
Enforce branch policies on the repository #81

toddysm opened this issue Mar 8, 2023 · 3 comments

Comments

@toddysm

toddysm commented Mar 8, 2023

To improve the security of the ORAS project we need to enforce the branch policies for this repository. I propose that we enforce the policies as follows:

  • Use the following rules for main and release/* branches:
    • Require PR before merging
      • Require 3 approvals
      • Dismiss stale PR approvals when new commits are pushed
      • Require review from Code Owners
      • Require status checks to pass before merging
      • Require conversation resolution before merging
      • Require signed commits
      • Do not allow bypassing the above settings

Please add your comments and proposals for additional changes to this issue.
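An audit script for the proposal above, added here as an example and not part of this issue or the ORAS project. It assumes the JSON shape returned by GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint (boolean settings wrapped as {"enabled": ...}), uses a constructed sample instead of a live response, and checks one branch at a time, so it would be run once for main and once per release/* branch.

```python
import json

# Added example, not part of this issue. Assumes the JSON shape returned by
# GET /repos/{owner}/{repo}/branches/{branch}/protection, where the boolean
# settings are wrapped as {"enabled": ...}. The sample below is constructed.

# Policy from the proposal: 3 approvals, dismiss stale approvals, code owner
# review, status checks, conversation resolution, signed commits, no bypass.
REQUIRED_APPROVALS = 3


def audit_protection(protection: dict) -> list:
    """Return the policy violations found in one branch's protection settings."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request before merging: not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < REQUIRED_APPROVALS:
            findings.append(f"required approvals: {count} < {REQUIRED_APPROVALS}")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("dismiss stale approvals on new commits: off")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("review from code owners: off")
    if protection.get("required_status_checks") is None:
        findings.append("required status checks: none configured")
    for key, label in (("required_conversation_resolution", "conversation resolution"),
                       ("required_signatures", "signed commits"),
                       ("enforce_admins", "no bypass for administrators")):
        if not protection.get(key, {}).get("enabled"):
            findings.append(f"{label}: off")
    return findings


# Constructed sample: a branch where only some of the proposed rules are on.
SAMPLE_PROTECTION = json.loads("""{
  "required_pull_request_reviews": {"dismiss_stale_reviews": false,
                                    "require_code_owner_reviews": true,
                                    "required_approving_review_count": 1},
  "required_status_checks": {"strict": true, "contexts": ["build"]},
  "required_conversation_resolution": {"enabled": false},
  "required_signatures": {"enabled": false},
  "enforce_admins": {"enabled": true}
}""")

if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_PROTECTION):
        print("VIOLATION:", finding)
```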

@vsoch
Contributor

vsoch commented Mar 8, 2023

This would only work with more contributors. In the past, when I’ve asked for PR reviews in Slack it would take a month or more, often with a manager doing it. I’m good for branch policies but they need to be reasonably feasible.

@vsoch
Contributor

vsoch commented Mar 8, 2023

And how will that improve security? Do you think I’ve been merging code that has introduced security issues? 🤔

@toddysm
Author

toddysm commented Mar 8, 2023

This is a fair point @vsoch. Apologies for the copy and paste from the other repos. I would be happy to help with PR reviews and also fixes. And you are right, we need more contributors for the Python libraries.

To answer your question about how this increases security, it is an additional check so unwanted changes don't sneak in either by mistake or because of a compromised account.
