update readme for v3 (#708)

* update readme for v3

* update readme with changes

* nit grammar

.github/workflows/check-dist.yml

@@ -24,10 +24,10 @@ jobs:
     steps:
       - uses: actions/checkout@v2
 
-      - name: Set Node.js 12.x
+      - name: Set Node.js 16.x
         uses: actions/setup-node@v1
         with:
-          node-version: 12.x
+          node-version: 16.x
 
       - name: Install dependencies
         run: npm ci

.github/workflows/test.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/setup-node@v1
         with:
-          node-version: 12.x
+          node-version: 16.x
       - uses: actions/checkout@v2
       - run: npm ci
       - run: npm run build
@@ -205,41 +205,3 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3

CHANGELOG.md

@@ -1,11 +1,5 @@
 # Changelog
 
-## v2.4.2
-- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/776)
-
-## v2.4.1
-- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)
-
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)

README.md

@@ -2,7 +2,7 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2
+# Checkout V3
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -14,27 +14,14 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 # What's new
 
-- Improved performance
-  - Fetches only a single commit by default
-- Script authenticated git commands
-  - Auth token persisted in the local git config
-- Supports SSH
-- Creates a local branch
-  - No longer detached HEAD when checking out a branch
-- Improved layout
-  - The input `path` is always relative to $GITHUB_WORKSPACE
-  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
-- Fallback to REST API download
-  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
-  - When using a job container, the container's PATH is used
-
-Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
+- Updated to the node16 runtime by default
+  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -105,11 +92,6 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     #
     # Default: false
     submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->
 
@@ -128,7 +110,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 0
 ```
@@ -136,7 +118,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: my-branch
 ```
@@ -144,7 +126,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -154,12 +136,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -169,10 +151,10 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -182,12 +164,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -200,7 +182,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -216,7 +198,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 ```
 
 ## Push a commit using the built-in token
@@ -227,7 +209,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: |
           date > generated.txt
           git config user.name github-actions

__test__/git-auth-helper.test.ts

@@ -643,11 +643,10 @@ describe('git-auth-helper tests', () => {
     expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
   })
 
-  const removeGlobalConfig_removesOverride =
-    'removeGlobalConfig removes override'
-  it(removeGlobalConfig_removesOverride, async () => {
+  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
+  it(removeGlobalAuth_removesOverride, async () => {
     // Arrange
-    await setup(removeGlobalConfig_removesOverride)
+    await setup(removeGlobalAuth_removesOverride)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
     await authHelper.configureGlobalAuth()
@@ -656,7 +655,7 @@ describe('git-auth-helper tests', () => {
     await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
 
     // Act
-    await authHelper.removeGlobalConfig()
+    await authHelper.removeGlobalAuth()
 
     // Assert
     expect(git.env['HOME']).toBeUndefined()
@@ -777,8 +776,7 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
-    workflowOrganizationId: 123456,
-    setSafeDirectory: true
+    workflowOrganizationId: 123456
   }
 }
 

__test__/input-helper.test.ts

@@ -85,7 +85,6 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
   })
 
   it('qualifies ref', async () => {

action.yml

@@ -68,10 +68,7 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
-  using: node12
+  using: node16
   main: dist/index.js
   post: dist/index.js

dist/index.js

@@ -3592,7 +3592,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.setSafeDirectory = exports.setSshKnownHostsPath = exports.setSshKeyPath = exports.setRepositoryPath = exports.SshKnownHostsPath = exports.SshKeyPath = exports.PostSetSafeDirectory = exports.RepositoryPath = exports.IsPost = void 0;
+exports.setSshKnownHostsPath = exports.setSshKeyPath = exports.setRepositoryPath = exports.SshKnownHostsPath = exports.SshKeyPath = exports.RepositoryPath = exports.IsPost = void 0;
 const coreCommand = __importStar(__webpack_require__(431));
 /**
  * Indicates whether the POST action is running
@@ -3602,10 +3602,6 @@ exports.IsPost = !!process.env['STATE_isPost'];
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
 exports.RepositoryPath = process.env['STATE_repositoryPath'] || '';
-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-exports.PostSetSafeDirectory = process.env['STATE_setSafeDirectory'] === 'true';
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
@@ -3635,13 +3631,6 @@ function setSshKnownHostsPath(sshKnownHostsPath) {
     coreCommand.issueCommand('save-state', { name: 'sshKnownHostsPath' }, sshKnownHostsPath);
 }
 exports.setSshKnownHostsPath = setSshKnownHostsPath;
-/**
- * Save the sef-safe-directory input so the POST action can retrieve the value.
- */
-function setSafeDirectory() {
-    coreCommand.issueCommand('save-state', { name: 'setSafeDirectory' }, 'true');
-}
-exports.setSafeDirectory = setSafeDirectory;
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!exports.IsPost) {
@@ -4240,7 +4229,7 @@ module.exports = require("punycode");
 /***/ 215:
 /***/ (function(module) {
 
