Remember to lock down not only the public certificate, but also lock down the /.github/CODEOWNERS file itself!
The only tricky bit is that the setting to require review from a code owner is hidden by default, and only shown after the Require a pull request before merging option is enabled:
I recommend enabling at least the first three of those five checkboxes. For personal GitHub repositories, only the owner can modify these settings … so I cannot do this on your behalf (Sorry!).
```
# Require Ian or Henry to review changes to...
# Changes to the public key, or cert commands
/src/pubkey/ @DangerousPrototypes @henrygab
/src/commands/global/cert.* @DangerousPrototypes @henrygab
# Modifications to CMakeLists.txt can change which files are included in the build
CMakeLists.txt @DangerousPrototypes @henrygab
# Anything in github directory (workflows, codeowners, etc.)
/.github/ @DangerousPrototypes @henrygab
/.devcontainer/ @DangerousPrototypes @henrygab
/.vscode/ @DangerousPrototypes @henrygab
/LICENSE.TXT @DangerousPrototypes @henrygab
/.gitignore @DangerousPrototypes @henrygab
/.gitmodules @DangerousPrototypes @henrygab
/docker-compose.yml @DangerousPrototypes @henrygab
```
Then, add the branch protection rules as noted above…
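As an added example (not part of the post or the project), the following script audits a CODEOWNERS file the way the post recommends: it applies GitHub's matching rules (root-anchored vs. bare-name patterns, trailing `/` for directories, last matching pattern wins) to a list of sensitive paths and reports any that are unowned or owned by an account outside the trusted set. The sample CODEOWNERS text and the sensitive file names are constructed; the sample deliberately omits the `/.github/` line so the audit flags CODEOWNERS itself as unprotected.

```python
import re

# Constructed sample: the post's rules with the /.github/ line left out, to expose the gap.
SAMPLE_CODEOWNERS = """\
/src/pubkey/ @DangerousPrototypes @henrygab
/src/commands/global/cert.* @DangerousPrototypes @henrygab
CMakeLists.txt @DangerousPrototypes @henrygab
/docker-compose.yml @DangerousPrototypes @henrygab
"""
TRUSTED = {"@DangerousPrototypes", "@henrygab"}
# Constructed repo-relative paths that must stay under code-owner review.
SENSITIVE = [".github/CODEOWNERS", ".github/workflows/build.yml",
             "src/pubkey/key.pem", "src/commands/global/cert.c", "src/CMakeLists.txt"]

def parse_codeowners(text):
    """[(pattern, [owners])] in file order; comments and blank lines dropped."""
    lines = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [(fields[0], fields[1:]) for fields in lines if fields]

def _glob(pat, cand):
    # gitignore-style '*': stays within one path segment ('?' and '**' not handled)
    return re.fullmatch(re.escape(pat).replace(r"\*", "[^/]*"), cand) is not None

def pattern_matches(pattern, path):
    """Simplified CODEOWNERS match for a repo-relative path without leading '/'."""
    is_dir, pat = pattern.endswith("/"), pattern.strip("/")
    # A pattern containing '/' (other than a trailing one) is anchored at the repo
    # root; a bare name such as CMakeLists.txt matches at any depth.
    anchored = pattern.startswith("/") or "/" in pat
    parts = path.split("/")
    cands = [path] if anchored else ["/".join(parts[i:]) for i in range(len(parts))]
    return any(c == pat or c.startswith(pat + "/") or (not is_dir and _glob(pat, c))
               for c in cands)

def owners_for(rules, path):
    """GitHub semantics: the last matching pattern wins, overriding earlier ones."""
    owners = []
    for pattern, rule_owners in rules:
        if pattern_matches(pattern, path):
            owners = rule_owners
    return owners

def audit(text, paths=SENSITIVE, trusted=TRUSTED):
    """True per path iff it has owners and every owner is trusted (any one listed
    owner can approve, so a single extra account weakens the control)."""
    rules = parse_codeowners(text)
    out = {}
    for path in paths:
        owners = set(owners_for(rules, path))
        out[path] = bool(owners) and owners <= trusted
    return out
```

Running `audit(SAMPLE_CODEOWNERS)` reports the two `.github/` paths as unprotected; appending the post's `/.github/` rule makes every path pass, while appending a later rule that adds an untrusted owner to `/src/pubkey/` fails that path because the later rule overrides the earlier one.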