
ci: Add PR review enforcement GitHub Action #473

Open
john-weiler wants to merge 2 commits into main from add-review-enforcement

Conversation


@john-weiler john-weiler commented Feb 11, 2026

User description

Summary

  • Adds the review-enforcement.yml workflow from the API repo
  • Enforces that PRs have at least one approval from a non-bot reviewer (excludes baz-reviewer)
  • Auto-requests review from a random rungalileo/product team member when Dependabot PR CI fails

Test plan

  • Verify the workflow triggers on PR open/sync/reopen and review submit/dismiss events
  • Confirm Dependabot PRs are skipped for review enforcement
  • Confirm CI failure on Dependabot PRs triggers reviewer assignment

🤖 Generated with Claude Code


Generated description

Below is a concise technical summary of the changes proposed in this PR:
Implements a new GitHub Action workflow to enforce manual review approvals and automate reviewer assignment for failed Dependabot builds. Removes the global product team ownership from the CODEOWNERS file to transition towards this automated enforcement model.

Topic: Review Enforcement
Details: Adds the review-enforcement.yml workflow to ensure PRs receive at least one approval from a non-bot user and to auto-assign reviewers when Dependabot CI fails.
Modified files (1):
  • .github/workflows/review-enforcement.yml

Topic: Code Ownership
Details: Removes the catch-all @rungalileo/product team assignment from the .github/CODEOWNERS file.
Modified files (1):
  • .github/CODEOWNERS

This pull request is reviewed by Baz.

Adds the review-enforcement workflow from the API repo to enforce
that PRs have at least one approval from a non-bot reviewer, and
to auto-request reviews from the product team when Dependabot CI fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@john-weiler john-weiler requested a review from a team as a code owner February 11, 2026 17:25
Comment on lines +22 to +30
const pr = context.payload.pull_request;
const event = context.eventName;
const isDependabot = pr.user?.login === 'dependabot[bot]';

// Skip for Dependabot on all events
if (isDependabot) {
core.info('Dependabot PR detected - skipping review enforcement.');
return;
}

context.payload.pull_request is undefined on workflow_run events, but the script immediately runs const isDependabot = pr.user?.login === 'dependabot[bot]', which throws before the job can exit; can we guard for workflow_run (or restrict the job to pull_request* events) before accessing pr.user?

Finding type: Logical Bugs

Prompt for AI Agents:

In .github/workflows/review-enforcement.yml around lines 22 to 30, the script reads const pr = context.payload.pull_request and immediately uses pr.user, which throws when the job runs on workflow_run events where pull_request is undefined. Update the logic to first check the event type (e.g., if context.eventName === 'workflow_run' or if context.payload.pull_request is falsy) and return early before accessing pr.user; alternatively, add a guard like if (!pr) { core.info('No pull request in payload - skipping.'); return; } so the script never dereferences pr.user when pr is undefined.


Comment on lines +41 to +56
const reviews = await github.rest.pulls.listReviews({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pr.number
});

const approvals = reviews.data.filter(r => r.state === 'APPROVED');
const hasNonBazApproval = approvals.some(
r => r.user?.login &&
r.user.login !== 'baz-reviewer' &&
r.user.type === 'User'
);

if (!hasNonBazApproval) {
core.setFailed('At least one approval from a non-baz-reviewer is required.');
}
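Review bot: `github.rest.pulls.listReviews` on lines 41 to 45 fetches only the first page of reviews (30 per page by default), so on a pull request with a long review history the approval that should satisfy this check can sit on a later page and never be seen, while the job still reports a failure. Replace the single call with `await github.paginate(github.rest.pulls.listReviews, { owner: context.repo.owner, repo: context.repo.repo, pull_number: pr.number })`, which returns the full array, and keep the existing `filter`/`some` logic on that result.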

pulls.listReviews returns every historical review event, including approvals that were later dismissed/changed, but this code just filters for any state === 'APPROVED'; a reviewer can undo their approval (change request/dismissal) and the workflow still sees the old approval and passes. Can we reduce to each reviewer's latest review (e.g. sort submitted_at and drop older events) so only current approvals keep the run green?

Finding type: Logical Bugs

Prompt for AI Agents:

In .github/workflows/review-enforcement.yml around lines 41 to 56, the logic that computes approvals uses reviews.data.filter(r => r.state === 'APPROVED') which can count historical approvals that were later dismissed or changed. Refactor this block to first group reviews.data by r.user.login (skip reviews with no user), for each reviewer keep only their latest review event (compare submitted_at timestamps), then compute approvals by checking latestReview.state === 'APPROVED' and hasNonBazApproval from those latest reviews only. Ensure this handles missing submitted_at gracefully and continues to ignore the 'baz-reviewer' user as before.

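The two review findings above (the missing `pull_request` guard, and the approval check that counts a reviewer's earlier approval even after they submit a later review) as plain JavaScript helpers that can be unit-tested outside `actions/github-script`. This is an added example, not the workflow code from this PR; the helper names, the shape assumed for `context`, and the constructed sample reviews are assumptions, while the excluded login `baz-reviewer` and the `dependabot[bot]` login come from the PR. `naiveHasApproval` reproduces the PR's original filter for contrast.

```javascript
// Added example (not this PR's workflow code). Assumes `context` has the
// webhook-payload shape github-script exposes and `reviews` is the array
// returned by pulls.listReviews.

const EXCLUDED_LOGINS = new Set(['baz-reviewer']); // login taken from the PR

// Finding 1: context.payload.pull_request only exists on pull_request* events.
// Return null rather than letting the caller dereference an undefined object.
function pullRequestFromContext(context) {
  if (!context || !context.payload) return null;
  const pr = context.payload.pull_request;
  return pr && typeof pr === 'object' ? pr : null;
}

function isDependabotPr(pr) {
  return pr?.user?.login === 'dependabot[bot]';
}

// The PR's original check, kept only to show the difference in results.
function naiveHasApproval(reviews, excluded = EXCLUDED_LOGINS) {
  const approvals = reviews.filter(r => r.state === 'APPROVED');
  return approvals.some(
    r => r.user?.login && !excluded.has(r.user.login) && r.user.type === 'User'
  );
}

// Finding 2: listReviews returns the full history. Collapse it to each
// reviewer's most recent submitted review so that a later CHANGES_REQUESTED
// (or any later review) from the same user supersedes their earlier approval.
function latestReviewPerUser(reviews) {
  const latest = new Map();
  for (const review of reviews) {
    const login = review.user?.login;
    if (!login) continue; // unattributable review: cannot count toward approval
    // Defensive: a missing submitted_at sorts as oldest; on equal timestamps
    // the later entry in the array wins.
    const ts = review.submitted_at ? Date.parse(review.submitted_at) : -Infinity;
    const prev = latest.get(login);
    if (!prev || ts >= prev.ts) latest.set(login, { ts, review });
  }
  return [...latest.values()].map(entry => entry.review);
}

function hasCurrentNonBotApproval(reviews, excluded = EXCLUDED_LOGINS) {
  return latestReviewPerUser(reviews).some(
    r => r.state === 'APPROVED' &&
         r.user.type === 'User' &&
         !excluded.has(r.user.login)
  );
}

// Constructed sample: alice approved and then requested changes, the excluded
// reviewer approved, a Bot-type account approved, and one review has no user.
const SAMPLE_REVIEWS = [
  { user: { login: 'alice', type: 'User' }, state: 'APPROVED', submitted_at: '2026-02-11T17:00:00Z' },
  { user: { login: 'alice', type: 'User' }, state: 'CHANGES_REQUESTED', submitted_at: '2026-02-11T17:30:00Z' },
  { user: { login: 'baz-reviewer', type: 'User' }, state: 'APPROVED', submitted_at: '2026-02-11T17:40:00Z' },
  { user: { login: 'dependabot[bot]', type: 'Bot' }, state: 'APPROVED', submitted_at: '2026-02-11T17:45:00Z' },
  { user: null, state: 'APPROVED', submitted_at: '2026-02-11T17:50:00Z' },
];

// A later, still-current approval from another human reviewer.
const SAMPLE_WITH_BOB = SAMPLE_REVIEWS.concat([
  { user: { login: 'bob', type: 'User' }, state: 'APPROVED', submitted_at: '2026-02-11T18:00:00Z' },
]);

console.log('naive:', naiveHasApproval(SAMPLE_REVIEWS));              // true (stale approval)
console.log('latest-only:', hasCurrentNonBotApproval(SAMPLE_REVIEWS)); // false
console.log('with bob:', hasCurrentNonBotApproval(SAMPLE_WITH_BOB));   // true
console.log('workflow_run pr:', pullRequestFromContext({ eventName: 'workflow_run', payload: {} })); // null
```

Inside the workflow script the same helpers would be fed `context` and the fetched review array; the job calls `core.setFailed` only when `hasCurrentNonBotApproval` returns false, and exits early when `pullRequestFromContext` returns null or `isDependabotPr` is true.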

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@john-weiler john-weiler changed the title Add PR review enforcement GitHub Action ci: Add PR review enforcement GitHub Action Feb 11, 2026
@john-weiler john-weiler requested review from ShuaiShao93 and sdhar-galileo and removed request for dmcwhorter February 11, 2026 17:29

codecov bot commented Feb 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.57%. Comparing base (fe3797d) to head (81a634e).
⚠️ Report is 24 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #473      +/-   ##
==========================================
+ Coverage   82.19%   82.57%   +0.37%     
==========================================
  Files          92       96       +4     
  Lines        8509     9140     +631     
==========================================
+ Hits         6994     7547     +553     
- Misses       1515     1593      +78     

☔ View full report in Codecov by Sentry.


1 participant