fix: allow @ in branch names (valid per git-check-ref-format) #1411
Merged
ashwin-ant merged 1 commit intoJun 22, 2026
`validateBranchName` rejects branch names containing `@`, even though `git check-ref-format` permits `@` and GitHub itself accepts such branches. PRs whose head or base branch contains an `@` fail validation in-process before any git operation, so the action errors out immediately.

Branch names with `@` show up in real workflows: ticket conventions like "TICKET-123@add-feature" (anthropics#998), leading-prefix conventions like "@hotfix/...", and agent tooling that appends "@<sessionid>" (anthropics#1305). There is no workaround other than renaming the branch, which is often not under the user's control.

Branch names are never passed through a shell (git calls use execFileSync argv arrays), so `@` carries no injection risk. This is the same reasoning used to add `#` in anthropics#1167, `+` in anthropics#1248, and `,` in anthropics#1310. The bare name "@" (HEAD shorthand in git revision syntax) and the "@{" reflog sequence are still rejected.

- Add `@` to the validateBranchName whitelist regex, including the leading position (the leading-character rule blocks option injection via `-`, which `@` cannot cause)
- Reject the bare name "@" with a dedicated check
- Update the surrounding comment, JSDoc, and error message to match
- Add test cases for @-containing names and bare "@"

Fixes anthropics#998

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
ashwin-ant approved these changes Jun 22, 2026
This was referenced Jun 28, 2026
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request Jun 29, 2026
Bumps the github-actions group with 4 updates: [actions/setup-python](https://github.com/actions/setup-python), [actions/setup-java](https://github.com/actions/setup-java), [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) and [actions/setup-dotnet](https://github.com/actions/setup-dotnet).

Updates `actions/setup-python` from 6.2.0 to 6.3.0

Updates `actions/setup-java` from 5.3.0 to 5.4.0

Updates `anthropics/claude-code-action` from 1.0.153 to 1.0.159

Release notes

*Sourced from [anthropics/claude-code-action's releases](https://github.com/anthropics/claude-code-action/releases).*

> v1.0.159
> --------
>
> What's Changed
> --------------
>
> * fix: bound app token revocation cleanup by [`@tarunag10`](https://github.com/tarunag10) in [anthropics/claude-code-action#1437](https://redirect.github.com/anthropics/claude-code-action/pull/1437)
>
> New Contributors
> ----------------
>
> * [`@tarunag10`](https://github.com/tarunag10) made their first contribution in [anthropics/claude-code-action#1437](https://redirect.github.com/anthropics/claude-code-action/pull/1437)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.159>
>
> v1.0.158
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.158>
>
> v1.0.157
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.157>
>
> v1.0.156
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.156>
>
> v1.0.155
> --------
>
> What's Changed
> --------------
>
> * fix: filter PR reviews and inline review comments to trigger time by [`@EffortlessSteven`](https://github.com/EffortlessSteven) in [anthropics/claude-code-action#1385](https://redirect.github.com/anthropics/claude-code-action/pull/1385)
> * test: cover format-turns content-type fallbacks and system\_other handling by [`@farmer-data`](https://github.com/farmer-data) in [anthropics/claude-code-action#1421](https://redirect.github.com/anthropics/claude-code-action/pull/1421)
> * fix: allow @ in branch names (valid per git-check-ref-format) by [`@bellalMohamed`](https://github.com/bellalMohamed) in [anthropics/claude-code-action#1411](https://redirect.github.com/anthropics/claude-code-action/pull/1411)
>
> New Contributors
> ----------------
>
> * [`@EffortlessSteven`](https://github.com/EffortlessSteven) made their first contribution in [anthropics/claude-code-action#1385](https://redirect.github.com/anthropics/claude-code-action/pull/1385)
> * [`@farmer-data`](https://github.com/farmer-data) made their first contribution in [anthropics/claude-code-action#1421](https://redirect.github.com/anthropics/claude-code-action/pull/1421)
> * [`@bellalMohamed`](https://github.com/bellalMohamed) made their first contribution in [anthropics/claude-code-action#1411](https://redirect.github.com/anthropics/claude-code-action/pull/1411)
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.155>
>
> v1.0.154
> --------
>
> **Full Changelog**: <anthropics/claude-code-action@v1...v1.0.154>

Commits

* [`a92e7c7`](anthropics/claude-code-action@a92e7c7) chore: bump Claude Code to 2.1.195 and Agent SDK to 0.3.195
* [`f8076dc`](anthropics/claude-code-action@f8076dc) fix: bound app token revocation cleanup ([#1437](https://redirect.github.com/anthropics/claude-code-action/issues/1437))
* [`5211368`](anthropics/claude-code-action@5211368) chore: bump Claude Code to 2.1.193 and Agent SDK to 0.3.193
* [`428971d`](anthropics/claude-code-action@428971d) chore: bump Claude Code to 2.1.191 and Agent SDK to 0.3.191
* [`74eedf1`](anthropics/claude-code-action@74eedf1) chore: bump Claude Code to 2.1.190 and Agent SDK to 0.3.190
* [`80b3182`](anthropics/claude-code-action@80b3182) chore: bump Claude Code to 2.1.187 and Agent SDK to 0.3.187
* [`360be9c`](anthropics/claude-code-action@360be9c) fix: allow @ in branch names (valid per git-check-ref-format) ([#1411](https://redirect.github.com/anthropics/claude-code-action/issues/1411))
* [`e452eb9`](anthropics/claude-code-action@e452eb9) test: cover format-turns content-type fallbacks and system\_other handling ([#1](https://redirect.github.com/anthropics/claude-code-action/issues/1)...
* [`6b80630`](anthropics/claude-code-action@6b80630) fix: filter PR reviews and inline review comments to trigger time ([#1385](https://redirect.github.com/anthropics/claude-code-action/issues/1385))
* [`30544b6`](anthropics/claude-code-action@30544b6) chore: bump Claude Code to 2.1.186 and Agent SDK to 0.3.186
* See full diff in [compare view](anthropics/claude-code-action@2fee155...a92e7c7)

Updates `actions/setup-dotnet` from 5.3.0 to 5.4.0
Problem

`validateBranchName` in `src/github/operations/branch.ts` rejects branch names containing `@`, even though `git check-ref-format` permits `@` and GitHub itself accepts such branches. When the action runs on a PR whose head or base branch contains an `@`, validation throws before any git operation and the action fails immediately:

This shows up in real workflows: ticket conventions like `TICKET-123@add-feature` (#998), leading-prefix conventions like `@hotfix/...` (we run this action org-wide for PR-comment automation on private repos, and every PR from an `@`-prefixed hotfix branch fails at the prepare step with the error above), and agent tooling that appends `@<sessionid>` (#1305). There is no workaround other than renaming the branch, which is often not under the user's control.

Fixes #998.

Root cause

The whitelist regex at `src/github/operations/branch.ts:68` is:

`@` is not in either character class, so any ref containing one is rejected regardless of position.

The whitelist exists for injection safety, but branch names are never passed through a shell — git calls use `execFileSync` with an argv array — so `@` carries no injection risk under that execution model. This is the same reasoning used to add `#` in #1167, `+` in #1248, and `,` in #1310.

Fix

Add `@` to the whitelist, including the leading position: `/^[a-zA-Z0-9@][a-zA-Z0-9/_.#+,@-]*$/`.

- `-x`, `--help`); `@` is not an option prefix, so allowing it first does not weaken that protection. Leading `@` is what `@hotfix/...`-style conventions need, and `git check-ref-format --branch "@hotfix/x"` accepts it.
- `@` is rejected with a dedicated check: per git-check-ref-format, a refname cannot be the single character `@`, and `@` resolves to HEAD in git revision syntax, so it must never reach git as a branch argument where it could be interpreted as a revision instead.
- `@{` reflog sequence is still rejected by the existing dedicated check (untouched).

Relationship to existing PRs

#999, #1022, and #1305 also propose allowing `@`. This PR is intended to complement them with three differences: (1) it is based on current `main` (#1310 landed on the same lines, so the earlier diffs now conflict); (2) it also accepts `@` in the leading position, which is the failure mode for `@hotfix/...`-style conventions; and (3) it adds an explicit bare-`@` guard with a test so HEAD shorthand cannot slip through the widened character class. Happy to close this in favor of any of those if a maintainer prefers.

Testing

- `TICKET-123@add-feature`, `@hotfix/login-timeout`, `agent/task@abc123`) referencing Branch name validation rejects @ character which is valid in git #998, and 1 new reject test for bare `@`, both following the style of the fix: allow # in branch names for PR checkout and base restore #1167 / fix: allow + in branch names (generated by Claude Code EnterWorktree) #1248 / fix: allow , in branch names #1310 tests
- `@{`, control characters, spaces, shell metacharacters, option injection, path traversal, `.lock`, and trailing/consecutive slashes are still rejected
- `validateBranchName` standalone with node against the full accept/reject matrix from the test suite plus the new cases: 34 accept / 60 reject, 94/94 as expected (my environment cannot run bun; CI will run the real suite)

🤖 Generated with Claude Code
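
The checks this description walks through, as an added example that is not the project's `branch.ts`: it uses the whitelist quoted above and shows why widening the character class needs the separate bare-`@` guard. The pre-fix regex is an assumption (the quoted one with `@` removed from both classes), and the function name, reason labels and the last six sample names are made up for the example.

```javascript
// Added example: stand-alone sketch of the checks described in this PR.
// It is not the code in src/github/operations/branch.ts.

// Whitelist quoted in the PR description (after the fix).
const WHITELIST_AFTER = /^[a-zA-Z0-9@][a-zA-Z0-9/_.#+,@-]*$/;

// Assumption: the pre-fix whitelist, obtained by dropping "@" from both
// character classes. The page describes it but does not quote it.
const WHITELIST_BEFORE = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+,-]*$/;

// Returns { ok: true } or { ok: false, reason }. The reason strings are
// hypothetical labels chosen for this example.
function checkBranchName(name, whitelist = WHITELIST_AFTER) {
  if (typeof name !== "string" || name.length === 0) {
    return { ok: false, reason: "empty" };
  }
  // Bare "@" matches the widened whitelist, but git reads it as HEAD,
  // so the regex alone is not enough once "@" is allowed.
  if (name === "@") return { ok: false, reason: "bare-at" };
  // "@{" begins reflog syntax such as "@{-1}".
  if (name.includes("@{")) return { ok: false, reason: "reflog-sequence" };
  // A leading "-" is parsed by git as an option, even in an argv array.
  if (name.startsWith("-")) return { ok: false, reason: "leading-dash" };
  if (/[\x00-\x1f\x7f]/.test(name)) return { ok: false, reason: "control-char" };
  if (name.includes("..")) return { ok: false, reason: "path-traversal" };
  if (name.split("/").some((part) => part.endsWith(".lock"))) {
    return { ok: false, reason: "lock-suffix" };
  }
  if (name.endsWith("/") || name.includes("//")) {
    return { ok: false, reason: "bad-slash" };
  }
  // Everything else (spaces, shell metacharacters, ...) fails the whitelist.
  if (!whitelist.test(name)) return { ok: false, reason: "not-in-whitelist" };
  return { ok: true };
}

// Sample input: the first four names appear in the PR text, the rest are
// constructed for this example.
const SAMPLE_NAMES = [
  "TICKET-123@add-feature",
  "@hotfix/login-timeout",
  "agent/task@abc123",
  "@",
  "main",
  "feature/x@{1}",
  "--help",
  "feat;x",
  "a/../b",
  "release.lock",
];

// Accept/reject matrix under the assumed old whitelist and the new one.
function runMatrix(names = SAMPLE_NAMES) {
  return names.map((name) => {
    const after = checkBranchName(name, WHITELIST_AFTER);
    return {
      name,
      before: checkBranchName(name, WHITELIST_BEFORE).ok,
      after: after.ok,
      reason: after.reason ?? null,
    };
  });
}

for (const row of runMatrix()) {
  console.log(JSON.stringify(row));
}
```
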