Enforce safe directory (#762)

* set safe directory when running checkout

* Update CHANGELOG.md

.github/workflows/check-dist.yml

@@ -22,12 +22,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - name: Set Node.js 12.x
+      - name: Set Node.js 16.x
         uses: actions/setup-node@v1
         with:
-          node-version: 12.x
+          node-version: 16.x
 
       - name: Install dependencies
         run: npm ci

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/test.yml

@@ -13,8 +13,8 @@ jobs:
     steps:
       - uses: actions/setup-node@v1
         with:
-          node-version: 12.x
+          node-version: 16.x
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout
       - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Basic checkout using git
       - name: Checkout basic
@@ -205,41 +205,3 @@ jobs:
           path: basic
       - name: Verify basic
         run: __test__/verify-basic.sh --archive
-    
-  test-git-container:
-    runs-on: ubuntu-latest
-    container: bitnami/git:latest
-    steps:
-      # Clone this repo
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          path: v3
-
-      # Basic checkout using git
-      - name: Checkout basic
-        uses: ./v3
-        with:
-          ref: test-data/v2/basic
-      - name: Verify basic
-        run: |
-          if [ ! -f "./basic-file.txt" ]; then
-              echo "Expected basic file does not exist"
-              exit 1
-          fi
-
-          # Verify .git folder
-          if [ ! -d "./.git" ]; then
-            echo "Expected ./.git folder to exist"
-            exit 1
-          fi
-
-          # Verify auth token
-          git config --global --add safe.directory "*"
-          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
-
-      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v3
-        uses: actions/checkout@v3
-        with:
-          path: v3

.licenses/npm/node-fetch.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: node-fetch
-version: 2.6.5
+version: 2.6.7
 type: npm
 summary: A light-weight module that brings window.fetch to node.js
 homepage: https://github.com/bitinn/node-fetch

CHANGELOG.md

@@ -1,19 +1,17 @@
 # Changelog
 
-## v2.5.0
+## v3.0.1
-- [Bump @actions/core to v1.10.0](https://github.com/actions/checkout/pull/962)
+- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://github.com/actions/checkout/pull/762)
+- [Bumped various npm package versions](https://github.com/actions/checkout/pull/744)
 
-## v2.4.2
+## v3.0.0
-- [Add input `set-safe-directory`](https://github.com/actions/checkout/pull/776)
 
-## v2.4.1
+- [Update to node 16](https://github.com/actions/checkout/pull/689)
-- [Set the safe directory option on git to prevent git commands failing when running in containers](https://github.com/actions/checkout/pull/762)
 
 ## v2.3.1
 
 - [Fix default branch resolution for .wiki and when using SSH](https://github.com/actions/checkout/pull/284)
 
-
 ## v2.3.0
 
 - [Fallback to the default branch](https://github.com/actions/checkout/pull/278)

README.md

@@ -2,7 +2,7 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2
+# Checkout V3
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -14,27 +14,14 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 
 # What's new
 
-- Improved performance
+- Updated to the node16 runtime by default
-  - Fetches only a single commit by default
+  - This requires a minimum [Actions Runner](https://github.com/actions/runner/releases/tag/v2.285.0) version of v2.285.0 to run, which is by default available in GHES 3.4 or later.
-- Script authenticated git commands
-  - Auth token persisted in the local git config
-- Supports SSH
-- Creates a local branch
-  - No longer detached HEAD when checking out a branch
-- Improved layout
-  - The input `path` is always relative to $GITHUB_WORKSPACE
-  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
-- Fallback to REST API download
-  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
-  - When using a job container, the container's PATH is used
-
-Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
 
 # Usage
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -105,11 +92,6 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     #
     # Default: false
     submodules: ''
-
-    # Add repository path as safe.directory for Git global config by running `git
-    # config --global --add safe.directory <path>`
-    # Default: true
-    set-safe-directory: ''
 ```
 <!-- end usage -->
 
@@ -128,7 +110,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 0
 ```
@@ -136,7 +118,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: my-branch
 ```
@@ -144,7 +126,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -154,12 +136,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -169,10 +151,10 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
 
 - name: Checkout tools repo
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -182,12 +164,12 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v2
+  uses: actions/checkout@v3
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -200,7 +182,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v2
+- uses: actions/checkout@v3
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -216,7 +198,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 ```
 
 ## Push a commit using the built-in token
@@ -227,7 +209,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: |
           date > generated.txt
           git config user.name github-actions

__test__/git-auth-helper.test.ts

@@ -777,8 +777,7 @@ async function setup(testName: string): Promise<void> {
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
     sshStrict: true,
-    workflowOrganizationId: 123456,
+    workflowOrganizationId: 123456
-    setSafeDirectory: true
   }
 }
 

__test__/input-helper.test.ts

@@ -85,7 +85,6 @@ describe('input-helper tests', () => {
     expect(settings.repositoryName).toBe('some-repo')
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
-    expect(settings.setSafeDirectory).toBe(true)
   })
 
   it('qualifies ref', async () => {

action.yml

@@ -68,10 +68,7 @@ inputs:
       When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
       converted to HTTPS.
     default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
 runs:
-  using: node12
+  using: node16
   main: dist/index.js
   post: dist/index.js

package-lock.json

@@ -5,28 +5,9 @@
   "requires": true,
   "dependencies": {
     "@actions/core": {
-      "version": "1.10.0",
+      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.0.tgz",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.2.6.tgz",
-      "integrity": "sha512-2aZDDa3zrrZbP5ZYg159sNoLRb61nQ7awl5pSvIq5Qpj81vwDzdMRKzkWJGJuwVvWpvZKx7vspJALyvaaIQyug==",
+      "integrity": "sha512-ZQYitnqiyBc3D+k7LsgSBmMDVkOVidaagDG7j3fOym77jNunWRuYx7VSHa9GNfFZh+zh61xsCjRj4JxMZlDqTA=="
-      "requires": {
-        "@actions/http-client": "^2.0.1",
-        "uuid": "^8.3.2"
-      },
-      "dependencies": {
-        "@actions/http-client": {
-          "version": "2.0.1",
-          "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.0.1.tgz",
-          "integrity": "sha512-PIXiMVtz6VvyaRsGY268qvj57hXQEpsYogYOu2nrQhlf+XCGmZstmuZBbAybUl1nQGnvS1k1eEsQ69ZoD7xlSw==",
-          "requires": {
-            "tunnel": "^0.0.6"
-          }
-        },
-        "uuid": {
-          "version": "8.3.2",
-          "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-          "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg=="
-        }
-      }
     },
     "@actions/exec": {
       "version": "1.0.1",
@@ -1948,12 +1929,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -3344,12 +3319,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -5408,12 +5377,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -7733,12 +7696,6 @@
             "minimist": "^1.2.5"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "semver": {
           "version": "6.3.0",
           "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz",
@@ -9387,12 +9344,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -11408,12 +11359,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -12959,12 +12904,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -13719,12 +13658,6 @@
             "picomatch": "^2.2.3"
           }
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -14652,12 +14585,6 @@
           "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==",
           "dev": true
         },
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        },
         "normalize-path": {
           "version": "3.0.0",
           "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -15749,14 +15676,6 @@
       "dev": true,
       "requires": {
         "minimist": "^1.2.0"
-      },
-      "dependencies": {
-        "minimist": {
-          "version": "1.2.5",
-          "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-          "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
-          "dev": true
-        }
       }
     },
     "kleur": {
@@ -15953,9 +15872,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.5",
+      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
+      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
       "dev": true
     },
     "ms": {
@@ -15976,9 +15895,9 @@
       "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ=="
     },
     "node-fetch": {
-      "version": "2.6.5",
+      "version": "2.6.7",
-      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz",
+      "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz",
-      "integrity": "sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==",
+      "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==",
       "requires": {
         "whatwg-url": "^5.0.0"
       },

package.json

@@ -28,7 +28,7 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.10.0",
+    "@actions/core": "^1.2.6",
     "@actions/exec": "^1.0.1",
     "@actions/github": "^2.2.0",
     "@actions/io": "^1.0.1",

src/git-auth-helper.ts

@@ -19,7 +19,7 @@ export interface IGitAuthHelper {
   configureAuth(): Promise<void>
   configureGlobalAuth(): Promise<void>
   configureSubmoduleAuth(): Promise<void>
-  configureTempGlobalConfig(): Promise<string>
+  configureTempGlobalConfig(repositoryPath?: string): Promise<string>
   removeAuth(): Promise<void>
   removeGlobalConfig(): Promise<void>
 }
@@ -81,7 +81,7 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
-  async configureTempGlobalConfig(): Promise<string> {
+  async configureTempGlobalConfig(repositoryPath?: string): Promise<string> {
     // Already setup global config
     if (this.temporaryHomePath?.length > 0) {
       return path.join(this.temporaryHomePath, '.gitconfig')
@@ -121,6 +121,21 @@ class GitAuthHelper {
     )
     this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
 
+    // Setup the workspace as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+    // Otherwise all git commands we run in a container fail
+    core.info(
+      `Adding working directory to the temporary git global config as a safe directory`
+    )
+    await this.git
+      .config(
+        'safe.directory',
+        repositoryPath ?? this.settings.repositoryPath,
+        true,
+        true
+      )
+      .catch(error => {
+        core.info(`Failed to initialize safe directory with error: ${error}`)
+      })
     return newGitConfigPath
   }
 

src/git-source-provider.ts

@@ -40,24 +40,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
   try {
     if (git) {
       authHelper = gitAuthHelper.createAuthHelper(git, settings)
-      if (settings.setSafeDirectory) {
+      await authHelper.configureTempGlobalConfig()
-        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-        // Otherwise all git commands we run in a container fail
-        await authHelper.configureTempGlobalConfig()
-        core.info(
-          `Adding repository directory to the temporary git global config as a safe directory`
-        )
-
-        await git
-          .config('safe.directory', settings.repositoryPath, true, true)
-          .catch(error => {
-            core.info(
-              `Failed to initialize safe directory with error: ${error}`
-            )
-          })
-
-        stateHelper.setSafeDirectory()
-      }
     }
 
     // Prepare existing directory, otherwise recreate
@@ -266,21 +249,7 @@ export async function cleanup(repositoryPath: string): Promise<void> {
   // Remove auth
   const authHelper = gitAuthHelper.createAuthHelper(git)
   try {
-    if (stateHelper.PostSetSafeDirectory) {
+    await authHelper.configureTempGlobalConfig(repositoryPath)
-      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
-      // Otherwise all git commands we run in a container fail
-      await authHelper.configureTempGlobalConfig()
-      core.info(
-        `Adding repository directory to the temporary git global config as a safe directory`
-      )
-
-      await git
-        .config('safe.directory', repositoryPath, true, true)
-        .catch(error => {
-          core.info(`Failed to initialize safe directory with error: ${error}`)
-        })
-    }
-
     await authHelper.removeAuth()
   } finally {
     await authHelper.removeGlobalConfig()

src/git-source-settings.ts

@@ -78,9 +78,4 @@ export interface IGitSourceSettings {
    * Organization ID for the currently running workflow (used for auth settings)
    */
   workflowOrganizationId: number | undefined
-
-  /**
-   * Indicates whether to add repositoryPath as safe.directory in git global config
-   */
-  setSafeDirectory: boolean
 }

src/input-helper.ts

@@ -122,8 +122,5 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   // Workflow organization ID
   result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
 
-  // Set safe.directory in git global config.
-  result.setSafeDirectory =
-    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
   return result
 }

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2',
+  'actions/checkout@v3',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/misc/licensed-check.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed status
+_temp/licensed-3.6.0/licensed status

src/misc/licensed-download.sh

@@ -2,23 +2,23 @@
 
 set -e
 
-if [ ! -f _temp/licensed-3.3.1.done ]; then
+if [ ! -f _temp/licensed-3.6.0.done ]; then
   echo 'Clearing temp'
-  rm -rf _temp/licensed-3.3.1 || true
+  rm -rf _temp/licensed-3.6.0 || true
 
   echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.3.1
+  mkdir -p _temp/licensed-3.6.0
-  pushd _temp/licensed-3.3.1
+  pushd _temp/licensed-3.6.0
   if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
   else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
   fi
 
   echo 'Extracting licenesed'
   tar -xzf licensed.tar.gz
   popd
-  touch _temp/licensed-3.3.1.done
+  touch _temp/licensed-3.6.0.done
 else
   echo 'Licensed already downloaded'
 fi

src/misc/licensed-generate.sh

@@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh
 
 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed cache
+_temp/licensed-3.6.0/licensed cache

src/state-helper.ts

@@ -1,60 +1,58 @@
-import * as core from '@actions/core'
+import * as coreCommand from '@actions/core/lib/command'
 
 /**
  * Indicates whether the POST action is running
  */
-export const IsPost = !!core.getState('isPost')
+export const IsPost = !!process.env['STATE_isPost']
 
 /**
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
-export const RepositoryPath = core.getState('repositoryPath')
+export const RepositoryPath =
-
+  (process.env['STATE_repositoryPath'] as string) || ''
-/**
- * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
- */
-export const PostSetSafeDirectory = core.getState('setSafeDirectory') === 'true'
 
 /**
  * The SSH key path for the POST action. The value is empty during the MAIN action.
  */
-export const SshKeyPath = core.getState('sshKeyPath')
+export const SshKeyPath = (process.env['STATE_sshKeyPath'] as string) || ''
 
 /**
  * The SSH known hosts path for the POST action. The value is empty during the MAIN action.
  */
-export const SshKnownHostsPath = core.getState('sshKnownHostsPath')
+export const SshKnownHostsPath =
+  (process.env['STATE_sshKnownHostsPath'] as string) || ''
 
 /**
  * Save the repository path so the POST action can retrieve the value.
  */
 export function setRepositoryPath(repositoryPath: string) {
-  core.saveState('repositoryPath', repositoryPath)
+  coreCommand.issueCommand(
+    'save-state',
+    {name: 'repositoryPath'},
+    repositoryPath
+  )
 }
 
 /**
  * Save the SSH key path so the POST action can retrieve the value.
  */
 export function setSshKeyPath(sshKeyPath: string) {
-  core.saveState('sshKeyPath', sshKeyPath)
+  coreCommand.issueCommand('save-state', {name: 'sshKeyPath'}, sshKeyPath)
 }
 
 /**
  * Save the SSH known hosts path so the POST action can retrieve the value.
  */
 export function setSshKnownHostsPath(sshKnownHostsPath: string) {
-  core.saveState('sshKnownHostsPath', sshKnownHostsPath)
+  coreCommand.issueCommand(
-}
+    'save-state',
-
+    {name: 'sshKnownHostsPath'},
-/**
+    sshKnownHostsPath
- * Save the sef-safe-directory input so the POST action can retrieve the value.
+  )
- */
-export function setSafeDirectory() {
-  core.saveState('setSafeDirectory', 'true')
 }
 
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {
-  core.saveState('isPost', 'true')
+  coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
 }