What is a CODEOWNERS file, and how does it enforce review ownership?

CI/CD & GitOps · Intermediate level

Answer

A CODEOWNERS file maps repository paths to responsible reviewers. When branch protection requires code owner review, changes to owned paths cannot merge until an owner approves, which enforces domain ownership for platform, security, infrastructure, or critical service files.

Technical explanation

Branch protection is effective only when admins cannot bypass it casually and required checks are stable.

CODEOWNERS review works best with clear ownership boundaries and small, maintainable path patterns.

GitHub delivery controls combine repository settings, branch protection, required status checks, environments, CODEOWNERS, and workflow permissions.

Use least-privilege permissions for the GITHUB_TOKEN and prefer OIDC federation over long-lived cloud access keys.

Separate trusted and untrusted workflow contexts, especially pull_request from forks, and avoid exposing secrets to unreviewed code.

Make merge policy explicit: linear history, squash, merge commits, signed commits, or code-owner approvals should match audit and release requirements.

Hands-on example

1. Implement CODEOWNERS-based review enforcement in a GitHub repository that contains a simple service and .github/workflows/ci.yml.

2. Create a workflow with on: [pull_request], jobs: build, test, scan; set permissions: contents: read by default and grant write only to jobs that truly need it.

3. Add CODEOWNERS entries such as /terraform/ @platform-team and /.github/workflows/ @devops-team, then enable required code-owner review in branch protection.

4. Use environments for staging/prod with required reviewers and environment secrets; prefer OIDC cloud login over storing AWS/Azure/GCP access keys.

5. Validate by opening a PR that fails one required check and confirm GitHub blocks merge until the check passes and required reviewers approve.
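
The ownership rules from step 3, as an added example that is not part of the original page: a Python sketch that resolves which owners must approve each changed path, using the rule that the last matching CODEOWNERS pattern takes precedence. The matcher covers only a simplified subset of the pattern syntax, and `@service-team`, the sample file and the function names are assumptions made for illustration.

```python
from fnmatch import fnmatch

# Constructed sample. The two team entries come from step 3; "@service-team" is hypothetical.
SAMPLE_CODEOWNERS = """\
# default owner for anything not matched below
*                    @service-team
/terraform/          @platform-team
/.github/workflows/  @devops-team
"""

def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules

def matches(pattern, path):
    """Simplified subset of CODEOWNERS matching (an assumption, not GitHub's full matcher)."""
    if pattern == "*":
        return True
    anchored = pattern.startswith("/")
    pat = pattern.lstrip("/")
    if pat.endswith("/"):  # directory pattern: owns everything beneath it
        return path.startswith(pat) if anchored else ("/" + pat) in ("/" + path)
    if anchored or "/" in pat:
        return fnmatch(path, pat)
    return fnmatch(path.rsplit("/", 1)[-1], pat)  # bare glob such as *.tf: match the file name

def owners_for(rules, path):
    """Last matching rule wins; an empty list means nobody owns the path."""
    owners = []
    for pattern, rule_owners in rules:
        if matches(pattern, path):
            owners = rule_owners
    return owners

def required_reviews(rules, changed_paths):
    """Map each changed path in a PR to the owners whose approval it needs."""
    return {path: owners_for(rules, path) for path in changed_paths}

if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    changed = ["terraform/main.tf", ".github/workflows/ci.yml", "src/app.py"]
    for path, owners in required_reviews(rules, changed).items():
        print(f"{path:28} -> {' '.join(owners) or 'UNOWNED'}")
```

Because the last match wins, moving the `*` line to the bottom of the file would hand every path, including `/terraform/` and the workflows directory, to the default owner. Running a check like this in CI against the changed paths of a PR surfaces that kind of ordering mistake before it weakens review enforcement.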
