ci(policy): restrict main PR authors and target bot PRs to dev (#1310)

.github/workflows/main-branch-flow.md

@@ -116,10 +116,11 @@ Notes:
 ### 3) Promotion PR `dev` -> `main`
 
 1. Maintainer opens PR with head `dev` and base `main`.
-2. `main-promotion-gate.yml` runs and fails if head repo/branch is not `<this-repo>:dev`.
-3. `ci-run.yml` and `sec-audit.yml` run on the promotion PR.
-4. Maintainer merges PR once checks and review policy pass.
-5. Merge emits a `push` event on `main`.
+2. `main-promotion-gate.yml` runs and fails unless PR author is `willsarg` or `theonlyhennygod`.
+3. `main-promotion-gate.yml` also fails if head repo/branch is not `<this-repo>:dev`.
+4. `ci-run.yml` and `sec-audit.yml` run on the promotion PR.
+5. Maintainer merges PR once checks and review policy pass.
+6. Merge emits a `push` event on `main`.
 
 ### 4) Push to `dev` or `main` (including after merge)
 

.github/workflows/main-promotion-gate.yml

@@ -22,9 +22,26 @@ jobs:
                   HEAD_REF: ${{ github.head_ref }}
                   HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
                   BASE_REPO: ${{ github.repository }}
+                  PR_AUTHOR: ${{ github.event.pull_request.user.login }}
               run: |
                   set -euo pipefail
 
+                  pr_author_lc="$(echo "${PR_AUTHOR}" | tr '[:upper:]' '[:lower:]')"
+                  allowed_authors=("willsarg" "theonlyhennygod")
+
+                  is_allowed_author=false
+                  for allowed in "${allowed_authors[@]}"; do
+                    if [[ "$pr_author_lc" == "$allowed" ]]; then
+                      is_allowed_author=true
+                      break
+                    fi
+                  done
+
+                  if [[ "$is_allowed_author" != "true" ]]; then
+                    echo "::error::PRs into main are restricted to: willsarg, theonlyhennygod. PR author: ${PR_AUTHOR}. Open this PR against dev instead."
+                    exit 1
+                  fi
+
                   if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then
                     echo "::error::PRs into main must originate from ${BASE_REPO}:dev. Current head repo: ${HEAD_REPO}."
                     exit 1
@@ -35,4 +52,4 @@ jobs:
                     exit 1
                   fi
 
-                  echo "Promotion policy satisfied: ${HEAD_REPO}:${HEAD_REF} -> main"
+                  echo "Promotion policy satisfied: author=${PR_AUTHOR}, source=${HEAD_REPO}:${HEAD_REF} -> main"