From dce722cc0757ac49b540a23871a2f081ffa4e7f7 Mon Sep 17 00:00:00 2001
From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com>
Date: Thu, 3 Jul 2025 16:45:39 -0500
Subject: [PATCH] Initial action to synchronize signing secrets to confidential repo (#30561)
## Summary by CodeRabbit * **Chores** * Added a new workflow to simulate syncing selected secrets to another repository in dry-run mode. No actual changes will occur during execution.
---
.github/workflows/secrets-to-confidential.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 .github/workflows/secrets-to-confidential.yml
diff --git a/.github/workflows/secrets-to-confidential.yml b/.github/workflows/secrets-to-confidential.yml
new file mode 100644
index 0000000000..36487f7f9a
--- /dev/null
+++ b/.github/workflows/secrets-to-confidential.yml
@@ -0,0 +1,24 @@
+name: Secret sync to confidential
+on:
+ workflow_dispatch:
+
+# This allows a subsequently queued workflow run to interrupt previous runs
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
+ cancel-in-progress: true
+
+jobs:
+ sync_secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: jpoehnelt/secrets-sync-action@7840777f242539d96b60477b66aa1c179e7644ea # v1.10.0
+ name: Sync secrets to confidential
+ with:
+ SECRETS: |
+ ^DIGICERT_.*
+ ^APPLE_.*
+ REPOSITORIES: |
+ fleetdm/confidential
+ DRY_RUN: true
+ GITHUB_TOKEN: ${{ secrets.SECRETS_GITHUB_PAT }}
+ CONCURRENCY: 10
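Review bot: The `REPOSITORIES` entry `fleetdm/confidential` is unanchored while the `SECRETS` entries are written as anchored patterns; if the action matches repository names as regular expressions too (worth confirming against its README), any repository visible to the PAT whose full name contains that string would also receive the signing secrets once `DRY_RUN` is turned off, so `^fleetdm/confidential$` is the safer form. The concurrency group falls back to `github.run_id` on `workflow_dispatch`, where `github.head_ref` is empty, so every run lands in its own group and the comment about interrupting previous runs does not hold; for a job that writes secrets, a fixed group such as `group: ${{ github.workflow }}` with `cancel-in-progress: false` serialises runs instead of risking a sync cancelled halfway. The workflow also declares no `permissions:`, so the automatic workflow token keeps the repository's default scopes even though the step only uses the PAT; a top-level `permissions: {}` would drop them.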