Clarify v6 README (#2328)

- Updated README.md examples to reference @v6
- Updated all workflow files to use actions/checkout@v6

.github/workflows/check-dist.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
 
       - name: Set Node.js 24.x
         uses: actions/setup-node@v4

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4.1.6
+      uses: actions/checkout@v6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3

.github/workflows/licensed.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     name: Check licenses
     steps:
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
       - run: npm ci
       - run: npm run licensed-check

.github/workflows/publish-immutable-actions.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checking out
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
       - name: Publish
         id: publish
         uses: actions/publish-immutable-action@0.0.3

.github/workflows/test.yml

@@ -19,7 +19,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 24.x
-      - uses: actions/checkout@v4.1.6
+      - uses: actions/checkout@v6
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -37,7 +37,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout
       - name: Checkout basic
@@ -165,6 +165,22 @@ jobs:
       - name: Verify submodules recursive
         run: __test__/verify-submodules-recursive.sh
 
+      # Worktree credentials
+      - name: Checkout for worktree test
+        uses: ./
+        with:
+          path: worktree-test
+      - name: Verify worktree credentials
+        shell: bash
+        run: __test__/verify-worktree.sh worktree-test worktree-branch
+
+      # Worktree credentials in container step
+      - name: Verify worktree credentials in container step
+        if: runner.os == 'Linux'
+        uses: docker://bitnami/git:latest
+        with:
+          args: bash __test__/verify-worktree.sh worktree-test container-worktree-branch
+
       # Basic checkout using REST API
       - name: Remove basic
         if: runner.os != 'windows'
@@ -202,7 +218,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -234,7 +250,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
 
       # Basic checkout using git
       - name: Checkout basic
@@ -264,7 +280,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
         with:
           path: localClone
 
@@ -291,17 +307,17 @@ jobs:
           git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
 
       # needed to make checkout post cleanup succeed
-      - name: Fix Checkout v4
-        uses: actions/checkout@v4.1.6
+      - name: Fix Checkout v6
+        uses: actions/checkout@v6
         with:
           path: localClone
 
   test-output:
     runs-on: ubuntu-latest
     steps:
-      # Download the action at the current ref
+      # Clone this repo
       - name: Checkout
-        uses: actions/checkout@v4.1.6
+        uses: actions/checkout@v6
         with:
           path: actions-checkout
 

.github/workflows/update-main-version.yml

@@ -23,7 +23,7 @@ jobs:
     # Note this update workflow can also be used as a rollback tool.
     # For that reason, it's best to pin `actions/checkout` to a known, stable version
     # (typically, about two releases back).
-    - uses: actions/checkout@v4.1.6
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Git config

.github/workflows/update-test-ubuntu-git.yml

@@ -26,7 +26,7 @@ jobs:
  
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Use `docker/login-action` to log in to GHCR.io. 
       # Once published, the packages are scoped to the account defined here.

CHANGELOG.md

@@ -1,10 +1,19 @@
 # Changelog
 
-## V5.0.0
+## v6.0.0
+* Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
+* Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
+
+## v5.0.1
+* Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
+
+## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 
+## v4.3.1
+* Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
 
-## V4.3.0
+## v4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043

README.md

@@ -1,6 +1,14 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
 
-# Checkout V5
+# Checkout v6
+
+## What's new
+
+- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
+- No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
+- Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
+
+# Checkout v5
 
 ## What's new
 
@@ -8,7 +16,7 @@
   - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
 
 
-# Checkout V4
+# Checkout v4
 
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
 
@@ -44,7 +52,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 <!-- start usage -->
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     # Repository name with owner. For example, actions/checkout
     # Default: ${{ github.repository }}
@@ -183,7 +191,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: .
 ```
@@ -191,7 +199,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: |
       .github
@@ -201,7 +209,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     sparse-checkout: |
       README.md
@@ -211,7 +219,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     fetch-depth: 0
 ```
@@ -219,7 +227,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     ref: my-branch
 ```
@@ -227,7 +235,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     fetch-depth: 2
 - run: git checkout HEAD^
@@ -237,12 +245,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     path: main
 
 - name: Checkout tools repo
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -253,10 +261,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
 
 - name: Checkout tools repo
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-tools
     path: my-tools
@@ -267,12 +275,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     path: main
 
 - name: Checkout private tools
-  uses: actions/checkout@v5
+  uses: actions/checkout@v6
   with:
     repository: my-org/my-private-tools
     token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -285,7 +293,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 
 ```yaml
-- uses: actions/checkout@v5
+- uses: actions/checkout@v6
   with:
     ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -301,7 +309,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 ```
 
 ## Push a commit using the built-in token
@@ -312,7 +320,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - run: |
           date > generated.txt
           # Note: the following account information will not work on GHES
@@ -334,7 +342,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.head_ref }}
       - run: |

__test__/git-auth-helper.test.ts

@@ -706,7 +706,7 @@ describe('git-auth-helper tests', () => {
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
     await authHelper.configureAuth()
 
-    // Sanity check - verify includeIf entries exist in local config
+    // Verify includeIf entries exist in local config
     let localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
@@ -714,26 +714,192 @@ describe('git-auth-helper tests', () => {
       localConfigContent.indexOf('includeIf.gitdir:')
     ).toBeGreaterThanOrEqual(0)
 
-    // Sanity check - verify credentials file exists
+    // Verify both host and container includeIf entries are present
+    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
+    expect(
+      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
+    ).toBeGreaterThanOrEqual(0)
+
+    // Verify credentials file exists
     let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(1)
+    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
+
+    // Verify credentials file contains the auth token
+    let credentialsContent = (
+      await fs.promises.readFile(credentialsFilePath)
+    ).toString()
+    const basicCredential = Buffer.from(
+      `x-access-token:${settings.authToken}`,
+      'utf8'
+    ).toString('base64')
+    expect(
+      credentialsContent.indexOf(
+        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
+      )
+    ).toBeGreaterThanOrEqual(0)
+
+    // Verify the includeIf entries point to the credentials file
+    const containerCredentialsPath = path.posix.join(
+      '/github/runner_temp',
+      path.basename(credentialsFilePath)
+    )
+    expect(
+      localConfigContent.indexOf(credentialsFilePath)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      localConfigContent.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
 
     // Act
     await authHelper.removeAuth()
 
-    // Assert includeIf entries removed from local git config
+    // Assert all includeIf entries removed from local git config
     localConfigContent = (
       await fs.promises.readFile(localGitConfigPath)
     ).toString()
     expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(
+      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
+    ).toBeLessThan(0)
+    expect(
+      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
+    ).toBeLessThan(0)
+    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
 
     // Assert credentials config file deleted
     credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
       f => f.startsWith('git-credentials-') && f.endsWith('.config')
     )
     expect(credentialsFiles.length).toBe(0)
+
+    // Verify credentials file no longer exists on disk
+    try {
+      await fs.promises.stat(credentialsFilePath)
+      throw new Error('Credentials file should have been deleted')
+    } catch (err) {
+      if ((err as any)?.code !== 'ENOENT') {
+        throw err
+      }
+    }
+  })
+
+  const removeAuth_removesTokenFromSubmodules =
+    'removeAuth removes token from submodules'
+  it(removeAuth_removesTokenFromSubmodules, async () => {
+    // Arrange
+    await setup(removeAuth_removesTokenFromSubmodules)
+
+    // Create fake submodule config paths
+    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
+    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
+    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
+    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
+
+    await fs.promises.mkdir(submodule1Dir, {recursive: true})
+    await fs.promises.mkdir(submodule2Dir, {recursive: true})
+    await fs.promises.writeFile(submodule1ConfigPath, '')
+    await fs.promises.writeFile(submodule2ConfigPath, '')
+
+    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
+    const mockGetSubmoduleConfigPaths =
+      git.getSubmoduleConfigPaths as jest.Mock<any, any>
+    mockGetSubmoduleConfigPaths.mockResolvedValue([
+      submodule1ConfigPath,
+      submodule2ConfigPath
+    ])
+
+    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
+    await authHelper.configureAuth()
+    await authHelper.configureSubmoduleAuth()
+
+    // Verify credentials file exists
+    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(1)
+    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
+
+    // Verify submodule 1 config has includeIf entries
+    let submodule1Content = (
+      await fs.promises.readFile(submodule1ConfigPath)
+    ).toString()
+    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
+    expect(
+      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule1Content.indexOf(credentialsFilePath)
+    ).toBeGreaterThanOrEqual(0)
+
+    // Verify submodule 2 config has includeIf entries
+    let submodule2Content = (
+      await fs.promises.readFile(submodule2ConfigPath)
+    ).toString()
+    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
+    expect(
+      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule2Content.indexOf(credentialsFilePath)
+    ).toBeGreaterThanOrEqual(0)
+
+    // Verify both host and container paths are in each submodule config
+    const containerCredentialsPath = path.posix.join(
+      '/github/runner_temp',
+      path.basename(credentialsFilePath)
+    )
+    expect(
+      submodule1Content.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
+    expect(
+      submodule2Content.indexOf(containerCredentialsPath)
+    ).toBeGreaterThanOrEqual(0)
+
+    // Act - ensure mock persists for removeAuth
+    mockGetSubmoduleConfigPaths.mockResolvedValue([
+      submodule1ConfigPath,
+      submodule2ConfigPath
+    ])
+    await authHelper.removeAuth()
+
+    // Assert submodule 1 includeIf entries removed
+    submodule1Content = (
+      await fs.promises.readFile(submodule1ConfigPath)
+    ).toString()
+    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
+
+    // Assert submodule 2 includeIf entries removed
+    submodule2Content = (
+      await fs.promises.readFile(submodule2ConfigPath)
+    ).toString()
+    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
+
+    // Assert credentials config file deleted
+    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+    )
+    expect(credentialsFiles.length).toBe(0)
+
+    // Verify credentials file no longer exists on disk
+    try {
+      await fs.promises.stat(credentialsFilePath)
+      throw new Error('Credentials file should have been deleted')
+    } catch (err) {
+      if ((err as any)?.code !== 'ENOENT') {
+        throw err
+      }
+    }
   })
 
   const removeGlobalConfig_removesOverride =
@@ -769,19 +935,43 @@ describe('git-auth-helper tests', () => {
     // Arrange
     await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
     const authHelper = gitAuthHelper.createAuthHelper(git, settings)
-    
+
     // Get a real credentials config path
-    const credentialsConfigPath = await (authHelper as any).getCredentialsConfigPath()
-    
+    const credentialsConfigPath = await (
+      authHelper as any
+    ).getCredentialsConfigPath()
+
     // Act & Assert
-    expect((authHelper as any).testCredentialsConfigPath(credentialsConfigPath)).toBe(true)
-    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config')).toBe(true)
-    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config')).toBe(true)
-    
+    expect(
+      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
+    ).toBe(true)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
+      )
+    ).toBe(true)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
+      )
+    ).toBe(true)
+
     // Test invalid paths
-    expect((authHelper as any).testCredentialsConfigPath('/some/path/other-config.config')).toBe(false)
-    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-invalid.config')).toBe(false)
-    expect((authHelper as any).testCredentialsConfigPath('/some/path/git-credentials-.config')).toBe(false)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/other-config.config'
+      )
+    ).toBe(false)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-invalid.config'
+      )
+    ).toBe(false)
+    expect(
+      (authHelper as any).testCredentialsConfigPath(
+        '/some/path/git-credentials-.config'
+      )
+    ).toBe(false)
     expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
   })
 })
@@ -890,28 +1080,41 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryConfigUnsetValue: jest.fn(
-      async (key: string, value: string, globalConfig?: boolean): Promise<boolean> => {
-        const configPath = globalConfig
-          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-          : localGitConfigPath
-        let content = await fs.promises.readFile(configPath)
+      async (
+        key: string,
+        value: string,
+        globalConfig?: boolean,
+        configPath?: string
+      ): Promise<boolean> => {
+        const targetConfigPath =
+          configPath ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        let content = await fs.promises.readFile(targetConfigPath)
         let lines = content
           .toString()
           .split('\n')
           .filter(x => x)
           .filter(x => !(x.startsWith(key) && x.includes(value)))
-        await fs.promises.writeFile(configPath, lines.join('\n'))
+        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
         return true
       }
     ),
     tryDisableAutomaticGarbageCollection: jest.fn(),
     tryGetFetchUrl: jest.fn(),
     tryGetConfigValues: jest.fn(
-      async (key: string, globalConfig?: boolean): Promise<string[]> => {
-        const configPath = globalConfig
-          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-          : localGitConfigPath
-        const content = await fs.promises.readFile(configPath)
+      async (
+        key: string,
+        globalConfig?: boolean,
+        configPath?: string
+      ): Promise<string[]> => {
+        const targetConfigPath =
+          configPath ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')
@@ -921,11 +1124,17 @@ async function setup(testName: string): Promise<void> {
       }
     ),
     tryGetConfigKeys: jest.fn(
-      async (pattern: string, globalConfig?: boolean): Promise<string[]> => {
-        const configPath = globalConfig
-          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-          : localGitConfigPath
-        const content = await fs.promises.readFile(configPath)
+      async (
+        pattern: string,
+        globalConfig?: boolean,
+        configPath?: string
+      ): Promise<string[]> => {
+        const targetConfigPath =
+          configPath ||
+          (globalConfig
+            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+            : localGitConfigPath)
+        const content = await fs.promises.readFile(targetConfigPath)
         const lines = content
           .toString()
           .split('\n')

__test__/verify-submodules-recursive.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --name-only --get-regexp http.+extraheader && git fetch
+git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-submodules-true.sh

@@ -17,7 +17,7 @@ fi
 
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
-git config --local --name-only --get-regexp http.+extraheader && git fetch
+git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
     echo "Failed to validate persisted credential"
     popd

__test__/verify-worktree.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Verify worktree credentials
+# This test verifies that git credentials work in worktrees created after checkout
+# Usage: verify-worktree.sh <checkout-path> <worktree-name>
+
+CHECKOUT_PATH="$1"
+WORKTREE_NAME="$2"
+
+if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
+  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
+  exit 1
+fi
+
+cd "$CHECKOUT_PATH"
+
+# Add safe directory for container environments
+git config --global --add safe.directory "*" 2>/dev/null || true
+
+# Show the includeIf configuration
+echo "Git config includeIf entries:"
+git config --list --show-origin | grep -i include || true
+
+# Create the worktree
+echo "Creating worktree..."
+git worktree add "../$WORKTREE_NAME" HEAD --detach
+
+# Change to worktree directory
+cd "../$WORKTREE_NAME"
+
+# Verify we're in a worktree
+echo "Verifying worktree gitdir:"
+cat .git
+
+# Verify credentials are available in worktree by checking extraheader is configured
+echo "Checking credentials in worktree..."
+if git config --list --show-origin | grep -q "extraheader"; then
+  echo "Credentials are configured in worktree"
+else
+  echo "ERROR: Credentials are NOT configured in worktree"
+  echo "Full git config:"
+  git config --list --show-origin
+  exit 1
+fi
+
+# Verify fetch works in the worktree
+echo "Fetching in worktree..."
+git fetch origin
+
+echo "Worktree credentials test passed!"

