Merge pull request #66 from chezmoi-sh/add-trunk

🔧 (trunk): Add Trunk integration for this project

.github/workflows/merge_group,pull_request,schedule.codeql.yaml

@@ -0,0 +1,74 @@
+name: CodeQL
+
+on:
+  merge_group: {}
+  pull_request: {}
+  schedule:
+    - cron: 31 14 * * 6
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [go]
+        # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install Golang
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0
+        with:
+          go-version-file: go.mod
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      # - name: Autobuild
+      #   uses: github/codeql-action/autobuild@b374143c1149a9115d881581d29b8390bbcbb59c # renovate: tag=v3.22.1
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/merge_group,pull_request.all.lint.yaml

@@ -0,0 +1,17 @@
+name: Lint everything (Trunk)
+
+on:
+  merge_group: {}
+  pull_request: {}
+
+permissions: read-all
+
+jobs:
+  trunk:
+    name: Trunk Check
+    permissions:
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: trunk-io/trunk-action@97ecd21fe6c743bf7a606791584b683a7995c70e # v1.1.9

.github/workflows/merge_group,pull_request.go.test.yaml

@@ -0,0 +1,37 @@
+name: Test code (Go)
+on:
+  merge_group: {}
+  pull_request:
+    paths:
+      - "**/*.go"
+      - go.mod
+      - go.sum
+      - .github/workflows/pull_request,push.go.test.yaml
+
+permissions: read-all
+
+jobs:
+  test:
+    name: Go test
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        go: [1.21]
+        os: [ubuntu-latest, macos-latest]
+    steps:
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # renovate: tag=v5.0.0
+        with:
+          go-version: ${{ matrix.go }}
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - run: go test -v -race -covermode=atomic -coverprofile=coverage.out ./...
+      - uses: codecov/codecov-action@e0b68c6749509c5f83f984dd99a76a1c1a231044 # v4.0.1
+        env:
+          OS: ${{ matrix.os }}
+          GO_VERSION: ${{ matrix.go }}
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: coverage.out
+          env_vars: GO_VERSION
+          fail_ci_if_error: true
+          flags: unittests
+          verbose: true

.github/workflows/pull_request.security.workflows.yaml

@@ -1,9 +1,12 @@
 name: Security hardening (Github Actions workflows)
 
 on:
+  merge_group: {}
   pull_request:
     types: [opened, synchronize]
-    paths: [".github/workflows/**"]
+    paths: [.github/workflows/**]
+
+permissions: read-all
 
 jobs:
   ci_harden_security:

.github/workflows/push.repo.labels.yaml

@@ -4,15 +4,17 @@ on:
     branches: [main]
     paths: [.github/workflows/push.repo.labels.yaml, .github/labels.yaml]
 
+permissions: read-all
+
 jobs:
   sync:
     name: Synchronize labels
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-    - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # renovate: tag=v1.3.0
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        manifest: .github/labels.yaml
-        prune: true
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # renovate: tag=v1.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          manifest: .github/labels.yaml
+          prune: true

.github/workflows/push.trunk-cache.yaml

@@ -0,0 +1,21 @@
+name: Refresh Trunk cache
+
+on:
+  push:
+    branches: [main]
+    paths: [.trunk/trunk.yaml]
+
+permissions: read-all
+
+jobs:
+  trunk-cache:
+    name: Refresh Trunk cache
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: trunk-io/trunk-action@97ecd21fe6c743bf7a606791584b683a7995c70e # v1.1.9
+        with:
+          check-mode: populate_cache_only

.tool-versions

@@ -1,2 +1 @@
 golang 1.22.0
-lefthook 1.5.5

.trunk/.gitignore

@@ -0,0 +1,9 @@
+*out
+*logs
+*actions
+*notifications
+*tools
+plugins
+user_trunk.yaml
+user.yaml
+tmp

.trunk/configs/.markdownlint.yaml

@@ -0,0 +1,10 @@
+# Autoformatter friendly markdownlint config (all formatting rules disabled)
+default: true
+blank_lines: false
+bullet: false
+html: false
+indentation: false
+line_length: false
+spaces: false
+url: false
+whitespace: false

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true