To create a branch protection rule, PUT to '/repos/{owner}/{repo}/branches/{branch}/protection' with a JSON body specifying 'required_status_checks', 'enforce_admins', 'required_pull_request_reviews', and 'restrictions'
For the newer rulesets API, POST to '/repos/{owner}/{repo}/rulesets' with 'name', 'target' ('branch' or 'tag'), 'enforcement' ('active' or 'evaluate'), 'conditions' (ref name patterns), and 'rules' array
Each rule in the 'rules' array is an object with a 'type' (e.g. 'pull_request', 'required_status_checks', 'commit_message_pattern') and a 'parameters' object specific to that type
Retrieve existing rulesets via GET '/repos/{owner}/{repo}/rulesets' and update with PUT '/repos/{owner}/{repo}/rulesets/{ruleset_id}'
Test changes with 'enforcement: evaluate' before switching to 'active' to see which rule conditions would have triggered without blocking merges
Known gotchas
Branch protection rules and rulesets are separate systems; rulesets are the newer approach and support layering multiple rulesets on the same branch, while the older API supports only one rule set per branch pattern
Admins bypass branch protection rules unless 'enforce_admins' is true; rulesets have a separate bypass list mechanism using actor IDs
Required status check context names must exactly match the job name (or custom name) as it appears in the Checks API; mismatches cause PRs to block forever
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp