reverse-config-label-sync functionality

Author: UltraProdigy

.github/workflows/reverse-config-label-sync.yml

@@ -0,0 +1,81 @@
+name: Reverse-Config-Label-Sync
+
+on:
+  workflow_run:
+    workflows:
+      - Validate-Configs
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+jobs:
+  reverse-sync:
+    if: >-
+      ${{
+        github.event.workflow_run.conclusion == 'success' &&
+        github.event.workflow_run.event == 'push' &&
+        github.event.workflow_run.head_branch == github.event.repository.default_branch
+      }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out validated commit
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+          fetch-depth: 2
+
+      - name: Check triggering commit
+        id: trigger
+        shell: bash
+        run: |
+          author_name="$(git show -s --format='%an' HEAD)"
+          author_email="$(git show -s --format='%ae' HEAD)"
+          committer_name="$(git show -s --format='%cn' HEAD)"
+          committer_email="$(git show -s --format='%ce' HEAD)"
+          changed_files="$(git diff-tree --no-commit-id --name-only -r -m HEAD)"
+
+          is_bot_commit=false
+          case "${author_name}|${author_email}|${committer_name}|${committer_email}" in
+            *"[bot]"*|*"github-actions[bot]"*|*"41898282+github-actions[bot]@users.noreply.github.com"*)
+              is_bot_commit=true
+              ;;
+          esac
+
+          has_config_change=false
+          if echo "${changed_files}" | grep -q '^config/'; then
+            has_config_change=true
+          fi
+
+          echo "Commit author: ${author_name} <${author_email}>"
+          echo "Commit committer: ${committer_name} <${committer_email}>"
+          echo "Config files changed: ${has_config_change}"
+          echo "Bot commit: ${is_bot_commit}"
+          echo "has_config_change=${has_config_change}" >> "${GITHUB_OUTPUT}"
+          echo "is_bot_commit=${is_bot_commit}" >> "${GITHUB_OUTPUT}"
+
+      - name: Set up Node.js
+        if: ${{ steps.trigger.outputs.has_config_change == 'true' && steps.trigger.outputs.is_bot_commit != 'true' }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Load properties
+        if: ${{ steps.trigger.outputs.has_config_change == 'true' && steps.trigger.outputs.is_bot_commit != 'true' }}
+        id: properties
+        env:
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: node scripts/export-properties.mjs
+
+      - name: Validate config
+        if: ${{ steps.trigger.outputs.has_config_change == 'true' && steps.trigger.outputs.is_bot_commit != 'true' }}
+        run: node scripts/reverse-config-label-sync.mjs --validate-only
+
+      - name: Sync config into source repo labels
+        if: ${{ steps.trigger.outputs.has_config_change == 'true' && steps.trigger.outputs.is_bot_commit != 'true' }}
+        env:
+          LABEL_SYNC_TOKEN: ${{ secrets[steps.properties.outputs.label_sync_token_secret_name] }}
+          SOURCE_REPOSITORY: ${{ steps.properties.outputs.source_repository }}
+        run: node scripts/reverse-config-label-sync.mjs

README.md

@@ -12,12 +12,13 @@ Its job is to:
 
 ## How It Works
 
-This repo uses four workflows:
+This repo uses five workflows:
 
 1. `Config-Label_Sync`
 2. `Validate-Configs`
-3. `Org-Label-Sync`
-4. `Remove-Labels`
+3. `Reverse-Config-Label-Sync`
+4. `Org-Label-Sync`
+5. `Remove-Labels`
 
 The normal flow is:
 
@@ -28,6 +29,13 @@ The normal flow is:
 5. That config change triggers `Validate-Configs`.
 6. `Org-Label-Sync` then checks out the latest default branch, validates the config again, and syncs labels across the organization.
 
+The reverse flow is:
+
+1. You make a non-bot commit to `config/**` on the default branch.
+2. `Validate-Configs` runs for that commit.
+3. If validation passes, `Reverse-Config-Label-Sync` updates the configured source repository labels from `config/labels.jsonc`.
+4. Bot commits are ignored, so `Config-Label_Sync` can update `labels.jsonc` without triggering a reverse sync loop.
+
 ## Repository Layout
 
 ```text
@@ -37,6 +45,7 @@ The normal flow is:
 |       |-- config-label-sync.yml
 |       |-- org-label-sync.yml
 |       |-- remove-labels.yml
+|       |-- reverse-config-label-sync.yml
 |       `-- validate-configs.yml
 |-- config/
 |   |-- auto-pruned-labels.jsonc
@@ -49,6 +58,7 @@ The normal flow is:
 `-- scripts/
     |-- export-properties.mjs
     |-- remove-labels.mjs
+    |-- reverse-config-label-sync.mjs
     |-- sync-config-labels.mjs
     |-- sync-labels.mjs
     `-- lib/
@@ -218,6 +228,26 @@ Validation includes:
 - exact auto-pruned label shape validation
 - validation for the shared config used by `Remove-Labels`
 
+### `Reverse-Config-Label-Sync`
+
+File: `.github/workflows/reverse-config-label-sync.yml`
+
+Trigger:
+
+- after `Validate-Configs` completes successfully for a push to the default branch
+
+What it does:
+
+1. Checks out the exact commit that passed validation
+2. Skips the run unless the triggering commit changed `config/**`
+3. Skips the run when the triggering commit author or committer is a bot
+4. Loads shared settings from `config/properties.jsonc`
+5. Validates the config again as a local guard
+6. Creates or updates source repository labels from `config/labels.jsonc`
+7. Deletes exact auto-pruned labels and any other source repository labels that are not in `config/labels.jsonc`
+
+This workflow is the bridge from "the managed config was changed by a person" back to "the source repository label settings should now match that config."
+
 ### `Org-Label-Sync`
 
 File: `.github/workflows/org-label-sync.yml`
@@ -304,6 +334,7 @@ That token needs enough access to:
 - read and update labels on the source repository
 - discover repositories in the organization
 - read and update labels on target repositories
+- read and update labels on the source repository when running `Reverse-Config-Label-Sync`
 - read and update issues and pull requests when running `Remove-Labels`
 - push config updates back to this repository when `Config-Label_Sync` changes `labels.jsonc`
 - push changelog commits back to this repository when an action changes another repository

scripts/reverse-config-label-sync.mjs

@@ -0,0 +1,205 @@
+import path from "node:path";
+import {
+  assert,
+  labelsExactlyMatch,
+  normalizeColor,
+  normalizeDescription,
+  normalizeName,
+  readJsonc,
+} from "./lib/config-utils.mjs";
+import {
+  validateDeleteLabels,
+  validateLabels,
+  validateProperties,
+} from "./lib/config-validation.mjs";
+
+const workspaceRoot = process.cwd();
+const propertiesPath = path.join(workspaceRoot, "config", "properties.jsonc");
+const labelsPath = path.join(workspaceRoot, "config", "labels.jsonc");
+const autoPrunedLabelsPath = path.join(workspaceRoot, "config", "auto-pruned-labels.jsonc");
+
+const validateOnly = process.argv.includes("--validate-only");
+const dryRun = validateOnly || process.env.DRY_RUN === "true";
+
+async function githubRequest(token, method, apiPath, body) {
+  const response = await fetch(`https://api.github.com${apiPath}`, {
+    method,
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${token}`,
+      "User-Agent": "reverse-config-label-sync",
+      "X-GitHub-Api-Version": "2022-11-28",
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  if (!response.ok) {
+    const message = await response.text();
+    throw new Error(`${method} ${apiPath} failed with ${response.status}: ${message}`);
+  }
+
+  if (response.status === 204) {
+    return null;
+  }
+
+  return response.json();
+}
+
+async function getAllLabels(token, repo) {
+  const labels = [];
+  let page = 1;
+
+  while (true) {
+    const batch = await githubRequest(token, "GET", `/repos/${repo}/labels?per_page=100&page=${page}`);
+    labels.push(...batch);
+
+    if (batch.length < 100) {
+      return labels;
+    }
+
+    page += 1;
+  }
+}
+
+function summarizeLabelDiff(existing, desired) {
+  if (!existing) {
+    return "create";
+  }
+
+  const sameColor = normalizeColor(existing.color) === desired.color;
+  const sameDescription = normalizeDescription(existing.description) === desired.description;
+  const sameName = existing.name === desired.name;
+
+  if (sameColor && sameDescription && sameName) {
+    return "unchanged";
+  }
+
+  return "update";
+}
+
+function isExactAutoPrunedLabel(label, deleteLabels) {
+  return deleteLabels.some((deleteLabel) => labelsExactlyMatch(label, deleteLabel));
+}
+
+async function syncSourceRepository(token, repository, desiredLabels, deleteLabels) {
+  console.log(`Syncing ${repository} labels from config`);
+  const existingLabels = await getAllLabels(token, repository);
+  const existingByName = new Map(existingLabels.map((label) => [normalizeName(label.name), label]));
+  const desiredKeys = new Set(desiredLabels.map((label) => normalizeName(label.name)));
+
+  let created = 0;
+  let updated = 0;
+  let deletedConfigured = 0;
+  let deletedMissing = 0;
+  let unchanged = 0;
+
+  for (const desired of desiredLabels) {
+    const existing = existingByName.get(normalizeName(desired.name));
+    const action = summarizeLabelDiff(existing, desired);
+
+    if (action === "unchanged") {
+      unchanged += 1;
+      console.log(`  = ${desired.name}`);
+      continue;
+    }
+
+    if (action === "create") {
+      created += 1;
+      console.log(`  + ${desired.name}`);
+
+      if (!dryRun) {
+        await githubRequest(token, "POST", `/repos/${repository}/labels`, desired);
+      }
+
+      continue;
+    }
+
+    updated += 1;
+    console.log(`  ~ ${desired.name}`);
+
+    if (!dryRun) {
+      await githubRequest(
+        token,
+        "PATCH",
+        `/repos/${repository}/labels/${encodeURIComponent(existing.name)}`,
+        desired,
+      );
+    }
+  }
+
+  for (const existing of existingLabels) {
+    const existingKey = normalizeName(existing.name);
+
+    if (desiredKeys.has(existingKey) || !isExactAutoPrunedLabel(existing, deleteLabels)) {
+      continue;
+    }
+
+    deletedConfigured += 1;
+    console.log(`  - ${existing.name} (configured delete)`);
+
+    if (!dryRun) {
+      await githubRequest(
+        token,
+        "DELETE",
+        `/repos/${repository}/labels/${encodeURIComponent(existing.name)}`,
+      );
+    }
+  }
+
+  for (const existing of existingLabels) {
+    const existingKey = normalizeName(existing.name);
+
+    if (desiredKeys.has(existingKey) || isExactAutoPrunedLabel(existing, deleteLabels)) {
+      continue;
+    }
+
+    deletedMissing += 1;
+    console.log(`  - ${existing.name} (not in config)`);
+
+    if (!dryRun) {
+      await githubRequest(
+        token,
+        "DELETE",
+        `/repos/${repository}/labels/${encodeURIComponent(existing.name)}`,
+      );
+    }
+  }
+
+  console.log(
+    `Summary for ${repository}: created=${created}, updated=${updated}, deletedConfigured=${deletedConfigured}, deletedMissing=${deletedMissing}, unchanged=${unchanged}`,
+  );
+}
+
+async function main() {
+  const properties = validateProperties(await readJsonc(propertiesPath), {
+    includeSourceRepository: true,
+    defaultSourceRepository: process.env.GITHUB_REPOSITORY ?? "",
+  });
+  const labels = validateLabels(await readJsonc(labelsPath));
+  const deleteLabels = validateDeleteLabels(await readJsonc(autoPrunedLabelsPath));
+  const repository = process.env.SOURCE_REPOSITORY ?? properties.sourceRepository;
+  assert(repository, "SOURCE_REPOSITORY or properties.sourceRepository is required.");
+
+  console.log(
+    `Loaded ${labels.length} managed labels and ${deleteLabels.length} exact auto-pruned label specs for ${repository}.`,
+  );
+
+  if (validateOnly) {
+    console.log("Configuration is valid.");
+    return;
+  }
+
+  const token = process.env.LABEL_SYNC_TOKEN;
+  assert(token, "LABEL_SYNC_TOKEN is required unless --validate-only is used.");
+
+  await syncSourceRepository(token, repository, labels, deleteLabels);
+
+  if (dryRun) {
+    console.log("Dry-run mode did not apply label changes.");
+  }
+}
+
+main().catch((error) => {
+  console.error(error.message);
+  process.exitCode = 1;
+});

scripts/validate-configs.mjs

@@ -25,6 +25,7 @@ function runValidation(scriptName) {
 
 async function main() {
   await runValidation("sync-labels.mjs");
+  await runValidation("reverse-config-label-sync.mjs");
   await runValidation("remove-labels.mjs");
 }