.github/workflows/codeql-analysis.yml

@@ -41,6 +41,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v2
 
+    # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
       with:
@@ -50,9 +51,21 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    - run: npm ci
-    - run: npm run build
-    - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1

.github/workflows/test.yml

@@ -142,7 +142,7 @@ jobs:
       options: --dns 127.0.0.1
     services:
       squid-proxy:
-        image: ubuntu/squid:latest
+        image: datadog/squid:latest
         ports:
           - 3128:3128
     env:
@@ -205,41 +205,3 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3

CHANGELOG.md

@@ -1,14 +1,5 @@
 # Changelog
 
-## v2.5.0
-- [Bump @actions/core to v1.10.0](https://github.com/actions/checkout/pull/962)
-
-## v2.4.2
-- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/776)
-
-## v2.4.1
-- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)
-
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)

README.md

@@ -105,11 +105,6 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     #
     # Default: false
     submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->
 
@@ -190,7 +185,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
   uses: actions/checkout@v2
   with:
     repository: my-org/my-private-tools
-    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
+    token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
     path: my-tools
 ```
 

__test__/git-auth-helper.test.ts

@@ -518,17 +518,12 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
-        /url.*insteadOf.*git@github.com:/
-      )
-      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
-        /url.*insteadOf.*org-123456@github.com:/
-      )
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/url.*insteadOf/)
     }
   )
 
@@ -643,11 +638,10 @@ describe('git-auth-helper tests', () => {
     expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
-  const removeGlobalConfig_removesOverride =
-    'removeGlobalConfig removes override'
-  it(removeGlobalConfig_removesOverride, async () => {
+  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
+  it(removeGlobalAuth_removesOverride, async () => {
     // Arrange
-    await setup(removeGlobalConfig_removesOverride)
+    await setup(removeGlobalAuth_removesOverride)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
     await authHelper.configureGlobalAuth()
@@ -656,7 +650,7 @@ describe('git-auth-helper tests', () => {
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
-    await authHelper.removeGlobalConfig()
+    await authHelper.removeGlobalAuth()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
@@ -776,9 +770,7 @@ async function setup(testName: string): Promise<void> {
     repositoryPath: '',
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
-    sshStrict: true,
-    workflowOrganizationId: 123456,
-    setSafeDirectory: true
+    sshStrict: true
   }
 }
 

__test__/input-helper.test.ts

@@ -1,9 +1,9 @@
+import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
-import * as workflowContextHelper from '../lib/workflow-context-helper'
 import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -43,11 +43,6 @@ describe('input-helper tests', () => {
       .spyOn(fsHelper, 'directoryExistsSync')
       .mockImplementation((path: string) => path == gitHubWorkspace)
 
-    // Mock ./workflowContextHelper getOrganizationId()
-    jest
-      .spyOn(workflowContextHelper, 'getOrganizationId')
-      .mockImplementation(() => Promise.resolve(123456))
-
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -72,8 +67,8 @@ describe('input-helper tests', () => {
     jest.restoreAllMocks()
   })
 
-  it('sets defaults', async () => {
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+  it('sets defaults', () => {
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
     expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
@@ -85,14 +80,13 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
   })
 
-  it('qualifies ref', async () => {
+  it('qualifies ref', () => {
     let originalRef = github.context.ref
     try {
       github.context.ref = 'some-unqualified-ref'
-      const settings: IGitSourceSettings = await inputHelper.getInputs()
