README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com (#1707)

* README: Set `user.email` to GitHub Actions Bot

* Update workflow to use proper bot GitHub Bot email

* Prefix `user.email` with `41898282+`

To match squash merge user, else showing as two different users, see: b0948d0da0

* Update README.md

---------

Co-authored-by: Pelle Wessman <pelle@kodfabrik.se>

.github/dependabot.yml

@@ -0,0 +1,20 @@
+---
+version: 2
+
+updates:
+- package-ecosystem: "npm"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  groups:
+    minor-npm-dependencies:
+      # NPM: Only group minor and patch updates (we want to carefully review major updates)
+      update-types: [minor, patch]
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  groups:
+    minor-actions-dependencies:
+      # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates)
+      update-types: [minor, patch]

.github/workflows/check-dist.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v3
 
       - name: Set Node.js 20.x
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
 
@@ -44,7 +44,7 @@ jobs:
           fi
 
       # If dist/ was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,4 +55,4 @@ jobs:
     - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/test.yml

@@ -7,11 +7,16 @@ on:
       - main
       - releases/*
 
+
+# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow,
+# these refer to "test-data" branches on this actions/checkout repo.
+# (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@v1
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
       - uses: actions/checkout@v3
@@ -32,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.1
 
       # Basic checkout
       - name: Checkout basic
@@ -72,6 +77,16 @@ jobs:
         shell: bash
         run: __test__/verify-side-by-side.sh
 
+      # Filter
+      - name: Fetch filter
+        uses: ./
+        with:
+          filter: 'blob:none'
+          path: fetch-filter
+
+      - name: Verify fetch filter
+        run: __test__/verify-fetch-filter.sh
+
       # Sparse checkout
       - name: Sparse checkout
         uses: ./
@@ -85,6 +100,16 @@ jobs:
       - name: Verify sparse checkout
         run: __test__/verify-sparse-checkout.sh
 
+      # Disabled sparse checkout in existing checkout
+      - name: Disabled sparse checkout
+        uses: ./
+        with:
+          path: sparse-checkout
+
+      - name: Verify disabled sparse checkout
+        shell: bash
+        run: set -x && ls -l sparse-checkout/src/git-command-manager.ts
+
       # Sparse checkout (non-cone mode)
       - name: Sparse checkout (non-cone mode)
         uses: ./
@@ -165,7 +190,7 @@ jobs:
   test-proxy:
     runs-on: ubuntu-latest
     container:
-      image: alpine/git:latest
+      image: ghcr.io/actions/test-ubuntu-git:main.20240221.114913.703z
       options: --dns 127.0.0.1
     services:
       squid-proxy:
@@ -232,7 +257,7 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
+
   test-git-container:
     runs-on: ubuntu-latest
     container: bitnami/git:latest
@@ -269,4 +294,4 @@ jobs:
       - name: Fix Checkout v3
         uses: actions/checkout@v3
         with:
-          path: v3
+          path: v3

.github/workflows/update-main-version.yml

@@ -19,13 +19,16 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    # Note this update workflow can also be used as a rollback tool.
+    # For that reason, it's best to pin `actions/checkout` to a known, stable version
+    # (typically, about two releases back).
+    - uses: actions/checkout@v4.1.1
       with:
         fetch-depth: 0
     - name: Git config
       run: |
-        git config user.name github-actions
+        git config user.name "github-actions[bot]"
-        git config user.email github-actions@github.com
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
     - name: Tag new target
       run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
     - name: Push new tag

.github/workflows/update-test-ubuntu-git.yml

@@ -0,0 +1,59 @@
+name: Publish test-ubuntu-git Container
+
+on:
+  # Use an on demand workflow trigger.  
+  # (Forked copies of actions/checkout won't have permission to update GHCR.io/actions, 
+  #  so avoid trigger events that run automatically.)
+  workflow_dispatch:
+    inputs:
+      publish:
+        description:  'Publish to ghcr.io? (main branch only)'
+        type: boolean
+        required: true
+        default: false
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: actions/test-ubuntu-git
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+ 
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Use `docker/login-action` to log in to GHCR.io. 
+      # Once published, the packages are scoped to the account defined here.
+      - name: Log in to the ghcr.io container registry
+        uses: docker/login-action@v3.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Format Timestamp
+        id: timestamp
+        # Use `date` with a custom format to achieve the key=value format GITHUB_OUTPUT expects.
+        run: date -u "+now=%Y%m%d.%H%M%S.%3NZ" >> "$GITHUB_OUTPUT"
+
+      - name: Issue Image Publish Warning
+        if:  ${{ inputs.publish && github.ref_name != 'main' }}
+        run: echo "::warning::test-ubuntu-git images can only be published from the actions/checkout 'main' branch.  Workflow will continue with push/publish disabled."
+
+      # Use `docker/build-push-action` to build (and optionally publish) the image. 
+      - name: Build Docker Image (with optional Push)
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: .
+          file: images/test-ubuntu-git.Dockerfile
+          # For now, attempts to push to ghcr.io must target the `main` branch.
+          # In the future, consider also allowing attempts from `releases/*` branches.
+          push: ${{ inputs.publish && github.ref_name == 'main' }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}.${{ steps.timestamp.outputs.now }}

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## v4.1.4
+- Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1692
+- Add dependabot config by @cory-miller in https://github.com/actions/checkout/pull/1688
+- Bump the minor-actions-dependencies group with 2 updates by @dependabot in https://github.com/actions/checkout/pull/1693
+- Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in https://github.com/actions/checkout/pull/1643
+
+## v4.1.3
+- Check git version before attempting to disable `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1656
+- Add SSH user parameter by @cory-miller in https://github.com/actions/checkout/pull/1685
+- Update `actions/checkout` version in `update-main-version.yml` by @jww3 in https://github.com/actions/checkout/pull/1650
+
+## v4.1.2
+- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present @dscho in https://github.com/actions/checkout/pull/1598
+
+## v4.1.1
+- Correct link to GitHub Docs by @peterbe in https://github.com/actions/checkout/pull/1511
+- Link to release page from what's new section by @cory-miller in https://github.com/actions/checkout/pull/1514
+
+## v4.1.0
+- [Add support for partial checkout filters](https://github.com/actions/checkout/pull/1396)
+
 ## v4.0.0
 - [Support fetching without the --progress option](https://github.com/actions/checkout/pull/1067)
 - [Update to node20](https://github.com/actions/checkout/pull/1436)

CODEOWNERS

@@ -1 +1 @@
-* @actions/actions-runtime
+* @actions/actions-launch

README.md

@@ -1,10 +1,10 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout V3
+# Checkout V4
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
 The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
 
@@ -12,14 +12,13 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 # What's new
 
-- Updated to the node16 runtime by default
+Please refer to the [release page](https://github.com/actions/checkout/releases/latest) for the latest release notes.
-  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -63,6 +62,11 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
     # Default: true
     ssh-strict: ''
 
+    # The user to use when connecting to the remote SSH host. By default 'git' is
+    # used.
+    # Default: git
+    ssh-user: ''
+
     # Whether to configure the token or SSH key with the local git config
     # Default: true
     persist-credentials: ''
@@ -74,8 +78,12 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
     # Default: true
     clean: ''
 
+    # Partially clone against a given filter. Overrides sparse-checkout if set.
+    # Default: null
+    filter: ''
+
     # Do a sparse checkout on given patterns. Each pattern should be separated with
-    # new lines
+    # new lines.
     # Default: null
     sparse-checkout: ''
 
@@ -139,7 +147,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     sparse-checkout: .
 ```
@@ -147,7 +155,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     sparse-checkout: |
       .github
@@ -157,7 +165,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     sparse-checkout: |
       README.md
@@ -167,7 +175,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     fetch-depth: 0
 ```
@@ -175,7 +183,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     ref: my-branch
 ```
@@ -183,7 +191,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -193,12 +201,12 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -209,10 +217,10 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
 
 - name: Checkout tools repo
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -223,12 +231,12 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -241,7 +249,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -257,7 +265,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 ```
 
 ## Push a commit using the built-in token
@@ -268,11 +276,12 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: |
           date > generated.txt
-          git config user.name github-actions
+          # Note: the following account information will not work on GHES
-          git config user.email github-actions@github.com
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .
           git commit -m "generated"
           git push

__test__/git-auth-helper.test.ts

@@ -169,8 +169,9 @@ describe('git-auth-helper tests', () => {
 
     // Mock fs.promises.readFile
     const realReadFile = fs.promises.readFile
-    jest.spyOn(fs.promises, 'readFile').mockImplementation(
+    jest
-      async (file: any, options: any): Promise<Buffer> => {
+      .spyOn(fs.promises, 'readFile')
+      .mockImplementation(async (file: any, options: any): Promise<Buffer> => {
         const userKnownHostsPath = path.join(
           os.homedir(),
           '.ssh',
@@ -181,8 +182,7 @@ describe('git-auth-helper tests', () => {
         }
 
         return await realReadFile(file, options)
-      }
+      })
-    )
 
     // Act
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
@@ -727,6 +727,7 @@ async function setup(testName: string): Promise<void> {
     branchDelete: jest.fn(),
     branchExists: jest.fn(),
     branchList: jest.fn(),
+    disableSparseCheckout: jest.fn(),
     sparseCheckout: jest.fn(),
     sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
@@ -795,13 +796,15 @@ async function setup(testName: string): Promise<void> {
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
-    tryReset: jest.fn()
+    tryReset: jest.fn(),
+    version: jest.fn()
   }
 
   settings = {
     authToken: 'some auth token',
     clean: true,
     commit: '',
+    filter: undefined,
     sparseCheckout: [],
     sparseCheckoutConeMode: true,
     fetchDepth: 1,
@@ -818,6 +821,7 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
+    sshUser: '',
     workflowOrganizationId: 123456,
     setSafeDirectory: true,
     githubServerUrl: githubServerUrl

__test__/git-directory-helper.test.ts

@@ -462,6 +462,7 @@ async function setup(testName: string): Promise<void> {
     branchList: jest.fn(async () => {
       return []
     }),
+    disableSparseCheckout: jest.fn(),
     sparseCheckout: jest.fn(),
     sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
@@ -500,6 +501,7 @@ async function setup(testName: string): Promise<void> {
     }),
     tryReset: jest.fn(async () => {
       return true
-    })
+    }),
+    version: jest.fn()
   }
 }

__test__/git-version.test.ts

@@ -1,4 +1,5 @@
-import {GitVersion} from '../lib/git-version'
+import {GitVersion} from '../src/git-version'
+import {MinimumGitSparseCheckoutVersion} from '../src/git-command-manager'
 
 describe('git-version tests', () => {
   it('basics', async () => {
@@ -42,4 +43,44 @@ describe('git-version tests', () => {
     expect(version.checkMinimum(new GitVersion('5.1'))).toBeFalsy()
     expect(version.checkMinimum(new GitVersion('5.1.2'))).toBeFalsy()
   })
+
+  it('sparse checkout', async () => {
+    const minSparseVer = MinimumGitSparseCheckoutVersion
+    expect(new GitVersion('1.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('1.99').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.9').checkMinimum(minSparseVer)).toBeFalsy()
+    //                             /---------------------------------------
+    //         ^^^ before         /         after vvv
+    // --------------------------/
+    expect(new GitVersion('2.28').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.1').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.9').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.1').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.9').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('3.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('3.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('4.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('4.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('5.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('5.99').checkMinimum(minSparseVer)).toBeTruthy()
+  })
 })

__test__/input-helper.test.ts

@@ -79,6 +79,7 @@ describe('input-helper tests', () => {
     expect(settings.clean).toBe(true)
     expect(settings.commit).toBeTruthy()
     expect(settings.commit).toBe('1234567890123456789012345678901234567890')
+    expect(settings.filter).toBe(undefined)
     expect(settings.sparseCheckout).toBe(undefined)
     expect(settings.sparseCheckoutConeMode).toBe(true)
     expect(settings.fetchDepth).toBe(1)

__test__/ref-helper.test.ts

@@ -7,11 +7,11 @@ let git: IGitCommandManager
 
 describe('ref-helper tests', () => {
   beforeEach(() => {
-    git = ({} as unknown) as IGitCommandManager
+    git = {} as unknown as IGitCommandManager
   })
 
   it('getCheckoutInfo requires git', async () => {
-    const git = (null as unknown) as IGitCommandManager
+    const git = null as unknown as IGitCommandManager
     try {
       await refHelper.getCheckoutInfo(git, 'refs/heads/my/branch', commit)
       throw new Error('Should not reach here')

__test__/retry-helper.test.ts

@@ -68,7 +68,7 @@ describe('retry-helper tests', () => {
 
   it('all attempts fail succeeds', async () => {
     let attempts = 0
-    let error: Error = (null as unknown) as Error
+    let error: Error = null as unknown as Error
     try {
       await retryHelper.execute(() => {
         throw new Error(`some error ${++attempts}`)

__test__/verify-basic.sh

@@ -18,6 +18,20 @@ else
     exit 1
   fi
 
+  # Verify that sparse-checkout is disabled.
+  SPARSE_CHECKOUT_ENABLED=$(git -C ./basic config --local --get-all core.sparseCheckout)
+  if [ "$SPARSE_CHECKOUT_ENABLED" != "" ]; then
+    echo "Expected sparse-checkout to be disabled (discovered: $SPARSE_CHECKOUT_ENABLED)"
+    exit 1
+  fi
+
+  # Verify git configuration shows worktreeConfig is effectively disabled
+  WORKTREE_CONFIG_ENABLED=$(git -C ./basic config --local --get-all extensions.worktreeConfig)
+  if [[ "$WORKTREE_CONFIG_ENABLED" != "" ]]; then
+    echo "Expected extensions.worktreeConfig (boolean) to be disabled in git config.  This could be an artifact of sparse checkout functionality."
+    exit 1
+  fi
+
   # Verify auth token
   cd basic
   git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main

__test__/verify-fetch-filter.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Verify .git folder
+if [ ! -d "./fetch-filter/.git" ]; then
+  echo "Expected ./fetch-filter/.git folder to exist"
+  exit 1
+fi
+
+# Verify .git/config contains partialclonefilter
+
+CLONE_FILTER=$(git -C fetch-filter config --local --get remote.origin.partialclonefilter)
+
+if [ "$CLONE_FILTER" != "blob:none" ]; then
+  echo "Expected ./fetch-filter/.git/config to have 'remote.origin.partialclonefilter' set to 'blob:none'"
+  exit 1
+fi

action.yml

@@ -45,6 +45,10 @@ inputs:
       and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
       configure additional hosts.
     default: true
+  ssh-user:
+    description: >
+      The user to use when connecting to the remote SSH host. By default 'git' is used.
+    default: git
   persist-credentials:
     description: 'Whether to configure the token or SSH key with the local git config'
     default: true
@@ -53,10 +57,15 @@ inputs:
   clean:
     description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
     default: true
+  filter:
+    description: >
+      Partially clone against a given filter.
+      Overrides sparse-checkout if set.
+    default: null
   sparse-checkout:
     description: >
       Do a sparse checkout on given patterns.
-      Each pattern should be separated with new lines
+      Each pattern should be separated with new lines.
     default: null
   sparse-checkout-cone-mode:
     description: >

images/test-ubuntu-git.Dockerfile

@@ -0,0 +1,12 @@
+# Defines the test-ubuntu-git Container Image.
+# Consumed by actions/checkout CI/CD validation workflows.
+
+FROM ubuntu:latest
+
+RUN apt update
+RUN apt install -y git
+
+LABEL org.opencontainers.image.title="Ubuntu + git (validation image)"
+LABEL org.opencontainers.image.description="Ubuntu image with git pre-installed. Intended primarily for testing `actions/checkout` during CI/CD workflows."
+LABEL org.opencontainers.image.documentation="https://github.com/actions/checkout/tree/main/images/test-ubuntu-git.md"
+LABEL org.opencontainers.image.licenses=MIT

images/test-ubuntu-git.md

@@ -0,0 +1,15 @@
+# `test-ubuntu-git` Container Image
+
+[![Publish test-ubuntu-git Container](https://github.com/actions/checkout/actions/workflows/update-test-ubuntu-git.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/update-test-ubuntu-git.yml)
+
+## Purpose
+
+`test-ubuntu-git` is a container image hosted on the GitHub Container Registry, `ghcr.io`.  
+
+It is intended primarily for testing the [`actions/checkout` repository](https://github.com/actions/checkout) as part of `actions/checkout`'s CI/CD workflows.
+
+The composition of `test-ubuntu-git` is intentionally minimal.  It is comprised of [git](https://git-scm.com/) installed on top of a [base-level ubuntu image](https://hub.docker.com/_/ubuntu/tags).
+
+# License
+
+`test-ubuntu-git` is released under the [MIT License](/LICENSE).

jest.config.js

@@ -1,5 +1,6 @@
 module.exports = {
   clearMocks: true,
+  fakeTimers: {},
   moduleFileExtensions: ['js', 'ts'],
   testEnvironment: 'node',
   testMatch: ['**/*.test.ts'],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "4.0.0",
+  "version": "4.1.4",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -28,28 +28,28 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.10.0",
+    "@actions/core": "^1.10.1",
-    "@actions/exec": "^1.0.1",
+    "@actions/exec": "^1.1.1",
-    "@actions/github": "^5.0.0",
+    "@actions/github": "^6.0.0",
     "@actions/io": "^1.1.3",
-    "@actions/tool-cache": "^1.1.2",
+    "@actions/tool-cache": "^2.0.1",
-    "uuid": "^3.3.3"
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@types/jest": "^27.0.2",
+    "@types/jest": "^29.5.12",
-    "@types/node": "^20.5.3",
+    "@types/node": "^20.12.7",
-    "@types/uuid": "^3.4.6",
+    "@types/uuid": "^9.0.8",
-    "@typescript-eslint/eslint-plugin": "^5.45.0",
+    "@typescript-eslint/eslint-plugin": "^7.7.1",
-    "@typescript-eslint/parser": "^5.45.0",
+    "@typescript-eslint/parser": "^7.7.1",
-    "@vercel/ncc": "^0.36.1",
+    "@vercel/ncc": "^0.38.1",
-    "eslint": "^7.32.0",
+    "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.3.2",
+    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^25.7.0",
+    "eslint-plugin-jest": "^28.2.0",
-    "jest": "^27.3.0",
+    "jest": "^29.7.0",
-    "jest-circus": "^27.3.0",
+    "jest-circus": "^29.7.0",
-    "js-yaml": "^3.13.1",
+    "js-yaml": "^4.1.0",
-    "prettier": "^1.19.1",
+    "prettier": "^3.2.5",
-    "ts-jest": "^27.0.7",
+    "ts-jest": "^29.1.2",
-    "typescript": "^4.4.4"
+    "typescript": "^5.4.5"
   }
-}
+}

src/fs-helper.ts

@@ -18,8 +18,9 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+      `Encountered an error when checking whether path '${path}' exists: ${
-        ?.message ?? error}`
+        (error as any)?.message ?? error
+      }`
     )
   }
 
@@ -45,8 +46,9 @@ export function existsSync(path: string): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+      `Encountered an error when checking whether path '${path}' exists: ${
-        ?.message ?? error}`
+        (error as any)?.message ?? error
+      }`
     )
   }
 
@@ -67,8 +69,9 @@ export function fileExistsSync(path: string): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+      `Encountered an error when checking whether path '${path}' exists: ${
-        ?.message ?? error}`
+        (error as any)?.message ?? error
+      }`
     )
   }
 

src/git-auth-helper.ts

@@ -8,7 +8,7 @@ import * as path from 'path'
 import * as regexpHelper from './regexp-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
-import {default as uuid} from 'uuid/v4'
+import {v4 as uuid} from 'uuid'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 
@@ -49,7 +49,7 @@ class GitAuthHelper {
     gitSourceSettings: IGitSourceSettings | undefined
   ) {
     this.git = gitCommandManager
-    this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
+    this.settings = gitSourceSettings || ({} as unknown as IGitSourceSettings)
 
     // Token auth header
     const serverUrl = urlHelper.getServerUrl(this.settings.githubServerUrl)

src/git-command-manager.ts

@@ -11,12 +11,15 @@ import {GitVersion} from './git-version'
 
 // Auth header not supported before 2.9
 // Wire protocol v2 not supported before 2.18
+// sparse-checkout not [well-]supported before 2.28 (see https://github.com/actions/checkout/issues/1386)
 export const MinimumGitVersion = new GitVersion('2.18')
+export const MinimumGitSparseCheckoutVersion = new GitVersion('2.28')
 
 export interface IGitCommandManager {
   branchDelete(remote: boolean, branch: string): Promise<void>
   branchExists(remote: boolean, pattern: string): Promise<boolean>
   branchList(remote: boolean): Promise<string[]>
+  disableSparseCheckout(): Promise<void>
   sparseCheckout(sparseCheckout: string[]): Promise<void>
   sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void>
   checkout(ref: string, startPoint: string): Promise<void>
@@ -59,6 +62,7 @@ export interface IGitCommandManager {
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
   tryReset(): Promise<boolean>
+  version(): Promise<GitVersion>
 }
 
 export async function createCommandManager(
@@ -82,6 +86,7 @@ class GitCommandManager {
   private lfs = false
   private doSparseCheckout = false
   private workingDirectory = ''
+  private gitVersion: GitVersion = new GitVersion()
 
   // Private constructor; use createCommandManager()
   private constructor() {}
@@ -171,6 +176,12 @@ class GitCommandManager {
     return result
   }
 
+  async disableSparseCheckout(): Promise<void> {
+    await this.execGit(['sparse-checkout', 'disable'])
+    // Disabling 'sparse-checkout` leaves behind an undesirable side-effect in config (even in a pristine environment).
+    await this.tryConfigUnset('extensions.worktreeConfig', false)
+  }
+
   async sparseCheckout(sparseCheckout: string[]): Promise<void> {
     await this.execGit(['sparse-checkout', 'set', ...sparseCheckout])
   }
@@ -475,6 +486,10 @@ class GitCommandManager {
     return output.exitCode === 0
   }
 
+  async version(): Promise<GitVersion> {
+    return this.gitVersion
+  }
+
   static async createCommandManager(
     workingDirectory: string,
     lfs: boolean,
@@ -551,23 +566,23 @@ class GitCommandManager {
 
     // Git version
     core.debug('Getting git version')
-    let gitVersion = new GitVersion()
+    this.gitVersion = new GitVersion()
     let gitOutput = await this.execGit(['version'])
     let stdout = gitOutput.stdout.trim()
     if (!stdout.includes('\n')) {
       const match = stdout.match(/\d+\.\d+(\.\d+)?/)
       if (match) {
-        gitVersion = new GitVersion(match[0])
+        this.gitVersion = new GitVersion(match[0])
       }
     }
-    if (!gitVersion.isValid()) {
+    if (!this.gitVersion.isValid()) {
       throw new Error('Unable to determine git version')
     }
 
     // Minimum git version
-    if (!gitVersion.checkMinimum(MinimumGitVersion)) {
+    if (!this.gitVersion.checkMinimum(MinimumGitVersion)) {
       throw new Error(
-        `Minimum required git version is ${MinimumGitVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
+        `Minimum required git version is ${MinimumGitVersion}. Your git ('${this.gitPath}') is ${this.gitVersion}`
       )
     }
 
@@ -601,16 +616,14 @@ class GitCommandManager {
 
     this.doSparseCheckout = doSparseCheckout
     if (this.doSparseCheckout) {
-      // The `git sparse-checkout` command was introduced in Git v2.25.0
+      if (!this.gitVersion.checkMinimum(MinimumGitSparseCheckoutVersion)) {
-      const minimumGitSparseCheckoutVersion = new GitVersion('2.25')
-      if (!gitVersion.checkMinimum(minimumGitSparseCheckoutVersion)) {
         throw new Error(
-          `Minimum Git version required for sparse checkout is ${minimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
+          `Minimum Git version required for sparse checkout is ${MinimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${this.gitVersion}`
         )
       }
     }
     // Set the user agent
-    const gitHttpUserAgent = `git/${gitVersion} (github-actions-checkout)`
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
     core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
     this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
   }

src/git-source-provider.ts

@@ -9,7 +9,10 @@ import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
-import {IGitCommandManager} from './git-command-manager'
+import {
+  MinimumGitSparseCheckoutVersion,
+  IGitCommandManager
+} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 
 export async function getSource(settings: IGitSourceSettings): Promise<void> {
@@ -159,7 +162,13 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
       fetchTags?: boolean
       showProgress?: boolean
     } = {}
-    if (settings.sparseCheckout) fetchOptions.filter = 'blob:none'
+
+    if (settings.filter) {
+      fetchOptions.filter = settings.filter
+    } else if (settings.sparseCheckout) {
+      fetchOptions.filter = 'blob:none'
+    }
+
     if (settings.fetchDepth <= 0) {
       // Fetch all branches and tags
       let refSpec = refHelper.getRefSpecForAllHistory(
@@ -202,7 +211,13 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     }
 
     // Sparse checkout
-    if (settings.sparseCheckout) {
+    if (!settings.sparseCheckout) {
+      let gitVersion = await git.version()
+      // no need to disable sparse-checkout if the installed git runtime doesn't even support it.
+      if (gitVersion.checkMinimum(MinimumGitSparseCheckoutVersion)) {
+        await git.disableSparseCheckout()
+      }
+    } else {
       core.startGroup('Setting up sparse checkout')
       if (settings.sparseCheckoutConeMode) {
         await git.sparseCheckout(settings.sparseCheckout)

src/git-source-settings.ts

@@ -29,6 +29,11 @@ export interface IGitSourceSettings {
    */
   clean: boolean
 
+  /**
+   * The filter determining which objects to include
+   */
+  filter: string | undefined
+
   /**
    * The array of folders to make the sparse checkout
    */
@@ -89,6 +94,11 @@ export interface IGitSourceSettings {
    */
   sshStrict: boolean
 
+  /**
+   * The SSH user to login as
+   */
+  sshUser: string
+
   /**
    * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
    */

src/github-api-helper.ts

@@ -6,7 +6,7 @@ import * as io from '@actions/io'
 import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
-import {default as uuid} from 'uuid/v4'
+import {v4 as uuid} from 'uuid'
 import {getServerApiUrl} from './url-helper'
 
 const IS_WINDOWS = process.platform === 'win32'

src/input-helper.ts

@@ -6,7 +6,7 @@ import * as workflowContextHelper from './workflow-context-helper'
 import {IGitSourceSettings} from './git-source-settings'
 
 export async function getInputs(): Promise<IGitSourceSettings> {
-  const result = ({} as unknown) as IGitSourceSettings
+  const result = {} as unknown as IGitSourceSettings
 
   // GitHub workspace
   let githubWorkspacePath = process.env['GITHUB_WORKSPACE']
@@ -82,6 +82,14 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
   core.debug(`clean = ${result.clean}`)
 
+  // Filter
+  const filter = core.getInput('filter')
+  if (filter) {
+    result.filter = filter
+  }
+
+  core.debug(`filter = ${result.filter}`)
+
   // Sparse checkout
   const sparseCheckout = core.getMultilineInput('sparse-checkout')
   if (sparseCheckout.length) {
@@ -135,13 +143,15 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   result.sshKnownHosts = core.getInput('ssh-known-hosts')
   result.sshStrict =
     (core.getInput('ssh-strict') || 'true').toUpperCase() === 'TRUE'
+  result.sshUser = core.getInput('ssh-user')
 
   // Persist credentials
   result.persistCredentials =
     (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
   // Workflow organization ID
-  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
+  result.workflowOrganizationId =
+    await workflowContextHelper.getOrganizationId()
 
   // Set safe.directory in git global config.
   result.setSafeDirectory =

src/misc/generate-docs.ts

@@ -20,7 +20,7 @@ function updateUsage(
   }
 
   // Load the action.yml
-  const actionYaml = yaml.safeLoad(fs.readFileSync(actionYamlPath).toString())
+  const actionYaml = yaml.load(fs.readFileSync(actionYamlPath).toString())
 
   // Load the README
   const originalReadme = fs.readFileSync(readmePath).toString()
@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v3',
+  'actions/checkout@v4',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/ref-helper.ts

@@ -23,7 +23,7 @@ export async function getCheckoutInfo(
     throw new Error('Args ref and commit cannot both be empty')
   }
 
-  const result = ({} as unknown) as ICheckoutInfo
+  const result = {} as unknown as ICheckoutInfo
   const upperRef = (ref || '').toUpperCase()
 
   // SHA only

src/url-helper.ts

@@ -12,7 +12,8 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
   const encodedOwner = encodeURIComponent(settings.repositoryOwner)
   const encodedName = encodeURIComponent(settings.repositoryName)
   if (settings.sshKey) {
-    return `git@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
+    const user = settings.sshUser.length > 0 ? settings.sshUser : 'git'
+    return `${user}@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
   }
 
   // "origin" is SCHEME://HOSTNAME[:PORT]

src/workflow-context-helper.ts

@@ -23,8 +23,9 @@ export async function getOrganizationId(): Promise<number | undefined> {
     return id as number
   } catch (err) {
     core.debug(
-      `Unable to load organization ID from GITHUB_EVENT_PATH: ${(err as any)
+      `Unable to load organization ID from GITHUB_EVENT_PATH: ${
-        .message || err}`
+        (err as any).message || err
+      }`
     )
   }
 }