dist/index.js

@@ -238,7 +238,9 @@ class GitAuthHelper {
                 yield this.git.tryConfigUnset(this.insteadOfKey, true);
                 if (!this.settings.sshKey) {
                     for (const insteadOfValue of this.insteadOfValues) {
-                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
+                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
+                        true // add?
+                        );
                     }
                 }
             }
@@ -255,17 +257,10 @@ class GitAuthHelper {
             // Remove possible previous HTTPS instead of SSH
             yield this.removeSubmoduleGitConfig(this.insteadOfKey);
             if (this.settings.persistCredentials) {
-                // Credentials config path
-                const credentialsConfigPath = yield this.getCredentialsConfigPath();
+                // Get the credentials config file path in RUNNER_TEMP
+                const credentialsConfigPath = this.getCredentialsConfigPath();
                 // Container credentials config path
                 const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
-                // Container repo path
-                const workingDirectory = this.git.getWorkingDirectory();
-                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
-                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
-                let relativePath = path.relative(githubWorkspace, workingDirectory);
-                relativePath = relativePath.replace(/\\/g, '/');
-                const containerRepoPath = path.posix.join('/github/workspace', relativePath);
                 // Get submodule config file paths.
                 const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
                 // For each submodule, configure includeIf entries pointing to the shared credentials file.
@@ -275,12 +270,19 @@ class GitAuthHelper {
                     let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
                     submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     // Configure host includeIf
-                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, false, configPath);
-                    // Configure container includeIf
+                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
+                    false, // add?
+                    configPath);
+                    // Container submodule git directory
+                    const githubWorkspace = process.env['GITHUB_WORKSPACE'];
+                    assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
                     let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
                     relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                     const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
-                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, false, configPath);
+                    // Configure container includeIf
+                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
+                    false, // add?
+                    configPath);
                 }
                 if (this.settings.sshKey) {
                     // Configure core.sshCommand
@@ -379,12 +381,14 @@ class GitAuthHelper {
     configureToken(globalConfig) {
         return __awaiter(this, void 0, void 0, function* () {
             // Get the credentials config file path in RUNNER_TEMP
-            const credentialsConfigPath = yield this.getCredentialsConfigPath();
+            const credentialsConfigPath = this.getCredentialsConfigPath();
             // Write placeholder to the separate credentials config file using git config.
             // This approach avoids the credential being captured by process creation audit events,
             // which are commonly logged. For more information, refer to
             // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, false, credentialsConfigPath);
+            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
+            false, // add?
+            credentialsConfigPath);
             // Replace the placeholder in the credentials config file
             let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
             const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
@@ -398,7 +402,8 @@ class GitAuthHelper {
             // Add include or includeIf to reference the credentials config
             if (globalConfig) {
                 // Global config file is temporary
-                yield this.git.config('include.path', credentialsConfigPath, true);
+                yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
+                );
             }
             else {
                 // Host git directory
@@ -407,10 +412,13 @@ class GitAuthHelper {
                 // Configure host includeIf
                 const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                 yield this.git.config(hostIncludeKey, credentialsConfigPath);
+                // Configure host includeIf for worktrees
+                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
+                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                 // Container git directory
+                const workingDirectory = this.git.getWorkingDirectory();
                 const githubWorkspace = process.env['GITHUB_WORKSPACE'];
                 assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
-                const workingDirectory = this.git.getWorkingDirectory();
                 let relativePath = path.relative(githubWorkspace, workingDirectory);
                 relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                 const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
@@ -419,6 +427,9 @@ class GitAuthHelper {
                 // Configure container includeIf
                 const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                 yield this.git.config(containerIncludeKey, containerCredentialsPath);
+                // Configure container includeIf for worktrees
+                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
+                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
             }
         });
     }
@@ -427,18 +438,16 @@ class GitAuthHelper {
      * @returns The absolute path to the credentials config file
      */
     getCredentialsConfigPath() {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (this.credentialsConfigPath) {
-                return this.credentialsConfigPath;
-            }
-            const runnerTemp = process.env['RUNNER_TEMP'] || '';
-            assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
-            // Create a unique filename for this checkout instance
-            const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
-            this.credentialsConfigPath = path.join(runnerTemp, configFileName);
-            core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
+        if (this.credentialsConfigPath) {
             return this.credentialsConfigPath;
-        });
+        }
+        const runnerTemp = process.env['RUNNER_TEMP'] || '';
+        assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+        // Create a unique filename for this checkout instance
+        const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
+        this.credentialsConfigPath = path.join(runnerTemp, configFileName);
+        core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
+        return this.credentialsConfigPath;
     }
     /**
      * Removes SSH authentication configuration by cleaning up SSH keys,
@@ -472,7 +481,7 @@ class GitAuthHelper {
                 }
             }
             // SSH command
-            core.info("Removing SSH command configuration");
+            core.info('Removing SSH command configuration');
             yield this.removeGitConfig(SSH_COMMAND_KEY);
             yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
         });
@@ -485,13 +494,13 @@ class GitAuthHelper {
         return __awaiter(this, void 0, void 0, function* () {
             var _a;
             // Remove HTTP extra header
-            core.info("Removing HTTP extra header");
+            core.info('Removing HTTP extra header');
             yield this.removeGitConfig(this.tokenConfigKey);
             yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
             // Collect credentials config paths that need to be removed
             const credentialsPaths = new Set();
             // Remove includeIf entries that point to git-credentials-*.config files
-            core.info("Removing includeIf entries pointing to credentials config files");
+            core.info('Removing includeIf entries pointing to credentials config files');
             const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
             mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
             // Remove submodule includeIf entries that point to git-credentials-*.config files
@@ -556,10 +565,12 @@ class GitAuthHelper {
             const credentialsPaths = new Set();
             try {
                 // Get all includeIf.gitdir keys
-                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, configPath);
+                const keys = yield this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, // globalConfig?
+                configPath);
                 for (const key of keys) {
                     // Get all values for this key
-                    const values = yield this.git.tryGetConfigValues(key, false, configPath);
+                    const values = yield this.git.tryGetConfigValues(key, false, // globalConfig?
+                    configPath);
                     if (values.length > 0) {
                         // Remove only values that match git-credentials-<uuid>.config pattern
                         for (const value of values) {
@@ -1060,7 +1071,10 @@ class GitCommandManager {
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout.trim().split('\n').filter(value => value.trim());
+            return output.stdout
+                .trim()
+                .split('\n')
+                .filter(value => value.trim());
         });
     }
     tryGetConfigKeys(pattern, globalConfig, configFile) {
@@ -1077,7 +1091,10 @@ class GitCommandManager {
             if (output.exitCode !== 0) {
                 return [];
             }
-            return output.stdout.trim().split('\n').filter(key => key.trim());
+            return output.stdout
+                .trim()
+                .split('\n')
+                .filter(key => key.trim());
         });
     }
     tryReset() {

src/git-auth-helper.ts

@@ -136,7 +136,12 @@ class GitAuthHelper {
       await this.git.tryConfigUnset(this.insteadOfKey, true)
       if (!this.settings.sshKey) {
         for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
+          await this.git.config(
+            this.insteadOfKey,
+            insteadOfValue,
+            true, // globalConfig?
+            true // add?
+          )
         }
       }
     } catch (err) {
@@ -154,8 +159,8 @@ class GitAuthHelper {
     await this.removeSubmoduleGitConfig(this.insteadOfKey)
 
     if (this.settings.persistCredentials) {
-      // Credentials config path
-      const credentialsConfigPath = await this.getCredentialsConfigPath()
+      // Get the credentials config file path in RUNNER_TEMP
+      const credentialsConfigPath = this.getCredentialsConfigPath()
 
       // Container credentials config path
       const containerCredentialsPath = path.posix.join(
@@ -163,17 +168,6 @@ class GitAuthHelper {
         path.basename(credentialsConfigPath)
       )
 
-      // Container repo path
-      const workingDirectory = this.git.getWorkingDirectory()
-      const githubWorkspace = process.env['GITHUB_WORKSPACE']
-      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
-      let relativePath = path.relative(githubWorkspace, workingDirectory)
-      relativePath = relativePath.replace(/\\/g, '/')
-      const containerRepoPath = path.posix.join(
-        '/github/workspace',
-        relativePath
-      )
-
       // Get submodule config file paths.
       const configPaths = await this.git.getSubmoduleConfigPaths(
         this.settings.nestedSubmodules
@@ -190,12 +184,14 @@ class GitAuthHelper {
         await this.git.config(
           `includeIf.gitdir:${submoduleGitDir}.path`,
           credentialsConfigPath,
-          false,
-          false,
+          false, // globalConfig?
+          false, // add?
           configPath
         )
 
-        // Configure container includeIf
+        // Container submodule git directory
+        const githubWorkspace = process.env['GITHUB_WORKSPACE']
+        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
         let relativeSubmoduleGitDir = path.relative(
           githubWorkspace,
           submoduleGitDir
@@ -205,11 +201,13 @@ class GitAuthHelper {
           '/github/workspace',
           relativeSubmoduleGitDir
         )
+
+        // Configure container includeIf
         await this.git.config(
           `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
           containerCredentialsPath,
-          false,
-          false,
+          false, // globalConfig?
+          false, // add?
           configPath
         )
       }
@@ -327,7 +325,7 @@ class GitAuthHelper {
    */
   private async configureToken(globalConfig?: boolean): Promise<void> {
     // Get the credentials config file path in RUNNER_TEMP
-    const credentialsConfigPath = await this.getCredentialsConfigPath()
+    const credentialsConfigPath = this.getCredentialsConfigPath()
 
     // Write placeholder to the separate credentials config file using git config.
     // This approach avoids the credential being captured by process creation audit events,
@@ -336,8 +334,8 @@ class GitAuthHelper {
     await this.git.config(
       this.tokenConfigKey,
       this.tokenPlaceholderConfigValue,
-      false,
-      false,
+      false, // globalConfig?
+      false, // add?
       credentialsConfigPath
     )
 
@@ -348,7 +346,9 @@ class GitAuthHelper {
       placeholderIndex < 0 ||
       placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
     ) {
-      throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`)
+      throw new Error(
+        `Unable to replace auth placeholder in ${credentialsConfigPath}`
+      )
     }
     assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
     content = content.replace(
@@ -360,7 +360,11 @@ class GitAuthHelper {
     // Add include or includeIf to reference the credentials config
     if (globalConfig) {
       // Global config file is temporary
-      await this.git.config('include.path', credentialsConfigPath, true)
+      await this.git.config(
+        'include.path',
+        credentialsConfigPath,
+        true // globalConfig?
+      )
     } else {
       // Host git directory
       let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
@@ -370,10 +374,14 @@ class GitAuthHelper {
       const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
       await this.git.config(hostIncludeKey, credentialsConfigPath)
 
+      // Configure host includeIf for worktrees
+      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
+      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
+
       // Container git directory
+      const workingDirectory = this.git.getWorkingDirectory()
       const githubWorkspace = process.env['GITHUB_WORKSPACE']
       assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
-      const workingDirectory = this.git.getWorkingDirectory()
       let relativePath = path.relative(githubWorkspace, workingDirectory)
       relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
       const containerGitDir = path.posix.join(
@@ -391,6 +399,13 @@ class GitAuthHelper {
       // Configure container includeIf
       const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
       await this.git.config(containerIncludeKey, containerCredentialsPath)
+
+      // Configure container includeIf for worktrees
+      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
+      await this.git.config(
+        containerWorktreeIncludeKey,
+        containerCredentialsPath
+      )
     }
   }
 
@@ -398,7 +413,7 @@ class GitAuthHelper {
    * Gets or creates the path to the credentials config file in RUNNER_TEMP.
    * @returns The absolute path to the credentials config file
    */
-  private async getCredentialsConfigPath(): Promise<string> {
+  private getCredentialsConfigPath(): string {
     if (this.credentialsConfigPath) {
       return this.credentialsConfigPath
     }
@@ -445,7 +460,7 @@ class GitAuthHelper {
     }
 
     // SSH command
-    core.info("Removing SSH command configuration")
+    core.info('Removing SSH command configuration')
     await this.removeGitConfig(SSH_COMMAND_KEY)
     await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
   }
@@ -456,7 +471,7 @@ class GitAuthHelper {
    */
   private async removeToken(): Promise<void> {
     // Remove HTTP extra header
-    core.info("Removing HTTP extra header")
+    core.info('Removing HTTP extra header')
     await this.removeGitConfig(this.tokenConfigKey)
     await this.removeSubmoduleGitConfig(this.tokenConfigKey)
 
@@ -464,14 +479,15 @@ class GitAuthHelper {
     const credentialsPaths = new Set<string>()
 
     // Remove includeIf entries that point to git-credentials-*.config files
-    core.info("Removing includeIf entries pointing to credentials config files")
+    core.info('Removing includeIf entries pointing to credentials config files')
     const mainCredentialsPaths = await this.removeIncludeIfCredentials()
     mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
 
     // Remove submodule includeIf entries that point to git-credentials-*.config files
     const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
     for (const configPath of submoduleConfigPaths) {
-      const submoduleCredentialsPaths = await this.removeIncludeIfCredentials(configPath)
+      const submoduleCredentialsPaths =
+        await this.removeIncludeIfCredentials(configPath)
       submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
     }
 
@@ -491,7 +507,9 @@ class GitAuthHelper {
           )
         }
       } else {
-        core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`)
+        core.debug(
+          `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
+        )
       }
     }
   }
@@ -528,16 +546,26 @@ class GitAuthHelper {
    * @param configPath Optional path to a specific git config file to operate on
    * @returns Array of unique credentials config file paths that were found and removed
    */
-  private async removeIncludeIfCredentials(configPath?: string): Promise<string[]> {
+  private async removeIncludeIfCredentials(
+    configPath?: string
+  ): Promise<string[]> {
     const credentialsPaths = new Set<string>()
-    
+
     try {
       // Get all includeIf.gitdir keys
-      const keys = await this.git.tryGetConfigKeys('^includeIf\\.gitdir:', false, configPath)
-      
+      const keys = await this.git.tryGetConfigKeys(
+        '^includeIf\\.gitdir:',
+        false, // globalConfig?
+        configPath
+      )
+
       for (const key of keys) {
         // Get all values for this key
-        const values = await this.git.tryGetConfigValues(key, false, configPath)
+        const values = await this.git.tryGetConfigValues(
+          key,
+          false, // globalConfig?
+          configPath
+        )
         if (values.length > 0) {
           // Remove only values that match git-credentials-<uuid>.config pattern
           for (const value of values) {
@@ -556,7 +584,7 @@ class GitAuthHelper {
         core.debug(`Error during includeIf cleanup: ${err}`)
       }
     }
-    
+
     return Array.from(credentialsPaths)
   }
 

src/git-command-manager.ts

@@ -61,11 +61,24 @@ export interface IGitCommandManager {
   tagExists(pattern: string): Promise<boolean>
   tryClean(): Promise<boolean>
   tryConfigUnset(configKey: string, globalConfig?: boolean): Promise<boolean>
-  tryConfigUnsetValue(configKey: string, configValue: string, globalConfig?: boolean, configFile?: string): Promise<boolean>
+  tryConfigUnsetValue(
+    configKey: string,
+    configValue: string,
+    globalConfig?: boolean,
+    configFile?: string
+  ): Promise<boolean>
   tryDisableAutomaticGarbageCollection(): Promise<boolean>
   tryGetFetchUrl(): Promise<string>
-  tryGetConfigValues(configKey: string, globalConfig?: boolean, configFile?: string): Promise<string[]>
-  tryGetConfigKeys(pattern: string, globalConfig?: boolean, configFile?: string): Promise<string[]>
+  tryGetConfigValues(
+    configKey: string,
+    globalConfig?: boolean,
+    configFile?: string
+  ): Promise<string[]>
+  tryGetConfigKeys(
+    pattern: string,
+    globalConfig?: boolean,
+    configFile?: string
+  ): Promise<string[]>
   tryReset(): Promise<boolean>
   version(): Promise<GitVersion>
 }
@@ -494,7 +507,7 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--unset', configKey, configValue)
-    
+
     const output = await this.execGit(args, true)
     return output.exitCode === 0
   }
@@ -537,14 +550,17 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--get-all', configKey)
-    
+
     const output = await this.execGit(args, true)
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout.trim().split('\n').filter(value => value.trim())
+    return output.stdout
+      .trim()
+      .split('\n')
+      .filter(value => value.trim())
   }
 
   async tryGetConfigKeys(
@@ -559,14 +575,17 @@ class GitCommandManager {
       args.push(globalConfig ? '--global' : '--local')
     }
     args.push('--name-only', '--get-regexp', pattern)
-    
+
     const output = await this.execGit(args, true)
 
     if (output.exitCode !== 0) {
       return []
     }
 
-    return output.stdout.trim().split('\n').filter(key => key.trim())
+    return output.stdout
+      .trim()
+      .split('\n')
+      .filter(key => key.trim())
   }
 
   async tryReset(): Promise<boolean> {

src/misc/generate-docs.ts

@@ -120,7 +120,7 @@ function updateUsage(
 }
 
 updateUsage(
-  'actions/checkout@v5',
+  'actions/checkout@v6',
   path.join(__dirname, '..', '..', 'action.yml'),
   path.join(__dirname, '..', '..', 'README.md')
 )