From 7f4ed2f67fc861061ab03fa4cd7ddd1d9f012648 Mon Sep 17 00:00:00 2001
From: scottbrumley
Date: Mon, 24 Nov 2025 13:08:10 -0500
Subject: [PATCH] Add workflow to protect staging from unauthorized merges
---
.github/workflows/protect-staging-merge | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 .github/workflows/protect-staging-merge
diff --git a/.github/workflows/protect-staging-merge b/.github/workflows/protect-staging-merge
new file mode 100644
index 0000000..f94140b
--- /dev/null
+++ b/.github/workflows/protect-staging-merge
@@ -0,0 +1,23 @@
+name: Protect staging from unauthorized merges
+
+on:
+ pull_request:
+ branches:
+ - staging
+
+jobs:
+ restrict-staging-source:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Enforce allowed source branches into staging
+ run: |
+ SRC="${{ github.head_ref }}"
+ echo "PR source branch: $SRC"
+
+ if [[ "$SRC" == "develop" ]]; then
+ echo "✅ Allowed source branch into staging."
+ exit 0
+ fi
+
+ echo "❌ PRs into staging must come from 'develop'."
+ exit 1
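Review bot: The `run:` step expands `${{ github.head_ref }}` directly into the script, so the PR author's branch name is interpreted as shell text before the comparison executes; it should reach the script through `env:` and be read only as `"$SRC"`. The test also compares the branch name alone, so a fork branch named `develop` would pass unless the head repository is checked against `$GITHUB_REPOSITORY` as well. The file is added as `.github/workflows/protect-staging-merge` without a `.yml`/`.yaml` extension, which GitHub requires for workflow files, so as committed the check probably never runs. Since a `pull_request` run takes the workflow definition from the PR's merge ref, this job only helps if it is a required status check and changes to the file are themselves reviewed; branch protection on `staging` stays the real control.

```yaml
      - name: Enforce allowed source branches into staging
        env:
          # PR-controlled metadata is handed to the shell as data, never spliced into the script text
          SRC: ${{ github.head_ref }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
        run: |
          echo "PR source branch: $SRC"

          # require both the expected branch name and that the head lives in this repository
          if [[ "$SRC" == "develop" && "$HEAD_REPO" == "$GITHUB_REPOSITORY" ]]; then
          # … unchanged: allow message, exit 0, fi, deny message, exit 1 …
```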