diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..87c8c11 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,21 @@ +FROM docker.io/golang:1.23-alpine3.20 AS compile + +ENV CGO_ENABLED=0 + +WORKDIR /app + +COPY go.mod go.sum /app/ +RUN go mod download + +COPY *.go /app/ +RUN go build -o app . + +FROM docker.io/alpine:3.20 + +WORKDIR / + +RUN apk add git + +COPY --from=compile /app/app / + +ENTRYPOINT ["/app"] \ No newline at end of file diff --git a/LICENSE.md b/LICENSE similarity index 100% rename from LICENSE.md rename to LICENSE diff --git a/README.md b/README.md index e7d58f1..4642dd4 100644 --- a/README.md +++ b/README.md @@ -1,20 +1 @@ # checkout - -This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it. - -Only a single commit is fetched by default, for the ref/sha that triggered the workflow. The auth token -is persisted in the local git config. This enables your scripts to run authenticated git commands. - -This action is only written in shell (bash). - -## Usage - -```yaml -uses: actions/checkout:1.0.0 -with: - repository: ${{ github.server_url }}/${{ github.repository }}.git - token: ${{ github.token }} - path: . - ref: ${{ github.ref || github.sha }} -``` - diff --git a/action.yml b/action.yml index 54df608..09b6faa 100644 --- a/action.yml +++ b/action.yml @@ -1,37 +1,23 @@ # SPDX-License-Identifier: EUPL-1.2 name: "Checkout" description: "Checkout a Git repository at a particular version" +author: "Louis Seubert" inputs: repository: description: > - Repository name with owner. For example, actions/checkout - default: ${{ github.server_url }}/${{ github.repository }}.git - token: - description: > - Personal access token (PAT) used to fetch the repository. The PAT is configured - with the local git config, which enables your scripts to run authenticated git - commands. - default: ${{ github.token }} + The path to the repository to checkout. Must be accessible with the + pipeline token on publiclly + default: "${{ github.server_url }}/${{ github.repository }}.git" path: description: > Relative path under $GITHUB_WORKSPACE to place the repository - default: . + default: "." ref: description: > The branch, tag or SHA to checkout. When checking out the repository that triggered a workflow, this defaults to the reference or SHA for that - event. Otherwise, uses the default branch. + event. Otherwise, uses the default branch. default: ${{ github.ref || github.sha }} runs: - using: composite - steps: - - name: Checkout - shell: bash - run: | - export PATH=${{ github.action_path }}/scripts:$PATH - checkout.sh - env: - ACTION_INPUT_TOKEN: ${{ inputs.token }} - ACTION_INPUT_REPOSITORY: ${{ inputs.repository }} - ACTION_INPUT_PATH: ${{ inputs.path }} - ACTION_INPUT_REF: ${{ inputs.ref }} + using: 'docker' + image: 'Dockerfile' diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..5889153 --- /dev/null +++ b/go.mod @@ -0,0 +1,5 @@ +module git.geekeey.de/actions/checkout + +go 1.23.2 + +require git.geekeey.de/actions/sdk v1.0.1 diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..9f838a7 --- /dev/null +++ b/go.sum @@ -0,0 +1,6 @@ +git.geekeey.de/actions/sdk v0.0.0-20241020125724-76a93c0d8cec h1:auq6X3d0N25UPSyjuvRDh55W4sgAsSaeDGdWOS6AG6g= +git.geekeey.de/actions/sdk v0.0.0-20241020125724-76a93c0d8cec/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA= +git.geekeey.de/actions/sdk v1.0.0 h1:vVEPz6ndFJt4iqtJhhFuf7XA3bf2gasZJ3f8gb94o5g= +git.geekeey.de/actions/sdk v1.0.0/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA= +git.geekeey.de/actions/sdk v1.0.1 h1:fecr+IILPgKFoMaQDtSvkBbaFfudOlf+2KdMVKcFA1M= +git.geekeey.de/actions/sdk v1.0.1/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA= diff --git a/main.go b/main.go new file mode 100644 index 0000000..5f2d0d7 --- /dev/null +++ b/main.go @@ -0,0 +1,173 @@ +package main + +import ( + "context" + "encoding/base64" + "fmt" + "net/url" + "os" + "os/exec" + "os/signal" + "strings" + + "git.geekeey.de/actions/sdk" +) + +func main() { + action := &CheckoutAction{Action: sdk.New()} + ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt) + defer cancel() + if err := action.run(ctx); err != nil { + action.Errorf("%s", err) + os.Exit(1) + } +} + +type CheckoutAction struct { + *sdk.Action + repository string + path string + reference string +} + +func (action *CheckoutAction) setup() error { + var err error + action.repository = action.GetInput("repository") + action.path = action.GetInput("path") + action.reference = action.GetInput("ref") + return err +} + +func (action *CheckoutAction) run(ctx context.Context) error { + if err := action.setup(); err != nil { + return err + } + env := action.Context() + + var sh *Shell + + sh = &Shell{} + sh.Add("git", "config", "--global", "--add", "protocol.version", "2") + sh.Add("git", "init", "-q", action.path) + sh.Add("git", "-C", action.path, "config", "--local", "gc.auto", "0") + if err := sh.Run(ctx); err != nil { + return err + } + + action.Noticef("Configuring git repository credentials") + server, err := url.Parse(env.ServerURL) + if err != nil { + return err + } + + sh = &Shell{} + sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("git@%s", server.Host)) + sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("ssh://git@%s", server.Host)) + sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("git://%s", server.Host)) + if err := sh.Run(ctx); err != nil { + return err + } + + enc := base64.StdEncoding + header := fmt.Sprintf("Authorization: Basic %s", enc.EncodeToString([]byte(fmt.Sprintf("x-access-token:%s", env.Token)))) + + sh = &Shell{} + sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("http.%s.extraheader", env.ServerURL), header) + if err := sh.Run(ctx); err != nil { + return err + } + + origin := "origin" + + sh = &Shell{} + sh.Add("git", "-C", action.path, "remote", "add", origin, action.repository) + if err := sh.Run(ctx); err != nil { + return err + } + + stdout, _, err := execx(ctx, "git", "-C", action.path, "ls-remote", origin, action.reference) + if err != nil { + return err + } + lines := strings.Split(stdout, "\t") + if len(lines) < 2 { + return fmt.Errorf("git ls-remore resolved nothing") + } + sha := strings.TrimSpace(lines[0]) + ref := strings.TrimSpace(lines[1]) + + sh = &Shell{} + + if strings.HasPrefix(ref, "refs/heads/") { + name := strings.TrimPrefix(ref, "refs/heads/") + remote := fmt.Sprintf("refs/remotes/%s/%s", origin, name) + branch := name + + action.Debugf("Checking out branch %s@%s", name, sha) + + sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1", + origin, fmt.Sprintf("+%s:%s", sha, remote)) + sh.Add("git", "-C", action.path, "checkout", "--force", "-B", branch, remote) + } else if strings.HasPrefix(ref, "refs/pull/") { + name := strings.TrimPrefix(ref, "refs/pull/") + remote := fmt.Sprintf("refs/remotes/pull/%s", name) + + action.Debugf("Checking out pull-request %s@%s", name, sha) + + var branch string + if len(env.BaseRef) != 0 { + branch = env.BaseRef + } else if len(env.HeadRef) != 0 { + branch = env.HeadRef + } else { + return fmt.Errorf("pull request can not find base ref for branch") + } + + sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1", + origin, fmt.Sprintf("+%s:%s", sha, remote)) + sh.Add("git", "-C", action.path, "checkout", "--force", "-B", branch, remote) + } else if strings.HasPrefix(ref, "refs/tags/") { + name := strings.TrimPrefix(ref, "refs/tags/") + remote := fmt.Sprintf("refs/tags/%s", name) + + action.Debugf("Checking out ptag %s@%s", name, sha) + + sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1", + origin, fmt.Sprintf("+%s:%s", sha, remote)) + sh.Add("git", "-C", action.path, "checkout", "--force", remote) + } else { + action.Debugf("Checking out detached head %s", ref) + + sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1", + origin, ref) + sh.Add("git", "-C", action.path, "checkout", "--force", ref) + } + + if err := sh.Run(ctx); err != nil { + return err + } + + return nil +} + +type Shell [][]string + +func (sh *Shell) Add(line ...string) { *sh = append([][]string(*sh), line) } + +func (sh *Shell) Run(ctx context.Context) error { + for _, line := range [][]string(*sh) { + if _, _, err := execx(ctx, line...); err != nil { + return err + } + } + return nil +} + +func execx(ctx context.Context, args ...string) (string, string, error) { + cmd := exec.CommandContext(ctx, args[0], args[1:]...) + var outbuf, errbuf strings.Builder + cmd.Stdout = &outbuf + cmd.Stderr = &errbuf + err := cmd.Run() + return outbuf.String(), errbuf.String(), err +} diff --git a/scripts/checkout.sh b/scripts/checkout.sh deleted file mode 100755 index 4f63f24..0000000 --- a/scripts/checkout.sh +++ /dev/null @@ -1,121 +0,0 @@ -#!/usr/bin/env bash -shopt -s extglob - -ACTION_INPUT_TOKEN="${ACTION_INPUT_TOKEN:?}" -ACTION_INPUT_REPOSITORY="${ACTION_INPUT_REPOSITORY:?}" -ACTION_INPUT_PATH="${ACTION_INPUT_PATH:?}" -ACTION_INPUT_REF="${ACTION_INPUT_REF:?}" - -error() { - echo "$*" 1>&2 ; exit 1; -} - -# ensure we are in the right place -[[ -z "${GITHUB_WORKSPACE:-}" ]] || { cd "${GITHUB_WORKSPACE}" || error ; } - -git config --global --add protocol.version 2 - -git init -q "${ACTION_INPUT_PATH}" && { cd "${ACTION_INPUT_PATH}" || error ; } - -git config --local gc.auto 0 - -# the server url and uri are important for determining the default checkout url -GITHUB_SERVER_URL="${GITHUB_SERVER_URL:?}" -GITHUB_SERVER_URI="${GITHUB_SERVER_URL//http?(s):\/\//}" - -# use https instead of everything else -git config --add url."${GITHUB_SERVER_URL}/".insteadOf "git@${GITHUB_SERVER_URI}:" -git config --add url."${GITHUB_SERVER_URL}/".insteadOf "ssh://git@${GITHUB_SERVER_URI}/" -git config --add url."${GITHUB_SERVER_URL}/".insteadOf "git://${GITHUB_SERVER_URI}/" - -# prepare git config extra header for https auth -BASE64="base64 --wrap 0" -echo "" | ${BASE64} >/dev/null 2>&1 || BASE64="base64" -echo "" | ${BASE64} >/dev/null 2>&1 || BASE64="openssl base64 -A" -echo "" | ${BASE64} >/dev/null 2>&1 - -GIT_HTTP_EXTRAHEADER="AUTHORIZATION: basic $(echo -n "x-access-token:${ACTION_INPUT_TOKEN}" | ${BASE64})" -git config --local --add http."${GITHUB_SERVER_URL}".extraheader "${GIT_HTTP_EXTRAHEADER}" - -# add the repository as remote -git remote add origin "${ACTION_INPUT_REPOSITORY}" - -git_default_refspec() { - git ls-remote --symref origin HEAD | { read -r _ ref name ; echo "${ref}" ; } -} - -git_resolve_refspec() { - # shellcheck disable=SC2068 - git ls-remote origin $@ | { read -r sha ref _ ; echo "${sha} ${ref}" ; } -} - -fetch() { - # shellcheck disable=SC2068 - git fetch --no-tags --prune --no-recurse-submodules --depth=1 origin $@ -} - -checkout() { - # shellcheck disable=SC2068 - git checkout --force $@ -} - -# the checkout is based on a commit hash -if [[ ${ACTION_INPUT_REF:-} =~ ^[0-9a-f]{5,40}$ ]] -then - fetch "${ACTION_INPUT_REF}" && checkout "${ACTION_INPUT_REF}" - exit -fi - -# update selected ref when no input is given to remote default branch -: "${ACTION_INPUT_REF:=$( git_default_refspec )}" - -# TODO: check if repo is workflow repo, if so, use commit sha from env -# like GITHUB_REF and GITHUB_SHA - -read -r GIT_SHA GIT_REF _ <<< "$( git_resolve_refspec "${ACTION_INPUT_REF}" )" -: "${GIT_SHA:?}" "${GIT_REF:?}" - -# we always use the refspec with the commit sha as source to prevent -# race conditions when running on a frequently used branch - -checkout_head() { - local name="${GIT_REF#refs\/heads\/}" - local remote="refs/remotes/origin/${name}" - - fetch "+${GIT_SHA}:${remote}" - - checkout -B "${name}" "${remote}" -} - -checkout_pull() { - local name="${GIT_REF#refs\/pull\/}" - local remote="refs/remotes/pull/${name}" - - fetch "+${GIT_SHA}:${remote}" - - # pull requests have a special treatment for the branch name. The name - # is determined by the branch the pull request is targeting. - - local branch="${GITHUB_BASE_REF:-$( git_default_refspec )}" - checkout -B "${branch#refs\/heads\/}" "${remote}" -} - -checkout_tag() { - local name="${GIT_REF#refs\/tags\/}" - local remote="refs/tags/${name}" - - fetch "+${GIT_SHA}:${remote}" - - checkout "${remote}" -} - -case "${GIT_REF}" in - # heads and pull are a branch based checkout - refs/heads/*) checkout_head ;; - refs/pull/* ) checkout_pull ;; - - # tags are a detached head checkout - refs/tags/* ) checkout_tag ;; - - *) error "ref type '${GIT_REF}' is unknown" ;; -esac \ No newline at end of file