PatrickJS
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 198 additions & 9 deletions b/‎.github/workflows/main.yml‎
Lines changed: 198 additions & 9 deletions
diff --git a/‎package.json‎
Lines changed: 6 additions & 1 deletion b/‎package.json‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎scripts/check-issue-template-policy.mjs‎
Lines changed: 12 additions & 0 deletions b/‎scripts/check-issue-template-policy.mjs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎scripts/check-readme-hygiene.mjs‎
Lines changed: 12 additions & 0 deletions b/‎scripts/check-readme-hygiene.mjs‎
Lines changed: 12 additions & 0 deletions
@@ -1,4 +1,4 @@
-name: Repo Hygiene
+name: Repo Checks
 
 on:
   pull_request_target:
@@ -13,16 +13,15 @@ permissions:
   contents: read
 
 jobs:
-  repo-hygiene:
+  pull-request-trust:
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
+    if: github.event_name == 'pull_request_target'
     steps:
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
 
       - name: Checkout trusted base checks
-        if: github.event_name == 'pull_request_target'
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ github.event.pull_request.base.ref }}
@@ -31,7 +30,6 @@ jobs:
           persist-credentials: false
 
       - name: Check PR author account age
-        if: github.event_name == 'pull_request_target'
         env:
           GITHUB_TOKEN: ${{ github.token }}
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
@@ -43,6 +41,23 @@ jobs:
             --minimum-age-days "$PR_AUTHOR_MINIMUM_AGE_DAYS" \
             --allowlist "$PR_AUTHOR_AGE_ALLOWLIST"
 
+  readme-hygiene:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
+    steps:
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Checkout trusted base checks
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: .trusted-base
+          fetch-depth: 0
+          persist-credentials: false
+
       - name: Checkout pull request content
         if: github.event_name == 'pull_request_target'
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -66,9 +81,9 @@ jobs:
           git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
           git -C pr diff --unified=0 "$base"...HEAD -- README.md > pr/.readme.diff || true
 
-      - name: Run trusted repo hygiene checks
+      - name: Run trusted README hygiene checks
         if: github.event_name == 'pull_request_target'
-        run: node .trusted-base/scripts/check-repo-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff
+        run: node .trusted-base/scripts/check-readme-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files --diff-file .readme.diff
 
       - name: Checkout push content
         if: github.event_name == 'push'
@@ -90,9 +105,183 @@ jobs:
           git diff --name-only "$base"...HEAD > .changed-files
           git diff --unified=0 "$base"...HEAD -- README.md > .readme.diff || true
 
-      - name: Run repo hygiene checks
+      - name: Run README hygiene checks
+        if: github.event_name == 'push'
+        run: node scripts/check-readme-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff
+
+  rule-hygiene:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
+    steps:
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Checkout trusted base checks
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: .trusted-base
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Checkout pull request content
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Determine pull request changed files
+        if: github.event_name == 'pull_request_target'
+        shell: bash
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
+          git -C pr fetch --no-tags trusted-base "$BASE_REF"
+          base="$(git -C pr rev-parse FETCH_HEAD)"
+
+          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
+
+      - name: Run trusted rule hygiene checks
+        if: github.event_name == 'pull_request_target'
+        run: node .trusted-base/scripts/check-rule-hygiene.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files
+
+      - name: Checkout push content
+        if: github.event_name == 'push'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Determine push changed files
+        if: github.event_name == 'push'
+        shell: bash
+        run: |
+          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
+            base="${{ github.event.before }}"
+          else
+            base="$(git rev-list --max-parents=0 HEAD)"
+          fi
+
+          git diff --name-only "$base"...HEAD > .changed-files
+
+      - name: Run rule hygiene checks
+        if: github.event_name == 'push'
+        run: node scripts/check-rule-hygiene.mjs --changed-files .changed-files
+
+  issue-template-policy:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
+    steps:
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Checkout trusted base checks
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: .trusted-base
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Checkout pull request content
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run trusted issue template policy checks
+        if: github.event_name == 'pull_request_target'
+        run: node .trusted-base/scripts/check-issue-template-policy.mjs --root "$GITHUB_WORKSPACE/pr"
+
+      - name: Checkout push content
+        if: github.event_name == 'push'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run issue template policy checks
+        if: github.event_name == 'push'
+        run: node scripts/check-issue-template-policy.mjs
+
+  repo-security:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target' || github.event_name == 'push'
+    steps:
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Checkout trusted base checks
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: ${{ github.event.pull_request.base.ref }}
+          path: .trusted-base
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Checkout pull request content
+        if: github.event_name == 'pull_request_target'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Determine pull request changed files
+        if: github.event_name == 'pull_request_target'
+        shell: bash
+        env:
+          BASE_REF: ${{ github.event.pull_request.base.ref }}
+        run: |
+          git -C pr remote add trusted-base "$GITHUB_SERVER_URL/${{ github.repository }}.git"
+          git -C pr fetch --no-tags trusted-base "$BASE_REF"
+          base="$(git -C pr rev-parse FETCH_HEAD)"
+
+          git -C pr diff --name-only "$base"...HEAD > pr/.changed-files
+
+      - name: Run trusted repo security checks
+        if: github.event_name == 'pull_request_target'
+        run: node .trusted-base/scripts/check-repo-security.mjs --root "$GITHUB_WORKSPACE/pr" --changed-files .changed-files
+
+      - name: Checkout push content
+        if: github.event_name == 'push'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Determine push changed files
+        if: github.event_name == 'push'
+        shell: bash
+        run: |
+          if [[ -n "${{ github.event.before }}" && "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
+            base="${{ github.event.before }}"
+          else
+            base="$(git rev-list --max-parents=0 HEAD)"
+          fi
+
+          git diff --name-only "$base"...HEAD > .changed-files
+
+      - name: Run repo security checks
         if: github.event_name == 'push'
-        run: node scripts/check-repo-hygiene.mjs --changed-files .changed-files --diff-file .readme.diff
+        run: node scripts/check-repo-security.mjs --changed-files .changed-files
 
   awesome-lint:
     name: awesome-lint
 
@@ -7,7 +7,12 @@
     "check:awesome-list:upstream": "pnpm dlx awesome-lint",
     "test": "node --test scripts/*.test.mjs",
     "check:awesome-list": "node scripts/check-awesome-list.mjs",
-    "check:prompt-safety": "node scripts/check-repo-hygiene.mjs",
+    "check:repo-hygiene": "node scripts/check-repo-hygiene.mjs",
+    "check:readme-hygiene": "node scripts/check-readme-hygiene.mjs",
+    "check:rule-hygiene": "node scripts/check-rule-hygiene.mjs",
+    "check:issue-template-policy": "node scripts/check-issue-template-policy.mjs",
+    "check:repo-security": "node scripts/check-repo-security.mjs",
+    "check:prompt-safety": "node scripts/check-repo-security.mjs",
     "links:absolute": "node scripts/convert-readme-links.mjs --to absolute",
     "links:relative": "node scripts/convert-readme-links.mjs --to relative",
     "cleanup:legacy": "node scripts/cleanup-legacy-artifacts.mjs"
 
@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "node:child_process";
+
+const scriptPath = new URL("./check-repo-hygiene.mjs", import.meta.url).pathname;
+const result = spawnSync(
+  process.execPath,
+  [scriptPath, "--only", "issues", ...process.argv.slice(2)],
+  { stdio: "inherit" },
+);
+
+process.exit(result.status ?? 1);
@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "node:child_process";
+
+const scriptPath = new URL("./check-repo-hygiene.mjs", import.meta.url).pathname;
+const result = spawnSync(
+  process.execPath,
+  [scriptPath, "--only", "readme", ...process.argv.slice(2)],
+  { stdio: "inherit" },
+);
+
+process.exit(result.status ?? 1);