.github/renovate.json5

@@ -0,0 +1,13 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: ["config:base"],
+  prConcurrentLimit: 3,
+  packageRules: [
+    {
+      groupName: "all non-major dependencies",
+      groupSlug: "all-minor-patch",
+      matchPackagePatterns: ["*"],
+      matchUpdateTypes: ["minor", "patch"]
+    }
+  ]
+}

.github/workflows/annotate_pr.yaml

@@ -1,20 +1,25 @@
-name: Annotate PR with trunk issues
+name: Trunk Check PR Annotation
 
 on:
   workflow_run:
-    workflows: ["Pull Request"]
+    workflows: [Pull Request]
     types:
       - completed
 
+permissions: read-all
+
 jobs:
-  trunk_check:
-    name: Trunk Check Annotate
+  trunk_check_annotate_pr:
+    name: Trunk Check PR Annotation
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
       - name: Trunk Check
-        uses: ./
+        uses: ./ # external users, use: trunk-io/trunk-action@v1
         with:
           post-annotations: true

.github/workflows/cache_trunk.yaml

@@ -0,0 +1,24 @@
+name: Cache Trunk
+
+on:
+  push:
+    branches: [main]
+    paths: [.trunk/trunk.yaml]
+
+permissions: read-all
+
+jobs:
+  cache_trunk:
+    name: Cache Trunk
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      - name: Trunk Check
+        uses: ./ # external users, use: trunk-io/trunk-action@v1
+        with:
+          check-mode: populate_cache_only

.github/workflows/codeql.yml

@@ -0,0 +1,63 @@
+name: Code Scanning - Action
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    #        ┌───────────── minute (0 - 59)
+    #        │  ┌───────────── hour (0 - 23)
+    #        │  │ ┌───────────── day of the month (1 - 31)
+    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        *  * * * *
+    - cron: 30 1 * * 0
+
+permissions: read-all
+
+jobs:
+  CodeQL-Build:
+    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
+    runs-on: ubuntu-latest
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        # Override language selection by uncommenting this and choosing your languages
+        with:
+          languages: javascript
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below).
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following
+      #    three lines and modify them (or add more) to build your code if your
+      #    project uses a compiled language
+
+      #- run: |
+      #     make bootstrap
+      #     make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4

.github/workflows/nightly.yaml

@@ -4,14 +4,16 @@ on:
     - cron: 0 8 * * 1-5
   workflow_dispatch: {}
 
+permissions: read-all
+
 jobs:
   trunk_check:
     name: Trunk Check Upload
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Trunk Check
         uses: ./ # external users, use: trunk-io/trunk-action@v1

.github/workflows/pr.yaml

@@ -4,14 +4,18 @@ concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   trunk_check:
     name: Trunk Check Runner
     runs-on: ubuntu-latest
+    permissions:
+      checks: write # For trunk to post annotations
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Trunk Check
         uses: ./ # external users, use: trunk-io/trunk-action@v1

.github/workflows/scorecard.yml

@@ -0,0 +1,70 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  # branch_protection_rule:
+
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: 44 9 * * 2
+  push:
+    branches: [main]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: Upload artifact
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif

.trunk/configs/.yamllint.yaml

@@ -0,0 +1,10 @@
+rules:
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  empty-values:
+    forbid-in-block-mappings: true
+    forbid-in-flow-mappings: true
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.trunk/trunk.yaml

@@ -1,24 +1,30 @@
 version: 0.1
+
 cli:
-  version: 1.2.1
+  version: 1.4.1
+
 plugins:
   sources:
     - id: trunk
-      ref: v0.0.8
+      ref: v0.0.10
       uri: https://github.com/trunk-io/plugins
+
+runtimes:
+  enabled:
+    - go@1.18.3
+    - node@18.12.1
+
 lint:
   enabled:
-    - actionlint@1.6.22
+    - actionlint@1.6.23
     - git-diff-check
-    - gitleaks@8.15.2
-    - markdownlint@0.32.2
-    - prettier@2.8.1
+    - gitleaks@8.15.3
+    - markdownlint@0.33.0
+    - prettier@2.8.4
     - shellcheck@0.9.0
     - shfmt@3.5.0
-runtimes:
-  enabled:
-    - go@1.18.3
-    - node@16.14.2
+    - yamllint@1.29.0
+
 actions:
   enabled:
     - trunk-announce

