Merge ab5d862ce8 into 8e8c483db8

fix tests and update index.js
codereview: define a git-user slug instead of a true/false config
2026-06-23 17:43:52 +08:00 · 2025-12-02 08:24:33 +01:00 · 2025-01-22 11:55:00 +01:00 · 2025-01-21 18:50:25 +01:00 · 2024-12-19 16:24:48 +01:00
19 changed files with 200 additions and 621 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -87,17 +87,6 @@ jobs:
      - name: Verify fetch filter
        run: __test__/verify-fetch-filter.sh

-      # Fetch tags
-      - name: Checkout with fetch-tags
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: fetch-tags-test
-          fetch-tags: true
-      - name: Verify fetch-tags
-        shell: bash
-        run: __test__/verify-fetch-tags.sh
-
      # Sparse checkout
      - name: Sparse checkout
        uses: ./
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,5 @@
 # Changelog

-## v6.0.2
-* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
-
-## v6.0.1
-* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
-
 ## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
--- a/README.md
+++ b/README.md
@@ -75,6 +75,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    # Default: ${{ github.token }}
    token: ''

+    # Github slug used to configure local user.name and user.email for git. This is
+    # required to push a commit from a Github Action Workflow. Set to '' to disable
+    # this configuration.
+    # Default: github-action[bot]
+    git-user: ''
+
    # SSH key used to fetch the repository. The SSH key is configured with the local
    # git config, which enables your scripts to run authenticated git commands. The
    # post-job step removes the SSH key.
@@ -324,8 +330,6 @@ jobs:
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .
          git commit -m "generated"
          git push
@@ -348,8 +352,6 @@ jobs:
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add .
          git commit -m "generated"
          git push
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -1,12 +1,12 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
-import * as gitAuthHelper from '../lib/git-auth-helper'
+import * as gitAuthHelper from '../src/git-auth-helper'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
-import * as stateHelper from '../lib/state-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import * as stateHelper from '../src/state-helper'
+import {IGitCommandManager} from '../src/git-command-manager'
+import {IGitSourceSettings} from '../src/git-source-settings'

 const isWindows = process.platform === 'win32'
 const testWorkspace = path.join(__dirname, '_temp', 'git-auth-helper')
@@ -974,46 +974,6 @@ describe('git-auth-helper tests', () => {
    ).toBe(false)
    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
  })
-
-  const includeIfCleanupRegex_matchesBothVariants =
-    'includeIf cleanup regex matches both gitdir: and gitdir/i: keys'
-  it(includeIfCleanupRegex_matchesBothVariants, async () => {
-    // The cleanup regex must match both variants so credential
-    // removal works regardless of which was written
-    const regex = /^includeIf\.gitdir(\/i)?:/
-    expect(regex.test('includeIf.gitdir:D:/workspaces/repo/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir/i:D:/Workspaces/repo/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir/i:/github/workspace/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir:~/projects/foo/.git.path')).toBe(true)
-    expect(regex.test('includeIf.onbranch:main.path')).toBe(false)
-    expect(regex.test('include.path')).toBe(false)
-  })
-
-  const includeIfDirective_usesCorrectVariantForPlatform =
-    'includeIf directive uses gitdir/i on Windows and gitdir on other platforms'
-  it(includeIfDirective_usesCorrectVariantForPlatform, async () => {
-    await setup(includeIfDirective_usesCorrectVariantForPlatform)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    const localConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-
-    if (isWindows) {
-      expect(localConfigContent).toContain('includeIf.gitdir/i:')
-      expect(localConfigContent).not.toContain('includeIf.gitdir:')
-    } else {
-      expect(localConfigContent).toContain('includeIf.gitdir:')
-      expect(localConfigContent).not.toContain('includeIf.gitdir/i:')
-    }
-  })
 })

 async function setup(testName: string): Promise<void> {
@@ -1213,7 +1173,8 @@ async function setup(testName: string): Promise<void> {
    sshUser: '',
    workflowOrganizationId: 123456,
    setSafeDirectory: true,
-    githubServerUrl: githubServerUrl
+    githubServerUrl: githubServerUrl,
+    gitUser: 'github-action[bot]'
  }
 }

--- a/test/git-command-manager.test.ts
+++ b/test/git-command-manager.test.ts
@@ -1,6 +1,6 @@
 import * as exec from '@actions/exec'
-import * as fshelper from '../lib/fs-helper'
-import * as commandManager from '../lib/git-command-manager'
+import * as fshelper from '../src/fs-helper'
+import * as commandManager from '../src/git-command-manager'

 let git: commandManager.IGitCommandManager
 let mockExec = jest.fn()
@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    jest.restoreAllMocks()
  })

-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 0
+      fetchDepth: 0,
+      fetchTags: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    expect(mockExec).toHaveBeenCalledWith(
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--prune',
+        '--no-recurse-submodules',
+        '--filter=filterValue',
+        'origin',
+        'refspec1',
+        'refspec2'
+      ],
+      expect.any(Object)
+    )
+  })
+
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+    const refSpec = ['refspec1', 'refspec2']
+    const options = {
+      filter: 'filterValue',
+      fetchDepth: 0,
+      fetchTags: false
    }

    await git.fetch(refSpec, options)
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 0
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: false
    }

    await git.fetch(refSpec, options)
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: true
    }

    await git.fetch(refSpec, options)
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
-        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        '--depth=1',
        'origin',
        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
+        'refspec2'
      ],
      expect.any(Object)
    )
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
+      fetchTags: true,
      showProgress: true
    }

@@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
-        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--progress',
        '--filter=filterValue',
        'origin',
        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
+        'refspec2'
      ],
      expect.any(Object)
    )
  })
 })
-
-describe('git user-agent with orchestration ID', () => {
-  beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
-  })
-
-  afterEach(() => {
-    jest.restoreAllMocks()
-    // Clean up environment variable to prevent test pollution
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-  })
-
-  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
-    const orchId = 'test-orch-id-12345'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent includes the orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
-    )
-  })
-
-  it('should sanitize invalid characters in orchestration ID', async () => {
-    const orchId = 'test (with) special/chars'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
-    )
-  })
-
-  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent does NOT contain orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout)'
-    )
-  })
-})
--- a/test/git-directory-helper.test.ts
+++ b/test/git-directory-helper.test.ts
@@ -1,9 +1,9 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
-import * as gitDirectoryHelper from '../lib/git-directory-helper'
+import * as gitDirectoryHelper from '../src/git-directory-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import {IGitCommandManager} from '../src/git-command-manager'

 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@@ -1,10 +1,10 @@
 import * as core from '@actions/core'
-import * as fsHelper from '../lib/fs-helper'
+import * as fsHelper from '../src/fs-helper'
 import * as github from '@actions/github'
-import * as inputHelper from '../lib/input-helper'
+import * as inputHelper from '../src/input-helper'
 import * as path from 'path'
-import * as workflowContextHelper from '../lib/workflow-context-helper'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import * as workflowContextHelper from '../src/workflow-context-helper'
+import {IGitSourceSettings} from '../src/git-source-settings'

 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
@@ -133,16 +133,6 @@ describe('input-helper tests', () => {
    expect(settings.commit).toBe('1111111111222222222233333333334444444444')
  })

-  it('sets ref to empty when explicit sha-256', async () => {
-    inputs.ref =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
-    expect(settings.ref).toBeFalsy()
-    expect(settings.commit).toBe(
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    )
-  })
-
  it('sets sha to empty when explicit ref', async () => {
    inputs.ref = 'refs/heads/some-other-ref'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@@ -1,12 +1,8 @@
 import * as assert from 'assert'
-import * as core from '@actions/core'
-import * as github from '@actions/github'
-import * as refHelper from '../lib/ref-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import * as refHelper from '../src/ref-helper'
+import {IGitCommandManager} from '../src/git-command-manager'

 const commit = '1234567890123456789012345678901234567890'
-const sha256Commit =
-  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager

 describe('ref-helper tests', () => {
@@ -41,12 +37,6 @@ describe('ref-helper tests', () => {
    expect(checkoutInfo.startPoint).toBeFalsy()
  })

-  it('getCheckoutInfo sha-256 only', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
-    expect(checkoutInfo.ref).toBe(sha256Commit)
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
  it('getCheckoutInfo refs/heads/', async () => {
    const checkoutInfo = await refHelper.getCheckoutInfo(
      git,
@@ -162,22 +152,7 @@ describe('ref-helper tests', () => {
  it('getRefSpec sha + refs/tags/', async () => {
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
-  })
-
-  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
  })

  it('getRefSpec sha only', async () => {
@@ -193,14 +168,6 @@ describe('ref-helper tests', () => {
    expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
  })

-  it('getRefSpec unqualified ref only with fetchTags', async () => {
-    // When fetchTags is true, skip specific tag pattern since wildcard covers all
-    const refSpec = refHelper.getRefSpec('my-ref', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
-  })
-
  it('getRefSpec refs/heads/ only', async () => {
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
    expect(refSpec.length).toBe(1)
@@ -220,159 +187,4 @@ describe('ref-helper tests', () => {
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
  })
-
-  it('getRefSpec refs/tags/ only with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec refs/heads/ only with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(
-      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
-    )
-  })
-
-  describe('checkCommitInfo', () => {
-    const repositoryOwner = 'some-owner'
-    const repositoryName = 'some-repo'
-    const ref = 'refs/pull/123/merge'
-    const sha1Head = '1111111111222222222233333333334444444444'
-    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
-    const sha256Head =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const sha256Base =
-      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
-    let debugSpy: jest.SpyInstance
-    let getOctokitSpy: jest.SpyInstance
-    let repoGetSpy: jest.Mock
-    let originalEventName: string
-    let originalPayload: unknown
-    let originalRef: string
-    let originalSha: string
-
-    function setPullRequestContext(
-      expectedHeadSha: string,
-      expectedBaseSha: string,
-      mergeCommit: string
-    ): void {
-      ;(github.context as any).eventName = 'pull_request'
-      github.context.ref = ref
-      github.context.sha = mergeCommit
-      ;(github.context as any).payload = {
-        action: 'synchronize',
-        after: expectedHeadSha,
-        number: 123,
-        pull_request: {
-          base: {
-            sha: expectedBaseSha
-          }
-        },
-        repository: {
-          private: false
-        }
-      }
-    }
-
-    beforeEach(() => {
-      originalEventName = github.context.eventName
-      originalPayload = github.context.payload
-      originalRef = github.context.ref
-      originalSha = github.context.sha
-
-      jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
-        owner: repositoryOwner,
-        repo: repositoryName
-      })
-      debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
-      repoGetSpy = jest.fn(async () => ({}))
-      getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
-        rest: {
-          repos: {
-            get: repoGetSpy
-          }
-        }
-      } as any)
-    })
-
-    afterEach(() => {
-      ;(github.context as any).eventName = originalEventName
-      ;(github.context as any).payload = originalPayload
-      github.context.ref = originalRef
-      github.context.sha = originalSha
-      jest.restoreAllMocks()
-    })
-
-    it('returns early for SHA-1 merge commit', async () => {
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${sha1Head} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(getOctokitSpy).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-    })
-
-    it('matches SHA-256 merge commit info', async () => {
-      const actualHeadSha =
-        '9999999999888888888877777777776666666666555555555544444444443333'
-      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${actualHeadSha} into ${sha256Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        sha256Commit
-      )
-
-      expect(getOctokitSpy).toHaveBeenCalledWith(
-        'token',
-        expect.objectContaining({
-          userAgent: expect.stringContaining(
-            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
-          )
-        })
-      )
-      expect(repoGetSpy).toHaveBeenCalledWith({
-        owner: repositoryOwner,
-        repo: repositoryName
-      })
-      expect(debugSpy).toHaveBeenCalledWith(
-        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
-      )
-      expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
-    })
-
-    it('does not match 50-char hex as a valid merge', async () => {
-      const invalidHeadSha =
-        '99999999998888888888777777777766666666665555555555'
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${invalidHeadSha} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(getOctokitSpy).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-      expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
-    })
-  })
 })
--- a/test/retry-helper.test.ts
+++ b/test/retry-helper.test.ts
@@ -1,5 +1,5 @@
 import * as core from '@actions/core'
-import {RetryHelper} from '../lib/retry-helper'
+import {RetryHelper} from '../src/retry-helper'

 let info: string[]
 let retryHelper: any
--- a/test/verify-fetch-tags.sh
+++ b/test/verify-fetch-tags.sh
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-# Verify tags were fetched
-TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
-if [ "$TAG_COUNT" -eq 0 ]; then
-    echo "Expected tags to be fetched, but found none"
-    exit 1
-fi
-echo "Found $TAG_COUNT tags"
--- a/action.yml
+++ b/action.yml
@@ -22,6 +22,12 @@ inputs:

      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    default: ${{ github.token }}
+  git-user:
+    description: >
+      Github slug used to configure local user.name and user.email for git.
+      This is required to push a commit from a Github Action Workflow.
+      Set to '' to disable this configuration.
+    default: "github-action[bot]"
  ssh-key:
    description: >
      SSH key used to fetch the repository. The SSH key is configured with the local
--- a/dist/index.js
+++ b/dist/index.js
@@ -151,12 +151,6 @@ const stateHelper = __importStar(__nccwpck_require__(4866));
 const urlHelper = __importStar(__nccwpck_require__(9437));
 const uuid_1 = __nccwpck_require__(5840);
 const IS_WINDOWS = process.platform === 'win32';
-// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
-// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
-// See: https://github.com/actions/checkout/issues/2345
-const INCLUDE_IF_GITDIR = IS_WINDOWS
-    ? 'includeIf.gitdir/i:'
-    : 'includeIf.gitdir:';
 const SSH_COMMAND_KEY = 'core.sshCommand';
 function createAuthHelper(git, settings) {
    return new GitAuthHelper(git, settings);
@@ -276,7 +270,7 @@ class GitAuthHelper {
                    let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
                    submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    // Configure host includeIf
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
                    false, // add?
                    configPath);
                    // Container submodule git directory
@@ -286,7 +280,7 @@ class GitAuthHelper {
                    relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
                    // Configure container includeIf
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
                    false, // add?
                    configPath);
                }
@@ -416,10 +410,10 @@ class GitAuthHelper {
                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
                gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                // Configure host includeIf
-                const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`;
+                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
                // Configure host includeIf for worktrees
-                const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`;
+                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
@@ -431,10 +425,10 @@ class GitAuthHelper {
                // Container credentials config path
                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
                // Configure container includeIf
-                const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`;
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
                // Configure container includeIf for worktrees
-                const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`;
+                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
@@ -571,7 +565,7 @@ class GitAuthHelper {
            const credentialsPaths = new Set();
            try {
                // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir(/i)?:', false, // globalConfig?
+                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
                configPath);
                for (const key of keys) {
                    // Get all values for this key
@@ -659,6 +653,7 @@ const fs = __importStar(__nccwpck_require__(7147));
 const fshelper = __importStar(__nccwpck_require__(7219));
 const io = __importStar(__nccwpck_require__(7436));
 const path = __importStar(__nccwpck_require__(1017));
+const refHelper = __importStar(__nccwpck_require__(8601));
 const regexpHelper = __importStar(__nccwpck_require__(3120));
 const retryHelper = __importStar(__nccwpck_require__(2155));
 const git_version_1 = __nccwpck_require__(3142);
@@ -836,9 +831,9 @@ class GitCommandManager {
    fetch(refSpec, options) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2', 'fetch'];
-            // Always use --no-tags for explicit control over tag fetching
-            // Tags are fetched explicitly via refspec when needed
-            args.push('--no-tags');
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
+                args.push('--no-tags');
+            }
            args.push('--prune', '--no-recurse-submodules');
            if (options.showProgress) {
                args.push('--progress');
@@ -1211,17 +1206,7 @@ class GitCommandManager {
                }
            }
            // Set the user agent
-            let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
-            // Append orchestration ID if set
-            const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
-            if (orchId) {
-                // Sanitize the orchestration ID to ensure it contains only valid characters
-                // Valid characters: 0-9, a-z, _, -, .
-                const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
-                if (sanitizedId) {
-                    gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
-                }
-            }
+            const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
            core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
            this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
        });
@@ -1544,26 +1529,13 @@ function getSource(settings) {
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                    yield git.fetch(refSpec, fetchOptions);
-                    // Verify the ref now matches. For branches, the targeted fetch above brings
-                    // in the specific commit. For tags (fetched by ref), this will fail if
-                    // the tag was moved after the workflow was triggered.
-                    if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                        throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                            `The ref may have been updated after the workflow was triggered.`);
-                    }
                }
            }
            else {
                fetchOptions.fetchDepth = settings.fetchDepth;
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
+                fetchOptions.fetchTags = settings.fetchTags;
+                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                yield git.fetch(refSpec, fetchOptions);
-                // For tags, verify the ref still points to the expected commit.
-                // Tags are fetched by ref (not commit), so if a tag was moved after the
-                // workflow was triggered, we would silently check out the wrong commit.
-                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                    throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                        `The ref may have been updated after the workflow was triggered.`);
-                }
            }
            core.endGroup();
            // Checkout info
@@ -1627,6 +1599,15 @@ function getSource(settings) {
            core.setOutput('commit', commitSHA.trim());
            // Check for incorrect pull request merge commit
            yield refHelper.checkCommitInfo(settings.authToken, commitInfo, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.githubServerUrl);
+            if (settings.gitUser) {
+                if (!(yield git.configExists('user.name', true))) {
+                    yield git.config('user.name', settings.gitUser, true);
+                }
+                if (!(yield git.configExists('user.email', true))) {
+                    const userId = yield githubApiHelper.getUserId(settings.gitUser, settings.authToken, settings.githubServerUrl);
+                    yield git.config('user.email', `${userId}+${settings.gitUser}@users.noreply.github.com`, true);
+                }
+            }
        }
        finally {
            // Remove auth
@@ -1816,6 +1797,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.downloadRepository = downloadRepository;
 exports.getDefaultBranch = getDefaultBranch;
+exports.getUserId = getUserId;
 const assert = __importStar(__nccwpck_require__(9491));
 const core = __importStar(__nccwpck_require__(2186));
 const fs = __importStar(__nccwpck_require__(7147));
@@ -1933,6 +1915,15 @@ function downloadArchive(authToken, owner, repo, ref, commit, baseUrl) {
        return Buffer.from(response.data); // response.data is ArrayBuffer
    });
 }
+function getUserId(username, authToken, baseUrl) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const octokit = github.getOctokit(authToken, {
+            baseUrl: (0, url_helper_1.getServerApiUrl)(baseUrl)
+        });
+        const user = yield octokit.rest.users.getByUsername({ username, });
+        return user.data.id;
+    });
+}


 /***/ }),
@@ -2027,7 +2018,7 @@ function getInputs() {
            }
        }
        // SHA?
-        else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+        else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
            result.commit = result.ref;
            result.ref = '';
        }
@@ -2083,6 +2074,8 @@ function getInputs() {
        core.debug(`recursive submodules = ${result.nestedSubmodules}`);
        // Auth token
        result.authToken = core.getInput('token', { required: true });
+        // Git user
+        result.gitUser = core.getInput('git-user') || 'github-action[bot]';
        // SSH
        result.sshKey = core.getInput('ssh-key');
        result.sshKnownHosts = core.getInput('ssh-known-hosts');
@@ -2302,67 +2295,53 @@ function getRefSpecForAllHistory(ref, commit) {
    }
    return result;
 }
-function getRefSpec(ref, commit, fetchTags) {
+function getRefSpec(ref, commit) {
    if (!ref && !commit) {
        throw new Error('Args ref and commit cannot both be empty');
    }
    const upperRef = (ref || '').toUpperCase();
-    const result = [];
-    // When fetchTags is true, always include the tags refspec
-    if (fetchTags) {
-        result.push(exports.tagsRefSpec);
-    }
    // SHA
    if (commit) {
        // refs/heads
        if (upperRef.startsWith('REFS/HEADS/')) {
            const branch = ref.substring('refs/heads/'.length);
-            result.push(`+${commit}:refs/remotes/origin/${branch}`);
+            return [`+${commit}:refs/remotes/origin/${branch}`];
        }
        // refs/pull/
        else if (upperRef.startsWith('REFS/PULL/')) {
            const branch = ref.substring('refs/pull/'.length);
-            result.push(`+${commit}:refs/remotes/pull/${branch}`);
+            return [`+${commit}:refs/remotes/pull/${branch}`];
        }
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
-            if (!fetchTags) {
-                result.push(`+${ref}:${ref}`);
-            }
+            return [`+${commit}:${ref}`];
        }
        // Otherwise no destination ref
        else {
-            result.push(commit);
+            return [commit];
        }
    }
    // Unqualified ref, check for a matching branch or tag
    else if (!upperRef.startsWith('REFS/')) {
-        result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
-        if (!fetchTags) {
-            result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
-        }
+        return [
+            `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
+            `+refs/tags/${ref}*:refs/tags/${ref}*`
+        ];
    }
    // refs/heads/
    else if (upperRef.startsWith('REFS/HEADS/')) {
        const branch = ref.substring('refs/heads/'.length);
-        result.push(`+${ref}:refs/remotes/origin/${branch}`);
+        return [`+${ref}:refs/remotes/origin/${branch}`];
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
        const branch = ref.substring('refs/pull/'.length);
-        result.push(`+${ref}:refs/remotes/pull/${branch}`);
+        return [`+${ref}:refs/remotes/pull/${branch}`];
    }
    // refs/tags/
-    else if (upperRef.startsWith('REFS/TAGS/')) {
-        if (!fetchTags) {
-            result.push(`+${ref}:${ref}`);
-        }
-    }
-    // Other refs
    else {
-        result.push(`+${ref}:${ref}`);
+        return [`+${ref}:${ref}`];
    }
-    return result;
 }
 /**
 * Tests whether the initial fetch created the ref at the expected commit
@@ -2398,9 +2377,7 @@ function testRef(git, ref, commit) {
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
            const tagName = ref.substring('refs/tags/'.length);
-            // Use ^{commit} to dereference annotated tags to their underlying commit
-            return ((yield git.tagExists(tagName)) &&
-                commit === (yield git.revParse(`${ref}^{commit}`)));
+            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
        }
        // Unexpected
        else {
@@ -2450,7 +2427,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
                return;
            }
            // Extract details from message
-            const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
            if (!match) {
                core.debug('Unexpected message format');
                return;
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -13,12 +13,6 @@ import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'

 const IS_WINDOWS = process.platform === 'win32'
-// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
-// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
-// See: https://github.com/actions/checkout/issues/2345
-const INCLUDE_IF_GITDIR = IS_WINDOWS
-  ? 'includeIf.gitdir/i:'
-  : 'includeIf.gitdir:'
 const SSH_COMMAND_KEY = 'core.sshCommand'

 export interface IGitAuthHelper {
@@ -188,7 +182,7 @@ class GitAuthHelper {

        // Configure host includeIf
        await this.git.config(
-          `${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`,
+          `includeIf.gitdir:${submoduleGitDir}.path`,
          credentialsConfigPath,
          false, // globalConfig?
          false, // add?
@@ -210,7 +204,7 @@ class GitAuthHelper {

        // Configure container includeIf
        await this.git.config(
-          `${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`,
+          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
          containerCredentialsPath,
          false, // globalConfig?
          false, // add?
@@ -377,11 +371,11 @@ class GitAuthHelper {
      gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows

      // Configure host includeIf
-      const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`
+      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)

      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`
+      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)

      // Container git directory
@@ -403,11 +397,11 @@ class GitAuthHelper {
      )

      // Configure container includeIf
-      const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)

      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`
+      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
      await this.git.config(
        containerWorktreeIncludeKey,
        containerCredentialsPath
@@ -560,7 +554,7 @@ class GitAuthHelper {
    try {
      // Get all includeIf.gitdir keys
      const keys = await this.git.tryGetConfigKeys(
-        '^includeIf\\.gitdir(/i)?:',
+        '^includeIf\\.gitdir:',
        false, // globalConfig?
        configPath
      )
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -37,6 +37,7 @@ export interface IGitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void>
@@ -279,13 +280,14 @@ class GitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void> {
    const args = ['-c', 'protocol.version=2', 'fetch']
-    // Always use --no-tags for explicit control over tag fetching
-    // Tags are fetched explicitly via refspec when needed
-    args.push('--no-tags')
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
+      args.push('--no-tags')
+    }

    args.push('--prune', '--no-recurse-submodules')
    if (options.showProgress) {
@@ -728,19 +730,7 @@ class GitCommandManager {
      }
    }
    // Set the user agent
-    let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
-
-    // Append orchestration ID if set
-    const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
-    if (orchId) {
-      // Sanitize the orchestration ID to ensure it contains only valid characters
-      // Valid characters: 0-9, a-z, _, -, .
-      const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
-      if (sanitizedId) {
-        gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
-      }
-    }
-
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
    core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
    this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
  }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    const fetchOptions: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    } = {}

@@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        await git.fetch(refSpec, fetchOptions)
-
-        // Verify the ref now matches. For branches, the targeted fetch above brings
-        // in the specific commit. For tags (fetched by ref), this will fail if
-        // the tag was moved after the workflow was triggered.
-        if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-          throw new Error(
-            `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-              `The ref may have been updated after the workflow was triggered.`
-          )
-        }
      }
    } else {
      fetchOptions.fetchDepth = settings.fetchDepth
-      const refSpec = refHelper.getRefSpec(
-        settings.ref,
-        settings.commit,
-        settings.fetchTags
-      )
+      fetchOptions.fetchTags = settings.fetchTags
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
      await git.fetch(refSpec, fetchOptions)
-
-      // For tags, verify the ref still points to the expected commit.
-      // Tags are fetched by ref (not commit), so if a tag was moved after the
-      // workflow was triggered, we would silently check out the wrong commit.
-      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-        throw new Error(
-          `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-            `The ref may have been updated after the workflow was triggered.`
-        )
-      }
    }
    core.endGroup()

@@ -296,6 +274,23 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      settings.commit,
      settings.githubServerUrl
    )
+    if (settings.gitUser) {
+      if (!(await git.configExists('user.name', true))) {
+        await git.config('user.name', settings.gitUser, true)
+      }
+      if (!(await git.configExists('user.email', true))) {
+        const userId = await githubApiHelper.getUserId(
+          settings.gitUser,
+          settings.authToken,
+          settings.githubServerUrl
+        )
+        await git.config(
+          'user.email',
+          `${userId}+${settings.gitUser}@users.noreply.github.com`,
+          true
+        )
+      }
+    }
  } finally {
    // Remove auth
    if (authHelper) {
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@@ -79,6 +79,11 @@ export interface IGitSourceSettings {
   */
  authToken: string

+  /**
+   * A github user slug to set a default user name and email in the local git config
+   */
+  gitUser: string
+
  /**
   * The SSH key to configure
   */
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@@ -143,3 +143,15 @@ async function downloadArchive(
  })
  return Buffer.from(response.data as ArrayBuffer) // response.data is ArrayBuffer
 }
+
+export async function getUserId(
+  username: string,
+  authToken: string,
+  baseUrl?: string
+): Promise<number> {
+  const octokit = github.getOctokit(authToken, {
+    baseUrl: getServerApiUrl(baseUrl)
+  })
+  const user = await octokit.rest.users.getByUsername({username})
+  return user.data.id
+}
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
    }
  }
  // SHA?
-  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
    result.commit = result.ref
    result.ref = ''
  }
@@ -138,6 +138,9 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Auth token
  result.authToken = core.getInput('token', {required: true})

