Workflow Reference
All workflows in .github/workflows/, grouped by priority tier.
For trigger details and schedules see Workflow Triggers.
Auto-generated on 2026-06-09 from
config/workflow-quota-costs.ymlandconfig/workflow-priority-tiers.yml.
Quota cost columns: Low = fast/cached run · Mid = typical (p50) · High = large/uncached (p95)
Tier 1 — Critical
| Workflow | Synopsis | Schedule | min_quota | Low | Mid | High |
|---|---|---|---|---|---|---|
| Cancel Runs After Token Rotation | Cancels queued and in-progress runs that hold the old (now-invalid) token immediately after Rotate Secret Token completes, preventing Bad credentials failures. | Manual | 50 | 5 | 20 | 50 |
| Cancel Stale Runs | Cancels queued and in-progress workflow runs older than MAX_AGE_MINUTES (default 90) or created before a fix commit, preventing stale runs from burning quota. | Manual | 100 | 10 | 30 | 80 |
| Critical Deploy | Fast-lane workflow for deploying critical fixes when the system is degraded — commits and pushes changes, clears the queue aggressively, then dispatches priority workflows. | Manual | 50 | 5 | 30 | 100 |
| Mirror Watchdog | Triggers when any mirror workflow fails — waits 5 minutes then retries once. Surfaces persistent failures in the Actions tab without consuming quota on repeated retries. | 50 | 5 | 15 | 30 | |
| Pre-Flush Prep | Prepares the system for a clean full-chain-flush — cancels stale runs, merges ready PRs, validates config, cleans merged branches, removes template pollution, then dispatches full-chain-flush when quota is sufficient. | Manual | 100 | 10 | 30 | 60 |
| Queue Manager | Deduplicates queued workflow runs (keeps newest per workflow) and evicts runs queued longer than STALE_QUEUE_MIN (default 25 min) to prevent quota exhaustion cascades. | Every 30 min | 50 | 5 | 15 | 30 |
| Quota Monitor | Polls GitHub quota and optionally dispatches a target workflow once quota recovers above a configurable threshold. Dispatch-only — never scheduled. | 10 | 1 | 5 | 10 | |
| Quota Reserve | Cancels low-priority queued runs when remaining quota drops below RESERVE_FLOOR (default 1000). Uses per-workflow min_quota from workflow-quota-costs.yml for cost-aware cancellation. | Every 30 min | 10 | 1 | 5 | 15 |
| Rate-Limit Re-trigger | Scans recently-failed workflow runs, identifies those that failed due to rate limiting, and re-triggers them after their quota reset epoch. | Every 4h at :05 | 50 | 5 | 20 | 50 |
| Rotate Secret Token | Rotates GitHub PATs and GitLab tokens stored as org/repo secrets. Validates the new token before committing, then triggers Cancel Runs After Token Rotation to clear stale runs. | Manual | 50 | 5 | 10 | 20 |
| Token Health Monitor | Checks expiry dates for all tracked PATs and GitLab tokens. Opens a GitHub issue labelled token-monitor when any token expires within 45 days. | Weekly Mon 09:24 UTC | 50 | 5 | 10 | 20 |
| Validate Config | Validates all config files (gitlab-subgroups.yml, workflow-sync.yml, priority-tiers.yml, registered-imports.json) on every push that touches them. Blocks merges on invalid config. | Manual | 50 | 2 | 5 | 10 |
Tier 2 — High
| Workflow | Synopsis | Schedule | min_quota | Low | Mid | High |
|---|---|---|---|---|---|---|
| Add Mirror Repo | Adds a new repo to the three-org mirror chain (Interested-Deving-1896 → OSP → OOC) by creating the repo in each org, setting up webhooks, and registering it in gitlab-subgroups.yml. | Manual | 200 | 10 | 30 | 60 |
| Full Chain Flush | Orchestrates the complete mirror chain in sequence — mirror-to-osp → mirror-osp-to-ooc → mirror-osp-to-gitlab — with quota checks between each stage. | 17 5 1 * * | 1000 | 100 | 400 | 1000 |
