Enforce dev-only source on stage — reject PRs from non-dev branches

.gitea/workflows/stage.yaml

@@ -32,19 +32,23 @@ jobs:
 
     steps:
       - name: Enforce dev-only source
-        # stage branch only accepts merges from dev. A direct push from any
-        # other branch fails here so the rest of the pipeline never runs.
+        # stage only accepts merges from dev. Any PR from another branch fails
+        # here before a single build step runs.
         # workflow_dispatch is exempt (allows manual redeploy of current stage).
         if: github.event_name != 'workflow_dispatch'
         run: |
-          BASE=$(git -C "$GITHUB_WORKSPACE" log --pretty=format:"%D" -1 2>/dev/null || true)
-          # On a merge-to-stage push the parent is the tip of dev.
-          # We check the merge commit parents: if the non-stage parent is not
-          # from dev, reject.  For direct pushes (no merge commit) the
-          # committer origin cannot be verified here — branch protection
-          # (enable_push=false) blocks direct non-admin pushes before CI runs.
-          echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}"
-          echo "Source branch enforcement: OK (protected by Gitea branch rules)"
+          set -euo pipefail
+          COMMIT_MSG=$(git log -1 --pretty=format:"%s" 2>/dev/null || true)
+          echo "Merge commit: $COMMIT_MSG"
+          # Gitea merge commits: "Merge pull request '...' (#N) from dev into stage"
+          # Direct branch merges:  "Merge branch 'dev' into stage"
+          if echo "$COMMIT_MSG" | grep -qE " from dev into stage$| 'dev' into stage$"; then
+            echo "Source branch check: OK (merged from dev)"
+          else
+            echo "ERROR: stage only accepts merges from dev."
+            echo "Commit message was: $COMMIT_MSG"
+            exit 1
+          fi
 
       - name: Checkout
         uses: actions/checkout@v4