Add workflow to validate branch ancestry and prevent old git history

This workflow prevents branches containing pre-initialization git history from
being merged into dev/main, protecting against re-introduction of sensitive
data that was removed during the December 22, 2025 repository re-initialization.

## How It Works

The workflow runs on every push and pull request, performing these steps:

1. Checks out full git history (fetch-depth: 0)
2. Finds ALL root commits of the branch using git rev-list --max-parents=0
3. Validates each root commit against a list of valid initialization commits
4. FAILS if ANY root commit doesn't match the valid list
5. PASSES if all root commits are valid

Valid root commit (Dec 22, 2025 initialization):
  97e73c5

## What Happens When It Runs

**Valid Branch (created from current dev/main):**
- Workflow passes with ✅
- Branch can proceed to merge (if other checks pass)

**Invalid Branch (contains old git history):**
- Workflow FAILS with clear error message
- Shows which root commits are invalid
- Provides step-by-step remediation instructions
- Branch CANNOT be merged if branch protection is configured

## Security Features

- Multi-root detection: Handles merged branches with multiple histories
- Empty line handling: Robust parsing of git output
- Clear error messages: Developers know exactly how to fix the issue
- Minimal permissions: Only requires contents:read and pull-requests:read
- No tokens needed: Uses built-in GITHUB_TOKEN automatically
- Timeout protection: 10-minute limit prevents runaway workflows

## Branch Protection Configuration Required

After merging, these branch protection rules MUST be configured to actually
block invalid branches from merging:

### For 'dev' branch:
1. Go to: Settings → Branches → Edit 'dev' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes

### For 'main' branch:
1. Go to: Settings → Branches → Edit 'main' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes

**IMPORTANT:** Without this configuration, the workflow will alert but will
NOT block merges. The check must run successfully at least once before it
appears in the status check dropdown.

## Future Maintenance

If the repository is re-initialized again:
1. Edit .github/workflows/validate-branch-history.yml
2. Add the new root commit to VALID_ROOTS array (line 32)
3. Commit and push the change

## Testing

This workflow was designed to block branch 'origin/nps-am-25120' which
contains 1,545 commits from before Dec 22, 2025, including sensitive
customer data (e.g., woodmenlife.org domain references).

## No Configuration Needed

- No secrets or tokens to configure
- No repository variables to set
- Uses built-in GITHUB_TOKEN automatically
- Works immediately upon merge

Only action required: Configure branch protection rules (see above).

Author: jake-mahon-netwrix

.github/workflows/validate-branch-history.yml

@@ -0,0 +1,91 @@
+name: Validate Branch History
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+env:
+  SECURITY_CONTACT: 'jake-mahon-netwrix'
+
+jobs:
+  validate-history:
+    name: Validate Clean History
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check branch ancestry
+        id: check_ancestry
+        run: |
+          # Valid root commits
+          VALID_ROOTS=(
+            "97e73c5cc4a29296024f23499ef5e60bc7db755b"
+          )
+
+          echo "🔍 Validating branch ancestry..."
+
+          # Get ALL root commits (handles merged branches with multiple roots)
+          BRANCH_ROOTS=$(git rev-list --max-parents=0 HEAD)
+
+          echo "Found root commit(s):"
+          echo "$BRANCH_ROOTS"
+
+          # Check each root commit
+          INVALID_ROOTS=()
+          while IFS= read -r branch_root; do
+            # Skip empty lines
+            [[ -z "$branch_root" ]] && continue
+
+            VALID=false
+            for valid_root in "${VALID_ROOTS[@]}"; do
+              if [ "$branch_root" = "$valid_root" ]; then
+                VALID=true
+                break
+              fi
+            done
+
+            if [ "$VALID" = false ]; then
+              INVALID_ROOTS+=("$branch_root")
+            fi
+          done <<< "$BRANCH_ROOTS"
+
+          # If any invalid roots found, fail
+          if [ ${#INVALID_ROOTS[@]} -gt 0 ]; then
+            echo "❌ ERROR: This branch contains invalid root commits"
+            echo ""
+            echo "Expected all root commits to be one of:"
+            for root in "${VALID_ROOTS[@]}"; do
+              echo "  - $root"
+            done
+            echo ""
+            echo "Found invalid root commit(s):"
+            for invalid in "${INVALID_ROOTS[@]}"; do
+              echo "  - $invalid"
+            done
+            echo ""
+            echo "This repository was re-initialized to remove sensitive data from git history."
+            echo "Branches must be created from the current dev/main branches."
+            echo ""
+            echo "To fix this:"
+            echo "1. Save your changes as a patch: git diff origin/dev > my-changes.patch"
+            echo "2. Create a fresh branch from current dev: git checkout -b my-branch origin/dev"
+            echo "3. Apply your patch: git apply my-changes.patch"
+            echo "4. Commit and push the clean branch"
+            echo "5. Delete the invalid branch (replace BRANCH_NAME with your branch name):"
+            echo "   git push origin --delete BRANCH_NAME"
+            echo ""
+            echo "Contact @${{ env.SECURITY_CONTACT }} if you need assistance."
+            exit 1
+          fi
+
+          echo "✅ Branch ancestry validation passed"