do not pass cred on command line (#108 )

add input persist-credentials (#107 )
fallback to REST API to download repo (#104 )
2019-12-12 14:04:04 -05:00 · 2019-12-12 13:49:26 -05:00 · 2019-12-12 13:16:16 -05:00 · 2019-12-10 11:17:38 -05:00
17 changed files with 651 additions and 572 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,32 +6,32 @@ on:
    branches:
      - master
      - releases/*
-      - users/ericsciple/*

 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2-beta
-  #     - run: npm ci
-  #     - run: npm run build
-  #     - run: npm run format-check
-  #     - run: npm run lint
-  #     - run: npm run pack
-  #     - run: npm run gendocs
-  #     - name: Verify no unstaged changes
-  #       run: __test__/verify-no-unstaged-changes.sh
+      - uses: actions/checkout@v1 # todo: switch to v2
+      - run: npm ci
+      - run: npm run build
+      - run: npm run format-check
+      - run: npm run lint
+      - run: npm run pack
+      - run: npm run gendocs
+      - run: npm test
+      - name: Verify no unstaged changes
+        run: __test__/verify-no-unstaged-changes.sh

-  # test:
-  #   strategy:
-  #     matrix:
-  #       runs-on: [ubuntu-latest, macos-latest, windows-latest]
-  #   runs-on: ${{ matrix.runs-on }}
+  test:
+    strategy:
+      matrix:
+        runs-on: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.runs-on }}

-  #   steps:
-  #     # Clone this repo
-  #     - name: Checkout
-  #       uses: actions/checkout@v1 # todo: switch to V2
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2-beta

      # Basic checkout
      - name: Basic checkout
@@ -39,46 +39,64 @@ jobs:
        with:
          ref: test-data/v2/basic
          path: basic
-      # - name: Verify basic
-      #   shell: bash
-      #   run: __test__/verify-basic.sh
+      - name: Verify basic
+        shell: bash
+        run: __test__/verify-basic.sh

-      # # Clean
-      # - name: Modify work tree
-      #   shell: bash
-      #   run: __test__/modify-work-tree.sh
-      # - name: Clean checkout
-      #   uses: ./
-      #   with:
-      #     ref: test-data/v2/basic
-      #     path: basic
-      # - name: Verify clean
-      #   shell: bash
-      #   run: __test__/verify-clean.sh
+      # Clean
+      - name: Modify work tree
+        shell: bash
+        run: __test__/modify-work-tree.sh
+      - name: Clean checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify clean
+        shell: bash
+        run: __test__/verify-clean.sh

-      # # Side by side
-      # - name: Side by side checkout 1
-      #   uses: ./
-      #   with:
-      #     ref: test-data/v2/side-by-side-1
-      #     path: side-by-side-1
-      # - name: Side by side checkout 2
-      #   uses: ./
-      #   with:
-      #     ref: test-data/v2/side-by-side-2
-      #     path: side-by-side-2
-      # - name: Verify side by side
-      #   shell: bash
-      #   run: __test__/verify-side-by-side.sh
+      # Side by side
+      - name: Side by side checkout 1
+        uses: ./
+        with:
+          ref: test-data/v2/side-by-side-1
+          path: side-by-side-1
+      - name: Side by side checkout 2
+        uses: ./
+        with:
+          ref: test-data/v2/side-by-side-2
+          path: side-by-side-2
+      - name: Verify side by side
+        shell: bash
+        run: __test__/verify-side-by-side.sh

-      # # LFS
-      # - name: LFS checkout
-      #   uses: ./
-      #   with:
-      #     repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
-      #     ref: test-data/v2/lfs
-      #     path: lfs
-      #     lfs: true
-      # - name: Verify LFS
-      #   shell: bash
-      #   run: __test__/verify-lfs.sh
+      # LFS
+      - name: LFS checkout
+        uses: ./
+        with:
+          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
+          ref: test-data/v2/lfs
+          path: lfs
+          lfs: true
+      - name: Verify LFS
+        shell: bash
+        run: __test__/verify-lfs.sh
+
+  test-job-container:
+    runs-on: ubuntu-latest
+    container: alpine:latest
+    steps:
+      # Clone this repo
+      # todo: after v2-beta contains the latest changes, switch this to "uses: actions/checkout@v2-beta"
+      - name: Checkout
+        uses: actions/checkout@a572f640b07e96fc5837b3adfa0e5a2ddd8dae21
+
+      # Basic checkout
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive
--- a/README.md
+++ b/README.md
@@ -13,18 +13,20 @@ Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows)
 # What's new

 - Improved fetch performance
-  - The default behavior now fetches only the SHA being checked-out
+  - The default behavior now fetches only the commit being checked-out
 - Script authenticated git commands
-  - Persists `with.token` in the local git config
+  - Persists the input `token` in the local git config
  - Enables your scripts to run authenticated git commands
  - Post-job cleanup removes the token
-  - Coming soon: Opt out by setting `with.persist-credentials` to `false`
+  - Opt out by setting the input `persist-credentials: false`
 - Creates a local branch
  - No longer detached HEAD when checking out a branch
  - A local branch is created with the corresponding upstream branch set
 - Improved layout
-  - `with.path` is always relative to `github.workspace`
-  - Aligns better with container actions, where `github.workspace` gets mapped in
+  - The input `path` is always relative to $GITHUB_WORKSPACE
+  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+- Fallback to REST API download
+  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
 - Removed input `submodules`

 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@@ -39,15 +41,21 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
    # Default: ${{ github.repository }}
    repository: ''

-    # The branch, tag or SHA to checkout.  When checking out the repository that
+    # The branch, tag or SHA to checkout. When checking out the repository that
    # triggered a workflow, this defaults to the reference or SHA for that event.
    # Otherwise, defaults to `master`.
    ref: ''

-    # Access token for clone repository
+    # Auth token used to fetch the repository. The token is stored in the local git
+    # config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the token from the git config.
    # Default: ${{ github.token }}
    token: ''

+    # Whether to persist the token in the git config
+    # Default: true
+    persist-credentials: ''
+
    # Relative path under $GITHUB_WORKSPACE to place the repository
    path: ''

@@ -89,7 +97,7 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```yaml
 - uses: actions/checkout@v2-beta
  with:
-    ref: ${{ github.event.after }}
+    ref: ${{ github.event.pull_request.head.sha }}
 ```

 # License
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@@ -63,7 +63,7 @@ describe('input-helper tests', () => {
  it('sets defaults', () => {
    const settings: ISourceSettings = inputHelper.getInputs()
    expect(settings).toBeTruthy()
-    expect(settings.accessToken).toBeFalsy()
+    expect(settings.authToken).toBeFalsy()
    expect(settings.clean).toBe(true)
    expect(settings.commit).toBeTruthy()
    expect(settings.commit).toBe('1234567890123456789012345678901234567890')
--- a/test/retry-helper.test.ts
+++ b/test/retry-helper.test.ts
@@ -0,0 +1,88 @@
+const mockCore = jest.genMockFromModule('@actions/core') as any
+mockCore.info = (message: string) => {
+  info.push(message)
+}
+let info: string[]
+let retryHelper: any
+
+describe('retry-helper tests', () => {
+  beforeAll(() => {
+    // Mocks
+    jest.setMock('@actions/core', mockCore)
+
+    // Now import
+    const retryHelperModule = require('../lib/retry-helper')
+    retryHelper = new retryHelperModule.RetryHelper(3, 0, 0)
+  })
+
+  beforeEach(() => {
+    // Reset info
+    info = []
+  })
+
+  afterAll(() => {
+    // Reset modules
+    jest.resetModules()
+  })
+
+  it('first attempt succeeds', async () => {
+    const actual = await retryHelper.execute(async () => {
+      return 'some result'
+    })
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(0)
+  })
+
+  it('second attempt succeeds', async () => {
+    let attempts = 0
+    const actual = await retryHelper.execute(() => {
+      if (++attempts == 1) {
+        throw new Error('some error')
+      }
+
+      return Promise.resolve('some result')
+    })
+    expect(attempts).toBe(2)
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(2)
+    expect(info[0]).toBe('some error')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+
+  it('third attempt succeeds', async () => {
+    let attempts = 0
+    const actual = await retryHelper.execute(() => {
+      if (++attempts < 3) {
+        throw new Error(`some error ${attempts}`)
+      }
+
+      return Promise.resolve('some result')
+    })
+    expect(attempts).toBe(3)
+    expect(actual).toBe('some result')
+    expect(info).toHaveLength(4)
+    expect(info[0]).toBe('some error 1')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+    expect(info[2]).toBe('some error 2')
+    expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+
+  it('all attempts fail succeeds', async () => {
+    let attempts = 0
+    let error: Error = (null as unknown) as Error
+    try {
+      await retryHelper.execute(() => {
+        throw new Error(`some error ${++attempts}`)
+      })
+    } catch (err) {
+      error = err
+    }
+    expect(error.message).toBe('some error 3')
+    expect(attempts).toBe(3)
+    expect(info).toHaveLength(4)
+    expect(info[0]).toBe('some error 1')
+    expect(info[1]).toMatch(/Waiting .+ seconds before trying again/)
+    expect(info[2]).toBe('some error 2')
+    expect(info[3]).toMatch(/Waiting .+ seconds before trying again/)
+  })
+})
--- a/test/verify-basic.sh
+++ b/test/verify-basic.sh
@@ -1,10 +1,24 @@
-#!/bin/bash
+#!/bin/sh

 if [ ! -f "./basic/basic-file.txt" ]; then
    echo "Expected basic file does not exist"
    exit 1
 fi

-# Verify auth token
-cd basic
-git fetch
+if [ "$1" = "--archive" ]; then
+  # Verify no .git folder
+  if [ -d "./basic/.git" ]; then
+    echo "Did not expect ./basic/.git folder to exist"
+    exit 1
+  fi
+else
+  # Verify .git folder
+  if [ ! -d "./basic/.git" ]; then
+    echo "Expected ./basic/.git folder to exist"
+    exit 1
+  fi
+
+  # Verify auth token
+  cd basic
+  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
+fi
--- a/action.yml
+++ b/action.yml
@@ -6,12 +6,18 @@ inputs:
    default: ${{ github.repository }}
  ref:
    description: >
-      The branch, tag or SHA to checkout.  When checking out the repository
-      that triggered a workflow, this defaults to the reference or SHA for
-      that event.  Otherwise, defaults to `master`.
+      The branch, tag or SHA to checkout. When checking out the repository that
+      triggered a workflow, this defaults to the reference or SHA for that
+      event.  Otherwise, defaults to `master`.
  token:
-    description: 'Access token for clone repository'
+    description: >
+      Auth token used to fetch the repository. The token is stored in the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the token from the git config.
    default: ${{ github.token }}
+  persist-credentials:
+    description: 'Whether to persist the token in the git config'
+    default: true
  path:
    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
  clean:
--- a/dist/index.js
+++ b/dist/index.js
@@ -2597,6 +2597,44 @@ function paginatePlugin(octokit) {
 }


+/***/ }),
+
+/***/ 153:
+/***/ (function(__unusedmodule, exports, __webpack_require__) {
+
+"use strict";
+
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const coreCommand = __importStar(__webpack_require__(431));
+/**
+ * Indicates whether the POST action is running
+ */
+exports.IsPost = !!process.env['STATE_isPost'];
+/**
+ * The repository path for the POST action. The value is empty during the MAIN action.
+ */
+exports.RepositoryPath = process.env['STATE_repositoryPath'] || '';
+/**
+ * Save the repository path so the POST action can retrieve the value.
+ */
+function setRepositoryPath(repositoryPath) {
+    coreCommand.issueCommand('save-state', { name: 'repositoryPath' }, repositoryPath);
+}
+exports.setRepositoryPath = setRepositoryPath;
+// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
+// This is necessary since we don't have a separate entry point.
+if (!exports.IsPost) {
+    coreCommand.issueCommand('save-state', { name: 'isPost' }, 'true');
+}
+
+
 /***/ }),

 /***/ 168:
@@ -2751,7 +2789,7 @@ const coreCommand = __importStar(__webpack_require__(431));
 const gitSourceProvider = __importStar(__webpack_require__(293));
 const inputHelper = __importStar(__webpack_require__(821));
 const path = __importStar(__webpack_require__(622));
-const cleanupRepositoryPath = process.env['STATE_repositoryPath'];
+const stateHelper = __importStar(__webpack_require__(153));
 function run() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
@@ -2775,7 +2813,7 @@ function run() {
 function cleanup() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
-            yield gitSourceProvider.cleanup(cleanupRepositoryPath);
+            yield gitSourceProvider.cleanup(stateHelper.RepositoryPath);
        }
        catch (error) {
            core.warning(error.message);
@@ -2783,7 +2821,7 @@ function cleanup() {
    });
 }
 // Main
-if (!cleanupRepositoryPath) {
+if (!stateHelper.IsPost) {
    run();
 }
 // Post
@@ -2823,14 +2861,6 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
    });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-function getDownloadRef(ref, commit) {
-    if (commit) {
-        return commit;
-    }
-    // todo fix this to work with refs/pull etc
