Merge 1d3fa26c9e into ff7abcd0c3

Update README to include Node.js 24 support details and requirements (#2248 )
* Update README to include Node.js 24 support details and requirements * Update
2026-06-23 17:43:52 +08:00 · 2025-08-15 02:48:30 +02:00 · 2025-08-13 13:57:25 +01:00 · 2025-08-11 13:35:28 +01:00 · 2025-08-11 11:52:51 +01:00 · 2023-10-06 12:42:43 -04:00
15 changed files with 75 additions and 706 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -24,10 +24,10 @@ jobs:
    steps:
      - uses: actions/checkout@v4.1.6

-      - name: Set Node.js 20.x
+      - name: Set Node.js 24.x
        uses: actions/setup-node@v4
        with:
-          node-version: 20.x
+          node-version: 24.x

      - name: Install dependencies
        run: npm ci
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,7 +18,7 @@ jobs:
    steps:
      - uses: actions/setup-node@v4
        with:
-          node-version: 20.x
+          node-version: 24.x
      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run build
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -11,6 +11,7 @@ on:
        type: choice
        description: The major version to update
        options:
+          - v5
          - v4
          - v3
          - v2
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog

+## V5.0.0
+* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
+
+
 ## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
--- a/README.md
+++ b/README.md
@@ -1,5 +1,13 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)

+# Checkout V5
+
+## What's new
+
+- Updated to the node24 runtime
+  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
+
+
 # Checkout V4

 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
@@ -36,7 +44,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 <!-- start usage -->
 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@@ -149,24 +157,33 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 # Scenarios

- [Fetch only the root files](#Fetch-only-the-root-files)
- [Fetch only the root files and `.github` and `src` folder](#Fetch-only-the-root-files-and-github-and-src-folder)
- [Fetch only a single file](#Fetch-only-a-single-file)
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
- [Checkout a different branch](#Checkout-a-different-branch)
- [Checkout HEAD^](#Checkout-HEAD)
- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
- [Push a commit to a PR using the built-in token](#Push-a-commit-to-a-PR-using-the-built-in-token)
+- [Checkout V5](#checkout-v5)
+  - [What's new](#whats-new)
+- [Checkout V4](#checkout-v4)
+    - [Note](#note)
+- [What's new](#whats-new-1)
+- [Usage](#usage)
+- [Scenarios](#scenarios)
+  - [Fetch only the root files](#fetch-only-the-root-files)
+  - [Fetch only the root files and `.github` and `src` folder](#fetch-only-the-root-files-and-github-and-src-folder)
+  - [Fetch only a single file](#fetch-only-a-single-file)
+  - [Fetch all history for all tags and branches](#fetch-all-history-for-all-tags-and-branches)
+  - [Checkout a different branch](#checkout-a-different-branch)
+  - [Checkout HEAD^](#checkout-head)
+  - [Checkout multiple repos (side by side)](#checkout-multiple-repos-side-by-side)
+  - [Checkout multiple repos (nested)](#checkout-multiple-repos-nested)
+  - [Checkout multiple repos (private)](#checkout-multiple-repos-private)
+  - [Checkout pull request HEAD commit instead of merge commit](#checkout-pull-request-head-commit-instead-of-merge-commit)
+  - [Checkout pull request on closed event](#checkout-pull-request-on-closed-event)
+  - [Push a commit using the built-in token](#push-a-commit-using-the-built-in-token)
+  - [Push a commit to a PR using the built-in token](#push-a-commit-to-a-pr-using-the-built-in-token)
+- [Recommended permissions](#recommended-permissions)
+- [License](#license)

 ## Fetch only the root files

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    sparse-checkout: .
 ```
@@ -174,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      .github
@@ -184,7 +201,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      README.md
@@ -194,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    fetch-depth: 0
 ```
@@ -202,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    ref: my-branch
 ```
@@ -210,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@@ -220,12 +237,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
  with:
    path: main

 - name: Checkout tools repo
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -236,10 +253,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5

 - name: Checkout tools repo
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -250,12 +267,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
  with:
    path: main

 - name: Checkout private tools
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -268,7 +285,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit

 ```yaml
- uses: actions/checkout@v4
+- uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -284,7 +301,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 ```

 ## Push a commit using the built-in token
@@ -295,7 +312,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
@@ -317,7 +334,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
      - run: |
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -675,283 +675,6 @@ describe('git-auth-helper tests', () => {
    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
  })

-  const removeAuth_removesV6StyleCredentials =
-    'removeAuth removes v6 style credentials'
-  it(removeAuth_removesV6StyleCredentials, async () => {
-    // Arrange
-    await setup(removeAuth_removesV6StyleCredentials)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    // Manually create v6-style credentials that would be left by v6
-    const credentialsFileName =
-      'git-credentials-12345678-1234-1234-1234-123456789abc.config'
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf entries to local git config (simulating v6 configuration)
-    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
-    await fs.promises.appendFile(
-      localGitConfigPath,
-      `[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
-    )
-    await fs.promises.appendFile(
-      localGitConfigPath,
-      `[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
-    )
-
-    // Verify v6 style config exists
-    let gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
-    expect(
-      gitConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-    await fs.promises.stat(credentialsFilePath) // Verify file exists
-
-    // Mock the git methods to handle v6 cleanup
-    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
-    mockTryGetConfigKeys.mockResolvedValue([
-      `includeIf.gitdir:${hostGitDir}/.path`,
-      'includeIf.gitdir:/github/workspace/.git/.path'
-    ])
-
-    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
-    mockTryGetConfigValues.mockImplementation(async (key: string) => {
-      if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
-        return [credentialsFilePath]
-      }
-      if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
-        return [`/github/runner_temp/${credentialsFileName}`]
-      }
-      return []
-    })
-
-    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
-      any,
-      any
-    >
-    mockTryConfigUnsetValue.mockImplementation(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ) => {
-        const targetPath = configPath || localGitConfigPath
-        let content = await fs.promises.readFile(targetPath, 'utf8')
-        // Remove the includeIf section
-        const lines = content
-          .split('\n')
-          .filter(line => !line.includes('includeIf') && !line.includes(value))
-        await fs.promises.writeFile(targetPath, lines.join('\n'))
-        return true
-      }
-    )
-
-    // Act
-    await authHelper.removeAuth()
-
-    // Assert includeIf entries removed from local git config
-    gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
-    expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
-
-    // Assert credentials config file deleted
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
-  })
-
-  const removeAuth_removesV6StyleCredentialsFromSubmodules =
-    'removeAuth removes v6 style credentials from submodules'
-  it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
-    // Arrange
-    await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
-
-    // Create fake submodule config paths
-    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
-    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
-    await fs.promises.mkdir(submodule1Dir, {recursive: true})
-    await fs.promises.writeFile(submodule1ConfigPath, '')
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    // Create v6-style credentials file
-    const credentialsFileName =
-      'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf entries to submodule config
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-    await fs.promises.appendFile(
-      submodule1ConfigPath,
-      `[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
-    )
-
-    // Verify submodule config has includeIf entry
-    let submoduleConfigContent = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
-      0
-    )
-    expect(
-      submoduleConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Mock getSubmoduleConfigPaths
-    const mockGetSubmoduleConfigPaths =
-      git.getSubmoduleConfigPaths as jest.Mock<any, any>
-    mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
-
-    // Mock tryGetConfigKeys for submodule
-    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
-    mockTryGetConfigKeys.mockImplementation(
-      async (pattern: string, globalConfig?: boolean, configPath?: string) => {
-        if (configPath === submodule1ConfigPath) {
-          return [`includeIf.gitdir:${submodule1GitDir}/.path`]
-        }
-        return []
-      }
-    )
-
-    // Mock tryGetConfigValues for submodule
-    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
-    mockTryGetConfigValues.mockImplementation(
-      async (key: string, globalConfig?: boolean, configPath?: string) => {
-        if (
-          configPath === submodule1ConfigPath &&
-          key === `includeIf.gitdir:${submodule1GitDir}/.path`
-        ) {
-          return [credentialsFilePath]
-        }
-        return []
-      }
-    )
-
-    // Mock tryConfigUnsetValue for submodule
-    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
-      any,
-      any
-    >
-    mockTryConfigUnsetValue.mockImplementation(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ) => {
-        const targetPath = configPath || localGitConfigPath
-        let content = await fs.promises.readFile(targetPath, 'utf8')
-        const lines = content
-          .split('\n')
-          .filter(line => !line.includes('includeIf') && !line.includes(value))
-        await fs.promises.writeFile(targetPath, lines.join('\n'))
-        return true
-      }
-    )
-
-    // Act
-    await authHelper.removeAuth()
-
-    // Assert submodule includeIf entries removed
-    submoduleConfigContent = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
-    expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
-
-    // Assert credentials file deleted
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
-  })
-
-  const removeAuth_skipsV6CleanupWhenEnvVarSet =
-    'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
-  it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
-    // Arrange
-    await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
-
-    // Set the skip environment variable
-    process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    // Create v6-style credentials file in RUNNER_TEMP
-    const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
-    const credentialsContent =
-      '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf section to local git config (separate from http.* config)
-    const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
-    await fs.promises.appendFile(localGitConfigPath, includeIfSection)
-
-    // Verify v6 style config exists
-    let gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
-    await fs.promises.stat(credentialsFilePath) // Verify file exists
-
-    // Act
-    await authHelper.removeAuth()
-
-    // Assert v5 cleanup still happened (http.* removed)
-    gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(
-      gitConfigContent.indexOf('http.https://github.com/.extraheader')
-    ).toBeLessThan(0)
-
-    // Assert v6 cleanup was skipped - includeIf should still be present
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
-    expect(
-      gitConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Assert credentials file still exists (wasn't deleted)
-    await fs.promises.stat(credentialsFilePath) // File should still exist
-
-    // Assert debug message was logged
-    expect(core.debug).toHaveBeenCalledWith(
-      'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
-    )
-
-    // Cleanup
-    delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
-  })
-
  const removeGlobalConfig_removesOverride =
    'removeGlobalConfig removes override'
  it(removeGlobalConfig_removesOverride, async () => {
@@ -1073,18 +796,6 @@ async function setup(testName: string): Promise<void> {
    ),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => {
-      return []
-    }),
-    tryConfigUnsetValue: jest.fn(async () => {
-      return true
-    }),
-    tryGetConfigValues: jest.fn(async () => {
-      return []
-    }),
-    tryGetConfigKeys: jest.fn(async () => {
-      return []
-    }),
    tryReset: jest.fn(),
    version: jest.fn()
  }
--- a/test/git-directory-helper.test.ts
+++ b/test/git-directory-helper.test.ts
@@ -499,18 +499,6 @@ async function setup(testName: string): Promise<void> {
      await fs.promises.stat(path.join(repositoryPath, '.git'))
      return repositoryUrl
    }),
-    getSubmoduleConfigPaths: jest.fn(async () => {
-      return []
-    }),
-    tryConfigUnsetValue: jest.fn(async () => {
-      return true
-    }),
-    tryGetConfigValues: jest.fn(async () => {
-      return []
-    }),
-    tryGetConfigKeys: jest.fn(async () => {
-      return []
-    }),
    tryReset: jest.fn(async () => {
      return true
    }),
--- a/action.yml
+++ b/action.yml
@@ -104,6 +104,6 @@ outputs:
  commit:
    description: 'The commit SHA that was checked out'
 runs:
-  using: node20
+  using: node24
  main: dist/index.js
  post: dist/index.js
--- a/dist/index.js
+++ b/dist/index.js
@@ -411,50 +411,8 @@ class GitAuthHelper {
    }
    removeToken() {
        return __awaiter(this, void 0, void 0, function* () {
-            // Remove HTTP extra header from local git config and submodule configs
+            // HTTP extra header
            yield this.removeGitConfig(this.tokenConfigKey);
-            //
-            // Cleanup actions/checkout@v6 style credentials
-            //
-            const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
-            if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
-                core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
-                return;
-            }
-            try {
-                // Collect credentials config paths that need to be removed
-                const credentialsPaths = new Set();
-                // Remove includeIf entries that point to git-credentials-*.config files
-                const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
-                mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
-                // Remove submodule includeIf entries that point to git-credentials-*.config files
-                try {
-                    const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
-                    for (const configPath of submoduleConfigPaths) {
-                        const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
-                        submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
-                    }
-                }
-                catch (err) {
-                    core.debug(`Unable to get submodule config paths: ${err}`);
-                }
-                // Remove credentials config files
-                for (const credentialsPath of credentialsPaths) {
-                    // Only remove credentials config files if they are under RUNNER_TEMP
-                    const runnerTemp = process.env['RUNNER_TEMP'];
-                    if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
-                        try {
-                            yield io.rmRF(credentialsPath);
-                        }
-                        catch (err) {
-                            core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
-                        }
-                    }
-                }
-            }
-            catch (err) {
-                core.debug(`Failed to cleanup v6 style credentials: ${err}`);
-            }
        });
    }
    removeGitConfig(configKey_1) {
@@ -472,49 +430,6 @@ class GitAuthHelper {
            `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
        });
    }
-    /**
-     * Removes includeIf entries that point to git-credentials-*.config files.
-     * This handles cleanup of credentials configured by newer versions of the action.
-     * @param configPath Optional path to a specific git config file to operate on
-     * @returns Array of unique credentials config file paths that were found and removed
-     */
-    removeIncludeIfCredentials(configPath) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const credentialsPaths = new Set();
-            try {
-                // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
-                configPath);
-                for (const key of keys) {
-                    // Get all values for this key
-                    const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
-                    configPath);
-                    if (values.length > 0) {
-                        // Remove only values that match git-credentials-<uuid>.config pattern
-                        for (const value of values) {
-                            if (this.testCredentialsConfigPath(value)) {
-                                credentialsPaths.add(value);
-                                yield this.git.tryConfigUnsetValue(key, value, false, configPath);
-                            }
-                        }
-                    }
-                }
-            }
-            catch (err) {
-                // Ignore errors - this is cleanup code
-                core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
-            }
-            return Array.from(credentialsPaths);
-        });
-    }
-    /**
-     * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
-     * @param path The path to test
-     * @returns True if the path matches the credentials config pattern
-     */
-    testCredentialsConfigPath(path) {
-        return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
-    }
 }


@@ -791,16 +706,6 @@ class GitCommandManager {
            throw new Error('Unexpected output when retrieving default branch');
        });
    }
-    getSubmoduleConfigPaths(recursive) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // Get submodule config file paths.
-            // Use `--show-origin` to get the config file path for each submodule.
-            const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
-            // Extract config file paths from the output (lines starting with "file:").
-            const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
-            return configPaths;
-        });
-    }
    getWorkingDirectory() {
        return this.workingDirectory;
    }
@@ -931,20 +836,6 @@ class GitCommandManager {
            return output.exitCode === 0;
        });
    }
-    tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
-            if (configFile) {
-                args.push('--file', configFile);
-            }
-            else {
-                args.push(globalConfig ? '--global' : '--local');
-            }
-            args.push('--unset', configKey, configValue);
-            const output = yield this.execGit(args, true);
-            return output.exitCode === 0;
-        });
-    }
    tryDisableAutomaticGarbageCollection() {
        return __awaiter(this, void 0, void 0, function* () {
            const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
@@ -964,46 +855,6 @@ class GitCommandManager {
            return stdout;
        });
    }
-    tryGetConfigValues(configKey, globalConfig, configFile) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
-            if (configFile) {
-                args.push('--file', configFile);
-            }
-            else {
-                args.push(globalConfig ? '--global' : '--local');
-            }
-            args.push('--get-all', configKey);
-            const output = yield this.execGit(args, true);
-            if (output.exitCode !== 0) {
-                return [];
-            }
-            return output.stdout
-                .trim()
-                .split('\n')
-                .filter(value => value.trim());
-        });
-    }
-    tryGetConfigKeys(pattern, globalConfig, configFile) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
-            if (configFile) {
-                args.push('--file', configFile);
-            }
-            else {
-                args.push(globalConfig ? '--global' : '--local');
-            }
-            args.push('--name-only', '--get-regexp', pattern);
-            const output = yield this.execGit(args, true);
-            if (output.exitCode !== 0) {
-                return [];
-            }
-            return output.stdout
-                .trim()
-                .split('\n')
-                .filter(key => key.trim());
-        });
-    }
    tryReset() {
        return __awaiter(this, void 0, void 0, function* () {
            const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);
@@ -2263,7 +2114,8 @@ function testRef(git, ref, commit) {
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
            const tagName = ref.substring('refs/tags/'.length);
-            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
+            return ((yield git.tagExists(tagName)) &&
+                commit === (yield git.revParse(`${ref}^{commit}`)));
        }
        // Unexpected
        else {
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "checkout",
-  "version": "4.3.0",
+  "version": "5.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "checkout",
-      "version": "4.3.0",
+      "version": "5.0.0",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "^1.10.1",
@@ -18,7 +18,7 @@
      },
      "devDependencies": {
        "@types/jest": "^29.5.12",
-        "@types/node": "^20.12.12",
+        "@types/node": "^24.1.0",
        "@types/uuid": "^9.0.8",
        "@typescript-eslint/eslint-plugin": "^7.9.0",
        "@typescript-eslint/parser": "^7.9.0",
@@ -1515,12 +1515,12 @@
      "dev": true
    },
    "node_modules/@types/node": {
-      "version": "20.12.12",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.12.tgz",
-      "integrity": "sha512-eWLDGF/FOSPtAvEqeRAQ4C8LSA7M1I7i0ky1I8U7kD1J5ITyW3AsRhQrKVoWf5pFKZ2kILsEGJhsI9r93PYnOw==",
+      "version": "24.1.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-24.1.0.tgz",
+      "integrity": "sha512-ut5FthK5moxFKH2T1CUOC6ctR67rQRvvHdFLCD2Ql6KXmMuCrjsSsRI9UsLCm9M18BMwClv4pn327UvB7eeO1w==",
      "dev": true,
      "dependencies": {
-        "undici-types": "~5.26.4"
+        "undici-types": "~7.8.0"
      }
    },
    "node_modules/@types/stack-utils": {
@@ -6865,9 +6865,9 @@
      }
    },
    "node_modules/undici-types": {
-      "version": "5.26.5",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
-      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==",
+      "version": "7.8.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
+      "integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
      "dev": true
    },
    "node_modules/universal-user-agent": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "checkout",
-  "version": "4.3.0",
+  "version": "5.0.0",
  "description": "checkout action",
  "main": "lib/main.js",
  "scripts": {
@@ -37,7 +37,7 @@
  },
  "devDependencies": {
    "@types/jest": "^29.5.12",
-    "@types/node": "^20.12.12",
+    "@types/node": "^24.1.0",
    "@types/uuid": "^9.0.8",
    "@typescript-eslint/eslint-plugin": "^7.9.0",
    "@typescript-eslint/parser": "^7.9.0",
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -346,58 +346,8 @@ class GitAuthHelper {
  }

  private async removeToken(): Promise<void> {
-    // Remove HTTP extra header from local git config and submodule configs
+    // HTTP extra header
    await this.removeGitConfig(this.tokenConfigKey)
-
-    //
-    // Cleanup actions/checkout@v6 style credentials
-    //
-    const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
-    if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
-      core.debug(
-        'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
-      )
-      return
-    }
-
-    try {
-      // Collect credentials config paths that need to be removed
-      const credentialsPaths = new Set<string>()
-
-      // Remove includeIf entries that point to git-credentials-*.config files
-      const mainCredentialsPaths = await this.removeIncludeIfCredentials()
-      mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
-
-      // Remove submodule includeIf entries that point to git-credentials-*.config files
-      try {
-        const submoduleConfigPaths =
-          await this.git.getSubmoduleConfigPaths(true)
-        for (const configPath of submoduleConfigPaths) {
-          const submoduleCredentialsPaths =
-            await this.removeIncludeIfCredentials(configPath)
-          submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
-        }
-      } catch (err) {
-        core.debug(`Unable to get submodule config paths: ${err}`)
-      }
-
-      // Remove credentials config files
-      for (const credentialsPath of credentialsPaths) {
-        // Only remove credentials config files if they are under RUNNER_TEMP
-        const runnerTemp = process.env['RUNNER_TEMP']
-        if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
-          try {
-            await io.rmRF(credentialsPath)
-          } catch (err) {
-            core.debug(
-              `Failed to remove credentials config '${credentialsPath}': ${err}`
-            )
-          }
-        }
-      }
-    } catch (err) {
-      core.debug(`Failed to cleanup v6 style credentials: ${err}`)
-    }
  }

  private async removeGitConfig(
@@ -421,59 +371,4 @@ class GitAuthHelper {
      true
    )
  }
-
-  /**
-   * Removes includeIf entries that point to git-credentials-*.config files.
-   * This handles cleanup of credentials configured by newer versions of the action.
-   * @param configPath Optional path to a specific git config file to operate on
-   * @returns Array of unique credentials config file paths that were found and removed
-   */
-  private async removeIncludeIfCredentials(
-    configPath?: string
-  ): Promise<string[]> {
-    const credentialsPaths = new Set<string>()
-
-    try {
-      // Get all includeIf.gitdir keys
-      const keys = await this.git.tryGetConfigKeys(
-        '^includeIf\\.gitdir:',
-        false, // globalConfig?
-        configPath
-      )
-
-      for (const key of keys) {
-        // Get all values for this key
-        const values = await this.git.tryGetConfigValues(
-          key,
-          false, // globalConfig?
-          configPath
-        )
-        if (values.length > 0) {
-          // Remove only values that match git-credentials-<uuid>.config pattern
-          for (const value of values) {
-            if (this.testCredentialsConfigPath(value)) {
-              credentialsPaths.add(value)
-              await this.git.tryConfigUnsetValue(key, value, false, configPath)
-            }
-          }
-        }
-      }
-    } catch (err) {
-      // Ignore errors - this is cleanup code
-      core.debug(
-        `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
-      )
-    }
-
-    return Array.from(credentialsPaths)
-  }
-
-  /**
-   * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
-   * @param path The path to test
-   * @returns True if the path matches the credentials config pattern
-   */
-  private testCredentialsConfigPath(path: string): boolean {
-    return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
-  }
 }
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -41,7 +41,6 @@ export interface IGitCommandManager {
    }
  ): Promise<void>
  getDefaultBranch(repositoryUrl: string): Promise<string>
-  getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
  getWorkingDirectory(): string
  init(): Promise<void>
  isDetached(): Promise<boolean>
@@ -60,24 +59,8 @@ export interface IGitCommandManager {
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
  tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
-  tryConfigUnsetValue(
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<boolean>
  tryDisableAutomaticGarbageCollection(): Promise<boolean>
  tryGetFetchUrl(): Promise<string>
-  tryGetConfigValues(
-    configKey: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
-  tryGetConfigKeys(
-    pattern: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
  tryReset(): Promise<boolean>
  version(): Promise<GitVersion>
 }
@@ -340,21 +323,6 @@ class GitCommandManager {
    throw new Error('Unexpected output when retrieving default branch')
  }

-  async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
-    // Get submodule config file paths.
-    // Use `--show-origin` to get the config file path for each submodule.
-    const output = await this.submoduleForeach(
-      `git config --local --show-origin --name-only --get-regexp remote.origin.url`,
-      recursive
-    )
-
-    // Extract config file paths from the output (lines starting with "file:").
-    const configPaths =
-      output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
-
-    return configPaths
-  }
-
  getWorkingDirectory(): string {
    return this.workingDirectory
  }
@@ -487,24 +455,6 @@ class GitCommandManager {
    return output.exitCode === 0
  }

-  async tryConfigUnsetValue(
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<boolean> {
-    const args = ['config']
-    if (configFile) {
-      args.push('--file', configFile)
-    } else {
-      args.push(globalConfig ? '--global' : '--local')
-    }
-    args.push('--unset', configKey, configValue)
-
-    const output = await this.execGit(args, true)
-    return output.exitCode === 0
-  }
-
  async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
    const output = await this.execGit(
      ['config', '--local', 'gc.auto', '0'],
@@ -531,56 +481,6 @@ class GitCommandManager {
    return stdout
  }

-  async tryGetConfigValues(
-    configKey: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]> {
-    const args = ['config']
-    if (configFile) {
-      args.push('--file', configFile)
-    } else {
-      args.push(globalConfig ? '--global' : '--local')
-    }
-    args.push('--get-all', configKey)
-
-    const output = await this.execGit(args, true)
-
-    if (output.exitCode !== 0) {
-      return []
-    }
-
-    return output.stdout
-      .trim()
-      .split('\n')
-      .filter(value => value.trim())
-  }
-
-  async tryGetConfigKeys(
-    pattern: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]> {
-    const args = ['config']
-    if (configFile) {
-      args.push('--file', configFile)
-    } else {
-      args.push(globalConfig ? '--global' : '--local')
-    }
-    args.push('--name-only', '--get-regexp', pattern)
-
-    const output = await this.execGit(args, true)
-
-    if (output.exitCode !== 0) {
-      return []
-    }
-
-    return output.stdout
-      .trim()
-      .split('\n')
-      .filter(key => key.trim())
-  }
-
  async tryReset(): Promise<boolean> {
    const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
    return output.exitCode === 0
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@@ -120,7 +120,7 @@ function updateUsage(
 }

 updateUsage(
-  'actions/checkout@v4',
+  'actions/checkout@v5',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -171,7 +171,8 @@ export async function testRef(
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
    return (
-      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
+      (await git.tagExists(tagName)) &&
+      commit === (await git.revParse(`${ref}^{commit}`))
    )
  }
  // Unexpected
Author	SHA1	Message	Date
Mark Vander Stel	21bf035c67	Merge `1d3fa26c9e` into `ff7abcd0c3`	2025-08-15 02:48:30 +02:00
Salman Chishti	ff7abcd0c3	Update README to include Node.js 24 support details and requirements (#2248 ) * Update README to include Node.js 24 support details and requirements * Update	2025-08-13 13:57:25 +01:00
Salman Chishti	08c6903cd8	Prepare v5.0.0 release (#2238 )	2025-08-11 13:35:28 +01:00
Salman Chishti	9f265659d3	Update actions checkout to use node 24 (#2226 ) * use node 24 * update other parts to node 24 * bump to major version, audit fix, changelog * update licenses * update dist * update major version * will do separate pr for v5 and will do a minor version for previous changes	2025-08-11 11:52:51 +01:00
Mark Vander Stel	1d3fa26c9e	Fix checkout of annotated tag loosing annotation Currently, a check is done after fetch to ensure that the repo state has not changed since the workflow was triggered. This check will reset the checkout to the commit that triggered the workflow, even if the branch or tag has moved since. The issue is that the check currently sees what "object" the ref points to. For an annotated tag, that is the annotation, not the commit. This means the check always fails for annotated tags, and they are reset to the commit, losing the annotation. Losing the annotation can be fatal, as `git describe` will only match annotated tags. The fix is simple: check if the tag points at the right commit, ignoring any other type of object. This is done with the <rev>^{commit} syntax. From the git-rev-parse docs: > <rev>^{<type>}, e.g. v0.99.8^{commit} > A suffix ^ followed by an object type name enclosed in brace pair > means dereference the object at <rev> recursively until an object of > type <type> is found or the object cannot be dereferenced anymore (in > which case, barf). For example, if <rev> is a commit-ish, > <rev>^{commit} describes the corresponding commit object. Similarly, > if <rev> is a tree-ish, <rev>^{tree} describes the corresponding tree > object. <rev>^0 is a short-hand for <rev>^{commit}. If the check still fails, we will still reset the tag to the commit, losing the annotation. However, there is no way to truly recover in this situtation, as GitHub does not capture the annotation on workflow start, and since the history has changed, we can not trust the new tag to contain the same data as it did before. Fixes #290 Closes #697	2023-10-06 12:42:43 -04:00