v6 credential `includeIf` matching fails on self-hosted runners with symlinked `_work` directory

[dballance]

Description

actions/checkout@v6 fails to authenticate during the fetch step on self-hosted
runners where the _work directory is a symlink to a different path (e.g. an
external volume).

v6 writes includeIf "gitdir:..." directives using the symlink path, but git
resolves symlinks when evaluating gitdir: conditions. This means the condition
never matches, the credentials file is never loaded, and the fetch fails with:

fatal: could not read Username for 'https://github.com': terminal prompts disabled

actions/checkout@v5 is unaffected because it writes credentials directly into
.git/config as http.https://github.com/.extraheader rather than using includeIf.

Environment

• actions/checkout: v6.0.2 (de0fac2e4500dabe0009e67214ff5f5447ce83dd)
• Runner version: 2.333.0
• OS: macOS (Apple Silicon, self-hosted)
• Git version: 2.53.0 (Homebrew, /opt/homebrew/bin/git)
• Runner _work directory: symlink → external volume
  • Symlink path: /Users/<runner-user>/actions-runner-N/_work
  • Resolved path: /Volumes/External/actions-runner-N-work

What v6 writes into .git/config

[includeIf "gitdir:/Users/<runner-user>/actions-runner-N/_work/repo/repo/.git"]
    path = /Users/<runner-user>/actions-runner-N/_work/_temp/git-credentials-<uuid>.config
[includeIf "gitdir:/Users/<runner-user>/actions-runner-N/_work/repo/repo/.git/worktrees/*"]
    path = /Users/<runner-user>/actions-runner-N/_work/_temp/git-credentials-<uuid>.config

What git resolves the gitdir to

$ git -C /Users/<runner-user>/actions-runner-N/_work/repo/repo rev-parse --absolute-git-dir
/Volumes/External/actions-runner-N-work/repo/repo/.git

The includeIf condition uses the symlink path, but git evaluates it against
the resolved real path. They never match, so the credentials file is never
included and the fetch fails.

Steps to reproduce

1. Set up a self-hosted macOS runner where _work is a symlink to a different
   path (e.g. an external drive)
2. Use actions/checkout@v6 in a workflow
3. Observe fetch failure with terminal prompts disabled

Expected behavior

v6 should either:

• Resolve symlinks when writing the gitdir: path in includeIf directives
  (use git rev-parse --absolute-git-dir to get the real path), or
• Fall back to writing credentials directly into .git/config as v5 did when
  symlink resolution would cause a mismatch

Workaround

Pin to actions/checkout@v5 which uses http.extraheader directly in
.git/config and is unaffected by symlink resolution.

Related issues

• actions/checkout@v6 broken on non-GitHub runners (Forgejo, Gitea, etc.) - hardcoded GitHub paths in includeIf directives break authentication #2321 — v6 broken on non-GitHub runners due to hardcoded paths in includeIf
• persist-credentials in separate file breaks GitHub authentication for Git worktrees #2318 — persist-credentials in separate file breaks git worktrees
• checkout@v6 credentials don't work with Docker container actions - no workaround available #2359 — v6 credentials don't work with Docker container actions

[dballance]

I've tested my fork and PR #2394 - and the issue is resolved in my environment.

Would appreciate any effort to release this!