| Import Repository | Platform-agnostic repo importer — clones any public or authenticated git URL into Interested-Deving-1896, optionally mirrors through the OSP→OOC chain and registers for ongoing sync. | 100 | 10 | 30 | 60 | |
| Merge Repos into Monorepo | Merges multiple git repositories into a single monorepo, preserving full commit history, tags, and Git LFS objects. Manual dispatch only. | Manual | 100 | 10 | 30 | 60 |
| Mirror Interested-Deving-1896 → OSP | Bare-clones every repo in Interested-Deving-1896 and git push --mirror into OpenOS-Project-OSP, syncing all branches, tags, and refs exactly. | Every 6h at :13 | 500 | 20 | 80 | 200 |
| Mirror OSP → GitLab | Mirrors every repo in OpenOS-Project-OSP to its GitLab counterpart under openos-project, creating the GitLab project in the correct subgroup if it does not exist yet. | Every 8h at :23 | 300 | 5 | 20 | 50 |
| Mirror to OpenOS-Project-Ecosystem-OOC | Bare-clones every repo in OpenOS-Project-OSP and git push --mirror into OpenOS-Project-Ecosystem-OOC, completing the second hop of the three-org mirror chain. | Every 6h at :15 | 300 | 20 | 80 | 200 |
| Pre-Mirror CI Gate | Checks CI status on all OSP-bound repos in Interested-Deving-1896 before mirroring. Dispatches resolve-failures for red repos, waits, then re-checks. Blocks the mirror if repos are still failing. | Manual | 800 | 50 | 150 | 300 |
| Rebase PRs | Rebases open PRs in Interested-Deving-1896 onto their base branch when they fall behind, keeping PRs mergeable without manual intervention. | Daily 05:10 UTC | 100 | 5 | 20 | 50 |
| Sync All Forks | Syncs all branches of every fork owned by Interested-Deving-1896 with their upstream via the GitHub merge-upstream API, falling back to force-reset on divergence. | Daily 06:07 UTC | 500 | 50 | 200 | 500 |
| Sync Registered Imports | Re-syncs all repos listed in registered-imports.json — bare-clones each source URL and pushes all branches and tags to Interested-Deving-1896. | Every 6h at :55 | 200 | 5 | 15 | 30 |
| Sync from GitLab | Pulls changes from the GitLab mirror back to GitHub when GitLab CI has committed changes (e.g. generated files, CI artifacts). | Daily 04:22 UTC | 100 | 5 | 20 | 50 |
| Sync to GitLab Variant | Variant of Sync to GitLab that uses a different token and push strategy — used when the primary sync is blocked or for testing. | Every 8h at :50 | 100 | 5 | 20 | 50 |
Tier 3 — Medium
| Workflow | Synopsis | Schedule | min_quota | Low | Mid | High |
|---|---|---|---|---|---|---|
| Check OSP-Bound CI Status | Checks CI status across all OSP-bound repos and reports failing workflows. Triggers resolve-failures when failures are detected. | Daily 09:05 UTC | 300 | 50 | 150 | 300 |
| Cleanup Stale Branches | Deletes branches that have been merged into the default branch across all repos in Interested-Deving-1896, OSP, and OOC. | 29 4 1 * * | 200 | 10 | 60 | 200 |
| Cleanup Template Pollution | Removes files incorrectly propagated from fork-sync-all to consumer repos via the template sync pipeline, across all three GitHub orgs and GitLab. | Manual | 200 | 20 | 80 | 200 |
| Clone Org | Clones all repositories from an org or user on any supported platform (GitHub, GitLab, Bitbucket, Gitea) into Interested-Deving-1896. | Manual | 200 | 20 | 80 | 200 |
| Create Missing READMEs | Creates README.md from the standard template for OSP-bound repos that have no README, with placeholder sections for human-owned content. | Daily 07:08 UTC | 200 | 20 | 80 | 200 |
| Deploy Book | Builds the mdBook documentation site from DOCS/ and deploys it to GitHub Pages at interested-deving-1896.github.io/fork-sync-all/. | Manual | 50 | 5 | 10 | 20 |
| Docker → Incus Migration | Scans repos for Docker artifacts (Dockerfile, docker-compose.yml) and replaces them with Incus equivalents. Runs after Add Mirror Repo and weekly. | Weekly Sun 03:08 UTC | 100 | 10 | 40 | 100 |
| Enforce Agnostic Vendor | Scans vendor/ for distro-specific hardcoded fallback values in shell, YAML, and TypeScript. All vendored components must be deployment-agnostic. | Manual | 50 | 2 | 5 | 10 |
| Fork KDE Neon Repos | One-shot workflow that clones the 6 KDE Invent neon repos into Interested-Deving-1896 and pushes them through the OSP mirror chain. Ongoing re-sync handled by sync-registered-imports. | Manual | 100 | 10 | 30 | 60 |
| Generate Book Pages | Regenerates DOCS/generated/ pages from config sources (workflow-quota-costs.yml, priority-tiers.yml, gitlab-subgroups.yml, registered-imports.json) and commits the result. | Manual | 50 | 1 | 2 | 5 |
| Inject Built-with-Ona Badges | Adds a Built-with-Ona badge to README.md for all repos in Interested-Deving-1896 that are missing it. Skips repos that already have the badge. | Daily 08:15 UTC | 200 | 5 | 30 | 80 |
| OTA Discover | Scans forks of fork-sync-all for .ota/config.yml with enabled: true and adds newly discovered repos to config/ota-registry.yml. | Daily 06:38 UTC | 100 | 10 | 40 | 100 |
| OTA Opt-In | Propagated to opted-in forks. Fork owners run this once to create .ota/config.yml and open a registration PR against fork-sync-all's OTA registry. | 50 | 5 | 15 | 30 | |
| OTA Release | Triggered on semver tag push. Assembles and delivers OTA updates to all opted-in repos in config/ota-registry.yml, then updates CHANGELOG.md with release notes. | Manual | 100 | 10 | 40 | 100 |
| OTA Self-Update | Propagated to opted-in forks. Pulls the latest OTA release from fork-sync-all and applies it to the fork's workflow files. | Weekly Mon 05:15 UTC | 50 | 5 | 15 | 30 |
| PR Automation | Applies size labels, path-based labels, reviewer auto-assignment, risky pattern detection, and auto-merge for low-risk PRs on every PR open or update. | On push | 50 | 5 | 15 | 30 |
| Pipeline Telemetry | Post-run observability workflow. Fetches completed run data, builds a span tree (workflow→jobs→steps), computes Thoth-equivalent metrics, parses log severity, writes a step summary and trace artifact, and upserts a rolling metrics issue. | Manual | 200 | 5 | 15 | 30 |
| Post-Flush Verification | End-to-end health check after full-chain-flush — mirror integrity across all three pairs, CI status on I-D-1896 OSP-bound repos, quota health, and workflow queue health. | Manual | 300 | 150 | 350 | 600 |
| Rebuild LTS Branch (penguins-eggs) | Rebases the all-features branch onto the upstream master after each pieroproietti sync, then force-pushes the result to the lts branch. | Manual | 50 | 5 | 15 | 30 |
| Reconcile Org References | Rewrites org/repo references in OSP and OOC mirrors to point at the correct org, fixing stale Interested-Deving-1896 references left by the mirror process. | Daily 05:50 UTC | 300 | 10 | 60 | 150 |
| Resolve CI Failures | Analyses CI failure patterns across OSP-bound repos and applies automated fixes (dependency updates, config corrections, workflow patches) where possible. | Daily 07:43 UTC | 100 | 10 | 40 | 100 |
| Setup Dashboard Variables | Sets all VITE_* repository variables required by the infra-dashboard public-dashboard build. Safe to re-run — blank inputs leave existing variables unchanged. | Manual | 50 | 5 | 15 | 30 |
| Setup OSP Mirror Workflows | Ensures all repos in OpenOS-Project-OSP have the correct mirror workflow files and secrets configured for the OSP→OOC mirror chain. | Every 6h at :45 | 200 | 20 | 80 | 200 |
| Sync Registry Sources | Registry-driven upstream sync — reads a JSON registry of upstream sources and syncs each repo via merge-upstream or force-reset. Agnostic generalisation of sync-pieroproietti-forks. | Daily 03:05 UTC | 100 | 10 | 40 | 100 |
| Sync Template | Syncs fork-sync-all's file tree into target repos. Three modes — create (new repo + mirror chain), inject (copy into existing repo), propagate (push-triggered sync to all consumers in template-consumers.yml). | Manual | 200 | 20 | 80 | 200 |
| Sync Upstream Sources | Reads the Origins section of every OSP-bound repo and syncs each referenced external fork to its upstream HEAD via merge-upstream or force-reset. | Daily 01:37 UTC | 200 | 20 | 80 | 200 |
| Sync btrfs-devel Branches | Syncs tracked btrfs-devel branches from the upstream kernel tree into the btrfs-dwarfs-framework fork. | Every 6h at :02 | 100 | 5 | 20 | 50 |
| Sync pieroproietti Forks | Syncs all penguins-eggs forks owned by Interested-Deving-1896 with their upstream pieroproietti sources via merge-upstream. | Every 8h at :07 | 100 | 10 | 40 | 100 |
| Sync to GitLab | Pushes the Interested-Deving-1896/fork-sync-all repo to its GitLab mirror at openos-project/ops/fork-sync-all. | Daily 09:17 UTC | 100 | 5 | 20 | 50 |
| Update READMEs | Regenerates AI-owned sections (what-it-does, architecture, ci, mirror-chain, etc.) in README.md for all OSP-bound repos, preserving human-owned sections. | Daily 03:15 UTC | 300 | 50 | 150 | 300 |
| Validate README Render | Checks README.md for rendering issues — leaked log lines, unclosed fences, bare brackets, raw angle brackets, unclosed AI markers, missing H1, and empty sections. | Manual | 50 | 5 | 15 | 30 |
| Verify Mirror Integrity | Compares default-branch HEAD SHAs between source and destination for all OSP-bound repos after a mirror stage. Reports mismatches as warnings; configurable hard-fail mode. | Manual | 400 | 50 | 100 | 150 |
Tier 4 — Low
| Workflow | Synopsis | Schedule | min_quota | Low | Mid | High |
|---|---|---|---|---|---|---|
| Check GitLab CI Sync | Compares paired jobs in .gitlab-ci.yml against config/workflow-sync.yml and reports drift — scripts with changed entry points, mismatched cadence rules, or jobs missing from either side. | Manual | 50 | 2 | 5 | 10 |
| Generate NotebookLM Content | Generates NotebookLM content artifacts (audio, video, slides, infographic, quiz, flashcards, report) for a given notebook and uploads them to a GitHub Release. | Manual | 50 | 5 | 15 | 30 |
| Generate OSP Dependency Graph | Scans all OSP-bound repos for package.json and requirements.txt files and generates a dependency graph showing inter-repo relationships. | Weekly Sun 03:10 UTC | 100 | 20 | 60 | 150 |
| GitLab Storage Scan | Scans all projects under openos-project on GitLab and reports storage usage. Useful for diagnosing when the namespace approaches its 10 GiB limit. | Manual | 50 | 2 | 5 | 10 |
| LTS README Standardisation | Standardises README.md structure for LTS-tagged repos, ensuring they follow the LTS template with correct version badges and support tables. | 19 3 1 * * | 100 | 10 | 40 | 100 |
| List Chromium GitLab Repos | Lists all projects under the Chromium_Browser_OS_Deving GitLab group. Informational only — used to audit what has been mirrored. | Manual | 50 | 2 | 5 | 10 |
| Mirror Artifacts | Mirrors GitHub Releases, Flatpak packages, and RPM packages from Interested-Deving-1896 repos to their OSP and OOC counterparts. | Every 8h at :10 | 200 | 10 | 50 | 150 |
| Mirror Orgs | Mirrors all repos from Interested-Deving-1896 to OpenOS-Project-OSP and OpenOS-Project-Ecosystem-OOC using bare clone + push --mirror. | Daily 02:17 UTC | 100 | 20 | 60 | 150 |
| Mirror Releases | Mirrors GitHub Releases (tags + release notes + assets) from Interested-Deving-1896 repos to their OSP and OOC counterparts. | Every 6h at :03 | 200 | 10 | 50 | 150 |
| Notification Poller | Polls GitHub notifications for unread CI failure notifications and triggers resolve-failures immediately when any are found. | Every 4h at :32 | 50 | 1 | 5 | 15 |
| README Wizard | AI-guided README authoring — writes or rewrites a README for a specific repo according to custom instructions (audience, tone, sections), respecting existing human-owned markers. | Manual | 100 | 10 | 30 | 60 |
| Rate Limit Status | Queries current rate limit status for GitHub REST, GitLab, and GitHub Models APIs. Exits non-zero if any platform is below 10% remaining. | Manual | 10 | 2 | 5 | 10 |
| Refresh NotebookLM Auth | Rotates the short-lived __Secure-1PSIDTS cookie in NOTEBOOKLM_AUTH_JSON weekly and writes the updated state back to the repo secret. | Weekly Tue 06:17 UTC | 10 | 1 | 2 | 5 |
| Repo Manifest | Exports a manifest of all repos in an org, or imports repos from a manifest into a target GitHub org. Supports multi-platform bulk import. | Manual | 100 | 10 | 40 | 100 |
| Setup GitLab CI Schedules | Replaces all existing GitLab pipeline schedules in openos-project/ops/fork-sync-all with the 3 consolidated CADENCE-based schedules. Safe to re-run. | 50 | 2 | 5 | 10 | |
| Shallow Reclone Large GitLab Mirrors | Reduces GitLab storage usage by replacing full git history on large mirror projects with a shallow clone. Run when openos-project approaches its 10 GiB storage limit. | Manual | 50 | 2 | 5 | 10 |
| Sync penguins-eggs docs to penguins-eggs-book | Triggered by repository_dispatch from penguins-eggs when docs/chromiumos/ changes on all-features. Syncs the updated docs into the penguins-eggs-book repo. | Manual | 50 | 5 | 15 | 30 |
| Translate Docs | Translates DOCS/ mdBook pages into a target language using GitHub Models API. Writes translated files to DOCS/ | Daily 11:15 UTC | 100 | 5 | 15 | 30 |
| Translate READMEs | Translates README.md files for OSP-bound repos into additional languages using GitHub Models API. Writes translated files alongside the English original. | Daily 10:43 UTC | 100 | 10 | 40 | 100 |
| Trigger Artifact Mirror | Dispatches mirror-artifacts immediately when a release is published in this repo, so OSP and OOC receive the release without waiting for the next scheduled run. | 50 | 2 | 5 | 10 | |
| Update Infrastructure Dependencies | Runs Dependabot-style updates for GitHub Actions versions across all workflow files and opens a grouped PR. | Weekly Mon 06:11 UTC | 50 | 5 | 15 | 30 |
| Update Quota Cost Registry | Reads quota-instrument records from job logs, computes observed p50/p95 REST costs per workflow, and commits updated values to workflow-quota-costs.yml weekly. | Weekly Mon 08:00 UTC | 200 | 30 | 80 | 150 |
| Update Workflow Triggers Doc | Regenerates docs/workflow-triggers.md and docs/workflow-triggers.txt whenever a workflow file changes on main. Commits the result directly to main. | Manual | 50 | 5 | 10 | 20 |
| Upstream Direct Commits from OSP + OOC | Detects commits pushed directly to OSP/OOC default branches (without a PR) and opens PRs against Interested-Deving-1896 to reconcile them. | Every 6h at :47 | 200 | 20 | 80 | 200 |
| Upstream PRs from OSP + OOC | Detects commits on OSP and OOC default branches that are not present in Interested-Deving-1896 and opens PRs to bring them upstream. | Every 6h at :33 | 200 | 20 | 80 | 200 |
| Upstream Workflow Proposal | Scans OSP-bound repos for new workflow patterns not present in fork-sync-all and opens a PR proposing them as template skeletons. | Weekly Mon 06:06 UTC | 50 | 5 | 20 | 50 |
✦ Mid value is an observed p50 measurement. All other values are code-audit estimates.