A CODEOWNERS file tells GitHub which people or teams should automatically review changes to specific parts of a repository. This builder maps path patterns to owners, validates the @owner syntax, and emits a correctly ordered file that auto-requests the right reviewers on every pull request.
How it works
CODEOWNERS uses gitignore-style path patterns followed by one or more owners:
- Each line is
pattern @owner1 @owner2, where owners are GitHub usernames (@alice), teams (@org/team), or member emails. - GitHub evaluates rules top to bottom and applies last-match-wins — the final matching line decides ownership — so general rules go first and specific ones last.
- A
*pattern acts as a default catch-all so no file is left without a reviewer.
The tool warns when an owner is missing its @, when a team has no org/ prefix, or when a rule has no owners at all.
Pattern syntax quick reference
| Pattern | What it matches |
|---|---|
* | Every file in the repository |
/src/ | All files under the src directory |
*.ts | Every TypeScript file anywhere |
/infra/**/*.tf | Any Terraform file under infra/ |
docs/ | All files in the docs directory |
Example CODEOWNERS file
# Default catch-all — every unmatched file goes to the infra team
* @myorg/platform
# Backend API owned by the server team
/src/api/ @myorg/backend @alice
# Frontend components — two specific engineers
/src/components/ @bob @carol
# All Terraform files need an infrastructure review
**/*.tf @myorg/infrastructure
# Security-sensitive files: require security and a senior lead
/src/auth/ @myorg/security @alice
Rules are evaluated top to bottom, so a file at /src/api/auth/token.ts matches both /src/api/ and /src/auth/ — but the last matching rule (/src/auth/) wins.
Tips and notes
- Put the broad
*default at the top and narrow rules below it so specificity wins. - Directory patterns should end with
/to match everything inside, e.g./src/api/. - Teams must be written as
@org/team-nameand the team must have write access to the repo. - Enable the “Require review from Code Owners” branch-protection rule to make owners’ approval mandatory before merging.
- GitHub supports CODEOWNERS in three locations: the repository root,
.github/, ordocs/. Most teams use.github/CODEOWNERS. - Adding a new code owner does not retroactively open review requests on existing open PRs — it applies to new pushes only.
Common CODEOWNERS patterns
Requiring a security review on sensitive paths:
/src/auth/ @org/security-team
/.env.example @org/security-team
/infra/ @org/infrastructure @org/security-team
Splitting ownership by technology:
*.go @org/backend
*.ts *.tsx @org/frontend
*.tf @org/infrastructure
*.yml *.yaml @org/devops
Shared core packages that many teams depend on:
/packages/core/ @alice @bob @carol # senior engineers only
When to set this up
CODEOWNERS pays for itself the first time a security-critical file changes without the right person being notified. Set it up early, when it is easy to reason about ownership, rather than retroactively after a missed review causes an incident. If your repository already has hundreds of contributors and thousands of files, start with the highest-risk paths (auth, payments, infra, core packages) and expand from there.