mirror of
https://github.com/actions/checkout.git
synced 2026-07-17 09:25:50 +00:00
Compare commits
1 Commits
releases/v
...
copilot/ba
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9892aae41f |
@@ -12,24 +12,15 @@ const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
|
|||||||
// Inputs for mock @actions/core
|
// Inputs for mock @actions/core
|
||||||
let inputs = {} as any
|
let inputs = {} as any
|
||||||
|
|
||||||
// Replicate @actions/core getInput behavior: it trims whitespace by default
|
|
||||||
// (String.prototype.trim(), which strips characters such as a leading U+FEFF BOM)
|
|
||||||
// unless trimWhitespace is explicitly set to false.
|
|
||||||
const getInputImpl = (name: string, options?: {trimWhitespace?: boolean}) => {
|
|
||||||
const val = inputs[name] ?? ''
|
|
||||||
if (options && options.trimWhitespace === false) {
|
|
||||||
return val
|
|
||||||
}
|
|
||||||
return typeof val === 'string' ? val.trim() : val
|
|
||||||
}
|
|
||||||
|
|
||||||
// Shallow clone original @actions/github context
|
// Shallow clone original @actions/github context
|
||||||
let originalContext = {...github.context}
|
let originalContext = {...github.context}
|
||||||
|
|
||||||
describe('input-helper tests', () => {
|
describe('input-helper tests', () => {
|
||||||
beforeAll(() => {
|
beforeAll(() => {
|
||||||
// Mock getInput
|
// Mock getInput
|
||||||
jest.spyOn(core, 'getInput').mockImplementation(getInputImpl as any)
|
jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
|
||||||
|
return inputs[name]
|
||||||
|
})
|
||||||
|
|
||||||
// Mock error/warning/info/debug
|
// Mock error/warning/info/debug
|
||||||
jest.spyOn(core, 'error').mockImplementation(jest.fn())
|
jest.spyOn(core, 'error').mockImplementation(jest.fn())
|
||||||
@@ -148,26 +139,6 @@ describe('input-helper tests', () => {
|
|||||||
expect(settings.commit).toBeFalsy()
|
expect(settings.commit).toBeFalsy()
|
||||||
})
|
})
|
||||||
|
|
||||||
it('does not reclassify a ref as sha when a BOM is prefixed', async () => {
|
|
||||||
// A fork branch named "<U+FEFF>" + 40 hex chars. core.getInput trims the
|
|
||||||
// BOM by default, which previously collapsed this into a bare SHA and
|
|
||||||
// bypassed the unsafe fork PR checkout guard.
|
|
||||||
inputs.ref = '\uFEFF522d932fae5296da51fdf431934425ecf891c6a2'
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.commit).toBeFalsy()
|
|
||||||
expect(settings.ref).toBe('522d932fae5296da51fdf431934425ecf891c6a2')
|
|
||||||
})
|
|
||||||
|
|
||||||
it('treats a sha surrounded by ascii whitespace as a commit', async () => {
|
|
||||||
// ASCII whitespace can only come from the workflow author's YAML (git ref
|
|
||||||
// names cannot contain it), so trimming it and treating the value as a
|
|
||||||
// commit is safe.
|
|
||||||
inputs.ref = ' 1111111111222222222233333333334444444444 '
|
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
|
||||||
expect(settings.ref).toBeFalsy()
|
|
||||||
expect(settings.commit).toBe('1111111111222222222233333333334444444444')
|
|
||||||
})
|
|
||||||
|
|
||||||
it('sets workflow organization ID', async () => {
|
it('sets workflow organization ID', async () => {
|
||||||
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
const settings: IGitSourceSettings = await inputHelper.getInputs()
|
||||||
expect(settings.workflowOrganizationId).toBe(123456)
|
expect(settings.workflowOrganizationId).toBe(123456)
|
||||||
@@ -188,7 +159,6 @@ describe('input-helper tests', () => {
|
|||||||
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
it('allows the default self-checkout on a fork pull_request_target', async () => {
|
||||||
const originalEvent = github.context.eventName
|
const originalEvent = github.context.eventName
|
||||||
const originalPayload = github.context.payload
|
const originalPayload = github.context.payload
|
||||||
const originalSha = github.context.sha
|
|
||||||
try {
|
try {
|
||||||
github.context.eventName = 'pull_request_target'
|
github.context.eventName = 'pull_request_target'
|
||||||
github.context.payload = forkPayload as any
|
github.context.payload = forkPayload as any
|
||||||
@@ -200,7 +170,6 @@ describe('input-helper tests', () => {
|
|||||||
} finally {
|
} finally {
|
||||||
github.context.eventName = originalEvent
|
github.context.eventName = originalEvent
|
||||||
github.context.payload = originalPayload
|
github.context.payload = originalPayload
|
||||||
github.context.sha = originalSha
|
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|||||||
21
dist/index.js
vendored
21
dist/index.js
vendored
@@ -1700,23 +1700,6 @@ function getInputs() {
|
|||||||
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
|
`${github.context.repo.owner}/${github.context.repo.repo}`.toUpperCase();
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref');
|
result.ref = core.getInput('ref');
|
||||||
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
|
||||||
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
|
||||||
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
|
||||||
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
|
||||||
// guard.
|
|
||||||
//
|
|
||||||
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
|
||||||
// in a git branch name.
|
|
||||||
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
|
||||||
// \n U+000A line feed - ASCII control, forbidden in ref names
|
|
||||||
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
|
||||||
// \f U+000C form feed - ASCII control, forbidden in ref names
|
|
||||||
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
|
||||||
// ' ' U+0020 space - forbidden in ref names
|
|
||||||
const asciiTrimmedRef = core
|
|
||||||
.getInput('ref', { trimWhitespace: false })
|
|
||||||
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '');
|
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref;
|
result.ref = github.context.ref;
|
||||||
@@ -1729,8 +1712,8 @@ function getInputs() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) {
|
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
||||||
result.commit = asciiTrimmedRef;
|
result.commit = result.ref;
|
||||||
result.ref = '';
|
result.ref = '';
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`);
|
core.debug(`ref = '${result.ref}'`);
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ import * as workflowContextHelper from './workflow-context-helper'
|
|||||||
import {IGitSourceSettings} from './git-source-settings'
|
import {IGitSourceSettings} from './git-source-settings'
|
||||||
|
|
||||||
export async function getInputs(): Promise<IGitSourceSettings> {
|
export async function getInputs(): Promise<IGitSourceSettings> {
|
||||||
const result = ({} as unknown) as IGitSourceSettings
|
const result = {} as unknown as IGitSourceSettings
|
||||||
|
|
||||||
// GitHub workspace
|
// GitHub workspace
|
||||||
let githubWorkspacePath = process.env['GITHUB_WORKSPACE']
|
let githubWorkspacePath = process.env['GITHUB_WORKSPACE']
|
||||||
@@ -59,23 +59,6 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
|
|
||||||
// Source branch, source version
|
// Source branch, source version
|
||||||
result.ref = core.getInput('ref')
|
result.ref = core.getInput('ref')
|
||||||
// core.getInput()'s default trim strips a range of Unicode characters such as a
|
|
||||||
// leading BOM (U+FEFF) or NBSP (U+00A0). Those are valid in a git ref name, so
|
|
||||||
// a fork branch named "<BOM>" + 40 hex chars would trim down to a bare SHA and
|
|
||||||
// be silently reclassified as a commit, bypassing the unsafe fork PR checkout
|
|
||||||
// guard.
|
|
||||||
//
|
|
||||||
// The trim below strips only the ASCII whitespace characters which are all forbidden
|
|
||||||
// in a git branch name.
|
|
||||||
// \t U+0009 horizontal tab - ASCII control, forbidden in ref names
|
|
||||||
// \n U+000A line feed - ASCII control, forbidden in ref names
|
|
||||||
// \v U+000B vertical tab - ASCII control, forbidden in ref names
|
|
||||||
// \f U+000C form feed - ASCII control, forbidden in ref names
|
|
||||||
// \r U+000D carriage return - ASCII control, forbidden in ref names
|
|
||||||
// ' ' U+0020 space - forbidden in ref names
|
|
||||||
const asciiTrimmedRef = core
|
|
||||||
.getInput('ref', {trimWhitespace: false})
|
|
||||||
.replace(/^[\t\n\v\f\r ]+|[\t\n\v\f\r ]+$/g, '')
|
|
||||||
if (!result.ref) {
|
if (!result.ref) {
|
||||||
if (isWorkflowRepository) {
|
if (isWorkflowRepository) {
|
||||||
result.ref = github.context.ref
|
result.ref = github.context.ref
|
||||||
@@ -89,8 +72,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// SHA?
|
// SHA?
|
||||||
else if (asciiTrimmedRef.match(/^[0-9a-fA-F]{40}$/)) {
|
else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
|
||||||
result.commit = asciiTrimmedRef
|
result.commit = result.ref
|
||||||
result.ref = ''
|
result.ref = ''
|
||||||
}
|
}
|
||||||
core.debug(`ref = '${result.ref}'`)
|
core.debug(`ref = '${result.ref}'`)
|
||||||
@@ -154,7 +137,8 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
|||||||
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
|
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
|
||||||
|
|
||||||
// Workflow organization ID
|
// Workflow organization ID
|
||||||
result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
|
result.workflowOrganizationId =
|
||||||
|
await workflowContextHelper.getOrganizationId()
|
||||||
|
|
||||||
// Set safe.directory in git global config.
|
// Set safe.directory in git global config.
|
||||||
result.setSafeDirectory =
|
result.setSafeDirectory =
|
||||||
|
|||||||
Reference in New Issue
Block a user