mirror of
https://github.com/actions/checkout.git
synced 2026-06-29 18:13:51 +08:00
Compare commits
24 Commits
v4.3.1
...
dd74a91233
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
dd74a91233 | ||
|
|
ff7abcd0c3 | ||
|
|
08c6903cd8 | ||
|
|
9f265659d3 | ||
|
|
1d1e7b0d14 | ||
|
|
4fbfd0616f | ||
|
|
2fe00dafc5 | ||
|
|
88f75d99cf | ||
|
|
4c9771d239 | ||
|
|
5273dc8b75 | ||
|
|
2b3ba3731a | ||
|
|
69f65d8073 | ||
|
|
23f7367f17 | ||
|
|
0e43ec312b | ||
|
|
3481f8bbc8 | ||
|
|
2e5004252b | ||
|
|
d0fb879b3f | ||
|
|
12745083dd | ||
|
|
ef76a65b44 | ||
|
|
7ecec56e6d | ||
|
|
9e52bd2490 | ||
|
|
90d97a43da | ||
|
|
1cf234d9d1 | ||
|
|
fe41cdfeaf |
4
.github/workflows/check-dist.yml
vendored
4
.github/workflows/check-dist.yml
vendored
@@ -24,10 +24,10 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/checkout@v4.1.6
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
- name: Set Node.js 24.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
node-version: 24.x
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
61
.github/workflows/codacy.yml
vendored
Normal file
61
.github/workflows/codacy.yml
vendored
Normal file
@@ -0,0 +1,61 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
# This workflow checks out code, performs a Codacy security scan
|
||||
# and integrates the results with the
|
||||
# GitHub Advanced Security code scanning feature. For more information on
|
||||
# the Codacy security scan action usage and parameters, see
|
||||
# https://github.com/codacy/codacy-analysis-cli-action.
|
||||
# For more information on Codacy Analysis CLI in general, see
|
||||
# https://github.com/codacy/codacy-analysis-cli.
|
||||
|
||||
name: Codacy Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ "main" ]
|
||||
schedule:
|
||||
- cron: '39 20 * * 1'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
codacy-security-scan:
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
|
||||
name: Codacy Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Checkout the repository to the GitHub Actions runner
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
|
||||
- name: Run Codacy Analysis CLI
|
||||
uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
|
||||
with:
|
||||
# Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
|
||||
# You can also omit the token and run the tools that support default configurations
|
||||
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
|
||||
verbose: true
|
||||
output: results.sarif
|
||||
format: sarif
|
||||
# Adjust severity of non-security issues
|
||||
gh-code-scanning-compat: true
|
||||
# Force 0 exit code to allow SARIF file generation
|
||||
# This will handover control about PR rejection to the GitHub side
|
||||
max-allowed-issues: 2147483647
|
||||
|
||||
# Upload the SARIF file generated in the previous step
|
||||
- name: Upload SARIF results file
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
100
.github/workflows/codeql.yml
vendored
Normal file
100
.github/workflows/codeql.yml
vendored
Normal file
@@ -0,0 +1,100 @@
|
||||
# For most projects, this workflow file will not need changing; you simply need
|
||||
# to commit it to your repository.
|
||||
#
|
||||
# You may wish to alter this file to override the set of languages analyzed,
|
||||
# or to provide custom queries or build logic.
|
||||
#
|
||||
# ******** NOTE ********
|
||||
# We have attempted to detect the languages in your repository. Please check
|
||||
# the `language` matrix defined below to confirm you have the correct set of
|
||||
# supported CodeQL languages.
|
||||
#
|
||||
name: "CodeQL Advanced"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
schedule:
|
||||
- cron: '38 16 * * 5'
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze (${{ matrix.language }})
|
||||
# Runner size impacts CodeQL analysis time. To learn more, please see:
|
||||
# - https://gh.io/recommended-hardware-resources-for-running-codeql
|
||||
# - https://gh.io/supported-runners-and-hardware-resources
|
||||
# - https://gh.io/using-larger-runners (GitHub.com only)
|
||||
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
|
||||
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
|
||||
permissions:
|
||||
# required for all workflows
|
||||
security-events: write
|
||||
|
||||
# required to fetch internal or private CodeQL packs
|
||||
packages: read
|
||||
|
||||
# only required for workflows in private repositories
|
||||
actions: read
|
||||
contents: read
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
include:
|
||||
- language: actions
|
||||
build-mode: none
|
||||
- language: javascript-typescript
|
||||
build-mode: none
|
||||
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
|
||||
# Use `c-cpp` to analyze code written in C, C++ or both
|
||||
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
|
||||
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
|
||||
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
|
||||
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
|
||||
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
|
||||
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Add any setup steps before running the `github/codeql-action/init` action.
|
||||
# This includes steps like installing compilers or runtimes (`actions/setup-node`
|
||||
# or others). This is typically only required for manual builds.
|
||||
# - name: Setup runtime (example)
|
||||
# uses: actions/setup-example@v1
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
build-mode: ${{ matrix.build-mode }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
# By default, queries listed here will override any specified in a config file.
|
||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||
|
||||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
|
||||
# If the analyze step fails for one of the languages you are analyzing with
|
||||
# "We were unable to automatically build your code", modify the matrix above
|
||||
# to set the build mode to "manual" for that language. Then modify this step
|
||||
# to build your code.
|
||||
# ℹ️ Command-line programs to run using the OS shell.
|
||||
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
||||
- if: matrix.build-mode == 'manual'
|
||||
shell: bash
|
||||
run: |
|
||||
echo 'If you are using a "manual" build mode for one or more of the' \
|
||||
'languages you are analyzing, replace this with the commands to build' \
|
||||
'your code, for example:'
|
||||
echo ' make bootstrap'
|
||||
echo ' make release'
|
||||
exit 1
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v3
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
18
.github/workflows/docker-image.yml
vendored
Normal file
18
.github/workflows/docker-image.yml
vendored
Normal file
@@ -0,0 +1,18 @@
|
||||
name: Docker Image CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
jobs:
|
||||
|
||||
build:
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Build the Docker image
|
||||
run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
|
||||
129
.github/workflows/fortify.yml
vendored
Normal file
129
.github/workflows/fortify.yml
vendored
Normal file
@@ -0,0 +1,129 @@
|
||||
# This workflow uses actions that are not certified by GitHub.
|
||||
# They are provided by a third-party and are governed by
|
||||
# separate terms of service, privacy policy, and support
|
||||
# documentation.
|
||||
|
||||
################################################################################################################################################
|
||||
# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
|
||||
# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
|
||||
# #
|
||||
# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
|
||||
# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
|
||||
# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
|
||||
# documentation. If you need additional assistance, please contact Fortify support. #
|
||||
################################################################################################################################################
|
||||
|
||||
name: Fortify AST Scan
|
||||
|
||||
# Customize trigger events based on your DevSecOps process and/or policy
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ "main" ]
|
||||
schedule:
|
||||
- cron: '40 23 * * 6'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
Fortify-AST-Scan:
|
||||
# Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
# pull-requests: write # Required if DO_PR_COMMENT is set to true
|
||||
|
||||
steps:
|
||||
# Check out source code
|
||||
- name: Check Out Source Code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
|
||||
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
|
||||
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
|
||||
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
|
||||
# required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
|
||||
# and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action
|
||||
# documentation at https://github.com/fortify/github-action#readme for more information on the various
|
||||
# configuration options and available sub-actions.
|
||||
- name: Run Fortify Scan
|
||||
# Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example
|
||||
# uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases
|
||||
# are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability
|
||||
# required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version
|
||||
# of this action, allowing your workflows to automatically benefit from any new features and bug fixes.
|
||||
uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297
|
||||
with:
|
||||
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
|
||||
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
|
||||
# is disabled). For SSC, run a Debricked scan and import results into SSC.
|
||||
env:
|
||||
#############################################################
|
||||
##### Fortify on Demand configuration
|
||||
##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below)
|
||||
### Required configuration
|
||||
FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret
|
||||
FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required;
|
||||
FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets.
|
||||
FOD_PASSWORD: ${{secrets.FOD_PAT}}
|
||||
# FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}}
|
||||
# FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}}
|
||||
### Optional configuration
|
||||
# FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
|
||||
# FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Setup FoD application, release & static scan configuration
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# Pass extra options to setup action:
|
||||
# SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}"
|
||||
# PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options
|
||||
# FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
||||
|
||||
#############################################################
|
||||
##### Fortify Hosted / Software Security Center & ScanCentral
|
||||
##### Remove this section if you're integrating with Fortify on Demand (see above)
|
||||
### Required configuration
|
||||
SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret
|
||||
SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets
|
||||
SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled
|
||||
DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled
|
||||
SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled
|
||||
### Optional configuration
|
||||
# SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options
|
||||
# SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
|
||||
# SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: <org>/<repo>:<branch>
|
||||
# DO_SETUP: true # Set up SSC application & version
|
||||
# SETUP_ACTION: <URL or file> # Customize setup action
|
||||
# SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action
|
||||
# PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options
|
||||
# EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options
|
||||
# DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled)
|
||||
# DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL
|
||||
# POLICY_CHECK_ACTION: <URL or file> # Customize security policy checks
|
||||
# POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action
|
||||
# DO_JOB_SUMMARY: true # Generate workflow job summary
|
||||
# JOB_SUMMARY_ACTION: <URL or file> # Customize job summary
|
||||
# JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action
|
||||
# DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers
|
||||
# PR_COMMENT_ACTION: <URL or file> # Customize PR comments
|
||||
# PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action
|
||||
# DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard
|
||||
# EXPORT_ACTION: <URL or file> # Customize export action
|
||||
# EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action
|
||||
# TOOL_DEFINITIONS: <URL> # URL from where to retrieve Fortify tool definitions
|
||||
51
.github/workflows/jekyll-gh-pages.yml
vendored
Normal file
51
.github/workflows/jekyll-gh-pages.yml
vendored
Normal file
@@ -0,0 +1,51 @@
|
||||
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
|
||||
name: Deploy Jekyll with GitHub Pages dependencies preinstalled
|
||||
|
||||
on:
|
||||
# Runs on pushes targeting the default branch
|
||||
push:
|
||||
branches: ["main"]
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
|
||||
permissions:
