adr support fetch-refs

* Handle submodules with SSH URLs

This is just a documentation change, explaining how to fix submodules
that are configured to use SSH URLs instead of HTTPS URLs. Spent a while
banging my head on the wall and hope this saves someone else the pain.

This is helpful for teams that use the SSH protocol for local
development so don't want to change the mechanism that pulls in the
submodules. Using `insteadOf` seems a bit nicer than than setting up a
deploy keypair.

* SSH submodules

Co-authored-by: Chris Patterson <chrispat@github.com>

.github/workflows/test.yml

@@ -6,32 +6,35 @@ on:
     branches:
       - master
       - releases/*
-      - users/ericsciple/*
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2-beta
+      - uses: actions/setup-node@v1
-  #     - run: npm ci
+        with:
-  #     - run: npm run build
+          node-version: 12.x
-  #     - run: npm run format-check
+      - uses: actions/checkout@v2
-  #     - run: npm run lint
+      - run: npm ci
-  #     - run: npm run pack
+      - run: npm run build
-  #     - run: npm run gendocs
+      - run: npm run format-check
-  #     - name: Verify no unstaged changes
+      - run: npm run lint
-  #       run: __test__/verify-no-unstaged-changes.sh
+      - run: npm run pack
+      - run: npm run gendocs
+      - run: npm test
+      - name: Verify no unstaged changes
+        run: __test__/verify-no-unstaged-changes.sh
 
-  # test:
+  test:
-  #   strategy:
+    strategy:
-  #     matrix:
+      matrix:
-  #       runs-on: [ubuntu-latest, macos-latest, windows-latest]
+        runs-on: [ubuntu-latest, macos-latest, windows-latest]
-  #   runs-on: ${{ matrix.runs-on }}
+    runs-on: ${{ matrix.runs-on }}
 
-  #   steps:
+    steps:
-  #     # Clone this repo
+      # Clone this repo
-  #     - name: Checkout
+      - name: Checkout
-  #       uses: actions/checkout@v1 # todo: switch to V2
+        uses: actions/checkout@v2
 
       # Basic checkout
       - name: Basic checkout
@@ -39,46 +42,139 @@ jobs:
         with:
           ref: test-data/v2/basic
           path: basic
-      # - name: Verify basic
+      - name: Verify basic
-      #   shell: bash
+        shell: bash
-      #   run: __test__/verify-basic.sh
+        run: __test__/verify-basic.sh
 
-      # # Clean
+      # Clean
-      # - name: Modify work tree
+      - name: Modify work tree
-      #   shell: bash
+        shell: bash
-      #   run: __test__/modify-work-tree.sh
+        run: __test__/modify-work-tree.sh
-      # - name: Clean checkout
+      - name: Clean checkout
-      #   uses: ./
+        uses: ./
-      #   with:
+        with:
-      #     ref: test-data/v2/basic
+          ref: test-data/v2/basic
-      #     path: basic
+          path: basic
-      # - name: Verify clean
+      - name: Verify clean
-      #   shell: bash
+        shell: bash
-      #   run: __test__/verify-clean.sh
+        run: __test__/verify-clean.sh
 
-      # # Side by side
+      # Side by side
-      # - name: Side by side checkout 1
+      - name: Side by side checkout 1
-      #   uses: ./
+        uses: ./
-      #   with:
+        with:
-      #     ref: test-data/v2/side-by-side-1
+          ref: test-data/v2/side-by-side-1
-      #     path: side-by-side-1
+          path: side-by-side-1
-      # - name: Side by side checkout 2
+      - name: Side by side checkout 2
-      #   uses: ./
+        uses: ./
-      #   with:
+        with:
-      #     ref: test-data/v2/side-by-side-2
+          ref: test-data/v2/side-by-side-2
-      #     path: side-by-side-2
+          path: side-by-side-2
-      # - name: Verify side by side
+      - name: Verify side by side
-      #   shell: bash
+        shell: bash
-      #   run: __test__/verify-side-by-side.sh
+        run: __test__/verify-side-by-side.sh
 
-      # # LFS
+      # LFS
-      # - name: LFS checkout
+      - name: LFS checkout
-      #   uses: ./
+        uses: ./
-      #   with:
+        with:
-      #     repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
+          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
-      #     ref: test-data/v2/lfs
+          ref: test-data/v2/lfs
-      #     path: lfs
+          path: lfs
-      #     lfs: true
+          lfs: true
-      # - name: Verify LFS
+      - name: Verify LFS
-      #   shell: bash
+        shell: bash
-      #   run: __test__/verify-lfs.sh
+        run: __test__/verify-lfs.sh
+
+      # Basic checkout using REST API
+      - name: Remove basic
+        if: runner.os != 'windows'
+        run: rm -rf basic
+      - name: Remove basic (Windows)
+        if: runner.os == 'windows'
+        shell: cmd
+        run: rmdir /s /q basic
+      - name: Override git version
+        if: runner.os != 'windows'
+        run: __test__/override-git-version.sh
+      - name: Override git version (Windows)
+        if: runner.os == 'windows'
+        run: __test__\\override-git-version.cmd
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
+
+  test-proxy:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine/git:latest
+      options: --dns 127.0.0.1
+    services:
+      squid-proxy:
+        image: datadog/squid:latest
+        ports:
+          - 3128:3128
+    env:
+      https_proxy: http://squid-proxy:3128
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+
+      # Basic checkout using REST API
+      - name: Remove basic
+        run: rm -rf basic
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
+
+  test-bypass-proxy:
+    runs-on: ubuntu-latest
+    env:
+      https_proxy: http://no-such-proxy:3128
+      no_proxy: api.github.com,github.com
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+      - name: Remove basic
+        run: rm -rf basic
+
+      # Basic checkout using REST API
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive

README.md

@@ -2,29 +2,30 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2 beta
+# Checkout V2
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-By default, the repository that triggered the workflow is checked-out, for the ref/SHA that triggered the event.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth` to fetch more history. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
-Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+
+When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
 
 # What's new
 
-- Improved fetch performance
+- Improved performance
-  - The default behavior now fetches only the SHA being checked-out
+  - Fetches only a single commit by default
 - Script authenticated git commands
-  - Persists `with.token` in the local git config
+  - Auth token persisted in the local git config
-  - Enables your scripts to run authenticated git commands
-  - Post-job cleanup removes the token
-  - Coming soon: Opt out by setting `with.persist-credentials` to `false`
 - Creates a local branch
   - No longer detached HEAD when checking out a branch
-  - A local branch is created with the corresponding upstream branch set
 - Improved layout
-  - `with.path` is always relative to `github.workspace`
+  - The input `path` is always relative to $GITHUB_WORKSPACE
-  - Aligns better with container actions, where `github.workspace` gets mapped in
+  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+- Fallback to REST API download
+  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
+  - When using a job container, the container's PATH is used
 - Removed input `submodules`
 
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@@ -33,21 +34,28 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
     repository: ''
 
-    # The branch, tag or SHA to checkout.  When checking out the repository that
+    # The branch, tag or SHA to checkout. When checking out the repository that
     # triggered a workflow, this defaults to the reference or SHA for that event.
     # Otherwise, defaults to `master`.
     ref: ''
 
-    # Access token for clone repository
+    # Auth token used to fetch the repository. The token is stored in the local git
+    # config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the token from the git config. [Learn more about creating
+    # and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     # Default: ${{ github.token }}
     token: ''
 
+    # Whether to persist the token in the git config
+    # Default: true
+    persist-credentials: ''
+
     # Relative path under $GITHUB_WORKSPACE to place the repository
     path: ''
 
@@ -65,31 +73,141 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```
 <!-- end usage -->
 
+# Scenarios
+
+- [Checkout a different branch](#Checkout-a-different-branch)
+- [Checkout HEAD^](#Checkout-HEAD)
+- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
+- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
+- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
+- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
+- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Checkout submodules](#Checkout-submodules)
+- [Fetch all tags](#Fetch-all-tags)
+- [Fetch all branches](#Fetch-all-branches)
+- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
+
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    ref: some-branch
+    ref: my-branch
 ```
 
-## Checkout a different, private repository
+## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    repository: myAccount/myRepository
+    fetch-depth: 2
-    ref: refs/heads/master
+- run: git checkout HEAD^
+```
+
+## Checkout multiple repos (side by side)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+  with:
+    path: main
+
+- name: Checkout tools repo
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (nested)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+
+- name: Checkout tools repo
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (private)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+  with:
+    path: main
+
+- name: Checkout private tools
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-private-tools
     token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
+    path: my-tools
 ```
-> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout another repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
 
-## Checkout the HEAD commit of a PR, rather than the merge commit
+> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+
+
+## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    ref: ${{ github.event.after }}
+    ref: ${{ github.event.pull_request.head.sha }}
+```
+
+## Checkout pull request on closed event
+
+```yaml
+on:
+  pull_request:
+    branches: [master]
+    types: [opened, synchronize, closed]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+```
+
+## Checkout submodules
+
+```yaml
+- uses: actions/checkout@v2
+- name: Checkout submodules
+  shell: bash
+  run: |
+    # If your submodules are configured to use SSH instead of HTTPS please uncomment the following line
+    # git config --global url."https://github.com/".insteadOf "git@github.com:"
+    auth_header="$(git config --local --get http.https://github.com/.extraheader)"
+    git submodule sync --recursive
+    git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
+```
+
+## Fetch all tags
+
+```yaml
+- uses: actions/checkout@v2
+- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
+```
+
+## Fetch all branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+```
+
+## Fetch all history for all tags and branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --prune --unshallow
 ```
 
 # License

__test__/input-helper.test.ts

@@ -1,47 +1,44 @@
 import * as assert from 'assert'
+import * as core from '@actions/core'
+import * as fsHelper from '../lib/fs-helper'
+import * as github from '@actions/github'
+import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
 import {ISourceSettings} from '../lib/git-source-provider'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
 
-// Late bind
+// Inputs for mock @actions/core
-let inputHelper: any
-
-// Mock @actions/core
 let inputs = {} as any
-const mockCore = jest.genMockFromModule('@actions/core') as any
-mockCore.getInput = (name: string) => {
-  return inputs[name]
-}
 
-// Mock @actions/github
+// Shallow clone original @actions/github context
-const mockGitHub = jest.genMockFromModule('@actions/github') as any
+let originalContext = {...github.context}
-mockGitHub.context = {
-  repo: {
-    owner: 'some-owner',
-    repo: 'some-repo'
-  },
-  ref: 'refs/heads/some-ref',
-  sha: '1234567890123456789012345678901234567890'
-}
-
-// Mock ./fs-helper
-const mockFSHelper = jest.genMockFromModule('../lib/fs-helper') as any
-mockFSHelper.directoryExistsSync = (path: string) => path == gitHubWorkspace
 
 describe('input-helper tests', () => {
   beforeAll(() => {
+    // Mock @actions/core getInput()
+    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
+      return inputs[name]
+    })
+
+    // Mock @actions/github context
+    jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
+      return {
+        owner: 'some-owner',
+        repo: 'some-repo'
+      }
+    })
+    github.context.ref = 'refs/heads/some-ref'
+    github.context.sha = '1234567890123456789012345678901234567890'
+
+    // Mock ./fs-helper directoryExistsSync()
+    jest
+      .spyOn(fsHelper, 'directoryExistsSync')
+      .mockImplementation((path: string) => path == gitHubWorkspace)
+
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
-
-    // Mocks
-    jest.setMock('@actions/core', mockCore)
-    jest.setMock('@actions/github', mockGitHub)
-    jest.setMock('../lib/fs-helper', mockFSHelper)
-
-    // Now import
-    inputHelper = require('../lib/input-helper')
   })
 
   beforeEach(() => {
@@ -50,20 +47,24 @@ describe('input-helper tests', () => {
   })
 
   afterAll(() => {
-    // Reset GitHub workspace
+    // Restore GitHub workspace
     delete process.env['GITHUB_WORKSPACE']
     if (originalGitHubWorkspace) {
       process.env['GITHUB_WORKSPACE'] = originalGitHubWorkspace
     }
 
-    // Reset modules
+    // Restore @actions/github context
-    jest.resetModules()
+    github.context.ref = originalContext.ref
+    github.context.sha = originalContext.sha
+
+    // Restore
+    jest.restoreAllMocks()
   })
 
   it('sets defaults', () => {
     const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
-    expect(settings.accessToken).toBeFalsy()
+    expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
     expect(settings.commit).toBeTruthy()
     expect(settings.commit).toBe('1234567890123456789012345678901234567890')
@@ -75,6 +76,19 @@ describe('input-helper tests', () => {
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
   })
 
+  it('qualifies ref', () => {
+    let originalRef = github.context.ref
+    try {
+      github.context.ref = 'some-unqualified-ref'
+      const settings: ISourceSettings = inputHelper.getInputs()
+      expect(settings).toBeTruthy()
+      expect(settings.commit).toBe('1234567890123456789012345678901234567890')
+      expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
+    } finally {
+      github.context.ref = originalRef
+    }
+  })
+
   it('requires qualified repo', () => {
     inputs.repository = 'some-unqualified-repo'
     assert.throws(() => {

__test__/override-git-version.cmd

@@ -0,0 +1,6 @@
+
+mkdir override-git-version
+cd override-git-version
+echo @echo override git version 1.2.3 > git.cmd
+echo ::add-path::%CD%
+cd ..

__test__/override-git-version.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir override-git-version
+cd override-git-version
+echo "#!/bin/sh" > git
+echo "echo override git version 1.2.3" >> git
+chmod +x git
+echo "::add-path::$(pwd)"
+cd ..

__test__/retry-helper.test.ts

@@ -0,0 +1,87 @@
+import * as core from '@actions/core'
+import {RetryHelper} from '../lib/retry-helper'
+
+let info: string[]
+let retryHelper: any
+
+describe('retry-helper tests', () => {
+  beforeAll(() => {
+    // Mock @actions/core info()
+    jest.spyOn(core, 'info').mockImplementation((message: string) => {
+      info.push(message)
+    })
+
+    retryHelper = new RetryHelper(3, 0, 0)
+  })
+
+  beforeEach(() => {
+    // Reset info
+    info = []
+  })
+
+  afterAll(() => {
+    // Restore
+    jest.restoreAllMocks()
+  })
+
+  it('first attempt succeeds', async () => {
+    const actual = await retryHelper.execute(async () => {
+      return 'some result'
+    })
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(0)
+  })
+
+  it('second attempt succeeds', async () => {
+    let attempts = 0
+    const actual = await retryHelper.execute(() => {
+      if (++attempts == 1) {
+        throw new Error('some error')
+      }
+
+      return Promise.resolve('some result')
+    })
+    expect(attempts).toBe(2)
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(2)
+    expect(info[0]).toBe('some error')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+
+  it('third attempt succeeds', async () => {
+    let attempts = 0
+    const actual = await retryHelper.execute(() => {
+      if (++attempts < 3) {
+        throw new Error(`some error ${attempts}`)
+      }
+
+      return Promise.resolve('some result')
+    })
+    expect(attempts).toBe(3)
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(4)
+    expect(info[0]).toBe('some error 1')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+    expect(info[2]).toBe('some error 2')
+    expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+
+  it('all attempts fail succeeds', async () => {
+    let attempts = 0
+    let error: Error = (null as unknown) as Error
+    try {
+      await retryHelper.execute(() => {
+        throw new Error(`some error ${++attempts}`)
+      })
+    } catch (err) {
+      error = err
+    }
+    expect(error.message).toBe('some error 3')
+    expect(attempts).toBe(3)
+    expect(info).toHaveLength(4)
+    expect(info[0]).toBe('some error 1')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+    expect(info[2]).toBe('some error 2')
+    expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+})

__test__/verify-basic.sh

@@ -1,10 +1,24 @@
-#!/bin/bash
+#!/bin/sh
 
 if [ ! -f "./basic/basic-file.txt" ]; then
     echo "Expected basic file does not exist"
     exit 1
 fi
 
-# Verify auth token
+if [ "$1" = "--archive" ]; then
-cd basic
+  # Verify no .git folder
-git fetch
+  if [ -d "./basic/.git" ]; then
+    echo "Did not expect ./basic/.git folder to exist"
+    exit 1
+  fi
+else
+  # Verify .git folder
+  if [ ! -d "./basic/.git" ]; then
+    echo "Expected ./basic/.git folder to exist"
+    exit 1
+  fi
+
+  # Verify auth token
+  cd basic
+  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+fi

action.yml

@@ -6,12 +6,19 @@ inputs:
     default: ${{ github.repository }}
   ref:
     description: >
-      The branch, tag or SHA to checkout.  When checking out the repository
+      The branch, tag or SHA to checkout. When checking out the repository that
-      that triggered a workflow, this defaults to the reference or SHA for
+      triggered a workflow, this defaults to the reference or SHA for that
-      that event.  Otherwise, defaults to `master`.
+      event.  Otherwise, defaults to `master`.
   token:
-    description: 'Access token for clone repository'
+    description: >
+      Auth token used to fetch the repository. The token is stored in the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     default: ${{ github.token }}
+  persist-credentials:
+    description: 'Whether to persist the token in the git config'
+    default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
   clean:

adrs/0153-checkout-v2.md

@@ -0,0 +1,215 @@
+# ADR 0153: Checkout v2
+
+**Date**: 2019-10-21
+
+**Status**: Accepted
+
+## Context
+
+This ADR details the behavior for `actions/checkout@v2`.
+
+The new action will be written in typescript. We are moving away from runner-plugin actions.
+
+We want to take this opportunity to make behavioral changes, from v1. This document is scoped to those differences.
+
+## Decision
+
+### Inputs
+
+```yaml
+  repository:
+    description: 'Repository name with owner. For example, actions/checkout'
+    default: ${{ github.repository }}
+  ref:
+    description: >
+      The branch, tag or SHA to checkout. When checking out the repository that
+      triggered a workflow, this defaults to the reference or SHA for that
+      event.  Otherwise, defaults to `master`.
+  token:
+    description: >
+      Auth token used to fetch the repository. The token is stored in the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    default: ${{ github.token }}
+  persist-credentials:
+    description: 'Whether to persist the token in the git config'
+    default: true
+  path:
+    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
+  clean:
+    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
+    default: true
+  fetch-depth:
+    description: 'Number of commits to fetch. 0 indicates all history.'
+    default: 1
+  fetch-refs:
+    description: >
+      Additional refs to fetch: `branches`, `tags`, `pr-base`, or `all`.
+      Combinations are also accepted. For example: `branches, tags`
+    default: ''
+  lfs:
+    description: 'Whether to download Git-LFS files'
+    default: false
+```
+
+Note:
+- `fetch-refs` is new
+- `persist-credentials` is new
+- `path` behavior is different (refer [below](#path) for details)
+- `submodules` was removed (error if specified; add later if needed)
+
+### Fallback to GitHub API
+
+When a sufficient version of git is not in the PATH, fallback to the [web API](https://developer.github.com/v3/repos/contents/#get-archive-link) to download a tarball/zipball.
+
+Note:
+- LFS files are not included in the archive. Therefore fail if LFS is set to true.
+- Submodules are also not included in the archive. However submodules are not supported by checkout v2 anyway.
+
+### Persist credentials
+
+Persist the token in the git config (http.extraheader). This will allow users to script authenticated git commands, like `git fetch`.
+
+A post script will remove the credentials from the git config (cleanup for self-hosted).
+
+Users may opt-out by specifying `persist-credentials: false`
+
+Note:
+- Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance.
+- The auth header (stored in the repo's git config), is scoped to all of github `http.https://github.com/.extraheader`
+  - Additional public remotes also just work.
+  - If users want to authenticate to an additional private remote, they should provide the `token` input.
+  - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config.
+  - Users opt out of persisted credentials (`persist-credentials: false`), or can script the removal themselves (`git config --unset-all http.https://github.com/.extraheader`).
+
+### Fetch behavior
+
+Fetch only the SHA being built and set depth=1. This significantly reduces the fetch time for large repos.
+
+If a SHA isn't available (e.g. multi repo), then fetch only the specified ref with depth=1.
+
+The input `fetch-depth` can be used to control the depth.
+
+The input `fetch-refs` can be used to fetch additional refs.
+
+Note:
+- Fetching a single commit is supported by Git wire protocol version 2. The git client uses protocol version 0 by default. The desired protocol version can be overridden in the git config or on the fetch command line invocation (`-c protocol.version=2`). We will override on the fetch command line, for transparency.
+- Git client version 2.18+ (released June 2018) is required for wire protocol version 2.
+
+### Checkout behavior
+
+For CI, checkout will create a local ref with the upstream set. This allows users to script git as they normally would.
+
+For PR, continue to checkout detached head. The PR branch is special - the branch and merge commit are created by the server. It doesn't match a users' local workflow.
+
+Note:
+- Consider deleting all local refs during cleanup if that helps avoid collisions. More testing required.
+
+### Path
+
+For the mainline scenario, the disk-layout behavior remains the same.
+
+Remember, given the repo `johndoe/foo`, the mainline disk layout looks like:
+
+```
+GITHUB_WORKSPACE=/home/runner/work/foo/foo
+RUNNER_WORKSPACE=/home/runner/work/foo
+```
+
+V2 introduces a new contraint on the checkout path. The location must now be under `github.workspace`. Whereas the checkout@v1 constraint was one level up, under `runner.workspace`.
+
+V2 no longer changes `github.workspace` to follow wherever the self repo is checked-out.
+
+These behavioral changes align better with container actions. The [documented filesystem contract](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#docker-container-filesystem) is:
+
+- `/github/home`
+- `/github/workspace` - Note: GitHub Actions must be run by the default Docker user (root). Ensure your Dockerfile does not set the USER instruction, otherwise you will not be able to access `GITHUB_WORKSPACE`.
+- `/github/workflow`
+
+Note:
+- The tracking config will not be updated to reflect the path of the workflow repo.
+- Any existing workflow repo will not be moved when the checkout path changes. In fact some customers want to checkout the workflow repo twice, side by side against different branches.
+- Actions that need to operate only against the root of the self repo, should expose a `path` input.
+
+#### Default value for `path` input
+
+The `path` input will default to `./` which is rooted against `github.workspace`.
+
+This default fits the mainline scenario well: single checkout
+
+For multi-checkout, users must specify the `path` input for at least one of the repositories.
+
+Note:
+- An alternative is for the self repo to default to `./` and other repos default to `<REPO_NAME>`. However nested layout is an atypical git layout and therefore is not a good default. Users should supply the path info.
+
+#### Example - Nested layout
+
+The following example checks-out two repositories and creates a nested layout.
+
+```yaml
+# Self repo - Checkout to $GITHUB_WORKSPACE
+- uses: checkout@v2
+
+# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
+- uses: checkout@v2
+  with:
+    repository: myorg/myscripts
+    path: myscripts
+```
+
+#### Example - Side by side layout
+
+The following example checks-out two repositories and creates a side-by-side layout.
+
+```yaml
+# Self repo - Checkout to $GITHUB_WORKSPACE/foo
+- uses: checkout@v2
+  with:
+    path: foo
+
+# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
+- uses: checkout@v2
+  with:
+    repository: myorg/myscripts
+    path: myscripts
+```
+
+#### Path impact to problem matchers
+
+Problem matchers associate the source files with annotations.
+
+Today the runner verifies the source file is under the `github.workspace`. Otherwise the source file property is dropped.
+
+Multi-checkout complicates the matter. However even today submodules may cause this heuristic to be inaccurate.
+
+A better solution is:
+
+Given a source file path, walk up the directories until the first `.git/config` is found. Check if it matches the self repo (`url = https://github.com/OWNER/REPO`). If not, drop the source file path.
+
+### Port to typescript
+
+The checkout action should be a typescript action on the GitHub graph, for the following reasons:
+- Enables customers to fork the checkout repo and modify
+- Serves as an example for customers
+- Demystifies the checkout action manifest
+- Simplifies the runner
+- Reduce the amount of runner code to port (if we ever do)
+
+Note:
+- This means job-container images will need git in the PATH, for checkout.
+
+### Branching strategy and release tags
+
+- Create a servicing branch for V1: `releases/v1`
+- Merge the changes into `master`
+- Release using a new tag `preview`
+- When stable, release using a new tag `v2`
+
+## Consequences
+
+- Update the checkout action and readme
+- Update samples to consume `actions/checkout@v2`
+- Job containers now require git in the PATH for checkout, otherwise fallback to REST API
+- Minimum git version 2.18
+- Update problem matcher logic regarding source file verification (runner)

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -15,14 +15,30 @@
       "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
     },
     "@actions/github": {
-      "version": "2.0.0",
+      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz",
-      "integrity": "sha512-sNpZ5dJyJyfJIO5lNYx8r/Gha4Tlm8R0MLO2cBkGdOnAAEn3t1M/MHVcoBhY/VPfjGVe5RNAUPz+6INrViiUPA==",
+      "integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==",
       "requires": {
+        "@actions/http-client": "^1.0.3",
         "@octokit/graphql": "^4.3.1",
         "@octokit/rest": "^16.15.0"
       }
     },
+    "@actions/http-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
+      "integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
+      "requires": {
+        "tunnel": "0.0.6"
+      },
+      "dependencies": {
+        "tunnel": {
+          "version": "0.0.6",
+          "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+          "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+        }
+      }
+    },
     "@actions/io": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz",
@@ -597,6 +613,14 @@
         "@types/yargs": "^13.0.0"
       }
     },
+    "@octokit/auth-token": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.4.0.tgz",
+      "integrity": "sha512-eoOVMjILna7FVQf96iWc3+ZtE/ZT6y8ob8ZzcqKY1ibSQCnu4O/B7pJvzMx5cyZ/RjAff6DAdEb0O0Cjcxidkg==",
+      "requires": {
+        "@octokit/types": "^2.0.0"
+      }
+    },
     "@octokit/endpoint": {
       "version": "5.5.1",
       "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
@@ -643,10 +667,11 @@
       }
     },
     "@octokit/rest": {
-      "version": "16.35.0",
+      "version": "16.38.1",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.35.0.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz",
-      "integrity": "sha512-9ShFqYWo0CLoGYhA1FdtdykJuMzS/9H6vSbbQWDX4pWr4p9v+15MsH/wpd/3fIU+tSxylaNO48+PIHqOkBRx3w==",
+      "integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==",
       "requires": {
+        "@octokit/auth-token": "^2.4.0",
         "@octokit/request": "^5.2.0",
         "@octokit/request-error": "^1.0.2",
         "atob-lite": "^2.0.0",
@@ -662,9 +687,9 @@
       }
     },
     "@octokit/types": {
-      "version": "2.0.2",
+      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.0.2.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz",
-      "integrity": "sha512-StASIL2lgT3TRjxv17z9pAqbnI7HGu9DrJlg3sEBFfCLaMEqp+O3IQPUF6EZtQ4xkAu2ml6kMBBCtGxjvmtmuQ==",
+      "integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==",
       "requires": {
         "@types/node": ">= 8"
       }
@@ -767,6 +792,15 @@
       "integrity": "sha512-l42BggppR6zLmpfU6fq9HEa2oGPEI8yrSPL3GITjfRInppYFahObbIQOQK3UGxEnyQpltZLaPe75046NOZQikw==",
       "dev": true
     },
+    "@types/uuid": {
+      "version": "3.4.6",
+      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.6.tgz",
+      "integrity": "sha512-cCdlC/1kGEZdEglzOieLDYBxHsvEOIg7kp/2FYyVR9Pxakq+Qf/inL3RKQ+PA8gOlI/NnL+fXmQH12nwcGzsHw==",
+      "dev": true,
+      "requires": {
+        "@types/node": "*"
+      }
+    },
     "@types/yargs": {
       "version": "13.0.3",
       "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-13.0.3.tgz",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -31,13 +31,15 @@
   "dependencies": {
     "@actions/core": "^1.1.3",
     "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.0.0",
+    "@actions/github": "^2.0.2",
     "@actions/io": "^1.0.1",
-    "@actions/tool-cache": "^1.1.2"
+    "@actions/tool-cache": "^1.1.2",
+    "uuid": "^3.3.3"
   },
   "devDependencies": {
     "@types/jest": "^24.0.23",
     "@types/node": "^12.7.12",
+    "@types/uuid": "^3.4.6",
     "@typescript-eslint/parser": "^2.8.0",
     "@zeit/ncc": "^0.20.5",
     "eslint": "^5.16.0",

src/git-command-manager.ts

@@ -77,10 +77,12 @@ class GitCommandManager {
   async branchList(remote: boolean): Promise<string[]> {
     const result: string[] = []
 
-    // Note, this implementation uses "rev-parse --symbolic" because the output from
+    // Note, this implementation uses "rev-parse --symbolic-full-name" because the output from
     // "branch --list" is more difficult when in a detached HEAD state.
+    // Note, this implementation uses "rev-parse --symbolic-full-name" because there is a bug
+    // in Git 2.18 that causes "rev-parse --symbolic" to output symbolic full names.
 
-    const args = ['rev-parse', '--symbolic']
+    const args = ['rev-parse', '--symbolic-full-name']
     if (remote) {
       args.push('--remotes=origin')
     } else {
@@ -92,6 +94,12 @@ class GitCommandManager {
     for (let branch of output.stdout.trim().split('\n')) {
       branch = branch.trim()
       if (branch) {
+        if (branch.startsWith('refs/heads/')) {
+          branch = branch.substr('refs/heads/'.length)
+        } else if (branch.startsWith('refs/remotes/')) {
+          branch = branch.substr('refs/remotes/'.length)
+        }
+
         result.push(branch)
       }
     }
@@ -116,7 +124,7 @@ class GitCommandManager {
   }
 
   async config(configKey: string, configValue: string): Promise<void> {
-    await this.execGit(['config', configKey, configValue])
+    await this.execGit(['config', '--local', configKey, configValue])
   }
 
   async configExists(configKey: string): Promise<boolean> {
@@ -124,7 +132,7 @@ class GitCommandManager {
       return `\\${x}`
     })
     const output = await this.execGit(
-      ['config', '--name-only', '--get-regexp', pattern],
+      ['config', '--local', '--name-only', '--get-regexp', pattern],
       true
     )
     return output.exitCode === 0
@@ -170,12 +178,12 @@ class GitCommandManager {
   }
 
   async isDetached(): Promise<boolean> {
-    // Note, this implementation uses "branch --show-current" because
+    // Note, "branch --show-current" would be simpler but isn't available until Git 2.22
-    // "rev-parse --symbolic-full-name HEAD" can fail on a new repo
+    const output = await this.execGit(
-    // with nothing checked out.
+      ['rev-parse', '--symbolic-full-name', '--verify', '--quiet', 'HEAD'],
-
+      true
-    const output = await this.execGit(['branch', '--show-current'])
+    )
-    return output.stdout.trim() === ''
+    return !output.stdout.trim().startsWith('refs/heads/')
   }
 
   async lfsFetch(ref: string): Promise<void> {
@@ -211,20 +219,23 @@ class GitCommandManager {
 
   async tryConfigUnset(configKey: string): Promise<boolean> {
     const output = await this.execGit(
-      ['config', '--unset-all', configKey],
+      ['config', '--local', '--unset-all', configKey],
       true
     )
     return output.exitCode === 0
   }
 
   async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
-    const output = await this.execGit(['config', 'gc.auto', '0'], true)
+    const output = await this.execGit(
+      ['config', '--local', 'gc.auto', '0'],
+      true
+    )
     return output.exitCode === 0
   }
 
   async tryGetFetchUrl(): Promise<string> {
     const output = await this.execGit(
-      ['config', '--get', 'remote.origin.url'],
+      ['config', '--local', '--get', 'remote.origin.url'],
       true
     )
 

src/git-source-provider.ts

@@ -1,15 +1,16 @@
 import * as core from '@actions/core'
-import * as coreCommand from '@actions/core/lib/command'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
+import * as githubApiHelper from './github-api-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
-import * as githubApiHelper from './github-api-helper'
+import * as stateHelper from './state-helper'
 import {IGitCommandManager} from './git-command-manager'
 
-const authConfigKey = `http.https://github.com/.extraheader`
+const serverUrl = 'https://github.com/'
+const authConfigKey = `http.${serverUrl}.extraheader`
 
 export interface ISourceSettings {
   repositoryPath: string
@@ -20,7 +21,8 @@ export interface ISourceSettings {
   clean: boolean
   fetchDepth: number
   lfs: boolean
-  accessToken: string
+  authToken: string
+  persistCredentials: boolean
 }
 
 export async function getSource(settings: ISourceSettings): Promise<void> {
@@ -32,13 +34,6 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     settings.repositoryOwner
   )}/${encodeURIComponent(settings.repositoryName)}`
 
-  // Set intra-task state for cleanup
-  coreCommand.issueCommand(
-    'save-state',
-    {name: 'repositoryPath'},
-    settings.repositoryPath
-  )
-
   // Remove conflicting file path
   if (fsHelper.fileExistsSync(settings.repositoryPath)) {
     await io.rmRF(settings.repositoryPath)
@@ -52,21 +47,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
   }
 
   // Git command manager
-  core.info(`Working directory is '${settings.repositoryPath}'`)
+  const git = await getGitCommandManager(settings)
-  let git = (null as unknown) as IGitCommandManager
-  try {
-    git = await gitCommandManager.CreateCommandManager(
-      settings.repositoryPath,
-      settings.lfs
-    )
-  } catch (err) {
-    // Git is required for LFS
-    if (settings.lfs) {
-      throw err
-    }
-
-    // Otherwise fallback to REST API
-  }
 
   // Prepare existing directory, otherwise recreate
   if (isExisting) {
@@ -78,13 +59,14 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     )
   }
 
-  if (!git || `${1}` == '1') {
+  if (!git) {
-    core.info(`Downloading the repository files using the GitHub REST API`)
+    // Downloading using REST API
+    core.info(`The repository will be downloaded using the GitHub REST API`)
     core.info(
-      `To create a local repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
     )
     await githubApiHelper.downloadRepository(
-      settings.accessToken,
+      settings.authToken,
       settings.repositoryOwner,
       settings.repositoryName,
       settings.ref,
@@ -92,6 +74,9 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
       settings.repositoryPath
     )
   } else {
+    // Save state for POST action
+    stateHelper.setRepositoryPath(settings.repositoryPath)
+
     // Initialize the repository
     if (
       !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
@@ -110,61 +95,87 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     // Remove possible previous extraheader
     await removeGitConfig(git, authConfigKey)
 
-    // Add extraheader (auth)
+    try {
-    const base64Credentials = Buffer.from(
+      // Config extraheader
-      `x-access-token:${settings.accessToken}`,
+      await configureAuthToken(git, settings.authToken)
-      'utf8'
-    ).toString('base64')
-    core.setSecret(base64Credentials)
-    const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-    await git.config(authConfigKey, authConfigValue)
 
-    // LFS install
+      // LFS install
-    if (settings.lfs) {
+      if (settings.lfs) {
-      await git.lfsInstall()
+        await git.lfsInstall()
+      }
+
+      // Fetch
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
+      await git.fetch(settings.fetchDepth, refSpec)
+
+      // Checkout info
+      const checkoutInfo = await refHelper.getCheckoutInfo(
+        git,
+        settings.ref,
+        settings.commit
+      )
+
+      // LFS fetch
+      // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+      // Explicit lfs fetch will fetch lfs objects in parallel.
+      if (settings.lfs) {
+        await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
+      }
+
+      // Checkout
+      await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
+
+      // Dump some info about the checked out commit
+      await git.log1()
+    } finally {
+      if (!settings.persistCredentials) {
+        await removeGitConfig(git, authConfigKey)
+      }
     }
-
-    // Fetch
-    const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-    await git.fetch(settings.fetchDepth, refSpec)
-
-    // Checkout info
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      settings.ref,
-      settings.commit
-    )
-
-    // LFS fetch
-    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-    // Explicit lfs fetch will fetch lfs objects in parallel.
-    if (settings.lfs) {
-      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
-    }
-
-    // Checkout
-    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
-
-    // Dump some info about the checked out commit
-    await git.log1()
   }
 }
 
 export async function cleanup(repositoryPath: string): Promise<void> {
   // Repo exists?
-  if (!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))) {
+  if (
+    !repositoryPath ||
+    !fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))
+  ) {
     return
   }
-  fsHelper.directoryExistsSync(repositoryPath, true)
 
-  // Remove the config key
+  let git: IGitCommandManager
-  const git = await gitCommandManager.CreateCommandManager(
+  try {
-    repositoryPath,
+    git = await gitCommandManager.CreateCommandManager(repositoryPath, false)
-    false
+  } catch {
-  )
+    return
+  }
+
+  // Remove extraheader
   await removeGitConfig(git, authConfigKey)
 }
 
+async function getGitCommandManager(
+  settings: ISourceSettings
+): Promise<IGitCommandManager> {
+  core.info(`Working directory is '${settings.repositoryPath}'`)
+  let git = (null as unknown) as IGitCommandManager
+  try {
+    return await gitCommandManager.CreateCommandManager(
+      settings.repositoryPath,
+      settings.lfs
+    )
+  } catch (err) {
+    // Git is required for LFS
+    if (settings.lfs) {
+      throw err
+    }
+
+    // Otherwise fallback to REST API
+    return (null as unknown) as IGitCommandManager
+  }
+}
+
 async function prepareExistingDirectory(
   git: IGitCommandManager,
   repositoryPath: string,
@@ -250,6 +261,40 @@ async function prepareExistingDirectory(
   }
 }
 
+async function configureAuthToken(
+  git: IGitCommandManager,
+  authToken: string
+): Promise<void> {
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
+    `x-access-token:${authToken}`,
+    'utf8'
+  ).toString('base64')
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
+}
+
 async function removeGitConfig(
   git: IGitCommandManager,
   configKey: string
@@ -259,21 +304,6 @@ async function removeGitConfig(
     !(await git.tryConfigUnset(configKey))
   ) {
     // Load the config contents
-    core.warning(
+    core.warning(`Failed to remove '${configKey}' from the git config`)
-      `Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
-    )
-    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
-    fsHelper.fileExistsSync(configPath)
-    let contents = fs.readFileSync(configPath).toString() || ''
-
-    // Filter - only includes lines that do not contain the config key
-    const upperConfigKey = configKey.toUpperCase()
-    const split = contents
-      .split('\n')
-      .filter(x => !x.toUpperCase().includes(upperConfigKey))
-    contents = split.join('\n')
-
-    // Rewrite the config file
-    fs.writeFileSync(configPath, contents)
   }
 }

src/github-api-helper.ts

@@ -1,173 +1,92 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
-import * as exec from '@actions/exec'
 import * as fs from 'fs'
 import * as github from '@actions/github'
-import * as https from 'https'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as refHelper from './ref-helper'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
-import {ExecOptions} from '@actions/exec/lib/interfaces'
+import {default as uuid} from 'uuid/v4'
-import {IncomingMessage} from 'http'
 import {ReposGetArchiveLinkParams} from '@octokit/rest'
-import {RequestOptions} from 'https'
-import {WriteStream} from 'fs'
 
 const IS_WINDOWS = process.platform === 'win32'
 
 export async function downloadRepository(
-  accessToken: string,
+  authToken: string,
   owner: string,
   repo: string,
   ref: string,
   commit: string,
   repositoryPath: string
 ): Promise<void> {
-  // Determine archive path
+  // Download the archive
-  const runnerTemp = process.env['RUNNER_TEMP'] as string
+  let archiveData = await retryHelper.execute(async () => {
-  assert.ok(runnerTemp, 'RUNNER_TEMP not defined')
+    core.info('Downloading the archive')
-  const archivePath = path.join(runnerTemp, 'checkout.tar.gz')
+    return await downloadArchive(authToken, owner, repo, ref, commit)
-  // await fs.promises.writeFile(archivePath, raw)
-
-  // Get the archive URL using the REST API
-  await retryHelper.execute(async () => {
-    // Prepare the archive stream
-    core.debug(`Preparing the archive stream: ${archivePath}`)
-    await io.rmRF(archivePath)
-    const fileStream = fs.createWriteStream(archivePath)
-    const fileStreamClosed = getFileClosedPromise(fileStream)
-
-    try {
-      // Get the archive URL using the GitHub REST API
-      core.info('Getting archive URL from GitHub REST API')
-      const octokit = new github.GitHub(accessToken)
-      const params: RequestOptions & ReposGetArchiveLinkParams = {
-        method: 'HEAD',
-        archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
-        owner: owner,
-        repo: repo,
-        ref: refHelper.getDownloadRef(ref, commit)
-      }
-      const response = await octokit.repos.getArchiveLink(params)
-      console.log('GOT THE RESPONSE')
-      if (response.status != 302) {
-        throw new Error(
-          `Unexpected response from GitHub API. Status: '${response.status}'`
-        )
-      }
-      console.log('GETTING THE LOCATION')
-      const archiveUrl = response.headers['Location'] // Do not print the archive URL because it has an embedded token
-      assert.ok(
-        archiveUrl,
-        `Expected GitHub API response to contain 'Location' header`
-      )
-
-      // Download the archive
-      core.info('Downloading the archive') // Do not print the archive URL because it has an embedded token
-      await downloadFile(archiveUrl, fileStream)
-    } finally {
-      await fileStreamClosed
-    }
-
-    // return Buffer.from(response.data) // response.data is ArrayBuffer
   })
 
-  // // Download the archive
+  // Write archive to disk
-  // core.info('Downloading the archive') // Do not print the URL since it contains a token to download the archive
+  core.info('Writing archive to disk')
-  // await downloadFile(archiveUrl, archivePath)
+  const uniqueId = uuid()
-
+  const archivePath = path.join(repositoryPath, `${uniqueId}.tar.gz`)
-  // // console.log(`status=${response.status}`)
+  await fs.promises.writeFile(archivePath, archiveData)
-  // // console.log(`headers=${JSON.stringify(response.headers)}`)
+  archiveData = Buffer.from('') // Free memory
-  // // console.log(`data=${response.data}`)
-  // // console.log(`data=${JSON.stringify(response.data)}`)
-  // // for (const key of Object.keys(response.data)) {
-  // //   console.log(`data['${key}']=${response.data[key]}`)
-  // // }
-
-  // // Write archive to file
-  // const runnerTemp = process.env['RUNNER_TEMP'] as string
-  // assert.ok(runnerTemp, 'RUNNER_TEMP not defined')
-  // const archivePath = path.join(runnerTemp, 'checkout.tar.gz')
-  // await io.rmRF(archivePath)
-  // await fs.promises.writeFile(archivePath, raw)
-  // // await exec.exec(`ls -la "${archiveFile}"`, [], {
-  // //   cwd: repositoryPath
-  // // } as ExecOptions)
 
   // Extract archive
-  const extractPath = path.join(
+  core.info('Extracting the archive')
-    runnerTemp,
+  const extractPath = path.join(repositoryPath, uniqueId)
-    `checkout-archive${IS_WINDOWS ? '.zip' : '.tar.gz'}`
-  )
-  await io.rmRF(extractPath)
   await io.mkdirP(extractPath)
   if (IS_WINDOWS) {
     await toolCache.extractZip(archivePath, extractPath)
   } else {
     await toolCache.extractTar(archivePath, extractPath)
   }
-  // await exec.exec(`tar -xzf "${archiveFile}"`, [], {
+  io.rmRF(archivePath)
-  //   cwd: extractPath
-  // } as ExecOptions)
 
-  // Determine the real directory to copy (ignore extra dir at root of the archive)
+  // Determine the path of the repository content. The archive contains
+  // a top-level folder and the repository content is inside.
   const archiveFileNames = await fs.promises.readdir(extractPath)
   assert.ok(
     archiveFileNames.length == 1,
     'Expected exactly one directory inside archive'
   )
-  const extraDirectoryName = archiveFileNames[0]
+  const archiveVersion = archiveFileNames[0] // The top-level folder name includes the short SHA
-  core.info(`Resolved ${extraDirectoryName}`) // contains the short SHA
+  core.info(`Resolved version ${archiveVersion}`)
-  const tempRepositoryPath = path.join(extractPath, extraDirectoryName)
+  const tempRepositoryPath = path.join(extractPath, archiveVersion)
 
   // Move the files
   for (const fileName of await fs.promises.readdir(tempRepositoryPath)) {
     const sourcePath = path.join(tempRepositoryPath, fileName)
     const targetPath = path.join(repositoryPath, fileName)
-    await io.mv(sourcePath, targetPath)
+    if (IS_WINDOWS) {
+      await io.cp(sourcePath, targetPath, {recursive: true}) // Copy on Windows (Windows Defender may have a lock)
+    } else {
+      await io.mv(sourcePath, targetPath)
+    }
+  }
+  io.rmRF(extractPath)
+}
+
+async function downloadArchive(
+  authToken: string,
+  owner: string,
+  repo: string,
+  ref: string,
+  commit: string
+): Promise<Buffer> {
+  const octokit = new github.GitHub(authToken)
+  const params: ReposGetArchiveLinkParams = {
+    owner: owner,
+    repo: repo,
+    archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
+    ref: commit || ref
+  }
+  const response = await octokit.repos.getArchiveLink(params)
+  if (response.status != 200) {
+    throw new Error(
+      `Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
+    )
   }
 
-  await exec.exec(`find .`, [], {
+  return Buffer.from(response.data) // response.data is ArrayBuffer
-    cwd: repositoryPath
-  } as ExecOptions)
-}
-
-function downloadFile(url: string, fileStream: WriteStream): Promise<void> {
-  return new Promise((resolve, reject) => {
-    try {
-      https.get(url, (response: IncomingMessage) => {
-        if (response.statusCode != 200) {
-          reject(`Request failed with status '${response.statusCode}'`)
-          response.resume() // Consume response data to free up memory
-          return
-        }
-
-        response.on('data', chunk => {
-          fileStream.write(chunk)
-        })
-        response.on('end', () => {
-          resolve()
-        })
-        response.on('error', err => {
-          reject(err)
-        })
-        // response.pipe(fileStream)
-      })
-    } catch (err) {
-      reject(err)
-    }
-  })
-}
-
-function getFileClosedPromise(stream: WriteStream): Promise<void> {
-  return new Promise((resolve, reject) => {
-    stream.on('error', err => {
-      reject(err)
-    })
-    stream.on('finish', () => {
-      resolve()
-    })
-  })
 }

src/input-helper.ts

@@ -61,6 +61,12 @@ export function getInputs(): ISourceSettings {
     if (isWorkflowRepository) {
       result.ref = github.context.ref
       result.commit = github.context.sha
+
+      // Some events have an unqualifed ref. For example when a PR is merged (pull_request closed event),
+      // the ref is unqualifed like "master" instead of "refs/heads/master".
+      if (result.commit && result.ref && !result.ref.startsWith('refs/')) {
+        result.ref = `refs/heads/${result.ref}`
+      }
     }
 
     if (!result.ref && !result.commit) {
@@ -97,8 +103,12 @@ export function getInputs(): ISourceSettings {
   result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
   core.debug(`lfs = ${result.lfs}`)
 
-  // Access token
+  // Auth token
-  result.accessToken = core.getInput('token')
+  result.authToken = core.getInput('token')
+
+  // Persist credentials
+  result.persistCredentials =
+    (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
   return result
 }

src/main.ts

@@ -3,8 +3,7 @@ import * as coreCommand from '@actions/core/lib/command'
 import * as gitSourceProvider from './git-source-provider'
 import * as inputHelper from './input-helper'
 import * as path from 'path'
-
+import * as stateHelper from './state-helper'
-const cleanupRepositoryPath = process.env['STATE_repositoryPath'] as string
 
 async function run(): Promise<void> {
   try {
@@ -31,14 +30,14 @@ async function run(): Promise<void> {
 
 async function cleanup(): Promise<void> {
   try {
-    await gitSourceProvider.cleanup(cleanupRepositoryPath)
+    await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
   } catch (error) {
     core.warning(error.message)
   }
 }
 
 // Main
-if (!cleanupRepositoryPath) {
+if (!stateHelper.IsPost) {
   run()
 }
 // Post

src/misc/generate-docs.ts

@@ -65,9 +65,14 @@ function updateUsage(
       let segment: string = description
       if (description.length > width) {
         segment = description.substr(0, width + 1)
-        while (!segment.endsWith(' ')) {
+        while (!segment.endsWith(' ') && segment) {
           segment = segment.substr(0, segment.length - 1)
         }
+
+        // Trimmed too much?
+        if (segment.length < width * 0.67) {
+          segment = description
+        }
       } else {
         segment = description
       }
@@ -96,7 +101,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2-beta',
+  'actions/checkout@v2',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/ref-helper.ts

@@ -5,15 +5,6 @@ export interface ICheckoutInfo {
   startPoint: string
 }
 
-export function getDownloadRef(ref: string, commit: string): string {
-  if (commit) {
-    return commit
-  }
-
-  // todo fix this to work with refs/pull etc
-  return ref
-}
-
 export async function getCheckoutInfo(
   git: IGitCommandManager,
   ref: string,

src/retry-helper.ts

@@ -1,36 +1,61 @@
 import * as core from '@actions/core'
 
-const maxAttempts = 3
+const defaultMaxAttempts = 3
-const minSeconds = 10
+const defaultMinSeconds = 10
-const maxSeconds = 20
+const defaultMaxSeconds = 20
 
-export async function execute<T>(action: () => Promise<T>): Promise<T> {
+export class RetryHelper {
-  let attempt = 1
+  private maxAttempts: number
-  while (attempt < maxAttempts) {
+  private minSeconds: number
-    // Try
+  private maxSeconds: number
-    try {
+
-      return await action()
+  constructor(
-    } catch (err) {
+    maxAttempts: number = defaultMaxAttempts,
-      core.info(err.message)
+    minSeconds: number = defaultMinSeconds,
+    maxSeconds: number = defaultMaxSeconds
+  ) {
+    this.maxAttempts = maxAttempts
+    this.minSeconds = Math.floor(minSeconds)
+    this.maxSeconds = Math.floor(maxSeconds)
+    if (this.minSeconds > this.maxSeconds) {
+      throw new Error('min seconds should be less than or equal to max seconds')
     }
-
-    // Sleep
-    const seconds = getRandomIntInclusive(minSeconds, maxSeconds)
-    core.info(`Waiting ${seconds} before trying again`)
-    await sleep(seconds * 1000)
-    attempt++
   }
 
-  // Last attempt
+  async execute<T>(action: () => Promise<T>): Promise<T> {
-  return await action()
+    let attempt = 1
+    while (attempt < this.maxAttempts) {
+      // Try
+      try {
+        return await action()
+      } catch (err) {
+        core.info(err.message)
+      }
+
+      // Sleep
+      const seconds = this.getSleepAmount()
+      core.info(`Waiting ${seconds} seconds before trying again`)
+      await this.sleep(seconds)
+      attempt++
+    }
+
+    // Last attempt
+    return await action()
+  }
+
+  private getSleepAmount(): number {
+    return (
+      Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) +
+      this.minSeconds
+    )
+  }
+
+  private async sleep(seconds: number): Promise<void> {
+    return new Promise(resolve => setTimeout(resolve, seconds * 1000))
+  }
 }
 
-function getRandomIntInclusive(minimum: number, maximum: number): number {
+export async function execute<T>(action: () => Promise<T>): Promise<T> {
-  minimum = Math.floor(minimum)
+  const retryHelper = new RetryHelper()
-  maximum = Math.floor(maximum)
+  return await retryHelper.execute(action)
-  return Math.floor(Math.random() * (maximum - minimum + 1)) + minimum
-}
-
-async function sleep(milliseconds): Promise<void> {
-  return new Promise(resolve => setTimeout(resolve, milliseconds))
 }

src/state-helper.ts

@@ -0,0 +1,30 @@
+import * as core from '@actions/core'
+import * as coreCommand from '@actions/core/lib/command'
+
+/**
+ * Indicates whether the POST action is running
+ */
+export const IsPost = !!process.env['STATE_isPost']
+
+/**
+ * The repository path for the POST action. The value is empty during the MAIN action.
+ */
+export const RepositoryPath =
+  (process.env['STATE_repositoryPath'] as string) || ''
+
+/**
+ * Save the repository path so the POST action can retrieve the value.
+ */
+export function setRepositoryPath(repositoryPath: string) {
+  coreCommand.issueCommand(
+    'save-state',
+    {name: 'repositoryPath'},
+    repositoryPath
+  )
+}
+
+// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
+// This is necessary since we don't have a separate entry point.
+if (!IsPost) {
+  coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
+}