Safe Directory v2 update (#764)

* set safe directory when running checkout

.github/workflows/check-dist.yml

@@ -22,12 +22,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
 
-      - name: Set Node.js 16.x
+      - name: Set Node.js 12.x
         uses: actions/setup-node@v1
         with:
-          node-version: 16.x
+          node-version: 12.x
 
       - name: Install dependencies
         run: npm ci

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/test.yml

@@ -13,8 +13,8 @@ jobs:
     steps:
       - uses: actions/setup-node@v1
         with:
-          node-version: 16.x
+          node-version: 12.x
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       # Basic checkout
       - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       # Basic checkout using git
       - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       # Basic checkout using git
       - name: Checkout basic
@@ -205,41 +205,3 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3

.gitignore

@@ -1,21 +1,4 @@
 __test__/_temp
 _temp/
 lib/
-node_modules/
+node_modules/
-/dist/fs-helper.d.ts
-/dist/git-auth-helper.d.ts
-/dist/git-command-manager.d.ts
-/dist/git-directory-helper.d.ts
-/dist/git-source-provider.d.ts
-/dist/git-source-settings.d.ts
-/dist/git-version.d.ts
-/dist/github-api-helper.d.ts
-/dist/input-helper.d.ts
-/dist/main.d.ts
-/dist/misc/generate-docs.d.ts
-/dist/ref-helper.d.ts
-/dist/regexp-helper.d.ts
-/dist/retry-helper.d.ts
-/dist/state-helper.d.ts
-/dist/url-helper.d.ts
-/dist/workflow-context-helper.d.ts

.licenses/npm/node-fetch.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: node-fetch
-version: 2.6.7
+version: 2.6.5
 type: npm
 summary: A light-weight module that brings window.fetch to node.js
 homepage: https://github.com/bitinn/node-fetch

CHANGELOG.md

@@ -1,20 +1,13 @@
 # Changelog
 
-## v3.0.2
+## v2.4.1
-- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/770)
+- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)
-
-## v3.0.1
-- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://github.com/actions/checkout/pull/762)
-- [Bumped various npm package versions](https://github.com/actions/checkout/pull/744)
-
-## v3.0.0
-
-- [Update to node 16](https://github.com/actions/checkout/pull/689)
 
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
 
+
 ## v2.3.0
 
 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)

README.md

@@ -2,28 +2,39 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-This is a fork of https://github.com/actions/checkout@v3
+# Checkout V2
 
-# Build
+This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-## Windows
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
-ncc.cmd build .\src\main.ts
+The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+
+When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
 
 # What's new
 
-With this action it is possible to check out a repository located on a Gitea instance with subdirectories.
+- Improved performance
+  - Fetches only a single commit by default
+- Script authenticated git commands
+  - Auth token persisted in the local git config
+- Supports SSH
+- Creates a local branch
+  - No longer detached HEAD when checking out a branch
+- Improved layout
+  - The input `path` is always relative to $GITHUB_WORKSPACE
+  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+- Fallback to REST API download
+  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
+  - When using a job container, the container's PATH is used
 
-Changed  
+Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
-`https://<domain>[:<port>]/<name>/<repository>`  
-to  
-`https://<domain>[:<port>]/<subpath>/<name>/<repository>`
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: https://gitea.com/ScMi1/checkout@v1
+- uses: actions/checkout@v2
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -94,11 +105,6 @@ to
     #
     # Default: false
     submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->
 
@@ -117,7 +123,7 @@ to
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v2
   with:
     fetch-depth: 0
 ```
@@ -125,7 +131,7 @@ to
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v2
   with:
     ref: my-branch
 ```
@@ -133,7 +139,7 @@ to
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v2
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -143,12 +149,12 @@ to
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -158,10 +164,10 @@ to
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
 
 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -171,12 +177,12 @@ to
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -189,7 +195,7 @@ to
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v2
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -205,7 +211,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
 ```
 
 ## Push a commit using the built-in token
@@ -216,7 +222,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
       - run: |
           date > generated.txt
           git config user.name github-actions

__test__/git-auth-helper.test.ts

@@ -777,8 +777,7 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
-    workflowOrganizationId: 123456,
+    workflowOrganizationId: 123456
-    setSafeDirectory: true
   }
 }
 

__test__/input-helper.test.ts

@@ -85,7 +85,6 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
   })
 
   it('qualifies ref', async () => {

action.yml

@@ -68,10 +68,7 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
-  using: node16
+  using: node12
   main: dist/index.js
   post: dist/index.js

src/git-auth-helper.ts

@@ -19,7 +19,7 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
+  configureTempGlobalConfig(repositoryPath?: string): Promise<string>
   removeAuth(): Promise<void>
   removeGlobalConfig(): Promise<void>
 }
@@ -53,7 +53,7 @@ class GitAuthHelper {
 
     // Token auth header
     const serverUrl = urlHelper.getServerUrl()
-    this.tokenConfigKey = `http.${serverUrl.origin}${serverUrl.pathname}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
     const basicCredential = Buffer.from(
       `x-access-token:${this.settings.authToken}`,
       'utf8'
@@ -63,7 +63,7 @@ class GitAuthHelper {
     this.tokenConfigValue = `AUTHORIZATION: basic ${basicCredential}`
 
     // Instead of SSH URL
-    this.insteadOfKey = `url.${serverUrl.origin}${serverUrl.pathname}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
     this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
     if (this.settings.workflowOrganizationId) {
       this.insteadOfValues.push(
@@ -81,7 +81,7 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureTempGlobalConfig(): Promise<string> {
+  async configureTempGlobalConfig(repositoryPath?: string): Promise<string> {
     // Already setup global config
     if (this.temporaryHomePath?.length > 0) {
       return path.join(this.temporaryHomePath, '.gitconfig')
@@ -121,6 +121,21 @@ class GitAuthHelper {
     )
     this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
 
+    // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+    // Otherwise all git commands we run in a container fail
+    core.info(
+      `Adding working directory to the temporary git global config as a safe directory`
+    )
+    await this.git
+      .config(
+        'safe.directory',
+        repositoryPath ?? this.settings.repositoryPath,
+        true,
+        true
+      )
+      .catch(error => {
+        core.info(`Failed to initialize safe directory with error: ${error}`)
+      })
     return newGitConfigPath
   }
 

src/git-command-manager.ts

@@ -231,7 +231,6 @@ class GitCommandManager {
   }
 
   async init(): Promise<void> {
-    await this.execGit(['config', '--global', 'init.defaultBranch', 'main'])
     await this.execGit(['init', this.workingDirectory])
   }
 

src/git-source-provider.ts

@@ -40,24 +40,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   try {
     if (git) {
       authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.setSafeDirectory) {
+      await authHelper.configureTempGlobalConfig()
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
-        )
-
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
-
-        stateHelper.setSafeDirectory()
-      }
     }
 
     // Prepare existing directory, otherwise recreate
@@ -266,21 +249,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
   try {
-    if (stateHelper.PostSetSafeDirectory) {
+    await authHelper.configureTempGlobalConfig(repositoryPath)
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
-    }
-
     await authHelper.removeAuth()
   } finally {
     await authHelper.removeGlobalConfig()

src/git-source-settings.ts

@@ -78,9 +78,4 @@ export interface IGitSourceSettings {
    * Organization ID for the currently running workflow (used for auth settings)
    */
   workflowOrganizationId: number | undefined
-
-  /**
-   * Indicates whether to add repositoryPath as safe.directory in git global config
-   */
-  setSafeDirectory: boolean
 }

src/input-helper.ts

@@ -23,15 +23,15 @@ export async function getInputs(): Promise<IGitSourceSettings> {
     `${github.context.repo.owner}/${github.context.repo.repo}`
   core.debug(`qualified repository = '${qualifiedRepository}'`)
   const splitRepository = qualifiedRepository.split('/')
-  // if (
+  if (
-  //   splitRepository.length !== 2 ||
+    splitRepository.length !== 2 ||
-  //   !splitRepository[0] ||
+    !splitRepository[0] ||
-  //   !splitRepository[1]
+    !splitRepository[1]
-  // ) {
+  ) {
-  //   throw new Error(
+    throw new Error(
-  //     `Invalid repository '${qualifiedRepository}'. Expected format {owner}/{repo}.`
+      `Invalid repository '${qualifiedRepository}'. Expected format {owner}/{repo}.`
-  //   )
+    )
-  // }
+  }
   result.repositoryOwner = splitRepository[0]
   result.repositoryName = splitRepository[1]
 
@@ -122,8 +122,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   // Workflow organization ID
   result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
 
-  // Set safe.directory in git global config.
-  result.setSafeDirectory =
-    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v3',
+  'actions/checkout@v2',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/misc/licensed-check.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed status
+_temp/licensed-3.3.1/licensed status

src/misc/licensed-download.sh

@@ -2,23 +2,23 @@
 
 set -e
 
-if [ ! -f _temp/licensed-3.6.0.done ]; then
+if [ ! -f _temp/licensed-3.3.1.done ]; then
   echo 'Clearing temp'
-  rm -rf _temp/licensed-3.6.0 || true
+  rm -rf _temp/licensed-3.3.1 || true
 
   echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.6.0
+  mkdir -p _temp/licensed-3.3.1
-  pushd _temp/licensed-3.6.0
+  pushd _temp/licensed-3.3.1
   if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
   else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
   fi
 
   echo 'Extracting licenesed'
   tar -xzf licensed.tar.gz
   popd
-  touch _temp/licensed-3.6.0.done
+  touch _temp/licensed-3.3.1.done
 else
   echo 'Licensed already downloaded'
 fi

src/misc/licensed-generate.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed cache
+_temp/licensed-3.3.1/licensed cache

src/state-helper.ts

@@ -11,12 +11,6 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
   (process.env['STATE_repositoryPath'] as string) || ''
 
-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-export const PostSetSafeDirectory =
-  (process.env['STATE_setSafeDirectory'] as string) === 'true'
-
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
@@ -57,13 +51,6 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
   )
 }
 
-/**
- * Save the sef-safe-directory input so the POST action can retrieve the value.
- */
-export function setSafeDirectory() {
-  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
-}
-
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {

src/url-helper.ts

@@ -16,7 +16,7 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
   }
 
   // "origin" is SCHEME://HOSTNAME[:PORT]
-  return `${serviceUrl.origin}${serviceUrl.pathname}/${encodedOwner}/${encodedName}`
+  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
 }
 
 export function getServerUrl(): URL {