Turn on branch protection for the repo

[joamatab]

Hi, I love this GitHub action

How could we turn branch protection for the repo?

This would make it more secure and allow us to use it within our organization

[mmaraya]

Here's some context on branch protection if that helps: https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection.

[mattwthompson]

I'm in support of adding a minimal branch protecting; in other orgs I've been happy with basic rules like "1 approving review"

[dbast]

+1 This would be now possible as the RELEASE.md file was changed via #309 to not require pushing directly to main anymore.

So best thing (that how many other projects operate):

• allow changes in main branch only via PR
• no exception to admins, by enabling "Do not allow bypassing the above settings" in the protection rule
• Require 1 review before merging

@joamatab no matter how protected branches are, things in a git repo are still mutable if only referenced by tag/branch name ... best security is provided by referencing the action via SHA1 and update the reference via dependabot/renovate as explained here ... like conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0 instead of conda-incubator/[email protected].

[goanpeca]

Just added the following:

Anything else I missed @dbast ?

[dbast]

@goanpeca Looks good... requiring status checks to pass can cause some pain if those are renamed etc... could be better that the maintainer group checks that before merge instead of putting that into the settings... but this should be also fine if no status checks is selected in the settings list.

[goanpeca]

Removed the status checks one. Thanks

Closing this one!