TopGit
GitHub Repo Review

GitHub Actions Checkout Action: actions/checkout

actions/checkout

The GitHub Actions checkout action (actions/checkout) is the official step that clones your repository into a workflow runner so the rest of your job can build, test, or deploy it. It's the near-universal first line of a GitHub Actions workflow — a `uses: actions/checkout@v4` step that pulls your code onto the runner, with inputs for how much history, which ref, and which credentials come along.

GGitHub Actions Checkout Action: actions/checkout — open-source GitHub repository preview
Quick verdict

Reach for it — the GitHub Actions checkout action is the default first step in almost any workflow, and the real decisions aren't whether to use it but which options you set: fetch-depth, submodules, token handling, and version pinning. There's rarely a reason to hand-roll `git clone`, since this action already handles auth, workspace cleanup, and the detached-HEAD edge cases for you.

Stars
★ 0
Forks
⑂ 0
Language
License
See repository
Topic
Updated
Jul 2026
Homepage
GitHub

The problem it solves

A GitHub Actions runner starts empty — your repository isn't on it. Before you can run tests or a build, something has to fetch the code, wire up credentials so `git push` works, and clean the workspace between runs. Doing that by hand with `git clone` means juggling the `GITHUB_TOKEN`, detached-HEAD states, and post-job cleanup yourself. This action exists to make that first step a single line.

What is it?

The GitHub Actions checkout action is the official action (actions/checkout) that clones your repository into a workflow runner under `$GITHUB_WORKSPACE`, so later steps can access your code. By default it fetches a single commit — the ref or SHA that triggered the workflow — and persists an auth token in the local git config so your scripts can run authenticated git commands; that token is removed during post-job cleanup. It's written in TypeScript, MIT-licensed, and maintained by GitHub itself.

Why it's getting attention

It's less trending than foundational — at 8.4k stars, actions/checkout is one of the most-used GitHub Actions in existence, sitting at the top of essentially every workflow file. Recent movement is about security: the README says v7 now refuses to check out fork pull-request code by default under `pull_request_target` and `workflow_run` (a common 'pwn request' vector), v6 moved persisted credentials out of `.git/config` into `$RUNNER_TEMP`, and v5 moved to the node24 runtime.

How this repository's GitHub stars have grown over time. Source: star-history.com.View the star history

Key features

  • Fetch-depth control: `fetch-depth: 0` pulls full history for all branches and tags; the default of 1 grabs only the triggering commit
  • Submodule support via `submodules: true` or `recursive` to check out nested repositories
  • Sparse checkout through `sparse-checkout` (with cone mode) and partial clone via `filter`, to fetch only the paths you need
  • Git-LFS support with `lfs: true` for large files
  • Token and SSH auth: persists the `GITHUB_TOKEN` (or a PAT, or an `ssh-key`) in git config for authenticated commands, then removes it post-job
  • Multi-repo checkout using `path` and `repository` to place several repositories side by side or nested on the runner
  • A `ref` input to check out any branch, tag, or SHA instead of the default event ref

Best use cases

  • The first step of almost any CI job — getting your code onto the runner before building, testing, or linting
  • Fetching full git history with `fetch-depth: 0` for tools that need it, like semantic-release or `git describe`
  • Checking out a second repository (private tools, shared config) alongside your main repo in one workflow
  • Sparse or single-file checkouts to speed up jobs that only touch part of a large monorepo
  • Pushing a commit back from a workflow using the built-in token — e.g. a bot that generates and commits files

How to install / try

There's nothing to install — it's a GitHub Action referenced directly in a workflow YAML file. Add a step with `uses: actions/checkout@v4`, pinning to a major-version tag (or a full commit SHA for stricter supply-chain safety). The GitHub Actions checkout action is MIT-licensed and maintained by GitHub; v7 is the current major, though `@v4` remains the most widely pinned. It runs on GitHub-hosted and self-hosted runners.

How to use

In a workflow file, the checkout step goes first: ```yaml - uses: actions/checkout@v4 ``` That clones the ref that triggered the run. To fetch all history and tags: ```yaml - uses: actions/checkout@v4 with: fetch-depth: 0 ``` To check out a second repository into a subdirectory: ```yaml - uses: actions/checkout@v4 with: repository: my-org/my-tools path: my-tools ``` The README recommends setting `permissions: contents: read` for the `GITHUB_TOKEN` unless you provide your own `token` or `ssh-key`.

Strengths

  • One line replaces a pile of `git clone` plumbing — auth, workspace cleanup, and detached-HEAD handling included
  • Maintained by GitHub, so it tracks runner and Node-runtime changes and receives security fixes
  • Sensible option surface: fetch-depth, submodules, LFS, sparse checkout, and multi-repo layouts are all inputs, not hand-written scripts
  • Post-job cleanup removes the persisted token automatically, so credentials don't linger on the runner
  • MIT-licensed and open source, so you can read exactly what it does before trusting it with your token

Limitations & risks

  • GitHub Actions-only — it's a workflow action, with no use outside a GitHub Actions (or compatible) runner
  • The default `fetch-depth: 1` catches people out: a shallow checkout has no tags and no history, so tools that call `git log`, `git describe`, or diff against a base branch fail until you set `fetch-depth: 0`
  • Version pinning is a genuine decision — pinning `@v4` trusts a moving tag; strict supply-chain setups pin the full commit SHA, which then needs manual updates
  • By default it persists a credential for authenticated git commands (`persist-credentials: true`); set it to `false` if you don't want a token available to later steps
  • The README states GitHub is not currently accepting contributions to this repo, so external feature PRs won't be merged — only bug reports and security fixes
View on GitHub

Alternatives

Manual `git clone` in a `run` step using `${{ github.token }}` — full control over the fetch, at the cost of handling auth and cleanup yourselfCircleCI's `checkout` step or GitLab CI's built-in checkout — the platform-native equivalent on other CI systemsOlder majors like `actions/checkout@v3` — pin to these only if your runner can't meet the newer Node runtime requirements

Who should try it — and who should skip

Anyone writing a GitHub Actions workflow. If your job touches your repository's code at all — build, test, lint, release — the checkout action is the step that puts the code on the runner. The only people who skip it are those running a job that genuinely needs no source (a pure API call, or a container image that already ships the code), or who have a specific reason to script `git clone` by hand.

Frequently asked questions

What is the GitHub Actions checkout action?

actions/checkout is the official GitHub Action that clones your repository onto the workflow runner under `$GITHUB_WORKSPACE`, so later steps can build, test, or deploy your code. It's the standard first step in a GitHub Actions workflow.

Do I need actions/checkout in every workflow?

Only if a step needs your repository's files. A job that just calls an API or runs a prebuilt image can skip it, but any build, test, or lint job needs the code on the runner first.

Why is my git history missing after checkout?

By default the action fetches only the single triggering commit (`fetch-depth: 1`). Set `fetch-depth: 0` to pull full history and tags for tools like `git describe` or semantic-release.

Should I pin actions/checkout to @v4 or a commit SHA?

`@v4` is a major-version tag and receives patch updates automatically. Pinning the full commit SHA is stricter for supply-chain safety but means you update it by hand. v7 is the current major version.

Is actions/checkout free?

Yes. It's open source under the MIT License and maintained by GitHub; using it costs nothing beyond your normal GitHub Actions minutes.

Source & attribution

Based on the official actions/checkout GitHub repository, including its README and project metadata.

Back to TopGit