diff --git a/.github/workflows/protect-staging-merge b/.github/workflows/protect-staging-merge
new file mode 100644
index 0000000..f94140b
--- /dev/null
+++ b/.github/workflows/protect-staging-merge
@@ -0,0 +1,23 @@
+name: Protect staging from unauthorized merges
+
+on:
+ pull_request:
+ branches:
+ - staging
+
+jobs:
+ restrict-staging-source:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Enforce allowed source branches into staging
+ run: |
+ SRC="${{ github.head_ref }}"
+ echo "PR source branch: $SRC"
+
+ if [[ "$SRC" == "develop" ]]; then
+ echo "✅ Allowed source branch into staging."
+ exit 0
+ fi
+
+ echo "❌ PRs into staging must come from 'develop'."
+ exit 1
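Review bot: `${{ github.head_ref }}` on the `SRC=` line of the `run:` script is substituted into the script text before bash starts, so the branch name, which the PR author chooses, is parsed as shell code rather than data. Pass it through an `env:` entry on the step and read it only as `"$SRC"`. The check also compares the branch name alone, so a `develop` branch in a fork would pass; comparing the head repository with `github.repository` closes that gap. Separately, the new file is named `protect-staging-merge` with no `.yml`/`.yaml` extension, so GitHub will not load it as a workflow and the gate would never run.

```yaml
      - name: Enforce allowed source branches into staging
        env:
          SRC: ${{ github.head_ref }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          echo "PR source branch: $SRC"

          if [[ "$SRC" == "develop" && "$HEAD_REPO" == "$BASE_REPO" ]]; then
          # … unchanged: allow message, exit 0, fi, deny message, exit 1 …
```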