-    return ref;
-}
-exports.getDownloadRef = getDownloadRef;
 function getCheckoutInfo(git, ref, commit) {
    return __awaiter(this, void 0, void 0, function* () {
        if (!git) {
@@ -4808,7 +4838,7 @@ class GitCommandManager {
    }
    config(configKey, configValue) {
        return __awaiter(this, void 0, void 0, function* () {
-            yield this.execGit(['config', configKey, configValue]);
+            yield this.execGit(['config', '--local', configKey, configValue]);
        });
    }
    configExists(configKey) {
@@ -4816,7 +4846,7 @@ class GitCommandManager {
            const pattern = configKey.replace(/[^a-zA-Z0-9_]/g, x => {
                return `\\${x}`;
            });
-            const output = yield this.execGit(['config', '--name-only', '--get-regexp', pattern], true);
+            const output = yield this.execGit(['config', '--local', '--name-only', '--get-regexp', pattern], true);
            return output.exitCode === 0;
        });
    }
@@ -4902,19 +4932,19 @@ class GitCommandManager {
    }
    tryConfigUnset(configKey) {
        return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', '--unset-all', configKey], true);
+            const output = yield this.execGit(['config', '--local', '--unset-all', configKey], true);
            return output.exitCode === 0;
        });
    }
    tryDisableAutomaticGarbageCollection() {
        return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', 'gc.auto', '0'], true);
+            const output = yield this.execGit(['config', '--local', 'gc.auto', '0'], true);
            return output.exitCode === 0;
        });
    }
    tryGetFetchUrl() {
        return __awaiter(this, void 0, void 0, function* () {
-            const output = yield this.execGit(['config', '--get', 'remote.origin.url'], true);
+            const output = yield this.execGit(['config', '--local', '--get', 'remote.origin.url'], true);
            if (output.exitCode !== 0) {
                return '';
            }
@@ -5057,22 +5087,20 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(__webpack_require__(470));
-const coreCommand = __importStar(__webpack_require__(431));
 const fs = __importStar(__webpack_require__(747));
 const fsHelper = __importStar(__webpack_require__(618));
 const gitCommandManager = __importStar(__webpack_require__(289));
+const githubApiHelper = __importStar(__webpack_require__(464));
 const io = __importStar(__webpack_require__(1));
 const path = __importStar(__webpack_require__(622));
 const refHelper = __importStar(__webpack_require__(227));
-const githubApiHelper = __importStar(__webpack_require__(464));
+const stateHelper = __importStar(__webpack_require__(153));
 const authConfigKey = `http.https://github.com/.extraheader`;
 function getSource(settings) {
    return __awaiter(this, void 0, void 0, function* () {
        // Repository URL
        core.info(`Syncing repository: ${settings.repositoryOwner}/${settings.repositoryName}`);
        const repositoryUrl = `https://github.com/${encodeURIComponent(settings.repositoryOwner)}/${encodeURIComponent(settings.repositoryName)}`;
-        // Set intra-task state for cleanup
-        coreCommand.issueCommand('save-state', { name: 'repositoryPath' }, settings.repositoryPath);
        // Remove conflicting file path
        if (fsHelper.fileExistsSync(settings.repositoryPath)) {
            yield io.rmRF(settings.repositoryPath);
@@ -5084,28 +5112,20 @@ function getSource(settings) {
            yield io.mkdirP(settings.repositoryPath);
        }
        // Git command manager
-        core.info(`Working directory is '${settings.repositoryPath}'`);
-        let git = null;
-        try {
-            git = yield gitCommandManager.CreateCommandManager(settings.repositoryPath, settings.lfs);
-        }
-        catch (err) {
-            // Git is required for LFS
-            if (settings.lfs) {
-                throw err;
-            }
-            // Otherwise fallback to REST API
-        }
+        const git = yield getGitCommandManager(settings);
        // Prepare existing directory, otherwise recreate
        if (isExisting) {
            yield prepareExistingDirectory(git, settings.repositoryPath, repositoryUrl, settings.clean);
        }
-        if (!git || `${1}` == '1') {
-            core.info(`Downloading the repository files using the GitHub REST API`);
-            core.info(`To create a local repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
-            yield githubApiHelper.downloadRepository(settings.accessToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
+        if (!git) {
+            // Downloading using REST API
+            core.info(`The repository will be downloaded using the GitHub REST API`);
+            core.info(`To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`);
+            yield githubApiHelper.downloadRepository(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.ref, settings.commit, settings.repositoryPath);
        }
        else {
+            // Save state for POST action
+            stateHelper.setRepositoryPath(settings.repositoryPath);
            // Initialize the repository
            if (!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))) {
                yield git.init();
@@ -5117,30 +5137,34 @@ function getSource(settings) {
            }
            // Remove possible previous extraheader
            yield removeGitConfig(git, authConfigKey);
-            // Add extraheader (auth)
-            const base64Credentials = Buffer.from(`x-access-token:${settings.accessToken}`, 'utf8').toString('base64');
-            core.setSecret(base64Credentials);
-            const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
-            yield git.config(authConfigKey, authConfigValue);
-            // LFS install
-            if (settings.lfs) {
-                yield git.lfsInstall();
+            try {
+                // Config auth token
+                yield configureAuthToken(git, settings.authToken);
+                // LFS install
+                if (settings.lfs) {
+                    yield git.lfsInstall();
+                }
+                // Fetch
+                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
+                yield git.fetch(settings.fetchDepth, refSpec);
+                // Checkout info
+                const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
+                // LFS fetch
+                // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+                // Explicit lfs fetch will fetch lfs objects in parallel.
+                if (settings.lfs) {
+                    yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
+                }
+                // Checkout
+                yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
+                // Dump some info about the checked out commit
+                yield git.log1();
            }
-            // Fetch
-            const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
-            yield git.fetch(settings.fetchDepth, refSpec);
-            // Checkout info
-            const checkoutInfo = yield refHelper.getCheckoutInfo(git, settings.ref, settings.commit);
-            // LFS fetch
-            // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-            // Explicit lfs fetch will fetch lfs objects in parallel.
