make octokit follow proxy setting.

.github/workflows/test.yml

@@ -1,25 +1,39 @@
 name: Build and Test
 
-on: push
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - releases/*
 
 jobs:
-  test-archive:
-    runs-on: windows-latest
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: npm ci
+      - run: npm run build
+      - run: npm run format-check
+      - run: npm run lint
+      - run: npm run pack
+      - run: npm run gendocs
+      - run: npm test
+      - name: Verify no unstaged changes
+        run: __test__/verify-no-unstaged-changes.sh
+
+  test:
+    strategy:
+      matrix:
+        runs-on: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.runs-on }}
+
     steps:
       # Clone this repo
       - name: Checkout
-        shell: bash
-        run: |
-          curl --location --user token:${{ github.token }} --output checkout.tar.gz https://api.github.com/repos/actions/checkout/tarball/${{ github.sha }}
-          tar -xzf checkout.tar.gz
-          mv */* ./
+        uses: actions/checkout@v2
 
       # Basic checkout
-      - shell: cmd
-        run: |
-          echo echo hello > git.cmd
-          echo ::add-path::%CD%
-
       - name: Basic checkout
         uses: ./
         with:
@@ -27,5 +41,61 @@ jobs:
           path: basic
       - name: Verify basic
         shell: bash
-        run: __test__/verify-basic.sh container
+        run: __test__/verify-basic.sh
 
+      # Clean
+      - name: Modify work tree
+        shell: bash
+        run: __test__/modify-work-tree.sh
+      - name: Clean checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify clean
+        shell: bash
+        run: __test__/verify-clean.sh
+
+      # Side by side
+      - name: Side by side checkout 1
+        uses: ./
+        with:
+          ref: test-data/v2/side-by-side-1
+          path: side-by-side-1
+      - name: Side by side checkout 2
+        uses: ./
+        with:
+          ref: test-data/v2/side-by-side-2
+          path: side-by-side-2
+      - name: Verify side by side
+        shell: bash
+        run: __test__/verify-side-by-side.sh
+
+      # LFS
+      - name: LFS checkout
+        uses: ./
+        with:
+          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
+          ref: test-data/v2/lfs
+          path: lfs
+          lfs: true
+      - name: Verify LFS
+        shell: bash
+        run: __test__/verify-lfs.sh
+
+  test-job-container:
+    runs-on: ubuntu-latest
+    container: alpine:latest
+    steps:
+      # Clone this repo
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      # Basic checkout
+      - name: Basic checkout
+        uses: ./
+        with:
+          ref: test-data/v2/basic
+          path: basic
+      - name: Verify basic
+        run: __test__/verify-basic.sh --archive

README.md

@@ -2,29 +2,30 @@
   <a href="https://github.com/actions/checkout"><img alt="GitHub Actions status" src="https://github.com/actions/checkout/workflows/test-local/badge.svg"></a>
 </p>
 
-# Checkout V2 beta
+# Checkout V2
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
-By default, the repository that triggered the workflow is checked-out, for the ref/SHA that triggered the event.
+Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set `fetch-depth` to fetch more history. Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
 
-Refer [here](https://help.github.com/en/articles/events-that-trigger-workflows) to learn which commit `$GITHUB_SHA` points to for different events.
+The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set `persist-credentials: false` to opt-out.
+
+When Git 2.18 or higher is not in your PATH, falls back to the REST API to download the files.
 
 # What's new
 
-- Improved fetch performance
-  - The default behavior now fetches only the SHA being checked-out
+- Improved performance
+  - Fetches only a single commit by default
 - Script authenticated git commands
-  - Persists `with.token` in the local git config
-  - Enables your scripts to run authenticated git commands
-  - Post-job cleanup removes the token
-  - Coming soon: Opt out by setting `with.persist-credentials` to `false`
+  - Auth token persisted in the local git config
 - Creates a local branch
   - No longer detached HEAD when checking out a branch
-  - A local branch is created with the corresponding upstream branch set
 - Improved layout
-  - `with.path` is always relative to `github.workspace`
-  - Aligns better with container actions, where `github.workspace` gets mapped in
+  - The input `path` is always relative to $GITHUB_WORKSPACE
+  - Aligns better with container actions, where $GITHUB_WORKSPACE gets mapped in
+- Fallback to REST API download
+  - When Git 2.18 or higher is not in the PATH, the REST API will be used to download the files
+  - When using a job container, the container's PATH is used
 - Removed input `submodules`
 
 Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous versions.
@@ -33,21 +34,28 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
     repository: ''
 
-    # The branch, tag or SHA to checkout.  When checking out the repository that
+    # The branch, tag or SHA to checkout. When checking out the repository that
     # triggered a workflow, this defaults to the reference or SHA for that event.
     # Otherwise, defaults to `master`.
     ref: ''
 
-    # Access token for clone repository
+    # Auth token used to fetch the repository. The token is stored in the local git
+    # config, which enables your scripts to run authenticated git commands. The
+    # post-job step removes the token from the git config. [Learn more about creating
+    # and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     # Default: ${{ github.token }}
     token: ''
 
+    # Whether to persist the token in the git config
+    # Default: true
+    persist-credentials: ''
+
     # Relative path under $GITHUB_WORKSPACE to place the repository
     path: ''
 
@@ -65,31 +73,139 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
 ```
 <!-- end usage -->
 
+# Scenarios
+
+- [Checkout a different branch](#Checkout-a-different-branch)
+- [Checkout HEAD^](#Checkout-HEAD)
+- [Checkout multiple repos (side by side)](#Checkout-multiple-repos-side-by-side)
+- [Checkout multiple repos (nested)](#Checkout-multiple-repos-nested)
+- [Checkout multiple repos (private)](#Checkout-multiple-repos-private)
+- [Checkout pull request HEAD commit instead of merge commit](#Checkout-pull-request-HEAD-commit-instead-of-merge-commit)
+- [Checkout pull request on closed event](#Checkout-pull-request-on-closed-event)
+- [Checkout submodules](#Checkout-submodules)
+- [Fetch all tags](#Fetch-all-tags)
+- [Fetch all branches](#Fetch-all-branches)
+- [Fetch all history for all tags and branches](#Fetch-all-history-for-all-tags-and-branches)
+
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    ref: some-branch
+    ref: my-branch
 ```
 
-## Checkout a different, private repository
+## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    repository: myAccount/myRepository
-    ref: refs/heads/master
+    fetch-depth: 2
+- run: git checkout HEAD^
+```
+
+## Checkout multiple repos (side by side)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+  with:
+    path: main
+
+- name: Checkout tools repo
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (nested)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+
+- name: Checkout tools repo
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-tools
+    path: my-tools
+```
+
+## Checkout multiple repos (private)
+
+```yaml
+- name: Checkout
+  uses: actions/checkout@v2
+  with:
+    path: main
+
+- name: Checkout private tools
+  uses: actions/checkout@v2
+  with:
+    repository: my-org/my-private-tools
     token: ${{ secrets.GitHub_PAT }} # `GitHub_PAT` is a secret that contains your PAT
+    path: my-tools
 ```
-> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout another repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
 
-## Checkout the HEAD commit of a PR, rather than the merge commit
+> - `${{ github.token }}` is scoped to the current repository, so if you want to checkout a different repository that is private you will need to provide your own [PAT](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line).
+
+
+## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v2-beta
+- uses: actions/checkout@v2
   with:
-    ref: ${{ github.event.after }}
+    ref: ${{ github.event.pull_request.head.sha }}
+```
+
+## Checkout pull request on closed event
+
+```yaml
+on:
+  pull_request:
+    branches: [master]
+    types: [opened, synchronize, closed]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+```
+
+## Checkout submodules
+
+```yaml
+- uses: actions/checkout@v2
+- name: Checkout submodules
+  shell: bash
+  run: |
+    auth_header="$(git config --local --get http.https://github.com/.extraheader)"
+    git submodule sync --recursive
+    git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
+```
+
+## Fetch all tags
+
+```yaml
+- uses: actions/checkout@v2
+- run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
+```
+
+## Fetch all branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+```
+
+## Fetch all history for all tags and branches
+
+```yaml
+- uses: actions/checkout@v2
+- run: |
+    git fetch --prune --unshallow
 ```
 
 # License

__test__/input-helper.test.ts

@@ -63,7 +63,7 @@ describe('input-helper tests', () => {
   it('sets defaults', () => {
     const settings: ISourceSettings = inputHelper.getInputs()
     expect(settings).toBeTruthy()
-    expect(settings.accessToken).toBeFalsy()
+    expect(settings.authToken).toBeFalsy()
     expect(settings.clean).toBe(true)
     expect(settings.commit).toBeTruthy()
     expect(settings.commit).toBe('1234567890123456789012345678901234567890')

__test__/verify-basic.sh

@@ -5,7 +5,7 @@ if [ ! -f "./basic/basic-file.txt" ]; then
     exit 1
 fi
 
-if [ "$1" = "container" ]; then
+if [ "$1" = "--archive" ]; then
   # Verify no .git folder
   if [ -d "./basic/.git" ]; then
     echo "Did not expect ./basic/.git folder to exist"
@@ -20,5 +20,5 @@ else
 
   # Verify auth token
   cd basic
-  git fetch --depth=1
+  git fetch --no-tags --depth=1 origin +refs/heads/master:refs/remotes/origin/master
 fi

action.yml

@@ -6,12 +6,19 @@ inputs:
     default: ${{ github.repository }}
   ref:
     description: >
-      The branch, tag or SHA to checkout.  When checking out the repository
-      that triggered a workflow, this defaults to the reference or SHA for
-      that event.  Otherwise, defaults to `master`.
+      The branch, tag or SHA to checkout. When checking out the repository that
+      triggered a workflow, this defaults to the reference or SHA for that
+      event.  Otherwise, defaults to `master`.
   token:
-    description: 'Access token for clone repository'
+    description: >
+      Auth token used to fetch the repository. The token is stored in the local
+      git config, which enables your scripts to run authenticated git commands.
+      The post-job step removes the token from the git config. [Learn more about
+      creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     default: ${{ github.token }}
+  persist-credentials:
+    description: 'Whether to persist the token in the git config'
+    default: true
   path:
     description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
   clean:

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -929,6 +929,11 @@
       "integrity": "sha512-7evsyfH1cLOCdAzZAd43Cic04yKydNx0cF+7tiA19p1XnLLPU4dpCQOqpjqwokFe//vS0QqfqqjCS2JkiIs0cA==",
       "dev": true
     },
+    "agent-base": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-5.1.1.tgz",
+      "integrity": "sha512-TMeqbNl2fMW0nMjTEPOwe3J/PRFP4vqeoNuQMG0HlMrtm5QxKqdvAkZ1pRBQ/ulIyDD5Yq0nJ7YbdD8ey0TO3g=="
+    },
     "ajv": {
       "version": "6.10.2",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.10.2.tgz",
@@ -1707,7 +1712,6 @@
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
       "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
-      "dev": true,
       "requires": {
         "ms": "^2.1.1"
       }
@@ -3670,6 +3674,15 @@
         "sshpk": "^1.7.0"
       }
     },
+    "https-proxy-agent": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-4.0.0.tgz",
+      "integrity": "sha512-zoDhWrkR3of1l9QAL8/scJZyLu8j/gBkcwcaQOZh7Gyh/+uJQzGVETdgT30akuwkpL8HTRfssqI3BZuV18teDg==",
+      "requires": {
+        "agent-base": "5",
+        "debug": "4"
+      }
+    },
     "iconv-lite": {
       "version": "0.4.24",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
@@ -4985,8 +4998,7 @@
     "ms": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==",
-      "dev": true
+      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
     "mute-stream": {
       "version": "0.0.7",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -34,6 +34,7 @@
     "@actions/github": "^2.0.0",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
+    "https-proxy-agent": "^4.0.0",
     "uuid": "^3.3.3"
   },
   "devDependencies": {

src/git-command-manager.ts

@@ -77,10 +77,12 @@ class GitCommandManager {
   async branchList(remote: boolean): Promise<string[]> {
     const result: string[] = []
 
-    // Note, this implementation uses "rev-parse --symbolic" because the output from
+    // Note, this implementation uses "rev-parse --symbolic-full-name" because the output from
     // "branch --list" is more difficult when in a detached HEAD state.
+    // Note, this implementation uses "rev-parse --symbolic-full-name" because there is a bug
+    // in Git 2.18 that causes "rev-parse --symbolic" to output symbolic full names.
 
-    const args = ['rev-parse', '--symbolic']
+    const args = ['rev-parse', '--symbolic-full-name']
     if (remote) {
       args.push('--remotes=origin')
     } else {
@@ -92,6 +94,12 @@ class GitCommandManager {
     for (let branch of output.stdout.trim().split('\n')) {
       branch = branch.trim()
       if (branch) {
+        if (branch.startsWith('refs/heads/')) {
+          branch = branch.substr('refs/heads/'.length)
+        } else if (branch.startsWith('refs/remotes/')) {
+          branch = branch.substr('refs/remotes/'.length)
+        }
+
         result.push(branch)
       }
     }
@@ -116,7 +124,7 @@ class GitCommandManager {
   }
 
   async config(configKey: string, configValue: string): Promise<void> {
-    await this.execGit(['config', configKey, configValue])
+    await this.execGit(['config', '--local', configKey, configValue])
   }
 
   async configExists(configKey: string): Promise<boolean> {
@@ -124,7 +132,7 @@ class GitCommandManager {
       return `\\${x}`
     })
     const output = await this.execGit(
-      ['config', '--name-only', '--get-regexp', pattern],
+      ['config', '--local', '--name-only', '--get-regexp', pattern],
       true
     )
     return output.exitCode === 0
@@ -170,12 +178,12 @@ class GitCommandManager {
   }
 
   async isDetached(): Promise<boolean> {
-    // Note, this implementation uses "branch --show-current" because
-    // "rev-parse --symbolic-full-name HEAD" can fail on a new repo
-    // with nothing checked out.
-
-    const output = await this.execGit(['branch', '--show-current'])
-    return output.stdout.trim() === ''
+    // Note, "branch --show-current" would be simpler but isn't available until Git 2.22
+    const output = await this.execGit(
+      ['rev-parse', '--symbolic-full-name', '--verify', '--quiet', 'HEAD'],
+      true
+    )
+    return !output.stdout.trim().startsWith('refs/heads/')
   }
 
   async lfsFetch(ref: string): Promise<void> {
@@ -211,20 +219,23 @@ class GitCommandManager {
 
   async tryConfigUnset(configKey: string): Promise<boolean> {
     const output = await this.execGit(
-      ['config', '--unset-all', configKey],
+      ['config', '--local', '--unset-all', configKey],
       true
     )
     return output.exitCode === 0
   }
 
   async tryDisableAutomaticGarbageCollection(): Promise<boolean> {
-    const output = await this.execGit(['config', 'gc.auto', '0'], true)
+    const output = await this.execGit(
+      ['config', '--local', 'gc.auto', '0'],
+      true
+    )
     return output.exitCode === 0
   }
 
   async tryGetFetchUrl(): Promise<string> {
     const output = await this.execGit(
-      ['config', '--get', 'remote.origin.url'],
+      ['config', '--local', '--get', 'remote.origin.url'],
       true
     )
 

src/git-source-provider.ts

@@ -1,5 +1,4 @@
 import * as core from '@actions/core'
-import * as coreCommand from '@actions/core/lib/command'
 import * as fs from 'fs'
 import * as fsHelper from './fs-helper'
 import * as gitCommandManager from './git-command-manager'
@@ -21,7 +20,8 @@ export interface ISourceSettings {
   clean: boolean
   fetchDepth: number
   lfs: boolean
-  accessToken: string
+  authToken: string
+  persistCredentials: boolean
 }
 
 export async function getSource(settings: ISourceSettings): Promise<void> {
@@ -65,7 +65,7 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
       `To create a local Git repository instead, add Git ${gitCommandManager.MinimumGitVersion} or higher to the PATH`
     )
     await githubApiHelper.downloadRepository(
-      settings.accessToken,
+      settings.authToken,
       settings.repositoryOwner,
       settings.repositoryName,
       settings.ref,
@@ -94,43 +94,43 @@ export async function getSource(settings: ISourceSettings): Promise<void> {
     // Remove possible previous extraheader
     await removeGitConfig(git, authConfigKey)
 
-    // Add extraheader (auth)
-    const base64Credentials = Buffer.from(
-      `x-access-token:${settings.accessToken}`,
-      'utf8'
-    ).toString('base64')
-    core.setSecret(base64Credentials)
-    const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-    await git.config(authConfigKey, authConfigValue)
+    try {
+      // Config auth token
+      await configureAuthToken(git, settings.authToken)
 
-    // LFS install
-    if (settings.lfs) {
-      await git.lfsInstall()
+      // LFS install
+      if (settings.lfs) {
+        await git.lfsInstall()
+      }
+
+      // Fetch
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
+      await git.fetch(settings.fetchDepth, refSpec)
+
+      // Checkout info
+      const checkoutInfo = await refHelper.getCheckoutInfo(
+        git,
+        settings.ref,
+        settings.commit
+      )
+
+      // LFS fetch
+      // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
+      // Explicit lfs fetch will fetch lfs objects in parallel.
+      if (settings.lfs) {
+        await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
+      }
+
+      // Checkout
+      await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
+
+      // Dump some info about the checked out commit
+      await git.log1()
+    } finally {
+      if (!settings.persistCredentials) {
+        await removeGitConfig(git, authConfigKey)
+      }
     }
-
-    // Fetch
-    const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
-    await git.fetch(settings.fetchDepth, refSpec)
-
-    // Checkout info
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      settings.ref,
-      settings.commit
-    )
-
-    // LFS fetch
-    // Explicit lfs-fetch to avoid slow checkout (fetches one lfs object at a time).
-    // Explicit lfs fetch will fetch lfs objects in parallel.
-    if (settings.lfs) {
-      await git.lfsFetch(checkoutInfo.startPoint || checkoutInfo.ref)
-    }
-
-    // Checkout
-    await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
-
-    // Dump some info about the checked out commit
-    await git.log1()
   }
 }
 
@@ -255,6 +255,40 @@ async function prepareExistingDirectory(
   }
 }
 
+async function configureAuthToken(
+  git: IGitCommandManager,
+  authToken: string
+): Promise<void> {
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
+    `x-access-token:${authToken}`,
+    'utf8'
+  ).toString('base64')
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
+}
+
 async function removeGitConfig(
   git: IGitCommandManager,
   configKey: string
@@ -264,21 +298,6 @@ async function removeGitConfig(
     !(await git.tryConfigUnset(configKey))
   ) {
     // Load the config contents
-    core.warning(
-      `Failed to remove '${configKey}' from the git config. Attempting to remove the config value by editing the file directly.`
-    )
-    const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
-    fsHelper.fileExistsSync(configPath)
-    let contents = fs.readFileSync(configPath).toString() || ''
-
-    // Filter - only includes lines that do not contain the config key
-    const upperConfigKey = configKey.toUpperCase()
-    const split = contents
-      .split('\n')
-      .filter(x => !x.toUpperCase().includes(upperConfigKey))
-    contents = split.join('\n')
-
-    // Rewrite the config file
-    fs.writeFileSync(configPath, contents)
+    core.warning(`Failed to remove '${configKey}' from the git config`)
   }
 }

src/github-api-helper.ts

@@ -8,11 +8,12 @@ import * as retryHelper from './retry-helper'
 import * as toolCache from '@actions/tool-cache'
 import {default as uuid} from 'uuid/v4'
 import {ReposGetArchiveLinkParams} from '@octokit/rest'
+import HttpsProxyAgent from 'https-proxy-agent'
 
 const IS_WINDOWS = process.platform === 'win32'
 
 export async function downloadRepository(
-  accessToken: string,
+  authToken: string,
   owner: string,
   repo: string,
   ref: string,
@@ -22,7 +23,7 @@ export async function downloadRepository(
   // Download the archive
   let archiveData = await retryHelper.execute(async () => {
     core.info('Downloading the archive')
-    return await downloadArchive(accessToken, owner, repo, ref, commit)
+    return await downloadArchive(authToken, owner, repo, ref, commit)
   })
 
