mirror of
https://github.com/actions/checkout
synced 2026-07-06 22:17:29 +00:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 8e14252a48 | |||
| 644b6f1c69 | |||
| 8f56c6c639 | |||
| f43a0e5ff2 | |||
| 7739b9ba2e | |||
| 96f53100ba | |||
| c85c95e3d7 | |||
| d106d4669b | |||
| f095bcc56b | |||
| 47fbe2df0a |
@@ -44,7 +44,7 @@ jobs:
|
||||
fi
|
||||
|
||||
# If dist/ was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v2
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
|
||||
@@ -72,6 +72,33 @@ jobs:
|
||||
shell: bash
|
||||
run: __test__/verify-side-by-side.sh
|
||||
|
||||
# Sparse checkout
|
||||
- name: Sparse checkout
|
||||
uses: ./
|
||||
with:
|
||||
sparse-checkout: |
|
||||
__test__
|
||||
.github
|
||||
dist
|
||||
path: sparse-checkout
|
||||
|
||||
- name: Verify sparse checkout
|
||||
run: __test__/verify-sparse-checkout.sh
|
||||
|
||||
# Sparse checkout (non-cone mode)
|
||||
- name: Sparse checkout (non-cone mode)
|
||||
uses: ./
|
||||
with:
|
||||
sparse-checkout: |
|
||||
/__test__/
|
||||
/.github/
|
||||
/dist/
|
||||
sparse-checkout-cone-mode: false
|
||||
path: sparse-checkout-non-cone-mode
|
||||
|
||||
- name: Verify sparse checkout (non-cone mode)
|
||||
run: __test__/verify-sparse-checkout-non-cone-mode.sh
|
||||
|
||||
# LFS
|
||||
- name: Checkout LFS
|
||||
uses: ./
|
||||
|
||||
@@ -1,5 +1,14 @@
|
||||
# Changelog
|
||||
|
||||
## v3.6.0
|
||||
- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://github.com/actions/checkout/pull/1377)
|
||||
- [Add option to fetch tags even if fetch-depth > 0](https://github.com/actions/checkout/pull/579)
|
||||
|
||||
## v3.5.3
|
||||
- [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://github.com/actions/checkout/pull/1196)
|
||||
- [Fix typos found by codespell](https://github.com/actions/checkout/pull/1287)
|
||||
- [Add support for sparse checkouts](https://github.com/actions/checkout/pull/1369)
|
||||
|
||||
## v3.5.2
|
||||
- [Fix api endpoint for GHES](https://github.com/actions/checkout/pull/1289)
|
||||
|
||||
|
||||
@@ -74,10 +74,23 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
|
||||
# Default: true
|
||||
clean: ''
|
||||
|
||||
# Do a sparse checkout on given patterns. Each pattern should be separated with
|
||||
# new lines
|
||||
# Default: null
|
||||
sparse-checkout: ''
|
||||
|
||||
# Specifies whether to use cone-mode when doing a sparse checkout.
|
||||
# Default: true
|
||||
sparse-checkout-cone-mode: ''
|
||||
|
||||
# Number of commits to fetch. 0 indicates all history for all branches and tags.
|
||||
# Default: 1
|
||||
fetch-depth: ''
|
||||
|
||||
# Whether to fetch tags, even if fetch-depth > 0.
|
||||
# Default: false
|
||||
fetch-tags: ''
|
||||
|
||||
# Whether to download Git-LFS files
|
||||
# Default: false
|
||||
lfs: ''
|
||||
@@ -101,11 +114,23 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
|
||||
# running from unless specified. Example URLs are https://github.com or
|
||||
# https://my-ghes-server.example.com
|
||||
github-server-url: ''
|
||||
|
||||
# Required to check out fork pull request code from a workflow triggered by
|
||||
# `pull_request_target` or `workflow_run`. These workflows run with the base
|
||||
# repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
|
||||
# access; fetching and executing a fork's code in that trusted context commonly
|
||||
# leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
|
||||
# risks at https://gh.io/securely-using-pull_request_target.
|
||||
# Default: false
|
||||
allow-unsafe-pr-checkout: ''
|
||||
```
|
||||
<!-- end usage -->
|
||||
|
||||
# Scenarios
|
||||
|
||||
- [Fetch only the root files](#Fetch-only-the-root-files)
|
||||
- [Fetch only the root files and `.github` and `src` folder](#Fetch-only-the-root-files-and-github-and-src-folder)
|
||||
- [Fetch only a single file](#Fetch-only-a-single-file)
|
||||
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
|
||||
- [Checkout a different branch](#Checkout-a-different-branch)
|
||||
- [Checkout HEAD^](#Checkout-HEAD)
|
||||
@@ -116,6 +141,34 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
|
||||
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
|
||||
- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
|
||||
|
||||
## Fetch only the root files
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
sparse-checkout: .
|
||||
```
|
||||
|
||||
## Fetch only the root files and `.github` and `src` folder
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
sparse-checkout: |
|
||||
.github
|
||||
src
|
||||
```
|
||||
|
||||
## Fetch only a single file
|
||||
|
||||
```yaml
|
||||
- uses: actions/checkout@v3
|
||||
with:
|
||||
sparse-checkout: |
|
||||
README.md
|
||||
sparse-checkout-cone-mode: false
|
||||
```
|
||||
|
||||
## Fetch all history for all tags and branches
|
||||
|
||||
```yaml
|
||||
|
||||
@@ -727,6 +727,8 @@ async function setup(testName: string): Promise<void> {
|
||||
branchDelete: jest.fn(),
|
||||
branchExists: jest.fn(),
|
||||
branchList: jest.fn(),
|
||||
sparseCheckout: jest.fn(),
|
||||
sparseCheckoutNonConeMode: jest.fn(),
|
||||
checkout: jest.fn(),
|
||||
checkoutDetach: jest.fn(),
|
||||
config: jest.fn(
|
||||
@@ -770,6 +772,9 @@ async function setup(testName: string): Promise<void> {
|
||||
return ''
|
||||
}),
|
||||
submoduleSync: jest.fn(),
|
||||
submoduleStatus: jest.fn(async () => {
|
||||
return true
|
||||
}),
|
||||
submoduleUpdate: jest.fn(),
|
||||
tagExists: jest.fn(),
|
||||
tryClean: jest.fn(),
|
||||
@@ -797,7 +802,10 @@ async function setup(testName: string): Promise<void> {
|
||||
authToken: 'some auth token',
|
||||
clean: true,
|
||||
commit: '',
|
||||
sparseCheckout: [],
|
||||
sparseCheckoutConeMode: true,
|
||||
fetchDepth: 1,
|
||||
fetchTags: false,
|
||||
lfs: false,
|
||||
submodules: false,
|
||||
nestedSubmodules: false,
|
||||
@@ -811,7 +819,8 @@ async function setup(testName: string): Promise<void> {
|
||||
sshStrict: true,
|
||||
workflowOrganizationId: 123456,
|
||||
setSafeDirectory: true,
|
||||
githubServerUrl: githubServerUrl
|
||||
githubServerUrl: githubServerUrl,
|
||||
allowUnsafePrCheckout: false
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -39,7 +39,12 @@ describe('git-auth-helper tests', () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
git = await commandManager.createCommandManager(workingDirectory, lfs)
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
let branches = await git.branchList(false)
|
||||
|
||||
@@ -70,7 +75,12 @@ describe('git-auth-helper tests', () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
git = await commandManager.createCommandManager(workingDirectory, lfs)
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
let branches = await git.branchList(false)
|
||||
|
||||
@@ -78,3 +88,179 @@ describe('git-auth-helper tests', () => {
|
||||
expect(branches.sort()).toEqual(['foo'].sort())
|
||||
})
|
||||
})
|
||||
|
||||
describe('Test fetchDepth and fetchTags options', () => {
|
||||
beforeEach(async () => {
|
||||
jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
|
||||
jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
|
||||
mockExec.mockImplementation((path, args, options) => {
|
||||
console.log(args, options.listeners.stdout)
|
||||
|
||||
if (args.includes('version')) {
|
||||
options.listeners.stdout(Buffer.from('2.18'))
|
||||
}
|
||||
|
||||
return 0
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 0,
|
||||
fetchTags: true
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--prune',
