ci(gitflow): enforce branch and PR governance checks

.gitea/scripts/check-branch-name.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env sh
+set -eu
+
+branch="${1:-}"
+
+if [ -z "$branch" ]; then
+  echo "Missing branch name."
+  exit 1
+fi
+
+case "$branch" in
+  dev|staging|main)
+    echo "Long-lived branch detected: $branch"
+    exit 0
+    ;;
+esac
+
+if printf "%s" "$branch" | grep -Eq '^(todo|refactor|code)\/[a-z0-9]+([._-][a-z0-9]+)*$'; then
+  echo "Branch naming valid: $branch"
+  exit 0
+fi
+
+echo "Invalid branch name: $branch"
+echo "Expected: todo/<slug> | refactor/<slug> | code/<slug>"
+exit 1

.gitea/scripts/check-pr-todo-reference.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+set -eu
+
+body="${1:-}"
+
+if [ -z "$body" ]; then
+  echo "PR body is empty."
+  exit 1
+fi
+
+if printf "%s" "$body" | grep -Eq 'TODO|todo|\[P[1-3]\]'; then
+  echo "PR body includes TODO reference."
+  exit 0
+fi
+
+echo "PR body must reference the related TODO item."
+exit 1

.gitea/scripts/configure-branch-protection.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env sh
+set -eu
+
+if [ "${#}" -ne 4 ]; then
+  echo "Usage: $0 <base-url> <owner> <repo> <token>"
+  exit 1
+fi
+
+base_url="$1"
+owner="$2"
+repo="$3"
+token="$4"
+
+protect_branch() {
+  branch="$1"
+
+  curl -sS -X POST \
+    "${base_url}/api/v1/repos/${owner}/${repo}/branch_protections" \
+    -H "Authorization: token ${token}" \
+    -H "Content-Type: application/json" \
+    -d "{
+      \"branch_name\": \"${branch}\",
+      \"enable_push\": false,
+      \"enable_push_whitelist\": false,
+      \"enable_merge_whitelist\": false,
+      \"enable_status_check\": true,
+      \"status_check_contexts\": [\"Governance Checks\", \"Lint Typecheck Unit E2E\"]
+    }" >/dev/null
+}
+
+protect_branch "main"
+protect_branch "staging"
+
+echo "Branch protection applied for main and staging."