.

.eslintrc.json

@@ -1,6 +1,6 @@
 {
   "plugins": ["jest", "@typescript-eslint"],
-  "extends": ["plugin:github/recommended"],
+  "extends": ["plugin:github/es6"],
   "parser": "@typescript-eslint/parser",
   "parserOptions": {
     "ecmaVersion": 9,
@@ -16,19 +16,23 @@
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",
+    "@typescript-eslint/ban-ts-ignore": "error",
     "camelcase": "off",
+    "@typescript-eslint/camelcase": "error",
+    "@typescript-eslint/class-name-casing": "error",
     "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
     "@typescript-eslint/func-call-spacing": ["error", "never"],
+    "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
     "@typescript-eslint/no-array-constructor": "error",
     "@typescript-eslint/no-empty-interface": "error",
     "@typescript-eslint/no-explicit-any": "error",
     "@typescript-eslint/no-extraneous-class": "error",
-    "@typescript-eslint/no-floating-promises": "error",
     "@typescript-eslint/no-for-in-array": "error",
     "@typescript-eslint/no-inferrable-types": "error",
     "@typescript-eslint/no-misused-new": "error",
     "@typescript-eslint/no-namespace": "error",
     "@typescript-eslint/no-non-null-assertion": "warn",
+    "@typescript-eslint/no-object-literal-type-assertion": "error",
     "@typescript-eslint/no-unnecessary-qualifier": "error",
     "@typescript-eslint/no-unnecessary-type-assertion": "error",
     "@typescript-eslint/no-useless-constructor": "error",
@@ -36,6 +40,7 @@
     "@typescript-eslint/prefer-for-of": "warn",
     "@typescript-eslint/prefer-function-type": "warn",
     "@typescript-eslint/prefer-includes": "error",
+    "@typescript-eslint/prefer-interface": "error",
     "@typescript-eslint/prefer-string-starts-ends-with": "error",
     "@typescript-eslint/promise-function-async": "error",
     "@typescript-eslint/require-array-sort-compare": "error",

.gitattributes

@@ -1 +0,0 @@
-.licenses/** -diff linguist-generated=true

.github/workflows/check-dist.yml

@@ -1,51 +0,0 @@
-# `dist/index.js` is a special file in Actions.
-# When you reference an action with `uses:` in a workflow,
-# `index.js` is the code that will run.
-# For our project, we generate this file through a build process
-# from other source files.
-# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
-name: Check dist
-
-on:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - '**.md'
-  pull_request:
-    paths-ignore:
-      - '**.md'
-  workflow_dispatch:
-
-jobs:
-  check-dist:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set Node.js 12.x
-        uses: actions/setup-node@v1
-        with:
-          node-version: 12.x
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Rebuild the index.js file
-        run: npm run build
-
-      - name: Compare the expected and actual dist/ directories
-        run: |
-          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
-            echo "Detected uncommitted changes after build.  See status below:"
-            git diff
-            exit 1
-          fi
-
-      # If dist/ was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v2
-        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
-        with:
-          name: dist
-          path: dist/

.github/workflows/codeql-analysis.yml

@@ -1,58 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  schedule:
-    - cron: '28 9 * * 0'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    - run: npm ci
-    - run: npm run build
-    - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1

.github/workflows/licensed.yml

@@ -1,14 +0,0 @@
-name: Licensed
-
-on:
-  push: {branches: main}
-  pull_request: {branches: main}
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    name: Check licenses
-    steps:
-      - uses: actions/checkout@v2
-      - run: npm ci
-      - run: npm run licensed-check

.github/workflows/test.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
   push:
     branches:
-      - main
+      - master
       - releases/*
 
 jobs:
@@ -142,7 +142,7 @@ jobs:
       options: --dns 127.0.0.1
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: datadog/squid:latest
         ports:
           - 3128:3128
     env:
@@ -205,41 +205,3 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3

.gitignore

@@ -1,4 +1,3 @@
 __test__/_temp
-_temp/
 lib/
 node_modules/

.licensed.yml

@@ -1,14 +0,0 @@
-sources:
-  npm: true
-
-allowed:
-  - apache-2.0
-  - bsd-2-clause
-  - bsd-3-clause
-  - isc
-  - mit
-  - cc0-1.0
-  - unlicense
-
-reviewed:
-  npm:

CHANGELOG.md

@@ -1,49 +1,5 @@
 # Changelog
 
-## v2.5.0
-- [Bump @actions/core to v1.10.0](https://github.com/actions/checkout/pull/962)
-
-## v2.4.2
-- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/776)
-
-## v2.4.1
-- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)
-
-## v2.3.1
-
-- [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
-
-
-## v2.3.0
-
-- [Fallback to the default branch](https://github.com/actions/checkout/pull/278)
-
-## v2.2.0
-
-- [Fetch all history for all tags and branches when fetch-depth=0](https://github.com/actions/checkout/pull/258)
-
-## v2.1.1
-
-- Changes to support GHES ([here](https://github.com/actions/checkout/pull/236) and [here](https://github.com/actions/checkout/pull/248))
-
-## v2.1.0
-
-- [Group output](https://github.com/actions/checkout/pull/191)
-- [Changes to support GHES alpha release](https://github.com/actions/checkout/pull/199)
-- [Persist core.sshCommand for submodules](https://github.com/actions/checkout/pull/184)
-- [Add support ssh](https://github.com/actions/checkout/pull/163)
-- [Convert submodule SSH URL to HTTPS, when not using SSH](https://github.com/actions/checkout/pull/179)
-- [Add submodule support](https://github.com/actions/checkout/pull/157)
-- [Follow proxy settings](https://github.com/actions/checkout/pull/144)
-- [Fix ref for pr closed event when a pr is merged](https://github.com/actions/checkout/pull/141)
-- [Fix issue checking detached when git less than 2.22](https://github.com/actions/checkout/pull/128)
-
-## v2.0.0
-
-- [Do not pass cred on command line](https://github.com/actions/checkout/pull/108)
-- [Add input persist-credentials](https://github.com/actions/checkout/pull/107)
-- [Fallback to REST API to download repo](https://github.com/actions/checkout/pull/104)
-
 ## v2 (beta)
 
