Merge 0dcc70b094 into 8e8c483db8

Clarify v6 README (#2328 )
Add worktree support for persist-credentials includeIf (#2327 )
2025-12-14 17:01:15 +00:00 · 2025-12-03 05:47:58 +03:00 · 2025-12-01 20:08:49 -06:00 · 2025-12-01 19:53:23 -06:00 · 2025-09-23 19:00:12 -07:00
9 changed files with 97 additions and 36 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -165,6 +165,22 @@ jobs:
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh
      # Worktree credentials
      - name: Checkout for worktree test
        uses: ./
        with:
          path: worktree-test
      - name: Verify worktree credentials
        shell: bash
        run: __test__/verify-worktree.sh worktree-test worktree-branch
      # Worktree credentials in container step
      - name: Verify worktree credentials in container step
        if: runner.os == 'Linux'
        uses: docker://bitnami/git:latest
        with:
          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,19 +1,19 @@
 # Changelog
-## V6.0.0
+## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
-## V5.0.1
+## v5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
-## V5.0.0
+## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
-## V4.3.1
+## v4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
-## V4.3.0
+## v4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
--- a/README.md
+++ b/README.md
@ -4,8 +4,9 @@
 ## What's new
- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
+- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
 - Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
 # Checkout v5
--- a/test/verify-worktree.sh
+++ b/test/verify-worktree.sh
@ -0,0 +1,51 @@
 #!/bin/bash
 set -e
 # Verify worktree credentials
 # This test verifies that git credentials work in worktrees created after checkout
 # Usage: verify-worktree.sh <checkout-path> <worktree-name>
 CHECKOUT_PATH="$1"
 WORKTREE_NAME="$2"
 if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
  exit 1
 fi
 cd "$CHECKOUT_PATH"
 # Add safe directory for container environments
 git config --global --add safe.directory "*" 2>/dev/null || true
 # Show the includeIf configuration
 echo "Git config includeIf entries:"
 git config --list --show-origin | grep -i include || true
 # Create the worktree
 echo "Creating worktree..."
 git worktree add "../$WORKTREE_NAME" HEAD --detach
 # Change to worktree directory
 cd "../$WORKTREE_NAME"
 # Verify we're in a worktree
 echo "Verifying worktree gitdir:"
 cat .git
 # Verify credentials are available in worktree by checking extraheader is configured
 echo "Checking credentials in worktree..."
 if git config --list --show-origin | grep -q "extraheader"; then
  echo "Credentials are configured in worktree"
 else
  echo "ERROR: Credentials are NOT configured in worktree"
  echo "Full git config:"
  git config --list --show-origin
  exit 1
 fi
 # Verify fetch works in the worktree
 echo "Fetching in worktree..."
 git fetch origin
 echo "Worktree credentials test passed!"
--- a/dist/index.js
+++ b/dist/index.js
@ -412,6 +412,9 @@ class GitAuthHelper {
                // Configure host includeIf
                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
                // Configure host includeIf for worktrees
                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@ -424,6 +427,9 @@ class GitAuthHelper {
                // Configure container includeIf
                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
                // Configure container includeIf for worktrees
                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
    }
--- a/package-lock.json
+++ b/package-lock.json
@ -13,13 +13,11 @@
        "@actions/exec": "^1.1.1",
        "@actions/github": "^6.0.0",
        "@actions/io": "^1.1.3",
-        "@actions/tool-cache": "^2.0.1",
+        "@actions/tool-cache": "^2.0.1"
        "uuid": "^9.0.1"
      },
      "devDependencies": {
        "@types/jest": "^29.5.12",
        "@types/node": "^24.1.0",
        "@types/uuid": "^9.0.8",
        "@typescript-eslint/eslint-plugin": "^7.9.0",
        "@typescript-eslint/parser": "^7.9.0",
        "@vercel/ncc": "^0.38.1",
@ -1529,12 +1527,6 @@
      "integrity": "sha512-9aEbYZ3TbYMznPdcdr3SmIrLXwC/AKZXQeCf9Pgao5CKb8CyHuEX5jzWPTkvregvhRJHcpRO6BFoGW9ycaOkYw==",
      "dev": true
    },
    "node_modules/@types/uuid": {
      "version": "9.0.8",
      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.8.tgz",
