Branch SHA Drift Checker
Daily schedule reads expected head SHAs per long-lived release branch from a config SharePoint list, calls Get A Reference to fetch actual SHAs, and emails the release manager any drift for investigation.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This cloud flow runs on a daily schedule and verifies that a curated set of long-lived release branches in a target GitHub repository still point at the head SHAs your team has designated as "expected." For every branch defined in a SharePoint configuration list, the flow fetches the current HEAD SHA from GitHub and compares it against the recorded expected SHA. Any branch where the two disagree is rolled up into a drift report and emailed to the release manager as a High-importance alert.
The flow is entirely declarative — no scripts, no Azure Functions, no webhooks — and relies exclusively on first-party connector actions.
Use Case
Engineering teams that maintain a set of protected release branches (release/2026-04, hotfix/2026-03, main, etc.) often need confidence that nobody has quietly rebased, force-pushed, or fast-forwarded those branches outside of the change-management process. This flow gives release managers a daily "diff" between what the SharePoint config list says the branch head *should* be and what GitHub reports it *actually* is.
The flow is ideal for teams that:
- Need SOC 2 / ISO 27001 evidence of branch-integrity monitoring.
- Enforce release-freeze windows during which branches should be immutable.
- Coordinate multiple long-lived hotfix branches across repos.
- Audit force-push exceptions granted to CI/CD service accounts.
Flow Architecture
- Daily_Schedule_0900 (Recurrence): fires once a day at 09:00 EST.
- Init 5 variables (InitializeVariable): varSharePointSiteURL, varConfigListName, varReleaseManagerEmail, varDriftCount=0, varDriftReportHtmlRows=''.
- Get_Branch_Config_Items (SharePoint GetItems): pulls every active row from the Branch Drift Config list with top=500.
- For_Each_Branch_Config_Row (Foreach): inner actions Get_Actual_Reference_From_GitHub → Check_If_SHA_Has_Drifted → Append_Drift_Row_To_Html_Report + Increment_Drift_Count when SHAs differ.
- Check_If_Any_Drift_Detected (If condition): evaluates greater(varDriftCount, 0) so the email is only sent when there is signal.
  - Yes branch: Send_Branch_Drift_Alert_Email — Outlook SendEmailV2 with the accumulated <tr> rows wrapped in a styled table, Importance=High.
  - No branch: empty — no email is sent on clean days.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_SharePointSiteURL | String | — | SharePoint site that hosts the branch-drift config list. |
| flowlibs_BranchDriftConfigListName | String | Branch Drift Config | Display name of the list containing one row per monitored branch. |
| flowlibs_ReleaseManagerEmail | String | — | Recipient for drift alert emails. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| SharePoint | shared_sharepointonline | GetItems (reads the config list) |
| GitHub | shared_github | GetReference (fetches current HEAD SHA) |
| Office 365 Outlook | shared_office365 | SendEmailV2 (drift alert email) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Multi-recipient alerting: replace the single env var with a semicolon-delimited list — SendEmailV2 accepts ;-separated To.
- Teams alert instead of email: swap Outlook SendEmailV2 for Teams PostMessageToChannelV3 using the same accumulated HTML body.
- Per-branch severity: add an Importance column to the config list and set emailMessage/Importance dynamically from the highest value across drifts.
- Auto-reconcile: if a drift is trusted (CI bot advanced a release branch), call GitHub UpdateRef and write the actual SHA back to SharePoint as the new expected value.
- Run faster: change Recurrence frequency from Day to Hour and drop the schedule block for hourly polling.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.
- EXPR.01 (Environment-variable-seeded Init): canonical pattern for hydrating a string variable from an env var.
- EXPR.02 (GitHub reference path): GetReference expects `heads/{branch}` — no leading slash, no `refs/`.
- EXPR.03 (Case-insensitive SHA compare): robust against uppercase SHAs in user-edited config rows.
- EXPR.04 (Drift-guarded branching): suppresses the daily 'no drifts' email.
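The following is an added example, not part of the flow definition or the template's own code: a plain-Python model of the For_Each_Branch_Config_Row loop and of EXPR.02 through EXPR.04, so the comparison logic can be exercised offline before editing the flow. The SharePoint column names (BranchName, ExpectedSha) and all SHAs are constructed assumptions, and `get_reference` is a stand-in for the GitHub GetReference call. Two choices go beyond what the page describes and are this example's own: a branch that no longer exists on GitHub is reported as drift rather than silently skipped, and branch names are HTML-escaped before they land in the email body, since they come from a user-editable list.

```python
"""Offline model of the Branch SHA Drift Checker's per-branch loop (added example)."""
import html
import re

# Well-formed git object id: 40 lowercase hex characters after normalisation.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for rows returned by SharePoint GetItems.
# Column names are assumptions, not the real list schema.
CONFIG_ROWS = [
    # Uppercase SHA as a user might paste it into the config list.
    {"BranchName": "main", "ExpectedSha": "3F8A1C2D4E5B6A7980C1D2E3F4A5B6C7D8E9F0A1"},
    {"BranchName": "release/2026-04", "ExpectedSha": "a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e"},
    # Trailing whitespace from a sloppy edit.
    {"BranchName": "hotfix/2026-03", "ExpectedSha": "0011223344556677889900aabbccddeeff001122 "},
]

# Constructed stand-in for GetReference responses, keyed by the ref path the flow sends.
# hotfix/2026-03 is deliberately absent: the branch was deleted on GitHub.
GITHUB_REFS = {
    "heads/main": "3f8a1c2d4e5b6a7980c1d2e3f4a5b6c7d8e9f0a1",
    "heads/release/2026-04": "ffffffffffffffffffffffffffffffffffffffff",
}


def ref_path(branch_name: str) -> str:
    """EXPR.02: GetReference wants 'heads/{branch}' with no leading slash and no 'refs/'."""
    name = branch_name.strip().lstrip("/")
    if name.startswith("refs/heads/"):
        name = name[len("refs/heads/"):]
    elif name.startswith("heads/"):
        name = name[len("heads/"):]
    return "heads/" + name


def normalize_sha(sha: str) -> str:
    """EXPR.03: lower-case and trim so config typos do not register as drift."""
    return (sha or "").strip().lower()


def shas_match(expected: str, actual: str) -> bool:
    """Case-insensitive comparison of the expected and actual head SHAs."""
    return normalize_sha(expected) == normalize_sha(actual)


def config_problems(config_rows) -> list:
    """Branches whose expected SHA is not a 40-hex object id; these can never match."""
    return [r["BranchName"] for r in config_rows if not SHA_RE.match(normalize_sha(r["ExpectedSha"]))]


def check_drift(config_rows, get_reference):
    """Model of For_Each_Branch_Config_Row: returns (drift_count, html_rows).

    get_reference(ref_path) returns the actual SHA, or None when GitHub has no
    such ref. A missing branch counts as drift here (this example's choice).
    """
    drift_count = 0
    rows = []
    for row in config_rows:
        branch = row["BranchName"]
        actual = get_reference(ref_path(branch))
        if actual is not None and shas_match(row["ExpectedSha"], actual):
            continue  # Check_If_SHA_Has_Drifted: no drift, nothing appended
        drift_count += 1  # Increment_Drift_Count
        rows.append(  # Append_Drift_Row_To_Html_Report, with escaping
            "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
                html.escape(branch),
                html.escape(normalize_sha(row["ExpectedSha"])),
                html.escape(actual if actual is not None else "(ref not found)"),
            )
        )
    return drift_count, "".join(rows)


def should_alert(drift_count: int) -> bool:
    """EXPR.04: only send the email when greater(varDriftCount, 0)."""
    return drift_count > 0


if __name__ == "__main__":
    count, body = check_drift(CONFIG_ROWS, GITHUB_REFS.get)
    print("drifted branches:", count, "| alert:", should_alert(count))
    print(body)
```

Running the block reports two drifted branches: release/2026-04 (SHA differs) and hotfix/2026-03 (ref missing), while main is clean despite its uppercase expected SHA. The `config_problems` helper is the check worth running before trusting a drift report: a malformed expected value produces perpetual drift that is a data-entry problem, not a branch-integrity one.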