Conversation

@gberenice
Member

@gberenice gberenice commented Aug 13, 2025

what

  • Create a reusable GitHub Action for automated Trunk upgrades with intelligent auto-merge capabilities

why

  • Eliminates manual overhead of keeping Trunk configurations up-to-date across multiple repositories

references

  • N/A

Summary by CodeRabbit

  • New Features
    • Added a GitHub Action to automate Trunk upgrades and auto-merge PRs with configurable auth, reviewers, merge method, and status-check handling.
  • Documentation
    • Expanded README with setup, usage, inputs/outputs, and authentication guidance. Added CHANGELOG and a standardized PR template.
  • CI/CD
    • Introduced linting and release workflows, a scheduled Trunk upgrade workflow, Renovate config for GitHub Actions updates, and CODEOWNERS.
  • Chores
    • Added repository-wide editor and lint configs, .gitignore rules, Trunk configuration, and an AI reviewer setup.

@gberenice gberenice requested review from a team and westonplatter and removed request for a team August 13, 2025 17:15
@coderabbitai
Contributor

coderabbitai bot commented Aug 13, 2025

Walkthrough

This PR introduces repository scaffolding and automation configs: .editorconfig, CODEOWNERS, PR template, gitignores, markdown/yaml lint configs, Trunk config, and .coderabbit.yaml. It adds Renovate settings (.github/renovate.json5), workflows for linting, release-please, and a scheduled/manual trunk-upgrade. Documentation updates include an expanded README and a new (empty) CHANGELOG. The key functional addition is a composite GitHub Action (action.yml) “Trunk Upgrade with Auto-merge” that performs Trunk upgrades, opens a PR, waits/polls for required checks via gh, auto-approves, and merges with retries, supporting optional GitHub App auth.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 10

🔭 Outside diff range comments (2)
.markdownlint.yaml (1)

1-20: Invalid rule keys: top-level snake_case entries aren’t recognized by markdownlint.

markdownlint expects MDxxx rule IDs (and rule-specific option objects). Keys like blank_lines, bullet, html, indentation, line_length, spaces, url, whitespace won’t have any effect. You already correctly configured MD041 and MD013; disable the intended rules via their MD codes instead.

Apply this diff to replace invalid keys with proper MD rule IDs:

 # Autoformatter friendly markdownlint config (all formatting rules disabled)
 default: true
-blank_lines: false
-bullet: false
-html: false
-indentation: false
-line_length: false
-spaces: false
-url: false
-whitespace: false
+
+# Disable formatting-sensitive rules (prefer deferring to an autoformatter)
+# MD012/no-multiple-blanks (blank_lines)
+MD012: false
+# MD004/ul-style (bullet)
+MD004: false
+# MD033/no-inline-html (html)
+MD033: false
+# MD007/ul-indent (indentation)
+MD007: false
+# MD009/no-trailing-spaces and MD010/no-hard-tabs (spaces)
+MD009: false
+MD010: false
+# MD034/no-bare-urls (url)
+MD034: false
 
 # Ignore MD041/first-line-heading/first-line-h1
 # Error: First line in a file should be a top-level heading
 MD041: false
 
 # Ignore MD013/line-length
 MD013:
   strict: false
   line_length: 350

If you’re using markdownlint-cli2, this format remains valid. If using a different engine, confirm its config schema.

.coderabbit.yaml (1)

49-96: Explicitly disable all auxiliary tools in .coderabbit.yaml

By default, any tool not listed under tools: remains enabled. Since only a subset is currently disabled, tools such as flake8, pylint, semgrep, sqlfluff, and others will still run alongside Trunk. To fully suppress overlapping feedback, explicitly disable the remainder:

File: .coderabbit.yaml (around lines 49–96)

   tools:
     # By default, all tools are enabled.
     # Masterpoint uses Trunk (https://trunk.io) so we do not need a lot of this feedback due to overlap.
     shellcheck:
       enabled: false
+    flake8:
+      enabled: false
+    pylint:
+      enabled: false
+    semgrep:
+      enabled: false
+    sqlfluff:
+      enabled: false
+    prismaLint:
+      enabled: false
+    oxc:
+      enabled: false
+    clippy:
+      enabled: false
+    phpmd:
+      enabled: false
+    phpcs:
+      enabled: false
+    shopifyThemeCheck:
+      enabled: false
+    luacheck:
+      enabled: false
+    brakeman:
+      enabled: false
+    dotenvLint:
+      enabled: false
+    htmlhint:
+      enabled: false
+    checkmake:
+      enabled: false
     ruff:
       enabled: false
     markdownlint:
       enabled: false
     github-checks:
       enabled: false
     … (rest unchanged) …

• Review the CodeRabbit documentation for the full list of supported tools and add any additional enabled: false entries as needed.

🧹 Nitpick comments (19)
CHANGELOG.md (1)

1-2: Seed the changelog with a usable structure (or clearly defer to release automation).

Right now it’s just a header. If you intend to rely on release-please to manage entries, add a brief note. Otherwise, seed an “Unreleased” section so contributors know where to add changes.

Apply this diff to add a minimal, conventional structure:

 # Changelog
-
+All notable changes to this project will be documented in this file.
+
+The format is based on Keep a Changelog and this repository uses Conventional Commits.
+
+## [Unreleased]
+### Added
+- Initial reusable GitHub Action for Trunk upgrade with auto-merge.
+
+### Changed
+- Repository scaffolding, lint configs, and workflows.
+
+### Fixed
+- N/A
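Review bot: the seeded `## [Unreleased]` section will collide with release-please, which this repo already uses to write CHANGELOG.md from Conventional Commits (the `.trunk/trunk.yaml` comment further down even ignores CHANGELOG for that reason); hand-written entries end up duplicated or stranded above the generated release headings. Prefer the other option named in this comment: keep the header and add a one-line note that release-please manages the file.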
.github/CODEOWNERS (1)

6-8: Add path-specific owners for critical automation and align with auto-merge actors.

A repo-wide default is fine, but for reliability:

  • Explicitly own high-impact files (action.yml, workflows) to avoid ambiguity.
  • Ensure the identity that auto-approves/auto-merges (bot/GitHub App) satisfies CODEOWNERS-required reviews; otherwise, merges may stall.

Example additions:

 # These owners will be the default owners for everything
 *             @masterpointio/masterpoint-open-source
+
+# Prefer explicit owners for critical automation
+/action.yml                        @masterpointio/masterpoint-open-source
+/.github/workflows/*.yaml          @masterpointio/masterpoint-open-source
+/.github/renovate.json5            @masterpointio/masterpoint-open-source
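Review bot: `/.github/workflows/*.yaml` covers the three workflows in this PR but silently falls back to the default owner for any future `.yml` workflow; owning the directory (`/.github/workflows/ @masterpointio/masterpoint-open-source`) avoids that gap. For the auto-merge concern raised in the same comment, remember CODEOWNERS is last-match-wins, so these rules must stay below the `*` line, as they are here.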

If branch protection requires CODEOWNERS approval, confirm the auto-approver identity (GitHub App or bot user) is a member of @masterpointio/masterpoint-open-source or that the policy allows bot approvals.

.trunk/.gitignore (1)

1-9: Tighten ignore globs to avoid accidental matches and clarify intent.

Patterns like “*out” or “*logs” will ignore any path ending with that suffix under .trunk/. Prefer directory-anchored patterns with trailing slashes for precision.

Apply this diff:

-*out
-*logs
-*actions
-*notifications
-*tools
-plugins
+out/
+logs/
+actions/
+notifications/
+tools/
+plugins/
 user_trunk.yaml
 user.yaml
-tmp
+tmp/
.editorconfig (4)

2-8: Add root = true to stop EditorConfig from cascading from parent directories

Prevents unexpected settings from higher-level directories.

 # Unix-style newlines with a newline ending every file
+root = true
 [*]
 charset = utf-8
 end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
 trim_trailing_whitespace = true

10-12: Preserve Markdown hard line breaks

Setting trim_trailing_whitespace = false for Markdown avoids stripping intentional two-space line breaks.

 [*.md]
 max_line_length = 0
+trim_trailing_whitespace = false

10-15: Non-standard max_line_length in EditorConfig

max_line_length isn’t a core EditorConfig property and may be ignored by many editors. Since you already manage MD line length via .markdownlint.yaml, consider removing these entries from EditorConfig to avoid confusion.


13-15: Optional: Makefile tabs

If/when you add Makefiles, it’s conventional to enforce tabs for rules.

 [COMMIT_EDITMSG]
 max_line_length = 0
+
+[Makefile]
+indent_style = tab
.github/workflows/release-please.yaml (3)

24-28: Confirm release-type is correct for this repo

terraform-module seems mismatched for a repository hosting a GitHub Action. If you don’t have Terraform-specific release handling (e.g., module version injection), consider simple so changelogs/tags are generated without language-specific assumptions.

       - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f #v4.1.3
         with:
           token: ${{ steps.generate-token.outputs.token }}
-          release-type: terraform-module
+          release-type: simple

8-12: Tighten permissions (principle of least privilege)

Unless you rely on issue creation/modification, issues: write can be dropped.

 permissions:
   contents: write
   pull-requests: write
-  issues: write

13-16: Optional: Add workflow concurrency to avoid overlapping releases

Prevents race conditions if multiple pushes hit main in quick succession.

 jobs:
+concurrency:
+  group: release-please-${{ github.ref }}
+  cancel-in-progress: false
   release-please:
     runs-on: ubuntu-latest
.github/renovate.json5 (1)

8-13: Set an explicit timezone for scheduled runs

Schedules default to UTC. If you intend a specific local time, set timezone explicitly.

   "schedule": [
     "after 9am on the first day of the month"
   ],
+  "timezone": "UTC",
   "assigneesFromCodeOwners": true,
   "dependencyDashboardAutoclose": true,
.github/PULL_REQUEST_TEMPLATE.md (1)

12-16: Optional: Add testing and checklist sections to improve review signal

These prompts reduce back-and-forth and clarify risk.

 ## references
 
 - Link to any supporting GitHub issues or helpful documentation to add some context (e.g. Stackoverflow).
 - Use `closes #123`, if this PR closes a GitHub issue `#123`
+
+## testing
+
+- Describe how you validated these changes locally or in CI.
+- Include screenshots/logs if applicable.
+
+## checklist
+
+- [ ] Tests added/updated (if applicable)
+- [ ] Docs updated (README/CHANGELOG)
+- [ ] No breaking changes, or breaking changes documented
.gitignore (1)

49-53: Fix small typo in comment.

Polish the message for clarity.

Apply this diff:

-# AI code gen tools - we beleive engineers are responsible for the code they push no matter how it's generated
+# AI code gen tools - we believe engineers are responsible for the code they push, no matter how it's generated
action.yml (1)

67-71: Validate numeric inputs for timeout and interval.

Add basic validation to fail fast on invalid values.

Apply this diff:

         if [[ "${{ inputs.merge-method }}" != "squash" && "${{ inputs.merge-method }}" != "merge" && "${{ inputs.merge-method }}" != "rebase" ]]; then
           echo "::error::merge-method must be one of: squash, merge, rebase"
           exit 1
         fi

+        # Validate numeric inputs
+        if ! [[ "${{ inputs.check-timeout-minutes }}" =~ ^[0-9]+$ ]]; then
+          echo "::error::check-timeout-minutes must be a non-negative integer"
+          exit 1
+        fi
+        if ! [[ "${{ inputs.check-interval-seconds }}" =~ ^[0-9]+$ ]]; then
+          echo "::error::check-interval-seconds must be a non-negative integer"
+          exit 1
+        fi
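Review bot: `^[0-9]+$` accepts `0` for check-interval-seconds, which turns the status poll into a tight loop against the API; require a positive integer there (`^[1-9][0-9]*$`). Separately, every check in this step splices `${{ inputs.* }}` straight into the shell script; pass the inputs through `env:` (as the step at lines 102–109 already does for `MERGE_METHOD`, `TIMEOUT_MINUTES` and `CHECK_INTERVAL`) and test `"$MERGE_METHOD"` and friends instead, so a value containing quotes cannot break out of the script.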
.github/workflows/lint.yaml (1)

3-6: Improve concurrency grouping for PRs.

github.head_ref is empty on pull_request_target, so runs don’t deduplicate per-PR. Group by PR number instead.

Apply this diff:

 concurrency:
-  group: lint-${{ github.head_ref || github.run_id }}
+  group: lint-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
.github/workflows/trunk-upgrade.yaml (2)

1-2: Add concurrency to prevent overlapping scheduled runs.

Avoid multiple overlapping monthly runs in case of delays or manual triggers.

Apply this diff:

 name: Trunk Upgrade
+
+concurrency:
+  group: trunk-upgrade-${{ github.workflow }}
+  cancel-in-progress: false

9-9: Tighten top-level permissions (optional).

You already set job-level permissions. You can remove read-all at the workflow level for least privilege.

Apply this diff:

-permissions: read-all
+# Rely on job-level permissions to follow least privilege
+# permissions:
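Review bot: deleting the top-level `permissions:` does not tighten anything; jobs without their own `permissions:` then receive the repository's default GITHUB_TOKEN permissions, which can be read/write. Replace `read-all` with `permissions: {}` so every job starts from nothing and only the job-level grants (contents, pull-requests) apply.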
README.md (2)

36-36: Clarify cron timezone.

GitHub Actions cron uses UTC. Update the comment to avoid confusion.

Apply this diff:

-    - cron: 0 9 1 * * # Monthly on the 1st at 9am
+    - cron: 0 9 1 * * # Monthly on the 1st at 09:00 UTC

87-95: Align secret names for consistency.

Earlier you define ORG_PAT; here you reference TEAM_PAT. Harmonize to one name to reduce setup friction.

Apply this diff:

 with:
   app-id: ${{ secrets.BOT_APP_ID }}
   app-private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
-  github-token: ${{ secrets.TEAM_PAT }}
+  github-token: ${{ secrets.ORG_PAT }}
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4626c05 and 892cd1b.

📒 Files selected for processing (16)
  • .coderabbit.yaml (1 hunks)
  • .editorconfig (1 hunks)
  • .github/CODEOWNERS (1 hunks)
  • .github/PULL_REQUEST_TEMPLATE.md (1 hunks)
  • .github/renovate.json5 (1 hunks)
  • .github/workflows/lint.yaml (1 hunks)
  • .github/workflows/release-please.yaml (1 hunks)
  • .github/workflows/trunk-upgrade.yaml (1 hunks)
  • .gitignore (1 hunks)
  • .markdownlint.yaml (1 hunks)
  • .trunk/.gitignore (1 hunks)
  • .trunk/trunk.yaml (1 hunks)
  • .yamllint.yaml (1 hunks)
  • CHANGELOG.md (1 hunks)
  • README.md (1 hunks)
  • action.yml (1 hunks)
🔇 Additional comments (5)
.yamllint.yaml (1)

1-8: YAML lint config looks solid.

Rules are valid and pragmatic for repos with templated content.

.github/workflows/release-please.yaml (1)

17-26: Good: Actions pinned to full commit SHAs

Using pinned SHAs for tibdex/github-app-token and googleapis/release-please-action is a solid supply-chain practice.

.trunk/trunk.yaml (1)

3-39: Solid Trunk configuration and pinning.

Versions and pinned plugin refs look good. Ignoring CHANGELOG is appropriate alongside release-please.

README.md (2)

48-48: Good job pinning actions/checkout to a commit SHA.

This follows supply-chain security best practices and aids reproducibility.


57-77: Inputs/Outputs documentation reads clean and maps well to the action interface.

Clear descriptions, sensible defaults, and consistent casing. Nicely done.

Comment on lines +16 to +21
"matchManagers": ["github-actions"],
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"automerge": true,
"automergeType": "branch",
"groupName": "github-actions-auto-upgrade",
"addLabels": ["auto-upgrade"]

🛠️ Refactor suggestion

Use PR-based automerge to respect branch protection

automergeType: branch can bypass branch protections and CODEOWNERS. Prefer pr so merges occur via protected workflows.

     {
       "matchManagers": ["github-actions"],
       "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
       "automerge": true,
-      "automergeType": "branch",
+      "automergeType": "pr",
       "groupName": "github-actions-auto-upgrade",
       "addLabels": ["auto-upgrade"]
     },
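Review bot: `automergeType: pr` puts the merge through GitHub's normal path, but the protection it respects is whatever the branch actually requires; if CODEOWNERS review is required (see the CODEOWNERS comment above), the Renovate bot cannot approve its own PR, so these grouped PRs will wait for another approver rather than merge unattended. Decide whether that is the intent or whether the review requirement should exempt Renovate.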
🤖 Prompt for AI Agents
.github/renovate.json5 around lines 16 to 21: the config sets "automergeType":
"branch" which can bypass branch protection and CODEOWNERS; change the value to
"pr" so Renovate performs PR-based automerges that respect protected-branch
workflows and CODEOWNERS, and ensure any related documentation or CI checks
expect "pr" behavior.

Comment on lines 19 to 27
- name: Check out Git repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Trunk Check
uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
env:
# NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


⚠️ Potential issue

pull_request_target isn’t linting the PR’s code.

With pull_request_target, checkout defaults to the base repo, not the PR head. You’re linting the wrong commit. Also, for safety, disable credential persistence.

Apply this diff to check out the PR head safely:

       - name: Check out Git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # Check out the PR head safely under pull_request_target
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
+          fetch-depth: 0
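Review bot: checking out the fork's head under `pull_request_target` and then running `trunk-io/trunk-action` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in its env executes untrusted PR content (the PR's `.trunk/trunk.yaml`, linter configs) with a token that carries the base repository's write permissions; `persist-credentials: false` keeps the token out of `.git/config`, not out of that step's environment. The safer fix is the alternative in this comment: switch to `on: pull_request`, where the token is read-only for fork PRs, and reserve `pull_request_target` for a job that never checks out PR code. Minor: the `-`/`+` `uses:` lines are identical, and `fetch-depth: 0` is not needed for linting.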

Alternatively, switch to on: pull_request if you don’t need target-level permissions.

🤖 Prompt for AI Agents
In .github/workflows/lint.yaml around lines 19–27, the workflow uses
pull_request_target but the checkout step is leaving the runner on the base repo
commit and leaving credentials persisted; change the checkout step to explicitly
check out the PR head (use the pull_request head ref / sha) and disable
credential persistence (set persist-credentials: false and fetch full history if
needed), so the linter runs against the PR code and credentials aren’t leaked;
alternatively, if you don’t need target-level permissions, change the workflow
trigger to on: pull_request.

Comment on lines +12 to +15
# Ignore the root .terraform.lock.hcl file (Child modules don't want this)
.terraform.lock.hcl
!examples/**/.terraform.lock.hcl


🛠️ Refactor suggestion

Scope the Terraform lock file ignore to root only.

The comment says “Ignore the root .terraform.lock.hcl,” but the current pattern ignores it at any depth (then partially reverts for examples/). Make it root-anchored and drop the exception.

Apply this diff:

-.terraform.lock.hcl
-!examples/**/.terraform.lock.hcl
+/.terraform.lock.hcl
🤖 Prompt for AI Agents
In .gitignore around lines 12 to 15, the pattern currently ignores
.terraform.lock.hcl at any depth and then un-ignores example subfolders; change
this to only ignore the root lock file by replacing the broad pattern with a
root-anchored one (/ .terraform.lock.hcl) and remove the negated example
exception line so examples retain their own lock files; update the two lines
accordingly.

.gitignore Outdated

# Other
**/*.backup
***/*.tmp

⚠️ Potential issue

Fix invalid glob pattern '***/*.tmp'.

Triple-asterisk is not a valid glob and won’t match as intended.

Apply this diff:

-***/*.tmp
+**/*.tmp
🤖 Prompt for AI Agents
In .gitignore at line 43, the pattern '***/*.tmp' is an invalid glob; replace it
with a valid recursive pattern such as '**/*.tmp' (or '*.tmp' if you only want
top-level files) so it matches .tmp files at any directory depth and commit the
change.

Comment on lines +102 to +109
env:
GH_TOKEN: ${{ inputs.github-token }}
PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
REPO_URL: https://github.com/${{ github.repository }}
MERGE_METHOD: ${{ inputs.merge-method }}
TIMEOUT_MINUTES: ${{ inputs.check-timeout-minutes }}
CHECK_INTERVAL: ${{ inputs.check-interval-seconds }}
run: |

⚠️ Potential issue

Use the selected token (App or PAT) for gh CLI operations.

You compute a preferred token, but GH_TOKEN is always set to inputs.github-token. This can cause permission mismatches when using a GitHub App token.

Apply this diff:

-        GH_TOKEN: ${{ inputs.github-token }}
+        GH_TOKEN: ${{ steps.github-token.outputs.token }}
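Review bot: `steps.github-token.outputs.token` assumes a step with `id: github-token` that exposes `outputs.token`; the hunk does not show one, and the AI prompt below concedes the name is a guess. If the id or output name differs, the expression evaluates to an empty string and `gh` fails with an authentication error rather than a permission error. Verify the id against the token-selection step, and add that step's `id:` to this change if it is missing.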
🤖 Prompt for AI Agents
In action.yml around lines 102 to 109, GH_TOKEN is being hardcoded to
inputs.github-token even though a preferred token (App or PAT) is computed
earlier; change GH_TOKEN to use the computed/preferred token variable you
already produce (for example the env or step output name used when selecting the
token) — e.g. set GH_TOKEN: ${{ env.PREFERRED_TOKEN }} or ${{
steps.select-token.outputs.token }} (whichever name your workflow uses) and
ensure that variable is exported/available in this job so the gh CLI uses the
correct token.

Comment on lines +143 to +159
while [ $retry_count -lt $max_retries ]; do
if gh pr merge "$PR_NUMBER" --"$MERGE_METHOD" --delete-branch --admin; then
echo "✅ Successfully merged PR #$PR_NUMBER"
echo "merged=true" >> $GITHUB_OUTPUT
return 0
else
retry_count=$((retry_count + 1))
if [ $retry_count -lt $max_retries ]; then
echo "⚠️ Merge failed (attempt $retry_count/$max_retries). Retrying in 10 seconds..."
echo "This could be due to base branch updates or temporary GitHub issues."
sleep 10
else
echo "❌ Merge failed after $max_retries attempts. Manual intervention may be required."
echo "merged=false" >> $GITHUB_OUTPUT
return 1
fi
fi

🛠️ Refactor suggestion

Avoid forcing admin merges by default.

Using --admin requires elevated privileges and increases failure rates in consumer repos. Make it opt-in or remove it.

Apply this diff to remove the flag:

-            if gh pr merge "$PR_NUMBER" --"$MERGE_METHOD" --delete-branch --admin; then
+            if gh pr merge "$PR_NUMBER" --"$MERGE_METHOD" --delete-branch; then
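Review bot: dropping `--admin` is the right default, but the merge then runs under branch protection, so two things need checking elsewhere in the action: a required review cannot be satisfied by the same identity that opened the PR (GitHub rejects self-approval), so the auto-approve step must use a different token from the one the trunk-upgrade step used; and `gh pr merge` without `--auto` fails outright while checks are still pending, which is only safe because the polling loop above this block runs first. If `--admin` survives as an opt-in input, document that it needs a token with admin rights and bypasses required reviews and checks.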

If you’d prefer configurability, I can add an optional boolean input (e.g., admin-merge) and gate the flag accordingly.

🤖 Prompt for AI Agents
In the action.yml file around lines 143 to 159, the merge process is using the
--admin flag to force an admin merge, which requires elevated privileges and can
increase the failure rate of merges in consumer repositories. To address this,
remove the --admin flag from the gh pr merge command. This will allow the merge
to be performed without requiring admin privileges, which will make the merge
process more reliable and accessible to a wider range of users.
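As an added example, not the action's or project's own code, here is how the validated inputs from the action.yml nitpick earlier in this review and the merge loop discussed in this comment fit together, with the gh calls isolated in thin wrappers so the timing logic can be exercised offline. Assumptions beyond what the page shows: the `gh_checks`/`gh_merge` wrapper names, the `auto_merge` driver, and gh's exit-code convention for `gh pr checks` (0 passed, 8 pending, anything else failed).

```shell
#!/usr/bin/env bash
# Added example (constructed for illustration, not the action's code):
# validate the three action inputs, poll required checks with a bounded
# timeout, then merge with retries and no --admin override.

# validate_inputs MERGE_METHOD TIMEOUT_MINUTES INTERVAL_SECONDS
# Mirrors the action's inputs; returns 1 on the first bad value.
validate_inputs() {
  local merge_method="$1" timeout_minutes="$2" interval_seconds="$3"
  case "$merge_method" in
    squash|merge|rebase) ;;
    *) echo "::error::merge-method must be one of: squash, merge, rebase" >&2; return 1 ;;
  esac
  if ! [[ "$timeout_minutes" =~ ^[0-9]+$ ]]; then
    echo "::error::check-timeout-minutes must be a non-negative integer" >&2
    return 1
  fi
  # Zero is rejected on purpose: a 0s interval turns the poll into a tight
  # loop against the API and burns the token's rate limit.
  if ! [[ "$interval_seconds" =~ ^[1-9][0-9]*$ ]]; then
    echo "::error::check-interval-seconds must be a positive integer" >&2
    return 1
  fi
  return 0
}

# wait_for_checks CHECK_CMD TIMEOUT_SECONDS INTERVAL_SECONDS
# CHECK_CMD follows gh's exit convention: 0 all passed, 8 still pending,
# anything else failed. Returns 0 passed, 1 failed, 2 timed out.
wait_for_checks() {
  local check_cmd="$1" timeout_s="$2" interval_s="$3"
  local elapsed=0 rc
  while :; do
    rc=0
    "$check_cmd" || rc=$?
    case "$rc" in
      0) return 0 ;;
      8) ;;  # pending: fall through to the timeout check below
      *) echo "required checks failed (exit $rc)" >&2; return 1 ;;
    esac
    if [ "$elapsed" -ge "$timeout_s" ]; then
      echo "timed out after ${timeout_s}s waiting for checks" >&2
      return 2
    fi
    sleep "$interval_s"
    elapsed=$((elapsed + interval_s))
  done
}

# merge_with_retry MERGE_CMD MAX_ATTEMPTS BACKOFF_SECONDS
# Retries a merge that races with base-branch updates. Branch protection
# still applies because no admin override is used. Returns 0 merged, 1 gave up.
merge_with_retry() {
  local merge_cmd="$1" max_attempts="$2" backoff_s="$3" attempt=0
  while [ "$attempt" -lt "$max_attempts" ]; do
    if "$merge_cmd"; then
      return 0
    fi
    attempt=$((attempt + 1))
    if [ "$attempt" -lt "$max_attempts" ]; then
      echo "merge failed (attempt $attempt/$max_attempts), retrying in ${backoff_s}s" >&2
      sleep "$backoff_s"
    fi
  done
  echo "merge failed after $max_attempts attempts" >&2
  return 1
}

# auto_merge CHECK_CMD MERGE_CMD TIMEOUT_MINUTES INTERVAL_SECONDS MAX_ATTEMPTS
# Prints the action-style output line (merged=true|false) and returns 0 only
# when the PR was actually merged.
auto_merge() {
  local check_cmd="$1" merge_cmd="$2" timeout_minutes="$3"
  local interval_s="$4" max_attempts="$5"
  if wait_for_checks "$check_cmd" $((timeout_minutes * 60)) "$interval_s" \
     && merge_with_retry "$merge_cmd" "$max_attempts" 10; then
    echo "merged=true"
    return 0
  fi
  echo "merged=false"
  return 1
}

# Wrappers around the real gh CLI (assumed names), used only inside the
# action, where PR_NUMBER and MERGE_METHOD come from the step's env block.
gh_checks() { gh pr checks "$PR_NUMBER"; }
gh_merge()  { gh pr merge "$PR_NUMBER" --"$MERGE_METHOD" --delete-branch; }
```

Inside the action the driver call would be `auto_merge gh_checks gh_merge "$TIMEOUT_MINUTES" "$CHECK_INTERVAL" 3 >> "$GITHUB_OUTPUT"` after `validate_inputs` has passed.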


[![Release][release-badge]][latest-release]

💡 Learn more about Masterpoint [below](#who-we-are-𐦂𖨆𐀪𖠋).

🛠️ Refactor suggestion

Fix anchor link; special characters break GitHub heading anchors.

The link to “Who We Are” won’t resolve due to special characters in the heading. Simplify the heading and target anchor.

Apply this diff:

-💡 Learn more about Masterpoint [below](#who-we-are-𐦂𖨆𐀪𖠋).
+💡 Learn more about Masterpoint [below](#who-we-are).
-## Who We Are 𐦂𖨆𐀪𖠋
+## Who We Are

Also applies to: 112-112

🤖 Prompt for AI Agents
In README.md around lines 7 and 112, the anchor link to “Who We Are” uses
special characters that break GitHub heading anchors; update the heading text to
a simple ASCII form (e.g., "Who We Are") and remove any non-ASCII symbols, then
change the link target to the normalized anchor (e.g., "#who-we-are") so the
link resolves correctly; ensure both occurrences of the link and the heading
itself use the same plain anchor text.

Comment on lines +41 to +47
jobs:
trunk-upgrade:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:

⚠️ Potential issue

Add checks/statuses read permissions to support status polling with GITHUB_TOKEN.

If users run in “GitHub Token Only” mode, the job-level permissions currently omit checks:read/statuses:read, which can block reading check runs/commit statuses when polling required checks.

Apply this diff:

```diff
     permissions:
       contents: write
       pull-requests: write
+      checks: read
+      statuses: read
```
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

Before:

```yaml
jobs:
  trunk-upgrade:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
```

After:

```yaml
jobs:
  trunk-upgrade:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      checks: read
      statuses: read
    steps:
```
🤖 Prompt for AI Agents
In README.md around lines 41 to 47 (the trunk-upgrade job permissions block),
the job-level permissions omit checks:read and statuses:read which are required
for status polling with GITHUB_TOKEN; update the permissions map to include
checks: read and statuses: read (e.g., add entries checks: read and statuses:
read at the same indentation level as contents/pull-requests) so the workflow
can read check runs and commit statuses when running in “GitHub Token Only”
mode.
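The review above is about the token being able to read check runs and commit statuses while the action polls for required checks. The following is an added Python example, not the action's own bash/`gh` code, of the decision that polling loop has to make: it merges the two GitHub payload shapes (`GET .../commits/{ref}/check-runs` and `GET .../commits/{ref}/status`) into one verdict per required check, treats a required check that has not reported yet as pending rather than passing, and turns an HTTP 403 (what a GITHUB_TOKEN without `checks: read`/`statuses: read` gets back) into an immediate, actionable error instead of polling until timeout. The fetcher callables, the sample payloads and the `REQUIRED` list are all constructed for the example.

```python
"""Merge-readiness decision for a PR head commit from GitHub check-run and
commit-status payloads. Added example; not the trunk-upgrade action's code."""
from typing import Callable, Iterable, Sequence

# Payload shapes follow the GitHub REST API:
#   GET /repos/{owner}/{repo}/commits/{ref}/check-runs -> {"check_runs": [{name, status, conclusion}]}
#   GET /repos/{owner}/{repo}/commits/{ref}/status     -> {"statuses":   [{context, state}]}
Fetcher = Callable[[], tuple]  # returns (http_status, decoded JSON body); constructed stand-in for gh/curl

PASSING_CONCLUSIONS = {"success", "neutral", "skipped"}


class InsufficientTokenScope(Exception):
    """The token could not read check runs or statuses (HTTP 403)."""


def evaluate(check_runs: Iterable[dict], statuses: Iterable[dict], required: Sequence[str]) -> str:
    """Return 'success', 'pending' or 'failure' across the required check names.

    A required check that has not reported at all counts as pending: merging
    before it appears is exactly the race a polling loop exists to avoid.
    """
    results = {}
    for run in check_runs:
        if run["status"] != "completed":          # queued | in_progress
            results[run["name"]] = "pending"
        elif run["conclusion"] in PASSING_CONCLUSIONS:
            results[run["name"]] = "success"
        else:                                     # failure, cancelled, timed_out, action_required, stale
            results[run["name"]] = "failure"
    for st in statuses:                           # legacy commit statuses: success | pending | failure | error
        results[st["context"]] = {"success": "success", "pending": "pending"}.get(st["state"], "failure")

    verdicts = [results.get(name, "pending") for name in required]
    if "failure" in verdicts:
        return "failure"
    if "pending" in verdicts:
        return "pending"
    return "success"


def poll_once(fetch_check_runs: Fetcher, fetch_statuses: Fetcher, required: Sequence[str]) -> str:
    """One iteration of the loop. A 403 is reported as a scope problem rather
    than being mistaken for 'still pending', so the job fails fast with a fix
    instead of spinning until its timeout against a token that can never see
    the answer. Assumes GitHub answers 403 when the token lacks the scope."""
    code, runs_body = fetch_check_runs()
    if code == 403:
        raise InsufficientTokenScope("check-runs: 403; grant `checks: read` to GITHUB_TOKEN")
    code, status_body = fetch_statuses()
    if code == 403:
        raise InsufficientTokenScope("commit status: 403; grant `statuses: read` to GITHUB_TOKEN")
    return evaluate(runs_body.get("check_runs", []), status_body.get("statuses", []), required)


# Constructed sample payloads (not captured from a real repository).
SAMPLE_RUNS = [
    {"name": "lint", "status": "completed", "conclusion": "success"},
    {"name": "test", "status": "in_progress", "conclusion": None},
]
SAMPLE_STATUSES = [{"context": "license/cla", "state": "success"}]
REQUIRED = ["lint", "test", "license/cla"]


def demo() -> dict:
    """Run the decision over several constructed states and return the verdicts."""
    done = [dict(r, status="completed", conclusion="success") for r in SAMPLE_RUNS]
    failed = [dict(r, status="completed", conclusion="failure") for r in SAMPLE_RUNS]
    ok = lambda body: (lambda: (200, body))   # fetcher that always answers 200 with `body`
    out = {
        "in_progress": poll_once(ok({"check_runs": SAMPLE_RUNS}), ok({"statuses": SAMPLE_STATUSES}), REQUIRED),
        "all_green": poll_once(ok({"check_runs": done}), ok({"statuses": SAMPLE_STATUSES}), REQUIRED),
        "one_failed": poll_once(ok({"check_runs": failed}), ok({"statuses": SAMPLE_STATUSES}), REQUIRED),
        "missing_required": evaluate(done, [], REQUIRED),   # license/cla never reported -> pending
    }
    try:
        poll_once(lambda: (403, {"message": "Resource not accessible by integration"}), ok({}), REQUIRED)
    except InsufficientTokenScope as exc:
        out["forbidden"] = str(exc)
    return out


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state:>17}: {verdict}")
```

In the real action the two fetchers would be `gh api` calls against the PR head SHA and `poll_once` would sit inside a sleep/retry loop; the point of the 403 branch is that a missing read scope is a configuration error and should end the job on the first iteration, not after the full polling budget.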

Comment on lines +49 to +55
- uses: masterpointio/github-action-trunk-upgrade@abc123def456789012345678901234567890abcd # v1.0.0
with:
app-id: ${{ secrets.BOT_APP_ID }}
app-private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
github-token: ${{ secrets.ORG_PAT }}
reviewers: "@org/engineering"
```
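Review bot: the example passes both a GitHub App credential (`app-id`, `app-private-key`) and `github-token: ${{ secrets.ORG_PAT }}` in one invocation. The README should state which one the action uses when both are set, since the two have very different blast radii (an org-wide PAT versus an installation-scoped App token) and a reader copying this block will normally want exactly one of them. Either split this into an App example and a PAT example, or drop one of the inputs here.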

⚠️ Potential issue

Replace placeholder SHA with a real tag or commit (supply-chain safety).

The example uses a non-existent placeholder SHA. Prefer a stable tag like v1 for readability, and consider pinning to the corresponding full commit SHA in security-conscious environments.

Apply this diff:

```diff
-      - uses: masterpointio/github-action-trunk-upgrade@abc123def456789012345678901234567890abcd # v1.0.0
+      - uses: masterpointio/github-action-trunk-upgrade@v1 # or pin to a full commit SHA for supply-chain security
```
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

Before:

```yaml
      - uses: masterpointio/github-action-trunk-upgrade@abc123def456789012345678901234567890abcd # v1.0.0
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          app-private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
          github-token: ${{ secrets.ORG_PAT }}
          reviewers: "@org/engineering"
```

After:

```yaml
      - uses: masterpointio/github-action-trunk-upgrade@v1 # or pin to a full commit SHA for supply-chain security
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          app-private-key: ${{ secrets.BOT_PRIVATE_KEY }}
          github-token: ${{ secrets.ORG_PAT }}
          reviewers: "@org/engineering"
```
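Review bot: the committable suggestion changes `app-private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}` to `${{ secrets.BOT_PRIVATE_KEY }}` alongside the intended ref change. That secret rename is unrelated to the pinning fix and would silently break App authentication for anyone who applies the suggestion as-is (the `with:` block would reference a secret that does not exist). Keep `BOT_APP_PRIVATE_KEY`, matching the original line.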
🤖 Prompt for AI Agents
In README.md around lines 49 to 55, the GitHub Action reference uses a
non-existent placeholder SHA; replace the placeholder
"masterpointio/github-action-trunk-upgrade@abc123def456789012345678901234567890abcd"
with a real ref — preferably a stable tag like "@v1" for readability or, for
supply-chain safety, the corresponding full commit SHA (formatted as
owner/repo@<tag> or owner/repo@<full-commit-sha>); update that single line to
the chosen valid tag or SHA and keep the rest of the invocation the same.
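The pinning question raised above is checkable in CI before a workflow lands. Below is an added Python example, not part of this action or its README, that lints every `uses:` line in a workflow file: a full 40-hex SHA with a `# vX.Y.Z` annotation is accepted, a SHA without the annotation gets a warning (Renovate and Dependabot use that comment to track updates), a mutable tag such as `@v1` gets a warning, and a branch or short SHA is an error. The caveat the review makes is real and the example honours it: the README's placeholder `abc123def456789012345678901234567890abcd` is syntactically a valid SHA, so a syntactic check passes it; only resolving the ref against the remote (for example with `git ls-remote`) proves it exists, and this offline block deliberately does not do that. The sample workflow text is constructed for the example.

```python
"""Lint `uses:` references in GitHub workflow YAML for supply-chain pinning.
Added example; not part of the trunk-upgrade action or its README.

Syntactic only: it cannot tell a real SHA from a well-formed placeholder.
Resolving each ref against the remote is a separate, online step."""
import re
from typing import Optional

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG = re.compile(r"^v\d+(\.\d+){0,2}$")


def classify(ref: str, comment: Optional[str]):
    """Return (level, reason) for one action reference."""
    if ref.startswith(("./", "docker://")):
        return "skip", "local path or container image; not a remote action ref"
    if "@" not in ref:
        return "error", "missing @ref"
    _action, version = ref.rsplit("@", 1)
    if FULL_SHA.match(version):
        if comment and SEMVER_TAG.match(comment):
            return "ok", f"pinned to a full SHA and annotated {comment}"
        return "warn", "pinned to a full SHA but missing the '# vX.Y.Z' annotation update tooling keys on"
    if SEMVER_TAG.match(version):
        return "warn", f"mutable tag {version}: the tag can be moved to different code"
    return "error", f"ref {version!r} is neither a full SHA nor a version tag (branch or short SHA?)"


def lint(workflow_text: str) -> list:
    """Classify every `uses:` reference found in the given workflow text."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1).strip("\"'")
        level, reason = classify(ref, m.group(2))
        findings.append({"uses": ref, "level": level, "reason": reason})
    return findings


# Constructed workflow fragment; the second line mirrors the README's placeholder ref,
# which this syntactic check accepts because it is 40 hex characters long.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: masterpointio/github-action-trunk-upgrade@abc123def456789012345678901234567890abcd # v1.0.0
  - uses: masterpointio/github-action-trunk-upgrade@v1
  - uses: some-org/tool@main
  - uses: ./.github/actions/local
  - uses: docker://alpine:3.20
"""


def worst_level(findings: list) -> str:
    """Collapse findings to the single level a CI gate would act on."""
    order = {"skip": 0, "ok": 0, "warn": 1, "error": 2}
    return max((f["level"] for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"{f['level']:>5}  {f['uses']}  ({f['reason']})")
    print("gate:", worst_level(lint(SAMPLE)))
```

A CI gate would fail on `error`, and in a strict repository on `warn` as well, forcing every third-party action to a SHA plus version comment; the online existence check (`git ls-remote <repo> <sha>` or a `gh api` call) belongs in the same job so that a placeholder like the one in the README is caught before merge.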

oycyc previously approved these changes Aug 14, 2025
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
gberenice merged commit a7f643c into main Aug 18, 2025
gberenice deleted the feat/inital-version branch August 18, 2025 17:08
gberenice pushed a commit that referenced this pull request Aug 18, 2025
🤖 I have created a release *beep* *boop*
---


## 0.1.0 (2025-08-18)


### Features

* initial version
([#1](#1))
([a7f643c](a7f643c))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: masterpointbot[bot] <177651640+masterpointbot[bot]@users.noreply.github.com>