From 28dc1ac4fe9cc09fdb4e506fc4681b4c2a10667a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Jul 2026 04:04:25 +0000 Subject: [PATCH 1/2] Add workflow to enforce PR branch flow --- .github/workflows/pr-branch-policy.yml | 28 ++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/pr-branch-policy.yml diff --git a/.github/workflows/pr-branch-policy.yml b/.github/workflows/pr-branch-policy.yml new file mode 100644 index 0000000..4fdb5fc --- /dev/null +++ b/.github/workflows/pr-branch-policy.yml @@ -0,0 +1,28 @@ +name: PR Branch Policy + +on: + pull_request: + types: [opened, reopened, synchronize, edited, ready_for_review] + +jobs: + validate-pr-flow: + runs-on: ubuntu-latest + steps: + - name: Validate source and target branches + env: + BASE_REF: ${{ github.event.pull_request.base.ref }} + HEAD_REF: ${{ github.event.pull_request.head.ref }} + run: | + if [ "$BASE_REF" = "dev" ]; then + echo "Allowed: any branch can open PR to dev." + exit 0 + fi + + if [ "$BASE_REF" = "main" ] && [ "$HEAD_REF" = "dev" ]; then + echo "Allowed: only dev can open PR to main." + exit 0 + fi + + echo "Blocked: PR flow must be dev> or main>." + echo "Current flow: $HEAD_REF -> $BASE_REF" + exit 1 From 3adda3cbe30091363634f505b06cb23b65986d03 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Jul 2026 04:05:07 +0000 Subject: [PATCH 2/2] Harden PR policy workflow token permissions --- .github/workflows/pr-branch-policy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pr-branch-policy.yml b/.github/workflows/pr-branch-policy.yml index 4fdb5fc..9d53976 100644 --- a/.github/workflows/pr-branch-policy.yml +++ b/.github/workflows/pr-branch-policy.yml @@ -4,6 +4,8 @@ on: pull_request: types: [opened, reopened, synchronize, edited, ready_for_review] +permissions: {} + jobs: validate-pr-flow: runs-on: ubuntu-latest