diff --git a/README.md b/README.md
index c3bca05..164ed8d 100644
--- a/README.md
+++ b/README.md
@@ -44,3 +44,31 @@ variables:
 | settings_merge_squash | Enable merge request squash |
 | settings_projects | Whether the project tab should be enabled |
 | settings_wiki | Wiki enabled or not |
+
+## testing
+
+- [Install](https://github.com/cli/cli?tab=readme-ov-file#installation) gh cli.
+- Create a read only token.
+- Login: `gh auth login`
+
+https://gist.github.com/duboisf/68fb6e22ac0a2165ca298074f0e3b553
+
+```
+gh api graphql -F repositoryId="MDEwOlJlcG9zaXRvcnkxMTUzMzI5MTE=" -F branchName='master6' -f query='
+ mutation CreateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ createBranchProtectionRule(input: {
+ repositoryId: $repositoryId,
+ pattern: $branchName,requiresApprovingReviews:true, requiredApprovingReviewCount:1
+ requiresCodeOwnerReviews:true, requiresStatusChecks:true,
+ restrictsReviewDismissals:false, allowsDeletions: false
+ allowsForcePushes:false
+ dismissesStaleReviews:true
+ }) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}
+ '
+```
diff --git a/action.yml b/action.yml
index 9db0f6e..09b10ae 100644
--- a/action.yml
+++ b/action.yml
@@ -72,3 +72,42 @@ runs:
 - name: enable or disable the 'wiki' tab for ${{ inputs.project }}
 run: gh repo edit ${{ inputs.project }} --enable-wiki=${{ inputs.settings_wiki }}
 shell: bash
+
+ - name: Set GitHub Path
+ run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
+ shell: bash
+ env:
+ GITHUB_ACTION_PATH: ${{ github.action_path }}
+ - name: protect main branch
+ run: |
+ repositoryId=$(gh repo view --json id -q '.id' "${{ inputs.project }}")
+ echo $repositoryId
+
+ branch_to_be_protected="main"
+ if gh api repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection; then
+ echo "main branch is protected already. Updating it...";
+ # gh api graphql \
+ # -f query="$(cat ${GITHUB_ACTION_PATH}/update-branch-protection-rule.graphql)" \
+ # -F branchName="${branch_to_be_protected}" \
+ # -F repository="${{ inputs.project }}"
+
+
+ curl \
+ --fail \
+ --verbose \
+ -L \
+ -X PUT \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ --data-binary "@${GITHUB_ACTION_PATH}/update-branch-protection.json" \
+ https://api.github.com/repos/${{ inputs.project }}/branches/${branch_to_be_protected}/protection
+ else
+ echo "main branch not protected. Protecting it...";
+ gh api graphql \
+ -f query="$(cat ${GITHUB_ACTION_PATH}/create-branch-protection-rule.graphql)" \
+ -F branchName="${branch_to_be_protected}" \
+ -F repository="${{ inputs.project }}"
+ fi
+
+ shell: bash
diff --git a/create-branch-protection-rule.graphql b/create-branch-protection-rule.graphql
new file mode 100644
index 0000000..a7efa05
--- /dev/null
+++ b/create-branch-protection-rule.graphql
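Review bot: In the `protect main branch` step of action.yml, `${{ inputs.project }}` is expanded into the bash script text before the shell runs, so a caller-supplied value containing shell metacharacters becomes part of the script (the unchanged `gh repo edit` context line has the same pattern). Pass the value through the step environment instead, an `env:` entry `PROJECT: ${{ inputs.project }}`, and reference it quoted, e.g. `gh repo view --json id -q '.id' "$PROJECT"` and `gh api "repos/${PROJECT}/branches/${branch_to_be_protected}/protection"`. The `curl` call combines `--verbose` with `-H "Authorization: Bearer ${GH_TOKEN}"`; verbose output includes the request headers, so I would drop `--verbose` rather than rely on log masking. Finally, any failure of the `gh api .../protection` probe (not only a missing rule) falls into the `else` branch, and that branch passes `-F repository=` while the mutation declares `$repositoryId`, which leaves the computed `repositoryId` unused apart from the `echo`.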
@@ -0,0 +1,11 @@
+# https://docs.github.com/en/graphql/reference/input-objects#createbranchprotectionruleinput
+mutation CreateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ updateBranchProtectionRule(
+ input: { pattern: $branchName, repositoryId: $repositoryId }
+ ) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}
diff --git a/update-branch-protection-rule.graphql b/update-branch-protection-rule.graphql
new file mode 100644
index 0000000..32f51d5
--- /dev/null
+++ b/update-branch-protection-rule.graphql
@@ -0,0 +1,16 @@
+# https://docs.github.com/en/graphql/reference/input-objects#updatebranchprotectionruleinput
+# https://docs.github.com/en/graphql/reference/objects#branchprotectionrule
+mutation UpdateBranchProtectionRule($branchName: String!, $repositoryId: ID!) {
+ branchProtectionRule(
+ input: {
+ pattern: $branchName
+ repositoryId: $repositoryId
+ requiresApprovingReviews: true
+ }
+ ) {
+ branchProtectionRule {
+ id
+ databaseId
+ }
+ }
+}
diff --git a/update-branch-protection.json b/update-branch-protection.json
new file mode 100644
index 0000000..eeef21a
--- /dev/null
+++ b/update-branch-protection.json
@@ -0,0 +1,30 @@
+{
+ "required_status_checks": {
+ "strict": true,
+ "contexts": ["continuous-integration/travis-ci"]
+ },
+ "enforce_admins": true,
+ "required_pull_request_reviews": {
+ "dismissal_restrictions": {
+ "users": ["octocat"]
+ },
+ "dismiss_stale_reviews": true,
+ "require_code_owner_reviews": true,
+ "required_approving_review_count": 2,
+ "require_last_push_approval": true,
+ "bypass_pull_request_allowances": {
+ "users": ["octocat"]
+ }
+ },
+ "restrictions": {
+ "users": ["octocat"],
+ "apps": ["super-ci"]
+ },
+ "required_linear_history": true,
+ "allow_force_pushes": true,
+ "allow_deletions": true,
+ "block_creations": true,
+ "required_conversation_resolution": true,
+ "lock_branch": true,
+ "allow_fork_syncing": true
+}
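Review bot: create-branch-protection-rule.graphql names the operation `CreateBranchProtectionRule` but invokes `updateBranchProtectionRule`, whose input in GitHub's schema identifies an existing rule by `branchProtectionRuleId` rather than taking `repositoryId`, so this call is expected to be rejected on exactly the path where the branch has no rule yet. Change the field to `createBranchProtectionRule(`, which matches the linked `createbranchprotectionruleinput` reference and the README example. The input carries only `pattern` and `repositoryId`, so even the corrected mutation would create a rule that requires no reviews or status checks; add the requirements you intend, e.g. `requiresApprovingReviews: true, requiredApprovingReviewCount: 1, allowsForcePushes: false, allowsDeletions: false`.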
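Review bot: In update-branch-protection-rule.graphql the mutation selects `branchProtectionRule(input: …)`, which is the object type from the second linked page and not a mutation field, so the document should fail validation. The mutation field is `updateBranchProtectionRule`, and its input identifies the rule by `branchProtectionRuleId`, so the `$repositoryId` variable does not fit here. The file is only referenced from the commented-out lines in action.yml; either correct it, e.g. `updateBranchProtectionRule(input: { branchProtectionRuleId: $ruleId, requiresApprovingReviews: true })`, or leave it out of the commit until it is used.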