.

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout
       - name: Checkout basic
@@ -87,17 +87,6 @@ jobs:
       - name: Verify fetch filter
         run: __test__/verify-fetch-filter.sh
 
-      # Fetch tags
-      - name: Checkout with fetch-tags
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: fetch-tags-test
-          fetch-tags: true
-      - name: Verify fetch-tags
-        shell: bash
-        run: __test__/verify-fetch-tags.sh
-
       # Sparse checkout
       - name: Sparse checkout
         uses: ./
@@ -176,22 +165,6 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -229,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -261,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -291,7 +264,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -318,17 +291,17 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
+      - name: Fix Checkout v4
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
   test-output:
     runs-on: ubuntu-latest
     steps:
-      # Clone this repo
+      # Download the action at the current ref
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: actions-checkout
 

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,25 +1,10 @@
 # Changelog
 
-## v6.0.2
+## V5.0.0
-* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
-
-## v6.0.1
-* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
-
-## v6.0.0
-* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
-* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
-
-## v5.0.1
-* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
-
-## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## v4.3.1
-* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -1,14 +1,6 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout v6
+# Checkout V5
-
-## What's new
-
-- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
-- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
-
-# Checkout v5
 
 ## What's new
 
@@ -16,7 +8,7 @@
   - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
 
 
-# Checkout v4
+# Checkout V4
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -52,7 +44,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -191,7 +183,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: .
 ```
@@ -199,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       .github
@@ -209,7 +201,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       README.md
@@ -219,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 0
 ```
@@ -227,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: my-branch
 ```
@@ -235,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +237,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -261,10 +253,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -275,12 +267,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +285,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +301,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 
 ## Push a commit using the built-in token
@@ -320,7 +312,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
@@ -342,7 +334,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       - run: |

__test__/git-auth-helper.test.ts

@@ -706,7 +706,7 @@ describe('git-auth-helper tests', () => {
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
 
-    // Verify includeIf entries exist in local config
+    // Sanity check - verify includeIf entries exist in local config
     let localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
@@ -714,192 +714,26 @@ describe('git-auth-helper tests', () => {
       localConfigContent.indexOf('includeIf.gitdir:')
     ).toBeGreaterThanOrEqual(0)
 
-    // Verify both host and container includeIf entries are present
+    // Sanity check - verify credentials file exists
-    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify credentials file exists
     let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify credentials file contains the auth token
-    let credentialsContent = (
-      await fs.promises.readFile(credentialsFilePath)
-    ).toString()
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    expect(
-      credentialsContent.indexOf(
-        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
-      )
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify the includeIf entries point to the credentials file
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      localConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
 
     // Act
     await authHelper.removeAuth()
 
-    // Assert all includeIf entries removed from local git config
+    // Assert includeIf entries removed from local git config
     localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
     expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeLessThan(0)
-    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
 
     // Assert credentials config file deleted
     credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
-  })
-
-  const removeAuth_removesTokenFromSubmodules =
-    'removeAuth removes token from submodules'
-  it(removeAuth_removesTokenFromSubmodules, async () => {
-    // Arrange
-    await setup(removeAuth_removesTokenFromSubmodules)
-
-    // Create fake submodule config paths
-    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
-    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
-    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
-    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
-
-    await fs.promises.mkdir(submodule1Dir, {recursive: true})
-    await fs.promises.mkdir(submodule2Dir, {recursive: true})
-    await fs.promises.writeFile(submodule1ConfigPath, '')
-    await fs.promises.writeFile(submodule2ConfigPath, '')
-
-    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
-    const mockGetSubmoduleConfigPaths =
-      git.getSubmoduleConfigPaths as jest.Mock<any, any>
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-    await authHelper.configureSubmoduleAuth()
-
-    // Verify credentials file exists
-    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify submodule 1 config has includeIf entries
-    let submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-    expect(
-      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule1Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify submodule 2 config has includeIf entries
-    let submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
-    expect(
-      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify both host and container paths are in each submodule config
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      submodule1Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Act - ensure mock persists for removeAuth
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-    await authHelper.removeAuth()
-
-    // Assert submodule 1 includeIf entries removed
-    submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert submodule 2 includeIf entries removed
-    submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert credentials config file deleted
-    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
   })
 
   const removeGlobalConfig_removesOverride =
@@ -935,85 +769,21 @@ describe('git-auth-helper tests', () => {
     // Arrange
     await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-
+    
     // Get a real credentials config path
-    const credentialsConfigPath = await (
+    const credentialsConfigPath = await (authHelper as any).getCredentialsConfigPath()
-      authHelper as any
+    
-    ).getCredentialsConfigPath()
-
     // Act & Assert
-    expect(
+    expect((authHelper as any).testCredentialsConfigPath(credentialsConfigPath)).toBe(true)
-      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
+    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config')).toBe(true)
-    ).toBe(true)
+    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config')).toBe(true)
-    expect(
+    
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
-      )
-    ).toBe(true)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
-      )
-    ).toBe(true)
-
     // Test invalid paths
-    expect(
+    expect((authHelper as any).testCredentialsConfigPath('/some/path/other-config.config')).toBe(false)
