feat(trunk): add trunk + workflows #60


Merged
merged 2 commits into from
May 21, 2025

Conversation

Gowiem
Member

@Gowiem Gowiem commented May 21, 2025

what

  • Adds trunk's config for this repo.
  • Adds trunk workflows for linting + upgrading trunk configs
  • Adds renovate
  • Adds CODEOWNERS

why

  • Other PRs are blocked because we're requiring the lint GHA check. This repo never got updated to include that so fixing that now 👍

references

Summary by CodeRabbit

  • Chores
    • Added repository ownership rules to assign default code owners.
    • Introduced a pull request template to standardize PR submissions.
    • Added Renovate configuration for automated GitHub Actions dependency updates.
    • Set up GitHub Actions workflows for linting and automated Trunk upgrades.
    • Added .gitignore and configuration files for Trunk, markdownlint, yamllint, and SVGO to support consistent development and code quality.

@Gowiem Gowiem requested review from westonplatter and oycyc May 21, 2025 20:31
@Gowiem Gowiem self-assigned this May 21, 2025

netlify bot commented May 21, 2025

Deploy Preview for masterpoint ready!

Name Link
🔨 Latest commit d55a9b5
🔍 Latest deploy log https://app.netlify.com/projects/masterpoint/deploys/682e3b5143257e0008c9c06e
😎 Deploy Preview https://deploy-preview-60--masterpoint.netlify.app
Lighthouse
1 paths audited
Performance: 34
Accessibility: 89
Best Practices: 75
SEO: 80
PWA: 70


Contributor

coderabbitai bot commented May 21, 2025

Walkthrough

A set of configuration and workflow files has been added to the repository. These include GitHub Actions workflows for linting and automated upgrades, Renovate and Trunk tool configurations, code ownership and pull request templates, and various linter settings. No application code or exported entities were changed.

Changes

  • .github/CODEOWNERS: Added code ownership file assigning all repository files to the @masterpointio/masterpoint-open-source team, with documentation comments.
  • .github/PULL_REQUEST_TEMPLATE.md: Introduced a pull request template with sections for describing changes, reasons, and references, standardizing PR submissions.
  • .github/renovate.json5: Added Renovate configuration for dependency updates, scheduling, PR assignment, auto-merge rules, and labeling for GitHub Actions dependencies.
  • .github/workflows/lint.yaml: Created a linting workflow with concurrency control, running Trunk CLI lint checks and enforcing conventional PR titles.
  • .github/workflows/trunk-upgrade.yaml: Added a scheduled and manually-triggered workflow for automated Trunk upgrades, including PR creation, review assignment, and auto-merging.
  • .trunk/.gitignore: Added a .gitignore file under .trunk to exclude output, logs, actions, notifications, tools, plugins, user configs, and temp files from version control.
  • .trunk/configs/.markdownlint.yaml: Added markdownlint configuration enabling all rules except formatting-related ones, making it autoformatter-friendly.
  • .trunk/configs/.yamllint.yaml: Added yamllint configuration enforcing minimal quoting, no empty values, duplicate key detection, and explicit numeric formats.
  • .trunk/configs/svgo.config.js: Introduced SVGO configuration disabling viewBox removal, enabling attribute sorting, and removing off-canvas paths.
  • .trunk/trunk.yaml: Added Trunk tool configuration specifying CLI version, plugins, enabled linters, runtimes, and action settings.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub
    participant Trunk CLI
    participant Renovate Bot

    Note over Developer, GitHub: Lint Workflow on PR
    Developer->>GitHub: Open Pull Request
    GitHub->>Trunk CLI: Run Lint Job
    Trunk CLI-->>GitHub: Lint Results
    GitHub->>GitHub: Enforce Conventional Title

    Note over GitHub, Renovate Bot: Scheduled Upgrades
    GitHub->>Renovate Bot: Schedule Triggers (monthly)
    Renovate Bot->>GitHub: Create/Update Dependency PRs
    GitHub->>Trunk CLI: Run Trunk Upgrade Workflow (monthly/manual)
    Trunk CLI->>GitHub: Create Upgrade PR
    GitHub->>GitHub: Auto-merge PR if conditions met


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 95704d0 and d55a9b5.

📒 Files selected for processing (1)
  • .trunk/trunk.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • .trunk/trunk.yaml


@Gowiem Gowiem enabled auto-merge (squash) May 21, 2025 20:31
oycyc
oycyc previously approved these changes May 21, 2025
Contributor

@oycyc oycyc left a comment


Seeing this "Unknown owner on line 7: make sure the team @masterpointio/masterpoint-open-source exists, is publicly visible, and has write access to the repository"

Not sure why, thinking it's the "has write access to the repository"? But regardless, doesn't matter right now

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (4)
.trunk/.gitignore (1)

1-9: Refine ignore patterns to avoid unintended matches.
Since this .gitignore lives under .trunk/, patterns like *out, *logs, *actions, etc., may match more than just the intended directories (e.g., any file ending with “out”). Consider anchoring them to directory names—e.g.:

-*out
-*logs
-*actions
-*notifications
-*tools
+out/
+logs/
+actions/
+notifications/
+tools/
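Review bot: the replacement patterns are still not anchored to the `.trunk/` directory itself; in gitignore syntax a pattern such as `out/` with no leading slash matches a directory named `out` at any depth below the file, so if only Trunk's top-level output directories are meant, write `/out/`, `/logs/`, `/actions/` and so on. The trailing slash does fix the over-broad suffix match of `*out` that the comment describes.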

This change makes the ignore rules more precise.

.github/PULL_REQUEST_TEMPLATE.md (2)

8-9: Consider rephrasing for clarity

The current wording could be improved for clarity and formality.

-- Describe why these changes were made (e.g. why do these commits fix the problem?)
+- Describe why these changes were made (e.g. explain how these changes address the problem)
🧰 Tools
🪛 LanguageTool

[style] ~9-~9: Consider using a different verb for a more formal wording.
Context: ...es were made (e.g. why do these commits fix the problem?) - Use bullet points to be...

(FIX_RESOLVE)


14-16: Enhance references section for clarity

The references section is well-structured, but the example could be more specific about GitHub-specific functionality.

-- Link to any supporting GitHub issues or helpful documentation to add some context (e.g. Stackoverflow).
-- Use `closes #123`, if this PR closes a GitHub issue `#123`
+- Link to any supporting GitHub issues or helpful documentation to add some context (e.g. GitHub issues, documentation, Stack Overflow)
+- Use keywords like `closes #123` or `fixes #123` to automatically close GitHub issues when the PR is merged
.github/workflows/trunk-upgrade.yaml (1)

1-7: Consider specifying concurrency to avoid overlapping runs and clarifying cron timezone.

  • GitHub Actions cron schedules run in UTC by default; adding a note can avoid confusion.
  • Adding a concurrency block prevents monthly jobs from stacking if one run overlaps another.
 name: Trunk Upgrade
+concurrency:
+  group: trunk-upgrade
+  cancel-in-progress: true

 on:
   schedule:
     # On the first day of every month @ 8am (UTC)
     - cron: '0 8 1 * *'
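Review bot: `cancel-in-progress: true` is the wrong setting for a job that opens and auto-merges pull requests; if a manually triggered run overlaps the monthly scheduled one, cancelling the earlier run midway can leave a half-finished upgrade PR behind. Keep `group: trunk-upgrade` as proposed but use `cancel-in-progress: false` so the second run queues behind the first instead of killing it.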
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 582119b and 95704d0.

📒 Files selected for processing (10)
  • .github/CODEOWNERS (1 hunks)
  • .github/PULL_REQUEST_TEMPLATE.md (1 hunks)
  • .github/renovate.json5 (1 hunks)
  • .github/workflows/lint.yaml (1 hunks)
  • .github/workflows/trunk-upgrade.yaml (1 hunks)
  • .trunk/.gitignore (1 hunks)
  • .trunk/configs/.markdownlint.yaml (1 hunks)
  • .trunk/configs/.yamllint.yaml (1 hunks)
  • .trunk/configs/svgo.config.js (1 hunks)
  • .trunk/trunk.yaml (1 hunks)
🧰 Additional context used

🪛 GitHub Check: Trunk Check
.github/PULL_REQUEST_TEMPLATE.md

[notice] 1-1: markdownlint(MD041)
[new] First line in a file should be a top-level heading

🔇 Additional comments (17)
.trunk/configs/.markdownlint.yaml (1)

1-13: Approve markdownlint configuration for autoformatter compliance.
The settings correctly enable all default rules while disabling formatting-specific ones to let an external formatter handle styling. The explicit disabling of MD025 is clear and purposeful.

.trunk/configs/.yamllint.yaml (1)

1-10: Approve yamllint configuration for YAML files.
The rules enforce necessary quoting, forbid empty values and duplicate keys, and disallow implicit octal values. Syntax and indentation are correct.

.trunk/configs/svgo.config.js (1)

1-15: Approve SVGO configuration with necessary overrides.
The preset-default plugin is properly configured to preserve viewBox, sort attributes, and remove off-canvas paths as referenced. The module export and object structure are valid.

.github/CODEOWNERS (1)

1-8: Approve CODEOWNERS assignment.
The single wildcard pattern * ensures that @masterpointio/masterpoint-open-source is the default owner for all files. The file includes helpful comments on matching precedence.

.github/workflows/lint.yaml (4)

3-5: LGTM! Good use of concurrency controls

The concurrency configuration correctly prevents redundant workflow runs by canceling in-progress jobs when new commits are pushed to the same PR, which helps conserve GitHub Actions minutes.


9-13: LGTM! Well-scoped permissions

The workflow correctly implements the principle of least privilege by explicitly defining only the permissions needed for the lint job to function properly.


20-22: LGTM! Secure action pinning

Excellent security practice using full commit SHAs to pin the exact version of GitHub Actions, which prevents supply chain attacks.


24-29: LGTM! Good semantic PR enforcement

The conventional-title job ensures that PRs follow semantic versioning conventions, which helps with automated versioning and changelog generation.

.trunk/trunk.yaml (3)

9-20: LGTM! Comprehensive linting setup

Excellent selection of linters covering security (checkov, trufflehog, gitleaks), formatting (prettier), and various file types (markdown, YAML, TOML, SVG). All linters are properly version-pinned for reproducibility.


21-25: LGTM! Well-defined runtime environments

The configuration correctly specifies the exact versions of runtime environments needed for the linters to function properly.


26-32: LGTM! Appropriate action configuration

The actions configuration appropriately enables upgrade notifications while disabling potentially disruptive pre-commit and pre-push hooks, which aligns well with CI/CD integration.

.github/renovate.json5 (3)

1-14: LGTM! Well-structured Renovate base configuration

The Renovate configuration correctly extends best practices and configures important settings:

  • Limiting to GitHub Actions dependencies only
  • Scheduled updates to minimize disruption
  • Integration with CODEOWNERS for automatic PR assignment
  • Dashboard auto-closing for reduced noise

15-23: LGTM! Good auto-merge configuration for safe updates

The package rule correctly identifies lower-risk updates (minor/patch/pin/digest) for GitHub Actions and configures them for automatic merging, which reduces maintenance overhead while maintaining safety.


24-30: LGTM! Appropriate handling of major version updates

The configuration correctly separates major version updates that could have breaking changes, ensuring they're grouped and tagged for manual review rather than being auto-merged.

.github/workflows/trunk-upgrade.yaml (3)

19-24: Pinned action versions improve stability.

Locking actions/checkout@commit and tibdex/github-app-token@commit to specific SHAs ensures reproducible behavior across runs. This is a solid practice.


29-36: Upgrade step configuration looks correct.

The trunk-io/trunk-action/upgrade action is properly pinned, uses the generated token, specifies the reviewer team, and prefixes commit messages. No issues found.


37-43:

✅ Verification successful

Ensure GitHub CLI is available before merging the PR.

While gh is usually pre-installed on ubuntu-latest, it’s safer to explicitly install or verify it to prevent unexpected failures.

       - name: Merge PR automatically
+      - name: Install GitHub CLI
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gh
        if: steps.trunk-upgrade.outputs.pull-request-number != ''
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
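Review bot: the inserted step lands between `- name: Merge PR automatically` and that step's own `if:` and `env:` lines, so the `pull-request-number` guard and the `GITHUB_TOKEN` would attach to the new install step and the merge step would lose both; the added lines also use six-space indentation where the surrounding list items use seven. If an install step is added at all, place it before the merge step's `- name:` line at the same indentation.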

You can also verify availability with:


🏁 Script executed:

gh --version

Length of output: 93


No need to install GitHub CLI on ubuntu-latest
The ubuntu-latest runner already includes gh (v2.72.0 as of 2025-04-30), so an explicit install step is redundant. You may optionally add a gh --version check for peace of mind, but the merge step will succeed without it.

Comment on lines +1 to +2
## what

Contributor


🛠️ Refactor suggestion

Add a top-level heading to comply with Markdown best practices

The PR template should begin with a top-level heading (using #) to improve document structure and comply with Markdown standards. This would also provide a clear title for the PR in GitHub's interface.

-## what
+# Pull Request
+
+## What


Comment on lines +9 to +10
permissions: read-all

Contributor


🛠️ Refactor suggestion

Restrict top-level permissions to the minimum necessary.

Using read-all is broader than needed—job-level permissions already grant write access where required. Consider scoping top-level to only what’s needed (e.g., contents: read) to follow the principle of least privilege.

-permissions: read-all
+permissions:
+  contents: read
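Review bot: narrowing the top level to `contents: read` is only safe if the job that creates and merges the upgrade PR declares its own `permissions` block with `contents: write` and `pull-requests: write`, because a job-level `permissions` key replaces the workflow-level set rather than extending it. Where the merge step uses the token from `steps.generate-token.outputs.token`, the GitHub App's installation permissions apply to that call instead, so confirm which token each write operation actually uses before relying on the top-level change.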
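A small checker for the two workflow practices the reviews above call out, commit-SHA pinning of actions and a narrow top-level permissions grant, added here as an example and not part of this PR, the Trunk tooling or CodeRabbit. The workflow text it scans is a constructed sample with a placeholder SHA, not the repository's file, and the line-based parsing is an assumption that keeps the script dependency-free rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not this repository's file): one broad top-level
# grant and one action pinned to a mutable tag. The checkout SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: Trunk Upgrade
on:
  schedule:
    - cron: '0 8 1 * *'
permissions: read-all
jobs:
  trunk-upgrade:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: tibdex/github-app-token@v2
      - run: gh pr merge --auto --squash "$PR_NUMBER"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
BROAD_TOP_PERMS_RE = re.compile(r"^permissions:\s*(read-all|write-all)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return findings for broad top-level permissions and actions not pinned to a SHA."""
    findings = []
    saw_top_level_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        # A `permissions:` key at column 0 is the workflow-wide default for every job.
        if line.startswith("permissions:"):
            saw_top_level_permissions = True
            broad = BROAD_TOP_PERMS_RE.match(line)
            if broad:
                findings.append(
                    f"line {lineno}: top-level permissions '{broad.group(1)}' is broader than needed"
                )
        uses = USES_RE.match(line)
        if not uses:
            continue
        ref_spec = uses.group(1)
        if ref_spec.startswith(("./", "docker://")):
            continue  # local and container actions are not marketplace refs
        action, _, ref = ref_spec.partition("@")
        # Tags and branches can be moved after the fact; only a full commit SHA is immutable.
        if not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action} pinned to mutable ref '{ref}' instead of a commit SHA")
    if not saw_top_level_permissions:
        findings.append("no top-level permissions block: GITHUB_TOKEN falls back to the repository default")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```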

@Gowiem Gowiem merged commit 132c5d6 into master May 21, 2025
8 checks passed
@Gowiem Gowiem deleted the feature/add-trunk2 branch May 21, 2025 20:59