|
||||
contents: read
|
||||
pages: write
|
||||
id-token: write
|
||||
|
||||
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
|
||||
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
|
||||
concurrency:
|
||||
group: "pages"
|
||||
cancel-in-progress: false
|
||||
|
||||
jobs:
|
||||
# Build job
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: Setup Pages
|
||||
uses: actions/configure-pages@v5
|
||||
- name: Build with Jekyll
|
||||
uses: actions/jekyll-build-pages@v1
|
||||
with:
|
||||
source: ./
|
||||
destination: ./_site
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-pages-artifact@v3
|
||||
|
||||
# Deployment job
|
||||
deploy:
|
||||
environment:
|
||||
name: github-pages
|
||||
url: ${{ steps.deployment.outputs.page_url }}
|
||||
runs-on: ubuntu-latest
|
||||
needs: build
|
||||
steps:
|
||||
- name: Deploy to GitHub Pages
|
||||
id: deployment
|
||||
uses: actions/deploy-pages@v4
|
||||
16
.github/workflows/main.yml
vendored
Normal file
16
.github/workflows/main.yml
vendored
Normal file
@@ -0,0 +1,16 @@
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: "github-actions"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
|
||||
- package-ecosystem: "terraform"
|
||||
directory: "/infra"
|
||||
schedule:
|
||||
interval: "daily"
|
||||
|
||||
- package-ecosystem: "docker"
|
||||
directory: "/"
|
||||
schedule:
|
||||
interval: "weekly"
|
||||
2
.github/workflows/test.yml
vendored
2
.github/workflows/test.yml
vendored
@@ -18,7 +18,7 @@ jobs:
|
||||
steps:
|
||||
- uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
node-version: 24.x
|
||||
- uses: actions/checkout@v4.1.6
|
||||
- run: npm ci
|
||||
- run: npm run build
|
||||
|
||||
1
.github/workflows/update-main-version.yml
vendored
1
.github/workflows/update-main-version.yml
vendored
@@ -11,6 +11,7 @@ on:
|
||||
type: choice
|
||||
description: The major version to update
|
||||
options:
|
||||
- v5
|
||||
- v4
|
||||
- v3
|
||||
- v2
|
||||
|
||||
@@ -1,5 +1,9 @@
|
||||
# Changelog
|
||||
|
||||
## V5.0.0
|
||||
* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
|
||||
|
||||
|
||||
## V4.3.0
|
||||
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
|
||||
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
|
||||
|
||||
77
README.md
77
README.md
@@ -1,5 +1,13 @@
|
||||
[](https://github.com/actions/checkout/actions/workflows/test.yml)
|
||||
|
||||
# Checkout V5
|
||||
|
||||
## What's new
|
||||
|
||||
- Updated to the node24 runtime
|
||||
- This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
|
||||
|
||||
|
||||
# Checkout V4
|
||||
|
||||
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
|
||||
@@ -36,7 +44,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
<!-- start usage -->
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
# Repository name with owner. For example, actions/checkout
|
||||
# Default: ${{ github.repository }}
|
||||
@@ -149,24 +157,33 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
# Scenarios
|
||||
|
||||
- [Fetch only the root files](#Fetch-only-the-root-files)
|
||||
- [Fetch only the root files and `.github` and `src` folder](#Fetch-only-the-root-files-and-github-and-src-folder)
|
||||
- [Fetch only a single file](#Fetch-only-a-single-file)
|
||||
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
|
||||
- [Checkout a different branch](#Checkout-a-different-branch)
|
||||
- [Checkout HEAD^](#Checkout-HEAD)
|
||||
- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
|
||||
- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
|
||||
- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
|
||||
- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
|
||||
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
|
||||
- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
|
||||
- [Push a commit to a PR using the built-in token](#Push-a-commit-to-a-PR-using-the-built-in-token)
|
||||
- [Checkout V5](#checkout-v5)
|
||||
- [What's new](#whats-new)
|
||||
- [Checkout V4](#checkout-v4)
|
||||
- [Note](#note)
|
||||
- [What's new](#whats-new-1)
|
||||
- [Usage](#usage)
|
||||
- [Scenarios](#scenarios)
|
||||
- [Fetch only the root files](#fetch-only-the-root-files)
|
||||
- [Fetch only the root files and `.github` and `src` folder](#fetch-only-the-root-files-and-github-and-src-folder)
|
||||
- [Fetch only a single file](#fetch-only-a-single-file)
|
||||
- [Fetch all history for all tags and branches](#fetch-all-history-for-all-tags-and-branches)
|
||||
- [Checkout a different branch](#checkout-a-different-branch)
|
||||
- [Checkout HEAD^](#checkout-head)
|
||||
- [Checkout multiple repos (side by side)](#checkout-multiple-repos-side-by-side)
|
||||
- [Checkout multiple repos (nested)](#checkout-multiple-repos-nested)
|
||||
- [Checkout multiple repos (private)](#checkout-multiple-repos-private)
|
||||
- [Checkout pull request HEAD commit instead of merge commit](#checkout-pull-request-head-commit-instead-of-merge-commit)
|
||||
- [Checkout pull request on closed event](#checkout-pull-request-on-closed-event)
|
||||
- [Push a commit using the built-in token](#push-a-commit-using-the-built-in-token)
|
||||
- [Push a commit to a PR using the built-in token](#push-a-commit-to-a-pr-using-the-built-in-token)
|
||||
- [Recommended permissions](#recommended-permissions)
|
||||
- [License](#license)
|
||||
|
||||
## Fetch only the root files
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: .
|
||||
```
|
||||
@@ -174,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch only the root files and `.github` and `src` folder
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: |
|
||||
.github
|
||||
@@ -184,7 +201,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch only a single file
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
sparse-checkout: |
|
||||
README.md
|
||||
@@ -194,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Fetch all history for all tags and branches
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
```
|
||||
@@ -202,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout a different branch
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: my-branch
|
||||
```
|
||||
@@ -210,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout HEAD^
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 2
|
||||
- run: git checkout HEAD^
|
||||
@@ -220,12 +237,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
path: main
|
||||
|
||||
- name: Checkout tools repo
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-tools
|
||||
path: my-tools
|
||||
@@ -236,10 +253,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Checkout tools repo
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-tools
|
||||
path: my-tools
|
||||
@@ -250,12 +267,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
|
||||
```yaml
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
path: main
|
||||
|
||||
- name: Checkout private tools
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
repository: my-org/my-private-tools
|
||||
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
|
||||
@@ -268,7 +285,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
||||
## Checkout pull request HEAD commit instead of merge commit
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
```
|
||||
@@ -284,7 +301,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
```
|
||||
|
||||
## Push a commit using the built-in token
|
||||
@@ -295,7 +312,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
- run: |
|
||||
date > generated.txt
|
||||
# Note: the following account information will not work on GHES
|
||||
@@ -317,7 +334,7 @@ jobs:
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v5
|
||||
with:
|
||||
ref: ${{ github.head_ref }}
|
||||
- run: |
|
||||
|
||||
21
SECURITY.md
Normal file
21
SECURITY.md
Normal file
@@ -0,0 +1,21 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
Use this section to tell people about which versions of your project are
|
||||
currently being supported with security updates.
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 5.1.x | :white_check_mark: |
|
||||
| 5.0.x | :x: |
|
||||
| 4.0.x | :white_check_mark: |
|
||||
| < 4.0 | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Use this section to tell people how to report a vulnerability.
|
||||
|
||||
Tell them where to go, how often they can expect to get an update on a
|
||||
reported vulnerability, what to expect if the vulnerability is accepted or
|
||||
declined, etc.
|
||||
@@ -675,283 +675,6 @@ describe('git-auth-helper tests', () => {
|
||||
expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
|
||||
})
|
||||
|
||||
const removeAuth_removesV6StyleCredentials =
|
||||
'removeAuth removes v6 style credentials'
|
||||
it(removeAuth_removesV6StyleCredentials, async () => {
|
||||
// Arrange
|
||||
await setup(removeAuth_removesV6StyleCredentials)
|
||||
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
|
||||
await authHelper.configureAuth()
|
||||
|
||||
// Manually create v6-style credentials that would be left by v6
|
||||
const credentialsFileName =
|
||||
'git-credentials-12345678-1234-1234-1234-123456789abc.config'
|
||||
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
|
||||
const basicCredential = Buffer.from(
|
||||
`x-access-token:${settings.authToken}`,
|
||||
'utf8'
|
||||
).toString('base64')
|
||||
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
|
||||
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
|
||||
|
||||
// Add includeIf entries to local git config (simulating v6 configuration)
|
||||
const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
|
||||
await fs.promises.appendFile(
|
||||
localGitConfigPath,
|
||||
`[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
|
||||
)
|
||||
await fs.promises.appendFile(
|
||||
localGitConfigPath,
|
||||
`[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
|
||||
)
|
||||
|
||||
// Verify v6 style config exists
|
||||
let gitConfigContent = (
|
||||
await fs.promises.readFile(localGitConfigPath)
|
||||
).toString()
|
||||
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
gitConfigContent.indexOf(credentialsFilePath)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
await fs.promises.stat(credentialsFilePath) // Verify file exists
|
||||
|
||||
// Mock the git methods to handle v6 cleanup
|
||||
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
|
||||
mockTryGetConfigKeys.mockResolvedValue([
|
||||
`includeIf.gitdir:${hostGitDir}/.path`,
|
||||
'includeIf.gitdir:/github/workspace/.git/.path'
|
||||
])
|
||||
|
||||
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
|
||||
mockTryGetConfigValues.mockImplementation(async (key: string) => {
|
||||
if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
|
||||
return [credentialsFilePath]
|
||||
}
|
||||
if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
|
||||
return [`/github/runner_temp/${credentialsFileName}`]
|
||||
}
|
||||
return []
|
||||
})
|
||||
|
||||
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
|
||||
any,
|
||||
any
|
||||
>
|
||||
mockTryConfigUnsetValue.mockImplementation(
|
||||
async (
|
||||
key: string,
|
||||
value: string,
|
||||
globalConfig?: boolean,
|
||||
configPath?: string
|
||||
) => {
|
||||
const targetPath = configPath || localGitConfigPath
|
||||
let content = await fs.promises.readFile(targetPath, 'utf8')
|
||||
// Remove the includeIf section
|
||||
const lines = content
|
||||
.split('\n')
|
||||
.filter(line => !line.includes('includeIf') && !line.includes(value))
|
||||
await fs.promises.writeFile(targetPath, lines.join('\n'))
|
||||
return true
|
||||
}
|
||||
)
|
||||
|
||||
// Act
|
||||
await authHelper.removeAuth()
|
||||
|
||||
// Assert includeIf entries removed from local git config
|
||||
gitConfigContent = (
|
||||
await fs.promises.readFile(localGitConfigPath)
|
||||
).toString()
|
||||
expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
|
||||
expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
|
||||
|
||||
// Assert credentials config file deleted
|
||||
try {
|
||||
await fs.promises.stat(credentialsFilePath)
|
||||
throw new Error('Credentials file should have been deleted')
|
||||
} catch (err) {
|
||||
if ((err as any)?.code !== 'ENOENT') {
|
||||
throw err
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
const removeAuth_removesV6StyleCredentialsFromSubmodules =
|
||||
'removeAuth removes v6 style credentials from submodules'
|
||||
it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
|
||||
// Arrange
|
||||
await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
|
||||
|
||||
// Create fake submodule config paths
|
||||
const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
|
||||
const submodule1ConfigPath = path.join(submodule1Dir, 'config')
|
||||
await fs.promises.mkdir(submodule1Dir, {recursive: true})
|
||||
await fs.promises.writeFile(submodule1ConfigPath, '')
|
||||
|
||||
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
|
||||
await authHelper.configureAuth()
|
||||
|
||||
// Create v6-style credentials file
|
||||
const credentialsFileName =
|
||||
'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
|
||||
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
|
||||
const basicCredential = Buffer.from(
|
||||
`x-access-token:${settings.authToken}`,
|
||||
'utf8'
|
||||
).toString('base64')
|
||||
const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
|
||||
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
|
||||
|
||||
// Add includeIf entries to submodule config
|
||||
const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
|
||||
await fs.promises.appendFile(
|
||||
submodule1ConfigPath,
|
||||
`[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
|
||||
)
|
||||
|
||||
// Verify submodule config has includeIf entry
|
||||
let submoduleConfigContent = (
|
||||
await fs.promises.readFile(submodule1ConfigPath)
|
||||
).toString()
|
||||
expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
|
||||
0
|
||||
)
|
||||
expect(
|
||||
submoduleConfigContent.indexOf(credentialsFilePath)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
|
||||
// Mock getSubmoduleConfigPaths
|
||||
const mockGetSubmoduleConfigPaths =
|
||||
git.getSubmoduleConfigPaths as jest.Mock<any, any>
|
||||
mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
|
||||
|
||||
// Mock tryGetConfigKeys for submodule
|
||||
const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
|
||||
mockTryGetConfigKeys.mockImplementation(
|
||||
async (pattern: string, globalConfig?: boolean, configPath?: string) => {
|
||||
if (configPath === submodule1ConfigPath) {
|
||||
return [`includeIf.gitdir:${submodule1GitDir}/.path`]
|
||||
}
|
||||
return []
|
||||
}
|
||||
)
|
||||
|
||||
// Mock tryGetConfigValues for submodule
|
||||
const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
|
||||
mockTryGetConfigValues.mockImplementation(
|
||||
async (key: string, globalConfig?: boolean, configPath?: string) => {
|
||||
if (
|
||||
configPath === submodule1ConfigPath &&
|
||||
key === `includeIf.gitdir:${submodule1GitDir}/.path`
|
||||
) {
|
||||
return [credentialsFilePath]
|
||||
}
|
||||
return []
|
||||
}
|
||||
)
|
||||
|
||||
// Mock tryConfigUnsetValue for submodule
|
||||
const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
|
||||
any,
|
||||
any
|
||||
>
|
||||
mockTryConfigUnsetValue.mockImplementation(
|
||||
async (
|
||||
key: string,
|
||||
value: string,
|
||||
globalConfig?: boolean,
|
||||
configPath?: string
|
||||
) => {
|
||||
const targetPath = configPath || localGitConfigPath
|
||||
let content = await fs.promises.readFile(targetPath, 'utf8')
|
||||
const lines = content
|
||||
.split('\n')
|
||||
.filter(line => !line.includes('includeIf') && !line.includes(value))
|
||||
await fs.promises.writeFile(targetPath, lines.join('\n'))
|
||||
return true
|
||||
}
|
||||
)
|
||||
|
||||
// Act
|
||||
await authHelper.removeAuth()
|
||||
|
||||
// Assert submodule includeIf entries removed
|
||||
submoduleConfigContent = (
|
||||
await fs.promises.readFile(submodule1ConfigPath)
|
||||
).toString()
|
||||
expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
|
||||
expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
|
||||
|
||||
// Assert credentials file deleted
|
||||
try {
|
||||
await fs.promises.stat(credentialsFilePath)
|
||||
throw new Error('Credentials file should have been deleted')
|
||||
} catch (err) {
|
||||
if ((err as any)?.code !== 'ENOENT') {
|
||||
throw err
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
const removeAuth_skipsV6CleanupWhenEnvVarSet =
|
||||
'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
|
||||
it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
|
||||
// Arrange
|
||||
await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
|
||||
|
||||
// Set the skip environment variable
|
||||
process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
|
||||
|
||||
const authHelper = gitAuthHelper.createAuthHelper(git, settings)
|
||||
await authHelper.configureAuth()
|
||||
|
||||
// Create v6-style credentials file in RUNNER_TEMP
|
||||
const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
|
||||
const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
|
||||
const credentialsContent =
|
||||
'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
|
||||
await fs.promises.writeFile(credentialsFilePath, credentialsContent)
|
||||
|
||||
// Add includeIf section to local git config (separate from http.* config)
|
||||
const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
|
||||
await fs.promises.appendFile(localGitConfigPath, includeIfSection)
|
||||
|
||||
// Verify v6 style config exists
|
||||
let gitConfigContent = (
|
||||
await fs.promises.readFile(localGitConfigPath)
|
||||
).toString()
|
||||
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
|
||||
await fs.promises.stat(credentialsFilePath) // Verify file exists
|
||||
|
||||
// Act
|
||||
await authHelper.removeAuth()
|
||||
|
||||
// Assert v5 cleanup still happened (http.* removed)
|
||||
gitConfigContent = (
|
||||
await fs.promises.readFile(localGitConfigPath)
|
||||
).toString()
|
||||
expect(
|
||||
gitConfigContent.indexOf('http.https://github.com/.extraheader')
|
||||
).toBeLessThan(0)
|
||||
|
||||
// Assert v6 cleanup was skipped - includeIf should still be present
|
||||
expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
|
||||
expect(
|
||||
gitConfigContent.indexOf(credentialsFilePath)
|
||||
).toBeGreaterThanOrEqual(0)
|
||||
|
||||
// Assert credentials file still exists (wasn't deleted)
|
||||
await fs.promises.stat(credentialsFilePath) // File should still exist
|
||||
|
||||
// Assert debug message was logged
|
||||
expect(core.debug).toHaveBeenCalledWith(
|
||||
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
|
||||
)
|
||||
|
||||
// Cleanup
|
||||
delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
|
||||
})
|
||||
|
||||
const removeGlobalConfig_removesOverride =
|
||||
'removeGlobalConfig removes override'
|
||||
it(removeGlobalConfig_removesOverride, async () => {
|
||||
@@ -1073,18 +796,6 @@ async function setup(testName: string): Promise<void> {
|
||||
),
|
||||
tryDisableAutomaticGarbageCollection: jest.fn(),
|
||||
tryGetFetchUrl: jest.fn(),
|
||||
getSubmoduleConfigPaths: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryConfigUnsetValue: jest.fn(async () => {
|
||||
return true
|
||||
}),
|
||||
tryGetConfigValues: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryGetConfigKeys: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryReset: jest.fn(),
|
||||
version: jest.fn()
|
||||
}
|
||||
|
||||
@@ -499,18 +499,6 @@ async function setup(testName: string): Promise<void> {
|
||||
await fs.promises.stat(path.join(repositoryPath, '.git'))
|
||||
return repositoryUrl
|
||||
}),
|
||||
getSubmoduleConfigPaths: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryConfigUnsetValue: jest.fn(async () => {
|
||||
return true
|
||||
}),
|
||||
tryGetConfigValues: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryGetConfigKeys: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
tryReset: jest.fn(async () => {
|
||||
return true
|
||||
}),
|
||||
|
||||
@@ -104,6 +104,6 @@ outputs:
|
||||
commit:
|
||||
description: 'The commit SHA that was checked out'
|
||||
runs:
|
||||
using: node20
|
||||
using: node24
|
||||
main: dist/index.js
|
||||
post: dist/index.js
|
||||
|
||||
151
dist/index.js
vendored
151
dist/index.js
vendored
@@ -411,50 +411,8 @@ class GitAuthHelper {
|
||||
}
|
||||
removeToken() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// Remove HTTP extra header from local git config and submodule configs
|
||||
// HTTP extra header
|
||||
yield this.removeGitConfig(this.tokenConfigKey);
|
||||
//
|
||||
// Cleanup actions/checkout@v6 style credentials
|
||||
//
|
||||
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
|
||||
if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
|
||||
core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
|
||||
return;
|
||||
}
|
||||
try {
|
||||
// Collect credentials config paths that need to be removed
|
||||
const credentialsPaths = new Set();
|
||||
// Remove includeIf entries that point to git-credentials-*.config files
|
||||
const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
|
||||
mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
|
||||
// Remove submodule includeIf entries that point to git-credentials-*.config files
|
||||
try {
|
||||
const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
|
||||
for (const configPath of submoduleConfigPaths) {
|
||||
const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
|
||||
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
|
||||
}
|
||||
}
|
||||
catch (err) {
|
||||
core.debug(`Unable to get submodule config paths: ${err}`);
|
||||
}
|
||||
// Remove credentials config files
|
||||
for (const credentialsPath of credentialsPaths) {
|
||||
// Only remove credentials config files if they are under RUNNER_TEMP
|
||||
const runnerTemp = process.env['RUNNER_TEMP'];
|
||||
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
|
||||
try {
|
||||
yield io.rmRF(credentialsPath);
|
||||
}
|
||||
catch (err) {
|
||||
core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (err) {
|
||||
core.debug(`Failed to cleanup v6 style credentials: ${err}`);
|
||||
}
|
||||
});
|
||||
}
|
||||
removeGitConfig(configKey_1) {
|
||||
@@ -472,49 +430,6 @@ class GitAuthHelper {
|
||||
`sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
|
||||
});
|
||||
}
|
||||
/**
|
||||
* Removes includeIf entries that point to git-credentials-*.config files.
|
||||
* This handles cleanup of credentials configured by newer versions of the action.
|
||||
* @param configPath Optional path to a specific git config file to operate on
|
||||
* @returns Array of unique credentials config file paths that were found and removed
|
||||
*/
|
||||
removeIncludeIfCredentials(configPath) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const credentialsPaths = new Set();
|
||||
try {
|
||||
// Get all includeIf.gitdir keys
|
||||
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
|
||||
configPath);
|
||||
for (const key of keys) {
|
||||
// Get all values for this key
|
||||
const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
|
||||
configPath);
|
||||
if (values.length > 0) {
|
||||
// Remove only values that match git-credentials-<uuid>.config pattern
|
||||
for (const value of values) {
|
||||
if (this.testCredentialsConfigPath(value)) {
|
||||
credentialsPaths.add(value);
|
||||
yield this.git.tryConfigUnsetValue(key, value, false, configPath);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (err) {
|
||||
// Ignore errors - this is cleanup code
|
||||
core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
|
||||
}
|
||||
return Array.from(credentialsPaths);
|
||||
});
|
||||
}
|
||||
/**
|
||||
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
|
||||
* @param path The path to test
|
||||
* @returns True if the path matches the credentials config pattern
|
||||
*/
|
||||
testCredentialsConfigPath(path) {
|
||||
return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -791,16 +706,6 @@ class GitCommandManager {
|
||||
throw new Error('Unexpected output when retrieving default branch');
|
||||
});
|
||||
}
|
||||
getSubmoduleConfigPaths(recursive) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// Get submodule config file paths.
|
||||
// Use `--show-origin` to get the config file path for each submodule.
|
||||
const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
|
||||
// Extract config file paths from the output (lines starting with "file:").
|
||||
const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
|
||||
return configPaths;
|
||||
});
|
||||
}
|
||||
getWorkingDirectory() {
|
||||
return this.workingDirectory;
|
||||
}
|
||||
@@ -931,20 +836,6 @@ class GitCommandManager {
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['config'];
|
||||
if (configFile) {
|
||||
args.push('--file', configFile);
|
||||
}
|
||||
else {
|
||||
args.push(globalConfig ? '--global' : '--local');
|
||||
}
|
||||
args.push('--unset', configKey, configValue);
|
||||
const output = yield this.execGit(args, true);
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
tryDisableAutomaticGarbageCollection() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
|
||||
@@ -964,46 +855,6 @@ class GitCommandManager {
|
||||
return stdout;
|
||||
});
|
||||
}
|
||||
tryGetConfigValues(configKey, globalConfig, configFile) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['config'];
|
||||
if (configFile) {
|
||||
args.push('--file', configFile);
|
||||
}
|
||||
else {
|
||||
args.push(globalConfig ? '--global' : '--local');
|
||||
}
|
||||
args.push('--get-all', configKey);
|
||||
const output = yield this.execGit(args, true);
|
||||
if (output.exitCode !== 0) {
|
||||
return [];
|
||||
}
|
||||
return output.stdout
|
||||
.trim()
|
||||
.split('\n')
|
||||
.filter(value => value.trim());
|
||||
});
|
||||
}
|
||||
tryGetConfigKeys(pattern, globalConfig, configFile) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['config'];
|
||||
if (configFile) {
|
||||
args.push('--file', configFile);
|
||||
}
|
||||
else {
|
||||
args.push(globalConfig ? '--global' : '--local');
|
||||
}
|
||||
args.push('--name-only', '--get-regexp', pattern);
|
||||
const output = yield this.execGit(args, true);
|
||||
if (output.exitCode !== 0) {
|
||||
return [];
|
||||
}
|
||||
return output.stdout
|
||||
.trim()
|
||||
.split('\n')
|
||||
.filter(key => key.trim());
|
||||
});
|
||||
}
|
||||
tryReset() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);
|
||||
|
||||
20
package-lock.json
generated
20
package-lock.json
generated
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "checkout",
|
||||
"version": "4.3.0",
|
||||
"version": "5.0.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "checkout",
|
||||
"version": "4.3.0",
|
||||
"version": "5.0.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
@@ -18,7 +18,7 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20.12.12",
|
||||
"@types/node": "^24.1.0",
|
||||
"@types/uuid": "^9.0.8",
|
||||
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
||||
"@typescript-eslint/parser": "^7.9.0",
|
||||
@@ -1515,12 +1515,12 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@types/node": {
|
||||
"version": "20.12.12",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.12.tgz",
|
||||
"integrity": "sha512-eWLDGF/FOSPtAvEqeRAQ4C8LSA7M1I7i0ky1I8U7kD1J5ITyW3AsRhQrKVoWf5pFKZ2kILsEGJhsI9r93PYnOw==",
|
||||
"version": "24.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-24.1.0.tgz",
|
||||
"integrity": "sha512-ut5FthK5moxFKH2T1CUOC6ctR67rQRvvHdFLCD2Ql6KXmMuCrjsSsRI9UsLCm9M18BMwClv4pn327UvB7eeO1w==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"undici-types": "~5.26.4"
|
||||
"undici-types": "~7.8.0"
|
||||
}
|
||||
},
|
||||
"node_modules/@types/stack-utils": {
|
||||
@@ -6865,9 +6865,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/undici-types": {
|
||||
"version": "5.26.5",
|
||||
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
|
||||
"integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==",
|
||||
"version": "7.8.0",
|
||||
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
|
||||
"integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/universal-user-agent": {
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "checkout",
|
||||
"version": "4.3.0",
|
||||
"version": "5.0.0",
|
||||
"description": "checkout action",
|
||||
"main": "lib/main.js",
|
||||
"scripts": {
|
||||
@@ -37,7 +37,7 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20.12.12",
|
||||
"@types/node": "^24.1.0",
|
||||
"@types/uuid": "^9.0.8",
|
||||
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
||||
"@typescript-eslint/parser": "^7.9.0",
|
||||
|
||||
@@ -346,58 +346,8 @@ class GitAuthHelper {
|
||||
}
|
||||
|
||||
private async removeToken(): Promise<void> {
|
||||
// Remove HTTP extra header from local git config and submodule configs
|
||||
// HTTP extra header
|
||||
await this.removeGitConfig(this.tokenConfigKey)
|
||||
|
||||
//
|
||||
// Cleanup actions/checkout@v6 style credentials
|
||||
//
|
||||
const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
|
||||
if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
|
||||
core.debug(
|
||||
'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
try {
|
||||
// Collect credentials config paths that need to be removed
|
||||
const credentialsPaths = new Set<string>()
|
||||
|
||||
// Remove includeIf entries that point to git-credentials-*.config files
|
||||
const mainCredentialsPaths = await this.removeIncludeIfCredentials()
|
||||
mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
|
||||
|
||||
// Remove submodule includeIf entries that point to git-credentials-*.config files
|
||||
try {
|
||||
const submoduleConfigPaths =
|
||||
await this.git.getSubmoduleConfigPaths(true)
|
||||
for (const configPath of submoduleConfigPaths) {
|
||||
const submoduleCredentialsPaths =
|
||||
await this.removeIncludeIfCredentials(configPath)
|
||||
submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
|
||||
}
|
||||
} catch (err) {
|
||||
core.debug(`Unable to get submodule config paths: ${err}`)
|
||||
}
|
||||
|
||||
// Remove credentials config files
|
||||
for (const credentialsPath of credentialsPaths) {
|
||||
// Only remove credentials config files if they are under RUNNER_TEMP
|
||||
const runnerTemp = process.env['RUNNER_TEMP']
|
||||
if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
|
||||
try {
|
||||
await io.rmRF(credentialsPath)
|
||||
} catch (err) {
|
||||
core.debug(
|
||||
`Failed to remove credentials config '${credentialsPath}': ${err}`
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
core.debug(`Failed to cleanup v6 style credentials: ${err}`)
|
||||
}
|
||||
}
|
||||
|
||||
private async removeGitConfig(
|
||||
@@ -421,59 +371,4 @@ class GitAuthHelper {
|
||||
true
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes includeIf entries that point to git-credentials-*.config files.
|
||||
* This handles cleanup of credentials configured by newer versions of the action.
|
||||
* @param configPath Optional path to a specific git config file to operate on
|
||||
* @returns Array of unique credentials config file paths that were found and removed
|
||||
*/
|
||||
private async removeIncludeIfCredentials(
|
||||
configPath?: string
|
||||
): Promise<string[]> {
|
||||
const credentialsPaths = new Set<string>()
|
||||
|
||||
try {
|
||||
// Get all includeIf.gitdir keys
|
||||
const keys = await this.git.tryGetConfigKeys(
|
||||
'^includeIf\\.gitdir:',
|
||||
false, // globalConfig?
