🌱 Sync workflows from kubestellar/infra

[clubanderson]

This PR syncs the caller workflows from kubestellar/infra.

These workflows call reusable workflows from kubestellar/infra:

Standard Workflows:

• add-help-wanted.yml - Add help-wanted label to issues
• assignment-helper.yml - Handle issue assignments
• feedback.yml - Collect feedback
• greetings.yml - Welcome new contributors
• label-helper.yml - Manage labels
• pr-verifier.yml - Verify PR contents
• pr-verify-title.yml - Verify PR title format
• scorecard.yml - Security scorecard
• stale.yml - Mark stale issues/PRs

Agentic Workflows (Copilot Integration):

• ai-fix.yml - Assign Copilot to issues with ai-fix-requested label
• copilot-automation.yml - Automate Copilot PR processing (DCO, labels)
• copilot-dco.yml - Override DCO for Copilot PRs

Auto-generated by workflow sync

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mikespreitzer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubestellar-prow]

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

• b07264c 🌱 Sync workflows from kubestellar/infra

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[netlify]

✅ Deploy Preview for kubestellarconsole ready!

Name	Link
🔨 Latest commit	b07264c
🔍 Latest deploy log	https://app.netlify.com/projects/kubestellarconsole/deploys/6a2e023b6b7877000808d21f
😎 Deploy Preview	https://deploy-preview-18391.console-deploy-preview.kubestellar.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

👋 Hey @clubanderson — thanks for opening this PR!

🤖 This project is developed exclusively using AI coding assistants.

Please do not attempt to code anything for this project manually.
All contributions should be authored using an AI coding tool such as:

• Claude Code (Opus 4.5 / 4.6) — recommended
• GitHub Copilot
• Cursor
• Other AI coding assistants

This ensures consistency in code style, architecture patterns, test coverage,
and commit quality across the entire codebase.

---

This is an automated message.

[github-actions]

🐝 Hi @clubanderson! I'm kubestellar-hive[bot], an automation bot for this repo.

Trusted users — org members and contributors with write access — can mention @kubestellar-hive in a comment to trigger repo automation.
On issues, that mention queues an automated fix attempt. On pull requests, it records extra context for existing automation.
This is not an interactive Q&A bot, so mentions should be treated as requests for automation rather than a conversation.

Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies.

[Copilot]

Pull request overview

This PR syncs several GitHub Actions “caller” workflows in this repo to invoke reusable workflows hosted in kubestellar/infra, updating permissions and invocation details to match upstream.

Changes:

• Updated multiple workflows to call kubestellar/infra reusable workflows using uses: ...@main.
• Moved/scoped permissions blocks to workflow-level in several files.
• Added secrets: inherit for several reusable-workflow calls.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 18 comments.

Show a summary per file

File	Description
.github/workflows/stale.yml	Updates caller permissions and switches reusable workflow reference to @main with secrets inheritance.
.github/workflows/scorecard.yml	Sets explicit workflow permissions and switches reusable workflow reference to @main with secrets inheritance.
.github/workflows/label-helper.yml	Moves permissions to workflow scope and switches reusable workflow reference to @main with secrets inheritance.
.github/workflows/greetings.yml	Adds contents: read, switches to @main, and inherits secrets for a pull_request_target caller.
.github/workflows/feedback.yml	Switches reusable workflow reference to @main and inherits secrets.
.github/workflows/copilot-dco.yml	Switches reusable workflow reference to @main and removes explicit permissions block.
.github/workflows/copilot-automation.yml	Expands workflow-level permissions and switches reusable workflow reference to @main for a pull_request_target caller.
.github/workflows/assignment-helper.yml	Switches reusable workflow reference to @main and adjusts permissions.
.github/workflows/ai-fix.yml	Consolidates to a single job calling @main and adjusts permissions for a pull_request_target caller.
.github/workflows/add-help-wanted.yml	Switches reusable workflow reference to @main with secrets inheritance and adjusts permissions.

Comments suppressed due to low confidence (2)

.github/workflows/copilot-automation.yml:30

• This workflow runs on pull_request_target and performs privileged automation; it should not run unconditionally on forked PRs. Add the same fork guard used elsewhere (e.g., .github/workflows/pr-verifier.yml:11) so the job only runs for PRs from this repository.

  copilot-automation:
    uses: kubestellar/infra/.github/workflows/reusable-copilot-automation.yml@main
    with:
      pr_number: ${{ github.event.inputs.pr_number || '' }}
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ai-fix.yml:27

• This workflow runs on pull_request_target with write permissions. It should not run unconditionally on forked PRs; add a fork guard so the job only runs when the PR head repo is the same as the base repo.

jobs:
  ai-fix:
    uses: kubestellar/infra/.github/workflows/reusable-ai-fix.yml@main
    with:
      issue_number: ${{ github.event.inputs.issue_number || '' }}
    secrets:
      token: ${{ secrets.GITHUB_TOKEN }}