Hotfix: Prevent webhooks from running on non-master/main branches

app/blueprints/github/__init__.py

@@ -134,6 +134,10 @@ def webhook():
 	if event == "push":
 		ref = json["after"]
 		title = json["head_commit"]["message"].partition("\n")[0]
+		branch = json["ref"].replace("refs/heads/", "")
+		if branch not in [ "master", "main" ]:
+			return jsonify({ "success": False, "message": "Webhook ignored, as it's not on the master/main branch" })
+
 	elif event == "create" and json["ref_type"] == "tag":
 		ref = json["ref"]
 		title = ref

app/blueprints/gitlab/__init__.py

@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-from flask import Blueprint, request
+from flask import Blueprint, request, jsonify
 
 bp = Blueprint("gitlab", __name__)
 
@@ -53,6 +53,12 @@ def webhook_impl():
 	if event == "push":
 		ref = json["after"]
 		title = ref[:5]
+
+		branch = json["ref"].replace("refs/heads/", "")
+		if branch not in ["master", "main"]:
+			return jsonify({"success": False,
+				"message": "Webhook ignored, as it's not on the master/main branch"})
+
 	elif event == "tag_push":
 		ref = json["ref"]
 		title = ref.replace("refs/tags/", "")

app/flatpages/help/release_webhooks.md

@@ -21,8 +21,8 @@ The process is as follows:
 4. ContentDB checks the API token and issues a new release.
 
 <p class="alert alert-warning">
-    "New commit" or "push" based webhooks are currently broken as they don't check the branch name.
-    This means that releases will be created for pushes to non-default branches.
+    "New commit" or "push" based webhooks will currently only work on branches named `master` or
+    `main`.
 </p>
 
 ## Setting up