brave / sta-rs

Mozilla Public License 2.0

chore(deps): update actions/checkout action to v4.1.3 #376

Closed renovate[bot] closed 7 months ago

renovate[bot] commented 7 months ago

Mend Renovate

This PR contains the following updates:

Package Type Update Change
actions/checkout action patch v4.1.1 -> v4.1.3

Release Notes

actions/checkout (actions/checkout)

### [`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3

### [`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@dscho](https://togithub.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

Configuration

📅 Schedule: Branch creation - " 0-4 * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

github-actions[bot] commented 7 months ago

[puLL-Merge] - actions/checkout@v4.1.1..v4.1.3

Description

This PR makes several changes to the actions/checkout codebase:

  1. Adds support for disabling sparse checkout when the sparse-checkout option is not provided. This fixes an issue where sparse checkout settings could persist unexpectedly.
  2. Updates the test workflow to use a custom Ubuntu+git docker image for improved reliability. The workflow for building this image is also added.
  3. Bumps the version to v4.1.2 and updates the changelog.
  4. Adds an ssh-user option to allow configuring the SSH user.

The main motivation seems to be fixing the sparse checkout persistence bug and improving the reliability of the test workflow.

### Changes

- __.github/workflows/test.yml__: Updated to use the custom `test-ubuntu-git` docker image. Added a test for disabling sparse checkout.
- __.github/workflows/update-main-version.yml__: Now pins `actions/checkout` to a stable version for reliability.
- __.github/workflows/update-test-ubuntu-git.yml__: New workflow to build and publish the `test-ubuntu-git` docker image.
- __images/test-ubuntu-git.Dockerfile__: Dockerfile for the custom test image with git pre-installed on Ubuntu.
- __images/test-ubuntu-git.md__: Documentation for the new custom Docker image.
- __action.yml__: Added new `ssh-user` input.
- __src/git-command-manager.ts__: Added `disableSparseCheckout()` function. Updated minimum Git version constants.
- __src/git-source-provider.ts__: Disables sparse checkout if not configured.
- __src/git-source-settings.ts__: Added `sshUser` property.
- __src/input-helper.ts__: Reads new `ssh-user` input.
- __src/url-helper.ts__: Uses configured `ssh-user` for SSH URLs.
- __*__: Version bumped to 4.1.2. Changelog updated.

Security Hotspots

  1. Medium: The new ssh-user input is used to construct Git URLs without any validation or sanitization. Validate the input is a safe username.
  2. Low: The custom Docker image building is gated behind a manual workflow_dispatch, reducing risk of it being abused. But access to trigger it should be restricted.
  3. Low: Package version bumped to 4.1.2 without major changes. Consider if this should be a patch version bump instead per semver.

Overall the changes look reasonable, with the main security recommendation being to validate the ssh-user input. Let me know if you have any other questions!
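The `ssh-user` validation that the puLL-Merge summary above recommends, written out as an added TypeScript example; it is not code from actions/checkout or from this repository. It assumes the SSH fetch URL has the shape `user@host:owner/repo.git`; `isSafeSshUser` and `buildSshFetchUrl` are hypothetical names, and the host, owner and repository names in it are constructed sample values.

```typescript
// Added example, not actions/checkout's own code: allowlist-validate an
// `ssh-user` style input before interpolating it into an SSH fetch URL.
// Assumed URL shape: <user>@<host>:<owner>/<repo>.git

// Conservative allowlist: a letter or underscore, then up to 31 letters,
// digits, underscores or hyphens. Anything else (`@`, `:`, `/`, spaces,
// control characters, an empty string, a leading hyphen) is rejected.
const SSH_USER_PATTERN = /^[A-Za-z_][A-Za-z0-9_-]{0,31}$/;

function isSafeSshUser(user: string): boolean {
  return SSH_USER_PATTERN.test(user);
}

// Builds the fetch URL only after the user part has passed the allowlist,
// so the configured value cannot change the host or repository path.
function buildSshFetchUrl(
  sshUser: string,
  host: string,
  owner: string,
  repo: string
): string {
  if (!isSafeSshUser(sshUser)) {
    throw new Error(
      `ssh-user ${JSON.stringify(sshUser)} is not a valid SSH user name`
    );
  }
  return `${sshUser}@${host}:${encodeURIComponent(owner)}/${encodeURIComponent(repo)}.git`;
}

// Constructed sample inputs: the usual default user, a plausible custom
// user, and a few values the allowlist is expected to refuse.
const SAMPLE_CANDIDATES: ReadonlyArray<string> = [
  "git",
  "deploy_user-1",
  "git@other.example",
  "user:path",
  "a b",
  "",
  "-flag",
];

// Returns the subset of candidates the allowlist accepts, for a quick
// check of the policy against sample input.
function acceptedSshUsers(candidates: ReadonlyArray<string>): string[] {
  return candidates.filter(isSafeSshUser);
}

console.log(acceptedSshUsers(SAMPLE_CANDIDATES));
// -> [ 'git', 'deploy_user-1' ]
console.log(buildSshFetchUrl("git", "github.com", "example-org", "example-repo"));
// -> git@github.com:example-org/example-repo.git
```

The allowlist is deliberately narrower than what SSH itself would accept; what matters for the hotspot is that `@`, `:`, `/` and whitespace never reach the URL, since those are the characters that separate the user part from the host and path.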