feat: add flag to allow cross-organization teams during org transitions

jasonwbarnett · jasonwbarnett · commit f0d5edf485fd · 2025-08-15T17:06:30.000-06:00
This allows teams from different organizations to be valid owners, which is
useful during repository transitions between organizations (e.g., from
altana-poc to altana-tech).

When OWNER_CHECKER_ALLOW_CROSS_ORG_TEAMS is set to true, the validator will
skip the check that ensures teams belong to the same organization as the
repository.

Updates:
- Add AllowCrossOrgTeams field to ValidOwnerConfig
- Skip org validation in validateTeam when flag is enabled
- Add documentation for the new environment variable
- Update GitHub Action definition with new input parameter
- Add unit tests for the new configuration flag
diff --git a/README.md b/README.md
@@ -143,6 +143,7 @@ Use the following environment variables to configure the application:
 | <tt>OWNER_CHECKER_IGNORED_OWNERS</tt>         | `@ghost`                      | The comma-separated list of owners that should not be validated. Example: `"@owner1,@owner2,@org/team1,example@email.com"`.                                                                                                                                                                                                                                                                                                                                     |
 | <tt>OWNER_CHECKER_ALLOW_UNOWNED_PATTERNS</tt> | `true`                        | Specifies whether CODEOWNERS may have unowned files. For example: <br> <br>  `/infra/oncall-rotator/                    @sre-team` <br>  `/infra/oncall-rotator/oncall-config.yml` <br> <br>  The `/infra/oncall-rotator/oncall-config.yml` file is not owned by anyone.                                                                                                                                                                                        |
 | <tt>OWNER_CHECKER_OWNERS_MUST_BE_TEAMS</tt>   | `false`                       | Specifies whether only teams are allowed as owners of files.                                                                                                                                                                                                                                                                                                                                                                                                    |
+| <tt>OWNER_CHECKER_ALLOW_CROSS_ORG_TEAMS</tt>  | `false`                       | Specifies whether teams from different organizations are allowed. When set to `true`, the check that validates if a team belongs to the repository's organization will be skipped. This is useful during transitions between organizations.                                                                                                                                                                                                                     |
 | <tt>NOT_OWNED_CHECKER_SKIP_PATTERNS</tt>      |                               | The comma-separated list of patterns that should be ignored by `not-owned-checker`. For example, you can specify `*` and as a result, the `*` pattern from the **CODEOWNERS** file will be ignored and files owned by this pattern will be reported as unowned unless a later specific pattern will match that path. It's useful because often we have default owners entry at the begging of the CODOEWNERS file, e.g. `*       @global-owner1 @global-owner2` |
 | <tt>NOT_OWNED_CHECKER_SUBDIRECTORIES</tt>     |                               | The comma-separated list of subdirectories to check in `not-owned-checker`. When specified, only files in the listed subdirectories will be checked if they do not have specified owners in CODEOWNERS.                                                                                                                                                                                                                                                         |
 | <tt>NOT_OWNED_CHECKER_TRUST_WORKSPACE</tt>    | `false`                       | Specifies whether the repository path should be marked as safe. See: https://github.com/actions/checkout/issues/766.                                                                                                                                                                                                                                                                                                                                            |
diff --git a/action.yml b/action.yml
@@ -69,6 +69,11 @@ inputs:
     default: "false"
     required: false
 
+  owner_checker_allow_cross_org_teams:
+    description: "Specifies whether teams from different organizations are allowed. When set to true, the check that validates if a team belongs to the repository's organization will be skipped. This is useful during transitions between organizations."
+    default: "false"
+    required: false
+
   not_owned_checker_subdirectories:
     description: "Only check listed subdirectories for CODEOWNERS ownership that don't have owners."
     required: false
diff --git a/docs/gh-action.md b/docs/gh-action.md
@@ -89,6 +89,11 @@ jobs:
           # Specifies whether only teams are allowed as owners of files.
           owner_checker_owners_must_be_teams: "false"
 
+          # Specifies whether teams from different organizations are allowed. When set to true, 
+          # the check that validates if a team belongs to the repository's organization will be 
+          # skipped. This is useful during transitions between organizations.
+          owner_checker_allow_cross_org_teams: "false"
+
           # Only check listed subdirectories for CODEOWNERS ownership that don't have owners.
           not_owned_checker_subdirectories: ""
 ```
diff --git a/internal/check/valid_owner.go b/internal/check/valid_owner.go
@@ -38,6 +38,10 @@ type ValidOwnerConfig struct {
 	AllowUnownedPatterns bool `envconfig:"default=true"`
 	// OwnersMustBeTeams specifies whether owners must be teams in the same org as the repository
 	OwnersMustBeTeams bool `envconfig:"default=false"`
+	// AllowCrossOrgTeams specifies whether teams from different organizations are allowed.
+	// When set to true, the check that validates if a team belongs to the repository's
+	// organization will be skipped. This is useful during transitions between organizations.
+	AllowCrossOrgTeams bool `envconfig:"default=false"`
 }
 
 // ValidOwner validates each owner
@@ -51,6 +55,7 @@ type ValidOwner struct {
 	ignOwners            map[string]struct{}
 	allowUnownedPatterns bool
 	ownersMustBeTeams    bool
+	allowCrossOrgTeams   bool
 }
 
 // NewValidOwner returns new instance of the ValidOwner
@@ -73,6 +78,7 @@ func NewValidOwner(cfg ValidOwnerConfig, ghClient *github.Client, checkScopes bo
 		ignOwners:            ignOwners,
 		allowUnownedPatterns: cfg.AllowUnownedPatterns,
 		ownersMustBeTeams:    cfg.OwnersMustBeTeams,
+		allowCrossOrgTeams:   cfg.AllowCrossOrgTeams,
 	}, nil
 }
 
@@ -216,7 +222,8 @@ func (v *ValidOwner) validateTeam(ctx context.Context, name string) *validateErr
 	team := parts[1]
 
 	// GitHub normalizes name before comparison
-	if !strings.EqualFold(org, v.orgName) {
+	// Skip org check if cross-org teams are allowed
+	if !v.allowCrossOrgTeams && !strings.EqualFold(org, v.orgName) {
 		return newValidateError("Team %q does not belong to %q organization.", name, v.orgName)
 	}
 
diff --git a/internal/check/valid_owner_test.go b/internal/check/valid_owner_test.go
@@ -159,3 +159,55 @@ func TestValidOwnerCheckerOwnersMustBeTeams(t *testing.T) {
 		})
 	}
 }
+
+func TestValidOwnerCheckerAllowCrossOrgTeams(t *testing.T) {
+	// This test validates the AllowCrossOrgTeams config flag behavior
+	// Note: This test only validates the configuration parsing and basic team syntax validation
+	// The actual org validation requires a GitHub client and is tested in integration tests
+	
+	t.Run("Config with AllowCrossOrgTeams enabled", func(t *testing.T) {
+		// given
+		ownerCheck, err := check.NewValidOwner(check.ValidOwnerConfig{
+			Repository:           "org/repo",
+			AllowUnownedPatterns: true,
+			AllowCrossOrgTeams:   true, // Enable cross-org teams
+		}, nil, true)
+		require.NoError(t, err)
+		
+		// Verify the config was properly set
+		assert.NotNil(t, ownerCheck)
+	})
+	
+	t.Run("Config with AllowCrossOrgTeams disabled", func(t *testing.T) {
+		// given
+		ownerCheck, err := check.NewValidOwner(check.ValidOwnerConfig{
+			Repository:           "org/repo",
+			AllowUnownedPatterns: true,
+			AllowCrossOrgTeams:   false, // Disable cross-org teams (default)
+		}, nil, true)
+		require.NoError(t, err)
+		
+		// Verify the config was properly set
+		assert.NotNil(t, ownerCheck)
+	})
+	
+	t.Run("Team syntax validation", func(t *testing.T) {
+		// Test that team syntax is recognized correctly regardless of org
+		tests := []struct {
+			owner   string
+			isValid bool
+		}{
+			{"@org/team", true},
+			{"@different-org/team", true},
+			{"@altana-poc/team", true},
+			{"@altana-tech/team", true},
+			{"@org/", false},
+			{"org/team", false},
+		}
+		
+		for _, tc := range tests {
+			result := check.IsValidOwner(tc.owner)
+			assert.Equal(t, tc.isValid, result, "Owner %s validation failed", tc.owner)
+		}
+	})
+}
