feat: add reusable github workflows (INT-1582)

.github/workflows/lint.yaml

@@ -0,0 +1,39 @@
+name: Lint
+
+on:
+  workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        required: true
+
+permissions: {}
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # needed by trunk-action to read workflow run context
+      checks: write # needed by trunk-action to write check results
+      contents: read # needed by trunk-action to read repository contents
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Trunk Check
+        uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
+        env:
+          # NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  conventional-title:
+    name: conventional title
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read # needed by action-semantic-pull-request to inspect pull request context
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-please.yaml

@@ -0,0 +1,36 @@
+name: Release Please
+
+on:
+  workflow_call:
+    inputs:
+      release-type:
+        type: string
+        required: true
+    secrets:
+      MP_BOT_APP_ID:
+        required: true
+      MP_BOT_APP_PRIVATE_KEY:
+        required: true
+
+permissions: {}
+
+jobs:
+  release-please:
+    name: release please
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed by release-please-action to write repository contents
+      pull-requests: write # needed by release-please-action to write pull requests
+      issues: write # needed by release-please-action to write issues
+    steps:
+      - name: Create Token for MasterpointBot App
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 #v3.1.1
+        id: generate-token
+        with:
+          app-id: ${{ secrets.MP_BOT_APP_ID }}
+          private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+
+      - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          release-type: ${{ inputs.release-type }}

.github/workflows/test.yaml

@@ -0,0 +1,43 @@
+name: TF Test
+
+on:
+  workflow_call:
+    inputs:
+      aws_role_arn:
+        type: string
+        required: true
+    secrets:
+      SPACELIFT_API_KEY_ENDPOINT:
+        required: true
+      SPACELIFT_API_KEY_ID:
+        required: true
+      SPACELIFT_API_KEY_SECRET:
+        required: true
+      GITHUB_TOKEN:
+        required: true
+
+permissions: {}
+
+jobs:
+  tf-test:
+    name: 🧪 ${{ matrix.tf }} test
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # needed by github-action-tf-test to read workflow run context
+      checks: write # needed by github-action-tf-test to write check results
+      contents: read # needed by github-action-tf-test to read repository contents
+      id-token: write # needed by github-action-tf-test to write id token
+      pull-requests: read # needed by github-action-tf-test to read pull request context
+    env:
+      SPACELIFT_API_KEY_ENDPOINT: ${{ secrets.SPACELIFT_API_KEY_ENDPOINT }}
+      SPACELIFT_API_KEY_ID: ${{ secrets.SPACELIFT_API_KEY_ID }}
+      SPACELIFT_API_KEY_SECRET: ${{ secrets.SPACELIFT_API_KEY_SECRET }}
+    strategy:
+      matrix:
+        tf: [tofu, terraform]
+    steps:
+      - uses: masterpointio/github-action-tf-test@c1e41998f67925ac3f34e0bbcfcaa4a44d1f0cd9 # v1.0.1
+        with:
+          tf_type: ${{ matrix.tf }}
+          aws_role_arn: ${{ inputs.aws_role_arn }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/trunk-upgrade.yaml

@@ -0,0 +1,34 @@
+name: Trunk Upgrade
+
+on:
+  workflow_call:
+    secrets:
+      MP_BOT_APP_ID:
+        required: true
+      MP_BOT_APP_PRIVATE_KEY:
+        required: true
+      MASTERPOINT_TEAM_PAT:
+        required: true
+
+permissions: {}
+
+jobs:
+  trunk-upgrade:
+    name: trunk upgrade
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed by github-action-trunk-upgrade to write repository contents
+      pull-requests: write # needed by github-action-trunk-upgrade to write pull requests
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Trunk Upgrade
+        uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
+        with:
+          app-id: ${{ secrets.MP_BOT_APP_ID }}
+          app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
+          github-token: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+          reviewers: "@masterpointio/masterpoint-open-source"

.github/workflows/zizmor.yaml

@@ -0,0 +1,25 @@
+name: Zizmor
+
+on:
+  workflow_call: {}
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          # Set to false, so zizmor will not upload results to Github Advanced Security
+          # and will instead print them to the Action's run log.
+          advanced-security: false
+          # Set to pedantic so that zizmor will run it's stale-action-refs audit rule
+          persona: pedantic