.github/workflows: simplify tag checkout steps

In commit df6e49c of PR git-lfs#5243 we added
a step to all of the jobs in our CI and release GitHub Actions workflows
to work around the problem described in actions/checkout#290 and
actions/checkout#882.  This step, which only executes if the job is
running due to the push of a new tag, performs a "git fetch" command
of the tag's reference to ensure that the local copy is identical to
the remote one and has not been converted from an annotated tag into
a lightweight one.  Starting with v2 of the actions/checkout action,
annotated tags are by default replaced with lightweight ones, which then
causes any subsequent "git describe" commands to return an incorrect
value.  Since we depend on the output of "git describe" in several
places in our workflows to generate the appropriate version name for our
release artifacts, we need to ensure we have the full annotated tag
for the current reference rather than a lightweight one.

Recently, in commit 9c3fab1 of PR git-lfs#5930,
we strengthened the security of our GitHub Action workflows by setting
the "persist-credentials" option of the actions/checkout action to "false",
so that any cached Git credentials are removed at the end of that step.
While this causes no problems when our CI workflow runs after a branch
is pushed, as is the case for new PRs, when we push a new tag the
"git fetch" step now fails as it depends on the cached Git credentials
from the actions/checkout step.

We could use the GITHUB_TOKEN Action secret to temporarily set an
appropriate HTTP Authorization header to make the "git fetch" command
succeed.  However, a more straightforward solution exists whereby we
specify explicitly the reference we want to check out using the "ref"
option of the actions/checkout action.  This causes the action to
fetch the reference such that if the reference is an annotated tag,
it remains one and is not converted into a lightweight one.  For
reference, see:

  actions/checkout#882 (comment)
  actions/runner-images#1717 (comment)

h/t classabbyamp and xenoterracide for documenting this workaround

Author: chrisd8088

.github/workflows/ci.yml

@@ -16,11 +16,11 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
-      # We update the current tag as the checkout step turns annotated tags
-      # into lightweight ones by accident, breaking "git describe".
-      # See https://github.com/actions/checkout/issues/882 for details.
+        ref: ${{ github.ref }}
+      # We specify the current ref because otherwise the checkout turns
+      # annotated tags into lightweight ones, breaking "git describe".
+      # See https://github.com/actions/checkout/issues/290 and
+      # https://github.com/actions/checkout/issues/882 for details.
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
     - uses: actions/setup-go@v5
@@ -53,8 +53,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
+        ref: ${{ github.ref }}
     - uses: actions/setup-go@v5
       with:
         go-version: ${{ matrix.go }}
@@ -67,9 +66,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
-      shell: bash
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
     - run: Rename-Item -Path C:\msys64 -NewName msys64-tmp -Force
@@ -136,11 +133,10 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
+        ref: ${{ github.ref }}
     - uses: actions/setup-go@v5
       with:
         go-version: '1.23.x'
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
     - run: git clone -b master https://github.com/git/git.git "$HOME/git"
     - run: |
         echo "GIT_INSTALL_DIR=$HOME/git" >> "$GITHUB_ENV"
@@ -161,11 +157,10 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
+        ref: ${{ github.ref }}
     - uses: actions/setup-go@v5
       with:
         go-version: '1.23.x'
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
     - run: git clone -b v2.0.0 https://github.com/git/git.git "$HOME/git"
     - run: |
         echo "GIT_INSTALL_DIR=$HOME/git" >> "$GITHUB_ENV"
@@ -183,8 +178,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: git clone https://github.com/git-lfs/build-dockers.git "$HOME/build-dockers"
     - run: (cd "$HOME/build-dockers" && ./build_dockers.bsh)
@@ -201,8 +195,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      if: ${{ github.ref_type == 'tag' }}
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: |
         echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json

.github/workflows/release.yml

@@ -17,11 +17,11 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
-      shell: bash
-      # We update the current tag as the checkout step turns annotated tags
-      # into lightweight ones by accident, breaking "git describe".
-      # See https://github.com/actions/checkout/issues/882 for details.
+        ref: ${{ github.ref }}
+      # We specify the current ref because otherwise the checkout turns
+      # annotated tags into lightweight ones, breaking "git describe".
+      # See https://github.com/actions/checkout/issues/290 and
+      # https://github.com/actions/checkout/issues/882 for details.
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
     - run: Rename-Item -Path C:\msys64 -NewName msys64-tmp -Force
@@ -110,7 +110,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
     - uses: actions/setup-go@v5
@@ -149,7 +149,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: gem install asciidoctor
     - uses: actions/setup-go@v5
@@ -181,7 +181,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: gem install packagecloud-ruby
     - run: git clone https://github.com/git-lfs/build-dockers.git "$HOME/build-dockers"
@@ -203,7 +203,7 @@ jobs:
       with:
         fetch-depth: 0
         persist-credentials: false
-    - run: git fetch origin "+${GITHUB_REF}:${GITHUB_REF}"
+        ref: ${{ github.ref }}
     - uses: ruby/setup-ruby@v1
     - run: gem install packagecloud-ruby
     - run: |