
PR Branch Policy

This project enforces pull request branch flow through a GitHub Actions workflow: .github/workflows/pr-branch-policy.yml.

Protected Base Branch Rules

  1. stage -> main is allowed.
  2. hotfix/* -> main is allowed.
  3. dev -> stage is allowed.
  4. release/* -> stage is allowed.

Non-Protected Base Branches

Any source branch can target non-protected base branches, for example:

  1. stage
  2. dev
  3. working
  4. feature/*
  5. fix/*

Override

Add the PR label policy-override to bypass enforcement.

Draft PR Behavior

Draft PRs are marked with a warning and are not blocked until they are marked ready for review.

Enforcement Actions

When policy fails:

  1. A comment is posted on PR with reason.
  2. PR author is assigned.
  3. PR is closed automatically.
  4. Workflow fails.

Protected Branch Fallback (Without Admin Rulesets)

When hard GitHub branch protection/rulesets are not available, the workflow applies post-event rollback controls for:

  1. main
  2. stage

Direct Push Auto-Revert

On push to protected branches:

  1. If commit is from merged PR (same base branch), push is allowed.
  2. If actor is github-actions[bot], push is allowed.
  3. Otherwise push is treated as unauthorized.
  4. Workflow reverts commit range (before..after) and pushes revert commit.
  5. Workflow fails after revert so violation remains visible.

Branch Delete Auto-Restore

  1. Allowed pushes update backup ref: refs/tags/backup/<branch>/latest.
  2. If protected branch is deleted, workflow recreates branch from backup ref.
  3. Workflow fails after restore so deletion event is visible.

Limitations

  1. This is rollback after event, not pre-event hard block.
  2. Restore works only when backup ref already exists.
  3. Auto-revert may require manual intervention if git revert conflict occurs.
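
The decision rules from "Direct Push Auto-Revert" and "Branch Delete Auto-Restore", written out as a pure function. This is an added example, not the project's workflow code. The function name, the shape of the `event` object, the `associatedPrs` list and the returned action names are assumptions made for illustration.

```javascript
// Added example: decision logic only. Field names on `event` and the returned
// action names are this example's own; all sample values are constructed.
const PROTECTED = ["main", "stage"];
const BOT_ACTOR = "github-actions[bot]";

function branchFromRef(ref) {
  const prefix = "refs/heads/";
  return ref.startsWith(prefix) ? ref.slice(prefix.length) : null;
}

// event: { ref, before, after, deleted, actor }
// associatedPrs: PRs linked to the pushed commit ({ merged_at, base: { ref } })
// backupRefExists: whether refs/tags/backup/<branch>/latest currently resolves
function decidePush(event, associatedPrs, backupRefExists) {
  const branch = branchFromRef(event.ref);
  if (branch === null || !PROTECTED.includes(branch)) {
    return { action: "ignore", failWorkflow: false };
  }
  const backupRef = `refs/tags/backup/${branch}/latest`;

  if (event.deleted) {
    // Limitation 2: restore is only possible when a backup ref was recorded earlier.
    return backupRefExists
      ? { action: "restore", from: backupRef, failWorkflow: true }
      : { action: "manual", reason: "no backup ref", failWorkflow: true };
  }

  // Rule 1: the commit comes from a PR merged into this same base branch.
  const fromMergedPr = associatedPrs.some(
    (pr) => pr.merged_at !== null && pr.base.ref === branch
  );
  // Rule 2: pushes by github-actions[bot] are allowed.
  if (fromMergedPr || event.actor === BOT_ACTOR) {
    return { action: "allow", updateBackup: backupRef, failWorkflow: false };
  }
  // Rules 3-5: unauthorized push; revert the range and fail the run.
  return { action: "revert", range: `${event.before}..${event.after}`, failWorkflow: true };
}

// Constructed sample: a direct push to main by a user, with no merged PR behind it.
const sample = { ref: "refs/heads/main", before: "aaa1111", after: "bbb2222",
                 deleted: false, actor: "alice" };
console.log(decidePush(sample, [], true));
```

A PR merged into a different base branch does not authorize the push, and a delete with no backup ref falls through to manual handling, matching the limitations listed above.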