Add PR labeler/sync/stale reusables (Phase 2b prep)#4
Merged
Conversation
GitHub forbids public repos from consuming reusable workflows that live in private/internal repos, so trufflesecurity/helm-charts (the only public repo in our PR Labeling rollout) cannot reach the reusables in .github-private. Move the reusables to this public repo so all 7 consumers (1 public, 6 private/internal) can use them. The reusables already check out scripts and labels.yml from this repo, so no internal references need to change. Follow-up PR will switch existing consumer callers from trufflesecurity/.github-private to trufflesecurity/.github, then a final PR will remove the now-duplicated reusables from .github-private. Made-with: Cursor
2 tasks
bryanbeverly
added a commit
to trufflesecurity/helm-charts
that referenced
this pull request
Apr 20, 2026
## Summary - Switches the `sync-labels.yml` caller workflow's `uses:` reference from `trufflesecurity/.github-private` to `trufflesecurity/.github`. - Functionally identical: the reusable in the public `.github` repo is a verbatim copy. The reusable already checks out scripts and `labels.yml` from public `.github`, so behavior is unchanged. ## Why GitHub forbids public repos from consuming reusable workflows that live in private/internal repos, regardless of org-level Actions Access settings. `trufflesecurity/helm-charts` is the only public repo in the PR Labeling rollout, and it could not call the reusables in `.github-private`. Moving the reusables to public `.github` (already merged: trufflesecurity/.github#4) unblocks helm-charts. This PR switches each consumer to the public source so that `.github-private` can be cleaned up afterward. ## Test plan - [x] CI passes - [ ] After merge, `gh workflow run sync-labels.yml --repo trufflesecurity/<this-repo>` runs successfully and re-applies the 11 standard labels <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Single-line CI workflow reference change; no application code or data handling is modified. > > **Overview** > Updates the `Sync Labels` GitHub Actions workflow to call the reusable label sync workflow from `trufflesecurity/.github` instead of `trufflesecurity/.github-private`. This unblocks running the same label synchronization workflow from public repositories without changing behavior of the job itself. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 0a7d3bf. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pr-labeler-reusable.yml,label-sync-reusable.yml,stale-reusable.yml) to this public repo, copied verbatim fromtrufflesecurity/.github-private.trufflesecurity/helm-charts(the only public repo in our PR Labeling rollout). GitHub forbids public repos from consuming reusable workflows that live in private/internal repos, sohelm-chartscannot reach the copies in.github-private.labels.ymlfrom this repo (trufflesecurity/.github), so no internal references need to change.Rollout sequence (zero downtime)
.github. Non-breaking; existing consumers still call.github-private.uses:fromtrufflesecurity/.github-private/.github/workflows/...totrufflesecurity/.github/.github/workflows/.... Adds a new caller tohelm-charts..github-private-- delete the now-duplicated reusables.Test plan
lint.yml).https://github.com/trufflesecurity/.github/actions.Made with Cursor
Note
Low Risk
Additive workflow-only changes; no existing runtime code is modified. Risk is limited to consumers opting into these reusables and misconfiguring required caller permissions.
Overview
Adds three new reusable GitHub Actions workflows in this repo:
label-sync-reusable.yml(sync labels fromlabels.ymlinto a caller repo),pr-labeler-reusable.yml(apply size/risk/checkbox labels via shared Python scripts), andstale-reusable.yml(PR-only wrapper aroundactions/stalewith configurable stale/close thresholds).All workflows intentionally inherit permissions from the caller (no
permissions:block) and fetch scripts/labels fromtrufflesecurity/.githubviaactions/checkoutsparse checkout so public repos can consume them without PAT/app credentials.Reviewed by Cursor Bugbot for commit 75bc155. Bugbot is set up for automated code reviews on this repo. Configure here.