Compare commits

..

21 Commits

Author SHA1 Message Date
eric sciple
4a1fa615de . 2019-12-10 01:52:10 -05:00
eric sciple
19fb09ae8f . 2019-12-10 01:50:41 -05:00
eric sciple
bb56c8569a . 2019-12-10 01:44:30 -05:00
eric sciple
ba329ee889 . 2019-12-10 01:42:25 -05:00
eric sciple
a039094e93 . 2019-12-10 01:40:30 -05:00
eric sciple
64fcc0c59a . 2019-12-10 01:32:25 -05:00
eric sciple
35bb830cfd . 2019-12-09 20:07:49 -05:00
eric sciple
54a7542872 . 2019-12-09 20:06:34 -05:00
eric sciple
8ade6aebfa . 2019-12-09 20:04:52 -05:00
eric sciple
bf32513e49 . 2019-12-09 19:39:49 -05:00
eric sciple
675d935214 . 2019-12-09 19:39:01 -05:00
eric sciple
e7d8850882 . 2019-12-09 19:37:05 -05:00
eric sciple
1475d13f7a . 2019-12-09 19:36:02 -05:00
eric sciple
34b9c46c61 . 2019-12-09 19:31:21 -05:00
eric sciple
255d69d4c5 . 2019-12-09 19:26:59 -05:00
eric sciple
c124b3fb75 . 2019-12-09 19:17:39 -05:00
eric sciple
afff79a5a2 . 2019-12-09 19:16:06 -05:00
eric sciple
306dc1c898 . 2019-12-09 19:15:39 -05:00
eric sciple
d415b27760 . 2019-12-09 17:06:03 -05:00
eric sciple
4af80cb867 . 2019-12-09 17:01:19 -05:00
eric sciple
ad6dd29a96 fallback to REST API to download repo 2019-12-09 16:54:42 -05:00
21 changed files with 662 additions and 2212 deletions

View File

@@ -6,35 +6,32 @@ on:
branches: branches:
- master - master
- releases/* - releases/*
- users/ericsciple/*
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/setup-node@v1 - uses: actions/checkout@v2-beta
with: # - run: npm ci
node-version: 12.x # - run: npm run build
- uses: actions/checkout@v2 # - run: npm run format-check
- run: npm ci # - run: npm run lint
- run: npm run build # - run: npm run pack
- run: npm run format-check # - run: npm run gendocs
- run: npm run lint # - name: Verify no unstaged changes
- run: npm run pack # run: __test__/verify-no-unstaged-changes.sh
- run: npm run gendocs
- run: npm test
- name: Verify no unstaged changes
run: __test__/verify-no-unstaged-changes.sh
test: # test:
strategy: # strategy:
matrix: # matrix:
runs-on: [ubuntu-latest, macos-latest, windows-latest] # runs-on: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.runs-on }} # runs-on: ${{ matrix.runs-on }}
steps: # steps:
# Clone this repo # # Clone this repo
- name: Checkout # - name: Checkout
uses: actions/checkout@v2 # uses: actions/checkout@v1 # todo: switch to V2
# Basic checkout # Basic checkout
- name: Basic checkout - name: Basic checkout
@@ -42,139 +39,46 @@ jobs:
with: with:
ref: test-data/v2/basic ref: test-data/v2/basic
path: basic path: basic
- name: Verify basic # - name: Verify basic
shell: bash # shell: bash
run: __test__/verify-basic.sh # run: __test__/verify-basic.sh
# Clean # # Clean
- name: Modify work tree # - name: Modify work tree
shell: bash # shell: bash
run: __test__/modify-work-tree.sh # run: __test__/modify-work-tree.sh
- name: Clean checkout # - name: Clean checkout
uses: ./ # uses: ./
with: # with:
ref: test-data/v2/basic # ref: test-data/v2/basic
path: basic # path: basic
- name: Verify clean # - name: Verify clean
shell: bash # shell: bash
run: __test__/verify-clean.sh # run: __test__/verify-clean.sh
# Side by side # # Side by side
- name: Side by side checkout 1 # - name: Side by side checkout 1
uses: ./ # uses: ./
with: # with:
ref: test-data/v2/side-by-side-1 # ref: test-data/v2/side-by-side-1
path: side-by-side-1 # path: side-by-side-1
- name: Side by side checkout 2 # - name: Side by side checkout 2
uses: ./ # uses: ./
with: # with:
ref: test-data/v2/side-by-side-2 # ref: test-data/v2/side-by-side-2
path: side-by-side-2 # path: side-by-side-2
- name: Verify side by side # - name: Verify side by side
shell: bash # shell: bash
run: __test__/verify-side-by-side.sh # run: __test__/verify-side-by-side.sh
# LFS # # LFS
- name: LFS checkout # - name: LFS checkout
uses: ./ # uses: ./
with: # with:
repository: actions/checkout # hardcoded, otherwise doesn't work from a fork # repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
ref: test-data/v2/lfs # ref: test-data/v2/lfs
path: lfs # path: lfs
lfs: true # lfs: true
- name: Verify LFS # - name: Verify LFS
shell: bash # shell: bash
run: __test__/verify-lfs.sh # run: __test__/verify-lfs.sh
# Basic checkout using REST API
- name: Remove basic
if: runner.os != 'windows'
run: rm -rf basic
- name: Remove basic (Windows)
if: runner.os == 'windows'
shell: cmd
run: rmdir /s /q basic
- name: Override git version
if: runner.os != 'windows'
run: __test__/override-git-version.sh
- name: Override git version (Windows)
if: runner.os == 'windows'
run: __test__\\override-git-version.cmd
- name: Basic checkout using REST API
uses: ./
with:
ref: test-data/v2/basic
path: basic
- name: Verify basic
run: __test__/verify-basic.sh --archive
test-proxy:
runs-on: ubuntu-latest
container:
image: alpine/git:latest
options: --dns 127.0.0.1
services:
squid-proxy:
image: datadog/squid:latest
ports:
- 3128:3128
env:
https_proxy: http://squid-proxy:3128
steps:
# Clone this repo
- name: Checkout
uses: actions/checkout@v2
# Basic checkout using git
- name: Basic checkout
uses: ./
with:
ref: test-data/v2/basic
path: basic
- name: Verify basic
run: __test__/verify-basic.sh
# Basic checkout using REST API
- name: Remove basic
run: rm -rf basic
- name: Override git version
run: __test__/override-git-version.sh
- name: Basic checkout using REST API
uses: ./
with:
ref: test-data/v2/basic
path: basic
- name: Verify basic
run: __test__/verify-basic.sh --archive
test-bypass-proxy:
runs-on: ubuntu-latest
env:
https_proxy: http://no-such-proxy:3128
no_proxy: api.github.com,github.com
steps:
# Clone this repo
- name: Checkout
uses: actions/checkout@v2
# Basic checkout using git
- name: Basic checkout
uses: ./
with:
ref: test-data/v2/basic
path: basic
- name: Verify basic
run: __test__/verify-basic.sh
- name: Remove basic
run: rm -rf basic
# Basic checkout using REST API
- name: Override git version
run: __test__/override-git-version.sh
- name: Basic checkout using REST API
uses: ./
with:
ref: test-data/v2/basic
path: basic
- name: Verify basic
run: __test__/verify-basic.sh --archive

