Commit 6fd5512
Add workflow to validate branch ancestry and prevent old git history
This workflow prevents branches containing pre-initialization git history from
being merged into dev/main, protecting against re-introduction of sensitive
data that was removed during the December 22, 2025 repository re-initialization.
## How It Works
The workflow runs on every push and pull request, performing these steps:
1. Checks out full git history (fetch-depth: 0)
2. Finds ALL root commits of the branch using git rev-list --max-parents=0
3. Validates each root commit against a list of valid initialization commits
4. FAILS if ANY root commit doesn't match the valid list
5. PASSES if all root commits are valid
Valid root commit (Dec 22, 2025 initialization):
97e73c5
## What Happens When It Runs
**Valid Branch (created from current dev/main):**
- Workflow passes with ✅
- Branch can proceed to merge (if other checks pass)
**Invalid Branch (contains old git history):**
- Workflow FAILS with clear error message
- Shows which root commits are invalid
- Provides step-by-step remediation instructions
- Branch CANNOT be merged if branch protection is configured
## Security Features
- Multi-root detection: Handles merged branches with multiple histories
- Empty line handling: Robust parsing of git output
- Clear error messages: Developers know exactly how to fix the issue
- Minimal permissions: Only requires contents:read and pull-requests:read
- No tokens needed: Uses built-in GITHUB_TOKEN automatically
- Timeout protection: 10-minute limit prevents runaway workflows
## Branch Protection Configuration Required
After merging, these branch protection rules MUST be configured to actually
block invalid branches from merging:
### For 'dev' branch:
1. Go to: Settings → Branches → Edit 'dev' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes
### For 'main' branch:
1. Go to: Settings → Branches → Edit 'main' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes
**IMPORTANT:** Without this configuration, the workflow will alert but will
NOT block merges. The check must run successfully at least once before it
appears in the status check dropdown.
## Future Maintenance
If the repository is re-initialized again:
1. Edit .github/workflows/validate-branch-history.yml
2. Add the new root commit to VALID_ROOTS array (line 32)
3. Commit and push the change
## Testing
This workflow was designed to block branch 'origin/nps-am-25120' which
contains 1,545 commits from before Dec 22, 2025, including sensitive
customer data (e.g., woodmenlife.org domain references).
## No Configuration Needed
- No secrets or tokens to configure
- No repository variables to set
- Uses built-in GITHUB_TOKEN automatically
- Works immediately upon merge
Only action required: Configure branch protection rules (see above).

1 parent 6d2217a commit 6fd5512
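The root-commit check described under "How It Works", written out as an added example in POSIX shell; this is not the workflow file from the commit, and the hashes other than 97e73c5 are constructed placeholders:

```shell
#!/bin/sh
# Added example, not the workflow file in this commit: the root-commit check the
# commit message describes, with the comparison factored out of the git call so
# it can be exercised without a repository.

# Root commits of the Dec 22, 2025 re-initialization. 97e73c5 is the hash the
# commit message names; after another re-initialization, append the new root.
# Entries may be abbreviated: a root matches if its full SHA starts with one.
VALID_ROOTS="97e73c5"

# validate_roots ROOTS
#   ROOTS is the newline-separated output of `git rev-list --max-parents=0 REF`.
#   Returns 0 if every root is in VALID_ROOTS, 1 if any root is not (or if no
#   root was found). Blank lines are skipped; bad roots are named on stderr.
validate_roots() {
  roots="$1"; status=0; seen=0
  while IFS= read -r root; do
    [ -z "$root" ] && continue                  # empty-line handling
    seen=$((seen + 1)); matched=0
    for valid in $VALID_ROOTS; do
      case "$root" in "$valid"*) matched=1; break ;; esac
    done
    if [ "$matched" -eq 0 ]; then
      echo "ERROR: root commit $root is not a valid initialization commit" >&2
      status=1
    fi
  done <<EOF
$roots
EOF
  [ "$seen" -gt 0 ] || { echo "ERROR: no root commit found" >&2; status=1; }
  return "$status"
}

# check_branch [REF]: the real check, run in a checkout with full history
# (fetch-depth: 0). A merge that pulled in pre-initialization history has a
# second root, which is why every root is examined rather than only the first.
check_branch() {
  validate_roots "$(git rev-list --max-parents=0 "${1:-HEAD}")"
}

# Offline demonstration on constructed hashes (not real commits).
clean="$(printf '97e73c5000000000000000000000000000000000\n')"
mixed="$(printf '97e73c5000000000000000000000000000000000\n\nabc1234000000000000000000000000000000000\n')"
validate_roots "$clean" && echo "clean: only the initialization root was found"
validate_roots "$mixed" || echo "blocked: a root outside VALID_ROOTS was found"
```

In the workflow, `check_branch` is the step that runs after `actions/checkout` with `fetch-depth: 0`; with a shallow clone the truncated tip would look like a root and the check would fail spuriously.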
1 file changed: +91 -0 lines changed