+      const settings: IGitSourceSettings = inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@@ -101,42 +95,32 @@ describe('input-helper tests', () => {
     }
   })
 
-  it('requires qualified repo', async () => {
+  it('requires qualified repo', () => {
     inputs.repository = 'some-unqualified-repo'
-    try {
-      await inputHelper.getInputs()
-      throw 'should not reach here'
-    } catch (err) {
-      expect(`(${(err as any).message}`).toMatch(
-        "Invalid repository 'some-unqualified-repo'"
-      )
-    }
+    assert.throws(() => {
+      inputHelper.getInputs()
+    }, /Invalid repository 'some-unqualified-repo'/)
   })
 
-  it('roots path', async () => {
+  it('roots path', () => {
     inputs.path = 'some-directory/some-subdirectory'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.repositoryPath).toBe(
       path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
     )
   })
 
-  it('sets ref to empty when explicit sha', async () => {
+  it('sets ref to empty when explicit sha', () => {
     inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBeFalsy()
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets sha to empty when explicit ref', async () => {
+  it('sets sha to empty when explicit ref', () => {
     inputs.ref = 'refs/heads/some-other-ref'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/some-other-ref')
     expect(settings.commit).toBeFalsy()
   })
-
-  it('sets workflow organization ID', async () => {
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
-    expect(settings.workflowOrganizationId).toBe(123456)
-  })
 })

action.yml

@@ -68,9 +68,6 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
   using: node12
   main: dist/index.js

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.6.0",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -28,10 +28,10 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.10.0",
+    "@actions/core": "^1.2.6",
     "@actions/exec": "^1.0.1",
     "@actions/github": "^2.2.0",
-    "@actions/io": "^1.1.2",
+    "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
     "uuid": "^3.3.3"
   },
@@ -39,12 +39,11 @@
     "@types/jest": "^27.0.2",
     "@types/node": "^12.7.12",
     "@types/uuid": "^3.4.6",
-    "@typescript-eslint/eslint-plugin": "^5.45.0",
-    "@typescript-eslint/parser": "^5.45.0",
+    "@typescript-eslint/parser": "^5.1.0",
     "@zeit/ncc": "^0.20.5",
     "eslint": "^7.32.0",
     "eslint-plugin-github": "^4.3.2",
-    "eslint-plugin-jest": "^25.7.0",
+    "eslint-plugin-jest": "^25.2.2",
     "jest": "^27.3.0",
     "jest-circus": "^27.3.0",
     "js-yaml": "^3.13.1",

src/git-auth-helper.ts

@@ -19,9 +19,8 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
   removeAuth(): Promise<void>
-  removeGlobalConfig(): Promise<void>
+  removeGlobalAuth(): Promise<void>
 }
 
 export function createAuthHelper(
@@ -38,7 +37,7 @@ class GitAuthHelper {
   private readonly tokenConfigValue: string
   private readonly tokenPlaceholderConfigValue: string
   private readonly insteadOfKey: string
-  private readonly insteadOfValues: string[] = []
+  private readonly insteadOfValue: string
   private sshCommand = ''
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
@@ -46,7 +45,7 @@ class GitAuthHelper {
 
   constructor(
     gitCommandManager: IGitCommandManager,
-    gitSourceSettings: IGitSourceSettings | undefined
+    gitSourceSettings?: IGitSourceSettings
   ) {
     this.git = gitCommandManager
     this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
@@ -64,12 +63,7 @@ class GitAuthHelper {
 
     // Instead of SSH URL
     this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
-    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
-    if (this.settings.workflowOrganizationId) {
-      this.insteadOfValues.push(
-        `org-${this.settings.workflowOrganizationId}@github.com:`
-      )
-    }
+    this.insteadOfValue = `git@${serverUrl.hostname}:`
   }
 
   async configureAuth(): Promise<void> {
@@ -81,11 +75,7 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureTempGlobalConfig(): Promise<string> {
-    // Already setup global config
-    if (this.temporaryHomePath?.length > 0) {
-      return path.join(this.temporaryHomePath, '.gitconfig')
-    }
+  async configureGlobalAuth(): Promise<void> {
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@@ -115,28 +105,20 @@ class GitAuthHelper {
       await fs.promises.writeFile(newGitConfigPath, '')
     }
 
-    // Override HOME
-    core.info(
-      `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
-    )
-    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
-
-    return newGitConfigPath
-  }
-
-  async configureGlobalAuth(): Promise<void> {
-    // 'configureTempGlobalConfig' noops if already set, just returns the path
-    const newGitConfigPath = await this.configureTempGlobalConfig()
     try {
+      // Override HOME
+      core.info(
+        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
+      )
+      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+
       // Configure the token
       await this.configureToken(newGitConfigPath, true)
 
       // Configure HTTPS instead of SSH
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
-        for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
-        }
+        await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
       }
     } catch (err) {
       // Unset in case somehow written to the real global config
@@ -157,8 +139,7 @@ class GitAuthHelper {
       // by process creation audit events, which are commonly logged. For more information,
       // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
       const output = await this.git.submoduleForeach(
-        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
+        `git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url`,
         this.settings.nestedSubmodules
       )
 
@@ -178,12 +159,10 @@ class GitAuthHelper {
         )
       } else {
         // Configure HTTPS instead of SSH
-        for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.submoduleForeach(
-            `git config --local --add '${this.insteadOfKey}' '${insteadOfValue}'`,
-            this.settings.nestedSubmodules
-          )
-        }
+        await this.git.submoduleForeach(
+          `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
+          this.settings.nestedSubmodules
+        )
       }
     }
   }
@@ -193,12 +172,10 @@ class GitAuthHelper {
     await this.removeToken()
   }
 
-  async removeGlobalConfig(): Promise<void> {
-    if (this.temporaryHomePath?.length > 0) {
-      core.debug(`Unsetting HOME override`)
-      this.git.removeEnvironmentVariable('HOME')
-      await io.rmRF(this.temporaryHomePath)
-    }
+  async removeGlobalAuth(): Promise<void> {
+    core.debug(`Unsetting HOME override`)
+    this.git.removeEnvironmentVariable('HOME')
+    await io.rmRF(this.temporaryHomePath)
   }
 
   private async configureSsh(): Promise<void> {
@@ -247,7 +224,7 @@ class GitAuthHelper {
     if (this.settings.sshKnownHosts) {
       knownHosts += `# Begin from input known hosts\n${this.settings.sshKnownHosts}\n# end from input known hosts\n`
     }
-    knownHosts += `# Begin implicitly added github.com\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=\n# End implicitly added github.com\n`
+    knownHosts += `# Begin implicitly added github.com\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n# End implicitly added github.com\n`
     this.sshKnownHostsPath = path.join(runnerTemp, `${uniqueId}_known_hosts`)
     stateHelper.setSshKnownHostsPath(this.sshKnownHostsPath)
     await fs.promises.writeFile(this.sshKnownHostsPath, knownHosts)
@@ -366,8 +343,7 @@ class GitAuthHelper {
 
     const pattern = regexpHelper.escape(configKey)
     await this.git.submoduleForeach(
-      // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-      `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
+      `git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :`,
       true
     )
   }

src/git-command-manager.ts

@@ -21,8 +21,7 @@ export interface IGitCommandManager {
   config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean,
-    add?: boolean
+    globalConfig?: boolean
   ): Promise<void>
   configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
   fetch(refSpec: string[], fetchDepth?: number): Promise<void>
@@ -141,15 +140,14 @@ class GitCommandManager {
   async config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean,
-    add?: boolean
+    globalConfig?: boolean
   ): Promise<void> {
-    const args: string[] = ['config', globalConfig ? '--global' : '--local']
-    if (add) {
-      args.push('--add')
-    }
-    args.push(...[configKey, configValue])
-    await this.execGit(args)
+    await this.execGit([
+      'config',
+      globalConfig ? '--global' : '--local',
+      configKey,
+      configValue
+    ])
   }
 
   async configExists(

src/git-source-provider.ts

@@ -36,94 +36,68 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   const git = await getGitCommandManager(settings)
   core.endGroup()
 
-  let authHelper: gitAuthHelper.IGitAuthHelper | null = null
-  try {
-    if (git) {
-      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.setSafeDirectory) {
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
-        )
+  // Prepare existing directory, otherwise recreate
+  if (isExisting) {
+    await gitDirectoryHelper.prepareExistingDirectory(
+      git,
+      settings.repositoryPath,
+      repositoryUrl,
+      settings.clean,
+      settings.ref
+    )
+  }
 
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
-
-        stateHelper.setSafeDirectory()
-      }
-    }
-
-    // Prepare existing directory, otherwise recreate
-    if (isExisting) {
-      await gitDirectoryHelper.prepareExistingDirectory(
-        git,
-        settings.repositoryPath,
-        repositoryUrl,
-        settings.clean,
-        settings.ref
+  if (!git) {
+    // Downloading using REST API
+    core.info(`The repository will be downloaded using the GitHub REST API`)
+    core.info(
+      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+    )
+    if (settings.submodules) {
+      throw new Error(
+        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+      )
+    } else if (settings.sshKey) {
+      throw new Error(
+        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
       )
     }
 
-    if (!git) {
-      // Downloading using REST API
-      core.info(`The repository will be downloaded using the GitHub REST API`)
-      core.info(
-        `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
-      )
-      if (settings.submodules) {
-        throw new Error(
-          `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-        )
-      } else if (settings.sshKey) {
-        throw new Error(
-          `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-        )
-      }
+    await githubApiHelper.downloadRepository(
+      settings.authToken,
+      settings.repositoryOwner,
+      settings.repositoryName,
+      settings.ref,
+      settings.commit,
+      settings.repositoryPath
+    )
+    return
+  }
 
-      await githubApiHelper.downloadRepository(
-        settings.authToken,
-        settings.repositoryOwner,
-        settings.repositoryName,
-        settings.ref,
-        settings.commit,
-        settings.repositoryPath
-      )
-      return
-    }
+  // Save state for POST action
+  stateHelper.setRepositoryPath(settings.repositoryPath)
 
-    // Save state for POST action
-    stateHelper.setRepositoryPath(settings.repositoryPath)
-
-    // Initialize the repository
-    if (
-      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
-    ) {
-      core.startGroup('Initializing the repository')
-      await git.init()
-      await git.remoteAdd('origin', repositoryUrl)
-      core.endGroup()
-    }
-
-    // Disable automatic garbage collection
-    core.startGroup('Disabling automatic garbage collection')
-    if (!(await git.tryDisableAutomaticGarbageCollection())) {
-      core.warning(
-        `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
-      )
-    }
+  // Initialize the repository
+  if (
+    !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
+  ) {
+    core.startGroup('Initializing the repository')
+    await git.init()
+    await git.remoteAdd('origin', repositoryUrl)
     core.endGroup()
+  }
 
-    // If we didn't initialize it above, do it now
-    if (!authHelper) {
-      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    }
+  // Disable automatic garbage collection
+  core.startGroup('Disabling automatic garbage collection')
+  if (!(await git.tryDisableAutomaticGarbageCollection())) {
