Git, GitHub & GitHub Actions
by Sergey Okinchuk
Branch Protection and RulesetsProjects and Issue Management
Collaborating on GitHub
Topic 38

CODEOWNERS and Required Reviews

Collaboration

A CODEOWNERS file maps file paths to the people or teams responsible for them, so the right reviewers are requested automatically when a pull request touches their area. On its own it only suggests; combined with branch protection, an owner's approval becomes mandatory for changes in their part of the tree.

The whole file is a list of path patterns and owners, evaluated with one rule that trips people up constantly: the last matching line wins. Get the ordering and the team permissions right and ownership routes itself; get either wrong and the rule silently does nothing.

The CODEOWNERS File

The file lives at .github/CODEOWNERS (or the repo root, or docs/). Each line is a gitignore-style path pattern followed by one or more owners, written as @user or @org/team. Patterns are matched against changed paths, and the last line that matches a given path is the one that assigns its owners.

# Default owner for everything not matched below
*                    @org/maintainers

# Frontend code
/src/web/            @org/frontend

# A specific file overrides the directory rule above it
/src/web/auth.ts     @org/security

Auto-Request vs Required

By default, matching owners are added as requested reviewers automatically — helpful, but not blocking. The "Require review from Code Owners" setting in branch protection is what makes their approval mandatory: until an owner of every changed path approves, the merge button stays disabled.

This split is the single most important thing to understand: CODEOWNERS alone never enforces anything. It is the branch-protection toggle that turns a suggestion into a gate.

Teams as Owners

Assigning ownership to a team, @org/team, rather than an individual lets GitHub route the request to the team and, with code-review assignment enabled, load-balance it across available members. When someone goes on vacation or leaves, the team still owns the path and the review is not blocked on one person.

Precedence and Gotchas

Because the last matching rule wins, a broad pattern placed near the bottom of the file overrides every specific rule above it — a single * at the end quietly makes one team own everything. Order rules from general at the top to specific at the bottom so the most specific match applies. Paths that match no rule simply have no owner and no required review.

Validation

GitHub validates the file and shows problems in the repository's CODEOWNERS errors view. An invalid line — a typo in a pattern, or a team without write access — does not raise a loud failure; the rule is just silently dropped, leaving that path unowned. Checking the errors tab after every edit is how you catch a rule that has quietly stopped applying.

Common Mistakes
  • Putting a broad * rule at the bottom of the file — last match wins, so it overrides every specific owner above it and one team ends up owning everything.
  • Naming a team that lacks write access to the repo — the rule is ignored and no review is required for that path.
  • Turning on "Require review from Code Owners" while listing an individual who is on vacation — the PR is blocked with no one able to approve.
  • Leaving a typo in a path pattern — the entry silently fails validation and that path is left with no required owner.
  • Assuming CODEOWNERS enforces anything by itself — without the branch-protection toggle it only suggests reviewers.
Best Practices
  • Order the file from general to specific so the most specific rule wins for each path.
  • Assign ownership to teams (@org/team), not individuals, so vacations and turnover do not block merges.
  • Turn on "Require review from Code Owners" in branch protection to make ownership enforced rather than advisory.
  • Check the repository's CODEOWNERS errors view after every edit to the file.
  • Grant each owning team at least write access so its rules actually take effect.
Comparable toolsGitLab Code Owners with approval rulesBitbucket default reviewers / Code Owners appAzure DevOps automatic reviewers via branch-policy path filters

Knowledge Check

A specific rule for /src/web/auth.ts sits above a * rule at the bottom. Who owns auth.ts?

  • The owner on the * line — the last matching rule wins, so the broad rule overrides the specific one above it
  • The auth.ts owner, because the most specific path match always wins over a broad wildcard
  • Both owners, since every matching rule applies and the approvals of all of them are combined for that path
  • No one, because two conflicting rules for the same path cancel each other out entirely

What does CODEOWNERS do without the "Require review from Code Owners" branch setting?

  • It only auto-requests the owners as reviewers; their approval is not required to merge
  • It blocks the merge on every matching path until a listed owner approves the pull request
  • Nothing at all — the file stays inert until the branch setting is turned on
  • It auto-merges the pull request as soon as any listed owner leaves a comment

Why assign ownership to a team rather than an individual?

  • A team still owns the path when a member is on vacation or leaves, so reviews are not blocked on one person
  • Individuals cannot be listed as owners in a CODEOWNERS file; only teams are permitted there
  • A team owner approves the pull request automatically without any member actually reviewing it
  • Only teams can be granted write access to the repository, so an individual user is never able to own a path

What happens when you name a team that lacks write access to the repo?

  • The rule is ignored, so that path has no required owner and changes can merge unreviewed
  • GitHub grants the named team write access to the repository automatically when the file is saved
  • The PR touching that path is permanently blocked until the team is given write access
  • The rule falls back to the previous matching line so the earlier owner takes over the path

You got correct