chore: add new workflow to upload specified OCM version and improve error handling in token rotation (#58)

morri-son · morrison-sap · web-flow · commit d08500ba1fad · 2025-04-01T14:06:31.000+02:00
On-behalf-of: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
Signed-off-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;

&lt;!-- markdownlint-disable MD041 --&gt;
#### What this PR does / why we need it
 add manual workflow for BDBA scan of specified OCM version

---------

Signed-off-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
Co-authored-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
diff --git a/.github/workflows/bdba-upload-ctf-manually.yaml b/.github/workflows/bdba-upload-ctf-manually.yaml
@@ -0,0 +1,105 @@
+# Workflow to upload released versions, RC or final, Black Duck Binary Analysis (BDBA) for scanning.
+# Uses CTF from GitHub release assets.
+# This workflow is triggered manually and allows to specify the OCM version to scan.
+# Can be used in case the BDBA upload did not work in the release workflow.
+
+name: BDBA Scan for dedicated OCM version
+
+on:
+  workflow_dispatch:
+    inputs:
+      OCM_VERSION:
+        description: 'The OCM version to scan (e.g., 0.22.0)'
+        required: true
+        type: string
+
+permissions:
+  actions: read
+  contents: read
+
+jobs:
+  upload-and-scan-ctfs:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout code from correct repository as executed in .github repo
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: open-component-model/ocm
+          ref: main
+
+      # Download CTF from GH release assets
+      - name: Download CTF
+        run: |
+          if [ -z "${{ github.event.inputs.OCM_VERSION }}" ]; then
+            echo "Error: OCM_VERSION parameter is required"
+            exit 1
+          fi
+          
+          CTF_URL="https://github.com/open-component-model/ocm/releases/download/v${{ github.event.inputs.OCM_VERSION }}/ocm-${{ github.event.inputs.OCM_VERSION }}-ctf.tgz"
+          echo "Downloading CTF from: $CTF_URL"
+          
+          mkdir -p "${{ github.workspace }}/gen"
+          curl -L -o "${{ github.workspace }}/gen/ctf-aggregated" "$CTF_URL"
+
+      # Since OCM cli is required to download CVs from CTF, extract binary from CTF
+      - name: Extract OCM Binary from CTF
+        id: extract-ocm
+        run: |
+          ocm_binary="$(bash ./hack/get_bare_resource_from_ctf.sh \
+            "ocm.software/ocmcli" \
+            "" \
+            "ocmcli" \
+            "amd64" \
+            "linux" \
+            "application/octet-stream" \
+            ${{ github.workspace }}/gen/ctf-aggregated)"
+            
+            new_loc="${{ github.workspace }}/bin/ocm"
+            mkdir -p "$(dirname "$new_loc")"
+            ln -s "$ocm_binary" "$new_loc"
+            chmod +x "$new_loc"
+            echo "OCM binary linked to \"$new_loc\""
+            echo "binary=\"$new_loc\"" >> "$GITHUB_OUTPUT"
+      
+      # Download CVs from CTF as TAR, loop over all TARs and upload them to BDBA
+      - name: Upload CVs from CTF from GH assets to Blackduck
+        id: blackduck-upload-ctf
+        run: |
+          set -e  # Exit immediately if any command fails with non-zero status
+          echo "Download CVs from CTF (creates CommonTransportFormat-ctf root folder)"
+          echo "Upload single CVs to BDBA"
+          echo "Large files may take a while to upload. Please be patient."
+          echo
+          cd ${{ github.workspace }}/gen/
+          ${{ steps.extract-ocm.outputs.binary }} download cv --type tar ${{ github.workspace }}/gen/ctf-aggregated
+          # Find all CV tar files within CommonTransportFormat-ctf
+          find "CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated" -type f -print0 | while IFS= read -r -d '' file; do
+            # Extract the relative path and construct the upload name
+            relative_path="${file#CommonTransportFormat-${{ github.workspace }}/gen/ctf-aggregated/}"
+            upload_name="${relative_path%/*}"
+            upload_name="${upload_name//\//-}"
+
+            # Extract the version from the filename
+            version=$(basename "$file")
+            version="${version%.tar}"
+
+            # Construct the API URL
+            api_url="${{ secrets.BDBA_URL }}/api/upload/${upload_name}"
+
+            # Upload the file using curl
+            echo "Uploading $upload_name to BDBA"
+            curl_output=$(curl -sS -X PUT -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" -H "Group: ${{ secrets.BDBA_GROUP_ID }}" -H "Version: $version" -H "Delete-Binary: true" --data-binary "@$file" "$api_url")
+
+            # Check if upload was successful and print results
+            if [[ $(echo "$curl_output" | jq '.meta.code') == "200" ]]; then
+              echo "--- Upload successful ---"
+              echo "   filename:     $(echo "$curl_output" | jq '.results.filename')"
+              echo "   last_updated: $(echo "$curl_output" | jq '.results.last_updated')"
+            else
+              echo "Upload failed with"
+              echo "$curl_output"
+              exit 1
+            fi
+          done
diff --git a/.github/workflows/rotate-bdba-token.yml b/.github/workflows/rotate-bdba-token.yml
@@ -27,18 +27,29 @@ jobs:
         run: |
           # Generate new token from the Black Duck Binary Analysis API
           # Using the validity period of 3024000 seconds (35 days)
-          RESPONSE=$(curl -s -X PUT \
-            -H "Content-Type: application/json" \
+          if ! RESPONSE=$(curl -sf -X POST \
             -H "Authorization: Bearer ${{ secrets.BDBA_API_TOKEN }}" \
             -d '{"validity": 3024000}' \
-            "https://bdba.tools.sap/api/key/")
+            "https://bdba.tools.sap/api/key/"); then
+            echo "::error::Failed to connect to BDBA API"
+            exit 1
+          fi
           
-          # Extract token from response
+          # Extract token and error message
           TOKEN=$(echo "$RESPONSE" | jq -r '.key.value')
+          ERROR=$(echo "$RESPONSE" | jq -r '.meta.error')
+          CODE=$(echo "$RESPONSE" | jq -r '.meta.code')
+          REASON=$(echo "$RESPONSE" | jq -r '.meta.reason')
           
           # Verify token was generated successfully
+          if [ -n "$ERROR" ] && [ "$ERROR" != "null" ]; then
+            echo "::error::BDBA API Error ($CODE): $ERROR - $REASON"
+            exit 1
+          fi
+
           if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
-            echo "Failed to generate new token. API response: $RESPONSE"
+            echo "::error::Failed to extract token from API response"
+            echo "::debug::Full API response: $RESPONSE"
             exit 1
           fi
           
@@ -59,4 +70,4 @@ jobs:
           --visibility all \
           --body "${{ steps.generate-bdba-token.outputs.bdba_token }}"
 
-          echo "BDBA API token successfully rotated at $(date)"
+          echo "BDBA API token successfully rotated at $(date). Valid for 35 days."
