A CODEOWNERS file tells GitHub who must review changes to each path before they can merge — but the format fails open. A misspelled team name or stray inline comment causes GitHub to drop owners from a pattern with no warning, silently losing review coverage. Cloud Posse repositories have run a third-party validator action for years, but it requires a PAT with read:org to enumerate teams, and rotating that token across every repo turned into a recurring tax.

Atmos Pro now does the check natively. When a pull request modifies a CODEOWNERS file at any of the three GitHub locations (CODEOWNERS, .github/CODEOWNERS, docs/CODEOWNERS), the result is folded directly into the existing Atmos Pro check on the PR. A CODEOWNERS failure fails the composite check; the comment that the check links to lists every issue with its line number. PRs that don't touch CODEOWNERS skip the validator entirely — no noisy passing checks on every commit, and no second status check fighting for attention in the PR sidebar.

The behavior is a per-repository toggle on the Settings tab, off by default so existing branch protection rules don't suddenly start failing. Toggle it on for any repo where CODEOWNERS should be enforced — branch protection on the existing Atmos Pro check now also gates CODEOWNERS quality without any extra configuration.

The validator runs the same three checks our existing GitHub Action runs internally:

The team check uses the Atmos Pro GitHub App's installation token — no PAT to rotate, no per-repo secret to keep alive.