BDBA Token Rotation #29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Rotate Black Duck Binary Analysis API token on a monthly basis | |
| # The token is used in the worklfow bdba.yaml and stored as a secret on org level | |
| name: BDBA Token Rotation | |
| on: | |
| schedule: | |
| - cron: '37 2 1 * *' # Run on every 1st of month 2:37 AM UTC | |
| workflow_dispatch: # Allow manual trigger | |
| jobs: | |
| rotate-token: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate GitHub token | |
| id: generate-token | |
| uses: tibdex/github-app-token@v2 | |
| with: | |
| app_id: ${{ secrets.OCMBOT_APP_ID }} | |
| private_key: ${{ secrets.OCMBOT_PRIV_KEY }} | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Generate new API token using the BDBA API | |
| - name: Generate new BDBA API token | |
| id: generate-bdba-token | |
| run: | | |
| # Generate new token from the Black Duck Binary Analysis API | |
| # Using the validity period of 3024000 seconds (35 days) | |
| if ! RESPONSE=$(curl -sf -X POST \ | |
| -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" \ | |
| -d '{"validity": 3024000}' \ | |
| "https://bdba.tools.sap/api/key/"); then | |
| echo "::error::Failed to connect to BDBA API" | |
| exit 1 | |
| fi | |
| # Extract token and error message | |
| TOKEN=$(echo "$RESPONSE" | jq -r '.key.value') | |
| ERROR=$(echo "$RESPONSE" | jq -r '.meta.error') | |
| CODE=$(echo "$RESPONSE" | jq -r '.meta.code') | |
| REASON=$(echo "$RESPONSE" | jq -r '.meta.reason') | |
| # Verify token was generated successfully | |
| if [ -n "$ERROR" ] && [ "$ERROR" != "null" ]; then | |
| echo "::error::BDBA API Error ($CODE): $ERROR - $REASON" | |
| exit 1 | |
| fi | |
| if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then | |
| echo "::error::Failed to extract token from API response" | |
| echo "::debug::Full API response: $RESPONSE" | |
| exit 1 | |
| fi | |
| # Store token as step output | |
| echo "::add-mask::$TOKEN" | |
| echo "bdba_token=$TOKEN" >> "$GITHUB_OUTPUT" | |
| echo "Successfully generated new BDBA API token" | |
| # Update the organization secret with the new token | |
| - name: Update organization secret | |
| run: | | |
| # Authenticate with the GitHub CLI and set the secret on org level | |
| gh auth login --with-token <<< ${{ steps.generate-token.outputs.token }} | |
| gh secret set BDBA_API_TOKEN \ | |
| --org open-component-model \ | |
| --visibility all \ | |
| --body "${{ steps.generate-bdba-token.outputs.bdba_token }}" | |
| echo "BDBA API token successfully rotated at $(date). Valid for 35 days." |