task: Scorecard — enforce PR review on default branches (Code-Review failing)

[mirzakopic]

Description

This is the most security-relevant Scorecard finding currently open.

Four repos have Code-Review: 0–2/10 because most commits to the default branch land without an approved pull request. Scorecard counts approved changesets vs total changesets in recent history:

Repo	Approved / Total	Score
helm-charts	1 / 21	0/10
portal-server-lib	1 / 16	0/10
portal-ui-lib	1 / 13	0/10
upstream-images	6 / 30	2/10

This means commits are being pushed directly to main (or PRs are being merged without an approving review), bypassing the review process even when one nominally exists.

Root causes (likely)

• Default branch is not protected, OR
• Branch protection allows admins to bypass, OR
• "Required approvals: 0" is configured, OR
• Bot commits (Dependabot, release-please) are being self-approved or merged without review.

Steps (per repo)

1. Audit recent commits: gh api repos/platform-mesh/<repo>/commits --paginate | jq '.[] | {sha:.sha[:8], author:.author.login, msg:.commit.message[:60]}' → identify which commits lack an associated PR.
2. Check current branch protection: gh api repos/platform-mesh/<repo>/branches/main/protection.
3. Enable: Require pull request before merging + Require approvals: ≥ 1 + Dismiss stale approvals + Do not allow bypassing the above settings.
4. For Dependabot/automated bots: configure auto-merge with required approval from a separate reviewer (or a CODEOWNERS-based bot reviewer).

Affected repos

• helm-charts — Code-Review: 0/10 (1/21 approved)
• portal-server-lib — Code-Review: 0/10 (1/16 approved)
• portal-ui-lib — Code-Review: 0/10 (1/13 approved)
• upstream-images — Code-Review: 2/10 (6/30 approved)

Objectives

• All four repos reach Code-Review: 8/10 or higher.
• Branch protection prevents direct push to default branch, even for org admins.
• Bot commits flow through a reviewed PR process.

Demo Required

None

Demo Steps

No response

---

Epic: #278