@@ -100,3 +100,37 @@ jobs:
100100 else
101101 echo "✅ No relevant Python files found."
102102 fi
103+
104+ - name : Check for hardcoded googleapis.com endpoints
105+ run : |
106+ git fetch origin ${GITHUB_BASE_REF}
107+ CHANGED_FILES=$(git diff --diff-filter=ACMR --name-only origin/${GITHUB_BASE_REF}...HEAD | grep -E '\.py$' || true)
108+ if [ -n "$CHANGED_FILES" ]; then
109+ echo "Checking for hardcoded endpoints in: $CHANGED_FILES"
110+
111+ # 1. Identify files containing any googleapis.com URL.
112+ set +e
113+ FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
114+
115+ # 2. From those, identify files that are MISSING the required mTLS version.
116+ if [ -n "$FILES_WITH_ENDPOINTS" ]; then
117+ FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
118+ fi
119+ set -e
120+
121+ if [ -n "$FILES_MISSING_MTLS" ]; then
122+ echo "❌ Found hardcoded googleapis.com endpoints without mTLS support."
123+ echo "The following files must define both standard and mTLS (.mtls.googleapis.com) endpoints"
124+ echo "to support dynamic endpoint selection as required by security policy:"
125+ echo "$FILES_MISSING_MTLS"
126+ echo ""
127+ echo "To fix this, please follow these steps:"
128+ echo "1. Initialize an AuthorizedSession with your credentials."
129+ echo "2. Use 'mtls.has_default_client_cert_source() from google-auth' to check for available client certificates."
130+ echo "3. If certificates are present, use 'session.configure_mtls_channel()'."
131+ echo "4. Dynamically select the '.mtls.' variant of the endpoint when mTLS is active."
132+ exit 1
133+ else
134+ echo "✅ All hardcoded endpoints have corresponding mTLS definitions or no endpoints found."
135+ fi
136+ fi
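Review bot: The two grep calls that receive the file lists expand `$CHANGED_FILES` and `$FILES_WITH_ENDPOINTS` unquoted, so a changed path containing whitespace is word-split into several arguments and that file is silently skipped by the check; the later `if [ -n "$FILES_MISSING_MTLS" ]` also relies on a variable that is never initialised when no endpoint file is found. Reading the paths NUL-delimited into arrays, passing `--` before the file arguments, and using `-F` for the literal `.mtls.googleapis.com` pattern (its dots are regex metacharacters as written) closes those gaps without changing what the step reports. It is worth stating in a comment that this is a heuristic rather than an enforcement of the policy it cites, since a file passes as soon as the string `.mtls.googleapis.com` appears anywhere in it — in a comment, or for only one of several hardcoded hosts — e.g. `# Heuristic: per-file presence check only; does not verify that each endpoint has an mTLS variant.` The step also appears to assume a pull request context, because `${GITHUB_BASE_REF}` is empty on push runs and the `origin/...HEAD` range would then be malformed; an explicit `if: github.event_name == 'pull_request'` on the step would make that assumption visible.
```yaml
      - name : Check for hardcoded googleapis.com endpoints
        if: github.event_name == 'pull_request'
        run : |
          git fetch origin "${GITHUB_BASE_REF}"
          mapfile -d '' -t CHANGED_FILES < <(git diff --diff-filter=ACMR --name-only -z "origin/${GITHUB_BASE_REF}...HEAD" -- '*.py')
          if (( ${#CHANGED_FILES[@]} )); then
            echo "Checking for hardcoded endpoints in: ${CHANGED_FILES[*]}"

            # 1. Files containing any googleapis.com URL. grep exits 1 when nothing matches; that is not an error here.
            mapfile -d '' -t FILES_WITH_ENDPOINTS < <(grep -lZE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' -- "${CHANGED_FILES[@]}" || true)

            # 2. Of those, files that never mention the mTLS host.
            # Heuristic: per-file presence check only; does not verify that each endpoint has an mTLS variant.
            FILES_MISSING_MTLS=()
            if (( ${#FILES_WITH_ENDPOINTS[@]} )); then
              mapfile -d '' -t FILES_MISSING_MTLS < <(grep -LZF -- '.mtls.googleapis.com' "${FILES_WITH_ENDPOINTS[@]}" || true)
            fi

            if (( ${#FILES_MISSING_MTLS[@]} )); then
              # … unchanged: failure message …
              printf '%s\n' "${FILES_MISSING_MTLS[@]}"
              # … unchanged: remediation steps and exit 1 …
            else
              # … unchanged: success message …
            fi
          fi
```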