Enable branch protection on 'master'

[wbqpk3]

See OpenSSF security test (#659).

{
      "details": [
        "Warn: branch protection not enabled for branch 'master'"
      ],
      "score": 0,
      "reason": "branch protection not enabled on development/release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
}

[mcserep]

Only a limited number of users have write access to the repository, as we follow the open source software development paradigm, where by default all contributors are required to fork the repo and open pull requests for each contribution.

Nevertheless I have added a default branch protection rule now to the repository, so pull requests are now mandatory towards the master branch. (Except for repository administrators.)

[gkunz]

Hi @mcserep,
I'd like to switch the current branch protection rule (which is a "legacy" branch protection rule") with a rule using the new GitHub repo ruleset feature. While on it, I would also enable additional restrictions:

• "Dismiss stale pull request approvals when new commits are pushed", and
• "Require approval of the most recent reviewable push"

I have already created a replacement rule [1] for review, but it is not enabled yet.

[1] https://github.com/Ericsson/CodeCompass/settings/rules/504331

Best
Georg

[mcserep]

Hi @gkunz,
I agree with these rules, on other project hosting services (e.g. GitLab) those additions are also usually part of the default configuration for protected branches. I have added those 2 points to the default branch protection rule of master at https://github.com/Ericsson/CodeCompass/settings/branch_protection_rules/43650916 .

[gkunz]

Thank you, @mcserep.