🐛 Fix branch-protection ruleset handling when there are no include patterns

[trask]

What kind of change does this PR introduce?

Bug fix – repository rulesets without any include patterns should apply to all branches which aren't explicitly excluded

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

Scorecard ignores GitHub rulesets that rely on an empty include list (apply to all refs unless excluded), so branches covered only by those rulesets are reported as lacking protection. The branch-protection check emits false warnings such as “Warn: branch protection not enabled for branch 'xyz'”.

What is the new behavior (if this is a feature change)?

Rulesets with no explicit include patterns are now treated as applying to every ref except those explicitly excluded, matching GitHub’s semantics. Branches governed by such rulesets are marked protected and no longer generate false warnings.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

None

Special notes for your reviewer

None

Does this PR introduce a user-facing change?

Fix branch-protection scoring so GitHub rulesets without include patterns are honored, eliminating false warnings for branches covered by those rulesets.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.49%. Comparing base (353ed60) to head (677aec3).
⚠️ Report is 267 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4835      +/-   ##
==========================================
+ Coverage   66.80%   69.49%   +2.68%     
==========================================
  Files         230      250      +20     
  Lines       16602    15595    -1007     
==========================================
- Hits        11091    10837     -254     
+ Misses       4808     3891     -917     
- Partials      703      867     +164     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[spencerschrock]

repository rulesets without any include patterns should apply to all branches which aren't explicitly excluded

Are you sure about that? This is what I see on a test repo when making a ruleset without a target:

This ruleset does not target any resources and will not be applied.

[trask]

Are you sure about that? This is what I see on a test repo when making a ruleset without a target:

This ruleset does not target any resources and will not be applied.

ah, good point, fixed: 677aec3

[spencerschrock]

Is this intentionally a draft PR?

[trask]

yeah, sorry, was going to confirm if we really needed it in OpenTelemetry or not (I think we may need to restructure our rulesets unrelated to this issue). do you prefer that I close until then or would you prefer I just mark it ready for review?

[spencerschrock]

Up to you, I mainly wanted to make sure this PR wasn't waiting for a review which wasn't assigned.

But this fixes an edge case I didn't know about, so happy to merge it regardless of if OpenTelemetry ends up needing it.

[spencerschrock]

/scdiff generate Branch-Protection

[github-actions]

Here's a link to the scdiff run