From 02a3436b35718208185b3eaa90139c8c395f3f40 Mon Sep 17 00:00:00 2001
From: Gerry Laracuente
Date: Fri, 8 May 2026 09:36:16 -0400
Subject: [PATCH 1/2] add reusable github workflows (INT-1582)
---
 .github/workflows/lint.yaml | 39 ++++++++++++++++++++++++
 .github/workflows/release-please.yaml | 36 ++++++++++++++++++++++
 .github/workflows/test.yaml | 43 +++++++++++++++++++++++++++
 .github/workflows/trunk-upgrade.yaml | 34 +++++++++++++++++++++
 .github/workflows/zizmor.yaml | 25 ++++++++++++++++
 5 files changed, 177 insertions(+)
 create mode 100644 .github/workflows/lint.yaml
 create mode 100644 .github/workflows/release-please.yaml
 create mode 100644 .github/workflows/test.yaml
 create mode 100644 .github/workflows/trunk-upgrade.yaml
 create mode 100644 .github/workflows/zizmor.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..b5f7b15
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,39 @@
+name: Lint
+
+on:
+ workflow_call:
+ secrets:
+ GITHUB_TOKEN:
+ required: true
+
+permissions: {}
+
+jobs:
+ lint:
+ name: lint
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # needed by trunk-action to read workflow run context
+ checks: write # needed by trunk-action to write check results
+ contents: read # needed by trunk-action to read repository contents
+ steps:
+ - name: Check out Git repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Trunk Check
+ uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
+ env:
+ # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ conventional-title:
+ name: conventional title
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read # needed by action-semantic-pull-request to inspect pull request context
+ steps:
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
new file mode 100644
index 0000000..11c9d5f
--- /dev/null
+++ b/.github/workflows/release-please.yaml
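Review bot: Declaring `GITHUB_TOKEN` under `on.workflow_call.secrets` (hunk lines 5–7) is redundant, because the automatic token is already available to a called workflow as `secrets.GITHUB_TOKEN`, and I believe workflow validation rejects secret names with the `GITHUB_` prefix — worth confirming on a test run before callers are written against it; the same declaration appears in test.yaml. Dropping the `secrets:` block leaves both `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` lines working unchanged. The `conventional-title` job runs `action-semantic-pull-request`, which only makes sense on a pull_request event; a caller that invokes this reusable workflow from a push trigger would fail that step, so either state the caller contract in a comment such as `# callers must invoke this workflow from a pull_request trigger` or guard the job with `if: github.event_name == 'pull_request'`.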
@@ -0,0 +1,36 @@
+name: Release Please
+
+on:
+ workflow_call:
+ inputs:
+ release-type:
+ type: string
+ required: true
+ secrets:
+ MP_BOT_APP_ID:
+ required: true
+ MP_BOT_APP_PRIVATE_KEY:
+ required: true
+
+permissions: {}
+
+jobs:
+ release-please:
+ name: release please
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed by release-please-action to write repository contents
+ pull-requests: write # needed by release-please-action to write pull requests
+ issues: write # needed by release-please-action to write issues
+ steps:
+ - name: Create Token for MasterpointBot App
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+ id: generate-token
+ with:
+ app_id: ${{ secrets.MP_BOT_APP_ID }}
+ private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
+ - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+ release-type: ${{ inputs.release-type }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..317e44b
--- /dev/null
+++ b/.github/workflows/test.yaml
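Review bot: The job-level `permissions` (hunk lines 21–24) grant `contents`, `pull-requests` and `issues: write` to the automatic GITHUB_TOKEN, yet both steps run with the app token from `steps.generate-token`, so as far as the hunk shows the automatic token never needs those writes. If release-please-action really only consumes its `token` input, reduce them to `permissions: contents: read` (or `{}`) so a compromised step cannot fall back on the broader automatic token. The reason for using an app token at all is presumably that release PRs created with GITHUB_TOKEN do not trigger other workflows; that deserves a one-line comment on the token step, e.g. `# app token used so release PRs trigger CI; GITHUB_TOKEN-created events do not`.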
@@ -0,0 +1,43 @@
+name: TF Test
+
+on:
+ workflow_call:
+ inputs:
+ aws_role_arn:
+ type: string
+ required: true
+ secrets:
+ SPACELIFT_API_KEY_ENDPOINT:
+ required: true
+ SPACELIFT_API_KEY_ID:
+ required: true
+ SPACELIFT_API_KEY_SECRET:
+ required: true
+ GITHUB_TOKEN:
+ required: true
+
+permissions: {}
+
+jobs:
+ tf-test:
+ name: 🧪 ${{ matrix.tf }} test
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read # needed by github-action-tf-test to read workflow run context
+ checks: write # needed by github-action-tf-test to write check results
+ contents: read # needed by github-action-tf-test to read repository contents
+ id-token: write # needed by github-action-tf-test to write id token
+ pull-requests: read # needed by github-action-tf-test to read pull request context
+ env:
+ SPACELIFT_API_KEY_ENDPOINT: ${{ secrets.SPACELIFT_API_KEY_ENDPOINT }}
+ SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
+ SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
+ strategy:
+ matrix:
+ tf: [tofu, terraform]
+ steps:
+ - uses: masterpointio/github-action-tf-test@c1e41998f67925ac3f34e0bbcfcaa4a44d1f0cd9 # v1.0.1
+ with:
+ tf_type: ${{ matrix.tf }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
new file mode 100644
index 0000000..e8f1856
--- /dev/null
+++ b/.github/workflows/trunk-upgrade.yaml
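Review bot: The three Spacelift credentials are exported as job-level `env` (hunk lines 31–34) although only the single `github-action-tf-test` step consumes them; moving that `env:` block under the step keeps the secrets out of the environment of any step added to this job later. `id-token: write` combined with the caller-supplied `aws_role_arn` means any repository allowed to call this workflow can request an OIDC token for whatever role it names, so the role's trust policy is the real boundary; record that next to the input with a comment such as `# the role's AWS trust policy must restrict the OIDC subject claim to this org`. The `GITHUB_TOKEN` entry under `secrets:` is the same redundancy noted on lint.yaml.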
@@ -0,0 +1,34 @@
+name: Trunk Upgrade
+
+on:
+ workflow_call:
+ secrets:
+ MP_BOT_APP_ID:
+ required: true
+ MP_BOT_APP_PRIVATE_KEY:
+ required: true
+ MASTERPOINT_TEAM_PAT:
+ required: true
+
+permissions: {}
+
+jobs:
+ trunk-upgrade:
+ name: trunk upgrade
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed by github-action-trunk-upgrade to write repository contents
+ pull-requests: write # needed by github-action-trunk-upgrade to write pull requests
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run Trunk Upgrade
+ uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
+ with:
+ app-id: ${{ secrets.MP_BOT_APP_ID }}
+ app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+ github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+ reviewers: "@masterpointio/masterpoint-open-source"
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..35199ab
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,25 @@
+name: Zizmor
+
+on:
+ workflow_call: {}
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: zizmor
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ # Set to false, so zizmor will not upload results to Github Advanced Security
+ # and will instead print them to the Action's run log.
+ advanced-security: false
+ # Set to pedantic so that zizmor will run it's stale-action-refs audit rule
+ persona: pedantic
From 5e2504978af79d9d5a3245f4c59548c246a091af Mon Sep 17 00:00:00 2001
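Review bot: The `Run Trunk Upgrade` step (trunk-upgrade hunk lines 28–34) is handed three separate credentials — the app id/private-key pair and `MASTERPOINT_TEAM_PAT` as `github-token` — while the job additionally grants `contents: write` and `pull-requests: write` to the automatic GITHUB_TOKEN; nothing in the hunk says which credential performs which write, and a long-lived PAT is the least desirable of the three. Document the split next to the inputs, e.g. `# github-token: PAT used for <purpose>; app credentials used for <purpose>`, and if the action does all of its writes with the app token or PAT, drop the job-level write permissions to least privilege. The `permissions` comments attribute the writes to github-action-trunk-upgrade, which sits oddly with the action receiving its own tokens — worth reconciling one way or the other.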
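Review bot: With `advanced-security: false` (zizmor hunk line 23) findings go only to the run log, and nothing in the hunk states whether findings fail the job or are merely reported; zizmor-action's gating default is not visible here, so state it explicitly in the comment, e.g. `# findings are printed to the run log; the job fails on findings at the pedantic persona` (or the opposite, whichever holds). The comment on line 24 has a typo, `it's` for `its`: `# Set to pedantic so that zizmor will run its stale-action-refs audit rule`. Leaving the job without its own `permissions` block under the top-level `permissions: {}` is correct for a read-only scan and could be said in one comment so nobody "fixes" it later.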
From: Gerry Laracuente
Date: Fri, 8 May 2026 15:27:51 -0400
Subject: [PATCH 2/2] chore: use maintained token action (INT-1582)
---
 .github/workflows/release-please.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 11c9d5f..936a2b7 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -24,11 +24,11 @@ jobs: issues: write # needed by release-please-action to write issues steps: - name: Create Token for MasterpointBot App - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1 id: generate-token with: - app_id: ${{ secrets.MP_BOT_APP_ID }} - private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + app-id: ${{ secrets.MP_BOT_APP_ID }} + private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3 with:
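Review bot: The token minted on the new `actions/create-github-app-token` line is still issued with the app installation's full permission set, while release-please only needs contents, pull requests and issues; `create-github-app-token` can narrow the token through its `permission-*` inputs, so add `permission-contents: write`, `permission-pull-requests: write` and `permission-issues: write` under the step's `with:` (with `repositories` unset it already scopes to the current repository, which is what this job wants). The `#v3.1.1` pin comment carries over the `#v` spelling of the replaced line while the other workflows in this series use `# v6.0.2`; `# v3.1.1` keeps the pin comments uniform for whatever tooling updates them. The enclosing `release-please` job starts above this hunk.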