fix: pin GitHub Actions to commit SHAs (INT-326)

[Xeboc]

Info

• Pins all uses: references in GitHub Actions workflows to full commit SHAs.

References

• https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow dependencies to latest pinned versions
  • Upgraded Trunk CLI and plugin versions for improved tooling
  • Enhanced code quality checks with additional linter configurations and enabled new linters

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates GitHub Actions workflows and Trunk configuration to use newer versions. GitHub Actions references are pinned to newer commits: actions/checkout to v6.0.2, trunk-io/trunk-action to v1.2.4, amannn/action-semantic-pull-request to v6.1.1, and masterpointio/github-action-tf-test to a newer commit. The Trunk CLI is upgraded from 1.24.0 to 1.25.0, and the trunk plugin reference is updated from v1.7.1 to v1.7.6. New linting configuration files are added for isort and Ruff. The .trunk/trunk.yaml configuration adds new enabled linters (taplo, bandit, black, isort, ruff) and updates versions of existing linters.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: initial version github-action-trunk-upgrade#1 — Updates the same .trunk/trunk.yaml and GitHub Actions workflow files with pinned action/tool version changes.
• fix: pin GitHub Actions to commit SHAs (INT-326) terraform-components#6 — Makes overlapping changes to .github/workflows/lint.yaml, .github/workflows/trunk-upgrade.yaml, and .trunk/trunk.yaml with action and tool version updates.
• feat: first pass at reworking to more holistic example infra-monorepo-template#5 — Modifies .trunk/trunk.yaml to update CLI and linter version references and enabled linter configurations.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changeset: pinning GitHub Actions to commit SHAs across multiple workflow files, which is the primary focus of all changes in this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/INT-326/pin-github-actions

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[oycyc]

LGTM - GitHub Actions SHA pinning and tooling updates.

[Xeboc]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

🧹 Nitpick comments (1)

.trunk/trunk.yaml (1)

23-38: Please run one full Trunk pass before merge.

Given the linter set/version changes, a trunk check and trunk fmt run is a good final validation step to catch any newly enforced rules.

Based on learnings: Run Trunk for linting and formatting (trunk check, trunk fmt).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.trunk/trunk.yaml around lines 23 - 38, The Trunk toolset versions were
changed in the YAML list (e.g., entries like taplo@0.10.0, black@26.3.1,
ruff@0.15.9), so before merging run a full Trunk pass: execute `trunk check` to
surface any new lint failures and `trunk fmt` to apply formatting changes,
review and stage the resulting modifications (including any lock/metadata
updates), and commit them so CI will pass with the updated linter/formatter
rules.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.trunk/trunk.yaml:
- Around line 23-38: The Trunk toolset versions were changed in the YAML list
(e.g., entries like taplo@0.10.0, black@26.3.1, ruff@0.15.9), so before merging
run a full Trunk pass: execute `trunk check` to surface any new lint failures
and `trunk fmt` to apply formatting changes, review and stage the resulting
modifications (including any lock/metadata updates), and commit them so CI will
pass with the updated linter/formatter rules.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 89398851-a01b-4837-9493-0a4bd6fc212f

📥 Commits

Reviewing files that changed from the base of the PR and between 8d43a90 and 6323160.

📒 Files selected for processing (6)

• .github/workflows/lint.yaml
• .github/workflows/test.yaml
• .github/workflows/trunk-upgrade.yaml
• .trunk/configs/.isort.cfg
• .trunk/configs/ruff.toml
• .trunk/trunk.yaml