Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions .github/branch-protection/main.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,31 @@
"ruleset_id": 18693265,
"rules_applied": [
"deletion (blocks branch deletion)",
"non_fast_forward (blocks force-push)"
"non_fast_forward (blocks force-push)",
"required_signatures (requires verified commits)",
"required_linear_history (blocks merge commits)"
],
"allow_force_pushes": false,
"allow_deletions": false,
"release_governance": {
"semver_tag_ruleset_id": 18733591,
"protected_tag_patterns": [
"refs/tags/[0-9]*.[0-9]*.[0-9]*",
"refs/tags/[0-9]*.[0-9]*.[0-9]*-*"
],
"tag_rules": [
"deletion",
"non_fast_forward",
"update"
],
"immutable_future_releases": true
},
"notes": [
"This file documents the ACTUAL branch protection applied via gh API ruleset.",
"Solo-maintainer repo: no PR review requirement (self-approval not possible on GitHub).",
"Security-critical rules (deletion block, force-push block) are enforced.",
"Repository administrators retain the standard emergency bypass used across NDDev repositories.",
"SemVer tags cannot be updated, force-pushed, or deleted after creation.",
"Repository-level release immutability applies to releases created after it was enabled; release 2.0.0 predates that setting and remains protected by its immutable tag.",
"Secret scanning, push protection, and Dependabot security updates are enabled at repo level.",
"To add PR reviews later (when collaborators join), add a 'pull_request' rule to the ruleset."
]
Expand Down
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Security

- Require verified signatures and linear history on `main`, protect SemVer tags
from update or deletion, and enable immutable releases for future
publications.

## [2.0.0] - 2026-07-10

### Changed
Expand Down
3 changes: 3 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,9 @@ accepted report within 30 business days. These targets are best-effort.

- External GitHub Actions and reusable workflows are pinned to full commit SHAs.
- Workflow permissions follow least privilege.
- `main` requires verified signatures and linear history; SemVer tags cannot be
updated or deleted.
- Repository-level release immutability is enabled for future releases.
- Generic CodeQL, dependency-review, secret-scan, and Scorecard checks run in
this public repository.
- The maintainers' private `nddev-harnesses` control plane validates module
Expand Down