patternfly · cdcabrera · May 11, 2026 · May 11, 2026
@@ -6,6 +6,7 @@ about: Create a report to help us improve
 
 ## Description
 <!-- Provide a quick overview of the issue being raised. -->
+<!-- Link a Git diff with the format https://github.com/patternfly/patternfly-mcp/compare/main...your-username:your-branch -->
 
 ### Expected behavior
 <!-- Describe the expected behavior for the program. -->

@@ -6,6 +6,8 @@ about: Suggest an idea for this project
 
 ## Description
 <!-- Provide a quick overview of the feature -->
+<!-- Link a Git diff with the format https://github.com/patternfly/patternfly-mcp/compare/main...your-username:your-branch -->
+
 As user X, I want Y to happen so that Z.
 
 ## Acceptance criteria

@@ -1,44 +1,44 @@
-<!--
-PR tips
-- Updates to MCP architecture, resources, prompts, and tools require an issue being opened first.
-- Review existing issues for confirmation that the work isn't already in progress.
-- Review our [PR contributing guidelines](https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md#pull-requests).
+<!-- GH_PR_METADATA_V1_789 -->
+<!-- 
+Before you open a PR, make sure you have reviewed our contribution guidelines:
+https://github.com/patternfly/patternfly-mcp/blob/main/CONTRIBUTING.md 
 -->
+
 ## What is it?
 <!-- Summary of changes/additions/commits -->
-...
 
 ### Notes
-<!--
-- This is bot-created work, I am but a passenger on this wild-ride. AI agent tooling and model leveraged are:
-   - tooling: [IDE/Chat]
-   - model: [Specific/IDE specific/Auto-selection]
--->
 ...
 
-<!-- ## How to test-->
+## How to test
 <!-- Are there directions to test/review? -->
-<!--
-### Prompt an agent to
-1. `> [test prompt]`
--->
+...
+
 <!--
 ### Check the work
 1. Update the NPM packages with `$ npm install`
 1. `$ npm run build`
 1. `npx -y @modelcontextprotocol/inspector node dist/cli.js`
 1. next...
 -->
+
+<!--
+### Prompt an agent to
+1. `> [test prompt]`
+-->
+
 <!--
 ### Unit test check
 1. Update the NPM packages with `$ npm install`
 1. `$ npm test`
 -->
+
 <!--
 ### E2E test check
 1. Update the NPM packages with `$ npm install`
 1. `$ npm run test:integration`
 -->
+
 <!--
 ### Check the build
 1. Update the NPM packages with `$ npm install`

@@ -1,16 +1,21 @@
-name: Data Audit
+name: Security & Data Audit
 
 on:
   pull_request:
     paths:
       - 'src/docs.json'
+      - 'scripts/**'
+      - 'tests/scripts/**'
       - 'tests/audit/**'
+      - 'package.json'
+      - 'package-lock.json'
   schedule:
     - cron: '0 0 * * *' # Daily at midnight
   workflow_dispatch:
 
 jobs:
-  audit-links:
+  documentation-audit:
+    name: Documentation Audit
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -30,3 +35,37 @@ jobs:
           DOCS_AUDIT_MAX_TOTAL: ${{ github.event_name == 'schedule' && '0' || '50' }}
         # Advisories are non-blocking for PRs
         continue-on-error: ${{ github.event_name == 'pull_request' }}
+
+  dependency-audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Node.js
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 22.x
+          cache: npm
+      - name: Run npm audit
+        run: npm audit --omit-dev --audit-level=critical
+        # Advisories are non-blocking for PRs
+        continue-on-error: ${{ github.event_name == 'pull_request' }}
+
+  script-audit:
+    name: Script Audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Node.js
+        uses: actions/setup-node@v6.3.0
+        with:
+          node-version: 22.x
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Run script audit
+        run: npm run test:scripts
@@ -1,42 +1,106 @@
 name: Build
 on:
+  pull_request:
   push:
     branches: [ main ]
     tags:
       - "*"
-  pull_request:
 
 jobs:
+  Gatekeeper:
+    if: ${{ github.event_name == 'pull_request' }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - name: Trusted configuration
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.base.ref }} # Force our main/base branch
+          sparse-checkout: |
+            .github
+            scripts
+
+      - name: Validate PR
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const path = require('path');
+            let startFn;
+            try {
+              const scriptPath = path.resolve(process.env.GITHUB_WORKSPACE, 'scripts', 'workflow.preCheck.js');
+              const module = await import(scriptPath);
+              startFn = module.start || module.default;
+            } catch (err) {
+              console.error('PreCheck loading error.', err?.message || err);
+              core.setFailed('PreCheck loading error. File is missing or unreadable. Has the file been checked in?');
+            }
+
+            if (startFn) {
+              await startFn({
+                  LABEL_NEEDS_CLEANUP: 'bot:needs-cleanup',
+                  LABEL_NEEDS_MAINTAINER: 'bot:needs-maintainer',
+                  LABEL_PRECHECKS_PASS: 'bot:ready-for-testing'
+                }, {
+                  github,
+                  context,
+                  core,
+                });
+            }
+
+      - name: Lint
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const path = require('path');
+            let workflowCommitLint;
+            try {
+              const scriptPath = path.resolve(process.env.GITHUB_WORKSPACE, 'scripts', 'workflow.commitLint.js');
+              const module = await import(scriptPath);
+              workflowCommitLint = module.workflowCommitLint || module.default;
+            } catch (err) {
+              console.error('Lint loading error.', err?.message || err);
+              core.setFailed('Lint loading error. File is missing or unreadable. Has the file been checked in?');
+            }
+
+            if (workflowCommitLint) {
+              const { data: commits } = await github.rest.pulls.listCommits({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+              });
+
+              const { resultsArray, resultsString } = workflowCommitLint(commits);
+
+              if (resultsArray.length) {
+                core.setFailed(resultsString);
+              }
+            }
+
   Integration-checks:
     runs-on: ubuntu-latest
+    needs: Gatekeeper
+    if: ${{ always() && (github.event_name == 'push' || needs.Gatekeeper.result == 'success') }}
     permissions:
       contents: read
     strategy:
       matrix:
         node-version: [20.x, 22.x, 24.x]
     steps:
       - uses: actions/checkout@v6
+
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6.3.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm
-      - name: Node.js modules cache
-        uses: actions/cache@v5
-        id: modules-cache
-        with:
-          path: ${{ github.workspace }}/node_modules
-          key: ${{ runner.os }}-${{ matrix.node-version }}-modules-${{ hashFiles('**/package-lock.json') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.node-version }}-modules
+
       - name: Install Node.js packages
-        if: ${{ steps.modules-cache.outputs.cache-hit != 'true' }}
         run: npm ci
-      - name: Audit packages
-        run: npm audit --audit-level=high
-        continue-on-error: true
+
       - name: Lint and test
         run: npm run test:ci
+
       - name: Confirm integration
-        if: ${{ success() }}
         run: npm run test:integration