fix: strip git name-rev suffix operators from detected branch name #189
Merged
Martin Torp (mtorp) merged 1 commit into main from Apr 17, 2026
In detached-HEAD CI checkouts (common in Buildkite/CircleCI/Jenkins/etc.
where none of the GitHub/GitLab/Bitbucket CI env vars are recognized),
the Python CLI falls back to `git name-rev --name-only HEAD` to detect
the current branch. When the checked-out SHA is not exactly at a branch
tip (e.g. master moved forward after the pipeline started), name-rev
returns strings like `remotes/origin/master~1` or `master^0`. The
previous split('/')[-1] cleanup kept the `~N`/`^N` suffix, which the
Socket API then rejected with "Invalid branch name".
Strip anything from the first `~` or `^` onward before the prefix
split. Both characters are forbidden in git ref names per
check-ref-format(1), so truncating at them is always safe.
Assisted-by: Claude Code:opus-4-7
🚀 Preview package published! Install with: `pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.83.dev2`
Docker image:
Benjamin Barslev Nielsen (barslev)
approved these changes
Apr 17, 2026
Summary

In detached-HEAD CI checkouts (Buildkite, CircleCI, Jenkins, and anything else not explicitly detected via `GITHUB_REF`/`CI_COMMIT_BRANCH`/`BITBUCKET_BRANCH`), the CLI falls back to `git name-rev --name-only HEAD` for branch detection. When the checked-out SHA isn't exactly at a branch tip — typically because a new commit landed on the target branch between pipeline trigger and scan start — `name-rev` returns output with a suffix operator:

- `remotes/origin/master~1` (one commit behind master)
- `master^0` (alternate form for exact tip)
- `remotes/origin/master~3^2`

The existing `split('/')[-1]` cleanup only strips the `remotes/origin/` prefix; the `~N`/`^N` suffix survived and was sent to the Socket API as the branch name. The API then rejected it because `~` and `^` are forbidden characters in Git ref names, producing the error:

The fix strips anything from the first `~` or `^` onward before the prefix split. Both characters are forbidden in Git ref names per `check-ref-format(1)`, so cutting at them can never truncate a real branch name.

Verification

Reproduced end-to-end against a test repo in detached HEAD where `git name-rev --name-only HEAD` returned `remotes/origin/master~1`:

- `socketsecurity==2.2.81` (unpatched): `branch=master~1`
- `branch=master`

Test plan

- `Git(path).branch` returns `master` when `git name-rev` outputs `remotes/origin/master~1`
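
The cleanup described in this PR, as an added example that is not the project's own code. The function names and sample inputs are constructed here; the final validity check against a subset of `check-ref-format(1)` rules and the handling of name-rev's literal `undefined` output are assumptions that go beyond what the PR states.

```python
import re

# Subset of the characters check-ref-format(1) forbids in a ref name.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")
# Revision suffix operators that name-rev appends (~N, ^N).
_SUFFIX = re.compile(r"[~^]")


def is_valid_branch(name):
    """Conservative subset of check-ref-format(1) rules for one component."""
    if not name or _FORBIDDEN.search(name):
        return False
    if ".." in name or "@{" in name or name == "@":
        return False
    if name.startswith(".") or name.endswith(".") or name.endswith(".lock"):
        return False
    return True


def branch_from_name_rev(raw):
    """Turn `git name-rev --name-only HEAD` output into a bare branch name.

    Returns None when no usable name can be recovered, so the caller can
    fall back to something else instead of sending a bad value to an API.
    """
    name = raw.strip()
    # name-rev prints the literal "undefined" when no ref reaches the commit.
    if not name or name == "undefined":
        return None
    # Cut at the first ~ or ^: everything after it is a revision operator.
    name = _SUFFIX.split(name, maxsplit=1)[0]
    # Prefix cleanup as described on the page: keep the last path component.
    name = name.split("/")[-1]
    return name if is_valid_branch(name) else None


# Constructed name-rev outputs; the first three forms appear on the page.
SAMPLES = {
    "remotes/origin/master~1": "master",
    "master^0": "master",
    "remotes/origin/master~3^2": "master",
    "remotes/origin/main": "main",
    "undefined": None,
    "~1": None,
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        got = branch_from_name_rev(raw + "\n")
        print(f"{raw!r:32} -> {got!r} (expected {expected!r})")
```

Because the prefix cleanup keeps only the last path component, a branch whose name contains a slash is reduced to its final component.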