fix ci failures

* Bump uuid, @actions/core and @actions/tool-cache

Bumps [uuid](https://github.com/uuidjs/uuid), [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) and [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache). These dependencies needed to be updated together.

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v9.0.1...v14.0.0)

Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/tool-cache` from 2.0.1 to 2.0.2
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/tool-cache)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
- dependency-name: "@actions/tool-cache"
  dependency-version: 2.0.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* switch to use crpto.randomUUID

* update license

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Aiqiao Yan <55104035+aiqiaoy@users.noreply.github.com>

.github/workflows/publish-immutable-actions.yml

@@ -17,4 +17,4 @@ jobs:
         uses: actions/checkout@v6
       - name: Publish
         id: publish
-        uses: actions/publish-immutable-action@0.0.3
+        uses: actions/publish-immutable-action@v0.0.4

.licensed.yml

@@ -11,4 +11,5 @@ allowed:
   - unlicense
 
 reviewed:
-  npm:
+  npm:
+    - "@actions/http-client" # MIT

.licenses/npm/@actions/core.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/core"
-version: 1.10.1
+version: 3.0.1
 type: npm
 summary: Actions core lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/core

.licenses/npm/@actions/exec.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/exec"
-version: 1.1.1
+version: 3.0.0
 type: npm
 summary: Actions exec lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/exec

.licenses/npm/@actions/github.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/github"
-version: 6.0.0
+version: 9.1.1
 type: npm
 summary: Actions github lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/github

.licenses/npm/@actions/http-client-3.0.2.dep.yml

@@ -1,10 +1,10 @@
 ---
 name: "@actions/http-client"
-version: 2.2.1
+version: 3.0.2
 type: npm
 summary: Actions Http Client
 homepage: https://github.com/actions/toolkit/tree/main/packages/http-client
-license: mit
+license: other
 licenses:
 - sources: LICENSE
   text: |

.licenses/npm/@actions/http-client-4.0.1.dep.yml

@@ -0,0 +1,32 @@
+---
+name: "@actions/http-client"
+version: 4.0.1
+type: npm
+summary: Actions Http Client
+homepage: https://github.com/actions/toolkit/tree/main/packages/http-client
+license: other
+licenses:
+- sources: LICENSE
+  text: |
+    Actions Http Client for Node.js
+
+    Copyright (c) GitHub, Inc.
+
+    All rights reserved.
+
+    MIT License
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+    associated documentation files (the "Software"), to deal in the Software without restriction,
+    including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+    and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+    subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+    LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+    NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+    WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+    SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+notices: []

.licenses/npm/@actions/io.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/io"
-version: 1.1.3
+version: 3.0.2
 type: npm
 summary: Actions io lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/io

.licenses/npm/@actions/tool-cache.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/tool-cache"
-version: 2.0.1
+version: 4.0.0
 type: npm
 summary: Actions tool-cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache

.licenses/npm/@fastify/busboy.dep.yml

@@ -1,30 +0,0 @@
----
-name: "@fastify/busboy"
-version: 2.1.1
-type: npm
-summary: A streaming parser for HTML form data for node.js
-homepage: 
-license: mit
-licenses:
-- sources: LICENSE
-  text: |-
-    Copyright Brian White. All rights reserved.
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to
-    deal in the Software without restriction, including without limitation the
-    rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-    sell copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-    IN THE SOFTWARE.
-notices: []

.licenses/npm/@octokit/auth-token.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/auth-token"
-version: 4.0.0
+version: 6.0.0
 type: npm
 summary: GitHub API token authentication for browsers and Node.js
 homepage: 

.licenses/npm/@octokit/core.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/core"
-version: 5.2.0
+version: 7.0.6
 type: npm
 summary: Extendable client for GitHub's REST & GraphQL APIs
 homepage: 

.licenses/npm/@octokit/endpoint.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: "@octokit/endpoint"
-version: 9.0.6
+version: 11.0.3
 type: npm
 summary: Turns REST API endpoints into generic request options
-homepage:
+homepage: 
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/@octokit/graphql.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/graphql"
-version: 7.1.0
+version: 9.0.3
 type: npm
 summary: GitHub GraphQL API client for browsers and Node
 homepage: 

.licenses/npm/@octokit/openapi-types-22.1.0.dep.yml

@@ -1,20 +0,0 @@
----
-name: "@octokit/openapi-types"
-version: 22.1.0
-type: npm
-summary: Generated TypeScript definitions based on GitHub's OpenAPI spec for api.github.com
-homepage: 
-license: mit
-licenses:
-- sources: LICENSE
-  text: |-
-    Copyright 2020 Gregor Martynus
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-- sources: README.md
-  text: "[MIT](LICENSE)"
-notices: []

.licenses/npm/@octokit/openapi-types.dep.yml

@@ -1,14 +1,14 @@
 ---
 name: "@octokit/openapi-types"
-version: 20.0.0
+version: 27.0.0
 type: npm
 summary: Generated TypeScript definitions based on GitHub's OpenAPI spec for api.github.com
 homepage: 
 license: mit
 licenses:
 - sources: LICENSE
-  text: |-
-    Copyright 2020 Gregor Martynus
+  text: |
+    Copyright (c) GitHub 2025 - Licensed as MIT.
 
     Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

.licenses/npm/@octokit/plugin-paginate-rest.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: "@octokit/plugin-paginate-rest"
-version: 9.2.2
+version: 14.0.0
 type: npm
 summary: Octokit plugin to paginate REST API endpoint responses
-homepage:
+homepage: 
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/@octokit/plugin-rest-endpoint-methods.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/plugin-rest-endpoint-methods"
-version: 10.4.1
+version: 17.0.0
 type: npm
 summary: Octokit plugin adding one method for all of api.github.com REST API endpoints
 homepage: 

.licenses/npm/@octokit/request-error.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: "@octokit/request-error"
-version: 5.1.1
+version: 7.1.0
 type: npm
 summary: Error class for Octokit request errors
-homepage:
+homepage: 
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/@octokit/request.dep.yml

@@ -1,10 +1,10 @@
 ---
 name: "@octokit/request"
-version: 8.4.1
+version: 10.0.10
 type: npm
 summary: Send parameterized requests to GitHub's APIs with sensible defaults in browsers
   and Node
-homepage:
+homepage: 
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/@octokit/types-13.4.1.dep.yml

@@ -1,20 +0,0 @@
----
-name: "@octokit/types"
-version: 13.4.1
-type: npm
-summary: Shared TypeScript definitions for Octokit projects
-homepage: 
-license: mit
-licenses:
-- sources: LICENSE
-  text: |
-    MIT License Copyright (c) 2019 Octokit contributors
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-- sources: README.md
-  text: "[MIT](LICENSE)"
-notices: []

.licenses/npm/@octokit/types.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@octokit/types"
-version: 12.6.0
+version: 16.0.0
 type: npm
 summary: Shared TypeScript definitions for Octokit projects
 homepage: 

.licenses/npm/before-after-hook.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: before-after-hook
-version: 2.2.3
+version: 4.0.0
 type: npm
 summary: asynchronous before/error/after hooks for internal functionality
 homepage: 

.licenses/npm/content-type.dep.yml

@@ -0,0 +1,47 @@
+---
+name: content-type
+version: 2.0.0
+type: npm
+summary: Create and parse HTTP Content-Type header
+homepage: 
+license: mit
+licenses:
+- sources: LICENSE
+  text: |
+    (The MIT License)
+
+    Copyright (c) 2015 Douglas Christopher Wilson
+
+    Permission is hereby granted, free of charge, to any person obtaining
+    a copy of this software and associated documentation files (the
+    'Software'), to deal in the Software without restriction, including
+    without limitation the rights to use, copy, modify, merge, publish,
+    distribute, sublicense, and/or sell copies of the Software, and to
+    permit persons to whom the Software is furnished to do so, subject to
+    the following conditions:
+
+    The above copyright notice and this permission notice shall be
+    included in all copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+    EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+    MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+    IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+    CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+    TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+    SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+- sources: README.md
+  text: |-
+    [MIT](LICENSE)
+
+    [npm-image]: https://img.shields.io/npm/v/content-type
+    [npm-url]: https://npmjs.org/package/content-type
+    [downloads-image]: https://img.shields.io/npm/dm/content-type
+    [downloads-url]: https://npmjs.org/package/content-type
+    [build-image]: https://img.shields.io/github/actions/workflow/status/jshttp/content-type/ci.yml?branch=master
+    [build-url]: https://github.com/jshttp/content-type/actions/workflows/ci.yml?query=branch%3Amaster
+    [coverage-image]: https://img.shields.io/codecov/c/gh/jshttp/content-type
+    [coverage-url]: https://codecov.io/gh/jshttp/content-type
+    [license-image]: http://img.shields.io/npm/l/content-type.svg?style=flat
+    [license-url]: LICENSE
+notices: []

.licenses/npm/deprecation.dep.yml

@@ -1,28 +0,0 @@
----
-name: deprecation
-version: 2.3.1
-type: npm
-summary: Log a deprecation message with stack
-homepage: https://github.com/gr2m/deprecation#readme
-license: isc
-licenses:
-- sources: LICENSE
-  text: |
-    The ISC License
-
-    Copyright (c) Gregor Martynus and contributors
-
-    Permission to use, copy, modify, and/or distribute this software for any
-    purpose with or without fee is hereby granted, provided that the above
-    copyright notice and this permission notice appear in all copies.
-
-    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-    IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-- sources: README.md
-  text: "[ISC](LICENSE)"
-notices: []

.licenses/npm/json-with-bigint.dep.yml

@@ -1,16 +1,17 @@
 ---
-name: uuid
-version: 3.4.0
+name: json-with-bigint
+version: 3.5.8
 type: npm
-summary: RFC4122 (v1, v4, and v5) UUIDs
+summary: JS library that allows you to easily serialize and deserialize data with
+  BigInt values
 homepage: 
 license: mit
 licenses:
-- sources: LICENSE.md
+- sources: LICENSE
   text: |
-    The MIT License (MIT)
+    MIT License
 
-    Copyright (c) 2010-2016 Robert Kieffer and other contributors
+    Copyright (c) 2023 Ivan Korolenko
 
     Permission is hereby granted, free of charge, to any person obtaining a copy
     of this software and associated documentation files (the "Software"), to deal
@@ -29,11 +30,4 @@ licenses:
     LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     SOFTWARE.
-notices:
-- sources: AUTHORS
-  text: |-
-    Robert Kieffer <robert@broofa.com>
-    Christoph Tavan <dev@tavan.de>
-    AJ ONeal <coolaj86@gmail.com>
-    Vincent Voyer <vincent@zeroload.net>
-    Roman Shtylman <shtylman@gmail.com>
+notices: []

.licenses/npm/once.dep.yml

@@ -1,26 +0,0 @@
----
-name: once
-version: 1.4.0
-type: npm
-summary: Run a function exactly one time
-homepage: https://github.com/isaacs/once#readme
-license: isc
-licenses:
-- sources: LICENSE
-  text: |
-    The ISC License
-
-    Copyright (c) Isaac Z. Schlueter and Contributors
-
-    Permission to use, copy, modify, and/or distribute this software for any
-    purpose with or without fee is hereby granted, provided that the above
-    copyright notice and this permission notice appear in all copies.
-
-    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-    IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-notices: []

.licenses/npm/semver.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: semver
-version: 6.3.1
+version: 7.8.4
 type: npm
 summary: The semantic version parser used by npm.
 homepage: 

.licenses/npm/undici.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: undici
-version: 5.29.0
+version: 6.27.0
 type: npm
 summary: An HTTP/1.1 client, written from scratch for Node.js
 homepage: https://undici.nodejs.org

.licenses/npm/universal-user-agent.dep.yml

@@ -1,8 +1,8 @@
 ---
 name: universal-user-agent
-version: 6.0.1
+version: 7.0.3
 type: npm
-summary: Get a user agent string in both browser and node
+summary: Get a user agent string across all JavaScript Runtime Environments
 homepage: 
 license: isc
 licenses:
@@ -10,7 +10,7 @@ licenses:
   text: |
     # [ISC License](https://spdx.org/licenses/ISC)
 
-    Copyright (c) 2018, Gregor Martynus (https://github.com/gr2m)
+    Copyright (c) 2018-2021, Gregor Martynus (https://github.com/gr2m)
 
     Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
 

.licenses/npm/uuid-8.3.2.dep.yml

@@ -1,20 +0,0 @@
----
-name: uuid
-version: 8.3.2
-type: npm
-summary: RFC4122 (v1, v4, and v5) UUIDs
-homepage: https://github.com/uuidjs/uuid#readme
-license: mit
-licenses:
-- sources: LICENSE.md
-  text: |
-    The MIT License (MIT)
-
-    Copyright (c) 2010-2020 Robert Kieffer and other contributors
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-notices: []

.licenses/npm/uuid-9.0.1.dep.yml

@@ -1,20 +0,0 @@
----
-name: uuid
-version: 9.0.1
-type: npm
-summary: RFC4122 (v1, v4, and v5) UUIDs
-homepage: 
-license: mit
-licenses:
-- sources: LICENSE.md
-  text: |
-    The MIT License (MIT)
-
-    Copyright (c) 2010-2020 Robert Kieffer and other contributors
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-notices: []

.licenses/npm/wrappy.dep.yml

@@ -1,26 +0,0 @@
----
-name: wrappy
-version: 1.0.2
-type: npm
-summary: Callback wrapping utility
-homepage: https://github.com/npm/wrappy
-license: isc
-licenses:
-- sources: LICENSE
-  text: |
-    The ISC License
-
-    Copyright (c) Isaac Z. Schlueter and Contributors
-
-    Permission to use, copy, modify, and/or distribute this software for any
-    purpose with or without fee is hereby granted, provided that the above
-    copyright notice and this permission notice appear in all copies.
-
-    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-    IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-notices: []

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## v6.0.3
+* Fix checkout init for SHA-256 repositories by @yaananth in https://github.com/actions/checkout/pull/2439
+* fix: expand merge commit SHA regex and add SHA-256 test cases by @yaananth in https://github.com/actions/checkout/pull/2414
+
+## v6.0.2
+* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
+
+## v6.0.1
+* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
+
 ## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248

