Merge 230611dbd0 into 61b9e3751b

.eslintrc.json

@@ -1,6 +1,6 @@
 {
   "plugins": ["jest", "@typescript-eslint"],
-  "extends": ["plugin:github/es6"],
+  "extends": ["plugin:github/recommended"],
   "parser": "@typescript-eslint/parser",
   "parserOptions": {
     "ecmaVersion": 9,
@@ -16,23 +16,19 @@
     "@typescript-eslint/no-require-imports": "error",
     "@typescript-eslint/array-type": "error",
     "@typescript-eslint/await-thenable": "error",
-    "@typescript-eslint/ban-ts-ignore": "error",
     "camelcase": "off",
-    "@typescript-eslint/camelcase": "error",
-    "@typescript-eslint/class-name-casing": "error",
     "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
     "@typescript-eslint/func-call-spacing": ["error", "never"],
-    "@typescript-eslint/generic-type-naming": ["error", "^[A-Z][A-Za-z]*$"],
     "@typescript-eslint/no-array-constructor": "error",
     "@typescript-eslint/no-empty-interface": "error",
     "@typescript-eslint/no-explicit-any": "error",
     "@typescript-eslint/no-extraneous-class": "error",
+    "@typescript-eslint/no-floating-promises": "error",
     "@typescript-eslint/no-for-in-array": "error",
     "@typescript-eslint/no-inferrable-types": "error",
     "@typescript-eslint/no-misused-new": "error",
     "@typescript-eslint/no-namespace": "error",
     "@typescript-eslint/no-non-null-assertion": "warn",
-    "@typescript-eslint/no-object-literal-type-assertion": "error",
     "@typescript-eslint/no-unnecessary-qualifier": "error",
     "@typescript-eslint/no-unnecessary-type-assertion": "error",
     "@typescript-eslint/no-useless-constructor": "error",
@@ -40,7 +36,6 @@
     "@typescript-eslint/prefer-for-of": "warn",
     "@typescript-eslint/prefer-function-type": "warn",
     "@typescript-eslint/prefer-includes": "error",
-    "@typescript-eslint/prefer-interface": "error",
     "@typescript-eslint/prefer-string-starts-ends-with": "error",
     "@typescript-eslint/promise-function-async": "error",
     "@typescript-eslint/require-array-sort-compare": "error",

.gitattributes

@@ -0,0 +1 @@
+.licenses/** -diff linguist-generated=true

.github/workflows/check-dist.yml

@@ -0,0 +1,51 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process
+# from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist
+
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set Node.js 12.x
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12.x
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Rebuild the index.js file
+        run: npm run build
+
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build.  See status below:"
+            git diff
+            exit 1
+          fi
+
+      # If dist/ was different than expected, upload the expected version as an artifact
+      - uses: actions/upload-artifact@v2
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        with:
+          name: dist
+          path: dist/

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,58 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '28 9 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - run: npm ci
+    - run: npm run build
+    - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/licensed.yml

@@ -0,0 +1,14 @@
+name: Licensed
+
+on:
+  push: {branches: main}
+  pull_request: {branches: main}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Check licenses
+    steps:
+      - uses: actions/checkout@v2
+      - run: npm ci
+      - run: npm run licensed-check

.github/workflows/test.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
   push:
     branches:
-      - master
+      - main
       - releases/*
 
 jobs:

.gitignore

@@ -1,3 +1,4 @@
 __test__/_temp
+_temp/
 lib/
 node_modules/

.licensed.yml

@@ -0,0 +1,14 @@
+sources:
+  npm: true
+
+allowed:
+  - apache-2.0
+  - bsd-2-clause
+  - bsd-3-clause
+  - isc
+  - mit
+  - cc0-1.0
+  - unlicense
+
+reviewed:
+  npm:

CODEOWNERS

@@ -0,0 +1 @@
+* @actions/actions-runtime

README.md

@@ -118,6 +118,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 - [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
 - [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
 - [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Push a commit using the built-in token](#Push-a-commit-using-the-built-in-token)
 
 ## Fetch all history for all tags and branches
 
@@ -184,7 +185,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
   uses: actions/checkout@v2
   with:
     repository: my-org/my-private-tools
-    token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
+    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
     path: my-tools
 ```
 
@@ -204,7 +205,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```yaml
 on:
   pull_request:
-    branches: [master]
+    branches: [main]
     types: [opened, synchronize, closed]
 jobs:
   build:
@@ -213,6 +214,24 @@ jobs:
       - uses: actions/checkout@v2
 ```
 
+## Push a commit using the built-in token
+
+```yaml
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          date > generated.txt
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git add .
+          git commit -m "generated"
+          git push
+```
+
 # License
 
 The scripts and documentation in this project are released under the [MIT License](LICENSE)

__test__/git-auth-helper.test.ts

@@ -417,7 +417,7 @@ describe('git-auth-helper tests', () => {
           `Did not expect file to exist: '${globalGitConfigPath}'`
         )
       } catch (err) {
-        if (err.code !== 'ENOENT') {
+        if ((err as any)?.code !== 'ENOENT') {
           throw err
         }
       }
@@ -518,12 +518,17 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/url.*insteadOf/)
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
+        /url.*insteadOf.*git@github.com:/
+      )
+      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
+        /url.*insteadOf.*org-123456@github.com:/
+      )
     }
   )
 
@@ -601,7 +606,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKeyPath)
       throw new Error('SSH key should have been deleted')
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -611,7 +616,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(actualKnownHostsPath)
       throw new Error('SSH known hosts should have been deleted')
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -658,7 +663,7 @@ describe('git-auth-helper tests', () => {
       await fs.promises.stat(homeOverride)
       throw new Error(`Should have been deleted '${homeOverride}'`)
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -764,13 +769,14 @@ async function setup(testName: string): Promise<void> {
     submodules: false,
     nestedSubmodules: false,
     persistCredentials: true,
-    ref: 'refs/heads/master',
+    ref: 'refs/heads/main',
     repositoryName: 'my-repo',
     repositoryOwner: 'my-org',
     repositoryPath: '',
     sshKey: sshPath ? 'some ssh private key' : '',
     sshKnownHosts: '',
-    sshStrict: true
+    sshStrict: true,
+    workflowOrganizationId: 123456
   }
 }
 

__test__/input-helper.test.ts

@@ -1,9 +1,9 @@
-import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fsHelper from '../lib/fs-helper'
 import * as github from '@actions/github'
 import * as inputHelper from '../lib/input-helper'
 import * as path from 'path'
+import * as workflowContextHelper from '../lib/workflow-context-helper'
 import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
@@ -43,6 +43,11 @@ describe('input-helper tests', () => {
       .spyOn(fsHelper, 'directoryExistsSync')
       .mockImplementation((path: string) => path == gitHubWorkspace)
 
+    // Mock ./workflowContextHelper getOrganizationId()
+    jest
+      .spyOn(workflowContextHelper, 'getOrganizationId')
+      .mockImplementation(() => Promise.resolve(123456))
+
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -67,8 +72,8 @@ describe('input-helper tests', () => {
     jest.restoreAllMocks()
   })
 
-  it('sets defaults', () => {
+  it('sets defaults', async () => {
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings).toBeTruthy()
     expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
@@ -82,11 +87,11 @@ describe('input-helper tests', () => {
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
   })
 
-  it('qualifies ref', () => {
+  it('qualifies ref', async () => {
     let originalRef = github.context.ref
     try {
       github.context.ref = 'some-unqualified-ref'
-      const settings: IGitSourceSettings = inputHelper.getInputs()
+      const settings: IGitSourceSettings = await inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
@@ -95,32 +100,42 @@ describe('input-helper tests', () => {
     }
   })
 
-  it('requires qualified repo', () => {
+  it('requires qualified repo', async () => {
     inputs.repository = 'some-unqualified-repo'
-    assert.throws(() => {
+    try {
-      inputHelper.getInputs()
+      await inputHelper.getInputs()
-    }, /Invalid repository 'some-unqualified-repo'/)
+      throw 'should not reach here'
+    } catch (err) {
+      expect(`(${(err as any).message}`).toMatch(
+        "Invalid repository 'some-unqualified-repo'"
+      )
+    }
   })
 
-  it('roots path', () => {
+  it('roots path', async () => {
     inputs.path = 'some-directory/some-subdirectory'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.repositoryPath).toBe(
       path.join(gitHubWorkspace, 'some-directory', 'some-subdirectory')
     )
   })
 
-  it('sets ref to empty when explicit sha', () => {
+  it('sets ref to empty when explicit sha', async () => {
     inputs.ref = '1111111111222222222233333333334444444444'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.ref).toBeFalsy()
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
-  it('sets sha to empty when explicit ref', () => {
+  it('sets sha to empty when explicit ref', async () => {
     inputs.ref = 'refs/heads/some-other-ref'
-    const settings: IGitSourceSettings = inputHelper.getInputs()
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
     expect(settings.ref).toBe('refs/heads/some-other-ref')
     expect(settings.commit).toBeFalsy()
   })
+
+  it('sets workflow organization ID', async () => {
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.workflowOrganizationId).toBe(123456)
+  })
 })

__test__/override-git-version.cmd

@@ -2,5 +2,5 @@
 mkdir override-git-version
 cd override-git-version
 echo @echo override git version 1.2.3 > git.cmd
-echo ::add-path::%CD%
+echo "%CD%" >> $GITHUB_PATH
 cd ..

__test__/override-git-version.sh

@@ -5,5 +5,5 @@ cd override-git-version
 echo "#!/bin/sh" > git
 echo "echo override git version 1.2.3" >> git
 chmod +x git
-echo "::add-path::$(pwd)"
+echo "$(pwd)" >> $GITHUB_PATH
 cd ..

__test__/ref-helper.test.ts

@@ -16,7 +16,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'refs/heads/my/branch', commit)
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe('Arg git cannot be empty')
+      expect((err as any)?.message).toBe('Arg git cannot be empty')
     }
   })
 
@@ -25,7 +25,9 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, '', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe('Args ref and commit cannot both be empty')
+      expect((err as any)?.message).toBe(
+        'Args ref and commit cannot both be empty'
+      )
     }
   })
 
@@ -102,7 +104,7 @@ describe('ref-helper tests', () => {
       await refHelper.getCheckoutInfo(git, 'my-ref', '')
       throw new Error('Should not reach here')
     } catch (err) {
-      expect(err.message).toBe(
+      expect((err as any)?.message).toBe(
         "A branch or tag with the name 'my-ref' could not be found"
       )
     }

__test__/retry-helper.test.ts

@@ -74,7 +74,7 @@ describe('retry-helper tests', () => {
         throw new Error(`some error ${++attempts}`)
       })
     } catch (err) {
-      error = err
+      error = err as Error
     }
     expect(error.message).toBe('some error 3')
     expect(attempts).toBe(3)

__test__/verify-basic.sh

@@ -20,5 +20,5 @@ else
 
   # Verify auth token
   cd basic
-  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+  git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 fi

adrs/0153-checkout-v2.md

@@ -24,7 +24,7 @@ We want to take this opportunity to make behavioral changes, from v1. This docum
     description: >
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, defaults to `master`.
+      event.  Otherwise, uses the default branch.
   token:
     description: >
       Personal access token (PAT) used to fetch the repository. The PAT is configured
@@ -277,7 +277,7 @@ Note:
 ### Branching strategy and release tags
 
 - Create a servicing branch for V1: `releases/v1`
-- Merge the changes into `master`
+- Merge the changes into the default branch
 - Release using a new tag `preview`
 - When stable, release using a new tag `v2`
 

package.json

@@ -8,7 +8,9 @@
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
     "lint": "eslint src/**/*.ts",
-    "test": "jest"
+    "test": "jest",
+    "licensed-check": "src/misc/licensed-check.sh",
+    "licensed-generate": "src/misc/licensed-generate.sh"
   },
   "repository": {
     "type": "git",
@@ -26,7 +28,7 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.1.3",
+    "@actions/core": "^1.2.6",
     "@actions/exec": "^1.0.1",
     "@actions/github": "^2.2.0",
     "@actions/io": "^1.0.1",
@@ -34,19 +36,19 @@
     "uuid": "^3.3.3"
   },
   "devDependencies": {
-    "@types/jest": "^24.0.23",
+    "@types/jest": "^27.0.2",
     "@types/node": "^12.7.12",
     "@types/uuid": "^3.4.6",
-    "@typescript-eslint/parser": "^2.8.0",
+    "@typescript-eslint/parser": "^5.1.0",
     "@zeit/ncc": "^0.20.5",
-    "eslint": "^5.16.0",
+    "eslint": "^7.32.0",
-    "eslint-plugin-github": "^2.0.0",
+    "eslint-plugin-github": "^4.3.2",
-    "eslint-plugin-jest": "^22.21.0",
+    "eslint-plugin-jest": "^25.2.2",
-    "jest": "^24.9.0",
+    "jest": "^27.3.0",
-    "jest-circus": "^24.9.0",
+    "jest-circus": "^27.3.0",
     "js-yaml": "^3.13.1",
     "prettier": "^1.19.1",
-    "ts-jest": "^24.2.0",
+    "ts-jest": "^27.0.7",
-    "typescript": "^3.6.4"
+    "typescript": "^4.4.4"
   }
 }

