feat(lint): add self lint and auto-fix callers with shared config support

.github/actions/notify-irm/README.md

@@ -18,11 +18,11 @@ auto-resolve once the workflow goes green again.
 
 ## Inputs
 
-| Name                 | Required | Default | Description                                                                                                |
-| -------------------- | :------: | ------- | ---------------------------------------------------------------------------------------------------------- |
-| `webhook-url`        |   yes    | —       | Grafana IRM Custom webhook URL. Empty value disables the step.                                             |
-| `job-failed`         |   yes    | —       | `'true'` when any prior job failed/was cancelled, `'false'` otherwise.                                     |
-| `service`            |    no    | `ci`    | Logical service tag for IRM routing/labelling.                                                             |
+| Name                 | Required | Default | Description                                                                                                  |
+| -------------------- | :------: | ------- | ------------------------------------------------------------------------------------------------------------ |
+| `webhook-url`        |   yes    | —       | Grafana IRM Custom webhook URL. Empty value disables the step.                                               |
+| `job-failed`         |   yes    | —       | `'true'` when any prior job failed/was cancelled, `'false'` otherwise.                                       |
+| `service`            |    no    | `ci`    | Logical service tag for IRM routing/labelling.                                                               |
 | `resolve-on-success` |    no    | `true`  | When `true`, a green run posts `state=ok` to auto-resolve. Set `false` for unique-uid workflows (e.g. tags). |
 
 ## Usage

.github/skills/commit-and-release/SKILL.md

@@ -211,4 +211,4 @@ The tag push triggers `.github/workflows/release.yml`, which generates release-s
 
 After every successful release, end with a celebrative message. Be enthusiastic, reference the version number, and congratulate the team on shipping. Make it fun — this is a milestone worth celebrating! Example:
 
-> "SHIP IT! v0.12.0 is now LIVE and sailing into production! The stacks are deployed, the changelog is fresh, and the CI is green. Take a beer — you've earned it!"
+> "SHIP IT! v0.12.0 is now LIVE and sailing into production! The stacks are deployed, the changelog is fresh, and the CI is green. Take a beer — you've earned it!"

.github/workflows/assign-issue-to-codeowners.yml

@@ -38,7 +38,7 @@ jobs:
           EXCLUDE_RENOVATE_ISSUES: ${{ inputs.exclude-renovate-issues }}
           ISSUE_NUMBER: ${{ inputs.issue-number }}
         with:
-          script: |
+          script: |-
             // Try to read CODEOWNERS from common locations
             const paths = ['.github/CODEOWNERS', 'CODEOWNERS', 'docs/CODEOWNERS'];
             let content = null;

.github/workflows/autofix-caller.yml

@@ -0,0 +1,19 @@
+---
+name: Auto-fix formatting
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  autofix:
+    # Local reference validates reusable workflow changes in this repository.
+    uses: ./.github/workflows/autofix.yml
+    permissions:
+      contents: write
+    with:
+      # renovate: datasource=github-releases depName=jdx/mise
+      mise-version: "2026.4.9"
+      autofix-config-dir: config-sync/files

.github/workflows/autofix.yml

@@ -8,6 +8,11 @@ on:
         description: "mise version to install"
         required: true
         type: string
+      autofix-config-dir:
+        description: "Directory containing optional formatter config files"
+        required: false
+        type: string
+        default: ""
       autofix-dprint:
         description: "Run dprint fmt (Markdown auto-format)"
         required: false
@@ -48,11 +53,29 @@ jobs:
 
       - name: Auto-fix with dprint
         if: ${{ inputs.autofix-dprint }}
-        run: mise exec -- dprint fmt
+        env:
+          CONFIG_DIR: ${{ inputs.autofix-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/dprint.json" ]; then
+            mise exec -- dprint fmt \
+              --config "${CONFIG_DIR}/dprint.json" \
+              --config-discovery=false
+          else
+            mise exec -- dprint fmt
+          fi
 
       - name: Auto-fix with yamlfmt
         if: ${{ inputs.autofix-yamlfmt }}
-        run: find . \( -name '*.yaml' -o -name '*.yml' \) -print0 | xargs -0 mise exec -- yamlfmt
+        env:
+          CONFIG_DIR: ${{ inputs.autofix-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/.yamlfmt.yaml" ]; then
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamlfmt -conf "${CONFIG_DIR}/.yamlfmt.yaml"
+          else
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamlfmt
+          fi
 
       - name: Auto-fix with shfmt
         if: ${{ inputs.autofix-shfmt }}

.github/workflows/config-sync.yml

@@ -9,7 +9,8 @@ on:
   workflow_call:
     inputs:
       sync-templates:
-        description: "Also sync template files (only copies if file does not exist locally — will not overwrite customized files)"
+        description: "Also sync template files (only copies if file does not exist locally — will not overwrite customized
+          files)"
         required: false
         type: boolean
         default: false

.github/workflows/lint-caller.yml

@@ -0,0 +1,23 @@
+---
+name: Lint
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    # Local reference validates reusable workflow changes in this repository.
+    uses: ./.github/workflows/lint.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      # renovate: datasource=github-releases depName=jdx/mise
+      mise-version: "2026.4.9"
+      lint-config-dir: config-sync/files

.github/workflows/lint.yml

@@ -8,6 +8,11 @@ on:
         description: "mise version to install"
         required: true
         type: string
+      lint-config-dir:
+        description: "Directory containing optional linter config files"
+        required: false
+        type: string
+        default: ""
       lint-dprint:
         description: "Run dprint (Markdown formatting)"
         required: false
@@ -77,6 +82,10 @@ on:
 permissions:
   contents: read
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   dprint:
     name: dprint
@@ -95,7 +104,17 @@ jobs:
           version: ${{ inputs.mise-version }}
 
       - name: Check formatting with dprint
-        run: mise exec -- dprint check
+        env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/dprint.json" ]; then
+            mise exec -- dprint check \
+              --config "${CONFIG_DIR}/dprint.json" \
+              --config-discovery=false \
+              --allow-no-files
+          else
+            mise exec -- dprint check --allow-no-files
+          fi
 
   yamlfmt:
     name: yamlfmt
@@ -114,7 +133,16 @@ jobs:
           version: ${{ inputs.mise-version }}
 
       - name: Check YAML formatting
-        run: find . \( -name '*.yaml' -o -name '*.yml' \) -print0 | xargs -0 mise exec -- yamlfmt -lint
+        env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/.yamlfmt.yaml" ]; then
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamlfmt -conf "${CONFIG_DIR}/.yamlfmt.yaml" -lint
+          else
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamlfmt -lint
+          fi
 
   yamllint:
     name: yamllint
@@ -133,7 +161,16 @@ jobs:
           version: ${{ inputs.mise-version }}
 
       - name: Run yamllint
-        run: find . \( -name '*.yaml' -o -name '*.yml' \) -print0 | xargs -0 mise exec -- yamllint
+        env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/.yamllint.yaml" ]; then
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamllint -c "${CONFIG_DIR}/.yamllint.yaml"
+          else
+            find . \( -name '*.yaml' -o -name '*.yml' \) -print0 |
+              xargs -0 mise exec -- yamllint
+          fi
 
   actionlint:
     name: actionlint
@@ -172,7 +209,14 @@ jobs:
           version: ${{ inputs.mise-version }}
 
       - name: Run gitleaks
-        run: mise exec -- gitleaks detect --redact
+        env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
+        run: |-
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/.gitleaks.toml" ]; then
+            mise exec -- gitleaks detect --redact --config "${CONFIG_DIR}/.gitleaks.toml"
+          else
+            mise exec -- gitleaks detect --redact
+          fi
 
   shellcheck:
     name: shellcheck
@@ -192,12 +236,28 @@ jobs:
 
       - name: Run shellcheck
         env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
           EXCLUDE_PATTERN: ${{ inputs.lint-shellcheck-exclude }}
         run: |
+          repo_dir="${GITHUB_WORKSPACE:-$PWD}"
+          shellcheck_workdir="${repo_dir}"
+
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/.shellcheckrc" ]; then
+            if [ -f "${repo_dir}/.shellcheckrc" ]; then
+              echo "::notice::.shellcheckrc already exists; using the local file"
+            else
+              shellcheck_workdir="${RUNNER_TEMP:-/tmp}/shellcheck-config"
+              mkdir -p "${shellcheck_workdir}"
+              cp "${CONFIG_DIR}/.shellcheckrc" "${shellcheck_workdir}/.shellcheckrc"
+            fi
+          fi
+
           if [ -n "${EXCLUDE_PATTERN}" ]; then
-            find . -name '*.sh' -not -path "./${EXCLUDE_PATTERN}" -print0 | xargs -0 mise exec -- shellcheck
+            find "${repo_dir}" -name '*.sh' -not -path "${repo_dir}/${EXCLUDE_PATTERN}" -print0 |
+              (cd "${shellcheck_workdir}" && xargs -0 mise exec -- shellcheck)
           else
-            find . -name '*.sh' -print0 | xargs -0 mise exec -- shellcheck
+            find "${repo_dir}" -name '*.sh' -print0 |
+              (cd "${shellcheck_workdir}" && xargs -0 mise exec -- shellcheck)
           fi
 
   shfmt:
@@ -289,7 +349,18 @@ jobs:
           version: ${{ inputs.mise-version }}
 
       - name: Run trivy
-        run: mise exec -- trivy fs --scanners misconfig,secret --format sarif --output trivy.sarif . || true
+        env:
+          CONFIG_DIR: ${{ inputs.lint-config-dir }}
+        run: |-
+          trivy_args=()
+          if [ -n "${CONFIG_DIR}" ] && [ -f "${CONFIG_DIR}/trivy.yaml" ]; then
+            trivy_args+=(--config "${CONFIG_DIR}/trivy.yaml")
+          fi
+
+          mise exec -- trivy fs "${trivy_args[@]}" \
+            --scanners misconfig,secret \
+            --format sarif \
+            --output trivy.sarif . || true
 
       - name: Upload SARIF report
         uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

.github/workflows/todo-to-issue.yml

@@ -34,4 +34,5 @@ jobs:
         with:
           AUTO_ASSIGN: "${{ inputs.auto_assign }}"
           IDENTIFIERS: >-
-            ${{ inputs.label != '' && format('[{{"name": "TODO", "labels": ["{0}"]}}]', inputs.label) || '[{"name": "TODO", "labels": []}]' }}
+            ${{ inputs.label != '' && format('[{{"name": "TODO", "labels": ["{0}"]}}]', inputs.label) || '[{"name": "TODO",
+            "labels": []}]' }}

.mise.toml

@@ -2,6 +2,15 @@
 min_version = "2026.4.9"
 
 [tools]
+actionlint = "1.7.12"
 cocogitto = "7.0.0"
 dprint = "0.54.0"
+gitleaks = "8.30.1"
 git-cliff = "2.12.0"
+"pipx:checkov" = "3.2.521"
+"pipx:yamllint" = "1.38.0"
+shellcheck = "0.11.0"
+shfmt = "3.13.1"
+trivy = "0.70.0"
+yamlfmt = "0.21.0"
+zizmor = "1.24.1"