AZ-First · tbowers7 · Dec 29, 2025 · Nov 10, 2025 · Nov 10, 2025 · Dec 1, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,6 +10,7 @@ updates:
   - package-ecosystem: "github-actions"
     # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
     directory: "/"
+    target-branch: "admin"
     labels:
       - "github_actions"
     schedule:
@@ -19,6 +20,7 @@ updates:
   - package-ecosystem: "gradle"
     directory: "/" # Location of package manifests
     registries: "*"
+    target-branch: "admin"
     labels:
       - "gradle dependencies"
     schedule:

diff --git a/.github/workflows/admin-orchestrator.yaml b/.github/workflows/admin-orchestrator.yaml
@@ -0,0 +1,101 @@
+name: Admin branch orchestration
+
+on:
+  create:
+
+  push:
+    branches:
+      - "main"
+
+  schedule:
+    - cron: "0 3 * * 1"   # Weekly, Monday 03:00 UTC
+
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - admin
+  pull_request_review:
+    types:
+      - submitted
+  check_suite:
+    types:
+      - completed
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  admin-orchestrator:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # ------------------------------------------------------------
+      # Detect default branch
+      # ------------------------------------------------------------
+      - name: Detect default branch
+        id: default
+        run: |
+          DEFAULT_BRANCH=$(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
+          echo "branch=$DEFAULT_BRANCH" >> "$GITHUB_OUTPUT"
+
+      # ------------------------------------------------------------
+      # Ensure admin branch exists
+      # ------------------------------------------------------------
+      - name: Ensure admin branch exists
+        run: |
+          if git show-ref --verify --quiet refs/remotes/origin/admin; then
+            echo "admin branch already exists"
+          else
+            git checkout "${{ steps.default.outputs.branch }}"
+            git checkout -b admin
+            git push origin admin
+          fi
+
+      # ------------------------------------------------------------
+      # Periodically rebase admin onto default (true rebase)
+      # ------------------------------------------------------------
+      - name: Rebase admin onto default
+        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+        run: |
+          set -e
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git fetch origin
+          git checkout admin
+
+          # Rebase admin commits on top of default branch
+          git rebase origin/${{ steps.default.outputs.branch }}
+
+          # Push updated admin branch
+          git push --force-with-lease origin admin
+
+      # ------------------------------------------------------------
+      # Guardrail: warn if non-Dependabot PR targets admin
+      # (no hard failure without branch protection)
+      # ------------------------------------------------------------
+      - name: Warn on non-Dependabot PRs
+        if: github.event_name == 'pull_request'
+        run: |
+          if [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
+            echo "::warning::PR to admin opened by non-Dependabot actor"
+          fi
+
+      # ------------------------------------------------------------
+      # Auto-merge Dependabot PRs
+      # ------------------------------------------------------------
+      - name: Auto-merge Dependabot PR
+        if: |
+          github.event_name == 'pull_request' &&
+          github.event.pull_request.user.login == 'dependabot[bot]'
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,51 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  # ------------------------------------------------------------
+  # Main build job
+  # ------------------------------------------------------------
+  build:
+    runs-on: ubuntu-latest
+    container: wpilib/roborio-cross-ubuntu:2024-22.04
+    if: ${{ github.event_name != 'pull_request' || github.event.pull_request == null }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Mark repo as safe for git
+        run: git config --global --add safe.directory $GITHUB_WORKSPACE
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Set up Gradle cache
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Build robot code
+        run: ./gradlew build --no-daemon --parallel --build-cache
+
+  # ------------------------------------------------------------
+  # Spotless job (separate for branch protection)
+  # ------------------------------------------------------------
+  spotless:
+    runs-on: ubuntu-latest
+    container: wpilib/roborio-cross-ubuntu:2024-22.04
+    # Only run for PRs or pushes targeting main/develop
+    if: github.base_ref == 'main' || github.base_ref == 'develop' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Grant execute permission for gradlew
+        run: chmod +x gradlew
+
+      - name: Set up Gradle cache
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Run Spotless check
+        run: ./gradlew spotlessCheck --no-daemon --parallel --build-cache
diff --git a/.github/workflows/create-dependabot-labels.yaml b/.github/workflows/create-dependabot-labels.yaml
@@ -0,0 +1,47 @@
+name: "Ensure Dependabot Labels Exist"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '.github/dependabot.yml'
+  workflow_dispatch:
+
+jobs:
+  create-labels:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write  # Needed to create labels via API
+    steps:
+      - name: Create labels for Dependabot PRs
+        uses: actions/github-script@v8
+        with:
+          script: |
+            const labels = [
+              { name: "github_actions", color: "BFFFD1", description: "Updates to GitHub Actions workflows" },
+              { name: "gradle dependencies", color: "02303A", description: "Gradle dependency updates" },
+            ];
+
+            for (const label of labels) {
+              try {
+                await github.rest.issues.getLabel({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  name: label.name,
+                });
+                core.info(`✅ Label '${label.name}' already exists.`);
+              } catch (error) {
+                if (error.status === 404) {
+                  await github.rest.issues.createLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    name: label.name,
+                    color: label.color,
+                    description: label.description,
+                  });
+                  core.info(`🎨 Created label '${label.name}'.`);
+                } else {
+                  throw error;
+                }
+              }
+            }
diff --git a/.github/workflows/dependency-submission.yml b/.github/workflows/dependency-submission.yml
@@ -1,5 +1,9 @@
 name: Dependency Submission
 
+# Purpose: Generate and submit Gradle dependency metadata (graph) to Gradle’s services.
+# Trigger: Push to main branch only.
+# Effect: Helps with dependency insight, conflict detection, and build analytics.
+
 on:
   push:
     branches: [ 'main' ]
@@ -12,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout sources
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
     - name: Setup Java
       uses: actions/setup-java@v5
       with:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
diff --git a/...hub/workflows/record_template_origin.yaml → ...hub/workflows/record-template-origin.yaml b/...hub/workflows/record_template_origin.yaml → ...hub/workflows/record-template-origin.yaml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -64,9 +64,14 @@ jobs:
 
       - name: Record template origin file
         run: |
-          echo "Template: ${{ steps.template.outputs.template_repo }}" > TEMPLATE_ORIGIN.txt
-          echo "Template Branch: ${{ steps.template.outputs.template_branch }}" >> TEMPLATE_ORIGIN.txt
-          echo "Template Commit: ${{ steps.template.outputs.template_commit }}" >> TEMPLATE_ORIGIN.txt
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          {
+            echo "Template: ${{ steps.template.outputs.template_repo }}"
+            echo "Template Branch: ${{ steps.template.outputs.template_branch }}"
+            echo "Template Commit: ${{ steps.template.outputs.template_commit }}"
+            echo "Recorded At (UTC): $timestamp"
+          } > TEMPLATE_ORIGIN.txt
+
           echo "Recorded template origin:"
           cat TEMPLATE_ORIGIN.txt