+    core.warning(
+      `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
+    )
+  }
+  core.endGroup()
+
+  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+  try {
     // Configure auth
     core.startGroup('Setting up auth')
     await authHelper.configureAuth()
@@ -196,26 +170,34 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
 
     // Submodules
     if (settings.submodules) {
-      // Temporarily override global config
-      core.startGroup('Setting up auth for fetching submodules')
-      await authHelper.configureGlobalAuth()
-      core.endGroup()
-
-      // Checkout submodules
-      core.startGroup('Fetching submodules')
-      await git.submoduleSync(settings.nestedSubmodules)
-      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
-      await git.submoduleForeach(
-        'git config --local gc.auto 0',
-        settings.nestedSubmodules
-      )
-      core.endGroup()
-
-      // Persist credentials
-      if (settings.persistCredentials) {
-        core.startGroup('Persisting credentials for submodules')
-        await authHelper.configureSubmoduleAuth()
+      try {
+        // Temporarily override global config
+        core.startGroup('Setting up auth for fetching submodules')
+        await authHelper.configureGlobalAuth()
         core.endGroup()
+
+        // Checkout submodules
+        core.startGroup('Fetching submodules')
+        await git.submoduleSync(settings.nestedSubmodules)
+        await git.submoduleUpdate(
+          settings.fetchDepth,
+          settings.nestedSubmodules
+        )
+        await git.submoduleForeach(
+          'git config --local gc.auto 0',
+          settings.nestedSubmodules
+        )
+        core.endGroup()
+
+        // Persist credentials
+        if (settings.persistCredentials) {
+          core.startGroup('Persisting credentials for submodules')
+          await authHelper.configureSubmoduleAuth()
+          core.endGroup()
+        }
+      } finally {
+        // Remove temporary global config override
+        await authHelper.removeGlobalAuth()
       }
     }
 
@@ -236,13 +218,10 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     )
   } finally {
     // Remove auth
-    if (authHelper) {
-      if (!settings.persistCredentials) {
-        core.startGroup('Removing auth')
-        await authHelper.removeAuth()
-        core.endGroup()
-      }
-      authHelper.removeGlobalConfig()
+    if (!settings.persistCredentials) {
+      core.startGroup('Removing auth')
+      await authHelper.removeAuth()
+      core.endGroup()
     }
   }
 }
@@ -265,26 +244,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
 
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
-  try {
-    if (stateHelper.PostSetSafeDirectory) {
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
-    }
-
-    await authHelper.removeAuth()
-  } finally {
-    await authHelper.removeGlobalConfig()
-  }
+  await authHelper.removeAuth()
 }
 
 async function getGitCommandManager(

src/git-source-settings.ts

@@ -73,14 +73,4 @@ export interface IGitSourceSettings {
    * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
    */
   persistCredentials: boolean
-
-  /**
-   * Organization ID for the currently running workflow (used for auth settings)
-   */
-  workflowOrganizationId: number | undefined
-
-  /**
-   * Indicates whether to add repositoryPath as safe.directory in git global config
-   */
-  setSafeDirectory: boolean
 }

src/input-helper.ts

@@ -2,10 +2,9 @@ import * as core from '@actions/core'
 import * as fsHelper from './fs-helper'
 import * as github from '@actions/github'
 import * as path from 'path'
-import * as workflowContextHelper from './workflow-context-helper'
 import {IGitSourceSettings} from './git-source-settings'
 
-export async function getInputs(): Promise<IGitSourceSettings> {
+export function getInputs(): IGitSourceSettings {
   const result = ({} as unknown) as IGitSourceSettings
 
   // GitHub workspace
@@ -119,11 +118,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   result.persistCredentials =
     (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
-  // Workflow organization ID
-  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
-
-  // Set safe.directory in git global config.
-  result.setSafeDirectory =
-    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/main.ts

@@ -7,7 +7,7 @@ import * as stateHelper from './state-helper'
 
 async function run(): Promise<void> {
   try {
-    const sourceSettings = await inputHelper.getInputs()
+    const sourceSettings = inputHelper.getInputs()
 
     try {
       // Register problem matcher

src/misc/licensed-check.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed status
+_temp/licensed-3.3.1/licensed status

src/misc/licensed-download.sh

@@ -2,23 +2,23 @@
 
 set -e
 
-if [ ! -f _temp/licensed-3.6.0.done ]; then
+if [ ! -f _temp/licensed-3.3.1.done ]; then
   echo 'Clearing temp'
-  rm -rf _temp/licensed-3.6.0 || true
+  rm -rf _temp/licensed-3.3.1 || true
 
   echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.6.0
-  pushd _temp/licensed-3.6.0
+  mkdir -p _temp/licensed-3.3.1
+  pushd _temp/licensed-3.3.1
   if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
   else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
   fi
 
   echo 'Extracting licenesed'
   tar -xzf licensed.tar.gz
   popd
-  touch _temp/licensed-3.6.0.done
+  touch _temp/licensed-3.3.1.done
 else
   echo 'Licensed already downloaded'
 fi

src/misc/licensed-generate.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.6.0/licensed cache
+_temp/licensed-3.3.1/licensed cache

src/state-helper.ts

@@ -1,60 +1,58 @@
-import * as core from '@actions/core'
+import * as coreCommand from '@actions/core/lib/command'
 
 /**
  * Indicates whether the POST action is running
  */
-export const IsPost = !!core.getState('isPost')
+export const IsPost = !!process.env['STATE_isPost']
 
 /**
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
-export const RepositoryPath = core.getState('repositoryPath')
-
-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-export const PostSetSafeDirectory = core.getState('setSafeDirectory') === 'true'
+export const RepositoryPath =
+  (process.env['STATE_repositoryPath'] as string) || ''
 
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
-export const SshKeyPath = core.getState('sshKeyPath')
+export const SshKeyPath = (process.env['STATE_sshKeyPath'] as string) || ''
 
 /**
  * The SSH known hosts path for the POST action. The value is empty during the MAIN action.
  */
-export const SshKnownHostsPath = core.getState('sshKnownHostsPath')
+export const SshKnownHostsPath =
+  (process.env['STATE_sshKnownHostsPath'] as string) || ''
 
 /**
  * Save the repository path so the POST action can retrieve the value.
  */
 export function setRepositoryPath(repositoryPath: string) {
-  core.saveState('repositoryPath', repositoryPath)
+  coreCommand.issueCommand(
+    'save-state',
+    {name: 'repositoryPath'},
+    repositoryPath
+  )
 }
 
 /**
  * Save the SSH key path so the POST action can retrieve the value.
  */
 export function setSshKeyPath(sshKeyPath: string) {
-  core.saveState('sshKeyPath', sshKeyPath)
+  coreCommand.issueCommand('save-state', {name: 'sshKeyPath'}, sshKeyPath)
 }
 
 /**
  * Save the SSH known hosts path so the POST action can retrieve the value.
  */
 export function setSshKnownHostsPath(sshKnownHostsPath: string) {
-  core.saveState('sshKnownHostsPath', sshKnownHostsPath)
-}
-
-/**
- * Save the sef-safe-directory input so the POST action can retrieve the value.
- */
-export function setSafeDirectory() {
-  core.saveState('setSafeDirectory', 'true')
+  coreCommand.issueCommand(
+    'save-state',
+    {name: 'sshKnownHostsPath'},
+    sshKnownHostsPath
+  )
 }
 
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {
-  core.saveState('isPost', 'true')
+  coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
 }

src/workflow-context-helper.ts

@@ -1,30 +0,0 @@
-import * as core from '@actions/core'
-import * as fs from 'fs'
-
-/**
- * Gets the organization ID of the running workflow or undefined if the value cannot be loaded from the GITHUB_EVENT_PATH
- */
-export async function getOrganizationId(): Promise<number | undefined> {
-  try {
-    const eventPath = process.env.GITHUB_EVENT_PATH
-    if (!eventPath) {
-      core.debug(`GITHUB_EVENT_PATH is not defined`)
-      return
-    }
-
-    const content = await fs.promises.readFile(eventPath, {encoding: 'utf8'})
-    const event = JSON.parse(content)
-    const id = event?.repository?.owner?.id
-    if (typeof id !== 'number') {
-      core.debug('Repository owner ID not found within GITHUB event info')
-      return
-    }
-
-    return id as number
-  } catch (err) {
-    core.debug(
-      `Unable to load organization ID from GITHUB_EVENT_PATH: ${(err as any)
-        .message || err}`
-    )
-  }
-}