168
README.md
View File

@@ -2,30 +2,29 @@
<a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a> <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
</p> </p>
# Checkout V2 # Checkout V2 beta
This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it. This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth` to fetch more history. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events. By default, the repository that triggered the workflow is checked-out, for the ref/SHA that triggered the event.
The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
# What's new # What's new
- Improved performance - Improved fetch performance
- Fetches only a single commit by default - The default behavior now fetches only the SHA being checked-out
- Script authenticated git commands - Script authenticated git commands
- Auth token persisted in the local git config - Persists `with.token` in the local git config
- Enables your scripts to run authenticated git commands
- Post-job cleanup removes the token
- Coming soon: Opt out by setting `with.persist-credentials` to `false`
- Creates a local branch - Creates a local branch
- No longer detached HEAD when checking out a branch - No longer detached HEAD when checking out a branch
- A local branch is created with the corresponding upstream branch set
- Improved layout - Improved layout
- The input `path` is always relative to $GITHUB_WORKSPACE - `with.path` is always relative to `github.workspace`
- Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in - Aligns better with container actions, where `github.workspace` gets mapped in
- Fallback to REST API download
- When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
- When using a job container, the container's PATH is used
- Removed input `submodules` - Removed input `submodules`
Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions. Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@@ -34,28 +33,21 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
<!-- start usage --> <!-- start usage -->
```yaml ```yaml
- uses: actions/checkout@v2 - uses: actions/checkout@v2-beta
with: with:
# Repository name with owner. For example, actions/checkout # Repository name with owner. For example, actions/checkout
# Default: ${{ github.repository }} # Default: ${{ github.repository }}
repository: '' repository: ''
# The branch, tag or SHA to checkout. When checking out the repository that # The branch, tag or SHA to checkout. When checking out the repository that
# triggered a workflow, this defaults to the reference or SHA for that event. # triggered a workflow, this defaults to the reference or SHA for that event.
# Otherwise, defaults to `master`. # Otherwise, defaults to `master`.
ref: '' ref: ''
# Auth token used to fetch the repository. The token is stored in the local git # Access token for clone repository
# config, which enables your scripts to run authenticated git commands. The
# post-job step removes the token from the git config. [Learn more about creating
# and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
# Default: ${{ github.token }} # Default: ${{ github.token }}
token: '' token: ''
# Whether to persist the token in the git config
# Default: true
persist-credentials: ''
# Relative path under $GITHUB_WORKSPACE to place the repository # Relative path under $GITHUB_WORKSPACE to place the repository
path: '' path: ''
@@ -73,141 +65,31 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
``` ```
<!-- end usage --> <!-- end usage -->
# Scenarios
- [Checkout a different branch](#Checkout-a-different-branch)
- [Checkout HEAD^](#Checkout-HEAD)
- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
- [Checkout submodules](#Checkout-submodules)
- [Fetch all tags](#Fetch-all-tags)
- [Fetch all branches](#Fetch-all-branches)
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
## Checkout a different branch ## Checkout a different branch
```yaml ```yaml
- uses: actions/checkout@v2 - uses: actions/checkout@v2-beta
with: with:
ref: my-branch ref: some-branch
``` ```
## Checkout HEAD^ ## Checkout a different, private repository
```yaml ```yaml
- uses: actions/checkout@v2 - uses: actions/checkout@v2-beta
with: with:
fetch-depth: 2 repository: myAccount/myRepository
- run: git checkout HEAD^ ref: refs/heads/master
```
## Checkout multiple repos (side by side)
```yaml
- name: Checkout
uses: actions/checkout@v2
with:
path: main
- name: Checkout tools repo
uses: actions/checkout@v2
with:
repository: my-org/my-tools
path: my-tools
```
## Checkout multiple repos (nested)
```yaml
- name: Checkout
uses: actions/checkout@v2
- name: Checkout tools repo
uses: actions/checkout@v2
with:
repository: my-org/my-tools
path: my-tools
```
## Checkout multiple repos (private)
```yaml
- name: Checkout
uses: actions/checkout@v2
with:
path: main
- name: Checkout private tools
uses: actions/checkout@v2
with:
repository: my-org/my-private-tools
token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
path: my-tools
``` ```
> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout another repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line). ## Checkout the HEAD commit of a PR, rather than the merge commit
## Checkout pull request HEAD commit instead of merge commit
```yaml ```yaml
- uses: actions/checkout@v2 - uses: actions/checkout@v2-beta
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.after }}
```
## Checkout pull request on closed event
```yaml
on:
pull_request:
branches: [master]
types: [opened, synchronize, closed]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
```
## Checkout submodules
```yaml
- uses: actions/checkout@v2
- name: Checkout submodules
shell: bash
run: |
# If your submodules are configured to use SSH instead of HTTPS please uncomment the following line
# git config --global url."https://github.com/".insteadOf "git@github.com:"
auth_header="$(git config --local --get http.https://github.com/.extraheader)"
git submodule sync --recursive
git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
```
## Fetch all tags
```yaml
- uses: actions/checkout@v2
- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
```
## Fetch all branches
```yaml
- uses: actions/checkout@v2
- run: |
git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
```
## Fetch all history for all tags and branches
```yaml
- uses: actions/checkout@v2
- run: |
git fetch --prune --unshallow
``` ```
# License # License

View File

@@ -1,44 +1,47 @@
import * as assert from 'assert' import * as assert from 'assert'
import * as core from '@actions/core'
import * as fsHelper from '../lib/fs-helper'
import * as github from '@actions/github'
import * as inputHelper from '../lib/input-helper'
import * as path from 'path' import * as path from 'path'
import {ISourceSettings} from '../lib/git-source-provider' import {ISourceSettings} from '../lib/git-source-provider'
const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE'] const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
const gitHubWorkspace = path.resolve('/checkout-tests/workspace') const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
// Inputs for mock @actions/core // Late bind
let inputs = {} as any let inputHelper: any
// Shallow clone original @actions/github context // Mock @actions/core
let originalContext = {...github.context} let inputs = {} as any
const mockCore = jest.genMockFromModule('@actions/core') as any
mockCore.getInput = (name: string) => {
return inputs[name]
}
// Mock @actions/github
const mockGitHub = jest.genMockFromModule('@actions/github') as any
mockGitHub.context = {
repo: {
owner: 'some-owner',
repo: 'some-repo'
},
ref: 'refs/heads/some-ref',
sha: '1234567890123456789012345678901234567890'
}
// Mock ./fs-helper
const mockFSHelper = jest.genMockFromModule('../lib/fs-helper') as any
mockFSHelper.directoryExistsSync = (path: string) => path == gitHubWorkspace
describe('input-helper tests', () => { describe('input-helper tests', () => {
beforeAll(() => { beforeAll(() => {
// Mock @actions/core getInput()
jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
return inputs[name]
})
// Mock @actions/github context
jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
return {
owner: 'some-owner',
repo: 'some-repo'
}
})
github.context.ref = 'refs/heads/some-ref'
github.context.sha = '1234567890123456789012345678901234567890'
// Mock ./fs-helper directoryExistsSync()
jest
.spyOn(fsHelper, 'directoryExistsSync')
.mockImplementation((path: string) => path == gitHubWorkspace)
// GitHub workspace // GitHub workspace
process.env['GITHUB_WORKSPACE'] = gitHubWorkspace process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
// Mocks
jest.setMock('@actions/core', mockCore)
jest.setMock('@actions/github', mockGitHub)
jest.setMock('../lib/fs-helper', mockFSHelper)
// Now import
inputHelper = require('../lib/input-helper')
}) })
beforeEach(() => { beforeEach(() => {
@@ -47,24 +50,20 @@ describe('input-helper tests', () => {
}) })
afterAll(() => { afterAll(() => {
// Restore GitHub workspace // Reset GitHub workspace
delete process.env['GITHUB_WORKSPACE'] delete process.env['GITHUB_WORKSPACE']
if (originalGitHubWorkspace) { if (originalGitHubWorkspace) {
process.env['GITHUB_WORKSPACE'] = originalGitHubWorkspace process.env['GITHUB_WORKSPACE'] = originalGitHubWorkspace
} }
// Restore @actions/github context // Reset modules
github.context.ref = originalContext.ref jest.resetModules()
github.context.sha = originalContext.sha
// Restore
jest.restoreAllMocks()
}) })
it('sets defaults', () => { it('sets defaults', () => {
const settings: ISourceSettings = inputHelper.getInputs() const settings: ISourceSettings = inputHelper.getInputs()
expect(settings).toBeTruthy() expect(settings).toBeTruthy()
expect(settings.authToken).toBeFalsy() expect(settings.accessToken).toBeFalsy()
expect(settings.clean).toBe(true) expect(settings.clean).toBe(true)
expect(settings.commit).toBeTruthy() expect(settings.commit).toBeTruthy()
expect(settings.commit).toBe('1234567890123456789012345678901234567890') expect(settings.commit).toBe('1234567890123456789012345678901234567890')
@@ -76,19 +75,6 @@ describe('input-helper tests', () => {
expect(settings.repositoryPath).toBe(gitHubWorkspace) expect(settings.repositoryPath).toBe(gitHubWorkspace)
}) })
it('qualifies ref', () => {
let originalRef = github.context.ref
try {
github.context.ref = 'some-unqualified-ref'
const settings: ISourceSettings = inputHelper.getInputs()
expect(settings).toBeTruthy()
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
} finally {
github.context.ref = originalRef
}
})
it('requires qualified repo', () => { it('requires qualified repo', () => {
inputs.repository = 'some-unqualified-repo' inputs.repository = 'some-unqualified-repo'
assert.throws(() => { assert.throws(() => {

View File

@@ -1,6 +0,0 @@
mkdir override-git-version
cd override-git-version
echo @echo override git version 1.2.3 > git.cmd
echo ::add-path::%CD%
cd ..

View File

@@ -1,9 +0,0 @@
#!/bin/sh
mkdir override-git-version
cd override-git-version
echo "#!/bin/sh" > git
echo "echo override git version 1.2.3" >> git
chmod +x git
echo "::add-path::$(pwd)"
cd ..

View File

@@ -1,87 +0,0 @@
import * as core from '@actions/core'
import {RetryHelper} from '../lib/retry-helper'
let info: string[]
let retryHelper: any
describe('retry-helper tests', () => {
beforeAll(() => {
// Mock @actions/core info()
jest.spyOn(core, 'info').mockImplementation((message: string) => {
info.push(message)
})
retryHelper = new RetryHelper(3, 0, 0)
})
beforeEach(() => {
// Reset info
info = []
})
afterAll(() => {
// Restore
jest.restoreAllMocks()
})
it('first attempt succeeds', async () => {
const actual = await retryHelper.execute(async () => {
return 'some result'
})
expect(actual).toBe('some result')
expect(info).toHaveLength(0)
})
it('second attempt succeeds', async () => {
let attempts = 0
const actual = await retryHelper.execute(() => {
if (++attempts == 1) {
throw new Error('some error')
}
return Promise.resolve('some result')
})
expect(attempts).toBe(2)
expect(actual).toBe('some result')
expect(info).toHaveLength(2)
expect(info[0]).toBe('some error')
expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
})
it('third attempt succeeds', async () => {
let attempts = 0
const actual = await retryHelper.execute(() => {
if (++attempts < 3) {
throw new Error(`some error ${attempts}`)
}
return Promise.resolve('some result')
})
expect(attempts).toBe(3)
expect(actual).toBe('some result')
expect(info).toHaveLength(4)
expect(info[0]).toBe('some error 1')
expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
expect(info[2]).toBe('some error 2')
expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
})
it('all attempts fail succeeds', async () => {
let attempts = 0
let error: Error = (null as unknown) as Error
try {
await retryHelper.execute(() => {
throw new Error(`some error ${++attempts}`)
})
} catch (err) {
error = err
}
expect(error.message).toBe('some error 3')
expect(attempts).toBe(3)
expect(info).toHaveLength(4)
expect(info[0]).toBe('some error 1')
expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
expect(info[2]).toBe('some error 2')
expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
})
})

View File

@@ -1,24 +1,10 @@
#!/bin/sh #!/bin/bash
if [ ! -f "./basic/basic-file.txt" ]; then if [ ! -f "./basic/basic-file.txt" ]; then
echo "Expected basic file does not exist" echo "Expected basic file does not exist"
exit 1 exit 1
fi fi
if [ "$1" = "--archive" ]; then # Verify auth token
# Verify no .git folder cd basic
if [ -d "./basic/.git" ]; then git fetch
echo "Did not expect ./basic/.git folder to exist"
exit 1
fi
else
# Verify .git folder
if [ ! -d "./basic/.git" ]; then
echo "Expected ./basic/.git folder to exist"
exit 1
fi
# Verify auth token
cd basic
git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
fi

View File

@@ -6,19 +6,12 @@ inputs:
default: ${{ github.repository }} default: ${{ github.repository }}
ref: ref:
description: > description: >
The branch, tag or SHA to checkout. When checking out the repository that The branch, tag or SHA to checkout. When checking out the repository
triggered a workflow, this defaults to the reference or SHA for that that triggered a workflow, this defaults to the reference or SHA for
event. Otherwise, defaults to `master`. that event. Otherwise, defaults to `master`.
token: token:
description: > description: 'Access token for clone repository'
Auth token used to fetch the repository. The token is stored in the local
git config, which enables your scripts to run authenticated git commands.
The post-job step removes the token from the git config. [Learn more about
creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
default: ${{ github.token }} default: ${{ github.token }}
persist-credentials:
description: 'Whether to persist the token in the git config'
default: true
path: path:
description: 'Relative path under $GITHUB_WORKSPACE to place the repository' description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
clean: clean:

View File

@@ -1,215 +0,0 @@
# ADR 0153: Checkout v2
**Date**: 2019-10-21
**Status**: Accepted
## Context
This ADR details the behavior for `actions/checkout@v2`.
The new action will be written in typescript. We are moving away from runner-plugin actions.
We want to take this opportunity to make behavioral changes, from v1. This document is scoped to those differences.
## Decision
### Inputs
```yaml
repository:
description: 'Repository name with owner. For example, actions/checkout'
default: ${{ github.repository }}
ref:
description: >
The branch, tag or SHA to checkout. When checking out the repository that
triggered a workflow, this defaults to the reference or SHA for that
event. Otherwise, defaults to `master`.
token:
description: >
Auth token used to fetch the repository. The token is stored in the local
git config, which enables your scripts to run authenticated git commands.
The post-job step removes the token from the git config. [Learn more about
creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
default: ${{ github.token }}
persist-credentials:
description: 'Whether to persist the token in the git config'
default: true
path:
description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
clean:
description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
default: true
fetch-depth:
description: 'Number of commits to fetch. 0 indicates all history.'
default: 1
fetch-refs:
description: >
Additional refs to fetch: `branches`, `tags`, `pr-base`, or `all`.
Combinations are also accepted. For example: `branches, tags`
default: ''
lfs:
description: 'Whether to download Git-LFS files'
default: false
```
Note:
- `fetch-refs` is new
- `persist-credentials` is new
- `path` behavior is different (refer [below](#path) for details)
- `submodules` was removed (error if specified; add later if needed)
### Fallback to GitHub API
When a sufficient version of git is not in the PATH, fallback to the [web API](https://developer.github.com/v3/repos/contents/#get-archive-link) to download a tarball/zipball.
Note:
- LFS files are not included in the archive. Therefore fail if LFS is set to true.
- Submodules are also not included in the archive. However submodules are not supported by checkout v2 anyway.
### Persist credentials
Persist the token in the git config (http.extraheader). This will allow users to script authenticated git commands, like `git fetch`.
A post script will remove the credentials from the git config (cleanup for self-hosted).
Users may opt-out by specifying `persist-credentials: false`
Note:
- Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance.
- The auth header (stored in the repo's git config), is scoped to all of github `http.https://github.com/.extraheader`
- Additional public remotes also just work.
- If users want to authenticate to an additional private remote, they should provide the `token` input.
- Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config.
- Users opt out of persisted credentials (`persist-credentials: false`), or can script the removal themselves (`git config --unset-all http.https://github.com/.extraheader`).
### Fetch behavior
Fetch only the SHA being built and set depth=1. This significantly reduces the fetch time for large repos.
If a SHA isn't available (e.g. multi repo), then fetch only the specified ref with depth=1.
The input `fetch-depth` can be used to control the depth.
The input `fetch-refs` can be used to fetch additional refs.
Note:
- Fetching a single commit is supported by Git wire protocol version 2. The git client uses protocol version 0 by default. The desired protocol version can be overridden in the git config or on the fetch command line invocation (`-c protocol.version=2`). We will override on the fetch command line, for transparency.
- Git client version 2.18+ (released June 2018) is required for wire protocol version 2.
### Checkout behavior
For CI, checkout will create a local ref with the upstream set. This allows users to script git as they normally would.
For PR, continue to checkout detached head. The PR branch is special - the branch and merge commit are created by the server. It doesn't match a users' local workflow.
Note:
- Consider deleting all local refs during cleanup if that helps avoid collisions. More testing required.
### Path
For the mainline scenario, the disk-layout behavior remains the same.
Remember, given the repo `johndoe/foo`, the mainline disk layout looks like:
```
GITHUB_WORKSPACE=/home/runner/work/foo/foo
RUNNER_WORKSPACE=/home/runner/work/foo
```
V2 introduces a new contraint on the checkout path. The location must now be under `github.workspace`. Whereas the checkout@v1 constraint was one level up, under `runner.workspace`.
V2 no longer changes `github.workspace` to follow wherever the self repo is checked-out.
These behavioral changes align better with container actions. The [documented filesystem contract](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#docker-container-filesystem) is:
- `/github/home`
- `/github/workspace` - Note: GitHub Actions must be run by the default Docker user (root). Ensure your Dockerfile does not set the USER instruction, otherwise you will not be able to access `GITHUB_WORKSPACE`.
- `/github/workflow`
Note:
- The tracking config will not be updated to reflect the path of the workflow repo.
- Any existing workflow repo will not be moved when the checkout path changes. In fact some customers want to checkout the workflow repo twice, side by side against different branches.
- Actions that need to operate only against the root of the self repo, should expose a `path` input.
#### Default value for `path` input
The `path` input will default to `./` which is rooted against `github.workspace`.
This default fits the mainline scenario well: single checkout
For multi-checkout, users must specify the `path` input for at least one of the repositories.
Note:
- An alternative is for the self repo to default to `./` and other repos default to `<REPO_NAME>`. However nested layout is an atypical git layout and therefore is not a good default. Users should supply the path info.
#### Example - Nested layout
The following example checks-out two repositories and creates a nested layout.
```yaml
# Self repo - Checkout to $GITHUB_WORKSPACE
- uses: checkout@v2
# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
- uses: checkout@v2
with:
repository: myorg/myscripts
path: myscripts
```
#### Example - Side by side layout
The following example checks-out two repositories and creates a side-by-side layout.
```yaml
# Self repo - Checkout to $GITHUB_WORKSPACE/foo
- uses: checkout@v2
with:
path: foo
# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
- uses: checkout@v2
with:
repository: myorg/myscripts
path: myscripts
```
#### Path impact to problem matchers
Problem matchers associate the source files with annotations.
Today the runner verifies the source file is under the `github.workspace`. Otherwise the source file property is dropped.
Multi-checkout complicates the matter. However even today submodules may cause this heuristic to be inaccurate.
A better solution is:
Given a source file path, walk up the directories until the first `.git/config` is found. Check if it matches the self repo (`url = https://github.com/OWNER/REPO`). If not, drop the source file path.
### Port to typescript
The checkout action should be a typescript action on the GitHub graph, for the following reasons:
- Enables customers to fork the checkout repo and modify
- Serves as an example for customers
- Demystifies the checkout action manifest
- Simplifies the runner
- Reduce the amount of runner code to port (if we ever do)
Note:
- This means job-container images will need git in the PATH, for checkout.
### Branching strategy and release tags
- Create a servicing branch for V1: `releases/v1`
- Merge the changes into `master`
- Release using a new tag `preview`
- When stable, release using a new tag `v2`
## Consequences
- Update the checkout action and readme
- Update samples to consume `actions/checkout@v2`
- Job containers now require git in the PATH for checkout, otherwise fallback to REST API
- Minimum git version 2.18
- Update problem matcher logic regarding source file verification (runner)