|
||||
'--progress',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 0,
|
||||
fetchTags: false
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--no-tags',
|
||||
'--prune',
|
||||
'--progress',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 1,
|
||||
fetchTags: false
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--no-tags',
|
||||
'--prune',
|
||||
'--progress',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'--depth=1',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
|
||||
it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
|
||||
jest.spyOn(exec, 'exec').mockImplementation(mockExec)
|
||||
|
||||
const workingDirectory = 'test'
|
||||
const lfs = false
|
||||
const doSparseCheckout = false
|
||||
git = await commandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
const refSpec = ['refspec1', 'refspec2']
|
||||
const options = {
|
||||
filter: 'filterValue',
|
||||
fetchDepth: 1,
|
||||
fetchTags: true
|
||||
}
|
||||
|
||||
await git.fetch(refSpec, options)
|
||||
|
||||
expect(mockExec).toHaveBeenCalledWith(
|
||||
expect.any(String),
|
||||
[
|
||||
'-c',
|
||||
'protocol.version=2',
|
||||
'fetch',
|
||||
'--prune',
|
||||
'--progress',
|
||||
'--no-recurse-submodules',
|
||||
'--filter=filterValue',
|
||||
'--depth=1',
|
||||
'origin',
|
||||
'refspec1',
|
||||
'refspec2'
|
||||
],
|
||||
expect.any(Object)
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -281,6 +281,65 @@ describe('git-directory-helper tests', () => {
|
||||
expect(git.branchDelete).toHaveBeenCalledWith(false, 'local-branch-2')
|
||||
})
|
||||
|
||||
const cleanWhenSubmoduleStatusIsFalse =
|
||||
'cleans when submodule status is false'
|
||||
|
||||
it(cleanWhenSubmoduleStatusIsFalse, async () => {
|
||||
// Arrange
|
||||
await setup(cleanWhenSubmoduleStatusIsFalse)
|
||||
await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
|
||||
|
||||
//mock bad submodule
|
||||
|
||||
const submoduleStatus = git.submoduleStatus as jest.Mock<any, any>
|
||||
submoduleStatus.mockImplementation(async (remote: boolean) => {
|
||||
return false
|
||||
})
|
||||
|
||||
// Act
|
||||
await gitDirectoryHelper.prepareExistingDirectory(
|
||||
git,
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
)
|
||||
|
||||
// Assert
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files).toHaveLength(0)
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
})
|
||||
|
||||
const doesNotCleanWhenSubmoduleStatusIsTrue =
|
||||
'does not clean when submodule status is true'
|
||||
|
||||
it(doesNotCleanWhenSubmoduleStatusIsTrue, async () => {
|
||||
// Arrange
|
||||
await setup(doesNotCleanWhenSubmoduleStatusIsTrue)
|
||||
await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
|
||||
|
||||
const submoduleStatus = git.submoduleStatus as jest.Mock<any, any>
|
||||
submoduleStatus.mockImplementation(async (remote: boolean) => {
|
||||
return true
|
||||
})
|
||||
|
||||
// Act
|
||||
await gitDirectoryHelper.prepareExistingDirectory(
|
||||
git,
|
||||
repositoryPath,
|
||||
repositoryUrl,
|
||||
clean,
|
||||
ref
|
||||
)
|
||||
|
||||
// Assert
|
||||
|
||||
const files = await fs.promises.readdir(repositoryPath)
|
||||
expect(files.sort()).toEqual(['.git', 'my-file'])
|
||||
expect(git.tryClean).toHaveBeenCalled()
|
||||
})
|
||||
|
||||
const removesLockFiles = 'removes lock files'
|
||||
it(removesLockFiles, async () => {
|
||||
// Arrange
|
||||
@@ -403,6 +462,8 @@ async function setup(testName: string): Promise<void> {
|
||||
branchList: jest.fn(async () => {
|
||||
return []
|
||||
}),
|
||||
sparseCheckout: jest.fn(),
|
||||
sparseCheckoutNonConeMode: jest.fn(),
|
||||
checkout: jest.fn(),
|
||||
checkoutDetach: jest.fn(),
|
||||
config: jest.fn(),
|
||||
@@ -423,6 +484,9 @@ async function setup(testName: string): Promise<void> {
|
||||
submoduleForeach: jest.fn(),
|
||||
submoduleSync: jest.fn(),
|
||||
submoduleUpdate: jest.fn(),
|
||||
submoduleStatus: jest.fn(async () => {
|
||||
return true
|
||||
}),
|
||||
tagExists: jest.fn(),
|
||||
tryClean: jest.fn(async () => {
|
||||
return true
|
||||
|
||||
@@ -79,13 +79,17 @@ describe('input-helper tests', () => {
|
||||
expect(settings.clean).toBe(true)
|
||||
expect(settings.commit).toBeTruthy()
|
||||
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
||||
expect(settings.sparseCheckout).toBe(undefined)
|
||||
expect(settings.sparseCheckoutConeMode).toBe(true)
|
||||
expect(settings.fetchDepth).toBe(1)
|
||||
expect(settings.fetchTags).toBe(false)
|
||||
expect(settings.lfs).toBe(false)
|
||||
expect(settings.ref).toBe('refs/heads/some-ref')
|
||||
expect(settings.repositoryName).toBe('some-repo')
|
||||
expect(settings.repositoryOwner).toBe('some-owner')
|
||||
expect(settings.repositoryPath).toBe(gitHubWorkspace)
|
||||
expect(settings.setSafeDirectory).toBe(true)
|
||||
expect(settings.allowUnsafePrCheckout).toBe(false)
|
||||
})
|
||||
|
||||
it('qualifies ref', async () => {
|
||||
|
||||
@@ -0,0 +1,267 @@
|
||||
import * as github from '@actions/github'
|
||||
import {assertSafePrCheckout} from '../lib/unsafe-pr-checkout-helper'
|
||||
|
||||
// Shallow clone original @actions/github context
|
||||
const originalContext = {...github.context}
|
||||
const originalEventName = github.context.eventName
|
||||
const originalPayload = github.context.payload
|
||||
|
||||
const BASE_REPO_ID = 100
|
||||
const FORK_REPO_ID = 200
|
||||
const PR_HEAD_SHA = '1111111111111111111111111111111111111111'
|
||||
const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
|
||||
const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
|
||||
const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
|
||||
const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
|
||||
const FORK_QUALIFIED_REPO = 'another-repo/fork'
|
||||
|
||||
function setContext(eventName: string, payload: object): void {
|
||||
;(github.context as {eventName: string}).eventName = eventName
|
||||
;(github.context as {payload: object}).payload = payload
|
||||
}
|
||||
|
||||
function forkPullRequestTargetPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
pull_request: {
|
||||
head: {
|
||||
sha: PR_HEAD_SHA,
|
||||
repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
|
||||
},
|
||||
merge_commit_sha: PR_MERGE_SHA
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function sameRepoPullRequestTargetPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
pull_request: {
|
||||
head: {
|
||||
sha: PR_HEAD_SHA,
|
||||
repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
|
||||
},
|
||||
merge_commit_sha: PR_MERGE_SHA
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function forkWorkflowRunPayload(): object {
|
||||
return {
|
||||
repository: {id: BASE_REPO_ID},
|
||||
workflow_run: {
|
||||
event: 'pull_request',
|
||||
head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
|
||||
head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
describe('unsafe-pr-checkout-helper', () => {
|
||||
beforeAll(() => {
|
||||
jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
|
||||
owner: 'some-owner',
|
||||
repo: 'some-repo'
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
;(github.context as {eventName: string}).eventName = originalEventName
|
||||
;(github.context as {payload: object}).payload = originalPayload
|
||||
})
|
||||
|
||||
afterAll(() => {
|
||||
;(github.context as {eventName: string}).eventName =
|
||||
originalContext.eventName
|
||||
;(github.context as {payload: object}).payload = originalContext.payload
|
||||
jest.restoreAllMocks()
|
||||
})
|
||||
|
||||
it('allows pull_request events untouched', () => {
|
||||
setContext('pull_request', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: 'attacker/fork',
|
||||
ref: 'refs/pull/1/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target default checkout (base branch)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/heads/main',
|
||||
commit: SAFE_BASE_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('allows same-repo pull_request_target checkout of PR head', () => {
|
||||
setContext('pull_request_target', sameRepoPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR head SHA checkout', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow(/Refusing to check out fork pull request code/)
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR merge_commit_sha checkout', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_MERGE_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow(/allow-unsafe-pr-checkout/)
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR ref pattern (head)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/head',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target fork PR ref pattern (merge)', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target when repository points at the fork', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: FORK_QUALIFIED_REPO,
|
||||
ref: 'refs/heads/main',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target checkout of an unrelated third-party repo', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: 'some-other/unrelated',
|
||||
ref: 'refs/heads/main',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target ignoring repository case differences', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
|
||||
ref: '',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses pull_request_target ignoring commit SHA case differences', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: PR_HEAD_SHA.toUpperCase(),
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows pull_request_target fork PR checkout when opted in', () => {
|
||||
setContext('pull_request_target', forkPullRequestTargetPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: 'refs/pull/42/merge',
|
||||
commit: '',
|
||||
allowUnsafePrCheckout: true
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
|
||||
it('refuses workflow_run fork PR head_commit.id checkout', () => {
|
||||
setContext('workflow_run', forkWorkflowRunPayload())
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('refuses workflow_run with pull_request_target underlying event', () => {
|
||||
const payload = forkWorkflowRunPayload() as {
|
||||
workflow_run: {event: string}
|
||||
}
|
||||
payload.workflow_run.event = 'pull_request_target'
|
||||
setContext('workflow_run', payload)
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
it('allows workflow_run same-repo PR (head_repository.id matches base)', () => {
|
||||
const payload = forkWorkflowRunPayload() as {
|
||||
workflow_run: {head_repository: {id: number}}
|
||||
}
|
||||
payload.workflow_run.head_repository.id = BASE_REPO_ID
|
||||
setContext('workflow_run', payload)
|
||||
expect(() =>
|
||||
assertSafePrCheckout({
|
||||
qualifiedRepository: BASE_QUALIFIED_REPO,
|
||||
ref: '',
|
||||
commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
|
||||
allowUnsafePrCheckout: false
|
||||
})
|
||||
).not.toThrow()
|
||||
})
|
||||
})
|
||||
+51
@@ -0,0 +1,51 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Verify .git folder
|
||||
if [ ! -d "./sparse-checkout-non-cone-mode/.git" ]; then
|
||||
echo "Expected ./sparse-checkout-non-cone-mode/.git folder to exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify sparse-checkout (non-cone-mode)
|
||||
cd sparse-checkout-non-cone-mode
|
||||
|
||||
ENABLED=$(git config --local --get-all core.sparseCheckout)
|
||||
|
||||
if [ "$?" != "0" ]; then
|
||||
echo "Failed to verify that sparse-checkout is enabled"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check that sparse-checkout is enabled
|
||||
if [ "$ENABLED" != "true" ]; then
|
||||
echo "Expected sparse-checkout to be enabled (is: $ENABLED)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SPARSE_CHECKOUT_FILE=$(git rev-parse --git-path info/sparse-checkout)
|
||||
|
||||
if [ "$?" != "0" ]; then
|
||||
echo "Failed to validate sparse-checkout"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check that sparse-checkout list is not empty
|
||||
if [ ! -f "$SPARSE_CHECKOUT_FILE" ]; then
|
||||
echo "Expected sparse-checkout file to exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check that all folders from sparse-checkout exists
|
||||
for pattern in $(cat "$SPARSE_CHECKOUT_FILE")
|
||||
do
|
||||
if [ ! -d "${pattern#/}" ]; then
|
||||
echo "Expected directory '${pattern#/}' to exist"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Verify that the root directory is not checked out
|
||||
if [ -f README.md ]; then
|
||||
echo "Expected top-level files not to exist"
|
||||
exit 1
|
||||
fi
|
||||
Executable
+63
@@ -0,0 +1,63 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Verify .git folder
|
||||
if [ ! -d "./sparse-checkout/.git" ]; then
|
||||
echo "Expected ./sparse-checkout/.git folder to exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify sparse-checkout
|
||||
cd sparse-checkout
|
||||
|
||||
SPARSE=$(git sparse-checkout list)
|
||||
|
||||
if [ "$?" != "0" ]; then
|
||||
echo "Failed to validate sparse-checkout"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check that sparse-checkout list is not empty
|
||||
if [ -z "$SPARSE" ]; then
|
||||
echo "Expected sparse-checkout list to not be empty"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Check that all folders of the sparse checkout exist
|
||||
for pattern in $SPARSE
|
||||
do
|
||||
if [ ! -d "$pattern" ]; then
|
||||
echo "Expected directory '$pattern' to exist"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
checkSparse () {
|
||||
if [ ! -d "./$1" ]; then
|
||||
echo "Expected directory '$1' to exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for file in $(git ls-tree -r --name-only HEAD $1)
|
||||
do
|
||||
if [ ! -f "$file" ]; then
|
||||
echo "Expected file '$file' to exist"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# Check that all folders and their children have been checked out
|
||||
checkSparse __test__
|
||||
checkSparse .github
|
||||
checkSparse dist
|
||||
|
||||
# Check that only sparse-checkout folders have been checked out
|
||||
for pattern in $(git ls-tree --name-only HEAD)
|
||||
do
|
||||
if [ -d "$pattern" ]; then
|
||||
if [[ "$pattern" != "__test__" && "$pattern" != ".github" && "$pattern" != "dist" ]]; then
|
||||
echo "Expected directory '$pattern' to not exist"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
+21
@@ -53,9 +53,21 @@ inputs:
|
||||
clean:
|
||||
description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
|
||||
default: true
|
||||
sparse-checkout:
|
||||
description: >
|
||||
Do a sparse checkout on given patterns.
|
||||
Each pattern should be separated with new lines
|
||||
default: null
|
||||
sparse-checkout-cone-mode:
|
||||
description: >
|
||||
Specifies whether to use cone-mode when doing a sparse checkout.
|
||||
default: true
|
||||
fetch-depth:
|
||||
description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.'
|
||||
default: 1
|
||||
fetch-tags:
|
||||
description: 'Whether to fetch tags, even if fetch-depth > 0.'
