mirror of
https://github.com/actions/checkout.git
synced 2026-07-17 17:45:51 +00:00
Compare commits
3 Commits
copilot/ba
...
releases/v
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
11d5960a32 | ||
|
|
c915c33a16 | ||
|
|
34e114876b |
4
.github/workflows/check-dist.yml
vendored
4
.github/workflows/check-dist.yml
vendored
@@ -24,10 +24,10 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4.1.6
|
- uses: actions/checkout@v4.1.6
|
||||||
|
|
||||||
- name: Set Node.js 24.x
|
- name: Set Node.js 20.x
|
||||||
uses: actions/setup-node@v4
|
uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version: 24.x
|
node-version: 20.x
|
||||||
|
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: npm ci
|
run: npm ci
|
||||||
|
|||||||
2
.github/workflows/test.yml
vendored
2
.github/workflows/test.yml
vendored
@@ -18,7 +18,7 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/setup-node@v4
|
- uses: actions/setup-node@v4
|
||||||
with:
|
with:
|
||||||
node-version: 24.x
|
node-version: 20.x
|
||||||
- uses: actions/checkout@v4.1.6
|
- uses: actions/checkout@v4.1.6
|
||||||
- run: npm ci
|
- run: npm ci
|
||||||
- run: npm run build
|
- run: npm run build
|
||||||
|
|||||||
1
.github/workflows/update-main-version.yml
vendored
1
.github/workflows/update-main-version.yml
vendored
@@ -11,7 +11,6 @@ on:
|
|||||||
type: choice
|
type: choice
|
||||||
description: The major version to update
|
description: The major version to update
|
||||||
options:
|
options:
|
||||||
- v5
|
|
||||||
- v4
|
- v4
|
||||||
- v3
|
- v3
|
||||||
- v2
|
- v2
|
||||||
|
|||||||
@@ -1,9 +1,5 @@
|
|||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
## V5.0.0
|
|
||||||
* Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
|
|
||||||
|
|
||||||
|
|
||||||
## V4.3.0
|
## V4.3.0
|
||||||
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
|
* docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
|
||||||
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
|
* Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
|
||||||
|
|||||||
72
README.md
72
README.md
@@ -1,9 +1,5 @@
|
|||||||
[](https://github.com/actions/checkout/actions/workflows/test.yml)
|
[](https://github.com/actions/checkout/actions/workflows/test.yml)
|
||||||
|
|
||||||
# Checkout V5
|
|
||||||
|
|
||||||
Checkout v5 now supports Node.js 24
|
|
||||||
|
|
||||||
# Checkout V4
|
# Checkout V4
|
||||||
|
|
||||||
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
|
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
|
||||||
@@ -40,7 +36,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
|
|
||||||
<!-- start usage -->
|
<!-- start usage -->
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
# Repository name with owner. For example, actions/checkout
|
# Repository name with owner. For example, actions/checkout
|
||||||
# Default: ${{ github.repository }}
|
# Default: ${{ github.repository }}
|
||||||
@@ -162,32 +158,24 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
|
|
||||||
# Scenarios
|
# Scenarios
|
||||||
|
|
||||||
- [Checkout V5](#checkout-v5)
|
- [Fetch only the root files](#Fetch-only-the-root-files)
|
||||||
- [Checkout V4](#checkout-v4)
|
- [Fetch only the root files and `.github` and `src` folder](#Fetch-only-the-root-files-and-github-and-src-folder)
|
||||||
- [Note](#note)
|
- [Fetch only a single file](#Fetch-only-a-single-file)
|
||||||
- [What's new](#whats-new)
|
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
|
||||||
- [Usage](#usage)
|
- [Checkout a different branch](#Checkout-a-different-branch)
|
||||||
- [Scenarios](#scenarios)
|
- [Checkout HEAD^](#Checkout-HEAD)
|
||||||
- [Fetch only the root files](#fetch-only-the-root-files)
|
- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
|
||||||
- [Fetch only the root files and `.github` and `src` folder](#fetch-only-the-root-files-and-github-and-src-folder)
|
- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
|
||||||
- [Fetch only a single file](#fetch-only-a-single-file)
|
- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
|
||||||
- [Fetch all history for all tags and branches](#fetch-all-history-for-all-tags-and-branches)
|
- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
|
||||||
- [Checkout a different branch](#checkout-a-different-branch)
|
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
|
||||||
- [Checkout HEAD^](#checkout-head)
|
- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
|
||||||
- [Checkout multiple repos (side by side)](#checkout-multiple-repos-side-by-side)
|
- [Push a commit to a PR using the built-in token](#Push-a-commit-to-a-PR-using-the-built-in-token)
|
||||||
