branchprotector: excluded branches retain existing protection instead of being removed #477

Open
@kaovilai

Issue

When a branch is added to the exclude list in branchprotector configuration, the tool correctly stops applying new protection rules but does not remove existing protection from branches that were previously protected.

Impact

Branches that match exclusion patterns (e.g., ^konflux-, ^dependabot/) remain protected on GitHub even though they are excluded in the configuration. This causes push failures when users expect these branches to be unprotected:

remote: error: GH006: Protected branch update failed for refs/heads/konflux-oadp-operator-oadp-1-5.
remote: - Changes must be made through a pull request.
! [remote rejected] konflux-oadp-operator-oadp-1-5 -> konflux-oadp-operator-oadp-1-5 (protected branch hook declined)

While branchprotector logs show the branch as excluded:

"msg":"openshift/oadp-operator=konflux-oadp-operator-oadp-1-5: excluded"

Root Cause

In cmd/branchprotector/protect.go:341-343, excluded branches are filtered out early and never added to the updates channel. The protection removal logic at lines 184-188 only triggers when Request is set to nil, but excluded branches bypass this mechanism entirely.

Workaround

  1. Temporarily remove the branch pattern from the exclude list
  2. Let branchprotector run once to detect the branch should be unmanaged (triggering removal)
  3. Add the pattern back to the exclude list

Alternatively, manually remove branch protection via GitHub's web interface or API.
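
An added example, not part of the issue and not branchprotector's own code: a Go audit that reads the "excluded" log messages quoted above and reports which of those branches are still protected, so they can be unprotected by hand. It assumes JSON log lines with a msg field; the function names, the sample log lines and the protection map (standing in for state fetched from GitHub's API) are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample log lines; only the "msg" shape comes from the issue.
var sampleLog = []string{
	`{"level":"info","msg":"openshift/oadp-operator=konflux-oadp-operator-oadp-1-5: excluded"}`,
	`{"level":"info","msg":"openshift/oadp-operator=dependabot/example: excluded"}`,
	`not a JSON line`,
}

// Constructed protection state, standing in for what GitHub reports per branch.
var sampleProtected = map[string]bool{
	"openshift/oadp-operator=konflux-oadp-operator-oadp-1-5": true,
	"openshift/oadp-operator=dependabot/example":             false,
}

// excludedBranches returns the "org/repo=branch" keys logged as excluded.
func excludedBranches(lines []string) []string {
	var out []string
	for _, l := range lines {
		var rec struct{ Msg string } // encoding/json matches "msg" case-insensitively
		err := json.Unmarshal([]byte(l), &rec)
		key := strings.TrimSuffix(rec.Msg, ": excluded")
		if err == nil && key != rec.Msg && strings.Contains(key, "=") {
			out = append(out, key)
		}
	}
	return out
}

// staleProtection lists excluded branches that are still protected.
func staleProtection(lines []string, protected map[string]bool) []string {
	var stale []string
	for _, key := range excludedBranches(lines) {
		if protected[key] {
			stale = append(stale, key)
		}
	}
	return stale
}

func main() {
	fmt.Println("excluded but still protected:", staleProtection(sampleLog, sampleProtected))
}
```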
