feat(codeowners): Add codeowners enforcement #110578
TLDR;

1. Codeowners coverage is now enforced in CI. Make sure new code has a GitHub team in CODEOWNERS.
2. Try not to add to the exclusion-list.
3. If you are getting notified about changes you don’t care about, remind the dev to move their code into an owned part of the application to help us [modularize](https://www.notion.so/Application-Modularization-5454eff79f024b2bb0bc32a63a29cb44?pvs=21).

More: https://www.notion.so/sentry/Enforcing-ownership-31f8b10e4b5d80c99362fe35e7b1ca8b?showMoveTo=true&saveParent=true
| # Agent files | ||
| - '.claude/**' | ||
| - '.cursor/**' | ||
| - '.craft.yml' |
nit: I wouldn't say .craft.yml is an "agent file", this is a config file that's used to publish new releases
| # CODEOWNERS Coverage Baseline | ||
| # Files lacking CODEOWNERS coverage (sorted) | ||
| # Goal: Reduce this list to zero | ||
| # | ||
| # Generated by: codeowners-coverage baseline |
It would be good if this header could explain how to rebuild the baseline file.
codeowners-coverage baseline is the command to regenerate it!
Co-authored-by: Joris Bayer <joris.bayer@sentry.io>
Co-authored-by: Mark Story <mark@mark-story.com>
Co-authored-by: Mark Story <mark@mark-story.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Autofix Details
Bugbot Autofix prepared fixes for both issues found in the latest run.
- ✅ Fixed: Duplicate CODEOWNERS entry for `/tests/sentry/api/`
  - Removed the duplicate line 16 that assigned `/tests/sentry/api/` to `@getsentry/app-backend`.
- ✅ Fixed: Multiple CODEOWNERS teams missing from `team_allowlist`
  - Added four missing teams to the allowlist: app-backend, value-discovery, coding-workflows-sentry-frontend, and coding-workflows-sentry-backend.
Or push these changes by commenting:
@cursor push 12d32c0dfc
Preview (12d32c0dfc)
diff --git a/.codeowners-config.yml b/.codeowners-config.yml
--- a/.codeowners-config.yml
+++ b/.codeowners-config.yml
@@ -9,10 +9,13 @@
team_allowlist:
- getsentry/alerts-create-issues
- getsentry/alerts-notifications
+ - getsentry/app-backend
- getsentry/app-frontend
- getsentry/codecov
- getsentry/codecov-merge
- getsentry/coding-workflows
+ - getsentry/coding-workflows-sentry-backend
+ - getsentry/coding-workflows-sentry-frontend
- getsentry/crons
- getsentry/dashboards
- getsentry/data
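Review bot: the three slugs added to `team_allowlist` in this hunk (`getsentry/app-backend`, `getsentry/coding-workflows-sentry-backend`, `getsentry/coding-workflows-sentry-frontend`) should be confirmed as existing teams with write access to this repository before merge. GitHub skips a CODEOWNERS line whose owner it cannot resolve, so a mistyped slug that appears both here and in CODEOWNERS would satisfy the allowlist while requesting no review.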
@@ -58,6 +61,7 @@
- getsentry/team-javascript-sdks
- getsentry/team-web-sdk-backend
- getsentry/telemetry-experience
+ - getsentry/value-discovery
# File patterns to exclude from coverage checking
exclusions:
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -13,7 +13,6 @@
/src/sentry/testutils/ @getsentry/app-backend
/src/sentry/users/ @getsentry/app-backend
/tests/sentry/api/ @getsentry/app-backend
-/tests/sentry/api/ @getsentry/app-backend
/src/sentry/templates/ @getsentry/app-backend
/src/sentry/tasks/ @getsentry/app-backend
/.agents/skills/sentry-backend-bugs/ @getsentry/app-backend
This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
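Review bot: removing the second `/tests/sentry/api/` line is safe only because both copies name `@getsentry/app-backend`; if the owners had differed, the later line would have been the effective one and deleting it would have changed ownership. A check for repeated patterns in the coverage job would surface such duplicates before merge instead of leaving them to an autofix.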
| /tests/sentry/deletions/ @getsentry/owners-snuba | ||
| /src/sentry/services/nodestore/ @getsentry/owners-snuba | ||
| /src/sentry/nodestore/ @getsentry/owners-snuba | ||
| /src/sentry/services/eventstore/ @getsentry/owners-snuba | ||
| /src/sentry/eventstore/ @getsentry/owners-snuba | ||
| /src/sentry/filestore/ @getsentry/owners-snuba |
I'm not really sure this is right. I'd probably give these to backend, since they're kind of unowned
| /src/sentry/api/helpers/source_map_helper.py @getsentry/issue-workflow | ||
| /src/sentry/api/endpoints/ @getsentry/issue-workflow | ||
| /src/sentry/rules/ @getsentry/issue-detection-backend | ||
| /src/sentry/processing_errors/ @getsentry/issue-detection-backend |
/src/sentry/processing_errors/ belongs to value-discovery
### Fixes

- Removed duplicate `/tests/sentry/api/` entry from `.github/CODEOWNERS`.
- Added missing teams (`getsentry/app-backend`, `getsentry/value-discovery`, `getsentry/coding-workflows-sentry-frontend`, `getsentry/coding-workflows-sentry-backend`) to the `team_allowlist` in `.codeowners-config.yml` to ensure accurate CODEOWNERS coverage checks.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| /static/app/stories/ @getsentry/design-engineering | ||
| /static/app/views/navigation/ @getsentry/design-engineering | ||
| /static/less/ @getsentry/design-engineering | ||
| /static/app/views/settings/ @getsentry/design-engineering |
Broad settings rule overrides many specific team ownerships
High Severity
The new /static/app/views/settings/ rule for @getsentry/design-engineering at line 794 silently overrides at least 9 earlier, more specific settings ownership rules because CODEOWNERS uses "last match wins" semantics. Teams like alerts-notifications (projectAlerts, account/notifications), replay-frontend (featureFlags), enterprise (organizationAuth, organizationMembers), telemetry-experience (dynamicSampling), and ecosystem (organizationIntegrations, organizationDeveloperSettings, organizationDataForwarding) all lose their ownership of settings subdirectories.
Additional Locations (2)
| /static/app/views/navigation/ @getsentry/design-engineering | ||
| /static/less/ @getsentry/design-engineering | ||
| /static/app/views/settings/ @getsentry/design-engineering | ||
| /static/app/views/nav/ @getsentry/design-engineering |
Broad nav rule overrides issue-workflow nav ownership
Medium Severity
The new /static/app/views/nav/ rule for @getsentry/design-engineering at line 795 overrides the earlier /static/app/views/nav/secondary/sections/issues/ rule for @getsentry/issue-workflow at line 665, because CODEOWNERS uses last-match-wins semantics. The issues nav section will incorrectly be owned by design-engineering instead of issue-workflow.
Additional Locations (1)
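The last-match-wins override described in the two Bugbot comments above can be checked mechanically. The following is an added example, not code from this PR or from the codeowners-coverage tool; it assumes only anchored directory or exact-file patterns (no globs), and the sample rules are constructed from the paths and teams named in those comments, with the full settings subdirectory paths assumed.

```python
# Added example: detect CODEOWNERS rules shadowed under last-match-wins.
# Assumption: only anchored patterns ("/dir/" or "/exact/file"), no globs.
# SAMPLE is constructed; full paths for the settings subdirectories are assumed.
SAMPLE = """\
/static/app/views/settings/projectAlerts/ @getsentry/alerts-notifications
/static/app/views/settings/featureFlags/ @getsentry/replay-frontend
/static/app/views/nav/secondary/sections/issues/ @getsentry/issue-workflow
/static/less/ @getsentry/design-engineering
/static/app/views/settings/ @getsentry/design-engineering
/static/app/views/nav/ @getsentry/design-engineering
"""


def parse_rules(text):
    """Return (line_no, pattern, owners) per rule, skipping blanks and comments."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((line_no, pattern, frozenset(owners)))
    return rules


def matches(pattern, path):
    """Directory patterns match by prefix, file patterns by equality."""
    return path.startswith(pattern) if pattern.endswith("/") else path == pattern


def owner_of(rules, path):
    """Owners of the last matching rule, which is the one GitHub applies."""
    owners = None
    for _, pattern, rule_owners in rules:
        if matches(pattern, path):
            owners = rule_owners
    return owners


def shadowed(rules):
    """Earlier rules wholly covered by a later rule that names other owners."""
    return [
        (line_no, pattern, later_no, later_pattern)
        for i, (line_no, pattern, owners) in enumerate(rules)
        for later_no, later_pattern, later_owners in rules[i + 1:]
        if matches(later_pattern, pattern) and later_owners != owners
    ]


if __name__ == "__main__":
    for line_no, pattern, later_no, later in shadowed(parse_rules(SAMPLE)):
        print(f"line {line_no}: {pattern} is overridden by line {later_no}: {later}")
```

Moving the broad rules above the specific ones makes `shadowed` return an empty list, because the specific rules then match last.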
| python-version: '3.11' | ||
|
|
||
| - name: Install codeowners-coverage | ||
| run: pip install codeowners-coverage==0.2.1 |
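Review bot: `pip install codeowners-coverage==0.2.1` pins the version but not the artifact, so this job runs whatever file the index serves under that version on every PR. Consider moving the pin into a requirements file with `--hash=sha256:...` entries and installing with `pip install --require-hashes -r <file>`, so a changed or substituted package fails the install instead of executing in CI.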
Bug: The CI workflow attempts to install codeowners-coverage==0.2.1 from the public PyPI, but the package only exists in a private index, causing the pip install step to fail.
Severity: HIGH
Suggested Fix
Modify the pip install command in the workflow file to use the private Sentry PyPI index. Add the --index-url flag pointing to Sentry's private index (https://pypi.devinfra.sentry.io/simple) to the pip install command to ensure it can locate and download the package.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: .github/workflows/codeowners-coverage.yml#L31
Potential issue: The GitHub Actions workflow at
`.github/workflows/codeowners-coverage.yml` executes `pip install
codeowners-coverage==0.2.1`. This command defaults to searching the public PyPI
repository. However, the `codeowners-coverage` package is hosted on a private Sentry
PyPI index. Since the workflow does not configure `pip` to use this private index via
the `--index-url` flag or a configuration file, the `pip install` command will fail with
a "Package not found" error, causing the CI build to fail.
claiming some unowned files for @getsentry/design-engineering per #110578


