GitHub Branch Protection Install Guide

Current State (as of 2026-04-19)

Five repos in the eco-monetize GitHub org have rulesets created but no rules are actually enforced. All checkboxes are unchecked. The rulesets are Active in name only.

| Repo | main ruleset | develop ruleset | Rules enforced |
|---|---|---|---|
| partner-sync | main-partner-sync | develop-account-partner-sync | None |
| project-management | (exists) | develop-project-management | None |
| content-management | (exists) | develop-content-management | None |
| ops-docs | (exists) | develop-ops-docs | None |
| account-planning | (exists) | develop-account-planning | None |

main branch (production)

Enable these rules in each main-* ruleset:

  1. Require a pull request before merging — ON
     • Required approvals: 1 (Rick reviews, or designate a second reviewer when the team grows)
     • Dismiss stale PR approvals when new commits are pushed: ON
     • Require review from Code Owners: OFF (no CODEOWNERS file yet)
     • Require approval of the most recent reviewable push: ON
     • Require conversation resolution before merging: ON
  2. Allowed merge methods — Squash only
     • Keeps main history linear and readable. Rebase allowed as fallback.
  3. Require status checks to pass — ON (when CI exists)
     • Add the CI check (already configured but unchecked on partner-sync)
     • Require branches to be up to date before merging: ON
  4. Block force pushes — ON
     • Non-negotiable for production branches
  5. Restrict deletions — ON
     • Prevents accidental deletion of main

develop branch

Enable these rules in each develop-* ruleset:

  1. Require a pull request before merging — ON
     • Required approvals: 0 (self-merge OK for solo work, but a PR is still required for traceability)
     • Require conversation resolution: ON
  2. Block force pushes — ON
  3. Require status checks to pass — ON (when CI exists)

Bypass list

Leave empty for now (solo operator). When the team grows, add specific roles (e.g., "Release Manager") that can bypass for hotfixes.

Step-by-Step: Enabling Rules

Prerequisites

  • GitHub repo admin access (Rick has this as org owner)
  • Browser access to github.com

Steps (repeat per repo, per ruleset)

  1. Go to https://github.com/eco-monetize/{repo}/settings/rules
  2. Click the existing ruleset name (e.g., main-partner-sync)
  3. Verify Enforcement status is "Active"
  4. Verify Target branches shows the correct branch (main or develop)
  5. Check each rule per the recommended config above
  6. For "Require a pull request before merging":
     • Click to expand "Hide additional settings"
     • Set "Required approvals" to 1 (main) or 0 (develop)
     • Enable sub-options as listed above
  7. For "Require status checks to pass":
     • Click to expand
     • Enable "Require branches to be up to date before merging"
     • Verify CI appears in "Status checks that are required" (add it if missing)
  8. Click Save changes
  9. Repeat for the other ruleset (main vs develop) on the same repo
  10. Repeat for all 5 repos

Estimated time: ~3 minutes per ruleset, ~30 minutes total for all 10 rulesets.

Verification

After enabling rules, verify by:

  1. Try pushing directly to main — should be rejected
  2. Create a test PR to main — should require approval before merge
  3. Force push to main — should be blocked
  4. Create a PR to develop — should be allowed to self-merge (0 approvals) but must go through PR flow

Troubleshooting

| Problem | Fix |
|---|---|
| "Bypass list is empty" warning | Expected for solo operator. Add bypass actors only when team structure requires hotfix paths. |
| CI check not found when adding status checks | The CI workflow must have run at least once on the branch for GitHub to discover the check name. Push a commit, let CI run, then add the check. |
| Can't push after enabling rules | Use PR flow. If truly blocked (emergency), temporarily set enforcement to "Evaluate" (logs violations but doesn't block), fix, then re-enable "Active". |
| Ruleset shows Active but rules still not enforcing | Verify the target branch name matches exactly (e.g., main not master). Check that rules are checked, not just expanded. |
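The manual checks in Verification and the last two Troubleshooting rows can also be run against the ruleset JSON that the GitHub REST API returns for a ruleset (GET /repos/{owner}/{repo}/rulesets/{ruleset_id}). The script below is an added example, not part of this guide or of any eco-monetize tooling: it encodes the main/develop policy above and reports every deviation, including the "Active in name only" state (enforcement active, no rules) and a target-branch mismatch (master instead of main). Rule type and parameter names follow the REST API as documented (`pull_request`, `required_status_checks`, `non_fast_forward` for block force pushes, `deletion` for restrict deletions); the three sample rulesets at the bottom are constructed for the example, not fetched from the org.

```python
# Added example: audit a GitHub ruleset JSON document against the main/develop
# policy from this guide. Field names follow the GitHub REST rulesets API;
# sample rulesets below are constructed, not real API responses.

# Expected configuration per branch, taken from the rule lists above.
POLICY = {
    "main": {
        "ref": "refs/heads/main",
        "pull_request": {
            "required_approving_review_count": 1,
            "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": False,
            "require_last_push_approval": True,
            "required_review_thread_resolution": True,
        },
        "allowed_merge_methods": {"squash", "rebase"},   # squash only, rebase as fallback
        "required_rules": {"non_fast_forward", "deletion"},  # block force pushes, restrict deletions
        "strict_status_checks": True,                    # require branches to be up to date
        "status_check_contexts": {"CI"},
    },
    "develop": {
        "ref": "refs/heads/develop",
        "pull_request": {"required_approving_review_count": 0,
                         "required_review_thread_resolution": True},
        "allowed_merge_methods": None,                   # guide does not restrict develop
        "required_rules": {"non_fast_forward"},
        "strict_status_checks": False,
        "status_check_contexts": {"CI"},
    },
}


def _rules_by_type(ruleset):
    """Map rule type -> parameters; rules without parameters map to {}."""
    return {r["type"]: r.get("parameters") or {} for r in ruleset.get("rules", [])}


def audit_ruleset(ruleset, branch, ci_exists=True):
    """Return a list of findings; an empty list means the ruleset matches the policy."""
    policy = POLICY[branch]
    findings = []
    # "Active in name only": enforcement must be active AND rules must be present.
    if ruleset.get("enforcement") != "active":
        findings.append(f"enforcement is {ruleset.get('enforcement')!r}, expected 'active'")
    # Troubleshooting: target branch must match exactly (main, not master).
    include = ruleset.get("conditions", {}).get("ref_name", {}).get("include", [])
    if policy["ref"] not in include:
        findings.append(f"target branches {include} do not include {policy['ref']}")
    rules = _rules_by_type(ruleset)
    if not rules:
        findings.append("no rules enforced (all checkboxes unchecked)")
    pr = rules.get("pull_request")
    if pr is None:
        findings.append("missing rule: pull_request")
    else:
        for key, want in policy["pull_request"].items():
            if pr.get(key) != want:
                findings.append(f"pull_request.{key} is {pr.get(key)!r}, expected {want!r}")
        extra = set(pr.get("allowed_merge_methods", [])) - (policy["allowed_merge_methods"] or set())
        if policy["allowed_merge_methods"] is not None and extra:
            findings.append(f"merge methods {sorted(extra)} not allowed by policy")
    for rtype in sorted(policy["required_rules"]):
        if rtype not in rules:
            findings.append(f"missing rule: {rtype}")
    if ci_exists:  # status checks are only required once a CI workflow exists
        sc = rules.get("required_status_checks")
        if sc is None:
            findings.append("missing rule: required_status_checks")
        else:
            contexts = {c.get("context") for c in sc.get("required_status_checks", [])}
            for missing in sorted(policy["status_check_contexts"] - contexts):
                findings.append(f"status check {missing!r} not in required checks")
            if policy["strict_status_checks"] and not sc.get("strict_required_status_checks_policy"):
                findings.append("required_status_checks: 'require branches to be up to date' is off")
    if ruleset.get("bypass_actors"):  # guide: leave the bypass list empty for now
        findings.append(f"bypass list is not empty ({len(ruleset['bypass_actors'])} actors)")
    return findings


# Constructed sample: the "Active in name only" state from the Current State table.
EMPTY_MAIN_RULESET = {
    "name": "main-partner-sync", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "rules": [], "bypass_actors": [],
}
# Constructed sample: the fully configured main ruleset this guide asks for.
GOOD_MAIN_RULESET = {
    "name": "main-partner-sync", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "rules": [
        {"type": "pull_request", "parameters": {
            "required_approving_review_count": 1, "dismiss_stale_reviews_on_push": True,
            "require_code_owner_review": False, "require_last_push_approval": True,
            "required_review_thread_resolution": True, "allowed_merge_methods": ["squash", "rebase"]}},
        {"type": "required_status_checks", "parameters": {
            "strict_required_status_checks_policy": True, "required_status_checks": [{"context": "CI"}]}},
        {"type": "non_fast_forward"},
        {"type": "deletion"},
    ],
    "bypass_actors": [],
}
# Constructed sample: complete rules, but the target branch is master instead of main.
MISTARGETED_MAIN_RULESET = dict(
    GOOD_MAIN_RULESET, conditions={"ref_name": {"include": ["refs/heads/master"], "exclude": []}})

if __name__ == "__main__":
    for label, rs in [("empty", EMPTY_MAIN_RULESET), ("good", GOOD_MAIN_RULESET),
                      ("mistargeted", MISTARGETED_MAIN_RULESET)]:
        print(label, audit_ruleset(rs, "main") or ["OK"])
```

To use it on a real repo, fetch the ruleset detail (for example with `gh api repos/eco-monetize/partner-sync/rulesets/<id>`), load the JSON, and call `audit_ruleset(data, "main")` or `audit_ruleset(data, "develop")`; pass `ci_exists=False` for a repo that has no CI workflow yet, since the guide only requires status checks once CI exists.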

Org-Level Security Settings (Do First)

These two settings apply org-wide and should be enabled before configuring per-repo rulesets.

1. Require 2FA for all org members

  1. Go to https://github.com/organizations/eco-monetize/settings/security
  2. Under "Two-factor authentication", check Require two-factor authentication for everyone in the eco-monetize organization
  3. Click Save

Any member without 2FA enabled will be removed from the org until they enable it.

2. Disable public repo creation

Free-plan limitation — action not available on current plan.

Verified 2026-04-21: On GitHub Free for organizations, the "Public" checkbox under Repository creation cannot be unchecked. Private repo creation by members is a GitHub Team feature ($4/user/month). With Private unavailable on the free tier, GitHub won't allow removing Public — there would be nothing left to select.

Current risk: Low. Rick is the sole org member; outside collaborators can never create repos regardless of plan. The restriction matters when non-owner members are added.

Upgrade trigger: Move to GitHub Team when the first non-owner org member joins. Then:

  1. Go to https://github.com/organizations/eco-monetize/settings/member_privileges
  2. Under "Repository creation", uncheck Public, leave Private checked
  3. Also enable "Restrict members from changing repository visibility" on the same page
  4. Click Save

Classification: SEV3 known gap — documented, low risk at current org size.

Org audit summary (2026-04-19)

| Setting | Current | Target |
|---|---|---|
| 2FA required | OFF | ON — completed 2026-04-21 |
| Public repo creation | Allowed | Cannot restrict on free plan — SEV3 gap, upgrade trigger: first non-owner member added |
| Default repo permission | Read | Read (no change) |
| Members can fork private repos | No | No (no change) |
| Outside collaborators | None | None (no change) |
| Public repos | None | None (no change) |

Consolidated org cleanup: The ecomonetize user account (no hyphen) had 1 repo (ecosystem-signal-integration-layer) which has been transferred to eco-monetize. The ecomonetize account is now empty and can be deleted or left dormant.

Repos Without Branch Protection

7 repos currently have no rulesets. 5 are archived (low risk). The 2 active repos without protection:

| Repo | Status | Action |
|---|---|---|
| ecomonetize | Active | Add main branch ruleset (same config as other repos) |
| ecomonetize-factory | Active | Add main branch ruleset |
| content-engine | Archived | No action needed |
| ecomonetize-website | Archived | No action needed |
| claude | Active | Add main branch ruleset |
| lovable | Archived | No action needed |
| website | Archived | No action needed |

Security Recommendations (Future)

When the team grows beyond solo operator:

  • Enable Require signed commits for all branches
  • Enable Require review from Code Owners and create a CODEOWNERS file
  • Enable Require code scanning results when GitHub Advanced Security is available
  • Consider Restrict commit metadata to enforce commit email matching org domain
  • Add branch name restrictions to prevent creation of branches matching protected patterns