diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index c7d4962..53902ee 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -22,12 +22,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4.1.6 - - name: Set Node.js 24.x + - name: Set Node.js 20.x uses: actions/setup-node@v4 with: - node-version: 24.x + node-version: 20.x - name: Install dependencies run: npm ci diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 377fae9..778d474 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@v4.1.6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml index 36e70e2..1f71aa7 100644 --- a/.github/workflows/licensed.yml +++ b/.github/workflows/licensed.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest name: Check licenses steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4.1.6 - run: npm ci - run: npm run licensed-check \ No newline at end of file diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml index 44d571b..87c0207 100644 --- a/.github/workflows/publish-immutable-actions.yml +++ b/.github/workflows/publish-immutable-actions.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checking out - uses: actions/checkout@v6 + uses: actions/checkout@v4 - name: Publish id: publish uses: actions/publish-immutable-action@0.0.3 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fe2539f..cde9f06 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,8 +18,8 @@ jobs: steps: - uses: actions/setup-node@v4 with: - node-version: 24.x - - uses: actions/checkout@v6 + node-version: 20.x + - uses: actions/checkout@v4.1.6 - run: npm ci - run: npm run build - run: npm run format-check @@ -37,7 +37,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4.1.6 # Basic checkout - name: Checkout basic @@ -165,22 +165,6 @@ jobs: - name: Verify submodules recursive run: __test__/verify-submodules-recursive.sh - # Worktree credentials - - name: Checkout for worktree test - uses: ./ - with: - path: worktree-test - - name: Verify worktree credentials - shell: bash - run: __test__/verify-worktree.sh worktree-test worktree-branch - - # Worktree credentials in container step - - name: Verify worktree credentials in container step - if: runner.os == 'Linux' - uses: docker://bitnami/git:latest - with: - args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch - # Basic checkout using REST API - name: Remove basic if: runner.os != 'windows' @@ -218,7 +202,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4.1.6 # Basic checkout using git - name: Checkout basic @@ -250,7 +234,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4.1.6 # Basic checkout using git - name: Checkout basic @@ -280,7 +264,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4.1.6 with: path: localClone @@ -307,8 +291,8 @@ jobs: git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main # needed to make checkout post cleanup succeed - - name: Fix Checkout v6 - uses: actions/checkout@v6 + - name: Fix Checkout v4 + uses: actions/checkout@v4.1.6 with: path: localClone @@ -317,16 +301,13 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v6 - with: - path: actions-checkout + uses: actions/checkout@v4.1.6 # Basic checkout using git - name: Checkout basic id: checkout - uses: ./actions-checkout + uses: ./ with: - path: cloned-using-local-action ref: test-data/v2/basic # Verify output @@ -344,3 +325,7 @@ jobs: echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d" exit 1 fi + + # needed to make checkout post cleanup succeed + - name: Fix Checkout + uses: actions/checkout@v4.1.6 diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml index b3b23fe..7bec7d5 100644 --- a/.github/workflows/update-main-version.yml +++ b/.github/workflows/update-main-version.yml @@ -11,7 +11,6 @@ on: type: choice description: The major version to update options: - - v5 - v4 - v3 - v2 @@ -23,7 +22,7 @@ jobs: # Note this update workflow can also be used as a rollback tool. # For that reason, it's best to pin `actions/checkout` to a known, stable version # (typically, about two releases back). - - uses: actions/checkout@v6 + - uses: actions/checkout@v4.1.6 with: fetch-depth: 0 - name: Git config diff --git a/.github/workflows/update-test-ubuntu-git.yml b/.github/workflows/update-test-ubuntu-git.yml index 10e4dac..5c252b9 100644 --- a/.github/workflows/update-test-ubuntu-git.yml +++ b/.github/workflows/update-test-ubuntu-git.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@v4 # Use `docker/login-action` to log in to GHCR.io. # Once published, the packages are scoped to the account defined here. diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d5a6f3..baf5c2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,19 +1,6 @@ # Changelog -## v6.0.0 -* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286 -* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248 - -## v5.0.1 -* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301 - -## v5.0.0 -* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226 - -## v4.3.1 -* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305 - -## v4.3.0 +## V4.3.0 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043 diff --git a/README.md b/README.md index f0f65f9..8969446 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,6 @@ [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml) -# Checkout v6 - -## What's new - -- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config` -- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically -- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later - -# Checkout v5 - -## What's new - -- Updated to the node24 runtime - - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run. - - -# Checkout v4 +# Checkout V4 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it. @@ -52,7 +36,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: # Repository name with owner. For example, actions/checkout # Default: ${{ github.repository }} @@ -165,33 +149,24 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ # Scenarios -- [Checkout V5](#checkout-v5) - - [What's new](#whats-new) -- [Checkout V4](#checkout-v4) - - [Note](#note) -- [What's new](#whats-new-1) -- [Usage](#usage) -- [Scenarios](#scenarios) - - [Fetch only the root files](#fetch-only-the-root-files) - - [Fetch only the root files and `.github` and `src` folder](#fetch-only-the-root-files-and-github-and-src-folder) - - [Fetch only a single file](#fetch-only-a-single-file) - - [Fetch all history for all tags and branches](#fetch-all-history-for-all-tags-and-branches) - - [Checkout a different branch](#checkout-a-different-branch) - - [Checkout HEAD^](#checkout-head) - - [Checkout multiple repos (side by side)](#checkout-multiple-repos-side-by-side) - - [Checkout multiple repos (nested)](#checkout-multiple-repos-nested) - - [Checkout multiple repos (private)](#checkout-multiple-repos-private) - - [Checkout pull request HEAD commit instead of merge commit](#checkout-pull-request-head-commit-instead-of-merge-commit) - - [Checkout pull request on closed event](#checkout-pull-request-on-closed-event) - - [Push a commit using the built-in token](#push-a-commit-using-the-built-in-token) - - [Push a commit to a PR using the built-in token](#push-a-commit-to-a-pr-using-the-built-in-token) -- [Recommended permissions](#recommended-permissions) -- [License](#license) +- [Fetch only the root files](#Fetch-only-the-root-files) +- [Fetch only the root files and `.github` and `src` folder](#Fetch-only-the-root-files-and-github-and-src-folder) +- [Fetch only a single file](#Fetch-only-a-single-file) +- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches) +- [Checkout a different branch](#Checkout-a-different-branch) +- [Checkout HEAD^](#Checkout-HEAD) +- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side) +- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested) +- [Checkout multiple repos (private)](#Checkout-multiple-repos-private) +- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit) +- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event) +- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token) +- [Push a commit to a PR using the built-in token](#Push-a-commit-to-a-PR-using-the-built-in-token) ## Fetch only the root files ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: sparse-checkout: . ``` @@ -199,7 +174,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch only the root files and `.github` and `src` folder ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: sparse-checkout: | .github @@ -209,7 +184,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch only a single file ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: sparse-checkout: | README.md @@ -219,7 +194,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch all history for all tags and branches ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: fetch-depth: 0 ``` @@ -227,7 +202,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout a different branch ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: ref: my-branch ``` @@ -235,7 +210,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout HEAD^ ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: fetch-depth: 2 - run: git checkout HEAD^ @@ -245,12 +220,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: path: main - name: Checkout tools repo - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: repository: my-org/my-tools path: my-tools @@ -261,10 +236,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4 - name: Checkout tools repo - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: repository: my-org/my-tools path: my-tools @@ -275,12 +250,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: path: main - name: Checkout private tools - uses: actions/checkout@v6 + uses: actions/checkout@v4 with: repository: my-org/my-private-tools token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT @@ -293,7 +268,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout pull request HEAD commit instead of merge commit ```yaml -- uses: actions/checkout@v6 +- uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} ``` @@ -309,7 +284,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 ``` ## Push a commit using the built-in token @@ -320,7 +295,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 - run: | date > generated.txt # Note: the following account information will not work on GHES @@ -342,7 +317,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} - run: | diff --git a/__test__/git-auth-helper.test.ts b/__test__/git-auth-helper.test.ts index ad3566a..9acba54 100644 --- a/__test__/git-auth-helper.test.ts +++ b/__test__/git-auth-helper.test.ts @@ -86,29 +86,16 @@ describe('git-auth-helper tests', () => { // Act await authHelper.configureAuth() - // Assert config - check that .git/config contains includeIf entries - const localConfigContent = ( + // Assert config + const configContent = ( await fs.promises.readFile(localGitConfigPath) ).toString() - expect( - localConfigContent.indexOf('includeIf.gitdir:') - ).toBeGreaterThanOrEqual(0) - - // Assert credentials config file contains the actual credentials - const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(1) - const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0]) - const credentialsContent = ( - await fs.promises.readFile(credentialsConfigPath) - ).toString() const basicCredential = Buffer.from( `x-access-token:${settings.authToken}`, 'utf8' ).toString('base64') expect( - credentialsContent.indexOf( + configContent.indexOf( `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}` ) ).toBeGreaterThanOrEqual(0) @@ -133,7 +120,7 @@ describe('git-auth-helper tests', () => { 'inject https://github.com as github server url' it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => { await testAuthHeader( - configureAuth_AcceptsGitHubServerUrlSetToGHEC, + configureAuth_AcceptsGitHubServerUrl, 'https://github.com' ) }) @@ -154,17 +141,12 @@ describe('git-auth-helper tests', () => { // Act await authHelper.configureAuth() - // Assert config - check credentials config file (not local .git/config) - const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(1) - const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0]) - const credentialsContent = ( - await fs.promises.readFile(credentialsConfigPath) + // Assert config + const configContent = ( + await fs.promises.readFile(localGitConfigPath) ).toString() expect( - credentialsContent.indexOf( + configContent.indexOf( `http.https://github.com/.extraheader AUTHORIZATION` ) ).toBeGreaterThanOrEqual(0) @@ -269,16 +251,13 @@ describe('git-auth-helper tests', () => { expectedSshCommand ) - // Assert git config + // Asserty git config const gitConfigLines = (await fs.promises.readFile(localGitConfigPath)) .toString() .split('\n') .filter(x => x) - // Should have includeIf entries pointing to credentials file - expect(gitConfigLines.length).toBeGreaterThan(0) - expect( - gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0) - ).toBeTruthy() + expect(gitConfigLines).toHaveLength(1) + expect(gitConfigLines[0]).toMatch(/^http\./) }) const configureAuth_setsSshCommandWhenPersistCredentialsTrue = @@ -440,20 +419,8 @@ describe('git-auth-helper tests', () => { expect( configContent.indexOf('value-from-global-config') ).toBeGreaterThanOrEqual(0) - // Global config should have include.path pointing to credentials file - expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0) - - // Check credentials in the separate config file - const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBeGreaterThan(0) - const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0]) - const credentialsContent = ( - await fs.promises.readFile(credentialsConfigPath) - ).toString() expect( - credentialsContent.indexOf( + configContent.indexOf( `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}` ) ).toBeGreaterThanOrEqual(0) @@ -496,20 +463,8 @@ describe('git-auth-helper tests', () => { const configContent = ( await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig')) ).toString() - // Global config should have include.path pointing to credentials file - expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0) - - // Check credentials in the separate config file - const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBeGreaterThan(0) - const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0]) - const credentialsContent = ( - await fs.promises.readFile(credentialsConfigPath) - ).toString() expect( - credentialsContent.indexOf( + configContent.indexOf( `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}` ) ).toBeGreaterThanOrEqual(0) @@ -595,15 +550,15 @@ describe('git-auth-helper tests', () => { await authHelper.configureSubmoduleAuth() // Assert - // Should configure insteadOf (2 calls for two values) - expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3) + expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4) expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( /unset-all.*insteadOf/ ) - expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch( + expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/) + expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch( /url.*insteadOf.*git@github.com:/ ) - expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch( + expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch( /url.*insteadOf.*org-123456@github.com:/ ) } @@ -634,12 +589,12 @@ describe('git-auth-helper tests', () => { await authHelper.configureSubmoduleAuth() // Assert - // Should configure sshCommand (1 call) - expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2) + expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3) expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch( /unset-all.*insteadOf/ ) - expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/) + expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/) + expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/) } ) @@ -705,81 +660,112 @@ describe('git-auth-helper tests', () => { await setup(removeAuth_removesToken) const authHelper = gitAuthHelper.createAuthHelper(git, settings) await authHelper.configureAuth() - - // Verify includeIf entries exist in local config - let localConfigContent = ( + let gitConfigContent = ( await fs.promises.readFile(localGitConfigPath) ).toString() - expect( - localConfigContent.indexOf('includeIf.gitdir:') - ).toBeGreaterThanOrEqual(0) - - // Verify both host and container includeIf entries are present - const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/') - expect( - localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`) - ).toBeGreaterThanOrEqual(0) - expect( - localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path') - ).toBeGreaterThanOrEqual(0) - - // Verify credentials file exists - let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(1) - const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0]) - - // Verify credentials file contains the auth token - let credentialsContent = ( - await fs.promises.readFile(credentialsFilePath) - ).toString() - const basicCredential = Buffer.from( - `x-access-token:${settings.authToken}`, - 'utf8' - ).toString('base64') - expect( - credentialsContent.indexOf( - `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}` - ) - ).toBeGreaterThanOrEqual(0) - - // Verify the includeIf entries point to the credentials file - const containerCredentialsPath = path.posix.join( - '/github/runner_temp', - path.basename(credentialsFilePath) - ) - expect( - localConfigContent.indexOf(credentialsFilePath) - ).toBeGreaterThanOrEqual(0) - expect( - localConfigContent.indexOf(containerCredentialsPath) - ).toBeGreaterThanOrEqual(0) + expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check // Act await authHelper.removeAuth() - // Assert all includeIf entries removed from local git config - localConfigContent = ( + // Assert git config + gitConfigContent = ( await fs.promises.readFile(localGitConfigPath) ).toString() - expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0) + expect(gitConfigContent.indexOf('http.')).toBeLessThan(0) + }) + + const removeAuth_removesV6StyleCredentials = + 'removeAuth removes v6 style credentials' + it(removeAuth_removesV6StyleCredentials, async () => { + // Arrange + await setup(removeAuth_removesV6StyleCredentials) + const authHelper = gitAuthHelper.createAuthHelper(git, settings) + await authHelper.configureAuth() + + // Manually create v6-style credentials that would be left by v6 + const credentialsFileName = + 'git-credentials-12345678-1234-1234-1234-123456789abc.config' + const credentialsFilePath = path.join(runnerTemp, credentialsFileName) + const basicCredential = Buffer.from( + `x-access-token:${settings.authToken}`, + 'utf8' + ).toString('base64') + const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n` + await fs.promises.writeFile(credentialsFilePath, credentialsContent) + + // Add includeIf entries to local git config (simulating v6 configuration) + const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/') + await fs.promises.appendFile( + localGitConfigPath, + `[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n` + ) + await fs.promises.appendFile( + localGitConfigPath, + `[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n` + ) + + // Verify v6 style config exists + let gitConfigContent = ( + await fs.promises.readFile(localGitConfigPath) + ).toString() + expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0) expect( - localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`) - ).toBeLessThan(0) - expect( - localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path') - ).toBeLessThan(0) - expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0) - expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0) + gitConfigContent.indexOf(credentialsFilePath) + ).toBeGreaterThanOrEqual(0) + await fs.promises.stat(credentialsFilePath) // Verify file exists + + // Mock the git methods to handle v6 cleanup + const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock + mockTryGetConfigKeys.mockResolvedValue([ + `includeIf.gitdir:${hostGitDir}/.path`, + 'includeIf.gitdir:/github/workspace/.git/.path' + ]) + + const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock + mockTryGetConfigValues.mockImplementation(async (key: string) => { + if (key === `includeIf.gitdir:${hostGitDir}/.path`) { + return [credentialsFilePath] + } + if (key === 'includeIf.gitdir:/github/workspace/.git/.path') { + return [`/github/runner_temp/${credentialsFileName}`] + } + return [] + }) + + const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock< + any, + any + > + mockTryConfigUnsetValue.mockImplementation( + async ( + key: string, + value: string, + globalConfig?: boolean, + configPath?: string + ) => { + const targetPath = configPath || localGitConfigPath + let content = await fs.promises.readFile(targetPath, 'utf8') + // Remove the includeIf section + const lines = content + .split('\n') + .filter(line => !line.includes('includeIf') && !line.includes(value)) + await fs.promises.writeFile(targetPath, lines.join('\n')) + return true + } + ) + + // Act + await authHelper.removeAuth() + + // Assert includeIf entries removed from local git config + gitConfigContent = ( + await fs.promises.readFile(localGitConfigPath) + ).toString() + expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0) + expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0) // Assert credentials config file deleted - credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(0) - - // Verify credentials file no longer exists on disk try { await fs.promises.stat(credentialsFilePath) throw new Error('Credentials file should have been deleted') @@ -790,108 +776,113 @@ describe('git-auth-helper tests', () => { } }) - const removeAuth_removesTokenFromSubmodules = - 'removeAuth removes token from submodules' - it(removeAuth_removesTokenFromSubmodules, async () => { + const removeAuth_removesV6StyleCredentialsFromSubmodules = + 'removeAuth removes v6 style credentials from submodules' + it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => { // Arrange - await setup(removeAuth_removesTokenFromSubmodules) + await setup(removeAuth_removesV6StyleCredentialsFromSubmodules) // Create fake submodule config paths const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1') - const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2') const submodule1ConfigPath = path.join(submodule1Dir, 'config') - const submodule2ConfigPath = path.join(submodule2Dir, 'config') - await fs.promises.mkdir(submodule1Dir, {recursive: true}) - await fs.promises.mkdir(submodule2Dir, {recursive: true}) await fs.promises.writeFile(submodule1ConfigPath, '') - await fs.promises.writeFile(submodule2ConfigPath, '') - - // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove) - const mockGetSubmoduleConfigPaths = - git.getSubmoduleConfigPaths as jest.Mock - mockGetSubmoduleConfigPaths.mockResolvedValue([ - submodule1ConfigPath, - submodule2ConfigPath - ]) const authHelper = gitAuthHelper.createAuthHelper(git, settings) await authHelper.configureAuth() - await authHelper.configureSubmoduleAuth() - // Verify credentials file exists - let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') + // Create v6-style credentials file + const credentialsFileName = + 'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config' + const credentialsFilePath = path.join(runnerTemp, credentialsFileName) + const basicCredential = Buffer.from( + `x-access-token:${settings.authToken}`, + 'utf8' + ).toString('base64') + const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n` + await fs.promises.writeFile(credentialsFilePath, credentialsContent) + + // Add includeIf entries to submodule config + const submodule1GitDir = submodule1Dir.replace(/\\/g, '/') + await fs.promises.appendFile( + submodule1ConfigPath, + `[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n` ) - expect(credentialsFiles.length).toBe(1) - const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0]) - // Verify submodule 1 config has includeIf entries - let submodule1Content = ( + // Verify submodule config has includeIf entry + let submoduleConfigContent = ( await fs.promises.readFile(submodule1ConfigPath) ).toString() - const submodule1GitDir = submodule1Dir.replace(/\\/g, '/') - expect( - submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`) - ).toBeGreaterThanOrEqual(0) - expect( - submodule1Content.indexOf(credentialsFilePath) - ).toBeGreaterThanOrEqual(0) - - // Verify submodule 2 config has includeIf entries - let submodule2Content = ( - await fs.promises.readFile(submodule2ConfigPath) - ).toString() - const submodule2GitDir = submodule2Dir.replace(/\\/g, '/') - expect( - submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`) - ).toBeGreaterThanOrEqual(0) - expect( - submodule2Content.indexOf(credentialsFilePath) - ).toBeGreaterThanOrEqual(0) - - // Verify both host and container paths are in each submodule config - const containerCredentialsPath = path.posix.join( - '/github/runner_temp', - path.basename(credentialsFilePath) + expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual( + 0 ) expect( - submodule1Content.indexOf(containerCredentialsPath) - ).toBeGreaterThanOrEqual(0) - expect( - submodule2Content.indexOf(containerCredentialsPath) + submoduleConfigContent.indexOf(credentialsFilePath) ).toBeGreaterThanOrEqual(0) - // Act - ensure mock persists for removeAuth - mockGetSubmoduleConfigPaths.mockResolvedValue([ - submodule1ConfigPath, - submodule2ConfigPath - ]) + // Mock getSubmoduleConfigPaths + const mockGetSubmoduleConfigPaths = + git.getSubmoduleConfigPaths as jest.Mock + mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath]) + + // Mock tryGetConfigKeys for submodule + const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock + mockTryGetConfigKeys.mockImplementation( + async (pattern: string, globalConfig?: boolean, configPath?: string) => { + if (configPath === submodule1ConfigPath) { + return [`includeIf.gitdir:${submodule1GitDir}/.path`] + } + return [] + } + ) + + // Mock tryGetConfigValues for submodule + const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock + mockTryGetConfigValues.mockImplementation( + async (key: string, globalConfig?: boolean, configPath?: string) => { + if ( + configPath === submodule1ConfigPath && + key === `includeIf.gitdir:${submodule1GitDir}/.path` + ) { + return [credentialsFilePath] + } + return [] + } + ) + + // Mock tryConfigUnsetValue for submodule + const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock< + any, + any + > + mockTryConfigUnsetValue.mockImplementation( + async ( + key: string, + value: string, + globalConfig?: boolean, + configPath?: string + ) => { + const targetPath = configPath || localGitConfigPath + let content = await fs.promises.readFile(targetPath, 'utf8') + const lines = content + .split('\n') + .filter(line => !line.includes('includeIf') && !line.includes(value)) + await fs.promises.writeFile(targetPath, lines.join('\n')) + return true + } + ) + + // Act await authHelper.removeAuth() - // Assert submodule 1 includeIf entries removed - submodule1Content = ( + // Assert submodule includeIf entries removed + submoduleConfigContent = ( await fs.promises.readFile(submodule1ConfigPath) ).toString() - expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0) - expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0) - expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0) + expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0) + expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0) - // Assert