chore: sync with latest template state (#15)

This PR syncs the repository with the latest state from .

**Changes include:**
- Updated configuration files (.checkov.yaml, .markdownlint.yaml, etc.)
- Updated GitHub workflows and templates
- Updated linting and formatting configurations
- Updated documentation templates

Author: gberenice

.trunk/configs/.checkov.yaml renamed to .checkov.yaml

@@ -4,7 +4,7 @@ concurrency:
   group: lint-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-on: pull_request
+on: pull_request_target
 
 permissions:
   actions: read
@@ -20,6 +20,10 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
         uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   conventional-title:
     runs-on: ubuntu-latest

.github/workflows/lint.yaml

@@ -14,6 +14,14 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Create Token for MasterpointBot App
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MP_BOT_APP_ID }}
+          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
+          token: ${{ steps.generate-token.outputs.token }}
           release-type: terraform-module

.github/workflows/release-please.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-  pull_request:
+  pull_request_target:
 
 permissions:
   actions: read

.github/workflows/test.yaml

@@ -34,10 +34,78 @@ jobs:
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
 
-      - name: Merge PR automatically
+      - name: Wait for checks to pass + Merge PR
         if: steps.trunk-upgrade.outputs.pull-request-number != ''
         env:
-          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+          GH_TOKEN: ${{ secrets.MASTERPOINT_TEAM_PAT }}
           PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
         run: |
-          gh pr merge "$PR_NUMBER" --squash --auto --delete-branch
+          echo "Waiting for status checks to pass on PR #$PR_NUMBER..."
+
+          # Wait a bit for checks to start
+          echo "Waiting 30 seconds for checks to initialize..."
+          sleep 30
+
+          # Try to get all checks first to see if any exist
+          ALL_CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --json state,bucket || echo "[]")
+          echo "All checks: $ALL_CHECKS_JSON"
+
+          # Get required checks
+          REQUIRED_CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket || echo "[]")
+          echo "Required checks: $REQUIRED_CHECKS_JSON"
+
+          # Check if we have any required checks
+          REQUIRED_CHECKS_COUNT=$(echo "$REQUIRED_CHECKS_JSON" | jq '. | length')
+          ALL_CHECKS_COUNT=$(echo "$ALL_CHECKS_JSON" | jq '. | length')
+
+          if [ "$REQUIRED_CHECKS_COUNT" -eq 0 ] && [ "$ALL_CHECKS_COUNT" -eq 0 ]; then
+            echo "No status checks found. This might be expected if no checks are configured."
+            echo "Proceeding with auto-approval and merge..."
+
+            # Auto-approve the PR
+            gh pr review "$PR_NUMBER" --approve --body "Auto-approved by trunk upgrade workflow (no status checks configured)"
+
+            # Merge the PR
+            gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+            exit 0
+          fi
+
+          # If we have required checks, wait for them. Otherwise, wait for all checks.
+          if [ "$REQUIRED_CHECKS_COUNT" -gt 0 ]; then
+            echo "Waiting for $REQUIRED_CHECKS_COUNT required status checks..."
+            CHECKS_TO_MONITOR="required"
+          else
+            echo "No required checks configured. Waiting for all $ALL_CHECKS_COUNT status checks..."
+            CHECKS_TO_MONITOR="all"
+          fi
+
+          # Wait for checks to complete
+          while true; do
+            if [ "$CHECKS_TO_MONITOR" = "required" ]; then
+              CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket)
+            else
+              CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --json state,bucket)
+            fi
+
+            echo "Current checks status: $CHECKS_JSON"
+
+            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then
+              echo "One or more checks have failed. Exiting..."
+              exit 1
+            fi
+
+            FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length')
+            if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then
+              echo "All checks passed. Auto-approving and merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..."
+
+              # Auto-approve the PR
+              gh pr review "$PR_NUMBER" --approve --body "Auto-approved by trunk upgrade workflow"
+
+              # Merge the PR
+              gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+              break
+            else
+              echo "Some checks are still running or pending. Retrying in 30s..."
+              sleep 30
+            fi
+          done

.github/workflows/trunk-upgrade.yaml

@@ -16,6 +16,7 @@
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -44,3 +45,8 @@ backend.tf.json
 **/*.bak
 **/*.*swp
 **/.DS_Store
+
+# AI code gen tools - we beleive engineers are responsible for the code they push no matter how it's generated
+.claude/*
+.cursor/*
+CLAUDE.md

.gitignore

@@ -0,0 +1,42 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+config {
+  format = "compact"
+
+  # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+  # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+  call_module_type = "all"
+
+  # default values but keeping them here for clarity
+  disabled_by_default = false
+  force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+#   $ tflint --init
+#   Installing "aws" plugin...
+#   Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+  enabled = true
+  version = "0.39.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+  enabled = false
+}