rust-lang
diff --git a/‎sync-team/.github/workflows/ci.yml
Lines changed: 81 additions & 0 deletions b/‎sync-team/.github/workflows/ci.yml
Lines changed: 81 additions & 0 deletions
diff --git a/‎sync-team/.github/workflows/dry-run.yml
Lines changed: 102 additions & 0 deletions b/‎sync-team/.github/workflows/dry-run.yml
Lines changed: 102 additions & 0 deletions
diff --git a/‎sync-team/.github/workflows/run.yml
Lines changed: 21 additions & 0 deletions b/‎sync-team/.github/workflows/run.yml
Lines changed: 21 additions & 0 deletions
diff --git a/‎sync-team/.gitignore
Lines changed: 1 addition & 0 deletions b/‎sync-team/.gitignore
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,81 @@
+name: CI
+on:
+  pull_request:
+  merge_group:
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: Swatinem/rust-cache@v2
+
+      - name: Build
+        run: cargo build
+
+      - name: Run tests
+        run: cargo test
+
+      - name: Run rustfmt
+        run: cargo fmt -- --check
+
+      - name: Run clippy
+        run: cargo clippy -- -Dwarnings
+  deploy:
+    name: Deploy
+    needs: [ test ]
+    environment: deploy
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    if: github.event_name == 'merge_group'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build the Docker container
+        run: docker build -t sync-team .
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--sync-team
+          aws-region: us-west-1
+
+      - name: Login to Amazon ECR Private
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push docker image to Amazon ECR
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          REPOSITORY: sync-team
+        run: |
+          docker tag sync-team $REGISTRY/$REPOSITORY:latest
+          docker push $REGISTRY/$REPOSITORY:latest
+
+      - name: Start the synchronization tool
+        run: |
+          aws --region us-west-1 lambda invoke --function-name start-sync-team output.json
+          cat output.json | python3 -m json.tool
+
+  # Summary job for the merge queue.
+  # ALL THE PREVIOUS JOBS NEED TO BE ADDED TO THE `needs` SECTION OF THIS JOB!
+  conclusion:
+    name: CI
+    needs: [ test, deploy ]
+    # We need to ensure this job does *not* get skipped if its dependencies fail,
+    # because a skipped job is considered a success by GitHub. So we have to
+    # overwrite `if:`. We use `!cancelled()` to ensure the job does still not get run
+    # when the workflow is canceled manually.
+    if: ${{ !cancelled() }}
+    runs-on: ubuntu-latest
+    steps:
+      # Manually check the status of all dependencies. `if: failure()` does not work.
+      - name: Conclusion
+        run: |
+          # Print the dependent jobs to see them in the CI log
+          jq -C <<< '${{ toJson(needs) }}'
+          # Check if all jobs that we depend on (in the needs array) were successful.
+          jq --exit-status 'all(.result == "success" or .result == "skipped")' <<< '${{ toJson(needs) }}'
@@ -0,0 +1,102 @@
+name: Dry Run
+
+on:
+  push:
+  workflow_dispatch:
+  schedule:
+    # Run the dry run every 4 hours
+    - cron: "0 */4 * * *"
+
+jobs:
+  dry-run:
+    name: Run sync-team dry-run
+    runs-on: ubuntu-24.04
+    if: ${{ github.repository_owner == 'rust-lang' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # We don't need to do authenticated `git` operations, since we use the GitHub API.
+          persist-credentials: false
+
+      - uses: Swatinem/rust-cache@v2
+
+      # GitHub tokens generated from GitHub Apps can access resources from one organization,
+      # so we need to generate a token for each organization.
+      - name: Generate GitHub token (rust-lang)
+        uses: actions/create-github-app-token@v1
+        id: rust-lang-token
+        with:
+          # GitHub App ID secret name
+          app-id: ${{ secrets.GH_APP_ID }}
+          # GitHub App private key secret name
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          # Set the owner, so the token can be used in all repositories
+          owner: rust-lang
+
+      - name: Generate GitHub token (rust-lang-ci)
+        uses: actions/create-github-app-token@v1
+        id: rust-lang-ci-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-lang-ci
+
+      - name: Generate GitHub token (rust-lang-deprecated)
+        uses: actions/create-github-app-token@v1
+        id: rust-lang-deprecated-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-lang-deprecated
+
+      - name: Generate GitHub token (rust-lang-nursery)
+        uses: actions/create-github-app-token@v1
+        id: rust-lang-nursery-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-lang-nursery
+
+      - name: Generate GitHub token (bors-rs)
+        uses: actions/create-github-app-token@v1
+        id: bors-rs-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: bors-rs
+
+      - name: Generate GitHub token (rust-analyzer)
+        uses: actions/create-github-app-token@v1
+        id: rust-analyzer-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-analyzer
+
+      - name: Generate GitHub token (rust-embedded)
+        uses: actions/create-github-app-token@v1
+        id: rust-embedded-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-embedded
+
+      - name: Generate GitHub token (rust-dev-tools)
+        uses: actions/create-github-app-token@v1
+        id: rust-dev-tools-token
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: rust-dev-tools
+
+      - name: Dry run
+        env:
+          GITHUB_TOKEN_RUST_LANG: ${{ steps.rust-lang-token.outputs.token }}
+          GITHUB_TOKEN_RUST_LANG_CI: ${{ steps.rust-lang-ci-token.outputs.token }}
+          GITHUB_TOKEN_RUST_LANG_DEPRECATED: ${{ steps.rust-lang-deprecated-token.outputs.token }}
+          GITHUB_TOKEN_RUST_LANG_NURSERY: ${{ steps.rust-lang-nursery-token.outputs.token }}
+          GITHUB_TOKEN_BORS_RS: ${{ steps.bors-rs-token.outputs.token }}
+          GITHUB_TOKEN_RUST_ANALYZER: ${{ steps.rust-analyzer-token.outputs.token }}
+          GITHUB_TOKEN_RUST_EMBEDDED: ${{ steps.rust-embedded-token.outputs.token }}
+          GITHUB_TOKEN_RUST_DEV_TOOLS: ${{ steps.rust-dev-tools-token.outputs.token }}
+        run: cargo run -- print-plan --services github
@@ -0,0 +1,21 @@
+name: Run
+on:
+  workflow_dispatch: { }
+
+jobs:
+  run:
+    name: Run the sync-team tool
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::890664054962:role/ci--rust-lang--sync-team
+          aws-region: us-west-1
+
+      - name: Start the synchronization tool
+        run: |
+          aws --region us-west-1 lambda invoke --function-name start-sync-team output.json
+          cat output.json | python3 -m json.tool
@@ -0,0 +1 @@
+/target