Enforce branch protection via .github/branch-protection.main.json (Closes #95)#167
Merged
a5a9a87 to 6e12ac8
Closes #95

Implement automated, auditable branch protection enforcement for the `main` branch by introducing a committed JSON source of truth, apply and verify scripts, offline regression tests, and a post-merge workflow that auto-applies the ruleset on changes.

Changes:
- Add .github/branch-protection.main.json with required_approving_review_count=1 and require_code_owner_reviews=true
- Add scripts/apply-branch-protection.sh (PUT ruleset to GitHub API)
- Add scripts/verify-branch-protection.sh (GET and diff against JSON)
- Add scripts/verify-context-names.sh (validate all contexts map to real jobs)
- Add tests/branch-protection.test.sh (offline shim-based test suite)
- Add .github/workflows/apply-branch-protection.yml (post-merge auto-apply)
- Wire branch-protection recipes into justfile
- Add branch-protection-test job to _required.yml CI
- Update pixi.toml to include jq dependency and test-branch-protection task
- Update docs/branch-protection.md with enforcement procedure
- Update CLAUDE.md to remove "Branch protection partial" defect entry
- Update docs/audit-2026-04-28/remediation-plan.md (if exists)

Verification:
- All 15 required-status-check contexts map to real workflow job names
- JSON validates with jq
- Offline test suite passes (clean, drift, missing-token, malformed-JSON cases)
- Scripts pass shellcheck

References: Closes #95. Partially closes #102 (API half only; CODEOWNERS coverage audit remains open). Refs #81 (audit remediation).

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Signed-off-by: mvillmow <4211002+mvillmow@users.noreply.github.com>
Summary
Implement automated, auditable branch protection enforcement for the
`main` branch by introducing a committed JSON source of truth, apply and verify
scripts, offline regression tests, and a post-merge workflow that
auto-applies the ruleset on changes.
Implementation
Files Created:
- .github/branch-protection.main.json: committed source of truth with `required_approving_review_count=1` and `require_code_owner_reviews=true`
- scripts/apply-branch-protection.sh: PUT ruleset to GitHub API
- scripts/verify-branch-protection.sh: GET and diff against JSON
- scripts/verify-context-names.sh: validate all contexts map to real workflow jobs
- tests/branch-protection.test.sh: offline shim-based test suite with 4 test cases
- .github/workflows/apply-branch-protection.yml: post-merge auto-apply workflow
Files Modified:
- pixi.toml: add `jq` dependency and `test-branch-protection` task
- justfile: wire 3 new recipes (`apply-branch-protection`, `verify-branch-protection`, `test-branch-protection`) and update `check` target
- .github/workflows/_required.yml: add `branch-protection-test` job
- docs/branch-protection.md: update with correct job names and enforcement procedure
- CLAUDE.md: remove "Branch protection partial" defect entry
Verification
✅ All 15 required-status-check contexts map to real workflow job names
✅ JSON validates with jq
✅ Offline test suite passes (clean, drift, missing-token, malformed-JSON cases)
✅ All scripts are executable
Post-Merge Manual Steps
One-time admin setup required:
1. `BRANCH_PROTECTION_PAT`: fine-grained PAT scoped to `Administration: write` on ProjectProteus
2. `.github/workflows/apply-branch-protection.yml` will fire automatically and apply the ruleset
References
Closes #95
Partially closes #102 (API half only; `require_code_owner_reviews=true` enforced here; CODEOWNERS coverage audit remains open)
Refs #81 (audit remediation)
Co-Authored-By: Claude Haiku 4.5 noreply@anthropic.com
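The verify step the description outlines (GET the live protection, diff it against the committed JSON) and the context-name check, as an added worked example that is not the project's own scripts (the description says those are shell and jq). The PUT/GET `/repos/{owner}/{repo}/branches/{branch}/protection` endpoint pair is the real API; the committed document beyond the two values the description states, the "live" response, and the workflow text are all constructed here so the check runs offline, in the same spirit as the PR's shim-based tests. The point it makes that the description does not: the GET response is not the PUT body (booleans come back wrapped in `{"enabled": ...}`, read-only `url` fields are added, null sections are omitted, contexts are unordered), so a naive diff of the two documents reports drift forever and the comparison has to normalise the live side first.

```python
"""Drift check of a committed branch-protection document against the live
GitHub GET response, plus a check that every required status-check context
names a job that exists in a workflow. Added example, not the project's
scripts; all data below is constructed so it runs offline."""
import copy
import json
import re

# Constructed: a plausible branch-protection.main.json. The page states only
# required_approving_review_count=1 and require_code_owner_reviews=true; the
# other fields are assumed. This document is also the body PUT sends verbatim.
DESIRED = json.loads("""{
  "required_status_checks": {"strict": true,
    "contexts": ["lint", "unit-tests", "branch-protection-test"]},
  "enforce_admins": true,
  "required_pull_request_reviews": {"dismiss_stale_reviews": true,
    "require_code_owner_reviews": true, "required_approving_review_count": 1},
  "restrictions": null,
  "required_linear_history": true,
  "allow_force_pushes": false,
  "allow_deletions": false,
  "required_conversation_resolution": true
}""")

# Constructed GET response in the shape the API returns: wrapped booleans,
# url fields, extra read-only keys, unordered contexts, null sections omitted.
API = "https://api.github.com/repos/o/r/branches/main/protection"
LIVE_CLEAN = {
    "url": API,
    "required_status_checks": {"url": API + "/required_status_checks",
        "strict": True, "contexts": ["unit-tests", "branch-protection-test", "lint"],
        "checks": [{"context": "unit-tests", "app_id": 15368}]},
    "enforce_admins": {"url": API + "/enforce_admins", "enabled": True},
    "required_pull_request_reviews": {"url": API + "/required_pull_request_reviews",
        "dismiss_stale_reviews": True, "require_code_owner_reviews": True,
        "required_approving_review_count": 1, "require_last_push_approval": False},
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
    "lock_branch": {"enabled": False},
}
# Constructed drift: an admin flipped two switches in the UI and dropped a context.
LIVE_DRIFTED = copy.deepcopy(LIVE_CLEAN)
LIVE_DRIFTED["enforce_admins"]["enabled"] = False
LIVE_DRIFTED["required_pull_request_reviews"]["require_code_owner_reviews"] = False
LIVE_DRIFTED["required_status_checks"]["contexts"].remove("lint")

WRAPPED_BOOLS = ("enforce_admins", "required_linear_history", "allow_force_pushes",
                 "allow_deletions", "required_conversation_resolution",
                 "lock_branch", "allow_fork_syncing", "block_creations")
REVIEW_KEYS = ("dismiss_stale_reviews", "require_code_owner_reviews",
               "required_approving_review_count", "require_last_push_approval")


def normalize_live(live):
    """Project the GET shape onto the PUT shape so the two are comparable."""
    out = {k: bool(live[k].get("enabled", False)) for k in WRAPPED_BOOLS if k in live}
    rsc = live.get("required_status_checks")
    out["required_status_checks"] = None if rsc is None else {
        "strict": rsc.get("strict", False), "contexts": sorted(rsc.get("contexts", []))}
    prr = live.get("required_pull_request_reviews")
    out["required_pull_request_reviews"] = None if prr is None else {
        k: v for k, v in prr.items() if k in REVIEW_KEYS}
    out["restrictions"] = live.get("restrictions")  # absent in GET means null
    return out


def diff_protection(desired, actual, path=""):
    """Return [(path, desired, actual)] for every desired field whose live value
    differs. Only desired keys are walked, so read-only fields the API adds are
    never drift, while a section missing from the live side is."""
    if isinstance(desired, dict) and isinstance(actual, dict):
        return [d for k, want in desired.items()
                for d in diff_protection(want, actual.get(k), f"{path}.{k}" if path else k)]
    if isinstance(desired, list) and isinstance(actual, list):
        desired, actual = sorted(desired), sorted(actual)  # contexts are a set
    return [] if desired == actual else [(path, desired, actual)]


JOB_KEY = re.compile(r"^( +)([A-Za-z0-9_-]+):\s*$")
JOB_NAME = re.compile(r"^( +)name:\s*(.+?)\s*$")


def workflow_job_names(text):
    """Job ids and job-level `name:` overrides from the top-level jobs: block.
    Minimal on purpose: it handles the indented layout Actions workflows use,
    not arbitrary YAML, so it needs no YAML library."""
    names, in_jobs, indent = set(), False, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # any top-level key ends the jobs block
            in_jobs, indent = line.rstrip() == "jobs:", None
            continue
        key, name = JOB_KEY.match(line), JOB_NAME.match(line)
        if in_jobs and key and indent in (None, len(key.group(1))):
            indent = len(key.group(1))
            names.add(key.group(2))
        elif in_jobs and name and indent is not None and len(name.group(1)) == indent + 2:
            names.add(name.group(2).strip("'\""))
    return names


def check_context_names(contexts, workflow_texts):
    """Required contexts no workflow job provides. Such a context never reports,
    the branch becomes unmergeable, and the temptation is to loosen the rule by
    hand: exactly the drift the verify step exists to catch."""
    known = set().union(*(workflow_job_names(t) for t in workflow_texts))
    return sorted(set(contexts) - known)


WORKFLOW = """\
name: required
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
  unit-tests:
    name: unit-tests
    runs-on: ubuntu-latest
    steps:
      - run: make test
  branch-protection-test:
    runs-on: ubuntu-latest
    steps:
      - run: tests/branch-protection.test.sh
"""

if __name__ == "__main__":
    for label, live in (("clean", LIVE_CLEAN), ("drifted", LIVE_DRIFTED)):
        print(label, diff_protection(DESIRED, normalize_live(live)))
    print("unknown contexts:",
          check_context_names(DESIRED["required_status_checks"]["contexts"], [WORKFLOW]))
```

Two caveats a practitioner would want alongside this. When `_required.yml` is invoked as a reusable workflow, GitHub reports each check's context as `<caller job> / <called job>`, so the committed contexts must carry that prefix and the name check needs the caller's job ids too, not just the callee's. And a token with `Administration: write` can remove protection just as easily as apply it, so the post-merge workflow holding `BRANCH_PROTECTION_PAT` is itself a privileged path: keep it triggered only by changes to the committed JSON on the protected branch, and let the verify script, which needs only read access, be the thing that runs everywhere else.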