Update sync configuration #69
Summary by CodeRabbit
Walkthrough
Updated repository sync configuration and added synchronization metadata/comments.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/sync.yml:
- Around line 3-7: The sync currently includes the workflow bots-auto-merge.yaml
but all target repos lack the required secrets OBSINT_PROCESSING_APP_CLIENT_ID
and OBSINT_PROCESSING_APP_PRIVATE_KEY, so either provision those two secrets to
every target repo before syncing or remove/exclude bots-auto-merge.yaml from the
sync config and keep linters.yaml; update the sync configuration to remove the
source entry for bots-auto-merge.yaml (or add an exclusion) so only compatible
workflows (e.g., linters.yaml) are synced until the secrets are provisioned.
📒 Files selected for processing (1)
.github/sync.yml
| - renovate.json | ||
| - source: workflows_examples/linters.yaml | ||
| dest: .github/workflows/linters.yaml | ||
| - source: workflows_examples/bots-auto-merge.yaml | ||
| dest: .github/workflows/bots-auto-merge.yaml |
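Review bot: the last entry in this hunk writes `bots-auto-merge.yaml` into the target's `.github/workflows/`, where it becomes a live workflow as soon as the sync PR merges, and nothing in the entry records what that workflow needs from the target repository. Add a comment above the `source:` line naming the prerequisites, and consider syncing this entry in a separate change from `linters.yaml` so the lint update is not held up by it.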
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

# Verify prerequisites for repos listed in .github/sync.yml:
# 1) default branch is main/master (for push trigger coverage in linters workflow)
# 2) required secrets exist for bots auto-merge workflow
# Top-level keys of the form "RedHatInsights/<repo>:" are the sync targets.
repos=$(awk '/^RedHatInsights\// {gsub(":", "", $1); print $1}' .github/sync.yml)

printf "repo,default_branch,push_trigger_covered,has_client_id_secret,has_private_key_secret\n"
for repo in $repos; do
  default_branch=$(gh api "repos/$repo" --jq '.default_branch' 2>/dev/null || echo "UNKNOWN")
  if [[ "$default_branch" == "main" || "$default_branch" == "master" ]]; then
    covered="yes"
  else
    covered="no"
  fi

  # Lists repository-level secret names only. If the call fails (for example,
  # the token cannot read this endpoint), the list is empty and both secret
  # columns report "no".
  secret_names=$(gh api "repos/$repo/actions/secrets?per_page=100" --jq '.secrets[].name' 2>/dev/null || true)
  if printf "%s\n" "$secret_names" | grep -qx 'OBSINT_PROCESSING_APP_CLIENT_ID'; then
    has_client_id="yes"
  else
    has_client_id="no"
  fi
  if printf "%s\n" "$secret_names" | grep -qx 'OBSINT_PROCESSING_APP_PRIVATE_KEY'; then
    has_private_key="yes"
  else
    has_private_key="no"
  fi

  printf "%s,%s,%s,%s,%s\n" "$repo" "$default_branch" "$covered" "$has_client_id" "$has_private_key"
done
```
Repository: RedHatInsights/processing-tools
Length of output: 1378
Syncing workflows_examples/bots-auto-merge.yaml will fail in all target repos—required secrets are missing.
The verification shows all 21 target repos lack the required secrets OBSINT_PROCESSING_APP_CLIENT_ID and OBSINT_PROCESSING_APP_PRIVATE_KEY. The bots-auto-merge.yaml workflow will fail at runtime in every repo. Either provision these secrets to all target repos first, or exclude this workflow from the sync until prerequisites are met.
The workflows_examples/linters.yaml workflow is compatible (all repos use main or master as default branch).
43943ce to 0a2fbb8
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/sync.yml:
- Around line 65-71: The new sync target RedHatInsights/insights-core-messaging
adds a synced workflow file bots-auto-merge.yaml but the required secrets
OBSINT_PROCESSING_APP_CLIENT_ID and OBSINT_PROCESSING_APP_PRIVATE_KEY are
missing; provision these two secrets in the target repository's GitHub settings
(Repository > Settings > Secrets) before deploying the sync so
bots-auto-merge.yaml can access them, and verify the secret names exactly match
OBSINT_PROCESSING_APP_CLIENT_ID and OBSINT_PROCESSING_APP_PRIVATE_KEY used by
the workflow.
📒 Files selected for processing (5)
- .github/sync.yml
- CODEOWNERS
- renovate.json
- workflows_examples/bots-auto-merge.yaml
- workflows_examples/linters.yaml
✅ Files skipped from review due to trivial changes (4)
- renovate.json
- CODEOWNERS
- workflows_examples/bots-auto-merge.yaml
- workflows_examples/linters.yaml
| RedHatInsights/insights-core-messaging: | ||
| - CODEOWNERS | ||
| - renovate.json | ||
| - source: workflows_examples/linters.yaml | ||
| dest: .github/workflows/linters.yaml | ||
| - source: workflows_examples/bots-auto-merge.yaml | ||
| dest: .github/workflows/bots-auto-merge.yaml |
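Review bot: this new target block syncs `CODEOWNERS` together with two files under `.github/workflows/`; confirm the synced `CODEOWNERS` assigns an owner to `.github/workflows/` in the target, so later edits to the auto-merge workflow there need an owner's approval. If it does not, add that rule before this target is enabled.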
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail

# Verify the new repository exists and check its default branch
repo="RedHatInsights/insights-core-messaging"
echo "Checking repository: $repo"

# Get repo info
repo_info=$(gh api "repos/$repo" 2>/dev/null || echo "NOT_FOUND")
if [[ "$repo_info" == "NOT_FOUND" ]]; then
  echo "ERROR: Repository $repo does not exist or is not accessible"
  exit 1
fi

default_branch=$(echo "$repo_info" | jq -r '.default_branch')
echo "Default branch: $default_branch"
if [[ "$default_branch" == "main" || "$default_branch" == "master" ]]; then
  echo "✓ Default branch is compatible with linters.yaml push trigger"
else
  echo "⚠ Default branch '$default_branch' may not be covered by linters.yaml push trigger (expects main or master)"
fi

# Check for required secrets (will likely show 'no' until provisioned)
# Lists repository-level secret names only; a failed call yields an empty
# list, so both secrets are then reported as missing.
echo ""
echo "Checking secrets (expected to be missing until provisioned):"
secret_names=$(gh api "repos/$repo/actions/secrets?per_page=100" --jq '.secrets[].name' 2>/dev/null || echo "")
for secret in OBSINT_PROCESSING_APP_CLIENT_ID OBSINT_PROCESSING_APP_PRIVATE_KEY; do
  if printf "%s\n" "$secret_names" | grep -qx "$secret"; then
    echo "✓ $secret: present"
  else
    echo "✗ $secret: missing"
  fi
done
```
Repository: RedHatInsights/processing-tools
Length of output: 369
Provision required secrets for the new sync target before deployment.
The new sync target RedHatInsights/insights-core-messaging exists with a compatible default branch (master). However, the required secrets for the bots-auto-merge.yaml workflow are currently missing:
- OBSINT_PROCESSING_APP_CLIENT_ID
- OBSINT_PROCESSING_APP_PRIVATE_KEY
These secrets must be provisioned in the repository before the synced workflow can function.
Description
New repo-file-sync configuration will:
- renovate.json in all the repositories (it mostly affects the enable-auto-merge in most of the cases)
- linters.yaml into the workflows, using the reusable workflow from now on. In most of the cases, just updating the version tag.
- bots-auto-merge.yaml workflow to use the bots-auto-merge.yaml reusable workflow from this repository.
Review this change carefully, as it will be synced across ALL our repositories and those PRs will be (hopefully) automerged with further human review when the status checks pass.
Type of change
Testing steps
N/A
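The prerequisite both review comments raise, checked only for targets that actually map `bots-auto-merge.yaml`, as an added example that is not part of this PR or of CodeRabbit's output. It assumes top-level keys in `sync.yml` are target repositories; `example-org/*`, the inventory format and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the PR: offline pre-sync gate for one secret-dependent workflow.
# Assumes sync.yml top-level keys are target repos (no "group:" blocks).

REQUIRED_SECRETS="OBSINT_PROCESSING_APP_CLIENT_ID OBSINT_PROCESSING_APP_PRIVATE_KEY"
GATED_DEST=".github/workflows/bots-auto-merge.yaml"

# Constructed sample: repo-a receives the gated workflow, repo-b does not.
SAMPLE_SYNC='example-org/repo-a:
  - CODEOWNERS
  - source: workflows_examples/linters.yaml
    dest: .github/workflows/linters.yaml
  - source: workflows_examples/bots-auto-merge.yaml
    dest: .github/workflows/bots-auto-merge.yaml
example-org/repo-b:
  - renovate.json
  - source: workflows_examples/linters.yaml
    dest: .github/workflows/linters.yaml'

# Constructed inventory, one "repo secret_name" pair per line, as an admin-scoped
# listing of secret names would produce. repo-a holds only one of the two.
SAMPLE_INVENTORY='example-org/repo-a OBSINT_PROCESSING_APP_CLIENT_ID'

# Read sync.yml on stdin; print each target repo that receives GATED_DEST,
# whether mapped with "dest:" or listed as a plain "- path" entry.
targets_receiving_workflow() {
  awk -v want="$GATED_DEST" '
    /^[^ #-][^ ]*:[ ]*$/ { repo = $1; sub(/:$/, "", repo); next }
    {
      for (i = 1; i < NF; i++)
        if (($i == "dest:" || ($i == "-" && NF == 2)) && $(i + 1) == want && repo != "")
          print repo
    }'
}

# Print "repo secret" for every required secret that a gated target lacks.
missing_secrets() {
  printf '%s\n' "$1" | targets_receiving_workflow | while read -r repo; do
    for secret in $REQUIRED_SECRETS; do
      printf '%s\n' "$2" | grep -qxF "$repo $secret" || printf '%s %s\n' "$repo" "$secret"
    done
  done
}

# Return non-zero (block the sync) when any prerequisite is missing.
sync_gate() {
  gaps=$(missing_secrets "$1" "$2")
  [ -z "$gaps" ] || { printf 'sync blocked, missing:\n%s\n' "$gaps" >&2; return 1; }
}

sync_gate "$SAMPLE_SYNC" "$SAMPLE_INVENTORY" || true
```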