BDBA Token Rotation #22
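---
name: BDBA Token Rotation
# Rotate the Black Duck Binary Analysis (BDBA) API token on a monthly basis.
#
# Flow: mint a short-lived GitHub App installation token, request a fresh BDBA
# API key with the service account's basic-auth credentials, then write that
# key into the BDBA_API_TOKEN repository secret of every consuming repository.
#
# The key is requested with a 45-day validity while the schedule is monthly, so
# one missed or failed run does not leave the consumers with an expired key.
#
# NOTE(review): this relies on the BDBA API retiring the previous key when a new
# one is issued; if it does not, old keys accumulate on the service account --
# confirm against the API documentation.

on:
  schedule:
    # Run on the first of every month at 00:37 UTC.
    - cron: '37 0 1 * *'
  workflow_dispatch: # Allow manual trigger

# Nothing in this workflow uses the built-in GITHUB_TOKEN (the GitHub App token
# minted below is used for every API call), so grant it no permissions at all.
permissions: {}

# Never let a manual run overlap a scheduled one: two concurrent runs would mint
# two keys and could leave the target repositories holding a mix of both.
concurrency:
  group: bdba-token-rotation
  cancel-in-progress: false

jobs:
  rotate-token:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Generate GitHub token
        id: generate-github-token
        # NOTE(review): a mutable tag can be moved upstream at any time; pin
        # third-party actions to a full commit SHA for supply-chain hygiene.
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.OCMBOT_APP_ID }}
          private_key: ${{ secrets.OCMBOT_PRIV_KEY }}

      # The previous revision checked out the repository at this point. No step
      # reads the working tree, so the checkout -- and the contents permission
      # it would need on GITHUB_TOKEN -- has been dropped.

      - name: Generate new BDBA API token
        id: generate-bdba-token
        shell: bash
        env:
          # Secrets are handed to the script through the environment instead of
          # being spliced into its text with ${{ }}: the value never becomes
          # part of the rendered command, and an unset secret fails loudly below
          # instead of silently producing an empty string in the script.
          BDBA_USERNAME: ${{ secrets.BDBA_USERNAME }}
          BDBA_PASSWORD: ${{ secrets.BDBA_PASSWORD }}
          BDBA_KEY_URL: https://bdba.tools.sap/api/key/
          # Validity of the new key in seconds: 3888000 s = 45 days.
          BDBA_KEY_VALIDITY: "3888000"
        run: |
          set -euo pipefail

          : "${BDBA_USERNAME:?BDBA_USERNAME secret is not set}"
          : "${BDBA_PASSWORD:?BDBA_PASSWORD secret is not set}"

          # Log only the shape of a response, never its body: a response that
          # did not parse the way we expect may still carry the new key under
          # a path we have not masked yet.
          describe_response() {
            jq -c 'if type == "object" then keys else type end' <<< "$1" 2>/dev/null \
              || echo "<non-JSON body, ${#1} bytes>"
          }

          # Build the request body with jq so the validity is validated as JSON
          # rather than pasted into a hand-written literal.
          PAYLOAD=$(jq -cn --argjson validity "${BDBA_KEY_VALIDITY}" '{validity: $validity}')

          # Request a new key from the BDBA API.
          #   -sS               quiet progress output, still report transport errors
          #   --fail-with-body  treat a non-2xx status as failure but keep the body
          #   --max-time        never hang the job on an unresponsive endpoint
          # NOTE(review): -u puts the credential in curl's argument list, which is
          # readable from the process table on a shared (self-hosted) runner;
          # pass it via `-K -` / a curl config on stdin if that ever matters here.
          if ! RESPONSE=$(curl -sS --fail-with-body --max-time 60 \
                -X PUT \
                -H "Content-Type: application/json" \
                -u "${BDBA_USERNAME}:${BDBA_PASSWORD}" \
                -d "${PAYLOAD}" \
                "${BDBA_KEY_URL}"); then
            echo "::error::BDBA API request failed; response shape: $(describe_response "${RESPONSE}")"
            exit 1
          fi

          # Extract the key. `?` keeps jq from aborting if `.key` is not an
          # object; `// empty` turns null into an empty string for the check.
          TOKEN=$(jq -r '.key.value? // empty' <<< "${RESPONSE}")
          if [[ -z "${TOKEN}" ]]; then
            echo "::error::Failed to extract key from BDBA API response; response shape: $(describe_response "${RESPONSE}")"
            exit 1
          fi

          # Mask first, then publish as a step output so no later log line
          # (including the output itself) can print the token in clear.
          echo "::add-mask::${TOKEN}"
          echo "bdba_token=${TOKEN}" >> "${GITHUB_OUTPUT}"
          echo "Successfully generated new BDBA API token"

      - name: Update repository secrets
        shell: bash
        env:
          # gh reads GH_TOKEN from the environment; this replaces
          # `gh auth login --with-token`, which would persist the App token in
          # the runner's gh config file on disk.
          GH_TOKEN: ${{ steps.generate-github-token.outputs.token }}
          BDBA_API_TOKEN: ${{ steps.generate-bdba-token.outputs.bdba_token }}
          GITHUB_ORG: open-component-model
        run: |
          set -euo pipefail

          : "${BDBA_API_TOKEN:?no BDBA token was produced by the previous step}"

          # List of specific repositories to update.
          # Secrets do not work out of the box for the BDBA action: the
          # workflow_run trigger requires GH environments, and environments
          # require repo-scoped secrets, so the key is written per repository
          # instead of as a single organization secret.
          REPOSITORIES=("open-component-model" "ocm-cicd-playground" "ocm-k8s-toolkit" "ocm-controller")

          # Try every repository even if one fails, then fail the job once at the
          # end: a mid-loop abort would leave some repositories on the old key
          # with no indication of which ones.
          FAILED=()
          for repo in "${REPOSITORIES[@]}"; do
            echo "Setting BDBA_API_TOKEN for repository: ${repo}"
            # The secret value is piped over stdin rather than passed with
            # --body so it never appears in a command line.
            if ! printf '%s' "${BDBA_API_TOKEN}" | gh secret set BDBA_API_TOKEN --repo "${GITHUB_ORG}/${repo}"; then
              echo "::error::Failed to set BDBA_API_TOKEN on ${GITHUB_ORG}/${repo}"
              FAILED+=("${repo}")
            fi
          done

          if (( ${#FAILED[@]} > 0 )); then
            echo "::error::BDBA API token rotation incomplete; failed repositories: ${FAILED[*]}"
            exit 1
          fi

          echo "BDBA API token successfully rotated for specific repositories at $(date)"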