
Commit 97ab111

chore: zizmor trunk plugin and reusable workflows (INT-1582) (#51)
## what - Refactor workflows to use the reusable/centralized workflows in our actions repo - Add the Zizmor plugin to trunk, for static analysis of our GitHub Actions ## why - Align this repo with our centralized standard workflows - Improve our security posture with zizmor and also set an example for clients ## references - [INT-1582](https://www.notion.so/masterpoint/Roll-out-Zizmor-across-all-Masterpoint-OSS-repos-08a6992b18de4b9581bec3eb579715b1)
1 parent dc2bbef commit 97ab111

4 files changed

Lines changed: 52 additions & 36 deletions


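--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -2,17 +2,17 @@ name: Lint
 
 on: pull_request
 
-permissions:
-  actions: read
-  checks: write
-  contents: read
-  pull-requests: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out Git repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Trunk Check
-        uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
+    uses: masterpointio/actions/.github/workflows/lint.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0
+    permissions:
+      actions: read # for trunk-action
+      checks: write # for trunk-action
+      contents: read # for trunk-action + checkout
+      pull-requests: read # for action-semantic-pull-request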
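Review bot: The job-level `checks: write` and `actions: read` grants are only honored for same-repository branches; on `pull_request` runs triggered from a fork, GITHUB_TOKEN is read-only regardless of this block, so the check-annotation path inside the called workflow should be confirmed to degrade gracefully for external contributors rather than fail the lint job. The inline comments name consumers (`trunk-action`, `action-semantic-pull-request`) that live in the reusable workflow, which a reader of this file cannot see; a pointer such as `# consumers live in masterpointio/actions lint.yaml at the pinned SHA` above `permissions:` keeps the rationale traceable when the SHA is bumped. The version trailer `#v0.3.0` drops the space used by the removed `# v6.0.2` style; the same applies to release-please.yaml and trunk-upgrade.yaml, and one form file-wide makes the SHA-to-tag comments easier to audit.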

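--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -5,14 +5,21 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  pull-requests: write
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   release-please:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
-        with:
-          release-type: terraform-module
+    uses: masterpointio/actions/.github/workflows/release-please.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0
+    with:
+      release-type: terraform-module
+    secrets:
+      MP_BOT_APP_ID: ${{ secrets.MP_BOT_APP_ID }}
+      MP_BOT_APP_PRIVATE_KEY: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+    permissions:
+      contents: write # needed by release-please-action
+      pull-requests: write # needed by release-please-action
+      issues: write # needed by release-please-action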
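Review bot: `cancel-in-progress: true` keyed on `github.ref` means a second push to `main` while release-please is still running cancels the earlier run; whether a cancellation between tag creation and GitHub-release creation can leave a half-finished release depends on the called workflow, which is not visible here, so either confirm that is safe or set `cancel-in-progress: false` for this workflow. The job now passes `MP_BOT_APP_ID`/`MP_BOT_APP_PRIVATE_KEY` and also grants GITHUB_TOKEN `contents: write`, `pull-requests: write` and `issues: write`; if the reusable workflow mints an App token for release-please, some of the GITHUB_TOKEN write scopes are presumably redundant and could be trimmed once checked against the called workflow. `issues: write` is new relative to the removed top-level block and is justified only by the generic inline comment; naming the feature that needs it (labels on release PRs go through the issues API, if that is the reason) would help the next reviewer.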

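--- a/.github/workflows/trunk-upgrade.yaml
+++ b/.github/workflows/trunk-upgrade.yaml
@@ -6,23 +6,19 @@ on:
     - cron: 0 8 1 * *
   workflow_dispatch: {}
 
-permissions: read-all
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
 
 jobs:
   trunk-upgrade:
-    runs-on: ubuntu-latest
+    uses: masterpointio/actions/.github/workflows/trunk-upgrade.yaml@7dad35e85d864ca5dda0971dfd3c940cc67ed380 #v0.3.0
+    secrets:
+      MP_BOT_APP_ID: ${{ secrets.MP_BOT_APP_ID }}
+      MP_BOT_APP_PRIVATE_KEY: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+      MASTERPOINT_TEAM_PAT: ${{ secrets.MASTERPOINT_TEAM_PAT }}
     permissions:
-      # For trunk to create PRs
-      contents: write
-      pull-requests: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Run Trunk Upgrade
-        uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
-        with:
-          app-id: ${{ secrets.MP_BOT_APP_ID }}
-          app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
-          github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
-          reviewers: "@masterpointio/masterpoint-internal"
+      contents: write # needed by github-action-trunk-upgrade
+      pull-requests: write # needed by github-action-trunk-upgrade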
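Review bot: The job hands the reusable workflow three credentials (`MP_BOT_APP_ID`, `MP_BOT_APP_PRIVATE_KEY`, `MASTERPOINT_TEAM_PAT`) and still keeps GITHUB_TOKEN at `contents: write`/`pull-requests: write`; the removed step opened the PR with the App credentials and the PAT, so if the called workflow does the same, the GITHUB_TOKEN write scopes are likely redundant and could drop to `contents: read` for the checkout once verified against the called workflow. The removed `reviewers: "@masterpointio/masterpoint-internal"` input has no counterpart in the new call, which has no `with:` block, so either the reusable workflow hardcodes reviewers or upgrade PRs now open unassigned; a one-line comment stating which would settle it. Because this runs on a schedule, the PAT is a standing long-lived credential; noting its required scopes next to the `MASTERPOINT_TEAM_PAT` line would make rotation and least-privilege review easier.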

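--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -4,7 +4,7 @@ cli:
 plugins:
   sources:
     - id: trunk
-      ref: v1.7.6
+      ref: v1.10.1
       uri: https://github.com/trunk-io/plugins
 lint:
   enabled:
@@ -16,6 +16,19 @@ lint:
     - markdownlint@0.48.0
     - prettier@3.8.1
     - trufflehog@3.94.1
+    - zizmor@1.25.2
+  definitions:
+    - name: zizmor
+      environment:
+        # Optional token here so that it's not needed locally, but can be used
+        # when trunk is called from our lint workflow in GHA
+        - name: ZIZMOR_GITHUB_TOKEN
+          value: ${env.GITHUB_TOKEN}
+          optional: true
+      commands:
+        # Set to pedantic so that zizmor will run its stale-action-refs audit rule
+        - name: lint
+          run: zizmor --format=sarif --persona=pedantic ${target}
   ignore:
     - linters: [ALL]
       paths: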
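Review bot: `${env.GITHUB_TOKEN}` only resolves if the process running trunk has `GITHUB_TOKEN` exported, which is not automatic on a runner and must be set by the lint step (something like `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`); with `optional: true` an unset variable does not fail the lint, and as far as I recall zizmor then falls back to offline mode and skips the online audits, including the `stale-action-refs` audit the comment cites, so the pedantic persona buys less than intended. Extending the comment to `# requires the lint workflow to export GITHUB_TOKEN; without it zizmor's online audits are silently skipped` makes that degradation mode explicit, and the env var name `ZIZMOR_GITHUB_TOKEN` should be confirmed against the token binding zizmor 1.25.2 actually reads, since a mismatch fails the same quiet way. Separately, `ref: v1.10.1` pins the trunk plugin source to a mutable tag while every `uses:` in this commit is pinned to a commit SHA; if trunk accepts a commit there, pinning it would close the one supply-chain gap in this change that zizmor itself does not audit.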
