
SEC: Tighten branch protection rules on main #166


Description

@AlexKantor87

Security: Branch Protection Gaps

Severity: MEDIUM
Audit ref: M4

The Problem

Branch protection on main should be reviewed and tightened. Currently admin merges bypass protections (used for infrastructure PRs). For a public repo, the following should be verified and enforced:

Checklist

  • Required pull request reviews (at least 1 reviewer)
  • Required status checks passing before merge (pipeline-tests at minimum)
  • No force push allowed
  • No branch deletion allowed
  • Require conversation resolution before merging
  • CODEOWNERS approval required (once CODEOWNERS is updated per SEC: Update CODEOWNERS to cover scripts/coding/ and all security-sensitive paths #165)
  • Consider restricting who can push directly
  • Audit use of --admin merge flag — should be exceptional, not routine
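The checklist above maps almost one-to-one onto fields in GitHub's branch-protection REST object, so the audit can be scripted. The following is an added example, not code from the issue or from the project: it takes the JSON that `GET /repos/{owner}/{repo}/branches/main/protection` returns (fetchable with `gh api repos/OWNER/REPO/branches/main/protection`), reports which checklist items are not met, and builds the body for the matching `PUT` that would close them (`gh api -X PUT repos/OWNER/REPO/branches/main/protection --input payload.json`). Field names follow GitHub's documented API; `pipeline-tests` is the check named in the checklist; the sample current state and the team name `infra` are constructed for the example. The `enforce_admins` check is the one that matters for the `--admin` item: while it is off, `gh pr merge --admin` skips every other rule in the list.

```python
"""Audit a GitHub branch-protection object against the checklist in this issue.

Added example, not the project's own tooling. The input shape follows GitHub's
REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection.
"""
import json

# Status checks the checklist requires (pipeline-tests at minimum).
REQUIRED_CHECKS = {"pipeline-tests"}


def _enabled(protection, key):
    """GET responses wrap flags as {"enabled": bool}; PUT bodies use bare booleans."""
    value = protection.get(key, False)
    if isinstance(value, dict):
        value = value.get("enabled", False)
    return bool(value)


def audit_branch_protection(protection):
    """Return a list of checklist gaps; an empty list means every item is satisfied."""
    gaps = []

    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("required pull request reviews: need at least 1 approving reviewer")
    if not reviews.get("require_code_owner_reviews", False):
        gaps.append("CODEOWNERS approval not required")

    checks = protection.get("required_status_checks") or {}
    contexts = set(checks.get("contexts") or [])
    contexts |= {c.get("context") for c in (checks.get("checks") or []) if c.get("context")}
    missing = REQUIRED_CHECKS - contexts
    if missing:
        gaps.append("required status checks missing: " + ", ".join(sorted(missing)))

    if _enabled(protection, "allow_force_pushes"):
        gaps.append("force push allowed")
    if _enabled(protection, "allow_deletions"):
        gaps.append("branch deletion allowed")
    if not _enabled(protection, "required_conversation_resolution"):
        gaps.append("conversation resolution not required")
    # enforce_admins=false is what lets `gh pr merge --admin` bypass all of the above.
    if not _enabled(protection, "enforce_admins"):
        gaps.append("admins can bypass protections (enforce_admins is off)")
    # restrictions is null/absent when anyone with write access may push directly.
    if protection.get("restrictions") is None:
        gaps.append("no push restrictions: anyone with write access can push directly")
    return gaps


def desired_protection_payload(status_checks=("pipeline-tests",), push_teams=()):
    """Body for PUT /repos/{owner}/{repo}/branches/main/protection that satisfies the checklist."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(status_checks)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "required_approving_review_count": 1,
            "require_code_owner_reviews": True,
            "dismiss_stale_reviews": True,
        },
        # Push restrictions only apply to organization repos; null removes them.
        "restrictions": (
            {"users": [], "teams": list(push_teams), "apps": []} if push_teams else None
        ),
        "allow_force_pushes": False,
        "allow_deletions": False,
        "required_conversation_resolution": True,
    }


# Constructed sample resembling the state described in the issue: admin bypass on,
# no CODEOWNERS requirement, no conversation-resolution requirement.
CURRENT_STATE = {
    "required_status_checks": {"strict": False, "contexts": ["pipeline-tests"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": False,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_conversation_resolution": {"enabled": False},
}

if __name__ == "__main__":
    for gap in audit_branch_protection(CURRENT_STATE):
        print("GAP:", gap)
    # "infra" is a hypothetical team name for the push-restriction example.
    print(json.dumps(desired_protection_payload(push_teams=("infra",)), indent=2))
```

Run the audit again after applying the payload; with `enforce_admins` on, the `--admin` merge flag stops working for everyone, which is the intended outcome, so infrastructure PRs need a real review and a green `pipeline-tests` run like any other change.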
