Checkout
GitHub Actions · Reference cheat sheet
Checkout
GitHub Actions · Reference cheat sheet
📋 Overview
actions/checkout clones your repository into the runner workspace. It is usually the first step. Configure depth, ref, submodules, and credentials for push or private dependencies.
🔧 Core concepts
| Input | Role |
|---|---|
ref | Branch, tag, or SHA |
fetch-depth | 0 = full history; 1 default shallow |
submodules | true / recursive |
token | PAT or GITHUB_TOKEN |
persist-credentials | Leave creds for later git ops |
path | Clone into subdirectory |
lfs | Fetch Git LFS files |
Default checkout uses the triggering commit SHA for most events. For PRs, it checks out the merge commit unless configured otherwise.
💡 Examples
Standard:
- uses: actions/checkout@v4Full history + tags (changelogs):
- uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: truePush commits back:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GH_PAT }}
persist-credentials: true
- run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# … commit …
git pushSubdirectory:
- uses: actions/checkout@v4
with:
path: app⚠️ Pitfalls
- Shallow clones break
git describe/ some version tools—raisefetch-depth. persist-credentials: true+ write token can allow unexpected pushes.- Private submodules need a token with access.
pull_request_target+ checkout of PR head is a classic secret-exfiltration risk.- LFS failures are silent if not enabled—set
lfs: truewhen needed. - Multiple checkouts need distinct
pathvalues.