feat: add better support git heads

Signed-off-by: Josef Andersson <josef.andersson@digg.se>

Author: janderssonse

linters/commits.sh

@@ -8,17 +8,7 @@ set -uo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/../utils/colors.sh"
-
-get_default_branch() {
-  git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed "s@^refs/remotes/origin/@@" || echo "main"
-}
-
-has_commits_to_check() {
-  local default_branch="$1"
-  local count
-  count=$(git rev-list --count "${default_branch}..HEAD" 2>/dev/null || echo 0)
-  [[ "$count" -gt 0 ]]
-}
+source "${SCRIPT_DIR}/../utils/git-utils.sh"
 
 main() {
   print_header "COMMIT HEALTH (CONFORM)"
@@ -33,7 +23,7 @@ main() {
     return 0
   fi
 
-  if ! has_commits_to_check "$default_branch"; then
+  if ! has_commits_since "$default_branch"; then
     print_info "No commits to check on ${current_branch} (compared to ${default_branch})"
     return 0
   fi

linters/secrets.sh

@@ -8,10 +8,7 @@ set -uo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${SCRIPT_DIR}/../utils/colors.sh"
-
-get_default_branch() {
-  git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed "s@^refs/remotes/origin/@@" || echo "main"
-}
+source "${SCRIPT_DIR}/../utils/git-utils.sh"
 
 main() {
   print_header "SECRET SCANNING (GITLEAKS)"
@@ -31,10 +28,14 @@ main() {
     print_info "On default branch, scanning all commits..."
     gitleaks detect --source=. --verbose --redact=50
     gitleaks_result=$?
-  else
+  elif branch_exists "$default_branch"; then
     print_info "Scanning commits different from ${default_branch}..."
     gitleaks detect --source=. --log-opts="${default_branch}..HEAD" --verbose --redact=50
     gitleaks_result=$?
+  else
+    print_info "No base branch found, scanning all commits..."
+    gitleaks detect --source=. --verbose --redact=50
+    gitleaks_result=$?
   fi
 
   if [[ $gitleaks_result -eq 0 ]]; then

tests/utils-git.bats

@@ -0,0 +1,243 @@
+#!/usr/bin/env bats
+
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: MIT
+
+# Tests for utils/git-utils.sh
+#
+# These tests verify get_default_branch works correctly across different
+# repository configurations:
+# - Cloned repos (with origin/HEAD)
+# - Local repos pushed to remote (origin/main exists but no origin/HEAD)
+# - Pure local repos (no remote)
+# - Repos with master instead of main
+
+bats_require_minimum_version 1.13.0
+
+load "${BATS_TEST_DIRNAME}/libs/bats-support/load.bash"
+load "${BATS_TEST_DIRNAME}/libs/bats-assert/load.bash"
+load "${BATS_TEST_DIRNAME}/libs/bats-file/load.bash"
+load "${BATS_TEST_DIRNAME}/test_helper.bash"
+
+setup() {
+  common_setup
+  export DEVTOOLS_ROOT="${BATS_TEST_DIRNAME}/.."
+  source "${DEVTOOLS_ROOT}/utils/git-utils.sh"
+  cd "$TEST_DIR"
+}
+
+teardown() {
+  common_teardown
+}
+
+# =============================================================================
+# Helper: Create git repo with specific configuration
+# =============================================================================
+
+# Create a bare remote repo to simulate origin
+create_bare_remote() {
+  local remote_path="${TEST_DIR}/remote.git"
+  git init -q --bare "$remote_path"
+  echo "$remote_path"
+}
+
+# =============================================================================
+# get_default_branch tests
+# =============================================================================
+
+@test "get_default_branch: cloned repo with origin/HEAD returns correct branch" {
+  # Simulate a cloned repo by setting up origin/HEAD symbolic ref
+  init_git_repo
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  git push -u origin main 2>/dev/null
+  # Manually set origin/HEAD like git clone does
+  git symbolic-ref refs/remotes/origin/HEAD refs/remotes/origin/main
+
+  run get_default_branch
+
+  assert_success
+  assert_output "main"
+}
+
+@test "get_default_branch: local repo pushed to remote (no origin/HEAD) returns main" {
+  # This is the failing case: git init + git remote add + git push
+  # origin/main exists but origin/HEAD does not
+  init_git_repo
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  git push -u origin main 2>/dev/null
+  # Do NOT set origin/HEAD - this simulates the real scenario
+
+  run get_default_branch
+
+  assert_success
+  assert_output "main"
+}
+
+@test "get_default_branch: local repo with master pushed to remote returns master" {
+  # Same as above but with master branch
+  export GIT_CONFIG_NOSYSTEM=1
+  git init -q --initial-branch=master
+  git config user.email "test@example.com"
+  git config user.name "Test User"
+  echo "initial" > file.txt
+  git add file.txt
+  git commit -q -m "Initial commit"
+
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  git push -u origin master 2>/dev/null
+
+  run get_default_branch
+
+  assert_success
+  assert_output "master"
+}
+
+@test "get_default_branch: pure local repo with main returns main" {
+  # No remote at all
+  init_git_repo
+
+  run get_default_branch
+
+  assert_success
+  assert_output "main"
+}
+
+@test "get_default_branch: pure local repo with master returns master" {
+  # No remote, default branch is master
+  export GIT_CONFIG_NOSYSTEM=1
+  git init -q --initial-branch=master
+  git config user.email "test@example.com"
+  git config user.name "Test User"
+  echo "initial" > file.txt
+  git add file.txt
+  git commit -q -m "Initial commit"
+
+  run get_default_branch
+
+  assert_success
+  assert_output "master"
+}
+
+@test "get_default_branch: prefers origin/main over local master" {
+  # Edge case: local master exists, but origin/main also exists
+  export GIT_CONFIG_NOSYSTEM=1
+  git init -q --initial-branch=master
+  git config user.email "test@example.com"
+  git config user.name "Test User"
+  echo "initial" > file.txt
+  git add file.txt
+  git commit -q -m "Initial commit"
+
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  # Rename to main for push, then create local master
+  git branch -m master main
+  git push -u origin main 2>/dev/null
+  git checkout -b master 2>/dev/null
+
+  run get_default_branch
+
+  assert_success
+  assert_output "main"
+}
+
+@test "get_default_branch: empty repo falls back to main" {
+  # Repo with no commits yet
+  export GIT_CONFIG_NOSYSTEM=1
+  git init -q
+
+  run get_default_branch
+
+  assert_success
+  assert_output "main"
+}
+
+# =============================================================================
+# branch_exists tests
+# =============================================================================
+
+@test "branch_exists: returns true for existing local branch" {
+  init_git_repo
+
+  run branch_exists "main"
+
+  assert_success
+}
+
+@test "branch_exists: returns false for non-existing branch" {
+  init_git_repo
+
+  run branch_exists "nonexistent"
+
+  assert_failure
+}
+
+@test "branch_exists: returns true for remote tracking branch" {
+  init_git_repo
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  git push -u origin main 2>/dev/null
+
+  run branch_exists "main"
+
+  assert_success
+}
+
+# =============================================================================
+# has_commits_since tests
+# =============================================================================
+
+@test "has_commits_since: returns true when commits exist on feature branch" {
+  init_git_repo
+  git checkout -b feature 2>/dev/null
+  echo "feature" > feature.txt
+  git add feature.txt
+  git commit -q -m "Feature commit"
+
+  run has_commits_since "main"
+
+  assert_success
+}
+
+@test "has_commits_since: returns false when no commits since branch" {
+  init_git_repo
+  git checkout -b feature 2>/dev/null
+  # No new commits
+
+  run has_commits_since "main"
+
+  assert_failure
+}
+
+@test "has_commits_since: returns false when base branch does not exist" {
+  init_git_repo
+
+  run has_commits_since "nonexistent"
+
+  assert_failure
+}
+
+@test "has_commits_since: works with remote tracking branch as base" {
+  init_git_repo
+  local remote_path
+  remote_path=$(create_bare_remote)
+  git remote add origin "$remote_path"
+  git push -u origin main 2>/dev/null
+  git checkout -b feature 2>/dev/null
+  echo "feature" > feature.txt
+  git add feature.txt
+  git commit -q -m "Feature commit"
+
+  run has_commits_since "main"
+
+  assert_success
+}

utils/git-utils.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+
+# SPDX-FileCopyrightText: 2025 Digg - Agency for Digital Government
+#
+# SPDX-License-Identifier: MIT
+
+# Git utility functions for devbase-check linters
+#
+# This module provides reliable git branch detection that works across:
+# - Cloned repositories (with origin/HEAD set)
+# - Locally created repositories pushed to remote (no origin/HEAD)
+# - Pure local repositories (no remote at all)
+
+# Get the default branch name for comparison operations
+#
+# Detection order:
+# 1. Remote origin HEAD symbolic ref (set by git clone)
+# 2. Remote tracking branches origin/main or origin/master
+# 3. Local branches main or master
+# 4. Fallback to "main"
+#
+# Usage: get_default_branch
+# Returns: Branch name on stdout, always succeeds
+get_default_branch() {
+  local branch
+
+  # 1. Try remote origin HEAD symbolic ref (works for cloned repos)
+  branch=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed "s@^refs/remotes/origin/@@")
+  if [[ -n "$branch" ]]; then
+    echo "$branch"
+    return 0
+  fi
+
+  # 2. No symbolic HEAD - check if origin/main or origin/master tracking branch exists
+  #    This handles repos created locally and pushed (git push -u origin main)
+  for candidate in main master; do
+    if git show-ref --verify --quiet "refs/remotes/origin/$candidate" 2>/dev/null; then
+      echo "$candidate"
+      return 0
+    fi
+  done
+
+  # 3. No remote branches - check local main/master branches
+  #    This handles pure local repos with no remote
+  for candidate in main master; do
+    if git show-ref --verify --quiet "refs/heads/$candidate" 2>/dev/null; then
+      echo "$candidate"
+      return 0
+    fi
+  done
+
+  # 4. Fallback - assume main (modern git default)
+  echo "main"
+}
+
+# Check if a branch exists (local or remote tracking)
+#
+# Usage: branch_exists <branch_name>
+# Returns: 0 if exists, 1 if not
+branch_exists() {
+  local branch="$1"
+  git show-ref --verify --quiet "refs/heads/$branch" 2>/dev/null ||
+    git show-ref --verify --quiet "refs/remotes/origin/$branch" 2>/dev/null
+}
+
+# Check if we have any commits to compare against a base branch
+#
+# Usage: has_commits_since <base_branch>
+# Returns: 0 if there are commits, 1 if none or error
+has_commits_since() {
+  local base_branch="$1"
+  local count
+
+  # Verify the base branch exists before comparing
+  if ! branch_exists "$base_branch"; then
+    return 1
+  fi
+
+  count=$(git rev-list --count "${base_branch}..HEAD" 2>/dev/null || echo 0)
+  [[ "$count" -gt 0 ]]
+}