From c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Sun, 23 Nov 2025 19:32:55 -0600 Subject: [PATCH 1/6] Update all references from v5 and v4 to v6 (#2314) - Updated README.md examples to reference @v6 - Updated all workflow files to use actions/checkout@v6 --- .github/workflows/check-dist.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/licensed.yml | 2 +- .../workflows/publish-immutable-actions.yml | 2 +- .github/workflows/test.yml | 16 ++++----- .github/workflows/update-main-version.yml | 2 +- .github/workflows/update-test-ubuntu-git.yml | 2 +- README.md | 34 +++++++++---------- src/misc/generate-docs.ts | 2 +- 9 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index db3e37f..c7d4962 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.1.6 + - uses: actions/checkout@v6 - name: Set Node.js 24.x uses: actions/setup-node@v4 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 778d474..377fae9 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 - name: Initialize CodeQL uses: github/codeql-action/init@v3 diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml index 1f71aa7..36e70e2 100644 --- a/.github/workflows/licensed.yml +++ b/.github/workflows/licensed.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest name: Check licenses steps: - - uses: actions/checkout@v4.1.6 + - uses: actions/checkout@v6 - run: npm ci - run: npm run licensed-check \ No newline at end of file diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml index 87c0207..44d571b 100644 --- a/.github/workflows/publish-immutable-actions.yml +++ b/.github/workflows/publish-immutable-actions.yml @@ -14,7 +14,7 @@ jobs: steps: - name: Checking out - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Publish id: publish uses: actions/publish-immutable-action@0.0.3 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7c47d7b..3aa5fc9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 24.x - - uses: actions/checkout@v4.1.6 + - uses: actions/checkout@v6 - run: npm ci - run: npm run build - run: npm run format-check @@ -37,7 +37,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 # Basic checkout - name: Checkout basic @@ -202,7 +202,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 # Basic checkout using git - name: Checkout basic @@ -234,7 +234,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 # Basic checkout using git - name: Checkout basic @@ -264,7 +264,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 with: path: localClone @@ -291,8 +291,8 @@ jobs: git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main # needed to make checkout post cleanup succeed - - name: Fix Checkout v4 - uses: actions/checkout@v4.1.6 + - name: Fix Checkout v6 + uses: actions/checkout@v6 with: path: localClone @@ -301,7 +301,7 @@ jobs: steps: # Clone this repo - name: Checkout - uses: actions/checkout@v4.1.6 + uses: actions/checkout@v6 with: path: actions-checkout diff --git a/.github/workflows/update-main-version.yml b/.github/workflows/update-main-version.yml index 643b954..b3b23fe 100644 --- a/.github/workflows/update-main-version.yml +++ b/.github/workflows/update-main-version.yml @@ -23,7 +23,7 @@ jobs: # Note this update workflow can also be used as a rollback tool. # For that reason, it's best to pin `actions/checkout` to a known, stable version # (typically, about two releases back). - - uses: actions/checkout@v4.1.6 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: Git config diff --git a/.github/workflows/update-test-ubuntu-git.yml b/.github/workflows/update-test-ubuntu-git.yml index 5c252b9..10e4dac 100644 --- a/.github/workflows/update-test-ubuntu-git.yml +++ b/.github/workflows/update-test-ubuntu-git.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 # Use `docker/login-action` to log in to GHCR.io. # Once published, the packages are scoped to the account defined here. diff --git a/README.md b/README.md index 5ad476f..a8549c3 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: # Repository name with owner. For example, actions/checkout # Default: ${{ github.repository }} @@ -190,7 +190,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch only the root files ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: sparse-checkout: . ``` @@ -198,7 +198,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch only the root files and `.github` and `src` folder ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: sparse-checkout: | .github @@ -208,7 +208,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch only a single file ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: sparse-checkout: | README.md @@ -218,7 +218,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Fetch all history for all tags and branches ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: fetch-depth: 0 ``` @@ -226,7 +226,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout a different branch ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: ref: my-branch ``` @@ -234,7 +234,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout HEAD^ ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: fetch-depth: 2 - run: git checkout HEAD^ @@ -244,12 +244,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: path: main - name: Checkout tools repo - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: my-org/my-tools path: my-tools @@ -260,10 +260,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Checkout tools repo - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: my-org/my-tools path: my-tools @@ -274,12 +274,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ```yaml - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: path: main - name: Checkout private tools - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: my-org/my-private-tools token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT @@ -292,7 +292,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/ ## Checkout pull request HEAD commit instead of merge commit ```yaml -- uses: actions/checkout@v5 +- uses: actions/checkout@v6 with: ref: ${{ github.event.pull_request.head.sha }} ``` @@ -308,7 +308,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 ``` ## Push a commit using the built-in token @@ -319,7 +319,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - run: | date > generated.txt # Note: the following account information will not work on GHES @@ -341,7 +341,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: ref: ${{ github.head_ref }} - run: | diff --git a/src/misc/generate-docs.ts b/src/misc/generate-docs.ts index 6d4816f..b78f035 100644 --- a/src/misc/generate-docs.ts +++ b/src/misc/generate-docs.ts @@ -120,7 +120,7 @@ function updateUsage( } updateUsage( - 'actions/checkout@v5', + 'actions/checkout@v6', path.join(__dirname, '..', '..', 'action.yml'), path.join(__dirname, '..', '..', 'README.md') ) From 033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Mon, 1 Dec 2025 19:53:23 -0600 Subject: [PATCH 2/6] Add worktree support for persist-credentials includeIf (#2327) --- .github/workflows/test.yml | 16 ++++++++++++ __test__/verify-worktree.sh | 51 +++++++++++++++++++++++++++++++++++++ dist/index.js | 6 +++++ src/git-auth-helper.ts | 11 ++++++++ 4 files changed, 84 insertions(+) create mode 100755 __test__/verify-worktree.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3aa5fc9..fe2539f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -165,6 +165,22 @@ jobs: - name: Verify submodules recursive run: __test__/verify-submodules-recursive.sh + # Worktree credentials + - name: Checkout for worktree test + uses: ./ + with: + path: worktree-test + - name: Verify worktree credentials + shell: bash + run: __test__/verify-worktree.sh worktree-test worktree-branch + + # Worktree credentials in container step + - name: Verify worktree credentials in container step + if: runner.os == 'Linux' + uses: docker://bitnami/git:latest + with: + args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch + # Basic checkout using REST API - name: Remove basic if: runner.os != 'windows' diff --git a/__test__/verify-worktree.sh b/__test__/verify-worktree.sh new file mode 100755 index 0000000..3a4d3e4 --- /dev/null +++ b/__test__/verify-worktree.sh @@ -0,0 +1,51 @@ +#!/bin/bash +set -e + +# Verify worktree credentials +# This test verifies that git credentials work in worktrees created after checkout +# Usage: verify-worktree.sh + +CHECKOUT_PATH="$1" +WORKTREE_NAME="$2" + +if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then + echo "Usage: verify-worktree.sh " + exit 1 +fi + +cd "$CHECKOUT_PATH" + +# Add safe directory for container environments +git config --global --add safe.directory "*" 2>/dev/null || true + +# Show the includeIf configuration +echo "Git config includeIf entries:" +git config --list --show-origin | grep -i include || true + +# Create the worktree +echo "Creating worktree..." +git worktree add "../$WORKTREE_NAME" HEAD --detach + +# Change to worktree directory +cd "../$WORKTREE_NAME" + +# Verify we're in a worktree +echo "Verifying worktree gitdir:" +cat .git + +# Verify credentials are available in worktree by checking extraheader is configured +echo "Checking credentials in worktree..." +if git config --list --show-origin | grep -q "extraheader"; then + echo "Credentials are configured in worktree" +else + echo "ERROR: Credentials are NOT configured in worktree" + echo "Full git config:" + git config --list --show-origin + exit 1 +fi + +# Verify fetch works in the worktree +echo "Fetching in worktree..." +git fetch origin + +echo "Worktree credentials test passed!" diff --git a/dist/index.js b/dist/index.js index a251a19..b9b34d3 100644 --- a/dist/index.js +++ b/dist/index.js @@ -412,6 +412,9 @@ class GitAuthHelper { // Configure host includeIf const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`; yield this.git.config(hostIncludeKey, credentialsConfigPath); + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`; + yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath); // Container git directory