[WIP] feat: add sync workflows and initial sync templates

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @radius-project/on-call

.github/dependabot.yml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
+---
+version: 2
+
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - /
+      - workflow-templates
+    schedule:
+      interval: weekly
+    commit-message:
+      prefix: ci
+      include: scope
+    groups:
+      all:
+        patterns: ["*"]

.github/ghalint.yml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/ghalint/main/json-schema/ghalint.json
+---
+excludes:
+  - policy_name: github_app_should_limit_repositories
+    workflow_file_path: .github/workflows/sync.yml
+    job_name: sync
+    step_id: get-token

.github/sync.yml

@@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/raven-actions/repo-files-sync/main/sync.schema.json
+# docs: https://github.com/raven-actions/repo-files-sync?tab=readme-ov-file#advanced-sync-config
+# nunjucks template: https://mozilla.github.io/nunjucks/templating.html
+---
+group:
+  # source: https://github.com/orgs/radius-project/repositories?q=archived%3Afalse+sort%3Aname-asc
+  - repos: |
+      radius-project/.github
+      radius-project/bicep-types-aws
+      radius-project/blog
+      radius-project/community
+      radius-project/dashboard
+      radius-project/design-notes
+      radius-project/docs@edge
+      radius-project/lab
+      radius-project/radius
+      radius-project/recipes
+      radius-project/resource-types-contrib
+      radius-project/roadmap
+      radius-project/samples@edge
+      radius-project/terraform-private-modules
+      radius-project/website
+    files:
+      - source: sync-templates/LICENSE.APACHE20
+        dest: LICENSE
+
+      - source: sync-templates/.gitattributes
+        dest: .gitattributes
+
+      - source: sync-templates/.editorconfig
+        dest: .editorconfig
+
+      - source: sync-templates/.github/CODEOWNERS.njk
+        dest: .github/CODEOWNERS
+        template:
+          maintainers_prefix: "@radius-project/maintainers-"
+          approvers_prefix: "@radius-project/approvers-"
+          oncall: "@radius-project/on-call"
+
+      - source: workflow-templates/dependency-review.yml
+        dest: .github/workflows/dependency-review.yml
+
+  - repos: |
+      radius-project/design-notes
+      radius-project/radius
+    files:
+      - source: sync-templates/.github/instructions/shell.instructions.md
+        dest: .github/instructions/shell.instructions.md

.github/workflows/__dependency-review.yml

@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+# docs:
+# - https://github.com/actions/dependency-review-action
+# - https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-review-action
+---
+name: __dependency-review
+
+on:
+  workflow_call:
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: write
+      checks: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run Dependency Review
+        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+        with:
+          comment-summary-in-pr: always
+          retry-on-snapshot-warnings: true
+          warn-on-openssf-scorecard-level: 4

.github/workflows/sync.yml

@@ -0,0 +1,62 @@
+# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
+---
+name: Sync
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/sync.yml
+      - .github/sync.yml
+      - sync-templates/**
+      - workflow-templates/*.yaml
+      - workflow-templates/*.yml
+
+permissions: {}
+
+concurrency:
+  group: ${{ format('{0}-{1}-{2}-{3}-{4}', github.workflow, github.event_name, github.ref, github.base_ref, github.head_ref) }}
+  cancel-in-progress: true
+
+jobs:
+  sync:
+    name: Sync
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Get App Token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: get-token
+        with:
+          app-id: ${{ secrets.FILES_SYNC_BOT_APP_ID }}
+          private-key: ${{ secrets.FILES_SYNC_BOT_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          permission-metadata: read
+          permission-contents: write
+          permission-pull-requests: write
+          permission-workflows: write
+
+      - name: Get bot details
+        id: bot-details
+        uses: raven-actions/bot-details@ee8966a9ff6e7e42cbfc4a56b4ddb60a9d1b40a6 # v1.2.0
+        with:
+          bot-slug-name: ${{ steps.get-token.outputs.app-slug }}
+          set-env: false
+
+      - name: Run Repo File Sync
+        uses: raven-actions/repo-files-sync@a32d49a3138401b885770be18ee22d31c6faf7fb
+        with:
+          GH_INSTALLATION_TOKEN: ${{ steps.get-token.outputs.token }}
+          CONFIG_PATH: ./.github/sync.yml
+          COMMIT_PREFIX: "chore(sync):"
+          BRANCH_PREFIX: repo-sync
+          GIT_EMAIL: ${{ steps.bot-details.outputs.email }}
+          GIT_USERNAME: ${{ steps.bot-details.outputs.name }}