# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
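# This workflow drives the GCP security log analyzer in infra/security:
# it initializes log sinks and generates the weekly security report.
name: GCP Security Log Analyzer

on:
  workflow_dispatch:
  schedule:
    # Once a week at 9:00 AM on Monday (GitHub cron schedules run in UTC)
    - cron: '0 9 * * 1'
  push:
    # NOTE(security): there is no `branches:` filter, so a push that touches
    # the config on ANY branch runs `initialize` against GCP with whatever
    # credentials the self-hosted runner holds. Restrict this to the default
    # branch if that is not intended.
    paths:
      - 'infra/security/config.yml'

# Allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: '${{ github.workflow }} @ ${{ github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.sender.login }}'
  cancel-in-progress: true

# Explicit least-privilege GITHUB_TOKEN: this workflow only reads the repo.
# (This token is not what authenticates to GCP — see the gcloud step below.)
permissions:
  contents: read

jobs:
  beam_GCP_Security_LogAnalyzer:
    name: GCP Security Log Analysis
    # Self-hosted runner. No explicit GCP auth step follows, so gcloud
    # presumably uses the runner's ambient identity; that identity's IAM
    # grants bound what `initialize` can do — keep them minimal.
    runs-on: [self-hosted, ubuntu-20.04, main]
    timeout-minutes: 30
    steps:
      # The two actions below are tag-pinned while setup-gcloud is SHA-pinned;
      # pinning all of them to a commit SHA gives uniform supply-chain control.
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.13'
      - name: Install Python dependencies
        working-directory: ./infra/security
        # Dependency versions come from requirements.txt; if that file carries
        # hashes, `pip install --require-hashes` would also lock transitive deps.
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db
      # Runs on config pushes and manual dispatch, never on the schedule.
      - name: Initialize Log Sinks
        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
        working-directory: ./infra/security
        run: python log_analyzer.py --config config.yml initialize
      # Runs on the weekly schedule and on manual dispatch.
      - name: Generate Weekly Security Report
        if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
        working-directory: ./infra/security
        env:
          SMTP_SERVER: smtp.gmail.com
          # Quoted so the value is explicitly a string; 465 is the implicit-TLS SMTP port.
          SMTP_PORT: '465'
          # Sender credentials come from repository secrets; never echo them in logs.
          EMAIL_ADDRESS: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
          EMAIL_PASSWORD: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
          EMAIL_RECIPIENT: "dev@beam.apache.org"
        # NOTE: `--dry-run` is passed here, so the scheduled run may not
        # actually deliver the report — drop the flag once output is validated.
        run: python log_analyzer.py --config config.yml generate-report --dry-run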