-      (authHelper as any).testCredentialsConfigPath(
+    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-invalid.config')).toBe(false)
-        '/some/path/other-config.config'
+    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-.config')).toBe(false)
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-invalid.config'
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-.config'
-      )
-    ).toBe(false)
     expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
   })
-
-  const includeIfCleanupRegex_matchesBothVariants =
-    'includeIf cleanup regex matches both gitdir: and gitdir/i: keys'
-  it(includeIfCleanupRegex_matchesBothVariants, async () => {
-    // The cleanup regex must match both variants so credential
-    // removal works regardless of which was written
-    const regex = /^includeIf\.gitdir(\/i)?:/
-    expect(regex.test('includeIf.gitdir:D:/workspaces/repo/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir/i:D:/Workspaces/repo/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir/i:/github/workspace/.git.path')).toBe(
-      true
-    )
-    expect(regex.test('includeIf.gitdir:~/projects/foo/.git.path')).toBe(true)
-    expect(regex.test('includeIf.onbranch:main.path')).toBe(false)
-    expect(regex.test('include.path')).toBe(false)
-  })
-
-  const includeIfDirective_usesCorrectVariantForPlatform =
-    'includeIf directive uses gitdir/i on Windows and gitdir on other platforms'
-  it(includeIfDirective_usesCorrectVariantForPlatform, async () => {
-    await setup(includeIfDirective_usesCorrectVariantForPlatform)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-
-    const localConfigContent = (
-      await fs.promises.readFile(localGitConfigPath)
-    ).toString()
-
-    if (isWindows) {
-      expect(localConfigContent).toContain('includeIf.gitdir/i:')
-      expect(localConfigContent).not.toContain('includeIf.gitdir:')
-    } else {
-      expect(localConfigContent).toContain('includeIf.gitdir:')
-      expect(localConfigContent).not.toContain('includeIf.gitdir/i:')
-    }
-  })
 })
 
 async function setup(testName: string): Promise<void> {
@@ -1120,41 +890,28 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryConfigUnsetValue: jest.fn(
-      async (
+      async (key: string, value: string, globalConfig?: boolean): Promise<boolean> => {
-        key: string,
+        const configPath = globalConfig
-        value: string,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        globalConfig?: boolean,
+          : localGitConfigPath
-        configPath?: string
+        let content = await fs.promises.readFile(configPath)
-      ): Promise<boolean> => {
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        let content = await fs.promises.readFile(targetConfigPath)
         let lines = content
           .toString()
           .split('\n')
           .filter(x => x)
           .filter(x => !(x.startsWith(key) && x.includes(value)))
-        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
+        await fs.promises.writeFile(configPath, lines.join('\n'))
         return true
       }
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
     tryGetConfigValues: jest.fn(
-      async (
+      async (key: string, globalConfig?: boolean): Promise<string[]> => {
-        key: string,
+        const configPath = globalConfig
-        globalConfig?: boolean,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        configPath?: string
+          : localGitConfigPath
-      ): Promise<string[]> => {
+        const content = await fs.promises.readFile(configPath)
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')
@@ -1164,17 +921,11 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryGetConfigKeys: jest.fn(
-      async (
+      async (pattern: string, globalConfig?: boolean): Promise<string[]> => {
-        pattern: string,
+        const configPath = globalConfig
-        globalConfig?: boolean,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        configPath?: string
+          : localGitConfigPath
-      ): Promise<string[]> => {
+        const content = await fs.promises.readFile(configPath)
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')

__test__/git-command-manager.test.ts

@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
     jest.restoreAllMocks()
   })
 
-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
     jest.spyOn(exec, 'exec').mockImplementation(mockExec)
     const workingDirectory = 'test'
     const lfs = false
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
     const refSpec = ['refspec1', 'refspec2']
     const options = {
       filter: 'filterValue',
-      fetchDepth: 0
+      fetchDepth: 0,
+      fetchTags: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    expect(mockExec).toHaveBeenCalledWith(
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--prune',
+        '--no-recurse-submodules',
+        '--filter=filterValue',
+        'origin',
+        'refspec1',
+        'refspec2'
+      ],
+      expect.any(Object)
+    )
+  })
+
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+    const refSpec = ['refspec1', 'refspec2']
+    const options = {
+      filter: 'filterValue',
+      fetchDepth: 0,
+      fetchTags: false
     }
 
     await git.fetch(refSpec, options)
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
     )
   })
 
-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 0
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
     jest.spyOn(exec, 'exec').mockImplementation(mockExec)
 
     const workingDirectory = 'test'
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
     const refSpec = ['refspec1', 'refspec2']
     const options = {
       filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: false
     }
 
     await git.fetch(refSpec, options)
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
     )
   })
 
-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
     jest.spyOn(exec, 'exec').mockImplementation(mockExec)
 
     const workingDirectory = 'test'
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
       lfs,
       doSparseCheckout
     )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
     const options = {
       filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: true
     }
 
     await git.fetch(refSpec, options)
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
         '-c',
         'protocol.version=2',
         'fetch',
-        '--no-tags',
         '--prune',
         '--no-recurse-submodules',
         '--filter=filterValue',
         '--depth=1',
         'origin',
         'refspec1',
-        'refspec2',
+        'refspec2'
-        '+refs/tags/*:refs/tags/*'
       ],
       expect.any(Object)
     )
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
     )
   })
 
-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
     jest.spyOn(exec, 'exec').mockImplementation(mockExec)
 
     const workingDirectory = 'test'
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
       lfs,
       doSparseCheckout
     )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
     const options = {
       filter: 'filterValue',
+      fetchTags: true,
       showProgress: true
     }
 
@@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
         '-c',
         'protocol.version=2',
         'fetch',
-        '--no-tags',
         '--prune',
         '--no-recurse-submodules',
         '--progress',
         '--filter=filterValue',
         'origin',
         'refspec1',
-        'refspec2',
+        'refspec2'
-        '+refs/tags/*:refs/tags/*'
       ],
       expect.any(Object)
     )
   })
 })
-
-describe('git user-agent with orchestration ID', () => {
-  beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
-  })
-
-  afterEach(() => {
-    jest.restoreAllMocks()
-    // Clean up environment variable to prevent test pollution
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-  })
-
-  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
-    const orchId = 'test-orch-id-12345'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent includes the orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
-    )
-  })
-
-  it('should sanitize invalid characters in orchestration ID', async () => {
-    const orchId = 'test (with) special/chars'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
-    )
-  })
-
-  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent does NOT contain orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout)'
-    )
-  })
-})

__test__/input-helper.test.ts

@@ -133,16 +133,6 @@ describe('input-helper tests', () => {
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets ref to empty when explicit sha-256', async () => {
-    inputs.ref =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const settings: IGitSourceSettings = await inputHelper.getInputs()
-    expect(settings.ref).toBeFalsy()
-    expect(settings.commit).toBe(
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    )
-  })
-
   it('sets sha to empty when explicit ref', async () => {
     inputs.ref = 'refs/heads/some-other-ref'
     const settings: IGitSourceSettings = await inputHelper.getInputs()

__test__/ref-helper.test.ts

@@ -1,12 +1,8 @@
 import * as assert from 'assert'
-import * as core from '@actions/core'
-import * as github from '@actions/github'
 import * as refHelper from '../lib/ref-helper'
 import {IGitCommandManager} from '../lib/git-command-manager'
 
 const commit = '1234567890123456789012345678901234567890'
-const sha256Commit =
-  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager
 
 describe('ref-helper tests', () => {
@@ -41,12 +37,6 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
-  it('getCheckoutInfo sha-256 only', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
-    expect(checkoutInfo.ref).toBe(sha256Commit)
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
   it('getCheckoutInfo refs/heads/', async () => {
     const checkoutInfo = await refHelper.getCheckoutInfo(
       git,
@@ -162,22 +152,7 @@ describe('ref-helper tests', () => {
   it('getRefSpec sha + refs/tags/', async () => {
     const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
     expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
-  })
-
-  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
   })
 
   it('getRefSpec sha only', async () => {
@@ -193,14 +168,6 @@ describe('ref-helper tests', () => {
     expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
   })
 
-  it('getRefSpec unqualified ref only with fetchTags', async () => {
-    // When fetchTags is true, skip specific tag pattern since wildcard covers all
-    const refSpec = refHelper.getRefSpec('my-ref', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
-  })
-
   it('getRefSpec refs/heads/ only', async () => {
     const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
     expect(refSpec.length).toBe(1)
@@ -220,159 +187,4 @@ describe('ref-helper tests', () => {
     expect(refSpec.length).toBe(1)
     expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
   })
-
-  it('getRefSpec refs/tags/ only with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec refs/heads/ only with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(
-      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
-    )
-  })
-
-  describe('checkCommitInfo', () => {
-    const repositoryOwner = 'some-owner'
-    const repositoryName = 'some-repo'
-    const ref = 'refs/pull/123/merge'
-    const sha1Head = '1111111111222222222233333333334444444444'
-    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
-    const sha256Head =
-      '1111111111222222222233333333334444444444555555555566666666667777'
-    const sha256Base =
-      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
-    let debugSpy: jest.SpyInstance
-    let getOctokitSpy: jest.SpyInstance
-    let repoGetSpy: jest.Mock
-    let originalEventName: string
-    let originalPayload: unknown
-    let originalRef: string
-    let originalSha: string
-
-    function setPullRequestContext(
-      expectedHeadSha: string,
-      expectedBaseSha: string,
-      mergeCommit: string
-    ): void {
-      ;(github.context as any).eventName = 'pull_request'
-      github.context.ref = ref
-      github.context.sha = mergeCommit
-      ;(github.context as any).payload = {
-        action: 'synchronize',
-        after: expectedHeadSha,
-        number: 123,
-        pull_request: {
-          base: {
-            sha: expectedBaseSha
-          }
-        },
-        repository: {
-          private: false
-        }
-      }
-    }
-
-    beforeEach(() => {
-      originalEventName = github.context.eventName
-      originalPayload = github.context.payload
-      originalRef = github.context.ref
-      originalSha = github.context.sha
-
-      jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
-        owner: repositoryOwner,
-        repo: repositoryName
-      })
-      debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
-      repoGetSpy = jest.fn(async () => ({}))
-      getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
-        rest: {
-          repos: {
-            get: repoGetSpy
-          }
-        }
-      } as any)
-    })
-
-    afterEach(() => {
-      ;(github.context as any).eventName = originalEventName
-      ;(github.context as any).payload = originalPayload
-      github.context.ref = originalRef
-      github.context.sha = originalSha
-      jest.restoreAllMocks()
-    })
-
-    it('returns early for SHA-1 merge commit', async () => {
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${sha1Head} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(getOctokitSpy).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-    })
-
-    it('matches SHA-256 merge commit info', async () => {
-      const actualHeadSha =
-        '9999999999888888888877777777776666666666555555555544444444443333'
-      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${actualHeadSha} into ${sha256Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        sha256Commit
-      )
-
-      expect(getOctokitSpy).toHaveBeenCalledWith(
-        'token',
-        expect.objectContaining({
-          userAgent: expect.stringContaining(
-            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
-          )
-        })
-      )
-      expect(repoGetSpy).toHaveBeenCalledWith({
-        owner: repositoryOwner,
-        repo: repositoryName
-      })
-      expect(debugSpy).toHaveBeenCalledWith(
-        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
-      )
-      expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
-    })
-
-    it('does not match 50-char hex as a valid merge', async () => {
-      const invalidHeadSha =
-        '99999999998888888888777777777766666666665555555555'
-      setPullRequestContext(sha1Head, sha1Base, commit)
-
-      await refHelper.checkCommitInfo(
-        'token',
-        `Merge ${invalidHeadSha} into ${sha1Base}`,
-        repositoryOwner,
-        repositoryName,
-        ref,
-        commit
-      )
-
-      expect(getOctokitSpy).not.toHaveBeenCalled()
-      expect(repoGetSpy).not.toHaveBeenCalled()
-      expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
-    })
-  })
 })

__test__/verify-fetch-tags.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-# Verify tags were fetched
-TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
-if [ "$TAG_COUNT" -eq 0 ]; then
-    echo "Expected tags to be fetched, but found none"
-    exit 1
-fi
-echo "Found $TAG_COUNT tags"

__test__/verify-submodules-recursive.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-submodules-true.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-worktree.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-# Verify worktree credentials
-# This test verifies that git credentials work in worktrees created after checkout
-# Usage: verify-worktree.sh <checkout-path> <worktree-name>
-
-CHECKOUT_PATH="$1"
-WORKTREE_NAME="$2"
-
-if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
-  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
-  exit 1
-fi
-
-cd "$CHECKOUT_PATH"
-
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
-# Show the includeIf configuration
-echo "Git config includeIf entries:"
-git config --list --show-origin | grep -i include || true
-
-# Create the worktree
-echo "Creating worktree..."
-git worktree add "../$WORKTREE_NAME" HEAD --detach
-
-# Change to worktree directory
-cd "../$WORKTREE_NAME"
-
-# Verify we're in a worktree
-echo "Verifying worktree gitdir:"
-cat .git
-
-# Verify credentials are available in worktree by checking extraheader is configured
-echo "Checking credentials in worktree..."
-if git config --list --show-origin | grep -q "extraheader"; then
-  echo "Credentials are configured in worktree"
-else
-  echo "ERROR: Credentials are NOT configured in worktree"
-  echo "Full git config:"
-  git config --list --show-origin
-  exit 1
-fi
-
-# Verify fetch works in the worktree
-echo "Fetching in worktree..."
-git fetch origin
-
-echo "Worktree credentials test passed!"

dist/index.js

@@ -151,12 +151,6 @@ const stateHelper = __importStar(__nccwpck_require__(4866));
 const urlHelper = __importStar(__nccwpck_require__(9437));
 const uuid_1 = __nccwpck_require__(5840);
 const IS_WINDOWS = process.platform === 'win32';
-// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
-// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
-// See: https://github.com/actions/checkout/issues/2345
-const INCLUDE_IF_GITDIR = IS_WINDOWS
-    ? 'includeIf.gitdir/i:'
-    : 'includeIf.gitdir:';
 const SSH_COMMAND_KEY = 'core.sshCommand';
 function createAuthHelper(git, settings) {
     return new GitAuthHelper(git, settings);
@@ -244,9 +238,7 @@ class GitAuthHelper {
                 yield this.git.tryConfigUnset(this.insteadOfKey, true);
                 if (!this.settings.sshKey) {
                     for (const insteadOfValue of this.insteadOfValues) {
-                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
+                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
-                        true // add?
-                        );
                     }
                 }
             }
@@ -263,10 +255,17 @@ class GitAuthHelper {
             // Remove possible previous HTTPS instead of SSH
             yield this.removeSubmoduleGitConfig(this.insteadOfKey);
             if (this.settings.persistCredentials) {
-                // Get the credentials config file path in RUNNER_TEMP
+                // Credentials config path
-                const credentialsConfigPath = this.getCredentialsConfigPath();
+                const credentialsConfigPath = yield this.getCredentialsConfigPath();
                 // Container credentials config path
                 const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                // Container repo path
+                const workingDirectory = this.git.getWorkingDirectory();
+                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
+                relativePath = relativePath.replace(/\\/g, '/');
+                const containerRepoPath = path.posix.join('/github/workspace', relativePath);
                 // Get submodule config file paths.
                 const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
                 // For each submodule, configure includeIf entries pointing to the shared credentials file.
@@ -276,19 +275,12 @@ class GitAuthHelper {
                     let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
                     submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     // Configure host includeIf
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, false, configPath);
-                    false, // add?
+                    // Configure container includeIf
-                    configPath);
-                    // Container submodule git directory
-                    const githubWorkspace = process.env['GITHUB_WORKSPACE'];
-                    assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
                     let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
                     relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
-                    // Configure container includeIf
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath);
-                    yield this.git.config(`${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
-                    false, // add?
-                    configPath);
                 }
                 if (this.settings.sshKey) {
                     // Configure core.sshCommand
@@ -387,14 +379,12 @@ class GitAuthHelper {
     configureToken(globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
             // Get the credentials config file path in RUNNER_TEMP
-            const credentialsConfigPath = this.getCredentialsConfigPath();
+            const credentialsConfigPath = yield this.getCredentialsConfigPath();
             // Write placeholder to the separate credentials config file using git config.
             // This approach avoids the credential being captured by process creation audit events,
             // which are commonly logged. For more information, refer to
             // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
+            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, false, credentialsConfigPath);
-            false, // add?
-            credentialsConfigPath);
             // Replace the placeholder in the credentials config file
             let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
             const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
@@ -408,34 +398,27 @@ class GitAuthHelper {
             // Add include or includeIf to reference the credentials config
             if (globalConfig) {
                 // Global config file is temporary
-                yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
+                yield this.git.config('include.path', credentialsConfigPath, true);
-                );
             }
             else {
                 // Host git directory
                 let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
                 gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                 // Configure host includeIf
-                const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`;
+                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
-                // Configure host includeIf for worktrees
-                const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`;
-                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
-                const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
                 assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                const workingDirectory = this.git.getWorkingDirectory();
                 let relativePath = path.relative(githubWorkspace, workingDirectory);
                 relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                 const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
                 // Container credentials config path
                 const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
                 // Configure container includeIf
-                const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`;
+                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                // Configure container includeIf for worktrees
-                const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`;
-                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
@@ -444,16 +427,18 @@ class GitAuthHelper {
      * @returns The absolute path to the credentials config file
      */
     getCredentialsConfigPath() {
-        if (this.credentialsConfigPath) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.credentialsConfigPath) {
+                return this.credentialsConfigPath;
+            }
+            const runnerTemp = process.env['RUNNER_TEMP'] || '';
+            assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+            // Create a unique filename for this checkout instance
+            const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
+            this.credentialsConfigPath = path.join(runnerTemp, configFileName);
+            core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
             return this.credentialsConfigPath;
-        }
+        });
-        const runnerTemp = process.env['RUNNER_TEMP'] || '';
-        assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
-        // Create a unique filename for this checkout instance
-        const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
-        this.credentialsConfigPath = path.join(runnerTemp, configFileName);
-        core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
-        return this.credentialsConfigPath;
     }
     /**
      * Removes SSH authentication configuration by cleaning up SSH keys,
@@ -487,7 +472,7 @@ class GitAuthHelper {
                 }
             }
             // SSH command
-            core.info('Removing SSH command configuration');
+            core.info("Removing SSH command configuration");
             yield this.removeGitConfig(SSH_COMMAND_KEY);
             yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
         });
@@ -500,13 +485,13 @@ class GitAuthHelper {
         return __awaiter(this, void 0, void 0, function* () {
             var _a;
             // Remove HTTP extra header
-            core.info('Removing HTTP extra header');
+            core.info("Removing HTTP extra header");
             yield this.removeGitConfig(this.tokenConfigKey);
             yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
             // Collect credentials config paths that need to be removed
             const credentialsPaths = new Set();
             // Remove includeIf entries that point to git-credentials-*.config files
-            core.info('Removing includeIf entries pointing to credentials config files');
+            core.info("Removing includeIf entries pointing to credentials config files");
             const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
             mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
             // Remove submodule includeIf entries that point to git-credentials-*.config files
@@ -571,12 +556,10 @@ class GitAuthHelper {
             const credentialsPaths = new Set();
             try {
                 // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir(/i)?:', false, // globalConfig?
+                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, configPath);
-                configPath);
                 for (const key of keys) {
                     // Get all values for this key
-                    const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
+                    const values = yield this.git.tryGetConfigValues(key, false, configPath);
-                    configPath);
                     if (values.length > 0) {
                         // Remove only values that match git-credentials-<uuid>.config pattern
                         for (const value of values) {
@@ -659,6 +642,7 @@ const fs = __importStar(__nccwpck_require__(7147));
 const fshelper = __importStar(__nccwpck_require__(7219));
 const io = __importStar(__nccwpck_require__(7436));
 const path = __importStar(__nccwpck_require__(1017));
+const refHelper = __importStar(__nccwpck_require__(8601));
 const regexpHelper = __importStar(__nccwpck_require__(3120));
 const retryHelper = __importStar(__nccwpck_require__(2155));
 const git_version_1 = __nccwpck_require__(3142);
@@ -836,9 +820,9 @@ class GitCommandManager {
     fetch(refSpec, options) {
         return __awaiter(this, void 0, void 0, function* () {
             const args = ['-c', 'protocol.version=2', 'fetch'];
-            // Always use --no-tags for explicit control over tag fetching
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-            // Tags are fetched explicitly via refspec when needed
+                args.push('--no-tags');
-            args.push('--no-tags');
+            }
             args.push('--prune', '--no-recurse-submodules');
             if (options.showProgress) {
                 args.push('--progress');
@@ -1076,10 +1060,7 @@ class GitCommandManager {
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout
+            return output.stdout.trim().split('\n').filter(value => value.trim());
-                .trim()
-                .split('\n')
-                .filter(value => value.trim());
         });
     }
     tryGetConfigKeys(pattern, globalConfig, configFile) {
@@ -1096,10 +1077,7 @@ class GitCommandManager {
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout
+            return output.stdout.trim().split('\n').filter(key => key.trim());
-                .trim()
-                .split('\n')
-                .filter(key => key.trim());
         });
     }
     tryReset() {
@@ -1211,17 +1189,7 @@ class GitCommandManager {
                 }
             }
             // Set the user agent
-            let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
+            const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
-            // Append orchestration ID if set
-            const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
-            if (orchId) {
-                // Sanitize the orchestration ID to ensure it contains only valid characters
-                // Valid characters: 0-9, a-z, _, -, .
-                const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
-                if (sanitizedId) {
-                    gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
-                }
-            }
             core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
             this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
         });
@@ -1544,26 +1512,13 @@ function getSource(settings) {
                 if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                     refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                     yield git.fetch(refSpec, fetchOptions);
-                    // Verify the ref now matches. For branches, the targeted fetch above brings
-                    // in the specific commit. For tags (fetched by ref), this will fail if
-                    // the tag was moved after the workflow was triggered.
-                    if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                        throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                            `The ref may have been updated after the workflow was triggered.`);
-                    }
                 }
             }
             else {
                 fetchOptions.fetchDepth = settings.fetchDepth;
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
+                fetchOptions.fetchTags = settings.fetchTags;
+                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                 yield git.fetch(refSpec, fetchOptions);
-                // For tags, verify the ref still points to the expected commit.
-                // Tags are fetched by ref (not commit), so if a tag was moved after the
-                // workflow was triggered, we would silently check out the wrong commit.
-                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                    throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                        `The ref may have been updated after the workflow was triggered.`);
-                }
             }
             core.endGroup();
             // Checkout info
@@ -2027,7 +1982,7 @@ function getInputs() {
             }
         }
         // SHA?
-        else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+        else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
             result.commit = result.ref;
             result.ref = '';
         }
@@ -2302,67 +2257,53 @@ function getRefSpecForAllHistory(ref, commit) {
     }
     return result;
 }
-function getRefSpec(ref, commit, fetchTags) {
+function getRefSpec(ref, commit) {
     if (!ref && !commit) {
         throw new Error('Args ref and commit cannot both be empty');
     }
     const upperRef = (ref || '').toUpperCase();
-    const result = [];
-    // When fetchTags is true, always include the tags refspec
-    if (fetchTags) {
-        result.push(exports.tagsRefSpec);
-    }
     // SHA
     if (commit) {
         // refs/heads
         if (upperRef.startsWith('REFS/HEADS/')) {
             const branch = ref.substring('refs/heads/'.length);
-            result.push(`+${commit}:refs/remotes/origin/${branch}`);
+            return [`+${commit}:refs/remotes/origin/${branch}`];
         }
         // refs/pull/
         else if (upperRef.startsWith('REFS/PULL/')) {
             const branch = ref.substring('refs/pull/'.length);
-            result.push(`+${commit}:refs/remotes/pull/${branch}`);
+            return [`+${commit}:refs/remotes/pull/${branch}`];
         }
         // refs/tags/
         else if (upperRef.startsWith('REFS/TAGS/')) {
-            if (!fetchTags) {
+            return [`+${commit}:${ref}`];
-                result.push(`+${ref}:${ref}`);
-            }
         }
         // Otherwise no destination ref
         else {
-            result.push(commit);
+            return [commit];
         }
     }
     // Unqualified ref, check for a matching branch or tag
     else if (!upperRef.startsWith('REFS/')) {
-        result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
+        return [
-        if (!fetchTags) {
+            `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-            result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
+            `+refs/tags/${ref}*:refs/tags/${ref}*`
-        }
+        ];
     }
     // refs/heads/
     else if (upperRef.startsWith('REFS/HEADS/')) {
         const branch = ref.substring('refs/heads/'.length);
-        result.push(`+${ref}:refs/remotes/origin/${branch}`);
+        return [`+${ref}:refs/remotes/origin/${branch}`];
     }
     // refs/pull/
     else if (upperRef.startsWith('REFS/PULL/')) {
         const branch = ref.substring('refs/pull/'.length);
-        result.push(`+${ref}:refs/remotes/pull/${branch}`);
+        return [`+${ref}:refs/remotes/pull/${branch}`];
     }
     // refs/tags/
-    else if (upperRef.startsWith('REFS/TAGS/')) {
-        if (!fetchTags) {
-            result.push(`+${ref}:${ref}`);
-        }
-    }
-    // Other refs
     else {
-        result.push(`+${ref}:${ref}`);
+        return [`+${ref}:${ref}`];
     }
-    return result;
 }
 /**
  * Tests whether the initial fetch created the ref at the expected commit
@@ -2398,9 +2339,7 @@ function testRef(git, ref, commit) {
         // refs/tags/
         else if (upperRef.startsWith('REFS/TAGS/')) {
             const tagName = ref.substring('refs/tags/'.length);
-            // Use ^{commit} to dereference annotated tags to their underlying commit
+            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
-            return ((yield git.tagExists(tagName)) &&
-                commit === (yield git.revParse(`${ref}^{commit}`)));
         }
         // Unexpected
         else {
@@ -2450,7 +2389,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
                 return;
             }
             // Extract details from message
-            const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
             if (!match) {
                 core.debug('Unexpected message format');
                 return;

src/git-auth-helper.ts

@@ -13,12 +13,6 @@ import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 
 const IS_WINDOWS = process.platform === 'win32'
-// Use case-insensitive gitdir matching on Windows to handle path casing mismatches
-// between the runner's GITHUB_WORKSPACE and the actual filesystem casing.
-// See: https://github.com/actions/checkout/issues/2345
-const INCLUDE_IF_GITDIR = IS_WINDOWS
-  ? 'includeIf.gitdir/i:'
-  : 'includeIf.gitdir:'
 const SSH_COMMAND_KEY = 'core.sshCommand'
 
 export interface IGitAuthHelper {
@@ -142,12 +136,7 @@ class GitAuthHelper {
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
         for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(
+          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
-            this.insteadOfKey,
-            insteadOfValue,
-            true, // globalConfig?
-            true // add?
-          )
         }
       }
     } catch (err) {
@@ -165,8 +154,8 @@ class GitAuthHelper {
     await this.removeSubmoduleGitConfig(this.insteadOfKey)
 
     if (this.settings.persistCredentials) {
-      // Get the credentials config file path in RUNNER_TEMP
+      // Credentials config path
-      const credentialsConfigPath = this.getCredentialsConfigPath()
+      const credentialsConfigPath = await this.getCredentialsConfigPath()
 
       // Container credentials config path
       const containerCredentialsPath = path.posix.join(
@@ -174,6 +163,17 @@ class GitAuthHelper {
         path.basename(credentialsConfigPath)
       )
 
+      // Container repo path
+      const workingDirectory = this.git.getWorkingDirectory()
+      const githubWorkspace = process.env['GITHUB_WORKSPACE']
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      let relativePath = path.relative(githubWorkspace, workingDirectory)
+      relativePath = relativePath.replace(/\\/g, '/')
+      const containerRepoPath = path.posix.join(
+        '/github/workspace',
+        relativePath
+      )
+
       // Get submodule config file paths.
       const configPaths = await this.git.getSubmoduleConfigPaths(
         this.settings.nestedSubmodules
@@ -188,16 +188,14 @@ class GitAuthHelper {
 
         // Configure host includeIf
         await this.git.config(
-          `${INCLUDE_IF_GITDIR}${submoduleGitDir}.path`,
+          `includeIf.gitdir:${submoduleGitDir}.path`,
           credentialsConfigPath,
-          false, // globalConfig?
+          false,
-          false, // add?
+          false,
           configPath
         )
 
-        // Container submodule git directory
+        // Configure container includeIf
-        const githubWorkspace = process.env['GITHUB_WORKSPACE']
-        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
         let relativeSubmoduleGitDir = path.relative(
           githubWorkspace,
           submoduleGitDir
@@ -207,13 +205,11 @@ class GitAuthHelper {
           '/github/workspace',
           relativeSubmoduleGitDir
         )
-
-        // Configure container includeIf
         await this.git.config(
-          `${INCLUDE_IF_GITDIR}${containerSubmoduleGitDir}.path`,
+          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
           containerCredentialsPath,
-          false, // globalConfig?
+          false,
-          false, // add?
+          false,
           configPath
         )
       }
@@ -331,7 +327,7 @@ class GitAuthHelper {
    */
   private async configureToken(globalConfig?: boolean): Promise<void> {
     // Get the credentials config file path in RUNNER_TEMP
-    const credentialsConfigPath = this.getCredentialsConfigPath()
+    const credentialsConfigPath = await this.getCredentialsConfigPath()
 
     // Write placeholder to the separate credentials config file using git config.
     // This approach avoids the credential being captured by process creation audit events,
@@ -340,8 +336,8 @@ class GitAuthHelper {
     await this.git.config(
       this.tokenConfigKey,
       this.tokenPlaceholderConfigValue,
-      false, // globalConfig?
+      false,
-      false, // add?
+      false,
       credentialsConfigPath
     )
 
@@ -352,9 +348,7 @@ class GitAuthHelper {
       placeholderIndex < 0 ||
       placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
     ) {
-      throw new Error(
+      throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`)
-        `Unable to replace auth placeholder in ${credentialsConfigPath}`
-      )
     }
     assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
     content = content.replace(
@@ -366,28 +360,20 @@ class GitAuthHelper {
     // Add include or includeIf to reference the credentials config
     if (globalConfig) {
       // Global config file is temporary
-      await this.git.config(
+      await this.git.config('include.path', credentialsConfigPath, true)
-        'include.path',
-        credentialsConfigPath,
-        true // globalConfig?
-      )
     } else {
       // Host git directory
       let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
       gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
 
       // Configure host includeIf
-      const hostIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}.path`
+      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
-      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${gitDir}/worktrees/*.path`
-      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
-
       // Container git directory
-      const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
       assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      const workingDirectory = this.git.getWorkingDirectory()
       let relativePath = path.relative(githubWorkspace, workingDirectory)
       relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
       const containerGitDir = path.posix.join(
@@ -403,15 +389,8 @@ class GitAuthHelper {
       )
 
       // Configure container includeIf
-      const containerIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}.path`
+      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
-
-      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `${INCLUDE_IF_GITDIR}${containerGitDir}/worktrees/*.path`
-      await this.git.config(
-        containerWorktreeIncludeKey,
-        containerCredentialsPath
-      )
     }
   }
 
@@ -419,7 +398,7 @@ class GitAuthHelper {
    * Gets or creates the path to the credentials config file in RUNNER_TEMP.
    * @returns The absolute path to the credentials config file
    */
-  private getCredentialsConfigPath(): string {
+  private async getCredentialsConfigPath(): Promise<string> {
     if (this.credentialsConfigPath) {
       return this.credentialsConfigPath
     }
@@ -466,7 +445,7 @@ class GitAuthHelper {
     }
 
     // SSH command
-    core.info('Removing SSH command configuration')
+    core.info("Removing SSH command configuration")
     await this.removeGitConfig(SSH_COMMAND_KEY)
     await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
   }
@@ -477,7 +456,7 @@ class GitAuthHelper {
    */
   private async removeToken(): Promise<void> {
     // Remove HTTP extra header
-    core.info('Removing HTTP extra header')
+    core.info("Removing HTTP extra header")
     await this.removeGitConfig(this.tokenConfigKey)
     await this.removeSubmoduleGitConfig(this.tokenConfigKey)
 
@@ -485,15 +464,14 @@ class GitAuthHelper {
     const credentialsPaths = new Set<string>()
 
     // Remove includeIf entries that point to git-credentials-*.config files
-    core.info('Removing includeIf entries pointing to credentials config files')
+    core.info("Removing includeIf entries pointing to credentials config files")
     const mainCredentialsPaths = await this.removeIncludeIfCredentials()
     mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
 
     // Remove submodule includeIf entries that point to git-credentials-*.config files
     const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
     for (const configPath of submoduleConfigPaths) {
-      const submoduleCredentialsPaths =
+      const submoduleCredentialsPaths = await this.removeIncludeIfCredentials(configPath)
-        await this.removeIncludeIfCredentials(configPath)
       submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
     }
 
@@ -513,9 +491,7 @@ class GitAuthHelper {
           )
         }
       } else {
-        core.debug(
+        core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`)
-          `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
-        )
       }
     }
   }
@@ -552,26 +528,16 @@ class GitAuthHelper {
    * @param configPath Optional path to a specific git config file to operate on
    * @returns Array of unique credentials config file paths that were found and removed
    */
-  private async removeIncludeIfCredentials(
+  private async removeIncludeIfCredentials(configPath?: string): Promise<string[]> {
-    configPath?: string
-  ): Promise<string[]> {
     const credentialsPaths = new Set<string>()
-
+    
     try {
       // Get all includeIf.gitdir keys
-      const keys = await this.git.tryGetConfigKeys(
+      const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, configPath)
-        '^includeIf\\.gitdir(/i)?:',
+      
-        false, // globalConfig?
-        configPath
-      )
-
       for (const key of keys) {
         // Get all values for this key
-        const values = await this.git.tryGetConfigValues(
+        const values = await this.git.tryGetConfigValues(key, false, configPath)
-          key,
-          false, // globalConfig?
-          configPath
-        )
         if (values.length > 0) {
           // Remove only values that match git-credentials-<uuid>.config pattern
           for (const value of values) {
@@ -590,7 +556,7 @@ class GitAuthHelper {
         core.debug(`Error during includeIf cleanup: ${err}`)
       }
     }
-
+    
     return Array.from(credentialsPaths)
   }
 

src/git-command-manager.ts

@@ -37,6 +37,7 @@ export interface IGitCommandManager {
     options: {
       filter?: string
       fetchDepth?: number
+      fetchTags?: boolean
       showProgress?: boolean
     }
   ): Promise<void>
@@ -60,24 +61,11 @@ export interface IGitCommandManager {
   tagExists(pattern: string): Promise<boolean>
   tryClean(): Promise<boolean>
   tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
-  tryConfigUnsetValue(
+  tryConfigUnsetValue(configKey: string, configValue: string, globalConfig?: boolean, configFile?: string): Promise<boolean>
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<boolean>
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
-  tryGetConfigValues(
+  tryGetConfigValues(configKey: string, globalConfig?: boolean, configFile?: string): Promise<string[]>
-    configKey: string,
+  tryGetConfigKeys(pattern: string, globalConfig?: boolean, configFile?: string): Promise<string[]>
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
-  tryGetConfigKeys(
-    pattern: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
   tryReset(): Promise<boolean>
   version(): Promise<GitVersion>
 }
@@ -279,13 +267,14 @@ class GitCommandManager {
     options: {
       filter?: string
       fetchDepth?: number
+      fetchTags?: boolean
       showProgress?: boolean
     }
   ): Promise<void> {
     const args = ['-c', 'protocol.version=2', 'fetch']
-    // Always use --no-tags for explicit control over tag fetching
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-    // Tags are fetched explicitly via refspec when needed
+      args.push('--no-tags')
-    args.push('--no-tags')
+    }
 
     args.push('--prune', '--no-recurse-submodules')
     if (options.showProgress) {
@@ -505,7 +494,7 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--unset', configKey, configValue)
-
+    
     const output = await this.execGit(args, true)
     return output.exitCode === 0
   }
@@ -548,17 +537,14 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--get-all', configKey)
-
+    
     const output = await this.execGit(args, true)
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout
+    return output.stdout.trim().split('\n').filter(value => value.trim())
-      .trim()
-      .split('\n')
-      .filter(value => value.trim())
   }
 
   async tryGetConfigKeys(
@@ -573,17 +559,14 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--name-only', '--get-regexp', pattern)
-
+    
     const output = await this.execGit(args, true)
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout
+    return output.stdout.trim().split('\n').filter(key => key.trim())
-      .trim()
-      .split('\n')
-      .filter(key => key.trim())
   }
 
   async tryReset(): Promise<boolean> {
@@ -728,19 +711,7 @@ class GitCommandManager {
       }
     }
     // Set the user agent
-    let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
-
-    // Append orchestration ID if set
-    const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
-    if (orchId) {
-      // Sanitize the orchestration ID to ensure it contains only valid characters
-      // Valid characters: 0-9, a-z, _, -, .
-      const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
-      if (sanitizedId) {
-        gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
-      }
-    }
-
     core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
     this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
   }

src/git-source-provider.ts

@@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     const fetchOptions: {
       filter?: string
       fetchDepth?: number
+      fetchTags?: boolean
       showProgress?: boolean
     } = {}
 
@@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
       if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
         refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
         await git.fetch(refSpec, fetchOptions)
-
-        // Verify the ref now matches. For branches, the targeted fetch above brings
-        // in the specific commit. For tags (fetched by ref), this will fail if
-        // the tag was moved after the workflow was triggered.
-        if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-          throw new Error(
-            `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-              `The ref may have been updated after the workflow was triggered.`
-          )
-        }
       }
     } else {
       fetchOptions.fetchDepth = settings.fetchDepth
-      const refSpec = refHelper.getRefSpec(
+      fetchOptions.fetchTags = settings.fetchTags
-        settings.ref,
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-        settings.commit,
-        settings.fetchTags
-      )
       await git.fetch(refSpec, fetchOptions)
-
-      // For tags, verify the ref still points to the expected commit.
-      // Tags are fetched by ref (not commit), so if a tag was moved after the
-      // workflow was triggered, we would silently check out the wrong commit.
-      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-        throw new Error(
-          `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-            `The ref may have been updated after the workflow was triggered.`
-        )
-      }
     }
     core.endGroup()
 

src/input-helper.ts

@@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
     }
   }
   // SHA?
-  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
+  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
     result.commit = result.ref
     result.ref = ''
   }

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/ref-helper.ts

@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
   return result
 }
 
-export function getRefSpec(
+export function getRefSpec(ref: string, commit: string): string[] {
-  ref: string,
-  commit: string,
-  fetchTags?: boolean
-): string[] {
   if (!ref && !commit) {
     throw new Error('Args ref and commit cannot both be empty')
   }
 
   const upperRef = (ref || '').toUpperCase()
-  const result: string[] = []
-
-  // When fetchTags is true, always include the tags refspec
-  if (fetchTags) {
-    result.push(tagsRefSpec)
-  }
 
   // SHA
   if (commit) {
     // refs/heads
     if (upperRef.startsWith('REFS/HEADS/')) {
       const branch = ref.substring('refs/heads/'.length)
-      result.push(`+${commit}:refs/remotes/origin/${branch}`)
+      return [`+${commit}:refs/remotes/origin/${branch}`]
     }
     // refs/pull/
     else if (upperRef.startsWith('REFS/PULL/')) {
       const branch = ref.substring('refs/pull/'.length)
-      result.push(`+${commit}:refs/remotes/pull/${branch}`)
+      return [`+${commit}:refs/remotes/pull/${branch}`]
     }
     // refs/tags/
     else if (upperRef.startsWith('REFS/TAGS/')) {
-      if (!fetchTags) {
+      return [`+${commit}:${ref}`]
-        result.push(`+${ref}:${ref}`)
-      }
     }
     // Otherwise no destination ref
     else {
-      result.push(commit)
+      return [commit]
     }
   }
   // Unqualified ref, check for a matching branch or tag
   else if (!upperRef.startsWith('REFS/')) {
-    result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
+    return [
-    if (!fetchTags) {
+      `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-      result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
+      `+refs/tags/${ref}*:refs/tags/${ref}*`
-    }
+    ]
   }
   // refs/heads/
   else if (upperRef.startsWith('REFS/HEADS/')) {
     const branch = ref.substring('refs/heads/'.length)
-    result.push(`+${ref}:refs/remotes/origin/${branch}`)
+    return [`+${ref}:refs/remotes/origin/${branch}`]
   }
   // refs/pull/
   else if (upperRef.startsWith('REFS/PULL/')) {
     const branch = ref.substring('refs/pull/'.length)
-    result.push(`+${ref}:refs/remotes/pull/${branch}`)
+    return [`+${ref}:refs/remotes/pull/${branch}`]
   }
   // refs/tags/
-  else if (upperRef.startsWith('REFS/TAGS/')) {
-    if (!fetchTags) {
-      result.push(`+${ref}:${ref}`)
-    }
-  }
-  // Other refs
   else {
-    result.push(`+${ref}:${ref}`)
+    return [`+${ref}:${ref}`]
   }
-
-  return result
 }
 
 /**
@@ -190,10 +170,8 @@ export async function testRef(
   // refs/tags/
   else if (upperRef.startsWith('REFS/TAGS/')) {
     const tagName = ref.substring('refs/tags/'.length)
-    // Use ^{commit} to dereference annotated tags to their underlying commit
     return (
-      (await git.tagExists(tagName)) &&
+      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
-      commit === (await git.revParse(`${ref}^{commit}`))
     )
   }
   // Unexpected
@@ -258,9 +236,7 @@ export async function checkCommitInfo(
     }
 
     // Extract details from message
-    const match = commitInfo.match(
+    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
-      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
-    )
     if (!match) {
       core.debug('Unexpected message format')
       return