carbon-lang/.github/workflows/sync_repos.yaml

# Part of the Carbon Language project, under the Apache License v2.0 with LLVM
# Exceptions. See /LICENSE for license information.
# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

name: Sync repos

on:
  push:
    branches: [trunk]
    paths:
      # Minimize where we run this to changes to the top-level files and
      # specific trees that we sync to other repositories.
      - '*'
      - 'utils/**'
      # Also run if the action itself is updated.
      - '.github/workflows/sync_repos.yaml'
      - 'scripts/sync_repos.sh'

# Note the sync script has its own token.
permissions:
  contents: read # For actions/checkout.

jobs:
  sync-repos:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit

      # Checkout our main repository.
      - name: Checkout the main repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # Run the sync script.
      - name: Sync to other repositories
        env:
          API_TOKEN_GITHUB: ${{ secrets.SYNC_REPOS_API_TOKEN_GITHUB }}
        run: ./scripts/sync_repos.sh