fix: restore peribolos with reliable auth and drift detection#89
Merged
marcusburghardt merged 2 commits into complytime:main (May 8, 2026)
Conversation
- Replace expired APP_ACCESS_TOKEN with per-run GitHub App installation tokens via actions/create-github-app-token (complytime-bot app)
- Fix silent failure masking by adding set -o pipefail to the pipeline
- Add workflow_dispatch trigger with dry-run option for on-demand reapply
- Add daily scheduled reconciliation (cron 05:30 UTC)
- Add weekly drift detection workflow that opens issues on org state drift
- Remove unused ghproxy sidecar from apply workflow
- Fix org admins listed as team members instead of maintainers
- Remove orphan docs: key from peribolos.yaml
- Wire dead testTeamMembers() into TestOrgs() for team config validation
- Use process substitution for token passing (no credentials on disk)

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
hbraswelrh (Member) reviewed on May 8, 2026 and left a comment:
Solid fix for a critical operational failure. Two minor findings below — neither blocks merge.
This review was generated by /review-pr (AI-assisted).
sonupreetam (Contributor) approved these changes on May 8, 2026 and left a comment:
Agree with @hbraswelrh's finding on the missing set -o pipefail in drift_detection.yml.
Two additional minor nits on the spec artifacts below — neither blocks merge.
This review was generated by /review-pr (AI-assisted).
- Add set -o pipefail to drift_detection.yml dump step to prevent silent failures (same class of bug this PR fixes in apply workflow)
- Redirect peribolos --dump stderr to log file instead of /dev/null so diagnostics are available on failure
- Update task 1.5 to reflect process substitution approach
- Fix cron example in scheduled-reconciliation spec to match implementation (30 5 not 30 6)

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
jflowers (Contributor) approved these changes on May 8, 2026 and left a comment:
manual review, lgtm
nice work everyone
Summary

Root cause fixed: Peribolos has been silently failing since April 16, 2026. The GitHub App user access token expired and the `jq` pipeline was swallowing the exit code, making every run appear successful. This PR replaces the static token with per-run installation tokens via `actions/create-github-app-token` using the existing `complytime-bot` app.

Pipeline reliability: Added `set -o pipefail` so Peribolos failures actually fail the workflow. Removed unused ghproxy sidecar. Token is passed via process substitution (no credentials written to disk).

On-demand reapply: Added `workflow_dispatch` trigger with a `dry-run` boolean input so org admins can manually reapply or preview changes.

Daily reconciliation: Added daily cron schedule (05:30 UTC) to prevent drift accumulation between config changes.

Weekly drift detection: New workflow (`drift_detection.yml`) runs Monday 04:30 UTC, dumps actual org state via `peribolos --dump`, diffs against `peribolos.yaml`, and opens/updates a GitHub issue with the `peribolos-drift` label when drift is detected.

Config fixes: Removed orphan `docs:` key from `peribolos.yaml`. Moved org admins (`jpower432`, `marcusburghardt`) from `members:` to `maintainers:` in teams where they appeared.

Test fixes: Wired the existing `testTeamMembers()` function into `TestOrgs()` in `config/config_test.go` — it was defined but never called, so team config validation (admin/member placement, duplicates, sorted lists, privacy) was never running.

Prerequisites

The following secrets must be configured in the repository settings (already done):

- `COMPLYTIME_BOT_CLIENT_ID`: Client ID of the `complytime-bot` GitHub App
- `COMPLYTIME_BOT_PRIVATE_KEY`: Private key of the `complytime-bot` GitHub App (newly generated; the old 2024 key should be revoked after validation)

Validation

After merging, trigger a manual `workflow_dispatch` with `dry-run: true` to validate the new authentication works before the first real apply.
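The two shell-level fixes from the Summary (exit-code masking in the `peribolos | jq` pipeline, and token hand-over via process substitution), as an added example that is not code from the complytime repository. `fake_peribolos` is a constructed stand-in for the real binary and `cat` stands in for `jq`, so the example runs offline; `--github-token-path` is the real peribolos flag the consumer stand-in models.

```bash
#!/usr/bin/env bash
# Added example, not code from the complytime repo. fake_peribolos is a
# constructed stand-in for the real binary: the workflow pipes
# `peribolos --dump` into jq; `cat` stands in for jq here so the example
# runs offline with identical pipeline-status semantics.

# Constructed failure mode: partial JSON on stdout, auth error on stderr,
# non-zero exit (what an expired token produced).
fake_peribolos() {
  echo '{"orgs":{}}'
  echo 'error: 401 Bad credentials (expired token)' >&2
  return 1
}

# Before the fix: a pipeline's status is that of its LAST command, so
# `peribolos | jq` returns jq's 0 and the step passes despite the failure.
pipeline_status_without_pipefail() {
  ( set +o pipefail; rc=0
    fake_peribolos 2>/dev/null | cat >/dev/null || rc=$?
    echo "$rc" )
}

# After the fix: with pipefail the status is the rightmost non-zero status,
# so the failing peribolos stage propagates and the workflow step fails.
pipeline_status_with_pipefail() {
  ( set -o pipefail; rc=0
    fake_peribolos 2>/dev/null | cat >/dev/null || rc=$?
    echo "$rc" )
}

# Stand-in for a consumer that reads its token from a path (peribolos uses
# --github-token-path). Reports whether that path is a regular file on disk.
read_token_from_path() {
  local path=$1 kind tok
  if [ -f "$path" ]; then kind=on-disk; else kind=fd; fi
  read -r tok < "$path"
  printf '%s:%s\n' "$kind" "$tok"
}

# Token handed over via process substitution: the consumer sees a /dev/fd
# path backed by a pipe, so the credential never lands in the workspace.
pass_token_via_process_substitution() {
  read_token_from_path <(printf '%s\n' "$1")
}
```

GitHub Actions only adds `-o pipefail` itself when a step declares `shell: bash` explicitly; a step with no `shell:` runs under `bash -e` without it, which is why the explicit `set -o pipefail` in the step script matters.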