From 836536eb97cb1aab5fabb348cc1e35ea1bc49928 Mon Sep 17 00:00:00 2001 From: Jakub Domeracki Date: Mon, 12 Jan 2026 13:51:27 +0100 Subject: [PATCH] chore: add CODEOWNERS and enforce approval for GHA Workflow changes (#654) ## Summary Adds a `CODEOWNERS` file to enforce code review requirements for GitHub Actions workflow changes. - Creates `CODEOWNERS` file designating `@jdomeracki-coder` as owner of `.github/` directory - All changes to GitHub Actions workflows (`.github/` directory) now require approval from the designated code owner - Improves security posture by preventing unauthorized modifications to CI/CD pipelines ## Why this change? GitHub Actions workflows have elevated privileges and can access repository secrets. Requiring explicit approval for workflow changes helps prevent: - Accidental or malicious modifications to CI/CD pipelines - Unauthorized access to secrets - Supply chain security vulnerabilities ## Test plan - [x] Verify CODEOWNERS file is properly formatted - [ ] Test that PRs modifying `.github/` directory require approval from `@jdomeracki-coder` - [ ] Confirm existing PRs not touching `.github/` continue to work normally --- CODEOWNERS | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..9881ee77 --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1,2 @@ +# GitHub Actions Workflow Owners +.github/ @jdomeracki-coder
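Review bot: The `.github/` rule on the second added line does not cover the `CODEOWNERS` file itself, which this patch creates at the repository root, so a PR can edit or delete the rule without the owner's approval. Add a line such as `/CODEOWNERS @jdomeracki-coder`, or move the file to `.github/CODEOWNERS` so the existing pattern covers it. The pattern also has no leading slash, so it matches a `.github` directory at any depth; `/.github/` anchors it to the repository root if that is the intent. The file on its own only requests a review: the approval requirement named in the subject line takes effect only when the target branch has "Require review from Code Owners" enabled in branch protection or a ruleset, which is not part of this one-file change and corresponds to the two unchecked test-plan items. With a single user as the sole owner, workflow changes also block whenever that person is unavailable; a team handle would avoid that.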