   // Write archive to disk
@@ -58,19 +59,23 @@ export async function downloadRepository(
   for (const fileName of await fs.promises.readdir(tempRepositoryPath)) {
     const sourcePath = path.join(tempRepositoryPath, fileName)
     const targetPath = path.join(repositoryPath, fileName)
-    await io.mv(sourcePath, targetPath)
+    if (IS_WINDOWS) {
+      await io.cp(sourcePath, targetPath, {recursive: true}) // Copy on Windows (Windows Defender may have a lock)
+    } else {
+      await io.mv(sourcePath, targetPath)
+    }
   }
   io.rmRF(extractPath)
 }
 
 async function downloadArchive(
-  accessToken: string,
+  authToken: string,
   owner: string,
   repo: string,
   ref: string,
   commit: string
 ): Promise<Buffer> {
-  const octokit = new github.GitHub(accessToken)
+  const octokit = createOctokit(authToken)
   const params: ReposGetArchiveLinkParams = {
     owner: owner,
     repo: repo,
@@ -80,9 +85,44 @@ async function downloadArchive(
   const response = await octokit.repos.getArchiveLink(params)
   if (response.status != 200) {
     throw new Error(
-      `Unexpected response from GitHub API. Status: '${response.status}'`
+      `Unexpected response from GitHub API. Status: ${response.status}, Data: ${response.data}`
     )
   }
 
   return Buffer.from(response.data) // response.data is ArrayBuffer
 }
+
+function createOctokit(authToken: string): github.GitHub {
+  let proxyVar: string =
+    process.env['https_proxy'] || process.env['HTTPS_PROXY'] || ''
+
+  if (!proxyVar) {
+    return new github.GitHub(authToken)
+  }
+
+  let noProxy: string = process.env['no_proxy'] || process.env['NO_PROXY'] || ''
+
+  let bypass: boolean = false
+  if (noProxy) {
+    let bypassList = noProxy.split(',')
+    for (let i = 0; i < bypassList.length; i++) {
+      let item = bypassList[i]
+      if (
+        item &&
+        typeof item === 'string' &&
+        item.trim().toLocaleLowerCase() === 'github.com'
+      ) {
+        bypass = true
+        break
+      }
+    }
+  }
+
+  if (bypass) {
+    return new github.GitHub(authToken)
+  } else {
+    return new github.GitHub(authToken, {
+      request: {agent: new HttpsProxyAgent(proxyVar)}
+    })
+  }
+}

src/input-helper.ts

@@ -97,8 +97,12 @@ export function getInputs(): ISourceSettings {
   result.lfs = (core.getInput('lfs') || 'false').toUpperCase() === 'TRUE'
   core.debug(`lfs = ${result.lfs}`)
 
-  // Access token
-  result.accessToken = core.getInput('token')
+  // Auth token
+  result.authToken = core.getInput('token')
+
+  // Persist credentials
+  result.persistCredentials =
+    (core.getInput('persist-credentials') || 'false').toUpperCase() === 'TRUE'
 
   return result
 }

src/misc/generate-docs.ts

@@ -65,9 +65,14 @@ function updateUsage(
       let segment: string = description
       if (description.length > width) {
         segment = description.substr(0, width + 1)
-        while (!segment.endsWith(' ')) {
+        while (!segment.endsWith(' ') && segment) {
           segment = segment.substr(0, segment.length - 1)
         }
+
+        // Trimmed too much?
+        if (segment.length < width * 0.67) {
+          segment = description
+        }
       } else {
         segment = description
       }
@@ -96,7 +101,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v2-beta',
+  'actions/checkout@v2',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )

src/retry-helper.ts

@@ -17,6 +17,9 @@ export class RetryHelper {
     this.maxAttempts = maxAttempts
     this.minSeconds = Math.floor(minSeconds)
     this.maxSeconds = Math.floor(maxSeconds)
+    if (this.minSeconds > this.maxSeconds) {
+      throw new Error('min seconds should be less than or equal to max seconds')
+    }
   }
 
   async execute<T>(action: () => Promise<T>): Promise<T> {

src/state-helper.ts

@@ -9,7 +9,8 @@ export const IsPost = !!process.env['STATE_isPost']
 /**
  * The repository path for the POST action. The value is empty during the MAIN action.
  */
-export const RepositoryPath = process.env['STATE_repositoryPath'] as string
+export const RepositoryPath =
+  (process.env['STATE_repositoryPath'] as string) || ''
 
 /**
  * Save the repository path so the POST action can retrieve the value.