Merge pull request #1 from awslabs/feat/repo-guardrails

feat: Add repo-level guardrails and CI workflows

Author: icarthick

.bandit-baseline.json

@@ -0,0 +1 @@
+[]

.github/CODEOWNERS

@@ -0,0 +1,11 @@
+# Repo infrastructure - only admins can modify
+/.github/                @awslabs/startups-admins
+mise.toml                @awslabs/startups-admins
+dprint.json              @awslabs/startups-admins
+.pre-commit-config.yaml  @awslabs/startups-admins
+.gitleaks.toml           @awslabs/startups-admins
+.semgrep.yaml            @awslabs/startups-admins
+.markdownlint-cli2.yaml  @awslabs/startups-admins
+
+# Team folders
+/migrate/                @awslabs/startups-migrate

.github/ISSUE_TEMPLATE/rfc---request-for-comments.md

@@ -4,23 +4,28 @@ about: Propose a new feature, artifact, or major update
 title: 'RFC: <your proposal title>'
 labels: needs-triage, rfc-proposal
 assignees: ayn-builds
-
 ---
 
 ## Summary
+
 <!-- One paragraph describing the proposal -->
 
 ## Motivation
+
 <!-- Why is this needed? What problem does it solve? -->
 
 ## Proposed Solution
+
 <!-- Describe your approach in detail -->
 
 ## Alternatives Considered
+
 <!-- What other approaches did you evaluate and why were they rejected? -->
 
 ## Open Questions
+
 <!-- What is still undecided or needs community input? -->
 
 ## Drawbacks
+
 <!-- Any known trade-offs or risks? -->

.github/pull_request_template.md

@@ -0,0 +1,26 @@
+## Description
+
+<!-- Brief description of the changes -->
+
+## Type of Change
+
+- [ ] New plugin/power/tool
+- [ ] Bug fix
+- [ ] Enhancement to existing content
+- [ ] Documentation update
+- [ ] Guardrail/CI update
+
+## Team Folder
+
+<!-- Which top-level folder does this PR affect? -->
+
+- [ ] `migrate/`
+- [ ] Other: ___
+
+## Checklist
+
+- [ ] I have read the [CONTRIBUTING.md](../CONTRIBUTING.md) guidelines
+- [ ] My changes do not include hardcoded secrets, credentials, or internal-only content
+- [ ] I have run `mise run build` locally and it passes
+- [ ] I have updated documentation if needed
+- [ ] My changes are scoped to my team's folder only

.github/workflows/build.yml

@@ -0,0 +1,51 @@
+name: Build
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+
+permissions:
+  actions: none
+  contents: none
+
+jobs:
+  build:
+    permissions:
+      actions: read
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Setup mise
+        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
+        with:
+          cache: true
+
+      - name: Build
+        run: mise run build
+
+      - name: Find mutations
+        id: self_mutation
+        run: |-
+          git add .
+          git diff --staged --patch --exit-code > repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Upload patch
+        if: steps.self_mutation.outputs.self_mutation_happened
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: repo.patch
+          path: repo.patch
+          overwrite: true
+
+      - name: Fail build on mutation
+        if: steps.self_mutation.outputs.self_mutation_happened
+        run: |-
+          echo "::error::Files were changed during build (see build log). Please run the build locally and commit the changes."
+          cat repo.patch
+          exit 1

