
|
||||
// Perform normal checkout
|
||||
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
|
||||
|
||||
// Restore local files that were not tracked by git
|
||||
core.info('Restoring local files after checkout')
|
||||
try {
|
||||
let restoredCount = 0
|
||||
const execOptions = {
|
||||
cwd: process.cwd(),
|
||||
silent: true,
|
||||
ignoreReturnCode: true
|
||||
}
|
||||
|
||||
for (const [filePath, content] of localFiles.entries()) {
|
||||
// Check if file exists in git using a child process instead of git.execGit
|
||||
const {exec} = require('@actions/exec')
|
||||
let exitCode = 0
|
||||
const output = {
|
||||
stdout: '',
|
||||
stderr: ''
|
||||
}
|
||||
|
||||
// Capture output
|
||||
const options = {
|
||||
...execOptions,
|
||||
listeners: {
|
||||
stdout: (data: Buffer) => {
|
||||
output.stdout += data.toString()
|
||||
},
|
||||
stderr: (data: Buffer) => {
|
||||
output.stderr += data.toString()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
exitCode = await exec(
|
||||
'git',
|
||||
['ls-files', '--error-unmatch', filePath],
|
||||
options
|
||||
)
|
||||
|
||||
if (exitCode !== 0) {
|
||||
// File is not tracked by git, safe to restore
|
||||
const fullPath = path.join(process.cwd(), filePath)
|
||||
// Ensure directory exists
|
||||
fs.mkdirSync(path.dirname(fullPath), {recursive: true})
|
||||
fs.writeFileSync(fullPath, content)
|
||||
core.info(`Restored local file: ${filePath}`)
|
||||
restoredCount++
|
||||
} else {
|
||||
core.info(`Skipping ${filePath} as it's tracked by git`)
|
||||
}
|
||||
}
|
||||
core.info(`Successfully restored ${restoredCount} local files`)
|
||||
} catch (error) {
|
||||
core.warning(`Failed to restore local files: ${error}`)
|
||||
}
|
||||
} else {
|
||||
// Use the default behavior with --force
|
||||
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
|
||||
}
|
||||
core.endGroup()
|
||||
|
||||
// Submodules
|
||||
|
||||
@@ -25,10 +25,15 @@ export interface IGitSourceSettings {
|
||||
commit: string
|
||||
|
||||
/**
|
||||
* Indicates whether to clean the repository
|
||||
* Whether to execute git clean and git reset before fetching
|
||||
*/
|
||||
clean: boolean
|
||||
|
||||
/**
|
||||
* Whether to preserve local changes during checkout
|
||||
*/
|
||||
preserveLocalChanges: boolean
|
||||
|
||||
/**
|
||||
* The filter determining which objects to include
|
||||
*/
|
||||
@@ -118,10 +123,4 @@ export interface IGitSourceSettings {
|
||||
* User override on the GitHub Server/Host URL that hosts the repository to be cloned
|
||||
*/
|
||||
githubServerUrl: string | undefined
|
||||
|
||||
/**
|
||||
* Opt-in to allow checking out fork pull request code from a workflow
|
||||
* triggered by pull_request_target or workflow_run.
|
||||
*/
|
||||
allowUnsafePrCheckout: boolean
|
||||
}
|
||||
|
||||
@@ -11,11 +11,6 @@ import {getServerApiUrl} from './url-helper'
|
||||
|
||||
const IS_WINDOWS = process.platform === 'win32'
|
||||
|
||||
export interface RepositoryObjectFormatResult {
|
||||
format: string
|
||||
succeeded: boolean
|
||||
}
|
||||
|
||||
export async function downloadRepository(
|
||||
authToken: string,
|
||||
owner: string,
|
||||
@@ -127,53 +122,6 @@ export async function getDefaultBranch(
|
||||
})
|
||||
}
|
||||
|
||||
export async function tryGetRepositoryObjectFormat(
|
||||
authToken: string,
|
||||
owner: string,
|
||||
repo: string,
|
||||
baseUrl?: string,
|
||||
commit?: string
|
||||
): Promise<RepositoryObjectFormatResult> {
|
||||
const commitFormat = getObjectFormat(commit)
|
||||
if (commitFormat) {
|
||||
return {format: commitFormat, succeeded: true}
|
||||
}
|
||||
|
||||
try {
|
||||
const octokit = github.getOctokit(authToken, {
|
||||
baseUrl: getServerApiUrl(baseUrl)
|
||||
})
|
||||
const response = await octokit.request(
|
||||
'GET /repos/{owner}/{repo}/hash-algorithm',
|
||||
{owner, repo}
|
||||
)
|
||||
const hashAlgorithm = response.data.hash_algorithm
|
||||
if (hashAlgorithm === 'sha256' || hashAlgorithm === 'sha1') {
|
||||
return {format: hashAlgorithm, succeeded: true}
|
||||
}
|
||||
|
||||
core.debug(
|
||||
'Unable to determine repository object format from hash-algorithm endpoint'
|
||||
)
|
||||
return {format: '', succeeded: false}
|
||||
} catch (err) {
|
||||
core.debug(
|
||||
`Unable to determine repository object format from hash-algorithm endpoint: ${(err as any)?.message ?? err}`
|
||||
)
|
||||
return {format: '', succeeded: false}
|
||||
}
|
||||
}
|
||||
|
||||
function getObjectFormat(sha?: string): string {
|
||||
if (/^[0-9a-fA-F]{64}$/.test(sha || '')) {
|
||||
return 'sha256'
|
||||
}
|
||||
if (/^[0-9a-fA-F]{40}$/.test(sha || '')) {
|
||||
return 'sha1'
|
||||
}
|
||||
return ''
|
||||
}
|
||||
|
||||
async function downloadArchive(
|
||||
authToken: string,
|
||||
owner: string,
|
||||
|
||||
@@ -2,7 +2,6 @@ import * as core from '@actions/core'
|
||||
import * as fsHelper from './fs-helper'
|
||||
import * as github from '@actions/github'
|
||||
import * as path from 'path'
|
||||
import * as unsafePrCheckoutHelper from './unsafe-pr-checkout-helper'
|
||||
import * as workflowContextHelper from './workflow-context-helper'
|
||||
import {IGitSourceSettings} from './git-source-settings'
|
||||
|
||||
@@ -72,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
}
|
||||
}
|
||||
// SHA?
|
||||
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
|
||||
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
||||
result.commit = result.ref
|
||||
result.ref = ''
|
||||
}
|
||||
@@ -83,6 +82,12 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
|
||||
core.debug(`clean = ${result.clean}`)
|
||||
|
||||
// Preserve local changes
|
||||
result.preserveLocalChanges =
|
||||
(core.getInput('preserve-local-changes') || 'false').toUpperCase() ===
|
||||
'TRUE'
|
||||
core.debug(`preserveLocalChanges = ${result.preserveLocalChanges}`)
|
||||
|
||||
// Filter
|
||||
const filter = core.getInput('filter')
|
||||
if (filter) {
|
||||
@@ -162,18 +167,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
result.githubServerUrl = core.getInput('github-server-url')
|
||||
core.debug(`GitHub Host URL = ${result.githubServerUrl}`)
|
||||
|
||||
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
|
||||
result.allowUnsafePrCheckout =
|
||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||
'TRUE'
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
})
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
@@ -120,7 +120,7 @@ function updateUsage(
|
||||
}
|
||||
|
||||
updateUsage(
|
||||
'actions/checkout@v6',
|
||||
'actions/checkout@v5',
|
||||
path.join(__dirname, '..', '..', 'action.yml'),
|
||||
path.join(__dirname, '..', '..', 'README.md')
|
||||
)
|
||||
|
||||
@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
|
||||
return result
|
||||
}
|
||||
|
||||
export function getRefSpec(
|
||||
ref: string,
|
||||
commit: string,
|
||||
fetchTags?: boolean
|
||||
): string[] {
|
||||
export function getRefSpec(ref: string, commit: string): string[] {
|
||||
if (!ref && !commit) {
|
||||
throw new Error('Args ref and commit cannot both be empty')
|
||||
}
|
||||
|
||||
const upperRef = (ref || '').toUpperCase()
|
||||
const result: string[] = []
|
||||
|
||||
// When fetchTags is true, always include the tags refspec
|
||||
if (fetchTags) {
|
||||
result.push(tagsRefSpec)
|
||||
}
|
||||
|
||||
// SHA
|
||||
if (commit) {
|
||||
// refs/heads
|
||||
if (upperRef.startsWith('REFS/HEADS/')) {
|
||||
const branch = ref.substring('refs/heads/'.length)
|
||||
result.push(`+${commit}:refs/remotes/origin/${branch}`)
|
||||
return [`+${commit}:refs/remotes/origin/${branch}`]
|
||||
}
|
||||
// refs/pull/
|
||||
else if (upperRef.startsWith('REFS/PULL/')) {
|
||||
const branch = ref.substring('refs/pull/'.length)
|
||||
result.push(`+${commit}:refs/remotes/pull/${branch}`)
|
||||
return [`+${commit}:refs/remotes/pull/${branch}`]
|
||||
}
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
if (!fetchTags) {
|
||||
result.push(`+${ref}:${ref}`)
|
||||
}
|
||||
return [`+${commit}:${ref}`]
|
||||
}
|
||||
// Otherwise no destination ref
|
||||
else {
|
||||
result.push(commit)
|
||||
return [commit]
|
||||
}
|
||||
}
|
||||
// Unqualified ref, check for a matching branch or tag
|
||||
else if (!upperRef.startsWith('REFS/')) {
|
||||
result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
|
||||
if (!fetchTags) {
|
||||
result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
|
||||
}
|
||||
return [
|
||||
`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
|
||||
`+refs/tags/${ref}*:refs/tags/${ref}*`
|
||||
]
|
||||
}
|
||||
// refs/heads/
|
||||
else if (upperRef.startsWith('REFS/HEADS/')) {
|
||||
const branch = ref.substring('refs/heads/'.length)
|
||||
result.push(`+${ref}:refs/remotes/origin/${branch}`)
|
||||
return [`+${ref}:refs/remotes/origin/${branch}`]
|
||||
}
|
||||
// refs/pull/
|
||||
else if (upperRef.startsWith('REFS/PULL/')) {
|
||||
const branch = ref.substring('refs/pull/'.length)
|
||||
result.push(`+${ref}:refs/remotes/pull/${branch}`)
|
||||
return [`+${ref}:refs/remotes/pull/${branch}`]
|
||||
}
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
if (!fetchTags) {
|
||||
result.push(`+${ref}:${ref}`)
|
||||
}
|
||||
}
|
||||
// Other refs
|
||||
else {
|
||||
result.push(`+${ref}:${ref}`)
|
||||
return [`+${ref}:${ref}`]
|
||||
}
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -190,10 +170,8 @@ export async function testRef(
|
||||
// refs/tags/
|
||||
else if (upperRef.startsWith('REFS/TAGS/')) {
|
||||
const tagName = ref.substring('refs/tags/'.length)
|
||||
// Use ^{commit} to dereference annotated tags to their underlying commit
|
||||
return (
|
||||
(await git.tagExists(tagName)) &&
|
||||
commit === (await git.revParse(`${ref}^{commit}`))
|
||||
(await git.tagExists(tagName)) && commit === (await git.revParse(ref))
|
||||
)
|
||||
}
|
||||
// Unexpected
|
||||
@@ -258,9 +236,7 @@ export async function checkCommitInfo(
|
||||
}
|
||||
|
||||
// Extract details from message
|
||||
const match = commitInfo.match(
|
||||
/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
|
||||
)
|
||||
const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
|
||||
if (!match) {
|
||||
core.debug('Unexpected message format')
|
||||
return
|
||||
@@ -292,7 +268,7 @@ export async function checkCommitInfo(
|
||||
}
|
||||
}
|
||||
|
||||
export function fromPayload(path: string): any {
|
||||
function fromPayload(path: string): any {
|
||||
return select(github.context.payload, path)
|
||||
}
|
||||
|
||||
|
||||
@@ -1,88 +0,0 @@
|
||||
import * as github from '@actions/github'
|
||||
import {fromPayload} from './ref-helper'
|
||||
|
||||
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/
|
||||
|
||||
export interface IUnsafePrCheckoutInput {
|
||||
qualifiedRepository: string
|
||||
ref: string
|
||||
commit: string | undefined
|
||||
allowUnsafePrCheckout: boolean
|
||||
}
|
||||
|
||||
export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
|
||||
if (input.allowUnsafePrCheckout) {
|
||||
return
|
||||
}
|
||||
|
||||
const eventName = github.context.eventName
|
||||
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
|
||||
return
|
||||
}
|
||||
|
||||
const baseRepoId = fromPayload('repository.id')
|
||||
if (typeof baseRepoId !== 'number') {
|
||||
return
|
||||
}
|
||||
|
||||
let prHeadRepoId: unknown
|
||||
let prHeadRepoFullName: unknown
|
||||
const prShas: string[] = []
|
||||
|
||||
if (eventName === 'pull_request_target') {
|
||||
prHeadRepoId = fromPayload('pull_request.head.repo.id')
|
||||
prHeadRepoFullName = fromPayload('pull_request.head.repo.full_name')
|
||||
pushIfSha(prShas, fromPayload('pull_request.head.sha'))
|
||||
pushIfSha(prShas, fromPayload('pull_request.merge_commit_sha'))
|
||||
} else {
|
||||
const wrEvent = fromPayload('workflow_run.event')
|
||||
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
|
||||
return
|
||||
}
|
||||
prHeadRepoId = fromPayload('workflow_run.head_repository.id')
|
||||
prHeadRepoFullName = fromPayload('workflow_run.head_repository.full_name')
|
||||
pushIfSha(prShas, fromPayload('workflow_run.head_commit.id'))
|
||||
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
|
||||
// default branch SHA (not the PR head)
|
||||
if (wrEvent !== 'pull_request_target') {
|
||||
pushIfSha(prShas, fromPayload('workflow_run.head_sha'))
|
||||
}
|
||||
}
|
||||
|
||||
// (A) Fork PR?
|
||||
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
|
||||
return
|
||||
}
|
||||
|
||||
// (B) We cannot check for all fork PR refs so check to see
|
||||
// if the resolved input points to the fork PR sha we have in the payload
|
||||
const repositoryMatchesPrHead =
|
||||
typeof prHeadRepoFullName === 'string' &&
|
||||
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase()
|
||||
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref)
|
||||
const commitMatchesPrHeadSha =
|
||||
!!input.commit && prShas.includes(input.commit.toLowerCase())
|
||||
|
||||
if (
|
||||
!repositoryMatchesPrHead &&
|
||||
!refMatchesPullPattern &&
|
||||
!commitMatchesPrHeadSha
|
||||
) {
|
||||
return
|
||||
}
|
||||
|
||||
throw new Error(
|
||||
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
|
||||
`the risks at https://gh.io/securely-using-pull_request_target, set ` +
|
||||
`'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
|
||||
)
|
||||
}
|
||||
|
||||
function pushIfSha(target: string[], value: unknown): void {
|
||||
if (typeof value === 'string' && value.length > 0) {
|
||||
target.push(value.toLowerCase())
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user