Skip to content

R22: Harden default-branch and release governance #61

Description

@100yenadmin

Protect main; require PR review and current-head CI, Tests, Quality Checks, E2E Tests, CodeQL, Gitleaks, Dependency Review, and Workflow Lint. Rebuild no-default-publish policy on current publish.yml, require protected-environment approval, and disable the legacy RC workflow only after equivalent controls are proven.

Acceptance: direct push is blocked, reconciliation branches cannot publish, dry-run/workflow proof shows no artifact publication, and rollback is documented.

This issue changes governance only after R05 audit approval.

Parent epic: #39

Tracking ID: R22

Metadata

Metadata

Assignees

No one assigned

    Labels

    P0Release-blocking priority zero workevidence-gateMust close with retained validation evidencefork-onlyElectric Sheep policy or compatibility behavior retained only in the forkreconciliationUpstream reconciliation programrelease-blockerBlocks promotion or release readiness

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions