diff --git a/.github/workflows/on-delete.yml b/.github/workflows/on-delete.yml
new file mode 100644
index 00000000..5dc97769
--- /dev/null
+++ b/.github/workflows/on-delete.yml
@@ -0,0 +1,34 @@
+name: Cleanup staging branch on delete
+
+on:
+ delete:
+
+env:
+ ROT13_STAGING_OWNER: ${{ secrets.ROT13_STAGING_OWNER }}
+ ROT13_UPSTREAM_OWNER: ${{ secrets.ROT13_UPSTREAM_OWNER }}
+ ROT13_UPSTREAM_BRANCH: ${{ secrets.ROT13_UPSTREAM_BRANCH }}
+
+jobs:
+ Delete-From-Staging:
+ name: Delete branch from staging
+
+ runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
+
+ permissions:
+ # Read-only access so we don't accidentally try to push to *this* repository.
+ contents: read
+
+ # Only run on the private repository.
+ if: github.event.repository.private
+ steps:
+ - name: Detect configuration.
+ uses: The-OpenROAD-Project/actions/auto_config@main
+
+ - name: Delete branch from staging repository.
+ uses: The-OpenROAD-Project/actions/delete_from@main
+ continue-on-error: true
+ with:
+ owner: ${{ env.STAGING_OWNER }}
+ repo: ${{ env.STAGING_REPO }}
+ branch: ${{ env.STAGING_BRANCH }}
+ deployToken: ${{ secrets.STAGING_GITHUB_TOKEN }}
diff --git a/.github/workflows/on-label.yml b/.github/workflows/on-label.yml
new file mode 100644
index 00000000..4e083dac
--- /dev/null
+++ b/.github/workflows/on-label.yml
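Review bot: Both `uses:` steps in on-delete.yml reference `The-OpenROAD-Project/actions/...@main`, a mutable branch, and the second one receives `secrets.STAGING_GITHUB_TOKEN` as `deployToken`, so whatever lands on that branch later runs with the token. Pinning each action to a full commit SHA, e.g. `uses: The-OpenROAD-Project/actions/delete_from@<full-commit-sha>  # main`, keeps the code that sees the secret reviewable. The same applies to every `@main` reference in on-label.yml, on-push.yml and sync-from-upstream.yml, where the staging token and `secrets.DEPLOY_KEY` are passed. Separately, the `delete` event also fires for tags, so adding `github.event.ref_type == 'branch'` to the job `if:` would keep tag deletions away from the step, unless delete_from already filters them (not visible here).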
@@ -0,0 +1,64 @@
+name: Labelled Ready to Sync Public
+
+on:
+ pull_request:
+ types: [labeled]
+
+env:
+ ROT13_STAGING_OWNER: ${{ secrets.ROT13_STAGING_OWNER }}
+ ROT13_UPSTREAM_OWNER: ${{ secrets.ROT13_UPSTREAM_OWNER }}
+ ROT13_UPSTREAM_BRANCH: ${{ secrets.ROT13_UPSTREAM_BRANCH }}
+
+jobs:
+ Push-To-Staging:
+ name: Push to staging
+ runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
+
+ permissions:
+ # Read-only access so we don't accidentally try to push to *this* repository.
+ contents: read
+ # Pull request write access, so we can remove the label.
+ issues: write
+ pull-requests: write
+ # Deployment write access, so we can add the nice deployment info.
+ deployments: write
+
+ # Only run on the private repository.
+ if: github.event.repository.private && github.event.label.name == 'Ready To Sync Public'
+ steps:
+ - name: Detect configuration
+ uses: The-OpenROAD-Project/actions/auto_config@main
+
+ - name: Removing label '${{ github.event.label.name }}'
+ uses: The-OpenROAD-Project/actions/remove_label@main
+ continue-on-error: true
+
+ - name: Clone repository
+ uses: The-OpenROAD-Project/actions/clone_from@main
+ with:
+ branch: ${{ env.PRIVATE_BRANCH }}
+ checkout: true
+
+ - name: Run security scan
+ uses: The-OpenROAD-Project/actions/security_scan_on_push@main
+
+ - name: Push to staging repository.
+ uses: The-OpenROAD-Project/actions/push_to@main
+ with:
+ owner: ${{ env.STAGING_OWNER }}
+ repo: ${{ env.STAGING_REPO }}
+ branch: ${{ env.STAGING_BRANCH }}
+ deployToken: ${{ secrets.STAGING_GITHUB_TOKEN }}
+ force: true
+
+ - id: send_pr
+ name: Create PR if needed.
+ uses: The-OpenROAD-Project/actions/send_pr@main
+ env:
+ STAGING_GITHUB_TOKEN: ${{ secrets.STAGING_GITHUB_TOKEN }}
+
+ - name: Linking to PR using deployment.
+ uses: The-OpenROAD-Project/actions/link_pr@main
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ UPSTREAM_PR: ${{ steps.send_pr.outputs.pr }}
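Review bot: The `Push-To-Staging` job has no `concurrency:` key, yet its push step uses `force: true`, so two label events close together can run in parallel and the slower run overwrites the newer push on the staging branch. sync-from-upstream.yml in this same commit already serializes its job; a job-level `concurrency: push-to-staging-${{ github.event.pull_request.number }}` would do the same here. The `Run security scan` step is the only visible check between the private branch and staging, and nothing documents that its position matters. A comment such as `# Must stay before the push step; a failing scan stops the job.` would help, assuming the action exits non-zero on findings, which this hunk does not show.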
diff --git a/.github/workflows/on-push.yml b/.github/workflows/on-push.yml
new file mode 100644
index 00000000..2452422a
--- /dev/null
+++ b/.github/workflows/on-push.yml
@@ -0,0 +1,16 @@
+name: Scan Code with pre commit trigger
+
+on:
+ push:
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ Security-Scan:
+ runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v6
+ - name: run security_scan_on_push
+ uses: The-OpenROAD-Project/actions/security_scan_on_push@main
diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml
new file mode 100644
index 00000000..cae3fa81
--- /dev/null
+++ b/.github/workflows/sync-from-upstream.yml
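Review bot: The `Security-Scan` job in on-push.yml declares no `permissions:`, unlike the other three workflows in this commit, so its `GITHUB_TOKEN` gets the repository default, which may include write scopes. A checkout plus scan should need only a job-level `permissions:` with `contents: read`. The job also lacks the `github.event.repository.private` guard the other workflows use. If `USE_SELF_HOSTED` is 'true' on a publicly forkable copy of the repository, pull-request code would be checked out and scanned on the self-hosted runner, which should be a deliberate decision rather than a side effect of the shared `runs-on` expression.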
@@ -0,0 +1,46 @@
+name: Automatically sync branch from upstream.
+
+on:
+ schedule:
+ - cron: "*/5 * * * *"
+
+ workflow_dispatch:
+ inputs:
+ force:
+ description: Use GitHub --force push.
+ default:
+
+ repository_dispatch:
+
+
+jobs:
+ Sync-Branch-From-Upstream:
+ name: Automatic sync 'master' from The-OpenROAD-Project/OpenSTA
+ runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
+
+ # Only allow one action to run at a time.
+ concurrency: sync-branch-from-upstream
+
+ # Action needs no permissions, as push is granted via adding a deploy key
+ # with write access to the $DEPLOY_KEY secret.
+ permissions:
+ contents: read
+
+ # Don't run on the upstream repository and only run on the right branch.
+ if: ${{ (github.repository != 'The-OpenROAD-Project/OpenSTA') && endsWith(github.ref, '/master') }}
+
+ steps:
+
+ - uses: The-OpenROAD-Project/actions/upstream_sync@main
+ env:
+ HAS_DEPLOY_KEY: ${{ !!(secrets.DEPLOY_KEY) }}
+ if: ${{ env.HAS_DEPLOY_KEY == 'true' }}
+ with:
+ upstreamRepo: The-OpenROAD-Project/OpenSTA
+ upstreamBranch: master
+ # To always overwrite master branch, set UPSTREAM_SYNC to the exact
+ # string 'always overwrite master branch'.
+ # You can also manually trigger a workflow dispatch with the force
+ # value equal to 'true'.
+ force: ${{ github.event.inputs.force || (secrets.UPSTREAM_SYNC == 'always overwrite master branch') }}
+ deployKey: ${{ secrets.DEPLOY_KEY }}
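Review bot: The `force` dispatch input is declared with a bare `default:` (null) and no `type`, so a manual run can pass any string, and any non-empty value wins the `||` in the `force:` expression before the `UPSTREAM_SYNC` comparison is evaluated. Declaring it with `type: boolean` and `default: false` narrows what reaches a step that holds a write-capable deploy key. How upstream_sync interprets the value is not visible in this hunk, so confirm that only 'true' results in a force push of master. `repository_dispatch:` also has no `types:` filter, so every dispatch event sent to the repository starts a sync; a `types:` list would document which senders are expected.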