From fd1977604b9f5659680604717f2bb7548a8e557a Mon Sep 17 00:00:00 2001
From: 0xmariowu <130952152+0xmariowu@users.noreply.github.com>
Date: Wed, 6 May 2026 14:37:07 +0800
Subject: [PATCH] =?UTF-8?q?ci(pr-flow):=20add=20PR=20base=20guard=20?=
 =?UTF-8?q?=E2=80=94=20reject=20PRs=20whose=20base=20!=3D=20default=20bran?=
 =?UTF-8?q?ch?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../assert-base-is-default-branch.yml         | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/assert-base-is-default-branch.yml

diff --git a/.github/workflows/assert-base-is-default-branch.yml b/.github/workflows/assert-base-is-default-branch.yml
new file mode 100644
index 00000000..28b18f4e
--- /dev/null
+++ b/.github/workflows/assert-base-is-default-branch.yml
@@ -0,0 +1,29 @@
+name: PR base guard
+
+# Reject PRs whose base is not the repo's default branch.
+# Stacked PRs (PR-on-PR) are not supported here: under squash merge the
+# downstream PR's base ref still points at the pre-squash commits, so the
+# chain silently desyncs. Branch from the default branch and merge serially.
+
+on:
+  pull_request:
+    types: [opened, reopened, edited, synchronize]
+
+permissions: {}
+
+jobs:
+  base-must-be-default:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Reject if base is not the default branch
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          if [ "$BASE_REF" != "$DEFAULT_BRANCH" ]; then
+            echo "::error::PR #${PR_NUMBER} base is '${BASE_REF}', must be '${DEFAULT_BRANCH}'."
+            echo "Stacked PRs are not supported. Branch from '${DEFAULT_BRANCH}' and merge serially."
+            exit 1
+          fi
+          echo "OK: base '${BASE_REF}' matches default branch."