- [Checkout multiple repos (nested)](#checkout-multiple-repos-nested)
|
|
||||||
- [Checkout multiple repos (private)](#checkout-multiple-repos-private)
|
|
||||||
- [Checkout pull request HEAD commit instead of merge commit](#checkout-pull-request-head-commit-instead-of-merge-commit)
|
|
||||||
- [Checkout pull request on closed event](#checkout-pull-request-on-closed-event)
|
|
||||||
- [Push a commit using the built-in token](#push-a-commit-using-the-built-in-token)
|
|
||||||
- [Push a commit to a PR using the built-in token](#push-a-commit-to-a-pr-using-the-built-in-token)
|
|
||||||
- [Recommended permissions](#recommended-permissions)
|
|
||||||
- [License](#license)
|
|
||||||
|
|
||||||
## Fetch only the root files
|
## Fetch only the root files
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
sparse-checkout: .
|
sparse-checkout: .
|
||||||
```
|
```
|
||||||
@@ -195,7 +183,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Fetch only the root files and `.github` and `src` folder
|
## Fetch only the root files and `.github` and `src` folder
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
sparse-checkout: |
|
sparse-checkout: |
|
||||||
.github
|
.github
|
||||||
@@ -205,7 +193,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Fetch only a single file
|
## Fetch only a single file
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
sparse-checkout: |
|
sparse-checkout: |
|
||||||
README.md
|
README.md
|
||||||
@@ -215,7 +203,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Fetch all history for all tags and branches
|
## Fetch all history for all tags and branches
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
```
|
```
|
||||||
@@ -223,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Checkout a different branch
|
## Checkout a different branch
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
ref: my-branch
|
ref: my-branch
|
||||||
```
|
```
|
||||||
@@ -231,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Checkout HEAD^
|
## Checkout HEAD^
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
- run: git checkout HEAD^
|
- run: git checkout HEAD^
|
||||||
@@ -241,12 +229,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: main
|
path: main
|
||||||
|
|
||||||
- name: Checkout tools repo
|
- name: Checkout tools repo
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: my-org/my-tools
|
repository: my-org/my-tools
|
||||||
path: my-tools
|
path: my-tools
|
||||||
@@ -257,10 +245,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Checkout tools repo
|
- name: Checkout tools repo
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: my-org/my-tools
|
repository: my-org/my-tools
|
||||||
path: my-tools
|
path: my-tools
|
||||||
@@ -271,12 +259,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: main
|
path: main
|
||||||
|
|
||||||
- name: Checkout private tools
|
- name: Checkout private tools
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: my-org/my-private-tools
|
repository: my-org/my-private-tools
|
||||||
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
|
token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
|
||||||
@@ -289,7 +277,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
|
|||||||
## Checkout pull request HEAD commit instead of merge commit
|
## Checkout pull request HEAD commit instead of merge commit
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
ref: ${{ github.event.pull_request.head.sha }}
|
ref: ${{ github.event.pull_request.head.sha }}
|
||||||
```
|
```
|
||||||
@@ -305,7 +293,7 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
```
|
```
|
||||||
|
|
||||||
## Push a commit using the built-in token
|
## Push a commit using the built-in token
|
||||||
@@ -316,7 +304,7 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
date > generated.txt
|
date > generated.txt
|
||||||
# Note: the following account information will not work on GHES
|
# Note: the following account information will not work on GHES
|
||||||
@@ -338,7 +326,7 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
ref: ${{ github.head_ref }}
|
ref: ${{ github.head_ref }}
|
||||||
- run: |
|
- run: |
|
||||||
|
|||||||
@@ -12,15 +12,24 @@ const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
|
|||||||
// Inputs for mock @actions/core
|
// Inputs for mock @actions/core
|
||||||
let inputs = {} as any
|
let inputs = {} as any
|
||||||
|
|
||||||
|
// Replicate @actions/core getInput behavior: it trims whitespace by default
|
||||||
|
// (String.prototype.trim(), which strips characters such as a leading U+FEFF BOM)
|
||||||
|
// unless trimWhitespace is explicitly set to false.
|
||||||
|
const getInputImpl = (name: string, options?: {trimWhitespace?: boolean}) => {
|
||||||
|
const val = inputs[name] ?? ''
|
||||||
|
if (options && options.trimWhitespace === false) {
|
||||||
|
return val
|
||||||
|
}
|
||||||
|
return typeof val === 'string' ? val.trim() : val
|
||||||
|
}
|
||||||
|
|
||||||
// Shallow clone original @actions/github context
|
// Shallow clone original @actions/github context
|
||||||
let originalContext = {...github.context}
|
let originalContext = {...github.context}
|
||||||
|
|
||||||
describe('input-helper tests', () => {
|
describe('input-helper tests', () => {
|
||||||
beforeAll(() => {
|
beforeAll(() => {
|
||||||
// Mock getInput
|
// Mock getInput
|
||||||
jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
|
jest.spyOn(core, 'getInput').mockImplementation(getInputImpl as any)
|
||||||
return inputs[name]
|
|
||||||
})
|
|
||||||
|
|
||||||
// Mock error/warning/info/debug
|
// Mock error/warning/info/debug
|
||||||
jest.spyOn(core, 'error').mockImplementation(jest.fn())
|
jest.spyOn(core, 'error').mockImplementation(jest.fn())
|
||||||
@@ -141,6 +150,26 @@ describe('input-helper tests', () => {
|
|||||||
expect(settings.commit).toBeFalsy()
|
expect(settings.commit).toBeFalsy()
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it('does not reclassify a ref as sha when a BOM is prefixed', async () => {
|
||||||
|
// A fork branch named "<U+FEFF>" + 40 hex chars. core.getInput trims the
|
||||||
|
// BOM by default, which previously collapsed this into a bare SHA and
|
||||||
|
// bypassed the unsafe fork PR checkout guard.
|
||||||
|
inputs.ref = '\uFEFF522d932fae5296da51fdf431934425ecf891c6a2'
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.commit).toBeFalsy()
|
||||||
|
expect(settings.ref).toBe('522d932fae5296da51fdf431934425ecf891c6a2')
|
||||||
|
})
|
||||||
|
|
||||||
|
it('treats a sha surrounded by ascii whitespace as a commit', async () => {
|
||||||
|
// ASCII whitespace can only come from the workflow author's YAML (git ref
|
||||||
|
// names cannot contain it), so trimming it and treating the value as a
|
||||||
|
// commit is safe.
|
||||||
|
inputs.ref = ' 1111111111222222222233333333334444444444 '
|
||||||
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
|
expect(settings.ref).toBeFalsy()
|
||||||
|
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
|
||||||
|
})
|
||||||
|
|
||||||
it('sets workflow organization ID', async () => {
|
it('sets workflow organization ID', async () => {
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
expect(settings.workflowOrganizationId).toBe(123456)
|
expect(settings.workflowOrganizationId).toBe(123456)
|
||||||
@@ -161,6 +190,7 @@ describe('input-helper tests', () => {
|
|||||||
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
||||||
const originalEvent = github.context.eventName
|
const originalEvent = github.context.eventName
|
||||||
const originalPayload = github.context.payload
|
const originalPayload = github.context.payload
|
||||||
|
const originalSha = github.context.sha
|
||||||
try {
|
try {
|
||||||
github.context.eventName = 'pull_request_target'
|
github.context.eventName = 'pull_request_target'
|
||||||
github.context.payload = forkPayload as any
|
github.context.payload = forkPayload as any
|
||||||
@@ -172,6 +202,7 @@ describe('input-helper tests', () => {
|
|||||||
} finally {
|
} finally {
|
||||||
github.context.eventName = originalEvent
|
github.context.eventName = originalEvent
|
||||||
github.context.payload = originalPayload
|
github.context.payload = originalPayload
|
||||||
|
github.context.sha = originalSha
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|||||||
@@ -113,6 +113,6 @@ outputs:
|
|||||||
commit:
|
commit:
|
||||||
description: 'The commit SHA that was checked out'
|
description: 'The commit SHA that was checked out'
|
||||||
runs:
|
runs:
|
||||||
using: node24
|
using: node20
|
||||||
main: dist/index.js
|
main: dist/index.js
|
||||||
post: dist/index.js
|
post: dist/index.js
|
||||||
|
|||||||
21
dist/index.js
vendored
21
dist/index.js
vendored
@@ -1895,6 +1895,23 @@ function getInputs() {
|
|||||||
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
|
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref');
|
result.ref = core.getInput('ref');
|
||||||
|
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
||||||
|
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
||||||
|
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
||||||
|
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
||||||
|
// guard.
|
||||||
|
//
|
||||||
|
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
||||||
|
// in a git branch name.
|
||||||
|
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
||||||
|
// \n U+000A line feed - ASCII control, forbidden in ref names
|
||||||
|
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
||||||
|
// \f U+000C form feed - ASCII control, forbidden in ref names
|
||||||
|
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
||||||
|
// ' ' U+0020 space - forbidden in ref names
|
||||||
|
const asciiTrimmedRef = core
|
||||||
|
.getInput('ref', { trimWhitespace: false })
|
||||||
|
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '');
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref;
|
result.ref = github.context.ref;
|
||||||
@@ -1907,8 +1924,8 @@ function getInputs() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) {
|
||||||
result.commit = result.ref;
|
result.commit = asciiTrimmedRef;
|
||||||
result.ref = '';
|
result.ref = '';
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`);
|
core.debug(`ref = '${result.ref}'`);
|
||||||
|
|||||||
20
package-lock.json
generated
20
package-lock.json
generated
@@ -1,12 +1,12 @@
|
|||||||
{
|
{
|
||||||
"name": "checkout",
|
"name": "checkout",
|
||||||
"version": "5.0.0",
|
"version": "4.3.0",
|
||||||
"lockfileVersion": 3,
|
"lockfileVersion": 3,
|
||||||
"requires": true,
|
"requires": true,
|
||||||
"packages": {
|
"packages": {
|
||||||
"": {
|
"": {
|
||||||
"name": "checkout",
|
"name": "checkout",
|
||||||
"version": "5.0.0",
|
"version": "4.3.0",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@actions/core": "^1.10.1",
|
"@actions/core": "^1.10.1",
|
||||||
@@ -18,7 +18,7 @@
|
|||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@types/jest": "^29.5.12",
|
"@types/jest": "^29.5.12",
|
||||||
"@types/node": "^24.1.0",
|
"@types/node": "^20.12.12",
|
||||||
"@types/uuid": "^9.0.8",
|
"@types/uuid": "^9.0.8",
|
||||||
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
||||||
"@typescript-eslint/parser": "^7.9.0",
|
"@typescript-eslint/parser": "^7.9.0",
|
||||||
@@ -1515,12 +1515,12 @@
|
|||||||
"dev": true
|
"dev": true
|
||||||
},
|
},
|
||||||
"node_modules/@types/node": {
|
"node_modules/@types/node": {
|
||||||
"version": "24.1.0",
|
"version": "20.12.12",
|
||||||
"resolved": "https://registry.npmjs.org/@types/node/-/node-24.1.0.tgz",
|
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.12.tgz",
|
||||||
"integrity": "sha512-ut5FthK5moxFKH2T1CUOC6ctR67rQRvvHdFLCD2Ql6KXmMuCrjsSsRI9UsLCm9M18BMwClv4pn327UvB7eeO1w==",
|
"integrity": "sha512-eWLDGF/FOSPtAvEqeRAQ4C8LSA7M1I7i0ky1I8U7kD1J5ITyW3AsRhQrKVoWf5pFKZ2kILsEGJhsI9r93PYnOw==",
|
||||||
"dev": true,
|
"dev": true,
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"undici-types": "~7.8.0"
|
"undici-types": "~5.26.4"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/@types/stack-utils": {
|
"node_modules/@types/stack-utils": {
|
||||||
@@ -6865,9 +6865,9 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"node_modules/undici-types": {
|
"node_modules/undici-types": {
|
||||||
"version": "7.8.0",
|
"version": "5.26.5",
|
||||||
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz",
|
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
|
||||||
"integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==",
|
"integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==",
|
||||||
"dev": true
|
"dev": true
|
||||||
},
|
},
|
||||||
"node_modules/universal-user-agent": {
|
"node_modules/universal-user-agent": {
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "checkout",
|
"name": "checkout",
|
||||||
"version": "5.0.0",
|
"version": "4.3.0",
|
||||||
"description": "checkout action",
|
"description": "checkout action",
|
||||||
"main": "lib/main.js",
|
"main": "lib/main.js",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
@@ -37,7 +37,7 @@
|
|||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@types/jest": "^29.5.12",
|
"@types/jest": "^29.5.12",
|
||||||
"@types/node": "^24.1.0",
|
"@types/node": "^20.12.12",
|
||||||
"@types/uuid": "^9.0.8",
|
"@types/uuid": "^9.0.8",
|
||||||
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
"@typescript-eslint/eslint-plugin": "^7.9.0",
|
||||||
"@typescript-eslint/parser": "^7.9.0",
|
"@typescript-eslint/parser": "^7.9.0",
|
||||||
|
|||||||
@@ -59,6 +59,23 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
|
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref')
|
result.ref = core.getInput('ref')
|
||||||
|
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
||||||
|
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
||||||
|
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
||||||
|
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
||||||
|
// guard.
|
||||||
|
//
|
||||||
|
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
||||||
|
// in a git branch name.
|
||||||
|
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
||||||
|
// \n U+000A line feed - ASCII control, forbidden in ref names
|
||||||
|
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
||||||
|
// \f U+000C form feed - ASCII control, forbidden in ref names
|
||||||
|
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
||||||
|
// ' ' U+0020 space - forbidden in ref names
|
||||||
|
const asciiTrimmedRef = core
|
||||||
|
.getInput('ref', {trimWhitespace: false})
|
||||||
|
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '')
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref
|
result.ref = github.context.ref
|
||||||
@@ -72,8 +89,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) {
|
||||||
result.commit = result.ref
|
result.commit = asciiTrimmedRef
|
||||||
result.ref = ''
|
result.ref = ''
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`)
|
core.debug(`ref = '${result.ref}'`)
|
||||||
|
|||||||
@@ -120,7 +120,7 @@ function updateUsage(
|
|||||||
}
|
}
|
||||||
|
|
||||||
updateUsage(
|
updateUsage(
|
||||||
'actions/checkout@v5',
|
'actions/checkout@v4',
|
||||||
path.join(__dirname, '..', '..', 'action.yml'),
|
path.join(__dirname, '..', '..', 'action.yml'),
|
||||||
path.join(__dirname, '..', '..', 'README.md')
|
path.join(__dirname, '..', '..', 'README.md')
|
||||||
)
|
)
|
||||||
|
|||||||
Reference in New Issue
Block a user