Status: Open
Labels: gate-review (Requires human gate review before proceeding), security (Security and access control enforcement)
GITHUB_TRIPLE_LOCK_INVARIANT v0.1 — LOCK 1: AUTHORITY
Part of: GITHUB_TRIPLE_LOCK_INVARIANT
Source: Security audit by Comet (Perplexity browser agent), 2026-03-08
Question this lock answers
Is this actor allowed to propose and approve this class of change?
Required checks
- 2FA enabled on all accounts with push/merge access
- CODEOWNER review required for governance-sensitive paths
- Require approval of most recent push (dismiss stale approvals)
- Self-approval forbidden on sensitive paths
- Actor has repository role required for action
- Authority scope matches changed files
Governance-sensitive paths (require triple lock)
.github/workflows/**
stop_machine/**
authority_gate/**
mgtp/**
registry/**
commit_gate/**
schemas/**
FAIL conditions
- Unknown actor
- No 2FA
- Approval from wrong reviewer class
- Actor merges own sensitive change without required second party
- Approval predates a new push (stale)
Audit issues addressed
- Issue cluster D: no branch protection on stop-machine, stale approvals OFF, bypassing allowed, no signed commits, no 2FA
- Branch protection setting: "Dismiss stale PR approvals" currently OFF
- Branch protection setting: "Require Code Owner review" currently OFF
- Branch protection setting: "Require approval of most recent push" currently OFF
- GitHub account 2FA not yet enabled (deadline April 3, 2026)
Concrete actions
- Enable 2FA on GitHub account immediately
- Enable "Require review from Code Owners" in branch protection for main
- Enable "Dismiss stale pull request approvals when new commits are pushed"
- Enable "Require approval of the most recent reviewable push"
- Add branch protection to the stop-machine repo matching constraint-workshop rules
- Ensure CODEOWNERS file covers all governance-sensitive paths listed above
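As an added example (not part of this issue or the audit it cites), the checker below evaluates the branch-protection settings and CODEOWNERS coverage this lock requires. It assumes the input is the JSON returned by GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint (fetched separately, for example with `gh api`), with field names as I know them from that response; the sample protection JSON, the CODEOWNERS text and the `@org/governance` owner are constructed to mirror the audit findings, and the CODEOWNERS matcher is a simplified directory-rule check, not GitHub's full pattern matching.

```python
from typing import Dict, List

# Governance-sensitive paths listed in the issue; each needs a CODEOWNERS rule.
SENSITIVE_PATHS = [".github/workflows", "stop_machine", "authority_gate",
                   "mgtp", "registry", "commit_gate", "schemas"]

def branch_protection_findings(protection: Dict) -> List[str]:
    """LOCK 1 FAIL findings for one branch-protection API response."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = [
        (reviews.get("dismiss_stale_reviews"), "Dismiss stale PR approvals is OFF"),
        (reviews.get("require_code_owner_reviews"), "Require Code Owner review is OFF"),
        (reviews.get("require_last_push_approval"), "Require approval of most recent push is OFF"),
        ((protection.get("enforce_admins") or {}).get("enabled"), "bypass by administrators allowed"),
        ((protection.get("required_signatures") or {}).get("enabled"), "signed commits not required"),
    ]
    return [msg for ok, msg in checks if ok is not True]

def _rule_dir(pattern: str) -> str:
    """Simplified matcher (assumption): '/dir/', 'dir/**' and 'dir' all name directory 'dir'."""
    p = pattern.strip("/")
    for suffix in ("/**", "/*"):
        if p.endswith(suffix):
            p = p[: -len(suffix)]
    return p

def codeowners_gaps(codeowners_text: str) -> List[str]:
    """Sensitive paths with no CODEOWNERS rule (a pattern plus at least one owner)."""
    covered = set()
    for line in codeowners_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split pattern/owners
        if len(parts) >= 2:
            covered.add(_rule_dir(parts[0]))
    return [p for p in SENSITIVE_PATHS if p not in covered]

# Constructed sample mirroring the audit: the three review settings are OFF.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
        "require_code_owner_reviews": False, "require_last_push_approval": False,
        "required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
}
# Constructed CODEOWNERS covering only two of the seven sensitive paths.
SAMPLE_CODEOWNERS = "/.github/workflows/ @org/governance\nstop_machine/** @org/governance\n"

if __name__ == "__main__":
    print("FAIL:", branch_protection_findings(SAMPLE_PROTECTION))
    print("uncovered:", codeowners_gaps(SAMPLE_CODEOWNERS))
```

An empty findings list and an empty gaps list together mean the branch-protection part of LOCK 1 passes; the 2FA and actor-role checks still need the organization and repository APIs.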