const workingDirectory = this.git.getWorkingDirectory(); const githubWorkspace = process.env['GITHUB_WORKSPACE']; @@ -424,6 +427,9 @@ class GitAuthHelper { // Configure container includeIf const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; yield this.git.config(containerIncludeKey, containerCredentialsPath); + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`; + yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath); } }); } diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index a1950a6..e67db14 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -374,6 +374,10 @@ class GitAuthHelper { const hostIncludeKey = `includeIf.gitdir:${gitDir}.path` await this.git.config(hostIncludeKey, credentialsConfigPath) + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path` + await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath) + // Container git directory const workingDirectory = this.git.getWorkingDirectory() const githubWorkspace = process.env['GITHUB_WORKSPACE'] @@ -395,6 +399,13 @@ class GitAuthHelper { // Configure container includeIf const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` await this.git.config(containerIncludeKey, containerCredentialsPath) + + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path` + await this.git.config( + containerWorktreeIncludeKey, + containerCredentialsPath + ) } } From 8e8c483db84b4bee98b60c0593521ed34d9990e8 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Mon, 1 Dec 2025 20:08:49 -0600 Subject: [PATCH 3/6] Clarify v6 README (#2328) --- CHANGELOG.md | 10 +++++----- README.md | 5 +++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25befb7..6d5a6f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,19 +1,19 @@ # Changelog -## V6.0.0 +## v6.0.0 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248 -## V5.0.1 +## v5.0.1 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301 -## V5.0.0 +## v5.0.0 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226 -## V4.3.1 +## v4.3.1 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305 -## V4.3.0 +## v4.3.0 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043 diff --git a/README.md b/README.md index a8549c3..f0f65f9 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,9 @@ ## What's new -- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config. - - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios. +- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config` +- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically +- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later # Checkout v5 From 064fe7f3312418007dea2b49a19844a9ee378f49 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Thu, 8 Jan 2026 15:07:38 -0500 Subject: [PATCH 4/6] Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set (#2355) * Initial plan * Add orchestration ID support to git user-agent Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Improve tests to verify user-agent content and handle empty sanitized IDs Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> * Simplify orchestration ID validation to accept any non-empty sanitized value Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> * Remove test for orchestration ID with only invalid characters Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> Co-authored-by: Tingluo Huang Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- __test__/git-command-manager.test.ts | 117 +++++++++++++++++++++++++++ dist/index.js | 12 ++- src/git-command-manager.ts | 14 +++- 3 files changed, 141 insertions(+), 2 deletions(-) diff --git a/__test__/git-command-manager.test.ts b/__test__/git-command-manager.test.ts index cea73d4..23b8863 100644 --- a/__test__/git-command-manager.test.ts +++ b/__test__/git-command-manager.test.ts @@ -376,3 +376,120 @@ describe('Test fetchDepth and fetchTags options', () => { ) }) }) + +describe('git user-agent with orchestration ID', () => { + beforeEach(async () => { + jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn()) + jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn()) + }) + + afterEach(() => { + jest.restoreAllMocks() + // Clean up environment variable to prevent test pollution + delete process.env['ACTIONS_ORCHESTRATION_ID'] + }) + + it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => { + const orchId = 'test-orch-id-12345' + process.env['ACTIONS_ORCHESTRATION_ID'] = orchId + + let capturedEnv: any = null + mockExec.mockImplementation((path, args, options) => { + if (args.includes('version')) { + options.listeners.stdout(Buffer.from('2.18')) + } + // Capture env on any command + capturedEnv = options.env + return 0 + }) + jest.spyOn(exec, 'exec').mockImplementation(mockExec) + + const workingDirectory = 'test' + const lfs = false + const doSparseCheckout = false + git = await commandManager.createCommandManager( + workingDirectory, + lfs, + doSparseCheckout + ) + + // Call a git command to trigger env capture after user-agent is set + await git.init() + + // Verify the user agent includes the orchestration ID + expect(git).toBeDefined() + expect(capturedEnv).toBeDefined() + expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe( + `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}` + ) + }) + + it('should sanitize invalid characters in orchestration ID', async () => { + const orchId = 'test (with) special/chars' + process.env['ACTIONS_ORCHESTRATION_ID'] = orchId + + let capturedEnv: any = null + mockExec.mockImplementation((path, args, options) => { + if (args.includes('version')) { + options.listeners.stdout(Buffer.from('2.18')) + } + // Capture env on any command + capturedEnv = options.env + return 0 + }) + jest.spyOn(exec, 'exec').mockImplementation(mockExec) + + const workingDirectory = 'test' + const lfs = false + const doSparseCheckout = false + git = await commandManager.createCommandManager( + workingDirectory, + lfs, + doSparseCheckout + ) + + // Call a git command to trigger env capture after user-agent is set + await git.init() + + // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced) + expect(git).toBeDefined() + expect(capturedEnv).toBeDefined() + expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe( + 'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars' + ) + }) + + it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => { + delete process.env['ACTIONS_ORCHESTRATION_ID'] + + let capturedEnv: any = null + mockExec.mockImplementation((path, args, options) => { + if (args.includes('version')) { + options.listeners.stdout(Buffer.from('2.18')) + } + // Capture env on any command + capturedEnv = options.env + return 0 + }) + jest.spyOn(exec, 'exec').mockImplementation(mockExec) + + const workingDirectory = 'test' + const lfs = false + const doSparseCheckout = false + git = await commandManager.createCommandManager( + workingDirectory, + lfs, + doSparseCheckout + ) + + // Call a git command to trigger env capture after user-agent is set + await git.init() + + // Verify the user agent does NOT contain orchestration ID + expect(git).toBeDefined() + expect(capturedEnv).toBeDefined() + expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe( + 'git/2.18 (github-actions-checkout)' + ) + }) +}) diff --git a/dist/index.js b/dist/index.js index b9b34d3..4eab86e 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1206,7 +1206,17 @@ class GitCommandManager { } } // Set the user agent - const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`; + let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`; + // Append orchestration ID if set + const orchId = process.env['ACTIONS_ORCHESTRATION_ID']; + if (orchId) { + // Sanitize the orchestration ID to ensure it contains only valid characters + // Valid characters: 0-9, a-z, _, -, . + const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_'); + if (sanitizedId) { + gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`; + } + } core.debug(`Set git useragent to: ${gitHttpUserAgent}`); this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent; }); diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index a45e15a..eba285a 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -730,7 +730,19 @@ class GitCommandManager { } } // Set the user agent - const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)` + let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)` + + // Append orchestration ID if set + const orchId = process.env['ACTIONS_ORCHESTRATION_ID'] + if (orchId) { + // Sanitize the orchestration ID to ensure it contains only valid characters + // Valid characters: 0-9, a-z, _, -, . + const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_') + if (sanitizedId) { + gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}` + } + } + core.debug(`Set git useragent to: ${gitHttpUserAgent}`) this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent } From de0fac2e4500dabe0009e67214ff5f5447ce83dd Mon Sep 17 00:00:00 2001 From: eric sciple Date: Fri, 9 Jan 2026 13:42:23 -0600 Subject: [PATCH 5/6] Fix tag handling: preserve annotations and explicit fetch-tags (#2356) This PR fixes several issues with tag handling in the checkout action: 1. fetch-tags: true now works (fixes #1471) - Tags refspec is now included in getRefSpec() when fetchTags=true - Previously tags were only fetched during a separate fetch that was overwritten by the main fetch 2. Tag checkout preserves annotations (fixes #290) - Tags are fetched via refspec (+refs/tags/*:refs/tags/*) instead of --tags flag - This fetches the actual tag objects, preserving annotations 3. Tag checkout with fetch-tags: true no longer fails (fixes #1467) - When checking out a tag with fetchTags=true, only the wildcard refspec is used (specific tag refspec is redundant) Changes: - src/ref-helper.ts: getRefSpec() now accepts fetchTags parameter and prepends tags refspec when true - src/git-command-manager.ts: fetch() simplified to always use --no-tags, tags are fetched explicitly via refspec - src/git-source-provider.ts: passes fetchTags to getRefSpec() - Added E2E test for fetch-tags option Related #1471, #1467, #290 --- .github/workflows/test.yml | 11 +++ __test__/git-command-manager.test.ts | 105 ++++++++++++++------------- __test__/ref-helper.test.ts | 42 ++++++++++- __test__/verify-fetch-tags.sh | 9 +++ dist/index.js | 68 ++++++++++++----- src/git-command-manager.ts | 8 +- src/git-source-provider.ts | 28 ++++++- src/ref-helper.ts | 50 +++++++++---- 8 files changed, 226 insertions(+), 95 deletions(-) create mode 100755 __test__/verify-fetch-tags.