ci(repo-hygiene): run trusted checks on prs

Author: PatrickJS

.github/workflows/main.yml

@@ -1,6 +1,9 @@
 name: Repo Hygiene
 
 on:
+  pull_request_target:
+    branches: [main]
+    types: [opened, synchronize, reopened]
   pull_request:
     branches: [main]
   push:
@@ -12,66 +15,73 @@ permissions:
 jobs:
   repo-hygiene:
     runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
     steps:
-      - name: Check PR author account age
-        if: github.event_name == 'pull_request'
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
-        env:
-          PR_AUTHOR_MINIMUM_AGE_DAYS: ${{ vars.PR_AUTHOR_MINIMUM_AGE_DAYS || '30' }}
-          PR_AUTHOR_AGE_ALLOWLIST: ${{ vars.PR_AUTHOR_AGE_ALLOWLIST }}
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
-          script: |
-            const username = context.payload.pull_request.user.login;
-            const allowlist = (process.env.PR_AUTHOR_AGE_ALLOWLIST || "PatrickJS,dependabot[bot],Copilot")
-              .split(",")
-              .map((entry) => entry.trim().toLowerCase())
-              .filter(Boolean);
-
-            if (allowlist.includes(username.toLowerCase())) {
-              core.info(`PR author account age check passed: ${username} is allowlisted.`);
-              return;
-            }
-
-            const minimumAgeDays = Number.parseInt(process.env.PR_AUTHOR_MINIMUM_AGE_DAYS, 10);
-            if (!Number.isInteger(minimumAgeDays) || minimumAgeDays < 0) {
-              core.setFailed(`Invalid PR_AUTHOR_MINIMUM_AGE_DAYS: ${process.env.PR_AUTHOR_MINIMUM_AGE_DAYS}`);
-              return;
-            }
-
-            const { data: user } = await github.rest.users.getByUsername({ username });
-            const createdTime = Date.parse(user.created_at);
-            const ageDays = Math.floor((Date.now() - createdTime) / 86400000);
-
-            if (ageDays < minimumAgeDays) {
-              core.setFailed(
-                `PR author account is too new: ${username} is ${ageDays} day(s) old; minimum is ${minimumAgeDays} day(s).`,
-              );
-              return;
-            }
-
-            core.info(
-              `PR author account age check passed: ${username} is ${ageDays} day(s) old; minimum is ${minimumAgeDays} day(s).`,
-            );
+          node-version: 20
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Checkout trusted base checks
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: .trusted-base
           fetch-depth: 0
+          persist-credentials: false
 
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      - name: Check PR author account age
+        if: github.event_name == 'pull_request_target'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_AUTHOR_MINIMUM_AGE_DAYS: ${{ vars.PR_AUTHOR_MINIMUM_AGE_DAYS || '30' }}
+          PR_AUTHOR_AGE_ALLOWLIST: ${{ vars.PR_AUTHOR_AGE_ALLOWLIST || 'PatrickJS,dependabot[bot],Copilot' }}
+        run: |
+          node .trusted-base/scripts/check-pr-author.mjs \
+            --username "$PR_AUTHOR" \
+            --minimum-age-days "$PR_AUTHOR_MINIMUM_AGE_DAYS" \
+            --allowlist "$PR_AUTHOR_AGE_ALLOWLIST"
+
+      - name: Checkout pull request content
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
-          node-version: 20
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          fetch-depth: 0
+          persist-credentials: false
 
-      - name: Enable pnpm
+      - name: Determine pull request changed files
+        if: github.event_name == 'pull_request_target'
+        shell: bash
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          corepack enable
-          corepack prepare pnpm@10.20.0 --activate
+          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
+          git -C pr fetch --no-tags trusted-base "$BASE_REF"
+          base="$(git -C pr rev-parse FETCH_HEAD)"
+
+          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
+          git -C pr diff --unified=0 "$base"...HEAD -- README.md > pr/.readme.diff || true
+
+      - name: Run trusted repo hygiene checks
+        if: github.event_name == 'pull_request_target'
+        run: node .trusted-base/scripts/check-repo-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff
 
-      - name: Determine changed files
+      - name: Checkout push content
+        if: github.event_name == 'push'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Determine push changed files
+        if: github.event_name == 'push'
         shell: bash
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            base="${{ github.event.pull_request.base.sha }}"
-          elif [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
+          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
             base="${{ github.event.before }}"
           else
             base="$(git rev-list --max-parents=0 HEAD)"
@@ -80,25 +90,14 @@ jobs:
           git diff --name-only "$base"...HEAD > .changed-files
           git diff --unified=0 "$base"...HEAD -- README.md > .readme.diff || true
 
-      - name: Checkout trusted base checks
-        if: github.event_name == 'pull_request'
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          path: .trusted-base
-          fetch-depth: 1
-
-      - name: Run trusted repo hygiene checks
-        if: github.event_name == 'pull_request'
-        run: node .trusted-base/scripts/check-repo-hygiene.mjs --root "$GITHUB_WORKSPACE" --changed-files .changed-files --diff-file .readme.diff
-
       - name: Run repo hygiene checks
-        if: github.event_name != 'pull_request'
+        if: github.event_name == 'push'
         run: node scripts/check-repo-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff
 
   awesome-lint:
     name: awesome-lint
     runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request_target'
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:

.gitignore

@@ -1,3 +1,4 @@
 .idea
 awesome-claude-code
 node_modules/
+/docs/goals

scripts/check-pr-author.mjs

@@ -27,7 +27,11 @@ try {
 
   if (ageDays < minimumAgeDays) {
     fail(
-      `PR author account is too new: ${username} is ${ageDays} day(s) old; minimum is ${minimumAgeDays} day(s).`,
+      [
+        `PR author account is too new: ${username} is ${ageDays} day(s) old; minimum is ${minimumAgeDays} day(s).`,
+        "This repo trust policy blocks very fresh GitHub accounts because they are higher risk for spam, prompt-injection, promotional, and other abuse risk.",
+        "Maintainers can allow trusted exceptions with PR_AUTHOR_AGE_ALLOWLIST.",
+      ].join(" "),
     );
   }
 

scripts/check-pr-author.test.mjs

@@ -42,6 +42,22 @@ test("blocks authors whose accounts are newer than the minimum age", () => {
   assert.match(result.stderr, /PR author account is too new/);
   assert.match(result.stderr, /new-contributor/);
   assert.match(result.stderr, /8 day/);
+  assert.match(result.stderr, /repo trust policy/);
+  assert.match(result.stderr, /spam, prompt-injection, promotional, and other abuse risk/);
+});
+
+test("passes authors exactly at the minimum account age", () => {
+  const result = run([
+    "--username",
+    "boundary-contributor",
+    "--created-at",
+    "2026-04-11T12:00:00Z",
+    "--minimum-age-days",
+    "30",
+  ]);
+
+  assert.equal(result.status, 0, result.stderr + result.stdout);
+  assert.match(result.stdout, /boundary-contributor is 30 day\(s\) old/);
 });
 
 test("allows explicitly allowlisted authors even when the account is new", () => {
@@ -94,3 +110,17 @@ test("fails when account creation date is invalid", () => {
   assert.equal(result.status, 1);
   assert.match(result.stderr, /Invalid account creation date/);
 });
+
+test("fails when minimum account age is invalid", () => {
+  const result = run([
+    "--username",
+    "bad-config",
+    "--created-at",
+    "2026-01-01T12:00:00Z",
+    "--minimum-age-days",
+    "not-a-number",
+  ]);
+
+  assert.equal(result.status, 1);
+  assert.match(result.stderr, /Invalid minimum age/);
+});

scripts/workflow-security.test.mjs

@@ -5,25 +5,41 @@ import test from "node:test";
 const workflow = readFileSync(new URL("../.github/workflows/main.yml", import.meta.url), "utf8");
 const codeowners = readFileSync(new URL("../.github/CODEOWNERS", import.meta.url), "utf8");
 const pullRequestTemplate = readFileSync(new URL("../.github/pull_request_template.md", import.meta.url), "utf8");
+const repoHygieneJob = workflow.slice(workflow.indexOf("  repo-hygiene:"), workflow.indexOf("\n  awesome-lint:"));
+const awesomeLintJob = workflow.slice(workflow.indexOf("  awesome-lint:"));
 
 test("repo hygiene workflow grants read-only contents permission", () => {
   assert.match(workflow, /^permissions:\n\s+contents:\s+read\s*$/m);
   assert.doesNotMatch(workflow, /contents:\s*write/);
 });
 
-test("pull request hygiene runs the trusted base copy of the script", () => {
-  assert.match(workflow, /path:\s+\.trusted-base/);
+test("repo hygiene uses a trusted pull_request_target preflight", () => {
   assert.match(
     workflow,
-    /node \.trusted-base\/scripts\/check-repo-hygiene\.mjs --root "\$GITHUB_WORKSPACE" --changed-files \.changed-files --diff-file \.readme\.diff/,
+    /^  pull_request_target:\n\s+branches:\s+\[main\]\n\s+types:\s+\[opened, synchronize, reopened\]$/m,
   );
+  assert.match(repoHygieneJob, /if:\s+github\.event_name == 'pull_request_target' \|\| github\.event_name == 'push'/);
+  assert.match(repoHygieneJob, /path:\s+\.trusted-base/);
+  assert.match(
+    repoHygieneJob,
+    /node \.trusted-base\/scripts\/check-repo-hygiene\.mjs --root "\$GITHUB_WORKSPACE\/pr" --changed-files \.changed-files --diff-file \.readme\.diff/,
+  );
+  assert.doesNotMatch(repoHygieneJob, /github\.event\.pull_request\.base\.sha/);
 });
 
 test("workflow has an explicit awesome-lint job for every pull request", () => {
-  assert.match(workflow, /^  awesome-lint:\n\s+name:\s+awesome-lint\n\s+runs-on:\s+ubuntu-latest$/m);
+  assert.match(awesomeLintJob, /^  awesome-lint:\n\s+name:\s+awesome-lint\n\s+runs-on:\s+ubuntu-latest$/m);
   assert.match(workflow, /^  pull_request:\n\s+branches:\s+\[main\]$/m);
 });
 
+test("repo hygiene does not execute contributor-controlled code", () => {
+  assert.match(repoHygieneJob, /node \.trusted-base\/scripts\/check-pr-author\.mjs/);
+  assert.match(repoHygieneJob, /path:\s+pr/);
+  assert.match(repoHygieneJob, /persist-credentials:\s+false/);
+  assert.doesNotMatch(repoHygieneJob, /\bpnpm\s+(install|dlx|run)\b/);
+  assert.doesNotMatch(repoHygieneJob, /\bcorepack\b/);
+});
+
 test("pull requests run trusted awesome-list checks", () => {
   assert.match(workflow, /node \.trusted-base\/scripts\/check-awesome-list\.mjs --root "\$GITHUB_WORKSPACE"/);
   assert.match(workflow, /pnpm dlx awesome-lint "\$GITHUB_WORKSPACE\/README\.md"/);