new

Author: NagyVikt

.github/workflows/sync-frontend-mirror.yml

@@ -0,0 +1,35 @@
+name: Sync Frontend Mirror
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - frontend/**
+      - scripts/sync-frontend-mirror.sh
+      - .github/workflows/sync-frontend-mirror.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: sync-frontend-mirror
+  cancel-in-progress: false
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    env:
+      TARGET_REPO: ${{ vars.GUARDEX_FRONTEND_MIRROR_REPO || 'Webu-PRO/guardex-frontend' }}
+      TARGET_BRANCH: ${{ vars.GUARDEX_FRONTEND_MIRROR_BRANCH || 'main' }}
+      SOURCE_PREFIX: frontend
+      SYNC_TOKEN: ${{ secrets.GUARDEX_FRONTEND_MIRROR_PAT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Sync frontend subtree to mirror repo
+        run: bash scripts/sync-frontend-mirror.sh

README.md

@@ -287,6 +287,34 @@ Then in your repo:
 
 After that, the app reviews new and updated pull requests automatically.
 
+## Frontend mirror sync (`Webu-PRO/guardex-frontend`)
+
+This repo includes `.github/workflows/sync-frontend-mirror.yml`, which mirrors
+the `frontend/` subtree to a separate repository whenever `main` receives
+changes under `frontend/**`.
+
+Default target:
+
+- repo: `Webu-PRO/guardex-frontend`
+- branch: `main`
+
+Required setup (in this repository):
+
+1. `Settings -> Secrets and variables -> Actions`
+2. Add repository secret `GUARDEX_FRONTEND_MIRROR_PAT`
+   - value must be a token with `contents:write` access to `Webu-PRO/guardex-frontend`
+
+Optional overrides (Actions Variables):
+
+- `GUARDEX_FRONTEND_MIRROR_REPO` (default `Webu-PRO/guardex-frontend`)
+- `GUARDEX_FRONTEND_MIRROR_BRANCH` (default `main`)
+
+Manual run:
+
+```sh
+gh workflow run sync-frontend-mirror.yml
+```
+
 ## Companion dependency: `codex-auth` account switcher
 
 For multi-identity Codex workflows, GuardeX pairs with

openspec/changes/agent-codex-sync-frontend-mirror-webu-pro-2026-04-20-13-08/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-04-20

openspec/changes/agent-codex-sync-frontend-mirror-webu-pro-2026-04-20-13-08/proposal.md

@@ -0,0 +1,16 @@
+## Why
+
+- The user requested that updates to the `frontend/` app in this repository also update `https://github.com/Webu-PRO/guardex-frontend`.
+- The current workflow does not automatically publish frontend subtree updates to that external repository.
+
+## What Changes
+
+- Add an automated GitHub Actions workflow that mirrors the `frontend/` subtree to a configurable target repository.
+- Add a local shell helper script for the subtree-sync push logic so workflow behavior is explicit and reusable.
+- Document required repository secrets/variables and manual trigger behavior in `README.md`.
+
+## Impact
+
+- Affected surface: CI automation (`.github/workflows`) and documentation; no runtime behavior change for `gx`.
+- Operational requirement: a repository secret with push access to `Webu-PRO/guardex-frontend`.
+- Risk is moderate: mirror push is force-updated by subtree commit to keep target repo exactly aligned with `frontend/`.

openspec/changes/agent-codex-sync-frontend-mirror-webu-pro-2026-04-20-13-08/specs/frontend-mirror-sync/spec.md

@@ -0,0 +1,19 @@
+## ADDED Requirements
+
+### Requirement: Frontend subtree mirror sync
+The repository SHALL provide an automated mirror flow that updates an external frontend repository from the `frontend/` subtree whenever qualifying changes land on the base branch.
+
+#### Scenario: Sync runs after frontend changes on main
+- **WHEN** a commit is pushed to `main` and includes changes under `frontend/**`
+- **THEN** the mirror workflow runs
+- **AND** it computes a subtree commit from `frontend/`
+- **AND** it force-pushes that subtree commit to the configured target repo/branch.
+
+#### Scenario: Manual sync run
+- **WHEN** an operator triggers the mirror workflow manually
+- **THEN** the workflow syncs the latest `frontend/` subtree to the configured target repo/branch even without a new push event.
+
+#### Scenario: Missing credentials fails closed
+- **WHEN** the required mirror push token is missing
+- **THEN** the workflow fails with a clear configuration error
+- **AND** it does not attempt an anonymous or partial push.

openspec/changes/agent-codex-sync-frontend-mirror-webu-pro-2026-04-20-13-08/tasks.md

@@ -0,0 +1,21 @@
+## 1. Specification
+
+- [x] 1.1 Finalize proposal scope and acceptance criteria for frontend mirror sync.
+- [x] 1.2 Define normative requirements in `specs/frontend-mirror-sync/spec.md`.
+
+## 2. Implementation
+
+- [x] 2.1 Add subtree sync helper script for `frontend/` -> target repo branch push.
+- [x] 2.2 Add GitHub Actions workflow to run sync on `main` pushes that touch `frontend/**` and on manual dispatch.
+- [x] 2.3 Document setup requirements (secret + optional vars) and operator runbook in `README.md`.
+
+## 3. Verification
+
+- [x] 3.1 Run shell syntax checks for modified script/workflow support files.
+- [x] 3.2 Run `npm test`.
+- [x] 3.3 Run `openspec validate --specs`.
+
+## 4. Cleanup
+
+- [x] 4.1 Confirm task checklist reflects implemented state and known limitations.
+- [ ] 4.2 Merge the branch and clean up worktree/branch per repo policy.

scripts/sync-frontend-mirror.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TARGET_REPO="${TARGET_REPO:-}"
+TARGET_BRANCH="${TARGET_BRANCH:-main}"
+SOURCE_PREFIX="${SOURCE_PREFIX:-frontend}"
+SYNC_TOKEN="${SYNC_TOKEN:-${GITHUB_TOKEN:-}}"
+
+usage() {
+  cat <<'EOF'
+Usage: sync-frontend-mirror.sh [options]
+
+Options:
+  --repo <owner/name>     Target GitHub repository (default: $TARGET_REPO)
+  --branch <name>         Target branch in the mirror repository (default: main)
+  --source-prefix <path>  Subtree path to mirror (default: frontend)
+  --token <token>         GitHub token with push access to target repo
+  -h, --help              Show this help
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --repo)
+      TARGET_REPO="${2:-}"
+      shift 2
+      ;;
+    --branch)
+      TARGET_BRANCH="${2:-}"
+      shift 2
+      ;;
+    --source-prefix)
+      SOURCE_PREFIX="${2:-}"
+      shift 2
+      ;;
+    --token)
+      SYNC_TOKEN="${2:-}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "[frontend-mirror-sync] Unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$TARGET_REPO" ]]; then
+  echo "[frontend-mirror-sync] Missing target repository. Set --repo or TARGET_REPO." >&2
+  exit 1
+fi
+
+if [[ -z "$SYNC_TOKEN" ]]; then
+  echo "[frontend-mirror-sync] Missing token. Set --token, SYNC_TOKEN, or GITHUB_TOKEN." >&2
+  exit 1
+fi
+
+if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+  echo "[frontend-mirror-sync] Not inside a git repository." >&2
+  exit 1
+fi
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+if [[ ! -d "$SOURCE_PREFIX" ]]; then
+  echo "[frontend-mirror-sync] Source prefix not found: ${SOURCE_PREFIX}" >&2
+  exit 1
+fi
+
+if ! split_sha="$(git subtree split --prefix="$SOURCE_PREFIX" HEAD 2>/dev/null)"; then
+  echo "[frontend-mirror-sync] Failed to compute subtree split for '${SOURCE_PREFIX}'." >&2
+  exit 1
+fi
+
+remote_url="https://x-access-token:${SYNC_TOKEN}@github.com/${TARGET_REPO}.git"
+push_output=""
+if ! push_output="$(git push --force "$remote_url" "${split_sha}:${TARGET_BRANCH}" 2>&1)"; then
+  sanitized_output="$push_output"
+  if [[ -n "$SYNC_TOKEN" ]]; then
+    sanitized_output="${sanitized_output//${SYNC_TOKEN}/***}"
+  fi
+  echo "[frontend-mirror-sync] Push failed for ${TARGET_REPO}:${TARGET_BRANCH}." >&2
+  echo "$sanitized_output" >&2
+  exit 1
+fi
+
+echo "[frontend-mirror-sync] Synced ${SOURCE_PREFIX} (commit ${split_sha}) -> ${TARGET_REPO}:${TARGET_BRANCH}"