generated from coulomb/repo-seed
Add security architecture pattern infospace
This commit is contained in:
@@ -0,0 +1,44 @@
|
||||
# Pattern: Protected Main Branch
|
||||
|
||||
Status: seed
|
||||
Readiness target: RL2 private beta
|
||||
Primary owners: product repos, NetKingdom
|
||||
Genesis family: Supply chain
|
||||
|
||||
## Problem
|
||||
|
||||
Production code can be changed without review, tests, or traceable
|
||||
approval when the main branch is not protected.
|
||||
|
||||
## Context
|
||||
|
||||
Use this pattern for repositories that produce production services,
|
||||
platform manifests, policy packages, documentation standards, or release
|
||||
artifacts.
|
||||
|
||||
## Forces
|
||||
|
||||
- Teams need fast iteration.
|
||||
- Production branches need review and checks.
|
||||
- Emergency fixes need traceable override.
|
||||
- Branch rules should match artifact criticality.
|
||||
|
||||
## Solution
|
||||
|
||||
Protect main and release branches with review, required checks, signed
|
||||
or verified changes where useful, and explicit emergency override
|
||||
procedures.
|
||||
|
||||
## Verification
|
||||
|
||||
- Direct pushes to protected branches are blocked.
|
||||
- Required tests and reviews pass before merge.
|
||||
- Emergency overrides are logged and reviewed.
|
||||
- Release artifacts link back to protected branch commits.
|
||||
|
||||
## Related Patterns
|
||||
|
||||
- GitOps with Guardrails.
|
||||
- SLSA Build Provenance.
|
||||
- SBOM-per-Release.
|
||||
- Supply-Chain Provenance.
|
||||
Reference in New Issue
Block a user