adr support fetch-refs

* Handle submodules with SSH URLs

This is just a documentation change, explaining how to fix submodules
that are configured to use SSH URLs instead of HTTPS URLs. Spent a while
banging my head on the wall and hope this saves someone else the pain.

This is helpful for teams that use the SSH protocol for local
development so don't want to change the mechanism that pulls in the
submodules. Using `insteadOf` seems a bit nicer than than setting up a
deploy keypair.

* SSH submodules

Co-authored-by: Chris Patterson <chrispat@github.com>

.github/workflows/test.yml

@@ -11,6 +11,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
       - uses: actions/checkout@v2
       - run: npm ci
       - run: npm run build
@@ -83,16 +86,92 @@ jobs:
         shell: bash
         run: __test__/verify-lfs.sh
 
-  test-job-container:
-    runs-on: ubuntu-latest
-    container: alpine:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      # Basic checkout
-      - name: Basic checkout
+      # Basic checkout using REST API
+      - name: Remove basic
+        if: runner.os != 'windows'
+        run: rm -rf basic
+      - name: Remove basic (Windows)
+        if: runner.os == 'windows'
+        shell: cmd
+        run: rmdir /s /q basic
+      - name: Override git version
+        if: runner.os != 'windows'
+        run: __test__/override-git-version.sh
+      - name: Override git version (Windows)
+        if: runner.os == 'windows'
+        run: __test__\\override-git-version.cmd
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
+
+  test-proxy:
+    runs-on: ubuntu-latest
+    container:
+      image: alpine/git:latest
+      options: --dns 127.0.0.1
+    services:
+      squid-proxy:
+        image: datadog/squid:latest
+        ports:
+          - 3128:3128
+    env:
+      https_proxy: http://squid-proxy:3128
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+
+      # Basic checkout using REST API
+      - name: Remove basic
+        run: rm -rf basic
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
+
+  test-bypass-proxy:
+    runs-on: ubuntu-latest
+    env:
+      https_proxy: http://no-such-proxy:3128
+      no_proxy: api.github.com,github.com
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Basic checkout using git
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh
+      - name: Remove basic
+        run: rm -rf basic
+
+      # Basic checkout using REST API
+      - name: Override git version
+        run: __test__/override-git-version.sh
+      - name: Basic checkout using REST API
         uses: ./
         with:
           ref: test-data/v2/basic

README.md

@@ -180,6 +180,8 @@ jobs:
 - name: Checkout submodules
   shell: bash
   run: |
+    # If your submodules are configured to use SSH instead of HTTPS please uncomment the following line
+    # git config --global url."https://github.com/".insteadOf "git@github.com:"
     auth_header="$(git config --local --get http.https://github.com/.extraheader)"
     git submodule sync --recursive
     git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1

__test__/input-helper.test.ts

@@ -1,47 +1,44 @@
 import * as assert from 'assert'
+import * as core from '@actions/core'
+import * as fsHelper from '../lib/fs-helper'
+import * as github from '@actions/github'
+import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
 import {ISourceSettings} from '../lib/git-source-provider'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
 
-// Late bind
-let inputHelper: any
-
-// Mock @actions/core
+// Inputs for mock @actions/core
 let inputs = {} as any
-const mockCore = jest.genMockFromModule('@actions/core') as any
-mockCore.getInput = (name: string) => {
-  return inputs[name]
-}
 
-// Mock @actions/github
-const mockGitHub = jest.genMockFromModule('@actions/github') as any
-mockGitHub.context = {
-  repo: {
-    owner: 'some-owner',
-    repo: 'some-repo'
-  },
-  ref: 'refs/heads/some-ref',
-  sha: '1234567890123456789012345678901234567890'
-}
-
-// Mock ./fs-helper
-const mockFSHelper = jest.genMockFromModule('../lib/fs-helper') as any
-mockFSHelper.directoryExistsSync = (path: string) => path == gitHubWorkspace
+// Shallow clone original @actions/github context
+let originalContext = {...github.context}
 
 describe('input-helper tests', () => {
   beforeAll(() => {
+    // Mock @actions/core getInput()
+    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
+      return inputs[name]
+    })
+
+    // Mock @actions/github context
+    jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
+      return {
+        owner: 'some-owner',
+        repo: 'some-repo'
+      }
+    })
+    github.context.ref = 'refs/heads/some-ref'
+    github.context.sha = '1234567890123456789012345678901234567890'
+
+    // Mock ./fs-helper directoryExistsSync()
+    jest
+      .spyOn(fsHelper, 'directoryExistsSync')
+      .mockImplementation((path: string) => path == gitHubWorkspace)
+
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
-
-    // Mocks
-    jest.setMock('@actions/core', mockCore)
-    jest.setMock('@actions/github', mockGitHub)
-    jest.setMock('../lib/fs-helper', mockFSHelper)
-
-    // Now import
-    inputHelper = require('../lib/input-helper')
   })
 
   beforeEach(() => {
@@ -50,14 +47,18 @@ describe('input-helper tests', () => {
   })
 
   afterAll(() => {
-    // Reset GitHub workspace
+    // Restore GitHub workspace
     delete process.env['GITHUB_WORKSPACE']
     if (originalGitHubWorkspace) {
       process.env['GITHUB_WORKSPACE'] = originalGitHubWorkspace
     }
 
-    // Reset modules
-    jest.resetModules()
+    // Restore @actions/github context
+    github.context.ref = originalContext.ref
+    github.context.sha = originalContext.sha
+
+    // Restore
+    jest.restoreAllMocks()
   })
 
   it('sets defaults', () => {
@@ -75,6 +76,19 @@ describe('input-helper tests', () => {
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
   })
 
+  it('qualifies ref', () => {
+    let originalRef = github.context.ref
+    try {
+      github.context.ref = 'some-unqualified-ref'
+      const settings: ISourceSettings = inputHelper.getInputs()
+      expect(settings).toBeTruthy()
+      expect(settings.commit).toBe('1234567890123456789012345678901234567890')
+      expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
+    } finally {
+      github.context.ref = originalRef
+    }
+  })
+
   it('requires qualified repo', () => {
     inputs.repository = 'some-unqualified-repo'
     assert.throws(() => {

__test__/override-git-version.cmd

@@ -0,0 +1,6 @@
+
+mkdir override-git-version
+cd override-git-version
+echo @echo override git version 1.2.3 > git.cmd
+echo ::add-path::%CD%
+cd ..

__test__/override-git-version.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+mkdir override-git-version
+cd override-git-version
+echo "#!/bin/sh" > git
+echo "echo override git version 1.2.3" >> git
+chmod +x git
+echo "::add-path::$(pwd)"
+cd ..

__test__/retry-helper.test.ts

@@ -1,18 +1,17 @@
-const mockCore = jest.genMockFromModule('@actions/core') as any
-mockCore.info = (message: string) => {
-  info.push(message)
-}
+import * as core from '@actions/core'
+import {RetryHelper} from '../lib/retry-helper'
+
 let info: string[]
 let retryHelper: any
 
 describe('retry-helper tests', () => {
   beforeAll(() => {
-    // Mocks
-    jest.setMock('@actions/core', mockCore)
+    // Mock @actions/core info()
+    jest.spyOn(core, 'info').mockImplementation((message: string) => {
+      info.push(message)
+    })
 
-    // Now import
-    const retryHelperModule = require('../lib/retry-helper')
-    retryHelper = new retryHelperModule.RetryHelper(3, 0, 0)
+    retryHelper = new RetryHelper(3, 0, 0)
   })
 
   beforeEach(() => {
@@ -21,8 +20,8 @@ describe('retry-helper tests', () => {
   })
 
   afterAll(() => {
-    // Reset modules
-    jest.resetModules()
+    // Restore
+    jest.restoreAllMocks()
   })
 
   it('first attempt succeeds', async () => {

adrs/0153-checkout-v2.md

@@ -0,0 +1,215 @@
+# ADR 0153: Checkout v2
+
+**Date**: 2019-10-21
+
+**Status**: Accepted
+
+## Context
+
+This ADR details the behavior for `actions/checkout@v2`.
+
+The new action will be written in typescript. We are moving away from runner-plugin actions.
+
+We want to take this opportunity to make behavioral changes, from v1. This document is scoped to those differences.
+
+## Decision
+
+### Inputs
+
+```yaml
+  repository:
+    description: 'Repository name with owner. For example, actions/checkout'
+    default: ${{ github.repository }}
+  ref:
+    description: >
+      The branch, tag or SHA to checkout. When checking out the repository that
+      triggered a workflow, this defaults to the reference or SHA for that
+      event.  Otherwise, defaults to `master`.
+  token:
+    description: >
+      Auth token used to fetch the repository. The token is stored in the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    default: ${{ github.token }}
+  persist-credentials:
+    description: 'Whether to persist the token in the git config'
+    default: true
+  path:
+    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
+  clean:
+    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
+    default: true
+  fetch-depth:
+    description: 'Number of commits to fetch. 0 indicates all history.'
+    default: 1
+  fetch-refs:
+    description: >
+      Additional refs to fetch: `branches`, `tags`, `pr-base`, or `all`.
+      Combinations are also accepted. For example: `branches, tags`
+    default: ''
+  lfs:
+    description: 'Whether to download Git-LFS files'
+    default: false
+```
+
+Note:
+- `fetch-refs` is new
+- `persist-credentials` is new
+- `path` behavior is different (refer [below](#path) for details)
+- `submodules` was removed (error if specified; add later if needed)
+
+### Fallback to GitHub API
+
+When a sufficient version of git is not in the PATH, fallback to the [web API](https://developer.github.com/v3/repos/contents/#get-archive-link) to download a tarball/zipball.
+
+Note:
+- LFS files are not included in the archive. Therefore fail if LFS is set to true.
+- Submodules are also not included in the archive. However submodules are not supported by checkout v2 anyway.
+
+### Persist credentials
+
+Persist the token in the git config (http.extraheader). This will allow users to script authenticated git commands, like `git fetch`.
+
+A post script will remove the credentials from the git config (cleanup for self-hosted).
+
+Users may opt-out by specifying `persist-credentials: false`
+
+Note:
+- Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance.
+- The auth header (stored in the repo's git config), is scoped to all of github `http.https://github.com/.extraheader`
+  - Additional public remotes also just work.
+  - If users want to authenticate to an additional private remote, they should provide the `token` input.
+  - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config.
+  - Users opt out of persisted credentials (`persist-credentials: false`), or can script the removal themselves (`git config --unset-all http.https://github.com/.extraheader`).
+
+### Fetch behavior
+
+Fetch only the SHA being built and set depth=1. This significantly reduces the fetch time for large repos.
+
+If a SHA isn't available (e.g. multi repo), then fetch only the specified ref with depth=1.
+
+The input `fetch-depth` can be used to control the depth.
+
+The input `fetch-refs` can be used to fetch additional refs.
+
+Note:
+- Fetching a single commit is supported by Git wire protocol version 2. The git client uses protocol version 0 by default. The desired protocol version can be overridden in the git config or on the fetch command line invocation (`-c protocol.version=2`). We will override on the fetch command line, for transparency.
+- Git client version 2.18+ (released June 2018) is required for wire protocol version 2.
+
+### Checkout behavior
+
+For CI, checkout will create a local ref with the upstream set. This allows users to script git as they normally would.
+
+For PR, continue to checkout detached head. The PR branch is special - the branch and merge commit are created by the server. It doesn't match a users' local workflow.
+
+Note:
+- Consider deleting all local refs during cleanup if that helps avoid collisions. More testing required.
+
+### Path
+
+For the mainline scenario, the disk-layout behavior remains the same.
+
+Remember, given the repo `johndoe/foo`, the mainline disk layout looks like:
+
+```
+GITHUB_WORKSPACE=/home/runner/work/foo/foo
+RUNNER_WORKSPACE=/home/runner/work/foo
+```
+
+V2 introduces a new contraint on the checkout path. The location must now be under `github.workspace`. Whereas the checkout@v1 constraint was one level up, under `runner.workspace`.
+
+V2 no longer changes `github.workspace` to follow wherever the self repo is checked-out.
+
+These behavioral changes align better with container actions. The [documented filesystem contract](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#docker-container-filesystem) is:
+
+- `/github/home`
+- `/github/workspace` - Note: GitHub Actions must be run by the default Docker user (root). Ensure your Dockerfile does not set the USER instruction, otherwise you will not be able to access `GITHUB_WORKSPACE`.
+- `/github/workflow`
+
+Note:
+- The tracking config will not be updated to reflect the path of the workflow repo.
+- Any existing workflow repo will not be moved when the checkout path changes. In fact some customers want to checkout the workflow repo twice, side by side against different branches.
+- Actions that need to operate only against the root of the self repo, should expose a `path` input.
+
+#### Default value for `path` input
+
+The `path` input will default to `./` which is rooted against `github.workspace`.
+
+This default fits the mainline scenario well: single checkout
+
+For multi-checkout, users must specify the `path` input for at least one of the repositories.
+
+Note:
+- An alternative is for the self repo to default to `./` and other repos default to `<REPO_NAME>`. However nested layout is an atypical git layout and therefore is not a good default. Users should supply the path info.
+
+#### Example - Nested layout
+
+The following example checks-out two repositories and creates a nested layout.
+
+```yaml
+# Self repo - Checkout to $GITHUB_WORKSPACE
+- uses: checkout@v2
+
+# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
+- uses: checkout@v2
+  with:
+    repository: myorg/myscripts
+    path: myscripts
+```
+
+#### Example - Side by side layout
+
+The following example checks-out two repositories and creates a side-by-side layout.
+
+```yaml
+# Self repo - Checkout to $GITHUB_WORKSPACE/foo
+- uses: checkout@v2
+  with:
+    path: foo
+
+# Other repo - Checkout to $GITHUB_WORKSPACE/myscripts
+- uses: checkout@v2
+  with:
+    repository: myorg/myscripts
+    path: myscripts
+```
+
+#### Path impact to problem matchers
+
+Problem matchers associate the source files with annotations.
+
+Today the runner verifies the source file is under the `github.workspace`. Otherwise the source file property is dropped.
+
+Multi-checkout complicates the matter. However even today submodules may cause this heuristic to be inaccurate.
+
+A better solution is:
+
+Given a source file path, walk up the directories until the first `.git/config` is found. Check if it matches the self repo (`url = https://github.com/OWNER/REPO`). If not, drop the source file path.
+
+### Port to typescript
+
+The checkout action should be a typescript action on the GitHub graph, for the following reasons:
+- Enables customers to fork the checkout repo and modify
+- Serves as an example for customers
+- Demystifies the checkout action manifest
+- Simplifies the runner
+- Reduce the amount of runner code to port (if we ever do)
+
+Note:
+- This means job-container images will need git in the PATH, for checkout.
+
+### Branching strategy and release tags
+
+- Create a servicing branch for V1: `releases/v1`
+- Merge the changes into `master`
+- Release using a new tag `preview`
+- When stable, release using a new tag `v2`
+
+## Consequences
+
+- Update the checkout action and readme
+- Update samples to consume `actions/checkout@v2`
+- Job containers now require git in the PATH for checkout, otherwise fallback to REST API
+- Minimum git version 2.18
+- Update problem matcher logic regarding source file verification (runner)

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -15,14 +15,30 @@
       "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
     },
     "@actions/github": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.0.0.tgz",
-      "integrity": "sha512-sNpZ5dJyJyfJIO5lNYx8r/Gha4Tlm8R0MLO2cBkGdOnAAEn3t1M/MHVcoBhY/VPfjGVe5RNAUPz+6INrViiUPA==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-2.1.0.tgz",
+      "integrity": "sha512-G4ncMlh4pLLAvNgHUYUtpWQ1zPf/VYqmRH9oshxLabdaOOnp7i1hgSgzr2xne2YUaSND3uqemd3YYTIsm2f/KQ==",
       "requires": {
+        "@actions/http-client": "^1.0.3",
         "@octokit/graphql": "^4.3.1",
         "@octokit/rest": "^16.15.0"
       }
     },
+    "@actions/http-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.3.tgz",
+      "integrity": "sha512-wFwh1U4adB/Zsk4cc9kVqaBOHoknhp/pJQk+aWTocbAZWpIl4Zx/At83WFRLXvxB+5HVTWOACM6qjULMZfQSfw==",
+      "requires": {
+        "tunnel": "0.0.6"
+      },
+      "dependencies": {
+        "tunnel": {
+          "version": "0.0.6",
+          "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+          "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="
+        }
+      }
+    },
     "@actions/io": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.0.1.tgz",
@@ -597,6 +613,14 @@
         "@types/yargs": "^13.0.0"
       }
     },
+    "@octokit/auth-token": {
+      "version": "2.4.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-2.4.0.tgz",
+      "integrity": "sha512-eoOVMjILna7FVQf96iWc3+ZtE/ZT6y8ob8ZzcqKY1ibSQCnu4O/B7pJvzMx5cyZ/RjAff6DAdEb0O0Cjcxidkg==",
+      "requires": {
+        "@octokit/types": "^2.0.0"
+      }
+    },
     "@octokit/endpoint": {
       "version": "5.5.1",
       "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-5.5.1.tgz",
@@ -643,10 +667,11 @@
       }
     },
     "@octokit/rest": {
-      "version": "16.35.0",
-      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.35.0.tgz",
-      "integrity": "sha512-9ShFqYWo0CLoGYhA1FdtdykJuMzS/9H6vSbbQWDX4pWr4p9v+15MsH/wpd/3fIU+tSxylaNO48+PIHqOkBRx3w==",
+      "version": "16.38.1",
+      "resolved": "https://registry.npmjs.org/@octokit/rest/-/rest-16.38.1.tgz",
+      "integrity": "sha512-zyNFx+/Bd1EXt7LQjfrc6H4wryBQ/oDuZeZhGMBSFr1eMPFDmpEweFQR3R25zjKwBQpDY7L5GQO6A3XSaOfV1w==",
       "requires": {
+        "@octokit/auth-token": "^2.4.0",
         "@octokit/request": "^5.2.0",
         "@octokit/request-error": "^1.0.2",
         "atob-lite": "^2.0.0",
@@ -662,9 +687,9 @@
       }
     },
     "@octokit/types": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.0.2.tgz",
-      "integrity": "sha512-StASIL2lgT3TRjxv17z9pAqbnI7HGu9DrJlg3sEBFfCLaMEqp+O3IQPUF6EZtQ4xkAu2ml6kMBBCtGxjvmtmuQ==",
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-2.1.1.tgz",
+      "integrity": "sha512-89LOYH+d/vsbDX785NOfLxTW88GjNd0lWRz1DVPVsZgg9Yett5O+3MOvwo7iHgvUwbFz0mf/yPIjBkUbs4kxoQ==",
       "requires": {
         "@types/node": ">= 8"
       }
@@ -929,11 +954,6 @@
       "integrity": "sha512-7evsyfH1cLOCdAzZAd43Cic04yKydNx0cF+7tiA19p1XnLLPU4dpCQOqpjqwokFe//vS0QqfqqjCS2JkiIs0cA==",
       "dev": true
     },
-    "agent-base": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-5.1.1.tgz",
-      "integrity": "sha512-TMeqbNl2fMW0nMjTEPOwe3J/PRFP4vqeoNuQMG0HlMrtm5QxKqdvAkZ1pRBQ/ulIyDD5Yq0nJ7YbdD8ey0TO3g=="
-    },
     "ajv": {
       "version": "6.10.2",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz",
@@ -1712,6 +1732,7 @@
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
       "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
+      "dev": true,
       "requires": {
         "ms": "^2.1.1"
       }
@@ -3674,15 +3695,6 @@
         "sshpk": "^1.7.0"
       }
     },
-    "https-proxy-agent": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-4.0.0.tgz",
-      "integrity": "sha512-zoDhWrkR3of1l9QAL8/scJZyLu8j/gBkcwcaQOZh7Gyh/+uJQzGVETdgT30akuwkpL8HTRfssqI3BZuV18teDg==",
-      "requires": {
-        "agent-base": "5",
-        "debug": "4"
-      }
-    },
     "iconv-lite": {
       "version": "0.4.24",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
@@ -4998,7 +5010,8 @@
     "ms": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
+      "dev": true
     },
     "mute-stream": {
       "version": "0.0.7",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.1",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -31,10 +31,9 @@
   "dependencies": {
     "@actions/core": "^1.1.3",
     "@actions/exec": "^1.0.1",
-    "@actions/github": "^2.0.0",
+    "@actions/github": "^2.0.2",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
-    "https-proxy-agent": "^4.0.0",
     "uuid": "^3.3.3"
   },
   "devDependencies": {

src/git-source-provider.ts

@@ -9,7 +9,8 @@ import * as refHelper from './ref-helper'
 import * as stateHelper from './state-helper'
 import {IGitCommandManager} from './git-command-manager'
 
-const authConfigKey = `http.https://github.com/.extraheader`
+const serverUrl = 'https://github.com/'
+const authConfigKey = `http.${serverUrl}.extraheader`
 
 export interface ISourceSettings {
   repositoryPath: string
@@ -95,7 +96,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     await removeGitConfig(git, authConfigKey)
 
     try {
-      // Config auth token
+      // Config extraheader
       await configureAuthToken(git, settings.authToken)
 
       // LFS install
@@ -136,16 +137,21 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
 
 export async function cleanup(repositoryPath: string): Promise<void> {
   // Repo exists?
-  if (!fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))) {
+  if (
+    !repositoryPath ||
+    !fsHelper.fileExistsSync(path.join(repositoryPath, '.git', 'config'))
+  ) {
     return
   }
-  fsHelper.directoryExistsSync(repositoryPath, true)
 
-  // Remove the config key
-  const git = await gitCommandManager.CreateCommandManager(
-    repositoryPath,
-    false
-  )
+  let git: IGitCommandManager
+  try {
+    git = await gitCommandManager.CreateCommandManager(repositoryPath, false)
+  } catch {
+    return
+  }
+
+  // Remove extraheader
   await removeGitConfig(git, authConfigKey)
 }
 

src/github-api-helper.ts

@@ -8,7 +8,6 @@ import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
 import {default as uuid} from 'uuid/v4'
 import {ReposGetArchiveLinkParams} from '@octokit/rest'
-import HttpsProxyAgent from 'https-proxy-agent'
 
 const IS_WINDOWS = process.platform === 'win32'
 
@@ -75,7 +74,7 @@ async function downloadArchive(
   ref: string,
   commit: string
 ): Promise<Buffer> {
-  const octokit = createOctokit(authToken)
+  const octokit = new github.GitHub(authToken)
   const params: ReposGetArchiveLinkParams = {
     owner: owner,
     repo: repo,
@@ -91,38 +90,3 @@ async function downloadArchive(
 
   return Buffer.from(response.data) // response.data is ArrayBuffer
 }
-
-function createOctokit(authToken: string): github.GitHub {
-  let proxyVar: string =
-    process.env['https_proxy'] || process.env['HTTPS_PROXY'] || ''
-
-  if (!proxyVar) {
-    return new github.GitHub(authToken)
-  }
-
-  let noProxy: string = process.env['no_proxy'] || process.env['NO_PROXY'] || ''
-
-  let bypass: boolean = false
-  if (noProxy) {
-    let bypassList = noProxy.split(',')
-    for (let i = 0; i < bypassList.length; i++) {
-      let item = bypassList[i]
-      if (
-        item &&
-        typeof item === 'string' &&
-        item.trim().toLocaleLowerCase() === 'github.com'
-      ) {
-        bypass = true
-        break
-      }
-    }
-  }
-
-  if (bypass) {
-    return new github.GitHub(authToken)
-  } else {
-    return new github.GitHub(authToken, {
-      request: {agent: new HttpsProxyAgent(proxyVar)}
-    })
-  }
-}

src/input-helper.ts

@@ -61,6 +61,12 @@ export function getInputs(): ISourceSettings {
     if (isWorkflowRepository) {
       result.ref = github.context.ref
       result.commit = github.context.sha
+
+      // Some events have an unqualifed ref. For example when a PR is merged (pull_request closed event),
+      // the ref is unqualifed like "master" instead of "refs/heads/master".
+      if (result.commit && result.ref && !result.ref.startsWith('refs/')) {
+        result.ref = `refs/heads/${result.ref}`
+      }
     }
 
     if (!result.ref && !result.commit) {