From 641a6fa205ad596aac9a349d4b018d41e881c75e Mon Sep 17 00:00:00 2001
From: Sun Yimin
Date: Fri, 8 Aug 2025 09:48:58 +0800
Subject: [PATCH] ci: add branch protection
---
 .github/dependabot.yml | 3 +++
 .github/workflows/ci.yml | 4 ++--
 .github/workflows/licenses.yml | 2 +-
 .github/workflows/macos.yml | 4 ++--
 .github/workflows/scorecard.yml | 2 +-
 .github/workflows/test_ppc64.yaml | 20 ++++++++++----------
 .github/workflows/test_qemu.yml | 4 ++--
 .github/workflows/test_riscv64.yaml | 20 ++++++++++----------
 .github/workflows/test_s390x.yaml | 4 ++--
 .github/workflows/test_sm_ni.yml | 4 ++--
 10 files changed, 35 insertions(+), 32 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 36265d2..d673a11 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,13 +9,16 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "weekly"
+ target-branch: develop
 - package-ecosystem: github-actions
 directory: /
 schedule:
 interval: daily
+ target-branch: develop
 - package-ecosystem: docker
 directory: /internal/sm2ec/fiat
 schedule:
 interval: daily
+ target-branch: develop
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 38248dd..e2fc02d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: ci
 on:
 push:
- branches: [ main ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ main ]
+ branches: [ "develop", "main" ]
 permissions:
 contents: read
diff --git a/.github/workflows/licenses.yml b/.github/workflows/licenses.yml
index c1164f5..551e2a0 100644
--- a/.github/workflows/licenses.yml
+++ b/.github/workflows/licenses.yml
@@ -1,7 +1,7 @@
 name: Update License File
 on:
 push:
- branches: [ main ]
+ branches: [ "develop" ]
 paths:
 - 'go.mod'
 - 'go.sum'
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 03bcbd5..547af65 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
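Review bot: The `target-branch: develop` added to all three `updates` entries covers version updates only. Per the Dependabot documentation, security updates are still opened against the default branch, and an entry that sets `target-branch` no longer applies its settings to them. If `main` remains the default branch, security pull requests will keep arriving there and need a documented path into `develop`. A comment above the first entry such as `# version updates only; security updates still target the default branch` would record this. The first entry's `package-ecosystem` line lies outside the hunk.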
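Review bot: The new `branches: [ "develop", "main" ]` filters under `push` and `pull_request` only decide where the jobs run; they do not protect either branch, although the subject line reads "add branch protection". Protection comes from a branch rule or ruleset that lists these jobs as required status checks, which this patch cannot show. A comment above `on:` such as `# runs on develop and main; the jobs below must also be required checks in the branch ruleset` would keep the two in step. The same applies to the identical trigger changes in macos.yml, test_ppc64.yaml, test_qemu.yml, test_riscv64.yaml, test_s390x.yaml and test_sm_ni.yml.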
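Review bot: With the `push` filter narrowed to `branches: [ "develop" ]`, a `go.mod` or `go.sum` change that reaches `main` by any other route no longer regenerates the license file. The job body is outside this hunk, but if it commits the regenerated file straight back to the triggering branch, a protection rule on `develop` that requires pull requests would presumably reject that push. Either have the job open a pull request, or confirm that the workflow's token is an allowed bypass actor. A comment next to the filter, for example `# license refresh runs on develop only; the job must be able to write to the protected branch`, would document that.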
@@ -2,9 +2,9 @@ name: macOs
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 permissions:
 contents: read
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7cc9325..a898084 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,7 +12,7 @@ on:
 schedule:
 - cron: '32 2 * * 2'
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 # Declare default permissions as read only.
 permissions: read-all
diff --git a/.github/workflows/test_ppc64.yaml b/.github/workflows/test_ppc64.yaml
index 2b03da6..41a227d 100644
--- a/.github/workflows/test_ppc64.yaml
+++ b/.github/workflows/test_ppc64.yaml
@@ -5,13 +5,13 @@ name: ppc64le-qemu
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
+
+permissions:
+ contents: read
-permissions:
- contents: read
-
 jobs:
 test:
@@ -22,11 +22,11 @@ jobs:
 ppc64: [power8]
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with:
- egress-policy: audit
-
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Set up Go
 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
diff --git a/.github/workflows/test_qemu.yml b/.github/workflows/test_qemu.yml
index 02a3a1f..79c79e6 100644
--- a/.github/workflows/test_qemu.yml
+++ b/.github/workflows/test_qemu.yml
@@ -5,9 +5,9 @@ name: arm64-qemu
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 permissions:
 contents: read
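Review bot: Listing both `develop` and `main` in the scorecard.yml `push` filter will probably produce a failing run on one of them. As far as I recall, the OpenSSF Scorecard action accepts push events only from the repository's default branch, and only one of the two can be the default. The job steps are outside this hunk, so confirm which action and options are in use. If the restriction applies, keep only the default branch here, e.g. `branches: [ "main" ]`, and rely on the `schedule` trigger for periodic results.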
diff --git a/.github/workflows/test_riscv64.yaml b/.github/workflows/test_riscv64.yaml
index 6446c7a..3d2d47e 100644
--- a/.github/workflows/test_riscv64.yaml
+++ b/.github/workflows/test_riscv64.yaml
@@ -5,13 +5,13 @@ name: riscv64-qemu
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
+
+permissions:
+ contents: read
-permissions:
- contents: read
-
 jobs:
 test:
@@ -21,11 +21,11 @@ jobs:
 arch: [riscv64]
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with:
- egress-policy: audit
-
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Set up Go
 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
diff --git a/.github/workflows/test_s390x.yaml b/.github/workflows/test_s390x.yaml
index d15f149..2c834e8 100644
--- a/.github/workflows/test_s390x.yaml
+++ b/.github/workflows/test_s390x.yaml
@@ -5,9 +5,9 @@ name: s390x-qemu
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 permissions:
 contents: read
diff --git a/.github/workflows/test_sm_ni.yml b/.github/workflows/test_sm_ni.yml
index 4e63f61..2733c26 100644
--- a/.github/workflows/test_sm_ni.yml
+++ b/.github/workflows/test_sm_ni.yml
@@ -5,9 +5,9 @@ name: sm3-sm4-ni-qemu
 on:
 push:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 pull_request:
- branches: [ "main" ]
+ branches: [ "develop", "main" ]
 permissions:
 contents: read