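# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

# This workflow runs the infrastructure policy enforcer scripts kept under
# ./infra/enforcement (iam.py and account_keys.py, each with
# `--action print`) to produce a report of IAM and Service Account policy
# violations. GitHub and SMTP settings reach the scripts through the
# environment of the two enforcer steps.
---
name: Infrastructure Policy Enforcer

on:  # yamllint disable-line rule:truthy
  # Manual trigger for ad-hoc checks.
  workflow_dispatch:
  schedule:
    # Once a week at 9:00 AM (UTC) on Monday.
    - cron: '0 9 * * 1'

# A newly queued run cancels any still-running one with the same group key.
# For the two triggers used here the issue/comment/head_ref fallbacks are
# unset, so the key reduces to "<workflow> @ <sha>-<cron | actor login>".
# The expression is folded only for line length; `>-` joins the pieces with
# single spaces, so the resulting string is unchanged.
concurrency:
  group: >-
    ${{ github.workflow }} @
    ${{ github.event.issue.number || github.sha || github.head_ref || github.ref
    }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login }}
  cancel-in-progress: true

# Explicit least-privilege token scopes instead of the repository default.
# The job reads the checkout and passes GITHUB_TOKEN to both enforcer steps,
# which presumably use `issues: write` to file the report — nothing else.
permissions:
  contents: read
  issues: write

jobs:
  beam_Infrastructure_PolicyEnforcer:
    name: Check and Report Infrastructure Policies Violations
    runs-on: [self-hosted, ubuntu-20.04, main]
    timeout-minutes: 30
    steps:
      # NOTE(review): the third-party actions below are pinned to mutable
      # tags; pinning each to a full commit SHA makes the action supply chain
      # reproducible.
      - uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          # Quoted so the version is not read as the float 3.13.
          python-version: '3.13'

      - name: Install Python dependencies
        working-directory: ./infra/enforcement
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      # No explicit auth step: gcloud is assumed to use credentials already
      # present on the self-hosted runner — TODO confirm.
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v3

      # The env block is deliberately repeated per step rather than hoisted
      # to job-level env, so the mail credentials are exposed only to the two
      # steps that run the enforcer scripts.
      - name: Run IAM Policy Enforcement
        working-directory: ./infra/enforcement
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          SMTP_SERVER: smtp.gmail.com
          # Environment values are strings; quoted so YAML tooling does not
          # retype the port as an integer.
          SMTP_PORT: "465"
          EMAIL_ADDRESS: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
          EMAIL_PASSWORD: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
          EMAIL_RECIPIENT: "dev@beam.apache.org"
        run: python iam.py --action print

      - name: Run Account Keys Policy Enforcement
        working-directory: ./infra/enforcement
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          SMTP_SERVER: smtp.gmail.com
          SMTP_PORT: "465"
          EMAIL_ADDRESS: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
          EMAIL_PASSWORD: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
          EMAIL_RECIPIENT: "dev@beam.apache.org"
        run: python account_keys.py --action print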