feat: add initial templates and sync workflow

DariuszPorowski · DariuszPorowski · commit bfe2aa69dd80 · 2025-12-09T12:28:42.000-08:00
Signed-off-by: Dariusz Porowski &lt;3431813+DariuszPorowski@users.noreply.github.com&gt;
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @radius-project/on-call
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - /
+      - workflow-templates
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns: ["*"]
diff --git a/.github/ghalint.yml b/.github/ghalint.yml
@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/ghalint/main/json-schema/ghalint.json
+---
+excludes:
+  - policy_name: github_app_should_limit_repositories
+    workflow_file_path: .github/workflows/sync.yml
+    job_name: sync
+    step_id: get-token
diff --git a/.github/sync.yml b/.github/sync.yml
@@ -0,0 +1,34 @@
+# docs: https://github.com/PaddleHQ/repo-file-sync-action?tab=readme-ov-file#advanced-sync-config
+# nunjucks template: https://mozilla.github.io/nunjucks/templating.html
+---
+group:
+  # source: https://github.com/orgs/radius-project/repositories?q=archived%3Afalse+sort%3Aname-asc
+  repos: |
+    radius-project/.github
+    radius-project/bicep-types-aws
+    radius-project/blog
+    radius-project/community
+    radius-project/dashboard
+    radius-project/design-notes
+    radius-project/docs@edge
+    radius-project/lab
+    radius-project/radius
+    radius-project/recipes
+    radius-project/resource-types-contrib
+    radius-project/roadmap
+    radius-project/samples@edge
+    radius-project/terraform-private-modules
+    radius-project/website
+
+  files:
+    - source: sync-templates/LICENSE
+      dest: LICENSE
+
+    - source: sync-templates/.gitattributes
+      dest: .gitattributes
+
+    - source: sync-templates/.editorconfig
+      dest: .editorconfig
+
+    - source: workflow-templates/dependency-review.yml
+      dest: .github/workflows/dependency-review.yml
diff --git a/.github/workflows/__dependency-review.yml b/.github/workflows/__dependency-review.yml
@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+# docs:
+# - https://github.com/actions/dependency-review-action
+# - https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action
+---
+name: __dependency-review
+
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run Dependency Review
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          comment-summary-in-pr: always
+          retry-on-snapshot-warnings: true
+          warn-on-openssf-scorecard-level: 4
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
@@ -0,0 +1,62 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
+name: Sync
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/sync.yml
+      - .github/sync.yml
+      - sync-templates/**
+      - workflow-templates/*.yaml
+      - workflow-templates/*.yml
+
+permissions: {}
+
+concurrency:
+  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
+  cancel-in-progress: true
+
+jobs:
+  sync:
+    name: Sync
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Get App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: get-token
+        with:
+          app-id: ${{ secrets.SYNC_BOT_APP_ID }}
+          private-key: ${{ secrets.SYNC_BOT_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          permission-metadata: read
+          permission-contents: write
+          permission-pull-requests: write
+          permission-workflows: write
+
+      - name: Get bot details
+        id: bot-details
+        uses: raven-actions/bot-details@ee8966a9ff6e7e42cbfc4a56b4ddb60a9d1b40a6 # v1.2.0
+        with:
+          bot-slug-name: ${{ steps.get-token.outputs.app-slug }}
+          set-env: false
+
+      - name: Run Repo File Sync
+        uses: PaddleHQ/repo-file-sync-action@fb024b6e51a36213d16cc4b2c3b51c73b2b5ca70 # v1.26.13
+        with:
+          GH_INSTALLATION_TOKEN: ${{ steps.get-token.outputs.token }}
+          CONFIG_PATH: ./.github/sync.yml
+          COMMIT_PREFIX: "chore:"
+          BRANCH_PREFIX: repo-sync
+          GIT_EMAIL: ${{ steps.bot-details.outputs.email }}
+          GIT_USERNAME: ${{ steps.bot-details.outputs.name }}
diff --git a/sync-templates/.editorconfig b/sync-templates/.editorconfig
@@ -0,0 +1,36 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+
+[*.{go,mod}]
+indent_style = tab
+
+[*.{tsv}]
+indent_style = tab
+
+[*.md]
+indent_size = unset
+
+[*.py]
+indent_size = 4
+
+[*.ps1]
+indent_size = 4
+
+[*.{cmd,bat}]
+end_of_line = crlf
+
+[Makefile]
+indent_style = tab
+
+[**/node_modules/**]
+ignore = true
+
+[**/.venv/**]
+ignore = true
diff --git a/sync-templates/.gitattributes b/sync-templates/.gitattributes
@@ -0,0 +1,29 @@
+# Force the following filetypes to have unix eols, so Windows does not break them
+* text eol=lf
+
+# Declare files that will always have CRLF line endings on checkout.
+*.{cmd,[cC][mM][dD]} text eol=crlf
+*.{bat,[bB][aA][tT]} text eol=crlf
+
+# Common files
+*.pdf binary
+
+# Image files
+*.gif binary
+*.tif binary
+*.ico binary
+*.jpg binary
+*.jpeg binary
+*.png binary
+
+# Microsoft Office documents
+*.pptx binary
+*.potx binary
+*.docx binary
+*.dotx binary
+*.vsdx binary
+
+# Lock files
+package-lock.json linguist-generated=true
+pnpm-lock.yaml linguist-generated=true
+yarn.lock linguist-generated=true
diff --git a/sync-templates/LICENSE b/sync-templates/LICENSE
diff --git a/workflow-templates/README.md b/workflow-templates/README.md
diff --git a/workflow-templates/dependency-review.properties.json b/workflow-templates/dependency-review.properties.json
diff --git a/workflow-templates/dependency-review.yml b/workflow-templates/dependency-review.yml