|
||||
configPath
|
||||
)
|
||||
|
||||
for (const key of keys) {
|
||||
// Get all values for this key
|
||||
const values = await this.git.tryGetConfigValues(
|
||||
key,
|
||||
false, // globalConfig?
|
||||
configPath
|
||||
)
|
||||
if (values.length > 0) {
|
||||
// Remove only values that match git-credentials-<uuid>.config pattern
|
||||
for (const value of values) {
|
||||
if (this.testCredentialsConfigPath(value)) {
|
||||
credentialsPaths.add(value)
|
||||
await this.git.tryConfigUnsetValue(key, value, false, configPath)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
// Ignore errors - this is cleanup code
|
||||
core.debug(
|
||||
`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
|
||||
)
|
||||
}
|
||||
|
||||
return Array.from(credentialsPaths)
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests if a path matches the git-credentials-*.config pattern used by newer versions.
|
||||
* @param path The path to test
|
||||
* @returns True if the path matches the credentials config pattern
|
||||
*/
|
||||
private testCredentialsConfigPath(path: string): boolean {
|
||||
return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -41,7 +41,6 @@ export interface IGitCommandManager {
|
||||
}
|
||||
): Promise<void>
|
||||
getDefaultBranch(repositoryUrl: string): Promise<string>
|
||||
getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
|
||||
getWorkingDirectory(): string
|
||||
init(): Promise<void>
|
||||
isDetached(): Promise<boolean>
|
||||
@@ -60,24 +59,8 @@ export interface IGitCommandManager {
|
||||
tagExists(pattern: string): Promise<boolean>
|
||||
tryClean(): Promise<boolean>
|
||||
tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
|
||||
tryConfigUnsetValue(
|
||||
configKey: string,
|
||||
configValue: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<boolean>
|
||||
tryDisableAutomaticGarbageCollection(): Promise<boolean>
|
||||
tryGetFetchUrl(): Promise<string>
|
||||
tryGetConfigValues(
|
||||
configKey: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<string[]>
|
||||
tryGetConfigKeys(
|
||||
pattern: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<string[]>
|
||||
tryReset(): Promise<boolean>
|
||||
version(): Promise<GitVersion>
|
||||
}
|
||||
@@ -340,21 +323,6 @@ class GitCommandManager {
|
||||
throw new Error('Unexpected output when retrieving default branch')
|
||||
}
|
||||
|
||||
async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
|
||||
// Get submodule config file paths.
|
||||
// Use `--show-origin` to get the config file path for each submodule.
|
||||
const output = await this.submoduleForeach(
|
||||
`git config --local --show-origin --name-only --get-regexp remote.origin.url`,
|
||||
recursive
|
||||
)
|
||||
|
||||
// Extract config file paths from the output (lines starting with "file:").
|
||||
const configPaths =
|
||||
output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
|
||||
|
||||
return configPaths
|
||||
}
|
||||
|
||||
getWorkingDirectory(): string {
|
||||
return this.workingDirectory
|
||||
}
|
||||
@@ -487,24 +455,6 @@ class GitCommandManager {
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async tryConfigUnsetValue(
|
||||
configKey: string,
|
||||
configValue: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<boolean> {
|
||||
const args = ['config']
|
||||
if (configFile) {
|
||||
args.push('--file', configFile)
|
||||
} else {
|
||||
args.push(globalConfig ? '--global' : '--local')
|
||||
}
|
||||
args.push('--unset', configKey, configValue)
|
||||
|
||||
const output = await this.execGit(args, true)
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
|
||||
const output = await this.execGit(
|
||||
['config', '--local', 'gc.auto', '0'],
|
||||
@@ -531,56 +481,6 @@ class GitCommandManager {
|
||||
return stdout
|
||||
}
|
||||
|
||||
async tryGetConfigValues(
|
||||
configKey: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<string[]> {
|
||||
const args = ['config']
|
||||
if (configFile) {
|
||||
args.push('--file', configFile)
|
||||
} else {
|
||||
args.push(globalConfig ? '--global' : '--local')
|
||||
}
|
||||
args.push('--get-all', configKey)
|
||||
|
||||
const output = await this.execGit(args, true)
|
||||
|
||||
if (output.exitCode !== 0) {
|
||||
return []
|
||||
}
|
||||
|
||||
return output.stdout
|
||||
.trim()
|
||||
.split('\n')
|
||||
.filter(value => value.trim())
|
||||
}
|
||||
|
||||
async tryGetConfigKeys(
|
||||
pattern: string,
|
||||
globalConfig?: boolean,
|
||||
configFile?: string
|
||||
): Promise<string[]> {
|
||||
const args = ['config']
|
||||
if (configFile) {
|
||||
args.push('--file', configFile)
|
||||
} else {
|
||||
args.push(globalConfig ? '--global' : '--local')
|
||||
}
|
||||
args.push('--name-only', '--get-regexp', pattern)
|
||||
|
||||
const output = await this.execGit(args, true)
|
||||
|
||||
if (output.exitCode !== 0) {
|
||||
return []
|
||||
}
|
||||
|
||||
return output.stdout
|
||||
.trim()
|
||||
.split('\n')
|
||||
.filter(key => key.trim())
|
||||
}
|
||||
|
||||
async tryReset(): Promise<boolean> {
|
||||
const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
|
||||
return output.exitCode === 0
|
||||
|
||||
@@ -120,7 +120,7 @@ function updateUsage(
|
||||
}
|
||||
|
||||
updateUsage(
|
||||
'actions/checkout@v4',
|
||||
'actions/checkout@v5',
|
||||
path.join(__dirname, '..', '..', 'action.yml'),
|
||||
path.join(__dirname, '..', '..', 'README.md')
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user