The valid_owner.go check requires a GitHub personal access token for the following reasons:
- Information about organization teams and their repositories is not publicly available.
- If you set a GitHub Enterprise base URL, requests without a token may be rejected with an unauthorized error.
- For unauthenticated requests, the rate limit allows up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address. In a big organization with many calls between your infrastructure servers and GitHub, it is easy to exceed that quota.
Instructions for creating a token can be found here. The minimal scope required for the token is read-only, but which scopes provide that read access differs between public and private repositories.
For public repositories, select public_repo and read:org.
For private repositories, select repo and read:org.
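As an added example (not code from the Codeowners Validator project), the Go program below compares the scopes a token reports in GitHub's X-OAuth-Scopes response header against the minimal set listed above, reporting both scopes the token lacks and scopes it carries that the validator does not need. The scope hierarchy it encodes (repo includes public_repo; admin:org and write:org include read:org) is GitHub's; the sample token scopes are constructed.

```go
package main

import "fmt"

// implies reports whether a granted scope covers a required one under GitHub's
// scope hierarchy (repo includes public_repo; admin:org and write:org include read:org).
func implies(granted, required string) bool {
	switch required {
	case "public_repo":
		return granted == "repo" || granted == required
	case "read:org":
		return granted == "admin:org" || granted == "write:org" || granted == required
	}
	return granted == required
}

// checkScopes returns required scopes the token lacks (the validator's API calls
// would fail) and granted scopes nothing here needs (excess privilege to remove).
func checkScopes(granted []string, private bool) (missing, excess []string) {
	required := []string{"public_repo", "read:org"} // minimal scopes from the README
	if private {
		required[0] = "repo"
	}
	used := make([]bool, len(granted))
	for _, req := range required {
		ok := false
		for i, g := range granted {
			if implies(g, req) {
				ok, used[i] = true, true
			}
		}
		if !ok {
			missing = append(missing, req)
		}
	}
	for i, g := range granted {
		if !used[i] {
			excess = append(excess, g)
		}
	}
	return missing, excess
}

func main() {
	// Constructed sample: the scopes a token reports in the X-OAuth-Scopes response header.
	missing, excess := checkScopes([]string{"repo", "read:org", "workflow"}, false)
	fmt.Printf("missing=%v excess=%v\n", missing, excess) // missing=[] excess=[workflow]
}
```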
The Codeowners Validator source code is available on GitHub. You can always perform a security audit of its code base and build your own version from source if your organization is stricter about the software run in its infrastructure.