-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathCODEOWNERS
More file actions
Validating CODEOWNERS rules...
82 lines (74 loc) · 4.55 KB
/
Copy pathCODEOWNERS
File metadata and controls
82 lines (74 loc) · 4.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# https://docs.github.com/en/repositories/managing-your-repositories-settings-and-customization/customizing-your-repository/about-code-owners
#
# CODEOWNERS for simple-container-com/api.
#
# IMPORTANT — semantics: when multiple users are listed on the same
# pattern, GitHub treats them as ALTERNATIVES, not a conjunction. A PR
# satisfies the CODEOWNERS gate once ANY one listed owner approves.
# To genuinely require approvals from BOTH leads on sensitive paths,
# configure a branch protection rule / Ruleset that sets:
# - "Require review from Code Owners"
# - "Required approving reviews" ≥ 2
# That's a repo-admin UI setting; this file can't express it.
#
# What this file DOES enforce:
# - GitHub auto-requests review from a code owner when a PR touches
# a matching file.
# - If the matching review-count rule is set in the admin UI, a PR
# cannot merge without enough code-owner approvals.
#
# Listing both leads on a pattern widens the review pool — either lead
# can sign off; both don't have to (unless the admin UI rule is set).
#
# Tip: GitHub picks the LAST matching pattern in this file for a given
# file path — ordering matters. Put broad defaults at the top and
# specific high-sensitivity globs at the bottom so they win.
# ---------------------------------------------------------------------
# Default — every file pulls in at least one lead for review.
# ---------------------------------------------------------------------
* @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# CI / supply-chain — sensitive paths. Multi-reviewer gating depends
# on the branch-protection setting described in the header. Touching
# these files changes how every release is built and how secrets
# reach the runner.
# ---------------------------------------------------------------------
/.github/ @Cre-eD @smecsia @universe-ops @Laboratory
/.github/workflows/ @Cre-eD @smecsia @universe-ops @Laboratory
/.github/actions/ @Cre-eD @smecsia @universe-ops @Laboratory
/.github/dependabot.yml @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# Image build context.
# ---------------------------------------------------------------------
/*.Dockerfile @Cre-eD @smecsia @universe-ops @Laboratory
/welder.yaml @Cre-eD @smecsia @universe-ops @Laboratory
/sc.sh @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# Security pipeline source — code that signs, scans, attests, and
# decides what gets blocked. Tamper with this and the whole consumer
# supply chain weakens.
# ---------------------------------------------------------------------
/pkg/security/ @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# Secrets / config plumbing.
# ---------------------------------------------------------------------
/pkg/api/secrets/ @Cre-eD @smecsia @universe-ops @Laboratory
/pkg/cmd/cmd_secrets/ @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# Cloud provisioning — IAM and resource defaults that ship to every
# consumer account.
# ---------------------------------------------------------------------
/pkg/clouds/pulumi/aws/ @Cre-eD @smecsia @universe-ops @Laboratory
/pkg/clouds/pulumi/gcp/ @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# Module graph — dep bumps need security review (see
# `feedback_sc_ci_tools_step` for the CI-quirk caveat).
# ---------------------------------------------------------------------
/go.mod @Cre-eD @smecsia @universe-ops @Laboratory
/go.sum @Cre-eD @smecsia @universe-ops @Laboratory
/tools.go @Cre-eD @smecsia @universe-ops @Laboratory
# ---------------------------------------------------------------------
# This policy + ownership file itself.
# ---------------------------------------------------------------------
/docs/SECURITY.md @Cre-eD @smecsia @universe-ops @Laboratory
/CODEOWNERS @Cre-eD @smecsia @universe-ops @Laboratory