Diffstat (limited to '.github/workflows/ci-lint.yml')
-rw-r--r--.github/workflows/ci-lint.yml122
1 files changed, 122 insertions, 0 deletions
diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml
new file mode 100644
index 0000000000..0e01b66811
--- /dev/null
+++ b/.github/workflows/ci-lint.yml
@@ -0,0 +1,122 @@
+# Copyright (C) Project Tick Contributors
+# SPDX-License-Identifier: MIT
+#
+# Fast lint & commit checks — called from ci.yml before builds start.
+
+name: "Lint & Checks"
+
+on:
+ workflow_call:
+ inputs:
+ run-level:
+ description: "minimal | standard | full"
+ required: true
+ type: string
+ changed-projects:
+ description: "Comma-separated list of changed projects"
+ required: false
+ type: string
+ default: ""
+
+permissions:
+ contents: read
+
+jobs:
+ # ── Commit message lint (Conventional Commits) ──────────────────
+ commit-lint:
+ name: "Commit Messages"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: 22
+
+ - name: Install dependencies
+ working-directory: ci/github-script
+ run: npm ci
+
+ - name: Lint commit messages
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const lint = require('./ci/github-script/lint-commits.js')
+ await lint({ github, context, core, repoPath: '.' })
+
+ # ── REUSE / license compliance ──────────────────────────────────
+ reuse:
+ name: "REUSE Compliance"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Check REUSE compliance
+ uses: fsfe/reuse-action@v6
+
+ # ── Whitespace & formatting checks ─────────────────────────────
+ whitespace:
+ name: "Whitespace"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Check trailing whitespace
+ run: |
+ set -euo pipefail
+ ERRORS=$(git diff --check HEAD~1 HEAD -- \
+ ':!*.patch' \
+ ':!*/test/data/*' \
+ ':!*.ico' \
+ ':!*.png' \
+ ':!*.jpg' \
+ ':!*.gif' \
+ ':!*.bin' \
+ ':!*.7z' \
+ ':!*.zip' \
+ ':!*.gz' \
+ ':!*.lock' \
+ 2>/dev/null || true)
+ if [[ -n "$ERRORS" ]]; then
+ echo "::warning::Whitespace issues found:"
+ echo "$ERRORS"
+ fi
+
+ # ── Actionlint (validate all workflow YAML) ─────────────────────
+ actionlint:
+ name: "Actionlint"
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Run actionlint
+ uses: raven-actions/actionlint@v2
+ with:
+ matcher: true
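Review bot: The `whitespace` job's check appears to fail open: its `actions/checkout@v6` step sets no `fetch-depth`, so with the action's default single-commit clone `HEAD~1` does not resolve, and `2>/dev/null || true` swallows the git error, leaving `ERRORS` empty on every run. Give that checkout `with:` / `fetch-depth: 2` (the `commit-lint` job already sets `fetch-depth: 0`) and drop `2>/dev/null` so an unresolved revision shows up in the log instead of reading as a clean result. Even when issues are found the step only prints `::warning::`, so if the header comment's "checks … before builds start" is meant as a gate, that branch needs an `exit 1`. Separately, `step-security/harden-runner@v2`, `fsfe/reuse-action@v6` and `raven-actions/actionlint@v2` are referenced by mutable tags; pinning each to a full commit SHA (with the tag kept as a trailing comment) would stop a retagged release from changing what runs in this workflow.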