+  // Git user
+  result.gitUser = core.getInput('git-user') || 'github-action[bot]'
+
  // SSH
  result.sshKey = core.getInput('ssh-key')
  result.sshKnownHosts = core.getInput('ssh-known-hosts')
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
  return result
 }

-export function getRefSpec(
-  ref: string,
-  commit: string,
-  fetchTags?: boolean
-): string[] {
+export function getRefSpec(ref: string, commit: string): string[] {
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
  }

  const upperRef = (ref || '').toUpperCase()
-  const result: string[] = []
-
-  // When fetchTags is true, always include the tags refspec
-  if (fetchTags) {
-    result.push(tagsRefSpec)
-  }

  // SHA
  if (commit) {
    // refs/heads
    if (upperRef.startsWith('REFS/HEADS/')) {
      const branch = ref.substring('refs/heads/'.length)
-      result.push(`+${commit}:refs/remotes/origin/${branch}`)
+      return [`+${commit}:refs/remotes/origin/${branch}`]
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
      const branch = ref.substring('refs/pull/'.length)
-      result.push(`+${commit}:refs/remotes/pull/${branch}`)
+      return [`+${commit}:refs/remotes/pull/${branch}`]
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
-      if (!fetchTags) {
-        result.push(`+${ref}:${ref}`)
-      }
+      return [`+${commit}:${ref}`]
    }
    // Otherwise no destination ref
    else {
-      result.push(commit)
+      return [commit]
    }
  }
  // Unqualified ref, check for a matching branch or tag
  else if (!upperRef.startsWith('REFS/')) {
-    result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
-    if (!fetchTags) {
-      result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
-    }
+    return [
+      `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
+      `+refs/tags/${ref}*:refs/tags/${ref}*`
+    ]
  }
  // refs/heads/
  else if (upperRef.startsWith('REFS/HEADS/')) {
    const branch = ref.substring('refs/heads/'.length)
-    result.push(`+${ref}:refs/remotes/origin/${branch}`)
+    return [`+${ref}:refs/remotes/origin/${branch}`]
  }
  // refs/pull/
  else if (upperRef.startsWith('REFS/PULL/')) {
    const branch = ref.substring('refs/pull/'.length)
-    result.push(`+${ref}:refs/remotes/pull/${branch}`)
+    return [`+${ref}:refs/remotes/pull/${branch}`]
  }
  // refs/tags/
-  else if (upperRef.startsWith('REFS/TAGS/')) {
-    if (!fetchTags) {
-      result.push(`+${ref}:${ref}`)
-    }
-  }
-  // Other refs
  else {
-    result.push(`+${ref}:${ref}`)
+    return [`+${ref}:${ref}`]
  }
-
-  return result
 }

 /**
@@ -190,10 +170,8 @@ export async function testRef(
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
-    // Use ^{commit} to dereference annotated tags to their underlying commit
    return (
-      (await git.tagExists(tagName)) &&
-      commit === (await git.revParse(`${ref}^{commit}`))
+      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
    )
  }
  // Unexpected
@@ -258,9 +236,7 @@ export async function checkCommitInfo(
    }

    // Extract details from message
-    const match = commitInfo.match(
-      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
-    )
+    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
    if (!match) {
      core.debug('Unexpected message format')
      return
Author	SHA1	Message	Date
Nicolas Schweitzer	381b035b47	Merge `ab5d862ce8` into `8e8c483db8`	2025-12-02 08:24:33 +01:00
Nicolas Schweitzer	ab5d862ce8	fix tests and update index.js	2025-01-22 11:55:00 +01:00
Nicolas Schweitzer	5fba9eb899	codereview: define a git-user slug instead of a true/false config	2025-01-21 18:50:25 +01:00
Nicolas Schweitzer	f3b199b7ed	feat(git config): Set default user.name and user.email in git config	2024-12-19 16:24:48 +01:00