Security: Implement Owner-Only protection, Code Owners, and CI Gatekeeper

Hamas · Hamas · commit 90fa5f6f2e76 · 2026-01-30T19:07:38.000+05:00
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# Owner-Only Security
+# @Hamas owns the entire repository.
+# No PR can be merged without explicit approval.
+* @Hamas
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,30 @@
+name: dart_dlp CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dart-lang/setup-dart@v1
+        with:
+          sdk: stable
+
+      - name: Install dependencies
+        run: dart pub get
+
+      - name: Verify formatting
+        run: dart format --output=none --set-exit-if-changed .
+
+      - name: Analyze project source
+        run: dart analyze
+
+      - name: Run Health Checks
+        run: dart run bin/check_health.dart
diff --git a/.github/workflows/security_check.yml b/.github/workflows/security_check.yml
@@ -0,0 +1,21 @@
+name: Security Gatekeeper
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  gatekeeper:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dart-lang/setup-dart@v1
+      
+      - name: Install dependencies
+        run: dart pub get
+
+      - name: Enforce Formatting
+        run: dart format --output=none --set-exit-if-changed .
+
+      - name: Static Analysis
+        run: dart analyze
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,15 @@
+# Contributing to dart_dlp
+
+## 🔒 Security & Access
+- **Direct pushes to main are disabled.** All contributions must be made via sub-branches and Pull Requests.
+- **Only the repository owner (Hamas) has direct push access to the main branch.**
+
+## Code Standards
+- All Pull Requests must pass the `Security Gatekeeper` check (Format & Analyze).
+- Code must be properly branded with `/// Developed by Hamas`.
+
+## Workflow
+1. Fork the repository.
+2. Create a feature branch.
+3. Submit a Pull Request.
+4. Wait for approval from @Hamas.
diff --git a/GITHUB_SETUP.md b/GITHUB_SETUP.md
@@ -0,0 +1,24 @@
+# GitHub Branch Protection Setup
+
+Follow these steps to secure the `main` branch.
+
+1.  **Go to Settings**:
+    - Navigate to your repository on GitHub.
+    - Click **Settings** > **Branches**.
+
+2.  **Add Rule**:
+    - Click **Add branch protection rule**.
+    - **Branch name pattern**: `main`
+
+3.  **Configure Rules**:
+    - [x] **Require a pull request before merging**
+        - [x] **Require approvals**: 1
+        - [x] **Require review from Code Owners** (Crucial for `lib/src/core` protection)
+    - [x] **Require status checks to pass before merging**
+        - Search for "build" (or whatever your CI job name is once it runs once) and select it.
+    - [x] **Do not allow bypassing the above settings**
+
+4.  **Save**:
+    - Click **Create** or **Save changes**.
+
+Your repository is now secured. Only approved PRs passing CI can land in `main`.
