Skip to content

ci/release: verify branch protection for Renovate auto-merge; consider a publish approval gate #299

Description

@maximn

From the AI-native docs audit (B8 in .agents/known-issues.md).

Two supply-chain hardening points:

  1. Renovate auto-merge (renovate.json) merges non-major updates automatically. This relies on master branch protection requiring status checks to pass. Verify that protection is configured, otherwise a broken update could merge without CI.
  2. NuGet publish has no approval gate (.github/workflows/nuget.yml): pushing a v* tag publishes to NuGet.org immediately. Consider a GitHub Environment with required reviewers for the publish job.

Severity: medium (process).

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filetech-debtKnown tech debt / cleanup from the AI-native docs audit

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions