microsoft/hve-core (mirrored from https://github.com/microsoft/hve-core), ref hve-core-v3.3.27

docs/contributing/branch-protection.md

---
title: Branch Protection Configuration
description: Branch protection configuration for the hve-core repository
sidebar_position: 8
author: Microsoft
ms.date: 2026-01-16
ms.topic: reference
keywords:
  - branch protection
  - security
  - openssf scorecard
  - codeowners
estimated_reading_time: 3
---

## Overview

Guidelines and configuration for GitHub branch protection rules in hve-core.

Branch protection rules ensure code quality and security by requiring:

* Status checks to pass before merging
* Code review approval
* Protection against post-approval malicious commits

## Required Status Checks

The following CI jobs must pass before a PR can be merged:

| Check Name | Purpose |
|-----------------------------|-----------------------------------|
| Spell Check | Validates spelling in markdown |
| Markdown Lint | Enforces markdown formatting |
| Table Format Check | Validates table formatting |
| PowerShell Lint | PSScriptAnalyzer validation |
| Frontmatter Validation | Validates YAML frontmatter |
| Validate Dependency Pinning | Ensures dependencies are pinned |
| npm Security Audit | Scans for vulnerable dependencies |
| CodeQL Security Analysis | Security vulnerability scanning |

Note: `Markdown Link Check` uses soft-fail (it reports failures without blocking the merge) and is not a required check.

## Review Requirements

| Setting | Value | Rationale |
|-----------------------|---------|-----------------------------------------------|
| Required reviewers | 1 | Team size decision |
| Dismiss stale reviews | Enabled | Prevents post-approval malicious commits |
| Last push approval | Enabled | Requires non-author approval of final changes |
| Code owner review | Enabled | Ensures domain experts review changes |

## CODEOWNERS

The `.github/CODEOWNERS` file defines code ownership:

* Default owner for all files: `@microsoft/edge-ai-core-dev`
* Self-protection pattern prevents unauthorized CODEOWNERS modifications
* Key directories have explicit ownership

## OpenSSF Scorecard

With this configuration, the expected OpenSSF Scorecard Branch Protection score is **~8/10**.

Note: Achieving 10/10 requires 2 reviewers. The current configuration prioritizes team velocity with 1 reviewer.

## Configuration Reference

### GitHub UI Settings

Navigate to: **Settings → Branches → Branch protection rules → Edit `main`**

#### Require a Pull Request before Merging

* [x] Require approvals (1)
* [x] Dismiss stale pull request approvals when new commits are pushed
* [x] Require approval of the most recent reviewable push
* [x] Require review from Code Owners

#### Require Status Checks to Pass before Merging

* [x] Require branches to be up to date before merging
* Add all status checks listed in the table above

#### Other Settings

* [x] Do not allow bypassing the above settings
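
The settings above are easy to drift away from (a check renamed in CI, an admin bypass toggled during an incident), so it helps to audit the live configuration against this page. The script below is an added example, not part of hve-core or GitHub's tooling. It assumes the JSON shape returned by the REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection` (for example piped in from `gh api repos/OWNER/REPO/branches/main/protection`), and it also checks that a CODEOWNERS file actually keeps the self-protection rule from the CODEOWNERS section, using a simplified gitignore-style matcher that is an assumption of this example. The sample payload and CODEOWNERS text are constructed for illustration.

```python
"""Audit GitHub branch protection and CODEOWNERS against the hve-core policy.

Added example, not part of hve-core. Assumes the payload shape of
GET /repos/{owner}/{repo}/branches/{branch}/protection, e.g. from
`gh api repos/OWNER/REPO/branches/main/protection`.
"""
import fnmatch
import json
import sys

# Required status checks, copied from the policy table on this page.
REQUIRED_CHECKS = {
    "Spell Check", "Markdown Lint", "Table Format Check", "PowerShell Lint",
    "Frontmatter Validation", "Validate Dependency Pinning",
    "npm Security Audit", "CodeQL Security Analysis",
}
DEFAULT_OWNER = "@microsoft/edge-ai-core-dev"


def audit_protection(protection: dict) -> list[str]:
    """Return findings; an empty list means the branch matches the policy."""
    findings = []
    checks = protection.get("required_status_checks") or {}
    if not checks.get("strict"):
        findings.append("branches need not be up to date before merging")
    # Older payloads list names under "contexts", newer ones under "checks".
    enforced = set(checks.get("contexts") or [])
    enforced |= {c["context"] for c in checks.get("checks") or []}
    for name in sorted(REQUIRED_CHECKS - enforced):
        findings.append(f"required status check not enforced: {name}")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request review is not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("no approving review is required")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("stale approvals survive new commits")
        if not reviews.get("require_last_push_approval"):
            findings.append("most recent push does not need non-author approval")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("code owner review is not required")
    # "Do not allow bypassing the above settings" is enforce_admins in the API.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("administrators can bypass the rules")
    return findings


def _covers(pattern: str, path: str) -> bool:
    """Simplified gitignore-style matching (assumption: enough for '*',
    directory patterns ending in '/', and root-anchored file patterns)."""
    p = pattern.lstrip("/")
    if p.endswith("/"):
        return path.startswith(p)
    return fnmatch.fnmatch(path, p) or fnmatch.fnmatch(path.rsplit("/", 1)[-1], p)


def codeowners_self_protected(text: str, owner: str = DEFAULT_OWNER) -> bool:
    """True when the last CODEOWNERS rule covering the file itself names `owner`.

    GitHub applies the last matching pattern, so a broader rule added later in
    the file can silently hand CODEOWNERS to a different owner.
    """
    winner: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pattern, *owners = line.split()
        if _covers(pattern, ".github/CODEOWNERS"):
            winner = owners
    return owner in winner


# Constructed sample payload: one check missing, last-push approval off,
# administrators exempt. Not a real hve-core configuration.
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": True,
        "contexts": [],
        "checks": [{"context": c, "app_id": None}
                   for c in sorted(REQUIRED_CHECKS - {"Validate Dependency Pinning"})],
    },
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "require_last_push_approval": False,
    },
    "enforce_admins": {"enabled": False},
}

# Constructed CODEOWNERS text: default owner plus the self-protection rule.
SAMPLE_CODEOWNERS = """\
*                    @microsoft/edge-ai-core-dev
/.github/CODEOWNERS  @microsoft/edge-ai-core-dev
"""

if __name__ == "__main__":
    # Read a real payload from stdin when piped; otherwise use the sample.
    payload = SAMPLE_PROTECTION if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_protection(payload) or ["branch protection matches policy"]:
        print(finding)
    print("CODEOWNERS self-protected:", codeowners_self_protected(SAMPLE_CODEOWNERS))
```

Run as `gh api repos/OWNER/REPO/branches/main/protection | python audit_branch_protection.py` (the file name is whatever you choose). Each finding maps to one row of the tables above, so a non-empty list is a direct to-do for the Settings page, and an empty list is what the ~8/10 Scorecard expectation assumes.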

## Future Considerations

| Item | Details |
|-----------------|---------------------------------------------------------------|
| GitHub Rulesets | Consider migrating to Rulesets for enhanced push restrictions |
| 2 reviewers | Can be enabled as the team grows for a Tier 4 (9/10) score |

---

<!-- markdownlint-disable MD036 -->
*🤖 Crafted with precision by ✨Copilot following brilliant human instruction,
then carefully refined by our team of discerning human reviewers.*
<!-- markdownlint-enable MD036 -->