From aaf49010d76767c916ac13352b6b3dd3571ed9be Mon Sep 17 00:00:00 2001 
From: Jake Mahon
Date: Wed, 14 Jan 2026 07:30:39 -0500
Subject: [PATCH 1/2] Add workflow to validate branch ancestry and prevent old git history
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This workflow prevents branches containing pre-initialization git history from being merged into dev/main, protecting against re-introduction of sensitive data that was removed during repository re-initialization.

## How It Works

The workflow runs on every push and pull request, performing these steps:

1. Checks out full git history (fetch-depth: 0)
2. Finds ALL root commits of the branch using git rev-list --max-parents=0
3. Validates each root commit against a list of valid initialization commits
4. FAILS if ANY root commit doesn't match the valid list
5. PASSES if all root commits are valid

Valid root commit: 97e73c5cc4a29296024f23499ef5e60bc7db755b

## What Happens When It Runs

**Valid Branch (created from current dev/main):**
- Workflow passes with ✅
- Branch can proceed to merge (if other checks pass)

**Invalid Branch (contains old git history):**
- Workflow FAILS with clear error message
- Shows which root commits are invalid
- Provides step-by-step remediation instructions
- Branch CANNOT be merged if branch protection is configured

## Security Features

- Multi-root detection: Handles merged branches with multiple histories
- Empty line handling: Robust parsing of git output
- Clear error messages: Developers know exactly how to fix the issue
- Minimal permissions: Only requires contents:read and pull-requests:read
- No tokens needed: Uses built-in GITHUB_TOKEN automatically
- Timeout protection: 10-minute limit prevents runaway workflows

## Branch Protection Configuration Required

After merging, these branch protection rules MUST be configured to actually block invalid branches from merging:

### For 'dev' branch:

1. Go to: Settings → Branches → Edit 'dev' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes

### For 'main' branch:

1. Go to: Settings → Branches → Edit 'main' protection rule
2. Under 'Require status checks to pass before merging'
3. Click 'Add status check'
4. Search for and add: 'Validate Clean History'
5. Save changes

**IMPORTANT:** Without this configuration, the workflow will alert but will NOT block merges. The check must run successfully at least once before it appears in the status check dropdown.

## Future Maintenance

If the repository is re-initialized again:

1. Edit .github/workflows/validate-branch-history.yml
2. Add the new root commit to VALID_ROOTS array (line 32)
3. Commit and push the change

## No Configuration Needed

- No secrets or tokens to configure
- No repository variables to set
- Uses built-in GITHUB_TOKEN automatically
- Works immediately upon merge

Only action required: Configure branch protection rules (see above).
---
 .github/workflows/validate-branch-history.yml | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 .github/workflows/validate-branch-history.yml

diff --git a/.github/workflows/validate-branch-history.yml b/.github/workflows/validate-branch-history.yml
new file mode 100644
index 0000000000..e11f1c2624
--- /dev/null
+++ b/.github/workflows/validate-branch-history.yml
@@ -0,0 +1,91 @@ +name: Validate Branch History + +on: + push: + branches: + - '**' + pull_request: + types: [opened, synchronize, reopened] + +env: + SECURITY_CONTACT: 'netwrix/docs-admins' + +jobs: + validate-history: + name: Validate Clean History + runs-on: ubuntu-latest + timeout-minutes: 10 + permissions: + contents: read + pull-requests: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check branch ancestry + id: check_ancestry + run: | + # Valid root commits + VALID_ROOTS=( + "97e73c5cc4a29296024f23499ef5e60bc7db755b" + ) + + echo "🔍 Validating branch ancestry..." + + # Get ALL root commits (handles merged branches with multiple roots) + BRANCH_ROOTS=$(git rev-list --max-parents=0 HEAD) + + echo "Found root commit(s):" + echo "$BRANCH_ROOTS" + + # Check each root commit + INVALID_ROOTS=() + while IFS= read -r branch_root; do + # Skip empty lines + [[ -z "$branch_root" ]] && continue + + VALID=false + for valid_root in "${VALID_ROOTS[@]}"; do + if [ "$branch_root" = "$valid_root" ]; then + VALID=true + break + fi + done + + if [ "$VALID" = false ]; then + INVALID_ROOTS+=("$branch_root") + fi + done <<< "$BRANCH_ROOTS" + + # If any invalid roots found, fail + if [ ${#INVALID_ROOTS[@]} -gt 0 ]; then + echo "❌ ERROR: This branch contains invalid root commits" + echo "" + echo "Expected all root commits to be one of:" + for root in "${VALID_ROOTS[@]}"; do + echo " - $root" + done + echo "" + echo "Found invalid root commit(s):" + for invalid in "${INVALID_ROOTS[@]}"; do + echo " - $invalid" + done + echo "" + echo "This repository was re-initialized to remove sensitive data from git history." + echo "Branches must be created from the current dev/main branches." + echo "" + echo "To fix this:" + echo "1. Save your changes as a patch: git diff origin/dev > my-changes.patch" + echo "2. Create a fresh branch from current dev: git checkout -b my-branch origin/dev" + echo "3. 
Apply your patch: git apply my-changes.patch" + echo "4. Commit and push the clean branch" + echo "5. Delete the invalid branch (replace BRANCH_NAME with your branch name):" + echo " git push origin --delete BRANCH_NAME" + echo "" + echo "Contact @${{ env.SECURITY_CONTACT }} if you need assistance." + exit 1 + fi + + echo "✅ Branch ancestry validation passed" From b3ed7aab9c277c25402de563a692db68268eb4a7 Mon Sep 17 00:00:00 2001 From: Jake Mahon Date: Thu, 15 Jan 2026 09:26:01 -0500 Subject: [PATCH 2/2] Optimize workflow triggers to prevent unnecessary runs - Run on pushes to feature branches (exclude main/dev) - Run on PRs targeting main or dev branches only - Prevents redundant runs on protected target branches --- .github/workflows/validate-branch-history.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/validate-branch-history.yml b/.github/workflows/validate-branch-history.yml index e11f1c2624..b2b453ed40 100644 --- a/.github/workflows/validate-branch-history.yml +++ b/.github/workflows/validate-branch-history.yml @@ -4,7 +4,12 @@ on: push: branches: - '**' + - '!main' + - '!dev' pull_request: + branches: + - main + - dev types: [opened, synchronize, reopened] env:
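Review bot: in the `Check branch ancestry` step of the first hunk, the `run:` script expands `${{ env.SECURITY_CONTACT }}` inline (`echo "Contact @${{ env.SECURITY_CONTACT }} if you need assistance."`) even though `SECURITY_CONTACT` is already exported to the shell by the top-level `env:` block; reading it as `$SECURITY_CONTACT` keeps the script free of `${{ }}` interpolation, which is the construct that becomes command injection the day someone swaps the constant for an attacker-influenced value such as a PR title or branch name. Here the value is a workflow-file constant, so this is hardening rather than a bug. Two smaller points on the same hunk: `pull-requests: read` is not used by any step (the only action is `actions/checkout@v4`, which needs `contents: read`), so it can be dropped to match the "minimal permissions" claim in the commit message; and because the step only compares the output of `git rev-list --max-parents=0 HEAD` against `VALID_ROOTS`, it validates ancestry, not content, so a branch that re-adds the removed data in a fresh commit on the clean root passes cleanly; a one-line comment above `VALID_ROOTS` (or a sentence in the commit message) should say so, so nobody treats this job as a secret-scanning control.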
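Review bot: the second hunk's `push` trigger now excludes the protected branches (`- '!main'`, `- '!dev'`), so the check never runs against `main` or `dev` themselves; a direct push by an account that can bypass branch protection, or a merge performed outside a pull request, lands on those branches without ever producing a failing run, and a bad root in the base branch would only surface on the next PR's merge commit. The commit message calls the post-merge run redundant, which holds for PR merges (the merge commit checked on `pull_request` has the same set of root commits as the resulting branch head) but not for direct pushes; keeping `main` and `dev` in the `push` list costs one short run per merge and preserves a failing-run record on the branches this workflow exists to protect. The `pull_request.branches` filter on `main`/`dev` is fine as written, since it matches on the base branch, which is the target the ancestry check is meant to guard.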