2026-01-11 22:53:07 +08:00
19 changed files with 134 additions and 495 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6

      - name: Set Node.js 24.x
        uses: actions/setup-node@v4
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -39,7 +39,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4.1.6

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@ -9,6 +9,6 @@ jobs:
    runs-on: ubuntu-latest
    name: Check licenses
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run licensed-check
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@ -14,7 +14,7 @@ jobs:

    steps:
      - name: Checking out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
      - name: Publish
        id: publish
        uses: actions/publish-immutable-action@0.0.3
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -19,7 +19,7 @@ jobs:
      - uses: actions/setup-node@v4
        with:
          node-version: 24.x
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run build
      - run: npm run format-check
@ -37,7 +37,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6

      # Basic checkout
      - name: Checkout basic
@ -87,17 +87,6 @@ jobs:
      - name: Verify fetch filter
        run: __test__/verify-fetch-filter.sh

-      # Fetch tags
-      - name: Checkout with fetch-tags
-        uses: ./
-        with:
-          ref: test-data/v2/basic
-          path: fetch-tags-test
-          fetch-tags: true
-      - name: Verify fetch-tags
-        shell: bash
-        run: __test__/verify-fetch-tags.sh
-
      # Sparse checkout
      - name: Sparse checkout
        uses: ./
@ -176,22 +165,6 @@ jobs:
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh

-      # Worktree credentials
-      - name: Checkout for worktree test
-        uses: ./
-        with:
-          path: worktree-test
-      - name: Verify worktree credentials
-        shell: bash
-        run: __test__/verify-worktree.sh worktree-test worktree-branch
-
-      # Worktree credentials in container step
-      - name: Verify worktree credentials in container step
-        if: runner.os == 'Linux'
-        uses: docker://bitnami/git:latest
-        with:
-          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
-
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
@ -229,7 +202,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6

      # Basic checkout using git
      - name: Checkout basic
@ -261,7 +234,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6

      # Basic checkout using git
      - name: Checkout basic
@ -291,7 +264,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
        with:
          path: localClone

@ -318,8 +291,8 @@ jobs:
          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main

      # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v6
-        uses: actions/checkout@v6
+      - name: Fix Checkout v4
+        uses: actions/checkout@v4.1.6
        with:
          path: localClone

@ -328,7 +301,7 @@ jobs:
    steps:
      # Clone this repo
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4.1.6
        with:
          path: actions-checkout

--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@ -23,7 +23,7 @@ jobs:
    # Note this update workflow can also be used as a rollback tool.
    # For that reason, it's best to pin `actions/checkout` to a known, stable version
    # (typically, about two releases back).
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4.1.6
      with:
        fetch-depth: 0
    - name: Git config
--- a/.github/workflows/update-test-ubuntu-git.yml
+++ b/.github/workflows/update-test-ubuntu-git.yml
@ -26,7 +26,7 @@ jobs:
 
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      # Use `docker/login-action` to log in to GHCR.io. 
      # Once published, the packages are scoped to the account defined here.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,25 +1,19 @@
 # Changelog

-## v6.0.2
-* Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
-
-## v6.0.1
-* Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
-
-## v6.0.0
+## V6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248

-## v5.0.1
+## V5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301

-## v5.0.0
+## V5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226

-## v4.3.1
+## V4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305

-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
--- a/README.md
+++ b/README.md
@ -4,9 +4,8 @@

 ## What's new

- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
+- Updated `persist-credentials` to store the credentials under `$RUNNER_TEMP` instead of directly in the local git config.
+  - This requires a minimum Actions Runner version of [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) to access the persisted credentials for [Docker container action](https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action) scenarios.

 # Checkout v5

@ -52,7 +51,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 <!-- start usage -->
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@ -191,7 +190,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: .
 ```
@ -199,7 +198,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      .github
@ -209,7 +208,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      README.md
@ -219,7 +218,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 0
 ```
@ -227,7 +226,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: my-branch
 ```
@ -235,7 +234,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@ -245,12 +244,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main

 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@ -261,10 +260,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5

 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@ -275,12 +274,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/

 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main

 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@ -293,7 +292,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit

 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@ -309,7 +308,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```

 ## Push a commit using the built-in token
@ -320,7 +319,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
@ -342,7 +341,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
      - run: |
--- a/test/git-command-manager.test.ts
+++ b/test/git-command-manager.test.ts
@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    jest.restoreAllMocks()
  })

-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 0
+      fetchDepth: 0,
+      fetchTags: true
+    }
+
+    await git.fetch(refSpec, options)
+
+    expect(mockExec).toHaveBeenCalledWith(
+      expect.any(String),
+      [
+        '-c',
+        'protocol.version=2',
+        'fetch',
+        '--prune',
+        '--no-recurse-submodules',
+        '--filter=filterValue',
+        'origin',
+        'refspec1',
+        'refspec2'
+      ],
+      expect.any(Object)
+    )
+  })
+
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
+    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
+
+    const workingDirectory = 'test'
+    const lfs = false
+    const doSparseCheckout = false
+    git = await commandManager.createCommandManager(
+      workingDirectory,
+      lfs,
+      doSparseCheckout
+    )
+    const refSpec = ['refspec1', 'refspec2']
+    const options = {
+      filter: 'filterValue',
+      fetchDepth: 0,
+      fetchTags: false
    }

    await git.fetch(refSpec, options)
@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
-    const options = {
-      filter: 'filterValue',
-      fetchDepth: 0
-    }
-
-    await git.fetch(refSpec, options)
-
-    expect(mockExec).toHaveBeenCalledWith(
-      expect.any(String),
-      [
-        '-c',
-        'protocol.version=2',
-        'fetch',
-        '--no-tags',
-        '--prune',
-        '--no-recurse-submodules',
-        '--filter=filterValue',
-        'origin',
-        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
-      ],
-      expect.any(Object)
-    )
-  })
-
-  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: false
    }

    await git.fetch(refSpec, options)
@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
+      fetchTags: true
    }

    await git.fetch(refSpec, options)
@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
-        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        '--depth=1',
        'origin',
        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
+        'refspec2'
      ],
      expect.any(Object)
    )
@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })

-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)

    const workingDirectory = 'test'
@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
+      fetchTags: true,
      showProgress: true
    }

@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
-        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--progress',
        '--filter=filterValue',
        'origin',
        'refspec1',
-        'refspec2',
-        '+refs/tags/*:refs/tags/*'
+        'refspec2'
      ],
      expect.any(Object)
    )
  })
 })
-
-describe('git user-agent with orchestration ID', () => {
-  beforeEach(async () => {
-    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
-    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
-  })
-
-  afterEach(() => {
-    jest.restoreAllMocks()
-    // Clean up environment variable to prevent test pollution
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-  })
-
-  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
-    const orchId = 'test-orch-id-12345'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent includes the orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
-    )
-  })
-
-  it('should sanitize invalid characters in orchestration ID', async () => {
-    const orchId = 'test (with) special/chars'
-    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
-    )
-  })
-
-  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
-    delete process.env['ACTIONS_ORCHESTRATION_ID']
-
-    let capturedEnv: any = null
-    mockExec.mockImplementation((path, args, options) => {
-      if (args.includes('version')) {
-        options.listeners.stdout(Buffer.from('2.18'))
-      }
-      // Capture env on any command
-      capturedEnv = options.env
-      return 0
-    })
-    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
-
-    const workingDirectory = 'test'
-    const lfs = false
-    const doSparseCheckout = false
-    git = await commandManager.createCommandManager(
-      workingDirectory,
-      lfs,
-      doSparseCheckout
-    )
-
-    // Call a git command to trigger env capture after user-agent is set
-    await git.init()
-
-    // Verify the user agent does NOT contain orchestration ID
-    expect(git).toBeDefined()
-    expect(capturedEnv).toBeDefined()
-    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
-      'git/2.18 (github-actions-checkout)'
-    )
-  })
-})
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@ -152,22 +152,7 @@ describe('ref-helper tests', () => {
  it('getRefSpec sha + refs/tags/', async () => {
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
-  })
-
-  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
  })

  it('getRefSpec sha only', async () => {
@ -183,14 +168,6 @@ describe('ref-helper tests', () => {
    expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
  })

-  it('getRefSpec unqualified ref only with fetchTags', async () => {
-    // When fetchTags is true, skip specific tag pattern since wildcard covers all
-    const refSpec = refHelper.getRefSpec('my-ref', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
-  })
-
  it('getRefSpec refs/heads/ only', async () => {
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
    expect(refSpec.length).toBe(1)
@ -210,21 +187,4 @@ describe('ref-helper tests', () => {
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
  })
-
-  it('getRefSpec refs/tags/ only with fetchTags', async () => {
-    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
-    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
-    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-  })
-
-  it('getRefSpec refs/heads/ only with fetchTags', async () => {
-    // When fetchTags is true, include both the branch refspec and tags wildcard
-    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
-    expect(refSpec.length).toBe(2)
-    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
-    expect(refSpec[1]).toBe(
-      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
-    )
-  })
 })
--- a/test/verify-fetch-tags.sh
+++ b/test/verify-fetch-tags.sh
@ -1,9 +0,0 @@
-#!/bin/sh
-
-# Verify tags were fetched
-TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
-if [ "$TAG_COUNT" -eq 0 ]; then
-    echo "Expected tags to be fetched, but found none"
-    exit 1
-fi
-echo "Found $TAG_COUNT tags"
--- a/test/verify-worktree.sh
+++ b/test/verify-worktree.sh
@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-# Verify worktree credentials
-# This test verifies that git credentials work in worktrees created after checkout
-# Usage: verify-worktree.sh <checkout-path> <worktree-name>
-
-CHECKOUT_PATH="$1"
-WORKTREE_NAME="$2"
-
-if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
-  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
-  exit 1
-fi
-
-cd "$CHECKOUT_PATH"
-
-# Add safe directory for container environments
-git config --global --add safe.directory "*" 2>/dev/null || true
-
-# Show the includeIf configuration
-echo "Git config includeIf entries:"
-git config --list --show-origin | grep -i include || true
-
-# Create the worktree
-echo "Creating worktree..."
-git worktree add "../$WORKTREE_NAME" HEAD --detach
-
-# Change to worktree directory
-cd "../$WORKTREE_NAME"
-
-# Verify we're in a worktree
-echo "Verifying worktree gitdir:"
-cat .git
-
-# Verify credentials are available in worktree by checking extraheader is configured
-echo "Checking credentials in worktree..."
-if git config --list --show-origin | grep -q "extraheader"; then
-  echo "Credentials are configured in worktree"
-else
-  echo "ERROR: Credentials are NOT configured in worktree"
-  echo "Full git config:"
-  git config --list --show-origin
-  exit 1
-fi
-
-# Verify fetch works in the worktree
-echo "Fetching in worktree..."
-git fetch origin
-
-echo "Worktree credentials test passed!"
--- a/dist/index.js
+++ b/dist/index.js
@ -412,9 +412,6 @@ class GitAuthHelper {
                // Configure host includeIf
                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
-                // Configure host includeIf for worktrees
-                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
-                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
@ -427,9 +424,6 @@ class GitAuthHelper {
                // Configure container includeIf
                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
-                // Configure container includeIf for worktrees
-                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
-                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
    }
@ -653,6 +647,7 @@ const fs = __importStar(__nccwpck_require__(7147));
 const fshelper = __importStar(__nccwpck_require__(7219));
 const io = __importStar(__nccwpck_require__(7436));
 const path = __importStar(__nccwpck_require__(1017));
+const refHelper = __importStar(__nccwpck_require__(8601));
 const regexpHelper = __importStar(__nccwpck_require__(3120));
 const retryHelper = __importStar(__nccwpck_require__(2155));
 const git_version_1 = __nccwpck_require__(3142);
@ -830,9 +825,9 @@ class GitCommandManager {
    fetch(refSpec, options) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2', 'fetch'];
-            // Always use --no-tags for explicit control over tag fetching
-            // Tags are fetched explicitly via refspec when needed
-            args.push('--no-tags');
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
+                args.push('--no-tags');
+            }
            args.push('--prune', '--no-recurse-submodules');
            if (options.showProgress) {
                args.push('--progress');
@ -1205,17 +1200,7 @@ class GitCommandManager {
                }
            }
            // Set the user agent
-            let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
-            // Append orchestration ID if set
-            const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
-            if (orchId) {
-                // Sanitize the orchestration ID to ensure it contains only valid characters
-                // Valid characters: 0-9, a-z, _, -, .
-                const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
-                if (sanitizedId) {
-                    gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
-                }
-            }
+            const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
            core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
            this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
        });
@ -1538,26 +1523,13 @@ function getSource(settings) {
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                    yield git.fetch(refSpec, fetchOptions);
-                    // Verify the ref now matches. For branches, the targeted fetch above brings
-                    // in the specific commit. For tags (fetched by ref), this will fail if
-                    // the tag was moved after the workflow was triggered.
-                    if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                        throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                            `The ref may have been updated after the workflow was triggered.`);
-                    }
                }
            }
            else {
                fetchOptions.fetchDepth = settings.fetchDepth;
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
+                fetchOptions.fetchTags = settings.fetchTags;
+                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                yield git.fetch(refSpec, fetchOptions);
-                // For tags, verify the ref still points to the expected commit.
-                // Tags are fetched by ref (not commit), so if a tag was moved after the
-                // workflow was triggered, we would silently check out the wrong commit.
-                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
-                    throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-                        `The ref may have been updated after the workflow was triggered.`);
-                }
            }
            core.endGroup();
            // Checkout info
@ -2296,67 +2268,53 @@ function getRefSpecForAllHistory(ref, commit) {
    }
    return result;
 }
-function getRefSpec(ref, commit, fetchTags) {
+function getRefSpec(ref, commit) {
    if (!ref && !commit) {
        throw new Error('Args ref and commit cannot both be empty');
    }
    const upperRef = (ref || '').toUpperCase();
-    const result = [];
-    // When fetchTags is true, always include the tags refspec
-    if (fetchTags) {
-        result.push(exports.tagsRefSpec);
-    }
    // SHA
    if (commit) {
        // refs/heads
        if (upperRef.startsWith('REFS/HEADS/')) {
            const branch = ref.substring('refs/heads/'.length);
-            result.push(`+${commit}:refs/remotes/origin/${branch}`);
+            return [`+${commit}:refs/remotes/origin/${branch}`];
        }
        // refs/pull/
        else if (upperRef.startsWith('REFS/PULL/')) {
            const branch = ref.substring('refs/pull/'.length);
-            result.push(`+${commit}:refs/remotes/pull/${branch}`);
+            return [`+${commit}:refs/remotes/pull/${branch}`];
        }
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
-            if (!fetchTags) {
-                result.push(`+${ref}:${ref}`);
-            }
+            return [`+${commit}:${ref}`];
        }
        // Otherwise no destination ref
        else {
-            result.push(commit);
+            return [commit];
        }
    }
    // Unqualified ref, check for a matching branch or tag
    else if (!upperRef.startsWith('REFS/')) {
-        result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
-        if (!fetchTags) {
-            result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
-        }
+        return [
+            `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
+            `+refs/tags/${ref}*:refs/tags/${ref}*`
+        ];
    }
    // refs/heads/
    else if (upperRef.startsWith('REFS/HEADS/')) {
        const branch = ref.substring('refs/heads/'.length);
-        result.push(`+${ref}:refs/remotes/origin/${branch}`);
+        return [`+${ref}:refs/remotes/origin/${branch}`];
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
        const branch = ref.substring('refs/pull/'.length);
-        result.push(`+${ref}:refs/remotes/pull/${branch}`);
+        return [`+${ref}:refs/remotes/pull/${branch}`];
    }
    // refs/tags/
-    else if (upperRef.startsWith('REFS/TAGS/')) {
-        if (!fetchTags) {
-            result.push(`+${ref}:${ref}`);
-        }
-    }
-    // Other refs
    else {
-        result.push(`+${ref}:${ref}`);
+        return [`+${ref}:${ref}`];
    }
-    return result;
 }
 /**
 * Tests whether the initial fetch created the ref at the expected commit
@ -2392,9 +2350,7 @@ function testRef(git, ref, commit) {
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
            const tagName = ref.substring('refs/tags/'.length);
-            // Use ^{commit} to dereference annotated tags to their underlying commit
-            return ((yield git.tagExists(tagName)) &&
-                commit === (yield git.revParse(`${ref}^{commit}`)));
+            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
        }
        // Unexpected
        else {
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@ -374,10 +374,6 @@ class GitAuthHelper {
      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)

-      // Configure host includeIf for worktrees
-      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
-      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
-
      // Container git directory
      const workingDirectory = this.git.getWorkingDirectory()
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
@ -399,13 +395,6 @@ class GitAuthHelper {
      // Configure container includeIf
      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)
-
-      // Configure container includeIf for worktrees
-      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
-      await this.git.config(
-        containerWorktreeIncludeKey,
-        containerCredentialsPath
-      )
    }
  }

--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@ -37,6 +37,7 @@ export interface IGitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void>
@ -279,13 +280,14 @@ class GitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void> {
    const args = ['-c', 'protocol.version=2', 'fetch']
-    // Always use --no-tags for explicit control over tag fetching
-    // Tags are fetched explicitly via refspec when needed
-    args.push('--no-tags')
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
+      args.push('--no-tags')
+    }

    args.push('--prune', '--no-recurse-submodules')
    if (options.showProgress) {
@ -728,19 +730,7 @@ class GitCommandManager {
      }
    }
    // Set the user agent
-    let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
-
-    // Append orchestration ID if set
-    const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
-    if (orchId) {
-      // Sanitize the orchestration ID to ensure it contains only valid characters
-      // Valid characters: 0-9, a-z, _, -, .
-      const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
-      if (sanitizedId) {
-        gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
-      }
-    }
-
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
    core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
    this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
  }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    const fetchOptions: {
      filter?: string
      fetchDepth?: number
+      fetchTags?: boolean
      showProgress?: boolean
    } = {}

@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        await git.fetch(refSpec, fetchOptions)
-
-        // Verify the ref now matches. For branches, the targeted fetch above brings
-        // in the specific commit. For tags (fetched by ref), this will fail if
-        // the tag was moved after the workflow was triggered.
-        if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-          throw new Error(
-            `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-              `The ref may have been updated after the workflow was triggered.`
-          )
-        }
      }
    } else {
      fetchOptions.fetchDepth = settings.fetchDepth
-      const refSpec = refHelper.getRefSpec(
-        settings.ref,
-        settings.commit,
-        settings.fetchTags
-      )
+      fetchOptions.fetchTags = settings.fetchTags
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
      await git.fetch(refSpec, fetchOptions)
-
-      // For tags, verify the ref still points to the expected commit.
-      // Tags are fetched by ref (not commit), so if a tag was moved after the
-      // workflow was triggered, we would silently check out the wrong commit.
-      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
-        throw new Error(
-          `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
-            `The ref may have been updated after the workflow was triggered.`
-        )
-      }
    }
    core.endGroup()

--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@ -120,7 +120,7 @@ function updateUsage(
 }

 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
  return result
 }

-export function getRefSpec(
-  ref: string,
-  commit: string,
-  fetchTags?: boolean
-): string[] {
+export function getRefSpec(ref: string, commit: string): string[] {
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
  }

  const upperRef = (ref || '').toUpperCase()
-  const result: string[] = []
-
-  // When fetchTags is true, always include the tags refspec
-  if (fetchTags) {
-    result.push(tagsRefSpec)
-  }

  // SHA
  if (commit) {
    // refs/heads
    if (upperRef.startsWith('REFS/HEADS/')) {
      const branch = ref.substring('refs/heads/'.length)
-      result.push(`+${commit}:refs/remotes/origin/${branch}`)
+      return [`+${commit}:refs/remotes/origin/${branch}`]
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
      const branch = ref.substring('refs/pull/'.length)
-      result.push(`+${commit}:refs/remotes/pull/${branch}`)
+      return [`+${commit}:refs/remotes/pull/${branch}`]
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
-      if (!fetchTags) {
-        result.push(`+${ref}:${ref}`)
-      }
+      return [`+${commit}:${ref}`]
    }
    // Otherwise no destination ref
    else {
-      result.push(commit)
+      return [commit]
    }
  }
  // Unqualified ref, check for a matching branch or tag
  else if (!upperRef.startsWith('REFS/')) {
-    result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
-    if (!fetchTags) {
-      result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
-    }
+    return [
+      `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
+      `+refs/tags/${ref}*:refs/tags/${ref}*`
+    ]
  }
  // refs/heads/
  else if (upperRef.startsWith('REFS/HEADS/')) {
    const branch = ref.substring('refs/heads/'.length)
-    result.push(`+${ref}:refs/remotes/origin/${branch}`)
+    return [`+${ref}:refs/remotes/origin/${branch}`]
  }
  // refs/pull/
  else if (upperRef.startsWith('REFS/PULL/')) {
    const branch = ref.substring('refs/pull/'.length)
-    result.push(`+${ref}:refs/remotes/pull/${branch}`)
+    return [`+${ref}:refs/remotes/pull/${branch}`]
  }
  // refs/tags/
-  else if (upperRef.startsWith('REFS/TAGS/')) {
-    if (!fetchTags) {
-      result.push(`+${ref}:${ref}`)
-    }
-  }
-  // Other refs
  else {
-    result.push(`+${ref}:${ref}`)
+    return [`+${ref}:${ref}`]
  }
-
-  return result
 }

 /**
@ -190,10 +170,8 @@ export async function testRef(
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
-    // Use ^{commit} to dereference annotated tags to their underlying commit
    return (
-      (await git.tagExists(tagName)) &&
-      commit === (await git.revParse(`${ref}^{commit}`))
+      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
    )
  }
  // Unexpected