code · pull · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/.github/workflows/changes-file.yml b/.github/workflows/changes-file.yml
diff --git a/.github/workflows/close-feature-pr.yml b/.github/workflows/close-feature-pr.yml
diff --git a/.github/workflows/pr-actions.yml b/.github/workflows/pr-actions.yml
@@ -0,0 +1,52 @@
+name: PR (Actions)
+
+# Triggered when "PR (Check)" completes. Downloads the artifact produced by
+# the upstream workflow and applies the recorded actions (sticky comments,
+# label changes, close, etc.) with write permissions. Never executes PR
+# source code — only reads the JSON artifact.
+
+on:
+  workflow_run:
+    workflows: ["PR (Check)"]
+    types: [completed]
+
+jobs:
+  actions:
+    name: PR (Actions)
+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.repository == 'remix-run/react-router'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      actions: read
+
+    steps:
+      # Check's out the base (main) branch - not the PR branch
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@v6
+
+      - name: 📦 Setup pnpm
+        uses: pnpm/action-setup@v6
+
+      - name: ⎔ Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: pnpm
+
+      - name: 📥 Install deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📥 Download result from upstream workflow
+        uses: actions/download-artifact@v4
+        with:
+          name: pr-checks-result
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: 💬 Apply actions
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: node scripts/pr.ts actions pr-checks-result.json
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -0,0 +1,53 @@
+name: PR (Check)
+
+# Read-only PR inspection. Computes a list of "actions" (sticky comments,
+# label changes, close, etc.) and uploads them as an artifact. The PR (Actions)
+# workflow consumes the artifact and applies the actions with write
+# permissions — keeping that step out of the PR's untrusted code path.
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.action }}-${{ github.event.label.name }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    name: 🔍 Check PR
+    if: github.repository == 'remix-run/react-router'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+
+    steps:
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@v6
+
+      - name: 📦 Setup pnpm
+        uses: pnpm/action-setup@v6
+
+      - name: ⎔ Setup node
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: ".nvmrc"
+          cache: pnpm
+
+      - name: 📥 Install deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 🔍 Run checks
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_BASE: ${{ github.event.pull_request.base.ref }}
+          EVENT_ACTION: ${{ github.event.action }}
+          LABEL_NAME: ${{ github.event.label.name }}
+        run: node scripts/pr.ts check
+
+      - name: 📤 Upload result
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr-checks-result
+          path: pr-checks-result.json
diff --git a/scripts/changes/check-pr.ts b/scripts/changes/check-pr.ts