psc-1944_add-codeowner-check-action#119

Open
harshil-roo wants to merge 1 commit into master from psc-1944-add-codeowners-check
Conversation

@harshil-roo

JIRA: PSC-1944


Why this PR?

We're adding a CI/CD check to automatically validate your CODEOWNERS file on every commit.


The Problem

Invalid or misconfigured CODEOWNERS files can cause:

  • Missed or incorrect code reviews
  • Security gaps (anyone with write access can approve PRs)
  • Slower workflows (missed team notifications)
  • Audit issues (large or broken codeowner groups)

The Solution

A new CI check will:

  • Warn if your CODEOWNERS file is missing or invalid
  • Check that all listed teams/users exist and have write access

For now, this is a warning only.
We’ll make it blocking soon.


What to Do

  1. Approve this PR, even if you see a warning.
  2. Review your CODEOWNERS file and fix any issues. Confirm this PR is either updating an existing codeowners file or adding a new one.
  3. Make sure your codeowners meet the GitHub Security Standard.

For help, ask in #support-devsecops.
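As an added illustration of the checks the description lists (file parses, every owner exists, every owner can actually approve), here is a small offline CODEOWNERS validator. This is example code, not the PR's workflow nor the reusable workflow in GHAS-enablement-repo; the ROSTER and its permission levels are constructed stand-ins for what a real check would fetch from the GitHub API.

```python
import re

# Constructed roster standing in for a GitHub API lookup of each owner's
# permission on the repository (assumption; real checks query the API).
ROSTER = {
    "@deliveroo/team-trust": "write",
    "@deliveroo/product-sec-eng": "admin",
    "@deliveroo/old-team": "read",  # exists, but cannot approve PRs
}
WRITE_LEVELS = {"write", "maintain", "admin"}
# An owner is a @user, a @org/team, or an e-mail address.
OWNER_RE = re.compile(r"^@[\w.-]+(/[\w.-]+)?$|^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_codeowners(text):
    """Return [(line_number, message), ...] for every problem found.

    An empty list means the file parses and every listed owner exists
    and holds write access, i.e. can actually approve a review.
    """
    problems = []
    rules = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        pattern, *owners = line.split()
        rules += 1
        if not owners:
            problems.append((lineno, f"pattern {pattern!r} has no owners"))
            continue
        for owner in owners:
            if not OWNER_RE.match(owner):
                problems.append((lineno, f"malformed owner {owner!r}"))
            elif owner not in ROSTER:
                problems.append((lineno, f"unknown team/user {owner!r}"))
            elif ROSTER[owner] not in WRITE_LEVELS:
                problems.append((lineno, f"{owner!r} lacks write access"))
    if rules == 0:
        problems.append((0, "no ownership rules found"))
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the file in this PR.
    sample = "* @deliveroo/team-trust\nsrc/ @deliveroo/old-team\n"
    for lineno, msg in validate_codeowners(sample):
        print(f"CODEOWNERS:{lineno}: warning: {msg}")
```

A warning-only CI step would print these and exit 0; making the check blocking is a matter of exiting non-zero when the list is non-empty.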

Copilot AI review requested due to automatic review settings November 27, 2025 11:22
@harshil-roo harshil-roo requested a review from a team as a code owner November 27, 2025 11:22
@harshil-roo harshil-roo self-assigned this Nov 27, 2025

Copilot AI left a comment


Pull request overview

This PR adds automated CI validation for the CODEOWNERS file to catch configuration issues that could lead to missed reviews, security gaps, or audit problems. The check runs on every pull request as a warning-only step initially.

Key Changes:

  • New GitHub Actions workflow that validates CODEOWNERS file integrity and team/user permissions
  • Updated CODEOWNERS file to protect the new validation workflow itself

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: .github/workflows/codeowner-check.yml
Description: Defines the new CI workflow that calls a reusable validation workflow from the GHAS-enablement-repo

File: .github/CODEOWNERS
Description: Adds ownership protection for the new codeowner-check workflow file


@@ -0,0 +1,13 @@
name: CODEOWNERS Validation Call
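Review bot: only the `name:` line of this 13-line hunk is visible here, so the `uses:` reference to the reusable validation workflow in GHAS-enablement-repo (per the file description above) cannot be reviewed from this page; confirm it is pinned to a full commit SHA rather than a branch ref, because a mutable ref lets the remote workflow change what runs in this repository's CI without any review here, which matters more once the check becomes blocking as the description says it will.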

Copilot AI Nov 27, 2025


[nitpick] The workflow name should match the filename for consistency. Consider renaming to 'Codeowner Check' or updating the filename to 'codeowners-validation-call.yml'.

Suggested change
name: CODEOWNERS Validation Call
name: Codeowner Check

* @deliveroo/team-trust
**/codeql*.yml @deliveroo/product-sec-eng # DO NOT MODIFY/REMOVE, AUTOGENERATED by Product Security
**/dependency*.yml @deliveroo/product-sec-eng # DO NOT MODIFY/REMOVE, AUTOGENERATED by Product Security
**/codeowner-check.yml @deliveroo/product-sec-eng # DO NOT MODIFY/REMOVE, AUTOGENERATED by DevSecOps
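Review bot: the `**/codeowner-check.yml @deliveroo/product-sec-eng` entry depends on CODEOWNERS precedence (the last matching pattern wins), so it must stay below the `* @deliveroo/team-trust` catch-all; if the lines were ever reordered, team-trust would become the required reviewer for the check's own workflow file, which is exactly what this entry is meant to prevent. The trailing comment on the new line also attributes it to DevSecOps while the two lines above say Product Security; pick one so the DO NOT MODIFY marker is consistent for whatever tooling regenerates these entries.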

Copilot AI Nov 27, 2025


Corrected spelling of 'codeowner' to 'codeowners' to match GitHub's terminology and the workflow filename.

Suggested change
**/codeowner-check.yml @deliveroo/product-sec-eng # DO NOT MODIFY/REMOVE, AUTOGENERATED by DevSecOps
**/codeowners-check.yml @deliveroo/product-sec-eng # DO NOT MODIFY/REMOVE, AUTOGENERATED by DevSecOps
