# Branch Protection (Forgejo Primary)

`main` should be protected to satisfy constitutional governance (`all changes merge through pull requests`) and to require CI before merge.

## Required settings

- Protected branch: `main`
- Direct pushes disabled
- Required approvals: `1` (or stricter)
- Required status checks:
  - `ci-gates / checks`
- Require signed commits: enabled

## Apply via script

```sh
./scripts/fj-enforce-branch-protection.sh
```

Optional overrides:

```sh
EVERY_CHANNEL_FORGE_HOST=https://git.every.channel \
EVERY_CHANNEL_FORGE_REPO=every-channel/every.channel \
EVERY_CHANNEL_PROTECTED_BRANCH=main \
EVERY_CHANNEL_REQUIRED_CHECKS="ci-gates / checks" \
EVERY_CHANNEL_REQUIRED_APPROVALS=1 \
./scripts/fj-enforce-branch-protection.sh
```

Token source order:

1. `EVERY_CHANNEL_FORGE_TOKEN` / `FORGE_TOKEN` / `CODEBERG_TOKEN` env var
2. `secrets/forgejo-api-token.age` (preferred) via `agenix` or `age`
3. `secrets/forge-token.age` or `secrets/codeberg-token.age` (compat) via `agenix` or `age`

The token must have repository admin scope to edit branch protection.