validateBranchName rejects '+' which EnterWorktree generates by converting '/' in worktree names

[awakia]

Summary

validateBranchName in src/github/operations/branch.ts rejects branch names containing +, but Claude Code's EnterWorktree tool automatically converts / in worktree names to + when generating branch names. This creates a compatibility issue where branches created via the standard Claude Code workflow fail CI when using claude-code-action.

Steps to Reproduce

1. Use Claude Code's EnterWorktree tool with a name containing /, e.g. feat/skill-consolidation
2. EnterWorktree generates the branch name worktree-feat+skill-consolidation (converts / → +)
3. Open a PR from that branch
4. claude-code-action fails with:

   Invalid branch name: "worktree-feat+skill-consolidation". Branch names must start with an
   alphanumeric character and contain only alphanumeric characters, forward slashes, hyphens,
   underscores, periods, or hashes (#).
   

Root Cause

The whitelist pattern in validateBranchName:

const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#-]*$/;

does not include +, so branch names generated by EnterWorktree are rejected.

Why This Should Be Fixed

As noted in the code comments, all git calls use execFileSync (not shell interpolation), so + carries no command injection risk — the same argument made for allowing #:

All git calls use execFileSync (not shell interpolation), so # carries no injection risk.

The same logic applies to +. Git itself allows + in branch names, and since the execution is sandboxed via execFileSync, there is no security concern.

Proposed Fix

Add + to the whitelist pattern:

const validPattern = /^[a-zA-Z0-9][a-zA-Z0-9/_.#+\-]*$/;

Alternatively, fix EnterWorktree to use - instead of + when sanitizing worktree names — but since both tools are Anthropic products, fixing the validation in claude-code-action is the cleaner solution, as + is a valid and common character in branch names.

Environment

• claude-code-action: v1 (latest)
• Claude Code CLI with EnterWorktree tool