Merge pull request #135 from mohitpali/main

Add workflows - security scans and other checks

.github/SECURITY.md

@@ -0,0 +1,6 @@
+## Reporting a Vulnerability
+
+If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security
+via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com.
+
+Please do **not** create a public GitHub issue.

.github/workflows/closed-issue-message.yml

@@ -0,0 +1,17 @@
+name: Closed Issue Message
+on:
+    issues:
+        types: [closed]
+jobs:
+    auto_comment:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: aws-actions/closed-issue-message@v1
+              with:
+                  # These inputs are both required
+                  repo-token: "${{ secrets.GITHUB_TOKEN }}"
+                  message: |
+                      ### ⚠️COMMENT VISIBILITY WARNING⚠️
+                      Comments on closed issues are hard for our team to see.
+                      If you need more assistance, please either tag a team member or open a new issue that references this one.
+                      If you wish to keep having a conversation with other community members under this issue feel free to do so.

.github/workflows/license-check.yml

@@ -0,0 +1,48 @@
+name: License Scan
+
+on: [pull_request]
+
+jobs:
+    licensescan:
+        name: License Scan
+        runs-on: ubuntu-latest
+        strategy:
+            matrix:
+                python-version: [3.9]
+
+        steps:
+            - name: Checkout target
+              uses: actions/checkout@v2
+              with:
+                  path: mskauthmain
+                  ref: ${{ github.base_ref }}
+            - name: Checkout this ref
+              uses: actions/checkout@v2
+              with:
+                  path: new-ref
+                  fetch-depth: 0
+            - name: Get Diff
+              run: git --git-dir ./new-ref/.git diff --name-only --diff-filter=ACMRT ${{ github.event.pull_request.base.sha }} ${{ github.sha }} > refDiffFiles.txt
+            - name: Get Target Files
+              run: git --git-dir ./mskauthmain/.git ls-files | grep -xf refDiffFiles.txt - > targetFiles.txt
+            - name: Checkout scancode
+              uses: actions/checkout@v2
+              with:
+                  repository: nexB/scancode-toolkit
+                  path: scancode-toolkit
+                  fetch-depth: 1
+            - name: Set up Python ${{ matrix.python-version }}
+              uses: actions/setup-python@v4
+              with:
+                  python-version: ${{ matrix.python-version }}
+            # ScanCode
+            - name: Self-configure scancode
+              working-directory: ./scancode-toolkit
+              run: ./scancode --help
+            - name: Run Scan code on pr ref
+              run: cat targetFiles.txt | while read filename; do echo ./mskauthmain/$filename; done | xargs ./scancode-toolkit/scancode -l -n 30 --json-pp - | grep short_name | sort | uniq >> old-licenses.txt
+            - name: Run Scan code on target
+              run: cat refDiffFiles.txt | while read filename; do echo ./new-ref/$filename; done | xargs ./scancode-toolkit/scancode -l -n 30 --json-pp - | grep short_name | sort | uniq >> new-licenses.txt
+            # compare
+            - name: License test
+              run: if ! cmp old-licenses.txt new-licenses.txt; then echo "Licenses differ! Failing."; exit -1; else echo "Licenses are the same. Success."; exit 0; fi

.github/workflows/securityscan.yml

@@ -0,0 +1,34 @@
+name: Security Scan
+
+on:
+    push:
+        branches: [ main ]
+    pull_request:
+        branches: [ main ]
+    schedule:
+        - cron: '00 11 * * 2'
+
+jobs:
+  securityscan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: TruffleHog Secrets Scanner
+        uses: trufflesecurity/trufflehog@v3.47.0
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+          extra_args: --debug --only-verified
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+            languages: java
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/stale_issue.yml

@@ -0,0 +1,45 @@
+name: "Close stale issues"
+
+# Controls when the action will run.
+on:
+    schedule:
+        - cron: "0 0 * * *"
+
+jobs:
+    cleanup:
+        runs-on: ubuntu-latest
+        name: Stale issue job
+        steps:
+            - uses: aws-actions/stale-issue-cleanup@v3
+              with:
+                  # Setting messages to an empty string will cause the automation to skip
+                  # that category
+                  ancient-issue-message: We have noticed this issue has not received attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.
+                  stale-issue-message: This issue has not received a response in 1 month. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
+                  stale-pr-message: Greetings! It looks like this PR hasn’t been active in longer than a month, add a comment or an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
+
+                  # These labels are required
+                  stale-issue-label: closing-soon
+                  exempt-issue-label: no-autoclose
+                  stale-pr-label: no-pr-activity
+                  exempt-pr-label: awaiting-approval
+                  response-requested-label: response-requested
+
+                  # Don't set closed-for-staleness label to skip closing very old issues
+                  # regardless of label
+                  closed-for-staleness-label: closed-for-staleness
+
+                  # Issue timing
+                  days-before-stale: 30
+                  days-before-close: 60
+                  days-before-ancient: 365
+
+                  # If you don't want to mark a issue as being ancient based on a
+                  # threshold of "upvotes", you can set this here. An "upvote" is
+                  # the total number of +1, heart, hooray, and rocket reactions
+                  # on an issue.
+                  minimum-upvotes-to-exempt: 1
+
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  # loglevel: DEBUG
+                  # Set dry-run to true to not perform label or close actions.

CODEOWNERS

@@ -0,0 +1,3 @@
+# Add core contributors to all PRs by default
+
+* @aws/amazon-managed-streaming-for-apache-kafka