From ce25fc0c73857973d4f53d3916ff7819c0adf360 Mon Sep 17 00:00:00 2001
From: Sudo-Ivan
Date: Thu, 1 Jan 2026 19:13:38 -0600
Subject: [PATCH] feat(build): enhance version validation in build workflow to prevent branch names as version tags
---
 .gitea/workflows/build.yml | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index a06f765..cbb9982 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -36,7 +36,15 @@ jobs:
 if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ -n "${{ github.event.inputs.version }}" ]; then
 echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
 elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
- echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+ VERSION="${GITHUB_REF#refs/tags/}"
+ if [ -z "${VERSION}" ]; then
+ VERSION="${{ github.ref_name }}"
+ fi
+ if [ "${VERSION}" = "master" ] || [ "${VERSION}" = "main" ]; then
+ echo "Error: Invalid tag name '${VERSION}'. Tag name cannot be a branch name." >&2
+ exit 1
+ fi
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
 else
 SHORT_SHA=$(git rev-parse --short HEAD)
 echo "version=${SHORT_SHA}" >> $GITHUB_OUTPUT
@@ -104,6 +112,19 @@ jobs:
 fi
 done

+ - name: Validate version
+ run: |
+ VERSION="${{ steps.version.outputs.version }}"
+ if [ -z "${VERSION}" ]; then
+ echo "Error: Version is empty" >&2
+ exit 1
+ fi
+ if [ "${VERSION}" = "master" ] || [ "${VERSION}" = "main" ]; then
+ echo "Error: Invalid version '${VERSION}'. Version cannot be a branch name." >&2
+ exit 1
+ fi
+ echo "Using version: ${VERSION}"
+
 - name: Create Release
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
 uses: https://git.quad4.io/actions/gitea-release-action@4875285c0950474efb7ca2df55233c51333eeb74 # v1
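Review bot: The fallback `VERSION="${{ github.ref_name }}"` is expanded into the script text before the shell parses it, so a tag name containing shell metacharacters is evaluated as code instead of being treated as data. The surrounding `github.event.inputs.version` lines and `VERSION="${{ steps.version.outputs.version }}"` in the new Validate version step follow the same pattern. Passing the value through the step's `env:` mapping keeps it as data: add `REF_NAME: ${{ github.ref_name }}` under `env:` and read it as `VERSION="${REF_NAME}"`. The fallback also looks unreachable, because this branch is only entered when the ref matches `refs/tags/*`, which should leave `${GITHUB_REF#refs/tags/}` non-empty unless the two ref sources disagree. The step header is outside the hunk, so the `env:` addition belongs there.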
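Review bot: The Validate version step rejects only an empty value and the two literal names `master` and `main`, so any other branch name or malformed string still reaches Create Release as the version. That includes whatever is typed into the `workflow_dispatch` input handled in the first hunk. An allow-list on the expected character set is tighter and still accepts both tags and the short-SHA fallback, for example `if ! [[ "${VERSION}" =~ ^[A-Za-z0-9._-]+$ ]]; then echo "Error: unexpected version format" >&2; exit 1; fi`. The step is also inserted after earlier steps of the job, which are outside the hunk; if any of them already consume `steps.version.outputs.version`, the check would be better placed directly after the version step.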