DRIVERS-2890: Summary of necessary driver changes All drivers MUST enable branch protections as outlined in the policy : All branches that contain a supported release (e.g. support branches for minor versions) as well as the main development branch MUST require a pull request and MUST NOT allow direct pushes Pull request MUST be reviewed by at least one other engineer on the team before being mergeable Pull request MUST pass checks before being mergeable. Static checks (e.g. compiling, linters, static analysis) MUST be required; teams MAY add additional checks (e.g. certain evergreen tasks) as requirements for merging Use repository rules (not branch protection settings) as they offer more flexibility. In a GitHub repository, go to "Settings -> Rules -> Rulesets" to configure them. For convenience, you can store the files in this gist and import the rules; then select branches they apply to and checks to apply. It is recommended to leave rules in the "Evaluate" state before enabling them. That way, checks are not enforced and can be reviewed using the "Settings -> Rules -> Insights" page to fine-tune rules to avoid disruption. TPMs will then review access to each repository and limit write access (and admin access) to relevant teams/people. The "Signing git artifacts" portion requires that all tags pushed to repositories containing supported releases be cryptographically signed. Until automated releases and signing via garasign is implemented, engineers MUST sign using their own gpg key which MUST contain their full name and MongoDB email address. Note that the requirement for the signing key to be signed by the department key does not apply yet, as we don't have such a key.