Skip to content

fix: gate repository-permissions/ until provider-upjet-github supports shaPinningRequired#86

Merged
devantler merged 2 commits into
mainfrom
claude/hotfix-repository-permissions-gate
Jul 9, 2026
Merged

fix: gate repository-permissions/ until provider-upjet-github supports shaPinningRequired#86
devantler merged 2 commits into
mainfrom
claude/hotfix-repository-permissions-gate

Conversation

@devantler

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Assistant

Why

#67's shaPinningRequired patch is currently stalling every prod deploy: the field isn't in the deployed Crossplane provider's CRD schema yet, so the tenant's apps Kustomization health-check times out after 20 minutes on every reconcile cycle — blocking prod deploys and kicking PRs out of the platform merge queue.

What

Comments out repository-permissions/ from the root kustomization until the provider bump lands. The directory and its own gate-note stay in place for when that's ready — nothing is deleted, only un-wired from the published artifact.

Notes

Fixes the live prod stall (hit 2026-07-09, ~4h after #67's v1.12.0 publish).

…s shaPinningRequired

Fixes #67's shaPinningRequired patch is applied to every RepositoryPermissions
resource, but the field is absent from the deployed provider-upjet-github
v0.19.1 CRD schema (it embeds terraform-provider-github 6.6.0; the field
landed in 6.11.0). Dry-run rejects the patch, so the prod tenant's `apps`
Kustomization health-check times out after 20m every reconcile cycle,
stalling deploys and kicking merge-queue PRs out.

Unwire repository-permissions/ from the root kustomization until the
provider bump (own upstream PR crossplane-contrib/provider-upjet-github#288)
lands.

🤖 Generated by the Daily AI Assistant
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This change modifies deploy/kustomization.yaml by removing the repository-permissions/ entry from the resources list. It is replaced with explanatory comments stating the kustomization is intentionally not wired in because the sha_pinning_required patch field is absent from the currently-deployed provider CRD schema, and applying it would break dry-runs and health checks until the provider version is bumped.

Possibly related PRs

  • devantler-tech/.github#67: Adds the deploy/repository-permissions/ manifests and shaPinningRequired patch that this change removes from the kustomization.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: temporarily gating repository-permissions until the provider supports shaPinningRequired.
Description check ✅ Passed The description matches the change and explains the gating rationale, impact, and validation.

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/kustomization.yaml`:
- Around line 25-37: The gate rationale is duplicated between the top-level
kustomization and the repository-permissions kustomization header, so update
both together to avoid drift. Keep the precondition/tracking note in one
canonical place or remove the duplicate once the provider bump lands, and make
sure any change to the gate in deploy/kustomization.yaml is mirrored in
repository-permissions/kustomization.yaml.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: b1ad6e5a-afaf-44d9-a879-7e71e94c821b

📥 Commits

Reviewing files that changed from the base of the PR and between 3cbdd00 and 927e4cf.

📒 Files selected for processing (1)
  • deploy/kustomization.yaml
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Analyze (actions)
🧰 Additional context used
📓 Path-based instructions (1)
deploy/**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

deploy/**/*.{yaml,yml}: Manage GitHub declaratively — never imperatively. Org/repo/team/label configuration must be changed only by editing deploy/ and shipping a PR; do not use gh api writes or the GitHub UI to change managed config.
Ownership must be modeled as a team, not an individual. Use the maintainers team via Team/TeamRepository; never grant access or ownership to individual logins.
When adopting an existing live resource, use observe-first settings: set crossplane.io/external-name to the live name and use a management policy that excludes Delete for new Repository/IssueLabels/team resources.

Files:

  • deploy/kustomization.yaml
🔇 Additional comments (1)
deploy/kustomization.yaml (1)

25-37: LGTM!

Comment thread deploy/kustomization.yaml Outdated
CodeRabbit: the precondition/tracking note was fully restated in both
deploy/kustomization.yaml and repository-permissions/kustomization.yaml.
Point to the latter as the canonical source instead of duplicating it.

🤖 Generated by the Daily AI Assistant
@devantler devantler marked this pull request as ready for review July 9, 2026 03:14
@devantler devantler merged commit a9b3fcd into main Jul 9, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant