masterpointio · gberenice · May 13, 2025 · Jun 24, 2025
@@ -7,6 +7,7 @@ language: en
 tone_instructions: |
   Provide feedback in a professional, friendly, constructive, and concise tone.
   Offer clear, specific suggestions and best practices to help enhance the code quality and promote learning.
+  Be concise and only comment on significant issues.
 
 early_access: true
 
@@ -26,21 +27,25 @@ knowledge_base:
 reviews:
   profile: chill
   auto_review:
-    # Ignore reviewing if the title of the pull request contains any of these keywords (case-insensitive)
+    # Disable incremental code review on each push
+    auto_incremental_review: false
+    # The keywords are case-insensitive
     ignore_title_keywords:
       - wip
       - draft
       - test
-  # Set the commit status to 'pending' when the review is in progress and 'success' when it is complete.
   commit_status: false
-  # Post review details on each review. Additionally, post a review status when a review is skipped in certain cases.
-  review_status: false
   path_instructions:
     - path: "**/*.tf"
       instructions: |
         You're a Terraform expert who has thoroughly studied all the documentation from Hashicorp https://developer.hashicorp.com/terraform/docs and OpenTofu https://opentofu.org/docs/.
         You have a strong grasp of Terraform syntax and prioritize providing accurate and insightful code suggestions.
         As a fan of the Cloud Posse / SweetOps ecosystem, you incorporate many of their best practices https://docs.cloudposse.com/best-practices/terraform/ while balancing them with general Terraform guidelines.
+  changed_files_summary: false
+  poem: false
+  # Don't post review details on each review.
+  review_status: false
+  sequence_diagrams: false
   tools:
     # By default, all tools are enabled.
     # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap.

@@ -4,4 +4,4 @@
 # Order is important: the last matching pattern takes the most precedence
 
 # These owners will be the default owners for everything
-*             @masterpointio/masterpoint-internal
+*             @masterpointio/masterpoint-open-source
@@ -0,0 +1,64 @@
+{
+  "extends": [
+    "config:best-practices",
+    "github>aquaproj/aqua-renovate-config#2.7.5"
+  ],
+  "enabledManagers": [
+    "terraform",
+    "github-actions"
+  ],
+  "terraform": {
+    "ignorePaths": [
+      "**/context.tf" // Mixin file https://github.com/cloudposse/terraform-null-label/blob/main/exports/context.tf
+    ],
+    "fileMatch": [
+      "\\.tf$",
+      "\\.tofu$"
+    ]
+  },
+  "schedule": [
+    "after 9am on the first day of the month"
+  ],
+  "assigneesFromCodeOwners": true,
+  "dependencyDashboardAutoclose": true,
+  "addLabels": ["{{manager}}"],
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
+      "automerge": true,
+      "automergeType": "branch",
+      "groupName": "github-actions-auto-upgrade",
+      "addLabels": ["auto-upgrade"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["major"],
+      "groupName": "github-actions-needs-review",
+      "addLabels": ["needs-review"]
+    },
+    {
+      "matchManagers": ["terraform"],
+      "groupName": "tf",
+      "addLabels": ["needs-review"]
+    },
+    {
+      "matchFileNames": ["**/*.tofu", "**/*.tf"],
+      "matchDatasources": ["terraform-provider", "terraform-module"],
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
+    },
+    {
+      "matchFileNames": ["**/*.tofu"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.opentofu.org"],
+      "groupName": "tf"
+    },
+    {
+      "matchFileNames": ["**/*.tf"],
+      "matchDepTypes": ["required_version"],
+      "registryUrls": ["https://registry.terraform.io"],
+      "groupName": "tf"
+    }
+  ]
+}
@@ -1,6 +1,10 @@
 name: Lint
 
