Skip to content

chore: finalize CODEOWNERS standard as Required + add enforcement#193

Merged
don-petry merged 10 commits into
mainfrom
chore/codeowners-standard-enforcement
May 6, 2026
Merged

chore: finalize CODEOWNERS standard as Required + add enforcement#193
don-petry merged 10 commits into
mainfrom
chore/codeowners-standard-enforcement

Conversation

@don-petry

@don-petry don-petry commented May 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Promotes the team-based CODEOWNERS standard from Active to Required after the end-to-end validation completed on 2026-05-04 (TalkTerm#159 — donpetry-bot approval flipped reviewDecision from REVIEW_REQUIRED to APPROVED via @petry-projects/org-leads).

Changes

  • standards/codeowners-standard.md — mark Required; document forbidden legacy patterns; add machine-user PAT setup section (resource owner MUST be the org); record migration history and verification result.
  • standards/github-settings.md — replace inline CODEOWNERS bot rules with a pointer to codeowners-standard.md; update bot accounts table (add donpetry-bot, mark petry-projects-pr-review-agent deprecated).
  • standards/dependabot-policy.md — replace stale references to direct bot listings with @petry-projects/org-leads.
  • scripts/compliance-audit.shcheck_codeowners now enforces the standard:
    • Required: @petry-projects/org-leads on every owner line
    • Forbidden: legacy direct listings (@petry-projects-pr-review-agent, @dependabot-automerge-petry, @don-petry) trigger an error finding

Enforcement

The weekly compliance-audit-and-improvement workflow runs check_codeowners against every org repo. Drift from the standard now produces compliance-audit issues with error severity, picked up by the agent-driven remediation flow.

Closes

Closes the CODEOWNERS gap from pr-review-agent#27.

Test plan

  • CI lint passes
  • After merge: trigger compliance-audit-and-improvement workflow with dry_run=true against the migrated repos and confirm zero CODEOWNERS findings
  • Optionally introduce a temporary regression in a test branch and confirm the audit detects it

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation

    • Upgraded CODEOWNERS to a required, team-first standard: every owner line must list @petry-projects/org-leads first; individual user owners and GitHub Apps are forbidden.
    • Updated Dependabot policy and GitHub settings guidance to align with the new team-based approval workflow.
    • Added migration history, verified validation procedure, and automation-account setup steps.
  • Chores

    • Compliance audit tightened to error on missing/invalid owner lines and warn when no catch-all pattern is present.

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 4, 2026 23:51
@don-petry don-petry requested a review from a team as a code owner May 4, 2026 23:51
@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 52 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6159014e-bdf1-4f36-b5a3-a561879bf63e

📥 Commits

Reviewing files that changed from the base of the PR and between d9373b9 and b94692e.

📒 Files selected for processing (2)
  • scripts/compliance-audit.sh
  • standards/github-settings.md
📝 Walkthrough

Walkthrough

The PR converts CODEOWNERS enforcement to a team-first model: every owner line must list @petry-projects/org-leads as the first owner, individual user/bot owners are forbidden, and the compliance script enforces these rules; documentation and dependabot/github-settings policies are updated accordingly.

Changes

CODEOWNERS Team-Based Governance Migration

Layer / File(s) Summary
Policy Definition
standards/codeowners-standard.md
Standard changed to Required; mandates @petry-projects/org-leads as first owner on every owner line, forbids individual/bot user listings, restricts default * to only @petry-projects/org-leads, adds "Required Setup for New Bots" and migration history.
Enforcement Implementation
scripts/compliance-audit.sh
check_codeowners() now: errors if CODEOWNERS has no non-comment owner lines (codeowners-empty); enforces @petry-projects/org-leads as the first owner (codeowners-org-leads-not-first); forbids individual user owners (codeowners-individual-users); warns if no * catch-all (codeowners-no-catchall); removed prior missing-bot checks.
Supporting Policy Integration
standards/dependabot-policy.md, standards/github-settings.md
Dependabot policy updated to rely on @petry-projects/org-leads approvals via CODEOWNERS; github-settings replaced bot-account guidance with the new CODEOWNERS standard, updated installed-apps list and clarified GitHub Apps cannot be code owners.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • petry-projects/.github#180: Conflicting approach — that PR required bot accounts as CODEOWNERS while this PR replaces bot-based owners with the @petry-projects/org-leads team.
  • petry-projects/.github#15: Related — touches scripts/compliance-audit.sh; CI/ShellCheck work in that PR applies to the modified script here.
  • petry-projects/.github#10: Related — modifies org GitHub settings/CODEOWNERS guidance that overlaps with the updated standards/github-settings.md.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: promoting CODEOWNERS standard from Active to Required and adding enforcement via the compliance audit script.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/codeowners-standard-enforcement

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
standards/github-settings.md (1)

230-238: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Separate machine users from GitHub Apps in this section.

donpetry-bot is a machine user, not a GitHub App, but it is listed under “Installed GitHub Apps”. Split this into separate tables (Apps vs machine users) to avoid governance/audit confusion.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@standards/github-settings.md` around lines 230 - 238, The "Installed GitHub
Apps (org-wide, all repos)" section incorrectly mixes GitHub Apps and a machine
user; split this into two separate tables and headings — one titled e.g.
"Installed GitHub Apps" listing entries like Claude, dependabot-automerge-petry,
petry-projects-pr-review-agent, SonarQube Cloud (SonarCloud), and another titled
e.g. "Machine users" listing donpetry-bot (and any other machine accounts);
update the explanatory note for petry-projects-pr-review-agent to keep its
deprecation explanation and move the CODEOWNERS note about donpetry-bot into the
machine users table to avoid governance/audit confusion.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 438-445: The check currently only ensures owner lines contain the
`@petry-projects/org-leads` team but doesn't verify the exact default rule; update
the logic around owner_lines/lines_missing_team (the check_codeowners flow) to
also assert there is a literal default rule line matching "*
`@petry-projects/org-leads`" (allowing optional trailing whitespace) and
fail/add_finding if that exact rule is missing or different; locate the block
that computes owner_lines and lines_missing_team and add a second validation
that greps for an exact default rule (or tests equality) and reports
"codeowners-missing-default" (or reuse the existing "codeowners-missing-team")
via add_finding when not present.

In `@standards/codeowners-standard.md`:
- Around line 10-12: Update the ambiguous policy language in the CODEOWNERS
standard to explicitly separate the rules for the default "*" entry versus
path-specific entries: state that the default "*" pattern MUST reference only
the `@petry-projects/org-leads` team and no individual accounts, and clarify that
path-specific CODEOWNERS entries MAY include individual users or bots in
addition to the `@petry-projects/org-leads` team (or MUST include the team if that
is intended); replace the current blanket ban wording in the section referencing
CODEOWNERS files and the default pattern and add a short sentence in the
path-specific entries section making the allowed usage of individual owners
explicit.

---

Outside diff comments:
In `@standards/github-settings.md`:
- Around line 230-238: The "Installed GitHub Apps (org-wide, all repos)" section
incorrectly mixes GitHub Apps and a machine user; split this into two separate
tables and headings — one titled e.g. "Installed GitHub Apps" listing entries
like Claude, dependabot-automerge-petry, petry-projects-pr-review-agent,
SonarQube Cloud (SonarCloud), and another titled e.g. "Machine users" listing
donpetry-bot (and any other machine accounts); update the explanatory note for
petry-projects-pr-review-agent to keep its deprecation explanation and move the
CODEOWNERS note about donpetry-bot into the machine users table to avoid
governance/audit confusion.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 289e7539-10e3-45fe-a401-822d8f3ccb8c

📥 Commits

Reviewing files that changed from the base of the PR and between 6bce134 and 9736963.

📒 Files selected for processing (4)
  • scripts/compliance-audit.sh
  • standards/codeowners-standard.md
  • standards/dependabot-policy.md
  • standards/github-settings.md

Comment thread scripts/compliance-audit.sh Outdated
Comment thread standards/codeowners-standard.md Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Promotes the org’s CODEOWNERS policy from guidance to a required standard and updates the compliance audit plus related standards docs to use @petry-projects/org-leads as the canonical ownership model.

Changes:

  • Marks standards/codeowners-standard.md as Required and documents the team-based CODEOWNERS model plus migration/verification details.
  • Updates standards/github-settings.md and standards/dependabot-policy.md to reference the new CODEOWNERS standard and team-based approvals.
  • Changes scripts/compliance-audit.sh so check_codeowners enforces presence of @petry-projects/org-leads and flags legacy direct listings.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
standards/github-settings.md Replaces inline CODEOWNERS guidance with a summary and pointer to the dedicated standard; updates bot account table.
standards/dependabot-policy.md Updates Dependabot approval documentation to reference team-based CODEOWNERS ownership.
standards/codeowners-standard.md Finalizes the required CODEOWNERS policy, setup guidance, and migration history.
scripts/compliance-audit.sh Updates the compliance audit CODEOWNERS check to enforce the new standard.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/compliance-audit.sh Outdated
Comment thread scripts/compliance-audit.sh Outdated
Comment thread standards/codeowners-standard.md Outdated
Comment thread scripts/compliance-audit.sh Outdated
don-petry and others added 2 commits May 4, 2026 19:00
…viduals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)
coderabbitai[bot]
coderabbitai Bot previously approved these changes May 5, 2026
A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@don-petry

Copy link
Copy Markdown
Contributor Author

Updates since last review

d9373b9 — added codeowners-no-catchall warning to check_codeowners().

A CODEOWNERS file that uses only path-specific rules (no * ... default) leaves unmatched files owner-less; require_code_owner_review won't apply to those files. The new check detects this and emits a warning-level finding pointing to codeowners-standard.md.


Thread status: all CodeRabbit and Copilot review threads are now addressed — see replies in the individual threads above. The previous rewrite (087d0be) resolved the \s/grep concerns, the first-owner logic, and the doc contradiction; this commit closes the remaining gap.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-audit.sh`:
- Around line 462-466: The pipeline that builds individual_owners from
owner_lines can abort the script under set -euo pipefail when no @ tokens are
found; update the pipeline that assigns individual_owners (the block using
owner_lines | tr ... | grep -E '^@' ... | sort -u) to append "|| true" after the
subshell/command substitution so the assignment yields an empty string instead
of causing the script to exit, allowing the later checks that handle empty
individual_owners to run.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8921068f-b3b8-401e-b259-881d47d919c7

📥 Commits

Reviewing files that changed from the base of the PR and between 9736963 and d9373b9.

📒 Files selected for processing (3)
  • scripts/compliance-audit.sh
  • standards/codeowners-standard.md
  • standards/dependabot-policy.md

Comment thread scripts/compliance-audit.sh Outdated
Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@don-petry don-petry enabled auto-merge (squash) May 5, 2026 02:49

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 1d63387
Review mode: triage-approved (single reviewer)

Summary

Promotes the CODEOWNERS standard from Active to Required, replacing legacy individual/bot owner listings with team-based ownership via @petry-projects/org-leads. The compliance audit script enforces the new rules. All prior review findings have been resolved and CI is green.

Linked issue analysis

PR references pr-review-agent#27 (cross-repo). The CODEOWNERS gap described in that issue — GitHub Apps cannot be code owners — is directly addressed by the team-based standard with machine-user accounts.

Findings

No blocking findings.

The changes are well-structured documentation updates and a read-only audit script. Specific observations:

  • Script logic is correct: awk '{print $2}' for first-owner extraction avoids the \s/grep -E bug identified in the initial review. The individual-user check (grep -vE '^@[^/]+/') correctly identifies non-team owners. || true guards prevent pipefail exits.
  • Catch-all advisory is appropriate: Missing * pattern emits a warning, not an error — path-specific-only CODEOWNERS files are valid but risky, so a warning is the right severity.
  • Documentation consistency: codeowners-standard.md, dependabot-policy.md, and github-settings.md all consistently reference the team-based model with no contradictions.
  • All prior review threads resolved: CodeRabbit's \s regex concern, Copilot's contradiction finding, and the exactness-of-default-rule discussion were all addressed in commits 087d0be and d9373b9. CodeRabbit gave final APPROVED status.

CI status

Check Status
ShellCheck ✅ Pass
CodeQL ✅ Pass
SonarCloud ✅ Pass (0 issues)
Agent Security Scan ✅ Pass
AgentShield ✅ Pass
Lint ✅ Pass

Reviewed automatically by the don-petry PR-review agent (single-reviewer mode: opus 4.6). Reply with @don-petry if you need a human.

github-actions Bot and others added 3 commits May 6, 2026 00:28
Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented May 6, 2026

Copy link
Copy Markdown

@don-petry don-petry disabled auto-merge May 6, 2026 01:24
@don-petry don-petry merged commit bc338c0 into main May 6, 2026
20 checks passed
@don-petry don-petry deleted the chore/codeowners-standard-enforcement branch May 6, 2026 01:25
don-petry added a commit that referenced this pull request Jun 8, 2026
* chore: finalize CODEOWNERS standard and add enforcement

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refine: org-leads must be FIRST owner; allow other teams; forbid individuals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)

* fix(audit): warn when CODEOWNERS lacks a catch-all * pattern

A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(audit): guard individual-owner pipeline against pipefail exit

Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: trigger CI on auto-rebase commit

Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 10, 2026
* chore: finalize CODEOWNERS standard and add enforcement

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refine: org-leads must be FIRST owner; allow other teams; forbid individuals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)

* fix(audit): warn when CODEOWNERS lacks a catch-all * pattern

A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(audit): guard individual-owner pipeline against pipefail exit

Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: trigger CI on auto-rebase commit

Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
* chore: finalize CODEOWNERS standard and add enforcement

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refine: org-leads must be FIRST owner; allow other teams; forbid individuals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)

* fix(audit): warn when CODEOWNERS lacks a catch-all * pattern

A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(audit): guard individual-owner pipeline against pipefail exit

Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: trigger CI on auto-rebase commit

Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
* chore: finalize CODEOWNERS standard and add enforcement

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refine: org-leads must be FIRST owner; allow other teams; forbid individuals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)

* fix(audit): warn when CODEOWNERS lacks a catch-all * pattern

A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(audit): guard individual-owner pipeline against pipefail exit

Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: trigger CI on auto-rebase commit

Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
don-petry added a commit that referenced this pull request Jun 11, 2026
* chore: finalize CODEOWNERS standard and add enforcement

Promote the team-based CODEOWNERS standard from "active" to "required"
after end-to-end validation on TalkTerm#159 (donpetry-bot approval flipped
reviewDecision to APPROVED via @petry-projects/org-leads).

Changes:

- standards/codeowners-standard.md: mark Required, document forbidden
  legacy patterns, add machine-user PAT setup notes (resource owner must
  be the org), record migration history and verification.
- standards/github-settings.md: replace inline CODEOWNERS bot rules with
  a pointer to codeowners-standard.md; update bot accounts table to add
  donpetry-bot and mark petry-projects-pr-review-agent deprecated.
- standards/dependabot-policy.md: replace stale references to bot account
  listings with the @petry-projects/org-leads team.
- scripts/compliance-audit.sh: enforce the standard. check_codeowners
  now requires @petry-projects/org-leads on every owner line and flags
  legacy direct listings (@petry-projects-pr-review-agent,
  @dependabot-automerge-petry, @don-petry) as errors.

Closes the CODEOWNERS gap from pr-review-agent#27.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refine: org-leads must be FIRST owner; allow other teams; forbid individuals

- Rule 1: @petry-projects/org-leads MUST be the FIRST owner on every line
  (so it always satisfies require_code_owner_review)
- Rule 2: additional teams (@petry-projects/<slug>) allowed for finer-grained
  ownership
- Rule 3: individual users (@username without /) are forbidden — manage
  membership via teams

Updates compliance-audit.sh to enforce all three rules:
- codeowners-org-leads-not-first: first owner is not @petry-projects/org-leads
- codeowners-individual-users: any owner token without / (not a team)

* fix(audit): warn when CODEOWNERS lacks a catch-all * pattern

A CODEOWNERS file with only path-specific rules leaves unmatched files
owner-less — require_code_owner_review won't apply to them. Add a
warning-level finding (codeowners-no-catchall) when no `*` default rule
is present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(audit): guard individual-owner pipeline against pipefail exit

Under set -euo pipefail, grep -E '^@' exits with code 1 when no @
tokens are found (e.g. owner-less pattern lines). The pipeline failure
propagated through the command substitution and aborted the audit.
Add || true so an empty result is assigned instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* ci: trigger CI on auto-rebase commit

Auto-rebase uses github.token which suppresses pull_request:synchronize
workflow triggers. Push an empty commit via PAT to run CI checks on the
current branch HEAD.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants