
Using Code Owners

What are Code Owners

Code Owners are a concept within GitLab, which assigns certain files and folders to be “owned” by specific users and/or groups. This makes it possible to add additional Approval Rules for Merge Requests that state that a Code Owner’s approval is required. This ensures that merge requests can only be merged after the people with the right knowledge have approved them.

Why use them with Frigg?

Some companies want to allow people other than their instance administrators to create and approve Merge Requests on the Frigg repository. A common reason is a small number of administrators, which would otherwise create a bottleneck for creating and managing projects.

Code Owners can be used to ensure that people other than the administrators cannot approve changes to high-level resources on their own. Without that restriction, they would be able to remove administrators and give themselves rights to resources they shouldn’t be able to access.

Same as with Frigg resources, Code Owners are written down in a file which exists within your repository, named CODEOWNERS. This ensures that the list of Code Owners also needs the approval of the correct people before being altered.

How to set up Code Owners properly in your Frigg repository

The following file is an example of a CODEOWNERS file one could put in their Frigg repository.

# Protect the CODEOWNERS file itself
# Code Owners can be both users or groups. Groups will only include direct members.
/CODEOWNERS @user1 @group1

# Protect the resources for the Top Level Group
/resources/gitlab/TOP_LEVEL_GROUP/TOP_LEVEL_GROUP.yaml @user1 @user2 @group1 @group2

# Protect the resources for the Frigg repository
/resources/gitlab/TOP_LEVEL_GROUP/frigg.yaml @user1 @user2 @group1 @group2

Just replace all instances of TOP_LEVEL_GROUP with the group name of your top-level group. Then proceed to place the file in the root of your Frigg Project. Make sure that Code Owner approvals are enabled for this project’s main branch. This is a setting within Frigg, see GitLab Project Resource Protected Branches.

This file ensures that only the correct users and groups are able to alter the CODEOWNERS file, as well as the Frigg project resource and Top Level Group resource. Allowing anyone with access to the Frigg project to change these without approval from an instance administrator might result in the wrong people getting access to the wrong resources.
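GitLab uses the last matching pattern in a CODEOWNERS file, so a broad rule added below the protected entries silently replaces their owners. The following check is an added example, not part of Frigg or GitLab: it reports any of the three protected paths whose effective owners are missing or fall outside an allowed set. It assumes a file without sections and `@` handles only, uses a simplified path matcher, and the `@project-team` rule is constructed for illustration.

```python
import fnmatch

ADMINS = {"@user1", "@user2", "@group1", "@group2"}  # placeholders from the page
CRITICAL = [
    "/CODEOWNERS",
    "/resources/gitlab/TOP_LEVEL_GROUP/TOP_LEVEL_GROUP.yaml",
    "/resources/gitlab/TOP_LEVEL_GROUP/frigg.yaml",
]
# The page's file (comments dropped), then a constructed broad rule added last.
PAGE_FILE = """\
/CODEOWNERS @user1 @group1
/resources/gitlab/TOP_LEVEL_GROUP/TOP_LEVEL_GROUP.yaml @user1 @user2 @group1 @group2
/resources/gitlab/TOP_LEVEL_GROUP/frigg.yaml @user1 @user2 @group1 @group2
"""
OVERRIDDEN = PAGE_FILE + "/resources/ @project-team\n"

def parse(text):
    """Return [(pattern, owners)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, *rest = line.split()
            rules.append((pattern, {t for t in rest if t.startswith("@")}))
    return rules

def matches(pattern, path):
    """Simplified matcher; '*' also crosses '/', so it over-matches on purpose."""
    if pattern.endswith("/"):                      # directory rule
        return path.startswith(pattern) if pattern.startswith("/") else "/" + pattern in path
    if pattern.startswith("/"):                    # anchored at repository root
        return fnmatch.fnmatchcase(path, pattern)
    return fnmatch.fnmatchcase(path, "*/" + pattern)   # any depth

def audit(text):
    """Map each critical path to a finding; an empty dict means all are protected."""
    findings, rules = {}, parse(text)
    for path in CRITICAL:
        hits = [owners for pattern, owners in rules if matches(pattern, path)]
        owners = hits[-1] if hits else set()       # last matching rule wins
        if not owners:
            findings[path] = "no Code Owner"
        elif owners - ADMINS:
            findings[path] = "non-admin owners: " + ", ".join(sorted(owners - ADMINS))
    return findings

if __name__ == "__main__":
    print(audit(PAGE_FILE), audit(OVERRIDDEN), sep="\n")
```

Run against the file in a merge request, a non-empty result means the change weakens the protection described above, even if the three original lines are untouched.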

Important to note: whenever you assign a GitLab Group as a Code Owner, this group needs to either be a parent (or a parent of a parent) of the project the file exists in, or be added as a member of the project with at least the Access Level Developer.