-            if (settings.lfs) {
-                yield git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref);
+            finally {
+                if (!settings.persistCredentials) {
+                    yield removeGitConfig(git, authConfigKey);
+                }
            }
-            // Checkout
-            yield git.checkout(checkoutInfo.ref, checkoutInfo.startPoint);
-            // Dump some info about the checked out commit
-            yield git.log1();
        }
    });
 }
@@ -5158,6 +5182,23 @@ function cleanup(repositoryPath) {
    });
 }
 exports.cleanup = cleanup;
+function getGitCommandManager(settings) {
+    return __awaiter(this, void 0, void 0, function* () {
+        core.info(`Working directory is '${settings.repositoryPath}'`);
+        let git = null;
+        try {
+            return yield gitCommandManager.CreateCommandManager(settings.repositoryPath, settings.lfs);
+        }
+        catch (err) {
+            // Git is required for LFS
+            if (settings.lfs) {
+                throw err;
+            }
+            // Otherwise fallback to REST API
+            return null;
+        }
+    });
+}
 function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
    return __awaiter(this, void 0, void 0, function* () {
        let remove = false;
@@ -5228,23 +5269,34 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
        }
    });
 }
+function configureAuthToken(git, authToken) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // Configure a placeholder value. This approach avoids the credential being captured
+        // by process creation audit events, which are commonly logged. For more information,
+        // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+        const placeholder = `AUTHORIZATION: basic ***`;
+        yield git.config(authConfigKey, placeholder);
+        // Determine the basic credential value
+        const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
+        core.setSecret(basicCredential);
+        // Replace the value in the config file
+        const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
+        let content = (yield fs.promises.readFile(configPath)).toString();
+        const placeholderIndex = content.indexOf(placeholder);
+        if (placeholderIndex < 0 ||
+            placeholderIndex != content.lastIndexOf(placeholder)) {
+            throw new Error('Unable to replace auth placeholder in .git/config');
+        }
+        content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
+        yield fs.promises.writeFile(configPath, content);
+    });
+}
 function removeGitConfig(git, configKey) {
    return __awaiter(this, void 0, void 0, function* () {
        if ((yield git.configExists(configKey)) &&
            !(yield git.tryConfigUnset(configKey))) {
            // Load the config contents
-            core.warning(`Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`);
-            const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
-            fsHelper.fileExistsSync(configPath);
-            let contents = fs.readFileSync(configPath).toString() || '';
-            // Filter - only includes lines that do not contain the config key
-            const upperConfigKey = configKey.toUpperCase();
-            const split = contents
-                .split('\n')
-                .filter(x => !x.toUpperCase().includes(upperConfigKey));
-            contents = split.join('\n');
-            // Rewrite the config file
-            fs.writeFileSync(configPath, contents);
+            core.warning(`Failed to remove '${configKey}' from the git config`);
        }
    });
 }
@@ -8352,68 +8404,36 @@ var __importStar = (this && this.__importStar) || function (mod) {
    result["default"] = mod;
    return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const assert = __importStar(__webpack_require__(357));
 const core = __importStar(__webpack_require__(470));
-const exec = __importStar(__webpack_require__(986));
 const fs = __importStar(__webpack_require__(747));
 const github = __importStar(__webpack_require__(469));
 const io = __importStar(__webpack_require__(1));
 const path = __importStar(__webpack_require__(622));
-const refHelper = __importStar(__webpack_require__(227));
 const retryHelper = __importStar(__webpack_require__(587));
 const toolCache = __importStar(__webpack_require__(533));
+const v4_1 = __importDefault(__webpack_require__(826));
 const IS_WINDOWS = process.platform === 'win32';
-function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPath) {
+function downloadRepository(authToken, owner, repo, ref, commit, repositoryPath) {
    return __awaiter(this, void 0, void 0, function* () {
-        // Determine archive path
-        const runnerTemp = process.env['RUNNER_TEMP'];
-        assert.ok(runnerTemp, 'RUNNER_TEMP not defined');
-        const archivePath = path.join(runnerTemp, 'checkout.tar.gz');
-        // Ensure file does not exist
-        core.debug(`Ensuring archive file does not exist: ${archivePath}`);
-        yield io.rmRF(archivePath);
        // Download the archive
        let archiveData = yield retryHelper.execute(() => __awaiter(this, void 0, void 0, function* () {
-            core.info('Downloading the archive using the REST API');
-            return yield downloadArchive(accessToken, owner, repo, ref, commit);
+            core.info('Downloading the archive');
+            return yield downloadArchive(authToken, owner, repo, ref, commit);
        }));
        // Write archive to disk
        core.info('Writing archive to disk');
+        const uniqueId = v4_1.default();
+        const archivePath = path.join(repositoryPath, `${uniqueId}.tar.gz`);
        yield fs.promises.writeFile(archivePath, archiveData);
        archiveData = Buffer.from(''); // Free memory
-        // // Get the archive URL using the REST API
-        // await retryHelper.execute(async () => {
-        //   // Prepare the archive stream
-        //   core.debug(`Preparing the archive stream: ${archivePath}`)
-        //   await io.rmRF(archivePath)
-        //   const fileStream = fs.createWriteStream(archivePath)
-        //   const fileStreamClosed = getFileClosedPromise(fileStream)
-        //   try {
-        //     // Get the archive URL
-        //     core.info('Getting archive URL')
-        //     const archiveUrl = await getArchiveUrl(
-        //       accessToken,
-        //       owner,
-        //       repo,
-        //       ref,
-        //       commit
-        //     )
-        //     // Download the archive
-        //     core.info('Downloading the archive') // Do not print the archive URL because it has an embedded token
-        //     await downloadFile(archiveUrl, fileStream)
-        //   } finally {
-        //     fileStream.end()
-        //     await fileStreamClosed
-        //   }
-        // })
-        // await fs.promises.writeFile(archivePath, raw)
-        // // await exec.exec(`ls -la "${archiveFile}"`, [], {
-        // //   cwd: repositoryPath
-        // // } as ExecOptions)
        // Extract archive
-        const extractPath = path.join(runnerTemp, `checkout`);
-        yield io.rmRF(extractPath);
+        core.info('Extracting the archive');
+        const extractPath = path.join(repositoryPath, uniqueId);
        yield io.mkdirP(extractPath);
        if (IS_WINDOWS) {
            yield toolCache.extractZip(archivePath, extractPath);
@@ -8421,114 +8441,45 @@ function downloadRepository(accessToken, owner, repo, ref, commit, repositoryPat
        else {
            yield toolCache.extractTar(archivePath, extractPath);
        }
-        // await exec.exec(`tar -xzf "${archiveFile}"`, [], {
-        //   cwd: extractPath
-        // } as ExecOptions)
-        // Determine the real directory to copy (ignore extra dir at root of the archive)
+        io.rmRF(archivePath);
+        // Determine the path of the repository content. The archive contains
+        // a top-level folder and the repository content is inside.
        const archiveFileNames = yield fs.promises.readdir(extractPath);
        assert.ok(archiveFileNames.length == 1, 'Expected exactly one directory inside archive');
-        const extraDirectoryName = archiveFileNames[0];
-        core.info(`Resolved ${extraDirectoryName}`); // contains the short SHA
-        const tempRepositoryPath = path.join(extractPath, extraDirectoryName);
+        const archiveVersion = archiveFileNames[0]; // The top-level folder name includes the short SHA
+        core.info(`Resolved version ${archiveVersion}`);
+        const tempRepositoryPath = path.join(extractPath, archiveVersion);
        // Move the files
        for (const fileName of yield fs.promises.readdir(tempRepositoryPath)) {
            const sourcePath = path.join(tempRepositoryPath, fileName);
            const targetPath = path.join(repositoryPath, fileName);
-            yield io.mv(sourcePath, targetPath);
+            if (IS_WINDOWS) {
+                yield io.cp(sourcePath, targetPath, { recursive: true }); // Copy on Windows (Windows Defender may have a lock)
+            }
+            else {
+                yield io.mv(sourcePath, targetPath);
+            }
        }
-        yield exec.exec(`find .`, [], {
-            cwd: repositoryPath
-        });
+        io.rmRF(extractPath);
    });
 }
 exports.downloadRepository = downloadRepository;
-function downloadArchive(accessToken, owner, repo, ref, commit) {
+function downloadArchive(authToken, owner, repo, ref, commit) {
    return __awaiter(this, void 0, void 0, function* () {
-        const octokit = new github.GitHub(accessToken);
+        const octokit = new github.GitHub(authToken);
        const params = {
            owner: owner,
            repo: repo,
            archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
-            ref: refHelper.getDownloadRef(ref, commit)
+            ref: commit || ref
        };
        const response = yield octokit.repos.getArchiveLink(params);
-        console.log('GOT THE RESPONSE');
-        console.log(`status=${response.status}`);
-        console.log(`headers=${JSON.stringify(response.headers)}`);
-        console.log(`data=${JSON.stringify(response.data)}`);
        if (response.status != 200) {
-            throw new Error(`Unexpected response from GitHub API. Status: '${response.status}'`);
+            throw new Error(`Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`);
        }
        return Buffer.from(response.data); // response.data is ArrayBuffer
    });
 }
-// async function getArchiveUrl(
-//   accessToken: string,
-//   owner: string,
-//   repo: string,
-//   ref: string,
-//   commit: string
-// ): Promise<string> {
-//   const octokit = new github.GitHub(accessToken)
-//   const params: RequestOptions & ReposGetArchiveLinkParams = {
-//     method: 'HEAD',
-//     owner: owner,
-//     repo: repo,
-//     archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
-//     ref: refHelper.getDownloadRef(ref, commit)
-//   }
-//   const response = await octokit.repos.getArchiveLink(params)
-//   console.log('GOT THE RESPONSE')
-//   console.log(`status=${response.status}`)
-//   console.log(`headers=${JSON.stringify(response.headers)}`)
-//   console.log(`data=${JSON.stringify(response.data)}`)
-//   if (response.status != 200) {
-//     throw new Error(
-//       `Unexpected response from GitHub API. Status: '${response.status}'`
-//     )
-//   }
-//   console.log('GETTING THE LOCATION')
-//   const archiveUrl = response.headers['Location'] // Do not print the archive URL because it has an embedded token
-//   assert.ok(
-//     archiveUrl,
-//     `Expected GitHub API response to contain 'Location' header`
-//   )
-//   return archiveUrl
-// }
-// function downloadFile(url: string, fileStream: WriteStream): Promise<void> {
-//   return new Promise((resolve, reject) => {
-//     try {
-//       https.get(url, (response: IncomingMessage) => {
-//         if (response.statusCode != 200) {
-//           reject(`Request failed with status '${response.statusCode}'`)
-//           response.resume() // Consume response data to free up memory
-//           return
-//         }
-//         response.on('data', chunk => {
-//           fileStream.write(chunk)
-//         })
-//         response.on('end', () => {
-//           resolve()
-//         })
-//         response.on('error', err => {
-//           reject(err)
-//         })
-//       })
-//     } catch (err) {
-//       reject(err)
-//     }
-//   })
-// }
-// function getFileClosedPromise(stream: WriteStream): Promise<void> {
-//   return new Promise((resolve, reject) => {
-//     stream.on('error', err => {
-//       reject(err)
-//     })
-//     stream.on('finish', () => {
-//       resolve()
-//     })
-//   })
-// }


 /***/ }),
@@ -9863,41 +9814,57 @@ var __importStar = (this && this.__importStar) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 const core = __importStar(__webpack_require__(470));
-const maxAttempts = 3;
-const minSeconds = 10;
-const maxSeconds = 20;
+const defaultMaxAttempts = 3;
+const defaultMinSeconds = 10;
+const defaultMaxSeconds = 20;
+class RetryHelper {
+    constructor(maxAttempts = defaultMaxAttempts, minSeconds = defaultMinSeconds, maxSeconds = defaultMaxSeconds) {
+        this.maxAttempts = maxAttempts;
+        this.minSeconds = Math.floor(minSeconds);
+        this.maxSeconds = Math.floor(maxSeconds);
+        if (this.minSeconds > this.maxSeconds) {
+            throw new Error('min seconds should be less than or equal to max seconds');
+        }
+    }
+    execute(action) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let attempt = 1;
+            while (attempt < this.maxAttempts) {
+                // Try
+                try {
+                    return yield action();
+                }
+                catch (err) {
+                    core.info(err.message);
+                }
+                // Sleep
+                const seconds = this.getSleepAmount();
+                core.info(`Waiting ${seconds} seconds before trying again`);
+                yield this.sleep(seconds);
+                attempt++;
+            }
+            // Last attempt
+            return yield action();
+        });
+    }
+    getSleepAmount() {
+        return (Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) +
+            this.minSeconds);
+    }
+    sleep(seconds) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return new Promise(resolve => setTimeout(resolve, seconds * 1000));
+        });
+    }
+}
+exports.RetryHelper = RetryHelper;
 function execute(action) {
    return __awaiter(this, void 0, void 0, function* () {
-        let attempt = 1;
-        while (attempt < maxAttempts) {
-            // Try
-            try {
-                return yield action();
-            }
-            catch (err) {
-                core.info(err.message);
-            }
-            // Sleep
-            const seconds = getRandomIntInclusive(minSeconds, maxSeconds);
-            core.info(`Waiting ${seconds} before trying again`);
-            yield sleep(seconds * 1000);
-            attempt++;
-        }
-        // Last attempt
-        return yield action();
+        const retryHelper = new RetryHelper();
+        return yield retryHelper.execute(action);
    });
 }
 exports.execute = execute;
-function getRandomIntInclusive(minimum, maximum) {
-    minimum = Math.floor(minimum);
-    maximum = Math.floor(maximum);
-    return Math.floor(Math.random() * (maximum - minimum + 1)) + minimum;
-}
-function sleep(milliseconds) {
-    return __awaiter(this, void 0, void 0, function* () {
-        return new Promise(resolve => setTimeout(resolve, milliseconds));
-    });
-}


 /***/ }),
@@ -12812,8 +12779,11 @@ function getInputs() {
    // LFS
    result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE';
    core.debug(`lfs = ${result.lfs}`);
-    // Access token
-    result.accessToken = core.getInput('token');
+    // Auth token
+    result.authToken = core.getInput('token');
+    // Persist credentials
+    result.persistCredentials =
+        (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE';
    return result;
 }
 exports.getInputs = getInputs;
--- a/package-lock.json
+++ b/package-lock.json
@@ -767,6 +767,15 @@
      "integrity": "sha512-l42BggppR6zLmpfU6fq9HEa2oGPEI8yrSPL3GITjfRInppYFahObbIQOQK3UGxEnyQpltZLaPe75046NOZQikw==",
      "dev": true
    },
+    "@types/uuid": {
+      "version": "3.4.6",
+      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-3.4.6.tgz",
+      "integrity": "sha512-cCdlC/1kGEZdEglzOieLDYBxHsvEOIg7kp/2FYyVR9Pxakq+Qf/inL3RKQ+PA8gOlI/NnL+fXmQH12nwcGzsHw==",
+      "dev": true,
+      "requires": {
+        "@types/node": "*"
+      }
+    },
    "@types/yargs": {
      "version": "13.0.3",
      "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-13.0.3.tgz",
--- a/package.json
+++ b/package.json
@@ -33,11 +33,13 @@
    "@actions/exec": "^1.0.1",
    "@actions/github": "^2.0.0",
    "@actions/io": "^1.0.1",
-    "@actions/tool-cache": "^1.1.2"
+    "@actions/tool-cache": "^1.1.2",
+    "uuid": "^3.3.3"
  },
  "devDependencies": {
    "@types/jest": "^24.0.23",
    "@types/node": "^12.7.12",
+    "@types/uuid": "^3.4.6",
    "@typescript-eslint/parser": "^2.8.0",
    "@zeit/ncc": "^0.20.5",
    "eslint": "^5.16.0",
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -116,7 +116,7 @@ class GitCommandManager {
  }

  async config(configKey: string, configValue: string): Promise<void> {
-    await this.execGit(['config', configKey, configValue])
+    await this.execGit(['config', '--local', configKey, configValue])
  }

  async configExists(configKey: string): Promise<boolean> {
@@ -124,7 +124,7 @@ class GitCommandManager {
      return `\\${x}`
    })
    const output = await this.execGit(
-      ['config', '--name-only', '--get-regexp', pattern],
+      ['config', '--local', '--name-only', '--get-regexp', pattern],
      true
    )
    return output.exitCode === 0
@@ -211,20 +211,23 @@ class GitCommandManager {

  async tryConfigUnset(configKey: string): Promise<boolean> {
    const output = await this.execGit(
-      ['config', '--unset-all', configKey],
+      ['config', '--local', '--unset-all', configKey],
      true
    )
    return output.exitCode === 0
  }

  async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
-    const output = await this.execGit(['config', 'gc.auto', '0'], true)
+    const output = await this.execGit(
+      ['config', '--local', 'gc.auto', '0'],
+      true
+    )
    return output.exitCode === 0
  }

  async tryGetFetchUrl(): Promise<string> {
    const output = await this.execGit(
-      ['config', '--get', 'remote.origin.url'],
+      ['config', '--local', '--get', 'remote.origin.url'],
      true
    )

--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -1,12 +1,12 @@
 import * as core from '@actions/core'
-import * as coreCommand from '@actions/core/lib/command'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
+import * as githubApiHelper from './github-api-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
 import * as refHelper from './ref-helper'
-import * as githubApiHelper from './github-api-helper'
+import * as stateHelper from './state-helper'
 import {IGitCommandManager} from './git-command-manager'

 const authConfigKey = `http.https://github.com/.extraheader`
@@ -20,7 +20,8 @@ export interface ISourceSettings {
  clean: boolean
  fetchDepth: number
  lfs: boolean
-  accessToken: string
+  authToken: string
+  persistCredentials: boolean
 }

 export async function getSource(settings: ISourceSettings): Promise<void> {
@@ -32,13 +33,6 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
    settings.repositoryOwner
  )}/${encodeURIComponent(settings.repositoryName)}`

-  // Set intra-task state for cleanup
-  coreCommand.issueCommand(
-    'save-state',
-    {name: 'repositoryPath'},
-    settings.repositoryPath
-  )
-
  // Remove conflicting file path
  if (fsHelper.fileExistsSync(settings.repositoryPath)) {
    await io.rmRF(settings.repositoryPath)
@@ -52,21 +46,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
  }

  // Git command manager
-  core.info(`Working directory is '${settings.repositoryPath}'`)
-  let git = (null as unknown) as IGitCommandManager
-  try {
-    git = await gitCommandManager.CreateCommandManager(
-      settings.repositoryPath,
-      settings.lfs
-    )
-  } catch (err) {
-    // Git is required for LFS
-    if (settings.lfs) {
-      throw err
-    }
-
-    // Otherwise fallback to REST API
-  }
+  const git = await getGitCommandManager(settings)

  // Prepare existing directory, otherwise recreate
  if (isExisting) {
@@ -78,13 +58,14 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
    )
  }

-  if (!git || `${1}` == '1') {
-    core.info(`Downloading the repository files using the GitHub REST API`)
+  if (!git) {
+    // Downloading using REST API
+    core.info(`The repository will be downloaded using the GitHub REST API`)
    core.info(
-      `To create a local repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
+      `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
    )
    await githubApiHelper.downloadRepository(
-      settings.accessToken,
+      settings.authToken,
      settings.repositoryOwner,
      settings.repositoryName,
      settings.ref,
@@ -92,6 +73,9 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
      settings.repositoryPath
    )
  } else {
+    // Save state for POST action
+    stateHelper.setRepositoryPath(settings.repositoryPath)
+
    // Initialize the repository
    if (
      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
@@ -110,43 +94,43 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
    // Remove possible previous extraheader
    await removeGitConfig(git, authConfigKey)

-    // Add extraheader (auth)
-    const base64Credentials = Buffer.from(
-      `x-access-token:${settings.accessToken}`,
-      'utf8'
-    ).toString('base64')
-    core.setSecret(base64Credentials)
-    const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-    await git.config(authConfigKey, authConfigValue)
+    try {
+      // Config auth token
+      await configureAuthToken(git, settings.authToken)

-    // LFS install
-    if (settings.lfs) {
-      await git.lfsInstall()
+      // LFS install
+      if (settings.lfs) {
+        await git.lfsInstall()
+      }
+
+      // Fetch
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
+      await git.fetch(settings.fetchDepth, refSpec)
+
+      // Checkout info
+      const checkoutInfo = await refHelper.getCheckoutInfo(
+        git,
+        settings.ref,
+        settings.commit
+      )
+
+      // LFS fetch
+      // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+      // Explicit lfs fetch will fetch lfs objects in parallel.
+      if (settings.lfs) {
+        await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
+      }
+
+      // Checkout
+      await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
+
+      // Dump some info about the checked out commit
+      await git.log1()
+    } finally {
+      if (!settings.persistCredentials) {
+        await removeGitConfig(git, authConfigKey)
+      }
    }
-
-    // Fetch
-    const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-    await git.fetch(settings.fetchDepth, refSpec)
-
-    // Checkout info
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      settings.ref,
-      settings.commit
-    )
-
-    // LFS fetch
-    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-    // Explicit lfs fetch will fetch lfs objects in parallel.
-    if (settings.lfs) {
-      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
-    }
-
-    // Checkout
-    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
-
-    // Dump some info about the checked out commit
-    await git.log1()
  }
 }

@@ -165,6 +149,27 @@ export async function cleanup(repositoryPath: string): Promise<void> {
  await removeGitConfig(git, authConfigKey)
 }

+async function getGitCommandManager(
+  settings: ISourceSettings
+): Promise<IGitCommandManager> {
+  core.info(`Working directory is '${settings.repositoryPath}'`)
+  let git = (null as unknown) as IGitCommandManager
+  try {
+    return await gitCommandManager.CreateCommandManager(
+      settings.repositoryPath,
+      settings.lfs
+    )
+  } catch (err) {
+    // Git is required for LFS
+    if (settings.lfs) {
+      throw err
+    }
+
+    // Otherwise fallback to REST API
+    return (null as unknown) as IGitCommandManager
+  }
+}
+
 async function prepareExistingDirectory(
  git: IGitCommandManager,
  repositoryPath: string,
@@ -250,6 +255,40 @@ async function prepareExistingDirectory(
  }
 }

+async function configureAuthToken(
+  git: IGitCommandManager,
+  authToken: string
+): Promise<void> {
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
+    `x-access-token:${authToken}`,
+    'utf8'
+  ).toString('base64')
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
+}
+
 async function removeGitConfig(
  git: IGitCommandManager,
  configKey: string
@@ -259,21 +298,6 @@ async function removeGitConfig(
    !(await git.tryConfigUnset(configKey))
  ) {
    // Load the config contents
-    core.warning(
-      `Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
-    )
-    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
-    fsHelper.fileExistsSync(configPath)
-    let contents = fs.readFileSync(configPath).toString() || ''
-
-    // Filter - only includes lines that do not contain the config key
-    const upperConfigKey = configKey.toUpperCase()
-    const split = contents
-      .split('\n')
-      .filter(x => !x.toUpperCase().includes(upperConfigKey))
-    contents = split.join('\n')
-
-    // Rewrite the config file
-    fs.writeFileSync(configPath, contents)
+    core.warning(`Failed to remove '${configKey}' from the git config`)
  }
 }
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@@ -1,204 +1,92 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
-import * as exec from '@actions/exec'
 import * as fs from 'fs'
 import * as github from '@actions/github'
-import * as https from 'https'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as refHelper from './ref-helper'
 import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
-import {ExecOptions} from '@actions/exec/lib/interfaces'
-import {IncomingMessage} from 'http'
-import {RequestOptions, ReposGetArchiveLinkParams} from '@octokit/rest'
-import {WriteStream} from 'fs'
+import {default as uuid} from 'uuid/v4'
+import {ReposGetArchiveLinkParams} from '@octokit/rest'

 const IS_WINDOWS = process.platform === 'win32'

 export async function downloadRepository(
-  accessToken: string,
+  authToken: string,
  owner: string,
  repo: string,
  ref: string,
  commit: string,
  repositoryPath: string
 ): Promise<void> {
-  // Determine archive path
-  const runnerTemp = process.env['RUNNER_TEMP'] as string
-  assert.ok(runnerTemp, 'RUNNER_TEMP not defined')
-  const archivePath = path.join(runnerTemp, 'checkout.tar.gz')
-
-  // Ensure file does not exist
-  core.debug(`Ensuring archive file does not exist: ${archivePath}`)
-  await io.rmRF(archivePath)
-
  // Download the archive
  let archiveData = await retryHelper.execute(async () => {
-    core.info('Downloading the archive using the REST API')
-    return await downloadArchive(accessToken, owner, repo, ref, commit)
+    core.info('Downloading the archive')
+    return await downloadArchive(authToken, owner, repo, ref, commit)
  })

  // Write archive to disk
  core.info('Writing archive to disk')
+  const uniqueId = uuid()
+  const archivePath = path.join(repositoryPath, `${uniqueId}.tar.gz`)
  await fs.promises.writeFile(archivePath, archiveData)
  archiveData = Buffer.from('') // Free memory

-  // // Get the archive URL using the REST API
-  // await retryHelper.execute(async () => {
-  //   // Prepare the archive stream
-  //   core.debug(`Preparing the archive stream: ${archivePath}`)
-  //   await io.rmRF(archivePath)
-  //   const fileStream = fs.createWriteStream(archivePath)
-  //   const fileStreamClosed = getFileClosedPromise(fileStream)
-
-  //   try {
-  //     // Get the archive URL
-  //     core.info('Getting archive URL')
-  //     const archiveUrl = await getArchiveUrl(
-  //       accessToken,
-  //       owner,
-  //       repo,
-  //       ref,
-  //       commit
-  //     )
-
-  //     // Download the archive
-  //     core.info('Downloading the archive') // Do not print the archive URL because it has an embedded token
-  //     await downloadFile(archiveUrl, fileStream)
-  //   } finally {
-  //     fileStream.end()
-  //     await fileStreamClosed
-  //   }
-  // })
-
  // Extract archive
-  const extractPath = path.join(runnerTemp, `checkout`)
-  await io.rmRF(extractPath)
+  core.info('Extracting the archive')
+  const extractPath = path.join(repositoryPath, uniqueId)
  await io.mkdirP(extractPath)
  if (IS_WINDOWS) {
    await toolCache.extractZip(archivePath, extractPath)
  } else {
    await toolCache.extractTar(archivePath, extractPath)
  }
+  io.rmRF(archivePath)

-  // Determine the real directory to copy (ignore extra dir at root of the archive)
+  // Determine the path of the repository content. The archive contains
+  // a top-level folder and the repository content is inside.
  const archiveFileNames = await fs.promises.readdir(extractPath)
  assert.ok(
    archiveFileNames.length == 1,
    'Expected exactly one directory inside archive'
  )
-  const extraDirectoryName = archiveFileNames[0]
-  core.info(`Resolved ${extraDirectoryName}`) // contains the short SHA
-  const tempRepositoryPath = path.join(extractPath, extraDirectoryName)
+  const archiveVersion = archiveFileNames[0] // The top-level folder name includes the short SHA
+  core.info(`Resolved version ${archiveVersion}`)
+  const tempRepositoryPath = path.join(extractPath, archiveVersion)

  // Move the files
  for (const fileName of await fs.promises.readdir(tempRepositoryPath)) {
    const sourcePath = path.join(tempRepositoryPath, fileName)
    const targetPath = path.join(repositoryPath, fileName)
-    await io.mv(sourcePath, targetPath)
+    if (IS_WINDOWS) {
+      await io.cp(sourcePath, targetPath, {recursive: true}) // Copy on Windows (Windows Defender may have a lock)
+    } else {
+      await io.mv(sourcePath, targetPath)
+    }
  }
-
-  await exec.exec(`find .`, [], {
-    cwd: repositoryPath
-  } as ExecOptions)
+  io.rmRF(extractPath)
 }

 async function downloadArchive(
-  accessToken: string,
+  authToken: string,
  owner: string,
  repo: string,
  ref: string,
  commit: string
 ): Promise<Buffer> {
-  const octokit = new github.GitHub(accessToken)
+  const octokit = new github.GitHub(authToken)
  const params: ReposGetArchiveLinkParams = {
    owner: owner,
    repo: repo,
    archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
-    ref: refHelper.getDownloadRef(ref, commit)
+    ref: commit || ref
  }
  const response = await octokit.repos.getArchiveLink(params)
-  console.log('GOT THE RESPONSE')
-  console.log(`status=${response.status}`)
-  console.log(`headers=${JSON.stringify(response.headers)}`)
-  console.log(`data=${JSON.stringify(response.data)}`)
  if (response.status != 200) {
    throw new Error(
-      `Unexpected response from GitHub API. Status: '${response.status}'`
+      `Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
    )
  }

  return Buffer.from(response.data) // response.data is ArrayBuffer
 }
-
-// async function getArchiveUrl(
-//   accessToken: string,
-//   owner: string,
-//   repo: string,
-//   ref: string,
-//   commit: string
-// ): Promise<string> {
-//   const octokit = new github.GitHub(accessToken)
-//   const params: RequestOptions & ReposGetArchiveLinkParams = {
-//     method: 'HEAD',
-//     owner: owner,
-//     repo: repo,
-//     archive_format: IS_WINDOWS ? 'zipball' : 'tarball',
-//     ref: refHelper.getDownloadRef(ref, commit)
-//   }
-//   const response = await octokit.repos.getArchiveLink(params)
-//   console.log('GOT THE RESPONSE')
-//   console.log(`status=${response.status}`)
-//   console.log(`headers=${JSON.stringify(response.headers)}`)
-//   console.log(`data=${JSON.stringify(response.data)}`)
-//   if (response.status != 200) {
-//     throw new Error(
-//       `Unexpected response from GitHub API. Status: '${response.status}'`
-//     )
-//   }
-//   console.log('GETTING THE LOCATION')
-//   const archiveUrl = response.headers['Location'] // Do not print the archive URL because it has an embedded token
-//   assert.ok(
-//     archiveUrl,
-//     `Expected GitHub API response to contain 'Location' header`
-//   )
-//   return archiveUrl
-// }
-
-// function downloadFile(url: string, fileStream: WriteStream): Promise<void> {
-//   return new Promise((resolve, reject) => {
-//     try {
-//       https.get(url, (response: IncomingMessage) => {
-//         if (response.statusCode != 200) {
-//           reject(`Request failed with status '${response.statusCode}'`)
-//           response.resume() // Consume response data to free up memory
-//           return
-//         }
-
-//         response.on('data', chunk => {
-//           fileStream.write(chunk)
-//         })
-//         response.on('end', () => {
-//           resolve()
-//         })
-//         response.on('error', err => {
-//           reject(err)
-//         })
-//       })
-//     } catch (err) {
-//       reject(err)
-//     }
-//   })
-// }
-
-// function getFileClosedPromise(stream: WriteStream): Promise<void> {
-//   return new Promise((resolve, reject) => {
-//     stream.on('error', err => {
-//       reject(err)
-//     })
-//     stream.on('finish', () => {
-//       resolve()
-//     })
-//   })
-// }
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@@ -97,8 +97,12 @@ export function getInputs(): ISourceSettings {
  result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
  core.debug(`lfs = ${result.lfs}`)

-  // Access token
-  result.accessToken = core.getInput('token')
+  // Auth token
+  result.authToken = core.getInput('token')
+
+  // Persist credentials
+  result.persistCredentials =
+    (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'

  return result
 }
--- a/src/main.ts
+++ b/src/main.ts
@@ -3,8 +3,7 @@ import * as coreCommand from '@actions/core/lib/command'
 import * as gitSourceProvider from './git-source-provider'
 import * as inputHelper from './input-helper'
 import * as path from 'path'
-
-const cleanupRepositoryPath = process.env['STATE_repositoryPath'] as string
+import * as stateHelper from './state-helper'

 async function run(): Promise<void> {
  try {
@@ -31,14 +30,14 @@ async function run(): Promise<void> {

 async function cleanup(): Promise<void> {
  try {
-    await gitSourceProvider.cleanup(cleanupRepositoryPath)
+    await gitSourceProvider.cleanup(stateHelper.RepositoryPath)
  } catch (error) {
    core.warning(error.message)
  }
 }

 // Main
-if (!cleanupRepositoryPath) {
+if (!stateHelper.IsPost) {
  run()
 }
 // Post
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -5,15 +5,6 @@ export interface ICheckoutInfo {
  startPoint: string
 }

-export function getDownloadRef(ref: string, commit: string): string {
-  if (commit) {
-    return commit
-  }
-
-  // todo fix this to work with refs/pull etc
-  return ref
-}
-
 export async function getCheckoutInfo(
  git: IGitCommandManager,
  ref: string,
--- a/src/retry-helper.ts
+++ b/src/retry-helper.ts
@@ -1,36 +1,61 @@
 import * as core from '@actions/core'

-const maxAttempts = 3
-const minSeconds = 10
-const maxSeconds = 20
+const defaultMaxAttempts = 3
+const defaultMinSeconds = 10
+const defaultMaxSeconds = 20

-export async function execute<T>(action: () => Promise<T>): Promise<T> {
-  let attempt = 1
-  while (attempt < maxAttempts) {
-    // Try
-    try {
-      return await action()
-    } catch (err) {
-      core.info(err.message)
+export class RetryHelper {
+  private maxAttempts: number
+  private minSeconds: number
+  private maxSeconds: number
+
+  constructor(
+    maxAttempts: number = defaultMaxAttempts,
+    minSeconds: number = defaultMinSeconds,
+    maxSeconds: number = defaultMaxSeconds
+  ) {
+    this.maxAttempts = maxAttempts
+    this.minSeconds = Math.floor(minSeconds)
+    this.maxSeconds = Math.floor(maxSeconds)
+    if (this.minSeconds > this.maxSeconds) {
+      throw new Error('min seconds should be less than or equal to max seconds')
    }
-
-    // Sleep
-    const seconds = getRandomIntInclusive(minSeconds, maxSeconds)
-    core.info(`Waiting ${seconds} before trying again`)
-    await sleep(seconds * 1000)
-    attempt++
  }

-  // Last attempt
-  return await action()
+  async execute<T>(action: () => Promise<T>): Promise<T> {
+    let attempt = 1
+    while (attempt < this.maxAttempts) {
+      // Try
+      try {
+        return await action()
+      } catch (err) {
+        core.info(err.message)
+      }
+
+      // Sleep
+      const seconds = this.getSleepAmount()
+      core.info(`Waiting ${seconds} seconds before trying again`)
+      await this.sleep(seconds)
+      attempt++
+    }
+
+    // Last attempt
+    return await action()
+  }
+
+  private getSleepAmount(): number {
+    return (
+      Math.floor(Math.random() * (this.maxSeconds - this.minSeconds + 1)) +
+      this.minSeconds
+    )
+  }
+
+  private async sleep(seconds: number): Promise<void> {
+    return new Promise(resolve => setTimeout(resolve, seconds * 1000))
+  }
 }

-function getRandomIntInclusive(minimum: number, maximum: number): number {
-  minimum = Math.floor(minimum)
-  maximum = Math.floor(maximum)
-  return Math.floor(Math.random() * (maximum - minimum + 1)) + minimum
-}
-
-async function sleep(milliseconds): Promise<void> {
-  return new Promise(resolve => setTimeout(resolve, milliseconds))
+export async function execute<T>(action: () => Promise<T>): Promise<T> {
+  const retryHelper = new RetryHelper()
+  return await retryHelper.execute(action)
 }
--- a/src/state-helper.ts
+++ b/src/state-helper.ts
@@ -0,0 +1,30 @@
+import * as core from '@actions/core'
+import * as coreCommand from '@actions/core/lib/command'
+
+/**
+ * Indicates whether the POST action is running
+ */
+export const IsPost = !!process.env['STATE_isPost']
+
+/**
+ * The repository path for the POST action. The value is empty during the MAIN action.
+ */
+export const RepositoryPath =
+  (process.env['STATE_repositoryPath'] as string) || ''
+
+/**
+ * Save the repository path so the POST action can retrieve the value.
+ */
+export function setRepositoryPath(repositoryPath: string) {
+  coreCommand.issueCommand(
+    'save-state',
+    {name: 'repositoryPath'},
+    repositoryPath
+  )
+}
+
+// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
+// This is necessary since we don't have a separate entry point.
+if (!IsPost) {
+  coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true')
+}
Author	SHA1	Message	Date
eric sciple	a6747255bd	do not pass cred on command line (#108 )	2019-12-12 14:04:04 -05:00
eric sciple	c170eefc26	add input persist-credentials (#107 )	2019-12-12 13:49:26 -05:00
eric sciple	a572f640b0	fallback to REST API to download repo (#104 )	2019-12-12 13:16:16 -05:00
Riddhesh Sanghvi	cab31617d8	Document update: Checkout PR head sha (#102 )	2019-12-10 11:17:38 -05:00