From 5b6598cd4cda085d00ef13afec9a00ebe7db5745 Mon Sep 17 00:00:00 2001
From: James Newman
Date: Mon, 12 Jan 2026 13:03:09 -0500
Subject: [PATCH 1/3] feat: Add trunk rule to detect mParticle API keys
---
 .trunk/trunk.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/.trunk/trunk.yaml b/.trunk/trunk.yaml
index 04763f88b..fbd0abc7d 100644
--- a/.trunk/trunk.yaml
+++ b/.trunk/trunk.yaml
@@ -35,6 +35,31 @@ lint:
 - shellcheck@0.11.0
 - shfmt@3.6.0
 - trufflehog@3.90.6
+ - mparticle-api-key-check # Custom rule to prevent mParticle API keys from being committed
+ definitions:
+ - name: mparticle-api-key-check
+ files: [ALL]
+ commands:
+ - name: check-mparticle-keys
+ output: pass_fail
+ # ──────────────────────────────────────────────────────────────────────
+ # Matches:
+ # us2-[32 hex chars]
+ # us1-...
+ # us-...
+ # eu1-...
+ # Any two lowercase letters + optional digits + hyphen + exactly 32 hex chars
+ # ──────────────────────────────────────────────────────────────────────
+ run: >-
+ sh -c '
+ if grep -E "(?i)[a-z]{2}[0-9]*-[0-9a-f]{32}" "${target}"; then
+ echo "ERROR: Possible mParticle API key detected in ${target}"
+ echo " Format: xx...-[32 hex chars] (e.g. us2-, eu1-, us-, au4-, etc.)"
+ echo "API keys should never be committed to version control!"
+ exit 1
+ fi
+ '
+ success_codes: [0, 1]
 disabled:
 - yamllint
 ignore:
From e29986b3940fc584abb826599023e20a44a4ee5e Mon Sep 17 00:00:00 2001
From: James Newman
Date: Mon, 12 Jan 2026 13:09:01 -0500
Subject: [PATCH 2/3] Correct location of trunk check
---
 .github/workflows/pull-request.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 01a45f7bb..a5e144768 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
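Review bot: The `(?i)` inline flag inside the grep pattern in the `run:` scalar is Perl/PCRE syntax, not POSIX ERE, so `grep -E` does not treat it as a case-insensitivity modifier; in my reading GNU grep parses the leading `?` as a no-op and then demands a literal `i` before the two-letter prefix, while BSD grep rejects the expression, so the new rule is unlikely to ever flag a real key. Drop the inline flag and pass the option instead: `if grep -qEi "[a-z]{2}[0-9]*-[0-9a-f]{32}" "${target}"; then`. The added `-q` also stops grep from printing the matching line — the suspected key itself — into the CI log; reporting `${target}` plus a line number (e.g. `grep -nEi ... | cut -d: -f1`) is enough for the author to find it. Because `[0-9]*` is unbounded, any `xx-<32 hex>` token (a hyphen-prefixed MD5 in a lockfile, for instance) will also trip the rule under `files: [ALL]`; if the prefixes listed in the comment (`us`, `eu`, `au` plus an optional digit) are the only real ones, anchoring the pattern to them would cut the false positives.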
@@ -12,7 +12,7 @@ permissions:
 checks: write
 id-token: write
- # Code quality checks
+jobs:
 trunk-check:
 name: Trunk code check
 runs-on: ubuntu-latest
@@ -24,7 +24,6 @@ permissions:
 with:
 check-mode: all
-jobs:
 pr-check-hadcoded-secrets:
 name: "Check PR for hardcoded secrets"
 uses: mParticle/mparticle-workflows/.github/workflows/security-hardcoded-secrets.yml@main
From e7785afaba84227295d7fbbdb23c1482360607a2 Mon Sep 17 00:00:00 2001
From: James Newman
Date: Mon, 12 Jan 2026 13:12:20 -0500
Subject: [PATCH 3/3] Only check trunk changes on pull request
---
 .github/workflows/pull-request.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 1c9d323da..21af96ca2 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -21,8 +21,6 @@ jobs:
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
 - name: Trunk Check
 uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
- with:
- check-mode: all
 pr-check-hadcoded-secrets:
 name: "Check PR for hardcoded secrets"
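Review bot: After the third patch's hunk the `Trunk Check` step carries no `check-mode`, so on pull requests trunk-action checks only the files the PR touches (its default there, as far as I can tell) and the `mparticle-api-key-check` rule added in the first patch never sees keys that are already committed in untouched files. If the rule is also meant to surface existing leaks, keep a full-tree run somewhere — a scheduled or manually dispatched workflow that sets `check-mode: all` — and record the decision on the step so the next reader does not re-add the option by accident: `# incremental by design: PR runs check changed files only; use check-mode: all for a full-tree scan`. The enclosing `trunk-check` job starts before this hunk.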