From 6d92c17d1eeac8ad7dac2d6a696d5c139d467f44 Mon Sep 17 00:00:00 2001 From: Matt Sturgeon Date: Fri, 22 Aug 2025 23:42:58 +0100 Subject: [PATCH 1/3] ci/lint: explicitly define permissions --- .github/workflows/lint.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b2640403b5..00bde87aff 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -9,6 +9,9 @@ on: - "LICENSE" - "flake.lock" +permissions: + contents: read + jobs: treefmt: runs-on: ubuntu-latest From d1a00bff61c92ef4a2b68fa8d239a2247b0c98d2 Mon Sep 17 00:00:00 2001 From: Matt Sturgeon Date: Fri, 22 Aug 2025 23:43:23 +0100 Subject: [PATCH 2/3] ci/lint: explicitly define substituters This means we don't need to rely on `--accept-flake-config`, which could be problematic if we switch from `pull_request` -> `pull_request_target` --- .github/workflows/lint.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 00bde87aff..ab50340116 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -20,5 +20,10 @@ jobs: uses: actions/checkout@v4 - name: Install Nix uses: cachix/install-nix-action@v31 + with: + extra_nix_config: | + extra-substituters = https://nix-community.cachix.org + extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= + - name: Run treefmt check - run: nix build .#checks.x86_64-linux.treefmt --accept-flake-config + run: nix build .#checks.x86_64-linux.treefmt From 2eab9f26fb23b3baba5223d661db8065777730c8 Mon Sep 17 00:00:00 2001 
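Review bot: Removing `--accept-flake-config` only stops a PR's `nixConfig` from injecting substituters; the `nix build .#checks.x86_64-linux.treefmt` step still evaluates and builds whatever `flake.nix` the checkout step fetched, so under the `pull_request_target` trigger the commit message anticipates, a PR author still runs arbitrary code on this runner. Pinning `extra-substituters` together with `extra-trusted-public-keys` in the workflow is the right way to fix cache trust, and I would state the boundary next to it: `# Cache trust is fixed here; PR-supplied nixConfig is ignored (no --accept-flake-config). The build itself still executes PR-controlled Nix code.` The `treefmt` job header and the workflow-level `permissions: contents: read` sit above this hunk.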
From: Matt Sturgeon Date: Mon, 18 Aug 2025 13:27:53 +0100 Subject: [PATCH 3/3] ci: init `pr.yml` and `merge-queue.yml` workflows These workflows will serve as top-level entry points for running GHA jobs against PRs and merge groups in the merge queue. Currently, the only required job is `lint`, which runs treefmt. --- .github/workflows/lint.yml | 15 ++++++----- .github/workflows/merge-queue.yml | 39 ++++++++++++++++++++++++++++ .github/workflows/pr.yml | 43 +++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/merge-queue.yml create mode 100644 .github/workflows/pr.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ab50340116..bd9375ceb9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -1,13 +1,11 @@ name: lint on: - pull_request: - paths-ignore: - - "**.md" - - "**.svg" - - ".gitignore" - - "LICENSE" - - "flake.lock" + workflow_call: + inputs: + ref: + required: true + type: string permissions: contents: read @@ -18,6 +16,9 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + ref: ${{ inputs.ref }} + - name: Install Nix uses: cachix/install-nix-action@v31 with: diff --git a/.github/workflows/merge-queue.yml b/.github/workflows/merge-queue.yml new file mode 100644 index 0000000000..ac7364a147 --- /dev/null +++ b/.github/workflows/merge-queue.yml 
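Review bot: The `paths-ignore` list dropped here is not recreated in the callers, which is the correct outcome — a required status check whose workflow is path-filtered never reports and therefore blocks the merge — but nothing in the file says so and the next maintainer may reinstate the filter. I would add above `workflow_call:`: `# Called from pr.yml / merge-queue.yml. Do not add path filters here or in the callers: a required check that does not run can never report success.` The `treefmt` job that consumes `inputs.ref` continues below this hunk.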
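Review bot: `actions/checkout@v4` with `ref: ${{ inputs.ref }}` keeps its default `persist-credentials: true`, so the job's GITHUB_TOKEN is written into `.git/config` of a tree that, once pr.yml calls this workflow from `pull_request_target`, is PR-controlled and then executed by `nix build`. The token is only `contents: read` in this workflow, but there is no reason to leave it on disk next to untrusted code; add `persist-credentials: false` directly under the `ref:` line. The `treefmt` job's remaining steps run past the end of this hunk.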
@@ -0,0 +1,39 @@ +name: Merge Queue + +on: + merge_group: + +permissions: {} + +jobs: + lint: + uses: ./.github/workflows/lint.yml + with: + ref: ${{ github.event.merge_group.head_sha }} + + # This job posts the "Required Status Checks" to satisfy our ruleset. + required-checks: + # It "needs" all the jobs that should block the Merge Queue. + # Modify this list to add or remove jobs from required status checks. + needs: + - lint + + name: Required checks + runs-on: ubuntu-24.04-arm + permissions: + statuses: write + steps: + - uses: actions/github-script@v7 + with: + script: | + const { serverUrl, repo, runId, payload } = context + await github.rest.repos.createCommitStatus({ + ...repo, + sha: payload.merge_group.head_sha, + target_url: `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`, + // WARNING: + // Do NOT change the context name or it will not match the ruleset. + // This would prevent all PRs from merging. + context: 'PR checks successful', + state: 'success', + }) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml new file mode 100644 index 0000000000..d703630f48 --- /dev/null +++ b/.github/workflows/pr.yml 
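Review bot: The workflow sets `permissions: {}` and the `lint` job adds nothing, yet the reusable `lint.yml` it calls declares `permissions: contents: read`; a called workflow can only downgrade what the caller grants, so if I am reading the inheritance rules correctly the run is rejected with an "is requesting contents: read, but is only allowed none" error before checkout — please verify against an actual merge-group run. Granting it at the call site keeps `required-checks` as the only job with write access: under `lint:` add `permissions:` / `contents: read` above `uses: ./.github/workflows/lint.yml`. Separately, `required-checks` has no `if:` and so posts no status when `lint` fails; that still blocks the merge, but the queue entry then waits for its timeout instead of failing fast, which deserves a comment if it is deliberate.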
@@ -0,0 +1,43 @@ +name: PR + +on: + pull_request_target: + +concurrency: + group: pr-${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }} + cancel-in-progress: true + +permissions: {} + +jobs: + lint: + uses: ./.github/workflows/lint.yml + with: + ref: ${{ github.event.pull_request.head.sha }} + + # This job posts the "Required Status Checks" to satisfy our ruleset. + required-checks: + # It "needs" all the jobs that should block merging a PR. + # Modify this list to add or remove jobs from required status checks. + needs: + - lint + + name: Required checks + runs-on: ubuntu-24.04-arm + permissions: + statuses: write + steps: + - uses: actions/github-script@v7 + with: + script: | + const { serverUrl, repo, runId, payload } = context + await github.rest.repos.createCommitStatus({ + ...repo, + sha: payload.pull_request.head.sha, + target_url: `${serverUrl}/${repo.owner}/${repo.repo}/actions/runs/${runId}`, + // WARNING: + // Do NOT change the context name or it will not match the ruleset. + // This would prevent all PRs from merging. + context: 'PR checks successful', + state: 'success', + })
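Review bot: Using `pull_request_target` while `lint` checks out `github.event.pull_request.head.sha` and runs `nix build` on it is the pattern that executes fork code in the base repository's context; what makes it tolerable here is that the caller grants no permissions, passes no `secrets: inherit`, and the only job with `statuses: write` never touches the PR tree — but none of that is written down, and the `needs` comment invites people to add jobs. I would pin the invariant above `lint:`: `# pull_request_target: lint builds UNTRUSTED fork code. Jobs that check out the PR must keep zero permissions and must never receive secrets: inherit.` Two things to confirm: the PR head is built as-is rather than merged with the base branch, and `lint.yml` requests `contents: read` that an empty caller grant may not allow it to elevate, so check that the run actually starts.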