Add block on pending codeowner reviews branch protection

Naxdy · Naxdy · commit 8a9f76269267 · 2025-10-15T12:44:36.000+02:00
diff --git a/models/git/protected_branch.go b/models/git/protected_branch.go
@@ -57,6 +57,7 @@ type ProtectedBranch struct {
 	RequiredApprovals             int64    `xorm:"NOT NULL DEFAULT 0"`
 	BlockOnRejectedReviews        bool     `xorm:"NOT NULL DEFAULT false"`
 	BlockOnOfficialReviewRequests bool     `xorm:"NOT NULL DEFAULT false"`
+	BlockOnCodeownerReviews       bool     `xorm:"NOT NULL DEFAULT false"`
 	BlockOnOutdatedBranch         bool     `xorm:"NOT NULL DEFAULT false"`
 	DismissStaleApprovals         bool     `xorm:"NOT NULL DEFAULT false"`
 	IgnoreStaleApprovals          bool     `xorm:"NOT NULL DEFAULT false"`
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -25,6 +25,7 @@ import (
 	"code.gitea.io/gitea/models/migrations/v1_23"
 	"code.gitea.io/gitea/models/migrations/v1_24"
 	"code.gitea.io/gitea/models/migrations/v1_25"
+	"code.gitea.io/gitea/models/migrations/v1_26"
 	"code.gitea.io/gitea/models/migrations/v1_6"
 	"code.gitea.io/gitea/models/migrations/v1_7"
 	"code.gitea.io/gitea/models/migrations/v1_8"
@@ -395,6 +396,9 @@ func prepareMigrationTasks() []*migration {
 		newMigration(321, "Use LONGTEXT for some columns and fix review_state.updated_files column", v1_25.UseLongTextInSomeColumnsAndFixBugs),
 		newMigration(322, "Extend comment tree_path length limit", v1_25.ExtendCommentTreePathLength),
 		newMigration(323, "Add support for actions concurrency", v1_25.AddActionsConcurrency),
+
+		// Gitea 1.25.0 ends at database version 323
+		newMigration(324, "Add block on codeowner reviews branch protection", v1_26.AddBlockOnCodeownerReviews),
 	}
 	return preparedMigrations
 }
diff --git a/models/migrations/v1_26/v324.go b/models/migrations/v1_26/v324.go
@@ -0,0 +1,16 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_26
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddBlockOnCodeownerReviews(x *xorm.Engine) error {
+	type ProtectedBranch struct {
+		BlockOnCodeownerReviews bool `xorm:"NOT NULL DEFAULT false"`
+	}
+
+	return x.Sync(new(ProtectedBranch))
+}
diff --git a/modules/structs/repo_branch.go b/modules/structs/repo_branch.go
@@ -58,6 +58,7 @@ type BranchProtection struct {
 	ApprovalsWhitelistTeams       []string `json:"approvals_whitelist_teams"`
 	BlockOnRejectedReviews        bool     `json:"block_on_rejected_reviews"`
 	BlockOnOfficialReviewRequests bool     `json:"block_on_official_review_requests"`
+	BlockOnCodeownerReviews       bool     `json:"block_on_codeowner_reviews"`
 	BlockOnOutdatedBranch         bool     `json:"block_on_outdated_branch"`
 	DismissStaleApprovals         bool     `json:"dismiss_stale_approvals"`
 	IgnoreStaleApprovals          bool     `json:"ignore_stale_approvals"`
@@ -98,6 +99,7 @@ type CreateBranchProtectionOption struct {
 	ApprovalsWhitelistTeams       []string `json:"approvals_whitelist_teams"`
 	BlockOnRejectedReviews        bool     `json:"block_on_rejected_reviews"`
 	BlockOnOfficialReviewRequests bool     `json:"block_on_official_review_requests"`
+	BlockOnCodeownerReviews       bool     `json:"block_on_codeowner_reviews"`
 	BlockOnOutdatedBranch         bool     `json:"block_on_outdated_branch"`
 	DismissStaleApprovals         bool     `json:"dismiss_stale_approvals"`
 	IgnoreStaleApprovals          bool     `json:"ignore_stale_approvals"`
@@ -131,6 +133,7 @@ type EditBranchProtectionOption struct {
 	ApprovalsWhitelistTeams       []string `json:"approvals_whitelist_teams"`
 	BlockOnRejectedReviews        *bool    `json:"block_on_rejected_reviews"`
 	BlockOnOfficialReviewRequests *bool    `json:"block_on_official_review_requests"`
+	BlockOnCodeownerReviews       *bool    `json:"block_on_codeowner_reviews"`
 	BlockOnOutdatedBranch         *bool    `json:"block_on_outdated_branch"`
 	DismissStaleApprovals         *bool    `json:"dismiss_stale_approvals"`
 	IgnoreStaleApprovals          *bool    `json:"ignore_stale_approvals"`
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -1916,6 +1916,7 @@ pulls.required_status_check_administrator = As an administrator, you may still m
 pulls.blocked_by_approvals = "This pull request doesn't have enough required approvals yet. %d of %d official approvals granted."
