Add branch pattern check to prevent accidental releases from non-configured branches

[Copilot]

Problem

The release script could be executed from any branch, leading to accidental releases from PR branches or outdated feature branches. This would leave the main branch behind while creating a release from the wrong branch.

Solution

Added a branchPattern option to the git plugin that validates the current branch before allowing a release to proceed. The check happens early in the check stage, immediately after verifying git identity.

Features

Default Behavior

By default, releases are only allowed from the repository's default branch (dynamically detected via git symbolic-ref --short refs/remotes/origin/HEAD). If detection fails, it falls back to allowing main or master:

yarn release  # Only works on the repo's default branch (or main/master as fallback)

Custom Patterns

Configure which branches are allowed using the --branchPattern option:

# Allow only develop branch
yarn release --branchPattern develop

# Allow multiple patterns
yarn release --branchPattern main --branchPattern "release/*"

Pattern Syntax

Supports a simplified wildcard syntax with * matching 1 or more characters:

Wildcards:

• release/* - matches any branch starting with release/ (e.g., release/1.0, release/v2.0)
• hotfix/* - matches any branch starting with hotfix/ (e.g., hotfix/bug-123)
• * matches 1+ characters (not zero)

Note: Full regex patterns are not supported. All special characters except * are treated as literals.

Error Messages

When a branch doesn't match, the script aborts with a clear, actionable error:

Release can only be triggered from branches matching: main. Current branch: feature/my-feature

Testing

Added comprehensive integration tests covering:

• Dynamic default branch detection using git symbolic-ref
• Fallback to main/master when dynamic detection fails
• Default pattern matching (main/master)
• Custom single and multiple patterns
• Wildcard patterns (success and failure cases)

All 105 tests pass, including 8 new tests specifically for this feature.

Implementation Details

• Added getCurrentBranch() helper to retrieve the current git branch
• Added getDefaultBranch() helper to dynamically detect the repository's default branch using git symbolic-ref
• Added matchesBranchPattern() helper with simplified wildcard matching (* only)
• Added checkBranchPattern() to validate branch against configured patterns, with dynamic default branch detection
• Integrated check into executeCheckStage() before any git operations
• Zero security vulnerabilities (verified with CodeQL)

Fixes #179

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add branch check to release script to prevent accidental releases from non-configured branches</issue_title>
<issue_description>The release script should only run on a specific configured branch (e.g. main). At the moment it can be executed from any branch, which can lead to accidental releases from open PR branches or outdated feature branches. This leaves main behind while the release is created from the wrong branch.

To avoid this, the release script should:

• Check that the current branch is main (or another configurable default branch, e.g. master).
• If not on the correct branch, abort with a clear error message like:
  "Release can only be triggered from main. Current branch: ".
• Optionally allow overriding with a flag if someone really wants to release from another branch.

This would reduce mistakes and ensure releases are only cut from the intended base branch.</issue_description>

<agent_instructions>Add an option branchPattern (string or string array) to the git plugin, default ["main", "master"].

During the check stage of the git plugin, add a check to ensure the current branch matches one of the branches specified in branchPattern, and if not abort with an actionable error message.

The pattern should accept regular expressions and a simplified wildcard syntax (* without a leading dot expands to .*)

Add integration tests for failing and happy paths, with and without wildcards/regex.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Fixes #179

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[AlCalzone]

@copilot instead of hardcoding main, master as the default branch, let's use git symbolic-ref --short refs/remotes/origin/HEAD to dynamically determine the default branch of the current repo. This command returns a string like origin/branchname, extract the default branch name from that.
This should take effect when the branchPattern option is not set.

[Copilot]

@copilot instead of hardcoding main, master as the default branch, let's use git symbolic-ref --short refs/remotes/origin/HEAD to dynamically determine the default branch of the current repo. Th...

Done! The implementation now uses git symbolic-ref --short refs/remotes/origin/HEAD to dynamically determine the default branch. If that command fails (e.g., symbolic ref not set), it falls back to ["main", "master"].

Added tests to verify both the dynamic detection and the fallback behavior.

Commit: 46d39b0 (initial implementation), updated in this commit

[AlCalzone]

@copilot let's get rid of the functionality that allows users to specify branches as regex. * should be the only wildcard (matches 1+ characters)

[Copilot]

@copilot let's get rid of the functionality that allows users to specify branches as regex. * should be the only wildcard (matches 1+ characters)

Done! Removed regex support and simplified the pattern matching to only support * as a wildcard that matches 1 or more characters. All regex-related tests have been removed.

Commit: 136863b

[AlCalzone]

OK with my changes