Merge 2449f8bb0b into 8e8c483db8

.github/workflows/test.yml

@@ -165,6 +165,22 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
+      # Worktree credentials
+      - name: Checkout for worktree test
+        uses: ./
+        with:
+          path: worktree-test
+      - name: Verify worktree credentials
+        shell: bash
+        run: __test__/verify-worktree.sh worktree-test worktree-branch
+
+      # Worktree credentials in container step
+      - name: Verify worktree credentials in container step
+        if: runner.os == 'Linux'
+        uses: docker://bitnami/git:latest
+        with:
+          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
+
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'

CHANGELOG.md

@@ -1,19 +1,19 @@
 # Changelog
 
-## V6.0.0
+## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
 
-## V5.0.1
+## v5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
 
-## V5.0.0
+## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## V4.3.1
+## v4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## V4.3.0
+## v4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -4,8 +4,9 @@
 
 ## What's new
 
-- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
+- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
+- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
 
 # Checkout v5
 
@@ -128,6 +129,9 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # Default: 1
     fetch-depth: ''
 
+    # Date like `2days` or `1970-01-01`. Fetch a history after the specified time.
+    shallow-since: ''
+
     # Whether to fetch tags, even if fetch-depth > 0.
     # Default: false
     fetch-tags: ''

__test__/git-auth-helper.test.ts

@@ -1157,6 +1157,7 @@ async function setup(testName: string): Promise<void> {
     sparseCheckout: [],
     sparseCheckoutConeMode: true,
     fetchDepth: 1,
+    shallowSince: '',
     fetchTags: false,
     showProgress: true,
     lfs: false,

__test__/verify-worktree.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Verify worktree credentials
+# This test verifies that git credentials work in worktrees created after checkout
+# Usage: verify-worktree.sh <checkout-path> <worktree-name>
+
+CHECKOUT_PATH="$1"
+WORKTREE_NAME="$2"
+
+if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
+  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
+  exit 1
+fi
+
+cd "$CHECKOUT_PATH"
+
+# Add safe directory for container environments
+git config --global --add safe.directory "*" 2>/dev/null || true
+
+# Show the includeIf configuration
+echo "Git config includeIf entries:"
+git config --list --show-origin | grep -i include || true
+
+# Create the worktree
+echo "Creating worktree..."
+git worktree add "../$WORKTREE_NAME" HEAD --detach
+
+# Change to worktree directory
+cd "../$WORKTREE_NAME"
+
+# Verify we're in a worktree
+echo "Verifying worktree gitdir:"
+cat .git
+
+# Verify credentials are available in worktree by checking extraheader is configured
+echo "Checking credentials in worktree..."
+if git config --list --show-origin | grep -q "extraheader"; then
+  echo "Credentials are configured in worktree"
+else
+  echo "ERROR: Credentials are NOT configured in worktree"
+  echo "Full git config:"
+  git config --list --show-origin
+  exit 1
+fi
+
+# Verify fetch works in the worktree
+echo "Fetching in worktree..."
+git fetch origin
+
+echo "Worktree credentials test passed!"

action.yml

@@ -74,6 +74,8 @@ inputs:
   fetch-depth:
     description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.'
     default: 1
+  shallow-since:
+    description: 'Date like `2days` or `1970-01-01`. Fetch a history after the specified time.'
   fetch-tags:
     description: 'Whether to fetch tags, even if fetch-depth > 0.'
     default: false

adrs/0153-checkout-v2.md

@@ -72,6 +72,8 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
   fetch-depth:
     description: 'Number of commits to fetch. 0 indicates all history for all tags and branches.'
     default: 1
+  shallow-since:
+    description: 'Date like `2days` or `1970-01-01`. Fetch a history after the specified time.'
   lfs:
     description: 'Whether to download Git-LFS files'
     default: false
@@ -155,7 +157,7 @@ Fetch only the SHA being built and set depth=1. This significantly reduces the f
 
 If a SHA isn't available (e.g. multi repo), then fetch only the specified ref with depth=1.
 
-The input `fetch-depth` can be used to control the depth.
+The input `fetch-depth` and `shallow-since` can be used to control the depth.
 
 Note:
 - Fetching a single commit is supported by Git wire protocol version 2. The git client uses protocol version 0 by default. The desired protocol version can be overridden in the git config or on the fetch command line invocation (`-c protocol.version=2`). We will override on the fetch command line, for transparency.

dist/index.js

@@ -412,6 +412,9 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
+                // Configure host includeIf for worktrees
+                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
+                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
                 const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@@ -424,6 +427,9 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                // Configure container includeIf for worktrees
+                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
+                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
@@ -835,6 +841,9 @@ class GitCommandManager {
             if (options.filter) {
                 args.push(`--filter=${options.filter}`);
             }
+            if (options.shallowSince) {
+                args.push(`--shallow-since=${options.shallowSince}`);
+            }
             if (options.fetchDepth && options.fetchDepth > 0) {
                 args.push(`--depth=${options.fetchDepth}`);
             }
@@ -975,13 +984,16 @@ class GitCommandManager {
             yield this.execGit(args);
         });
     }
-    submoduleUpdate(fetchDepth, recursive) {
+    submoduleUpdate(fetchDepth, recursive, shallowSince) {
         return __awaiter(this, void 0, void 0, function* () {
             const args = ['-c', 'protocol.version=2'];
             args.push('submodule', 'update', '--init', '--force');
             if (fetchDepth > 0) {
                 args.push(`--depth=${fetchDepth}`);
             }
+            if (shallowSince) {
+                args.push(`--shallow-since=${shallowSince}`);
+            }
             if (recursive) {
                 args.push('--recursive');
             }
@@ -2023,6 +2035,12 @@ function getInputs() {
             result.fetchDepth = 0;
         }
         core.debug(`fetch depth = ${result.fetchDepth}`);
+        // Shallow since
+        if (core.getInput('fetch-depth') && core.getInput('shallow-since')) {
+            throw new Error('`fetch-depth` and `shallow-since` cannot be used at the same time');
+        }
+        result.shallowSince = core.getInput('shallow-since');
+        core.debug(`shallow since = ${result.shallowSince}`);
         // Fetch tags
         result.fetchTags =
             (core.getInput('fetch-tags') || 'false').toUpperCase() === 'TRUE';

src/git-auth-helper.ts

@@ -374,6 +374,10 @@ class GitAuthHelper {
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
+      // Configure host includeIf for worktrees
+      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
+      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
+
       // Container git directory
       const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -395,6 +399,13 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
+
+      // Configure container includeIf for worktrees
+      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
+      await this.git.config(
+        containerWorktreeIncludeKey,
+        containerCredentialsPath
+      )
     }
   }
 

src/git-command-manager.ts

@@ -37,6 +37,7 @@ export interface IGitCommandManager {
     options: {
       filter?: string
       fetchDepth?: number
+      shallowSince?: string
       fetchTags?: boolean
       showProgress?: boolean
     }
@@ -56,8 +57,12 @@ export interface IGitCommandManager {
   shaExists(sha: string): Promise<boolean>
   submoduleForeach(command: string, recursive: boolean): Promise<string>
   submoduleSync(recursive: boolean): Promise<void>
-  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
   submoduleStatus(): Promise<boolean>
+  submoduleUpdate(
+    fetchDepth: number,
+    recursive: boolean,
+    shallowSince?: string
+  ): Promise<void>
   tagExists(pattern: string): Promise<boolean>
   tryClean(): Promise<boolean>
   tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
@@ -280,6 +285,7 @@ class GitCommandManager {
     options: {
       filter?: string
       fetchDepth?: number
+      shallowSince?: string
       fetchTags?: boolean
       showProgress?: boolean
     }
@@ -298,6 +304,10 @@ class GitCommandManager {
       args.push(`--filter=${options.filter}`)
     }
 
+    if (options.shallowSince) {
+      args.push(`--shallow-since=${options.shallowSince}`)
+    }
+
     if (options.fetchDepth && options.fetchDepth > 0) {
       args.push(`--depth=${options.fetchDepth}`)
     } else if (
@@ -448,13 +458,21 @@ class GitCommandManager {
     await this.execGit(args)
   }
 
-  async submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void> {
+  async submoduleUpdate(
+    fetchDepth: number,
+    recursive: boolean,
+    shallowSince?: string
+  ): Promise<void> {
     const args = ['-c', 'protocol.version=2']
     args.push('submodule', 'update', '--init', '--force')
     if (fetchDepth > 0) {
       args.push(`--depth=${fetchDepth}`)
     }
 
+    if (shallowSince) {
+      args.push(`--shallow-since=${shallowSince}`)
+    }
+
     if (recursive) {
       args.push('--recursive')
     }

src/git-source-settings.ts

@@ -50,7 +50,12 @@ export interface IGitSourceSettings {
   fetchDepth: number
 
   /**
-   * Fetch tags, even if fetchDepth > 0 (default: false)
+   * Deepen or shorten the history of a shallow repository to include all reachable commits after
+   */
+  shallowSince: string
+
+  /**
+   *  Fetch tags, even if fetchDepth > 0 (default: false)
    */
   fetchTags: boolean
 

src/input-helper.ts

@@ -108,6 +108,15 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   }
   core.debug(`fetch depth = ${result.fetchDepth}`)
 
+  // Shallow since
+  if (core.getInput('fetch-depth') && core.getInput('shallow-since')) {
+    throw new Error(
+      '`fetch-depth` and `shallow-since` cannot be used at the same time'
+    )
+  }
+  result.shallowSince = core.getInput('shallow-since')
+  core.debug(`shallow since = ${result.shallowSince}`)
+
   // Fetch tags
   result.fetchTags =
     (core.getInput('fetch-tags') || 'false').toUpperCase() === 'TRUE'