From 642e48ea9bc8adb35a44677d0860472b9a4573d0 Mon Sep 17 00:00:00 2001
From: John Myers
Date: Mon, 16 Mar 2026 16:02:28 -0700
Subject: [PATCH] fix: use dedicated vouched branch to avoid branch protection
Branch protection on main blocks direct commits from workflows. Use a dedicated 'vouched' branch (same pattern as DCO signatures branch) for VOUCHED.td storage. Both vouch-command writes and vouch-check reads now use the vouched branch. The branch is auto-created from main on the first vouch.
Signed-off-by: John Myers
---
 .github/workflows/vouch-check.yml | 6 +++---
 .github/workflows/vouch-command.yml | 30 +++++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml
index 08d9e829..642a9db1 100644
--- a/.github/workflows/vouch-check.yml
+++ b/.github/workflows/vouch-check.yml
@@ -59,15 +59,15 @@ jobs:
 }
 }
- // Check the VOUCHED.td file. Read from the default branch, NOT the
- // PR branch — the PR author could add themselves in their fork.
+ // Check the VOUCHED.td file on the dedicated "vouched" branch.
+ // NOT the PR branch — the PR author could add themselves in their fork.
 let vouched = false;
 try {
 const { data } = await github.rest.repos.getContent({
 owner: context.repo.owner,
 repo: context.repo.repo,
 path: '.github/VOUCHED.td',
- ref: context.payload.repository.default_branch,
+ ref: 'vouched',
 });
 const content = Buffer.from(data.content, 'base64').toString('utf-8');
 const usernames = content
diff --git a/.github/workflows/vouch-command.yml b/.github/workflows/vouch-command.yml
index b1aa3bfe..af4fcca4 100644
--- a/.github/workflows/vouch-command.yml
+++ b/.github/workflows/vouch-command.yml
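Review bot: The trust argument in the rewritten comment at `ref: 'vouched'` no longer holds as written: the old code read the allow-list from the protected default branch, where edits had to go through review, while the new `vouched` branch exists precisely because it is unprotected, so (per the commit message) any principal with push access to the repository can add a username without review, not just the vouch-command workflow. The same assumption is built into the branch creation in vouch-command.yml. At minimum the comment should state it, e.g. `// "vouched" is intentionally unprotected so the workflow can push to it; anyone with push access can edit this list.`, and if the platform allows, a ruleset that restricts pushes to `vouched` to the workflow actor would restore the property the comment relies on. The enclosing `try` continues outside the hunk, so I cannot confirm how a missing `vouched` branch (404) is handled on the check side; it should resolve to `vouched = false`.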
@@ -75,7 +75,33 @@ jobs:
 // --- Read VOUCHED.td ---
 const filePath = '.github/VOUCHED.td';
- const branch = context.payload.repository.default_branch;
+ const branch = 'vouched';
+
+ // Ensure the "vouched" branch exists. If not, create it from main.
+ try {
+ await github.rest.repos.getBranch({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ branch,
+ });
+ } catch (e) {
+ if (e.status === 404) {
+ console.log('Creating "vouched" branch from main.');
+ const { data: mainRef } = await github.rest.git.getRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: `heads/${context.payload.repository.default_branch}`,
+ });
+ await github.rest.git.createRef({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ ref: 'refs/heads/vouched',
+ sha: mainRef.object.sha,
+ });
+ } else {
+ throw e;
+ }
+ }
 let currentContent = '';
 let sha = '';
@@ -89,7 +115,7 @@ jobs:
 currentContent = Buffer.from(data.content, 'base64').toString('utf-8');
 sha = data.sha;
 } catch (e) {
- console.log(`Could not read VOUCHED.td: ${e.message}`);
+ console.log(`Could not read VOUCHED.td on "${branch}" branch: ${e.message}`);
 return;
 }
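Review bot: The `createRef` call in the 404 branch has no handling for the case where two vouch commands run concurrently and both observe the missing branch: the second `createRef` would presumably fail with a "reference already exists" error and abort that run, since only the `getBranch` failure is caught. A narrow catch around `createRef` that tolerates an already-existing ref (re-checking with `getBranch`) and rethrows anything else would make first-vouch racing safe. Two smaller consistency points: the comment and log message say "main" while the code uses `context.payload.repository.default_branch`, so ``console.log(`Creating "vouched" branch from ${context.payload.repository.default_branch}.`);`` would keep them honest, and `ref: 'refs/heads/vouched'` duplicates the literal already held in `branch`; `` ref: `refs/heads/${branch}`, `` keeps a single source of truth.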
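Review bot: With the new branch model a read failure here is no longer purely an error state: on a freshly created `vouched` branch, `VOUCHED.td` is exactly what was on the default branch, so if the file does not exist there yet the `return` silently ends the vouch command with nothing written, and the only trace is a log line. If an absent file is a legitimate first-run state, `if (e.status === 404) { currentContent = ''; } else { ... return; }` (or a `core.setFailed`) would distinguish "empty list" from "could not read"; if the file is expected to always exist, a comment saying so at the `return` would spare the next reader the question. The `try` this `catch` belongs to begins outside the hunk.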