feat: setup fossier to stop bot slop prs (#3482)

I am tired of PRs from "people" who have forked >100 repos and opened
>200 PRs in a single day.

Use AI to amplify what you can do.

I'm not reading your slop PR body that you haven't even read, reviewing
code you have had no part in, and testing something you have probably
never built.

## Checks
- [ ] I am happy for maintainers to push small adjustments to this PR,
to speed up the review cycle
- [ ] I have checked that there are no existing pull requests for the
same thing

6 files changed, 101 insertions, 0 deletions

diff --git a/.fossier.db b/.fossier.db
new file mode 100644
index 00000000..216c685e
--- /dev/null
+++ b/.fossier.db
diff --git a/.fossier.db-wal b/.fossier.db-wal
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/.fossier.db-wal
diff --git a/.github/workflows/fossier-scan.yml b/.github/workflows/fossier-scan.yml
new file mode 100644
index 00000000..784ab36c
--- /dev/null
+++ b/.github/workflows/fossier-scan.yml
@@ -0,0 +1,51 @@
+name: Fossier Scan All PRs
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Dry run - evaluate but don't take actions"
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install fossier
+        run: uv pip install --system .
+
+      - name: Restore DB cache
+        uses: actions/cache@v4
+        with:
+          path: .fossier.db
+          key: fossier-db-${{ github.repository }}
+          restore-keys: |
+            fossier-db-${{ github.repository }}
+
+      - name: Scan open PRs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          FLAGS="--format table"
+          if [ "${{ inputs.dry-run }}" = "true" ]; then
+            FLAGS="$FLAGS --dry-run"
+          else
+            FLAGS="$FLAGS --execute"
+          fi
+          fossier scan $FLAGS
diff --git a/.github/workflows/fossier.yml b/.github/workflows/fossier.yml
new file mode 100644
index 00000000..ff60125b
--- /dev/null
+++ b/.github/workflows/fossier.yml
@@ -0,0 +1,26 @@
+name: Fossier PR Check
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+permissions:
+  pull-requests: write
+  issues: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: PThorpe92/fossier@main
+        id: fossier
+        with:
+          contact-url: "https://discord.gg/Fq8bJSKPHh"
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # Optional: connect to the global spam registry
+          # registry-api-key: ${{ secrets.FOSSIER_REGISTRY_API_KEY }}
+
+      - name: Handle result
+        if: steps.fossier.outputs.outcome == 'deny'
+        run: echo "PR denied with score ${{ steps.fossier.outputs.score }}"
diff --git a/VOUCHED.td b/VOUCHED.td
new file mode 100644
index 00000000..1afc3fd9
--- /dev/null
+++ b/VOUCHED.td
@@ -0,0 +1,7 @@
+# VOUCHED.td: trust declarations
+# Lines starting with + vouch for a user
+# Lines starting with - denounce a user (reason required)
+#
+# Examples:
+# + trusteduser
+# - spammer  Known SEO link spam
diff --git a/fossier.toml b/fossier.toml
new file mode 100644
index 00000000..45ad0bcd
--- /dev/null
+++ b/fossier.toml
@@ -0,0 +1,17 @@
+[repo]
+owner = "atuinsh"
+name = "atuin"
+
+[thresholds]
+allow_score = 70.0
+deny_score = 40.0
+min_confidence = 0.5
+
+[actions.deny]
+close_pr = true
+comment = true
+label = "fossier:spam-likely"
+
+[actions.review]
+comment = true
+label = "fossier:needs-review"