      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
      "dev": true
    },
    "node_modules/@types/yargs": {
      "version": "17.0.32",
      "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-17.0.32.tgz",
@ -6914,18 +6906,6 @@
        "punycode": "^2.1.0"
      }
    },
    "node_modules/uuid": {
      "version": "9.0.1",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
      ],
      "bin": {
        "uuid": "dist/bin/uuid"
      }
    },
    "node_modules/v8-to-istanbul": {
      "version": "9.2.0",
      "resolved": "https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.2.0.tgz",
--- a/package.json
+++ b/package.json
@ -32,13 +32,11 @@
    "@actions/exec": "^1.1.1",
    "@actions/github": "^6.0.0",
    "@actions/io": "^1.1.3",
-    "@actions/tool-cache": "^2.0.1",
+    "@actions/tool-cache": "^2.0.1"
    "uuid": "^9.0.1"
  },
  "devDependencies": {
    "@types/jest": "^29.5.12",
    "@types/node": "^24.1.0",
    "@types/uuid": "^9.0.8",
    "@typescript-eslint/eslint-plugin": "^7.9.0",
    "@typescript-eslint/parser": "^7.9.0",
    "@vercel/ncc": "^0.38.1",
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -8,7 +8,6 @@ import * as path from 'path'
 import * as regexpHelper from './regexp-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
 import {v4 as uuid} from 'uuid'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
@ -90,7 +89,7 @@ class GitAuthHelper {
    // Create a temp home directory
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
-    const uniqueId = uuid()
+    const uniqueId = crypto.randomUUID()
    this.temporaryHomePath = path.join(runnerTemp, uniqueId)
    await fs.promises.mkdir(this.temporaryHomePath, {recursive: true})
@ -255,7 +254,7 @@ class GitAuthHelper {
    // Write key
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
-    const uniqueId = uuid()
+    const uniqueId = crypto.randomUUID()
    this.sshKeyPath = path.join(runnerTemp, uniqueId)
    stateHelper.setSshKeyPath(this.sshKeyPath)
    await fs.promises.mkdir(runnerTemp, {recursive: true})
@ -374,6 +373,10 @@ class GitAuthHelper {
      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)
      // Configure host includeIf for worktrees
      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
      // Container git directory
      const workingDirectory = this.git.getWorkingDirectory()
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
@ -395,6 +398,13 @@ class GitAuthHelper {
      // Configure container includeIf
      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)
      // Configure container includeIf for worktrees
      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
      await this.git.config(
        containerWorktreeIncludeKey,
        containerCredentialsPath
      )
    }
  }
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@ -6,7 +6,6 @@ import * as io from '@actions/io'
 import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
 import {v4 as uuid} from 'uuid'
 import {getServerApiUrl} from './url-helper'
 const IS_WINDOWS = process.platform === 'win32'
@ -34,7 +33,7 @@ export async function downloadRepository(
  // Write archive to disk
  core.info('Writing archive to disk')
-  const uniqueId = uuid()
+  const uniqueId = crypto.randomUUID()
  const archivePath = IS_WINDOWS
    ? path.join(repositoryPath, `${uniqueId}.zip`)
    : path.join(repositoryPath, `${uniqueId}.tar.gz`)
Author	SHA1	Message	Date
Trivikram Kamat	af1ddd7f22	Merge `0dcc70b094` into `8e8c483db8`	2025-12-03 05:47:58 +03:00
eric sciple	8e8c483db8	Clarify v6 README (#2328 ) Some checks failed CodeQL / Analyze (push) Has been cancelled Details Licensed / Check licenses (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Check dist / check-dist (push) Has been cancelled Details Build and Test / test (ubuntu-latest) (push) Has been cancelled Details Build and Test / test (windows-latest) (push) Has been cancelled Details Build and Test / test (macos-latest) (push) Has been cancelled Details Build and Test / test-proxy (push) Has been cancelled Details Build and Test / test-bypass-proxy (push) Has been cancelled Details Build and Test / test-git-container (push) Has been cancelled Details Build and Test / test-output (push) Has been cancelled Details	2025-12-01 20:08:49 -06:00
eric sciple	033fa0dc0b	Add worktree support for persist-credentials includeIf (#2327 )	2025-12-01 19:53:23 -06:00
Kamat, Trivikram	0dcc70b094	Replace uuid with crypto.randomUUID()	2025-09-23 19:00:12 -07:00