Add checkout.clean-git-credentials to support submodule-safe checkout credential cleanup

[Copilot]

Compiled workflows were forcing persist-credentials: false on generated actions/checkout steps, which breaks on repositories with submodules during checkout post-step cleanup. This change adds an explicit frontmatter mode to keep credentials persisted for checkout while still cleaning git credentials in a submodule-compatible way.

• Problem scope

  • Generated checkout steps in agent workflows used persist-credentials: false unconditionally.
  • In submodule-heavy/sparse scenarios, checkout post-cleanup can fail with missing submodule URL/path errors.

• Compiler/frontmatter changes

  • Added checkout.clean-git-credentials: bool to checkout config parsing/modeling.
  • Wired the flag through checkout resolution/merge logic so it can be applied per checkout target.

• Checkout generation behavior

  • When clean-git-credentials: true:
    • emit persist-credentials: true on that checkout step
    • inject Clean git credentials after checkout immediately after the checkout
  • Cleanup step behavior:
    • prefers shared clean_git_credentials.sh from setup assets when available
    • falls back to inline cleanup logic (credential + http.*.extraheader removal)
    • scans both repo and submodule git configs (.git/config and .git/modules/*/config)

• Credential cleaner hardening

  • Updated shared actions/setup/sh/clean_git_credentials.sh to include submodule config paths and deeper nested module traversal.

checkout:
  repository: owner/repo
  clean-git-credentials: true

- uses: actions/checkout@...
  with:
    persist-credentials: true
- name: Clean git credentials after checkout
  continue-on-error: true
  run: |
    # uses shared cleaner when available, else inline fallback

---

pr-sous-chef: branch update requested by run https://github.com/github/gh-aw/actions/runs/25995204443

Generated by 👨‍🍳 PR Sous Chef · ◷

[pelikhan]

@copilot move to helper file in actions/setup/sh

[Copilot]

Done in 65317ac. I moved the checkout-time fallback cleanup logic out of checkout_step_generator.go into actions/setup/sh/clean_git_credentials_pre_setup.sh and updated the generated checkout cleanup step to use helper script paths.

[pelikhan]

@copilot find an agentic workflow in the repo with a checkout field (not checkout: false) and enable this flag.

[github-actions]

@copilot review all comments and address the unresolved review feedback before the next pass.

Generated by 👨‍🍳 PR Sous Chef · ◷

[pelikhan]

@copilot rename clean-git-credentials to force-clean-git-credentials

[Copilot]

@copilot rename clean-git-credentials to force-clean-git-credentials

Done in 2855e3d. I renamed the checkout frontmatter key to force-clean-git-credentials across parser handling, schema, tests, and updated .github/workflows/smoke-claude.md plus its recompiled lock file.

[github-actions]

Please review the changes and address any remaining feedback.
``
@copilot review all comments

Generated by 👨‍🍳 PR Sous Chef · ◷

[pelikhan]

@copilot is this dead code?

[Copilot]

No — it’s an intentional fallback path, not dead code. The primary path is ${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials_checkout.sh, and this inline branch is only for cases where that helper is missing at runtime (for example setup assets not present).

[pelikhan]

@copilot remove the fallback, the script file is guaranteed to exist

[github-actions]

@copilot review all comments

Please remove the fallback the maintainer called out, then rerun checks and share the result.

Generated by 👨‍🍳 PR Sous Chef · ◷

[Copilot]

@copilot remove the fallback, the script file is guaranteed to exist

Implemented in ba7b0fb. I removed the generated checkout cleanup fallback and now call only bash "${RUNNER_TEMP}/gh-aw/actions/clean_git_credentials_checkout.sh".

[github-actions]

@copilot review all comments and address any unresolved review feedback.
Then post a short blocker summary if anything still needs maintainer input.

Generated by 👨‍🍳 PR Sous Chef · ◷

[github-actions]

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Details

Potential security threats were detected in the agent output.

Review the workflow run logs for details.

@copilot merge main and recompile, then rerun the checks.
Please clear the remaining lint and gate failures so this is ready for maintainer review.

Generated by 👨‍🍳 PR Sous Chef · ◷

[pelikhan]

@copilot review the changes in tbe clean git credentials shell script

[Copilot]

@copilot review the changes in tbe clean git credentials shell script

Reviewed and tightened coverage in b10b7cf. I added shell tests for .git/modules/**/config cleanup (including nested module configs), URL-scoped extraheader removal, and authenticated submodule remote URL sanitization.