carbon-lang/.github/workflows/sync_repos.yaml

# Part of the Carbon Language project, under the Apache License v2.0 with LLVM
# Exceptions. See /LICENSE for license information.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

name: Sync repos

on:
  push:
    branches: [trunk]
    paths:
      # Minimize where we run this to changes to the top-level files and
      # specific trees that we sync to other repositories.
      - '*'
      - 'utils/**'
      # Also run if the action itself is updated.
      - '.github/workflows/sync_repos.yaml'
      - 'scripts/sync_repos.sh'

# Note the sync script has its own token.
permissions:
  contents: read # For actions/checkout.

jobs:
  sync-repos:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
        with:
          egress-policy: audit

      # Checkout our main repository.
      - name: Checkout the main repository
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      # Run the sync script.
      - name: Sync to other repositories
        env:
          API_TOKEN_GITHUB: ${{ secrets.SYNC_REPOS_API_TOKEN_GITHUB }}
        run: ./scripts/sync_repos.sh