|
||||
default: false
|
||||
lfs:
|
||||
description: 'Whether to download Git-LFS files'
|
||||
default: false
|
||||
@@ -74,6 +86,15 @@ inputs:
|
||||
github-server-url:
|
||||
description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
|
||||
required: false
|
||||
allow-unsafe-pr-checkout:
|
||||
description: >
|
||||
Required to check out fork pull request code from a workflow triggered by
|
||||
`pull_request_target` or `workflow_run`. These workflows run with the
|
||||
base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
|
||||
runner access; fetching and executing a fork's code in that trusted
|
||||
context commonly leads to "pwn request" vulnerabilities. Set to `true`
|
||||
only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
|
||||
default: false
|
||||
runs:
|
||||
using: node16
|
||||
main: dist/index.js
|
||||
|
||||
@@ -181,7 +181,7 @@ GITHUB_WORKSPACE=/home/runner/work/foo/foo
|
||||
RUNNER_WORKSPACE=/home/runner/work/foo
|
||||
```
|
||||
|
||||
V2 introduces a new contraint on the checkout path. The location must now be under `github.workspace`. Whereas the checkout@v1 constraint was one level up, under `runner.workspace`.
|
||||
V2 introduces a new constraint on the checkout path. The location must now be under `github.workspace`. Whereas the checkout@v1 constraint was one level up, under `runner.workspace`.
|
||||
|
||||
V2 no longer changes `github.workspace` to follow wherever the self repo is checked-out.
|
||||
|
||||
@@ -287,4 +287,4 @@ Note:
|
||||
- Update samples to consume `actions/checkout@v2`
|
||||
- Job containers now require git in the PATH for checkout, otherwise fallback to REST API
|
||||
- Minimum git version 2.18
|
||||
- Update problem matcher logic regarding source file verification (runner)
|
||||
- Update problem matcher logic regarding source file verification (runner)
|
||||
|
||||
Vendored
+200
-19
@@ -470,6 +470,7 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.createCommandManager = exports.MinimumGitVersion = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const exec = __importStar(__nccwpck_require__(1514));
|
||||
const fs = __importStar(__nccwpck_require__(7147));
|
||||
const fshelper = __importStar(__nccwpck_require__(7219));
|
||||
const io = __importStar(__nccwpck_require__(7436));
|
||||
const path = __importStar(__nccwpck_require__(1017));
|
||||
@@ -480,9 +481,9 @@ const git_version_1 = __nccwpck_require__(3142);
|
||||
// Auth header not supported before 2.9
|
||||
// Wire protocol v2 not supported before 2.18
|
||||
exports.MinimumGitVersion = new git_version_1.GitVersion('2.18');
|
||||
function createCommandManager(workingDirectory, lfs) {
|
||||
function createCommandManager(workingDirectory, lfs, doSparseCheckout) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
return yield GitCommandManager.createCommandManager(workingDirectory, lfs);
|
||||
return yield GitCommandManager.createCommandManager(workingDirectory, lfs, doSparseCheckout);
|
||||
});
|
||||
}
|
||||
exports.createCommandManager = createCommandManager;
|
||||
@@ -495,6 +496,7 @@ class GitCommandManager {
|
||||
};
|
||||
this.gitPath = '';
|
||||
this.lfs = false;
|
||||
this.doSparseCheckout = false;
|
||||
this.workingDirectory = '';
|
||||
}
|
||||
branchDelete(remote, branch) {
|
||||
@@ -574,6 +576,23 @@ class GitCommandManager {
|
||||
return result;
|
||||
});
|
||||
}
|
||||
sparseCheckout(sparseCheckout) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
yield this.execGit(['sparse-checkout', 'set', ...sparseCheckout]);
|
||||
});
|
||||
}
|
||||
sparseCheckoutNonConeMode(sparseCheckout) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
yield this.execGit(['config', 'core.sparseCheckout', 'true']);
|
||||
const output = yield this.execGit([
|
||||
'rev-parse',
|
||||
'--git-path',
|
||||
'info/sparse-checkout'
|
||||
]);
|
||||
const sparseCheckoutPath = path.join(this.workingDirectory, output.stdout.trimRight());
|
||||
yield fs.promises.appendFile(sparseCheckoutPath, `\n${sparseCheckout.join('\n')}\n`);
|
||||
});
|
||||
}
|
||||
checkout(ref, startPoint) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['checkout', '--progress', '--force'];
|
||||
@@ -615,15 +634,18 @@ class GitCommandManager {
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
fetch(refSpec, fetchDepth) {
|
||||
fetch(refSpec, options) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const args = ['-c', 'protocol.version=2', 'fetch'];
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
|
||||
args.push('--no-tags');
|
||||
}
|
||||
args.push('--prune', '--progress', '--no-recurse-submodules');
|
||||
if (fetchDepth && fetchDepth > 0) {
|
||||
args.push(`--depth=${fetchDepth}`);
|
||||
if (options.filter) {
|
||||
args.push(`--filter=${options.filter}`);
|
||||
}
|
||||
if (options.fetchDepth && options.fetchDepth > 0) {
|
||||
args.push(`--depth=${options.fetchDepth}`);
|
||||
}
|
||||
else if (fshelper.fileExistsSync(path.join(this.workingDirectory, '.git', 'shallow'))) {
|
||||
args.push('--unshallow');
|
||||
@@ -696,8 +718,8 @@ class GitCommandManager {
|
||||
}
|
||||
log1(format) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var args = format ? ['log', '-1', format] : ['log', '-1'];
|
||||
var silent = format ? false : true;
|
||||
const args = format ? ['log', '-1', format] : ['log', '-1'];
|
||||
const silent = format ? false : true;
|
||||
const output = yield this.execGit(args, false, silent);
|
||||
return output.stdout;
|
||||
});
|
||||
@@ -765,6 +787,13 @@ class GitCommandManager {
|
||||
yield this.execGit(args);
|
||||
});
|
||||
}
|
||||
submoduleStatus() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['submodule', 'status'], true);
|
||||
core.debug(output.stdout);
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
tagExists(pattern) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['tag', '--list', pattern]);
|
||||
@@ -813,10 +842,10 @@ class GitCommandManager {
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
static createCommandManager(workingDirectory, lfs) {
|
||||
static createCommandManager(workingDirectory, lfs, doSparseCheckout) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const result = new GitCommandManager();
|
||||
yield result.initializeCommandManager(workingDirectory, lfs);
|
||||
yield result.initializeCommandManager(workingDirectory, lfs, doSparseCheckout);
|
||||
return result;
|
||||
});
|
||||
}
|
||||
@@ -852,7 +881,7 @@ class GitCommandManager {
|
||||
return result;
|
||||
});
|
||||
}
|
||||
initializeCommandManager(workingDirectory, lfs) {
|
||||
initializeCommandManager(workingDirectory, lfs, doSparseCheckout) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
this.workingDirectory = workingDirectory;
|
||||
// Git-lfs will try to pull down assets if any of the local/user/system setting exist.
|
||||
@@ -904,6 +933,14 @@ class GitCommandManager {
|
||||
throw new Error(`Minimum required git-lfs version is ${minimumGitLfsVersion}. Your git-lfs ('${gitLfsPath}') is ${gitLfsVersion}`);
|
||||
}
|
||||
}
|
||||
this.doSparseCheckout = doSparseCheckout;
|
||||
if (this.doSparseCheckout) {
|
||||
// The `git sparse-checkout` command was introduced in Git v2.25.0
|
||||
const minimumGitSparseCheckoutVersion = new git_version_1.GitVersion('2.25');
|
||||
if (!gitVersion.checkMinimum(minimumGitSparseCheckoutVersion)) {
|
||||
throw new Error(`Minimum Git version required for sparse checkout is ${minimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${gitVersion}`);
|
||||
}
|
||||
}
|
||||
// Set the user agent
|
||||
const gitHttpUserAgent = `git/${gitVersion} (github-actions-checkout)`;
|
||||
core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
|
||||
@@ -1023,11 +1060,16 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean, ref
|
||||
}
|
||||
}
|
||||
core.endGroup();
|
||||
// Check for submodules and delete any existing files if submodules are present
|
||||
if (!(yield git.submoduleStatus())) {
|
||||
remove = true;
|
||||
core.info('Bad Submodules found, removing existing files');
|
||||
}
|
||||
// Clean
|
||||
if (clean) {
|
||||
core.startGroup('Cleaning the repository');
|
||||
if (!(yield git.tryClean())) {
|
||||
core.debug(`The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`);
|
||||
core.debug(`The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For further investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`);
|
||||
remove = true;
|
||||
}
|
||||
else if (!(yield git.tryReset())) {
|
||||
@@ -1198,20 +1240,25 @@ function getSource(settings) {
|
||||
}
|
||||
// Fetch
|
||||
core.startGroup('Fetching the repository');
|
||||
const fetchOptions = {};
|
||||
if (settings.sparseCheckout)
|
||||
fetchOptions.filter = 'blob:none';
|
||||
if (settings.fetchDepth <= 0) {
|
||||
// Fetch all branches and tags
|
||||
let refSpec = refHelper.getRefSpecForAllHistory(settings.ref, settings.commit);
|
||||
yield git.fetch(refSpec);
|
||||
yield git.fetch(refSpec, fetchOptions);
|
||||
// When all history is fetched, the ref we're interested in may have moved to a different
|
||||
// commit (push or force push). If so, fetch again with a targeted refspec.
|
||||
if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
|
||||
yield git.fetch(refSpec);
|
||||
yield git.fetch(refSpec, fetchOptions);
|
||||
}
|
||||
}
|
||||
else {
|
||||
fetchOptions.fetchDepth = settings.fetchDepth;
|
||||
fetchOptions.fetchTags = settings.fetchTags;
|
||||
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
|
||||
yield git.fetch(refSpec, settings.fetchDepth);
|
||||
yield git.fetch(refSpec, fetchOptions);
|
||||
}
|
||||
core.endGroup();
|
||||
// Checkout info
|
||||
@@ -1221,11 +1268,23 @@ function getSource(settings) {
|
||||
// LFS fetch
|
||||
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
|
||||
// Explicit lfs fetch will fetch lfs objects in parallel.
|
||||
if (settings.lfs) {
|
||||
// For sparse checkouts, let `checkout` fetch the needed objects lazily.
|
||||
if (settings.lfs && !settings.sparseCheckout) {
|
||||
core.startGroup('Fetching LFS objects');
|
||||
yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
|
||||
core.endGroup();
|
||||
}
|
||||
// Sparse checkout
|
||||
if (settings.sparseCheckout) {
|
||||
core.startGroup('Setting up sparse checkout');
|
||||
if (settings.sparseCheckoutConeMode) {
|
||||
yield git.sparseCheckout(settings.sparseCheckout);
|
||||
}
|
||||
else {
|
||||
yield git.sparseCheckoutNonConeMode(settings.sparseCheckout);
|
||||
}
|
||||
core.endGroup();
|
||||
}
|
||||
// Checkout
|
||||
core.startGroup('Checking out the ref');
|
||||
yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
|
||||
@@ -1279,7 +1338,7 @@ function cleanup(repositoryPath) {
|
||||
}
|
||||
let git;
|
||||
try {
|
||||
git = yield gitCommandManager.createCommandManager(repositoryPath, false);
|
||||
git = yield gitCommandManager.createCommandManager(repositoryPath, false, false);
|
||||
}
|
||||
catch (_a) {
|
||||
return;
|
||||
@@ -1310,7 +1369,7 @@ function getGitCommandManager(settings) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
core.info(`Working directory is '${settings.repositoryPath}'`);
|
||||
try {
|
||||
return yield gitCommandManager.createCommandManager(settings.repositoryPath, settings.lfs);
|
||||
return yield gitCommandManager.createCommandManager(settings.repositoryPath, settings.lfs, settings.sparseCheckout != null);
|
||||
}
|
||||
catch (err) {
|
||||
// Git is required for LFS
|
||||
@@ -1605,6 +1664,7 @@ const core = __importStar(__nccwpck_require__(2186));
|
||||
const fsHelper = __importStar(__nccwpck_require__(7219));
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const path = __importStar(__nccwpck_require__(1017));
|
||||
const unsafePrCheckoutHelper = __importStar(__nccwpck_require__(843));
|
||||
const workflowContextHelper = __importStar(__nccwpck_require__(9568));
|
||||
function getInputs() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
@@ -1661,12 +1721,25 @@ function getInputs() {
|
||||
// Clean
|
||||
result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE';
|
||||
core.debug(`clean = ${result.clean}`);
|
||||
// Sparse checkout
|
||||
const sparseCheckout = core.getMultilineInput('sparse-checkout');
|
||||
if (sparseCheckout.length) {
|
||||
result.sparseCheckout = sparseCheckout;
|
||||
core.debug(`sparse checkout = ${result.sparseCheckout}`);
|
||||
}
|
||||
result.sparseCheckoutConeMode =
|
||||
(core.getInput('sparse-checkout-cone-mode') || 'true').toUpperCase() ===
|
||||
'TRUE';
|
||||
// Fetch depth
|
||||
result.fetchDepth = Math.floor(Number(core.getInput('fetch-depth') || '1'));
|
||||
if (isNaN(result.fetchDepth) || result.fetchDepth < 0) {
|
||||
result.fetchDepth = 0;
|
||||
}
|
||||
core.debug(`fetch depth = ${result.fetchDepth}`);
|
||||
// Fetch tags
|
||||
result.fetchTags =
|
||||
(core.getInput('fetch-tags') || 'false').toUpperCase() === 'TRUE';
|
||||
core.debug(`fetch tags = ${result.fetchTags}`);
|
||||
// LFS
|
||||
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE';
|
||||
core.debug(`lfs = ${result.lfs}`);
|
||||
@@ -1701,6 +1774,17 @@ function getInputs() {
|
||||
// Determine the GitHub URL that the repository is being hosted from
|
||||
result.githubServerUrl = core.getInput('github-server-url');
|
||||
core.debug(`GitHub Host URL = ${result.githubServerUrl}`);
|
||||
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
|
||||
result.allowUnsafePrCheckout =
|
||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||
'TRUE';
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`);
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
});
|
||||
return result;
|
||||
});
|
||||
}
|
||||
@@ -1827,7 +1911,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
||||
});
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.checkCommitInfo = exports.testRef = exports.getRefSpec = exports.getRefSpecForAllHistory = exports.getCheckoutInfo = exports.tagsRefSpec = void 0;
|
||||
exports.fromPayload = exports.checkCommitInfo = exports.testRef = exports.getRefSpec = exports.getRefSpecForAllHistory = exports.getCheckoutInfo = exports.tagsRefSpec = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const url_helper_1 = __nccwpck_require__(9437);
|
||||
@@ -2049,6 +2133,7 @@ exports.checkCommitInfo = checkCommitInfo;
|
||||
function fromPayload(path) {
|
||||
return select(github.context.payload, path);
|
||||
}
|
||||
exports.fromPayload = fromPayload;
|
||||
function select(obj, path) {
|
||||
if (!obj) {
|
||||
return undefined;
|
||||
@@ -2255,6 +2340,102 @@ if (!exports.IsPost) {
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 843:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.assertSafePrCheckout = void 0;
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const ref_helper_1 = __nccwpck_require__(8601);
|
||||
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/;
|
||||
function assertSafePrCheckout(input) {
|
||||
if (input.allowUnsafePrCheckout) {
|
||||
return;
|
||||
}
|
||||
const eventName = github.context.eventName;
|
||||
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
|
||||
return;
|
||||
}
|
||||
const baseRepoId = (0, ref_helper_1.fromPayload)('repository.id');
|
||||
if (typeof baseRepoId !== 'number') {
|
||||
return;
|
||||
}
|
||||
let prHeadRepoId;
|
||||
let prHeadRepoFullName;
|
||||
const prShas = [];
|
||||
if (eventName === 'pull_request_target') {
|
||||
prHeadRepoId = (0, ref_helper_1.fromPayload)('pull_request.head.repo.id');
|
||||
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('pull_request.head.repo.full_name');
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.head.sha'));
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('pull_request.merge_commit_sha'));
|
||||
}
|
||||
else {
|
||||
const wrEvent = (0, ref_helper_1.fromPayload)('workflow_run.event');
|
||||
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
|
||||
return;
|
||||
}
|
||||
prHeadRepoId = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.id');
|
||||
prHeadRepoFullName = (0, ref_helper_1.fromPayload)('workflow_run.head_repository.full_name');
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_commit.id'));
|
||||
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
|
||||
// default branch SHA (not the PR head)
|
||||
if (wrEvent !== 'pull_request_target') {
|
||||
pushIfSha(prShas, (0, ref_helper_1.fromPayload)('workflow_run.head_sha'));
|
||||
}
|
||||
}
|
||||
// (A) Fork PR?
