With the new Rulesets you can enforce branches with specific patterns. It was a bit confusing to me at first, because I had to think in inverse to make this rule work.
If you are on GitHub Enterprise you can use the metadata restrictions feature of the new Rulesets:
Available rules for rulesets - GitHub Enterprise Cloud Docs
Learn which rules you can add to a ruleset to protect specific branches and tags in a repository.
But if you are on a different plan (free, team), here's a trick that will also do the job.
Create a rule that restricts the creation of any branch **, then selectively excludes prefixes from this restriction:
Include pattern:
**
Exclude pattern:
fix/**/*release/**/*main
Then turn on ✅ Restrict creations.
In case you need specific GitHub apps (such as Dependabot and Renovate or Azure Pipelines) to create arbitrary branch names, you can exclude them from the policy:
