Sync .github directory from main branch

- Applied .github directory from main to morriscode-patch-1
- Ensures workflows and GitHub configurations are up to date
- Automated sync via script

Author: alex-herold

.github/CODEOWNERS

@@ -0,0 +1 @@
+*.yml @sublime-security/Detection

.github/pull_request_template.md

@@ -0,0 +1,30 @@
+# Description
+
+<!-- 
+Explain your change and why. For example, "negating legitimate replies," or "adding additional credential theft keywords."
+
+If it's a new rule or insight, explain what the rule is designed to catch/what the insight should fire on.
+-->
+
+# Associated samples
+<!-- 
+Link to samples that are affected by your change. 
+
+For example, samples you are negating, samples you are including, or samples your new insight should fire on.
+-->
+
+- Sample 1
+- Sample 2
+
+## Associated hunts
+<!-- 
+
+If you ran any hunts with your rule, please link them here.
+-->
+
+- Hunt 1
+
+# Screenshot (insights)
+<!-- 
+**For new insights only:** Insert a screenshot of the insight firing. Remove this section if not applicable.
+-->

.github/workflows/clear-old-test-rules.yml

@@ -9,29 +9,34 @@ on:
 
 jobs:
   remove-stale:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: read
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           ref: "test-rules"
           path: destination
 
       - name: Get Open PRs
         id: open_prs
+        # this needs to be upgraded to v7 but need to get this working now
+        # actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         uses: actions/github-script@v4
         with:
           script: |
-            github.pulls.list({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open'
-            }).then((result) => {
-              const openPRs = result.data.map(pr => pr.number);
+            github.paginate(
+              github.pulls.list,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                state: 'open',
+              },
+              (response) => response.data.map((pr) => pr.number)
+            ).then((openPRs) => {
               console.log(`::set-output name=open_prs::${openPRs.join(',')}`);
             });
 
@@ -43,15 +48,17 @@ jobs:
             echo "This is a forked repository. Skipping the job."
             exit 0
           fi
+          
+          echo "Open PRs: [$OPEN_PRS]"
 
           echo "Scheduled cleanup" > message.txt
           echo "" >> message.txt
           
           cd destination
-          files=$(ls **/*.yml) || true
+          files=$(ls -- **/*.yml) || true
 
           for file in $files; do
-            file_pr_num=$(yq '.testing_pr' $file)            
+            file_pr_num=$(yq '.testing_pr' "$file")
             in_open_pr=false
           
             IFS=',' read -ra PR_ARRAY <<< "$OPEN_PRS"
@@ -61,8 +68,9 @@ jobs:
               fi
             done
           
+            echo "$file is in open PR: $in_open_pr. File PR num: $file_pr_num"
             if [[ "$in_open_pr" = "false" ]]; then
-                rm $file
+                rm "$file"
                 echo "Removed $file_pr_num" >> ../message.txt
             fi
           done

.github/workflows/pr-auto-tag.yml

@@ -0,0 +1,39 @@
+name: Auto-tag External PRs
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review]
+
+jobs:
+  auto-tag:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check if PR author is external
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            const username = pr.user.login;
+            const authorAssociation = pr.author_association;
+            
+            console.log(`PR author: ${username}`);
+            console.log(`Author association: ${authorAssociation}`);
+            
+            // MEMBER, OWNER, and COLLABORATOR are considered internal
+            const internalAssociations = ['MEMBER', 'OWNER', 'COLLABORATOR'];
+            const isInternal = internalAssociations.includes(authorAssociation);
+            
+            if (!isInternal) {
+              console.log('User is external, adding review-needed label');
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: pr.number,
+                labels: ['review-needed']
+              });
+              console.log('Added review-needed label to external PR');
+            } else {
+              console.log(`User is internal (${authorAssociation}), no label added`);
+            }