Merge ab5d862ce8 into c2d88d3ecc

- Updated README.md examples to reference @v6
- Updated all workflow files to use actions/checkout@v6

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@v6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout
       - name: Checkout basic
@@ -202,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -234,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -264,7 +264,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
         with:
           path: localClone
 
@@ -291,8 +291,8 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v4
+      - name: Fix Checkout v6
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
         with:
           path: localClone
 
@@ -301,13 +301,16 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
+        with:
+          path: actions-checkout
 
       # Basic checkout using git
       - name: Checkout basic
         id: checkout
-        uses: ./
+        uses: ./actions-checkout
         with:
+          path: cloned-using-local-action
           ref: test-data/v2/basic
 
       # Verify output
@@ -325,7 +328,3 @@ jobs:
             echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
             exit 1
           fi
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout
-        uses: actions/checkout@v4.1.6

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v4.1.6
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,8 +1,17 @@
 # Changelog
 
+## V6.0.0
+* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
+* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
+
+## V5.0.1
+* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
+
 ## V5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
+## V4.3.1
+* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
 ## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971

README.md

@@ -1,10 +1,21 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout V5
+# Checkout v6
 
-Checkout v5 now supports Node.js 24
+## What's new
 
-# Checkout V4
+- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
+
+# Checkout v5
+
+## What's new
+
+- Updated to the node24 runtime
+  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
+
+
+# Checkout v4
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -40,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -63,6 +74,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # Default: ${{ github.token }}
     token: ''
 
+    # Github slug used to configure local user.name and user.email for git. This is
+    # required to push a commit from a Github Action Workflow. Set to '' to disable
+    # this configuration.
+    # Default: github-action[bot]
+    git-user: ''
+
     # SSH key used to fetch the repository. The SSH key is configured with the local
     # git config, which enables your scripts to run authenticated git commands. The
     # post-job step removes the SSH key.
@@ -154,9 +171,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 # Scenarios
 
 - [Checkout V5](#checkout-v5)
+  - [What's new](#whats-new)
 - [Checkout V4](#checkout-v4)
     - [Note](#note)
-- [What's new](#whats-new)
+- [What's new](#whats-new-1)
 - [Usage](#usage)
 - [Scenarios](#scenarios)
   - [Fetch only the root files](#fetch-only-the-root-files)
@@ -178,7 +196,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: .
 ```
@@ -186,7 +204,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: |
       .github
@@ -196,7 +214,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: |
       README.md
@@ -206,7 +224,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     fetch-depth: 0
 ```
@@ -214,7 +232,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     ref: my-branch
 ```
@@ -222,7 +240,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -232,12 +250,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -248,10 +266,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
 
 - name: Checkout tools repo
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -262,12 +280,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -280,7 +298,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -296,7 +314,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 ```
 
 ## Push a commit using the built-in token
@@ -307,12 +325,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .
           git commit -m "generated"
           git push
@@ -329,14 +345,12 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.head_ref }}
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
-          git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .
           git commit -m "generated"
           git push

__test__/git-auth-helper.test.ts

@@ -1,12 +1,12 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
-import * as gitAuthHelper from '../lib/git-auth-helper'
+import * as gitAuthHelper from '../src/git-auth-helper'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
-import * as stateHelper from '../lib/state-helper'
+import * as stateHelper from '../src/state-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import {IGitCommandManager} from '../src/git-command-manager'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import {IGitSourceSettings} from '../src/git-source-settings'
 
 const isWindows = process.platform === 'win32'
 const testWorkspace = path.join(__dirname, '_temp', 'git-auth-helper')
@@ -86,16 +86,29 @@ describe('git-auth-helper tests', () => {
     // Act
     await authHelper.configureAuth()
 
-    // Assert config
+    // Assert config - check that .git/config contains includeIf entries
-    const configContent = (
+    const localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:')
+    ).toBeGreaterThanOrEqual(0)
+
+    // Assert credentials config file contains the actual credentials
+    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(1)
+    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
+    const credentialsContent = (
+      await fs.promises.readFile(credentialsConfigPath)
+    ).toString()
     const basicCredential = Buffer.from(
       `x-access-token:${settings.authToken}`,
       'utf8'
     ).toString('base64')
     expect(
-      configContent.indexOf(
+      credentialsContent.indexOf(
         `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
       )
     ).toBeGreaterThanOrEqual(0)
@@ -120,7 +133,7 @@ describe('git-auth-helper tests', () => {
     'inject https://github.com as github server url'
   it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => {
     await testAuthHeader(
-      configureAuth_AcceptsGitHubServerUrl,
+      configureAuth_AcceptsGitHubServerUrlSetToGHEC,
       'https://github.com'
     )
   })
@@ -141,12 +154,17 @@ describe('git-auth-helper tests', () => {
       // Act
       await authHelper.configureAuth()
 
-      // Assert config
+      // Assert config - check credentials config file (not local .git/config)
-      const configContent = (
+      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-        await fs.promises.readFile(localGitConfigPath)
+        f => f.startsWith('git-credentials-') && f.endsWith('.config')
+      )
+      expect(credentialsFiles.length).toBe(1)
+      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
+      const credentialsContent = (
+        await fs.promises.readFile(credentialsConfigPath)
       ).toString()
       expect(
-        configContent.indexOf(
+        credentialsContent.indexOf(
           `http.https://github.com/.extraheader AUTHORIZATION`
         )
       ).toBeGreaterThanOrEqual(0)
@@ -251,13 +269,16 @@ describe('git-auth-helper tests', () => {
       expectedSshCommand
     )
 
-    // Asserty git config
+    // Assert git config
     const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
       .toString()
       .split('\n')
       .filter(x => x)
-    expect(gitConfigLines).toHaveLength(1)
+    // Should have includeIf entries pointing to credentials file
-    expect(gitConfigLines[0]).toMatch(/^http\./)
+    expect(gitConfigLines.length).toBeGreaterThan(0)
+    expect(
+      gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0)
+    ).toBeTruthy()
   })
 
   const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
@@ -419,8 +440,20 @@ describe('git-auth-helper tests', () => {
     expect(
       configContent.indexOf('value-from-global-config')
     ).toBeGreaterThanOrEqual(0)
+    // Global config should have include.path pointing to credentials file
+    expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
+
+    // Check credentials in the separate config file
+    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBeGreaterThan(0)
+    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
+    const credentialsContent = (
+      await fs.promises.readFile(credentialsConfigPath)
+    ).toString()
     expect(
-      configContent.indexOf(
+      credentialsContent.indexOf(
         `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
       )
     ).toBeGreaterThanOrEqual(0)
@@ -463,8 +496,20 @@ describe('git-auth-helper tests', () => {
       const configContent = (
         await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
       ).toString()
+      // Global config should have include.path pointing to credentials file
+      expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
+
+      // Check credentials in the separate config file
+      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+        f => f.startsWith('git-credentials-') && f.endsWith('.config')
+      )
+      expect(credentialsFiles.length).toBeGreaterThan(0)
+      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
+      const credentialsContent = (
+        await fs.promises.readFile(credentialsConfigPath)
+      ).toString()
       expect(
-        configContent.indexOf(
+        credentialsContent.indexOf(
           `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
         )
       ).toBeGreaterThanOrEqual(0)
@@ -550,15 +595,15 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
+      // Should configure insteadOf (2 calls for two values)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
         /url.*insteadOf.*git@github.com:/
       )
-      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
         /url.*insteadOf.*org-123456@github.com:/
       )
     }
@@ -589,12 +634,12 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
+      // Should configure sshCommand (1 call)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/)
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
     }
   )
 
@@ -660,112 +705,81 @@ describe('git-auth-helper tests', () => {
     await setup(removeAuth_removesToken)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
-    let gitConfigContent = (
+
+    // Verify includeIf entries exist in local config
+    let localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
-    expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:')
+    ).toBeGreaterThanOrEqual(0)
 
-    // Act
+    // Verify both host and container includeIf entries are present
-    await authHelper.removeAuth()
+    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
+    expect(
+      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
+    ).toBeGreaterThanOrEqual(0)
 
-    // Assert git config
+    // Verify credentials file exists
-    gitConfigContent = (
+    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      await fs.promises.readFile(localGitConfigPath)
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(1)
+    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
+
+    // Verify credentials file contains the auth token
+    let credentialsContent = (
+      await fs.promises.readFile(credentialsFilePath)
     ).toString()
-    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
-  })
-
-  const removeAuth_removesV6StyleCredentials =
-    'removeAuth removes v6 style credentials'
-  it(removeAuth_removesV6StyleCredentials, async () => {
-    // Arrange
-    await setup(removeAuth_removesV6StyleCredentials)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    // Manually create v6-style credentials that would be left by v6
-    const credentialsFileName =
-      'git-credentials-12345678-1234-1234-1234-123456789abc.config'
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
     const basicCredential = Buffer.from(
       `x-access-token:${settings.authToken}`,
       'utf8'
     ).toString('base64')
-    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf entries to local git config (simulating v6 configuration)
-    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
-    await fs.promises.appendFile(
-      localGitConfigPath,
-      `[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
-    )
-    await fs.promises.appendFile(
-      localGitConfigPath,
-      `[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
-    )
-
-    // Verify v6 style config exists
-    let gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
     expect(
-      gitConfigContent.indexOf(credentialsFilePath)
+      credentialsContent.indexOf(
+        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
+      )
     ).toBeGreaterThanOrEqual(0)
-    await fs.promises.stat(credentialsFilePath) // Verify file exists
 
-    // Mock the git methods to handle v6 cleanup
+    // Verify the includeIf entries point to the credentials file
-    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
+    const containerCredentialsPath = path.posix.join(
-    mockTryGetConfigKeys.mockResolvedValue([
+      '/github/runner_temp',
-      `includeIf.gitdir:${hostGitDir}/.path`,
+      path.basename(credentialsFilePath)
-      'includeIf.gitdir:/github/workspace/.git/.path'
-    ])
-
-    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
-    mockTryGetConfigValues.mockImplementation(async (key: string) => {
-      if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
-        return [credentialsFilePath]
-      }
-      if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
-        return [`/github/runner_temp/${credentialsFileName}`]
-      }
-      return []
-    })
-
-    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
-      any,
-      any
-    >
-    mockTryConfigUnsetValue.mockImplementation(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ) => {
-        const targetPath = configPath || localGitConfigPath
-        let content = await fs.promises.readFile(targetPath, 'utf8')
-        // Remove the includeIf section
-        const lines = content
-          .split('\n')
-          .filter(line => !line.includes('includeIf') && !line.includes(value))
-        await fs.promises.writeFile(targetPath, lines.join('\n'))
-        return true
-      }
     )
+    expect(
+      localConfigContent.indexOf(credentialsFilePath)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      localConfigContent.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
 
     // Act
     await authHelper.removeAuth()
 
-    // Assert includeIf entries removed from local git config
+    // Assert all includeIf entries removed from local git config
-    gitConfigContent = (
+    localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
+    expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(
+      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
+    ).toBeLessThan(0)
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
+    ).toBeLessThan(0)
+    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
 
     // Assert credentials config file deleted
+    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(0)
+
+    // Verify credentials file no longer exists on disk
     try {
       await fs.promises.stat(credentialsFilePath)
       throw new Error('Credentials file should have been deleted')
@@ -776,113 +790,108 @@ describe('git-auth-helper tests', () => {
     }
   })
 
-  const removeAuth_removesV6StyleCredentialsFromSubmodules =
+  const removeAuth_removesTokenFromSubmodules =
-    'removeAuth removes v6 style credentials from submodules'
+    'removeAuth removes token from submodules'
-  it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
+  it(removeAuth_removesTokenFromSubmodules, async () => {
     // Arrange
-    await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
+    await setup(removeAuth_removesTokenFromSubmodules)
 
     // Create fake submodule config paths
     const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
+    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
     const submodule1ConfigPath = path.join(submodule1Dir, 'config')
+    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
+
     await fs.promises.mkdir(submodule1Dir, {recursive: true})
+    await fs.promises.mkdir(submodule2Dir, {recursive: true})
     await fs.promises.writeFile(submodule1ConfigPath, '')
+    await fs.promises.writeFile(submodule2ConfigPath, '')
+
+    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
+    const mockGetSubmoduleConfigPaths =
+      git.getSubmoduleConfigPaths as jest.Mock<any, any>
+    mockGetSubmoduleConfigPaths.mockResolvedValue([
+      submodule1ConfigPath,
+      submodule2ConfigPath
+    ])
 
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
+    await authHelper.configureSubmoduleAuth()
 
-    // Create v6-style credentials file
+    // Verify credentials file exists
-    const credentialsFileName =
+    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf entries to submodule config
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-    await fs.promises.appendFile(
-      submodule1ConfigPath,
-      `[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
     )
+    expect(credentialsFiles.length).toBe(1)
+    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
 
-    // Verify submodule config has includeIf entry
+    // Verify submodule 1 config has includeIf entries
-    let submoduleConfigContent = (
+    let submodule1Content = (
       await fs.promises.readFile(submodule1ConfigPath)
     ).toString()
-    expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
+    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-      0
-    )
     expect(
-      submoduleConfigContent.indexOf(credentialsFilePath)
+      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule1Content.indexOf(credentialsFilePath)
     ).toBeGreaterThanOrEqual(0)
 
-    // Mock getSubmoduleConfigPaths
+    // Verify submodule 2 config has includeIf entries
-    const mockGetSubmoduleConfigPaths =
+    let submodule2Content = (
-      git.getSubmoduleConfigPaths as jest.Mock<any, any>
