Prepare 4.2.0 release (#1878)

* Bump package version to 4.1.8

* Add v4.1.8 changelog

* Bump version to `4.2.0`

.github/dependabot.yml

@@ -0,0 +1,20 @@
+---
+version: 2
+
+updates:
+- package-ecosystem: "npm"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  groups:
+    minor-npm-dependencies:
+      # NPM: Only group minor and patch updates (we want to carefully review major updates)
+      update-types: [minor, patch]
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  groups:
+    minor-actions-dependencies:
+      # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates)
+      update-types: [minor, patch]

.github/workflows/check-dist.yml

@@ -22,10 +22,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.6
 
       - name: Set Node.js 20.x
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
 
@@ -44,7 +44,7 @@ jobs:
           fi
 
       # If dist/ was different than expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/codeql-analysis.yml

@@ -39,10 +39,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4.1.6
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,4 +55,4 @@ jobs:
     - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/test.yml

@@ -7,14 +7,19 @@ on:
       - main
       - releases/*
 
+
+# Note that when you see patterns like "ref: test-data/v2/basic" within this workflow,
+# these refer to "test-data" branches on this actions/checkout repo.
+# (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@v1
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.x
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout
       - name: Checkout basic
@@ -95,6 +100,16 @@ jobs:
       - name: Verify sparse checkout
         run: __test__/verify-sparse-checkout.sh
 
+      # Disabled sparse checkout in existing checkout
+      - name: Disabled sparse checkout
+        uses: ./
+        with:
+          path: sparse-checkout
+
+      - name: Verify disabled sparse checkout
+        shell: bash
+        run: set -x && ls -l sparse-checkout/src/git-command-manager.ts
+
       # Sparse checkout (non-cone mode)
       - name: Sparse checkout (non-cone mode)
         uses: ./
@@ -175,7 +190,7 @@ jobs:
   test-proxy:
     runs-on: ubuntu-latest
     container:
-      image: alpine/git:latest
+      image: ghcr.io/actions/test-ubuntu-git:main.20240221.114913.703z
       options: --dns 127.0.0.1
     services:
       squid-proxy:
@@ -187,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -219,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -242,20 +257,20 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
+
   test-git-container:
     runs-on: ubuntu-latest
     container: bitnami/git:latest
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.6
         with:
-          path: v3
+          path: localClone
 
       # Basic checkout using git
       - name: Checkout basic
-        uses: ./v3
+        uses: ./localClone
         with:
           ref: test-data/v2/basic
       - name: Verify basic
@@ -276,7 +291,41 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
+      - name: Fix Checkout v4
+        uses: actions/checkout@v4.1.6
         with:
-          path: v3
+          path: localClone
+
+  test-output:
+    runs-on: ubuntu-latest
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v4.1.6
+
+      # Basic checkout using git
+      - name: Checkout basic
+        id: checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+
+      # Verify output
+      - name: Verify output
+        run: |
+          echo "Commit: ${{ steps.checkout.outputs.commit }}"
+          echo "Ref: ${{ steps.checkout.outputs.ref }}"
+
+          if [ "${{ steps.checkout.outputs.ref }}" != "test-data/v2/basic" ]; then
+            echo "Expected ref to be test-data/v2/basic"
+            exit 1
+          fi
+
+          if [ "${{ steps.checkout.outputs.commit }}" != "82f71901cf8c021332310dcc8cdba84c4193ff5d" ]; then
+            echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
+            exit 1
+          fi
+
+      # needed to make checkout post cleanup succeed
+      - name: Fix Checkout
+        uses: actions/checkout@v4.1.6

.github/workflows/update-main-version.yml

@@ -19,13 +19,16 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    # Note this update workflow can also be used as a rollback tool.
+    # For that reason, it's best to pin `actions/checkout` to a known, stable version
+    # (typically, about two releases back).
+    - uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
     - name: Git config
       run: |
-        git config user.name github-actions
-        git config user.email github-actions@github.com
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
     - name: Tag new target
       run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
     - name: Push new tag

.github/workflows/update-test-ubuntu-git.yml

@@ -0,0 +1,59 @@
+name: Publish test-ubuntu-git Container
+
+on:
+  # Use an on demand workflow trigger.  
+  # (Forked copies of actions/checkout won't have permission to update GHCR.io/actions, 
+  #  so avoid trigger events that run automatically.)
+  workflow_dispatch:
+    inputs:
+      publish:
+        description:  'Publish to ghcr.io? (main branch only)'
+        type: boolean
+        required: true
+        default: false
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: actions/test-ubuntu-git
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+ 
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Use `docker/login-action` to log in to GHCR.io. 
+      # Once published, the packages are scoped to the account defined here.
+      - name: Log in to the ghcr.io container registry
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Format Timestamp
+        id: timestamp
+        # Use `date` with a custom format to achieve the key=value format GITHUB_OUTPUT expects.
+        run: date -u "+now=%Y%m%d.%H%M%S.%3NZ" >> "$GITHUB_OUTPUT"
+
+      - name: Issue Image Publish Warning
+        if:  ${{ inputs.publish && github.ref_name != 'main' }}
+        run: echo "::warning::test-ubuntu-git images can only be published from the actions/checkout 'main' branch.  Workflow will continue with push/publish disabled."
+
+      # Use `docker/build-push-action` to build (and optionally publish) the image. 
+      - name: Build Docker Image (with optional Push)
+        uses: docker/build-push-action@v6.5.0
+        with:
+          context: .
+          file: images/test-ubuntu-git.Dockerfile
+          # For now, attempts to push to ghcr.io must target the `main` branch.
+          # In the future, consider also allowing attempts from `releases/*` branches.
+          push: ${{ inputs.publish && github.ref_name == 'main' }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}.${{ steps.timestamp.outputs.now }}

.licenses/npm/@actions/github.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/github"
-version: 6.0.1
+version: 6.0.0
 type: npm
 summary: Actions github lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/github

.licenses/npm/@actions/http-client-3.0.2.dep.yml

@@ -1,32 +0,0 @@
----
-name: "@actions/http-client"
-version: 3.0.2
-type: npm
-summary: Actions Http Client
-homepage: https://github.com/actions/toolkit/tree/main/packages/http-client
-license: other
-licenses:
-- sources: LICENSE
-  text: |
-    Actions Http Client for Node.js
-
-    Copyright (c) GitHub, Inc.
-
-    All rights reserved.
-
-    MIT License
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
-    associated documentation files (the "Software"), to deal in the Software without restriction,
-    including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
-    and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
-    subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
-    LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
-    NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-    WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-    SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-notices: []

.licenses/npm/@actions/http-client.dep.yml

@@ -1,10 +1,10 @@
 ---
 name: "@actions/http-client"
-version: 2.1.0
+version: 2.2.1
 type: npm
 summary: Actions Http Client
 homepage: https://github.com/actions/toolkit/tree/main/packages/http-client
-license: other
+license: mit
 licenses:
 - sources: LICENSE
   text: |

.licenses/npm/@fastify/busboy.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@fastify/busboy"
-version: 2.0.0
+version: 2.1.1
 type: npm
 summary: A streaming parser for HTML form data for node.js
 homepage: 

.licenses/npm/@octokit/auth-token.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/auth-token"
-version: 3.0.4
+version: 4.0.0
 type: npm
 summary: GitHub API token authentication for browsers and Node.js
 homepage: 

.licenses/npm/@octokit/core.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/core"
-version: 4.2.4
+version: 5.2.0
 type: npm
 summary: Extendable client for GitHub's REST & GraphQL APIs
 homepage: 

.licenses/npm/@octokit/endpoint.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/endpoint"
-version: 7.0.6
+version: 9.0.5
 type: npm
 summary: Turns REST API endpoints into generic request options
 homepage: 

.licenses/npm/@octokit/graphql.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/graphql"
-version: 5.0.6
+version: 7.1.0
 type: npm
 summary: GitHub GraphQL API client for browsers and Node
 homepage: 

.licenses/npm/@octokit/openapi-types-20.0.0.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/openapi-types"
-version: 18.1.1
+version: 20.0.0
 type: npm
 summary: Generated TypeScript definitions based on GitHub's OpenAPI spec for api.github.com
 homepage: 

.licenses/npm/@octokit/openapi-types-22.1.0.dep.yml

@@ -1,18 +1,18 @@
 ---
-name: "@octokit/tsconfig"
-version: 1.0.2
+name: "@octokit/openapi-types"
+version: 22.1.0
 type: npm
-summary: TypeScript configuration for Octokit packages
+summary: Generated TypeScript definitions based on GitHub's OpenAPI spec for api.github.com
 homepage: 
 license: mit
 licenses:
 - sources: LICENSE
-  text: |
-    MIT License Copyright (c) 2020 Octokit contributors
+  text: |-
+    Copyright 2020 Gregor Martynus
 
     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
-    The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 - sources: README.md

.licenses/npm/@octokit/plugin-paginate-rest.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/plugin-paginate-rest"
-version: 6.1.2
+version: 9.2.1
 type: npm
 summary: Octokit plugin to paginate REST API endpoint responses
 homepage: 

.licenses/npm/@octokit/plugin-rest-endpoint-methods.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/plugin-rest-endpoint-methods"
-version: 7.2.3
+version: 10.4.1
 type: npm
 summary: Octokit plugin adding one method for all of api.github.com REST API endpoints
 homepage: 

.licenses/npm/@octokit/request-error.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/request-error"
-version: 3.0.3
+version: 5.1.0
 type: npm
 summary: Error class for Octokit request errors
 homepage: 

.licenses/npm/@octokit/request.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/request"
-version: 6.2.8
+version: 8.4.0
 type: npm
 summary: Send parameterized requests to GitHub's APIs with sensible defaults in browsers
   and Node

.licenses/npm/@octokit/types-12.6.0.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/types"
-version: 10.0.0
+version: 12.6.0
 type: npm
 summary: Shared TypeScript definitions for Octokit projects
 homepage: 

.licenses/npm/@octokit/types-13.4.1.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/types"
-version: 9.3.2
+version: 13.4.1
 type: npm
 summary: Shared TypeScript definitions for Octokit projects
 homepage: 

.licenses/npm/is-plain-object.dep.yml

@@ -1,40 +0,0 @@
----
-name: is-plain-object
-version: 5.0.0
-type: npm
-summary: Returns true if an object was created by the `Object` constructor, or Object.create(null).
-homepage: https://github.com/jonschlinkert/is-plain-object
-license: mit
-licenses:
-- sources: LICENSE
-  text: |
-    The MIT License (MIT)
-
-    Copyright (c) 2014-2017, Jon Schlinkert.
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to deal
-    in the Software without restriction, including without limitation the rights
-    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-    copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-    THE SOFTWARE.
-- sources: README.md
-  text: |-
-    Copyright © 2019, [Jon Schlinkert](https://github.com/jonschlinkert).
-    Released under the [MIT License](LICENSE).
-
-    ***
-
-    _This file was generated by [verb-generate-readme](https://github.com/verbose/verb-generate-readme), v0.8.0, on April 28, 2019._
-notices: []

.licenses/npm/node-fetch.dep.yml

@@ -1,56 +0,0 @@
----
-name: node-fetch
-version: 2.7.0
-type: npm
-summary: A light-weight module that brings window.fetch to node.js
-homepage: https://github.com/bitinn/node-fetch
-license: mit
-licenses:
-- sources: LICENSE.md
-  text: |+
-    The MIT License (MIT)
-
-    Copyright (c) 2016 David Frank
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to deal
-    in the Software without restriction, including without limitation the rights
-    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-    copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all
-    copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-    SOFTWARE.
-
-- sources: README.md
-  text: |-
-    MIT
-
-    [npm-image]: https://flat.badgen.net/npm/v/node-fetch
-    [npm-url]: https://www.npmjs.com/package/node-fetch
-    [travis-image]: https://flat.badgen.net/travis/bitinn/node-fetch
-    [travis-url]: https://travis-ci.org/bitinn/node-fetch
-    [codecov-image]: https://flat.badgen.net/codecov/c/github/bitinn/node-fetch/master
-    [codecov-url]: https://codecov.io/gh/bitinn/node-fetch
-    [install-size-image]: https://flat.badgen.net/packagephobia/install/node-fetch
-    [install-size-url]: https://packagephobia.now.sh/result?p=node-fetch
-    [discord-image]: https://img.shields.io/discord/619915844268326952?color=%237289DA&label=Discord&style=flat-square
-    [discord-url]: https://discord.gg/Zxbndcm
-    [opencollective-image]: https://opencollective.com/node-fetch/backers.svg
-    [opencollective-url]: https://opencollective.com/node-fetch
-    [whatwg-fetch]: https://fetch.spec.whatwg.org/
-    [response-init]: https://fetch.spec.whatwg.org/#responseinit
-    [node-readable]: https://nodejs.org/api/stream.html#stream_readable_streams
-    [mdn-headers]: https://developer.mozilla.org/en-US/docs/Web/API/Headers
-    [LIMITS.md]: https://github.com/bitinn/node-fetch/blob/master/LIMITS.md
-    [ERROR-HANDLING.md]: https://github.com/bitinn/node-fetch/blob/master/ERROR-HANDLING.md
-    [UPGRADE-GUIDE.md]: https://github.com/bitinn/node-fetch/blob/master/UPGRADE-GUIDE.md
-notices: []

.licenses/npm/semver.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: semver
-version: 6.3.0
+version: 6.3.1
 type: npm
 summary: The semantic version parser used by npm.
 homepage: 

.licenses/npm/tr46.dep.yml

@@ -1,30 +0,0 @@
----
-name: tr46
-version: 0.0.3
-type: npm
-summary: An implementation of the Unicode TR46 spec
-homepage: https://github.com/Sebmaster/tr46.js#readme
-license: mit
-licenses:
-- sources: Auto-generated MIT license text
-  text: |
-    MIT License
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to deal
-    in the Software without restriction, including without limitation the rights
-    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-    copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all
-    copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-    SOFTWARE.
-notices: []

.licenses/npm/undici.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: undici
-version: 5.25.4
+version: 5.28.4
 type: npm
 summary: An HTTP/1.1 client, written from scratch for Node.js
 homepage: https://undici.nodejs.org

.licenses/npm/universal-user-agent.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: universal-user-agent
-version: 6.0.0
+version: 6.0.1
 type: npm
 summary: Get a user agent string in both browser and node
 homepage: 

.licenses/npm/uuid-9.0.1.dep.yml

@@ -0,0 +1,20 @@
+---
+name: uuid
+version: 9.0.1
+type: npm
+summary: RFC4122 (v1, v4, and v5) UUIDs
+homepage: 
+license: mit
+licenses:
+- sources: LICENSE.md
+  text: |
+    The MIT License (MIT)
+
+    Copyright (c) 2010-2020 Robert Kieffer and other contributors
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+notices: []

.licenses/npm/webidl-conversions.dep.yml

@@ -1,23 +0,0 @@
----
-name: webidl-conversions
-version: 3.0.1
-type: npm
-summary: Implements the WebIDL algorithms for converting to and from JavaScript values
-homepage: https://github.com/jsdom/webidl-conversions#readme
-license: bsd-2-clause
-licenses:
-- sources: LICENSE.md
-  text: |
-    # The BSD 2-Clause License
-
-    Copyright (c) 2014, Domenic Denicola
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-notices: []

.licenses/npm/whatwg-url.dep.yml

@@ -1,32 +0,0 @@
----
-name: whatwg-url
-version: 5.0.0
-type: npm
-summary: An implementation of the WHATWG URL Standard's URL API and parsing machinery
-homepage: https://github.com/jsdom/whatwg-url#readme
-license: mit
-licenses:
-- sources: LICENSE.txt
-  text: |
-    The MIT License (MIT)
-
-    Copyright (c) 2015–2016 Sebastian Mayr
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to deal
-    in the Software without restriction, including without limitation the rights
-    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-    copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-    THE SOFTWARE.
-notices: []

CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## v4.2.0
+
+* Add Ref and Commit outputs by @lucacome in https://github.com/actions/checkout/pull/1180
+* Dependency updates by @dependabot- https://github.com/actions/checkout/pull/1777, https://github.com/actions/checkout/pull/1872
+
+## v4.1.7
+* Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in https://github.com/actions/checkout/pull/1739
+* Bump actions/checkout from 3 to 4 by @dependabot in https://github.com/actions/checkout/pull/1697
+* Check out other refs/* by commit by @orhantoy in https://github.com/actions/checkout/pull/1774
+* Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in https://github.com/actions/checkout/pull/1776
+
+## v4.1.6
+* Check platform to set archive extension appropriately by @cory-miller in https://github.com/actions/checkout/pull/1732
+
+## v4.1.5
+* Update NPM dependencies by @cory-miller in https://github.com/actions/checkout/pull/1703
+* Bump github/codeql-action from 2 to 3 by @dependabot in https://github.com/actions/checkout/pull/1694
+* Bump actions/setup-node from 1 to 4 by @dependabot in https://github.com/actions/checkout/pull/1696
+* Bump actions/upload-artifact from 2 to 4 by @dependabot in https://github.com/actions/checkout/pull/1695
+* README: Suggest `user.email` to be `41898282+github-actions[bot]@users.noreply.github.com` by @cory-miller in https://github.com/actions/checkout/pull/1707
+
+## v4.1.4
+- Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1692
+- Add dependabot config by @cory-miller in https://github.com/actions/checkout/pull/1688
+- Bump the minor-actions-dependencies group with 2 updates by @dependabot in https://github.com/actions/checkout/pull/1693
+- Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in https://github.com/actions/checkout/pull/1643
+
+## v4.1.3
+- Check git version before attempting to disable `sparse-checkout` by @jww3 in https://github.com/actions/checkout/pull/1656
+- Add SSH user parameter by @cory-miller in https://github.com/actions/checkout/pull/1685
+- Update `actions/checkout` version in `update-main-version.yml` by @jww3 in https://github.com/actions/checkout/pull/1650
+
+## v4.1.2
+- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present @dscho in https://github.com/actions/checkout/pull/1598
+
+## v4.1.1
+- Correct link to GitHub Docs by @peterbe in https://github.com/actions/checkout/pull/1511
+- Link to release page from what's new section by @cory-miller in https://github.com/actions/checkout/pull/1514
+
 ## v4.1.0
 - [Add support for partial checkout filters](https://github.com/actions/checkout/pull/1396)
 

CODEOWNERS

@@ -1 +1 @@
-* @actions/actions-runtime
+* @actions/actions-launch

README.md

@@ -4,7 +4,7 @@
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth: 0` to fetch all history for all branches and tags. Refer [here](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
 The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
 
@@ -12,9 +12,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 # What's new
 
-- Updated default runtime to node20
-  - This requires a minimum Actions Runner version of [v2.308.0](https://github.com/actions/runner/releases/tag/v2.308.0).
-- Added support for fetching without the `--progress` option
+Please refer to the [release page](https://github.com/actions/checkout/releases/latest) for the latest release notes.
 
 # Usage
 
@@ -64,6 +62,11 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
     # Default: true
     ssh-strict: ''
 
+    # The user to use when connecting to the remote SSH host. By default 'git' is
+    # used.
+    # Default: git
+    ssh-user: ''
+
     # Whether to configure the token or SSH key with the local git config
     # Default: true
     persist-credentials: ''
@@ -276,12 +279,14 @@ jobs:
       - uses: actions/checkout@v4
       - run: |
           date > generated.txt
-          git config user.name github-actions
-          git config user.email github-actions@github.com
+          # Note: the following account information will not work on GHES
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .
           git commit -m "generated"
           git push
 ```
+*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
 
 # License
 

__test__/git-auth-helper.test.ts

@@ -727,6 +727,7 @@ async function setup(testName: string): Promise<void> {
     branchDelete: jest.fn(),
     branchExists: jest.fn(),
     branchList: jest.fn(),
+    disableSparseCheckout: jest.fn(),
     sparseCheckout: jest.fn(),
     sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
@@ -795,7 +796,8 @@ async function setup(testName: string): Promise<void> {
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
-    tryReset: jest.fn()
+    tryReset: jest.fn(),
+    version: jest.fn()
   }
 
   settings = {
@@ -819,6 +821,7 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
+    sshUser: '',
     workflowOrganizationId: 123456,
     setSafeDirectory: true,
     githubServerUrl: githubServerUrl

__test__/git-directory-helper.test.ts

@@ -462,6 +462,7 @@ async function setup(testName: string): Promise<void> {
     branchList: jest.fn(async () => {
       return []
     }),
+    disableSparseCheckout: jest.fn(),
     sparseCheckout: jest.fn(),
     sparseCheckoutNonConeMode: jest.fn(),
     checkout: jest.fn(),
@@ -500,6 +501,7 @@ async function setup(testName: string): Promise<void> {
     }),
     tryReset: jest.fn(async () => {
       return true
-    })
+    }),
+    version: jest.fn()
   }
 }

__test__/git-version.test.ts

@@ -1,4 +1,5 @@
-import {GitVersion} from '../lib/git-version'
+import {GitVersion} from '../src/git-version'
+import {MinimumGitSparseCheckoutVersion} from '../src/git-command-manager'
 
 describe('git-version tests', () => {
   it('basics', async () => {
@@ -42,4 +43,44 @@ describe('git-version tests', () => {
     expect(version.checkMinimum(new GitVersion('5.1'))).toBeFalsy()
     expect(version.checkMinimum(new GitVersion('5.1.2'))).toBeFalsy()
   })
+
+  it('sparse checkout', async () => {
+    const minSparseVer = MinimumGitSparseCheckoutVersion
+    expect(new GitVersion('1.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('1.99').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.24.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.25.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.26.9').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.0').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.1').checkMinimum(minSparseVer)).toBeFalsy()
+    expect(new GitVersion('2.27.9').checkMinimum(minSparseVer)).toBeFalsy()
+    //                             /---------------------------------------
+    //         ^^^ before         /         after vvv
+    // --------------------------/
+    expect(new GitVersion('2.28').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.1').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.28.9').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.1').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.29.9').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('2.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('3.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('3.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('4.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('4.99').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('5.0').checkMinimum(minSparseVer)).toBeTruthy()
+    expect(new GitVersion('5.99').checkMinimum(minSparseVer)).toBeTruthy()
+  })
 })

__test__/ref-helper.test.ts

@@ -67,6 +67,16 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
+  it('getCheckoutInfo refs/', async () => {
+    const checkoutInfo = await refHelper.getCheckoutInfo(
+      git,
+      'refs/gh/queue/main/pr-123',
+      commit
+    )
+    expect(checkoutInfo.ref).toBe(commit)
+    expect(checkoutInfo.startPoint).toBeFalsy()
+  })
+
   it('getCheckoutInfo unqualified branch only', async () => {
     git.branchExists = jest.fn(async (remote: boolean, pattern: string) => {
       return true

__test__/verify-basic.sh

@@ -18,6 +18,20 @@ else
     exit 1
   fi
 
+  # Verify that sparse-checkout is disabled.
+  SPARSE_CHECKOUT_ENABLED=$(git -C ./basic config --local --get-all core.sparseCheckout)
+  if [ "$SPARSE_CHECKOUT_ENABLED" != "" ]; then
+    echo "Expected sparse-checkout to be disabled (discovered: $SPARSE_CHECKOUT_ENABLED)"
+    exit 1
+  fi
+
+  # Verify git configuration shows worktreeConfig is effectively disabled
+  WORKTREE_CONFIG_ENABLED=$(git -C ./basic config --local --get-all extensions.worktreeConfig)
+  if [[ "$WORKTREE_CONFIG_ENABLED" != "" ]]; then
+    echo "Expected extensions.worktreeConfig (boolean) to be disabled in git config.  This could be an artifact of sparse checkout functionality."
+    exit 1
+  fi
+
   # Verify auth token
   cd basic
   git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main

action.yml

@@ -45,6 +45,10 @@ inputs:
       and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
       configure additional hosts.
     default: true
+  ssh-user:
+    description: >
+      The user to use when connecting to the remote SSH host. By default 'git' is used.
+    default: git
   persist-credentials:
     description: 'Whether to configure the token or SSH key with the local git config'
     default: true
@@ -94,6 +98,11 @@ inputs:
   github-server-url:
     description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
     required: false
+outputs:
+  ref:
+    description: 'The branch, tag or SHA that was checked out'
+  commit:
+    description: 'The commit SHA that was checked out'
 runs:
   using: node20
   main: dist/index.js

images/test-ubuntu-git.Dockerfile

@@ -0,0 +1,12 @@
+# Defines the test-ubuntu-git Container Image.
+# Consumed by actions/checkout CI/CD validation workflows.
+
+FROM ubuntu:latest
+
+RUN apt update
+RUN apt install -y git
+
+LABEL org.opencontainers.image.title="Ubuntu + git (validation image)"
+LABEL org.opencontainers.image.description="Ubuntu image with git pre-installed. Intended primarily for testing `actions/checkout` during CI/CD workflows."
+LABEL org.opencontainers.image.documentation="https://github.com/actions/checkout/tree/main/images/test-ubuntu-git.md"
+LABEL org.opencontainers.image.licenses=MIT

images/test-ubuntu-git.md

@@ -0,0 +1,15 @@
+# `test-ubuntu-git` Container Image
+
+[![Publish test-ubuntu-git Container](https://github.com/actions/checkout/actions/workflows/update-test-ubuntu-git.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/update-test-ubuntu-git.yml)
+
+## Purpose
+
+`test-ubuntu-git` is a container image hosted on the GitHub Container Registry, `ghcr.io`.  
+
+It is intended primarily for testing the [`actions/checkout` repository](https://github.com/actions/checkout) as part of `actions/checkout`'s CI/CD workflows.
+
+The composition of `test-ubuntu-git` is intentionally minimal.  It is comprised of [git](https://git-scm.com/) installed on top of a [base-level ubuntu image](https://hub.docker.com/_/ubuntu/tags).
+
+# License
+
+`test-ubuntu-git` is released under the [MIT License](/LICENSE).

jest.config.js

@@ -1,5 +1,6 @@
 module.exports = {
   clearMocks: true,
+  fakeTimers: {},
   moduleFileExtensions: ['js', 'ts'],
   testEnvironment: 'node',
   testMatch: ['**/*.test.ts'],

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "4.1.0",
+  "version": "4.2.0",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -30,26 +30,26 @@
   "dependencies": {
     "@actions/core": "^1.10.1",
     "@actions/exec": "^1.1.1",
-    "@actions/github": "file:actions-github-6.0.2.tgz",
+    "@actions/github": "^6.0.0",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.1",
-    "uuid": "^3.3.3"
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.5",
-    "@types/node": "^20.8.2",
-    "@types/uuid": "^3.4.6",
-    "@typescript-eslint/eslint-plugin": "^6.7.4",
-    "@typescript-eslint/parser": "^6.7.4",
-    "@vercel/ncc": "^0.38.0",
-    "eslint": "^8.50.0",
-    "eslint-plugin-github": "^4.10.1",
-    "eslint-plugin-jest": "^27.4.2",
+    "@types/jest": "^29.5.12",
+    "@types/node": "^20.12.12",
+    "@types/uuid": "^9.0.8",
+    "@typescript-eslint/eslint-plugin": "^7.9.0",
+    "@typescript-eslint/parser": "^7.9.0",
+    "@vercel/ncc": "^0.38.1",
+    "eslint": "^8.57.0",
+    "eslint-plugin-github": "^4.10.2",
+    "eslint-plugin-jest": "^28.8.2",
     "jest": "^29.7.0",
     "jest-circus": "^29.7.0",
-    "js-yaml": "^3.13.1",
-    "prettier": "^3.0.3",
-    "ts-jest": "^29.1.1",
-    "typescript": "^5.2.2"
