ci: add branch protection

.github/dependabot.yml

@@ -9,13 +9,16 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    target-branch: develop      
 
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: daily
+    target-branch: develop      
 
   - package-ecosystem: docker
     directory: /internal/sm2ec/fiat
     schedule:
       interval: daily
+    target-branch: develop      

.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: ci
 
 on:
   push:
-    branches: [ main ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ main ]
+    branches: [ "develop", "main" ]
 
 permissions:
   contents: read

.github/workflows/licenses.yml

@@ -1,7 +1,7 @@
 name: Update License File
 on:
   push:
-    branches: [ main ]
+    branches: [ "develop" ]
     paths:
       - 'go.mod'
       - 'go.sum'

.github/workflows/macos.yml

@@ -2,9 +2,9 @@ name: macOs
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
 
 permissions:
   contents: read

.github/workflows/scorecard.yml

@@ -12,7 +12,7 @@ on:
   schedule:
     - cron: '32 2 * * 2'
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
 
 # Declare default permissions as read only.
 permissions: read-all

.github/workflows/test_ppc64.yaml

@@ -5,13 +5,13 @@ name: ppc64le-qemu
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
+
+permissions:
+  contents: read
 
-permissions:
-  contents: read
-
 jobs:
 
   test:
@@ -22,11 +22,11 @@ jobs:
         ppc64: [power8]
     runs-on: ubuntu-latest
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-      with:
+      with:
-        egress-policy: audit
+        egress-policy: audit
-
+
     - name: Set up Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:

.github/workflows/test_qemu.yml

@@ -5,9 +5,9 @@ name: arm64-qemu
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
 
 permissions:
   contents: read

.github/workflows/test_riscv64.yaml

@@ -5,13 +5,13 @@ name: riscv64-qemu
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
+
+permissions:
+  contents: read
 
-permissions:
-  contents: read
-
 jobs:
 
   test:
@@ -21,11 +21,11 @@ jobs:
         arch: [riscv64]  
     runs-on: ubuntu-latest
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
-      with:
+      with:
-        egress-policy: audit
+        egress-policy: audit
-
+
     - name: Set up Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:

.github/workflows/test_s390x.yaml

@@ -5,9 +5,9 @@ name: s390x-qemu
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
 
 permissions:
   contents: read

.github/workflows/test_sm_ni.yml

@@ -5,9 +5,9 @@ name: sm3-sm4-ni-qemu
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: [ "develop", "main" ]
 
 permissions:
   contents: read