src/fs-helper.ts

@@ -9,7 +9,7 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       if (!required) {
         return false
       }
@@ -18,7 +18,8 @@ export function directoryExistsSync(path: string, required?: boolean): boolean {
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 
@@ -39,12 +40,13 @@ export function existsSync(path: string): boolean {
   try {
     fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 
@@ -60,12 +62,13 @@ export function fileExistsSync(path: string): boolean {
   try {
     stats = fs.statSync(path)
   } catch (error) {
-    if (error.code === 'ENOENT') {
+    if ((error as any)?.code === 'ENOENT') {
       return false
     }
 
     throw new Error(
-      `Encountered an error when checking whether path '${path}' exists: ${error.message}`
+      `Encountered an error when checking whether path '${path}' exists: ${(error as any)
+        ?.message ?? error}`
     )
   }
 

src/git-auth-helper.ts

@@ -37,7 +37,7 @@ class GitAuthHelper {
   private readonly tokenConfigValue: string
   private readonly tokenPlaceholderConfigValue: string
   private readonly insteadOfKey: string
-  private readonly insteadOfValue: string
+  private readonly insteadOfValues: string[] = []
   private sshCommand = ''
   private sshKeyPath = ''
   private sshKnownHostsPath = ''
@@ -45,7 +45,7 @@ class GitAuthHelper {
 
   constructor(
     gitCommandManager: IGitCommandManager,
-    gitSourceSettings?: IGitSourceSettings
+    gitSourceSettings: IGitSourceSettings | undefined
   ) {
     this.git = gitCommandManager
     this.settings = gitSourceSettings || (({} as unknown) as IGitSourceSettings)
@@ -63,7 +63,12 @@ class GitAuthHelper {
 
     // Instead of SSH URL
     this.insteadOfKey = `url.${serverUrl.origin}/.insteadOf` // "origin" is SCHEME://HOSTNAME[:PORT]
-    this.insteadOfValue = `git@${serverUrl.hostname}:`
+    this.insteadOfValues.push(`git@${serverUrl.hostname}:`)
+    if (this.settings.workflowOrganizationId) {
+      this.insteadOfValues.push(
+        `org-${this.settings.workflowOrganizationId}@github.com:`
+      )
+    }
   }
 
   async configureAuth(): Promise<void> {
@@ -94,7 +99,7 @@ class GitAuthHelper {
       await fs.promises.stat(gitConfigPath)
       configExists = true
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -118,7 +123,9 @@ class GitAuthHelper {
       // Configure HTTPS instead of SSH
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
-        await this.git.config(this.insteadOfKey, this.insteadOfValue, true)
+        for (const insteadOfValue of this.insteadOfValues) {
+          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
+        }
       }
     } catch (err) {
       // Unset in case somehow written to the real global config
@@ -148,7 +155,7 @@ class GitAuthHelper {
         output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
       for (const configPath of configPaths) {
         core.debug(`Replacing token placeholder in '${configPath}'`)
-        this.replaceTokenPlaceholder(configPath)
+        await this.replaceTokenPlaceholder(configPath)
       }
 
       if (this.settings.sshKey) {
@@ -159,10 +166,12 @@ class GitAuthHelper {
         )
       } else {
         // Configure HTTPS instead of SSH
-        await this.git.submoduleForeach(
+        for (const insteadOfValue of this.insteadOfValues) {
-          `git config --local '${this.insteadOfKey}' '${this.insteadOfValue}'`,
+          await this.git.submoduleForeach(
-          this.settings.nestedSubmodules
+            `git config --local --add '${this.insteadOfKey}' '${insteadOfValue}'`,
-        )
+            this.settings.nestedSubmodules
+          )
+        }
       }
     }
   }
@@ -213,7 +222,7 @@ class GitAuthHelper {
         await fs.promises.readFile(userKnownHostsPath)
       ).toString()
     } catch (err) {
-      if (err.code !== 'ENOENT') {
+      if ((err as any)?.code !== 'ENOENT') {
         throw err
       }
     }
@@ -302,7 +311,7 @@ class GitAuthHelper {
       try {
         await io.rmRF(keyPath)
       } catch (err) {
-        core.debug(err.message)
+        core.debug(`${(err as any)?.message ?? err}`)
         core.warning(`Failed to remove SSH key '${keyPath}'`)
       }
     }

src/git-command-manager.ts

@@ -21,7 +21,8 @@ export interface IGitCommandManager {
   config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean
+    globalConfig?: boolean,
+    add?: boolean
   ): Promise<void>
   configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
   fetch(refSpec: string[], fetchDepth?: number): Promise<void>
@@ -31,7 +32,7 @@ export interface IGitCommandManager {
   isDetached(): Promise<boolean>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
-  log1(): Promise<string>
+  log1(format?: string): Promise<string>
   remoteAdd(remoteName: string, remoteUrl: string): Promise<void>
   removeEnvironmentVariable(name: string): void
   revParse(ref: string): Promise<string>
@@ -140,14 +141,15 @@ class GitCommandManager {
   async config(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean
+    globalConfig?: boolean,
+    add?: boolean
   ): Promise<void> {
-    await this.execGit([
+    const args: string[] = ['config', globalConfig ? '--global' : '--local']
-      'config',
+    if (add) {
-      globalConfig ? '--global' : '--local',
+      args.push('--add')
-      configKey,
+    }
-      configValue
+    args.push(...[configKey, configValue])
-    ])
+    await this.execGit(args)
   }
 
   async configExists(
@@ -254,8 +256,10 @@ class GitCommandManager {
     await this.execGit(['lfs', 'install', '--local'])
   }
 
-  async log1(): Promise<string> {
+  async log1(format?: string): Promise<string> {
-    const output = await this.execGit(['log', '-1'])
+    var args = format ? ['log', '-1', format] : ['log', '-1']
+    var silent = format ? false : true
+    const output = await this.execGit(args, false, silent)
     return output.stdout
   }
 
@@ -270,7 +274,7 @@ class GitCommandManager {
   /**
    * Resolves a ref to a SHA. For a branch or lightweight tag, the commit SHA is returned.
    * For an annotated tag, the tag SHA is returned.
-   * @param {string} ref  For example: 'refs/heads/master' or '/refs/tags/v1'
+   * @param {string} ref  For example: 'refs/heads/main' or '/refs/tags/v1'
    * @returns {Promise<string>}
    */
   async revParse(ref: string): Promise<string> {
@@ -390,7 +394,8 @@ class GitCommandManager {
 
   private async execGit(
     args: string[],
-    allowAllExitCodes = false
+    allowAllExitCodes = false,
+    silent = false
   ): Promise<GitOutput> {
     fshelper.directoryExistsSync(this.workingDirectory, true)
 
@@ -409,6 +414,7 @@ class GitCommandManager {
     const options = {
       cwd: this.workingDirectory,
       env,
+      silent,
       ignoreReturnCode: allowAllExitCodes,
       listeners: {
         stdout: (data: Buffer) => {

src/git-directory-helper.ts

@@ -39,7 +39,9 @@ export async function prepareExistingDirectory(
       try {
         await io.rmRF(lockPath)
       } catch (error) {
-        core.debug(`Unable to delete '${lockPath}'. ${error.message}`)
+        core.debug(
+          `Unable to delete '${lockPath}'. ${(error as any)?.message ?? error}`
+        )
       }
     }
 

src/git-source-provider.ts

@@ -201,9 +201,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
       }
     }
 
-    // Dump some info about the checked out commit
+    // Get commit information
     const commitInfo = await git.log1()
 
