Merge 7618b1f401 into 1af3b93b68

Simplified the submoduleDirectories
Add string[] option to submodules
2026-06-14 16:53:47 +08:00 · 2025-11-21 08:38:25 +01:00 · 2024-08-28 13:16:59 +02:00 · 2024-08-27 10:37:37 +02:00
24 changed files with 232 additions and 729 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
      - name: Set Node.js 24.x
        uses: actions/setup-node@v4
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,7 @@ jobs:
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -9,6 +9,6 @@ jobs:
    runs-on: ubuntu-latest
    name: Check licenses
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run licensed-check
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -14,7 +14,7 @@ jobs:
    steps:
      - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
      - name: Publish
        id: publish
        uses: actions/publish-immutable-action@0.0.3
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,7 +19,7 @@ jobs:
      - uses: actions/setup-node@v4
        with:
          node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run build
      - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
      # Basic checkout
      - name: Checkout basic
@@ -87,17 +87,6 @@ jobs:
      - name: Verify fetch filter
        run: __test__/verify-fetch-filter.sh
      # Fetch tags
      - name: Checkout with fetch-tags
        uses: ./
        with:
          ref: test-data/v2/basic
          path: fetch-tags-test
          fetch-tags: true
      - name: Verify fetch-tags
        shell: bash
        run: __test__/verify-fetch-tags.sh
      # Sparse checkout
      - name: Sparse checkout
        uses: ./
@@ -165,6 +154,17 @@ jobs:
          submodules: true
      - name: Verify submodules true
        run: __test__/verify-submodules-true.sh
      # Submodules limited
      - name: Checkout submodules limited
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-true
          submodules: true
          submodule-directories: submodule-level-1
      - name: Verify submodules true
        run: __test__/verify-submodules-true.sh
      # Submodules recursive
      - name: Checkout submodules recursive
@@ -176,22 +176,6 @@ jobs:
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh
      # Worktree credentials
      - name: Checkout for worktree test
        uses: ./
        with:
          path: worktree-test
      - name: Verify worktree credentials
        shell: bash
        run: __test__/verify-worktree.sh worktree-test worktree-branch
      # Worktree credentials in container step
      - name: Verify worktree credentials in container step
        if: runner.os == 'Linux'
        uses: docker://bitnami/git:latest
        with:
          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
@@ -229,7 +213,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
      # Basic checkout using git
      - name: Checkout basic
@@ -261,7 +245,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
      # Basic checkout using git
      - name: Checkout basic
@@ -291,7 +275,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
        with:
          path: localClone
@@ -318,8 +302,8 @@ jobs:
          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
+      - name: Fix Checkout v4
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
        with:
          path: localClone
@@ -328,7 +312,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
        with:
          path: actions-checkout
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -23,7 +23,7 @@ jobs:
    # Note this update workflow can also be used as a rollback tool.
    # For that reason, it's best to pin `actions/checkout` to a known, stable version
    # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
      with:
        fetch-depth: 0
    - name: Git config
--- a/.github/workflows/update-test-ubuntu-git.yml
+++ b/.github/workflows/update-test-ubuntu-git.yml
@@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
      # Use `docker/login-action` to log in to GHCR.io. 
      # Once published, the packages are scoped to the account defined here.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,25 +1,19 @@
 # Changelog
-## v6.0.2
+## V6.0.0
 * Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
 ## v6.0.1
 * Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
 ## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
-## v5.0.1
+## V5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
-## v5.0.0
+## V5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
-## v4.3.1
+## V4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
--- a/README.md
+++ b/README.md
@@ -4,9 +4,8 @@
 ## What's new
- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
+- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
+  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
 - Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
 # Checkout v5
@@ -52,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 <!-- start usage -->
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@@ -150,6 +149,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    # Default: false
    submodules: ''
    # A list of submodules to checkout.
    # Default: null
    submodule-directories: ''
    # Add repository path as safe.directory for Git global config by running `git
    # config --global --add safe.directory <path>`
    # Default: true
@@ -191,7 +194,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: .
 ```
@@ -199,7 +202,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      .github
@@ -209,7 +212,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      README.md
@@ -219,7 +222,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 0
 ```
@@ -227,7 +230,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: my-branch
 ```
@@ -235,7 +238,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +248,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -261,10 +264,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -275,12 +278,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +296,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +312,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 ## Push a commit using the built-in token
@@ -320,7 +323,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
@@ -342,7 +345,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
      - run: |
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -974,46 +974,6 @@ describe('git-auth-helper tests', () => {
    ).toBe(false)
    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
  })
  const includeIfCleanupRegex_matchesBothVariants =
    'includeIf cleanup regex matches both gitdir: and gitdir/i: keys'
  it(includeIfCleanupRegex_matchesBothVariants, async () => {
    // The cleanup regex must match both variants so credential
    // removal works regardless of which was written
    const regex = /^includeIf\.gitdir(\/i)?:/
    expect(regex.test('includeIf.gitdir:D:/workspaces/repo/.git.path')).toBe(
      true
    )
    expect(regex.test('includeIf.gitdir/i:D:/Workspaces/repo/.git.path')).toBe(
      true
    )
    expect(regex.test('includeIf.gitdir/i:/github/workspace/.git.path')).toBe(
      true
    )
    expect(regex.test('includeIf.gitdir:~/projects/foo/.git.path')).toBe(true)
    expect(regex.test('includeIf.onbranch:main.path')).toBe(false)
    expect(regex.test('include.path')).toBe(false)
  })
  const includeIfDirective_usesCorrectVariantForPlatform =
    'includeIf directive uses gitdir/i on Windows and gitdir on other platforms'
  it(includeIfDirective_usesCorrectVariantForPlatform, async () => {
    await setup(includeIfDirective_usesCorrectVariantForPlatform)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    const localConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    if (isWindows) {
      expect(localConfigContent).toContain('includeIf.gitdir/i:')
      expect(localConfigContent).not.toContain('includeIf.gitdir:')
    } else {
      expect(localConfigContent).toContain('includeIf.gitdir:')
      expect(localConfigContent).not.toContain('includeIf.gitdir/i:')
    }
  })
 })
 async function setup(testName: string): Promise<void> {
@@ -1202,6 +1162,7 @@ async function setup(testName: string): Promise<void> {
    lfs: false,
    submodules: false,
    nestedSubmodules: false,
    submoduleDirectories: [],
    persistCredentials: true,
    ref: 'refs/heads/main',
    repositoryName: 'my-repo',
--- a/test/git-command-manager.test.ts
+++ b/test/git-command-manager.test.ts
@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    jest.restoreAllMocks()
  })
-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 0
+      fetchDepth: 0,
      fetchTags: true
    }
    await git.fetch(refSpec, options)
    expect(mockExec).toHaveBeenCalledWith(
      expect.any(String),
      [
        '-c',
        'protocol.version=2',
        'fetch',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        'origin',
        'refspec1',
        'refspec2'
      ],
      expect.any(Object)
    )
  })
  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
      fetchDepth: 0,
      fetchTags: false
    }
    await git.fetch(refSpec, options)
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
    const options = {
      filter: 'filterValue',
      fetchDepth: 0
    }
    await git.fetch(refSpec, options)
    expect(mockExec).toHaveBeenCalledWith(
      expect.any(String),
      [
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        'origin',
        'refspec1',
        'refspec2',
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
  })
  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
      fetchTags: false
    }
    await git.fetch(refSpec, options)
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
      fetchTags: true
    }
    await git.fetch(refSpec, options)
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        '--depth=1',
        'origin',
        'refspec1',
-        'refspec2',
+        'refspec2'
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
      fetchTags: true,
      showProgress: true
    }
@@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--progress',
        '--filter=filterValue',
        'origin',
        'refspec1',
-        'refspec2',
+        'refspec2'
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
  })
 })
 describe('git user-agent with orchestration ID', () => {
  beforeEach(async () => {
    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
  })
  afterEach(() => {
    jest.restoreAllMocks()
    // Clean up environment variable to prevent test pollution
    delete process.env['ACTIONS_ORCHESTRATION_ID']
  })
  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
    const orchId = 'test-orch-id-12345'
    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent includes the orchestration ID
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
    )
  })
  it('should sanitize invalid characters in orchestration ID', async () => {
    const orchId = 'test (with) special/chars'
    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
    )
  })
  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
    delete process.env['ACTIONS_ORCHESTRATION_ID']
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent does NOT contain orchestration ID
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      'git/2.18 (github-actions-checkout)'
    )
  })
 })
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@@ -21,6 +21,13 @@ describe('input-helper tests', () => {
    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
      return inputs[name]
    })
    // Mock getMultilineInput
    jest.spyOn(core, 'getMultilineInput').mockImplementation((name: string) => {
      const input: string[] = (inputs[name] || '')
        .split('\n')
        .filter(x => x !== '')
      return input.map(inp => inp.trim())
    })
    // Mock error/warning/info/debug
    jest.spyOn(core, 'error').mockImplementation(jest.fn())
@@ -87,6 +94,7 @@ describe('input-helper tests', () => {
    expect(settings.showProgress).toBe(true)
    expect(settings.lfs).toBe(false)
    expect(settings.ref).toBe('refs/heads/some-ref')
    expect(settings.submoduleDirectories).toStrictEqual([])
    expect(settings.repositoryName).toBe('some-repo')
    expect(settings.repositoryOwner).toBe('some-owner')
    expect(settings.repositoryPath).toBe(gitHubWorkspace)
@@ -133,16 +141,6 @@ describe('input-helper tests', () => {
    expect(settings.commit).toBe('1111111111222222222233333333334444444444')
  })
  it('sets ref to empty when explicit sha-256', async () => {
    inputs.ref =
      '1111111111222222222233333333334444444444555555555566666666667777'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
    expect(settings.ref).toBeFalsy()
    expect(settings.commit).toBe(
      '1111111111222222222233333333334444444444555555555566666666667777'
    )
  })
  it('sets sha to empty when explicit ref', async () => {
    inputs.ref = 'refs/heads/some-other-ref'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
@@ -154,4 +152,13 @@ describe('input-helper tests', () => {
    const settings: IGitSourceSettings = await inputHelper.getInputs()
    expect(settings.workflowOrganizationId).toBe(123456)
  })
  it('sets submoduleDirectories', async () => {
    inputs['submodule-directories'] = 'submodule1\nsubmodule2'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
    expect(settings.submoduleDirectories).toStrictEqual([
      'submodule1',
      'submodule2'
    ])
    expect(settings.submodules).toBe(true)
  })
 })
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@@ -1,12 +1,8 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
 import * as refHelper from '../lib/ref-helper'
 import {IGitCommandManager} from '../lib/git-command-manager'
 const commit = '1234567890123456789012345678901234567890'
 const sha256Commit =
  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager
 describe('ref-helper tests', () => {
@@ -41,12 +37,6 @@ describe('ref-helper tests', () => {
    expect(checkoutInfo.startPoint).toBeFalsy()
  })
  it('getCheckoutInfo sha-256 only', async () => {
    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
    expect(checkoutInfo.ref).toBe(sha256Commit)
    expect(checkoutInfo.startPoint).toBeFalsy()
  })
  it('getCheckoutInfo refs/heads/', async () => {
    const checkoutInfo = await refHelper.getCheckoutInfo(
      git,
@@ -162,22 +152,7 @@ describe('ref-helper tests', () => {
  it('getRefSpec sha + refs/tags/', async () => {
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
  })
  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
  })
  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
    // When fetchTags is true, include both the branch refspec and tags wildcard
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
  })
  it('getRefSpec sha only', async () => {
@@ -193,14 +168,6 @@ describe('ref-helper tests', () => {
    expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
  })
  it('getRefSpec unqualified ref only with fetchTags', async () => {
    // When fetchTags is true, skip specific tag pattern since wildcard covers all
    const refSpec = refHelper.getRefSpec('my-ref', '', true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
  })
  it('getRefSpec refs/heads/ only', async () => {
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
    expect(refSpec.length).toBe(1)
@@ -220,159 +187,4 @@ describe('ref-helper tests', () => {
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
  })
  it('getRefSpec refs/tags/ only with fetchTags', async () => {
    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
  })
  it('getRefSpec refs/heads/ only with fetchTags', async () => {
    // When fetchTags is true, include both the branch refspec and tags wildcard
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe(
      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
    )
  })
  describe('checkCommitInfo', () => {
    const repositoryOwner = 'some-owner'
    const repositoryName = 'some-repo'
    const ref = 'refs/pull/123/merge'
    const sha1Head = '1111111111222222222233333333334444444444'
    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
    const sha256Head =
      '1111111111222222222233333333334444444444555555555566666666667777'
    const sha256Base =
      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
    let debugSpy: jest.SpyInstance
    let getOctokitSpy: jest.SpyInstance
    let repoGetSpy: jest.Mock
    let originalEventName: string
    let originalPayload: unknown
    let originalRef: string
    let originalSha: string
    function setPullRequestContext(
      expectedHeadSha: string,
      expectedBaseSha: string,
      mergeCommit: string
    ): void {
      ;(github.context as any).eventName = 'pull_request'
      github.context.ref = ref
      github.context.sha = mergeCommit
      ;(github.context as any).payload = {
        action: 'synchronize',
        after: expectedHeadSha,
        number: 123,
        pull_request: {
          base: {
            sha: expectedBaseSha
          }
        },
        repository: {
          private: false
        }
      }
    }
    beforeEach(() => {
      originalEventName = github.context.eventName
      originalPayload = github.context.payload
      originalRef = github.context.ref
      originalSha = github.context.sha
      jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
        owner: repositoryOwner,
        repo: repositoryName
      })
      debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
      repoGetSpy = jest.fn(async () => ({}))
      getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
        rest: {
          repos: {
            get: repoGetSpy
          }
        }
      } as any)
    })
    afterEach(() => {
      ;(github.context as any).eventName = originalEventName
      ;(github.context as any).payload = originalPayload
      github.context.ref = originalRef
      github.context.sha = originalSha
      jest.restoreAllMocks()
    })
    it('returns early for SHA-1 merge commit', async () => {
      setPullRequestContext(sha1Head, sha1Base, commit)
      await refHelper.checkCommitInfo(
        'token',
        `Merge ${sha1Head} into ${sha1Base}`,
        repositoryOwner,
        repositoryName,
        ref,
        commit
      )
      expect(getOctokitSpy).not.toHaveBeenCalled()
      expect(repoGetSpy).not.toHaveBeenCalled()
    })
    it('matches SHA-256 merge commit info', async () => {
      const actualHeadSha =
        '9999999999888888888877777777776666666666555555555544444444443333'
      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
      await refHelper.checkCommitInfo(
        'token',
        `Merge ${actualHeadSha} into ${sha256Base}`,
        repositoryOwner,
        repositoryName,
        ref,
        sha256Commit
      )
      expect(getOctokitSpy).toHaveBeenCalledWith(
        'token',
        expect.objectContaining({
          userAgent: expect.stringContaining(
            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
          )
        })
      )
      expect(repoGetSpy).toHaveBeenCalledWith({
        owner: repositoryOwner,
        repo: repositoryName
      })
      expect(debugSpy).toHaveBeenCalledWith(
        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
      )
      expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
    })
    it('does not match 50-char hex as a valid merge', async () => {
      const invalidHeadSha =
        '99999999998888888888777777777766666666665555555555'
      setPullRequestContext(sha1Head, sha1Base, commit)
      await refHelper.checkCommitInfo(
        'token',
        `Merge ${invalidHeadSha} into ${sha1Base}`,
        repositoryOwner,
        repositoryName,
        ref,
        commit
      )
      expect(getOctokitSpy).not.toHaveBeenCalled()
      expect(repoGetSpy).not.toHaveBeenCalled()
      expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
    })
  })
 })
--- a/test/verify-fetch-tags.sh
+++ b/test/verify-fetch-tags.sh
@@ -1,9 +0,0 @@
 #!/bin/sh
 # Verify tags were fetched
 TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
 if [ "$TAG_COUNT" -eq 0 ]; then
    echo "Expected tags to be fetched, but found none"
    exit 1
 fi
 echo "Found $TAG_COUNT tags"
--- a/test/verify-worktree.sh
+++ b/test/verify-worktree.sh
@@ -1,51 +0,0 @@
 #!/bin/bash
 set -e
 # Verify worktree credentials
 # This test verifies that git credentials work in worktrees created after checkout
 # Usage: verify-worktree.sh <checkout-path> <worktree-name>
 CHECKOUT_PATH="$1"
 WORKTREE_NAME="$2"
 if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
  exit 1
 fi
 cd "$CHECKOUT_PATH"
 # Add safe directory for container environments
 git config --global --add safe.directory "*" 2>/dev/null || true
 # Show the includeIf configuration
 echo "Git config includeIf entries:"
 git config --list --show-origin | grep -i include || true
 # Create the worktree
 echo "Creating worktree..."
 git worktree add "../$WORKTREE_NAME" HEAD --detach
 # Change to worktree directory
 cd "../$WORKTREE_NAME"
 # Verify we're in a worktree
 echo "Verifying worktree gitdir:"
 cat .git
 # Verify credentials are available in worktree by checking extraheader is configured
 echo "Checking credentials in worktree..."
 if git config --list --show-origin | grep -q "extraheader"; then
  echo "Credentials are configured in worktree"
 else
  echo "ERROR: Credentials are NOT configured in worktree"
  echo "Full git config:"
  git config --list --show-origin
  exit 1
 fi
 # Verify fetch works in the worktree
 echo "Fetching in worktree..."
 git fetch origin
 echo "Worktree credentials test passed!"
--- a/action.yml
+++ b/action.yml
@@ -92,6 +92,10 @@ inputs:
      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
      converted to HTTPS.
    default: false
  submodule-directories:
    description: >
      A list of submodules to checkout.
    default: null
  set-safe-directory:
    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
    default: true
--- a/dist/index.js
+++ b/dist/index.js
@@ -151,12 +151,6 @@ const stateHelper = __importStar(__nccwpck_require__(4866));
 const urlHelper = __importStar(__nccwpck_require__(9437));
 const uuid_1 = __nccwpck_require__(5840);
 const IS_WINDOWS = process.platform === 'win32';
 // Use case-insensitive gitdir matching on Windows to handle path casing mismatches
 // between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
 // See: https://github.com/actions/checkout/issues/2345
 const INCLUDE_IF_GITDIR = IS_WINDOWS
    ? 'includeIf.gitdir/i:'
    : 'includeIf.gitdir:';
 const SSH_COMMAND_KEY = 'core.sshCommand';
 function createAuthHelper(git, settings) {
    return new GitAuthHelper(git, settings);
@@ -276,7 +270,7 @@ class GitAuthHelper {
                    let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
                    submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    // Configure host includeIf
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
                    false, // add?
