From 71448c1f7f2a5c9cf09f41dbd5eeed2c1255bee5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20=22Pisco=22=20Fernandes?=
 <joaocarlos@cloudflare.com>
Date: Mon, 22 Sep 2025 15:44:50 +0100
Subject: [PATCH] TUN-9800: Add pipeline to sync between gitlab and github
 repos

---
 .ci/github.gitlab-ci.yml   | 17 +++++++++++++++++
 .ci/scripts/github-push.sh | 31 +++++++++++++++++++++++++++++++
 .gitlab-ci.yml             |  7 ++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 .ci/github.gitlab-ci.yml
 create mode 100755 .ci/scripts/github-push.sh

diff --git a/.ci/github.gitlab-ci.yml b/.ci/github.gitlab-ci.yml
new file mode 100644
index 00000000..bf63b020
--- /dev/null
+++ b/.ci/github.gitlab-ci.yml
@@ -0,0 +1,17 @@
+include:
+  - local: .ci/commons.gitlab-ci.yml
+
+######################################
+### Sync master branch with Github ###
+######################################
+push-github:
+  stage: sync
+  rules:
+    - !reference [.default-rules, run-on-master]
+  script:
+    - ./.ci/scripts/github-push.sh
+  secrets:
+    CLOUDFLARED_DEPLOY_SSH_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
+      file: false
+  cache: {}
diff --git a/.ci/scripts/github-push.sh b/.ci/scripts/github-push.sh
new file mode 100755
index 00000000..b9859e12
--- /dev/null
+++ b/.ci/scripts/github-push.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e -o pipefail
+
+BRANCH="master"
+TMP_PATH="$PWD/tmp"
+PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
+PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
+
+mkdir -p $TMP_PATH
+
+# Setup Private Key
+echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
+chmod 400 $PRIVATE_KEY_PATH
+
+# Download GitHub Public Key for KnownHostsFile
+ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
+
+# Setup git ssh command with the right configurations
+export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
+
+# Add GitHub as a new remote
+git remote add github git@github.com:cloudflare/cloudflared.git || true
+
+# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
+# Therefore, we need to manually fetch the reference to then push it to GitHub.
+git fetch origin $BRANCH:$BRANCH
+git push -u github $BRANCH
+
+if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
+  git push -u github "$TAG"
+fi
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 09826a2c..c9673553 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,7 +7,7 @@ default:
     VAULT_ID_TOKEN:
       aud: https://vault.cfdata.org
 
-stages: [pre-build, build, validate, test, package, release]
+stages: [sync, pre-build, build, validate, test, package, release]
 
 include:
   #####################################################
@@ -15,6 +15,11 @@ include:
   #####################################################
   - local: .ci/commons.gitlab-ci.yml
 
+  #####################################################
+  ########### Sync Repository with Github #############
+  #####################################################
+  - local: .ci/github.gitlab-ci.yml
+
   #####################################################
   ############# Build or Fetch CI Image ###############
   #####################################################