Problem
Branch protection enforced by hand drifts. Artifact storage on a public repo grows without bound. SAST (CodeQL) is the cheapest static security signal.
Proposed solution
Port .github/branch-protection/{main,develop}.json (declarative protection: required status checks, no force-push, no deletions, conversation_resolution, 1 approving review). Port .github/workflows/branch-protection.yml (runs weekly, on workflow_dispatch, and on edits to the JSON; applies the JSON via gh api). Port .github/workflows/artifact-cleanup.yml (weekly, prunes artifacts older than 7 days). Port .github/workflows/codeql.yml (Python + JS/TS, scheduled).
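An added example, not one of the issue's own files, of what the declarative protection and #10's contexts-sync gate amount to in code: the body branch-protection.yml would PUT through gh api for one branch, and a check that every required context is a job ci.yml actually reports (a job's name: if set, otherwise its key). The field names are those of GitHub's branch-protection REST endpoint; the sample ci.yml is constructed, and the job scan reads it by indentation rather than with a YAML library.

```python
import re
# Constructed sample ci.yml (not from the issue): one job keyed `lint`, one renamed via name:.
CI_YML = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Run ruff
        run: ruff check .
  test:
    name: Unit tests
"""

def protection_body(contexts, approvals=1):
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection, as fed to `gh api --input`."""
    return {
        "required_status_checks": {"strict": True, "contexts": sorted(contexts)},
        "enforce_admins": True,
        "required_pull_request_reviews": {"required_approving_review_count": approvals},
        "restrictions": None,                      # no push restrictions
        "allow_force_pushes": False,
        "allow_deletions": False,
        "required_conversation_resolution": True,
    }

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # job key: exactly 2-space indent
NAME_RE = re.compile(r"^    name:\s*(.+?)\s*$")   # job-level name: 4 spaces (step names sit deeper)

def workflow_contexts(workflow_yaml):
    """Context names the workflow reports: a job's name: if set, otherwise its key."""
    contexts, in_jobs, current = {}, False, None
    for line in workflow_yaml.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif not in_jobs:
            continue
        elif line and not line.startswith(" "):
            break                                  # left the jobs: mapping
        elif (m := JOB_RE.match(line)):
            current = m.group(1)
            contexts[current] = current
        elif (m := NAME_RE.match(line)) and current:
            contexts[current] = m.group(1).strip("'\"")
    return set(contexts.values())

def drifted_contexts(protection, workflow_yaml):
    """Required contexts no job produces; each one blocks every merge on that branch."""
    required = set(protection["required_status_checks"]["contexts"])
    return sorted(required - workflow_contexts(workflow_yaml))
```

A non-empty result from drifted_contexts is exactly the drift the contexts-sync gate is meant to fail on: a context that was renamed or removed in ci.yml but is still required by the protection JSON.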
Acceptance criteria
Each workflow can be run via workflow_dispatch. The required status-check contexts match the ci.yml job names (verified by #10's contexts-sync gate, "chore: CI meta-gates (branch-protection contexts sync, commit-types sync)").
Priority rationale
High: portfolio repos get scanned by recruiters and other engineers. Solid branch protection + SAST signal trust.
Depends on
#9, #10