From 033fa0dc0b82693d8986f1016a0ec2c5e7d9cbb1 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Mon, 1 Dec 2025 19:53:23 -0600 Subject: [PATCH 1/2] Add worktree support for persist-credentials includeIf (#2327) --- .github/workflows/test.yml | 16 ++++++++++++ __test__/verify-worktree.sh | 51 +++++++++++++++++++++++++++++++++++++ dist/index.js | 6 +++++ src/git-auth-helper.ts | 11 ++++++++ 4 files changed, 84 insertions(+) create mode 100755 __test__/verify-worktree.sh diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3aa5fc9..fe2539f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -165,6 +165,22 @@ jobs: - name: Verify submodules recursive run: __test__/verify-submodules-recursive.sh + # Worktree credentials + - name: Checkout for worktree test + uses: ./ + with: + path: worktree-test + - name: Verify worktree credentials + shell: bash + run: __test__/verify-worktree.sh worktree-test worktree-branch + + # Worktree credentials in container step + - name: Verify worktree credentials in container step + if: runner.os == 'Linux' + uses: docker://bitnami/git:latest + with: + args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch + # Basic checkout using REST API - name: Remove basic if: runner.os != 'windows' diff --git a/__test__/verify-worktree.sh b/__test__/verify-worktree.sh new file mode 100755 index 0000000..3a4d3e4 --- /dev/null +++ b/__test__/verify-worktree.sh 
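Review bot: The container step `uses: docker://bitnami/git:latest` pulls a third-party image by a mutable tag and runs it against a workspace whose checkout was made with persisted credentials. Whatever `latest` resolves to on a given run therefore executes with the job's token reachable through the includeIf config. Pin the image to an immutable digest, e.g. `uses: docker://bitnami/git@sha256:<digest-placeholder>`, and bump it deliberately; that also keeps the test from breaking if the tag is moved or withdrawn. The token's permissions are not visible in this hunk, so it is worth confirming that the job runs under a read-only `permissions:` block.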
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Verify worktree credentials
+# This test verifies that git credentials work in worktrees created after checkout
+# Usage: verify-worktree.sh
+
+CHECKOUT_PATH="$1"
+WORKTREE_NAME="$2"
+
+if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
+ echo "Usage: verify-worktree.sh "
+ exit 1
+fi
+
+cd "$CHECKOUT_PATH"
+
+# Add safe directory for container environments
+git config --global --add safe.directory "*" 2>/dev/null || true
+
+# Show the includeIf configuration
+echo "Git config includeIf entries:"
+git config --list --show-origin | grep -i include || true
+
+# Create the worktree
+echo "Creating worktree..."
+git worktree add "../$WORKTREE_NAME" HEAD --detach
+
+# Change to worktree directory
+cd "../$WORKTREE_NAME"
+
+# Verify we're in a worktree
+echo "Verifying worktree gitdir:"
+cat .git
+
+# Verify credentials are available in worktree by checking extraheader is configured
+echo "Checking credentials in worktree..."
+if git config --list --show-origin | grep -q "extraheader"; then
+ echo "Credentials are configured in worktree"
+else
+ echo "ERROR: Credentials are NOT configured in worktree"
+ echo "Full git config:"
+ git config --list --show-origin
+ exit 1
+fi
+
+# Verify fetch works in the worktree
+echo "Fetching in worktree..."
+git fetch origin
+
+echo "Worktree credentials test passed!"
diff --git a/dist/index.js b/dist/index.js
index a251a19..b9b34d3 100644
--- a/dist/index.js
+++ b/dist/index.js
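Review bot: `git config --global --add safe.directory "*"` runs on every invocation, not only in containers as its comment says. The host-runner step therefore also writes a wildcard into the runner account's global git config and switches off git's repository-ownership check for all paths, persistently on a self-hosted runner. Scope it to the paths the test uses, e.g. `git config --global --add safe.directory "$PWD"` after the `cd`, and add the worktree path once it has been created; dropping `2>/dev/null || true` would also surface a failure here instead of hiding it. Separately, `grep -q "extraheader"` over `--list --show-origin` output matches that string anywhere on a line, including in a file path, so `git config --name-only --get-regexp '^http\..*\.extraheader$'` would be a tighter presence check.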
@@ -412,6 +412,9 @@ class GitAuthHelper { // Configure host includeIf const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`; yield this.git.config(hostIncludeKey, credentialsConfigPath); + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`; + yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath); // Container git directory const workingDirectory = this.git.getWorkingDirectory(); const githubWorkspace = process.env['GITHUB_WORKSPACE']; @@ -424,6 +427,9 @@ class GitAuthHelper { // Configure container includeIf const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`; yield this.git.config(containerIncludeKey, containerCredentialsPath); + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`; + yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath); } }); } diff --git a/src/git-auth-helper.ts b/src/git-auth-helper.ts index a1950a6..e67db14 100644 --- a/src/git-auth-helper.ts +++ b/src/git-auth-helper.ts @@ -374,6 +374,10 @@ class GitAuthHelper { const hostIncludeKey = `includeIf.gitdir:${gitDir}.path` await this.git.config(hostIncludeKey, credentialsConfigPath) + // Configure host includeIf for worktrees + const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path` + await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath) + // Container git directory const workingDirectory = this.git.getWorkingDirectory() const githubWorkspace = process.env['GITHUB_WORKSPACE'] 
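Review bot: Both new keys (`hostWorktreeIncludeKey` here and `containerWorktreeIncludeKey` in the next hunk) add credential-bearing `includeIf` entries to the repository config, but the commit changes nothing on the removal side; the diffstat lists only these eleven added lines for this file, so whether post-job cleanup unsets them depends on code outside the hunks. If the existing cleanup enumerates `includeIf.gitdir:` entries by prefix or by value they are probably covered; if it unsets the exact host and container key names, these two would be left behind pointing at the credentials path. A unit test that configures auth, removes it, and asserts that no `includeIf.gitdir:` key referencing the credentials file remains would settle it. It would also help for the comment to say why the extra key is needed, e.g. `// Linked worktrees resolve their gitdir to <gitDir>/worktrees/<name>, which the exact gitdir match above does not cover`.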
@@ -395,6 +399,13 @@ class GitAuthHelper { // Configure container includeIf const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path` await this.git.config(containerIncludeKey, containerCredentialsPath) + + // Configure container includeIf for worktrees + const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path` + await this.git.config( + containerWorktreeIncludeKey, + containerCredentialsPath + ) } } From 8e8c483db84b4bee98b60c0593521ed34d9990e8 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Mon, 1 Dec 2025 20:08:49 -0600 Subject: [PATCH 2/2] Clarify v6 README (#2328) --- CHANGELOG.md | 10 +++++----- README.md | 5 +++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25befb7..6d5a6f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,19 +1,19 @@ # Changelog -## V6.0.0 +## v6.0.0 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248 -## V5.0.1 +## v5.0.1 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301 -## V5.0.0 +## v5.0.0 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226 -## V4.3.1 +## v4.3.1 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305 -## V4.3.0 +## v4.3.0 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043 diff --git a/README.md b/README.md index a8549c3..f0f65f9 100644 --- a/README.md +++ b/README.md 
@@ -4,8 +4,9 @@ ## What's new -- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config. - - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios. +- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config` +- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically +- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later # Checkout v5