Use safe-settings or probot/settings to enforce repository policies

[magnusbaeck]

Description

We should implement github.com/github/safe-settings or github.com/probot/settings to enforce the repository policies that current are maintained by hand, like "repo maintainers should also be watchers" and "two approvals are required before a merge".

Motivation

Automatically enforced policies are preferable (as long as they don't get in the way).

Exemplification

N/A

Benefits

Less work setting up a repository, easier to deal with configuration drift, fewer documentation requirements.

Possible Drawbacks

We can introduce friction if we add policies that we think should apply to all repositories but actually don't. Policy enforcement choices need to be done with care.

[magnusbaeck]

One interesting use case for this is to enforce approval of workflow executions for PRs from external contributors. See https://www.securityweek.com/major-it-crypto-firms-exposed-to-supply-chain-compromise-via-new-class-of-ci-cd-attack/ and the minutes of the 2024-02-08 TC meeting.