.

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout
       - name: Checkout basic
@@ -165,22 +165,6 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -218,7 +202,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -250,7 +234,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -280,7 +264,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
@@ -307,17 +291,17 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
+      - name: Fix Checkout v4
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: localClone
 
   test-output:
     runs-on: ubuntu-latest
     steps:
-      # Clone this repo
+      # Download the action at the current ref
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
         with:
           path: actions-checkout
 

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,19 +1,10 @@
 # Changelog
 
-## v6.0.0
+## V5.0.0
-* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
-* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
-
-## v5.0.1
-* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
-
-## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
-## v4.3.1
-* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -1,14 +1,6 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout v6
+# Checkout V5
-
-## What's new
-
-- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
-- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
-- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
-
-# Checkout v5
 
 ## What's new
 
@@ -16,7 +8,7 @@
   - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
 
 
-# Checkout v4
+# Checkout V4
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -52,7 +44,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -191,7 +183,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: .
 ```
@@ -199,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       .github
@@ -209,7 +201,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     sparse-checkout: |
       README.md
@@ -219,7 +211,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 0
 ```
@@ -227,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: my-branch
 ```
@@ -235,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +237,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -261,10 +253,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -275,12 +267,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +285,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v6
+- uses: actions/checkout@v5
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +301,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 
 ## Push a commit using the built-in token
@@ -320,7 +312,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
@@ -342,7 +334,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
         with:
           ref: ${{ github.head_ref }}
       - run: |

__test__/git-auth-helper.test.ts

@@ -595,15 +595,18 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      // Should configure insteadOf (2 calls for two values)
+      // Should get submodule config paths (1 call) and configure insteadOf (2 calls for two values)
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
       expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
-        /url.*insteadOf.*git@github.com:/
+        /show-origin.*remote\.origin\.url/
       )
       expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
+        /url.*insteadOf.*git@github.com:/
+      )
+      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
         /url.*insteadOf.*org-123456@github.com:/
       )
     }
@@ -634,12 +637,15 @@ describe('git-auth-helper tests', () => {
       await authHelper.configureSubmoduleAuth()
 
       // Assert
-      // Should configure sshCommand (1 call)
+      // Should get submodule config paths (1 call) and configure sshCommand (1 call)
-      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
       expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
         /unset-all.*insteadOf/
       )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/)
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
+        /show-origin.*remote\.origin\.url/
+      )
+      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
     }
   )
 
@@ -706,7 +712,7 @@ describe('git-auth-helper tests', () => {
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
 
-    // Verify includeIf entries exist in local config
+    // Sanity check - verify includeIf entries exist in local config
     let localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
@@ -714,192 +720,26 @@ describe('git-auth-helper tests', () => {
       localConfigContent.indexOf('includeIf.gitdir:')
     ).toBeGreaterThanOrEqual(0)
 
-    // Verify both host and container includeIf entries are present
+    // Sanity check - verify credentials file exists
-    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify credentials file exists
     let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify credentials file contains the auth token
-    let credentialsContent = (
-      await fs.promises.readFile(credentialsFilePath)
-    ).toString()
-    const basicCredential = Buffer.from(
-      `x-access-token:${settings.authToken}`,
-      'utf8'
-    ).toString('base64')
-    expect(
-      credentialsContent.indexOf(
-        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
-      )
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify the includeIf entries point to the credentials file
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      localConfigContent.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      localConfigContent.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
 
     // Act
     await authHelper.removeAuth()
 
-    // Assert all includeIf entries removed from local git config
+    // Assert includeIf entries removed from local git config
     localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
     expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
-    ).toBeLessThan(0)
-    expect(
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
-    ).toBeLessThan(0)
-    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
 
     // Assert credentials config file deleted
     credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
-  })
-
-  const removeAuth_removesTokenFromSubmodules =
-    'removeAuth removes token from submodules'
-  it(removeAuth_removesTokenFromSubmodules, async () => {
-    // Arrange
-    await setup(removeAuth_removesTokenFromSubmodules)
-
-    // Create fake submodule config paths
-    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
-    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
-    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
-    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
-
-    await fs.promises.mkdir(submodule1Dir, {recursive: true})
-    await fs.promises.mkdir(submodule2Dir, {recursive: true})
-    await fs.promises.writeFile(submodule1ConfigPath, '')
-    await fs.promises.writeFile(submodule2ConfigPath, '')
-
-    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
-    const mockGetSubmoduleConfigPaths =
-      git.getSubmoduleConfigPaths as jest.Mock<any, any>
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    await authHelper.configureAuth()
-    await authHelper.configureSubmoduleAuth()
-
-    // Verify credentials file exists
-    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(1)
-    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-
-    // Verify submodule 1 config has includeIf entries
-    let submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
-    expect(