                    configPath);
                    // Container submodule git directory
@@ -286,7 +280,7 @@ class GitAuthHelper {
                    relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
                    // Configure container includeIf
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
                    false, // add?
                    configPath);
                }
@@ -416,11 +410,8 @@ class GitAuthHelper {
                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
                gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                // Configure host includeIf
-                const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`;
+                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
                // Configure host includeIf for worktrees
                const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`;
                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -431,11 +422,8 @@ class GitAuthHelper {
                // Container credentials config path
                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
                // Configure container includeIf
-                const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`;
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
                // Configure container includeIf for worktrees
                const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`;
                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
    }
@@ -571,7 +559,7 @@ class GitAuthHelper {
            const credentialsPaths = new Set();
            try {
                // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir(/i)?:', false, // globalConfig?
+                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
                configPath);
                for (const key of keys) {
                    // Get all values for this key
@@ -659,6 +647,7 @@ const fs = __importStar(__nccwpck_require__(7147));
 const fshelper = __importStar(__nccwpck_require__(7219));
 const io = __importStar(__nccwpck_require__(7436));
 const path = __importStar(__nccwpck_require__(1017));
 const refHelper = __importStar(__nccwpck_require__(8601));
 const regexpHelper = __importStar(__nccwpck_require__(3120));
 const retryHelper = __importStar(__nccwpck_require__(2155));
 const git_version_1 = __nccwpck_require__(3142);
@@ -836,9 +825,9 @@ class GitCommandManager {
    fetch(refSpec, options) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2', 'fetch'];
-            // Always use --no-tags for explicit control over tag fetching
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-            // Tags are fetched explicitly via refspec when needed
+                args.push('--no-tags');
-            args.push('--no-tags');
+            }
            args.push('--prune', '--no-recurse-submodules');
            if (options.showProgress) {
                args.push('--progress');
@@ -986,10 +975,10 @@ class GitCommandManager {
            yield this.execGit(args);
        });
    }
-    submoduleUpdate(fetchDepth, recursive) {
+    submoduleUpdate(fetchDepth, recursive, submoduleDirectories) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2'];
-            args.push('submodule', 'update', '--init', '--force');
+            args.push('submodule', 'update', '--init', '--force', ...submoduleDirectories);
            if (fetchDepth > 0) {
                args.push(`--depth=${fetchDepth}`);
            }
@@ -1211,17 +1200,7 @@ class GitCommandManager {
                }
            }
            // Set the user agent
-            let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
+            const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
            // Append orchestration ID if set
            const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
            if (orchId) {
                // Sanitize the orchestration ID to ensure it contains only valid characters
                // Valid characters: 0-9, a-z, _, -, .
                const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
                if (sanitizedId) {
                    gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
                }
            }
            core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
            this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
        });
@@ -1544,26 +1523,13 @@ function getSource(settings) {
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                    yield git.fetch(refSpec, fetchOptions);
                    // Verify the ref now matches. For branches, the targeted fetch above brings
                    // in the specific commit. For tags (fetched by ref), this will fail if
                    // the tag was moved after the workflow was triggered.
                    if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                        throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
                            `The ref may have been updated after the workflow was triggered.`);
                    }
                }
            }
            else {
                fetchOptions.fetchDepth = settings.fetchDepth;
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
+                fetchOptions.fetchTags = settings.fetchTags;
                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                yield git.fetch(refSpec, fetchOptions);
                // For tags, verify the ref still points to the expected commit.
                // Tags are fetched by ref (not commit), so if a tag was moved after the
                // workflow was triggered, we would silently check out the wrong commit.
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
                        `The ref may have been updated after the workflow was triggered.`);
                }
            }
            core.endGroup();
            // Checkout info
@@ -1610,7 +1576,7 @@ function getSource(settings) {
                // Checkout submodules
                core.startGroup('Fetching submodules');
                yield git.submoduleSync(settings.nestedSubmodules);
-                yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules);
+                yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules, settings.submoduleDirectories);
                yield git.submoduleForeach('git config --local gc.auto 0', settings.nestedSubmodules);
                core.endGroup();
                // Persist credentials
@@ -2027,7 +1993,7 @@ function getInputs() {
            }
        }
        // SHA?
-        else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+        else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
            result.commit = result.ref;
            result.ref = '';
        }
@@ -2071,6 +2037,7 @@ function getInputs() {
        // Submodules
        result.submodules = false;
        result.nestedSubmodules = false;
        result.submoduleDirectories = [];
        const submodulesString = (core.getInput('submodules') || '').toUpperCase();
        if (submodulesString == 'RECURSIVE') {
            result.submodules = true;
@@ -2079,8 +2046,15 @@ function getInputs() {
        else if (submodulesString == 'TRUE') {
            result.submodules = true;
        }
        const submoduleDirectories = core.getMultilineInput('submodule-directories');
        if (submoduleDirectories.length > 0) {
            result.submoduleDirectories = submoduleDirectories;
            if (!result.submodules)
                result.submodules = true;
        }
        core.debug(`submodules = ${result.submodules}`);
        core.debug(`recursive submodules = ${result.nestedSubmodules}`);
        core.debug(`submodule directories = ${result.submoduleDirectories}`);
        // Auth token
        result.authToken = core.getInput('token', { required: true });
        // SSH
@@ -2302,67 +2276,53 @@ function getRefSpecForAllHistory(ref, commit) {
    }
    return result;
 }
-function getRefSpec(ref, commit, fetchTags) {
+function getRefSpec(ref, commit) {
    if (!ref && !commit) {
        throw new Error('Args ref and commit cannot both be empty');
    }
    const upperRef = (ref || '').toUpperCase();
    const result = [];
    // When fetchTags is true, always include the tags refspec
    if (fetchTags) {
        result.push(exports.tagsRefSpec);
    }
    // SHA
    if (commit) {
        // refs/heads
        if (upperRef.startsWith('REFS/HEADS/')) {
            const branch = ref.substring('refs/heads/'.length);
-            result.push(`+${commit}:refs/remotes/origin/${branch}`);
+            return [`+${commit}:refs/remotes/origin/${branch}`];
        }
        // refs/pull/
        else if (upperRef.startsWith('REFS/PULL/')) {
            const branch = ref.substring('refs/pull/'.length);
-            result.push(`+${commit}:refs/remotes/pull/${branch}`);
+            return [`+${commit}:refs/remotes/pull/${branch}`];
        }
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
-            if (!fetchTags) {
+            return [`+${commit}:${ref}`];
                result.push(`+${ref}:${ref}`);
            }
        }
        // Otherwise no destination ref
        else {
-            result.push(commit);
+            return [commit];
        }
    }
    // Unqualified ref, check for a matching branch or tag
    else if (!upperRef.startsWith('REFS/')) {
-        result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
+        return [
-        if (!fetchTags) {
+            `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-            result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
+            `+refs/tags/${ref}*:refs/tags/${ref}*`
-        }
+        ];
    }
    // refs/heads/
    else if (upperRef.startsWith('REFS/HEADS/')) {
        const branch = ref.substring('refs/heads/'.length);
-        result.push(`+${ref}:refs/remotes/origin/${branch}`);
+        return [`+${ref}:refs/remotes/origin/${branch}`];
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
        const branch = ref.substring('refs/pull/'.length);
-        result.push(`+${ref}:refs/remotes/pull/${branch}`);
+        return [`+${ref}:refs/remotes/pull/${branch}`];
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
        if (!fetchTags) {
            result.push(`+${ref}:${ref}`);
        }
    }
    // Other refs
    else {
-        result.push(`+${ref}:${ref}`);
+        return [`+${ref}:${ref}`];
    }
    return result;
 }
 /**
 * Tests whether the initial fetch created the ref at the expected commit
@@ -2398,9 +2358,7 @@ function testRef(git, ref, commit) {
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
            const tagName = ref.substring('refs/tags/'.length);
-            // Use ^{commit} to dereference annotated tags to their underlying commit
+            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
            return ((yield git.tagExists(tagName)) &&
                commit === (yield git.revParse(`${ref}^{commit}`)));
        }
        // Unexpected
        else {
@@ -2450,7 +2408,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
                return;
            }
            // Extract details from message
-            const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
            if (!match) {
                core.debug('Unexpected message format');
                return;
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -13,12 +13,6 @@ import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 const IS_WINDOWS = process.platform === 'win32'
 // Use case-insensitive gitdir matching on Windows to handle path casing mismatches
 // between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
 // See: https://github.com/actions/checkout/issues/2345
 const INCLUDE_IF_GITDIR = IS_WINDOWS
  ? 'includeIf.gitdir/i:'
  : 'includeIf.gitdir:'
 const SSH_COMMAND_KEY = 'core.sshCommand'
 export interface IGitAuthHelper {
@@ -188,7 +182,7 @@ class GitAuthHelper {
        // Configure host includeIf
        await this.git.config(
-          `${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`,
+          `includeIf.gitdir:${submoduleGitDir}.path`,
          credentialsConfigPath,
          false, // globalConfig?
          false, // add?
@@ -210,7 +204,7 @@ class GitAuthHelper {
        // Configure container includeIf
        await this.git.config(
-          `${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`,
+          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
          containerCredentialsPath,
          false, // globalConfig?
          false, // add?
@@ -377,13 +371,9 @@ class GitAuthHelper {
      gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
      // Configure host includeIf
-      const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`
+      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)
      // Configure host includeIf for worktrees
      const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`
      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
      // Container git directory
      const workingDirectory = this.git.getWorkingDirectory()
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -403,15 +393,8 @@ class GitAuthHelper {
      )
      // Configure container includeIf
-      const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)
      // Configure container includeIf for worktrees
      const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`
      await this.git.config(
        containerWorktreeIncludeKey,
        containerCredentialsPath
      )
    }
  }
@@ -560,7 +543,7 @@ class GitAuthHelper {
    try {
      // Get all includeIf.gitdir keys
      const keys = await this.git.tryGetConfigKeys(
-        '^includeIf\\.gitdir(/i)?:',
+        '^includeIf\\.gitdir:',
        false, // globalConfig?
        configPath
      )
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -37,6 +37,7 @@ export interface IGitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void>
@@ -55,7 +56,11 @@ export interface IGitCommandManager {
  shaExists(sha: string): Promise<boolean>
  submoduleForeach(command: string, recursive: boolean): Promise<string>
  submoduleSync(recursive: boolean): Promise<void>
-  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
+  submoduleUpdate(
    fetchDepth: number,
    recursive: boolean,
    submoduleDirectories: string[]
  ): Promise<void>
  submoduleStatus(): Promise<boolean>
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
@@ -279,13 +284,14 @@ class GitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void> {
    const args = ['-c', 'protocol.version=2', 'fetch']
-    // Always use --no-tags for explicit control over tag fetching
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-    // Tags are fetched explicitly via refspec when needed
+      args.push('--no-tags')
-    args.push('--no-tags')
+    }
    args.push('--prune', '--no-recurse-submodules')
    if (options.showProgress) {
@@ -446,9 +452,19 @@ class GitCommandManager {
    await this.execGit(args)
  }
-  async submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void> {
+  async submoduleUpdate(
    fetchDepth: number,
    recursive: boolean,
    submoduleDirectories: string[]
  ): Promise<void> {
    const args = ['-c', 'protocol.version=2']
-    args.push('submodule', 'update', '--init', '--force')
+    args.push(
      'submodule',
      'update',
      '--init',
      '--force',
      ...submoduleDirectories
    )
    if (fetchDepth > 0) {
      args.push(`--depth=${fetchDepth}`)
    }
@@ -728,19 +744,7 @@ class GitCommandManager {
      }
    }
    // Set the user agent
-    let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
    // Append orchestration ID if set
    const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
    if (orchId) {
      // Sanitize the orchestration ID to ensure it contains only valid characters
      // Valid characters: 0-9, a-z, _, -, .
      const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
      if (sanitizedId) {
        gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
      }
    }
    core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
    this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
  }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    const fetchOptions: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    } = {}
@@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        await git.fetch(refSpec, fetchOptions)
        // Verify the ref now matches. For branches, the targeted fetch above brings
        // in the specific commit. For tags (fetched by ref), this will fail if
        // the tag was moved after the workflow was triggered.
        if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
          throw new Error(
            `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
              `The ref may have been updated after the workflow was triggered.`
          )
        }
      }
    } else {
      fetchOptions.fetchDepth = settings.fetchDepth
-      const refSpec = refHelper.getRefSpec(
+      fetchOptions.fetchTags = settings.fetchTags
-        settings.ref,
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        settings.commit,
        settings.fetchTags
      )
      await git.fetch(refSpec, fetchOptions)
      // For tags, verify the ref still points to the expected commit.
      // Tags are fetched by ref (not commit), so if a tag was moved after the
      // workflow was triggered, we would silently check out the wrong commit.
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        throw new Error(
          `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
            `The ref may have been updated after the workflow was triggered.`
        )
      }
    }
    core.endGroup()
@@ -264,7 +242,11 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      // Checkout submodules
      core.startGroup('Fetching submodules')
      await git.submoduleSync(settings.nestedSubmodules)
-      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
+      await git.submoduleUpdate(
        settings.fetchDepth,
        settings.nestedSubmodules,
        settings.submoduleDirectories
      )
      await git.submoduleForeach(
        'git config --local gc.auto 0',
        settings.nestedSubmodules
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@@ -74,6 +74,11 @@ export interface IGitSourceSettings {
   */
  nestedSubmodules: boolean
  /**
   * Indicates which submodule paths to checkout
   */
  submoduleDirectories: string[]
  /**
   * The auth token to use when fetching the repository
   */
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
    }
  }
  // SHA?
-  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
    result.commit = result.ref
    result.ref = ''
  }
@@ -125,6 +125,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Submodules
  result.submodules = false
  result.nestedSubmodules = false
  result.submoduleDirectories = []
  const submodulesString = (core.getInput('submodules') || '').toUpperCase()
  if (submodulesString == 'RECURSIVE') {
    result.submodules = true
@@ -132,9 +133,16 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  } else if (submodulesString == 'TRUE') {
    result.submodules = true
  }
  const submoduleDirectories = core.getMultilineInput('submodule-directories')
  if (submoduleDirectories.length > 0) {
    result.submoduleDirectories = submoduleDirectories
    if (!result.submodules) result.submodules = true
  }
  core.debug(`submodules = ${result.submodules}`)
  core.debug(`recursive submodules = ${result.nestedSubmodules}`)
-
+  core.debug(`submodule directories = ${result.submoduleDirectories}`)
  // Auth token
  result.authToken = core.getInput('token', {required: true})
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@@ -120,7 +120,7 @@ function updateUsage(
 }
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
  return result
 }
-export function getRefSpec(
+export function getRefSpec(ref: string, commit: string): string[] {
  ref: string,
  commit: string,
  fetchTags?: boolean
 ): string[] {
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
  }
  const upperRef = (ref || '').toUpperCase()
  const result: string[] = []
  // When fetchTags is true, always include the tags refspec
  if (fetchTags) {
    result.push(tagsRefSpec)
  }
  // SHA
  if (commit) {
    // refs/heads
    if (upperRef.startsWith('REFS/HEADS/')) {
      const branch = ref.substring('refs/heads/'.length)
-      result.push(`+${commit}:refs/remotes/origin/${branch}`)
+      return [`+${commit}:refs/remotes/origin/${branch}`]
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
      const branch = ref.substring('refs/pull/'.length)
-      result.push(`+${commit}:refs/remotes/pull/${branch}`)
+      return [`+${commit}:refs/remotes/pull/${branch}`]
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
-      if (!fetchTags) {
+      return [`+${commit}:${ref}`]
        result.push(`+${ref}:${ref}`)
      }
    }
    // Otherwise no destination ref
    else {
-      result.push(commit)
+      return [commit]
    }
  }
  // Unqualified ref, check for a matching branch or tag
  else if (!upperRef.startsWith('REFS/')) {
-    result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
+    return [
-    if (!fetchTags) {
+      `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-      result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
+      `+refs/tags/${ref}*:refs/tags/${ref}*`
-    }
+    ]
  }
  // refs/heads/
  else if (upperRef.startsWith('REFS/HEADS/')) {
    const branch = ref.substring('refs/heads/'.length)
-    result.push(`+${ref}:refs/remotes/origin/${branch}`)
+    return [`+${ref}:refs/remotes/origin/${branch}`]
  }
  // refs/pull/
  else if (upperRef.startsWith('REFS/PULL/')) {
    const branch = ref.substring('refs/pull/'.length)
-    result.push(`+${ref}:refs/remotes/pull/${branch}`)
+    return [`+${ref}:refs/remotes/pull/${branch}`]
  }
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    if (!fetchTags) {
      result.push(`+${ref}:${ref}`)
    }
  }
  // Other refs
  else {
-    result.push(`+${ref}:${ref}`)
+    return [`+${ref}:${ref}`]
  }
  return result
 }
 /**
@@ -190,10 +170,8 @@ export async function testRef(
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
    // Use ^{commit} to dereference annotated tags to their underlying commit
    return (
-      (await git.tagExists(tagName)) &&
+      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
      commit === (await git.revParse(`${ref}^{commit}`))
    )
  }
  // Unexpected
@@ -258,9 +236,7 @@ export async function checkCommitInfo(
    }
    // Extract details from message
-    const match = commitInfo.match(
+    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
    )
    if (!match) {
      core.debug('Unexpected message format')
      return
Author	SHA1	Message	Date
Marcus Tillmanns	ce7b6f00a4	Merge `7618b1f401` into `1af3b93b68`	2025-11-21 08:38:25 +01:00
Marcus Tillmanns	7618b1f401	Simplified the submoduleDirectories	2024-08-28 13:16:59 +02:00
Marcus Tillmanns	b6625bb44a	Add string[] option to submodules Allows checking out only specific submodules instead of all	2024-08-27 10:37:37 +02:00