+      await fs.promises.readFile(submodule2ConfigPath)
-    mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
+    ).toString()
+    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
+    expect(
+      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule2Content.indexOf(credentialsFilePath)
+    ).toBeGreaterThanOrEqual(0)
 
-    // Mock tryGetConfigKeys for submodule
+    // Verify both host and container paths are in each submodule config
-    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
+    const containerCredentialsPath = path.posix.join(
-    mockTryGetConfigKeys.mockImplementation(
+      '/github/runner_temp',
-      async (pattern: string, globalConfig?: boolean, configPath?: string) => {
+      path.basename(credentialsFilePath)
-        if (configPath === submodule1ConfigPath) {
-          return [`includeIf.gitdir:${submodule1GitDir}/.path`]
-        }
-        return []
-      }
     )
+    expect(
+      submodule1Content.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule2Content.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
 
-    // Mock tryGetConfigValues for submodule
+    // Act - ensure mock persists for removeAuth
-    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
+    mockGetSubmoduleConfigPaths.mockResolvedValue([
-    mockTryGetConfigValues.mockImplementation(
+      submodule1ConfigPath,
-      async (key: string, globalConfig?: boolean, configPath?: string) => {
+      submodule2ConfigPath
-        if (
+    ])
-          configPath === submodule1ConfigPath &&
-          key === `includeIf.gitdir:${submodule1GitDir}/.path`
-        ) {
-          return [credentialsFilePath]
-        }
-        return []
-      }
-    )
-
-    // Mock tryConfigUnsetValue for submodule
-    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
-      any,
-      any
-    >
-    mockTryConfigUnsetValue.mockImplementation(
-      async (
-        key: string,
-        value: string,
-        globalConfig?: boolean,
-        configPath?: string
-      ) => {
-        const targetPath = configPath || localGitConfigPath
-        let content = await fs.promises.readFile(targetPath, 'utf8')
-        const lines = content
-          .split('\n')
-          .filter(line => !line.includes('includeIf') && !line.includes(value))
-        await fs.promises.writeFile(targetPath, lines.join('\n'))
-        return true
-      }
-    )
-
-    // Act
     await authHelper.removeAuth()
 
-    // Assert submodule includeIf entries removed
+    // Assert submodule 1 includeIf entries removed
-    submoduleConfigContent = (
+    submodule1Content = (
       await fs.promises.readFile(submodule1ConfigPath)
     ).toString()
-    expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
+    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
 
-    // Assert credentials file deleted
+    // Assert submodule 2 includeIf entries removed
+    submodule2Content = (
+      await fs.promises.readFile(submodule2ConfigPath)
+    ).toString()
+    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
+
+    // Assert credentials config file deleted
+    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(0)
+
+    // Verify credentials file no longer exists on disk
     try {
       await fs.promises.stat(credentialsFilePath)
       throw new Error('Credentials file should have been deleted')
@@ -893,65 +902,6 @@ describe('git-auth-helper tests', () => {
     }
   })
 
-  const removeAuth_skipsV6CleanupWhenEnvVarSet =
-    'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
-  it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
-    // Arrange
-    await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
-
-    // Set the skip environment variable
-    process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    // Create v6-style credentials file in RUNNER_TEMP
-    const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
-    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
-    const credentialsContent =
-      '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
-    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
-
-    // Add includeIf section to local git config (separate from http.* config)
-    const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
-    await fs.promises.appendFile(localGitConfigPath, includeIfSection)
-
-    // Verify v6 style config exists
-    let gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
-    await fs.promises.stat(credentialsFilePath) // Verify file exists
-
-    // Act
-    await authHelper.removeAuth()
-
-    // Assert v5 cleanup still happened (http.* removed)
-    gitConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-    expect(
-      gitConfigContent.indexOf('http.https://github.com/.extraheader')
-    ).toBeLessThan(0)
-
-    // Assert v6 cleanup was skipped - includeIf should still be present
-    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
-    expect(
-      gitConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Assert credentials file still exists (wasn't deleted)
-    await fs.promises.stat(credentialsFilePath) // File should still exist
-
-    // Assert debug message was logged
-    expect(core.debug).toHaveBeenCalledWith(
-      'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
-    )
-
-    // Cleanup
-    delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
-  })
-
   const removeGlobalConfig_removesOverride =
     'removeGlobalConfig removes override'
   it(removeGlobalConfig_removesOverride, async () => {
@@ -978,6 +928,52 @@ describe('git-auth-helper tests', () => {
       }
     }
   })
+
+  const testCredentialsConfigPath_matchesCredentialsConfigPaths =
+    'testCredentialsConfigPath matches credentials config paths'
+  it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
+    // Arrange
+    await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+
+    // Get a real credentials config path
+    const credentialsConfigPath = await (
+      authHelper as any
+    ).getCredentialsConfigPath()
+
+    // Act & Assert
+    expect(
+      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
+    ).toBe(true)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
+      )
+    ).toBe(true)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
+      )
+    ).toBe(true)
+
+    // Test invalid paths
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/other-config.config'
+      )
+    ).toBe(false)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-invalid.config'
+      )
+    ).toBe(false)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-.config'
+      )
+    ).toBe(false)
+    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
+  })
 })
 
 async function setup(testName: string): Promise<void> {
@@ -992,6 +988,7 @@ async function setup(testName: string): Promise<void> {
   await fs.promises.mkdir(tempHomedir, {recursive: true})
   process.env['RUNNER_TEMP'] = runnerTemp
   process.env['HOME'] = tempHomedir
+  process.env['GITHUB_WORKSPACE'] = workspace
 
   // Create git config
   globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
@@ -1010,10 +1007,20 @@ async function setup(testName: string): Promise<void> {
     checkout: jest.fn(),
     checkoutDetach: jest.fn(),
     config: jest.fn(
-      async (key: string, value: string, globalConfig?: boolean) => {
+      async (
-        const configPath = globalConfig
+        key: string,
-          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+        value: string,
-          : localGitConfigPath
+        globalConfig?: boolean,
+        add?: boolean,
+        configFile?: string
+      ) => {
+        const configPath =
+          configFile ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        // Ensure directory exists
+        await fs.promises.mkdir(path.dirname(configPath), {recursive: true})
         await fs.promises.appendFile(configPath, `\n${key} ${value}`)
       }
     ),
@@ -1033,6 +1040,7 @@ async function setup(testName: string): Promise<void> {
     env: {},
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
+    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => workspace),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -1071,20 +1079,72 @@ async function setup(testName: string): Promise<void> {
         return true
       }
     ),
+    tryConfigUnsetValue: jest.fn(
+      async (
+        key: string,
+        value: string,
+        globalConfig?: boolean,
+        configPath?: string
+      ): Promise<boolean> => {
+        const targetConfigPath =
+          configPath ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        let content = await fs.promises.readFile(targetConfigPath)
+        let lines = content
+          .toString()
+          .split('\n')
+          .filter(x => x)
+          .filter(x => !(x.startsWith(key) && x.includes(value)))
+        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
+        return true
+      }
+    ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => {
+    tryGetConfigValues: jest.fn(
-      return []
+      async (
-    }),
+        key: string,
-    tryConfigUnsetValue: jest.fn(async () => {
+        globalConfig?: boolean,
-      return true
+        configPath?: string
-    }),
+      ): Promise<string[]> => {
-    tryGetConfigValues: jest.fn(async () => {
+        const targetConfigPath =
-      return []
+          configPath ||
-    }),
+          (globalConfig
-    tryGetConfigKeys: jest.fn(async () => {
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-      return []
+            : localGitConfigPath)
-    }),
+        const content = await fs.promises.readFile(targetConfigPath)
+        const lines = content
+          .toString()
+          .split('\n')
+          .filter(x => x && x.startsWith(key))
+          .map(x => x.substring(key.length).trim())
+        return lines
+      }
+    ),
+    tryGetConfigKeys: jest.fn(
+      async (
+        pattern: string,
+        globalConfig?: boolean,
+        configPath?: string
+      ): Promise<string[]> => {
+        const targetConfigPath =
+          configPath ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        const content = await fs.promises.readFile(targetConfigPath)
+        const lines = content
+          .toString()
+          .split('\n')
+          .filter(x => x)
+        const keys = lines
+          .filter(x => new RegExp(pattern).test(x.split(' ')[0]))
+          .map(x => x.split(' ')[0])
+        return [...new Set(keys)] // Remove duplicates
+      }
+    ),
     tryReset: jest.fn(),
     version: jest.fn()
   }
@@ -1113,12 +1173,14 @@ async function setup(testName: string): Promise<void> {
     sshUser: '',
     workflowOrganizationId: 123456,
     setSafeDirectory: true,
-    githubServerUrl: githubServerUrl
+    githubServerUrl: githubServerUrl,
+    gitUser: 'github-action[bot]'
   }
 }
 
 async function getActualSshKeyPath(): Promise<string> {
   let actualTempFiles = (await fs.promises.readdir(runnerTemp))
+    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
     .sort()
     .map(x => path.join(runnerTemp, x))
   if (actualTempFiles.length === 0) {
@@ -1132,6 +1194,7 @@ async function getActualSshKeyPath(): Promise<string> {
 
 async function getActualSshKnownHostsPath(): Promise<string> {
   let actualTempFiles = (await fs.promises.readdir(runnerTemp))
+    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
     .sort()
     .map(x => path.join(runnerTemp, x))
   if (actualTempFiles.length === 0) {

__test__/git-command-manager.test.ts

@@ -1,6 +1,6 @@
 import * as exec from '@actions/exec'
-import * as fshelper from '../lib/fs-helper'
+import * as fshelper from '../src/fs-helper'
-import * as commandManager from '../lib/git-command-manager'
+import * as commandManager from '../src/git-command-manager'
 
 let git: commandManager.IGitCommandManager
 let mockExec = jest.fn()

__test__/git-directory-helper.test.ts

@@ -1,9 +1,9 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
-import * as gitDirectoryHelper from '../lib/git-directory-helper'
+import * as gitDirectoryHelper from '../src/git-directory-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import {IGitCommandManager} from '../src/git-command-manager'
 
 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
@@ -471,6 +471,7 @@ async function setup(testName: string): Promise<void> {
     configExists: jest.fn(),
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
+    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => repositoryPath),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -493,24 +494,15 @@ async function setup(testName: string): Promise<void> {
       return true
     }),
     tryConfigUnset: jest.fn(),
+    tryConfigUnsetValue: jest.fn(),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(async () => {
       // Sanity check - this function shouldn't be called when the .git directory doesn't exist
       await fs.promises.stat(path.join(repositoryPath, '.git'))
       return repositoryUrl
     }),
-    getSubmoduleConfigPaths: jest.fn(async () => {
+    tryGetConfigValues: jest.fn(),
-      return []
+    tryGetConfigKeys: jest.fn(),
-    }),
-    tryConfigUnsetValue: jest.fn(async () => {
-      return true
-    }),
-    tryGetConfigValues: jest.fn(async () => {
-      return []
-    }),
-    tryGetConfigKeys: jest.fn(async () => {
-      return []
-    }),
     tryReset: jest.fn(async () => {
       return true
     }),

__test__/input-helper.test.ts

@@ -1,10 +1,10 @@
 import * as core from '@actions/core'
-import * as fsHelper from '../lib/fs-helper'
+import * as fsHelper from '../src/fs-helper'
 import * as github from '@actions/github'
-import * as inputHelper from '../lib/input-helper'
+import * as inputHelper from '../src/input-helper'
 import * as path from 'path'
-import * as workflowContextHelper from '../lib/workflow-context-helper'
+import * as workflowContextHelper from '../src/workflow-context-helper'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import {IGitSourceSettings} from '../src/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')

__test__/ref-helper.test.ts

@@ -1,6 +1,6 @@
 import * as assert from 'assert'
-import * as refHelper from '../lib/ref-helper'
+import * as refHelper from '../src/ref-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import {IGitCommandManager} from '../src/git-command-manager'
 
 const commit = '1234567890123456789012345678901234567890'
 let git: IGitCommandManager

__test__/retry-helper.test.ts

@@ -1,5 +1,5 @@
 import * as core from '@actions/core'
-import {RetryHelper} from '../lib/retry-helper'
+import {RetryHelper} from '../src/retry-helper'
 
 let info: string[]
 let retryHelper: any

__test__/verify-submodules-recursive.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --name-only --get-regexp http.+extraheader && git fetch
+git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-submodules-true.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
-git config --local --name-only --get-regexp http.+extraheader && git fetch
+git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

action.yml

@@ -22,6 +22,12 @@ inputs:
 
       [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     default: ${{ github.token }}
+  git-user:
+    description: >
+      Github slug used to configure local user.name and user.email for git.
+      This is required to push a commit from a Github Action Workflow.
+      Set to '' to disable this configuration.
+    default: "github-action[bot]"
   ssh-key:
     description: >
       SSH key used to fetch the repository. The SSH key is configured with the local

dist/index.js

@@ -162,6 +162,7 @@ class GitAuthHelper {
         this.sshKeyPath = '';
         this.sshKnownHostsPath = '';
         this.temporaryHomePath = '';
+        this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
         this.git = gitCommandManager;
         this.settings = gitSourceSettings || {};
         // Token auth header
@@ -229,15 +230,17 @@ class GitAuthHelper {
     configureGlobalAuth() {
         return __awaiter(this, void 0, void 0, function* () {
             // 'configureTempGlobalConfig' noops if already set, just returns the path
-            const newGitConfigPath = yield this.configureTempGlobalConfig();
+            yield this.configureTempGlobalConfig();
             try {
                 // Configure the token
-                yield this.configureToken(newGitConfigPath, true);
+                yield this.configureToken(true);
                 // Configure HTTPS instead of SSH
                 yield this.git.tryConfigUnset(this.insteadOfKey, true);
                 if (!this.settings.sshKey) {
                     for (const insteadOfValue of this.insteadOfValues) {
-                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
+                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
+                        true // add?
+                        );
                     }
                 }
             }
@@ -252,19 +255,34 @@ class GitAuthHelper {
     configureSubmoduleAuth() {
         return __awaiter(this, void 0, void 0, function* () {
             // Remove possible previous HTTPS instead of SSH
-            yield this.removeGitConfig(this.insteadOfKey, true);
+            yield this.removeSubmoduleGitConfig(this.insteadOfKey);
             if (this.settings.persistCredentials) {
-                // Configure a placeholder value. This approach avoids the credential being captured
+                // Get the credentials config file path in RUNNER_TEMP
-                // by process creation audit events, which are commonly logged. For more information,
+                const credentialsConfigPath = this.getCredentialsConfigPath();
-                // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+                // Container credentials config path
-                const output = yield this.git.submoduleForeach(
+                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
-                // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+                // Get submodule config file paths.
-                `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
+                const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
-                // Replace the placeholder
+                // For each submodule, configure includeIf entries pointing to the shared credentials file.
-                const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
+                // Configure both host and container paths to support Docker container actions.
                 for (const configPath of configPaths) {
-                    core.debug(`Replacing token placeholder in '${configPath}'`);
+                    // Submodule Git directory
-                    yield this.replaceTokenPlaceholder(configPath);
+                    let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
+                    submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
+                    // Configure host includeIf
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    false, // add?
+                    configPath);
+                    // Container submodule git directory
+                    const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                    assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                    let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
+                    relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
+                    const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
+                    // Configure container includeIf
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
+                    false, // add?
+                    configPath);
                 }
                 if (this.settings.sshKey) {
                     // Configure core.sshCommand
@@ -295,6 +313,10 @@ class GitAuthHelper {
             }
         });
     }
+    /**
+     * Configures SSH authentication by writing the SSH key and known hosts,
+     * and setting up the GIT_SSH_COMMAND environment variable.
+     */
     configureSsh() {
         return __awaiter(this, void 0, void 0, function* () {
             if (!this.settings.sshKey) {
@@ -351,43 +373,88 @@ class GitAuthHelper {
             }
         });
     }
-    configureToken(configPath, globalConfig) {
+    /**
+     * Configures token-based authentication by creating a credentials config file
+     * and setting up includeIf entries to reference it.
+     * @param globalConfig Whether to configure global config instead of local
+     */
+    configureToken(globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
-            // Validate args
+            // Get the credentials config file path in RUNNER_TEMP
-            assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations');
+            const credentialsConfigPath = this.getCredentialsConfigPath();
-            // Default config path
+            // Write placeholder to the separate credentials config file using git config.
-            if (!configPath && !globalConfig) {
+            // This approach avoids the credential being captured by process creation audit events,
-                configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config');
+            // which are commonly logged. For more information, refer to
-            }
+            // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-            // Configure a placeholder value. This approach avoids the credential being captured
+            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
-            // by process creation audit events, which are commonly logged. For more information,
+            false, // add?
-            // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+            credentialsConfigPath);
-            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig);
+            // Replace the placeholder in the credentials config file
-            // Replace the placeholder
+            let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
-            yield this.replaceTokenPlaceholder(configPath || '');
-        });
-    }
-    replaceTokenPlaceholder(configPath) {
-        return __awaiter(this, void 0, void 0, function* () {
-            assert.ok(configPath, 'configPath is not defined');
-            let content = (yield fs.promises.readFile(configPath)).toString();
             const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
             if (placeholderIndex < 0 ||
                 placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
-                throw new Error(`Unable to replace auth placeholder in ${configPath}`);
+                throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`);
             }
             assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
             content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
-            yield fs.promises.writeFile(configPath, content);
+            yield fs.promises.writeFile(credentialsConfigPath, content);
+            // Add include or includeIf to reference the credentials config
+            if (globalConfig) {
+                // Global config file is temporary
+                yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
+                );
+            }
+            else {
+                // Host git directory
+                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
+                gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
+                // Configure host includeIf
+                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
+                yield this.git.config(hostIncludeKey, credentialsConfigPath);
+                // Container git directory
+                const workingDirectory = this.git.getWorkingDirectory();
+                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
+                relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
+                const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
+                // Container credentials config path
+                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                // Configure container includeIf
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
+                yield this.git.config(containerIncludeKey, containerCredentialsPath);
+            }
         });
     }
+    /**
+     * Gets or creates the path to the credentials config file in RUNNER_TEMP.
+     * @returns The absolute path to the credentials config file
+     */
+    getCredentialsConfigPath() {
+        if (this.credentialsConfigPath) {
+            return this.credentialsConfigPath;
+        }
+        const runnerTemp = process.env['RUNNER_TEMP'] || '';
+        assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+        // Create a unique filename for this checkout instance
+        const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
+        this.credentialsConfigPath = path.join(runnerTemp, configFileName);
+        core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
+        return this.credentialsConfigPath;
+    }
+    /**
+     * Removes SSH authentication configuration by cleaning up SSH keys,
+     * known hosts files, and SSH command configurations.
+     */
     removeSsh() {
         return __awaiter(this, void 0, void 0, function* () {
-            var _a;
+            var _a, _b;
             // SSH key
             const keyPath = this.sshKeyPath || stateHelper.SshKeyPath;
             if (keyPath) {
                 try {
+                    core.info(`Removing SSH key '${keyPath}'`);
                     yield io.rmRF(keyPath);
                 }
                 catch (err) {
@@ -399,82 +466,91 @@ class GitAuthHelper {
             const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath;
             if (knownHostsPath) {
                 try {
+                    core.info(`Removing SSH known hosts '${knownHostsPath}'`);
                     yield io.rmRF(knownHostsPath);
                 }
-                catch (_b) {
+                catch (err) {
-                    // Intentionally empty
+                    core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`);
+                    core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`);
                 }
             }
             // SSH command
+            core.info('Removing SSH command configuration');
             yield this.removeGitConfig(SSH_COMMAND_KEY);
+            yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
         });
     }
+    /**
+     * Removes token-based authentication by cleaning up HTTP headers,
+     * includeIf entries, and credentials config files.
+     */
     removeToken() {
         return __awaiter(this, void 0, void 0, function* () {
-            // Remove HTTP extra header from local git config and submodule configs
+            var _a;
+            // Remove HTTP extra header
+            core.info('Removing HTTP extra header');
             yield this.removeGitConfig(this.tokenConfigKey);
-            //
+            yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
-            // Cleanup actions/checkout@v6 style credentials
+            // Collect credentials config paths that need to be removed
-            //
+            const credentialsPaths = new Set();
-            const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
+            // Remove includeIf entries that point to git-credentials-*.config files
-            if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
+            core.info('Removing includeIf entries pointing to credentials config files');
-                core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
+            const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
-                return;
+            mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
+            // Remove submodule includeIf entries that point to git-credentials-*.config files
+            const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
+            for (const configPath of submoduleConfigPaths) {
+                const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
+                submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
             }
-            try {
+            // Remove credentials config files
-                // Collect credentials config paths that need to be removed
+            for (const credentialsPath of credentialsPaths) {
-                const credentialsPaths = new Set();
+                // Only remove credentials config files if they are under RUNNER_TEMP
-                // Remove includeIf entries that point to git-credentials-*.config files
+                const runnerTemp = process.env['RUNNER_TEMP'];
-                const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
+                assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
-                mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
+                if (credentialsPath.startsWith(runnerTemp)) {
-                // Remove submodule includeIf entries that point to git-credentials-*.config files
+                    try {
-                try {
+                        core.info(`Removing credentials config '${credentialsPath}'`);
-                    const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
+                        yield io.rmRF(credentialsPath);
-                    for (const configPath of submoduleConfigPaths) {
+                    }
-                        const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
+                    catch (err) {
-                        submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
+                        core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
+                        core.warning(`Failed to remove credentials config '${credentialsPath}'`);
                     }
                 }
-                catch (err) {
+                else {
-                    core.debug(`Unable to get submodule config paths: ${err}`);
+                    core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`);
                 }
-                // Remove credentials config files
-                for (const credentialsPath of credentialsPaths) {
-                    // Only remove credentials config files if they are under RUNNER_TEMP
-                    const runnerTemp = process.env['RUNNER_TEMP'];
-                    if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
-                        try {
-                            yield io.rmRF(credentialsPath);
-                        }
-                        catch (err) {
-                            core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
-                        }
-                    }
-                }
-            }
-            catch (err) {
-                core.debug(`Failed to cleanup v6 style credentials: ${err}`);
             }
         });
     }
-    removeGitConfig(configKey_1) {
+    /**
-        return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) {
+     * Removes a git config key from the local repository config.
