Protect main; require PR review and current-head CI, Tests, Quality Checks, E2E Tests, CodeQL, Gitleaks, Dependency Review, and Workflow Lint. Rebuild no-default-publish policy on current publish.yml, require protected-environment approval, and disable the legacy RC workflow only after equivalent controls are proven.
Acceptance: direct push is blocked, reconciliation branches cannot publish, dry-run/workflow proof shows no artifact publication, and rollback is documented.
This issue changes governance only after R05 audit approval.
Parent epic: #39
Tracking ID: R22
Protect
main; require PR review and current-head CI, Tests, Quality Checks, E2E Tests, CodeQL, Gitleaks, Dependency Review, and Workflow Lint. Rebuild no-default-publish policy on currentpublish.yml, require protected-environment approval, and disable the legacy RC workflow only after equivalent controls are proven.Acceptance: direct push is blocked, reconciliation branches cannot publish, dry-run/workflow proof shows no artifact publication, and rollback is documented.
This issue changes governance only after R05 audit approval.
Parent epic: #39
Tracking ID:
R22