actions/checkout
1
0
Fork 0
mirror of https://github.com/actions/checkout.git synced 2025-10-19 01:08:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
eric sciple 2025-10-16 21:58:52 +00:00
parent 2bcd7c6585
commit e4894fca20
7 changed files with 199 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
__test__/git-auth-helper.test.ts
View File

@ -872,8 +872,53 @@ async function setup(testName: string): Promise<void> {
return true return true
} }
), ),
tryConfigUnsetValue: jest.fn(
async (key: string, value: string, globalConfig?: boolean): Promise<boolean> => {
const configPath = globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath
let content = await fs.promises.readFile(configPath)
let lines = content
.toString()
.split('\n')
.filter(x => x)
.filter(x => !(x.startsWith(key) && x.includes(value)))
await fs.promises.writeFile(configPath, lines.join('\n'))
return true
}
),
tryDisableAutomaticGarbageCollection: jest.fn(), tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(), tryGetFetchUrl: jest.fn(),
tryGetConfigValues: jest.fn(
async (key: string, globalConfig?: boolean): Promise<string[]> => {
const configPath = globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath
const content = await fs.promises.readFile(configPath)
const lines = content
.toString()
.split('\n')
.filter(x => x && x.startsWith(key))
.map(x => x.substring(key.length).trim())
return lines
}
),
tryGetConfigKeys: jest.fn(
async (pattern: string, globalConfig?: boolean): Promise<string[]> => {
const configPath = globalConfig
? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
: localGitConfigPath
const content = await fs.promises.readFile(configPath)
const lines = content
.toString()
.split('\n')
.filter(x => x)
const keys = lines
.filter(x => new RegExp(pattern).test(x.split(' ')[0]))
.map(x => x.split(' ')[0])
return [...new Set(keys)] // Remove duplicates
}
),
tryReset: jest.fn(), tryReset: jest.fn(),
version: jest.fn() version: jest.fn()
} }

3
__test__/git-directory-helper.test.ts
View File

@ -493,12 +493,15 @@ async function setup(testName: string): Promise<void> {
return true return true
}), }),
tryConfigUnset: jest.fn(), tryConfigUnset: jest.fn(),
tryConfigUnsetValue: jest.fn(),
tryDisableAutomaticGarbageCollection: jest.fn(), tryDisableAutomaticGarbageCollection: jest.fn(),
tryGetFetchUrl: jest.fn(async () => { tryGetFetchUrl: jest.fn(async () => {
// Sanity check - this function shouldn't be called when the .git directory doesn't exist // Sanity check - this function shouldn't be called when the .git directory doesn't exist
await fs.promises.stat(path.join(repositoryPath, '.git')) await fs.promises.stat(path.join(repositoryPath, '.git'))
return repositoryUrl return repositoryUrl
}), }),
tryGetConfigValues: jest.fn(),
tryGetConfigKeys: jest.fn(),
tryReset: jest.fn(async () => { tryReset: jest.fn(async () => {
return true return true
}), }),

2
__test__/verify-submodules-recursive.sh
View File

@ -17,7 +17,7 @@ fi
echo "Testing persisted credential" echo "Testing persisted credential"
pushd ./submodules-recursive/submodule-level-1/submodule-level-2 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
git config --local --name-only --get-regexp '^includeIf\.' && git fetch git config --local --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential" echo "Failed to validate persisted credential"
popd popd

2
__test__/verify-submodules-true.sh
View File

@ -17,7 +17,7 @@ fi
echo "Testing persisted credential" echo "Testing persisted credential"
pushd ./submodules-true/submodule-level-1 pushd ./submodules-true/submodule-level-1
git config --local --name-only --get-regexp '^includeIf\.' && git fetch git config --local --name-only --get-regexp http.+extraheader && git fetch
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo "Failed to validate persisted credential" echo "Failed to validate persisted credential"
popd popd

67
dist/index.js vendored
View File

@ -474,11 +474,29 @@ class GitAuthHelper {
// Remove HTTP extra header // Remove HTTP extra header
yield this.removeGitConfig(this.tokenConfigKey); yield this.removeGitConfig(this.tokenConfigKey);
yield this.removeSubmoduleGitConfig(this.tokenConfigKey); yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
// Remove includeIf // Remove includeIf entries that point to git-credentials-*.config files
for (const includeKey of this.credentialsIncludeKeys) { // This is more aggressive than tracking keys, but necessary since cleanup
yield this.removeGitConfig(includeKey); // runs in a post-step where this.credentialsIncludeKeys is empty
try {
// Get all includeIf.gitdir keys
const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:');
for (const key of keys) {
// Get all values for this key
const values = yield this.git.tryGetConfigValues(key);
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
yield this.git.tryConfigUnsetValue(key, value);
}
}
}
}
}
catch (err) {
// Ignore errors - this is cleanup code
core.debug(`Error during includeIf cleanup: ${err}`);
} }
this.credentialsIncludeKeys = [];
// Remove submodule includeIf // Remove submodule includeIf
yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`, true); yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`, true);
// Remove credentials config file // Remove credentials config file
@ -922,6 +940,18 @@ class GitCommandManager {
return output.exitCode === 0; return output.exitCode === 0;
}); });
} }
tryConfigUnsetValue(configKey, configValue, globalConfig) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--unset',
configKey,
configValue
], true);
return output.exitCode === 0;
});
}
tryDisableAutomaticGarbageCollection() { tryDisableAutomaticGarbageCollection() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true); const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
@ -941,6 +971,35 @@ class GitCommandManager {
return stdout; return stdout;
}); });
} }
tryGetConfigValues(configKey, globalConfig) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--get-all',
configKey
], true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout.trim().split('\n').filter(value => value.trim());
});
}
tryGetConfigKeys(pattern, globalConfig) {
return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit([
'config',
globalConfig ? '--global' : '--local',
'--name-only',
'--get-regexp',
pattern
], true);
if (output.exitCode !== 0) {
return [];
}
return output.stdout.trim().split('\n').filter(key => key.trim());
});
}
tryReset() { tryReset() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const output = yield this.execGit(['reset', '--hard', 'HEAD'], true); const output = yield this.execGit(['reset', '--hard', 'HEAD'], true);

26
src/git-auth-helper.ts
View File

@ -448,11 +448,29 @@ class GitAuthHelper {
await this.removeGitConfig(this.tokenConfigKey) await this.removeGitConfig(this.tokenConfigKey)
await this.removeSubmoduleGitConfig(this.tokenConfigKey) await this.removeSubmoduleGitConfig(this.tokenConfigKey)
// Remove includeIf // Remove includeIf entries that point to git-credentials-*.config files
for (const includeKey of this.credentialsIncludeKeys) { // This is more aggressive than tracking keys, but necessary since cleanup
await this.removeGitConfig(includeKey) // runs in a post-step where this.credentialsIncludeKeys is empty
try {
// Get all includeIf.gitdir keys
const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:')
for (const key of keys) {
// Get all values for this key
const values = await this.git.tryGetConfigValues(key)
if (values.length > 0) {
// Remove only values that match git-credentials-<uuid>.config pattern
for (const value of values) {
if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
await this.git.tryConfigUnsetValue(key, value)
}
}
}
}
} catch (err) {
// Ignore errors - this is cleanup code
core.debug(`Error during includeIf cleanup: ${err}`)
} }
this.credentialsIncludeKeys = []
// Remove submodule includeIf // Remove submodule includeIf
await this.git.submoduleForeach( await this.git.submoduleForeach(

64
src/git-command-manager.ts
View File

@ -60,8 +60,11 @@ export interface IGitCommandManager {
tagExists(pattern: string): Promise<boolean> tagExists(pattern: string): Promise<boolean>
tryClean(): Promise<boolean> tryClean(): Promise<boolean>
tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean> tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
tryConfigUnsetValue(configKey: string, configValue: string, globalConfig?: boolean): Promise<boolean>
tryDisableAutomaticGarbageCollection(): Promise<boolean> tryDisableAutomaticGarbageCollection(): Promise<boolean>
tryGetFetchUrl(): Promise<string> tryGetFetchUrl(): Promise<string>
tryGetConfigValues(configKey: string, globalConfig?: boolean): Promise<string[]>
tryGetConfigKeys(pattern: string, globalConfig?: boolean): Promise<string[]>
tryReset(): Promise<boolean> tryReset(): Promise<boolean>
version(): Promise<GitVersion> version(): Promise<GitVersion>
} }
@ -462,6 +465,24 @@ class GitCommandManager {
return output.exitCode === 0 return output.exitCode === 0
} }
async tryConfigUnsetValue(
configKey: string,
configValue: string,
globalConfig?: boolean
): Promise<boolean> {
const output = await this.execGit(
[
'config',
globalConfig ? '--global' : '--local',
'--unset',
configKey,
configValue
],
true
)
return output.exitCode === 0
}
async tryDisableAutomaticGarbageCollection(): Promise<boolean> { async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
const output = await this.execGit( const output = await this.execGit(
['config', '--local', 'gc.auto', '0'], ['config', '--local', 'gc.auto', '0'],
@ -488,6 +509,49 @@ class GitCommandManager {
return stdout return stdout
} }
async tryGetConfigValues(
configKey: string,
globalConfig?: boolean
): Promise<string[]> {
const output = await this.execGit(
[
'config',
globalConfig ? '--global' : '--local',
'--get-all',
configKey
],
true
)
if (output.exitCode !== 0) {
return []
}
return output.stdout.trim().split('\n').filter(value => value.trim())
}
async tryGetConfigKeys(
pattern: string,
globalConfig?: boolean
): Promise<string[]> {
const output = await this.execGit(
[
'config',
globalConfig ? '--global' : '--local',
'--name-only',
'--get-regexp',
pattern
],
true
)
if (output.exitCode !== 0) {
return []
}
return output.stdout.trim().split('\n').filter(key => key.trim())
}
async tryReset(): Promise<boolean> { async tryReset(): Promise<boolean> {
const output = await this.execGit(['reset', '--hard', 'HEAD'], true) const output = await this.execGit(['reset', '--hard', 'HEAD'], true)
return output.exitCode === 0 return output.exitCode === 0