Branch SHA Drift Checker
Daily schedule reads expected head SHAs per long-lived release branch from a config SharePoint list, calls Get A Reference to fetch actual SHAs, and emails the release manager any drift for investigation.
Overview
Runs daily and verifies that a curated set of long-lived release branches in a target GitHub repo still point at the head SHAs your team has designated as "expected". For every branch defined in a SharePoint config list, fetches current HEAD SHA from GitHub and compares against the recorded expected SHA. Any drift is rolled into a report and emailed to the release manager as a High-importance alert.
Fully declarative — no scripts, no Azure Functions, no webhooks. First-party connectors only.
**State:** Stopped (Off)
Use Case
Engineering teams that maintain protected release branches (release/2026-04, hotfix/2026-03, main) need confidence that nobody has rebased, force-pushed, or fast-forwarded those branches outside change-management. Branch protection rules don't catch the inverse case where a branch has *legitimately* advanced but documentation still references the old SHA.
Typical triggers: SOC 2 / ISO 27001 evidence; release-freeze windows; multi-hotfix coordination; auditing CI/CD force-push exceptions.
Flow Architecture
Trigger: **Daily_Schedule_0900** (daily, 09:00 EST).
1. Init 5 vars (SP site URL, list name, release mgr email, drift count=0, drift report HTML rows='')
2. **Get_Branch_Config_Items** (SP GetItems with $top: 500 against config list)
3. **For_Each_Branch_Config_Row** (Foreach):
- Get_Actual_Reference_From_GitHub (GitHub GetReference for `heads/{BranchName}`)
- Check_If_SHA_Has_Drifted (If: lower-cased actual != lower-cased expected)
- True: Append <tr> row to HTML report; increment drift count
4. **Check_If_Any_Drift_Detected** (If: `varDriftCount > 0`)
- True: Send_Branch_Drift_Alert_Email (High importance)
Environment Variables
| Variable | Schema Name | Type | Default | Purpose |
|---|---|---|---|---|
| FlowLibs SharePoint Site URL | flowlibs_SharePointSiteURL | String | (none) | SharePoint site hosting the branch-drift config list |
| FlowLibs Branch Drift Config List Name | flowlibs_BranchDriftConfigListName | String | Branch Drift Config | Display name of the list with one row per monitored branch |
| FlowLibs Release Manager Email | flowlibs_ReleaseManagerEmail | String | (none) | Recipient for drift alert emails |
Connectors & Connections
| Connector | API Name | Connection Format | Usage |
|---|---|---|---|
| SharePoint | shared_sharepointonline | shared-sharepointonl-{guid} | GetItems — config list |
| GitHub | shared_github | raw GUID | GetReference — fetch HEAD SHA per branch |
| Office 365 Outlook | shared_office365 | shared-office365-{guid} | SendEmailV2 — drift alert |
Customization Guide
1. Import managed solution (prompts for env vars + connection refs).
2. Supply SP site URL, list name, recipient email.
3. Bind 3 connection refs.
4. Populate config list with RepositoryOwner, RepositoryName, BranchName, ExpectedSHA columns.
5. Turn on.
**Common Modifications:** multi-recipient via ;-separated list; Teams alert via PostMessageToChannelV3; per-branch severity via Importance column; auto-reconcile via UpdateRef + write-back; faster cadence (Hour frequency).
Key Expressions
- @parameters('flowlibs_SharePointSiteURL') — env-var-seeded init
- @concat('heads/', items('For_Each_Branch_Config_Row')?['BranchName']) — GitHub reference path
- Case-insensitive SHA compare via toLower() on both sides
- Flat operator If: {"not":{"equals":[…]}} — flow-definition friendly form
- @greater(variables('varDriftCount'), 0) — drift-guarded branching
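The following is an added illustration, not the solution's exported definition, of how the Foreach body from the Flow Architecture section wires these expressions together in workflow-definition JSON. The GitHub connector parameter names (owner, repo, ref), the GetReference output path body/object/sha, the action names Append_Drift_Row and Increment_Drift_Count, and the variable name varDriftReportRows are assumptions, not taken from the solution.

```json
{
  "For_Each_Branch_Config_Row": {
    "type": "Foreach",
    "foreach": "@outputs('Get_Branch_Config_Items')?['body/value']",
    "actions": {
      "Get_Actual_Reference_From_GitHub": {
        "type": "OpenApiConnection",
        "inputs": {
          "host": { "connectionName": "shared_github", "operationId": "GetReference" },
          "parameters": {
            "owner": "@items('For_Each_Branch_Config_Row')?['RepositoryOwner']",
            "repo": "@items('For_Each_Branch_Config_Row')?['RepositoryName']",
            "ref": "@concat('heads/', items('For_Each_Branch_Config_Row')?['BranchName'])"
          }
        },
        "runAfter": {}
      },
      "Check_If_SHA_Has_Drifted": {
        "type": "If",
        "expression": {
          "not": {
            "equals": [
              "@toLower(outputs('Get_Actual_Reference_From_GitHub')?['body/object/sha'])",
              "@toLower(items('For_Each_Branch_Config_Row')?['ExpectedSHA'])"
            ]
          }
        },
        "actions": {
          "Append_Drift_Row": {
            "type": "AppendToStringVariable",
            "inputs": {
              "name": "varDriftReportRows",
              "value": "<tr><td>@{items('For_Each_Branch_Config_Row')?['BranchName']}</td><td>@{items('For_Each_Branch_Config_Row')?['ExpectedSHA']}</td><td>@{outputs('Get_Actual_Reference_From_GitHub')?['body/object/sha']}</td></tr>"
            },
            "runAfter": {}
          },
          "Increment_Drift_Count": {
            "type": "IncrementVariable",
            "inputs": { "name": "varDriftCount", "value": 1 },
            "runAfter": { "Append_Drift_Row": ["Succeeded"] }
          }
        },
        "runAfter": { "Get_Actual_Reference_From_GitHub": ["Succeeded"] }
      }
    },
    "runAfter": { "Get_Branch_Config_Items": ["Succeeded"] }
  }
}
```

Because the If only runs after GetReference succeeds, a branch that has been deleted or renamed fails the whole run instead of appearing in the report; adding "Failed" to that runAfter list and treating a missing ref as drift closes that gap.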