Enforce branch policies on the repository #458

Open
4 of 7 tasks
toddysm opened this issue Mar 8, 2023 · 4 comments
Labels
help wanted Extra attention is needed

Comments

@toddysm

toddysm commented Mar 8, 2023

To improve the security of the ORAS project we need to enforce the branch policies for this repository. I propose that we enforce the policies as follows:

  • Use the following rules for main and release/* branches:
    • Require PR before merging
      • Require 3 approvals
      • Dismiss stale PR approvals when new commits are pushed
      • Require review from Code Owners
      • Require status checks to pass before merging
      • Require conversation resolution before merging
      • Require signed commits
      • Do not allow bypassing the above settings

Please add your comments and proposals for additional changes to this issue.

@TerryHowe
Member

TerryHowe commented Mar 8, 2023

If a code owner created the PR, is that one approval? I am assuming only approvals from code owners count.

@toddysm
Author

toddysm commented Mar 8, 2023

That is correct @TerryHowe - only codeowners count. And no, this is in addition to the person who submitted the PR as far as I know. We can have a relaxed policy and ask for 2 codeowner approvals only.

@shizhMSFT
Contributor

shizhMSFT commented Mar 20, 2023

A few comments:

  • release/* does not apply to libraries. Besides, we have a special branch named v1.
  • "Require 3 approvals" is not applicable to this repository since we only have 2 active code owners.
  • Additionally, we require branches to be up to date before merging, which is useful but not captured in this issue.

It is worth noting that "require branches to be up to date before merging" somehow conflicts with "dismiss stale PR approvals when new commits are pushed".

@shizhMSFT shizhMSFT added the help wanted Extra attention is needed label Mar 20, 2023
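
The rules proposed at the top of this issue, plus the "require branches to be up to date" rule raised in the comment above, all correspond to fields in the payload returned by GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint. The following audit script is an added example and is not code from the ORAS project or any participant in this thread. It checks a saved protection payload against the proposal so drift (for example, someone lowering the approval count) is caught rather than discovered during review. The field names are the real REST API ones; the payloads are constructed samples, the `min_approvals` parameter is an assumption (the thread discusses both 3 and 2), and mapping "Do not allow bypassing the above settings" onto `enforce_admins` is an assumption about how that UI checkbox is exposed in the API.

```python
"""Audit a GitHub branch-protection payload against the policy proposed in this issue.

Added example, not ORAS project code. Payloads below are constructed samples
shaped like the response of
GET /repos/{owner}/{repo}/branches/{branch}/protection (fetch a real one with
`gh api repos/OWNER/REPO/branches/main/protection`).
"""
import json

# Constructed sample: a repository where several proposed rules were relaxed.
SAMPLE_PROTECTION = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["build", "unit-test"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_signatures": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
})

# Constructed sample: every proposed rule switched on.
COMPLIANT_PROTECTION = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["build", "unit-test"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 3,
    },
    "required_signatures": {"enabled": True},
    "required_conversation_resolution": {"enabled": True},
})


def audit_branch_protection(payload: str, min_approvals: int = 3) -> list[str]:
    """Return human-readable findings; an empty list means the branch complies.

    `min_approvals` is a parameter (assumption) because the thread discusses
    requiring either 3 or 2 code-owner approvals.
    """
    p = json.loads(payload)
    findings = []

    # "Require PR before merging" and its sub-rules live under this object;
    # its absence means PRs are not required at all.
    reviews = p.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request before merging: not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(f"required approvals: {count} < {min_approvals}")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("dismiss stale reviews: disabled")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("code owner review: not required")

    # "Require status checks" and "require branches to be up to date"
    # (the `strict` flag) share one object.
    checks = p.get("required_status_checks")
    if checks is None:
        findings.append("status checks: not required")
    elif not checks.get("strict"):
        findings.append("branch up to date before merging: not required")

    # Remaining rules are simple enabled/disabled toggles. Mapping
    # "Do not allow bypassing" to enforce_admins is an assumption.
    toggles = (
        ("required_conversation_resolution", "conversation resolution"),
        ("required_signatures", "signed commits"),
        ("enforce_admins", "no bypass (enforce for admins)"),
    )
    for key, label in toggles:
        if not p.get(key, {}).get("enabled"):
            findings.append(f"{label}: not enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FAIL:", finding)
```

Run it against the live payload of `main` and each `release/*` (or `v1`) branch in CI or a scheduled job; any non-empty result is a policy regression worth a ticket. Note that the audit only reads the protection object, so it needs a token with repository administration read access and it cannot tell you why a setting changed, only that it did.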
@toddysm
Author

toddysm commented Mar 20, 2023

I am confused by what you mean with "release doesn't apply to libraries". Is this about the branch name, or is it because we do not "release" libraries? Also, it will be good to be consistent with the branch names across all ORAS projects. Also, see some comments from oras-project/oras#862 (comment); they apply here too.

Projects
Status: In Progress