# Defines who has to review changes to which files.
# Try to keep the entries sorted alphabetically, so they end up in the same order as
# they would if you listed the entire repository as a tree.
#
# This enforcement is to protect certain important files from being changed without the approval
# of team leads. For more fine-grained code ownership assignments to teams, see
# `/code-owners.json` and `/.github/workflows/code-owner-approval.yml`.

# Container images used for building the app are owned by the respective team leads and the tech lead
/building/android-container-image.txt @faern @albin-mullvad @rawa
/building/linux-container-image.txt @faern @raksooo

# Developer signing keys must be approved by team/tech leads
/ci/keys/ @faern @raksooo @pinkisemils @rawa
/mullvad-update/trusted-metadata-signing-pubkeys @faern @raksooo @pinkisemils @rawa

# Desktop build server files owned by desktop leads
/ci/buildserver* @faern @raksooo
/ci/linux-repository-builder/ @faern @raksooo

# Desktop release config specifying code signing key fingerprint
/desktop/scripts/release/release-config.sh

# Cargo deny config must be approved by tech lead or desktop team lead
**/deny.toml @faern @raksooo

# Changes to which CVEs are ignored must be approved by leads
**/osv-scanner.toml @faern @raksooo @pinkisemils @albin-mullvad @rawa
/.github/workflows/osv-scanner*.yml @faern @raksooo @pinkisemils @rawa

# Security-related GitHub Actions workflow changes must be approved by leads
/.github/workflows/verify-locked-down-signatures.yml @faern @raksooo @pinkisemils @rawa
/ci/verify-locked-down-signatures.sh @faern @raksooo @pinkisemils @rawa
/.github/workflows/unicop.yml @faern @raksooo @pinkisemils @rawa

# Our own code ownership mapping and automation must be approved by leads
/.github/workflows/code-owner-approval.yml @faern @raksooo @pinkisemils @rawa
/code-owners.json @faern @raksooo @pinkisemils @rawa

# The CODEOWNERS file itself must be protected from unauthorized changes,
# otherwise the protection becomes quite moot.
# Keep this entry last, so it is sure to override any previous wildcard match
/.github/CODEOWNERS @faern @raksooo @pinkisemils @rawa
