Merge d86d1a437e into d632683dd7

The user provided inputs here are vulnerable to script injection. This PR uses an intermediary environment variable to treat the input as a string, rather than as part of the command.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

.github/workflows/publish-immutable-actions.yml

@@ -1,20 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Checking out
-        uses: actions/checkout@v4
-      - name: Publish
-        id: publish
-        uses: actions/publish-immutable-action@0.0.3

.github/workflows/update-main-version.yml

@@ -18,6 +18,9 @@ on:
 jobs:
   tag:
     runs-on: ubuntu-latest
+    env:
+      TARGET: ${{ github.event.inputs.target }}
+      MAIN_VERSION: ${{ github.event.inputs.major_version }}
     steps:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
@@ -30,6 +33,6 @@ jobs:
         git config user.name "github-actions[bot]"
         git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
     - name: Tag new target
-      run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+      run: git tag -f "$MAIN_VERSION" "$TARGET"
     - name: Push new tag
-      run: git push origin ${{ github.event.inputs.major_version }} --force
+      run: git push origin "$MAIN_VERSION" --force

CHANGELOG.md

@@ -1,8 +1,5 @@
 # Changelog
 
-## v4.2.1
-* Check out other refs/* by commit if provided, fall back to ref by @orhantoy in https://github.com/actions/checkout/pull/1924
-
 ## v4.2.0
 
 * Add Ref and Commit outputs by @lucacome in https://github.com/actions/checkout/pull/1180

__test__/ref-helper.test.ts

@@ -77,16 +77,6 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
-  it('getCheckoutInfo refs/ without commit', async () => {
-    const checkoutInfo = await refHelper.getCheckoutInfo(
-      git,
-      'refs/non-standard-ref',
-      ''
-    )
-    expect(checkoutInfo.ref).toBe('refs/non-standard-ref')
-    expect(checkoutInfo.startPoint).toBeFalsy()
-  })
-
   it('getCheckoutInfo unqualified branch only', async () => {
     git.branchExists = jest.fn(async (remote: boolean, pattern: string) => {
       return true

dist/index.js

@@ -2005,8 +2005,8 @@ function getCheckoutInfo(git, ref, commit) {
             result.ref = ref;
         }
         // refs/
-        else if (upperRef.startsWith('REFS/')) {
-            result.ref = commit ? commit : ref;
+        else if (upperRef.startsWith('REFS/') && commit) {
+            result.ref = commit;
         }
         // Unqualified ref, check for a matching branch or tag
         else {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "checkout",
-  "version": "4.2.1",
+  "version": "4.2.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "checkout",
-      "version": "4.2.1",
+      "version": "4.2.0",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "^1.10.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "4.2.1",
+  "version": "4.2.0",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {

src/ref-helper.ts

@@ -46,8 +46,8 @@ export async function getCheckoutInfo(
     result.ref = ref
   }
   // refs/
-  else if (upperRef.startsWith('REFS/')) {
-    result.ref = commit ? commit : ref
+  else if (upperRef.startsWith('REFS/') && commit) {
+    result.ref = commit
   }
   // Unqualified ref, check for a matching branch or tag
   else {