From fdea105be6a3278ea578b7f777a0037e5d8385ac Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 29 May 2026 12:06:42 +0200 Subject: [PATCH] fix: add --ignore-secret-teams to peribolos workflows Peribolos with --fix-team-repos strips team-repo permissions for any repo not declared in peribolos.yaml. Private repos deliberately excluded from the public config had their manually-set team permissions removed on every scheduled or push-triggered apply run. Adding --ignore-secret-teams causes peribolos to skip secret-privacy teams entirely (creation, deletion, membership, and repo mappings), allowing manually-managed secret teams to grant access to private repos without interference. Affected workflows: - peribolos-apply.yml (daily apply + push to main) - peribolos-drift.yml (weekly drift detection) Assisted-by: OpenCode (claude-opus-4-6) Signed-off-by: Marcus Burghardt --- .github/workflows/peribolos-apply.yml | 1 + .github/workflows/peribolos-drift.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/peribolos-apply.yml b/.github/workflows/peribolos-apply.yml index 4f872e8..d84ad12 100644 --- a/.github/workflows/peribolos-apply.yml +++ b/.github/workflows/peribolos-apply.yml @@ -103,6 +103,7 @@ jobs: --required-admins marcusburghardt --require-self=false --ignore-enterprise-teams + --ignore-secret-teams ) if [ "$DRY_RUN" != "true" ]; then diff --git a/.github/workflows/peribolos-drift.yml b/.github/workflows/peribolos-drift.yml index 0a74e85..808eaef 100644 --- a/.github/workflows/peribolos-drift.yml +++ b/.github/workflows/peribolos-drift.yml @@ -81,6 +81,7 @@ jobs: --required-admins marcusburghardt \ --require-self=false \ --ignore-enterprise-teams \ + --ignore-secret-teams \ --github-token-path "$TOKEN_FILE" \ > /tmp/peribolos-dryrun.log 2>&1 || true
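Review bot: In peribolos-apply.yml, the new `--ignore-secret-teams` entry in the argument array carries no comment, so the reason for it lives only in the commit message. Per that message, the flag makes peribolos skip secret teams for creation, deletion, membership and repo mappings, which means the daily and push-triggered apply no longer enforces those teams from peribolos.yaml. Add a short comment above the flag stating that secret teams are managed manually and grant access to private repos, and say where that manual access is recorded or reviewed. That keeps a later cleanup from dropping the flag or treating the public config as the complete source of truth for team access.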
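Review bot: In peribolos-drift.yml, passing `--ignore-secret-teams \` to the dry run leaves secret teams out of the weekly drift report, and per the commit message those are the teams granting access to private repos, so membership or permission changes on them will not show up as drift. Document that gap next to the flag and consider a separate periodic audit of secret-team membership and repo permissions. Since the command ends in `> /tmp/peribolos-dryrun.log 2>&1 || true`, a non-zero exit is swallowed; whatever reads the log afterwards should distinguish a failed run (for example an argument error) from a clean "no drift" result.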