From 042b9b2b2f0f444b66422a70aa3906cabb78c962 Mon Sep 17 00:00:00 2001
From: Will Anderson
Date: Thu, 7 May 2026 01:07:20 -0500
Subject: [PATCH] =?UTF-8?q?Enforce=20dev-only=20source=20on=20stage=20?= =?UTF-8?q?=E2=80=94=20reject=20PRs=20from=20non-dev=20branches?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/stage.yaml | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/.gitea/workflows/stage.yaml b/.gitea/workflows/stage.yaml
index 6ebdfff..303fcf2 100644
--- a/.gitea/workflows/stage.yaml
+++ b/.gitea/workflows/stage.yaml
@@ -32,19 +32,23 @@ jobs:
 steps:
 - name: Enforce dev-only source
- # stage branch only accepts merges from dev. A direct push from any
- # other branch fails here so the rest of the pipeline never runs.
+ # stage only accepts merges from dev. Any PR from another branch fails
+ # here before a single build step runs.
 # workflow_dispatch is exempt (allows manual redeploy of current stage).
 if: github.event_name != 'workflow_dispatch'
 run: |
- BASE=$(git -C "$GITHUB_WORKSPACE" log --pretty=format:"%D" -1 2>/dev/null || true)
- # On a merge-to-stage push the parent is the tip of dev.
- # We check the merge commit parents: if the non-stage parent is not
- # from dev, reject. For direct pushes (no merge commit) the
- # committer origin cannot be verified here — branch protection
- # (enable_push=false) blocks direct non-admin pushes before CI runs.
- echo "Event: ${{ github.event_name }}, ref: ${{ github.ref }}"
- echo "Source branch enforcement: OK (protected by Gitea branch rules)"
+ set -euo pipefail
+ COMMIT_MSG=$(git log -1 --pretty=format:"%s" 2>/dev/null || true)
+ echo "Merge commit: $COMMIT_MSG"
+ # Gitea merge commits: "Merge pull request '...' (#N) from dev into stage"
+ # Direct branch merges: "Merge branch 'dev' into stage"
+ if echo "$COMMIT_MSG" | grep -qE " from dev into stage$| 'dev' into stage$"; then
+ echo "Source branch check: OK (merged from dev)"
+ else
+ echo "ERROR: stage only accepts merges from dev."
+ echo "Commit message was: $COMMIT_MSG"
+ exit 1
+ fi
 - name: Checkout
 uses: actions/checkout@v4
-- 2.52.0
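Review bot: The new `git log -1 --pretty=format:"%s"` runs in the "Enforce dev-only source" step, which is ordered before the `- name: Checkout` / `actions/checkout@v4` step, so on a clean runner there is no repository to read; `2>/dev/null || true` then leaves `COMMIT_MSG` empty and the step exits 1 on every run (or, if the runner reuses a workspace, it inspects a stale commit). More importantly, a commit subject is written by whoever creates the commit, so `grep -qE " from dev into stage$| 'dev' into stage$"` can be satisfied by anyone able to name a branch `dev` or to craft a subject ending in that text — it is a sanity check, not an authorization control, and the comment `# stage only accepts merges from dev. Any PR from another branch fails` should say that branch protection on `stage` remains the real gate. I would move the step after the checkout with `fetch-depth: 0` and decide from the commit graph rather than the subject, as below; if `stage` is ever squash-merged or fast-forwarded, the `HEAD^2` test needs adjusting, so confirm the repository's merge style first. The enclosing `steps:` list and its job header start outside the hunk.
```yaml
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # origin/dev and full parent history are needed for the check

      - name: Enforce dev-only source
        # workflow_dispatch is exempt (allows manual redeploy of current stage).
        if: github.event_name != 'workflow_dispatch'
        run: |
          set -euo pipefail
          # The subject line is author-controlled; judge the graph instead:
          # HEAD must be a merge commit whose second parent is on origin/dev.
          SRC=$(git rev-parse --verify -q HEAD^2) || { echo "ERROR: stage tip is not a merge commit"; exit 1; }
          if git merge-base --is-ancestor "$SRC" origin/dev; then
            echo "Source branch check: OK (merged from dev)"
          else
            echo "ERROR: stage only accepts merges from dev."
            exit 1
          fi
```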