Enforce branch policies on the repository

[toddysm]

To improve the security of the ORAS project we need to enforce the branch policies for this repository. I propose that we enforce the policies as follows:

• Use the following rules for main and release/* branches:
  • Require PR before merging
    • Require 3 approvals
    • Dismiss stale PR approvals when new commits are pushed
    • Require review from Code Owners
    • Require status checks to pass before merging
    • Require conversation resolution before merging
    • Require signed commits
    • Do not allow bypass the above settings

Please add your comments and proposals for additional changes to this issue.

[TerryHowe]

I think 2 approvals from maintainers/owners would be good enough regardless of who submitted the PR.