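# Fails a pull request when the `main` branch-protection rule does not look
# right or when the PR has no approving review.
#
# NOTE(review): a workflow is advisory until it is itself listed as a required
# status check in the branch-protection rule — on its own it cannot stop a
# merge. It also cannot see direct pushes to `main`: `pull_request` events fire
# only for PRs, so only the protection rule can block those.
name: Enforce Branch Protection

on:
  pull_request:
    types: [opened, synchronize]
  # A PR has no reviews at the moment it is opened, so without this trigger the
  # approval check below fails every new PR and never re-runs once the approval
  # actually arrives.
  pull_request_review:
    types: [submitted, dismissed]

# Least privilege for GITHUB_TOKEN: the script only reads.
# NOTE(review): reading branch protection needs repository admin rights, which
# GITHUB_TOKEN cannot be granted from a workflow; if the call 403s, pass a
# GitHub App / PAT token via `github-token:` — confirm against the API docs.
permissions:
  contents: read
  pull-requests: read

jobs:
  enforce:
    runs-on: ubuntu-latest
    steps:
      - name: Check branch protection status
        # NOTE(review): pin to a full commit SHA rather than a mutable major
        # tag so an upstream tag move cannot change the code that runs here.
        uses: actions/github-script@v6
        with:
          script: |
            // Every failed check is collected so one run reports all of them
            // instead of the last setFailed() message overwriting the others.
            const problems = [];
            const owner = context.repo.owner;
            const repo = context.repo.repo;
            const pull_number = context.payload.pull_request.number;

            // The event payload is a snapshot; re-read the PR so head/author
            // data are current on `synchronize` and review events.
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number });

            // Kept from the original: reject a PR whose *source* branch is
            // `main`. NOTE(review): on a fork PR, `head.ref` is the fork's
            // branch name, so a contributor working on their fork's `main` is
            // rejected too — confirm that is intended (see `pr.head.repo.fork`).
            if (pr.head.ref === 'main') {
              problems.push('Direct pushes to main branch are not allowed. Please create a feature branch.');
            }

            // Branch protection on `main`. A 404 means no rule exists at all,
            // which is itself a failure; any other error is reported verbatim
            // instead of surfacing as an unhandled promise rejection.
            try {
              const { data: protection } = await github.rest.repos.getBranchProtection({ owner, repo, branch: 'main' });
              const checks = protection.required_status_checks;
              if (!checks || !checks.strict) {
                problems.push('Branch protection rules are not properly configured');
              }
            } catch (err) {
              if (err.status === 404) {
                problems.push('Branch protection rules are not properly configured');
              } else {
                problems.push(`Could not read branch protection for main: ${err.message}`);
              }
            }

            // Approval check. The original called `pulls.getReviews`, which is
            // not an Octokit method (the list endpoint is `listReviews`), and
            // counted every APPROVED review ever left, so an approval later
            // superseded by CHANGES_REQUESTED or DISMISSED from the same
            // reviewer still counted. Only each reviewer's latest non-comment
            // review counts, and the PR author cannot approve their own PR.
            // `paginate` walks all pages; the default page is 30 reviews.
            // NOTE(review): approvals left on an older head commit still count
            // here (as in GitHub's own rule without "dismiss stale reviews");
            // compare `review.commit_id` to `pr.head.sha` if that matters.
            const reviews = await github.paginate(github.rest.pulls.listReviews, { owner, repo, pull_number, per_page: 100 });
            const latestStateByUser = new Map();
            for (const review of reviews) {
              if (!review.user || review.user.login === pr.user.login) continue;
              if (review.state === 'COMMENTED') continue; // a comment does not change approval state
              latestStateByUser.set(review.user.login, review.state);
            }
            const approvals = [...latestStateByUser.values()].filter(state => state === 'APPROVED').length;
            if (approvals < 1) {
              problems.push('At least one approval is required for merge');
            }

            if (problems.length > 0) {
              for (const problem of problems) core.error(problem);
              core.setFailed(problems.join('; '));
            }

  # Placeholder for repository-specific checks; it only runs when `enforce`
  # passed and currently does nothing but print a line.
  enforce-branch-protection:
    needs: enforce
    runs-on: ubuntu-latest
    steps:
      - name: Check branch protection status
        run: |
          # Add custom branch protection checks here
          echo "Branch protection enforced"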