
chore(deps): update actions/checkout action to v4.1.3 #376

Merged
merged 1 commit into from
Apr 24, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Apr 24, 2024

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | patch | v4.1.1 -> v4.1.3 |

Release Notes

actions/checkout (actions/checkout)

v4.1.3

Compare Source

What's Changed

Full Changelog: actions/checkout@v4.1.2...v4.1.3

v4.1.2

Compare Source


Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner April 24, 2024 00:20

[puLL-Merge] - actions/[email protected]

Description

This PR makes several changes to the actions/checkout codebase:

  1. Adds support for disabling sparse checkout when the sparse-checkout option is not provided. This fixes an issue where sparse checkout settings could persist unexpectedly.
  2. Updates the test workflow to use a custom Ubuntu+git docker image for improved reliability. The workflow for building this image is also added.
  3. Bumps the version to v4.1.2 and updates the changelog.
  4. Adds an ssh-user option to allow configuring the SSH user.

The main motivation seems to be fixing the sparse checkout persistence bug and improving the reliability of the test workflow.

Changes

  • .github/workflows/test.yml: Updated to use the custom test-ubuntu-git docker image. Added a test for disabling sparse checkout.
  • .github/workflows/update-main-version.yml: Now pins actions/checkout to a stable version for reliability.
  • .github/workflows/update-test-ubuntu-git.yml: New workflow to build and publish the test-ubuntu-git docker image.
  • images/test-ubuntu-git.Dockerfile: Dockerfile for the custom test image with git pre-installed on Ubuntu.
  • images/test-ubuntu-git.md: Documentation for the new custom Docker image.
  • action.yml: Added new ssh-user input.
  • src/git-command-manager.ts: Added disableSparseCheckout() function. Updated minimum Git version constants.
  • src/git-source-provider.ts: Disables sparse checkout if not configured.
  • src/git-source-settings.ts: Added sshUser property.
  • src/input-helper.ts: Reads new ssh-user input.
  • src/url-helper.ts: Uses configured ssh-user for SSH URLs.
  • *: Version bumped to 4.1.2. Changelog updated.

Security Hotspots

  1. Medium: The new ssh-user input is used to construct Git URLs without any validation or sanitization. Validate the input is a safe username.
  2. Low: The custom Docker image building is gated behind a manual workflow_dispatch, reducing risk of it being abused. But access to trigger it should be restricted.
  3. Low: Package version bumped to 4.1.2 without major changes. Consider if this should be a patch version bump instead per semver.

Overall the changes look reasonable, with the main security recommendation being to validate the ssh-user input. Let me know if you have any other questions!
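The first hotspot above recommends validating the ssh-user input before it is placed into a Git SSH URL. As an added example that is not code from actions/checkout or from the reviewer, here is one way to do that; the function names and the `user@host:owner/repo.git` URL shape are assumptions modelled on the action's url-helper.ts behaviour described above.

```typescript
// Added example, not the action's own code. Validates an ssh-user style value
// before it is spliced into a Git SSH URL, then builds the URL.

// Allow-list for the ssh-user value: a typical SSH login name. Anything that
// would be read as URL syntax ("@" or ":" shifts the user/host/path boundary,
// "/" changes the path) or as an option (leading "-") fails the test.
const SSH_USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,31}$/;

// The default the action uses when ssh-user is not set (assumption).
const DEFAULT_SSH_USER = "git";

// Returns null when the value is acceptable, otherwise a message suitable for
// failing the step (for example via core.setFailed()).
function validateSshUser(user: string): string | null {
  if (user.length === 0) return null; // empty means "use the default"
  if (!SSH_USER_RE.test(user)) {
    return `ssh-user ${JSON.stringify(user)} is not a valid SSH login name (allowed: ${SSH_USER_RE})`;
  }
  return null;
}

// Builds "user@host:owner/repo.git". Owner and name are percent-encoded; the
// user is validated rather than encoded, because encoding would silently turn
// a bad value into a username no server accepts.
function buildSshFetchUrl(
  hostname: string,
  repositoryOwner: string,
  repositoryName: string,
  sshUser: string
): string {
  const problem = validateSshUser(sshUser);
  if (problem !== null) throw new Error(problem);
  const user = sshUser.length > 0 ? sshUser : DEFAULT_SSH_USER;
  const owner = encodeURIComponent(repositoryOwner);
  const name = encodeURIComponent(repositoryName);
  return `${user}@${hostname}:${owner}/${name}.git`;
}
```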

Contributor

@rillian rillian left a comment


keep ci scripts up to date

@rillian rillian merged commit b6a2c39 into main Apr 24, 2024
12 checks passed
@rillian rillian deleted the renovate/actions-checkout-4.x branch April 24, 2024 19:48