This GitHub Action identifies and flags pull requests in the Ministry of Justice Cloud Platform that change IAM roles or IAM policies. Such changes require approval from the Cloud Platform team, because an IAM change alters what a namespace's workloads are permitted to do in AWS.
When a pull request contains IAM role or policy changes, the action sets its `review_pr_iam_check` output to `false`, and the workflow below uses that output to post a review on the PR asking for a review by authorised team members. This keeps IAM changes from reaching the platform without a Cloud Platform reviewer having seen them.
To integrate this GitHub Action into your workflow, follow the steps below:

1. Create a workflow file: in your repository, create a file named `.github/workflows/iam-role-policy-changes-check.yml`.

2. Configure the workflow: copy the following workflow configuration into your new file:

   ```yaml
   name: Identify PRs that contain IAM Role and Policy changes

   on: pull_request

   env:
     PR_OWNER: ${{ github.event.pull_request.user.login }}
     GITHUB_OAUTH_TOKEN: ${{ secrets.DOCUMENT_REVIEW_GITHUB }}

   jobs:
     check-diff:
       runs-on: ${{ matrix.os }}
       strategy:
         matrix:
           os: [ubuntu-latest]
       steps:
         - name: Checkout PR code
           uses: actions/checkout@v3

         - run: |
             git fetch --no-tags --prune --depth=1 origin +refs/heads/*:refs/remotes/origin/*

         - name: Run git diff against repository
           run: |
             git diff origin/main HEAD > changes

         - name: Run iam/role policy changes check
           id: review_pr
           uses: ministryofjustice/cloud-platform-iam-policy-github-action@main

         - name: Request changes in the PR
           uses: andrewmusgrave/automatic-pull-request-review@0.0.5
           if: steps.review_pr.outputs.review_pr_iam_check == 'false'
           with:
             repo-token: "${{ secrets.GITHUB_TOKEN }}"
             event: COMMENT
             body: |
               There are potential IAM Role and/or policy Changes/additions.
               Reviewer - If satisfied with the changes/additions - dismiss this request
   ```

3. Provide the required secret: ensure the `secrets.DOCUMENT_REVIEW_GITHUB` secret is set in your repository's settings so that the action can operate correctly.

A few points to check before relying on this workflow:

- The diff step compares the PR head against `origin/main` and writes the result to a file named `changes`, which the check step then reads. If your default branch is not `main`, change the branch name in the diff step, otherwise the diff will be empty or fail and no IAM change will be flagged.
- The review step posts a `COMMENT` review, which does not prevent the PR from being merged. If the PR should be blocked until a Cloud Platform reviewer dismisses the review (which is what the comment body asks for), set `event` to `REQUEST_CHANGES` and require reviews in branch protection.
- Both third-party actions are referenced by mutable refs (`@main` and the `0.0.5` tag). Pin them to a full commit SHA so that a later push to that branch or tag cannot change the code that runs with your repository's `GITHUB_TOKEN` and `DOCUMENT_REVIEW_GITHUB` secret.
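To make the check reproducible locally before opening a PR, the following script approximates what the workflow does with the `changes` file: it walks the unified diff produced by `git diff origin/main HEAD` and reports every added or removed line that touches an IAM role or policy, then returns `"false"` or `"true"` in the same convention as the action's `review_pr_iam_check` output. This is an added example and not the code of `ministryofjustice/cloud-platform-iam-policy-github-action`; the Terraform resource and attribute patterns it matches are an assumption about what counts as an IAM change, and the two sample diffs are constructed for the example.

```python
"""Local approximation of the IAM role/policy change check.

Added example, not the code of the
ministryofjustice/cloud-platform-iam-policy-github-action. It reads the unified
diff that the workflow writes with `git diff origin/main HEAD > changes` and
reports added or removed lines that touch IAM roles or policies. The patterns
below are an assumption about what the real action treats as an IAM change.
"""
import re
import sys

# Assumed: any aws_iam_* resource or data source whose type name mentions a role
# or a policy (aws_iam_role, aws_iam_policy, aws_iam_role_policy_attachment,
# aws_iam_policy_document, ...).
IAM_RESOURCE_RE = re.compile(r'(?:resource|data)\s+"(aws_iam_[a-z_]*(?:role|policy)[a-z_]*)"')
# Assumed: attribute assignments that change what a role or policy grants.
IAM_ATTR_RE = re.compile(r"\b(?:assume_role_policy|inline_policy|policy_arn|managed_policy_arns|policy)\s*=")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def find_iam_changes(diff_text):
    """Return (file, new_line_no, text) for each changed line that touches IAM.

    new_line_no is None for removed lines, which have no position in the new file.
    """
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):  # new-file header: "+++ b/path"
            current_file = raw[4:].strip()
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):  # old-file header / "\ No newline"
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            new_line = int(hunk.group(1))  # first line number of the hunk in the new file
            continue
        if current_file is None:  # "diff --git" / "index" lines before the first header
            continue
        if raw.startswith("+"):
            text = raw[1:]
            if IAM_RESOURCE_RE.search(text) or IAM_ATTR_RE.search(text):
                findings.append((current_file, new_line, text.strip()))
            new_line += 1
        elif raw.startswith("-"):
            text = raw[1:]
            if IAM_RESOURCE_RE.search(text) or IAM_ATTR_RE.search(text):
                findings.append((current_file, None, text.strip()))
        else:  # context line: present in both old and new file
            new_line += 1
    return findings


def review_pr_iam_check(diff_text):
    """Mirror the action's output convention: "false" when IAM changes were found."""
    return "false" if find_iam_changes(diff_text) else "true"


# Constructed sample diff: a namespace PR that adds an IAM policy and attaches it.
SAMPLE_DIFF = """\
diff --git a/namespaces/my-app/resources/iam.tf b/namespaces/my-app/resources/iam.tf
--- a/namespaces/my-app/resources/iam.tf
+++ b/namespaces/my-app/resources/iam.tf
@@ -1,3 +1,13 @@
 resource "aws_iam_user" "app" {
   name = "app-user"
 }
+
+resource "aws_iam_policy" "s3_read" {
+  name   = "app-s3-read"
+  policy = data.aws_iam_policy_document.s3_read.json
+}
+
+resource "aws_iam_user_policy_attachment" "app_s3" {
+  user       = aws_iam_user.app.name
+  policy_arn = aws_iam_policy.s3_read.arn
+}
"""

# Constructed sample diff with no IAM content at all.
SAFE_DIFF = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # my-app
+Added a deployment note.
"""

if __name__ == "__main__":
    # Usage: python iam_diff_check.py [path-to-diff]  (defaults to the workflow's "changes" file)
    path = sys.argv[1] if len(sys.argv) > 1 else "changes"
    with open(path, encoding="utf-8") as fh:
        diff = fh.read()
    for file_name, line, text in find_iam_changes(diff):
        print(f"{file_name}:{line if line is not None else '-'}: {text}")
    print(f"review_pr_iam_check={review_pr_iam_check(diff)}")
```

Run it against the same `changes` file the workflow produces (`git diff origin/main HEAD > changes && python iam_diff_check.py`) and you get the file, line and text of each flagged change, which is more useful for a reviewer than the bare `false` the workflow acts on. Removed lines are reported too, since deleting a policy attachment or an `assume_role_policy` is as much an IAM change as adding one.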