|
| 1 | +# CODEOWNERS — required reviewer routing for security-sensitive paths. |
| 2 | +# |
| 3 | +# Branch protection on `main` / `v10-rc` should have "Require review from |
| 4 | +# Code Owners" enabled (admin task — see |
| 5 | +# docs/security/SUPPLY_CHAIN_HARDENING.md §C). With that toggle on, any |
| 6 | +# PR that touches a path listed below requires an approving review from |
| 7 | +# at least one of the listed owners before it can merge. Without |
| 8 | +# CODEOWNERS, the "code-owner review" branch protection rule is a no-op: |
| 9 | +# there is nobody to ask, so the requirement is silently satisfied for |
| 10 | +# every PR. The 2024 reviewdog supply-chain compromise hinged on this |
| 11 | +# exact failure mode — an attacker landed a workflow change that no |
| 12 | +# named maintainer was required to approve. |
| 13 | +# |
| 14 | +# Owner syntax: GitHub @-usernames or @org/team names. Teams are |
| 15 | +# preferred for shared infra (no churn when the active maintainer |
| 16 | +# rotates). Individual handles are fine for the bootstrap period below |
| 17 | +# and can be migrated to a team mention later without touching the |
| 18 | +# patterns. |
| 19 | +# |
| 20 | +# Bootstrap owners — derived from the most recent committers on these |
| 21 | +# paths at the time CODEOWNERS landed. Replace with `@OriginTrail/<team>` |
| 22 | +# once a maintainers' team is created in the org. Each path needs at |
| 23 | +# LEAST two owners so no single account compromise can self-approve a |
| 24 | +# malicious change here. |
| 25 | + |
| 26 | +# ---------------------------------------------------------------------- |
| 27 | +# CI workflow files — full attacker surface. Anything that runs on a |
| 28 | +# privileged event (`push` to main, `pull_request_target`, `schedule`, |
| 29 | +# `workflow_dispatch`) inherits the workflow's `permissions:` block, |
| 30 | +# so a malicious workflow change is equivalent to handing out a token |
| 31 | +# in the worst case. These MUST get a security-aware review. |
| 32 | +.github/ @branarakic @Jurij89 @zsculac |
| 33 | +.github/workflows/ @branarakic @Jurij89 @zsculac |
| 34 | +.github/actions/ @branarakic @Jurij89 @zsculac |
| 35 | +.github/dependabot.yml @branarakic @Jurij89 @zsculac |
| 36 | +.github/zizmor.yml @branarakic @Jurij89 @zsculac |
| 37 | +.github/CODEOWNERS @branarakic @Jurij89 @zsculac |
| 38 | + |
| 39 | +# ---------------------------------------------------------------------- |
| 40 | +# Publish credentials surface — anything that influences what gets |
| 41 | +# packed, published, or which packages are public. A change that flips |
| 42 | +# a `"private": true` to false on a previously-private package, or |
| 43 | +# that adds a postinstall script, lands here. |
| 44 | +package.json @branarakic @Jurij89 @zsculac |
| 45 | +pnpm-lock.yaml @branarakic @Jurij89 @zsculac |
| 46 | +pnpm-workspace.yaml @branarakic @Jurij89 @zsculac |
| 47 | +.npmrc @branarakic @Jurij89 @zsculac |
| 48 | +packages/*/package.json @branarakic @Jurij89 @zsculac |
| 49 | +packages/*/.npmrc @branarakic @Jurij89 @zsculac |
| 50 | + |
| 51 | +# ---------------------------------------------------------------------- |
| 52 | +# Release / deploy scripts — covered as code, not config. A modification |
| 53 | +# here can change what `pnpm build` produces or which file the release |
| 54 | +# workflow uploads as a release asset, both of which are publish-trust |
| 55 | +# boundaries. |
| 56 | +scripts/ @branarakic @Jurij89 @zsculac |
| 57 | +packages/cli/scripts/ @branarakic @Jurij89 @zsculac |
| 58 | + |
| 59 | +# ---------------------------------------------------------------------- |
| 60 | +# Security documentation — keeps the threat-model description in sync |
| 61 | +# with the controls actually configured in this repo. Drift between |
| 62 | +# the doc and the configured controls was the gap that PR review found |
| 63 | +# the first time around. |
| 64 | +docs/security/ @branarakic @Jurij89 @zsculac |
| 65 | +SECURITY.md @branarakic @Jurij89 @zsculac |
0 commit comments