diff --git a/.github/workflows/direct-push-alert.yml b/.github/workflows/direct-push-alert.yml
new file mode 100644
index 0000000..8e71119
--- /dev/null
+++ b/.github/workflows/direct-push-alert.yml
@@ -0,0 +1,16 @@
+name: Direct Push Alert
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  alert:
+    uses: basecamp/.github/.github/workflows/direct-push-alert.yml@a667bfaac8b33b9c8a6c61019664463a98055995
+    permissions:
+      contents: read
+      issues: write
diff --git a/.github/workflows/sensitive-change-gate.yml b/.github/workflows/sensitive-change-gate.yml
new file mode 100644
index 0000000..2ca5d7e
--- /dev/null
+++ b/.github/workflows/sensitive-change-gate.yml
@@ -0,0 +1,19 @@
+name: Sensitive Change Gate
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  gate:
+    uses: basecamp/.github/.github/workflows/sensitive-change-gate.yml@a667bfaac8b33b9c8a6c61019664463a98055995
+    with:
+      extra-patterns: |
+        scripts/sync-skills.sh
+    permissions:
+      contents: read
+      pull-requests: write