In this article we will present the Code Owners concept from top to bottom, dive into the details with more advanced use cases and give you best practices and Code owners tips to enhance and secure your review processes.
Table of Contents:
The bodies responsible for setting industry standards or managing certifications with regards to secure software like SOC2, PCI DSS, OWASP and SAFECode provide general guidelines for a secure code review process.
Overall, a secure process can be broken down into these 4 steps:
According to the OWASP Code Review Guide, reviewers should be people that have...
It depends on the size of the company and the industry regulation. This is not a one size fit all situation.
The level of scrutiny each Pull Request should go through can of course differ from a small company that may want a pair of reviewers, to a bigger company that may need several reviewers focused on different aspects of the Pull Request.
For a company looking to comprehensively cover functional and security aspects, a common configuration could be to include two types of reviewers:
Identifying the relevant set of reviewers for each specific Pull Request can be a real challenge, even more so to do it repeatedly. So how do you pick a relevant set of reviewers consistently and at scale? Introducing the concept of Code Owners.
Code Owners are users or shared groups responsible for specific code parts.
They are usually experts with the parts of the codebase they own, and ensure that any changes meet the quality, style, and functionality standards.
Example:
The idea is for Code Owners to be automatically requested for review when someone opens a Pull Request that modifies code that they own.
Example:
Here is a short history of the concept:
This is an interesting point as the agile methodology promotes a shared approach of code ownerships where all users should be able to review each part of the codebase. Is Code Owners an anti-pattern then?
Well we think not because:
Whatever your organization and the level of scrutiny you want for your Pull Requests, you can adapt the Code Owners rules to fit your needs. Code Owner rules can cover a lot of different use cases and code coverage policies.
Customers usually define the followings types of code ownership:
This very simple example shows how you could define rules per type of ownership.
A number of open source projects use Code Owners. As an illustration we took the php-docs-sample repository from Google Cloud Platform.
The need for Code Owners can stem here from the various type of resources maintained in this repository that has over 150 contributors.
In this example, one reviewing team is the default one and different types of samples are owned by specific teams or individuals.
Whatever platform you are using (GitHub, GitLab, Bitbucket), the rules are defined in a similar way.
In terms of format and location, they are defined in a plain text file.
The rules are defined using a pattern syntax in line with the .gitignore standards.
Here is how it works:
Example that works for GitHub, GitLab and Bitbucket:
docs/* @tech-writer-team
*.rb @dev-team
CODEOWNERS @cto
CODEOWNERS files can be committed at the root of a repository or in specific folders depending on the platform.
Here is an example CODEOWNERS file and the results in the GitHub Pull Request UI.
# Lines starting with '#' are comments.
# Each line is a file pattern followed by one or more # owners.
# These owners will be the default owners for
# everything in the repo.
* @defunkt
# Order is important. The last matching pattern has
# the most precedence.
# So if a pull request only touches javascript files,
# only these owners will be requested to review.
*.js @octocat @github/js
# You can also use email addresses if you prefer.
docs/* docs@example.com
Great, I can assign reviewers automatically with Code Owners. What now?
Well next, you want to secure your review process with merge checks.
The goal is for all your changes to go through an actual review and a validation from your code owners.
If we take our previous example from GitHub:
So we can assign reviewers and enforce the review. Are we all set? Not quite, in a real life usage you might end up with the following challenges:
Let's see together how we can tackle these challenges.
So if my Code Owners are absents, how can my Pull Request be reviewed and approved?
Repository owners and administrators can merge a Pull Request even if it hasn't received an approving review.
This can be done in GitHub, GitLab and Bitbucket.
With Bitbucket: The plugin Code Owners for Bitbucket has a feature allowing to auto assign fallback reviewers counted in merge checks quota
@@@FallbackOwners @paul @monica
What if I have a monorepo and a pattern should have different reviewers depending on the app?
You can use the file/ folder path for reviewer assignment.
/apps/app1/ui/ @UX_TEAM1
/apps/app2/ui/ @UX_TEAM2
This can be done in GitHub, GitLab and Bitbucket.
With GitLab: GitLab implemented sections to easily organize the reviewers rules.
[app1]@TEAM1
/apps/app1/
/apps/app1/ui/ @UX_TEAM1
[app2]@TEAM2
/apps/app2/
/apps/app2/ui/ @UX_TEAM2
With Bitbucket: Code Owners for Bitbucket supports project/path specific CODEOWNERS files.
/apps/app1/CODEOWNERS
ui/ @UX_TEAM1
/apps/app2/CODEOWNERS
ui/ @UX_TEAM1
How can I avoid creating distraction through notifications and unnecessary work (efficiency threshold effect) when my code owners groups are very large?
Have random assignment of a subset of users. Also helps to reduce potential code owners burnouts.
This has been implemented only by GitHub so far documentation link.
With Bitbucket: The plugin Code Owners for Bitbucket has a random assignment feature.
CODEOWNERS.toplevel.assignment_routing random 2
How can I require a minimum number of reviewers instead of all in my merge checks?
Offer flexible merge checks, requiring only a specific amount of approvals from the code owner groups.
This is possible in GitLab per section - documentation link.
With Bitbucket: The plugin Code Owners for Bitbucket offers a feature to choose the number of reviews required overall, per group or conditionally.
**/*.java @@Seniors @@Juniors
(Check(@@Seniors >= 1) | Check(@@Juniors >= 2))
Here are a few steps that you could take to introduce Code Owners within your organization.
Here is in a nutshell what you should remember from this article:
You can play around with how Code Owners rules are constructed in our Code Owners Playground.
You can also use the following links to get access to the documentation of Code Owners for:
Ilona_Mibex Software
Product Marketing Manager - Mibex Software
Mibex Software
Zurich
1 comment