{
    "slug": "code_ownership",
    "term": "Code Ownership & CODEOWNERS",
    "category": "quality",
    "difficulty": "beginner",
    "short": "CODEOWNERS defines which team members must review changes to specific files or directories — enforcing expertise-based review and preventing unreviewed changes to critical code.",
    "long": "GitHub/GitLab CODEOWNERS (.github/CODEOWNERS or CODEOWNERS) maps file patterns to the reviewers responsible for them. When a PR touches a matched file, the owner is automatically requested as a reviewer; that review only becomes mandatory when branch protection is configured to require code-owner approval. Once enforced, this guarantees that the security team reviews auth changes, the platform team reviews CI config, and the frontend team reviews shared components. Code ownership also defines accountability — who to contact when something breaks, and who maintains what. Weak ownership (everyone owns everything) means nobody feels responsible.",
    "aliases": [
        "CODEOWNERS",
        "code review ownership",
        "required reviewers"
    ],
    "tags": [
        "quality",
        "git",
        "team",
        "process"
    ],
    "misconception": "CODEOWNERS slows down development — required reviews add upfront time but prevent costly rollbacks and incidents caused by unreviewed changes to critical paths.",
    "why_it_matters": "Without CODEOWNERS, a junior developer can merge changes to the payment processing code or authentication system without any expert review — with CODEOWNERS enforced through branch protection, such a merge is blocked automatically until an owner approves.",
    "common_mistakes": [
        "CODEOWNERS with departed team members — reviews block forever; maintain the file when team changes.",
        "Too many CODEOWNERS per file — requiring 5 reviewers creates bottlenecks; 1-2 per critical path is enough.",
        "No CODEOWNERS for security-critical paths — auth, payments, and crypto code should always require specific review.",
        "CODEOWNERS not enforced as required — configure branch protection to require CODEOWNERS review, otherwise it is advisory only."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "git_hooks_deep",
        "github_actions_php",
        "pair_programming",
        "blameless_culture"
    ],
    "prerequisites": [
        "bus_factor",
        "documentation_as_code",
        "developer_experience"
    ],
    "refs": [
        "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners"
    ],
    "bad_code": "# No CODEOWNERS — anyone merges anything:\n# Junior dev modifies src/Auth/JwtValidator.php\n# No security review required\n# Merges a JWT algorithm confusion vulnerability\n# Nobody with security expertise saw the change",
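    "good_code": "# .github/CODEOWNERS:\n# Default owner for everything else. Keep this rule first: the last matching\n# pattern takes precedence, so a trailing * would override every rule above it.\n*                    @tech-lead\n\n# Security-critical paths (approval from any one listed owner satisfies the rule):\n/src/Auth/           @security-team @senior-dev\n/src/Payment/        @payments-team @security-team\n\n# Infrastructure:\n/.github/workflows/  @platform-team\n/docker/             @platform-team\n\n# Shared components:\n/src/UI/components/  @frontend-team",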
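    "quick_fix": "Add a CODEOWNERS file to your repository root — it auto-assigns reviewers to PRs touching specific paths and documents who is responsible for each component. Then require code-owner review in branch protection so the assignment is enforced rather than advisory.",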
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/code_ownership",
        "html_url": "https://codeclaritylab.com/glossary/code_ownership",
        "json_url": "https://codeclaritylab.com/glossary/code_ownership.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Code Ownership & CODEOWNERS](https://codeclaritylab.com/glossary/code_ownership) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/code_ownership"
            }
        }
    }
}