Skip to content

Commit 56901ce

Browse files
committed
feat: add Code Owners and Path-Based Review section to repository governance documentation
1 parent 2ef2a0a commit 56901ce

1 file changed

Lines changed: 77 additions & 0 deletions

File tree

docs/07-repository-governance.md

Lines changed: 77 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ render_with_liquid: false
2323
- [Repository Ruleset Deep Dive](#repository-ruleset-deep-dive)
2424
- [Tag Protection Rules](#tag-protection-rules)
2525
- [Push Rulesets and File Path Restrictions](#push-rulesets-and-file-path-restrictions)
26+
- [Code Owners and Path-Based Review](#code-owners-and-path-based-review)
2627
- [Merge Strategies and Settings](#merge-strategies-and-settings)
2728
- [Repository Lifecycle Management](#repository-lifecycle-management)
2829
- [Innersource Patterns with Internal Repositories](#innersource-patterns-with-internal-repositories)
@@ -773,6 +774,82 @@ Push rulesets extend governance to file-level granularity, enabling controls bas
773774
- CI checks that duplicate restrictions
774775
- Helpful error messages with solutions
775776

777+
## Code Owners and Path-Based Review
778+
779+
A `CODEOWNERS` file automatically requests review from designated owners whenever a pull request changes files matching a path pattern. It is GitHub's equivalent of Azure DevOps' "automatically include code reviewers" branch policy, scoped per directory or file type. On its own the file only *suggests* reviewers; combine it with a ruleset or branch protection rule to *require* their approval before merge.
780+
781+
### File Location and Lookup Order
782+
783+
Name the file `CODEOWNERS` (no extension) and place it in one of three locations. GitHub searches in this order and uses the **first** file it finds, ignoring the others:
784+
785+
| Order | Location | Notes |
786+
|-------|-----------------------|----------------------------------------|
787+
| 1 | `.github/CODEOWNERS` | Most common; keeps governance metadata together |
788+
| 2 | `/CODEOWNERS` | Repository root |
789+
| 3 | `docs/CODEOWNERS` | Useful for documentation-centric repos |
790+
791+
The file is evaluated per branch: the version on a branch governs pull requests that target that branch. Maintain it on the default branch and let rulesets enforce it across protected branches.
792+
793+
### Syntax and Pattern Precedence
794+
795+
Patterns use gitignore-style matching mapped to one or more owners (individual users, `@org/team` teams, or email addresses). **Within the file, the last matching pattern wins** — the opposite of first-match — so order rules from general to specific.
796+
797+
```text
798+
# Default owners for everything in the repo (fallback)
799+
* @githubabcs/platform-admins
800+
801+
# Per-folder owners
802+
/docs/ @githubabcs/tech-writers
803+
/src/api/ @alice @githubabcs/api-team
804+
/infra/ @githubabcs/devops
805+
806+
# Per file-type owners
807+
*.tf @githubabcs/devops
808+
*.md @githubabcs/tech-writers
809+
810+
# Make CODEOWNERS own itself so only admins can change ownership (list last)
811+
/.github/CODEOWNERS @githubabcs/platform-admins
812+
/CODEOWNERS @githubabcs/platform-admins
813+
```
814+
815+
Prefer `@org/team` references over individuals so reviewer changes happen through team membership rather than file edits. Every listed owner must have at least write access to the repository, or the entry is ignored.
816+
817+
### Enforcing Code Owner Review
818+
819+
The file becomes a gate only when a protection rule requires it:
820+
821+
- **Repository ruleset (recommended):** Settings → Rules → Rulesets → branch ruleset → enable **Require a pull request before merging**, then check **Require review from Code Owners**.
822+
- **Classic branch protection:** Settings → Branches → protect the branch → check **Require review from Code Owners**.
823+
824+
Once enabled, any pull request touching an owned path needs approval from a matching owner before it can merge. Required Code Owner review needs a plan that supports protected branches (private repositories require GitHub Team or Enterprise; public repositories include it).
825+
826+
### Preventing Contributors from Changing Ownership
827+
828+
To stop other repository contributors from quietly editing ownership, layer these controls:
829+
830+
1. **Make CODEOWNERS own itself** — add the `/.github/CODEOWNERS` and `/CODEOWNERS` entries shown above so changes to the file require admin approval.
831+
2. **Require Code Owner review** so even a pull request editing CODEOWNERS is gated by the current owners.
832+
3. **Restrict bypass** — keep the ruleset bypass list limited to a small admin team; a broad bypass list defeats the gate.
833+
4. **Block force pushes and deletions** on the protected branch to prevent history rewrites that sidestep review.
834+
835+
Contributors can still propose ownership changes through a pull request, but they cannot self-approve or merge them.
836+
837+
### Organization-Level Considerations
838+
839+
GitHub does not provide a single organization-wide `CODEOWNERS` file:
840+
841+
- The organization `.github` **default repository** supplies default community health files (for example `CODE_OF_CONDUCT.md`), but **CODEOWNERS is not inherited** from it — each repository needs its own file.
842+
- You can centralize **enforcement** with **organization (or enterprise) rulesets**: target many repositories with name patterns and require Code Owner review everywhere at once. The per-repository `CODEOWNERS` file still defines *who owns what*.
843+
- To scale ownership consistently, seed a baseline `.github/CODEOWNERS` through a template repository or repository-bootstrap workflow, and reference teams rather than individuals.
844+
845+
| Goal | Mechanism |
846+
|-------------------------------------|-----------------------------------------------------------------|
847+
| Auto-request reviewers per folder | `CODEOWNERS` path patterns |
848+
| Require their approval | Ruleset or branch protection → Require review from Code Owners |
849+
| Protect CODEOWNERS itself | CODEOWNERS owns itself plus a restricted bypass list |
850+
| Apply enforcement across many repos | Organization or enterprise rulesets (file remains per-repo) |
851+
| Single org-wide CODEOWNERS file | Not supported — use template repos or automation |
852+
776853
## Merge Strategies and Settings
777854

778855
Merge strategies determine how pull requests integrate into target branches, affecting git history, bisectability, and workflow patterns.

0 commit comments

Comments
 (0)