-            if (!submoduleOnly) {
+     * @param configKey The git config key to remove
-                if ((yield this.git.configExists(configKey)) &&
+     */
-                    !(yield this.git.tryConfigUnset(configKey))) {
+    removeGitConfig(configKey) {
-                    // Load the config contents
+        return __awaiter(this, void 0, void 0, function* () {
-                    core.warning(`Failed to remove '${configKey}' from the git config`);
+            if ((yield this.git.configExists(configKey)) &&
-                }
+                !(yield this.git.tryConfigUnset(configKey))) {
+                // Load the config contents
+                core.warning(`Failed to remove '${configKey}' from the git config`);
             }
+        });
+    }
+    /**
+     * Removes a git config key from all submodule configs.
+     * @param configKey The git config key to remove
+     */
+    removeSubmoduleGitConfig(configKey) {
+        return __awaiter(this, void 0, void 0, function* () {
             const pattern = regexpHelper.escape(configKey);
             yield this.git.submoduleForeach(
-            // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+            // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
             `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
         });
     }
     /**
      * Removes includeIf entries that point to git-credentials-*.config files.
-     * This handles cleanup of credentials configured by newer versions of the action.
      * @param configPath Optional path to a specific git config file to operate on
      * @returns Array of unique credentials config file paths that were found and removed
      */
@@ -502,13 +578,18 @@ class GitAuthHelper {
             }
             catch (err) {
                 // Ignore errors - this is cleanup code
-                core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
+                if (configPath) {
+                    core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
+                }
+                else {
+                    core.debug(`Error during includeIf cleanup: ${err}`);
+                }
             }
             return Array.from(credentialsPaths);
         });
     }
     /**
-     * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
+     * Tests if a path matches the git-credentials-*.config pattern.
      * @param path The path to test
      * @returns True if the path matches the credentials config pattern
      */
@@ -712,9 +793,15 @@ class GitCommandManager {
             yield this.execGit(args);
         });
     }
-    config(configKey, configValue, globalConfig, add) {
+    config(configKey, configValue, globalConfig, add, configFile) {
         return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config', globalConfig ? '--global' : '--local'];
+            const args = ['config'];
+            if (configFile) {
+                args.push('--file', configFile);
+            }
+            else {
+                args.push(globalConfig ? '--global' : '--local');
+            }
             if (add) {
                 args.push('--add');
             }
@@ -1506,6 +1593,15 @@ function getSource(settings) {
             core.setOutput('commit', commitSHA.trim());
             // Check for incorrect pull request merge commit
             yield refHelper.checkCommitInfo(settings.authToken, commitInfo, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.githubServerUrl);
+            if (settings.gitUser) {
+                if (!(yield git.configExists('user.name', true))) {
+                    yield git.config('user.name', settings.gitUser, true);
+                }
+                if (!(yield git.configExists('user.email', true))) {
+                    const userId = yield githubApiHelper.getUserId(settings.gitUser, settings.authToken, settings.githubServerUrl);
+                    yield git.config('user.email', `${userId}+${settings.gitUser}@users.noreply.github.com`, true);
+                }
+            }
         }
         finally {
             // Remove auth
@@ -1695,6 +1791,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.downloadRepository = downloadRepository;
 exports.getDefaultBranch = getDefaultBranch;
+exports.getUserId = getUserId;
 const assert = __importStar(__nccwpck_require__(9491));
 const core = __importStar(__nccwpck_require__(2186));
 const fs = __importStar(__nccwpck_require__(7147));
@@ -1812,6 +1909,15 @@ function downloadArchive(authToken, owner, repo, ref, commit, baseUrl) {
         return Buffer.from(response.data); // response.data is ArrayBuffer
     });
 }
+function getUserId(username, authToken, baseUrl) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const octokit = github.getOctokit(authToken, {
+            baseUrl: (0, url_helper_1.getServerApiUrl)(baseUrl)
+        });
+        const user = yield octokit.rest.users.getByUsername({ username, });
+        return user.data.id;
+    });
+}
 
 
 /***/ }),
@@ -1962,6 +2068,8 @@ function getInputs() {
         core.debug(`recursive submodules = ${result.nestedSubmodules}`);
         // Auth token
         result.authToken = core.getInput('token', { required: true });
+        // Git user
+        result.gitUser = core.getInput('git-user') || 'github-action[bot]';
         // SSH
         result.sshKey = core.getInput('ssh-key');
         result.sshKnownHosts = core.getInput('ssh-known-hosts');

src/git-auth-helper.ts

@@ -43,6 +43,7 @@ class GitAuthHelper {
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
   private temporaryHomePath = ''
+  private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
 
   constructor(
     gitCommandManager: IGitCommandManager,
@@ -126,16 +127,21 @@ class GitAuthHelper {
 
   async configureGlobalAuth(): Promise<void> {
     // 'configureTempGlobalConfig' noops if already set, just returns the path
-    const newGitConfigPath = await this.configureTempGlobalConfig()
+    await this.configureTempGlobalConfig()
     try {
       // Configure the token
-      await this.configureToken(newGitConfigPath, true)
+      await this.configureToken(true)
 
       // Configure HTTPS instead of SSH
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
         for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
+          await this.git.config(
+            this.insteadOfKey,
+            insteadOfValue,
+            true, // globalConfig?
+            true // add?
+          )
         }
       }
     } catch (err) {
@@ -150,24 +156,60 @@ class GitAuthHelper {
 
   async configureSubmoduleAuth(): Promise<void> {
     // Remove possible previous HTTPS instead of SSH
-    await this.removeGitConfig(this.insteadOfKey, true)
+    await this.removeSubmoduleGitConfig(this.insteadOfKey)
 
     if (this.settings.persistCredentials) {
-      // Configure a placeholder value. This approach avoids the credential being captured
+      // Get the credentials config file path in RUNNER_TEMP
-      // by process creation audit events, which are commonly logged. For more information,
+      const credentialsConfigPath = this.getCredentialsConfigPath()
-      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+
-      const output = await this.git.submoduleForeach(
+      // Container credentials config path
-        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+      const containerCredentialsPath = path.posix.join(
-        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
+        '/github/runner_temp',
+        path.basename(credentialsConfigPath)
+      )
+
+      // Get submodule config file paths.
+      const configPaths = await this.git.getSubmoduleConfigPaths(
         this.settings.nestedSubmodules
       )
 
-      // Replace the placeholder
+      // For each submodule, configure includeIf entries pointing to the shared credentials file.
-      const configPaths: string[] =
+      // Configure both host and container paths to support Docker container actions.
-        output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
       for (const configPath of configPaths) {
-        core.debug(`Replacing token placeholder in '${configPath}'`)
+        // Submodule Git directory
-        await this.replaceTokenPlaceholder(configPath)
+        let submoduleGitDir = path.dirname(configPath) // The config file is at .git/modules/submodule-name/config
+        submoduleGitDir = submoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
+
+        // Configure host includeIf
+        await this.git.config(
+          `includeIf.gitdir:${submoduleGitDir}.path`,
+          credentialsConfigPath,
+          false, // globalConfig?
+          false, // add?
+          configPath
+        )
+
+        // Container submodule git directory
+        const githubWorkspace = process.env['GITHUB_WORKSPACE']
+        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+        let relativeSubmoduleGitDir = path.relative(
+          githubWorkspace,
+          submoduleGitDir
+        )
+        relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
+        const containerSubmoduleGitDir = path.posix.join(
+          '/github/workspace',
+          relativeSubmoduleGitDir
+        )
+
+        // Configure container includeIf
+        await this.git.config(
+          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
+          containerCredentialsPath,
+          false, // globalConfig?
+          false, // add?
+          configPath
+        )
       }
 
       if (this.settings.sshKey) {
@@ -201,6 +243,10 @@ class GitAuthHelper {
     }
   }
 
+  /**
+   * Configures SSH authentication by writing the SSH key and known hosts,
+   * and setting up the GIT_SSH_COMMAND environment variable.
+   */
   private async configureSsh(): Promise<void> {
     if (!this.settings.sshKey) {
       return
@@ -272,57 +318,116 @@ class GitAuthHelper {
     }
   }
 
-  private async configureToken(
+  /**
-    configPath?: string,
+   * Configures token-based authentication by creating a credentials config file
-    globalConfig?: boolean
+   * and setting up includeIf entries to reference it.
-  ): Promise<void> {
+   * @param globalConfig Whether to configure global config instead of local
-    // Validate args
+   */
-    assert.ok(
+  private async configureToken(globalConfig?: boolean): Promise<void> {
-      (configPath && globalConfig) || (!configPath && !globalConfig),
+    // Get the credentials config file path in RUNNER_TEMP
-      'Unexpected configureToken parameter combinations'
+    const credentialsConfigPath = this.getCredentialsConfigPath()
-    )
 
-    // Default config path
+    // Write placeholder to the separate credentials config file using git config.
-    if (!configPath && !globalConfig) {
+    // This approach avoids the credential being captured by process creation audit events,
-      configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
+    // which are commonly logged. For more information, refer to
-    }
+    // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-
-    // Configure a placeholder value. This approach avoids the credential being captured
-    // by process creation audit events, which are commonly logged. For more information,
-    // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
     await this.git.config(
       this.tokenConfigKey,
       this.tokenPlaceholderConfigValue,
-      globalConfig
+      false, // globalConfig?
+      false, // add?
+      credentialsConfigPath
     )
 
-    // Replace the placeholder
+    // Replace the placeholder in the credentials config file
-    await this.replaceTokenPlaceholder(configPath || '')
+    let content = (await fs.promises.readFile(credentialsConfigPath)).toString()
-  }
-
-  private async replaceTokenPlaceholder(configPath: string): Promise<void> {
-    assert.ok(configPath, 'configPath is not defined')
-    let content = (await fs.promises.readFile(configPath)).toString()
     const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
     if (
       placeholderIndex < 0 ||
       placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
     ) {
-      throw new Error(`Unable to replace auth placeholder in ${configPath}`)
+      throw new Error(
+        `Unable to replace auth placeholder in ${credentialsConfigPath}`
+      )
     }
     assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
     content = content.replace(
       this.tokenPlaceholderConfigValue,
       this.tokenConfigValue
     )
-    await fs.promises.writeFile(configPath, content)
+    await fs.promises.writeFile(credentialsConfigPath, content)
+
+    // Add include or includeIf to reference the credentials config
+    if (globalConfig) {
+      // Global config file is temporary
+      await this.git.config(
+        'include.path',
+        credentialsConfigPath,
+        true // globalConfig?
+      )
+    } else {
+      // Host git directory
+      let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
+      gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
+
+      // Configure host includeIf
+      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
+      await this.git.config(hostIncludeKey, credentialsConfigPath)
+
+      // Container git directory
+      const workingDirectory = this.git.getWorkingDirectory()
+      const githubWorkspace = process.env['GITHUB_WORKSPACE']
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      let relativePath = path.relative(githubWorkspace, workingDirectory)
+      relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
+      const containerGitDir = path.posix.join(
+        '/github/workspace',
+        relativePath,
+        '.git'
+      )
+
+      // Container credentials config path
+      const containerCredentialsPath = path.posix.join(
+        '/github/runner_temp',
+        path.basename(credentialsConfigPath)
+      )
+
+      // Configure container includeIf
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
+      await this.git.config(containerIncludeKey, containerCredentialsPath)
+    }
   }
 
+  /**
+   * Gets or creates the path to the credentials config file in RUNNER_TEMP.
+   * @returns The absolute path to the credentials config file
+   */
+  private getCredentialsConfigPath(): string {
+    if (this.credentialsConfigPath) {
+      return this.credentialsConfigPath
+    }
+
+    const runnerTemp = process.env['RUNNER_TEMP'] || ''
+    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
+
+    // Create a unique filename for this checkout instance
+    const configFileName = `git-credentials-${uuid()}.config`
+    this.credentialsConfigPath = path.join(runnerTemp, configFileName)
+
+    core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
+    return this.credentialsConfigPath
+  }
+
+  /**
+   * Removes SSH authentication configuration by cleaning up SSH keys,
+   * known hosts files, and SSH command configurations.
+   */
   private async removeSsh(): Promise<void> {
     // SSH key
     const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
     if (keyPath) {
       try {
+        core.info(`Removing SSH key '${keyPath}'`)
         await io.rmRF(keyPath)
       } catch (err) {
         core.debug(`${(err as any)?.message ?? err}`)
@@ -335,88 +440,91 @@ class GitAuthHelper {
       this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
     if (knownHostsPath) {
       try {
+        core.info(`Removing SSH known hosts '${knownHostsPath}'`)
         await io.rmRF(knownHostsPath)
-      } catch {
+      } catch (err) {
-        // Intentionally empty
+        core.debug(`${(err as any)?.message ?? err}`)
+        core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`)
       }
     }
 
     // SSH command
+    core.info('Removing SSH command configuration')
     await this.removeGitConfig(SSH_COMMAND_KEY)
+    await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
   }
 
+  /**
+   * Removes token-based authentication by cleaning up HTTP headers,
+   * includeIf entries, and credentials config files.
+   */
   private async removeToken(): Promise<void> {
-    // Remove HTTP extra header from local git config and submodule configs
+    // Remove HTTP extra header
+    core.info('Removing HTTP extra header')
     await this.removeGitConfig(this.tokenConfigKey)
+    await this.removeSubmoduleGitConfig(this.tokenConfigKey)
 
-    //
+    // Collect credentials config paths that need to be removed
-    // Cleanup actions/checkout@v6 style credentials
+    const credentialsPaths = new Set<string>()
-    //
+
-    const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
+    // Remove includeIf entries that point to git-credentials-*.config files
-    if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
+    core.info('Removing includeIf entries pointing to credentials config files')
-      core.debug(
+    const mainCredentialsPaths = await this.removeIncludeIfCredentials()
-        'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
+    mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
-      )
+
-      return
+    // Remove submodule includeIf entries that point to git-credentials-*.config files
+    const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
+    for (const configPath of submoduleConfigPaths) {
+      const submoduleCredentialsPaths =
+        await this.removeIncludeIfCredentials(configPath)
+      submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
     }
 
-    try {
+    // Remove credentials config files
-      // Collect credentials config paths that need to be removed
+    for (const credentialsPath of credentialsPaths) {
-      const credentialsPaths = new Set<string>()
+      // Only remove credentials config files if they are under RUNNER_TEMP
-
+      const runnerTemp = process.env['RUNNER_TEMP']
-      // Remove includeIf entries that point to git-credentials-*.config files
+      assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
-      const mainCredentialsPaths = await this.removeIncludeIfCredentials()
+      if (credentialsPath.startsWith(runnerTemp)) {
-      mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
+        try {
-
+          core.info(`Removing credentials config '${credentialsPath}'`)
-      // Remove submodule includeIf entries that point to git-credentials-*.config files
+          await io.rmRF(credentialsPath)
-      try {
+        } catch (err) {
-        const submoduleConfigPaths =
+          core.debug(`${(err as any)?.message ?? err}`)
-          await this.git.getSubmoduleConfigPaths(true)
+          core.warning(
-        for (const configPath of submoduleConfigPaths) {
+            `Failed to remove credentials config '${credentialsPath}'`
-          const submoduleCredentialsPaths =
+          )
-            await this.removeIncludeIfCredentials(configPath)
-          submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
         }
-      } catch (err) {
+      } else {
-        core.debug(`Unable to get submodule config paths: ${err}`)
+        core.debug(
+          `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
+        )
       }
-
-      // Remove credentials config files
-      for (const credentialsPath of credentialsPaths) {
-        // Only remove credentials config files if they are under RUNNER_TEMP
-        const runnerTemp = process.env['RUNNER_TEMP']
-        if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
-          try {
-            await io.rmRF(credentialsPath)
-          } catch (err) {
-            core.debug(
-              `Failed to remove credentials config '${credentialsPath}': ${err}`
-            )
-          }
-        }
-      }
-    } catch (err) {
-      core.debug(`Failed to cleanup v6 style credentials: ${err}`)
     }
   }
 
-  private async removeGitConfig(
+  /**
-    configKey: string,
+   * Removes a git config key from the local repository config.
-    submoduleOnly: boolean = false
+   * @param configKey The git config key to remove
-  ): Promise<void> {
+   */
-    if (!submoduleOnly) {
+  private async removeGitConfig(configKey: string): Promise<void> {
-      if (
+    if (
-        (await this.git.configExists(configKey)) &&
+      (await this.git.configExists(configKey)) &&
-        !(await this.git.tryConfigUnset(configKey))
+      !(await this.git.tryConfigUnset(configKey))
-      ) {
+    ) {
-        // Load the config contents
+      // Load the config contents
-        core.warning(`Failed to remove '${configKey}' from the git config`)
+      core.warning(`Failed to remove '${configKey}' from the git config`)
-      }
     }
+  }
 
+  /**
+   * Removes a git config key from all submodule configs.
+   * @param configKey The git config key to remove
+   */
+  private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
     const pattern = regexpHelper.escape(configKey)
     await this.git.submoduleForeach(
-      // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+      // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
       `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
       true
     )
@@ -424,7 +532,6 @@ class GitAuthHelper {
 
   /**
    * Removes includeIf entries that point to git-credentials-*.config files.
-   * This handles cleanup of credentials configured by newer versions of the action.
    * @param configPath Optional path to a specific git config file to operate on
    * @returns Array of unique credentials config file paths that were found and removed
    */
@@ -460,16 +567,18 @@ class GitAuthHelper {
       }
     } catch (err) {
       // Ignore errors - this is cleanup code
-      core.debug(
+      if (configPath) {
-        `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
+        core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`)
-      )
+      } else {
+        core.debug(`Error during includeIf cleanup: ${err}`)
+      }
     }
 
     return Array.from(credentialsPaths)
   }
 
   /**
-   * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
+   * Tests if a path matches the git-credentials-*.config pattern.
    * @param path The path to test
    * @returns True if the path matches the credentials config pattern
    */

src/git-command-manager.ts

@@ -28,7 +28,8 @@ export interface IGitCommandManager {
     configKey: string,
     configValue: string,
     globalConfig?: boolean,
-    add?: boolean
+    add?: boolean,
+    configFile?: string
   ): Promise<void>
   configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
   fetch(
@@ -240,9 +241,15 @@ class GitCommandManager {
     configKey: string,
     configValue: string,
     globalConfig?: boolean,
-    add?: boolean
+    add?: boolean,
+    configFile?: string
   ): Promise<void> {
-    const args: string[] = ['config', globalConfig ? '--global' : '--local']
+    const args: string[] = ['config']
+    if (configFile) {
+      args.push('--file', configFile)
+    } else {
+      args.push(globalConfig ? '--global' : '--local')
+    }
     if (add) {
       args.push('--add')
     }

src/git-source-provider.ts

@@ -274,6 +274,23 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
       settings.commit,
       settings.githubServerUrl
     )
+    if (settings.gitUser) {
+      if (!(await git.configExists('user.name', true))) {
+        await git.config('user.name', settings.gitUser, true)
+      }
+      if (!(await git.configExists('user.email', true))) {
+        const userId = await githubApiHelper.getUserId(
+          settings.gitUser,
+          settings.authToken,
+          settings.githubServerUrl
+        )
+        await git.config(
+          'user.email',
+          `${userId}+${settings.gitUser}@users.noreply.github.com`,
+          true
+        )
+      }
+    }
   } finally {
     // Remove auth
     if (authHelper) {

src/git-source-settings.ts

@@ -79,6 +79,11 @@ export interface IGitSourceSettings {
    */
   authToken: string
 
+  /**
+   * A github user slug to set a default user name and email in the local git config
+   */
+  gitUser: string
+
   /**
    * The SSH key to configure
    */

src/github-api-helper.ts

@@ -143,3 +143,15 @@ async function downloadArchive(
   })
   return Buffer.from(response.data as ArrayBuffer) // response.data is ArrayBuffer
 }
+
+export async function getUserId(
+  username: string,
+  authToken: string,
+  baseUrl?: string
+): Promise<number> {
+  const octokit = github.getOctokit(authToken, {
+    baseUrl: getServerApiUrl(baseUrl)
+  })
+  const user = await octokit.rest.users.getByUsername({username})
+  return user.data.id
+}

src/input-helper.ts

@@ -138,6 +138,9 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   // Auth token
   result.authToken = core.getInput('token', {required: true})
 
+  // Git user
+  result.gitUser = core.getInput('git-user') || 'github-action[bot]'
+
   // SSH
   result.sshKey = core.getInput('ssh-key')
   result.sshKnownHosts = core.getInput('ssh-known-hosts')

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v5',
+  'actions/checkout@v6',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )