
Scorecard: Enable branch protection for code review enforcement #81

Description

@SebTardif

Scorecard Alert

Check: Code-Review (alert #6)
Score: 0/10

Problem

Scorecard found 0 out of 23 approved changesets. This means PRs are being merged without formal GitHub review approvals. The check looks for GitHub review approvals on merged PRs, not informal review.

Root Cause

As a new single-maintainer project, PRs are self-merged without requesting a review from another GitHub account. Scorecard counts only PRs with at least one APPROVED review.

Options

Option A: Require PR reviews (recommended for maturity)

  1. Go to Settings > Rules > Rulesets (or branch protection)
  2. Add a rule for main:
    • Require a pull request before merging
    • Require approvals: 1
  3. Use a second maintainer account or add a collaborator for reviews
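The same ruleset can be created through the GitHub REST API instead of the settings UI, which makes the protection reproducible across repositories. The script below is an added example, not code from this issue or the project: it builds the body for the "Create a repository ruleset" endpoint (`POST /repos/{owner}/{repo}/rulesets`) with a `pull_request` rule requiring one approval on `main`, and it also includes a small helper that reproduces the counting rule described under Problem and Root Cause (a merged PR counts only if it carries at least one `APPROVED` review). The `OWNER`/`REPO`/`GITHUB_TOKEN` environment variables and the sample PR records are assumptions introduced for the example.

```python
"""Create a GitHub repository ruleset that requires an approving review on main.

Added example (not the issue's or the project's own code). Uses the GitHub REST
"Create a repository ruleset" endpoint: POST /repos/{owner}/{repo}/rulesets.
Assumed environment: OWNER, REPO and GITHUB_TOKEN (a token with repository
administration write access).
"""
from __future__ import annotations

import json
import os
import urllib.request

API = "https://api.github.com"


def build_ruleset(branch: str = "main", approvals: int = 1,
                  bypass_actors: list[dict] | None = None) -> dict:
    """Return the JSON body for an active ruleset on `branch`.

    The `pull_request` rule forces merges to go through a PR with `approvals`
    approving reviews. `dismiss_stale_reviews_on_push` and
    `require_last_push_approval` prevent a PR that was approved and then
    amended from being merged on the stale approval. `bypass_actors` lets the
    listed roles or teams merge without review; leave it empty unless a
    single maintainer genuinely needs to unblock themselves, because every
    bypass weakens the control the ruleset is meant to provide.
    """
    return {
        "name": f"require-review-on-{branch}",
        "target": "branch",
        "enforcement": "active",
        "bypass_actors": bypass_actors or [],
        "conditions": {"ref_name": {"include": [f"refs/heads/{branch}"], "exclude": []}},
        "rules": [
            {"type": "deletion"},          # nobody can delete the branch
            {"type": "non_fast_forward"},  # no force-pushes rewriting history
            {
                "type": "pull_request",
                "parameters": {
                    "required_approving_review_count": approvals,
                    "dismiss_stale_reviews_on_push": True,
                    "require_code_owner_review": False,
                    "require_last_push_approval": True,
                    "required_review_thread_resolution": False,
                },
            },
        ],
    }


def apply_ruleset(owner: str, repo: str, ruleset: dict, token: str) -> dict:
    """POST the ruleset to GitHub and return the created ruleset object."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/rulesets",
        data=json.dumps(ruleset).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def approved_changesets(merged_prs: list[dict]) -> tuple[int, int]:
    """Count merged PRs with at least one APPROVED review, as the issue says the
    Scorecard Code-Review check does. Returns (approved, total)."""
    approved = sum(
        1 for pr in merged_prs
        if any(review["state"] == "APPROVED" for review in pr.get("reviews", []))
    )
    return approved, len(merged_prs)


# Constructed sample records in the shape of GitHub PR/review data (assumption).
SAMPLE_MERGED_PRS = [
    {"number": 12, "reviews": []},                                        # self-merged
    {"number": 13, "reviews": [{"user": "reviewer", "state": "COMMENTED"}]},  # comment only
    {"number": 14, "reviews": [{"user": "reviewer", "state": "APPROVED"}]},   # counts
]


if __name__ == "__main__":
    approved, total = approved_changesets(SAMPLE_MERGED_PRS)
    print(f"approved changesets in sample: {approved}/{total}")
    ruleset = build_ruleset("main", 1)
    print(json.dumps(ruleset, indent=2))
    owner, repo, token = (os.environ.get(k) for k in ("OWNER", "REPO", "GITHUB_TOKEN"))
    if owner and repo and token:
        created = apply_ruleset(owner, repo, ruleset, token)
        print(f"created ruleset id {created.get('id')}")
```

Without the three environment variables the script only prints the sample count and the ruleset body, so it can be reviewed before anything is applied. Note that the ruleset and the Scorecard score are two different things: the ruleset stops future unreviewed merges, while the Code-Review score is computed from the review history of already-merged PRs and will only rise as new, approved PRs accumulate.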

Option B: Self-approve with a bot or second account

  • Less ideal but satisfies the Scorecard check mechanically

Option C: Accept the score

  • For a single-maintainer project, this score is expected
  • The score improves naturally when collaborators join

Context

This is a process/governance improvement, not a technical fix. The score will improve organically as the project gains contributors who review each other's PRs. Consider enabling review requirements when a second regular contributor joins.

Related

Metadata


Labels: security (Security improvements and hardening), tech-debt (Technical debt to address)
