BDBA Token Rotation #28
| # Rotate Black Duck Binary Analysis API token on a monthly basis | |
| # The token is used in the worklfow bdba.yaml and stored as a secret on org level | |
| name: BDBA Token Rotation | |
| on: | |
| schedule: | |
| - cron: '37 2 1 * *' # Run on every 1st of month 2:37 AM UTC | |
| workflow_dispatch: # Allow manual trigger | |
| jobs: | |
| rotate-token: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate GitHub token | |
| id: generate-token | |
| uses: tibdex/github-app-token@v2 | |
| with: | |
| app_id: ${{ secrets.OCMBOT_APP_ID }} | |
| private_key: ${{ secrets.OCMBOT_PRIV_KEY }} | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Generate new API token using the BDBA API | |
| - name: Generate new BDBA API token | |
| id: generate-bdba-token | |
| if: ${{ env.SHOULD_RUN == 'true' }} | |
| run: | | |
| # Generate new token from the Black Duck Binary Analysis API | |
| # Using the validity period of 7257600 seconds (84 days / 12 weeks) | |
| RESPONSE=$(curl -s -X PUT \ | |
| -H "Content-Type: application/json" \ | |
| -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" \ | |
| -d '{"validity": 7257600}' \ | |
| "https://bdba.tools.sap/api/key/") | |
| # Extract token from response | |
| TOKEN=$(echo "$RESPONSE" | jq -r '.key.value') | |
| # Verify token was generated successfully | |
| if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then | |
| echo "Failed to generate new token. API response: $RESPONSE" | |
| exit 1 | |
| fi | |
| # Store token as step output | |
| echo "::add-mask::$TOKEN" | |
| echo "bdba_token=$TOKEN" >> "$GITHUB_OUTPUT" | |
| echo "Successfully generated new BDBA API token" | |
| # Update the organization secret with the new token | |
| - name: Update organization secret | |
| run: | | |
| # Authenticate with the GitHub CLI and set the secret on org level | |
| gh auth login --with-token <<< ${{ steps.generate-token.outputs.token }} | |
| gh secret set BDBA_API_TOKEN \ | |
| --org open-component-model \ | |
| --visibility all \ | |
| --body "${{ steps.generate-bdba-token.outputs.bdba_token }}" | |
| echo "BDBA API token successfully rotated at $(date)" |
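Review bot: The `if: ${{ env.SHOULD_RUN == 'true' }}` guard on the "Generate new BDBA API token" step references a variable that nothing in this workflow defines, so the step is always skipped and the next step runs `gh secret set ... --body ""`, overwriting the organisation secret BDBA_API_TOKEN with an empty value on every scheduled run. Drop the guard (or define `SHOULD_RUN` in an `env:` block) and make the update step refuse an empty token instead of trusting that the output exists. Separately, the app token and the new BDBA token are interpolated straight into the shell text at `gh auth login --with-token <<< ${{ steps.generate-token.outputs.token }}` and `--body "${{ steps.generate-bdba-token.outputs.bdba_token }}"`; passing them through `env:` as `GH_TOKEN` and `NEW_TOKEN` keeps them out of the script body, lets `gh` pick up `GH_TOKEN` without the login call, and avoids quoting problems if a token contains shell-significant characters. The previous BDBA token is not revoked after the new one is stored, so if the API offers a revoke endpoint it is worth calling once the secret update succeeds; the workflow as shown does not indicate whether one exists.

```yaml
      - name: Generate new BDBA API token
        id: generate-bdba-token
        # … unchanged: run block (the `if:` on SHOULD_RUN is removed) …

      - name: Update organization secret
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          NEW_TOKEN: ${{ steps.generate-bdba-token.outputs.bdba_token }}
        run: |
          # Never replace the org secret with an empty value
          if [ -z "$NEW_TOKEN" ]; then
            echo "No new token produced; leaving BDBA_API_TOKEN unchanged"
            exit 1
          fi
          printf '%s' "$NEW_TOKEN" | gh secret set BDBA_API_TOKEN \
            --org open-component-model \
            --visibility all
          echo "BDBA API token successfully rotated at $(date)"
```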