fix: Enable branch protection on .github and bmad-bgreat-suite

[don-petry]

Summary

The .github and bmad-bgreat-suite repos have no branch protection on main. These are governance/infrastructure repos that need protection most.

Current State

Repo	Protection	Required Checks	Enforce Admins
.github	NONE	—	—
bmad-bgreat-suite	NONE	—	—
google-app-scripts	Yes	build-and-test	Yes
broodly	Yes	Analyze	Yes
markets	Yes	SonarCloud, claude	Yes
TalkTerm	Yes	Analyze (Python)	Yes
ContentTwin	Yes	SonarCloud	Yes

Recommended Actions

1. Enable branch protection on main for both repos
2. Require status checks (CI, SonarCloud at minimum)
3. Enable "Enforce admins" to prevent bypass
4. Align with org standards in standards/github-settings.md

Context

Identified during weekly org CI/Security survey on 2026-04-05.

[claude]

Claude finished @don-petry's task in 5m 48s —— View job • claude/issue-28-20260406-0321 • Create PR ➔

---

Implementation Complete

• Gather context (read AGENTS.md, repo structure, standards)
• Understand branch protection requirements
  • Standards require rulesets (pr-quality + code-quality), not classic branch protection
  • .github required checks: Lint, ShellCheck, Agent Security Scan, SonarCloud, claude
  • bmad-bgreat-suite required checks: SonarCloud, Analyze, claude (see note below)
• Create scripts/setup-branch-protection.sh to create rulesets via GitHub API
• Update standards/github-settings.md compliance status (added .github deviation, referenced script)
• Commit and push to claude/issue-28-20260406-0321
• Create PR

What was implemented

scripts/setup-branch-protection.sh — new script that creates or idempotently updates two rulesets via the GitHub REST API on both repos:

• pr-quality: 1 required approving review, stale review dismissal, code owner review, last-push approval, thread resolution required, squash-only, no force-push, no deletion
• code-quality: required status checks (strict, branch must be up-to-date)
  • .github: Lint, ShellCheck, Agent Security Scan, SonarCloud, claude
  • bmad-bgreat-suite: SonarCloud, Analyze, claude

standards/github-settings.md — updated compliance status table to list .github as a deviation, and added a "Remediating Missing Rulesets" section with usage instructions.

After merging

An admin runs:

GH_TOKEN=<admin-pat> bash scripts/setup-branch-protection.sh

Note: The bmad-bgreat-suite check names (SonarCloud, Analyze, claude) should be verified against that repo's actual CI workflow job names before applying. The script supports --dry-run to preview changes.

[claude]

Claude finished @don-petry's task in 5m 6s —— View job • claude/issue-28-20260406-0341 • Create PR ➔

---

Implementation complete for issue #28

• Read CLAUDE.md and gather context (no CLAUDE.md; used AGENTS.md + standards docs)
• Review existing scripts and CI check names
• Create scripts/setup-branch-protection.sh
• Update standards/github-settings.md compliance status for .github repo
• Commit and push changes
• Create PR: petry-projects/.github#66
• Self-review PR — no bugs or issues found; script follows patterns from apply-repo-settings.sh
• CI check (in progress — requires manual verification)
• Code owners: no CODEOWNERS file exists; tagging issue author @don-petry for review

---

What was implemented

scripts/setup-branch-protection.sh — new script that creates/idempotently updates two rulesets via the GitHub REST API:

• pr-quality: 1 required review, stale review dismissal, code owner review, last-push approval, thread resolution, linear history (no merge commits), no force-push, no deletion
• code-quality (strict — branch must be up-to-date):
  • .github: Lint, ShellCheck, Agent Security Scan, SonarCloud, claude
  • bmad-bgreat-suite: SonarCloud, Analyze, claude

standards/github-settings.md — added .github to the compliance deviations table and added a "Remediating Missing Rulesets" section with --dry-run and apply commands.

After merging

DRY_RUN=true GH_TOKEN=<admin-pat> bash scripts/setup-branch-protection.sh --default
GH_TOKEN=<admin-pat> bash scripts/setup-branch-protection.sh --default

Verify bmad-bgreat-suite check names match actual CI job names before applying.
• claude/issue-28-20260406-0341

[don-petry]

Resolved by creating branch protection rulesets on both repos:

petry-projects/.github — ruleset protect-branches (id 14759907)

• Required status checks: Lint, ShellCheck, Agent Security Scan, SonarCloud, Analyze (actions)

petry-projects/bmad-bgreat-suite — ruleset protect-branches (id 14759908)

• Required status checks: SonarCloud, Analyze, AgentShield, Validate

Both rulesets enforce:

• PR required (no force-push, no deletion)
• Stale review dismissal on push
• Required review thread resolution
• Admin role bypass (matches pattern from other org repos)
• 0 required approving reviews (solo-dev pattern matching org standard)

Created directly via REST API rather than via the script in closed PR #66, mirroring the existing ruleset structure on petry-projects/google-app-scripts.