Skip to content

[GSoC 2026] Fixing the github action Unmanaged Service Account Keys#39177

Open
HansMarcus01 wants to merge 3 commits into
apache:masterfrom
HansMarcus01:Fix-AuditUnmanagedAccountKeys
Open

[GSoC 2026] Fixing the github action Unmanaged Service Account Keys#39177
HansMarcus01 wants to merge 3 commits into
apache:masterfrom
HansMarcus01:Fix-AuditUnmanagedAccountKeys

Conversation

@HansMarcus01

Copy link
Copy Markdown
Contributor

This pull request fixes a runtime error in the GitHub action "Unmanaged Service Account Keys". It adds a new report for unauthorized service accounts and prompts users to comply with compliance policies.

Currently the keys.yaml file is empty, which indicates that the service accounts have been created manually, thus preventing secure management of them.

Output expected:
image

…rt for service accounts that are not yet found in keys.yaml
@github-actions github-actions Bot added the build label Jun 30, 2026
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the 'Unmanaged Service Account Keys' GitHub action by improving how compliance issues are reported and tracked. It introduces a more robust system for logging unauthorized service accounts and compliance violations, ensuring that security alerts are distinct from general issues and that historical audit data is preserved within GitHub issues instead of being lost during updates.

Highlights

  • Enhanced Compliance Reporting: Implemented a structured audit report format for GitHub issues, including timestamped entries and a collapsible history section for better tracking of compliance violations.
  • Security Alert Differentiation: Separated unmanaged service account keys from general compliance issues, ensuring security-critical alerts are prioritized and clearly identified.
  • Improved Issue Management: Updated the logic for creating and updating GitHub issues to append new reports to existing threads rather than overwriting them, preserving audit trails.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/beam_Infrastructure_AuditUnmanagedKeys.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors the compliance enforcement logic for service account keys. It separates general compliance issues from unmanaged key security alerts, and updates the announcement system to append new reports to existing GitHub issues while archiving older reports into a collapsed history section. The review feedback highlights a potential runtime NameError in account_keys.py due to a missing datetime import, points out robustness issues in sending.py when parsing and replacing HTML tags in the issue body, and recommends replacing non-idiomatic inline import statements with standard imports at the top of the file.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread infra/enforcement/account_keys.py Outdated
self.sending_client.print_announcement(title, body, recipient, announcement)
if unmanaged_keys_issues:
self.logger.info("Printing security dashboard update for unmanaged keys...")
timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Potential Runtime Error: Ensure that datetime is imported at the top of the file. If it is not imported, this line will raise a NameError at runtime.

If datetime is not imported, please add from datetime import datetime, timezone at the top of the file and update this line to use them directly.

Suggested change
timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

Comment thread infra/enforcement/sending.py Outdated
Comment on lines +265 to +268
headed = old_body.split(history_marker)
last_report = headed[0].strip()
old_history = headed[1].replace("</details>", "").strip()
combined_history = f"{last_report}\n\n---\n\n{old_history}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Correctness/Robustness: Using .replace("</details>", "") is risky because it will remove all occurrences of </details> within the history, which will corrupt the Markdown rendering if there are other collapsed sections or nested HTML details blocks. Additionally, split(history_marker) should limit the split to 1 to prevent issues if the marker appears elsewhere.

Instead, split with maxsplit=1 and safely strip only the trailing </details> tag.

Suggested change
headed = old_body.split(history_marker)
last_report = headed[0].strip()
old_history = headed[1].replace("</details>", "").strip()
combined_history = f"{last_report}\n\n---\n\n{old_history}"
headed = old_body.split(history_marker, 1)
last_report = headed[0].strip()
old_history = headed[1].rstrip()
if old_history.endswith("</details>"):
old_history = old_history[:-10].rstrip()
combined_history = f"{last_report}\n\n---\n\n{old_history}"

Comment thread infra/enforcement/sending.py Outdated
open_issues = self._get_open_issues(title)
open_issues.sort(key=lambda x: x.updated_at, reverse=True)

timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Style/Maintainability: Using inline __import__("datetime") is non-idiomatic and violates PEP 8 guidelines regarding imports being at the top of the file.

Please import datetime and timezone at the top of the file:

from datetime import datetime, timezone

And simplify this line.

Suggested change
timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
References
  1. Imports should be placed at the top of the file, as per PEP 8 guidelines. (link)

Comment thread infra/enforcement/sending.py Outdated
print("\nSimulating GitHub issue creation...")
print(f"Title: {title}")
print(f"Body: {body}")
timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Style/Maintainability: Using inline __import__("datetime") is non-idiomatic and violates PEP 8 guidelines.

Please import datetime and timezone at the top of the file and simplify this line.

Suggested change
timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
References
  1. Imports should be placed at the top of the file, as per PEP 8 guidelines. (link)

print(f"Body:\n### Unmanaged Keys Audit Report ({timestamp})")
print(f"The following unauthorized or unmanaged keys were detected in `{self.project_id}`:\n")
for issue in unmanaged_keys_issues:
print(f"- {issue}")
@github-actions

Copy link
Copy Markdown
Contributor

Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment assign set of reviewers

…their roles within the GCP environment, eliminates redundant code, and updates the documentation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants