feat: inital version

[gberenice]

what

• This introduces a new GitHub Action for testing Terraform and OpenTofu modules.
• This supports optional AWS integration via OIDC.
• See README for more details.

why

• Make our TF test workflow reusable.

references

• https://masterpoint.slack.com/archives/C04MUCKUDKK/p1746028171707949?thread_ts=1746027819.488189&cid=C04MUCKUDKK

Summary by CodeRabbit

• New Features
  • Introduced a GitHub Action for automated testing of Terraform or OpenTofu modules with AWS authentication support.
  • Added configuration files for Trunk CLI, markdown and YAML linting, and repository code ownership.
  • Implemented automated workflows for linting, release management, and monthly Trunk upgrades.
• Documentation
  • Expanded and detailed README with usage instructions, input parameters, dependencies, contribution guidelines, and organizational information.
  • Added a pull request template to standardize PR submissions.
• Chores
  • Updated .gitignore to exclude unnecessary files from version control.

[coderabbitai]

Walkthrough

This update introduces initial repository configuration files, automation workflows, documentation, and a new GitHub Action for Terraform/OpenTofu module testing. The changes add code ownership and PR templates, set up linting and release workflows using GitHub Actions, and configure Trunk CLI with linting and formatting rules. The README is expanded to provide comprehensive documentation for the new "TF Test" GitHub Action, which is defined in action.yaml and supports AWS OIDC, Aqua dependency management, and both Terraform and OpenTofu testing. Several configuration and ignore files are included to standardize development and automation processes.

Changes

File(s)	Change Summary
.github/CODEOWNERS	Added code ownership rules assigning @masterpointio/masterpoint-open-source as default owner for all files, with explanatory comments and documentation link.
.github/PULL_REQUEST_TEMPLATE.md	Added a pull request template with sections for describing changes, rationale, and references to issues or docs.
.github/workflows/lint.yaml	Introduced a GitHub Actions workflow for linting on pull requests using Trunk and trunk-io/trunk-action.
.github/workflows/release-please.yaml	Added a workflow for automated releases using googleapis/release-please-action, triggered on pushes to main.
.github/workflows/trunk-upgrade.yaml	Added a scheduled and manually-triggerable workflow for Trunk CLI upgrades, including steps for repo checkout, GitHub App token creation, and trunk upgrade action.
.trunk/.gitignore	Added .gitignore to exclude various output, log, tool, plugin, and temporary files from version control in the .trunk directory.
.trunk/configs/.markdownlint.yaml	Added markdownlint configuration enabling all default rules but disabling formatting-related ones; customized line length and heading rules for compatibility with autoformatters.
.trunk/configs/.yamllint.yaml	Added yamllint configuration enforcing quoted-strings only when necessary, duplicate key detection, and forbidding implicit octal values.
.trunk/trunk.yaml	Added Trunk CLI configuration specifying version, plugin sources, enabled runtimes (Node.js, Python), linters, and Trunk actions for linting, formatting, and upgrades.
README.md	Expanded from minimal to comprehensive documentation for the "github-action-tf-test" GitHub Action, including usage, inputs, workflow, dependencies, maintainers, contribution guidelines, and organizational information.
action.yaml	Added a composite GitHub Action "TF Test" for testing Terraform/OpenTofu modules, supporting AWS OIDC, Aqua dependency management, and conditional AWS credential configuration. Defines inputs, steps, and usage details.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant GitHub Actions Runner
    participant TF Test Action
    participant Aqua
    participant AWS
    participant Terraform/OpenTofu

    User->>GitHub Actions Runner: Trigger workflow (e.g., on PR)
    GitHub Actions Runner->>TF Test Action: Execute action.yaml
    TF Test Action->>GitHub Actions Runner: Checkout repository
    TF Test Action->>Aqua: Install Aqua and required packages
    alt AWS Role ARN provided
        TF Test Action->>AWS: Assume role and configure credentials
    end
    TF Test Action->>Terraform/OpenTofu: Run init and test commands
    Terraform/OpenTofu-->>TF Test Action: Return test results
    TF Test Action-->>GitHub Actions Runner: Complete action

Loading

Poem

In the warren of code, a new dawn appears,
With workflows and lint checks, we conquer our fears.
Aqua flows swiftly, Terraform put to the test,
OIDC and caching ensure we’re the best.
The README now sparkles, the docs are in bloom—
A hop, a skip, and our Action goes vroom!
🐇✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (11)

.github/workflows/release-please.yaml (1)

16-17: Include an explicit checkout step

Most GitHub Actions workflows include an explicit checkout to guarantee the action has access to the repo contents (e.g., CHANGELOG.md, package.json, or Terraform modules). While googleapis/release-please-action may handle checking out by default, adding it improves clarity and avoids surprises:

 jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v3
       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
           release-type: simple

Please verify in the action’s documentation whether the checkout is required or redundant.

.trunk/configs/.yamllint.yaml (1)

1-7: YAML Lint Rules: Ensure syntactic coverage

The rules enforce only-needed quoting, catch duplicate keys, and forbid implicit octals—good defaults. Consider:

• Adding line-length or trailing-spaces rules if style consistency is desired.
• Defining severity levels or exclusions for specific file patterns.

Would you like assistance extending the rule set for broader coverage?

.github/CODEOWNERS (1)

6-7: Wildcard ownership may be too broad

Assigning * to a single team delegates review for everything. Consider narrowing patterns for critical directories (e.g., /.github/**, src/**) to specific owners to avoid review bottlenecks.

I can help draft a more granular CODEOWNERS file—let me know.

.github/PULL_REQUEST_TEMPLATE.md (1)

9-9: Use more formal verb in description: Replace “were made” with “implemented” for a more formal tone.

- Describe why these changes were made (e.g. why do these commits fix the problem?)
+ Describe why these changes were implemented (e.g. how these commits resolve the issue)

🧰 Tools

🪛 LanguageTool

[style] ~9-~9: Consider using a different verb for a more formal wording.
Context: ...es were made (e.g. why do these commits fix the problem?) - Use bullet points to be...

(FIX_RESOLVE)

README.md (4)

13-19: Ensure parallel phrasing in feature list: Align bullet points to start with active verbs. For example, change "Aqua-based dependency management" to "Manages dependencies with Aqua".

- - Aqua-based dependency management
+ - Manages dependencies with Aqua

---

47-63: Enhance caching example: To demonstrate the action's caching capability, consider adding an actions/cache step before running the action.

- uses: actions/cache@v3
  with:
    path: |
      .terraform
    key: ${{ runner.os }}-terraform-${{ hashFiles('**/*.tf') }}

---

117-130: Refine phrasing for readability:

• Add a comma in line 123: "Our mission is to simplify cloud infrastructure, so developers can innovate faster..."
• Hyphenate "hard-earned" in line 133 for correct compound.

- Our mission is to simplify cloud infrastructure so developers can innovate faster, safer, and with greater confidence.
+ Our mission is to simplify cloud infrastructure, so developers can innovate faster, safer, and with greater confidence.

- ...sharing our hard earned expertise...
+ ...sharing our hard-earned expertise...

🧰 Tools

🪛 LanguageTool

[uncategorized] ~123-~123: Use a comma before ‘so’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sion is to simplify cloud infrastructure so developers can innovate faster, safer, ...

(COMMA_COMPOUND_SENTENCE_2)

---

7-8: Verify link anchor consistency: The link to the "Who We Are" section uses a Unicode anchor (#who-we-are-𐦂𖨆𐀪𖠋). Confirm that the heading matches exactly, or consider simplifying to a plain ASCII anchor to avoid potential navigation issues.

Also applies to: 117-119

action.yaml (3)

1-7: Add optional branding metadata for better discoverability.

Composite actions support an optional branding block (icon and color) which makes the Action more recognizable in the GitHub Marketplace. Consider adding something like:

branding:
  icon: 'terraform'
  color: 'blue'

---

8-25: Validate the tf_type input against allowed values.

Currently, tf_type is free-form (tofu or terraform), so a typo could lead to a silent failure during the install or run steps. Since composite actions don’t support an enum field, you can add an early validation step:

- name: Validate tf_type
  if: ${{ !contains('terraform,tofu', inputs.tf_type) }}
  run: |
    echo "Invalid tf_type: ${{ inputs.tf_type }}. Must be 'terraform' or 'tofu'."
    exit 1

This ensures users get immediate feedback if they pass an unsupported value.

---

53-60: Note required permissions for AWS OIDC.

This step assumes an OIDC-enabled workflow. Make sure calling workflows include:

permissions:
  id-token: write

Otherwise, configure-aws-credentials will fail to obtain an OIDC token. You may want to add a comment or mention in the README to surface this requirement.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f40016 and c8811eb.

📒 Files selected for processing (11)

• .github/CODEOWNERS (1 hunks)
• .github/PULL_REQUEST_TEMPLATE.md (1 hunks)
• .github/workflows/lint.yaml (1 hunks)
• .github/workflows/release-please.yaml (1 hunks)
• .github/workflows/trunk-upgrade.yaml (1 hunks)
• .trunk/.gitignore (1 hunks)
• .trunk/configs/.markdownlint.yaml (1 hunks)
• .trunk/configs/.yamllint.yaml (1 hunks)
• .trunk/trunk.yaml (1 hunks)
• README.md (1 hunks)
• action.yaml (1 hunks)

🧰 Additional context used

🪛 LanguageTool

.github/PULL_REQUEST_TEMPLATE.md

[style] ~9-~9: Consider using a different verb for a more formal wording.
Context: ...es were made (e.g. why do these commits fix the problem?) - Use bullet points to be...

(FIX_RESOLVE)

README.md

[uncategorized] ~123-~123: Use a comma before ‘so’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sion is to simplify cloud infrastructure so developers can innovate faster, safer, ...

(COMMA_COMPOUND_SENTENCE_2)

---

[misspelling] ~133-~133: This word is normally spelled with a hyphen.
Context: ... content, giving talks, and sharing our hard earned expertise. Here are a few ways you can ...

(EN_COMPOUNDS_HARD_EARNED)

🔇 Additional comments (13)

.trunk/.gitignore (1)

1-9: Validate ignore patterns for Trunk CLI artifacts

The patterns seem reasonable for excluding Trunk’s transient outputs, but ensure they align with actual directories/files created by Trunk runs. For example:

• Should you also ignore .trunk/.cache or similar?
• Confirm that *actions won’t unintentionally ignore your .github/actions or local custom actions.

[tag_missing_context]?
Run a dry Trunk run locally and list new files to adjust the ignore list if needed.

.trunk/configs/.markdownlint.yaml (1)

1-20: Markdownlint config relaxes all formatting rules

This configuration disables most formatting rules to play nice with autoformatters. A few thoughts:

• Ensure teams are aware that line-length is now effectively unlimited (350 chars)—this may hide readability issues.
• You might selectively re-enable MD041 (first-line heading) for docs where consistency matters.

If the broad disabling is intentional for your workflow, no changes are needed.

.github/workflows/lint.yaml (1)

1-19: Well-configured lint workflow: The workflow uses pinned action SHAs, minimal permissions, and triggers on pull requests, ensuring secure and consistent linting.

.trunk/trunk.yaml (1)

3-32: Configuration looks solid: Trunk CLI version, plugins, runtimes, linters, and actions are appropriately specified and align with your workflows.

.github/workflows/trunk-upgrade.yaml (1)

1-34: Well-designed upgrade workflow: The scheduled trigger, workflow dispatch, scoped permissions, token generation, and pinned action versions are correctly set up for automated Trunk CLI upgrades.

README.md (4)

41-46: Confirm action version tagging: Ensure the @v1.0.0 version in the basic usage snippet matches your release tag. Consider using a floating major version like @v1 to automatically pick up patch releases.

---

64-73: Verify documented defaults: Please ensure the defaults for aws_region (us-east-1) and role_session_name (GitHubActions-TF-Test) match those defined in action.yaml.

---

78-85: Required permissions documented correctly: The permissions block accurately reflects the scopes needed by the action and matches your workflow configurations.

---

94-102: Dependencies section complete: All primary dependencies—Aqua, AWS OIDC, actions/checkout, and actions/cache—are listed, giving users clear guidance.

action.yaml (4)

30-33: Pinned checkout version looks good.

Using a full commit SHA for actions/checkout@… ensures stability and reproducibility.

---

44-48: Installer version pin is correct.

Pinning the Aqua installer (aquaproj/aqua-installer@…) and the Aqua version (v2.48.1) ensures a reproducible environment.

---

49-52: Aqua package installation is straightforward and correct.

Using aqua install --tags ${{ inputs.tf_type }} cleanly scopes package installs to the selected Terraform type.

---

61-66: Verify the intended test command for Terraform modules.

Terraform’s built-in test command is experimental and targets provider-level tests, not module validations. If your goal is module‐level checks, you might prefer:

${{ inputs.tf_type }} init
${{ inputs.tf_type }} validate
${{ inputs.tf_type }} plan

Otherwise, confirm that terraform test (and tofu test) exist in the environments you target.

[oycyc]

Oh this is smart! I was wondering what the purpose of the environment variable if we can set a default value for the input parameter, but the using it as the organization-level environment environment makes it so much smoother and DRY.

[gberenice]

This might be a bit confusing for those who can't see the org-level vars, but I'm going to document this.

[oycyc]

Suggested change

	2. As an environment variable (TF_TEST_AWS_ROLE_ARN)
	2. As an environment variable (TF_TEST_AWS_ROLE_ARN) -- The use case for this is setting it in the GitHub organization's environment variable. See the README for more details.

[oycyc]

I think might be good to have it here as well

[gberenice]

@oycyc I've added your suggestion, and a bunch of other configs we typically use. Please review 🙏

[oycyc]

🙌