CODEOWNERS: Exclude group from directory (git)

Question

My team <team-1> is sharing a github repo with <team-2>. The repo looks something like this (Simplified example):

infrastructure/
       |
       |-- .github/CODEOWNERS 
       |
       |-- directory1/ 
               |
               |-- subdirectory1.1/
               |
               |-- subdirectory1.2/
              |
       |-- directory2/ 
               |
               |-- subdirectory2.1/
               |
               |-- subdirectory2.2/
              |
       |-- directory3/ 
               |
               |-- subdirectory3.1/
               |
               |-- subdirectory3.2/
       

<team-2> is the CODEOWNER of every directory in the repo, and my team <team-1> owns only subdirectory1.1 and subdirectory2.1.

In otherwords the CODEOWNERS file looks something like this:

github/CODEOWNERS

* @mycompany/team2
/infrastructure/directory1/subdirectory1.1 @mycompany/team1
/infrastructure/directory2/subdirectory2.1 @mycompany/team1

---

Given the aforementioned, what I would like to do is exclude team2 from every folder that team1 owns, ideally without removing the wildcard in the codeowners file.

* @mycompany/team2
/infrastructure/directory1/subdirectory1.1 @mycompany/team1 AND EXCLUDE TEAM2
/infrastructure/directory2/subdirectory2.1 @mycompany/team1 AND EXCLUDE TEAM2

What is the best way to do that without rewriting the whole codeowners logic?

Answer 1

According to the documentation, your example should work just fine.

Quote from the example:

# Order is important; the last matching pattern takes the most
# precedence. When someone opens a pull request that only
# modifies JS files, only @js-owner and not the global
# owner(s) will be requested for a review.
*.js    @js-owner

So, in this case, it seems that one of the following is the case:

• Github has fixed the issue, their docs are up to date, and your example now works just as you'd like it to.
• OR: Their docs are incorrect and Github needs to fix either the feature or their docs to accurately describe behavior.

Answer 2

In theory, prefixing a line with ! should work, since

• the syntax for CODEOWNERS should be the same as for .gitignore (see https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax)
• .gitignore allows excluding (i.e. re-including) patterns by prefixing ! (see https://git-scm.com/docs/gitignore#_pattern_format)

In practice, though, I tried this and the CODEOWNERS lines starting with ! are invalid according to mszostok/codeowners-validator checks, so, no luck.

Answer 3

GitHub native option: GitHub Action

You can try and configure the GitHub Action mszostok/codeowners-validator which can validate the GitHub CODEOWNERS file based on specified checks.

For instance:

notowned: Reports if a given repository contain files that do not have specified owners in CODEOWNERS file.

---

Non-GitHUb native options

Gitolite

If by "code owner" you means push/write access to a folder, this is not supported natively by Git, or GitHub: if you can push to part of a repository, you can push to all of the repository.

What you might consider is pushing to an intermediate gateway repository, on a server you control, and where you can set-up an authorization layer, like gitolite

With Gitolite, you can with VREF restrict pushes by the names of dirs and files changed.

In your case:

repo foo
        RW+                             =   @team2
        R                               =   @team1

        RW   VREF/NAME/infrastructure/directory1/subdirectory1.1 @team1
        RW   VREF/NAME/infrastructure/directory1/subdirectory2.1 @team1

Once the push is validated by Gitolite, that same server could in turn push to GitHub.

---

Split repository and git filter-repo

But a more natural way would be to split the repository in two, referencing the team1 content in the main parent teeam2 repository, as a submodule.
Not easy though, considering it would involve history rewriting, and folder reorganization.