Summary
Codify and document the GitHub branch-protection ruleset on the default branch so reviewers, auditors, and the OpenSSF Scorecard Branch-Protection check can verify it without admin access.
Background
The repo already enforces signed tags and runs CodeQL, Gitleaks, Scorecard, and lint workflows on PRs. The current branch-protection configuration is not exported or documented, which limits external verifiability and creates drift risk.
Acceptance Criteria
- Default-branch ruleset enforces: required pull-request reviews (>=1, dismiss stale reviews on push), required status checks (CodeQL, Gitleaks, Scorecard, markdown/yaml/python lint, build), required signed commits, restrict force-push, restrict branch deletion, require linear history
- Ruleset JSON exported and committed to docs/security/branch-protection.md with a brief operator runbook
- SECURITY.md links to the exported ruleset
- Verification step (manual or scripted) documented for confirming live config matches the committed JSON
- OpenSSF Scorecard Branch-Protection check reaches its maximum score
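As an added example of the scripted verification step (not the project's own tooling), the Python below audits a ruleset JSON against the criteria above and flags drift between the committed copy and the live ruleset. The status-check context names, the sample rulesets and the `gh api repos/OWNER/REPO/rulesets/ID` fetch command are assumptions; rule type and parameter names follow the GitHub repository-rulesets REST schema.

```python
import json

# Rule types and parameter names follow the GitHub repository-rulesets REST schema.
REQUIRED_RULES = {"pull_request", "required_status_checks", "required_signatures",
                  "non_fast_forward", "deletion", "required_linear_history"}
# Assumed status-check context names; align these with the workflow job names.
REQUIRED_CHECKS = {"CodeQL", "Gitleaks", "Scorecard", "markdown-lint",
                   "yaml-lint", "python-lint", "build"}

def rules_by_type(ruleset):
    """Index a ruleset's rules by type so rule order in the JSON does not matter."""
    return {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}

def audit(ruleset):
    """Return findings against the acceptance criteria; an empty list means it passes."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset is not actively enforced")
    rules = rules_by_type(ruleset)
    findings += [f"missing rule: {t}" for t in sorted(REQUIRED_RULES - rules.keys())]
    pr = rules.get("pull_request", {})
    if pr.get("required_approving_review_count", 0) < 1:
        findings.append("pull_request: fewer than 1 required approval")
    if not pr.get("dismiss_stale_reviews_on_push"):
        findings.append("pull_request: stale reviews not dismissed on push")
    rsc = rules.get("required_status_checks", {})
    contexts = {c["context"] for c in rsc.get("required_status_checks", [])}
    findings += [f"missing status check: {c}" for c in sorted(REQUIRED_CHECKS - contexts)]
    return findings

def drift(committed, live):
    """True when the live ruleset (from `gh api .../rulesets/ID`) differs from the committed one."""
    return (committed.get("enforcement"), rules_by_type(committed)) != \
           (live.get("enforcement"), rules_by_type(live))

# Constructed sample standing in for the JSON committed under docs/security/.
COMMITTED = {
    "name": "default-branch", "enforcement": "active",
    "rules": [
        {"type": "pull_request", "parameters": {
            "required_approving_review_count": 1, "dismiss_stale_reviews_on_push": True}},
        {"type": "required_status_checks", "parameters": {"required_status_checks": [
            {"context": c} for c in sorted(REQUIRED_CHECKS)]}},
        {"type": "required_signatures"}, {"type": "non_fast_forward"},
        {"type": "deletion"}, {"type": "required_linear_history"},
    ],
}
# Constructed "live" copy where the review requirement has been dropped (drift).
LIVE_DRIFTED = json.loads(json.dumps(COMMITTED))
LIVE_DRIFTED["rules"][0]["parameters"]["required_approving_review_count"] = 0
```

Running `audit()` on both copies and `drift()` across them in CI gives the documented verification step a machine-checkable form without admin access.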