actions/checkout@v6 broken on non-GitHub runners (Forgejo, Gitea, etc.) - hardcoded GitHub paths in includeIf directives break authentication

[nrdufour]

Problem

actions/checkout@v6 is incompatible with self-hosted runners on non-GitHub platforms (Forgejo, Gitea, GitLab CI, etc.). Git authentication fails because v6 uses hardcoded GitHub Actions runner paths in its includeIf.gitdir directives. When these paths don't exist, git cannot find credentials and falls back to interactive username/password prompts, causing workflows to hang and timeout.

Root Cause

PR #2286 ("Persist creds to a separate file") replaced v4/v5's universal HTTP Authorization header approach with a path-dependent includeIf.gitdir mechanism that only works on GitHub Actions:

v4/v5 (working everywhere):
[http.https://forge.internal/.extraheader]
AUTHORIZATION: basic

v6 (broken on non-GitHub runners):
[includeIf "gitdir:/github/workspace/.git"]
path = /github/runner_temp/git-credentials-.config
[includeIf "gitdir:/var/lib/gitea-runner/first/action-cache-dir/.../hostexecutor/.git"]
path = /var/lib/gitea-runner/.../tmp/git-credentials-.config

The hardcoded /github/workspace/ and /github/runner_temp/ paths are only meaningful on GitHub Actions. When git tries to find matching credentials on Forgejo (or any other self-hosted runner), the includeIf directives don't match because:

1. The repository isn't located at /github/workspace/
2. The credentials file isn't at /github/runner_temp/

Git then has no credentials available and prompts for interactive authentication, which times out in CI environments.

Reproduction

1. Set up a Forgejo instance with GitHub Actions runners
2. Use actions/checkout@v6 in a workflow
3. Run any git operation that requires authentication (commit, push, etc.)

Expected: Git authenticates silently
Actual: Git prompts for username/password and times out

Evidence

Git config comparison after checkout

v4:
remote.origin.url=https://forge.internal/user/repo
http.https://forge.internal/.extraheader=AUTHORIZATION: basic ***
✅ Push succeeds immediately

v6:
remote.origin.url=https://forge.internal/user/repo
includeIf.gitdir:/github/workspace/.git.path=/github/runner_temp/git-credentials-.config
includeIf.gitdir:/var/lib/gitea-runner/first/action-cache-dir/.../hostexecutor/.git.path=/var/lib/gitea-runner/.../tmp/git-credentials-.config
❌ git push prompts for username and times out with exit code 124

Tested workarounds

• persist-credentials: false - does not help (no credentials set at all)
• Using specific token input - does not help (still uses includeIf mechanism)
• Using ssh-key input - does not help (still uses includeIf mechanism)

Related Issues

This is part of a broader design flaw with v6's path-dependent approach:

• persist-credentials in separate file breaks GitHub authentication for Git worktrees #2318: Same root cause affects Git worktrees (doesn't match .git/worktrees/* patterns)

Impact

• All Forgejo users are blocked from using v6
• All Gitea users are blocked from using v6
• All non-GitHub self-hosted runners are blocked from using v6
• Users are forced to downgrade to v4 or v5

Proposed Solutions

1. Revert to universal HTTP Authorization header approach (v4/v5 behavior) - works everywhere, no path dependencies
2. Support environment variables for custom credential paths (e.g., RUNNER_TEMP, ACTIONS_WORKSPACE) that can be overridden
3. At minimum: Document that v6 only supports GitHub Actions and recommend v5 for self-hosted runners
4. Detect runner environment at runtime and use appropriate credential mechanism (not hardcoded paths)

Workaround

Use actions/checkout@v5 which uses the universal HTTP Authorization header approach and works on all platforms.

[nrdufour]

In fact, it would have been better to use the variable GITHUB_WORKSPACE for that purpose.

Something like:
includeIf.gitdir:${GITHUB_WORKSPACE}/.git.path=${RUNNER_TEMP}/git-credentials-<uuid>.config

[nrdufour]

Hmm, why O why hardcoding the path when the variable is available ?

        // Container submodule git directory
        const githubWorkspace = process.env['GITHUB_WORKSPACE']
        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
        let relativeSubmoduleGitDir = path.relative(
          githubWorkspace,
          submoduleGitDir
        )
        relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
        const containerSubmoduleGitDir = path.posix.join(
          '/github/workspace',
          relativeSubmoduleGitDir
        )

And same for the runner part ...

  // Container credentials config path
  const containerCredentialsPath = path.posix.join(
    '/github/runner_temp',
    path.basename(credentialsConfigPath)
  )

[ericsciple]

@nrdufour this sounds like it may be an issue with the Forgejo runner. When actions/checkout sets up the includeIf path, it matches the path on disk where the repo is cloned.

For example:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - run: cat .git/config

Outputs:

[includeIf "gitdir:/home/runner/work/myrepo/myrepo/.git"]
	path = /home/runner/work/_temp/git-credentials-733f9a6b-16d1-4d45-94e0-28de48953962.config
[includeIf "gitdir:/github/workspace/.git"]
	path = /github/runner_temp/git-credentials-733f9a6b-16d1-4d45-94e0-28de48953962.config

The first path is the directory where the repo is cloned. The second path is for Docker container actions.

[ahoneybun]

I know this is closed but I have the same issue I think even with v4 and v5:

[command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +43767ce5ab8a0886b49bf3232140d31eb7b5392c:refs/remotes/pull/2/head
fatal: could not read Username for 'https://git.ahoneybun.net': terminal prompts disabled
The process '/usr/bin/git' failed with exit code 128

it used to work.