From 08e4086bb967bab3d60263b23a218f3f93632b6b Mon Sep 17 00:00:00 2001
From: Manthan Mallikarjun <nahtnam@gmail.com>
Date: Wed, 13 Aug 2025 01:14:47 -0700
Subject: [PATCH] fix(git): use exact refspec in ls-remote to avoid matching
 similarly named branches (e.g., changeset-release/main). Use
 refs/heads/<branch> or provider-specific PR refs.

---
 app/Jobs/ApplicationDeploymentJob.php | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index bc5fab30c..efece13df 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1421,6 +1421,19 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
         if ($this->pull_request_id !== 0) {
             $local_branch = "pull/{$this->pull_request_id}/head";
         }
+        // Build an exact refspec for ls-remote so we don't match similarly named branches (e.g., changeset-release/main)
+        if ($this->pull_request_id === 0) {
+            $lsRemoteRef = "refs/heads/{$local_branch}";
+        } else {
+            if ($this->git_type === 'github' || $this->git_type === 'gitea') {
+                $lsRemoteRef = "refs/pull/{$this->pull_request_id}/head";
+            } elseif ($this->git_type === 'gitlab') {
+                $lsRemoteRef = "refs/merge-requests/{$this->pull_request_id}/head";
+            } else {
+                // Fallback to the original value if provider-specific ref is unknown
+                $lsRemoteRef = $local_branch;
+            }
+        }
         $private_key = data_get($this->application, 'private_key.private_key');
         if ($private_key) {
             $private_key = base64_encode($private_key);
@@ -1435,7 +1448,7 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
                     executeInDocker($this->deployment_uuid, 'chmod 600 /root/.ssh/id_rsa'),
                 ],
                 [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$local_branch}"),
+                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
                     'hidden' => true,
                     'save' => 'git_commit_sha',
                 ]
@@ -1443,7 +1456,7 @@ class ApplicationDeploymentJob implements ShouldBeEncrypted, ShouldQueue
         } else {
             $this->execute_remote_command(
                 [
-                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$local_branch}"),
+                    executeInDocker($this->deployment_uuid, "GIT_SSH_COMMAND=\"ssh -o ConnectTimeout=30 -p {$this->customPort} -o Port={$this->customPort} -o LogLevel=ERROR -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null\" git ls-remote {$this->fullRepoUrl} {$lsRemoteRef}"),
                     'hidden' => true,
                     'save' => 'git_commit_sha',
                 ],