From 3555cb21728577c9ebdf53ac00b7999a899a2aaf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 21:52:02 +0000
Subject: [PATCH 1/2] Initial plan


From c72a172b9ef4f4fab474ac22e85c86356ecd29e7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 19 Feb 2026 21:54:12 +0000
Subject: [PATCH 2/2] feat: add CODEOWNERS and branch-protection workflow to
 secure main branch

Co-authored-by: leeoades <2321091+leeoades@users.noreply.github.com>
---
 .github/CODEOWNERS                      |  2 ++
 .github/workflows/branch-protection.yml | 37 +++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/branch-protection.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..63d6896
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# All files require review from the repository owner
+* @leeoades
diff --git a/.github/workflows/branch-protection.yml b/.github/workflows/branch-protection.yml
new file mode 100644
index 0000000..b938c02
--- /dev/null
+++ b/.github/workflows/branch-protection.yml
@@ -0,0 +1,37 @@
+name: Apply Branch Protection
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths: ['.github/workflows/branch-protection.yml']
+
+permissions:
+  contents: read
+  administration: write
+
+jobs:
+  protect-main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Apply main branch protection rules
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.rest.repos.updateBranchProtection({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              branch: 'main',
+              required_status_checks: null,
+              enforce_admins: true,
+              required_pull_request_reviews: {
+                required_approving_review_count: 1,
+                dismiss_stale_reviews: true,
+                require_code_owner_reviews: true,
+              },
+              restrictions: null,
+              allow_force_pushes: false,
+              allow_deletions: false,
+            });
+            console.log('Branch protection rules applied to main.');