feat: Update check-file-contents.yml to check for non-mTLS hardcoded …#5774
feat: Update check-file-contents.yml to check for non-mTLS hardcoded …#5774agrawalradhika-cell wants to merge 3 commits into
Conversation
…endpoints feat: Update check-file-contents.yml to check for non-mTLS hardcoded endpoints
|
Response from ADK Triaging Agent Hello @agrawalradhika-cell, thank you for creating this PR! This PR introduces a new check in the GitHub Actions workflow. To help reviewers better understand and verify the fix:
Providing logs/screenshots of the applied changes helps ensure high code quality and speeds up the review process. For more details, you can refer to our contribution guidelines. Thank you! |
rohityan
added
the
needs review
|
Hi @agrawalradhika-cell, Thank you for your contribution! We appreciate you taking the time to submit this pull request. Your PR has been received by the team and is currently under review. We will provide feedback as soon as we have an update to share. |
|
Hi @DeanChensj , can you please review this. |
chore: test linter by Update agent.py
|
@gemini-cli /review |
|
🤖 Hi @DeanChensj, I've received your request, and I'm working on it now! You can track my progress in the logs for more details. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Thanks for the contribution! This is a great addition to the linter to ensure security compliance.
However, there are a few things that need to be addressed:
- The
greplogic in the workflow doesn't correctly filter out compliant endpoints because it's operating on filenames rather than line content. - The temporary test code in
agent.pyshould be removed. - Please fill out or remove the issue placeholders in the PR description (e.g.,
#_issue_number_).
Please see the line-specific comments for more details.
| if [ -n "$CHANGED_FILES" ]; then | ||
| echo "Checking for hardcoded endpoints in: $CHANGED_FILES" | ||
|
|
||
| set +e |
There was a problem hiding this comment.
The current logic grep -lE ... | grep -v '.mtls.googleapis.com' will not work as intended. grep -l returns a list of filenames, and the subsequent grep -v will only exclude the filename if it contains .mtls.googleapis.com, which is unlikely for a filename.
To catch any non-mTLS endpoint, you should probably do something like:
grep -rE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES | grep -v '.mtls.googleapis.com'
This will check the content of each line and only exclude lines that contain the .mtls. prefix.
| # Temporary test for linter | ||
| API_ENDPOINT = "https://test.googleapis.com" | ||
|
|
||
| root_agent = Agent( |
There was a problem hiding this comment.
This temporary test code should be removed before merging.
4 participants
…endpoints
feat: Update check-file-contents.yml to check for non-mTLS hardcoded endpoints
Please ensure you have read the contribution guide before creating a pull request.
Link to Issue or Description of Change
1. Link to an existing issue (if applicable):
2. Or, if no issue exists, describe the change:
This PR introduces a new linting step to the check-file-contents.yml workflow to detect and prevent the hardcoding of non-mTLS googleapis.com endpoints in Python files. It provides immediate, actionable guidance to developers on how to implement security-compliant, dynamic endpoint selection
Problem:
Hardcoded googleapis.com URLs (e.g., https://telemetry.googleapis.com) do not support mutual TLS (mTLS) by default. This leads to 401 "Invalid authentication credentials" errors when services, fail to satisfy Client Authentication & Authorization (CAA) mTLS policies. Hardcoding these endpoints prevents the underlying session from utilizing the google-auth library for certificate-based authentication
Solution:
The check-file-contents.yml workflow is updated with a "Check for hardcoded googleapis.com endpoints" step. This step identifies .py files containing googleapis.com strings that lack the .mtls. prefix.
Testing Plan
Please describe the tests that you ran to verify your changes. This is required
for all PRs that are not small documentation or typo fixes.
Unit Tests:
Please include a summary of passed
pytestresults.Manual End-to-End (E2E) Tests:
The new workflow step was verified in the agrawalradhika-cell/adk-python fork.
Checklist
Additional context
Add any other context or screenshots about the feature request here.