1416
dist/index.js vendored

File diff suppressed because one or more lines are too long

54
package-lock.json generated
View File

@@ -1,6 +1,6 @@
{ {
"name": "checkout", "name": "checkout",
"version": "2.0.2", "version": "2.0.0",
"lockfileVersion": 1, "lockfileVersion": 1,
"requires": true, "requires": true,
"dependencies": { "dependencies": {
@@ -15,30 +15,14 @@
"integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ==" "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
}, },
"@actions/github": { "@actions/github": {
"version": "2.1.0", "version": "2.0.0",
"resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz", "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.0.0.tgz",
"integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==", "integrity": "sha512-sNpZ5dJyJyfJIO5lNYx8r/Gha4Tlm8R0MLO2cBkGdOnAAEn3t1M/MHVcoBhY/VPfjGVe5RNAUPz+6INrViiUPA==",
"requires": { "requires": {
"@actions/http-client": "^1.0.3",
"@octokit/graphql": "^4.3.1", "@octokit/graphql": "^4.3.1",
"@octokit/rest": "^16.15.0" "@octokit/rest": "^16.15.0"
} }
}, },
"@actions/http-client": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
"integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
"requires": {
"tunnel": "0.0.6"
},
"dependencies": {
"tunnel": {
"version": "0.0.6",
"resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
"integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
}
}
},
"@actions/io": { "@actions/io": {
"version": "1.0.1", "version": "1.0.1",
"resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz", "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz",
@@ -613,14 +597,6 @@
"@types/yargs": "^13.0.0" "@types/yargs": "^13.0.0"
} }
}, },
"@octokit/auth-token": {
"version": "2.4.0",
"resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.4.0.tgz",
"integrity": "sha512-eoOVMjILna7FVQf96iWc3+ZtE/ZT6y8ob8ZzcqKY1ibSQCnu4O/B7pJvzMx5cyZ/RjAff6DAdEb0O0Cjcxidkg==",
"requires": {
"@octokit/types": "^2.0.0"
}
},
"@octokit/endpoint": { "@octokit/endpoint": {
"version": "5.5.1", "version": "5.5.1",
"resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz", "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
@@ -667,11 +643,10 @@
} }
}, },
"@octokit/rest": { "@octokit/rest": {
"version": "16.38.1", "version": "16.35.0",
"resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz", "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.35.0.tgz",
"integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==", "integrity": "sha512-9ShFqYWo0CLoGYhA1FdtdykJuMzS/9H6vSbbQWDX4pWr4p9v+15MsH/wpd/3fIU+tSxylaNO48+PIHqOkBRx3w==",
"requires": { "requires": {
"@octokit/auth-token": "^2.4.0",
"@octokit/request": "^5.2.0", "@octokit/request": "^5.2.0",
"@octokit/request-error": "^1.0.2", "@octokit/request-error": "^1.0.2",
"atob-lite": "^2.0.0", "atob-lite": "^2.0.0",
@@ -687,9 +662,9 @@
} }
}, },
"@octokit/types": { "@octokit/types": {
"version": "2.1.1", "version": "2.0.2",
"resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz", "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.0.2.tgz",
"integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==", "integrity": "sha512-StASIL2lgT3TRjxv17z9pAqbnI7HGu9DrJlg3sEBFfCLaMEqp+O3IQPUF6EZtQ4xkAu2ml6kMBBCtGxjvmtmuQ==",
"requires": { "requires": {
"@types/node": ">= 8" "@types/node": ">= 8"
} }
@@ -792,15 +767,6 @@
"integrity": "sha512-l42BggppR6zLmpfU6fq9HEa2oGPEI8yrSPL3GITjfRInppYFahObbIQOQK3UGxEnyQpltZLaPe75046NOZQikw==", "integrity": "sha512-l42BggppR6zLmpfU6fq9HEa2oGPEI8yrSPL3GITjfRInppYFahObbIQOQK3UGxEnyQpltZLaPe75046NOZQikw==",
"dev": true "dev": true
}, },
"@types/uuid": {
"version": "3.4.6",
"resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.6.tgz",
"integrity": "sha512-cCdlC/1kGEZdEglzOieLDYBxHsvEOIg7kp/2FYyVR9Pxakq+Qf/inL3RKQ+PA8gOlI/NnL+fXmQH12nwcGzsHw==",
"dev": true,
"requires": {
"@types/node": "*"
}
},
"@types/yargs": { "@types/yargs": {
"version": "13.0.3", "version": "13.0.3",
"resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-13.0.3.tgz", "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-13.0.3.tgz",

View File

@@ -1,6 +1,6 @@
{ {
"name": "checkout", "name": "checkout",
"version": "2.0.2", "version": "2.0.0",
"description": "checkout action", "description": "checkout action",
"main": "lib/main.js", "main": "lib/main.js",
"scripts": { "scripts": {
@@ -31,15 +31,13 @@
"dependencies": { "dependencies": {
"@actions/core": "^1.1.3", "@actions/core": "^1.1.3",
"@actions/exec": "^1.0.1", "@actions/exec": "^1.0.1",
"@actions/github": "^2.0.2", "@actions/github": "^2.0.0",
"@actions/io": "^1.0.1", "@actions/io": "^1.0.1",
"@actions/tool-cache": "^1.1.2", "@actions/tool-cache": "^1.1.2"
"uuid": "^3.3.3"
}, },
"devDependencies": { "devDependencies": {
"@types/jest": "^24.0.23", "@types/jest": "^24.0.23",
"@types/node": "^12.7.12", "@types/node": "^12.7.12",
"@types/uuid": "^3.4.6",
"@typescript-eslint/parser": "^2.8.0", "@typescript-eslint/parser": "^2.8.0",
"@zeit/ncc": "^0.20.5", "@zeit/ncc": "^0.20.5",
"eslint": "^5.16.0", "eslint": "^5.16.0",

View File

@@ -77,12 +77,10 @@ class GitCommandManager {
async branchList(remote: boolean): Promise<string[]> { async branchList(remote: boolean): Promise<string[]> {
const result: string[] = [] const result: string[] = []
// Note, this implementation uses "rev-parse --symbolic-full-name" because the output from // Note, this implementation uses "rev-parse --symbolic" because the output from
// "branch --list" is more difficult when in a detached HEAD state. // "branch --list" is more difficult when in a detached HEAD state.
// Note, this implementation uses "rev-parse --symbolic-full-name" because there is a bug
// in Git 2.18 that causes "rev-parse --symbolic" to output symbolic full names.
const args = ['rev-parse', '--symbolic-full-name'] const args = ['rev-parse', '--symbolic']
if (remote) { if (remote) {
args.push('--remotes=origin') args.push('--remotes=origin')
} else { } else {
@@ -94,12 +92,6 @@ class GitCommandManager {
for (let branch of output.stdout.trim().split('\n')) { for (let branch of output.stdout.trim().split('\n')) {
branch = branch.trim() branch = branch.trim()
if (branch) { if (branch) {
if (branch.startsWith('refs/heads/')) {
branch = branch.substr('refs/heads/'.length)
} else if (branch.startsWith('refs/remotes/')) {
branch = branch.substr('refs/remotes/'.length)
}
result.push(branch) result.push(branch)
} }
} }
@@ -124,7 +116,7 @@ class GitCommandManager {
} }
async config(configKey: string, configValue: string): Promise<void> { async config(configKey: string, configValue: string): Promise<void> {
await this.execGit(['config', '--local', configKey, configValue]) await this.execGit(['config', configKey, configValue])
} }
async configExists(configKey: string): Promise<boolean> { async configExists(configKey: string): Promise<boolean> {
@@ -132,7 +124,7 @@ class GitCommandManager {
return `\\${x}` return `\\${x}`
}) })
const output = await this.execGit( const output = await this.execGit(
['config', '--local', '--name-only', '--get-regexp', pattern], ['config', '--name-only', '--get-regexp', pattern],
true true
) )
return output.exitCode === 0 return output.exitCode === 0
@@ -178,12 +170,12 @@ class GitCommandManager {
} }
async isDetached(): Promise<boolean> { async isDetached(): Promise<boolean> {
// Note, "branch --show-current" would be simpler but isn't available until Git 2.22 // Note, this implementation uses "branch --show-current" because
const output = await this.execGit( // "rev-parse --symbolic-full-name HEAD" can fail on a new repo
['rev-parse', '--symbolic-full-name', '--verify', '--quiet', 'HEAD'], // with nothing checked out.
true
) const output = await this.execGit(['branch', '--show-current'])
return !output.stdout.trim().startsWith('refs/heads/') return output.stdout.trim() === ''
} }
async lfsFetch(ref: string): Promise<void> { async lfsFetch(ref: string): Promise<void> {
@@ -219,23 +211,20 @@ class GitCommandManager {
async tryConfigUnset(configKey: string): Promise<boolean> { async tryConfigUnset(configKey: string): Promise<boolean> {
const output = await this.execGit( const output = await this.execGit(
['config', '--local', '--unset-all', configKey], ['config', '--unset-all', configKey],
true true
) )
return output.exitCode === 0 return output.exitCode === 0
} }
async tryDisableAutomaticGarbageCollection(): Promise<boolean> { async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
const output = await this.execGit( const output = await this.execGit(['config', 'gc.auto', '0'], true)
['config', '--local', 'gc.auto', '0'],
true
)
return output.exitCode === 0 return output.exitCode === 0
} }
async tryGetFetchUrl(): Promise<string> { async tryGetFetchUrl(): Promise<string> {
const output = await this.execGit( const output = await this.execGit(
['config', '--local', '--get', 'remote.origin.url'], ['config', '--get', 'remote.origin.url'],
true true
) )

View File

@@ -1,16 +1,15 @@
import * as core from '@actions/core' import * as core from '@actions/core'
import * as coreCommand from '@actions/core/lib/command'
import * as fs from 'fs' import * as fs from 'fs'
import * as fsHelper from './fs-helper' import * as fsHelper from './fs-helper'
import * as gitCommandManager from './git-command-manager' import * as gitCommandManager from './git-command-manager'
import * as githubApiHelper from './github-api-helper'
import * as io from '@actions/io' import * as io from '@actions/io'
import * as path from 'path' import * as path from 'path'
import * as refHelper from './ref-helper' import * as refHelper from './ref-helper'
import * as stateHelper from './state-helper' import * as githubApiHelper from './github-api-helper'
import {IGitCommandManager} from './git-command-manager' import {IGitCommandManager} from './git-command-manager'
const serverUrl = 'https://github.com/' const authConfigKey = `http.https://github.com/.extraheader`
const authConfigKey = `http.${serverUrl}.extraheader`
export interface ISourceSettings { export interface ISourceSettings {
repositoryPath: string repositoryPath: string
@@ -21,8 +20,7 @@ export interface ISourceSettings {
clean: boolean clean: boolean
fetchDepth: number fetchDepth: number
lfs: boolean lfs: boolean
authToken: string accessToken: string
persistCredentials: boolean
} }
export async function getSource(settings: ISourceSettings): Promise<void> { export async function getSource(settings: ISourceSettings): Promise<void> {
@@ -34,6 +32,13 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
settings.repositoryOwner settings.repositoryOwner
)}/${encodeURIComponent(settings.repositoryName)}` )}/${encodeURIComponent(settings.repositoryName)}`
// Set intra-task state for cleanup
coreCommand.issueCommand(
'save-state',
{name: 'repositoryPath'},
settings.repositoryPath
)
// Remove conflicting file path // Remove conflicting file path
if (fsHelper.fileExistsSync(settings.repositoryPath)) { if (fsHelper.fileExistsSync(settings.repositoryPath)) {
await io.rmRF(settings.repositoryPath) await io.rmRF(settings.repositoryPath)
@@ -47,7 +52,21 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
} }
// Git command manager // Git command manager
const git = await getGitCommandManager(settings) core.info(`Working directory is '${settings.repositoryPath}'`)
let git = (null as unknown) as IGitCommandManager
try {
git = await gitCommandManager.CreateCommandManager(
settings.repositoryPath,
settings.lfs
)
} catch (err) {
// Git is required for LFS
if (settings.lfs) {
throw err
}
// Otherwise fallback to REST API
}
// Prepare existing directory, otherwise recreate // Prepare existing directory, otherwise recreate
if (isExisting) { if (isExisting) {
@@ -59,14 +78,13 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
) )
} }
if (!git) { if (!git || `${1}` == '1') {
// Downloading using REST API core.info(`Downloading the repository files using the GitHub REST API`)
core.info(`The repository will be downloaded using the GitHub REST API`)
core.info( core.info(
`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH` `To create a local repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
) )
await githubApiHelper.downloadRepository( await githubApiHelper.downloadRepository(
settings.authToken, settings.accessToken,
settings.repositoryOwner, settings.repositoryOwner,
settings.repositoryName, settings.repositoryName,
settings.ref, settings.ref,
@@ -74,9 +92,6 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
settings.repositoryPath settings.repositoryPath
) )
} else { } else {
// Save state for POST action
stateHelper.setRepositoryPath(settings.repositoryPath)
// Initialize the repository // Initialize the repository
if ( if (
!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git')) !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
@@ -95,87 +110,61 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
// Remove possible previous extraheader // Remove possible previous extraheader
await removeGitConfig(git, authConfigKey) await removeGitConfig(git, authConfigKey)
try { // Add extraheader (auth)
// Config extraheader const base64Credentials = Buffer.from(
await configureAuthToken(git, settings.authToken) `x-access-token:${settings.accessToken}`,
'utf8'
).toString('base64')
core.setSecret(base64Credentials)
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
await git.config(authConfigKey, authConfigValue)
// LFS install // LFS install
if (settings.lfs) { if (settings.lfs) {
await git.lfsInstall() await git.lfsInstall()
}
// Fetch
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
await git.fetch(settings.fetchDepth, refSpec)
// Checkout info
const checkoutInfo = await refHelper.getCheckoutInfo(
git,
settings.ref,
settings.commit
)
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
}
// Checkout
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
// Dump some info about the checked out commit
await git.log1()
} finally {
if (!settings.persistCredentials) {
await removeGitConfig(git, authConfigKey)
}
} }
// Fetch
const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
await git.fetch(settings.fetchDepth, refSpec)
// Checkout info
const checkoutInfo = await refHelper.getCheckoutInfo(
git,
settings.ref,
settings.commit
)
// LFS fetch
// Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
// Explicit lfs fetch will fetch lfs objects in parallel.
if (settings.lfs) {
await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
}
// Checkout
await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
// Dump some info about the checked out commit
await git.log1()
} }
} }
export async function cleanup(repositoryPath: string): Promise<void> { export async function cleanup(repositoryPath: string): Promise<void> {
// Repo exists? // Repo exists?
if ( if (!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))) {
!repositoryPath ||
!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))
) {
return return
} }
fsHelper.directoryExistsSync(repositoryPath, true)
let git: IGitCommandManager // Remove the config key
try { const git = await gitCommandManager.CreateCommandManager(
git = await gitCommandManager.CreateCommandManager(repositoryPath, false) repositoryPath,
} catch { false
return )
}
// Remove extraheader
await removeGitConfig(git, authConfigKey) await removeGitConfig(git, authConfigKey)
} }
async function getGitCommandManager(
settings: ISourceSettings
): Promise<IGitCommandManager> {
core.info(`Working directory is '${settings.repositoryPath}'`)
let git = (null as unknown) as IGitCommandManager
try {
return await gitCommandManager.CreateCommandManager(
settings.repositoryPath,
settings.lfs
)
} catch (err) {
// Git is required for LFS
if (settings.lfs) {
throw err
}
// Otherwise fallback to REST API
return (null as unknown) as IGitCommandManager
}
}
async function prepareExistingDirectory( async function prepareExistingDirectory(
git: IGitCommandManager, git: IGitCommandManager,
repositoryPath: string, repositoryPath: string,
@@ -261,40 +250,6 @@ async function prepareExistingDirectory(
} }
} }
async function configureAuthToken(
git: IGitCommandManager,
authToken: string
): Promise<void> {
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const placeholder = `AUTHORIZATION: basic ***`
await git.config(authConfigKey, placeholder)
// Determine the basic credential value
const basicCredential = Buffer.from(
`x-access-token:${authToken}`,
'utf8'
).toString('base64')
core.setSecret(basicCredential)
// Replace the value in the config file
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
let content = (await fs.promises.readFile(configPath)).toString()
const placeholderIndex = content.indexOf(placeholder)
if (
placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(placeholder)
) {
throw new Error('Unable to replace auth placeholder in .git/config')
}
content = content.replace(
placeholder,
`AUTHORIZATION: basic ${basicCredential}`
)
await fs.promises.writeFile(configPath, content)
}
async function removeGitConfig( async function removeGitConfig(
git: IGitCommandManager, git: IGitCommandManager,
configKey: string configKey: string
@@ -304,6 +259,21 @@ async function removeGitConfig(
!(await git.tryConfigUnset(configKey)) !(await git.tryConfigUnset(configKey))
) { ) {
// Load the config contents // Load the config contents
core.warning(`Failed to remove '${configKey}' from the git config`) core.warning(
`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
)
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
fsHelper.fileExistsSync(configPath)
let contents = fs.readFileSync(configPath).toString() || ''
// Filter - only includes lines that do not contain the config key
const upperConfigKey = configKey.toUpperCase()
const split = contents
.split('\n')
.filter(x => !x.toUpperCase().includes(upperConfigKey))
contents = split.join('\n')
// Rewrite the config file
fs.writeFileSync(configPath, contents)
} }
} }

View File

@@ -1,92 +1,173 @@
import * as assert from 'assert' import * as assert from 'assert'
import * as core from '@actions/core' import * as core from '@actions/core'
import * as exec from '@actions/exec'
import * as fs from 'fs' import * as fs from 'fs'
import * as github from '@actions/github' import * as github from '@actions/github'
import * as https from 'https'
import * as io from '@actions/io' import * as io from '@actions/io'
import * as path from 'path' import * as path from 'path'
import * as refHelper from './ref-helper'
import * as retryHelper from './retry-helper' import * as retryHelper from './retry-helper'
import * as toolCache from '@actions/tool-cache' import * as toolCache from '@actions/tool-cache'
import {default as uuid} from 'uuid/v4' import {ExecOptions} from '@actions/exec/lib/interfaces'
import {IncomingMessage} from 'http'
import {ReposGetArchiveLinkParams} from '@octokit/rest' import {ReposGetArchiveLinkParams} from '@octokit/rest'
import {RequestOptions} from 'https'
import {WriteStream} from 'fs'
const IS_WINDOWS = process.platform === 'win32' const IS_WINDOWS = process.platform === 'win32'
export async function downloadRepository( export async function downloadRepository(
authToken: string, accessToken: string,
owner: string, owner: string,
repo: string, repo: string,
ref: string, ref: string,
commit: string, commit: string,
repositoryPath: string repositoryPath: string
): Promise<void> { ): Promise<void> {
// Download the archive // Determine archive path
let archiveData = await retryHelper.execute(async () => { const runnerTemp = process.env['RUNNER_TEMP'] as string
core.info('Downloading the archive') assert.ok(runnerTemp, 'RUNNER_TEMP not defined')
return await downloadArchive(authToken, owner, repo, ref, commit) const archivePath = path.join(runnerTemp, 'checkout.tar.gz')
// await fs.promises.writeFile(archivePath, raw)
// Get the archive URL using the REST API
await retryHelper.execute(async () => {
// Prepare the archive stream
core.debug(`Preparing the archive stream: ${archivePath}`)
await io.rmRF(archivePath)
const fileStream = fs.createWriteStream(archivePath)
const fileStreamClosed = getFileClosedPromise(fileStream)
try {
// Get the archive URL using the GitHub REST API
core.info('Getting archive URL from GitHub REST API')
const octokit = new github.GitHub(accessToken)
const params: RequestOptions & ReposGetArchiveLinkParams = {
method: 'HEAD',
archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
owner: owner,
repo: repo,
ref: refHelper.getDownloadRef(ref, commit)
}
const response = await octokit.repos.getArchiveLink(params)
console.log('GOT THE RESPONSE')
if (response.status != 302) {
throw new Error(
`Unexpected response from GitHub API. Status: '${response.status}'`
)
}
console.log('GETTING THE LOCATION')
const archiveUrl = response.headers['Location'] // Do not print the archive URL because it has an embedded token
assert.ok(
archiveUrl,
`Expected GitHub API response to contain 'Location' header`
)
// Download the archive
core.info('Downloading the archive') // Do not print the archive URL because it has an embedded token
await downloadFile(archiveUrl, fileStream)
} finally {
await fileStreamClosed
}
// return Buffer.from(response.data) // response.data is ArrayBuffer
}) })
// Write archive to disk // // Download the archive
core.info('Writing archive to disk') // core.info('Downloading the archive') // Do not print the URL since it contains a token to download the archive
const uniqueId = uuid() // await downloadFile(archiveUrl, archivePath)
const archivePath = path.join(repositoryPath, `${uniqueId}.tar.gz`)
await fs.promises.writeFile(archivePath, archiveData) // // console.log(`status=${response.status}`)
archiveData = Buffer.from('') // Free memory // // console.log(`headers=${JSON.stringify(response.headers)}`)
// // console.log(`data=${response.data}`)
// // console.log(`data=${JSON.stringify(response.data)}`)
// // for (const key of Object.keys(response.data)) {
// // console.log(`data['${key}']=${response.data[key]}`)
// // }
// // Write archive to file
// const runnerTemp = process.env['RUNNER_TEMP'] as string
// assert.ok(runnerTemp, 'RUNNER_TEMP not defined')
// const archivePath = path.join(runnerTemp, 'checkout.tar.gz')
// await io.rmRF(archivePath)
// await fs.promises.writeFile(archivePath, raw)
// // await exec.exec(`ls -la "${archiveFile}"`, [], {
// // cwd: repositoryPath
// // } as ExecOptions)
// Extract archive // Extract archive
core.info('Extracting the archive') const extractPath = path.join(
const extractPath = path.join(repositoryPath, uniqueId) runnerTemp,
`checkout-archive${IS_WINDOWS ? '.zip' : '.tar.gz'}`
)
await io.rmRF(extractPath)
await io.mkdirP(extractPath) await io.mkdirP(extractPath)
if (IS_WINDOWS) { if (IS_WINDOWS) {
await toolCache.extractZip(archivePath, extractPath) await toolCache.extractZip(archivePath, extractPath)
} else { } else {
await toolCache.extractTar(archivePath, extractPath) await toolCache.extractTar(archivePath, extractPath)
} }
io.rmRF(archivePath) // await exec.exec(`tar -xzf "${archiveFile}"`, [], {
// cwd: extractPath
// } as ExecOptions)
// Determine the path of the repository content. The archive contains // Determine the real directory to copy (ignore extra dir at root of the archive)
// a top-level folder and the repository content is inside.
const archiveFileNames = await fs.promises.readdir(extractPath) const archiveFileNames = await fs.promises.readdir(extractPath)
assert.ok( assert.ok(
archiveFileNames.length == 1, archiveFileNames.length == 1,
'Expected exactly one directory inside archive' 'Expected exactly one directory inside archive'
) )
const archiveVersion = archiveFileNames[0] // The top-level folder name includes the short SHA const extraDirectoryName = archiveFileNames[0]
core.info(`Resolved version ${archiveVersion}`) core.info(`Resolved ${extraDirectoryName}`) // contains the short SHA
const tempRepositoryPath = path.join(extractPath, archiveVersion) const tempRepositoryPath = path.join(extractPath, extraDirectoryName)
// Move the files // Move the files
for (const fileName of await fs.promises.readdir(tempRepositoryPath)) { for (const fileName of await fs.promises.readdir(tempRepositoryPath)) {
const sourcePath = path.join(tempRepositoryPath, fileName) const sourcePath = path.join(tempRepositoryPath, fileName)
const targetPath = path.join(repositoryPath, fileName) const targetPath = path.join(repositoryPath, fileName)
if (IS_WINDOWS) { await io.mv(sourcePath, targetPath)
await io.cp(sourcePath, targetPath, {recursive: true}) // Copy on Windows (Windows Defender may have a lock) }
} else {
await io.mv(sourcePath, targetPath) await exec.exec(`find .`, [], {
cwd: repositoryPath
} as ExecOptions)
}
function downloadFile(url: string, fileStream: WriteStream): Promise<void> {
return new Promise((resolve, reject) => {
try {
https.get(url, (response: IncomingMessage) => {
if (response.statusCode != 200) {
reject(`Request failed with status '${response.statusCode}'`)
response.resume() // Consume response data to free up memory
return
}
response.on('data', chunk => {
fileStream.write(chunk)
})
response.on('end', () => {
resolve()
})
response.on('error', err => {
reject(err)
})
// response.pipe(fileStream)
})
} catch (err) {
reject(err)
} }
} })
io.rmRF(extractPath)
} }
async function downloadArchive( function getFileClosedPromise(stream: WriteStream): Promise<void> {
authToken: string, return new Promise((resolve, reject) => {
owner: string, stream.on('error', err => {
repo: string, reject(err)
ref: string, })
commit: string stream.on('finish', () => {
): Promise<Buffer> { resolve()
const octokit = new github.GitHub(authToken) })
const params: ReposGetArchiveLinkParams = { })
owner: owner,
repo: repo,
archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
ref: commit || ref
}
const response = await octokit.repos.getArchiveLink(params)
if (response.status != 200) {
throw new Error(
`Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
)
}
return Buffer.from(response.data) // response.data is ArrayBuffer
} }

View File

@@ -61,12 +61,6 @@ export function getInputs(): ISourceSettings {
if (isWorkflowRepository) { if (isWorkflowRepository) {
result.ref = github.context.ref result.ref = github.context.ref
result.commit = github.context.sha result.commit = github.context.sha
// Some events have an unqualifed ref. For example when a PR is merged (pull_request closed event),
// the ref is unqualifed like "master" instead of "refs/heads/master".
if (result.commit && result.ref && !result.ref.startsWith('refs/')) {
result.ref = `refs/heads/${result.ref}`
}
} }
if (!result.ref && !result.commit) { if (!result.ref && !result.commit) {
@@ -103,12 +97,8 @@ export function getInputs(): ISourceSettings {
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE' result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
core.debug(`lfs = ${result.lfs}`) core.debug(`lfs = ${result.lfs}`)
// Auth token // Access token
result.authToken = core.getInput('token') result.accessToken = core.getInput('token')
// Persist credentials
result.persistCredentials =
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
return result return result
} }

View File

@@ -3,7 +3,8 @@ import * as coreCommand from '@actions/core/lib/command'
import * as gitSourceProvider from './git-source-provider' import * as gitSourceProvider from './git-source-provider'
import * as inputHelper from './input-helper' import * as inputHelper from './input-helper'
import * as path from 'path' import * as path from 'path'
import * as stateHelper from './state-helper'
const cleanupRepositoryPath = process.env['STATE_repositoryPath'] as string
async function run(): Promise<void> { async function run(): Promise<void> {
try { try {
@@ -30,14 +31,14 @@ async function run(): Promise<void> {
async function cleanup(): Promise<void> { async function cleanup(): Promise<void> {
try { try {
await gitSourceProvider.cleanup(stateHelper.RepositoryPath) await gitSourceProvider.cleanup(cleanupRepositoryPath)
} catch (error) { } catch (error) {
core.warning(error.message) core.warning(error.message)
} }
} }
// Main // Main
if (!stateHelper.IsPost) { if (!cleanupRepositoryPath) {
run() run()
} }
// Post // Post

View File

@@ -65,14 +65,9 @@ function updateUsage(
let segment: string = description let segment: string = description
if (description.length > width) { if (description.length > width) {
segment = description.substr(0, width + 1) segment = description.substr(0, width + 1)
while (!segment.endsWith(' ') && segment) { while (!segment.endsWith(' ')) {
segment = segment.substr(0, segment.length - 1) segment = segment.substr(0, segment.length - 1)
} }
// Trimmed too much?
if (segment.length < width * 0.67) {
segment = description
}
} else { } else {
segment = description segment = description
} }
@@ -101,7 +96,7 @@ function updateUsage(
} }
updateUsage( updateUsage(
'actions/checkout@v2', 'actions/checkout@v2-beta',
path.join(__dirname, '..', '..', 'action.yml'), path.join(__dirname, '..', '..', 'action.yml'),
path.join(__dirname, '..', '..', 'README.md') path.join(__dirname, '..', '..', 'README.md')
) )

View File

@@ -5,6 +5,15 @@ export interface ICheckoutInfo {
startPoint: string startPoint: string
} }
export function getDownloadRef(ref: string, commit: string): string {
if (commit) {
return commit
}
// todo fix this to work with refs/pull etc
return ref
}
export async function getCheckoutInfo( export async function getCheckoutInfo(
git: IGitCommandManager, git: IGitCommandManager,
ref: string, ref: string,

View File

@@ -1,61 +1,36 @@
import * as core from '@actions/core' import * as core from '@actions/core'
const defaultMaxAttempts = 3 const maxAttempts = 3
const defaultMinSeconds = 10 const minSeconds = 10
const defaultMaxSeconds = 20 const maxSeconds = 20
export class RetryHelper {
private maxAttempts: number
private minSeconds: number
private maxSeconds: number
constructor(
maxAttempts: number = defaultMaxAttempts,
minSeconds: number = defaultMinSeconds,
maxSeconds: number = defaultMaxSeconds
) {
this.maxAttempts = maxAttempts
this.minSeconds = Math.floor(minSeconds)
this.maxSeconds = Math.floor(maxSeconds)
if (this.minSeconds > this.maxSeconds) {
throw new Error('min seconds should be less than or equal to max seconds')
}
}
async execute<T>(action: () => Promise<T>): Promise<T> {
let attempt = 1
while (attempt < this.maxAttempts) {
// Try
try {
return await action()
} catch (err) {
core.info(err.message)
}
// Sleep
const seconds = this.getSleepAmount()
core.info(`Waiting ${seconds} seconds before trying again`)
await this.sleep(seconds)
attempt++
}
// Last attempt
return await action()
}
private getSleepAmount(): number {
return (
Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) +
this.minSeconds
)
}
private async sleep(seconds: number): Promise<void> {
return new Promise(resolve => setTimeout(resolve, seconds * 1000))
}
}
export async function execute<T>(action: () => Promise<T>): Promise<T> { export async function execute<T>(action: () => Promise<T>): Promise<T> {
const retryHelper = new RetryHelper() let attempt = 1
return await retryHelper.execute(action) while (attempt < maxAttempts) {
// Try
try {
return await action()
} catch (err) {
core.info(err.message)
}
// Sleep
const seconds = getRandomIntInclusive(minSeconds, maxSeconds)
core.info(`Waiting ${seconds} before trying again`)
await sleep(seconds * 1000)
attempt++
}
// Last attempt
return await action()
}
function getRandomIntInclusive(minimum: number, maximum: number): number {
minimum = Math.floor(minimum)
maximum = Math.floor(maximum)
return Math.floor(Math.random() * (maximum - minimum + 1)) + minimum
}
async function sleep(milliseconds): Promise<void> {
return new Promise(resolve => setTimeout(resolve, milliseconds))
} }

View File

@@ -1,30 +0,0 @@
import * as core from '@actions/core'
import * as coreCommand from '@actions/core/lib/command'
/**
* Indicates whether the POST action is running
*/
export const IsPost = !!process.env['STATE_isPost']
/**
* The repository path for the POST action. The value is empty during the MAIN action.
*/
export const RepositoryPath =
(process.env['STATE_repositoryPath'] as string) || ''
/**
* Save the repository path so the POST action can retrieve the value.
*/
export function setRepositoryPath(repositoryPath: string) {
coreCommand.issueCommand(
'save-state',
{name: 'repositoryPath'},
repositoryPath
)
}
// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
// This is necessary since we don't have a separate entry point.
if (!IsPost) {
coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
}