Merge branch 'master' into patch-1

5 years ago · beb483bbd0
parent bc7e2aae6a 61b9e3751b
commit beb483bbd0
29 changed files with 17617 additions and 1093 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -19,8 +19,6 @@ jobs:
      - run: npm run build
      - run: npm run format-check
      - run: npm run lint
      - run: npm run pack
      - run: npm run gendocs
      - run: npm test
      - name: Verify no unstaged changes
        run: __test__/verify-no-unstaged-changes.sh
@ -37,7 +35,7 @@ jobs:
        uses: actions/checkout@v2
      # Basic checkout
-      - name: Basic checkout
+      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
@ -50,7 +48,7 @@ jobs:
      - name: Modify work tree
        shell: bash
        run: __test__/modify-work-tree.sh
-      - name: Clean checkout
+      - name: Checkout clean
        uses: ./
        with:
          ref: test-data/v2/basic
@ -60,12 +58,12 @@ jobs:
        run: __test__/verify-clean.sh
      # Side by side
-      - name: Side by side checkout 1
+      - name: Checkout side by side 1
        uses: ./
        with:
          ref: test-data/v2/side-by-side-1
          path: side-by-side-1
-      - name: Side by side checkout 2
+      - name: Checkout side by side 2
        uses: ./
        with:
          ref: test-data/v2/side-by-side-2
@ -75,7 +73,7 @@ jobs:
        run: __test__/verify-side-by-side.sh
      # LFS
-      - name: LFS checkout
+      - name: Checkout LFS
        uses: ./
        with:
          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
@ -86,6 +84,35 @@ jobs:
        shell: bash
        run: __test__/verify-lfs.sh
      # Submodules false
      - name: Checkout submodules false
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-false
      - name: Verify submodules false
        run: __test__/verify-submodules-false.sh
      # Submodules one level
      - name: Checkout submodules true
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-true
          submodules: true
      - name: Verify submodules true
        run: __test__/verify-submodules-true.sh
      # Submodules recursive
      - name: Checkout submodules recursive
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-recursive
          submodules: recursive
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
@ -100,7 +127,7 @@ jobs:
      - name: Override git version (Windows)
        if: runner.os == 'windows'
        run: __test__\\override-git-version.cmd
-      - name: Basic checkout using REST API
+      - name: Checkout basic using REST API
        uses: ./
        with:
          ref: test-data/v2/basic
@ -126,7 +153,7 @@ jobs:
        uses: actions/checkout@v2
      # Basic checkout using git
-      - name: Basic checkout
+      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
@ -158,7 +185,7 @@ jobs:
        uses: actions/checkout@v2
      # Basic checkout using git
-      - name: Basic checkout
+      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
@ -171,7 +198,7 @@ jobs:
      # Basic checkout using REST API
      - name: Override git version
        run: __test__/override-git-version.sh
-      - name: Basic checkout using REST API
+      - name: Checkout basic using REST API
        uses: ./
        with:
          ref: test-data/v2/basic
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 __test__/_temp
 lib/
 node_modules/
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,40 @@
 # Changelog
 ## v2.3.1
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
 ## v2.3.0
 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)
 ## v2.2.0
 - [Fetch all history for all tags and branches when fetch-depth=0](https://github.com/actions/checkout/pull/258)
 ## v2.1.1
 - Changes to support GHES ([here](https://github.com/actions/checkout/pull/236) and [here](https://github.com/actions/checkout/pull/248))
 ## v2.1.0
 - [Group output](https://github.com/actions/checkout/pull/191)
 - [Changes to support GHES alpha release](https://github.com/actions/checkout/pull/199)
 - [Persist core.sshCommand for submodules](https://github.com/actions/checkout/pull/184)
 - [Add support ssh](https://github.com/actions/checkout/pull/163)
 - [Convert submodule SSH URL to HTTPS, when not using SSH](https://github.com/actions/checkout/pull/179)
 - [Add submodule support](https://github.com/actions/checkout/pull/157)
 - [Follow proxy settings](https://github.com/actions/checkout/pull/144)
 - [Fix ref for pr closed event when a pr is merged](https://github.com/actions/checkout/pull/141)
 - [Fix issue checking detached when git less than 2.22](https://github.com/actions/checkout/pull/128)
 ## v2.0.0
 - [Do not pass cred on command line](https://github.com/actions/checkout/pull/108)
 - [Add input persist-credentials](https://github.com/actions/checkout/pull/107)
 - [Fallback to REST API to download repo](https://github.com/actions/checkout/pull/104)
 ## v2 (beta)
 - Improved fetch performance
--- a/README.md
+++ b/README.md
@ -6,7 +6,7 @@
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth` to fetch more history. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
@ -18,6 +18,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
  - Fetches only a single commit by default
 - Script authenticated git commands
  - Auth token persisted in the local git config
 - Supports SSH
 - Creates a local branch
  - No longer detached HEAD when checking out a branch
 - Improved layout
@ -26,7 +27,6 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 - Fallback to REST API download
  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
  - When using a job container, the container's PATH is used
 - Removed input `submodules`
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@ -42,17 +42,43 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
    # The branch, tag or SHA to checkout. When checking out the repository that
    # triggered a workflow, this defaults to the reference or SHA for that event.
-    # Otherwise, defaults to `master`.
+    # Otherwise, uses the default branch.
    ref: ''
-    # Auth token used to fetch the repository. The token is stored in the local git
+    # Personal access token (PAT) used to fetch the repository. The PAT is configured
-    # config, which enables your scripts to run authenticated git commands. The
+    # with the local git config, which enables your scripts to run authenticated git
-    # post-job step removes the token from the git config. [Learn more about creating
+    # commands. The post-job step removes the PAT.
-    # and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    #
    # We recommend using a service account with the least permissions necessary. Also
    # when generating a new PAT, select the least scopes necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    #
    # Default: ${{ github.token }}
    token: ''
-    # Whether to persist the token in the git config
+    # SSH key used to fetch the repository. The SSH key is configured with the local
    # git config, which enables your scripts to run authenticated git commands. The
    # post-job step removes the SSH key.
    #
    # We recommend using a service account with the least permissions necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    ssh-key: ''
    # Known hosts in addition to the user and global host key database. The public SSH
    # keys for a host may be obtained using the utility `ssh-keyscan`. For example,
    # `ssh-keyscan github.com`. The public key for github.com is always implicitly
    # added.
    ssh-known-hosts: ''
    # Whether to perform strict host key checking. When true, adds the options
    # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
    # the input `ssh-known-hosts` to configure additional hosts.
    # Default: true
    ssh-strict: ''
    # Whether to configure the token or SSH key with the local git config
    # Default: true
    persist-credentials: ''
@ -63,18 +89,28 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
    # Default: true
    clean: ''
-    # Number of commits to fetch. 0 indicates all history.
+    # Number of commits to fetch. 0 indicates all history for all branches and tags.
    # Default: 1
    fetch-depth: ''
    # Whether to download Git-LFS files
    # Default: false
    lfs: ''
    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
    # recursively checkout submodules.
    #
    # When the `ssh-key` input is not provided, SSH URLs beginning with
    # `git@github.com:` are converted to HTTPS.
    #
    # Default: false
    submodules: ''
 ```
 <!-- end usage -->
 # Scenarios
 - [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
 - [Checkout a different branch](#Checkout-a-different-branch)
 - [Checkout HEAD^](#Checkout-HEAD)
 - [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
@ -82,10 +118,14 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
- [Checkout submodules](#Checkout-submodules)
+
- [Fetch all tags](#Fetch-all-tags)
+## Fetch all history for all tags and branches
- [Fetch all branches](#Fetch-all-branches)
+
- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
+```yaml
 - uses: actions/checkout@v2
  with:
    fetch-depth: 0
 ```
 ## Checkout a different branch
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@ -0,0 +1,802 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
 import * as gitAuthHelper from '../lib/git-auth-helper'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
 import * as stateHelper from '../lib/state-helper'
 import {IGitCommandManager} from '../lib/git-command-manager'
 import {IGitSourceSettings} from '../lib/git-source-settings'
 const isWindows = process.platform === 'win32'
 const testWorkspace = path.join(__dirname, '_temp', 'git-auth-helper')
 const originalRunnerTemp = process.env['RUNNER_TEMP']
 const originalHome = process.env['HOME']
 let workspace: string
 let localGitConfigPath: string
 let globalGitConfigPath: string
 let runnerTemp: string
 let tempHomedir: string
 let git: IGitCommandManager & {env: {[key: string]: string}}
 let settings: IGitSourceSettings
 let sshPath: string
 describe('git-auth-helper tests', () => {
  beforeAll(async () => {
    // SSH
    sshPath = await io.which('ssh')
    // Clear test workspace
    await io.rmRF(testWorkspace)
  })
  beforeEach(() => {
    // Mock setSecret
    jest.spyOn(core, 'setSecret').mockImplementation((secret: string) => {})
    // Mock error/warning/info/debug
    jest.spyOn(core, 'error').mockImplementation(jest.fn())
    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
    jest.spyOn(core, 'info').mockImplementation(jest.fn())
    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
    // Mock state helper
    jest.spyOn(stateHelper, 'setSshKeyPath').mockImplementation(jest.fn())
    jest
      .spyOn(stateHelper, 'setSshKnownHostsPath')
      .mockImplementation(jest.fn())
  })
  afterEach(() => {
    // Unregister mocks
    jest.restoreAllMocks()
    // Restore HOME
    if (originalHome) {
      process.env['HOME'] = originalHome
    } else {
      delete process.env['HOME']
    }
  })
  afterAll(() => {
    // Restore RUNNER_TEMP
    delete process.env['RUNNER_TEMP']
    if (originalRunnerTemp) {
      process.env['RUNNER_TEMP'] = originalRunnerTemp
    }
  })
  const configureAuth_configuresAuthHeader =
    'configureAuth configures auth header'
  it(configureAuth_configuresAuthHeader, async () => {
    // Arrange
    await setup(configureAuth_configuresAuthHeader)
    expect(settings.authToken).toBeTruthy() // sanity check
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert config
    const configContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    expect(
      configContent.indexOf(
        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
      )
    ).toBeGreaterThanOrEqual(0)
  })
  const configureAuth_configuresAuthHeaderEvenWhenPersistCredentialsFalse =
    'configureAuth configures auth header even when persist credentials false'
  it(
    configureAuth_configuresAuthHeaderEvenWhenPersistCredentialsFalse,
    async () => {
      // Arrange
      await setup(
        configureAuth_configuresAuthHeaderEvenWhenPersistCredentialsFalse
      )
      expect(settings.authToken).toBeTruthy() // sanity check
      settings.persistCredentials = false
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      // Act
      await authHelper.configureAuth()
      // Assert config
      const configContent = (
        await fs.promises.readFile(localGitConfigPath)
      ).toString()
      expect(
        configContent.indexOf(
          `http.https://github.com/.extraheader AUTHORIZATION`
        )
      ).toBeGreaterThanOrEqual(0)
    }
  )
  const configureAuth_copiesUserKnownHosts =
    'configureAuth copies user known hosts'
  it(configureAuth_copiesUserKnownHosts, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${configureAuth_copiesUserKnownHosts}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arange
    await setup(configureAuth_copiesUserKnownHosts)
    expect(settings.sshKey).toBeTruthy() // sanity check
    // Mock fs.promises.readFile
    const realReadFile = fs.promises.readFile
    jest.spyOn(fs.promises, 'readFile').mockImplementation(
      async (file: any, options: any): Promise<Buffer> => {
        const userKnownHostsPath = path.join(
          os.homedir(),
          '.ssh',
          'known_hosts'
        )
        if (file === userKnownHostsPath) {
          return Buffer.from('some-domain.com ssh-rsa ABCDEF')
        }
        return await realReadFile(file, options)
      }
    )
    // Act
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Assert known hosts
    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
    const actualSshKnownHostsContent = (
      await fs.promises.readFile(actualSshKnownHostsPath)
    ).toString()
    expect(actualSshKnownHostsContent).toMatch(
      /some-domain\.com ssh-rsa ABCDEF/
    )
    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
  })
  const configureAuth_registersBasicCredentialAsSecret =
    'configureAuth registers basic credential as secret'
  it(configureAuth_registersBasicCredentialAsSecret, async () => {
    // Arrange
    await setup(configureAuth_registersBasicCredentialAsSecret)
    expect(settings.authToken).toBeTruthy() // sanity check
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert secret
    const setSecretSpy = core.setSecret as jest.Mock<any, any>
    expect(setSecretSpy).toHaveBeenCalledTimes(1)
    const expectedSecret = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    expect(setSecretSpy).toHaveBeenCalledWith(expectedSecret)
  })
  const setsSshCommandEnvVarWhenPersistCredentialsFalse =
    'sets SSH command env var when persist-credentials false'
  it(setsSshCommandEnvVarWhenPersistCredentialsFalse, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${setsSshCommandEnvVarWhenPersistCredentialsFalse}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arrange
    await setup(setsSshCommandEnvVarWhenPersistCredentialsFalse)
    settings.persistCredentials = false
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert git env var
    const actualKeyPath = await getActualSshKeyPath()
    const actualKnownHostsPath = await getActualSshKnownHostsPath()
    const expectedSshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
      actualKeyPath
    )}" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
      actualKnownHostsPath
    )}"`
    expect(git.setEnvironmentVariable).toHaveBeenCalledWith(
      'GIT_SSH_COMMAND',
      expectedSshCommand
    )
    // Asserty git config
    const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
      .toString()
      .split('\n')
      .filter(x => x)
    expect(gitConfigLines).toHaveLength(1)
    expect(gitConfigLines[0]).toMatch(/^http\./)
  })
  const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
    'sets SSH command when persist-credentials true'
  it(configureAuth_setsSshCommandWhenPersistCredentialsTrue, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${configureAuth_setsSshCommandWhenPersistCredentialsTrue}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arrange
    await setup(configureAuth_setsSshCommandWhenPersistCredentialsTrue)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert git env var
    const actualKeyPath = await getActualSshKeyPath()
    const actualKnownHostsPath = await getActualSshKnownHostsPath()
    const expectedSshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
      actualKeyPath
    )}" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
      actualKnownHostsPath
    )}"`
    expect(git.setEnvironmentVariable).toHaveBeenCalledWith(
      'GIT_SSH_COMMAND',
      expectedSshCommand
    )
    // Asserty git config
    expect(git.config).toHaveBeenCalledWith(
      'core.sshCommand',
      expectedSshCommand
    )
  })
  const configureAuth_writesExplicitKnownHosts = 'writes explicit known hosts'
  it(configureAuth_writesExplicitKnownHosts, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${configureAuth_writesExplicitKnownHosts}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arrange
    await setup(configureAuth_writesExplicitKnownHosts)
    expect(settings.sshKey).toBeTruthy() // sanity check
    settings.sshKnownHosts = 'my-custom-host.com ssh-rsa ABC123'
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert known hosts
    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
    const actualSshKnownHostsContent = (
      await fs.promises.readFile(actualSshKnownHostsPath)
    ).toString()
    expect(actualSshKnownHostsContent).toMatch(
      /my-custom-host\.com ssh-rsa ABC123/
    )
    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
  })
  const configureAuth_writesSshKeyAndImplicitKnownHosts =
    'writes SSH key and implicit known hosts'
  it(configureAuth_writesSshKeyAndImplicitKnownHosts, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${configureAuth_writesSshKeyAndImplicitKnownHosts}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arrange
    await setup(configureAuth_writesSshKeyAndImplicitKnownHosts)
    expect(settings.sshKey).toBeTruthy() // sanity check
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    // Assert SSH key
    const actualSshKeyPath = await getActualSshKeyPath()
    expect(actualSshKeyPath).toBeTruthy()
    const actualSshKeyContent = (
      await fs.promises.readFile(actualSshKeyPath)
    ).toString()
    expect(actualSshKeyContent).toBe(settings.sshKey + '\n')
    if (!isWindows) {
      // Assert read/write for user, not group or others.
      // Otherwise SSH client will error.
      expect((await fs.promises.stat(actualSshKeyPath)).mode & 0o777).toBe(
        0o600
      )
    }
    // Assert known hosts
    const actualSshKnownHostsPath = await getActualSshKnownHostsPath()
    const actualSshKnownHostsContent = (
      await fs.promises.readFile(actualSshKnownHostsPath)
    ).toString()
    expect(actualSshKnownHostsContent).toMatch(/github\.com ssh-rsa AAAAB3N/)
  })
  const configureGlobalAuth_configuresUrlInsteadOfWhenSshKeyNotSet =
    'configureGlobalAuth configures URL insteadOf when SSH key not set'
  it(configureGlobalAuth_configuresUrlInsteadOfWhenSshKeyNotSet, async () => {
    // Arrange
    await setup(configureGlobalAuth_configuresUrlInsteadOfWhenSshKeyNotSet)
    settings.sshKey = ''
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    await authHelper.configureGlobalAuth()
    // Assert temporary global config
    expect(git.env['HOME']).toBeTruthy()
    const configContent = (
      await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
    ).toString()
    expect(
      configContent.indexOf(`url.https://github.com/.insteadOf git@github.com`)
    ).toBeGreaterThanOrEqual(0)
  })
  const configureGlobalAuth_copiesGlobalGitConfig =
    'configureGlobalAuth copies global git config'
  it(configureGlobalAuth_copiesGlobalGitConfig, async () => {
    // Arrange
    await setup(configureGlobalAuth_copiesGlobalGitConfig)
    await fs.promises.writeFile(globalGitConfigPath, 'value-from-global-config')
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Act
    await authHelper.configureAuth()
    await authHelper.configureGlobalAuth()
    // Assert original global config not altered
    let configContent = (
      await fs.promises.readFile(globalGitConfigPath)
    ).toString()
    expect(configContent).toBe('value-from-global-config')
    // Assert temporary global config
    expect(git.env['HOME']).toBeTruthy()
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    configContent = (
      await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
    ).toString()
    expect(
      configContent.indexOf('value-from-global-config')
    ).toBeGreaterThanOrEqual(0)
    expect(
      configContent.indexOf(
        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
      )
    ).toBeGreaterThanOrEqual(0)
  })
  const configureGlobalAuth_createsNewGlobalGitConfigWhenGlobalDoesNotExist =
    'configureGlobalAuth creates new git config when global does not exist'
  it(
    configureGlobalAuth_createsNewGlobalGitConfigWhenGlobalDoesNotExist,
    async () => {
      // Arrange
      await setup(
        configureGlobalAuth_createsNewGlobalGitConfigWhenGlobalDoesNotExist
      )
      await io.rmRF(globalGitConfigPath)
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      // Act
      await authHelper.configureAuth()
      await authHelper.configureGlobalAuth()
      // Assert original global config not recreated
      try {
        await fs.promises.stat(globalGitConfigPath)
        throw new Error(
          `Did not expect file to exist: '${globalGitConfigPath}'`
        )
      } catch (err) {
        if (err.code !== 'ENOENT') {
          throw err
        }
      }
      // Assert temporary global config
      expect(git.env['HOME']).toBeTruthy()
      const basicCredential = Buffer.from(
        `x-access-token:${settings.authToken}`,
        'utf8'
      ).toString('base64')
      const configContent = (
        await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
      ).toString()
      expect(
        configContent.indexOf(
          `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
        )
      ).toBeGreaterThanOrEqual(0)
    }
  )
  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet =
    'configureSubmoduleAuth configures submodules when persist credentials false and SSH key not set'
  it(
    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet,
    async () => {
      // Arrange
      await setup(
        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeyNotSet
      )
      settings.persistCredentials = false
      settings.sshKey = ''
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      await authHelper.configureAuth()
      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
      mockSubmoduleForeach.mockClear() // reset calls
      // Act
      await authHelper.configureSubmoduleAuth()
      // Assert
      expect(mockSubmoduleForeach).toBeCalledTimes(1)
      expect(mockSubmoduleForeach.mock.calls[0][0] as string).toMatch(
        /unset-all.*insteadOf/
      )
    }
  )
  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet =
    'configureSubmoduleAuth configures submodules when persist credentials false and SSH key set'
  it(
    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet,
    async () => {
      if (!sshPath) {
        process.stdout.write(
          `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
        )
        return
      }
      // Arrange
      await setup(
        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsFalseAndSshKeySet
      )
      settings.persistCredentials = false
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      await authHelper.configureAuth()
      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
      mockSubmoduleForeach.mockClear() // reset calls
      // Act
      await authHelper.configureSubmoduleAuth()
      // Assert
      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(1)
      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
        /unset-all.*insteadOf/
      )
    }
  )
  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet =
    'configureSubmoduleAuth configures submodules when persist credentials true and SSH key not set'
  it(
    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet,
    async () => {
      // Arrange
      await setup(
        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeyNotSet
      )
      settings.sshKey = ''
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      await authHelper.configureAuth()
      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
      mockSubmoduleForeach.mockClear() // reset calls
      // Act
      await authHelper.configureSubmoduleAuth()
      // Assert
      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
        /unset-all.*insteadOf/
      )
      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/url.*insteadOf/)
    }
  )
  const configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet =
    'configureSubmoduleAuth configures submodules when persist credentials true and SSH key set'
  it(
    configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet,
    async () => {
      if (!sshPath) {
        process.stdout.write(
          `Skipped test "${configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet}". Executable 'ssh' not found in the PATH.\n`
        )
        return
      }
      // Arrange
      await setup(
        configureSubmoduleAuth_configuresSubmodulesWhenPersistCredentialsTrueAndSshKeySet
      )
      const authHelper = gitAuthHelper.createAuthHelper(git, settings)
      await authHelper.configureAuth()
      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
      mockSubmoduleForeach.mockClear() // reset calls
      // Act
      await authHelper.configureSubmoduleAuth()
      // Assert
      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
        /unset-all.*insteadOf/
      )
      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
    }
  )
  const removeAuth_removesSshCommand = 'removeAuth removes SSH command'
  it(removeAuth_removesSshCommand, async () => {
    if (!sshPath) {
      process.stdout.write(
        `Skipped test "${removeAuth_removesSshCommand}". Executable 'ssh' not found in the PATH.\n`
      )
      return
    }
    // Arrange
    await setup(removeAuth_removesSshCommand)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('core.sshCommand')).toBeGreaterThanOrEqual(
      0
    ) // sanity check
    const actualKeyPath = await getActualSshKeyPath()
    expect(actualKeyPath).toBeTruthy()
    await fs.promises.stat(actualKeyPath)
    const actualKnownHostsPath = await getActualSshKnownHostsPath()
    expect(actualKnownHostsPath).toBeTruthy()
    await fs.promises.stat(actualKnownHostsPath)
    // Act
    await authHelper.removeAuth()
    // Assert git config
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('core.sshCommand')).toBeLessThan(0)
    // Assert SSH key file
    try {
      await fs.promises.stat(actualKeyPath)
      throw new Error('SSH key should have been deleted')
    } catch (err) {
      if (err.code !== 'ENOENT') {
        throw err
      }
    }
    // Assert known hosts file
    try {
      await fs.promises.stat(actualKnownHostsPath)
      throw new Error('SSH known hosts should have been deleted')
    } catch (err) {
      if (err.code !== 'ENOENT') {
        throw err
      }
    }
  })
  const removeAuth_removesToken = 'removeAuth removes token'
  it(removeAuth_removesToken, async () => {
    // Arrange
    await setup(removeAuth_removesToken)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
    // Act
    await authHelper.removeAuth()
    // Assert git config
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
  })
  const removeGlobalAuth_removesOverride = 'removeGlobalAuth removes override'
  it(removeGlobalAuth_removesOverride, async () => {
    // Arrange
    await setup(removeGlobalAuth_removesOverride)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    await authHelper.configureGlobalAuth()
    const homeOverride = git.env['HOME'] // Sanity check
    expect(homeOverride).toBeTruthy()
    await fs.promises.stat(path.join(git.env['HOME'], '.gitconfig'))
    // Act
    await authHelper.removeGlobalAuth()
    // Assert
    expect(git.env['HOME']).toBeUndefined()
    try {
      await fs.promises.stat(homeOverride)
      throw new Error(`Should have been deleted '${homeOverride}'`)
    } catch (err) {
      if (err.code !== 'ENOENT') {
        throw err
      }
    }
  })
 })
 async function setup(testName: string): Promise<void> {
  testName = testName.replace(/[^a-zA-Z0-9_]+/g, '-')
  // Directories
  workspace = path.join(testWorkspace, testName, 'workspace')
  runnerTemp = path.join(testWorkspace, testName, 'runner-temp')
  tempHomedir = path.join(testWorkspace, testName, 'home-dir')
  await fs.promises.mkdir(workspace, {recursive: true})
  await fs.promises.mkdir(runnerTemp, {recursive: true})
  await fs.promises.mkdir(tempHomedir, {recursive: true})
  process.env['RUNNER_TEMP'] = runnerTemp
  process.env['HOME'] = tempHomedir
  // Create git config
  globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
  await fs.promises.writeFile(globalGitConfigPath, '')
  localGitConfigPath = path.join(workspace, '.git', 'config')
  await fs.promises.mkdir(path.dirname(localGitConfigPath), {recursive: true})
  await fs.promises.writeFile(localGitConfigPath, '')
  git = {
    branchDelete: jest.fn(),
    branchExists: jest.fn(),
    branchList: jest.fn(),
    checkout: jest.fn(),
    checkoutDetach: jest.fn(),
    config: jest.fn(
      async (key: string, value: string, globalConfig?: boolean) => {
        const configPath = globalConfig
          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
          : localGitConfigPath
        await fs.promises.appendFile(configPath, `\n${key} ${value}`)
      }
    ),
    configExists: jest.fn(
      async (key: string, globalConfig?: boolean): Promise<boolean> => {
        const configPath = globalConfig
          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
          : localGitConfigPath
        const content = await fs.promises.readFile(configPath)
        const lines = content
          .toString()
          .split('\n')
          .filter(x => x)
        return lines.some(x => x.startsWith(key))
      }
    ),
    env: {},
    fetch: jest.fn(),
    getDefaultBranch: jest.fn(),
    getWorkingDirectory: jest.fn(() => workspace),
    init: jest.fn(),
    isDetached: jest.fn(),
    lfsFetch: jest.fn(),
    lfsInstall: jest.fn(),
    log1: jest.fn(),
    remoteAdd: jest.fn(),
    removeEnvironmentVariable: jest.fn((name: string) => delete git.env[name]),
    revParse: jest.fn(),
    setEnvironmentVariable: jest.fn((name: string, value: string) => {
      git.env[name] = value
    }),
    shaExists: jest.fn(),
    submoduleForeach: jest.fn(async () => {
      return ''
    }),
    submoduleSync: jest.fn(),
    submoduleUpdate: jest.fn(),
    tagExists: jest.fn(),
    tryClean: jest.fn(),
    tryConfigUnset: jest.fn(
      async (key: string, globalConfig?: boolean): Promise<boolean> => {
        const configPath = globalConfig
          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
          : localGitConfigPath
        let content = await fs.promises.readFile(configPath)
        let lines = content
          .toString()
          .split('\n')
          .filter(x => x)
          .filter(x => !x.startsWith(key))
        await fs.promises.writeFile(configPath, lines.join('\n'))
        return true
      }
    ),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(),
    tryReset: jest.fn()
  }
  settings = {
    authToken: 'some auth token',
    clean: true,
    commit: '',
    fetchDepth: 1,
    lfs: false,
    submodules: false,
    nestedSubmodules: false,
    persistCredentials: true,
    ref: 'refs/heads/master',
    repositoryName: 'my-repo',
    repositoryOwner: 'my-org',
    repositoryPath: '',
    sshKey: sshPath ? 'some ssh private key' : '',
    sshKnownHosts: '',
    sshStrict: true
  }
 }
 async function getActualSshKeyPath(): Promise<string> {
  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
    .sort()
    .map(x => path.join(runnerTemp, x))
  if (actualTempFiles.length === 0) {
    return ''
  }
  expect(actualTempFiles).toHaveLength(2)
  expect(actualTempFiles[0].endsWith('_known_hosts')).toBeFalsy()
  return actualTempFiles[0]
 }
 async function getActualSshKnownHostsPath(): Promise<string> {
  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
    .sort()
    .map(x => path.join(runnerTemp, x))
  if (actualTempFiles.length === 0) {
    return ''
  }
  expect(actualTempFiles).toHaveLength(2)
  expect(actualTempFiles[1].endsWith('_known_hosts')).toBeTruthy()
  expect(actualTempFiles[1].startsWith(actualTempFiles[0])).toBeTruthy()
  return actualTempFiles[1]
 }
--- a/test/git-directory-helper.test.ts
+++ b/test/git-directory-helper.test.ts
@ -0,0 +1,441 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
 import * as gitDirectoryHelper from '../lib/git-directory-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import {IGitCommandManager} from '../lib/git-command-manager'
 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
 let repositoryUrl: string
 let clean: boolean
 let ref: string
 let git: IGitCommandManager
 describe('git-directory-helper tests', () => {
  beforeAll(async () => {
    // Clear test workspace
    await io.rmRF(testWorkspace)
  })
  beforeEach(() => {
    // Mock error/warning/info/debug
    jest.spyOn(core, 'error').mockImplementation(jest.fn())
    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
    jest.spyOn(core, 'info').mockImplementation(jest.fn())
    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
  })
  afterEach(() => {
    // Unregister mocks
    jest.restoreAllMocks()
  })
  const cleansWhenCleanTrue = 'cleans when clean true'
  it(cleansWhenCleanTrue, async () => {
    // Arrange
    await setup(cleansWhenCleanTrue)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.tryClean).toHaveBeenCalled()
    expect(git.tryReset).toHaveBeenCalled()
    expect(core.warning).not.toHaveBeenCalled()
  })
  const checkoutDetachWhenNotDetached = 'checkout detach when not detached'
  it(checkoutDetachWhenNotDetached, async () => {
    // Arrange
    await setup(checkoutDetachWhenNotDetached)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.checkoutDetach).toHaveBeenCalled()
  })
  const doesNotCheckoutDetachWhenNotAlreadyDetached =
    'does not checkout detach when already detached'
  it(doesNotCheckoutDetachWhenNotAlreadyDetached, async () => {
    // Arrange
    await setup(doesNotCheckoutDetachWhenNotAlreadyDetached)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    const mockIsDetached = git.isDetached as jest.Mock<any, any>
    mockIsDetached.mockImplementation(async () => {
      return true
    })
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.checkoutDetach).not.toHaveBeenCalled()
  })
  const doesNotCleanWhenCleanFalse = 'does not clean when clean false'
  it(doesNotCleanWhenCleanFalse, async () => {
    // Arrange
    await setup(doesNotCleanWhenCleanFalse)
    clean = false
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.isDetached).toHaveBeenCalled()
    expect(git.branchList).toHaveBeenCalled()
    expect(core.warning).not.toHaveBeenCalled()
    expect(git.tryClean).not.toHaveBeenCalled()
    expect(git.tryReset).not.toHaveBeenCalled()
  })
  const removesContentsWhenCleanFails = 'removes contents when clean fails'
  it(removesContentsWhenCleanFails, async () => {
    // Arrange
    await setup(removesContentsWhenCleanFails)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    let mockTryClean = git.tryClean as jest.Mock<any, any>
    mockTryClean.mockImplementation(async () => {
      return false
    })
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files).toHaveLength(0)
    expect(git.tryClean).toHaveBeenCalled()
    expect(core.warning).toHaveBeenCalled()
    expect(git.tryReset).not.toHaveBeenCalled()
  })
  const removesContentsWhenDifferentRepositoryUrl =
    'removes contents when different repository url'
  it(removesContentsWhenDifferentRepositoryUrl, async () => {
    // Arrange
    await setup(removesContentsWhenDifferentRepositoryUrl)
    clean = false
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    const differentRepositoryUrl =
      'https://github.com/my-different-org/my-different-repo'
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      differentRepositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files).toHaveLength(0)
    expect(core.warning).not.toHaveBeenCalled()
    expect(git.isDetached).not.toHaveBeenCalled()
  })
  const removesContentsWhenNoGitDirectory =
    'removes contents when no git directory'
  it(removesContentsWhenNoGitDirectory, async () => {
    // Arrange
    await setup(removesContentsWhenNoGitDirectory)
    clean = false
    await io.rmRF(path.join(repositoryPath, '.git'))
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files).toHaveLength(0)
    expect(core.warning).not.toHaveBeenCalled()
    expect(git.isDetached).not.toHaveBeenCalled()
  })
  const removesContentsWhenResetFails = 'removes contents when reset fails'
  it(removesContentsWhenResetFails, async () => {
    // Arrange
    await setup(removesContentsWhenResetFails)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    let mockTryReset = git.tryReset as jest.Mock<any, any>
    mockTryReset.mockImplementation(async () => {
      return false
    })
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files).toHaveLength(0)
    expect(git.tryClean).toHaveBeenCalled()
    expect(git.tryReset).toHaveBeenCalled()
    expect(core.warning).toHaveBeenCalled()
  })
  const removesContentsWhenUndefinedGitCommandManager =
    'removes contents when undefined git command manager'
  it(removesContentsWhenUndefinedGitCommandManager, async () => {
    // Arrange
    await setup(removesContentsWhenUndefinedGitCommandManager)
    clean = false
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      undefined,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files).toHaveLength(0)
    expect(core.warning).not.toHaveBeenCalled()
  })
  const removesLocalBranches = 'removes local branches'
  it(removesLocalBranches, async () => {
    // Arrange
    await setup(removesLocalBranches)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    const mockBranchList = git.branchList as jest.Mock<any, any>
    mockBranchList.mockImplementation(async (remote: boolean) => {
      return remote ? [] : ['local-branch-1', 'local-branch-2']
    })
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.branchDelete).toHaveBeenCalledWith(false, 'local-branch-1')
    expect(git.branchDelete).toHaveBeenCalledWith(false, 'local-branch-2')
  })
  const removesLockFiles = 'removes lock files'
  it(removesLockFiles, async () => {
    // Arrange
    await setup(removesLockFiles)
    clean = false
    await fs.promises.writeFile(
      path.join(repositoryPath, '.git', 'index.lock'),
      ''
    )
    await fs.promises.writeFile(
      path.join(repositoryPath, '.git', 'shallow.lock'),
      ''
    )
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    let files = await fs.promises.readdir(path.join(repositoryPath, '.git'))
    expect(files).toHaveLength(0)
    files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.isDetached).toHaveBeenCalled()
    expect(git.branchList).toHaveBeenCalled()
    expect(core.warning).not.toHaveBeenCalled()
    expect(git.tryClean).not.toHaveBeenCalled()
    expect(git.tryReset).not.toHaveBeenCalled()
  })
  const removesAncestorRemoteBranch = 'removes ancestor remote branch'
  it(removesAncestorRemoteBranch, async () => {
    // Arrange
    await setup(removesAncestorRemoteBranch)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    const mockBranchList = git.branchList as jest.Mock<any, any>
    mockBranchList.mockImplementation(async (remote: boolean) => {
      return remote ? ['origin/remote-branch-1', 'origin/remote-branch-2'] : []
    })
    ref = 'remote-branch-1/conflict'
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.branchDelete).toHaveBeenCalledTimes(1)
    expect(git.branchDelete).toHaveBeenCalledWith(
      true,
      'origin/remote-branch-1'
    )
  })
  const removesDescendantRemoteBranches = 'removes descendant remote branch'
  it(removesDescendantRemoteBranches, async () => {
    // Arrange
    await setup(removesDescendantRemoteBranches)
    await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
    const mockBranchList = git.branchList as jest.Mock<any, any>
    mockBranchList.mockImplementation(async (remote: boolean) => {
      return remote
        ? ['origin/remote-branch-1/conflict', 'origin/remote-branch-2']
        : []
    })
    ref = 'remote-branch-1'
    // Act
    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      repositoryPath,
      repositoryUrl,
      clean,
      ref
    )
    // Assert
    const files = await fs.promises.readdir(repositoryPath)
    expect(files.sort()).toEqual(['.git', 'my-file'])
    expect(git.branchDelete).toHaveBeenCalledTimes(1)
    expect(git.branchDelete).toHaveBeenCalledWith(
      true,
      'origin/remote-branch-1/conflict'
    )
  })
 })
 async function setup(testName: string): Promise<void> {
  testName = testName.replace(/[^a-zA-Z0-9_]+/g, '-')
  // Repository directory
  repositoryPath = path.join(testWorkspace, testName)
  await fs.promises.mkdir(path.join(repositoryPath, '.git'), {recursive: true})
  // Repository URL
  repositoryUrl = 'https://github.com/my-org/my-repo'
  // Clean
  clean = true
  // Ref
  ref = ''
  // Git command manager
  git = {
    branchDelete: jest.fn(),
    branchExists: jest.fn(),
    branchList: jest.fn(async () => {
      return []
    }),
    checkout: jest.fn(),
    checkoutDetach: jest.fn(),
    config: jest.fn(),
    configExists: jest.fn(),
    fetch: jest.fn(),
    getDefaultBranch: jest.fn(),
    getWorkingDirectory: jest.fn(() => repositoryPath),
    init: jest.fn(),
    isDetached: jest.fn(),
    lfsFetch: jest.fn(),
    lfsInstall: jest.fn(),
    log1: jest.fn(),
    remoteAdd: jest.fn(),
    removeEnvironmentVariable: jest.fn(),
    revParse: jest.fn(),
    setEnvironmentVariable: jest.fn(),
    shaExists: jest.fn(),
    submoduleForeach: jest.fn(),
    submoduleSync: jest.fn(),
    submoduleUpdate: jest.fn(),
    tagExists: jest.fn(),
    tryClean: jest.fn(async () => {
      return true
    }),
    tryConfigUnset: jest.fn(),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(async () => {
      // Sanity check - this function shouldn't be called when the .git directory doesn't exist
      await fs.promises.stat(path.join(repositoryPath, '.git'))
      return repositoryUrl
    }),
    tryReset: jest.fn(async () => {
      return true
    })
  }
 }
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@ -4,7 +4,7 @@ import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
-import {ISourceSettings} from '../lib/git-source-provider'
+import {IGitSourceSettings} from '../lib/git-source-settings'
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
@ -17,12 +17,18 @@ let originalContext = {...github.context}
 describe('input-helper tests', () => {
  beforeAll(() => {
-    // Mock @actions/core getInput()
+    // Mock getInput
    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
      return inputs[name]
    })
-    // Mock @actions/github context
+    // Mock error/warning/info/debug
    jest.spyOn(core, 'error').mockImplementation(jest.fn())
    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
    jest.spyOn(core, 'info').mockImplementation(jest.fn())
    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
    // Mock github context
    jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
      return {
        owner: 'some-owner',
@ -62,7 +68,7 @@ describe('input-helper tests', () => {
  })
  it('sets defaults', () => {
-    const settings: ISourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
    expect(settings).toBeTruthy()
    expect(settings.authToken).toBeFalsy()
    expect(settings.clean).toBe(true)
@ -80,7 +86,7 @@ describe('input-helper tests', () => {
    let originalRef = github.context.ref
    try {
      github.context.ref = 'some-unqualified-ref'
-      const settings: ISourceSettings = inputHelper.getInputs()
+      const settings: IGitSourceSettings = inputHelper.getInputs()
      expect(settings).toBeTruthy()
      expect(settings.commit).toBe('1234567890123456789012345678901234567890')
      expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@ -98,37 +104,23 @@ describe('input-helper tests', () => {
  it('roots path', () => {
    inputs.path = 'some-directory/some-subdirectory'
-    const settings: ISourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
    expect(settings.repositoryPath).toBe(
      path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
    )
  })
  it('sets correct default ref/sha for other repo', () => {
    inputs.repository = 'some-owner/some-other-repo'
    const settings: ISourceSettings = inputHelper.getInputs()
    expect(settings.ref).toBe('refs/heads/master')
    expect(settings.commit).toBeFalsy()
  })
  it('sets ref to empty when explicit sha', () => {
    inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: ISourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
    expect(settings.ref).toBeFalsy()
    expect(settings.commit).toBe('1111111111222222222233333333334444444444')
  })
  it('sets sha to empty when explicit ref', () => {
    inputs.ref = 'refs/heads/some-other-ref'
-    const settings: ISourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = inputHelper.getInputs()
    expect(settings.ref).toBe('refs/heads/some-other-ref')
    expect(settings.commit).toBeFalsy()
  })
  it('gives good error message for submodules input', () => {
    inputs.submodules = 'true'
    assert.throws(() => {
      inputHelper.getInputs()
    }, /The input 'submodules' is not supported/)
  })
 })
--- a/test/verify-no-unstaged-changes.sh
+++ b/test/verify-no-unstaged-changes.sh
@ -12,6 +12,6 @@ if [[ "$(git status --porcelain)" != "" ]]; then
    echo ----------------------------------------
    echo Troubleshooting
    echo ----------------------------------------
-    echo "::error::Unstaged changes detected. Locally try running: git clean -ffdx && npm ci && npm run all"
+    echo "::error::Unstaged changes detected. Locally try running: git clean -ffdx && npm ci && npm run format && npm run build"
    exit 1
 fi
--- a/test/verify-submodules-false.sh
+++ b/test/verify-submodules-false.sh
@ -0,0 +1,11 @@
 #!/bin/bash
 if [ ! -f "./submodules-false/regular-file.txt" ]; then
    echo "Expected regular file does not exist"
    exit 1
 fi
 if [ -f "./submodules-false/submodule-level-1/submodule-file.txt" ]; then
    echo "Unexpected submodule file exists"
    exit 1
 fi
--- a/test/verify-submodules-not-checked-out.sh
+++ b/test/verify-submodules-not-checked-out.sh
@ -1,11 +0,0 @@
 #!/bin/bash
 if [ ! -f "./submodules-not-checked-out/regular-file.txt" ]; then
    echo "Expected regular file does not exist"
    exit 1
 fi
 if [ -f "./submodules-not-checked-out/submodule-level-1/submodule-file.txt" ]; then
    echo "Unexpected submodule file exists"
    exit 1
 fi
--- a/test/verify-submodules-recursive.sh
+++ b/test/verify-submodules-recursive.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 if [ ! -f "./submodules-recursive/regular-file.txt" ]; then
    echo "Expected regular file does not exist"
    exit 1
 fi
 if [ ! -f "./submodules-recursive/submodule-level-1/submodule-file.txt" ]; then
    echo "Expected submodule file does not exist"
    exit 1
 fi
 if [ ! -f "./submodules-recursive/submodule-level-1/submodule-level-2/nested-submodule-file.txt" ]; then
    echo "Expected nested submodule file does not exists"
    exit 1
 fi
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
 git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
    echo "Failed to validate persisted credential"
    popd
    exit 1
 fi
 popd
--- a/test/verify-submodules-true.sh
+++ b/test/verify-submodules-true.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 if [ ! -f "./submodules-true/regular-file.txt" ]; then
    echo "Expected regular file does not exist"
    exit 1
 fi
 if [ ! -f "./submodules-true/submodule-level-1/submodule-file.txt" ]; then
    echo "Expected submodule file does not exist"
    exit 1
 fi
 if [ -f "./submodules-true/submodule-level-1/submodule-level-2/nested-submodule-file.txt" ]; then
    echo "Unexpected nested submodule file exists"
    exit 1
 fi
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
 git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
    echo "Failed to validate persisted credential"
    popd
    exit 1
 fi
 popd
--- a/action.yml
+++ b/action.yml
@ -1,6 +1,6 @@
 name: 'Checkout'
 description: 'Checkout a Git repository at a particular version'
-inputs: 
+inputs:
  repository:
    description: 'Repository name with owner. For example, actions/checkout'
    default: ${{ github.repository }}
@ -8,16 +8,45 @@ inputs:
    description: >
      The branch, tag or SHA to checkout. When checking out the repository that
      triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, defaults to `master`.
+      event.  Otherwise, uses the default branch.
  token:
    description: >
-      Auth token used to fetch the repository. The token is stored in the local
+      Personal access token (PAT) used to fetch the repository. The PAT is configured
-      git config, which enables your scripts to run authenticated git commands.
+      with the local git config, which enables your scripts to run authenticated git
-      The post-job step removes the token from the git config. [Learn more about
+      commands. The post-job step removes the PAT.
-      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+
      We recommend using a service account with the least permissions necessary.
      Also when generating a new PAT, select the least scopes necessary.
      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    default: ${{ github.token }}
  ssh-key:
    description: >
      SSH key used to fetch the repository. The SSH key is configured with the local
      git config, which enables your scripts to run authenticated git commands.
      The post-job step removes the SSH key.
      We recommend using a service account with the least permissions necessary.
      [Learn more about creating and using
      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
  ssh-known-hosts:
    description: >
      Known hosts in addition to the user and global host key database. The public
      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
  ssh-strict:
    description: >
      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
      configure additional hosts.
    default: true
  persist-credentials:
-    description: 'Whether to persist the token in the git config'
+    description: 'Whether to configure the token or SSH key with the local git config'
    default: true
  path:
    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
@ -25,11 +54,20 @@ inputs:
    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
    default: true
  fetch-depth:
-    description: 'Number of commits to fetch. 0 indicates all history.'
+    description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.'
    default: 1
  lfs:
    description: 'Whether to download Git-LFS files'
    default: false
  submodules:
    description: >
      Whether to checkout submodules: `true` to checkout submodules or `recursive` to
      recursively checkout submodules.
      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
      converted to HTTPS.
    default: false
 runs:
  using: node12
  main: dist/index.js
--- a/adrs/0153-checkout-v2.md
+++ b/adrs/0153-checkout-v2.md
@ -29,14 +29,26 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
    description: >
      Personal access token (PAT) used to fetch the repository. The PAT is configured
      with the local git config, which enables your scripts to run authenticated git
-      commands. The post-job step removes the PAT. [Learn more about creating and using
+      commands. The post-job step removes the PAT.
-      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+
      We recommend using a service account with the least permissions necessary.
      Also when generating a new PAT, select the least scopes necessary.
      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    default: ${{ github.token }}
  ssh-key:
    description: >
-      SSH key used to fetch the repository. SSH key is configured with the local
+      SSH key used to fetch the repository. The SSH key is configured with the local
      git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the SSH key. [Learn more about creating and using
+      The post-job step removes the SSH key.
      We recommend using a service account with the least permissions necessary.
      [Learn more about creating and using
      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
  ssh-known-hosts:
    description: >
@ -44,7 +56,10 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
  ssh-strict:
-    description: 'Whether to perform strict host key checking'
+    description: >
      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
      configure additional hosts.
    default: true
  persist-credentials:
    description: 'Whether to configure the token or SSH key with the local git config'
@ -55,18 +70,26 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
    default: true
  fetch-depth:
-    description: 'Number of commits to fetch. 0 indicates all history.'
+    description: 'Number of commits to fetch. 0 indicates all history for all tags and branches.'
    default: 1
  lfs:
    description: 'Whether to download Git-LFS files'
    default: false
  submodules:
    description: >
      Whether to checkout submodules: `true` to checkout submodules or `recursive` to
      recursively checkout submodules.
      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
      converted to HTTPS.
    default: false
 ```
 Note:
 - SSH support is new
 - `persist-credentials` is new
 - `path` behavior is different (refer [below](#path) for details)
 - `submodules` was removed (error if specified; add later if needed)
 ### Fallback to GitHub API
@ -74,7 +97,7 @@ When a sufficient version of git is not in the PATH, fallback to the [web API](h
 Note:
 - LFS files are not included in the archive. Therefore fail if LFS is set to true.
- Submodules are also not included in the archive. However submodules are not supported by checkout v2 anyway.
+- Submodules are also not included in the archive.
 ### Persist credentials
@ -95,7 +118,6 @@ Note:
 - The auth header is scoped to all of github `http.https://github.com/.extraheader`
  - Additional public remotes also just work.
  - If users want to authenticate to an additional private remote, they should provide the `token` input.
  - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config.
 #### SSH key
@ -229,6 +251,17 @@ A better solution is:
 Given a source file path, walk up the directories until the first `.git/config` is found. Check if it matches the self repo (`url = https://github.com/OWNER/REPO`). If not, drop the source file path.
 ### Submodules
 With both PAT and SSH key support, we should be able to provide frictionless support for
 submodules scenarios: recursive, non-recursive, relative submodule paths.
 When fetching submodules, follow the `fetch-depth` settings.
 Also when fetching submodules, if the `ssh-key` input is not provided then convert SSH URLs to HTTPS: `-c url."https://github.com/".insteadOf "git@github.com:"`
 Credentials will be persisted in the submodules local git config too.
 ### Port to typescript
 The checkout action should be a typescript action on the GitHub graph, for the following reasons:
--- a/dist/index.js
+++ b/dist/index.js
--- a/package-lock.json
+++ b/package-lock.json
@ -15,19 +15,19 @@
      "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
    },
    "@actions/github": {
-      "version": "2.1.0",
+      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.2.0.tgz",
-      "integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==",
+      "integrity": "sha512-9UAZqn8ywdR70n3GwVle4N8ALosQs4z50N7XMXrSTUVOmVpaBC5kE3TRTT7qQdi3OaQV24mjGuJZsHUmhD+ZXw==",
      "requires": {
        "@actions/http-client": "^1.0.3",
        "@octokit/graphql": "^4.3.1",
-        "@octokit/rest": "^16.15.0"
+        "@octokit/rest": "^16.43.1"
      }
    },
    "@actions/http-client": {
-      "version": "1.0.3",
+      "version": "1.0.8",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.8.tgz",
-      "integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
+      "integrity": "sha512-G4JjJ6f9Hb3Zvejj+ewLLKLf99ZC+9v+yCxoYf9vSyH+WkzPLB2LuUtRMGNkooMqdugGBFStIKXOuvH1W+EctA==",
      "requires": {
        "tunnel": "0.0.6"
      },
@ -622,13 +622,23 @@
      }
    },
    "@octokit/endpoint": {
-      "version": "5.5.1",
+      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-6.0.1.tgz",
-      "integrity": "sha512-nBFhRUb5YzVTCX/iAK1MgQ4uWo89Gu0TH00qQHoYRCsE12dWcG1OiLd7v2EIo2+tpUKPMOQ62QFy9hy9Vg2ULg==",
+      "integrity": "sha512-pOPHaSz57SFT/m3R5P8MUu4wLPszokn5pXcB/pzavLTQf2jbU+6iayTvzaY6/BiotuRS0qyEUkx3QglT4U958A==",
      "requires": {
-        "@octokit/types": "^2.0.0",
+        "@octokit/types": "^2.11.1",
        "is-plain-object": "^3.0.0",
-        "universal-user-agent": "^4.0.0"
+        "universal-user-agent": "^5.0.0"
      },
      "dependencies": {
        "universal-user-agent": {
          "version": "5.0.0",
          "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-5.0.0.tgz",
          "integrity": "sha512-B5TPtzZleXyPrUMKCpEHFmVhMN6EhmJYjG5PQna9s7mXeSqGTLap4OpqLl5FCEFUI3UBmllkETwKf/db66Y54Q==",
          "requires": {
            "os-name": "^3.1.0"
          }
        }
      }
    },
    "@octokit/graphql": {
@ -641,25 +651,57 @@
        "universal-user-agent": "^4.0.0"
      }
    },
    "@octokit/plugin-paginate-rest": {
      "version": "1.1.2",
      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-1.1.2.tgz",
      "integrity": "sha512-jbsSoi5Q1pj63sC16XIUboklNw+8tL9VOnJsWycWYR78TKss5PVpIPb1TUUcMQ+bBh7cY579cVAWmf5qG+dw+Q==",
      "requires": {
        "@octokit/types": "^2.0.1"
      }
    },
    "@octokit/plugin-request-log": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/@octokit/plugin-request-log/-/plugin-request-log-1.0.0.tgz",
      "integrity": "sha512-ywoxP68aOT3zHCLgWZgwUJatiENeHE7xJzYjfz8WI0goynp96wETBF+d95b8g/uL4QmS6owPVlaxiz3wyMAzcw=="
    },
    "@octokit/plugin-rest-endpoint-methods": {
      "version": "2.4.0",
      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-2.4.0.tgz",
      "integrity": "sha512-EZi/AWhtkdfAYi01obpX0DF7U6b1VRr30QNQ5xSFPITMdLSfhcBqjamE3F+sKcxPbD7eZuMHu3Qkk2V+JGxBDQ==",
      "requires": {
        "@octokit/types": "^2.0.1",
        "deprecation": "^2.3.1"
      }
    },
    "@octokit/request": {
-      "version": "5.3.1",
+      "version": "5.4.2",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.3.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-5.4.2.tgz",
-      "integrity": "sha512-5/X0AL1ZgoU32fAepTfEoggFinO3rxsMLtzhlUX+RctLrusn/CApJuGFCd0v7GMFhF+8UiCsTTfsu7Fh1HnEJg==",
+      "integrity": "sha512-zKdnGuQ2TQ2vFk9VU8awFT4+EYf92Z/v3OlzRaSh4RIP0H6cvW1BFPXq4XYvNez+TPQjqN+0uSkCYnMFFhcFrw==",
      "requires": {
-        "@octokit/endpoint": "^5.5.0",
+        "@octokit/endpoint": "^6.0.1",
-        "@octokit/request-error": "^1.0.1",
+        "@octokit/request-error": "^2.0.0",
-        "@octokit/types": "^2.0.0",
+        "@octokit/types": "^2.11.1",
        "deprecation": "^2.0.0",
        "is-plain-object": "^3.0.0",
        "node-fetch": "^2.3.0",
        "once": "^1.4.0",
-        "universal-user-agent": "^4.0.0"
+        "universal-user-agent": "^5.0.0"
      },
      "dependencies": {
        "universal-user-agent": {
          "version": "5.0.0",
          "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-5.0.0.tgz",
          "integrity": "sha512-B5TPtzZleXyPrUMKCpEHFmVhMN6EhmJYjG5PQna9s7mXeSqGTLap4OpqLl5FCEFUI3UBmllkETwKf/db66Y54Q==",
          "requires": {
            "os-name": "^3.1.0"
          }
        }
      }
    },
    "@octokit/request-error": {
-      "version": "1.2.0",
+      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-1.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-2.0.0.tgz",
-      "integrity": "sha512-DNBhROBYjjV/I9n7A8kVkmQNkqFAMem90dSxqvPq57e2hBr7mNTX98y3R2zDpqMQHVRpBDjsvsfIGgBzy+4PAg==",
+      "integrity": "sha512-rtYicB4Absc60rUv74Rjpzek84UbVHGHJRu4fNVlZ1mCcyUPPuzFfG9Rn6sjHrd95DEsmjSt1Axlc699ZlbDkw==",
      "requires": {
        "@octokit/types": "^2.0.0",
        "deprecation": "^2.0.0",
@ -667,11 +709,14 @@
      }
    },
    "@octokit/rest": {
-      "version": "16.38.1",
+      "version": "16.43.1",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.43.1.tgz",
-      "integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==",
+      "integrity": "sha512-gfFKwRT/wFxq5qlNjnW2dh+qh74XgTQ2B179UX5K1HYCluioWj8Ndbgqw2PVqa1NnVJkGHp2ovMpVn/DImlmkw==",
      "requires": {
        "@octokit/auth-token": "^2.4.0",
        "@octokit/plugin-paginate-rest": "^1.1.1",
        "@octokit/plugin-request-log": "^1.0.0",
        "@octokit/plugin-rest-endpoint-methods": "2.4.0",
        "@octokit/request": "^5.2.0",
        "@octokit/request-error": "^1.0.2",
        "atob-lite": "^2.0.0",
@ -684,12 +729,24 @@
        "octokit-pagination-methods": "^1.1.0",
        "once": "^1.4.0",
        "universal-user-agent": "^4.0.0"
      },
      "dependencies": {
        "@octokit/request-error": {
          "version": "1.2.1",
          "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-1.2.1.tgz",
          "integrity": "sha512-+6yDyk1EES6WK+l3viRDElw96MvwfJxCt45GvmjDUKWjYIb3PJZQkq3i46TwGwoPD4h8NmTrENmtyA1FwbmhRA==",
          "requires": {
            "@octokit/types": "^2.0.0",
            "deprecation": "^2.0.0",
            "once": "^1.4.0"
          }
        }
      }
    },
    "@octokit/types": {
-      "version": "2.1.1",
+      "version": "2.14.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.14.0.tgz",
-      "integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==",
+      "integrity": "sha512-1w2wxpN45rEXPDFeB7rGain7wcJ/aTRg8bdILITVnS0O7a4zEGELa3JmIe+jeLdekQjvZRbVfNPqS+mi5fKCKQ==",
      "requires": {
        "@types/node": ">= 8"
      }
@ -6720,9 +6777,9 @@
      }
    },
    "universal-user-agent": {
-      "version": "4.0.0",
+      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-4.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-4.0.1.tgz",
-      "integrity": "sha512-eM8knLpev67iBDizr/YtqkJsF3GK8gzDc6st/WKzrTuPtcsOKW/0IdL4cnMBsU69pOx0otavLWBDGTwg+dB0aA==",
+      "integrity": "sha512-LnST3ebHwVL2aNe4mejI9IQh2HfZ1RLo8Io2HugSif8ekzD1TlWpHpColOB/eh8JHMLkGH3Akqf040I+4ylNxg==",
      "requires": {
        "os-name": "^3.1.0"
      }
@ -6901,9 +6958,9 @@
      "dev": true
    },
    "windows-release": {
-      "version": "3.2.0",
+      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/windows-release/-/windows-release-3.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/windows-release/-/windows-release-3.3.0.tgz",
-      "integrity": "sha512-QTlz2hKLrdqukrsapKsINzqMgOUpQW268eJ0OaOpJN32h272waxR9fkB9VoWRtK7uKHG5EHJcTXQBD8XZVJkFA==",
+      "integrity": "sha512-2HetyTg1Y+R+rUgrKeUEhAG/ZuOmTrI1NBb3ZyAGQMYmOJjBBPe4MTodghRkmLJZHwkuPi02anbeGP+Zf401LQ==",
      "requires": {
        "execa": "^1.0.0"
      }
--- a/package.json
+++ b/package.json
@ -4,14 +4,11 @@
  "description": "checkout action",
  "main": "lib/main.js",
  "scripts": {
-    "build": "tsc",
+    "build": "tsc && ncc build && node lib/misc/generate-docs.js",
-    "format": "prettier --write **/*.ts",
+    "format": "prettier --write '**/*.ts'",
-    "format-check": "prettier --check **/*.ts",
+    "format-check": "prettier --check '**/*.ts'",
    "lint": "eslint src/**/*.ts",
-    "pack": "ncc build",
+    "test": "jest"
    "gendocs": "node lib/misc/generate-docs.js",
    "test": "jest",
    "all": "npm run build && npm run format && npm run lint && npm run pack && npm run gendocs && npm test"
  },
  "repository": {
    "type": "git",
@ -31,7 +28,7 @@
  "dependencies": {
    "@actions/core": "^1.1.3",
    "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.0.2",
+    "@actions/github": "^2.2.0",
    "@actions/io": "^1.0.1",
    "@actions/tool-cache": "^1.1.2",
    "uuid": "^3.3.3"
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -0,0 +1,350 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
 import * as fs from 'fs'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
 import * as regexpHelper from './regexp-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
 import {default as uuid} from 'uuid/v4'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 const IS_WINDOWS = process.platform === 'win32'
 const SSH_COMMAND_KEY = 'core.sshCommand'
 export interface IGitAuthHelper {
  configureAuth(): Promise<void>
  configureGlobalAuth(): Promise<void>
  configureSubmoduleAuth(): Promise<void>
  removeAuth(): Promise<void>
  removeGlobalAuth(): Promise<void>
 }
 export function createAuthHelper(
  git: IGitCommandManager,
  settings?: IGitSourceSettings
 ): IGitAuthHelper {
  return new GitAuthHelper(git, settings)
 }
 class GitAuthHelper {
  private readonly git: IGitCommandManager
  private readonly settings: IGitSourceSettings
  private readonly tokenConfigKey: string
  private readonly tokenConfigValue: string
  private readonly tokenPlaceholderConfigValue: string
  private readonly insteadOfKey: string
  private readonly insteadOfValue: string
  private sshCommand = ''
  private sshKeyPath = ''
  private sshKnownHostsPath = ''
  private temporaryHomePath = ''
  constructor(
    gitCommandManager: IGitCommandManager,
    gitSourceSettings?: IGitSourceSettings
  ) {
    this.git = gitCommandManager
    this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
    // Token auth header
    const serverUrl = urlHelper.getServerUrl()
    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
    const basicCredential = Buffer.from(
      `x-access-token:${this.settings.authToken}`,
      'utf8'
    ).toString('base64')
    core.setSecret(basicCredential)
    this.tokenPlaceholderConfigValue = `AUTHORIZATION: basic ***`
    this.tokenConfigValue = `AUTHORIZATION: basic ${basicCredential}`
    // Instead of SSH URL
    this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
    this.insteadOfValue = `git@${serverUrl.hostname}:`
  }
  async configureAuth(): Promise<void> {
    // Remove possible previous values
    await this.removeAuth()
    // Configure new values
    await this.configureSsh()
    await this.configureToken()
  }
  async configureGlobalAuth(): Promise<void> {
    // Create a temp home directory
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
    const uniqueId = uuid()
    this.temporaryHomePath = path.join(runnerTemp, uniqueId)
    await fs.promises.mkdir(this.temporaryHomePath, {recursive: true})
    // Copy the global git config
    const gitConfigPath = path.join(
      process.env['HOME'] || os.homedir(),
      '.gitconfig'
    )
    const newGitConfigPath = path.join(this.temporaryHomePath, '.gitconfig')
    let configExists = false
    try {
      await fs.promises.stat(gitConfigPath)
      configExists = true
    } catch (err) {
      if (err.code !== 'ENOENT') {
        throw err
      }
    }
    if (configExists) {
      core.info(`Copying '${gitConfigPath}' to '${newGitConfigPath}'`)
      await io.cp(gitConfigPath, newGitConfigPath)
    } else {
      await fs.promises.writeFile(newGitConfigPath, '')
    }
    try {
      // Override HOME
      core.info(
        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
      )
      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
      // Configure the token
      await this.configureToken(newGitConfigPath, true)
      // Configure HTTPS instead of SSH
      await this.git.tryConfigUnset(this.insteadOfKey, true)
      if (!this.settings.sshKey) {
        await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
      }
    } catch (err) {
      // Unset in case somehow written to the real global config
      core.info(
        'Encountered an error when attempting to configure token. Attempting unconfigure.'
      )
      await this.git.tryConfigUnset(this.tokenConfigKey, true)
      throw err
    }
  }
  async configureSubmoduleAuth(): Promise<void> {
    // Remove possible previous HTTPS instead of SSH
    await this.removeGitConfig(this.insteadOfKey, true)
    if (this.settings.persistCredentials) {
      // Configure a placeholder value. This approach avoids the credential being captured
      // by process creation audit events, which are commonly logged. For more information,
      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
      const output = await this.git.submoduleForeach(
        `git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url`,
        this.settings.nestedSubmodules
      )
      // Replace the placeholder
      const configPaths: string[] =
        output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
      for (const configPath of configPaths) {
        core.debug(`Replacing token placeholder in '${configPath}'`)
        this.replaceTokenPlaceholder(configPath)
      }
      if (this.settings.sshKey) {
        // Configure core.sshCommand
        await this.git.submoduleForeach(
          `git config --local '${SSH_COMMAND_KEY}' '${this.sshCommand}'`,
          this.settings.nestedSubmodules
        )
      } else {
        // Configure HTTPS instead of SSH
        await this.git.submoduleForeach(
          `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
          this.settings.nestedSubmodules
        )
      }
    }
  }
  async removeAuth(): Promise<void> {
    await this.removeSsh()
    await this.removeToken()
  }
  async removeGlobalAuth(): Promise<void> {
    core.debug(`Unsetting HOME override`)
    this.git.removeEnvironmentVariable('HOME')
    await io.rmRF(this.temporaryHomePath)
  }
  private async configureSsh(): Promise<void> {
    if (!this.settings.sshKey) {
      return
    }
    // Write key
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
    const uniqueId = uuid()
    this.sshKeyPath = path.join(runnerTemp, uniqueId)
    stateHelper.setSshKeyPath(this.sshKeyPath)
    await fs.promises.mkdir(runnerTemp, {recursive: true})
    await fs.promises.writeFile(
      this.sshKeyPath,
      this.settings.sshKey.trim() + '\n',
      {mode: 0o600}
    )
    // Remove inherited permissions on Windows
    if (IS_WINDOWS) {
      const icacls = await io.which('icacls.exe')
      await exec.exec(
        `"${icacls}" "${this.sshKeyPath}" /grant:r "${process.env['USERDOMAIN']}\\${process.env['USERNAME']}:F"`
      )
      await exec.exec(`"${icacls}" "${this.sshKeyPath}" /inheritance:r`)
    }
    // Write known hosts
    const userKnownHostsPath = path.join(os.homedir(), '.ssh', 'known_hosts')
    let userKnownHosts = ''
    try {
      userKnownHosts = (
        await fs.promises.readFile(userKnownHostsPath)
      ).toString()
    } catch (err) {
      if (err.code !== 'ENOENT') {
        throw err
      }
    }
    let knownHosts = ''
    if (userKnownHosts) {
      knownHosts += `# Begin from ${userKnownHostsPath}\n${userKnownHosts}\n# End from ${userKnownHostsPath}\n`
    }
    if (this.settings.sshKnownHosts) {
      knownHosts += `# Begin from input known hosts\n${this.settings.sshKnownHosts}\n# end from input known hosts\n`
    }
    knownHosts += `# Begin implicitly added github.com\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n# End implicitly added github.com\n`
    this.sshKnownHostsPath = path.join(runnerTemp, `${uniqueId}_known_hosts`)
    stateHelper.setSshKnownHostsPath(this.sshKnownHostsPath)
    await fs.promises.writeFile(this.sshKnownHostsPath, knownHosts)
    // Configure GIT_SSH_COMMAND
    const sshPath = await io.which('ssh', true)
    this.sshCommand = `"${sshPath}" -i "$RUNNER_TEMP/${path.basename(
      this.sshKeyPath
    )}"`
    if (this.settings.sshStrict) {
      this.sshCommand += ' -o StrictHostKeyChecking=yes -o CheckHostIP=no'
    }
    this.sshCommand += ` -o "UserKnownHostsFile=$RUNNER_TEMP/${path.basename(
      this.sshKnownHostsPath
    )}"`
    core.info(`Temporarily overriding GIT_SSH_COMMAND=${this.sshCommand}`)
    this.git.setEnvironmentVariable('GIT_SSH_COMMAND', this.sshCommand)
    // Configure core.sshCommand
    if (this.settings.persistCredentials) {
      await this.git.config(SSH_COMMAND_KEY, this.sshCommand)
    }
  }
  private async configureToken(
    configPath?: string,
    globalConfig?: boolean
  ): Promise<void> {
    // Validate args
    assert.ok(
      (configPath && globalConfig) || (!configPath && !globalConfig),
      'Unexpected configureToken parameter combinations'
    )
    // Default config path
    if (!configPath && !globalConfig) {
      configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
    }
    // Configure a placeholder value. This approach avoids the credential being captured
    // by process creation audit events, which are commonly logged. For more information,
    // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
    await this.git.config(
      this.tokenConfigKey,
      this.tokenPlaceholderConfigValue,
      globalConfig
    )
    // Replace the placeholder
    await this.replaceTokenPlaceholder(configPath || '')
  }
  private async replaceTokenPlaceholder(configPath: string): Promise<void> {
    assert.ok(configPath, 'configPath is not defined')
    let content = (await fs.promises.readFile(configPath)).toString()
    const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
    if (
      placeholderIndex < 0 ||
      placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
    ) {
      throw new Error(`Unable to replace auth placeholder in ${configPath}`)
    }
    assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
    content = content.replace(
      this.tokenPlaceholderConfigValue,
      this.tokenConfigValue
    )
    await fs.promises.writeFile(configPath, content)
  }
  private async removeSsh(): Promise<void> {
    // SSH key
    const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
    if (keyPath) {
      try {
        await io.rmRF(keyPath)
      } catch (err) {
        core.debug(err.message)
        core.warning(`Failed to remove SSH key '${keyPath}'`)
      }
    }
    // SSH known hosts
    const knownHostsPath =
      this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
    if (knownHostsPath) {
      try {
        await io.rmRF(knownHostsPath)
      } catch {
        // Intentionally empty
      }
    }
    // SSH command
    await this.removeGitConfig(SSH_COMMAND_KEY)
  }
  private async removeToken(): Promise<void> {
    // HTTP extra header
    await this.removeGitConfig(this.tokenConfigKey)
  }
  private async removeGitConfig(
    configKey: string,
    submoduleOnly: boolean = false
  ): Promise<void> {
    if (!submoduleOnly) {
      if (
        (await this.git.configExists(configKey)) &&
        !(await this.git.tryConfigUnset(configKey))
      ) {
        // Load the config contents
        core.warning(`Failed to remove '${configKey}' from the git config`)
      }
    }
    const pattern = regexpHelper.escape(configKey)
    await this.git.submoduleForeach(
      `git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :`,
      true
    )
  }
 }
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@ -3,6 +3,8 @@ import * as exec from '@actions/exec'
 import * as fshelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as regexpHelper from './regexp-helper'
 import * as retryHelper from './retry-helper'
 import {GitVersion} from './git-version'
@ -16,25 +18,37 @@ export interface IGitCommandManager {
  branchList(remote: boolean): Promise<string[]>
  checkout(ref: string, startPoint: string): Promise<void>
  checkoutDetach(): Promise<void>
-  config(configKey: string, configValue: string): Promise<void>
+  config(
-  configExists(configKey: string): Promise<boolean>
+    configKey: string,
-  fetch(fetchDepth: number, refSpec: string[]): Promise<void>
+    configValue: string,
    globalConfig?: boolean
  ): Promise<void>
  configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
  fetch(refSpec: string[], fetchDepth?: number): Promise<void>
  getDefaultBranch(repositoryUrl: string): Promise<string>
  getWorkingDirectory(): string
  init(): Promise<void>
  isDetached(): Promise<boolean>
  lfsFetch(ref: string): Promise<void>
  lfsInstall(): Promise<void>
-  log1(): Promise<void>
+  log1(): Promise<string>
  remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
  removeEnvironmentVariable(name: string): void
  revParse(ref: string): Promise<string>
  setEnvironmentVariable(name: string, value: string): void
  shaExists(sha: string): Promise<boolean>
  submoduleForeach(command: string, recursive: boolean): Promise<string>
  submoduleSync(recursive: boolean): Promise<void>
  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
-  tryConfigUnset(configKey: string): Promise<boolean>
+  tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
  tryDisableAutomaticGarbageCollection(): Promise<boolean>
  tryGetFetchUrl(): Promise<string>
  tryReset(): Promise<boolean>
 }
-export async function CreateCommandManager(
+export async function createCommandManager(
  workingDirectory: string,
  lfs: boolean
 ): Promise<IGitCommandManager> {
@ -123,32 +137,45 @@ class GitCommandManager {
    await this.execGit(args)
  }
-  async config(configKey: string, configValue: string): Promise<void> {
+  async config(
-    await this.execGit(['config', '--local', configKey, configValue])
+    configKey: string,
    configValue: string,
    globalConfig?: boolean
  ): Promise<void> {
    await this.execGit([
      'config',
      globalConfig ? '--global' : '--local',
      configKey,
      configValue
    ])
  }
-  async configExists(configKey: string): Promise<boolean> {
+  async configExists(
-    const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
+    configKey: string,
-      return `\\${x}`
+    globalConfig?: boolean
-    })
+  ): Promise<boolean> {
    const pattern = regexpHelper.escape(configKey)
    const output = await this.execGit(
-      ['config', '--local', '--name-only', '--get-regexp', pattern],
+      [
        'config',
        globalConfig ? '--global' : '--local',
        '--name-only',
        '--get-regexp',
        pattern
      ],
      true
    )
    return output.exitCode === 0
  }
-  async fetch(fetchDepth: number, refSpec: string[]): Promise<void> {
+  async fetch(refSpec: string[], fetchDepth?: number): Promise<void> {
-    const args = [
+    const args = ['-c', 'protocol.version=2', 'fetch']
-      '-c',
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
-      'protocol.version=2',
+      args.push('--no-tags')
-      'fetch',
+    }
-      '--no-tags',
+
-      '--prune',
+    args.push('--prune', '--progress', '--no-recurse-submodules')
-      '--progress',
+    if (fetchDepth && fetchDepth > 0) {
      '--no-recurse-submodules'
    ]
    if (fetchDepth > 0) {
      args.push(`--depth=${fetchDepth}`)
    } else if (
      fshelper.fileExistsSync(
@ -169,6 +196,34 @@ class GitCommandManager {
    })
  }
  async getDefaultBranch(repositoryUrl: string): Promise<string> {
    let output: GitOutput | undefined
    await retryHelper.execute(async () => {
      output = await this.execGit([
        'ls-remote',
        '--quiet',
        '--exit-code',
        '--symref',
        repositoryUrl,
        'HEAD'
      ])
    })
    if (output) {
      // Satisfy compiler, will always be set
      for (let line of output.stdout.trim().split('\n')) {
        line = line.trim()
        if (line.startsWith('ref:') || line.endsWith('HEAD')) {
          return line
            .substr('ref:'.length, line.length - 'ref:'.length - 'HEAD'.length)
            .trim()
        }
      }
    }
    throw new Error('Unexpected output when retrieving default branch')
  }
  getWorkingDirectory(): string {
    return this.workingDirectory
  }
@ -199,14 +254,74 @@ class GitCommandManager {
    await this.execGit(['lfs', 'install', '--local'])
  }
-  async log1(): Promise<void> {
+  async log1(): Promise<string> {
-    await this.execGit(['log', '-1'])
+    const output = await this.execGit(['log', '-1'])
    return output.stdout
  }
  async remoteAdd(remoteName: string, remoteUrl: string): Promise<void> {
    await this.execGit(['remote', 'add', remoteName, remoteUrl])
  }
  removeEnvironmentVariable(name: string): void {
    delete this.gitEnv[name]
  }
  /**
   * Resolves a ref to a SHA. For a branch or lightweight tag, the commit SHA is returned.
   * For an annotated tag, the tag SHA is returned.
   * @param {string} ref  For example: 'refs/heads/master' or '/refs/tags/v1'
   * @returns {Promise<string>}
   */
  async revParse(ref: string): Promise<string> {
    const output = await this.execGit(['rev-parse', ref])
    return output.stdout.trim()
  }
  setEnvironmentVariable(name: string, value: string): void {
    this.gitEnv[name] = value
  }
  async shaExists(sha: string): Promise<boolean> {
    const args = ['rev-parse', '--verify', '--quiet', `${sha}^{object}`]
    const output = await this.execGit(args, true)
    return output.exitCode === 0
  }
  async submoduleForeach(command: string, recursive: boolean): Promise<string> {
    const args = ['submodule', 'foreach']
    if (recursive) {
      args.push('--recursive')
    }
    args.push(command)
    const output = await this.execGit(args)
    return output.stdout
  }
  async submoduleSync(recursive: boolean): Promise<void> {
    const args = ['submodule', 'sync']
    if (recursive) {
      args.push('--recursive')
    }
    await this.execGit(args)
  }
  async submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void> {
    const args = ['-c', 'protocol.version=2']
    args.push('submodule', 'update', '--init', '--force')
    if (fetchDepth > 0) {
      args.push(`--depth=${fetchDepth}`)
    }
    if (recursive) {
      args.push('--recursive')
    }
    await this.execGit(args)
  }
  async tagExists(pattern: string): Promise<boolean> {
    const output = await this.execGit(['tag', '--list', pattern])
    return !!output.stdout.trim()
@ -217,9 +332,17 @@ class GitCommandManager {
    return output.exitCode === 0
  }
-  async tryConfigUnset(configKey: string): Promise<boolean> {
+  async tryConfigUnset(
    configKey: string,
    globalConfig?: boolean
  ): Promise<boolean> {
    const output = await this.execGit(
-      ['config', '--local', '--unset-all', configKey],
+      [
        'config',
        globalConfig ? '--global' : '--local',
        '--unset-all',
        configKey
      ],
      true
    )
    return output.exitCode === 0
--- a/src/git-directory-helper.ts
+++ b/src/git-directory-helper.ts
@ -0,0 +1,117 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import {IGitCommandManager} from './git-command-manager'
 export async function prepareExistingDirectory(
  git: IGitCommandManager | undefined,
  repositoryPath: string,
  repositoryUrl: string,
  clean: boolean,
  ref: string
 ): Promise<void> {
  assert.ok(repositoryPath, 'Expected repositoryPath to be defined')
  assert.ok(repositoryUrl, 'Expected repositoryUrl to be defined')
  // Indicates whether to delete the directory contents
  let remove = false
  // Check whether using git or REST API
  if (!git) {
    remove = true
  }
  // Fetch URL does not match
  else if (
    !fsHelper.directoryExistsSync(path.join(repositoryPath, '.git')) ||
    repositoryUrl !== (await git.tryGetFetchUrl())
  ) {
    remove = true
  } else {
    // Delete any index.lock and shallow.lock left by a previously canceled run or crashed git process
    const lockPaths = [
      path.join(repositoryPath, '.git', 'index.lock'),
      path.join(repositoryPath, '.git', 'shallow.lock')
    ]
    for (const lockPath of lockPaths) {
      try {
        await io.rmRF(lockPath)
      } catch (error) {
        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
      }
    }
    try {
      core.startGroup('Removing previously created refs, to avoid conflicts')
      // Checkout detached HEAD
      if (!(await git.isDetached())) {
        await git.checkoutDetach()
      }
      // Remove all refs/heads/*
      let branches = await git.branchList(false)
      for (const branch of branches) {
        await git.branchDelete(false, branch)
      }
      // Remove any conflicting refs/remotes/origin/*
      // Example 1: Consider ref is refs/heads/foo and previously fetched refs/remotes/origin/foo/bar
      // Example 2: Consider ref is refs/heads/foo/bar and previously fetched refs/remotes/origin/foo
      if (ref) {
        ref = ref.startsWith('refs/') ? ref : `refs/heads/${ref}`
        if (ref.startsWith('refs/heads/')) {
          const upperName1 = ref.toUpperCase().substr('REFS/HEADS/'.length)
          const upperName1Slash = `${upperName1}/`
          branches = await git.branchList(true)
          for (const branch of branches) {
            const upperName2 = branch.substr('origin/'.length).toUpperCase()
            const upperName2Slash = `${upperName2}/`
            if (
              upperName1.startsWith(upperName2Slash) ||
              upperName2.startsWith(upperName1Slash)
            ) {
              await git.branchDelete(true, branch)
            }
          }
        }
      }
      core.endGroup()
      // Clean
      if (clean) {
        core.startGroup('Cleaning the repository')
        if (!(await git.tryClean())) {
          core.debug(
            `The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
          )
          remove = true
        } else if (!(await git.tryReset())) {
          remove = true
        }
        core.endGroup()
        if (remove) {
          core.warning(
            `Unable to clean or reset the repository. The repository will be recreated instead.`
          )
        }
      }
    } catch (error) {
      core.warning(
        `Unable to prepare the existing repository. The repository will be recreated instead.`
      )
      remove = true
    }
  }
  if (remove) {
    // Delete the contents of the directory. Don't delete the directory itself
    // since it might be the current working directory.
    core.info(`Deleting the contents of '${repositoryPath}'`)
    for (const file of await fs.promises.readdir(repositoryPath)) {
      await io.rmRF(path.join(repositoryPath, file))
    }
  }
 }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -1,38 +1,23 @@
 import * as core from '@actions/core'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitAuthHelper from './git-auth-helper'
 import * as gitCommandManager from './git-command-manager'
 import * as gitDirectoryHelper from './git-directory-helper'
 import * as githubApiHelper from './github-api-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
-const serverUrl = 'https://github.com/'
+export async function getSource(settings: IGitSourceSettings): Promise<void> {
 const authConfigKey = `http.${serverUrl}.extraheader`
 export interface ISourceSettings {
  repositoryPath: string
  repositoryOwner: string
  repositoryName: string
  ref: string
  commit: string
  clean: boolean
  fetchDepth: number
  lfs: boolean
  authToken: string
  persistCredentials: boolean
 }
 export async function getSource(settings: ISourceSettings): Promise<void> {
  // Repository URL
  core.info(
    `Syncing repository: ${settings.repositoryOwner}/${settings.repositoryName}`
  )
-  const repositoryUrl = `https://github.com/${encodeURIComponent(
+  const repositoryUrl = urlHelper.getFetchUrl(settings)
    settings.repositoryOwner
  )}/${encodeURIComponent(settings.repositoryName)}`
  // Remove conflicting file path
  if (fsHelper.fileExistsSync(settings.repositoryPath)) {
@ -47,15 +32,18 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
  }
  // Git command manager
  core.startGroup('Getting Git version info')
  const git = await getGitCommandManager(settings)
  core.endGroup()
  // Prepare existing directory, otherwise recreate
  if (isExisting) {
-    await prepareExistingDirectory(
+    await gitDirectoryHelper.prepareExistingDirectory(
      git,
      settings.repositoryPath,
      repositoryUrl,
-      settings.clean
+      settings.clean,
      settings.ref
    )
  }
@ -65,6 +53,16 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
    core.info(
      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
    )
    if (settings.submodules) {
      throw new Error(
        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
      )
    } else if (settings.sshKey) {
      throw new Error(
        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
      )
    }
    await githubApiHelper.downloadRepository(
      settings.authToken,
      settings.repositoryOwner,
@ -73,65 +71,155 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
      settings.commit,
      settings.repositoryPath
    )
-  } else {
+    return
-    // Save state for POST action
+  }
    stateHelper.setRepositoryPath(settings.repositoryPath)
-    // Initialize the repository
+  // Save state for POST action
-    if (
+  stateHelper.setRepositoryPath(settings.repositoryPath)
      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
    ) {
      await git.init()
      await git.remoteAdd('origin', repositoryUrl)
    }
-    // Disable automatic garbage collection
+  // Initialize the repository
-    if (!(await git.tryDisableAutomaticGarbageCollection())) {
+  if (
-      core.warning(
+    !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
-        `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
+  ) {
-      )
+    core.startGroup('Initializing the repository')
-    }
+    await git.init()
-
+    await git.remoteAdd('origin', repositoryUrl)
-    // Remove possible previous extraheader
+    core.endGroup()
-    await removeGitConfig(git, authConfigKey)
+  }
-    try {
+  // Disable automatic garbage collection
-      // Config extraheader
+  core.startGroup('Disabling automatic garbage collection')
-      await configureAuthToken(git, settings.authToken)
+  if (!(await git.tryDisableAutomaticGarbageCollection())) {
    core.warning(
      `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
    )
  }
  core.endGroup()
-      // LFS install
+  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.lfs) {
+  try {
-        await git.lfsInstall()
+    // Configure auth
    core.startGroup('Setting up auth')
    await authHelper.configureAuth()
    core.endGroup()
    // Determine the default branch
    if (!settings.ref && !settings.commit) {
      core.startGroup('Determining the default branch')
      if (settings.sshKey) {
        settings.ref = await git.getDefaultBranch(repositoryUrl)
      } else {
        settings.ref = await githubApiHelper.getDefaultBranch(
          settings.authToken,
          settings.repositoryOwner,
          settings.repositoryName
        )
      }
      core.endGroup()
    }
-      // Fetch
+    // LFS install
-      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
+    if (settings.lfs) {
-      await git.fetch(settings.fetchDepth, refSpec)
+      await git.lfsInstall()
    }
-      // Checkout info
+    // Fetch
-      const checkoutInfo = await refHelper.getCheckoutInfo(
+    core.startGroup('Fetching the repository')
-        git,
+    if (settings.fetchDepth <= 0) {
      // Fetch all branches and tags
      let refSpec = refHelper.getRefSpecForAllHistory(
        settings.ref,
        settings.commit
      )
      await git.fetch(refSpec)
-      // LFS fetch
+      // When all history is fetched, the ref we're interested in may have moved to a different
-      // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+      // commit (push or force push). If so, fetch again with a targeted refspec.
-      // Explicit lfs fetch will fetch lfs objects in parallel.
+      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-      if (settings.lfs) {
+        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-        await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
+        await git.fetch(refSpec)
      }
    } else {
      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
      await git.fetch(refSpec, settings.fetchDepth)
    }
    core.endGroup()
    // Checkout info
    core.startGroup('Determining the checkout info')
    const checkoutInfo = await refHelper.getCheckoutInfo(
      git,
      settings.ref,
      settings.commit
    )
    core.endGroup()
    // LFS fetch
    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
    // Explicit lfs fetch will fetch lfs objects in parallel.
    if (settings.lfs) {
      core.startGroup('Fetching LFS objects')
      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
      core.endGroup()
    }
-      // Checkout
+    // Checkout
-      await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
+    core.startGroup('Checking out the ref')
    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
    core.endGroup()
-      // Dump some info about the checked out commit
+    // Submodules
-      await git.log1()
+    if (settings.submodules) {
-    } finally {
+      try {
-      if (!settings.persistCredentials) {
+        // Temporarily override global config
-        await removeGitConfig(git, authConfigKey)
+        core.startGroup('Setting up auth for fetching submodules')
        await authHelper.configureGlobalAuth()
        core.endGroup()
        // Checkout submodules
        core.startGroup('Fetching submodules')
        await git.submoduleSync(settings.nestedSubmodules)
        await git.submoduleUpdate(
          settings.fetchDepth,
          settings.nestedSubmodules
        )
        await git.submoduleForeach(
          'git config --local gc.auto 0',
          settings.nestedSubmodules
        )
        core.endGroup()
        // Persist credentials
        if (settings.persistCredentials) {
          core.startGroup('Persisting credentials for submodules')
          await authHelper.configureSubmoduleAuth()
          core.endGroup()
        }
      } finally {
        // Remove temporary global config override
        await authHelper.removeGlobalAuth()
      }
    }
    // Dump some info about the checked out commit
    const commitInfo = await git.log1()
    // Check for incorrect pull request merge commit
    await refHelper.checkCommitInfo(
      settings.authToken,
      commitInfo,
      settings.repositoryOwner,
      settings.repositoryName,
      settings.ref,
      settings.commit
    )
  } finally {
    // Remove auth
    if (!settings.persistCredentials) {
      core.startGroup('Removing auth')
      await authHelper.removeAuth()
      core.endGroup()
    }
  }
 }
@ -146,22 +234,22 @@ export async function cleanup(repositoryPath: string): Promise<void> {
  let git: IGitCommandManager
  try {
-    git = await gitCommandManager.CreateCommandManager(repositoryPath, false)
+    git = await gitCommandManager.createCommandManager(repositoryPath, false)
  } catch {
    return
  }
-  // Remove extraheader
+  // Remove auth
-  await removeGitConfig(git, authConfigKey)
+  const authHelper = gitAuthHelper.createAuthHelper(git)
  await authHelper.removeAuth()
 }
 async function getGitCommandManager(
-  settings: ISourceSettings
+  settings: IGitSourceSettings
-): Promise<IGitCommandManager> {
+): Promise<IGitCommandManager | undefined> {
  core.info(`Working directory is '${settings.repositoryPath}'`)
  let git = (null as unknown) as IGitCommandManager
  try {
-    return await gitCommandManager.CreateCommandManager(
+    return await gitCommandManager.createCommandManager(
      settings.repositoryPath,
      settings.lfs
    )
@ -172,138 +260,6 @@ async function getGitCommandManager(
    }
    // Otherwise fallback to REST API
-    return (null as unknown) as IGitCommandManager
+    return undefined
  }
 }
 async function prepareExistingDirectory(
  git: IGitCommandManager,
  repositoryPath: string,
  repositoryUrl: string,
  clean: boolean
 ): Promise<void> {
  let remove = false
  // Check whether using git or REST API
  if (!git) {
    remove = true
  }
  // Fetch URL does not match
  else if (
    !fsHelper.directoryExistsSync(path.join(repositoryPath, '.git')) ||
    repositoryUrl !== (await git.tryGetFetchUrl())
  ) {
    remove = true
  } else {
    // Delete any index.lock and shallow.lock left by a previously canceled run or crashed git process
    const lockPaths = [
      path.join(repositoryPath, '.git', 'index.lock'),
      path.join(repositoryPath, '.git', 'shallow.lock')
    ]
    for (const lockPath of lockPaths) {
      try {
        await io.rmRF(lockPath)
      } catch (error) {
        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
      }
    }
    try {
      // Checkout detached HEAD
      if (!(await git.isDetached())) {
        await git.checkoutDetach()
      }
      // Remove all refs/heads/*
      let branches = await git.branchList(false)
      for (const branch of branches) {
        await git.branchDelete(false, branch)
      }
      // Remove all refs/remotes/origin/* to avoid conflicts
      branches = await git.branchList(true)
      for (const branch of branches) {
        await git.branchDelete(true, branch)
      }
      // Clean
      if (clean) {
        if (!(await git.tryClean())) {
          core.debug(
            `The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
          )
          remove = true
        } else if (!(await git.tryReset())) {
          remove = true
        }
        if (remove) {
          core.warning(
            `Unable to clean or reset the repository. The repository will be recreated instead.`
          )
        }
      }
    } catch (error) {
      core.warning(
        `Unable to prepare the existing repository. The repository will be recreated instead.`
      )
      remove = true
    }
  }
  if (remove) {
    // Delete the contents of the directory. Don't delete the directory itself
    // since it might be the current working directory.
    core.info(`Deleting the contents of '${repositoryPath}'`)
    for (const file of await fs.promises.readdir(repositoryPath)) {
      await io.rmRF(path.join(repositoryPath, file))
    }
  }
 }
 async function configureAuthToken(
  git: IGitCommandManager,
  authToken: string
 ): Promise<void> {
  // Configure a placeholder value. This approach avoids the credential being captured
  // by process creation audit events, which are commonly logged. For more information,
  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
  const placeholder = `AUTHORIZATION: basic ***`
  await git.config(authConfigKey, placeholder)
  // Determine the basic credential value
  const basicCredential = Buffer.from(
    `x-access-token:${authToken}`,
    'utf8'
  ).toString('base64')
  core.setSecret(basicCredential)
  // Replace the value in the config file
  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
  let content = (await fs.promises.readFile(configPath)).toString()
  const placeholderIndex = content.indexOf(placeholder)
  if (
    placeholderIndex < 0 ||
    placeholderIndex != content.lastIndexOf(placeholder)
  ) {
    throw new Error('Unable to replace auth placeholder in .git/config')
  }
  content = content.replace(
    placeholder,
    `AUTHORIZATION: basic ${basicCredential}`
  )
  await fs.promises.writeFile(configPath, content)
 }
 async function removeGitConfig(
  git: IGitCommandManager,
  configKey: string
 ): Promise<void> {
  if (
    (await git.configExists(configKey)) &&
    !(await git.tryConfigUnset(configKey))
  ) {
    // Load the config contents
    core.warning(`Failed to remove '${configKey}' from the git config`)
  }
 }
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@ -0,0 +1,76 @@
 export interface IGitSourceSettings {
  /**
   * The location on disk where the repository will be placed
   */
  repositoryPath: string
  /**
   * The repository owner
   */
  repositoryOwner: string
  /**
   * The repository name
   */
  repositoryName: string
  /**
   * The ref to fetch
   */
  ref: string
  /**
   * The commit to checkout
   */
  commit: string
  /**
   * Indicates whether to clean the repository
   */
  clean: boolean
  /**
   * The depth when fetching
   */
  fetchDepth: number
  /**
   * Indicates whether to fetch LFS objects
   */
  lfs: boolean
  /**
   * Indicates whether to checkout submodules
   */
  submodules: boolean
  /**
   * Indicates whether to recursively checkout submodules
   */
  nestedSubmodules: boolean
  /**
   * The auth token to use when fetching the repository
   */
  authToken: string
  /**
   * The SSH key to configure
   */
  sshKey: string
  /**
   * Additional SSH known hosts
   */
  sshKnownHosts: string
  /**
   * Indicates whether the server must be a known host
   */
  sshStrict: boolean
  /**
   * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
   */
  persistCredentials: boolean
 }
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@ -7,7 +7,7 @@ import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
 import {default as uuid} from 'uuid/v4'
-import {ReposGetArchiveLinkParams} from '@octokit/rest'
+import {Octokit} from '@octokit/rest'
 const IS_WINDOWS = process.platform === 'win32'
@ -19,6 +19,12 @@ export async function downloadRepository(
  commit: string,
  repositoryPath: string
 ): Promise<void> {
  // Determine the default branch
  if (!ref && !commit) {
    core.info('Determining the default branch')
    ref = await getDefaultBranch(authToken, owner, repo)
  }
  // Download the archive
  let archiveData = await retryHelper.execute(async () => {
    core.info('Downloading the archive')
@ -67,6 +73,46 @@ export async function downloadRepository(
  io.rmRF(extractPath)
 }
 /**
 * Looks up the default branch name
 */
 export async function getDefaultBranch(
  authToken: string,
  owner: string,
  repo: string
 ): Promise<string> {
  return await retryHelper.execute(async () => {
    core.info('Retrieving the default branch name')
    const octokit = new github.GitHub(authToken)
    let result: string
    try {
      // Get the default branch from the repo info
      const response = await octokit.repos.get({owner, repo})
      result = response.data.default_branch
      assert.ok(result, 'default_branch cannot be empty')
    } catch (err) {
      // Handle .wiki repo
      if (err['status'] === 404 && repo.toUpperCase().endsWith('.WIKI')) {
        result = 'master'
      }
      // Otherwise error
      else {
        throw err
      }
    }
    // Print the default branch
    core.info(`Default branch '${result}'`)
    // Prefix with 'refs/heads'
    if (!result.startsWith('refs/')) {
      result = `refs/heads/${result}`
    }
    return result
  })
 }
 async function downloadArchive(
  authToken: string,
  owner: string,
@ -75,7 +121,7 @@ async function downloadArchive(
  commit: string
 ): Promise<Buffer> {
  const octokit = new github.GitHub(authToken)
-  const params: ReposGetArchiveLinkParams = {
+  const params: Octokit.ReposGetArchiveLinkParams = {
    owner: owner,
    repo: repo,
    archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@ -2,10 +2,10 @@ import * as core from '@actions/core'
 import * as fsHelper from './fs-helper'
 import * as github from '@actions/github'
 import * as path from 'path'
-import {ISourceSettings} from './git-source-provider'
+import {IGitSourceSettings} from './git-source-settings'
-export function getInputs(): ISourceSettings {
+export function getInputs(): IGitSourceSettings {
-  const result = ({} as unknown) as ISourceSettings
+  const result = ({} as unknown) as IGitSourceSettings
  // GitHub workspace
  let githubWorkspacePath = process.env['GITHUB_WORKSPACE']
@ -68,10 +68,6 @@ export function getInputs(): ISourceSettings {
        result.ref = `refs/heads/${result.ref}`
      }
    }
    if (!result.ref && !result.commit) {
      result.ref = 'refs/heads/master'
    }
  }
  // SHA?
  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
@ -85,13 +81,6 @@ export function getInputs(): ISourceSettings {
  result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
  core.debug(`clean = ${result.clean}`)
  // Submodules
  if (core.getInput('submodules')) {
    throw new Error(
      "The input 'submodules' is not supported in actions/checkout@v2"
    )
  }
  // Fetch depth
  result.fetchDepth = Math.floor(Number(core.getInput('fetch-depth') || '1'))
  if (isNaN(result.fetchDepth) || result.fetchDepth < 0) {
@ -103,8 +92,27 @@ export function getInputs(): ISourceSettings {
  result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
  core.debug(`lfs = ${result.lfs}`)
  // Submodules
  result.submodules = false
  result.nestedSubmodules = false
  const submodulesString = (core.getInput('submodules') || '').toUpperCase()
  if (submodulesString == 'RECURSIVE') {
    result.submodules = true
    result.nestedSubmodules = true
  } else if (submodulesString == 'TRUE') {
    result.submodules = true
  }
  core.debug(`submodules = ${result.submodules}`)
  core.debug(`recursive submodules = ${result.nestedSubmodules}`)
  // Auth token
-  result.authToken = core.getInput('token')
+  result.authToken = core.getInput('token', {required: true})
  // SSH
  result.sshKey = core.getInput('ssh-key')
  result.sshKnownHosts = core.getInput('ssh-known-hosts')
  result.sshStrict =
    (core.getInput('ssh-strict') || 'true').toUpperCase() === 'TRUE'
  // Persist credentials
  result.persistCredentials =
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@ -59,13 +59,17 @@ function updateUsage(
    // Constrain the width of the description
    const width = 80
-    let description = input.description as string
+    let description = (input.description as string)
      .trimRight()
      .replace(/\r\n/g, '\n') // Convert CR to LF
      .replace(/ +/g, ' ') //    Squash consecutive spaces
      .replace(/ \n/g, '\n') //  Squash space followed by newline
    while (description) {
      // Longer than width? Find a space to break apart
      let segment: string = description
      if (description.length > width) {
        segment = description.substr(0, width + 1)
-        while (!segment.endsWith(' ') && segment) {
+        while (!segment.endsWith(' ') && !segment.endsWith('\n') && segment) {
          segment = segment.substr(0, segment.length - 1)
        }
@ -77,15 +81,30 @@ function updateUsage(
        segment = description
      }
-      description = description.substr(segment.length) // Remaining
+      // Check for newline
-      segment = segment.trimRight() // Trim the trailing space
+      const newlineIndex = segment.indexOf('\n')
-      newReadme.push(`    # ${segment}`)
+      if (newlineIndex >= 0) {
        segment = segment.substr(0, newlineIndex + 1)
      }
      // Append segment
      newReadme.push(`    # ${segment}`.trimRight())
      // Remaining
      description = description.substr(segment.length)
    }
    // Input and default
    if (input.default !== undefined) {
      // Append blank line if description had paragraphs
      if ((input.description as string).trimRight().match(/\n[ ]*\r?\n/)) {
        newReadme.push(`    #`)
      }
      // Default
      newReadme.push(`    # Default: ${input.default}`)
    }
    // Input name
    newReadme.push(`    ${key}: ''`)
    firstInput = false
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@ -1,4 +1,9 @@
 import {URL} from 'url'
 import {IGitCommandManager} from './git-command-manager'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
 export const tagsRefSpec = '+refs/tags/*:refs/tags/*'
 export interface ICheckoutInfo {
  ref: string
@ -57,6 +62,16 @@ export async function getCheckoutInfo(
  return result
 }
 export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
  const result = ['+refs/heads/*:refs/remotes/origin/*', tagsRefSpec]
  if (ref && ref.toUpperCase().startsWith('REFS/PULL/')) {
    const branch = ref.substring('refs/pull/'.length)
    result.push(`+${commit || ref}:refs/remotes/pull/${branch}`)
  }
  return result
 }
 export function getRefSpec(ref: string, commit: string): string[] {
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
@ -107,3 +122,162 @@ export function getRefSpec(ref: string, commit: string): string[] {
    return [`+${ref}:${ref}`]
  }
 }
 /**
 * Tests whether the initial fetch created the ref at the expected commit
 */
 export async function testRef(
  git: IGitCommandManager,
  ref: string,
  commit: string
 ): Promise<boolean> {
  if (!git) {
    throw new Error('Arg git cannot be empty')
  }
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
  }
  // No SHA? Nothing to test
  if (!commit) {
    return true
  }
  // SHA only?
  else if (!ref) {
    return await git.shaExists(commit)
  }
  const upperRef = ref.toUpperCase()
  // refs/heads/
  if (upperRef.startsWith('REFS/HEADS/')) {
    const branch = ref.substring('refs/heads/'.length)
    return (
      (await git.branchExists(true, `origin/${branch}`)) &&
      commit === (await git.revParse(`refs/remotes/origin/${branch}`))
    )
  }
  // refs/pull/
  else if (upperRef.startsWith('REFS/PULL/')) {
    // Assume matches because fetched using the commit
    return true
  }
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
    return (
      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
    )
  }
  // Unexpected
  else {
    core.debug(`Unexpected ref format '${ref}' when testing ref info`)
    return true
  }
 }
 export async function checkCommitInfo(
  token: string,
  commitInfo: string,
  repositoryOwner: string,
  repositoryName: string,
  ref: string,
  commit: string
 ): Promise<void> {
  try {
    // GHES?
    if (isGhes()) {
      return
    }
    // Auth token?
    if (!token) {
      return
    }
    // Public PR synchronize, for workflow repo?
    if (
      fromPayload('repository.private') !== false ||
      github.context.eventName !== 'pull_request' ||
      fromPayload('action') !== 'synchronize' ||
      repositoryOwner !== github.context.repo.owner ||
      repositoryName !== github.context.repo.repo ||
      ref !== github.context.ref ||
      !ref.startsWith('refs/pull/') ||
      commit !== github.context.sha
    ) {
      return
    }
    // Head SHA
    const expectedHeadSha = fromPayload('after')
    if (!expectedHeadSha) {
      core.debug('Unable to determine head sha')
      return
    }
    // Base SHA
    const expectedBaseSha = fromPayload('pull_request.base.sha')
    if (!expectedBaseSha) {
      core.debug('Unable to determine base sha')
      return
    }
    // Expected message?
    const expectedMessage = `Merge ${expectedHeadSha} into ${expectedBaseSha}`
    if (commitInfo.indexOf(expectedMessage) >= 0) {
      return
    }
    // Extract details from message
    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
    if (!match) {
      core.debug('Unexpected message format')
      return
    }
    // Post telemetry
    const actualHeadSha = match[1]
    if (actualHeadSha !== expectedHeadSha) {
      core.debug(
        `Expected head sha ${expectedHeadSha}; actual head sha ${actualHeadSha}`
      )
      const octokit = new github.GitHub(token, {
        userAgent: `actions-checkout-tracepoint/1.0 (code=STALE_MERGE;owner=${repositoryOwner};repo=${repositoryName};pr=${fromPayload(
          'number'
        )};run_id=${
          process.env['GITHUB_RUN_ID']
        };expected_head_sha=${expectedHeadSha};actual_head_sha=${actualHeadSha})`
      })
      await octokit.repos.get({owner: repositoryOwner, repo: repositoryName})
    }
  } catch (err) {
    core.debug(`Error when validating commit info: ${err.stack}`)
  }
 }
 function fromPayload(path: string): any {
  return select(github.context.payload, path)
 }
 function select(obj: any, path: string): any {
  if (!obj) {
    return undefined
  }
  const i = path.indexOf('.')
  if (i < 0) {
    return obj[path]
  }
  const key = path.substr(0, i)
  return select(obj[key], path.substr(i + 1))
 }
 function isGhes(): boolean {
  const ghUrl = new URL(
    process.env['GITHUB_SERVER_URL'] || 'https://github.com'
  )
  return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM'
 }
--- a/src/regexp-helper.ts
+++ b/src/regexp-helper.ts
@ -0,0 +1,5 @@
 export function escape(value: string): string {
  return value.replace(/[^a-zA-Z0-9_]/g, x => {
    return `\\${x}`
  })
 }
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@ -1,4 +1,3 @@
 import * as core from '@actions/core'
 import * as coreCommand from '@actions/core/lib/command'
 /**
@ -12,6 +11,17 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
  (process.env['STATE_repositoryPath'] as string) || ''
 /**
 * The SSH key path for the POST action. The value is empty during the MAIN action.
 */
 export const SshKeyPath = (process.env['STATE_sshKeyPath'] as string) || ''
 /**
 * The SSH known hosts path for the POST action. The value is empty during the MAIN action.
 */
 export const SshKnownHostsPath =
  (process.env['STATE_sshKnownHostsPath'] as string) || ''
 /**
 * Save the repository path so the POST action can retrieve the value.
 */
@ -23,6 +33,24 @@ export function setRepositoryPath(repositoryPath: string) {
  )
 }
 /**
 * Save the SSH key path so the POST action can retrieve the value.
 */
 export function setSshKeyPath(sshKeyPath: string) {
  coreCommand.issueCommand('save-state', {name: 'sshKeyPath'}, sshKeyPath)
 }
 /**
 * Save the SSH known hosts path so the POST action can retrieve the value.
 */
 export function setSshKnownHostsPath(sshKnownHostsPath: string) {
  coreCommand.issueCommand(
    'save-state',
    {name: 'sshKnownHostsPath'},
    sshKnownHostsPath
  )
 }
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {
--- a/src/url-helper.ts
+++ b/src/url-helper.ts
@ -0,0 +1,29 @@
 import * as assert from 'assert'
 import {IGitSourceSettings} from './git-source-settings'
 import {URL} from 'url'
 export function getFetchUrl(settings: IGitSourceSettings): string {
  assert.ok(
    settings.repositoryOwner,
    'settings.repositoryOwner must be defined'
  )
  assert.ok(settings.repositoryName, 'settings.repositoryName must be defined')
  const serviceUrl = getServerUrl()
  const encodedOwner = encodeURIComponent(settings.repositoryOwner)
  const encodedName = encodeURIComponent(settings.repositoryName)
  if (settings.sshKey) {
    return `git@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
  }
  // "origin" is SCHEME://HOSTNAME[:PORT]
  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
 }
 export function getServerUrl(): URL {
  // todo: remove GITHUB_URL after support for GHES Alpha is no longer needed
  return new URL(
    process.env['GITHUB_SERVER_URL'] ||
      process.env['GITHUB_URL'] ||
      'https://github.com'
  )
 }