Added workflow files

.github/workflows/jenkins-trigger.yml

@@ -0,0 +1,15 @@
+name: Jenkins Trigger - Security Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  jenkins-security-check:
+    uses: thoughtspot/workflows/.github/workflows/jenkins-trigger.yml@main
+    secrets:
+      JENKINS_USER: ${{ secrets.JENKINS_USER }}
+      JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}

.github/workflows/sonar-scan.yml

@@ -0,0 +1,17 @@
+name: Sonar Analysis
+
+on:
+  push:
+    branches:
+      - '**'
+      - '*'
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  sonar:
+    uses: thoughtspot/workflows/.github/workflows/sonar-scan.yml@main
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+      SONAR_PROJECTKEY: ${{ secrets.SONAR_PROJECTKEY }}

.github/workflows/sync-to-public-mirror.yml

@@ -0,0 +1,52 @@
+name: Sync Repository to Public Mirror
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+     - main
+  workflow_dispatch:
+    inputs:
+      force_sync:
+        description: 'Force sync all branches (WARNING: This will sync all branches)'
+        required: false
+        default: false  # CRITICAL FIX: Changed from 'true' to false
+        type: boolean
+      public_repo_name:
+        description: 'Public repository name (leave empty to auto-derive by removing "-private")'
+        required: false
+        type: string
+      target_branches:
+        description: 'Comma-separated list of specific branches to sync (leave empty to sync merged branch only)'
+        required: false
+        type: string
+
+# Branch-level concurrency control - allows parallel syncs for different branches
+concurrency:
+  group: sync-public-mirror-${{ github.repository }}-${{ github.event.pull_request.base.ref || github.event.client_payload.branch || github.event.inputs.target_branches || 'default' }}
+  cancel-in-progress: false  # Queue per branch to ensure all changes are synced
+
+jobs:
+  call-sync-workflow:
+    # Only run this job when the PR was merged, not just closed, OR when manually triggered, OR via repository_dispatch
+    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'repository_dispatch'
+    uses: thoughtspot/workflows/.github/workflows/sync-to-public-mirror.yml@main
+    with:
+      # CRITICAL FIX: Only force sync when explicitly requested, not on every PR
+      force_sync: ${{ github.event.inputs.force_sync == true || (github.event_name == 'repository_dispatch' && github.event.client_payload.force_sync == true) }}
+
+      public_repo_name: ${{ github.event.inputs.public_repo_name || github.event.client_payload.public_repo_name || '' }}
+
+      # Optimization: Pass specific target branches instead of syncing all
+      target_branches: ${{ github.event.inputs.target_branches || github.event.client_payload.target_branches || (github.event_name == 'pull_request' && github.event.pull_request.base.ref) || '' }}
+
+      # Enhanced context for better logging and traceability
+      trigger_type: ${{ github.event_name }}
+      pr_number: ${{ github.event.pull_request.number || github.event.client_payload.pr_number || '' }}
+
+      # CRITICAL FIX: Use base.ref (target branch) instead of head.ref (source branch)
+      merged_branch: ${{ github.event.pull_request.base.ref || github.event.client_payload.branch || '' }}
+
+      merge_commit_sha: ${{ github.event.pull_request.merge_commit_sha || github.event.client_payload.commit_sha || github.sha }}
+    secrets:
+      SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}