From 21dcb76dc739201b43fde1c503db6512417bb2ce Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Thu, 16 Apr 2026 15:00:26 +0200
Subject: [PATCH] chore(mage): silence gosec on worktree branch-exists helpers

The branch name is supplied by the developer running the mage task,
so flagging it as tainted input is a false positive.
---
 magefile.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/magefile.go b/magefile.go
index dc4187347..3b8e45949 100644
--- a/magefile.go
+++ b/magefile.go
@@ -1893,11 +1893,11 @@ func (Generate) ConfigYAML(commented bool) {
 }
 
 func localBranchExists(ctx context.Context, name string) bool {
-	return exec.CommandContext(ctx, "git", "show-ref", "--verify", "--quiet", "refs/heads/"+name).Run() == nil
+	return exec.CommandContext(ctx, "git", "show-ref", "--verify", "--quiet", "refs/heads/"+name).Run() == nil //nolint:gosec // This is a dev-only mage task and the branch name is supplied by the developer running it.
 }
 
 func remoteBranchExists(ctx context.Context, name string) bool {
-	return exec.CommandContext(ctx, "git", "show-ref", "--verify", "--quiet", "refs/remotes/"+name).Run() == nil
+	return exec.CommandContext(ctx, "git", "show-ref", "--verify", "--quiet", "refs/remotes/"+name).Run() == nil //nolint:gosec // This is a dev-only mage task and the branch name is supplied by the developer running it.
 }
 
 // PrepareWorktree creates a new git worktree for development.