@@ -77,52 +77,62 @@ export async function init(action: ActionInterface): Promise<void | Error> {
7777 }
7878
7979 // Remove includeIf directives that point to credential files (actions/checkout@v6+)
80+ // This runs unconditionally because checkout@v 6 credentials must be cleared
8081 try {
81- if ( ( process . env . CI && ! action . sshKey ) || action . isTest ) {
82- /* actions/checkout@v6+ uses includeIf directives to inject credentials.
83- We need to remove these to ensure the provided token/SSH key is used instead.
84- Check both local and global scopes as containers may configure differently.
85- */
86- for ( const scope of [ '--local' , '--global' ] ) {
87- try {
88- const includeIfResult = await execute (
89- `git config ${ scope } ,
90- action . workspace ,
91- true // Always silent to avoid exposing credential paths
92- )
93-
94- // Parse the output to find includeIf sections
95- if ( includeIfResult . stdout ) {
96- const lines = includeIfResult . stdout . trim ( ) . split ( '\n' )
97- for ( const line of lines ) {
98- // Skip empty lines
99- if ( ! line . trim ( ) ) {
100- continue
101- }
102- // Each line is in format: includeIf.gitdir:/path/.git.path /path/to/config
103- // The regex captures the section name without the trailing .path suffix
104- const match = line . match ( / ^ ( i n c l u d e I f \. [ ^ \s ] + ) \. p a t h \s + / )
105- if ( match ) {
106- const section = match [ 1 ]
107- try {
108- await execute (
109- `git config ${ scope } ${ section } ,
110- action . workspace ,
111- true // Always silent
112- )
113- } catch {
114- // Continue if section cannot be removed
115- }
82+ /* actions/checkout@v6+ uses includeIf directives to inject credentials.
83+ We need to remove these to ensure the provided token/SSH key is used instead.
84+ Check local, global, and system scopes as containers may configure differently.
85+ */
86+ info ( 'Checking for includeIf credential directives from actions/checkout@v6...' )
87+ let foundAny = false
88+
89+ for ( const scope of [ '--local' , '--global' , '--system' ] ) {
90+ try {
91+ const includeIfResult = await execute (
92+ `git config ${ scope } ,
93+ action . workspace ,
94+ true // Always silent to avoid exposing credential paths
95+ )
96+
97+ // Parse the output to find includeIf sections
98+ if ( includeIfResult . stdout ) {
99+ const lines = includeIfResult . stdout . trim ( ) . split ( '\n' )
100+ for ( const line of lines ) {
101+ // Skip empty lines
102+ if ( ! line . trim ( ) ) {
103+ continue
104+ }
105+ // Each line is in format: includeIf.gitdir:/path/.git.path /path/to/config
106+ // The regex captures the section name without the trailing .path suffix
107+ const match = line . match ( / ^ ( i n c l u d e I f \. [ ^ \s ] + ) \. p a t h \s + / )
108+ if ( match ) {
109+ const section = match [ 1 ]
110+ foundAny = true
111+ info ( `Found includeIf directive in ${ scope } ${ section } )
112+ try {
113+ await execute (
114+ `git config ${ scope } ${ section } ,
115+ action . workspace ,
116+ true // Always silent
117+ )
118+ info ( `Removed includeIf section: ${ section } )
119+ } catch ( error ) {
120+ info ( `Failed to remove includeIf section ${ section } ${ extractErrorMessage ( error ) } )
116121 }
117122 }
118123 }
119- } catch {
120- // Continue if no includeIf directives exist in this scope
121124 }
125+ } catch ( error ) {
126+ // Log but continue - this is expected if no config exists in this scope
127+ info ( `No includeIf directives found in ${ scope } )
122128 }
123129 }
124- } catch {
125- // Silently continue if no includeIf directives exist or cannot be read
130+
131+ if ( ! foundAny ) {
132+ info ( 'No includeIf credential directives found' )
133+ }
134+ } catch ( error ) {
135+ info ( `Error while checking for includeIf directives: ${ extractErrorMessage ( error ) } )
126136 }
127137
128138 try {
0 commit comments