Switch sync-labels caller to public .github reusable #23

Merged
bryanbeverly merged 1 commit into main from phase2b-switch-to-public-reusable on Apr 20, 2026
@bryanbeverly (Contributor) commented Apr 20, 2026

Summary

  • Switches the sync-labels.yml caller workflow's uses: reference from trufflesecurity/.github-private to trufflesecurity/.github.
  • Functionally identical: the reusable in the public .github repo is a verbatim copy. The reusable already checks out scripts and labels.yml from public .github, so behavior is unchanged.

Why

GitHub forbids public repos from consuming reusable workflows that live in private/internal repos, regardless of org-level Actions Access settings. trufflesecurity/helm-charts is the only public repo in the PR Labeling rollout, and it could not call the reusables in .github-private. Moving the reusables to public .github (already merged: trufflesecurity/.github#4) unblocks helm-charts. This PR switches each consumer to the public source so that .github-private can be cleaned up afterward.

Test plan

  • CI passes
  • After merge, gh workflow run sync-labels.yml --repo trufflesecurity/<this-repo> runs successfully and re-applies the 11 standard labels

Note

Low Risk
Single-line CI workflow reference change; no application code or data handling is modified.

Overview
Updates the Sync Labels GitHub Actions workflow to call the reusable label sync workflow from trufflesecurity/.github instead of trufflesecurity/.github-private. This unblocks running the same label synchronization workflow from public repositories without changing behavior of the job itself.

Reviewed by Cursor Bugbot for commit 0a7d3bf. Bugbot is set up for automated code reviews on this repo.

Move the reusable workflow source from .github-private to the public
.github repo. This is needed so trufflesecurity/helm-charts (a public
repo) can use the same reusable; GitHub forbids public repos from
consuming reusables that live in private/internal repos.

Functionally identical: the reusable in .github is a verbatim copy of
the one in .github-private, and it already references scripts and
labels.yml from the public .github repo.
@bryanbeverly bryanbeverly self-assigned this Apr 20, 2026
@bryanbeverly bryanbeverly marked this pull request as ready for review April 20, 2026 07:08
@bryanbeverly bryanbeverly requested a review from a team April 20, 2026 07:08
@bryanbeverly bryanbeverly merged commit 2d35533 into main Apr 20, 2026
1 check passed
@bryanbeverly bryanbeverly deleted the phase2b-switch-to-public-reusable branch April 20, 2026 07:10
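
An added example, not part of this pull request or the project's code: a check a maintainer could run over each consumer checkout before cleaning up .github-private, listing any caller workflow that still points at it. The reusable's file name (`REUSABLE.yml`) and the `@main` ref are placeholders, since the page does not show them, and the sample workflows are constructed.

```python
import re
from pathlib import Path

# Job-level call to a reusable workflow in another repository:
#   uses: OWNER/REPO/.github/workflows/FILE@REF
REUSABLE_CALL = re.compile(
    r"""^\s*uses:\s*['"]?
        (?P<owner>[^/\s'"]+)/(?P<repo>[^/\s'"]+)
        /\.github/workflows/(?P<file>[^@\s'"]+)
        @(?P<ref>[^\s'"#]+)""",
    re.VERBOSE,
)

def find_reusable_calls(workflow_text):
    """Return (line_no, 'owner/repo', file, ref) per cross-repo reusable call."""
    calls = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = REUSABLE_CALL.match(line)  # commented-out lines start with '#', no match
        if m:
            calls.append((line_no, f"{m['owner']}/{m['repo']}", m["file"], m["ref"]))
    return calls

def calls_into(workflow_text, source_repos):
    """Keep only calls whose source repo is in source_repos (case-insensitive)."""
    wanted = {repo.lower() for repo in source_repos}
    return [c for c in find_reusable_calls(workflow_text) if c[1].lower() in wanted]

def audit_checkout(root, source_repos):
    """Map each workflow file name under root to its calls into source_repos."""
    hits = {}
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        found = calls_into(path.read_text(encoding="utf-8"), source_repos)
        if found:
            hits[path.name] = found
    return hits

# Constructed caller workflows; REUSABLE.yml and @main are placeholders.
BEFORE = """\
name: Sync Labels
on: workflow_dispatch
jobs:
  sync:
    uses: trufflesecurity/.github-private/.github/workflows/REUSABLE.yml@main
"""
AFTER = BEFORE.replace("/.github-private/", "/.github/")

if __name__ == "__main__":
    private = {"trufflesecurity/.github-private"}
    print(calls_into(BEFORE, private))  # one hit on line 5
    print(calls_into(AFTER, private))   # no hits
```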