feat(worker): add env var to disable repo-driven permission syncing (#989)

brendan-kellam · claude · web-flow · commit ab1ff6d30d52 · 2026-03-09T21:15:56.000-07:00
* feat(backend): add env vars to independently enable/disable user and repo driven permission syncing Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: update CHANGELOG for #989 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat(backend): only allow repo-driven permission syncing to be disabled Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs: add Azure DevOps Cloud and Server to permission syncing platform support table Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988)
+- [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989)
 
 ## [4.15.3] - 2026-03-10
 
diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx
@@ -46,6 +46,7 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | <p>Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.</p> |
 | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 
diff --git a/docs/docs/features/permission-syncing.mdx b/docs/docs/features/permission-syncing.mdx
@@ -41,6 +41,8 @@ We are actively working on supporting more code hosts. If you'd like to see a sp
 | [GitLab (Self-managed & Cloud)](/docs/features/permission-syncing#gitlab) | ✅ |
 | [Bitbucket Cloud](/docs/features/permission-syncing#bitbucket-cloud) | 🟠 Partial |
 | [Bitbucket Data Center](/docs/features/permission-syncing#bitbucket-data-center) | 🟠 Partial |
+| Azure DevOps Cloud | 🛑 |
+| Azure DevOps Server | 🛑 |
 | Gitea | 🛑 |
 | Gerrit | 🛑 |
 | Generic git host | 🛑 |
@@ -134,7 +136,14 @@ Permission syncing works by periodically syncing ACLs from the code host(s) to S
 - **User driven** : fetches the list of all repositories that a given user has access to.
 - **Repo driven** : fetches the list of all users that have access to a given repository.
 
-User driven and repo driven syncing occurs every 24 hours by default. These intervals can be configured using the following settings in the [config file](/docs/configuration/config-file):
+User driven and repo driven syncing occurs every 24 hours by default. Repo-driven syncing can be disabled independently using the following environment variable:
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | Enables/disables repo-driven syncing. |
+
+The sync intervals can be configured using the following settings in the [config file](/docs/configuration/config-file):
+
 | Setting                                         | Type    | Default    | Minimum |
 |-------------------------------------------------|---------|------------|---------|
 | `experiment_repoDrivenPermissionSyncIntervalMs` | number  | 24 hours   | 1       |
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
@@ -76,7 +76,9 @@ if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('per
     process.exit(1);
 }
 else if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
-    repoPermissionSyncer.startScheduler();
+    if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {
+        repoPermissionSyncer.startScheduler();
+    }
     accountPermissionSyncer.startScheduler();
 }
 
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -247,6 +247,7 @@ export const env = createEnv({
         // @NOTE: Take care to update actions.ts when changing the name of this.
         EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(),
         EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'),
+        PERMISSION_SYNC_REPO_DRIVEN_ENABLED: booleanSchema.default('true'),
         EXPERIMENT_ASK_GH_ENABLED: booleanSchema.default('false'),
 
         SOURCEBOT_ENCRYPTION_KEY: z.string(),

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,9 @@ if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('per`
`76`	`76`	`process.exit(1);`
`77`	`77`	`}`
`78`	`78`	`else if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {`
`79`		`- repoPermissionSyncer.startScheduler();`
	`79`	`+ if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') {`
	`80`	`+ repoPermissionSyncer.startScheduler();`
	`81`	`+ }`
`80`	`82`	`accountPermissionSyncer.startScheduler();`
`81`	`83`	`}`
`82`	`84`