Branch Protection
These settings match the current Software Graph workflow while keeping room for team scaling.
Scope
Apply rules to main across the org repos (or selected repos first if rolling out gradually).
Recommended Baseline (main)
- Require status checks to pass
- Require PR-only updates
- Block force pushes
- Restrict deletions
- Require the stable repo gate for that repo:
  - all repos: Main PR Gate
Status Checks to Require
Use the checks that enforce your actual gates, for example:
- Main PR Gate
GitHub may render the same check as CI / Main PR Gate (pull_request) or Meta CI / Main PR Gate in the PR UI, but the ruleset context should use the raw job name.
Avoid requiring transient/non-deterministic checks.
Bypass Notes
Ruleset bypass actors are roles/teams/apps, not PAT strings.
If automation must bypass protections, use a dedicated GitHub App or explicit role/app actor in the bypass list. Keep this minimal.
Practical Rollout
- Start in evaluate mode if available.
- Confirm no required workflow is accidentally blocked.
- Switch to active enforcement.
- Revisit required checks after adding/removing CI jobs.
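The baseline, status-check and rollout points above can be checked mechanically against a ruleset export. The following is an added example, not part of the original page or the project's tooling: the field names follow GitHub's repository ruleset REST schema, while the sample ruleset, the `audit_ruleset` helper and the one-actor bypass limit are assumptions made for illustration.

```python
# Added example: audit a ruleset document (GitHub ruleset REST shape) against this page's baseline.
REQUIRED_RULES = {
    "required_status_checks": "Require status checks to pass",
    "pull_request": "Require PR-only updates",
    "non_fast_forward": "Block force pushes",
    "deletion": "Restrict deletions",
}
GATE = "Main PR Gate"   # raw job name, as the page requires
MAX_BYPASS = 1          # assumption: "keep this minimal" read as at most one actor


def audit_ruleset(rs, gate=GATE):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    if rs.get("enforcement") != "active":
        findings.append(f"enforcement is {rs.get('enforcement')!r}, not 'active'")
    include = rs.get("conditions", {}).get("ref_name", {}).get("include", [])
    # "~DEFAULT_BRANCH" is accepted on the assumption that main is the default branch.
    if not {"refs/heads/main", "~DEFAULT_BRANCH"} & set(include):
        findings.append("ruleset does not target main")
    rules = {r["type"]: r.get("parameters", {}) for r in rs.get("rules", [])}
    for rule_type, label in REQUIRED_RULES.items():
        if rule_type not in rules:
            findings.append(f"missing rule: {label} ({rule_type})")
    contexts = [c["context"] for c in
                rules.get("required_status_checks", {}).get("required_status_checks", [])]
    if "required_status_checks" in rules and gate not in contexts:
        rendered = [c for c in contexts if gate in c]  # UI-rendered variants of the gate
        hint = f"; rendered name used instead: {rendered}" if rendered else ""
        findings.append(f"required check {gate!r} not listed{hint}")
    bypass = rs.get("bypass_actors") or []
    if len(bypass) > MAX_BYPASS:
        findings.append(f"{len(bypass)} bypass actors, expected at most {MAX_BYPASS}")
    return findings

# Constructed sample: still in evaluate mode, UI-rendered check name, no deletion rule.
SAMPLE = {
    "name": "main-baseline", "target": "branch", "enforcement": "evaluate",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "bypass_actors": [{"actor_id": 1, "actor_type": "Integration", "bypass_mode": "always"}],
    "rules": [
        {"type": "pull_request"}, {"type": "non_fast_forward"},
        {"type": "required_status_checks", "parameters": {
            "required_status_checks": [{"context": "CI / Main PR Gate (pull_request)"}]}},
    ],
}

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE):
        print("FAIL:", finding)
```

Run it after each change to the CI job list so a renamed or removed job does not leave the required context pointing at a check that never reports.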