ci: add sync-skills workflow

[ko3n1g]

Summary

Replaces the self-contained sync-skills.yml workflow with a thin workflow_call wrapper that delegates to the shared reusable workflow in NVIDIA-NeMo/FW-CI-templates.

Background

There is no common standard for markdown file discovery across agent frameworks — each tool looks in a different place. This PR addresses that gap by coupling the generic AGENTS.md / skills/ layout with a sync job that runs on push to main, so every agent runtime finds the files it expects without per-framework duplication. The logic is centralised in FW-CI-templates so all repos pick up improvements automatically.

What the delegated workflow does

NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml (called via workflow_call):

• Checks out the repo using the provided PAT secret
• Symlinks skills/ → .claude/skills and .agents/skills
• Symlinks AGENTS.md → CLAUDE.md
• Commits and pushes any resulting changes back to the branch

Example

jobs:
  sync:
    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@main
    secrets:
      PAT: ${{ secrets.PAT }}

[coderabbitai]

📝 Walkthrough

Walkthrough

The .github/workflows/sync-skills.yml workflow is refactored from inline implementation with explicit checkout, filesystem operations, and conditional git commits to a single reusable workflow invocation. The PAT secret wiring is updated to pass credentials to the reusable workflow instead of directly to checkout.

Changes

Cohort / File(s)	Summary
Workflow Refactoring .github/workflows/sync-skills.yml	Replaced inline sync job steps with reusable workflow invocation NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@main. Updated PAT secret handling to flow through reusable workflow instead of inline checkout action.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci: sync skills/ → .claude/skills/ on push to main #3321: Implements the original inline sync-skills workflow logic that is now being consolidated into a reusable workflow call by this PR.

Suggested reviewers

• yaoyu-33

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title 'ci: add sync-skills workflow' is misleading; the PR actually refactors an existing workflow to use a reusable one, not adding a new workflow from scratch.	Revise the title to reflect the actual change, such as 'ci: refactor sync-skills to use shared workflow' or 'ci: delegate sync-skills to reusable workflow'.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Test Results For Major Changes	✅ Passed	PR contains minor CI/CD infrastructure changes refactoring workflow logic to use shared templates, with no impact to core library functionality, numerics, or performance.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ko3n1g/ci/sync-skills

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/sync-skills.yml (1)

27-29: Consider pinning to a commit SHA instead of @main for improved supply-chain security.

The reusable workflow is referenced by branch (@main), which means any change pushed to the template repository's main branch will automatically affect this workflow. Since a PAT secret is passed, a compromised or malicious update to the template could exfiltrate credentials.

Pinning to a specific commit SHA (e.g., @63ee9e3b...) provides an auditable, immutable reference. You can still update periodically by bumping the SHA when template changes are reviewed.

🔒 Example with SHA pinning

 jobs:
   sync:
-    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@main
+    uses: NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@63ee9e3b9fc4ca02af1bd75d3126e526b2a77a24
     secrets:
       PAT: ${{ secrets.PAT }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/sync-skills.yml around lines 27 - 29, The workflow
currently pins the reusable workflow to a branch (`uses:
NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@main`), which is
risky; update the `uses` reference to a specific commit SHA (e.g., replace
`@main` with `@<commit-sha>`) so the reusable workflow is immutably pinned, then
periodically bump that SHA after reviewing changes; ensure the `uses` line in
the file remains the single place updated and keep the `secrets: PAT` mapping
unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/sync-skills.yml:
- Around line 27-29: The workflow currently pins the reusable workflow to a
branch (`uses:
NVIDIA-NeMo/FW-CI-templates/.github/workflows/_sync_skills.yml@main`), which is
risky; update the `uses` reference to a specific commit SHA (e.g., replace
`@main` with `@<commit-sha>`) so the reusable workflow is immutably pinned, then
periodically bump that SHA after reviewing changes; ensure the `uses` line in
the file remains the single place updated and keep the `secrets: PAT` mapping
unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 150eab27-2727-40e4-825e-82dfd2a69572

📥 Commits

Reviewing files that changed from the base of the PR and between cea8be7 and eac00af.

📒 Files selected for processing (1)

• .github/workflows/sync-skills.yml