1
0
mirror of https://github.com/actions/checkout.git synced 2026-07-02 18:33:48 +08:00

Compare commits

..

4 Commits

Author SHA1 Message Date
Theomegas1
2316c2a206 Merge 8ec026fcc5 into ff7abcd0c3 2025-09-24 13:43:30 +00:00
Theomegas1
8ec026fcc5 Createmikes codeql.yml 2025-09-24 09:43:27 -04:00
Theomegas1
524dcd0a11 Create release,tagset
.net,react
2025-09-04 21:33:51 -04:00
Theomegas1
3ee49d2c6b Create generator-generic-ossf-slsa3-publish.yml
tech sav
2025-09-04 17:48:46 -04:00
28 changed files with 729 additions and 1782 deletions

View File

@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v4.1.6
- name: Set Node.js 24.x - name: Set Node.js 24.x
uses: actions/setup-node@v4 uses: actions/setup-node@v4

View File

@@ -39,7 +39,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v3 uses: github/codeql-action/init@v3

234
.github/workflows/codeql.yml vendored Normal file
View File

@@ -0,0 +1,234 @@
- name: Setup Java JDK
uses: actions/setup-java@v5.0.0
with:
# The Java version to set up. Takes a whole or semver Java version. See examples of supported syntax in README file
java-version: # optional
# The path to the `.java-version` file. See examples of supported syntax in README file
java-version-file: # optional
# Java distribution. See the list of supported distributions in README file
distribution:
# The package type (jdk, jre, jdk+fx, jre+fx)
java-package: # optional, default is jdk
# The architecture of the package (defaults to the action runner's architecture)
architecture: # optional
# Path to where the compressed JDK is located
jdkFile: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec
check-latest: # optional
# ID of the distributionManagement repository in the pom.xml file. Default is `github`
server-id: # optional, default is github
# Environment variable name for the username for authentication to the Apache Maven repository. Default is $GITHUB_ACTOR
server-username: # optional, default is GITHUB_ACTOR
# Environment variable name for password or token for authentication to the Apache Maven repository. Default is $GITHUB_TOKEN
server-password: # optional, default is GITHUB_TOKEN
# Path to where the settings.xml file will be written. Default is ~/.m2.
settings-path: # optional
# Overwrite the settings.xml file if it exists. Default is "true".
overwrite-settings: # optional, default is true
# GPG private key to import. Default is empty string.
gpg-private-key: # optional
# Environment variable name for the GPG private key passphrase. Default is $GPG_PASSPHRASE.
gpg-passphrase: # optional
# Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".
cache: # optional
# The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies.
cache-dependency-path: # optional
# Workaround to pass job status to post job step. This variable is not intended for manual setting
job-status: # optional, default is ${{ job.status }}
# The token used to authenticate when fetching version manifests hosted on github.com, such as for the Microsoft Build of OpenJDK. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Name of Maven Toolchain ID if the default name of "${distribution}_${java-version}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-id: # optional
# Name of Maven Toolchain Vendor if the default name of "${distribution}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-vendor: # optional
- name: Setup Java JDK
uses: actions/setup-java@v5.0.0
with:
# The Java version to set up. Takes a whole or semver Java version. See examples of supported syntax in README file
java-version: # optional
# The path to the `.java-version` file. See examples of supported syntax in README file
java-version-file: # optional
# Java distribution. See the list of supported distributions in README file
distribution:
# The package type (jdk, jre, jdk+fx, jre+fx)
java-package: # optional, default is jdk
# The architecture of the package (defaults to the action runner's architecture)
architecture: # optional
# Path to where the compressed JDK is located
jdkFile: # optional
# Set this option if you want the action to check for the latest available version that satisfies the version spec
check-latest: # optional
# ID of the distributionManagement repository in the pom.xml file. Default is `github`
server-id: # optional, default is github
# Environment variable name for the username for authentication to the Apache Maven repository. Default is $GITHUB_ACTOR
server-username: # optional, default is GITHUB_ACTOR
# Environment variable name for password or token for authentication to the Apache Maven repository. Default is $GITHUB_TOKEN
server-password: # optional, default is GITHUB_TOKEN
# Path to where the settings.xml file will be written. Default is ~/.m2.
settings-path: # optional
# Overwrite the settings.xml file if it exists. Default is "true".
overwrite-settings: # optional, default is true
# GPG private key to import. Default is empty string.
gpg-private-key: # optional
# Environment variable name for the GPG private key passphrase. Default is $GPG_PASSPHRASE.
gpg-passphrase: # optional
# Name of the build platform to cache dependencies. It can be "maven", "gradle" or "sbt".
cache: # optional
# The path to a dependency file: pom.xml, build.gradle, build.sbt, etc. This option can be used with the `cache` option. If this option is omitted, the action searches for the dependency file in the entire repository. This option supports wildcards and a list of file names for caching multiple dependencies.
cache-dependency-path: # optional
# Workaround to pass job status to post job step. This variable is not intended for manual setting
job-status: # optional, default is ${{ job.status }}
# The token used to authenticate when fetching version manifests hosted on github.com, such as for the Microsoft Build of OpenJDK. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
# Name of Maven Toolchain ID if the default name of "${distribution}_${java-version}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-id: # optional
# Name of Maven Toolchain Vendor if the default name of "${distribution}" is not wanted. See examples of supported syntax in Advanced Usage file
mvn-toolchain-vendor: # optional
- name: Setup .NET Core SDK
uses: actions/setup-dotnet@v5.0.0
with:
# Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx
dotnet-version: # optional
# Optional quality of the build. The possible values are: daily, signed, validated, preview, ga.
dotnet-quality: # optional
# Optional global.json location, if your global.json isn't located in the root of the repo.
global-json-file: # optional
# Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword
source-url: # optional
# Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url
owner: # optional
# Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo.
config-file: # optional
# Optional input to enable caching of the NuGet global-packages folder
cache: # optional
# Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies.
cache-dependency-path: # optional
- name: Custom Models Action
# You may pin to the exact commit or the version.
# uses: datarobot-oss/custom-models-action@0a5d55659824973261d6b49389569dd4e28795bf
uses: datarobot-oss/custom-models-action@v1.6.0
with:
# DataRobot authentication API token.
api-token:
# DataRobot frontend web server.
webserver:
# The branch for which pull request and push events will trigger the action.
branch:
# Determines the namespace under which models and deployments will be created, updated and
deleted.
namespace: # optional
# Whether to detected local deleted model definitions and consequently delete them
in DataRobot.
allow-model-deletion: # optional, default is false
# Whether to detect local deleted deployment definitions and consequently delete them
in DataRobot.
allow-deployment-deletion: # optional, default is false
# Whether to handle custom inference models only, without deployments..
models-only: # optional, default is false
# Whether a request to an HTTPS URL will be made without a certificate verification.
skip-cert-verification: # optional, default is false
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '24 19 * * 1'
jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"

View File

@@ -0,0 +1,105 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow lets you generate SLSA provenance file for your project.
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
name: SLSA generic generator
on:
workflow_dispatch:
release:
types: [created]
jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}
steps:
- uses: actions/checkout@v4
# ========================================================
#
# Step 1: Build your artifacts.
#
# ========================================================
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2
# ========================================================
#
# Step 2: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject for provenance
id: hash
run: |
set -euo pipefail
# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance:
needs: [build]
permissions: - name: Deploy HelmFile
# You may pin to the exact commit or the version.
# uses: cloudposse/github-action-deploy-helmfile@fcc0ea83519505047bd34a4e017f1d0c3516a5cc
uses: cloudposse/github-action-deploy-helmfile@0.7.0
with:
# Cluster name
cluster:
# AWS region
aws-region: # optional, default is us-east-1
# The path where lives the helmfile.
helmfile-path: # optional, default is deploy
# Helmfile name
helmfile: # optional, default is helmfile.yaml
# Operation with helmfiles. (valid options - `deploy`, `destroy`)
operation: # default is deploy
# Helmfile environment
environment: # optional, default is preview
# Git SHA
gitref-sha: # optional, default is
# Kubernetes namespace
namespace:
# Docker image
image:
# Docker image tag
image-tag:
# Debug mode
debug: # optional, default is false
# The name of the label used to describe the helm release
release_label_name: # optional, default is release
# YAML string with extra values to use in a helmfile deploy
values_yaml: # optional
# Helm version
helm_version: # optional, default is 3.11.1
# Helmfile version
helmfile_version: # optional, default is 0.143.5
# Kubectl version
kubectl_version: # optional, default is 1.26.3
# Kubectl version
chamber_version: # optional, default is 2.11.1
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release

View File

@@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
name: Check licenses name: Check licenses
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v4.1.6
- run: npm ci - run: npm ci
- run: npm run licensed-check - run: npm run licensed-check

View File

@@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Checking out - name: Checking out
uses: actions/checkout@v6 uses: actions/checkout@v4
- name: Publish - name: Publish
id: publish id: publish
uses: actions/publish-immutable-action@0.0.3 uses: actions/publish-immutable-action@0.0.3

View File

@@ -19,7 +19,7 @@ jobs:
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 24.x
- uses: actions/checkout@v6 - uses: actions/checkout@v4.1.6
- run: npm ci - run: npm ci
- run: npm run build - run: npm run build
- run: npm run format-check - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
steps: steps:
# Clone this repo # Clone this repo
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
# Basic checkout # Basic checkout
- name: Checkout basic - name: Checkout basic
@@ -87,17 +87,6 @@ jobs:
- name: Verify fetch filter - name: Verify fetch filter
run: __test__/verify-fetch-filter.sh run: __test__/verify-fetch-filter.sh
# Fetch tags
- name: Checkout with fetch-tags
uses: ./
with:
ref: test-data/v2/basic
path: fetch-tags-test
fetch-tags: true
- name: Verify fetch-tags
shell: bash
run: __test__/verify-fetch-tags.sh
# Sparse checkout # Sparse checkout
- name: Sparse checkout - name: Sparse checkout
uses: ./ uses: ./
@@ -176,22 +165,6 @@ jobs:
- name: Verify submodules recursive - name: Verify submodules recursive
run: __test__/verify-submodules-recursive.sh run: __test__/verify-submodules-recursive.sh
# Worktree credentials
- name: Checkout for worktree test
uses: ./
with:
path: worktree-test
- name: Verify worktree credentials
shell: bash
run: __test__/verify-worktree.sh worktree-test worktree-branch
# Worktree credentials in container step
- name: Verify worktree credentials in container step
if: runner.os == 'Linux'
uses: docker://bitnami/git:latest
with:
args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
# Basic checkout using REST API # Basic checkout using REST API
- name: Remove basic - name: Remove basic
if: runner.os != 'windows' if: runner.os != 'windows'
@@ -229,7 +202,7 @@ jobs:
steps: steps:
# Clone this repo # Clone this repo
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
# Basic checkout using git # Basic checkout using git
- name: Checkout basic - name: Checkout basic
@@ -261,7 +234,7 @@ jobs:
steps: steps:
# Clone this repo # Clone this repo
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
# Basic checkout using git # Basic checkout using git
- name: Checkout basic - name: Checkout basic
@@ -291,7 +264,7 @@ jobs:
steps: steps:
# Clone this repo # Clone this repo
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
with: with:
path: localClone path: localClone
@@ -318,8 +291,8 @@ jobs:
git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
# needed to make checkout post cleanup succeed # needed to make checkout post cleanup succeed
- name: Fix Checkout v6 - name: Fix Checkout v4
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
with: with:
path: localClone path: localClone
@@ -328,16 +301,13 @@ jobs:
steps: steps:
# Clone this repo # Clone this repo
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v4.1.6
with:
path: actions-checkout
# Basic checkout using git # Basic checkout using git
- name: Checkout basic - name: Checkout basic
id: checkout id: checkout
uses: ./actions-checkout uses: ./
with: with:
path: cloned-using-local-action
ref: test-data/v2/basic ref: test-data/v2/basic
# Verify output # Verify output
@@ -355,3 +325,7 @@ jobs:
echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d" echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
exit 1 exit 1
fi fi
# needed to make checkout post cleanup succeed
- name: Fix Checkout
uses: actions/checkout@v4.1.6

View File

@@ -23,7 +23,7 @@ jobs:
# Note this update workflow can also be used as a rollback tool. # Note this update workflow can also be used as a rollback tool.
# For that reason, it's best to pin `actions/checkout` to a known, stable version # For that reason, it's best to pin `actions/checkout` to a known, stable version
# (typically, about two releases back). # (typically, about two releases back).
- uses: actions/checkout@v6 - uses: actions/checkout@v4.1.6
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Git config - name: Git config

View File

@@ -26,7 +26,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v6 uses: actions/checkout@v4
# Use `docker/login-action` to log in to GHCR.io. # Use `docker/login-action` to log in to GHCR.io.
# Once published, the packages are scoped to the account defined here. # Once published, the packages are scoped to the account defined here.

View File

@@ -1,25 +1,10 @@
# Changelog # Changelog
## v6.0.2 ## V5.0.0
* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
## v6.0.1
* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
## v6.0.0
* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
## v5.0.1
* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
## v5.0.0
* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
## v4.3.1
* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
## v4.3.0 ## V4.3.0
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
* Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

View File

@@ -1,14 +1,6 @@
[![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml) [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
# Checkout v6 # Checkout V5
## What's new
- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
# Checkout v5
## What's new ## What's new
@@ -16,7 +8,7 @@
- This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run. - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
# Checkout v4 # Checkout V4
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it. This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
@@ -52,7 +44,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
<!-- start usage --> <!-- start usage -->
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
# Repository name with owner. For example, actions/checkout # Repository name with owner. For example, actions/checkout
# Default: ${{ github.repository }} # Default: ${{ github.repository }}
@@ -191,7 +183,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Fetch only the root files ## Fetch only the root files
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
sparse-checkout: . sparse-checkout: .
``` ```
@@ -199,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Fetch only the root files and `.github` and `src` folder ## Fetch only the root files and `.github` and `src` folder
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
sparse-checkout: | sparse-checkout: |
.github .github
@@ -209,7 +201,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Fetch only a single file ## Fetch only a single file
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
sparse-checkout: | sparse-checkout: |
README.md README.md
@@ -219,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Fetch all history for all tags and branches ## Fetch all history for all tags and branches
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
fetch-depth: 0 fetch-depth: 0
``` ```
@@ -227,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Checkout a different branch ## Checkout a different branch
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
ref: my-branch ref: my-branch
``` ```
@@ -235,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Checkout HEAD^ ## Checkout HEAD^
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
fetch-depth: 2 fetch-depth: 2
- run: git checkout HEAD^ - run: git checkout HEAD^
@@ -245,12 +237,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
```yaml ```yaml
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v5
with: with:
path: main path: main
- name: Checkout tools repo - name: Checkout tools repo
uses: actions/checkout@v6 uses: actions/checkout@v5
with: with:
repository: my-org/my-tools repository: my-org/my-tools
path: my-tools path: my-tools
@@ -261,10 +253,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
```yaml ```yaml
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v5
- name: Checkout tools repo - name: Checkout tools repo
uses: actions/checkout@v6 uses: actions/checkout@v5
with: with:
repository: my-org/my-tools repository: my-org/my-tools
path: my-tools path: my-tools
@@ -275,12 +267,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
```yaml ```yaml
- name: Checkout - name: Checkout
uses: actions/checkout@v6 uses: actions/checkout@v5
with: with:
path: main path: main
- name: Checkout private tools - name: Checkout private tools
uses: actions/checkout@v6 uses: actions/checkout@v5
with: with:
repository: my-org/my-private-tools repository: my-org/my-private-tools
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +285,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
## Checkout pull request HEAD commit instead of merge commit ## Checkout pull request HEAD commit instead of merge commit
```yaml ```yaml
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
``` ```
@@ -309,7 +301,7 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v5
``` ```
## Push a commit using the built-in token ## Push a commit using the built-in token
@@ -320,7 +312,7 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v5
- run: | - run: |
date > generated.txt date > generated.txt
# Note: the following account information will not work on GHES # Note: the following account information will not work on GHES
@@ -342,7 +334,7 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v5
with: with:
ref: ${{ github.head_ref }} ref: ${{ github.head_ref }}
- run: | - run: |

View File

@@ -86,29 +86,16 @@ describe('git-auth-helper tests', () => {
// Act // Act
await authHelper.configureAuth() await authHelper.configureAuth()
// Assert config - check that .git/config contains includeIf entries // Assert config
const localConfigContent = ( const configContent = (
await fs.promises.readFile(localGitConfigPath) await fs.promises.readFile(localGitConfigPath)
).toString() ).toString()
expect(
localConfigContent.indexOf('includeIf.gitdir:')
).toBeGreaterThanOrEqual(0)
// Assert credentials config file contains the actual credentials
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
const basicCredential = Buffer.from( const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`, `x-access-token:${settings.authToken}`,
'utf8' 'utf8'
).toString('base64') ).toString('base64')
expect( expect(
credentialsContent.indexOf( configContent.indexOf(
`http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}` `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
) )
).toBeGreaterThanOrEqual(0) ).toBeGreaterThanOrEqual(0)
@@ -133,7 +120,7 @@ describe('git-auth-helper tests', () => {
'inject https://github.com as github server url' 'inject https://github.com as github server url'
it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => { it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => {
await testAuthHeader( await testAuthHeader(
configureAuth_AcceptsGitHubServerUrlSetToGHEC, configureAuth_AcceptsGitHubServerUrl,
'https://github.com' 'https://github.com'
) )
}) })
@@ -154,17 +141,12 @@ describe('git-auth-helper tests', () => {
// Act // Act
await authHelper.configureAuth() await authHelper.configureAuth()
// Assert config - check credentials config file (not local .git/config) // Assert config
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( const configContent = (
f => f.startsWith('git-credentials-') && f.endsWith('.config') await fs.promises.readFile(localGitConfigPath)
)
expect(credentialsFiles.length).toBe(1)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString() ).toString()
expect( expect(
credentialsContent.indexOf( configContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION` `http.https://github.com/.extraheader AUTHORIZATION`
) )
).toBeGreaterThanOrEqual(0) ).toBeGreaterThanOrEqual(0)
@@ -269,16 +251,13 @@ describe('git-auth-helper tests', () => {
expectedSshCommand expectedSshCommand
) )
// Assert git config // Asserty git config
const gitConfigLines = (await fs.promises.readFile(localGitConfigPath)) const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
.toString() .toString()
.split('\n') .split('\n')
.filter(x => x) .filter(x => x)
// Should have includeIf entries pointing to credentials file expect(gitConfigLines).toHaveLength(1)
expect(gitConfigLines.length).toBeGreaterThan(0) expect(gitConfigLines[0]).toMatch(/^http\./)
expect(
gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0)
).toBeTruthy()
}) })
const configureAuth_setsSshCommandWhenPersistCredentialsTrue = const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
@@ -440,20 +419,8 @@ describe('git-auth-helper tests', () => {
expect( expect(
configContent.indexOf('value-from-global-config') configContent.indexOf('value-from-global-config')
).toBeGreaterThanOrEqual(0) ).toBeGreaterThanOrEqual(0)
// Global config should have include.path pointing to credentials file
expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
// Check credentials in the separate config file
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBeGreaterThan(0)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
expect( expect(
credentialsContent.indexOf( configContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}` `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
) )
).toBeGreaterThanOrEqual(0) ).toBeGreaterThanOrEqual(0)
@@ -496,20 +463,8 @@ describe('git-auth-helper tests', () => {
const configContent = ( const configContent = (
await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig')) await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
).toString() ).toString()
// Global config should have include.path pointing to credentials file
expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
// Check credentials in the separate config file
const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBeGreaterThan(0)
const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
const credentialsContent = (
await fs.promises.readFile(credentialsConfigPath)
).toString()
expect( expect(
credentialsContent.indexOf( configContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}` `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
) )
).toBeGreaterThanOrEqual(0) ).toBeGreaterThanOrEqual(0)
@@ -595,15 +550,15 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth() await authHelper.configureSubmoduleAuth()
// Assert // Assert
// Should configure insteadOf (2 calls for two values) expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/ /unset-all.*insteadOf/
) )
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
/url.*insteadOf.*git@github.com:/ /url.*insteadOf.*git@github.com:/
) )
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
/url.*insteadOf.*org-123456@github.com:/ /url.*insteadOf.*org-123456@github.com:/
) )
} }
@@ -634,12 +589,12 @@ describe('git-auth-helper tests', () => {
await authHelper.configureSubmoduleAuth() await authHelper.configureSubmoduleAuth()
// Assert // Assert
// Should configure sshCommand (1 call) expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
/unset-all.*insteadOf/ /unset-all.*insteadOf/
) )
expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/) expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
} }
) )
@@ -705,201 +660,19 @@ describe('git-auth-helper tests', () => {
await setup(removeAuth_removesToken) await setup(removeAuth_removesToken)
const authHelper = gitAuthHelper.createAuthHelper(git, settings) const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth() await authHelper.configureAuth()
let gitConfigContent = (
// Verify includeIf entries exist in local config
let localConfigContent = (
await fs.promises.readFile(localGitConfigPath) await fs.promises.readFile(localGitConfigPath)
).toString() ).toString()
expect( expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
localConfigContent.indexOf('includeIf.gitdir:')
).toBeGreaterThanOrEqual(0)
// Verify both host and container includeIf entries are present
const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
expect(
localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
).toBeGreaterThanOrEqual(0)
// Verify credentials file exists
let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
// Verify credentials file contains the auth token
let credentialsContent = (
await fs.promises.readFile(credentialsFilePath)
).toString()
const basicCredential = Buffer.from(
`x-access-token:${settings.authToken}`,
'utf8'
).toString('base64')
expect(
credentialsContent.indexOf(
`http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
)
).toBeGreaterThanOrEqual(0)
// Verify the includeIf entries point to the credentials file
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsFilePath)
)
expect(
localConfigContent.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
expect(
localConfigContent.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
// Act // Act
await authHelper.removeAuth() await authHelper.removeAuth()
// Assert all includeIf entries removed from local git config // Assert git config
localConfigContent = ( gitConfigContent = (
await fs.promises.readFile(localGitConfigPath) await fs.promises.readFile(localGitConfigPath)
).toString() ).toString()
expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0) expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
expect(
localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
).toBeLessThan(0)
expect(
localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
).toBeLessThan(0)
expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert credentials config file deleted
credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(0)
// Verify credentials file no longer exists on disk
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
} catch (err) {
if ((err as any)?.code !== 'ENOENT') {
throw err
}
}
})
const removeAuth_removesTokenFromSubmodules =
'removeAuth removes token from submodules'
it(removeAuth_removesTokenFromSubmodules, async () => {
// Arrange
await setup(removeAuth_removesTokenFromSubmodules)
// Create fake submodule config paths
const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
const submodule1ConfigPath = path.join(submodule1Dir, 'config')
const submodule2ConfigPath = path.join(submodule2Dir, 'config')
await fs.promises.mkdir(submodule1Dir, {recursive: true})
await fs.promises.mkdir(submodule2Dir, {recursive: true})
await fs.promises.writeFile(submodule1ConfigPath, '')
await fs.promises.writeFile(submodule2ConfigPath, '')
// Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
const mockGetSubmoduleConfigPaths =
git.getSubmoduleConfigPaths as jest.Mock<any, any>
mockGetSubmoduleConfigPaths.mockResolvedValue([
submodule1ConfigPath,
submodule2ConfigPath
])
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
