SERVER-111134 Support banned codeowners (#41582)

GitOrigin-RevId: db62857e6f08da946c68711d0209838a65abb071

.bazelrc

@@ -437,6 +437,8 @@ coverage --legacy_external_runfiles
 common --define codeowners_add_auto_approve_user=True
 common --define codeowners_have_allowed_unowned_files=True
 common --define codeowners_allowed_unowned_files_path=.github/ALLOWED_UNOWNED_FILES.yml
+common --define codeowners_have_banned_codeowners=True
+common --define codeowners_banned_codeowners_file_path=.github/BANNED_CODEOWNERS.txt
 common --define codeowners_have_default_owner=True
 common --define codeowners_default_owner=@10gen/mongo-default-approvers
 

.github/BANNED_CODEOWNERS.txt

@@ -0,0 +1,7 @@
+#
+# Code owners in this file are not allowed to be assigned to any files in the repo.
+# This is a new-line separated list. Lines starting with '#' are comments and ignored.
+#
+
+# Only assign ownership to sub-teams of Storage Execution.
+10gen/server-storage-execution

.github/CODEOWNERS

@@ -1214,7 +1214,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 
 # The following patterns are parsed from ./jstests/noPassthrough/oplog/OWNERS.yml
 /jstests/noPassthrough/oplog/**/* @10gen/server-oplog @svc-auto-approve-bot
-/jstests/noPassthrough/oplog/**/check_for_oplog_cap_maintainer_thread.js @10gen/server-storage-execution @svc-auto-approve-bot
+/jstests/noPassthrough/oplog/**/check_for_oplog_cap_maintainer_thread.js @10gen/server-storage-engine-integration @svc-auto-approve-bot
 
 # The following patterns are parsed from ./jstests/noPassthrough/profile/OWNERS.yml
 /jstests/noPassthrough/profile/**/* @10gen/query-integration-observability @svc-auto-approve-bot
@@ -3123,7 +3123,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 /src/third_party/**/gperftools @10gen/server-workload-resilience @svc-auto-approve-bot
 /src/third_party/**/grpc @10gen/server-networking-and-observability @svc-auto-approve-bot
 /src/third_party/**/icu4c* @10gen/query-execution @svc-auto-approve-bot
-/src/third_party/**/immer @10gen/server-storage-execution @svc-auto-approve-bot
+/src/third_party/**/immer @10gen/server-catalog-and-routing @svc-auto-approve-bot
 /src/third_party/**/IntelRDFPMathLib* @10gen/server-programmability @svc-auto-approve-bot
 /src/third_party/**/JSON-Schema-Test-Suite @10gen/query-optimization @svc-auto-approve-bot
 /src/third_party/**/libbson @10gen/server-security @svc-auto-approve-bot
@@ -3133,7 +3133,7 @@ WORKSPACE.bazel @10gen/devprod-build @svc-auto-approve-bot
 /src/third_party/**/libstemmer_c @10gen/query-integration @svc-auto-approve-bot
 /src/third_party/**/mock_ocsp_responder @10gen/server-security @svc-auto-approve-bot
 /src/third_party/**/mozjs @10gen/query-integration-features @10gen/server-security @svc-auto-approve-bot
-/src/third_party/**/murmurhash3 @10gen/server-storage-execution @svc-auto-approve-bot
+/src/third_party/**/murmurhash3 @10gen/server-programmability @svc-auto-approve-bot
 /src/third_party/**/nlohmann-json @10gen/server-networking-and-observability @svc-auto-approve-bot
 /src/third_party/**/node @10gen/server-workload-resilience @svc-auto-approve-bot
 /src/third_party/**/opentelemetry-cpp @10gen/server-networking-and-observability @svc-auto-approve-bot

buildscripts/bazel_rules_mongo/codeowners/BUILD.bazel

@@ -36,6 +36,11 @@ py_binary(
             "CODEOWNERS_DEFAULT_OWNER": "$(codeowners_default_owner)",
         },
         "//conditions:default": {},
+    }) | select({
+        ":have_banned_codeowners": {
+            "BANNED_CODEOWNERS_FILE_PATH": "$(codeowners_banned_codeowners_file_path)",
+        },
+        "//conditions:default": {},
     }),
     main = "codeowners_generate.py",
     visibility = ["//visibility:public"],
@@ -76,3 +81,10 @@ config_setting(
         "codeowners_have_default_owner": "True",
     },
 )
+
+config_setting(
+    name = "have_banned_codeowners",
+    define_values = {
+        "codeowners_have_banned_codeowners": "True",
+    },
+)

buildscripts/bazel_rules_mongo/codeowners/codeowners_generate.py

@@ -260,9 +260,64 @@ def post_generation_checks(
             codeowners_binary_path, expansions_file, branch, codeowners_file_path
         )
 
+    status |= check_banned_codeowners(codeowners_file_path)
     return status
 
 
+def get_banned_codeowners_file_path() -> Optional[str]:
+    return os.environ.get("BANNED_CODEOWNERS_FILE_PATH", None)
+
+
+# Check that there are no banned codeowners in the codeowners file
+def check_banned_codeowners(codeowners_file_path: str) -> int:
+    banned_codeowners_file_path = get_banned_codeowners_file_path()
+    if not banned_codeowners_file_path:
+        return 0
+
+    if not os.path.isfile(banned_codeowners_file_path):
+        print(f"{banned_codeowners_file_path} file not found.")
+        return 1
+
+    banned_owners: set[str] = set()
+    with open(banned_codeowners_file_path, "r", encoding="utf8") as file:
+        for line in file:
+            line = line.strip()
+            if not line:
+                continue
+
+            if line.startswith("@"):
+                line = line[1:]
+
+            if not line.startswith("#"):
+                banned_owners.add(line)
+
+    print(f"Banned codeowners loaded: {banned_owners}")
+
+    offending_lines = []
+    with open(codeowners_file_path, "r", encoding="utf8") as file:
+        for i, line in enumerate(file.readlines()):
+            parts = line.split()
+            if len(parts) < 2:
+                continue
+            owners = parts[1:]
+            for owner in owners:
+                if owner.startswith("@"):
+                    owner = owner[1:]
+
+                if owner in banned_owners:
+                    offending_lines.append((i + 1, line.strip(), owner))
+
+    if not offending_lines:
+        return 0
+
+    print("The following lines in the CODEOWNERS file contain banned owners:")
+    for line_num, line, owner in offending_lines:
+        print(f" line {line_num}: {line} (banned owner: {owner})")
+
+    print("Please remove the banned owners from the CODEOWNERS file.")
+    return 1
+
+
 def get_allowed_unowned_files_path() -> Optional[str]:
     return os.environ.get("ALLOWED_UNOWNED_FILES_PATH", None)
 

docs/owners/banned_codeowners_format.md

@@ -0,0 +1,23 @@
+# Code Owners
+
+## BANNED_CODEOWNERS.txt File Format
+
+This file enumerates code owners that are not allowed to own code.
+
+Banned owners should be separated by newlines. Empty lines and lines starting with '#' are ignored.
+
+### Example file
+
+```
+# Only assign ownership to sub-teams of Organization Team.
+10gen/server-organization-team
+```
+
+### Configuration
+
+This can be configured in any repo with `bazel_rules_mongo` by putting the following lines in your `.bazelrc` file:
+
+```
+common --define codeowners_have_banned_codeowners=True
+common --define codeowners_banned_codeowners_file_path=.github/BANNED_CODEOWNERS.txt
+```

jstests/noPassthrough/oplog/OWNERS.yml

@@ -5,4 +5,4 @@ filters:
       - 10gen/server-oplog
   - "check_for_oplog_cap_maintainer_thread.js":
     approvers:
-      - 10gen/server-storage-execution
+      - 10gen/server-storage-engine-integration

src/third_party/OWNERS.yml

@@ -47,7 +47,7 @@ filters:
       - 10gen/query-execution
   - "immer":
     approvers:
-      - 10gen/server-storage-execution
+      - 10gen/server-catalog-and-routing
   - "IntelRDFPMathLib*":
     approvers:
       - 10gen/server-programmability
@@ -78,7 +78,7 @@ filters:
       - 10gen/server-security
   - "murmurhash3":
     approvers:
-      - 10gen/server-storage-execution
+      - 10gen/server-programmability
   - "nlohmann-json":
     approvers:
       - 10gen/server-networking-and-observability