chore: Adding GH Workflows

.github/workflows/semgrep.yml

@@ -0,0 +1,40 @@
+name: Semgrep
+
+on:
+  merge_group:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "30 0 1,15 * *"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  run:
+    name: Check for Vulnerabilities
+    runs-on: ubuntu-latest
+
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - run: semgrep ci
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

.github/workflows/snyk.yml

@@ -0,0 +1,126 @@
+name: Snyk
+
+on:
+  merge_group:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '30 0 1,15 * *'
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+jobs:
+  # Discover packages with changes for targeted scanning
+  discover-changed-packages:
+    name: Discover Changed Packages
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      has-changes: ${{ steps.set-matrix.outputs.has-changes }}
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+          fetch-depth: 0
+
+      - name: Discover packages with changes
+        id: set-matrix
+        run: |
+          # For push events or scheduled runs, scan all packages
+          if [[ "${{ github.event_name }}" == "push" || "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]')
+            echo "Scanning all packages for ${{ github.event_name }} event"
+          else
+            # For PRs, only scan packages with changes
+            changed_files=$(git diff --name-only origin/main...HEAD)
+            changed_packages=$(echo "$changed_files" | grep '^packages/auth0_' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1] | map(select(length > 0))')
+            packages="$changed_packages"
+            echo "Changed files: $changed_files"
+            echo "Scanning changed packages for PR: $packages"
+          fi
+
+          echo "matrix={\"package\":$packages}" >> $GITHUB_OUTPUT
+          if [ "$packages" = "[]" ]; then
+            echo "has-changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has-changes=true" >> $GITHUB_OUTPUT
+          fi
+          echo "Final packages to scan: $packages"
+
+  # Security scanning for packages with changes
+  security-scan:
+    name: Security Scan (${{ matrix.package }})
+    runs-on: ubuntu-latest
+    needs: discover-changed-packages
+    if: needs.discover-changed-packages.outputs.has-changes == 'true'
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.discover-changed-packages.outputs.matrix) }}
+
+    steps:
+      - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+        run: exit 0
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Check for requirements.txt
+        working-directory: packages/${{ matrix.package }}
+        run: |
+          if [ ! -f "requirements.txt" ]; then
+            echo "❌ requirements.txt not found for ${{ matrix.package }}"
+            echo "Please ensure requirements.txt exists in the package directory"
+            exit 1
+          fi
+          echo "✅ Found requirements.txt for ${{ matrix.package }}"
+          echo "Dependencies to scan:"
+          head -5 requirements.txt
+
+      - name: Install dependencies
+        working-directory: packages/${{ matrix.package }}
+        run: |
+          echo "Installing dependencies for Snyk scan..."
+          pip install -r requirements.txt
+          echo "✅ Dependencies installed successfully"
+
+      - name: Install Snyk CLI
+        run: |
+          curl -Lo snyk "https://static.snyk.io/cli/latest/snyk-linux"
+          chmod +x snyk
+          sudo mv snyk /usr/local/bin/
+
+      - name: Run Snyk security scan
+        working-directory: packages/${{ matrix.package }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          echo "Running Snyk scan in $(pwd)"
+          echo "Python version: $(python3 --version)"
+          echo "Pip packages installed:"
+          pip3 list | grep -E "(authlib|requests|httpx|ada-url)" || echo "Some packages not found"
+
+          # Run Snyk test with debug output
+          snyk test --file=requirements.txt --package-manager=pip --command=python3 --debug || {
+            echo "Snyk test failed, trying with --allow-missing flag..."
+            snyk test --file=requirements.txt --package-manager=pip --command=python3 -- --allow-missing
+          }

.github/workflows/test-auth0-api-python.yml

@@ -0,0 +1,63 @@
+name: Test auth0-api-python
+
+on:
+  push:
+    branches:
+      - feature/auth0-api-python
+    paths:
+      - 'packages/auth0_api_python/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'packages/auth0_api_python/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.9, "3.10", "3.11", "3.12"]
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v4
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install Poetry
+      uses: snok/install-poetry@v1
+      with:
+        version: latest
+        virtualenvs-create: true
+        virtualenvs-in-project: true
+        installer-parallel: true
+
+    - name: Load cached venv
+      id: cached-poetry-dependencies
+      uses: actions/cache@v3
+      with:
+        path: packages/auth0_api_python/.venv
+        key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}
+
+    - name: Install dependencies
+      if: steps.cached-poetry-dependencies.outputs.cache-hit != 'true'
+      working-directory: ./packages/auth0_api_python
+      run: poetry install --no-interaction --no-root
+
+    - name: Install package
+      working-directory: ./packages/auth0_api_python
+      run: poetry install --no-interaction
+
+    - name: Run tests with pytest
+      working-directory: ./packages/auth0_api_python
+      run: |
+        poetry run pytest -v --cov=src --cov-report=term-missing --cov-report=xml
+
+    - name: Run ruff linting
+      working-directory: ./packages/auth0_api_python
+      run: |
+        poetry run ruff check .

packages/auth0_api_python/.ruff.toml

@@ -0,0 +1,16 @@
+line-length = 100
+target-version = "py39"
+select = [
+    "E",   # pycodestyle errors
+    "W",   # pycodestyle warnings
+    "F",   # pyflakes
+    "I",   # isort
+    "B",   # flake8-bugbear
+    "C4",  # flake8-comprehensions
+    "UP",  # pyupgrade
+    "S",   # bandit (security)
+]
+ignore = ["E501", "B904"]  # Line too long (handled by black), Exception handling without from
+
+[per-file-ignores]
+"tests/*" = ["S101", "S105", "S106"]  # Allow assert and ignore hardcoded password warnings in test files

packages/auth0_api_python/.snyk

@@ -0,0 +1,20 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.12.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-PYTHON-REQUESTS-72435:
+    - '*':
+        reason: 'unaffected, only affects https->http authorization header redirection.'
+        expires: 2019-11-05T00:00:00.000Z
+  SNYK-PYTHON-REQUESTS-40470:
+    - '*':
+        reason: 'patched in latest python versions: https://bugs.python.org/issue27568'
+  "snyk:lic:pip:certifi:MPL-2.0":
+    - '*':
+        reason: "Accepting certifi’s MPL-2.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
+  "snyk:lic:pip:jwcrypto:LGPL-3.0":
+    - '*':
+        reason: "Accepting jwcrypto’s LGPL-3.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
+patch: {}