
Fix/int 1582/fix lint context + upgrade trunk-action #2

Open

glaracuente wants to merge 4 commits into main from fix/INT-1582/fix_lint_context

Conversation

@glaracuente (Contributor) commented May 21, 2026

what

  • Add head-ref as an input to our lint workflow
  • Rename test.yaml to tf-test.yaml
  • Upgrade trunk-io/trunk-action to 1.3.1

why

  • Since lint is currently running against pull_request_target, the workflow is currently checking out the code in main and not linting on the changes being added in the feature branch. Using head-ref will fix this.
  • In the caller lint.yaml workflows, head-ref will be defined as ${{ format('refs/pull/{0}/merge', github.event.number) }}
  • I discovered this when moving zizmor from a workflow to trunk. I could test zizmor failures through trunk locally, but the failures were not surfacing in CI. This is a problem, because trunk will warn us before pushing changes, but we can easily just ignore these warnings and push anyway, and CI linting will be blind to these failures.
  • test.yaml is renamed to tf-test.yaml, because "test" is very generic and I know of at least one example where we use the same name for a workflow file that does testing that is not terraform related. Since this is a centralized workflow file, it makes sense to make the name more specific.
  • While I'm at it, I'm taking the chance to upgrade trunk-action. The newer version includes contributions from our very own @Xeboc. It's a very important contribution to Pin GitHub Actions to full commit SHAs, which is going to be good for our overall security posture here as well.

references

@coderabbitai (Bot) commented May 21, 2026

📝 Walkthrough

The lint reusable workflow adds a required head-ref input parameter to allow calling workflows to specify the Git reference to check out. The checkout step is updated to use this parameter, and the trunk-io/trunk-action dependency is bumped from v1.2.4 to v1.3.1.

Changes

Lint Workflow Reusable Input

File: .github/workflows/lint.yaml
Layer: workflow input contract and checkout usage
Summary: workflow_call input head-ref (required, string) is declared and used in the checkout step's ref parameter; trunk-io/trunk-action is upgraded to v1.3.1.

Possibly Related PRs

  • masterpointio/actions#1: Both PRs touch the same reusable workflow file .github/workflows/lint.yaml, with this PR updating the workflow_call interface and the trunk-io/trunk-action pinned revision that was introduced by the previous PR.

Suggested Reviewers

  • Gowiem

Poem

🐰 A workflow takes flight with a parameterized grace,
Head-ref now guides where the checkout will trace,
Trunk's version bumped up to the latest and new,
Reusable and ready—this lint workflow's true! 🎉


🎯 2 (Simple) | ⏱️ ~5-10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

Title check: ✅ Passed. The title references fixing lint context and upgrading trunk-action, which aligns with the main changes in the PR (adding head-ref input, updating trunk-action version).
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.


@coderabbitai (Bot) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/lint.yaml (1)

27-34: ⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

Avoid linting PR-controlled refs under a pull_request_target trust boundary.

Checking out ${{ inputs.head-ref }} and then running Trunk with ${{ secrets.GITHUB_TOKEN }} executes PR-authored code/config with repository-token privileges. Given this is intended to be called from pull_request_target, this is a privilege-escalation risk for untrusted PRs.

Use pull_request for PR-ref linting, or split trusted/untrusted paths so no secrets or write-capable token are exposed when linting PR code.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yaml around lines 27 - 34, The workflow currently
checks out `${{ inputs.head-ref }}` and runs the "Trunk Check" step using the
trunk-io/trunk-action with `GITHUB_TOKEN` which exposes a write-capable secret
when this job is invoked under a `pull_request_target` trust boundary; change
the workflow to avoid running untrusted PR code with secrets by either switching
PR linting to run under the `pull_request` event (so `${{ inputs.head-ref }}`
runs without elevated tokens) or by splitting the job into trusted vs untrusted
paths: keep the trunk-io/trunk-action step that uses `GITHUB_TOKEN` only on
trusted events (e.g., `pull_request_target` comparing repository refs) and
create a separate untrusted Trunk step for PRs that does not pass `GITHUB_TOKEN`
(or uses a read-only token) and does not check out PR-controlled refs, ensuring
the `Trunk Check` step and use of `GITHUB_TOKEN` are only present in trusted
workflows.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c4c6efaf-358e-4359-a80b-a8eb9fed547d

📥 Commits

Reviewing files that changed from the base of the PR and between dc403c8 and 51f00b1.

📒 Files selected for processing (2)
  • .github/workflows/lint.yaml
  • .github/workflows/tf-test.yaml
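The wiring described in the PR description and the split the reviewer asks for, written out as an added example. None of this is the repository's lint.yaml or a real caller of it; the job names, the consuming-repository caller path, the `@main` ref and the tag-based action pins are assumptions (the PR itself argues for full-SHA pins). The first document is the reusable workflow with the new head-ref input, the second is a caller wired the way the description says (pull_request_target passing the PR merge ref), and the third is the same caller on pull_request, which is the reviewer's first option.

```yaml
# 1. Reusable workflow, e.g. .github/workflows/lint.yaml in masterpointio/actions
#    (added example, not the project's file).
name: Lint
on:
  workflow_call:
    inputs:
      head-ref:
        description: Git ref to check out and lint (the caller decides which)
        required: true
        type: string

jobs:
  lint:
    runs-on: ubuntu-latest
    # Downgrade GITHUB_TOKEN for this job whatever event the caller used;
    # a called workflow can narrow the caller's grant but never widen it.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4          # assumption: pin to a full commit SHA in practice
        with:
          # Without `ref`, a pull_request_target run checks out the base
          # branch (main) and the PR's changes are never linted.
          ref: ${{ inputs.head-ref }}
          # Don't leave the token in .git/config where linters and hooks
          # defined by the checked-out tree could read it.
          persist-credentials: false
      - name: Trunk Check
        uses: trunk-io/trunk-action@v1.3.1  # assumption: pin to a full commit SHA in practice

---
# 2. Caller as described in the PR: pull_request_target, passing the PR's
#    merge ref. The workflow now lints the PR, but it also runs PR-authored
#    code/config (whatever the checked-out tree tells Trunk to do) in a job
#    that can carry repository secrets and a write-capable token unless the
#    grant is cut down as in document 1.
name: lint
on:
  pull_request_target:

jobs:
  lint:
    uses: masterpointio/actions/.github/workflows/lint.yaml@main   # assumption
    with:
      head-ref: ${{ format('refs/pull/{0}/merge', github.event.number) }}
    # No `secrets: inherit` here: whatever else this repository holds,
    # the untrusted tree must not see it.

---
# 3. Same caller on pull_request (the reviewer's first option). For a PR
#    from a fork GitHub already issues a read-only GITHUB_TOKEN and no
#    repository secrets, so the checked-out PR code has nothing to escalate to.
name: lint
on:
  pull_request:

permissions:
  contents: read   # explicit floor for same-repository PRs as well

jobs:
  lint:
    uses: masterpointio/actions/.github/workflows/lint.yaml@main   # assumption
    with:
      head-ref: ${{ format('refs/pull/{0}/merge', github.event.number) }}
```

The caveat that survives all three variants: even a read-only token lets the PR's code read the repository's contents for the length of the job (which matters on a private repository where the author may not otherwise have read access), and if Trunk's PR annotations need a scope wider than contents: read, that is the reviewer's second option: a separate job that keeps the wider grant and checks out only repository-controlled refs, never the PR head. zizmor flags pull_request_target combined with a checkout of a PR-controlled ref, which is the class of finding the description says was not surfacing in CI.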

@glaracuente glaracuente requested a review from a team May 21, 2026 21:14