Fix tag protection checks based on real API response

- Normalize scope patterns by stripping refs/tags/ prefix from API response
- Implement proper tag_name_pattern rule validation in naming check
- Compare policy naming operator, pattern, and negate against actual ruleset parameters

Co-authored-by: david3107 <20040740+david3107@users.noreply.github.com>

Author: Copilot

dist/evaluators/repository/TagProtectionChecks.js

@@ -80,19 +80,25 @@ class TagProtectionChecks {
         const excludePatterns = conditions?.ref_name?.exclude || [];
         const expectedInclude = policyScope.include || [];
         const expectedExclude = policyScope.exclude || [];
+        // Normalize patterns - GitHub API returns patterns with refs/tags/ prefix
+        const normalizePattern = (pattern) => {
+            return pattern.replace(/^refs\/tags\//, "");
+        };
+        const normalizedIncludePatterns = includePatterns.map(normalizePattern);
+        const normalizedExcludePatterns = excludePatterns.map(normalizePattern);
         // Check if all expected include patterns are present
-        const missingIncludes = expectedInclude.filter((pattern) => !includePatterns.includes(pattern));
+        const missingIncludes = expectedInclude.filter((pattern) => !normalizedIncludePatterns.includes(pattern));
         // Check if all expected exclude patterns are present
-        const missingExcludes = expectedExclude.filter((pattern) => !excludePatterns.includes(pattern));
+        const missingExcludes = expectedExclude.filter((pattern) => !normalizedExcludePatterns.includes(pattern));
         const passed = missingIncludes.length === 0 && missingExcludes.length === 0;
         return {
             passed,
             details: {
                 expected_include: expectedInclude,
-                actual_include: includePatterns,
+                actual_include: normalizedIncludePatterns,
                 missing_includes: missingIncludes,
                 expected_exclude: expectedExclude,
-                actual_exclude: excludePatterns,
+                actual_exclude: normalizedExcludePatterns,
                 missing_excludes: missingExcludes,
             },
         };
@@ -133,14 +139,45 @@ class TagProtectionChecks {
         };
     }
     checkNaming(policyNaming, ruleset) {
-        // GitHub rulesets don't have a direct naming constraint rule
-        // This would need to be implemented based on specific ruleset rules
-        // For now, we'll return a placeholder
+        const rules = ruleset.rules || [];
+        // Find tag_name_pattern rule
+        const tagNamePatternRule = rules.find((rule) => rule.type === "tag_name_pattern");
+        if (!tagNamePatternRule) {
+            return {
+                passed: false,
+                details: {
+                    message: "No tag_name_pattern rule found in ruleset",
+                    expected: policyNaming,
+                    actual: null,
+                },
+            };
+        }
+        const params = tagNamePatternRule.parameters || {};
+        // Check if operator matches
+        const operatorMatches = params.operator === policyNaming.operator;
+        // Check if pattern matches
+        const patternMatches = params.pattern === policyNaming.pattern;
+        // Check if negate matches
+        const negateMatches = params.negate === policyNaming.negate;
+        const passed = operatorMatches && patternMatches && negateMatches;
         return {
-            passed: true,
+            passed,
             details: {
-                message: "Naming constraint checking not fully implemented - requires custom rule analysis",
-                policy: policyNaming,
+                expected: {
+                    operator: policyNaming.operator,
+                    pattern: policyNaming.pattern,
+                    negate: policyNaming.negate,
+                },
+                actual: {
+                    operator: params.operator,
+                    pattern: params.pattern,
+                    negate: params.negate,
+                },
+                checks: {
+                    operator: operatorMatches,
+                    pattern: patternMatches,
+                    negate: negateMatches,
+                },
             },
         };
     }

dist/index.js

@@ -49310,19 +49310,25 @@ class TagProtectionChecks {
         const excludePatterns = conditions?.ref_name?.exclude || [];
         const expectedInclude = policyScope.include || [];
         const expectedExclude = policyScope.exclude || [];
+        // Normalize patterns - GitHub API returns patterns with refs/tags/ prefix
+        const normalizePattern = (pattern) => {
+            return pattern.replace(/^refs\/tags\//, "");
+        };
+        const normalizedIncludePatterns = includePatterns.map(normalizePattern);
+        const normalizedExcludePatterns = excludePatterns.map(normalizePattern);
         // Check if all expected include patterns are present
-        const missingIncludes = expectedInclude.filter((pattern) => !includePatterns.includes(pattern));
+        const missingIncludes = expectedInclude.filter((pattern) => !normalizedIncludePatterns.includes(pattern));
         // Check if all expected exclude patterns are present
-        const missingExcludes = expectedExclude.filter((pattern) => !excludePatterns.includes(pattern));
+        const missingExcludes = expectedExclude.filter((pattern) => !normalizedExcludePatterns.includes(pattern));
         const passed = missingIncludes.length === 0 && missingExcludes.length === 0;
         return {
             passed,
             details: {
                 expected_include: expectedInclude,
-                actual_include: includePatterns,
+                actual_include: normalizedIncludePatterns,
                 missing_includes: missingIncludes,
                 expected_exclude: expectedExclude,
-                actual_exclude: excludePatterns,
+                actual_exclude: normalizedExcludePatterns,
                 missing_excludes: missingExcludes,
             },
         };
@@ -49363,14 +49369,45 @@ class TagProtectionChecks {
         };
     }
     checkNaming(policyNaming, ruleset) {
-        // GitHub rulesets don't have a direct naming constraint rule
-        // This would need to be implemented based on specific ruleset rules
-        // For now, we'll return a placeholder
+        const rules = ruleset.rules || [];
+        // Find tag_name_pattern rule
+        const tagNamePatternRule = rules.find((rule) => rule.type === "tag_name_pattern");
+        if (!tagNamePatternRule) {
+            return {
+                passed: false,
+                details: {
+                    message: "No tag_name_pattern rule found in ruleset",
+                    expected: policyNaming,
+                    actual: null,
+                },
+            };
+        }
+        const params = tagNamePatternRule.parameters || {};
+        // Check if operator matches
+        const operatorMatches = params.operator === policyNaming.operator;
+        // Check if pattern matches
+        const patternMatches = params.pattern === policyNaming.pattern;
+        // Check if negate matches
+        const negateMatches = params.negate === policyNaming.negate;
+        const passed = operatorMatches && patternMatches && negateMatches;
         return {
-            passed: true,
+            passed,
             details: {
-                message: "Naming constraint checking not fully implemented - requires custom rule analysis",
-                policy: policyNaming,
+                expected: {
+                    operator: policyNaming.operator,
+                    pattern: policyNaming.pattern,
+                    negate: policyNaming.negate,
+                },
+                actual: {
+                    operator: params.operator,
+                    pattern: params.pattern,
+                    negate: params.negate,
+                },
+                checks: {
+                    operator: operatorMatches,
+                    pattern: patternMatches,
+                    negate: negateMatches,
+                },
             },
         };
     }

src/evaluators/repository/TagProtectionChecks.ts

@@ -105,14 +105,22 @@ export class TagProtectionChecks {
     const expectedInclude = policyScope.include || [];
     const expectedExclude = policyScope.exclude || [];
 
+    // Normalize patterns - GitHub API returns patterns with refs/tags/ prefix
+    const normalizePattern = (pattern: string): string => {
+      return pattern.replace(/^refs\/tags\//, "");
+    };
+
+    const normalizedIncludePatterns = includePatterns.map(normalizePattern);
+    const normalizedExcludePatterns = excludePatterns.map(normalizePattern);
+
     // Check if all expected include patterns are present
     const missingIncludes = expectedInclude.filter(
-      (pattern: string) => !includePatterns.includes(pattern),
+      (pattern: string) => !normalizedIncludePatterns.includes(pattern),
     );
 
     // Check if all expected exclude patterns are present
     const missingExcludes = expectedExclude.filter(
-      (pattern: string) => !excludePatterns.includes(pattern),
+      (pattern: string) => !normalizedExcludePatterns.includes(pattern),
     );
 
     const passed = missingIncludes.length === 0 && missingExcludes.length === 0;
@@ -121,10 +129,10 @@ export class TagProtectionChecks {
       passed,
       details: {
         expected_include: expectedInclude,
-        actual_include: includePatterns,
+        actual_include: normalizedIncludePatterns,
         missing_includes: missingIncludes,
         expected_exclude: expectedExclude,
-        actual_exclude: excludePatterns,
+        actual_exclude: normalizedExcludePatterns,
         missing_excludes: missingExcludes,
       },
     };
@@ -177,15 +185,55 @@ export class TagProtectionChecks {
     policyNaming: any,
     ruleset: any,
   ): { passed: boolean; details: any } {
-    // GitHub rulesets don't have a direct naming constraint rule
-    // This would need to be implemented based on specific ruleset rules
-    // For now, we'll return a placeholder
+    const rules = ruleset.rules || [];
+
+    // Find tag_name_pattern rule
+    const tagNamePatternRule = rules.find(
+      (rule: any) => rule.type === "tag_name_pattern",
+    );
+
+    if (!tagNamePatternRule) {
+      return {
+        passed: false,
+        details: {
+          message: "No tag_name_pattern rule found in ruleset",
+          expected: policyNaming,
+          actual: null,
+        },
+      };
+    }
+
+    const params = tagNamePatternRule.parameters || {};
+
+    // Check if operator matches
+    const operatorMatches = params.operator === policyNaming.operator;
+
+    // Check if pattern matches
+    const patternMatches = params.pattern === policyNaming.pattern;
+
+    // Check if negate matches
+    const negateMatches = params.negate === policyNaming.negate;
+
+    const passed = operatorMatches && patternMatches && negateMatches;
+
     return {
-      passed: true,
+      passed,
       details: {
-        message:
-          "Naming constraint checking not fully implemented - requires custom rule analysis",
-        policy: policyNaming,
+        expected: {
+          operator: policyNaming.operator,
+          pattern: policyNaming.pattern,
+          negate: policyNaming.negate,
+        },
+        actual: {
+          operator: params.operator,
+          pattern: params.pattern,
+          negate: params.negate,
+        },
+        checks: {
+          operator: operatorMatches,
+          pattern: patternMatches,
+          negate: negateMatches,
+        },
       },
     };
   }