.github/workflows/beam_Infrastructure_SecurityLogging.yml - beam - Git at Google

 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.

 # This workflow works with the GCP security log analyzer to
 # generate weekly security reports and initialize log sinks

 name: GCP Security Log Analyzer

 on:
   workflow_dispatch:
   schedule:
     # Once a week at 9:00 AM on Monday
     - cron: '0 9 * * 1'
   push:
     paths:
       - 'infra/security/config.yml'

 # This allows a subsequently queued workflow run to interrupt previous runs
 concurrency:
   group: '${{ github.workflow }} @ ${{ github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.sender.login }}'
   cancel-in-progress: true

 #Setting explicit permissions for the action to avoid the default permissions which are `write-all` in case of pull_request_target event
 permissions:
   contents: read

 jobs:
   beam_GCP_Security_LogAnalyzer:
     name: GCP Security Log Analysis
     runs-on: [self-hosted, ubuntu-20.04, main]
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4

       - name: Setup Python
         uses: actions/setup-python@v4
         with:
           python-version: '3.13'

       - name: Install Python dependencies
         working-directory: ./infra/security
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt

       - name: Setup gcloud
         uses: google-github-actions/setup-gcloud@v3

       - name: Initialize Log Sinks
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
         working-directory: ./infra/security
         run: python log_analyzer.py --config config.yml initialize

       - name: Generate Weekly Security Report
         if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
         working-directory: ./infra/security
         env:
           SMTP_SERVER: smtp.gmail.com
           SMTP_PORT: 465
           EMAIL_ADDRESS: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
           EMAIL_PASSWORD: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
           EMAIL_RECIPIENT: "dev@beam.apache.org"
         run: python log_analyzer.py --config config.yml generate-report --dry-run
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.

	# This workflow works with the GCP security log analyzer to
	# generate weekly security reports and initialize log sinks

	name: GCP Security Log Analyzer

	on:
	workflow_dispatch:
	schedule:
	# Once a week at 9:00 AM on Monday
	- cron: '0 9 * * 1'
	push:
	paths:
	- 'infra/security/config.yml'

	# This allows a subsequently queued workflow run to interrupt previous runs
	concurrency:
	group: '${{ github.workflow }} @ ${{ github.sha \|\| github.head_ref \|\| github.ref }}-${{ github.event.schedule \|\| github.event.sender.login }}'
	cancel-in-progress: true

	#Setting explicit permissions for the action to avoid the default permissions which are `write-all` in case of pull_request_target event
	permissions:
	contents: read

	jobs:
	beam_GCP_Security_LogAnalyzer:
	name: GCP Security Log Analysis
	runs-on: [self-hosted, ubuntu-20.04, main]
	timeout-minutes: 30
	steps:
	- uses: actions/checkout@v4

	- name: Setup Python
	uses: actions/setup-python@v4
	with:
	python-version: '3.13'

	- name: Install Python dependencies
	working-directory: ./infra/security
	run: \|
	python -m pip install --upgrade pip
	pip install -r requirements.txt

	- name: Setup gcloud
	uses: google-github-actions/setup-gcloud@v3

	- name: Initialize Log Sinks
	if: github.event_name == 'push' \|\| github.event_name == 'workflow_dispatch'
	working-directory: ./infra/security
	run: python log_analyzer.py --config config.yml initialize

	- name: Generate Weekly Security Report
	if: github.event_name == 'schedule' \|\| github.event_name == 'workflow_dispatch'
	working-directory: ./infra/security
	env:
	SMTP_SERVER: smtp.gmail.com
	SMTP_PORT: 465
	EMAIL_ADDRESS: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
	EMAIL_PASSWORD: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
	EMAIL_RECIPIENT: "dev@beam.apache.org"
	run: python log_analyzer.py --config config.yml generate-report --dry-run