Fix checkout init for SHA-256 repositories

fix: expand merge commit SHA regex and add SHA-256 test cases (#2414 )
* fix: expand merge commit SHA regex and add SHA-256 test cases Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: add checkCommitInfo SHA coverage Add checkCommitInfo tests for SHA-1 and SHA-256 merge messages and reject invalid 50-character hex merge heads.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * style: fix Prettier formatting in test and source files Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-30 03:01:52 +08:00 · 2026-05-28 22:40:09 -04:00 · 2026-05-04 13:30:55 -04:00 · 2026-01-09 14:09:42 -06:00
10 changed files with 400 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog

+## v6.0.2
+* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
+
+## v6.0.1
+* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
+
 ## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
--- a/test/github-api-helper.test.ts
+++ b/test/github-api-helper.test.ts
@@ -0,0 +1,98 @@
+import * as core from '@actions/core'
+import * as github from '@actions/github'
+import * as githubApiHelper from '../lib/github-api-helper'
+
+describe('github-api-helper object format', () => {
+  let getOctokitSpy: jest.SpyInstance
+  let debugSpy: jest.SpyInstance
+  let request: jest.Mock
+
+  function mockHashAlgorithmApi(hashAlgorithm: string): void {
+    request = jest.fn(async () => ({
+      data: {
+        hash_algorithm: hashAlgorithm
+      }
+    }))
+    getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
+      request
+    } as any)
+  }
+
+  beforeEach(() => {
+    debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+  })
+
+  afterEach(() => {
+    jest.restoreAllMocks()
+  })
+
+  it('detects SHA-256 from the repository hash algorithm endpoint', async () => {
+    mockHashAlgorithmApi('sha256')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: 'sha256', succeeded: true})
+
+    expect(getOctokitSpy).toHaveBeenCalledWith(
+      'token',
+      expect.objectContaining({baseUrl: 'https://api.github.com'})
+    )
+    expect(request).toHaveBeenCalledWith(
+      'GET /repos/{owner}/{repo}/hash-algorithm',
+      {owner: 'owner', repo: 'repo'}
+    )
+  })
+
+  it('detects SHA-1 from the repository hash algorithm endpoint', async () => {
+    mockHashAlgorithmApi('sha1')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: 'sha1', succeeded: true})
+  })
+
+  it('detects object format from an existing commit without API calls', async () => {
+    const commitSha =
+      '9422233ca7ee1b17f1e905d0e141faf0c401556c41cdc6acd71c6bd685da2e92'
+    getOctokitSpy = jest.spyOn(github, 'getOctokit')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat(
+        'token',
+        'owner',
+        'repo',
+        undefined,
+        commitSha
+      )
+    ).resolves.toEqual({format: 'sha256', succeeded: true})
+
+    expect(getOctokitSpy).not.toHaveBeenCalled()
+  })
+
+  it('returns unsuccessful when the hash algorithm endpoint value is not recognized', async () => {
+    mockHashAlgorithmApi('unknown')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: '', succeeded: false})
+    expect(debugSpy).toHaveBeenCalledWith(
+      'Unable to determine repository object format from hash-algorithm endpoint'
+    )
+  })
+
+  it('returns unsuccessful when the hash algorithm API lookup fails', async () => {
+    request = jest.fn(async () => {
+      throw new Error('not found')
+    })
+    jest.spyOn(github, 'getOctokit').mockReturnValue({
+      request
+    } as any)
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: '', succeeded: false})
+    expect(debugSpy).toHaveBeenCalledWith(
+      'Unable to determine repository object format from hash-algorithm endpoint: not found'
+    )
+  })
+})
--- a/test/input-helper.test.ts
+++ b/test/input-helper.test.ts
@@ -133,6 +133,16 @@ describe('input-helper tests', () => {
    expect(settings.commit).toBe('1111111111222222222233333333334444444444')
  })

