This repository has been archived by the owner on Apr 7, 2024. It is now read-only.

Enforce branch policies on this repository #14

Closed
7 tasks
toddysm opened this issue Mar 8, 2023 · 3 comments
Labels
help wanted Extra attention is needed

Comments

@toddysm

toddysm commented Mar 8, 2023

To improve the security of the ORAS project, we need to enforce the branch policies for this repository. I propose that we enforce the policies as follows:

  • Use the following rules for main and release/* branches:
    • Require PR before merging
      • Require 3 approvals
      • Dismiss stale PR approvals when new commits are pushed
      • Require review from Code Owners
      • Require status checks to pass before merging
      • Require conversation resolution before merging
      • Require signed commits
      • Do not allow bypassing the above settings

Please add your comments and proposals for additional changes to this issue.

@shizhMSFT
Contributor

A few comments:

  • release/* does not apply to libraries.
  • "Require 3 approvals" is not applicable to this repository since we only have 3 code owners.
  • Additionally, we require branches to be up to date before merging, which is useful but not captured in this issue.

It is worth noting that "require branches to be up to date before merging" somehow conflicts with "dismiss stale PR approvals when new commits are pushed".

@shizhMSFT added the "help wanted" label on Mar 20, 2023
@toddysm
Author

toddysm commented Mar 20, 2023

The same comments as in oras-project/oras-go#458 (comment) and oras-project/oras#862 (comment)

@TerryHowe
Member

I've updated the branch policies here to be similar to other ORAS libraries.
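
An added example (not code from this thread or from the ORAS project): a Python check that compares a branch-protection response from GitHub's REST API against the rules proposed in the issue, with the approval count and the "up to date" rule raised in the comments left as parameters. The sample JSON is constructed, and the `audit` function, its parameters and the mapping of "Do not allow bypass" to `enforce_admins` are this example's assumptions.

```python
import json

# Constructed sample, shaped like the response of GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint.
SAMPLE = json.loads("""
{
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1
  },
  "required_status_checks": {"strict": true, "contexts": ["build"]},
  "required_conversation_resolution": {"enabled": true},
  "required_signatures": {"enabled": false},
  "enforce_admins": {"enabled": true}
}
""")


def audit(protection, min_approvals=3, require_up_to_date=False):
    """Return the proposed rules that the protection settings do not meet."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks")

    def enabled(key):
        # These settings are objects of the form {"enabled": true/false}.
        return bool((protection.get(key) or {}).get("enabled"))

    rules = [
        ("Require PR before merging", bool(reviews)),
        (f"Require {min_approvals} approvals",
         reviews.get("required_approving_review_count", 0) >= min_approvals),
        ("Dismiss stale PR approvals", bool(reviews.get("dismiss_stale_reviews"))),
        ("Require review from Code Owners", bool(reviews.get("require_code_owner_reviews"))),
        ("Require status checks", checks is not None),
        ("Require conversation resolution", enabled("required_conversation_resolution")),
        ("Require signed commits", enabled("required_signatures")),
        # Assumption: the UI's "do not allow bypass" option is enforce_admins.
        ("Do not allow bypass", enabled("enforce_admins")),
    ]
    if require_up_to_date:
        rules.append(("Require branches to be up to date", bool((checks or {}).get("strict"))))
    return [name for name, ok in rules if not ok]


if __name__ == "__main__":
    for finding in audit(SAMPLE, require_up_to_date=True):
        print("NOT ENFORCED:", finding)
```
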
