limit branch names on windows, check required git feature early

linkdata · linkdata · commit 5a83561a2123 · 2026-03-05T11:44:18.000+01:00
diff --git a/.github/workflows/self-test.yml b/.github/workflows/self-test.yml
@@ -57,6 +57,11 @@ jobs:
           git tag v-test
           git push origin v-test
 
+          # Branch used to verify Windows-only branch-name filtering.
+          # '=' is Git-valid but rejected by our Windows compatibility regex.
+          git branch 'feat=compat'
+          git push origin 'feat=compat'
+
           # Detached/tag-only commit (not contained by any remote branch)
           git checkout --detach
           echo "detached-only" > detached-only.txt
@@ -79,6 +84,24 @@ jobs:
           branch: main
           report: reports/report.html
 
+      - name: Run action with Windows-restricted branch charset
+        id: windows_branch
+        continue-on-error: true
+        uses: ./action-src
+        with:
+          coverage: "80%"
+          branch: "feat=compat"
+
+      - name: Verify Windows-only branch filter
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            test "${{ steps.windows_branch.outcome }}" = "failure"
+          else
+            test "${{ steps.windows_branch.outcome }}" = "success"
+          fi
+
       - name: Verify explicit branch run
         shell: bash
         run: |
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ This action has no dependencies except for `git`, a `bash` shell and common *nix
 It supports Linux/macOS runners and Windows runners with Bash tooling (Git Bash/WSL-enabled images such as
 `windows-2025`).
 
-Requires **Git 2.15.0 or newer**.
+Requires **Git 2.15.0 or newer** (the action fails fast on older versions).
 
 ## Usage
 
@@ -34,7 +34,7 @@ If you submitted a detailed HTML report of the coverage to the action, replace t
 - `report` (optional): Path to an HTML report file to publish as `report.html`.
 - `branch` (optional): Source branch override. Recommended for tag-triggered workflows where multiple branches may contain the same tag commit.
   Also recommended for very large or restricted repos to avoid scanning all remote branches during tag-triggered branch resolution.
-  A Git-valid branch name may still be an invalid Windows path component (for example names containing `<`, `>`, `|`, or `"`), which can fail on Windows runners because this action writes files under `<branch>/...`.
+  On Windows runners, the action applies a strict compatibility filter and requires branch names to match `[A-Za-z0-9._/+-]+`.
 
 ## Examples
 
diff --git a/action.yml b/action.yml
@@ -43,6 +43,20 @@ runs:
             printf '%s\n' "${p//\\//}"
           fi
         }
+        detect_and_store_repo_depth_mode() {
+          local shallow
+          if ! shallow="$(git rev-parse --is-shallow-repository 2>/dev/null)"; then
+            echo "gitcoverage requires Git 2.15.0 or newer (missing 'git rev-parse --is-shallow-repository')." >&2
+            exit 1
+          fi
+          if [[ "$shallow" != "true" && "$shallow" != "false" ]]; then
+            echo "Unexpected result from 'git rev-parse --is-shallow-repository': '$shallow'" >&2
+            exit 1
+          fi
+          echo "GITCOVERAGE_IS_SHALLOW_REPOSITORY=$shallow" >> "$GITHUB_ENV"
+        }
+
+        detect_and_store_repo_depth_mode
 
         WORKSPACE_PATH="${GITHUB_WORKSPACE:-$PWD}"
         WORKSPACE_PATH="$(to_posix_path "$WORKSPACE_PATH")"
@@ -125,9 +139,20 @@ runs:
           local b="$1"
           git check-ref-format --branch "$b" >/dev/null 2>&1
         }
+        validate_windows_safe_branch_path_or_fail() {
+          local b="$1"
+          # Only enforce this compatibility check on Windows runners.
+          if [[ "${RUNNER_OS:-}" == "Windows" ]]; then
+            # Keep this intentionally strict and simple for filesystem safety.
+            if ! [[ "$b" =~ ^[A-Za-z0-9._/+-]+$ ]]; then
+              echo "On Windows runners, branch '$b' must match: [A-Za-z0-9._/+-]+" >&2
+              return 1
+            fi
+          fi
+        }
         ensure_tag_resolution_refs() {
           # Only tag-triggered auto-mapping needs full remote-branch refs.
-          if git rev-parse --is-shallow-repository >/dev/null 2>&1 && [[ "$(git rev-parse --is-shallow-repository)" == "true" ]]; then
+          if [[ "$GITCOVERAGE_IS_SHALLOW_REPOSITORY" == "true" ]]; then
             # Fully unshallow if possible so --contains works reliably.
             git fetch --prune --tags --unshallow origin || git fetch --prune --tags --depth=1000 origin
           else
@@ -161,19 +186,19 @@ runs:
             exit 1
           fi
           echo "Using explicit branch input: $BRANCH"
-          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
-          exit 0
         fi
 
         # --- Fast paths: branch refs; never let PR head-ref override tag context ---
-        if [[ "$REF_TYPE" == "tag" || "$REF_FULL" == refs/tags/* ]]; then
-          BRANCH=""
-        elif [[ -n "$HEAD_REF" ]]; then
-          BRANCH="${HEAD_REF}"
-        elif [[ "$REF_TYPE" == "branch" && -n "$REF_NAME" ]]; then
-          BRANCH="${REF_NAME}"
-        else
-          BRANCH=""
+        if [[ -z "$BRANCH" ]]; then
+          if [[ "$REF_TYPE" == "tag" || "$REF_FULL" == refs/tags/* ]]; then
+            BRANCH=""
+          elif [[ -n "$HEAD_REF" ]]; then
+            BRANCH="${HEAD_REF}"
+          elif [[ "$REF_TYPE" == "branch" && -n "$REF_NAME" ]]; then
+            BRANCH="${REF_NAME}"
+          else
+            BRANCH=""
+          fi
         fi
 
         # --- Tag path: map tag -> containing branch ---
@@ -254,6 +279,9 @@ runs:
           echo "Could not determine branch (still detached at a tag). Consider actions/checkout with 'fetch-depth: 0'." >&2
           exit 1
         fi
+        if ! validate_windows_safe_branch_path_or_fail "$BRANCH"; then
+          exit 1
+        fi
 
         echo "Resolved branch: $BRANCH"
         echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
