Merge 7618b1f401 into 900f2210b1

fix: expand merge commit SHA regex and add SHA-256 test cases (#2414 )
* fix: expand merge commit SHA regex and add SHA-256 test cases Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: add checkCommitInfo SHA coverage Add checkCommitInfo tests for SHA-1 and SHA-256 merge messages and reject invalid 50-character hex merge heads.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * style: fix Prettier formatting in test and source files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-13 16:38:07 +00:00 · 2026-05-05 06:27:44 +02:00 · 2026-05-04 13:30:55 -04:00 · 2024-08-28 13:16:59 +02:00 · 2024-08-27 10:37:37 +02:00
12 changed files with 248 additions and 12 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -166,6 +166,17 @@ jobs:
      - name: Verify submodules true
        run: __test__/verify-submodules-true.sh
  
+      # Submodules limited
+      - name: Checkout submodules limited
+        uses: ./
+        with:
+          ref: test-data/v2/submodule-ssh-url
+          path: submodules-true
+          submodules: true
+          submodule-directories: submodule-level-1
+      - name: Verify submodules true
+        run: __test__/verify-submodules-true.sh
+
      # Submodules recursive
      - name: Checkout submodules recursive
        uses: ./
--- a/README.md
+++ b/README.md
@ -150,6 +150,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
    # Default: false
    submodules: ''

+    # A list of submodules to checkout.
+    # Default: null
+    submodule-directories: ''
+
    # Add repository path as safe.directory for Git global config by running `git
    # config --global --add safe.directory <path>`
    # Default: true
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@ -1162,6 +1162,7 @@ async function setup(testName: string): Promise<void> {
    lfs: false,
    submodules: false,
    nestedSubmodules: false,
+    submoduleDirectories: [],
    persistCredentials: true,
    ref: 'refs/heads/main',
    repositoryName: 'my-repo',
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@ -21,6 +21,13 @@ describe('input-helper tests', () => {
    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
      return inputs[name]
    })
+    // Mock getMultilineInput
+    jest.spyOn(core, 'getMultilineInput').mockImplementation((name: string) => {
+      const input: string[] = (inputs[name] || '')
+        .split('\n')
+        .filter(x => x !== '')
+      return input.map(inp => inp.trim())
+    })

    // Mock error/warning/info/debug
    jest.spyOn(core, 'error').mockImplementation(jest.fn())
@ -87,6 +94,7 @@ describe('input-helper tests', () => {
    expect(settings.showProgress).toBe(true)
    expect(settings.lfs).toBe(false)
    expect(settings.ref).toBe('refs/heads/some-ref')
+    expect(settings.submoduleDirectories).toStrictEqual([])
    expect(settings.repositoryName).toBe('some-repo')
    expect(settings.repositoryOwner).toBe('some-owner')
    expect(settings.repositoryPath).toBe(gitHubWorkspace)
@ -133,6 +141,16 @@ describe('input-helper tests', () => {
    expect(settings.commit).toBe('1111111111222222222233333333334444444444')
  })

+  it('sets ref to empty when explicit sha-256', async () => {
+    inputs.ref =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.ref).toBeFalsy()
+    expect(settings.commit).toBe(
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    )
+  })
+
  it('sets sha to empty when explicit ref', async () => {
    inputs.ref = 'refs/heads/some-other-ref'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
@ -144,4 +162,13 @@ describe('input-helper tests', () => {
    const settings: IGitSourceSettings = await inputHelper.getInputs()
    expect(settings.workflowOrganizationId).toBe(123456)
  })
+  it('sets submoduleDirectories', async () => {
+    inputs['submodule-directories'] = 'submodule1\nsubmodule2'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.submoduleDirectories).toStrictEqual([
+      'submodule1',
+      'submodule2'
+    ])
+    expect(settings.submodules).toBe(true)
+  })
 })
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@ -1,8 +1,12 @@
 import * as assert from 'assert'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
 import * as refHelper from '../lib/ref-helper'
 import {IGitCommandManager} from '../lib/git-command-manager'

 const commit = '1234567890123456789012345678901234567890'
+const sha256Commit =
+  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager

 describe('ref-helper tests', () => {
@ -37,6 +41,12 @@ describe('ref-helper tests', () => {
    expect(checkoutInfo.startPoint).toBeFalsy()
  })

+  it('getCheckoutInfo sha-256 only', async () => {
+    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
+    expect(checkoutInfo.ref).toBe(sha256Commit)
+    expect(checkoutInfo.startPoint).toBeFalsy()
+  })
+
  it('getCheckoutInfo refs/heads/', async () => {
    const checkoutInfo = await refHelper.getCheckoutInfo(
      git,
@ -227,4 +237,142 @@ describe('ref-helper tests', () => {
      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
    )
  })
+
+  describe('checkCommitInfo', () => {
+    const repositoryOwner = 'some-owner'
+    const repositoryName = 'some-repo'
+    const ref = 'refs/pull/123/merge'
+    const sha1Head = '1111111111222222222233333333334444444444'
+    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
+    const sha256Head =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const sha256Base =
+      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
+    let debugSpy: jest.SpyInstance
+    let getOctokitSpy: jest.SpyInstance
+    let repoGetSpy: jest.Mock
+    let originalEventName: string
+    let originalPayload: unknown
+    let originalRef: string
+    let originalSha: string
+
+    function setPullRequestContext(
+      expectedHeadSha: string,
+      expectedBaseSha: string,
+      mergeCommit: string
+    ): void {
+      ;(github.context as any).eventName = 'pull_request'
+      github.context.ref = ref
+      github.context.sha = mergeCommit
+      ;(github.context as any).payload = {
+        action: 'synchronize',
+        after: expectedHeadSha,
+        number: 123,
+        pull_request: {
+          base: {
+            sha: expectedBaseSha
+          }
+        },
+        repository: {
+          private: false
+        }
+      }
+    }
+
+    beforeEach(() => {
+      originalEventName = github.context.eventName
+      originalPayload = github.context.payload
+      originalRef = github.context.ref
+      originalSha = github.context.sha
+
+      jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
+      debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+      repoGetSpy = jest.fn(async () => ({}))
+      getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
+        rest: {
+          repos: {
+            get: repoGetSpy
+          }
+        }
+      } as any)
+    })
+
+    afterEach(() => {
+      ;(github.context as any).eventName = originalEventName
+      ;(github.context as any).payload = originalPayload
+      github.context.ref = originalRef
+      github.context.sha = originalSha
+      jest.restoreAllMocks()
+    })
+
+    it('returns early for SHA-1 merge commit', async () => {
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${sha1Head} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(getOctokitSpy).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+    })
+
+    it('matches SHA-256 merge commit info', async () => {
+      const actualHeadSha =
+        '9999999999888888888877777777776666666666555555555544444444443333'
+      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${actualHeadSha} into ${sha256Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        sha256Commit
+      )
+
+      expect(getOctokitSpy).toHaveBeenCalledWith(
+        'token',
+        expect.objectContaining({
+          userAgent: expect.stringContaining(
+            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
+          )
+        })
+      )
+      expect(repoGetSpy).toHaveBeenCalledWith({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
+      expect(debugSpy).toHaveBeenCalledWith(
+        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
+      )
+      expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
+    })
+
+    it('does not match 50-char hex as a valid merge', async () => {
+      const invalidHeadSha =
+        '99999999998888888888777777777766666666665555555555'
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${invalidHeadSha} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(getOctokitSpy).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+      expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
+    })
+  })
 })
--- a/action.yml
+++ b/action.yml
@ -92,6 +92,10 @@ inputs:
      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
      converted to HTTPS.
    default: false
+  submodule-directories:
+    description: >
+      A list of submodules to checkout.
+    default: null
  set-safe-directory:
    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
    default: true
--- a/dist/index.js
+++ b/dist/index.js
@ -980,10 +980,10 @@ class GitCommandManager {
            yield this.execGit(args);
        });
    }
-    submoduleUpdate(fetchDepth, recursive) {
+    submoduleUpdate(fetchDepth, recursive, submoduleDirectories) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2'];
-            args.push('submodule', 'update', '--init', '--force');
+            args.push('submodule', 'update', '--init', '--force', ...submoduleDirectories);
            if (fetchDepth > 0) {
                args.push(`--depth=${fetchDepth}`);
            }
@ -1604,7 +1604,7 @@ function getSource(settings) {
                // Checkout submodules
                core.startGroup('Fetching submodules');
                yield git.submoduleSync(settings.nestedSubmodules);
-                yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules);
+                yield git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules, settings.submoduleDirectories);
                yield git.submoduleForeach('git config --local gc.auto 0', settings.nestedSubmodules);
                core.endGroup();
                // Persist credentials
@ -2021,7 +2021,7 @@ function getInputs() {
            }
        }
        // SHA?
-        else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
+        else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
            result.commit = result.ref;
            result.ref = '';
        }
@ -2065,6 +2065,7 @@ function getInputs() {
        // Submodules
        result.submodules = false;
        result.nestedSubmodules = false;
+        result.submoduleDirectories = [];
        const submodulesString = (core.getInput('submodules') || '').toUpperCase();
        if (submodulesString == 'RECURSIVE') {
            result.submodules = true;
@ -2073,8 +2074,15 @@ function getInputs() {
        else if (submodulesString == 'TRUE') {
            result.submodules = true;
        }
+        const submoduleDirectories = core.getMultilineInput('submodule-directories');
+        if (submoduleDirectories.length > 0) {
+            result.submoduleDirectories = submoduleDirectories;
+            if (!result.submodules)
+                result.submodules = true;
+        }
        core.debug(`submodules = ${result.submodules}`);
        core.debug(`recursive submodules = ${result.nestedSubmodules}`);
+        core.debug(`submodule directories = ${result.submoduleDirectories}`);
        // Auth token
        result.authToken = core.getInput('token', { required: true });
        // SSH
@ -2444,7 +2452,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
                return;
            }
            // Extract details from message
-            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
            if (!match) {
                core.debug('Unexpected message format');
                return;
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@ -55,7 +55,11 @@ export interface IGitCommandManager {
  shaExists(sha: string): Promise<boolean>
  submoduleForeach(command: string, recursive: boolean): Promise<string>
  submoduleSync(recursive: boolean): Promise<void>
-  submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void>
+  submoduleUpdate(
+    fetchDepth: number,
+    recursive: boolean,
+    submoduleDirectories: string[]
+  ): Promise<void>
  submoduleStatus(): Promise<boolean>
  tagExists(pattern: string): Promise<boolean>
  tryClean(): Promise<boolean>
@ -446,9 +450,19 @@ class GitCommandManager {
    await this.execGit(args)
  }

-  async submoduleUpdate(fetchDepth: number, recursive: boolean): Promise<void> {
+  async submoduleUpdate(
+    fetchDepth: number,
+    recursive: boolean,
+    submoduleDirectories: string[]
+  ): Promise<void> {
    const args = ['-c', 'protocol.version=2']
-    args.push('submodule', 'update', '--init', '--force')
+    args.push(
+      'submodule',
+      'update',
+      '--init',
+      '--force',
+      ...submoduleDirectories
+    )
    if (fetchDepth > 0) {
      args.push(`--depth=${fetchDepth}`)
    }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -264,7 +264,11 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      // Checkout submodules
      core.startGroup('Fetching submodules')
      await git.submoduleSync(settings.nestedSubmodules)
-      await git.submoduleUpdate(settings.fetchDepth, settings.nestedSubmodules)
+      await git.submoduleUpdate(
+        settings.fetchDepth,
+        settings.nestedSubmodules,
+        settings.submoduleDirectories
+      )
      await git.submoduleForeach(
        'git config --local gc.auto 0',
        settings.nestedSubmodules
--- a/src/git-source-settings.ts
+++ b/src/git-source-settings.ts
@ -74,6 +74,11 @@ export interface IGitSourceSettings {
   */
  nestedSubmodules: boolean

+  /**
+   * Indicates which submodule paths to checkout
+   */
+  submoduleDirectories: string[]
+
  /**
   * The auth token to use when fetching the repository
   */
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
    }
  }
  // SHA?
-  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
+  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
    result.commit = result.ref
    result.ref = ''
  }
@ -125,6 +125,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  // Submodules
  result.submodules = false
  result.nestedSubmodules = false
+  result.submoduleDirectories = []
  const submodulesString = (core.getInput('submodules') || '').toUpperCase()
  if (submodulesString == 'RECURSIVE') {
    result.submodules = true
@ -132,9 +133,16 @@ export async function getInputs(): Promise<IGitSourceSettings> {
  } else if (submodulesString == 'TRUE') {
    result.submodules = true
  }
+
+  const submoduleDirectories = core.getMultilineInput('submodule-directories')
+  if (submoduleDirectories.length > 0) {
+    result.submoduleDirectories = submoduleDirectories
+    if (!result.submodules) result.submodules = true
+  }
+
  core.debug(`submodules = ${result.submodules}`)
  core.debug(`recursive submodules = ${result.nestedSubmodules}`)
-
+  core.debug(`submodule directories = ${result.submoduleDirectories}`)
  // Auth token
  result.authToken = core.getInput('token', {required: true})

--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@ -258,7 +258,9 @@ export async function checkCommitInfo(
    }

    // Extract details from message
-    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
+    const match = commitInfo.match(
+      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
+    )
    if (!match) {
      core.debug('Unexpected message format')
      return
Author	SHA1	Message	Date
Marcus Tillmanns	b667f36fde	Merge `7618b1f401` into `900f2210b1`	2026-05-05 06:27:44 +02:00
Yashwanth Anantharaju	900f2210b1	fix: expand merge commit SHA regex and add SHA-256 test cases (#2414 ) Some checks failed Check dist / check-dist (push) Has been cancelled Details CodeQL / Analyze (javascript) (push) Has been cancelled Details Licensed / Check licenses (push) Has been cancelled Details Build and Test / build (push) Has been cancelled Details Build and Test / test (macos-latest) (push) Has been cancelled Details Build and Test / test (ubuntu-latest) (push) Has been cancelled Details Build and Test / test (windows-latest) (push) Has been cancelled Details Build and Test / test-proxy (push) Has been cancelled Details Build and Test / test-bypass-proxy (push) Has been cancelled Details Build and Test / test-git-container (push) Has been cancelled Details Build and Test / test-output (push) Has been cancelled Details * fix: expand merge commit SHA regex and add SHA-256 test cases Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: add checkCommitInfo SHA coverage Add checkCommitInfo tests for SHA-1 and SHA-256 merge messages and reject invalid 50-character hex merge heads.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * style: fix Prettier formatting in test and source files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-05-04 13:30:55 -04:00
Marcus Tillmanns	7618b1f401	Simplified the submoduleDirectories	2024-08-28 13:16:59 +02:00
Marcus Tillmanns	b6625bb44a	Add string[] option to submodules Allows checking out only specific submodules instead of all	2024-08-27 10:37:37 +02:00