chore: finalize CODEOWNERS standard as Required + add enforcement#193
Conversation
Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Warning Rate limit exceeded
To continue reviewing without waiting, purchase usage credits in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe PR converts CODEOWNERS enforcement to a team-first model: every owner line must list ChangesCODEOWNERS Team-Based Governance Migration
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
standards/github-settings.md (1)
230-238:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winSeparate machine users from GitHub Apps in this section.
donpetry-botis a machine user, not a GitHub App, but it is listed under “Installed GitHub Apps”. Split this into separate tables (Apps vs machine users) to avoid governance/audit confusion.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@standards/github-settings.md` around lines 230 - 238, The "Installed GitHub Apps (org-wide, all repos)" section incorrectly mixes GitHub Apps and a machine user; split this into two separate tables and headings — one titled e.g. "Installed GitHub Apps" listing entries like Claude, dependabot-automerge-petry, petry-projects-pr-review-agent, SonarQube Cloud (SonarCloud), and another titled e.g. "Machine users" listing donpetry-bot (and any other machine accounts); update the explanatory note for petry-projects-pr-review-agent to keep its deprecation explanation and move the CODEOWNERS note about donpetry-bot into the machine users table to avoid governance/audit confusion.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 438-445: The check currently only ensures owner lines contain the
`@petry-projects/org-leads` team but doesn't verify the exact default rule; update
the logic around owner_lines/lines_missing_team (the check_codeowners flow) to
also assert there is a literal default rule line matching "*
`@petry-projects/org-leads`" (allowing optional trailing whitespace) and
fail/add_finding if that exact rule is missing or different; locate the block
that computes owner_lines and lines_missing_team and add a second validation
that greps for an exact default rule (or tests equality) and reports
"codeowners-missing-default" (or reuse the existing "codeowners-missing-team")
via add_finding when not present.
In `@standards/codeowners-standard.md`:
- Around line 10-12: Update the ambiguous policy language in the CODEOWNERS
standard to explicitly separate the rules for the default "*" entry versus
path-specific entries: state that the default "*" pattern MUST reference only
the `@petry-projects/org-leads` team and no individual accounts, and clarify that
path-specific CODEOWNERS entries MAY include individual users or bots in
addition to the `@petry-projects/org-leads` team (or MUST include the team if that
is intended); replace the current blanket ban wording in the section referencing
CODEOWNERS files and the default pattern and add a short sentence in the
path-specific entries section making the allowed usage of individual owners
explicit.
---
Outside diff comments:
In `@standards/github-settings.md`:
- Around line 230-238: The "Installed GitHub Apps (org-wide, all repos)" section
incorrectly mixes GitHub Apps and a machine user; split this into two separate
tables and headings — one titled e.g. "Installed GitHub Apps" listing entries
like Claude, dependabot-automerge-petry, petry-projects-pr-review-agent,
SonarQube Cloud (SonarCloud), and another titled e.g. "Machine users" listing
donpetry-bot (and any other machine accounts); update the explanatory note for
petry-projects-pr-review-agent to keep its deprecation explanation and move the
CODEOWNERS note about donpetry-bot into the machine users table to avoid
governance/audit confusion.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 289e7539-10e3-45fe-a401-822d8f3ccb8c
📒 Files selected for processing (4)
scripts/compliance-audit.shstandards/codeowners-standard.mdstandards/dependabot-policy.mdstandards/github-settings.md
There was a problem hiding this comment.
Pull request overview
Promotes the org’s CODEOWNERS policy from guidance to a required standard and updates the compliance audit plus related standards docs to use @petry-projects/org-leads as the canonical ownership model.
Changes:
- Marks
standards/codeowners-standard.mdas Required and documents the team-based CODEOWNERS model plus migration/verification details. - Updates
standards/github-settings.mdandstandards/dependabot-policy.mdto reference the new CODEOWNERS standard and team-based approvals. - Changes
scripts/compliance-audit.shsocheck_codeownersenforces presence of@petry-projects/org-leadsand flags legacy direct listings.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
standards/github-settings.md |
Replaces inline CODEOWNERS guidance with a summary and pointer to the dedicated standard; updates bot account table. |
standards/dependabot-policy.md |
Updates Dependabot approval documentation to reference team-based CODEOWNERS ownership. |
standards/codeowners-standard.md |
Finalizes the required CODEOWNERS policy, setup guidance, and migration history. |
scripts/compliance-audit.sh |
Updates the compliance audit CODEOWNERS check to enforce the new standard. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…viduals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team)
A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Updates since last reviewd9373b9 — added A CODEOWNERS file that uses only path-specific rules (no Thread status: all CodeRabbit and Copilot review threads are now addressed — see replies in the individual threads above. The previous rewrite (087d0be) resolved the |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 462-466: The pipeline that builds individual_owners from
owner_lines can abort the script under set -euo pipefail when no @ tokens are
found; update the pipeline that assigns individual_owners (the block using
owner_lines | tr ... | grep -E '^@' ... | sort -u) to append "|| true" after the
subshell/command substitution so the assignment yields an empty string instead
of causing the script to exit, allowing the later checks that handle empty
individual_owners to run.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8921068f-b3b8-401e-b259-881d47d919c7
📒 Files selected for processing (3)
scripts/compliance-audit.shstandards/codeowners-standard.mdstandards/dependabot-policy.md
Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 1d63387
Review mode: triage-approved (single reviewer)
Summary
Promotes the CODEOWNERS standard from Active to Required, replacing legacy individual/bot owner listings with team-based ownership via @petry-projects/org-leads. The compliance audit script enforces the new rules. All prior review findings have been resolved and CI is green.
Linked issue analysis
PR references pr-review-agent#27 (cross-repo). The CODEOWNERS gap described in that issue — GitHub Apps cannot be code owners — is directly addressed by the team-based standard with machine-user accounts.
Findings
No blocking findings.
The changes are well-structured documentation updates and a read-only audit script. Specific observations:
- Script logic is correct:
awk '{print $2}'for first-owner extraction avoids the\s/grep -Ebug identified in the initial review. The individual-user check (grep -vE '^@[^/]+/') correctly identifies non-team owners.|| trueguards prevent pipefail exits. - Catch-all advisory is appropriate: Missing
*pattern emits awarning, not anerror— path-specific-only CODEOWNERS files are valid but risky, so a warning is the right severity. - Documentation consistency:
codeowners-standard.md,dependabot-policy.md, andgithub-settings.mdall consistently reference the team-based model with no contradictions. - All prior review threads resolved: CodeRabbit's
\sregex concern, Copilot's contradiction finding, and the exactness-of-default-rule discussion were all addressed in commits087d0beandd9373b9. CodeRabbit gave final APPROVED status.
CI status
| Check | Status |
|---|---|
| ShellCheck | ✅ Pass |
| CodeQL | ✅ Pass |
| SonarCloud | ✅ Pass (0 issues) |
| Agent Security Scan | ✅ Pass |
| AgentShield | ✅ Pass |
| Lint | ✅ Pass |
Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.
Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
* chore: finalize CODEOWNERS standard and add enforcement Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * refine: org-leads must be FIRST owner; allow other teams; forbid individuals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team) * fix(audit): warn when CODEOWNERS lacks a catch-all * pattern A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(audit): guard individual-owner pipeline against pipefail exit Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: trigger CI on auto-rebase commit Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: finalize CODEOWNERS standard and add enforcement Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * refine: org-leads must be FIRST owner; allow other teams; forbid individuals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team) * fix(audit): warn when CODEOWNERS lacks a catch-all * pattern A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(audit): guard individual-owner pipeline against pipefail exit Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: trigger CI on auto-rebase commit Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: finalize CODEOWNERS standard and add enforcement Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * refine: org-leads must be FIRST owner; allow other teams; forbid individuals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team) * fix(audit): warn when CODEOWNERS lacks a catch-all * pattern A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(audit): guard individual-owner pipeline against pipefail exit Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: trigger CI on auto-rebase commit Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: finalize CODEOWNERS standard and add enforcement Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * refine: org-leads must be FIRST owner; allow other teams; forbid individuals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team) * fix(audit): warn when CODEOWNERS lacks a catch-all * pattern A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(audit): guard individual-owner pipeline against pipefail exit Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: trigger CI on auto-rebase commit Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: finalize CODEOWNERS standard and add enforcement Promote the team-based CODEOWNERS standard from "active" to "required" after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped reviewDecision to APPROVED via @petry-projects/org-leads). Changes: - standards/codeowners-standard.md: mark Required, document forbidden legacy patterns, add machine-user PAT setup notes (resource owner must be the org), record migration history and verification. - standards/github-settings.md: replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table to add donpetry-bot and mark petry-projects-pr-review-agent deprecated. - standards/dependabot-policy.md: replace stale references to bot account listings with the @petry-projects/org-leads team. - scripts/compliance-audit.sh: enforce the standard. check_codeowners now requires @petry-projects/org-leads on every owner line and flags legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) as errors. Closes the CODEOWNERS gap from pr-review-agent#27. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * refine: org-leads must be FIRST owner; allow other teams; forbid individuals - Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line (so it always satisfies require_code_owner_review) - Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained ownership - Rule 3: individual users (@username without /) are forbidden — manage membership via teams Updates compliance-audit.sh to enforce all three rules: - codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads - codeowners-individual-users: any owner token without / (not a team) * fix(audit): warn when CODEOWNERS lacks a catch-all * pattern A CODEOWNERS file with only path-specific rules leaves unmatched files owner-less — require_code_owner_review won't apply to them. Add a warning-level finding (codeowners-no-catchall) when no `*` default rule is present. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(audit): guard individual-owner pipeline against pipefail exit Under set -euo pipefail, grep -E '^@' exits with code 1 when no @ tokens are found (e.g. owner-less pattern lines). The pipeline failure propagated through the command substitution and aborted the audit. Add || true so an empty result is assigned instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * ci: trigger CI on auto-rebase commit Auto-rebase uses github.token which suppresses pull_request:synchronize workflow triggers. Push an empty commit via PAT to run CI checks on the current branch HEAD. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>



Summary
Promotes the team-based CODEOWNERS standard from Active to Required after the end-to-end validation completed on 2026-05-04 (TalkTerm#159 —
donpetry-botapproval flippedreviewDecisionfromREVIEW_REQUIREDtoAPPROVEDvia@petry-projects/org-leads).Changes
standards/codeowners-standard.md— mark Required; document forbidden legacy patterns; add machine-user PAT setup section (resource owner MUST be the org); record migration history and verification result.standards/github-settings.md— replace inline CODEOWNERS bot rules with a pointer tocodeowners-standard.md; update bot accounts table (adddonpetry-bot, markpetry-projects-pr-review-agentdeprecated).standards/dependabot-policy.md— replace stale references to direct bot listings with@petry-projects/org-leads.scripts/compliance-audit.sh—check_codeownersnow enforces the standard:@petry-projects/org-leadson every owner line@petry-projects-pr-review-agent,@dependabot-automerge-petry,@don-petry) trigger an error findingEnforcement
The weekly
compliance-audit-and-improvementworkflow runscheck_codeownersagainst every org repo. Drift from the standard now producescompliance-auditissues witherrorseverity, picked up by the agent-driven remediation flow.Closes
Closes the CODEOWNERS gap from pr-review-agent#27.
Test plan
compliance-audit-and-improvementworkflow withdry_run=trueagainst the migrated repos and confirm zero CODEOWNERS findings🤖 Generated with Claude Code
Summary by CodeRabbit
Documentation
Chores