-module.exports = {"name":"@octokit/rest","version":"16.43.1","publishConfig":{"access":"public"},"description":"GitHub REST API client for Node.js","keywords":["octokit","github","rest","api-client"],"author":"Gregor Martynus (https://github.com/gr2m)","contributors":[{"name":"Mike de Boer","email":"info@mikedeboer.nl"},{"name":"Fabian Jakobs","email":"fabian@c9.io"},{"name":"Joe Gallo","email":"joe@brassafrax.com"},{"name":"Gregor Martynus","url":"https://github.com/gr2m"}],"repository":"https://github.com/octokit/rest.js","dependencies":{"@octokit/auth-token":"^2.4.0","@octokit/plugin-paginate-rest":"^1.1.1","@octokit/plugin-request-log":"^1.0.0","@octokit/plugin-rest-endpoint-methods":"2.4.0","@octokit/request":"^5.2.0","@octokit/request-error":"^1.0.2","atob-lite":"^2.0.0","before-after-hook":"^2.0.0","btoa-lite":"^1.0.0","deprecation":"^2.0.0","lodash.get":"^4.4.2","lodash.set":"^4.3.2","lodash.uniq":"^4.5.0","octokit-pagination-methods":"^1.1.0","once":"^1.4.0","universal-user-agent":"^4.0.0"},"devDependencies":{"@gimenete/type-writer":"^0.1.3","@octokit/auth":"^1.1.1","@octokit/fixtures-server":"^5.0.6","@octokit/graphql":"^4.2.0","@types/node":"^13.1.0","bundlesize":"^0.18.0","chai":"^4.1.2","compression-webpack-plugin":"^3.1.0","cypress":"^3.0.0","glob":"^7.1.2","http-proxy-agent":"^4.0.0","lodash.camelcase":"^4.3.0","lodash.merge":"^4.6.1","lodash.upperfirst":"^4.3.1","lolex":"^5.1.2","mkdirp":"^1.0.0","mocha":"^7.0.1","mustache":"^4.0.0","nock":"^11.3.3","npm-run-all":"^4.1.2","nyc":"^15.0.0","prettier":"^1.14.2","proxy":"^1.0.0","semantic-release":"^17.0.0","sinon":"^8.0.0","sinon-chai":"^3.0.0","sort-keys":"^4.0.0","string-to-arraybuffer":"^1.0.0","string-to-jsdoc-comment":"^1.0.0","typescript":"^3.3.1","webpack":"^4.0.0","webpack-bundle-analyzer":"^3.0.0","webpack-cli":"^3.0.0"},"types":"index.d.ts","scripts":{"coverage":"nyc report --reporter=html && open coverage/index.html","lint":"prettier --check '{lib,plugins,scripts,test}/**/*.{js,json,ts}' 'docs/*.{js,json}' 'docs/src/**/*' index.js README.md package.json","lint:fix":"prettier --write '{lib,plugins,scripts,test}/**/*.{js,json,ts}' 'docs/*.{js,json}' 'docs/src/**/*' index.js README.md package.json","pretest":"npm run -s lint","test":"nyc mocha test/mocha-node-setup.js \"test/*/**/*-test.js\"","test:browser":"cypress run --browser chrome","build":"npm-run-all build:*","build:ts":"npm run -s update-endpoints:typescript","prebuild:browser":"mkdirp dist/","build:browser":"npm-run-all build:browser:*","build:browser:development":"webpack --mode development --entry . --output-library=Octokit --output=./dist/octokit-rest.js --profile --json > dist/bundle-stats.json","build:browser:production":"webpack --mode production --entry . --plugin=compression-webpack-plugin --output-library=Octokit --output-path=./dist --output-filename=octokit-rest.min.js --devtool source-map","generate-bundle-report":"webpack-bundle-analyzer dist/bundle-stats.json --mode=static --no-open --report dist/bundle-report.html","update-endpoints":"npm-run-all update-endpoints:*","update-endpoints:fetch-json":"node scripts/update-endpoints/fetch-json","update-endpoints:typescript":"node scripts/update-endpoints/typescript","prevalidate:ts":"npm run -s build:ts","validate:ts":"tsc --target es6 --noImplicitAny index.d.ts","postvalidate:ts":"tsc --noEmit --target es6 test/typescript-validate.ts","start-fixtures-server":"octokit-fixtures-server"},"license":"MIT","files":["index.js","index.d.ts","lib","plugins"],"nyc":{"ignore":["test"]},"release":{"publish":["@semantic-release/npm",{"path":"@semantic-release/github","assets":["dist/*","!dist/*.map.gz"]}]},"bundlesize":[{"path":"./dist/octokit-rest.min.js.gz","maxSize":"33 kB"}],"_resolved":"https://registry.npmjs.org/@octokit/rest/-/rest-16.43.1.tgz","_integrity":"sha512-gfFKwRT/wFxq5qlNjnW2dh+qh74XgTQ2B179UX5K1HYCluioWj8Ndbgqw2PVqa1NnVJkGHp2ovMpVn/DImlmkw==","_from":"@octokit/rest@16.43.1"};
+module.exports = {"name":"@octokit/rest","version":"16.43.1","publishConfig":{"access":"public"},"description":"GitHub REST API client for Node.js","keywords":["octokit","github","rest","api-client"],"author":"Gregor Martynus (https://github.com/gr2m)","contributors":[{"name":"Mike de Boer","email":"info@mikedeboer.nl"},{"name":"Fabian Jakobs","email":"fabian@c9.io"},{"name":"Joe Gallo","email":"joe@brassafrax.com"},{"name":"Gregor Martynus","url":"https://github.com/gr2m"}],"repository":"https://github.com/octokit/rest.js","dependencies":{"@octokit/auth-token":"^2.4.0","@octokit/plugin-paginate-rest":"^1.1.1","@octokit/plugin-request-log":"^1.0.0","@octokit/plugin-rest-endpoint-methods":"2.4.0","@octokit/request":"^5.2.0","@octokit/request-error":"^1.0.2","atob-lite":"^2.0.0","before-after-hook":"^2.0.0","btoa-lite":"^1.0.0","deprecation":"^2.0.0","lodash.get":"^4.4.2","lodash.set":"^4.3.2","lodash.uniq":"^4.5.0","octokit-pagination-methods":"^1.1.0","once":"^1.4.0","universal-user-agent":"^4.0.0"},"devDependencies":{"@gimenete/type-writer":"^0.1.3","@octokit/auth":"^1.1.1","@octokit/fixtures-server":"^5.0.6","@octokit/graphql":"^4.2.0","@types/node":