 - Improved fetch performance

CODEOWNERS

@@ -1 +0,0 @@
-* @actions/actions-runtime

README.md

@@ -6,7 +6,7 @@
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth` to fetch more history. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
 The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
 
@@ -18,7 +18,6 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
   - Fetches only a single commit by default
 - Script authenticated git commands
   - Auth token persisted in the local git config
-- Supports SSH
 - Creates a local branch
   - No longer detached HEAD when checking out a branch
 - Improved layout
@@ -27,6 +26,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 - Fallback to REST API download
   - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
   - When using a job container, the container's PATH is used
+- Removed input `submodules`
 
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
 
@@ -42,7 +42,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
     # The branch, tag or SHA to checkout. When checking out the repository that
     # triggered a workflow, this defaults to the reference or SHA for that event.
-    # Otherwise, uses the default branch.
+    # Otherwise, defaults to `master`.
     ref: ''
 
     # Personal access token (PAT) used to fetch the repository. The PAT is configured
@@ -89,7 +89,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # Default: true
     clean: ''
 
-    # Number of commits to fetch. 0 indicates all history for all branches and tags.
+    # Number of commits to fetch. 0 indicates all history.
     # Default: 1
     fetch-depth: ''
 
@@ -105,17 +105,11 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     #
     # Default: false
     submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->
 
 # Scenarios
 
-- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
 - [Checkout a different branch](#Checkout-a-different-branch)
 - [Checkout HEAD^](#Checkout-HEAD)
 - [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
@@ -123,15 +117,10 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
-- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
-
-## Fetch all history for all tags and branches
-
-```yaml
-- uses: actions/checkout@v2
-  with:
-    fetch-depth: 0
-```
+- [Checkout submodules](#Checkout-submodules)
+- [Fetch all tags](#Fetch-all-tags)
+- [Fetch all branches](#Fetch-all-branches)
+- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
 
 ## Checkout a different branch
 
@@ -190,7 +179,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
   uses: actions/checkout@v2
   with:
     repository: my-org/my-private-tools
-    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
+    token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
     path: my-tools
 ```
 
@@ -210,7 +199,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```yaml
 on:
   pull_request:
-    branches: [main]
+    branches: [master]
     types: [opened, synchronize, closed]
 jobs:
   build:
@@ -219,22 +208,41 @@ jobs:
       - uses: actions/checkout@v2
 ```
 
-## Push a commit using the built-in token
+## Checkout submodules
 
 ```yaml
-on: push
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - run: |
-          date > generated.txt
-          git config user.name github-actions
-          git config user.email github-actions@github.com
-          git add .
-          git commit -m "generated"
-          git push
+- uses: actions/checkout@v2
+- name: Checkout submodules
+  shell: bash
+  run: |
+    # If your submodules are configured to use SSH instead of HTTPS please uncomment the following line
+    # git config --global url."https://github.com/".insteadOf "git@github.com:"
+    auth_header="$(git config --local --get http.https://github.com/.extraheader)"
+    git submodule sync --recursive
+    git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
+```
+
+## Fetch all tags
+
+```yaml
+- uses: actions/checkout@v2
+- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
+```
+
+## Fetch all branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+```
+
+## Fetch all history for all tags and branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --prune --unshallow
 ```
 
 # License

__test__/git-auth-helper.test.ts

@@ -417,7 +417,7 @@ describe('git-auth-helper tests', () => {
           `Did not expect file to exist: '${globalGitConfigPath}'`
         )
       } catch (err) {
-        if ((err as any)?.code !== 'ENOENT') {
+        if (err.code !== 'ENOENT') {
           throw err
         }
       }
@@ -518,17 +518,12 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
-        /url.*insteadOf.*git@github.com:/
-      )
-      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
-        /url.*insteadOf.*org-123456@github.com:/
-      )
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/url.*insteadOf/)
     }
   )
 
@@ -606,7 +601,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKeyPath)
       throw new Error('SSH key should have been deleted')
     } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
+      if (err.code !== 'ENOENT') {
         throw err
       }
     }
@@ -616,7 +611,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKnownHostsPath)
       throw new Error('SSH known hosts should have been deleted')
     } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
+      if (err.code !== 'ENOENT') {
         throw err
       }
     }
@@ -643,11 +638,10 @@ describe('git-auth-helper tests', () => {
     expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
-  const removeGlobalConfig_removesOverride =
-    'removeGlobalConfig removes override'
-  it(removeGlobalConfig_removesOverride, async () => {
+  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
+  it(removeGlobalAuth_removesOverride, async () => {
     // Arrange
-    await setup(removeGlobalConfig_removesOverride)
+    await setup(removeGlobalAuth_removesOverride)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
     await authHelper.configureGlobalAuth()
@@ -656,7 +650,7 @@ describe('git-auth-helper tests', () => {
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
-    await authHelper.removeGlobalConfig()
+    await authHelper.removeGlobalAuth()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
@@ -664,7 +658,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(homeOverride)
       throw new Error(`Should have been deleted '${homeOverride}'`)
     } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
+      if (err.code !== 'ENOENT') {
         throw err
       }
     }
@@ -720,7 +714,6 @@ async function setup(testName: string): Promise<void> {
     ),
     env: {},
     fetch: jest.fn(),
-    getDefaultBranch: jest.fn(),
     getWorkingDirectory: jest.fn(() => workspace),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -729,11 +722,10 @@ async function setup(testName: string): Promise<void> {
     log1: jest.fn(),
     remoteAdd: jest.fn(),
     removeEnvironmentVariable: jest.fn((name: string) => delete git.env[name]),
-    revParse: jest.fn(),
     setEnvironmentVariable: jest.fn((name: string, value: string) => {
       git.env[name] = value
     }),
-    shaExists: jest.fn(),
+    setRemoteUrl: jest.fn(),
     submoduleForeach: jest.fn(async () => {
       return ''
     }),
@@ -757,7 +749,7 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
-    tryGetFetchUrl: jest.fn(),
+    tryGetRemoteUrl: jest.fn(),
     tryReset: jest.fn()
   }
 
@@ -766,19 +758,18 @@ async function setup(testName: string): Promise<void> {
     clean: true,
     commit: '',
     fetchDepth: 1,
+    isWorkflowRepository: true,
     lfs: false,
     submodules: false,
     nestedSubmodules: false,
     persistCredentials: true,
-    ref: 'refs/heads/main',
+    ref: 'refs/heads/master',
     repositoryName: 'my-repo',
     repositoryOwner: 'my-org',
     repositoryPath: '',
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
-    sshStrict: true,
-    workflowOrganizationId: 123456,
-    setSafeDirectory: true
+    sshStrict: true
   }
 }
 

__test__/git-directory-helper.test.ts

@@ -7,9 +7,9 @@ import {IGitCommandManager} from '../lib/git-command-manager'
 
 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
-let repositoryUrl: string
+let httpsUrl: string
+let sshUrl: string
 let clean: boolean
-let ref: string
 let git: IGitCommandManager
 
 describe('git-directory-helper tests', () => {
@@ -41,9 +41,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -64,9 +64,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -90,9 +90,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -112,9 +112,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -141,9 +141,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -161,16 +161,16 @@ describe('git-directory-helper tests', () => {
     await setup(removesContentsWhenDifferentRepositoryUrl)
     clean = false
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const differentRepositoryUrl =
+    const differentRemoteUrl =
       'https://github.com/my-different-org/my-different-repo'
 
     // Act
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      differentRepositoryUrl,
-      clean,
-      ref
+      differentRemoteUrl,
+      [differentRemoteUrl],
+      clean
     )
 
     // Assert
@@ -193,9 +193,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -219,9 +219,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -244,9 +244,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       undefined,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -269,9 +269,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -300,9 +300,9 @@ describe('git-directory-helper tests', () => {
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
@@ -317,66 +317,54 @@ describe('git-directory-helper tests', () => {
     expect(git.tryReset).not.toHaveBeenCalled()
   })
 
-  const removesAncestorRemoteBranch = 'removes ancestor remote branch'
-  it(removesAncestorRemoteBranch, async () => {
+  const removesRemoteBranches = 'removes local branches'
+  it(removesRemoteBranches, async () => {
     // Arrange
-    await setup(removesAncestorRemoteBranch)
+    await setup(removesRemoteBranches)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
     const mockBranchList = git.branchList as jest.Mock<any, any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
-      return remote ? ['origin/remote-branch-1', 'origin/remote-branch-2'] : []
+      return remote ? ['remote-branch-1', 'remote-branch-2'] : []
     })
-    ref = 'remote-branch-1/conflict'
 
     // Act
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      httpsUrl,
+      [httpsUrl, sshUrl],
+      clean
     )
 
     // Assert
     const files = await fs.promises.readdir(repositoryPath)
     expect(files.sort()).toEqual(['.git', 'my-file'])
-    expect(git.branchDelete).toHaveBeenCalledTimes(1)
-    expect(git.branchDelete).toHaveBeenCalledWith(
-      true,
-      'origin/remote-branch-1'
-    )
+    expect(git.branchDelete).toHaveBeenCalledWith(true, 'remote-branch-1')
+    expect(git.branchDelete).toHaveBeenCalledWith(true, 'remote-branch-2')
   })
 
-  const removesDescendantRemoteBranches = 'removes descendant remote branch'
-  it(removesDescendantRemoteBranches, async () => {
+  const updatesRemoteUrl = 'updates remote URL'
+  it(updatesRemoteUrl, async () => {
     // Arrange
-    await setup(removesDescendantRemoteBranches)
+    await setup(updatesRemoteUrl)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any, any>
-    mockBranchList.mockImplementation(async (remote: boolean) => {
-      return remote
-        ? ['origin/remote-branch-1/conflict', 'origin/remote-branch-2']
-        : []
-    })
-    ref = 'remote-branch-1'
 
     // Act
     await gitDirectoryHelper.prepareExistingDirectory(
       git,
       repositoryPath,
-      repositoryUrl,
-      clean,
-      ref
+      sshUrl,
+      [sshUrl, httpsUrl],
+      clean
     )
 
     // Assert
     const files = await fs.promises.readdir(repositoryPath)
     expect(files.sort()).toEqual(['.git', 'my-file'])
-    expect(git.branchDelete).toHaveBeenCalledTimes(1)
-    expect(git.branchDelete).toHaveBeenCalledWith(
-      true,
-      'origin/remote-branch-1/conflict'
-    )
+    expect(git.isDetached).toHaveBeenCalled()
+    expect(git.branchList).toHaveBeenCalled()
+    expect(core.warning).not.toHaveBeenCalled()
+    expect(git.setRemoteUrl).toHaveBeenCalledWith(sshUrl)
   })
 })
 
@@ -387,15 +375,13 @@ async function setup(testName: string): Promise<void> {
   repositoryPath = path.join(testWorkspace, testName)
   await fs.promises.mkdir(path.join(repositoryPath, '.git'), {recursive: true})
 
-  // Repository URL
-  repositoryUrl = 'https://github.com/my-org/my-repo'
+  // Remote URLs
+  httpsUrl = 'https://github.com/my-org/my-repo'
+  sshUrl = 'git@github.com:my-org/my-repo'
 
   // Clean
   clean = true
 
-  // Ref
-  ref = ''
-
   // Git command manager
   git = {
     branchDelete: jest.fn(),
@@ -408,7 +394,6 @@ async function setup(testName: string): Promise<void> {
     config: jest.fn(),
     configExists: jest.fn(),
     fetch: jest.fn(),
-    getDefaultBranch: jest.fn(),
     getWorkingDirectory: jest.fn(() => repositoryPath),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -417,9 +402,8 @@ async function setup(testName: string): Promise<void> {
     log1: jest.fn(),
     remoteAdd: jest.fn(),
     removeEnvironmentVariable: jest.fn(),
-    revParse: jest.fn(),
     setEnvironmentVariable: jest.fn(),
-    shaExists: jest.fn(),
+    setRemoteUrl: jest.fn(),
     submoduleForeach: jest.fn(),
     submoduleSync: jest.fn(),
     submoduleUpdate: jest.fn(),
@@ -429,10 +413,10 @@ async function setup(testName: string): Promise<void> {
     }),
     tryConfigUnset: jest.fn(),
     tryDisableAutomaticGarbageCollection: jest.fn(),
-    tryGetFetchUrl: jest.fn(async () => {
+    tryGetRemoteUrl: jest.fn(async () => {
       // Sanity check - this function shouldn't be called when the .git directory doesn't exist
       await fs.promises.stat(path.join(repositoryPath, '.git'))
-      return repositoryUrl
+      return httpsUrl
     }),
     tryReset: jest.fn(async () => {
       return true

__test__/input-helper.test.ts

@@ -1,9 +1,9 @@
+import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
-import * as workflowContextHelper from '../lib/workflow-context-helper'
 import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -43,11 +43,6 @@ describe('input-helper tests', () => {
       .spyOn(fsHelper, 'directoryExistsSync')
       .mockImplementation((path: string) => path == gitHubWorkspace)
 
-    // Mock ./workflowContextHelper getOrganizationId()
-    jest
-      .spyOn(workflowContextHelper, 'getOrganizationId')
-      .mockImplementation(() => Promise.resolve(123456))
-
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -72,8 +67,8 @@ describe('input-helper tests', () => {
     jest.restoreAllMocks()
   })
 
-  it('sets defaults', async () => {
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+  it('sets defaults', () => {
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
     expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
@@ -85,14 +80,13 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
   })
 
-  it('qualifies ref', async () => {
+  it('qualifies ref', () => {
     let originalRef = github.context.ref
     try {
       github.context.ref = 'some-unqualified-ref'
-      const settings: IGitSourceSettings = await inputHelper.getInputs()
+      const settings: IGitSourceSettings = inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@@ -101,42 +95,39 @@ describe('input-helper tests', () => {
     }
   })
 
-  it('requires qualified repo', async () => {
+  it('requires qualified repo', () => {
     inputs.repository = 'some-unqualified-repo'
-    try {
-      await inputHelper.getInputs()
-      throw 'should not reach here'
-    } catch (err) {
-      expect(`(${(err as any).message}`).toMatch(
-        "Invalid repository 'some-unqualified-repo'"
-      )
-    }
+    assert.throws(() => {
+      inputHelper.getInputs()
+    }, /Invalid repository 'some-unqualified-repo'/)
   })
 
-  it('roots path', async () => {
+  it('roots path', () => {
     inputs.path = 'some-directory/some-subdirectory'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.repositoryPath).toBe(
       path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
     )
   })
 
-  it('sets ref to empty when explicit sha', async () => {
+  it('sets correct default ref/sha for other repo', () => {
+    inputs.repository = 'some-owner/some-other-repo'
+    const settings: IGitSourceSettings = inputHelper.getInputs()
+    expect(settings.ref).toBe('refs/heads/master')
+    expect(settings.commit).toBeFalsy()
+  })
+
+  it('sets ref to empty when explicit sha', () => {
     inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBeFalsy()
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets sha to empty when explicit ref', async () => {
+  it('sets sha to empty when explicit ref', () => {
     inputs.ref = 'refs/heads/some-other-ref'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/some-other-ref')
     expect(settings.commit).toBeFalsy()
   })
-
-  it('sets workflow organization ID', async () => {
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
-    expect(settings.workflowOrganizationId).toBe(123456)
-  })
 })

__test__/override-git-version.cmd

@@ -2,5 +2,5 @@
 mkdir override-git-version
 cd override-git-version
 echo @echo override git version 1.2.3 > git.cmd
-echo "%CD%" >> $GITHUB_PATH
+echo ::add-path::%CD%
 cd ..

__test__/override-git-version.sh

@@ -5,5 +5,5 @@ cd override-git-version
 echo "#!/bin/sh" > git
 echo "echo override git version 1.2.3" >> git
 chmod +x git
-echo "$(pwd)" >> $GITHUB_PATH
+echo "::add-path::$(pwd)"
 cd ..

__test__/ref-helper.test.ts

@@ -16,7 +16,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'refs/heads/my/branch', commit)
       throw new Error('Should not reach here')
     } catch (err) {
-      expect((err as any)?.message).toBe('Arg git cannot be empty')
+      expect(err.message).toBe('Arg git cannot be empty')
     }
   })
 
@@ -25,9 +25,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, '', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect((err as any)?.message).toBe(
-        'Args ref and commit cannot both be empty'
-      )
+      expect(err.message).toBe('Args ref and commit cannot both be empty')
     }
   })
 
@@ -104,7 +102,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'my-ref', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect((err as any)?.message).toBe(
+      expect(err.message).toBe(
         "A branch or tag with the name 'my-ref' could not be found"
       )
     }

__test__/retry-helper.test.ts

@@ -74,7 +74,7 @@ describe('retry-helper tests', () => {
         throw new Error(`some error ${++attempts}`)
       })
     } catch (err) {
-      error = err as Error
+      error = err
     }
     expect(error.message).toBe('some error 3')
     expect(attempts).toBe(3)

__test__/verify-basic.sh

@@ -20,5 +20,5 @@ else
 
   # Verify auth token
   cd basic
-  git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
+  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
 fi

__test__/verify-no-unstaged-changes.sh

@@ -12,6 +12,6 @@ if [[ "$(git status --porcelain)" != "" ]]; then
     echo ----------------------------------------
     echo Troubleshooting
     echo ----------------------------------------
-    echo "::error::Unstaged changes detected. Locally try running: git clean -ffdx && npm ci && npm run format && npm run build"
+    echo "::error::Unstaged changes detected. Locally try running: git clean -ffdx && npm ci && npm run all"
     exit 1
 fi

action.yml

@@ -8,7 +8,7 @@ inputs:
     description: >
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, uses the default branch.
+      event.  Otherwise, defaults to `master`.
   token:
     description: >
       Personal access token (PAT) used to fetch the repository. The PAT is configured
@@ -54,7 +54,7 @@ inputs:
     description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
     default: true
   fetch-depth:
-    description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.'
+    description: 'Number of commits to fetch. 0 indicates all history.'
     default: 1
   lfs:
     description: 'Whether to download Git-LFS files'
@@ -68,9 +68,6 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
   using: node12
   main: dist/index.js

adrs/0153-checkout-v2.md

@@ -24,31 +24,19 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
     description: >
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, uses the default branch.
+      event.  Otherwise, defaults to `master`.
   token:
     description: >
       Personal access token (PAT) used to fetch the repository. The PAT is configured
       with the local git config, which enables your scripts to run authenticated git
-      commands. The post-job step removes the PAT.
-
-
-      We recommend using a service account with the least permissions necessary.
-      Also when generating a new PAT, select the least scopes necessary.
-
-
-      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+      commands. The post-job step removes the PAT. [Learn more about creating and using
+      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     default: ${{ github.token }}
   ssh-key:
     description: >
-      SSH key used to fetch the repository. The SSH key is configured with the local
+      SSH key used to fetch the repository. SSH key is configured with the local
       git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the SSH key.
-
-
-      We recommend using a service account with the least permissions necessary.
-
-
-      [Learn more about creating and using
+      The post-job step removes the SSH key. [Learn more about creating and using
       encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
   ssh-known-hosts:
     description: >
@@ -56,10 +44,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
       SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
       `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
   ssh-strict:
-    description: >
-      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
-      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
-      configure additional hosts.
+    description: 'Whether to perform strict host key checking'
     default: true
   persist-credentials:
     description: 'Whether to configure the token or SSH key with the local git config'
@@ -70,7 +55,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
     description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
     default: true
   fetch-depth:
-    description: 'Number of commits to fetch. 0 indicates all history for all tags and branches.'
+    description: 'Number of commits to fetch. 0 indicates all history.'
     default: 1
   lfs:
     description: 'Whether to download Git-LFS files'
@@ -79,11 +64,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
     description: >
       Whether to checkout submodules: `true` to checkout submodules or `recursive` to
       recursively checkout submodules.
-
-
-      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
-      converted to HTTPS.
-    default: false
+    default: 'false'
 ```
 
 Note:
@@ -277,7 +258,7 @@ Note:
 ### Branching strategy and release tags
 
 - Create a servicing branch for V1: `releases/v1`
-- Merge the changes into the default branch
+- Merge the changes into `master`
 - Release using a new tag `preview`
 - When stable, release using a new tag `v2`
 

package.json

@@ -1,16 +1,14 @@
 {
   "name": "checkout",
-  "version": "2.6.0",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
     "build": "tsc && ncc build && node lib/misc/generate-docs.js",
-    "format": "prettier --write '**/*.ts'",
-    "format-check": "prettier --check '**/*.ts'",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
     "lint": "eslint src/**/*.ts",
-    "test": "jest",
-    "licensed-check": "src/misc/licensed-check.sh",
-    "licensed-generate": "src/misc/licensed-generate.sh"
+    "test": "jest"
   },
   "repository": {
     "type": "git",
@@ -28,28 +26,27 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.10.0",
+    "@actions/core": "^1.1.3",
     "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.2.0",
-    "@actions/io": "^1.1.2",
+    "@actions/github": "^2.0.2",
+    "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
     "uuid": "^3.3.3"
   },
   "devDependencies": {
-    "@types/jest": "^27.0.2",
+    "@types/jest": "^24.0.23",
     "@types/node": "^12.7.12",
     "@types/uuid": "^3.4.6",
-    "@typescript-eslint/eslint-plugin": "^5.45.0",
-    "@typescript-eslint/parser": "^5.45.0",
+    "@typescript-eslint/parser": "^2.8.0",
     "@zeit/ncc": "^0.20.5",
-    "eslint": "^7.32.0",
-    "eslint-plugin-github": "^4.3.2",
-    "eslint-plugin-jest": "^25.7.0",
-    "jest": "^27.3.0",
-    "jest-circus": "^27.3.0",
+    "eslint": "^5.16.0",
+    "eslint-plugin-github": "^2.0.0",
+    "eslint-plugin-jest": "^22.21.0",
+    "jest": "^24.9.0",
+    "jest-circus": "^24.9.0",
     "js-yaml": "^3.13.1",
     "prettier": "^1.19.1",
-    "ts-jest": "^27.0.7",
-    "typescript": "^4.4.4"
+    "ts-jest": "^24.2.0",
+    "typescript": "^3.6.4"
   }
 }

src/fs-helper.ts

@@ -9,7 +9,7 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if ((error as any)?.code === 'ENOENT') {
+    if (error.code === 'ENOENT') {
       if (!required) {
         return false
       }
@@ -18,8 +18,7 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
-        ?.message ?? error}`
+      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
     )
   }
 
@@ -40,13 +39,12 @@ export function existsSync(path: string): boolean {
   try {
     fs.statSync(path)
   } catch (error) {
-    if ((error as any)?.code === 'ENOENT') {
+    if (error.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
-        ?.message ?? error}`
+      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
     )
   }
 
@@ -62,13 +60,12 @@ export function fileExistsSync(path: string): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if ((error as any)?.code === 'ENOENT') {
+    if (error.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
-        ?.message ?? error}`
+      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
     )
   }
 

src/git-auth-helper.ts

@@ -7,21 +7,20 @@ import * as os from 'os'
 import * as path from 'path'
 import * as regexpHelper from './regexp-helper'
 import * as stateHelper from './state-helper'
-import * as urlHelper from './url-helper'
 import {default as uuid} from 'uuid/v4'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 
 const IS_WINDOWS = process.platform === 'win32'
+const HOSTNAME = 'github.com'
 const SSH_COMMAND_KEY = 'core.sshCommand'
 
 export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
   removeAuth(): Promise<void>
-  removeGlobalConfig(): Promise<void>
+  removeGlobalAuth(): Promise<void>
 }
 
 export function createAuthHelper(
@@ -34,26 +33,24 @@ export function createAuthHelper(
 class GitAuthHelper {
   private readonly git: IGitCommandManager
   private readonly settings: IGitSourceSettings
-  private readonly tokenConfigKey: string
-  private readonly tokenConfigValue: string
+  private readonly tokenConfigKey: string = `http.https://${HOSTNAME}/.extraheader`
   private readonly tokenPlaceholderConfigValue: string
-  private readonly insteadOfKey: string
-  private readonly insteadOfValues: string[] = []
+  private readonly insteadOfKey: string = `url.https://${HOSTNAME}/.insteadOf`
+  private readonly insteadOfValue: string = `git@${HOSTNAME}:`
   private sshCommand = ''
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
   private temporaryHomePath = ''
+  private tokenConfigValue: string
 
   constructor(
     gitCommandManager: IGitCommandManager,
-    gitSourceSettings: IGitSourceSettings | undefined
+    gitSourceSettings?: IGitSourceSettings
   ) {
     this.git = gitCommandManager
     this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
 