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fe2539f..0383c88 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -87,6 +87,17 @@ jobs: - name: Verify fetch filter run: __test__/verify-fetch-filter.sh + # Fetch tags + - name: Checkout with fetch-tags + uses: ./ + with: + ref: test-data/v2/basic + path: fetch-tags-test + fetch-tags: true + - name: Verify fetch-tags + shell: bash + run: __test__/verify-fetch-tags.sh + # Sparse checkout - name: Sparse checkout uses: ./ diff --git a/__test__/git-command-manager.test.ts b/__test__/git-command-manager.test.ts index 23b8863..8a97d82 100644 --- a/__test__/git-command-manager.test.ts +++ b/__test__/git-command-manager.test.ts @@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => { jest.restoreAllMocks() }) - it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => { + it('should call execGit with the correct arguments when fetchDepth is 0', async () => { jest.spyOn(exec, 'exec').mockImplementation(mockExec) const workingDirectory = 'test' const lfs = false @@ -122,45 +122,7 @@ describe('Test fetchDepth and fetchTags options', () => { const refSpec = ['refspec1', 'refspec2'] const options = { filter: 'filterValue', - fetchDepth: 0, - fetchTags: true - } - - await git.fetch(refSpec, options) - - expect(mockExec).toHaveBeenCalledWith( - expect.any(String), - [ - '-c', - 'protocol.version=2', - 'fetch', - '--prune', - '--no-recurse-submodules', - '--filter=filterValue', - 'origin', - 'refspec1', - 'refspec2' - ], - expect.any(Object) - ) - }) - - it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => { - jest.spyOn(exec, 'exec').mockImplementation(mockExec) - - const workingDirectory = 'test' - const lfs = false - const doSparseCheckout = false - git = await commandManager.createCommandManager( - workingDirectory, - lfs, - doSparseCheckout - ) - const refSpec = ['refspec1', 'refspec2'] - const options = { - filter: 'filterValue', - fetchDepth: 0, - fetchTags: false + fetchDepth: 0 } await git.fetch(refSpec, options) @@ -183,7 +145,45 @@ describe('Test fetchDepth and fetchTags options', () => { ) }) - it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => { + it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => { + jest.spyOn(exec, 'exec').mockImplementation(mockExec) + + const workingDirectory = 'test' + const lfs = false + const doSparseCheckout = false + git = await commandManager.createCommandManager( + workingDirectory, + lfs, + doSparseCheckout + ) + const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*'] + const options = { + filter: 'filterValue', + fetchDepth: 0 + } + + await git.fetch(refSpec, options) + + expect(mockExec).toHaveBeenCalledWith( + expect.any(String), + [ + '-c', + 'protocol.version=2', + 'fetch', + '--no-tags', + '--prune', + '--no-recurse-submodules', + '--filter=filterValue', + 'origin', + 'refspec1', + 'refspec2', + '+refs/tags/*:refs/tags/*' + ], + expect.any(Object) + ) + }) + + it('should call execGit with the correct arguments when fetchDepth is 1', async () => { jest.spyOn(exec, 'exec').mockImplementation(mockExec) const workingDirectory = 'test' @@ -197,8 +197,7 @@ describe('Test fetchDepth and fetchTags options', () => { const refSpec = ['refspec1', 'refspec2'] const options = { filter: 'filterValue', - fetchDepth: 1, - fetchTags: false + fetchDepth: 1 } await git.fetch(refSpec, options) @@ -222,7 +221,7 @@ describe('Test fetchDepth and fetchTags options', () => { ) }) - it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => { + it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => { jest.spyOn(exec, 'exec').mockImplementation(mockExec) const workingDirectory = 'test' @@ -233,11 +232,10 @@ describe('Test fetchDepth and fetchTags options', () => { lfs, doSparseCheckout ) - const refSpec = ['refspec1', 'refspec2'] + const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*'] const options = { filter: 'filterValue', - fetchDepth: 1, - fetchTags: true + fetchDepth: 1 } await git.fetch(refSpec, options) @@ -248,13 +246,15 @@ describe('Test fetchDepth and fetchTags options', () => { '-c', 'protocol.version=2', 'fetch', + '--no-tags', '--prune', '--no-recurse-submodules', '--filter=filterValue', '--depth=1', 'origin', 'refspec1', - 'refspec2' + 'refspec2', + '+refs/tags/*:refs/tags/*' ], expect.any(Object) ) @@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => { ) }) - it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => { + it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => { jest.spyOn(exec, 'exec').mockImplementation(mockExec) const workingDirectory = 'test' @@ -349,10 +349,9 @@ describe('Test fetchDepth and fetchTags options', () => { lfs, doSparseCheckout ) - const refSpec = ['refspec1', 'refspec2'] + const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*'] const options = { filter: 'filterValue', - fetchTags: true, showProgress: true } @@ -364,13 +363,15 @@ describe('Test fetchDepth and fetchTags options', () => { '-c', 'protocol.version=2', 'fetch', + '--no-tags', '--prune', '--no-recurse-submodules', '--progress', '--filter=filterValue', 'origin', 'refspec1', - 'refspec2' + 'refspec2', + '+refs/tags/*:refs/tags/*' ], expect.any(Object) ) diff --git a/__test__/ref-helper.test.ts b/__test__/ref-helper.test.ts index 5c8d76b..4943abd 100644 --- a/__test__/ref-helper.test.ts +++ b/__test__/ref-helper.test.ts @@ -152,7 +152,22 @@ describe('ref-helper tests', () => { it('getRefSpec sha + refs/tags/', async () => { const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit) expect(refSpec.length).toBe(1) - expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`) + expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`) + }) + + it('getRefSpec sha + refs/tags/ with fetchTags', async () => { + // When fetchTags is true, only include tags wildcard (specific tag is redundant) + const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true) + expect(refSpec.length).toBe(1) + expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*') + }) + + it('getRefSpec sha + refs/heads/ with fetchTags', async () => { + // When fetchTags is true, include both the branch refspec and tags wildcard + const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true) + expect(refSpec.length).toBe(2) + expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*') + expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`) }) it('getRefSpec sha only', async () => { @@ -168,6 +183,14 @@ describe('ref-helper tests', () => { expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*') }) + it('getRefSpec unqualified ref only with fetchTags', async () => { + // When fetchTags is true, skip specific tag pattern since wildcard covers all + const refSpec = refHelper.getRefSpec('my-ref', '', true) + expect(refSpec.length).toBe(2) + expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*') + expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*') + }) + it('getRefSpec refs/heads/ only', async () => { const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '') expect(refSpec.length).toBe(1) @@ -187,4 +210,21 @@ describe('ref-helper tests', () => { expect(refSpec.length).toBe(1) expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag') }) + + it('getRefSpec refs/tags/ only with fetchTags', async () => { + // When fetchTags is true, only include tags wildcard (specific tag is redundant) + const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true) + expect(refSpec.length).toBe(1) + expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*') + }) + + it('getRefSpec refs/heads/ only with fetchTags', async () => { + // When fetchTags is true, include both the branch refspec and tags wildcard + const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true) + expect(refSpec.length).toBe(2) + expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*') + expect(refSpec[1]).toBe( + '+refs/heads/my/branch:refs/remotes/origin/my/branch' + ) + }) }) diff --git a/__test__/verify-fetch-tags.sh b/__test__/verify-fetch-tags.sh new file mode 100755 index 0000000..74cff1e --- /dev/null +++ b/__test__/verify-fetch-tags.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +# Verify tags were fetched +TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l) +if [ "$TAG_COUNT" -eq 0 ]; then + echo "Expected tags to be fetched, but found none" + exit 1 +fi +echo "Found $TAG_COUNT tags" diff --git a/dist/index.js b/dist/index.js index 4eab86e..fe3f317 100644 --- a/dist/index.js +++ b/dist/index.js @@ -653,7 +653,6 @@ const fs = __importStar(__nccwpck_require__(7147)); const fshelper = __importStar(__nccwpck_require__(7219)); const io = __importStar(__nccwpck_require__(7436)); const path = __importStar(__nccwpck_require__(1017)); -const refHelper = __importStar(__nccwpck_require__(8601)); const regexpHelper = __importStar(__nccwpck_require__(3120)); const retryHelper = __importStar(__nccwpck_require__(2155)); const git_version_1 = __nccwpck_require__(3142); @@ -831,9 +830,9 @@ class GitCommandManager { fetch(refSpec, options) { return __awaiter(this, void 0, void 0, function* () { const args = ['-c', 'protocol.version=2', 'fetch']; - if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) { - args.push('--no-tags'); - } + // Always use --no-tags for explicit control over tag fetching + // Tags are fetched explicitly via refspec when needed + args.push('--no-tags'); args.push('--prune', '--no-recurse-submodules'); if (options.showProgress) { args.push('--progress'); @@ -1539,13 +1538,26 @@ function getSource(settings) { if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) { refSpec = refHelper.getRefSpec(settings.ref, settings.commit); yield git.fetch(refSpec, fetchOptions); + // Verify the ref now matches. For branches, the targeted fetch above brings + // in the specific commit. For tags (fetched by ref), this will fail if + // the tag was moved after the workflow was triggered. + if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) { + throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` + + `The ref may have been updated after the workflow was triggered.`); + } } } else { fetchOptions.fetchDepth = settings.fetchDepth; - fetchOptions.fetchTags = settings.fetchTags; - const refSpec = refHelper.getRefSpec(settings.ref, settings.commit); + const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags); yield git.fetch(refSpec, fetchOptions); + // For tags, verify the ref still points to the expected commit. + // Tags are fetched by ref (not commit), so if a tag was moved after the + // workflow was triggered, we would silently check out the wrong commit. + if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) { + throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` + + `The ref may have been updated after the workflow was triggered.`); + } } core.endGroup(); // Checkout info @@ -2284,53 +2296,67 @@ function getRefSpecForAllHistory(ref, commit) { } return result; } -function getRefSpec(ref, commit) { +function getRefSpec(ref, commit, fetchTags) { if (!ref && !commit) { throw new Error('Args ref and commit cannot both be empty'); } const upperRef = (ref || '').toUpperCase(); + const result = []; + // When fetchTags is true, always include the tags refspec + if (fetchTags) { + result.push(exports.tagsRefSpec); + } // SHA if (commit) { // refs/heads if (upperRef.startsWith('REFS/HEADS/')) { const branch = ref.substring('refs/heads/'.length); - return [`+${commit}:refs/remotes/origin/${branch}`]; + result.push(`+${commit}:refs/remotes/origin/${branch}`); } // refs/pull/ else if (upperRef.startsWith('REFS/PULL/')) { const branch = ref.substring('refs/pull/'.length); - return [`+${commit}:refs/remotes/pull/${branch}`]; + result.push(`+${commit}:refs/remotes/pull/${branch}`); } // refs/tags/ else if (upperRef.startsWith('REFS/TAGS/')) { - return [`+${commit}:${ref}`]; + if (!fetchTags) { + result.push(`+${ref}:${ref}`); + } } // Otherwise no destination ref else { - return [commit]; + result.push(commit); } } // Unqualified ref, check for a matching branch or tag else if (!upperRef.startsWith('REFS/')) { - return [ - `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`, - `+refs/tags/${ref}*:refs/tags/${ref}*` - ]; + result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`); + if (!fetchTags) { + result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`); + } } // refs/heads/ else if (upperRef.startsWith('REFS/HEADS/')) { const branch = ref.substring('refs/heads/'.length); - return [`+${ref}:refs/remotes/origin/${branch}`]; + result.push(`+${ref}:refs/remotes/origin/${branch}`); } // refs/pull/ else if (upperRef.startsWith('REFS/PULL/')) { const branch = ref.substring('refs/pull/'.length); - return [`+${ref}:refs/remotes/pull/${branch}`]; + result.push(`+${ref}:refs/remotes/pull/${branch}`); } // refs/tags/ - else { - return [`+${ref}:${ref}`]; + else if (upperRef.startsWith('REFS/TAGS/')) { + if (!fetchTags) { + result.push(`+${ref}:${ref}`); + } } + // Other refs + else { + result.push(`+${ref}:${ref}`); + } + return result; } /** * Tests whether the initial fetch created the ref at the expected commit @@ -2366,7 +2392,9 @@ function testRef(git, ref, commit) { // refs/tags/ else if (upperRef.startsWith('REFS/TAGS/')) { const tagName = ref.substring('refs/tags/'.length); - return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref))); + // Use ^{commit} to dereference annotated tags to their underlying commit + return ((yield git.tagExists(tagName)) && + commit === (yield git.revParse(`${ref}^{commit}`))); } // Unexpected else { diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts index eba285a..f5ba40e 100644 --- a/src/git-command-manager.ts +++ b/src/git-command-manager.ts @@ -37,7 +37,6 @@ export interface IGitCommandManager { options: { filter?: string fetchDepth?: number - fetchTags?: boolean showProgress?: boolean } ): Promise @@ -280,14 +279,13 @@ class GitCommandManager { options: { filter?: string fetchDepth?: number - fetchTags?: boolean showProgress?: boolean } ): Promise { const args = ['-c', 'protocol.version=2', 'fetch'] - if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) { - args.push('--no-tags') - } + // Always use --no-tags for explicit control over tag fetching + // Tags are fetched explicitly via refspec when needed + args.push('--no-tags') args.push('--prune', '--no-recurse-submodules') if (options.showProgress) { diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts index 2d35138..ec87178 100644 --- a/src/git-source-provider.ts +++ b/src/git-source-provider.ts @@ -159,7 +159,6 @@ export async function getSource(settings: IGitSourceSettings): Promise { const fetchOptions: { filter?: string fetchDepth?: number - fetchTags?: boolean showProgress?: boolean } = {} @@ -182,12 +181,35 @@ export async function getSource(settings: IGitSourceSettings): Promise { if (!(await refHelper.testRef(git, settings.ref, settings.commit))) { refSpec = refHelper.getRefSpec(settings.ref, settings.commit) await git.fetch(refSpec, fetchOptions) + + // Verify the ref now matches. For branches, the targeted fetch above brings + // in the specific commit. For tags (fetched by ref), this will fail if + // the tag was moved after the workflow was triggered. + if (!(await refHelper.testRef(git, settings.ref, settings.commit))) { + throw new Error( + `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` + + `The ref may have been updated after the workflow was triggered.` + ) + } } } else { fetchOptions.fetchDepth = settings.fetchDepth - fetchOptions.fetchTags = settings.fetchTags - const refSpec = refHelper.getRefSpec(settings.ref, settings.commit) + const refSpec = refHelper.getRefSpec( + settings.ref, + settings.commit, + settings.fetchTags + ) await git.fetch(refSpec, fetchOptions) + + // For tags, verify the ref still points to the expected commit. + // Tags are fetched by ref (not commit), so if a tag was moved after the + // workflow was triggered, we would silently check out the wrong commit. + if (!(await refHelper.testRef(git, settings.ref, settings.commit))) { + throw new Error( + `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` + + `The ref may have been updated after the workflow was triggered.` + ) + } } core.endGroup() diff --git a/src/ref-helper.ts b/src/ref-helper.ts index 58f9290..5130f53 100644 --- a/src/ref-helper.ts +++ b/src/ref-helper.ts @@ -76,55 +76,75 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] { return result } -export function getRefSpec(ref: string, commit: string): string[] { +export function getRefSpec( + ref: string, + commit: string, + fetchTags?: boolean +): string[] { if (!ref && !commit) { throw new Error('Args ref and commit cannot both be empty') } const upperRef = (ref || '').toUpperCase() + const result: string[] = [] + + // When fetchTags is true, always include the tags refspec + if (fetchTags) { + result.push(tagsRefSpec) + } // SHA if (commit) { // refs/heads if (upperRef.startsWith('REFS/HEADS/')) { const branch = ref.substring('refs/heads/'.length) - return [`+${commit}:refs/remotes/origin/${branch}`] + result.push(`+${commit}:refs/remotes/origin/${branch}`) } // refs/pull/ else if (upperRef.startsWith('REFS/PULL/')) { const branch = ref.substring('refs/pull/'.length) - return [`+${commit}:refs/remotes/pull/${branch}`] + result.push(`+${commit}:refs/remotes/pull/${branch}`) } // refs/tags/ else if (upperRef.startsWith('REFS/TAGS/')) { - return [`+${commit}:${ref}`] + if (!fetchTags) { + result.push(`+${ref}:${ref}`) + } } // Otherwise no destination ref else { - return [commit] + result.push(commit) } } // Unqualified ref, check for a matching branch or tag else if (!upperRef.startsWith('REFS/')) { - return [ - `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`, - `+refs/tags/${ref}*:refs/tags/${ref}*` - ] + result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`) + if (!fetchTags) { + result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`) + } } // refs/heads/ else if (upperRef.startsWith('REFS/HEADS/')) { const branch = ref.substring('refs/heads/'.length) - return [`+${ref}:refs/remotes/origin/${branch}`] + result.push(`+${ref}:refs/remotes/origin/${branch}`) } // refs/pull/ else if (upperRef.startsWith('REFS/PULL/')) { const branch = ref.substring('refs/pull/'.length) - return [`+${ref}:refs/remotes/pull/${branch}`] + result.push(`+${ref}:refs/remotes/pull/${branch}`) } // refs/tags/ - else { - return [`+${ref}:${ref}`] + else if (upperRef.startsWith('REFS/TAGS/')) { + if (!fetchTags) { + result.push(`+${ref}:${ref}`) + } } + // Other refs + else { + result.push(`+${ref}:${ref}`) + } + + return result } /** @@ -170,8 +190,10 @@ export async function testRef( // refs/tags/ else if (upperRef.startsWith('REFS/TAGS/')) { const tagName = ref.substring('refs/tags/'.length) + // Use ^{commit} to dereference annotated tags to their underlying commit return ( - (await git.tagExists(tagName)) && commit === (await git.revParse(ref)) + (await git.tagExists(tagName)) && + commit === (await git.revParse(`${ref}^{commit}`)) ) } // Unexpected From 0c366fd6a839edf440554fa01a7085ccba70ac98 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Fri, 9 Jan 2026 14:09:42 -0600 Subject: [PATCH 6/6] Update changelog (#2357) --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d5a6f3..bcd8126 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## v6.0.2 +* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356 + +## v6.0.1 +* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327 + ## v6.0.0 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248