microsoft/hve-core (mirrored from https://github.com/microsoft/hve-core), commit abfd03ef8b9f81e150e6d564a43b755cc910c8e6

docs/contributing/branch-protection.md

---
title: Branch Protection Configuration
description: Branch protection configuration for the hve-core repository
author: Microsoft
ms.date: 2026-01-16
ms.topic: reference
keywords:
  - branch protection
  - security
  - openssf scorecard
  - codeowners
estimated_reading_time: 3
---

## Overview

Guidelines and configuration for GitHub branch protection rules in hve-core.

Branch protection rules ensure code quality and security by requiring:

* Status checks to pass before merging
* Code review approval
* Protection against post-approval malicious commits

## Required Status Checks

The following CI jobs must pass before a PR can be merged:

| Check Name                  | Purpose                           |
|-----------------------------|-----------------------------------|
| Spell Check                 | Validates spelling in markdown    |
| Markdown Lint               | Enforces markdown formatting      |
| Table Format Check          | Validates table formatting        |
| PowerShell Lint             | PSScriptAnalyzer validation       |
| Frontmatter Validation      | Validates YAML frontmatter        |
| Validate Dependency Pinning | Ensures dependencies are pinned   |
| npm Security Audit          | Scans for vulnerable dependencies |
| CodeQL Security Analysis    | Security vulnerability scanning   |

**Note**: `Markdown Link Check` uses soft-fail and is not a required check.

## Review Requirements

| Setting               | Value   | Rationale                                     |
|-----------------------|---------|-----------------------------------------------|
| Required reviewers    | 1       | Team size decision                            |
| Dismiss stale reviews | Enabled | Prevents post-approval malicious commits      |
| Last push approval    | Enabled | Requires non-author approval of final changes |
| Code owner review     | Enabled | Ensures domain experts review changes         |

## CODEOWNERS

The `.github/CODEOWNERS` file defines code ownership:

* Default owner for all files: `@microsoft/edge-ai-core-dev`
* Self-protection pattern prevents unauthorized CODEOWNERS modifications
* Key directories have explicit ownership

## OpenSSF Scorecard

With this configuration, the expected OpenSSF Scorecard Branch Protection score is **~8/10**.

**Note**: Achieving 10/10 requires 2 reviewers. The current configuration prioritizes team velocity with 1 reviewer.

## Configuration Reference

### GitHub UI Settings

Navigate to: **Settings → Branches → Branch protection rules → Edit `main`**

**Require a pull request before merging**:

* [x] Require approvals (1)
* [x] Dismiss stale pull request approvals when new commits are pushed
* [x] Require approval of the most recent reviewable push
* [x] Require review from Code Owners

**Require status checks to pass before merging**:

* [x] Require branches to be up to date before merging
* Add all status checks listed in the table above

**Other settings**:

* [x] Do not allow bypassing the above settings

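UI settings drift silently when someone edits them by hand, so a practitioner usually wants a repeatable check that the live branch protection and the CODEOWNERS file still match what this page documents. The script below is an added example, not code from hve-core or Microsoft: it audits a branch-protection object in the shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection` against the status checks, review requirements and "do not allow bypassing" setting listed above, and checks that a CODEOWNERS file carries the default-owner rule and the self-protection rule for `.github/CODEOWNERS`. The sample API response and CODEOWNERS text embedded at the bottom are constructed for the demonstration (the `/docs/` directory rule is a placeholder, not hve-core's real ownership map).

```python
"""Audit branch protection and CODEOWNERS against the documented policy.

Added example (not part of hve-core). Input shapes follow GitHub's REST API:
GET /repos/{owner}/{repo}/branches/{branch}/protection.
"""
import json
import sys

# Expected values taken from the tables and UI settings in this document.
REQUIRED_CHECKS = [
    "Spell Check",
    "Markdown Lint",
    "Table Format Check",
    "PowerShell Lint",
    "Frontmatter Validation",
    "Validate Dependency Pinning",
    "npm Security Audit",
    "CodeQL Security Analysis",
]
DEFAULT_OWNER = "@microsoft/edge-ai-core-dev"
REQUIRED_APPROVALS = 1


def check_protection(protection: dict) -> list[str]:
    """Return findings for the branch; an empty list means it matches the policy."""
    findings = []
    checks = protection.get("required_status_checks") or {}
    if not checks.get("strict"):
        findings.append("branches are not required to be up to date before merging")
    contexts = set(checks.get("contexts") or [])
    # Newer responses also list checks as {"context": ..., "app_id": ...}.
    contexts.update(c.get("context") for c in (checks.get("checks") or []) if c.get("context"))
    for name in REQUIRED_CHECKS:
        if name not in contexts:
            findings.append(f"required status check missing: {name}")

    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < REQUIRED_APPROVALS:
        findings.append(f"fewer than {REQUIRED_APPROVALS} approving review(s) required")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("stale reviews are not dismissed on new pushes")
    if not reviews.get("require_last_push_approval"):
        findings.append("approval of the most recent reviewable push is not required")
    if not reviews.get("require_code_owner_reviews"):
        findings.append("code owner review is not required")

    # "Do not allow bypassing the above settings" maps to enforce_admins.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators may bypass the protection rules")
    return findings


def parse_codeowners(text: str) -> list[tuple[str, list[str]]]:
    """Parse CODEOWNERS into (pattern, owners) pairs, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def check_codeowners(text: str) -> list[str]:
    """Verify the default-owner rule and the self-protection rule for CODEOWNERS."""
    findings = []
    rules = parse_codeowners(text)
    if not rules or rules[0][0] != "*" or DEFAULT_OWNER not in rules[0][1]:
        findings.append(f"first rule should be '* {DEFAULT_OWNER}' (default owner)")
    # GitHub applies the last matching rule, so the self-protection entry must
    # name the CODEOWNERS file explicitly; we check the last such entry.
    self_rules = [owners for pattern, owners in rules if pattern.endswith("CODEOWNERS")]
    if not self_rules:
        findings.append("no self-protection rule for .github/CODEOWNERS")
    elif DEFAULT_OWNER not in self_rules[-1]:
        findings.append("self-protection rule does not name the core team as owner")
    return findings


# Constructed sample response (not real hve-core data): one required check is
# missing and last-push approval is off, so the audit reports two findings.
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": True,
        "contexts": [c for c in REQUIRED_CHECKS if c != "npm Security Audit"],
    },
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "require_last_push_approval": False,
    },
    "restrictions": None,
}

# Constructed CODEOWNERS text; the /docs/ rule is a placeholder directory.
SAMPLE_CODEOWNERS = """\
# Default owner for all files
*                     @microsoft/edge-ai-core-dev
# Explicit ownership for a key directory (placeholder path)
/docs/                @microsoft/edge-ai-core-dev
# Self-protection: changes to this file need the core team's approval
/.github/CODEOWNERS   @microsoft/edge-ai-core-dev
"""


def main(argv: list[str]) -> int:
    protection = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PROTECTION
    codeowners = open(argv[2]).read() if len(argv) > 2 else SAMPLE_CODEOWNERS
    findings = check_protection(protection) + check_codeowners(codeowners)
    for finding in findings:
        print("DRIFT:", finding)
    print("OK: matches documented policy" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the two findings on the constructed sample, or feed it the live configuration, for example `gh api repos/OWNER/REPO/branches/main/protection > protection.json` followed by `python audit.py protection.json .github/CODEOWNERS`. The non-zero exit status lets the audit run as a scheduled job that fails when settings drift.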
## Future Considerations

| Item            | Details                                                       |
|-----------------|---------------------------------------------------------------|
| GitHub Rulesets | Consider migrating to Rulesets for enhanced push restrictions |
| 2 reviewers     | Can be enabled as team grows for Tier 4 (9/10) score          |

---

<!-- markdownlint-disable MD036 -->
*🤖 Crafted with precision by ✨Copilot following brilliant human instruction,
then carefully refined by our team of discerning human reviewers.*
<!-- markdownlint-enable MD036 -->