-on: pull_request
+concurrency:
+  group: lint-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+on: pull_request_target
 
 permissions:
   actions: read
@@ -13,6 +17,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out Git repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Trunk Check
-        uses: trunk-io/trunk-action@v1
+        uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  conventional-title:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -8,11 +8,20 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  issues: write
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
+      - name: Create Token for MasterpointBot App
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.MP_BOT_APP_ID }}
+          private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
+          token: ${{ steps.generate-token.outputs.token }}
           release-type: terraform-module
@@ -0,0 +1,28 @@
+name: TF Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target:
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  id-token: write
+  pull-requests: read
+
+jobs:
+  tf-test:
+    name: 🧪 ${{ matrix.tf }} test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        tf: [tofu, terraform]
+    steps:
+      - uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0
+        with:
+          tf_type: ${{ matrix.tf }}
+          aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create Token for MasterpointBot App
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
@@ -27,8 +27,36 @@ jobs:
           private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
       - name: Upgrade
-        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19
+        id: trunk-upgrade
+        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
+
+      - name: Wait for checks to pass + Merge PR
+        if: steps.trunk-upgrade.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
+        run: |
+          echo "Waiting for required status checks to pass on PR #$PR_NUMBER..."
+          while true; do
+            CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket)
+            echo "Current checks status: $CHECKS_JSON"
+
+            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then
+              echo "One or more required checks have failed. Exiting..."
+              exit 1
+            fi
+
+            FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length')
+            if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then
+              echo "All required checks passed. Merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..."
+              gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+              break
+            else
+              echo "Some required checks are still running or pending. Retrying in 30s..."
+              sleep 30
+            fi
+          done
@@ -9,9 +9,14 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Ignore the root .terraform.lock.hcl file (Child modules don't want this)
+.terraform.lock.hcl
+!examples/**/.terraform.lock.hcl
+
 # IDE/Editor settings
 **/.idea
 **/*.iml
+.cursor/
 .vscode/
 *.orig
 *.draft
@@ -39,4 +44,8 @@ backend.tf.json
 **/*.temp
 **/*.bak
 **/*.*swp
-**/.DS_Store
+**/.DS_Store
+
+# Claude Code - we beleive engineers are responsible for the code they push no matter how it's generated.
+# Therefore, configs specific to their coding practices are their responsibilty to judiciously manage.
+.claude/*
@@ -12,3 +12,8 @@ whitespace: false
 # Ignore MD041/first-line-heading/first-line-h1
 # Error: First line in a file should be a top-level heading
 MD041: false
+
+# Ignore MD013/line-length
+MD013:
+  strict: false
+  line_length: 350
@@ -0,0 +1,16 @@
+version: 0.20.0
+formatter: markdown table
+
+recursive:
+  enabled: false
+
+settings:
+  lockfile: false
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+    {{ .Content }}
+    <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -0,0 +1,42 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "all"
+}
+
+config {
+  format = "compact"
+
+  # Inspect vars passed into "module" blocks. eg, lint AMI value passed into ec2 module.
+  # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/calling-modules.md
+  call_module_type = "all"
+
+  # default values but keeping them here for clarity
+  disabled_by_default = false
+  force = false
+}
+
+# Installing tflint rulesets from Github requires setting a GITHUB_TOKEN
+# environment variable. Without it, you'll get an error like this:
+#   $ tflint --init
+#   Installing "aws" plugin...
+#   Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.39.0: 401 Bad credentials []
+#
+# The solution is to provide a github PAT via a GITHUB_TOKEN env var,
+# export GITHUB_TOKEN=github_pat_120abc123def456ghi789jkl123mno456pqr789stu123vwx456yz789
+#
+# See docs for more info: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+plugin "aws" {
+  enabled = true
+  version = "0.39.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+  deep_check = false
+}
+
+# Allow variables to exist in more files than ONLY variables.tf
+# Example use cases where we prefer for variables to exist in context,
+# - context.tf (applicable to the null-label module)
+# - providers.tf (when passing in secret keys from SOPs - example, github provider)
+# https://github.com/terraform-linters/tflint-ruleset-terraform/blob/main/docs/rules/terraform_standard_module_structure.md
+rule "terraform_standard_module_structure" {
+  enabled = false
+}
@@ -6,4 +6,4 @@
 plugins
 user_trunk.yaml
 user.yaml
-tmp
+tmp
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,4 +6,4 @@ @@
     plugins
     user_trunk.yaml
     user.yaml
-    tmp
+    tmp