chore: update Blackduck scan workflow to ignore workflow paths and improve status checking

morrison-sap · morrison-sap · commit 039d896dba83 · 2025-03-20T16:14:15.000+01:00
On-behalf-of: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
Signed-off-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml
@@ -1,11 +1,15 @@
 name: Blackduck SCA Scan
 on:
   push:
+    paths-ignore:
+    - '.github/workflows/**'
     branches: [ "main" ]
   pull_request_target:
+    paths-ignore:
+    - '.github/workflows/**'
     branches: [ "main" ]
   schedule:
-    - cron:  '6 1 * * 0'
+    - cron:  '6 0 * * 0'
   workflow_dispatch:
   
 permissions:
@@ -25,7 +29,6 @@ jobs:
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
           DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
-          DETECT_SOURCE_PATH: ./
           DETECT_EXCLUDED_DIRECTORIES: .bridge
           DETECT_BLACKDUCK_SIGNATURE_SCANNER_ARGUMENTS: '--min-scan-interval=0'
           NODE_TLS_REJECT_UNAUTHORIZED: true
@@ -42,13 +45,55 @@ jobs:
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
           DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
-          DETECT_SOURCE_PATH: ./
           DETECT_EXCLUDED_DIRECTORIES: .bridge
           NODE_TLS_REJECT_UNAUTHORIZED: true
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
           blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
           blackducksca_scan_full: false
-          blackducksca_prComment_enabled: true
-               
+
+      # Check Black Duck status and upload status file as artifact.
+      # This step is required to be set as always(), so the status file is uploaded even if the Black Duck scan fails.
+      - name: Check Black Duck status
+        if: always()
+        id: check_blackduck_status
+        shell: bash
+        run: |
+          # Use find to locate status file
+          STATUS_FILE=$(find "/home/runner/work/ocm-cicd-playground/ocm-cicd-playground/.bridge/Blackduck SCA Detect Execution/detect/runs" -name "status.json" | head -n 1)
+      
+          if [ -z "$STATUS_FILE" ]; then
+            echo "::warning file=status.json::No Black Duck status file found"
+            exit 1
+          else
+            ISSUE_COUNT=$(jq '.issues | length' "$STATUS_FILE")
+            
+            if [[ "$ISSUE_COUNT" -eq 0 ]]; then
+              echo "status_file_path=$STATUS_FILE" >> "$GITHUB_OUTPUT"
+              echo "Black Duck scan successfully executed. Status JSON will be uploaded as an artifact to the GitHub action.""
+            else
+              # Issues exist, fail step but save file path for upload
+              echo "status_file_path=$STATUS_FILE" >> "$GITHUB_OUTPUT"
+              echo "::error file=$STATUS_FILE::Black Duck scan had issues:"
+              
+              # Extract and print issue details
+              jq -r '.issues[] | "\(.type): \(.title)\n  Details: \((.messages | if type == "string" then [.] else . end) | join("; "))"' status.json | \
+              while IFS= read -r line; do
+                echo "::error::$line"
+              done
+              echo
+              echo "Black Duck Overall Status:"
+              jq -r '.overallStatus[0].key + " - " + .overallStatus[0].status' "$STATUS_FILE"
+              echo
+              echo "Status JSON will be uploaded as an artifact to the GitHub action."
+              exit 1
+            fi
+          fi
+            
+      - name: Upload Blackduck status file
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: status-json
+          path: ${{ steps.check_blackduck_status.outputs.status_file_path }}
