name: Schmalz Checkout
description: >
  Composite wrapper around actions/checkout pinned to a specific commit SHA
  to prevent supply chain attacks via tag or branch hijacking.

inputs:
  ref:
    description: The branch, tag, or SHA to checkout. Defaults to the ref that triggered the workflow.
    required: false
    default: ''
  repository:
    description: Repository name with owner (e.g. actions/checkout). Defaults to the current repository.
    required: false
    default: ${{ github.repository }}
  token:
    description: Personal access token used to fetch the repository.
    required: false
    default: ${{ github.token }}
  path:
    description: Relative path under $GITHUB_WORKSPACE to place the repository.
    required: false
    default: ''
  fetch-depth:
    description: Number of commits to fetch. 0 fetches all history.
    required: false
    default: '1'
  submodules:
    description: Whether to checkout submodules. true, false, or recursive.
    required: false
    default: 'false'

runs:
  using: composite
  steps:
    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
    # actions/checkout v4.3.1 — https://code.forgejo.org/actions/checkout/commits/tag/v4.3.1
    - name: Checkout repository
      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      with:
        ref: ${{ inputs.ref }}
        repository: ${{ inputs.repository }}
        token: ${{ inputs.token }}
        path: ${{ inputs.path }}
        fetch-depth: ${{ inputs.fetch-depth }}
        submodules: ${{ inputs.submodules }}