https://github.com/jllaines/codefather/releases

Codefather: Fine-Grained Codebase Access Control for CI/CD

Codefather protects your codebase by controlling who can change what. Set authorization levels, lock down files, and enforce your rules—offline via CLI or online with GitHub Actions.

Embrace precise control over code changes. Manage access, review requirements, and enforce your policies across local workstations and CI workflows without sacrificing speed or collaboration.

✨ Core idea: assign clear ownership, lock sensitive paths, and enforce rules early in the development cycle. Codefather helps teams stay aligned, reduce risky changes, and log decisions for audits.

What this project offers

• Fine-grained access control for code changes
• Offline enforcement via a CLI
• Online enforcement via GitHub Actions
• Path-based protections and file lockdowns
• Rule-based authorization that fits your policy
• Integrated codeowner and reviewer workflows
• Team-based management for large orgs
• Clear, auditable outcomes for changes and reviews
• Simple configuration that scales with your repo

Table of contents

• About Codefather
• Why use Codefather
• Core concepts
• Getting started
• Configuration essentials
• Command reference (CLI)
• GitHub Actions integration
• Advanced usage
• Security and compliance
• Extending Codefather
• Roadmap and future work
• Contributing
• FAQ
• Releases

About Codefather

Codefather is built to protect critical parts of your codebase without slowing down teams. You can define who may modify specific files or folders, require approvals from designated reviewers, and lock down high-risk paths. The system works offline, so developers can enforce policies without the internet, and it works online through GitHub Actions to guard your repository during pull requests and pushes.

Codefather also integrates with existing governance models. You can map roles to teams, assign reviewers, and route changes through consistent approval flows. The result is a transparent, auditable process that reduces mistakes and drift across projects.

Why use Codefather

• Reduce accidental or intentional risky changes
• Enforce consistent review and approval policies
• Centralize control without micromanaging every repo
• Support offline work with a CLI, preserving local autonomy
• Align with GitHub workflows to prevent unsafe merges
• Improve onboarding by codifying access rules
• Enhance security posture for public and private repositories

Core concepts

• Authorization levels: Define what each role can do. Examples include read, propose, approve, merge, and admin actions.
• File protections: Lock paths or patterns to prevent changes without proper authorization.
• Codeowners integration: Tie ownership to teams and individuals for automatic reviewer assignment.
• Rule-based policies: Create rules that apply to specific paths, branches, or event types.
• Offline CLI: Apply, verify, and test policies without network access.
• Online enforcement: Use GitHub Actions to enforce rules during PRs and pushes.
• Auditing: Record changes to policy, access decisions, and review outcomes.
• Team management: Map corporate structures to access groups for scalable control.
• Conflict resolution: Clear behavior for policy conflicts and overrides.

Getting started

Prerequisites

• A repository under your control where you want to apply access rules
• Access to the Releases page for Codefather assets
• A basic understanding of your organization’s code ownership model

Install and initialize

• Download the appropriate release asset from the Releases page. You can find assets and commands there. The Releases page is here: https://github.com/jllaines/codefather/releases
• Install the CLI on your workstation or CI runner according to the assets provided in the release.
• Initialize Codefather in your repository to create a baseline policy file. The CLI will guide you through a minimal configuration.

Downloads and assets

• You can find builds, installers, and configuration samples on the Releases page. See the Releases page for the exact assets and steps. The link to the releases is: https://github.com/jllaines/codefather/releases
• When you select a release, download the appropriate file for your operating system. After download, follow the installer or setup instructions included with the asset.

Quick tour of the workflow

• Define your policy: Create a policy file that specifies authorization levels, protected paths, and required reviewers.
• Apply locally: Use the offline CLI to verify the policy against your local changes.
• Enforce in CI: Add a GitHub Actions workflow to enforce the policy on pull requests and pushes.
• Review and adjust: Monitor enforcement results and refine your rules as needed.

Configuration essentials

Codefather uses a human-readable policy file that maps roles to actions, paths, and reviewers. The policy file is typically named codefather.yml or .codefather.yml in your repository root, but you can customize the filename to fit your project conventions.

Key sections you’ll configure

• policy_version: Versioning for backward compatibility
• owners: Map codeowners to paths
• rules: A list of path-based rules that enforce specific behavior
• roles: Define authorization levels and capabilities
• reviewers: Assign default reviewers for certain paths or events
• locks: Specify files or directories that must be locked for changes
• audit: Enable and configure logging for changes and decisions

Example configuration (YAML)

policy_version: "1.0" owners:

• path: "src/critical/**" owners:
  • team: "core-security" role: "admin"
  • user: "alice" role: "maintainer" rules:
• name: "Protect core config" path: "config/secure/**" required_approval: true approvals: ["security-team", "lead-dev"] required-reviewers: ["security-team", "lead-dev"]
• name: "Codeowner enforcement" path: "src/**" required_approval: true owners_in_check: true locks:
• path: "config/secure/**" lock_reason: "Sensitive configuration must be protected" enforce_once_changed: true reviewers:
• path: "src/**" reviewers: ["codeowners", "qa-team"] roles:
• name: "admin" permissions: ["read","propose","approve","merge","admin"]
• name: "maintainer" permissions: ["read","propose","approve"]
• name: " reviewer" permissions: ["read","propose"] audit: enabled: true log_to: "local_file"

Notes about the config

• Path patterns support globbing for flexibility and precision.
• You can require multiple approvals for sensitive actions.
• Locks help prevent accidental changes to critical files.
• Roles define what each user or team can do across the policy.

CLI usage (offline)

Codefather’s CLI runs locally to verify, test, and apply policy without network access. Typical commands include:

• codefather init
  • Create a baseline policy file and sample dataset.
• codefather validate
  • Validate the policy against a sample set of changes.
• codefather verify
  • Run a dry check to see if your current changes would be accepted.
• codefather apply
  • Apply the policy to the local working tree and enforce it on subsequent changes.
• codefather lock
  • Lock specified files or paths according to your policy.
• codefather unlock
  • Remove a lock when you need to override temporarily.
• codefather status
  • Show the current policy status and any pending actions.

CLI usage (examples)

• Initialize a policy in the repository root: codefather init

• Validate a policy against a hypothetical change set: codefather validate --change-set changes.json

• Verify changes locally before pushing: codefather verify --branch main --change-set changes.json

• Apply policy to your local repo after updates: codefather apply

• Lock a critical file: codefather lock config/secure/app.config.json

• Unlock a previously locked path: codefather unlock config/secure/app.config.json

GitHub Actions integration (online)

Codefather supports online enforcement through GitHub Actions. You can run checks on pull requests, push events, and more to ensure that every change adheres to your policy.

Basic workflow example

name: Codefather Policy Enforcement on: pull_request: push: jobs: enforce-policy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Codefather uses: jllaines/codefather-action@v1 with: policy-file: ".codefather/codefather.yml" fail-on-violation: true log-output: true - name: Report results run: echo "Policy checks completed."

Notes

• Replace jllaines/codefather-action@v1 with the correct action path and version from the Releases page.
• Point policy-file to your policy YAML file in the repository.
• The fail-on-violation option stops a workflow when a rule is violated, helping you enforce policy strictly.

Advanced usage

• Multi-repo enforcement: Link multiple repositories to share a common policy. This is useful for monorepos and packages that cross boundaries.
• Custom reporters: Extend the audit output with custom reporters to integrate with your internal dashboards.
• Dynamic reviewers: Use rules to assign reviewers based on file ownership, recent changes, or team availability.
• Branch-specific policies: Different rules apply to feature branches, release branches, and main branches.
• API hooks: Expose part of the policy evaluation to your internal services through a safe API surface.

Security and compliance

Codefather is designed to reduce risk in code changes. By enforcing who can modify what, and by requiring appropriate reviews for sensitive areas, you minimize the chance of accidental or malicious modifications.

• Access control: Clear roles with explicit permissions.
• Change governance: Both local and CI-driven enforcement.
• Auditability: A record of decisions and actions for auditing.
• Compliance ready: Aligns with common security and governance practices.

Extending Codefather

• Plugins: Extend the policy engine with custom rules, path predicates, and event hooks.
• Integrations: Add new connectors to your favorite CI tools or project management systems.
• Custom reporters: Output policy results to your dashboards or ticketing systems.

Roadmap and future work

• More granular path patterns and improved performance for large repos
• Expanded plug-in ecosystem with official templates
• Improved UI helpers for policy drafting and validation
• Built-in templates for common governance models
• Enhanced analytics and insights into policy impact

Contributing

Codefather welcomes contributors. If you want to help, follow these steps:

• Read the contributing guidelines to understand the process
• Open issues for new features or bug reports
• Propose changes via pull requests
• Keep changes small and focused
• Provide tests for any new functionality

Releases

• The official releases page hosts assets, installation packages, and release notes. See the link again here: https://github.com/jllaines/codefather/releases. Download the release, then follow the included instructions to install and activate Codefather in your environment.

Topics

• access-control
• cli
• code-review
• codefather
• codeowner-approval
• codeowners
• codeowners-files
• file-protection
• github-actions
• godfather
• mafia
• protection
• repository-management
• reviewer
• reviewer-assignment
• rule-based
• security
• team-management

FAQ

• What platforms does Codefather support? Codefather is designed to be cross-platform and compatible with major operating systems. The exact binaries and installers are provided in the releases. Check the releases for details.
• How do I map my internal teams to Codefather roles? Use the roles section in your policy file. Map each role to a team or individual, then configure their permissions.
• Can I start with a minimal policy and expand later? Yes. Begin with the core protections and gradually add new rules for more areas or events.

Appendix: sample workflows and templates

• Minimal policy template policy_version: "1.0" owners:

  • path: "src/core/**" owners:
    • team: "core-team" role: "admin" rules:
  • name: "Core path protection" path: "src/core/**" required_approval: true approvals: ["core-team"] required-reviewers: ["core-team"]

• Simple offline verification steps:

  • codefather init
  • codefather validate
  • codefather verify

Appendix: further reading and resources

• Official documentation and user guides
• Community forums and discussions
• Best practices for code ownership and review workflows

Closing notes

Codefather brings together authorization, file protections, and reviewer workflows into a single, coherent system. It covers offline policy enforcement and online enforcement through GitHub Actions, offering a consistent experience across development environments. By aligning roles with teams and owners with paths, you create a clear governance model that can scale with your organization and projects.

Downloads and assets page reminder

• For installation assets, configuration samples, and latest releases, consult the Releases page at https://github.com/jllaines/codefather/releases. This page hosts downloadable artifacts and versioned notes to help you implement Codefather in your environment.

End of document.