From 984573774e6784a164154c2f7e2653db8865502f Mon Sep 17 00:00:00 2001
From: Jonathan Miller <230051081+jmiller-moko@users.noreply.github.com>
Date: Thu, 18 Dec 2025 18:51:31 -0600
Subject: [PATCH] Update version_branch.yml
---
 .github/workflows/version_branch.yml | 43 ++++++++++++++--------------
 1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/version_branch.yml b/.github/workflows/version_branch.yml
index b3abe91..9b68824 100644
--- a/.github/workflows/version_branch.yml
+++ b/.github/workflows/version_branch.yml
@@ -60,7 +60,7 @@ jobs:
 env:
 NEW_VERSION: ${{ github.event.inputs.new_version }}
 BASE_BRANCH: ${{ github.ref_name }}
- BRANCH_PREFIX: version/dev/
+ BRANCH_PREFIX: dev/
 COMMIT_CHANGES: ${{ github.event.inputs.commit_changes }}
 ERROR_LOG: /tmp/version_branch_errors.log
 CI_HELPERS: /tmp/moko_ci_helpers.sh
@@ -238,10 +238,10 @@ jobs:
 text = p.read_text(encoding='utf-8', errors='replace').splitlines(True)
- todo_re = re.compile(r'^[ \t]*##[ \t]*(?:\[[ \t]*TODO[ \t]*\]|TODO)[ \t]*$', re.IGNORECASE)
- bullet_re = re.compile(r'^[ \t]*[-*+][ \t]+')
- blank_re = re.compile(r'^[ \t]*$')
- unreleased_re = re.compile(r'^[ \t]*##[ \t]*(?:\[[ \t]*UNRELEASED[ \t]*\]|UNRELEASED)[ \t]*$', re.IGNORECASE)
+ todo_re = re.compile(r'^[ ]*##[ ]*(?:\[[ ]*TODO[ ]*\]|TODO)[ ]*$', re.IGNORECASE)
+ bullet_re = re.compile(r'^[ ]*[-*+][ ]+')
+ blank_re = re.compile(r'^[ ]*$')
+ unreleased_re = re.compile(r'^[ ]*##[ ]*(?:\[[ ]*UNRELEASED[ ]*\]|UNRELEASED)[ ]*$', re.IGNORECASE)
 idx = None
 for i, line in enumerate(text):
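Review bot: The four replacement patterns in the `@@ -238` hunk use `[ ]` where the removed ones used `[ \t]`, so as shown they no longer match tab-indented or tab-separated `## TODO` / `## UNRELEASED` headings, bullets, or blank lines containing a tab. If a literal tab was intended inside the class (it may have been lost in this rendering), that is fragile in a YAML block scalar, since editors and formatters convert tabs silently and the regex then changes meaning without a visible diff. Keeping the escaped form is unambiguous, for example `blank_re = re.compile(r'^[ \t]*$')`. The same substitution appears in `header_re` in the `@@ -349` and `@@ -460` hunks, where a missed `VERSION:` header would mean the bump or the consistency audit skips that file rather than failing. The enclosing Python block starts and ends outside the hunk.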
@@ -349,14 +349,14 @@ jobs: stamp = datetime.now(timezone.utc).strftime('%Y-%m-%d') root = Path('.').resolve() - header_re = re.compile(r'(?im)(VERSION[ \t]*:[ \t]*)([0-9]{2}[.][0-9]{2}[.][0-9]{2})') + header_re = re.compile(r'(?im)(VERSION[ ]*:[ ]*)([0-9]{2}[.][0-9]{2}[.][0-9]{2})') manifest_marker_re = re.compile(r'(?is))([^<]*?)()') + xml_version_re = re.compile(r'(?is)()([^<]*?)()') xml_date_res = [ - re.compile(r'(?is)()([^<]*?)()'), - re.compile(r'(?is)()([^<]*?)()'), - re.compile(r'(?is)()([^<]*?)()'), + re.compile(r'(?is)()([^<]*?)()'), + re.compile(r'(?is)()([^<]*?)()'), + re.compile(r'(?is)()([^<]*?)()'), ] skip_ext = { @@ -460,8 +460,8 @@ jobs: root = Path('.').resolve() skip_dirs = {'.git', '.github', 'node_modules', 'vendor', '.venv', 'dist', 'build'} - header_re = re.compile(r'(?im)VERSION[ \t]*:[ \t]*([0-9]{2}[.][0-9]{2}[.][0-9]{2})') - xml_version_re = re.compile(r'(?is)([^<]*?)') + header_re = re.compile(r'(?im)VERSION[ ]*:[ ]*([0-9]{2}[.][0-9]{2}[.][0-9]{2})') + xml_version_re = re.compile(r'(?is)([^<]*?)') mismatches = [] 
@@ -497,35 +497,34 @@ jobs: print('[INFO] Version consistency audit passed') PY - - name: Change scope allowlist (block unexpected edits) + - name: Change scope guard (block .github edits) run: | source "$CI_HELPERS" - moko_init "Change scope allowlist" + moko_init "Change scope guard" if [[ -z "$(git status --porcelain=v1)" ]]; then - echo "[INFO] No changes detected. Scope gate skipped." + echo "[INFO] No changes detected. Scope guard skipped." exit 0 fi echo "[INFO] Evaluating changed paths" git diff --name-only > /tmp/changed_paths.txt - allow_re='^(CHANGELOG[.]md|src/.*[.]xml|.*templateDetails[.]xml|.*manifest.*[.]xml|.*[.]md|[.]github/version-bump-report[.]json)$' - bad=0 while IFS= read -r p; do - if [[ ! "${p}" =~ ${allow_re} ]]; then - echo "[ERROR] Unexpected file modified by version workflow: ${p}" >&2 + if [[ "$p" == .github/* ]] && [[ "$p" != .github/version-bump-report.json ]]; then + echo "[ERROR] .github change is not permitted by this workflow: $p" >&2 bad=1 fi done < /tmp/changed_paths.txt - if [[ "${bad}" -ne 0 ]]; then - echo "[FATAL] Scope gate failed. Update allowlist or adjust bump targeting." >&2 + if [[ "$bad" -ne 0 ]]; then + echo "[FATAL] Change scope guard failed. Workflow attempted to modify .github content." >&2 + echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) | Change scope guard | attempted .github modifications" >> "$ERROR_LOG" || true exit 2 fi - echo "[INFO] Scope gate passed" + echo "[INFO] Scope guard passed" - name: Publish audit trail to job summary if: always()
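Review bot: The rewritten loop turns the scope check from fail-closed to fail-open: the removed `allow_re` rejected every path outside a short list, while the new test `[[ "$p" == .github/* ]]` rejects only `.github` content, so any other tracked file the bump step rewrites now passes the guard and, assuming a later step commits the tree, lands on the branch. If the allowlist was too narrow, widening `allow_re` and keeping the `.github` test as an additional deny rule preserves the protection against unexpected edits. Separately, the path list comes from `git diff --name-only`, which omits untracked and already-staged files, so a file newly created under `.github/` would never reach the loop even though the `git status --porcelain=v1` check above sees it; `{ git diff --name-only HEAD; git ls-files --others --exclude-standard; } > /tmp/changed_paths.txt` covers both cases.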