-      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule1Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify submodule 2 config has includeIf entries
-    let submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
-    expect(
-      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(credentialsFilePath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Verify both host and container paths are in each submodule config
-    const containerCredentialsPath = path.posix.join(
-      '/github/runner_temp',
-      path.basename(credentialsFilePath)
-    )
-    expect(
-      submodule1Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-    expect(
-      submodule2Content.indexOf(containerCredentialsPath)
-    ).toBeGreaterThanOrEqual(0)
-
-    // Act - ensure mock persists for removeAuth
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
-      submodule1ConfigPath,
-      submodule2ConfigPath
-    ])
-    await authHelper.removeAuth()
-
-    // Assert submodule 1 includeIf entries removed
-    submodule1Content = (
-      await fs.promises.readFile(submodule1ConfigPath)
-    ).toString()
-    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert submodule 2 includeIf entries removed
-    submodule2Content = (
-      await fs.promises.readFile(submodule2ConfigPath)
-    ).toString()
-    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
-    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
-    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-
-    // Assert credentials config file deleted
-    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
-    )
-    expect(credentialsFiles.length).toBe(0)
-
-    // Verify credentials file no longer exists on disk
-    try {
-      await fs.promises.stat(credentialsFilePath)
-      throw new Error('Credentials file should have been deleted')
-    } catch (err) {
-      if ((err as any)?.code !== 'ENOENT') {
-        throw err
-      }
-    }
   })
 
   const removeGlobalConfig_removesOverride =
@@ -928,52 +768,6 @@ describe('git-auth-helper tests', () => {
       }
     }
   })
-
-  const testCredentialsConfigPath_matchesCredentialsConfigPaths =
-    'testCredentialsConfigPath matches credentials config paths'
-  it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
-    // Arrange
-    await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
-    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-
-    // Get a real credentials config path
-    const credentialsConfigPath = await (
-      authHelper as any
-    ).getCredentialsConfigPath()
-
-    // Act & Assert
-    expect(
-      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
-    ).toBe(true)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
-      )
-    ).toBe(true)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
-      )
-    ).toBe(true)
-
-    // Test invalid paths
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/other-config.config'
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-invalid.config'
-      )
-    ).toBe(false)
-    expect(
-      (authHelper as any).testCredentialsConfigPath(
-        '/some/path/git-credentials-.config'
-      )
-    ).toBe(false)
-    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
-  })
 })
 
 async function setup(testName: string): Promise<void> {
@@ -1040,7 +834,6 @@ async function setup(testName: string): Promise<void> {
     env: {},
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => workspace),
     init: jest.fn(),
     isDetached: jest.fn(),
@@ -1080,41 +873,28 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryConfigUnsetValue: jest.fn(
-      async (
+      async (key: string, value: string, globalConfig?: boolean): Promise<boolean> => {
-        key: string,
+        const configPath = globalConfig
-        value: string,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        globalConfig?: boolean,
+          : localGitConfigPath
-        configPath?: string
+        let content = await fs.promises.readFile(configPath)
-      ): Promise<boolean> => {
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        let content = await fs.promises.readFile(targetConfigPath)
         let lines = content
           .toString()
           .split('\n')
           .filter(x => x)
           .filter(x => !(x.startsWith(key) && x.includes(value)))
-        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
+        await fs.promises.writeFile(configPath, lines.join('\n'))
         return true
       }
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
     tryGetConfigValues: jest.fn(
-      async (
+      async (key: string, globalConfig?: boolean): Promise<string[]> => {
-        key: string,
+        const configPath = globalConfig
-        globalConfig?: boolean,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        configPath?: string
+          : localGitConfigPath
-      ): Promise<string[]> => {
+        const content = await fs.promises.readFile(configPath)
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')
@@ -1124,17 +904,11 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryGetConfigKeys: jest.fn(
-      async (
+      async (pattern: string, globalConfig?: boolean): Promise<string[]> => {
-        pattern: string,
+        const configPath = globalConfig
-        globalConfig?: boolean,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        configPath?: string
+          : localGitConfigPath
-      ): Promise<string[]> => {
+        const content = await fs.promises.readFile(configPath)
-        const targetConfigPath =
-          configPath ||
-          (globalConfig
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-            : localGitConfigPath)
-        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')

__test__/git-directory-helper.test.ts

@@ -471,7 +471,6 @@ async function setup(testName: string): Promise<void> {
     configExists: jest.fn(),
     fetch: jest.fn(),
     getDefaultBranch: jest.fn(),
-    getSubmoduleConfigPaths: jest.fn(async () => []),
     getWorkingDirectory: jest.fn(() => repositoryPath),
     init: jest.fn(),
     isDetached: jest.fn(),

__test__/verify-submodules-recursive.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-submodules-true.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-worktree.sh

@@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-# Verify worktree credentials
-# This test verifies that git credentials work in worktrees created after checkout
-# Usage: verify-worktree.sh <checkout-path> <worktree-name>
-
-CHECKOUT_PATH="$1"
-WORKTREE_NAME="$2"
-
-if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
-  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
-  exit 1
-fi
-
-cd "$CHECKOUT_PATH"
-
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
-# Show the includeIf configuration
-echo "Git config includeIf entries:"
-git config --list --show-origin | grep -i include || true
-
-# Create the worktree
-echo "Creating worktree..."
-git worktree add "../$WORKTREE_NAME" HEAD --detach
-
-# Change to worktree directory
-cd "../$WORKTREE_NAME"
-
-# Verify we're in a worktree
-echo "Verifying worktree gitdir:"
-cat .git
-
-# Verify credentials are available in worktree by checking extraheader is configured
-echo "Checking credentials in worktree..."
-if git config --list --show-origin | grep -q "extraheader"; then
-  echo "Credentials are configured in worktree"
-else
-  echo "ERROR: Credentials are NOT configured in worktree"
-  echo "Full git config:"
-  git config --list --show-origin
-  exit 1
-fi
-
-# Verify fetch works in the worktree
-echo "Fetching in worktree..."
-git fetch origin
-
-echo "Worktree credentials test passed!"

dist/index.js

@@ -163,6 +163,7 @@ class GitAuthHelper {
         this.sshKnownHostsPath = '';
         this.temporaryHomePath = '';
         this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
+        this.credentialsIncludeKeys = []; // Track includeIf config keys for cleanup
         this.git = gitCommandManager;
         this.settings = gitSourceSettings || {};
         // Token auth header
@@ -188,6 +189,20 @@ class GitAuthHelper {
             yield this.configureToken();
         });
     }
+    getCredentialsConfigPath() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this.credentialsConfigPath) {
+                return this.credentialsConfigPath;
+            }
+            const runnerTemp = process.env['RUNNER_TEMP'] || '';
+            assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+            // Create a unique filename for this checkout instance
+            const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
+            this.credentialsConfigPath = path.join(runnerTemp, configFileName);
+            core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
+            return this.credentialsConfigPath;
+        });
+    }
     configureTempGlobalConfig() {
         return __awaiter(this, void 0, void 0, function* () {
             var _a;
@@ -238,9 +253,7 @@ class GitAuthHelper {
                 yield this.git.tryConfigUnset(this.insteadOfKey, true);
                 if (!this.settings.sshKey) {
                     for (const insteadOfValue of this.insteadOfValues) {
-                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
+                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
-                        true // add?
-                        );
                     }
                 }
             }
@@ -257,12 +270,22 @@ class GitAuthHelper {
             // Remove possible previous HTTPS instead of SSH
             yield this.removeSubmoduleGitConfig(this.insteadOfKey);
             if (this.settings.persistCredentials) {
-                // Get the credentials config file path in RUNNER_TEMP
+                // Credentials config path
-                const credentialsConfigPath = this.getCredentialsConfigPath();
+                const credentialsConfigPath = yield this.getCredentialsConfigPath();
                 // Container credentials config path
                 const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                // Container repo path
+                const workingDirectory = this.git.getWorkingDirectory();
+                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                let relativePath = path.relative(githubWorkspace, workingDirectory);
+                relativePath = relativePath.replace(/\\/g, '/');
+                const containerRepoPath = path.posix.join('/github/workspace', relativePath);
                 // Get submodule config file paths.
-                const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
+                // Use `--show-origin` to get the config file path for each submodule.
+                const output = yield this.git.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, this.settings.nestedSubmodules);
+                // Extract config file paths from the output (lines starting with "file:").
+                const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
                 // For each submodule, configure includeIf entries pointing to the shared credentials file.
                 // Configure both host and container paths to support Docker container actions.
                 for (const configPath of configPaths) {
@@ -270,19 +293,12 @@ class GitAuthHelper {
                     let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
                     submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     // Configure host includeIf
-                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, false, configPath);
-                    false, // add?
+                    // Configure container includeIf
-                    configPath);
-                    // Container submodule git directory
-                    const githubWorkspace = process.env['GITHUB_WORKSPACE'];
-                    assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
                     let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
                     relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
-                    // Configure container includeIf
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath);
-                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
-                    false, // add?
-                    configPath);
                 }
                 if (this.settings.sshKey) {
                     // Configure core.sshCommand
@@ -313,10 +329,6 @@ class GitAuthHelper {
             }
         });
     }
-    /**
-     * Configures SSH authentication by writing the SSH key and known hosts,
-     * and setting up the GIT_SSH_COMMAND environment variable.
-     */
     configureSsh() {
         return __awaiter(this, void 0, void 0, function* () {
             if (!this.settings.sshKey) {
@@ -373,37 +385,21 @@ class GitAuthHelper {
             }
         });
     }
-    /**
-     * Configures token-based authentication by creating a credentials config file
-     * and setting up includeIf entries to reference it.
-     * @param globalConfig Whether to configure global config instead of local
-     */
     configureToken(globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
             // Get the credentials config file path in RUNNER_TEMP
-            const credentialsConfigPath = this.getCredentialsConfigPath();
+            const credentialsConfigPath = yield this.getCredentialsConfigPath();
             // Write placeholder to the separate credentials config file using git config.
             // This approach avoids the credential being captured by process creation audit events,
             // which are commonly logged. For more information, refer to
             // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
+            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, false, credentialsConfigPath);
-            false, // add?
-            credentialsConfigPath);
             // Replace the placeholder in the credentials config file
-            let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
+            yield this.replaceTokenPlaceholder(credentialsConfigPath);
-            const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
-            if (placeholderIndex < 0 ||
-                placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
-                throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`);
-            }
-            assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
-            content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
-            yield fs.promises.writeFile(credentialsConfigPath, content);
             // Add include or includeIf to reference the credentials config
             if (globalConfig) {
                 // Global config file is temporary
-                yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
+                yield this.git.config('include.path', credentialsConfigPath, true);
-                );
             }
             else {
                 // Host git directory
@@ -412,13 +408,11 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
-                // Configure host includeIf for worktrees
+                this.credentialsIncludeKeys.push(hostIncludeKey);
-                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
-                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
-                const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
                 assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
+                const workingDirectory = this.git.getWorkingDirectory();
                 let relativePath = path.relative(githubWorkspace, workingDirectory);
                 relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                 const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
@@ -427,40 +421,31 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                // Configure container includeIf for worktrees
+                this.credentialsIncludeKeys.push(containerIncludeKey);
-                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
-                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
-    /**
+    replaceTokenPlaceholder(configPath) {
-     * Gets or creates the path to the credentials config file in RUNNER_TEMP.
+        return __awaiter(this, void 0, void 0, function* () {
-     * @returns The absolute path to the credentials config file
+            assert.ok(configPath, 'configPath is not defined');
-     */
+            let content = (yield fs.promises.readFile(configPath)).toString();
-    getCredentialsConfigPath() {
+            const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
-        if (this.credentialsConfigPath) {
+            if (placeholderIndex < 0 ||
-            return this.credentialsConfigPath;
+                placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
-        }
+                throw new Error(`Unable to replace auth placeholder in ${configPath}`);
-        const runnerTemp = process.env['RUNNER_TEMP'] || '';
+            }
-        assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+            assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
-        // Create a unique filename for this checkout instance
+            content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
-        const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
+            yield fs.promises.writeFile(configPath, content);
-        this.credentialsConfigPath = path.join(runnerTemp, configFileName);
+        });
-        core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
-        return this.credentialsConfigPath;
     }
-    /**
-     * Removes SSH authentication configuration by cleaning up SSH keys,
-     * known hosts files, and SSH command configurations.
-     */
     removeSsh() {
         return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b;
+            var _a;
             // SSH key
             const keyPath = this.sshKeyPath || stateHelper.SshKeyPath;
             if (keyPath) {
                 try {
-                    core.info(`Removing SSH key '${keyPath}'`);
                     yield io.rmRF(keyPath);
                 }
                 catch (err) {
@@ -472,68 +457,60 @@ class GitAuthHelper {
             const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath;
             if (knownHostsPath) {
                 try {
-                    core.info(`Removing SSH known hosts '${knownHostsPath}'`);
                     yield io.rmRF(knownHostsPath);
                 }
-                catch (err) {
+                catch (_b) {
-                    core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`);
+                    // Intentionally empty
-                    core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`);
                 }
             }
             // SSH command
-            core.info('Removing SSH command configuration');
             yield this.removeGitConfig(SSH_COMMAND_KEY);
             yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
         });
     }
-    /**
-     * Removes token-based authentication by cleaning up HTTP headers,
-     * includeIf entries, and credentials config files.
-     */
     removeToken() {
         return __awaiter(this, void 0, void 0, function* () {
             var _a;
             // Remove HTTP extra header
-            core.info('Removing HTTP extra header');
             yield this.removeGitConfig(this.tokenConfigKey);
             yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
-            // Collect credentials config paths that need to be removed
-            const credentialsPaths = new Set();
             // Remove includeIf entries that point to git-credentials-*.config files
-            core.info('Removing includeIf entries pointing to credentials config files');
+            // This is more aggressive than tracking keys, but necessary since cleanup
-            const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
+            // runs in a post-step where this.credentialsIncludeKeys is empty
-            mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
+            try {
-            // Remove submodule includeIf entries that point to git-credentials-*.config files
+                // Get all includeIf.gitdir keys
-            const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
+                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:');
-            for (const configPath of submoduleConfigPaths) {
+                for (const key of keys) {
-                const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
+                    // Get all values for this key
-                submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
+                    const values = yield this.git.tryGetConfigValues(key);
-            }
+                    if (values.length > 0) {
-            // Remove credentials config files
+                        // Remove only values that match git-credentials-<uuid>.config pattern
-            for (const credentialsPath of credentialsPaths) {
+                        for (const value of values) {
-                // Only remove credentials config files if they are under RUNNER_TEMP
+                            if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
-                const runnerTemp = process.env['RUNNER_TEMP'];
+                                yield this.git.tryConfigUnsetValue(key, value);
-                assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+                            }
-                if (credentialsPath.startsWith(runnerTemp)) {
+                        }
-                    try {
-                        core.info(`Removing credentials config '${credentialsPath}'`);
-                        yield io.rmRF(credentialsPath);
-                    }
-                    catch (err) {
-                        core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
-                        core.warning(`Failed to remove credentials config '${credentialsPath}'`);
                     }
                 }
-                else {
+            }
-                    core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`);
+            catch (err) {
+                // Ignore errors - this is cleanup code
+                core.debug(`Error during includeIf cleanup: ${err}`);
+            }
+            // Remove submodule includeIf
+            yield this.git.submoduleForeach(`sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`, true);
+            // Remove credentials config file
+            if (this.credentialsConfigPath) {
+                try {
+                    yield io.rmRF(this.credentialsConfigPath);
+                }
+                catch (err) {
+                    core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
+                    core.warning(`Failed to remove credentials config '${this.credentialsConfigPath}'`);
                 }
             }
         });
     }
-    /**
-     * Removes a git config key from the local repository config.
-     * @param configKey The git config key to remove
-     */
     removeGitConfig(configKey) {
         return __awaiter(this, void 0, void 0, function* () {
             if ((yield this.git.configExists(configKey)) &&
@@ -543,10 +520,6 @@ class GitAuthHelper {
             }
         });
     }
-    /**
-     * Removes a git config key from all submodule configs.
-     * @param configKey The git config key to remove
-     */
     removeSubmoduleGitConfig(configKey) {
         return __awaiter(this, void 0, void 0, function* () {
             const pattern = regexpHelper.escape(configKey);
@@ -555,53 +528,6 @@ class GitAuthHelper {
             `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
         });
     }
-    /**
-     * Removes includeIf entries that point to git-credentials-*.config files.
-     * @param configPath Optional path to a specific git config file to operate on
-     * @returns Array of unique credentials config file paths that were found and removed
-     */
-    removeIncludeIfCredentials(configPath) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const credentialsPaths = new Set();
-            try {
-                // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
-                configPath);
-                for (const key of keys) {
-                    // Get all values for this key
-                    const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
-                    configPath);
-                    if (values.length > 0) {
-                        // Remove only values that match git-credentials-<uuid>.config pattern
-                        for (const value of values) {
-                            if (this.testCredentialsConfigPath(value)) {
-                                credentialsPaths.add(value);
-                                yield this.git.tryConfigUnsetValue(key, value, false, configPath);
-                            }
-                        }
-                    }
-                }
-            }
-            catch (err) {
-                // Ignore errors - this is cleanup code
-                if (configPath) {
-                    core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
-                }
-                else {
-                    core.debug(`Error during includeIf cleanup: ${err}`);
-                }
-            }
-            return Array.from(credentialsPaths);
-        });
-    }
-    /**
-     * Tests if a path matches the git-credentials-*.config pattern.
-     * @param path The path to test
-     * @returns True if the path matches the credentials config pattern
-     */
-    testCredentialsConfigPath(path) {
-        return /git-credentials-[0-9a-f-]+\.config$/i.test(path);
-    }
 }
 
 
@@ -884,16 +810,6 @@ class GitCommandManager {
             throw new Error('Unexpected output when retrieving default branch');
         });
     }
-    getSubmoduleConfigPaths(recursive) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // Get submodule config file paths.
-            // Use `--show-origin` to get the config file path for each submodule.
-            const output = yield this.submoduleForeach(`git config --local --show-origin --name-only --get-regexp remote.origin.url`, recursive);
-            // Extract config file paths from the output (lines starting with "file:").
-            const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
-            return configPaths;
-        });
-    }
     getWorkingDirectory() {
         return this.workingDirectory;
     }
@@ -1024,17 +940,15 @@ class GitCommandManager {
             return output.exitCode === 0;
         });
     }
-    tryConfigUnsetValue(configKey, configValue, globalConfig, configFile) {
+    tryConfigUnsetValue(configKey, configValue, globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
+            const output = yield this.execGit([
-            if (configFile) {
+                'config',
-                args.push('--file', configFile);
+                globalConfig ? '--global' : '--local',
-            }
+                '--unset',
-            else {
+                configKey,
-                args.push(globalConfig ? '--global' : '--local');
+                configValue
-            }
+            ], true);
-            args.push('--unset', configKey, configValue);
-            const output = yield this.execGit(args, true);
             return output.exitCode === 0;
         });
     }
@@ -1057,44 +971,33 @@ class GitCommandManager {
             return stdout;
         });
     }
-    tryGetConfigValues(configKey, globalConfig, configFile) {
+    tryGetConfigValues(configKey, globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
+            const output = yield this.execGit([
-            if (configFile) {
+                'config',
-                args.push('--file', configFile);
+                globalConfig ? '--global' : '--local',
-            }
+                '--get-all',
-            else {
+                configKey
-                args.push(globalConfig ? '--global' : '--local');
+            ], true);
-            }
-            args.push('--get-all', configKey);
-            const output = yield this.execGit(args, true);
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout
+            return output.stdout.trim().split('\n').filter(value => value.trim());
-                .trim()
-                .split('\n')
-                .filter(value => value.trim());
         });
     }
-    tryGetConfigKeys(pattern, globalConfig, configFile) {
+    tryGetConfigKeys(pattern, globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
+            const output = yield this.execGit([
-            if (configFile) {
+                'config',
-                args.push('--file', configFile);
+                globalConfig ? '--global' : '--local',
-            }
+                '--name-only',
-            else {
+                '--get-regexp',
-                args.push(globalConfig ? '--global' : '--local');
+                pattern
-            }
+            ], true);
-            args.push('--name-only', '--get-regexp', pattern);
-            const output = yield this.execGit(args, true);
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout
+            return output.stdout.trim().split('\n').filter(key => key.trim());
-                .trim()
-                .split('\n')
-                .filter(key => key.trim());
         });
     }
     tryReset() {

src/git-auth-helper.ts

@@ -44,6 +44,7 @@ class GitAuthHelper {
   private sshKnownHostsPath = ''
   private temporaryHomePath = ''
   private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
+  private credentialsIncludeKeys: string[] = [] // Track includeIf config keys for cleanup
 
   constructor(
     gitCommandManager: IGitCommandManager,
@@ -82,6 +83,22 @@ class GitAuthHelper {
     await this.configureToken()
   }
 
+  private async getCredentialsConfigPath(): Promise<string> {
+    if (this.credentialsConfigPath) {
+      return this.credentialsConfigPath
+    }
+
+    const runnerTemp = process.env['RUNNER_TEMP'] || ''
+    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
+
+    // Create a unique filename for this checkout instance
+    const configFileName = `git-credentials-${uuid()}.config`
+    this.credentialsConfigPath = path.join(runnerTemp, configFileName)
+
+    core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
+    return this.credentialsConfigPath
+  }
+
   async configureTempGlobalConfig(): Promise<string> {
     // Already setup global config
     if (this.temporaryHomePath?.length > 0) {
@@ -136,12 +153,7 @@ class GitAuthHelper {
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
         for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(
+          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
-            this.insteadOfKey,
-            insteadOfValue,
-            true, // globalConfig?
-            true // add?
-          )
         }
       }
     } catch (err) {
@@ -159,8 +171,8 @@ class GitAuthHelper {
     await this.removeSubmoduleGitConfig(this.insteadOfKey)
 
     if (this.settings.persistCredentials) {
-      // Get the credentials config file path in RUNNER_TEMP
+      // Credentials config path
-      const credentialsConfigPath = this.getCredentialsConfigPath()
+      const credentialsConfigPath = await this.getCredentialsConfigPath()
 
       // Container credentials config path
       const containerCredentialsPath = path.posix.join(
@@ -168,11 +180,28 @@ class GitAuthHelper {
         path.basename(credentialsConfigPath)
       )
 
+      // Container repo path
+      const workingDirectory = this.git.getWorkingDirectory()
+      const githubWorkspace = process.env['GITHUB_WORKSPACE']
+      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      let relativePath = path.relative(githubWorkspace, workingDirectory)
+      relativePath = relativePath.replace(/\\/g, '/')
+      const containerRepoPath = path.posix.join(
+        '/github/workspace',
+        relativePath
+      )
+
       // Get submodule config file paths.
-      const configPaths = await this.git.getSubmoduleConfigPaths(
+      // Use `--show-origin` to get the config file path for each submodule.
+      const output = await this.git.submoduleForeach(
+        `git config --local --show-origin --name-only --get-regexp remote.origin.url`,
         this.settings.nestedSubmodules
       )
 
+      // Extract config file paths from the output (lines starting with "file:").
+      const configPaths =
+        output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
+
       // For each submodule, configure includeIf entries pointing to the shared credentials file.
       // Configure both host and container paths to support Docker container actions.
       for (const configPath of configPaths) {
@@ -184,14 +213,12 @@ class GitAuthHelper {
         await this.git.config(
           `includeIf.gitdir:${submoduleGitDir}.path`,
           credentialsConfigPath,
-          false, // globalConfig?
+          false,
-          false, // add?
+          false,
           configPath
         )
 
-        // Container submodule git directory
+        // Configure container includeIf
-        const githubWorkspace = process.env['GITHUB_WORKSPACE']
-        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
         let relativeSubmoduleGitDir = path.relative(
           githubWorkspace,
           submoduleGitDir
@@ -201,13 +228,11 @@ class GitAuthHelper {
           '/github/workspace',
           relativeSubmoduleGitDir
         )
-
-        // Configure container includeIf
         await this.git.config(
           `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
           containerCredentialsPath,
-          false, // globalConfig?
+          false,
-          false, // add?
+          false,
           configPath
         )
       }
@@ -243,10 +268,6 @@ class GitAuthHelper {
     }
   }
 
-  /**
-   * Configures SSH authentication by writing the SSH key and known hosts,
-   * and setting up the GIT_SSH_COMMAND environment variable.
-   */
   private async configureSsh(): Promise<void> {
     if (!this.settings.sshKey) {
       return
@@ -318,14 +339,9 @@ class GitAuthHelper {
     }
   }
 
-  /**
-   * Configures token-based authentication by creating a credentials config file
-   * and setting up includeIf entries to reference it.
-   * @param globalConfig Whether to configure global config instead of local
-   */
   private async configureToken(globalConfig?: boolean): Promise<void> {
     // Get the credentials config file path in RUNNER_TEMP
-    const credentialsConfigPath = this.getCredentialsConfigPath()
+    const credentialsConfigPath = await this.getCredentialsConfigPath()
 
     // Write placeholder to the separate credentials config file using git config.
     // This approach avoids the credential being captured by process creation audit events,
@@ -334,37 +350,18 @@ class GitAuthHelper {
     await this.git.config(
       this.tokenConfigKey,
       this.tokenPlaceholderConfigValue,
-      false, // globalConfig?
+      false,
-      false, // add?
+      false,
       credentialsConfigPath
     )
 
     // Replace the placeholder in the credentials config file
-    let content = (await fs.promises.readFile(credentialsConfigPath)).toString()
+    await this.replaceTokenPlaceholder(credentialsConfigPath)
-    const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
-    if (
-      placeholderIndex < 0 ||
-      placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
-    ) {
-      throw new Error(
-        `Unable to replace auth placeholder in ${credentialsConfigPath}`
-      )
-    }
-    assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
-    content = content.replace(
-      this.tokenPlaceholderConfigValue,
-      this.tokenConfigValue
-    )
-    await fs.promises.writeFile(credentialsConfigPath, content)
 
     // Add include or includeIf to reference the credentials config
     if (globalConfig) {
       // Global config file is temporary
-      await this.git.config(
+      await this.git.config('include.path', credentialsConfigPath, true)
-        'include.path',
-        credentialsConfigPath,
-        true // globalConfig?
-      )
     } else {
       // Host git directory
       let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
@@ -373,15 +370,12 @@ class GitAuthHelper {
       // Configure host includeIf
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
-
+      this.credentialsIncludeKeys.push(hostIncludeKey)
-      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
-      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
 
       // Container git directory
-      const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
       assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
+      const workingDirectory = this.git.getWorkingDirectory()
       let relativePath = path.relative(githubWorkspace, workingDirectory)
       relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
       const containerGitDir = path.posix.join(
@@ -399,46 +393,33 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
-
+      this.credentialsIncludeKeys.push(containerIncludeKey)
-      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
-      await this.git.config(
-        containerWorktreeIncludeKey,
-        containerCredentialsPath
-      )
     }
   }
 
-  /**
+  private async replaceTokenPlaceholder(configPath: string): Promise<void> {
-   * Gets or creates the path to the credentials config file in RUNNER_TEMP.
+    assert.ok(configPath, 'configPath is not defined')
-   * @returns The absolute path to the credentials config file
+    let content = (await fs.promises.readFile(configPath)).toString()
-   */
+    const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
-  private getCredentialsConfigPath(): string {
+    if (
-    if (this.credentialsConfigPath) {
+      placeholderIndex < 0 ||
-      return this.credentialsConfigPath
+      placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
+    ) {
+      throw new Error(`Unable to replace auth placeholder in ${configPath}`)
     }
-
+    assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
-    const runnerTemp = process.env['RUNNER_TEMP'] || ''
+    content = content.replace(
-    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
+      this.tokenPlaceholderConfigValue,
-
+      this.tokenConfigValue
-    // Create a unique filename for this checkout instance
+    )
-    const configFileName = `git-credentials-${uuid()}.config`
+    await fs.promises.writeFile(configPath, content)
-    this.credentialsConfigPath = path.join(runnerTemp, configFileName)
-
-    core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
-    return this.credentialsConfigPath
   }
 
-  /**
-   * Removes SSH authentication configuration by cleaning up SSH keys,
-   * known hosts files, and SSH command configurations.
-   */
   private async removeSsh(): Promise<void> {
     // SSH key
     const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
     if (keyPath) {
       try {
-        core.info(`Removing SSH key '${keyPath}'`)
         await io.rmRF(keyPath)
       } catch (err) {
         core.debug(`${(err as any)?.message ?? err}`)
@@ -451,73 +432,65 @@ class GitAuthHelper {
       this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
     if (knownHostsPath) {
       try {
-        core.info(`Removing SSH known hosts '${knownHostsPath}'`)
         await io.rmRF(knownHostsPath)
-      } catch (err) {
+      } catch {
-        core.debug(`${(err as any)?.message ?? err}`)
+        // Intentionally empty
-        core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`)
       }
     }
 
     // SSH command
-    core.info('Removing SSH command configuration')
     await this.removeGitConfig(SSH_COMMAND_KEY)
     await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
   }
 
-  /**
-   * Removes token-based authentication by cleaning up HTTP headers,
-   * includeIf entries, and credentials config files.
-   */
   private async removeToken(): Promise<void> {
     // Remove HTTP extra header
-    core.info('Removing HTTP extra header')
     await this.removeGitConfig(this.tokenConfigKey)
     await this.removeSubmoduleGitConfig(this.tokenConfigKey)
 
-    // Collect credentials config paths that need to be removed
-    const credentialsPaths = new Set<string>()
-
     // Remove includeIf entries that point to git-credentials-*.config files
-    core.info('Removing includeIf entries pointing to credentials config files')
+    // This is more aggressive than tracking keys, but necessary since cleanup
-    const mainCredentialsPaths = await this.removeIncludeIfCredentials()
+    // runs in a post-step where this.credentialsIncludeKeys is empty
-    mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
+    try {
-
+      // Get all includeIf.gitdir keys
-    // Remove submodule includeIf entries that point to git-credentials-*.config files
+      const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:')
-    const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
+      
-    for (const configPath of submoduleConfigPaths) {
+      for (const key of keys) {
-      const submoduleCredentialsPaths =
+        // Get all values for this key
-        await this.removeIncludeIfCredentials(configPath)
+        const values = await this.git.tryGetConfigValues(key)
-      submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
+        if (values.length > 0) {
+          // Remove only values that match git-credentials-<uuid>.config pattern
+          for (const value of values) {
+            if (/git-credentials-[0-9a-f-]+\.config$/i.test(value)) {
+              await this.git.tryConfigUnsetValue(key, value)
+            }
+          }
+        }
+      }
+    } catch (err) {
+      // Ignore errors - this is cleanup code
+      core.debug(`Error during includeIf cleanup: ${err}`)
     }
 
-    // Remove credentials config files
+    // Remove submodule includeIf
-    for (const credentialsPath of credentialsPaths) {
+    await this.git.submoduleForeach(
-      // Only remove credentials config files if they are under RUNNER_TEMP
+      `sh -c "git config --local --get-regexp '^includeIf\\.' && git config --local --remove-section includeIf || :"`,
-      const runnerTemp = process.env['RUNNER_TEMP']
+      true
-      assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
+    )
-      if (credentialsPath.startsWith(runnerTemp)) {
+
-        try {
+    // Remove credentials config file
-          core.info(`Removing credentials config '${credentialsPath}'`)
+    if (this.credentialsConfigPath) {
-          await io.rmRF(credentialsPath)
+      try {
-        } catch (err) {
+        await io.rmRF(this.credentialsConfigPath)
-          core.debug(`${(err as any)?.message ?? err}`)
+      } catch (err) {
-          core.warning(
+        core.debug(`${(err as any)?.message ?? err}`)
-            `Failed to remove credentials config '${credentialsPath}'`
+        core.warning(
-          )
+          `Failed to remove credentials config '${this.credentialsConfigPath}'`
-        }
-      } else {
-        core.debug(
-          `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
         )
       }
     }
   }
 
-  /**
-   * Removes a git config key from the local repository config.
-   * @param configKey The git config key to remove
-   */
   private async removeGitConfig(configKey: string): Promise<void> {
     if (
       (await this.git.configExists(configKey)) &&
@@ -528,10 +501,6 @@ class GitAuthHelper {
     }
   }
 
-  /**
-   * Removes a git config key from all submodule configs.
-   * @param configKey The git config key to remove
-   */
   private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
     const pattern = regexpHelper.escape(configKey)
     await this.git.submoduleForeach(
@@ -540,60 +509,4 @@ class GitAuthHelper {
       true
     )
   }
-
-  /**
-   * Removes includeIf entries that point to git-credentials-*.config files.
-   * @param configPath Optional path to a specific git config file to operate on
-   * @returns Array of unique credentials config file paths that were found and removed
-   */
-  private async removeIncludeIfCredentials(
-    configPath?: string
-  ): Promise<string[]> {
-    const credentialsPaths = new Set<string>()
-
-    try {
-      // Get all includeIf.gitdir keys
-      const keys = await this.git.tryGetConfigKeys(
-        '^includeIf\\.gitdir:',
-        false, // globalConfig?
-        configPath
-      )
-
-      for (const key of keys) {
-        // Get all values for this key
-        const values = await this.git.tryGetConfigValues(
-          key,
-          false, // globalConfig?
-          configPath
-        )
-        if (values.length > 0) {
-          // Remove only values that match git-credentials-<uuid>.config pattern
-          for (const value of values) {
-            if (this.testCredentialsConfigPath(value)) {
-              credentialsPaths.add(value)
-              await this.git.tryConfigUnsetValue(key, value, false, configPath)
-            }
-          }
-        }
-      }
-    } catch (err) {
-      // Ignore errors - this is cleanup code
-      if (configPath) {
-        core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`)
-      } else {
-        core.debug(`Error during includeIf cleanup: ${err}`)
-      }
-    }
-
-    return Array.from(credentialsPaths)
-  }
-
-  /**
-   * Tests if a path matches the git-credentials-*.config pattern.
-   * @param path The path to test
-   * @returns True if the path matches the credentials config pattern
-   */
-  private testCredentialsConfigPath(path: string): boolean {
-    return /git-credentials-[0-9a-f-]+\.config$/i.test(path)
-  }
 }

src/git-command-manager.ts

@@ -42,7 +42,6 @@ export interface IGitCommandManager {
     }
   ): Promise<void>
   getDefaultBranch(repositoryUrl: string): Promise<string>
-  getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
   getWorkingDirectory(): string
   init(): Promise<void>
   isDetached(): Promise<boolean>
@@ -61,24 +60,11 @@ export interface IGitCommandManager {
   tagExists(pattern: string): Promise<boolean>
   tryClean(): Promise<boolean>
   tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
-  tryConfigUnsetValue(
+  tryConfigUnsetValue(configKey: string, configValue: string, globalConfig?: boolean): Promise<boolean>
-    configKey: string,
-    configValue: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<boolean>
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
-  tryGetConfigValues(
+  tryGetConfigValues(configKey: string, globalConfig?: boolean): Promise<string[]>
-    configKey: string,
+  tryGetConfigKeys(pattern: string, globalConfig?: boolean): Promise<string[]>
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
-  tryGetConfigKeys(
-    pattern: string,
-    globalConfig?: boolean,
-    configFile?: string
-  ): Promise<string[]>
   tryReset(): Promise<boolean>
   version(): Promise<GitVersion>
 }
@@ -347,21 +333,6 @@ class GitCommandManager {
     throw new Error('Unexpected output when retrieving default branch')
   }
 
-  async getSubmoduleConfigPaths(recursive: boolean): Promise<string[]> {
-    // Get submodule config file paths.
-    // Use `--show-origin` to get the config file path for each submodule.
-    const output = await this.submoduleForeach(
-      `git config --local --show-origin --name-only --get-regexp remote.origin.url`,
-      recursive
-    )
-
-    // Extract config file paths from the output (lines starting with "file:").
-    const configPaths =
-      output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
-
-    return configPaths
-  }
-
   getWorkingDirectory(): string {
     return this.workingDirectory
   }
@@ -497,18 +468,18 @@ class GitCommandManager {
   async tryConfigUnsetValue(
     configKey: string,
     configValue: string,
-    globalConfig?: boolean,
+    globalConfig?: boolean
-    configFile?: string
   ): Promise<boolean> {
-    const args = ['config']
+    const output = await this.execGit(
-    if (configFile) {
+      [
-      args.push('--file', configFile)
+        'config',
-    } else {
+        globalConfig ? '--global' : '--local',
-      args.push(globalConfig ? '--global' : '--local')
+        '--unset',
-    }
+        configKey,
-    args.push('--unset', configKey, configValue)
+        configValue
-
+      ],
-    const output = await this.execGit(args, true)
+      true
+    )
     return output.exitCode === 0
   }
 
@@ -540,52 +511,45 @@ class GitCommandManager {
 
   async tryGetConfigValues(
     configKey: string,
-    globalConfig?: boolean,
+    globalConfig?: boolean
-    configFile?: string
   ): Promise<string[]> {
-    const args = ['config']
+    const output = await this.execGit(
-    if (configFile) {
+      [
-      args.push('--file', configFile)
+        'config',
-    } else {
+        globalConfig ? '--global' : '--local',
-      args.push(globalConfig ? '--global' : '--local')
+        '--get-all',
-    }
+        configKey
-    args.push('--get-all', configKey)
+      ],
-
+      true
-    const output = await this.execGit(args, true)
+    )
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout
+    return output.stdout.trim().split('\n').filter(value => value.trim())
-      .trim()
-      .split('\n')
-      .filter(value => value.trim())
   }
 
   async tryGetConfigKeys(
     pattern: string,
-    globalConfig?: boolean,
+    globalConfig?: boolean
-    configFile?: string
   ): Promise<string[]> {
-    const args = ['config']
+    const output = await this.execGit(
-    if (configFile) {
+      [
-      args.push('--file', configFile)
+        'config',
-    } else {
+        globalConfig ? '--global' : '--local',
-      args.push(globalConfig ? '--global' : '--local')
+        '--name-only',
-    }
+        '--get-regexp',
-    args.push('--name-only', '--get-regexp', pattern)
+        pattern
-
+      ],
-    const output = await this.execGit(args, true)
+      true
+    )
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout
+    return output.stdout.trim().split('\n').filter(key => key.trim())
-      .trim()
-      .split('\n')
-      .filter(key => key.trim())
   }
 
   async tryReset(): Promise<boolean> {

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )