adr support fetch-refs

.github/workflows/test.yml

@@ -19,6 +19,8 @@ jobs:
       - run: npm run build
       - run: npm run format-check
       - run: npm run lint
+      - run: npm run pack
+      - run: npm run gendocs
       - run: npm test
       - name: Verify no unstaged changes
         run: __test__/verify-no-unstaged-changes.sh
@@ -35,7 +37,7 @@ jobs:
         uses: actions/checkout@v2
 
       # Basic checkout
-      - name: Checkout basic
+      - name: Basic checkout
         uses: ./
         with:
           ref: test-data/v2/basic
@@ -48,7 +50,7 @@ jobs:
       - name: Modify work tree
         shell: bash
         run: __test__/modify-work-tree.sh
-      - name: Checkout clean
+      - name: Clean checkout
         uses: ./
         with:
           ref: test-data/v2/basic
@@ -58,12 +60,12 @@ jobs:
         run: __test__/verify-clean.sh
 
       # Side by side
-      - name: Checkout side by side 1
+      - name: Side by side checkout 1
         uses: ./
         with:
           ref: test-data/v2/side-by-side-1
           path: side-by-side-1
-      - name: Checkout side by side 2
+      - name: Side by side checkout 2
         uses: ./
         with:
           ref: test-data/v2/side-by-side-2
@@ -73,7 +75,7 @@ jobs:
         run: __test__/verify-side-by-side.sh
 
       # LFS
-      - name: Checkout LFS
+      - name: LFS checkout
         uses: ./
         with:
           repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
@@ -84,35 +86,6 @@ jobs:
         shell: bash
         run: __test__/verify-lfs.sh
 
-      # Submodules false
-      - name: Checkout submodules false
-        uses: ./
-        with:
-          ref: test-data/v2/submodule-ssh-url
-          path: submodules-false
-      - name: Verify submodules false
-        run: __test__/verify-submodules-false.sh
-
-      # Submodules one level
-      - name: Checkout submodules true
-        uses: ./
-        with:
-          ref: test-data/v2/submodule-ssh-url
-          path: submodules-true
-          submodules: true
-      - name: Verify submodules true
-        run: __test__/verify-submodules-true.sh
-
-      # Submodules recursive
-      - name: Checkout submodules recursive
-        uses: ./
-        with:
-          ref: test-data/v2/submodule-ssh-url
-          path: submodules-recursive
-          submodules: recursive
-      - name: Verify submodules recursive
-        run: __test__/verify-submodules-recursive.sh
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -127,7 +100,7 @@ jobs:
       - name: Override git version (Windows)
         if: runner.os == 'windows'
         run: __test__\\override-git-version.cmd
-      - name: Checkout basic using REST API
+      - name: Basic checkout using REST API
         uses: ./
         with:
           ref: test-data/v2/basic
@@ -153,7 +126,7 @@ jobs:
         uses: actions/checkout@v2
 
       # Basic checkout using git
-      - name: Checkout basic
+      - name: Basic checkout
         uses: ./
         with:
           ref: test-data/v2/basic
@@ -185,7 +158,7 @@ jobs:
         uses: actions/checkout@v2
 
       # Basic checkout using git
-      - name: Checkout basic
+      - name: Basic checkout
         uses: ./
         with:
           ref: test-data/v2/basic
@@ -198,7 +171,7 @@ jobs:
       # Basic checkout using REST API
       - name: Override git version
         run: __test__/override-git-version.sh
-      - name: Checkout basic using REST API
+      - name: Basic checkout using REST API
         uses: ./
         with:
           ref: test-data/v2/basic

.gitignore

@@ -1,3 +1,2 @@
-__test__/_temp
 lib/
 node_modules/

README.md

@@ -18,7 +18,6 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
   - Fetches only a single commit by default
 - Script authenticated git commands
   - Auth token persisted in the local git config
-- Supports SSH
 - Creates a local branch
   - No longer detached HEAD when checking out a branch
 - Improved layout
@@ -27,6 +26,7 @@ When Git 2.18 or higher is not in your PATH, falls back to the REST API to downl
 - Fallback to REST API download
   - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
   - When using a job container, the container's PATH is used
+- Removed input `submodules`
 
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
 
@@ -45,40 +45,14 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # Otherwise, defaults to `master`.
     ref: ''
 
-    # Personal access token (PAT) used to fetch the repository. The PAT is configured
-    # with the local git config, which enables your scripts to run authenticated git
-    # commands. The post-job step removes the PAT.
-    #
-    # We recommend using a service account with the least permissions necessary. Also
-    # when generating a new PAT, select the least scopes necessary.
-    #
-    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-    #
+    # Auth token used to fetch the repository. The token is stored in the local git
+    # config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the token from the git config. [Learn more about creating
+    # and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     # Default: ${{ github.token }}
     token: ''
 
-    # SSH key used to fetch the repository. The SSH key is configured with the local
-    # git config, which enables your scripts to run authenticated git commands. The
-    # post-job step removes the SSH key.
-    #
-    # We recommend using a service account with the least permissions necessary.
-    #
-    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-    ssh-key: ''
-
-    # Known hosts in addition to the user and global host key database. The public SSH
-    # keys for a host may be obtained using the utility `ssh-keyscan`. For example,
-    # `ssh-keyscan github.com`. The public key for github.com is always implicitly
-    # added.
-    ssh-known-hosts: ''
-
-    # Whether to perform strict host key checking. When true, adds the options
-    # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use
-    # the input `ssh-known-hosts` to configure additional hosts.
-    # Default: true
-    ssh-strict: ''
-
-    # Whether to configure the token or SSH key with the local git config
+    # Whether to persist the token in the git config
     # Default: true
     persist-credentials: ''
 
@@ -96,15 +70,6 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # Whether to download Git-LFS files
     # Default: false
     lfs: ''
-
-    # Whether to checkout submodules: `true` to checkout submodules or `recursive` to
-    # recursively checkout submodules.
-    #
-    # When the `ssh-key` input is not provided, SSH URLs beginning with
-    # `git@github.com:` are converted to HTTPS.
-    #
-    # Default: false
-    submodules: ''
 ```
 <!-- end usage -->
 
@@ -117,6 +82,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Checkout submodules](#Checkout-submodules)
 - [Fetch all tags](#Fetch-all-tags)
 - [Fetch all branches](#Fetch-all-branches)
 - [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
@@ -207,6 +173,20 @@ jobs:
       - uses: actions/checkout@v2
 ```
 
+## Checkout submodules
+
+```yaml
+- uses: actions/checkout@v2
+- name: Checkout submodules
+  shell: bash
+  run: |
+    # If your submodules are configured to use SSH instead of HTTPS please uncomment the following line
+    # git config --global url."https://github.com/".insteadOf "git@github.com:"
+    auth_header="$(git config --local --get http.https://github.com/.extraheader)"
+    git submodule sync --recursive
+    git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
+```
+
 ## Fetch all tags
 
 ```yaml

__test__/input-helper.test.ts

@@ -4,7 +4,7 @@ import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import {ISourceSettings} from '../lib/git-source-provider'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
@@ -17,18 +17,12 @@ let originalContext = {...github.context}
 
 describe('input-helper tests', () => {
   beforeAll(() => {
-    // Mock getInput
+    // Mock @actions/core getInput()
     jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
       return inputs[name]
     })
 
-    // Mock error/warning/info/debug
-    jest.spyOn(core, 'error').mockImplementation(jest.fn())
-    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
-    jest.spyOn(core, 'info').mockImplementation(jest.fn())
-    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
-
-    // Mock github context
+    // Mock @actions/github context
     jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
       return {
         owner: 'some-owner',
@@ -68,7 +62,7 @@ describe('input-helper tests', () => {
   })
 
   it('sets defaults', () => {
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
     expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
@@ -86,7 +80,7 @@ describe('input-helper tests', () => {
     let originalRef = github.context.ref
     try {
       github.context.ref = 'some-unqualified-ref'
-      const settings: IGitSourceSettings = inputHelper.getInputs()
+      const settings: ISourceSettings = inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@@ -104,7 +98,7 @@ describe('input-helper tests', () => {
 
   it('roots path', () => {
     inputs.path = 'some-directory/some-subdirectory'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings.repositoryPath).toBe(
       path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
     )
@@ -112,22 +106,29 @@ describe('input-helper tests', () => {
 
   it('sets correct default ref/sha for other repo', () => {
     inputs.repository = 'some-owner/some-other-repo'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/master')
     expect(settings.commit).toBeFalsy()
   })
 
   it('sets ref to empty when explicit sha', () => {
     inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBeFalsy()
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
   it('sets sha to empty when explicit ref', () => {
     inputs.ref = 'refs/heads/some-other-ref'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/some-other-ref')
     expect(settings.commit).toBeFalsy()
   })
+
+  it('gives good error message for submodules input', () => {
+    inputs.submodules = 'true'
+    assert.throws(() => {
+      inputHelper.getInputs()
+    }, /The input 'submodules' is not supported/)
+  })
 })

__test__/verify-submodules-false.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-if [ ! -f "./submodules-false/regular-file.txt" ]; then
-    echo "Expected regular file does not exist"
-    exit 1
-fi
-
-if [ -f "./submodules-false/submodule-level-1/submodule-file.txt" ]; then
-    echo "Unexpected submodule file exists"
-    exit 1
-fi

__test__/verify-submodules-not-checked-out.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ ! -f "./submodules-not-checked-out/regular-file.txt" ]; then
+    echo "Expected regular file does not exist"
+    exit 1
+fi
+
+if [ -f "./submodules-not-checked-out/submodule-level-1/submodule-file.txt" ]; then
+    echo "Unexpected submodule file exists"
+    exit 1
+fi

__test__/verify-submodules-recursive.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-if [ ! -f "./submodules-recursive/regular-file.txt" ]; then
-    echo "Expected regular file does not exist"
-    exit 1
-fi
-
-if [ ! -f "./submodules-recursive/submodule-level-1/submodule-file.txt" ]; then
-    echo "Expected submodule file does not exist"
-    exit 1
-fi
-
-if [ ! -f "./submodules-recursive/submodule-level-1/submodule-level-2/nested-submodule-file.txt" ]; then
-    echo "Expected nested submodule file does not exists"
-    exit 1
-fi
-
-echo "Testing persisted credential"
-pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --name-only --get-regexp http.+extraheader && git fetch
-if [ "$?" != "0" ]; then
-    echo "Failed to validate persisted credential"
-    popd
-    exit 1
-fi
-popd

__test__/verify-submodules-true.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-
-if [ ! -f "./submodules-true/regular-file.txt" ]; then
-    echo "Expected regular file does not exist"
-    exit 1
-fi
-
-if [ ! -f "./submodules-true/submodule-level-1/submodule-file.txt" ]; then
-    echo "Expected submodule file does not exist"
-    exit 1
-fi
-
-if [ -f "./submodules-true/submodule-level-1/submodule-level-2/nested-submodule-file.txt" ]; then
-    echo "Unexpected nested submodule file exists"
-    exit 1
-fi
-
-echo "Testing persisted credential"
-pushd ./submodules-true/submodule-level-1
-git config --local --name-only --get-regexp http.+extraheader && git fetch
-if [ "$?" != "0" ]; then
-    echo "Failed to validate persisted credential"
-    popd
-    exit 1
-fi
-popd

action.yml

@@ -1,6 +1,6 @@
 name: 'Checkout'
 description: 'Checkout a Git repository at a particular version'
-inputs:
+inputs: 
   repository:
     description: 'Repository name with owner. For example, actions/checkout'
     default: ${{ github.repository }}
@@ -11,42 +11,13 @@ inputs:
       event.  Otherwise, defaults to `master`.
   token:
     description: >
-      Personal access token (PAT) used to fetch the repository. The PAT is configured
-      with the local git config, which enables your scripts to run authenticated git
-      commands. The post-job step removes the PAT.
-
-
-      We recommend using a service account with the least permissions necessary.
-      Also when generating a new PAT, select the least scopes necessary.
-
-
-      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-    default: ${{ github.token }}
-  ssh-key:
-    description: >
-      SSH key used to fetch the repository. The SSH key is configured with the local
+      Auth token used to fetch the repository. The token is stored in the local
       git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the SSH key.
-
-
-      We recommend using a service account with the least permissions necessary.
-
-
-      [Learn more about creating and using
-      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-  ssh-known-hosts:
-    description: >
-      Known hosts in addition to the user and global host key database. The public
-      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
-      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
-  ssh-strict:
-    description: >
-      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
-      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
-      configure additional hosts.
-    default: true
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    default: ${{ github.token }}
   persist-credentials:
-    description: 'Whether to configure the token or SSH key with the local git config'
+    description: 'Whether to persist the token in the git config'
     default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
@@ -59,15 +30,6 @@ inputs:
   lfs:
     description: 'Whether to download Git-LFS files'
     default: false
-  submodules:
-    description: >
-      Whether to checkout submodules: `true` to checkout submodules or `recursive` to
-      recursively checkout submodules.
-
-
-      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
-      converted to HTTPS.
-    default: false
 runs:
   using: node12
   main: dist/index.js

adrs/0153-checkout-v2.md

@@ -27,42 +27,13 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
       event.  Otherwise, defaults to `master`.
   token:
     description: >
-      Personal access token (PAT) used to fetch the repository. The PAT is configured
-      with the local git config, which enables your scripts to run authenticated git
-      commands. The post-job step removes the PAT.
-
-
-      We recommend using a service account with the least permissions necessary.
-      Also when generating a new PAT, select the least scopes necessary.
-
-
-      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-    default: ${{ github.token }}
-  ssh-key:
-    description: >
-      SSH key used to fetch the repository. The SSH key is configured with the local
+      Auth token used to fetch the repository. The token is stored in the local
       git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the SSH key.
-
-
-      We recommend using a service account with the least permissions necessary.
-
-
-      [Learn more about creating and using
-      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-  ssh-known-hosts:
-    description: >
-      Known hosts in addition to the user and global host key database. The public
-      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
-      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
-  ssh-strict:
-    description: >
-      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
-      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
-      configure additional hosts.
-    default: true
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
+    default: ${{ github.token }}
   persist-credentials:
-    description: 'Whether to configure the token or SSH key with the local git config'
+    description: 'Whether to persist the token in the git config'
     default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
@@ -72,24 +43,21 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
   fetch-depth:
     description: 'Number of commits to fetch. 0 indicates all history.'
     default: 1
+  fetch-refs:
+    description: >
+      Additional refs to fetch: `branches`, `tags`, `pr-base`, or `all`.
+      Combinations are also accepted. For example: `branches, tags`
+    default: ''
   lfs:
     description: 'Whether to download Git-LFS files'
     default: false
-  submodules:
-    description: >
-      Whether to checkout submodules: `true` to checkout submodules or `recursive` to
-      recursively checkout submodules.
-
-
-      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
-      converted to HTTPS.
-    default: false
 ```
 
 Note:
-- SSH support is new
+- `fetch-refs` is new
 - `persist-credentials` is new
 - `path` behavior is different (refer [below](#path) for details)
+- `submodules` was removed (error if specified; add later if needed)
 
 ### Fallback to GitHub API
 
@@ -97,57 +65,23 @@ When a sufficient version of git is not in the PATH, fallback to the [web API](h
 
 Note:
 - LFS files are not included in the archive. Therefore fail if LFS is set to true.
-- Submodules are also not included in the archive.
+- Submodules are also not included in the archive. However submodules are not supported by checkout v2 anyway.
 
 ### Persist credentials
 
-The credentials will be persisted on disk. This will allow users to script authenticated git commands, like `git fetch`.
+Persist the token in the git config (http.extraheader). This will allow users to script authenticated git commands, like `git fetch`.
 
-A post script will remove the credentials (cleanup for self-hosted).
+A post script will remove the credentials from the git config (cleanup for self-hosted).
 
 Users may opt-out by specifying `persist-credentials: false`
 
 Note:
 - Users scripting `git commit` may need to set the username and email. The service does not provide any reasonable default value. Users can add `git config user.name <NAME>` and `git config user.email <EMAIL>`. We will document this guidance.
-
-#### PAT
-
-When using the `${{github.token}}` or a PAT, the token will be persisted in the local git config. The config key `http.https://github.com/.extraheader` enables an auth header to be specified on all authenticated commands `AUTHORIZATION: basic <BASE64_U:P>`.
-
-Note:
-- The auth header is scoped to all of github `http.https://github.com/.extraheader`
+- The auth header (stored in the repo's git config), is scoped to all of github `http.https://github.com/.extraheader`
   - Additional public remotes also just work.
   - If users want to authenticate to an additional private remote, they should provide the `token` input.
-
-#### SSH key
-
-The SSH key will be written to disk under the `$RUNNER_TEMP` directory. The SSH key will
-be removed by the action's post-job hook. Additionally, RUNNER_TEMP is cleared by the
-runner between jobs.
-
-The SSH key must be written with strict file permissions. The SSH client requires the file
-to be read/write for the user, and not accessible by others.
-
-The user host key database (`~/.ssh/known_hosts`) will be copied to a unique file under
-`$RUNNER_TEMP`. And values from the input `ssh-known-hosts` will be added to the file.
-
-The SSH command will be overridden for the local git config:
-
-```sh
-git config core.sshCommand 'ssh -i "$RUNNER_TEMP/path-to-ssh-key" -o StrictHostKeyChecking=yes -o CheckHostIP=no -o "UserKnownHostsFile=$RUNNER_TEMP/path-to-known-hosts"'
-```
-
-When the input `ssh-strict` is set to `false`, the options `CheckHostIP` and `StrictHostKeyChecking` will not be overridden.
-
-Note:
-- When `ssh-strict` is set to `true` (default), the SSH option `CheckHostIP` can safely be disabled.
-  Strict host checking verifies the server's public key. Therefore, IP verification is unnecessary
-  and noisy. For example:
-  > Warning: Permanently added the RSA host key for IP address '140.82.113.4' to the list of known hosts.
-- Since GIT_SSH_COMMAND overrides core.sshCommand, temporarily set the env var when fetching the repo. When creds
-  are persisted, core.sshCommand is leveraged to avoid multiple checkout steps stomping over each other.
-- Modify actions/runner to mount RUNNER_TEMP to enable scripting authenticated git commands from a container action.
-- Refer [here](https://linux.die.net/man/5/ssh_config) for SSH config details.
+  - Lines up if we add submodule support in the future. Don't need to worry about calculating relative URLs. Just works, although needs to be persisted in each submodule git config.
+  - Users opt out of persisted credentials (`persist-credentials: false`), or can script the removal themselves (`git config --unset-all http.https://github.com/.extraheader`).
 
 ### Fetch behavior
 
@@ -157,6 +91,8 @@ If a SHA isn't available (e.g. multi repo), then fetch only the specified ref wi
 
 The input `fetch-depth` can be used to control the depth.
 
+The input `fetch-refs` can be used to fetch additional refs.
+
 Note:
 - Fetching a single commit is supported by Git wire protocol version 2. The git client uses protocol version 0 by default. The desired protocol version can be overridden in the git config or on the fetch command line invocation (`-c protocol.version=2`). We will override on the fetch command line, for transparency.
 - Git client version 2.18+ (released June 2018) is required for wire protocol version 2.
@@ -251,17 +187,6 @@ A better solution is:
 
 Given a source file path, walk up the directories until the first `.git/config` is found. Check if it matches the self repo (`url = https://github.com/OWNER/REPO`). If not, drop the source file path.
 
-### Submodules
-
-With both PAT and SSH key support, we should be able to provide frictionless support for
-submodules scenarios: recursive, non-recursive, relative submodule paths.
-
-When fetching submodules, follow the `fetch-depth` settings.
-
-Also when fetching submodules, if the `ssh-key` input is not provided then convert SSH URLs to HTTPS: `-c url."https://github.com/".insteadOf "git@github.com:"`
-
-Credentials will be persisted in the submodules local git config too.
-
 ### Port to typescript
 
 The checkout action should be a typescript action on the GitHub graph, for the following reasons:

package.json

@@ -4,11 +4,14 @@
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
-    "build": "tsc && ncc build && node lib/misc/generate-docs.js",
+    "build": "tsc",
     "format": "prettier --write **/*.ts",
     "format-check": "prettier --check **/*.ts",
     "lint": "eslint src/**/*.ts",
-    "test": "jest"
+    "pack": "ncc build",
+    "gendocs": "node lib/misc/generate-docs.js",
+    "test": "jest",
+    "all": "npm run build && npm run format && npm run lint && npm run pack && npm run gendocs && npm test"
   },
   "repository": {
     "type": "git",

src/git-command-manager.ts

@@ -3,7 +3,6 @@ import * as exec from '@actions/exec'
 import * as fshelper from './fs-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as regexpHelper from './regexp-helper'
 import * as retryHelper from './retry-helper'
 import {GitVersion} from './git-version'
 
@@ -17,12 +16,8 @@ export interface IGitCommandManager {
   branchList(remote: boolean): Promise<string[]>
   checkout(ref: string, startPoint: string): Promise<void>
   checkoutDetach(): Promise<void>
-  config(
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean
-  ): Promise<void>
-  configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
+  config(configKey: string, configValue: string): Promise<void>
+  configExists(configKey: string): Promise<boolean>
   fetch(fetchDepth: number, refSpec: string[]): Promise<void>
   getWorkingDirectory(): string
   init(): Promise<void>
@@ -31,20 +26,15 @@ export interface IGitCommandManager {
   lfsInstall(): Promise<void>
   log1(): Promise<void>
   remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
-  removeEnvironmentVariable(name: string): void
-  setEnvironmentVariable(name: string, value: string): void
-  submoduleForeach(command: string, recursive: boolean): Promise<string>
-  submoduleSync(recursive: boolean): Promise<void>
-  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
   tagExists(pattern: string): Promise<boolean>
   tryClean(): Promise<boolean>
-  tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
+  tryConfigUnset(configKey: string): Promise<boolean>
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
   tryReset(): Promise<boolean>
 }
 
-export async function createCommandManager(
+export async function CreateCommandManager(
   workingDirectory: string,
   lfs: boolean
 ): Promise<IGitCommandManager> {
@@ -133,32 +123,16 @@ class GitCommandManager {
     await this.execGit(args)
   }
 
-  async config(
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean
-  ): Promise<void> {
-    await this.execGit([
-      'config',
-      globalConfig ? '--global' : '--local',
-      configKey,
-      configValue
-    ])
+  async config(configKey: string, configValue: string): Promise<void> {
+    await this.execGit(['config', '--local', configKey, configValue])
   }
 
-  async configExists(
-    configKey: string,
-    globalConfig?: boolean
-  ): Promise<boolean> {
-    const pattern = regexpHelper.escape(configKey)
+  async configExists(configKey: string): Promise<boolean> {
+    const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
+      return `\\${x}`
+    })
     const output = await this.execGit(
-      [
-        'config',
-        globalConfig ? '--global' : '--local',
-        '--name-only',
-        '--get-regexp',
-        pattern
-      ],
+      ['config', '--local', '--name-only', '--get-regexp', pattern],
       true
     )
     return output.exitCode === 0
@@ -233,48 +207,6 @@ class GitCommandManager {
     await this.execGit(['remote', 'add', remoteName, remoteUrl])
   }
 
-  removeEnvironmentVariable(name: string): void {
-    delete this.gitEnv[name]
-  }
-
-  setEnvironmentVariable(name: string, value: string): void {
-    this.gitEnv[name] = value
-  }
-
-  async submoduleForeach(command: string, recursive: boolean): Promise<string> {
-    const args = ['submodule', 'foreach']
-    if (recursive) {
-      args.push('--recursive')
-    }
-    args.push(command)
-
-    const output = await this.execGit(args)
-    return output.stdout
-  }
-
-  async submoduleSync(recursive: boolean): Promise<void> {
-    const args = ['submodule', 'sync']
-    if (recursive) {
-      args.push('--recursive')
-    }
-
-    await this.execGit(args)
-  }
-
-  async submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void> {
-    const args = ['-c', 'protocol.version=2']
-    args.push('submodule', 'update', '--init', '--force')
-    if (fetchDepth > 0) {
-      args.push(`--depth=${fetchDepth}`)
-    }
-
-    if (recursive) {
-      args.push('--recursive')
-    }
-
-    await this.execGit(args)
-  }
-
   async tagExists(pattern: string): Promise<boolean> {
     const output = await this.execGit(['tag', '--list', pattern])
     return !!output.stdout.trim()
@@ -285,17 +217,9 @@ class GitCommandManager {
     return output.exitCode === 0
   }
 
-  async tryConfigUnset(
-    configKey: string,
-    globalConfig?: boolean
-  ): Promise<boolean> {
+  async tryConfigUnset(configKey: string): Promise<boolean> {
     const output = await this.execGit(
-      [
-        'config',
-        globalConfig ? '--global' : '--local',
-        '--unset-all',
-        configKey
-      ],
+      ['config', '--local', '--unset-all', configKey],
       true
     )
     return output.exitCode === 0

src/git-directory-helper.ts

@@ -1,101 +0,0 @@
-import * as assert from 'assert'
-import * as core from '@actions/core'
-import * as fs from 'fs'
-import * as fsHelper from './fs-helper'
-import * as io from '@actions/io'
-import * as path from 'path'
-import {IGitCommandManager} from './git-command-manager'
-import {IGitSourceSettings} from './git-source-settings'
-
-export async function prepareExistingDirectory(
-  git: IGitCommandManager | undefined,
-  repositoryPath: string,
-  repositoryUrl: string,
-  clean: boolean
-): Promise<void> {
-  assert.ok(repositoryPath, 'Expected repositoryPath to be defined')
-  assert.ok(repositoryUrl, 'Expected repositoryUrl to be defined')
-
-  // Indicates whether to delete the directory contents
-  let remove = false
-
-  // Check whether using git or REST API
-  if (!git) {
-    remove = true
-  }
-  // Fetch URL does not match
-  else if (
-    !fsHelper.directoryExistsSync(path.join(repositoryPath, '.git')) ||
-    repositoryUrl !== (await git.tryGetFetchUrl())
-  ) {
-    remove = true
-  } else {
-    // Delete any index.lock and shallow.lock left by a previously canceled run or crashed git process
-    const lockPaths = [
-      path.join(repositoryPath, '.git', 'index.lock'),
-      path.join(repositoryPath, '.git', 'shallow.lock')
-    ]
-    for (const lockPath of lockPaths) {
-      try {
-        await io.rmRF(lockPath)
-      } catch (error) {
-        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
-      }
-    }
-
-    try {
-      core.startGroup('Removing previously created refs, to avoid conflicts')
-      // Checkout detached HEAD
-      if (!(await git.isDetached())) {
-        await git.checkoutDetach()
-      }
-
-      // Remove all refs/heads/*
-      let branches = await git.branchList(false)
-      for (const branch of branches) {
-        await git.branchDelete(false, branch)
-      }
-
-      // Remove all refs/remotes/origin/* to avoid conflicts
-      branches = await git.branchList(true)
-      for (const branch of branches) {
-        await git.branchDelete(true, branch)
-      }
-      core.endGroup()
-
-      // Clean
-      if (clean) {
-        core.startGroup('Cleaning the repository')
-        if (!(await git.tryClean())) {
-          core.debug(
-            `The clean command failed. This might be caused by: 1) path too long, 2) permission issue, or 3) file in use. For futher investigation, manually run 'git clean -ffdx' on the directory '${repositoryPath}'.`
-          )
-          remove = true
-        } else if (!(await git.tryReset())) {
-          remove = true
-        }
-        core.endGroup()
-
-        if (remove) {
-          core.warning(
-            `Unable to clean or reset the repository. The repository will be recreated instead.`
-          )
-        }
-      }
-    } catch (error) {
-      core.warning(
-        `Unable to prepare the existing repository. The repository will be recreated instead.`
-      )
-      remove = true
-    }
-  }
-
-  if (remove) {
-    // Delete the contents of the directory. Don't delete the directory itself
-    // since it might be the current working directory.
-    core.info(`Deleting the contents of '${repositoryPath}'`)
-    for (const file of await fs.promises.readdir(repositoryPath)) {
-      await io.rmRF(path.join(repositoryPath, file))
-    }
-  }
-}

src/git-source-settings.ts

@@ -1,76 +0,0 @@
-export interface IGitSourceSettings {
-  /**
-   * The location on disk where the repository will be placed
-   */
-  repositoryPath: string
-
-  /**
-   * The repository owner
-   */
-  repositoryOwner: string
-
-  /**
-   * The repository name
-   */
-  repositoryName: string
-
-  /**
-   * The ref to fetch
-   */
-  ref: string
-
-  /**
-   * The commit to checkout
-   */
-  commit: string
-
-  /**
-   * Indicates whether to clean the repository
-   */
-  clean: boolean
-
-  /**
-   * The depth when fetching
-   */
-  fetchDepth: number
-
-  /**
-   * Indicates whether to fetch LFS objects
-   */
-  lfs: boolean
-
-  /**
-   * Indicates whether to checkout submodules
-   */
-  submodules: boolean
-
-  /**
-   * Indicates whether to recursively checkout submodules
-   */
-  nestedSubmodules: boolean
-
-  /**
-   * The auth token to use when fetching the repository
-   */
-  authToken: string
-
-  /**
-   * The SSH key to configure
-   */
-  sshKey: string
-
-  /**
-   * Additional SSH known hosts
-   */
-  sshKnownHosts: string
-
-  /**
-   * Indicates whether the server must be a known host
-   */
-  sshStrict: boolean
-
-  /**
-   * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
-   */
-  persistCredentials: boolean
-}

src/github-api-helper.ts

@@ -6,7 +6,6 @@ import * as io from '@actions/io'
 import * as path from 'path'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
-import * as urlHelper from './url-helper'
 import {default as uuid} from 'uuid/v4'
 import {ReposGetArchiveLinkParams} from '@octokit/rest'
 
@@ -75,7 +74,7 @@ async function downloadArchive(
   ref: string,
   commit: string
 ): Promise<Buffer> {
-  const octokit = new github.GitHub(authToken, {baseUrl: urlHelper.getApiUrl()})
+  const octokit = new github.GitHub(authToken)
   const params: ReposGetArchiveLinkParams = {
     owner: owner,
     repo: repo,

src/input-helper.ts

@@ -2,10 +2,10 @@ import * as core from '@actions/core'
 import * as fsHelper from './fs-helper'
 import * as github from '@actions/github'
 import * as path from 'path'
-import {IGitSourceSettings} from './git-source-settings'
+import {ISourceSettings} from './git-source-provider'
 
-export function getInputs(): IGitSourceSettings {
-  const result = ({} as unknown) as IGitSourceSettings
+export function getInputs(): ISourceSettings {
+  const result = ({} as unknown) as ISourceSettings
 
   // GitHub workspace
   let githubWorkspacePath = process.env['GITHUB_WORKSPACE']
@@ -85,6 +85,13 @@ export function getInputs(): IGitSourceSettings {
   result.clean = (core.getInput('clean') || 'true').toUpperCase() === 'TRUE'
   core.debug(`clean = ${result.clean}`)
 
+  // Submodules
+  if (core.getInput('submodules')) {
+    throw new Error(
+      "The input 'submodules' is not supported in actions/checkout@v2"
+    )
+  }
+
   // Fetch depth
   result.fetchDepth = Math.floor(Number(core.getInput('fetch-depth') || '1'))
   if (isNaN(result.fetchDepth) || result.fetchDepth < 0) {
@@ -96,28 +103,9 @@ export function getInputs(): IGitSourceSettings {
   result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
   core.debug(`lfs = ${result.lfs}`)
 
-  // Submodules
-  result.submodules = false
-  result.nestedSubmodules = false
-  const submodulesString = (core.getInput('submodules') || '').toUpperCase()
-  if (submodulesString == 'RECURSIVE') {
-    result.submodules = true
-    result.nestedSubmodules = true
-  } else if (submodulesString == 'TRUE') {
-    result.submodules = true
-  }
-  core.debug(`submodules = ${result.submodules}`)
-  core.debug(`recursive submodules = ${result.nestedSubmodules}`)
-
   // Auth token
   result.authToken = core.getInput('token')
 
-  // SSH
-  result.sshKey = core.getInput('ssh-key')
-  result.sshKnownHosts = core.getInput('ssh-known-hosts')
-  result.sshStrict =
-    (core.getInput('ssh-strict') || 'true').toUpperCase() === 'TRUE'
-
   // Persist credentials
   result.persistCredentials =
     (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'

src/misc/generate-docs.ts

@@ -59,17 +59,13 @@ function updateUsage(
 
     // Constrain the width of the description
     const width = 80
-    let description = (input.description as string)
-      .trimRight()
-      .replace(/\r\n/g, '\n') // Convert CR to LF
-      .replace(/ +/g, ' ') //    Squash consecutive spaces
-      .replace(/ \n/g, '\n') //  Squash space followed by newline
+    let description = input.description as string
     while (description) {
       // Longer than width? Find a space to break apart
       let segment: string = description
       if (description.length > width) {
         segment = description.substr(0, width + 1)
-        while (!segment.endsWith(' ') && !segment.endsWith('\n') && segment) {
+        while (!segment.endsWith(' ') && segment) {
           segment = segment.substr(0, segment.length - 1)
         }
 
@@ -81,30 +77,15 @@ function updateUsage(
         segment = description
       }
 
-      // Check for newline
-      const newlineIndex = segment.indexOf('\n')
-      if (newlineIndex >= 0) {
-        segment = segment.substr(0, newlineIndex + 1)
-      }
-
-      // Append segment
-      newReadme.push(`    # ${segment}`.trimRight())
-
-      // Remaining
-      description = description.substr(segment.length)
+      description = description.substr(segment.length) // Remaining
+      segment = segment.trimRight() // Trim the trailing space
+      newReadme.push(`    # ${segment}`)
     }
 
+    // Input and default
     if (input.default !== undefined) {
-      // Append blank line if description had paragraphs
-      if ((input.description as string).trimRight().match(/\n[ ]*\r?\n/)) {
-        newReadme.push(`    #`)
-      }
-
-      // Default
       newReadme.push(`    # Default: ${input.default}`)
     }
-
-    // Input name
     newReadme.push(`    ${key}: ''`)
 
     firstInput = false

src/regexp-helper.ts

@@ -1,5 +0,0 @@
-export function escape(value: string): string {
-  return value.replace(/[^a-zA-Z0-9_]/g, x => {
-    return `\\${x}`
-  })
-}

src/state-helper.ts

@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import * as coreCommand from '@actions/core/lib/command'
 
 /**
@@ -11,17 +12,6 @@ export const IsPost = !!process.env['STATE_isPost']
 export const RepositoryPath =
   (process.env['STATE_repositoryPath'] as string) || ''
 
-/**
- * The SSH key path for the POST action. The value is empty during the MAIN action.
- */
-export const SshKeyPath = (process.env['STATE_sshKeyPath'] as string) || ''
-
-/**
- * The SSH known hosts path for the POST action. The value is empty during the MAIN action.
- */
-export const SshKnownHostsPath =
-  (process.env['STATE_sshKnownHostsPath'] as string) || ''
-
 /**
  * Save the repository path so the POST action can retrieve the value.
  */
@@ -33,24 +23,6 @@ export function setRepositoryPath(repositoryPath: string) {
   )
 }
 
-/**
- * Save the SSH key path so the POST action can retrieve the value.
- */
-export function setSshKeyPath(sshKeyPath: string) {
-  coreCommand.issueCommand('save-state', {name: 'sshKeyPath'}, sshKeyPath)
-}
-
-/**
- * Save the SSH known hosts path so the POST action can retrieve the value.
- */
-export function setSshKnownHostsPath(sshKnownHostsPath: string) {
-  coreCommand.issueCommand(
-    'save-state',
-    {name: 'sshKnownHostsPath'},
-    sshKnownHostsPath
-  )
-}
-
 // Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
 // This is necessary since we don't have a separate entry point.
 if (!IsPost) {

src/url-helper.ts

@@ -1,28 +0,0 @@
-import * as assert from 'assert'
-import {IGitSourceSettings} from './git-source-settings'
-import {URL} from 'url'
-
-export function getApiUrl(): string {
-  return process.env['GITHUB_API_URL'] || 'https://api.github.com'
-}
-
-export function getFetchUrl(settings: IGitSourceSettings): string {
-  assert.ok(
-    settings.repositoryOwner,
-    'settings.repositoryOwner must be defined'
-  )
-  assert.ok(settings.repositoryName, 'settings.repositoryName must be defined')
-  const serviceUrl = getServerUrl()
-  const encodedOwner = encodeURIComponent(settings.repositoryOwner)
-  const encodedName = encodeURIComponent(settings.repositoryName)
-  if (settings.sshKey) {
-    return `git@${serviceUrl.hostname}:${encodedOwner}/${encodedName}.git`
-  }
-
-  // "origin" is SCHEME://HOSTNAME[:PORT]
-  return `${serviceUrl.origin}/${encodedOwner}/${encodedName}`
-}
-
-export function getServerUrl(): URL {
-  return new URL(process.env['GITHUB_URL'] || 'https://github.com')
-}