From eef3948a9137eaa656fd59a6c817996a4ab65287 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 14:33:15 -0800 Subject: [PATCH 01/30] feat: add pre-commit, pull request template, and fixes Signed-off-by: Scott Schreckengaust --- .claude-plugin/marketplace.json | 34 ++++-- .../pull_request_template.md | 16 +++ .gitignore | 3 + .pre-commit-config.yaml | 78 ++++++++++++ dprint.json | 26 ++-- .../deploy-on-aws/.claude-plugin/plugin.json | 17 ++- plugins/deploy-on-aws/.mcp.json | 22 ++-- schemas/marketplace.schema.json | 100 ++++++++------- schemas/mcp.schema.json | 115 +++++++++++------- schemas/plugin.schema.json | 68 ++++++----- schemas/skill-frontmatter.schema.json | 77 ++++++------ 11 files changed, 360 insertions(+), 196 deletions(-) create mode 100644 .github/PULL_REQUEST_TEMPLATE/pull_request_template.md create mode 100644 .pre-commit-config.yaml diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 1492992a..d62dc067 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json 
@@ -1,22 +1,36 @@ { - "name": "awslabs-agent-plugins", - "owner": { - "name": "Amazon Web Services", - "email": "aws-agent-plugins@amazon.com" - }, "metadata": { "description": "Official AWS plugins for Claude Code, Cursor, and AI coding assistants.", "version": "1.0.0" }, + "name": "awslabs-agent-plugins", + "owner": { + "email": "aws-agent-plugins@amazon.com", + "name": "Amazon Web Services" + }, "plugins": [ { + "category": "deployment", + "description": "Deploy any application to AWS. Get architecture recommendations, cost estimates, and one-command deployment.", + "keywords": [ + "aws", + "aws agent skills", + "amazon", + "deploy", + "cdk", + "cloudformation", + "infrastructure", + "pricing" + ], "name": "deploy-on-aws", "source": "./plugins/deploy-on-aws", - "description": "Deploy any application to AWS. Get architecture recommendations, cost estimates, and one-command deployment.", - "version": "1.0.0", - "category": "deployment", - "tags": ["aws", "deploy", "infrastructure", "cdk"], - "keywords": ["aws", "aws agent skills", "amazon", "deploy", "cdk", "cloudformation", "infrastructure", "pricing"] + "tags": [ + "aws", + "deploy", + "infrastructure", + "cdk" + ], + "version": "1.0.0" } ] } diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md new file mode 100644 index 00000000..77f99e06 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md @@ -0,0 +1,16 @@ + + + +#### Related + + + + +#### Changes + + + + +#### Acknowledgment + +By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the [project license](https://github.com/awslabs/agent-plugins/blob/main/LICENSE). diff --git a/.gitignore b/.gitignore index 7d2b28a6..3c6f9ca9 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,6 @@ Thumbs.db # Environment .env .env.local + +# Claude +.claude/settings.local.json 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..d44ea636
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,78 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ - id: check-added-large-files
+ - id: check-ast
+ - id: check-builtin-literals
+ - id: check-case-conflict
+ - id: check-executables-have-shebangs
+ - id: check-illegal-windows-names
+ - id: check-json
+ - id: check-merge-conflict
+ - id: check-shebang-scripts-are-executable
+ - id: check-symlinks
+ - id: check-toml
+ - id: check-vcs-permalinks
+ - id: check-xml
+ - id: check-yaml
+ - id: debug-statements
+ - id: destroyed-symlinks
+ - id: detect-private-key
+ - id: end-of-file-fixer
+ exclude: |
+ (?x)^(
+ \.kiro/hooks/.*\.kiro\.hook|
+ \.kiro/settings/mcp\.json*
+ )$
+ - id: fix-byte-order-marker
+ - id: forbid-submodules
+ - id: forbid-new-submodules
+ - id: mixed-line-ending
+ - id: no-commit-to-branch
+ - id: pretty-format-json
+ exclude: |
+ (?x)^(
+ .*package-lock\.json|
+ \.kiro/settings/mcp\.json.*
+ )$
+ args: [ --autofix ]
+ - id: trailing-whitespace
+
+- repo: https://github.com/astral-sh/ruff-pre-commit
+ rev: v0.14.10
+ hooks:
+ - id: ruff-check
+ args: [ --fix, --exit-non-zero-on-fix ]
+ - id: ruff-format
+
+- repo: https://github.com/PyCQA/bandit
+ rev: 1.9.3
+ hooks:
+ - id: bandit
+ args: [ --baseline, .bandit-baseline.json ]
+
+- repo: https://github.com/semgrep/pre-commit
+ rev: v1.149.0
+ hooks:
+ - id: semgrep
+ args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'HEAD', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ]
+- repo: https://github.com/bridgecrewio/checkov
+ rev: 3.2.499
+ hooks:
+ - id: checkov
+
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.27.2
+ hooks:
+ - id: gitleaks
+
+- repo: local
+ hooks:
+ - id: act
+ name: act (GitHub Actions locally)
+ pass_filenames: false
+ language: system
+ entry: act
+ stages: [pre-push]
+ always_run: true
diff --git a/dprint.json b/dprint.json
index 94b35b25..865eaef7 100644
--- a/dprint.json
+++ b/dprint.json
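Review bot: Every hook in the new file is pinned to a mutable tag (`rev: v6.0.0`, `rev: v0.14.10`, `rev: 1.9.3`, `rev: v1.149.0`, `rev: 3.2.499`, `rev: v8.27.2`), so the secret-scanning and SAST hooks this config depends on can change underneath it if a tag is moved or re-published; pre-commit accepts a full commit SHA in `rev`, e.g. `rev: <full-commit-sha>  # v6.0.0`, and `pre-commit autoupdate --freeze` maintains that form. The `act` hook under `repo: local` combines `language: system` with `always_run: true`, so a push from a machine without `act` on PATH fails at the hook rather than skipping it; a one-line comment above the entry, `# requires act (https://github.com/nektos/act) on PATH`, would spare contributors a confusing failure. The semgrep `--sarif-output` target `.tmp/semgrep.sarif.json` is written into the working tree, and nothing in this series adds `.tmp/` to `.gitignore`, so presumably it is already ignored — worth confirming so a scan report is never committed.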
@@ -1,25 +1,25 @@ { "$schema": "https://dprint.dev/schemas/v0.json", - "lineWidth": 100, - "indentWidth": 2, - "useTabs": false, - "newLineKind": "lf", - "markdown": { - "lineWidth": 100, - "textWrap": "maintain" - }, - "json": { - "indentWidth": 2, - "lineWidth": 120 - }, "excludes": [ "**/node_modules/**", "**/.git/**", "**/dist/**", "**/.claude/docs/**" ], + "indentWidth": 2, + "json": { + "indentWidth": 2, + "lineWidth": 120 + }, + "lineWidth": 100, + "markdown": { + "lineWidth": 100, + "textWrap": "maintain" + }, + "newLineKind": "lf", "plugins": [ "https://plugins.dprint.dev/markdown-0.17.8.wasm", "https://plugins.dprint.dev/json-0.19.4.wasm" - ] + ], + "useTabs": false } diff --git a/plugins/deploy-on-aws/.claude-plugin/plugin.json b/plugins/deploy-on-aws/.claude-plugin/plugin.json index 3a20c039..8b378627 100644 --- a/plugins/deploy-on-aws/.claude-plugin/plugin.json +++ b/plugins/deploy-on-aws/.claude-plugin/plugin.json @@ -1,12 +1,19 @@ { - "name": "deploy-on-aws", - "description": "Deploy any application to AWS. Get architecture recommendations, cost estimates, and one-command deployment.", - "version": "1.0.0", "author": { "name": "Amazon Web Services" }, + "description": "Deploy any application to AWS. Get architecture recommendations, cost estimates, and one-command deployment.", "homepage": "https://github.com/awslabs/agent-plugins", - "repository": "https://github.com/awslabs/agent-plugins", + "keywords": [ + "aws", + "deploy", + "infrastructure", + "cdk", + "cloudformation", + "pricing" + ], "license": "Apache-2.0", - "keywords": ["aws", "deploy", "infrastructure", "cdk", "cloudformation", "pricing"] + "name": "deploy-on-aws", + "repository": "https://github.com/awslabs/agent-plugins", + "version": "1.0.0" } diff --git a/plugins/deploy-on-aws/.mcp.json b/plugins/deploy-on-aws/.mcp.json index 1173851e..0e201a27 100644 --- a/plugins/deploy-on-aws/.mcp.json +++ b/plugins/deploy-on-aws/.mcp.json 
@@ -1,22 +1,26 @@ { "mcpServers": { "awsiac": { - "command": "uvx", - "args": ["awslabs.aws-iac-mcp-server@latest"] + "args": [ + "awslabs.aws-iac-mcp-server@latest" + ], + "command": "uvx" + }, + "awsknowledge": { + "type": "http", + "url": "https://knowledge-mcp.global.api.aws" }, "awspricing": { - "type": "stdio", + "args": [ + "awslabs.aws-pricing-mcp-server@latest" + ], "command": "uvx", - "args": ["awslabs.aws-pricing-mcp-server@latest"], + "disabled": false, "env": { "FASTMCP_LOG_LEVEL": "ERROR" }, "timeout": 120000, - "disabled": false - }, - "awsknowledge": { - "url": "https://knowledge-mcp.global.api.aws", - "type": "http" + "type": "stdio" } } } diff --git a/schemas/marketplace.schema.json b/schemas/marketplace.schema.json index 836813b2..d42670c1 100644 --- a/schemas/marketplace.schema.json +++ b/schemas/marketplace.schema.json 
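Review bot: Both stdio servers are launched with a floating version, `"awslabs.aws-iac-mcp-server@latest"` and `"awslabs.aws-pricing-mcp-server@latest"`, so `uvx` resolves and runs whatever was most recently published each time the server starts, leaving the plugin with no stable pin for code that presumably runs with the user's AWS credentials. Pinning an explicit version, `"awslabs.aws-iac-mcp-server==<pinned-version>"`, and bumping it deliberately would match how the pre-commit hooks in this same commit are pinned. The `awsiac` entry also omits `"type"` and relies on the schema default of `"stdio"`; writing `"type": "stdio"` explicitly matches the `awspricing` entry and makes the schema's conditional `required` apply to it.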
@@ -1,47 +1,55 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://awslabs.github.io/agent-plugins/schemas/marketplace.schema.json", - "title": "Marketplace Registry", + "$schema": "http://json-schema.org/draft-07/schema#", "description": "Schema for marketplace.json registry file", - "type": "object", - "required": ["name", "owner", "metadata", "plugins"], "properties": { - "name": { - "type": "string", - "pattern": "^[a-z][a-z0-9-]*$" - }, - "owner": { - "type": "object", - "required": ["name"], + "metadata": { "properties": { - "name": { + "description": { "type": "string" }, - "email": { + "version": { "type": "string" } - } + }, + "type": "object" }, - "metadata": { - "type": "object", + "name": { + "pattern": "^[a-z][a-z0-9-]*$", + "type": "string" + }, + "owner": { "properties": { - "description": { + "email": { "type": "string" }, - "version": { + "name": { "type": "string" } - } + }, + "required": [ + "name" + ], + "type": "object" }, "plugins": { - "type": "array", "items": { - "type": "object", - "required": ["name", "source"], "properties": { + "category": { + "type": "string" + }, + "description": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, "name": { - "type": "string", - "pattern": "^[a-z][a-z0-9-]*$" + "pattern": "^[a-z][a-z0-9-]*$", + "type": "string" }, "source": { "oneOf": [ @@ -49,7 +57,6 @@ "type": "string" }, { - "type": "object", "properties": { "github": { "type": "string" 
@@ -57,33 +64,36 @@ "url": { "type": "string" } - } + }, + "type": "object" } ] }, - "description": { - "type": "string" - }, - "version": { - "type": "string" - }, - "category": { - "type": "string" - }, "tags": { - "type": "array", "items": { "type": "string" - } + }, + "type": "array" }, - "keywords": { - "type": "array", - "items": { - "type": "string" - } + "version": { + "type": "string" } - } - } + }, + "required": [ + "name", + "source" + ], + "type": "object" + }, + "type": "array" } - } + }, + "required": [ + "name", + "owner", + "metadata", + "plugins" + ], + "title": "Marketplace Registry", + "type": "object" } diff --git a/schemas/mcp.schema.json b/schemas/mcp.schema.json index c5f878df..a1ebc0c5 100644 --- a/schemas/mcp.schema.json +++ b/schemas/mcp.schema.json 
@@ -1,70 +1,95 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://awslabs.github.io/agent-plugins/schemas/mcp.schema.json", - "title": "MCP Configuration", + "$schema": "http://json-schema.org/draft-07/schema#", "description": "Schema for .mcp.json MCP server definitions", - "type": "object", - "required": ["mcpServers"], "properties": { "mcpServers": { - "type": "object", "additionalProperties": { - "type": "object", - "properties": { - "type": { - "type": "string", - "enum": ["stdio", "http"], - "default": "stdio" - }, - "command": { - "type": "string", - "description": "Command to execute (stdio type)" + "allOf": [ + { + "if": { + "properties": { + "type": { + "const": "stdio" + } + }, + "required": [ + "type" + ] + }, + "then": { + "required": [ + "command" + ] + } }, + { + "if": { + "properties": { + "type": { + "const": "http" + } + }, + "required": [ + "type" + ] + }, + "then": { + "required": [ + "url" + ] + } + } + ], + "properties": { "args": { - "type": "array", + "description": "Command arguments (stdio type)", "items": { "type": "string" }, - "description": "Command arguments (stdio type)" + "type": "array" }, - "url": { - "type": "string", - "description": "HTTP endpoint (http type)" + "command": { + "description": "Command to execute (stdio type)", + "type": "string" + }, + "disabled": { + "default": false, + "type": "boolean" }, "env": { - "type": "object", "additionalProperties": { "type": "string" }, - "description": "Environment variables" + "description": "Environment variables", + "type": "object" }, "timeout": { - "type": "integer", + "description": "Timeout in milliseconds", "minimum": 1000, - "description": "Timeout in milliseconds" + "type": "integer" }, - "disabled": { - "type": "boolean", - "default": false - } - }, - "allOf": [ - { - "if": { - "properties": { "type": { "const": "stdio" } }, - "required": ["type"] - }, - "then": { "required": ["command"] } + "type": { + "default": "stdio", + "enum": [ + "stdio", 
+ "http" + ], + "type": "string" }, - { - "if": { - "properties": { "type": { "const": "http" } }, - "required": ["type"] - }, - "then": { "required": ["url"] } + "url": { + "description": "HTTP endpoint (http type)", + "type": "string" } - ] - } + }, + "type": "object" + }, + "type": "object" } - } + }, + "required": [ + "mcpServers" + ], + "title": "MCP Configuration", + "type": "object" } diff --git a/schemas/plugin.schema.json b/schemas/plugin.schema.json index ef825dcb..ede1963b 100644 --- a/schemas/plugin.schema.json +++ b/schemas/plugin.schema.json 
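Review bot: The stdio branch of `allOf` only fires when `"type"` is present, because its `if` carries `"required": ["type"]`, so a server entry that omits `type` and relies on the declared `"default": "stdio"` is never required to have `"command"`; the `awsiac` entry in `plugins/deploy-on-aws/.mcp.json` in this same commit is exactly that shape. Dropping `"required": ["type"]` from the stdio `if` only makes the condition also match when `type` is absent (an absent property satisfies `properties`/`const` in draft-07), while the http branch keeps its `required` and so still fires only on `"type": "http"`. Separately, the server object declares no `"additionalProperties": false`, so a misspelled key such as a typo of `"command"` passes validation silently; consider adding it if the consuming tool accepts no other keys — hedged, since the intended strictness is not visible here.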
@@ -1,56 +1,58 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://awslabs.github.io/agent-plugins/schemas/plugin.schema.json", - "title": "Plugin Manifest", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": true, "description": "Schema for plugin.json files in AWS Agent Plugins", - "type": "object", - "required": ["name"], "properties": { - "name": { - "type": "string", - "description": "Plugin identifier (kebab-case)", - "pattern": "^[a-z][a-z0-9-]*$", - "minLength": 1, - "maxLength": 64 - }, - "description": { - "type": "string", - "description": "Brief plugin description", - "maxLength": 500 - }, - "version": { - "type": "string", - "description": "Semantic version", - "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(-[a-zA-Z0-9.-]+)?$" - }, "author": { - "type": "object", "properties": { - "name": { + "email": { "type": "string" }, - "email": { + "name": { "type": "string" } - } + }, + "type": "object" }, - "homepage": { + "description": { + "description": "Brief plugin description", + "maxLength": 500, "type": "string" }, - "repository": { + "homepage": { "type": "string" }, - "license": { - "type": "string", - "description": "SPDX license identifier" - }, "keywords": { - "type": "array", "items": { "type": "string" }, + "type": "array", "uniqueItems": true + }, + "license": { + "description": "SPDX license identifier", + "type": "string" + }, + "name": { + "description": "Plugin identifier (kebab-case)", + "maxLength": 64, + "minLength": 1, + "pattern": "^[a-z][a-z0-9-]*$", + "type": "string" + }, + "repository": { + "type": "string" + }, + "version": { + "description": "Semantic version", + "pattern": "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(-[a-zA-Z0-9.-]+)?$", + "type": "string" } }, - "additionalProperties": true + "required": [ + "name" + ], + "title": "Plugin Manifest", + "type": "object" } 
diff --git a/schemas/skill-frontmatter.schema.json b/schemas/skill-frontmatter.schema.json
index 61350aeb..b1c56cee 100644
--- a/schemas/skill-frontmatter.schema.json
+++ b/schemas/skill-frontmatter.schema.json
@@ -1,53 +1,58 @@ { - "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://awslabs.github.io/agent-plugins/schemas/skill-frontmatter.schema.json", - "title": "SKILL.md Frontmatter", + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": true, "description": "Schema for YAML frontmatter in SKILL.md files", - "type": "object", - "required": ["name", "description"], "properties": { - "name": { - "type": "string", - "pattern": "^[a-z][a-z0-9-]*$", - "maxLength": 64, - "description": "Skill name (kebab-case)" + "agent": { + "description": "Subagent type (when context: fork)", + "type": "string" }, - "description": { - "type": "string", - "minLength": 20, - "description": "When to use this skill (for auto-triggering)" + "allowed-tools": { + "description": "Comma-separated list of allowed tools", + "type": "string" }, "argument-hint": { - "type": "string", - "description": "Hint for expected arguments" + "description": "Hint for expected arguments", + "type": "string" }, - "disable-model-invocation": { - "type": "boolean", - "default": false, - "description": "Prevent Claude from auto-loading" + "context": { + "description": "Run in forked subagent context", + "enum": [ + "fork" + ], + "type": "string" }, - "user-invocable": { - "type": "boolean", - "default": true, - "description": "Show in slash command menu" + "description": { + "description": "When to use this skill (for auto-triggering)", + "minLength": 20, + "type": "string" }, - "allowed-tools": { - "type": "string", - "description": "Comma-separated list of allowed tools" + "disable-model-invocation": { + "default": false, + "description": "Prevent Claude from auto-loading", + "type": "boolean" }, "model": { - "type": "string", - "description": "Model to use when skill is active" + "description": "Model to use when skill is active", + "type": "string" }, - "context": { - "type": "string", - "enum": ["fork"], - "description": "Run in forked subagent context" + "name": { + 
"description": "Skill name (kebab-case)", + "maxLength": 64, + "pattern": "^[a-z][a-z0-9-]*$", + "type": "string" }, - "agent": { - "type": "string", - "description": "Subagent type (when context: fork)" + "user-invocable": { + "default": true, + "description": "Show in slash command menu", + "type": "boolean" } }, - "additionalProperties": true + "required": [ + "name", + "description" + ], + "title": "SKILL.md Frontmatter", + "type": "object" } From a4e56b77f8578c7af7dacf47aded338461af97ad Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 14:52:05 -0800 Subject: [PATCH 02/30] feat: add bandit baseline Signed-off-by: Scott Schreckengaust --- .bandit-baseline.json | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .bandit-baseline.json diff --git a/.bandit-baseline.json b/.bandit-baseline.json new file mode 100644 index 00000000..b5efe48a --- /dev/null +++ b/.bandit-baseline.json @@ -0,0 +1,20 @@ +{ + "errors": [], + "generated_at": "2026-02-05T22:50:21Z", + "metrics": { + "_totals": { + "CONFIDENCE.HIGH": 0, + "CONFIDENCE.LOW": 0, + "CONFIDENCE.MEDIUM": 0, + "CONFIDENCE.UNDEFINED": 0, + "SEVERITY.HIGH": 0, + "SEVERITY.LOW": 0, + "SEVERITY.MEDIUM": 0, + "SEVERITY.UNDEFINED": 0, + "loc": 0, + "nosec": 0, + "skipped_tests": 0 + } + }, + "results": [] +} From 937a7b688fdd20ae35c5fe4cb753355b66730c8f Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 14:53:59 -0800 Subject: [PATCH 03/30] fix: markdown lint Signed-off-by: Scott Schreckengaust --- .github/PULL_REQUEST_TEMPLATE/pull_request_template.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md index 77f99e06..b4b467d4 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md 
@@ -1,16 +1,13 @@ - #### Related - #### Changes - #### Acknowledgment By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the [project license](https://github.com/awslabs/agent-plugins/blob/main/LICENSE). From b40f2ad2899bab897f8ccaa0247b59622b7d8390 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 14:59:35 -0800 Subject: [PATCH 04/30] fix: change the baseline commit for semgrep Signed-off-by: Scott Schreckengaust --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d44ea636..5f7c5cab 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -56,7 +56,7 @@ repos: rev: v1.149.0 hooks: - id: semgrep - args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'HEAD', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ] + args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ] - repo: https://github.com/bridgecrewio/checkov rev: 3.2.499 hooks: From cb0a7ef61b4d72135f23020ea898813f1c63b187 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 15:02:04 -0800 Subject: [PATCH 05/30] chore: update pre-commit hooks Signed-off-by: Scott Schreckengaust --- .pre-commit-config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5f7c5cab..9c951f8f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: trailing-whitespace - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.14.10 + rev: v0.15.0 hooks: - id: ruff-check args: [ --fix, --exit-non-zero-on-fix ] 
@@ -53,17 +53,17 @@ repos: args: [ --baseline, .bandit-baseline.json ] - repo: https://github.com/semgrep/pre-commit - rev: v1.149.0 + rev: v1.151.0 hooks: - id: semgrep args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ] - repo: https://github.com/bridgecrewio/checkov - rev: 3.2.499 + rev: 3.2.500 hooks: - id: checkov - repo: https://github.com/gitleaks/gitleaks - rev: v8.27.2 + rev: v8.30.0 hooks: - id: gitleaks @@ -74,5 +74,5 @@ repos: pass_filenames: false language: system entry: act - stages: [pre-push] + stages: [manual] always_run: true From 2cc04909acc0c83f2d68b0d704cbeb0cfb2336fb Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 15:36:43 -0800 Subject: [PATCH 06/30] fix: validator cross refs for plugins Signed-off-by: Scott Schreckengaust --- tools/validate-cross-refs.cjs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/validate-cross-refs.cjs b/tools/validate-cross-refs.cjs index 24f3440e..584c0f38 100644 --- a/tools/validate-cross-refs.cjs +++ b/tools/validate-cross-refs.cjs @@ -76,9 +76,9 @@ function validatePlugin(plugin) { info(`Validating plugin: ${pluginName}`); // Determine plugin directory path - const source = plugin.source || `./${pluginName}`; - const normalizedSource = source.replace(/^\.\//, "").replace(/\/$/, ""); - const pluginDir = path.join(PLUGINS_ROOT, normalizedSource); + // source is relative to repo root (e.g., "./plugins/deploy-on-aws") + const source = plugin.source || `${PLUGINS_ROOT}/${pluginName}`; + const pluginDir = source.replace(/^\.\//, "").replace(/\/$/, ""); // Check 1: Plugin directory exists if (!fs.existsSync(pluginDir)) { From de2b3a5e4a1eb52b4fc07938f5e57bd20750e838 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 15:43:13 -0800 Subject: [PATCH 07/30] feat: add validate cross references to ci 
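Review bot: The new `pluginDir` is `plugin.source` with only a leading `./` and a trailing `/` stripped, so a `source` such as `../somewhere` or an absolute path passes `fs.existsSync(pluginDir)` and is validated as a plugin directory; the removed `path.join(PLUGINS_ROOT, …)` at least anchored the lookup under the plugins tree. `marketplace.schema.json` in this series also allows `source` to be an object (`github`/`url`), for which `source.replace` throws a TypeError instead of producing a validation message. A type guard and a containment check on the resolved path, placed before Check 1, address both; validatePlugin starts before and continues past this hunk, and its error-reporting helper is not visible here, so the fence names it only in a comment.
```javascript
  // source is relative to repo root (e.g., "./plugins/deploy-on-aws")
  const source = plugin.source || `${PLUGINS_ROOT}/${pluginName}`;
  if (typeof source !== "string") {
    // object-form sources (github/url) have no local directory to check
    // … report via the validator's existing error path, then return …
  }
  const pluginDir = source.replace(/^\.\//, "").replace(/\/$/, "");
  // refuse a source that resolves outside the plugins tree ("../x", "/abs")
  const resolvedRoot = path.resolve(PLUGINS_ROOT);
  if (!path.resolve(pluginDir).startsWith(resolvedRoot + path.sep)) {
    // … report via the validator's existing error path, then return …
  }
  // … unchanged: Check 1 (plugin directory exists) onward …
```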
Signed-off-by: Scott Schreckengaust --- .github/workflows/quality.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index 814c603c..ede97cb5 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -47,5 +47,8 @@ jobs: - name: Lint Markdown (includes SKILL.md validation) run: mise run lint:md + - name: Validate Cross Reference manifests + run: mise run lint:cross-refs + - name: Validate JSON manifests run: mise run lint:manifests From 3bdf0f1afef221ef55b09d0bf4c2e168d6fd2f46 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 15:47:38 -0800 Subject: [PATCH 08/30] feat: add advanced CodeQL Signed-off-by: Scott Schreckengaust --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..6dd4a3f8 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,101 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '23 14 * * 3'
+ workflow_dispatch:
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
From eca15b973d5e8d675835ea79b2d955f58334024c Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Thu, 5 Feb 2026 16:05:45 -0800
Subject: [PATCH 09/30] docs: add CODEOWNERS file
Signed-off-by: Scott Schreckengaust
---
 .github/CODEOWNERS | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/CODEOWNERS
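Review bot: `uses: actions/checkout@v4`, `uses: github/codeql-action/init@v4` and `uses: github/codeql-action/analyze@v4` reference floating major tags, so the code this workflow runs with `security-events: write` can change without any commit in this repository; pinning each to a full commit SHA with the version kept in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v4`, is what the Scorecard Pinned-Dependencies check added later in this series will report, and Dependabot still bumps SHA-pinned actions. The `# queries: security-extended,security-and-quality` line is left commented out, so only the default suite runs; if that is deliberate for alert-volume reasons a short comment saying so would stop the next reader from re-raising it. The template line `# â„šī¸ Command-line programs to run using the OS shell.` is mojibake from a non-UTF-8 round-trip of the `ℹ️` glyph; re-saving the file as UTF-8 (or replacing the glyph with plain text) keeps `check-yaml` and editors from tripping on it.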
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..d32d68bd
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,30 @@
+# [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#about-code-owners)
+
+## Default owners for everything in the repo
+
+* @awslabs/agent-plugins-admins @awslabs/agent-plugins-maintainers
+
+## Adminstrators
+
+.bandit-baseline.json @awslabs/agent-plugins-admins
+.claude-plugin/ @awslabs/agent-plugins-admins
+.github/ @awslabs/agent-plugins-admins
+.gitignore @awslabs/agent-plugins-admins
+.markdownlint-cli2.yaml @awslabs/agent-plugins-admins
+.pre-commit-config.yaml @awslabs/agent-plugins-admins
+AGENTS.md @awslabs/agent-plugins-admins
+CLAUDE.md @awslabs/agent-plugins-admins
+CODE_OF_CONDUCT.md @awslabs/agent-plugins-admins
+CONTRIBUTING.md @awslabs/agent-plugins-admins
+dprint.json @awslabs/agent-plugins-admins
+LICENSE @awslabs/agent-plugins-admins
+mise.toml @awslabs/agent-plugins-admins
+NOTICE @awslabs/agent-plugins-admins
+plugins/ @awslabs/agent-plugins-admins
+README.md @awslabs/agent-plugins-admins
+schemas/ @awslabs/agent-plugins-admins
+tools/ @awslabs/agent-plugins-admins
+
+## File must end with CODEOWNERS file
+
+.github/CODEOWNERS @awslabs/agent-plugins-admins
From bb3597133f609ec75157fc73bc0071f889d8466c Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Thu, 5 Feb 2026 17:00:56 -0800
Subject: [PATCH 10/30] feat: ignore more feature
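Review bot: CODEOWNERS applies the last matching rule, so every path under the `## Adminstrators` heading — including `plugins/`, `schemas/` and `tools/` — overrides the `*` default and drops `@awslabs/agent-plugins-maintainers`, leaving maintainers as required reviewers only for paths that are not enumerated; if maintainers are meant to review plugin and tool code, those rules need both teams, e.g. `plugins/ @awslabs/agent-plugins-admins @awslabs/agent-plugins-maintainers`. The heading itself is misspelled (`## Administrators`). The final `.github/CODEOWNERS` rule is already covered by the earlier `.github/` rule, so the `## File must end with CODEOWNERS file` comment reads as the rationale for a no-op; stating the intent, e.g. `# kept explicit so a later .github/ rule can never widen ownership of this file`, makes the rule self-explanatory.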
Signed-off-by: Scott Schreckengaust --- .github/guides/ADMINISTRATIVE_GUIDE.md | 36 +++ .github/guides/DEVELOPMENT_GUIDE.md | 28 ++ .github/guides/MAINTAINER_GUIDE.md | 28 ++ .github/workflows/merge-prevention.yml | 116 ++++++++ .github/workflows/pre-commit-requirements.txt | 93 +++++++ .github/workflows/pre-commit.yml | 57 ++++ .github/workflows/push.yml | 187 +++++++++++++ .github/workflows/scanners.yml | 258 ++++++++++++++++++ .github/workflows/scorecard-analysis.yml | 54 ++++ .github/workflows/stale.yml | 30 ++ .gitleaks-baseline.json | 1 + .gitleaks.toml | 29 ++ .gitleaksignore | 5 + CONTRIBUTING.md | 8 + 14 files changed, 930 insertions(+) create mode 100644 .github/guides/ADMINISTRATIVE_GUIDE.md create mode 100644 .github/guides/DEVELOPMENT_GUIDE.md create mode 100644 .github/guides/MAINTAINER_GUIDE.md create mode 100644 .github/workflows/merge-prevention.yml create mode 100644 .github/workflows/pre-commit-requirements.txt create mode 100644 .github/workflows/pre-commit.yml create mode 100644 .github/workflows/push.yml create mode 100644 .github/workflows/scanners.yml create mode 100644 .github/workflows/scorecard-analysis.yml create mode 100644 .github/workflows/stale.yml create mode 100644 .gitleaks-baseline.json create mode 100644 .gitleaks.toml create mode 100644 .gitleaksignore diff --git a/.github/guides/ADMINISTRATIVE_GUIDE.md b/.github/guides/ADMINISTRATIVE_GUIDE.md new file mode 100644 index 00000000..e453110a --- /dev/null +++ b/.github/guides/ADMINISTRATIVE_GUIDE.md 
@@ -0,0 +1,36 @@ +# Administrative Guide + +## Updating Pre-commit Hooks + +Pre-commit hooks should be updated periodically to get the latest versions and security fixes. + +### Update all hooks + +```bash +pre-commit autoupdate +``` + +### Update a specific hook + +```bash +pre-commit autoupdate --repo https://github.com/pre-commit/pre-commit-hooks +``` + +### After updating + +1. Review the changes to `.pre-commit-config.yaml` +2. Run hooks against all files to verify compatibility: + ```bash + pre-commit run --all-files + ``` +3. Commit the updated configuration + +## Gitleaks Baseline Management + +To update the gitleaks baseline with current findings: + +```bash +gitleaks detect --baseline-path .gitleaks-baseline.json --report-path .gitleaks-baseline.json +``` + +Note: If an issue is already ignored via inline comments (`# gitleaks:allow`) or `.gitleaksignore`, the baseline won't capture it. The baseline is useful for grandfathering in existing findings without requiring inline comments or ignore file entries. diff --git a/.github/guides/DEVELOPMENT_GUIDE.md b/.github/guides/DEVELOPMENT_GUIDE.md new file mode 100644 index 00000000..6c27db24 --- /dev/null +++ b/.github/guides/DEVELOPMENT_GUIDE.md 
@@ -0,0 +1,28 @@ +# Development Guide + +## Security Scanning + +### Gitleaks - Secret Detection + +This repository uses [gitleaks](https://github.com/gitleaks/gitleaks) to detect secrets and sensitive information in the codebase. + +#### Handling False Positives + +If gitleaks reports a false positive (e.g., example API keys in documentation, test fixtures), you can add it to the baseline file to suppress future warnings. + +1. Run gitleaks locally to generate the baseline: + ```bash + gitleaks git --config=.gitleaks.toml --report-format=json . > .gitleaks-baseline.json + ``` + +2. Review the generated file to ensure only legitimate false positives are included. + +3. Commit the updated `.gitleaks-baseline.json` file. + +#### Configuration + +Custom rules and allowlists are defined in `.gitleaks.toml`. Common customizations include: + +- Excluding paths (vendor directories, generated files) +- Allowlisting specific patterns or files +- Adding custom secret detection rules diff --git a/.github/guides/MAINTAINER_GUIDE.md b/.github/guides/MAINTAINER_GUIDE.md new file mode 100644 index 00000000..ea550b4d --- /dev/null +++ b/.github/guides/MAINTAINER_GUIDE.md 
@@ -0,0 +1,28 @@ +# Maintainer Guide + +## Pull Request Reviews + +- Review PRs for code quality, security, and adherence to project standards +- Ensure CI checks pass before merging +- Use squash merges to keep history clean + +## Release Management + +### Creating a Release + +1. Ensure all intended changes are merged to `main` +2. Update version numbers and changelog +3. Create a GitHub release with semantic versioning (e.g., `v1.2.0`) +4. Tag the release with release notes summarizing changes + +## Issue Triage + +- Label new issues appropriately (`bug`, `enhancement`, `question`, etc.) +- Close duplicates with a reference to the original issue +- Add `help wanted` or `good first issue` labels to encourage contributions + +## Branch Protection + +- Maintain branch protection rules on `main` +- Require PR reviews and passing CI before merge +- Do not bypass protections except in emergencies diff --git a/.github/workflows/merge-prevention.yml b/.github/workflows/merge-prevention.yml new file mode 100644 index 00000000..1bd9616b --- /dev/null +++ b/.github/workflows/merge-prevention.yml 
@@ -0,0 +1,116 @@ +--- +# This workflow is to prevent unintentional merges that cannot be accomplished by rulesets or other settings. +name: Merge Prevention +on: + pull_request: + types: + - opened + - reopened + - synchronize + - edited + - labeled + - unlabeled + merge_group: + types: + - checks_requested +permissions: + actions: none + attestations: none + checks: none + contents: none + deployments: none + discussions: none + id-token: none + issues: none + models: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none +env: + DO_NOT_MERGE_LABEL: ${{ vars.DO_NOT_MERGE_LABEL || 'do-not-merge' }} + HALT_MERGES: ${{ vars.HALT_MERGES || '0' }} +jobs: + get-pr-info: + permissions: + contents: read + pull-requests: read + # id-token: write + runs-on: ubuntu-latest + outputs: + pr_number: ${{ steps.get-pr.outputs.pr-number }} + pr_labels: ${{ steps.get-pr.outputs.pr-labels }} + env: + GH_TOKEN: ${{ github.token }} + PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels.*.name) }} + steps: + - name: Get PR info + id: get-pr + run: | + if [ "${{ github.event_name }}" == "merge_group" ]; then + PR_NUMBER=$(echo "${{ github.ref }}" | grep -oP '(?<=/pr-)\d+' || echo "") + PR_LABELS=$(gh api repos/Schreckengaust/mcp/pulls/2 | jq -c '[.labels[].name] // []') + echo "::group::Getting Information" + gh api repos/${{ github.repository }}/pulls/$PR_NUMBER + echo "::endgroup::" + elif [ "${{ github.event_name }}" == "pull_request" ]; then + PR_NUMBER="${{ github.event.pull_request.number }}" + PR_LABELS=$(echo "$PR_LABELS_JSON" | jq -c '.') + fi + echo "::group::Debug Output Values" + echo "PR_NUMBER: $PR_NUMBER" + echo "PR_LABELS: $PR_LABELS" + echo "::endgroup::" + echo "pr-number=$PR_NUMBER" >> $GITHUB_OUTPUT + echo "pr-labels=$PR_LABELS" >> $GITHUB_OUTPUT + check-merge-status: + runs-on: ubuntu-latest + needs: get-pr-info + if: always() + steps: + - run: | + PR_NUMBER="${{ 
needs.get-pr-info.outputs.pr_number }}" + # Default to 0 (allow all) if not set + if [ -z "$HALT_MERGES" ]; then + HALT_MERGES=0 + fi + echo "::debug::HALT_MERGES value: $HALT_MERGES" + echo "::debug::This PR number: $PR_NUMBER" + if [ "$HALT_MERGES" = "0" ]; then + echo "::notice::✅ All merges are allowed (HALT_MERGES=0)" + exit 0 + elif [ "$HALT_MERGES" = "$PR_NUMBER" ]; then + echo "::notice::✅ This PR #$PR_NUMBER is explicitly allowed" + exit 0 + else + echo "::debug::🛑 Merges are blocked. HALT_MERGES is set to $HALT_MERGES" + if [ "$HALT_MERGES" -lt 0 ]; then + echo "::error::All merges are blocked" + else + echo "::warning::Only PR #$HALT_MERGES is allowed to merge" + fi + exit 1 + fi + fail-by-label: + runs-on: ubuntu-latest + needs: get-pr-info + if: always() + steps: + - run: | + echo "::group::Debug Output Values" + echo "PR_LABELS: ${{ needs.get-pr-info.outputs.pr_labels }}" + echo "::endgroup::" + - name: When PR has the "${{ env.DO_NOT_MERGE_LABEL }}" label + id: pr-has-label + if: contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL) + run: | + echo "::error::❌ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is used to prevent merging." + exit 1 + - name: When PR does not have the "${{ env.DO_NOT_MERGE_LABEL }}" label + id: pr-missing-label + if: ! contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL) + run: | + echo "::notice::✅ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is absent" + exit 0 diff --git a/.github/workflows/pre-commit-requirements.txt b/.github/workflows/pre-commit-requirements.txt new file mode 100644 index 00000000..d75bcdc3 --- /dev/null +++ b/.github/workflows/pre-commit-requirements.txt 
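Review bot: In the merge_group branch of the `Get PR info` step, labels are fetched from a hard-coded foreign pull request, `gh api repos/Schreckengaust/mcp/pulls/2`, instead of the PR whose number was just extracted from `github.ref`, so the `do-not-merge` gate in `fail-by-label` is evaluated against the wrong PR whenever the workflow runs from a merge queue. Replace it with `PR_LABELS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUMBER" | jq -c '[.labels[].name] // []')` and fail the step when `$PR_NUMBER` is empty rather than continuing with an unset value. Separately, the condition `if: ! contains(...)` on the `pr-missing-label` step is not a negation as written: an expression that starts with `!` has to be wrapped, `if: ${{ !contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL) }}`, because YAML otherwise reads the leading `!` as a tag indicator and the step is gated on the unnegated `contains(...)`. The `[ "$HALT_MERGES" -lt 0 ]` comparison in `check-merge-status` also errors in bash if the repository variable holds a non-numeric value; validating it with a `case` pattern before the comparisons would make the blocking behaviour explicit.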
@@ -0,0 +1,93 @@ +# +# This file is autogenerated by pip-compile with Python 3.12 +# by the following command: +# +# pip-compile --generate-hashes --output-file=.github/workflows/pre-commit-requirements.txt --strip-extras .github/workflows/pre-commit-requirements.in +# +cfgv==3.4.0 \ + --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ + --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 + # via pre-commit +distlib==0.3.9 \ + --hash=sha256:47f8c22fd27c27e25a65601af709b38e4f0a45ea4fc2e710f65755fa8caaaf87 \ + --hash=sha256:a60f20dea646b8a33f3e7772f74dc0b2d0772d2837ee1342a00645c81edf9403 + # via virtualenv +filelock==3.20.1 \ + --hash=sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a \ + --hash=sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c + # via virtualenv +identify==2.6.12 \ + --hash=sha256:ad9672d5a72e0d2ff7c5c8809b62dfa60458626352fb0eb7b55e69bdc45334a2 \ + --hash=sha256:d8de45749f1efb108badef65ee8386f0f7bb19a7f26185f74de6367bffbaf0e6 + # via pre-commit +nodeenv==1.9.1 \ + --hash=sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f \ + --hash=sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9 + # via pre-commit +platformdirs==4.3.8 \ + --hash=sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc \ + --hash=sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4 + # via virtualenv +pre-commit==4.2.0 \ + --hash=sha256:601283b9757afd87d40c4c4a9b2b5de9637a8ea02eaff7adc2d0fb4e04841146 \ + --hash=sha256:a009ca7205f1eb497d10b845e52c838a98b6cdd2102a6c8e4540e94ee75c58bd + # via -r .github/workflows/pre-commit-requirements.in +pyyaml==6.0.2 \ + --hash=sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff \ + --hash=sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48 \ + --hash=sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086 \ + 
--hash=sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e \ + --hash=sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133 \ + --hash=sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5 \ + --hash=sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484 \ + --hash=sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee \ + --hash=sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5 \ + --hash=sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68 \ + --hash=sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a \ + --hash=sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf \ + --hash=sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99 \ + --hash=sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8 \ + --hash=sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85 \ + --hash=sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19 \ + --hash=sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc \ + --hash=sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a \ + --hash=sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1 \ + --hash=sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317 \ + --hash=sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c \ + --hash=sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631 \ + --hash=sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d \ + --hash=sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652 \ + --hash=sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5 \ + --hash=sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e \ + --hash=sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b \ + 
--hash=sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8 \ + --hash=sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476 \ + --hash=sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706 \ + --hash=sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563 \ + --hash=sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237 \ + --hash=sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b \ + --hash=sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083 \ + --hash=sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180 \ + --hash=sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425 \ + --hash=sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e \ + --hash=sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f \ + --hash=sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725 \ + --hash=sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183 \ + --hash=sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab \ + --hash=sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774 \ + --hash=sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725 \ + --hash=sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e \ + --hash=sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5 \ + --hash=sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d \ + --hash=sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290 \ + --hash=sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44 \ + --hash=sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed \ + --hash=sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4 \ + --hash=sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba \ + 
--hash=sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12 \ + --hash=sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4 + # via pre-commit +virtualenv==20.31.2 \ + --hash=sha256:36efd0d9650ee985f0cad72065001e66d49a6f24eb44d98980f630686243cf11 \ + --hash=sha256:e10c0a9d02835e592521be48b332b6caee6887f332c111aa79a09b9e79efc2af + # via pre-commit diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml new file mode 100644 index 00000000..bb2d76f6 --- /dev/null +++ b/.github/workflows/pre-commit.yml 
@@ -0,0 +1,57 @@ +name: pre-commit + +on: + pull_request: + push: +permissions: {} +jobs: + detect-precommit: + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + precommits: ${{ steps.find-precommit.outputs.precommits }} + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - name: Find precommit configurations + id: find-precommit + working-directory: . + run: | + PRECOMMITS=$(find . -name ".pre-commit-config.yaml" -exec dirname {} \; | sed 's/^\.\///' | jq -R -s -c 'split("\n")[:-1]') + echo "precommits=$PRECOMMITS" >> $GITHUB_OUTPUT + + pre-commit: + needs: [detect-precommit] + if: ${{ needs.detect-precommit.outputs.precommits != '[]' && needs.detect-precommit.outputs.precommits != '' }} + strategy: + fail-fast: false + matrix: + precommit: ${{ fromJson(needs.detect-precommit.outputs.precommits) }} + name: Precommit ${{ matrix.precommit }} + defaults: + run: + shell: bash + working-directory: ${{ matrix.precommit }} + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 + with: + python-version-file: ${{ matrix.precommit }}/.python-version + - run: | + echo "github.workspace=${{ github.workspace }}" + echo "env.GITHUB_WORKSPACE=${{ env.GITHUB_WORKSPACE }}" + echo "vars.GITHUB_WORKSPACE=${{ vars.GITHUB_WORKSPACE }}" + python -m pip install --require-hashes --requirement ${{ github.workspace }}/.github/workflows/pre-commit-requirements.txt + python -m pip freeze --local + - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1 + with: + path: ~/.cache/pre-commit + key: pre-commit-3|${{ runner.os }}|${{ hashFiles(matrix.precommit) }} + - name: Set SKIP variable for main branch + if: github.ref == 'refs/heads/main' + run: echo "SKIP=no-commit-to-branch" >> $GITHUB_ENV + - run: SKIP="$SKIP" pre-commit run --show-diff-on-failure 
--color=always --all-files + working-directory: ${{ matrix.precommit }} diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 00000000..552d3ca3 --- /dev/null +++ b/.github/workflows/push.yml 
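Review bot: The cache key `pre-commit-3|${{ runner.os }}|${{ hashFiles(matrix.precommit) }}` passes the matrix directory path to `hashFiles` rather than a file pattern, so the key does not change when the hook configuration changes and stale hook environments are restored; `key: pre-commit-3|${{ runner.os }}|${{ hashFiles(format('{0}/.pre-commit-config.yaml', matrix.precommit)) }}` keys it on the file that actually determines the environments. Both `actions/checkout` steps serve a lint-only job and do not need the workflow token left in `.git/config`; adding `persist-credentials: false` under `with:`, as `scorecard-analysis.yml` in this series already does, keeps the token away from any hook that executes repository code. The `python-version-file: ${{ matrix.precommit }}/.python-version` input presumes a `.python-version` file in every matched directory, which this diff does not add; if that is intentional, a comment on the step saying so would save the next reader a failed run. The `#v6.0.1`-style pin comments on the three `uses:` lines are missing the space after `#` that the other workflows in the series use.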
@@ -0,0 +1,187 @@ +name: CI + +on: + push: + branches: ["*"] + pull_request: + branches: [main] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +env: + PYTHON_VERSION: "3.12" + +jobs: + # =========================================================================== + # BUILD: Linting, formatting, security scanning via pre-commit + # =========================================================================== + build: + name: Build & Lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Cache pre-commit + uses: actions/cache@v4 + with: + path: ~/.cache/pre-commit + key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }} + restore-keys: | + pre-commit-${{ runner.os }}- + + - name: Install pre-commit + run: pip install pre-commit + + - name: Run pre-commit (linting + security) + run: | + # Skip hooks not applicable in CI: + # - no-commit-to-branch: CI can commit to any branch + # - gitleaks: uses Go proxy which has network issues in act; + # gitleaks-action in security job does full history scan instead + SKIP=no-commit-to-branch,gitleaks pre-commit run --all-files + + # =========================================================================== + # TEST: Unit, Integration, E2E tests + # =========================================================================== + test-unit: + name: Unit Tests + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: ${{ env.PYTHON_VERSION }} + + # TODO: Install dependencies + # - name: Install dependencies + # run: | + # pip install -e ".[test]" + # # or: npm ci + # # or: uv sync --frozen + + - name: Run unit tests + run: | + echo "TODO: Add unit tests" + # pytest tests/unit/ --cov --cov-report=xml 
+ # npm run test:unit + # uv run pytest tests/unit/ + + test-integration: + name: Integration Tests + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: ${{ env.PYTHON_VERSION }} + + # TODO: Install dependencies and set up services + # services: + # postgres: + # image: postgres:16 + # env: + # POSTGRES_PASSWORD: postgres + # ports: + # - 5432:5432 + + - name: Run integration tests + run: | + echo "TODO: Add integration tests" + # pytest tests/integration/ + # npm run test:integration + + test-e2e: + name: E2E Tests + runs-on: ubuntu-latest + needs: build + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: ${{ env.PYTHON_VERSION }} + + # TODO: Install dependencies and browser drivers + # - name: Install Playwright + # run: npx playwright install --with-deps + + - name: Run E2E tests + run: | + echo "TODO: Add E2E tests" + # npx playwright test + # pytest tests/e2e/ + + # =========================================================================== + # SECURITY: Additional security scanning (beyond pre-commit) + # =========================================================================== + security: + name: Security Scan + runs-on: ubuntu-latest + needs: build + permissions: + security-events: write + contents: read + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run gitleaks (full history) + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_CONFIG: .gitleaks.toml + GITLEAKS_ENABLE_COMMENTS: false + with: + extra_args: --baseline-path=.gitleaks-baseline.json + continue-on-error: true + + # TODO: Add CodeQL for supported languages + # - name: Initialize CodeQL + # uses: github/codeql-action/init@v3 + # with: + # languages: python, javascript + # + # - name: Perform CodeQL Analysis + # uses: 
github/codeql-action/analyze@v3 + + # =========================================================================== + # DEPLOY: Deployment placeholder + # =========================================================================== + deploy: + name: Deploy + runs-on: ubuntu-latest + needs: [test-unit, test-integration, test-e2e, security] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + environment: production + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Deploy placeholder + run: | + echo "TODO: Add deployment steps" + echo "Branch: ${{ github.ref_name }}" + echo "Commit: ${{ github.sha }}" + # Examples: + # - Deploy to Vercel: npx vercel --prod + # - Deploy to AWS: aws s3 sync ./dist s3://bucket + # - Deploy to Kubernetes: kubectl apply -f k8s/ + # - Deploy to Docker: docker push image:tag diff --git a/.github/workflows/scanners.yml b/.github/workflows/scanners.yml new file mode 100644 index 00000000..3f6ebaa6 --- /dev/null +++ b/.github/workflows/scanners.yml 
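Review bot: Every action in this workflow is referenced by a floating tag (`actions/checkout@v4`, `actions/setup-python@v5`, `actions/cache@v4`, `gitleaks/gitleaks-action@v2`) and pre-commit is installed with an unpinned `pip install pre-commit`, while `pre-commit.yml` and `scanners.yml` in the same series pin actions to commit SHAs and install from the hash-locked requirements file; for a workflow whose `deploy` job has access to the `production` environment the pins should match the stricter siblings, e.g. `run: python -m pip install --require-hashes --requirement .github/workflows/pre-commit-requirements.txt`. The `security` job cannot act as a gate because the gitleaks step carries `continue-on-error: true`, so `deploy` (`needs: [..., security]`) proceeds even when a secret is reported; either drop `continue-on-error` or add a following step that fails on the action's outcome. The workflow also has no top-level `permissions:` block, unlike the other workflows in this series that start from `permissions: {}`, so `build`, the `test-*` jobs and `deploy` run with the repository's default token scopes. Finally, `push: branches: ["*"]` together with `pull_request: branches: [main]` runs the whole pipeline twice for each push to a PR branch, and the `concurrency` group keyed on `github.ref` does not dedupe across the two event types.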
@@ -0,0 +1,258 @@ +on: + schedule: + # Daily at 15:12 UTC (random time to avoid GitHub Actions load spikes) + - cron: '12 15 * * *' + push: + pull_request: + workflow_dispatch: +permissions: + actions: none + attestations: none + checks: none + contents: none + deployments: none + discussions: none + id-token: none + issues: none + models: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none +jobs: + gitleaks: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + env: + GITLEAKS_VERSION: "8.30.0" + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + - name: Install gitleaks + run: | + curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz; + sudo mv gitleaks /usr/local/bin/; + gitleaks --version; + - name: Run gitleaks (full history) + run: | + gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --report-path=gitleaks-report_sarif.json --report-format=sarif . 
|| true + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + if: always() + with: + name: gitleaks.sarif + path: gitleaks-report_sarif.json + if-no-files-found: ignore + - uses: github/codeql-action/upload-sarif@57eebf61a2246ab60a0c2f5a85766db783ad3553 # v3.28.15 + continue-on-error: true + with: + sarif_file: gitleaks-report_sarif.json + bandit: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 + continue-on-error: true + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + if: always() + with: + name: bandit.sarif + path: results.sarif + if-no-files-found: error + semgrep: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 # Required for baseline comparison + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 + with: + python-version: '3.13' + cache: 'pip' + - run: pip install "semgrep==1.149.0" #TODO: use hash installation + - name: Run semgrep + id: semgrep + env: + # For PRs: base SHA; for push to default branch: empty + BASELINE_SHA: ${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }} + run: | + BASELINE_ARGS="" + if [ -n "$BASELINE_SHA" ]; then + BASELINE_ARGS="--baseline-commit $BASELINE_SHA" + fi + + # Run semgrep, capture exit code + set +e + semgrep scan --oss-only --verbose --metrics=off --config=r/all --sarif-output semgrep.sarif.json $BASELINE_ARGS + SEMGREP_EXIT=$? 
+ set -e + + echo "exit_code=$SEMGREP_EXIT" >> "$GITHUB_OUTPUT" + + # Exit 0 for now to allow artifact upload + exit 0 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: semgrep.sarif + path: semgrep.sarif.json + if-no-files-found: error + - uses: github/codeql-action/upload-sarif@57eebf61a2246ab60a0c2f5a85766db783ad3553 # v3.28.15 + continue-on-error: true + with: + sarif_file: semgrep.sarif.json + - if: steps.semgrep.outputs.exit_code != '0' + run: | + echo "::error::semgrep found new security issues" + exit ${{ steps.semgrep.outputs.exit_code }} + clamav: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + services: + clamav: + image: clamav/clamav@sha256:a56287b4ffa299bde2ef09234cb8b6134d591d0be05b63f5065932dc93cb2435 + ports: + - 3310:3310 + options: >- + --health-cmd "/usr/local/bin/clamdcheck.sh" + --health-interval 10s + --health-timeout 5s + --health-retries 10 + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Wait for ClamAV service + run: timeout 300 bash -c 'until echo > /dev/tcp/localhost/3310; do sleep 5; done' 2>/dev/null + - run: | + sudo apt-get update || true + sudo rm -f /var/lib/man-db/auto-update + sudo apt-get install -y --no-install-recommends clamdscan + sudo mkdir -p /etc/clamav + cat << EOF | sudo tee /etc/clamav/clamd.conf + TCPSocket 3310 + TCPAddr 127.0.0.1 + EOF + clamdscan --version + - run: | + clamdscan --verbose --log=clamdscan.txt --stream --fdpass --multiscan . 
+ - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + if: always() + with: + name: clamdscan.txt + path: clamdscan.txt + if-no-files-found: error + sonarqube: + runs-on: ubuntu-latest + services: + sonarqube: + image: sonarqube:community@sha256:48dd0e946ad6481dde43bb31d1a7af09c22f59be6399b195dcce7b87d82c5f40 + ports: + - 9000:9000 + env: + SONAR_ES_BOOTSTRAP_CHECKS_DISABLE: true + SONAR_WEB_SYSTEMPASSCODE: passcode # is it possible to make this dynamic? + options: >- + --health-cmd "status=$(wget -qO- http://localhost:9000/api/system/status | grep -oP '(?<=status\":\").*' | sed -e 's|\"}||' | tr -d '\n'); echo -n \"$status\"; test \"$status\" = \"UP\"" + --health-interval 10s + --health-timeout 5s + --health-retries 30 + steps: + # - if: always() + # run: | + # docker inspect $(docker ps -qf "ancestor=sonarqube:community@sha256:48dd0e946ad6481dde43bb31d1a7af09c22f59be6399b195dcce7b87d82c5f40") | jq '.[] | {"test": .Config.Healthcheck.Test, "state": .State.Health}' + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + - name: Wait for SonarQube to be ready + run: | + until curl --silent http://localhost:9000/api/system/status | jq -r '.status' | grep -q 'UP'; do + echo "Waiting for SonarQube..." + sleep 5 + done + echo "SonarQube is ready!" 
+ - name: Get SonarQube token + run: | + # Login and get token (default credentials: admin/admin) + SONAR_TOKEN=$(curl -s -u admin:admin -X POST "http://localhost:9000/api/user_tokens/generate?name=github-actions" \ # gitleaks:allow + | jq -r '.token') + echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_ENV + - name: SonarQube Info + run: | + curl --silent --request GET \ + --url 'http://localhost:9000/api/server/version' \ + --header 'X-Sonar-Passcode: passcode' + curl --silent --request GET \ + --url 'http://localhost:9000/api/system/health' \ + --header 'X-Sonar-Passcode: passcode' | jq + curl --silent --request GET \ + --url 'http://localhost:9000/api/system/info' \ + --header 'Authorization: Bearer ${{ env.SONAR_TOKEN }}' | jq + + # TODO: Shouldn't the project be matching the repo and name? + - name: Create SonarQube project + run: | + # Create project + curl --silent --request POST \ + --url "http://localhost:9000/api/projects/create?project=my-project&name=MyProject" \ + --header 'Authorization: Bearer ${{ env.SONAR_TOKEN }}' + + - uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0 + id: sonarqube-scan-action + env: + SONAR_HOST_URL: http://localhost:9000 + SONAR_TOKEN: ${{ env.SONAR_TOKEN }} + with: + args: > + "-Dsonar.projectName=MyProject" + -Dsonar.projectKey=my-project + -Dsonar.sources=. + -Dsonar.verbose=true + + # If you wish to fail your job when the Quality Gate is red, uncomment the + # following lines. This would typically be used to fail a deployment. + - uses: SonarSource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b # v1.2.0 + id: sonarqube-quality-gate-check + timeout-minutes: 5 # why 4 minutes? + env: + SONAR_HOST_URL: http://localhost:9000 + SONAR_TOKEN: ${{ env.SONAR_TOKEN }} + + # Use the output from the Quality Gate in another step. + # The possible outputs of the `quality-gate-status` variable are `PASSED`, `WARN`, or `FAILED`. 
+ - name: "Example show SonarQube Quality Gate Status value" + if: always() + run: | + echo "The Quality Gate status is ${{ steps.sonarqube-quality-gate-check.outputs.quality-gate-status }}" + find . -name "report-task.txt" -print0 | xargs -0 -I{} cat {} + + - name: Get Issues + run: | + curl --silent --request GET \ + --url 'http://localhost:9000/api/issues/search?componentKeys=my-project&ps=500&p=1' \ + --header 'Authorization: Bearer ${{ env.SONAR_TOKEN }}' | tee sonar-issues.json | jq || exit 1 + + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + if: always() + with: + name: sonar-issues.json + path: sonar-issues.json + if-no-files-found: error + + # TODO: write a loop and write the JSON artifact out + # TODO: convert the artifact to a SARIF format + # http://localhost:9000/api/issues/search?componentKeys=AWS-Labs-MCP-Servers + # https://next.sonarqube.com/sonarqube/web_api/api/project_analyses/search diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml new file mode 100644 index 00000000..9a94108e --- /dev/null +++ b/.github/workflows/scorecard-analysis.yml 
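Review bot: The `Get SonarQube token` step cannot run as written: `\ # gitleaks:allow` at the end of the `curl -s -u admin:admin ...` line is an escaped space followed by a comment, not a line continuation, so the next line starts with a bare `|` and bash rejects the script with a syntax error; keeping the pipeline on one line, `SONAR_TOKEN=$(curl -s -u admin:admin -X POST "http://localhost:9000/api/user_tokens/generate?name=github-actions" | jq -r '.token') # gitleaks:allow`, fixes the shell and keeps the allow marker on the line gitleaks reports. The gitleaks install pipes an unverified tarball from `curl -sSfL ... | tar -xz` straight into `/usr/local/bin`; downloading the archive to disk and checking it with `echo "<EXPECTED_SHA256_PLACEHOLDER>  gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | sha256sum --check` before extracting gives the binary the same supply-chain guarantee the SHA-pinned `uses:` lines already give the actions. The `SONAR_TOKEN` exported to `$GITHUB_ENV` is never masked; even for a throwaway container, `echo "::add-mask::$SONAR_TOKEN"` before the export keeps it out of the job log. The `clamav` job requests `security-events: write` without uploading SARIF, and the `codeql-action/upload-sarif` pin here (`v3.28.15`) differs from the `v4.31.9` pin in `scorecard-analysis.yml`; dropping the unused scope and aligning the pins would match the least-privilege intent of the top-level `permissions` block.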
@@ -0,0 +1,54 @@ +name: Scorecard analysis workflow +on: + push: + branches: + - main + schedule: + # Weekly on Mondays at 3am Pacific (11:00 UTC) + - cron: '0 11 * * 1' + +permissions: {} + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: scorecard-results.sarif + results_format: sarif + # Scorecard team runs a weekly scan of public GitHub repos, + # see https://github.com/ossf/scorecard#public-data. + # Setting `publish_results: true` helps us scale by leveraging your workflow to + # extract the results instead of relying on our own infrastructure to run scans. + # And it's free for you! + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable + # uploads of run results in SARIF format to the repository Actions tab. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts + - name: "Upload artifact" + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: SARIF file + path: scorecard-results.sarif + retention-days: 14 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7 # v4.31.9 + with: + sarif_file: scorecard-results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml new file mode 100644 index 00000000..cb338a13 --- /dev/null +++ b/.github/workflows/stale.yml 
@@ -0,0 +1,30 @@ +name: stale +on: + schedule: + - cron: 0 1 * * * + workflow_dispatch: {} +permissions: {} +jobs: + stale: + runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write + steps: + - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1 + with: + days-before-stale: -1 + days-before-close: -1 + days-before-pr-stale: 14 + days-before-pr-close: 2 + stale-pr-message: This pull request is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label. + close-pr-message: Closing this pull request as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label. + stale-pr-label: stale + exempt-pr-labels: backlog + days-before-issue-stale: 60 + days-before-issue-close: 7 + stale-issue-message: This issue is now marked as stale because it hasn't seen activity for a while. Add a comment or it will be closed soon. If you wish to exclude this issue from being marked as stale, add the "backlog" label. + close-issue-message: Closing this issue as it hasn't seen activity for a while. Please add a comment @mentioning a maintainer to reopen. If you wish to exclude this issue from being marked as stale, add the "backlog" label. + stale-issue-label: stale + exempt-issue-labels: backlog diff --git a/.gitleaks-baseline.json b/.gitleaks-baseline.json new file mode 100644 index 00000000..fe51488c --- /dev/null +++ b/.gitleaks-baseline.json @@ -0,0 +1 @@ +[] diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..2d2cb5a4 --- /dev/null +++ b/.gitleaks.toml 
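Review bot: The `stale-pr-message` and `close-pr-message` texts tell the PR author how to "exclude this issue from being marked as stale", which reads as a copy of the issue messages; on a pull request the sentence should be `If you wish to exclude this pull request from being marked as stale, add the "backlog" label.`. The schedule `- cron: 0 1 * * *` is an unquoted plain scalar; it parses as a string here, but quoting it as `- cron: '0 1 * * *'` matches `scanners.yml` and `scorecard-analysis.yml` in this series and guards against a later edit that makes the value start with `*`.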
@@ -0,0 +1,29 @@
+# Gitleaks Configuration
+# https://github.com/gitleaks/gitleaks
+
+title = "gitleaks config"
+
+# Extend the default gitleaks configuration
+[extend]
+useDefault = true
+
+# Global allowlist patterns
+[allowlist]
+description = "Global allowlist"
+paths = [
+ '''\.gitleaksignore$''',
+ '''\.gitleaks-baseline\.json$''',
+]
+
+# Example: Add custom rules or override defaults
+# [[rules]]
+# id = "custom-api-key"
+# description = "Custom API Key Pattern"
+# regex = '''(?i)custom[_-]?api[_-]?key\s*[=:]\s*['"]?([a-zA-Z0-9]{32,})['"]?'''
+# keywords = ["custom", "api", "key"]
+
+# Example: Rule-specific allowlist
+# [[rules.allowlists]]
+# description = "Allow example keys in tests"
+# paths = ['''test/.*''', '''.*_test\.go$''']
+# regexTarget = "match"
diff --git a/.gitleaksignore b/.gitleaksignore new file mode 100644
index 00000000..8666bd15
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# https://github.com/gitleaks/gitleaks#gitleaksignore
+
+# SonarQube default credentials for local CI container (not real secrets)
+.github/workflows/scanners.yml:curl-auth-user:190
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b2a4fdd2..1d1611ac 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,6 +2,14 @@ Thank you for your interest in contributing to AWS Agent Plugins.
+## Role Guides
+
+Depending on your role, please review the appropriate guide for repository-specific instructions:
+
+- [Development Guide](.github/guides/DEVELOPMENT_GUIDE.md) - For contributors and developers
+- [Administrative Guide](.github/guides/ADMINISTRATIVE_GUIDE.md) - For repository administrators
+- [Maintainer Guide](.github/guides/MAINTAINER_GUIDE.md) - For project maintainers
+
 ## Reporting Bugs/Feature Requests We welcome you to use the GitHub issue tracker to report bugs or suggest features.
From 05a376310d7cf53fb6fedc871e51afa053fbf1bd Mon Sep 17 00:00:00 2001
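Review bot: The global allowlist exempts `.gitleaks-baseline.json` from scanning, but a gitleaks JSON report records the `Match` and `Secret` text of every finding it contains, so a real credential that is ever baselined is committed in plain text and, because of this entry, never reported again. The exemption is pragmatic (otherwise the baseline would flag itself), but the discipline it relies on should be written down next to it: add above `paths = [` a comment such as `# The baseline file is exempt because it quotes every finding it suppresses; regenerate it only after each finding has been reviewed as a false positive.` The same applies to `.gitleaksignore`, which holds fingerprints only and carries no secret text.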
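Review bot: The fingerprint `.github/workflows/scanners.yml:curl-auth-user:190` is keyed to a line number, so any insertion above it silently voids the exemption and the `admin:admin` login is reported again until someone notices; the later hunk on this page at `@@ -2,4 +2,4 @@` already has to bump it to `:198`. A fingerprint without a commit prefix also only matches in file/staged scan modes, so a full-history `gitleaks git` run, if one exists in the workflow, does not honour it. An allowlist bound to the command itself survives edits: under `[allowlist]` in `.gitleaks.toml` add `regexes = ['''-u admin:admin -X POST "http://localhost:9000''']` together with `regexTarget = "line"`, or restructure the curl so the line carrying `-u admin:admin` does not end in a continuation backslash and can take an inline `# gitleaks:allow`.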
From: Scott Schreckengaust Date: Thu, 5 Feb 2026 17:15:57 -0800 Subject: [PATCH 11/30] fix: stuff Signed-off-by: Scott Schreckengaust --- .github/guides/ADMINISTRATIVE_GUIDE.md | 2 ++ .github/guides/DEVELOPMENT_GUIDE.md | 1 + .github/workflows/scanners.yml | 6 +++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/guides/ADMINISTRATIVE_GUIDE.md b/.github/guides/ADMINISTRATIVE_GUIDE.md index e453110a..7a658137 100644 --- a/.github/guides/ADMINISTRATIVE_GUIDE.md +++ b/.github/guides/ADMINISTRATIVE_GUIDE.md @@ -20,9 +20,11 @@ pre-commit autoupdate --repo https://github.com/pre-commit/pre-commit-hooks 1. Review the changes to `.pre-commit-config.yaml` 2. Run hooks against all files to verify compatibility: + ```bash pre-commit run --all-files ``` + 3. Commit the updated configuration ## Gitleaks Baseline Management diff --git a/.github/guides/DEVELOPMENT_GUIDE.md b/.github/guides/DEVELOPMENT_GUIDE.md index 6c27db24..c618b76f 100644 --- a/.github/guides/DEVELOPMENT_GUIDE.md +++ b/.github/guides/DEVELOPMENT_GUIDE.md @@ -11,6 +11,7 @@ This repository uses [gitleaks](https://github.com/gitleaks/gitleaks) to detect If gitleaks reports a false positive (e.g., example API keys in documentation, test fixtures), you can add it to the baseline file to suppress future warnings. 1. Run gitleaks locally to generate the baseline: + ```bash gitleaks git --config=.gitleaks.toml --report-format=json . > .gitleaks-baseline.json ``` diff --git a/.github/workflows/scanners.yml b/.github/workflows/scanners.yml index 3f6ebaa6..b3c83b93 100644 --- a/.github/workflows/scanners.yml +++ b/.github/workflows/scanners.yml 
@@ -78,11 +78,15 @@ jobs: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 # Required for baseline comparison + - run: | + echo "semgrep==1.149.0" > requirements.txt - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: '3.13' cache: 'pip' - - run: pip install "semgrep==1.149.0" #TODO: use hash installation + - run: | + pip install -r requirements.txt + rm requirements.txt - name: Run semgrep id: semgrep env: From 3d248fc220a5ef4f0f6719f0f189fa1bbc29aa34 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 17:18:47 -0800 Subject: [PATCH 12/30] fix: remove push Signed-off-by: Scott Schreckengaust --- .github/workflows/push.yml | 187 ------------------------------------- 1 file changed, 187 deletions(-) delete mode 100644 .github/workflows/push.yml diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml deleted file mode 100644 index 552d3ca3..00000000 --- a/.github/workflows/push.yml +++ /dev/null 
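Review bot: `echo "semgrep==1.149.0" > requirements.txt` writes into the checkout root, so if this repository ever gains a real `requirements.txt` the step overwrites it and the later `rm requirements.txt` deletes it; the new code also drops the `#TODO: use hash installation` reminder without adding the hash check it asked for. The pre-commit workflow on this page already has the right shape, `python -m pip install --require-hashes --requirement <committed file>`; committing a hash-pinned `semgrep-requirements.txt` under `.github/workflows/` (constructed name) and installing from it gives `cache: 'pip'` a stable file to hash via `cache-dependency-path` and restores integrity checking in one move. The job header and the steps that consume the installed tool are outside the hunk.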
@@ -1,187 +0,0 @@ -name: CI - -on: - push: - branches: ["*"] - pull_request: - branches: [main] - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -env: - PYTHON_VERSION: "3.12" - -jobs: - # =========================================================================== - # BUILD: Linting, formatting, security scanning via pre-commit - # =========================================================================== - build: - name: Build & Lint - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.PYTHON_VERSION }} - - - name: Cache pre-commit - uses: actions/cache@v4 - with: - path: ~/.cache/pre-commit - key: pre-commit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }} - restore-keys: | - pre-commit-${{ runner.os }}- - - - name: Install pre-commit - run: pip install pre-commit - - - name: Run pre-commit (linting + security) - run: | - # Skip hooks not applicable in CI: - # - no-commit-to-branch: CI can commit to any branch - # - gitleaks: uses Go proxy which has network issues in act; - # gitleaks-action in security job does full history scan instead - SKIP=no-commit-to-branch,gitleaks pre-commit run --all-files - - # =========================================================================== - # TEST: Unit, Integration, E2E tests - # =========================================================================== - test-unit: - name: Unit Tests - runs-on: ubuntu-latest - needs: build - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.PYTHON_VERSION }} - - # TODO: Install dependencies - # - name: Install dependencies - # run: | - # pip install -e ".[test]" - # # or: npm ci - # # or: uv sync --frozen - - - name: Run unit tests - run: | - echo "TODO: Add unit tests" - # pytest tests/unit/ --cov --cov-report=xml 
- # npm run test:unit - # uv run pytest tests/unit/ - - test-integration: - name: Integration Tests - runs-on: ubuntu-latest - needs: build - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.PYTHON_VERSION }} - - # TODO: Install dependencies and set up services - # services: - # postgres: - # image: postgres:16 - # env: - # POSTGRES_PASSWORD: postgres - # ports: - # - 5432:5432 - - - name: Run integration tests - run: | - echo "TODO: Add integration tests" - # pytest tests/integration/ - # npm run test:integration - - test-e2e: - name: E2E Tests - runs-on: ubuntu-latest - needs: build - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: ${{ env.PYTHON_VERSION }} - - # TODO: Install dependencies and browser drivers - # - name: Install Playwright - # run: npx playwright install --with-deps - - - name: Run E2E tests - run: | - echo "TODO: Add E2E tests" - # npx playwright test - # pytest tests/e2e/ - - # =========================================================================== - # SECURITY: Additional security scanning (beyond pre-commit) - # =========================================================================== - security: - name: Security Scan - runs-on: ubuntu-latest - needs: build - permissions: - security-events: write - contents: read - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Run gitleaks (full history) - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_CONFIG: .gitleaks.toml - GITLEAKS_ENABLE_COMMENTS: false - with: - extra_args: --baseline-path=.gitleaks-baseline.json - continue-on-error: true - - # TODO: Add CodeQL for supported languages - # - name: Initialize CodeQL - # uses: github/codeql-action/init@v3 - # with: - # languages: python, javascript - # - # - name: Perform CodeQL Analysis - # uses: 
github/codeql-action/analyze@v3 - - # =========================================================================== - # DEPLOY: Deployment placeholder - # =========================================================================== - deploy: - name: Deploy - runs-on: ubuntu-latest - needs: [test-unit, test-integration, test-e2e, security] - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - environment: production - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Deploy placeholder - run: | - echo "TODO: Add deployment steps" - echo "Branch: ${{ github.ref_name }}" - echo "Commit: ${{ github.sha }}" - # Examples: - # - Deploy to Vercel: npx vercel --prod - # - Deploy to AWS: aws s3 sync ./dist s3://bucket - # - Deploy to Kubernetes: kubectl apply -f k8s/ - # - Deploy to Docker: docker push image:tag From 8c554c9fd1f661aa9992709da24a41ccfdbb773b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 17:30:35 -0800 Subject: [PATCH 13/30] fix: unmatrix pre-commit Signed-off-by: Scott Schreckengaust --- .github/workflows/pre-commit.yml | 36 ++------------------------------ .github/workflows/scanners.yml | 4 ++++ 2 files changed, 6 insertions(+), 34 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index bb2d76f6..35076bb7 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml 
@@ -5,53 +5,21 @@ on: push: permissions: {} jobs: - detect-precommit: - runs-on: ubuntu-latest - permissions: - contents: read - outputs: - precommits: ${{ steps.find-precommit.outputs.precommits }} - steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - - name: Find precommit configurations - id: find-precommit - working-directory: . - run: | - PRECOMMITS=$(find . -name ".pre-commit-config.yaml" -exec dirname {} \; | sed 's/^\.\///' | jq -R -s -c 'split("\n")[:-1]') - echo "precommits=$PRECOMMITS" >> $GITHUB_OUTPUT - pre-commit: - needs: [detect-precommit] - if: ${{ needs.detect-precommit.outputs.precommits != '[]' && needs.detect-precommit.outputs.precommits != '' }} - strategy: - fail-fast: false - matrix: - precommit: ${{ fromJson(needs.detect-precommit.outputs.precommits) }} - name: Precommit ${{ matrix.precommit }} - defaults: - run: - shell: bash - working-directory: ${{ matrix.precommit }} runs-on: ubuntu-latest permissions: contents: read steps: - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 - with: - python-version-file: ${{ matrix.precommit }}/.python-version - run: | - echo "github.workspace=${{ github.workspace }}" - echo "env.GITHUB_WORKSPACE=${{ env.GITHUB_WORKSPACE }}" - echo "vars.GITHUB_WORKSPACE=${{ vars.GITHUB_WORKSPACE }}" python -m pip install --require-hashes --requirement ${{ github.workspace }}/.github/workflows/pre-commit-requirements.txt python -m pip freeze --local - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1 with: path: ~/.cache/pre-commit - key: pre-commit-3|${{ runner.os }}|${{ hashFiles(matrix.precommit) }} + key: pre-commit-3|${{ runner.os }} - name: Set SKIP variable for main branch if: github.ref == 'refs/heads/main' run: echo "SKIP=no-commit-to-branch" >> $GITHUB_ENV - run: SKIP="$SKIP" 
pre-commit run --show-diff-on-failure --color=always --all-files - working-directory: ${{ matrix.precommit }} diff --git a/.github/workflows/scanners.yml b/.github/workflows/scanners.yml index b3c83b93..a4e391a0 100644 --- a/.github/workflows/scanners.yml +++ b/.github/workflows/scanners.yml @@ -160,6 +160,10 @@ jobs: path: clamdscan.txt if-no-files-found: error sonarqube: + permissions: + actions: read + contents: read + security-events: write runs-on: ubuntu-latest services: sonarqube: From 6c8ef528c7b02b86c596392817e6ea2093382943 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 17:38:56 -0800 Subject: [PATCH 14/30] fix: gitleaks ignore Signed-off-by: Scott Schreckengaust --- .github/ISSUE_TEMPLATE/bug_report.yml | 4 ++-- .github/ISSUE_TEMPLATE/documentation.yml | 2 +- .github/workflows/scanners.yml | 2 +- .gitleaksignore | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 4ffbdf0a..5ca9b637 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -30,7 +30,7 @@ body: label: Current Behavior description: | What actually happened? - + Please include full errors, uncaught exceptions, stack traces, and relevant logs. If service responses are relevant, please include wire logs. validations: @@ -42,7 +42,7 @@ body: description: | Provide a self-contained, concise snippet of code that can be used to reproduce the issue. For more complex issues provide a repo with the smallest sample that reproduces the bug. - + Avoid including business logic or unrelated code, it makes diagnosis more difficult. The code sample should be an SSCCE. See http://sscce.org/ for details. In short, please provide a code sample that we can copy/paste, run and reproduce. validations: diff --git a/.github/ISSUE_TEMPLATE/documentation.yml b/.github/ISSUE_TEMPLATE/documentation.yml index 166f3161..75d8a001 100644 
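Review bot: The new cache key `key: pre-commit-3|${{ runner.os }}` no longer includes the config hash that the removed line had (`hashFiles(matrix.precommit)`); `actions/cache` only saves on a miss, so the cache is written once and never refreshed, and every subsequent hook bump in `.pre-commit-config.yaml` is rebuilt on every run. Use `key: pre-commit-3|${{ runner.os }}|${{ hashFiles('.pre-commit-config.yaml') }}` with a `restore-keys` prefix of `pre-commit-3|${{ runner.os }}|` if partial reuse is wanted. The checkout pin also moves from `8e8c483… #v6.0.1` to `08c6903… # v5.0.0` while the scorecard and stale workflows on this page stay on v6; if the downgrade is deliberate a comment should say why. The workflow header above `on:` is outside the hunk.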
--- a/.github/ISSUE_TEMPLATE/documentation.yml +++ b/.github/ISSUE_TEMPLATE/documentation.yml @@ -24,4 +24,4 @@ body: description: | Include links to affected documentation page(s). validations: - required: true \ No newline at end of file + required: true diff --git a/.github/workflows/scanners.yml b/.github/workflows/scanners.yml index a4e391a0..70a3462c 100644 --- a/.github/workflows/scanners.yml +++ b/.github/workflows/scanners.yml @@ -195,7 +195,7 @@ jobs: - name: Get SonarQube token run: | # Login and get token (default credentials: admin/admin) - SONAR_TOKEN=$(curl -s -u admin:admin -X POST "http://localhost:9000/api/user_tokens/generate?name=github-actions" \ # gitleaks:allow + SONAR_TOKEN=$(curl -s -u admin:admin -X POST "http://localhost:9000/api/user_tokens/generate?name=github-actions" \ | jq -r '.token') echo "SONAR_TOKEN=$SONAR_TOKEN" >> $GITHUB_ENV - name: SonarQube Info diff --git a/.gitleaksignore b/.gitleaksignore index 8666bd15..8f60d8c6 100644 --- a/.gitleaksignore +++ b/.gitleaksignore @@ -2,4 +2,4 @@ # https://github.com/gitleaks/gitleaks#gitleaksignore # SonarQube default credentials for local CI container (not real secrets) -.github/workflows/scanners.yml:curl-auth-user:190 +.github/workflows/scanners.yml:curl-auth-user:198 From 1649160cceca3ddb130b3023d7608e42c6f144ef Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 17:42:16 -0800 Subject: [PATCH 15/30] fix: semgrep only on pre-push Signed-off-by: Scott Schreckengaust --- .pre-commit-config.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9c951f8f..ad478240 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
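Review bot: `SONAR_TOKEN` is appended to `$GITHUB_ENV` without being registered as a secret, so any later step that dumps its environment, or a debugging `echo`, prints the token in the job log; add `echo "::add-mask::$SONAR_TOKEN"` immediately before the `>> $GITHUB_ENV` line. The token is only valid against this job's SonarQube service container, which limits the exposure, but the mask is one line. Separately, `curl -s` without `-f` exits 0 on an HTTP 401, leaving `SONAR_TOKEN=null` and a confusing failure several steps later; `curl -sSf` makes this step fail at the point of error. The steps that consume the token are outside the hunk.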
@@ -57,6 +57,7 @@ repos:
 hooks:
 - id: semgrep
 args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ]
+ stages: [pre-push]
 - repo: https://github.com/bridgecrewio/checkov
 rev: 3.2.500
 hooks:
From 4ff17068783a93b8d8b307d2cb8b626eb9f91f0e Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 20:43:40 -0800 Subject: [PATCH 16/30] Add Dependency Review workflow for pull requests Signed-off-by: Scott Schreckengaust
--- .github/workflows/dependency-review.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644
index 00000000..06099d04
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/dependency-review-action@v4
+ with:
+ config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@main
From 9334a84e8162633abc8c37769f806ffcfab0a09b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 20:57:03 -0800 Subject: [PATCH 17/30] feat: add grype and checkov Signed-off-by: Scott Schreckengaust
--- .github/workflows/scanners.yml | 39 ++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+)
diff --git a/.github/workflows/scanners.yml b/.github/workflows/scanners.yml
index 70a3462c..6812475a 100644
--- a/.github/workflows/scanners.yml
+++ b/.github/workflows/scanners.yml
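Review bot: `stages: [pre-push]` only takes effect when the git pre-push hook is installed, and a plain `pre-commit install` installs the pre-commit hook alone; unless the top of this file (outside the hunk) already sets `default_install_hook_types: [pre-commit, pre-push]`, the semgrep hook silently never runs for anyone who followed the usual setup. Add that key to the file header, or document `pre-commit install --hook-type pre-push` in the development guide, and say in a comment on the `stages:` line that the move is a cost trade-off (`# full semgrep run is slow; gate on push, CI still runs it on every PR`).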
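Review bot: `actions/checkout@v4` and `actions/dependency-review-action@v4` are the only mutable tag references on this page; every other workflow here pins to a commit SHA with a version comment, and the scorecard workflow's pinned-dependencies check will flag these two. Pin both in the same form, `uses: owner/repo@<commit-sha> # vX.Y.Z` (placeholders), as the rest of the repository does. `config-file: …@main` also floats, which may be intended for an org-managed policy, but it means the set of blocked licenses and advisories can change without any commit in this repository; a comment saying that is deliberate would save the next reviewer the question.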
@@ -68,6 +68,45 @@ jobs: name: bandit.sarif path: results.sarif if-no-files-found: error + grype: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + - run: | + curl -sSfL https://raw.githubusercontent.com/anchore/grype/43e7e3246ed01b1ec0ff54f9b054201ccbe78e3a/install.sh | sh -s -- -b /usr/local/bin v0.104.3 + grype --version + - run: | + grype --output sarif . | tee grype.sarif.json + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + with: + name: grype.sarif + path: grype.sarif.json + if-no-files-found: error + - uses: github/codeql-action/upload-sarif@57eebf61a2246ab60a0c2f5a85766db783ad3553 # v3.28.15 + continue-on-error: true + with: + sarif_file: grype.sarif.json + checkov: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 + - uses: bridgecrewio/checkov-action@5051a5cfc7e4c71d95199f81ffafbb490c7e6213 # v12.3079.0 + with: + output_format: cli,sarif + output_file_path: console,results.sarif + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@b2ff80ddacba59b60f4e0cf3b699baaea3230cd9 # v4.31.9 + if: success() || failure() + with: + sarif_file: results.sarif semgrep: permissions: actions: read From 0dab20d3af67feed92f3e3fc7a31278063bdb0d4 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 21:06:06 -0800 Subject: [PATCH 18/30] fix: update filelock Signed-off-by: Scott Schreckengaust --- .github/workflows/pre-commit-requirements.txt | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pre-commit-requirements.txt b/.github/workflows/pre-commit-requirements.txt index d75bcdc3..345ec57a 100644 --- a/.github/workflows/pre-commit-requirements.txt 
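Review bot: The two new jobs pin the same action to different majors: the grype upload uses `github/codeql-action/upload-sarif@57eebf61… # v3.28.15` while the checkov upload uses `…@b2ff80dd… # v4.31.9`, and `actions/upload-artifact@330a01c4… # v5.0.0` differs from the `v6.0.0` the scorecard workflow pins; converge on one pinned version per action so dependency-update bots and the scorecard checks stay coherent. The grype job puts `continue-on-error: true` on the code-scanning upload but nothing on the artifact upload, whereas the checkov job uses `if: success() || failure()` on its upload; the checkov form is clearer about intent (upload whatever was produced, fail on a real upload error) and is worth applying to both. The `semgrep:` job that follows is outside the hunk.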
+++ b/.github/workflows/pre-commit-requirements.txt @@ -1,9 +1,5 @@ -# -# This file is autogenerated by pip-compile with Python 3.12 -# by the following command: -# -# pip-compile --generate-hashes --output-file=.github/workflows/pre-commit-requirements.txt --strip-extras .github/workflows/pre-commit-requirements.in -# +# This file was autogenerated by uv via the following command: +# uv pip compile --generate-hashes --output-file=pre-commit-requirements.txt --strip-extras requirements.in cfgv==3.4.0 \ --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 @@ -12,9 +8,9 @@ distlib==0.3.9 \ --hash=sha256:47f8c22fd27c27e25a65601af709b38e4f0a45ea4fc2e710f65755fa8caaaf87 \ --hash=sha256:a60f20dea646b8a33f3e7772f74dc0b2d0772d2837ee1342a00645c81edf9403 # via virtualenv -filelock==3.20.1 \ - --hash=sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a \ - --hash=sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c +filelock==3.20.3 \ + --hash=sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1 \ + --hash=sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1 # via virtualenv identify==2.6.12 \ --hash=sha256:ad9672d5a72e0d2ff7c5c8809b62dfa60458626352fb0eb7b55e69bdc45334a2 \ 
@@ -28,10 +24,10 @@ platformdirs==4.3.8 \ --hash=sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc \ --hash=sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4 # via virtualenv -pre-commit==4.2.0 \ - --hash=sha256:601283b9757afd87d40c4c4a9b2b5de9637a8ea02eaff7adc2d0fb4e04841146 \ - --hash=sha256:a009ca7205f1eb497d10b845e52c838a98b6cdd2102a6c8e4540e94ee75c58bd - # via -r .github/workflows/pre-commit-requirements.in +pre-commit==4.5.1 \ + --hash=sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77 \ + --hash=sha256:eb545fcff725875197837263e977ea257a402056661f09dae08e4b149b030a61 + # via -r requirements.in pyyaml==6.0.2 \ --hash=sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff \ --hash=sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48 \ From 6c9b86e973120ad8245eabf95087f99bae70b0ea Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 21:09:56 -0800 Subject: [PATCH 19/30] fix: update virtualenv Signed-off-by: Scott Schreckengaust --- .github/workflows/pre-commit-requirements.txt | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pre-commit-requirements.txt b/.github/workflows/pre-commit-requirements.txt index 345ec57a..84b62853 100644 --- a/.github/workflows/pre-commit-requirements.txt +++ b/.github/workflows/pre-commit-requirements.txt 
@@ -4,9 +4,9 @@ cfgv==3.4.0 \ --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 # via pre-commit -distlib==0.3.9 \ - --hash=sha256:47f8c22fd27c27e25a65601af709b38e4f0a45ea4fc2e710f65755fa8caaaf87 \ - --hash=sha256:a60f20dea646b8a33f3e7772f74dc0b2d0772d2837ee1342a00645c81edf9403 +distlib==0.4.0 \ + --hash=sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16 \ + --hash=sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d # via virtualenv filelock==3.20.3 \ --hash=sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1 \ @@ -20,9 +20,9 @@ nodeenv==1.9.1 \ --hash=sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f \ --hash=sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9 # via pre-commit -platformdirs==4.3.8 \ - --hash=sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc \ - --hash=sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4 +platformdirs==4.5.1 \ + --hash=sha256:61d5cdcc6065745cdd94f0f878977f8de9437be93de97c1c12f853c9c0cdcbda \ + --hash=sha256:d03afa3963c806a9bed9d5125c8f4cb2fdaf74a55ab60e5d59b3fde758104d31 # via virtualenv pre-commit==4.5.1 \ --hash=sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77 \ @@ -83,7 +83,7 @@ pyyaml==6.0.2 \ --hash=sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12 \ --hash=sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4 # via pre-commit -virtualenv==20.31.2 \ - --hash=sha256:36efd0d9650ee985f0cad72065001e66d49a6f24eb44d98980f630686243cf11 \ - --hash=sha256:e10c0a9d02835e592521be48b332b6caee6887f332c111aa79a09b9e79efc2af +virtualenv==20.36.1 \ + --hash=sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f \ + --hash=sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba # via pre-commit 
From 016f86209b30a9c67d2222dc235dade4ee9203b8 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Thu, 5 Feb 2026 21:17:55 -0800 Subject: [PATCH 20/30] feat: add codeql and dependency review Signed-off-by: Scott Schreckengaust --- .github/workflows/codeql.yml | 16 ++++++++++++++++ .github/workflows/dependency-review.yml | 2 ++ 2 files changed, 18 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6dd4a3f8..ffef0135 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,6 +11,22 @@ # name: "CodeQL Advanced" +permissions: + actions: none + attestations: none + checks: none + contents: none + deployments: none + discussions: none + id-token: none + issues: none + models: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none on: push: branches: [ "main" ] diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 06099d04..be525b94 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,3 +12,5 @@ jobs: - uses: actions/dependency-review-action@v4 with: config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@main + # distlib + allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0" From f56af0b90a1e133893038a4eca1c34344d1e13a9 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 07:36:32 -0800 Subject: [PATCH 21/30] fix: addressing comments 
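Review bot: The sixteen `<scope>: none` lines are equivalent to `permissions: {}`, which is what every other workflow on this page uses; the long form has to be revisited whenever GitHub adds a scope, while the empty mapping already denies scopes that do not exist yet. Replace the block with `permissions: {}` and grant `security-events: write` and `contents: read` (plus `actions: read` on private repositories) at the job level; the job definition is outside the hunk, so confirm it already does, otherwise the CodeQL upload will fail with this top-level block in place.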
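Review bot: The comment `# distlib` above `allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0"` records the what but not the why; a license exception should name the license and the reason it is acceptable, e.g. `# distlib (PSF-2.0, transitive via virtualenv/pre-commit): license is not in the org default allow-list but is compatible` with the actual license confirmed before committing. Pinning the exception to `@0.4.0` means the next bump of distlib fails dependency review again, which is a reasonable way to force re-evaluation, but that intent should be stated in the same comment so nobody "fixes" it by dropping the version.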
Signed-off-by: Scott Schreckengaust --- .github/guides/ADMINISTRATIVE_GUIDE.md | 38 -------- .github/guides/MAINTAINER_GUIDE.md | 28 ------ .github/workflows/pre-commit-requirements.txt | 89 ------------------- .github/workflows/pre-commit.yml | 25 ------ .pre-commit-config.yaml | 79 ---------------- CONTRIBUTING.md | 4 +- ...VELOPMENT_GUIDE.md => DEVELOPMENT_GUIDE.md | 0 7 files changed, 1 insertion(+), 262 deletions(-) delete mode 100644 .github/guides/ADMINISTRATIVE_GUIDE.md delete mode 100644 .github/guides/MAINTAINER_GUIDE.md delete mode 100644 .github/workflows/pre-commit-requirements.txt delete mode 100644 .github/workflows/pre-commit.yml delete mode 100644 .pre-commit-config.yaml rename .github/guides/DEVELOPMENT_GUIDE.md => DEVELOPMENT_GUIDE.md (100%) diff --git a/.github/guides/ADMINISTRATIVE_GUIDE.md b/.github/guides/ADMINISTRATIVE_GUIDE.md deleted file mode 100644 index 7a658137..00000000 --- a/.github/guides/ADMINISTRATIVE_GUIDE.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Administrative Guide - -## Updating Pre-commit Hooks - -Pre-commit hooks should be updated periodically to get the latest versions and security fixes. - -### Update all hooks - -```bash -pre-commit autoupdate -``` - -### Update a specific hook - -```bash -pre-commit autoupdate --repo https://github.com/pre-commit/pre-commit-hooks -``` - -### After updating - -1. Review the changes to `.pre-commit-config.yaml` -2. Run hooks against all files to verify compatibility: - - ```bash - pre-commit run --all-files - ``` - -3. Commit the updated configuration - -## Gitleaks Baseline Management - -To update the gitleaks baseline with current findings: - -```bash -gitleaks detect --baseline-path .gitleaks-baseline.json --report-path .gitleaks-baseline.json -``` - -Note: If an issue is already ignored via inline comments (`# gitleaks:allow`) or `.gitleaksignore`, the baseline won't capture it. The baseline is useful for grandfathering in existing findings without requiring inline comments or ignore file entries. diff --git a/.github/guides/MAINTAINER_GUIDE.md b/.github/guides/MAINTAINER_GUIDE.md deleted file mode 100644 index ea550b4d..00000000 --- a/.github/guides/MAINTAINER_GUIDE.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Maintainer Guide - -## Pull Request Reviews - -- Review PRs for code quality, security, and adherence to project standards -- Ensure CI checks pass before merging -- Use squash merges to keep history clean - -## Release Management - -### Creating a Release - -1. Ensure all intended changes are merged to `main` -2. Update version numbers and changelog -3. Create a GitHub release with semantic versioning (e.g., `v1.2.0`) -4. Tag the release with release notes summarizing changes - -## Issue Triage - -- Label new issues appropriately (`bug`, `enhancement`, `question`, etc.) -- Close duplicates with a reference to the original issue -- Add `help wanted` or `good first issue` labels to encourage contributions - -## Branch Protection - -- Maintain branch protection rules on `main` -- Require PR reviews and passing CI before merge -- Do not bypass protections except in emergencies diff --git a/.github/workflows/pre-commit-requirements.txt b/.github/workflows/pre-commit-requirements.txt deleted file mode 100644 index 84b62853..00000000 --- a/.github/workflows/pre-commit-requirements.txt +++ /dev/null 
@@ -1,89 +0,0 @@ -# This file was autogenerated by uv via the following command: -# uv pip compile --generate-hashes --output-file=pre-commit-requirements.txt --strip-extras requirements.in -cfgv==3.4.0 \ - --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ - --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 - # via pre-commit -distlib==0.4.0 \ - --hash=sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16 \ - --hash=sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d - # via virtualenv -filelock==3.20.3 \ - --hash=sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1 \ - --hash=sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1 - # via virtualenv -identify==2.6.12 \ - --hash=sha256:ad9672d5a72e0d2ff7c5c8809b62dfa60458626352fb0eb7b55e69bdc45334a2 \ - --hash=sha256:d8de45749f1efb108badef65ee8386f0f7bb19a7f26185f74de6367bffbaf0e6 - # via pre-commit -nodeenv==1.9.1 \ - --hash=sha256:6ec12890a2dab7946721edbfbcd91f3319c6ccc9aec47be7c7e6b7011ee6645f \ - --hash=sha256:ba11c9782d29c27c70ffbdda2d7415098754709be8a7056d79a737cd901155c9 - # via pre-commit -platformdirs==4.5.1 \ - --hash=sha256:61d5cdcc6065745cdd94f0f878977f8de9437be93de97c1c12f853c9c0cdcbda \ - --hash=sha256:d03afa3963c806a9bed9d5125c8f4cb2fdaf74a55ab60e5d59b3fde758104d31 - # via virtualenv -pre-commit==4.5.1 \ - --hash=sha256:3b3afd891e97337708c1674210f8eba659b52a38ea5f822ff142d10786221f77 \ - --hash=sha256:eb545fcff725875197837263e977ea257a402056661f09dae08e4b149b030a61 - # via -r requirements.in -pyyaml==6.0.2 \ - --hash=sha256:01179a4a8559ab5de078078f37e5c1a30d76bb88519906844fd7bdea1b7729ff \ - --hash=sha256:0833f8694549e586547b576dcfaba4a6b55b9e96098b36cdc7ebefe667dfed48 \ - --hash=sha256:0a9a2848a5b7feac301353437eb7d5957887edbf81d56e903999a75a3d743086 \ - --hash=sha256:0b69e4ce7a131fe56b7e4d770c67429700908fc0752af059838b1cfb41960e4e \ - 
--hash=sha256:0ffe8360bab4910ef1b9e87fb812d8bc0a308b0d0eef8c8f44e0254ab3b07133 \ - --hash=sha256:11d8f3dd2b9c1207dcaf2ee0bbbfd5991f571186ec9cc78427ba5bd32afae4b5 \ - --hash=sha256:17e311b6c678207928d649faa7cb0d7b4c26a0ba73d41e99c4fff6b6c3276484 \ - --hash=sha256:1e2120ef853f59c7419231f3bf4e7021f1b936f6ebd222406c3b60212205d2ee \ - --hash=sha256:1f71ea527786de97d1a0cc0eacd1defc0985dcf6b3f17bb77dcfc8c34bec4dc5 \ - --hash=sha256:23502f431948090f597378482b4812b0caae32c22213aecf3b55325e049a6c68 \ - --hash=sha256:24471b829b3bf607e04e88d79542a9d48bb037c2267d7927a874e6c205ca7e9a \ - --hash=sha256:29717114e51c84ddfba879543fb232a6ed60086602313ca38cce623c1d62cfbf \ - --hash=sha256:2e99c6826ffa974fe6e27cdb5ed0021786b03fc98e5ee3c5bfe1fd5015f42b99 \ - --hash=sha256:39693e1f8320ae4f43943590b49779ffb98acb81f788220ea932a6b6c51004d8 \ - --hash=sha256:3ad2a3decf9aaba3d29c8f537ac4b243e36bef957511b4766cb0057d32b0be85 \ - --hash=sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19 \ - --hash=sha256:41e4e3953a79407c794916fa277a82531dd93aad34e29c2a514c2c0c5fe971cc \ - --hash=sha256:43fa96a3ca0d6b1812e01ced1044a003533c47f6ee8aca31724f78e93ccc089a \ - --hash=sha256:50187695423ffe49e2deacb8cd10510bc361faac997de9efef88badc3bb9e2d1 \ - --hash=sha256:5ac9328ec4831237bec75defaf839f7d4564be1e6b25ac710bd1a96321cc8317 \ - --hash=sha256:5d225db5a45f21e78dd9358e58a98702a0302f2659a3c6cd320564b75b86f47c \ - --hash=sha256:6395c297d42274772abc367baaa79683958044e5d3835486c16da75d2a694631 \ - --hash=sha256:688ba32a1cffef67fd2e9398a2efebaea461578b0923624778664cc1c914db5d \ - --hash=sha256:68ccc6023a3400877818152ad9a1033e3db8625d899c72eacb5a668902e4d652 \ - --hash=sha256:70b189594dbe54f75ab3a1acec5f1e3faa7e8cf2f1e08d9b561cb41b845f69d5 \ - --hash=sha256:797b4f722ffa07cc8d62053e4cff1486fa6dc094105d13fea7b1de7d8bf71c9e \ - --hash=sha256:7c36280e6fb8385e520936c3cb3b8042851904eba0e58d277dca80a5cfed590b \ - --hash=sha256:7e7401d0de89a9a855c839bc697c079a4af81cf878373abd7dc625847d25cbd8 \ - 
--hash=sha256:80bab7bfc629882493af4aa31a4cfa43a4c57c83813253626916b8c7ada83476 \ - --hash=sha256:82d09873e40955485746739bcb8b4586983670466c23382c19cffecbf1fd8706 \ - --hash=sha256:8388ee1976c416731879ac16da0aff3f63b286ffdd57cdeb95f3f2e085687563 \ - --hash=sha256:8824b5a04a04a047e72eea5cec3bc266db09e35de6bdfe34c9436ac5ee27d237 \ - --hash=sha256:8b9c7197f7cb2738065c481a0461e50ad02f18c78cd75775628afb4d7137fb3b \ - --hash=sha256:9056c1ecd25795207ad294bcf39f2db3d845767be0ea6e6a34d856f006006083 \ - --hash=sha256:936d68689298c36b53b29f23c6dbb74de12b4ac12ca6cfe0e047bedceea56180 \ - --hash=sha256:9b22676e8097e9e22e36d6b7bda33190d0d400f345f23d4065d48f4ca7ae0425 \ - --hash=sha256:a4d3091415f010369ae4ed1fc6b79def9416358877534caf6a0fdd2146c87a3e \ - --hash=sha256:a8786accb172bd8afb8be14490a16625cbc387036876ab6ba70912730faf8e1f \ - --hash=sha256:a9f8c2e67970f13b16084e04f134610fd1d374bf477b17ec1599185cf611d725 \ - --hash=sha256:bc2fa7c6b47d6bc618dd7fb02ef6fdedb1090ec036abab80d4681424b84c1183 \ - --hash=sha256:c70c95198c015b85feafc136515252a261a84561b7b1d51e3384e0655ddf25ab \ - --hash=sha256:cc1c1159b3d456576af7a3e4d1ba7e6924cb39de8f67111c735f6fc832082774 \ - --hash=sha256:ce826d6ef20b1bc864f0a68340c8b3287705cae2f8b4b1d932177dcc76721725 \ - --hash=sha256:d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e \ - --hash=sha256:d7fded462629cfa4b685c5416b949ebad6cec74af5e2d42905d41e257e0869f5 \ - --hash=sha256:d84a1718ee396f54f3a086ea0a66d8e552b2ab2017ef8b420e92edbc841c352d \ - --hash=sha256:d8e03406cac8513435335dbab54c0d385e4a49e4945d2909a581c83647ca0290 \ - --hash=sha256:e10ce637b18caea04431ce14fabcf5c64a1c61ec9c56b071a4b7ca131ca52d44 \ - --hash=sha256:ec031d5d2feb36d1d1a24380e4db6d43695f3748343d99434e6f5f9156aaa2ed \ - --hash=sha256:ef6107725bd54b262d6dedcc2af448a266975032bc85ef0172c5f059da6325b4 \ - --hash=sha256:efdca5630322a10774e8e98e1af481aad470dd62c3170801852d752aa7a783ba \ - --hash=sha256:f753120cb8181e736c57ef7636e83f31b9c0d1722c516f7e86cf15b7aa57ff12 \ - 
--hash=sha256:ff3824dc5261f50c9b0dfb3be22b4567a6f938ccce4587b38952d85fd9e9afe4 - # via pre-commit -virtualenv==20.36.1 \ - --hash=sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f \ - --hash=sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba - # via pre-commit diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml deleted file mode 100644 index 35076bb7..00000000 --- a/.github/workflows/pre-commit.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: pre-commit - -on: - pull_request: - push: -permissions: {} -jobs: - pre-commit: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 - - run: | - python -m pip install --require-hashes --requirement ${{ github.workspace }}/.github/workflows/pre-commit-requirements.txt - python -m pip freeze --local - - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1 - with: - path: ~/.cache/pre-commit - key: pre-commit-3|${{ runner.os }} - - name: Set SKIP variable for main branch - if: github.ref == 'refs/heads/main' - run: echo "SKIP=no-commit-to-branch" >> $GITHUB_ENV - - run: SKIP="$SKIP" pre-commit run --show-diff-on-failure --color=always --all-files diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index ad478240..00000000 --- a/.pre-commit-config.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -repos: -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v6.0.0 - hooks: - - id: check-added-large-files - - id: check-ast - - id: check-builtin-literals - - id: check-case-conflict - - id: check-executables-have-shebangs - - id: check-illegal-windows-names - - id: check-json - - id: check-merge-conflict - - id: check-shebang-scripts-are-executable - - id: check-symlinks - - id: check-toml - - id: check-vcs-permalinks - - id: check-xml - - id: check-yaml - - id: debug-statements - - id: destroyed-symlinks - - id: detect-private-key - - id: end-of-file-fixer - exclude: | - (?x)^( - \.kiro/hooks/.*\.kiro\.hook| - \.kiro/settings/mcp\.json* - )$ - - id: fix-byte-order-marker - - id: forbid-submodules - - id: forbid-new-submodules - - id: mixed-line-ending - - id: no-commit-to-branch - - id: pretty-format-json - exclude: | - (?x)^( - .*package-lock\.json| - \.kiro/settings/mcp\.json.* - )$ - args: [ --autofix ] - - id: trailing-whitespace - -- repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.15.0 - hooks: - - id: ruff-check - args: [ --fix, --exit-non-zero-on-fix ] - - id: ruff-format - -- repo: https://github.com/PyCQA/bandit - rev: 1.9.3 - hooks: - - id: bandit - args: [ --baseline, .bandit-baseline.json ] - -- repo: https://github.com/semgrep/pre-commit - rev: v1.151.0 - hooks: - - id: semgrep - args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ] - stages: [pre-push] -- repo: https://github.com/bridgecrewio/checkov - rev: 3.2.500 - hooks: - - id: checkov - -- repo: https://github.com/gitleaks/gitleaks - rev: v8.30.0 - hooks: - - id: gitleaks - -- repo: local - hooks: - - id: act - name: act (GitHub Actions locally) - pass_filenames: false - language: system - entry: act - stages: [manual] - always_run: true diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7e7d6843..d3c0ede7 100644 --- a/CONTRIBUTING.md 
+++ b/CONTRIBUTING.md @@ -6,9 +6,7 @@ Thank you for your interest in contributing to Agent Plugins for AWS. Depending on your role, please review the appropriate guide for repository-specific instructions: -- [Development Guide](.github/guides/DEVELOPMENT_GUIDE.md) - For contributors and developers -- [Administrative Guide](.github/guides/ADMINISTRATIVE_GUIDE.md) - For repository administrators -- [Maintainer Guide](.github/guides/MAINTAINER_GUIDE.md) - For project maintainers +- [Development Guide](DEVELOPMENT_GUIDE.md) - For contributors and developers ## Reporting Bugs/Feature Requests diff --git a/.github/guides/DEVELOPMENT_GUIDE.md b/DEVELOPMENT_GUIDE.md similarity index 100% rename from .github/guides/DEVELOPMENT_GUIDE.md rename to DEVELOPMENT_GUIDE.md From bce436afae9eb138be653d0bbf1ba7df06c4130b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 07:42:56 -0800 Subject: [PATCH 22/30] fix: remove hardcoded repo Signed-off-by: Scott Schreckengaust --- .github/workflows/merge-prevention.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/merge-prevention.yml b/.github/workflows/merge-prevention.yml index 1bd9616b..4eb57a22 100644 --- a/.github/workflows/merge-prevention.yml +++ b/.github/workflows/merge-prevention.yml @@ -51,7 +51,7 @@ jobs: run: | if [ "${{ github.event_name }}" == "merge_group" ]; then PR_NUMBER=$(echo "${{ github.ref }}" | grep -oP '(?<=/pr-)\d+' || echo "") - PR_LABELS=$(gh api repos/Schreckengaust/mcp/pulls/2 | jq -c '[.labels[].name] // []') + PR_LABELS=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER | jq -c '[.labels[].name] // []') echo "::group::Getting Information" gh api repos/${{ github.repository }}/pulls/$PR_NUMBER echo "::endgroup::" From 034a18d97a92c238226c3d23e1d1dfc164176759 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 07:45:21 -0800 Subject: [PATCH 23/30] fix: updated mise version 
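Review bot: The new `gh api repos/${{ github.repository }}/pulls/$PR_NUMBER` call has no guard for the empty `PR_NUMBER` that the preceding `grep … || echo ""` deliberately produces; with an empty number the path becomes `pulls/`, which is the list endpoint, and `jq '[.labels[].name] // []'` then errors on an array instead of yielding labels. A one-line check before the call, `[ -n "$PR_NUMBER" ] || { echo "::error::could not derive PR number from ref"; exit 1; }`, turns that into a clear failure. The second `gh api` inside the `Getting Information` group fetches the same PR again and could reuse the first response. Passing `github.ref` and `github.event_name` into the script through `env:` rather than inline `${{ }}` would be the more conventional form for a `run:` block. The `run:` step and its enclosing job continue outside the hunk.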
Signed-off-by: Scott Schreckengaust --- mise.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mise.toml b/mise.toml index bf4904bb..9463f0b6 100644 --- a/mise.toml +++ b/mise.toml @@ -1,7 +1,7 @@ # mise.toml - Tool versions and tasks for Agent Plugins for AWS # See: https://mise.jdx.dev -min_version = "2024.11.1" +min_version = "2026.2.4" [tools] node = "24" From 6d429752e22fdc45a6bbcdfa8b881e0c5c72af1a Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 07:48:59 -0800 Subject: [PATCH 24/30] feat: rename scanners workflow Signed-off-by: Scott Schreckengaust --- .github/workflows/{scanners.yml => security-scanners.yml} | 1 + 1 file changed, 1 insertion(+) rename .github/workflows/{scanners.yml => security-scanners.yml} (99%) diff --git a/.github/workflows/scanners.yml b/.github/workflows/security-scanners.yml similarity index 99% rename from .github/workflows/scanners.yml rename to .github/workflows/security-scanners.yml index 6812475a..bad77b4f 100644 --- a/.github/workflows/scanners.yml +++ b/.github/workflows/security-scanners.yml @@ -1,3 +1,4 @@ +name: Security Scanners on: schedule: # Daily at 15:12 UTC (random time to avoid GitHub Actions load spikes) From 7c47cddbec4d7c76224f6ccbc26a44a33b033a3a Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 08:03:06 -0800 Subject: [PATCH 25/30] feat: add pull request linting workflow Signed-off-by: Scott Schreckengaust --- .github/workflows/pull-request-lint.yml | 62 +++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/pull-request-lint.yml diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml new file mode 100644 index 00000000..c7327034 --- /dev/null +++ b/.github/workflows/pull-request-lint.yml 
@@ -0,0 +1,62 @@ +name: Pull Request Lint + +on: + pull_request_target: + branches: [ "main" ] + types: + - labeled + - opened + - synchronize + - reopened + - ready_for_review + - edited + merge_group: {} + +permissions: {} + +jobs: + validate: + name: Validate PR title + runs-on: ubuntu-latest + permissions: + pull-requests: read + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') + steps: + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 #v6.1.1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + types: |- + fix + feat + build + chore + ci + docs + style + refactor + perf + test + requireScope: false + + contributorStatement: + name: Require Contributor Statement + runs-on: ubuntu-latest + permissions: + pull-requests: read + env: + PR_BODY: ${{ github.event.pull_request.body }} + EXPECTED: By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the [project license](https://github.com/${{ github.repository }}/blob/main/LICENSE). + HELP: Contributor statement missing from PR description. Please include the following text in the PR description + if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') && !(github.event.pull_request.user.login == 'awslabs-mcp' || github.event.pull_request.user.login == 'dependabot[bot]') + steps: + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd #v8.0.0 + with: + script: |- + const actual = process.env.PR_BODY.replace(/\r?\n/g, "\n"); + const expected = process.env.EXPECTED.replace(/\r?\n/g, "\n"); + if (!actual.includes(expected)) { + console.log("%j", actual); + console.log("%j", expected); + core.setFailed(`${process.env.HELP}: ${expected}`); + } From aa8eef95ba9a7ac2e54474d6422e7522078b9c6c Mon Sep 17 00:00:00 2001 
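Review bot: The `on:` block documents neither why `pull_request_target` is used instead of `pull_request` nor the invariant that makes it acceptable here — no job checks out the PR head, and the only PR-controlled input, `github.event.pull_request.body`, reaches the script through `env:` rather than inline expansion. A comment above the trigger such as `# pull_request_target so checks run for forks; jobs must never check out the PR head` would keep the next editor from adding an `actions/checkout` step. The exemption in `contributorStatement` keys on `github.event.pull_request.user.login`; logins can be renamed and released, so comparing `github.event.pull_request.user.id` against the two accounts' numeric ids (not on this page) is the sturdier form. The `github.event_name == 'pull_request'` half of both `if:` conditions can never hold under these triggers and could be dropped.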
From: Scott Schreckengaust Date: Fri, 6 Feb 2026 08:10:41 -0800 Subject: [PATCH 26/30] fix: CODEOWNERS updates Signed-off-by: Scott Schreckengaust --- .github/CODEOWNERS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index d32d68bd..ea6d6056 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -10,12 +10,15 @@ .claude-plugin/ @awslabs/agent-plugins-admins .github/ @awslabs/agent-plugins-admins .gitignore @awslabs/agent-plugins-admins +.gitleaks-baseline.json @awslabs/agent-plugins-admins +.gitleaks.toml @awslabs/agent-plugins-admins +.gitleaksignore @awslabs/agent-plugins-admins .markdownlint-cli2.yaml @awslabs/agent-plugins-admins -.pre-commit-config.yaml @awslabs/agent-plugins-admins AGENTS.md @awslabs/agent-plugins-admins CLAUDE.md @awslabs/agent-plugins-admins CODE_OF_CONDUCT.md @awslabs/agent-plugins-admins CONTRIBUTING.md @awslabs/agent-plugins-admins +DEVELOPMENT_GUIDE.md @awslabs/agent-plugins-admins dprint.json @awslabs/agent-plugins-admins LICENSE @awslabs/agent-plugins-admins mise.toml @awslabs/agent-plugins-admins From 065f9cc89b1b9966669ad7414e9424b2f50a1202 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 08:50:55 -0800 Subject: [PATCH 27/30] fix: concurrency and switching notice to debug Signed-off-by: Scott Schreckengaust --- .github/workflows/merge-prevention.yml | 6 +++--- .github/workflows/pull-request-lint.yml | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/merge-prevention.yml b/.github/workflows/merge-prevention.yml index 4eb57a22..087e01da 100644 --- a/.github/workflows/merge-prevention.yml +++ b/.github/workflows/merge-prevention.yml 
@@ -79,10 +79,10 @@ jobs: echo "::debug::HALT_MERGES value: $HALT_MERGES" echo "::debug::This PR number: $PR_NUMBER" if [ "$HALT_MERGES" = "0" ]; then - echo "::notice::✅ All merges are allowed (HALT_MERGES=0)" + echo "::debug::✅ All merges are allowed (HALT_MERGES=0)" exit 0 elif [ "$HALT_MERGES" = "$PR_NUMBER" ]; then - echo "::notice::✅ This PR #$PR_NUMBER is explicitly allowed" + echo "::debug::✅ This PR #$PR_NUMBER is explicitly allowed" exit 0 else echo "::debug::🛑 Merges are blocked. HALT_MERGES is set to $HALT_MERGES" @@ -112,5 +112,5 @@ jobs: id: pr-missing-label if: ! contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL) run: | - echo "::notice::✅ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is absent" + echo "::debug::✅ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is absent" exit 0 diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml index c7327034..82ae381f 100644 --- a/.github/workflows/pull-request-lint.yml +++ b/.github/workflows/pull-request-lint.yml @@ -14,6 +14,10 @@ on: permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: validate: name: Validate PR title From 92bf6b424a0f6c76bb7ea7f298ed6d93af1801a2 Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 08:53:05 -0800 Subject: [PATCH 28/30] fix: title Scorecard Signed-off-by: Scott Schreckengaust --- .github/workflows/scorecard-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 9a94108e..dff49c79 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -1,4 +1,4 @@ -name: Scorecard analysis workflow +name: Scorecard Analysis on: push: branches: From 5acaa31409ed4d9aa2c7a2e408c64cfa0648c4e8 Mon Sep 17 00:00:00 2001 
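Review bot: In the `pull-request-lint.yml` hunk, `group: ${{ github.workflow }}-${{ github.ref }}` does not isolate runs per pull request: under `pull_request_target`, `github.ref` is the base branch, so every PR's run lands in the same group and `cancel-in-progress: true` cancels one PR's validation whenever another PR is opened, edited or synchronized. Keying on the PR number, `group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}`, scopes the cancellation to a single PR while still working for `merge_group` runs, whose ref is already unique. The `merge-prevention.yml` hunks on this line only change log levels.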
From: Scott Schreckengaust Date: Fri, 6 Feb 2026 08:59:25 -0800 Subject: [PATCH 29/30] fix: naming and remove allowed license Signed-off-by: Scott Schreckengaust --- .github/workflows/dependency-review.yml | 4 ++-- .github/workflows/pull-request-lint.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index be525b94..7572f3b2 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,5 +12,5 @@ jobs: - uses: actions/dependency-review-action@v4 with: config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@main - # distlib - allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0" + # # distlib + # allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0" diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml index 82ae381f..94e3e397 100644 --- a/.github/workflows/pull-request-lint.yml +++ b/.github/workflows/pull-request-lint.yml @@ -1,4 +1,4 @@ -name: Pull Request Lint +name: Pull Request Validation on: pull_request_target: From b9844fc4c97d63a90cbf5cd56cec98943ff1179b Mon Sep 17 00:00:00 2001 From: Scott Schreckengaust Date: Fri, 6 Feb 2026 09:09:33 -0800 Subject: [PATCH 30/30] fix: bandit to main commit hash Signed-off-by: Scott Schreckengaust --- .github/workflows/security-scanners.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security-scanners.yml b/.github/workflows/security-scanners.yml index bad77b4f..182752c6 100644 --- a/.github/workflows/security-scanners.yml +++ b/.github/workflows/security-scanners.yml 
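Review bot: `actions/dependency-review-action@v4` on the context line above the change is referenced by a mutable tag, while the rest of this series pins actions by commit SHA (`actions/checkout`, `actions/github-script`, `PyCQA/bandit-action`); pinning it as `actions/dependency-review-action@<commit-sha> # v4.x.y`, with the SHA taken from the release, would make this workflow consistent and keep a tag move from silently changing what runs. The `allow-dependencies-licenses` entry is commented out rather than removed, and commented-out configuration tends to outlive its reason; either delete both lines or replace them with a one-line note such as `# no license allow-list; the distlib exemption went away with the pre-commit requirements file` (that file listed distlib via virtualenv and is deleted earlier in this series, which appears to be the motivation).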
@@ -61,7 +61,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f # v1.0.1 + - uses: PyCQA/bandit-action@cd2700ff8e8a10b277288e068d0c207c614c46ee # main continue-on-error: true - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 if: always()
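Review bot: The `# main` annotation on the new `PyCQA/bandit-action@cd2700ff…` pin records no version, so neither a reviewer nor SHA-refresh tooling can tell which release it corresponds to or when to move back to a tag. Record the reason and the exit condition next to the SHA, e.g. `# main as of <date>; unreleased fix, return to a tagged release once one ships`. `continue-on-error: true` on the following context line means the step's findings never fail the job, so whatever this commit of bandit-action reports is presumably only surfaced through the artifact upload that follows. The job's remaining steps run past the end of the hunk.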