apache · pabloem · Oct 8, 2025 · Oct 7, 2025 · Oct 7, 2025
diff --git a/.github/workflows/beam_Infrastructure_UsersPermissions.yml b/.github/workflows/beam_Infrastructure_UsersPermissions.yml
@@ -24,14 +24,8 @@ name: Modify the GCP User Roles according to the infra/users.yml file
 
 on:
   workflow_dispatch:
-  # Trigger when the users.yml file is modified on the main branch
-  push:
-    branches:
-      - main
-    paths:
-      - 'infra/iam/users.yml'
   pull_request_target:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, closed]
     paths:
       - 'infra/iam/users.yml'
 
@@ -40,9 +34,8 @@ concurrency:
   group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login }}'
   cancel-in-progress: true
 
-#Setting explicit permissions for the action to avoid the default permissions which are `write-all` in case of pull_request_target event
 permissions:
-  contents: write
+  contents: read
   pull-requests: write
 
 jobs:
@@ -51,7 +44,10 @@ jobs:
     runs-on: [self-hosted, ubuntu-20.04, main]
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.merged == true && github.base_ref || github.event.pull_request.head.sha }}
       - name: Setup gcloud
         uses: google-github-actions/setup-gcloud@v3
       - name: Install Terraform
@@ -66,12 +62,12 @@ jobs:
         run: terraform plan -out=tfplan
 
       - name: Convert plan to plaintext
-        if: github.event_name == 'pull_request_target'
+        if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened'
         working-directory: ./infra/iam
         run: terraform show -no-color tfplan > tfplan.txt
 
       - name: Create comment body
-        if: github.event_name == 'pull_request_target'
+        if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened'
         run: |
           PLAN_SIZE=$(wc -c < ./infra/iam/tfplan.txt)
           if [ "$PLAN_SIZE" -gt 60000 ]; then
@@ -85,13 +81,13 @@ jobs:
           fi
 
       - name: Upload plan as a comment to PR
-        if: github.event_name == 'pull_request_target'
+        if: github.event.action == 'opened' || github.event.action == 'synchronize' || github.event.action == 'reopened'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
         run: gh pr comment ${{ github.event.pull_request.number }} --body-file comment_body.txt
 
       - name: Terraform Apply
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'apache/beam'
+        if: github.event.pull_request.merged == true
         working-directory: ./infra/iam
         run: terraform apply -auto-approve tfplan
diff --git a/infra/iam/users.yml b/infra/iam/users.yml
@@ -367,7 +367,7 @@
 - username: enriquecaol04
   email: enriquecaol04@gmail.com
   permissions:
-  - role: roles/viewer
+  - role: projects/apache-beam-testing/roles/beam_viewer
 - username: eventarc-workflow-sa
   email: eventarc-workflow-sa@apache-beam-testing.iam.gserviceaccount.com
   permissions: