From a3529a9ef1ccc2b5bf1907b4b1feab1a57dddf85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Grodotzki?=
Date: Fri, 22 May 2026 21:53:33 +0200
Subject: [PATCH 1/2] Oidc retry
---
 main.go | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/main.go b/main.go
index 316d0a87..17f839a9 100644
--- a/main.go
+++ b/main.go
@@ -229,10 +229,7 @@ func main() {
 router.RegisterAPIv1(apiV1, db, sendmail, cw, defaultEmailSubject, defaultEmailContent, appVersion, gitCommit, auditLog)
 // OIDC SSO routes
- oidcProvider, err := handler.NewOIDCProvider()
- if err != nil {
- log.Warnf("OIDC configuration failed: %v", err)
- }
+ oidcProvider := initOIDCWithRetry()
 if oidcProvider != nil {
 apiV1.GET("/auth/oidc/login", handler.APIStartOIDCLogin(oidcProvider))
 apiV1.GET("/auth/oidc/callback", handler.APIHandleOIDCCallback(oidcProvider, db))
@@ -334,3 +331,28 @@ func initServerConfig(db store.IStore, tmplDir fs.FS) {
 log.Fatalf("Cannot create server config: %v", err)
 }
 }
+
+// initOIDCWithRetry runs OIDC discovery with exponential backoff. If OIDC is
+// not configured it returns nil. If discovery keeps failing (e.g. transient
+// DNS/network issues against the IdP), it exits non-zero so systemd restarts
+// us rather than leaving SSO permanently disabled.
+func initOIDCWithRetry() *handler.OIDCProvider {
+ const maxAttempts = 8
+ const maxBackoff = 30 * time.Second
+ backoff := time.Second
+ for attempt := 1; attempt <= maxAttempts; attempt++ {
+ provider, err := handler.NewOIDCProvider()
+ if err == nil {
+ return provider
+ }
+ if attempt == maxAttempts {
+ log.Fatalf("OIDC discovery failed after %d attempts, exiting for service manager restart: %v", maxAttempts, err)
+ }
+ log.Warnf("OIDC discovery failed (attempt %d/%d), retrying in %s: %v", attempt, maxAttempts, backoff, err)
+ time.Sleep(backoff)
+ if backoff *= 2; backoff > maxBackoff {
+ backoff = maxBackoff
+ }
+ }
+ return nil
+}
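Review bot: The call `oidcProvider := initOIDCWithRetry()` runs synchronously in main, so an unreachable IdP now holds up everything after this line for the helper's sleeps (1+2+4+8+16+30+30 = 91 s with the constants it defines, plus the eight discovery attempts) and then ends the process. The removed code logged a warning and carried on without the OIDC routes, so an identity-provider outage now takes the whole service down with it, including any login path that does not depend on OIDC; the rest of main lies outside the hunk, so the effect on listener start-up is inferred. The `if oidcProvider != nil` guard also changes meaning and deserves a comment at the call, e.g. `// nil means OIDC is not configured; discovery failures do not return (initOIDCWithRetry exits the process)`.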
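Review bot: In `initOIDCWithRetry` every non-nil error from `handler.NewOIDCProvider()` is retried as if it were transient, so a permanent fault such as a wrong issuer URL or rejected client settings sleeps through all seven backoffs before `log.Fatalf`, and under a restarting service manager that becomes a crash loop instead of a clear configuration error. Separate the cases before sleeping, for example `var netErr net.Error` followed by `if !errors.As(err, &netErr) { log.Fatalf("OIDC configuration rejected: %v", err) }`. This needs the `errors` and `net` imports and only helps if the handler keeps the underlying error in the chain, which the hunk does not show; which errors count as retryable (an IdP answering 5xx, say) is the author's call. The doc comment's "if OIDC is not configured it returns nil" holds only if NewOIDCProvider returns a nil provider together with a nil error in that case, so the comment should state that dependency.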
From 74e868b4e24e71ea13d2b356d3bbfe927b78a7e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnter=20Grodotzki?=
Date: Fri, 22 May 2026 21:57:00 +0200
Subject: [PATCH 2/2] test
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2c7737b9..901e708b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -23,6 +23,10 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ ignore:
+ # stay on Node 24 LTS; revisit when ready to move LTS lines
+ - dependency-name: "node"
+ update-types: ["version-update:semver-major"]
 # GitHub Actions
 - package-ecosystem: github-actions