Summary

Address OpenSSF Scorecard Branch Protection warnings by configuring required status checks, review requirements, and CODEOWNERS integration for the main branch.

Current State

OpenSSF Scorecard Branch Protection check identified the following warnings:

• Stale review dismissal: Disabled
• Required reviewers: 1 (keeping at 1 per team decision)
• Codeowners review: Not required
• Last push approval: Disabled
• Status checks: None required

Proposed Changes

CODEOWNERS Updates

• Add default owner for all files
• Add self-protection for CODEOWNERS file
• Expand coverage for key directories

Branch Protection Rules (Manual Configuration)

• Enable required status checks (8 checks including CodeQL)
• Enable Require branches to be up to date before merging
• Enable Dismiss stale pull request approvals
• Enable Require approval of the most recent reviewable push
• Enable Require review from Code Owners

Expected Outcome

• OpenSSF Scorecard Branch Protection score: ~8/10
• Note: 10/10 requires 2 reviewers; current config prioritizes team velocity with 1 reviewer

References

• OpenSSF Scorecard Branch Protection Check
• GitHub Docs: About protected branches