# checkout

Composite wrapper around actions/checkout pinned to a specific commit SHA to prevent supply chain attacks via tag or branch hijacking.

## Inputs

| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| `ref` | No | `''` | Branch, tag, or SHA to checkout |
| `repository` | No | `${{ github.repository }}` | Repository name with owner |
| `token` | No | `${{ github.token }}` | Personal access token to fetch the repository |
| `path` | No | `''` | Relative path under `$GITHUB_WORKSPACE` to place the repository |
| `fetch-depth` | No | `1` | Number of commits to fetch. `0` fetches all history |
| `submodules` | No | `false` | Whether to checkout submodules (`true`, `false`, or `recursive`) |

## Usage

```yaml
- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/checkout@checkout-v1
```

## Notes

- Pinned to `actions/checkout` commit SHA `de0fac2e` (v6.0.2) to prevent supply chain attacks via tag or branch hijacking.