Merge 0865c4bfce into 1af3b93b68

Signed-off-by: James Bradlee <james.bradlee@telenor.no>

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout
       - name: Checkout basic
@@ -165,22 +165,6 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -218,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -250,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -280,7 +264,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -307,8 +291,8 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
-        uses: actions/checkout@v6
+      - name: Fix Checkout v4
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -317,7 +301,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: actions-checkout
 

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,19 +1,19 @@
 # Changelog
 
-## v6.0.0
+## V6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
 
-## v5.0.1
+## V5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
 
-## v5.0.0
+## V5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## v4.3.1
+## V4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -4,9 +4,8 @@
 
 ## What's new
 
-- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
-- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
+- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
 
 # Checkout v5
 
@@ -52,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -63,6 +62,11 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # Otherwise, uses the default branch.
     ref: ''
 
+    # The commit SHA to checkout. Used when ref is not specified or is ambiguous. This
+    # can be used as a replacement for ref, or alongside it to checkout a specific
+    # commit of the ref.
+    commit: ''
+
     # Personal access token (PAT) used to fetch the repository. The PAT is configured
     # with the local git config, which enables your scripts to run authenticated git
     # commands. The post-job step removes the PAT.
@@ -191,7 +195,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: .
 ```
@@ -199,7 +203,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       .github
@@ -209,7 +213,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       README.md
@@ -219,7 +223,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 0
 ```
@@ -227,7 +231,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: my-branch
 ```
@@ -235,7 +239,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +249,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -261,10 +265,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -275,12 +279,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +297,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +313,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 
 ## Push a commit using the built-in token
@@ -320,7 +324,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
@@ -342,7 +346,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       - run: |

__test__/input-helper.test.ts

@@ -144,4 +144,30 @@ describe('input-helper tests', () => {
     const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.workflowOrganizationId).toBe(123456)
   })
+
+  it('accepts ref and commit', async () => {
+    inputs.ref = 'refs/pull/123/merge'
+    inputs.commit = '0123456789012345678901234567890123456789'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings).toBeTruthy()
+    expect(settings.ref).toBeTruthy()
+    expect(settings.ref).toStrictEqual('refs/pull/123/merge')
+    expect(settings.commit).toBeTruthy()
+    expect(settings.commit).toStrictEqual(
+      '0123456789012345678901234567890123456789'
+    )
+  })
+
+  it('ref fallbacks to commit if ref is empty but commit is specified', async () => {
+    inputs.ref = ''
+    inputs.commit = '0123456789012345678901234567890123456789'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings).toBeTruthy()
+    expect(settings.ref).toBeFalsy()
+    expect(settings.ref).toStrictEqual('')
+    expect(settings.commit).toBeTruthy()
+    expect(settings.commit).toStrictEqual(
+      '0123456789012345678901234567890123456789'
+    )
+  })
 })

__test__/verify-worktree.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-# Verify worktree credentials
-# This test verifies that git credentials work in worktrees created after checkout
-# Usage: verify-worktree.sh <checkout-path> <worktree-name>
-
-CHECKOUT_PATH="$1"
-WORKTREE_NAME="$2"
-
-if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
-  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
-  exit 1
-fi
-
-cd "$CHECKOUT_PATH"
-
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
-# Show the includeIf configuration
-echo "Git config includeIf entries:"
-git config --list --show-origin | grep -i include || true
-
-# Create the worktree
-echo "Creating worktree..."
-git worktree add "../$WORKTREE_NAME" HEAD --detach
-
-# Change to worktree directory
-cd "../$WORKTREE_NAME"
-
-# Verify we're in a worktree
-echo "Verifying worktree gitdir:"
-cat .git
-
-# Verify credentials are available in worktree by checking extraheader is configured
-echo "Checking credentials in worktree..."
-if git config --list --show-origin | grep -q "extraheader"; then
-  echo "Credentials are configured in worktree"
-else
-  echo "ERROR: Credentials are NOT configured in worktree"
-  echo "Full git config:"
-  git config --list --show-origin
-  exit 1
-fi
-
-# Verify fetch works in the worktree
-echo "Fetching in worktree..."
-git fetch origin
-
-echo "Worktree credentials test passed!"

action.yml

@@ -9,6 +9,11 @@ inputs:
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
       event.  Otherwise, uses the default branch.
+  commit:
+    description: >
+      The commit SHA to checkout. Used when ref is not specified or is ambiguous.
+      This can be used as a replacement for ref, or alongside it to checkout a
+      specific commit of the ref.
   token:
     description: >
       Personal access token (PAT) used to fetch the repository. The PAT is configured

dist/index.js

@@ -412,9 +412,6 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
-                // Configure host includeIf for worktrees
-                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
-                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
                 const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -427,9 +424,6 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                // Configure container includeIf for worktrees
-                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
-                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
@@ -1986,7 +1980,11 @@ function getInputs() {
         const isWorkflowRepository = qualifiedRepository.toUpperCase() ===
             `${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
         // Source branch, source version
-        result.ref = core.getInput('ref');
+        result.commit = core.getInput('commit');
+        if (result.commit && !result.commit.match(/^[0-9a-fA-F]{40}$/)) {
+            throw new Error(`The commit SHA '${result.commit}' is not a valid SHA.`);
+        }
+        result.ref = core.getInput('ref') || result.commit;
         if (!result.ref) {
             if (isWorkflowRepository) {
                 result.ref = github.context.ref;

src/git-auth-helper.ts

@@ -374,10 +374,6 @@ class GitAuthHelper {
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
-      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
-      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
-
       // Container git directory
       const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -399,13 +395,6 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
-
-      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
-      await this.git.config(
-        containerWorktreeIncludeKey,
-        containerCredentialsPath
-      )
     }
   }
 

src/input-helper.ts

@@ -57,7 +57,12 @@ export async function getInputs(): Promise<IGitSourceSettings> {
     `${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase()
 
   // Source branch, source version
-  result.ref = core.getInput('ref')
+  result.commit = core.getInput('commit')
+  if (result.commit && !result.commit.match(/^[0-9a-fA-F]{40}$/)) {
+    throw new Error(`The commit SHA '${result.commit}' is not a valid SHA.`)
+  }
+
+  result.ref = core.getInput('ref') || result.commit
   if (!result.ref) {
     if (isWorkflowRepository) {
       result.ref = github.context.ref

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )