enable notices generation from blackduck scan (when go dependencies change)

.github/actions/blackduck-scan/action.yml

@@ -8,11 +8,11 @@ runs:
         bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) \
         ci-build ${GITHUB_REPOSITORY} ${GITHUB_REF_NAME} \
         --logging.level.com.synopsys.integration=DEBUG  \
-        --detect.notices.report=false \
+        --detect.notices.report=true \
         --detect.timeout=600 \
         --detect.included.detector.types=GO_MOD \
         --detect.go.mod.dependency.types.excluded=UNUSED \
         --detect.code.location.name=${GITHUB_REPOSITORY}_${GITHUB_JOB} \
         --detect.follow.symbolic.links=false
       shell: bash -euo pipefail -c "source nix.source && exec bash {0}"
-
+

.github/workflows/blackduck.yml

@@ -4,10 +4,9 @@ defaults:
     shell: bash -euo pipefail -c "source nix.source && source .envrc.vars && exec bash {0}"
 on:
   push:
-    branches:
-      - 'blackduck*'
-  schedule:
-    - cron: '0 10 * * *' # 5am US Eastern Time (UTC+5)
+    paths:
+      - go.mod
+      - go.sum
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -19,19 +18,45 @@ env:
 
 jobs:
   scan:
-    runs-on: dach-ny-dpm
+    runs-on: digital-asset-dpm
+    permissions:
+      contents: write
+      pull-requests: write    
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           fetch-depth: 0
+          token: ${{ secrets.AUTO_REBASE_PAT }}
       - uses: ./.github/actions/nix
       - uses: ./.github/actions/gcloud-login
         with:
-          key: ${{ inputs.key }}
+          key: ${{ secrets.DA_IMAGES }}
       - name: Build and Test Go Project
         run: |
           go build -o target/ ./cmd/...
           go test -v ./...
         shell: bash -euo pipefail -c "source nix.source && exec bash {0}"
       - uses: ./.github/actions/blackduck-scan
-
+      - name: Rename notices file
+        run: |
+          files=( *Black_Duck_Notices_Report.txt )
+          if [ "${#files[@]}" -eq 1 ]; then
+            mv -- "${files[0]}" NOTICES
+          else
+            echo "Expected exactly one *Black_Duck_Notices_Report.txt file, found ${#files[@]}" >&2
+            exit 1
+          fi
+        shell: bash -euo pipefail -c "source nix.source && exec bash {0}"
+      - name: Commit and push changes
+        if: github.ref != 'refs/heads/main'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add NOTICES
+          if git diff --cached --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "Update NOTICES after go.mod change"
+            git push
+          fi
+        shell: bash -euo pipefail -c "source nix.source && exec bash {0}"

.github/workflows/comments.yml

@@ -0,0 +1,43 @@
+name: blackduck-add-comment
+defaults:
+  run:
+    shell: bash -euo pipefail -c "source nix.source && source .envrc.vars && exec bash {0}"
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+    paths:
+      - go.mod
+      - go.sum
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  USER: gha
+
+jobs:
+  scan:
+    runs-on: digital-asset-dpm
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.AUTO_REBASE_PAT }}
+      - uses: ./.github/actions/nix
+      - name: Comment on the Pull Request
+        if: github.ref != 'refs/heads/main'
+        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # Use the comment action
+        with:
+          message: |
+            The NOTICES file has been updated on this PR due to a change in 
+            your library dependencies.
+
+            The workflow run ID is **${{ github.run_id }}**.
+          github-token: ${{ secrets.AUTO_REBASE_PAT }}