From 3d2f98dc0664296ecbe2339a06a796c0fa682513 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Fri, 10 Apr 2026 15:34:50 +1200
Subject: [PATCH 1/2] (fix): disable sparse checkout cone mode to prevent root file leaks

---
 src/VCS/Adapter/Git/GitHub.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/VCS/Adapter/Git/GitHub.php b/src/VCS/Adapter/Git/GitHub.php
index 56bf657d..d3b6c7e2 100644
--- a/src/VCS/Adapter/Git/GitHub.php
+++ b/src/VCS/Adapter/Git/GitHub.php
@@ -863,8 +863,9 @@ public function generateCloneCommand(string $owner, string $repositoryName, stri
 "git config --global init.defaultBranch main",
 "git init",
 "git remote add origin {$cloneUrl}",
- // Enable sparse checkout
+ // Enable non-cone sparse checkout (cone mode includes root-level files)
 "git config core.sparseCheckout true",
+ "git config core.sparseCheckoutCone false",
 "echo {$rootDirectory} >> .git/info/sparse-checkout",
 // Disable fetching of refs we don't need
 "git config --add remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'",

From 93d23b13bcbef72afe02bd519cc79d7532de8868 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Fri, 10 Apr 2026 15:44:58 +1200
Subject: [PATCH 2/2] (fix): only disable cone mode for subdirectory checkouts

---
 src/VCS/Adapter/Git/GitHub.php | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/VCS/Adapter/Git/GitHub.php b/src/VCS/Adapter/Git/GitHub.php
index d3b6c7e2..ada4dce2 100644
--- a/src/VCS/Adapter/Git/GitHub.php
+++ b/src/VCS/Adapter/Git/GitHub.php
@@ -857,21 +857,30 @@ public function generateCloneCommand(string $owner, string $repositoryName, stri
 $directory = escapeshellarg($directory);
 $rootDirectory = escapeshellarg($rootDirectory);
 
+ $isSubdirectory = $rootDirectory !== escapeshellarg('*');
+
 $commands = [
 "mkdir -p {$directory}",
 "cd {$directory}",
 "git config --global init.defaultBranch main",
 "git init",
 "git remote add origin {$cloneUrl}",
- // Enable non-cone sparse checkout (cone mode includes root-level files)
+ // Enable sparse checkout
 "git config core.sparseCheckout true",
- "git config core.sparseCheckoutCone false",
+ ];
+
+ // Disable cone mode for subdirectory checkouts (cone mode includes root-level files)
+ if ($isSubdirectory) {
+ $commands[] = "git config core.sparseCheckoutCone false";
+ }
+
+ $commands = array_merge($commands, [
 "echo {$rootDirectory} >> .git/info/sparse-checkout",
 // Disable fetching of refs we don't need
 "git config --add remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'",
 // Disable fetching of tags
 "git config remote.origin.tagopt --no-tags",
- ];
+ ]);
 
 switch ($versionType) {
 case self::CLONE_TYPE_BRANCH:
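Review bot: The pattern the `echo` line writes to `.git/info/sparse-checkout` is not anchored, so in the non-cone mode this hunk now enables for subdirectory checkouts a root directory such as `api` also matches `packages/api` at any depth (the sparse-checkout file uses gitignore syntax, where a pattern without a slash matches at every level), which re-introduces the kind of over-inclusion this series sets out to remove. Build the pattern for the subdirectory case before it is shell-escaped, e.g. `$pattern = $isSubdirectory ? escapeshellarg('/' . trim($rootDirectory, '/') . '/') : escapeshellarg('*');` and write `$pattern` instead of `$rootDirectory` on the `echo` line. The `$isSubdirectory` test only recognises `*` as "whole repository", so values like `.`, `/` or an empty string — if a caller can pass them — are treated as a subdirectory and written as a literal pattern; normalising or rejecting those up front would make the intent explicit. Note that with `core.sparseCheckoutCone` left unset in the `*` branch git's default is presumably non-cone anyway, so the conditional mainly guards against a global config that enables cone mode. generateCloneCommand starts and ends outside the hunk.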