Safe Directory v2 update (#764 )

* set safe directory when running checkout
2022-04-14 12:12:00 -04:00
24 changed files with 30134 additions and 35313 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -22,12 +22,12 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2

-      - name: Set Node.js 16.x
+      - name: Set Node.js 12.x
        uses: actions/setup-node@v1
        with:
-          node-version: 16.x
+          node-version: 12.x

      - name: Install dependencies
        run: npm ci
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v2

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -9,6 +9,6 @@ jobs:
    runs-on: ubuntu-latest
    name: Check licenses
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - run: npm ci
      - run: npm run licensed-check
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,8 +13,8 @@ jobs:
    steps:
      - uses: actions/setup-node@v1
        with:
-          node-version: 16.x
-      - uses: actions/checkout@v3
+          node-version: 12.x
+      - uses: actions/checkout@v2
      - run: npm ci
      - run: npm run build
      - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2

      # Basic checkout
      - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2

      # Basic checkout using git
      - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2

      # Basic checkout using git
      - name: Checkout basic
@@ -205,41 +205,3 @@ jobs:
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,4 @@
 __test__/_temp
 _temp/
 lib/
-node_modules/
-/dist/fs-helper.d.ts
-/dist/git-auth-helper.d.ts
-/dist/git-command-manager.d.ts
-/dist/git-directory-helper.d.ts
-/dist/git-source-provider.d.ts
-/dist/git-source-settings.d.ts
-/dist/git-version.d.ts
-/dist/github-api-helper.d.ts
-/dist/input-helper.d.ts
-/dist/main.d.ts
-/dist/misc/generate-docs.d.ts
-/dist/ref-helper.d.ts
-/dist/regexp-helper.d.ts
-/dist/retry-helper.d.ts
-/dist/state-helper.d.ts
-/dist/url-helper.d.ts
-/dist/workflow-context-helper.d.ts
+node_modules/
--- a/.licenses/npm/node-fetch.dep.yml
+++ b/.licenses/npm/node-fetch.dep.yml
@@ -1,6 +1,6 @@
 ---
 name: node-fetch
-version: 2.6.7
+version: 2.6.5
 type: npm
 summary: A light-weight module that brings window.fetch to node.js
 homepage: https://github.com/bitinn/node-fetch
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,20 +1,13 @@
 # Changelog

-## v3.0.2
- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/770)
-
-## v3.0.1
- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://github.com/actions/checkout/pull/762)
- [Bumped various npm package versions](https://github.com/actions/checkout/pull/744)
-
-## v3.0.0
-
- [Update to node 16](https://github.com/actions/checkout/pull/689)
+## v2.4.1
+- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)

 ## v2.3.1

 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)

+
 ## v2.3.0

 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)
--- a/README.md
+++ b/README.md
@@ -2,28 +2,39 @@
  <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>

-This is a fork of https://github.com/actions/checkout@v3
+# Checkout V2

-# Build
+This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.

-## Windows
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.

-ncc.cmd build .\src\main.ts
+The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+
+When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.

 # What's new

-With this action it is possible to check out a repository located on a Gitea instance with subdirectories.
+- Improved performance
+  - Fetches only a single commit by default
+- Script authenticated git commands
+  - Auth token persisted in the local git config
+- Supports SSH
+- Creates a local branch
+  - No longer detached HEAD when checking out a branch
+- Improved layout
+  - The input `path` is always relative to $GITHUB_WORKSPACE
+  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+- Fallback to REST API download
+  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
+  - When using a job container, the container's PATH is used

-Changed  
-`https://<domain>[:<port>]/<name>/<repository>`  
-to  
-`https://<domain>[:<port>]/<subpath>/<name>/<repository>`
+Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.