.github/workflows/security-scanners.yml

@@ -0,0 +1,176 @@
+name: Security Scanners
+
+on:
+  schedule:
+    - cron: '12 15 * * *'
+  workflow_dispatch:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  actions: none
+  contents: none
+
+jobs:
+  gitleaks:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    env:
+      GITLEAKS_VERSION: "8.30.0"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Install gitleaks
+        run: |
+          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz;
+          sudo mv gitleaks /usr/local/bin/;
+          gitleaks --version;
+      - name: Run gitleaks
+        id: gitleaks
+        run: |
+          set +e
+          gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --report-path=gitleaks-report.sarif --report-format=sarif .
+          GITLEAKS_EXIT=$?
+          set -e
+          echo "exit_code=$GITLEAKS_EXIT" >> "$GITHUB_OUTPUT"
+          exit 0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: gitleaks.sarif
+          path: gitleaks-report.sarif
+          if-no-files-found: error
+      - uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
+        continue-on-error: true
+        with:
+          sarif_file: gitleaks-report.sarif
+      - if: steps.gitleaks.outputs.exit_code != '0'
+        run: |
+          echo "::error::gitleaks found secrets"
+          exit ${{ steps.gitleaks.outputs.exit_code }}
+
+  bandit:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.x'
+      - name: Run bandit
+        id: bandit
+        run: |
+          pip install "bandit[sarif]==1.9.3"
+          set +e
+          bandit -r . -f sarif -o bandit-report.sarif
+          BANDIT_EXIT=$?
+          set -e
+          echo "exit_code=$BANDIT_EXIT" >> "$GITHUB_OUTPUT"
+          exit 0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: bandit.sarif
+          path: bandit-report.sarif
+          if-no-files-found: error
+      - uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
+        continue-on-error: true
+        with:
+          sarif_file: bandit-report.sarif
+      - if: steps.bandit.outputs.exit_code != '0'
+        run: |
+          echo "::error::bandit found security issues"
+          exit ${{ steps.bandit.outputs.exit_code }}
+
+  semgrep:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.x'
+      - name: Run semgrep
+        id: semgrep
+        env:
+          BASELINE_SHA: ${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}
+        run: |
+          pip install "semgrep==1.151.0"
+          BASELINE_ARGS=""
+          if [ -n "$BASELINE_SHA" ]; then
+            BASELINE_ARGS="--baseline-commit $BASELINE_SHA"
+          fi
+          set +e
+          semgrep scan --oss-only --metrics=off --config=r/all \
+            --exclude-rule="ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop" \
+            --exclude-rule="ai.generic.detect-generic-ai-oai.detect-generic-ai-oai" \
+            --sarif-output semgrep-report.sarif $BASELINE_ARGS
+          SEMGREP_EXIT=$?
+          set -e
+          echo "exit_code=$SEMGREP_EXIT" >> "$GITHUB_OUTPUT"
+          exit 0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: semgrep.sarif
+          path: semgrep-report.sarif
+          if-no-files-found: error
+      - uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
+        continue-on-error: true
+        with:
+          sarif_file: semgrep-report.sarif
+      - if: steps.semgrep.outputs.exit_code != '0'
+        run: |
+          echo "::error::semgrep found security issues"
+          exit ${{ steps.semgrep.outputs.exit_code }}
+
+  checkov:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: '3.x'
+      - name: Run checkov
+        id: checkov
+        run: |
+          pip install "checkov==3.2.500"
+          set +e
+          checkov -d . --output sarif --output-file-path .
+          CHECKOV_EXIT=$?
+          mv results_sarif.sarif checkov-report.sarif || true
+          set -e
+          echo "exit_code=$CHECKOV_EXIT" >> "$GITHUB_OUTPUT"
+          exit 0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: always()
+        with:
+          name: checkov.sarif
+          path: checkov-report.sarif
+          if-no-files-found: error
+      - uses: github/codeql-action/upload-sarif@5e7a52feb2a3dfb87f88be2af33b9e2275f48de6 # v4.32.2
+        continue-on-error: true
+        with:
+          sarif_file: checkov-report.sarif
+      - if: steps.checkov.outputs.exit_code != '0'
+        run: |
+          echo "::error::checkov found IaC issues"
+          exit ${{ steps.checkov.outputs.exit_code }}

.github/workflows/stale.yml

@@ -0,0 +1,26 @@
+name: Stale Issues
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          stale-issue-message: >
+            This issue has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs within 7 days.
+          stale-pr-message: >
+            This PR has been automatically marked as stale because it has not had
+            recent activity. It will be closed if no further activity occurs within 7 days.
+          days-before-stale: 60
+          days-before-close: 7
+          stale-issue-label: stale
+          stale-pr-label: stale

.gitignore

@@ -0,0 +1,36 @@
+# Dependencies
+node_modules/
+
+# Build outputs
+dist/
+build/
+__pycache__/
+
+# Tool caches
+.dprint/
+.ruff_cache/
+.mise/
+
+# Temporary files
+.tmp/
+*.log
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Environment
+.env
+.env.local
+
+# Claude
+.claude/settings.local.json
+
+# Migration artifacts (generated at runtime by plugins)
+.migration/

.gitleaks-baseline.json

@@ -0,0 +1 @@
+[]

.gitleaks.toml

@@ -0,0 +1,14 @@
+# Gitleaks Configuration
+# https://github.com/gitleaks/gitleaks
+
+title = "gitleaks config"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Global allowlist"
+paths = [
+  '''\.gitleaksignore$''',
+  '''\.gitleaks-baseline\.json$''',
+]