diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 448d3d6..b826451 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -1,45 +1,22 @@ name: Lint +# We ignore the dangerous-triggers warning because forked PRs +# require repo secrets to run some of the defined checks, +# and we protect against malicious actors by requiring approval +# for all external contributors before workflows will run. +on: pull_request_target # zizmor: ignore[dangerous-triggers] + concurrency: - group: lint-${{ github.head_ref || github.run_id }} + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: true -# Use pull_request_target to support fork PRs and enable `checks: write` permission -# This allows external contributors to get linting feedback on their PRs -on: pull_request_target - -permissions: - actions: read - checks: write # Required to post check results back to the PR - contents: read - pull-requests: read +permissions: {} jobs: lint: - runs-on: ubuntu-latest - steps: - # SECURITY: With pull_request_target, checkout defaults to the base branch (main) - # We must explicitly checkout the PR head to lint the actual changes - - name: Check out Git repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - # Checkout the actual PR code, not the base branch - ref: ${{ github.event.pull_request.head.sha }} - # Support forks by using the head repository - repository: ${{ github.event.pull_request.head.repo.full_name }} - # SECURITY: Disable credential persistence to prevent potential misuse - persist-credentials: false - - - name: Trunk Check - uses: trunk-io/trunk-action@04ba50e7658c81db7356da96657e6e77f220bfa3 # v1.3.1 - env: - # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter - # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - conventional-title: - runs-on: ubuntu-latest - steps: - - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 - env: - GITHUB_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} + uses: masterpointio/actions/.github/workflows/lint.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0 + permissions: + actions: read # for trunk-action + checks: write # for trunk-action + contents: read # for trunk-action + checkout + pull-requests: read # for action-semantic-pull-request
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 9ac10c2..6816e26 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -5,23 +5,21 @@ on: branches: - main -permissions: - contents: write - pull-requests: write - issues: write +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: release-please: - runs-on: ubuntu-latest - steps: - - name: Create Token for MasterpointBot App - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.MP_BOT_APP_ID }} - private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} - - - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 - with: - token: ${{ steps.generate-token.outputs.token }} - release-type: terraform-module + uses: masterpointio/actions/.github/workflows/release-please.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0 + with: + release-type: terraform-module + secrets: + MP_BOT_APP_ID: ${{ secrets.MP_BOT_APP_ID }} + MP_BOT_APP_PRIVATE_KEY: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }} + permissions: + contents: write # needed by release-please-action + pull-requests: write # needed by release-please-action + issues: write # needed by release-please-action
diff --git a/.github/workflows/trunk-upgrade.yaml b/.github/workflows/trunk-upgrade.yaml
index 6732c29..0333e3c 100644
--- a/.github/workflows/trunk-upgrade.yaml
+++ b/.github/workflows/trunk-upgrade.yaml
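Review bot: The comment added above `on: pull_request_target` justifies keeping the trigger by saying forked PRs need repo secrets, but the new `lint` job call passes no `secrets:` block (the `release-please` call in this same diff does), so the called workflow receives only the implicit `GITHUB_TOKEN`; either the comment overstates the need or a `secrets:` entry is missing, and the line should say which. The approval gate the comment relies on is a repository setting this file cannot enforce; suggest naming it so a reviewer can check it, e.g. `# relies on the repo setting "Require approval for all external contributors"; confirm it also gates pull_request_target runs`. Because `checks: write` is still granted on a run triggered by untrusted PR content, whether the reusable workflow checks out the PR head with `persist-credentials: false` as the removed inline step did is not visible here and is worth confirming. Minor: `#v0.3.0` breaks the file's `# v6.0.2` comment convention (yamllint's `comments` rule wants a space after `#`); the same appears on the `uses:` line of the release-please hunk.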
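Review bot: The added `cancel-in-progress: true` will cancel an in-flight release-please run whenever another push to `main` lands, since `github.head_ref` is empty on push events and the group collapses to `${{ github.workflow }}-refs/heads/main` for every such push; a run killed between creating a release PR, tagging and publishing could leave partial release state. For this workflow `cancel-in-progress: false` (queue rather than cancel) looks like the safer choice; whether release-please recovers cleanly from a cancelled run is not something this diff shows, so treat that as the thing to confirm. The rest of the hunk — explicit `secrets:` pass-through and job-scoped write permissions under a top-level `permissions: {}` — reads well.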
@@ -6,18 +6,24 @@ on: - cron: 0 8 1 * * workflow_dispatch: {} -permissions: read-all +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + +permissions: {} jobs: trunk-upgrade: + name: trunk upgrade runs-on: ubuntu-latest permissions: - # For trunk to create PRs - contents: write - pull-requests: write + contents: write # needed by github-action-trunk-upgrade to write repository contents + pull-requests: write # needed by github-action-trunk-upgrade to write pull requests steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Run Trunk Upgrade uses: ./ # Use the local action for self-testing
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 1eb5ff6..c6478b7 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -7,7 +7,7 @@ cli: plugins: sources: - id: trunk - ref: v1.10.0 + ref: v1.10.1 uri: https://github.com/trunk-io/plugins # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) runtimes:
@@ -26,6 +26,19 @@ lint: - trivy@0.70.0 - trufflehog@3.95.3 - yamllint@1.38.0 + - zizmor@1.25.2 + definitions: + - name: zizmor + environment: + # Optional token here so that it's not needed locally, but can be used + # when trunk is called from our lint workflow in GHA + - name: ZIZMOR_GITHUB_TOKEN + value: ${env.GITHUB_TOKEN} + optional: true + commands: + # Set to pedantic so that zizmor will run its stale-action-refs audit rule + - name: lint + run: zizmor --format=sarif --persona=pedantic ${target} ignore: # Ignore CHANGELOG.md as release-please manages this file - linters: [ALL]
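Review bot: Adding `persist-credentials: false` to the checkout means the `Run Trunk Upgrade` step (`uses: ./`) can no longer rely on the checkout's stored token to push branches or open PRs; it has to receive a token through whatever input the local action defines, and that step's `with:` block, if it has one, lies past the end of this hunk, so please confirm it is there. The job-scoped `contents: write` / `pull-requests: write` under a top-level `permissions: {}` is the right shape, and the inline comments on those two lines are now the only record of why the writes are needed, which is fine.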
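Review bot: The `ZIZMOR_GITHUB_TOKEN` entry only helps in CI if `GITHUB_TOKEN` is actually exported into the environment trunk runs in; the removed inline lint job in this diff did that with an `env:` block on the trunk-action step, but the new reusable-workflow call does not show it, so the comment's claim that the token "can be used when trunk is called from our lint workflow" should be verified against the called workflow. The pedantic persona is broader than the one audit the comment names, so the comment would be more accurate as `# pedantic persona: needed for stale-action-refs; also raises other pedantic-level findings`. Pinning `zizmor@1.25.2` alongside the other linters is good.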