From 1d3fa26c9e7d4ecfa3e57f92ce378f166e84fc3f Mon Sep 17 00:00:00 2001
From: Mark Vander Stel
Date: Fri, 6 Oct 2023 12:40:07 -0400
Subject: [PATCH 1/3] Fix checkout of annotated tag loosing annotation

Currently, a check is done after fetch to ensure that the repo state has not changed since the workflow was triggered. This check will reset the checkout to the commit that triggered the workflow, even if the branch or tag has moved since. The issue is that the check currently sees what "object" the ref points to. For an annotated tag, that is the annotation, not the commit. This means the check always fails for annotated tags, and they are reset to the commit, losing the annotation. Losing the annotation can be fatal, as `git describe` will only match annotated tags. The fix is simple: check if the tag points at the right commit, ignoring any other type of object. This is done with the ^{commit} syntax. From the git-rev-parse docs: > ^{}, e.g. v0.99.8^{commit} > A suffix ^ followed by an object type name enclosed in brace pair > means dereference the object at recursively until an object of > type is found or the object cannot be dereferenced anymore (in > which case, barf). For example, if is a commit-ish, > ^{commit} describes the corresponding commit object. Similarly, > if is a tree-ish, ^{tree} describes the corresponding tree > object. ^0 is a short-hand for ^{commit}. If the check still fails, we will still reset the tag to the commit, losing the annotation. However, there is no way to truly recover in this situtation, as GitHub does not capture the annotation on workflow start, and since the history has changed, we can not trust the new tag to contain the same data as it did before. Fixes #290 Closes #697
---
 dist/index.js | 3 ++-
 src/ref-helper.ts | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dist/index.js b/dist/index.js
index ddf2b3d..855a40a 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2059,7 +2059,8 @@ function testRef(git, ref, commit) { // refs/tags/ else if (upperRef.startsWith('REFS/TAGS/')) { const tagName = ref.substring('refs/tags/'.length); - return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref))); + return ((yield git.tagExists(tagName)) && + commit === (yield git.revParse(`${ref}^{commit}`))); } // Unexpected else {
diff --git a/src/ref-helper.ts b/src/ref-helper.ts
index 1c25049..912ad4e 100644
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -167,7 +167,8 @@ export async function testRef(
 else if (upperRef.startsWith('REFS/TAGS/')) {
 const tagName = ref.substring('refs/tags/'.length)
 return (
- (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
+ (await git.tagExists(tagName)) &&
+ commit === (await git.revParse(`${ref}^{commit}`))
 )
 }
 // Unexpected
From 009b9ae9e446ad8d9b8c809870b0fbcc5e03573e Mon Sep 17 00:00:00 2001
From: Ben Wells
Date: Thu, 16 Jan 2025 14:14:48 -0500
Subject: [PATCH 2/3] Documentation update - add recommended permissions to Readme (#2043)

* Update README.md * Update README.md Co-authored-by: Josh Gross --------- Co-authored-by: Josh Gross
---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/README.md b/README.md
index b0f6224..f28fec7 100644
--- a/README.md
+++ b/README.md
@@ -311,6 +311,16 @@ jobs:
 git commit -m "generated"
 git push
 ```
+
+## Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+ contents: read
+```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
From 85e6279cec87321a52edac9c87bce653a07cf6c2 Mon Sep 17 00:00:00 2001
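Review bot: In the src/ref-helper.ts hunk, the peeled `^{commit}` comparison only proves that the tag still resolves to the triggering commit, so a tag that was deleted and re-created on the same commit with a different annotation or signature now passes `testRef`, and nothing at the call site records that. I would add a comment above the `return (`, for example `// Compare the peeled commit: an annotated tag's own object id never equals the triggering commit. The annotation itself is not verified.` The `^{commit}` suffix also makes `git rev-parse` fail for a tag that points at a tree or blob; if `git.revParse` rejects on a non-zero exit (its body is not visible here), `testRef` would throw where it previously returned false, so that case is worth confirming and covering with a test. The body of `testRef` starts and ends outside the hunk.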
From: Josh Gross
Date: Thu, 16 Jan 2025 15:56:18 -0500
Subject: [PATCH 3/3] Adjust positioning of user email note and permissions heading (#2044)

---
 README.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index f28fec7..64dc025 100644
--- a/README.md
+++ b/README.md
@@ -312,7 +312,9 @@ jobs:
 git push
 ```
-## Recommended permissions
+*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
+
+# Recommended permissions
 When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
@@ -321,9 +323,6 @@ permissions:
 contents: read
 ```
-*NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
-
-
 # License
 The scripts and documentation in this project are released under the [MIT License](LICENSE)