Skip to content

chore: exempt go.mod/go.sum from CODEOWNERS review#2790

Draft
ralphbean wants to merge 3 commits into
mainfrom
add-review-bot-codeowners
Draft

chore: exempt go.mod/go.sum from CODEOWNERS review#2790
ralphbean wants to merge 3 commits into
mainfrom
add-review-bot-codeowners

Conversation

@ralphbean

@ralphbean ralphbean commented Jun 30, 2026

Copy link
Copy Markdown
Member

Summary

  • Adds blank-owner CODEOWNERS entries for go.mod and go.sum, exempting them from code owner review
  • This lets any reviewer — including fullsend-ai-review[bot] — approve dependency update PRs without needing a @fullsend-ai/core member
  • Uses the blank-owner pattern recommended by GitHub

Context

GitHub App bots can't be added as CODEOWNERS (they're not "users" in GitHub's model). The blank-owner pattern is the supported workaround.

Required status checks (test, e2e, commit-lint) and the merge queue still gate all merges, so dependency changes are still validated by CI.

Also fixed (out of band)

@fullsend-ai/core was flagged as an "Unknown owner" because the team didn't have write access to this repo. That's been fixed — CODEOWNERS is now actually enforced for the first time.

🤖 Generated with Claude Code

Allow the review bot to satisfy CODEOWNERS approval for dependency
files so it can approve dependency update PRs autonomously.

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add review bot as CODEOWNER for go.mod/go.sum

⚙️ Configuration changes ✨ Enhancement 🕐 Less than 5 minutes

Grey Divider

AI Description

• Add the review bot as a CODEOWNER for go.mod and go.sum.
• Enable bot approval to satisfy CODEOWNERS for dependency update PRs.
• Make CODEOWNERS enforcement behavior for bot accounts observable via GitHub errors API.
Diagram

graph TD
  PR["Dependency update PR"] --> GH(["GitHub PR checks"]) --> CO["CODEOWNERS"] --> CHECK{"CODEOWNER approval?"}
  CHECK --> TEAM["@fullsend-ai/core"]
  CHECK --> BOT["fullsend-ai-review[bot]"]

  subgraph Legend
    direction LR
    _svc(["Service"]) ~~~ _file["File"] ~~~ _dec{"Decision"}
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Use a ruleset/branch protection bypass actor for dependency PRs
  • ➕ Avoids relying on whether bot identities are valid CODEOWNERS entries
  • ➕ More explicit and auditable exception mechanism for automation actors
  • ➖ May require org/admin-level policy changes and careful scoping to avoid over-broad bypass
2. Create a dedicated machine user (non-bot) as CODEOWNER
  • ➕ Typically supported by CODEOWNERS syntax (user handles)
  • ➕ Keeps CODEOWNERS-based approval semantics intact
  • ➖ Requires credential management and elevated access for a human-like account
  • ➖ More security/process overhead than using a GitHub App bot identity
3. Remove CODEOWNERS requirement for go.mod/go.sum and rely on CI/status checks + auto-merge
  • ➕ Simplifies dependency update flow; approvals become optional for low-risk bumps
  • ➕ Avoids CODEOWNERS limitations around bots
  • ➖ Weakens human ownership guarantees for dependency changes unless compensated elsewhere

Recommendation: Proceed with this PR as a low-cost experiment, then validate with gh api repos/{owner}/{repo}/codeowners/errors after merge. If GitHub rejects bot accounts as CODEOWNERS, prefer a narrowly-scoped ruleset/branch-protection bypass actor (best balance of automation and governance) over introducing a long-lived machine user.

Files changed (1) +4 / -0

Other (1) +4 / -0
CODEOWNERSAdd review bot as CODEOWNER for go.mod/go.sum +4/-0

Add review bot as CODEOWNER for go.mod/go.sum

• Adds 'fullsend-ai-review[bot]' as an additional CODEOWNER for 'go.mod' and 'go.sum' alongside '@fullsend-ai/core'. Includes a clarifying comment explaining that this is intended to allow autonomous approval of dependency update PRs.

CODEOWNERS

Use blank-owner CODEOWNERS entries to exempt dependency files from
code owner review. This allows any reviewer (including bots) to
approve PRs that only touch these files.

See: https://github.com/orgs/community/discussions/23064

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

Site preview

Preview: https://df23ad30-site.fullsend-ai.workers.dev

Commit: 2c73202c818738a3839187ae60d1bd4df5d40b28

@qodo-code-review

qodo-code-review Bot commented Jun 30, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📜 Skill insights (0)

Context used
✅ Compliance rules (platform): 51 rules

Grey Divider


Remediation recommended

1. CODEOWNERS pattern too broad ✓ Resolved 🐞 Bug ≡ Correctness
Description
The CODEOWNERS patterns go.mod and go.sum match any file with those names anywhere in the
repository, not just the root module files. This unintentionally makes @fullsend-ai-review[bot] a
valid code owner for nested modules (e.g., cmd/mint and internal modules) as well.
Code

CODEOWNERS[R5-6]

+go.mod @fullsend-ai/core @fullsend-ai-review[bot]
+go.sum @fullsend-ai/core @fullsend-ai-review[bot]
Relevance

⭐⭐⭐ High

Team previously accepted anchoring path patterns to avoid unintended nested matches (PR #2398);
CODEOWNERS precision likely expected.

PR-#2398
PR-#90

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The added CODEOWNERS patterns are filename-only (no leading /), and the repo contains additional
go.mod files in subdirectories, meaning those nested module files will also match the new rules.

CODEOWNERS[4-6]
cmd/mint/go.mod[1-3]
internal/mint/go.mod[1-4]
internal/mintcore/go.mod[1-3]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`CODEOWNERS` uses unanchored patterns (`go.mod`, `go.sum`) which apply repo-wide to any matching filename, not only the root module files.

## Issue Context
This repo contains multiple nested Go modules (e.g. `cmd/mint`, `internal/mint`, `internal/mintcore`). The current patterns will apply to all of them.

## Fix Focus Areas
- CODEOWNERS[5-6]

### Suggested change
- If the intent is **only** the root module, change to:
 - `/go.mod @fullsend-ai/core @fullsend-ai-review[bot]`
 - `/go.sum @fullsend-ai/core @fullsend-ai-review[bot]`
- If the intent is to cover **all modules**, list them explicitly (e.g. `cmd/mint/go.mod`, `internal/mint/go.mod`, etc.) so scope is clear and future modules don’t get swept in unintentionally.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread CODEOWNERS Outdated
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

Copy link
Copy Markdown

🤖 Review · ⚠️ Cancelled · Started 5:18 PM UTC · Ended 5:22 PM UTC
Commit: 104508d · View workflow run →

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
@ralphbean ralphbean requested a review from a team as a code owner June 30, 2026 17:21
@ralphbean ralphbean changed the title feat: add review bot as CODEOWNER for go.mod/go.sum chore: exempt go.mod/go.sum from CODEOWNERS review Jun 30, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 5:25 PM UTC · Completed 5:31 PM UTC
Commit: 2c73202 · View workflow run →

@ben-alkov

Copy link
Copy Markdown
Member

@ralphbean; Convince me that this is safe (probably won't be too hard - use small words 🤣).

@ralphbean

Copy link
Copy Markdown
Member Author

Nope - putting this in draft.

@ralphbean ralphbean marked this pull request as draft June 30, 2026 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants