Can GitHub CODEOWNERS Bypass and Merge Queue Coexist?
GitHub’s merge queue serializes merges to the main branch, running CI before each merge completes. CODEOWNERS requires designated owners to approve changes before merging.
A common team need is “require CODEOWNERS review by default, but allow certain members to bypass it in urgent situations.” The question is: does merge queue still work when you bypass CODEOWNERS? I set up a test repository to find out.
- Test repository: merge-queue-bypass-demo (results documented in the README)
Conclusion
There is currently no way to bypass CODEOWNERS review while preserving merge queue behavior.
- Branch Protection bypass skips CODEOWNERS but also skips merge queue entirely
- Rulesets bypass should allow per-rule control, but CODEOWNERS bypass does not work when merge queue is enabled
Test Environment
| Item | Detail |
|---|---|
| Repository | codenote-net/merge-queue-bypass-demo (public) |
| Default branch | main |
| CI | A simple workflow that runs echo "CI passed" |
The CODEOWNERS file assigned the organization team @codenote-net/reviewers as the owner, so that I (the bypass actor) could test CODEOWNERS bypass behavior.
# .github/CODEOWNERS
* @codenote-net/reviewersThe CI workflow triggers on both pull_request and merge_group events. The merge_group event is used when the merge queue runs CI.
# .github/workflows/ci.yml
name: CI
on:
pull_request:
merge_group:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- run: echo "CI passed"Scenarios and Results
I tested 4 scenarios.
| Scenario | Protection | Bypass | CODEOWNERS bypassed | Merge queue works | Merge method |
|---|---|---|---|---|---|
| 1 (PR #7) | Branch Protection | None | N/A (approved) | ✅ Yes | Via queue |
| 2 (PR #8) | Branch Protection | Yes | ✅ Yes | ❌ Skipped | Direct merge |
| 3 (PR #9) | Rulesets (separate) | Yes | ❌ No | ❌ Blocked | N/A |
| 4 (PR #10) | Rulesets (single) | Yes | ❌ No | ❌ Blocked | N/A |
Scenario 1: Branch Protection (no bypass)
This is the baseline scenario. Branch Protection was configured with:
- Require pull request reviews before merging
- Require review from Code Owners
- Require merge queue
- Require status checks to pass (CI)
After the CODEOWNERS reviewer approved, clicking “Merge when ready” added the PR to the merge queue. CI passed and the PR was auto-merged. This is the expected behavior.
Scenario 2: Branch Protection (with bypass)
Same as Scenario 1, with my account added to “Allow specified actors to bypass required pull requests.”
The PR showed a “Confirm bypass rules and merge” button without requiring CODEOWNERS approval. Clicking it merged the PR directly, completely skipping the merge queue.
Branch Protection bypass is all-or-nothing. You cannot selectively bypass CODEOWNERS while preserving merge queue.
Scenario 3: Rulesets with separate rule groups (with bypass)
I removed Branch Protection and created two Rulesets:
- Ruleset A “Merge Queue and CI” (no bypass): merge queue + status checks
- Ruleset B “Code Review” (with bypass): PR reviews + CODEOWNERS
The intent was to enforce merge queue for everyone while allowing bypass of CODEOWNERS review only.
However, the bypass did not take effect. The PR remained blocked with “Merging is blocked: Waiting on code owner review” and could not enter the merge queue.
Even with separate Rulesets, CODEOWNERS bypass does not work when merge queue is enabled.
Scenario 4: Rulesets with a single rule group (with bypass)
For comparison, I put all rules into a single Ruleset:
- Merge queue + status checks + PR reviews + CODEOWNERS + bypass
The result was identical to Scenario 3. CODEOWNERS review was not bypassed and the PR could not enter the merge queue. Whether rules are in one or two Rulesets makes no difference.
Branch Protection vs Rulesets Comparison
| Behavior | Branch Protection | Rulesets |
|---|---|---|
| CODEOWNERS bypass | ✅ Works | ❌ Does not work |
| Merge queue behavior | ❌ Skipped entirely on bypass | ❌ Blocked (PR never enters queue) |
| Bypass granularity | ⚠️ All-or-nothing | ⚠️ Per-rule (but not effective in practice) |
Root Cause Hypothesis
- Branch Protection: Bypass circumvents all protection rules at once. Since merge queue is part of Branch Protection, it gets skipped along with everything else.
- Rulesets: Bypass is designed to exempt specific actors from individual rules. However, when merge queue is enabled, CODEOWNERS review appears to be treated as a hard prerequisite for entering the queue, and bypass permissions are not evaluated correctly at that stage.
Workarounds
There is no perfect solution, but here are some operational approaches:
- Branch Protection bypass without merge queue: Accept that bypass means direct merge, and lose merge queue benefits for bypassed PRs.
- Rulesets without CODEOWNERS: Use required PR reviews instead of CODEOWNERS. Regular PR review requirements can be bypassed normally with Rulesets.
- Wait for GitHub to fix this: Rulesets bypass may eventually work correctly with merge queue in a future update.
Summary
I tested CODEOWNERS bypass with merge queue across 4 scenarios. Branch Protection bypass is all-or-nothing and skips merge queue entirely. Rulesets bypass cannot bypass CODEOWNERS when merge queue is enabled.
If your team uses both merge queue and CODEOWNERS, be careful when designing your bypass workflow. For full details, see the README and PRs in the merge-queue-bypass-demo repository.
That’s all from the Gemba, where I verified CODEOWNERS bypass and merge queue coexistence.