From e6996a75cd6b02d2a763d2d4149f8acfe7269ea4 Mon Sep 17 00:00:00 2001
From: Joseph Rhoads <jrhoads@datacite.org>
Date: Mon, 27 Oct 2025 16:55:55 +0100
Subject: [PATCH] feat: Add flow guard CI for promotion paths (#497)

---
 .github/workflows/flow-guard.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/flow-guard.yml

diff --git a/.github/workflows/flow-guard.yml b/.github/workflows/flow-guard.yml
new file mode 100644
index 0000000..869b9ae
--- /dev/null
+++ b/.github/workflows/flow-guard.yml
@@ -0,0 +1,29 @@
+name: Flow Guard
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  flow-guard:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Validate promotion path
+        run: |
+          BASE="${{ github.event.pull_request.base.ref }}"
+          HEAD="${{ github.event.pull_request.head.ref }}"
+          echo "Base: $BASE Head: $HEAD"
+
+          if [ "$BASE" = "staging" ]; then
+            if [ "$HEAD" != "dev" ]; then
+              echo "ERROR: staging can only receive PRs from dev."
+              exit 1
+            fi
+          fi
+
+          if [ "$BASE" = "master" ]; then
+            if [ "$HEAD" != "staging" ]; then
+              echo "ERROR: master can only receive PRs from staging."
+              exit 1
+            fi
+          fi
+
+          echo "Flow guard passed."