.

.github/workflows/test.yml

@@ -1,39 +1,25 @@
 name: Build and Test
 
-on:
+on: push
-  pull_request:
-  push:
-    branches:
-      - master
-      - releases/*
 
 jobs:
-  build:
+  test-archive:
-    runs-on: ubuntu-latest
+    runs-on: windows-latest
-    steps:
-      - uses: actions/checkout@v1 # todo: switch to v2
-      - run: npm ci
-      - run: npm run build
-      - run: npm run format-check
-      - run: npm run lint
-      - run: npm run pack
-      - run: npm run gendocs
-      - run: npm test
-      - name: Verify no unstaged changes
-        run: __test__/verify-no-unstaged-changes.sh
-
-  test:
-    strategy:
-      matrix:
-        runs-on: [ubuntu-latest, macos-latest, windows-latest]
-    runs-on: ${{ matrix.runs-on }}
-
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        shell: bash
+        run: |
+          curl --location --user token:${{ github.token }} --output checkout.tar.gz https://api.github.com/repos/actions/checkout/tarball/${{ github.sha }}
+          tar -xzf checkout.tar.gz
+          mv */* ./
 
       # Basic checkout
+      - shell: cmd
+        run: |
+          echo echo hello > git.cmd
+          echo ::add-path::%CD%
+
       - name: Basic checkout
         uses: ./
         with:
@@ -41,61 +27,5 @@ jobs:
           path: basic
       - name: Verify basic
         shell: bash
-        run: __test__/verify-basic.sh
+        run: __test__/verify-basic.sh container
 
-      # Clean
-      - name: Modify work tree
-        shell: bash
-        run: __test__/modify-work-tree.sh
-      - name: Clean checkout
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: basic
-      - name: Verify clean
-        shell: bash
-        run: __test__/verify-clean.sh
-
-      # Side by side
-      - name: Side by side checkout 1
-        uses: ./
-        with:
-          ref: test-data/v2/side-by-side-1
-          path: side-by-side-1
-      - name: Side by side checkout 2
-        uses: ./
-        with:
-          ref: test-data/v2/side-by-side-2
-          path: side-by-side-2
-      - name: Verify side by side
-        shell: bash
-        run: __test__/verify-side-by-side.sh
-
-      # LFS
-      - name: LFS checkout
-        uses: ./
-        with:
-          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
-          ref: test-data/v2/lfs
-          path: lfs
-          lfs: true
-      - name: Verify LFS
-        shell: bash
-        run: __test__/verify-lfs.sh
-
-  test-job-container:
-    runs-on: ubuntu-latest
-    container: alpine:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      # Basic checkout
-      - name: Basic checkout
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: basic
-      - name: Verify basic
-        run: __test__/verify-basic.sh --archive

README.md

@@ -2,7 +2,7 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2
+# Checkout V2 beta
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -13,20 +13,18 @@ Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows)
 # What's new
 
 - Improved fetch performance
-  - The default behavior now fetches only the commit being checked-out
+  - The default behavior now fetches only the SHA being checked-out
 - Script authenticated git commands
-  - Persists the input `token` in the local git config
+  - Persists `with.token` in the local git config
   - Enables your scripts to run authenticated git commands
   - Post-job cleanup removes the token
-  - Opt out by setting the input `persist-credentials: false`
+  - Coming soon: Opt out by setting `with.persist-credentials` to `false`
 - Creates a local branch
   - No longer detached HEAD when checking out a branch
   - A local branch is created with the corresponding upstream branch set
 - Improved layout
-  - The input `path` is always relative to $GITHUB_WORKSPACE
+  - `with.path` is always relative to `github.workspace`
-  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+  - Aligns better with container actions, where `github.workspace` gets mapped in
-- Fallback to REST API download
-  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
 - Removed input `submodules`
 
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@@ -35,27 +33,21 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v2-beta
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
     repository: ''
 
-    # The branch, tag or SHA to checkout. When checking out the repository that
+    # The branch, tag or SHA to checkout.  When checking out the repository that
     # triggered a workflow, this defaults to the reference or SHA for that event.
     # Otherwise, defaults to `master`.
     ref: ''
 
-    # Auth token used to fetch the repository. The token is stored in the local git
+    # Access token for clone repository
-    # config, which enables your scripts to run authenticated git commands. The
-    # post-job step removes the token from the git config.
     # Default: ${{ github.token }}
     token: ''
 
-    # Whether to persist the token in the git config
-    # Default: true
-    persist-credentials: ''
-
     # Relative path under $GITHUB_WORKSPACE to place the repository
     path: ''
 
@@ -76,7 +68,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v2-beta
   with:
     ref: some-branch
 ```
@@ -84,7 +76,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout a different, private repository
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v2-beta
   with:
     repository: myAccount/myRepository
     ref: refs/heads/master
@@ -95,9 +87,9 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout the HEAD commit of a PR, rather than the merge commit
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v2-beta
   with:
-    ref: ${{ github.event.pull_request.head.sha }}
+    ref: ${{ github.event.after }}
 ```
 
 # License

__test__/input-helper.test.ts

@@ -63,7 +63,7 @@ describe('input-helper tests', () => {
   it('sets defaults', () => {
     const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
-    expect(settings.authToken).toBeFalsy()
+    expect(settings.accessToken).toBeFalsy()
     expect(settings.clean).toBe(true)
     expect(settings.commit).toBeTruthy()
     expect(settings.commit).toBe('1234567890123456789012345678901234567890')

__test__/verify-basic.sh

@@ -5,7 +5,7 @@ if [ ! -f "./basic/basic-file.txt" ]; then
     exit 1
 fi
 
-if [ "$1" = "--archive" ]; then
+if [ "$1" = "container" ]; then
   # Verify no .git folder
   if [ -d "./basic/.git" ]; then
     echo "Did not expect ./basic/.git folder to exist"
@@ -20,5 +20,5 @@ else
 
   # Verify auth token
   cd basic
-  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+  git fetch --depth=1
 fi

action.yml

@@ -6,18 +6,12 @@ inputs:
     default: ${{ github.repository }}
   ref:
     description: >
-      The branch, tag or SHA to checkout. When checking out the repository that
+      The branch, tag or SHA to checkout.  When checking out the repository
-      triggered a workflow, this defaults to the reference or SHA for that
+      that triggered a workflow, this defaults to the reference or SHA for
-      event.  Otherwise, defaults to `master`.
+      that event.  Otherwise, defaults to `master`.
   token:
-    description: >
+    description: 'Access token for clone repository'
-      Auth token used to fetch the repository. The token is stored in the local
-      git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the token from the git config.
     default: ${{ github.token }}
-  persist-credentials:
-    description: 'Whether to persist the token in the git config'
-    default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
   clean:

dist/index.js

@@ -2620,7 +2620,7 @@ exports.IsPost = !!process.env['STATE_isPost'];
 /**
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
-exports.RepositoryPath = process.env['STATE_repositoryPath'] || '';
+exports.RepositoryPath = process.env['STATE_repositoryPath'];
 /**
  * Save the repository path so the POST action can retrieve the value.
  */
@@ -4838,7 +4838,7 @@ class GitCommandManager {
     }
     config(configKey, configValue) {
         return __awaiter(this, void 0, void 0, function* () {
-            yield this.execGit(['config', '--local', configKey, configValue]);
+            yield this.execGit(['config', configKey, configValue]);
         });
     }
     configExists(configKey) {
@@ -4846,7 +4846,7 @@ class GitCommandManager {
             const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
                 return `\\${x}`;
             });
-            const output = yield this.execGit(['config', '--local', '--name-only', '--get-regexp', pattern], true);
+            const output = yield this.execGit(['config', '--name-only', '--get-regexp', pattern], true);
             return output.exitCode === 0;
         });
     }
@@ -4932,19 +4932,19 @@ class GitCommandManager {
     }
     tryConfigUnset(configKey) {
         return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', '--local', '--unset-all', configKey], true);
+            const output = yield this.execGit(['config', '--unset-all', configKey], true);
             return output.exitCode === 0;
         });
     }
     tryDisableAutomaticGarbageCollection() {
         return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
+            const output = yield this.execGit(['config', 'gc.auto', '0'], true);
             return output.exitCode === 0;
         });
     }
     tryGetFetchUrl() {
         return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', '--local', '--get', 'remote.origin.url'], true);
+            const output = yield this.execGit(['config', '--get', 'remote.origin.url'], true);
             if (output.exitCode !== 0) {
                 return '';
             }
@@ -5121,7 +5121,7 @@ function getSource(settings) {
             // Downloading using REST API
             core.info(`The repository will be downloaded using the GitHub REST API`);
             core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
-            yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
+            yield githubApiHelper.downloadRepository(settings.accessToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
         }
         else {
             // Save state for POST action
@@ -5137,34 +5137,30 @@ function getSource(settings) {
             }
             // Remove possible previous extraheader
             yield removeGitConfig(git, authConfigKey);
-            try {
+            // Add extraheader (auth)
-                // Config auth token
+            const base64Credentials = Buffer.from(`x-access-token:${settings.accessToken}`, 'utf8').toString('base64');
-                yield configureAuthToken(git, settings.authToken);
+            core.setSecret(base64Credentials);
-                // LFS install
+            const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
-                if (settings.lfs) {
+            yield git.config(authConfigKey, authConfigValue);
-                    yield git.lfsInstall();
+            // LFS install
-                }
+            if (settings.lfs) {
-                // Fetch
+                yield git.lfsInstall();
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
-                yield git.fetch(settings.fetchDepth, refSpec);
-                // Checkout info
-                const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
-                // LFS fetch
-                // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-                // Explicit lfs fetch will fetch lfs objects in parallel.
-                if (settings.lfs) {
-                    yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
-                }
-                // Checkout
-                yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
-                // Dump some info about the checked out commit
-                yield git.log1();
             }
-            finally {
+            // Fetch
-                if (!settings.persistCredentials) {
+            const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
-                    yield removeGitConfig(git, authConfigKey);
+            yield git.fetch(settings.fetchDepth, refSpec);
-                }
+            // Checkout info
+            const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
+            // LFS fetch
+            // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+            // Explicit lfs fetch will fetch lfs objects in parallel.
+            if (settings.lfs) {
+                yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
             }
+            // Checkout
+            yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
+            // Dump some info about the checked out commit
+            yield git.log1();
         }
     });
 }
@@ -5269,34 +5265,23 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
         }
     });
 }
-function configureAuthToken(git, authToken) {
-    return __awaiter(this, void 0, void 0, function* () {
-        // Configure a placeholder value. This approach avoids the credential being captured
-        // by process creation audit events, which are commonly logged. For more information,
-        // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-        const placeholder = `AUTHORIZATION: basic ***`;
-        yield git.config(authConfigKey, placeholder);
-        // Determine the basic credential value
-        const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
-        core.setSecret(basicCredential);
-        // Replace the value in the config file
-        const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
-        let content = (yield fs.promises.readFile(configPath)).toString();
-        const placeholderIndex = content.indexOf(placeholder);
-        if (placeholderIndex < 0 ||
-            placeholderIndex != content.lastIndexOf(placeholder)) {
-            throw new Error('Unable to replace auth placeholder in .git/config');
-        }
-        content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
-        yield fs.promises.writeFile(configPath, content);
-    });
-}
 function removeGitConfig(git, configKey) {
     return __awaiter(this, void 0, void 0, function* () {
         if ((yield git.configExists(configKey)) &&
             !(yield git.tryConfigUnset(configKey))) {
             // Load the config contents
-            core.warning(`Failed to remove '${configKey}' from the git config`);
+            core.warning(`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`);
+            const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
+            fsHelper.fileExistsSync(configPath);
+            let contents = fs.readFileSync(configPath).toString() || '';
+            // Filter - only includes lines that do not contain the config key
+            const upperConfigKey = configKey.toUpperCase();
+            const split = contents
+                .split('\n')
+                .filter(x => !x.toUpperCase().includes(upperConfigKey));
+            contents = split.join('\n');
+            // Rewrite the config file
+            fs.writeFileSync(configPath, contents);
         }
     });
 }
@@ -8418,12 +8403,12 @@ const retryHelper = __importStar(__webpack_require__(587));
 const toolCache = __importStar(__webpack_require__(533));
 const v4_1 = __importDefault(__webpack_require__(826));
 const IS_WINDOWS = process.platform === 'win32';
-function downloadRepository(authToken, owner, repo, ref, commit, repositoryPath) {
+function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPath) {
     return __awaiter(this, void 0, void 0, function* () {
         // Download the archive
         let archiveData = yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () {
             core.info('Downloading the archive');
-            return yield downloadArchive(authToken, owner, repo, ref, commit);
+            return yield downloadArchive(accessToken, owner, repo, ref, commit);
         }));
         // Write archive to disk
         core.info('Writing archive to disk');
@@ -8453,20 +8438,15 @@ function downloadRepository(authToken, owner, repo, ref, commit, repositoryPath)
         for (const fileName of yield fs.promises.readdir(tempRepositoryPath)) {
             const sourcePath = path.join(tempRepositoryPath, fileName);
             const targetPath = path.join(repositoryPath, fileName);
-            if (IS_WINDOWS) {
+            yield io.mv(sourcePath, targetPath);
-                yield io.cp(sourcePath, targetPath, { recursive: true }); // Copy on Windows (Windows Defender may have a lock)
-            }
-            else {
-                yield io.mv(sourcePath, targetPath);
-            }
         }
         io.rmRF(extractPath);
     });
 }
 exports.downloadRepository = downloadRepository;
-function downloadArchive(authToken, owner, repo, ref, commit) {
+function downloadArchive(accessToken, owner, repo, ref, commit) {
     return __awaiter(this, void 0, void 0, function* () {
-        const octokit = new github.GitHub(authToken);
+        const octokit = new github.GitHub(accessToken);
         const params = {
             owner: owner,
             repo: repo,
@@ -8475,7 +8455,7 @@ function downloadArchive(authToken, owner, repo, ref, commit) {
         };
         const response = yield octokit.repos.getArchiveLink(params);
         if (response.status != 200) {
-            throw new Error(`Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`);
+            throw new Error(`Unexpected response from GitHub API. Status: '${response.status}'`);
         }
         return Buffer.from(response.data); // response.data is ArrayBuffer
     });
@@ -9822,9 +9802,6 @@ class RetryHelper {
         this.maxAttempts = maxAttempts;
         this.minSeconds = Math.floor(minSeconds);
         this.maxSeconds = Math.floor(maxSeconds);
-        if (this.minSeconds > this.maxSeconds) {
-            throw new Error('min seconds should be less than or equal to max seconds');
-        }
     }
     execute(action) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -12779,11 +12756,8 @@ function getInputs() {
     // LFS
     result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE';
     core.debug(`lfs = ${result.lfs}`);
-    // Auth token
+    // Access token
-    result.authToken = core.getInput('token');
+    result.accessToken = core.getInput('token');
-    // Persist credentials
-    result.persistCredentials =
-        (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE';
     return result;
 }
 exports.getInputs = getInputs;

src/git-command-manager.ts

@@ -116,7 +116,7 @@ class GitCommandManager {
   }
 
   async config(configKey: string, configValue: string): Promise<void> {
-    await this.execGit(['config', '--local', configKey, configValue])
+    await this.execGit(['config', configKey, configValue])
   }
 
   async configExists(configKey: string): Promise<boolean> {
@@ -124,7 +124,7 @@ class GitCommandManager {
       return `\\${x}`
     })
     const output = await this.execGit(
-      ['config', '--local', '--name-only', '--get-regexp', pattern],
+      ['config', '--name-only', '--get-regexp', pattern],
       true
     )
     return output.exitCode === 0
@@ -211,23 +211,20 @@ class GitCommandManager {
 
   async tryConfigUnset(configKey: string): Promise<boolean> {
     const output = await this.execGit(
-      ['config', '--local', '--unset-all', configKey],
+      ['config', '--unset-all', configKey],
       true
     )
     return output.exitCode === 0
   }
 
   async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
-    const output = await this.execGit(
+    const output = await this.execGit(['config', 'gc.auto', '0'], true)
-      ['config', '--local', 'gc.auto', '0'],
-      true
-    )
     return output.exitCode === 0
   }
 
   async tryGetFetchUrl(): Promise<string> {
     const output = await this.execGit(
-      ['config', '--local', '--get', 'remote.origin.url'],
+      ['config', '--get', 'remote.origin.url'],
       true
     )
 

src/git-source-provider.ts

@@ -1,4 +1,5 @@
 import * as core from '@actions/core'
+import * as coreCommand from '@actions/core/lib/command'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
@@ -20,8 +21,7 @@ export interface ISourceSettings {
   clean: boolean
   fetchDepth: number
   lfs: boolean
-  authToken: string
+  accessToken: string
-  persistCredentials: boolean
 }
 
 export async function getSource(settings: ISourceSettings): Promise<void> {
@@ -65,7 +65,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
       `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
     )
     await githubApiHelper.downloadRepository(
-      settings.authToken,
+      settings.accessToken,
       settings.repositoryOwner,
       settings.repositoryName,
       settings.ref,
@@ -94,43 +94,43 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     // Remove possible previous extraheader
     await removeGitConfig(git, authConfigKey)
 
-    try {
+    // Add extraheader (auth)
-      // Config auth token
+    const base64Credentials = Buffer.from(
-      await configureAuthToken(git, settings.authToken)
+      `x-access-token:${settings.accessToken}`,
+      'utf8'
+    ).toString('base64')
+    core.setSecret(base64Credentials)
+    const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
+    await git.config(authConfigKey, authConfigValue)
 
-      // LFS install
+    // LFS install
-      if (settings.lfs) {
+    if (settings.lfs) {
-        await git.lfsInstall()
+      await git.lfsInstall()
-      }
-
-      // Fetch
-      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-      await git.fetch(settings.fetchDepth, refSpec)
-
-      // Checkout info
-      const checkoutInfo = await refHelper.getCheckoutInfo(
-        git,
-        settings.ref,
-        settings.commit
-      )
-
-      // LFS fetch
-      // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-      // Explicit lfs fetch will fetch lfs objects in parallel.
-      if (settings.lfs) {
-        await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
-      }
-
-      // Checkout
-      await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
-
-      // Dump some info about the checked out commit
-      await git.log1()
-    } finally {
-      if (!settings.persistCredentials) {
-        await removeGitConfig(git, authConfigKey)
-      }
     }
+
+    // Fetch
+    const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
+    await git.fetch(settings.fetchDepth, refSpec)
+
+    // Checkout info
+    const checkoutInfo = await refHelper.getCheckoutInfo(
+      git,
+      settings.ref,
+      settings.commit
+    )
+
+    // LFS fetch
+    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+    // Explicit lfs fetch will fetch lfs objects in parallel.
+    if (settings.lfs) {
+      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
+    }
+
+    // Checkout
+    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
+
+    // Dump some info about the checked out commit
+    await git.log1()
   }
 }
 
@@ -255,40 +255,6 @@ async function prepareExistingDirectory(
   }
 }
 
-async function configureAuthToken(
-  git: IGitCommandManager,
-  authToken: string
-): Promise<void> {
-  // Configure a placeholder value. This approach avoids the credential being captured
-  // by process creation audit events, which are commonly logged. For more information,
-  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-  const placeholder = `AUTHORIZATION: basic ***`
-  await git.config(authConfigKey, placeholder)
-
-  // Determine the basic credential value
-  const basicCredential = Buffer.from(
-    `x-access-token:${authToken}`,
-    'utf8'
-  ).toString('base64')
-  core.setSecret(basicCredential)
-
-  // Replace the value in the config file
-  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
-  let content = (await fs.promises.readFile(configPath)).toString()
-  const placeholderIndex = content.indexOf(placeholder)
-  if (
-    placeholderIndex < 0 ||
-    placeholderIndex != content.lastIndexOf(placeholder)
-  ) {
-    throw new Error('Unable to replace auth placeholder in .git/config')
-  }
-  content = content.replace(
-    placeholder,
-    `AUTHORIZATION: basic ${basicCredential}`
-  )
-  await fs.promises.writeFile(configPath, content)
-}
-
 async function removeGitConfig(
   git: IGitCommandManager,
   configKey: string
@@ -298,6 +264,21 @@ async function removeGitConfig(
     !(await git.tryConfigUnset(configKey))
   ) {
     // Load the config contents
-    core.warning(`Failed to remove '${configKey}' from the git config`)
+    core.warning(
+      `Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
+    )
+    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+    fsHelper.fileExistsSync(configPath)
+    let contents = fs.readFileSync(configPath).toString() || ''
+
+    // Filter - only includes lines that do not contain the config key
+    const upperConfigKey = configKey.toUpperCase()
+    const split = contents
+      .split('\n')
+      .filter(x => !x.toUpperCase().includes(upperConfigKey))
+    contents = split.join('\n')
+
+    // Rewrite the config file
+    fs.writeFileSync(configPath, contents)
   }
 }

src/github-api-helper.ts

@@ -12,7 +12,7 @@ import {ReposGetArchiveLinkParams} from '@octokit/rest'
 const IS_WINDOWS = process.platform === 'win32'
 
 export async function downloadRepository(
-  authToken: string,
+  accessToken: string,
   owner: string,
   repo: string,
   ref: string,
@@ -22,7 +22,7 @@ export async function downloadRepository(
   // Download the archive
   let archiveData = await retryHelper.execute(async () => {
     core.info('Downloading the archive')
-    return await downloadArchive(authToken, owner, repo, ref, commit)
+    return await downloadArchive(accessToken, owner, repo, ref, commit)
   })
 
   // Write archive to disk
@@ -58,23 +58,19 @@ export async function downloadRepository(
   for (const fileName of await fs.promises.readdir(tempRepositoryPath)) {
     const sourcePath = path.join(tempRepositoryPath, fileName)
     const targetPath = path.join(repositoryPath, fileName)
-    if (IS_WINDOWS) {
+    await io.mv(sourcePath, targetPath)
-      await io.cp(sourcePath, targetPath, {recursive: true}) // Copy on Windows (Windows Defender may have a lock)
-    } else {
-      await io.mv(sourcePath, targetPath)
-    }
   }
   io.rmRF(extractPath)
 }
 
 async function downloadArchive(
-  authToken: string,
+  accessToken: string,
   owner: string,
   repo: string,
   ref: string,
   commit: string
 ): Promise<Buffer> {
-  const octokit = new github.GitHub(authToken)
+  const octokit = new github.GitHub(accessToken)
   const params: ReposGetArchiveLinkParams = {
     owner: owner,
     repo: repo,
@@ -84,7 +80,7 @@ async function downloadArchive(
   const response = await octokit.repos.getArchiveLink(params)
   if (response.status != 200) {
     throw new Error(
-      `Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
+      `Unexpected response from GitHub API. Status: '${response.status}'`
     )
   }
 

src/input-helper.ts

@@ -97,12 +97,8 @@ export function getInputs(): ISourceSettings {
   result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
   core.debug(`lfs = ${result.lfs}`)
 
-  // Auth token
+  // Access token
-  result.authToken = core.getInput('token')
+  result.accessToken = core.getInput('token')
-
-  // Persist credentials
-  result.persistCredentials =
-    (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
   return result
 }

src/misc/generate-docs.ts

@@ -96,7 +96,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2',
+  'actions/checkout@v2-beta',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/retry-helper.ts

@@ -17,9 +17,6 @@ export class RetryHelper {
     this.maxAttempts = maxAttempts
     this.minSeconds = Math.floor(minSeconds)
     this.maxSeconds = Math.floor(maxSeconds)
-    if (this.minSeconds > this.maxSeconds) {
-      throw new Error('min seconds should be less than or equal to max seconds')
-    }
   }
 
   async execute<T>(action: () => Promise<T>): Promise<T> {

src/state-helper.ts

@@ -9,8 +9,7 @@ export const IsPost = !!process.env['STATE_isPost']
 /**
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
-export const RepositoryPath =
+export const RepositoryPath = process.env['STATE_repositoryPath'] as string
-  (process.env['STATE_repositoryPath'] as string) || ''
 
 /**
  * Save the repository path so the POST action can retrieve the value.