chore(ci): update reusable workflows

[bedatty]

GitHub Actions Shared Workflows

---

Description

Type of Change

• feat: New workflow or new input/output/step in an existing workflow
• fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
• perf: Performance improvement (e.g. caching, parallelism, reduced steps)
• refactor: Internal restructuring with no behavior change
• docs: Documentation only (README, docs/, inline comments)
• ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
• chore: Dependency bumps, config updates, maintenance
• test: Adding or updating tests
• BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

• YAML syntax validated locally
• Triggered a real workflow run on a caller repository using @develop or the beta tag
• Verified all existing inputs still work with default values
• Confirmed no secrets or tokens are printed in logs
• Checked that unrelated workflows are not affected

Caller repo / workflow run:

Related Issues

Closes #

Summary by CodeRabbit

• Chores

  • Removed an automatic push trigger for label config; added manual and repo-self entrypoints for label sync.
  • Introduced a self-managed branch-cleanup workflow that runs weekly and deletes merged or stale branches (with dry-run support).

• Documentation

  • Added comprehensive label-sync usage docs.
  • Added guidance for self-* entrypoint workflows and updated workflow docs to require a branding header and stricter naming/structure.

[coderabbitai]

Walkthrough

Removed the push trigger on .github/workflows/labels-sync.yml for changes to .github/labels.yml; added two repo-local self-* entrypoint workflows (.github/workflows/self-branch-cleanup.yml, .github/workflows/self-labels-sync.yml); and added/updated documentation and repository rules describing self-* entrypoints and the labels-sync workflow.

Changes

Cohort / File(s)	Summary
Reusable workflow .github/workflows/labels-sync.yml	Removed the push trigger on main that watched .github/labels.yml; workflow now intended to run via workflow_call and workflow_dispatch only. Review for downstream callers and scheduled/manual entrypoints.
Self-use entrypoints .github/workflows/self-branch-cleanup.yml, .github/workflows/self-labels-sync.yml	Added self-branch-cleanup.yml (weekly schedule, PR-closed merged deletion job, manual dispatch with dry_run/stale_days, reuses branch-cleanup.yml) and self-labels-sync.yml (triggers on push to main when .github/labels.yml changes and manual dispatch, reuses local labels-sync.yml). Validate permissions and inputs mapping.
Docs & rules .claude/commands/gha.md, .claude/commands/workflow.md, .cursor/rules/reusable-workflows.mdc, docs/labels-sync.md, .coderabbit.yml	Added docs/labels-sync.md documenting the labels-sync reusable workflow; introduced rules and examples for self-* repo-local entrypoints and added requirement for a Lerian branding header in workflow docs; updated .coderabbit.yml path_instructions accordingly. Review for consistency with repository policy and doc header templates.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description lacks concrete details about the changes. The Type of Change is marked as 'refactor' but the commit message indicates 'feat', creating inconsistency. The summary section is empty, and no specific workflows or behavior changes are documented.	Add a detailed description of the changes: list the new self-* workflows created, explain the architectural restructuring, document behavior changes in labels-sync and branch-cleanup workflows, and clarify whether this is a 'feat' or 'refactor.'
Title check	❓ Inconclusive	The title 'chore(ci): update reusable workflows' is vague and doesn't reflect the substantive changes made, which involve creating new self-* entrypoint workflows, restructuring workflow architecture, and adding comprehensive documentation for the new patterns.	Clarify the title to reflect the main changes: e.g., 'chore(ci): introduce self-* entrypoint workflows and restructure reusable workflow patterns' or 'refactor(ci): add self-* workflow entrypoints with new documentation.'

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/update-reusable-workflows

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/self-branch-cleanup.yml:
- Around line 11-14: The dry_run input for the self-branch-cleanup workflow is
defaulting to true; change the default value of the input named dry_run to false
so state-changing workflows comply with the policy (look for the inputs block
that defines dry_run and update its default from true to false).
- Around line 3-19: The workflow is missing on.workflow_call which prevents it
from being used as a reusable workflow; add an on.workflow_call block that
exposes the same inputs currently under workflow_dispatch (dry_run and
stale_days) so callers can invoke this workflow programmatically. Specifically,
update the top-level on: section to include workflow_call with inputs dry_run
(type: boolean, default: true) and stale_days (type: number, default: 30),
mirroring the existing workflow_dispatch input definitions so both workflow_call
and workflow_dispatch are present and consistent.
- Around line 1-41: The workflow "Self — Branch Cleanup" is missing a
workflow_call trigger, has an incorrect default for the dry_run input, and lacks
the required docs file; add a top-level workflow_call trigger alongside
workflow_dispatch so the workflow can be invoked by other workflows, change the
workflow_dispatch input dry_run default from true to false (update the dry_run
input block under workflow_dispatch), and create the required documentation file
docs/self-branch-cleanup.md that describes this workflow and its inputs
(mentioning dry_run and stale_days) so the repo meets the guideline; refer to
the workflow name "Self — Branch Cleanup" and the inputs/dry_run and
workflow_dispatch identifiers when making the changes.

In @.github/workflows/self-labels-sync.yml:
- Around line 3-15: Add a reusable trigger by adding an on.workflow_call block
alongside the existing on.workflow_dispatch; define an inputs.dry_run boolean
with the same description and default as the workflow_dispatch input so callers
can invoke this workflow programmatically, while leaving the existing
workflow_dispatch intact (i.e., ensure both workflow_call and workflow_dispatch
are present and use the same dry_run input).
- Around line 1-26: The workflow declared as "Self — Sync Labels" (file
self-labels-sync.yml) is missing its corresponding docs markdown; add a new
documentation file named self-labels-sync.md in the docs collection that
documents the workflow purpose and usage, including the dry_run input, required
permissions (issues: write, contents: read), the sync job that uses labels-sync
workflow, and any example invocation or behavior notes so it matches the repo's
docs/<filename>.md convention.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 003b8ced-1cf4-4759-8cf0-dd4e5a4e2cc4

📥 Commits

Reviewing files that changed from the base of the PR and between 3a637cf and 3e621d6.

📒 Files selected for processing (3)

• .github/workflows/labels-sync.yml
• .github/workflows/self-branch-cleanup.yml
• .github/workflows/self-labels-sync.yml

💤 Files with no reviewable changes (1)

• .github/workflows/labels-sync.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/labels-sync.md`:
- Around line 54-71: The example workflow mixes push and workflow_dispatch but
still passes a with: parameter referencing inputs.dry_run (which only exists for
workflow_dispatch); remove the with: block (and specifically the dry_run
argument) from the sync job that uses
LerianStudio/github-actions-shared-workflows/.github/workflows/labels-sync.yml@v1.0.0
so the reusable workflow's default dry_run value is used instead; keep secrets:
inherit as-is and ensure no other references to inputs.dry_run remain in the
example.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 08060da0-b514-4aef-832e-bc66a7e968ae

📥 Commits

Reviewing files that changed from the base of the PR and between 3e621d6 and b05c43a.

📒 Files selected for processing (4)

• .claude/commands/gha.md
• .claude/commands/workflow.md
• .cursor/rules/reusable-workflows.mdc
• docs/labels-sync.md

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yml:
- Around line 40-43: Update the self-* entrypoint rule so it not only ignores
missing `dry_run` but also enforces that if a `dry_run` input is present on
self-* entrypoints it must be declared optional; specifically modify the rule
logic that currently only suppresses “missing `dry_run`” findings to also
validate `dry_run` presence and ensure its `required: false` (or equivalent
“optional”) attribute for any workflow entrypoint matching the self-* pattern,
referencing the rule handling for self-* entrypoints and the `dry_run` input
name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d31dbdd2-9a93-4d92-a462-78c715ae576a

📥 Commits

Reviewing files that changed from the base of the PR and between b05c43a and 76c7faa.

📒 Files selected for processing (4)

• .claude/commands/gha.md
• .claude/commands/workflow.md
• .coderabbit.yml
• .cursor/rules/reusable-workflows.mdc

[coderabbitai]

♻️ Duplicate comments (1)

.coderabbit.yml (1)

42-43: ⚠️ Potential issue | 🟠 Major

Resolve conflicting dry_run enforcement wording.

Line 42’s “flag it only if …” gate conflicts with Line 43 and can suppress valid findings (for example, wrong type or unsafe default). Keep a single normative rule for optional-but-constrained dry_run.

Proposed wording fix

-        `dry_run` is not required; flag it only if it is marked `required: true` or lacks a default value.
-        When `dry_run` is present it must be: type boolean, required false, default true for destructive operations (delete, purge) or default false for non-destructive ones (sync, notify).
+        `dry_run` is optional on self-* entrypoints.
+        When `dry_run` is present, it must be: `type: boolean`, `required: false`, and
+        `default: true` for destructive operations (delete, purge) or `default: false` for
+        non-destructive operations (sync, notify).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yml around lines 42 - 43, Unify the conflicting guidance by
removing the "flag it only if it is marked `required: true` or lacks a default
value" gate and replace it with a single normative rule: when a `dry_run` key is
present it must be type boolean, have `required: false`, and set `default: true`
for destructive operations (delete, purge) or `default: false` for
non-destructive operations (sync, notify); update the `.coderabbit.yml` wording
so only this single rule about `dry_run` remains and ensure the examples/notes
reference the `dry_run` key and the two default behaviors for destructive vs
non-destructive operations.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.coderabbit.yml:
- Around line 42-43: Unify the conflicting guidance by removing the "flag it
only if it is marked `required: true` or lacks a default value" gate and replace
it with a single normative rule: when a `dry_run` key is present it must be type
boolean, have `required: false`, and set `default: true` for destructive
operations (delete, purge) or `default: false` for non-destructive operations
(sync, notify); update the `.coderabbit.yml` wording so only this single rule
about `dry_run` remains and ensure the examples/notes reference the `dry_run`
key and the two default behaviors for destructive vs non-destructive operations.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9eb0e76f-5a47-48c1-a9e5-711ad44d1029

📥 Commits

Reviewing files that changed from the base of the PR and between 76c7faa and 3c9ba4a.

📒 Files selected for processing (4)

• .claude/commands/gha.md
• .claude/commands/workflow.md
• .coderabbit.yml
• .cursor/rules/reusable-workflows.mdc