submodule 2 includeIf entries removed - submodule2Content = ( - await fs.promises.readFile(submodule2ConfigPath) - ).toString() - expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0) - expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0) - expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0) - - // Assert credentials config file deleted - credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter( - f => f.startsWith('git-credentials-') && f.endsWith('.config') - ) - expect(credentialsFiles.length).toBe(0) - - // Verify credentials file no longer exists on disk + // Assert credentials file deleted try { await fs.promises.stat(credentialsFilePath) throw new Error('Credentials file should have been deleted') @@ -902,6 +893,65 @@ describe('git-auth-helper tests', () => { } }) + const removeAuth_skipsV6CleanupWhenEnvVarSet = + 'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set' + it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => { + // Arrange + await setup(removeAuth_skipsV6CleanupWhenEnvVarSet) + + // Set the skip environment variable + process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1' + + const authHelper = gitAuthHelper.createAuthHelper(git, settings) + await authHelper.configureAuth() + + // Create v6-style credentials file in RUNNER_TEMP + const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config' + const credentialsFilePath = path.join(runnerTemp, credentialsFileName) + const credentialsContent = + '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n' + await fs.promises.writeFile(credentialsFilePath, credentialsContent) + + // Add includeIf section to local git config (separate from http.* config) + const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n` + await fs.promises.appendFile(localGitConfigPath, includeIfSection) + + // Verify v6 style config exists + let gitConfigContent = ( + await fs.promises.readFile(localGitConfigPath) + ).toString() + expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0) + await fs.promises.stat(credentialsFilePath) // Verify file exists + + // Act + await authHelper.removeAuth() + + // Assert v5 cleanup still happened (http.* removed) + gitConfigContent = ( + await fs.promises.readFile(localGitConfigPath) + ).toString() + expect( + gitConfigContent.indexOf('http.https://github.com/.extraheader') + ).toBeLessThan(0) + + // Assert v6 cleanup was skipped - includeIf should still be present + expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0) + expect( + gitConfigContent.indexOf(credentialsFilePath) + ).toBeGreaterThanOrEqual(0) + + // Assert credentials file still exists (wasn't deleted) + await fs.promises.stat(credentialsFilePath) // File should still exist + + // Assert debug message was logged + expect(core.debug).toHaveBeenCalledWith( + 'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP' + ) + + // Cleanup + delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] + }) + const removeGlobalConfig_removesOverride = 'removeGlobalConfig removes override' it(removeGlobalConfig_removesOverride, async () => { @@ -928,52 +978,6 @@ describe('git-auth-helper tests', () => { } } }) - - const testCredentialsConfigPath_matchesCredentialsConfigPaths = - 'testCredentialsConfigPath matches credentials config paths' - it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => { - // Arrange - await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths) - const authHelper = gitAuthHelper.createAuthHelper(git, settings) - - // Get a real credentials config path - const credentialsConfigPath = await ( - authHelper as any - ).getCredentialsConfigPath() - - // Act & Assert - expect( - (authHelper as any).testCredentialsConfigPath(credentialsConfigPath) - ).toBe(true) - expect( - (authHelper as any).testCredentialsConfigPath( - '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config' - ) - ).toBe(true) - expect( - (authHelper as any).testCredentialsConfigPath( - '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config' - ) - ).toBe(true) - - // Test invalid paths - expect( - (authHelper as any).testCredentialsConfigPath( - '/some/path/other-config.config' - ) - ).toBe(false) - expect( - (authHelper as any).testCredentialsConfigPath( - '/some/path/git-credentials-invalid.config' - ) - ).toBe(false) - expect( - (authHelper as any).testCredentialsConfigPath( - '/some/path/git-credentials-.config' - ) - ).toBe(false) - expect((authHelper as any).testCredentialsConfigPath('')).toBe(false) - }) }) async function setup(testName: string): Promise { @@ -988,7 +992,6 @@ async function setup(testName: string): Promise { await fs.promises.mkdir(tempHomedir, {recursive: true}) process.env['RUNNER_TEMP'] = runnerTemp process.env['HOME'] = tempHomedir - process.env['GITHUB_WORKSPACE'] = workspace // Create git config globalGitConfigPath = path.join(tempHomedir, '.gitconfig') @@ -1007,20 +1010,10 @@ async function setup(testName: string): Promise { checkout: jest.fn(), checkoutDetach: jest.fn(), config: jest.fn( - async ( - key: string, - value: string, - globalConfig?: boolean, - add?: boolean, - configFile?: string - ) => { - const configPath = - configFile || - (globalConfig - ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig') - : localGitConfigPath) - // Ensure directory exists - await fs.promises.mkdir(path.dirname(configPath), {recursive: true}) + async (key: string, value: string, globalConfig?: boolean) => { + const configPath = globalConfig + ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig') + : localGitConfigPath await fs.promises.appendFile(configPath, `\n${key} ${value}`) } ), @@ -1040,7 +1033,6 @@ async function setup(testName: string): Promise { env: {}, fetch: jest.fn(), getDefaultBranch: jest.fn(), - getSubmoduleConfigPaths: jest.fn(async () => []), getWorkingDirectory: jest.fn(() => workspace), init: jest.fn(), isDetached: jest.fn(), @@ -1079,72 +1071,20 @@ async function setup(testName: string): Promise { return true } ), - tryConfigUnsetValue: jest.fn( - async ( - key: string, - value: string, - globalConfig?: boolean, - configPath?: string - ): Promise => { - const targetConfigPath = - configPath || - (globalConfig - ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig') - : localGitConfigPath) - let content = await fs.promises.readFile(targetConfigPath) - let lines = content - .toString() - .split('\n') - .filter(x => x) - .filter(x => !(x.startsWith(key) && x.includes(value))) - await fs.promises.writeFile(targetConfigPath, lines.join('\n')) - return true - } - ), tryDisableAutomaticGarbageCollection: jest.fn(), tryGetFetchUrl: jest.fn(), - tryGetConfigValues: jest.fn( - async ( - key: string, - globalConfig?: boolean, - configPath?: string - ): Promise => { - const targetConfigPath = - configPath || - (globalConfig - ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig') - : localGitConfigPath) - const content = await fs.promises.readFile(targetConfigPath) - const lines = content - .toString() - .split('\n') - .filter(x => x && x.startsWith(key)) - .map(x => x.substring(key.length).trim()) - return lines - } - ), - tryGetConfigKeys: jest.fn( - async ( - pattern: string, - globalConfig?: boolean, - configPath?: string - ): Promise => { - const targetConfigPath = - configPath || - (globalConfig - ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig') - : localGitConfigPath) - const content = await fs.promises.readFile(targetConfigPath) - const lines = content - .toString() - .split('\n') - .filter(x => x) - const keys = lines - .filter(x => new RegExp(pattern).test(x.split(' ')[0])) - .map(x => x.split(' ')[0]) - return [...new Set(keys)] // Remove duplicates - } - ), + getSubmoduleConfigPaths: jest.fn(async () => { + return [] + }), + tryConfigUnsetValue: jest.fn(async () => { + return true + }), + tryGetConfigValues: jest.fn(async () => { + return [] + }), + tryGetConfigKeys: jest.fn(async () => { + return [] + }), tryReset: jest.fn(), version: jest.fn() } @@ -1179,7 +1119,6 @@ async function setup(testName: string): Promise { async function getActualSshKeyPath(): Promise { let actualTempFiles = (await fs.promises.readdir(runnerTemp)) - .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file .sort() .map(x => path.join(runnerTemp, x)) if (actualTempFiles.length === 0) { @@ -1193,7 +1132,6 @@ async function getActualSshKeyPath(): Promise { async function getActualSshKnownHostsPath(): Promise { let actualTempFiles = (await fs.promises.readdir(runnerTemp)) - .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file .sort() .map(x => path.join(runnerTemp, x)) if (actualTempFiles.length === 0) { diff --git a/__test__/git-directory-helper.test.ts b/__test__/git-directory-helper.test.ts index de79dc8..1627b84 100644 --- a/__test__/git-directory-helper.test.ts +++ b/__test__/git-directory-helper.test.ts @@ -471,7 +471,6 @@ async function setup(testName: string): Promise { configExists: jest.fn(), fetch: jest.fn(), getDefaultBranch: jest.fn(), - getSubmoduleConfigPaths: jest.fn(async () => []), getWorkingDirectory: jest.fn(() => repositoryPath), init: jest.fn(), isDetached: jest.fn(), @@ -494,15 +493,24 @@ async function setup(testName: string): Promise { return true }), tryConfigUnset: jest.fn(), - tryConfigUnsetValue: jest.fn(), tryDisableAutomaticGarbageCollection: jest.fn(), tryGetFetchUrl: jest.fn(async () => { // Sanity check - this function shouldn't be called when the .git directory doesn't exist await fs.promises.stat(path.join(repositoryPath, '.git')) return repositoryUrl }), - tryGetConfigValues: jest.fn(), - tryGetConfigKeys: jest.fn(), + getSubmoduleConfigPaths: jest.fn(async () => { + return [] + }), + tryConfigUnsetValue: jest.fn(async () => { + return true + }), + tryGetConfigValues: jest.fn(async () => { + return [] + }), + tryGetConfigKeys: jest.fn(async () => { + return [] + }), tryReset: jest.fn(async () => { return true }), diff --git a/__test__/verify-submodules-recursive.sh b/__test__/verify-submodules-recursive.sh index 5ecbb42..1b68f9b 100755 --- a/__test__/verify-submodules-recursive.sh +++ b/__test__/verify-submodules-recursive.sh @@ -17,7 +17,7 @@ fi echo "Testing persisted credential" pushd ./submodules-recursive/submodule-level-1/submodule-level-2 -git config --local --includes --name-only --get-regexp http.+extraheader && git fetch +git config --local --name-only --get-regexp http.+extraheader && git fetch if [ "$?" != "0" ]; then echo "Failed to validate persisted credential" popd diff --git a/__test__/verify-submodules-true.sh b/__test__/verify-submodules-true.sh index 4c311f8..43769fe 100755 --- a/__test__/verify-submodules-true.sh +++ b/__test__/verify-submodules-true.sh @@ -17,7 +17,7 @@ fi echo "Testing persisted credential" pushd ./submodules-true/submodule-level-1 -git config --local --includes --name-only --get-regexp http.+extraheader && git fetch +git config --local --name-only --get-regexp http.+extraheader && git fetch if [ "$?" != "0" ]; then echo "Failed to validate persisted credential" popd diff --git a/__test__/verify-worktree.sh b/__test__/verify-worktree.sh deleted file mode 100755 index 3a4d3e4..0000000 --- a/__test__/verify-worktree.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/bash -set -e - -# Verify worktree credentials -# This test verifies that git credentials work in worktrees created after checkout -# Usage: verify-worktree.sh - -CHECKOUT_PATH="$1" -WORKTREE_NAME="$2" - -if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then - echo "Usage: verify-worktree.sh " - exit 1 -fi - -cd "$CHECKOUT_PATH" - -# Add safe directory for container environments -git config --global --add safe.directory "*" 2>/dev/null || true - -# Show the includeIf configuration -echo "Git config includeIf entries:" -git config --list --show-origin | grep -i include || true - -# Create the worktree -echo "Creating worktree..." -git worktree add "../$WORKTREE_NAME" HEAD --detach - -# Change to worktree directory -cd "../$WORKTREE_NAME" - -# Verify we're in a worktree -echo "Verifying worktree gitdir:" -cat .git - -# Verify credentials are available in worktree by checking extraheader is configured -echo "Checking credentials in worktree..." -if git config --list --show-origin | grep -q "extraheader"; then - echo "Credentials are configured in worktree" -else - echo "ERROR: Credentials are NOT configured in worktree" - echo "Full git config:" - git config --list --show-origin - exit 1 -fi - -# Verify fetch works in the worktree -echo "Fetching in worktree..." -git fetch origin - -echo "Worktree credentials test passed!" diff --git a/action.yml b/action.yml index 767c416..6842eb8 100644 --- a/action.yml +++ b/action.yml @@ -104,6 +104,6 @@ outputs: commit: description: 'The commit SHA that was checked out' runs: - using: node24 + using: node20 main: dist/index.js post: dist/index.js diff --git a/dist/index.js b/dist/index.js index b9b34d3..b0add8a 100644 --- a/dist/index.js +++ b/dist/index.js @@ -162,7 +162,6 @@ class GitAuthHelper { this.sshKeyPath = ''; this.sshKnownHostsPath = ''; this.temporaryHomePath = ''; - this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP this.git = gitCommandManager; this.settings = gitSourceSettings || {}; // Token auth header @@ -230,17 +229,15 @@ class GitAuthHelper { configureGlobalAuth() { return __awaiter(this, void 0, void 0, function* () { // 'configureTempGlobalConfig' noops if already set, just returns the path - yield this.configureTempGlobalConfig(); + const newGitConfigPath = yield this.configureTempGlobalConfig(); try { // Configure the token - yield this.configureToken(true); + yield this.configureToken(newGitConfigPath, true); // Configure HTTPS instead of SSH yield this.git.tryConfigUnset(this.insteadOfKey, true); if (!this.settings.sshKey) { for (const insteadOfValue of this.insteadOfValues) { - yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig? - true // add? - ); + yield this.git.config(this.insteadOfKey, insteadOfValue, true, true); } } } @@ -255,34 +252,19 @@ class GitAuthHelper { configureSubmoduleAuth() { return __awaiter(this, void 0, void 0, function* () { // Remove possible previous HTTPS instead of SSH - yield this.removeSubmoduleGitConfig(this.insteadOfKey); + yield this.removeGitConfig(this.insteadOfKey, true); if (this.settings.persistCredentials) { - // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = this.getCredentialsConfigPath(); - // Container credentials config path - const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); - // Get submodule config file paths. - const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules); - // For each submodule, configure includeIf entries pointing to the shared credentials file. - // Configure both host and container paths to support Docker container actions. + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + const output = yield this.git.submoduleForeach( + // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline + `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules); + // Replace the placeholder + const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []; for (const configPath of configPaths) { - // Submodule Git directory - let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config - submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows - // Configure host includeIf - yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig? - false, // add? - configPath); - // Container submodule git directory - const githubWorkspace = process.env['GITHUB_WORKSPACE']; - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); - let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir); - relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows - const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir); - // Configure container includeIf - yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig? - false, // add? - configPath); + core.debug(`Replacing token placeholder in '${configPath}'`); + yield this.replaceTokenPlaceholder(configPath); } if (this.settings.sshKey) { // Configure core.sshCommand @@ -313,10 +295,6 @@ class GitAuthHelper { } }); } - /** - * Configures SSH authentication by writing the SSH key and known hosts, - * and setting up the GIT_SSH_COMMAND environment variable. - */ configureSsh() { return __awaiter(this, void 0, void 0, function* () { if (!this.settings.sshKey) { @@ -373,94 +351,43 @@ class GitAuthHelper { } }); } - /** - * Configures token-based authentication by creating a credentials config file - * and setting up includeIf entries to reference it. - * @param globalConfig Whether to configure global config instead of local - */ - configureToken(globalConfig) { + configureToken(configPath, globalConfig) { return __awaiter(this, void 0, void 0, function* () { - // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = this.getCredentialsConfigPath(); - // Write placeholder to the separate credentials config file using git config. - // This approach avoids the credential being captured by process creation audit events, - // which are commonly logged. For more information, refer to - // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing - yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig? - false, // add? - credentialsConfigPath); - // Replace the placeholder in the credentials config file - let content = (yield fs.promises.readFile(credentialsConfigPath)).toString(); + // Validate args + assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations'); + // Default config path + if (!configPath && !globalConfig) { + configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config'); + } + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig); + // Replace the placeholder + yield this.replaceTokenPlaceholder(configPath || ''); + }); + } + replaceTokenPlaceholder(configPath) { + return __awaiter(this, void 0, void 0, function* () { + assert.ok(configPath, 'configPath is not defined'); + let content = (yield fs.promises.readFile(configPath)).toString(); const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue); if (placeholderIndex < 0 || placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) { - throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`); + throw new Error(`Unable to replace auth placeholder in ${configPath}`); } assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined'); content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue); - yield fs.promises.writeFile(credentialsConfigPath, content); - // Add include or includeIf to reference the credentials config - if (globalConfig) { - // Global config file is temporary - yield this.git.config('include.path', credentialsConfigPath, true // globalConfig? - ); - } - else { - // Host git directory - let gitDir = path.join(this.git.getWorkingDirectory(), '.git'); - gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows - // Configure host includeIf - const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`; - yield this.git.config(hostIncludeKey, credentialsConfigPath); - // Configure host includeIf for worktrees - const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`; - yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath); - // Container git directory - const workingDirectory = this.git.getWorkingDirectory(); - const githubWorkspace = process.env['GITHUB_WORKSPACE']; - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined'); - let relativePath = path.relative(githubWorkspace, workingDirectory); - relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows - const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git'); - // Container credentials config path - const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath)); - // Configure container includeIf - const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; - yield this.git.config(containerIncludeKey, containerCredentialsPath); - // Configure container includeIf for worktrees - const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`; - yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath); - } + yield fs.promises.writeFile(configPath, content); }); } - /** - * Gets or creates the path to the credentials config file in RUNNER_TEMP. - * @returns The absolute path to the credentials config file - */ - getCredentialsConfigPath() { - if (this.credentialsConfigPath) { - return this.credentialsConfigPath; - } - const runnerTemp = process.env['RUNNER_TEMP'] || ''; - assert.ok(runnerTemp, 'RUNNER_TEMP is not defined'); - // Create a unique filename for this checkout instance - const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`; - this.credentialsConfigPath = path.join(runnerTemp, configFileName); - core.debug(`Credentials config path: ${this.credentialsConfigPath}`); - return this.credentialsConfigPath; - } - /** - * Removes SSH authentication configuration by cleaning up SSH keys, - * known hosts files, and SSH command configurations. - */ removeSsh() { return __awaiter(this, void 0, void 0, function* () { - var _a, _b; + var _a; // SSH key const keyPath = this.sshKeyPath || stateHelper.SshKeyPath; if (keyPath) { try { - core.info(`Removing SSH key '${keyPath}'`); yield io.rmRF(keyPath); } catch (err) { @@ -472,91 +399,82 @@ class GitAuthHelper { const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath; if (knownHostsPath) { try { - core.info(`Removing SSH known hosts '${knownHostsPath}'`); yield io.rmRF(knownHostsPath); } - catch (err) { - core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`); - core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`); + catch (_b) { + // Intentionally empty } } // SSH command - core.info('Removing SSH command configuration'); yield this.removeGitConfig(SSH_COMMAND_KEY); - yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY); }); } - /** - * Removes token-based authentication by cleaning up HTTP headers, - * includeIf entries, and credentials config files. - */ removeToken() { return __awaiter(this, void 0, void 0, function* () { - var _a; - // Remove HTTP extra header - core.info('Removing HTTP extra header'); + // Remove HTTP extra header from local git config and submodule configs yield this.removeGitConfig(this.tokenConfigKey); - yield this.removeSubmoduleGitConfig(this.tokenConfigKey); - // Collect credentials config paths that need to be removed - const credentialsPaths = new Set(); - // Remove includeIf entries that point to git-credentials-*.config files - core.info('Removing includeIf entries pointing to credentials config files'); - const mainCredentialsPaths = yield this.removeIncludeIfCredentials(); - mainCredentialsPaths.forEach(path => credentialsPaths.add(path)); - // Remove submodule includeIf entries that point to git-credentials-*.config files - const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true); - for (const configPath of submoduleConfigPaths) { - const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath); - submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)); + // + // Cleanup actions/checkout@v6 style credentials + // + const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']; + if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') { + core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'); + return; } - // Remove credentials config files - for (const credentialsPath of credentialsPaths) { - // Only remove credentials config files if they are under RUNNER_TEMP - const runnerTemp = process.env['RUNNER_TEMP']; - assert.ok(runnerTemp, 'RUNNER_TEMP is not defined'); - if (credentialsPath.startsWith(runnerTemp)) { - try { - core.info(`Removing credentials config '${credentialsPath}'`); - yield io.rmRF(credentialsPath); - } - catch (err) { - core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`); - core.warning(`Failed to remove credentials config '${credentialsPath}'`); + try { + // Collect credentials config paths that need to be removed + const credentialsPaths = new Set(); + // Remove includeIf entries that point to git-credentials-*.config files + const mainCredentialsPaths = yield this.removeIncludeIfCredentials(); + mainCredentialsPaths.forEach(path => credentialsPaths.add(path)); + // Remove submodule includeIf entries that point to git-credentials-*.config files + try { + const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true); + for (const configPath of submoduleConfigPaths) { + const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath); + submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)); } } - else { - core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`); + catch (err) { + core.debug(`Unable to get submodule config paths: ${err}`); } + // Remove credentials config files + for (const credentialsPath of credentialsPaths) { + // Only remove credentials config files if they are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP']; + if (runnerTemp && credentialsPath.startsWith(runnerTemp)) { + try { + yield io.rmRF(credentialsPath); + } + catch (err) { + core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`); + } + } + } + } + catch (err) { + core.debug(`Failed to cleanup v6 style credentials: ${err}`); } }); } - /** - * Removes a git config key from the local repository config. - * @param configKey The git config key to remove - */ - removeGitConfig(configKey) { - return __awaiter(this, void 0, void 0, function* () { - if ((yield this.git.configExists(configKey)) && - !(yield this.git.tryConfigUnset(configKey))) { - // Load the config contents - core.warning(`Failed to remove '${configKey}' from the git config`); + removeGitConfig(configKey_1) { + return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) { + if (!submoduleOnly) { + if ((yield this.git.configExists(configKey)) && + !(yield this.git.tryConfigUnset(configKey))) { + // Load the config contents + core.warning(`Failed to remove '${configKey}' from the git config`); + } } - }); - } - /** - * Removes a git config key from all submodule configs. - * @param configKey The git config key to remove - */ - removeSubmoduleGitConfig(configKey) { - return __awaiter(this, void 0, void 0, function* () { const pattern = regexpHelper.escape(configKey); yield this.git.submoduleForeach( - // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. + // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true); }); } /** * Removes includeIf entries that point to git-credentials-*.config files. + * This handles cleanup of credentials configured by newer versions of the action. * @param configPath Optional path to a specific git config file to operate on * @returns Array of unique credentials config file paths that were found and removed */ @@ -584,18 +502,13 @@ class GitAuthHelper { } catch (err) { // Ignore errors - this is cleanup code - if (configPath) { - core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`); - } - else { - core.debug(`Error during includeIf cleanup: ${err}`); - } + core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`); } return Array.from(credentialsPaths); }); } /** - * Tests if a path matches the git-credentials-*.config pattern. + * Tests if a path matches the git-credentials-*.config pattern used by newer versions. * @param path The path to test * @returns True if the path matches the credentials config pattern */ @@ -799,15 +712,9 @@ class GitCommandManager { yield this.execGit(args); }); } - config(configKey, configValue, globalConfig, add, configFile) { + config(configKey, configValue, globalConfig, add) { return __awaiter(this, void 0, void 0, function* () { - const args = ['config']; - if (configFile) { - args.push('--file', configFile); - } - else { - args.push(globalConfig ? '--global' : '--local'); - } + const args = ['config', globalConfig ? '--global' : '--local']; if (add) { args.push('--add'); } diff --git a/package-lock.json b/package-lock.json index 98eb420..aef29d3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "checkout", - "version": "5.0.0", + "version": "4.3.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "checkout", - "version": "5.0.0", + "version": "4.3.0", "license": "MIT", "dependencies": { "@actions/core": "^1.10.1", @@ -18,7 +18,7 @@ }, "devDependencies": { "@types/jest": "^29.5.12", - "@types/node": "^24.1.0", + "@types/node": "^20.12.12", "@types/uuid": "^9.0.8", "@typescript-eslint/eslint-plugin": "^7.9.0", "@typescript-eslint/parser": "^7.9.0", @@ -1515,12 +1515,12 @@ "dev": true }, "node_modules/@types/node": { - "version": "24.1.0", - "resolved": "https://registry.npmjs.org/@types/node/-/node-24.1.0.tgz", - "integrity": "sha512-ut5FthK5moxFKH2T1CUOC6ctR67rQRvvHdFLCD2Ql6KXmMuCrjsSsRI9UsLCm9M18BMwClv4pn327UvB7eeO1w==", + "version": "20.12.12", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.12.tgz", + "integrity": "sha512-eWLDGF/FOSPtAvEqeRAQ4C8LSA7M1I7i0ky1I8U7kD1J5ITyW3AsRhQrKVoWf5pFKZ2kILsEGJhsI9r93PYnOw==", "dev": true, "dependencies": { - "undici-types": "~7.8.0" + "undici-types": "~5.26.4" } }, "node_modules/@types/stack-utils": { @@ -6865,9 +6865,9 @@ } }, "node_modules/undici-types": { - "version": "7.8.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz", - "integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==", + "version": "5.26.5", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz", + "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==", "dev": true }, "node_modules/universal-user-agent": { diff --git a/package.json b/package.json index 4b2b58a..dbbaabb 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "checkout", - "version": "5.0.0", + "version": "4.3.0", "description": "checkout action", "main": "lib/main.js", "scripts": { @@ -37,7 +37,7 @@ }, "devDependencies": { "@types/jest": "^29.5.12", - "@types/node": "^24.1.0", + "@types/node": "^20.12.12", "@types/uuid": "^9.0.8", "@typescript-eslint/eslint-plugin": "^7.9.0", "@typescript-eslint/parser": "^7.9.0", diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index e67db14..0c82ddd 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -43,7 +43,6 @@ class GitAuthHelper { private sshKeyPath = '' private sshKnownHostsPath = '' private temporaryHomePath = '' - private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP constructor( gitCommandManager: IGitCommandManager, @@ -127,21 +126,16 @@ class GitAuthHelper { async configureGlobalAuth(): Promise { // 'configureTempGlobalConfig' noops if already set, just returns the path - await this.configureTempGlobalConfig() + const newGitConfigPath = await this.configureTempGlobalConfig() try { // Configure the token - await this.configureToken(true) + await this.configureToken(newGitConfigPath, true) // Configure HTTPS instead of SSH await this.git.tryConfigUnset(this.insteadOfKey, true) if (!this.settings.sshKey) { for (const insteadOfValue of this.insteadOfValues) { - await this.git.config( - this.insteadOfKey, - insteadOfValue, - true, // globalConfig? - true // add? - ) + await this.git.config(this.insteadOfKey, insteadOfValue, true, true) } } } catch (err) { @@ -156,60 +150,24 @@ class GitAuthHelper { async configureSubmoduleAuth(): Promise { // Remove possible previous HTTPS instead of SSH - await this.removeSubmoduleGitConfig(this.insteadOfKey) + await this.removeGitConfig(this.insteadOfKey, true) if (this.settings.persistCredentials) { - // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = this.getCredentialsConfigPath() - - // Container credentials config path - const containerCredentialsPath = path.posix.join( - '/github/runner_temp', - path.basename(credentialsConfigPath) - ) - - // Get submodule config file paths. - const configPaths = await this.git.getSubmoduleConfigPaths( + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + const output = await this.git.submoduleForeach( + // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline + `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules ) - // For each submodule, configure includeIf entries pointing to the shared credentials file. - // Configure both host and container paths to support Docker container actions. + // Replace the placeholder + const configPaths: string[] = + output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [] for (const configPath of configPaths) { - // Submodule Git directory - let submoduleGitDir = path.dirname(configPath) // The config file is at .git/modules/submodule-name/config - submoduleGitDir = submoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows - - // Configure host includeIf - await this.git.config( - `includeIf.gitdir:${submoduleGitDir}.path`, - credentialsConfigPath, - false, // globalConfig? - false, // add? - configPath - ) - - // Container submodule git directory - const githubWorkspace = process.env['GITHUB_WORKSPACE'] - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') - let relativeSubmoduleGitDir = path.relative( - githubWorkspace, - submoduleGitDir - ) - relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows - const containerSubmoduleGitDir = path.posix.join( - '/github/workspace', - relativeSubmoduleGitDir - ) - - // Configure container includeIf - await this.git.config( - `includeIf.gitdir:${containerSubmoduleGitDir}.path`, - containerCredentialsPath, - false, // globalConfig? - false, // add? - configPath - ) + core.debug(`Replacing token placeholder in '${configPath}'`) + await this.replaceTokenPlaceholder(configPath) } if (this.settings.sshKey) { @@ -243,10 +201,6 @@ class GitAuthHelper { } } - /** - * Configures SSH authentication by writing the SSH key and known hosts, - * and setting up the GIT_SSH_COMMAND environment variable. - */ private async configureSsh(): Promise { if (!this.settings.sshKey) { return @@ -318,127 +272,57 @@ class GitAuthHelper { } } - /** - * Configures token-based authentication by creating a credentials config file - * and setting up includeIf entries to reference it. - * @param globalConfig Whether to configure global config instead of local - */ - private async configureToken(globalConfig?: boolean): Promise { - // Get the credentials config file path in RUNNER_TEMP - const credentialsConfigPath = this.getCredentialsConfigPath() + private async configureToken( + configPath?: string, + globalConfig?: boolean + ): Promise { + // Validate args + assert.ok( + (configPath && globalConfig) || (!configPath && !globalConfig), + 'Unexpected configureToken parameter combinations' + ) - // Write placeholder to the separate credentials config file using git config. - // This approach avoids the credential being captured by process creation audit events, - // which are commonly logged. For more information, refer to - // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + // Default config path + if (!configPath && !globalConfig) { + configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config') + } + + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing await this.git.config( this.tokenConfigKey, this.tokenPlaceholderConfigValue, - false, // globalConfig? - false, // add? - credentialsConfigPath + globalConfig ) - // Replace the placeholder in the credentials config file - let content = (await fs.promises.readFile(credentialsConfigPath)).toString() + // Replace the placeholder + await this.replaceTokenPlaceholder(configPath || '') + } + + private async replaceTokenPlaceholder(configPath: string): Promise { + assert.ok(configPath, 'configPath is not defined') + let content = (await fs.promises.readFile(configPath)).toString() const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue) if ( placeholderIndex < 0 || placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue) ) { - throw new Error( - `Unable to replace auth placeholder in ${credentialsConfigPath}` - ) + throw new Error(`Unable to replace auth placeholder in ${configPath}`) } assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined') content = content.replace( this.tokenPlaceholderConfigValue, this.tokenConfigValue ) - await fs.promises.writeFile(credentialsConfigPath, content) - - // Add include or includeIf to reference the credentials config - if (globalConfig) { - // Global config file is temporary - await this.git.config( - 'include.path', - credentialsConfigPath, - true // globalConfig? - ) - } else { - // Host git directory - let gitDir = path.join(this.git.getWorkingDirectory(), '.git') - gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows - - // Configure host includeIf - const hostIncludeKey = `includeIf.gitdir:${gitDir}.path` - await this.git.config(hostIncludeKey, credentialsConfigPath) - - // Configure host includeIf for worktrees - const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path` - await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath) - - // Container git directory - const workingDirectory = this.git.getWorkingDirectory() - const githubWorkspace = process.env['GITHUB_WORKSPACE'] - assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined') - let relativePath = path.relative(githubWorkspace, workingDirectory) - relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows - const containerGitDir = path.posix.join( - '/github/workspace', - relativePath, - '.git' - ) - - // Container credentials config path - const containerCredentialsPath = path.posix.join( - '/github/runner_temp', - path.basename(credentialsConfigPath) - ) - - // Configure container includeIf - const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` - await this.git.config(containerIncludeKey, containerCredentialsPath) - - // Configure container includeIf for worktrees - const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path` - await this.git.config( - containerWorktreeIncludeKey, - containerCredentialsPath - ) - } + await fs.promises.writeFile(configPath, content) } - /** - * Gets or creates the path to the credentials config file in RUNNER_TEMP. - * @returns The absolute path to the credentials config file - */ - private getCredentialsConfigPath(): string { - if (this.credentialsConfigPath) { - return this.credentialsConfigPath - } - - const runnerTemp = process.env['RUNNER_TEMP'] || '' - assert.ok(runnerTemp, 'RUNNER_TEMP is not defined') - - // Create a unique filename for this checkout instance - const configFileName = `git-credentials-${uuid()}.config` - this.credentialsConfigPath = path.join(runnerTemp, configFileName) - - core.debug(`Credentials config path: ${this.credentialsConfigPath}`) - return this.credentialsConfigPath - } - - /** - * Removes SSH authentication configuration by cleaning up SSH keys, - * known hosts files, and SSH command configurations. - */ private async removeSsh(): Promise { // SSH key const keyPath = this.sshKeyPath || stateHelper.SshKeyPath if (keyPath) { try { - core.info(`Removing SSH key '${keyPath}'`) await io.rmRF(keyPath) } catch (err) { core.debug(`${(err as any)?.message ?? err}`) @@ -451,91 +335,88 @@ class GitAuthHelper { this.sshKnownHostsPath || stateHelper.SshKnownHostsPath if (knownHostsPath) { try { - core.info(`Removing SSH known hosts '${knownHostsPath}'`) await io.rmRF(knownHostsPath) - } catch (err) { - core.debug(`${(err as any)?.message ?? err}`) - core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`) + } catch { + // Intentionally empty } } // SSH command - core.info('Removing SSH command configuration') await this.removeGitConfig(SSH_COMMAND_KEY) - await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY) } - /** - * Removes token-based authentication by cleaning up HTTP headers, - * includeIf entries, and credentials config files. - */ private async removeToken(): Promise { - // Remove HTTP extra header - core.info('Removing HTTP extra header') + // Remove HTTP extra header from local git config and submodule configs await this.removeGitConfig(this.tokenConfigKey) - await this.removeSubmoduleGitConfig(this.tokenConfigKey) - // Collect credentials config paths that need to be removed - const credentialsPaths = new Set() - - // Remove includeIf entries that point to git-credentials-*.config files - core.info('Removing includeIf entries pointing to credentials config files') - const mainCredentialsPaths = await this.removeIncludeIfCredentials() - mainCredentialsPaths.forEach(path => credentialsPaths.add(path)) - - // Remove submodule includeIf entries that point to git-credentials-*.config files - const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true) - for (const configPath of submoduleConfigPaths) { - const submoduleCredentialsPaths = - await this.removeIncludeIfCredentials(configPath) - submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)) + // + // Cleanup actions/checkout@v6 style credentials + // + const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] + if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') { + core.debug( + 'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP' + ) + return } - // Remove credentials config files - for (const credentialsPath of credentialsPaths) { - // Only remove credentials config files if they are under RUNNER_TEMP - const runnerTemp = process.env['RUNNER_TEMP'] - assert.ok(runnerTemp, 'RUNNER_TEMP is not defined') - if (credentialsPath.startsWith(runnerTemp)) { - try { - core.info(`Removing credentials config '${credentialsPath}'`) - await io.rmRF(credentialsPath) - } catch (err) { - core.debug(`${(err as any)?.message ?? err}`) - core.warning( - `Failed to remove credentials config '${credentialsPath}'` - ) + try { + // Collect credentials config paths that need to be removed + const credentialsPaths = new Set() + + // Remove includeIf entries that point to git-credentials-*.config files + const mainCredentialsPaths = await this.removeIncludeIfCredentials() + mainCredentialsPaths.forEach(path => credentialsPaths.add(path)) + + // Remove submodule includeIf entries that point to git-credentials-*.config files + try { + const submoduleConfigPaths = + await this.git.getSubmoduleConfigPaths(true) + for (const configPath of submoduleConfigPaths) { + const submoduleCredentialsPaths = + await this.removeIncludeIfCredentials(configPath) + submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path)) } - } else { - core.debug( - `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP` - ) + } catch (err) { + core.debug(`Unable to get submodule config paths: ${err}`) + } + + // Remove credentials config files + for (const credentialsPath of credentialsPaths) { + // Only remove credentials config files if they are under RUNNER_TEMP + const runnerTemp = process.env['RUNNER_TEMP'] + if (runnerTemp && credentialsPath.startsWith(runnerTemp)) { + try { + await io.rmRF(credentialsPath) + } catch (err) { + core.debug( + `Failed to remove credentials config '${credentialsPath}': ${err}` + ) + } + } + } + } catch (err) { + core.debug(`Failed to cleanup v6 style credentials: ${err}`) + } + } + + private async removeGitConfig( + configKey: string, + submoduleOnly: boolean = false + ): Promise { + if (!submoduleOnly) { + if ( + (await this.git.configExists(configKey)) && + !(await this.git.tryConfigUnset(configKey)) + ) { + // Load the config contents + core.warning(`Failed to remove '${configKey}' from the git config`) } } - } - /** - * Removes a git config key from the local repository config. - * @param configKey The git config key to remove - */ - private async removeGitConfig(configKey: string): Promise { - if ( - (await this.git.configExists(configKey)) && - !(await this.git.tryConfigUnset(configKey)) - ) { - // Load the config contents - core.warning(`Failed to remove '${configKey}' from the git config`) - } - } - - /** - * Removes a git config key from all submodule configs. - * @param configKey The git config key to remove - */ - private async removeSubmoduleGitConfig(configKey: string): Promise { const pattern = regexpHelper.escape(configKey) await this.git.submoduleForeach( - // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline. + // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true ) @@ -543,6 +424,7 @@ class GitAuthHelper { /** * Removes includeIf entries that point to git-credentials-*.config files. + * This handles cleanup of credentials configured by newer versions of the action. * @param configPath Optional path to a specific git config file to operate on * @returns Array of unique credentials config file paths that were found and removed */ @@ -578,18 +460,16 @@ class GitAuthHelper { } } catch (err) { // Ignore errors - this is cleanup code - if (configPath) { - core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`) - } else { - core.debug(`Error during includeIf cleanup: ${err}`) - } + core.debug( + `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}` + ) } return Array.from(credentialsPaths) } /** - * Tests if a path matches the git-credentials-*.config pattern. + * Tests if a path matches the git-credentials-*.config pattern used by newer versions. * @param path The path to test * @returns True if the path matches the credentials config pattern */ diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index a45e15a..9c789ac 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -28,8 +28,7 @@ export interface IGitCommandManager { configKey: string, configValue: string, globalConfig?: boolean, - add?: boolean, - configFile?: string + add?: boolean ): Promise configExists(configKey: string, globalConfig?: boolean): Promise fetch( @@ -241,15 +240,9 @@ class GitCommandManager { configKey: string, configValue: string, globalConfig?: boolean, - add?: boolean, - configFile?: string + add?: boolean ): Promise { - const args: string[] = ['config'] - if (configFile) { - args.push('--file', configFile) - } else { - args.push(globalConfig ? '--global' : '--local') - } + const args: string[] = ['config', globalConfig ? '--global' : '--local'] if (add) { args.push('--add') } diff --git a/src/misc/generate-docs.ts b/src/misc/generate-docs.ts index b78f035..4b3c8ff 100644 --- a/src/misc/generate-docs.ts +++ b/src/misc/generate-docs.ts @@ -120,7 +120,7 @@ function updateUsage( } updateUsage( - 'actions/checkout@v6', + 'actions/checkout@v4', path.join(__dirname, '..', '..', 'action.yml'), path.join(__dirname, '..', '..', 'README.md') )