 pulls.blocked_by_approvals_whitelisted = "This pull request doesn't have enough required approvals yet. %d of %d approvals granted from users or teams on the allowlist."
 pulls.blocked_by_rejection = "This pull request has changes requested by an official reviewer."
+pulls.blocked_by_codeowners = "This pull request is missing approval from one or more code owners."
 pulls.blocked_by_official_review_requests = "This pull request has official review requests."
 pulls.blocked_by_outdated_branch = "This pull request is blocked because it's outdated."
 pulls.blocked_by_changed_protected_files_1= "This pull request is blocked because it changes a protected file:"
@@ -2553,6 +2554,8 @@ settings.block_rejected_reviews = Block merge on rejected reviews
 settings.block_rejected_reviews_desc = Merging will not be possible when changes are requested by official reviewers, even if there are enough approvals.
 settings.block_on_official_review_requests = Block merge on official review requests
 settings.block_on_official_review_requests_desc = Merging will not be possible when it has official review requests, even if there are enough approvals.
+settings.block_on_codeowner_reviews = Require approval from code owners
+settings.block_on_codeowner_reviews_desc = Merging will only be possible if at least one code owner per code owner rule has given an approving review.
 settings.block_outdated_branch = Block merge if pull request is outdated
 settings.block_outdated_branch_desc = Merging will not be possible when head branch is behind base branch.
 settings.block_admin_merge_override = Administrators must follow branch protection rules
diff --git a/result b/result
@@ -0,0 +1 @@
+/nix/store/fggjagh3w5ba30jc86d0c68jrxm2pzmb-gitea-1.25.0
diff --git a/routers/api/v1/repo/branch.go b/routers/api/v1/repo/branch.go
@@ -855,6 +855,10 @@ func EditBranchProtection(ctx *context.APIContext) {
 		protectBranch.BlockOnOfficialReviewRequests = *form.BlockOnOfficialReviewRequests
 	}
 
+	if form.BlockOnCodeownerReviews != nil {
+		protectBranch.BlockOnCodeownerReviews = *form.BlockOnCodeownerReviews
+	}
+
 	if form.DismissStaleApprovals != nil {
 		protectBranch.DismissStaleApprovals = *form.DismissStaleApprovals
 	}
diff --git a/routers/web/repo/issue_view.go b/routers/web/repo/issue_view.go
@@ -948,6 +948,7 @@ func preparePullViewReviewAndMerge(ctx *context.Context, issue *issues_model.Iss
 		ctx.Data["ProtectedBranch"] = pb
 		ctx.Data["IsBlockedByApprovals"] = !issues_model.HasEnoughApprovals(ctx, pb, pull)
 		ctx.Data["IsBlockedByRejection"] = issues_model.MergeBlockedByRejectedReview(ctx, pb, pull)
+		ctx.Data["IsBlockedByCodeowners"] = !issue_service.HasAllRequiredCodeownerReviews(ctx, pb, pull)
 		ctx.Data["IsBlockedByOfficialReviewRequests"] = issues_model.MergeBlockedByOfficialReviewRequests(ctx, pb, pull)
 		ctx.Data["IsBlockedByOutdatedBranch"] = issues_model.MergeBlockedByOutdatedBranch(pb, pull)
 		ctx.Data["GrantedApprovals"] = issues_model.GetGrantedApprovalsCount(ctx, pb, pull)
diff --git a/routers/web/repo/setting/protected_branch.go b/routers/web/repo/setting/protected_branch.go
@@ -254,6 +254,7 @@ func SettingsProtectedBranchPost(ctx *context.Context) {
 	}
 	protectBranch.BlockOnRejectedReviews = f.BlockOnRejectedReviews
 	protectBranch.BlockOnOfficialReviewRequests = f.BlockOnOfficialReviewRequests
+	protectBranch.BlockOnCodeownerReviews = f.BlockOnCodeownerReviews
 	protectBranch.DismissStaleApprovals = f.DismissStaleApprovals
 	protectBranch.IgnoreStaleApprovals = f.IgnoreStaleApprovals
 	protectBranch.RequireSignedCommits = f.RequireSignedCommits
diff --git a/services/convert/convert.go b/services/convert/convert.go
@@ -189,6 +189,7 @@ func ToBranchProtection(ctx context.Context, bp *git_model.ProtectedBranch, repo
 		ApprovalsWhitelistTeams:       approvalsWhitelistTeams,
 		BlockOnRejectedReviews:        bp.BlockOnRejectedReviews,
 		BlockOnOfficialReviewRequests: bp.BlockOnOfficialReviewRequests,
+		BlockOnCodeownerReviews:       bp.BlockOnCodeownerReviews,
 		BlockOnOutdatedBranch:         bp.BlockOnOutdatedBranch,
 		DismissStaleApprovals:         bp.DismissStaleApprovals,
 		IgnoreStaleApprovals:          bp.IgnoreStaleApprovals,
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
@@ -189,6 +189,7 @@ type ProtectBranchForm struct {
 	ApprovalsWhitelistTeams       string
 	BlockOnRejectedReviews        bool
 	BlockOnOfficialReviewRequests bool
+	BlockOnCodeownerReviews       bool
 	BlockOnOutdatedBranch         bool
 	DismissStaleApprovals         bool
 	IgnoreStaleApprovals          bool
diff --git a/services/issue/pull.go b/services/issue/pull.go
@@ -9,6 +9,7 @@ import (
 	"slices"
 	"time"
 
+	git_model "code.gitea.io/gitea/models/git"
 	issues_model "code.gitea.io/gitea/models/issues"
 	org_model "code.gitea.io/gitea/models/organization"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -49,6 +50,125 @@ func IsCodeOwnerFile(f string) bool {
 	return slices.Contains(codeOwnerFiles, f)
 }
 
+func HasAllRequiredCodeownerReviews(ctx context.Context, pb *git_model.ProtectedBranch, pr *issues_model.PullRequest) bool {
+	if !pb.BlockOnCodeownerReviews {
+		return true
+	}
+
+	if err := pr.LoadHeadRepo(ctx); err != nil {
+		return false
+	}
+
+	if err := pr.LoadBaseRepo(ctx); err != nil {
+		return false
+	}
+
+	pr.Issue.Repo = pr.BaseRepo
+
+	if pr.BaseRepo.IsFork {
+		return true
+	}
+
+	repo, err := gitrepo.OpenRepository(ctx, pr.BaseRepo)
+	if err != nil {
+		return false
+	}
+
+	defer repo.Close()
+
+	commit, err := repo.GetBranchCommit(pr.BaseRepo.DefaultBranch)
+	if err != nil {
+		return false
+	}
+
+	var data string
+
+	for _, file := range codeOwnerFiles {
+		if blob, err := commit.GetBlobByPath(file); err == nil {
+			data, err = blob.GetBlobContent(setting.UI.MaxDisplayFileSize)
+			if err == nil {
+				break
+			}
+		}
+	}
+
+	// no code owner file = no one to approve
+	if data == "" {
+		return true
+	}
+
+	rules, _ := issues_model.GetCodeOwnersFromContent(ctx, data)
+	if len(rules) == 0 {
+		return true
+	}
+
+	// get the mergebase
+	mergeBase, err := getMergeBase(ctx, pr.BaseRepo, repo, pr, git.BranchPrefix+pr.BaseBranch, pr.GetGitHeadRefName())
+	if err != nil {
+		return false
+	}
+
+	// https://github.com/go-gitea/gitea/issues/29763, we need to get the files changed
+	// between the merge base and the head commit but not the base branch and the head commit
+	changedFiles, err := repo.GetFilesChangedBetween(mergeBase, pr.GetGitHeadRefName())
+	if err != nil {
+		return false
+	}
+
+	approvingReviews, err := issues_model.FindLatestReviews(ctx, issues_model.FindReviewOptions{
+		Types:   []issues_model.ReviewType{issues_model.ReviewTypeApprove},
+		IssueID: pr.IssueID,
+	})
+	if err != nil {
+		return false
+	}
+
+	hasApprovals := true
+
+	matchingRules := make([]*issues_model.CodeOwnerRule, 0)
+
+	for _, rule := range rules {
+		for _, f := range changedFiles {
+			if (rule.Rule.MatchString(f) && !rule.Negative) || (!rule.Rule.MatchString(f) && rule.Negative) {
+				matchingRules = append(matchingRules, rule)
+				break
+			}
+		}
+	}
+
+	for _, rule := range matchingRules {
+		ruleReviewers := slices.Clone(rule.Users)
+		for _, t := range rule.Teams {
+			if err := t.LoadMembers(ctx); err != nil {
+				return false
+			}
+
+			ruleReviewers = slices.AppendSeq(ruleReviewers, slices.Values(t.Members))
+		}
+
+		// we need at least 1 code owner that isn't the PR author
+		hasPotentialReviewers := slices.ContainsFunc(ruleReviewers, func(elem *user_model.User) bool { return elem.ID != pr.Issue.PosterID })
+
+		if !hasPotentialReviewers {
+			continue
+		}
+
+		// then we need at least 1 approving review from any valid code owner for this rule
+		hasRuleApproval := slices.ContainsFunc(ruleReviewers, func(elem *user_model.User) bool {
+			return slices.ContainsFunc(approvingReviews, func(review *issues_model.Review) bool {
+				return review.ReviewerID == elem.ID
+			})
+		})
+
+		if !hasRuleApproval {
+			hasApprovals = false
+			break
+		}
+	}
+
+	return hasApprovals
+}
+
 func PullRequestCodeOwnersReview(ctx context.Context, pr *issues_model.PullRequest) ([]*ReviewRequestNotifier, error) {
 	if err := pr.LoadIssue(ctx); err != nil {
 		return nil, err
diff --git a/services/pull/merge.go b/services/pull/merge.go
@@ -598,6 +598,10 @@ func CheckPullBranchProtections(ctx context.Context, pr *issues_model.PullReques
 		return util.ErrorWrap(ErrNotReadyToMerge, "The head branch is behind the base branch")
 	}
 
+	if !issue_service.HasAllRequiredCodeownerReviews(ctx, pb, pr) {
+		return util.ErrorWrap(ErrNotReadyToMerge, "There are missing code owner reviews.")
+	}
+
 	if skipProtectedFilesCheck {
 		return nil
 	}
diff --git a/templates/repo/issue/view_content/pull_merge_box.tmpl b/templates/repo/issue/view_content/pull_merge_box.tmpl
@@ -16,6 +16,7 @@
 	{{- else if .IsBlockedByApprovals}}red
 	{{- else if .IsBlockedByRejection}}red
 	{{- else if .IsBlockedByOfficialReviewRequests}}red
+	{{- else if .IsBlockedByCodeowners}}red
 	{{- else if .IsBlockedByOutdatedBranch}}red
 	{{- else if .IsBlockedByChangedProtectedFiles}}red
 	{{- else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsFailure .RequiredStatusCheckState.IsError)}}red
@@ -131,6 +132,11 @@
 						{{svg "octicon-x"}}
 					{{ctx.Locale.Tr "repo.pulls.blocked_by_official_review_requests"}}
 					</div>
+				{{else if .IsBlockedByCodeowners}}
+					<div class="item">
+						{{svg "octicon-x"}}
+					{{ctx.Locale.Tr "repo.pulls.blocked_by_codeowners"}}
+					</div>
 				{{else if .IsBlockedByOutdatedBranch}}
 					<div class="item">
 						{{svg "octicon-x"}}
@@ -167,7 +173,7 @@
 					</div>
 				{{end}}
 
-				{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
+				{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByCodeowners .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
 
 				{{/* admin can merge without checks, writer can merge when checks succeed */}}
 				{{$canMergeNow := and (or (and (not $.ProtectedBranch.BlockAdminMergeOverride) $.IsRepoAdmin) (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
@@ -337,6 +343,11 @@
 						{{svg "octicon-x"}}
 						{{ctx.Locale.Tr "repo.pulls.blocked_by_official_review_requests"}}
 					</div>
+					{{else if .IsBlockedByCodeowners}}
+					<div class="item text red">
+						{{svg "octicon-x"}}
+						{{ctx.Locale.Tr "repo.pulls.blocked_by_codeowners"}}
+					</div>
 				{{else if .IsBlockedByOutdatedBranch}}
 					<div class="item text red">
 						{{svg "octicon-x"}}
diff --git a/templates/repo/settings/protected_branch.tmpl b/templates/repo/settings/protected_branch.tmpl
@@ -320,6 +320,13 @@
 						<p class="help">{{ctx.Locale.Tr "repo.settings.block_on_official_review_requests_desc"}}</p>
 					</div>
 				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="block_on_codeowner_reviews" type="checkbox" {{if .Rule.BlockOnCodeownerReviews}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.settings.block_on_codeowner_reviews"}}</label>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.block_on_codeowner_reviews_desc"}}</p>
+					</div>
+				</div>
 				<div class="field">
 					<div class="ui checkbox">
 						<input name="block_on_outdated_branch" type="checkbox" {{if .Rule.BlockOnOutdatedBranch}}checked{{end}}>
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+/nix/store/fggjagh3w5ba30jc86d0c68jrxm2pzmb-gitea-1.25.0`
Original file line number	Diff line number	Diff line change
`@@ -855,6 +855,10 @@ func EditBranchProtection(ctx *context.APIContext) {`
`855`	`855`	`protectBranch.BlockOnOfficialReviewRequests = *form.BlockOnOfficialReviewRequests`
`856`	`856`	`}`
`857`	`857`
	`858`	`+ if form.BlockOnCodeownerReviews != nil {`
	`859`	`+ protectBranch.BlockOnCodeownerReviews = *form.BlockOnCodeownerReviews`
	`860`	`+ }`
	`861`	`+`
`858`	`862`	`if form.DismissStaleApprovals != nil {`
`859`	`863`	`protectBranch.DismissStaleApprovals = *form.DismissStaleApprovals`
`860`	`864`	`}`
Original file line number	Diff line number	Diff line change
`@@ -254,6 +254,7 @@ func SettingsProtectedBranchPost(ctx *context.Context) {`
`254`	`254`	`}`
`255`	`255`	`protectBranch.BlockOnRejectedReviews = f.BlockOnRejectedReviews`
`256`	`256`	`protectBranch.BlockOnOfficialReviewRequests = f.BlockOnOfficialReviewRequests`
	`257`	`+ protectBranch.BlockOnCodeownerReviews = f.BlockOnCodeownerReviews`
`257`	`258`	`protectBranch.DismissStaleApprovals = f.DismissStaleApprovals`
`258`	`259`	`protectBranch.IgnoreStaleApprovals = f.IgnoreStaleApprovals`
`259`	`260`	`protectBranch.RequireSignedCommits = f.RequireSignedCommits`