+    // Log commit sha
+    await git.log1("--format='%H'")
+
     // Check for incorrect pull request merge commit
     await refHelper.checkCommitInfo(
       settings.authToken,

src/git-source-settings.ts

@@ -73,4 +73,9 @@ export interface IGitSourceSettings {
    * Indicates whether to persist the credentials on disk to enable scripting authenticated git commands
    */
   persistCredentials: boolean
+
+  /**
+   * Organization ID for the currently running workflow (used for auth settings)
+   */
+  workflowOrganizationId: number | undefined
 }

src/github-api-helper.ts

@@ -47,7 +47,7 @@ export async function downloadRepository(
   } else {
     await toolCache.extractTar(archivePath, extractPath)
   }
-  io.rmRF(archivePath)
+  await io.rmRF(archivePath)
 
   // Determine the path of the repository content. The archive contains
   // a top-level folder and the repository content is inside.
@@ -70,7 +70,7 @@ export async function downloadRepository(
       await io.mv(sourcePath, targetPath)
     }
   }
-  io.rmRF(extractPath)
+  await io.rmRF(extractPath)
 }
 
 /**
@@ -92,7 +92,10 @@ export async function getDefaultBranch(
       assert.ok(result, 'default_branch cannot be empty')
     } catch (err) {
       // Handle .wiki repo
-      if (err['status'] === 404 && repo.toUpperCase().endsWith('.WIKI')) {
+      if (
+        (err as any)?.status === 404 &&
+        repo.toUpperCase().endsWith('.WIKI')
+      ) {
         result = 'master'
       }
       // Otherwise error

src/input-helper.ts

@@ -2,9 +2,10 @@ import * as core from '@actions/core'
 import * as fsHelper from './fs-helper'
 import * as github from '@actions/github'
 import * as path from 'path'
+import * as workflowContextHelper from './workflow-context-helper'
 import {IGitSourceSettings} from './git-source-settings'
 
-export function getInputs(): IGitSourceSettings {
+export async function getInputs(): Promise<IGitSourceSettings> {
   const result = ({} as unknown) as IGitSourceSettings
 
   // GitHub workspace
@@ -63,7 +64,7 @@ export function getInputs(): IGitSourceSettings {
       result.commit = github.context.sha
 
       // Some events have an unqualifed ref. For example when a PR is merged (pull_request closed event),
-      // the ref is unqualifed like "master" instead of "refs/heads/master".
+      // the ref is unqualifed like "main" instead of "refs/heads/main".
       if (result.commit && result.ref && !result.ref.startsWith('refs/')) {
         result.ref = `refs/heads/${result.ref}`
       }
@@ -118,5 +119,8 @@ export function getInputs(): IGitSourceSettings {
   result.persistCredentials =
     (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
+  // Workflow organization ID
+  result.workflowOrganizationId = await workflowContextHelper.getOrganizationId()
+
   return result
 }

src/main.ts

@@ -7,7 +7,7 @@ import * as stateHelper from './state-helper'
 
 async function run(): Promise<void> {
   try {
-    const sourceSettings = inputHelper.getInputs()
+    const sourceSettings = await inputHelper.getInputs()
 
     try {
       // Register problem matcher
@@ -24,7 +24,7 @@ async function run(): Promise<void> {
       coreCommand.issueCommand('remove-matcher', {owner: 'checkout-git'}, '')
     }
   } catch (error) {
-    core.setFailed(error.message)
+    core.setFailed(`${(error as any)?.message ?? error}`)
   }
 }
 
@@ -32,7 +32,7 @@ async function cleanup(): Promise<void> {
   try {
     await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
   } catch (error) {
-    core.warning(error.message)
+    core.warning(`${(error as any)?.message ?? error}`)
   }
 }
 

src/misc/generate-docs.ts

@@ -10,10 +10,10 @@ import * as yaml from 'js-yaml'
 
 function updateUsage(
   actionReference: string,
-  actionYamlPath: string = 'action.yml',
+  actionYamlPath = 'action.yml',
-  readmePath: string = 'README.md',
+  readmePath = 'README.md',
-  startToken: string = '<!-- start usage -->',
+  startToken = '<!-- start usage -->',
-  endToken: string = '<!-- end usage -->'
+  endToken = '<!-- end usage -->'
 ): void {
   if (!actionReference) {
     throw new Error('Parameter actionReference must not be empty')