Codeowners can be bypassed for moved files
Summary
After a large movement of files inside our monorepo, we found that branches that are not rebased onto the latest change to the CODEOWNERS file can bypass the approvals originally required. If you change a file in that commit at its original location, the diff shows the file merged at the new location, but the codeowner check runs against the old location.
Steps to reproduce
https://gitlab.com/PhilippBoeschen/codeowners-bypass is a reproduction of the issue. Inside the merge requests you can see one example where the codeowner list is not applied correctly, and one example on the latest commit that shows the feature working as intended.
Here's how to reproduce this state:
# create a repository where a.txt is owned by @Foo
git init
echo "change #1" > a.txt
git add a.txt
git commit -m "Add a.txt" a.txt
echo "/a.txt @Foo" > CODEOWNERS
git add CODEOWNERS
git commit -m "Add codeowners"
# move a.txt to b.txt and update CODEOWNERS in the same commit
git mv a.txt b.txt
echo "/b.txt @Foo" > CODEOWNERS
git commit -am "Moving a.txt to b.txt with codeowners"
git push
# branch from before the move and change a.txt at its old location
git checkout -b codeowners-bypass HEAD^
echo "change #2" >> a.txt
git commit -am "Add new line to a.txt"
git push -u origin codeowners-bypass
# this is just the positive case
git checkout main
git checkout -b codeowners-approval-works HEAD
echo "Change #3" >> b.txt
git add b.txt
git commit -m "Adding line to b.txt"
git push -u origin codeowners-approval-works
Example Project
https://gitlab.com/PhilippBoeschen/codeowners-bypass
What is the current bug behavior?
Codeowner rules for the destination file are not used.
What is the expected correct behavior?
Codeowner rules for the destination file are used.
Possible fixes
In theory, running the merged result against the CODEOWNERS file should prevent this from happening.
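One way to express the check suggested above, as an added example that is not GitLab's implementation or code from the original report: map each path the branch changed through the renames the target branch made since the merge base, then match the resulting path against the target's CODEOWNERS. The function names, the simplified pattern matching (fnmatch globs, no sections) and the sample inputs are assumptions constructed from the reproduction.

```python
import fnmatch

def parse_codeowners(text):
    """Return [(pattern, owners)] for a simplified CODEOWNERS subset (no sections)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules

def owners_for(path, rules):
    """Last matching rule wins. Matching is a simplified assumption, not GitLab's."""
    matched = []
    for pattern, owners in rules:
        if pattern.endswith("/"):          # directory rule covers everything below it
            pattern += "*"
        if pattern.startswith("/"):        # anchored at the repository root
            hit = fnmatch.fnmatch(path, pattern[1:])
        else:                              # may match at any depth
            hit = fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(path, "*/" + pattern)
        if hit:
            matched = owners
    return matched

def renames(name_status):
    """Map old path -> new path from `git diff --name-status -M` output."""
    moved = {}
    for line in name_status.splitlines():
        fields = line.split("\t")
        if fields[0].startswith("R") and len(fields) == 3:
            moved[fields[1]] = fields[2]
    return moved

def required_owners(branch_paths, target_name_status, target_codeowners):
    """Owners per branch path when rules are checked against merged-result paths."""
    moved = renames(target_name_status)
    rules = parse_codeowners(target_codeowners)
    return {p: owners_for(moved.get(p, p), rules) for p in branch_paths}

# Constructed inputs mirroring the reproduction above.
TARGET_CODEOWNERS = "/b.txt @Foo\n"                        # CODEOWNERS on main
TARGET_SINCE_BASE = "M\tCODEOWNERS\nR100\ta.txt\tb.txt\n"  # merge base -> main
BRANCH_PATHS = ["a.txt"]                                   # merge base -> branch

if __name__ == "__main__":
    print(required_owners(BRANCH_PATHS, TARGET_SINCE_BASE, TARGET_CODEOWNERS))
```

Calling `owners_for("a.txt", ...)` directly on the branch's old path returns no owners, which is the bypass; the rename-aware lookup returns `@Foo`.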