chore: switch to upstream peribolos with enterprise team support#7
Merged
Conversation
- Build peribolos from kubernetes-sigs/prow source instead of uwu-tools container
- Add --ignore-enterprise-teams and --ignore-secret-teams flags
- Remove enterprise-managed members and team from config (no longer needed)
- Add go.mod for setup-go action
- Add daily schedule, dry-run support, concurrency control
- Restore --maximum-removal-delta to 0.25
- Update actions to latest versions
trevor-vaughan
requested changes
Jun 24, 2026
| - name: Checkout peribolos source | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| repository: kubernetes-sigs/prow |
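Review bot: `repository: kubernetes-sigs/prow` is checked out with no `ref:`, so the peribolos build follows whatever the upstream default branch contains at run time, even though `actions/checkout` itself is pinned to a commit on the line above. Add `ref:` with the full commit SHA of the prow revision that was reviewed (tag in a trailing comment, as done for the action), so the binary is always built from a fixed source tree.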
We should pin the hashref here to stay in line with the rest of the pulled material.
| with: | ||
| app-id: ${{ secrets.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| owner: unbound-force |
We should shorten the default TTL for the token to the minimum viable lifetime.
The 10 minute minimum should be enough.
expires-in: 600
This is because there's a possibility that the error handling passthrough commands could log the raw token.
| jobs: | ||
| detect-drift: | ||
| runs-on: ubuntu-latest |
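Review bot: no `permissions:` key is visible on `detect-drift` between the job name and `runs-on: ubuntu-latest`; if none is set further down, the job's `GITHUB_TOKEN` receives the repository's default workflow permissions even though the job authenticates to the org with an App token. Add `permissions: {}` on the job (or `contents: read` if checking out this repository needs it) so the default token carries nothing the job does not use.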
We should bind this to the current repo so that forks don't attempt to run the job.
if: github.repository == 'unbound-force/.github'
…ork guards
- Pin kubernetes-sigs/prow checkout to commit hash (supply-chain safety)
- Add expires-in: 600 to GitHub App tokens (least-privilege TTL)
- Add repository guard to prevent fork execution on scheduled runs
Switches from the `uwu-tools/peribolos` container image to building peribolos from the upstream `kubernetes-sigs/prow` source. This gives access to the `--ignore-enterprise-teams` and `--ignore-secret-teams` flags, which cleanly handle enterprise-managed teams without needing to list them in the config.

Changes

Workflow (`.github/workflows/peribolos-sync.yml`):
- Build peribolos from `kubernetes-sigs/prow` source instead of using the `ghcr.io/uwu-tools/peribolos` container
- Add `--ignore-enterprise-teams` and `--ignore-secret-teams` flags
- Restore `--maximum-removal-delta` back to `0.25`

Config (`org/config.yaml`):
- Remove `ent:` entries (enterprise-managed members) and the `enterprise-security-managers` team (now ignored by peribolos)

New file (`go.mod`):
- Lets the `setup-go` action determine the Go version

Modeled after the complytime/.github workflow.
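The three points raised in review (a commit-SHA pin on the prow checkout, a 600 s TTL on the App token, and a repository guard on the job) can be checked mechanically before merge. The following is an added example, not code from this PR or from peribolos: a stdlib-only Python lint that scans a workflow file's text for those properties plus any `uses:` reference not pinned to a full commit SHA. The sample workflow is constructed from the hunks quoted in the review; the `example/app-token` action name and the all-zero SHAs are placeholders.

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")  # full commit pin, not a tag or branch

def key(block, name):
    """Value of the first 'name: value' line in a YAML text chunk, else None."""
    m = re.search(rf"(?m)^\s*{name}:\s*(\S+)", block)
    return m.group(1) if m else None

def audit_workflow(text, expected_repo, max_ttl=600):
    """Return findings for the review's hardening points; an empty list means clean."""
    findings = []
    for block in re.split(r"(?m)^(?=\s*-\s+\w)", text):  # one chunk per '- key:' step
        for action, pin in re.findall(r"(?m)^\s*-?\s*uses:\s*(\S+)@(\S+)", block):
            if not SHA40.match(pin):
                findings.append(f"action not pinned to a commit SHA: {action}@{pin}")
        repo, ref = key(block, "repository"), key(block, "ref")
        if repo and not (ref and SHA40.match(ref)):  # external checkout must pin its ref
            findings.append(f"checkout of {repo} has no commit-SHA ref")
        if key(block, "app-id"):  # App-token step: cap the installation token lifetime
            ttl = key(block, "expires-in")
            if ttl is None or int(ttl) > max_ttl:
                findings.append(f"App token TTL is {ttl or 'default'}, want <= {max_ttl}s")
    if f"if: github.repository == '{expected_repo}'" not in text:  # fork guard
        findings.append(f"no repository guard for {expected_repo}")
    return findings

# Constructed sample built from the hunks quoted in the review; each %s marks a
# spot the review asked to change. example/app-token is a placeholder action name.
WORKFLOW = """\
jobs:
  detect-drift:%s
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          repository: kubernetes-sigs/prow%s
      - uses: example/app-token@%s
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: unbound-force%s
"""
BEFORE = WORKFLOW % ("", "", "v1", "")  # as first submitted: four findings
PIN = "0" * 40                          # placeholder commit SHA (constructed)
AFTER = WORKFLOW % ("\n    if: github.repository == 'unbound-force/.github'",
                    f"\n          ref: {PIN}", PIN, "\n          expires-in: 600")
```

`audit_workflow(BEFORE, "unbound-force/.github")` reports the unpinned prow checkout, the unpinned token action, the default token TTL and the missing guard; the same call on `AFTER` returns an empty list.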