Executes a validation before the job to ensure that a branch called dependabot does not exist

yeikel · yeikel · commit 6c7545f7b9e0 · 2026-02-18T14:26:52.000-05:00
If a branch named `dependabot` already exists, branches in the format `dependabot/&lt;name&gt;` cannot be created because Git does not allow a ref to be both a file and a directory
diff --git a/common/lib/dependabot/errors.rb b/common/lib/dependabot/errors.rb
@@ -52,6 +52,13 @@ def self.fetcher_error_details(error)
           message: error.message
         }
       }
+    when Dependabot::RefNamespaceConflictError
+      {
+        "error-type": "file_fetcher_error",
+        "error-detail": {
+          message: error.message
+        }
+      }
     when Dependabot::DirectoryNotFound
       {
         "error-type": "directory_not_found",
@@ -469,6 +476,8 @@ class NotImplemented < DependabotError; end
 
   class InvalidGitAuthToken < DependabotError; end
 
+  class RefNamespaceConflictError < DependabotError; end
+
   #####################
   # Repo level errors #
   #####################
diff --git a/updater/lib/dependabot/file_fetcher_command.rb b/updater/lib/dependabot/file_fetcher_command.rb
@@ -31,6 +31,7 @@ def perform_job # rubocop:disable Metrics/AbcSize
         begin
           connectivity_check if ENV["ENABLE_CONNECTIVITY_CHECK"] == "1"
           validate_target_branch
+          dependabot_ref_namespace_available?
           clone_repo_contents
           @base_commit_sha = file_fetcher.commit
           raise "base commit SHA not found" unless @base_commit_sha
@@ -211,6 +212,26 @@ def with_retries(max_retries: 2, &_block)
       end
     end
 
+    # Validates that the repository does not have a top-level branch named `dependabot`.
+    sig { void }
+    def dependabot_ref_namespace_available?
+      dependabot_branch = "dependabot"
+      begin
+        branch_exists = git_metadata_fetcher.ref_names.include?(dependabot_branch)
+        if branch_exists
+          error_message = "Branch '#{dependabot_branch}' already exists and causes a Git ref namespace conflict. " \
+                          "Git can’t create `dependabot/...` branches while the branch `dependabot` exists." \
+                          "Please delete the '#{dependabot_branch}' branch and retry."
+          raise Dependabot::RefNamespaceConflictError, error_message
+        end
+      rescue Dependabot::RefNamespaceConflictError
+        # Re-raise so they aren't caught by the generic rescue
+        raise
+      rescue StandardError => e
+        Dependabot.logger.warn("Could not validate the existence of the 'dependabot' branch: #{e.message}")
+      end
+    end
+
     sig { void }
     def validate_target_branch
       return unless job.source.branch
diff --git a/updater/spec/dependabot/file_fetcher_command_spec.rb b/updater/spec/dependabot/file_fetcher_command_spec.rb
@@ -309,6 +309,74 @@
       end
     end
 
+    context "when the dependabot branch exists" do
+      let(:job_definition) do
+        job_def = JSON.parse(fixture("jobs/job_with_credentials.json"))
+        job_def
+      end
+
+      let(:git_metadata_fetcher) { double("GitMetadataFetcher") }
+
+      before do
+        allow_any_instance_of(described_class)
+          .to receive(:git_metadata_fetcher)
+          .and_return(git_metadata_fetcher)
+
+        allow(git_metadata_fetcher).to receive_messages(
+          ref_names: %w(main develop dependabot),
+          upload_pack: nil
+        )
+      end
+
+      it "raises error with helpful message before file operations" do
+        expect(api_client)
+          .to receive(:record_update_job_error)
+          .with(
+            error_details: {
+              message: "Branch 'dependabot' already exists and causes a Git ref namespace conflict. " \
+                       "Git can’t create `dependabot/...` branches while the branch `dependabot` exists." \
+                       "Please delete the 'dependabot' branch and retry."
+            },
+            error_type: "file_fetcher_error"
+          )
+        expect(api_client).to receive(:mark_job_as_processed)
+
+        expect { perform_job }.to output(/Error during file fetching; aborting/).to_stdout_from_any_process
+      end
+    end
+
+    context "when dependabot branch validation fails gracefully" do
+      let(:job_definition) do
+        job_def = JSON.parse(fixture("jobs/job_with_credentials.json"))
+        job_def
+      end
+
+      let(:git_metadata_fetcher) { double("GitMetadataFetcher") }
+
+      before do
+        allow_any_instance_of(described_class)
+          .to receive(:git_metadata_fetcher)
+          .and_return(git_metadata_fetcher)
+
+        # Simulate an error in git metadata fetching (e.g., network issues)
+        allow(git_metadata_fetcher)
+          .to receive(:ref_names)
+          .and_raise(StandardError, "Network error")
+
+        # Mock the file fetcher to verify it still gets called
+        allow_any_instance_of(Dependabot::Bundler::FileFetcher)
+          .to receive(:commit)
+          .and_return("abc123")
+      end
+
+      it "falls back to existing validation and continues processing" do
+        # Should not raise error during early validation, but log warning
+        expect(Dependabot.logger).to receive(:warn).with(/Could not validate the existence of the 'dependabot' branch:/)
+
+        expect { perform_job }.not_to raise_error
+      end
+    end
+
     context "when the fetcher raises a RepoNotFound error" do
       let(:provider) { job_definition.dig("job", "source", "provider") }
       let(:repo) { job_definition.dig("job", "source", "repo") }