+    "js-yaml": "^4.1.0",
+    "prettier": "^3.3.3",
+    "ts-jest": "^29.2.5",
+    "typescript": "^5.5.4"
   }
 }

src/git-auth-helper.ts

@@ -8,7 +8,7 @@ import * as path from 'path'
 import * as regexpHelper from './regexp-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
-import {default as uuid} from 'uuid/v4'
+import {v4 as uuid} from 'uuid'
 import {IGitCommandManager} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 

src/git-command-manager.ts

@@ -11,12 +11,15 @@ import {GitVersion} from './git-version'
 
 // Auth header not supported before 2.9
 // Wire protocol v2 not supported before 2.18
+// sparse-checkout not [well-]supported before 2.28 (see https://github.com/actions/checkout/issues/1386)
 export const MinimumGitVersion = new GitVersion('2.18')
+export const MinimumGitSparseCheckoutVersion = new GitVersion('2.28')
 
 export interface IGitCommandManager {
   branchDelete(remote: boolean, branch: string): Promise<void>
   branchExists(remote: boolean, pattern: string): Promise<boolean>
   branchList(remote: boolean): Promise<string[]>
+  disableSparseCheckout(): Promise<void>
   sparseCheckout(sparseCheckout: string[]): Promise<void>
   sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void>
   checkout(ref: string, startPoint: string): Promise<void>
@@ -59,6 +62,7 @@ export interface IGitCommandManager {
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
   tryReset(): Promise<boolean>
+  version(): Promise<GitVersion>
 }
 
 export async function createCommandManager(
@@ -82,6 +86,7 @@ class GitCommandManager {
   private lfs = false
   private doSparseCheckout = false
   private workingDirectory = ''
+  private gitVersion: GitVersion = new GitVersion()
 
   // Private constructor; use createCommandManager()
   private constructor() {}
@@ -171,6 +176,12 @@ class GitCommandManager {
     return result
   }
 
+  async disableSparseCheckout(): Promise<void> {
+    await this.execGit(['sparse-checkout', 'disable'])
+    // Disabling 'sparse-checkout` leaves behind an undesirable side-effect in config (even in a pristine environment).
+    await this.tryConfigUnset('extensions.worktreeConfig', false)
+  }
+
   async sparseCheckout(sparseCheckout: string[]): Promise<void> {
     await this.execGit(['sparse-checkout', 'set', ...sparseCheckout])
   }
@@ -475,6 +486,10 @@ class GitCommandManager {
     return output.exitCode === 0
   }
 
+  async version(): Promise<GitVersion> {
+    return this.gitVersion
+  }
+
   static async createCommandManager(
     workingDirectory: string,
     lfs: boolean,
@@ -551,23 +566,23 @@ class GitCommandManager {
 
     // Git version
     core.debug('Getting git version')
-    let gitVersion = new GitVersion()
+    this.gitVersion = new GitVersion()
     let gitOutput = await this.execGit(['version'])
     let stdout = gitOutput.stdout.trim()
     if (!stdout.includes('\n')) {
       const match = stdout.match(/\d+\.\d+(\.\d+)?/)
       if (match) {
-        gitVersion = new GitVersion(match[0])
+        this.gitVersion = new GitVersion(match[0])
       }
     }
-    if (!gitVersion.isValid()) {
+    if (!this.gitVersion.isValid()) {
       throw new Error('Unable to determine git version')
     }
 
     // Minimum git version
-    if (!gitVersion.checkMinimum(MinimumGitVersion)) {
+    if (!this.gitVersion.checkMinimum(MinimumGitVersion)) {
       throw new Error(
-        `Minimum required git version is ${MinimumGitVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
+        `Minimum required git version is ${MinimumGitVersion}. Your git ('${this.gitPath}') is ${this.gitVersion}`
       )
     }
 
@@ -601,16 +616,14 @@ class GitCommandManager {
 
     this.doSparseCheckout = doSparseCheckout
     if (this.doSparseCheckout) {
-      // The `git sparse-checkout` command was introduced in Git v2.25.0
-      const minimumGitSparseCheckoutVersion = new GitVersion('2.25')
-      if (!gitVersion.checkMinimum(minimumGitSparseCheckoutVersion)) {
+      if (!this.gitVersion.checkMinimum(MinimumGitSparseCheckoutVersion)) {
         throw new Error(
-          `Minimum Git version required for sparse checkout is ${minimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
+          `Minimum Git version required for sparse checkout is ${MinimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${this.gitVersion}`
         )
       }
     }
     // Set the user agent
-    const gitHttpUserAgent = `git/${gitVersion} (github-actions-checkout)`
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
     core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
     this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
   }

src/git-source-provider.ts

@@ -9,7 +9,10 @@ import * as path from 'path'
 import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
 import * as urlHelper from './url-helper'
-import {IGitCommandManager} from './git-command-manager'
+import {
+  MinimumGitSparseCheckoutVersion,
+  IGitCommandManager
+} from './git-command-manager'
 import {IGitSourceSettings} from './git-source-settings'
 
 export async function getSource(settings: IGitSourceSettings): Promise<void> {
@@ -208,7 +211,13 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     }
 
     // Sparse checkout
-    if (settings.sparseCheckout) {
+    if (!settings.sparseCheckout) {
+      let gitVersion = await git.version()
+      // no need to disable sparse-checkout if the installed git runtime doesn't even support it.
+      if (gitVersion.checkMinimum(MinimumGitSparseCheckoutVersion)) {
+        await git.disableSparseCheckout()
+      }
+    } else {
       core.startGroup('Setting up sparse checkout')
       if (settings.sparseCheckoutConeMode) {
         await git.sparseCheckout(settings.sparseCheckout)
@@ -252,7 +261,8 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     const commitInfo = await git.log1()
 
     // Log commit sha
-    await git.log1("--format='%H'")
+    const commitSHA = await git.log1('--format=%H')
+    core.setOutput('commit', commitSHA.trim())
 
     // Check for incorrect pull request merge commit
     await refHelper.checkCommitInfo(

src/git-source-settings.ts

@@ -94,6 +94,11 @@ export interface IGitSourceSettings {
    */
   sshStrict: boolean
 
+  /**
+   * The SSH user to login as
+   */
+  sshUser: string
+
   /**
    * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
    */

src/github-api-helper.ts

@@ -6,7 +6,7 @@ import * as io from '@actions/io'
 import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
-import {default as uuid} from 'uuid/v4'
+import {v4 as uuid} from 'uuid'
 import {getServerApiUrl} from './url-helper'
 
 const IS_WINDOWS = process.platform === 'win32'
@@ -35,7 +35,9 @@ export async function downloadRepository(
   // Write archive to disk
   core.info('Writing archive to disk')
   const uniqueId = uuid()
-  const archivePath = path.join(repositoryPath, `${uniqueId}.tar.gz`)
+  const archivePath = IS_WINDOWS
+    ? path.join(repositoryPath, `${uniqueId}.zip`)
+    : path.join(repositoryPath, `${uniqueId}.tar.gz`)
   await fs.promises.writeFile(archivePath, archiveData)
   archiveData = Buffer.from('') // Free memory
 

src/input-helper.ts

@@ -143,6 +143,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   result.sshKnownHosts = core.getInput('ssh-known-hosts')
   result.sshStrict =
     (core.getInput('ssh-strict') || 'true').toUpperCase() === 'TRUE'
+  result.sshUser = core.getInput('ssh-user')
 
   // Persist credentials
   result.persistCredentials =

src/main.ts

@@ -19,6 +19,7 @@ async function run(): Promise<void> {
 
       // Get sources
       await gitSourceProvider.getSource(sourceSettings)
+      core.setOutput('ref', sourceSettings.ref)
     } finally {
       // Unregister problem matcher
       coreCommand.issueCommand('remove-matcher', {owner: 'checkout-git'}, '')

src/misc/generate-docs.ts

@@ -20,7 +20,7 @@ function updateUsage(
   }
 
   // Load the action.yml
-  const actionYaml = yaml.safeLoad(fs.readFileSync(actionYamlPath).toString())
+  const actionYaml = yaml.load(fs.readFileSync(actionYamlPath).toString())
 
   // Load the README
   const originalReadme = fs.readFileSync(readmePath).toString()

src/ref-helper.ts

@@ -42,9 +42,13 @@ export async function getCheckoutInfo(
     result.ref = `refs/remotes/pull/${branch}`
   }
   // refs/tags/
-  else if (upperRef.startsWith('REFS/')) {
+  else if (upperRef.startsWith('REFS/TAGS/')) {
     result.ref = ref
   }
+  // refs/
+  else if (upperRef.startsWith('REFS/') && commit) {
+    result.ref = commit
+  }
   // Unqualified ref, check for a matching branch or tag
   else {
     if (await git.branchExists(true, `origin/${ref}`)) {

src/url-helper.ts

@@ -12,7 +12,8 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
   const encodedOwner = encodeURIComponent(settings.repositoryOwner)
   const encodedName = encodeURIComponent(settings.repositoryName)
   if (settings.sshKey) {
-    return `git@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
+    const user = settings.sshUser.length > 0 ? settings.sshUser : 'git'
+    return `${user}@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
   }
 
   // "origin" is SCHEME://HOSTNAME[:PORT]