feat: Handle Secret Lookup Rate Limit errors #2866

Merged: moshloop merged 1 commit into master from fix-2818-secret-rate-limit-handling on Feb 11, 2026

@adityathebe adityathebe commented Feb 10, 2026

resolves: #2818

Summary by CodeRabbit

Release Notes

  • New Features

    • Implemented automatic rescheduling of canary checks when encountering secret lookup rate limits, with optimized retry timing to improve reliability and distribution.
  • Refactor

    • Improved internal check execution pathways and canary status update processing for enhanced efficiency.
    • Updated dependencies for improved scheduling and timing capabilities.

@adityathebe adityathebe marked this pull request as draft February 10, 2026 09:47
@adityathebe adityathebe force-pushed the fix-2818-secret-rate-limit-handling branch from 6f14889 to a1b1df9 Compare February 10, 2026 09:49
@adityathebe adityathebe marked this pull request as ready for review February 10, 2026 10:37
@flanksource flanksource deleted a comment from coderabbitai bot Feb 10, 2026
@flanksource flanksource deleted a comment from coderabbitai bot Feb 10, 2026

coderabbitai bot commented Feb 10, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details: HttpError, status 404 ("Not Found"), on PATCH https://api.github.com/repos/flanksource/canary-checker/issues/comments/3876525019. The request body was the following comment:

## Walkthrough

This PR introduces Kubernetes secret lookup rate limiting support. It adds a new `RunChecksMeta` type to carry rate limit information, modifies `RunChecks` to return metadata alongside results, introduces `RunChecksNoPersistence` for non-persistent check execution, adds rate limiting infrastructure with helper functions, and updates all callers and downstream components to handle reschedules when rate limits are encountered.

## Changes

|Cohort / File(s)|Summary|
|---|---|
|**Rate limiting infrastructure** <br> `checks/runchecks.go`, `go.mod`|Introduced `RunChecksMeta` struct and updated `RunChecks` signature to return metadata; added `RunChecksNoPersistence` for non-persistent execution; implemented secret lookup rate limiting with constants, rate limiter, and filtering helpers; added `golang.org/x/time` dependency.|
|**Check execution paths** <br> `checks/kubernetes_resource.go`, `pkg/topology/run.go`|Updated calls to use `RunChecksNoPersistence` instead of `Exec` or direct execution for embedded check contexts, enabling non-persistent check evaluation.|
|**Caller signature updates** <br> `cmd/run.go`, `pkg/api/run_now.go`, `test/run_test.go`|Updated all call sites of `RunChecks` to handle the new three-value return signature, discarding the metadata value where not needed.|
|**Canary job orchestration** <br> `pkg/jobs/canary/canary_jobs.go`, `pkg/jobs/canary/status.go`|Added `maybeRescheduleAfterSecretLookupRateLimit` helper to conditionally reschedule canary runs when rate limits are encountered; added early-exit guard in status update when results are empty.|
|**Import reordering** <br> `api/context/context.go`|Reordered imports to position external, v1, and pkg imports after gomplate import; no functional changes.|

## Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant RunChecks as Check Executor
    participant RateLimiter as Rate Limiter
    participant Handler as Result Handler
    participant Scheduler as Job Scheduler

    Client->>RunChecks: Execute checks
    activate RunChecks
    RunChecks->>RateLimiter: Check secret lookup rate limit
    alt Rate limit exceeded
        RateLimiter-->>RunChecks: Limited (increment skip count)
        RunChecks->>Handler: Return results with<br/>SecretLookupRateLimitSkipped > 0
    else Within limits
        RateLimiter-->>RunChecks: Proceed
        RunChecks->>Handler: Return results with<br/>SecretLookupRateLimitSkipped = 0
    end
    deactivate RunChecks

    activate Handler
    Handler->>Scheduler: Check if rate limit was hit
    alt SecretLookupRateLimitSkipped > 0
        Handler->>Scheduler: Schedule earlier retry<br/>with deterministic delay
        Scheduler-->>Handler: Retry scheduled
    else No rate limit hit
        Handler->>Scheduler: Proceed with normal flow
    end
    deactivate Handler
```

## Possibly related PRs

- **flanksource/canary-checker#2802**: Modifies checks/runchecks.go and api/context/context.go for alternative check execution paths and per-check output propagation.

## Suggested reviewers

- moshloop

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| :---: | :--- | :--- | :--- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| :---: | :--- | :--- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: Handle Secret Lookup Rate Limit errors' clearly and specifically describes the main change in the PR, matching the primary objective of handling Kubernetes secret lookup rate limit errors. |
| Linked Issues check | ✅ Passed | The PR implements infrastructure to distinguish secret lookup rate-limit errors from genuine failures: adds rate-limit detection, filtering logic, rescheduling on rate limits, and prevents rate-limited results from failing health checks. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing secret lookup rate-limit handling. No unrelated code changes or refactoring outside the PR's stated objectives were introduced. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@checks/runchecks.go`:
- Around line 199-201: RunChecksNoPersistence is calling
filterSecretLookupRateLimitedResults which consumes tokens from the global
secretLookupRateLimiter even though its skipped counts are discarded; change
RunChecksNoPersistence to avoid draining the shared limiter by either (A)
skipping the call to filterSecretLookupRateLimitedResults in the no-persistence
path and directly use transformedResults for ExportCheckMetrics, or (B) modify
filterSecretLookupRateLimitedResults to accept an injected limiter and pass a
per-canary/no-op limiter from RunChecksNoPersistence so the global
secretLookupRateLimiter is not consumed; ensure ExportCheckMetrics still
receives the correct filteredResults or equivalent and preserve any
skipped-count reporting logic local to the canary if needed.
- Around line 32-35: The package-level singleton secretLookupRateLimiter causes
token sharing across canaries; replace it with a per-canary limiter registry
(e.g., a sync.Map or existing gocache) and provide a helper like
getSecretLookupLimiter(canaryID string) that looks up or creates a
rate.NewLimiter(rate.Limit(float64(defaultSecretLookupFailureThreshold)/defaultSecretLookupFailureWindow.Seconds()),
defaultSecretLookupFailureThreshold) for that canary; update call sites that
used secretLookupRateLimiter to call getSecretLookupLimiter(canary.ID) and
consider eviction/cleanup of stale limiters if using a long-lived map.
🧹 Nitpick comments (2)
pkg/jobs/canary/canary_jobs.go (1)

172-192: Simplify the random number generation — Go 1.20+ supports auto-seeded, thread-safe rand.Intn, so the local rand.New(rand.NewSource(...)) is unnecessary:

-	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
-	delay := time.Minute + time.Duration(rng.Intn(60))*time.Second
+	delay := time.Minute + time.Duration(rand.Intn(60))*time.Second
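
Review bot: the `+` line relies on the package-level `rand.Intn` being seeded automatically, which holds only for `math/rand` built with Go 1.20 or later; on an older toolchain the global source starts from a fixed seed, so every replica would draw the same sequence of 60 to 119 second delays and the jitter would stop spreading retries. Neither the import nor the module's `go` directive is visible in this hunk, so confirm both before dropping the `rand.New(rand.NewSource(...))` line, or keep the local source.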

Consider a safeguard against excessive retry chains — if a canary's rate-limited job keeps failing every 1-2 minutes while its next scheduled run is > 5 minutes away, maybeRescheduleAfterSecretLookupRateLimit will reschedule repeatedly, creating a chain of retries. The 5-minute check provides some protection but doesn't prevent multiple consecutive retries. Consider adding a max retry limit or cooldown tracking to avoid potential thundering herd behavior during sustained rate-limiting.

pkg/topology/run.go (1)

223-226: Switching to RunChecksNoPersistence is appropriate for topology lookups.

The return signature ([]*pkg.CheckResult, error) matches the existing destructuring. Topology lookups don't need persistence, so this is a clean fit.

One consideration: RunChecksNoPersistence silently filters out rate-limited results (discards the skipped count in checks/runchecks.go line 198). If a topology lookup is rate-limited, the caller here gets an incomplete result set with no indication that entries were dropped. This could lead to topology components silently disappearing during rate-limit episodes. You may want to at least log a warning inside RunChecksNoPersistence when results are filtered, or surface the count to the caller.
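
The per-canary limiter registry suggested in the review above, as an added example that is not code from the PR or the project: it uses a small standard-library token bucket in place of `rate.Limiter`, and `threshold`, `window`, `limiters` and `tokenAfterNoise` are hypothetical names with constructed values. It shows that one canary exhausting its budget starves the others only when they share a key.

```go
package main

import (
	"fmt"
	"math"
	"sync"
	"time"
)

const threshold, window = 3, time.Minute // constructed values; the page does not give them

type bucket struct {
	tokens float64
	last   time.Time
}

// limiters keeps one bucket per canary ID (hypothetical; stdlib stand-in for rate.Limiter).
type limiters struct {
	mu sync.Mutex
	m  map[string]*bucket
}

// allow refills id's bucket (threshold tokens per window, capped), then spends one token.
func (l *limiters) allow(id string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.m[id] == nil {
		l.m[id] = &bucket{tokens: threshold, last: now}
	}
	b := l.m[id]
	b.tokens = math.Min(threshold, b.tokens+now.Sub(b.last).Seconds()*threshold/window.Seconds())
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// tokenAfterNoise drains "noisy", then asks under key; key "noisy" models the shared singleton.
func tokenAfterNoise(key string) bool {
	l, now := &limiters{m: map[string]*bucket{}}, time.Unix(0, 0)
	for i := 0; i < 5; i++ {
		l.allow("noisy", now)
	}
	return l.allow(key, now)
}

func main() { fmt.Println("shared:", tokenAfterNoise("noisy"), "per-canary:", tokenAfterNoise("quiet")) }
```

In a long-running process the map would also need the stale-entry cleanup the review mentions.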

@moshloop moshloop merged commit 77c72ad into master Feb 11, 2026
18 checks passed
@moshloop moshloop deleted the fix-2818-secret-rate-limit-handling branch February 11, 2026 06:14

Successfully merging this pull request may close these issues.

Do not consider k8s rate limiting of secret lookup as a health check failures