|
||||
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
|
||||
return;
|
||||
}
|
||||
// (B) We cannot check for all fork PR refs so check to see
|
||||
// if the resolved input points to the fork PR sha we have in the payload
|
||||
const repositoryMatchesPrHead = typeof prHeadRepoFullName === 'string' &&
|
||||
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase();
|
||||
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref);
|
||||
const commitMatchesPrHeadSha = !!input.commit && prShas.includes(input.commit.toLowerCase());
|
||||
if (!repositoryMatchesPrHead &&
|
||||
!refMatchesPullPattern &&
|
||||
!commitMatchesPrHeadSha) {
|
||||
return;
|
||||
}
|
||||
throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
|
||||
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
|
||||
`on the actions/checkout step.`);
|
||||
}
|
||||
exports.assertSafePrCheckout = assertSafePrCheckout;
|
||||
function pushIfSha(target, value) {
|
||||
if (typeof value === 'string' && value.length > 0) {
|
||||
target.push(value.toLowerCase());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 9437:
|
||||
|
||||
Generated
+2
-2
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "checkout",
|
||||
"version": "3.5.2",
|
||||
"version": "3.6.0",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "checkout",
|
||||
"version": "3.5.2",
|
||||
"version": "3.6.0",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
|
||||
+2
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "checkout",
|
||||
"version": "3.5.2",
|
||||
"version": "3.6.0",
|
||||
"description": "checkout action",
|
||||
"main": "lib/main.js",
|
||||
"scripts": {
|
||||
@@ -52,4 +52,4 @@
|
||||
"ts-jest": "^27.0.7",
|
||||
"typescript": "^4.4.4"
|
||||
}
|
||||
}
|
||||
}
|
||||
+80
-12
@@ -1,5 +1,6 @@
|
||||
import * as core from '@actions/core'
|
||||
import * as exec from '@actions/exec'
|
||||
import * as fs from 'fs'
|
||||
import * as fshelper from './fs-helper'
|
||||
import * as io from '@actions/io'
|
||||
import * as path from 'path'
|
||||
@@ -16,6 +17,8 @@ export interface IGitCommandManager {
|
||||
branchDelete(remote: boolean, branch: string): Promise<void>
|
||||
branchExists(remote: boolean, pattern: string): Promise<boolean>
|
||||
branchList(remote: boolean): Promise<string[]>
|
||||
sparseCheckout(sparseCheckout: string[]): Promise<void>
|
||||
sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void>
|
||||
checkout(ref: string, startPoint: string): Promise<void>
|
||||
checkoutDetach(): Promise<void>
|
||||
config(
|
||||
@@ -25,7 +28,14 @@ export interface IGitCommandManager {
|
||||
add?: boolean
|
||||
): Promise<void>
|
||||
configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
|
||||
fetch(refSpec: string[], fetchDepth?: number): Promise<void>
|
||||
fetch(
|
||||
refSpec: string[],
|
||||
options: {
|
||||
filter?: string
|
||||
fetchDepth?: number
|
||||
fetchTags?: boolean
|
||||
}
|
||||
): Promise<void>
|
||||
getDefaultBranch(repositoryUrl: string): Promise<string>
|
||||
getWorkingDirectory(): string
|
||||
init(): Promise<void>
|
||||
@@ -41,6 +51,7 @@ export interface IGitCommandManager {
|
||||
submoduleForeach(command: string, recursive: boolean): Promise<string>
|
||||
submoduleSync(recursive: boolean): Promise<void>
|
||||
submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
|
||||
submoduleStatus(): Promise<boolean>
|
||||
tagExists(pattern: string): Promise<boolean>
|
||||
tryClean(): Promise<boolean>
|
||||
tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
|
||||
@@ -51,9 +62,14 @@ export interface IGitCommandManager {
|
||||
|
||||
export async function createCommandManager(
|
||||
workingDirectory: string,
|
||||
lfs: boolean
|
||||
lfs: boolean,
|
||||
doSparseCheckout: boolean
|
||||
): Promise<IGitCommandManager> {
|
||||
return await GitCommandManager.createCommandManager(workingDirectory, lfs)
|
||||
return await GitCommandManager.createCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
}
|
||||
|
||||
class GitCommandManager {
|
||||
@@ -63,6 +79,7 @@ class GitCommandManager {
|
||||
}
|
||||
private gitPath = ''
|
||||
private lfs = false
|
||||
private doSparseCheckout = false
|
||||
private workingDirectory = ''
|
||||
|
||||
// Private constructor; use createCommandManager()
|
||||
@@ -153,6 +170,27 @@ class GitCommandManager {
|
||||
return result
|
||||
}
|
||||
|
||||
async sparseCheckout(sparseCheckout: string[]): Promise<void> {
|
||||
await this.execGit(['sparse-checkout', 'set', ...sparseCheckout])
|
||||
}
|
||||
|
||||
async sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void> {
|
||||
await this.execGit(['config', 'core.sparseCheckout', 'true'])
|
||||
const output = await this.execGit([
|
||||
'rev-parse',
|
||||
'--git-path',
|
||||
'info/sparse-checkout'
|
||||
])
|
||||
const sparseCheckoutPath = path.join(
|
||||
this.workingDirectory,
|
||||
output.stdout.trimRight()
|
||||
)
|
||||
await fs.promises.appendFile(
|
||||
sparseCheckoutPath,
|
||||
`\n${sparseCheckout.join('\n')}\n`
|
||||
)
|
||||
}
|
||||
|
||||
async checkout(ref: string, startPoint: string): Promise<void> {
|
||||
const args = ['checkout', '--progress', '--force']
|
||||
if (startPoint) {
|
||||
@@ -201,15 +239,23 @@ class GitCommandManager {
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async fetch(refSpec: string[], fetchDepth?: number): Promise<void> {
|
||||
async fetch(
|
||||
refSpec: string[],
|
||||
options: {filter?: string; fetchDepth?: number; fetchTags?: boolean}
|
||||
): Promise<void> {
|
||||
const args = ['-c', 'protocol.version=2', 'fetch']
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
|
||||
if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
|
||||
args.push('--no-tags')
|
||||
}
|
||||
|
||||
args.push('--prune', '--progress', '--no-recurse-submodules')
|
||||
if (fetchDepth && fetchDepth > 0) {
|
||||
args.push(`--depth=${fetchDepth}`)
|
||||
|
||||
if (options.filter) {
|
||||
args.push(`--filter=${options.filter}`)
|
||||
}
|
||||
|
||||
if (options.fetchDepth && options.fetchDepth > 0) {
|
||||
args.push(`--depth=${options.fetchDepth}`)
|
||||
} else if (
|
||||
fshelper.fileExistsSync(
|
||||
path.join(this.workingDirectory, '.git', 'shallow')
|
||||
@@ -288,8 +334,8 @@ class GitCommandManager {
|
||||
}
|
||||
|
||||
async log1(format?: string): Promise<string> {
|
||||
var args = format ? ['log', '-1', format] : ['log', '-1']
|
||||
var silent = format ? false : true
|
||||
const args = format ? ['log', '-1', format] : ['log', '-1']
|
||||
const silent = format ? false : true
|
||||
const output = await this.execGit(args, false, silent)
|
||||
return output.stdout
|
||||
}
|
||||
@@ -357,6 +403,12 @@ class GitCommandManager {
|
||||
await this.execGit(args)
|
||||
}
|
||||
|
||||
async submoduleStatus(): Promise<boolean> {
|
||||
const output = await this.execGit(['submodule', 'status'], true)
|
||||
core.debug(output.stdout)
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async tagExists(pattern: string): Promise<boolean> {
|
||||
const output = await this.execGit(['tag', '--list', pattern])
|
||||
return !!output.stdout.trim()
|
||||
@@ -416,10 +468,15 @@ class GitCommandManager {
|
||||
|
||||
static async createCommandManager(
|
||||
workingDirectory: string,
|
||||
lfs: boolean
|
||||
lfs: boolean,
|
||||
doSparseCheckout: boolean
|
||||
): Promise<GitCommandManager> {
|
||||
const result = new GitCommandManager()
|
||||
await result.initializeCommandManager(workingDirectory, lfs)
|
||||
await result.initializeCommandManager(
|
||||
workingDirectory,
|
||||
lfs,
|
||||
doSparseCheckout
|
||||
)
|
||||
return result
|
||||
}
|
||||
|
||||
@@ -469,7 +526,8 @@ class GitCommandManager {
|
||||
|
||||
private async initializeCommandManager(
|
||||
workingDirectory: string,
|
||||
lfs: boolean
|
||||
lfs: boolean,
|
||||
doSparseCheckout: boolean
|
||||
): Promise<void> {
|
||||
this.workingDirectory = workingDirectory
|
||||
|
||||
@@ -532,6 +590,16 @@ class GitCommandManager {
|
||||
}
|
||||
}
|
||||
|
||||
this.doSparseCheckout = doSparseCheckout
|
||||
if (this.doSparseCheckout) {
|
||||
// The `git sparse-checkout` command was introduced in Git v2.25.0
|
||||
const minimumGitSparseCheckoutVersion = new GitVersion('2.25')
|
||||
if (!gitVersion.checkMinimum(minimumGitSparseCheckoutVersion)) {
|
||||
throw new Error(
|
||||
`Minimum Git version required for sparse checkout is ${minimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
|
||||
)
|
||||
}
|
||||
}
|
||||
// Set the user agent
|
||||
const gitHttpUserAgent = `git/${gitVersion} (github-actions-checkout)`
|
||||
core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
|
||||
|
||||
@@ -81,12 +81,18 @@ export async function prepareExistingDirectory(
|
||||
}
|
||||
core.endGroup()
|
||||
|
||||
// Check for submodules and delete any existing files if submodules are present
|
||||
if (!(await git.submoduleStatus())) {
|
||||
remove = true
|
||||
core.info('Bad Submodules found, removing existing files')
|
||||
}
|
||||
|
||||
// Clean
|
||||
if (clean) {
|
||||
core.startGroup('Cleaning the repository')
|
||||
if (!(await git.tryClean())) {
|
||||
core.debug(
|
||||
`The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
|
||||
`The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For further investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
|
||||
)
|
||||
remove = true
|
||||
} else if (!(await git.tryReset())) {
|
||||
|
||||
@@ -153,23 +153,31 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
|
||||
// Fetch
|
||||
core.startGroup('Fetching the repository')
|
||||
const fetchOptions: {
|
||||
filter?: string
|
||||
fetchDepth?: number
|
||||
fetchTags?: boolean
|
||||
} = {}
|
||||
if (settings.sparseCheckout) fetchOptions.filter = 'blob:none'
|
||||
if (settings.fetchDepth <= 0) {
|
||||
// Fetch all branches and tags
|
||||
let refSpec = refHelper.getRefSpecForAllHistory(
|
||||
settings.ref,
|
||||
settings.commit
|
||||
)
|
||||
await git.fetch(refSpec)
|
||||
await git.fetch(refSpec, fetchOptions)
|
||||
|
||||
// When all history is fetched, the ref we're interested in may have moved to a different
|
||||
// commit (push or force push). If so, fetch again with a targeted refspec.
|
||||
if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
|
||||
refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
|
||||
await git.fetch(refSpec)
|
||||
await git.fetch(refSpec, fetchOptions)
|
||||
}
|
||||
} else {
|
||||
fetchOptions.fetchDepth = settings.fetchDepth
|
||||
fetchOptions.fetchTags = settings.fetchTags
|
||||
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
|
||||
await git.fetch(refSpec, settings.fetchDepth)
|
||||
await git.fetch(refSpec, fetchOptions)
|
||||
}
|
||||
core.endGroup()
|
||||
|
||||
@@ -185,12 +193,24 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
|
||||
// LFS fetch
|
||||
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
|
||||
// Explicit lfs fetch will fetch lfs objects in parallel.
|
||||
if (settings.lfs) {
|
||||
// For sparse checkouts, let `checkout` fetch the needed objects lazily.
|
||||
if (settings.lfs && !settings.sparseCheckout) {
|
||||
core.startGroup('Fetching LFS objects')
|
||||
await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
|
||||
core.endGroup()
|
||||
}
|
||||
|
||||
// Sparse checkout
|
||||
if (settings.sparseCheckout) {
|
||||
core.startGroup('Setting up sparse checkout')
|
||||
if (settings.sparseCheckoutConeMode) {
|
||||
await git.sparseCheckout(settings.sparseCheckout)
|
||||
} else {
|
||||
await git.sparseCheckoutNonConeMode(settings.sparseCheckout)
|
||||
}
|
||||
core.endGroup()
|
||||
}
|
||||
|
||||
// Checkout
|
||||
core.startGroup('Checking out the ref')
|
||||
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
|
||||
@@ -261,7 +281,11 @@ export async function cleanup(repositoryPath: string): Promise<void> {
|
||||
|
||||
let git: IGitCommandManager
|
||||
try {
|
||||
git = await gitCommandManager.createCommandManager(repositoryPath, false)
|
||||
git = await gitCommandManager.createCommandManager(
|
||||
repositoryPath,
|
||||
false,
|
||||
false
|
||||
)
|
||||
} catch {
|
||||
return
|
||||
}
|
||||
@@ -297,7 +321,8 @@ async function getGitCommandManager(
|
||||
try {
|
||||
return await gitCommandManager.createCommandManager(
|
||||
settings.repositoryPath,
|
||||
settings.lfs
|
||||
settings.lfs,
|
||||
settings.sparseCheckout != null
|
||||
)
|
||||
} catch (err) {
|
||||
// Git is required for LFS
|
||||
|
||||
@@ -29,11 +29,26 @@ export interface IGitSourceSettings {
|
||||
*/
|
||||
clean: boolean
|
||||
|
||||
/**
|
||||
* The array of folders to make the sparse checkout
|
||||
*/
|
||||
sparseCheckout: string[]
|
||||
|
||||
/**
|
||||
* Indicates whether to use cone mode in the sparse checkout (if any)
|
||||
*/
|
||||
sparseCheckoutConeMode: boolean
|
||||
|
||||
/**
|
||||
* The depth when fetching
|
||||
*/
|
||||
fetchDepth: number
|
||||
|
||||
/**
|
||||
* Fetch tags, even if fetchDepth > 0 (default: false)
|
||||
*/
|
||||
fetchTags: boolean
|
||||
|
||||
/**
|
||||
* Indicates whether to fetch LFS objects
|
||||
*/
|
||||
@@ -88,4 +103,10 @@ export interface IGitSourceSettings {
|
||||
* User override on the GitHub Server/Host URL that hosts the repository to be cloned
|
||||
*/
|
||||
githubServerUrl: string | undefined
|
||||
|
||||
/**
|
||||
* Opt-in to allow checking out fork pull request code from a workflow
|
||||
* triggered by pull_request_target or workflow_run.
|
||||
*/
|
||||
allowUnsafePrCheckout: boolean
|
||||
}
|
||||
|
||||
@@ -2,6 +2,7 @@ import * as core from '@actions/core'
|
||||
import * as fsHelper from './fs-helper'
|
||||
import * as github from '@actions/github'
|
||||
import * as path from 'path'
|
||||
import * as unsafePrCheckoutHelper from './unsafe-pr-checkout-helper'
|
||||
import * as workflowContextHelper from './workflow-context-helper'
|
||||
import {IGitSourceSettings} from './git-source-settings'
|
||||
|
||||
@@ -82,6 +83,17 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
|
||||
core.debug(`clean = ${result.clean}`)
|
||||
|
||||
// Sparse checkout
|
||||
const sparseCheckout = core.getMultilineInput('sparse-checkout')
|
||||
if (sparseCheckout.length) {
|
||||
result.sparseCheckout = sparseCheckout
|
||||
core.debug(`sparse checkout = ${result.sparseCheckout}`)
|
||||
}
|
||||
|
||||
result.sparseCheckoutConeMode =
|
||||
(core.getInput('sparse-checkout-cone-mode') || 'true').toUpperCase() ===
|
||||
'TRUE'
|
||||
|
||||
// Fetch depth
|
||||
result.fetchDepth = Math.floor(Number(core.getInput('fetch-depth') || '1'))
|
||||
if (isNaN(result.fetchDepth) || result.fetchDepth < 0) {
|
||||
@@ -89,6 +101,11 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
}
|
||||
core.debug(`fetch depth = ${result.fetchDepth}`)
|
||||
|
||||
// Fetch tags
|
||||
result.fetchTags =
|
||||
(core.getInput('fetch-tags') || 'false').toUpperCase() === 'TRUE'
|
||||
core.debug(`fetch tags = ${result.fetchTags}`)
|
||||
|
||||
// LFS
|
||||
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
|
||||
core.debug(`lfs = ${result.lfs}`)
|
||||
@@ -130,5 +147,18 @@ export async function getInputs(): Promise<IGitSourceSettings> {
|
||||
result.githubServerUrl = core.getInput('github-server-url')
|
||||
core.debug(`GitHub Host URL = ${result.githubServerUrl}`)
|
||||
|
||||
// Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
|
||||
result.allowUnsafePrCheckout =
|
||||
(core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
|
||||
'TRUE'
|
||||
core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
|
||||
|
||||
unsafePrCheckoutHelper.assertSafePrCheckout({
|
||||
qualifiedRepository,
|
||||
ref: result.ref,
|
||||
commit: result.commit,
|
||||
allowUnsafePrCheckout: result.allowUnsafePrCheckout
|
||||
})
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
+1
-1
@@ -264,7 +264,7 @@ export async function checkCommitInfo(
|
||||
}
|
||||
}
|
||||
|
||||
function fromPayload(path: string): any {
|
||||
export function fromPayload(path: string): any {
|
||||
return select(github.context.payload, path)
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,88 @@
|
||||
import * as github from '@actions/github'
|
||||
import {fromPayload} from './ref-helper'
|
||||
|
||||
const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/
|
||||
|
||||
export interface IUnsafePrCheckoutInput {
|
||||
qualifiedRepository: string
|
||||
ref: string
|
||||
commit: string | undefined
|
||||
allowUnsafePrCheckout: boolean
|
||||
}
|
||||
|
||||
export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
|
||||
if (input.allowUnsafePrCheckout) {
|
||||
return
|
||||
}
|
||||
|
||||
const eventName = github.context.eventName
|
||||
if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
|
||||
return
|
||||
}
|
||||
|
||||
const baseRepoId = fromPayload('repository.id')
|
||||
if (typeof baseRepoId !== 'number') {
|
||||
return
|
||||
}
|
||||
|
||||
let prHeadRepoId: unknown
|
||||
let prHeadRepoFullName: unknown
|
||||
const prShas: string[] = []
|
||||
|
||||
if (eventName === 'pull_request_target') {
|
||||
prHeadRepoId = fromPayload('pull_request.head.repo.id')
|
||||
prHeadRepoFullName = fromPayload('pull_request.head.repo.full_name')
|
||||
pushIfSha(prShas, fromPayload('pull_request.head.sha'))
|
||||
pushIfSha(prShas, fromPayload('pull_request.merge_commit_sha'))
|
||||
} else {
|
||||
const wrEvent = fromPayload('workflow_run.event')
|
||||
if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
|
||||
return
|
||||
}
|
||||
prHeadRepoId = fromPayload('workflow_run.head_repository.id')
|
||||
prHeadRepoFullName = fromPayload('workflow_run.head_repository.full_name')
|
||||
pushIfSha(prShas, fromPayload('workflow_run.head_commit.id'))
|
||||
// For `pull_request_target`-triggered workflow_run, `head_sha` is the base
|
||||
// default branch SHA (not the PR head)
|
||||
if (wrEvent !== 'pull_request_target') {
|
||||
pushIfSha(prShas, fromPayload('workflow_run.head_sha'))
|
||||
}
|
||||
}
|
||||
|
||||
// (A) Fork PR?
|
||||
if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
|
||||
return
|
||||
}
|
||||
|
||||
// (B) We cannot check for all fork PR refs so check to see
|
||||
// if the resolved input points to the fork PR sha we have in the payload
|
||||
const repositoryMatchesPrHead =
|
||||
typeof prHeadRepoFullName === 'string' &&
|
||||
input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase()
|
||||
const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref)
|
||||
const commitMatchesPrHeadSha =
|
||||
!!input.commit && prShas.includes(input.commit.toLowerCase())
|
||||
|
||||
if (
|
||||
!repositoryMatchesPrHead &&
|
||||
!refMatchesPullPattern &&
|
||||
!commitMatchesPrHeadSha
|
||||
) {
|
||||
return
|
||||
}
|
||||
|
||||
throw new Error(
|
||||
`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
|
||||
`This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
|
||||
`cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
|
||||
`context commonly leads to "pwn request" vulnerabilities. To opt in, review the risks ` +
|
||||
`at https://gh.io/securely-using-pull_request_target and set 'allow-unsafe-pr-checkout: true' ` +
|
||||
`on the actions/checkout step.`
|
||||
)
|
||||
}
|
||||
|
||||
function pushIfSha(target: string[], value: unknown): void {
|
||||
if (typeof value === 'string' && value.length > 0) {
|
||||
target.push(value.toLowerCase())
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user