fix: add --ignore-secret-teams to peribolos workflows #118

Merged
marcusburghardt merged 1 commit into complytime:main from marcusburghardt:fix/ignore-secret-teams
May 29, 2026

Conversation

@marcusburghardt
Member

Summary

Peribolos with --fix-team-repos reconciles each team's repo permissions to match exactly what's declared in peribolos.yaml. Private repos deliberately excluded from the public config had their manually-set team permissions stripped on every scheduled or push-triggered apply run.

The --fix-team-repos flag computes unused = have - want for each team's repo list and removes all repos not in the YAML. Since private repos are intentionally omitted from peribolos.yaml, any team access manually granted to those repos was removed by the next peribolos run.

This PR adds --ignore-secret-teams to both peribolos workflows (peribolos-apply.yml and peribolos-drift.yml), causing peribolos to completely skip secret-privacy teams (creation, deletion, membership, and repo mappings). This allows manually-managed secret teams to grant access to private repos without interference.

Note: no secret teams currently exist in the managed config, so this change has no side effects on existing team management. Long-term, an --exclude-repos flag contributed upstream to kubernetes-sigs/prow would provide more granular control.

Related Issues

  • None

Review Hints

  • Both workflow files receive the same one-line addition of --ignore-secret-teams right after the existing --ignore-enterprise-teams flag.
  • The flag is documented in the peribolos source at kubernetes-sigs/prow/cmd/peribolos/main.go — it causes secret-privacy teams to be excluded from the slugs set entirely, making them invisible to the delete and reconciliation logic.
  • To verify: after merging, trigger a manual workflow_dispatch of peribolos-apply.yml with dry-run: true and confirm secret teams are not listed in the output.

Peribolos with --fix-team-repos strips team-repo permissions for any
repo not declared in peribolos.yaml. Private repos deliberately
excluded from the public config had their manually-set team
permissions removed on every scheduled or push-triggered apply run.

Adding --ignore-secret-teams causes peribolos to skip secret-privacy
teams entirely (creation, deletion, membership, and repo mappings),
allowing manually-managed secret teams to grant access to private
repos without interference.

Affected workflows:
- peribolos-apply.yml (daily apply + push to main)
- peribolos-drift.yml (weekly drift detection)

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
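To make the before/after behaviour concrete, the following is an added Go model of the reconciliation rules the description refers to: per declared team, `unused = have - want` is computed over its repo grants; teams absent from the config are deleted; and with the ignore flag, secret-privacy teams never enter the slug set, so neither the delete nor the repo reconciliation logic sees them. This is illustrative code written for this page, not peribolos's own implementation (peribolos lives in kubernetes-sigs/prow); the team and repo names are constructed, and the treatment of undeclared teams as deletions is a simplification assumed here.

```go
package main

import (
	"fmt"
	"sort"
)

// Team models a GitHub team as peribolos observes it: its privacy level and
// the repos it currently has access to (the "have" side of the comparison).
type Team struct {
	Name    string
	Privacy string            // "closed" or "secret"
	Repos   map[string]string // repo -> permission currently granted on GitHub
}

// Config models the team->repo mappings declared in peribolos.yaml (the
// "want" side). Private repos deliberately left out of the public config
// simply never appear here.
type Config struct {
	Teams map[string]map[string]string // team -> repo -> permission
}

// Options mirrors the two flags the PR discusses.
type Options struct {
	FixTeamRepos      bool
	IgnoreSecretTeams bool
}

// Plan is what a run would change: teams it would delete because they are
// absent from the config, and per team the repo grants it would strip.
type Plan struct {
	DeletedTeams map[string]bool
	RemovedRepos map[string][]string
}

// Reconcile applies the simplified rules (assumed model, not peribolos code):
// drop secret teams from the slug set when IgnoreSecretTeams is set, delete
// managed teams that are not declared, and with FixTeamRepos compute
// unused = have - want for each declared team and strip those grants.
func Reconcile(teams []Team, cfg Config, opts Options) Plan {
	plan := Plan{DeletedTeams: map[string]bool{}, RemovedRepos: map[string][]string{}}
	for _, t := range teams {
		// --ignore-secret-teams: secret teams never enter the slug set, so
		// neither the delete nor the repo reconciliation logic sees them.
		if opts.IgnoreSecretTeams && t.Privacy == "secret" {
			continue
		}
		want, declared := cfg.Teams[t.Name]
		if !declared {
			plan.DeletedTeams[t.Name] = true
			continue
		}
		if !opts.FixTeamRepos {
			continue
		}
		var unused []string
		for repo := range t.Repos {
			if _, ok := want[repo]; !ok {
				unused = append(unused, repo) // in have, not in want
			}
		}
		if len(unused) > 0 {
			sort.Strings(unused)
			plan.RemovedRepos[t.Name] = unused
		}
	}
	return plan
}

// SampleState returns a constructed org state and config: a closed team
// declared in the config that was manually granted access to a private repo,
// and a secret team (absent from the config) that grants the same access.
func SampleState() ([]Team, Config) {
	teams := []Team{
		{Name: "maintainers", Privacy: "closed", Repos: map[string]string{
			"public-repo":  "admin", // declared in config
			"private-repo": "write", // granted by hand, absent from config
		}},
		{Name: "secret-ops", Privacy: "secret", Repos: map[string]string{
			"private-repo": "write",
		}},
	}
	cfg := Config{Teams: map[string]map[string]string{
		"maintainers": {"public-repo": "admin"},
	}}
	return teams, cfg
}

func main() {
	teams, cfg := SampleState()
	for _, opts := range []Options{
		{FixTeamRepos: true},
		{FixTeamRepos: true, IgnoreSecretTeams: true},
	} {
		plan := Reconcile(teams, cfg, opts)
		fmt.Printf("%+v -> delete teams %v, strip repos %v\n", opts, plan.DeletedTeams, plan.RemovedRepos)
	}
}
```

Running it shows the two outcomes side by side: without the flag the secret team is deleted and the closed team loses its hand-granted private-repo access; with the flag the secret team is untouched, while the closed team is still reconciled against the YAML. That second point is why the description routes private-repo access through manually-managed secret teams rather than through declared closed teams.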
@marcusburghardt marcusburghardt enabled auto-merge (rebase) May 29, 2026 11:48
Contributor

@jflowers jflowers left a comment


LGTM

@marcusburghardt marcusburghardt merged commit d603ac5 into complytime:main May 29, 2026
9 checks passed
@marcusburghardt marcusburghardt deleted the fix/ignore-secret-teams branch May 29, 2026 13:11

2 participants