GitHub Merge Queue CODEOWNERS Approval Deadlock: Unblock Rollback PRs Fast (2026)
Your rollback PR has green checks, but merge queue still blocks it with Required review from Code Owners. The listed reviewers are asleep, out of office, or no longer mapped correctly. This is a classic CODEOWNERS approval deadlock during incident recovery.
This guide gives you a practical runbook: confirm the deadlock quickly, apply bounded incident controls, land rollback safely, and restore normal policy without leaving security gaps behind.
Table of contents
1. How to confirm a CODEOWNERS deadlock fast
| Observed signal | Likely meaning | Immediate action |
|---|---|---|
| Checks are green but PR still says "Required review from Code Owners" | Approval gate is reviewer-availability bound, not CI bound | Identify exact owner path in CODEOWNERS and mapped teams. |
| Listed required owners are offline or unavailable | Single-point approval dependency during incident | Escalate rollback approval path with incident commander. |
| Review granted but queue update requests review again | CODEOWNERS + stale-review interaction loop | Correlate requeue timeline with dismissal events. |
| Team listed in CODEOWNERS no longer has active maintainers | Ownership drift or broken reviewer mapping | Apply temporary delegated owner group with expiry. |
2. Why merge queue + CODEOWNERS deadlock rollback PRs
Most rollback deadlocks come from four mechanisms stacking together:
- Strict CODEOWNERS requirement on protected branches.
- Narrow reviewer pool (single team, no active backup owner).
- Merge queue reordering/rebuilding during active incidents.
- Stale approval behavior that invalidates previously valid owner review.
Even if your rollback diff is tiny and checks pass, branch policy can still block merge until a specific owner approves under current queue context.
3. 10-minute incident triage workflow
- Capture the exact PR status text and timestamps of approval loss or pending owner review.
- Open the matching CODEOWNERS paths for changed files and list required teams/users.
- Verify reviewer availability (on-call rota, timezone, team membership, permission level).
- Check whether queue events (requeue, merge-group refresh) occurred before review became required again.
- Confirm no functional rollback diff change occurred after last approval.
- Classify as CODEOWNERS approval deadlock and switch to bounded incident policy.
# Fast incident checks
# 1) Verify changed files and owner scope
gh pr diff <PR_NUMBER> --name-only
# 2) Snapshot reviews and approval state
gh pr view <PR_NUMBER> --json reviews,latestReviews,reviewDecision,mergeStateStatus
# 3) Capture current branch protection/ruleset for audit
gh api repos/<owner>/<repo>/branches/main/protection > protection-snapshot.json
# 4) Optional: list team membership if owner team is suspected stale
gh api orgs/<org>/teams/<team_slug>/members --jq '.[].login'4. Safe mitigation patterns
| Mitigation | When to use | Risk | Control |
|---|---|---|---|
| Temporary backup owner team | Primary owners unavailable but policy can be updated quickly | Medium | Dual approval, incident-only scope, hard expiry. |
| Delegated incident approvers | Urgent rollback with clear blast radius | Medium | Require incident commander + service owner approvals. |
| Emergency bypass (governed) | Active outage + no reachable owners + SLA breach risk | High | Use bypass governance runbook with audit log. |
5. Rollback policy template
Use an explicit incident note in the PR and timeline:
# Rollback CODEOWNERS deadlock policy note
Incident rollback owner override activated
- PR: #<number>
- Trigger: required CODEOWNERS approvals unavailable during outage rollback
- Temporary approvers: @incident-commander + @service-owner
- Effective until: 2026-02-16T23:59:00Z
- Compensating controls: green required checks, smoke test evidence, post-merge verification
- Restoration owner: @platform-oncall
- Follow-up task: validate CODEOWNERS fallback team membershipKeep this template in your incident runbook so responders do not invent policy under stress.
6. Post-incident hardening
- Add at least one backup owner team for high-risk paths in CODEOWNERS.
- Review owner team membership weekly for attrition and permission drift.
- Separate routine approval policy from rollback incident approval policy.
- Game-day test rollback merge queue path with owner unavailability scenario.
- Track metric: time blocked on owner approval during rollback incidents.
FAQ
Why do rollback PRs get blocked when all checks pass?
Because branch rules can require CODEOWNERS approval independently from CI status. Passing checks alone cannot satisfy owner-review requirements.
Can we just remove CODEOWNERS from protected branches permanently?
You can, but that creates long-term governance risk. A better approach is a bounded incident fallback path and immediate restoration after recovery.
What if the only code owner is on leave?
That is an ownership design bug. Use temporary delegated approval with dual control during incident, then fix CODEOWNERS with backup ownership groups.
Does merge queue make this worse?
It can. Queue rebuild/reorder events can interact with stale-review policies, forcing fresh approvals and amplifying owner availability bottlenecks.
What should we audit after the incident?
Audit the exact policy delta, approvers used, expiry restoration time, and whether owner-team mapping was corrected before closing the incident.
Related Resources
- GitHub Merge Queue Stale Review Dismissal Guide — stop approval-loss loops when queue churn triggers stale review behavior
- GitHub Merge Queue Required Check Name Mismatch Guide — fix waiting-for-status deadlocks caused by required-check context drift
- GitHub Merge Queue Rollback Stuck Guide — triage queue starvation and pending rollback states quickly
- GitHub Merge Queue Emergency Bypass Governance Guide — apply dual-control and expiry safely when bypass is unavoidable
- Git Branching Strategies Guide — choose branch policy that balances delivery speed and rollback safety
- Git Worktrees Complete Guide — run hotfix and incident rollback in parallel without stash churn