README.md

@@ -160,6 +160,15 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     # running from unless specified. Example URLs are https://github.com or
     # https://my-ghes-server.example.com
     github-server-url: ''
+
+    # Required to check out fork pull request code from a workflow triggered by
+    # `pull_request_target` or `workflow_run`. These workflows run with the base
+    # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
+    # access; fetching and executing a fork's code in that trusted context commonly
+    # leads to "pwn request" vulnerabilities. Set to `true` only after reviewing the
+    # risks at https://gh.io/securely-using-pull_request_target.
+    # Default: false
+    allow-unsafe-pr-checkout: ''
 ```
 <!-- end usage -->
 

__test__/git-auth-helper.test.ts

@@ -1,12 +1,46 @@
-import * as core from '@actions/core'
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterEach,
+  afterAll
+} from '@jest/globals'
 import * as fs from 'fs'
-import * as gitAuthHelper from '../lib/git-auth-helper'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
-import * as stateHelper from '../lib/state-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
-import {IGitSourceSettings} from '../lib/git-source-settings'
+import {fileURLToPath} from 'url'
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+
+// Mock @actions/core before loading git-auth-helper
+jest.unstable_mockModule('@actions/core', () => ({
+  setSecret: jest.fn(),
+  error: jest.fn(),
+  warning: jest.fn(),
+  info: jest.fn(),
+  debug: jest.fn(),
+  setFailed: jest.fn()
+}))
+
+// Mock state-helper
+jest.unstable_mockModule('../src/state-helper.js', () => ({
+  setSshKeyPath: jest.fn(),
+  setSshKnownHostsPath: jest.fn(),
+  IsPost: false,
+  RepositoryPath: ''
+}))
+
+// Dynamic imports after mocking
+const core = await import('@actions/core')
+const gitAuthHelper = await import('../src/git-auth-helper.js')
+type IGitCommandManager =
+  import('../src/git-command-manager.js').IGitCommandManager
+type IGitSourceSettings =
+  import('../src/git-source-settings.js').IGitSourceSettings
 
 const isWindows = process.platform === 'win32'
 const testWorkspace = path.join(__dirname, '_temp', 'git-auth-helper')
@@ -32,25 +66,12 @@ describe('git-auth-helper tests', () => {
   })
 
   beforeEach(() => {
-    // Mock setSecret
-    jest.spyOn(core, 'setSecret').mockImplementation((secret: string) => {})
-
-    // Mock error/warning/info/debug
-    jest.spyOn(core, 'error').mockImplementation(jest.fn())
-    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
-    jest.spyOn(core, 'info').mockImplementation(jest.fn())
-    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
-
-    // Mock state helper
-    jest.spyOn(stateHelper, 'setSshKeyPath').mockImplementation(jest.fn())
-    jest
-      .spyOn(stateHelper, 'setSshKnownHostsPath')
-      .mockImplementation(jest.fn())
+    jest.clearAllMocks()
   })
 
   afterEach(() => {
     // Unregister mocks
-    jest.restoreAllMocks()
+    jest.clearAllMocks()
 
     // Restore HOME
     if (originalHome) {
@@ -229,7 +250,7 @@ describe('git-auth-helper tests', () => {
     await authHelper.configureAuth()
 
     // Assert secret
-    const setSecretSpy = core.setSecret as jest.Mock<any, any>
+    const setSecretSpy = core.setSecret as jest.Mock<any>
     expect(setSecretSpy).toHaveBeenCalledTimes(1)
     const expectedSecret = Buffer.from(
       `x-access-token:${settings.authToken}`,
@@ -529,7 +550,7 @@ describe('git-auth-helper tests', () => {
       settings.sshKey = ''
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -562,7 +583,7 @@ describe('git-auth-helper tests', () => {
       settings.persistCredentials = false
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -588,7 +609,7 @@ describe('git-auth-helper tests', () => {
       settings.sshKey = ''
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -627,7 +648,7 @@ describe('git-auth-helper tests', () => {
       )
       const authHelper = gitAuthHelper.createAuthHelper(git, settings)
       await authHelper.configureAuth()
-      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any, any>
+      const mockSubmoduleForeach = git.submoduleForeach as jest.Mock<any>
       mockSubmoduleForeach.mockClear() // reset calls
 
       // Act
@@ -809,7 +830,7 @@ describe('git-auth-helper tests', () => {
 
     // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
     const mockGetSubmoduleConfigPaths =
-      git.getSubmoduleConfigPaths as jest.Mock<any, any>
+      git.getSubmoduleConfigPaths as jest.Mock<any>
     mockGetSubmoduleConfigPaths.mockResolvedValue([
       submodule1ConfigPath,
       submodule2ConfigPath
@@ -1147,7 +1168,7 @@ async function setup(testName: string): Promise<void> {
     ),
     tryReset: jest.fn(),
     version: jest.fn()
-  }
+  } as unknown as IGitCommandManager & {env: {[key: string]: string}}
 
   settings = {
     authToken: 'some auth token',
@@ -1173,7 +1194,8 @@ async function setup(testName: string): Promise<void> {
     sshUser: '',
     workflowOrganizationId: 123456,
     setSafeDirectory: true,
-    githubServerUrl: githubServerUrl
+    githubServerUrl: githubServerUrl,
+    allowUnsafePrCheckout: false
   }
 }
 

__test__/git-command-manager.test.ts

@@ -1,26 +1,51 @@
-import * as exec from '@actions/exec'
-import * as fshelper from '../lib/fs-helper'
-import * as commandManager from '../lib/git-command-manager'
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterEach,
+  afterAll
+} from '@jest/globals'
 
-let git: commandManager.IGitCommandManager
-let mockExec = jest.fn()
+// Mock @actions/exec
+const mockExec = jest.fn()
+jest.unstable_mockModule('@actions/exec', () => ({
+  exec: mockExec
+}))
+
+// Mock fs-helper
+const mockFileExistsSync = jest.fn()
+const mockDirectoryExistsSync = jest.fn()
+jest.unstable_mockModule('../src/fs-helper.js', () => ({
+  fileExistsSync: mockFileExistsSync,
+  directoryExistsSync: mockDirectoryExistsSync
+}))
+
+// Dynamic imports after mocking
+const commandManager = await import('../src/git-command-manager.js')
+type IGitCommandManager =
+  import('../src/git-command-manager.js').IGitCommandManager
+
+let git: IGitCommandManager
 
 describe('git-auth-helper tests', () => {
   beforeAll(async () => {})
 
   beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
+    mockFileExistsSync.mockReset()
+    mockDirectoryExistsSync.mockReset()
   })
 
   afterEach(() => {
-    jest.restoreAllMocks()
+    jest.clearAllMocks()
   })
 
   afterAll(() => {})
 
   it('branch list matches', async () => {
-    mockExec.mockImplementation((path, args, options) => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       console.log(args, options.listeners.stdout)
 
       if (args.includes('version')) {
@@ -36,7 +61,7 @@ describe('git-auth-helper tests', () => {
 
       return 1
     })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
     const workingDirectory = 'test'
     const lfs = false
     const doSparseCheckout = false
@@ -53,7 +78,7 @@ describe('git-auth-helper tests', () => {
   })
 
   it('ambiguous ref name output is captured', async () => {
-    mockExec.mockImplementation((path, args, options) => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       console.log(args, options.listeners.stdout)
 
       if (args.includes('version')) {
@@ -72,7 +97,7 @@ describe('git-auth-helper tests', () => {
 
       return 1
     })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
     const workingDirectory = 'test'
     const lfs = false
     const doSparseCheckout = false
@@ -91,9 +116,9 @@ describe('git-auth-helper tests', () => {
 
 describe('Test fetchDepth and fetchTags options', () => {
   beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
-    mockExec.mockImplementation((path, args, options) => {
+    mockFileExistsSync.mockReset()
+    mockDirectoryExistsSync.mockReset()
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       console.log(args, options.listeners.stdout)
 
       if (args.includes('version')) {
@@ -105,11 +130,11 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   afterEach(() => {
-    jest.restoreAllMocks()
+    jest.clearAllMocks()
   })
 
   it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
     const workingDirectory = 'test'
     const lfs = false
     const doSparseCheckout = false
@@ -146,7 +171,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -184,7 +209,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -222,7 +247,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -261,7 +286,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when showProgress is true', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -299,7 +324,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when fetchDepth is 42 and showProgress is true', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -339,7 +364,7 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 
   it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -378,14 +403,67 @@ describe('Test fetchDepth and fetchTags options', () => {
   })
 })
 
-describe('git user-agent with orchestration ID', () => {
+describe('repository initialization object format', () => {
   beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
+    mockFileExistsSync.mockReset()
+    mockDirectoryExistsSync.mockReset()
   })
 
   afterEach(() => {
-    jest.restoreAllMocks()
+    jest.clearAllMocks()
+  })
+
+  it('initializes SHA-256 repositories with the matching object format', async () => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('git version 2.50.1'))
+      }
+
+      return 0
+    })
+    // exec.exec is already mockExec
+
+    git = await commandManager.createCommandManager('test', false, false)
+
+    await git.init('sha256')
+
+    expect(mockExec).toHaveBeenCalledWith(
+      expect.any(String),
+      ['init', '--object-format=sha256', 'test'],
+      expect.any(Object)
+    )
+  })
+
+  it('initializes SHA-1 repositories with existing default arguments', async () => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
+      if (args.includes('version')) {
+        options.listeners.stdout(Buffer.from('git version 2.50.1'))
+      }
+
+      return 0
+    })
+    // exec.exec is already mockExec
+
+    git = await commandManager.createCommandManager('test', false, false)
+
+    await git.init('sha1')
+
+    expect(mockExec).toHaveBeenCalledWith(
+      expect.any(String),
+      ['init', 'test'],
+      expect.any(Object)
+    )
+  })
+})
+
+describe('git user-agent with orchestration ID', () => {
+  beforeEach(async () => {
+    mockFileExistsSync.mockReset()
+    mockDirectoryExistsSync.mockReset()
+  })
+
+  afterEach(() => {
+    jest.clearAllMocks()
     // Clean up environment variable to prevent test pollution
     delete process.env['ACTIONS_ORCHESTRATION_ID']
   })
@@ -395,7 +473,7 @@ describe('git user-agent with orchestration ID', () => {
     process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
 
     let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       if (args.includes('version')) {
         options.listeners.stdout(Buffer.from('2.18'))
       }
@@ -403,7 +481,7 @@ describe('git user-agent with orchestration ID', () => {
       capturedEnv = options.env
       return 0
     })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -430,7 +508,7 @@ describe('git user-agent with orchestration ID', () => {
     process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
 
     let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       if (args.includes('version')) {
         options.listeners.stdout(Buffer.from('2.18'))
       }
@@ -438,7 +516,7 @@ describe('git user-agent with orchestration ID', () => {
       capturedEnv = options.env
       return 0
     })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false
@@ -464,7 +542,7 @@ describe('git user-agent with orchestration ID', () => {
     delete process.env['ACTIONS_ORCHESTRATION_ID']
 
     let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
+    mockExec.mockImplementation((path: any, args: any, options: any) => {
       if (args.includes('version')) {
         options.listeners.stdout(Buffer.from('2.18'))
       }
@@ -472,7 +550,7 @@ describe('git user-agent with orchestration ID', () => {
       capturedEnv = options.env
       return 0
     })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+    // exec.exec is already mockExec
 
     const workingDirectory = 'test'
     const lfs = false

__test__/git-directory-helper.test.ts

@@ -1,9 +1,36 @@
-import * as core from '@actions/core'
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterEach
+} from '@jest/globals'
 import * as fs from 'fs'
-import * as gitDirectoryHelper from '../lib/git-directory-helper'
 import * as io from '@actions/io'
 import * as path from 'path'
-import {IGitCommandManager} from '../lib/git-command-manager'
+import {fileURLToPath} from 'url'
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+
+// Mock @actions/core before loading git-directory-helper
+jest.unstable_mockModule('@actions/core', () => ({
+  error: jest.fn(),
+  warning: jest.fn(),
+  info: jest.fn(),
+  debug: jest.fn(),
+  setFailed: jest.fn(),
+  startGroup: jest.fn(),
+  endGroup: jest.fn()
+}))
+
+// Dynamic imports after mocking
+const core = await import('@actions/core')
+const gitDirectoryHelper = await import('../src/git-directory-helper.js')
+
+type IGitCommandManager =
+  import('../src/git-command-manager.js').IGitCommandManager
 
 const testWorkspace = path.join(__dirname, '_temp', 'git-directory-helper')
 let repositoryPath: string
@@ -19,16 +46,11 @@ describe('git-directory-helper tests', () => {
   })
 
   beforeEach(() => {
-    // Mock error/warning/info/debug
-    jest.spyOn(core, 'error').mockImplementation(jest.fn())
-    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
-    jest.spyOn(core, 'info').mockImplementation(jest.fn())
-    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
+    jest.clearAllMocks()
   })
 
   afterEach(() => {
-    // Unregister mocks
-    jest.restoreAllMocks()
+    jest.clearAllMocks()
   })
 
   const cleansWhenCleanTrue = 'cleans when clean true'
@@ -81,7 +103,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(doesNotCheckoutDetachWhenNotAlreadyDetached)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockIsDetached = git.isDetached as jest.Mock<any, any>
+    const mockIsDetached = git.isDetached as jest.Mock<any>
     mockIsDetached.mockImplementation(async () => {
       return true
     })
@@ -132,7 +154,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesContentsWhenCleanFails)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    let mockTryClean = git.tryClean as jest.Mock<any, any>
+    let mockTryClean = git.tryClean as jest.Mock<any>
     mockTryClean.mockImplementation(async () => {
       return false
     })
@@ -210,7 +232,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesContentsWhenResetFails)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    let mockTryReset = git.tryReset as jest.Mock<any, any>
+    let mockTryReset = git.tryReset as jest.Mock<any>
     mockTryReset.mockImplementation(async () => {
       return false
     })
@@ -260,7 +282,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesLocalBranches)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any, any>
+    const mockBranchList = git.branchList as jest.Mock<any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote ? [] : ['local-branch-1', 'local-branch-2']
     })
@@ -291,7 +313,7 @@ describe('git-directory-helper tests', () => {
 
     //mock bad submodule
 
-    const submoduleStatus = git.submoduleStatus as jest.Mock<any, any>
+    const submoduleStatus = git.submoduleStatus as jest.Mock<any>
     submoduleStatus.mockImplementation(async (remote: boolean) => {
       return false
     })
@@ -319,7 +341,7 @@ describe('git-directory-helper tests', () => {
     await setup(doesNotCleanWhenSubmoduleStatusIsTrue)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
 
-    const submoduleStatus = git.submoduleStatus as jest.Mock<any, any>
+    const submoduleStatus = git.submoduleStatus as jest.Mock<any>
     submoduleStatus.mockImplementation(async (remote: boolean) => {
       return true
     })
@@ -381,7 +403,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesAncestorRemoteBranch)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any, any>
+    const mockBranchList = git.branchList as jest.Mock<any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote ? ['origin/remote-branch-1', 'origin/remote-branch-2'] : []
     })
@@ -411,7 +433,7 @@ describe('git-directory-helper tests', () => {
     // Arrange
     await setup(removesDescendantRemoteBranches)
     await fs.promises.writeFile(path.join(repositoryPath, 'my-file'), '')
-    const mockBranchList = git.branchList as jest.Mock<any, any>
+    const mockBranchList = git.branchList as jest.Mock<any>
     mockBranchList.mockImplementation(async (remote: boolean) => {
       return remote
         ? ['origin/remote-branch-1/conflict', 'origin/remote-branch-2']
@@ -507,5 +529,5 @@ async function setup(testName: string): Promise<void> {
       return true
     }),
     version: jest.fn()
-  }
+  } as unknown as IGitCommandManager
 }

__test__/git-version.test.ts

@@ -1,5 +1,6 @@
-import {GitVersion} from '../src/git-version'
-import {MinimumGitSparseCheckoutVersion} from '../src/git-command-manager'
+import {describe, it, expect} from '@jest/globals'
+import {GitVersion} from '../src/git-version.js'
+import {MinimumGitSparseCheckoutVersion} from '../src/git-command-manager.js'
 
 describe('git-version tests', () => {
   it('basics', async () => {

__test__/github-api-helper.test.ts

@@ -0,0 +1,112 @@
+import {jest, describe, it, expect, beforeEach, afterEach} from '@jest/globals'
+
+// Mock @actions/core
+const mockDebug = jest.fn()
+jest.unstable_mockModule('@actions/core', () => ({
+  debug: mockDebug,
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn()
+}))
+
+// Mock @actions/github
+const mockGetOctokit = jest.fn()
+jest.unstable_mockModule('@actions/github', () => ({
+  getOctokit: mockGetOctokit
+}))
+
+// Dynamic imports after mocking
+const githubApiHelper = await import('../src/github-api-helper.js')
+
+describe('github-api-helper object format', () => {
+  let request: jest.Mock<any>
+
+  function mockHashAlgorithmApi(hashAlgorithm: string): void {
+    request = jest.fn(async () => ({
+      data: {
+        hash_algorithm: hashAlgorithm
+      }
+    }))
+    mockGetOctokit.mockReturnValue({
+      request
+    } as any)
+  }
+
+  beforeEach(() => {
+    mockDebug.mockClear()
+    mockGetOctokit.mockClear()
+  })
+
+  afterEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('detects SHA-256 from the repository hash algorithm endpoint', async () => {
+    mockHashAlgorithmApi('sha256')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: 'sha256', succeeded: true})
+
+    expect(mockGetOctokit).toHaveBeenCalledWith(
+      'token',
+      expect.objectContaining({baseUrl: 'https://api.github.com'})
+    )
+    expect(request).toHaveBeenCalledWith(
+      'GET /repos/{owner}/{repo}/hash-algorithm',
+      {owner: 'owner', repo: 'repo'}
+    )
+  })
+
+  it('detects SHA-1 from the repository hash algorithm endpoint', async () => {
+    mockHashAlgorithmApi('sha1')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: 'sha1', succeeded: true})
+  })
+
+  it('detects object format from an existing commit without API calls', async () => {
+    const commitSha =
+      '9422233ca7ee1b17f1e905d0e141faf0c401556c41cdc6acd71c6bd685da2e92'
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat(
+        'token',
+        'owner',
+        'repo',
+        undefined,
+        commitSha
+      )
+    ).resolves.toEqual({format: 'sha256', succeeded: true})
+
+    expect(mockGetOctokit).not.toHaveBeenCalled()
+  })
+
+  it('returns unsuccessful when the hash algorithm endpoint value is not recognized', async () => {
+    mockHashAlgorithmApi('unknown')
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: '', succeeded: false})
+    expect(mockDebug).toHaveBeenCalledWith(
+      'Unable to determine repository object format from hash-algorithm endpoint'
+    )
+  })
+
+  it('returns unsuccessful when the hash algorithm API lookup fails', async () => {
+    request = jest.fn(async () => {
+      throw new Error('not found')
+    })
+    mockGetOctokit.mockReturnValue({
+      request
+    } as any)
+
+    await expect(
+      githubApiHelper.tryGetRepositoryObjectFormat('token', 'owner', 'repo')
+    ).resolves.toEqual({format: '', succeeded: false})
+    expect(mockDebug).toHaveBeenCalledWith(
+      'Unable to determine repository object format from hash-algorithm endpoint: not found'
+    )
+  })
+})

__test__/input-helper.test.ts

@@ -1,10 +1,13 @@
-import * as core from '@actions/core'
-import * as fsHelper from '../lib/fs-helper'
-import * as github from '@actions/github'
-import * as inputHelper from '../lib/input-helper'
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterAll
+} from '@jest/globals'
 import * as path from 'path'
-import * as workflowContextHelper from '../lib/workflow-context-helper'
-import {IGitSourceSettings} from '../lib/git-source-settings'
 
 const originalGitHubWorkspace = process.env['GITHUB_WORKSPACE']
 const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
@@ -12,42 +15,58 @@ const gitHubWorkspace = path.resolve('/checkout-tests/workspace')
 // Inputs for mock @actions/core
 let inputs = {} as any
 
-// Shallow clone original @actions/github context
-let originalContext = {...github.context}
+// Mutable mock github context
+const mockGithubContext: any = {
+  ref: 'refs/heads/some-ref',
+  sha: '1234567890123456789012345678901234567890',
+  repo: {owner: 'some-owner', repo: 'some-repo'},
+  eventName: '',
+  payload: {}
+}
+
+// Mock @actions/core before loading input-helper
+jest.unstable_mockModule('@actions/core', () => ({
+  getInput: jest.fn((name: string) => inputs[name]),
+  getBooleanInput: jest.fn((name: string) => inputs[name]),
+  getMultilineInput: jest.fn((name: string) =>
+    inputs[name] ? String(inputs[name]).split('\n').filter(Boolean) : []
+  ),
+  error: jest.fn(),
+  warning: jest.fn(),
+  info: jest.fn(),
+  debug: jest.fn(),
+  setFailed: jest.fn(),
+  setOutput: jest.fn(),
+  setSecret: jest.fn()
+}))
+
+// Mock @actions/github before loading input-helper
+jest.unstable_mockModule('@actions/github', () => ({
+  context: mockGithubContext,
+  getOctokit: jest.fn()
+}))
+
+// Mock fs-helper
+const mockDirectoryExistsSync = jest.fn((p: string) => p === gitHubWorkspace)
+jest.unstable_mockModule('../src/fs-helper.js', () => ({
+  directoryExistsSync: mockDirectoryExistsSync,
+  fileExistsSync: jest.fn()
+}))
+
+// Mock workflow-context-helper
+const mockGetOrganizationId = jest.fn(async () => 123456)
+jest.unstable_mockModule('../src/workflow-context-helper.js', () => ({
+  getOrganizationId: mockGetOrganizationId
+}))
+
+// Dynamic imports after mocking
+const core = await import('@actions/core')
+const inputHelper = await import('../src/input-helper.js')
+type IGitSourceSettings =
+  import('../src/git-source-settings.js').IGitSourceSettings
 
 describe('input-helper tests', () => {
   beforeAll(() => {
-    // Mock getInput
-    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
-      return inputs[name]
-    })
-
-    // Mock error/warning/info/debug
-    jest.spyOn(core, 'error').mockImplementation(jest.fn())
-    jest.spyOn(core, 'warning').mockImplementation(jest.fn())
-    jest.spyOn(core, 'info').mockImplementation(jest.fn())
-    jest.spyOn(core, 'debug').mockImplementation(jest.fn())
-
-    // Mock github context
-    jest.spyOn(github.context, 'repo', 'get').mockImplementation(() => {
-      return {
-        owner: 'some-owner',
-        repo: 'some-repo'
-      }
-    })
-    github.context.ref = 'refs/heads/some-ref'
-    github.context.sha = '1234567890123456789012345678901234567890'
-
-    // Mock ./fs-helper directoryExistsSync()
-    jest
-      .spyOn(fsHelper, 'directoryExistsSync')
-      .mockImplementation((path: string) => path == gitHubWorkspace)
-
-    // Mock ./workflowContextHelper getOrganizationId()
-    jest
-      .spyOn(workflowContextHelper, 'getOrganizationId')
-      .mockImplementation(() => Promise.resolve(123456))
-
     // GitHub workspace
     process.env['GITHUB_WORKSPACE'] = gitHubWorkspace
   })
@@ -55,6 +74,15 @@ describe('input-helper tests', () => {
   beforeEach(() => {
     // Reset inputs
     inputs = {}
+    jest.clearAllMocks()
+    // Re-apply default mocks
+    ;(core.getInput as jest.Mock<any>).mockImplementation(
+      (name: string) => inputs[name]
+    )
+    mockDirectoryExistsSync.mockImplementation(
+      (p: string) => p === gitHubWorkspace
+    )
+    mockGetOrganizationId.mockResolvedValue(123456)
   })
 
   afterAll(() => {
@@ -65,11 +93,8 @@ describe('input-helper tests', () => {
     }
 
     // Restore @actions/github context
-    github.context.ref = originalContext.ref
-    github.context.sha = originalContext.sha
-
-    // Restore
-    jest.restoreAllMocks()
+    mockGithubContext.ref = 'refs/heads/some-ref'
+    mockGithubContext.sha = '1234567890123456789012345678901234567890'
   })
 
   it('sets defaults', async () => {
@@ -91,18 +116,19 @@ describe('input-helper tests', () => {
     expect(settings.repositoryOwner).toBe('some-owner')
     expect(settings.repositoryPath).toBe(gitHubWorkspace)
     expect(settings.setSafeDirectory).toBe(true)
+    expect(settings.allowUnsafePrCheckout).toBe(false)
   })
 
   it('qualifies ref', async () => {
-    let originalRef = github.context.ref
+    let originalRef = mockGithubContext.ref
     try {
-      github.context.ref = 'some-unqualified-ref'
+      mockGithubContext.ref = 'some-unqualified-ref'
       const settings: IGitSourceSettings = await inputHelper.getInputs()
       expect(settings).toBeTruthy()
       expect(settings.commit).toBe('1234567890123456789012345678901234567890')
       expect(settings.ref).toBe('refs/heads/some-unqualified-ref')
     } finally {
-      github.context.ref = originalRef
+      mockGithubContext.ref = originalRef
     }
   })
 
@@ -133,6 +159,16 @@ describe('input-helper tests', () => {
     expect(settings.commit).toBe('1111111111222222222233333333334444444444')
   })
 
+  it('sets ref to empty when explicit sha-256', async () => {
+    inputs.ref =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const settings: IGitSourceSettings = await inputHelper.getInputs()
+    expect(settings.ref).toBeFalsy()
+    expect(settings.commit).toBe(
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    )
+  })
+
   it('sets sha to empty when explicit ref', async () => {
     inputs.ref = 'refs/heads/some-other-ref'
     const settings: IGitSourceSettings = await inputHelper.getInputs()

__test__/ref-helper.test.ts

@@ -1,13 +1,46 @@
+import {jest, describe, it, expect, beforeEach, afterEach} from '@jest/globals'
 import * as assert from 'assert'
-import * as refHelper from '../lib/ref-helper'
-import {IGitCommandManager} from '../lib/git-command-manager'
+
+// Mutable mock github context
+const mockGithubContext: any = {
+  eventName: '',
+  payload: {},
+  repo: {owner: 'some-owner', repo: 'some-repo'},
+  ref: '',
+  sha: ''
+}
+
+// Mock @actions/core
+const mockDebug = jest.fn()
+jest.unstable_mockModule('@actions/core', () => ({
+  debug: mockDebug,
+  info: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn(),
+  setFailed: jest.fn()
+}))
+
+// Mock @actions/github
+const mockGetOctokit = jest.fn()
+jest.unstable_mockModule('@actions/github', () => ({
+  context: mockGithubContext,
+  getOctokit: mockGetOctokit
+}))
+
+// Dynamic imports after mocking
+const refHelper = await import('../src/ref-helper.js')
+type IGitCommandManager =
+  import('../src/git-command-manager.js').IGitCommandManager
 
 const commit = '1234567890123456789012345678901234567890'
+const sha256Commit =
+  '1234567890123456789012345678901234567890123456789012345678901234'
 let git: IGitCommandManager
 
 describe('ref-helper tests', () => {
   beforeEach(() => {
     git = {} as unknown as IGitCommandManager
+    jest.clearAllMocks()
   })
 
   it('getCheckoutInfo requires git', async () => {
@@ -37,6 +70,12 @@ describe('ref-helper tests', () => {
     expect(checkoutInfo.startPoint).toBeFalsy()
   })
 
+  it('getCheckoutInfo sha-256 only', async () => {
+    const checkoutInfo = await refHelper.getCheckoutInfo(git, '', sha256Commit)
+    expect(checkoutInfo.ref).toBe(sha256Commit)
+    expect(checkoutInfo.startPoint).toBeFalsy()
+  })
+
   it('getCheckoutInfo refs/heads/', async () => {
     const checkoutInfo = await refHelper.getCheckoutInfo(
       git,
@@ -156,14 +195,12 @@ describe('ref-helper tests', () => {
   })
 
   it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
     const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
     expect(refSpec.length).toBe(1)
     expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
   })
 
   it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
     const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
     expect(refSpec.length).toBe(2)
     expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
@@ -184,7 +221,6 @@ describe('ref-helper tests', () => {
   })
 
   it('getRefSpec unqualified ref only with fetchTags', async () => {
-    // When fetchTags is true, skip specific tag pattern since wildcard covers all
     const refSpec = refHelper.getRefSpec('my-ref', '', true)
     expect(refSpec.length).toBe(2)
     expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
@@ -212,14 +248,12 @@ describe('ref-helper tests', () => {
   })
 
   it('getRefSpec refs/tags/ only with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
     const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
     expect(refSpec.length).toBe(1)
     expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
   })
 
   it('getRefSpec refs/heads/ only with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
     const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
     expect(refSpec.length).toBe(2)
     expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
@@ -227,4 +261,140 @@ describe('ref-helper tests', () => {
       '+refs/heads/my/branch:refs/remotes/origin/my/branch'
     )
   })
+
+  describe('checkCommitInfo', () => {
+    const repositoryOwner = 'some-owner'
+    const repositoryName = 'some-repo'
+    const ref = 'refs/pull/123/merge'
+    const sha1Head = '1111111111222222222233333333334444444444'
+    const sha1Base = 'aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd'
+    const sha256Head =
+      '1111111111222222222233333333334444444444555555555566666666667777'
+    const sha256Base =
+      'aaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffff0000'
+    let repoGetSpy: jest.Mock<any>
+    let originalEventName: string
+    let originalPayload: unknown
+    let originalRef: string
+    let originalSha: string
+
+    function setPullRequestContext(
+      expectedHeadSha: string,
+      expectedBaseSha: string,
+      mergeCommit: string
+    ): void {
+      mockGithubContext.eventName = 'pull_request'
+      mockGithubContext.ref = ref
+      mockGithubContext.sha = mergeCommit
+      mockGithubContext.payload = {
+        action: 'synchronize',
+        after: expectedHeadSha,
+        number: 123,
+        pull_request: {
+          base: {
+            sha: expectedBaseSha
+          }
+        },
+        repository: {
+          private: false
+        }
+      }
+    }
+
+    beforeEach(() => {
+      originalEventName = mockGithubContext.eventName
+      originalPayload = mockGithubContext.payload
+      originalRef = mockGithubContext.ref
+      originalSha = mockGithubContext.sha
+
+      mockGithubContext.repo = {
+        owner: repositoryOwner,
+        repo: repositoryName
+      }
+
+      repoGetSpy = jest.fn(async () => ({}))
+      mockGetOctokit.mockReturnValue({
+        rest: {
+          repos: {
+            get: repoGetSpy
+          }
+        }
+      } as any)
+    })
+
+    afterEach(() => {
+      mockGithubContext.eventName = originalEventName
+      mockGithubContext.payload = originalPayload
+      mockGithubContext.ref = originalRef
+      mockGithubContext.sha = originalSha
+      jest.clearAllMocks()
+    })
+
+    it('returns early for SHA-1 merge commit', async () => {
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${sha1Head} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(mockGetOctokit).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+    })
+
+    it('matches SHA-256 merge commit info', async () => {
+      const actualHeadSha =
+        '9999999999888888888877777777776666666666555555555544444444443333'
+      setPullRequestContext(sha256Head, sha256Base, sha256Commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${actualHeadSha} into ${sha256Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        sha256Commit
+      )
+
+      expect(mockGetOctokit).toHaveBeenCalledWith(
+        'token',
+        expect.objectContaining({
+          userAgent: expect.stringContaining(
+            `expected_head_sha=${sha256Head};actual_head_sha=${actualHeadSha}`
+          )
+        })
+      )
+      expect(repoGetSpy).toHaveBeenCalledWith({
+        owner: repositoryOwner,
+        repo: repositoryName
+      })
+      expect(mockDebug).toHaveBeenCalledWith(
+        `Expected head sha ${sha256Head}; actual head sha ${actualHeadSha}`
+      )
+      expect(mockDebug).not.toHaveBeenCalledWith('Unexpected message format')
+    })
+
+    it('does not match 50-char hex as a valid merge', async () => {
+      const invalidHeadSha =
+        '99999999998888888888777777777766666666665555555555'
+      setPullRequestContext(sha1Head, sha1Base, commit)
+
+      await refHelper.checkCommitInfo(
+        'token',
+        `Merge ${invalidHeadSha} into ${sha1Base}`,
+        repositoryOwner,
+        repositoryName,
+        ref,
+        commit
+      )
+
+      expect(mockGetOctokit).not.toHaveBeenCalled()
+      expect(repoGetSpy).not.toHaveBeenCalled()
+      expect(mockDebug).toHaveBeenCalledWith('Unexpected message format')
+    })
+  })
 })

__test__/retry-helper.test.ts

@@ -1,16 +1,32 @@
-import * as core from '@actions/core'
-import {RetryHelper} from '../lib/retry-helper'
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  beforeEach,
+  afterAll
+} from '@jest/globals'
+
+let info: string[] = []
+
+// Mock @actions/core before loading retry-helper
+jest.unstable_mockModule('@actions/core', () => ({
+  info: jest.fn((message: string) => {
+    info.push(message)
+  }),
+  debug: jest.fn(),
+  warning: jest.fn(),
+  error: jest.fn()
+}))
+
+// Dynamic imports after mocking
+const {RetryHelper} = await import('../src/retry-helper.js')
 
-let info: string[]
 let retryHelper: any
 
 describe('retry-helper tests', () => {
   beforeAll(() => {
-    // Mock @actions/core info()
-    jest.spyOn(core, 'info').mockImplementation((message: string) => {
-      info.push(message)
-    })
-
     retryHelper = new RetryHelper(3, 0, 0)
   })
 
@@ -20,7 +36,6 @@ describe('retry-helper tests', () => {
   })
 
   afterAll(() => {
-    // Restore
     jest.restoreAllMocks()
   })
 

__test__/unsafe-pr-checkout-helper.test.ts

@@ -0,0 +1,285 @@
+import {
+  jest,
+  describe,
+  it,
+  expect,
+  beforeAll,
+  afterEach,
+  afterAll
+} from '@jest/globals'
+
+const BASE_REPO_ID = 100
+const FORK_REPO_ID = 200
+const PR_HEAD_SHA = '1111111111111111111111111111111111111111'
+const PR_MERGE_SHA = '2222222222222222222222222222222222222222'
+const SAFE_BASE_SHA = '3333333333333333333333333333333333333333'
+const WORKFLOW_RUN_HEAD_COMMIT_SHA = '4444444444444444444444444444444444444444'
+const BASE_QUALIFIED_REPO = 'some-owner/some-repo'
+const FORK_QUALIFIED_REPO = 'another-repo/fork'
+
+// Mutable mock context
+const mockContext: any = {
+  eventName: '',
+  payload: {},
+  repo: {owner: 'some-owner', repo: 'some-repo'},
+  ref: '',
+  sha: ''
+}
+
+jest.unstable_mockModule('@actions/github', () => ({
+  context: mockContext
+}))
+
+// Dynamic imports after mocking
+const {assertSafePrCheckout} = await import(
+  '../src/unsafe-pr-checkout-helper.js'
+)
+
+const originalEventName = mockContext.eventName
+const originalPayload = mockContext.payload
+
+function setContext(eventName: string, payload: object): void {
+  mockContext.eventName = eventName
+  mockContext.payload = payload
+}
+
+function forkPullRequestTargetPayload(): object {
+  return {
+    repository: {id: BASE_REPO_ID},
+    pull_request: {
+      head: {
+        sha: PR_HEAD_SHA,
+        repo: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
+      },
+      merge_commit_sha: PR_MERGE_SHA
+    }
+  }
+}
+
+function sameRepoPullRequestTargetPayload(): object {
+  return {
+    repository: {id: BASE_REPO_ID},
+    pull_request: {
+      head: {
+        sha: PR_HEAD_SHA,
+        repo: {id: BASE_REPO_ID, full_name: BASE_QUALIFIED_REPO}
+      },
+      merge_commit_sha: PR_MERGE_SHA
+    }
+  }
+}
+
+function forkWorkflowRunPayload(): object {
+  return {
+    repository: {id: BASE_REPO_ID},
+    workflow_run: {
+      event: 'pull_request',
+      head_commit: {id: WORKFLOW_RUN_HEAD_COMMIT_SHA},
+      head_repository: {id: FORK_REPO_ID, full_name: FORK_QUALIFIED_REPO}
+    }
+  }
+}
+
+describe('unsafe-pr-checkout-helper', () => {
+  beforeAll(() => {
+    mockContext.repo = {owner: 'some-owner', repo: 'some-repo'}
+  })
+
+  afterEach(() => {
+    mockContext.eventName = originalEventName
+    mockContext.payload = originalPayload
+  })
+
+  afterAll(() => {
+    mockContext.eventName = originalEventName
+    mockContext.payload = originalPayload
+  })
+
+  it('allows pull_request events untouched', () => {
+    setContext('pull_request', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: 'attacker/fork',
+        ref: 'refs/pull/1/merge',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).not.toThrow()
+  })
+
+  it('allows pull_request_target default checkout (base branch)', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: 'refs/heads/main',
+        commit: SAFE_BASE_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).not.toThrow()
+  })
+
+  it('allows same-repo pull_request_target checkout of PR head', () => {
+    setContext('pull_request_target', sameRepoPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: PR_HEAD_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).not.toThrow()
+  })
+
+  it('refuses pull_request_target fork PR head SHA checkout', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: PR_HEAD_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow(/Refusing to check out fork pull request code/)
+  })
+
+  it('refuses pull_request_target fork PR merge_commit_sha checkout', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: PR_MERGE_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow(/allow-unsafe-pr-checkout/)
+  })
+
+  it('refuses pull_request_target fork PR ref pattern (head)', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: 'refs/pull/42/head',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('refuses pull_request_target fork PR ref pattern (merge)', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: 'refs/pull/42/merge',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('refuses pull_request_target when repository points at the fork', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: FORK_QUALIFIED_REPO,
+        ref: 'refs/heads/main',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('allows pull_request_target checkout of an unrelated third-party repo', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: 'some-other/unrelated',
+        ref: 'refs/heads/main',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).not.toThrow()
+  })
+
+  it('refuses pull_request_target ignoring repository case differences', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: FORK_QUALIFIED_REPO.toUpperCase(),
+        ref: '',
+        commit: '',
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('refuses pull_request_target ignoring commit SHA case differences', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: PR_HEAD_SHA.toUpperCase(),
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('allows pull_request_target fork PR checkout when opted in', () => {
+    setContext('pull_request_target', forkPullRequestTargetPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: 'refs/pull/42/merge',
+        commit: '',
+        allowUnsafePrCheckout: true
+      })
+    ).not.toThrow()
+  })
+
+  it('refuses workflow_run fork PR head_commit.id checkout', () => {
+    setContext('workflow_run', forkWorkflowRunPayload())
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('refuses workflow_run with pull_request_target underlying event', () => {
+    const payload = forkWorkflowRunPayload() as {
+      workflow_run: {event: string}
+    }
+    payload.workflow_run.event = 'pull_request_target'
+    setContext('workflow_run', payload)
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).toThrow()
+  })
+
+  it('allows workflow_run same-repo PR (head_repository.id matches base)', () => {
+    const payload = forkWorkflowRunPayload() as {
+      workflow_run: {head_repository: {id: number}}
+    }
+    payload.workflow_run.head_repository.id = BASE_REPO_ID
+    setContext('workflow_run', payload)
+    expect(() =>
+      assertSafePrCheckout({
+        qualifiedRepository: BASE_QUALIFIED_REPO,
+        ref: '',
+        commit: WORKFLOW_RUN_HEAD_COMMIT_SHA,
+        allowUnsafePrCheckout: false
+      })
+    ).not.toThrow()
+  })
+})

__test__/url-helper.test.ts

@@ -1,4 +1,5 @@
-import * as urlHelper from '../src/url-helper'
+import {jest, describe, it, expect, beforeEach, afterAll} from '@jest/globals'
+import * as urlHelper from '../src/url-helper.js'
 
 describe('getServerUrl tests', () => {
   it('basics', async () => {

action.yml

@@ -98,6 +98,15 @@ inputs:
   github-server-url:
     description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
     required: false
+  allow-unsafe-pr-checkout:
+    description: >
+      Required to check out fork pull request code from a workflow triggered by
+      `pull_request_target` or `workflow_run`. These workflows run with the
+      base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
+      runner access; fetching and executing a fork's code in that trusted
+      context commonly leads to "pwn request" vulnerabilities. Set to `true`
+      only after reviewing the risks at https://gh.io/securely-using-pull_request_target.
+    default: false
 outputs:
   ref:
     description: 'The branch, tag or SHA that was checked out'

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

jest.config.js

@@ -1,12 +0,0 @@
-module.exports = {
-  clearMocks: true,
-  fakeTimers: {},
-  moduleFileExtensions: ['js', 'ts'],
-  testEnvironment: 'node',
-  testMatch: ['**/*.test.ts'],
-  testRunner: 'jest-circus/runner',
-  transform: {
-    '^.+\\.ts$': 'ts-jest'
-  },
-  verbose: true
-}

jest.config.ts

@@ -0,0 +1,24 @@
+export default {
+  clearMocks: true,
+  moduleFileExtensions: ['js', 'ts'],
+  roots: ['<rootDir>'],
+  testEnvironment: 'node',
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.ts$': [
+      'ts-jest',
+      {
+        useESM: true,
+        diagnostics: {
+          ignoreCodes: [151002]
+        }
+      }
+    ]
+  },
+  extensionsToTreatAsEsm: ['.ts'],
+  transformIgnorePatterns: ['node_modules/(?!(@actions)/)'],
+  moduleNameMapper: {
+    '^(\\.{1,2}/.*)\\.js$': '$1'
+  },
+  verbose: true
+}

package-lock.json

@@ -9,29 +9,30 @@
       "version": "5.0.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.10.1",
-        "@actions/exec": "^1.1.1",
-        "@actions/github": "^6.0.0",
-        "@actions/io": "^1.1.3",
-        "@actions/tool-cache": "^2.0.1",
-        "uuid": "^9.0.1"
+        "@actions/core": "^3.0.1",
+        "@actions/exec": "^3.0.0",
+        "@actions/github": "^9.1.1",
+        "@actions/io": "^3.0.2",
+        "@actions/tool-cache": "^4.0.0"
       },
       "devDependencies": {
         "@types/jest": "^29.5.12",
         "@types/node": "^24.1.0",
-        "@types/uuid": "^9.0.8",
         "@typescript-eslint/eslint-plugin": "^7.9.0",
         "@typescript-eslint/parser": "^7.9.0",
-        "@vercel/ncc": "^0.38.1",
+        "@vercel/ncc": "^0.38.4",
         "eslint": "^8.57.0",
         "eslint-plugin-github": "^4.10.2",
         "eslint-plugin-jest": "^28.8.2",
         "jest": "^29.7.0",
-        "jest-circus": "^29.7.0",
-        "js-yaml": "^4.1.0",
+        "js-yaml": "^4.2.0",
         "prettier": "^3.3.3",
         "ts-jest": "^29.2.5",
+        "ts-node": "^10.9.2",
         "typescript": "^5.5.4"
+      },
+      "engines": {
+        "node": ">=24"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
@@ -44,75 +45,88 @@
       }
     },
     "node_modules/@actions/core": {
-      "version": "1.10.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.10.1.tgz",
-      "integrity": "sha512-3lBR9EDAY+iYIpTnTIXmWcNbX3T2kCkAEQGIQx4NVQ0575nk2k3GRZDTPQG+vVtS2izSLmINlxXf0uLtnrTP+g==",
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.1.tgz",
+      "integrity": "sha512-a6d/Nwahm9fliVGRhdhofo40HjHQasUPusmc7vBfyky+7Z+P2A1J68zyFVaNcEclc/Se+eO595oAr5nwEIoIUA==",
+      "license": "MIT",
       "dependencies": {
-        "@actions/http-client": "^2.0.1",
-        "uuid": "^8.3.2"
-      }
-    },
-    "node_modules/@actions/core/node_modules/uuid": {
-      "version": "8.3.2",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz",
-      "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==",
-      "bin": {
-        "uuid": "dist/bin/uuid"
+        "@actions/exec": "^3.0.0",
+        "@actions/http-client": "^4.0.0"
       }
     },
     "node_modules/@actions/exec": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
-      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "license": "MIT",
       "dependencies": {
-        "@actions/io": "^1.0.1"
+        "@actions/io": "^3.0.2"
       }
     },
     "node_modules/@actions/github": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@actions/github/-/github-6.0.0.tgz",
-      "integrity": "sha512-alScpSVnYmjNEXboZjarjukQEzgCRmjMv6Xj47fsdnqGS73bjJNDpiiXmp8jr0UZLdUB6d9jW63IcmddUP+l0g==",
+      "version": "9.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/github/-/github-9.1.1.tgz",
+      "integrity": "sha512-tL5JbYOBZHc0ngEnCsaDcryUizIUIlQyIMwy1Wkx93H5HzbBJ7TbiPx2PnFjBwZW0Vh05JmfFZhecE6gglYegA==",
+      "license": "MIT",
       "dependencies": {
-        "@actions/http-client": "^2.2.0",
-        "@octokit/core": "^5.0.1",
-        "@octokit/plugin-paginate-rest": "^9.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^10.0.0"
+        "@actions/http-client": "^3.0.2",
+        "@octokit/core": "^7.0.6",
+        "@octokit/plugin-paginate-rest": "^14.0.0",
+        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
+        "@octokit/request": "^10.0.7",
+        "@octokit/request-error": "^7.1.0",
+        "undici": "^6.23.0"
+      }
+    },
+    "node_modules/@actions/github/node_modules/@actions/http-client": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-3.0.2.tgz",
+      "integrity": "sha512-JP38FYYpyqvUsz+Igqlc/JG6YO9PaKuvqjM3iGvaLqFnJ7TFmcLyy2IDrY0bI0qCQug8E9K+elv5ZNfw62ZJzA==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
       }
     },
     "node_modules/@actions/http-client": {
-      "version": "2.2.1",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.1.tgz",
-      "integrity": "sha512-KhC/cZsq7f8I4LfZSJKgCvEwfkE8o1538VoBeoGzokVLLnbFDEAdFD3UhoMklxo2un9NJVBdANOresx7vTHlHw==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
+      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
+      "license": "MIT",
       "dependencies": {
         "tunnel": "^0.0.6",
-        "undici": "^5.25.4"
+        "undici": "^6.23.0"
       }
     },
     "node_modules/@actions/io": {
-      "version": "1.1.3",
-      "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
-      "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q=="
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
+      "license": "MIT"
     },
     "node_modules/@actions/tool-cache": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.1.tgz",
-      "integrity": "sha512-iPU+mNwrbA8jodY8eyo/0S/QqCKDajiR8OxWTnSk/SnYg0sj8Hp4QcUEVC1YFpHWXtrfbQrE13Jz4k4HXJQKcA==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
+      "integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
+      "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.2.6",
-        "@actions/exec": "^1.0.0",
-        "@actions/http-client": "^2.0.1",
-        "@actions/io": "^1.1.1",
-        "semver": "^6.1.0",
-        "uuid": "^3.3.2"
+        "@actions/core": "^3.0.0",
+        "@actions/exec": "^3.0.0",
+        "@actions/http-client": "^4.0.0",
+        "@actions/io": "^3.0.0",
+        "semver": "^7.7.3"
       }
     },
-    "node_modules/@actions/tool-cache/node_modules/uuid": {
-      "version": "3.4.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz",
-      "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==",
-      "deprecated": "Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.",
+    "node_modules/@actions/tool-cache/node_modules/semver": {
+      "version": "7.8.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
+      "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
+      "license": "ISC",
       "bin": {
-        "uuid": "bin/uuid"
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
       }
     },
     "node_modules/@ampproject/remapping": {
@@ -622,6 +636,30 @@
       "integrity": "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==",
       "dev": true
     },
+    "node_modules/@cspotcode/source-map-support": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
+      "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/trace-mapping": "0.3.9"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@cspotcode/source-map-support/node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.9",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.9.tgz",
+      "integrity": "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.0.3",
+        "@jridgewell/sourcemap-codec": "^1.4.10"
+      }
+    },
     "node_modules/@eslint-community/eslint-utils": {
       "version": "4.4.0",
       "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.4.0.tgz",
@@ -701,14 +739,6 @@
         "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
       }
     },
-    "node_modules/@fastify/busboy": {
-      "version": "2.1.1",
-      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
-      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
-      "engines": {
-        "node": ">=14"
-      }
-    },
     "node_modules/@github/browserslist-config": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/@github/browserslist-config/-/browserslist-config-1.0.0.tgz",
@@ -1241,151 +1271,131 @@
       }
     },
     "node_modules/@octokit/auth-token": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-4.0.0.tgz",
-      "integrity": "sha512-tY/msAuJo6ARbK6SPIxZrPBms3xPbfwBrulZe0Wtr/DIY9lje2HeV1uoebShn6mx7SjCHif6EjMvoREj+gZ+SA==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
+      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
+      "license": "MIT",
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/core": {
-      "version": "5.2.0",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-5.2.0.tgz",
-      "integrity": "sha512-1LFfa/qnMQvEOAdzlQymH0ulepxbxnCYAKJZfMci/5XJyIHWgEYnDmgnKakbTh7CH2tFQ5O60oYDvns4i9RAIg==",
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
+      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/auth-token": "^4.0.0",
-        "@octokit/graphql": "^7.1.0",
-        "@octokit/request": "^8.3.1",
-        "@octokit/request-error": "^5.1.0",
-        "@octokit/types": "^13.0.0",
-        "before-after-hook": "^2.2.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/auth-token": "^6.0.0",
+        "@octokit/graphql": "^9.0.3",
+        "@octokit/request": "^10.0.6",
+        "@octokit/request-error": "^7.0.2",
+        "@octokit/types": "^16.0.0",
+        "before-after-hook": "^4.0.0",
+        "universal-user-agent": "^7.0.0"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/endpoint": {
-      "version": "9.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.6.tgz",
-      "integrity": "sha512-H1fNTMA57HbkFESSt3Y9+FBICv+0jFceJFPWDePYlR/iMGrwM5ph+Dd4XRQs+8X+PUFURLQgX9ChPfhJ/1uNQw==",
+      "version": "11.0.3",
+      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.3.tgz",
+      "integrity": "sha512-FWFlNxghg4HrXkD3ifYbS/IdL/mDHjh9QcsNyhQjN8dplUoZbejsdpmuqdA76nxj2xoWPs7p8uX2SNr9rYu0Ag==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.1.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/types": "^16.0.0",
+        "universal-user-agent": "^7.0.2"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/graphql": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-7.1.0.tgz",
-      "integrity": "sha512-r+oZUH7aMFui1ypZnAvZmn0KSqAUgE1/tUXIWaqUCa1758ts/Jio84GZuzsvUkme98kv0WFY8//n0J1Z+vsIsQ==",
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
+      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/request": "^8.3.0",
-        "@octokit/types": "^13.0.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/request": "^10.0.6",
+        "@octokit/types": "^16.0.0",
+        "universal-user-agent": "^7.0.0"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/openapi-types": {
-      "version": "22.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-22.1.0.tgz",
-      "integrity": "sha512-pGUdSP+eEPfZiQHNkZI0U01HLipxncisdJQB4G//OAmfeO8sqTQ9KRa0KF03TUPCziNsoXUrTg4B2Q1EX++T0Q=="
+      "version": "27.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
+      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
+      "license": "MIT"
     },
     "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "9.2.2",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-9.2.2.tgz",
-      "integrity": "sha512-u3KYkGF7GcZnSD/3UP0S7K5XUFT2FkOQdcfXZGZQPGv3lm4F2Xbf71lvjldr8c1H3nNbF+33cLEkWYbokGWqiQ==",
+      "version": "14.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
+      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^12.6.0"
+        "@octokit/types": "^16.0.0"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       },
       "peerDependencies": {
-        "@octokit/core": "5"
-      }
-    },
-    "node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/openapi-types": {
-      "version": "20.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
-      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA=="
-    },
-    "node_modules/@octokit/plugin-paginate-rest/node_modules/@octokit/types": {
-      "version": "12.6.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
-      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
-      "dependencies": {
-        "@octokit/openapi-types": "^20.0.0"
+        "@octokit/core": ">=6"
       }
     },
     "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "10.4.1",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-10.4.1.tgz",
-      "integrity": "sha512-xV1b+ceKV9KytQe3zCVqjg+8GTGfDYwaT1ATU5isiUyVtlVAO3HNdzpS4sr4GBx4hxQ46s7ITtZrAsxG22+rVg==",
+      "version": "17.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
+      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^12.6.0"
+        "@octokit/types": "^16.0.0"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       },
       "peerDependencies": {
-        "@octokit/core": "5"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/openapi-types": {
-      "version": "20.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-20.0.0.tgz",
-      "integrity": "sha512-EtqRBEjp1dL/15V7WiX5LJMIxxkdiGJnabzYx5Apx4FkQIFgAfKumXeYAqqJCj1s+BMX4cPFIFC4OLCR6stlnA=="
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods/node_modules/@octokit/types": {
-      "version": "12.6.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-12.6.0.tgz",
-      "integrity": "sha512-1rhSOfRa6H9w4YwK0yrf5faDaDTb+yLyBUKOCV4xtCDB5VmIPqd/v9yr9o6SAzOAlRxMiRiCic6JVM1/kunVkw==",
-      "dependencies": {
-        "@octokit/openapi-types": "^20.0.0"
+        "@octokit/core": ">=6"
       }
     },
     "node_modules/@octokit/request": {
-      "version": "8.4.1",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-8.4.1.tgz",
-      "integrity": "sha512-qnB2+SY3hkCmBxZsR/MPCybNmbJe4KAlfWErXq+rBKkQJlbjdJeS85VI9r8UqeLYLvnAenU8Q1okM/0MBsAGXw==",
+      "version": "10.0.10",
+      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.10.tgz",
+      "integrity": "sha512-KxNC2pTqqhszMNrf12ZRd4PonRgyJdsM4F/jySiddQK+DsRcfBtUvqn8t7UsyZhnRJHvX46OohDt5N3VqIWC2w==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/endpoint": "^9.0.6",
-        "@octokit/request-error": "^5.1.1",
-        "@octokit/types": "^13.1.0",
-        "universal-user-agent": "^6.0.0"
+        "@octokit/endpoint": "^11.0.3",
+        "@octokit/request-error": "^7.0.2",
+        "@octokit/types": "^16.0.0",
+        "content-type": "^2.0.0",
+        "json-with-bigint": "^3.5.3",
+        "universal-user-agent": "^7.0.2"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/request-error": {
-      "version": "5.1.1",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.1.tgz",
-      "integrity": "sha512-v9iyEQJH6ZntoENr9/yXxjuezh4My67CBSu9r6Ve/05Iu5gNgnisNWOsoJHTP6k0Rr0+HQIpnH+kyammu90q/g==",
+      "version": "7.1.0",
+      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
+      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
       "license": "MIT",
       "dependencies": {
-        "@octokit/types": "^13.1.0",
-        "deprecation": "^2.0.0",
-        "once": "^1.4.0"
+        "@octokit/types": "^16.0.0"
       },
       "engines": {
-        "node": ">= 18"
+        "node": ">= 20"
       }
     },
     "node_modules/@octokit/types": {
-      "version": "13.4.1",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-13.4.1.tgz",
-      "integrity": "sha512-Y73oOAzRBAUzR/iRAbGULzpNkX8vaxKCqEtg6K74Ff3w9f5apFnWtE/2nade7dMWWW3bS5Kkd6DJS4HF04xreg==",
+      "version": "16.0.0",
+      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
+      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
+      "license": "MIT",
       "dependencies": {
-        "@octokit/openapi-types": "^22.1.0"
+        "@octokit/openapi-types": "^27.0.0"
       }
     },
     "node_modules/@pkgr/core": {
@@ -1424,6 +1434,34 @@
         "@sinonjs/commons": "^3.0.0"
       }
     },
+    "node_modules/@tsconfig/node10": {
+      "version": "1.0.12",
+      "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.12.tgz",
+      "integrity": "sha512-UCYBaeFvM11aU2y3YPZ//O5Rhj+xKyzy7mvcIoAjASbigy8mHMryP5cK7dgjlz2hWxh1g5pLw084E0a/wlUSFQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@tsconfig/node12": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/@tsconfig/node12/-/node12-1.0.11.tgz",
+      "integrity": "sha512-cqefuRsh12pWyGsIoBKJA9luFu3mRxCA+ORZvA4ktLSzIuCUtWVxGIuXigEwO5/ywWFMZ2QEGKWvkZG1zDMTag==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@tsconfig/node14": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/@tsconfig/node14/-/node14-1.0.3.tgz",
+      "integrity": "sha512-ysT8mhdixWK6Hw3i1V2AeRqZ5WfXg1G43mqoYlM2nc6388Fq5jcXyr5mRsqViLx/GJYdoL0bfXD8nmF+Zn/Iow==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@tsconfig/node16": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/@tsconfig/node16/-/node16-1.0.4.tgz",
+      "integrity": "sha512-vxhUy4J8lyeyinH7Azl1pdd43GJhZH/tP2weN8TntQblOY+A0XbT8DJk1/oCPuOOyg/Ja757rG0CgHcWC8OfMA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/babel__core": {
       "version": "7.20.5",
       "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz",
@@ -1529,12 +1567,6 @@
       "integrity": "sha512-9aEbYZ3TbYMznPdcdr3SmIrLXwC/AKZXQeCf9Pgao5CKb8CyHuEX5jzWPTkvregvhRJHcpRO6BFoGW9ycaOkYw==",
       "dev": true
     },
-    "node_modules/@types/uuid": {
-      "version": "9.0.8",
-      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-9.0.8.tgz",
-      "integrity": "sha512-jg+97EGIcY9AGHJJRaaPVgetKDsrTgbRjQ5Msgjh/DQKEFl0DtyRr/VCOyD1T2R1MNeWPK/u7JoGhlDZnKBAfA==",
-      "dev": true
-    },
     "node_modules/@types/yargs": {
       "version": "17.0.32",
       "resolved": "https://registry.npmjs.org/@types/yargs/-/yargs-17.0.32.tgz",
@@ -1754,10 +1786,11 @@
       "dev": true
     },
     "node_modules/@vercel/ncc": {
-      "version": "0.38.1",
-      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.1.tgz",
-      "integrity": "sha512-IBBb+iI2NLu4VQn3Vwldyi2QwaXt5+hTyh58ggAMoCGE6DJmPvwL3KPBWcJl1m9LYPChBLE980Jw+CS4Wokqxw==",
+      "version": "0.38.4",
+      "resolved": "https://registry.npmjs.org/@vercel/ncc/-/ncc-0.38.4.tgz",
+      "integrity": "sha512-8LwjnlP39s08C08J5NstzriPvW1SP8Zfpp1BvC2sI35kPeZnHfxVkCwu4/+Wodgnd60UtT1n8K8zw+Mp7J9JmQ==",
       "dev": true,
+      "license": "MIT",
       "bin": {
         "ncc": "dist/ncc/cli.js"
       }
@@ -1783,6 +1816,19 @@
         "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
       }
     },
+    "node_modules/acorn-walk": {
+      "version": "8.3.5",
+      "resolved": "https://registry.npmjs.org/acorn-walk/-/acorn-walk-8.3.5.tgz",
+      "integrity": "sha512-HEHNfbars9v4pgpW6SO1KSPkfoS0xVOM/9UzkJltjlsHZmJasxg8aXkuZa7SMf8vKGIBhpUsPluQSqhJFCqebw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "acorn": "^8.11.0"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
     "node_modules/ajv": {
       "version": "6.12.6",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
@@ -1863,6 +1909,13 @@
         "node": ">= 8"
       }
     },
+    "node_modules/arg": {
+      "version": "4.1.3",
+      "resolved": "https://registry.npmjs.org/arg/-/arg-4.1.3.tgz",
+      "integrity": "sha512-58S9QDqG0Xx27YwPSt9fJxivjYl432YCwfDMfZ+71RAqUrZef7LrKQZ3LHLOwCS4FLNBplP533Zx895SeOCHvA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/argparse": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -2160,9 +2213,10 @@
       "dev": true
     },
     "node_modules/before-after-hook": {
-      "version": "2.2.3",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-2.2.3.tgz",
-      "integrity": "sha512-NzUnlZexiaH/46WDhANlyR2bXRopNg4F/zuSA3OpZnllCUgRaOF2znDioDWrmbNVsuZk6l9pMquQB38cfBZwkQ=="
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
+      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
+      "license": "Apache-2.0"
     },
     "node_modules/brace-expansion": {
       "version": "2.0.2",
@@ -2402,6 +2456,19 @@
       "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==",
       "dev": true
     },
+    "node_modules/content-type": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-2.0.0.tgz",
+      "integrity": "sha512-j/O/d7GcZCyNl7/hwZAb606rzqkyvaDctLmckbxLzHvFBzTJHuGEdodATcP3yIRoDrLHkIATJuvzbFlp/ki2cQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/convert-source-map": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
@@ -2429,6 +2496,13 @@
         "node": "^14.15.0 || ^16.10.0 || >=18.0.0"
       }
     },
+    "node_modules/create-require": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/create-require/-/create-require-1.1.1.tgz",
+      "integrity": "sha512-dcKFX3jn0MpIaXjisoRvexIJVEKzaq7z2rZKxf+MSr9TkdmHmsU4m2lcLojrj/FHl8mk5VxMmYA+ftRkP/3oKQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/cross-spawn": {
       "version": "7.0.6",
       "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
@@ -2581,11 +2655,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/deprecation": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
-      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
-    },
     "node_modules/dequal": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/dequal/-/dequal-2.0.3.tgz",
@@ -2604,6 +2673,16 @@
         "node": ">=8"
       }
     },
+    "node_modules/diff": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.4.tgz",
+      "integrity": "sha512-X07nttJQkwkfKfvTPG/KSnE2OMdcUCao6+eXF3wmnIQRn2aPAHH3VxDbDOdegkd6JbPsXqShpvEOHfAT+nCNwQ==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.3.1"
+      }
+    },
     "node_modules/diff-sequences": {
       "version": "29.6.3",
       "resolved": "https://registry.npmjs.org/diff-sequences/-/diff-sequences-29.6.3.tgz",
@@ -3590,10 +3669,11 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.1.tgz",
-      "integrity": "sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==",
-      "dev": true
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
+      "dev": true,
+      "license": "ISC"
     },
     "node_modules/for-each": {
       "version": "0.3.3",
@@ -5186,10 +5266,21 @@
       "license": "MIT"
     },
     "node_modules/js-yaml": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
-      "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
       "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/puzrin"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/nodeca"
+        }
+      ],
+      "license": "MIT",
       "dependencies": {
         "argparse": "^2.0.1"
       },
@@ -5233,6 +5324,12 @@
       "integrity": "sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==",
       "dev": true
     },
+    "node_modules/json-with-bigint": {
+      "version": "3.5.8",
+      "resolved": "https://registry.npmjs.org/json-with-bigint/-/json-with-bigint-3.5.8.tgz",
+      "integrity": "sha512-eq/4KP6K34kwa7TcFdtvnftvHCD9KvHOGGICWwMFc4dOOKF5t4iYqnfLK8otCRCRv06FXOzGGyqE8h8ElMvvdw==",
+      "license": "MIT"
+    },
     "node_modules/json5": {
       "version": "2.2.3",
       "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
@@ -5657,6 +5754,7 @@
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
       "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dev": true,
       "dependencies": {
         "wrappy": "1"
       }
@@ -6222,6 +6320,7 @@
       "version": "6.3.1",
       "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
       "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
       "bin": {
         "semver": "bin/semver.js"
       }
@@ -6671,6 +6770,50 @@
         "node": ">=10"
       }
     },
+    "node_modules/ts-node": {
+      "version": "10.9.2",
+      "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz",
+      "integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@cspotcode/source-map-support": "^0.8.0",
+        "@tsconfig/node10": "^1.0.7",
+        "@tsconfig/node12": "^1.0.7",
+        "@tsconfig/node14": "^1.0.0",
+        "@tsconfig/node16": "^1.0.2",
+        "acorn": "^8.4.1",
+        "acorn-walk": "^8.1.1",
+        "arg": "^4.1.0",
+        "create-require": "^1.1.0",
+        "diff": "^4.0.1",
+        "make-error": "^1.1.1",
+        "v8-compile-cache-lib": "^3.0.1",
+        "yn": "3.1.1"
+      },
+      "bin": {
+        "ts-node": "dist/bin.js",
+        "ts-node-cwd": "dist/bin-cwd.js",
+        "ts-node-esm": "dist/bin-esm.js",
+        "ts-node-script": "dist/bin-script.js",
+        "ts-node-transpile-only": "dist/bin-transpile.js",
+        "ts-script": "dist/bin-script-deprecated.js"
+      },
+      "peerDependencies": {
+        "@swc/core": ">=1.2.50",
+        "@swc/wasm": ">=1.2.50",
+        "@types/node": "*",
+        "typescript": ">=2.7"
+      },
+      "peerDependenciesMeta": {
+        "@swc/core": {
+          "optional": true
+        },
+        "@swc/wasm": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/tsconfig-paths": {
       "version": "3.15.0",
       "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.15.0.tgz",
@@ -6714,6 +6857,7 @@
       "version": "0.0.6",
       "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
       "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "license": "MIT",
       "engines": {
         "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
       }
@@ -6853,15 +6997,12 @@
       }
     },
     "node_modules/undici": {
-      "version": "5.29.0",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
-      "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "version": "6.27.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.27.0.tgz",
+      "integrity": "sha512-YmfV3YnEDzXRC5lZ2jWtWWHKGUm1zIt8AhesR1tens+HTNv+YZlN/dp6G727LOvMJ8xjP9Be7Y2Sdr96LDm+pg==",
       "license": "MIT",
-      "dependencies": {
-        "@fastify/busboy": "^2.0.0"
-      },
       "engines": {
-        "node": ">=14.0"
+        "node": ">=18.17"
       }
     },
     "node_modules/undici-types": {
@@ -6871,9 +7012,10 @@
       "dev": true
     },
     "node_modules/universal-user-agent": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-6.0.1.tgz",
-      "integrity": "sha512-yCzhz6FN2wU1NiiQRogkTQszlQSlpWaw8SvVegAc+bDxbzHgh1vX8uIe8OYyMH6DwH+sdTJsgMl36+mSMdRJIQ=="
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
+      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
+      "license": "ISC"
     },
     "node_modules/update-browserslist-db": {
       "version": "1.0.13",
@@ -6914,17 +7056,12 @@
         "punycode": "^2.1.0"
       }
     },
-    "node_modules/uuid": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
-      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
-      "funding": [
-        "https://github.com/sponsors/broofa",
-        "https://github.com/sponsors/ctavan"
-      ],
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
+    "node_modules/v8-compile-cache-lib": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/v8-compile-cache-lib/-/v8-compile-cache-lib-3.0.1.tgz",
+      "integrity": "sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==",
+      "dev": true,
+      "license": "MIT"
     },
     "node_modules/v8-to-istanbul": {
       "version": "9.2.0",
@@ -7063,7 +7200,8 @@
     "node_modules/wrappy": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
-      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "dev": true
     },
     "node_modules/write-file-atomic": {
       "version": "4.0.2",
@@ -7120,6 +7258,16 @@
         "node": ">=12"
       }
     },
+    "node_modules/yn": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/yn/-/yn-3.1.1.tgz",
+      "integrity": "sha512-Ux4ygGWsu2c7isFWe8Yu1YluJmqVhxqK2cLXNQA5AcC3QfbGNpM7fu0Y8b/z16pXLnFxZYvWhd3fhBY9DLmC6Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/yocto-queue": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",

package.json

@@ -2,13 +2,14 @@
   "name": "checkout",
   "version": "5.0.0",
   "description": "checkout action",
+  "type": "module",
   "main": "lib/main.js",
   "scripts": {
-    "build": "tsc && ncc build && node lib/misc/generate-docs.js",
+    "build": "tsc && ncc build src/main.ts -o dist && node lib/misc/generate-docs.js",
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
     "lint": "eslint src/**/*.ts",
-    "test": "jest",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
     "licensed-check": "src/misc/licensed-check.sh",
     "licensed-generate": "src/misc/licensed-generate.sh"
   },
@@ -27,29 +28,30 @@
     "url": "https://github.com/actions/checkout/issues"
   },
   "homepage": "https://github.com/actions/checkout#readme",
+  "engines": {
+    "node": ">=24"
+  },
   "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
-    "@actions/io": "^1.1.3",
-    "@actions/tool-cache": "^2.0.1",
-    "uuid": "^9.0.1"
+    "@actions/core": "^3.0.1",
+    "@actions/exec": "^3.0.0",
+    "@actions/github": "^9.1.1",
+    "@actions/io": "^3.0.2",
+    "@actions/tool-cache": "^4.0.0"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
     "@types/node": "^24.1.0",
-    "@types/uuid": "^9.0.8",
     "@typescript-eslint/eslint-plugin": "^7.9.0",
     "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
+    "@vercel/ncc": "^0.38.4",
     "eslint": "^8.57.0",
     "eslint-plugin-github": "^4.10.2",
     "eslint-plugin-jest": "^28.8.2",
     "jest": "^29.7.0",
-    "jest-circus": "^29.7.0",
-    "js-yaml": "^4.1.0",
+    "js-yaml": "^4.2.0",
     "prettier": "^3.3.3",
     "ts-jest": "^29.2.5",
+    "ts-node": "^10.9.2",
     "typescript": "^5.5.4"
   }
 }

src/git-auth-helper.ts

@@ -5,12 +5,12 @@ import * as fs from 'fs'
 import * as io from '@actions/io'
 import * as os from 'os'
 import * as path from 'path'
-import * as regexpHelper from './regexp-helper'
-import * as stateHelper from './state-helper'
-import * as urlHelper from './url-helper'
-import {v4 as uuid} from 'uuid'
-import {IGitCommandManager} from './git-command-manager'
-import {IGitSourceSettings} from './git-source-settings'
+import * as regexpHelper from './regexp-helper.js'
+import * as stateHelper from './state-helper.js'
+import * as urlHelper from './url-helper.js'
+import {randomUUID} from 'crypto'
+import {IGitCommandManager} from './git-command-manager.js'
+import {IGitSourceSettings} from './git-source-settings.js'
 
 const IS_WINDOWS = process.platform === 'win32'
 const SSH_COMMAND_KEY = 'core.sshCommand'
@@ -90,7 +90,7 @@ class GitAuthHelper {
     // Create a temp home directory
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
-    const uniqueId = uuid()
+    const uniqueId = randomUUID()
     this.temporaryHomePath = path.join(runnerTemp, uniqueId)
     await fs.promises.mkdir(this.temporaryHomePath, {recursive: true})
 
@@ -255,7 +255,7 @@ class GitAuthHelper {
     // Write key
     const runnerTemp = process.env['RUNNER_TEMP'] || ''
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
-    const uniqueId = uuid()
+    const uniqueId = randomUUID()
     this.sshKeyPath = path.join(runnerTemp, uniqueId)
     stateHelper.setSshKeyPath(this.sshKeyPath)
     await fs.promises.mkdir(runnerTemp, {recursive: true})
@@ -422,7 +422,7 @@ class GitAuthHelper {
     assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
 
     // Create a unique filename for this checkout instance
-    const configFileName = `git-credentials-${uuid()}.config`
+    const configFileName = `git-credentials-${randomUUID()}.config`
     this.credentialsConfigPath = path.join(runnerTemp, configFileName)
 
     core.debug(`Credentials config path: ${this.credentialsConfigPath}`)

src/git-command-manager.ts

@@ -1,13 +1,13 @@
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
 import * as fs from 'fs'
-import * as fshelper from './fs-helper'
+import * as fshelper from './fs-helper.js'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as refHelper from './ref-helper'
-import * as regexpHelper from './regexp-helper'
-import * as retryHelper from './retry-helper'
-import {GitVersion} from './git-version'
+import * as refHelper from './ref-helper.js'
+import * as regexpHelper from './regexp-helper.js'
+import * as retryHelper from './retry-helper.js'
+import {GitVersion} from './git-version.js'
 
 // Auth header not supported before 2.9
 // Wire protocol v2 not supported before 2.18
@@ -43,7 +43,7 @@ export interface IGitCommandManager {
   getDefaultBranch(repositoryUrl: string): Promise<string>
   getSubmoduleConfigPaths(recursive: boolean): Promise<string[]>
   getWorkingDirectory(): string
-  init(): Promise<void>
+  init(objectFormat?: string): Promise<void>
   isDetached(): Promise<boolean>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
@@ -364,8 +364,14 @@ class GitCommandManager {
     return this.workingDirectory
   }
 
-  async init(): Promise<void> {
-    await this.execGit(['init', this.workingDirectory])
+  async init(objectFormat?: string): Promise<void> {
+    const args = ['init']
+    if (objectFormat === 'sha256') {
+      args.push('--object-format=sha256')
+    }
+    args.push(this.workingDirectory)
+
+    await this.execGit(args)
   }
 
   async isDetached(): Promise<boolean> {

src/git-directory-helper.ts

@@ -1,10 +1,10 @@
 import * as assert from 'assert'
 import * as core from '@actions/core'
 import * as fs from 'fs'
-import * as fsHelper from './fs-helper'
+import * as fsHelper from './fs-helper.js'
 import * as io from '@actions/io'
 import * as path from 'path'
-import {IGitCommandManager} from './git-command-manager'
+import {IGitCommandManager} from './git-command-manager.js'
 
 export async function prepareExistingDirectory(
   git: IGitCommandManager | undefined,

src/git-source-provider.ts

@@ -1,19 +1,19 @@
 import * as core from '@actions/core'
-import * as fsHelper from './fs-helper'
-import * as gitAuthHelper from './git-auth-helper'
-import * as gitCommandManager from './git-command-manager'
-import * as gitDirectoryHelper from './git-directory-helper'
-import * as githubApiHelper from './github-api-helper'
+import * as fsHelper from './fs-helper.js'
+import * as gitAuthHelper from './git-auth-helper.js'
+import * as gitCommandManager from './git-command-manager.js'
+import * as gitDirectoryHelper from './git-directory-helper.js'
+import * as githubApiHelper from './github-api-helper.js'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as refHelper from './ref-helper'
-import * as stateHelper from './state-helper'
-import * as urlHelper from './url-helper'
+import * as refHelper from './ref-helper.js'
+import * as stateHelper from './state-helper.js'
+import * as urlHelper from './url-helper.js'
 import {
   MinimumGitSparseCheckoutVersion,
   IGitCommandManager
-} from './git-command-manager'
-import {IGitSourceSettings} from './git-source-settings'
+} from './git-command-manager.js'
+import {IGitSourceSettings} from './git-source-settings.js'
 
 export async function getSource(settings: IGitSourceSettings): Promise<void> {
   // Repository URL
@@ -109,8 +109,25 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     if (
       !fsHelper.directoryExistsSync(path.join(settings.repositoryPath, '.git'))
     ) {
+      core.startGroup('Determining repository object format')
+      const objectFormatResult =
+        await githubApiHelper.tryGetRepositoryObjectFormat(
+          settings.authToken,
+          settings.repositoryOwner,
+          settings.repositoryName,
+          settings.githubServerUrl,
+          settings.commit
+        )
+      const objectFormat = objectFormatResult.succeeded
+        ? objectFormatResult.format
+        : ''
+      if (objectFormat === 'sha256') {
+        core.info('Detected SHA-256 repository object format')
+      }
+      core.endGroup()
+
       core.startGroup('Initializing the repository')
-      await git.init()
+      await git.init(objectFormat)
       await git.remoteAdd('origin', repositoryUrl)
       core.endGroup()
     }

src/git-source-settings.ts

@@ -118,4 +118,10 @@ export interface IGitSourceSettings {
    * User override on the GitHub Server/Host URL that hosts the repository to be cloned
    */
   githubServerUrl: string | undefined
+
+  /**
+   * Opt-in to allow checking out fork pull request code from a workflow
+   * triggered by pull_request_target or workflow_run.
+   */
+  allowUnsafePrCheckout: boolean
 }

src/github-api-helper.ts

@@ -4,13 +4,18 @@ import * as fs from 'fs'
 import * as github from '@actions/github'
 import * as io from '@actions/io'
 import * as path from 'path'
-import * as retryHelper from './retry-helper'
+import * as retryHelper from './retry-helper.js'
 import * as toolCache from '@actions/tool-cache'
-import {v4 as uuid} from 'uuid'
-import {getServerApiUrl} from './url-helper'
+import {randomUUID} from 'crypto'
+import {getServerApiUrl} from './url-helper.js'
 
 const IS_WINDOWS = process.platform === 'win32'
 
+export interface RepositoryObjectFormatResult {
+  format: string
+  succeeded: boolean
+}
+
 export async function downloadRepository(
   authToken: string,
   owner: string,
@@ -34,7 +39,7 @@ export async function downloadRepository(
 
   // Write archive to disk
   core.info('Writing archive to disk')
-  const uniqueId = uuid()
+  const uniqueId = randomUUID()
   const archivePath = IS_WINDOWS
     ? path.join(repositoryPath, `${uniqueId}.zip`)
     : path.join(repositoryPath, `${uniqueId}.tar.gz`)
@@ -122,6 +127,53 @@ export async function getDefaultBranch(
   })
 }
 
+export async function tryGetRepositoryObjectFormat(
+  authToken: string,
+  owner: string,
+  repo: string,
+  baseUrl?: string,
+  commit?: string
+): Promise<RepositoryObjectFormatResult> {
+  const commitFormat = getObjectFormat(commit)
+  if (commitFormat) {
+    return {format: commitFormat, succeeded: true}
+  }
+
+  try {
+    const octokit = github.getOctokit(authToken, {
+      baseUrl: getServerApiUrl(baseUrl)
+    })
+    const response = await octokit.request(
+      'GET /repos/{owner}/{repo}/hash-algorithm',
+      {owner, repo}
+    )
+    const hashAlgorithm = response.data.hash_algorithm
+    if (hashAlgorithm === 'sha256' || hashAlgorithm === 'sha1') {
+      return {format: hashAlgorithm, succeeded: true}
+    }
+
+    core.debug(
+      'Unable to determine repository object format from hash-algorithm endpoint'
+    )
+    return {format: '', succeeded: false}
+  } catch (err) {
+    core.debug(
+      `Unable to determine repository object format from hash-algorithm endpoint: ${(err as any)?.message ?? err}`
+    )
+    return {format: '', succeeded: false}
+  }
+}
+
+function getObjectFormat(sha?: string): string {
+  if (/^[0-9a-fA-F]{64}$/.test(sha || '')) {
+    return 'sha256'
+  }
+  if (/^[0-9a-fA-F]{40}$/.test(sha || '')) {
+    return 'sha1'
+  }
+  return ''
+}
+
 async function downloadArchive(
   authToken: string,
   owner: string,

src/input-helper.ts

@@ -1,9 +1,10 @@
 import * as core from '@actions/core'
-import * as fsHelper from './fs-helper'
+import * as fsHelper from './fs-helper.js'
 import * as github from '@actions/github'
 import * as path from 'path'
-import * as workflowContextHelper from './workflow-context-helper'
-import {IGitSourceSettings} from './git-source-settings'
+import * as unsafePrCheckoutHelper from './unsafe-pr-checkout-helper.js'
+import * as workflowContextHelper from './workflow-context-helper.js'
+import {IGitSourceSettings} from './git-source-settings.js'
 
 export async function getInputs(): Promise<IGitSourceSettings> {
   const result = {} as unknown as IGitSourceSettings
@@ -71,7 +72,7 @@ export async function getInputs(): Promise<IGitSourceSettings> {
     }
   }
   // SHA?
-  else if (result.ref.match(/^[0-9a-fA-F]{40}$/)) {
+  else if (result.ref.match(/^(?:[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/)) {
     result.commit = result.ref
     result.ref = ''
   }
@@ -161,5 +162,18 @@ export async function getInputs(): Promise<IGitSourceSettings> {
   result.githubServerUrl = core.getInput('github-server-url')
   core.debug(`GitHub Host URL = ${result.githubServerUrl}`)
 
+  // Allow unsafe PR checkout (opt-in for pull_request_target / workflow_run fork PRs)
+  result.allowUnsafePrCheckout =
+    (core.getInput('allow-unsafe-pr-checkout') || 'false').toUpperCase() ===
+    'TRUE'
+  core.debug(`allow unsafe PR checkout = ${result.allowUnsafePrCheckout}`)
+
+  unsafePrCheckoutHelper.assertSafePrCheckout({
+    qualifiedRepository,
+    ref: result.ref,
+    commit: result.commit,
+    allowUnsafePrCheckout: result.allowUnsafePrCheckout
+  })
+
   return result
 }

src/main.ts

@@ -1,9 +1,11 @@
 import * as core from '@actions/core'
-import * as coreCommand from '@actions/core/lib/command'
-import * as gitSourceProvider from './git-source-provider'
-import * as inputHelper from './input-helper'
+import * as gitSourceProvider from './git-source-provider.js'
+import * as inputHelper from './input-helper.js'
 import * as path from 'path'
-import * as stateHelper from './state-helper'
+import * as stateHelper from './state-helper.js'
+import {fileURLToPath} from 'url'
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
 
 async function run(): Promise<void> {
   try {
@@ -11,10 +13,8 @@ async function run(): Promise<void> {
 
     try {
       // Register problem matcher
-      coreCommand.issueCommand(
-        'add-matcher',
-        {},
-        path.join(__dirname, 'problem-matcher.json')
+      core.info(
+        `::add-matcher::${path.join(__dirname, 'problem-matcher.json')}`
       )
 
       // Get sources
@@ -22,7 +22,7 @@ async function run(): Promise<void> {
       core.setOutput('ref', sourceSettings.ref)
     } finally {
       // Unregister problem matcher
-      coreCommand.issueCommand('remove-matcher', {owner: 'checkout-git'}, '')
+      core.info('::remove-matcher owner=checkout-git::')
     }
   } catch (error) {
     core.setFailed(`${(error as any)?.message ?? error}`)

src/misc/generate-docs.ts

@@ -2,6 +2,9 @@ import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
 import * as yaml from 'js-yaml'
+import {fileURLToPath} from 'url'
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
 
 //
 // SUMMARY

src/ref-helper.ts

@@ -1,7 +1,7 @@
-import {IGitCommandManager} from './git-command-manager'
+import {IGitCommandManager} from './git-command-manager.js'
 import * as core from '@actions/core'
 import * as github from '@actions/github'
-import {getServerApiUrl, isGhes} from './url-helper'
+import {getServerApiUrl, isGhes} from './url-helper.js'
 
 export const tagsRefSpec = '+refs/tags/*:refs/tags/*'
 
@@ -258,7 +258,9 @@ export async function checkCommitInfo(
     }
 
     // Extract details from message
-    const match = commitInfo.match(/Merge ([0-9a-f]{40}) into ([0-9a-f]{40})/)
+    const match = commitInfo.match(
+      /Merge ([0-9a-f]{40}|[0-9a-f]{64}) into ([0-9a-f]{40}|[0-9a-f]{64})/
+    )
     if (!match) {
       core.debug('Unexpected message format')
       return
@@ -290,7 +292,7 @@ export async function checkCommitInfo(
   }
 }
 
-function fromPayload(path: string): any {
+export function fromPayload(path: string): any {
   return select(github.context.payload, path)
 }
 

src/unsafe-pr-checkout-helper.ts

@@ -0,0 +1,88 @@
+import * as github from '@actions/github'
+import {fromPayload} from './ref-helper.js'
+
+const PR_REF_PATTERN = /^refs\/pull\/[0-9]+\/(?:head|merge)$/
+
+export interface IUnsafePrCheckoutInput {
+  qualifiedRepository: string
+  ref: string
+  commit: string | undefined
+  allowUnsafePrCheckout: boolean
+}
+
+export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
+  if (input.allowUnsafePrCheckout) {
+    return
+  }
+
+  const eventName = github.context.eventName
+  if (eventName !== 'pull_request_target' && eventName !== 'workflow_run') {
+    return
+  }
+
+  const baseRepoId = fromPayload('repository.id')
+  if (typeof baseRepoId !== 'number') {
+    return
+  }
+
+  let prHeadRepoId: unknown
+  let prHeadRepoFullName: unknown
+  const prShas: string[] = []
+
+  if (eventName === 'pull_request_target') {
+    prHeadRepoId = fromPayload('pull_request.head.repo.id')
+    prHeadRepoFullName = fromPayload('pull_request.head.repo.full_name')
+    pushIfSha(prShas, fromPayload('pull_request.head.sha'))
+    pushIfSha(prShas, fromPayload('pull_request.merge_commit_sha'))
+  } else {
+    const wrEvent = fromPayload('workflow_run.event')
+    if (typeof wrEvent !== 'string' || !wrEvent.startsWith('pull_request')) {
+      return
+    }
+    prHeadRepoId = fromPayload('workflow_run.head_repository.id')
+    prHeadRepoFullName = fromPayload('workflow_run.head_repository.full_name')
+    pushIfSha(prShas, fromPayload('workflow_run.head_commit.id'))
+    // For `pull_request_target`-triggered workflow_run, `head_sha` is the base
+    // default branch SHA (not the PR head)
+    if (wrEvent !== 'pull_request_target') {
+      pushIfSha(prShas, fromPayload('workflow_run.head_sha'))
+    }
+  }
+
+  // (A) Fork PR?
+  if (typeof prHeadRepoId !== 'number' || prHeadRepoId === baseRepoId) {
+    return
+  }
+
+  // (B) We cannot check for all fork PR refs so check to see
+  // if the resolved input points to the fork PR sha we have in the payload
+  const repositoryMatchesPrHead =
+    typeof prHeadRepoFullName === 'string' &&
+    input.qualifiedRepository.toLowerCase() === prHeadRepoFullName.toLowerCase()
+  const refMatchesPullPattern = PR_REF_PATTERN.test(input.ref)
+  const commitMatchesPrHeadSha =
+    !!input.commit && prShas.includes(input.commit.toLowerCase())
+
+  if (
+    !repositoryMatchesPrHead &&
+    !refMatchesPullPattern &&
+    !commitMatchesPrHeadSha
+  ) {
+    return
+  }
+
+  throw new Error(
+    `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
+      `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
+      `cache scope, and runner access. Fetching and executing a fork's code in that trusted ` +
+      `context commonly leads to "pwn request" vulnerabilities. To opt in after reviewing ` +
+      `the risks at https://gh.io/securely-using-pull_request_target, set ` +
+      `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
+  )
+}
+
+function pushIfSha(target: string[], value: unknown): void {
+  if (typeof value === 'string' && value.length > 0) {
+    target.push(value.toLowerCase())
+  }
+}

src/url-helper.ts

@@ -1,6 +1,6 @@
 import * as assert from 'assert'
 import {URL} from 'url'
-import {IGitSourceSettings} from './git-source-settings'
+import {IGitSourceSettings} from './git-source-settings.js'
 
 export function getFetchUrl(settings: IGitSourceSettings): string {
   assert.ok(

tsconfig.json

@@ -1,17 +1,13 @@
 {
   "compilerOptions": {
-    "target": "es6",
-    "module": "commonjs",
-    "lib": [
-      "es6"
-    ],
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
     "outDir": "./lib",
     "rootDir": "./src",
-    "declaration": true,
     "strict": true,
     "noImplicitAny": false,
-    "esModuleInterop": true,
-    "skipLibCheck": true
+    "esModuleInterop": true
   },
-  "exclude": ["__test__", "lib", "node_modules"]
+  "exclude": ["__test__", "lib", "node_modules", "jest.config.ts"]
 }