Description
OpenSSF Scorecard reports Branch-Protection: 4–6/10 on six platform-mesh repos. Branch protection on the default and release branches is not maximal — typically missing one or more of: required reviewers, dismiss-stale-reviews, require-PR-before-merge, require-status-checks, prevent force-push, prevent deletion.
Fix pattern (per repo):
- GitHub repo settings → Branches → add/edit ruleset for `main` (and any `release-*` branch):
  - Require pull request before merging
  - Require approvals: at least 1 (2 for security-sensitive repos)
  - Dismiss stale pull request approvals when new commits are pushed
  - Require status checks to pass before merging
  - Require branches to be up to date before merging
  - Restrict deletions
  - Block force pushes
- Alternatively: use a shared org-level ruleset and point all repos at it.
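The checklist above as an offline audit over a ruleset payload in the shape of the GitHub Rulesets REST API (added example, not the project's own tooling; the ruleset contents and the `ci` status-check name are constructed, so the same function can be pointed at real `gh api .../rulesets/{id}` output):

```python
"""Audit a GitHub ruleset (Rulesets REST API shape) against the
branch-protection checklist from this issue."""

# Constructed org-level ruleset in the Rulesets API shape (assumed layout of
# the ruleset this issue proposes, not the project's actual configuration).
ORG_RULESET = {
    "name": "platform-mesh-branch-protection",
    "target": "branch",
    "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main", "refs/heads/release-*"],
                                "exclude": []}},
    "rules": [
        {"type": "deletion"},           # Restrict deletions
        {"type": "non_fast_forward"},   # Block force pushes
        {"type": "pull_request", "parameters": {
            "required_approving_review_count": 1,
            "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": False,
            "require_last_push_approval": False,
            "required_review_thread_resolution": False}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True,   # branch up to date
            "required_status_checks": [{"context": "ci"}]}},  # constructed name
    ],
}


def missing_protections(ruleset, min_approvals=1):
    """Return the checklist items this ruleset does not satisfy (empty list = all good)."""
    rules = {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}
    missing = []
    if ruleset.get("enforcement") != "active":
        missing.append("ruleset not actively enforced")
    pr = rules.get("pull_request")
    if pr is None:
        missing.append("require pull request before merging")
    else:
        if pr.get("required_approving_review_count", 0) < min_approvals:
            missing.append(f"require at least {min_approvals} approval(s)")
        if not pr.get("dismiss_stale_reviews_on_push"):
            missing.append("dismiss stale approvals on new commits")
    checks = rules.get("required_status_checks")
    if checks is None or not checks.get("required_status_checks"):
        missing.append("require status checks to pass")
    elif not checks.get("strict_required_status_checks_policy"):
        missing.append("require branch up to date before merging")
    if "deletion" not in rules:
        missing.append("restrict deletions")
    if "non_fast_forward" not in rules:
        missing.append("block force pushes")
    return missing
```

Pass `min_approvals=2` for the security-sensitive repos named in the fix pattern.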
Affected repos
- `custom-images` — Branch-Protection: 5/10
- `ocm` — Branch-Protection: 6/10
- `platform-mesh.github.io` — Branch-Protection: 6/10
- `provider-quickstart` — Branch-Protection: 5/10
- `resource-broker` — Branch-Protection: 4/10
- `upstream-images` — Branch-Protection: 5/10
Notes
- Scorecard may report Warn for some protections simply because the Scorecard token can't see them. Consider granting Scorecard read-only admin access via a fine-grained PAT if scores are stuck after fixes.
Objectives
- All six repos reach Branch-Protection: 8/10 or higher.
- Org-level ruleset documented in the `.github` repo so new repos inherit the same protection.
Demo Required
None
Demo Steps
No response
Epic: #278