This document contains maintainer-oriented planning notes that are kept out of the primary usage README.
This section documents how required status checks and branch protection are set up for this public repository. It is intended to help maintainers who may not regularly manage GitHub repository rules and need to configure or verify the merge protections used here.
The following jobs are configured as required status checks:
Basic Source checksfromchecks.ymlDCO / Signed-off-byfromdco-signoff.yml
Basic Source checks consolidates code quality gates:
code-checking-refguard — blocks accidental commits of local overrides- Executable mode verification — ensures scripts have correct git index mode
- Dynamic linter selection and execution — runs applicable linters (shellcheck, etc.)
This consolidation avoids coupling branch protection rules to per-linter checks.
The separate DCO check enforces Signed-off-by: commit trailer policy.
GitHub's repository settings interface has been reorganized multiple times. This section describes the underlying structure; exact interface paths may vary.
Locate the ruleset configuration:
- Navigate to repository Settings (gear icon in top-right menu).
- Look for "Branches" or "Rules" in the left sidebar. GitHub has two
overlapping systems:
- Branches (older): Protection rules per-branch
- Rules (newer): Rulesets with target patterns
- For this repository, Rules (rulesets) is the managed path and source of truth; Branches settings are not used.
Create or edit the rule for main:
- Create or edit the ruleset that targets the
mainbranch. We use the nameprotect-main. - Set the ruleset-level Bypass list to Organization admin with bypass
mode
For pull requests only. - Under Branch targeting criteria, use
Default. - Enable these branch rules:
- Restrict deletions
- Require signed commits (optional)
- Enable only when all contributors are set up for verified commit signing (GPG/SSH/S/MIME).
- Require a pull request before merging
- Required approvals: 1
- Dismiss stale pull request approvals when new commits are pushed
- Require review from Code Owners
- Require conversation resolution before merging
- Allowed merge methods: disable merge commits; allow squash and rebase merges
- Require status checks to pass
- Status checks that are required:
-
Basic Source checks-DCO / Signed-off-by- GitHub does not make this selectable until the workflow exists on the
default
mainbranch.
- GitHub does not make this selectable until the workflow exists on the
default
- Block force pushes
Verification:
Once configured, attempts to merge a PR will fail with:
- "
Basic Source checks– required check" - "
DCO / Signed-off-by- required check"
if any of the check steps fail.
To verify the guard works:
-
Create a test branch from
main. -
Create a local
code-checking-reffile with content:pull/123/head(or any valid git ref) -
Commit and push:
git add code-checking-ref git commit -m "test guard" git push -
Create a PR against
main. -
Verify GitHub shows
Basic Source checksfailing with guard error. -
Verify the PR cannot be merged (merge button is disabled).
The GitHub Actions job will show:
[guard-code-checking-ref] tracked file detected in commit: code-checking-ref
To clean up:
- Close the test PR if it is no longer needed.
- If you want to keep using the branch for other changes, remove
code-checking-ref, commit that removal, and push the update.
This section documents repository-level automation settings that are configured in GitHub Settings (not only in tracked files).
Dependabot should be enabled for this repository with a focused scope:
github-actionsupdates for workflow action versions in.github/workflows/*.yml.
Use this runbook when bootstrapping a new repository host instance or auditing for uncoordinated settings changes.
- File-based Dependabot update behavior is defined in
.github/dependabot.yml. - Repository UI security toggles and alert auto-dismiss rules are manual settings and must be verified in GitHub Settings.
The GitHub Security settings page shows a Dependabot version updates entry
with an "Enable" button. This is not a toggle. It is a status indicator
that reflects whether .github/dependabot.yml exists in the repository.
Clicking "Enable" starts a wizard to create that file via the GitHub web
editor. Do not use the wizard — the file is tracked in this repository and
managed via normal pull requests. If the indicator shows "Disabled", the file
is missing and should be restored from version control.
- Open repository Settings.
- Open Security and quality, then Advanced Security (section labels may change over time).
- Enable Dependabot alerts.
- Enable Dependabot security updates.
- Enable grouped security updates.
- Do not change the Dependabot version updates setting in the UI. It only
reports whether
.github/dependabot.ymlexists on the defaultmainbranch. If it is missing, add or restore the file through a pull request.
Record and periodically verify these manual settings in the Dependabot alert rules UI:
- Dismiss low-impact alerts for development-scoped dependencies: enabled.
- Dismiss package malware alerts: disabled. Malware scanning is a paid GitHub feature not available on the free tier. Leave disabled unless the repository moves to a paid plan or GitHub Enterprise with that feature licensed.
If these values are changed, update this document in the same PR with rationale and reviewer sign-off.
At audit time, verify all of the following:
.github/dependabot.ymlexists and matches expected policy.- Dependabot alerts and security updates are enabled in repository settings.
- Manual alert rule toggles match this document.
- Dependabot is producing update PRs for
github-actionswhen updates are available.
Initial scope is intentionally limited to workflow actions because those are the repository-managed dependencies with the highest supply-chain relevance. Expand scope later only when additional dependency manifests are intentionally tracked and maintained in this repository.
- Keeps workflow action updates visible and reviewable via PRs.
- Reduces manual drift risk for action versions.
- Avoids noisy update churn for ecosystems not centrally managed in this repo.
- Workflow
uses:entries are pinned to full commit SHAs. - This is required to satisfy OpenSSF Scorecard
Pinned-Dependencieschecks. - Include the corresponding version tag as an inline YAML comment when useful
for readability (for example,
# v6.0.2).
At least quarterly, maintainers should:
-
Verify Dependabot is enabled for
github-actionsand opening update PRs. -
Review all workflow action versions in
.github/workflows/*.yml. -
Check release notes for major actions used here (at minimum
actions/checkout). -
Update SHA pins as needed and run full local checks before merging:
./bin/run-linters.sh --mode full ./bin/run-checks.sh
-
Reconfirm branch/ruleset protections still require
Basic Source checks.
- ansible-lab
- system-pipeline-lib
- Shell and PowerShell check scripts
- Check script library (ansible-lint, yamllint, shellcheck, markdownlint, groovylint, codespell)
- IDE setup baselines and a master IDE-agnostic YAML input (with VS Code section)