diff --git a/.github/workflows/bdba-upload-ctf-manually.yaml b/.github/workflows/bdba-upload-ctf-manually.yaml
deleted file mode 100644
index 4fde750..0000000
--- a/.github/workflows/bdba-upload-ctf-manually.yaml
+++ /dev/null
@@ -1,105 +0,0 @@ -# Workflow to upload released versions, RC or final, Black Duck Binary Analysis (BDBA) for scanning. -# Uses CTF from GitHub release assets. -# This workflow is triggered manually and allows to specify the OCM version to scan. -# Can be used in case the BDBA upload did not work in the release workflow. - -name: BDBA Scan for dedicated OCM version - -on: - workflow_dispatch: - inputs: - OCM_VERSION: - description: 'The OCM version to scan (e.g., 0.22.0)' - required: true - type: string - -permissions: - actions: read - contents: read - -jobs: - upload-and-scan-ctfs: - runs-on: ubuntu-latest - - steps: - # Checkout code from correct repository as executed in .github repo - - name: Checkout code - uses: actions/checkout@v4 - with: - repository: open-component-model/ocm - ref: main - - # Download CTF from GH release assets - - name: Download CTF - run: | - if [ -z "${{ github.event.inputs.OCM_VERSION }}" ]; then - echo "Error: OCM_VERSION parameter is required" - exit 1 - fi - - CTF_URL="https://github.com/open-component-model/ocm/releases/download/v${{ github.event.inputs.OCM_VERSION }}/ocm-${{ github.event.inputs.OCM_VERSION }}-ctf.tgz" - echo "Downloading CTF from: $CTF_URL" - - mkdir -p "${{ github.workspace }}/gen" - curl -L -o "${{ github.workspace }}/gen/ctf-aggregated" "$CTF_URL" - - # Since OCM cli is required to download CVs from CTF, extract binary from CTF - - name: Extract OCM Binary from CTF - id: extract-ocm - run: | - ocm_binary="$(bash ./hack/get_bare_resource_from_ctf.sh \ - "ocm.software/ocmcli" \ - "" \ - "ocmcli" \ - "amd64" \ - "linux" \ - "application/octet-stream" \ - ${{ github.workspace }}/gen/ctf-aggregated)" - - new_loc="${{ github.workspace }}/bin/ocm" - mkdir -p "$(dirname "$new_loc")" - ln -s "$ocm_binary" "$new_loc" - chmod +x "$new_loc" - echo "OCM binary linked to \"$new_loc\"" - echo "binary=\"$new_loc\"" >> "$GITHUB_OUTPUT" - - # Download CVs from CTF as TAR, loop over all TARs and upload them to BDBA - - name: 
Upload CVs from CTF from GH assets to Blackduck - id: blackduck-upload-ctf - run: | - set -e # Exit immediately if any command fails with non-zero status - echo "Download CVs from CTF (creates CommonTransportFormat-ctf root folder)" - echo "Upload single CVs to BDBA" - echo "Large files may take a while to upload. Please be patient." - echo - cd ${{ github.workspace }}/gen/ - ${{ steps.extract-ocm.outputs.binary }} download cv --type tar ${{ github.workspace }}/gen/ctf-aggregated - # Find all CV tar files within CommonTransportFormat-ctf - find "CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated" -type f -print0 | while IFS= read -r -d '' file; do - # Extract the relative path and construct the upload name - relative_path="${file#CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated/}" - upload_name="${relative_path%/*}" - upload_name="${upload_name//\//-}" - - # Extract the version from the filename - version=$(basename "$file") - version="${version%.tar}" - - # Construct the API URL - api_url="${{ secrets.BDBA_URL }}/api/upload/${upload_name}" - - # Upload the file using curl - echo "Uploading $upload_name to BDBA" - curl_output=$(curl -sS -X PUT -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" -H "Group: ${{ secrets.BDBA_GROUP_ID }}" -H "Version: $version" -H "Delete-Binary: true" --data-binary "@$file" "$api_url") - - # Check if upload was successful and print results - if [[ $(echo "$curl_output" | jq '.meta.code') == "200" ]]; then - echo "--- Upload successful ---" - echo " filename: $(echo "$curl_output" | jq '.results.filename')" - echo " last_updated: $(echo "$curl_output" | jq '.results.last_updated')" - else - echo "Upload failed with" - echo "$curl_output" - exit 1 - fi - done diff --git a/.github/workflows/bdba.yaml b/.github/workflows/bdba.yaml deleted file mode 100644 index ba4a765..0000000 --- a/.github/workflows/bdba.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -# Workflow to upload CTFs to Black Duck Binary Analysis (BDBA) for scanning. -# Located in .github repo to be shared across all repositories in the GH org. -# This workflow is triggered by other workflows, e.g., release workflow. -# The secret for the BDBA_API_TOKEN is generated in another workflow -# (https://github.com/open-component-model/.github/actions/workflows/rotate-bdba-token.yml) -# which is scheduled to run every 30 days. By policy the maximum lifetime of a token is 180 days. - -name: BDBA Scan - -on: - # Trigger for call from other workflows - workflow_call: - inputs: - artifact_id: - description: Identifier for the artifact to download - required: false - type: string - # Secrets have to be passed from the calling workflow - # as for security reasons secrets are not shared between workflows - secrets: - BDBA_API_TOKEN: - required: true - BDBA_URL: - required: true - BDBA_GROUP_ID: - required: true - -permissions: - actions: read - contents: read - -jobs: - upload-and-scan-ctfs: - runs-on: ubuntu-latest - - steps: - # Since workflow is called, checkout code from correct repository - - name: Checkout code - uses: actions/checkout@v4 - with: - repository: open-component-model/ocm - ref: main - - # Download the CTF that has been uploaded from release workflow - - name: Download CTF - uses: actions/download-artifact@v4 - with: - pattern: '${{ inputs.artifact_id }}' - path: ${{ github.workspace }}/gen - - # Since OCM cli is required to download CVs from CTF, extract binary from CTF - - name: Extract OCM Binary from CTF - id: extract-ocm - run: | - ocm_binary="$(bash ./hack/get_bare_resource_from_ctf.sh \ - "ocm.software/ocmcli" \ - "" \ - "ocmcli" \ - "amd64" \ - "linux" \ - "application/octet-stream" \ - ${{ github.workspace }}/gen/ctf-aggregated)" - - new_loc="${{ github.workspace }}/bin/ocm" - mkdir -p "$(dirname "$new_loc")" - ln -s "$ocm_binary" "$new_loc" - chmod +x "$new_loc" - echo "OCM binary linked to \"$new_loc\"" - echo 
"binary=\"$new_loc\"" >> "$GITHUB_OUTPUT" - - # Download CVs from CTF as TAR, loop over all TARs and upload them to BDBA - - name: Upload to Blackduck for CTF - id: blackduck-upload-ctf - run: | - set -e # Exit immediately if any command fails with non-zero status - echo "Download CVs from CTF (creates CommonTransportFormat-ctf root folder)" - echo "Upload single CVs to BDBA" - echo "Large files may take a while to upload. Please be patient." - echo - cd ${{ github.workspace }}/gen/ - ${{ steps.extract-ocm.outputs.binary }} download cv --type tar ${{ github.workspace }}/gen/ctf-aggregated - # Find all CV tar files within CommonTransportFormat-ctf - find "CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated" -type f -print0 | while IFS= read -r -d '' file; do - # Extract the relative path and construct the upload name - relative_path="${file#CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated/}" - upload_name="${relative_path%/*}" - upload_name="${upload_name//\//-}" - - # Extract the version from the filename - version=$(basename "$file") - version="${version%.tar}" - - # Construct the API URL - api_url="${{ secrets.BDBA_URL }}/api/upload/${upload_name}" - - # Upload the file using curl - echo "Uploading $upload_name to BDBA" - curl_output=$(curl -sS -X PUT -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" -H "Group: ${{ secrets.BDBA_GROUP_ID }}" -H "Version: $version" -H "Delete-Binary: true" --data-binary "@$file" "$api_url") - - # Check if upload was successful and print results - if [[ $(echo "$curl_output" | jq '.meta.code') == "200" ]]; then - echo "--- Upload successful ---" - echo " filename: $(echo "$curl_output" | jq '.results.filename')" - echo " last_updated: $(echo "$curl_output" | jq '.results.last_updated')" - else - echo "Upload failed with" - echo "$curl_output" - exit 1 - fi - done 
diff --git a/.github/workflows/blackduck-scan.yaml b/.github/workflows/blackduck-scan.yaml
deleted file mode 100644
index b6c13cc..0000000
--- a/.github/workflows/blackduck-scan.yaml
+++ /dev/null
@@ -1,115 +0,0 @@ -# This central workflow is used to run a Black Duck SCA scan on a repository. -# It is triggered by the Trigger Blackduck Scan workflow, -# which is defined in the other repositories' .github/workflows -name: Execute Blackduck SCA Scan - -on: - workflow_call: - inputs: - detector_search_depth: - description: 'Optional detector search depth for the Black Duck scan.' - required: false - type: number - default: 0 # default is required as otherwise Blackduck will throw an error with empty string - event_type: - description: 'The event type of the triggering workflow.' - required: true - type: string - secrets: - BLACKDUCK_API_TOKEN: - required: true - BLACKDUCK_URL: - required: true - -permissions: - contents: read - -jobs: - build: - runs-on: [ ubuntu-latest ] - steps: - - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule) - if: ${{ inputs.event_type != 'pull_request_target' }} - uses: blackduck-inc/black-duck-security-scan@66ede8f408f5c8eb3affd1c8cdfa6eb321c3aa97 #v2.1.0 - env: - DETECT_PROJECT_USER_GROUPS: opencomponentmodel - DETECT_PROJECT_VERSION_DISTRIBUTION: opensource - DETECT_BLACKDUCK_SIGNATURE_SCANNER_ARGUMENTS: '--min-scan-interval=0' - DETECT_DETECTOR_SEARCH_DEPTH: ${{ inputs.detector_search_depth }} - DETECT_ACCURACY_REQUIRED: NONE - NODE_TLS_REJECT_UNAUTHORIZED: true - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - blackducksca_url: ${{ secrets.BLACKDUCK_URL }} - blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackducksca_scan_full: true - blackducksca_scan_failure_severities: 'BLOCKER,CRITICAL' - # Parameter required to avoid failing the build even if policy violations are found. - # Scan results are nonetheless uploaded to Blackduck SCA backend. - # !!! THEY SHOULD BE REMOVED ONCE WE TRIAGED ALL FINDINGS AND THE SCAN RESULTS ARE STABLE !!! 
- mark_build_status: success - - - name: Run Black Duck SCA Scan (Pull Requests) - if: ${{ inputs.event_type == 'pull_request_target' }} - uses: blackduck-inc/black-duck-security-scan@66ede8f408f5c8eb3affd1c8cdfa6eb321c3aa97 #v2.1.0 - env: - DETECT_PROJECT_USER_GROUPS: opencomponentmodel - DETECT_PROJECT_VERSION_DISTRIBUTION: opensource - DETECT_DETECTOR_SEARCH_DEPTH: ${{ inputs.detector_search_depth }} - DETECT_ACCURACY_REQUIRED: NONE - NODE_TLS_REJECT_UNAUTHORIZED: true - with: - github_token: ${{ secrets.GITHUB_TOKEN }} - blackducksca_url: ${{ secrets.BLACKDUCK_URL }} - blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }} - blackducksca_scan_full: false - # Parameter required to avoid failing the build even if policy violations are found. - # !!! THEY SHOULD BE REMOVED ONCE WE TRIAGED ALL FINDINGS AND THE SCAN RESULTS ARE STABLE !!! - mark_build_status: success - - - # Check Black Duck status and upload status file as artifact. - # This step is required to be set as always(), so the status file is uploaded even if the Black Duck scan fails. - - name: Check Black Duck status - if: always() - id: check_blackduck_status - shell: bash - run: | - # Use find to locate status file - STATUS_FILE=$(find "$GITHUB_WORKSPACE/.bridge/blackduck_sca_detect_execution/detect/runs" -name "status.json" | head -n 1) - - if [ -z "$STATUS_FILE" ]; then - echo "::warning file=status.json::No Black Duck status file found" - exit 1 - fi - - echo "status_file_path=$STATUS_FILE" >> "$GITHUB_OUTPUT" - ISSUE_COUNT=$(jq '.issues | length' "$STATUS_FILE") - - if [[ "$ISSUE_COUNT" -eq 0 ]]; then - echo "Black Duck scan successful, no technical issues during scan." - else - # Technical issues with scan exist - echo "::error file=$STATUS_FILE::Black Duck scan had technical issues:" - - # Extract and print issue details - jq -r '.issues[] | "\(.type): \(.title)\n Details: \((.messages | if type == "string" then [.] else . 
end) | join("; "))"' "$STATUS_FILE" | \
- while IFS= read -r line; do
- echo "::error::$line"
- done
- echo
- echo "Black Duck Overall Status:"
- jq -r '.overallStatus[0].key + " - " + .overallStatus[0].status' "$STATUS_FILE"
- exit 1
- fi
-
- - name: Upload Blackduck status file
- if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- with:
- name: status-json
- path: ${{ steps.check_blackduck_status.outputs.status_file_path }}
-
\ No newline at end of file
diff --git a/.github/workflows/rotate-bdba-token.yml b/.github/workflows/rotate-bdba-token.yml
deleted file mode 100644
index 57d51d4..0000000
--- a/.github/workflows/rotate-bdba-token.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Rotate Black Duck Binary Analysis API token on a monthly basis.
-# Per SAP policy the maximum lifetime of a BDBA token is 180 days.
-# The token is used in the worklfow bdba.yaml and stored as a secret on org level
-# The secret is used in the BDBA workflows.
-
-name: BDBA Token Rotation
-
-permissions:
- contents: read
-
-on:
- schedule:
- - cron: '37 2 1 * *' # Run on every 1st of month 2:37 AM UTC
- workflow_dispatch: # Allow manual trigger
-
-jobs:
- rotate-token:
- runs-on: ubuntu-latest
- steps:
- - name: Generate GitHub token
- id: generate-token
- uses: tibdex/github-app-token@v2
- with:
- app_id: ${{ secrets.OCMBOT_APP_ID }}
- private_key: ${{ secrets.OCMBOT_PRIV_KEY }}
-
- - name: Checkout repository
- uses: actions/checkout@v4
-
- # Generate new API token using the BDBA API
- - name: Generate new BDBA API token
- id: generate-bdba-token
- run: |
- # Generate new token from the Black Duck Binary Analysis API
- # Using the validity period of 3024000 seconds (35 days)
- if ! 
RESPONSE=$(curl -sf -X POST \
- -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" \
- -d '{"validity": 3024000}' \
- "https://bdba.tools.sap/api/key/"); then
- echo "::error::Failed to connect to BDBA API"
- exit 1
- fi
-
- # Extract token and error message
- TOKEN=$(echo "$RESPONSE" | jq -r '.key.value')
- ERROR=$(echo "$RESPONSE" | jq -r '.meta.error')
- CODE=$(echo "$RESPONSE" | jq -r '.meta.code')
- REASON=$(echo "$RESPONSE" | jq -r '.meta.reason')
-
- # Verify token was generated successfully
- if [ -n "$ERROR" ] && [ "$ERROR" != "null" ]; then
- echo "::error::BDBA API Error ($CODE): $ERROR - $REASON"
- exit 1
- fi
-
- if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
- echo "::error::Failed to extract token from API response"
- echo "::debug::Full API response: $RESPONSE"
- exit 1
- fi
-
- # Store token as step output
- echo "::add-mask::$TOKEN"
- echo "bdba_token=$TOKEN" >> "$GITHUB_OUTPUT"
-
- echo "Successfully generated new BDBA API token"
-
- # Update the organization secret with the new token
- - name: Update organization secret
- run: |
- # Authenticate with the GitHub CLI and set the secret on org level
- gh auth login --with-token <<< ${{ steps.generate-token.outputs.token }}
-
- gh secret set BDBA_API_TOKEN \
- --org open-component-model \
- --visibility all \
- --body "${{ steps.generate-bdba-token.outputs.bdba_token }}"
-
- echo "BDBA API token successfully rotated at $(date). Valid for 35 days."
diff --git a/.github/workflows/safe-settings.yml b/.github/workflows/safe-settings.yml
index eac5599..d8fa3e5 100644
--- a/.github/workflows/safe-settings.yml
+++ b/.github/workflows/safe-settings.yml
@@ -13,6 +13,9 @@ jobs:
 safeSettingsSync:
 name: synchronize settings
 runs-on: ubuntu-latest
+ environment:
+ name: automations
+ deployment: false
 env:
 SAFE_SETTINGS_CODE_DIR: "${{ github.workspace }}/.safe-settings-code"
 steps:
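Review bot: `deployment: false` is not a key I know GitHub documents under `jobs.<job_id>.environment` (the documented keys are `name` and `url`), and the workflow validator generally rejects unrecognised keys, so the workflow may fail to load; confirm it against the current schema or drop the line. Scoping the job to the `automations` environment only narrows who can reach environment-scoped secrets if that environment carries protection rules (required reviewers, deployment-branch restrictions) — the triggers are outside this hunk, so check that an untrusted ref cannot run this job into the environment. A short comment above the new key would help readers: `# run in the 'automations' environment so its secrets and protection rules apply to this job`. The job definition continues past `steps:` outside the hunk.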