Merge branch 'main' into trunk-io/update-trunk

westonplatter · web-flow · commit 97606564a005 · 2025-06-27T10:17:24.000-06:00
diff --git a/.checkov.yaml b/.checkov.yaml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -4,7 +4,7 @@ concurrency:
   group: lint-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-on: pull_request
+on: pull_request_target
 
 permissions:
   actions: read
@@ -20,6 +20,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
         uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   conventional-title:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -14,6 +14,14 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Create Token for MasterpointBot App
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MP_BOT_APP_ID }}
+          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
+          token: ${{ steps.generate-token.outputs.token }}
           release-type: terraform-module
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
@@ -34,10 +34,29 @@ jobs:
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
 
-      - name: Merge PR automatically
+      - name: Wait for checks to pass + Merge PR
         if: steps.trunk-upgrade.outputs.pull-request-number != ''
         env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
           PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
         run: |
-          gh pr merge "$PR_NUMBER" --squash --auto --delete-branch
+          echo "Waiting for required status checks to pass on PR #$PR_NUMBER..."
+          while true; do
+            CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket)
+            echo "Current checks status: $CHECKS_JSON"
+
+            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then
+              echo "One or more required checks have failed. Exiting..."
+              exit 1
+            fi
+
+            FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length')
+            if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then
+              echo "All required checks passed. Merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..."
+              gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+              break
+            else
+              echo "Some required checks are still running or pending. Retrying in 30s..."
+              sleep 30
+            fi
+          done
diff --git a/.gitignore b/.gitignore
@@ -16,6 +16,7 @@
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -44,3 +45,7 @@ backend.tf.json
 **/*.bak
 **/*.*swp
 **/.DS_Store
+
+# Claude Code - we beleive engineers are responsible for the code they push no matter how it's generated.
+# Therefore, configs specific to their coding practices are their responsibilty to judiciously manage.
+.claude/*
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
diff --git a/.tflint.hcl b/.tflint.hcl
@@ -0,0 +1,42 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+config {
+  format = "compact"
+
+  # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+  # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+  call_module_type = "all"
+
+  # default values but keeping them here for clarity
+  disabled_by_default = false
+  force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+#   $ tflint --init
+#   Installing "aws" plugin...
+#   Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+  enabled = true
+  version = "0.39.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+  enabled = false
+}
diff --git a/.trunk/.gitignore b/.trunk/.gitignore
@@ -6,4 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
-tmp
+tmp
diff --git a/.yamllint.yaml b/.yamllint.yaml
