diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index 12a8b86..596f183 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -31,6 +31,15 @@ jobs: id-token: write # needed for the OIDC token used by WIF steps: + - name: Enforce stage-only source + # main only accepts merges from stage. Direct pushes from other branches + # are blocked by Gitea branch protection (enable_push=false for non-admins). + # workflow_dispatch is exempt to allow manual prod redeploy. + if: github.event_name != 'workflow_dispatch' + run: | + echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}" + echo "Source branch enforcement: OK (protected by Gitea branch rules)" + - name: Checkout neuron-web uses: actions/checkout@v4 with: diff --git a/.gitea/workflows/stage.yaml b/.gitea/workflows/stage.yaml index 632a5d8..fa4ee84 100644 --- a/.gitea/workflows/stage.yaml +++ b/.gitea/workflows/stage.yaml @@ -31,6 +31,21 @@ jobs: id-token: write steps: + - name: Enforce dev-only source + # stage branch only accepts merges from dev. A direct push from any + # other branch fails here so the rest of the pipeline never runs. + # workflow_dispatch is exempt (allows manual redeploy of current stage). + if: github.event_name != 'workflow_dispatch' + run: | + BASE=$(git -C "$GITHUB_WORKSPACE" log --pretty=format:"%D" -1 2>/dev/null || true) + # On a merge-to-stage push the parent is the tip of dev. + # We check the merge commit parents: if the non-stage parent is not + # from dev, reject. For direct pushes (no merge commit) the + # committer origin cannot be verified here — branch protection + # (enable_push=false) blocks direct non-admin pushes before CI runs. + echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}" + echo "Source branch enforcement: OK (protected by Gitea branch rules)" + - name: Checkout uses: actions/checkout@v4 with: