actions / checkout

Checkout v7 What’s new

- Safer fork pull request handling: checkout now refuses to check out fork pull request code by default when the workflow is triggered by pull_request_target or workflow_run. These triggers run with the base repository’s GITHUB_TOKEN, secrets, and runner access, where executing a fork’s code commonly leads to “pwn request” vulnerabilities. To opt in after reviewing the risks, set the new allow-unsafe-pr-checkout: true input.
- Migrated actions/checkout to ESM to support new versions of the @actions/* packages.
- Updated direct and transitive dependencies, including security fixes for known vulnerabilities.
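An added example, not part of the actions/checkout project: a heuristic Python audit that lists checkout steps combining one of the triggers named above with a pull request head ref or the allow-unsafe-pr-checkout opt-in, for inventorying workflows before moving to v7. The regex-based parsing, the function names and the sample workflow are assumptions constructed for illustration.

```python
import re

# Added illustration (heuristic regex scan, no YAML parser); names are hypothetical.
PRIVILEGED = re.compile(r"\b(pull_request_target|workflow_run)\b")
# Expressions that resolve to the contributor's commit, not the base branch.
PR_HEAD = re.compile(r"pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/"
                     r"|workflow_run\.head_(sha|branch)")

def checkout_steps(lines):
    """Yield (line number, inputs dict) for each actions/checkout step."""
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*(?:-\s+)?)uses:\s*actions/checkout@", line)
        if not m:
            continue
        col, inputs = len(m.group(1)), {}
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < col:
                break  # dedent past the step's keys: the step is over
            kv = re.match(r"^\s*([\w-]+):\s*(.*)$", nxt)
            if kv:
                inputs[kv.group(1)] = kv.group(2).strip().strip("'\"")
        yield i + 1, inputs

def audit(workflow_text):
    lines = [re.sub(r"(^|\s)#.*$", "", ln) for ln in workflow_text.splitlines()]
    if not PRIVILEGED.search("\n".join(lines)):
        return []  # not one of the triggers the release note names
    findings = []
    for lineno, inputs in checkout_steps(lines):
        if inputs.get("allow-unsafe-pr-checkout", "").lower() == "true":
            findings.append((lineno, "explicit opt-in to fork PR checkout"))
        elif PR_HEAD.search(inputs.get("ref", "")):
            findings.append((lineno, "ref resolves to PR head"))
    return findings

# Constructed sample workflow, not taken from any real repository.
RISKY = """\
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          allow-unsafe-pr-checkout: true
      - run: make test
"""
SAFE = RISKY.replace("pull_request_target", "pull_request")  # same steps, other trigger
```

Calling audit(RISKY) reports the checkout step on line 6; each finding is a step to review before it runs with the base repository's token and secrets.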


Checkout v6 What’s new

- Improved credential security: persist-credentials now stores credentials in a separate file under $RUNNER_TEMP instead of directly in .git/config.
- No workflow changes required: git fetch, git push, etc. continue to work automatically.
- Running authenticated git commands from a Docker container action requires Actions Runner v2.329.0 or later.


Checkout v5 What’s new

Updated to the node24 runtime: This requires a minimum Actions Runner version of v2.327.1 to run.


Checkout v4

This action checks out your repository under $GITHUB_WORKSPACE, so your workflow can access it.

Only a single commit is fetched by default, for the ref/SHA that triggered the workflow. Set fetch-depth: 0 to fetch all history for all branches and tags. Refer here to learn which commit $GITHUB_SHA points to for different events.

The auth token is persisted in the local git config. This enables your scripts to run authenticated git commands. The token is removed during post-job cleanup. Set persist-credentials: false to opt out.

When Git 2.18 or higher is not in your PATH, the action falls back to the REST API to download the files.


Note

Thank you for your interest in this GitHub action; however, right now we are not taking contributions. We continue to focus our resources on strategic areas that help our customers be successful while making developers’ lives easier. While GitHub Actions remains a key part of this vision, we are allocating resources towards other areas of Actions and are not taking contributions to this repository at this time. The GitHub public roadmap is the best place to follow along for any updates on features we’re working on and what stage they’re in.


Usage

- uses: actions/checkout@v7
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
    repository: ''
    # The branch, tag or SHA to checkout.
    ref: ''
    # Personal access token (PAT) used to fetch the repository.
    token: ''
    # SSH key used to fetch the repository.
    ssh-key: ''
    # Known hosts in addition to the user and global host key database.
    ssh-known-hosts: ''
    # Whether to perform strict host key checking.
    # Default: true
    ssh-strict: ''
    # The user to use when connecting to the remote SSH host.
    # Default: git
    ssh-user: ''
    # Whether to configure the token or SSH key with the local git config
    # Default: true
    persist-credentials: ''
    # Relative path under $GITHUB_WORKSPACE to place the repository
    path: ''
    # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching
    # Default: true
    clean: ''
    # Partially clone against a given filter.
    filter: ''
    # Do a sparse checkout on given patterns.
    sparse-checkout: ''
    # Specifies whether to use cone-mode when doing a sparse checkout.
    # Default: true
    sparse-checkout-cone-mode: ''
    # Number of commits to fetch. 0 indicates all history.
    # Default: 1
    fetch-depth: ''
    # Whether to fetch tags.
    # Default: false
    fetch-tags: ''
    # Whether to show progress status output when fetching.
    # Default: true
    show-progress: ''
    # Whether to download Git-LFS files
    # Default: false
    lfs: ''
