Describe the bug
validateBranchName() in src/github/operations/branch.ts rejects branch names containing a comma (,), even though git check-ref-format permits commas and GitHub itself accepts them when creating the
branch. When the action runs on a PR whose head branch contains a ,, validation throws before any git operation, and the action fails immediately.
The allowlist regex at src/github/operations/branch.ts:66 is:
const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+-]*$/;
, is not in the character class, so any ref matching the pattern , is rejected regardless of where the comma appears.
The comment above the regex notes that the allowlist exists for injection safety. However, all git invocations in this file go through execFileSync with an argv array (no shell, no interpolation), so ,
carries no injection risk under that model.
To Reproduce
Steps to reproduce the behavior:
- Create a branch whose name contains a comma, e.g. feature/a,b. GitHub accepts the branch.
- Open a PR from that branch.
- Trigger the action on the PR (e.g. an @claude comment) so it hits the open-PR setup path that calls validateBranchName(prData.headRefName) at src/github/operations/branch.ts:169.
- See error in the action logs:
Error: Action failed with error: Invalid branch name: "".
Branch names must start with an alphanumeric character and contain only alphanumeric
characters, forward slashes, hyphens, underscores, periods, hashes (#), or plus signs (+).
Expected behavior
The action should accept any ref name that git check-ref-format --branch accepts and that GitHub itself has already accepted, including names containing ,. The PR's head branch should be fetched and checked
out normally.
The minimum fix is to add , to the character class:
const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+,-]*$/;
A broader fix would be to align the allowlist with git check-ref-format's actual rules (blocklist the characters git disallows — ~^:?*[, control chars, and space — rather than maintaining a narrow
allowlist).
Suggested test addition:
it("accepts branch names containing commas", () => {
expect(() => validateBranchName("feature/a,b")).not.toThrow();
});
Screenshots
N/A — failure is in the action logs (text above).
Workflow yml file
N/A — the bug is independent of workflow configuration. It reproduces on any workflow that invokes the action on a PR whose head branch contains a comma.
API Provider
[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex
(API provider is not relevant — failure occurs in prepare, before Claude is invoked.)
Additional context
- The validation runs in-process inside the action, before any git or GitHub API call, so the branch already exists on GitHub by the time the action fails.
- Workaround: rename the PR's head branch to remove the , before triggering the action. Not always practical when branch names are generated from titles or external identifiers.
- Impact: any consumer whose branch-naming convention can produce a , (common when names are derived from titles, place names, or external system identifiers) is silently blocked from using the action on
those PRs.
Describe the bug
validateBranchName()insrc/github/operations/branch.tsrejects branch names containing a comma (,), even thoughgit check-ref-formatpermits commas and GitHub itself accepts them when creating thebranch. When the action runs on a PR whose head branch contains a
,, validation throws before any git operation, and the action fails immediately.The allowlist regex at
src/github/operations/branch.ts:66is:, is not in the character class, so any ref matching the pattern , is rejected regardless of where the comma appears.
The comment above the regex notes that the allowlist exists for injection safety. However, all git invocations in this file go through execFileSync with an argv array (no shell, no interpolation), so ,
carries no injection risk under that model.
To Reproduce
Steps to reproduce the behavior:
Error: Action failed with error: Invalid branch name: "".
Branch names must start with an alphanumeric character and contain only alphanumeric
characters, forward slashes, hyphens, underscores, periods, hashes (#), or plus signs (+).
Expected behavior
The action should accept any ref name that git check-ref-format --branch accepts and that GitHub itself has already accepted, including names containing ,. The PR's head branch should be fetched and checked
out normally.
The minimum fix is to add , to the character class:
const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+,-]*$/;
A broader fix would be to align the allowlist with git check-ref-format's actual rules (blocklist the characters git disallows — ~^:?*[, control chars, and space — rather than maintaining a narrow
allowlist).
Suggested test addition:
it("accepts branch names containing commas", () => {
expect(() => validateBranchName("feature/a,b")).not.toThrow();
});
Screenshots
N/A — failure is in the action logs (text above).
Workflow yml file
N/A — the bug is independent of workflow configuration. It reproduces on any workflow that invokes the action on a PR whose head branch contains a comma.
API Provider
[x] Anthropic First-Party API (default)
[ ] AWS Bedrock
[ ] GCP Vertex
(API provider is not relevant — failure occurs in prepare, before Claude is invoked.)
Additional context
those PRs.