+  it('sets ref to empty when explicit sha-256', async () => {
+    inputs.ref =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.ref).toBeFalsy()
+    expect(settings.commit).toBe(
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    )
+  })
+
  it('sets sha to empty when explicit ref', async () => {
    inputs.ref = 'refs/heads/some-other-ref'
    const settings: IGitSourceSettings = await inputHelper.getInputs()
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@@ -1,8 +1,12 @@
 import * as assert from 'assert'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
 import * as refHelper from '../lib/ref-helper'
 import {IGitCommandManager} from '../lib/git-command-manager'

 const commit = '1234567890123456789012345678901234567890'
+const sha256Commit =
+  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager

 describe('ref-helper tests', () => {
@@ -37,6 +41,12 @@ describe('ref-helper tests', () => {
    expect(checkoutInfo.startPoint).toBeFalsy()
  })

+  it('getCheckoutInfo sha-256 only', async () => {
+    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
+    expect(checkoutInfo.ref).toBe(sha256Commit)
+    expect(checkoutInfo.startPoint).toBeFalsy()
+  })
+
  it('getCheckoutInfo refs/heads/', async () => {
    const checkoutInfo = await refHelper.getCheckoutInfo(
      git,
@@ -227,4 +237,142 @@ describe('ref-helper tests', () => {
      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
    )
  })
+
+  describe('checkCommitInfo', () => {
+    const repositoryOwner = 'some-owner'
+    const repositoryName = 'some-repo'
+    const ref = 'refs/pull/123/merge'
+    const sha1Head = '1111111111222222222233333333334444444444'
+    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
+    const sha256Head =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const sha256Base =
+      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
+    let debugSpy: jest.SpyInstance
+    let getOctokitSpy: jest.SpyInstance
+    let repoGetSpy: jest.Mock
+    let originalEventName: string
+    let originalPayload: unknown
+    let originalRef: string
+    let originalSha: string
+
+    function setPullRequestContext(
+      expectedHeadSha: string,
+      expectedBaseSha: string,
+      mergeCommit: string
+    ): void {
+      ;(github.context as any).eventName = 'pull_request'
+      github.context.ref = ref
+      github.context.sha = mergeCommit
+      ;(github.context as any).payload = {
+        action: 'synchronize',
+        after: expectedHeadSha,
+        number: 123,
+        pull_request: {
+          base: {
+            sha: expectedBaseSha
+          }
+        },
+        repository: {
+          private: false
+        }
+      }
+    }
+
+    beforeEach(() => {
+      originalEventName = github.context.eventName
+      originalPayload = github.context.payload
+      originalRef = github.context.ref
+      originalSha = github.context.sha
+
+      jest.spyOn(github.context, 'repo', 'get').mockReturnValue({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
+      debugSpy = jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+      repoGetSpy = jest.fn(async () => ({}))
+      getOctokitSpy = jest.spyOn(github, 'getOctokit').mockReturnValue({
+        rest: {
+          repos: {
+            get: repoGetSpy
+          }
+        }
+      } as any)
+    })
+
+    afterEach(() => {
+      ;(github.context as any).eventName = originalEventName
+      ;(github.context as any).payload = originalPayload
+      github.context.ref = originalRef
+      github.context.sha = originalSha
+      jest.restoreAllMocks()
+    })
+
+    it('returns early for SHA-1 merge commit', async () => {
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${sha1Head} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(getOctokitSpy).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+    })
+
+    it('matches SHA-256 merge commit info', async () => {
+      const actualHeadSha =
+        '9999999999888888888877777777776666666666555555555544444444443333'
+      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${actualHeadSha} into ${sha256Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        sha256Commit
+      )
+
+      expect(getOctokitSpy).toHaveBeenCalledWith(
+        'token',
+        expect.objectContaining({
+          userAgent: expect.stringContaining(
+            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
+          )
+        })
+      )
+      expect(repoGetSpy).toHaveBeenCalledWith({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
+      expect(debugSpy).toHaveBeenCalledWith(
+        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
+      )
+      expect(debugSpy).not.toHaveBeenCalledWith('Unexpected message format')
+    })
+
+    it('does not match 50-char hex as a valid merge', async () => {
+      const invalidHeadSha =
+        '99999999998888888888777777777766666666665555555555'
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${invalidHeadSha} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(getOctokitSpy).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+      expect(debugSpy).toHaveBeenCalledWith('Unexpected message format')
+    })
+  })
 })
--- a/dist/index.js
+++ b/dist/index.js
@@ -896,9 +896,14 @@ class GitCommandManager {
    getWorkingDirectory() {
        return this.workingDirectory;
    }
-    init() {
+    init(objectFormat) {
        return __awaiter(this, void 0, void 0, function* () {
-            yield this.execGit(['init', this.workingDirectory]);
+            const args = ['init'];
+            if (objectFormat === 'sha256') {
+                args.push('--object-format=sha256');
+            }
+            args.push(this.workingDirectory);
+            yield this.execGit(args);
        });
    }
    isDetached() {
@@ -1486,8 +1491,17 @@ function getSource(settings) {
            stateHelper.setRepositoryPath(settings.repositoryPath);
            // Initialize the repository
            if (!fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))) {
+                core.startGroup('Determining repository object format');
+                const objectFormatResult = yield githubApiHelper.tryGetRepositoryObjectFormat(settings.authToken, settings.repositoryOwner, settings.repositoryName, settings.githubServerUrl, settings.commit);
+                const objectFormat = objectFormatResult.succeeded
+                    ? objectFormatResult.format
+                    : '';
+                if (objectFormat === 'sha256') {
+                    core.info('Detected SHA-256 repository object format');
+                }
+                core.endGroup();
                core.startGroup('Initializing the repository');
-                yield git.init();
+                yield git.init(objectFormat);
                yield git.remoteAdd('origin', repositoryUrl);
                core.endGroup();
            }
@@ -1810,6 +1824,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.downloadRepository = downloadRepository;
 exports.getDefaultBranch = getDefaultBranch;
+exports.tryGetRepositoryObjectFormat = tryGetRepositoryObjectFormat;
 const assert = __importStar(__nccwpck_require__(9491));
 const core = __importStar(__nccwpck_require__(2186));
 const fs = __importStar(__nccwpck_require__(7147));
@@ -1911,6 +1926,40 @@ function getDefaultBranch(authToken, owner, repo, baseUrl) {
        }));
    });
 }
+function tryGetRepositoryObjectFormat(authToken, owner, repo, baseUrl, commit) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a;
+        const commitFormat = getObjectFormat(commit);
+        if (commitFormat) {
+            return { format: commitFormat, succeeded: true };
+        }
+        try {
+            const octokit = github.getOctokit(authToken, {
+                baseUrl: (0, url_helper_1.getServerApiUrl)(baseUrl)
+            });
+            const response = yield octokit.request('GET /repos/{owner}/{repo}/hash-algorithm', { owner, repo });
+            const hashAlgorithm = response.data.hash_algorithm;
+            if (hashAlgorithm === 'sha256' || hashAlgorithm === 'sha1') {
+                return { format: hashAlgorithm, succeeded: true };
+            }
+            core.debug('Unable to determine repository object format from hash-algorithm endpoint');
+            return { format: '', succeeded: false };
+        }
+        catch (err) {
+            core.debug(`Unable to determine repository object format from hash-algorithm endpoint: ${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
+            return { format: '', succeeded: false };
+        }
+    });
+}
+function getObjectFormat(sha) {
+    if (/^[0-9a-fA-F]{64}$/.test(sha || '')) {
+        return 'sha256';
+    }
+    if (/^[0-9a-fA-F]{40}$/.test(sha || '')) {
+        return 'sha1';
+    }
+    return '';
+}
 function downloadArchive(authToken, owner, repo, ref, commit, baseUrl) {
    return __awaiter(this, void 0, void 0, function* () {
        const octokit = github.getOctokit(authToken, {
@@ -2021,7 +2070,7 @@ function getInputs() {
            }
        }
        // SHA?
-        else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
+        else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
            result.commit = result.ref;
            result.ref = '';
        }
@@ -2444,7 +2493,7 @@ function checkCommitInfo(token, commitInfo, repositoryOwner, repositoryName, ref
                return;
            }
            // Extract details from message
-            const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/);
+            const match = commitInfo.match(/Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/);
            if (!match) {
                core.debug('Unexpected message format');
                return;
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -43,7 +43,7 @@ export interface IGitCommandManager {
  getDefaultBranch(repositoryUrl: string): Promise<string>
  getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
  getWorkingDirectory(): string
-  init(): Promise<void>
+  init(objectFormat?: string): Promise<void>
  isDetached(): Promise<boolean>
  lfsFetch(ref: string): Promise<void>
  lfsInstall(): Promise<void>
@@ -364,8 +364,14 @@ class GitCommandManager {
    return this.workingDirectory
  }

-  async init(): Promise<void> {
-    await this.execGit(['init', this.workingDirectory])
+  async init(objectFormat?: string): Promise<void> {
+    const args = ['init']
+    if (objectFormat === 'sha256') {
+      args.push('--object-format=sha256')
+    }
+    args.push(this.workingDirectory)
+
+    await this.execGit(args)
  }

  async isDetached(): Promise<boolean> {
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -109,8 +109,25 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    if (
      !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
    ) {
+      core.startGroup('Determining repository object format')
+      const objectFormatResult =
+        await githubApiHelper.tryGetRepositoryObjectFormat(
+          settings.authToken,
+          settings.repositoryOwner,
+          settings.repositoryName,
+          settings.githubServerUrl,
+          settings.commit
+        )
+      const objectFormat = objectFormatResult.succeeded
+        ? objectFormatResult.format
+        : ''
+      if (objectFormat === 'sha256') {
+        core.info('Detected SHA-256 repository object format')
+      }
+      core.endGroup()
+
      core.startGroup('Initializing the repository')
-      await git.init()
+      await git.init(objectFormat)
      await git.remoteAdd('origin', repositoryUrl)
      core.endGroup()
    }
--- a/src/github-api-helper.ts
+++ b/src/github-api-helper.ts
@@ -11,6 +11,12 @@ import {getServerApiUrl} from './url-helper'

 const IS_WINDOWS = process.platform === 'win32'

+export interface RepositoryObjectFormatResult {
+  defaultBranch?: string
+  format: string
+  succeeded: boolean
+}
+
 export async function downloadRepository(
  authToken: string,
  owner: string,
@@ -122,6 +128,53 @@ export async function getDefaultBranch(
  })
 }

+export async function tryGetRepositoryObjectFormat(
+  authToken: string,
+  owner: string,
+  repo: string,
+  baseUrl?: string,
+  commit?: string
+): Promise<RepositoryObjectFormatResult> {
+  const commitFormat = getObjectFormat(commit)
+  if (commitFormat) {
+    return {format: commitFormat, succeeded: true}
+  }
+
+  try {
+    const octokit = github.getOctokit(authToken, {
+      baseUrl: getServerApiUrl(baseUrl)
+    })
+    const response = await octokit.request(
+      'GET /repos/{owner}/{repo}/hash-algorithm',
+      {owner, repo}
+    )
+    const hashAlgorithm = response.data.hash_algorithm
+    if (hashAlgorithm === 'sha256' || hashAlgorithm === 'sha1') {
+      return {format: hashAlgorithm, succeeded: true}
+    }
+
+    core.debug(
+      'Unable to determine repository object format from hash-algorithm endpoint'
+    )
+    return {format: '', succeeded: false}
+  } catch (err) {
+    core.debug(
+      `Unable to determine repository object format from hash-algorithm endpoint: ${(err as any)?.message ?? err}`
+    )
+    return {format: '', succeeded: false}
+  }
+}
+
+function getObjectFormat(sha?: string): string {
+  if (/^[0-9a-fA-F]{64}$/.test(sha || '')) {
+    return 'sha256'
+  }
+  if (/^[0-9a-fA-F]{40}$/.test(sha || '')) {
+    return 'sha1'
+  }
+  return ''
+}
+
 async function downloadArchive(
  authToken: string,
  owner: string,
--- a/src/input-helper.ts
+++ b/src/input-helper.ts
@@ -71,7 +71,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
    }
  }
  // SHA?
-  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
+  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
    result.commit = result.ref
    result.ref = ''
  }
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -258,7 +258,9 @@ export async function checkCommitInfo(
    }

    // Extract details from message
-    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
+    const match = commitInfo.match(
+      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
+    )
    if (!match) {
      core.debug('Unexpected message format')
      return