From 45c0f878b1407f26c3932077754d45df59e71562 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 14:08:29 -0500
Subject: [PATCH 1/6] chore: Create reusable workflow for `codeowners` linting
---
 .github/workflows/codeowners.yml | 34 ++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/codeowners.yml
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
new file mode 100644
index 0000000..0485734
--- /dev/null
+++ b/.github/workflows/codeowners.yml
@@ -0,0 +1,34 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+# Reusable workflow to lint CODEOWNERS file
+
+name: CODEOWNERS
+
+on:
+ workflow_call:
+ inputs:
+ exclude_dirs:
+ description: 'Directories to exclude from linting (space-separated, e.g. "projects misc modules")'
+ type: string
+ required: false
+ default: ""
+
+jobs:
+ lint-codeowners:
+ runs-on: ubuntu-latest
+ container:
+ image: us-west1-docker.pkg.dev/moz-fx-platform-artifacts/platform-shared-images/sre-citools:latest
+ options: --cpus 1
+ steps:
+ - name: Clone Repository
+ uses: actions/checkout@v6
+
+ - name: Lint CODEOWNERS
+ run: |
+ exclude_args=""
+ for dir in ${{ inputs.exclude_dirs }}; do
+ exclude_args="$exclude_args --excludedirs $dir"
+ done
+ /usr/bin/lint-codeowners $PWD $exclude_args
From b33404b50e87bd225811380fcc001e73a347fc5e Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 14:16:30 -0500
Subject: [PATCH 2/6] chore: apply Zizmor fixes
---
 .github/workflows/codeowners.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index 0485734..c12a6b3 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
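Review bot: The `lint-codeowners` job in the new `codeowners.yml` (PATCH 1/6) declares no `permissions:`, so the `GITHUB_TOKEN` it receives is whatever the calling workflow grants; the job only checks out and reads the repository, so a job-level `permissions:` with `contents: read` would cap it. `actions/checkout@v6` is referenced by a movable tag; a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`) stops the action from changing underneath every caller of this reusable workflow. Neither point is picked up by the later patches in this series, as far as the visible hunks show.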
@@ -24,11 +24,15 @@ jobs:
 steps:
 - name: Clone Repository
 uses: actions/checkout@v6
+ with:
+ persist-credentials: false

 - name: Lint CODEOWNERS
 run: |
 exclude_args=""
- for dir in ${{ inputs.exclude_dirs }}; do
+ for dir in ${INPUTS_EXCLUDE_DIRS}; do
 exclude_args="$exclude_args --excludedirs $dir"
 done
 /usr/bin/lint-codeowners $PWD $exclude_args
+ env:
+ INPUTS_EXCLUDE_DIRS: ${{ inputs.exclude_dirs }}
From 316be35a1db68139dce00ea9526142a5bc062262 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 14:42:04 -0500
Subject: [PATCH 3/6] chore: Use newly-tagged "1.0" image
---
 .github/workflows/codeowners.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index c12a6b3..e388147 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -19,7 +19,7 @@ jobs:
 lint-codeowners:
 runs-on: ubuntu-latest
 container:
- image: us-west1-docker.pkg.dev/moz-fx-platform-artifacts/platform-shared-images/sre-citools:latest
+ image: us-west1-docker.pkg.dev/moz-fx-platform-artifacts/platform-shared-images/sre-citools:1.0
 options: --cpus 1
 steps:
 - name: Clone Repository
From de62d6023e230e28368c992fb306fd3874bc8db5 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 14:44:07 -0500
Subject: [PATCH 4/6] Tweak workflow name and top-level comment
---
 .github/workflows/codeowners.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index e388147..b405568 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -2,9 +2,9 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at https://mozilla.org/MPL/2.0/.

-# Reusable workflow to lint CODEOWNERS file
+# Reusable workflow to lint CODEOWNERS files in our *-infra repos

-name: CODEOWNERS
+name: Lint CODEOWNERS

 on:
 workflow_call:
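Review bot: `${INPUTS_EXCLUDE_DIRS}` is still expanded unquoted in the `for` line of PATCH 2/6, so each word is also subject to pathname expansion, and `$exclude_args` and `$PWD` on the last command line are re-split the same way; a value such as `*` would be replaced by whatever matches in the working directory. Moving the input into `env:` closes the template-expansion path, but the shell-level splitting remains. Disabling globbing and collecting the arguments in the positional parameters keeps the documented space-separated behaviour and needs only POSIX `sh`, which matters because the step sets no `shell:`. The same command line is changed again in PATCH 6/6, where `$GITHUB_WORKSPACE` wants the same quoting.

```yaml
        run: |
          set -f   # split the input on whitespace only; no pathname expansion
          set --
          for dir in ${INPUTS_EXCLUDE_DIRS}; do
            set -- "$@" --excludedirs "$dir"
          done
          /usr/bin/lint-codeowners "$PWD" "$@"
        # … unchanged: env block with INPUTS_EXCLUDE_DIRS …
```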
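Review bot: `sre-citools:1.0` on the new `image:` line of PATCH 3/6 is still a tag, and a registry tag can be re-pushed, so the container that every caller of this workflow runs is not fixed by the change. Appending the digest keeps the readable version and makes the reference immutable: `image: us-west1-docker.pkg.dev/moz-fx-platform-artifacts/platform-shared-images/sre-citools:1.0@sha256:<digest-of-the-1.0-image>`. The digest is a placeholder here; it has to be taken from the registry entry for the 1.0 push.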
From 4da8a469b3c99e69a89c19cb4c0f68b8fc664533 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 15:30:30 -0500
Subject: [PATCH 5/6] Add README for the codeowners workflow
---
 .github/workflows/docs/codeowners.md | 26 ++++++++++++++++++++++++++
 README.md | 1 +
 2 files changed, 27 insertions(+)
 create mode 100644 .github/workflows/docs/codeowners.md
diff --git a/.github/workflows/docs/codeowners.md b/.github/workflows/docs/codeowners.md
new file mode 100644
index 0000000..c75a7e9
--- /dev/null
+++ b/.github/workflows/docs/codeowners.md
@@ -0,0 +1,26 @@
+# CODEOWNERS Linting Reusable Workflow
+
+Validates CODEOWNERS files using the `lint-codeowners` tool found in [mozilla-it/sre-citools](https://github.com/mozilla-it/sre-citools).
+
+## Inputs
+
+| Name | Required | Type | Default | Description |
+| -------------- | -------- | ------ | ------- | ------------------------------------------------------------------------ |
+| `exclude_dirs` | false | string | `""` | Space-separated list of directories to exclude from linting (e.g. `"projects misc modules"`) |
+
+## Usage
+
+```yaml
+name: Lint CODEOWNERS
+
+on:
+ pull_request:
+ paths:
+ - 'CODEOWNERS'
+
+jobs:
+ lint-codeowners:
+ uses: mozilla-it/deploy-actions/.github/workflows/codeowners.yml@main
+ with:
+ exclude_dirs: "projects misc modules" # optional: exclude specific directories
+```
diff --git a/README.md b/README.md
index cdebabd..6530597 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@ This repository contains GitHub Actions Composite Actions used for Deployment Au
 ## Workflows
 * [build-and-push](./.github/workflows/docs/build-and-push.md)
+* [codeowners](./.github/workflows/docs/codeowners.md)
 * [diff-rendered-charts](./.github/workflows/docs/diff-rendered-charts.md)
 * [psa-checker](./.github/workflows/docs/psa-checker.md)
 * [validate-k8s-manifests](./.github/workflows/docs/validate-k8s-manifests.md)
From 083c7666c89fe6a0c8c4969e93e003c080561e08 Mon Sep 17 00:00:00 2001
From: Graham Beckley
Date: Thu, 18 Dec 2025 16:06:27 -0500
Subject: [PATCH 6/6] chore: Use $GITHUB_WORKSPACE rather than $PWD
---
 .github/workflows/codeowners.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
index b405568..cb65a3e 100644
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@@ -33,6 +33,6 @@ jobs:
 for dir in ${INPUTS_EXCLUDE_DIRS}; do
 exclude_args="$exclude_args --excludedirs $dir"
 done
- /usr/bin/lint-codeowners $PWD $exclude_args
+ /usr/bin/lint-codeowners $GITHUB_WORKSPACE $exclude_args
 env:
 INPUTS_EXCLUDE_DIRS: ${{ inputs.exclude_dirs }}