trunk-merge/pr-2/51527fa2-3add-4005-a2f8-3c1f860505a9

.github/labeler.yml

@@ -0,0 +1,59 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+# Define automatically the `kind` label based on the changed files and the head branch
+kind::dependencies:
+  - head-branch:
+      - ^renovate\/.+$
+
+kind:documentation:
+  - changed-files:
+      - any-glob-to-any-file: [README.md, LICENSE, docs/**]
+
+kind::kubevault:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file: [Cargo.lock, Cargo.toml, src/**]
+      - head-branch:
+          - ^(?!renovate\/).+$
+
+kind::tests:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file: [tests/**]
+      - head-branch:
+          - ^(?!renovate\/).+$
+
+kind::workflows:
+  - all:
+      - changed-files:
+          - any-glob-to-any-file: [.github/workflows/**]
+      - head-branch:
+          - ^(?!renovate\/).+$
+
+kind::others:
+  - changed-files:
+      - any-glob-to-any-file: "**"
+      - all-globs-to-all-files:
+          - "!.github/workflows/**"
+          - "!Cargo.lock"
+          - "!Cargo.toml"
+          - "!docs/**"
+          - "!LICENSE"
+          - "!README.md"
+          - "!src/**"
+          - "!tests/**"
+  - head-branch:
+      - ^(?!renovate\/).+$

.github/labels.yaml

@@ -0,0 +1,77 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+
+- name: kind::dependencies
+  description: Dependencies upgrade
+  color: 2B098D
+- name: kind::documentation
+  description: Improvements or additions to documentation
+  color: 0075CA
+- name: kind::kubevault
+  description: Changes on how `kubevault` works (enhancements, bug fixes, etc.)
+  color: A2EEEF
+- name: kind::tests
+  description: Anything related to tests
+  color: 4D76A1
+- name: kind::workflows
+  description: Changes on workflows
+  color: 6A5ACD
+- name: kind::others
+  description: Anything else
+  color: DEDB26
+
+- name: size::XS
+  color: 008000
+- name: size::S
+  color: 008000
+- name: size::M
+  color: FFFF00
+- name: size::L
+  color: FF0000
+- name: size::XL
+  color: FF0000
+
+- name: bug
+  description: Something isn't working
+  color: D73A4A
+- name: duplicate
+  description: This doesn't seem right
+  color: CFD3D7
+- name: good first issue
+  description: Good for newcomers
+  color: 7057FF
+- name: help wanted
+  description: Extra attention is needed
+  color: 008672
+- name: invalid
+  description: This doesn't seem right
+  color: E4E669
+- name: question
+  description: Further information is requested
+  color: D876E3
+- name: wontfix
+  description: This will not be worked on
+  color: FFFFFF
+
+- name: 💖 sponsor
+  description: This issue comes from a sponsor
+  color: FFDBF0
+
+- name: stale
+  description: This issue has not had recent activity
+  color: 6A5ACD
+- name: no-stale
+  description: This issue cannot be marked as stale
+  color: 6A5ACD

.github/workflows/pull_request.automations.yaml

@@ -0,0 +1,49 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🤖 Issue/PR Automation
+on:
+  pull_request:
+  issues:
+    types: [opened]
+
+permissions: {}
+
+jobs:
+  labeler:
+    name: 🏷️ Labeler
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🏷️ Apply label on PR
+        uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+
+  sponsor:
+    name: 💖 Sponsor
+    if: github.event.action == 'opened'
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: 💖 Add sponsor label
+        uses: JasonEtco/is-sponsor-label-action@70b4efb770e0ea4a7e9d4eff63bb5c89732a7819 # main
+        with:
+          labels: 💖 sponsor
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/push,schedule.sync-labels.yaml

@@ -0,0 +1,42 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: 🏷️ Sync Github labels
+
+on:
+  push:
+    branches: [master]
+    paths: [.github/labels.yaml, .github/workflows/sync-labels.yaml]
+  schedule:
+    - cron: 0 0 * * *
+
+permissions: {}
+
+jobs:
+  labeler:
+    name: 🏷️ Labeler
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+      - name: 🏷️ Sync Github labels with the definition
+        uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          manifest: .github/labels.yaml
+          prune: true

.github/workflows/push.trunk_merge.yaml

@@ -0,0 +1,56 @@
+# Copyright (C) 2024 Alexandre Nicolaie (xunleii@users.noreply.github.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------
+---
+name: ⛔ Trunk validation for Rust
+on:
+  push:
+    branches:
+      - trunk-merge/**
+
+permissions: {}
+
+jobs:
+  trunk:
+    name: ✅ Validate code quality
+    permissions:
+      contents: read
+      checks: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      # - name: ✏️ Overrides Trunk configuration for Github Action
+      #   run: mv .trunk/gha.yaml .trunk/user.yaml
+      - name: ⚡️ Run `trunk check`
+        uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16
+  ci_harden_security:
+    name: 🔒️ Github Action security hardening
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: ⬇️ Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: 📄 Lint Github Actions
+        run: |
+          curl -O https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/.github/actionlint-matcher.json
+
+          echo "::add-matcher::actionlint-matcher.json"
+          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/4f6274a8e0f4f4d2057aa9ae07660f61aa29c5f3/scripts/download-actionlint.bash)
+          ./actionlint -color
+
+      - name: ✅ Ensure SHA pinned actions
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5

.trunk/configs/svgo.config.js

@@ -0,0 +1,14 @@
+module.exports = {
+  plugins: [
+    {
+      name: "preset-default",
+      params: {
+        overrides: {
+          removeViewBox: false, // https://github.com/svg/svgo/issues/1128
+          sortAttrs: true,
+          removeOffCanvasPaths: true,
+        },
+      },
+    },
+  ],
+};

.trunk/trunk.yaml

@@ -14,21 +14,25 @@ runtimes:
   enabled:
     - node@18.12.1
     - python@3.10.8
+
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   disabled:
     - checkov
+    - trufflehog # hang unexpectedly and trivy is already enabled
     - vale
   enabled:
+    - actionlint@1.7.1
+    - clippy@1.80.0
+    - svgo@3.3.2
     - git-diff-check
     - hadolint@2.12.0
     - markdownlint@0.41.0
     - osv-scanner@1.8.2
     - prettier@3.3.3
-    - rustfmt@1.65.0
+    - rustfmt@1.80.0
     - taplo@0.9.3
     - trivy@0.54.1
-    - trufflehog@3.80.5
     - yamllint@1.35.1
   ignore:
     - linters: [ALL]
@@ -40,3 +44,8 @@ actions:
     - trunk-check-pre-push
     - trunk-fmt-pre-commit
     - trunk-upgrade-available
+
+merge:
+  required_statuses:
+    - ✅ Validate code quality
+    - 🔒️ Github Action security hardening