chore: sync with latest template state (#78)

This PR syncs the repository with the latest state from .

**Changes include:**
- Updated configuration files (.checkov.yaml, .markdownlint.yaml, etc.)
- Updated GitHub workflows and templates
- Updated linting and formatting configurations
- Updated documentation templates

Author: gberenice

.trunk/configs/.checkov.yaml .checkov.yaml.trunk/configs/.checkov.yaml renamed to .checkov.yaml

@@ -4,4 +4,4 @@
 # Order is important: the last matching pattern takes the most precedence
 
 # These owners will be the default owners for everything
-*             @masterpointio/masterpoint-open-source
+*             @masterpointio/masterpoint-open-source

.github/CODEOWNERS

@@ -4,7 +4,7 @@ concurrency:
   group: lint-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-on: pull_request
+on: pull_request_target
 
 permissions:
   actions: read
@@ -20,6 +20,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
         uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   conventional-title:
     runs-on: ubuntu-latest

.github/workflows/lint.yaml

@@ -6,11 +6,6 @@ on:
       - main
   pull_request_target:
 
-env:
-  SPACELIFT_API_KEY_ENDPOINT: ${{ secrets.SPACELIFT_API_KEY_ENDPOINT }}
-  SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
-  SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
-
 permissions:
   actions: read
   checks: write

.github/workflows/test.yaml

@@ -19,44 +19,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Create Token for MasterpointBot App
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
-        id: generate-token
+      - name: Run Trunk Upgrade
+        uses: masterpointio/github-action-trunk-upgrade@v0.1.0
         with:
-          app_id: ${{ secrets.MP_BOT_APP_ID }}
-          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
-
-      - name: Upgrade
-        id: trunk-upgrade
-        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
-        with:
-          github-token: ${{ steps.generate-token.outputs.token }}
-          reviewers: "@masterpointio/masterpoint-internal"
-          prefix: "chore: "
-
-      - name: Wait for checks to pass + Merge PR
-        if: steps.trunk-upgrade.outputs.pull-request-number != ''
-        env:
-          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
-          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
-        run: |
-          echo "Waiting for required status checks to pass on PR #$PR_NUMBER..."
-          while true; do
-            CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket)
-            echo "Current checks status: $CHECKS_JSON"
-
-            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then
-              echo "One or more required checks have failed. Exiting..."
-              exit 1
-            fi
-
-            FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length')
-            if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then
-              echo "All required checks passed. Merging PR #$PR_NUMBER..."
-              gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
-              break
-            else
-              echo "Some required checks are still running or pending. Retrying in 30s..."
-              sleep 30
-            fi
-          done
+          app-id: ${{ secrets.MP_BOT_APP_ID }}
+          app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+          github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+          reviewers: "@masterpointio/masterpoint-open-source"

.github/workflows/trunk-upgrade.yaml

@@ -16,6 +16,7 @@
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -39,8 +40,13 @@ backend.tf.json
 
 # Other
 **/*.backup
-***/*.tmp
+**/*.tmp
 **/*.temp
 **/*.bak
 **/*.*swp
 **/.DS_Store
+
+# AI code gen tools - we beleive engineers are responsible for the code they push no matter how it's generated
+.claude/*
+.cursor/*
+CLAUDE.md

.gitignore

@@ -0,0 +1,42 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+config {
+  format = "compact"
+
+  # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+  # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+  call_module_type = "all"
+
+  # default values but keeping them here for clarity
+  disabled_by_default = false
+  force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+#   $ tflint --init
+#   Installing "aws" plugin...
+#   Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+  enabled = true
+  version = "0.39.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+  enabled = false
+}

.trunk/configs/.markdownlint.yaml .markdownlint.yaml.trunk/configs/.markdownlint.yaml renamed to .markdownlint.yaml

@@ -6,4 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
-tmp
+tmp

.tflint.hcl

@@ -7,7 +7,7 @@ cli:
 plugins:
   sources:
     - id: trunk
-      ref: v1.7.1
+      ref: v1.7.0
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -20,16 +20,16 @@ lint:
     # Incompatible with some Terraform features: https://github.com/tenable/terrascan/issues/1331
     - terrascan
   enabled:
-    - renovate@41.46.3
-    - tofu@1.10.3
+    - renovate@40.36.2
+    - tofu@1.9.1
     - actionlint@1.7.7
-    - checkov@3.2.457
+    - checkov@3.2.435
     - git-diff-check
     - markdownlint@0.45.0
-    - prettier@3.6.2
-    - tflint@0.58.1
-    - trivy@0.64.1
-    - trufflehog@3.90.2
+    - prettier@3.5.3
+    - tflint@0.58.0
+    - trivy@0.63.0
+    - trufflehog@3.88.35
     - yamllint@1.37.1
   ignore:
     - linters: [tofu]