Merge e7667abffb into 8e8c483db8

Clarify v6 README (#2328 )
Add worktree support for persist-credentials includeIf (#2327 )
2025-12-14 08:51:14 +00:00 · 2025-12-03 16:43:32 +01:00 · 2025-12-01 20:08:49 -06:00 · 2025-12-01 19:53:23 -06:00 · 2025-07-28 15:27:08 +02:00
9 changed files with 107 additions and 7 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -165,6 +165,22 @@ jobs:
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh

+      # Worktree credentials
+      - name: Checkout for worktree test
+        uses: ./
+        with:
+          path: worktree-test
+      - name: Verify worktree credentials
+        shell: bash
+        run: __test__/verify-worktree.sh worktree-test worktree-branch
+
+      # Worktree credentials in container step
+      - name: Verify worktree credentials in container step
+        if: runner.os == 'Linux'
+        uses: docker://bitnami/git:latest
+        with:
+          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
+
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,19 +1,19 @@
 # Changelog

-## V6.0.0
+## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248

-## V5.0.1
+## v5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301

-## V5.0.0
+## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226

-## V4.3.1
+## v4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305

-## V4.3.0
+## v4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
--- a/README.md
+++ b/README.md
@ -4,8 +4,9 @@

 ## What's new

- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
-  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.
+- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
+- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
+- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later

 # Checkout v5

--- a/test/verify-worktree.sh
+++ b/test/verify-worktree.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Verify worktree credentials
+# This test verifies that git credentials work in worktrees created after checkout
+# Usage: verify-worktree.sh <checkout-path> <worktree-name>
+
+CHECKOUT_PATH="$1"
+WORKTREE_NAME="$2"
+
+if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
+  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
+  exit 1
+fi
+
+cd "$CHECKOUT_PATH"
+
+# Add safe directory for container environments
+git config --global --add safe.directory "*" 2>/dev/null || true
+
+# Show the includeIf configuration
+echo "Git config includeIf entries:"
+git config --list --show-origin | grep -i include || true
+
+# Create the worktree
+echo "Creating worktree..."
+git worktree add "../$WORKTREE_NAME" HEAD --detach
+
+# Change to worktree directory
+cd "../$WORKTREE_NAME"
+
+# Verify we're in a worktree
+echo "Verifying worktree gitdir:"
+cat .git
+
+# Verify credentials are available in worktree by checking extraheader is configured
+echo "Checking credentials in worktree..."
+if git config --list --show-origin | grep -q "extraheader"; then
+  echo "Credentials are configured in worktree"
+else
+  echo "ERROR: Credentials are NOT configured in worktree"
+  echo "Full git config:"
+  git config --list --show-origin
+  exit 1
+fi
+
+# Verify fetch works in the worktree
+echo "Fetching in worktree..."
+git fetch origin
+
+echo "Worktree credentials test passed!"
--- a/action.yml
+++ b/action.yml
@ -98,6 +98,10 @@ inputs:
  github-server-url:
    description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
    required: false
+  skip-cleanup:
+    description: Skips the cleanup phase on post action hook
+    required: false
+    default: false
 outputs:
  ref:
    description: 'The branch, tag or SHA that was checked out'
--- a/dist/index.js
+++ b/dist/index.js
@ -412,6 +412,9 @@ class GitAuthHelper {
                // Configure host includeIf
                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
+                // Configure host includeIf for worktrees
+                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
+                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@ -424,6 +427,9 @@ class GitAuthHelper {
                // Configure container includeIf
                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                // Configure container includeIf for worktrees
+                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
+                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
    }
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -374,6 +374,10 @@ class GitAuthHelper {
      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)

+      // Configure host includeIf for worktrees
+      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
+      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
+
      // Container git directory
      const workingDirectory = this.git.getWorkingDirectory()
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
@ -395,6 +399,13 @@ class GitAuthHelper {
      // Configure container includeIf
      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)
+
+      // Configure container includeIf for worktrees
+      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
+      await this.git.config(
+        containerWorktreeIncludeKey,
+        containerCredentialsPath
+      )
    }
  }

--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@ -118,4 +118,9 @@ export interface IGitSourceSettings {
   * User override on the GitHub Server/Host URL that hosts the repository to be cloned
   */
  githubServerUrl: string | undefined
+
+  /**
+   * Disable the post action cleanup phase
+   */
+  skipCleanup: boolean
 }
--- a/src/main.ts
+++ b/src/main.ts
@ -30,6 +30,12 @@ async function run(): Promise<void> {
 }

 async function cleanup(): Promise<void> {
+  const sourceSettings = await inputHelper.getInputs()
+
+  if (sourceSettings.skipCleanup) {
+    return
+  }
+
  try {
    await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
  } catch (error) {
Author	SHA1	Message	Date
Vìncent Le Goff	6517390cd2	Merge `e7667abffb` into `8e8c483db8`	2025-12-03 16:43:32 +01:00
eric sciple	8e8c483db8	Clarify v6 README (#2328 ) Some checks failed CodeQL / Analyze (push) Has been cancelled Details Licensed / Check licenses (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Check dist / check-dist (push) Has been cancelled Details Build and Test / test (ubuntu-latest) (push) Has been cancelled Details Build and Test / test (windows-latest) (push) Has been cancelled Details Build and Test / test (macos-latest) (push) Has been cancelled Details Build and Test / test-proxy (push) Has been cancelled Details Build and Test / test-bypass-proxy (push) Has been cancelled Details Build and Test / test-git-container (push) Has been cancelled Details Build and Test / test-output (push) Has been cancelled Details	2025-12-01 20:08:49 -06:00
eric sciple	033fa0dc0b	Add worktree support for persist-credentials includeIf (#2327 )	2025-12-01 19:53:23 -06:00
Vincent Le Goff	e7667abffb	feat(inputs): add option to disable the post action	2025-07-28 15:27:08 +02:00