From 43c343e62cbf000d1b7c49f351a4c2aa04fc11fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D8=B4=D8=B1=D9=83=D8=A9=20=D8=AE=D8=A8=D9=8A=D8=B1=20?= =?UTF-8?q?=D8=A7=D9=84=D9=85=D8=AD=D8=AF=D9=88=D8=AF=D8=A9?=
Date: Mon, 24 Nov 2025 15:12:19 +0200
Subject: [PATCH] Update github action file
---
.github/workflows/block_reserved_branches.yml | 152 ++++++++++++++++++
1 file changed, 152 insertions(+)
create mode 100644 .github/workflows/block_reserved_branches.yml
diff --git a/.github/workflows/block_reserved_branches.yml b/.github/workflows/block_reserved_branches.yml
new file mode 100644
index 000000000..45525e52b
--- /dev/null
+++ b/.github/workflows/block_reserved_branches.yml
@@ -0,0 +1,152 @@
+name: Block Reserved Branches
+
+on:
+ create:
+ branches:
+ - '**'
+
+jobs:
+ block-reserved-branches:
+ runs-on: app-sever-project-runner
+
+ steps:
+ - name: Validate branch creator + reserved names
+ env:
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ REPO: ${{ github.repository }}
+ BRANCH_NAME: ${{ github.ref_name }}
+ CREATOR: ${{ github.actor }}
+ run: |
+ echo "Branch: $BRANCH_NAME"
+ echo "Creator: $CREATOR"
+
+ #######################################################
+ # 🟦 1) Allowed Users List
+ #######################################################
+ ALLOWED_USERS=(
+ "expsa"
+ "moutazmuhammad"
+ "ronozoro"
+ "Abubaker-Altaib"
+ "altexp"
+ "the5abir"
+ "ahmadaking"
+ "kchyounes19"
+ "abdurrahman-saber"
+ "maltayyar2"
+ )
+
+ IS_ALLOWED="false"
+ for user in "${ALLOWED_USERS[@]}"; do
+ if [[ "$CREATOR" == "$user" ]]; then
+ IS_ALLOWED="true"
+ break
+ fi
+ done
+
+ if [[ "$IS_ALLOWED" == "false" ]]; then
+ echo "❌ User '$CREATOR' is NOT allowed to create branches. Deleting..."
+ curl -s -X DELETE \
+ -H "Authorization: token $GH_TOKEN" \
+ https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
+ exit 1
+ fi
+
+ echo "✔ User '$CREATOR' is allowed."
+
+ #######################################################
+ # 🟦 2) Reserved Branch Names (Your Existing List)
+ #######################################################
+ RESERVED_NAMES=(
+ master
+ dev_odex25_accounting
+ dev_odex25_base
+ dev_odex25_dms
+ dev_odex25_donation
+ dev_odex25_fleet
+ dev_odex25_helpdesk
+ dev_odex25_hr
+ dev_odex25_inventory
+ dev_odex25_maintenance
+ dev_odex25_mobile
+ dev_odex25_pos
+ dev_odex25_project
+ dev_odex25_purchase
+ dev_odex25_realstate
+ dev_odex25_sales
+ dev_odex25_survey
+ dev_odex25_transactions
+ dev_odex25_website
+ dev_odex-event
+ dev_openeducat_erp-14.0.1.0
+ dev_odex25_benefit
+ dev_odex25_takaful
+ master_odex25_accounting
+ master_odex25_base
+ master_odex25_dms
+ master_odex25_donation
+ master_odex25_fleet
+ master_odex25_helpdesk
+ master_odex25_hr
+ master_odex25_inventory
+ master_odex25_maintenance
+ master_odex25_mobile
+ master_odex25_pos
+ master_odex25_project
+ master_odex25_purchase
+ master_odex25_realstate
+ master_odex25_sales
+ master_odex25_survey
+ master_odex25_transactions
+ master_odex25_website
+ master_odex-event
+ master_openeducat_erp-14.0.1.0
+ master_odex25_benefit
+ master_odex25_takaful
+ preprod_odex25_accounting
+ preprod_odex25_base
+ preprod_odex25_dms
+ preprod_odex25_donation
+ preprod_odex25_fleet
+ preprod_odex25_helpdesk
+ preprod_odex25_hr
+ preprod_odex25_inventory
+ preprod_odex25_maintenance
+ preprod_odex25_mobile
+ preprod_odex25_pos
+ preprod_odex25_project
+ preprod_odex25_purchase
+ preprod_odex25_realstate
+ preprod_odex25_sales
+ preprod_odex25_survey
+ preprod_odex25_transactions
+ preprod_odex25_website
+ preprod_odex-event
+ preprod_openeducat_erp-14.0.1.0
+ preprod_odex25_benefit
+ preprod_odex25_takaful
+ )
+
+ # Exact match
+ for reserved in "${RESERVED_NAMES[@]}"; do
+ if [[ "$BRANCH_NAME" == "$reserved" ]]; then
+ echo "❌ Branch name '$BRANCH_NAME' is reserved. Deleting..."
+ curl -s -X DELETE \
+ -H "Authorization: token $GH_TOKEN" \
+ https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
+ exit 1
+ fi
+ done
+
+ #######################################################
+ # 🟦 3) Pattern-based Restriction
+ #######################################################
+ if [[ "$BRANCH_NAME" == master_* || "$BRANCH_NAME" == preprod_* || "$BRANCH_NAME" == dev_* ]]; then
+ echo "❌ Branch name '$BRANCH_NAME' matches restricted pattern. Deleting..."
+ curl -s -X DELETE \
+ -H "Authorization: token $GH_TOKEN" \
+ https://api.github.com/repos/$REPO/git/refs/heads/$BRANCH_NAME
+ exit 1
+ fi
+
+ echo "✅ Branch '$BRANCH_NAME' is allowed."
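Review bot: The three `curl -s -X DELETE` calls (unlisted creator, exact reserved name, restricted pattern) put `$REPO` and `$BRANCH_NAME` into the URL unquoted and unencoded and never check the response, so a branch name containing URL-significant characters such as `#` or `%` can make the request address a different ref than the one that was created, and a failed delete ends in the same `exit 1` as a successful one. Percent-encode the ref name first, quote the URL and let curl report HTTP errors, e.g. `curl -sS --fail -X DELETE -H "Authorization: token $GH_TOKEN" "https://api.github.com/repos/$REPO/git/refs/heads/$ENCODED_REF"`, where `ENCODED_REF` is a placeholder for the encoded name. The `create` event also fires for tags and, as far as I know, does not honour a `branches:` filter, so a tag pushed by someone outside `ALLOWED_USERS` would run the same delete against `refs/heads/<tag name>`; a job-level `if: github.ref_type == 'branch'` would rule that out. Because the check only runs after the ref already exists, with a stored `GH_TOKEN` on a self-hosted runner, a header comment should say that this is a clean-up step and that the actual creation restriction belongs in repository rulesets or branch protection.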