Merge pull request #19 from alexphillips-dev/fix/main-history-guard-allows-promotion-merges

Allow main promotion merges in history guard

Author: alexphillips-dev

scripts/main_branch_history_guard.sh

@@ -53,11 +53,72 @@ if [[ -z "${RANGE}" ]]; then
   exit 0
 fi
 
+ensure_allowed_merge_refs() {
+  local missing=()
+  local branch=""
+  for branch in dev beta; do
+    if git rev-parse --verify "refs/remotes/origin/${branch}^{commit}" >/dev/null 2>&1; then
+      continue
+    fi
+    missing+=("${branch}")
+  done
+
+  if [[ "${#missing[@]}" -eq 0 ]]; then
+    return
+  fi
+
+  git fetch --no-tags origin "${missing[@]}" >/dev/null 2>&1 || true
+}
+
+merge_commit_allowed() {
+  local commit="${1:-}"
+  local parent_refs=""
+  local parent_list=()
+  local parent_index=0
+  local parent_commit=""
+  local allowed_ref=""
+
+  parent_refs="$(git show -s --format=%P "${commit}" 2>/dev/null || true)"
+  if [[ -z "${parent_refs}" ]]; then
+    return 1
+  fi
+
+  # Non-first parents identify the merged branch tip(s).
+  read -r -a parent_list <<< "${parent_refs}"
+  for (( parent_index=1; parent_index<${#parent_list[@]}; parent_index++ )); do
+    parent_commit="${parent_list[$parent_index]}"
+    for allowed_ref in refs/remotes/origin/dev refs/heads/dev refs/remotes/origin/beta refs/heads/beta; do
+      if ! git rev-parse --verify "${allowed_ref}^{commit}" >/dev/null 2>&1; then
+        continue
+      fi
+      if git merge-base --is-ancestor "${parent_commit}" "${allowed_ref}"; then
+        return 0
+      fi
+    done
+  done
+
+  return 1
+}
+
 MERGES="$(git rev-list --merges "${RANGE}" || true)"
 if [[ -n "${MERGES}" ]]; then
-  echo "ERROR: merge commits are not allowed in the checked main-branch range (${RANGE})." >&2
-  echo "${MERGES}" >&2
-  exit 1
+  BAD_MERGES=()
+  MERGE_COMMIT=""
+
+  ensure_allowed_merge_refs
+
+  while IFS= read -r MERGE_COMMIT; do
+    [[ -z "${MERGE_COMMIT}" ]] && continue
+    if ! merge_commit_allowed "${MERGE_COMMIT}"; then
+      BAD_MERGES+=("${MERGE_COMMIT}")
+    fi
+  done <<< "${MERGES}"
+
+  if [[ "${#BAD_MERGES[@]}" -gt 0 ]]; then
+    echo "ERROR: main-branch merge commits must promote only dev/beta history in the checked range (${RANGE})." >&2
+    printf '%s\n' "${BAD_MERGES[@]}" >&2
+    exit 1
+  fi
 fi
 
 echo "Main branch history guard passed: range=${RANGE}"

tests/versioning-guard.test.mjs

@@ -425,7 +425,8 @@ test('standards guard scripts exist with expected core checks', () => {
     assert.match(mainBranchHistoryGuard, /Main branch history guard skipped/);
     assert.match(mainBranchHistoryGuard, /FVPLUS_MAIN_HISTORY_BASE_REF/);
     assert.match(mainBranchHistoryGuard, /@\{upstream\}\.\.HEAD/);
-    assert.match(mainBranchHistoryGuard, /merge commits are not allowed/);
+    assert.match(mainBranchHistoryGuard, /merge_commit_allowed/);
+    assert.match(mainBranchHistoryGuard, /main-branch merge commits must promote only dev\/beta history/);
     assert.match(mainBranchHistoryGuard, /Main branch history guard passed/);
     assert.match(unraidMatrixSmoke, /FVPLUS_UNRAID_MATRIX/);
     assert.match(unraidMatrixSmoke, /Skipping Unraid matrix smoke checks/);