Merge a5b3296627 into 61b9e3751b

.eslintrc.json

@@ -1,6 +1,6 @@
 {
   "plugins": ["jest", "@typescript-eslint"],
-  "extends": ["plugin:github/es6"],
+  "extends": ["plugin:github/recommended"],
   "parser": "@typescript-eslint/parser",
   "parserOptions": {
     "ecmaVersion": 9,
@@ -16,23 +16,19 @@
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",
-    "@typescript-eslint/ban-ts-ignore": "error",
     "camelcase": "off",
-    "@typescript-eslint/camelcase": "error",
-    "@typescript-eslint/class-name-casing": "error",
     "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
     "@typescript-eslint/func-call-spacing": ["error", "never"],
-    "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
     "@typescript-eslint/no-array-constructor": "error",
     "@typescript-eslint/no-empty-interface": "error",
     "@typescript-eslint/no-explicit-any": "error",
     "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-floating-promises": "error",
     "@typescript-eslint/no-for-in-array": "error",
     "@typescript-eslint/no-inferrable-types": "error",
     "@typescript-eslint/no-misused-new": "error",
     "@typescript-eslint/no-namespace": "error",
     "@typescript-eslint/no-non-null-assertion": "warn",
-    "@typescript-eslint/no-object-literal-type-assertion": "error",
     "@typescript-eslint/no-unnecessary-qualifier": "error",
     "@typescript-eslint/no-unnecessary-type-assertion": "error",
     "@typescript-eslint/no-useless-constructor": "error",
@@ -40,7 +36,6 @@
     "@typescript-eslint/prefer-for-of": "warn",
     "@typescript-eslint/prefer-function-type": "warn",
     "@typescript-eslint/prefer-includes": "error",
-    "@typescript-eslint/prefer-interface": "error",
     "@typescript-eslint/prefer-string-starts-ends-with": "error",
     "@typescript-eslint/promise-function-async": "error",
     "@typescript-eslint/require-array-sort-compare": "error",

.gitattributes

@@ -0,0 +1 @@
+.licenses/** -diff linguist-generated=true

.github/workflows/CHANGELOG.md

@@ -0,0 +1,61 @@
+# Changelog
+
+## v3.0.0
+
+- [Update to node 16](https://github.com/actions/checkout/pull/689)
+
+## v2.3.1
+
+- [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
+
+## v2.3.0
+
+- [Fallback to the default branch](https://github.com/actions/checkout/pull/278)
+
+## v2.2.0
+
+- [Fetch all history for all tags and branches when fetch-depth=0](https://github.com/actions/checkout/pull/258)
+
+## v2.1.1
+
+- Changes to support GHES ([here](https://github.com/actions/checkout/pull/236) and [here](https://github.com/actions/checkout/pull/248))
+
+## v2.1.0
+
+- [Group output](https://github.com/actions/checkout/pull/191)
+- [Changes to support GHES alpha release](https://github.com/actions/checkout/pull/199)
+- [Persist core.sshCommand for submodules](https://github.com/actions/checkout/pull/184)
+- [Add support ssh](https://github.com/actions/checkout/pull/163)
+- [Convert submodule SSH URL to HTTPS, when not using SSH](https://github.com/actions/checkout/pull/179)
+- [Add submodule support](https://github.com/actions/checkout/pull/157)
+- [Follow proxy settings](https://github.com/actions/checkout/pull/144)
+- [Fix ref for pr closed event when a pr is merged](https://github.com/actions/checkout/pull/141)
+- [Fix issue checking detached when git less than 2.22](https://github.com/actions/checkout/pull/128)
+
+## v2.0.0
+
+- [Do not pass cred on command line](https://github.com/actions/checkout/pull/108)
+- [Add input persist-credentials](https://github.com/actions/checkout/pull/107)
+- [Fallback to REST API to download repo](https://github.com/actions/checkout/pull/104)
+
+## v2 (beta)
+
+- Improved fetch performance
+  - The default behavior now fetches only the SHA being checked-out
+- Script authenticated git commands
+  - Persists `with.token` in the local git config
+  - Enables your scripts to run authenticated git commands
+  - Post-job cleanup removes the token
+  - Coming soon: Opt out by setting `with.persist-credentials` to `false`
+- Creates a local branch
+  - No longer detached HEAD when checking out a branch
+  - A local branch is created with the corresponding upstream branch set
+- Improved layout
+  - `with.path` is always relative to `github.workspace`
+  - Aligns better with container actions, where `github.workspace` gets mapped in
+- Removed input `submodules`
+
+
+## v1
+
+Refer [here](https://github.com/actions/checkout/blob/v1/CHANGELOG.md) for the V1 changelog

.github/workflows/InRelease.txt

@@ -0,0 +1,36 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Archive: Raspbian_10
+Codename: Raspbian_10
+Origin: obs://build.opensuse.org/devel:kubic:libcontainers:stable/Raspbian_10
+Label: devel:kubic:libcontainers:stable
+Architectures: armhf
+Date: Wed Mar 16 13:23:56 2022
+Description: Stable Releases of Upstream github.com/containers packages (Raspbian_10)
+MD5Sum:
+ 00da1553977a958c3908af1ba0b53aca 34187 Packages
+ 25f9011747fdc99548ffb82ef6ad910a 8497 Packages.gz
+ 5263d81ae22ea768594b67dda64de11a 21789 Sources
+ d575956d08185c9ae22ffdbc0008926c 6196 Sources.gz
+SHA1:
+ 7a14c49010851925c6d73077b6795c2e1b5ad2e0 34187 Packages
+ 7d3104745bd34fb57b3e8280550a54f51691044f 8497 Packages.gz
+ 51e00b51469e6e8efbef466d137ea8c8350343a9 21789 Sources
+ c606e67b2cb0685a1c82e03932585c57eb5d0d2e 6196 Sources.gz
+SHA256:
+ 47774476bc047c3a515a86a154f8b8a350933c4a584b5dcf116b4ff1b4e00195 34187 Packages
+ 3e9e99a38156473bef2ba321610cb796bcdff0e2c964bad9ee54c6a4e35e0989 8497 Packages.gz
+ 078616e1b3d43cc561a389d0fb4588a3e733e468496d920faf2cf786f4013eb1 21789 Sources
+ a15440ff40420e6b40a6e94fc2a3c3228735e0cbdb08c1ec7bec70aefeb3af62 6196 Sources.gz
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.7 (GNU/Linux)
+
+iQEVAwUBYjHk7E1kOQN1BgqkAQg/Ugf/aDxica0mCO/W1xUfw61cVhCgzi5IH9gk
+lF/uCqeM9vVsEaW9oPtwOPrpA81ajkjZi/VvhOBTVYBGhQLLL83tGW5MAwC6CJDC
+QCQPGd+YXlsgb6mR+S2d9zXILi6oEWpTQyTFxbI9GzyAke7uTY+a2vTSR/4YW86F
+UI/PWpehWLUj09BKjOXR4/P5eqqe21ekiPZH+K2IL3ODAjA+6ZXl+X3s6/VFqQ5p
+lO51eIgcekX5lYDiifxVvIcYnOhquWtJLsQxIuWLNokzqdRIPyGIj7uvRjTW6yky
+QogFZ5+il0WLxrBWQmUQ4dxyVdcH4CyVOYGJhy2yn8CdRo+aLEpySQ==
+=tKyt
+-----END PGP SIGNATURE-----

.github/workflows/README.md

@@ -0,0 +1,224 @@
+<p align="center">
+  <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
+</p>
+
+# Checkout V3
+
+This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
+
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+
+The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+
+When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
+
+# What's new
+
+- Updated to the node16 runtime by default
+  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
+
+# Usage
+
+<!-- start usage -->
+```yaml
+- uses: actions/checkout@v3
+  with:
+    # Repository name with owner. For example, actions/checkout
+    # Default: ${{ github.repository }}
+    repository: ''
+
+    # The branch, tag or SHA to checkout. When checking out the repository that
+    # triggered a workflow, this defaults to the reference or SHA for that event.
+    # Otherwise, uses the default branch.
+    ref: ''
+
+    # Personal access token (PAT) used to fetch the repository. The PAT is configured
+    # with the local git config, which enables your scripts to run authenticated git
+    # commands. The post-job step removes the PAT.
+    #
+    # We recommend using a service account with the least permissions necessary. Also
+    # when generating a new PAT, select the least scopes necessary.
+    #
+    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    #
+    # Default: ${{ github.token }}
+    token: ''
+
+    # SSH key used to fetch the repository. The SSH key is configured with the local
+    # git config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the SSH key.
+    #
+    # We recommend using a service account with the least permissions necessary.
+    #
+    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    ssh-key: ''
+
+    # Known hosts in addition to the user and global host key database. The public SSH
+    # keys for a host may be obtained using the utility `ssh-keyscan`. For example,
+    # `ssh-keyscan github.com`. The public key for github.com is always implicitly
+    # added.
+    ssh-known-hosts: ''
+
+    # Whether to perform strict host key checking. When true, adds the options
+    # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
+    # the input `ssh-known-hosts` to configure additional hosts.
+    # Default: true
+    ssh-strict: ''
+
+    # Whether to configure the token or SSH key with the local git config
+    # Default: true
+    persist-credentials: ''
+
+    # Relative path under $GITHUB_WORKSPACE to place the repository
+    path: ''
+
+    # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching
+    # Default: true
+    clean: ''
+
+    # Number of commits to fetch. 0 indicates all history for all branches and tags.
+    # Default: 1
+    fetch-depth: ''
+
+    # Whether to download Git-LFS files
+    # Default: false
+    lfs: ''
+
+    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
+    # recursively checkout submodules.
+    #
+    # When the `ssh-key` input is not provided, SSH URLs beginning with
+    # `git@github.com:` are converted to HTTPS.
+    #
+    # Default: false
+    submodules: ''
+```
+<!-- end usage -->
+
+# Scenarios
+
+- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
+- [Checkout a different branch](#Checkout-a-different-branch)
+- [Checkout HEAD^](#Checkout-HEAD)
+- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
+- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
+- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
+- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
+- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
+
+## Fetch all history for all tags and branches
+
+```yaml
+- uses: actions/checkout@v3
+  with:
+    fetch-depth: 0
+```
+
+## Checkout a different branch
+
+```yaml
+- uses: actions/checkout@v3
+  with:
+    ref: my-branch
+```
+
+## Checkout HEAD^
+
+```yaml
+- uses: actions/checkout@v3
+  with:
+    fetch-depth: 2
+- run: git checkout HEAD^
+```
+
+## Checkout multiple repos (side by side)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v3
+  with:
+    path: main
+
+- name: Checkout tools repo
+  uses: actions/checkout@v3
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (nested)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v3
+
+- name: Checkout tools repo
+  uses: actions/checkout@v3
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (private)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v3
+  with:
+    path: main
+
+- name: Checkout private tools
+  uses: actions/checkout@v3
+  with:
+    repository: my-org/my-private-tools
+    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
+    path: my-tools
+```
+
+> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+
+
+## Checkout pull request HEAD commit instead of merge commit
+
+```yaml
+- uses: actions/checkout@v3
+  with:
+    ref: ${{ github.event.pull_request.head.sha }}
+```
+
+## Checkout pull request on closed event
+
+```yaml
+on:
+  pull_request:
+    branches: [main]
+    types: [opened, synchronize, closed]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+```
+
+## Push a commit using the built-in token
+
+```yaml
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          date > generated.txt
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add .
+          git commit -m "generated"
+          git push
+```
+
+# License
+
+The scripts and documentation in this project are released under the [MIT License](LICENSE)

.github/workflows/check-dist.yml

@@ -0,0 +1,51 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process
+# from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set Node.js 16.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 16.x
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Rebuild the index.js file
+        run: npm run build
+
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build.  See status below:"
+            git diff
+            exit 1
+          fi
+
+      # If dist/ was different than expected, upload the expected version as an artifact
+      - uses: actions/upload-artifact@v2
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        with:
+          name: dist
+          path: dist/

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,58 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '28 9 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - run: npm ci
+    - run: npm run build
+    - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/dependency-review.yml

@@ -0,0 +1,20 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v1

.github/workflows/ibm.yml

@@ -0,0 +1,76 @@
+# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains a Dockerfile
+# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY
+# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT
+
+name: Build and Deploy to IKS
+
+on:
+  push:
+    branches:
+      - "main"
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+  GITHUB_SHA: ${{ github.sha }}
+  IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
+  IBM_CLOUD_REGION: us-south
+  ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }}
+  REGISTRY_HOSTNAME: us.icr.io
+  IMAGE_NAME: iks-test
+  IKS_CLUSTER: example-iks-cluster-name-or-id
+  DEPLOYMENT_NAME: iks-test
+  PORT: 5001
+
+jobs:
+  setup-build-publish-deploy:
+    name: Setup, Build, Publish, and Deploy
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    # Download and Install IBM Cloud CLI
+    - name: Install IBM Cloud CLI
+      run: |
+        curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+        ibmcloud --version
+        ibmcloud config --check-version=false
+        ibmcloud plugin install -f kubernetes-service
+        ibmcloud plugin install -f container-registry
+
+    # Authenticate with IBM Cloud CLI
+    - name: Authenticate with IBM Cloud CLI
+      run: |
+        ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default
+        ibmcloud cr region-set "${IBM_CLOUD_REGION}"
+        ibmcloud cr login
+
+    # Build the Docker image
+    - name: Build with Docker
+      run: |
+        docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \
+          --build-arg GITHUB_SHA="$GITHUB_SHA" \
+          --build-arg GITHUB_REF="$GITHUB_REF" .
+
+    # Push the image to IBM Container Registry
+    - name: Push the image to ICR
+      run: |
+        docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA
+
+    # Deploy the Docker image to the IKS cluster
+    - name: Deploy to IKS
+      run: |
+        ibmcloud ks cluster config --cluster $IKS_CLUSTER
+        kubectl config current-context
+        kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml
+        kubectl apply -f deployment.yaml
+        kubectl rollout status deployment/$DEPLOYMENT_NAME
+        kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml
+        kubectl apply -f service.yaml
+        kubectl get services -o wide

.github/workflows/licensed.yml

@@ -0,0 +1,14 @@
+name: Licensed
+
+on:
+  push: {branches: main}
+  pull_request: {branches: main}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Check licenses
+    steps:
+      - uses: actions/checkout@v3
+      - run: npm ci
+      - run: npm run licensed-check

.github/workflows/node.js.yml

@@ -0,0 +1,31 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [12.x, 14.x, 16.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ matrix.node-version }}
+        cache: 'npm'
+    - run: npm ci
+    - run: npm run build --if-present
+    - run: npm test

.github/workflows/test.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
   push:
     branches:
-      - master
+      - main
       - releases/*
 
 jobs:
@@ -13,8 +13,8 @@ jobs:
     steps:
       - uses: actions/setup-node@v1
         with:
-          node-version: 12.x
-      - uses: actions/checkout@v2
+          node-version: 16.x
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout
       - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -205,3 +205,41 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
+    
+  test-git-container:
+    runs-on: ubuntu-latest
+    container: bitnami/git:latest
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: v3
+
+      # Basic checkout using git
+      - name: Checkout basic
+        uses: ./v3
+        with:
+          ref: test-data/v2/basic
+      - name: Verify basic
+        run: |
+          if [ ! -f "./basic-file.txt" ]; then
+              echo "Expected basic file does not exist"
+              exit 1
+          fi
+
+          # Verify .git folder
+          if [ ! -d "./.git" ]; then
+            echo "Expected ./.git folder to exist"
+            exit 1
+          fi
+
+          # Verify auth token
+          git config --global --add safe.directory "*"
+          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
+
+      # needed to make checkout post cleanup succeed
+      - name: Fix Checkout v3
+        uses: actions/checkout@v3
+        with:
+          path: v3

.gitignore

@@ -1,3 +1,4 @@
 __test__/_temp
+_temp/
 lib/
 node_modules/

.licensed.yml

@@ -0,0 +1,14 @@
+sources:
+  npm: true
+
+allowed:
+  - apache-2.0
+  - bsd-2-clause
+  - bsd-3-clause
+  - isc
+  - mit
+  - cc0-1.0
+  - unlicense
+
+reviewed:
+  npm:

CHANGELOG.md

@@ -1,10 +1,20 @@
 # Changelog
 
+## v3.0.2
+- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/770)
+
+## v3.0.1
+- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://github.com/actions/checkout/pull/762)
+- [Bumped various npm package versions](https://github.com/actions/checkout/pull/744)
+
+## v3.0.0
+
+- [Update to node 16](https://github.com/actions/checkout/pull/689)
+
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
 
-
 ## v2.3.0
 
 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)

CODEOWNERS

@@ -0,0 +1 @@
+* @actions/actions-runtime

InRelease.txt

@@ -0,0 +1,36 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Archive: Raspbian_10
+Codename: Raspbian_10
+Origin: obs://build.opensuse.org/devel:kubic:libcontainers:stable/Raspbian_10
+Label: devel:kubic:libcontainers:stable
+Architectures: armhf
+Date: Wed Mar 16 13:23:56 2022
+Description: Stable Releases of Upstream github.com/containers packages (Raspbian_10)
+MD5Sum:
+ 00da1553977a958c3908af1ba0b53aca 34187 Packages
+ 25f9011747fdc99548ffb82ef6ad910a 8497 Packages.gz
+ 5263d81ae22ea768594b67dda64de11a 21789 Sources
+ d575956d08185c9ae22ffdbc0008926c 6196 Sources.gz
+SHA1:
+ 7a14c49010851925c6d73077b6795c2e1b5ad2e0 34187 Packages
+ 7d3104745bd34fb57b3e8280550a54f51691044f 8497 Packages.gz
+ 51e00b51469e6e8efbef466d137ea8c8350343a9 21789 Sources
+ c606e67b2cb0685a1c82e03932585c57eb5d0d2e 6196 Sources.gz
+SHA256:
+ 47774476bc047c3a515a86a154f8b8a350933c4a584b5dcf116b4ff1b4e00195 34187 Packages
+ 3e9e99a38156473bef2ba321610cb796bcdff0e2c964bad9ee54c6a4e35e0989 8497 Packages.gz
+ 078616e1b3d43cc561a389d0fb4588a3e733e468496d920faf2cf786f4013eb1 21789 Sources
+ a15440ff40420e6b40a6e94fc2a3c3228735e0cbdb08c1ec7bec70aefeb3af62 6196 Sources.gz
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.7 (GNU/Linux)
+
+iQEVAwUBYjHk7E1kOQN1BgqkAQg/Ugf/aDxica0mCO/W1xUfw61cVhCgzi5IH9gk
+lF/uCqeM9vVsEaW9oPtwOPrpA81ajkjZi/VvhOBTVYBGhQLLL83tGW5MAwC6CJDC
+QCQPGd+YXlsgb6mR+S2d9zXILi6oEWpTQyTFxbI9GzyAke7uTY+a2vTSR/4YW86F
+UI/PWpehWLUj09BKjOXR4/P5eqqe21ekiPZH+K2IL3ODAjA+6ZXl+X3s6/VFqQ5p
+lO51eIgcekX5lYDiifxVvIcYnOhquWtJLsQxIuWLNokzqdRIPyGIj7uvRjTW6yky
+QogFZ5+il0WLxrBWQmUQ4dxyVdcH4CyVOYGJhy2yn8CdRo+aLEpySQ==
+=tKyt
+-----END PGP SIGNATURE-----

README.md

@@ -2,7 +2,7 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2
+# Checkout V3
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -14,27 +14,14 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 # What's new
 
-- Improved performance
-  - Fetches only a single commit by default
-- Script authenticated git commands
-  - Auth token persisted in the local git config
-- Supports SSH
-- Creates a local branch
-  - No longer detached HEAD when checking out a branch
-- Improved layout
-  - The input `path` is always relative to $GITHUB_WORKSPACE
-  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
-- Fallback to REST API download
-  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
-  - When using a job container, the container's PATH is used
-
-Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
+- Updated to the node16 runtime by default
+  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -105,6 +92,11 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     #
     # Default: false
     submodules: ''
+
+    # Add repository path as safe.directory for Git global config by running `git
+    # config --global --add safe.directory <path>`
+    # Default: true
+    set-safe-directory: ''
 ```
 <!-- end usage -->
 
@@ -118,11 +110,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 0
 ```
@@ -130,7 +123,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: my-branch
 ```
@@ -138,7 +131,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -148,12 +141,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -163,10 +156,10 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -176,15 +169,15 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-private-tools
-    token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
+    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
     path: my-tools
 ```
 
@@ -194,7 +187,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -204,13 +197,31 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```yaml
 on:
   pull_request:
-    branches: [master]
+    branches: [main]
     types: [opened, synchronize, closed]
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+```
+
+## Push a commit using the built-in token
+
+```yaml
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: |
+          date > generated.txt
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add .
+          git commit -m "generated"
+          git push
 ```
 
 # License

Sources

@@ -0,0 +1,462 @@
+Format: 1.0
+Package: buildah
+Binary: buildah
+Architecture: any
+Version: 100:1.19.6-2
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/projectatomic/buildah.git
+Standards-Version: 4.3.0
+Vcs-Git: git://github.com/lsm5/buildah.git
+Build-Depends: debhelper (>= 9), libassuan-dev, libgpgme11-dev, dh-golang (>> 1.47), golang-1.15 | golang-1.14 | golang, libbtrfs-dev | btrfs-progs, libglib2.0-dev, libseccomp-dev, go-md2man, git
+Package-List:
+ buildah deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ b60770b528d85e106ad0439d34c8d088b13a68c5 790 buildah_1.19.6-2.dsc
+ cc576df1c688eec0cf8c3a88474a4a067592876b 97322254 buildah_1.19.6-2.tar.gz
+Checksums-Sha256:
+ 5edc49431cb6d8fedc8aad6bd93d7d6107ac5f9c095dc8ec97483f0fa3147b16 790 buildah_1.19.6-2.dsc
+ 7573d2c068453ccdb3283e52cdc9f4bfbb294449ec2c1c0f75944bfcf5c8d202 97322254 buildah_1.19.6-2.tar.gz
+Files:
+ 23b008e03fdf410709ae846accadf66c 790 buildah_1.19.6-2.dsc
+ 2c0b7f46b7c6effea1c832698246de51 97322254 buildah_1.19.6-2.tar.gz
+
+Format: 1.0
+Package: catatonit
+Binary: catatonit
+Architecture: any
+Version: 0.1.5~1
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/openSUSE/catatonit.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/catatonit.git
+Build-Depends: debhelper (>= 9), autoconf, automake, file, gcc, libtool
+Package-List:
+ catatonit deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 0367592e8ccbb03787e13f2a360a0c27a0ce3199 675 catatonit_0.1.5~1.dsc
+ bf19ce5e86ff83de91efec486fff4de830d486e0 419981 catatonit_0.1.5~1.tar.gz
+Checksums-Sha256:
+ 46d0dd6634788fd5f702b0a4c9454106d09dd5a986c1184d91197489e5adcdc8 675 catatonit_0.1.5~1.dsc
+ 32f655920e9c4f224c011b65860855b335747dded35a2a469fcf58fcd65ef4c3 419981 catatonit_0.1.5~1.tar.gz
+Files:
+ 3a782f905686f9078c156f4184427884 675 catatonit_0.1.5~1.dsc
+ 7bc4f427d5b7d008ee6f4bd60934d2ca 419981 catatonit_0.1.5~1.tar.gz
+
+Format: 1.0
+Package: conmon
+Binary: conmon
+Architecture: any
+Version: 100:2.0.30-2
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containers/conmon.git
+Standards-Version: 4.3.0
+Vcs-Git: git://github.com/lsm5/conmon.git
+Build-Depends: debhelper (>= 9), dh-strip-nondeterminism, dh-autoreconf, libglib2.0-dev, libseccomp-dev, libsystemd-dev
+Package-List:
+ conmon deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ e2deb69698b8150bc1d6ff9820c61dc0ece26eb5 697 conmon_2.0.30-2.dsc
+ 2c7b7d3159cd676b706f896c1a26fd25322d4436 970973 conmon_2.0.30-2.tar.gz
+Checksums-Sha256:
+ 34fa0ac9a100a291d078f1d6b9fd82736ddf645180c513af5f48864729e6c4ec 697 conmon_2.0.30-2.dsc
+ d4f25ebaa574c8b372bd13c8295d3d0ad8841b561e905604ca5adbabeda0841f 970973 conmon_2.0.30-2.tar.gz
+Files:
+ 5ba5a9fb80c1accdb85ff6ad849dc364 697 conmon_2.0.30-2.dsc
+ 44e2641914cfba3c3d8299f19dd33ece 970973 conmon_2.0.30-2.tar.gz
+
+Format: 1.0
+Package: containernetworking-plugins
+Binary: containernetworking-plugins
+Architecture: any
+Version: 100:0.9.1-1
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containernetworking/plugins
+Standards-Version: 4.3.0
+Vcs-Browser: https://github.com/lsm5/plugins
+Vcs-Git: https://github.com/lsm5/plugins
+Build-Depends: debhelper (>= 9), dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang
+Package-List:
+ containernetworking-plugins deb devel extra arch=any
+Directory: .
+Checksums-Sha1:
+ 535037cbdeb19bf75e4a58bcd1766ae8482ac545 840 containernetworking-plugins_0.9.1-1.dsc
+ bfc5ce72b61a6104365de98acbb9177879182239 12029404 containernetworking-plugins_0.9.1-1.tar.gz
+Checksums-Sha256:
+ c7801c015c84605c2fef832db68e0e0fa9a28235305cd7ba07fa98cb886af706 840 containernetworking-plugins_0.9.1-1.dsc
+ b6efdc87ca499a3846a84877314f1307d12ce8c151a2f719d159d7742f858d46 12029404 containernetworking-plugins_0.9.1-1.tar.gz
+Files:
+ b98de6c8890f7d120a5c0d641e00d6a8 840 containernetworking-plugins_0.9.1-1.dsc
+ c7e2b0cf6fb983e3a12485d07fb61f51 12029404 containernetworking-plugins_0.9.1-1.tar.gz
+
+Format: 1.0
+Package: containers-common
+Binary: containers-common
+Architecture: all
+Version: 100:1-22
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/projectatomic/skopeo
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 9), config-package-dev, go-md2man
+Package-List:
+ containers-common deb devel optional arch=all
+Directory: .
+Checksums-Sha1:
+ 42913db41af8b0e5a172b9cfa8f1ba5f479f4c92 647 containers-common_1-22.dsc
+ ed5ea20284706f52ec4ec00513d6ab8a2b1db4b5 123217 containers-common_1-22.tar.gz
+Checksums-Sha256:
+ 14b64d38a2912f22a42630462b4d6237a01078b9221b47e00b1c8c92c5f10710 647 containers-common_1-22.dsc
+ 9d95672a7cd46a6e764be9875c593ea2d212e133fdcc7310aea67156e654e90b 123217 containers-common_1-22.tar.gz
+Files:
+ b0fa7431da46cb3e64e38f5f8ef64c03 647 containers-common_1-22.dsc
+ e14dc8a88d15fa02e8ffb06d57398200 123217 containers-common_1-22.tar.gz
+
+Format: 1.0
+Package: cri-o-runc
+Binary: cri-o-runc
+Architecture: any
+Version: 1.0.1~0
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/opencontainers/runc
+Standards-Version: 4.3.0
+Vcs-Browser: https://gitlab.com/rhcontainerbot/cri-o-runc.git
+Vcs-Git: https://gitlab.com/rhcontainerbot/cri-o-runc.git
+Build-Depends: debhelper (>= 9), dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang, go-md2man, libapparmor-dev, protobuf-compiler, libseccomp-dev, pkg-config
+Package-List:
+ cri-o-runc deb devel extra arch=any
+Directory: .
+Checksums-Sha1:
+ 5446edee7a715c7fdd9043d0fb91f98d421f661b 835 cri-o-runc_1.0.1~0.dsc
+ 4201ef306b1e2198c05373845297b9b60e1ea91f 24681719 cri-o-runc_1.0.1~0.tar.gz
+Checksums-Sha256:
+ 6fffedfcb6eb829d30b29a53be25fb50e1f96979014a1aef815a665a3983d83c 835 cri-o-runc_1.0.1~0.dsc
+ ea3c5e1c81cf87f450eb293c7213470e86bbb3b1eb57afce175a01369b735db1 24681719 cri-o-runc_1.0.1~0.tar.gz
+Files:
+ e1a7d308f717c08e9f0265aa961e6d6c 835 cri-o-runc_1.0.1~0.dsc
+ e7611fceea3dc71e488938b982a0ee53 24681719 cri-o-runc_1.0.1~0.tar.gz
+
+Format: 1.0
+Package: cri-tools
+Binary: cri-tools
+Architecture: any
+Version: 1.17.0~3
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/kubernetes-sigs/cri-tools.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/cri-tools.git
+Build-Depends: debhelper (>= 9), rsync, libassuan-dev, libgpgme11-dev, dh-golang, golang, libglib2.0-dev, go-md2man
+Package-List:
+ cri-tools deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 30048c99f01954cf139d2aacde0464225febb3e3 736 cri-tools_1.17.0~3.dsc
+ 13cd2a21e4c7af58052ea2fef801c132cfb7414e 33383821 cri-tools_1.17.0~3.tar.gz
+Checksums-Sha256:
+ 1e9bfb8a48aa578bb68e08fec6db818690d373db76cbf7b5a455c294c82bc287 736 cri-tools_1.17.0~3.dsc
+ 9ea3169d6a6bc3e27b643cfdc2959c18eaf204452842e2e25321f628b919bf51 33383821 cri-tools_1.17.0~3.tar.gz
+Files:
+ 4170942a2570b6d85ca58e298c41cd68 736 cri-tools_1.17.0~3.dsc
+ 5711da22e8d93eace3809df65eacb757 33383821 cri-tools_1.17.0~3.tar.gz
+
+Format: 3.0 (quilt)
+Package: criu
+Binary: criu
+Architecture: amd64 arm64 armhf ppc64el s390x
+Version: 3.16.1-3
+Maintainer: Salvatore Bonaccorso <carnil@debian.org>
+Homepage: https://www.criu.org/
+Standards-Version: 4.1.5
+Vcs-Browser: https://salsa.debian.org/debian/criu
+Vcs-Git: https://salsa.debian.org/debian/criu.git
+Build-Depends: asciidoctor, debhelper (>= 11), dh-python, git, libbsd-dev, libcap-dev, libgnutls28-dev, libgnutls30, libnet1-dev, libnl-3-dev, libprotobuf-c-dev, libprotobuf-dev, pkg-config, protobuf-c-compiler, protobuf-compiler, python3-all
+Package-List:
+ criu deb admin optional arch=amd64,arm64,armhf,ppc64el,s390x
+Directory: .
+Checksums-Sha1:
+ 80814f41219da83c1e7722ba5fc0d9f38201351f 1159 criu_3.16.1-3.dsc
+ aab38d1dab5c61be04f3f9b2a92ffb10b8c63cd6 1228535 criu_3.16.1.orig.tar.gz
+ 236081b9f99ea8b2ed86b0eb161b121cff58842b 6908 criu_3.16.1-3.debian.tar.xz
+Checksums-Sha256:
+ adb9f2b5918d094baeef827f5fae02f05d84fcc624262418a21f4414ed3053ed 1159 criu_3.16.1-3.dsc
+ 13d6e2f99a34abf83ec2b9777af5bd069e739bf38582857c7f4c19a355a2b0b5 1228535 criu_3.16.1.orig.tar.gz
+ 7fd5878198cdc29dd0573fa198ac36ebd89ebc5fb245d98de1de44a703ff7724 6908 criu_3.16.1-3.debian.tar.xz
+Files:
+ b45d29c71e10bdaa7dfdb8a07146fc10 1159 criu_3.16.1-3.dsc
+ eb4330f57145d403565a6a3328c8bc72 1228535 criu_3.16.1.orig.tar.gz
+ 9917cd8cfbc698b19219dd59dc0fe3d9 6908 criu_3.16.1-3.debian.tar.xz
+
+Format: 1.0
+Package: crun
+Binary: crun
+Architecture: any
+Version: 100:0.18-2
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containers/crun.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/crun.git
+Build-Depends: debhelper (>= 9), criu (>= 3.15), git, dh-autoreconf, dh-strip-nondeterminism, libglib2.0-dev, libcap-dev, libseccomp-dev, libsystemd-dev, libyajl-dev
+Package-List:
+ crun deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ f481aba82110522d8fff1cf39e2d24a2cef78f35 737 crun_0.18-2.dsc
+ 5badc728327a9eb0f686644cc5794e6bc5170094 19704274 crun_0.18-2.tar.gz
+Checksums-Sha256:
+ 693f215616ec7340d4314553b9756434051473962490ba59dfd52b1c5617c2ec 737 crun_0.18-2.dsc
+ ba17ecc9e720cb91edc0562c94623e15fb1541438a7580b0512010e3064dd1c8 19704274 crun_0.18-2.tar.gz
+Files:
+ 470aa2db625fc9b52a52b572d4cdcb04 737 crun_0.18-2.dsc
+ 5213a4fbd4fd1f0f8e8ba82b0c51025b 19704274 crun_0.18-2.tar.gz
+
+Format: 3.0 (native)
+Package: dh-golang
+Binary: dh-golang
+Architecture: all
+Version: 1.48~bpo10+1
+Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders: Michael Stapelberg <stapelberg@debian.org>, Martina Ferrari <tincho@debian.org>, Anthony Fok <foka@debian.org>, Dr. Tobias Quathamer <toddy@debian.org>,
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/go-team/packages/dh-golang
+Vcs-Git: https://salsa.debian.org/go-team/packages/dh-golang.git
+Build-Depends: debhelper-compat (= 10), libmodule-install-perl
+Package-List:
+ dh-golang deb devel optional arch=all
+Directory: .
+Checksums-Sha1:
+ 6dc25f606c41e4e2771750db5d78fa64c091fcb7 893 dh-golang_1.48~bpo10+1.dsc
+ a49182cd856763c1b093b73cea397fada8673e3a 16484 dh-golang_1.48~bpo10+1.tar.xz
+Checksums-Sha256:
+ e21ee7275a38ca8db52281a2e5068b97029870b8103dd6b6c147930d803de09d 893 dh-golang_1.48~bpo10+1.dsc
+ 6a259342872189f694c5ed8b459b823af2373d9292c09e0184029f5400d67b02 16484 dh-golang_1.48~bpo10+1.tar.xz
+Files:
+ 6c340177fd1e2fa87a1570046d57db82 893 dh-golang_1.48~bpo10+1.dsc
+ 68514741519f0c3ab58a26069117a94f 16484 dh-golang_1.48~bpo10+1.tar.xz
+
+Format: 1.0
+Package: fuse-overlayfs
+Binary: fuse-overlayfs
+Architecture: any
+Version: 1.4.0~1
+Maintainer: Reinhard Tartler <siretart@tauware.de>
+Uploaders: Dmitry Smirnov <onlyjob@debian.org>
+Homepage: https://github.com/containers/fuse-overlayfs
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/debian/fuse-overlayfs
+Vcs-Git: https://salsa.debian.org/debian/fuse-overlayfs.git
+Build-Depends: debhelper-compat (= 12), autoconf, automake, go-md2man, libfuse3-dev, pkg-config | pkgconf
+Package-List:
+ fuse-overlayfs deb misc optional arch=any
+Directory: .
+Checksums-Sha1:
+ 2372ce979fb899984ed025542356c4e92114a119 851 fuse-overlayfs_1.4.0~1.dsc
+ 35ffab09e19f5c6345df124d108fd8f075f18e32 1147939 fuse-overlayfs_1.4.0~1.tar.gz
+Checksums-Sha256:
+ 3d9a4398ceb78bc28dd8b1d4c36afa96b26683a6d5ad2fd4cd012352fdcab561 851 fuse-overlayfs_1.4.0~1.dsc
+ 24740ec108b0183984871d639619a57469f6c67593bd0ae2d8945414790259d6 1147939 fuse-overlayfs_1.4.0~1.tar.gz
+Files:
+ 0cf763211bffd79eb5672542bb443923 851 fuse-overlayfs_1.4.0~1.dsc
+ 2892996acc99b25132ec234ccc0f3b34 1147939 fuse-overlayfs_1.4.0~1.tar.gz
+
+Format: 1.0
+Package: golang-1.14
+Binary: golang-1.14-go, golang-1.14-src, golang-1.14-doc, golang-1.14
+Architecture: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el riscv64 s390x all
+Version: 1.14.4-3
+Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
+Uploaders: Michael Stapelberg <stapelberg@debian.org>, Paul Tagliamonte <paultag@debian.org>, Tianon Gravi <tianon@debian.org>, Michael Hudson-Doyle <mwhudson@debian.org>, Dr. Tobias Quathamer <toddy@debian.org>
+Homepage: https://golang.org
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/go-team/compiler/golang/tree/golang-1.14
+Vcs-Git: https://salsa.debian.org/go-team/compiler/golang.git -b golang-1.14
+Build-Depends: debhelper-compat (= 10), golang-any (>= 2:1.4~) | golang-go (>= 2:1.4~) | gccgo (>= 4:5~), netbase
+Package-List:
+ golang-1.14 deb devel optional arch=all
+ golang-1.14-doc deb doc optional arch=all
+ golang-1.14-go deb devel optional arch=amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64,ppc64el,riscv64,s390x
+ golang-1.14-src deb devel optional arch=amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64,ppc64el,riscv64,s390x
+Directory: .
+Checksums-Sha1:
+ bde3e7cfc8209490ba0f19a4a7def4b141d2251b 1454 golang-1.14_1.14.4-3.dsc
+ 2531d36b444d808c70ed544fdb86e104cde26acd 1364335460 golang-1.14_1.14.4-3.tar.gz
+Checksums-Sha256:
+ 44eddadce1ed64f7fbc690a81a9a15dc6386999922f2e4c639e54a7c515ce565 1454 golang-1.14_1.14.4-3.dsc
+ 64bdf698b955c3f24f773359de8321a9ddea3e70d6aa8f7fb9c5659659ec0eba 1364335460 golang-1.14_1.14.4-3.tar.gz
+Files:
+ 5d91d26b6bdcfbc8d036ed4f8fbad045 1454 golang-1.14_1.14.4-3.dsc
+ 39f7d379ef65f0498653508bed314fe9 1364335460 golang-1.14_1.14.4-3.tar.gz
+
+Format: 1.0
+Package: golang-1.15
+Binary: golang-1.15-go, golang-1.15-src, golang-1.15-doc, golang-1.15
+Architecture: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el riscv64 s390x all
+Version: 1.15.2-1
+Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
+Uploaders: Michael Stapelberg <stapelberg@debian.org>, Paul Tagliamonte <paultag@debian.org>, Tianon Gravi <tianon@debian.org>, Michael Hudson-Doyle <mwhudson@debian.org>, Dr. Tobias Quathamer <toddy@debian.org>
+Homepage: https://golang.org
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/go-team/compiler/golang/tree/golang-1.15
+Vcs-Git: https://salsa.debian.org/go-team/compiler/golang.git -b golang-1.15
+Build-Depends: debhelper-compat (= 10), golang | golang-any (>= 2:1.4~) | golang-go (>= 2:1.4~) | gccgo (>= 4:5~), netbase
+Package-List:
+ golang-1.15 deb devel optional arch=all
+ golang-1.15-doc deb doc optional arch=all
+ golang-1.15-go deb devel optional arch=amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64,ppc64el,riscv64,s390x
+ golang-1.15-src deb devel optional arch=amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64,ppc64el,riscv64,s390x
+Directory: .
+Checksums-Sha1:
+ 21cbd7af6714fc586f172b7fc7f34117a59d1588 1463 golang-1.15_1.15.2-1.dsc
+ 31c1e5b14f18b741c8403a1abde10cb78a70dbec 1365462709 golang-1.15_1.15.2-1.tar.gz
+Checksums-Sha256:
+ 03aa7652efb523a2df61e7d6f03d632f771fee830a4179ddd8bcd44538eebcc9 1463 golang-1.15_1.15.2-1.dsc
+ 850b8df1dbbc29cc3296ce186dfec0eb595cd3c468f09e898027126b3eaa3f61 1365462709 golang-1.15_1.15.2-1.tar.gz
+Files:
+ 2b0429374a33ead42756a2daaa2b7c88 1463 golang-1.15_1.15.2-1.dsc
+ d5f1ddb8345ed557fc107b9071a9c37b 1365462709 golang-1.15_1.15.2-1.tar.gz
+
+Format: 1.0
+Package: golang-1.16
+Binary: golang-1.16-go, golang-1.16-src, golang-1.16-doc, golang-1.16
+Architecture: amd64 arm64 armel armhf i386 mips mips64el mipsel ppc64 ppc64el riscv64 s390x all
+Version: 1.16.6-5
+Maintainer: Go Compiler Team <team+go-compiler@tracker.debian.org>
+Uploaders: Michael Stapelberg <stapelberg@debian.org>, Paul Tagliamonte <paultag@debian.org>, Tianon Gravi <tianon@debian.org>, Michael Hudson-Doyle <mwhudson@debian.org>, Dr. Tobias Quathamer <toddy@debian.org>, Anthony Fok <foka@debian.org>
+Homepage: https://golang.org
+Standards-Version: 4.5.0
+Vcs-Browser: https://salsa.debian.org/go-team/compiler/golang/tree/golang-1.16
+Vcs-Git: https://salsa.debian.org/go-team/compiler/golang.git -b golang-1.16
+Build-Depends: debhelper-compat (= 10), golang-1.15 | golang-any (>= 2:1.4~) | golang-go (>= 2:1.4~) | gccgo (>= 4:5~), netbase
+Package-List:
+ golang-1.16 deb golang optional arch=all
+ golang-1.16-doc deb doc optional arch=all
+ golang-1.16-go deb golang optional arch=amd64,arm64,armel,armhf,i386,mips,mips64el,mipsel,ppc64,ppc64el,riscv64,s390x
+ golang-1.16-src deb golang optional arch=all
+Directory: .
+Checksums-Sha1:
+ 1b5a22dbf4280c50e37e1dbfa6d2df1ba1bef7bd 1425 golang-1.16_1.16.6-5.dsc
+ c4b08fbe7d01dbc35e2aa3d52b72c2353e96942b 156242466 golang-1.16_1.16.6-5.tar.gz
+Checksums-Sha256:
+ ff4563f32053679207ca93670b621aed67da2025663dc2989bcaad427a62495f 1425 golang-1.16_1.16.6-5.dsc
+ 1909124fdf4eb4874b2656d8ce343ab05b02e965e7e98f8854367bbf39b80d44 156242466 golang-1.16_1.16.6-5.tar.gz
+Files:
+ f2ea561af62a4b119cbfc44d5de376dc 1425 golang-1.16_1.16.6-5.dsc
+ f5586207a6c0c877f6d98cbf03064484 156242466 golang-1.16_1.16.6-5.tar.gz
+
+Format: 1.0
+Package: podman-machine-cni
+Binary: podman-machine-cni
+Architecture: any
+Version: 100:0.0.0-1
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containers/podman-machine-cni.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/podman-machine-cni.git
+Build-Depends: debhelper (>= 9), dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang, go-md2man, git
+Package-List:
+ podman-machine-cni deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ bf753b7bfcbd374011d262567492427c4200f036 788 podman-machine-cni_0.0.0-1.dsc
+ 5169367c51585444cf710e53b7e5f25af8c0575a 5435209 podman-machine-cni_0.0.0-1.tar.gz
+Checksums-Sha256:
+ 5eff5851a51121303318c8629acb51b71cc4cf001589eda730de7aacdf7485af 788 podman-machine-cni_0.0.0-1.dsc
+ 13138395b8000c54d6a933ab3c5d5a2125647b63d84034bf5bbdc4c2983f83a8 5435209 podman-machine-cni_0.0.0-1.tar.gz
+Files:
+ 03f9e7cf01513ad704818e4e379ad5a1 788 podman-machine-cni_0.0.0-1.dsc
+ e4f1865497f860b43de1bc268873191f 5435209 podman-machine-cni_0.0.0-1.tar.gz
+
+Format: 1.0
+Package: podman-plugins
+Binary: podman-plugins
+Architecture: any
+Version: 100:1.1.1-5
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containers/dnsname.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/podman-plugins.git
+Build-Depends: debhelper (>= 9), dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang, go-md2man, git
+Package-List:
+ podman-plugins deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 457d412f38654c23d1fdf80b8a25b5e832225ad2 752 podman-plugins_1.1.1-5.dsc
+ 4469cf8c2b1e49c857cda34d0df56d7099ad1d1b 37766862 podman-plugins_1.1.1-5.tar.gz
+Checksums-Sha256:
+ 89268c6000e506df7cb7a9a381b66591ce08bfc426f2c9b202f786293109fd80 752 podman-plugins_1.1.1-5.dsc
+ 8c1e706bb5db788075ca71ffaf270c73f4c788a72b4d16cb2078e063650acc06 37766862 podman-plugins_1.1.1-5.tar.gz
+Files:
+ de1ee275215e17873d72200b5f4d9e7e 752 podman-plugins_1.1.1-5.dsc
+ e3a2807c0be0546865096b2b70c6c54f 37766862 podman-plugins_1.1.1-5.tar.gz
+
+Format: 1.0
+Package: podman
+Binary: podman, podman-rootless
+Architecture: any
+Version: 100:3.0.1-2
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/containers/podman.git
+Standards-Version: 4.3.0
+Vcs-Git: https://gitlab.com/rhcontainerbot/podman.git
+Build-Depends: debhelper (>= 9), cpio, libassuan-dev, libgpgme11-dev, libseccomp-dev, libsystemd-dev, libbtrfs-dev | btrfs-progs, dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang, libglib2.0-dev, go-md2man, git
+Package-List:
+ podman deb devel optional arch=any
+ podman-rootless deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 1e90a9417af61fd9b2e03e3049c979a0619a05ba 873 podman_3.0.1-2.dsc
+ c8a6a76c8821d9412ca695441f86b2e4da07276f 129856422 podman_3.0.1-2.tar.gz
+Checksums-Sha256:
+ 40ca4fdc10654830feabf402e59dac0f882ea37581e7b4a0ff1d53f6d32c7e94 873 podman_3.0.1-2.dsc
+ 9a57c6812db03f26de704d66625e8f7ec04e8aa4a3ef0b5886603f1736e288ed 129856422 podman_3.0.1-2.tar.gz
+Files:
+ 56e3042f91666bebf77c7d6234ea2042 873 podman_3.0.1-2.dsc
+ 8bb3775f6204cfc941d70fb6f419306e 129856422 podman_3.0.1-2.tar.gz
+
+Format: 1.0
+Package: skopeo
+Binary: skopeo
+Architecture: any
+Version: 100:1.2.2-2
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/projectatomic/skopeo
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 9), config-package-dev, libgpgme11-dev, libassuan-dev, libbtrfs-dev | btrfs-progs, dh-golang (>> 1.47), golang-1.15 | golang-1.14, golang, libglib2.0-dev, go-md2man
+Package-List:
+ skopeo deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 80aa605df5f07c26a5dc74843664140f45737eae 733 skopeo_1.2.2-2.dsc
+ ba70c8dea23f12d872d284097549ef4797adce70 105759212 skopeo_1.2.2-2.tar.gz
+Checksums-Sha256:
+ 8619bb7f3275779c0b8d1bd094dba89a40d837e448fc9ecb28543cd9162590e8 733 skopeo_1.2.2-2.dsc
+ 5c8642a96a59771180c23bc59ed3438c20586ada4489fcf3e43690348a8349ac 105759212 skopeo_1.2.2-2.tar.gz
+Files:
+ e8a6db8b0f531d7b5f73b6366b694677 733 skopeo_1.2.2-2.dsc
+ a984058a5e9e4bb75e010d52b7d7f885 105759212 skopeo_1.2.2-2.tar.gz
+
+Format: 1.0
+Package: slirp4netns
+Binary: slirp4netns
+Architecture: any
+Version: 100:1.1.8-3
+Maintainer: Lokesh Mandvekar <lsm5@fedoraproject.org>
+Homepage: https://github.com/rootless-containers/slirp4netns
+Standards-Version: 4.3.0
+Vcs-Browser: https://gitlab.com/rhcontainerbot/slirp4netns
+Vcs-Git: https://gitlab.com/rhcontainerbot/slirp4netns.git
+Testsuite: autopkgtest
+Build-Depends: debhelper (>= 9), autoconf, automake, autotools-dev, dh-autoreconf, libcap-dev, libglib2.0-dev, libseccomp-dev
+Package-List:
+ slirp4netns deb devel optional arch=any
+Directory: .
+Checksums-Sha1:
+ 6066526104b524bf82261eb3b750526383486fa2 841 slirp4netns_1.1.8-3.dsc
+ 51e5137b4fae89ce7ab3eddccc75fac4f46acb00 2316590 slirp4netns_1.1.8-3.tar.gz
+Checksums-Sha256:
+ 56b64da3348f369dce58d51b3eaac1fa5905b9440b6d00a2c0c7c1aeec655c92 841 slirp4netns_1.1.8-3.dsc
+ 8c10225fdde58a2eab8784cd8bdee2a72feabbf3c70c9856cf8bd8354e6cb4c0 2316590 slirp4netns_1.1.8-3.tar.gz
+Files:
+ d4a0128e1194d6feca673c6f02063333 841 slirp4netns_1.1.8-3.dsc
+ 55064e30e7216599723e9ef8c83f9e63 2316590 slirp4netns_1.1.8-3.tar.gz
+

__test__/git-auth-helper.test.ts

@@ -417,7 +417,7 @@ describe('git-auth-helper tests', () => {
           `Did not expect file to exist: '${globalGitConfigPath}'`
         )
       } catch (err) {
-        if (err.code !== 'ENOENT') {
+        if ((err as any)?.code !== 'ENOENT') {
           throw err
         }
       }
@@ -518,12 +518,17 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/url.*insteadOf/)
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
+        /url.*insteadOf.*git@github.com:/
+      )
+      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
+        /url.*insteadOf.*org-123456@github.com:/
+      )
     }
   )
 
@@ -601,7 +606,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKeyPath)
       throw new Error('SSH key should have been deleted')
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -611,7 +616,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKnownHostsPath)
       throw new Error('SSH known hosts should have been deleted')
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -638,10 +643,11 @@ describe('git-auth-helper tests', () => {
     expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
-  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
-  it(removeGlobalAuth_removesOverride, async () => {
+  const removeGlobalConfig_removesOverride =
+    'removeGlobalConfig removes override'
+  it(removeGlobalConfig_removesOverride, async () => {
     // Arrange
-    await setup(removeGlobalAuth_removesOverride)
+    await setup(removeGlobalConfig_removesOverride)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
     await authHelper.configureGlobalAuth()
@@ -650,7 +656,7 @@ describe('git-auth-helper tests', () => {
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
-    await authHelper.removeGlobalAuth()
+    await authHelper.removeGlobalConfig()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
@@ -658,7 +664,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(homeOverride)
       throw new Error(`Should have been deleted '${homeOverride}'`)
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -764,13 +770,15 @@ async function setup(testName: string): Promise<void> {
     submodules: false,
     nestedSubmodules: false,
     persistCredentials: true,
-    ref: 'refs/heads/master',
+    ref: 'refs/heads/main',
     repositoryName: 'my-repo',
     repositoryOwner: 'my-org',
     repositoryPath: '',
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
-    sshStrict: true
+    sshStrict: true,
+    workflowOrganizationId: 123456,
+    setSafeDirectory: true
   }
 }
 

__test__/input-helper.test.ts

@@ -1,9 +1,9 @@
-import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
+import * as workflowContextHelper from '../lib/workflow-context-helper'
 import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -43,6 +43,11 @@ describe('input-helper tests', () => {
       .spyOn(fsHelper, 'directoryExistsSync')
       .mockImplementation((path: string) => path == gitHubWorkspace)
 
+    // Mock ./workflowContextHelper getOrganizationId()
+    jest
+      .spyOn(workflowContextHelper, 'getOrganizationId')
+      .mockImplementation(() => Promise.resolve(123456))
+
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -67,8 +72,8 @@ describe('input-helper tests', () => {
     jest.restoreAllMocks()
   })
 
-  it('sets defaults', () => {
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+  it('sets defaults', async () => {
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings).toBeTruthy()
     expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
@@ -80,13 +85,14 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
+    expect(settings.setSafeDirectory).toBe(true)
   })
 
-  it('qualifies ref', () => {
+  it('qualifies ref', async () => {
     let originalRef = github.context.ref
     try {
       github.context.ref = 'some-unqualified-ref'
-      const settings: IGitSourceSettings = inputHelper.getInputs()
+      const settings: IGitSourceSettings = await inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@@ -95,32 +101,42 @@ describe('input-helper tests', () => {
     }
   })
 
-  it('requires qualified repo', () => {
+  it('requires qualified repo', async () => {
     inputs.repository = 'some-unqualified-repo'
-    assert.throws(() => {
-      inputHelper.getInputs()
-    }, /Invalid repository 'some-unqualified-repo'/)
+    try {
+      await inputHelper.getInputs()
+      throw 'should not reach here'
+    } catch (err) {
+      expect(`(${(err as any).message}`).toMatch(
+        "Invalid repository 'some-unqualified-repo'"
+      )
+    }
   })
 
-  it('roots path', () => {
+  it('roots path', async () => {
     inputs.path = 'some-directory/some-subdirectory'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.repositoryPath).toBe(
       path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
     )
   })
 
-  it('sets ref to empty when explicit sha', () => {
+  it('sets ref to empty when explicit sha', async () => {
     inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.ref).toBeFalsy()
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets sha to empty when explicit ref', () => {
+  it('sets sha to empty when explicit ref', async () => {
     inputs.ref = 'refs/heads/some-other-ref'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/some-other-ref')
     expect(settings.commit).toBeFalsy()
   })
+
+  it('sets workflow organization ID', async () => {
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.workflowOrganizationId).toBe(123456)
+  })
 })

__test__/override-git-version.cmd

@@ -2,5 +2,5 @@
 mkdir override-git-version
 cd override-git-version
 echo @echo override git version 1.2.3 > git.cmd
-echo ::add-path::%CD%
+echo "%CD%" >> $GITHUB_PATH
 cd ..

__test__/override-git-version.sh

@@ -5,5 +5,5 @@ cd override-git-version
 echo "#!/bin/sh" > git
 echo "echo override git version 1.2.3" >> git
 chmod +x git
-echo "::add-path::$(pwd)"
+echo "$(pwd)" >> $GITHUB_PATH
 cd ..

__test__/ref-helper.test.ts

@@ -16,7 +16,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'refs/heads/my/branch', commit)
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe('Arg git cannot be empty')
+      expect((err as any)?.message).toBe('Arg git cannot be empty')
     }
   })
 
@@ -25,7 +25,9 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, '', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe('Args ref and commit cannot both be empty')
+      expect((err as any)?.message).toBe(
+        'Args ref and commit cannot both be empty'
+      )
     }
   })
 
@@ -102,7 +104,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'my-ref', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe(
+      expect((err as any)?.message).toBe(
         "A branch or tag with the name 'my-ref' could not be found"
       )
     }

__test__/retry-helper.test.ts

@@ -74,7 +74,7 @@ describe('retry-helper tests', () => {
         throw new Error(`some error ${++attempts}`)
       })
     } catch (err) {
-      error = err
+      error = err as Error
     }
     expect(error.message).toBe('some error 3')
     expect(attempts).toBe(3)

__test__/verify-basic.sh

@@ -20,5 +20,5 @@ else
 
   # Verify auth token
   cd basic
-  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+  git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 fi

action.yml

@@ -68,7 +68,10 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
+  set-safe-directory:
+    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
+    default: true
 runs:
-  using: node12
+  using: node16
   main: dist/index.js
   post: dist/index.js

adrs/0153-checkout-v2.md

@@ -24,7 +24,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
     description: >
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, defaults to `master`.
+      event.  Otherwise, uses the default branch.
   token:
     description: >
       Personal access token (PAT) used to fetch the repository. The PAT is configured
@@ -277,7 +277,7 @@ Note:
 ### Branching strategy and release tags
 
 - Create a servicing branch for V1: `releases/v1`
-- Merge the changes into `master`
+- Merge the changes into the default branch
 - Release using a new tag `preview`
 - When stable, release using a new tag `v2`
 

package.json

@@ -8,7 +8,9 @@
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
     "lint": "eslint src/**/*.ts",
-    "test": "jest"
+    "test": "jest",
+    "licensed-check": "src/misc/licensed-check.sh",
+    "licensed-generate": "src/misc/licensed-generate.sh"
   },
   "repository": {
     "type": "git",
@@ -26,27 +28,27 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.1.3",
+    "@actions/core": "^1.7.0",
     "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.2.0",
+    "@actions/github": "^5.0.3",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
-    "uuid": "^3.3.3"
+    "uuid": "^8.3.2"
   },
   "devDependencies": {
-    "@types/jest": "^24.0.23",
+    "@types/jest": "^27.0.2",
     "@types/node": "^12.7.12",
     "@types/uuid": "^3.4.6",
-    "@typescript-eslint/parser": "^2.8.0",
+    "@typescript-eslint/parser": "^5.1.0",
     "@zeit/ncc": "^0.20.5",
-    "eslint": "^5.16.0",
-    "eslint-plugin-github": "^2.0.0",
-    "eslint-plugin-jest": "^22.21.0",
-    "jest": "^24.9.0",
-    "jest-circus": "^24.9.0",
+    "eslint": "^7.32.0",
+    "eslint-plugin-github": "^4.3.2",
+    "eslint-plugin-jest": "^25.2.2",
+    "jest": "^27.3.0",
+    "jest-circus": "^27.3.0",
     "js-yaml": "^3.13.1",
     "prettier": "^1.19.1",
-    "ts-jest": "^24.2.0",
-    "typescript": "^3.6.4"
+    "ts-jest": "^27.0.7",
+    "typescript": "^4.4.4"
   }
 }

src/fs-helper.ts

@@ -9,7 +9,7 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       if (!required) {
         return false
       }
@@ -18,7 +18,8 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 
@@ -39,12 +40,13 @@ export function existsSync(path: string): boolean {
   try {
     fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 
@@ -60,12 +62,13 @@ export function fileExistsSync(path: string): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 

src/git-auth-helper.ts

@@ -19,8 +19,9 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
+  configureTempGlobalConfig(): Promise<string>
   removeAuth(): Promise<void>
-  removeGlobalAuth(): Promise<void>
+  removeGlobalConfig(): Promise<void>
 }
 
 export function createAuthHelper(
@@ -37,7 +38,7 @@ class GitAuthHelper {
   private readonly tokenConfigValue: string
   private readonly tokenPlaceholderConfigValue: string
   private readonly insteadOfKey: string
-  private readonly insteadOfValue: string
+  private readonly insteadOfValues: string[] = []
   private sshCommand = ''
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
@@ -45,7 +46,7 @@ class GitAuthHelper {
 
   constructor(
     gitCommandManager: IGitCommandManager,
-    gitSourceSettings?: IGitSourceSettings
+    gitSourceSettings: IGitSourceSettings | undefined
   ) {
     this.git = gitCommandManager
     this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
@@ -63,7 +64,12 @@ class GitAuthHelper {
 
     // Instead of SSH URL
     this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
-    this.insteadOfValue = `git@${serverUrl.hostname}:`
+    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
+    if (this.settings.workflowOrganizationId) {
+      this.insteadOfValues.push(
+        `org-${this.settings.workflowOrganizationId}@github.com:`
+      )
+    }
   }
 
   async configureAuth(): Promise<void> {
@@ -75,7 +81,11 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureGlobalAuth(): Promise<void> {
+  async configureTempGlobalConfig(): Promise<string> {
+    // Already setup global config
+    if (this.temporaryHomePath?.length > 0) {
+      return path.join(this.temporaryHomePath, '.gitconfig')
+    }
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@@ -94,7 +104,7 @@ class GitAuthHelper {
       await fs.promises.stat(gitConfigPath)
       configExists = true
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -105,20 +115,28 @@ class GitAuthHelper {
       await fs.promises.writeFile(newGitConfigPath, '')
     }
 
-    try {
-      // Override HOME
-      core.info(
-        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
-      )
-      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+    // Override HOME
+    core.info(
+      `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
+    )
+    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
 
+    return newGitConfigPath
+  }
+
+  async configureGlobalAuth(): Promise<void> {
+    // 'configureTempGlobalConfig' noops if already set, just returns the path
+    const newGitConfigPath = await this.configureTempGlobalConfig()
+    try {
       // Configure the token
       await this.configureToken(newGitConfigPath, true)
 
       // Configure HTTPS instead of SSH
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
-        await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
+        for (const insteadOfValue of this.insteadOfValues) {
+          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
+        }
       }
     } catch (err) {
       // Unset in case somehow written to the real global config
@@ -148,7 +166,7 @@ class GitAuthHelper {
         output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
       for (const configPath of configPaths) {
         core.debug(`Replacing token placeholder in '${configPath}'`)
-        this.replaceTokenPlaceholder(configPath)
+        await this.replaceTokenPlaceholder(configPath)
       }
 
       if (this.settings.sshKey) {
@@ -159,10 +177,12 @@ class GitAuthHelper {
         )
       } else {
         // Configure HTTPS instead of SSH
-        await this.git.submoduleForeach(
-          `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
-          this.settings.nestedSubmodules
-        )
+        for (const insteadOfValue of this.insteadOfValues) {
+          await this.git.submoduleForeach(
+            `git config --local --add '${this.insteadOfKey}' '${insteadOfValue}'`,
+            this.settings.nestedSubmodules
+          )
+        }
       }
     }
   }
@@ -172,10 +192,12 @@ class GitAuthHelper {
     await this.removeToken()
   }
 
-  async removeGlobalAuth(): Promise<void> {
-    core.debug(`Unsetting HOME override`)
-    this.git.removeEnvironmentVariable('HOME')
-    await io.rmRF(this.temporaryHomePath)
+  async removeGlobalConfig(): Promise<void> {
+    if (this.temporaryHomePath?.length > 0) {
+      core.debug(`Unsetting HOME override`)
+      this.git.removeEnvironmentVariable('HOME')
+      await io.rmRF(this.temporaryHomePath)
+    }
   }
 
   private async configureSsh(): Promise<void> {
@@ -213,7 +235,7 @@ class GitAuthHelper {
         await fs.promises.readFile(userKnownHostsPath)
       ).toString()
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -302,7 +324,7 @@ class GitAuthHelper {
       try {
         await io.rmRF(keyPath)
       } catch (err) {
-        core.debug(err.message)
+        core.debug(`${(err as any)?.message ?? err}`)
         core.warning(`Failed to remove SSH key '${keyPath}'`)
       }
     }

src/git-command-manager.ts

@@ -21,7 +21,8 @@ export interface IGitCommandManager {
   config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean
+    globalConfig?: boolean,
+    add?: boolean
   ): Promise<void>
   configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
   fetch(refSpec: string[], fetchDepth?: number): Promise<void>
@@ -31,7 +32,7 @@ export interface IGitCommandManager {
   isDetached(): Promise<boolean>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
-  log1(): Promise<string>
+  log1(format?: string): Promise<string>
   remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
   removeEnvironmentVariable(name: string): void
   revParse(ref: string): Promise<string>
@@ -140,14 +141,15 @@ class GitCommandManager {
   async config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean
+    globalConfig?: boolean,
+    add?: boolean
   ): Promise<void> {
-    await this.execGit([
-      'config',
-      globalConfig ? '--global' : '--local',
-      configKey,
-      configValue
-    ])
+    const args: string[] = ['config', globalConfig ? '--global' : '--local']
+    if (add) {
+      args.push('--add')
+    }
+    args.push(...[configKey, configValue])
+    await this.execGit(args)
   }
 
   async configExists(
@@ -254,8 +256,10 @@ class GitCommandManager {
     await this.execGit(['lfs', 'install', '--local'])
   }
 
-  async log1(): Promise<string> {
-    const output = await this.execGit(['log', '-1'])
+  async log1(format?: string): Promise<string> {
+    var args = format ? ['log', '-1', format] : ['log', '-1']
+    var silent = format ? false : true
+    const output = await this.execGit(args, false, silent)
     return output.stdout
   }
 
@@ -270,7 +274,7 @@ class GitCommandManager {
   /**
    * Resolves a ref to a SHA. For a branch or lightweight tag, the commit SHA is returned.
    * For an annotated tag, the tag SHA is returned.
-   * @param {string} ref  For example: 'refs/heads/master' or '/refs/tags/v1'
+   * @param {string} ref  For example: 'refs/heads/main' or '/refs/tags/v1'
    * @returns {Promise<string>}
    */
   async revParse(ref: string): Promise<string> {
@@ -390,7 +394,8 @@ class GitCommandManager {
 
   private async execGit(
     args: string[],
-    allowAllExitCodes = false
+    allowAllExitCodes = false,
+    silent = false
   ): Promise<GitOutput> {
     fshelper.directoryExistsSync(this.workingDirectory, true)
 
@@ -409,6 +414,7 @@ class GitCommandManager {
     const options = {
       cwd: this.workingDirectory,
       env,
+      silent,
       ignoreReturnCode: allowAllExitCodes,
       listeners: {
         stdout: (data: Buffer) => {

src/git-directory-helper.ts

@@ -39,7 +39,9 @@ export async function prepareExistingDirectory(
       try {
         await io.rmRF(lockPath)
       } catch (error) {
-        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
+        core.debug(
+          `Unable to delete '${lockPath}'. ${(error as any)?.message ?? error}`
+        )
       }
     }
 

src/git-source-provider.ts

@@ -36,68 +36,94 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   const git = await getGitCommandManager(settings)
   core.endGroup()
 
-  // Prepare existing directory, otherwise recreate
-  if (isExisting) {
-    await gitDirectoryHelper.prepareExistingDirectory(
-      git,
-      settings.repositoryPath,
-      repositoryUrl,
-      settings.clean,
-      settings.ref
-    )
-  }
+  let authHelper: gitAuthHelper.IGitAuthHelper | null = null
+  try {
+    if (git) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+      if (settings.setSafeDirectory) {
+        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+        // Otherwise all git commands we run in a container fail
+        await authHelper.configureTempGlobalConfig()
+        core.info(
+          `Adding repository directory to the temporary git global config as a safe directory`
+        )
 
-  if (!git) {
-    // Downloading using REST API
-    core.info(`The repository will be downloaded using the GitHub REST API`)
-    core.info(
-      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
-    )
-    if (settings.submodules) {
-      throw new Error(
-        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-      )
-    } else if (settings.sshKey) {
-      throw new Error(
-        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        await git
+          .config('safe.directory', settings.repositoryPath, true, true)
+          .catch(error => {
+            core.info(
+              `Failed to initialize safe directory with error: ${error}`
+            )
+          })
+
+        stateHelper.setSafeDirectory()
+      }
+    }
+
+    // Prepare existing directory, otherwise recreate
+    if (isExisting) {
+      await gitDirectoryHelper.prepareExistingDirectory(
+        git,
+        settings.repositoryPath,
+        repositoryUrl,
+        settings.clean,
+        settings.ref
       )
     }
 
-    await githubApiHelper.downloadRepository(
-      settings.authToken,
-      settings.repositoryOwner,
-      settings.repositoryName,
-      settings.ref,
-      settings.commit,
-      settings.repositoryPath
-    )
-    return
-  }
+    if (!git) {
+      // Downloading using REST API
+      core.info(`The repository will be downloaded using the GitHub REST API`)
+      core.info(
+        `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+      )
+      if (settings.submodules) {
+        throw new Error(
+          `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        )
+      } else if (settings.sshKey) {
+        throw new Error(
+          `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        )
+      }
 
-  // Save state for POST action
-  stateHelper.setRepositoryPath(settings.repositoryPath)
+      await githubApiHelper.downloadRepository(
+        settings.authToken,
+        settings.repositoryOwner,
+        settings.repositoryName,
+        settings.ref,
+        settings.commit,
+        settings.repositoryPath
+      )
+      return
+    }
 
-  // Initialize the repository
-  if (
-    !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
-  ) {
-    core.startGroup('Initializing the repository')
-    await git.init()
-    await git.remoteAdd('origin', repositoryUrl)
+    // Save state for POST action
+    stateHelper.setRepositoryPath(settings.repositoryPath)
+
+    // Initialize the repository
+    if (
+      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
+    ) {
+      core.startGroup('Initializing the repository')
+      await git.init()
+      await git.remoteAdd('origin', repositoryUrl)
+      core.endGroup()
+    }
+
+    // Disable automatic garbage collection
+    core.startGroup('Disabling automatic garbage collection')
+    if (!(await git.tryDisableAutomaticGarbageCollection())) {
+      core.warning(
+        `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
+      )
+    }
     core.endGroup()
-  }
 
-  // Disable automatic garbage collection
-  core.startGroup('Disabling automatic garbage collection')
-  if (!(await git.tryDisableAutomaticGarbageCollection())) {
-    core.warning(
-      `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
-    )
-  }
-  core.endGroup()
-
-  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-  try {
+    // If we didn't initialize it above, do it now
+    if (!authHelper) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    }
     // Configure auth
     core.startGroup('Setting up auth')
     await authHelper.configureAuth()
@@ -170,40 +196,35 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
 
     // Submodules
     if (settings.submodules) {
-      try {
-        // Temporarily override global config
-        core.startGroup('Setting up auth for fetching submodules')
-        await authHelper.configureGlobalAuth()
-        core.endGroup()
+      // Temporarily override global config
+      core.startGroup('Setting up auth for fetching submodules')
+      await authHelper.configureGlobalAuth()
+      core.endGroup()
 
-        // Checkout submodules
-        core.startGroup('Fetching submodules')
-        await git.submoduleSync(settings.nestedSubmodules)
-        await git.submoduleUpdate(
-          settings.fetchDepth,
-          settings.nestedSubmodules
-        )
-        await git.submoduleForeach(
-          'git config --local gc.auto 0',
-          settings.nestedSubmodules
-        )
-        core.endGroup()
+      // Checkout submodules
+      core.startGroup('Fetching submodules')
+      await git.submoduleSync(settings.nestedSubmodules)
+      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
+      await git.submoduleForeach(
+        'git config --local gc.auto 0',
+        settings.nestedSubmodules
+      )
+      core.endGroup()
 
-        // Persist credentials
-        if (settings.persistCredentials) {
-          core.startGroup('Persisting credentials for submodules')
-          await authHelper.configureSubmoduleAuth()
-          core.endGroup()
-        }
-      } finally {
-        // Remove temporary global config override
-        await authHelper.removeGlobalAuth()
+      // Persist credentials
+      if (settings.persistCredentials) {
+        core.startGroup('Persisting credentials for submodules')
+        await authHelper.configureSubmoduleAuth()
+        core.endGroup()
       }
     }
 
-    // Dump some info about the checked out commit
+    // Get commit information
     const commitInfo = await git.log1()
 
+    // Log commit sha
+    await git.log1("--format='%H'")
+
     // Check for incorrect pull request merge commit
     await refHelper.checkCommitInfo(
       settings.authToken,
@@ -215,10 +236,13 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     )
   } finally {
     // Remove auth
-    if (!settings.persistCredentials) {
-      core.startGroup('Removing auth')
-      await authHelper.removeAuth()
-      core.endGroup()
+    if (authHelper) {
+      if (!settings.persistCredentials) {
+        core.startGroup('Removing auth')
+        await authHelper.removeAuth()
+        core.endGroup()
+      }
+      authHelper.removeGlobalConfig()
     }
   }
 }
@@ -241,7 +265,26 @@ export async function cleanup(repositoryPath: string): Promise<void> {
 
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
-  await authHelper.removeAuth()
+  try {
+    if (stateHelper.PostSetSafeDirectory) {
+      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+      // Otherwise all git commands we run in a container fail
+      await authHelper.configureTempGlobalConfig()
+      core.info(
+        `Adding repository directory to the temporary git global config as a safe directory`
+      )
+
+      await git
+        .config('safe.directory', repositoryPath, true, true)
+        .catch(error => {
+          core.info(`Failed to initialize safe directory with error: ${error}`)
+        })
+    }
+
+    await authHelper.removeAuth()
+  } finally {
+    await authHelper.removeGlobalConfig()
+  }
 }
 
 async function getGitCommandManager(

src/git-source-settings.ts

@@ -73,4 +73,14 @@ export interface IGitSourceSettings {
    * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
    */
   persistCredentials: boolean
+
+  /**
+   * Organization ID for the currently running workflow (used for auth settings)
+   */
+  workflowOrganizationId: number | undefined
+
+  /**
+   * Indicates whether to add repositoryPath as safe.directory in git global config
+   */
+  setSafeDirectory: boolean
 }

src/github-api-helper.ts

@@ -47,7 +47,7 @@ export async function downloadRepository(
   } else {
     await toolCache.extractTar(archivePath, extractPath)
   }
-  io.rmRF(archivePath)
+  await io.rmRF(archivePath)
 
   // Determine the path of the repository content. The archive contains
   // a top-level folder and the repository content is inside.
@@ -70,7 +70,7 @@ export async function downloadRepository(
       await io.mv(sourcePath, targetPath)
     }
   }
-  io.rmRF(extractPath)
+  await io.rmRF(extractPath)
 }
 
 /**
@@ -92,7 +92,10 @@ export async function getDefaultBranch(
       assert.ok(result, 'default_branch cannot be empty')
     } catch (err) {
       // Handle .wiki repo
-      if (err['status'] === 404 && repo.toUpperCase().endsWith('.WIKI')) {
+      if (
+        (err as any)?.status === 404 &&
+        repo.toUpperCase().endsWith('.WIKI')
+      ) {
         result = 'master'
       }
       // Otherwise error

src/input-helper.ts

@@ -2,9 +2,10 @@ import * as core from '@actions/core'
 import * as fsHelper from './fs-helper'
 import * as github from '@actions/github'
 import * as path from 'path'
+import * as workflowContextHelper from './workflow-context-helper'
 import {IGitSourceSettings} from './git-source-settings'
 
-export function getInputs(): IGitSourceSettings {
+export async function getInputs(): Promise<IGitSourceSettings> {
   const result = ({} as unknown) as IGitSourceSettings
 
   // GitHub workspace
@@ -63,7 +64,7 @@ export function getInputs(): IGitSourceSettings {
       result.commit = github.context.sha
 
       // Some events have an unqualifed ref. For example when a PR is merged (pull_request closed event),
-      // the ref is unqualifed like "master" instead of "refs/heads/master".
+      // the ref is unqualifed like "main" instead of "refs/heads/main".
       if (result.commit && result.ref && !result.ref.startsWith('refs/')) {
         result.ref = `refs/heads/${result.ref}`
       }
@@ -118,5 +119,11 @@ export function getInputs(): IGitSourceSettings {
   result.persistCredentials =
     (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
+  // Workflow organization ID
+  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
+
+  // Set safe.directory in git global config.
+  result.setSafeDirectory =
+    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/main.ts

@@ -7,7 +7,7 @@ import * as stateHelper from './state-helper'
 
 async function run(): Promise<void> {
   try {
-    const sourceSettings = inputHelper.getInputs()
+    const sourceSettings = await inputHelper.getInputs()
 
     try {
       // Register problem matcher
@@ -24,7 +24,7 @@ async function run(): Promise<void> {
       coreCommand.issueCommand('remove-matcher', {owner: 'checkout-git'}, '')
     }
   } catch (error) {
-    core.setFailed(error.message)
+    core.setFailed(`${(error as any)?.message ?? error}`)
   }
 }
 
@@ -32,7 +32,7 @@ async function cleanup(): Promise<void> {
   try {
     await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
   } catch (error) {
-    core.warning(error.message)
+    core.warning(`${(error as any)?.message ?? error}`)
   }
 }
 

src/misc/generate-docs.ts

@@ -10,10 +10,10 @@ import * as yaml from 'js-yaml'
 
 function updateUsage(
   actionReference: string,
-  actionYamlPath: string = 'action.yml',
-  readmePath: string = 'README.md',
-  startToken: string = '<!-- start usage -->',
-  endToken: string = '<!-- end usage -->'
+  actionYamlPath = 'action.yml',
+  readmePath = 'README.md',
+  startToken = '<!-- start usage -->',
+  endToken = '<!-- end usage -->'
 ): void {
   if (!actionReference) {
     throw new Error('Parameter actionReference must not be empty')
@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2',
+  'actions/checkout@v3',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/misc/licensed-check.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+src/misc/licensed-download.sh
+
+echo 'Running: licensed cached'
+_temp/licensed-3.6.0/licensed status

src/misc/licensed-download.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -e
+
+if [ ! -f _temp/licensed-3.6.0.done ]; then
+  echo 'Clearing temp'
+  rm -rf _temp/licensed-3.6.0 || true
+
+  echo 'Downloading licensed'
+  mkdir -p _temp/licensed-3.6.0
+  pushd _temp/licensed-3.6.0
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
+  else
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
+  fi
+
+  echo 'Extracting licenesed'
+  tar -xzf licensed.tar.gz
+  popd
+  touch _temp/licensed-3.6.0.done
+else
+  echo 'Licensed already downloaded'
+fi

src/misc/licensed-generate.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+src/misc/licensed-download.sh
+
+echo 'Running: licensed cached'
+_temp/licensed-3.6.0/licensed cache

src/ref-helper.ts

@@ -253,7 +253,9 @@ export async function checkCommitInfo(
       await octokit.repos.get({owner: repositoryOwner, repo: repositoryName})
     }
   } catch (err) {
-    core.debug(`Error when validating commit info: ${err.stack}`)
+    core.debug(
+      `Error when validating commit info: ${(err as any)?.stack ?? err}`
+    )
   }
 }
 

src/retry-helper.ts

@@ -29,7 +29,7 @@ export class RetryHelper {
       try {
         return await action()
       } catch (err) {
-        core.info(err.message)
+        core.info((err as any)?.message)
       }
 
       // Sleep

src/state-helper.ts

@@ -11,6 +11,12 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
   (process.env['STATE_repositoryPath'] as string) || ''
 
+/**
+ * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
+ */
+export const PostSetSafeDirectory =
+  (process.env['STATE_setSafeDirectory'] as string) === 'true'
+
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
@@ -51,6 +57,13 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
   )
 }
 
+/**
+ * Save the sef-safe-directory input so the POST action can retrieve the value.
+ */
+export function setSafeDirectory() {
+  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
+}
+
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {

src/workflow-context-helper.ts

@@ -0,0 +1,30 @@
+import * as core from '@actions/core'
+import * as fs from 'fs'
+
+/**
+ * Gets the organization ID of the running workflow or undefined if the value cannot be loaded from the GITHUB_EVENT_PATH
+ */
+export async function getOrganizationId(): Promise<number | undefined> {
+  try {
+    const eventPath = process.env.GITHUB_EVENT_PATH
+    if (!eventPath) {
+      core.debug(`GITHUB_EVENT_PATH is not defined`)
+      return
+    }
+
+    const content = await fs.promises.readFile(eventPath, {encoding: 'utf8'})
+    const event = JSON.parse(content)
+    const id = event?.repository?.owner?.id
+    if (typeof id !== 'number') {
+      core.debug('Repository owner ID not found within GITHUB event info')
+      return
+    }
+
+    return id as number
+  } catch (err) {
+    core.debug(
+      `Unable to load organization ID from GITHUB_EVENT_PATH: ${(err as any)
+        .message || err}`
+    )
+  }
+}

tsconfig.json

@@ -10,7 +10,8 @@
     "declaration": true,
     "strict": true,
     "noImplicitAny": false,
-    "esModuleInterop": true
+    "esModuleInterop": true,
+    "skipLibCheck": true
   },
   "exclude": ["__test__", "lib", "node_modules"]
 }