BDBA_caller.yml
# Copyright (c) 2024 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: BDBA Scan

# Two triggers: a manual run from the Actions tab, and pull-request activity
# that targets `main`.
on:
  workflow_dispatch:
    # NOTE(review): the `bdba_scan` job in this file does not read any of these
    # inputs (no `inputs.*` / `github.event.inputs.*` reference is visible), so
    # a manual run ignores whatever is typed here. Confirm whether they should
    # be wired into the job or removed.
    inputs:
      org:
        description: "Enter Project organizational repo to run BDBA scan (ex: intel-innersource):"
        required: true
        type: string
      repo:
        description: "Enter Project repo for which you want to run BDBA scan (ex: frameworks.ai.infrastructure.code-scan-tools):"
        required: true
        type: string
      refs:
        description: "Enter Project branch, tag:"
        required: true
        type: string
      group:
        description: "Enter BDBA group (ex: 32):"
        required: true
        type: string
      runners:
        description: "Array of runner labels: "
        required: true
        type: string
        default: "['gasp']"
  pull_request:
    branches:
      - main
    # added `ready_for_review` since draft is skipped
    types:
      - opened
      - reopened
      - ready_for_review
      - synchronize
    # Documentation-only changes do not trigger a scan.
    paths-ignore:
      - "**.md"
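jobs:
  # Zips the checked-out repository, hands the archive to the local BDBA
  # action, then looks the upload up through the BDBA API and stores the PDF
  # report as a workflow artifact.
  bdba_scan:
    # NOTE(review): `internal` is not a GitHub-hosted runner label, so this
    # presumably selects self-hosted runners. This workflow also runs on
    # `pull_request`; confirm that runs for pull requests from forks need
    # maintainer approval before they reach these runners.
    runs-on: internal
    container:
      # NOTE(review): `python:slim` is a floating tag; pinning a version or an
      # image digest keeps the scan environment reproducible.
      image: cache-registry.caas.intel.com/cache/library/python:slim
    steps:
      - name: Checkout Project Repo
        # NOTE(review): referenced by mutable tag; consider pinning actions to
        # a full commit SHA.
        uses: actions/checkout@v4
        with:
          # The next step archives the workspace, `.git` included, and the
          # archive is submitted to the BDBA service. Keep the job token out of
          # `.git/config` so it is not shipped with it.
          persist-credentials: false
      - name: Pack Additional Resources
        shell: bash
        run: |
          apt-get update
          apt-get install zip unzip wget -y
          apt-get install curl jq -y
          # NOTE(review): `.*` expands to dot-entries only. Where bash includes
          # `.` and `..` in that expansion, the archive covers the whole
          # workspace and its parent directory as well. Confirm the intended
          # scan scope.
          zip -r genai-bdba.zip "${GITHUB_WORKSPACE}"/.*
      - name: get intel certs
        shell: bash
        run: |
          mkdir -p "${{ github.workspace }}/certs"
          # NOTE(review): this root certificate is downloaded over plain HTTP
          # and then becomes the only trust anchor for the authenticated API
          # calls below, so whoever controls the network path controls which
          # CA is trusted. Prefer shipping the CA inside the container image,
          # or compare the download against a fingerprint kept in the
          # repository (<expected-sha256-placeholder>) before using it.
          wget http://certificates.intel.com/repository/certificates/IntelSHA256RootCA-Base64.crt -O- >> "${{ github.workspace }}/certs/ca-certificates.crt"
      - name: Run BDBA Scan
        id: bdba
        env:
          BDBA_TOKEN: "${{ secrets.BDBA_TOKEN }}"
        # NOTE(review): a step-level `uses: ./path` is resolved as an action
        # directory (containing `action.yml`), whereas this path names a file
        # under `.github/workflows`. Verify that this reference resolves as
        # intended.
        uses: ./.github/workflows/BDBA_action.yml
        with:
          # Quoted so the group id is passed as a string, matching the
          # commented-out reusable-workflow call at the end of this file.
          bdba_group: "22"
          bdba_binary: genai-bdba.zip
      - name: Fetch BDBA projects
        id: data
        shell: bash
        env:
          # Passed through the environment instead of being expanded into the
          # script text by `${{ }}`.
          BDBA_TOKEN: "${{ secrets.BDBA_TOKEN }}"
        run: |
          export CURL_CA_BUNDLE="${{ github.workspace }}/certs/ca-certificates.crt"
          curl -H "Authorization: Bearer ${BDBA_TOKEN}" "https://bdba001.icloud.intel.com/api/apps/?q=file:genai-bdba.zip" -o /tmp/scan.txt
          product_id="$(jq -r '.products[0].product_id' /tmp/scan.txt)"
          # The value comes from a remote response and is written to
          # $GITHUB_ENV, where an embedded newline would define additional
          # variables for later steps. Accept a plain identifier only, and stop
          # when the lookup found nothing (`jq -r` prints "null").
          if [[ ! "${product_id}" =~ ^[A-Za-z0-9_-]+$ || "${product_id}" == "null" ]]; then
            echo "::error::BDBA lookup did not return a usable product_id"
            exit 1
          fi
          echo "PRODUCT=${product_id}" >> "$GITHUB_ENV"
      - name: Download BDBA project Scan data
        shell: bash
        env:
          BDBA_TOKEN: "${{ secrets.BDBA_TOKEN }}"
        run: |
          export CURL_CA_BUNDLE="${{ github.workspace }}/certs/ca-certificates.crt"
          # PRODUCT is read as a shell variable (exported through $GITHUB_ENV
          # by the previous step) rather than being pasted into the script by
          # `${{ env.PRODUCT }}`.
          curl -H "Authorization: Bearer ${BDBA_TOKEN}" "https://bdba001.icloud.intel.com/api/product/${PRODUCT}/pdf-report" -o /tmp/genai-bdba_scan.pdf
      - name: Upload Scan artifact to Github
        # NOTE(review): referenced by mutable tag; consider pinning actions to
        # a full commit SHA.
        uses: actions/upload-artifact@v4
        with:
          name: BDBA-log
          path: /tmp/genai-bdba_scan.pdf
          if-no-files-found: ignore  # 'warn' (the default) and 'error' are the alternatives
          retention-days: 60  # 1 <= retention-days <= 90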
#jobs:
# bdba_job:
# name: BDBA Scan
# uses: intel-innersource/frameworks.ai.infrastructure.code-scan-tools/.github/workflows/Scanner_Bdba.yml@one-ci-cd
# with:
# repos: ${{ github.event.repository.name }}
# refs: ${{ github.ref_name }}
# group: "22"
# runners: "['self-hosted']"
# secrets:
# token: ${{ secrets.GITHUB_TOKEN }}
# BDBA_TOKEN: ${{ secrets.BDBA_TOKEN }}