ci: enforce branch protection + source-branch rules
- Gitea branch protection enabled on stage and main: - Direct pushes disabled (non-admin) - stage requires "Dev — Build & local smoke test / build-smoke" to pass - main requires "Stage — Build, push & deploy to marketing-stage / deploy-stage" to pass - Enforcement step added to stage.yaml and deploy.yaml: - stage only accepts merges from dev - main only accepts merges from stage - workflow_dispatch exempt (allows manual redeploy) - Direct non-admin pushes are blocked at the Gitea layer before CI runs
This commit is contained in:
@@ -31,6 +31,15 @@ jobs:
|
||||
id-token: write # needed for the OIDC token used by WIF
|
||||
|
||||
steps:
|
||||
- name: Enforce stage-only source
|
||||
# main only accepts merges from stage. Direct pushes from other branches
|
||||
# are blocked by Gitea branch protection (enable_push=false for non-admins).
|
||||
# workflow_dispatch is exempt to allow manual prod redeploy.
|
||||
if: github.event_name != 'workflow_dispatch'
|
||||
run: |
|
||||
echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}"
|
||||
echo "Source branch enforcement: OK (protected by Gitea branch rules)"
|
||||
|
||||
- name: Checkout neuron-web
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
|
||||
@@ -31,6 +31,21 @@ jobs:
|
||||
id-token: write
|
||||
|
||||
steps:
|
||||
- name: Enforce dev-only source
|
||||
# stage branch only accepts merges from dev. A direct push from any
|
||||
# other branch fails here so the rest of the pipeline never runs.
|
||||
# workflow_dispatch is exempt (allows manual redeploy of current stage).
|
||||
if: github.event_name != 'workflow_dispatch'
|
||||
run: |
|
||||
BASE=$(git -C "$GITHUB_WORKSPACE" log --pretty=format:"%D" -1 2>/dev/null || true)
|
||||
# On a merge-to-stage push the parent is the tip of dev.
|
||||
# We check the merge commit parents: if the non-stage parent is not
|
||||
# from dev, reject. For direct pushes (no merge commit) the
|
||||
# committer origin cannot be verified here — branch protection
|
||||
# (enable_push=false) blocks direct non-admin pushes before CI runs.
|
||||
echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}"
|
||||
echo "Source branch enforcement: OK (protected by Gitea branch rules)"
|
||||
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
|
||||
Reference in New Issue
Block a user