.vscode/extensions.json

@@ -0,0 +1,3 @@
+{
+  "recommendations": ["eamodio.gitlens", "redhat.vscode-yaml", "trunk.io"]
+}

.vscode/settings.json

@@ -0,0 +1,12 @@
+{
+  "editor.defaultFormatter": "trunk.io",
+  "files.insertFinalNewline": true,
+  "files.trimFinalNewlines": true,
+  "files.trimTrailingWhitespace": true,
+  "git.enableSmartCommit": true,
+  "git.ignoreLimitWarning": true,
+  "gitlens.advanced.fileHistoryFollowsRenames": true,
+  "gitlens.codeLens.enabled": false,
+  "terminal.integrated.scrollback": 100000,
+  "workbench.list.horizontalScrolling": true
+}

action.yaml

@@ -4,7 +4,7 @@ description: The official trunk.io GitHub action
 
 branding:
   icon: check
-  color: orange
+  color: green
 
 inputs:
   trunk-path:
@@ -26,9 +26,9 @@ inputs:
 
   check-mode:
     description:
-      Trunk check mode. Leave unset to autodetect just changes. Set to 'all' to check the entire
-      repository. If `trunk-token` is set with 'all', 'all' will also upload results to the Trunk
-      web app.
+      Trunk check mode. Leave unset to autodetect. Set to 'all' to check the entire repository. Set
+      to 'populate_cache_only' in a dedicated workflow to populate the GitHub Actions cache with
+      Trunk artifacts (see docs for more details).
     required: false
 
   cache:
@@ -96,7 +96,7 @@ runs:
       if: env.TRUNK_CHECK_MODE == 'pull_request'
       shell: bash
       run: |
-        # Run trunk check on pull request
+        # Run 'trunk check' on pull request
         ${GITHUB_ACTION_PATH}/pull_request.sh
       env:
         GITHUB_EVENT_PULL_REQUEST_BASE_SHA: ${{ github.event.pull_request.base.sha }}
@@ -114,7 +114,7 @@ runs:
       if: env.TRUNK_CHECK_MODE == 'push'
       shell: bash
       run: |
-        # Run trunk check on push
+        # Run 'trunk check' on push
         ${GITHUB_ACTION_PATH}/push.sh
       env:
         GITHUB_EVENT_AFTER: ${{ github.event.after }}
@@ -129,7 +129,7 @@ runs:
       if: env.TRUNK_CHECK_MODE == 'all'
       shell: bash
       run: |
-        # Run trunk check on all
+        # Run 'trunk check' on all
         ${GITHUB_ACTION_PATH}/all.sh
       env:
         GITHUB_REF_NAME: ${{ github.ref_name }}
@@ -145,7 +145,7 @@ runs:
       if: env.TRUNK_CHECK_MODE == 'trunk_merge'
       shell: bash
       run: |
-        # Run trunk check on Trunk Merge
+        # Run 'trunk check' on Trunk Merge
         ${GITHUB_ACTION_PATH}/trunk_merge.sh
       env:
         GITHUB_REPOSITORY: ${{ github.repository }}
@@ -154,6 +154,15 @@ runs:
         INPUT_ARGUMENTS: ${{ inputs.arguments }}
         INPUT_LABEL: ${{ inputs.label }}
 
+    - name: Run trunk install to populate the GitHub Actions cache
+      if: env.TRUNK_CHECK_MODE == 'populate_cache_only'
+      shell: bash
+      run: |
+        # Run 'trunk install' to populate the GitHub Actions cache
+        ${GITHUB_ACTION_PATH}/populate_cache_only.sh
+      env:
+        INPUT_ARGUMENTS: ${{ inputs.arguments }}
+
     - name: Upload annotations artifact
       if: always() && env.TRUNK_UPLOAD_ANNOTATIONS == 'true'
       uses: actions/upload-artifact@v3

populate_cache_only.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# shellcheck disable=SC2086
+
+set -euo pipefail
+
+"${TRUNK_PATH}" install \
+  --ci \
+  ${INPUT_ARGUMENTS}