From 18292ec55f88bf84c3e8257540ce180d3c60537c Mon Sep 17 00:00:00 2001
From: Chris Butler <chris.butler@redhat.com>
Date: Thu, 27 Nov 2025 10:05:50 +0900
Subject: [PATCH 1/3] chore: add commit linting

Signed-off-by: Chris Butler <chris.butler@redhat.com>
---
 .github/workflows/conventional-pr.yml | 26 ++++++++++++++++++++++++++
 .prettierrc                           |  4 ++++
 commitlint.config.js                  |  1 +
 3 files changed, 31 insertions(+)
 create mode 100644 .github/workflows/conventional-pr.yml
 create mode 100644 .prettierrc
 create mode 100644 commitlint.config.js

diff --git a/.github/workflows/conventional-pr.yml b/.github/workflows/conventional-pr.yml
new file mode 100644
index 0000000..1baf634
--- /dev/null
+++ b/.github/workflows/conventional-pr.yml
@@ -0,0 +1,26 @@
+name: "Lint PR title"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+    branches:
+      - 'main'
+      - 'develop'
+jobs:
+  lint:
+    if: ${{ github.head_ref != 'develop' }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: npm install @commitlint/cli @commitlint/config-conventional
+
+    - name: Validate PR title
+      run: |
+        PR_TITLE=$(jq -r '.pull_request.title' "$GITHUB_EVENT_PATH")
+        echo "$PR_TITLE" | npx commitlint --config commitlint.config.js
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 0000000..c3481a7
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,4 @@
+{
+  "singleQuote": true,
+  "semi": false
+}
\ No newline at end of file
diff --git a/commitlint.config.js b/commitlint.config.js
new file mode 100644
index 0000000..4fedde6
--- /dev/null
+++ b/commitlint.config.js
@@ -0,0 +1 @@
+module.exports = { extends: ['@commitlint/config-conventional'] }

From 4b2411a6e29891788bfc5e2dd0aa3fe0c50e926d Mon Sep 17 00:00:00 2001
From: Chris Butler <chris.butler@redhat.com>
Date: Thu, 27 Nov 2025 10:14:04 +0900
Subject: [PATCH 2/3] chore: scope down permissions

Signed-off-by: Chris Butler <chris.butler@redhat.com>
---
 .github/workflows/conventional-pr.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/conventional-pr.yml b/.github/workflows/conventional-pr.yml
index 1baf634..7b9d840 100644
--- a/.github/workflows/conventional-pr.yml
+++ b/.github/workflows/conventional-pr.yml
@@ -9,6 +9,10 @@ on:
     branches:
       - 'main'
       - 'develop'
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     if: ${{ github.head_ref != 'develop' }}

From 3d6d3e1a84da0963b22656d3057a7f6ad96331b5 Mon Sep 17 00:00:00 2001
From: Chris Butler <chris.butler@redhat.com>
Date: Thu, 27 Nov 2025 10:20:04 +0900
Subject: [PATCH 3/3] fix: tighten permissions

Signed-off-by: Chris Butler <chris.butler@redhat.com>
---
 .github/workflows/conventional-pr.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/conventional-pr.yml b/.github/workflows/conventional-pr.yml
index 7b9d840..7564909 100644
--- a/.github/workflows/conventional-pr.yml
+++ b/.github/workflows/conventional-pr.yml
@@ -8,7 +8,6 @@ on:
       - synchronize
     branches:
       - 'main'
-      - 'develop'
 permissions:
   contents: read
   pull-requests: read
@@ -20,6 +19,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Install dependencies
       run: npm install @commitlint/cli @commitlint/config-conventional