feat: enforce allowed branches for git commits and jobs

src/web/gitCommit.ts

@@ -15,6 +15,7 @@ import { CHANNELS } from "../config";
 import { client, db } from "../index";
 
 const configured_channel = CHANNELS.UPDATES;
+export const ALLOWED_BRANCHES = ["main", "master", "dev"];
 
 export default async function gitCommitPOST(app: Express) {
     app.post("/git-commit", async (req: Request, res: Response) => {
@@ -42,6 +43,14 @@ export default async function gitCommitPOST(app: Express) {
             const headCommit = body.head_commit;
             const ref: string = body.ref ?? "";
             const branch = ref.replace("refs/heads/", "");
+
+            if (!ALLOWED_BRANCHES.includes(branch) && !ref.startsWith("refs/tags/")) {
+                return res.status(200).json({
+                    success: true,
+                    message: `Branch '${branch}' not in allowed list`,
+                });
+            }
+
             const compareUrl: string = body.compare ?? "";
             const forced: boolean = body.forced ?? false;
 

src/web/gitJob.ts

@@ -13,6 +13,7 @@ import {
 } from "discord.js";
 import { CHANNELS } from "../config";
 import { client, db } from "../index";
+import { ALLOWED_BRANCHES } from "./gitCommit";
 
 const configured_channel = CHANNELS.UPDATES;
 const EDIT_COOLDOWN_MS = 2000;
@@ -221,6 +222,15 @@ export default async function gitJobPOST(app: Express) {
             }
 
             const head_sha: string = job.head_sha;
+            const branch: string = (job.head_branch as string) || "";
+
+            if (!ALLOWED_BRANCHES.includes(branch)) {
+                return res.status(200).json({
+                    success: true,
+                    message: `Branch '${branch}' not in allowed list`,
+                });
+            }
+
             const jobName: string = job.name;
             const status: string = job.status;
             const conclusion: string | null = job.conclusion ?? null;