"^13.1.0","bundlesize":"^0.18.0","chai":"^4.1.2","compression-webpack-plugin":"^3.1.0","cypress":"^3.0.0","glob":"^7.1.2","http-proxy-agent":"^4.0.0","lodash.camelcase":"^4.3.0","lodash.merge":"^4.6.1","lodash.upperfirst":"^4.3.1","lolex":"^5.1.2","mkdirp":"^1.0.0","mocha":"^7.0.1","mustache":"^4.0.0","nock":"^11.3.3","npm-run-all":"^4.1.2","nyc":"^15.0.0","prettier":"^1.14.2","proxy":"^1.0.0","semantic-release":"^17.0.0","sinon":"^8.0.0","sinon-chai":"^3.0.0","sort-keys":"^4.0.0","string-to-arraybuffer":"^1.0.0","string-to-jsdoc-comment":"^1.0.0","typescript":"^3.3.1","webpack":"^4.0.0","webpack-bundle-analyzer":"^3.0.0","webpack-cli":"^3.0.0"},"types":"index.d.ts","scripts":{"coverage":"nyc report --reporter=html && open coverage/index.html","lint":"prettier --check '{lib,plugins,scripts,test}/**/*.{js,json,ts}' 'docs/*.{js,json}' 'docs/src/**/*' index.js README.md package.json","lint:fix":"prettier --write '{lib,plugins,scripts,test}/**/*.{js,json,ts}' 'docs/*.{js,json}' 'docs/src/**/*' index.js README.md package.json","pretest":"npm run -s lint","test":"nyc mocha test/mocha-node-setup.js \"test/*/**/*-test.js\"","test:browser":"cypress run --browser chrome","build":"npm-run-all build:*","build:ts":"npm run -s update-endpoints:typescript","prebuild:browser":"mkdirp dist/","build:browser":"npm-run-all build:browser:*","build:browser:development":"webpack --mode development --entry . --output-library=Octokit --output=./dist/octokit-rest.js --profile --json > dist/bundle-stats.json","build:browser:production":"webpack --mode production --entry . --plugin=compression-webpack-plugin --output-library=Octokit --output-path=./dist --output-filename=octokit-rest.min.js --devtool source-map","generate-bundle-report":"webpack-bundle-analyzer dist/bundle-stats.json --mode=static --no-open --report dist/bundle-report.html","update-endpoints":"npm-run-all update-endpoints:*","update-endpoints:fetch-json":"node scripts/update-endpoints/fetch-json","update-endpoints:typescript":"node scripts/update-endpoints/typescript","prevalidate:ts":"npm run -s build:ts","validate:ts":"tsc --target es6 --noImplicitAny index.d.ts","postvalidate:ts":"tsc --noEmit --target es6 test/typescript-validate.ts","start-fixtures-server":"octokit-fixtures-server"},"license":"MIT","files":["index.js","index.d.ts","lib","plugins"],"nyc":{"ignore":["test"]},"release":{"publish":["@semantic-release/npm",{"path":"@semantic-release/github","assets":["dist/*","!dist/*.map.gz"]}]},"bundlesize":[{"path":"./dist/octokit-rest.min.js.gz","maxSize":"33 kB"}]};
 
 /***/ }),
 
@@ -6583,13 +6572,9 @@ class GitAuthHelper {
             yield this.configureToken();
         });
     }
-    configureTempGlobalConfig() {
-        var _a, _b;
+    configureGlobalAuth() {
+        var _a;
         return __awaiter(this, void 0, void 0, function* () {
-            // Already setup global config
-            if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) {
-                return path.join(this.temporaryHomePath, '.gitconfig');
-            }
             // Create a temp home directory
             const runnerTemp = process.env['RUNNER_TEMP'] || '';
             assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
@@ -6605,7 +6590,7 @@ class GitAuthHelper {
                 configExists = true;
             }
             catch (err) {
-                if (((_b = err) === null || _b === void 0 ? void 0 : _b.code) !== 'ENOENT') {
+                if (((_a = err) === null || _a === void 0 ? void 0 : _a.code) !== 'ENOENT') {
                     throw err;
                 }
             }
@@ -6616,17 +6601,10 @@ class GitAuthHelper {
             else {
                 yield fs.promises.writeFile(newGitConfigPath, '');
             }
-            // Override HOME
-            core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
-            this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
-            return newGitConfigPath;
-        });
-    }
-    configureGlobalAuth() {
-        return __awaiter(this, void 0, void 0, function* () {
-            // 'configureTempGlobalConfig' noops if already set, just returns the path
-            const newGitConfigPath = yield this.configureTempGlobalConfig();
             try {
+                // Override HOME
+                core.info(`Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`);
+                this.git.setEnvironmentVariable('HOME', this.temporaryHomePath);
                 // Configure the token
                 yield this.configureToken(newGitConfigPath, true);
                 // Configure HTTPS instead of SSH
@@ -6679,14 +6657,11 @@ class GitAuthHelper {
             yield this.removeToken();
         });
     }
-    removeGlobalConfig() {
-        var _a;
+    removeGlobalAuth() {
         return __awaiter(this, void 0, void 0, function* () {
-            if (((_a = this.temporaryHomePath) === null || _a === void 0 ? void 0 : _a.length) > 0) {
-                core.debug(`Unsetting HOME override`);
-                this.git.removeEnvironmentVariable('HOME');
-                yield io.rmRF(this.temporaryHomePath);
-            }
+            core.debug(`Unsetting HOME override`);
+            this.git.removeEnvironmentVariable('HOME');
+            yield io.rmRF(this.temporaryHomePath);
         });
     }
     configureSsh() {
@@ -7351,59 +7326,40 @@ function getSource(settings) {
         core.startGroup('Getting Git version info');
         const git = yield getGitCommandManager(settings);
         core.endGroup();
-        let authHelper = null;
-        try {
-            if (git) {
-                authHelper = gitAuthHelper.createAuthHelper(git, settings);
-                if (settings.setSafeDirectory) {
-                    // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-                    // Otherwise all git commands we run in a container fail
-                    yield authHelper.configureTempGlobalConfig();
-                    core.info(`Adding repository directory to the temporary git global config as a safe directory`);
-                    yield git
-                        .config('safe.directory', settings.repositoryPath, true, true)
-                        .catch(error => {
-                        core.info(`Failed to initialize safe directory with error: ${error}`);
-                    });
-                    stateHelper.setSafeDirectory();
-                }
+        // Prepare existing directory, otherwise recreate
+        if (isExisting) {
+            yield gitDirectoryHelper.prepareExistingDirectory(git, settings.repositoryPath, repositoryUrl, settings.clean, settings.ref);
+        }
+        if (!git) {
+            // Downloading using REST API
+            core.info(`The repository will be downloaded using the GitHub REST API`);
+            core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
+            if (settings.submodules) {
+                throw new Error(`Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
             }
-            // Prepare existing directory, otherwise recreate
-            if (isExisting) {
-                yield gitDirectoryHelper.prepareExistingDirectory(git, settings.repositoryPath, repositoryUrl, settings.clean, settings.ref);
-            }
-            if (!git) {
-                // Downloading using REST API
-                core.info(`The repository will be downloaded using the GitHub REST API`);
-                core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
-                if (settings.submodules) {
-                    throw new Error(`Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
-                }
-                else if (settings.sshKey) {
-                    throw new Error(`Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
-                }
-                yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
-                return;
-            }
-            // Save state for POST action
-            stateHelper.setRepositoryPath(settings.repositoryPath);
-            // Initialize the repository
-            if (!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))) {
-                core.startGroup('Initializing the repository');
-                yield git.init();
-                yield git.remoteAdd('origin', repositoryUrl);
-                core.endGroup();
-            }
-            // Disable automatic garbage collection
-            core.startGroup('Disabling automatic garbage collection');
-            if (!(yield git.tryDisableAutomaticGarbageCollection())) {
-                core.warning(`Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`);
+            else if (settings.sshKey) {
+                throw new Error(`Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`);
             }
+            yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
+            return;
+        }
+        // Save state for POST action
+        stateHelper.setRepositoryPath(settings.repositoryPath);
+        // Initialize the repository
+        if (!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))) {
+            core.startGroup('Initializing the repository');
+            yield git.init();
+            yield git.remoteAdd('origin', repositoryUrl);
             core.endGroup();
-            // If we didn't initialize it above, do it now
-            if (!authHelper) {
-                authHelper = gitAuthHelper.createAuthHelper(git, settings);
-            }
+        }
+        // Disable automatic garbage collection
+        core.startGroup('Disabling automatic garbage collection');
+        if (!(yield git.tryDisableAutomaticGarbageCollection())) {
+            core.warning(`Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`);
+        }
+        core.endGroup();
+        const authHelper = gitAuthHelper.createAuthHelper(git, settings);
+        try {
             // Configure auth
             core.startGroup('Setting up auth');
             yield authHelper.configureAuth();
@@ -7459,21 +7415,27 @@ function getSource(settings) {
             core.endGroup();
             // Submodules
             if (settings.submodules) {
-                // Temporarily override global config
-                core.startGroup('Setting up auth for fetching submodules');
-                yield authHelper.configureGlobalAuth();
-                core.endGroup();
-                // Checkout submodules
-                core.startGroup('Fetching submodules');
-                yield git.submoduleSync(settings.nestedSubmodules);
-                yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules);
-                yield git.submoduleForeach('git config --local gc.auto 0', settings.nestedSubmodules);
-                core.endGroup();
-                // Persist credentials
-                if (settings.persistCredentials) {
-                    core.startGroup('Persisting credentials for submodules');
-                    yield authHelper.configureSubmoduleAuth();
+                try {
+                    // Temporarily override global config
+                    core.startGroup('Setting up auth for fetching submodules');
+                    yield authHelper.configureGlobalAuth();
                     core.endGroup();
+                    // Checkout submodules
+                    core.startGroup('Fetching submodules');
+                    yield git.submoduleSync(settings.nestedSubmodules);
+                    yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules);
+                    yield git.submoduleForeach('git config --local gc.auto 0', settings.nestedSubmodules);
+                    core.endGroup();
+                    // Persist credentials
+                    if (settings.persistCredentials) {
+                        core.startGroup('Persisting credentials for submodules');
+                        yield authHelper.configureSubmoduleAuth();
+                        core.endGroup();
+                    }
+                }
+                finally {
+                    // Remove temporary global config override
+                    yield authHelper.removeGlobalAuth();
                 }
             }
             // Get commit information
@@ -7485,13 +7447,10 @@ function getSource(settings) {
         }
         finally {
             // Remove auth
-            if (authHelper) {
-                if (!settings.persistCredentials) {
-                    core.startGroup('Removing auth');
-                    yield authHelper.removeAuth();
-                    core.endGroup();
-                }
-                authHelper.removeGlobalConfig();
+            if (!settings.persistCredentials) {
+                core.startGroup('Removing auth');
+                yield authHelper.removeAuth();
+                core.endGroup();
             }
         }
     });
@@ -7513,23 +7472,7 @@ function cleanup(repositoryPath) {
         }
         // Remove auth
         const authHelper = gitAuthHelper.createAuthHelper(git);
-        try {
-            if (stateHelper.PostSetSafeDirectory) {
-                // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-                // Otherwise all git commands we run in a container fail
-                yield authHelper.configureTempGlobalConfig();
-                core.info(`Adding repository directory to the temporary git global config as a safe directory`);
-                yield git
-                    .config('safe.directory', repositoryPath, true, true)
-                    .catch(error => {
-                    core.info(`Failed to initialize safe directory with error: ${error}`);
-                });
-            }
-            yield authHelper.removeAuth();
-        }
-        finally {
-            yield authHelper.removeGlobalConfig();
-        }
+        yield authHelper.removeAuth();
     });
 }
 exports.cleanup = cleanup;
@@ -17301,9 +17244,6 @@ function getInputs() {
             (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE';
         // Workflow organization ID
         result.workflowOrganizationId = yield workflowContextHelper.getOrganizationId();
-        // Set safe.directory in git global config.
-        result.setSafeDirectory =
-            (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE';
         return result;
     });
 }

src/git-auth-helper.ts

@@ -19,9 +19,8 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
   removeAuth(): Promise<void>
-  removeGlobalConfig(): Promise<void>
+  removeGlobalAuth(): Promise<void>
 }
 
 export function createAuthHelper(
@@ -81,11 +80,7 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureTempGlobalConfig(): Promise<string> {
-    // Already setup global config
-    if (this.temporaryHomePath?.length > 0) {
-      return path.join(this.temporaryHomePath, '.gitconfig')
-    }
+  async configureGlobalAuth(): Promise<void> {
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@@ -115,19 +110,13 @@ class GitAuthHelper {
       await fs.promises.writeFile(newGitConfigPath, '')
     }
 
-    // Override HOME
-    core.info(
-      `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
-    )
-    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
-
-    return newGitConfigPath
-  }
-
-  async configureGlobalAuth(): Promise<void> {
-    // 'configureTempGlobalConfig' noops if already set, just returns the path
-    const newGitConfigPath = await this.configureTempGlobalConfig()
     try {
+      // Override HOME
+      core.info(
+        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
+      )
+      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+
       // Configure the token
       await this.configureToken(newGitConfigPath, true)
 
@@ -192,12 +181,10 @@ class GitAuthHelper {
     await this.removeToken()
   }
 
-  async removeGlobalConfig(): Promise<void> {
-    if (this.temporaryHomePath?.length > 0) {
-      core.debug(`Unsetting HOME override`)
-      this.git.removeEnvironmentVariable('HOME')
-      await io.rmRF(this.temporaryHomePath)
-    }
+  async removeGlobalAuth(): Promise<void> {
+    core.debug(`Unsetting HOME override`)
+    this.git.removeEnvironmentVariable('HOME')
+    await io.rmRF(this.temporaryHomePath)
   }
 
   private async configureSsh(): Promise<void> {

src/git-source-provider.ts

@@ -36,94 +36,68 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   const git = await getGitCommandManager(settings)
   core.endGroup()
 
-  let authHelper: gitAuthHelper.IGitAuthHelper | null = null
-  try {
-    if (git) {
-      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.setSafeDirectory) {
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
-        )
+  // Prepare existing directory, otherwise recreate
+  if (isExisting) {
+    await gitDirectoryHelper.prepareExistingDirectory(
+      git,
+      settings.repositoryPath,
+      repositoryUrl,
+      settings.clean,
+      settings.ref
+    )
+  }
 
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
-
-        stateHelper.setSafeDirectory()
-      }
-    }
-
-    // Prepare existing directory, otherwise recreate
-    if (isExisting) {
-      await gitDirectoryHelper.prepareExistingDirectory(
-        git,
-        settings.repositoryPath,
-        repositoryUrl,
-        settings.clean,
-        settings.ref
+  if (!git) {
+    // Downloading using REST API
+    core.info(`The repository will be downloaded using the GitHub REST API`)
+    core.info(
+      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+    )
+    if (settings.submodules) {
+      throw new Error(
+        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+      )
+    } else if (settings.sshKey) {
+      throw new Error(
+        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
       )
     }
 
-    if (!git) {
-      // Downloading using REST API
-      core.info(`The repository will be downloaded using the GitHub REST API`)
-      core.info(
-        `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
-      )
-      if (settings.submodules) {
-        throw new Error(
-          `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-        )
-      } else if (settings.sshKey) {
-        throw new Error(
-          `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-        )
-      }
+    await githubApiHelper.downloadRepository(
+      settings.authToken,
+      settings.repositoryOwner,
+      settings.repositoryName,
+      settings.ref,
+      settings.commit,
+      settings.repositoryPath
+    )
+    return
+  }
 
-      await githubApiHelper.downloadRepository(
-        settings.authToken,
-        settings.repositoryOwner,
-        settings.repositoryName,
-        settings.ref,
-        settings.commit,
-        settings.repositoryPath
-      )
-      return
-    }
+  // Save state for POST action
+  stateHelper.setRepositoryPath(settings.repositoryPath)
 
-    // Save state for POST action
-    stateHelper.setRepositoryPath(settings.repositoryPath)
-
-    // Initialize the repository
-    if (
-      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
-    ) {
-      core.startGroup('Initializing the repository')
-      await git.init()
-      await git.remoteAdd('origin', repositoryUrl)
-      core.endGroup()
-    }
-
-    // Disable automatic garbage collection
-    core.startGroup('Disabling automatic garbage collection')
-    if (!(await git.tryDisableAutomaticGarbageCollection())) {
-      core.warning(
-        `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
-      )
-    }
+  // Initialize the repository
+  if (
+    !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
+  ) {
+    core.startGroup('Initializing the repository')
+    await git.init()
+    await git.remoteAdd('origin', repositoryUrl)
     core.endGroup()
+  }
 
-    // If we didn't initialize it above, do it now
-    if (!authHelper) {
-      authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    }
+  // Disable automatic garbage collection
+  core.startGroup('Disabling automatic garbage collection')
+  if (!(await git.tryDisableAutomaticGarbageCollection())) {
+    core.warning(
+      `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
+    )
+  }
+  core.endGroup()
+
+  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+  try {
     // Configure auth
     core.startGroup('Setting up auth')
     await authHelper.configureAuth()
@@ -196,26 +170,34 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
 
     // Submodules
     if (settings.submodules) {
-      // Temporarily override global config
-      core.startGroup('Setting up auth for fetching submodules')
-      await authHelper.configureGlobalAuth()
-      core.endGroup()
-
-      // Checkout submodules
-      core.startGroup('Fetching submodules')
-      await git.submoduleSync(settings.nestedSubmodules)
-      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
-      await git.submoduleForeach(
-        'git config --local gc.auto 0',
-        settings.nestedSubmodules
-      )
-      core.endGroup()
-
-      // Persist credentials
-      if (settings.persistCredentials) {
-        core.startGroup('Persisting credentials for submodules')
-        await authHelper.configureSubmoduleAuth()
+      try {
+        // Temporarily override global config
+        core.startGroup('Setting up auth for fetching submodules')
+        await authHelper.configureGlobalAuth()
         core.endGroup()
+
+        // Checkout submodules
+        core.startGroup('Fetching submodules')
+        await git.submoduleSync(settings.nestedSubmodules)
+        await git.submoduleUpdate(
+          settings.fetchDepth,
+          settings.nestedSubmodules
+        )
+        await git.submoduleForeach(
+          'git config --local gc.auto 0',
+          settings.nestedSubmodules
+        )
+        core.endGroup()
+
+        // Persist credentials
+        if (settings.persistCredentials) {
+          core.startGroup('Persisting credentials for submodules')
+          await authHelper.configureSubmoduleAuth()
+          core.endGroup()
+        }
+      } finally {
+        // Remove temporary global config override
+        await authHelper.removeGlobalAuth()
       }
     }
 
@@ -236,13 +218,10 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     )
   } finally {
     // Remove auth
-    if (authHelper) {
-      if (!settings.persistCredentials) {
-        core.startGroup('Removing auth')
-        await authHelper.removeAuth()
-        core.endGroup()
-      }
-      authHelper.removeGlobalConfig()
+    if (!settings.persistCredentials) {
+      core.startGroup('Removing auth')
+      await authHelper.removeAuth()
+      core.endGroup()
     }
   }
 }
@@ -265,26 +244,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
 
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
-  try {
-    if (stateHelper.PostSetSafeDirectory) {
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
-    }
-
-    await authHelper.removeAuth()
-  } finally {
-    await authHelper.removeGlobalConfig()
-  }
+  await authHelper.removeAuth()
 }
 
 async function getGitCommandManager(

src/git-source-settings.ts

@@ -78,9 +78,4 @@ export interface IGitSourceSettings {
    * Organization ID for the currently running workflow (used for auth settings)
    */
   workflowOrganizationId: number | undefined
-
-  /**
-   * Indicates whether to add repositoryPath as safe.directory in git global config
-   */
-  setSafeDirectory: boolean
 }

src/input-helper.ts

@@ -122,8 +122,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   // Workflow organization ID
   result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
 
-  // Set safe.directory in git global config.
-  result.setSafeDirectory =
-    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2',
+  'actions/checkout@v3',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/state-helper.ts

@@ -11,12 +11,6 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
   (process.env['STATE_repositoryPath'] as string) || ''
 
-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-export const PostSetSafeDirectory =
-  (process.env['STATE_setSafeDirectory'] as string) === 'true'
-
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
@@ -57,13 +51,6 @@ export function setSshKnownHostsPath(sshKnownHostsPath: string) {
   )
 }
 
-/**
- * Save the sef-safe-directory input so the POST action can retrieve the value.
- */
-export function setSafeDirectory() {
-  coreCommand.issueCommand('save-state', {name: 'setSafeDirectory'}, 'true')
-}
-
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {