open-component-model · morri-son · Feb 27, 2025 · Feb 27, 2025
@@ -1,11 +1,11 @@
 name: Blackduck SCA Scan
 on:
-  #push:
-  #  branches: [ "main" ]
-  #pull_request:
-  #  branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+  pull_request_target:
+    branches: [ "main" ]
   schedule:
-    - cron:  '8 0 * * 0'
+    - cron:  '6 1 * * 0'
   workflow_dispatch:
 
 permissions:
@@ -17,39 +17,12 @@
     runs-on: [ ubuntu-latest ]
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
-        with:
-          go-version-file: '${{ github.workspace }}/go.mod'
-          cache: false
-
-      - name: Get go environment for use with cache
-        run: |
-          echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-      # This step will only reuse the go mod and build cache from main made during the Build,
-      # see push_ocm.yaml => "ocm-cli-latest" Job
-      # This means it never caches by itself and PRs cannot cause cache pollution / thrashing
-      # This is because we have huge storage requirements for our cache because of the mass of dependencies
-
-      - name: Restore / Reuse Cache from central build
-        id: cache-golang-restore
-        uses: actions/cache/restore@0c907a75c2c80ebcb7f088228285e798b750cf8f # Only Restore, not build another cache (too big)
-        with:
-          path: |
-            ${{ env.go_cache }}
-            ${{ env.go_modcache }}
-          key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }}
-          restore-keys: |
-            ${{ env.cache_name }}-${{ runner.os }}-go-
-        env:
-          cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step
-
-      - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled)
-        if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
-        uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+        if: github.event_name != 'pull_request_target'
+        uses: actions/checkout@v4
+
+      - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule)
+        if: ${{ github.event_name != 'pull_request_target' }} 
+        uses: blackduck-inc/[email protected]
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
           DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
@@ -63,10 +36,10 @@
           blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
           blackducksca_scan_full: true
 
-      - name: Run Black Duck SCA Scan (Pull Request or Push)
-        if: github.event_name != 'workflow_dispatch'
-            # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
-        uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+      - name: Run Black Duck SCA Scan (Pull Requests)
+        if: ${{ github.event_name == 'pull_request_target' }}
+           # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
+        uses: blackduck-inc/black-duck-security-scan@v2.0.0
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
           DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
@@ -77,4 +50,5 @@
           github_token: ${{ secrets.GITHUB_TOKEN }}
           blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
           blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackducksca_scan_full: false
           blackducksca_prComment_enabled: true