
Release: enable branch protection and private vulnerability reporting #7

Description

@akratch

Problem

A few public-repo trust settings cannot be fully verified from the current private/account-limited state. Branch protection returns a GitHub tier/public-repo restriction while the repository is private, and some security endpoints are not available for this repo state.

Desired end state

  • Hosted GitHub Actions remain disabled for the launch repository; public launch uses local release/preflight evidence.
  • Protect main without required hosted status checks.
  • Require PR review/conversation resolution and prevent force pushes/deletions on main.
  • Enable private vulnerability reporting and secret scanning/push protection if GitHub exposes them for the repository/account.
  • Confirm Dependabot vulnerability alerts remain enabled.

Current evidence

  • Issues and Discussions are enabled.
  • Hosted GitHub Actions are disabled for the local-CI launch policy.
  • Dependabot vulnerability alerts are enabled.
  • Branch protection API currently reports that the feature requires GitHub Pro or a public repository while private.
  • Private vulnerability reporting/secret scanning endpoints may need final application immediately after the public flip.

Validation

Before public visibility:

scripts/configure_github_launch_settings.sh --repo akratch/mgb64 --yes
NO_COLOR=1 scripts/check_github_launch_ready.sh --repo akratch/mgb64 --allow-private

After public visibility:

scripts/configure_github_launch_settings.sh --repo akratch/mgb64 --yes
NO_COLOR=1 scripts/check_github_launch_ready.sh --repo akratch/mgb64

Do not require hosted status checks unless the project deliberately re-enables hosted Actions later and the billing/policy decision changes.
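An added example, not part of the original issue or the project's scripts: one way to evaluate the desired end state against GitHub REST API responses. It assumes `protection` is the JSON from GET /repos/{owner}/{repo}/branches/main/protection (or None when the API refuses the request, as described for the private state) and `repo` is the JSON from GET /repos/{owner}/{repo}; the function names, the `allow_private` parameter and the sample data are hypothetical.

```python
# Added example: compare GitHub API responses with the issue's desired end state.
# Function names are hypothetical; the sample responses below are constructed.

def _enabled(obj, key):
    """True when obj[key] is {"enabled": true}."""
    return bool((obj.get(key) or {}).get("enabled"))

def check_branch_protection(protection, allow_private=False):
    """Return a list of findings; an empty list means main matches the end state."""
    if protection is None:
        # Assumed to mirror --allow-private: tolerate the gap only before the public flip.
        return [] if allow_private else ["branch protection unavailable or not configured"]
    findings = []
    if protection.get("required_status_checks"):
        findings.append("hosted status checks are required (policy: none)")
    if not protection.get("required_pull_request_reviews"):
        findings.append("PR review is not required")
    if not _enabled(protection, "required_conversation_resolution"):
        findings.append("conversation resolution is not required")
    if _enabled(protection, "allow_force_pushes"):
        findings.append("force pushes are allowed")
    if _enabled(protection, "allow_deletions"):
        findings.append("branch deletion is allowed")
    return findings

def check_secret_scanning(repo):
    """Check secret scanning and push protection; a missing block counts as not enabled."""
    sa = repo.get("security_and_analysis") or {}
    return [f"{name} is not enabled"
            for name in ("secret_scanning", "secret_scanning_push_protection")
            if (sa.get(name) or {}).get("status") != "enabled"]

# Constructed sample responses (not taken from the real repository).
GOOD = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_conversation_resolution": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
WEAK = dict(GOOD, allow_force_pushes={"enabled": True},
            required_status_checks={"strict": True, "contexts": ["ci"]})
REPO = {"security_and_analysis": {"secret_scanning": {"status": "enabled"},
                                  "secret_scanning_push_protection": {"status": "disabled"}}}

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("weak", WEAK), ("private", None)):
        print(label, check_branch_protection(data))
    print("repo", check_secret_scanning(REPO))
```
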

Labels: release-hygiene (Public release checklist, CI, docs alignment, and archive hygiene)
