This repository contains a GitHub Actions workflow that mirrors branches and tags from the repository where it runs to a target repository, including repositories owned by another GitHub Enterprise account.
Add .github/workflows/sync-repository.yml to the source repository, then configure these source repository settings:
| Name | Type | Required | Description |
|---|---|---|---|
SYNC_TARGET_TOKEN |
Secret | Yes | Fine-grained PAT, GitHub App token, or classic PAT that can write contents to the target repository. For cross-enterprise sync, create this credential in the target enterprise context and store it as a secret in the source repository. |
SYNC_TARGET_REPOSITORY |
Variable | Yes for scheduled runs | Target repository in OWNER/REPO format. Manual runs can provide this as an input instead. |
SYNC_TARGET_HOST |
Variable | No | Target host, such as github.com or github.example.com. Defaults to github.com. |
SYNC_REFSPEC |
Variable | No | Git refspecs to sync. Defaults to all branches and tags. |
SYNC_DRY_RUN |
Variable | No | Set to true to preview scheduled runs without pushing. Defaults to false. |
The workflow runs whenever a source branch or tag is pushed, whenever a source branch or tag is deleted, hourly on a schedule, and manually with workflow_dispatch. It fetches all source branches and tags, then pushes them to the target repository with --prune, so refs removed from the source are also removed from the target.
The default refspec is:
+refs/heads/*:refs/heads/* +refs/tags/*:refs/tags/*
Use a narrower refspec if you only want to sync selected branches or tags, for example:
+refs/heads/main:refs/heads/main +refs/tags/*:refs/tags/*
- The target repository must already exist.
- Branch protection, rulesets, secret scanning, and enterprise policies can reject pushes; adjust the target repository policy or token permissions accordingly.
- The workflow uses HTTPS token authentication so it works across enterprises without shared deploy keys.