diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0defa1e..8601548 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,4 +21,37 @@ jobs:
         with:
           xrefcheck-args: "--root untrusted-pr"
 
-# TODO: Use https://github.com/marketplace/actions/github-codeowners-validator
+  codeowners:
+    name: Validate codeowners
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          path: trusted-base
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          path: untrusted-pr
+
+      - uses: mszostok/codeowners-validator@v0.7.4
+        with:
+          # GitHub access token is required only if the `owners` check is enabled
+          # See https://github.com/mszostok/codeowners-validator/blob/main/docs/gh-auth.md#public-repositories
+          github_access_token: "${{ secrets.OWNERS_VALIDATOR_GITHUB_SECRET }}"
+
+          # The repository path in which CODEOWNERS file should be validated."
+          repository_path: untrusted-pr
+
+          # The owner and repository name. For example, gh-codeowners/codeowners-samples. Used to check if GitHub team is in the given organization and has permission to the given repository."
+          owner_checker_repository: "${{ github.repository }}"
+
+          # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
+          experimental_checks: "notowned,avoid-shadowing"
+
+          # Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
+          owner_checker_allow_unowned_patterns: "false"
+
+          # Specifies whether only teams are allowed as owners of files.
+          owner_checker_owners_must_be_teams: "false"
diff --git a/doc/org-repo.md b/doc/org-repo.md
index 7314250..d213cb8 100644
--- a/doc/org-repo.md
+++ b/doc/org-repo.md
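Review bot: The new `codeowners` job passes `secrets.OWNERS_VALIDATOR_GITHUB_SECRET` to a third-party action that is pinned only by the mutable tag `mszostok/codeowners-validator@v0.7.4`, so a moved or compromised tag would run with that token; pin the step to the full commit SHA and keep the version as a trailing comment, e.g. `- uses: mszostok/codeowners-validator@<commit-sha-of-v0.7.4> # v0.7.4`, and give the job an explicit `permissions:` block (`contents: read`) unless the workflow already sets one above this hunk. The token comment says it is only needed for the `owners` check, but the job does not set `checks`, so whether that check (and hence the token) is active depends on the action's default; the comment should say which checks are expected to run and that on `pull_request` runs from forks the secret is empty, so the step presumably fails or skips the owner lookup. The `trusted-base` checkout is never referenced by this job; either drop it or add a comment explaining why it is kept. The job sits inside the `jobs:` mapping, which starts before this hunk.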
@@ -4,9 +4,7 @@ This repository itself is the entry point for documentation on official resource
 Everybody in the [CODEOWNERS](../.github/CODEOWNERS) file has write permission to this repository. This allows people to get automatic review requests and merge PRs for the files that concern them.
-
-TODO: Enable branch protection to require reviews by code owners.
-TODO: Ensure that all files have a code owner
+PRs can only be merged if a codeowner for the respective files approves it, and all files need to have a codeowner entry.
 Furthermore, the code owners for the CODEOWNERS file should have permission to give more people write access to this repository. These people get requested for reviews when new people add themselves to CODEOWNERS, allowing them to give write access when merged.