await authHelper.configureSubmoduleAuth()
// Verify credentials file exists
let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(1)
const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
// Verify submodule 1 config has includeIf entries
let submodule1Content = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
expect(
submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
submodule1Content.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Verify submodule 2 config has includeIf entries
let submodule2Content = (
await fs.promises.readFile(submodule2ConfigPath)
).toString()
const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
expect(
submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
).toBeGreaterThanOrEqual(0)
expect(
submodule2Content.indexOf(credentialsFilePath)
).toBeGreaterThanOrEqual(0)
// Verify both host and container paths are in each submodule config
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsFilePath)
)
expect(
submodule1Content.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
expect(
submodule2Content.indexOf(containerCredentialsPath)
).toBeGreaterThanOrEqual(0)
// Act - ensure mock persists for removeAuth
mockGetSubmoduleConfigPaths.mockResolvedValue([
submodule1ConfigPath,
submodule2ConfigPath
])
await authHelper.removeAuth()
// Assert submodule 1 includeIf entries removed
submodule1Content = (
await fs.promises.readFile(submodule1ConfigPath)
).toString()
expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert submodule 2 includeIf entries removed
submodule2Content = (
await fs.promises.readFile(submodule2ConfigPath)
).toString()
expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
// Assert credentials config file deleted
credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
f => f.startsWith('git-credentials-') && f.endsWith('.config')
)
expect(credentialsFiles.length).toBe(0)
// Verify credentials file no longer exists on disk
try {
await fs.promises.stat(credentialsFilePath)
throw new Error('Credentials file should have been deleted')
} catch (err) {
if ((err as any)?.code !== 'ENOENT') {
throw err
}
}
}) })
const removeGlobalConfig_removesOverride = const removeGlobalConfig_removesOverride =
@@ -928,92 +701,6 @@ describe('git-auth-helper tests', () => {
} }
} }
}) })
const testCredentialsConfigPath_matchesCredentialsConfigPaths =
'testCredentialsConfigPath matches credentials config paths'
it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
// Arrange
await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
// Get a real credentials config path
const credentialsConfigPath = await (
authHelper as any
).getCredentialsConfigPath()
// Act & Assert
expect(
(authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
).toBe(true)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
)
).toBe(true)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
)
).toBe(true)
// Test invalid paths
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/other-config.config'
)
).toBe(false)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-invalid.config'
)
).toBe(false)
expect(
(authHelper as any).testCredentialsConfigPath(
'/some/path/git-credentials-.config'
)
).toBe(false)
expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
})
const includeIfCleanupRegex_matchesBothVariants =
'includeIf cleanup regex matches both gitdir: and gitdir/i: keys'
it(includeIfCleanupRegex_matchesBothVariants, async () => {
// The cleanup regex must match both variants so credential
// removal works regardless of which was written
const regex = /^includeIf\.gitdir(\/i)?:/
expect(regex.test('includeIf.gitdir:D:/workspaces/repo/.git.path')).toBe(
true
)
expect(regex.test('includeIf.gitdir/i:D:/Workspaces/repo/.git.path')).toBe(
true
)
expect(regex.test('includeIf.gitdir/i:/github/workspace/.git.path')).toBe(
true
)
expect(regex.test('includeIf.gitdir:~/projects/foo/.git.path')).toBe(true)
expect(regex.test('includeIf.onbranch:main.path')).toBe(false)
expect(regex.test('include.path')).toBe(false)
})
const includeIfDirective_usesCorrectVariantForPlatform =
'includeIf directive uses gitdir/i on Windows and gitdir on other platforms'
it(includeIfDirective_usesCorrectVariantForPlatform, async () => {
await setup(includeIfDirective_usesCorrectVariantForPlatform)
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
await authHelper.configureAuth()
const localConfigContent = (
await fs.promises.readFile(localGitConfigPath)
).toString()
if (isWindows) {
expect(localConfigContent).toContain('includeIf.gitdir/i:')
expect(localConfigContent).not.toContain('includeIf.gitdir:')
} else {
expect(localConfigContent).toContain('includeIf.gitdir:')
expect(localConfigContent).not.toContain('includeIf.gitdir/i:')
}
})
}) })
async function setup(testName: string): Promise<void> { async function setup(testName: string): Promise<void> {
@@ -1028,7 +715,6 @@ async function setup(testName: string): Promise<void> {
await fs.promises.mkdir(tempHomedir, {recursive: true}) await fs.promises.mkdir(tempHomedir, {recursive: true})
process.env['RUNNER_TEMP'] = runnerTemp process.env['RUNNER_TEMP'] = runnerTemp
process.env['HOME'] = tempHomedir process.env['HOME'] = tempHomedir
process.env['GITHUB_WORKSPACE'] = workspace
// Create git config // Create git config
globalGitConfigPath = path.join(tempHomedir, '.gitconfig') globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
@@ -1047,20 +733,10 @@ async function setup(testName: string): Promise<void> {
checkout: jest.fn(), checkout: jest.fn(),
checkoutDetach: jest.fn(), checkoutDetach: jest.fn(),
config: jest.fn( config: jest.fn(
async ( async (key: string, value: string, globalConfig?: boolean) => {
key: string, const configPath = globalConfig
value: string, ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
globalConfig?: boolean, : localGitConfigPath
add?: boolean,
configFile?: string
) => {
const configPath =
configFile ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
// Ensure directory exists
await fs.promises.mkdir(path.dirname(configPath), {recursive: true})
await fs.promises.appendFile(configPath, `\n${key} ${value}`) await fs.promises.appendFile(configPath, `\n${key} ${value}`)
} }
), ),
@@ -1080,7 +756,6 @@ async function setup(testName: string): Promise<void> {
env: {}, env: {},
fetch: jest.fn(), fetch: jest.fn(),
getDefaultBranch: jest.fn(), getDefaultBranch: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => []),
getWorkingDirectory: jest.fn(() => workspace), getWorkingDirectory: jest.fn(() => workspace),
init: jest.fn(), init: jest.fn(),
isDetached: jest.fn(), isDetached: jest.fn(),
@@ -1119,72 +794,8 @@ async function setup(testName: string): Promise<void> {
return true return true
} }
), ),
tryConfigUnsetValue: jest.fn(
async (
key: string,
value: string,
globalConfig?: boolean,
configPath?: string
): Promise<boolean> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
let content = await fs.promises.readFile(targetConfigPath)
let lines = content
.toString()
.split('\n')
.filter(x => x)
.filter(x => !(x.startsWith(key) && x.includes(value)))
await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
return true
}
),
tryDisableAutomaticGarbageCollection: jest.fn(), tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(), tryGetFetchUrl: jest.fn(),
tryGetConfigValues: jest.fn(
async (
key: string,
globalConfig?: boolean,
configPath?: string
): Promise<string[]> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
const content = await fs.promises.readFile(targetConfigPath)
const lines = content
.toString()
.split('\n')
.filter(x => x && x.startsWith(key))
.map(x => x.substring(key.length).trim())
return lines
}
),
tryGetConfigKeys: jest.fn(
async (
pattern: string,
globalConfig?: boolean,
configPath?: string
): Promise<string[]> => {
const targetConfigPath =
configPath ||
(globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath)
const content = await fs.promises.readFile(targetConfigPath)
const lines = content
.toString()
.split('\n')
.filter(x => x)
const keys = lines
.filter(x => new RegExp(pattern).test(x.split(' ')[0]))
.map(x => x.split(' ')[0])
return [...new Set(keys)] // Remove duplicates
}
),
tryReset: jest.fn(), tryReset: jest.fn(),
version: jest.fn() version: jest.fn()
} }
@@ -1219,7 +830,6 @@ async function setup(testName: string): Promise<void> {
async function getActualSshKeyPath(): Promise<string> { async function getActualSshKeyPath(): Promise<string> {
let actualTempFiles = (await fs.promises.readdir(runnerTemp)) let actualTempFiles = (await fs.promises.readdir(runnerTemp))
.filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
.sort() .sort()
.map(x => path.join(runnerTemp, x)) .map(x => path.join(runnerTemp, x))
if (actualTempFiles.length === 0) { if (actualTempFiles.length === 0) {
@@ -1233,7 +843,6 @@ async function getActualSshKeyPath(): Promise<string> {
async function getActualSshKnownHostsPath(): Promise<string> { async function getActualSshKnownHostsPath(): Promise<string> {
let actualTempFiles = (await fs.promises.readdir(runnerTemp)) let actualTempFiles = (await fs.promises.readdir(runnerTemp))
.filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
.sort() .sort()
.map(x => path.join(runnerTemp, x)) .map(x => path.join(runnerTemp, x))
if (actualTempFiles.length === 0) { if (actualTempFiles.length === 0) {

View File

@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
jest.restoreAllMocks() jest.restoreAllMocks()
}) })
it('should call execGit with the correct arguments when fetchDepth is 0', async () => { it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec) jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test' const workingDirectory = 'test'
const lfs = false const lfs = false
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
const refSpec = ['refspec1', 'refspec2'] const refSpec = ['refspec1', 'refspec2']
const options = { const options = {
filter: 'filterValue', filter: 'filterValue',
fetchDepth: 0 fetchDepth: 0,
fetchTags: true
}
await git.fetch(refSpec, options)
expect(mockExec).toHaveBeenCalledWith(
expect.any(String),
[
'-c',
'protocol.version=2',
'fetch',
'--prune',
'--no-recurse-submodules',
'--filter=filterValue',
'origin',
'refspec1',
'refspec2'
],
expect.any(Object)
)
})
it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test'
const lfs = false
const doSparseCheckout = false
git = await commandManager.createCommandManager(
workingDirectory,
lfs,
doSparseCheckout
)
const refSpec = ['refspec1', 'refspec2']
const options = {
filter: 'filterValue',
fetchDepth: 0,
fetchTags: false
} }
await git.fetch(refSpec, options) await git.fetch(refSpec, options)
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
) )
}) })
it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => { it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test'
const lfs = false
const doSparseCheckout = false
git = await commandManager.createCommandManager(
workingDirectory,
lfs,
doSparseCheckout
)
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
const options = {
filter: 'filterValue',
fetchDepth: 0
}
await git.fetch(refSpec, options)
expect(mockExec).toHaveBeenCalledWith(
expect.any(String),
[
'-c',
'protocol.version=2',
'fetch',
'--no-tags',
'--prune',
'--no-recurse-submodules',
'--filter=filterValue',
'origin',
'refspec1',
'refspec2',
'+refs/tags/*:refs/tags/*'
],
expect.any(Object)
)
})
it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec) jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test' const workingDirectory = 'test'
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
const refSpec = ['refspec1', 'refspec2'] const refSpec = ['refspec1', 'refspec2']
const options = { const options = {
filter: 'filterValue', filter: 'filterValue',
fetchDepth: 1 fetchDepth: 1,
fetchTags: false
} }
await git.fetch(refSpec, options) await git.fetch(refSpec, options)
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
) )
}) })
it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => { it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec) jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test' const workingDirectory = 'test'
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
lfs, lfs,
doSparseCheckout doSparseCheckout
) )
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*'] const refSpec = ['refspec1', 'refspec2']
const options = { const options = {
filter: 'filterValue', filter: 'filterValue',
fetchDepth: 1 fetchDepth: 1,
fetchTags: true
} }
await git.fetch(refSpec, options) await git.fetch(refSpec, options)
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
'-c', '-c',
'protocol.version=2', 'protocol.version=2',
'fetch', 'fetch',
'--no-tags',
'--prune', '--prune',
'--no-recurse-submodules', '--no-recurse-submodules',
'--filter=filterValue', '--filter=filterValue',
'--depth=1', '--depth=1',
'origin', 'origin',
'refspec1', 'refspec1',
'refspec2', 'refspec2'
'+refs/tags/*:refs/tags/*'
], ],
expect.any(Object) expect.any(Object)
) )
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
) )
}) })
it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => { it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
jest.spyOn(exec, 'exec').mockImplementation(mockExec) jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test' const workingDirectory = 'test'
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
lfs, lfs,
doSparseCheckout doSparseCheckout
) )
const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*'] const refSpec = ['refspec1', 'refspec2']
const options = { const options = {
filter: 'filterValue', filter: 'filterValue',
fetchTags: true,
showProgress: true showProgress: true
} }
@@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
'-c', '-c',
'protocol.version=2', 'protocol.version=2',
'fetch', 'fetch',
'--no-tags',
'--prune', '--prune',
'--no-recurse-submodules', '--no-recurse-submodules',
'--progress', '--progress',
'--filter=filterValue', '--filter=filterValue',
'origin', 'origin',
'refspec1', 'refspec1',
'refspec2', 'refspec2'
'+refs/tags/*:refs/tags/*'
], ],
expect.any(Object) expect.any(Object)
) )
}) })
}) })
describe('git user-agent with orchestration ID', () => {
beforeEach(async () => {
jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
})
afterEach(() => {
jest.restoreAllMocks()
// Clean up environment variable to prevent test pollution
delete process.env['ACTIONS_ORCHESTRATION_ID']
})
it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
const orchId = 'test-orch-id-12345'
process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
let capturedEnv: any = null
mockExec.mockImplementation((path, args, options) => {
if (args.includes('version')) {
options.listeners.stdout(Buffer.from('2.18'))
}
// Capture env on any command
capturedEnv = options.env
return 0
})
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test'
const lfs = false
const doSparseCheckout = false
git = await commandManager.createCommandManager(
workingDirectory,
lfs,
doSparseCheckout
)
// Call a git command to trigger env capture after user-agent is set
await git.init()
// Verify the user agent includes the orchestration ID
expect(git).toBeDefined()
expect(capturedEnv).toBeDefined()
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
`git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
)
})
it('should sanitize invalid characters in orchestration ID', async () => {
const orchId = 'test (with) special/chars'
process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
let capturedEnv: any = null
mockExec.mockImplementation((path, args, options) => {
if (args.includes('version')) {
options.listeners.stdout(Buffer.from('2.18'))
}
// Capture env on any command
capturedEnv = options.env
return 0
})
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test'
const lfs = false
const doSparseCheckout = false
git = await commandManager.createCommandManager(
workingDirectory,
lfs,
doSparseCheckout
)
// Call a git command to trigger env capture after user-agent is set
await git.init()
// Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
expect(git).toBeDefined()
expect(capturedEnv).toBeDefined()
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
)
})
it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
delete process.env['ACTIONS_ORCHESTRATION_ID']
let capturedEnv: any = null
mockExec.mockImplementation((path, args, options) => {
if (args.includes('version')) {
options.listeners.stdout(Buffer.from('2.18'))
}
// Capture env on any command
capturedEnv = options.env
return 0
})
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
const workingDirectory = 'test'
const lfs = false
const doSparseCheckout = false
git = await commandManager.createCommandManager(
workingDirectory,
lfs,
doSparseCheckout
)
// Call a git command to trigger env capture after user-agent is set
await git.init()
// Verify the user agent does NOT contain orchestration ID
expect(git).toBeDefined()
expect(capturedEnv).toBeDefined()
expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
'git/2.18 (github-actions-checkout)'
)
})
})

View File

@@ -471,7 +471,6 @@ async function setup(testName: string): Promise<void> {
configExists: jest.fn(), configExists: jest.fn(),
fetch: jest.fn(), fetch: jest.fn(),
getDefaultBranch: jest.fn(), getDefaultBranch: jest.fn(),
getSubmoduleConfigPaths: jest.fn(async () => []),
getWorkingDirectory: jest.fn(() => repositoryPath), getWorkingDirectory: jest.fn(() => repositoryPath),
init: jest.fn(), init: jest.fn(),
isDetached: jest.fn(), isDetached: jest.fn(),
@@ -494,15 +493,12 @@ async function setup(testName: string): Promise<void> {
return true return true
}), }),
tryConfigUnset: jest.fn(), tryConfigUnset: jest.fn(),
tryConfigUnsetValue: jest.fn(),
tryDisableAutomaticGarbageCollection: jest.fn(), tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(async () => { tryGetFetchUrl: jest.fn(async () => {
// Sanity check - this function shouldn't be called when the .git directory doesn't exist // Sanity check - this function shouldn't be called when the .git directory doesn't exist
await fs.promises.stat(path.join(repositoryPath, '.git')) await fs.promises.stat(path.join(repositoryPath, '.git'))
return repositoryUrl return repositoryUrl
}), }),
tryGetConfigValues: jest.fn(),
tryGetConfigKeys: jest.fn(),
tryReset: jest.fn(async () => { tryReset: jest.fn(async () => {
return true return true
}), }),

View File

@@ -133,16 +133,6 @@ describe('input-helper tests', () => {
expect(settings.commit).toBe('1111111111222222222233333333334444444444') expect(settings.commit).toBe('1111111111222222222233333333334444444444')
}) })
it('sets ref to empty when explicit sha-256', async () => {
inputs.ref =
'1111111111222222222233333333334444444444555555555566666666667777'
const settings: IGitSourceSettings = await inputHelper.getInputs()
expect(settings.ref).toBeFalsy()
expect(settings.commit).toBe(
'1111111111222222222233333333334444444444555555555566666666667777'
)
})
it('sets sha to empty when explicit ref', async () => { it('sets sha to empty when explicit ref', async () => {
inputs.ref = 'refs/heads/some-other-ref' inputs.ref = 'refs/heads/some-other-ref'
const settings: IGitSourceSettings = await inputHelper.getInputs() const settings: IGitSourceSettings = await inputHelper.getInputs()

View File

@@ -1,12 +1,8 @@
import * as assert from 'assert' import * as assert from 'assert'
import * as core from '@actions/core'
import * as github from '@actions/github'
import * as refHelper from '../lib/ref-helper' import * as refHelper from '../lib/ref-helper'
import {IGitCommandManager} from '../lib/git-command-manager' import {IGitCommandManager} from '../lib/git-command-manager'
const commit = '1234567890123456789012345678901234567890' const commit = '1234567890123456789012345678901234567890'
const sha256Commit =
'1234567890123456789012345678901234567890123456789012345678901234'
let git: IGitCommandManager let git: IGitCommandManager
describe('ref-helper tests', () => { describe('ref-helper tests', () => {
@@ -41,12 +37,6 @@ describe('ref-helper tests', () => {
expect(checkoutInfo.startPoint).toBeFalsy() expect(checkoutInfo.startPoint).toBeFalsy()
}) })
it('getCheckoutInfo sha-256 only', async () => {
const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
expect(checkoutInfo.ref).toBe(sha256Commit)
expect(checkoutInfo.startPoint).toBeFalsy()
})
it('getCheckoutInfo refs/heads/', async () => { it('getCheckoutInfo refs/heads/', async () => {
const checkoutInfo = await refHelper.getCheckoutInfo( const checkoutInfo = await refHelper.getCheckoutInfo(
git, git,
@@ -162,22 +152,7 @@ describe('ref-helper tests', () => {
it('getRefSpec sha + refs/tags/', async () => { it('getRefSpec sha + refs/tags/', async () => {
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit) const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
expect(refSpec.length).toBe(1) expect(refSpec.length).toBe(1)
expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`) expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
})
it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
// When fetchTags is true, only include tags wildcard (specific tag is redundant)
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
expect(refSpec.length).toBe(1)
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
})
it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
// When fetchTags is true, include both the branch refspec and tags wildcard
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
expect(refSpec.length).toBe(2)
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
}) })
it('getRefSpec sha only', async () => { it('getRefSpec sha only', async () => {
@@ -193,14 +168,6 @@ describe('ref-helper tests', () => {
expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*') expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
}) })
it('getRefSpec unqualified ref only with fetchTags', async () => {
// When fetchTags is true, skip specific tag pattern since wildcard covers all
const refSpec = refHelper.getRefSpec('my-ref', '', true)
expect(refSpec.length).toBe(2)
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
})
it('getRefSpec refs/heads/ only', async () => { it('getRefSpec refs/heads/ only', async () => {
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '') const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
expect(refSpec.length).toBe(1) expect(refSpec.length).toBe(1)
@@ -220,159 +187,4 @@ describe('ref-helper tests', () => {
expect(refSpec.length).toBe(1) expect(refSpec.length).toBe(1)
expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag') expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
}) })
it('getRefSpec refs/tags/ only with fetchTags', async () => {
// When fetchTags is true, only include tags wildcard (specific tag is redundant)
const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
expect(refSpec.length).toBe(1)
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
})
it('getRefSpec refs/heads/ only with fetchTags', async () => {
// When fetchTags is true, include both the branch refspec and tags wildcard
const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
expect(refSpec.length).toBe(2)
expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
expect(refSpec[1]).toBe(
'+refs/heads/my/branch:refs/remotes/origin/my/branch'
)
})
describe('checkCommitInfo', () => {
const repositoryOwner = 'some-owner'
const repositoryName = 'some-repo'
const ref = 'refs/pull/123/merge'
const sha1Head = '1111111111222222222233333333334444444444'
const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
const sha256Head =
'1111111111222222222233333333334444444444555555555566666666667777'
const sha256Base =
'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
let debugSpy: jest.SpyInstance
let getOctokitSpy: jest.SpyInstance
let repoGetSpy: jest.Mock
let originalEventName: string
let originalPayload: unknown
let originalRef: string
let originalSha: string
function setPullRequestContext(
expectedHeadSha: string,
expectedBaseSha: string,
mergeCommit: string
): void {
;(github.context as any).eventName = 'pull_request'
github.context.ref = ref
github.context.sha = mergeCommit
;(github.context as any).payload = {
action: 'synchronize',
after: expectedHeadSha,
number: 123,
pull_request: {
base: {
sha: expectedBaseSha
}
},
repository: {
private: false
}
}
}
beforeEach(() => {
originalEventName = github.context.eventName
originalPayload = github.context.payload
originalRef = github.context.ref
originalSha = github.context.sha
jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
owner: repositoryOwner,
repo: repositoryName
})
debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
repoGetSpy = jest.fn(async () => ({}))
getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
rest: {
repos: {
get: repoGetSpy
}
}
} as any)
})
afterEach(() => {
;(github.context as any).eventName = originalEventName
;(github.context as any).payload = originalPayload
github.context.ref = originalRef
github.context.sha = originalSha
jest.restoreAllMocks()
})
it('returns early for SHA-1 merge commit', async () => {
setPullRequestContext(sha1Head, sha1Base, commit)
await refHelper.checkCommitInfo(
'token',
`Merge ${sha1Head} into ${sha1Base}`,
repositoryOwner,
repositoryName,
ref,
commit
)
expect(getOctokitSpy).not.toHaveBeenCalled()
expect(repoGetSpy).not.toHaveBeenCalled()
})
it('matches SHA-256 merge commit info', async () => {
const actualHeadSha =
'9999999999888888888877777777776666666666555555555544444444443333'
setPullRequestContext(sha256Head, sha256Base, sha256Commit)
await refHelper.checkCommitInfo(
'token',
`Merge ${actualHeadSha} into ${sha256Base}`,
repositoryOwner,
repositoryName,
ref,
sha256Commit
)
expect(getOctokitSpy).toHaveBeenCalledWith(
'token',
expect.objectContaining({
userAgent: expect.stringContaining(
`expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
)
})
)
expect(repoGetSpy).toHaveBeenCalledWith({
owner: repositoryOwner,
repo: repositoryName
})
expect(debugSpy).toHaveBeenCalledWith(
`Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
)
expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
})
it('does not match 50-char hex as a valid merge', async () => {
const invalidHeadSha =
'99999999998888888888777777777766666666665555555555'
setPullRequestContext(sha1Head, sha1Base, commit)
await refHelper.checkCommitInfo(
'token',
`Merge ${invalidHeadSha} into ${sha1Base}`,
repositoryOwner,
repositoryName,
ref,
commit
)
expect(getOctokitSpy).not.toHaveBeenCalled()
expect(repoGetSpy).not.toHaveBeenCalled()
expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
})
})
}) })

View File

@@ -1,9 +0,0 @@
#!/bin/sh
# Verify tags were fetched
TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
if [ "$TAG_COUNT" -eq 0 ]; then
echo "Expected tags to be fetched, but found none"
exit 1
fi
echo "Found $TAG_COUNT tags"

View File

@@ -17,7 +17,7 @@ fi
echo "Testing persisted credential" echo "Testing persisted credential"
pushd ./submodules-recursive/submodule-level-1/submodule-level-2 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
git config --local --includes --name-only --get-regexp http.+extraheader && git fetch git config --local --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential" echo "Failed to validate persisted credential"
popd popd

View File

@@ -17,7 +17,7 @@ fi
echo "Testing persisted credential" echo "Testing persisted credential"
pushd ./submodules-true/submodule-level-1 pushd ./submodules-true/submodule-level-1
git config --local --includes --name-only --get-regexp http.+extraheader && git fetch git config --local --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential" echo "Failed to validate persisted credential"
popd popd

View File

@@ -1,51 +0,0 @@
#!/bin/bash
set -e
# Verify worktree credentials
# This test verifies that git credentials work in worktrees created after checkout
# Usage: verify-worktree.sh <checkout-path> <worktree-name>
CHECKOUT_PATH="$1"
WORKTREE_NAME="$2"
if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
exit 1
fi
cd "$CHECKOUT_PATH"
# Add safe directory for container environments
git config --global --add safe.directory "*" 2>/dev/null || true
# Show the includeIf configuration
echo "Git config includeIf entries:"
git config --list --show-origin | grep -i include || true
# Create the worktree
echo "Creating worktree..."
git worktree add "../$WORKTREE_NAME" HEAD --detach
# Change to worktree directory
cd "../$WORKTREE_NAME"
# Verify we're in a worktree
echo "Verifying worktree gitdir:"
cat .git
# Verify credentials are available in worktree by checking extraheader is configured
echo "Checking credentials in worktree..."
if git config --list --show-origin | grep -q "extraheader"; then
echo "Credentials are configured in worktree"
else
echo "ERROR: Credentials are NOT configured in worktree"
echo "Full git config:"
git config --list --show-origin
exit 1
fi
# Verify fetch works in the worktree
echo "Fetching in worktree..."
git fetch origin
echo "Worktree credentials test passed!"

430
dist/index.js vendored
View File

@@ -151,12 +151,6 @@ const stateHelper = __importStar(__nccwpck_require__(4866));
const urlHelper = __importStar(__nccwpck_require__(9437)); const urlHelper = __importStar(__nccwpck_require__(9437));
const uuid_1 = __nccwpck_require__(5840); const uuid_1 = __nccwpck_require__(5840);
const IS_WINDOWS = process.platform === 'win32'; const IS_WINDOWS = process.platform === 'win32';
// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
// See: https://github.com/actions/checkout/issues/2345
const INCLUDE_IF_GITDIR = IS_WINDOWS
? 'includeIf.gitdir/i:'
: 'includeIf.gitdir:';
const SSH_COMMAND_KEY = 'core.sshCommand'; const SSH_COMMAND_KEY = 'core.sshCommand';
function createAuthHelper(git, settings) { function createAuthHelper(git, settings) {
return new GitAuthHelper(git, settings); return new GitAuthHelper(git, settings);
@@ -168,7 +162,6 @@ class GitAuthHelper {
this.sshKeyPath = ''; this.sshKeyPath = '';
this.sshKnownHostsPath = ''; this.sshKnownHostsPath = '';
this.temporaryHomePath = ''; this.temporaryHomePath = '';
this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
this.git = gitCommandManager; this.git = gitCommandManager;
this.settings = gitSourceSettings || {}; this.settings = gitSourceSettings || {};
// Token auth header // Token auth header
@@ -236,17 +229,15 @@ class GitAuthHelper {
configureGlobalAuth() { configureGlobalAuth() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
// 'configureTempGlobalConfig' noops if already set, just returns the path // 'configureTempGlobalConfig' noops if already set, just returns the path
yield this.configureTempGlobalConfig(); const newGitConfigPath = yield this.configureTempGlobalConfig();
try { try {
// Configure the token // Configure the token
yield this.configureToken(true); yield this.configureToken(newGitConfigPath, true);
// Configure HTTPS instead of SSH // Configure HTTPS instead of SSH
yield this.git.tryConfigUnset(this.insteadOfKey, true); yield this.git.tryConfigUnset(this.insteadOfKey, true);
if (!this.settings.sshKey) { if (!this.settings.sshKey) {
for (const insteadOfValue of this.insteadOfValues) { for (const insteadOfValue of this.insteadOfValues) {
yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig? yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
true // add?
);
} }
} }
} }
@@ -261,34 +252,19 @@ class GitAuthHelper {
configureSubmoduleAuth() { configureSubmoduleAuth() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
// Remove possible previous HTTPS instead of SSH // Remove possible previous HTTPS instead of SSH
yield this.removeSubmoduleGitConfig(this.insteadOfKey); yield this.removeGitConfig(this.insteadOfKey, true);
if (this.settings.persistCredentials) { if (this.settings.persistCredentials) {
// Get the credentials config file path in RUNNER_TEMP // Configure a placeholder value. This approach avoids the credential being captured
const credentialsConfigPath = this.getCredentialsConfigPath(); // by process creation audit events, which are commonly logged. For more information,
// Container credentials config path // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); const output = yield this.git.submoduleForeach(
// Get submodule config file paths. // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules); `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
// For each submodule, configure includeIf entries pointing to the shared credentials file. // Replace the placeholder
// Configure both host and container paths to support Docker container actions. const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
for (const configPath of configPaths) { for (const configPath of configPaths) {
// Submodule Git directory core.debug(`Replacing token placeholder in '${configPath}'`);
let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config yield this.replaceTokenPlaceholder(configPath);
submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
// Configure host includeIf
yield this.git.config(`${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
false, // add?
configPath);
// Container submodule git directory
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
// Configure container includeIf
yield this.git.config(`${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
false, // add?
configPath);
} }
if (this.settings.sshKey) { if (this.settings.sshKey) {
// Configure core.sshCommand // Configure core.sshCommand
@@ -319,10 +295,6 @@ class GitAuthHelper {
} }
}); });
} }
/**
* Configures SSH authentication by writing the SSH key and known hosts,
* and setting up the GIT_SSH_COMMAND environment variable.
*/
configureSsh() { configureSsh() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
if (!this.settings.sshKey) { if (!this.settings.sshKey) {
@@ -379,94 +351,43 @@ class GitAuthHelper {
} }
}); });
} }
/** configureToken(configPath, globalConfig) {
* Configures token-based authentication by creating a credentials config file
* and setting up includeIf entries to reference it.
* @param globalConfig Whether to configure global config instead of local
*/
configureToken(globalConfig) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
// Get the credentials config file path in RUNNER_TEMP // Validate args
const credentialsConfigPath = this.getCredentialsConfigPath(); assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations');
// Write placeholder to the separate credentials config file using git config. // Default config path
// This approach avoids the credential being captured by process creation audit events, if (!configPath && !globalConfig) {
// which are commonly logged. For more information, refer to configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config');
// https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing }
yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig? // Configure a placeholder value. This approach avoids the credential being captured
false, // add? // by process creation audit events, which are commonly logged. For more information,
credentialsConfigPath); // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
// Replace the placeholder in the credentials config file yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig);
let content = (yield fs.promises.readFile(credentialsConfigPath)).toString(); // Replace the placeholder
yield this.replaceTokenPlaceholder(configPath || '');
});
}
replaceTokenPlaceholder(configPath) {
return __awaiter(this, void 0, void 0, function* () {
assert.ok(configPath, 'configPath is not defined');
let content = (yield fs.promises.readFile(configPath)).toString();
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue); const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
if (placeholderIndex < 0 || if (placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) { placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`); throw new Error(`Unable to replace auth placeholder in ${configPath}`);
} }
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined'); assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue); content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
yield fs.promises.writeFile(credentialsConfigPath, content); yield fs.promises.writeFile(configPath, content);
// Add include or includeIf to reference the credentials config
if (globalConfig) {
// Global config file is temporary
yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
);
}
else {
// Host git directory
let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
// Configure host includeIf
const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`;
yield this.git.config(hostIncludeKey, credentialsConfigPath);
// Configure host includeIf for worktrees
const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`;
yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
// Container git directory
const workingDirectory = this.git.getWorkingDirectory();
const githubWorkspace = process.env['GITHUB_WORKSPACE'];
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
let relativePath = path.relative(githubWorkspace, workingDirectory);
relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
// Container credentials config path
const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
// Configure container includeIf
const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`;
yield this.git.config(containerIncludeKey, containerCredentialsPath);
// Configure container includeIf for worktrees
const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`;
yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
}
}); });
} }
/**
* Gets or creates the path to the credentials config file in RUNNER_TEMP.
* @returns The absolute path to the credentials config file
*/
getCredentialsConfigPath() {
if (this.credentialsConfigPath) {
return this.credentialsConfigPath;
}
const runnerTemp = process.env['RUNNER_TEMP'] || '';
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
this.credentialsConfigPath = path.join(runnerTemp, configFileName);
core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
return this.credentialsConfigPath;
}
/**
* Removes SSH authentication configuration by cleaning up SSH keys,
* known hosts files, and SSH command configurations.
*/
removeSsh() { removeSsh() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
var _a, _b; var _a;
// SSH key // SSH key
const keyPath = this.sshKeyPath || stateHelper.SshKeyPath; const keyPath = this.sshKeyPath || stateHelper.SshKeyPath;
if (keyPath) { if (keyPath) {
try { try {
core.info(`Removing SSH key '${keyPath}'`);
yield io.rmRF(keyPath); yield io.rmRF(keyPath);
} }
catch (err) { catch (err) {
@@ -478,136 +399,37 @@ class GitAuthHelper {
const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath; const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath;
if (knownHostsPath) { if (knownHostsPath) {
try { try {
core.info(`Removing SSH known hosts '${knownHostsPath}'`);
yield io.rmRF(knownHostsPath); yield io.rmRF(knownHostsPath);
} }
catch (err) { catch (_b) {
core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`); // Intentionally empty
core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`);
} }
} }
// SSH command // SSH command
core.info('Removing SSH command configuration');
yield this.removeGitConfig(SSH_COMMAND_KEY); yield this.removeGitConfig(SSH_COMMAND_KEY);
yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
}); });
} }
/**
* Removes token-based authentication by cleaning up HTTP headers,
* includeIf entries, and credentials config files.
*/
removeToken() { removeToken() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
var _a; // HTTP extra header
// Remove HTTP extra header
core.info('Removing HTTP extra header');
yield this.removeGitConfig(this.tokenConfigKey); yield this.removeGitConfig(this.tokenConfigKey);
yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
// Collect credentials config paths that need to be removed
const credentialsPaths = new Set();
// Remove includeIf entries that point to git-credentials-*.config files
core.info('Removing includeIf entries pointing to credentials config files');
const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
// Remove submodule includeIf entries that point to git-credentials-*.config files
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
for (const configPath of submoduleConfigPaths) {
const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP'];
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
if (credentialsPath.startsWith(runnerTemp)) {
try {
core.info(`Removing credentials config '${credentialsPath}'`);
yield io.rmRF(credentialsPath);
}
catch (err) {
core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
core.warning(`Failed to remove credentials config '${credentialsPath}'`);
}
}
else {
core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`);
}
}
}); });
} }
/** removeGitConfig(configKey_1) {
* Removes a git config key from the local repository config. return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) {
* @param configKey The git config key to remove if (!submoduleOnly) {
*/ if ((yield this.git.configExists(configKey)) &&
removeGitConfig(configKey) { !(yield this.git.tryConfigUnset(configKey))) {
return __awaiter(this, void 0, void 0, function* () { // Load the config contents
if ((yield this.git.configExists(configKey)) && core.warning(`Failed to remove '${configKey}' from the git config`);
!(yield this.git.tryConfigUnset(configKey))) { }
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`);
} }
});
}
/**
* Removes a git config key from all submodule configs.
* @param configKey The git config key to remove
*/
removeSubmoduleGitConfig(configKey) {
return __awaiter(this, void 0, void 0, function* () {
const pattern = regexpHelper.escape(configKey); const pattern = regexpHelper.escape(configKey);
yield this.git.submoduleForeach( yield this.git.submoduleForeach(
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true); `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
}); });
} }
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
removeIncludeIfCredentials(configPath) {
return __awaiter(this, void 0, void 0, function* () {
const credentialsPaths = new Set();
try {
// Get all includeIf.gitdir keys
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir(/i)?:', false, // globalConfig?
configPath);
for (const key of keys) {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
configPath);
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (this.testCredentialsConfigPath(value)) {
credentialsPaths.add(value);
yield this.git.tryConfigUnsetValue(key, value, false, configPath);
}
}
}
}
}
catch (err) {
// Ignore errors - this is cleanup code
if (configPath) {
core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
}
else {
core.debug(`Error during includeIf cleanup: ${err}`);
}
}
return Array.from(credentialsPaths);
});
}
/**
* Tests if a path matches the git-credentials-*.config pattern.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
testCredentialsConfigPath(path) {
return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
}
} }
@@ -659,6 +481,7 @@ const fs = __importStar(__nccwpck_require__(7147));
const fshelper = __importStar(__nccwpck_require__(7219)); const fshelper = __importStar(__nccwpck_require__(7219));
const io = __importStar(__nccwpck_require__(7436)); const io = __importStar(__nccwpck_require__(7436));
const path = __importStar(__nccwpck_require__(1017)); const path = __importStar(__nccwpck_require__(1017));
const refHelper = __importStar(__nccwpck_require__(8601));
const regexpHelper = __importStar(__nccwpck_require__(3120)); const regexpHelper = __importStar(__nccwpck_require__(3120));
const retryHelper = __importStar(__nccwpck_require__(2155)); const retryHelper = __importStar(__nccwpck_require__(2155));
const git_version_1 = __nccwpck_require__(3142); const git_version_1 = __nccwpck_require__(3142);
@@ -804,15 +627,9 @@ class GitCommandManager {
yield this.execGit(args); yield this.execGit(args);
}); });
} }
config(configKey, configValue, globalConfig, add, configFile) { config(configKey, configValue, globalConfig, add) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const args = ['config']; const args = ['config', globalConfig ? '--global' : '--local'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
if (add) { if (add) {
args.push('--add'); args.push('--add');
} }
@@ -836,9 +653,9 @@ class GitCommandManager {
fetch(refSpec, options) { fetch(refSpec, options) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const args = ['-c', 'protocol.version=2', 'fetch']; const args = ['-c', 'protocol.version=2', 'fetch'];
// Always use --no-tags for explicit control over tag fetching if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
// Tags are fetched explicitly via refspec when needed args.push('--no-tags');
args.push('--no-tags'); }
args.push('--prune', '--no-recurse-submodules'); args.push('--prune', '--no-recurse-submodules');
if (options.showProgress) { if (options.showProgress) {
args.push('--progress'); args.push('--progress');
@@ -889,16 +706,6 @@ class GitCommandManager {
throw new Error('Unexpected output when retrieving default branch'); throw new Error('Unexpected output when retrieving default branch');
}); });
} }
getSubmoduleConfigPaths(recursive) {
return __awaiter(this, void 0, void 0, function* () {
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
// Extract config file paths from the output (lines starting with "file:").
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
return configPaths;
});
}
getWorkingDirectory() { getWorkingDirectory() {
return this.workingDirectory; return this.workingDirectory;
} }
@@ -1029,20 +836,6 @@ class GitCommandManager {
return output.exitCode === 0; return output.exitCode === 0;
}); });
} }
tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--unset', configKey, configValue);
const output = yield this.execGit(args, true);
return output.exitCode === 0;
});
}
tryDisableAutomaticGarbageCollection() { tryDisableAutomaticGarbageCollection() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true); const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
@@ -1062,46 +855,6 @@ class GitCommandManager {
return stdout; return stdout;
}); });
} }
tryGetConfigValues(configKey, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--get-all', configKey);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout
.trim()
.split('\n')
.filter(value => value.trim());
});
}
tryGetConfigKeys(pattern, globalConfig, configFile) {
return __awaiter(this, void 0, void 0, function* () {
const args = ['config'];
if (configFile) {
args.push('--file', configFile);
}
else {
args.push(globalConfig ? '--global' : '--local');
}
args.push('--name-only', '--get-regexp', pattern);
const output = yield this.execGit(args, true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout
.trim()
.split('\n')
.filter(key => key.trim());
});
}
tryReset() { tryReset() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['reset', '--hard', 'HEAD'], true); const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);
@@ -1211,17 +964,7 @@ class GitCommandManager {
} }
} }
// Set the user agent // Set the user agent
let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`; const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
// Append orchestration ID if set
const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
if (orchId) {
// Sanitize the orchestration ID to ensure it contains only valid characters
// Valid characters: 0-9, a-z, _, -, .
const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
if (sanitizedId) {
gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
}
}
core.debug(`Set git useragent to: ${gitHttpUserAgent}`); core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent; this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
}); });
@@ -1544,26 +1287,13 @@ function getSource(settings) {
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) { if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
refSpec = refHelper.getRefSpec(settings.ref, settings.commit); refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
yield git.fetch(refSpec, fetchOptions); yield git.fetch(refSpec, fetchOptions);
// Verify the ref now matches. For branches, the targeted fetch above brings
// in the specific commit. For tags (fetched by ref), this will fail if
// the tag was moved after the workflow was triggered.
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
`The ref may have been updated after the workflow was triggered.`);
}
} }
} }
else { else {
fetchOptions.fetchDepth = settings.fetchDepth; fetchOptions.fetchDepth = settings.fetchDepth;
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags); fetchOptions.fetchTags = settings.fetchTags;
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
yield git.fetch(refSpec, fetchOptions); yield git.fetch(refSpec, fetchOptions);
// For tags, verify the ref still points to the expected commit.
// Tags are fetched by ref (not commit), so if a tag was moved after the
// workflow was triggered, we would silently check out the wrong commit.
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
`The ref may have been updated after the workflow was triggered.`);
}
} }
core.endGroup(); core.endGroup();
// Checkout info // Checkout info
@@ -2027,7 +1757,7 @@ function getInputs() {
} }
} }
// SHA? // SHA?
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) { else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
result.commit = result.ref; result.commit = result.ref;
result.ref = ''; result.ref = '';
} }
@@ -2302,67 +2032,53 @@ function getRefSpecForAllHistory(ref, commit) {
} }
return result; return result;
} }
function getRefSpec(ref, commit, fetchTags) { function getRefSpec(ref, commit) {
if (!ref && !commit) { if (!ref && !commit) {
throw new Error('Args ref and commit cannot both be empty'); throw new Error('Args ref and commit cannot both be empty');
} }
const upperRef = (ref || '').toUpperCase(); const upperRef = (ref || '').toUpperCase();
const result = [];
// When fetchTags is true, always include the tags refspec
if (fetchTags) {
result.push(exports.tagsRefSpec);
}
// SHA // SHA
if (commit) { if (commit) {
// refs/heads // refs/heads
if (upperRef.startsWith('REFS/HEADS/')) { if (upperRef.startsWith('REFS/HEADS/')) {
const branch = ref.substring('refs/heads/'.length); const branch = ref.substring('refs/heads/'.length);
result.push(`+${commit}:refs/remotes/origin/${branch}`); return [`+${commit}:refs/remotes/origin/${branch}`];
} }
// refs/pull/ // refs/pull/
else if (upperRef.startsWith('REFS/PULL/')) { else if (upperRef.startsWith('REFS/PULL/')) {
const branch = ref.substring('refs/pull/'.length); const branch = ref.substring('refs/pull/'.length);
result.push(`+${commit}:refs/remotes/pull/${branch}`); return [`+${commit}:refs/remotes/pull/${branch}`];
} }
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) { else if (upperRef.startsWith('REFS/TAGS/')) {
if (!fetchTags) { return [`+${commit}:${ref}`];
result.push(`+${ref}:${ref}`);
}
} }
// Otherwise no destination ref // Otherwise no destination ref
else { else {
result.push(commit); return [commit];
} }
} }
// Unqualified ref, check for a matching branch or tag // Unqualified ref, check for a matching branch or tag
else if (!upperRef.startsWith('REFS/')) { else if (!upperRef.startsWith('REFS/')) {
result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`); return [
if (!fetchTags) { `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`); `+refs/tags/${ref}*:refs/tags/${ref}*`
} ];
} }
// refs/heads/ // refs/heads/
else if (upperRef.startsWith('REFS/HEADS/')) { else if (upperRef.startsWith('REFS/HEADS/')) {
const branch = ref.substring('refs/heads/'.length); const branch = ref.substring('refs/heads/'.length);
result.push(`+${ref}:refs/remotes/origin/${branch}`); return [`+${ref}:refs/remotes/origin/${branch}`];
} }
// refs/pull/ // refs/pull/
else if (upperRef.startsWith('REFS/PULL/')) { else if (upperRef.startsWith('REFS/PULL/')) {
const branch = ref.substring('refs/pull/'.length); const branch = ref.substring('refs/pull/'.length);
result.push(`+${ref}:refs/remotes/pull/${branch}`); return [`+${ref}:refs/remotes/pull/${branch}`];
} }
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) {
if (!fetchTags) {
result.push(`+${ref}:${ref}`);
}
}
// Other refs
else { else {
result.push(`+${ref}:${ref}`); return [`+${ref}:${ref}`];
} }
return result;
} }
/** /**
* Tests whether the initial fetch created the ref at the expected commit * Tests whether the initial fetch created the ref at the expected commit
@@ -2398,9 +2114,7 @@ function testRef(git, ref, commit) {
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) { else if (upperRef.startsWith('REFS/TAGS/')) {
const tagName = ref.substring('refs/tags/'.length); const tagName = ref.substring('refs/tags/'.length);
// Use ^{commit} to dereference annotated tags to their underlying commit return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
return ((yield git.tagExists(tagName)) &&
commit === (yield git.revParse(`${ref}^{commit}`)));
} }
// Unexpected // Unexpected
else { else {
@@ -2450,7 +2164,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
return; return;
} }
// Extract details from message // Extract details from message
const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/); const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
if (!match) { if (!match) {
core.debug('Unexpected message format'); core.debug('Unexpected message format');
return; return;

108
release,tagset Normal file
View File

@@ -0,0 +1,108 @@
- uses: actions/checkout@v5
with:
# Repository name with owner. For example, actions/checkout
# Default: ${{ github.repository }}
repository: ''
# The branch, tag or SHA to checkout. When checking out the repository that
# triggered a workflow, this defaults to the reference or SHA for that event.
# Otherwise, uses the default branch.
ref: ''
# Personal access token (PAT) used to fetch the repository. The PAT is configured
# with the local git config, which enables your scripts to run authenticated git
# commands. The post-job step removes the PAT.
#
# We recommend using a service account with the least permissions necessary. Also
# when generating a new PAT, select the least scopes necessary.
#
# [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
#
# Default: ${{ github.token }}
token: ''
# SSH key used to fetch the repository. The SSH key is configured with the local
# git config, which enables your scripts to run authenticated git commands. The
# post-job step removes the SSH key.
#
# We recommend using a service account with the least permissions necessary.
#
# [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
ssh-key: ''
# Known hosts in addition to the user and global host key database. The public SSH
# keys for a host may be obtained using the utility `ssh-keyscan`. For example,
# `ssh-keyscan github.com`. The public key for github.com is always implicitly
# added.
ssh-known-hosts: ''
# Whether to perform strict host key checking. When true, adds the options
# `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
# the input `ssh-known-hosts` to configure additional hosts.
# Default: true
ssh-strict: ''
# The user to use when connecting to the remote SSH host. By default 'git' is
# used.
# Default: git
ssh-user: ''
# Whether to configure the token or SSH key with the local git config
# Default: true
persist-credentials: ''
# Relative path under $GITHUB_WORKSPACE to place the repository
path: ''
# Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching
# Default: true
clean: ''
# Partially clone against a given filter. Overrides sparse-checkout if set.
# Default: null
filter: ''
# Do a sparse checkout on given patterns. Each pattern should be separated with
# new lines.
# Default: null
sparse-checkout: ''
# Specifies whether to use cone-mode when doing a sparse checkout.
# Default: true
sparse-checkout-cone-mode: ''
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: ''
# Whether to fetch tags, even if fetch-depth > 0.
# Default: false
fetch-tags: ''
# Whether to show progress status output when fetching.
# Default: true
show-progress: ''
# Whether to download Git-LFS files
# Default: false
lfs: ''
# Whether to checkout submodules: `true` to checkout submodules or `recursive` to
# recursively checkout submodules.
#
# When the `ssh-key` input is not provided, SSH URLs beginning with
# `git@github.com:` are converted to HTTPS.
#
# Default: false
submodules: ''
# Add repository path as safe.directory for Git global config by running `git
# config --global --add safe.directory <path>`
# Default: true
set-safe-directory: ''
# The base URL for the GitHub instance that you are trying to clone from, will use
# environment defaults to fetch from the same instance that the workflow is
# running from unless specified. Example URLs are https://github.com or
# https://my-ghes-server.example.com
github-server-url: ''

View File

@@ -13,12 +13,6 @@ import {IGitCommandManager} from './git-command-manager'
import {IGitSourceSettings} from './git-source-settings' import {IGitSourceSettings} from './git-source-settings'
const IS_WINDOWS = process.platform === 'win32' const IS_WINDOWS = process.platform === 'win32'
// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
// See: https://github.com/actions/checkout/issues/2345
const INCLUDE_IF_GITDIR = IS_WINDOWS
? 'includeIf.gitdir/i:'
: 'includeIf.gitdir:'
const SSH_COMMAND_KEY = 'core.sshCommand' const SSH_COMMAND_KEY = 'core.sshCommand'
export interface IGitAuthHelper { export interface IGitAuthHelper {
@@ -49,7 +43,6 @@ class GitAuthHelper {
private sshKeyPath = '' private sshKeyPath = ''
private sshKnownHostsPath = '' private sshKnownHostsPath = ''
private temporaryHomePath = '' private temporaryHomePath = ''
private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
constructor( constructor(
gitCommandManager: IGitCommandManager, gitCommandManager: IGitCommandManager,
@@ -133,21 +126,16 @@ class GitAuthHelper {
async configureGlobalAuth(): Promise<void> { async configureGlobalAuth(): Promise<void> {
// 'configureTempGlobalConfig' noops if already set, just returns the path // 'configureTempGlobalConfig' noops if already set, just returns the path
await this.configureTempGlobalConfig() const newGitConfigPath = await this.configureTempGlobalConfig()
try { try {
// Configure the token // Configure the token
await this.configureToken(true) await this.configureToken(newGitConfigPath, true)
// Configure HTTPS instead of SSH // Configure HTTPS instead of SSH
await this.git.tryConfigUnset(this.insteadOfKey, true) await this.git.tryConfigUnset(this.insteadOfKey, true)
if (!this.settings.sshKey) { if (!this.settings.sshKey) {
for (const insteadOfValue of this.insteadOfValues) { for (const insteadOfValue of this.insteadOfValues) {
await this.git.config( await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
this.insteadOfKey,
insteadOfValue,
true, // globalConfig?
true // add?
)
} }
} }
} catch (err) { } catch (err) {
@@ -162,60 +150,24 @@ class GitAuthHelper {
async configureSubmoduleAuth(): Promise<void> { async configureSubmoduleAuth(): Promise<void> {
// Remove possible previous HTTPS instead of SSH // Remove possible previous HTTPS instead of SSH
await this.removeSubmoduleGitConfig(this.insteadOfKey) await this.removeGitConfig(this.insteadOfKey, true)
if (this.settings.persistCredentials) { if (this.settings.persistCredentials) {
// Get the credentials config file path in RUNNER_TEMP // Configure a placeholder value. This approach avoids the credential being captured
const credentialsConfigPath = this.getCredentialsConfigPath() // by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
// Container credentials config path const output = await this.git.submoduleForeach(
const containerCredentialsPath = path.posix.join( // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
'/github/runner_temp', `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
path.basename(credentialsConfigPath)
)
// Get submodule config file paths.
const configPaths = await this.git.getSubmoduleConfigPaths(
this.settings.nestedSubmodules this.settings.nestedSubmodules
) )
// For each submodule, configure includeIf entries pointing to the shared credentials file. // Replace the placeholder
// Configure both host and container paths to support Docker container actions. const configPaths: string[] =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
for (const configPath of configPaths) { for (const configPath of configPaths) {
// Submodule Git directory core.debug(`Replacing token placeholder in '${configPath}'`)
let submoduleGitDir = path.dirname(configPath) // The config file is at .git/modules/submodule-name/config await this.replaceTokenPlaceholder(configPath)
submoduleGitDir = submoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Configure host includeIf
await this.git.config(
`${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`,
credentialsConfigPath,
false, // globalConfig?
false, // add?
configPath
)
// Container submodule git directory
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
let relativeSubmoduleGitDir = path.relative(
githubWorkspace,
submoduleGitDir
)
relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
const containerSubmoduleGitDir = path.posix.join(
'/github/workspace',
relativeSubmoduleGitDir
)
// Configure container includeIf
await this.git.config(
`${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`,
containerCredentialsPath,
false, // globalConfig?
false, // add?
configPath
)
} }
if (this.settings.sshKey) { if (this.settings.sshKey) {
@@ -249,10 +201,6 @@ class GitAuthHelper {
} }
} }
/**
* Configures SSH authentication by writing the SSH key and known hosts,
* and setting up the GIT_SSH_COMMAND environment variable.
*/
private async configureSsh(): Promise<void> { private async configureSsh(): Promise<void> {
if (!this.settings.sshKey) { if (!this.settings.sshKey) {
return return
@@ -324,127 +272,57 @@ class GitAuthHelper {
} }
} }
/** private async configureToken(
* Configures token-based authentication by creating a credentials config file configPath?: string,
* and setting up includeIf entries to reference it. globalConfig?: boolean
* @param globalConfig Whether to configure global config instead of local ): Promise<void> {
*/ // Validate args
private async configureToken(globalConfig?: boolean): Promise<void> { assert.ok(
// Get the credentials config file path in RUNNER_TEMP (configPath && globalConfig) || (!configPath && !globalConfig),
const credentialsConfigPath = this.getCredentialsConfigPath() 'Unexpected configureToken parameter combinations'
)
// Write placeholder to the separate credentials config file using git config. // Default config path
// This approach avoids the credential being captured by process creation audit events, if (!configPath && !globalConfig) {
// which are commonly logged. For more information, refer to configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
// https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing }
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
await this.git.config( await this.git.config(
this.tokenConfigKey, this.tokenConfigKey,
this.tokenPlaceholderConfigValue, this.tokenPlaceholderConfigValue,
false, // globalConfig? globalConfig
false, // add?
credentialsConfigPath
) )
// Replace the placeholder in the credentials config file // Replace the placeholder
let content = (await fs.promises.readFile(credentialsConfigPath)).toString() await this.replaceTokenPlaceholder(configPath || '')
}
private async replaceTokenPlaceholder(configPath: string): Promise<void> {
assert.ok(configPath, 'configPath is not defined')
let content = (await fs.promises.readFile(configPath)).toString()
const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue) const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
if ( if (
placeholderIndex < 0 || placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue) placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
) { ) {
throw new Error( throw new Error(`Unable to replace auth placeholder in ${configPath}`)
`Unable to replace auth placeholder in ${credentialsConfigPath}`
)
} }
assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined') assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
content = content.replace( content = content.replace(
this.tokenPlaceholderConfigValue, this.tokenPlaceholderConfigValue,
this.tokenConfigValue this.tokenConfigValue
) )
await fs.promises.writeFile(credentialsConfigPath, content) await fs.promises.writeFile(configPath, content)
// Add include or includeIf to reference the credentials config
if (globalConfig) {
// Global config file is temporary
await this.git.config(
'include.path',
credentialsConfigPath,
true // globalConfig?
)
} else {
// Host git directory
let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
// Configure host includeIf
const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`
await this.git.config(hostIncludeKey, credentialsConfigPath)
// Configure host includeIf for worktrees
const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`
await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
// Container git directory
const workingDirectory = this.git.getWorkingDirectory()
const githubWorkspace = process.env['GITHUB_WORKSPACE']
assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
let relativePath = path.relative(githubWorkspace, workingDirectory)
relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
const containerGitDir = path.posix.join(
'/github/workspace',
relativePath,
'.git'
)
// Container credentials config path
const containerCredentialsPath = path.posix.join(
'/github/runner_temp',
path.basename(credentialsConfigPath)
)
// Configure container includeIf
const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`
await this.git.config(containerIncludeKey, containerCredentialsPath)
// Configure container includeIf for worktrees
const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`
await this.git.config(
containerWorktreeIncludeKey,
containerCredentialsPath
)
}
} }
/**
* Gets or creates the path to the credentials config file in RUNNER_TEMP.
* @returns The absolute path to the credentials config file
*/
private getCredentialsConfigPath(): string {
if (this.credentialsConfigPath) {
return this.credentialsConfigPath
}
const runnerTemp = process.env['RUNNER_TEMP'] || ''
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
// Create a unique filename for this checkout instance
const configFileName = `git-credentials-${uuid()}.config`
this.credentialsConfigPath = path.join(runnerTemp, configFileName)
core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
return this.credentialsConfigPath
}
/**
* Removes SSH authentication configuration by cleaning up SSH keys,
* known hosts files, and SSH command configurations.
*/
private async removeSsh(): Promise<void> { private async removeSsh(): Promise<void> {
// SSH key // SSH key
const keyPath = this.sshKeyPath || stateHelper.SshKeyPath const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
if (keyPath) { if (keyPath) {
try { try {
core.info(`Removing SSH key '${keyPath}'`)
await io.rmRF(keyPath) await io.rmRF(keyPath)
} catch (err) { } catch (err) {
core.debug(`${(err as any)?.message ?? err}`) core.debug(`${(err as any)?.message ?? err}`)
@@ -457,149 +335,40 @@ class GitAuthHelper {
this.sshKnownHostsPath || stateHelper.SshKnownHostsPath this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
if (knownHostsPath) { if (knownHostsPath) {
try { try {
core.info(`Removing SSH known hosts '${knownHostsPath}'`)
await io.rmRF(knownHostsPath) await io.rmRF(knownHostsPath)
} catch (err) { } catch {
core.debug(`${(err as any)?.message ?? err}`) // Intentionally empty
core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`)
} }
} }
// SSH command // SSH command
core.info('Removing SSH command configuration')
await this.removeGitConfig(SSH_COMMAND_KEY) await this.removeGitConfig(SSH_COMMAND_KEY)
await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
} }
/**
* Removes token-based authentication by cleaning up HTTP headers,
* includeIf entries, and credentials config files.
*/
private async removeToken(): Promise<void> { private async removeToken(): Promise<void> {
// Remove HTTP extra header // HTTP extra header
core.info('Removing HTTP extra header')
await this.removeGitConfig(this.tokenConfigKey) await this.removeGitConfig(this.tokenConfigKey)
await this.removeSubmoduleGitConfig(this.tokenConfigKey) }
// Collect credentials config paths that need to be removed private async removeGitConfig(
const credentialsPaths = new Set<string>() configKey: string,
submoduleOnly: boolean = false
// Remove includeIf entries that point to git-credentials-*.config files ): Promise<void> {
core.info('Removing includeIf entries pointing to credentials config files') if (!submoduleOnly) {
const mainCredentialsPaths = await this.removeIncludeIfCredentials() if (
mainCredentialsPaths.forEach(path => credentialsPaths.add(path)) (await this.git.configExists(configKey)) &&
!(await this.git.tryConfigUnset(configKey))
// Remove submodule includeIf entries that point to git-credentials-*.config files ) {
const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true) // Load the config contents
for (const configPath of submoduleConfigPaths) { core.warning(`Failed to remove '${configKey}' from the git config`)
const submoduleCredentialsPaths =
await this.removeIncludeIfCredentials(configPath)
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
}
// Remove credentials config files
for (const credentialsPath of credentialsPaths) {
// Only remove credentials config files if they are under RUNNER_TEMP
const runnerTemp = process.env['RUNNER_TEMP']
assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
if (credentialsPath.startsWith(runnerTemp)) {
try {
core.info(`Removing credentials config '${credentialsPath}'`)
await io.rmRF(credentialsPath)
} catch (err) {
core.debug(`${(err as any)?.message ?? err}`)
core.warning(
`Failed to remove credentials config '${credentialsPath}'`
)
}
} else {
core.debug(
`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
)
} }
} }
}
/**
* Removes a git config key from the local repository config.
* @param configKey The git config key to remove
*/
private async removeGitConfig(configKey: string): Promise<void> {
if (
(await this.git.configExists(configKey)) &&
!(await this.git.tryConfigUnset(configKey))
) {
// Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`)
}
}
/**
* Removes a git config key from all submodule configs.
* @param configKey The git config key to remove
*/
private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
const pattern = regexpHelper.escape(configKey) const pattern = regexpHelper.escape(configKey)
