chore: Upgrade trunk (#31)

[![Trunk](https://static.trunk.io/assets/trunk_action_upgrade_banner.png)](https://trunk.io)

3 linters were upgraded:

- checkov 3.2.447 → 3.2.457
- trivy 0.63.0 → 0.64.1
- trufflehog 3.89.2 → 3.90.2

This PR was generated by the [Trunk Action]. For more info, see our
[docs] or reach out on [Slack].

[Trunk Action]: https://github.com/trunk-io/trunk-action
[docs]: https://docs.trunk.io
[Slack]: https://slack.trunk.io/

---------

Co-authored-by: gberenice <30597968+gberenice@users.noreply.github.com>
Co-authored-by: Veronika Gnilitska <veronika.gnilitska@gmail.com>

Author: masterpointbot[bot]

.github/workflows/trunk-upgrade.yaml

@@ -17,7 +17,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create Token for MasterpointBot App
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
@@ -27,8 +27,85 @@ jobs:
           private_key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
 
       - name: Upgrade
-        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 #v1.1.19
+        id: trunk-upgrade
+        uses: trunk-io/trunk-action/upgrade@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           reviewers: "@masterpointio/masterpoint-internal"
           prefix: "chore: "
+
+      - name: Wait for checks to pass + Merge PR
+        if: steps.trunk-upgrade.outputs.pull-request-number != ''
+        env:
+          GH_TOKEN: ${{ secrets.MASTERPOINT_TEAM_PAT }}
+          PR_NUMBER: ${{ steps.trunk-upgrade.outputs.pull-request-number }}
+        run: |
+          echo "Waiting for status checks to pass on PR #$PR_NUMBER..."
+
+          # Wait a bit for checks to start
+          echo "Waiting 30 seconds for checks to initialize..."
+          sleep 30
+
+          # Try to get all checks first to see if any exist
+          ALL_CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --json state,bucket || echo "[]")
+          echo "All checks: $ALL_CHECKS_JSON"
+
+          # Get required checks
+          REQUIRED_CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket || echo "[]")
+          echo "Required checks: $REQUIRED_CHECKS_JSON"
+
+          # Check if we have any required checks
+          REQUIRED_CHECKS_COUNT=$(echo "$REQUIRED_CHECKS_JSON" | jq '. | length')
+          ALL_CHECKS_COUNT=$(echo "$ALL_CHECKS_JSON" | jq '. | length')
+
+          if [ "$REQUIRED_CHECKS_COUNT" -eq 0 ] && [ "$ALL_CHECKS_COUNT" -eq 0 ]; then
+            echo "No status checks found. This might be expected if no checks are configured."
+            echo "Proceeding with auto-approval and merge..."
+
+            # Auto-approve the PR
+            gh pr review "$PR_NUMBER" --approve --body "Auto-approved by trunk upgrade workflow (no status checks configured)"
+
+            # Merge the PR
+            gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+            exit 0
+          fi
+
+          # If we have required checks, wait for them. Otherwise, wait for all checks.
+          if [ "$REQUIRED_CHECKS_COUNT" -gt 0 ]; then
+            echo "Waiting for $REQUIRED_CHECKS_COUNT required status checks..."
+            CHECKS_TO_MONITOR="required"
+          else
+            echo "No required checks configured. Waiting for all $ALL_CHECKS_COUNT status checks..."
+            CHECKS_TO_MONITOR="all"
+          fi
+
+          # Wait for checks to complete
+          while true; do
+            if [ "$CHECKS_TO_MONITOR" = "required" ]; then
+              CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --required --json state,bucket)
+            else
+              CHECKS_JSON=$(gh pr checks "$PR_NUMBER" --json state,bucket)
+            fi
+
+            echo "Current checks status: $CHECKS_JSON"
+
+            if echo "$CHECKS_JSON" | jq -e '.[] | select(.bucket=="fail")' > /dev/null; then
+              echo "One or more checks have failed. Exiting..."
+              exit 1
+            fi
+
+            FAILED_OR_PENDING_CHECKS=$(echo "$CHECKS_JSON" | jq '[.[] | select(.state!="SUCCESS" or .bucket!="pass")] | length')
+            if [ "$FAILED_OR_PENDING_CHECKS" -eq 0 ]; then
+              echo "All checks passed. Auto-approving and merging PR https://github.com/${{ github.repository }}/pull/$PR_NUMBER..."
+
+              # Auto-approve the PR
+              gh pr review "$PR_NUMBER" --approve --body "Auto-approved by trunk upgrade workflow"
+
+              # Merge the PR
+              gh pr merge "$PR_NUMBER" --squash --delete-branch --admin
+              break
+            else
+              echo "Some checks are still running or pending. Retrying in 30s..."
+              sleep 30
+            fi
+          done

.trunk/trunk.yaml

@@ -9,13 +9,13 @@ plugins:
 lint:
   enabled:
     - actionlint@1.7.7
-    - checkov@3.2.447
-    - trivy@0.63.0
+    - checkov@3.2.457
+    - trivy@0.64.1
     - yamllint@1.37.1
     - git-diff-check
     - markdownlint@0.45.0
     - prettier@3.6.2
-    - trufflehog@3.89.2
+    - trufflehog@3.90.2
   ignore:
     - linters: [ALL]
       paths: