Merge 02ade5d400 into 85e6279cec

Adjust positioning of user email note and permissions heading (#2044 )
Documentation update - add recommended permissions to Readme (#2043 )
2025-04-20 17:00:15 +03:00 · 2025-01-22 15:43:33 +03:00 · 2025-01-16 15:56:18 -05:00 · 2025-01-16 14:14:48 -05:00 · 2022-02-14 23:18:53 +00:00
2 changed files with 10 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -311,8 +311,17 @@ jobs:
          git commit -m "generated"
          git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D

+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```

 # License

--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -179,7 +179,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {

      // When all history is fetched, the ref we're interested in may have moved to a different
      // commit (push or force push). If so, fetch again with a targeted refspec.
-      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
+      if (!settings.refs.startsWith("refs/tags") && !(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        await git.fetch(refSpec, fetchOptions)
      }
Author	SHA1	Message	Date
brian m. carlson	cecb7b88c8	Merge `02ade5d400` into `85e6279cec`	2025-01-22 15:43:33 +03:00
Josh Gross	85e6279cec	Adjust positioning of user email note and permissions heading (#2044 ) Some checks failed CodeQL / Analyze (push) Has been cancelled Details Licensed / Check licenses (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / test (macos-latest) (push) Has been cancelled Details Build and Test / test (ubuntu-latest) (push) Has been cancelled Details Build and Test / test (windows-latest) (push) Has been cancelled Details Build and Test / test-proxy (push) Has been cancelled Details Build and Test / test-bypass-proxy (push) Has been cancelled Details Build and Test / test-git-container (push) Has been cancelled Details Build and Test / test-output (push) Has been cancelled Details	2025-01-16 15:56:18 -05:00
Ben Wells	009b9ae9e4	Documentation update - add recommended permissions to Readme (#2043 ) * Update README.md * Update README.md Co-authored-by: Josh Gross <joshmgross@github.com> --------- Co-authored-by: Josh Gross <joshmgross@github.com>	2025-01-16 14:14:48 -05:00
brian m. carlson	02ade5d400	Don't overwrite annotated tags with commit object When checking out a repository with full history, a full clone is done and then the ref is finally updated to point to the commit that caused the workflow to be run. Normally, this is a good protection against someone pushing to the repository twice in short succession, but it causes problems with annotated tags. Specifically, because the entry in refs/tags is set to the commit hash, if an annotated tag was used, the tag is turned merely into a lightweight one, which breaks `git describe`. Every other tag in the repository will continue to remain a valid annotated tag except the one for which the workflow was invoked, which is not what the user expected. Let's work around this by not performing a fetch if what we're fetching is a tag. Technically, annotated tags can be anywhere in the hierarchy at any ref, but this should work as a suitable heuristic for now. Note that the proper solution would be to expose the revision of the actual object and check against that instead of the commit, but it doesn't presently appear that that information is exposed. Also, we explicitly do not case-fold since Git refs are case sensitive.	2022-02-14 23:18:53 +00:00