fix(actions/checkout): bump actions/checkout to v6.0.3

neilime · neilime · commit a050973a7f25 · 2026-06-10T16:44:17.000+02:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -20,6 +20,12 @@ jobs:
       contents: read
     uses: ./.github/workflows/__test-action-matrix-outputs.yml
 
+  test-action-checkout:
+    needs: linter
+    permissions:
+      contents: read
+    uses: ./.github/workflows/__test-action-checkout.yml
+
   test-action-get-github-actions-bot-user:
     needs: linter
     permissions:
diff --git a/.github/workflows/__test-action-checkout-issue-comment.yml b/.github/workflows/__test-action-checkout-issue-comment.yml
@@ -0,0 +1,101 @@
+name: Internal - Tests for checkout action (issue_comment trigger)
+
+on:
+  issue_comment:
+    types: [created, edited]
+
+permissions:
+  contents: read
+  pull-requests: read
+  issues: read
+
+jobs:
+  test-checkout-issue-comment:
+    # Only run on pull request comments
+    if: github.event.issue.pull_request != null
+    name: Test checkout action on issue_comment trigger
+    runs-on: ubuntu-latest
+    steps:
+      - name: Arrange - Get PR information
+        id: pr-info
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+            });
+            core.setOutput('head-sha', pr.data.head.sha);
+            core.setOutput('head-ref', pr.data.head.ref);
+            console.log(`PR Head SHA: ${pr.data.head.sha}`);
+            console.log(`PR Head Ref: ${pr.data.head.ref}`);
+
+      - name: Act - Checkout using custom checkout action (issue_comment case)
+        id: checkout
+        uses: ./actions/checkout
+        with:
+          persist-credentials: true
+
+      - name: Assert - Verify correct PR SHA was checked out
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          EXPECTED_SHA: ${{ steps.pr-info.outputs.head-sha }}
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            const currentSha = execSync('git rev-parse HEAD').toString().trim();
+            const expectedSha = process.env.EXPECTED_SHA;
+
+            console.log(`Current SHA: ${currentSha}`);
+            console.log(`Expected PR Head SHA: ${expectedSha}`);
+
+            if (currentSha !== expectedSha) {
+              throw new Error(`Checked out SHA (${currentSha}) does not match PR head SHA (${expectedSha})`);
+            }
+
+            console.log('✓ Verified: Checked out correct PR head SHA');
+
+      - name: Assert - Verify not on main branch
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          EXPECTED_BRANCH: ${{ steps.pr-info.outputs.head-ref }}
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            const currentBranch = execSync('git rev-parse --abbrev-ref HEAD').toString().trim();
+            const expectedBranch = process.env.EXPECTED_BRANCH;
+
+            console.log(`Current branch/ref: ${currentBranch}`);
+            console.log(`Expected branch: ${expectedBranch}`);
+
+            if (['HEAD', 'main', 'master'].includes(currentBranch)) {
+              throw new Error(`Checked out main/master branch instead of PR branch`);
+            }
+
+            console.log('✓ Verified: Not on main/master branch');
+
+      - name: Assert - Verify credentials are persisted
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            try {
+              execSync('git config --local --get-regexp "^url\\.https://.*\\.insteadOf"', { stdio: 'pipe' });
+              console.log('✓ Verified: Credentials are persisted');
+            } catch (error) {
+              console.log('WARNING: Token credentials appear not to be persisted');
+              console.log('This may be expected depending on GitHub token availability in issue_comment context');
+            }
+
+      - name: Info - Display checkout details
+        if: always()
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            console.log('=== Git Status ===');
+            console.log(execSync('git status').toString());
+            console.log('');
+            console.log('=== Git Log (last 3 commits) ===');
+            console.log(execSync('git log --oneline -3').toString());
diff --git a/.github/workflows/__test-action-checkout.yml b/.github/workflows/__test-action-checkout.yml
@@ -0,0 +1,70 @@
+name: Internal - Tests for checkout action
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  tests:
+    name: Tests for checkout action
+    runs-on: ubuntu-latest
+    steps:
+      - name: Arrange - Checkout repository using checkout action
+        id: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Act - Run custom checkout action with defaults
+        id: custom-checkout-defaults
+        uses: ./actions/checkout
+
+      - name: Assert - Verify repository is checked out
+        run: |
+          if [ ! -d ".git" ]; then
+            echo "Repository .git directory is missing"
+            exit 1
+          fi
+
+          if [ ! -f "README.md" ]; then
+            echo "README.md is missing"
+            exit 1
+          fi
+
+      - name: Act - Run custom checkout action with fetch-depth 0
+        id: custom-checkout-full-history
+        uses: ./actions/checkout
+        with:
+          fetch-depth: "0"
+
+      - name: Assert - Verify full history is fetched
+        run: |
+          # Check that we have commits by counting them
+          commit_count=$(git rev-list --count HEAD)
+          if [ "$commit_count" -lt 1 ]; then
+            echo "No commits found in repository"
+            exit 1
+          fi
+
+      - name: Act - Run custom checkout action with LFS disabled (default)
+        id: custom-checkout-no-lfs
+        uses: ./actions/checkout
+        with:
+          lfs: "false"
+
+      - name: Assert - Verify checkout succeeded
+        run: |
+          if [ ! -f "action.yml" ]; then
+            echo "action.yml is missing after checkout"
+            exit 1
+          fi
+
+      - name: Assert - Verify token is not persisted by default
+        run: |
+          # When persist-credentials is false, the git config should not have insteadOf
+          if git config --local --get url.https://github.com/.insteadOf 2>/dev/null; then
+            echo "Token credentials were persisted when they should not have been"
+            exit 1
+          fi