     // Token auth header
-    const serverUrl = urlHelper.getServerUrl()
-    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
     const basicCredential = Buffer.from(
       `x-access-token:${this.settings.authToken}`,
       'utf8'
@@ -61,15 +58,6 @@ class GitAuthHelper {
     core.setSecret(basicCredential)
     this.tokenPlaceholderConfigValue = `AUTHORIZATION: basic ***`
     this.tokenConfigValue = `AUTHORIZATION: basic ${basicCredential}`
-
-    // Instead of SSH URL
-    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
-    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
-    if (this.settings.workflowOrganizationId) {
-      this.insteadOfValues.push(
-        `org-${this.settings.workflowOrganizationId}@github.com:`
-      )
-    }
   }
 
   async configureAuth(): Promise<void> {
@@ -81,11 +69,7 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureTempGlobalConfig(): Promise<string> {
-    // Already setup global config
-    if (this.temporaryHomePath?.length > 0) {
-      return path.join(this.temporaryHomePath, '.gitconfig')
-    }
+  async configureGlobalAuth(): Promise<void> {
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@@ -104,7 +88,7 @@ class GitAuthHelper {
       await fs.promises.stat(gitConfigPath)
       configExists = true
     } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
+      if (err.code !== 'ENOENT') {
         throw err
       }
     }
@@ -115,28 +99,20 @@ class GitAuthHelper {
       await fs.promises.writeFile(newGitConfigPath, '')
     }
 
-    // Override HOME
-    core.info(
-      `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
-    )
-    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
-
-    return newGitConfigPath
-  }
-
-  async configureGlobalAuth(): Promise<void> {
-    // 'configureTempGlobalConfig' noops if already set, just returns the path
-    const newGitConfigPath = await this.configureTempGlobalConfig()
     try {
+      // Override HOME
+      core.info(
+        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
+      )
+      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+
       // Configure the token
       await this.configureToken(newGitConfigPath, true)
 
       // Configure HTTPS instead of SSH
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
-        for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
-        }
+        await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
       }
     } catch (err) {
       // Unset in case somehow written to the real global config
@@ -157,8 +133,7 @@ class GitAuthHelper {
       // by process creation audit events, which are commonly logged. For more information,
       // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
       const output = await this.git.submoduleForeach(
-        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
+        `git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url`,
         this.settings.nestedSubmodules
       )
 
@@ -167,7 +142,7 @@ class GitAuthHelper {
         output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
       for (const configPath of configPaths) {
         core.debug(`Replacing token placeholder in '${configPath}'`)
-        await this.replaceTokenPlaceholder(configPath)
+        this.replaceTokenPlaceholder(configPath)
       }
 
       if (this.settings.sshKey) {
@@ -178,12 +153,10 @@ class GitAuthHelper {
         )
       } else {
         // Configure HTTPS instead of SSH
-        for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.submoduleForeach(
-            `git config --local --add '${this.insteadOfKey}' '${insteadOfValue}'`,
-            this.settings.nestedSubmodules
-          )
-        }
+        await this.git.submoduleForeach(
+          `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
+          this.settings.nestedSubmodules
+        )
       }
     }
   }
@@ -193,12 +166,10 @@ class GitAuthHelper {
     await this.removeToken()
   }
 
-  async removeGlobalConfig(): Promise<void> {
-    if (this.temporaryHomePath?.length > 0) {
-      core.debug(`Unsetting HOME override`)
-      this.git.removeEnvironmentVariable('HOME')
-      await io.rmRF(this.temporaryHomePath)
-    }
+  async removeGlobalAuth(): Promise<void> {
+    core.debug(`Unsetting HOME override`)
+    this.git.removeEnvironmentVariable('HOME')
+    await io.rmRF(this.temporaryHomePath)
   }
 
   private async configureSsh(): Promise<void> {
@@ -236,7 +207,7 @@ class GitAuthHelper {
         await fs.promises.readFile(userKnownHostsPath)
       ).toString()
     } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
+      if (err.code !== 'ENOENT') {
         throw err
       }
     }
@@ -325,7 +296,7 @@ class GitAuthHelper {
       try {
         await io.rmRF(keyPath)
       } catch (err) {
-        core.debug(`${(err as any)?.message ?? err}`)
+        core.debug(err.message)
         core.warning(`Failed to remove SSH key '${keyPath}'`)
       }
     }
@@ -366,8 +337,7 @@ class GitAuthHelper {
 
     const pattern = regexpHelper.escape(configKey)
     await this.git.submoduleForeach(
-      // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-      `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
+      `git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :`,
       true
     )
   }

src/git-command-manager.ts

@@ -3,7 +3,6 @@ import * as exec from '@actions/exec'
 import * as fshelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as refHelper from './ref-helper'
 import * as regexpHelper from './regexp-helper'
 import * as retryHelper from './retry-helper'
 import {GitVersion} from './git-version'
@@ -21,23 +20,20 @@ export interface IGitCommandManager {
   config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean,
-    add?: boolean
+    globalConfig?: boolean
   ): Promise<void>
   configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
-  fetch(refSpec: string[], fetchDepth?: number): Promise<void>
-  getDefaultBranch(repositoryUrl: string): Promise<string>
+  fetch(fetchDepth: number, refSpec: string[]): Promise<void>
   getWorkingDirectory(): string
   init(): Promise<void>
   isDetached(): Promise<boolean>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
-  log1(format?: string): Promise<string>
+  log1(): Promise<void>
   remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
   removeEnvironmentVariable(name: string): void
-  revParse(ref: string): Promise<string>
   setEnvironmentVariable(name: string, value: string): void
-  shaExists(sha: string): Promise<boolean>
+  setRemoteUrl(url: string): Promise<void>
   submoduleForeach(command: string, recursive: boolean): Promise<string>
   submoduleSync(recursive: boolean): Promise<void>
   submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
@@ -45,7 +41,7 @@ export interface IGitCommandManager {
   tryClean(): Promise<boolean>
   tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
-  tryGetFetchUrl(): Promise<string>
+  tryGetRemoteUrl(): Promise<string>
   tryReset(): Promise<boolean>
 }
 
@@ -141,15 +137,14 @@ class GitCommandManager {
   async config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean,
-    add?: boolean
+    globalConfig?: boolean
   ): Promise<void> {
-    const args: string[] = ['config', globalConfig ? '--global' : '--local']
-    if (add) {
-      args.push('--add')
-    }
-    args.push(...[configKey, configValue])
-    await this.execGit(args)
+    await this.execGit([
+      'config',
+      globalConfig ? '--global' : '--local',
+      configKey,
+      configValue
+    ])
   }
 
   async configExists(
@@ -170,14 +165,17 @@ class GitCommandManager {
     return output.exitCode === 0
   }
 
-  async fetch(refSpec: string[], fetchDepth?: number): Promise<void> {
-    const args = ['-c', 'protocol.version=2', 'fetch']
-    if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
-      args.push('--no-tags')
-    }
-
-    args.push('--prune', '--progress', '--no-recurse-submodules')
-    if (fetchDepth && fetchDepth > 0) {
+  async fetch(fetchDepth: number, refSpec: string[]): Promise<void> {
+    const args = [
+      '-c',
+      'protocol.version=2',
+      'fetch',
+      '--no-tags',
+      '--prune',
+      '--progress',
+      '--no-recurse-submodules'
+    ]
+    if (fetchDepth > 0) {
       args.push(`--depth=${fetchDepth}`)
     } else if (
       fshelper.fileExistsSync(
@@ -198,34 +196,6 @@ class GitCommandManager {
     })
   }
 
-  async getDefaultBranch(repositoryUrl: string): Promise<string> {
-    let output: GitOutput | undefined
-    await retryHelper.execute(async () => {
-      output = await this.execGit([
-        'ls-remote',
-        '--quiet',
-        '--exit-code',
-        '--symref',
-        repositoryUrl,
-        'HEAD'
-      ])
-    })
-
-    if (output) {
-      // Satisfy compiler, will always be set
-      for (let line of output.stdout.trim().split('\n')) {
-        line = line.trim()
-        if (line.startsWith('ref:') || line.endsWith('HEAD')) {
-          return line
-            .substr('ref:'.length, line.length - 'ref:'.length - 'HEAD'.length)
-            .trim()
-        }
-      }
-    }
-
-    throw new Error('Unexpected output when retrieving default branch')
-  }
-
   getWorkingDirectory(): string {
     return this.workingDirectory
   }
@@ -256,11 +226,8 @@ class GitCommandManager {
     await this.execGit(['lfs', 'install', '--local'])
   }
 
-  async log1(format?: string): Promise<string> {
-    var args = format ? ['log', '-1', format] : ['log', '-1']
-    var silent = format ? false : true
-    const output = await this.execGit(args, false, silent)
-    return output.stdout
+  async log1(): Promise<void> {
+    await this.execGit(['log', '-1'])
   }
 
   async remoteAdd(remoteName: string, remoteUrl: string): Promise<void> {
@@ -271,25 +238,12 @@ class GitCommandManager {
     delete this.gitEnv[name]
   }
 
-  /**
-   * Resolves a ref to a SHA. For a branch or lightweight tag, the commit SHA is returned.
-   * For an annotated tag, the tag SHA is returned.
-   * @param {string} ref  For example: 'refs/heads/main' or '/refs/tags/v1'
-   * @returns {Promise<string>}
-   */
-  async revParse(ref: string): Promise<string> {
-    const output = await this.execGit(['rev-parse', ref])
-    return output.stdout.trim()
-  }
-
   setEnvironmentVariable(name: string, value: string): void {
     this.gitEnv[name] = value
   }
 
-  async shaExists(sha: string): Promise<boolean> {
-    const args = ['rev-parse', '--verify', '--quiet', `${sha}^{object}`]
-    const output = await this.execGit(args, true)
-    return output.exitCode === 0
+  async setRemoteUrl(value: string): Promise<void> {
+    await this.config('git.remote.url', value)
   }
 
   async submoduleForeach(command: string, recursive: boolean): Promise<string> {
@@ -360,7 +314,7 @@ class GitCommandManager {
     return output.exitCode === 0
   }
 
-  async tryGetFetchUrl(): Promise<string> {
+  async tryGetRemoteUrl(): Promise<string> {
     const output = await this.execGit(
       ['config', '--local', '--get', 'remote.origin.url'],
       true
@@ -394,8 +348,7 @@ class GitCommandManager {
 
   private async execGit(
     args: string[],
-    allowAllExitCodes = false,
-    silent = false
+    allowAllExitCodes = false
   ): Promise<GitOutput> {
     fshelper.directoryExistsSync(this.workingDirectory, true)
 
@@ -414,7 +367,6 @@ class GitCommandManager {
     const options = {
       cwd: this.workingDirectory,
       env,
-      silent,
       ignoreReturnCode: allowAllExitCodes,
       listeners: {
         stdout: (data: Buffer) => {

src/git-directory-helper.ts

@@ -5,20 +5,29 @@ import * as fsHelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import {IGitCommandManager} from './git-command-manager'
+import {IGitSourceSettings} from './git-source-settings'
 
 export async function prepareExistingDirectory(
   git: IGitCommandManager | undefined,
   repositoryPath: string,
-  repositoryUrl: string,
-  clean: boolean,
-  ref: string
+  preferredRemoteUrl: string,
+  allowedRemoteUrls: string[],
+  clean: boolean
 ): Promise<void> {
   assert.ok(repositoryPath, 'Expected repositoryPath to be defined')
-  assert.ok(repositoryUrl, 'Expected repositoryUrl to be defined')
+  assert.ok(preferredRemoteUrl, 'Expected preferredRemoteUrl to be defined')
+  assert.ok(allowedRemoteUrls, 'Expected allowedRemoteUrls to be defined')
+  assert.ok(
+    allowedRemoteUrls.length,
+    'Expected allowedRemoteUrls to have at least one value'
+  )
 
   // Indicates whether to delete the directory contents
   let remove = false
 
+  // The remote URL
+  let remoteUrl: string
+
   // Check whether using git or REST API
   if (!git) {
     remove = true
@@ -26,7 +35,7 @@ export async function prepareExistingDirectory(
   // Fetch URL does not match
   else if (
     !fsHelper.directoryExistsSync(path.join(repositoryPath, '.git')) ||
-    repositoryUrl !== (await git.tryGetFetchUrl())
+    allowedRemoteUrls.indexOf((remoteUrl = await git.tryGetRemoteUrl())) < 0
   ) {
     remove = true
   } else {
@@ -39,9 +48,7 @@ export async function prepareExistingDirectory(
       try {
         await io.rmRF(lockPath)
       } catch (error) {
-        core.debug(
-          `Unable to delete '${lockPath}'. ${(error as any)?.message ?? error}`
-        )
+        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
       }
     }
 
@@ -58,26 +65,10 @@ export async function prepareExistingDirectory(
         await git.branchDelete(false, branch)
       }
 
-      // Remove any conflicting refs/remotes/origin/*
-      // Example 1: Consider ref is refs/heads/foo and previously fetched refs/remotes/origin/foo/bar
-      // Example 2: Consider ref is refs/heads/foo/bar and previously fetched refs/remotes/origin/foo
-      if (ref) {
-        ref = ref.startsWith('refs/') ? ref : `refs/heads/${ref}`
-        if (ref.startsWith('refs/heads/')) {
-          const upperName1 = ref.toUpperCase().substr('REFS/HEADS/'.length)
-          const upperName1Slash = `${upperName1}/`
-          branches = await git.branchList(true)
-          for (const branch of branches) {
-            const upperName2 = branch.substr('origin/'.length).toUpperCase()
-            const upperName2Slash = `${upperName2}/`
-            if (
-              upperName1.startsWith(upperName2Slash) ||
-              upperName2.startsWith(upperName1Slash)
-            ) {
-              await git.branchDelete(true, branch)
-            }
-          }
-        }
+      // Remove all refs/remotes/origin/* to avoid conflicts
+      branches = await git.branchList(true)
+      for (const branch of branches) {
+        await git.branchDelete(true, branch)
       }
       core.endGroup()
 
@@ -100,6 +91,13 @@ export async function prepareExistingDirectory(
           )
         }
       }
+
+      // Update to the preferred remote URL
+      if (remoteUrl !== preferredRemoteUrl) {
+        core.startGroup('Updating the remote URL')
+        await git.setRemoteUrl(preferredRemoteUrl)
+        core.endGroup()
+      }
     } catch (error) {
       core.warning(
         `Unable to prepare the existing repository. The repository will be recreated instead.`