Merge branch 'main' into rm-deprecated-substr

2025-04-21 09:10:16 +03:00 · 2023-08-26 21:33:44 +02:00 · 2023-08-26 21:33:44 +02:00 · 55ad59dfaa
commit 55ad59dfaa
parent dedef103f1 f43a0e5ff2
82 changed files with 33787 additions and 36891 deletions
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -19,8 +19,9 @@ export interface IGitAuthHelper {
  configureAuth(): Promise<void>
  configureGlobalAuth(): Promise<void>
  configureSubmoduleAuth(): Promise<void>
+  configureTempGlobalConfig(): Promise<string>
  removeAuth(): Promise<void>
-  removeGlobalAuth(): Promise<void>
+  removeGlobalConfig(): Promise<void>
 }

 export function createAuthHelper(
@ -51,7 +52,7 @@ class GitAuthHelper {
    this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)

    // Token auth header
-    const serverUrl = urlHelper.getServerUrl()
+    const serverUrl = urlHelper.getServerUrl(this.settings.githubServerUrl)
    this.tokenConfigKey = `http.${serverUrl.origin}/.extraheader` // "origin" is SCHEME://HOSTNAME[:PORT]
    const basicCredential = Buffer.from(
      `x-access-token:${this.settings.authToken}`,
@ -80,7 +81,11 @@ class GitAuthHelper {
    await this.configureToken()
  }

-  async configureGlobalAuth(): Promise<void> {
+  async configureTempGlobalConfig(): Promise<string> {
+    // Already setup global config
+    if (this.temporaryHomePath?.length > 0) {
+      return path.join(this.temporaryHomePath, '.gitconfig')
+    }
    // Create a temp home directory
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
@ -110,13 +115,19 @@ class GitAuthHelper {
      await fs.promises.writeFile(newGitConfigPath, '')
    }

-    try {
-      // Override HOME
-      core.info(
-        `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
-      )
-      this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)
+    // Override HOME
+    core.info(
+      `Temporarily overriding HOME='${this.temporaryHomePath}' before making global git config changes`
+    )
+    this.git.setEnvironmentVariable('HOME', this.temporaryHomePath)

+    return newGitConfigPath
+  }
+
+  async configureGlobalAuth(): Promise<void> {
+    // 'configureTempGlobalConfig' noops if already set, just returns the path
+    const newGitConfigPath = await this.configureTempGlobalConfig()
+    try {
      // Configure the token
      await this.configureToken(newGitConfigPath, true)

@ -146,7 +157,8 @@ class GitAuthHelper {
      // by process creation audit events, which are commonly logged. For more information,
      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
      const output = await this.git.submoduleForeach(
-        `git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url`,
+        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
        this.settings.nestedSubmodules
      )

@ -181,10 +193,12 @@ class GitAuthHelper {
    await this.removeToken()
  }

-  async removeGlobalAuth(): Promise<void> {
-    core.debug(`Unsetting HOME override`)
-    this.git.removeEnvironmentVariable('HOME')
-    await io.rmRF(this.temporaryHomePath)
+  async removeGlobalConfig(): Promise<void> {
+    if (this.temporaryHomePath?.length > 0) {
+      core.debug(`Unsetting HOME override`)
+      this.git.removeEnvironmentVariable('HOME')
+      await io.rmRF(this.temporaryHomePath)
+    }
  }

  private async configureSsh(): Promise<void> {
@ -233,7 +247,7 @@ class GitAuthHelper {
    if (this.settings.sshKnownHosts) {
      knownHosts += `# Begin from input known hosts\n${this.settings.sshKnownHosts}\n# end from input known hosts\n`
    }
-    knownHosts += `# Begin implicitly added github.com\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\n# End implicitly added github.com\n`
+    knownHosts += `# Begin implicitly added github.com\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=\n# End implicitly added github.com\n`
    this.sshKnownHostsPath = path.join(runnerTemp, `${uniqueId}_known_hosts`)
    stateHelper.setSshKnownHostsPath(this.sshKnownHostsPath)
    await fs.promises.writeFile(this.sshKnownHostsPath, knownHosts)
@ -352,7 +366,8 @@ class GitAuthHelper {

    const pattern = regexpHelper.escape(configKey)
    await this.git.submoduleForeach(
-      `git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :`,
+      // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
+      `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
      true
    )
  }
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@ -1,5 +1,6 @@
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
+import * as fs from 'fs'
 import * as fshelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
@ -16,6 +17,8 @@ export interface IGitCommandManager {
  branchDelete(remote: boolean, branch: string): Promise<void>
  branchExists(remote: boolean, pattern: string): Promise<boolean>
  branchList(remote: boolean): Promise<string[]>
+  sparseCheckout(sparseCheckout: string[]): Promise<void>
+  sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void>
  checkout(ref: string, startPoint: string): Promise<void>
  checkoutDetach(): Promise<void>
  config(
@ -25,7 +28,14 @@ export interface IGitCommandManager {
    add?: boolean
  ): Promise<void>
  configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
-  fetch(refSpec: string[], fetchDepth?: number): Promise<void>
+  fetch(
+    refSpec: string[],
+    options: {
+      filter?: string
+      fetchDepth?: number
+      fetchTags?: boolean
+    }
+  ): Promise<void>
  getDefaultBranch(repositoryUrl: string): Promise<string>
  getWorkingDirectory(): string
  init(): Promise<void>
@ -41,6 +51,7 @@ export interface IGitCommandManager {
  submoduleForeach(command: string, recursive: boolean): Promise<string>
  submoduleSync(recursive: boolean): Promise<void>
  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
+  submoduleStatus(): Promise<boolean>
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
  tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
@ -51,9 +62,14 @@ export interface IGitCommandManager {

 export async function createCommandManager(
  workingDirectory: string,
-  lfs: boolean
+  lfs: boolean,
+  doSparseCheckout: boolean
 ): Promise<IGitCommandManager> {
-  return await GitCommandManager.createCommandManager(workingDirectory, lfs)
+  return await GitCommandManager.createCommandManager(
+    workingDirectory,
+    lfs,
+    doSparseCheckout
+  )
 }

 class GitCommandManager {
@ -63,6 +79,7 @@ class GitCommandManager {
  }
  private gitPath = ''
  private lfs = false
+  private doSparseCheckout = false
  private workingDirectory = ''

  // Private constructor; use createCommandManager()
@ -94,8 +111,11 @@ class GitCommandManager {

    // Note, this implementation uses "rev-parse --symbolic-full-name" because the output from
    // "branch --list" is more difficult when in a detached HEAD state.
-    // Note, this implementation uses "rev-parse --symbolic-full-name" because there is a bug
-    // in Git 2.18 that causes "rev-parse --symbolic" to output symbolic full names.
+
+    // TODO(https://github.com/actions/checkout/issues/786): this implementation uses
+    // "rev-parse --symbolic-full-name" because there is a bug
+    // in Git 2.18 that causes "rev-parse --symbolic" to output symbolic full names. When
+    // 2.18 is no longer supported, we can switch back to --symbolic.

    const args = ['rev-parse', '--symbolic-full-name']
    if (remote) {
@ -104,24 +124,73 @@ class GitCommandManager {
      args.push('--branches')
    }

-    const output = await this.execGit(args)
+    const stderr: string[] = []
+    const errline: string[] = []
+    const stdout: string[] = []
+    const stdline: string[] = []

-    for (let branch of output.stdout.trim().split('\n')) {
-      branch = branch.trim()
-      if (branch) {
-        if (branch.startsWith('refs/heads/')) {
-          branch = branch.slice('refs/heads/'.length)
-        } else if (branch.startsWith('refs/remotes/')) {
-          branch = branch.slice('refs/remotes/'.length)
-        }
-
-        result.push(branch)
+    const listeners = {
+      stderr: (data: Buffer) => {
+        stderr.push(data.toString())
+      },
+      errline: (data: Buffer) => {
+        errline.push(data.toString())
+      },
+      stdout: (data: Buffer) => {
+        stdout.push(data.toString())
+      },
+      stdline: (data: Buffer) => {
+        stdline.push(data.toString())
      }
    }

+    // Suppress the output in order to avoid flooding annotations with innocuous errors.
+    await this.execGit(args, false, true, listeners)
+
+    core.debug(`stderr callback is: ${stderr}`)
+    core.debug(`errline callback is: ${errline}`)
+    core.debug(`stdout callback is: ${stdout}`)
+    core.debug(`stdline callback is: ${stdline}`)
+
+    for (let branch of stdline) {
+      branch = branch.trim()
+      if (!branch) {
+        continue
+      }
+
+      if (branch.startsWith('refs/heads/')) {
+        branch = branch.substring('refs/heads/'.length)
+      } else if (branch.startsWith('refs/remotes/')) {
+        branch = branch.substring('refs/remotes/'.length)
+      }
+
+      result.push(branch)
+    }
+
    return result
  }

+  async sparseCheckout(sparseCheckout: string[]): Promise<void> {
+    await this.execGit(['sparse-checkout', 'set', ...sparseCheckout])
+  }
+
+  async sparseCheckoutNonConeMode(sparseCheckout: string[]): Promise<void> {
+    await this.execGit(['config', 'core.sparseCheckout', 'true'])
+    const output = await this.execGit([
+      'rev-parse',
+      '--git-path',
+      'info/sparse-checkout'
+    ])
+    const sparseCheckoutPath = path.join(
+      this.workingDirectory,
+      output.stdout.trimRight()
+    )
+    await fs.promises.appendFile(
+      sparseCheckoutPath,
+      `\n${sparseCheckout.join('\n')}\n`
+    )
+  }
+
  async checkout(ref: string, startPoint: string): Promise<void> {
    const args = ['checkout', '--progress', '--force']
    if (startPoint) {
@ -170,15 +239,23 @@ class GitCommandManager {
    return output.exitCode === 0
  }

-  async fetch(refSpec: string[], fetchDepth?: number): Promise<void> {
+  async fetch(
+    refSpec: string[],
+    options: {filter?: string; fetchDepth?: number; fetchTags?: boolean}
+  ): Promise<void> {
    const args = ['-c', 'protocol.version=2', 'fetch']
-    if (!refSpec.some(x => x === refHelper.tagsRefSpec)) {
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
      args.push('--no-tags')
    }

    args.push('--prune', '--progress', '--no-recurse-submodules')
-    if (fetchDepth && fetchDepth > 0) {
-      args.push(`--depth=${fetchDepth}`)
+
+    if (options.filter) {
+      args.push(`--filter=${options.filter}`)
+    }
+
+    if (options.fetchDepth && options.fetchDepth > 0) {
+      args.push(`--depth=${options.fetchDepth}`)
    } else if (
      fshelper.fileExistsSync(
        path.join(this.workingDirectory, '.git', 'shallow')
@ -257,8 +334,8 @@ class GitCommandManager {
  }

  async log1(format?: string): Promise<string> {
-    var args = format ? ['log', '-1', format] : ['log', '-1']
-    var silent = format ? false : true
+    const args = format ? ['log', '-1', format] : ['log', '-1']
+    const silent = format ? false : true
    const output = await this.execGit(args, false, silent)
    return output.stdout
  }
@ -326,6 +403,12 @@ class GitCommandManager {
    await this.execGit(args)
  }

+  async submoduleStatus(): Promise<boolean> {
+    const output = await this.execGit(['submodule', 'status'], true)
+    core.debug(output.stdout)
+    return output.exitCode === 0
+  }
+
  async tagExists(pattern: string): Promise<boolean> {
    const output = await this.execGit(['tag', '--list', pattern])
    return !!output.stdout.trim()
@ -385,17 +468,23 @@ class GitCommandManager {

  static async createCommandManager(
    workingDirectory: string,
-    lfs: boolean
+    lfs: boolean,
+    doSparseCheckout: boolean
  ): Promise<GitCommandManager> {
    const result = new GitCommandManager()
-    await result.initializeCommandManager(workingDirectory, lfs)
+    await result.initializeCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
    return result
  }

  private async execGit(
    args: string[],
    allowAllExitCodes = false,
-    silent = false
+    silent = false,
+    customListeners = {}
  ): Promise<GitOutput> {
    fshelper.directoryExistsSync(this.workingDirectory, true)

@ -409,28 +498,36 @@ class GitCommandManager {
      env[key] = this.gitEnv[key]
    }

-    const stdout: string[] = []
+    const defaultListener = {
+      stdout: (data: Buffer) => {
+        stdout.push(data.toString())
+      }
+    }

+    const mergedListeners = {...defaultListener, ...customListeners}
+
+    const stdout: string[] = []
    const options = {
      cwd: this.workingDirectory,
      env,
      silent,
      ignoreReturnCode: allowAllExitCodes,
-      listeners: {
-        stdout: (data: Buffer) => {
-          stdout.push(data.toString())
-        }
-      }
+      listeners: mergedListeners
    }

    result.exitCode = await exec.exec(`"${this.gitPath}"`, args, options)
    result.stdout = stdout.join('')
+
+    core.debug(result.exitCode.toString())
+    core.debug(result.stdout)
+
    return result
  }

  private async initializeCommandManager(
    workingDirectory: string,
-    lfs: boolean
+    lfs: boolean,
+    doSparseCheckout: boolean
  ): Promise<void> {
    this.workingDirectory = workingDirectory

@ -493,6 +590,16 @@ class GitCommandManager {
      }
    }

+    this.doSparseCheckout = doSparseCheckout
+    if (this.doSparseCheckout) {
+      // The `git sparse-checkout` command was introduced in Git v2.25.0
+      const minimumGitSparseCheckoutVersion = new GitVersion('2.25')
+      if (!gitVersion.checkMinimum(minimumGitSparseCheckoutVersion)) {
+        throw new Error(
+          `Minimum Git version required for sparse checkout is ${minimumGitSparseCheckoutVersion}. Your git ('${this.gitPath}') is ${gitVersion}`
+        )
+      }
+    }
    // Set the user agent
    const gitHttpUserAgent = `git/${gitVersion} (github-actions-checkout)`
    core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
--- a/src/git-directory-helper.ts
+++ b/src/git-directory-helper.ts
@ -81,12 +81,18 @@ export async function prepareExistingDirectory(
      }
      core.endGroup()

+      // Check for submodules and delete any existing files if submodules are present
+      if (!(await git.submoduleStatus())) {
+        remove = true
+        core.info('Bad Submodules found, removing existing files')
+      }
+
      // Clean
      if (clean) {
        core.startGroup('Cleaning the repository')
        if (!(await git.tryClean())) {
          core.debug(
-            `The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
+            `The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For further investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
          )
          remove = true
        } else if (!(await git.tryReset())) {
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -36,68 +36,95 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
  const git = await getGitCommandManager(settings)
  core.endGroup()

-  // Prepare existing directory, otherwise recreate
-  if (isExisting) {
-    await gitDirectoryHelper.prepareExistingDirectory(
-      git,
-      settings.repositoryPath,
-      repositoryUrl,
-      settings.clean,
-      settings.ref
-    )
-  }
+  let authHelper: gitAuthHelper.IGitAuthHelper | null = null
+  try {
+    if (git) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+      if (settings.setSafeDirectory) {
+        // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+        // Otherwise all git commands we run in a container fail
+        await authHelper.configureTempGlobalConfig()
+        core.info(
+          `Adding repository directory to the temporary git global config as a safe directory`
+        )

-  if (!git) {
-    // Downloading using REST API
-    core.info(`The repository will be downloaded using the GitHub REST API`)
-    core.info(
-      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
-    )
-    if (settings.submodules) {
-      throw new Error(
-        `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
-      )
-    } else if (settings.sshKey) {
-      throw new Error(
-        `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        await git
+          .config('safe.directory', settings.repositoryPath, true, true)
+          .catch(error => {
+            core.info(
+              `Failed to initialize safe directory with error: ${error}`
+            )
+          })
+
+        stateHelper.setSafeDirectory()
+      }
+    }
+
+    // Prepare existing directory, otherwise recreate
+    if (isExisting) {
+      await gitDirectoryHelper.prepareExistingDirectory(
+        git,
+        settings.repositoryPath,
+        repositoryUrl,
+        settings.clean,
+        settings.ref
      )
    }

-    await githubApiHelper.downloadRepository(
-      settings.authToken,
-      settings.repositoryOwner,
-      settings.repositoryName,
-      settings.ref,
-      settings.commit,
-      settings.repositoryPath
-    )
-    return
-  }
+    if (!git) {
+      // Downloading using REST API
+      core.info(`The repository will be downloaded using the GitHub REST API`)
+      core.info(
+        `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+      )
+      if (settings.submodules) {
+        throw new Error(
+          `Input 'submodules' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        )
+      } else if (settings.sshKey) {
+        throw new Error(
+          `Input 'ssh-key' not supported when falling back to download using the GitHub REST API. To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH.`
+        )
+      }

-  // Save state for POST action
-  stateHelper.setRepositoryPath(settings.repositoryPath)
+      await githubApiHelper.downloadRepository(
+        settings.authToken,
+        settings.repositoryOwner,
+        settings.repositoryName,
+        settings.ref,
+        settings.commit,
+        settings.repositoryPath,
+        settings.githubServerUrl
+      )
+      return
+    }

-  // Initialize the repository
-  if (
-    !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
-  ) {
-    core.startGroup('Initializing the repository')
-    await git.init()
-    await git.remoteAdd('origin', repositoryUrl)
+    // Save state for POST action
+    stateHelper.setRepositoryPath(settings.repositoryPath)
+
+    // Initialize the repository
+    if (
+      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
+    ) {
+      core.startGroup('Initializing the repository')
+      await git.init()
+      await git.remoteAdd('origin', repositoryUrl)
+      core.endGroup()
+    }
+
+    // Disable automatic garbage collection
+    core.startGroup('Disabling automatic garbage collection')
+    if (!(await git.tryDisableAutomaticGarbageCollection())) {
+      core.warning(
+        `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
+      )
+    }
    core.endGroup()
-  }

-  // Disable automatic garbage collection
-  core.startGroup('Disabling automatic garbage collection')
-  if (!(await git.tryDisableAutomaticGarbageCollection())) {
-    core.warning(
-      `Unable to turn off git automatic garbage collection. The git fetch operation may trigger garbage collection and cause a delay.`
-    )
-  }
-  core.endGroup()
-
-  const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-  try {
+    // If we didn't initialize it above, do it now
+    if (!authHelper) {
+      authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    }
    // Configure auth
    core.startGroup('Setting up auth')
    await authHelper.configureAuth()
@ -112,7 +139,8 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
        settings.ref = await githubApiHelper.getDefaultBranch(
          settings.authToken,
          settings.repositoryOwner,
-          settings.repositoryName
+          settings.repositoryName,
+          settings.githubServerUrl
        )
      }
      core.endGroup()
@ -125,23 +153,31 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {

    // Fetch
    core.startGroup('Fetching the repository')
+    const fetchOptions: {
+      filter?: string
+      fetchDepth?: number
+      fetchTags?: boolean
+    } = {}
+    if (settings.sparseCheckout) fetchOptions.filter = 'blob:none'
    if (settings.fetchDepth <= 0) {
      // Fetch all branches and tags
      let refSpec = refHelper.getRefSpecForAllHistory(
        settings.ref,
        settings.commit
      )
-      await git.fetch(refSpec)
+      await git.fetch(refSpec, fetchOptions)

      // When all history is fetched, the ref we're interested in may have moved to a different
      // commit (push or force push). If so, fetch again with a targeted refspec.
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-        await git.fetch(refSpec)
+        await git.fetch(refSpec, fetchOptions)
      }
    } else {
+      fetchOptions.fetchDepth = settings.fetchDepth
+      fetchOptions.fetchTags = settings.fetchTags
      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-      await git.fetch(refSpec, settings.fetchDepth)
+      await git.fetch(refSpec, fetchOptions)
    }
    core.endGroup()

@ -157,12 +193,24 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    // LFS fetch
    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
    // Explicit lfs fetch will fetch lfs objects in parallel.
-    if (settings.lfs) {
+    // For sparse checkouts, let `checkout` fetch the needed objects lazily.
+    if (settings.lfs && !settings.sparseCheckout) {
      core.startGroup('Fetching LFS objects')
      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
      core.endGroup()
    }

+    // Sparse checkout
+    if (settings.sparseCheckout) {
+      core.startGroup('Setting up sparse checkout')
+      if (settings.sparseCheckoutConeMode) {
+        await git.sparseCheckout(settings.sparseCheckout)
+      } else {
+        await git.sparseCheckoutNonConeMode(settings.sparseCheckout)
+      }
+      core.endGroup()
+    }
+
    // Checkout
    core.startGroup('Checking out the ref')
    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
@ -170,34 +218,26 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {

    // Submodules
    if (settings.submodules) {
-      try {
-        // Temporarily override global config
-        core.startGroup('Setting up auth for fetching submodules')
-        await authHelper.configureGlobalAuth()
-        core.endGroup()
+      // Temporarily override global config
+      core.startGroup('Setting up auth for fetching submodules')
+      await authHelper.configureGlobalAuth()
+      core.endGroup()

-        // Checkout submodules
-        core.startGroup('Fetching submodules')
-        await git.submoduleSync(settings.nestedSubmodules)
-        await git.submoduleUpdate(
-          settings.fetchDepth,
-          settings.nestedSubmodules
-        )
-        await git.submoduleForeach(
-          'git config --local gc.auto 0',
-          settings.nestedSubmodules
-        )
-        core.endGroup()
+      // Checkout submodules
+      core.startGroup('Fetching submodules')
+      await git.submoduleSync(settings.nestedSubmodules)
+      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
+      await git.submoduleForeach(
+        'git config --local gc.auto 0',
+        settings.nestedSubmodules
+      )
+      core.endGroup()

-        // Persist credentials
-        if (settings.persistCredentials) {
-          core.startGroup('Persisting credentials for submodules')
-          await authHelper.configureSubmoduleAuth()
-          core.endGroup()
-        }
-      } finally {
-        // Remove temporary global config override
-        await authHelper.removeGlobalAuth()
+      // Persist credentials
+      if (settings.persistCredentials) {
+        core.startGroup('Persisting credentials for submodules')
+        await authHelper.configureSubmoduleAuth()
+        core.endGroup()
      }
    }

@ -214,14 +254,18 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      settings.repositoryOwner,
      settings.repositoryName,
      settings.ref,
-      settings.commit
+      settings.commit,
+      settings.githubServerUrl
    )
  } finally {
    // Remove auth
-    if (!settings.persistCredentials) {
-      core.startGroup('Removing auth')
-      await authHelper.removeAuth()
-      core.endGroup()
+    if (authHelper) {
+      if (!settings.persistCredentials) {
+        core.startGroup('Removing auth')
+        await authHelper.removeAuth()
+        core.endGroup()
+      }
+      authHelper.removeGlobalConfig()
    }
  }
 }
@ -237,14 +281,37 @@ export async function cleanup(repositoryPath: string): Promise<void> {

  let git: IGitCommandManager
  try {
-    git = await gitCommandManager.createCommandManager(repositoryPath, false)
+    git = await gitCommandManager.createCommandManager(
+      repositoryPath,
+      false,
+      false
+    )
  } catch {
    return
  }

  // Remove auth
  const authHelper = gitAuthHelper.createAuthHelper(git)
-  await authHelper.removeAuth()
+  try {
+    if (stateHelper.PostSetSafeDirectory) {
+      // Setup the repository path as a safe directory, so if we pass this into a container job with a different user it doesn't fail
+      // Otherwise all git commands we run in a container fail
+      await authHelper.configureTempGlobalConfig()
+      core.info(
+        `Adding repository directory to the temporary git global config as a safe directory`
+      )
+
+      await git
+        .config('safe.directory', repositoryPath, true, true)
+        .catch(error => {
+          core.info(`Failed to initialize safe directory with error: ${error}`)
+        })
+    }
+
+    await authHelper.removeAuth()
+  } finally {
+    await authHelper.removeGlobalConfig()
+  }
 }

 async function getGitCommandManager(
@ -254,7 +321,8 @@ async function getGitCommandManager(
  try {
    return await gitCommandManager.createCommandManager(
      settings.repositoryPath,
-      settings.lfs
+      settings.lfs,
+      settings.sparseCheckout != null
    )
  } catch (err) {
    // Git is required for LFS
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@ -29,11 +29,26 @@ export interface IGitSourceSettings {
   */
  clean: boolean

+  /**
+   * The array of folders to make the sparse checkout
+   */
+  sparseCheckout: string[]
+
+  /**
+   * Indicates whether to use cone mode in the sparse checkout (if any)
+   */
+  sparseCheckoutConeMode: boolean
+
  /**
   * The depth when fetching
   */
  fetchDepth: number

+  /**
+   * Fetch tags, even if fetchDepth > 0 (default: false)
+   */
+  fetchTags: boolean
+
  /**
   * Indicates whether to fetch LFS objects
   */
@ -78,4 +93,14 @@ export interface IGitSourceSettings {
   * Organization ID for the currently running workflow (used for auth settings)
   */
  workflowOrganizationId: number | undefined
+
+  /**
+   * Indicates whether to add repositoryPath as safe.directory in git global config
+   */
+  setSafeDirectory: boolean
+
+  /**
+   * User override on the GitHub Server/Host URL that hosts the repository to be cloned
+   */
+  githubServerUrl: string | undefined
 }
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@ -7,7 +7,7 @@ import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
 import {default as uuid} from 'uuid/v4'
-import {Octokit} from '@octokit/rest'
+import {getServerApiUrl} from './url-helper'

 const IS_WINDOWS = process.platform === 'win32'

@ -17,18 +17,19 @@ export async function downloadRepository(
  repo: string,
  ref: string,
  commit: string,
-  repositoryPath: string
+  repositoryPath: string,
+  baseUrl?: string
 ): Promise<void> {
  // Determine the default branch
  if (!ref && !commit) {
    core.info('Determining the default branch')
-    ref = await getDefaultBranch(authToken, owner, repo)
+    ref = await getDefaultBranch(authToken, owner, repo, baseUrl)
  }

  // Download the archive
  let archiveData = await retryHelper.execute(async () => {
    core.info('Downloading the archive')
-    return await downloadArchive(authToken, owner, repo, ref, commit)
+    return await downloadArchive(authToken, owner, repo, ref, commit, baseUrl)
  })

  // Write archive to disk
@ -79,15 +80,18 @@ export async function downloadRepository(
 export async function getDefaultBranch(
  authToken: string,
  owner: string,
-  repo: string
+  repo: string,
+  baseUrl?: string
 ): Promise<string> {
  return await retryHelper.execute(async () => {
    core.info('Retrieving the default branch name')
-    const octokit = new github.GitHub(authToken)
+    const octokit = github.getOctokit(authToken, {
+      baseUrl: getServerApiUrl(baseUrl)
+    })
    let result: string
    try {
      // Get the default branch from the repo info
-      const response = await octokit.repos.get({owner, repo})
+      const response = await octokit.rest.repos.get({owner, repo})
      result = response.data.default_branch
      assert.ok(result, 'default_branch cannot be empty')
    } catch (err) {
@ -121,21 +125,19 @@ async function downloadArchive(
  owner: string,
  repo: string,
  ref: string,
-  commit: string
+  commit: string,
+  baseUrl?: string
 ): Promise<Buffer> {
-  const octokit = new github.GitHub(authToken)
-  const params: Octokit.ReposGetArchiveLinkParams = {
+  const octokit = github.getOctokit(authToken, {
+    baseUrl: getServerApiUrl(baseUrl)
+  })
+  const download = IS_WINDOWS
+    ? octokit.rest.repos.downloadZipballArchive
+    : octokit.rest.repos.downloadTarballArchive
+  const response = await download({
    owner: owner,
    repo: repo,
-    archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
    ref: commit || ref
-  }
-  const response = await octokit.repos.getArchiveLink(params)
-  if (response.status != 200) {
-    throw new Error(
-      `Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
-    )
-  }
-
-  return Buffer.from(response.data) // response.data is ArrayBuffer
+  })
+  return Buffer.from(response.data as ArrayBuffer) // response.data is ArrayBuffer
 }
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@ -82,6 +82,17 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
  core.debug(`clean = ${result.clean}`)

+  // Sparse checkout
+  const sparseCheckout = core.getMultilineInput('sparse-checkout')
+  if (sparseCheckout.length) {
+    result.sparseCheckout = sparseCheckout
+    core.debug(`sparse checkout = ${result.sparseCheckout}`)
+  }
+
+  result.sparseCheckoutConeMode =
+    (core.getInput('sparse-checkout-cone-mode') || 'true').toUpperCase() ===
+    'TRUE'
+
  // Fetch depth
  result.fetchDepth = Math.floor(Number(core.getInput('fetch-depth') || '1'))
  if (isNaN(result.fetchDepth) || result.fetchDepth < 0) {
@ -89,6 +100,11 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  }
  core.debug(`fetch depth = ${result.fetchDepth}`)

+  // Fetch tags
+  result.fetchTags =
+    (core.getInput('fetch-tags') || 'false').toUpperCase() === 'TRUE'
+  core.debug(`fetch tags = ${result.fetchTags}`)
+
  // LFS
  result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
  core.debug(`lfs = ${result.lfs}`)
@ -122,5 +138,13 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Workflow organization ID
  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()

+  // Set safe.directory in git global config.
+  result.setSafeDirectory =
+    (core.getInput('set-safe-directory') || 'true').toUpperCase() === 'TRUE'
+
+  // Determine the GitHub URL that the repository is being hosted from
+  result.githubServerUrl = core.getInput('github-server-url')
+  core.debug(`GitHub Host URL = ${result.githubServerUrl}`)
+
  return result
 }
--- a/src/misc/licensed-check.sh
+++ b/src/misc/licensed-check.sh
@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh

 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed status
+_temp/licensed-3.6.0/licensed status
--- a/src/misc/licensed-download.sh
+++ b/src/misc/licensed-download.sh
@ -2,23 +2,23 @@

 set -e

-if [ ! -f _temp/licensed-3.3.1.done ]; then
+if [ ! -f _temp/licensed-3.6.0.done ]; then
  echo 'Clearing temp'
-  rm -rf _temp/licensed-3.3.1 || true
+  rm -rf _temp/licensed-3.6.0 || true

  echo 'Downloading licensed'
-  mkdir -p _temp/licensed-3.3.1
-  pushd _temp/licensed-3.3.1
+  mkdir -p _temp/licensed-3.6.0
+  pushd _temp/licensed-3.6.0
  if [[ "$OSTYPE" == "darwin"* ]]; then
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz
  else
-    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz
+    curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz
  fi

  echo 'Extracting licenesed'
  tar -xzf licensed.tar.gz
  popd
-  touch _temp/licensed-3.3.1.done
+  touch _temp/licensed-3.6.0.done
 else
  echo 'Licensed already downloaded'
 fi
--- a/src/misc/licensed-generate.sh
+++ b/src/misc/licensed-generate.sh
@ -5,4 +5,4 @@ set -e
 src/misc/licensed-download.sh

 echo 'Running: licensed cached'
-_temp/licensed-3.3.1/licensed cache
+_temp/licensed-3.6.0/licensed cache
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@ -1,7 +1,7 @@
-import {URL} from 'url'
 import {IGitCommandManager} from './git-command-manager'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
+import {getServerApiUrl, isGhes} from './url-helper'

 export const tagsRefSpec = '+refs/tags/*:refs/tags/*'

@ -183,11 +183,12 @@ export async function checkCommitInfo(
  repositoryOwner: string,
  repositoryName: string,
  ref: string,
-  commit: string
+  commit: string,
+  baseUrl?: string
 ): Promise<void> {
  try {
    // GHES?
-    if (isGhes()) {
+    if (isGhes(baseUrl)) {
      return
    }

@ -243,14 +244,18 @@ export async function checkCommitInfo(
      core.debug(
        `Expected head sha ${expectedHeadSha}; actual head sha ${actualHeadSha}`
      )
-      const octokit = new github.GitHub(token, {
+      const octokit = github.getOctokit(token, {
+        baseUrl: getServerApiUrl(baseUrl),
        userAgent: `actions-checkout-tracepoint/1.0 (code=STALE_MERGE;owner=${repositoryOwner};repo=${repositoryName};pr=${fromPayload(
          'number'
        )};run_id=${
          process.env['GITHUB_RUN_ID']
        };expected_head_sha=${expectedHeadSha};actual_head_sha=${actualHeadSha})`
      })
-      await octokit.repos.get({owner: repositoryOwner, repo: repositoryName})
+      await octokit.rest.repos.get({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
    }
  } catch (err) {
    core.debug(
@ -276,10 +281,3 @@ function select(obj: any, path: string): any {
  const key = path.slice(0, i)
  return select(obj[key], path.slice(i + 1))
 }
-
-function isGhes(): boolean {
-  const ghUrl = new URL(
-    process.env['GITHUB_SERVER_URL'] || 'https://github.com'
-  )
-  return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM'
-}
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@ -1,58 +1,60 @@
-import * as coreCommand from '@actions/core/lib/command'
+import * as core from '@actions/core'

 /**
 * Indicates whether the POST action is running
 */
-export const IsPost = !!process.env['STATE_isPost']
+export const IsPost = !!core.getState('isPost')

 /**
 * The repository path for the POST action. The value is empty during the MAIN action.
 */
-export const RepositoryPath =
-  (process.env['STATE_repositoryPath'] as string) || ''
+export const RepositoryPath = core.getState('repositoryPath')
+
+/**
+ * The set-safe-directory for the POST action. The value is set if input: 'safe-directory' is set during the MAIN action.
+ */
+export const PostSetSafeDirectory = core.getState('setSafeDirectory') === 'true'

 /**
 * The SSH key path for the POST action. The value is empty during the MAIN action.
 */
-export const SshKeyPath = (process.env['STATE_sshKeyPath'] as string) || ''
+export const SshKeyPath = core.getState('sshKeyPath')

 /**
 * The SSH known hosts path for the POST action. The value is empty during the MAIN action.
 */
-export const SshKnownHostsPath =
-  (process.env['STATE_sshKnownHostsPath'] as string) || ''
+export const SshKnownHostsPath = core.getState('sshKnownHostsPath')

 /**
 * Save the repository path so the POST action can retrieve the value.
 */
 export function setRepositoryPath(repositoryPath: string) {
-  coreCommand.issueCommand(
-    'save-state',
-    {name: 'repositoryPath'},
-    repositoryPath
-  )
+  core.saveState('repositoryPath', repositoryPath)
 }

 /**
 * Save the SSH key path so the POST action can retrieve the value.
 */
 export function setSshKeyPath(sshKeyPath: string) {
-  coreCommand.issueCommand('save-state', {name: 'sshKeyPath'}, sshKeyPath)
+  core.saveState('sshKeyPath', sshKeyPath)
 }

 /**
 * Save the SSH known hosts path so the POST action can retrieve the value.
 */
 export function setSshKnownHostsPath(sshKnownHostsPath: string) {
-  coreCommand.issueCommand(
-    'save-state',
-    {name: 'sshKnownHostsPath'},
-    sshKnownHostsPath
-  )
+  core.saveState('sshKnownHostsPath', sshKnownHostsPath)
+}
+
+/**
+ * Save the set-safe-directory input so the POST action can retrieve the value.
+ */
+export function setSafeDirectory() {
+  core.saveState('setSafeDirectory', 'true')
 }

 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {
-  coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
+  core.saveState('isPost', 'true')
 }
--- a/src/url-helper.ts
+++ b/src/url-helper.ts
@ -1,6 +1,6 @@
 import * as assert from 'assert'
-import {IGitSourceSettings} from './git-source-settings'
 import {URL} from 'url'
+import {IGitSourceSettings} from './git-source-settings'

 export function getFetchUrl(settings: IGitSourceSettings): string {
  assert.ok(
@ -8,7 +8,7 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
    'settings.repositoryOwner must be defined'
  )
  assert.ok(settings.repositoryName, 'settings.repositoryName must be defined')
-  const serviceUrl = getServerUrl()
+  const serviceUrl = getServerUrl(settings.githubServerUrl)
  const encodedOwner = encodeURIComponent(settings.repositoryOwner)
  const encodedName = encodeURIComponent(settings.repositoryName)
  if (settings.sshKey) {
@ -19,11 +19,27 @@ export function getFetchUrl(settings: IGitSourceSettings): string {
  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
 }

-export function getServerUrl(): URL {
-  // todo: remove GITHUB_URL after support for GHES Alpha is no longer needed
-  return new URL(
-    process.env['GITHUB_SERVER_URL'] ||
-      process.env['GITHUB_URL'] ||
-      'https://github.com'
-  )
+export function getServerUrl(url?: string): URL {
+  let urlValue =
+    url && url.trim().length > 0
+      ? url
+      : process.env['GITHUB_SERVER_URL'] || 'https://github.com'
+  return new URL(urlValue)
+}
+
+export function getServerApiUrl(url?: string): string {
+  let apiUrl = 'https://api.github.com'
+
+  if (isGhes(url)) {
+    const serverUrl = getServerUrl(url)
+    apiUrl = new URL(`${serverUrl.origin}/api/v3`).toString()
+  }
+
+  return apiUrl
+}
+
+export function isGhes(url?: string): boolean {
+  const ghUrl = getServerUrl(url)
+
+  return ghUrl.hostname.toUpperCase() !== 'GITHUB.COM'
 }