Also sync content to composefs GH org (#125)

* ci: Add composefs org to sync-common and sync-labels targets

The composefs org has significant overlap with bootc-dev contributors,
so keep CI infrastructure in sync across both. This adds a second
GitHub App token scoped to the composefs org and discovers repos from
both orgs to build the sync matrix.

Each matrix entry now includes an 'owner' field so the sync job
generates a correctly-scoped token for the target repo's org.

Prerequisite: the bootc-bot GitHub App must be installed on the
composefs GitHub organization.

Closes: #119

Assisted-by: OpenCode (Claude claude-opus-4-6)
Signed-off-by: Colin Walters <walters@verbum.org>

* ci: Add composefs org to Renovate and update shared config

Run Renovate as a matrix job across both bootc-dev and composefs orgs,
each with its own scoped GitHub App token. Autodiscovery works per-token
so each run finds the correct repos.

Change inheritConfigRepoName from '{{parentOrg}}/infra' to the explicit
'bootc-dev/infra' so that composefs repos also inherit the shared
Renovate config from this repository (the repo is public so
cross-org reads work).

Add composefs/composefs and composefs/composefs-rs to the
matchRepositories list for ignorePaths, preventing Renovate from
creating conflicting PRs for files managed by sync-common.

Closes: #119

Assisted-by: OpenCode (Claude claude-opus-4-6)
Signed-off-by: Colin Walters <walters@verbum.org>

---------

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

.github/workflows/renovate.yml

@@ -32,6 +32,12 @@ jobs:
     runs-on: ubuntu-latest
     needs: validate
     if: github.event_name != 'pull_request'
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - owner: bootc-dev
+          - owner: composefs
     steps:
       - name: Generate Actions Token
         id: token
@@ -40,7 +46,7 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
+          owner: ${{ matrix.owner }}
 
       - name: Checkout
         uses: actions/checkout@v6

.github/workflows/sync-common.yml

@@ -55,45 +55,70 @@ jobs:
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Generate Actions Token (composefs)
+        id: token-composefs
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: composefs
+
       - name: Checkout
         uses: actions/checkout@v6
 
       - name: Get repository list
         id: get-repos
         uses: actions/github-script@v8
+        env:
+          COMPOSEFS_TOKEN: ${{ steps.token-composefs.outputs.token }}
         with:
           github-token: ${{ steps.token.outputs.token }}
           script: |
-            const repos = await github.paginate(github.rest.repos.listForOrg, {
-              org: context.repo.owner,
-              type: 'all',
-              per_page: 100
-            });
-
-            // Filter out archived repos and this repo itself
-            let activeRepos = repos.filter(repo =>
-              !repo.archived &&
-              repo.name !== context.repo.repo &&
-              !repo.name.startsWith('.')
-            );
+            const composefsGithub = require('@actions/github').getOctokit(process.env.COMPOSEFS_TOKEN);
+
+            const orgs = [
+              { name: context.repo.owner, octokit: github },
+              { name: 'composefs', octokit: composefsGithub },
+            ];
+
+            let allRepos = [];
+            for (const org of orgs) {
+              const repos = await org.octokit.paginate(org.octokit.rest.repos.listForOrg, {
+                org: org.name,
+                type: 'all',
+                per_page: 100
+              });
+
+              // Filter out archived repos, this repo itself (for home org), and dot-prefixed repos
+              const activeRepos = repos.filter(repo =>
+                !repo.archived &&
+                !(org.name === context.repo.owner && repo.name === context.repo.repo) &&
+                !repo.name.startsWith('.')
+              );
+
+              for (const repo of activeRepos) {
+                allRepos.push({
+                  repo: repo.name,
+                  full_name: repo.full_name,
+                  owner: org.name
+                });
+              }
+            }
 
             // Test mode - only sync to ci-sandbox
             const testMode = '${{ github.event.inputs.test_mode }}' === 'true';
             if (testMode) {
               console.log('Test mode enabled - only syncing to ci-sandbox');
-              activeRepos = activeRepos.filter(repo => repo.name === 'ci-sandbox');
+              allRepos = allRepos.filter(repo =>
+                repo.owner === context.repo.owner && repo.name === 'ci-sandbox'
+              );
             }
 
-            const matrix = activeRepos.map(repo => ({
-              repo: repo.name,
-              full_name: repo.full_name
-            }));
-
-            console.log('Discovered repositories:', matrix);
-            core.setOutput('matrix', JSON.stringify(matrix));
+            console.log('Discovered repositories:', allRepos);
+            core.setOutput('matrix', JSON.stringify(allRepos));
 
   sync:
-    name: Sync to ${{ matrix.repo }}
+    name: Sync to ${{ matrix.full_name }}
     needs: [build, init]
     if: needs.init.outputs.matrix != '[]'
     runs-on: ubuntu-latest
@@ -108,7 +133,7 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
+          owner: ${{ matrix.owner }}
           repositories: ${{ matrix.repo }}
 
       - name: Checkout infra repository

.github/workflows/sync-labels.yml

@@ -59,41 +59,66 @@ jobs:
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
+      - name: Generate Actions Token (composefs)
+        id: token-composefs
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          owner: composefs
+
       - name: Get repository list
         id: get-repos
         uses: actions/github-script@v8
+        env:
+          COMPOSEFS_TOKEN: ${{ steps.token-composefs.outputs.token }}
         with:
           github-token: ${{ steps.token.outputs.token }}
           script: |
-            const repos = await github.paginate(github.rest.repos.listForOrg, {
-              org: context.repo.owner,
-              type: 'all',
-              per_page: 100
-            });
-
-            // Filter out archived repos
-            let activeRepos = repos.filter(repo =>
-              !repo.archived &&
-              !repo.name.startsWith('.')
-            );
+            const composefsGithub = require('@actions/github').getOctokit(process.env.COMPOSEFS_TOKEN);
+
+            const orgs = [
+              { name: context.repo.owner, octokit: github },
+              { name: 'composefs', octokit: composefsGithub },
+            ];
+
+            let allRepos = [];
+            for (const org of orgs) {
+              const repos = await org.octokit.paginate(org.octokit.rest.repos.listForOrg, {
+                org: org.name,
+                type: 'all',
+                per_page: 100
+              });
+
+              // Filter out archived repos and dot-prefixed repos
+              const activeRepos = repos.filter(repo =>
+                !repo.archived &&
+                !repo.name.startsWith('.')
+              );
+
+              for (const repo of activeRepos) {
+                allRepos.push({
+                  repo: repo.name,
+                  full_name: repo.full_name,
+                  owner: org.name
+                });
+              }
+            }
 
             // Test mode - only sync to ci-sandbox
             const testMode = '${{ github.event.inputs.test_mode }}' === 'true';
             if (testMode) {
               console.log('Test mode enabled - only syncing to ci-sandbox');
-              activeRepos = activeRepos.filter(repo => repo.name === 'ci-sandbox');
+              allRepos = allRepos.filter(repo =>
+                repo.owner === context.repo.owner && repo.name === 'ci-sandbox'
+              );
             }
 
-            const matrix = activeRepos.map(repo => ({
-              repo: repo.name,
-              full_name: repo.full_name
-            }));
-
-            console.log('Discovered repositories:', matrix);
-            core.setOutput('matrix', JSON.stringify(matrix));
+            console.log('Discovered repositories:', allRepos);
+            core.setOutput('matrix', JSON.stringify(allRepos));
 
   sync:
-    name: Sync to ${{ matrix.repo }}
+    name: Sync to ${{ matrix.full_name }}
     needs: init
     if: needs.init.outputs.matrix != '[]'
     runs-on: ubuntu-24.04
@@ -108,7 +133,7 @@ jobs:
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
-          owner: ${{ github.repository_owner }}
+          owner: ${{ matrix.owner }}
           repositories: ${{ matrix.repo }}
 
       - name: Sync labels
@@ -119,7 +144,7 @@ jobs:
           github-token: ${{ steps.token.outputs.token }}
           script: |
             const labels = JSON.parse(process.env.LABELS_JSON);
-            const owner = context.repo.owner;
+            const owner = '${{ matrix.owner }}';
             const repo = '${{ matrix.repo }}';
 
             console.log(`Syncing labels to ${owner}/${repo}`);

renovate-config.js

@@ -11,10 +11,13 @@ module.exports = {
   // Centralise all Renovate configuration into this repository
   //
   // This allows for easier management of Renovate settings across multiple
-  // repositories.  Each individual repository can still contain their own
-  // configuration.
+  // repositories and organisations. Each individual repository can still
+  // contain their own configuration.
+  //
+  // Note: this uses an explicit repo name rather than {{parentOrg}}/infra
+  // so that repos in other orgs (e.g. composefs) also inherit from here.
   inheritConfig: true,
-  inheritConfigRepoName: '{{parentOrg}}/infra',
+  inheritConfigRepoName: 'bootc-dev/infra',
   inheritConfigFileName: "renovate-shared-config.json",
   inheritConfigStrict: true,
 

renovate-shared-config.json

@@ -81,7 +81,9 @@
         "bootc-dev/bcvk",
         "bootc-dev/ci-sandbox",
         "bootc-dev/containers-image-proxy-rs",
-        "bootc-dev/bootc-dev.github.io"
+        "bootc-dev/bootc-dev.github.io",
+        "composefs/composefs",
+        "composefs/composefs-rs"
       ],
       "ignorePaths": [
         ".github/workflows/rebase.yml",