Test Fine-Grained GitHub token #14
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Check Inactive Collaborators | |
on: | |
schedule: | |
- cron: '30 9 */100,1-7 * 1' | |
pull_request: | |
branches: | |
main | |
env: | |
AWS_REGION: "eu-west-2" | |
ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} | |
API_KEY: ${{ secrets.GOV_UK_NOTIFY_API_KEY }} | |
TEMPLATE_ID: "44d86b2d-2a73-4179-9b67-7c3fc2b58934" | |
GH_TOKEN: ${{ secrets.MP_GITHUB_CI_USER_PAT_TEST }} | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
issues: write # This is required to create issues | |
jobs: | |
disable-login-for-inactive-collaborators: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: | | |
ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
echo "::add-mask::$ACCOUNT_NUMBER" | |
echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Fetch Inactive Collaborators | |
run: bash ./scripts/iam-monitoring/collaborators-inactivity-monitoring/check_inactive_users.sh | |
env: | |
threshold: 120 | |
- name: Disable Console Login | |
run: bash ./scripts/iam-monitoring/collaborators-inactivity-monitoring/disable_user_credentials.sh | |
notify-inactive-collaborators: | |
runs-on: ubuntu-latest | |
needs: disable-login-for-inactive-collaborators | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Set Account Number | |
run: | | |
ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
echo "::add-mask::$ACCOUNT_NUMBER" | |
echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Install the client | |
run: pip install notifications-python-client | |
- name: Fetch Inactive Collaborators | |
run: bash ./scripts/iam-monitoring/collaborators-inactivity-monitoring/check_inactive_users.sh | |
env: | |
threshold: 90 | |
SKIP_DISABLED_CONSOLE_USERS: true | |
- name: Send Notification to Collaborators | |
run: | | |
if [ -f final_users.list ]; then | |
python ./scripts/iam-monitoring/collaborators-inactivity-monitoring/notification.py collaborators.json final_users.list | |
else | |
echo "There are no inactive collaborator users with an inactivity period of 90 days or longer" | |
fi | |
schedule-user-deletion: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: | | |
ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
echo "::add-mask::$ACCOUNT_NUMBER" | |
echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Fetch Inactive Collaborators | |
run: bash ./scripts/iam-monitoring/collaborators-inactivity-monitoring/check_inactive_users.sh | |
env: | |
threshold: 180 | |
- name: Create Deletion Issue | |
run: bash ./scripts/iam-monitoring/collaborators-inactivity-monitoring/collaborator_user_deletion_issue.sh |