Branch protection: enforce DCO, status checks, signed commits and reviews #72

@mwaldheim

Description

Goal

Protect the main branch per OpenSSF Scorecard and CNCF supply chain security requirements.

Required settings on main

  • Require pull request before merging (no direct push)
  • Require at least 1 (ideally 2) approving reviews
  • Dismiss stale reviews on new push
  • Require status checks: CI tests, DCO, lint, OpenSSF Scorecard
  • Require signed commits (GPG / SSH / Vigilant mode)
  • Restrict who can push to main (maintainers only)
  • Require linear history (no merge commits)
  • Do not allow bypassing required checks

Tasks

  • Configure branch protection rules in GitHub settings (or via Terraform/gh CLI)
  • Document the branch strategy in CONTRIBUTING.md
  • Set up a ruleset (GitHub rulesets API, more granular than classic protection)
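The ruleset task above, as an added example that is not part of this issue: a POSIX shell function that builds a rulesets-API payload matching the required settings listed in this issue and applies it with `gh api`. It assumes `gh` is authenticated with admin rights on the target repository; the status-check context names `ci`, `DCO`, `lint` and `Scorecard` are placeholders that must match the check names your workflows actually report.

```shell
#!/usr/bin/env sh
# Constructed example (not from the issue): emit a GitHub ruleset for the
# main branch and POST it via the rulesets REST API using gh.
# Assumptions: gh is authenticated with repo admin rights; the status-check
# contexts below are placeholders and must match your workflow check names.

ruleset_payload() {
  # $1 = required approving review count (the issue asks for 1, ideally 2).
  # bypass_actors is empty so nobody can bypass the required checks, and the
  # pull_request rule means every change to main must come through a PR.
  cat <<EOF
{
  "name": "protect-main",
  "target": "branch",
  "enforcement": "active",
  "bypass_actors": [],
  "conditions": { "ref_name": { "include": ["refs/heads/main"], "exclude": [] } },
  "rules": [
    { "type": "pull_request",
      "parameters": {
        "required_approving_review_count": $1,
        "dismiss_stale_reviews_on_push": true,
        "require_code_owner_review": false,
        "require_last_push_approval": false,
        "required_review_thread_resolution": false
      } },
    { "type": "required_status_checks",
      "parameters": {
        "strict_required_status_checks_policy": true,
        "required_status_checks": [
          { "context": "ci" },
          { "context": "DCO" },
          { "context": "lint" },
          { "context": "Scorecard" }
        ]
      } },
    { "type": "required_signatures" },
    { "type": "required_linear_history" },
    { "type": "deletion" },
    { "type": "non_fast_forward" }
  ]
}
EOF
}

apply_ruleset() {
  # $1 = OWNER/REPO placeholder, $2 = required review count.
  ruleset_payload "$2" | gh api --method POST "repos/$1/rulesets" --input -
}
```

Re-running `apply_ruleset` creates a second ruleset with the same name rather than updating the first; use `gh api repos/OWNER/REPO/rulesets` to list existing ones and `--method PUT` on the ruleset id to change it.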

Metadata

Assignees

No one assigned

Labels

  • area: ci (CI/CD & GitHub Actions)
  • area: cncf (CNCF compliance, governance and supply chain security)
  • priority: high (High priority)
  • type: chore (Maintenance / scaffolding)
