apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: git-clone-checkout
spec:
  description: |
    This task clones a Git repository and checks out a specified branch if it exists.
    Supports SSH, basic-auth, custom CA certs, sparse checkout, submodules, shallow clone, and proxy settings.
    The commit SHA, committer date, and fetched URL are exposed as Task results.

  params:
    - name: context
      type: string
      default: ""
      description: context directory

    - name: url
      type: string
      description: The Git repository URL to clone.

    - name: ref
      type: string
      default: ""
      description: The branch or commit SHA to check out. If empty, default branch will be used.

    - name: refspec
      type: string
      default: ""
      description: Refspec to fetch before checking out revision.

    - name: submodules
      type: string
      default: "true"
      description: Initialize and fetch git submodules.

    - name: depth
      type: string
      default: "1"
      description: Perform a shallow clone, fetching only the most recent N commits.

    - name: sslVerify
      type: string
      default: "true"
      description: |
        Set the `http.sslVerify` global git config.
        Setting this to `false` is not advised unless you are sure that you trust your git remote.

    - name: crtFileName
      type: string
      default: "ca-bundle.crt"
      description: file name of mounted crt using ssl-ca-directory workspace.

    - name: sparseCheckoutDirectories
      type: string
      default: ""
      description: Define the directory patterns to match or exclude when performing a sparse checkout.

    - name: deleteExisting
      type: string
      default: "true"
      description: Clean out the contents of the destination directory if it already exists before cloning.

    - name: httpProxy
      type: string
      default: ""
      description: HTTP proxy server for non-SSL requests.

    - name: httpsProxy
      type: string
      default: ""
      description: HTTPS proxy server for SSL requests.

    - name: noProxy
      type: string
      default: ""
      description: Opt out of proxying HTTP/HTTPS requests.

    - name: verbose
      type: string
      default: "true"
      description: Log the commands that are executed during `git-clone`'s operation.

    - name: gitInitImage
      type: string
      default: "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2"
      description: The image providing the git-init binary that this Task runs.

  workspaces:
    - name: base
      description: The workspace where the repository will be cloned.

  results:
    - name: commit
      description: The precise commit SHA that was fetched by this Task.
    - name: url
      description: The precise URL that was fetched by this Task.
    - name: committer-date
      description: The epoch timestamp of the commit that was fetched by this Task.

  steps:
    - name: clone
      image: $(params.gitInitImage)
      env:
        - name: HOME
          value: /workspace/base/$(params.context)/home
        - name: SSL_CERT_FILE
          value: /workspace/base/$(params.context)/home/cert/$(params.crtFileName)"
        - name: HTTP_PROXY
          value: $(params.httpProxy)
        - name: HTTPS_PROXY
          value: $(params.httpsProxy)
        - name: NO_PROXY
          value: $(params.noProxy)
      script: |
        #!/bin/sh
        set -eu

        if [ "$(params.sslVerify)" = "false" ]; then
          echo "[INFO] Disabling SSL verification"
          git config --global http.sslVerify false
        fi

        cd /workspace/base

        CLONE_DIR="$(params.source)"
        if [ -z "$CLONE_DIR" ]; then
          CLONE_DIR="."
        fi

        if [ "$(params.deleteExisting)" = "true" ] && [ -d "$CLONE_DIR" ]; then
          echo "[INFO] Deleting existing directory $CLONE_DIR"
          rm -rf "$CLONE_DIR"
        fi

        echo "[INFO] Cloning repository..."
        git clone --depth=$(params.depth) $(params.url) "$CLONE_DIR"
        cd "$CLONE_DIR"

        if [ -n "$(params.refspec)" ]; then
          git fetch origin $(params.refspec)
        fi

        REF="$(params.ref)"
        if [ -n "$REF" ]; then
          if echo "$REF" | grep -q '^refs/heads/'; then
            BRANCH="${REF#refs/heads/}"
            echo "[INFO] Checking out branch: $BRANCH"
            git checkout -b "$BRANCH" "origin/$BRANCH" || git checkout "$BRANCH"
          elif echo "$REF" | grep -q '^refs/tags/'; then
            TAG="${REF#refs/tags/}"
            echo "[INFO] Checking out tag: $TAG"
            git fetch --tags
            git checkout "tags/$TAG" || git checkout "$TAG"
          elif git rev-parse --verify "$REF" >/dev/null 2>&1; then
            echo "[INFO] Checking out commit SHA: $REF"
            git checkout "$REF"
          else
            echo "[ERROR] Invalid revision: $REF not found as branch, tag, or commit"
            exit 1
          fi
        else
          echo "[INFO] No revision specified, staying on default branch"
        fi

        if [ "$(params.submodules)" = "true" ]; then
          echo "[INFO] Initializing submodules..."
          git submodule update --init --recursive
        fi

        if [ -n "$(params.sparseCheckoutDirectories)" ]; then
          echo "[INFO] Setting up sparse checkout..."
          git config core.sparseCheckout true
          echo "$(params.sparseCheckoutDirectories)" > .git/info/sparse-checkout
          git read-tree -mu HEAD
        fi

        echo "[INFO] Writing Task results..."
        echo -n "$(git rev-parse HEAD)" > $(results.commit.path)
        echo -n "$(git config --get remote.origin.url)" > $(results.url.path)
        echo -n "$(git show -s --format=%ct HEAD)" > $(results.committer-date.path)

        echo "[INFO] Clone and checkout complete"