diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..63d6896
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# All files require review from the repository owner
+* @leeoades
diff --git a/.github/workflows/branch-protection.yml b/.github/workflows/branch-protection.yml
new file mode 100644
index 0000000..b938c02
--- /dev/null
+++ b/.github/workflows/branch-protection.yml
@@ -0,0 +1,37 @@
+name: Apply Branch Protection
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [main]
+ paths: ['.github/workflows/branch-protection.yml']
+
+permissions:
+ contents: read
+ administration: write
+
+jobs:
+ protect-main:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Apply main branch protection rules
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ await github.rest.repos.updateBranchProtection({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ branch: 'main',
+ required_status_checks: null,
+ enforce_admins: true,
+ required_pull_request_reviews: {
+ required_approving_review_count: 1,
+ dismiss_stale_reviews: true,
+ require_code_owner_reviews: true,
+ },
+ restrictions: null,
+ allow_force_pushes: false,
+ allow_deletions: false,
+ });
+ console.log('Branch protection rules applied to main.');
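Review bot: The single entry `* @leeoades` leaves no second reviewer, and the workflow added in this commit sets `require_code_owner_reviews: true` together with `enforce_admins: true`. GitHub does not count an author's approval of their own pull request, so changes authored by @leeoades would have no eligible code-owner approver and the likely workaround is switching protection off by hand. Consider listing a second owner or team, for example `* @leeoades @SECOND_OWNER_PLACEHOLDER`, so the review requirement can be met without weakening the rule.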
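Review bot: `administration: write` under `permissions:` is, as far as I know, not a scope the workflow `permissions` key accepts, and the built-in `GITHUB_TOKEN` cannot be granted repository administration. The `updateBranchProtection` call is therefore likely to be rejected, leaving `main` unprotected while the file suggests otherwise. Applying branch protection needs a credential that carries Administration write, such as a GitHub App installation token or fine-grained PAT held in a secret: `github-token: ${{ secrets.BRANCH_PROTECTION_TOKEN_PLACEHOLDER }}`, with the `administration` line removed. Because that credential is admin-scoped, pin the action to a full commit SHA rather than the mutable tag, `uses: actions/github-script@<FULL_COMMIT_SHA_PLACEHOLDER> # v7`. `required_status_checks: null` also means no CI check gates merges, which deserves a comment such as `# no required checks yet: review-only gate` if it is intentional.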