await this.git.submoduleForeach( await this.git.submoduleForeach(
// Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
true true
) )
} }
/**
* Removes includeIf entries that point to git-credentials-*.config files.
* @param configPath Optional path to a specific git config file to operate on
* @returns Array of unique credentials config file paths that were found and removed
*/
private async removeIncludeIfCredentials(
configPath?: string
): Promise<string[]> {
const credentialsPaths = new Set<string>()
try {
// Get all includeIf.gitdir keys
const keys = await this.git.tryGetConfigKeys(
'^includeIf\\.gitdir(/i)?:',
false, // globalConfig?
configPath
)
for (const key of keys) {
// Get all values for this key
const values = await this.git.tryGetConfigValues(
key,
false, // globalConfig?
configPath
)
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (this.testCredentialsConfigPath(value)) {
credentialsPaths.add(value)
await this.git.tryConfigUnsetValue(key, value, false, configPath)
}
}
}
}
} catch (err) {
// Ignore errors - this is cleanup code
if (configPath) {
core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`)
} else {
core.debug(`Error during includeIf cleanup: ${err}`)
}
}
return Array.from(credentialsPaths)
}
/**
* Tests if a path matches the git-credentials-*.config pattern.
* @param path The path to test
* @returns True if the path matches the credentials config pattern
*/
private testCredentialsConfigPath(path: string): boolean {
return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
}
} }

View File

@@ -28,8 +28,7 @@ export interface IGitCommandManager {
configKey: string, configKey: string,
configValue: string, configValue: string,
globalConfig?: boolean, globalConfig?: boolean,
add?: boolean, add?: boolean
configFile?: string
): Promise<void> ): Promise<void>
configExists(configKey: string, globalConfig?: boolean): Promise<boolean> configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
fetch( fetch(
@@ -37,11 +36,11 @@ export interface IGitCommandManager {
options: { options: {
filter?: string filter?: string
fetchDepth?: number fetchDepth?: number
fetchTags?: boolean
showProgress?: boolean showProgress?: boolean
} }
): Promise<void> ): Promise<void>
getDefaultBranch(repositoryUrl: string): Promise<string> getDefaultBranch(repositoryUrl: string): Promise<string>
getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
getWorkingDirectory(): string getWorkingDirectory(): string
init(): Promise<void> init(): Promise<void>
isDetached(): Promise<boolean> isDetached(): Promise<boolean>
@@ -60,24 +59,8 @@ export interface IGitCommandManager {
tagExists(pattern: string): Promise<boolean> tagExists(pattern: string): Promise<boolean>
tryClean(): Promise<boolean> tryClean(): Promise<boolean>
tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean> tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
tryConfigUnsetValue(
configKey: string,
configValue: string,
globalConfig?: boolean,
configFile?: string
): Promise<boolean>
tryDisableAutomaticGarbageCollection(): Promise<boolean> tryDisableAutomaticGarbageCollection(): Promise<boolean>
tryGetFetchUrl(): Promise<string> tryGetFetchUrl(): Promise<string>
tryGetConfigValues(
configKey: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]>
tryGetConfigKeys(
pattern: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]>
tryReset(): Promise<boolean> tryReset(): Promise<boolean>
version(): Promise<GitVersion> version(): Promise<GitVersion>
} }
@@ -240,15 +223,9 @@ class GitCommandManager {
configKey: string, configKey: string,
configValue: string, configValue: string,
globalConfig?: boolean, globalConfig?: boolean,
add?: boolean, add?: boolean
configFile?: string
): Promise<void> { ): Promise<void> {
const args: string[] = ['config'] const args: string[] = ['config', globalConfig ? '--global' : '--local']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
if (add) { if (add) {
args.push('--add') args.push('--add')
} }
@@ -279,13 +256,14 @@ class GitCommandManager {
options: { options: {
filter?: string filter?: string
fetchDepth?: number fetchDepth?: number
fetchTags?: boolean
showProgress?: boolean showProgress?: boolean
} }
): Promise<void> { ): Promise<void> {
const args = ['-c', 'protocol.version=2', 'fetch'] const args = ['-c', 'protocol.version=2', 'fetch']
// Always use --no-tags for explicit control over tag fetching if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
// Tags are fetched explicitly via refspec when needed args.push('--no-tags')
args.push('--no-tags') }
args.push('--prune', '--no-recurse-submodules') args.push('--prune', '--no-recurse-submodules')
if (options.showProgress) { if (options.showProgress) {
@@ -345,21 +323,6 @@ class GitCommandManager {
throw new Error('Unexpected output when retrieving default branch') throw new Error('Unexpected output when retrieving default branch')
} }
async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
// Get submodule config file paths.
// Use `--show-origin` to get the config file path for each submodule.
const output = await this.submoduleForeach(
`git config --local --show-origin --name-only --get-regexp remote.origin.url`,
recursive
)
// Extract config file paths from the output (lines starting with "file:").
const configPaths =
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
return configPaths
}
getWorkingDirectory(): string { getWorkingDirectory(): string {
return this.workingDirectory return this.workingDirectory
} }
@@ -492,24 +455,6 @@ class GitCommandManager {
return output.exitCode === 0 return output.exitCode === 0
} }
async tryConfigUnsetValue(
configKey: string,
configValue: string,
globalConfig?: boolean,
configFile?: string
): Promise<boolean> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--unset', configKey, configValue)
const output = await this.execGit(args, true)
return output.exitCode === 0
}
async tryDisableAutomaticGarbageCollection(): Promise<boolean> { async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
const output = await this.execGit( const output = await this.execGit(
['config', '--local', 'gc.auto', '0'], ['config', '--local', 'gc.auto', '0'],
@@ -536,56 +481,6 @@ class GitCommandManager {
return stdout return stdout
} }
async tryGetConfigValues(
configKey: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--get-all', configKey)
const output = await this.execGit(args, true)
if (output.exitCode !== 0) {
return []
}
return output.stdout
.trim()
.split('\n')
.filter(value => value.trim())
}
async tryGetConfigKeys(
pattern: string,
globalConfig?: boolean,
configFile?: string
): Promise<string[]> {
const args = ['config']
if (configFile) {
args.push('--file', configFile)
} else {
args.push(globalConfig ? '--global' : '--local')
}
args.push('--name-only', '--get-regexp', pattern)
const output = await this.execGit(args, true)
if (output.exitCode !== 0) {
return []
}
return output.stdout
.trim()
.split('\n')
.filter(key => key.trim())
}
async tryReset(): Promise<boolean> { async tryReset(): Promise<boolean> {
const output = await this.execGit(['reset', '--hard', 'HEAD'], true) const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
return output.exitCode === 0 return output.exitCode === 0
@@ -728,19 +623,7 @@ class GitCommandManager {
} }
} }
// Set the user agent // Set the user agent
let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)` const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
// Append orchestration ID if set
const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
if (orchId) {
// Sanitize the orchestration ID to ensure it contains only valid characters
// Valid characters: 0-9, a-z, _, -, .
const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
if (sanitizedId) {
gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
}
}
core.debug(`Set git useragent to: ${gitHttpUserAgent}`) core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
} }

View File

@@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
const fetchOptions: { const fetchOptions: {
filter?: string filter?: string
fetchDepth?: number fetchDepth?: number
fetchTags?: boolean
showProgress?: boolean showProgress?: boolean
} = {} } = {}
@@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) { if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
refSpec = refHelper.getRefSpec(settings.ref, settings.commit) refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
await git.fetch(refSpec, fetchOptions) await git.fetch(refSpec, fetchOptions)
// Verify the ref now matches. For branches, the targeted fetch above brings
// in the specific commit. For tags (fetched by ref), this will fail if
// the tag was moved after the workflow was triggered.
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
throw new Error(
`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
`The ref may have been updated after the workflow was triggered.`
)
}
} }
} else { } else {
fetchOptions.fetchDepth = settings.fetchDepth fetchOptions.fetchDepth = settings.fetchDepth
const refSpec = refHelper.getRefSpec( fetchOptions.fetchTags = settings.fetchTags
settings.ref, const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
settings.commit,
settings.fetchTags
)
await git.fetch(refSpec, fetchOptions) await git.fetch(refSpec, fetchOptions)
// For tags, verify the ref still points to the expected commit.
// Tags are fetched by ref (not commit), so if a tag was moved after the
// workflow was triggered, we would silently check out the wrong commit.
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
throw new Error(
`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
`The ref may have been updated after the workflow was triggered.`
)
}
} }
core.endGroup() core.endGroup()

View File

@@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
} }
} }
// SHA? // SHA?
else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) { else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
result.commit = result.ref result.commit = result.ref
result.ref = '' result.ref = ''
} }

View File

@@ -120,7 +120,7 @@ function updateUsage(
} }
updateUsage( updateUsage(
'actions/checkout@v6', 'actions/checkout@v5',
path.join(__dirname, '..', '..', 'action.yml'), path.join(__dirname, '..', '..', 'action.yml'),
path.join(__dirname, '..', '..', 'README.md') path.join(__dirname, '..', '..', 'README.md')
) )

View File

@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
return result return result
} }
export function getRefSpec( export function getRefSpec(ref: string, commit: string): string[] {
ref: string,
commit: string,
fetchTags?: boolean
): string[] {
if (!ref && !commit) { if (!ref && !commit) {
throw new Error('Args ref and commit cannot both be empty') throw new Error('Args ref and commit cannot both be empty')
} }
const upperRef = (ref || '').toUpperCase() const upperRef = (ref || '').toUpperCase()
const result: string[] = []
// When fetchTags is true, always include the tags refspec
if (fetchTags) {
result.push(tagsRefSpec)
}
// SHA // SHA
if (commit) { if (commit) {
// refs/heads // refs/heads
if (upperRef.startsWith('REFS/HEADS/')) { if (upperRef.startsWith('REFS/HEADS/')) {
const branch = ref.substring('refs/heads/'.length) const branch = ref.substring('refs/heads/'.length)
result.push(`+${commit}:refs/remotes/origin/${branch}`) return [`+${commit}:refs/remotes/origin/${branch}`]
} }
// refs/pull/ // refs/pull/
else if (upperRef.startsWith('REFS/PULL/')) { else if (upperRef.startsWith('REFS/PULL/')) {
const branch = ref.substring('refs/pull/'.length) const branch = ref.substring('refs/pull/'.length)
result.push(`+${commit}:refs/remotes/pull/${branch}`) return [`+${commit}:refs/remotes/pull/${branch}`]
} }
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) { else if (upperRef.startsWith('REFS/TAGS/')) {
if (!fetchTags) { return [`+${commit}:${ref}`]
result.push(`+${ref}:${ref}`)
}
} }
// Otherwise no destination ref // Otherwise no destination ref
else { else {
result.push(commit) return [commit]
} }
} }
// Unqualified ref, check for a matching branch or tag // Unqualified ref, check for a matching branch or tag
else if (!upperRef.startsWith('REFS/')) { else if (!upperRef.startsWith('REFS/')) {
result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`) return [
if (!fetchTags) { `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`) `+refs/tags/${ref}*:refs/tags/${ref}*`
} ]
} }
// refs/heads/ // refs/heads/
else if (upperRef.startsWith('REFS/HEADS/')) { else if (upperRef.startsWith('REFS/HEADS/')) {
const branch = ref.substring('refs/heads/'.length) const branch = ref.substring('refs/heads/'.length)
result.push(`+${ref}:refs/remotes/origin/${branch}`) return [`+${ref}:refs/remotes/origin/${branch}`]
} }
// refs/pull/ // refs/pull/
else if (upperRef.startsWith('REFS/PULL/')) { else if (upperRef.startsWith('REFS/PULL/')) {
const branch = ref.substring('refs/pull/'.length) const branch = ref.substring('refs/pull/'.length)
result.push(`+${ref}:refs/remotes/pull/${branch}`) return [`+${ref}:refs/remotes/pull/${branch}`]
} }
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) {
if (!fetchTags) {
result.push(`+${ref}:${ref}`)
}
}
// Other refs
else { else {
result.push(`+${ref}:${ref}`) return [`+${ref}:${ref}`]
} }
return result
} }
/** /**
@@ -190,10 +170,8 @@ export async function testRef(
// refs/tags/ // refs/tags/
else if (upperRef.startsWith('REFS/TAGS/')) { else if (upperRef.startsWith('REFS/TAGS/')) {
const tagName = ref.substring('refs/tags/'.length) const tagName = ref.substring('refs/tags/'.length)
// Use ^{commit} to dereference annotated tags to their underlying commit
return ( return (
(await git.tagExists(tagName)) && (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
commit === (await git.revParse(`${ref}^{commit}`))
) )
} }
// Unexpected // Unexpected
@@ -258,9 +236,7 @@ export async function checkCommitInfo(
} }
// Extract details from message // Extract details from message
const match = commitInfo.match( const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
)
if (!match) { if (!match) {
core.debug('Unexpected message format') core.debug('Unexpected message format')
return return