 # Usage

 <!-- start usage -->
 ```yaml
- uses: https://gitea.com/ScMi1/checkout@v1
+- uses: actions/checkout@v2
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@@ -94,11 +105,6 @@ to
    #
    # Default: false
    submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->

@@ -117,7 +123,7 @@ to
 ## Fetch all history for all tags and branches

 ```yaml
- uses: actions/checkout@v3
+- uses: actions/checkout@v2
  with:
    fetch-depth: 0
 ```
@@ -125,7 +131,7 @@ to
 ## Checkout a different branch

 ```yaml
- uses: actions/checkout@v3
+- uses: actions/checkout@v2
  with:
    ref: my-branch
 ```
@@ -133,7 +139,7 @@ to
 ## Checkout HEAD^

 ```yaml
- uses: actions/checkout@v3
+- uses: actions/checkout@v2
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@@ -143,12 +149,12 @@ to

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
  with:
    path: main

 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -158,10 +164,10 @@ to

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2

 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -171,12 +177,12 @@ to

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
  with:
    path: main

 - name: Checkout private tools
-  uses: actions/checkout@v3
+  uses: actions/checkout@v2
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -189,7 +195,7 @@ to
 ## Checkout pull request HEAD commit instead of merge commit

 ```yaml
- uses: actions/checkout@v3
+- uses: actions/checkout@v2
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -205,7 +211,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
 ```

 ## Push a commit using the built-in token
@@ -216,7 +222,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v2
      - run: |
          date > generated.txt
          git config user.name github-actions
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -777,8 +777,7 @@ async function setup(testName: string): Promise<void> {
    sshKey: sshPath ? 'some ssh private key' : '',
    sshKnownHosts: '',
    sshStrict: true,
-    workflowOrganizationId: 123456,
-    setSafeDirectory: true
+    workflowOrganizationId: 123456
  }
 }

--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@@ -85,7 +85,6 @@ describe('input-helper tests', () => {
    expect(settings.repositoryName).toBe('some-repo')
    expect(settings.repositoryOwner).toBe('some-owner')
    expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
  })

  it('qualifies ref', async () => {
--- a/action.yml
+++ b/action.yml
@@ -68,10 +68,7 @@ inputs:
      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
      converted to HTTPS.
    default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
-  using: node16
+  using: node12
  main: dist/index.js
  post: dist/index.js
--- a/dist/index.js
+++ b/dist/index.js
--- a/package-lock.json
+++ b/package-lock.json
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -19,7 +19,7 @@ export interface IGitAuthHelper {
  configureAuth(): Promise<void>
  configureGlobalAuth(): Promise<void>
  configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
+  configureTempGlobalConfig(repositoryPath?: string): Promise<string>
  removeAuth(): Promise<void>
  removeGlobalConfig(): Promise<void>
 }
@@ -53,7 +53,7 @@ class GitAuthHelper {

    // Token auth header
    const serverUrl = urlHelper.getServerUrl()
-    this.tokenConfigKey = `http.${serverUrl.origin}${serverUrl.pathname}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
    const basicCredential = Buffer.from(
      `x-access-token:${this.settings.authToken}`,
      'utf8'
@@ -63,7 +63,7 @@ class GitAuthHelper {
    this.tokenConfigValue = `AUTHORIZATION: basic ${basicCredential}`

    // Instead of SSH URL
-    this.insteadOfKey = `url.${serverUrl.origin}${serverUrl.pathname}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
    if (this.settings.workflowOrganizationId) {
      this.insteadOfValues.push(
@@ -81,7 +81,7 @@ class GitAuthHelper {
    await this.configureToken()
  }

-  async configureTempGlobalConfig(): Promise<string> {
+  async configureTempGlobalConfig(repositoryPath?: string): Promise<string> {
    // Already setup global config
    if (this.temporaryHomePath?.length > 0) {
      return path.join(this.temporaryHomePath, '.gitconfig')
@@ -121,6 +121,21 @@ class GitAuthHelper {
    )
    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)

+    // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+    // Otherwise all git commands we run in a container fail
+    core.info(
+      `Adding working directory to the temporary git global config as a safe directory`
+    )
+    await this.git
+      .config(
+        'safe.directory',
+        repositoryPath ?? this.settings.repositoryPath,
+        true,
+        true
+      )
+      .catch(error => {
+        core.info(`Failed to initialize safe directory with error: ${error}`)
+      })
    return newGitConfigPath
  }

--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -231,7 +231,6 @@ class GitCommandManager {
  }

  async init(): Promise<void> {
-    await this.execGit(['config', '--global', 'init.defaultBranch', 'main'])
    await this.execGit(['init', this.workingDirectory])
  }

--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -40,24 +40,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
  try {
    if (git) {
      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.setSafeDirectory) {
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
-        )
-
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
-
-        stateHelper.setSafeDirectory()
-      }
+      await authHelper.configureTempGlobalConfig()
    }

    // Prepare existing directory, otherwise recreate
@@ -266,21 +249,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
  // Remove auth
  const authHelper = gitAuthHelper.createAuthHelper(git)
  try {
-    if (stateHelper.PostSetSafeDirectory) {
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
-    }
-
+    await authHelper.configureTempGlobalConfig(repositoryPath)
    await authHelper.removeAuth()
  } finally {
    await authHelper.removeGlobalConfig()
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@@ -78,9 +78,4 @@ export interface IGitSourceSettings {
   * Organization ID for the currently running workflow (used for auth settings)
   */
  workflowOrganizationId: number | undefined
-
-  /**
-   * Indicates whether to add repositoryPath as safe.directory in git global config
-   */
-  setSafeDirectory: boolean
 }
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@@ -23,10 +23,6 @@ export async function getInputs(): Promise<IGitSourceSettings> {
    `${github.context.repo.owner}/${github.context.repo.repo}`
  core.debug(`qualified repository = '${qualifiedRepository}'`)
  const splitRepository = qualifiedRepository.split('/')
-  if(splitRepository.length === 3) {
-    splitRepository.shift()
-  }
-
  if (
    splitRepository.length !== 2 ||
    !splitRepository[0] ||
@@ -126,8 +122,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Workflow organization ID
  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()

-  // Set safe.directory in git global config.
-  result.setSafeDirectory =
-    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
  return result
 }
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@@ -120,7 +120,7 @@ function updateUsage(
 }

 updateUsage(
-  'actions/checkout@v3',
+  'actions/checkout@v2',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/misc/licensed-check.sh
+++ b/src/misc/licensed-check.sh
@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh

 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed status
+_temp/licensed-3.3.1/licensed status
--- a/src/misc/licensed-download.sh
+++ b/src/misc/licensed-download.sh
@@ -2,23 +2,23 @@

 set -e

-if [ ! -f _temp/licensed-3.6.0.done ]; then
+if [ ! -f _temp/licensed-3.3.1.done ]; then
  echo 'Clearing temp'
-  rm -rf _temp/licensed-3.6.0 || true
+  rm -rf _temp/licensed-3.3.1 || true

  echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.6.0
-  pushd _temp/licensed-3.6.0
+  mkdir -p _temp/licensed-3.3.1
+  pushd _temp/licensed-3.3.1
  if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
  else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
  fi

  echo 'Extracting licenesed'
  tar -xzf licensed.tar.gz
  popd
-  touch _temp/licensed-3.6.0.done
+  touch _temp/licensed-3.3.1.done
 else
  echo 'Licensed already downloaded'
 fi
--- a/src/misc/licensed-generate.sh
+++ b/src/misc/licensed-generate.sh
@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh

 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed cache
+_temp/licensed-3.3.1/licensed cache
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@@ -11,12 +11,6 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
  (process.env['STATE_repositoryPath'] as string) || ''

-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-export const PostSetSafeDirectory =
-  (process.env['STATE_setSafeDirectory'] as string) === 'true'
-
 /**
 * The SSH key path for the POST action. The value is empty during the MAIN action.
 */
@@ -57,13 +51,6 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
  )
 }

-/**
- * Save the sef-safe-directory input so the POST action can retrieve the value.
- */
-export function setSafeDirectory() {
-  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
-}
-
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {
--- a/src/url-helper.ts
+++ b/src/url-helper.ts
@@ -16,7 +16,7 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
  }

  // "origin" is SCHEME://HOSTNAME[:PORT]
-  return `${serviceUrl.origin}${serviceUrl.pathname}/${encodedOwner}/${encodedName}`
+  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
 }

 export function getServerUrl(): URL {