v1.1

* Add set-safe-directory input to allow customers to take control.

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Set Node.js 16.x
         uses: actions/setup-node@v1

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/setup-node@v1
         with:
           node-version: 16.x
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout
       - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -205,3 +205,41 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
+    
+  test-git-container:
+    runs-on: ubuntu-latest
+    container: bitnami/git:latest
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: v3
+
+      # Basic checkout using git
+      - name: Checkout basic
+        uses: ./v3
+        with:
+          ref: test-data/v2/basic
+      - name: Verify basic
+        run: |
+          if [ ! -f "./basic-file.txt" ]; then
+              echo "Expected basic file does not exist"
+              exit 1
+          fi
+
+          # Verify .git folder
+          if [ ! -d "./.git" ]; then
+            echo "Expected ./.git folder to exist"
+            exit 1
+          fi
+
+          # Verify auth token
+          git config --global --add safe.directory "*"
+          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
+
+      # needed to make checkout post cleanup succeed
+      - name: Fix Checkout v3
+        uses: actions/checkout@v3
+        with:
+          path: v3

.gitignore

@@ -2,3 +2,20 @@ __test__/_temp
 _temp/
 lib/
 node_modules/
+/dist/fs-helper.d.ts
+/dist/git-auth-helper.d.ts
+/dist/git-command-manager.d.ts
+/dist/git-directory-helper.d.ts
+/dist/git-source-provider.d.ts
+/dist/git-source-settings.d.ts
+/dist/git-version.d.ts
+/dist/github-api-helper.d.ts
+/dist/input-helper.d.ts
+/dist/main.d.ts
+/dist/misc/generate-docs.d.ts
+/dist/ref-helper.d.ts
+/dist/regexp-helper.d.ts
+/dist/retry-helper.d.ts
+/dist/state-helper.d.ts
+/dist/url-helper.d.ts
+/dist/workflow-context-helper.d.ts

.licenses/npm/node-fetch.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: node-fetch
-version: 2.6.5
+version: 2.6.7
 type: npm
 summary: A light-weight module that brings window.fetch to node.js
 homepage: https://github.com/bitinn/node-fetch

CHANGELOG.md

@@ -1,10 +1,20 @@
 # Changelog
 
+## v3.0.2
+- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/770)
+
+## v3.0.1
+- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://github.com/actions/checkout/pull/762)
+- [Bumped various npm package versions](https://github.com/actions/checkout/pull/744)
+
+## v3.0.0
+
+- [Update to node 16](https://github.com/actions/checkout/pull/689)
+
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
 
-
 ## v2.3.0
 
 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)

README.md

@@ -2,26 +2,28 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V3
+This is a fork of https://github.com/actions/checkout@v3
 
-This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
+# Build
 
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+## Windows
 
-The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+ncc.cmd build .\src\main.ts
-
-When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
 
 # What's new
 
-- Updated to the node16 runtime by default
+With this action it is possible to check out a repository located on a Gitea instance with subdirectories.
-  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
+
+Changed  
+`https://<domain>[:<port>]/<name>/<repository>`  
+to  
+`https://<domain>[:<port>]/<subpath>/<name>/<repository>`
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v3
+- uses: https://gitea.com/ScMi1/checkout@v1
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -92,6 +94,11 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
     #
     # Default: false
     submodules: ''
+
+    # Add repository path as safe.directory for Git global config by running `git
+    # config --global --add safe.directory <path>`
+    # Default: true
+    set-safe-directory: ''
 ```
 <!-- end usage -->
 

__test__/git-auth-helper.test.ts

@@ -643,10 +643,11 @@ describe('git-auth-helper tests', () => {
     expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
-  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
+  const removeGlobalConfig_removesOverride =
-  it(removeGlobalAuth_removesOverride, async () => {
+    'removeGlobalConfig removes override'
+  it(removeGlobalConfig_removesOverride, async () => {
     // Arrange
-    await setup(removeGlobalAuth_removesOverride)
+    await setup(removeGlobalConfig_removesOverride)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
     await authHelper.configureGlobalAuth()
@@ -655,7 +656,7 @@ describe('git-auth-helper tests', () => {
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
-    await authHelper.removeGlobalAuth()
+    await authHelper.removeGlobalConfig()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
@@ -776,7 +777,8 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
-    workflowOrganizationId: 123456
+    workflowOrganizationId: 123456,
+    setSafeDirectory: true
   }
 }
 

__test__/input-helper.test.ts

@@ -85,6 +85,7 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
+    expect(settings.setSafeDirectory).toBe(true)
   })
 
   it('qualifies ref', async () => {

action.yml

@@ -68,6 +68,9 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
+  set-safe-directory:
+    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
+    default: true
 runs:
   using: node16
   main: dist/index.js

src/git-auth-helper.ts

@@ -19,8 +19,9 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
+  configureTempGlobalConfig(): Promise<string>
   removeAuth(): Promise<void>
-  removeGlobalAuth(): Promise<void>
+  removeGlobalConfig(): Promise<void>
 }
 
 export function createAuthHelper(
@@ -52,7 +53,7 @@ class GitAuthHelper {
 
     // Token auth header
     const serverUrl = urlHelper.getServerUrl()
-    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.tokenConfigKey = `http.${serverUrl.origin}${serverUrl.pathname}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
     const basicCredential = Buffer.from(
       `x-access-token:${this.settings.authToken}`,
       'utf8'
@@ -62,7 +63,7 @@ class GitAuthHelper {
     this.tokenConfigValue = `AUTHORIZATION: basic ${basicCredential}`
 
     // Instead of SSH URL
-    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
+    this.insteadOfKey = `url.${serverUrl.origin}${serverUrl.pathname}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
     this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
     if (this.settings.workflowOrganizationId) {
       this.insteadOfValues.push(
@@ -80,7 +81,11 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureGlobalAuth(): Promise<void> {
+  async configureTempGlobalConfig(): Promise<string> {
+    // Already setup global config
+    if (this.temporaryHomePath?.length > 0) {
+      return path.join(this.temporaryHomePath, '.gitconfig')
+    }
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@@ -110,13 +115,19 @@ class GitAuthHelper {
       await fs.promises.writeFile(newGitConfigPath, '')
     }
 
-    try {
     // Override HOME
     core.info(
       `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
     )
     this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
 
+    return newGitConfigPath
+  }
+
+  async configureGlobalAuth(): Promise<void> {
+    // 'configureTempGlobalConfig' noops if already set, just returns the path
+    const newGitConfigPath = await this.configureTempGlobalConfig()
+    try {
       // Configure the token
       await this.configureToken(newGitConfigPath, true)
 
@@ -181,11 +192,13 @@ class GitAuthHelper {
     await this.removeToken()
   }
 
-  async removeGlobalAuth(): Promise<void> {
+  async removeGlobalConfig(): Promise<void> {
+    if (this.temporaryHomePath?.length > 0) {
       core.debug(`Unsetting HOME override`)
       this.git.removeEnvironmentVariable('HOME')
       await io.rmRF(this.temporaryHomePath)
     }
+  }
 
   private async configureSsh(): Promise<void> {
     if (!this.settings.sshKey) {

src/git-command-manager.ts

@@ -231,6 +231,7 @@ class GitCommandManager {
   }
 
   async init(): Promise<void> {
+    await this.execGit(['config', '--global', 'init.defaultBranch', 'main'])
     await this.execGit(['init', this.workingDirectory])
   }
 

src/git-source-provider.ts

@@ -36,6 +36,30 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   const git = await getGitCommandManager(settings)
   core.endGroup()
 
+  let authHelper: gitAuthHelper.IGitAuthHelper | null = null
+  try {
+    if (git) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+      if (settings.setSafeDirectory) {
+        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+        // Otherwise all git commands we run in a container fail
+        await authHelper.configureTempGlobalConfig()
+        core.info(
+          `Adding repository directory to the temporary git global config as a safe directory`
+        )
+
+        await git
+          .config('safe.directory', settings.repositoryPath, true, true)
+          .catch(error => {
+            core.info(
+              `Failed to initialize safe directory with error: ${error}`
+            )
+          })
+
+        stateHelper.setSafeDirectory()
+      }
+    }
+
     // Prepare existing directory, otherwise recreate
     if (isExisting) {
       await gitDirectoryHelper.prepareExistingDirectory(
@@ -96,8 +120,10 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     }
     core.endGroup()
 
-  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    // If we didn't initialize it above, do it now
-  try {
+    if (!authHelper) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    }
     // Configure auth
     core.startGroup('Setting up auth')
     await authHelper.configureAuth()
@@ -170,7 +196,6 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
 
     // Submodules
     if (settings.submodules) {
-      try {
       // Temporarily override global config
       core.startGroup('Setting up auth for fetching submodules')
       await authHelper.configureGlobalAuth()
@@ -179,10 +204,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
       // Checkout submodules
       core.startGroup('Fetching submodules')
       await git.submoduleSync(settings.nestedSubmodules)
-        await git.submoduleUpdate(
+      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
-          settings.fetchDepth,
-          settings.nestedSubmodules
-        )
       await git.submoduleForeach(
         'git config --local gc.auto 0',
         settings.nestedSubmodules
@@ -195,10 +217,6 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
         await authHelper.configureSubmoduleAuth()
         core.endGroup()
       }
-      } finally {
-        // Remove temporary global config override
-        await authHelper.removeGlobalAuth()
-      }
     }
 
     // Get commit information
@@ -218,11 +236,14 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     )
   } finally {
     // Remove auth
+    if (authHelper) {
       if (!settings.persistCredentials) {
         core.startGroup('Removing auth')
         await authHelper.removeAuth()
         core.endGroup()
       }
+      authHelper.removeGlobalConfig()
+    }
   }
 }
 
@@ -244,7 +265,26 @@ export async function cleanup(repositoryPath: string): Promise<void> {
 
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
+  try {
+    if (stateHelper.PostSetSafeDirectory) {
+      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+      // Otherwise all git commands we run in a container fail
+      await authHelper.configureTempGlobalConfig()
+      core.info(
+        `Adding repository directory to the temporary git global config as a safe directory`
+      )
+
+      await git
+        .config('safe.directory', repositoryPath, true, true)
+        .catch(error => {
+          core.info(`Failed to initialize safe directory with error: ${error}`)
+        })
+    }
+
     await authHelper.removeAuth()
+  } finally {
+    await authHelper.removeGlobalConfig()
+  }
 }
 
 async function getGitCommandManager(

src/git-source-settings.ts

@@ -78,4 +78,9 @@ export interface IGitSourceSettings {
    * Organization ID for the currently running workflow (used for auth settings)
    */
   workflowOrganizationId: number | undefined
+
+  /**
+   * Indicates whether to add repositoryPath as safe.directory in git global config
+   */
+  setSafeDirectory: boolean
 }

src/input-helper.ts

@@ -122,5 +122,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   // Workflow organization ID
   result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
 
+  // Set safe.directory in git global config.
+  result.setSafeDirectory =
+    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/misc/licensed-check.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed status
+_temp/licensed-3.6.0/licensed status

src/misc/licensed-download.sh

@@ -2,23 +2,23 @@
 
 set -e
 
-if [ ! -f _temp/licensed-3.3.1.done ]; then
+if [ ! -f _temp/licensed-3.6.0.done ]; then
   echo 'Clearing temp'
-  rm -rf _temp/licensed-3.3.1 || true
+  rm -rf _temp/licensed-3.6.0 || true
 
   echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.3.1
+  mkdir -p _temp/licensed-3.6.0
-  pushd _temp/licensed-3.3.1
+  pushd _temp/licensed-3.6.0
   if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
   else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
   fi
 
   echo 'Extracting licenesed'
   tar -xzf licensed.tar.gz
   popd
-  touch _temp/licensed-3.3.1.done
+  touch _temp/licensed-3.6.0.done
 else
   echo 'Licensed already downloaded'
 fi

src/misc/licensed-generate.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed cache
+_temp/licensed-3.6.0/licensed cache

src/state-helper.ts

@@ -11,6 +11,12 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
   (process.env['STATE_repositoryPath'] as string) || ''
 
+/**
+ * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
+ */
+export const PostSetSafeDirectory =
+  (process.env['STATE_setSafeDirectory'] as string) === 'true'
+
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
@@ -51,6 +57,13 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
   )
 }
 
+/**
+ * Save the sef-safe-directory input so the POST action can retrieve the value.
+ */
+export function setSafeDirectory() {
+  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
+}
+
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {

src/url-helper.ts

@@ -16,7 +16,7 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
   }
 
   // "origin" is SCHEME://HOSTNAME[:PORT]
-  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
+  return `${serviceUrl.origin}${serviceUrl.pathname}/${encodedOwner}/${encodedName}`
 }
 
 export function getServerUrl(): URL {