From fc6e87afd3b9ae119d6f78052fd1436927594c25 Mon Sep 17 00:00:00 2001
From: Ross McAllister <10053959+rmca14@users.noreply.github.com>
Date: Tue, 23 Jun 2026 17:26:39 -0700
Subject: [PATCH] New approval functionality (#251)

---
 .github/CODEOWNERS                            | 10 ----
 .../workflows/MSecD-RequireWriterReview.yml   | 57 +++++++++++++++++++
 authorized-approvers.txt                      | 25 ++++++++
 3 files changed, 82 insertions(+), 10 deletions(-)
 delete mode 100644 .github/CODEOWNERS
 create mode 100644 .github/workflows/MSecD-RequireWriterReview.yml
 create mode 100644 authorized-approvers.txt

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
deleted file mode 100644
index 766dd75..0000000
--- a/.github/CODEOWNERS
+++ /dev/null
@@ -1,10 +0,0 @@
-# Any repo changes beyond docs require PM owner approval.
-*                         @localden @jmprieur
-
-# Conceptual and API content needs the review of the engineering team.
-msal-java-articles/*    @MicrosoftDocs/identity-sdk-cca-engineering-team
-
-# API documentation does not have code owners, but that is OK.
-# Anyone can create a PR to the `main` branch and we will review
-# the changes on the one-off basis.
-java/
\ No newline at end of file
diff --git a/.github/workflows/MSecD-RequireWriterReview.yml b/.github/workflows/MSecD-RequireWriterReview.yml
new file mode 100644
index 0000000..54c371f
--- /dev/null
+++ b/.github/workflows/MSecD-RequireWriterReview.yml
@@ -0,0 +1,57 @@
+name: Approver Review
+
+permissions:
+  pull-requests: write
+  contents: read
+  statuses: write
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, labeled]
+  issue_comment:
+    types:
+      - created
+      - edited
+
+concurrency:
+  # Separate groups per event type so that issue_comment runs do not cancel
+  # pull_request_target runs (and vice versa). The required check_run is only
+  # produced by pull_request_target runs, so cross-event cancellation can leave
+  # the required check stuck at "cancelled" even though policy ran successfully.
+  group: require-writer-review-${{ github.event.pull_request.number || github.event.issue.number }}-${{ github.event_name }}
+  # Only cancel high-frequency issue_comment runs. pull_request_target events
+  # queue (at most 1 running + 1 pending per group), so supersession does not
+  # produce a misleading red "cancelled" check on the PR's visible head SHA.
+  cancel-in-progress: ${{ github.event_name == 'issue_comment' }}
+
+jobs:
+  policy:
+    # Job-skip policy — the two trigger families are treated differently:
+    #
+    # pull_request_target events MUST never be skipped at the job level. They
+    # are the only events that publish the required check on the PR head SHA.
+    # A skipped reusable-workflow caller job surfaces as "Approver Review /
+    # policy", whereas a job that runs surfaces "Approver Review / policy /
+    # gate" — skipping some PR events would produce two different required-check
+    # names. The gate derives label qualification from live PR state (not the
+    # event payload), so running on non-qualifying PR events is an idempotent
+    # no-op and keeps a single check name.
+    #
+    # issue_comment events fire for EVERY comment on EVERY issue/PR in the repo
+    # (and again on every edit). The vast majority are not PRMerger commands,
+    # and the gate's own confirmation/hold-off comments would otherwise re-
+    # trigger it in a feedback loop. These runs never publish the required
+    # head-SHA check, so filtering them out is safe for branch protection. Only
+    # start an issue_comment run when a human posts a '#'-command on a PR.
+    if: >-
+      (github.repository_owner == 'MicrosoftDocs' || github.repository_owner == 'microsoftgraph')
+      && (
+        github.event_name != 'issue_comment'
+        || (
+          github.event.issue.pull_request != null
+          && startsWith(github.event.comment.body, '#')
+          && github.event.comment.user.type != 'Bot'
+        )
+      )
+    uses: MicrosoftDocs/defender-docs/.github/workflows/MSecD-Shared-RequireWriterReview.yml@workflows-test
+    secrets: inherit
diff --git a/authorized-approvers.txt b/authorized-approvers.txt
new file mode 100644
index 0000000..3c467c5
--- /dev/null
+++ b/authorized-approvers.txt
@@ -0,0 +1,25 @@
+# Authorized Approvers
+# Format: CODEOWNERS syntax — last matching rule wins per file.
+# Teams are resolved to individual members at runtime.
+#
+# Usage:
+#   <pattern>  @user1 @org/team @user2
+#
+# Rules:
+#   - The * catch-all should be first as the default/fallback.
+#   - Later rules override earlier ones for matching files.
+#   - To keep default owners on a specific folder, include them on that line too.
+
+# Default owners for everything unless a later match takes precedence
+* @MicrosoftDocs/msecd-org
+
+# Any repo changes beyond docs require PM owner approval.
+*                         @localden @jmprieur
+
+# Conceptual and API content needs the review of the engineering team.
+msal-java-articles/*    @MicrosoftDocs/identity-sdk-cca-engineering-team
+
+# API documentation does not have code owners, but that is OK.
+# Anyone can create a PR to the `main` branch and we will review
+# the changes on the one-off basis.
+java/
\ No newline at end of file