diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 87c8c11..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-FROM docker.io/golang:1.23-alpine3.20 AS compile
-
-ENV CGO_ENABLED=0
-
-WORKDIR /app
-
-COPY go.mod go.sum /app/
-RUN go mod download
-
-COPY *.go /app/
-RUN go build -o app .
-
-FROM docker.io/alpine:3.20
-
-WORKDIR /
-
-RUN apk add git
-
-COPY --from=compile /app/app /
-
-ENTRYPOINT ["/app"]
\ No newline at end of file
diff --git a/LICENSE b/LICENSE.md
similarity index 100%
rename from LICENSE
rename to LICENSE.md
diff --git a/README.md b/README.md
index 4642dd4..e7d58f1 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,20 @@
 # checkout
+
+This action checks-out your repository under $GITHUB_WORKSPACE, so your workflow can access it.
+
+Only a single commit is fetched by default, for the ref/sha that triggered the workflow. The auth token
+is persisted in the local git config. This enables your scripts to run authenticated git commands.
+
+This action is only written in shell (bash).
+
+## Usage
+
+```yaml
+uses: actions/checkout:1.0.0
+with:
+  repository: ${{ github.server_url }}/${{ github.repository }}.git
+  token: ${{ github.token }}
+  path: .
+  ref: ${{ github.ref || github.sha }}
+```
+
diff --git a/action.yml b/action.yml
index 09b6faa..54df608 100644
--- a/action.yml
+++ b/action.yml
@@ -1,23 +1,37 @@
 # SPDX-License-Identifier: EUPL-1.2
 name: "Checkout"
 description: "Checkout a Git repository at a particular version"
-author: "Louis Seubert"
 inputs:
   repository:
     description: >
-      The path to the repository to checkout. Must be accessible with the
-      pipeline token on publiclly
-    default: "${{ github.server_url }}/${{ github.repository }}.git"
+      Repository name with owner. For example, actions/checkout
+    default: ${{ github.server_url }}/${{ github.repository }}.git
+  token:
+    description: >
+      Personal access token (PAT) used to fetch the repository. The PAT is configured
+      with the local git config, which enables your scripts to run authenticated git
+      commands.
+    default: ${{ github.token }}
   path:
     description: >
       Relative path under $GITHUB_WORKSPACE to place the repository
-    default: "."
+    default: .
   ref:
     description: >
       The branch, tag or SHA to checkout. When checking out the repository that
       triggered a workflow, this defaults to the reference or SHA for that
-      event. Otherwise, uses the default branch.
+      event.  Otherwise, uses the default branch.
     default: ${{ github.ref || github.sha }}
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
+  using: composite
+  steps:
+    - name: Checkout
+      shell: bash
+      run: |
+        export PATH=${{ github.action_path }}/scripts:$PATH
+        checkout.sh
+      env:
+        ACTION_INPUT_TOKEN: ${{ inputs.token }}
+        ACTION_INPUT_REPOSITORY: ${{ inputs.repository }}
+        ACTION_INPUT_PATH: ${{ inputs.path }}
+        ACTION_INPUT_REF: ${{ inputs.ref }}
diff --git a/go.mod b/go.mod
deleted file mode 100644
index 5889153..0000000
--- a/go.mod
+++ /dev/null
@@ -1,5 +0,0 @@
-module git.geekeey.de/actions/checkout
-
-go 1.23.2
-
-require git.geekeey.de/actions/sdk v1.0.1
diff --git a/go.sum b/go.sum
deleted file mode 100644
index 9f838a7..0000000
--- a/go.sum
+++ /dev/null
@@ -1,6 +0,0 @@
-git.geekeey.de/actions/sdk v0.0.0-20241020125724-76a93c0d8cec h1:auq6X3d0N25UPSyjuvRDh55W4sgAsSaeDGdWOS6AG6g=
-git.geekeey.de/actions/sdk v0.0.0-20241020125724-76a93c0d8cec/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA=
-git.geekeey.de/actions/sdk v1.0.0 h1:vVEPz6ndFJt4iqtJhhFuf7XA3bf2gasZJ3f8gb94o5g=
-git.geekeey.de/actions/sdk v1.0.0/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA=
-git.geekeey.de/actions/sdk v1.0.1 h1:fecr+IILPgKFoMaQDtSvkBbaFfudOlf+2KdMVKcFA1M=
-git.geekeey.de/actions/sdk v1.0.1/go.mod h1:pBcHd6afsvseZF9hSc2A0b6+MldC/Ch6CSDaVlWMAmA=
diff --git a/main.go b/main.go
deleted file mode 100644
index 5f2d0d7..0000000
--- a/main.go
+++ /dev/null
@@ -1,173 +0,0 @@
-package main
-
-import (
-	"context"
-	"encoding/base64"
-	"fmt"
-	"net/url"
-	"os"
-	"os/exec"
-	"os/signal"
-	"strings"
-
-	"git.geekeey.de/actions/sdk"
-)
-
-func main() {
-	action := &CheckoutAction{Action: sdk.New()}
-	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt)
-	defer cancel()
-	if err := action.run(ctx); err != nil {
-		action.Errorf("%s", err)
-		os.Exit(1)
-	}
-}
-
-type CheckoutAction struct {
-	*sdk.Action
-	repository string
-	path       string
-	reference  string
-}
-
-func (action *CheckoutAction) setup() error {
-	var err error
-	action.repository = action.GetInput("repository")
-	action.path = action.GetInput("path")
-	action.reference = action.GetInput("ref")
-	return err
-}
-
-func (action *CheckoutAction) run(ctx context.Context) error {
-	if err := action.setup(); err != nil {
-		return err
-	}
-	env := action.Context()
-
-	var sh *Shell
-
-	sh = &Shell{}
-	sh.Add("git", "config", "--global", "--add", "protocol.version", "2")
-	sh.Add("git", "init", "-q", action.path)
-	sh.Add("git", "-C", action.path, "config", "--local", "gc.auto", "0")
-	if err := sh.Run(ctx); err != nil {
-		return err
-	}
-
-	action.Noticef("Configuring git repository credentials")
-	server, err := url.Parse(env.ServerURL)
-	if err != nil {
-		return err
-	}
-
-	sh = &Shell{}
-	sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("git@%s", server.Host))
-	sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("ssh://git@%s", server.Host))
-	sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("url.%s.insteadof", env.ServerURL), fmt.Sprintf("git://%s", server.Host))
-	if err := sh.Run(ctx); err != nil {
-		return err
-	}
-
-	enc := base64.StdEncoding
-	header := fmt.Sprintf("Authorization: Basic %s", enc.EncodeToString([]byte(fmt.Sprintf("x-access-token:%s", env.Token))))
-
-	sh = &Shell{}
-	sh.Add("git", "-C", action.path, "config", "--local", "--add", fmt.Sprintf("http.%s.extraheader", env.ServerURL), header)
-	if err := sh.Run(ctx); err != nil {
-		return err
-	}
-
-	origin := "origin"
-
-	sh = &Shell{}
-	sh.Add("git", "-C", action.path, "remote", "add", origin, action.repository)
-	if err := sh.Run(ctx); err != nil {
-		return err
-	}
-
-	stdout, _, err := execx(ctx, "git", "-C", action.path, "ls-remote", origin, action.reference)
-	if err != nil {
-		return err
-	}
-	lines := strings.Split(stdout, "\t")
-	if len(lines) < 2 {
-		return fmt.Errorf("git ls-remore resolved nothing")
-	}
-	sha := strings.TrimSpace(lines[0])
-	ref := strings.TrimSpace(lines[1])
-
-	sh = &Shell{}
-
-	if strings.HasPrefix(ref, "refs/heads/") {
-		name := strings.TrimPrefix(ref, "refs/heads/")
-		remote := fmt.Sprintf("refs/remotes/%s/%s", origin, name)
-		branch := name
-
-		action.Debugf("Checking out branch %s@%s", name, sha)
-
-		sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1",
-			origin, fmt.Sprintf("+%s:%s", sha, remote))
-		sh.Add("git", "-C", action.path, "checkout", "--force", "-B", branch, remote)
-	} else if strings.HasPrefix(ref, "refs/pull/") {
-		name := strings.TrimPrefix(ref, "refs/pull/")
-		remote := fmt.Sprintf("refs/remotes/pull/%s", name)
-
-		action.Debugf("Checking out pull-request %s@%s", name, sha)
-
-		var branch string
-		if len(env.BaseRef) != 0 {
-			branch = env.BaseRef
-		} else if len(env.HeadRef) != 0 {
-			branch = env.HeadRef
-		} else {
-			return fmt.Errorf("pull request can not find base ref for branch")
-		}
-
-		sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1",
-			origin, fmt.Sprintf("+%s:%s", sha, remote))
-		sh.Add("git", "-C", action.path, "checkout", "--force", "-B", branch, remote)
-	} else if strings.HasPrefix(ref, "refs/tags/") {
-		name := strings.TrimPrefix(ref, "refs/tags/")
-		remote := fmt.Sprintf("refs/tags/%s", name)
-
-		action.Debugf("Checking out ptag %s@%s", name, sha)
-
-		sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1",
-			origin, fmt.Sprintf("+%s:%s", sha, remote))
-		sh.Add("git", "-C", action.path, "checkout", "--force", remote)
-	} else {
-		action.Debugf("Checking out detached head %s", ref)
-
-		sh.Add("git", "-C", action.path, "fetch", "--no-tags", "--prune", "--no-recurse-submodules", "--depth=1",
-			origin, ref)
-		sh.Add("git", "-C", action.path, "checkout", "--force", ref)
-	}
-
-	if err := sh.Run(ctx); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-type Shell [][]string
-
-func (sh *Shell) Add(line ...string) { *sh = append([][]string(*sh), line) }
-
-func (sh *Shell) Run(ctx context.Context) error {
-	for _, line := range [][]string(*sh) {
-		if _, _, err := execx(ctx, line...); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func execx(ctx context.Context, args ...string) (string, string, error) {
-	cmd := exec.CommandContext(ctx, args[0], args[1:]...)
-	var outbuf, errbuf strings.Builder
-	cmd.Stdout = &outbuf
-	cmd.Stderr = &errbuf
-	err := cmd.Run()
-	return outbuf.String(), errbuf.String(), err
-}
diff --git a/scripts/checkout.sh b/scripts/checkout.sh
new file mode 100755
index 0000000..4f63f24
--- /dev/null
+++ b/scripts/checkout.sh
@@ -0,0 +1,121 @@
+#!/usr/bin/env bash
+shopt -s extglob
+
+ACTION_INPUT_TOKEN="${ACTION_INPUT_TOKEN:?}"
+ACTION_INPUT_REPOSITORY="${ACTION_INPUT_REPOSITORY:?}"
+ACTION_INPUT_PATH="${ACTION_INPUT_PATH:?}"
+ACTION_INPUT_REF="${ACTION_INPUT_REF:?}"
+
+error() {
+  echo "$*" 1>&2 ; exit 1;
+}
+
+# ensure we are in the right place
+[[ -z "${GITHUB_WORKSPACE:-}" ]] || { cd "${GITHUB_WORKSPACE}" || error ; }
+
+git config --global --add protocol.version 2
+
+git init -q "${ACTION_INPUT_PATH}" && { cd "${ACTION_INPUT_PATH}" || error ; }
+
+git config --local gc.auto 0
+
+# the server url and uri are important for determining the default checkout url
+GITHUB_SERVER_URL="${GITHUB_SERVER_URL:?}"
+GITHUB_SERVER_URI="${GITHUB_SERVER_URL//http?(s):\/\//}"
+
+# use https instead of everything else
+git config --add url."${GITHUB_SERVER_URL}/".insteadOf "git@${GITHUB_SERVER_URI}:"
+git config --add url."${GITHUB_SERVER_URL}/".insteadOf "ssh://git@${GITHUB_SERVER_URI}/"
+git config --add url."${GITHUB_SERVER_URL}/".insteadOf "git://${GITHUB_SERVER_URI}/"
+
+# prepare git config extra header for https auth
+BASE64="base64 --wrap 0"
+echo "" | ${BASE64} >/dev/null 2>&1 || BASE64="base64"
+echo "" | ${BASE64} >/dev/null 2>&1 || BASE64="openssl base64 -A"
+echo "" | ${BASE64} >/dev/null 2>&1
+
+GIT_HTTP_EXTRAHEADER="AUTHORIZATION: basic $(echo -n "x-access-token:${ACTION_INPUT_TOKEN}" | ${BASE64})"
+git config --local --add http."${GITHUB_SERVER_URL}".extraheader "${GIT_HTTP_EXTRAHEADER}"
+
+# add the repository as remote
+git remote add origin "${ACTION_INPUT_REPOSITORY}"
+
+git_default_refspec() {
+  git ls-remote --symref origin HEAD | { read -r _ ref name ; echo "${ref}" ; }
+}
+
+git_resolve_refspec() {
+  # shellcheck disable=SC2068
+  git ls-remote origin $@ | { read -r sha ref _ ; echo "${sha} ${ref}" ; }
+}
+
+fetch() {
+  # shellcheck disable=SC2068
+  git fetch --no-tags --prune --no-recurse-submodules --depth=1 origin $@
+}
+
+checkout() {
+  # shellcheck disable=SC2068
+  git checkout --force $@
+}
+
+# the checkout is based on a commit hash
+if [[ ${ACTION_INPUT_REF:-} =~ ^[0-9a-f]{5,40}$ ]]
+then
+  fetch "${ACTION_INPUT_REF}" && checkout "${ACTION_INPUT_REF}"
+  exit
+fi
+
+# update selected ref when no input is given to remote default branch
+: "${ACTION_INPUT_REF:=$( git_default_refspec )}"
+
+# TODO: check if repo is workflow repo, if so, use commit sha from env
+# like GITHUB_REF and GITHUB_SHA
+
+read -r GIT_SHA GIT_REF _ <<< "$( git_resolve_refspec "${ACTION_INPUT_REF}" )"
+: "${GIT_SHA:?}" "${GIT_REF:?}"
+
+# we always use the refspec with the commit sha as source to prevent
+# race conditions when running on a frequently used branch
+
+checkout_head() {
+  local name="${GIT_REF#refs\/heads\/}"
+  local remote="refs/remotes/origin/${name}"
+
+  fetch "+${GIT_SHA}:${remote}"
+
+  checkout -B "${name}" "${remote}"
+}
+
+checkout_pull() {
+  local name="${GIT_REF#refs\/pull\/}"
+  local remote="refs/remotes/pull/${name}"
+
+  fetch "+${GIT_SHA}:${remote}"
+  
+  # pull requests have a special treatment for the branch name. The name
+  # is determined by the branch the pull request is targeting.
+
+  local branch="${GITHUB_BASE_REF:-$( git_default_refspec )}"
+  checkout -B "${branch#refs\/heads\/}" "${remote}"
+}
+
+checkout_tag() {
+  local name="${GIT_REF#refs\/tags\/}"
+  local remote="refs/tags/${name}"
+
+  fetch "+${GIT_SHA}:${remote}"
+
+  checkout "${remote}"
+}
+
+case "${GIT_REF}" in
+  # heads and pull are a branch based checkout
+  refs/heads/*) checkout_head ;;
+  refs/pull/* ) checkout_pull ;;
+
+  # tags are a detached head checkout
+  refs/tags/* ) checkout_tag ;;
+
+  *) error "ref type '${GIT_REF}' is unknown" ;;
+esac
\ No newline at end of file