[codex] align secrets-sync action and pipeline flags

[jbdevprimary]

Summary

• Defines the documented GitHub Action inputs and passes them to the Docker action as explicit secretsync pipeline CLI arguments.
• Adds pipeline support for --parallelism, --continue-on-error, and --output side-by-side.
• Updates docs and quick references so Action metadata, CLI help, and examples agree.

Validation

• go test ./...
• make build
• YAML parse check for action.yml and workflows
• go run ./cmd/secretsync pipeline --help

Summary by CodeRabbit

• New Features

  • Expanded GitHub Action inputs and runtime flags; pipeline supports side-by-side aliases and emits a stable JSON summary (aggregates counts, duration, optional diff) with configurable exit-code; continue-on-error enabled by default.

• Documentation

  • Updated examples, CI/workflow snippets, installation, marketplace, and publishing guides to use standalone repo references, version-placeholder action tags, pinned actions, and refreshed usage docs.

• Tests

  • Added tests for output parsing, JSON summary behavior, default options, workflow pinning, logging/security doc checks, and packaging/helm validations.

• Chores

  • CI/tooling updates, vulnerability scan added, Go/Docker builder versions bumped, removed fork-break script.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds Action inputs mapped to container CLI args; extends pipeline CLI with new flags, output aliases, run timing, and a JSON summary envelope; updates defaults (Go/Python), organizations discovery YAML handling, tests, docs, CI, and release/tooling examples.

Changes

Pipeline CLI and GitHub Action Configuration

Layer / File(s)	Summary
Action inputs and runs.args wiring action.yml, docs/*, examples/*, .github/workflows/*	Defines additional GitHub Action inputs and wires them into container runs.args as pipeline + equivalent CLI flags; updates docs and examples to use pinned action tags/SHAs.
Pipeline CLI: flags, parsing, run flow, and JSON envelope cmd/secretsync/cmd/pipeline.go, cmd/secretsync/cmd/pipeline_test.go	Adds --continue-on-error and --parallelism flags wired into pipeline.Options; accepts side-by-side aliases for --output; measures run duration, captures p.Diff(), and emits an aggregated JSON summary envelope via new helpers. Tests validate parsing, aggregation, failure propagation, and error-detection.
Pipeline CLI unit tests cmd/secretsync/cmd/pipeline_test.go	Table-driven tests for output-format aliases, JSON summary aggregation, failure reporting, and pipeline error detection.
Default options changed and Python aggregation update pkg/pipeline/pipeline.go, pkg/pipeline/pipeline_test.go, python/secretssync/secretssync.go, python/secretssync/secretssync_test.go	DefaultOptions() and DefaultSyncOptions() now set ContinueOnError=true; Python RunPipeline() computes TargetCount as the number of unique non-empty targets via countUniqueTargets. Tests added for defaults and unique-target counting.
Organizations discovery: OUs list and YAML validation pkg/pipeline/types.go, pkg/pipeline/discovery_organizations.go, pkg/pipeline/discovery_ou_test.go, examples/organizations-discovery.yaml, docs/testing/*	Replaces legacy single ou scalar with ous slice; adds UnmarshalYAML that rejects the removed ou key; updates discovery logic and tests/examples to use the OUs list.
Documentation, CI, release, and packaging updates README.md, docs/*, .goreleaser.yml, Makefile, .github/workflows/*, Dockerfile, go.mod, examples/*	Refreshes docs/examples to reference repo-local docs, --output examples, and secrets-sync-vX.Y.Z tag; pins workflow actions; adds govulncheck step in development docs; bumps Go toolchain and Docker builder images; adjusts GoReleaser header and Makefile metadata.

🎯 3 (Moderate) | ⏱️ ~25 minutes

"A rabbit scurries through flags and docs,
Parsing outputs with neat little hops,
Side-by-side diffs and JSON bouquets,
Parallel runs hum in tidy arrays,
CI and release markers tied up in bows." 🐇✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/secrets-sync-polish

[amazon-q-developer]

Review Summary

This PR successfully aligns the GitHub Action inputs with the CLI pipeline flags. The implementation correctly adds support for parallelism, continue-on-error, and the new side-by-side output format.

Changes Reviewed:

• ✅ GitHub Action metadata properly defines new inputs with appropriate defaults
• ✅ CLI flags correctly map to pipeline options
• ✅ Unit tests cover the new output format parsing
• ✅ Documentation consistently updated across README, getting started guide, and GitHub Actions docs

The changes are well-structured and maintain consistency between the Action inputs, CLI implementation, and documentation. No blocking issues identified.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[gemini-code-assist]

Code Review

This pull request adds GitHub Action inputs to action.yml and maps them to the Docker action arguments, aligning the action with the CLI flags. It also introduces continue-on-error and parallelism flags to the pipeline command, supports a new side-by-side output format, and updates documentation and tests accordingly. Feedback on this PR highlights a critical issue in cmd/secretsync/cmd/pipeline.go where errors can be swallowed in CI/CD environments when exitCodeMode is enabled. Specifically, if the pipeline fails early, the exit code check might return 0 and bypass the error check, returning success. A refactoring of the exit behavior is suggested to ensure errors and target failures are evaluated first.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/secretsync/cmd/pipeline.go`:
- Line 87: CLI flag and docs default to true while pipeline.DefaultOptions() and
the Python DefaultSyncOptions() use false; make programmatic defaults match the
CLI/docs by changing the pipeline default to true. Update
pkg/pipeline/pipeline.go's DefaultOptions() to set ContinueOnError: true, and
mirror that change in python/secretssync/secretssync.go's DefaultSyncOptions()
so both codepaths use the same default; also scan for any other places that
construct defaults and adjust them to the new ContinueOnError default to keep
behavior consistent with pipelineCmd.Flags().BoolVar and docs/action.yml.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f2f9067f-5941-4148-aca9-1e83ab611d0a

📥 Commits

Reviewing files that changed from the base of the PR and between 74b24ae and bf0cfe7.

📒 Files selected for processing (7)

• README.md
• action.yml
• cmd/secretsync/cmd/pipeline.go
• cmd/secretsync/cmd/pipeline_test.go
• docs/ACTION_QUICK_REFERENCE.md
• docs/GETTING_STARTED.md
• docs/GITHUB_ACTIONS.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/pipeline/pipeline.go (1)

87-96: ⚠️ Potential issue | 🟠 Major

Align ContinueOnError default (true) across surfaces; confirm --exit-code + docs.

• action.yml default for continue-on-error is "true", and the CLI --continue-on-error flag help default is true, matching pkg/pipeline/pipeline.go (DefaultOptions sets ContinueOnError: true).
• Confirm all documentation reflects the new default (beyond the CLI help text).
• Confirm --exit-code mode still surfaces failures with a non-zero exit code even when ContinueOnError=true allows the pipeline to continue.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/pipeline/pipeline.go` around lines 87 - 96, DefaultOptions currently sets
ContinueOnError: true; ensure consistency by verifying and updating all surfaces
that declare the default (e.g., action.yml, CLI flag help text, and any docs) to
reflect ContinueOnError = true, and update documentation where necessary; also
confirm the CLI flag handling and the exit-code logic (where --exit-code is
parsed and the pipeline final status is computed) still override process exit
behavior so that even when Options.ContinueOnError is true the program returns a
non-zero exit code when failures occurred and --exit-code is enabled (adjust the
exit logic in the code path that evaluates Options and the --exit-code flag to
compute finalExitCode based on recorded failures).

🧹 Nitpick comments (1)

cmd/secretsync/cmd/pipeline.go (1)

198-203: 💤 Low value

Redundant cancel() calls before os.Exit().

The cancel() calls on lines 198 and 203 occur immediately before os.Exit(), which terminates the process. The deferred context cancellation is redundant since the process exits immediately.

♻️ Optional cleanup

 if exitCodeMode {
     if hasErrors {
-        cancel()
         os.Exit(2)
     }
     exitCode := p.ExitCode()
     if exitCode != 0 {
-        cancel()
         os.Exit(exitCode)
     }
     return nil
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/secretsync/cmd/pipeline.go` around lines 198 - 203, The cancel() calls
immediately before os.Exit(...) in the pipeline shutdown path are redundant
because os.Exit terminates the process and deferred cancellation won't run;
remove the cancel() invocations that directly precede os.Exit(2) and
os.Exit(...) (the calls adjacent to p.ExitCode() handling) and rely on existing
deferred cancel() or perform necessary cleanup before calling os.Exit; search
for the cancel() calls in the function that also calls p.ExitCode() to update
those spots.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/pipeline/pipeline.go`:
- Around line 87-96: DefaultOptions currently sets ContinueOnError: true; ensure
consistency by verifying and updating all surfaces that declare the default
(e.g., action.yml, CLI flag help text, and any docs) to reflect ContinueOnError
= true, and update documentation where necessary; also confirm the CLI flag
handling and the exit-code logic (where --exit-code is parsed and the pipeline
final status is computed) still override process exit behavior so that even when
Options.ContinueOnError is true the program returns a non-zero exit code when
failures occurred and --exit-code is enabled (adjust the exit logic in the code
path that evaluates Options and the --exit-code flag to compute finalExitCode
based on recorded failures).

---

Nitpick comments:
In `@cmd/secretsync/cmd/pipeline.go`:
- Around line 198-203: The cancel() calls immediately before os.Exit(...) in the
pipeline shutdown path are redundant because os.Exit terminates the process and
deferred cancellation won't run; remove the cancel() invocations that directly
precede os.Exit(2) and os.Exit(...) (the calls adjacent to p.ExitCode()
handling) and rely on existing deferred cancel() or perform necessary cleanup
before calling os.Exit; search for the cancel() calls in the function that also
calls p.ExitCode() to update those spots.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ccd560ef-fbe7-4ce9-890c-73c8377e9cc0

📥 Commits

Reviewing files that changed from the base of the PR and between bf0cfe7 and bd6dbfa.

📒 Files selected for processing (25)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• .goreleaser.yml
• Makefile
• README.md
• action.yml
• cmd/secretsync/cmd/pipeline.go
• cmd/secretsync/cmd/pipeline_test.go
• docs/ACTION_QUICK_REFERENCE.md
• docs/ARCHITECTURE_GAP_ANALYSIS.md
• docs/FAQ.md
• docs/GETTING_STARTED.md
• docs/GITHUB_ACTIONS.md
• docs/MARKETPLACE.md
• docs/PIPELINE.md
• docs/PUBLISHING_CHECKLIST.md
• docs/PYTHON_BINDINGS.md
• docs/SUPPORT.md
• docs/TWO_PHASE_ARCHITECTURE.md
• docs/getting-started/installation.md
• examples/github-action-workflow.yml
• pkg/pipeline/pipeline.go
• pkg/pipeline/pipeline_test.go
• python/secretssync/secretssync.go
• python/secretssync/secretssync_test.go

✅ Files skipped from review due to trivial changes (3)

• pkg/pipeline/pipeline_test.go
• docs/PYTHON_BINDINGS.md
• docs/FAQ.md

[coderabbitai]

🧹 Nitpick comments (1)

Dockerfile (1)

8-8: golang:1.26-trixie base image tag exists (and patch-pinned tags are available).

golang:1.26-trixie resolves on Docker Hub, and patch-pinned alternatives golang:1.26.4-trixie / golang:1.26.4 also exist. If you want the builder image to stay aligned with go.mod’s 1.26.4 exactly, consider pinning golang:1.26.4-trixie instead of 1.26-trixie.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 8, The Dockerfile currently uses the floating builder
image tag "golang:1.26-trixie"; update the FROM instruction to the patch-pinned
tag that matches go.mod (e.g., "golang:1.26.4-trixie" or "golang:1.26.4") so the
builder image is version-aligned—modify the FROM line in the Dockerfile to use
the chosen patch-pinned tag.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@Dockerfile`:
- Line 8: The Dockerfile currently uses the floating builder image tag
"golang:1.26-trixie"; update the FROM instruction to the patch-pinned tag that
matches go.mod (e.g., "golang:1.26.4-trixie" or "golang:1.26.4") so the builder
image is version-aligned—modify the FROM line in the Dockerfile to use the
chosen patch-pinned tag.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f9ac9e7-1e8f-4567-bb28-7be44546cde4

📥 Commits

Reviewing files that changed from the base of the PR and between bd6dbfa and fc24399.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (20)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• Dockerfile
• README.md
• docs/DEPLOYMENT.md
• docs/ERROR_CONTEXT.md
• docs/PIPELINE.md
• docs/PUBLISHING_CHECKLIST.md
• docs/ROADMAP.md
• docs/development/contributing.md
• docs/getting-started/installation.md
• docs/testing/organizations-discovery-integration-tests.md
• examples/organizations-discovery.yaml
• examples/pipeline-config.yaml
• go.mod
• pkg/pipeline/aws_context_test.go
• pkg/pipeline/config_test.go
• pkg/pipeline/discovery_organizations.go
• pkg/pipeline/discovery_ou_test.go
• pkg/pipeline/types.go

✅ Files skipped from review due to trivial changes (10)

• pkg/pipeline/config_test.go
• docs/development/contributing.md
• docs/DEPLOYMENT.md
• examples/pipeline-config.yaml
• docs/getting-started/installation.md
• docs/ERROR_CONTEXT.md
• docs/PIPELINE.md
• docs/PUBLISHING_CHECKLIST.md
• .github/workflows/release.yml
• README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci.yml

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dockerfile_test.go`:
- Line 31: The current check in dockerfile_test.go of if strings.Contains(text,
"./vss") || strings.Contains(text, " vss ") can miss variants like "vss
pipeline", "`vss`", or occurrences at line edges; replace this fragile check by
normalizing the dockerfile text (e.g., lowercasing and replacing
punctuation/newlines with spaces) and then perform a boundary-based match for
the token "vss" (use a word-boundary regex such as \bvss\b or split into fields
and check equality) against the normalized text variable so that occurrences
like "./vss", "`vss`", "vss", and "vss pipeline" are all detected reliably.
Ensure you update the conditional where text is inspected and reuse the same
normalized text/regex match logic for both "./vss" and bare "vss" checks.

In `@SECURITY.md`:
- Around line 9-10: The security policy shows support for 2.x only but the
example later still demonstrates a 1.2.x patch update; update the
security-update example to use the 2.x patch flow instead of "1.2.x" so examples
match the support table — locate the example that references "1.2.x" (the
security-update example) and change the version strings, commands, and any
sample bump/patch steps to use the 2.x patch version format (e.g., 2.<minor>.x)
and ensure wording reflects the 2.x patch-release flow.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1741400b-7b62-4502-a220-8218b3001f5e

📥 Commits

Reviewing files that changed from the base of the PR and between 5bee28b and 052f9ca.

📒 Files selected for processing (22)

• .goreleaser.yml
• Dockerfile
• SECURITY.md
• cmd/secretsync/cmd/context.go
• cmd/secretsync/cmd/graph.go
• cmd/secretsync/cmd/help_text_test.go
• cmd/secretsync/cmd/migrate.go
• cmd/secretsync/cmd/validate.go
• deploy/charts/secretsync/charts/secretsync-operator/crds/secretsync.extendeddata.dev_secretsyncs.yaml
• deploy/charts/secretsync/charts/secretsync-operator/templates/clusterrole.yaml
• dockerfile_test.go
• docs/FAQ.md
• docs/OBSERVABILITY.md
• docs/ROADMAP.md
• docs/SECURITY.md
• docs/USAGE.md
• docs/testing/organizations-discovery-integration-tests.md
• docs_security_test.go
• docs_version_test.go
• helm_chart_test.go
• release_config_test.go
• scripts/break-fork.sh

💤 Files with no reviewable changes (2)

• scripts/break-fork.sh
• Dockerfile

✅ Files skipped from review due to trivial changes (4)

• docs/OBSERVABILITY.md
• cmd/secretsync/cmd/graph.go
• docs/USAGE.md
• cmd/secretsync/cmd/context.go

🚧 Files skipped from review as they are similar to previous changes (1)

• .goreleaser.yml