Organize branch protection playbook as GitHub role

.github/branch-protection-rules.json

@@ -0,0 +1,21 @@
+{
+  "required_status_checks": {
+    "strict": true,
+    "checks": [
+      { "context": "Lint / go-vet" },
+      { "context": "Lint / actionlint" }
+    ]
+  },
+  "enforce_admins": true,
+  "required_pull_request_reviews": {
+    "dismiss_stale_reviews": true,
+    "require_code_owner_reviews": false,
+    "required_approving_review_count": 1
+  },
+  "restrictions": null,
+  "required_linear_history": false,
+  "allow_force_pushes": false,
+  "allow_deletions": false,
+  "block_creations": false,
+  "required_conversation_resolution": true
+}

playbooks/apply-branch-protection.yml

@@ -0,0 +1,7 @@
+---
+- name: Apply branch protection rules
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  roles:
+    - github

playbooks/roles/github/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+owner: ""
+repo: ""

playbooks/roles/github/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Set branch protection using GitHub CLI
+  ansible.builtin.command: >-
+    gh api repos/{{ owner }}/{{ repo }}/branches/main/protection
+    --method PUT
+    -H "Accept: application/vnd.github+json"
+    --input .github/branch-protection-rules.json
+  args:
+    chdir: "{{ playbook_dir }}/.."
+  environment:
+    GITHUB_TOKEN: "{{ lookup('env', 'GITHUB_TOKEN') }}"