Merge e7667abffb into 1af3b93b68

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout
       - name: Checkout basic
@@ -165,22 +165,6 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -218,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -250,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -280,7 +264,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -307,8 +291,8 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
-        uses: actions/checkout@v6
+      - name: Fix Checkout v4
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -317,7 +301,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: actions-checkout
 

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,19 +1,19 @@
 # Changelog
 
-## v6.0.0
+## V6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
 
-## v5.0.1
+## V5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
 
-## v5.0.0
+## V5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## v4.3.1
+## V4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -4,9 +4,8 @@
 
 ## What's new
 
-- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
-- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
+- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
 
 # Checkout v5
 
@@ -52,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -191,7 +190,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: .
 ```
@@ -199,7 +198,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       .github
@@ -209,7 +208,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       README.md
@@ -219,7 +218,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 0
 ```
@@ -227,7 +226,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: my-branch
 ```
@@ -235,7 +234,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +244,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -261,10 +260,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -275,12 +274,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +292,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +308,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 
 ## Push a commit using the built-in token
@@ -320,7 +319,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
@@ -342,7 +341,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       - run: |

__test__/verify-worktree.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-# Verify worktree credentials
-# This test verifies that git credentials work in worktrees created after checkout
-# Usage: verify-worktree.sh <checkout-path> <worktree-name>
-
-CHECKOUT_PATH="$1"
-WORKTREE_NAME="$2"
-
-if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
-  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
-  exit 1
-fi
-
-cd "$CHECKOUT_PATH"
-
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
-# Show the includeIf configuration
-echo "Git config includeIf entries:"
-git config --list --show-origin | grep -i include || true
-
-# Create the worktree
-echo "Creating worktree..."
-git worktree add "../$WORKTREE_NAME" HEAD --detach
-
-# Change to worktree directory
-cd "../$WORKTREE_NAME"
-
-# Verify we're in a worktree
-echo "Verifying worktree gitdir:"
-cat .git
-
-# Verify credentials are available in worktree by checking extraheader is configured
-echo "Checking credentials in worktree..."
-if git config --list --show-origin | grep -q "extraheader"; then
-  echo "Credentials are configured in worktree"
-else
-  echo "ERROR: Credentials are NOT configured in worktree"
-  echo "Full git config:"
-  git config --list --show-origin
-  exit 1
-fi
-
-# Verify fetch works in the worktree
-echo "Fetching in worktree..."
-git fetch origin
-
-echo "Worktree credentials test passed!"

action.yml

@@ -98,6 +98,10 @@ inputs:
   github-server-url:
     description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
     required: false
+  skip-cleanup:
+    description: Skips the cleanup phase on post action hook
+    required: false
+    default: false
 outputs:
   ref:
     description: 'The branch, tag or SHA that was checked out'

dist/index.js

@@ -412,9 +412,6 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
-                // Configure host includeIf for worktrees
-                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
-                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
                 const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -427,9 +424,6 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                // Configure container includeIf for worktrees
-                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
-                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }

src/git-auth-helper.ts

@@ -374,10 +374,6 @@ class GitAuthHelper {
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
-      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
-      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
-
       // Container git directory
       const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -399,13 +395,6 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
-
-      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
-      await this.git.config(
-        containerWorktreeIncludeKey,
-        containerCredentialsPath
-      )
     }
   }
 

src/git-source-settings.ts

@@ -118,4 +118,9 @@ export interface IGitSourceSettings {
    * User override on the GitHub Server/Host URL that hosts the repository to be cloned
    */
   githubServerUrl: string | undefined
+
+  /**
+   * Disable the post action cleanup phase
+   */
+  skipCleanup: boolean
 }

src/main.ts

@@ -30,6 +30,12 @@ async function run(): Promise<void> {
 }
 
 async function cleanup(): Promise<void> {
+  const sourceSettings = await inputHelper.getInputs()
+
+  if (sourceSettings.skipCleanup) {
+    return
+  }
+
   try {
     await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
   } catch (error) {

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )