Use github app for codeowners validation (#116)

goruha · web-flow · commit 80e333e7848b · 2024-10-10T13:03:12.000+03:00
* Use github app for codeowners validation

* Update ci-codeowners.yml

* Update ci-codeowners.yml
diff --git a/.github/workflows/ci-codeowners.yml b/.github/workflows/ci-codeowners.yml
@@ -14,6 +14,7 @@ name: |-
         uses: cloudposse/github-actions-workflows/.github/workflows/ci-codeowners-full.yml@main
         with:
           is_fork: $\{\{ github.event.pull_request.head.repo.full_name != github.repository \}\}
+        secrets: inherit
   ```
 on:
   workflow_call:
@@ -27,36 +28,48 @@ on:
         type: string
         required: false
         default: '["ubuntu-latest"]'
-    secrets:
-      github_access_token:
-        description: "GitHub API token"
-        required: false
 
 jobs:
-  validate:
+  syntax:
     runs-on: ${{ fromJSON(inputs.runs-on) }}
-    name: "Codeowners validate"
+    name: Validate Codeowners (syntax)
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - uses: mszostok/codeowners-validator@v0.7.1
         # Pull request from a fork
         name: "Validate CODEOWNERS"
-        if: ${{ inputs.is_fork }}
         with:
           checks: "syntax,duppatterns"
           owner_checker_allow_unowned_patterns: "false"
 
-      - uses: mszostok/codeowners-validator@v0.7.1
+  owners:
+    runs-on: ${{ fromJSON(inputs.runs-on) }}
+    name: Validate Codeowners (owners)
+    if: ${{ false && ! inputs.is_fork }}
+    environment: release    
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: github-app
+        with:
+          app-id: ${{ vars.BOT_GITHUB_APP_ID }}
+          private-key: ${{ secrets.BOT_GITHUB_APP_PRIVATE_KEY }}
+          
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.github-app.outputs.token }}
+
+      - uses: mszostok/codeowners-validator@v0.7.4
         # Main branch / Pull request from the same repo
         name: "Validate CODEOWNERS"
-        if: ${{ ! inputs.is_fork }}
         with:
           # For now, remove "files" check to allow CODEOWNERS to specify non-existent
           # files so we can use the same CODEOWNERS file for Terraform and non-Terraform repos
           #   checks: "files,syntax,owners,duppatterns"
-          checks: "syntax,duppatterns,owners"
+          checks: "owners"
           owner_checker_allow_unowned_patterns: "false"
           # Admin GitHub access token is required only if the `owners` check is enabled
-          github_access_token: "${{ secrets.github_access_token }}"
+          github_access_token: ${{ steps.github-app.outputs.token }}
+          
