feat: setup fossier to stop bot slop prs (#3482)

I am tired of PRs from "people" who have forked >100 repos and opened
>200 PRs in a single day.

Use AI to amplify what you can do.

I'm not reading your slop PR body that you haven't even read, reviewing
code you have had no part in, and testing something you have probably
never built.

## Checks
- [ ] I am happy for maintainers to push small adjustments to this PR,
to speed up the review cycle
- [ ] I have checked that there are no existing pull requests for the
same thing

1 files changed, 51 insertions, 0 deletions

diff --git a/.github/workflows/fossier-scan.yml b/.github/workflows/fossier-scan.yml
new file mode 100644
index 00000000..784ab36c
--- /dev/null
+++ b/.github/workflows/fossier-scan.yml
@@ -0,0 +1,51 @@
+name: Fossier Scan All PRs
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Dry run - evaluate but don't take actions"
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install fossier
+        run: uv pip install --system .
+
+      - name: Restore DB cache
+        uses: actions/cache@v4
+        with:
+          path: .fossier.db
+          key: fossier-db-${{ github.repository }}
+          restore-keys: |
+            fossier-db-${{ github.repository }}
+
+      - name: Scan open PRs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          FLAGS="--format table"
+          if [ "${{ inputs.dry-run }}" = "true" ]; then
+            FLAGS="$FLAGS --dry-run"
+          else
+            FLAGS="$FLAGS --execute"
+          fi
+          fossier scan $FLAGS