protect main branch against force push and delete #6

Merged: dave2wave merged 1 commit into apache:main from hboutemy:protect-main, Mar 22, 2026

@hboutemy
Member

Protect GH main branch against forced push and delete.
For GHA, every commit is de facto a distribution, so this type of protection is even more useful than on any other Git repo.

@ppkarwasz I suppose that such a Git repo for GH Actions would deserve SLSA Source controls: I did not really study https://slsa.dev/spec/v1.2/source-requirements but the basic protection I'm configuring in this PR is really the most basic first step

To me, with proper Git tag protection (I don't know how to implement it, just talking from a pure logic perspective), such GHA could promote using Git tags again, which would be a great benefit for users to navigate from release to release, instead of using just Git commits chosen arbitrarily.

just proposing a first step

@dave2wave
Member

Thank you for catching this.

@dave2wave dave2wave merged commit 9f69e61 into apache:main Mar 22, 2026
@hboutemy hboutemy deleted the protect-main branch March 22, 2026 17:15
@ppkarwasz

Hi @hboutemy,

Yes, the minimum protection to reach a SLSA Source Level 2 requirement is disabling deletion and force-push on protected branches and tags. However, non-admin users and third parties will not be able to verify that until apache/infrastructure-asfyaml#89 is merged and we switch to GitHub Rulesets. Also, currently tags are not protected.
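
Added example, not part of the thread or of the project's code: a check that a ref's active ruleset rules include the two protections named above. It assumes the input has the shape of GitHub's "get rules for a branch" REST response (a JSON list of objects with a `type` field); the sample responses and the `example-org/example-action` name are constructed.

```python
import json

# GitHub ruleset rule types matching the two protections named in the thread.
REQUIRED_RULES = {
    "deletion": "block deletion",
    "non_fast_forward": "block force-push",
}

def missing_protections(active_rules):
    """Return required rule types absent from a ref's list of active rules.

    Assumed input shape: the JSON list returned by GitHub's
    GET /repos/{owner}/{repo}/rules/branches/{branch}, one object per rule,
    each carrying a "type" string.
    """
    present = {r.get("type") for r in active_rules if isinstance(r, dict)}
    return sorted(t for t in REQUIRED_RULES if t not in present)

def report(ref, active_rules):
    """Build a one-line verdict for a ref, listing what is not enforced."""
    missing = missing_protections(active_rules)
    if not missing:
        return f"{ref}: OK (deletion and force-push blocked)"
    gaps = ", ".join(f"{t} ({REQUIRED_RULES[t]})" for t in missing)
    return f"{ref}: MISSING rules: {gaps}"

# Constructed sample responses (not captured from any real repository).
SAMPLE_PROTECTED = json.loads("""[
  {"type": "deletion", "ruleset_source_type": "Repository",
   "ruleset_source": "example-org/example-action", "ruleset_id": 1},
  {"type": "non_fast_forward", "ruleset_source_type": "Repository",
   "ruleset_source": "example-org/example-action", "ruleset_id": 1}
]""")
SAMPLE_PARTIAL = json.loads("""[
  {"type": "deletion", "ruleset_source_type": "Repository",
   "ruleset_source": "example-org/example-action", "ruleset_id": 1}
]""")

if __name__ == "__main__":
    print(report("main", SAMPLE_PROTECTED))
    print(report("main", SAMPLE_PARTIAL))
    print(report("main", []))  # no ruleset rules apply to the ref
```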
