This GitHub Action extends the functionality of GitHub's CODEOWNERS feature by requiring all codeowners listed for a file or directory to approve a pull request before it can be merged. This ensures stricter review policies, particularly for critical or shared code areas.
By default, GitHub only requires one codeowner's approval, even if multiple codeowners are listed. This action enforces that every codeowner must approve, providing better safeguards for code quality and accountability.
For example, given the following line in a CODEOWNERS file:

```
* @noamelf @uzihs
```

Both @noamelf and @uzihs must approve any pull request affecting files in the repository. Without this action, only one of these approvals would be required.
The action is triggered by the pull_request_review event when a review is submitted. It scans the CODEOWNERS file for the pull request's files and verifies that all listed codeowners, including individuals and teams, have approved the changes.
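The check described above, written out as an added Python example rather than the action's own code: it parses a constructed CODEOWNERS file with simplified gitignore-style matching (last matching rule wins), collects the owners of every changed file, keeps each reviewer's most recent non-comment review, and reports which owner entries still lack an approval. The sample files, reviews and the team-membership table (what the action would look up with a token that has `read:org`) are constructed; treating a team entry as satisfied by any one member's approval is an assumption of this example.

```python
import re

# Constructed sample CODEOWNERS content (not taken from the project's repository).
CODEOWNERS_TEXT = """
# Default owners for everything in the repository
*            @noamelf @uzihs
# Infrastructure changes additionally need the platform team
infra/**     @noamelf @org/platform-team
docs/*.md    @docs-writer
"""

# Constructed sample pull request data: changed files, reviews in submission
# order as (user, state), and a team-membership lookup as the action would
# obtain it with a read:org token.
CHANGED_FILES = ["infra/main.tf", "README.md"]
REVIEWS = [
    ("uzihs", "APPROVED"),
    ("noamelf", "CHANGES_REQUESTED"),
    ("noamelf", "APPROVED"),   # a later review supersedes the earlier one
    ("alice", "COMMENTED"),    # comment-only reviews never change approval state
]
TEAM_MEMBERS = {"org/platform-team": {"bob", "carol"}}


def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules


def _pattern_to_regex(pattern):
    """Translate a gitignore-style pattern into an anchored regex (simplified semantics,
    an assumption of this example): '*' and '?' never cross '/', '**' spans segments,
    a pattern without a slash matches at any depth, a trailing '/' means everything below."""
    pat = pattern.lstrip("/")
    if pat.endswith("/"):
        pat += "**"
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pat[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    anchored = "/" in pattern.rstrip("/")
    prefix = "^" if anchored else "^(?:.*/)?"
    return re.compile(prefix + out + "(?:/.*)?$")


def owners_for_file(rules, path):
    """Owners of one file: the last matching rule wins, as in CODEOWNERS."""
    owners = []
    for pattern, rule_owners in rules:
        if _pattern_to_regex(pattern).match(path):
            owners = rule_owners
    return set(owners)


def approved_users(reviews):
    """Users whose most recent non-comment review is an approval."""
    latest = {}
    for user, state in reviews:
        if state != "COMMENTED":
            latest[user] = state
    return {u for u, s in latest.items() if s == "APPROVED"}


def missing_approvals(rules, changed_files, reviews, team_members):
    """Sorted list of codeowner entries that have not yet approved the PR.
    Assumption: a team entry (@org/team) is satisfied by any member's approval."""
    required = set()
    for path in changed_files:
        required |= owners_for_file(rules, path)
    approvers = approved_users(reviews)
    missing = []
    for owner in sorted(required):
        name = owner.lstrip("@")
        if "/" in name:  # team entry: expand through the membership lookup
            if not (team_members.get(name, set()) & approvers):
                missing.append(owner)
        elif name not in approvers:
            missing.append(owner)
    return missing


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS_TEXT)
    still_missing = missing_approvals(rules, CHANGED_FILES, REVIEWS, TEAM_MEMBERS)
    print("missing approvals:", still_missing or "none")
```

With the constructed data the platform team is still outstanding for `infra/main.tf`, so the check fails; a later `CHANGES_REQUESTED` from an owner who had approved earlier also reopens the gap. Whatever produces the verdict, GitHub only blocks the merge on it if the job is listed as a required status check in the branch protection rules; otherwise the failing run is advisory.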
- Create a workflow file:

  Add a new workflow in the `.github/workflows` directory. For example, create `.github/workflows/codeowners-approval.yml` with the following content:

  ```yaml
  name: "Codeowners Approval Workflow"
  on:
    pull_request_review:
      types: [submitted]
  jobs:
    codeowners-approval:
      runs-on: ubuntu-latest
      steps:
        - name: Check Codeowners Approval
          uses: noamelf/codeowner-multi-approval-action@main
          with:
            pr-number: ${{ github.event.pull_request.number }}
            repo-name: ${{ github.repository }}
            github-token: ${{ secrets.MY_GITHUB_TOKEN }}
  ```
- Provide a GitHub token:

  This action requires a token with enhanced permissions to read organization teams. The next section explains how to set this up.

To handle teams in the CODEOWNERS file, the action requires a GitHub token with the following permissions:

- `repo`
- `read:org`
- Personal Access Token (simpler setup):

  Create a personal access token with the required permissions and add it as a repository secret (e.g., `MY_GITHUB_TOKEN`).

- GitHub App Token (recommended for organizations):

  Use a GitHub App for token generation. This is more secure and scalable for larger organizations.
Here is an example workflow using a GitHub App token:

```yaml
name: "Codeowners Approval Workflow"
on:
  pull_request_review:
    types: [submitted]
jobs:
  codeowners-approval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.app-id }}
          private-key: ${{ secrets.app-private-key }}
          owner: ${{ github.repository_owner }}
      - name: Check Codeowners Approval
        uses: noamelf/codeowner-multi-approval-action@main
        with:
          pr-number: ${{ github.event.pull_request.number }}
          repo-name: ${{ github.repository }}
          github-token: ${{ steps.app-token.outputs.token }}
```

- `app-id`: The ID of your GitHub App.
- `app-private-key`: The private key for your GitHub App.
- `owner`: The organization name.
This workflow generates a token via the `actions/create-github-app-token@v1` action and passes it to the `codeowner-multi-approval-action` step.
Thanks to @uzihs for coming up with the idea.