mirror of
https://code.forgejo.org/actions/checkout.git
synced 2024-11-22 02:21:16 +01:00
add input persist-credentials (#107)
This commit is contained in:
parent
a572f640b0
commit
c170eefc26
9 changed files with 149 additions and 128 deletions
10
.github/workflows/test.yml
vendored
10
.github/workflows/test.yml
vendored
|
@ -18,6 +18,7 @@ jobs:
|
|||
- run: npm run lint
|
||||
- run: npm run pack
|
||||
- run: npm run gendocs
|
||||
- run: npm test
|
||||
- name: Verify no unstaged changes
|
||||
run: __test__/verify-no-unstaged-changes.sh
|
||||
|
||||
|
@ -84,15 +85,12 @@ jobs:
|
|||
|
||||
test-job-container:
|
||||
runs-on: ubuntu-latest
|
||||
container: pstauffer/curl:latest
|
||||
container: alpine:latest
|
||||
steps:
|
||||
# Clone this repo
|
||||
# todo: after v2-beta contains the latest changes, switch this to "uses: actions/checkout@v2-beta". Also switch to "alpine:latest"
|
||||
# todo: after v2-beta contains the latest changes, switch this to "uses: actions/checkout@v2-beta"
|
||||
- name: Checkout
|
||||
run: |
|
||||
curl --location --user token:${{ github.token }} --output checkout.tar.gz https://api.github.com/repos/actions/checkout/tarball/${{ github.sha }}
|
||||
tar -xzf checkout.tar.gz
|
||||
mv */* ./
|
||||
uses: actions/checkout@a572f640b07e96fc5837b3adfa0e5a2ddd8dae21
|
||||
|
||||
# Basic checkout
|
||||
- name: Basic checkout
|
||||
|
|
16
README.md
16
README.md
|
@ -15,16 +15,16 @@ Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows)
|
|||
- Improved fetch performance
|
||||
- The default behavior now fetches only the commit being checked-out
|
||||
- Script authenticated git commands
|
||||
- Persists `with.token` in the local git config
|
||||
- Persists the input `token` in the local git config
|
||||
- Enables your scripts to run authenticated git commands
|
||||
- Post-job cleanup removes the token
|
||||
- Coming soon: Opt out by setting `with.persist-credentials` to `false`
|
||||
- Opt out by setting the input `persist-credentials: false`
|
||||
- Creates a local branch
|
||||
- No longer detached HEAD when checking out a branch
|
||||
- A local branch is created with the corresponding upstream branch set
|
||||
- Improved layout
|
||||
- `with.path` is always relative to `github.workspace`
|
||||
- Aligns better with container actions, where `github.workspace` gets mapped in
|
||||
- The input `path` is always relative to $GITHUB_WORKSPACE
|
||||
- Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
|
||||
- Fallback to REST API download
|
||||
- When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
|
||||
- Removed input `submodules`
|
||||
|
@ -46,10 +46,16 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
|
|||
# Otherwise, defaults to `master`.
|
||||
ref: ''
|
||||
|
||||
# Access token for clone repository
|
||||
# Auth token used to fetch the repository. The token is stored in the local git
|
||||
# config, which enables your scripts to run authenticated git commands. The
|
||||
# post-job step removes the token from the git config.
|
||||
# Default: ${{ github.token }}
|
||||
token: ''
|
||||
|
||||
# Whether to persist the token in the git config
|
||||
# Default: true
|
||||
persist-credentials: ''
|
||||
|
||||
# Relative path under $GITHUB_WORKSPACE to place the repository
|
||||
path: ''
|
||||
|
||||
|
|
|
@ -63,7 +63,7 @@ describe('input-helper tests', () => {
|
|||
it('sets defaults', () => {
|
||||
const settings: ISourceSettings = inputHelper.getInputs()
|
||||
expect(settings).toBeTruthy()
|
||||
expect(settings.accessToken).toBeFalsy()
|
||||
expect(settings.authToken).toBeFalsy()
|
||||
expect(settings.clean).toBe(true)
|
||||
expect(settings.commit).toBeTruthy()
|
||||
expect(settings.commit).toBe('1234567890123456789012345678901234567890')
|
||||
|
|
14
action.yml
14
action.yml
|
@ -6,12 +6,18 @@ inputs:
|
|||
default: ${{ github.repository }}
|
||||
ref:
|
||||
description: >
|
||||
The branch, tag or SHA to checkout. When checking out the repository
|
||||
that triggered a workflow, this defaults to the reference or SHA for
|
||||
that event. Otherwise, defaults to `master`.
|
||||
The branch, tag or SHA to checkout. When checking out the repository that
|
||||
triggered a workflow, this defaults to the reference or SHA for that
|
||||
event. Otherwise, defaults to `master`.
|
||||
token:
|
||||
description: 'Access token for clone repository'
|
||||
description: >
|
||||
Auth token used to fetch the repository. The token is stored in the local
|
||||
git config, which enables your scripts to run authenticated git commands.
|
||||
The post-job step removes the token from the git config.
|
||||
default: ${{ github.token }}
|
||||
persist-credentials:
|
||||
description: 'Whether to persist the token in the git config'
|
||||
default: true
|
||||
path:
|
||||
description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
|
||||
clean:
|
||||
|
|
63
dist/index.js
vendored
63
dist/index.js
vendored
|
@ -4838,7 +4838,7 @@ class GitCommandManager {
|
|||
}
|
||||
config(configKey, configValue) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
yield this.execGit(['config', configKey, configValue]);
|
||||
yield this.execGit(['config', '--local', configKey, configValue]);
|
||||
});
|
||||
}
|
||||
configExists(configKey) {
|
||||
|
@ -4846,7 +4846,7 @@ class GitCommandManager {
|
|||
const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
|
||||
return `\\${x}`;
|
||||
});
|
||||
const output = yield this.execGit(['config', '--name-only', '--get-regexp', pattern], true);
|
||||
const output = yield this.execGit(['config', '--local', '--name-only', '--get-regexp', pattern], true);
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
|
@ -4932,19 +4932,19 @@ class GitCommandManager {
|
|||
}
|
||||
tryConfigUnset(configKey) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['config', '--unset-all', configKey], true);
|
||||
const output = yield this.execGit(['config', '--local', '--unset-all', configKey], true);
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
tryDisableAutomaticGarbageCollection() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['config', 'gc.auto', '0'], true);
|
||||
const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
|
||||
return output.exitCode === 0;
|
||||
});
|
||||
}
|
||||
tryGetFetchUrl() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const output = yield this.execGit(['config', '--get', 'remote.origin.url'], true);
|
||||
const output = yield this.execGit(['config', '--local', '--get', 'remote.origin.url'], true);
|
||||
if (output.exitCode !== 0) {
|
||||
return '';
|
||||
}
|
||||
|
@ -5121,7 +5121,7 @@ function getSource(settings) {
|
|||
// Downloading using REST API
|
||||
core.info(`The repository will be downloaded using the GitHub REST API`);
|
||||
core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
|
||||
yield githubApiHelper.downloadRepository(settings.accessToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
|
||||
yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
|
||||
}
|
||||
else {
|
||||
// Save state for POST action
|
||||
|
@ -5137,11 +5137,9 @@ function getSource(settings) {
|
|||
}
|
||||
// Remove possible previous extraheader
|
||||
yield removeGitConfig(git, authConfigKey);
|
||||
// Add extraheader (auth)
|
||||
const base64Credentials = Buffer.from(`x-access-token:${settings.accessToken}`, 'utf8').toString('base64');
|
||||
core.setSecret(base64Credentials);
|
||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
|
||||
yield git.config(authConfigKey, authConfigValue);
|
||||
try {
|
||||
// Config auth token
|
||||
yield configureAuthToken(git, settings.authToken);
|
||||
// LFS install
|
||||
if (settings.lfs) {
|
||||
yield git.lfsInstall();
|
||||
|
@ -5162,6 +5160,12 @@ function getSource(settings) {
|
|||
// Dump some info about the checked out commit
|
||||
yield git.log1();
|
||||
}
|
||||
finally {
|
||||
if (!settings.persistCredentials) {
|
||||
yield removeGitConfig(git, authConfigKey);
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
exports.getSource = getSource;
|
||||
|
@ -5265,23 +5269,21 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
|
|||
}
|
||||
});
|
||||
}
|
||||
function configureAuthToken(git, authToken) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// Add extraheader (auth)
|
||||
const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
|
||||
core.setSecret(base64Credentials);
|
||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
|
||||
yield git.config(authConfigKey, authConfigValue);
|
||||
});
|
||||
}
|
||||
function removeGitConfig(git, configKey) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
if ((yield git.configExists(configKey)) &&
|
||||
!(yield git.tryConfigUnset(configKey))) {
|
||||
// Load the config contents
|
||||
core.warning(`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`);
|
||||
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
|
||||
fsHelper.fileExistsSync(configPath);
|
||||
let contents = fs.readFileSync(configPath).toString() || '';
|
||||
// Filter - only includes lines that do not contain the config key
|
||||
const upperConfigKey = configKey.toUpperCase();
|
||||
const split = contents
|
||||
.split('\n')
|
||||
.filter(x => !x.toUpperCase().includes(upperConfigKey));
|
||||
contents = split.join('\n');
|
||||
// Rewrite the config file
|
||||
fs.writeFileSync(configPath, contents);
|
||||
core.warning(`Failed to remove '${configKey}' from the git config`);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
@ -8403,12 +8405,12 @@ const retryHelper = __importStar(__webpack_require__(587));
|
|||
const toolCache = __importStar(__webpack_require__(533));
|
||||
const v4_1 = __importDefault(__webpack_require__(826));
|
||||
const IS_WINDOWS = process.platform === 'win32';
|
||||
function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPath) {
|
||||
function downloadRepository(authToken, owner, repo, ref, commit, repositoryPath) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
// Download the archive
|
||||
let archiveData = yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () {
|
||||
core.info('Downloading the archive');
|
||||
return yield downloadArchive(accessToken, owner, repo, ref, commit);
|
||||
return yield downloadArchive(authToken, owner, repo, ref, commit);
|
||||
}));
|
||||
// Write archive to disk
|
||||
core.info('Writing archive to disk');
|
||||
|
@ -8449,9 +8451,9 @@ function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPat
|
|||
});
|
||||
}
|
||||
exports.downloadRepository = downloadRepository;
|
||||
function downloadArchive(accessToken, owner, repo, ref, commit) {
|
||||
function downloadArchive(authToken, owner, repo, ref, commit) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const octokit = new github.GitHub(accessToken);
|
||||
const octokit = new github.GitHub(authToken);
|
||||
const params = {
|
||||
owner: owner,
|
||||
repo: repo,
|
||||
|
@ -12764,8 +12766,11 @@ function getInputs() {
|
|||
// LFS
|
||||
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE';
|
||||
core.debug(`lfs = ${result.lfs}`);
|
||||
// Access token
|
||||
result.accessToken = core.getInput('token');
|
||||
// Auth token
|
||||
result.authToken = core.getInput('token');
|
||||
// Persist credentials
|
||||
result.persistCredentials =
|
||||
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE';
|
||||
return result;
|
||||
}
|
||||
exports.getInputs = getInputs;
|
||||
|
|
|
@ -116,7 +116,7 @@ class GitCommandManager {
|
|||
}
|
||||
|
||||
async config(configKey: string, configValue: string): Promise<void> {
|
||||
await this.execGit(['config', configKey, configValue])
|
||||
await this.execGit(['config', '--local', configKey, configValue])
|
||||
}
|
||||
|
||||
async configExists(configKey: string): Promise<boolean> {
|
||||
|
@ -124,7 +124,7 @@ class GitCommandManager {
|
|||
return `\\${x}`
|
||||
})
|
||||
const output = await this.execGit(
|
||||
['config', '--name-only', '--get-regexp', pattern],
|
||||
['config', '--local', '--name-only', '--get-regexp', pattern],
|
||||
true
|
||||
)
|
||||
return output.exitCode === 0
|
||||
|
@ -211,20 +211,23 @@ class GitCommandManager {
|
|||
|
||||
async tryConfigUnset(configKey: string): Promise<boolean> {
|
||||
const output = await this.execGit(
|
||||
['config', '--unset-all', configKey],
|
||||
['config', '--local', '--unset-all', configKey],
|
||||
true
|
||||
)
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
|
||||
const output = await this.execGit(['config', 'gc.auto', '0'], true)
|
||||
const output = await this.execGit(
|
||||
['config', '--local', 'gc.auto', '0'],
|
||||
true
|
||||
)
|
||||
return output.exitCode === 0
|
||||
}
|
||||
|
||||
async tryGetFetchUrl(): Promise<string> {
|
||||
const output = await this.execGit(
|
||||
['config', '--get', 'remote.origin.url'],
|
||||
['config', '--local', '--get', 'remote.origin.url'],
|
||||
true
|
||||
)
|
||||
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
import * as core from '@actions/core'
|
||||
import * as coreCommand from '@actions/core/lib/command'
|
||||
import * as fs from 'fs'
|
||||
import * as fsHelper from './fs-helper'
|
||||
import * as gitCommandManager from './git-command-manager'
|
||||
|
@ -21,7 +20,8 @@ export interface ISourceSettings {
|
|||
clean: boolean
|
||||
fetchDepth: number
|
||||
lfs: boolean
|
||||
accessToken: string
|
||||
authToken: string
|
||||
persistCredentials: boolean
|
||||
}
|
||||
|
||||
export async function getSource(settings: ISourceSettings): Promise<void> {
|
||||
|
@ -65,7 +65,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
|
|||
`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
|
||||
)
|
||||
await githubApiHelper.downloadRepository(
|
||||
settings.accessToken,
|
||||
settings.authToken,
|
||||
settings.repositoryOwner,
|
||||
settings.repositoryName,
|
||||
settings.ref,
|
||||
|
@ -94,14 +94,9 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
|
|||
// Remove possible previous extraheader
|
||||
await removeGitConfig(git, authConfigKey)
|
||||
|
||||
// Add extraheader (auth)
|
||||
const base64Credentials = Buffer.from(
|
||||
`x-access-token:${settings.accessToken}`,
|
||||
'utf8'
|
||||
).toString('base64')
|
||||
core.setSecret(base64Credentials)
|
||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
|
||||
await git.config(authConfigKey, authConfigValue)
|
||||
try {
|
||||
// Config auth token
|
||||
await configureAuthToken(git, settings.authToken)
|
||||
|
||||
// LFS install
|
||||
if (settings.lfs) {
|
||||
|
@ -131,6 +126,11 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
|
|||
|
||||
// Dump some info about the checked out commit
|
||||
await git.log1()
|
||||
} finally {
|
||||
if (!settings.persistCredentials) {
|
||||
await removeGitConfig(git, authConfigKey)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -255,6 +255,20 @@ async function prepareExistingDirectory(
|
|||
}
|
||||
}
|
||||
|
||||
async function configureAuthToken(
|
||||
git: IGitCommandManager,
|
||||
authToken: string
|
||||
): Promise<void> {
|
||||
// Add extraheader (auth)
|
||||
const base64Credentials = Buffer.from(
|
||||
`x-access-token:${authToken}`,
|
||||
'utf8'
|
||||
).toString('base64')
|
||||
core.setSecret(base64Credentials)
|
||||
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
|
||||
await git.config(authConfigKey, authConfigValue)
|
||||
}
|
||||
|
||||
async function removeGitConfig(
|
||||
git: IGitCommandManager,
|
||||
configKey: string
|
||||
|
@ -264,21 +278,6 @@ async function removeGitConfig(
|
|||
!(await git.tryConfigUnset(configKey))
|
||||
) {
|
||||
// Load the config contents
|
||||
core.warning(
|
||||
`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
|
||||
)
|
||||
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
|
||||
fsHelper.fileExistsSync(configPath)
|
||||
let contents = fs.readFileSync(configPath).toString() || ''
|
||||
|
||||
// Filter - only includes lines that do not contain the config key
|
||||
const upperConfigKey = configKey.toUpperCase()
|
||||
const split = contents
|
||||
.split('\n')
|
||||
.filter(x => !x.toUpperCase().includes(upperConfigKey))
|
||||
contents = split.join('\n')
|
||||
|
||||
// Rewrite the config file
|
||||
fs.writeFileSync(configPath, contents)
|
||||
core.warning(`Failed to remove '${configKey}' from the git config`)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ import {ReposGetArchiveLinkParams} from '@octokit/rest'
|
|||
const IS_WINDOWS = process.platform === 'win32'
|
||||
|
||||
export async function downloadRepository(
|
||||
accessToken: string,
|
||||
authToken: string,
|
||||
owner: string,
|
||||
repo: string,
|
||||
ref: string,
|
||||
|
@ -22,7 +22,7 @@ export async function downloadRepository(
|
|||
// Download the archive
|
||||
let archiveData = await retryHelper.execute(async () => {
|
||||
core.info('Downloading the archive')
|
||||
return await downloadArchive(accessToken, owner, repo, ref, commit)
|
||||
return await downloadArchive(authToken, owner, repo, ref, commit)
|
||||
})
|
||||
|
||||
// Write archive to disk
|
||||
|
@ -68,13 +68,13 @@ export async function downloadRepository(
|
|||
}
|
||||
|
||||
async function downloadArchive(
|
||||
accessToken: string,
|
||||
authToken: string,
|
||||
owner: string,
|
||||
repo: string,
|
||||
ref: string,
|
||||
commit: string
|
||||
): Promise<Buffer> {
|
||||
const octokit = new github.GitHub(accessToken)
|
||||
const octokit = new github.GitHub(authToken)
|
||||
const params: ReposGetArchiveLinkParams = {
|
||||
owner: owner,
|
||||
repo: repo,
|
||||
|
|
|
@ -97,8 +97,12 @@ export function getInputs(): ISourceSettings {
|
|||
result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
|
||||
core.debug(`lfs = ${result.lfs}`)
|
||||
|
||||
// Access token
|
||||
result.accessToken = core.getInput('token')
|
||||
// Auth token
|
||||
result.authToken = core.getInput('token')
|
||||
|
||||
// Persist credentials
|
||||
result.persistCredentials =
|
||||
(core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
|
||||
|
||||
return result
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue