{"uuid": "fc0c5e03-4cba-4cce-b90c-536450f9be4d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-1234", "type": "seen", "source": "https://gist.github.com/charanyama/28b7a3ea8b4aa8570f39b977d6a0677a", "content": "# Git Branch & Commit Tag Conventions \u2014 Production Reference\n\n> A complete reference for naming branches and writing commit messages in production-grade repositories.  \n> Based on **Conventional Commits**, **Gitflow**, **trunk-based development**, and industry-wide best practices.\n\n---\n\n## \ud83c\udf3f BRANCH NAMING TAGS (Prefixes)\n\nBranch names follow the pattern:\n```\n/-\n```\n> Example: `feat/AUTH-142-oauth2-google-login`\n\n---\n\n### \ud83d\udd35 Core Feature & Work Types\n\n| Tag | Full Form | When to Use |\n|-----|-----------|-------------|\n| `feat/` | Feature | New feature or user-facing functionality |\n| `feature/` | Feature (verbose) | Same as above \u2014 team preference |\n| `fix/` | Bug Fix | Fixing a bug in existing functionality |\n| `bugfix/` | Bug Fix (verbose) | Same as above |\n| `hotfix/` | Hot Fix | **Critical** production bug; branches off `main`/`master` directly |\n| `patch/` | Patch | Minor fix that doesn't warrant a hotfix |\n| `chore/` | Chore | Maintenance tasks, dependency bumps, config changes |\n\n---\n\n### \ud83d\udfe3 Release & Deployment\n\n| Tag | When to Use |\n|-----|-------------|\n| `release/` | Preparing a version release (e.g. 
`release/v2.4.0`) |\n| `deploy/` | Deployment-specific branch for a specific environment |\n| `rollback/` | Rolling back to a previous stable state |\n| `revert/` | Reverting specific commits or changes |\n\n---\n\n### \ud83d\udfe1 Refactoring & Technical Debt\n\n| Tag | When to Use |\n|-----|-------------|\n| `refactor/` | Restructuring code without changing behavior |\n| `perf/` | Performance improvements |\n| `cleanup/` | Removing dead code, unused imports, etc. |\n| `migrate/` | Data or code migration tasks |\n| `upgrade/` | Upgrading a major dependency or framework version |\n\n---\n\n### \ud83d\udfe2 Quality & Compliance\n\n| Tag | When to Use |\n|-----|-------------|\n| `test/` | Adding or fixing tests |\n| `ci/` | CI/CD pipeline changes |\n| `build/` | Build system changes (webpack, gradle, etc.) |\n| `lint/` | Linting/formatting fixes only |\n| `security/` | Security patches or vulnerability fixes |\n| `audit/` | Dependency or compliance audit changes |\n\n---\n\n### \ud83d\udfe0 Documentation & Configuration\n\n| Tag | When to Use |\n|-----|-------------|\n| `docs/` | Documentation updates |\n| `config/` | Configuration file changes (env, infra, flags) |\n| `env/` | Environment-specific changes |\n| `infra/` | Infrastructure or DevOps changes |\n| `iac/` | Infrastructure as Code (Terraform, Pulumi, etc.) 
|\n\n---\n\n### \ud83d\udd34 Exploratory / Temporary\n\n| Tag | When to Use |\n|-----|-------------|\n| `spike/` | Research/proof-of-concept \u2014 usually not merged |\n| `poc/` | Proof of Concept |\n| `experiment/` | Experimental feature under evaluation |\n| `wip/` | Work In Progress \u2014 not ready for review |\n| `draft/` | Draft branch for early feedback |\n| `sandbox/` | Free-form experimentation |\n\n---\n\n### \u2699\ufe0f Gitflow Long-lived Branches\n\n| Branch | Purpose |\n|--------|---------|\n| `main` / `master` | Production-ready code |\n| `develop` / `dev` | Integration branch for completed features |\n| `staging` | Pre-production environment |\n| `qa` | QA / Testing environment |\n| `uat` | User Acceptance Testing |\n| `preprod` | Pre-production mirror |\n\n---\n\n---\n\n## \ud83d\udcdd COMMIT MESSAGE TAGS (Types)\n\nCommit messages follow the **Conventional Commits** spec:\n```\n(): \n\n[optional body]\n[optional footer: BREAKING CHANGE / closes #issue]\n```\n> Example: `feat(auth): add Google OAuth2 login support`\n\n---\n\n### \ud83d\udd35 Core Commit Types\n\n| Tag | When to Use |\n|-----|-------------|\n| `feat` | Introduces a new feature (triggers **minor** version bump) |\n| `fix` | Patches a bug (triggers **patch** version bump) |\n| `hotfix` | Emergency production fix |\n| `revert` | Reverts a previous commit |\n\n---\n\n### \ud83d\udfe1 Refactoring & Internal Changes\n\n| Tag | When to Use |\n|-----|-------------|\n| `refactor` | Code change that neither fixes a bug nor adds a feature |\n| `perf` | Improves performance |\n| `cleanup` | Removes dead code, obsolete files |\n| `style` | Formatting only \u2014 no logic changes (whitespace, semicolons) |\n\n---\n\n### \ud83d\udfe2 Testing & Automation\n\n| Tag | When to Use |\n|-----|-------------|\n| `test` | Adding or correcting tests |\n| `ci` | CI pipeline configuration (GitHub Actions, CircleCI, etc.) |\n| `build` | Build system changes (make, gradle, webpack, etc.) 
|\n| `lint` | Linting/formatter config changes |\n| `release` | Commit marking a release (usually automated) |\n\n---\n\n### \ud83d\udfe0 Documentation & Config\n\n| Tag | When to Use |\n|-----|-------------|\n| `docs` | Documentation only changes |\n| `chore` | Routine tasks: dependency updates, config tweaks, file moves |\n| `config` | Configuration changes (env files, settings) |\n| `infra` | Infrastructure or DevOps related commit |\n| `iac` | Infrastructure as Code changes |\n\n---\n\n### \ud83d\udd34 Security & Compliance\n\n| Tag | When to Use |\n|-----|-------------|\n| `security` | Security patches or vulnerability fixes |\n| `audit` | Dependency audits, compliance updates |\n| `deps` | Dependency upgrades or removals |\n\n---\n\n### \ud83d\udfe3 Breaking Changes\n\nUse `!` after the type to signal a **breaking change**:\n\n```\nfeat!: remove support for Node.js v14\nrefactor!: rename config keys in settings module\n```\n\nOr include in the commit footer:\n```\nBREAKING CHANGE: `getUser()` now returns a Promise instead of a callback\n```\n\n> \u26a1 A `BREAKING CHANGE` triggers a **major** version bump in SemVer.\n\n---\n\n---\n\n## \ud83d\udce6 SEMANTIC VERSION MAPPING\n\n| Commit Type | SemVer Impact |\n|-------------|---------------|\n| `feat` | `MINOR` \u2014 1.**x**.0 |\n| `fix`, `perf`, `patch` | `PATCH` \u2014 1.0.**x** |\n| `feat!` / `BREAKING CHANGE` | `MAJOR` \u2014 **x**.0.0 |\n| `chore`, `docs`, `style`, `refactor`, `test`, `ci` | No version bump |\n\n---\n\n## \ud83c\udff7\ufe0f GIT TAGS (Release Tags)\n\nUse annotated tags for production releases:\n\n```bash\ngit tag -a v1.4.2 -m \"Release v1.4.2 \u2014 hotfix for session expiry bug\"\ngit push origin v1.4.2\n```\n\n| Pattern | Use Case |\n|---------|----------|\n| `v1.0.0` | Full semantic release |\n| `v1.0.0-alpha.1` | Alpha pre-release |\n| `v1.0.0-beta.2` | Beta pre-release |\n| `v1.0.0-rc.1` | Release Candidate |\n| `v1.0.0-hotfix.1` | Emergency hotfix release |\n\n---\n\n## 
\u2705 QUICK-REFERENCE EXAMPLES\n\n```bash\n# \u2500\u2500 BRANCHES \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nfeat/USER-301-add-dark-mode\nfix/CART-88-tax-calculation-error\nhotfix/PROD-critical-payment-gateway-null-ptr\nrefactor/API-56-normalize-response-format\nchore/bump-deps-june-2026\ndocs/update-api-auth-guide\nrelease/v3.1.0\nci/add-sonarqube-scan-step\nsecurity/CVE-2026-1234-patch-jwt-lib\n\n# \u2500\u2500 COMMITS \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nfeat(auth): add biometric login support for mobile\nfix(checkout): resolve tax rounding error for EU locales\nhotfix(payments): fix null reference in Stripe webhook handler\nrefactor(user-service): extract profile logic to separate module\nperf(search): add Redis caching to product query results\ntest(cart): add unit tests for discount edge cases\nci(github-actions): add SAST scan on PR open\ndocs(readme): update local dev setup instructions\nchore(deps): upgrade axios from 1.6.0 to 1.8.2\nsecurity(jwt): patch CVE-2026-1234 in jsonwebtoken lib\nfeat!: drop support for legacy v1 API endpoints\n```\n\n---\n\n## \ud83d\udccc RULES TO REMEMBER\n\n1. **Branch names** \u2192 all lowercase, hyphens (not underscores), include ticket ID when possible\n2. **Commit subject** \u2192 imperative mood, \u226472 chars, no period at end\n3. **Scope** \u2192 optional but encouraged: `feat(scope): message`\n4. 
**Breaking changes** \u2192 always flag with `!` or `BREAKING CHANGE:` footer\n5. **Revert commits** \u2192 use `revert: feat(auth): add biometric login` format\n6. **WIP/Draft branches** \u2192 prefix with `wip/` or `draft/`; open as Draft PRs\n7. **Hotfix branches** \u2192 always branch from `main`, merge back to both `main` AND `develop`\n\n---\n\n*Based on: [Conventional Commits v1.0.0](https://www.conventionalcommits.org) \u00b7 [Gitflow Workflow](https://nvie.com/posts/a-successful-git-branching-model/) \u00b7 [Semantic Versioning 2.0.0](https://semver.org)*", "creation_timestamp": "2026-06-12T13:19:16.000000Z"}