diff --git a/.github/branch-protection-rules.json b/.github/branch-protection-rules.json
new file mode 100644
index 0000000..904bc03
--- /dev/null
+++ b/.github/branch-protection-rules.json
@@ -0,0 +1,21 @@
+{
+ "required_status_checks": {
+ "strict": true,
+ "checks": [
+ { "context": "Lint / go-vet" },
+ { "context": "Lint / actionlint" }
+ ]
+ },
+ "enforce_admins": true,
+ "required_pull_request_reviews": {
+ "dismiss_stale_reviews": true,
+ "require_code_owner_reviews": false,
+ "required_approving_review_count": 1
+ },
+ "restrictions": null,
+ "required_linear_history": false,
+ "allow_force_pushes": false,
+ "allow_deletions": false,
+ "block_creations": false,
+ "required_conversation_resolution": true
+}
diff --git a/playbooks/apply-branch-protection.yml b/playbooks/apply-branch-protection.yml
new file mode 100644
index 0000000..6a6b690
--- /dev/null
+++ b/playbooks/apply-branch-protection.yml
@@ -0,0 +1,7 @@
+---
+- name: Apply branch protection rules
+ hosts: localhost
+ connection: local
+ gather_facts: false
+ roles:
+ - github
diff --git a/playbooks/roles/github/defaults/main.yml b/playbooks/roles/github/defaults/main.yml
new file mode 100644
index 0000000..f113e9d
--- /dev/null
+++ b/playbooks/roles/github/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+owner: ""
+repo: ""
diff --git a/playbooks/roles/github/tasks/main.yml b/playbooks/roles/github/tasks/main.yml
new file mode 100644
index 0000000..9bceabf
--- /dev/null
+++ b/playbooks/roles/github/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Set branch protection using GitHub CLI
+ ansible.builtin.command: >-
+ gh api repos/{{ owner }}/{{ repo }}/branches/main/protection
+ --method PUT
+ -H "Accept: application/vnd.github+json"
+ --input .github/branch-protection-rules.json
+ args:
+ chdir: "{{ playbook_dir }}/.."
+ environment:
+ GITHUB_TOKEN: "{{ lookup('env', 'GITHUB_TOKEN') }}"
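Review bot: `required_pull_request_reviews` sets a single required approval but leaves `require_last_push_approval` at its default, so a reviewer who pushes the final commit to the branch can still be the one whose approval satisfies the rule; `dismiss_stale_reviews` clears earlier approvals on new pushes but does not stop the pusher from re-approving. Adding `"require_last_push_approval": true` next to `required_approving_review_count` closes that gap. The `checks` contexts (`Lint / go-vet`, `Lint / actionlint`) appear to be workflow/job names and must match them exactly; a renamed job would leave a required check that never reports and blocks every merge, and since JSON cannot carry a comment, the playbook or README should state where these strings come from. Note also that nothing under `.github/` is read by GitHub for this purpose: the file only takes effect when the playbook sends it to the API.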
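Review bot: The API path in `gh api repos/{{ owner }}/{{ repo }}/branches/main/protection` is built from `owner` and `repo`, whose role defaults (`playbooks/roles/github/defaults/main.yml`) are empty strings, so a run without `-e owner=… -e repo=…` sends a request to `repos///branches/main/protection` instead of failing before any API call is made. The same applies to `GITHUB_TOKEN`: when it is unset the `lookup` yields an empty string and gh may fall back to whatever credential it has stored locally, so the protection could be applied with an unintended identity. An `ansible.builtin.assert` task ahead of the command makes all three preconditions explicit and fails with a readable message. The branch name `main` is also hard-coded; a `branch: main` role default would keep the task reusable for repositories with a different default branch.
```yaml
- name: Fail early when the repository coordinates or token are missing
  ansible.builtin.assert:
    that:
      - owner | length > 0
      - repo | length > 0
      - lookup('env', 'GITHUB_TOKEN') | length > 0
    fail_msg: "owner, repo and GITHUB_TOKEN must be set before applying branch protection"
    quiet: true

# … unchanged: the gh api command task …
```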