CEC-4854 Trunk-based deploy pipeline (#412)

* CEC-4855: fix manifest deselect (#410) * fix manifest deselect * adjusted blackduck pipeline to run the latest detect version * added blackduck_rapid pipeline to run synopsys detect rapid scans * adjusted deploy pipeline to trun-based model, adjusted test pipeline to use main branch * test image builds * clean up * CEC-4563: add cancel and include results in promise (#411) * splited build and deploy order according to each environment, test builds * clean up * clean up * CEC-4635: prevent false 0 calculation (#413) * prevent false 0 calculation * refactor switch statement --------- Co-authored-by: Tristan Timblin <ttimblin@fiskerinc.com>
2023-08-14 14:09:15 -05:00
parent 5b0d3a9437
commit e1f4da2232
9 changed files with 476 additions and 131 deletions
--- a/.github/workflows/blackduck.yml
+++ b/.github/workflows/blackduck.yml
@@ -7,11 +7,32 @@ on:

 jobs:
  blackduck:
-    name: Blackduck scan
-    uses: Fisker-Inc/github-actions/.github/workflows/blackduck.yml@main 
-    with:
-      project: ota-admin-portal
-    secrets: 
-      github-token: ${{ secrets.GITHUB_TOKEN }}
-      blackduck-url: ${{ secrets.BLACKDUCK_URL }}
-      blackduck-api-token: ${{ secrets.BLACKDUCK_API_KEY }}
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v3
+
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '16'
+        cache: npm
+
+    - run: npm install
+    - run: npm run build
+
+    - name: Run Synopsys Detect INTELLIGENT
+      run: |
+        bash <(curl -s -L https://detect.synopsys.com/detect8.sh) \
+        --blackduck.url=${{ secrets.BLACKDUCK_URL }} \
+        --blackduck.api.token=${{ secrets.BLACKDUCK_API_KEY }} \
+        --blackduck.trust.cert=true \
+        --detect.project.version.update=true \
+        --detect.project.name='ota-admin-portal' \
+        --detect.excluded.directories='node_modules' \
+        --detect.project.version.name=$GITHUB_REF_NAME \
+        --detect.blackduck.scan.mode="INTELLIGENT" \
+        --detect.detector.search.depth=3 \
+        --detect.detector.search.continue=true \
+        --detect.npm.include.dev.dependencies=false 
+      # --detect.policy.check.fail.on.severities=ALL,NONE,UNSPECIFIED,TRIVIAL,MINOR,MAJOR,CRITICAL,BLOCKER - Use it if you want to fail the build on a certain severity type
+      # --detect.detector.search.continue=true - If true, the bom tool search will continue to look for nested bom tools of the same type to the maximum search depth