BDBA Token Rotation #25

Workflow file for this run

.github/workflows/rotate-bdba-token.yml at 736ba65

	name: BDBA Token Rotation
	# Rotate the Black Duck Binary Analysis API token on a monthly basis
	on:
	schedule:
	# Run on first of every month at 0:37 AM UTC
	- cron: '37 0 1 * *'
	workflow_dispatch: # Allow manual trigger

	jobs:
	rotate-token:
	runs-on: ubuntu-latest
	steps:
	- name: Generate GitHub token
	id: generate-github-token
	uses: tibdex/github-app-token@v2
	with:
	app_id: ${{ secrets.OCMBOT_APP_ID }}
	private_key: ${{ secrets.OCMBOT_PRIV_KEY }}

	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Generate new BDBA API token
	id: generate_bdba_token
	run: \|
	# Generate new token from the Black Duck Binary Analysis API
	# Using the validity period of 3888000 seconds (45 days)
	RESPONSE=$(curl -s -X PUT \
	-H "Content-Type: application/json" \
	-u "${{ secrets.BDBA_USERNAME }}:${{ secrets.BDBA_PASSWORD }}" \
	-d '{"validity": 3888000}' \
	"https://bdba.tools.sap/api/key/")

	# Extract token from response
	TOKEN=$(echo "$RESPONSE" \| jq -r '.key.value')

	# Verify token was generated successfully
	if [ -z "$TOKEN" ] \|\| [ "$TOKEN" = "null" ]; then
	echo "Failed to generate new token. API response: $RESPONSE"
	exit 1
	fi

	# Store token as step output
	echo "::add-mask::$TOKEN"
	echo "bdba_token=$TOKEN" >> "$GITHUB_OUTPUT"

	echo "Successfully generated new BDBA API token"

	- name: Update organization secret
	run: \|
	# Authenticate with the GitHub CLI and set the secret on org level
	gh auth login --with-token <<< ${{ steps.generate_token.outputs.token }}

	gh secret set BDBA_API_TOKEN \
	--org open-component-model \
	--visibility all \
	--body "${{ steps.generate_bdba_token.outputs.bdba_token }}"

	echo "BDBA API token successfully rotated at $(date)"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BDBA Token Rotation #25

Workflow file

BDBA Token Rotation #25

Uh oh!

Workflow file for this run