Skip to content
Apothem
Security

Branch protection

Apothem branch protection on main — review gate, status-check gating, and push restrictions.

Apothem's main branch is protected by GitHub branch protection after the single fresh release commit is published. The protection enforces the change-set discipline declared at rules/production-ready-prs.md and feeds the OpenSSF Scorecard Branch-Protection and Code-Review checks for future work.

Ruleset declaration

SettingValueRationale
TargetmainProtects the public default branch.
Enforcement statusactiveNot in dry-run mode.
Require pull request before mergingDirect pushes to main blocked.
Required approving reviews1Minimum human-review gate for a new solo-maintainer project.
Dismiss stale approvals on new commitsA force-push after approval re-triggers review.
Require review from Code OwnersDeferredEnabling this before a second maintainer joins can deadlock solo-maintainer PRs.
Require approval of the most recent reviewable pushThe latest pushed commit must carry approval.
Required conversation resolutionOpen review threads block merge.
Require status checks to passCI workflow + Scorecard + CodeQL + pip-audit.
Required status checksCurrent core checksThe required list is refreshed from the latest green release commit.
Require branches to be up to datePrevents stale-merge regressions.
Require signed commitsRecommendedLocal release commits are signed; full enforcement waits until contributor onboarding documents SSH/GPG setup.
Require linear historyKeeps the single-line public history understandable.
Block force-pushesHistory rewrite on main is blocked.
Allow deletionThe main branch cannot be deleted.

Solo-maintainer constraint

GitHub does not let repository files create human review history. The repository therefore applies the strongest non-deadlocking branch protection for its current maintainer model: one approving review, stale-review dismissal, latest-push approval, conversation resolution, status checks, linear history, and no branch deletion or force-push. When a second maintainer joins, CODEOWNERS review and a two-reviewer minimum become the stronger setting.

Status-check requirements

The four hard-gating status checks declared above:

  • ci — full test matrix + ruff + mypy + bandit + Trivy + pip-audit on the resolved dependency tree
  • Scorecard — OpenSSF Scorecard run with no per-check regression
  • CodeQLsecurity-extended query packs for python + actions
  • pip-audit — weekly + per-PR vulnerability scan against the resolved dep tree

Any other workflow may report status, but its outcome does not gate merge unless it is promoted into the required-check list.

Audit cadence

This file is reviewed on every security audit and at every release-engineering checkpoint. Drift between this file and the actual branch protection configuration is a high-severity finding.

References

On this page