[GSoC 2026] Fixing the github action Unmanaged Service Account Keys#39177
[GSoC 2026] Fixing the github action Unmanaged Service Account Keys#39177HansMarcus01 wants to merge 3 commits into
Conversation
…rt for service accounts that are not yet found in keys.yaml
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the 'Unmanaged Service Account Keys' GitHub action by improving how compliance issues are reported and tracked. It introduces a more robust system for logging unauthorized service accounts and compliance violations, ensuring that security alerts are distinct from general issues and that historical audit data is preserved within GitHub issues instead of being lost during updates. Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request refactors the compliance enforcement logic for service account keys. It separates general compliance issues from unmanaged key security alerts, and updates the announcement system to append new reports to existing GitHub issues while archiving older reports into a collapsed history section. The review feedback highlights a potential runtime NameError in account_keys.py due to a missing datetime import, points out robustness issues in sending.py when parsing and replacing HTML tags in the issue body, and recommends replacing non-idiomatic inline import statements with standard imports at the top of the file.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| self.sending_client.print_announcement(title, body, recipient, announcement) | ||
| if unmanaged_keys_issues: | ||
| self.logger.info("Printing security dashboard update for unmanaged keys...") | ||
| timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
There was a problem hiding this comment.
Potential Runtime Error: Ensure that datetime is imported at the top of the file. If it is not imported, this line will raise a NameError at runtime.
If datetime is not imported, please add from datetime import datetime, timezone at the top of the file and update this line to use them directly.
| timestamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") | |
| timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
| headed = old_body.split(history_marker) | ||
| last_report = headed[0].strip() | ||
| old_history = headed[1].replace("</details>", "").strip() | ||
| combined_history = f"{last_report}\n\n---\n\n{old_history}" |
There was a problem hiding this comment.
Correctness/Robustness: Using .replace("</details>", "") is risky because it will remove all occurrences of </details> within the history, which will corrupt the Markdown rendering if there are other collapsed sections or nested HTML details blocks. Additionally, split(history_marker) should limit the split to 1 to prevent issues if the marker appears elsewhere.
Instead, split with maxsplit=1 and safely strip only the trailing </details> tag.
| headed = old_body.split(history_marker) | |
| last_report = headed[0].strip() | |
| old_history = headed[1].replace("</details>", "").strip() | |
| combined_history = f"{last_report}\n\n---\n\n{old_history}" | |
| headed = old_body.split(history_marker, 1) | |
| last_report = headed[0].strip() | |
| old_history = headed[1].rstrip() | |
| if old_history.endswith("</details>"): | |
| old_history = old_history[:-10].rstrip() | |
| combined_history = f"{last_report}\n\n---\n\n{old_history}" |
| open_issues = self._get_open_issues(title) | ||
| open_issues.sort(key=lambda x: x.updated_at, reverse=True) | ||
|
|
||
| timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
There was a problem hiding this comment.
Style/Maintainability: Using inline __import__("datetime") is non-idiomatic and violates PEP 8 guidelines regarding imports being at the top of the file.
Please import datetime and timezone at the top of the file:
from datetime import datetime, timezoneAnd simplify this line.
| timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") | |
| timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
References
- Imports should be placed at the top of the file, as per PEP 8 guidelines. (link)
| print("\nSimulating GitHub issue creation...") | ||
| print(f"Title: {title}") | ||
| print(f"Body: {body}") | ||
| timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
There was a problem hiding this comment.
Style/Maintainability: Using inline __import__("datetime") is non-idiomatic and violates PEP 8 guidelines.
Please import datetime and timezone at the top of the file and simplify this line.
| timestamp = __import__("datetime").datetime.now(__import__("datetime").timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") | |
| timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC") |
References
- Imports should be placed at the top of the file, as per PEP 8 guidelines. (link)
| print(f"Body:\n### Unmanaged Keys Audit Report ({timestamp})") | ||
| print(f"The following unauthorized or unmanaged keys were detected in `{self.project_id}`:\n") | ||
| for issue in unmanaged_keys_issues: | ||
| print(f"- {issue}") |
|
Checks are failing. Will not request review until checks are succeeding. If you'd like to override that behavior, comment |
…their roles within the GCP environment, eliminates redundant code, and updates the documentation.
This pull request fixes a runtime error in the GitHub action "Unmanaged Service Account Keys". It adds a new report for unauthorized service accounts and prompts users to comply with compliance policies.
Currently the keys.yaml file is empty, which indicates that the service accounts have been created manually, thus preventing secure management of them.
Output expected:
