From f6804c1c5579d6ba72df5c8c57b3d88f8fcd9c4f Mon Sep 17 00:00:00 2001
From: Matteo Mortari <matteo.mortari@gmail.com>
Date: Mon, 19 Jan 2026 07:52:34 +0100
Subject: [PATCH 1/2] chore: maintenance of OWNERS files

see https://github.com/kubeflow/internal-acls/pull/882#discussion_r2695032969

moving:
  - ckadner
  - Tomcli
  - zijianjoy

as emeritus.
Keeping andreyvelich being part of KSC for any special operations
we may require

Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com>
---
 OWNERS | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/OWNERS b/OWNERS
index 1d6122f393..263908cea5 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,11 +1,12 @@
 approvers:
   - Al-Pragliola
-  - andreyvelich
-  - ckadner
+  - andreyvelich  # noqa(kubeflow-hub-team)
   - ederign
   - pboyd
   - rareddy
   - tarilabs
+emeritus_approvers:
+  - ckadner
   - Tomcli
   - zijianjoy
 reviewers:

From 6a3b7647f471942f340a8540073616893d9269d8 Mon Sep 17 00:00:00 2001
From: Matteo Mortari <matteo.mortari@gmail.com>
Date: Mon, 19 Jan 2026 07:54:58 +0100
Subject: [PATCH 2/2] add GitHub workflow to check OWNERS files

Add a simple workflow to annotate OWENERS file in case some entry
in the file is not (yet?) reflected in the kubeflow-hub-team
in the KF ACL.
Make the workflow only annotate the file and non-blocking for PR merges.

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Matteo Mortari <matteo.mortari@gmail.com>
---
 .github/workflows/check-owners.yml | 52 ++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/check-owners.yml

diff --git a/.github/workflows/check-owners.yml b/.github/workflows/check-owners.yml
new file mode 100644
index 0000000000..c27333810f
--- /dev/null
+++ b/.github/workflows/check-owners.yml
@@ -0,0 +1,52 @@
+name: "Check OWNERS"
+
+on:
+  pull_request:
+    paths:
+      - 'OWNERS'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  check-owners:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: yq - portable yaml processor
+        uses: mikefarah/yq@v4
+
+      - name: Check approvers against kubeflow-hub-team
+        continue-on-error: true
+        run: |
+          # Extract approvers from OWNERS (excluding noqa lines)
+          approvers=$(grep -v '# noqa(kubeflow-hub-team)' OWNERS | yq eval '.approvers[]')
+
+          # Fetch kubeflow-hub-team members
+          hub_team=$(curl -s https://raw.githubusercontent.com/kubeflow/internal-acls/master/github-orgs/kubeflow/org.yaml | \
+            yq '.orgs.kubeflow.teams.kubeflow-hub-team.members[]')
+
+          echo -e "Approvers:\n$approvers\n"
+          echo -e "kubeflow-hub-team:\n$hub_team\n"
+
+          # Find approvers not in hub team
+          missing=$(comm -23 <(echo "$approvers" | sort) <(echo "$hub_team" | sort))
+
+          echo "Approvers NOT in kubeflow-hub-team:"
+          echo "$missing"
+
+          # Convert to space-separated for annotation
+          missing=$(echo "$missing" | tr '\n' ' ' | xargs)
+
+          # Annotate if there are missing approvers
+          if [ -n "$missing" ]; then
+            echo "::warning file=OWNERS,line=1::Approvers not in kubeflow-hub-team: $missing"
+          else
+            echo "✅ All approvers are in kubeflow-hub-team!"
+          fi
+
+      - name: Ensure workflow success  # don't ever fail merging PR for this sanity check
+        run: exit 0