chore: update workflow to download and extract OCM CLI alongside CTF (#59)

On-behalf-of: Gerald Morrison (SAP) <[email protected]>
Signed-off-by: Gerald Morrison (SAP) <[email protected]>

<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it
update workflow to download and extract OCM CLI alongside CTF

---------

Signed-off-by: Gerald Morrison (SAP) <[email protected]>
Co-authored-by: Gerald Morrison (SAP) <[email protected]>
Co-authored-by: Jakob Möller <[email protected]>

Author: 3 people

.github/workflows/bdba.yaml

@@ -1,5 +1,10 @@
 # Workflow to upload CTFs to Black Duck Binary Analysis (BDBA) for scanning.
 # Located in .github repo to be shared across all repositories in the GH org.
+# This workflow is triggered by other workflows, e.g., release workflow.
+# The secret for the BDBA_API_TOKEN is generated in another workflow
+# (https://github.com/open-component-model/.github/actions/workflows/rotate-bdba-token.yml)
+# which is scheduled to run every 30 days. By policy the maximum lifetime of a token is 180 days.
+
 name: BDBA Scan
 
 on:

.github/workflows/rotate-bdba-token.yml

@@ -1,5 +1,8 @@
-# Rotate Black Duck Binary Analysis API token on a monthly basis
+# Rotate Black Duck Binary Analysis API token on a monthly basis.
+# Per SAP policy the maximum lifetime of a BDBA token is 180 days.
 # The token is used in the worklfow bdba.yaml and stored as a secret on org level
+# The secret is used in the BDBA workflows.
+
 name: BDBA Token Rotation
 
 permissions: