feat: add reusable github workflows (INT-1582)#1

Merged
glaracuente merged 2 commits into
mainfrom
feature/INT-1582/reusable_mp_workflows
May 13, 2026

Conversation

@glaracuente
Contributor

@glaracuente glaracuente commented May 8, 2026

what

  • Add the workflows that we use in our OSS repos as reusable workflows in this centralized actions repo
  • In release-please.yaml, tibdex/github-app-token is replaced with actions/create-github-app-token since the tibdex one was deprecated on July 7, 2025. This is out of the original scope of migrating to reusable workflows, but it's a quick win to take care of this here.

why

  • Centralize the logic of our workflows in one place, in order to make rollouts to all of our OSS repos simpler and more consistent.

notes

  • I have draft PRs for terraform-aws-tailscale and terraform-spacelift-automation to accompany this PR as proof that this is working from the caller workflows as well.
  • I intend to tag this as v0.1.0, and will update callers to use masterpointio/actions/.github/workflows/workflow_name.yaml@sha123 #v0.1.0.

references

Summary by CodeRabbit

  • Chores
    • Added reusable CI workflows for linting and conventional PR title checks.
    • Added reusable test workflow for infrastructure-as-code validation (Terraform/Tofu).
    • Added a reusable release workflow to automate versioning and release PRs.
    • Added an automated trunk/upgrade workflow to keep tooling up to date.
    • Added a security/scan workflow for stricter dependency and action auditing.

@coderabbitai

coderabbitai Bot commented May 8, 2026

📝 Walkthrough

This PR adds five new reusable GitHub Actions workflows to the repository: linting (trunk checks and semantic PR titles), security auditing (Zizmor with pedantic settings), infrastructure testing (Terraform/Tofu matrix), release automation (release-please), and trunk upgrades. All workflows use workflow_call triggers and employ restrictive default permissions with job-level grants.

Changes

GitHub Actions Reusable Workflows

  • Linting & Validation, .github/workflows/lint.yaml: adds a lint job running trunk-io checks and a conventional-title job validating semantic PR titles, via a workflow_call trigger with a GITHUB_TOKEN secret.
  • Security Auditing, .github/workflows/zizmor.yaml: adds a zizmor job running the security action with advanced-security: false and persona: pedantic for stricter stale-action-refs auditing on the checked-out repo.
  • Testing Infrastructure, .github/workflows/test.yaml: defines a reusable tf-test workflow accepting a required aws_role_arn input and SPACELIFT secrets; runs a matrix job for tofu and terraform with OIDC token write permission.
  • Release Automation, .github/workflows/release-please.yaml: adds a release-please-action job that exchanges GitHub App credentials for a token and runs release automation with a release-type input and write permissions for contents, PRs, and issues.
  • Trunk Upgrade Automation, .github/workflows/trunk-upgrade.yaml: adds a trunk-upgrade job with GitHub App token generation, runs masterpointio/github-action-trunk-upgrade with pinned versions and sets @masterpointio/masterpoint-open-source as reviewers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Five workflows now take flight,
Linting code and audits tight,
Testing tofu, terraform too,
Release notes and upgrades brew,
Security pedantic and true!

🚥 Pre-merge checks: 5 passed

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely summarizes the main change: adding reusable GitHub workflows. It is specific, directly related to the changeset, and provides meaningful context.


@glaracuente glaracuente marked this pull request as ready for review May 8, 2026 15:57

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/lint.yaml (1)

31-37: ⚡ Quick win

Guard the semantic-title job to only run when PR context exists.

amannn/action-semantic-pull-request expects pull-request payload data; without a guard, this reusable workflow can fail when called from non-PR events.

Suggested change
   conventional-title:
     name: conventional title
+    if: ${{ github.event.pull_request != null }}
     runs-on: ubuntu-latest
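Review bot: the null check on `github.event.pull_request` is the better of the two guards offered here. In a workflow invoked through workflow_call the `github` context is the caller's, so the test sees the caller's event payload, and `github.event.pull_request != null` also holds for callers that trigger on pull_request_target, which the `github.event_name == 'pull_request'` alternative in the agent prompt would skip. Keep it at job level, as the suggestion does, so the whole conventional-title job is skipped instead of failing inside amannn/action-semantic-pull-request.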
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/lint.yaml around lines 31 - 37, The conventional-title job
runs an action that requires PR context (amannn/action-semantic-pull-request)
and should be guarded so it only executes for pull request events; update the
job definition for conventional-title to include a conditional check (e.g. if:
github.event_name == 'pull_request' or if: github.event.pull_request != null) so
the job is skipped on non-PR events and the reusable action is never invoked
without PR payload data.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/lint.yaml:
- Around line 5-7: Remove the explicit secrets: GITHUB_TOKEN requirement from
the workflow and update the two action usages that currently consume that secret
to use the built-in github.token context instead; specifically, delete the
secrets: GITHUB_TOKEN block and change the inputs for trunk-io/trunk-action and
amannn/action-semantic-pull-request so they no longer reference
secrets.GITHUB_TOKEN but use github.token (or directly ${{ github.token }} in the
action input) so the actions use the job-level github.token which honors
declared permissions.

In @.github/workflows/release-please.yaml:
- Around line 26-31: Replace the deprecated uses: tibdex/github-app-token step
in the workflow (step name "Create Token for MasterpointBot App", id
"generate-token") with the maintained GitHub action
actions/create-github-app-token, keeping the same input keys (app_id and
private_key) and any required permissions configuration; update the uses
reference to the current stable tag (e.g., actions/create-github-app-token@v3)
and ensure downstream steps that reference the generated token (via the
"generate-token" step id) continue to read the same output variable name.

In @.github/workflows/test.yaml:
- Around line 16-17: Remove the workflow input named GITHUB_TOKEN (do not accept
it as a caller-passed secret) and update any places that reference
secrets.GITHUB_TOKEN to use the workflow-scoped token ${{ github.token }}
instead; specifically replace usages of secrets.GITHUB_TOKEN with github.token
and keep the job-level permissions as-is so the scoped token enforces
least-privilege.

ℹ️ Review info

Run ID: a2b707d2-f795-42fa-b42e-e90a91df7bff

📥 Commits

Reviewing files that changed from the base of the PR and between 9926e95 and 02a3436.

📒 Files selected for processing (5)
  • .github/workflows/lint.yaml
  • .github/workflows/release-please.yaml
  • .github/workflows/test.yaml
  • .github/workflows/trunk-upgrade.yaml
  • .github/workflows/zizmor.yaml

Comment thread .github/workflows/lint.yaml
Comment thread .github/workflows/release-please.yaml Outdated
Comment thread .github/workflows/test.yaml
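The three conventions the review above turns on (SHA-pinned `uses:` references, a restrictive workflow-wide permissions default with job-level grants, and `github.token` instead of a caller-supplied GITHUB_TOKEN secret in a reusable workflow) are mechanical enough to check in a few lines. The script below is an added example for this page; it is not code from the masterpointio/actions repository and it is not zizmor's implementation, only a standard-library approximation of those three checks. The two workflow texts embedded in it are constructed for illustration, and their commit SHAs are placeholders rather than real pinned commits.

```python
"""Stdlib-only audit of a GitHub Actions workflow for three supply-chain rules.

Added example for this page, not code from masterpointio/actions and not
zizmor's implementation. Rules: remote `uses:` pinned to a 40-hex SHA; a
column-0 `permissions:` that is not write-all; no GITHUB_TOKEN declared under
on.workflow_call.secrets (github.token is already available to the callee).
"""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A step `- uses:` or a job-level `uses:` that calls a reusable workflow.
USES_LINE = re.compile(r"""^[ \t]*(?:-[ \t]+)?uses:[ \t]*['"]?([^'"\s#]+)""", re.MULTILINE)
# Only a column-0 `permissions:` is the workflow-wide default; job-level ones are indented.
TOP_PERMISSIONS = re.compile(r"^permissions:[ \t]*(\S*)", re.MULTILINE)


def unpinned_uses(text: str) -> list[str]:
    """Every `uses:` reference that is not pinned to an immutable digest."""
    bad = []
    for ref in USES_LINE.findall(text):
        if ref.startswith("./"):
            continue  # local action in the same repo: nothing to pin
        if ref.startswith("docker://"):
            pinned = "@sha256:" in ref  # container images pin by digest
        else:
            pinned = bool(FULL_SHA.match(ref.rpartition("@")[2]))  # tag/branch = mutable
        if not pinned:
            bad.append(ref)
    return bad


def top_level_permissions(text: str) -> str:
    """'missing', 'write-all' or 'ok' for the workflow-level permissions key."""
    m = TOP_PERMISSIONS.search(text)
    if m is None:
        return "missing"
    return "write-all" if m.group(1) == "write-all" else "ok"


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def workflow_call_declares_github_token(text: str) -> bool:
    """True if GITHUB_TOKEN is listed as a secret under on.workflow_call."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "workflow_call:":
            continue
        base, secrets_indent = _indent(line), None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if _indent(nxt) <= base:
                break  # left the workflow_call block
            if nxt.strip() == "secrets:":
                secrets_indent = _indent(nxt)
            elif secrets_indent is not None:
                if _indent(nxt) <= secrets_indent:
                    secrets_indent = None  # left the secrets block
                elif nxt.strip().startswith("GITHUB_TOKEN:"):
                    return True
    return False


def audit(text: str) -> list[tuple[str, str]]:
    """(rule, detail) findings; an empty list means the workflow passes."""
    findings = [("unpinned-uses", ref) for ref in unpinned_uses(text)]
    perm = top_level_permissions(text)
    if perm != "ok":
        findings.append(("top-level-permissions", perm))
    if workflow_call_declares_github_token(text):
        findings.append(("workflow-call-github-token", "declared as caller-supplied secret"))
    return findings


# Constructed "before": tag-pinned actions, no default permissions, and
# GITHUB_TOKEN demanded from the caller (the pattern the review asks to drop).
WEAK_WORKFLOW = """\
on:
  workflow_call:
    secrets:
      GITHUB_TOKEN:
        required: true
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: trunk-io/trunk-action@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed "after". The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
on:
  workflow_call:
permissions: {}
jobs:
  lint:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.x placeholder
      - uses: trunk-io/trunk-action@fedcba9876543210fedcba9876543210fedcba98 # v1.x placeholder
        with:
          github-token: ${{ github.token }}
"""
```

`audit(WEAK_WORKFLOW)` reports both tag-pinned actions, the missing workflow-wide `permissions:` and the GITHUB_TOKEN secret; `audit(HARDENED_WORKFLOW)` returns an empty list. The permissions regex matches only column 0 on purpose, so the job-level grants this PR uses to widen an empty default are not mistaken for the workflow-wide setting. This is the shape of the check, not a substitute for running zizmor itself, which covers far more than these three rules.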
@glaracuente glaracuente requested a review from a team May 8, 2026 16:10
@glaracuente glaracuente marked this pull request as draft May 8, 2026 19:08
@glaracuente
Contributor Author

I put this back into draft mode to look into the code rabbit suggestions.

@glaracuente glaracuente marked this pull request as ready for review May 8, 2026 19:21
@glaracuente glaracuente changed the title add reusable github workflows (INT-1582) feat: add reusable github workflows (INT-1582) May 12, 2026
Member

@Gowiem Gowiem left a comment

I didn't think we'd centralize all the things... but let's try it out.

@glaracuente glaracuente merged commit dc403c8 into main May 13, 2026
2 checks passed
@glaracuente glaracuente deleted the feature/INT-1582/reusable_mp_workflows branch May 13, 2026 18:40